1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/vfs_opreg.h> 76 #include <fs/sockfs/sockcommon.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 82 char _depends_on[] = "fs/sockfs"; 83 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 static au_event_t aui_labelsys(au_event_t); 103 static au_event_t aui_setpgrp(au_event_t); 104 105 static void aus_open(struct t_audit_data *); 106 static void aus_acl(struct t_audit_data *); 107 static void aus_acct(struct t_audit_data *); 108 static void aus_chown(struct t_audit_data *); 109 static void aus_fchown(struct t_audit_data *); 110 static void aus_lchown(struct t_audit_data *); 111 static void aus_chmod(struct t_audit_data *); 112 static void aus_facl(struct t_audit_data *); 113 static void aus_fchmod(struct t_audit_data *); 114 static void aus_fcntl(struct t_audit_data *); 115 static void aus_fsat(struct t_audit_data *); 116 static void aus_mkdir(struct t_audit_data *); 117 static void aus_mknod(struct t_audit_data *); 118 static void aus_mount(struct t_audit_data *); 119 static void aus_umount(struct t_audit_data *); 120 static void aus_umount2(struct t_audit_data *); 121 static void aus_msgsys(struct t_audit_data *); 122 static void aus_semsys(struct t_audit_data *); 123 static void aus_close(struct t_audit_data *); 124 static void aus_fstatfs(struct t_audit_data *); 125 static void aus_setgid(struct t_audit_data *); 126 static void aus_setpgrp(struct t_audit_data *); 127 static void aus_setuid(struct t_audit_data *); 128 static void aus_shmsys(struct t_audit_data *); 129 static void aus_doorfs(struct t_audit_data *); 130 static void aus_ioctl(struct t_audit_data *); 131 static void aus_memcntl(struct t_audit_data *); 132 static void aus_mmap(struct t_audit_data *); 133 static void aus_munmap(struct t_audit_data *); 134 static void aus_priocntlsys(struct t_audit_data *); 135 static void aus_setegid(struct t_audit_data *); 136 static void aus_setgroups(struct t_audit_data *); 137 static void aus_seteuid(struct t_audit_data *); 138 static void aus_putmsg(struct t_audit_data *); 139 static void aus_putpmsg(struct t_audit_data *); 140 static void aus_getmsg(struct t_audit_data *); 141 static void aus_getpmsg(struct t_audit_data *); 142 static void aus_auditsys(struct t_audit_data *); 143 static void aus_sysinfo(struct t_audit_data *); 144 static void aus_modctl(struct t_audit_data *); 145 static void aus_kill(struct t_audit_data *); 146 static void aus_xmknod(struct t_audit_data *); 147 static void aus_setregid(struct t_audit_data *); 148 static void aus_setreuid(struct t_audit_data *); 149 static void aus_labelsys(struct t_audit_data *); 150 151 static void auf_mknod(struct t_audit_data *, int, rval_t *); 152 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 153 static void auf_semsys(struct t_audit_data *, int, rval_t *); 154 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 155 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 156 static void auf_read(struct t_audit_data *, int, rval_t *); 157 static void auf_write(struct t_audit_data *, int, rval_t *); 158 159 static void aus_sigqueue(struct t_audit_data *); 160 static void aus_p_online(struct t_audit_data *); 161 static void aus_processor_bind(struct t_audit_data *); 162 static void aus_inst_sync(struct t_audit_data *); 163 static void aus_brandsys(struct t_audit_data *); 164 165 static void auf_accept(struct t_audit_data *, int, rval_t *); 166 167 static void auf_bind(struct t_audit_data *, int, rval_t *); 168 static void auf_connect(struct t_audit_data *, int, rval_t *); 169 static void aus_shutdown(struct t_audit_data *); 170 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 171 static void aus_sockconfig(struct t_audit_data *); 172 static void auf_recv(struct t_audit_data *, int, rval_t *); 173 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 174 static void auf_send(struct t_audit_data *, int, rval_t *); 175 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 176 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 177 static void auf_sendto(struct t_audit_data *, int, rval_t *); 178 static void aus_socket(struct t_audit_data *); 179 /* 180 * This table contains mapping information for converting system call numbers 181 * to audit event IDs. In several cases it is necessary to map a single system 182 * call to several events. 183 */ 184 185 #define aui_null NULL /* NULL initialize function */ 186 #define aus_null NULL /* NULL start function */ 187 #define auf_null NULL /* NULL finish function */ 188 189 struct audit_s2e audit_s2e[] = 190 { 191 /* 192 * ---------- ---------- ---------- ---------- 193 * INITIAL AUDIT START SYSTEM 194 * PROCESSING EVENT PROCESSING CALL 195 * ---------- ---------- ---------- ----------- 196 * FINISH EVENT 197 * PROCESSING CONTROL 198 * ---------------------------------------------------------- 199 */ 200 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 201 auf_null, 0, 202 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 203 auf_null, S2E_NPT, 204 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 205 auf_null, 0, 206 aui_null, AUE_READ, aus_null, /* 3 read */ 207 auf_read, S2E_PUB, 208 aui_null, AUE_WRITE, aus_null, /* 4 write */ 209 auf_write, 0, 210 aui_open, AUE_OPEN, aus_open, /* 5 open */ 211 auf_null, S2E_SP, 212 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 213 auf_null, 0, 214 aui_null, AUE_NULL, aus_null, /* 7 wait */ 215 auf_null, 0, 216 aui_null, AUE_CREAT, aus_null, /* 8 create */ 217 auf_null, S2E_SP, 218 aui_null, AUE_LINK, aus_null, /* 9 link */ 219 auf_null, 0, 220 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 221 auf_null, 0, 222 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 223 auf_null, S2E_MLD, 224 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 225 auf_null, S2E_SP, 226 aui_null, AUE_NULL, aus_null, /* 13 time */ 227 auf_null, 0, 228 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 229 auf_mknod, 0, 230 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 231 auf_null, 0, 232 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 233 auf_null, 0, 234 aui_null, AUE_NULL, aus_null, /* 17 brk */ 235 auf_null, 0, 236 aui_null, AUE_STAT, aus_null, /* 18 stat */ 237 auf_null, S2E_PUB, 238 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 239 auf_null, 0, 240 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 241 auf_null, 0, 242 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 243 auf_null, S2E_MLD, 244 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 245 auf_null, 0, 246 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 247 auf_null, 0, 248 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 249 auf_null, 0, 250 aui_null, AUE_STIME, aus_null, /* 25 stime */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 255 auf_null, 0, 256 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 257 auf_null, 0, 258 aui_null, AUE_NULL, aus_null, /* 29 pause */ 259 auf_null, 0, 260 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 261 auf_null, 0, 262 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 263 auf_null, 0, 264 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 265 auf_null, 0, 266 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 267 auf_null, S2E_PUB, 268 aui_null, AUE_NICE, aus_null, /* 34 nice */ 269 auf_null, 0, 270 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 271 auf_null, S2E_PUB, 272 aui_null, AUE_NULL, aus_null, /* 36 sync */ 273 auf_null, 0, 274 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 275 auf_null, 0, 276 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 277 auf_null, S2E_PUB, 278 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 279 auf_null, 0, 280 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 281 auf_null, 0, 282 aui_null, AUE_NULL, aus_null, /* 41 dup */ 283 auf_null, 0, 284 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 43 times */ 287 auf_null, 0, 288 aui_null, AUE_NULL, aus_null, /* 44 profil */ 289 auf_null, 0, 290 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 291 /* was proc lock */ 292 auf_null, 0, 293 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 296 auf_null, 0, 297 aui_null, AUE_NULL, aus_null, /* 48 sig */ 298 auf_null, 0, 299 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 300 auf_msgsys, 0, 301 #if defined(__x86) 302 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 303 auf_null, 0, 304 #else 305 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 306 auf_null, 0, 307 #endif /* __x86 */ 308 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 309 auf_null, 0, 310 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 311 auf_shmsys, 0, 312 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 313 auf_semsys, 0, 314 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 315 auf_null, 0, 316 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 317 auf_null, 0, 318 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 319 auf_null, 0, 320 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 321 auf_null, 0, 322 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 323 auf_null, 0, 324 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 325 auf_null, S2E_MLD, 326 aui_null, AUE_NULL, aus_null, /* 60 umask */ 327 auf_null, 0, 328 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 329 auf_null, S2E_SP, 330 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 337 auf_null, 0, 338 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 339 auf_null, 0, 340 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 341 /* file locking call */ 342 auf_null, 0, 343 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 344 /* local system calls */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 359 /* was sigret (SunOS) */ 360 auf_null, 0, 361 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 362 auf_null, 0, 363 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 364 auf_null, 0, 365 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 366 auf_null, 0, 367 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 368 auf_null, 0, 369 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 370 auf_null, 0, 371 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 372 auf_null, 0, 373 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 374 /* was libattach */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 377 /* was libdetach */ 378 auf_null, 0, 379 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 380 auf_null, 0, 381 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 382 auf_null, 0, 383 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 384 auf_null, 0, 385 aui_null, AUE_NULL, aus_null, /* 87 poll */ 386 auf_null, 0, 387 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 388 auf_null, S2E_PUB, 389 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 390 auf_null, 0, 391 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 392 auf_null, S2E_PUB, 393 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 394 auf_null, 0, 395 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 396 auf_null, 0, 397 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 398 auf_null, 0, 399 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 410 auf_null, 0, 411 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 412 auf_null, 0, 413 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 414 auf_null, 0, 415 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 416 /* was evtrapret */ 417 auf_null, 0, 418 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 419 auf_null, S2E_PUB, 420 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 425 auf_null, 0, 426 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 427 auf_null, 0, 428 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 429 auf_null, 0, 430 #if defined(__x86) 431 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 432 auf_null, 0, 433 #else 434 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 435 auf_null, 0, 436 #endif /* __x86 */ 437 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 438 auf_null, 0, 439 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 440 auf_null, 0, 441 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 442 auf_null, 0, /* 112 priocntlsys */ 443 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 444 auf_null, S2E_PUB, 445 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 446 auf_null, 0, 447 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 448 auf_null, 0, 449 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 450 auf_null, 0, 451 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 452 auf_null, 0, 453 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 454 auf_null, 0, 455 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 456 auf_null, 0, 457 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 458 auf_null, 0, 459 aui_null, AUE_READ, aus_null, /* 121 readv */ 460 auf_read, S2E_PUB, 461 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 462 auf_write, 0, 463 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 464 auf_null, S2E_PUB, 465 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 466 auf_null, S2E_PUB, 467 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 468 auf_null, 0, 469 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 470 auf_xmknod, 0, 471 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 472 auf_null, 0, 473 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 474 auf_null, 0, 475 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 476 auf_null, 0, 477 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 478 auf_null, 0, 479 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 480 auf_null, 0, 481 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 482 auf_null, 0, 483 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 484 auf_null, 0, 485 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 486 auf_null, 0, 487 aui_null, AUE_NULL, aus_null, /* 135 uname */ 488 auf_null, 0, 489 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 490 auf_null, 0, 491 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 492 auf_null, 0, 493 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 494 auf_null, 0, 495 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 496 auf_null, 0, 497 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 498 auf_null, 0, 499 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 500 auf_null, 0, 501 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 502 auf_null, 0, 503 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 146 yield */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 514 auf_null, 0, 515 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 516 auf_null, 0, 517 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 518 auf_null, 0, 519 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 520 auf_null, 0, 521 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 522 auf_null, 0, 523 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 524 auf_null, 0, 525 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 544 auf_null, 0, 545 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 546 auf_null, 0, 547 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 548 /* was lwp_setprivate */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 551 /* was lwp_getprivate */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 560 auf_null, 0, 561 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 562 auf_null, 0, 563 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 564 auf_null, 0, 565 aui_null, AUE_READ, aus_null, /* 173 pread */ 566 auf_read, S2E_PUB, 567 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 568 auf_write, 0, 569 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 570 auf_null, 0, 571 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 572 /* aus_inst_sync */ 573 auf_null, 0, 574 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 579 auf_null, 0, 580 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 581 auf_null, 0, 582 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 583 auf_null, 0, 584 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 585 auf_null, S2E_MLD, 586 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 587 auf_null, 0, 588 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 589 auf_null, 0, 590 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 591 auf_null, 0, 592 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 593 auf_null, 0, 594 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 595 auf_null, 0, /* 187 processor_bind */ 596 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 597 auf_null, 0, 598 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 599 auf_null, 0, 600 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 601 auf_null, 0, 602 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 603 auf_null, 0, 604 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 613 auf_null, 0, 614 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 615 auf_null, 0, 616 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 617 auf_null, 0, 618 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 619 auf_null, 0, 620 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 621 auf_null, 0, 622 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 623 auf_null, 0, 624 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 625 auf_null, 0, 626 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 641 auf_null, 0, 642 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 643 auf_null, 0, 644 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 645 auf_null, 0, 646 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 647 auf_null, 0, 648 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 649 auf_null, 0, 650 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 651 auf_null, S2E_PUB, 652 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 653 auf_null, S2E_PUB, 654 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 655 auf_null, 0, 656 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 657 auf_null, S2E_PUB, 658 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 659 auf_null, 0, 660 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 661 auf_null, 0, 662 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 663 auf_null, 0, 664 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 665 auf_read, S2E_PUB, 666 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 667 auf_write, 0, 668 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 669 auf_null, S2E_SP, 670 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 671 auf_null, S2E_SP, 672 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 675 auf_null, 0, 676 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 677 auf_null, 0, 678 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 679 auf_null, 0, 680 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 681 auf_null, 0, 682 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 683 auf_null, 0, 684 aui_null, AUE_BIND, aus_null, /* 232 bind */ 685 auf_bind, 0, 686 aui_null, AUE_NULL, aus_null, /* 233 listen */ 687 auf_null, 0, 688 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 689 auf_accept, 0, 690 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 691 auf_connect, 0, 692 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 693 auf_null, 0, 694 aui_null, AUE_READ, aus_null, /* 237 recv */ 695 auf_recv, 0, 696 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 697 auf_recvfrom, 0, 698 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 699 auf_recvmsg, 0, 700 aui_null, AUE_WRITE, aus_null, /* 240 send */ 701 auf_send, 0, 702 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 703 auf_sendmsg, 0, 704 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 705 auf_sendto, 0, 706 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 707 auf_null, 0, 708 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 709 auf_null, 0, 710 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 711 auf_null, 0, 712 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 713 auf_setsockopt, 0, 714 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 715 auf_null, 0, 716 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 717 auf_null, 0, 718 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 723 auf_null, 0, 724 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 725 auf_null, 0, 726 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 727 auf_null, 0, 728 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 729 auf_null, 0, 730 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 731 auf_null, 0 732 }; 733 734 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 735 736 737 /* acct start function */ 738 /*ARGSUSED*/ 739 static void 740 aus_acct(struct t_audit_data *tad) 741 { 742 klwp_t *clwp = ttolwp(curthread); 743 uintptr_t fname; 744 745 struct a { 746 long fname; /* char * */ 747 } *uap = (struct a *)clwp->lwp_ap; 748 749 fname = (uintptr_t)uap->fname; 750 751 if (fname == 0) 752 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 753 } 754 755 /* chown start function */ 756 /*ARGSUSED*/ 757 static void 758 aus_chown(struct t_audit_data *tad) 759 { 760 klwp_t *clwp = ttolwp(curthread); 761 uint32_t uid, gid; 762 763 struct a { 764 long fname; /* char * */ 765 long uid; 766 long gid; 767 } *uap = (struct a *)clwp->lwp_ap; 768 769 uid = (uint32_t)uap->uid; 770 gid = (uint32_t)uap->gid; 771 772 au_uwrite(au_to_arg32(2, "new file uid", uid)); 773 au_uwrite(au_to_arg32(3, "new file gid", gid)); 774 } 775 776 /* fchown start function */ 777 /*ARGSUSED*/ 778 static void 779 aus_fchown(struct t_audit_data *tad) 780 { 781 klwp_t *clwp = ttolwp(curthread); 782 uint32_t uid, gid, fd; 783 struct file *fp; 784 struct vnode *vp; 785 struct f_audit_data *fad; 786 787 struct a { 788 long fd; 789 long uid; 790 long gid; 791 } *uap = (struct a *)clwp->lwp_ap; 792 793 fd = (uint32_t)uap->fd; 794 uid = (uint32_t)uap->uid; 795 gid = (uint32_t)uap->gid; 796 797 au_uwrite(au_to_arg32(2, "new file uid", uid)); 798 au_uwrite(au_to_arg32(3, "new file gid", gid)); 799 800 /* 801 * convert file pointer to file descriptor 802 * Note: fd ref count incremented here. 803 */ 804 if ((fp = getf(fd)) == NULL) 805 return; 806 807 /* get path from file struct here */ 808 fad = F2A(fp); 809 if (fad->fad_aupath != NULL) { 810 au_uwrite(au_to_path(fad->fad_aupath)); 811 } else { 812 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 813 } 814 815 vp = fp->f_vnode; 816 audit_attributes(vp); 817 818 /* decrement file descriptor reference count */ 819 releasef(fd); 820 } 821 822 /*ARGSUSED*/ 823 static void 824 aus_lchown(struct t_audit_data *tad) 825 { 826 klwp_t *clwp = ttolwp(curthread); 827 uint32_t uid, gid; 828 829 830 struct a { 831 long fname; /* char * */ 832 long uid; 833 long gid; 834 } *uap = (struct a *)clwp->lwp_ap; 835 836 uid = (uint32_t)uap->uid; 837 gid = (uint32_t)uap->gid; 838 839 au_uwrite(au_to_arg32(2, "new file uid", uid)); 840 au_uwrite(au_to_arg32(3, "new file gid", gid)); 841 } 842 843 /* chmod start function */ 844 /*ARGSUSED*/ 845 static void 846 aus_chmod(struct t_audit_data *tad) 847 { 848 klwp_t *clwp = ttolwp(curthread); 849 uint32_t fmode; 850 851 struct a { 852 long fname; /* char * */ 853 long fmode; 854 } *uap = (struct a *)clwp->lwp_ap; 855 856 fmode = (uint32_t)uap->fmode; 857 858 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 859 } 860 861 /* chmod start function */ 862 /*ARGSUSED*/ 863 static void 864 aus_fchmod(struct t_audit_data *tad) 865 { 866 klwp_t *clwp = ttolwp(curthread); 867 uint32_t fmode, fd; 868 struct file *fp; 869 struct vnode *vp; 870 struct f_audit_data *fad; 871 872 struct a { 873 long fd; 874 long fmode; 875 } *uap = (struct a *)clwp->lwp_ap; 876 877 fd = (uint32_t)uap->fd; 878 fmode = (uint32_t)uap->fmode; 879 880 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 881 882 /* 883 * convert file pointer to file descriptor 884 * Note: fd ref count incremented here. 885 */ 886 if ((fp = getf(fd)) == NULL) 887 return; 888 889 /* get path from file struct here */ 890 fad = F2A(fp); 891 if (fad->fad_aupath != NULL) { 892 au_uwrite(au_to_path(fad->fad_aupath)); 893 } else { 894 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 895 } 896 897 vp = fp->f_vnode; 898 audit_attributes(vp); 899 900 /* decrement file descriptor reference count */ 901 releasef(fd); 902 } 903 904 905 /* convert open to appropriate event */ 906 static au_event_t 907 aui_open(au_event_t e) 908 { 909 klwp_t *clwp = ttolwp(curthread); 910 uint_t fm; 911 912 struct a { 913 long fnamep; /* char * */ 914 long fmode; 915 long cmode; 916 } *uap = (struct a *)clwp->lwp_ap; 917 918 fm = (uint_t)uap->fmode; 919 920 if (fm & O_WRONLY) 921 e = AUE_OPEN_W; 922 else if (fm & O_RDWR) 923 e = AUE_OPEN_RW; 924 else 925 e = AUE_OPEN_R; 926 927 if (fm & O_CREAT) 928 e += 1; 929 if (fm & O_TRUNC) 930 e += 2; 931 932 return (e); 933 } 934 935 /*ARGSUSED*/ 936 static void 937 aus_open(struct t_audit_data *tad) 938 { 939 klwp_t *clwp = ttolwp(curthread); 940 uint_t fm; 941 942 struct a { 943 long fnamep; /* char * */ 944 long fmode; 945 long cmode; 946 } *uap = (struct a *)clwp->lwp_ap; 947 948 fm = (uint_t)uap->fmode; 949 950 /* If no write, create, or trunc modes, mark as a public op */ 951 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 952 tad->tad_ctrl |= PAD_PUBLIC_EV; 953 } 954 955 /* convert openat(2) to appropriate event */ 956 static au_event_t 957 aui_fsat(au_event_t e) 958 { 959 t_audit_data_t *tad = U2A(u); 960 klwp_t *clwp = ttolwp(curthread); 961 uint_t fmcode, fm; 962 struct a { 963 long id; 964 long arg1; 965 long arg2; 966 long arg3; 967 long arg4; 968 long arg5; 969 } *uap = (struct a *)clwp->lwp_ap; 970 971 fmcode = (uint_t)uap->id; 972 973 switch (fmcode) { 974 975 case 0: /* openat */ 976 case 1: /* openat64 */ 977 fm = (uint_t)uap->arg3; 978 if (fm & O_WRONLY) 979 e = AUE_OPENAT_W; 980 else if (fm & O_RDWR) 981 e = AUE_OPENAT_RW; 982 else 983 e = AUE_OPENAT_R; 984 985 /* 986 * openat modes are defined in the following order: 987 * Read only 988 * Read|Create 989 * Read|Trunc 990 * Read|Create|Trunc 991 * Write Only 992 * Write|Create 993 * Write|Trunc 994 * Write|Create|Trunc * RW Only 995 * RW|Create 996 * RW|Trunc 997 * RW|Create|Trunc 998 */ 999 if (fm & O_CREAT) 1000 e += 1; /* increment to include CREAT in mode */ 1001 if (fm & O_TRUNC) 1002 e += 2; /* increment to include TRUNC in mode */ 1003 1004 /* convert to appropriate au_ctrl */ 1005 tad->tad_ctrl |= PAD_SAVPATH; 1006 if (fm & FXATTR) 1007 tad->tad_ctrl |= PAD_ATPATH; 1008 1009 1010 break; 1011 case 2: /* fstatat64 */ 1012 case 3: /* fstatat */ 1013 e = AUE_FSTATAT; 1014 break; 1015 case 4: /* fchownat */ 1016 e = AUE_FCHOWNAT; 1017 break; 1018 case 5: /* unlinkat */ 1019 e = AUE_UNLINKAT; 1020 break; 1021 case 6: /* futimesat */ 1022 e = AUE_FUTIMESAT; 1023 break; 1024 case 7: /* renameat */ 1025 e = AUE_RENAMEAT; 1026 break; 1027 case 8: /* faccessat */ 1028 e = AUE_FACCESSAT; 1029 break; 1030 case 9: /* __openattrdirat */ 1031 tad->tad_ctrl |= PAD_SAVPATH; 1032 /*FALLTHROUGH*/ 1033 default: 1034 e = AUE_NULL; 1035 break; 1036 } 1037 1038 return (e); 1039 } 1040 1041 /*ARGSUSED*/ 1042 static void 1043 aus_fsat(struct t_audit_data *tad) 1044 { 1045 klwp_t *clwp = ttolwp(curthread); 1046 uint_t fmcode, fm; 1047 struct a { 1048 long id; 1049 long arg1; 1050 long arg2; 1051 long arg3; 1052 long arg4; 1053 long arg5; 1054 } *uap = (struct a *)clwp->lwp_ap; 1055 1056 fmcode = (uint_t)uap->id; 1057 1058 switch (fmcode) { 1059 1060 case 0: /* openat */ 1061 case 1: /* openat64 */ 1062 fm = (uint_t)uap->arg3; 1063 /* If no write, create, or trunc modes, mark as a public op */ 1064 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1065 tad->tad_ctrl |= PAD_PUBLIC_EV; 1066 1067 break; 1068 case 2: /* fstatat64 */ 1069 case 3: /* fstatat */ 1070 tad->tad_ctrl |= PAD_PUBLIC_EV; 1071 break; 1072 default: 1073 break; 1074 } 1075 } 1076 1077 /* msgsys */ 1078 static au_event_t 1079 aui_msgsys(au_event_t e) 1080 { 1081 klwp_t *clwp = ttolwp(curthread); 1082 uint_t fm; 1083 1084 struct a { 1085 long id; /* function code id */ 1086 long ap; /* arg pointer for recvmsg */ 1087 } *uap = (struct a *)clwp->lwp_ap; 1088 1089 struct b { 1090 long msgid; 1091 long cmd; 1092 long buf; /* struct msqid_ds * */ 1093 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1094 1095 fm = (uint_t)uap->id; 1096 1097 switch (fm) { 1098 case 0: /* msgget */ 1099 e = AUE_MSGGET; 1100 break; 1101 case 1: /* msgctl */ 1102 switch ((uint_t)uap1->cmd) { 1103 case IPC_RMID: 1104 e = AUE_MSGCTL_RMID; 1105 break; 1106 case IPC_SET: 1107 e = AUE_MSGCTL_SET; 1108 break; 1109 case IPC_STAT: 1110 e = AUE_MSGCTL_STAT; 1111 break; 1112 default: 1113 e = AUE_MSGCTL; 1114 break; 1115 } 1116 break; 1117 case 2: /* msgrcv */ 1118 e = AUE_MSGRCV; 1119 break; 1120 case 3: /* msgsnd */ 1121 e = AUE_MSGSND; 1122 break; 1123 default: /* illegal system call */ 1124 e = AUE_NULL; 1125 break; 1126 } 1127 1128 return (e); 1129 } 1130 1131 1132 /* shmsys */ 1133 static au_event_t 1134 aui_shmsys(au_event_t e) 1135 { 1136 klwp_t *clwp = ttolwp(curthread); 1137 int fm; 1138 1139 struct a { /* shmsys */ 1140 long id; /* function code id */ 1141 } *uap = (struct a *)clwp->lwp_ap; 1142 1143 struct b { /* ctrl */ 1144 long shmid; 1145 long cmd; 1146 long arg; /* struct shmid_ds * */ 1147 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1148 fm = (uint_t)uap->id; 1149 1150 switch (fm) { 1151 case 0: /* shmat */ 1152 e = AUE_SHMAT; 1153 break; 1154 case 1: /* shmctl */ 1155 switch ((uint_t)uap1->cmd) { 1156 case IPC_RMID: 1157 e = AUE_SHMCTL_RMID; 1158 break; 1159 case IPC_SET: 1160 e = AUE_SHMCTL_SET; 1161 break; 1162 case IPC_STAT: 1163 e = AUE_SHMCTL_STAT; 1164 break; 1165 default: 1166 e = AUE_SHMCTL; 1167 break; 1168 } 1169 break; 1170 case 2: /* shmdt */ 1171 e = AUE_SHMDT; 1172 break; 1173 case 3: /* shmget */ 1174 e = AUE_SHMGET; 1175 break; 1176 default: /* illegal system call */ 1177 e = AUE_NULL; 1178 break; 1179 } 1180 1181 return (e); 1182 } 1183 1184 1185 /* semsys */ 1186 static au_event_t 1187 aui_semsys(au_event_t e) 1188 { 1189 klwp_t *clwp = ttolwp(curthread); 1190 uint_t fm; 1191 1192 struct a { /* semsys */ 1193 long id; 1194 } *uap = (struct a *)clwp->lwp_ap; 1195 1196 struct b { /* ctrl */ 1197 long semid; 1198 long semnum; 1199 long cmd; 1200 long arg; 1201 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1202 1203 fm = (uint_t)uap->id; 1204 1205 switch (fm) { 1206 case 0: /* semctl */ 1207 switch ((uint_t)uap1->cmd) { 1208 case IPC_RMID: 1209 e = AUE_SEMCTL_RMID; 1210 break; 1211 case IPC_SET: 1212 e = AUE_SEMCTL_SET; 1213 break; 1214 case IPC_STAT: 1215 e = AUE_SEMCTL_STAT; 1216 break; 1217 case GETNCNT: 1218 e = AUE_SEMCTL_GETNCNT; 1219 break; 1220 case GETPID: 1221 e = AUE_SEMCTL_GETPID; 1222 break; 1223 case GETVAL: 1224 e = AUE_SEMCTL_GETVAL; 1225 break; 1226 case GETALL: 1227 e = AUE_SEMCTL_GETALL; 1228 break; 1229 case GETZCNT: 1230 e = AUE_SEMCTL_GETZCNT; 1231 break; 1232 case SETVAL: 1233 e = AUE_SEMCTL_SETVAL; 1234 break; 1235 case SETALL: 1236 e = AUE_SEMCTL_SETALL; 1237 break; 1238 default: 1239 e = AUE_SEMCTL; 1240 break; 1241 } 1242 break; 1243 case 1: /* semget */ 1244 e = AUE_SEMGET; 1245 break; 1246 case 2: /* semop */ 1247 e = AUE_SEMOP; 1248 break; 1249 default: /* illegal system call */ 1250 e = AUE_NULL; 1251 break; 1252 } 1253 1254 return (e); 1255 } 1256 1257 /* utssys - uname(2), ustat(2), fusers(2) */ 1258 static au_event_t 1259 aui_utssys(au_event_t e) 1260 { 1261 klwp_t *clwp = ttolwp(curthread); 1262 uint_t type; 1263 1264 struct a { 1265 union { 1266 long cbuf; /* char * */ 1267 long ubuf; /* struct stat * */ 1268 } ub; 1269 union { 1270 long mv; /* for USTAT */ 1271 long flags; /* for FUSERS */ 1272 } un; 1273 long type; 1274 long outbp; /* char * for FUSERS */ 1275 } *uap = (struct a *)clwp->lwp_ap; 1276 1277 type = (uint_t)uap->type; 1278 1279 if (type == UTS_FUSERS) 1280 return (e); 1281 else 1282 return ((au_event_t)AUE_NULL); 1283 } 1284 1285 static au_event_t 1286 aui_fcntl(au_event_t e) 1287 { 1288 klwp_t *clwp = ttolwp(curthread); 1289 uint_t cmd; 1290 1291 struct a { 1292 long fdes; 1293 long cmd; 1294 long arg; 1295 } *uap = (struct a *)clwp->lwp_ap; 1296 1297 cmd = (uint_t)uap->cmd; 1298 1299 switch (cmd) { 1300 case F_GETLK: 1301 case F_SETLK: 1302 case F_SETLKW: 1303 break; 1304 case F_SETFL: 1305 case F_GETFL: 1306 case F_GETFD: 1307 break; 1308 default: 1309 e = (au_event_t)AUE_NULL; 1310 break; 1311 } 1312 return ((au_event_t)e); 1313 } 1314 1315 /* null function for now */ 1316 static au_event_t 1317 aui_execv(au_event_t e) 1318 { 1319 return (e); 1320 } 1321 1322 /* null function for now */ 1323 static au_event_t 1324 aui_execve(au_event_t e) 1325 { 1326 return (e); 1327 } 1328 1329 /*ARGSUSED*/ 1330 static void 1331 aus_fcntl(struct t_audit_data *tad) 1332 { 1333 klwp_t *clwp = ttolwp(curthread); 1334 uint32_t cmd, fd; 1335 struct file *fp; 1336 struct vnode *vp; 1337 struct f_audit_data *fad; 1338 1339 struct a { 1340 long fd; 1341 long cmd; 1342 long arg; 1343 } *uap = (struct a *)clwp->lwp_ap; 1344 1345 cmd = (uint32_t)uap->cmd; 1346 fd = (uint32_t)uap->fd; 1347 1348 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1349 1350 /* 1351 * convert file pointer to file descriptor 1352 * Note: fd ref count incremented here. 1353 */ 1354 if ((fp = getf(fd)) == NULL) 1355 return; 1356 1357 /* get path from file struct here */ 1358 fad = F2A(fp); 1359 if (fad->fad_aupath != NULL) { 1360 au_uwrite(au_to_path(fad->fad_aupath)); 1361 } else { 1362 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1363 } 1364 1365 vp = fp->f_vnode; 1366 audit_attributes(vp); 1367 1368 /* decrement file descriptor reference count */ 1369 releasef(fd); 1370 } 1371 1372 /*ARGSUSED*/ 1373 static void 1374 aus_kill(struct t_audit_data *tad) 1375 { 1376 klwp_t *clwp = ttolwp(curthread); 1377 struct proc *p; 1378 uint32_t signo; 1379 uid_t uid, ruid; 1380 gid_t gid, rgid; 1381 pid_t pid; 1382 const auditinfo_addr_t *ainfo; 1383 cred_t *cr; 1384 1385 struct a { 1386 long pid; 1387 long signo; 1388 } *uap = (struct a *)clwp->lwp_ap; 1389 1390 pid = (pid_t)uap->pid; 1391 signo = (uint32_t)uap->signo; 1392 1393 au_uwrite(au_to_arg32(2, "signal", signo)); 1394 if (pid > 0) { 1395 mutex_enter(&pidlock); 1396 if (((p = prfind(pid)) == (struct proc *)0) || 1397 (p->p_stat == SIDL)) { 1398 mutex_exit(&pidlock); 1399 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1400 return; 1401 } 1402 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1403 mutex_exit(&pidlock); 1404 1405 mutex_enter(&p->p_crlock); 1406 crhold(cr = p->p_cred); 1407 mutex_exit(&p->p_crlock); 1408 mutex_exit(&p->p_lock); 1409 1410 ainfo = crgetauinfo(cr); 1411 if (ainfo == NULL) { 1412 crfree(cr); 1413 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1414 return; 1415 } 1416 1417 uid = crgetuid(cr); 1418 gid = crgetgid(cr); 1419 ruid = crgetruid(cr); 1420 rgid = crgetrgid(cr); 1421 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1422 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1423 1424 if (is_system_labeled()) 1425 au_uwrite(au_to_label(CR_SL(cr))); 1426 1427 crfree(cr); 1428 } 1429 else 1430 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1431 } 1432 1433 /*ARGSUSED*/ 1434 static void 1435 aus_mkdir(struct t_audit_data *tad) 1436 { 1437 klwp_t *clwp = ttolwp(curthread); 1438 uint32_t dmode; 1439 1440 struct a { 1441 long dirnamep; /* char * */ 1442 long dmode; 1443 } *uap = (struct a *)clwp->lwp_ap; 1444 1445 dmode = (uint32_t)uap->dmode; 1446 1447 au_uwrite(au_to_arg32(2, "mode", dmode)); 1448 } 1449 1450 /*ARGSUSED*/ 1451 static void 1452 aus_mknod(struct t_audit_data *tad) 1453 { 1454 klwp_t *clwp = ttolwp(curthread); 1455 uint32_t fmode; 1456 dev_t dev; 1457 1458 struct a { 1459 long pnamep; /* char * */ 1460 long fmode; 1461 long dev; 1462 } *uap = (struct a *)clwp->lwp_ap; 1463 1464 fmode = (uint32_t)uap->fmode; 1465 dev = (dev_t)uap->dev; 1466 1467 au_uwrite(au_to_arg32(2, "mode", fmode)); 1468 #ifdef _LP64 1469 au_uwrite(au_to_arg64(3, "dev", dev)); 1470 #else 1471 au_uwrite(au_to_arg32(3, "dev", dev)); 1472 #endif 1473 } 1474 1475 /*ARGSUSED*/ 1476 static void 1477 aus_xmknod(struct t_audit_data *tad) 1478 { 1479 klwp_t *clwp = ttolwp(curthread); 1480 uint32_t fmode; 1481 dev_t dev; 1482 1483 struct a { 1484 long version; /* version */ 1485 long pnamep; /* char * */ 1486 long fmode; 1487 long dev; 1488 } *uap = (struct a *)clwp->lwp_ap; 1489 1490 fmode = (uint32_t)uap->fmode; 1491 dev = (dev_t)uap->dev; 1492 1493 au_uwrite(au_to_arg32(2, "mode", fmode)); 1494 #ifdef _LP64 1495 au_uwrite(au_to_arg64(3, "dev", dev)); 1496 #else 1497 au_uwrite(au_to_arg32(3, "dev", dev)); 1498 #endif 1499 } 1500 1501 /*ARGSUSED*/ 1502 static void 1503 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1504 { 1505 klwp_t *clwp = ttolwp(curthread); 1506 vnode_t *dvp; 1507 caddr_t pnamep; 1508 1509 struct a { 1510 long pnamep; /* char * */ 1511 long fmode; 1512 long dev; 1513 } *uap = (struct a *)clwp->lwp_ap; 1514 1515 /* no error, then already path token in audit record */ 1516 if (error != EPERM) 1517 return; 1518 1519 /* not auditing this event, nothing then to do */ 1520 if (tad->tad_flag == 0) 1521 return; 1522 1523 /* do the lookup to force generation of path token */ 1524 pnamep = (caddr_t)uap->pnamep; 1525 tad->tad_ctrl |= PAD_NOATTRB; 1526 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1527 if (error == 0) 1528 VN_RELE(dvp); 1529 } 1530 1531 /*ARGSUSED*/ 1532 static void 1533 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1534 { 1535 klwp_t *clwp = ttolwp(curthread); 1536 vnode_t *dvp; 1537 caddr_t pnamep; 1538 1539 struct a { 1540 long version; /* version */ 1541 long pnamep; /* char * */ 1542 long fmode; 1543 long dev; 1544 } *uap = (struct a *)clwp->lwp_arg; 1545 1546 1547 /* no error, then already path token in audit record */ 1548 if (error != EPERM) 1549 return; 1550 1551 /* not auditing this event, nothing then to do */ 1552 if (tad->tad_flag == 0) 1553 return; 1554 1555 /* do the lookup to force generation of path token */ 1556 pnamep = (caddr_t)uap->pnamep; 1557 tad->tad_ctrl |= PAD_NOATTRB; 1558 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1559 if (error == 0) 1560 VN_RELE(dvp); 1561 } 1562 1563 /*ARGSUSED*/ 1564 static void 1565 aus_mount(struct t_audit_data *tad) 1566 { /* AUS_START */ 1567 klwp_t *clwp = ttolwp(curthread); 1568 uint32_t flags; 1569 uintptr_t u_fstype, dataptr; 1570 STRUCT_DECL(nfs_args, nfsargs); 1571 size_t len; 1572 char *fstype, *hostname; 1573 1574 struct a { 1575 long spec; /* char * */ 1576 long dir; /* char * */ 1577 long flags; 1578 long fstype; /* char * */ 1579 long dataptr; /* char * */ 1580 long datalen; 1581 } *uap = (struct a *)clwp->lwp_ap; 1582 1583 u_fstype = (uintptr_t)uap->fstype; 1584 flags = (uint32_t)uap->flags; 1585 dataptr = (uintptr_t)uap->dataptr; 1586 1587 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1588 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1589 goto mount_free_fstype; 1590 1591 au_uwrite(au_to_arg32(3, "flags", flags)); 1592 au_uwrite(au_to_text(fstype)); 1593 1594 if (strncmp(fstype, "nfs", 3) == 0) { 1595 1596 STRUCT_INIT(nfsargs, get_udatamodel()); 1597 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1598 1599 if (copyin((caddr_t)dataptr, 1600 STRUCT_BUF(nfsargs), 1601 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1602 /* DEBUG debug_enter((char *)NULL); */ 1603 goto mount_free_fstype; 1604 } 1605 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1606 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1607 (caddr_t)hostname, 1608 MAXNAMELEN, &len)) { 1609 goto mount_free_hostname; 1610 } 1611 au_uwrite(au_to_text(hostname)); 1612 au_uwrite(au_to_arg32(3, "internal flags", 1613 (uint_t)STRUCT_FGET(nfsargs, flags))); 1614 1615 mount_free_hostname: 1616 kmem_free(hostname, MAXNAMELEN); 1617 } 1618 1619 mount_free_fstype: 1620 kmem_free(fstype, MAXNAMELEN); 1621 } /* AUS_MOUNT */ 1622 1623 static void 1624 aus_umount_path(caddr_t umount_dir) 1625 { 1626 char *dir_path; 1627 struct audit_path *path; 1628 size_t path_len, dir_len; 1629 1630 /* length alloc'd for two string pointers */ 1631 path_len = sizeof (struct audit_path) + sizeof (char *); 1632 path = kmem_alloc(path_len, KM_SLEEP); 1633 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1634 1635 if (copyinstr(umount_dir, (caddr_t)dir_path, 1636 MAXPATHLEN, &dir_len)) 1637 goto umount2_free_dir; 1638 1639 /* 1640 * the audit_path struct assumes that the buffer pointed to 1641 * by audp_sect[n] contains string 0 immediatedly followed 1642 * by string 1. 1643 */ 1644 path->audp_sect[0] = dir_path; 1645 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1646 path->audp_size = path_len; 1647 path->audp_ref = 1; /* not used */ 1648 path->audp_cnt = 1; /* one path string */ 1649 1650 au_uwrite(au_to_path(path)); 1651 1652 umount2_free_dir: 1653 kmem_free(dir_path, MAXPATHLEN); 1654 kmem_free(path, path_len); 1655 } 1656 1657 /* 1658 * the umount syscall is implemented as a call to umount2, but the args 1659 * are different... 1660 */ 1661 1662 /*ARGSUSED*/ 1663 static void 1664 aus_umount(struct t_audit_data *tad) 1665 { 1666 klwp_t *clwp = ttolwp(curthread); 1667 struct a { 1668 long dir; /* char * */ 1669 } *uap = (struct a *)clwp->lwp_ap; 1670 1671 aus_umount_path((caddr_t)uap->dir); 1672 } 1673 1674 /*ARGSUSED*/ 1675 static void 1676 aus_umount2(struct t_audit_data *tad) 1677 { 1678 klwp_t *clwp = ttolwp(curthread); 1679 struct a { 1680 long dir; /* char * */ 1681 long flags; 1682 } *uap = (struct a *)clwp->lwp_ap; 1683 1684 aus_umount_path((caddr_t)uap->dir); 1685 1686 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1687 } 1688 1689 static void 1690 aus_msgsys(struct t_audit_data *tad) 1691 { 1692 klwp_t *clwp = ttolwp(curthread); 1693 uint32_t msgid; 1694 1695 struct b { 1696 long msgid; 1697 long cmd; 1698 long buf; /* struct msqid_ds * */ 1699 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1700 1701 msgid = (uint32_t)uap1->msgid; 1702 1703 1704 switch (tad->tad_event) { 1705 case AUE_MSGGET: /* msgget */ 1706 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1707 break; 1708 case AUE_MSGCTL: /* msgctl */ 1709 case AUE_MSGCTL_RMID: /* msgctl */ 1710 case AUE_MSGCTL_SET: /* msgctl */ 1711 case AUE_MSGCTL_STAT: /* msgctl */ 1712 case AUE_MSGRCV: /* msgrcv */ 1713 case AUE_MSGSND: /* msgsnd */ 1714 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1715 break; 1716 } 1717 } 1718 1719 /*ARGSUSED*/ 1720 static void 1721 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1722 { 1723 int id; 1724 1725 if (error != 0) 1726 return; 1727 if (tad->tad_event == AUE_MSGGET) { 1728 uint32_t scid; 1729 uint32_t sy_flags; 1730 1731 /* need to determine type of executing binary */ 1732 scid = tad->tad_scid; 1733 #ifdef _SYSCALL32_IMPL 1734 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1735 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1736 else 1737 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1738 #else 1739 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1740 #endif 1741 if (sy_flags == SE_32RVAL1) 1742 id = rval->r_val1; 1743 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1744 id = rval->r_val1; 1745 if (sy_flags == SE_64RVAL) 1746 id = (int)rval->r_vals; 1747 1748 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1749 } 1750 } 1751 1752 static void 1753 aus_semsys(struct t_audit_data *tad) 1754 { 1755 klwp_t *clwp = ttolwp(curthread); 1756 uint32_t semid; 1757 1758 struct b { /* ctrl */ 1759 long semid; 1760 long semnum; 1761 long cmd; 1762 long arg; 1763 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1764 1765 semid = (uint32_t)uap1->semid; 1766 1767 switch (tad->tad_event) { 1768 case AUE_SEMCTL_RMID: 1769 case AUE_SEMCTL_STAT: 1770 case AUE_SEMCTL_GETNCNT: 1771 case AUE_SEMCTL_GETPID: 1772 case AUE_SEMCTL_GETVAL: 1773 case AUE_SEMCTL_GETALL: 1774 case AUE_SEMCTL_GETZCNT: 1775 case AUE_SEMCTL_SET: 1776 case AUE_SEMCTL_SETVAL: 1777 case AUE_SEMCTL_SETALL: 1778 case AUE_SEMCTL: 1779 case AUE_SEMOP: 1780 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1781 break; 1782 case AUE_SEMGET: 1783 au_uwrite(au_to_arg32(1, "sem key", semid)); 1784 break; 1785 } 1786 } 1787 1788 /*ARGSUSED*/ 1789 static void 1790 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1791 { 1792 int id; 1793 1794 if (error != 0) 1795 return; 1796 if (tad->tad_event == AUE_SEMGET) { 1797 uint32_t scid; 1798 uint32_t sy_flags; 1799 1800 /* need to determine type of executing binary */ 1801 scid = tad->tad_scid; 1802 #ifdef _SYSCALL32_IMPL 1803 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1804 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1805 else 1806 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1807 #else 1808 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1809 #endif 1810 if (sy_flags == SE_32RVAL1) 1811 id = rval->r_val1; 1812 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1813 id = rval->r_val1; 1814 if (sy_flags == SE_64RVAL) 1815 id = (int)rval->r_vals; 1816 1817 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1818 } 1819 } 1820 1821 /*ARGSUSED*/ 1822 static void 1823 aus_close(struct t_audit_data *tad) 1824 { 1825 klwp_t *clwp = ttolwp(curthread); 1826 uint32_t fd; 1827 struct file *fp; 1828 struct f_audit_data *fad; 1829 struct vnode *vp; 1830 struct vattr attr; 1831 au_kcontext_t *kctx = GET_KCTX_PZ; 1832 1833 struct a { 1834 long i; 1835 } *uap = (struct a *)clwp->lwp_ap; 1836 1837 fd = (uint32_t)uap->i; 1838 1839 attr.va_mask = 0; 1840 au_uwrite(au_to_arg32(1, "fd", fd)); 1841 1842 /* 1843 * convert file pointer to file descriptor 1844 * Note: fd ref count incremented here. 1845 */ 1846 if ((fp = getf(fd)) == NULL) 1847 return; 1848 1849 fad = F2A(fp); 1850 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1851 if (fad->fad_aupath != NULL) { 1852 au_uwrite(au_to_path(fad->fad_aupath)); 1853 if ((vp = fp->f_vnode) != NULL) { 1854 attr.va_mask = AT_ALL; 1855 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1856 /* 1857 * When write was not used and the file can be 1858 * considered public, skip the audit. 1859 */ 1860 if (((fp->f_flag & FWRITE) == 0) && 1861 file_is_public(&attr)) { 1862 tad->tad_flag = 0; 1863 tad->tad_evmod = 0; 1864 /* free any residual audit data */ 1865 au_close(kctx, &(u_ad), 0, 0, 0); 1866 releasef(fd); 1867 return; 1868 } 1869 au_uwrite(au_to_attr(&attr)); 1870 audit_sec_attributes(&(u_ad), vp); 1871 } 1872 } 1873 } 1874 1875 /* decrement file descriptor reference count */ 1876 releasef(fd); 1877 } 1878 1879 /*ARGSUSED*/ 1880 static void 1881 aus_fstatfs(struct t_audit_data *tad) 1882 { 1883 klwp_t *clwp = ttolwp(curthread); 1884 uint32_t fd; 1885 struct file *fp; 1886 struct vnode *vp; 1887 struct f_audit_data *fad; 1888 1889 struct a { 1890 long fd; 1891 long buf; /* struct statfs * */ 1892 } *uap = (struct a *)clwp->lwp_ap; 1893 1894 fd = (uint_t)uap->fd; 1895 1896 /* 1897 * convert file pointer to file descriptor 1898 * Note: fd ref count incremented here. 1899 */ 1900 if ((fp = getf(fd)) == NULL) 1901 return; 1902 1903 /* get path from file struct here */ 1904 fad = F2A(fp); 1905 if (fad->fad_aupath != NULL) { 1906 au_uwrite(au_to_path(fad->fad_aupath)); 1907 } else { 1908 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1909 } 1910 1911 vp = fp->f_vnode; 1912 audit_attributes(vp); 1913 1914 /* decrement file descriptor reference count */ 1915 releasef(fd); 1916 } 1917 1918 static au_event_t 1919 aui_setpgrp(au_event_t e) 1920 { 1921 klwp_t *clwp = ttolwp(curthread); 1922 int flag; 1923 1924 struct a { 1925 long flag; 1926 long pid; 1927 long pgid; 1928 } *uap = (struct a *)clwp->lwp_ap; 1929 1930 flag = (int)uap->flag; 1931 1932 1933 switch (flag) { 1934 1935 case 1: /* setpgrp() */ 1936 e = AUE_SETPGRP; 1937 break; 1938 1939 case 3: /* setsid() */ 1940 e = AUE_SETSID; 1941 break; 1942 1943 case 5: /* setpgid() */ 1944 e = AUE_SETPGID; 1945 break; 1946 1947 case 0: /* getpgrp() - not security relevant */ 1948 case 2: /* getsid() - not security relevant */ 1949 case 4: /* getpgid() - not security relevant */ 1950 e = AUE_NULL; 1951 break; 1952 1953 default: 1954 e = AUE_NULL; 1955 break; 1956 } 1957 1958 return (e); 1959 } 1960 1961 /*ARGSUSED*/ 1962 static void 1963 aus_setpgrp(struct t_audit_data *tad) 1964 { 1965 klwp_t *clwp = ttolwp(curthread); 1966 pid_t pgid; 1967 struct proc *p; 1968 uid_t uid, ruid; 1969 gid_t gid, rgid; 1970 pid_t pid; 1971 cred_t *cr; 1972 int flag; 1973 const auditinfo_addr_t *ainfo; 1974 1975 struct a { 1976 long flag; 1977 long pid; 1978 long pgid; 1979 } *uap = (struct a *)clwp->lwp_ap; 1980 1981 flag = (int)uap->flag; 1982 pid = (pid_t)uap->pid; 1983 pgid = (pid_t)uap->pgid; 1984 1985 1986 switch (flag) { 1987 1988 case 0: /* getpgrp() */ 1989 case 1: /* setpgrp() */ 1990 case 2: /* getsid() */ 1991 case 3: /* setsid() */ 1992 case 4: /* getpgid() */ 1993 break; 1994 1995 case 5: /* setpgid() */ 1996 1997 /* current process? */ 1998 if (pid == 0) { 1999 return; 2000 } 2001 2002 mutex_enter(&pidlock); 2003 p = prfind(pid); 2004 if (p == NULL || p->p_as == &kas || 2005 p->p_stat == SIDL || p->p_stat == SZOMB) { 2006 mutex_exit(&pidlock); 2007 return; 2008 } 2009 mutex_enter(&p->p_lock); /* so process doesn't go away */ 2010 mutex_exit(&pidlock); 2011 2012 mutex_enter(&p->p_crlock); 2013 crhold(cr = p->p_cred); 2014 mutex_exit(&p->p_crlock); 2015 mutex_exit(&p->p_lock); 2016 2017 ainfo = crgetauinfo(cr); 2018 if (ainfo == NULL) { 2019 crfree(cr); 2020 return; 2021 } 2022 2023 uid = crgetuid(cr); 2024 gid = crgetgid(cr); 2025 ruid = crgetruid(cr); 2026 rgid = crgetrgid(cr); 2027 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2028 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2029 crfree(cr); 2030 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2031 break; 2032 2033 default: 2034 break; 2035 } 2036 } 2037 2038 2039 /*ARGSUSED*/ 2040 static void 2041 aus_setregid(struct t_audit_data *tad) 2042 { 2043 klwp_t *clwp = ttolwp(curthread); 2044 uint32_t rgid, egid; 2045 2046 struct a { 2047 long rgid; 2048 long egid; 2049 } *uap = (struct a *)clwp->lwp_ap; 2050 2051 rgid = (uint32_t)uap->rgid; 2052 egid = (uint32_t)uap->egid; 2053 2054 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2055 au_uwrite(au_to_arg32(2, "egid", egid)); 2056 } 2057 2058 /*ARGSUSED*/ 2059 static void 2060 aus_setgid(struct t_audit_data *tad) 2061 { 2062 klwp_t *clwp = ttolwp(curthread); 2063 uint32_t gid; 2064 2065 struct a { 2066 long gid; 2067 } *uap = (struct a *)clwp->lwp_ap; 2068 2069 gid = (uint32_t)uap->gid; 2070 2071 au_uwrite(au_to_arg32(1, "gid", gid)); 2072 } 2073 2074 2075 /*ARGSUSED*/ 2076 static void 2077 aus_setreuid(struct t_audit_data *tad) 2078 { 2079 klwp_t *clwp = ttolwp(curthread); 2080 uint32_t ruid, euid; 2081 2082 struct a { 2083 long ruid; 2084 long euid; 2085 } *uap = (struct a *)clwp->lwp_ap; 2086 2087 ruid = (uint32_t)uap->ruid; 2088 euid = (uint32_t)uap->euid; 2089 2090 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2091 au_uwrite(au_to_arg32(2, "euid", euid)); 2092 } 2093 2094 2095 /*ARGSUSED*/ 2096 static void 2097 aus_setuid(struct t_audit_data *tad) 2098 { 2099 klwp_t *clwp = ttolwp(curthread); 2100 uint32_t uid; 2101 2102 struct a { 2103 long uid; 2104 } *uap = (struct a *)clwp->lwp_ap; 2105 2106 uid = (uint32_t)uap->uid; 2107 2108 au_uwrite(au_to_arg32(1, "uid", uid)); 2109 } 2110 2111 /*ARGSUSED*/ 2112 static void 2113 aus_shmsys(struct t_audit_data *tad) 2114 { 2115 klwp_t *clwp = ttolwp(curthread); 2116 uint32_t id, cmd; 2117 2118 struct b { 2119 long id; 2120 long cmd; 2121 long buf; /* struct shmid_ds * */ 2122 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2123 2124 id = (uint32_t)uap1->id; 2125 cmd = (uint32_t)uap1->cmd; 2126 2127 switch (tad->tad_event) { 2128 case AUE_SHMGET: /* shmget */ 2129 au_uwrite(au_to_arg32(1, "shm key", id)); 2130 break; 2131 case AUE_SHMCTL: /* shmctl */ 2132 case AUE_SHMCTL_RMID: /* shmctl */ 2133 case AUE_SHMCTL_STAT: /* shmctl */ 2134 case AUE_SHMCTL_SET: /* shmctl */ 2135 au_uwrite(au_to_arg32(1, "shm ID", id)); 2136 break; 2137 case AUE_SHMDT: /* shmdt */ 2138 au_uwrite(au_to_arg32(1, "shm adr", id)); 2139 break; 2140 case AUE_SHMAT: /* shmat */ 2141 au_uwrite(au_to_arg32(1, "shm ID", id)); 2142 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2143 break; 2144 } 2145 } 2146 2147 /*ARGSUSED*/ 2148 static void 2149 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2150 { 2151 int id; 2152 2153 if (error != 0) 2154 return; 2155 if (tad->tad_event == AUE_SHMGET) { 2156 uint32_t scid; 2157 uint32_t sy_flags; 2158 2159 /* need to determine type of executing binary */ 2160 scid = tad->tad_scid; 2161 #ifdef _SYSCALL32_IMPL 2162 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2163 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2164 else 2165 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2166 #else 2167 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2168 #endif 2169 if (sy_flags == SE_32RVAL1) 2170 id = rval->r_val1; 2171 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2172 id = rval->r_val1; 2173 if (sy_flags == SE_64RVAL) 2174 id = (int)rval->r_vals; 2175 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2176 } 2177 } 2178 2179 2180 /*ARGSUSED*/ 2181 static void 2182 aus_ioctl(struct t_audit_data *tad) 2183 { 2184 klwp_t *clwp = ttolwp(curthread); 2185 struct file *fp; 2186 struct vnode *vp; 2187 struct f_audit_data *fad; 2188 uint32_t fd, cmd; 2189 uintptr_t cmarg; 2190 2191 /* XX64 */ 2192 struct a { 2193 long fd; 2194 long cmd; 2195 long cmarg; /* caddr_t */ 2196 } *uap = (struct a *)clwp->lwp_ap; 2197 2198 fd = (uint32_t)uap->fd; 2199 cmd = (uint32_t)uap->cmd; 2200 cmarg = (uintptr_t)uap->cmarg; 2201 2202 /* 2203 * convert file pointer to file descriptor 2204 * Note: fd ref count incremented here. 2205 */ 2206 if ((fp = getf(fd)) == NULL) { 2207 au_uwrite(au_to_arg32(1, "fd", fd)); 2208 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2209 #ifndef _LP64 2210 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2211 #else 2212 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2213 #endif 2214 return; 2215 } 2216 2217 /* get path from file struct here */ 2218 fad = F2A(fp); 2219 if (fad->fad_aupath != NULL) { 2220 au_uwrite(au_to_path(fad->fad_aupath)); 2221 } else { 2222 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2223 } 2224 2225 vp = fp->f_vnode; 2226 audit_attributes(vp); 2227 2228 /* decrement file descriptor reference count */ 2229 releasef(fd); 2230 2231 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2232 #ifndef _LP64 2233 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2234 #else 2235 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2236 #endif 2237 } 2238 2239 /* 2240 * null function for memcntl for now. We might want to limit memcntl() 2241 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2242 * require privileges. 2243 */ 2244 static au_event_t 2245 aui_memcntl(au_event_t e) 2246 { 2247 return (e); 2248 } 2249 2250 /*ARGSUSED*/ 2251 static au_event_t 2252 aui_privsys(au_event_t e) 2253 { 2254 klwp_t *clwp = ttolwp(curthread); 2255 2256 struct a { 2257 long opcode; 2258 } *uap = (struct a *)clwp->lwp_ap; 2259 2260 switch (uap->opcode) { 2261 case PRIVSYS_SETPPRIV: 2262 return (AUE_SETPPRIV); 2263 default: 2264 return (AUE_NULL); 2265 } 2266 } 2267 2268 /*ARGSUSED*/ 2269 static void 2270 aus_memcntl(struct t_audit_data *tad) 2271 { 2272 klwp_t *clwp = ttolwp(curthread); 2273 2274 struct a { 2275 long addr; 2276 long len; 2277 long cmd; 2278 long arg; 2279 long attr; 2280 long mask; 2281 } *uap = (struct a *)clwp->lwp_ap; 2282 2283 #ifdef _LP64 2284 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2285 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2286 #else 2287 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2288 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2289 #endif 2290 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2291 #ifdef _LP64 2292 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2293 #else 2294 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2295 #endif 2296 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2297 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2298 } 2299 2300 /*ARGSUSED*/ 2301 static void 2302 aus_mmap(struct t_audit_data *tad) 2303 { 2304 klwp_t *clwp = ttolwp(curthread); 2305 struct file *fp; 2306 struct f_audit_data *fad; 2307 struct vnode *vp; 2308 uint32_t fd; 2309 2310 struct a { 2311 long addr; 2312 long len; 2313 long prot; 2314 long flags; 2315 long fd; 2316 long pos; 2317 } *uap = (struct a *)clwp->lwp_ap; 2318 2319 fd = (uint32_t)uap->fd; 2320 2321 #ifdef _LP64 2322 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2323 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2324 #else 2325 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2326 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2327 #endif 2328 2329 if ((fp = getf(fd)) == NULL) { 2330 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2331 return; 2332 } 2333 2334 /* 2335 * Mark in the tad if write access is NOT requested... if 2336 * this is later detected (in audit_attributes) to be a 2337 * public object, the mmap event may be discarded. 2338 */ 2339 if (((uap->prot) & PROT_WRITE) == 0) { 2340 tad->tad_ctrl |= PAD_PUBLIC_EV; 2341 } 2342 2343 fad = F2A(fp); 2344 if (fad->fad_aupath != NULL) { 2345 au_uwrite(au_to_path(fad->fad_aupath)); 2346 } else { 2347 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2348 } 2349 2350 vp = (struct vnode *)fp->f_vnode; 2351 audit_attributes(vp); 2352 2353 /* mark READ/WRITE since we can't predict access */ 2354 if (uap->prot & PROT_READ) 2355 fad->fad_flags |= FAD_READ; 2356 if (uap->prot & PROT_WRITE) 2357 fad->fad_flags |= FAD_WRITE; 2358 2359 /* decrement file descriptor reference count */ 2360 releasef(fd); 2361 2362 } /* AUS_MMAP */ 2363 2364 2365 2366 2367 /*ARGSUSED*/ 2368 static void 2369 aus_munmap(struct t_audit_data *tad) 2370 { 2371 klwp_t *clwp = ttolwp(curthread); 2372 2373 struct a { 2374 long addr; 2375 long len; 2376 } *uap = (struct a *)clwp->lwp_ap; 2377 2378 #ifdef _LP64 2379 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2380 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2381 #else 2382 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2383 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2384 #endif 2385 2386 } /* AUS_MUNMAP */ 2387 2388 2389 2390 2391 2392 2393 2394 /*ARGSUSED*/ 2395 static void 2396 aus_priocntlsys(struct t_audit_data *tad) 2397 { 2398 klwp_t *clwp = ttolwp(curthread); 2399 2400 struct a { 2401 long pc_version; 2402 long psp; /* procset_t */ 2403 long cmd; 2404 long arg; 2405 } *uap = (struct a *)clwp->lwp_ap; 2406 2407 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2408 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2409 2410 } /* AUS_PRIOCNTLSYS */ 2411 2412 2413 /*ARGSUSED*/ 2414 static void 2415 aus_setegid(struct t_audit_data *tad) 2416 { 2417 klwp_t *clwp = ttolwp(curthread); 2418 uint32_t gid; 2419 2420 struct a { 2421 long gid; 2422 } *uap = (struct a *)clwp->lwp_ap; 2423 2424 gid = (uint32_t)uap->gid; 2425 2426 au_uwrite(au_to_arg32(1, "gid", gid)); 2427 } /* AUS_SETEGID */ 2428 2429 2430 2431 2432 /*ARGSUSED*/ 2433 static void 2434 aus_setgroups(struct t_audit_data *tad) 2435 { 2436 klwp_t *clwp = ttolwp(curthread); 2437 int i; 2438 int gidsetsize; 2439 uintptr_t gidset; 2440 gid_t *gidlist; 2441 2442 struct a { 2443 long gidsetsize; 2444 long gidset; 2445 } *uap = (struct a *)clwp->lwp_ap; 2446 2447 gidsetsize = (uint_t)uap->gidsetsize; 2448 gidset = (uintptr_t)uap->gidset; 2449 2450 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2451 return; 2452 if (gidsetsize != 0) { 2453 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2454 KM_SLEEP); 2455 if (copyin((caddr_t)gidset, gidlist, 2456 gidsetsize * sizeof (gid_t)) == 0) 2457 for (i = 0; i < gidsetsize; i++) 2458 au_uwrite(au_to_arg32(1, "setgroups", 2459 (uint32_t)gidlist[i])); 2460 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2461 } else 2462 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2463 2464 } /* AUS_SETGROUPS */ 2465 2466 2467 2468 2469 2470 /*ARGSUSED*/ 2471 static void 2472 aus_seteuid(struct t_audit_data *tad) 2473 { 2474 klwp_t *clwp = ttolwp(curthread); 2475 uint32_t uid; 2476 2477 struct a { 2478 long uid; 2479 } *uap = (struct a *)clwp->lwp_ap; 2480 2481 uid = (uint32_t)uap->uid; 2482 2483 au_uwrite(au_to_arg32(1, "euid", uid)); 2484 2485 } /* AUS_SETEUID */ 2486 2487 /*ARGSUSED*/ 2488 static void 2489 aus_putmsg(struct t_audit_data *tad) 2490 { 2491 klwp_t *clwp = ttolwp(curthread); 2492 uint32_t fd, pri; 2493 struct file *fp; 2494 struct f_audit_data *fad; 2495 2496 struct a { 2497 long fdes; 2498 long ctl; /* struct strbuf * */ 2499 long data; /* struct strbuf * */ 2500 long pri; 2501 } *uap = (struct a *)clwp->lwp_ap; 2502 2503 fd = (uint32_t)uap->fdes; 2504 pri = (uint32_t)uap->pri; 2505 2506 au_uwrite(au_to_arg32(1, "fd", fd)); 2507 2508 if ((fp = getf(fd)) != NULL) { 2509 fad = F2A(fp); 2510 2511 fad->fad_flags |= FAD_WRITE; 2512 2513 /* add path name to audit record */ 2514 if (fad->fad_aupath != NULL) { 2515 au_uwrite(au_to_path(fad->fad_aupath)); 2516 } 2517 audit_attributes(fp->f_vnode); 2518 2519 releasef(fd); 2520 } 2521 2522 au_uwrite(au_to_arg32(4, "pri", pri)); 2523 } 2524 2525 /*ARGSUSED*/ 2526 static void 2527 aus_putpmsg(struct t_audit_data *tad) 2528 { 2529 klwp_t *clwp = ttolwp(curthread); 2530 uint32_t fd, pri, flags; 2531 struct file *fp; 2532 struct f_audit_data *fad; 2533 2534 struct a { 2535 long fdes; 2536 long ctl; /* struct strbuf * */ 2537 long data; /* struct strbuf * */ 2538 long pri; 2539 long flags; 2540 } *uap = (struct a *)clwp->lwp_ap; 2541 2542 fd = (uint32_t)uap->fdes; 2543 pri = (uint32_t)uap->pri; 2544 flags = (uint32_t)uap->flags; 2545 2546 au_uwrite(au_to_arg32(1, "fd", fd)); 2547 2548 if ((fp = getf(fd)) != NULL) { 2549 fad = F2A(fp); 2550 2551 fad->fad_flags |= FAD_WRITE; 2552 2553 /* add path name to audit record */ 2554 if (fad->fad_aupath != NULL) { 2555 au_uwrite(au_to_path(fad->fad_aupath)); 2556 } 2557 audit_attributes(fp->f_vnode); 2558 2559 releasef(fd); 2560 } 2561 2562 2563 au_uwrite(au_to_arg32(4, "pri", pri)); 2564 au_uwrite(au_to_arg32(5, "flags", flags)); 2565 } 2566 2567 /*ARGSUSED*/ 2568 static void 2569 aus_getmsg(struct t_audit_data *tad) 2570 { 2571 klwp_t *clwp = ttolwp(curthread); 2572 uint32_t fd, pri; 2573 struct file *fp; 2574 struct f_audit_data *fad; 2575 2576 struct a { 2577 long fdes; 2578 long ctl; /* struct strbuf * */ 2579 long data; /* struct strbuf * */ 2580 long pri; 2581 } *uap = (struct a *)clwp->lwp_ap; 2582 2583 fd = (uint32_t)uap->fdes; 2584 pri = (uint32_t)uap->pri; 2585 2586 au_uwrite(au_to_arg32(1, "fd", fd)); 2587 2588 if ((fp = getf(fd)) != NULL) { 2589 fad = F2A(fp); 2590 2591 /* 2592 * read operation on this object 2593 */ 2594 fad->fad_flags |= FAD_READ; 2595 2596 /* add path name to audit record */ 2597 if (fad->fad_aupath != NULL) { 2598 au_uwrite(au_to_path(fad->fad_aupath)); 2599 } 2600 audit_attributes(fp->f_vnode); 2601 2602 releasef(fd); 2603 } 2604 2605 au_uwrite(au_to_arg32(4, "pri", pri)); 2606 } 2607 2608 /*ARGSUSED*/ 2609 static void 2610 aus_getpmsg(struct t_audit_data *tad) 2611 { 2612 klwp_t *clwp = ttolwp(curthread); 2613 uint32_t fd; 2614 struct file *fp; 2615 struct f_audit_data *fad; 2616 2617 struct a { 2618 long fdes; 2619 long ctl; /* struct strbuf * */ 2620 long data; /* struct strbuf * */ 2621 long pri; 2622 long flags; 2623 } *uap = (struct a *)clwp->lwp_ap; 2624 2625 fd = (uint32_t)uap->fdes; 2626 2627 au_uwrite(au_to_arg32(1, "fd", fd)); 2628 2629 if ((fp = getf(fd)) != NULL) { 2630 fad = F2A(fp); 2631 2632 /* 2633 * read operation on this object 2634 */ 2635 fad->fad_flags |= FAD_READ; 2636 2637 /* add path name to audit record */ 2638 if (fad->fad_aupath != NULL) { 2639 au_uwrite(au_to_path(fad->fad_aupath)); 2640 } 2641 audit_attributes(fp->f_vnode); 2642 2643 releasef(fd); 2644 } 2645 } 2646 2647 static au_event_t 2648 aui_labelsys(au_event_t e) 2649 { 2650 klwp_t *clwp = ttolwp(curthread); 2651 uint32_t code; 2652 uint32_t cmd; 2653 2654 struct a { 2655 long code; 2656 long cmd; 2657 } *uap = (struct a *)clwp->lwp_ap; 2658 2659 code = (uint32_t)uap->code; 2660 cmd = (uint32_t)uap->cmd; 2661 2662 /* not security relevant if not changing kernel cache */ 2663 if (cmd == TNDB_GET) 2664 return (AUE_NULL); 2665 2666 switch (code) { 2667 case TSOL_TNRH: 2668 e = AUE_LABELSYS_TNRH; 2669 break; 2670 case TSOL_TNRHTP: 2671 e = AUE_LABELSYS_TNRHTP; 2672 break; 2673 case TSOL_TNMLP: 2674 e = AUE_LABELSYS_TNMLP; 2675 break; 2676 default: 2677 e = AUE_NULL; 2678 break; 2679 } 2680 2681 return (e); 2682 2683 } 2684 2685 static void 2686 aus_labelsys(struct t_audit_data *tad) 2687 { 2688 klwp_t *clwp = ttolwp(curthread); 2689 uint32_t cmd; 2690 uintptr_t a2; 2691 2692 struct a { 2693 long code; 2694 long cmd; 2695 long a2; 2696 } *uap = (struct a *)clwp->lwp_ap; 2697 2698 cmd = (uint32_t)uap->cmd; 2699 a2 = (uintptr_t)uap->a2; 2700 2701 switch (tad->tad_event) { 2702 case AUE_LABELSYS_TNRH: 2703 { 2704 tsol_rhent_t *rhent; 2705 tnaddr_t *rh_addr; 2706 2707 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2708 2709 /* Remaining args don't apply for FLUSH, so skip */ 2710 if (cmd == TNDB_FLUSH) 2711 break; 2712 2713 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2714 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2715 kmem_free(rhent, sizeof (tsol_rhent_t)); 2716 return; 2717 } 2718 2719 rh_addr = &rhent->rh_address; 2720 if (rh_addr->ta_family == AF_INET) { 2721 struct in_addr *ipaddr; 2722 2723 ipaddr = &(rh_addr->ta_addr_v4); 2724 au_uwrite(au_to_in_addr(ipaddr)); 2725 } else if (rh_addr->ta_family == AF_INET6) { 2726 int32_t *ipaddr; 2727 2728 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2729 au_uwrite(au_to_in_addr_ex(ipaddr)); 2730 } 2731 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2732 2733 kmem_free(rhent, sizeof (tsol_rhent_t)); 2734 2735 break; 2736 } 2737 case AUE_LABELSYS_TNRHTP: 2738 { 2739 tsol_tpent_t *tpent; 2740 2741 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2742 2743 /* Remaining args don't apply for FLUSH, so skip */ 2744 if (cmd == TNDB_FLUSH) 2745 break; 2746 2747 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2748 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2749 kmem_free(tpent, sizeof (tsol_tpent_t)); 2750 return; 2751 } 2752 2753 /* Make sure that the template name is null-terminated. */ 2754 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2755 2756 au_uwrite(au_to_text(tpent->name)); 2757 kmem_free(tpent, sizeof (tsol_tpent_t)); 2758 2759 break; 2760 } 2761 case AUE_LABELSYS_TNMLP: 2762 { 2763 tsol_mlpent_t *mlpent; 2764 2765 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2766 2767 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2768 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2769 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2770 return; 2771 } 2772 2773 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2774 au_uwrite(au_to_text("shared")); 2775 } else { 2776 zone_t *zone; 2777 2778 zone = zone_find_by_id(mlpent->tsme_zoneid); 2779 if (zone != NULL) { 2780 au_uwrite(au_to_text(zone->zone_name)); 2781 zone_rele(zone); 2782 } 2783 } 2784 2785 /* Remaining args don't apply for FLUSH, so skip */ 2786 if (cmd == TNDB_FLUSH) { 2787 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2788 break; 2789 } 2790 2791 au_uwrite(au_to_arg32(2, "proto num", 2792 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2793 au_uwrite(au_to_arg32(2, "mlp_port", 2794 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2795 2796 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2797 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2798 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2799 2800 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2801 2802 break; 2803 } 2804 default: 2805 break; 2806 } 2807 } 2808 2809 2810 static au_event_t 2811 aui_auditsys(au_event_t e) 2812 { 2813 klwp_t *clwp = ttolwp(curthread); 2814 uint32_t code; 2815 2816 struct a { 2817 long code; 2818 long a1; 2819 long a2; 2820 long a3; 2821 long a4; 2822 long a5; 2823 long a6; 2824 long a7; 2825 } *uap = (struct a *)clwp->lwp_ap; 2826 2827 code = (uint32_t)uap->code; 2828 2829 switch (code) { 2830 2831 case BSM_GETAUID: 2832 e = AUE_GETAUID; 2833 break; 2834 case BSM_SETAUID: 2835 e = AUE_SETAUID; 2836 break; 2837 case BSM_GETAUDIT: 2838 e = AUE_GETAUDIT; 2839 break; 2840 case BSM_GETAUDIT_ADDR: 2841 e = AUE_GETAUDIT_ADDR; 2842 break; 2843 case BSM_SETAUDIT: 2844 e = AUE_SETAUDIT; 2845 break; 2846 case BSM_SETAUDIT_ADDR: 2847 e = AUE_SETAUDIT_ADDR; 2848 break; 2849 case BSM_AUDIT: 2850 e = AUE_AUDIT; 2851 break; 2852 case BSM_AUDITCTL: 2853 switch ((uint_t)uap->a1) { 2854 2855 case A_GETPOLICY: 2856 e = AUE_AUDITON_GPOLICY; 2857 break; 2858 case A_SETPOLICY: 2859 e = AUE_AUDITON_SPOLICY; 2860 break; 2861 case A_GETKMASK: 2862 e = AUE_AUDITON_GETKMASK; 2863 break; 2864 case A_SETKMASK: 2865 e = AUE_AUDITON_SETKMASK; 2866 break; 2867 case A_GETQCTRL: 2868 e = AUE_AUDITON_GQCTRL; 2869 break; 2870 case A_SETQCTRL: 2871 e = AUE_AUDITON_SQCTRL; 2872 break; 2873 case A_GETCWD: 2874 e = AUE_AUDITON_GETCWD; 2875 break; 2876 case A_GETCAR: 2877 e = AUE_AUDITON_GETCAR; 2878 break; 2879 case A_GETSTAT: 2880 e = AUE_AUDITON_GETSTAT; 2881 break; 2882 case A_SETSTAT: 2883 e = AUE_AUDITON_SETSTAT; 2884 break; 2885 case A_SETUMASK: 2886 e = AUE_AUDITON_SETUMASK; 2887 break; 2888 case A_SETSMASK: 2889 e = AUE_AUDITON_SETSMASK; 2890 break; 2891 case A_GETCOND: 2892 e = AUE_AUDITON_GETCOND; 2893 break; 2894 case A_SETCOND: 2895 e = AUE_AUDITON_SETCOND; 2896 break; 2897 case A_GETCLASS: 2898 e = AUE_AUDITON_GETCLASS; 2899 break; 2900 case A_SETCLASS: 2901 e = AUE_AUDITON_SETCLASS; 2902 break; 2903 default: 2904 e = AUE_NULL; 2905 break; 2906 } 2907 break; 2908 default: 2909 e = AUE_NULL; 2910 break; 2911 } 2912 2913 return (e); 2914 2915 } /* AUI_AUDITSYS */ 2916 2917 2918 static void 2919 aus_auditsys(struct t_audit_data *tad) 2920 { 2921 klwp_t *clwp = ttolwp(curthread); 2922 uintptr_t a1, a2; 2923 STRUCT_DECL(auditinfo, ainfo); 2924 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2925 au_evclass_map_t event; 2926 au_mask_t mask; 2927 int auditstate, policy; 2928 au_id_t auid; 2929 2930 2931 struct a { 2932 long code; 2933 long a1; 2934 long a2; 2935 long a3; 2936 long a4; 2937 long a5; 2938 long a6; 2939 long a7; 2940 } *uap = (struct a *)clwp->lwp_ap; 2941 2942 a1 = (uintptr_t)uap->a1; 2943 a2 = (uintptr_t)uap->a2; 2944 2945 switch (tad->tad_event) { 2946 case AUE_SETAUID: 2947 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2948 return; 2949 au_uwrite(au_to_arg32(2, "setauid", auid)); 2950 break; 2951 case AUE_SETAUDIT: 2952 STRUCT_INIT(ainfo, get_udatamodel()); 2953 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2954 STRUCT_SIZE(ainfo))) { 2955 return; 2956 } 2957 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2958 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2959 #ifdef _LP64 2960 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2961 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2962 #else 2963 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2964 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2965 #endif 2966 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2967 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2968 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2969 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2970 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2971 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2972 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2973 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2974 break; 2975 case AUE_SETAUDIT_ADDR: 2976 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2977 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2978 STRUCT_SIZE(ainfo_addr))) { 2979 return; 2980 } 2981 au_uwrite(au_to_arg32((char)1, "auid", 2982 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2983 #ifdef _LP64 2984 au_uwrite(au_to_arg64((char)1, "port", 2985 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2986 #else 2987 au_uwrite(au_to_arg32((char)1, "port", 2988 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2989 #endif 2990 au_uwrite(au_to_arg32((char)1, "type", 2991 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2992 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2993 AU_IPv4) { 2994 au_uwrite(au_to_in_addr( 2995 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2996 ai_termid.at_addr))); 2997 } else { 2998 au_uwrite(au_to_in_addr_ex( 2999 (int32_t *)STRUCT_FGETP(ainfo_addr, 3000 ai_termid.at_addr))); 3001 } 3002 au_uwrite(au_to_arg32((char)1, "as_success", 3003 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3004 au_uwrite(au_to_arg32((char)1, "as_failure", 3005 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3006 au_uwrite(au_to_arg32((char)1, "asid", 3007 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3008 break; 3009 case AUE_AUDITON_SETKMASK: 3010 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3011 return; 3012 au_uwrite(au_to_arg32( 3013 2, "setkmask:as_success", (uint32_t)mask.as_success)); 3014 au_uwrite(au_to_arg32( 3015 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 3016 break; 3017 case AUE_AUDITON_SPOLICY: 3018 if (copyin((caddr_t)a2, &policy, sizeof (int))) 3019 return; 3020 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3021 break; 3022 case AUE_AUDITON_SQCTRL: { 3023 STRUCT_DECL(au_qctrl, qctrl); 3024 model_t model; 3025 3026 model = get_udatamodel(); 3027 STRUCT_INIT(qctrl, model); 3028 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3029 return; 3030 if (model == DATAMODEL_ILP32) { 3031 au_uwrite(au_to_arg32( 3032 3, "setqctrl:aq_hiwater", 3033 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3034 au_uwrite(au_to_arg32( 3035 3, "setqctrl:aq_lowater", 3036 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3037 au_uwrite(au_to_arg32( 3038 3, "setqctrl:aq_bufsz", 3039 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3040 au_uwrite(au_to_arg32( 3041 3, "setqctrl:aq_delay", 3042 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3043 } else { 3044 au_uwrite(au_to_arg64( 3045 3, "setqctrl:aq_hiwater", 3046 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3047 au_uwrite(au_to_arg64( 3048 3, "setqctrl:aq_lowater", 3049 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3050 au_uwrite(au_to_arg64( 3051 3, "setqctrl:aq_bufsz", 3052 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3053 au_uwrite(au_to_arg64( 3054 3, "setqctrl:aq_delay", 3055 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3056 } 3057 break; 3058 } 3059 case AUE_AUDITON_SETUMASK: 3060 STRUCT_INIT(ainfo, get_udatamodel()); 3061 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3062 STRUCT_SIZE(ainfo))) { 3063 return; 3064 } 3065 au_uwrite(au_to_arg32(3, "setumask:as_success", 3066 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3067 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3068 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3069 break; 3070 case AUE_AUDITON_SETSMASK: 3071 STRUCT_INIT(ainfo, get_udatamodel()); 3072 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3073 STRUCT_SIZE(ainfo))) { 3074 return; 3075 } 3076 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3077 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3078 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3079 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3080 break; 3081 case AUE_AUDITON_SETCOND: 3082 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3083 return; 3084 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3085 break; 3086 case AUE_AUDITON_SETCLASS: 3087 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3088 return; 3089 au_uwrite(au_to_arg32( 3090 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3091 au_uwrite(au_to_arg32( 3092 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3093 break; 3094 case AUE_GETAUID: 3095 case AUE_GETAUDIT: 3096 case AUE_GETAUDIT_ADDR: 3097 case AUE_AUDIT: 3098 case AUE_AUDITON_GPOLICY: 3099 case AUE_AUDITON_GQCTRL: 3100 case AUE_AUDITON_GETKMASK: 3101 case AUE_AUDITON_GETCWD: 3102 case AUE_AUDITON_GETCAR: 3103 case AUE_AUDITON_GETSTAT: 3104 case AUE_AUDITON_SETSTAT: 3105 case AUE_AUDITON_GETCOND: 3106 case AUE_AUDITON_GETCLASS: 3107 break; 3108 default: 3109 break; 3110 } 3111 3112 } /* AUS_AUDITSYS */ 3113 3114 3115 /* only audit privileged operations for systeminfo(2) system call */ 3116 static au_event_t 3117 aui_sysinfo(au_event_t e) 3118 { 3119 klwp_t *clwp = ttolwp(curthread); 3120 uint32_t command; 3121 3122 struct a { 3123 long command; 3124 long buf; /* char * */ 3125 long count; 3126 } *uap = (struct a *)clwp->lwp_ap; 3127 3128 command = (uint32_t)uap->command; 3129 3130 switch (command) { 3131 case SI_SET_HOSTNAME: 3132 case SI_SET_SRPC_DOMAIN: 3133 e = (au_event_t)AUE_SYSINFO; 3134 break; 3135 default: 3136 e = (au_event_t)AUE_NULL; 3137 break; 3138 } 3139 return (e); 3140 } 3141 3142 /*ARGSUSED*/ 3143 static void 3144 aus_sysinfo(struct t_audit_data *tad) 3145 { 3146 klwp_t *clwp = ttolwp(curthread); 3147 uint32_t command; 3148 size_t len, maxlen; 3149 char *name; 3150 uintptr_t buf; 3151 3152 struct a { 3153 long command; 3154 long buf; /* char * */ 3155 long count; 3156 } *uap = (struct a *)clwp->lwp_ap; 3157 3158 command = (uint32_t)uap->command; 3159 buf = (uintptr_t)uap->buf; 3160 3161 au_uwrite(au_to_arg32(1, "cmd", command)); 3162 3163 switch (command) { 3164 case SI_SET_HOSTNAME: 3165 { 3166 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3167 return; 3168 3169 maxlen = SYS_NMLN; 3170 name = kmem_alloc(maxlen, KM_SLEEP); 3171 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3172 break; 3173 3174 /* 3175 * Must be non-NULL string and string 3176 * must be less than SYS_NMLN chars. 3177 */ 3178 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3179 break; 3180 3181 au_uwrite(au_to_text(name)); 3182 break; 3183 } 3184 3185 case SI_SET_SRPC_DOMAIN: 3186 { 3187 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3188 return; 3189 3190 maxlen = SYS_NMLN; 3191 name = kmem_alloc(maxlen, KM_SLEEP); 3192 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3193 break; 3194 3195 /* 3196 * If string passed in is longer than length 3197 * allowed for domain name, fail. 3198 */ 3199 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3200 break; 3201 3202 au_uwrite(au_to_text(name)); 3203 break; 3204 } 3205 3206 default: 3207 return; 3208 } 3209 3210 kmem_free(name, maxlen); 3211 } 3212 3213 static au_event_t 3214 aui_modctl(au_event_t e) 3215 { 3216 klwp_t *clwp = ttolwp(curthread); 3217 uint_t cmd; 3218 3219 struct a { 3220 long cmd; 3221 } *uap = (struct a *)clwp->lwp_ap; 3222 3223 cmd = (uint_t)uap->cmd; 3224 3225 switch (cmd) { 3226 case MODLOAD: 3227 e = AUE_MODLOAD; 3228 break; 3229 case MODUNLOAD: 3230 e = AUE_MODUNLOAD; 3231 break; 3232 case MODADDMAJBIND: 3233 e = AUE_MODADDMAJ; 3234 break; 3235 case MODSETDEVPOLICY: 3236 e = AUE_MODDEVPLCY; 3237 break; 3238 case MODALLOCPRIV: 3239 e = AUE_MODADDPRIV; 3240 break; 3241 default: 3242 e = AUE_NULL; 3243 break; 3244 } 3245 return (e); 3246 } 3247 3248 3249 /*ARGSUSED*/ 3250 static void 3251 aus_modctl(struct t_audit_data *tad) 3252 { 3253 klwp_t *clwp = ttolwp(curthread); 3254 void *a = clwp->lwp_ap; 3255 uint_t use_path; 3256 3257 switch (tad->tad_event) { 3258 case AUE_MODLOAD: { 3259 typedef struct { 3260 long cmd; 3261 long use_path; 3262 long filename; /* char * */ 3263 } modloada_t; 3264 3265 char *filenamep; 3266 uintptr_t fname; 3267 extern char *default_path; 3268 3269 fname = (uintptr_t)((modloada_t *)a)->filename; 3270 use_path = (uint_t)((modloada_t *)a)->use_path; 3271 3272 /* space to hold path */ 3273 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3274 /* get string */ 3275 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3276 /* free allocated path */ 3277 kmem_free(filenamep, MOD_MAXPATH); 3278 return; 3279 } 3280 /* ensure it's null terminated */ 3281 filenamep[MOD_MAXPATH - 1] = 0; 3282 3283 if (use_path) 3284 au_uwrite(au_to_text(default_path)); 3285 au_uwrite(au_to_text(filenamep)); 3286 3287 /* release temporary memory */ 3288 kmem_free(filenamep, MOD_MAXPATH); 3289 break; 3290 } 3291 case AUE_MODUNLOAD: { 3292 typedef struct { 3293 long cmd; 3294 long id; 3295 } modunloada_t; 3296 3297 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3298 3299 au_uwrite(au_to_arg32(1, "id", id)); 3300 break; 3301 } 3302 case AUE_MODADDMAJ: { 3303 STRUCT_DECL(modconfig, mc); 3304 typedef struct { 3305 long cmd; 3306 long subcmd; 3307 long data; /* int * */ 3308 } modconfiga_t; 3309 3310 STRUCT_DECL(aliases, alias); 3311 caddr_t ap; 3312 int i, num_aliases; 3313 char *drvname, *mc_drvname; 3314 char *name; 3315 extern char *ddi_major_to_name(major_t); 3316 model_t model; 3317 3318 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3319 3320 model = get_udatamodel(); 3321 STRUCT_INIT(mc, model); 3322 /* sanitize buffer */ 3323 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3324 /* get user arguments */ 3325 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3326 STRUCT_SIZE(mc)) != 0) 3327 return; 3328 3329 mc_drvname = STRUCT_FGET(mc, drvname); 3330 if ((drvname = ddi_major_to_name( 3331 (major_t)STRUCT_FGET(mc, major))) != NULL && 3332 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3333 /* safety */ 3334 if (mc_drvname[0] != '\0') { 3335 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3336 au_uwrite(au_to_text(mc_drvname)); 3337 } 3338 /* drvname != NULL from test above */ 3339 au_uwrite(au_to_text(drvname)); 3340 return; 3341 } 3342 3343 if (mc_drvname[0] != '\0') { 3344 /* safety */ 3345 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3346 au_uwrite(au_to_text(mc_drvname)); 3347 } else 3348 au_uwrite(au_to_text("no drvname")); 3349 3350 num_aliases = STRUCT_FGET(mc, num_aliases); 3351 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3352 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3353 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3354 STRUCT_INIT(alias, model); 3355 for (i = 0; i < num_aliases; i++) { 3356 bzero((caddr_t)STRUCT_BUF(alias), 3357 STRUCT_SIZE(alias)); 3358 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3359 STRUCT_SIZE(alias)) != 0) 3360 break; 3361 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3362 MAXMODCONFNAME, NULL) != 0) { 3363 break; 3364 } 3365 3366 au_uwrite(au_to_text(name)); 3367 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3368 } 3369 kmem_free(name, MAXMODCONFNAME); 3370 break; 3371 } 3372 default: 3373 break; 3374 } 3375 } 3376 3377 3378 /*ARGSUSED*/ 3379 static void 3380 auf_accept( 3381 struct t_audit_data *tad, 3382 int error, 3383 rval_t *rval) 3384 { 3385 uint32_t scid; 3386 uint32_t sy_flags; 3387 int fd; 3388 struct sonode *so; 3389 char so_laddr[sizeof (struct sockaddr_in6)]; 3390 char so_faddr[sizeof (struct sockaddr_in6)]; 3391 int err; 3392 short so_family, so_type; 3393 int add_sock_token = 0; 3394 3395 /* need to determine type of executing binary */ 3396 scid = tad->tad_scid; 3397 #ifdef _SYSCALL32_IMPL 3398 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3399 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3400 else 3401 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3402 #else 3403 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3404 #endif 3405 if (sy_flags == SE_32RVAL1) 3406 fd = rval->r_val1; 3407 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3408 fd = rval->r_val1; 3409 if (sy_flags == SE_64RVAL) 3410 fd = (int)rval->r_vals; 3411 3412 if (error) { 3413 /* can't trust socket contents. Just return */ 3414 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3415 return; 3416 } 3417 3418 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3419 /* 3420 * not security relevant if doing a accept from non socket 3421 * so no extra tokens. Should probably turn off audit record 3422 * generation here. 3423 */ 3424 return; 3425 } 3426 3427 so_family = so->so_family; 3428 so_type = so->so_type; 3429 3430 switch (so_family) { 3431 case AF_INET: 3432 case AF_INET6: 3433 /* 3434 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3435 */ 3436 if (so->so_type == SOCK_STREAM) { 3437 socklen_t len; 3438 3439 bzero((void *)so_laddr, sizeof (so_laddr)); 3440 bzero((void *)so_faddr, sizeof (so_faddr)); 3441 3442 len = sizeof (so_laddr); 3443 (void) socket_getsockname(so, 3444 (struct sockaddr *)so_laddr, &len, CRED()); 3445 len = sizeof (so_faddr); 3446 (void) socket_getpeername(so, 3447 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3448 3449 add_sock_token = 1; 3450 } 3451 break; 3452 3453 default: 3454 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3455 break; 3456 } 3457 3458 releasef(fd); 3459 3460 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3461 3462 if (add_sock_token == 0) { 3463 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3464 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3465 return; 3466 } 3467 3468 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3469 3470 } 3471 3472 /*ARGSUSED*/ 3473 static void 3474 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3475 { 3476 struct a { 3477 long fd; 3478 long addr; 3479 long len; 3480 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3481 3482 struct sonode *so; 3483 char so_laddr[sizeof (struct sockaddr_in6)]; 3484 char so_faddr[sizeof (struct sockaddr_in6)]; 3485 int err, fd; 3486 socklen_t len; 3487 short so_family, so_type; 3488 int add_sock_token = 0; 3489 3490 fd = (int)uap->fd; 3491 3492 /* 3493 * bind failed, then nothing extra to add to audit record. 3494 */ 3495 if (error) { 3496 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3497 /* XXX may want to add failed address some day */ 3498 return; 3499 } 3500 3501 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3502 /* 3503 * not security relevant if doing a bind from non socket 3504 * so no extra tokens. Should probably turn off audit record 3505 * generation here. 3506 */ 3507 return; 3508 } 3509 3510 so_family = so->so_family; 3511 so_type = so->so_type; 3512 3513 switch (so_family) { 3514 case AF_INET: 3515 case AF_INET6: 3516 3517 bzero(so_faddr, sizeof (so_faddr)); 3518 len = sizeof (so_faddr); 3519 3520 (void) socket_getpeername(so, 3521 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3522 add_sock_token = 1; 3523 3524 break; 3525 3526 case AF_UNIX: 3527 /* token added by lookup */ 3528 break; 3529 default: 3530 /* AF_ROUTE, AF_KEY do not support accept */ 3531 break; 3532 } 3533 3534 releasef(fd); 3535 3536 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3537 3538 if (add_sock_token == 0) { 3539 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3540 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3541 return; 3542 } 3543 3544 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3545 3546 } 3547 3548 /*ARGSUSED*/ 3549 static void 3550 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3551 { 3552 struct a { 3553 long fd; 3554 long addr; 3555 long len; 3556 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3557 3558 struct sonode *so; 3559 char so_laddr[sizeof (struct sockaddr_in6)]; 3560 char so_faddr[sizeof (struct sockaddr_in6)]; 3561 int err, fd; 3562 socklen_t len; 3563 short so_family, so_type; 3564 int add_sock_token = 0; 3565 3566 fd = (int)uap->fd; 3567 3568 3569 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3570 /* 3571 * not security relevant if doing a connect from non socket 3572 * so no extra tokens. Should probably turn off audit record 3573 * generation here. 3574 */ 3575 return; 3576 } 3577 3578 so_family = so->so_family; 3579 so_type = so->so_type; 3580 3581 switch (so_family) { 3582 case AF_INET: 3583 case AF_INET6: 3584 3585 bzero(so_laddr, sizeof (so_laddr)); 3586 bzero(so_faddr, sizeof (so_faddr)); 3587 3588 len = sizeof (so_laddr); 3589 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3590 &len, CRED()); 3591 if (error) { 3592 if (uap->addr == NULL) 3593 break; 3594 if (uap->len <= 0) 3595 break; 3596 len = min(uap->len, sizeof (so_faddr)); 3597 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3598 break; 3599 #ifdef NOTYET 3600 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3601 #endif 3602 } else { 3603 /* sanity check on length */ 3604 len = sizeof (so_faddr); 3605 (void) socket_getpeername(so, 3606 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3607 } 3608 3609 add_sock_token = 1; 3610 3611 break; 3612 3613 case AF_UNIX: 3614 /* does a lookup on name */ 3615 break; 3616 3617 default: 3618 /* AF_ROUTE, AF_KEY do not support accept */ 3619 break; 3620 } 3621 3622 releasef(fd); 3623 3624 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3625 3626 if (add_sock_token == 0) { 3627 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3628 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3629 return; 3630 } 3631 3632 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3633 3634 } 3635 3636 /*ARGSUSED*/ 3637 static void 3638 aus_shutdown(struct t_audit_data *tad) 3639 { 3640 struct a { 3641 long fd; 3642 long how; 3643 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3644 3645 struct sonode *so; 3646 char so_laddr[sizeof (struct sockaddr_in6)]; 3647 char so_faddr[sizeof (struct sockaddr_in6)]; 3648 int err, fd; 3649 socklen_t len; 3650 short so_family, so_type; 3651 int add_sock_token = 0; 3652 file_t *fp; /* unix domain sockets */ 3653 struct f_audit_data *fad; /* unix domain sockets */ 3654 3655 fd = (int)uap->fd; 3656 3657 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3658 /* 3659 * not security relevant if doing a shutdown using non socket 3660 * so no extra tokens. Should probably turn off audit record 3661 * generation here. 3662 */ 3663 return; 3664 } 3665 3666 so_family = so->so_family; 3667 so_type = so->so_type; 3668 3669 switch (so_family) { 3670 case AF_INET: 3671 case AF_INET6: 3672 3673 bzero(so_laddr, sizeof (so_laddr)); 3674 bzero(so_faddr, sizeof (so_faddr)); 3675 3676 len = sizeof (so_laddr); 3677 (void) socket_getsockname(so, 3678 (struct sockaddr *)so_laddr, &len, CRED()); 3679 len = sizeof (so_faddr); 3680 (void) socket_getpeername(so, 3681 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3682 3683 add_sock_token = 1; 3684 3685 break; 3686 3687 case AF_UNIX: 3688 3689 /* get path from file struct here */ 3690 fad = F2A(fp); 3691 ASSERT(fad); 3692 3693 if (fad->fad_aupath != NULL) { 3694 au_uwrite(au_to_path(fad->fad_aupath)); 3695 } else { 3696 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3697 } 3698 3699 audit_attributes(fp->f_vnode); 3700 3701 break; 3702 3703 default: 3704 /* 3705 * AF_KEY and AF_ROUTE support shutdown. No socket token 3706 * added. 3707 */ 3708 break; 3709 } 3710 3711 releasef(fd); 3712 3713 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3714 3715 if (add_sock_token == 0) { 3716 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3717 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3718 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3719 return; 3720 } 3721 3722 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3723 3724 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3725 3726 } 3727 3728 /*ARGSUSED*/ 3729 static void 3730 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3731 { 3732 struct a { 3733 long fd; 3734 long level; 3735 long optname; 3736 long *optval; 3737 long optlen; 3738 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3739 3740 struct sonode *so; 3741 char so_laddr[sizeof (struct sockaddr_in6)]; 3742 char so_faddr[sizeof (struct sockaddr_in6)]; 3743 char val[AU_BUFSIZE]; 3744 int err, fd; 3745 socklen_t len; 3746 short so_family, so_type; 3747 int add_sock_token = 0; 3748 file_t *fp; /* unix domain sockets */ 3749 struct f_audit_data *fad; /* unix domain sockets */ 3750 3751 fd = (int)uap->fd; 3752 3753 if (error) { 3754 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3755 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3756 /* XXX may want to include other arguments */ 3757 return; 3758 } 3759 3760 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3761 /* 3762 * not security relevant if doing a setsockopt from non socket 3763 * so no extra tokens. Should probably turn off audit record 3764 * generation here. 3765 */ 3766 return; 3767 } 3768 3769 so_family = so->so_family; 3770 so_type = so->so_type; 3771 3772 switch (so_family) { 3773 case AF_INET: 3774 case AF_INET6: 3775 bzero((void *)so_laddr, sizeof (so_laddr)); 3776 bzero((void *)so_faddr, sizeof (so_faddr)); 3777 3778 /* get local and foreign addresses */ 3779 len = sizeof (so_laddr); 3780 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3781 &len, CRED()); 3782 len = sizeof (so_faddr); 3783 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3784 &len, B_FALSE, CRED()); 3785 3786 add_sock_token = 1; 3787 3788 break; 3789 3790 case AF_UNIX: 3791 3792 /* get path from file struct here */ 3793 fad = F2A(fp); 3794 ASSERT(fad); 3795 3796 if (fad->fad_aupath != NULL) { 3797 au_uwrite(au_to_path(fad->fad_aupath)); 3798 } else { 3799 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3800 } 3801 3802 audit_attributes(fp->f_vnode); 3803 3804 break; 3805 3806 default: 3807 /* 3808 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3809 * added. 3810 */ 3811 break; 3812 } 3813 3814 releasef(fd); 3815 3816 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3817 3818 if (add_sock_token == 0) { 3819 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3820 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3821 } 3822 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3823 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3824 3825 bzero(val, sizeof (val)); 3826 len = min(uap->optlen, sizeof (val)); 3827 if ((len > 0) && 3828 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3829 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3830 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3831 } 3832 3833 if (add_sock_token == 0) 3834 return; 3835 3836 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3837 3838 } 3839 3840 /*ARGSUSED*/ 3841 static void 3842 aus_sockconfig(tad) 3843 struct t_audit_data *tad; 3844 { 3845 struct a { 3846 long domain; 3847 long type; 3848 long protocol; 3849 long devpath; 3850 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3851 3852 char *kdevpath; 3853 int kdevpathlen = MAXPATHLEN + 1; 3854 size_t size; 3855 3856 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3857 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3858 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3859 3860 if (uap->devpath == 0) { 3861 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3862 } else { 3863 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3864 3865 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3866 &size)) { 3867 kmem_free(kdevpath, kdevpathlen); 3868 return; 3869 } 3870 3871 if (size > MAXPATHLEN) { 3872 kmem_free(kdevpath, kdevpathlen); 3873 return; 3874 } 3875 3876 au_uwrite(au_to_text(kdevpath)); 3877 kmem_free(kdevpath, kdevpathlen); 3878 } 3879 } 3880 3881 /* 3882 * only audit recvmsg when the system call represents the creation of a new 3883 * circuit. This effectively occurs for all UDP packets and may occur for 3884 * special TCP situations where the local host has not set a local address 3885 * in the socket structure. 3886 */ 3887 /*ARGSUSED*/ 3888 static void 3889 auf_recvmsg( 3890 struct t_audit_data *tad, 3891 int error, 3892 rval_t *rvp) 3893 { 3894 struct a { 3895 long fd; 3896 long msg; /* struct msghdr */ 3897 long flags; 3898 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3899 3900 struct sonode *so; 3901 STRUCT_DECL(msghdr, msg); 3902 caddr_t msg_name; 3903 socklen_t msg_namelen; 3904 int fd; 3905 int err; 3906 char so_laddr[sizeof (struct sockaddr_in6)]; 3907 char so_faddr[sizeof (struct sockaddr_in6)]; 3908 socklen_t len; 3909 file_t *fp; /* unix domain sockets */ 3910 struct f_audit_data *fad; /* unix domain sockets */ 3911 short so_family, so_type; 3912 int add_sock_token = 0; 3913 au_kcontext_t *kctx = GET_KCTX_PZ; 3914 3915 fd = (int)uap->fd; 3916 3917 /* bail if an error */ 3918 if (error) { 3919 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3920 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3921 return; 3922 } 3923 3924 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3925 /* 3926 * not security relevant if doing a recvmsg from non socket 3927 * so no extra tokens. Should probably turn off audit record 3928 * generation here. 3929 */ 3930 return; 3931 } 3932 3933 so_family = so->so_family; 3934 so_type = so->so_type; 3935 3936 /* 3937 * only putout SOCKET_EX token if INET/INET6 family. 3938 * XXX - what do we do about other families? 3939 */ 3940 3941 switch (so_family) { 3942 case AF_INET: 3943 case AF_INET6: 3944 3945 /* 3946 * if datagram type socket, then just use what is in 3947 * socket structure for local address. 3948 * XXX - what do we do for other types? 3949 */ 3950 if ((so->so_type == SOCK_DGRAM) || 3951 (so->so_type == SOCK_RAW)) { 3952 add_sock_token = 1; 3953 3954 bzero((void *)so_laddr, sizeof (so_laddr)); 3955 bzero((void *)so_faddr, sizeof (so_faddr)); 3956 3957 /* get local address */ 3958 len = sizeof (so_laddr); 3959 (void) socket_getsockname(so, 3960 (struct sockaddr *)so_laddr, &len, CRED()); 3961 3962 /* get peer address */ 3963 STRUCT_INIT(msg, get_udatamodel()); 3964 3965 if (copyin((caddr_t)(uap->msg), 3966 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3967 break; 3968 } 3969 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3970 if (msg_name == NULL) { 3971 break; 3972 } 3973 3974 /* length is value from recvmsg - sanity check */ 3975 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3976 if (msg_namelen == 0) { 3977 break; 3978 } 3979 if (copyin(msg_name, so_faddr, 3980 sizeof (so_faddr)) != 0) { 3981 break; 3982 } 3983 3984 } else if (so->so_type == SOCK_STREAM) { 3985 3986 /* get path from file struct here */ 3987 fad = F2A(fp); 3988 ASSERT(fad); 3989 3990 /* 3991 * already processed this file for read attempt 3992 */ 3993 if (fad->fad_flags & FAD_READ) { 3994 /* don't want to audit every recvmsg attempt */ 3995 tad->tad_flag = 0; 3996 /* free any residual audit data */ 3997 au_close(kctx, &(u_ad), 0, 0, 0); 3998 releasef(fd); 3999 return; 4000 } 4001 /* 4002 * mark things so we know what happened and don't 4003 * repeat things 4004 */ 4005 fad->fad_flags |= FAD_READ; 4006 4007 bzero((void *)so_laddr, sizeof (so_laddr)); 4008 bzero((void *)so_faddr, sizeof (so_faddr)); 4009 4010 /* get local and foreign addresses */ 4011 len = sizeof (so_laddr); 4012 (void) socket_getsockname(so, 4013 (struct sockaddr *)so_laddr, &len, CRED()); 4014 len = sizeof (so_faddr); 4015 (void) socket_getpeername(so, 4016 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4017 4018 add_sock_token = 1; 4019 } 4020 4021 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4022 4023 break; 4024 4025 case AF_UNIX: 4026 /* 4027 * first check if this is first time through. Too much 4028 * duplicate code to put this in an aui_ routine. 4029 */ 4030 4031 /* get path from file struct here */ 4032 fad = F2A(fp); 4033 ASSERT(fad); 4034 4035 /* 4036 * already processed this file for read attempt 4037 */ 4038 if (fad->fad_flags & FAD_READ) { 4039 releasef(fd); 4040 /* don't want to audit every recvmsg attempt */ 4041 tad->tad_flag = 0; 4042 /* free any residual audit data */ 4043 au_close(kctx, &(u_ad), 0, 0, 0); 4044 return; 4045 } 4046 /* 4047 * mark things so we know what happened and don't 4048 * repeat things 4049 */ 4050 fad->fad_flags |= FAD_READ; 4051 4052 if (fad->fad_aupath != NULL) { 4053 au_uwrite(au_to_path(fad->fad_aupath)); 4054 } else { 4055 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4056 } 4057 4058 audit_attributes(fp->f_vnode); 4059 4060 releasef(fd); 4061 4062 return; 4063 4064 default: 4065 break; 4066 4067 } 4068 4069 releasef(fd); 4070 4071 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4072 4073 if (add_sock_token == 0) { 4074 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4075 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4076 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4077 return; 4078 } 4079 4080 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4081 4082 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4083 4084 } 4085 4086 /*ARGSUSED*/ 4087 static void 4088 auf_recvfrom( 4089 struct t_audit_data *tad, 4090 int error, 4091 rval_t *rvp) 4092 { 4093 4094 struct a { 4095 long fd; 4096 long msg; /* char */ 4097 long len; 4098 long flags; 4099 long from; /* struct sockaddr */ 4100 long fromlen; 4101 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4102 4103 socklen_t fromlen; 4104 struct sonode *so; 4105 char so_laddr[sizeof (struct sockaddr_in6)]; 4106 char so_faddr[sizeof (struct sockaddr_in6)]; 4107 int fd; 4108 short so_family, so_type; 4109 int add_sock_token = 0; 4110 socklen_t len; 4111 int err; 4112 struct file *fp; 4113 struct f_audit_data *fad; /* unix domain sockets */ 4114 au_kcontext_t *kctx = GET_KCTX_PZ; 4115 4116 fd = (int)uap->fd; 4117 4118 /* bail if an error */ 4119 if (error) { 4120 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4121 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4122 return; 4123 } 4124 4125 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4126 /* 4127 * not security relevant if doing a recvmsg from non socket 4128 * so no extra tokens. Should probably turn off audit record 4129 * generation here. 4130 */ 4131 return; 4132 } 4133 4134 so_family = so->so_family; 4135 so_type = so->so_type; 4136 4137 /* 4138 * only putout SOCKET_EX token if INET/INET6 family. 4139 * XXX - what do we do about other families? 4140 */ 4141 4142 switch (so_family) { 4143 case AF_INET: 4144 case AF_INET6: 4145 4146 /* 4147 * if datagram type socket, then just use what is in 4148 * socket structure for local address. 4149 * XXX - what do we do for other types? 4150 */ 4151 if ((so->so_type == SOCK_DGRAM) || 4152 (so->so_type == SOCK_RAW)) { 4153 add_sock_token = 1; 4154 4155 /* get local address */ 4156 len = sizeof (so_laddr); 4157 (void) socket_getsockname(so, 4158 (struct sockaddr *)so_laddr, &len, CRED()); 4159 4160 /* get peer address */ 4161 bzero((void *)so_faddr, sizeof (so_faddr)); 4162 4163 /* sanity check */ 4164 if (uap->from == NULL) 4165 break; 4166 4167 /* sanity checks */ 4168 if (uap->fromlen == 0) 4169 break; 4170 4171 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4172 sizeof (fromlen)) != 0) 4173 break; 4174 4175 if (fromlen == 0) 4176 break; 4177 4178 /* enforce maximum size */ 4179 if (fromlen > sizeof (so_faddr)) 4180 fromlen = sizeof (so_faddr); 4181 4182 if (copyin((caddr_t)(uap->from), so_faddr, 4183 fromlen) != 0) 4184 break; 4185 4186 } else if (so->so_type == SOCK_STREAM) { 4187 4188 /* get path from file struct here */ 4189 fad = F2A(fp); 4190 ASSERT(fad); 4191 4192 /* 4193 * already processed this file for read attempt 4194 */ 4195 if (fad->fad_flags & FAD_READ) { 4196 /* don't want to audit every recvfrom attempt */ 4197 tad->tad_flag = 0; 4198 /* free any residual audit data */ 4199 au_close(kctx, &(u_ad), 0, 0, 0); 4200 releasef(fd); 4201 return; 4202 } 4203 /* 4204 * mark things so we know what happened and don't 4205 * repeat things 4206 */ 4207 fad->fad_flags |= FAD_READ; 4208 4209 bzero((void *)so_laddr, sizeof (so_laddr)); 4210 bzero((void *)so_faddr, sizeof (so_faddr)); 4211 4212 /* get local and foreign addresses */ 4213 len = sizeof (so_laddr); 4214 (void) socket_getsockname(so, 4215 (struct sockaddr *)so_laddr, &len, CRED()); 4216 len = sizeof (so_faddr); 4217 (void) socket_getpeername(so, 4218 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4219 4220 add_sock_token = 1; 4221 } 4222 4223 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4224 4225 break; 4226 4227 case AF_UNIX: 4228 /* 4229 * first check if this is first time through. Too much 4230 * duplicate code to put this in an aui_ routine. 4231 */ 4232 4233 /* get path from file struct here */ 4234 fad = F2A(fp); 4235 ASSERT(fad); 4236 4237 /* 4238 * already processed this file for read attempt 4239 */ 4240 if (fad->fad_flags & FAD_READ) { 4241 /* don't want to audit every recvfrom attempt */ 4242 tad->tad_flag = 0; 4243 /* free any residual audit data */ 4244 au_close(kctx, &(u_ad), 0, 0, 0); 4245 releasef(fd); 4246 return; 4247 } 4248 /* 4249 * mark things so we know what happened and don't 4250 * repeat things 4251 */ 4252 fad->fad_flags |= FAD_READ; 4253 4254 if (fad->fad_aupath != NULL) { 4255 au_uwrite(au_to_path(fad->fad_aupath)); 4256 } else { 4257 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4258 } 4259 4260 audit_attributes(fp->f_vnode); 4261 4262 releasef(fd); 4263 4264 return; 4265 4266 default: 4267 break; 4268 4269 } 4270 4271 releasef(fd); 4272 4273 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4274 4275 if (add_sock_token == 0) { 4276 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4277 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4278 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4279 return; 4280 } 4281 4282 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4283 4284 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4285 } 4286 4287 /*ARGSUSED*/ 4288 static void 4289 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4290 { 4291 struct a { 4292 long fd; 4293 long msg; /* struct msghdr */ 4294 long flags; 4295 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4296 4297 struct sonode *so; 4298 char so_laddr[sizeof (struct sockaddr_in6)]; 4299 char so_faddr[sizeof (struct sockaddr_in6)]; 4300 int err; 4301 int fd; 4302 short so_family, so_type; 4303 int add_sock_token = 0; 4304 socklen_t len; 4305 struct file *fp; 4306 struct f_audit_data *fad; 4307 caddr_t msg_name; 4308 socklen_t msg_namelen; 4309 STRUCT_DECL(msghdr, msg); 4310 au_kcontext_t *kctx = GET_KCTX_PZ; 4311 4312 fd = (int)uap->fd; 4313 4314 /* bail if an error */ 4315 if (error) { 4316 /* XXX include destination address from system call arguments */ 4317 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4318 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4319 return; 4320 } 4321 4322 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4323 /* 4324 * not security relevant if doing a sendmsg from non socket 4325 * so no extra tokens. Should probably turn off audit record 4326 * generation here. 4327 */ 4328 return; 4329 } 4330 4331 so_family = so->so_family; 4332 so_type = so->so_type; 4333 4334 switch (so_family) { 4335 case AF_INET: 4336 case AF_INET6: 4337 /* 4338 * if datagram type socket, then just use what is in 4339 * socket structure for local address. 4340 * XXX - what do we do for other types? 4341 */ 4342 if ((so->so_type == SOCK_DGRAM) || 4343 (so->so_type == SOCK_RAW)) { 4344 4345 bzero((void *)so_laddr, sizeof (so_laddr)); 4346 bzero((void *)so_faddr, sizeof (so_faddr)); 4347 4348 /* get local address */ 4349 len = sizeof (so_laddr); 4350 (void) socket_getsockname(so, 4351 (struct sockaddr *)so_laddr, &len, CRED()); 4352 4353 /* get peer address */ 4354 STRUCT_INIT(msg, get_udatamodel()); 4355 4356 if (copyin((caddr_t)(uap->msg), 4357 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4358 break; 4359 } 4360 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4361 if (msg_name == NULL) 4362 break; 4363 4364 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4365 /* length is value from recvmsg - sanity check */ 4366 if (msg_namelen == 0) 4367 break; 4368 4369 if (copyin(msg_name, so_faddr, 4370 sizeof (so_faddr)) != 0) 4371 break; 4372 4373 add_sock_token = 1; 4374 4375 } else if (so->so_type == SOCK_STREAM) { 4376 4377 /* get path from file struct here */ 4378 fad = F2A(fp); 4379 ASSERT(fad); 4380 4381 /* 4382 * already processed this file for write attempt 4383 */ 4384 if (fad->fad_flags & FAD_WRITE) { 4385 releasef(fd); 4386 /* don't want to audit every sendmsg attempt */ 4387 tad->tad_flag = 0; 4388 /* free any residual audit data */ 4389 au_close(kctx, &(u_ad), 0, 0, 0); 4390 return; 4391 } 4392 4393 /* 4394 * mark things so we know what happened and don't 4395 * repeat things 4396 */ 4397 fad->fad_flags |= FAD_WRITE; 4398 4399 bzero((void *)so_laddr, sizeof (so_laddr)); 4400 bzero((void *)so_faddr, sizeof (so_faddr)); 4401 4402 /* get local and foreign addresses */ 4403 len = sizeof (so_laddr); 4404 (void) socket_getsockname(so, 4405 (struct sockaddr *)so_laddr, &len, CRED()); 4406 len = sizeof (so_faddr); 4407 (void) socket_getpeername(so, 4408 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4409 4410 add_sock_token = 1; 4411 } 4412 4413 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4414 4415 break; 4416 4417 case AF_UNIX: 4418 /* 4419 * first check if this is first time through. Too much 4420 * duplicate code to put this in an aui_ routine. 4421 */ 4422 4423 /* get path from file struct here */ 4424 fad = F2A(fp); 4425 ASSERT(fad); 4426 4427 /* 4428 * already processed this file for write attempt 4429 */ 4430 if (fad->fad_flags & FAD_WRITE) { 4431 releasef(fd); 4432 /* don't want to audit every sendmsg attempt */ 4433 tad->tad_flag = 0; 4434 /* free any residual audit data */ 4435 au_close(kctx, &(u_ad), 0, 0, 0); 4436 return; 4437 } 4438 /* 4439 * mark things so we know what happened and don't 4440 * repeat things 4441 */ 4442 fad->fad_flags |= FAD_WRITE; 4443 4444 if (fad->fad_aupath != NULL) { 4445 au_uwrite(au_to_path(fad->fad_aupath)); 4446 } else { 4447 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4448 } 4449 4450 audit_attributes(fp->f_vnode); 4451 4452 releasef(fd); 4453 4454 return; 4455 4456 default: 4457 break; 4458 } 4459 4460 releasef(fd); 4461 4462 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4463 4464 if (add_sock_token == 0) { 4465 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4466 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4467 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4468 return; 4469 } 4470 4471 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4472 4473 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4474 } 4475 4476 /*ARGSUSED*/ 4477 static void 4478 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4479 { 4480 struct a { 4481 long fd; 4482 long msg; /* char */ 4483 long len; 4484 long flags; 4485 long to; /* struct sockaddr */ 4486 long tolen; 4487 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4488 4489 struct sonode *so; 4490 char so_laddr[sizeof (struct sockaddr_in6)]; 4491 char so_faddr[sizeof (struct sockaddr_in6)]; 4492 socklen_t tolen; 4493 int err; 4494 int fd; 4495 socklen_t len; 4496 short so_family, so_type; 4497 int add_sock_token = 0; 4498 struct file *fp; 4499 struct f_audit_data *fad; 4500 au_kcontext_t *kctx = GET_KCTX_PZ; 4501 4502 fd = (int)uap->fd; 4503 4504 /* bail if an error */ 4505 if (error) { 4506 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4507 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4508 /* XXX include destination address from system call arguments */ 4509 return; 4510 } 4511 4512 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4513 /* 4514 * not security relevant if doing a sendto using non socket 4515 * so no extra tokens. Should probably turn off audit record 4516 * generation here. 4517 */ 4518 return; 4519 } 4520 4521 so_family = so->so_family; 4522 so_type = so->so_type; 4523 4524 /* 4525 * only putout SOCKET_EX token if INET/INET6 family. 4526 * XXX - what do we do about other families? 4527 */ 4528 4529 switch (so_family) { 4530 case AF_INET: 4531 case AF_INET6: 4532 4533 /* 4534 * if datagram type socket, then just use what is in 4535 * socket structure for local address. 4536 * XXX - what do we do for other types? 4537 */ 4538 if ((so->so_type == SOCK_DGRAM) || 4539 (so->so_type == SOCK_RAW)) { 4540 4541 bzero((void *)so_laddr, sizeof (so_laddr)); 4542 bzero((void *)so_faddr, sizeof (so_faddr)); 4543 4544 /* get local address */ 4545 len = sizeof (so_laddr); 4546 (void) socket_getsockname(so, 4547 (struct sockaddr *)so_laddr, &len, CRED()); 4548 4549 /* get peer address */ 4550 4551 /* sanity check */ 4552 if (uap->to == NULL) 4553 break; 4554 4555 /* sanity checks */ 4556 if (uap->tolen == 0) 4557 break; 4558 4559 tolen = (socklen_t)uap->tolen; 4560 4561 /* enforce maximum size */ 4562 if (tolen > sizeof (so_faddr)) 4563 tolen = sizeof (so_faddr); 4564 4565 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4566 break; 4567 4568 add_sock_token = 1; 4569 } else { 4570 /* 4571 * check if this is first time through. 4572 */ 4573 4574 /* get path from file struct here */ 4575 fad = F2A(fp); 4576 ASSERT(fad); 4577 4578 /* 4579 * already processed this file for write attempt 4580 */ 4581 if (fad->fad_flags & FAD_WRITE) { 4582 /* don't want to audit every sendto attempt */ 4583 tad->tad_flag = 0; 4584 /* free any residual audit data */ 4585 au_close(kctx, &(u_ad), 0, 0, 0); 4586 releasef(fd); 4587 return; 4588 } 4589 /* 4590 * mark things so we know what happened and don't 4591 * repeat things 4592 */ 4593 fad->fad_flags |= FAD_WRITE; 4594 4595 bzero((void *)so_laddr, sizeof (so_laddr)); 4596 bzero((void *)so_faddr, sizeof (so_faddr)); 4597 4598 /* get local and foreign addresses */ 4599 len = sizeof (so_laddr); 4600 (void) socket_getsockname(so, 4601 (struct sockaddr *)so_laddr, &len, CRED()); 4602 len = sizeof (so_faddr); 4603 (void) socket_getpeername(so, 4604 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4605 4606 add_sock_token = 1; 4607 } 4608 4609 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4610 4611 break; 4612 4613 case AF_UNIX: 4614 /* 4615 * first check if this is first time through. Too much 4616 * duplicate code to put this in an aui_ routine. 4617 */ 4618 4619 /* get path from file struct here */ 4620 fad = F2A(fp); 4621 ASSERT(fad); 4622 4623 /* 4624 * already processed this file for write attempt 4625 */ 4626 if (fad->fad_flags & FAD_WRITE) { 4627 /* don't want to audit every sendto attempt */ 4628 tad->tad_flag = 0; 4629 /* free any residual audit data */ 4630 au_close(kctx, &(u_ad), 0, 0, 0); 4631 releasef(fd); 4632 return; 4633 } 4634 /* 4635 * mark things so we know what happened and don't 4636 * repeat things 4637 */ 4638 fad->fad_flags |= FAD_WRITE; 4639 4640 if (fad->fad_aupath != NULL) { 4641 au_uwrite(au_to_path(fad->fad_aupath)); 4642 } else { 4643 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4644 } 4645 4646 audit_attributes(fp->f_vnode); 4647 4648 releasef(fd); 4649 4650 return; 4651 4652 default: 4653 break; 4654 4655 } 4656 4657 releasef(fd); 4658 4659 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4660 4661 if (add_sock_token == 0) { 4662 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4663 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4664 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4665 return; 4666 } 4667 4668 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4669 4670 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4671 4672 } 4673 4674 /* 4675 * XXX socket(2) may be equivalent to open(2) on a unix domain 4676 * socket. This needs investigation. 4677 */ 4678 4679 /*ARGSUSED*/ 4680 static void 4681 aus_socket(struct t_audit_data *tad) 4682 { 4683 struct a { 4684 long domain; 4685 long type; 4686 long protocol; 4687 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4688 4689 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4690 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4691 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4692 } 4693 4694 /*ARGSUSED*/ 4695 static void 4696 aus_sigqueue(struct t_audit_data *tad) 4697 { 4698 struct a { 4699 long pid; 4700 long signo; 4701 long *val; 4702 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4703 struct proc *p; 4704 uid_t uid, ruid; 4705 gid_t gid, rgid; 4706 pid_t pid; 4707 const auditinfo_addr_t *ainfo; 4708 cred_t *cr; 4709 4710 pid = (pid_t)uap->pid; 4711 4712 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4713 if (pid > 0) { 4714 mutex_enter(&pidlock); 4715 if ((p = prfind(pid)) == (struct proc *)0) { 4716 mutex_exit(&pidlock); 4717 return; 4718 } 4719 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4720 mutex_exit(&pidlock); 4721 4722 mutex_enter(&p->p_crlock); 4723 crhold(cr = p->p_cred); 4724 mutex_exit(&p->p_crlock); 4725 mutex_exit(&p->p_lock); 4726 4727 ainfo = crgetauinfo(cr); 4728 if (ainfo == NULL) { 4729 crfree(cr); 4730 return; 4731 } 4732 4733 uid = crgetuid(cr); 4734 gid = crgetgid(cr); 4735 ruid = crgetruid(cr); 4736 rgid = crgetrgid(cr); 4737 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4738 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4739 crfree(cr); 4740 } 4741 else 4742 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4743 } 4744 4745 /*ARGSUSED*/ 4746 static void 4747 aus_inst_sync(struct t_audit_data *tad) 4748 { 4749 struct a { 4750 long name; /* char */ 4751 long flags; 4752 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4753 4754 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4755 } 4756 4757 /*ARGSUSED*/ 4758 static void 4759 aus_brandsys(struct t_audit_data *tad) 4760 { 4761 klwp_t *clwp = ttolwp(curthread); 4762 4763 struct a { 4764 long cmd; 4765 long arg1; 4766 long arg2; 4767 long arg3; 4768 long arg4; 4769 long arg5; 4770 long arg6; 4771 } *uap = (struct a *)clwp->lwp_ap; 4772 4773 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4774 #ifdef _LP64 4775 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4776 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4777 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4778 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4779 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4780 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4781 #else 4782 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4783 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4784 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4785 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4786 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4787 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4788 #endif 4789 } 4790 4791 /*ARGSUSED*/ 4792 static void 4793 aus_p_online(struct t_audit_data *tad) 4794 { 4795 struct a { 4796 long processor_id; 4797 long flag; 4798 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4799 4800 struct flags { 4801 int flag; 4802 char *cflag; 4803 } aflags[6] = { 4804 { P_ONLINE, "P_ONLINE"}, 4805 { P_OFFLINE, "P_OFFLINE"}, 4806 { P_NOINTR, "P_NOINTR"}, 4807 { P_SPARE, "P_SPARE"}, 4808 { P_FAULTED, "P_FAULTED"}, 4809 { P_STATUS, "P_STATUS"} 4810 }; 4811 int i; 4812 char *cflag; 4813 4814 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4815 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4816 4817 for (i = 0; i < 6; i++) { 4818 if (aflags[i].flag == uap->flag) 4819 break; 4820 } 4821 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4822 4823 au_uwrite(au_to_text(cflag)); 4824 } 4825 4826 /*ARGSUSED*/ 4827 static void 4828 aus_processor_bind(struct t_audit_data *tad) 4829 { 4830 struct a { 4831 long id_type; 4832 long id; 4833 long processor_id; 4834 long obind; 4835 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4836 4837 struct proc *p; 4838 int lwpcnt; 4839 uid_t uid, ruid; 4840 gid_t gid, rgid; 4841 pid_t pid; 4842 const auditinfo_addr_t *ainfo; 4843 cred_t *cr; 4844 4845 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4846 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4847 if (uap->processor_id == PBIND_NONE) 4848 au_uwrite(au_to_text("PBIND_NONE")); 4849 else 4850 au_uwrite(au_to_arg32(3, "processor_id", 4851 (uint32_t)uap->processor_id)); 4852 4853 switch (uap->id_type) { 4854 case P_MYID: 4855 case P_LWPID: 4856 mutex_enter(&pidlock); 4857 p = ttoproc(curthread); 4858 if (p == NULL || p->p_as == &kas) { 4859 mutex_exit(&pidlock); 4860 return; 4861 } 4862 mutex_enter(&p->p_lock); 4863 mutex_exit(&pidlock); 4864 lwpcnt = p->p_lwpcnt; 4865 pid = p->p_pid; 4866 4867 mutex_enter(&p->p_crlock); 4868 crhold(cr = p->p_cred); 4869 mutex_exit(&p->p_crlock); 4870 mutex_exit(&p->p_lock); 4871 4872 ainfo = crgetauinfo(cr); 4873 if (ainfo == NULL) { 4874 crfree(cr); 4875 return; 4876 } 4877 4878 uid = crgetuid(cr); 4879 gid = crgetgid(cr); 4880 ruid = crgetruid(cr); 4881 rgid = crgetrgid(cr); 4882 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4883 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4884 crfree(cr); 4885 break; 4886 case P_PID: 4887 mutex_enter(&pidlock); 4888 p = prfind(uap->id); 4889 if (p == NULL || p->p_as == &kas) { 4890 mutex_exit(&pidlock); 4891 return; 4892 } 4893 mutex_enter(&p->p_lock); 4894 mutex_exit(&pidlock); 4895 lwpcnt = p->p_lwpcnt; 4896 pid = p->p_pid; 4897 4898 mutex_enter(&p->p_crlock); 4899 crhold(cr = p->p_cred); 4900 mutex_exit(&p->p_crlock); 4901 mutex_exit(&p->p_lock); 4902 4903 ainfo = crgetauinfo(cr); 4904 if (ainfo == NULL) { 4905 crfree(cr); 4906 return; 4907 } 4908 4909 uid = crgetuid(cr); 4910 gid = crgetgid(cr); 4911 ruid = crgetruid(cr); 4912 rgid = crgetrgid(cr); 4913 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4914 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4915 crfree(cr); 4916 4917 break; 4918 default: 4919 return; 4920 } 4921 4922 if (uap->processor_id == PBIND_NONE && 4923 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4924 au_uwrite(au_to_text("PBIND_NONE for process")); 4925 else 4926 au_uwrite(au_to_arg32(3, "processor_id", 4927 (uint32_t)uap->processor_id)); 4928 } 4929 4930 /*ARGSUSED*/ 4931 static au_event_t 4932 aui_doorfs(au_event_t e) 4933 { 4934 uint32_t code; 4935 4936 struct a { /* doorfs */ 4937 long a1; 4938 long a2; 4939 long a3; 4940 long a4; 4941 long a5; 4942 long code; 4943 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4944 4945 /* 4946 * audit formats for several of the 4947 * door calls have not yet been determined 4948 */ 4949 code = (uint32_t)uap->code; 4950 switch (code) { 4951 case DOOR_CALL: 4952 e = AUE_DOORFS_DOOR_CALL; 4953 break; 4954 case DOOR_RETURN: 4955 e = AUE_NULL; 4956 break; 4957 case DOOR_CREATE: 4958 e = AUE_DOORFS_DOOR_CREATE; 4959 break; 4960 case DOOR_REVOKE: 4961 e = AUE_DOORFS_DOOR_REVOKE; 4962 break; 4963 case DOOR_INFO: 4964 e = AUE_NULL; 4965 break; 4966 case DOOR_UCRED: 4967 e = AUE_NULL; 4968 break; 4969 case DOOR_BIND: 4970 e = AUE_NULL; 4971 break; 4972 case DOOR_UNBIND: 4973 e = AUE_NULL; 4974 break; 4975 case DOOR_GETPARAM: 4976 e = AUE_NULL; 4977 break; 4978 case DOOR_SETPARAM: 4979 e = AUE_NULL; 4980 break; 4981 default: /* illegal system call */ 4982 e = AUE_NULL; 4983 break; 4984 } 4985 4986 return (e); 4987 } 4988 4989 static door_node_t * 4990 au_door_lookup(int did) 4991 { 4992 vnode_t *vp; 4993 file_t *fp; 4994 4995 if ((fp = getf(did)) == NULL) 4996 return (NULL); 4997 /* 4998 * Use the underlying vnode (we may be namefs mounted) 4999 */ 5000 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5001 vp = fp->f_vnode; 5002 5003 if (vp == NULL || vp->v_type != VDOOR) { 5004 releasef(did); 5005 return (NULL); 5006 } 5007 5008 return (VTOD(vp)); 5009 } 5010 5011 /*ARGSUSED*/ 5012 static void 5013 aus_doorfs(struct t_audit_data *tad) 5014 { 5015 5016 struct a { /* doorfs */ 5017 long a1; 5018 long a2; 5019 long a3; 5020 long a4; 5021 long a5; 5022 long code; 5023 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5024 5025 door_node_t *dp; 5026 struct proc *p; 5027 uint32_t did; 5028 uid_t uid, ruid; 5029 gid_t gid, rgid; 5030 pid_t pid; 5031 const auditinfo_addr_t *ainfo; 5032 cred_t *cr; 5033 5034 did = (uint32_t)uap->a1; 5035 5036 switch (tad->tad_event) { 5037 case AUE_DOORFS_DOOR_CALL: 5038 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5039 if ((dp = au_door_lookup(did)) == NULL) 5040 break; 5041 5042 if (DOOR_INVALID(dp)) { 5043 releasef(did); 5044 break; 5045 } 5046 5047 if ((p = dp->door_target) == NULL) { 5048 releasef(did); 5049 break; 5050 } 5051 mutex_enter(&p->p_lock); 5052 releasef(did); 5053 5054 pid = p->p_pid; 5055 5056 mutex_enter(&p->p_crlock); 5057 crhold(cr = p->p_cred); 5058 mutex_exit(&p->p_crlock); 5059 mutex_exit(&p->p_lock); 5060 5061 ainfo = crgetauinfo(cr); 5062 if (ainfo == NULL) { 5063 crfree(cr); 5064 return; 5065 } 5066 uid = crgetuid(cr); 5067 gid = crgetgid(cr); 5068 ruid = crgetruid(cr); 5069 rgid = crgetrgid(cr); 5070 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5071 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5072 crfree(cr); 5073 break; 5074 case AUE_DOORFS_DOOR_RETURN: 5075 /* 5076 * We may want to write information about 5077 * all doors (if any) which will be copied 5078 * by this call to the user space 5079 */ 5080 break; 5081 case AUE_DOORFS_DOOR_CREATE: 5082 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5083 break; 5084 case AUE_DOORFS_DOOR_REVOKE: 5085 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5086 break; 5087 case AUE_DOORFS_DOOR_INFO: 5088 break; 5089 case AUE_DOORFS_DOOR_CRED: 5090 break; 5091 case AUE_DOORFS_DOOR_BIND: 5092 break; 5093 case AUE_DOORFS_DOOR_UNBIND: { 5094 break; 5095 } 5096 default: /* illegal system call */ 5097 break; 5098 } 5099 } 5100 5101 /*ARGSUSED*/ 5102 static au_event_t 5103 aui_acl(au_event_t e) 5104 { 5105 struct a { 5106 union { 5107 long name; /* char */ 5108 long fd; 5109 } obj; 5110 5111 long cmd; 5112 long nentries; 5113 long arg; /* aclent_t */ 5114 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5115 5116 switch (uap->cmd) { 5117 case SETACL: 5118 case ACE_SETACL: 5119 /* 5120 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5121 * are expected. 5122 */ 5123 break; 5124 case GETACL: 5125 case GETACLCNT: 5126 case ACE_GETACL: 5127 case ACE_GETACLCNT: 5128 /* do nothing for these four values. */ 5129 e = AUE_NULL; 5130 break; 5131 default: 5132 /* illegal system call */ 5133 break; 5134 } 5135 5136 return (e); 5137 } 5138 5139 static void 5140 au_acl(int cmd, int nentries, caddr_t bufp) 5141 { 5142 size_t a_size; 5143 aclent_t *aclbufp; 5144 ace_t *acebufp; 5145 int i; 5146 5147 switch (cmd) { 5148 case GETACL: 5149 case GETACLCNT: 5150 break; 5151 case SETACL: 5152 if (nentries < 3) 5153 break; 5154 5155 a_size = nentries * sizeof (aclent_t); 5156 5157 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5158 break; 5159 if (copyin(bufp, aclbufp, a_size)) { 5160 kmem_free(aclbufp, a_size); 5161 break; 5162 } 5163 for (i = 0; i < nentries; i++) { 5164 au_uwrite(au_to_acl(aclbufp + i)); 5165 } 5166 kmem_free(aclbufp, a_size); 5167 break; 5168 5169 case ACE_SETACL: 5170 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5171 break; 5172 5173 a_size = nentries * sizeof (ace_t); 5174 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5175 break; 5176 if (copyin(bufp, acebufp, a_size)) { 5177 kmem_free(acebufp, a_size); 5178 break; 5179 } 5180 for (i = 0; i < nentries; i++) { 5181 au_uwrite(au_to_ace(acebufp + i)); 5182 } 5183 kmem_free(acebufp, a_size); 5184 break; 5185 default: 5186 break; 5187 } 5188 } 5189 5190 /*ARGSUSED*/ 5191 static void 5192 aus_acl(struct t_audit_data *tad) 5193 { 5194 struct a { 5195 long fname; 5196 long cmd; 5197 long nentries; 5198 long aclbufp; 5199 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5200 5201 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5202 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5203 5204 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5205 } 5206 5207 /*ARGSUSED*/ 5208 static void 5209 aus_facl(struct t_audit_data *tad) 5210 { 5211 struct a { 5212 long fd; 5213 long cmd; 5214 long nentries; 5215 long aclbufp; 5216 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5217 struct file *fp; 5218 struct vnode *vp; 5219 struct f_audit_data *fad; 5220 int fd; 5221 5222 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5223 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5224 5225 fd = (int)uap->fd; 5226 5227 if ((fp = getf(fd)) == NULL) 5228 return; 5229 5230 /* get path from file struct here */ 5231 fad = F2A(fp); 5232 if (fad->fad_aupath != NULL) { 5233 au_uwrite(au_to_path(fad->fad_aupath)); 5234 } else { 5235 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5236 } 5237 5238 vp = fp->f_vnode; 5239 audit_attributes(vp); 5240 5241 /* decrement file descriptor reference count */ 5242 releasef(fd); 5243 5244 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5245 } 5246 5247 /*ARGSUSED*/ 5248 static void 5249 auf_read(tad, error, rval) 5250 struct t_audit_data *tad; 5251 int error; 5252 rval_t *rval; 5253 { 5254 struct file *fp; 5255 struct f_audit_data *fad; 5256 int fd; 5257 register struct a { 5258 long fd; 5259 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5260 au_kcontext_t *kctx = GET_KCTX_PZ; 5261 5262 fd = (int)uap->fd; 5263 5264 /* 5265 * convert file pointer to file descriptor 5266 * Note: fd ref count incremented here. 5267 */ 5268 if ((fp = getf(fd)) == NULL) 5269 return; 5270 5271 /* get path from file struct here */ 5272 fad = F2A(fp); 5273 ASSERT(fad); 5274 5275 /* 5276 * already processed this file for read attempt 5277 * 5278 * XXX might be better to turn off auditing in a aui_read() routine. 5279 */ 5280 if (fad->fad_flags & FAD_READ) { 5281 /* don't really want to audit every read attempt */ 5282 tad->tad_flag = 0; 5283 /* free any residual audit data */ 5284 au_close(kctx, &(u_ad), 0, 0, 0); 5285 releasef(fd); 5286 return; 5287 } 5288 /* mark things so we know what happened and don't repeat things */ 5289 fad->fad_flags |= FAD_READ; 5290 5291 if (fad->fad_aupath != NULL) { 5292 au_uwrite(au_to_path(fad->fad_aupath)); 5293 } else { 5294 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5295 } 5296 5297 /* include attributes */ 5298 audit_attributes(fp->f_vnode); 5299 5300 /* decrement file descriptor reference count */ 5301 releasef(fd); 5302 } 5303 5304 /*ARGSUSED*/ 5305 static void 5306 auf_write(tad, error, rval) 5307 struct t_audit_data *tad; 5308 int error; 5309 rval_t *rval; 5310 { 5311 struct file *fp; 5312 struct f_audit_data *fad; 5313 int fd; 5314 register struct a { 5315 long fd; 5316 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5317 au_kcontext_t *kctx = GET_KCTX_PZ; 5318 5319 fd = (int)uap->fd; 5320 5321 /* 5322 * convert file pointer to file descriptor 5323 * Note: fd ref count incremented here. 5324 */ 5325 if ((fp = getf(fd)) == NULL) 5326 return; 5327 5328 /* get path from file struct here */ 5329 fad = F2A(fp); 5330 ASSERT(fad); 5331 5332 /* 5333 * already processed this file for write attempt 5334 * 5335 * XXX might be better to turn off auditing in a aus_write() routine. 5336 */ 5337 if (fad->fad_flags & FAD_WRITE) { 5338 /* don't really want to audit every write attempt */ 5339 tad->tad_flag = 0; 5340 /* free any residual audit data */ 5341 au_close(kctx, &(u_ad), 0, 0, 0); 5342 releasef(fd); 5343 return; 5344 } 5345 /* mark things so we know what happened and don't repeat things */ 5346 fad->fad_flags |= FAD_WRITE; 5347 5348 if (fad->fad_aupath != NULL) { 5349 au_uwrite(au_to_path(fad->fad_aupath)); 5350 } else { 5351 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5352 } 5353 5354 /* include attributes */ 5355 audit_attributes(fp->f_vnode); 5356 5357 /* decrement file descriptor reference count */ 5358 releasef(fd); 5359 } 5360 5361 /*ARGSUSED*/ 5362 static void 5363 auf_recv(tad, error, rval) 5364 struct t_audit_data *tad; 5365 int error; 5366 rval_t *rval; 5367 { 5368 struct sonode *so; 5369 char so_laddr[sizeof (struct sockaddr_in6)]; 5370 char so_faddr[sizeof (struct sockaddr_in6)]; 5371 struct file *fp; 5372 struct f_audit_data *fad; 5373 int fd; 5374 int err; 5375 socklen_t len; 5376 short so_family, so_type; 5377 register struct a { 5378 long fd; 5379 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5380 au_kcontext_t *kctx = GET_KCTX_PZ; 5381 5382 /* 5383 * If there was an error, then nothing to do. Only generate 5384 * audit record on first successful recv. 5385 */ 5386 if (error) { 5387 /* Turn off audit record generation here. */ 5388 tad->tad_flag = 0; 5389 /* free any residual audit data */ 5390 au_close(kctx, &(u_ad), 0, 0, 0); 5391 return; 5392 } 5393 5394 fd = (int)uap->fd; 5395 5396 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5397 /* Turn off audit record generation here. */ 5398 tad->tad_flag = 0; 5399 /* free any residual audit data */ 5400 au_close(kctx, &(u_ad), 0, 0, 0); 5401 return; 5402 } 5403 5404 /* get path from file struct here */ 5405 fad = F2A(fp); 5406 ASSERT(fad); 5407 5408 /* 5409 * already processed this file for read attempt 5410 */ 5411 if (fad->fad_flags & FAD_READ) { 5412 releasef(fd); 5413 /* don't really want to audit every recv call */ 5414 tad->tad_flag = 0; 5415 /* free any residual audit data */ 5416 au_close(kctx, &(u_ad), 0, 0, 0); 5417 return; 5418 } 5419 5420 /* mark things so we know what happened and don't repeat things */ 5421 fad->fad_flags |= FAD_READ; 5422 5423 so_family = so->so_family; 5424 so_type = so->so_type; 5425 5426 switch (so_family) { 5427 case AF_INET: 5428 case AF_INET6: 5429 /* 5430 * Only for connections. 5431 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5432 */ 5433 if (so->so_state & SS_ISBOUND) { 5434 5435 bzero((void *)so_laddr, sizeof (so_laddr)); 5436 bzero((void *)so_faddr, sizeof (so_faddr)); 5437 5438 /* get local and foreign addresses */ 5439 len = sizeof (so_laddr); 5440 (void) socket_getsockname(so, 5441 (struct sockaddr *)so_laddr, &len, CRED()); 5442 len = sizeof (so_faddr); 5443 (void) socket_getpeername(so, 5444 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5445 5446 /* 5447 * only way to drop out of switch. Note that we 5448 * we release fd below. 5449 */ 5450 5451 break; 5452 } 5453 5454 releasef(fd); 5455 5456 /* don't really want to audit every recv call */ 5457 tad->tad_flag = 0; 5458 /* free any residual audit data */ 5459 au_close(kctx, &(u_ad), 0, 0, 0); 5460 5461 return; 5462 5463 case AF_UNIX: 5464 5465 if (fad->fad_aupath != NULL) { 5466 au_uwrite(au_to_path(fad->fad_aupath)); 5467 } else { 5468 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5469 } 5470 5471 audit_attributes(fp->f_vnode); 5472 5473 releasef(fd); 5474 5475 return; 5476 5477 default: 5478 releasef(fd); 5479 5480 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5481 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5482 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5483 5484 return; 5485 } 5486 5487 releasef(fd); 5488 5489 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5490 5491 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5492 5493 } 5494 5495 /*ARGSUSED*/ 5496 static void 5497 auf_send(tad, error, rval) 5498 struct t_audit_data *tad; 5499 int error; 5500 rval_t *rval; 5501 { 5502 struct sonode *so; 5503 char so_laddr[sizeof (struct sockaddr_in6)]; 5504 char so_faddr[sizeof (struct sockaddr_in6)]; 5505 struct file *fp; 5506 struct f_audit_data *fad; 5507 int fd; 5508 int err; 5509 socklen_t len; 5510 short so_family, so_type; 5511 register struct a { 5512 long fd; 5513 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5514 au_kcontext_t *kctx = GET_KCTX_PZ; 5515 5516 fd = (int)uap->fd; 5517 5518 /* 5519 * If there was an error, then nothing to do. Only generate 5520 * audit record on first successful send. 5521 */ 5522 if (error != 0) { 5523 /* Turn off audit record generation here. */ 5524 tad->tad_flag = 0; 5525 /* free any residual audit data */ 5526 au_close(kctx, &(u_ad), 0, 0, 0); 5527 return; 5528 } 5529 5530 fd = (int)uap->fd; 5531 5532 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5533 /* Turn off audit record generation here. */ 5534 tad->tad_flag = 0; 5535 /* free any residual audit data */ 5536 au_close(kctx, &(u_ad), 0, 0, 0); 5537 return; 5538 } 5539 5540 /* get path from file struct here */ 5541 fad = F2A(fp); 5542 ASSERT(fad); 5543 5544 /* 5545 * already processed this file for write attempt 5546 */ 5547 if (fad->fad_flags & FAD_WRITE) { 5548 releasef(fd); 5549 /* don't really want to audit every send call */ 5550 tad->tad_flag = 0; 5551 /* free any residual audit data */ 5552 au_close(kctx, &(u_ad), 0, 0, 0); 5553 return; 5554 } 5555 5556 /* mark things so we know what happened and don't repeat things */ 5557 fad->fad_flags |= FAD_WRITE; 5558 5559 so_family = so->so_family; 5560 so_type = so->so_type; 5561 5562 switch (so_family) { 5563 case AF_INET: 5564 case AF_INET6: 5565 /* 5566 * Only for connections. 5567 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5568 */ 5569 if (so->so_state & SS_ISBOUND) { 5570 5571 bzero((void *)so_laddr, sizeof (so_laddr)); 5572 bzero((void *)so_faddr, sizeof (so_faddr)); 5573 5574 /* get local and foreign addresses */ 5575 len = sizeof (so_laddr); 5576 (void) socket_getsockname(so, 5577 (struct sockaddr *)so_laddr, &len, CRED()); 5578 len = sizeof (so_faddr); 5579 (void) socket_getpeername(so, 5580 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5581 5582 /* 5583 * only way to drop out of switch. Note that we 5584 * we release fd below. 5585 */ 5586 5587 break; 5588 } 5589 5590 releasef(fd); 5591 /* don't really want to audit every send call */ 5592 tad->tad_flag = 0; 5593 /* free any residual audit data */ 5594 au_close(kctx, &(u_ad), 0, 0, 0); 5595 5596 return; 5597 5598 case AF_UNIX: 5599 5600 if (fad->fad_aupath != NULL) { 5601 au_uwrite(au_to_path(fad->fad_aupath)); 5602 } else { 5603 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5604 } 5605 5606 audit_attributes(fp->f_vnode); 5607 5608 releasef(fd); 5609 5610 return; 5611 5612 default: 5613 releasef(fd); 5614 5615 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5616 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5617 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5618 5619 return; 5620 } 5621 5622 releasef(fd); 5623 5624 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5625 5626 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5627 } 5628 5629 static au_event_t 5630 aui_forksys(au_event_t e) 5631 { 5632 struct a { 5633 long subcode; 5634 long flags; 5635 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5636 5637 switch ((uint_t)uap->subcode) { 5638 case 0: 5639 e = AUE_FORK1; 5640 break; 5641 case 1: 5642 e = AUE_FORKALL; 5643 break; 5644 case 2: 5645 e = AUE_VFORK; 5646 break; 5647 default: 5648 e = AUE_NULL; 5649 break; 5650 } 5651 5652 return (e); 5653 } 5654 5655 /*ARGSUSED*/ 5656 static au_event_t 5657 aui_portfs(au_event_t e) 5658 { 5659 struct a { /* portfs */ 5660 long a1; 5661 long a2; 5662 long a3; 5663 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5664 5665 /* 5666 * check opcode 5667 */ 5668 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5669 case PORT_ASSOCIATE: 5670 /* check source */ 5671 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5672 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5673 e = AUE_PORTFS_ASSOCIATE; 5674 } else { 5675 e = AUE_NULL; 5676 } 5677 break; 5678 case PORT_DISSOCIATE: 5679 /* check source */ 5680 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5681 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5682 e = AUE_PORTFS_DISSOCIATE; 5683 } else { 5684 e = AUE_NULL; 5685 } 5686 break; 5687 default: 5688 e = AUE_NULL; 5689 } 5690 return (e); 5691 } 5692