1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 /* 26 * This file contains the audit event table used to control the production 27 * of audit records for each system call. 28 */ 29 30 #include <sys/policy.h> 31 #include <sys/cred.h> 32 #include <sys/types.h> 33 #include <sys/systm.h> 34 #include <sys/systeminfo.h> /* for sysinfo auditing */ 35 #include <sys/utsname.h> /* for sysinfo auditing */ 36 #include <sys/proc.h> 37 #include <sys/vnode.h> 38 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 39 #include <sys/fcntl.h> 40 #include <sys/modctl.h> /* for modctl auditing */ 41 #include <sys/vnode.h> 42 #include <sys/user.h> 43 #include <sys/types.h> 44 #include <sys/processor.h> 45 #include <sys/procset.h> 46 #include <sys/acl.h> 47 #include <sys/ipc.h> 48 #include <sys/door.h> 49 #include <sys/sem.h> 50 #include <sys/msg.h> 51 #include <sys/shm.h> 52 #include <sys/kmem.h> 53 #include <sys/file.h> /* for accept */ 54 #include <sys/utssys.h> /* for fuser */ 55 #include <sys/tsol/label.h> 56 #include <sys/tsol/tndb.h> 57 #include <sys/tsol/tsyscall.h> 58 #include <c2/audit.h> 59 #include <c2/audit_kernel.h> 60 #include <c2/audit_kevents.h> 61 #include <c2/audit_record.h> 62 #include <sys/procset.h> 63 #include <nfs/mount.h> 64 #include <sys/param.h> 65 #include <sys/debug.h> 66 #include <sys/sysmacros.h> 67 #include <sys/stream.h> 68 #include <sys/strsubr.h> 69 #include <sys/stropts.h> 70 #include <sys/tihdr.h> 71 #include <sys/socket.h> 72 #include <sys/socketvar.h> 73 #include <sys/vfs_opreg.h> 74 #include <fs/sockfs/sockcommon.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 #include <sys/port_impl.h> 78 79 80 char _depends_on[] = "fs/sockfs"; 81 82 static au_event_t aui_fchownat(au_event_t); 83 static au_event_t aui_open(au_event_t); 84 static au_event_t aui_openat(au_event_t); 85 static au_event_t aui_unlinkat(au_event_t); 86 static au_event_t aui_fstatat(au_event_t); 87 static au_event_t aui_msgsys(au_event_t); 88 static au_event_t aui_shmsys(au_event_t); 89 static au_event_t aui_semsys(au_event_t); 90 static au_event_t aui_utssys(au_event_t); 91 static au_event_t aui_fcntl(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 static au_event_t aui_labelsys(au_event_t); 103 static au_event_t aui_setpgrp(au_event_t); 104 105 static void aus_exit(struct t_audit_data *); 106 static void aus_open(struct t_audit_data *); 107 static void aus_openat(struct t_audit_data *); 108 static void aus_acl(struct t_audit_data *); 109 static void aus_acct(struct t_audit_data *); 110 static void aus_chown(struct t_audit_data *); 111 static void aus_fchown(struct t_audit_data *); 112 static void aus_lchown(struct t_audit_data *); 113 static void aus_fchownat(struct t_audit_data *); 114 static void aus_chmod(struct t_audit_data *); 115 static void aus_facl(struct t_audit_data *); 116 static void aus_fchmod(struct t_audit_data *); 117 static void aus_fcntl(struct t_audit_data *); 118 static void aus_mkdir(struct t_audit_data *); 119 static void aus_mknod(struct t_audit_data *); 120 static void aus_mount(struct t_audit_data *); 121 static void aus_umount2(struct t_audit_data *); 122 static void aus_msgsys(struct t_audit_data *); 123 static void aus_semsys(struct t_audit_data *); 124 static void aus_close(struct t_audit_data *); 125 static void aus_fstatfs(struct t_audit_data *); 126 static void aus_setgid(struct t_audit_data *); 127 static void aus_setpgrp(struct t_audit_data *); 128 static void aus_setuid(struct t_audit_data *); 129 static void aus_shmsys(struct t_audit_data *); 130 static void aus_doorfs(struct t_audit_data *); 131 static void aus_ioctl(struct t_audit_data *); 132 static void aus_memcntl(struct t_audit_data *); 133 static void aus_mmap(struct t_audit_data *); 134 static void aus_munmap(struct t_audit_data *); 135 static void aus_priocntlsys(struct t_audit_data *); 136 static void aus_setegid(struct t_audit_data *); 137 static void aus_setgroups(struct t_audit_data *); 138 static void aus_seteuid(struct t_audit_data *); 139 static void aus_putmsg(struct t_audit_data *); 140 static void aus_putpmsg(struct t_audit_data *); 141 static void aus_getmsg(struct t_audit_data *); 142 static void aus_getpmsg(struct t_audit_data *); 143 static void aus_auditsys(struct t_audit_data *); 144 static void aus_sysinfo(struct t_audit_data *); 145 static void aus_modctl(struct t_audit_data *); 146 static void aus_kill(struct t_audit_data *); 147 static void aus_setregid(struct t_audit_data *); 148 static void aus_setreuid(struct t_audit_data *); 149 static void aus_labelsys(struct t_audit_data *); 150 151 static void auf_mknod(struct t_audit_data *, int, rval_t *); 152 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 153 static void auf_semsys(struct t_audit_data *, int, rval_t *); 154 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 155 static void auf_read(struct t_audit_data *, int, rval_t *); 156 static void auf_write(struct t_audit_data *, int, rval_t *); 157 158 static void aus_sigqueue(struct t_audit_data *); 159 static void aus_p_online(struct t_audit_data *); 160 static void aus_processor_bind(struct t_audit_data *); 161 static void aus_inst_sync(struct t_audit_data *); 162 static void aus_brandsys(struct t_audit_data *); 163 164 static void auf_accept(struct t_audit_data *, int, rval_t *); 165 166 static void auf_bind(struct t_audit_data *, int, rval_t *); 167 static void auf_connect(struct t_audit_data *, int, rval_t *); 168 static void aus_shutdown(struct t_audit_data *); 169 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 170 static void aus_sockconfig(struct t_audit_data *); 171 static void auf_recv(struct t_audit_data *, int, rval_t *); 172 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 173 static void auf_send(struct t_audit_data *, int, rval_t *); 174 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 175 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 176 static void auf_sendto(struct t_audit_data *, int, rval_t *); 177 static void aus_socket(struct t_audit_data *); 178 /* 179 * This table contains mapping information for converting system call numbers 180 * to audit event IDs. In several cases it is necessary to map a single system 181 * call to several events. 182 */ 183 184 #define aui_null NULL /* NULL initialize function */ 185 #define aus_null NULL /* NULL start function */ 186 #define auf_null NULL /* NULL finish function */ 187 188 struct audit_s2e audit_s2e[] = 189 { 190 /* 191 * ---------- ---------- ---------- ---------- 192 * INITIAL AUDIT START SYSTEM 193 * PROCESSING EVENT PROCESSING CALL 194 * ---------- ---------- ---------- ----------- 195 * FINISH EVENT 196 * PROCESSING CONTROL 197 * ---------------------------------------------------------- 198 */ 199 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 200 auf_null, 0, 201 aui_null, AUE_EXIT, aus_exit, /* 1 exit */ 202 auf_null, S2E_NPT, 203 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */ 204 auf_null, 0, 205 aui_null, AUE_READ, aus_null, /* 3 read */ 206 auf_read, S2E_PUB, 207 aui_null, AUE_WRITE, aus_null, /* 4 write */ 208 auf_write, 0, 209 aui_open, AUE_OPEN, aus_open, /* 5 open */ 210 auf_null, S2E_SP, 211 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 212 auf_null, 0, 213 aui_null, AUE_NULL, aus_null, /* 7 (loadable) was wait */ 214 auf_null, 0, 215 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 216 auf_null, 0, 217 aui_null, AUE_LINK, aus_null, /* 9 link */ 218 auf_null, 0, 219 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 220 auf_null, 0, 221 aui_null, AUE_NULL, aus_null, /* 11 (loadable) was exec */ 222 auf_null, 0, 223 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 224 auf_null, S2E_SP, 225 aui_null, AUE_NULL, aus_null, /* 13 time */ 226 auf_null, 0, 227 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 228 auf_mknod, 0, 229 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 230 auf_null, 0, 231 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 232 auf_null, 0, 233 aui_null, AUE_NULL, aus_null, /* 17 brk */ 234 auf_null, 0, 235 aui_null, AUE_STAT, aus_null, /* 18 stat */ 236 auf_null, S2E_PUB, 237 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 238 auf_null, 0, 239 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 240 auf_null, 0, 241 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 242 auf_null, S2E_MLD, 243 aui_null, AUE_NULL, aus_null, /* 22 (loadable) was umount */ 244 auf_null, 0, 245 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 246 auf_null, 0, 247 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 248 auf_null, 0, 249 aui_null, AUE_STIME, aus_null, /* 25 stime */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 29 pause */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 264 auf_null, 0, 265 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 266 auf_null, S2E_PUB, 267 aui_null, AUE_NICE, aus_null, /* 34 nice */ 268 auf_null, 0, 269 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 270 auf_null, S2E_PUB, 271 aui_null, AUE_NULL, aus_null, /* 36 sync */ 272 auf_null, 0, 273 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 274 auf_null, 0, 275 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 276 auf_null, S2E_PUB, 277 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 278 auf_null, 0, 279 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 280 auf_null, 0, 281 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 282 auf_null, 0, 283 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 43 times */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 44 profil */ 288 auf_null, 0, 289 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 290 auf_null, S2E_PUB | S2E_ATC, 291 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 48 (loadable) was ssig */ 296 auf_null, 0, 297 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 298 auf_msgsys, 0, 299 #if defined(__x86) 300 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 301 auf_null, 0, 302 #else 303 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 304 auf_null, 0, 305 #endif /* __x86 */ 306 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 307 auf_null, 0, 308 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 309 auf_shmsys, 0, 310 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 311 auf_semsys, 0, 312 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 313 auf_null, 0, 314 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 315 auf_null, 0, 316 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 317 auf_null, S2E_ATC, 318 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 319 auf_null, 0, 320 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 321 auf_null, 0, 322 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 323 auf_null, S2E_MLD, 324 aui_null, AUE_NULL, aus_null, /* 60 umask */ 325 auf_null, 0, 326 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 327 auf_null, S2E_SP, 328 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 329 auf_null, 0, 330 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 331 auf_null, 0, 332 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 333 auf_null, S2E_ATC, 334 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 335 auf_null, S2E_ATC, 336 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 337 auf_null, S2E_PUB | S2E_ATC, 338 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 339 auf_null, S2E_PUB | S2E_ATC, 340 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 341 auf_null, S2E_SP | S2E_ATC, 342 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 343 auf_null, S2E_SP | S2E_ATC, 344 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 361 auf_null, 0, 362 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 363 auf_null, 0, 364 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 365 auf_null, 0, 366 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 367 auf_null, 0, 368 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 369 auf_null, 0, 370 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 373 auf_null, 0, 374 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 375 auf_null, 0, 376 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 377 auf_null, 0, 378 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 379 auf_null, 0, 380 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 381 auf_null, S2E_PUB, 382 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 383 auf_null, 0, 384 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 385 auf_null, S2E_PUB, 386 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 387 auf_null, 0, 388 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 389 auf_null, 0, 390 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 391 auf_null, 0, 392 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 393 auf_null, 0, 394 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 395 auf_null, 0, 396 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 101 (loadable) */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 409 auf_null, 0, 410 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 411 auf_null, S2E_PUB, 412 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 413 auf_null, 0, 414 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 415 auf_null, 0, 416 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 417 auf_null, 0, 418 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 421 auf_null, 0, 422 #if defined(__x86) 423 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 424 auf_null, 0, 425 #else 426 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 427 auf_null, 0, 428 #endif /* __x86 */ 429 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */ 430 auf_null, S2E_ATC, 431 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 432 auf_null, 0, 433 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 434 auf_null, 0, 435 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 436 auf_null, S2E_PUB, 437 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 438 auf_null, 0, 439 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 440 auf_null, 0, 441 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 442 auf_null, 0, 443 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 444 auf_null, 0, 445 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 446 auf_null, 0, 447 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 448 auf_null, 0, 449 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 450 auf_null, 0, 451 aui_null, AUE_READ, aus_null, /* 121 readv */ 452 auf_read, S2E_PUB, 453 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 454 auf_write, 0, 455 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 456 auf_null, 0, 457 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 458 auf_null, 0, 459 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 460 auf_null, 0, 461 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 462 auf_null, 0, 463 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 464 auf_null, 0, 465 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 466 auf_null, 0, 467 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 468 auf_null, 0, 469 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 470 auf_null, 0, 471 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 472 auf_null, 0, 473 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 474 auf_null, 0, 475 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 476 auf_null, 0, 477 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 478 auf_null, 0, 479 aui_null, AUE_NULL, aus_null, /* 135 uname */ 480 auf_null, 0, 481 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 482 auf_null, 0, 483 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 484 auf_null, 0, 485 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 486 auf_null, 0, 487 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 488 auf_null, 0, 489 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 490 auf_null, 0, 491 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 492 auf_null, 0, 493 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 494 auf_null, 0, 495 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 496 auf_null, 0, 497 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 498 auf_null, 0, 499 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 146 yield */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 504 /* was lwp_sema_wait */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 513 auf_null, 0, 514 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 515 auf_null, 0, 516 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 517 auf_null, 0, 518 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 519 auf_null, 0, 520 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 521 auf_null, 0, 522 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 549 /* was lwp_mutex_lock */ 550 auf_null, 0, 551 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 556 auf_null, 0, 557 aui_null, AUE_READ, aus_null, /* 173 pread */ 558 auf_read, S2E_PUB, 559 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 560 auf_write, 0, 561 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 562 auf_null, 0, 563 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 564 auf_null, 0, 565 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 566 auf_null, 0, 567 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 568 auf_null, 0, 569 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 570 auf_null, 0, 571 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 574 auf_null, 0, 575 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 576 auf_null, S2E_MLD, 577 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 578 auf_null, 0, 579 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 580 auf_null, 0, 581 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 582 auf_null, 0, 583 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 584 auf_null, 0, 585 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 586 auf_null, 0, 587 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 588 auf_null, 0, 589 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 590 auf_null, 0, 591 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 592 auf_null, 0, 593 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 594 auf_null, 0, 595 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 610 auf_null, 0, 611 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 612 auf_null, 0, 613 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 614 auf_null, 0, 615 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 616 auf_null, 0, 617 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 618 auf_null, 0, 619 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 620 auf_null, 0, 621 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 622 auf_null, 0, 623 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 638 auf_null, 0, 639 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 640 auf_null, 0, 641 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 642 auf_null, S2E_PUB, 643 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 644 auf_null, S2E_PUB, 645 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 646 auf_null, 0, 647 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 648 auf_null, S2E_PUB, 649 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 650 auf_null, 0, 651 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 652 auf_null, 0, 653 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 654 auf_null, 0, 655 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 656 auf_read, S2E_PUB, 657 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 658 auf_write, 0, 659 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 660 auf_null, 0, 661 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 662 auf_null, S2E_SP, 663 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 664 auf_null, 0, 665 aui_null, AUE_NULL, aus_null, /* 227 zone */ 666 auf_null, 0, 667 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 668 auf_null, 0, 669 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 670 auf_null, 0, 671 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 674 auf_null, 0, 675 aui_null, AUE_BIND, aus_null, /* 232 bind */ 676 auf_bind, 0, 677 aui_null, AUE_NULL, aus_null, /* 233 listen */ 678 auf_null, 0, 679 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 680 auf_accept, 0, 681 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 682 auf_connect, 0, 683 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 684 auf_null, 0, 685 aui_null, AUE_READ, aus_null, /* 237 recv */ 686 auf_recv, 0, 687 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 688 auf_recvfrom, 0, 689 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 690 auf_recvmsg, 0, 691 aui_null, AUE_WRITE, aus_null, /* 240 send */ 692 auf_send, 0, 693 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 694 auf_sendmsg, 0, 695 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 696 auf_sendto, 0, 697 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 698 auf_null, 0, 699 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 700 auf_null, 0, 701 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 702 auf_null, 0, 703 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 704 auf_setsockopt, 0, 705 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 708 auf_null, 0, 709 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 710 auf_null, 0, 711 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 714 auf_null, 0, 715 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 720 auf_null, 0, 721 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 722 auf_null, 0 723 }; 724 725 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 726 727 728 /* exit start function */ 729 /*ARGSUSED*/ 730 static void 731 aus_exit(struct t_audit_data *tad) 732 { 733 uint32_t rval; 734 struct a { 735 long rval; 736 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 737 738 rval = (uint32_t)uap->rval; 739 au_uwrite(au_to_arg32(1, "exit status", rval)); 740 } 741 742 /* acct start function */ 743 /*ARGSUSED*/ 744 static void 745 aus_acct(struct t_audit_data *tad) 746 { 747 klwp_t *clwp = ttolwp(curthread); 748 uintptr_t fname; 749 750 struct a { 751 long fname; /* char * */ 752 } *uap = (struct a *)clwp->lwp_ap; 753 754 fname = (uintptr_t)uap->fname; 755 756 if (fname == 0) 757 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 758 } 759 760 /* chown start function */ 761 /*ARGSUSED*/ 762 static void 763 aus_chown(struct t_audit_data *tad) 764 { 765 klwp_t *clwp = ttolwp(curthread); 766 uint32_t uid, gid; 767 768 struct a { 769 long fname; /* char * */ 770 long uid; 771 long gid; 772 } *uap = (struct a *)clwp->lwp_ap; 773 774 uid = (uint32_t)uap->uid; 775 gid = (uint32_t)uap->gid; 776 777 au_uwrite(au_to_arg32(2, "new file uid", uid)); 778 au_uwrite(au_to_arg32(3, "new file gid", gid)); 779 } 780 781 /* fchown start function */ 782 /*ARGSUSED*/ 783 static void 784 aus_fchown(struct t_audit_data *tad) 785 { 786 klwp_t *clwp = ttolwp(curthread); 787 uint32_t uid, gid, fd; 788 struct file *fp; 789 struct vnode *vp; 790 struct f_audit_data *fad; 791 792 struct a { 793 long fd; 794 long uid; 795 long gid; 796 } *uap = (struct a *)clwp->lwp_ap; 797 798 fd = (uint32_t)uap->fd; 799 uid = (uint32_t)uap->uid; 800 gid = (uint32_t)uap->gid; 801 802 au_uwrite(au_to_arg32(2, "new file uid", uid)); 803 au_uwrite(au_to_arg32(3, "new file gid", gid)); 804 805 /* 806 * convert file pointer to file descriptor 807 * Note: fd ref count incremented here. 808 */ 809 if ((fp = getf(fd)) == NULL) 810 return; 811 812 /* get path from file struct here */ 813 fad = F2A(fp); 814 if (fad->fad_aupath != NULL) { 815 au_uwrite(au_to_path(fad->fad_aupath)); 816 } else { 817 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 818 } 819 820 vp = fp->f_vnode; 821 audit_attributes(vp); 822 823 /* decrement file descriptor reference count */ 824 releasef(fd); 825 } 826 827 /*ARGSUSED*/ 828 static void 829 aus_lchown(struct t_audit_data *tad) 830 { 831 klwp_t *clwp = ttolwp(curthread); 832 uint32_t uid, gid; 833 834 835 struct a { 836 long fname; /* char * */ 837 long uid; 838 long gid; 839 } *uap = (struct a *)clwp->lwp_ap; 840 841 uid = (uint32_t)uap->uid; 842 gid = (uint32_t)uap->gid; 843 844 au_uwrite(au_to_arg32(2, "new file uid", uid)); 845 au_uwrite(au_to_arg32(3, "new file gid", gid)); 846 } 847 848 static au_event_t 849 aui_fchownat(au_event_t e) 850 { 851 klwp_t *clwp = ttolwp(curthread); 852 853 struct a { 854 long fd; 855 long fname; /* char * */ 856 long uid; 857 long gid; 858 long flags; 859 } *uap = (struct a *)clwp->lwp_ap; 860 861 if (uap->fname == NULL) 862 e = AUE_FCHOWN; 863 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 864 e = AUE_LCHOWN; 865 else 866 e = AUE_CHOWN; 867 868 return (e); 869 } 870 871 /*ARGSUSED*/ 872 static void 873 aus_fchownat(struct t_audit_data *tad) 874 { 875 klwp_t *clwp = ttolwp(curthread); 876 uint32_t uid, gid; 877 878 struct a { 879 long fd; 880 long fname; /* char * */ 881 long uid; 882 long gid; 883 long flags; 884 } *uap = (struct a *)clwp->lwp_ap; 885 886 uid = (uint32_t)uap->uid; 887 gid = (uint32_t)uap->gid; 888 889 au_uwrite(au_to_arg32(3, "new file uid", uid)); 890 au_uwrite(au_to_arg32(4, "new file gid", gid)); 891 } 892 893 /* chmod start function */ 894 /*ARGSUSED*/ 895 static void 896 aus_chmod(struct t_audit_data *tad) 897 { 898 klwp_t *clwp = ttolwp(curthread); 899 uint32_t fmode; 900 901 struct a { 902 long fname; /* char * */ 903 long fmode; 904 } *uap = (struct a *)clwp->lwp_ap; 905 906 fmode = (uint32_t)uap->fmode; 907 908 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 909 } 910 911 /* chmod start function */ 912 /*ARGSUSED*/ 913 static void 914 aus_fchmod(struct t_audit_data *tad) 915 { 916 klwp_t *clwp = ttolwp(curthread); 917 uint32_t fmode, fd; 918 struct file *fp; 919 struct vnode *vp; 920 struct f_audit_data *fad; 921 922 struct a { 923 long fd; 924 long fmode; 925 } *uap = (struct a *)clwp->lwp_ap; 926 927 fd = (uint32_t)uap->fd; 928 fmode = (uint32_t)uap->fmode; 929 930 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 931 932 /* 933 * convert file pointer to file descriptor 934 * Note: fd ref count incremented here. 935 */ 936 if ((fp = getf(fd)) == NULL) 937 return; 938 939 /* get path from file struct here */ 940 fad = F2A(fp); 941 if (fad->fad_aupath != NULL) { 942 au_uwrite(au_to_path(fad->fad_aupath)); 943 } else { 944 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 945 } 946 947 vp = fp->f_vnode; 948 audit_attributes(vp); 949 950 /* decrement file descriptor reference count */ 951 releasef(fd); 952 } 953 954 /* 955 * convert open mode to appropriate open event 956 */ 957 au_event_t 958 open_event(uint_t fm) 959 { 960 au_event_t e; 961 962 switch (fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) { 963 case O_RDONLY: 964 e = AUE_OPEN_R; 965 break; 966 case O_RDONLY | O_CREAT: 967 e = AUE_OPEN_RC; 968 break; 969 case O_RDONLY | O_TRUNC: 970 e = AUE_OPEN_RT; 971 break; 972 case O_RDONLY | O_TRUNC | O_CREAT: 973 e = AUE_OPEN_RTC; 974 break; 975 case O_WRONLY: 976 e = AUE_OPEN_W; 977 break; 978 case O_WRONLY | O_CREAT: 979 e = AUE_OPEN_WC; 980 break; 981 case O_WRONLY | O_TRUNC: 982 e = AUE_OPEN_WT; 983 break; 984 case O_WRONLY | O_TRUNC | O_CREAT: 985 e = AUE_OPEN_WTC; 986 break; 987 case O_RDWR: 988 e = AUE_OPEN_RW; 989 break; 990 case O_RDWR | O_CREAT: 991 e = AUE_OPEN_RWC; 992 break; 993 case O_RDWR | O_TRUNC: 994 e = AUE_OPEN_RWT; 995 break; 996 case O_RDWR | O_TRUNC | O_CREAT: 997 e = AUE_OPEN_RWTC; 998 break; 999 default: 1000 e = AUE_NULL; 1001 break; 1002 } 1003 1004 return (e); 1005 } 1006 1007 /* ARGSUSED */ 1008 static au_event_t 1009 aui_open(au_event_t e) 1010 { 1011 t_audit_data_t *tad = T2A(curthread); 1012 klwp_t *clwp = ttolwp(curthread); 1013 uint_t fm; 1014 1015 struct a { 1016 long fnamep; /* char * */ 1017 long fmode; 1018 long cmode; 1019 } *uap = (struct a *)clwp->lwp_ap; 1020 1021 fm = (uint_t)uap->fmode; 1022 1023 /* convert to appropriate au_ctrl */ 1024 if (fm & (FXATTR | FXATTRDIROPEN)) 1025 tad->tad_ctrl |= TAD_ATTPATH; 1026 1027 return (open_event(fm)); 1028 } 1029 1030 static void 1031 aus_open(struct t_audit_data *tad) 1032 { 1033 klwp_t *clwp = ttolwp(curthread); 1034 uint_t fm; 1035 1036 struct a { 1037 long fnamep; /* char * */ 1038 long fmode; 1039 long cmode; 1040 } *uap = (struct a *)clwp->lwp_ap; 1041 1042 fm = (uint_t)uap->fmode; 1043 1044 /* If no write, create, or trunc modes, mark as a public op */ 1045 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1046 tad->tad_ctrl |= TAD_PUBLIC_EV; 1047 } 1048 1049 /* ARGSUSED */ 1050 static au_event_t 1051 aui_openat(au_event_t e) 1052 { 1053 t_audit_data_t *tad = T2A(curthread); 1054 klwp_t *clwp = ttolwp(curthread); 1055 uint_t fm; 1056 1057 struct a { 1058 long filedes; 1059 long fnamep; /* char * */ 1060 long fmode; 1061 long cmode; 1062 } *uap = (struct a *)clwp->lwp_ap; 1063 1064 fm = (uint_t)uap->fmode; 1065 1066 /* convert to appropriate au_ctrl */ 1067 if (fm & (FXATTR | FXATTRDIROPEN)) 1068 tad->tad_ctrl |= TAD_ATTPATH; 1069 1070 return (open_event(fm)); 1071 } 1072 1073 static void 1074 aus_openat(struct t_audit_data *tad) 1075 { 1076 klwp_t *clwp = ttolwp(curthread); 1077 uint_t fm; 1078 1079 struct a { 1080 long filedes; 1081 long fnamep; /* char * */ 1082 long fmode; 1083 long cmode; 1084 } *uap = (struct a *)clwp->lwp_ap; 1085 1086 fm = (uint_t)uap->fmode; 1087 1088 /* If no write, create, or trunc modes, mark as a public op */ 1089 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1090 tad->tad_ctrl |= TAD_PUBLIC_EV; 1091 } 1092 1093 static au_event_t 1094 aui_unlinkat(au_event_t e) 1095 { 1096 klwp_t *clwp = ttolwp(curthread); 1097 1098 struct a { 1099 long filedes; 1100 long fnamep; /* char * */ 1101 long flags; 1102 } *uap = (struct a *)clwp->lwp_ap; 1103 1104 if (uap->flags & AT_REMOVEDIR) 1105 e = AUE_RMDIR; 1106 else 1107 e = AUE_UNLINK; 1108 1109 return (e); 1110 } 1111 1112 static au_event_t 1113 aui_fstatat(au_event_t e) 1114 { 1115 klwp_t *clwp = ttolwp(curthread); 1116 1117 struct a { 1118 long filedes; 1119 long fnamep; /* char * */ 1120 long statb; 1121 long flags; 1122 } *uap = (struct a *)clwp->lwp_ap; 1123 1124 if (uap->fnamep == NULL) 1125 e = AUE_FSTAT; 1126 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1127 e = AUE_LSTAT; 1128 else 1129 e = AUE_STAT; 1130 1131 return (e); 1132 } 1133 1134 /* msgsys */ 1135 static au_event_t 1136 aui_msgsys(au_event_t e) 1137 { 1138 klwp_t *clwp = ttolwp(curthread); 1139 uint_t fm; 1140 1141 struct a { 1142 long id; /* function code id */ 1143 long ap; /* arg pointer for recvmsg */ 1144 } *uap = (struct a *)clwp->lwp_ap; 1145 1146 struct b { 1147 long msgid; 1148 long cmd; 1149 long buf; /* struct msqid_ds * */ 1150 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1151 1152 fm = (uint_t)uap->id; 1153 1154 switch (fm) { 1155 case 0: /* msgget */ 1156 e = AUE_MSGGET; 1157 break; 1158 case 1: /* msgctl */ 1159 switch ((uint_t)uap1->cmd) { 1160 case IPC_RMID: 1161 e = AUE_MSGCTL_RMID; 1162 break; 1163 case IPC_SET: 1164 e = AUE_MSGCTL_SET; 1165 break; 1166 case IPC_STAT: 1167 e = AUE_MSGCTL_STAT; 1168 break; 1169 default: 1170 e = AUE_MSGCTL; 1171 break; 1172 } 1173 break; 1174 case 2: /* msgrcv */ 1175 e = AUE_MSGRCV; 1176 break; 1177 case 3: /* msgsnd */ 1178 e = AUE_MSGSND; 1179 break; 1180 default: /* illegal system call */ 1181 e = AUE_NULL; 1182 break; 1183 } 1184 1185 return (e); 1186 } 1187 1188 1189 /* shmsys */ 1190 static au_event_t 1191 aui_shmsys(au_event_t e) 1192 { 1193 klwp_t *clwp = ttolwp(curthread); 1194 int fm; 1195 1196 struct a { /* shmsys */ 1197 long id; /* function code id */ 1198 } *uap = (struct a *)clwp->lwp_ap; 1199 1200 struct b { /* ctrl */ 1201 long shmid; 1202 long cmd; 1203 long arg; /* struct shmid_ds * */ 1204 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1205 fm = (uint_t)uap->id; 1206 1207 switch (fm) { 1208 case 0: /* shmat */ 1209 e = AUE_SHMAT; 1210 break; 1211 case 1: /* shmctl */ 1212 switch ((uint_t)uap1->cmd) { 1213 case IPC_RMID: 1214 e = AUE_SHMCTL_RMID; 1215 break; 1216 case IPC_SET: 1217 e = AUE_SHMCTL_SET; 1218 break; 1219 case IPC_STAT: 1220 e = AUE_SHMCTL_STAT; 1221 break; 1222 default: 1223 e = AUE_SHMCTL; 1224 break; 1225 } 1226 break; 1227 case 2: /* shmdt */ 1228 e = AUE_SHMDT; 1229 break; 1230 case 3: /* shmget */ 1231 e = AUE_SHMGET; 1232 break; 1233 default: /* illegal system call */ 1234 e = AUE_NULL; 1235 break; 1236 } 1237 1238 return (e); 1239 } 1240 1241 1242 /* semsys */ 1243 static au_event_t 1244 aui_semsys(au_event_t e) 1245 { 1246 klwp_t *clwp = ttolwp(curthread); 1247 uint_t fm; 1248 1249 struct a { /* semsys */ 1250 long id; 1251 } *uap = (struct a *)clwp->lwp_ap; 1252 1253 struct b { /* ctrl */ 1254 long semid; 1255 long semnum; 1256 long cmd; 1257 long arg; 1258 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1259 1260 fm = (uint_t)uap->id; 1261 1262 switch (fm) { 1263 case 0: /* semctl */ 1264 switch ((uint_t)uap1->cmd) { 1265 case IPC_RMID: 1266 e = AUE_SEMCTL_RMID; 1267 break; 1268 case IPC_SET: 1269 e = AUE_SEMCTL_SET; 1270 break; 1271 case IPC_STAT: 1272 e = AUE_SEMCTL_STAT; 1273 break; 1274 case GETNCNT: 1275 e = AUE_SEMCTL_GETNCNT; 1276 break; 1277 case GETPID: 1278 e = AUE_SEMCTL_GETPID; 1279 break; 1280 case GETVAL: 1281 e = AUE_SEMCTL_GETVAL; 1282 break; 1283 case GETALL: 1284 e = AUE_SEMCTL_GETALL; 1285 break; 1286 case GETZCNT: 1287 e = AUE_SEMCTL_GETZCNT; 1288 break; 1289 case SETVAL: 1290 e = AUE_SEMCTL_SETVAL; 1291 break; 1292 case SETALL: 1293 e = AUE_SEMCTL_SETALL; 1294 break; 1295 default: 1296 e = AUE_SEMCTL; 1297 break; 1298 } 1299 break; 1300 case 1: /* semget */ 1301 e = AUE_SEMGET; 1302 break; 1303 case 2: /* semop */ 1304 e = AUE_SEMOP; 1305 break; 1306 default: /* illegal system call */ 1307 e = AUE_NULL; 1308 break; 1309 } 1310 1311 return (e); 1312 } 1313 1314 /* utssys - uname(2), ustat(2), fusers(2) */ 1315 static au_event_t 1316 aui_utssys(au_event_t e) 1317 { 1318 klwp_t *clwp = ttolwp(curthread); 1319 uint_t type; 1320 1321 struct a { 1322 union { 1323 long cbuf; /* char * */ 1324 long ubuf; /* struct stat * */ 1325 } ub; 1326 union { 1327 long mv; /* for USTAT */ 1328 long flags; /* for FUSERS */ 1329 } un; 1330 long type; 1331 long outbp; /* char * for FUSERS */ 1332 } *uap = (struct a *)clwp->lwp_ap; 1333 1334 type = (uint_t)uap->type; 1335 1336 if (type == UTS_FUSERS) 1337 return (e); 1338 else 1339 return ((au_event_t)AUE_NULL); 1340 } 1341 1342 static au_event_t 1343 aui_fcntl(au_event_t e) 1344 { 1345 klwp_t *clwp = ttolwp(curthread); 1346 uint_t cmd; 1347 1348 struct a { 1349 long fdes; 1350 long cmd; 1351 long arg; 1352 } *uap = (struct a *)clwp->lwp_ap; 1353 1354 cmd = (uint_t)uap->cmd; 1355 1356 switch (cmd) { 1357 case F_GETLK: 1358 case F_SETLK: 1359 case F_SETLKW: 1360 break; 1361 case F_SETFL: 1362 case F_GETFL: 1363 case F_GETFD: 1364 break; 1365 default: 1366 e = (au_event_t)AUE_NULL; 1367 break; 1368 } 1369 return ((au_event_t)e); 1370 } 1371 1372 /* null function for now */ 1373 static au_event_t 1374 aui_execve(au_event_t e) 1375 { 1376 return (e); 1377 } 1378 1379 /*ARGSUSED*/ 1380 static void 1381 aus_fcntl(struct t_audit_data *tad) 1382 { 1383 klwp_t *clwp = ttolwp(curthread); 1384 uint32_t cmd, fd, flags; 1385 struct file *fp; 1386 struct vnode *vp; 1387 struct f_audit_data *fad; 1388 1389 struct a { 1390 long fd; 1391 long cmd; 1392 long arg; 1393 } *uap = (struct a *)clwp->lwp_ap; 1394 1395 cmd = (uint32_t)uap->cmd; 1396 fd = (uint32_t)uap->fd; 1397 flags = (uint32_t)uap->arg; 1398 1399 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1400 1401 if (cmd == F_SETFL) 1402 au_uwrite(au_to_arg32(3, "flags", flags)); 1403 1404 /* 1405 * convert file pointer to file descriptor 1406 * Note: fd ref count incremented here. 1407 */ 1408 if ((fp = getf(fd)) == NULL) 1409 return; 1410 1411 /* get path from file struct here */ 1412 fad = F2A(fp); 1413 if (fad->fad_aupath != NULL) { 1414 au_uwrite(au_to_path(fad->fad_aupath)); 1415 } else { 1416 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1417 } 1418 1419 vp = fp->f_vnode; 1420 audit_attributes(vp); 1421 1422 /* decrement file descriptor reference count */ 1423 releasef(fd); 1424 } 1425 1426 /*ARGSUSED*/ 1427 static void 1428 aus_kill(struct t_audit_data *tad) 1429 { 1430 klwp_t *clwp = ttolwp(curthread); 1431 struct proc *p; 1432 uint32_t signo; 1433 uid_t uid, ruid; 1434 gid_t gid, rgid; 1435 pid_t pid; 1436 const auditinfo_addr_t *ainfo; 1437 cred_t *cr; 1438 1439 struct a { 1440 long pid; 1441 long signo; 1442 } *uap = (struct a *)clwp->lwp_ap; 1443 1444 pid = (pid_t)uap->pid; 1445 signo = (uint32_t)uap->signo; 1446 1447 au_uwrite(au_to_arg32(2, "signal", signo)); 1448 if (pid > 0) { 1449 mutex_enter(&pidlock); 1450 if (((p = prfind(pid)) == (struct proc *)0) || 1451 (p->p_stat == SIDL)) { 1452 mutex_exit(&pidlock); 1453 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1454 return; 1455 } 1456 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1457 mutex_exit(&pidlock); 1458 1459 mutex_enter(&p->p_crlock); 1460 crhold(cr = p->p_cred); 1461 mutex_exit(&p->p_crlock); 1462 mutex_exit(&p->p_lock); 1463 1464 ainfo = crgetauinfo(cr); 1465 if (ainfo == NULL) { 1466 crfree(cr); 1467 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1468 return; 1469 } 1470 1471 uid = crgetuid(cr); 1472 gid = crgetgid(cr); 1473 ruid = crgetruid(cr); 1474 rgid = crgetrgid(cr); 1475 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1476 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1477 1478 if (is_system_labeled()) 1479 au_uwrite(au_to_label(CR_SL(cr))); 1480 1481 crfree(cr); 1482 } 1483 else 1484 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1485 } 1486 1487 /*ARGSUSED*/ 1488 static void 1489 aus_mkdir(struct t_audit_data *tad) 1490 { 1491 klwp_t *clwp = ttolwp(curthread); 1492 uint32_t dmode; 1493 1494 struct a { 1495 long dirnamep; /* char * */ 1496 long dmode; 1497 } *uap = (struct a *)clwp->lwp_ap; 1498 1499 dmode = (uint32_t)uap->dmode; 1500 1501 au_uwrite(au_to_arg32(2, "mode", dmode)); 1502 } 1503 1504 /*ARGSUSED*/ 1505 static void 1506 aus_mknod(struct t_audit_data *tad) 1507 { 1508 klwp_t *clwp = ttolwp(curthread); 1509 uint32_t fmode; 1510 dev_t dev; 1511 1512 struct a { 1513 long pnamep; /* char * */ 1514 long fmode; 1515 long dev; 1516 } *uap = (struct a *)clwp->lwp_ap; 1517 1518 fmode = (uint32_t)uap->fmode; 1519 dev = (dev_t)uap->dev; 1520 1521 au_uwrite(au_to_arg32(2, "mode", fmode)); 1522 #ifdef _LP64 1523 au_uwrite(au_to_arg64(3, "dev", dev)); 1524 #else 1525 au_uwrite(au_to_arg32(3, "dev", dev)); 1526 #endif 1527 } 1528 1529 /*ARGSUSED*/ 1530 static void 1531 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1532 { 1533 klwp_t *clwp = ttolwp(curthread); 1534 vnode_t *dvp; 1535 caddr_t pnamep; 1536 1537 struct a { 1538 long pnamep; /* char * */ 1539 long fmode; 1540 long dev; 1541 } *uap = (struct a *)clwp->lwp_ap; 1542 1543 /* no error, then already path token in audit record */ 1544 if (error != EPERM) 1545 return; 1546 1547 /* not auditing this event, nothing then to do */ 1548 if (tad->tad_flag == 0) 1549 return; 1550 1551 /* do the lookup to force generation of path token */ 1552 pnamep = (caddr_t)uap->pnamep; 1553 tad->tad_ctrl |= TAD_NOATTRB; 1554 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1555 if (error == 0) 1556 VN_RELE(dvp); 1557 } 1558 1559 /*ARGSUSED*/ 1560 static void 1561 aus_mount(struct t_audit_data *tad) 1562 { /* AUS_START */ 1563 klwp_t *clwp = ttolwp(curthread); 1564 uint32_t flags; 1565 uintptr_t u_fstype, dataptr; 1566 STRUCT_DECL(nfs_args, nfsargs); 1567 size_t len; 1568 char *fstype, *hostname; 1569 1570 struct a { 1571 long spec; /* char * */ 1572 long dir; /* char * */ 1573 long flags; 1574 long fstype; /* char * */ 1575 long dataptr; /* char * */ 1576 long datalen; 1577 } *uap = (struct a *)clwp->lwp_ap; 1578 1579 u_fstype = (uintptr_t)uap->fstype; 1580 flags = (uint32_t)uap->flags; 1581 dataptr = (uintptr_t)uap->dataptr; 1582 1583 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1584 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1585 goto mount_free_fstype; 1586 1587 au_uwrite(au_to_arg32(3, "flags", flags)); 1588 au_uwrite(au_to_text(fstype)); 1589 1590 if (strncmp(fstype, "nfs", 3) == 0) { 1591 1592 STRUCT_INIT(nfsargs, get_udatamodel()); 1593 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1594 1595 if (copyin((caddr_t)dataptr, 1596 STRUCT_BUF(nfsargs), 1597 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1598 /* DEBUG debug_enter((char *)NULL); */ 1599 goto mount_free_fstype; 1600 } 1601 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1602 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1603 (caddr_t)hostname, 1604 MAXNAMELEN, &len)) { 1605 goto mount_free_hostname; 1606 } 1607 au_uwrite(au_to_text(hostname)); 1608 au_uwrite(au_to_arg32(3, "internal flags", 1609 (uint_t)STRUCT_FGET(nfsargs, flags))); 1610 1611 mount_free_hostname: 1612 kmem_free(hostname, MAXNAMELEN); 1613 } 1614 1615 mount_free_fstype: 1616 kmem_free(fstype, MAXNAMELEN); 1617 } /* AUS_MOUNT */ 1618 1619 static void 1620 aus_umount_path(caddr_t umount_dir) 1621 { 1622 char *dir_path; 1623 struct audit_path *path; 1624 size_t path_len, dir_len; 1625 1626 /* length alloc'd for two string pointers */ 1627 path_len = sizeof (struct audit_path) + sizeof (char *); 1628 path = kmem_alloc(path_len, KM_SLEEP); 1629 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1630 1631 if (copyinstr(umount_dir, (caddr_t)dir_path, 1632 MAXPATHLEN, &dir_len)) 1633 goto umount2_free_dir; 1634 1635 /* 1636 * the audit_path struct assumes that the buffer pointed to 1637 * by audp_sect[n] contains string 0 immediatedly followed 1638 * by string 1. 1639 */ 1640 path->audp_sect[0] = dir_path; 1641 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1642 path->audp_size = path_len; 1643 path->audp_ref = 1; /* not used */ 1644 path->audp_cnt = 1; /* one path string */ 1645 1646 au_uwrite(au_to_path(path)); 1647 1648 umount2_free_dir: 1649 kmem_free(dir_path, MAXPATHLEN); 1650 kmem_free(path, path_len); 1651 } 1652 1653 /*ARGSUSED*/ 1654 static void 1655 aus_umount2(struct t_audit_data *tad) 1656 { 1657 klwp_t *clwp = ttolwp(curthread); 1658 struct a { 1659 long dir; /* char * */ 1660 long flags; 1661 } *uap = (struct a *)clwp->lwp_ap; 1662 1663 aus_umount_path((caddr_t)uap->dir); 1664 1665 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1666 } 1667 1668 static void 1669 aus_msgsys(struct t_audit_data *tad) 1670 { 1671 klwp_t *clwp = ttolwp(curthread); 1672 uint32_t msgid; 1673 1674 struct b { 1675 long msgid; 1676 long cmd; 1677 long buf; /* struct msqid_ds * */ 1678 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1679 1680 msgid = (uint32_t)uap1->msgid; 1681 1682 1683 switch (tad->tad_event) { 1684 case AUE_MSGGET: /* msgget */ 1685 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1686 break; 1687 case AUE_MSGCTL: /* msgctl */ 1688 case AUE_MSGCTL_RMID: /* msgctl */ 1689 case AUE_MSGCTL_SET: /* msgctl */ 1690 case AUE_MSGCTL_STAT: /* msgctl */ 1691 case AUE_MSGRCV: /* msgrcv */ 1692 case AUE_MSGSND: /* msgsnd */ 1693 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1694 break; 1695 } 1696 } 1697 1698 /*ARGSUSED*/ 1699 static void 1700 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1701 { 1702 int id; 1703 1704 if (error != 0) 1705 return; 1706 if (tad->tad_event == AUE_MSGGET) { 1707 uint32_t scid; 1708 uint32_t sy_flags; 1709 1710 /* need to determine type of executing binary */ 1711 scid = tad->tad_scid; 1712 #ifdef _SYSCALL32_IMPL 1713 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1714 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1715 else 1716 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1717 #else 1718 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1719 #endif 1720 if (sy_flags == SE_32RVAL1) 1721 id = rval->r_val1; 1722 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1723 id = rval->r_val1; 1724 if (sy_flags == SE_64RVAL) 1725 id = (int)rval->r_vals; 1726 1727 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1728 } 1729 } 1730 1731 static void 1732 aus_semsys(struct t_audit_data *tad) 1733 { 1734 klwp_t *clwp = ttolwp(curthread); 1735 uint32_t semid; 1736 1737 struct b { /* ctrl */ 1738 long semid; 1739 long semnum; 1740 long cmd; 1741 long arg; 1742 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1743 1744 semid = (uint32_t)uap1->semid; 1745 1746 switch (tad->tad_event) { 1747 case AUE_SEMCTL_RMID: 1748 case AUE_SEMCTL_STAT: 1749 case AUE_SEMCTL_GETNCNT: 1750 case AUE_SEMCTL_GETPID: 1751 case AUE_SEMCTL_GETVAL: 1752 case AUE_SEMCTL_GETALL: 1753 case AUE_SEMCTL_GETZCNT: 1754 case AUE_SEMCTL_SET: 1755 case AUE_SEMCTL_SETVAL: 1756 case AUE_SEMCTL_SETALL: 1757 case AUE_SEMCTL: 1758 case AUE_SEMOP: 1759 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1760 break; 1761 case AUE_SEMGET: 1762 au_uwrite(au_to_arg32(1, "sem key", semid)); 1763 break; 1764 } 1765 } 1766 1767 /*ARGSUSED*/ 1768 static void 1769 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1770 { 1771 int id; 1772 1773 if (error != 0) 1774 return; 1775 if (tad->tad_event == AUE_SEMGET) { 1776 uint32_t scid; 1777 uint32_t sy_flags; 1778 1779 /* need to determine type of executing binary */ 1780 scid = tad->tad_scid; 1781 #ifdef _SYSCALL32_IMPL 1782 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1783 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1784 else 1785 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1786 #else 1787 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1788 #endif 1789 if (sy_flags == SE_32RVAL1) 1790 id = rval->r_val1; 1791 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1792 id = rval->r_val1; 1793 if (sy_flags == SE_64RVAL) 1794 id = (int)rval->r_vals; 1795 1796 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1797 } 1798 } 1799 1800 /*ARGSUSED*/ 1801 static void 1802 aus_close(struct t_audit_data *tad) 1803 { 1804 klwp_t *clwp = ttolwp(curthread); 1805 uint32_t fd; 1806 struct file *fp; 1807 struct f_audit_data *fad; 1808 struct vnode *vp; 1809 struct vattr attr; 1810 au_kcontext_t *kctx = GET_KCTX_PZ; 1811 1812 struct a { 1813 long i; 1814 } *uap = (struct a *)clwp->lwp_ap; 1815 1816 fd = (uint32_t)uap->i; 1817 1818 attr.va_mask = 0; 1819 au_uwrite(au_to_arg32(1, "fd", fd)); 1820 1821 /* 1822 * convert file pointer to file descriptor 1823 * Note: fd ref count incremented here. 1824 */ 1825 if ((fp = getf(fd)) == NULL) 1826 return; 1827 1828 fad = F2A(fp); 1829 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1830 if (fad->fad_aupath != NULL) { 1831 au_uwrite(au_to_path(fad->fad_aupath)); 1832 if ((vp = fp->f_vnode) != NULL) { 1833 attr.va_mask = AT_ALL; 1834 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1835 /* 1836 * When write was not used and the file can be 1837 * considered public, skip the audit. 1838 */ 1839 if (((fp->f_flag & FWRITE) == 0) && 1840 object_is_public(&attr)) { 1841 tad->tad_flag = 0; 1842 tad->tad_evmod = 0; 1843 /* free any residual audit data */ 1844 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 1845 releasef(fd); 1846 return; 1847 } 1848 au_uwrite(au_to_attr(&attr)); 1849 audit_sec_attributes(&(u_ad), vp); 1850 } 1851 } 1852 } 1853 1854 /* decrement file descriptor reference count */ 1855 releasef(fd); 1856 } 1857 1858 /*ARGSUSED*/ 1859 static void 1860 aus_fstatfs(struct t_audit_data *tad) 1861 { 1862 klwp_t *clwp = ttolwp(curthread); 1863 uint32_t fd; 1864 struct file *fp; 1865 struct vnode *vp; 1866 struct f_audit_data *fad; 1867 1868 struct a { 1869 long fd; 1870 long buf; /* struct statfs * */ 1871 } *uap = (struct a *)clwp->lwp_ap; 1872 1873 fd = (uint_t)uap->fd; 1874 1875 /* 1876 * convert file pointer to file descriptor 1877 * Note: fd ref count incremented here. 1878 */ 1879 if ((fp = getf(fd)) == NULL) 1880 return; 1881 1882 /* get path from file struct here */ 1883 fad = F2A(fp); 1884 if (fad->fad_aupath != NULL) { 1885 au_uwrite(au_to_path(fad->fad_aupath)); 1886 } else { 1887 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1888 } 1889 1890 vp = fp->f_vnode; 1891 audit_attributes(vp); 1892 1893 /* decrement file descriptor reference count */ 1894 releasef(fd); 1895 } 1896 1897 static au_event_t 1898 aui_setpgrp(au_event_t e) 1899 { 1900 klwp_t *clwp = ttolwp(curthread); 1901 int flag; 1902 1903 struct a { 1904 long flag; 1905 long pid; 1906 long pgid; 1907 } *uap = (struct a *)clwp->lwp_ap; 1908 1909 flag = (int)uap->flag; 1910 1911 1912 switch (flag) { 1913 1914 case 1: /* setpgrp() */ 1915 e = AUE_SETPGRP; 1916 break; 1917 1918 case 3: /* setsid() */ 1919 e = AUE_SETSID; 1920 break; 1921 1922 case 5: /* setpgid() */ 1923 e = AUE_SETPGID; 1924 break; 1925 1926 case 0: /* getpgrp() - not security relevant */ 1927 case 2: /* getsid() - not security relevant */ 1928 case 4: /* getpgid() - not security relevant */ 1929 e = AUE_NULL; 1930 break; 1931 1932 default: 1933 e = AUE_NULL; 1934 break; 1935 } 1936 1937 return (e); 1938 } 1939 1940 /*ARGSUSED*/ 1941 static void 1942 aus_setpgrp(struct t_audit_data *tad) 1943 { 1944 klwp_t *clwp = ttolwp(curthread); 1945 pid_t pgid; 1946 struct proc *p; 1947 uid_t uid, ruid; 1948 gid_t gid, rgid; 1949 pid_t pid; 1950 cred_t *cr; 1951 int flag; 1952 const auditinfo_addr_t *ainfo; 1953 1954 struct a { 1955 long flag; 1956 long pid; 1957 long pgid; 1958 } *uap = (struct a *)clwp->lwp_ap; 1959 1960 flag = (int)uap->flag; 1961 pid = (pid_t)uap->pid; 1962 pgid = (pid_t)uap->pgid; 1963 1964 1965 switch (flag) { 1966 1967 case 0: /* getpgrp() */ 1968 case 1: /* setpgrp() */ 1969 case 2: /* getsid() */ 1970 case 3: /* setsid() */ 1971 case 4: /* getpgid() */ 1972 break; 1973 1974 case 5: /* setpgid() */ 1975 1976 /* current process? */ 1977 if (pid == 0) { 1978 return; 1979 } 1980 1981 mutex_enter(&pidlock); 1982 p = prfind(pid); 1983 if (p == NULL || p->p_as == &kas || 1984 p->p_stat == SIDL || p->p_stat == SZOMB) { 1985 mutex_exit(&pidlock); 1986 return; 1987 } 1988 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1989 mutex_exit(&pidlock); 1990 1991 mutex_enter(&p->p_crlock); 1992 crhold(cr = p->p_cred); 1993 mutex_exit(&p->p_crlock); 1994 mutex_exit(&p->p_lock); 1995 1996 ainfo = crgetauinfo(cr); 1997 if (ainfo == NULL) { 1998 crfree(cr); 1999 return; 2000 } 2001 2002 uid = crgetuid(cr); 2003 gid = crgetgid(cr); 2004 ruid = crgetruid(cr); 2005 rgid = crgetrgid(cr); 2006 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2007 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2008 crfree(cr); 2009 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2010 break; 2011 2012 default: 2013 break; 2014 } 2015 } 2016 2017 2018 /*ARGSUSED*/ 2019 static void 2020 aus_setregid(struct t_audit_data *tad) 2021 { 2022 klwp_t *clwp = ttolwp(curthread); 2023 uint32_t rgid, egid; 2024 2025 struct a { 2026 long rgid; 2027 long egid; 2028 } *uap = (struct a *)clwp->lwp_ap; 2029 2030 rgid = (uint32_t)uap->rgid; 2031 egid = (uint32_t)uap->egid; 2032 2033 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2034 au_uwrite(au_to_arg32(2, "egid", egid)); 2035 } 2036 2037 /*ARGSUSED*/ 2038 static void 2039 aus_setgid(struct t_audit_data *tad) 2040 { 2041 klwp_t *clwp = ttolwp(curthread); 2042 uint32_t gid; 2043 2044 struct a { 2045 long gid; 2046 } *uap = (struct a *)clwp->lwp_ap; 2047 2048 gid = (uint32_t)uap->gid; 2049 2050 au_uwrite(au_to_arg32(1, "gid", gid)); 2051 } 2052 2053 2054 /*ARGSUSED*/ 2055 static void 2056 aus_setreuid(struct t_audit_data *tad) 2057 { 2058 klwp_t *clwp = ttolwp(curthread); 2059 uint32_t ruid, euid; 2060 2061 struct a { 2062 long ruid; 2063 long euid; 2064 } *uap = (struct a *)clwp->lwp_ap; 2065 2066 ruid = (uint32_t)uap->ruid; 2067 euid = (uint32_t)uap->euid; 2068 2069 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2070 au_uwrite(au_to_arg32(2, "euid", euid)); 2071 } 2072 2073 2074 /*ARGSUSED*/ 2075 static void 2076 aus_setuid(struct t_audit_data *tad) 2077 { 2078 klwp_t *clwp = ttolwp(curthread); 2079 uint32_t uid; 2080 2081 struct a { 2082 long uid; 2083 } *uap = (struct a *)clwp->lwp_ap; 2084 2085 uid = (uint32_t)uap->uid; 2086 2087 au_uwrite(au_to_arg32(1, "uid", uid)); 2088 } 2089 2090 /*ARGSUSED*/ 2091 static void 2092 aus_shmsys(struct t_audit_data *tad) 2093 { 2094 klwp_t *clwp = ttolwp(curthread); 2095 uint32_t id, cmd; 2096 2097 struct b { 2098 long id; 2099 long cmd; 2100 long buf; /* struct shmid_ds * */ 2101 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2102 2103 id = (uint32_t)uap1->id; 2104 cmd = (uint32_t)uap1->cmd; 2105 2106 switch (tad->tad_event) { 2107 case AUE_SHMGET: /* shmget */ 2108 au_uwrite(au_to_arg32(1, "shm key", id)); 2109 break; 2110 case AUE_SHMCTL: /* shmctl */ 2111 case AUE_SHMCTL_RMID: /* shmctl */ 2112 case AUE_SHMCTL_STAT: /* shmctl */ 2113 case AUE_SHMCTL_SET: /* shmctl */ 2114 au_uwrite(au_to_arg32(1, "shm ID", id)); 2115 break; 2116 case AUE_SHMDT: /* shmdt */ 2117 au_uwrite(au_to_arg32(1, "shm adr", id)); 2118 break; 2119 case AUE_SHMAT: /* shmat */ 2120 au_uwrite(au_to_arg32(1, "shm ID", id)); 2121 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2122 break; 2123 } 2124 } 2125 2126 /*ARGSUSED*/ 2127 static void 2128 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2129 { 2130 int id; 2131 2132 if (error != 0) 2133 return; 2134 if (tad->tad_event == AUE_SHMGET) { 2135 uint32_t scid; 2136 uint32_t sy_flags; 2137 2138 /* need to determine type of executing binary */ 2139 scid = tad->tad_scid; 2140 #ifdef _SYSCALL32_IMPL 2141 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2142 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2143 else 2144 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2145 #else 2146 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2147 #endif 2148 if (sy_flags == SE_32RVAL1) 2149 id = rval->r_val1; 2150 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2151 id = rval->r_val1; 2152 if (sy_flags == SE_64RVAL) 2153 id = (int)rval->r_vals; 2154 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2155 } 2156 } 2157 2158 2159 /*ARGSUSED*/ 2160 static void 2161 aus_ioctl(struct t_audit_data *tad) 2162 { 2163 klwp_t *clwp = ttolwp(curthread); 2164 struct file *fp; 2165 struct vnode *vp; 2166 struct f_audit_data *fad; 2167 uint32_t fd, cmd; 2168 uintptr_t cmarg; 2169 2170 /* XX64 */ 2171 struct a { 2172 long fd; 2173 long cmd; 2174 long cmarg; /* caddr_t */ 2175 } *uap = (struct a *)clwp->lwp_ap; 2176 2177 fd = (uint32_t)uap->fd; 2178 cmd = (uint32_t)uap->cmd; 2179 cmarg = (uintptr_t)uap->cmarg; 2180 2181 /* 2182 * convert file pointer to file descriptor 2183 * Note: fd ref count incremented here. 2184 */ 2185 if ((fp = getf(fd)) == NULL) { 2186 au_uwrite(au_to_arg32(1, "fd", fd)); 2187 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2188 #ifndef _LP64 2189 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2190 #else 2191 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2192 #endif 2193 return; 2194 } 2195 2196 /* get path from file struct here */ 2197 fad = F2A(fp); 2198 if (fad->fad_aupath != NULL) { 2199 au_uwrite(au_to_path(fad->fad_aupath)); 2200 } else { 2201 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2202 } 2203 2204 vp = fp->f_vnode; 2205 audit_attributes(vp); 2206 2207 /* decrement file descriptor reference count */ 2208 releasef(fd); 2209 2210 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2211 #ifndef _LP64 2212 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2213 #else 2214 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2215 #endif 2216 } 2217 2218 /* 2219 * null function for memcntl for now. We might want to limit memcntl() 2220 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2221 * require privileges. 2222 */ 2223 static au_event_t 2224 aui_memcntl(au_event_t e) 2225 { 2226 return (e); 2227 } 2228 2229 /*ARGSUSED*/ 2230 static au_event_t 2231 aui_privsys(au_event_t e) 2232 { 2233 klwp_t *clwp = ttolwp(curthread); 2234 2235 struct a { 2236 long opcode; 2237 } *uap = (struct a *)clwp->lwp_ap; 2238 2239 switch (uap->opcode) { 2240 case PRIVSYS_SETPPRIV: 2241 return (AUE_SETPPRIV); 2242 default: 2243 return (AUE_NULL); 2244 } 2245 } 2246 2247 /*ARGSUSED*/ 2248 static void 2249 aus_memcntl(struct t_audit_data *tad) 2250 { 2251 klwp_t *clwp = ttolwp(curthread); 2252 2253 struct a { 2254 long addr; 2255 long len; 2256 long cmd; 2257 long arg; 2258 long attr; 2259 long mask; 2260 } *uap = (struct a *)clwp->lwp_ap; 2261 2262 #ifdef _LP64 2263 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2264 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2265 #else 2266 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2267 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2268 #endif 2269 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2270 #ifdef _LP64 2271 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2272 #else 2273 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2274 #endif 2275 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2276 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2277 } 2278 2279 /*ARGSUSED*/ 2280 static void 2281 aus_mmap(struct t_audit_data *tad) 2282 { 2283 klwp_t *clwp = ttolwp(curthread); 2284 struct file *fp; 2285 struct f_audit_data *fad; 2286 struct vnode *vp; 2287 uint32_t fd; 2288 2289 struct a { 2290 long addr; 2291 long len; 2292 long prot; 2293 long flags; 2294 long fd; 2295 long pos; 2296 } *uap = (struct a *)clwp->lwp_ap; 2297 2298 fd = (uint32_t)uap->fd; 2299 2300 #ifdef _LP64 2301 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2302 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2303 #else 2304 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2305 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2306 #endif 2307 2308 if ((fp = getf(fd)) == NULL) { 2309 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2310 return; 2311 } 2312 2313 /* 2314 * Mark in the tad if write access is NOT requested... if 2315 * this is later detected (in audit_attributes) to be a 2316 * public object, the mmap event may be discarded. 2317 */ 2318 if (((uap->prot) & PROT_WRITE) == 0) { 2319 tad->tad_ctrl |= TAD_PUBLIC_EV; 2320 } 2321 2322 fad = F2A(fp); 2323 if (fad->fad_aupath != NULL) { 2324 au_uwrite(au_to_path(fad->fad_aupath)); 2325 } else { 2326 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2327 } 2328 2329 vp = (struct vnode *)fp->f_vnode; 2330 audit_attributes(vp); 2331 2332 /* mark READ/WRITE since we can't predict access */ 2333 if (uap->prot & PROT_READ) 2334 fad->fad_flags |= FAD_READ; 2335 if (uap->prot & PROT_WRITE) 2336 fad->fad_flags |= FAD_WRITE; 2337 2338 /* decrement file descriptor reference count */ 2339 releasef(fd); 2340 2341 } /* AUS_MMAP */ 2342 2343 2344 2345 2346 /*ARGSUSED*/ 2347 static void 2348 aus_munmap(struct t_audit_data *tad) 2349 { 2350 klwp_t *clwp = ttolwp(curthread); 2351 2352 struct a { 2353 long addr; 2354 long len; 2355 } *uap = (struct a *)clwp->lwp_ap; 2356 2357 #ifdef _LP64 2358 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2359 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2360 #else 2361 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2362 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2363 #endif 2364 2365 } /* AUS_MUNMAP */ 2366 2367 2368 2369 2370 2371 2372 2373 /*ARGSUSED*/ 2374 static void 2375 aus_priocntlsys(struct t_audit_data *tad) 2376 { 2377 klwp_t *clwp = ttolwp(curthread); 2378 2379 struct a { 2380 long pc_version; 2381 long psp; /* procset_t */ 2382 long cmd; 2383 long arg; 2384 } *uap = (struct a *)clwp->lwp_ap; 2385 2386 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2387 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2388 2389 } /* AUS_PRIOCNTLSYS */ 2390 2391 2392 /*ARGSUSED*/ 2393 static void 2394 aus_setegid(struct t_audit_data *tad) 2395 { 2396 klwp_t *clwp = ttolwp(curthread); 2397 uint32_t gid; 2398 2399 struct a { 2400 long gid; 2401 } *uap = (struct a *)clwp->lwp_ap; 2402 2403 gid = (uint32_t)uap->gid; 2404 2405 au_uwrite(au_to_arg32(1, "gid", gid)); 2406 } /* AUS_SETEGID */ 2407 2408 2409 2410 2411 /*ARGSUSED*/ 2412 static void 2413 aus_setgroups(struct t_audit_data *tad) 2414 { 2415 klwp_t *clwp = ttolwp(curthread); 2416 int i; 2417 int gidsetsize; 2418 uintptr_t gidset; 2419 gid_t *gidlist; 2420 2421 struct a { 2422 long gidsetsize; 2423 long gidset; 2424 } *uap = (struct a *)clwp->lwp_ap; 2425 2426 gidsetsize = (uint_t)uap->gidsetsize; 2427 gidset = (uintptr_t)uap->gidset; 2428 2429 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2430 return; 2431 if (gidsetsize != 0) { 2432 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2433 KM_SLEEP); 2434 if (copyin((caddr_t)gidset, gidlist, 2435 gidsetsize * sizeof (gid_t)) == 0) 2436 for (i = 0; i < gidsetsize; i++) 2437 au_uwrite(au_to_arg32(1, "setgroups", 2438 (uint32_t)gidlist[i])); 2439 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2440 } else 2441 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2442 2443 } /* AUS_SETGROUPS */ 2444 2445 2446 2447 2448 2449 /*ARGSUSED*/ 2450 static void 2451 aus_seteuid(struct t_audit_data *tad) 2452 { 2453 klwp_t *clwp = ttolwp(curthread); 2454 uint32_t uid; 2455 2456 struct a { 2457 long uid; 2458 } *uap = (struct a *)clwp->lwp_ap; 2459 2460 uid = (uint32_t)uap->uid; 2461 2462 au_uwrite(au_to_arg32(1, "euid", uid)); 2463 2464 } /* AUS_SETEUID */ 2465 2466 /*ARGSUSED*/ 2467 static void 2468 aus_putmsg(struct t_audit_data *tad) 2469 { 2470 klwp_t *clwp = ttolwp(curthread); 2471 uint32_t fd, pri; 2472 struct file *fp; 2473 struct f_audit_data *fad; 2474 2475 struct a { 2476 long fdes; 2477 long ctl; /* struct strbuf * */ 2478 long data; /* struct strbuf * */ 2479 long pri; 2480 } *uap = (struct a *)clwp->lwp_ap; 2481 2482 fd = (uint32_t)uap->fdes; 2483 pri = (uint32_t)uap->pri; 2484 2485 au_uwrite(au_to_arg32(1, "fd", fd)); 2486 2487 if ((fp = getf(fd)) != NULL) { 2488 fad = F2A(fp); 2489 2490 fad->fad_flags |= FAD_WRITE; 2491 2492 /* add path name to audit record */ 2493 if (fad->fad_aupath != NULL) { 2494 au_uwrite(au_to_path(fad->fad_aupath)); 2495 } 2496 audit_attributes(fp->f_vnode); 2497 2498 releasef(fd); 2499 } 2500 2501 au_uwrite(au_to_arg32(4, "pri", pri)); 2502 } 2503 2504 /*ARGSUSED*/ 2505 static void 2506 aus_putpmsg(struct t_audit_data *tad) 2507 { 2508 klwp_t *clwp = ttolwp(curthread); 2509 uint32_t fd, pri, flags; 2510 struct file *fp; 2511 struct f_audit_data *fad; 2512 2513 struct a { 2514 long fdes; 2515 long ctl; /* struct strbuf * */ 2516 long data; /* struct strbuf * */ 2517 long pri; 2518 long flags; 2519 } *uap = (struct a *)clwp->lwp_ap; 2520 2521 fd = (uint32_t)uap->fdes; 2522 pri = (uint32_t)uap->pri; 2523 flags = (uint32_t)uap->flags; 2524 2525 au_uwrite(au_to_arg32(1, "fd", fd)); 2526 2527 if ((fp = getf(fd)) != NULL) { 2528 fad = F2A(fp); 2529 2530 fad->fad_flags |= FAD_WRITE; 2531 2532 /* add path name to audit record */ 2533 if (fad->fad_aupath != NULL) { 2534 au_uwrite(au_to_path(fad->fad_aupath)); 2535 } 2536 audit_attributes(fp->f_vnode); 2537 2538 releasef(fd); 2539 } 2540 2541 2542 au_uwrite(au_to_arg32(4, "pri", pri)); 2543 au_uwrite(au_to_arg32(5, "flags", flags)); 2544 } 2545 2546 /*ARGSUSED*/ 2547 static void 2548 aus_getmsg(struct t_audit_data *tad) 2549 { 2550 klwp_t *clwp = ttolwp(curthread); 2551 uint32_t fd, pri; 2552 struct file *fp; 2553 struct f_audit_data *fad; 2554 2555 struct a { 2556 long fdes; 2557 long ctl; /* struct strbuf * */ 2558 long data; /* struct strbuf * */ 2559 long pri; 2560 } *uap = (struct a *)clwp->lwp_ap; 2561 2562 fd = (uint32_t)uap->fdes; 2563 pri = (uint32_t)uap->pri; 2564 2565 au_uwrite(au_to_arg32(1, "fd", fd)); 2566 2567 if ((fp = getf(fd)) != NULL) { 2568 fad = F2A(fp); 2569 2570 /* 2571 * read operation on this object 2572 */ 2573 fad->fad_flags |= FAD_READ; 2574 2575 /* add path name to audit record */ 2576 if (fad->fad_aupath != NULL) { 2577 au_uwrite(au_to_path(fad->fad_aupath)); 2578 } 2579 audit_attributes(fp->f_vnode); 2580 2581 releasef(fd); 2582 } 2583 2584 au_uwrite(au_to_arg32(4, "pri", pri)); 2585 } 2586 2587 /*ARGSUSED*/ 2588 static void 2589 aus_getpmsg(struct t_audit_data *tad) 2590 { 2591 klwp_t *clwp = ttolwp(curthread); 2592 uint32_t fd; 2593 struct file *fp; 2594 struct f_audit_data *fad; 2595 2596 struct a { 2597 long fdes; 2598 long ctl; /* struct strbuf * */ 2599 long data; /* struct strbuf * */ 2600 long pri; 2601 long flags; 2602 } *uap = (struct a *)clwp->lwp_ap; 2603 2604 fd = (uint32_t)uap->fdes; 2605 2606 au_uwrite(au_to_arg32(1, "fd", fd)); 2607 2608 if ((fp = getf(fd)) != NULL) { 2609 fad = F2A(fp); 2610 2611 /* 2612 * read operation on this object 2613 */ 2614 fad->fad_flags |= FAD_READ; 2615 2616 /* add path name to audit record */ 2617 if (fad->fad_aupath != NULL) { 2618 au_uwrite(au_to_path(fad->fad_aupath)); 2619 } 2620 audit_attributes(fp->f_vnode); 2621 2622 releasef(fd); 2623 } 2624 } 2625 2626 static au_event_t 2627 aui_labelsys(au_event_t e) 2628 { 2629 klwp_t *clwp = ttolwp(curthread); 2630 uint32_t code; 2631 uint32_t cmd; 2632 2633 struct a { 2634 long code; 2635 long cmd; 2636 } *uap = (struct a *)clwp->lwp_ap; 2637 2638 code = (uint32_t)uap->code; 2639 cmd = (uint32_t)uap->cmd; 2640 2641 /* not security relevant if not changing kernel cache */ 2642 if (cmd == TNDB_GET) 2643 return (AUE_NULL); 2644 2645 switch (code) { 2646 case TSOL_TNRH: 2647 e = AUE_LABELSYS_TNRH; 2648 break; 2649 case TSOL_TNRHTP: 2650 e = AUE_LABELSYS_TNRHTP; 2651 break; 2652 case TSOL_TNMLP: 2653 e = AUE_LABELSYS_TNMLP; 2654 break; 2655 default: 2656 e = AUE_NULL; 2657 break; 2658 } 2659 2660 return (e); 2661 2662 } 2663 2664 static void 2665 aus_labelsys(struct t_audit_data *tad) 2666 { 2667 klwp_t *clwp = ttolwp(curthread); 2668 uint32_t cmd; 2669 uintptr_t a2; 2670 2671 struct a { 2672 long code; 2673 long cmd; 2674 long a2; 2675 } *uap = (struct a *)clwp->lwp_ap; 2676 2677 cmd = (uint32_t)uap->cmd; 2678 a2 = (uintptr_t)uap->a2; 2679 2680 switch (tad->tad_event) { 2681 case AUE_LABELSYS_TNRH: 2682 { 2683 tsol_rhent_t *rhent; 2684 tnaddr_t *rh_addr; 2685 2686 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2687 2688 /* Remaining args don't apply for FLUSH, so skip */ 2689 if (cmd == TNDB_FLUSH) 2690 break; 2691 2692 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2693 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2694 kmem_free(rhent, sizeof (tsol_rhent_t)); 2695 return; 2696 } 2697 2698 rh_addr = &rhent->rh_address; 2699 if (rh_addr->ta_family == AF_INET) { 2700 struct in_addr *ipaddr; 2701 2702 ipaddr = &(rh_addr->ta_addr_v4); 2703 au_uwrite(au_to_in_addr(ipaddr)); 2704 } else if (rh_addr->ta_family == AF_INET6) { 2705 int32_t *ipaddr; 2706 2707 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2708 au_uwrite(au_to_in_addr_ex(ipaddr)); 2709 } 2710 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2711 2712 kmem_free(rhent, sizeof (tsol_rhent_t)); 2713 2714 break; 2715 } 2716 case AUE_LABELSYS_TNRHTP: 2717 { 2718 tsol_tpent_t *tpent; 2719 2720 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2721 2722 /* Remaining args don't apply for FLUSH, so skip */ 2723 if (cmd == TNDB_FLUSH) 2724 break; 2725 2726 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2727 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2728 kmem_free(tpent, sizeof (tsol_tpent_t)); 2729 return; 2730 } 2731 2732 /* Make sure that the template name is null-terminated. */ 2733 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2734 2735 au_uwrite(au_to_text(tpent->name)); 2736 kmem_free(tpent, sizeof (tsol_tpent_t)); 2737 2738 break; 2739 } 2740 case AUE_LABELSYS_TNMLP: 2741 { 2742 tsol_mlpent_t *mlpent; 2743 2744 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2745 2746 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2747 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2748 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2749 return; 2750 } 2751 2752 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2753 au_uwrite(au_to_text("shared")); 2754 } else { 2755 zone_t *zone; 2756 2757 zone = zone_find_by_id(mlpent->tsme_zoneid); 2758 if (zone != NULL) { 2759 au_uwrite(au_to_text(zone->zone_name)); 2760 zone_rele(zone); 2761 } 2762 } 2763 2764 /* Remaining args don't apply for FLUSH, so skip */ 2765 if (cmd == TNDB_FLUSH) { 2766 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2767 break; 2768 } 2769 2770 au_uwrite(au_to_arg32(2, "proto num", 2771 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2772 au_uwrite(au_to_arg32(2, "mlp_port", 2773 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2774 2775 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2776 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2777 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2778 2779 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2780 2781 break; 2782 } 2783 default: 2784 break; 2785 } 2786 } 2787 2788 2789 static au_event_t 2790 aui_auditsys(au_event_t e) 2791 { 2792 klwp_t *clwp = ttolwp(curthread); 2793 uint32_t code; 2794 2795 struct a { 2796 long code; 2797 long a1; 2798 long a2; 2799 long a3; 2800 long a4; 2801 long a5; 2802 long a6; 2803 long a7; 2804 } *uap = (struct a *)clwp->lwp_ap; 2805 2806 code = (uint32_t)uap->code; 2807 2808 switch (code) { 2809 2810 case BSM_GETAUID: 2811 e = AUE_GETAUID; 2812 break; 2813 case BSM_SETAUID: 2814 e = AUE_SETAUID; 2815 break; 2816 case BSM_GETAUDIT: 2817 e = AUE_GETAUDIT; 2818 break; 2819 case BSM_GETAUDIT_ADDR: 2820 e = AUE_GETAUDIT_ADDR; 2821 break; 2822 case BSM_SETAUDIT: 2823 e = AUE_SETAUDIT; 2824 break; 2825 case BSM_SETAUDIT_ADDR: 2826 e = AUE_SETAUDIT_ADDR; 2827 break; 2828 case BSM_AUDIT: 2829 e = AUE_AUDIT; 2830 break; 2831 case BSM_AUDITCTL: 2832 switch ((uint_t)uap->a1) { 2833 2834 case A_GETPOLICY: 2835 e = AUE_AUDITON_GPOLICY; 2836 break; 2837 case A_SETPOLICY: 2838 e = AUE_AUDITON_SPOLICY; 2839 break; 2840 case A_GETKMASK: 2841 e = AUE_AUDITON_GETKMASK; 2842 break; 2843 case A_SETKMASK: 2844 e = AUE_AUDITON_SETKMASK; 2845 break; 2846 case A_GETQCTRL: 2847 e = AUE_AUDITON_GQCTRL; 2848 break; 2849 case A_SETQCTRL: 2850 e = AUE_AUDITON_SQCTRL; 2851 break; 2852 case A_GETCWD: 2853 e = AUE_AUDITON_GETCWD; 2854 break; 2855 case A_GETCAR: 2856 e = AUE_AUDITON_GETCAR; 2857 break; 2858 case A_GETSTAT: 2859 e = AUE_AUDITON_GETSTAT; 2860 break; 2861 case A_SETSTAT: 2862 e = AUE_AUDITON_SETSTAT; 2863 break; 2864 case A_SETUMASK: 2865 e = AUE_AUDITON_SETUMASK; 2866 break; 2867 case A_SETSMASK: 2868 e = AUE_AUDITON_SETSMASK; 2869 break; 2870 case A_GETCOND: 2871 e = AUE_AUDITON_GETCOND; 2872 break; 2873 case A_SETCOND: 2874 e = AUE_AUDITON_SETCOND; 2875 break; 2876 case A_GETCLASS: 2877 e = AUE_AUDITON_GETCLASS; 2878 break; 2879 case A_SETCLASS: 2880 e = AUE_AUDITON_SETCLASS; 2881 break; 2882 default: 2883 e = AUE_NULL; 2884 break; 2885 } 2886 break; 2887 default: 2888 e = AUE_NULL; 2889 break; 2890 } 2891 2892 return (e); 2893 2894 } /* AUI_AUDITSYS */ 2895 2896 2897 static void 2898 aus_auditsys(struct t_audit_data *tad) 2899 { 2900 klwp_t *clwp = ttolwp(curthread); 2901 uintptr_t a1, a2; 2902 STRUCT_DECL(auditinfo, ainfo); 2903 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2904 au_evclass_map_t event; 2905 au_mask_t mask; 2906 int auditstate, policy; 2907 au_id_t auid; 2908 2909 2910 struct a { 2911 long code; 2912 long a1; 2913 long a2; 2914 long a3; 2915 long a4; 2916 long a5; 2917 long a6; 2918 long a7; 2919 } *uap = (struct a *)clwp->lwp_ap; 2920 2921 a1 = (uintptr_t)uap->a1; 2922 a2 = (uintptr_t)uap->a2; 2923 2924 switch (tad->tad_event) { 2925 case AUE_SETAUID: 2926 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2927 return; 2928 au_uwrite(au_to_arg32(2, "setauid", auid)); 2929 break; 2930 case AUE_SETAUDIT: 2931 STRUCT_INIT(ainfo, get_udatamodel()); 2932 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2933 STRUCT_SIZE(ainfo))) { 2934 return; 2935 } 2936 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2937 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2938 #ifdef _LP64 2939 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2940 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2941 #else 2942 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2943 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2944 #endif 2945 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2946 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2947 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2948 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2949 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2950 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2951 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2952 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2953 break; 2954 case AUE_SETAUDIT_ADDR: 2955 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2956 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2957 STRUCT_SIZE(ainfo_addr))) { 2958 return; 2959 } 2960 au_uwrite(au_to_arg32((char)1, "auid", 2961 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2962 #ifdef _LP64 2963 au_uwrite(au_to_arg64((char)1, "port", 2964 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2965 #else 2966 au_uwrite(au_to_arg32((char)1, "port", 2967 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2968 #endif 2969 au_uwrite(au_to_arg32((char)1, "type", 2970 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2971 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2972 AU_IPv4) { 2973 au_uwrite(au_to_in_addr( 2974 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2975 ai_termid.at_addr))); 2976 } else { 2977 au_uwrite(au_to_in_addr_ex( 2978 (int32_t *)STRUCT_FGETP(ainfo_addr, 2979 ai_termid.at_addr))); 2980 } 2981 au_uwrite(au_to_arg32((char)1, "as_success", 2982 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2983 au_uwrite(au_to_arg32((char)1, "as_failure", 2984 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2985 au_uwrite(au_to_arg32((char)1, "asid", 2986 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2987 break; 2988 case AUE_AUDITON_SETKMASK: 2989 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2990 return; 2991 au_uwrite(au_to_arg32( 2992 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2993 au_uwrite(au_to_arg32( 2994 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2995 break; 2996 case AUE_AUDITON_SPOLICY: 2997 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2998 return; 2999 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3000 break; 3001 case AUE_AUDITON_SQCTRL: { 3002 STRUCT_DECL(au_qctrl, qctrl); 3003 model_t model; 3004 3005 model = get_udatamodel(); 3006 STRUCT_INIT(qctrl, model); 3007 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3008 return; 3009 if (model == DATAMODEL_ILP32) { 3010 au_uwrite(au_to_arg32( 3011 3, "setqctrl:aq_hiwater", 3012 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3013 au_uwrite(au_to_arg32( 3014 3, "setqctrl:aq_lowater", 3015 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3016 au_uwrite(au_to_arg32( 3017 3, "setqctrl:aq_bufsz", 3018 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3019 au_uwrite(au_to_arg32( 3020 3, "setqctrl:aq_delay", 3021 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3022 } else { 3023 au_uwrite(au_to_arg64( 3024 3, "setqctrl:aq_hiwater", 3025 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3026 au_uwrite(au_to_arg64( 3027 3, "setqctrl:aq_lowater", 3028 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3029 au_uwrite(au_to_arg64( 3030 3, "setqctrl:aq_bufsz", 3031 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3032 au_uwrite(au_to_arg64( 3033 3, "setqctrl:aq_delay", 3034 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3035 } 3036 break; 3037 } 3038 case AUE_AUDITON_SETUMASK: 3039 STRUCT_INIT(ainfo, get_udatamodel()); 3040 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3041 STRUCT_SIZE(ainfo))) { 3042 return; 3043 } 3044 au_uwrite(au_to_arg32(3, "setumask:as_success", 3045 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3046 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3047 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3048 break; 3049 case AUE_AUDITON_SETSMASK: 3050 STRUCT_INIT(ainfo, get_udatamodel()); 3051 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3052 STRUCT_SIZE(ainfo))) { 3053 return; 3054 } 3055 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3056 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3057 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3058 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3059 break; 3060 case AUE_AUDITON_SETCOND: 3061 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3062 return; 3063 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3064 break; 3065 case AUE_AUDITON_SETCLASS: 3066 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3067 return; 3068 au_uwrite(au_to_arg32( 3069 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3070 au_uwrite(au_to_arg32( 3071 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3072 break; 3073 case AUE_GETAUID: 3074 case AUE_GETAUDIT: 3075 case AUE_GETAUDIT_ADDR: 3076 case AUE_AUDIT: 3077 case AUE_AUDITON_GPOLICY: 3078 case AUE_AUDITON_GQCTRL: 3079 case AUE_AUDITON_GETKMASK: 3080 case AUE_AUDITON_GETCWD: 3081 case AUE_AUDITON_GETCAR: 3082 case AUE_AUDITON_GETSTAT: 3083 case AUE_AUDITON_SETSTAT: 3084 case AUE_AUDITON_GETCOND: 3085 case AUE_AUDITON_GETCLASS: 3086 break; 3087 default: 3088 break; 3089 } 3090 3091 } /* AUS_AUDITSYS */ 3092 3093 3094 /* only audit privileged operations for systeminfo(2) system call */ 3095 static au_event_t 3096 aui_sysinfo(au_event_t e) 3097 { 3098 klwp_t *clwp = ttolwp(curthread); 3099 uint32_t command; 3100 3101 struct a { 3102 long command; 3103 long buf; /* char * */ 3104 long count; 3105 } *uap = (struct a *)clwp->lwp_ap; 3106 3107 command = (uint32_t)uap->command; 3108 3109 switch (command) { 3110 case SI_SET_HOSTNAME: 3111 case SI_SET_SRPC_DOMAIN: 3112 e = (au_event_t)AUE_SYSINFO; 3113 break; 3114 default: 3115 e = (au_event_t)AUE_NULL; 3116 break; 3117 } 3118 return (e); 3119 } 3120 3121 /*ARGSUSED*/ 3122 static void 3123 aus_sysinfo(struct t_audit_data *tad) 3124 { 3125 klwp_t *clwp = ttolwp(curthread); 3126 uint32_t command; 3127 size_t len, maxlen; 3128 char *name; 3129 uintptr_t buf; 3130 3131 struct a { 3132 long command; 3133 long buf; /* char * */ 3134 long count; 3135 } *uap = (struct a *)clwp->lwp_ap; 3136 3137 command = (uint32_t)uap->command; 3138 buf = (uintptr_t)uap->buf; 3139 3140 au_uwrite(au_to_arg32(1, "cmd", command)); 3141 3142 switch (command) { 3143 case SI_SET_HOSTNAME: 3144 { 3145 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3146 return; 3147 3148 maxlen = SYS_NMLN; 3149 name = kmem_alloc(maxlen, KM_SLEEP); 3150 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3151 break; 3152 3153 /* 3154 * Must be non-NULL string and string 3155 * must be less than SYS_NMLN chars. 3156 */ 3157 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3158 break; 3159 3160 au_uwrite(au_to_text(name)); 3161 break; 3162 } 3163 3164 case SI_SET_SRPC_DOMAIN: 3165 { 3166 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3167 return; 3168 3169 maxlen = SYS_NMLN; 3170 name = kmem_alloc(maxlen, KM_SLEEP); 3171 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3172 break; 3173 3174 /* 3175 * If string passed in is longer than length 3176 * allowed for domain name, fail. 3177 */ 3178 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3179 break; 3180 3181 au_uwrite(au_to_text(name)); 3182 break; 3183 } 3184 3185 default: 3186 return; 3187 } 3188 3189 kmem_free(name, maxlen); 3190 } 3191 3192 static au_event_t 3193 aui_modctl(au_event_t e) 3194 { 3195 klwp_t *clwp = ttolwp(curthread); 3196 uint_t cmd; 3197 3198 struct a { 3199 long cmd; 3200 } *uap = (struct a *)clwp->lwp_ap; 3201 3202 cmd = (uint_t)uap->cmd; 3203 3204 switch (cmd) { 3205 case MODLOAD: 3206 e = AUE_MODLOAD; 3207 break; 3208 case MODUNLOAD: 3209 e = AUE_MODUNLOAD; 3210 break; 3211 case MODADDMAJBIND: 3212 e = AUE_MODADDMAJ; 3213 break; 3214 case MODSETDEVPOLICY: 3215 e = AUE_MODDEVPLCY; 3216 break; 3217 case MODALLOCPRIV: 3218 e = AUE_MODADDPRIV; 3219 break; 3220 default: 3221 e = AUE_NULL; 3222 break; 3223 } 3224 return (e); 3225 } 3226 3227 3228 /*ARGSUSED*/ 3229 static void 3230 aus_modctl(struct t_audit_data *tad) 3231 { 3232 klwp_t *clwp = ttolwp(curthread); 3233 void *a = clwp->lwp_ap; 3234 uint_t use_path; 3235 3236 switch (tad->tad_event) { 3237 case AUE_MODLOAD: { 3238 typedef struct { 3239 long cmd; 3240 long use_path; 3241 long filename; /* char * */ 3242 } modloada_t; 3243 3244 char *filenamep; 3245 uintptr_t fname; 3246 extern char *default_path; 3247 3248 fname = (uintptr_t)((modloada_t *)a)->filename; 3249 use_path = (uint_t)((modloada_t *)a)->use_path; 3250 3251 /* space to hold path */ 3252 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3253 /* get string */ 3254 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3255 /* free allocated path */ 3256 kmem_free(filenamep, MOD_MAXPATH); 3257 return; 3258 } 3259 /* ensure it's null terminated */ 3260 filenamep[MOD_MAXPATH - 1] = 0; 3261 3262 if (use_path) 3263 au_uwrite(au_to_text(default_path)); 3264 au_uwrite(au_to_text(filenamep)); 3265 3266 /* release temporary memory */ 3267 kmem_free(filenamep, MOD_MAXPATH); 3268 break; 3269 } 3270 case AUE_MODUNLOAD: { 3271 typedef struct { 3272 long cmd; 3273 long id; 3274 } modunloada_t; 3275 3276 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3277 3278 au_uwrite(au_to_arg32(1, "id", id)); 3279 break; 3280 } 3281 case AUE_MODADDMAJ: { 3282 STRUCT_DECL(modconfig, mc); 3283 typedef struct { 3284 long cmd; 3285 long subcmd; 3286 long data; /* int * */ 3287 } modconfiga_t; 3288 3289 STRUCT_DECL(aliases, alias); 3290 caddr_t ap; 3291 int i, num_aliases; 3292 char *drvname, *mc_drvname; 3293 char *name; 3294 extern char *ddi_major_to_name(major_t); 3295 model_t model; 3296 3297 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3298 3299 model = get_udatamodel(); 3300 STRUCT_INIT(mc, model); 3301 /* sanitize buffer */ 3302 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3303 /* get user arguments */ 3304 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3305 STRUCT_SIZE(mc)) != 0) 3306 return; 3307 3308 mc_drvname = STRUCT_FGET(mc, drvname); 3309 if ((drvname = ddi_major_to_name( 3310 (major_t)STRUCT_FGET(mc, major))) != NULL && 3311 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3312 /* safety */ 3313 if (mc_drvname[0] != '\0') { 3314 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3315 au_uwrite(au_to_text(mc_drvname)); 3316 } 3317 /* drvname != NULL from test above */ 3318 au_uwrite(au_to_text(drvname)); 3319 return; 3320 } 3321 3322 if (mc_drvname[0] != '\0') { 3323 /* safety */ 3324 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3325 au_uwrite(au_to_text(mc_drvname)); 3326 } else 3327 au_uwrite(au_to_text("no drvname")); 3328 3329 num_aliases = STRUCT_FGET(mc, num_aliases); 3330 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3331 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3332 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3333 STRUCT_INIT(alias, model); 3334 for (i = 0; i < num_aliases; i++) { 3335 bzero((caddr_t)STRUCT_BUF(alias), 3336 STRUCT_SIZE(alias)); 3337 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3338 STRUCT_SIZE(alias)) != 0) 3339 break; 3340 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3341 MAXMODCONFNAME, NULL) != 0) { 3342 break; 3343 } 3344 3345 au_uwrite(au_to_text(name)); 3346 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3347 } 3348 kmem_free(name, MAXMODCONFNAME); 3349 break; 3350 } 3351 default: 3352 break; 3353 } 3354 } 3355 3356 3357 /*ARGSUSED*/ 3358 static void 3359 auf_accept( 3360 struct t_audit_data *tad, 3361 int error, 3362 rval_t *rval) 3363 { 3364 uint32_t scid; 3365 uint32_t sy_flags; 3366 int fd; 3367 struct sonode *so; 3368 char so_laddr[sizeof (struct sockaddr_in6)]; 3369 char so_faddr[sizeof (struct sockaddr_in6)]; 3370 int err; 3371 short so_family, so_type; 3372 int add_sock_token = 0; 3373 3374 /* need to determine type of executing binary */ 3375 scid = tad->tad_scid; 3376 #ifdef _SYSCALL32_IMPL 3377 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3378 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3379 else 3380 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3381 #else 3382 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3383 #endif 3384 if (sy_flags == SE_32RVAL1) 3385 fd = rval->r_val1; 3386 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3387 fd = rval->r_val1; 3388 if (sy_flags == SE_64RVAL) 3389 fd = (int)rval->r_vals; 3390 3391 if (error) { 3392 /* can't trust socket contents. Just return */ 3393 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3394 return; 3395 } 3396 3397 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3398 /* 3399 * not security relevant if doing a accept from non socket 3400 * so no extra tokens. Should probably turn off audit record 3401 * generation here. 3402 */ 3403 return; 3404 } 3405 3406 so_family = so->so_family; 3407 so_type = so->so_type; 3408 3409 switch (so_family) { 3410 case AF_INET: 3411 case AF_INET6: 3412 /* 3413 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3414 */ 3415 if (so->so_type == SOCK_STREAM) { 3416 socklen_t len; 3417 3418 bzero((void *)so_laddr, sizeof (so_laddr)); 3419 bzero((void *)so_faddr, sizeof (so_faddr)); 3420 3421 len = sizeof (so_laddr); 3422 (void) socket_getsockname(so, 3423 (struct sockaddr *)so_laddr, &len, CRED()); 3424 len = sizeof (so_faddr); 3425 (void) socket_getpeername(so, 3426 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3427 3428 add_sock_token = 1; 3429 } 3430 break; 3431 3432 default: 3433 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3434 break; 3435 } 3436 3437 releasef(fd); 3438 3439 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3440 3441 if (add_sock_token == 0) { 3442 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3443 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3444 return; 3445 } 3446 3447 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3448 3449 } 3450 3451 /*ARGSUSED*/ 3452 static void 3453 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3454 { 3455 struct a { 3456 long fd; 3457 long addr; 3458 long len; 3459 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3460 3461 struct sonode *so; 3462 char so_laddr[sizeof (struct sockaddr_in6)]; 3463 char so_faddr[sizeof (struct sockaddr_in6)]; 3464 int err, fd; 3465 socklen_t len; 3466 short so_family, so_type; 3467 int add_sock_token = 0; 3468 3469 fd = (int)uap->fd; 3470 3471 /* 3472 * bind failed, then nothing extra to add to audit record. 3473 */ 3474 if (error) { 3475 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3476 /* XXX may want to add failed address some day */ 3477 return; 3478 } 3479 3480 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3481 /* 3482 * not security relevant if doing a bind from non socket 3483 * so no extra tokens. Should probably turn off audit record 3484 * generation here. 3485 */ 3486 return; 3487 } 3488 3489 so_family = so->so_family; 3490 so_type = so->so_type; 3491 3492 switch (so_family) { 3493 case AF_INET: 3494 case AF_INET6: 3495 3496 bzero(so_faddr, sizeof (so_faddr)); 3497 len = sizeof (so_faddr); 3498 3499 (void) socket_getpeername(so, 3500 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3501 add_sock_token = 1; 3502 3503 break; 3504 3505 case AF_UNIX: 3506 /* token added by lookup */ 3507 break; 3508 default: 3509 /* AF_ROUTE, AF_KEY do not support accept */ 3510 break; 3511 } 3512 3513 releasef(fd); 3514 3515 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3516 3517 if (add_sock_token == 0) { 3518 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3519 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3520 return; 3521 } 3522 3523 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3524 3525 } 3526 3527 /*ARGSUSED*/ 3528 static void 3529 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3530 { 3531 struct a { 3532 long fd; 3533 long addr; 3534 long len; 3535 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3536 3537 struct sonode *so; 3538 char so_laddr[sizeof (struct sockaddr_in6)]; 3539 char so_faddr[sizeof (struct sockaddr_in6)]; 3540 int err, fd; 3541 socklen_t len; 3542 short so_family, so_type; 3543 int add_sock_token = 0; 3544 3545 fd = (int)uap->fd; 3546 3547 3548 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3549 /* 3550 * not security relevant if doing a connect from non socket 3551 * so no extra tokens. Should probably turn off audit record 3552 * generation here. 3553 */ 3554 return; 3555 } 3556 3557 so_family = so->so_family; 3558 so_type = so->so_type; 3559 3560 switch (so_family) { 3561 case AF_INET: 3562 case AF_INET6: 3563 3564 bzero(so_laddr, sizeof (so_laddr)); 3565 bzero(so_faddr, sizeof (so_faddr)); 3566 3567 len = sizeof (so_laddr); 3568 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3569 &len, CRED()); 3570 if (error) { 3571 if (uap->addr == NULL) 3572 break; 3573 if (uap->len <= 0) 3574 break; 3575 len = min(uap->len, sizeof (so_faddr)); 3576 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3577 break; 3578 #ifdef NOTYET 3579 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3580 #endif 3581 } else { 3582 /* sanity check on length */ 3583 len = sizeof (so_faddr); 3584 (void) socket_getpeername(so, 3585 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3586 } 3587 3588 add_sock_token = 1; 3589 3590 break; 3591 3592 case AF_UNIX: 3593 /* does a lookup on name */ 3594 break; 3595 3596 default: 3597 /* AF_ROUTE, AF_KEY do not support accept */ 3598 break; 3599 } 3600 3601 releasef(fd); 3602 3603 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3604 3605 if (add_sock_token == 0) { 3606 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3607 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3608 return; 3609 } 3610 3611 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3612 3613 } 3614 3615 /*ARGSUSED*/ 3616 static void 3617 aus_shutdown(struct t_audit_data *tad) 3618 { 3619 struct a { 3620 long fd; 3621 long how; 3622 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3623 3624 struct sonode *so; 3625 char so_laddr[sizeof (struct sockaddr_in6)]; 3626 char so_faddr[sizeof (struct sockaddr_in6)]; 3627 int err, fd; 3628 socklen_t len; 3629 short so_family, so_type; 3630 int add_sock_token = 0; 3631 file_t *fp; /* unix domain sockets */ 3632 struct f_audit_data *fad; /* unix domain sockets */ 3633 3634 fd = (int)uap->fd; 3635 3636 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3637 /* 3638 * not security relevant if doing a shutdown using non socket 3639 * so no extra tokens. Should probably turn off audit record 3640 * generation here. 3641 */ 3642 return; 3643 } 3644 3645 so_family = so->so_family; 3646 so_type = so->so_type; 3647 3648 switch (so_family) { 3649 case AF_INET: 3650 case AF_INET6: 3651 3652 bzero(so_laddr, sizeof (so_laddr)); 3653 bzero(so_faddr, sizeof (so_faddr)); 3654 3655 len = sizeof (so_laddr); 3656 (void) socket_getsockname(so, 3657 (struct sockaddr *)so_laddr, &len, CRED()); 3658 len = sizeof (so_faddr); 3659 (void) socket_getpeername(so, 3660 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3661 3662 add_sock_token = 1; 3663 3664 break; 3665 3666 case AF_UNIX: 3667 3668 /* get path from file struct here */ 3669 fad = F2A(fp); 3670 ASSERT(fad); 3671 3672 if (fad->fad_aupath != NULL) { 3673 au_uwrite(au_to_path(fad->fad_aupath)); 3674 } else { 3675 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3676 } 3677 3678 audit_attributes(fp->f_vnode); 3679 3680 break; 3681 3682 default: 3683 /* 3684 * AF_KEY and AF_ROUTE support shutdown. No socket token 3685 * added. 3686 */ 3687 break; 3688 } 3689 3690 releasef(fd); 3691 3692 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3693 3694 if (add_sock_token == 0) { 3695 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3696 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3697 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3698 return; 3699 } 3700 3701 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3702 3703 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3704 3705 } 3706 3707 /*ARGSUSED*/ 3708 static void 3709 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3710 { 3711 struct a { 3712 long fd; 3713 long level; 3714 long optname; 3715 long *optval; 3716 long optlen; 3717 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3718 3719 struct sonode *so; 3720 char so_laddr[sizeof (struct sockaddr_in6)]; 3721 char so_faddr[sizeof (struct sockaddr_in6)]; 3722 char val[AU_BUFSIZE]; 3723 int err, fd; 3724 socklen_t len; 3725 short so_family, so_type; 3726 int add_sock_token = 0; 3727 file_t *fp; /* unix domain sockets */ 3728 struct f_audit_data *fad; /* unix domain sockets */ 3729 3730 fd = (int)uap->fd; 3731 3732 if (error) { 3733 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3734 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3735 /* XXX may want to include other arguments */ 3736 return; 3737 } 3738 3739 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3740 /* 3741 * not security relevant if doing a setsockopt from non socket 3742 * so no extra tokens. Should probably turn off audit record 3743 * generation here. 3744 */ 3745 return; 3746 } 3747 3748 so_family = so->so_family; 3749 so_type = so->so_type; 3750 3751 switch (so_family) { 3752 case AF_INET: 3753 case AF_INET6: 3754 bzero((void *)so_laddr, sizeof (so_laddr)); 3755 bzero((void *)so_faddr, sizeof (so_faddr)); 3756 3757 /* get local and foreign addresses */ 3758 len = sizeof (so_laddr); 3759 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3760 &len, CRED()); 3761 len = sizeof (so_faddr); 3762 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3763 &len, B_FALSE, CRED()); 3764 3765 add_sock_token = 1; 3766 3767 break; 3768 3769 case AF_UNIX: 3770 3771 /* get path from file struct here */ 3772 fad = F2A(fp); 3773 ASSERT(fad); 3774 3775 if (fad->fad_aupath != NULL) { 3776 au_uwrite(au_to_path(fad->fad_aupath)); 3777 } else { 3778 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3779 } 3780 3781 audit_attributes(fp->f_vnode); 3782 3783 break; 3784 3785 default: 3786 /* 3787 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3788 * added. 3789 */ 3790 break; 3791 } 3792 3793 releasef(fd); 3794 3795 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3796 3797 if (add_sock_token == 0) { 3798 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3799 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3800 } 3801 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3802 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3803 3804 bzero(val, sizeof (val)); 3805 len = min(uap->optlen, sizeof (val)); 3806 if ((len > 0) && 3807 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3808 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3809 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3810 } 3811 3812 if (add_sock_token == 0) 3813 return; 3814 3815 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3816 3817 } 3818 3819 /*ARGSUSED*/ 3820 static void 3821 aus_sockconfig(tad) 3822 struct t_audit_data *tad; 3823 { 3824 struct a { 3825 long cmd; 3826 long arg1; 3827 long arg2; 3828 long arg3; 3829 long arg4; 3830 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3831 3832 char *buf; 3833 int buflen; 3834 size_t size; 3835 3836 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 3837 switch (uap->cmd) { 3838 case SOCKCONFIG_ADD_SOCK: 3839 case SOCKCONFIG_REMOVE_SOCK: 3840 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1)); 3841 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2)); 3842 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3)); 3843 3844 if (uap->arg4 == 0) { 3845 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0)); 3846 } else { 3847 buflen = MAXPATHLEN + 1; 3848 buf = kmem_alloc(buflen, KM_SLEEP); 3849 if (copyinstr((caddr_t)uap->arg4, buf, buflen, 3850 &size)) { 3851 kmem_free(buf, buflen); 3852 return; 3853 } 3854 3855 if (size > MAXPATHLEN) { 3856 kmem_free(buf, buflen); 3857 return; 3858 } 3859 3860 au_uwrite(au_to_text(buf)); 3861 kmem_free(buf, buflen); 3862 } 3863 break; 3864 case SOCKCONFIG_ADD_FILTER: 3865 case SOCKCONFIG_REMOVE_FILTER: 3866 buflen = FILNAME_MAX; 3867 buf = kmem_alloc(buflen, KM_SLEEP); 3868 3869 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) { 3870 kmem_free(buf, buflen); 3871 return; 3872 } 3873 3874 au_uwrite(au_to_text(buf)); 3875 kmem_free(buf, buflen); 3876 break; 3877 default: 3878 break; 3879 } 3880 } 3881 3882 /* 3883 * only audit recvmsg when the system call represents the creation of a new 3884 * circuit. This effectively occurs for all UDP packets and may occur for 3885 * special TCP situations where the local host has not set a local address 3886 * in the socket structure. 3887 */ 3888 /*ARGSUSED*/ 3889 static void 3890 auf_recvmsg( 3891 struct t_audit_data *tad, 3892 int error, 3893 rval_t *rvp) 3894 { 3895 struct a { 3896 long fd; 3897 long msg; /* struct msghdr */ 3898 long flags; 3899 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3900 3901 struct sonode *so; 3902 STRUCT_DECL(msghdr, msg); 3903 caddr_t msg_name; 3904 socklen_t msg_namelen; 3905 int fd; 3906 int err; 3907 char so_laddr[sizeof (struct sockaddr_in6)]; 3908 char so_faddr[sizeof (struct sockaddr_in6)]; 3909 socklen_t len; 3910 file_t *fp; /* unix domain sockets */ 3911 struct f_audit_data *fad; /* unix domain sockets */ 3912 short so_family, so_type; 3913 int add_sock_token = 0; 3914 au_kcontext_t *kctx = GET_KCTX_PZ; 3915 3916 fd = (int)uap->fd; 3917 3918 /* bail if an error */ 3919 if (error) { 3920 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3921 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3922 return; 3923 } 3924 3925 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3926 /* 3927 * not security relevant if doing a recvmsg from non socket 3928 * so no extra tokens. Should probably turn off audit record 3929 * generation here. 3930 */ 3931 return; 3932 } 3933 3934 so_family = so->so_family; 3935 so_type = so->so_type; 3936 3937 /* 3938 * only putout SOCKET_EX token if INET/INET6 family. 3939 * XXX - what do we do about other families? 3940 */ 3941 3942 switch (so_family) { 3943 case AF_INET: 3944 case AF_INET6: 3945 3946 /* 3947 * if datagram type socket, then just use what is in 3948 * socket structure for local address. 3949 * XXX - what do we do for other types? 3950 */ 3951 if ((so->so_type == SOCK_DGRAM) || 3952 (so->so_type == SOCK_RAW)) { 3953 add_sock_token = 1; 3954 3955 bzero((void *)so_laddr, sizeof (so_laddr)); 3956 bzero((void *)so_faddr, sizeof (so_faddr)); 3957 3958 /* get local address */ 3959 len = sizeof (so_laddr); 3960 (void) socket_getsockname(so, 3961 (struct sockaddr *)so_laddr, &len, CRED()); 3962 3963 /* get peer address */ 3964 STRUCT_INIT(msg, get_udatamodel()); 3965 3966 if (copyin((caddr_t)(uap->msg), 3967 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3968 break; 3969 } 3970 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3971 if (msg_name == NULL) { 3972 break; 3973 } 3974 3975 /* length is value from recvmsg - sanity check */ 3976 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3977 if (msg_namelen == 0) { 3978 break; 3979 } 3980 if (copyin(msg_name, so_faddr, 3981 sizeof (so_faddr)) != 0) { 3982 break; 3983 } 3984 3985 } else if (so->so_type == SOCK_STREAM) { 3986 3987 /* get path from file struct here */ 3988 fad = F2A(fp); 3989 ASSERT(fad); 3990 3991 /* 3992 * already processed this file for read attempt 3993 */ 3994 if (fad->fad_flags & FAD_READ) { 3995 /* don't want to audit every recvmsg attempt */ 3996 tad->tad_flag = 0; 3997 /* free any residual audit data */ 3998 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 3999 releasef(fd); 4000 return; 4001 } 4002 /* 4003 * mark things so we know what happened and don't 4004 * repeat things 4005 */ 4006 fad->fad_flags |= FAD_READ; 4007 4008 bzero((void *)so_laddr, sizeof (so_laddr)); 4009 bzero((void *)so_faddr, sizeof (so_faddr)); 4010 4011 /* get local and foreign addresses */ 4012 len = sizeof (so_laddr); 4013 (void) socket_getsockname(so, 4014 (struct sockaddr *)so_laddr, &len, CRED()); 4015 len = sizeof (so_faddr); 4016 (void) socket_getpeername(so, 4017 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4018 4019 add_sock_token = 1; 4020 } 4021 4022 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4023 4024 break; 4025 4026 case AF_UNIX: 4027 /* 4028 * first check if this is first time through. Too much 4029 * duplicate code to put this in an aui_ routine. 4030 */ 4031 4032 /* get path from file struct here */ 4033 fad = F2A(fp); 4034 ASSERT(fad); 4035 4036 /* 4037 * already processed this file for read attempt 4038 */ 4039 if (fad->fad_flags & FAD_READ) { 4040 releasef(fd); 4041 /* don't want to audit every recvmsg attempt */ 4042 tad->tad_flag = 0; 4043 /* free any residual audit data */ 4044 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4045 return; 4046 } 4047 /* 4048 * mark things so we know what happened and don't 4049 * repeat things 4050 */ 4051 fad->fad_flags |= FAD_READ; 4052 4053 if (fad->fad_aupath != NULL) { 4054 au_uwrite(au_to_path(fad->fad_aupath)); 4055 } else { 4056 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4057 } 4058 4059 audit_attributes(fp->f_vnode); 4060 4061 releasef(fd); 4062 4063 return; 4064 4065 default: 4066 break; 4067 4068 } 4069 4070 releasef(fd); 4071 4072 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4073 4074 if (add_sock_token == 0) { 4075 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4076 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4077 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4078 return; 4079 } 4080 4081 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4082 4083 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4084 4085 } 4086 4087 /*ARGSUSED*/ 4088 static void 4089 auf_recvfrom( 4090 struct t_audit_data *tad, 4091 int error, 4092 rval_t *rvp) 4093 { 4094 4095 struct a { 4096 long fd; 4097 long msg; /* char */ 4098 long len; 4099 long flags; 4100 long from; /* struct sockaddr */ 4101 long fromlen; 4102 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4103 4104 socklen_t fromlen; 4105 struct sonode *so; 4106 char so_laddr[sizeof (struct sockaddr_in6)]; 4107 char so_faddr[sizeof (struct sockaddr_in6)]; 4108 int fd; 4109 short so_family, so_type; 4110 int add_sock_token = 0; 4111 socklen_t len; 4112 int err; 4113 struct file *fp; 4114 struct f_audit_data *fad; /* unix domain sockets */ 4115 au_kcontext_t *kctx = GET_KCTX_PZ; 4116 4117 fd = (int)uap->fd; 4118 4119 /* bail if an error */ 4120 if (error) { 4121 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4122 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4123 return; 4124 } 4125 4126 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4127 /* 4128 * not security relevant if doing a recvmsg from non socket 4129 * so no extra tokens. Should probably turn off audit record 4130 * generation here. 4131 */ 4132 return; 4133 } 4134 4135 so_family = so->so_family; 4136 so_type = so->so_type; 4137 4138 /* 4139 * only putout SOCKET_EX token if INET/INET6 family. 4140 * XXX - what do we do about other families? 4141 */ 4142 4143 switch (so_family) { 4144 case AF_INET: 4145 case AF_INET6: 4146 4147 /* 4148 * if datagram type socket, then just use what is in 4149 * socket structure for local address. 4150 * XXX - what do we do for other types? 4151 */ 4152 if ((so->so_type == SOCK_DGRAM) || 4153 (so->so_type == SOCK_RAW)) { 4154 add_sock_token = 1; 4155 4156 /* get local address */ 4157 len = sizeof (so_laddr); 4158 (void) socket_getsockname(so, 4159 (struct sockaddr *)so_laddr, &len, CRED()); 4160 4161 /* get peer address */ 4162 bzero((void *)so_faddr, sizeof (so_faddr)); 4163 4164 /* sanity check */ 4165 if (uap->from == NULL) 4166 break; 4167 4168 /* sanity checks */ 4169 if (uap->fromlen == 0) 4170 break; 4171 4172 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4173 sizeof (fromlen)) != 0) 4174 break; 4175 4176 if (fromlen == 0) 4177 break; 4178 4179 /* enforce maximum size */ 4180 if (fromlen > sizeof (so_faddr)) 4181 fromlen = sizeof (so_faddr); 4182 4183 if (copyin((caddr_t)(uap->from), so_faddr, 4184 fromlen) != 0) 4185 break; 4186 4187 } else if (so->so_type == SOCK_STREAM) { 4188 4189 /* get path from file struct here */ 4190 fad = F2A(fp); 4191 ASSERT(fad); 4192 4193 /* 4194 * already processed this file for read attempt 4195 */ 4196 if (fad->fad_flags & FAD_READ) { 4197 /* don't want to audit every recvfrom attempt */ 4198 tad->tad_flag = 0; 4199 /* free any residual audit data */ 4200 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4201 releasef(fd); 4202 return; 4203 } 4204 /* 4205 * mark things so we know what happened and don't 4206 * repeat things 4207 */ 4208 fad->fad_flags |= FAD_READ; 4209 4210 bzero((void *)so_laddr, sizeof (so_laddr)); 4211 bzero((void *)so_faddr, sizeof (so_faddr)); 4212 4213 /* get local and foreign addresses */ 4214 len = sizeof (so_laddr); 4215 (void) socket_getsockname(so, 4216 (struct sockaddr *)so_laddr, &len, CRED()); 4217 len = sizeof (so_faddr); 4218 (void) socket_getpeername(so, 4219 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4220 4221 add_sock_token = 1; 4222 } 4223 4224 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4225 4226 break; 4227 4228 case AF_UNIX: 4229 /* 4230 * first check if this is first time through. Too much 4231 * duplicate code to put this in an aui_ routine. 4232 */ 4233 4234 /* get path from file struct here */ 4235 fad = F2A(fp); 4236 ASSERT(fad); 4237 4238 /* 4239 * already processed this file for read attempt 4240 */ 4241 if (fad->fad_flags & FAD_READ) { 4242 /* don't want to audit every recvfrom attempt */ 4243 tad->tad_flag = 0; 4244 /* free any residual audit data */ 4245 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4246 releasef(fd); 4247 return; 4248 } 4249 /* 4250 * mark things so we know what happened and don't 4251 * repeat things 4252 */ 4253 fad->fad_flags |= FAD_READ; 4254 4255 if (fad->fad_aupath != NULL) { 4256 au_uwrite(au_to_path(fad->fad_aupath)); 4257 } else { 4258 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4259 } 4260 4261 audit_attributes(fp->f_vnode); 4262 4263 releasef(fd); 4264 4265 return; 4266 4267 default: 4268 break; 4269 4270 } 4271 4272 releasef(fd); 4273 4274 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4275 4276 if (add_sock_token == 0) { 4277 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4278 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4279 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4280 return; 4281 } 4282 4283 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4284 4285 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4286 } 4287 4288 /*ARGSUSED*/ 4289 static void 4290 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4291 { 4292 struct a { 4293 long fd; 4294 long msg; /* struct msghdr */ 4295 long flags; 4296 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4297 4298 struct sonode *so; 4299 char so_laddr[sizeof (struct sockaddr_in6)]; 4300 char so_faddr[sizeof (struct sockaddr_in6)]; 4301 int err; 4302 int fd; 4303 short so_family, so_type; 4304 int add_sock_token = 0; 4305 socklen_t len; 4306 struct file *fp; 4307 struct f_audit_data *fad; 4308 caddr_t msg_name; 4309 socklen_t msg_namelen; 4310 STRUCT_DECL(msghdr, msg); 4311 au_kcontext_t *kctx = GET_KCTX_PZ; 4312 4313 fd = (int)uap->fd; 4314 4315 /* bail if an error */ 4316 if (error) { 4317 /* XXX include destination address from system call arguments */ 4318 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4319 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4320 return; 4321 } 4322 4323 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4324 /* 4325 * not security relevant if doing a sendmsg from non socket 4326 * so no extra tokens. Should probably turn off audit record 4327 * generation here. 4328 */ 4329 return; 4330 } 4331 4332 so_family = so->so_family; 4333 so_type = so->so_type; 4334 4335 switch (so_family) { 4336 case AF_INET: 4337 case AF_INET6: 4338 /* 4339 * if datagram type socket, then just use what is in 4340 * socket structure for local address. 4341 * XXX - what do we do for other types? 4342 */ 4343 if ((so->so_type == SOCK_DGRAM) || 4344 (so->so_type == SOCK_RAW)) { 4345 4346 bzero((void *)so_laddr, sizeof (so_laddr)); 4347 bzero((void *)so_faddr, sizeof (so_faddr)); 4348 4349 /* get local address */ 4350 len = sizeof (so_laddr); 4351 (void) socket_getsockname(so, 4352 (struct sockaddr *)so_laddr, &len, CRED()); 4353 4354 /* get peer address */ 4355 STRUCT_INIT(msg, get_udatamodel()); 4356 4357 if (copyin((caddr_t)(uap->msg), 4358 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4359 break; 4360 } 4361 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4362 if (msg_name == NULL) 4363 break; 4364 4365 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4366 /* length is value from recvmsg - sanity check */ 4367 if (msg_namelen == 0) 4368 break; 4369 4370 if (copyin(msg_name, so_faddr, 4371 sizeof (so_faddr)) != 0) 4372 break; 4373 4374 add_sock_token = 1; 4375 4376 } else if (so->so_type == SOCK_STREAM) { 4377 4378 /* get path from file struct here */ 4379 fad = F2A(fp); 4380 ASSERT(fad); 4381 4382 /* 4383 * already processed this file for write attempt 4384 */ 4385 if (fad->fad_flags & FAD_WRITE) { 4386 releasef(fd); 4387 /* don't want to audit every sendmsg attempt */ 4388 tad->tad_flag = 0; 4389 /* free any residual audit data */ 4390 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4391 return; 4392 } 4393 4394 /* 4395 * mark things so we know what happened and don't 4396 * repeat things 4397 */ 4398 fad->fad_flags |= FAD_WRITE; 4399 4400 bzero((void *)so_laddr, sizeof (so_laddr)); 4401 bzero((void *)so_faddr, sizeof (so_faddr)); 4402 4403 /* get local and foreign addresses */ 4404 len = sizeof (so_laddr); 4405 (void) socket_getsockname(so, 4406 (struct sockaddr *)so_laddr, &len, CRED()); 4407 len = sizeof (so_faddr); 4408 (void) socket_getpeername(so, 4409 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4410 4411 add_sock_token = 1; 4412 } 4413 4414 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4415 4416 break; 4417 4418 case AF_UNIX: 4419 /* 4420 * first check if this is first time through. Too much 4421 * duplicate code to put this in an aui_ routine. 4422 */ 4423 4424 /* get path from file struct here */ 4425 fad = F2A(fp); 4426 ASSERT(fad); 4427 4428 /* 4429 * already processed this file for write attempt 4430 */ 4431 if (fad->fad_flags & FAD_WRITE) { 4432 releasef(fd); 4433 /* don't want to audit every sendmsg attempt */ 4434 tad->tad_flag = 0; 4435 /* free any residual audit data */ 4436 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4437 return; 4438 } 4439 /* 4440 * mark things so we know what happened and don't 4441 * repeat things 4442 */ 4443 fad->fad_flags |= FAD_WRITE; 4444 4445 if (fad->fad_aupath != NULL) { 4446 au_uwrite(au_to_path(fad->fad_aupath)); 4447 } else { 4448 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4449 } 4450 4451 audit_attributes(fp->f_vnode); 4452 4453 releasef(fd); 4454 4455 return; 4456 4457 default: 4458 break; 4459 } 4460 4461 releasef(fd); 4462 4463 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4464 4465 if (add_sock_token == 0) { 4466 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4467 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4468 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4469 return; 4470 } 4471 4472 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4473 4474 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4475 } 4476 4477 /*ARGSUSED*/ 4478 static void 4479 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4480 { 4481 struct a { 4482 long fd; 4483 long msg; /* char */ 4484 long len; 4485 long flags; 4486 long to; /* struct sockaddr */ 4487 long tolen; 4488 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4489 4490 struct sonode *so; 4491 char so_laddr[sizeof (struct sockaddr_in6)]; 4492 char so_faddr[sizeof (struct sockaddr_in6)]; 4493 socklen_t tolen; 4494 int err; 4495 int fd; 4496 socklen_t len; 4497 short so_family, so_type; 4498 int add_sock_token = 0; 4499 struct file *fp; 4500 struct f_audit_data *fad; 4501 au_kcontext_t *kctx = GET_KCTX_PZ; 4502 4503 fd = (int)uap->fd; 4504 4505 /* bail if an error */ 4506 if (error) { 4507 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4508 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4509 /* XXX include destination address from system call arguments */ 4510 return; 4511 } 4512 4513 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4514 /* 4515 * not security relevant if doing a sendto using non socket 4516 * so no extra tokens. Should probably turn off audit record 4517 * generation here. 4518 */ 4519 return; 4520 } 4521 4522 so_family = so->so_family; 4523 so_type = so->so_type; 4524 4525 /* 4526 * only putout SOCKET_EX token if INET/INET6 family. 4527 * XXX - what do we do about other families? 4528 */ 4529 4530 switch (so_family) { 4531 case AF_INET: 4532 case AF_INET6: 4533 4534 /* 4535 * if datagram type socket, then just use what is in 4536 * socket structure for local address. 4537 * XXX - what do we do for other types? 4538 */ 4539 if ((so->so_type == SOCK_DGRAM) || 4540 (so->so_type == SOCK_RAW)) { 4541 4542 bzero((void *)so_laddr, sizeof (so_laddr)); 4543 bzero((void *)so_faddr, sizeof (so_faddr)); 4544 4545 /* get local address */ 4546 len = sizeof (so_laddr); 4547 (void) socket_getsockname(so, 4548 (struct sockaddr *)so_laddr, &len, CRED()); 4549 4550 /* get peer address */ 4551 4552 /* sanity check */ 4553 if (uap->to == NULL) 4554 break; 4555 4556 /* sanity checks */ 4557 if (uap->tolen == 0) 4558 break; 4559 4560 tolen = (socklen_t)uap->tolen; 4561 4562 /* enforce maximum size */ 4563 if (tolen > sizeof (so_faddr)) 4564 tolen = sizeof (so_faddr); 4565 4566 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4567 break; 4568 4569 add_sock_token = 1; 4570 } else { 4571 /* 4572 * check if this is first time through. 4573 */ 4574 4575 /* get path from file struct here */ 4576 fad = F2A(fp); 4577 ASSERT(fad); 4578 4579 /* 4580 * already processed this file for write attempt 4581 */ 4582 if (fad->fad_flags & FAD_WRITE) { 4583 /* don't want to audit every sendto attempt */ 4584 tad->tad_flag = 0; 4585 /* free any residual audit data */ 4586 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4587 releasef(fd); 4588 return; 4589 } 4590 /* 4591 * mark things so we know what happened and don't 4592 * repeat things 4593 */ 4594 fad->fad_flags |= FAD_WRITE; 4595 4596 bzero((void *)so_laddr, sizeof (so_laddr)); 4597 bzero((void *)so_faddr, sizeof (so_faddr)); 4598 4599 /* get local and foreign addresses */ 4600 len = sizeof (so_laddr); 4601 (void) socket_getsockname(so, 4602 (struct sockaddr *)so_laddr, &len, CRED()); 4603 len = sizeof (so_faddr); 4604 (void) socket_getpeername(so, 4605 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4606 4607 add_sock_token = 1; 4608 } 4609 4610 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4611 4612 break; 4613 4614 case AF_UNIX: 4615 /* 4616 * first check if this is first time through. Too much 4617 * duplicate code to put this in an aui_ routine. 4618 */ 4619 4620 /* get path from file struct here */ 4621 fad = F2A(fp); 4622 ASSERT(fad); 4623 4624 /* 4625 * already processed this file for write attempt 4626 */ 4627 if (fad->fad_flags & FAD_WRITE) { 4628 /* don't want to audit every sendto attempt */ 4629 tad->tad_flag = 0; 4630 /* free any residual audit data */ 4631 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4632 releasef(fd); 4633 return; 4634 } 4635 /* 4636 * mark things so we know what happened and don't 4637 * repeat things 4638 */ 4639 fad->fad_flags |= FAD_WRITE; 4640 4641 if (fad->fad_aupath != NULL) { 4642 au_uwrite(au_to_path(fad->fad_aupath)); 4643 } else { 4644 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4645 } 4646 4647 audit_attributes(fp->f_vnode); 4648 4649 releasef(fd); 4650 4651 return; 4652 4653 default: 4654 break; 4655 4656 } 4657 4658 releasef(fd); 4659 4660 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4661 4662 if (add_sock_token == 0) { 4663 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4664 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4665 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4666 return; 4667 } 4668 4669 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4670 4671 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4672 4673 } 4674 4675 /* 4676 * XXX socket(2) may be equivalent to open(2) on a unix domain 4677 * socket. This needs investigation. 4678 */ 4679 4680 /*ARGSUSED*/ 4681 static void 4682 aus_socket(struct t_audit_data *tad) 4683 { 4684 struct a { 4685 long domain; 4686 long type; 4687 long protocol; 4688 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4689 4690 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4691 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4692 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4693 } 4694 4695 /*ARGSUSED*/ 4696 static void 4697 aus_sigqueue(struct t_audit_data *tad) 4698 { 4699 struct a { 4700 long pid; 4701 long signo; 4702 long *val; 4703 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4704 struct proc *p; 4705 uid_t uid, ruid; 4706 gid_t gid, rgid; 4707 pid_t pid; 4708 const auditinfo_addr_t *ainfo; 4709 cred_t *cr; 4710 4711 pid = (pid_t)uap->pid; 4712 4713 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4714 if (pid > 0) { 4715 mutex_enter(&pidlock); 4716 if ((p = prfind(pid)) == (struct proc *)0) { 4717 mutex_exit(&pidlock); 4718 return; 4719 } 4720 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4721 mutex_exit(&pidlock); 4722 4723 mutex_enter(&p->p_crlock); 4724 crhold(cr = p->p_cred); 4725 mutex_exit(&p->p_crlock); 4726 mutex_exit(&p->p_lock); 4727 4728 ainfo = crgetauinfo(cr); 4729 if (ainfo == NULL) { 4730 crfree(cr); 4731 return; 4732 } 4733 4734 uid = crgetuid(cr); 4735 gid = crgetgid(cr); 4736 ruid = crgetruid(cr); 4737 rgid = crgetrgid(cr); 4738 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4739 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4740 crfree(cr); 4741 } 4742 else 4743 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4744 } 4745 4746 /*ARGSUSED*/ 4747 static void 4748 aus_inst_sync(struct t_audit_data *tad) 4749 { 4750 struct a { 4751 long name; /* char */ 4752 long flags; 4753 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4754 4755 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4756 } 4757 4758 /*ARGSUSED*/ 4759 static void 4760 aus_brandsys(struct t_audit_data *tad) 4761 { 4762 klwp_t *clwp = ttolwp(curthread); 4763 4764 struct a { 4765 long cmd; 4766 long arg1; 4767 long arg2; 4768 long arg3; 4769 long arg4; 4770 long arg5; 4771 long arg6; 4772 } *uap = (struct a *)clwp->lwp_ap; 4773 4774 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4775 #ifdef _LP64 4776 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4777 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4778 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4779 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4780 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4781 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4782 #else 4783 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4784 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4785 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4786 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4787 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4788 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4789 #endif 4790 } 4791 4792 /*ARGSUSED*/ 4793 static void 4794 aus_p_online(struct t_audit_data *tad) 4795 { 4796 struct a { 4797 long processor_id; 4798 long flag; 4799 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4800 4801 struct flags { 4802 int flag; 4803 char *cflag; 4804 } aflags[6] = { 4805 { P_ONLINE, "P_ONLINE"}, 4806 { P_OFFLINE, "P_OFFLINE"}, 4807 { P_NOINTR, "P_NOINTR"}, 4808 { P_SPARE, "P_SPARE"}, 4809 { P_FAULTED, "P_FAULTED"}, 4810 { P_STATUS, "P_STATUS"} 4811 }; 4812 int i; 4813 char *cflag; 4814 4815 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4816 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4817 4818 for (i = 0; i < 6; i++) { 4819 if (aflags[i].flag == uap->flag) 4820 break; 4821 } 4822 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4823 4824 au_uwrite(au_to_text(cflag)); 4825 } 4826 4827 /*ARGSUSED*/ 4828 static void 4829 aus_processor_bind(struct t_audit_data *tad) 4830 { 4831 struct a { 4832 long id_type; 4833 long id; 4834 long processor_id; 4835 long obind; 4836 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4837 4838 struct proc *p; 4839 int lwpcnt; 4840 uid_t uid, ruid; 4841 gid_t gid, rgid; 4842 pid_t pid; 4843 const auditinfo_addr_t *ainfo; 4844 cred_t *cr; 4845 4846 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4847 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4848 if (uap->processor_id == PBIND_NONE) 4849 au_uwrite(au_to_text("PBIND_NONE")); 4850 else 4851 au_uwrite(au_to_arg32(3, "processor_id", 4852 (uint32_t)uap->processor_id)); 4853 4854 switch (uap->id_type) { 4855 case P_MYID: 4856 case P_LWPID: 4857 mutex_enter(&pidlock); 4858 p = ttoproc(curthread); 4859 if (p == NULL || p->p_as == &kas) { 4860 mutex_exit(&pidlock); 4861 return; 4862 } 4863 mutex_enter(&p->p_lock); 4864 mutex_exit(&pidlock); 4865 lwpcnt = p->p_lwpcnt; 4866 pid = p->p_pid; 4867 4868 mutex_enter(&p->p_crlock); 4869 crhold(cr = p->p_cred); 4870 mutex_exit(&p->p_crlock); 4871 mutex_exit(&p->p_lock); 4872 4873 ainfo = crgetauinfo(cr); 4874 if (ainfo == NULL) { 4875 crfree(cr); 4876 return; 4877 } 4878 4879 uid = crgetuid(cr); 4880 gid = crgetgid(cr); 4881 ruid = crgetruid(cr); 4882 rgid = crgetrgid(cr); 4883 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4884 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4885 crfree(cr); 4886 break; 4887 case P_PID: 4888 mutex_enter(&pidlock); 4889 p = prfind(uap->id); 4890 if (p == NULL || p->p_as == &kas) { 4891 mutex_exit(&pidlock); 4892 return; 4893 } 4894 mutex_enter(&p->p_lock); 4895 mutex_exit(&pidlock); 4896 lwpcnt = p->p_lwpcnt; 4897 pid = p->p_pid; 4898 4899 mutex_enter(&p->p_crlock); 4900 crhold(cr = p->p_cred); 4901 mutex_exit(&p->p_crlock); 4902 mutex_exit(&p->p_lock); 4903 4904 ainfo = crgetauinfo(cr); 4905 if (ainfo == NULL) { 4906 crfree(cr); 4907 return; 4908 } 4909 4910 uid = crgetuid(cr); 4911 gid = crgetgid(cr); 4912 ruid = crgetruid(cr); 4913 rgid = crgetrgid(cr); 4914 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4915 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4916 crfree(cr); 4917 4918 break; 4919 default: 4920 return; 4921 } 4922 4923 if (uap->processor_id == PBIND_NONE && 4924 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4925 au_uwrite(au_to_text("PBIND_NONE for process")); 4926 else 4927 au_uwrite(au_to_arg32(3, "processor_id", 4928 (uint32_t)uap->processor_id)); 4929 } 4930 4931 /*ARGSUSED*/ 4932 static au_event_t 4933 aui_doorfs(au_event_t e) 4934 { 4935 uint32_t code; 4936 4937 struct a { /* doorfs */ 4938 long a1; 4939 long a2; 4940 long a3; 4941 long a4; 4942 long a5; 4943 long code; 4944 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4945 4946 /* 4947 * audit formats for several of the 4948 * door calls have not yet been determined 4949 */ 4950 code = (uint32_t)uap->code; 4951 switch (code) { 4952 case DOOR_CALL: 4953 e = AUE_DOORFS_DOOR_CALL; 4954 break; 4955 case DOOR_RETURN: 4956 e = AUE_NULL; 4957 break; 4958 case DOOR_CREATE: 4959 e = AUE_DOORFS_DOOR_CREATE; 4960 break; 4961 case DOOR_REVOKE: 4962 e = AUE_DOORFS_DOOR_REVOKE; 4963 break; 4964 case DOOR_INFO: 4965 e = AUE_NULL; 4966 break; 4967 case DOOR_UCRED: 4968 e = AUE_NULL; 4969 break; 4970 case DOOR_BIND: 4971 e = AUE_NULL; 4972 break; 4973 case DOOR_UNBIND: 4974 e = AUE_NULL; 4975 break; 4976 case DOOR_GETPARAM: 4977 e = AUE_NULL; 4978 break; 4979 case DOOR_SETPARAM: 4980 e = AUE_NULL; 4981 break; 4982 default: /* illegal system call */ 4983 e = AUE_NULL; 4984 break; 4985 } 4986 4987 return (e); 4988 } 4989 4990 static door_node_t * 4991 au_door_lookup(int did) 4992 { 4993 vnode_t *vp; 4994 file_t *fp; 4995 4996 if ((fp = getf(did)) == NULL) 4997 return (NULL); 4998 /* 4999 * Use the underlying vnode (we may be namefs mounted) 5000 */ 5001 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5002 vp = fp->f_vnode; 5003 5004 if (vp == NULL || vp->v_type != VDOOR) { 5005 releasef(did); 5006 return (NULL); 5007 } 5008 5009 return (VTOD(vp)); 5010 } 5011 5012 /*ARGSUSED*/ 5013 static void 5014 aus_doorfs(struct t_audit_data *tad) 5015 { 5016 5017 struct a { /* doorfs */ 5018 long a1; 5019 long a2; 5020 long a3; 5021 long a4; 5022 long a5; 5023 long code; 5024 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5025 5026 door_node_t *dp; 5027 struct proc *p; 5028 uint32_t did; 5029 uid_t uid, ruid; 5030 gid_t gid, rgid; 5031 pid_t pid; 5032 const auditinfo_addr_t *ainfo; 5033 cred_t *cr; 5034 5035 did = (uint32_t)uap->a1; 5036 5037 switch (tad->tad_event) { 5038 case AUE_DOORFS_DOOR_CALL: 5039 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5040 if ((dp = au_door_lookup(did)) == NULL) 5041 break; 5042 5043 if (DOOR_INVALID(dp)) { 5044 releasef(did); 5045 break; 5046 } 5047 5048 if ((p = dp->door_target) == NULL) { 5049 releasef(did); 5050 break; 5051 } 5052 mutex_enter(&p->p_lock); 5053 releasef(did); 5054 5055 pid = p->p_pid; 5056 5057 mutex_enter(&p->p_crlock); 5058 crhold(cr = p->p_cred); 5059 mutex_exit(&p->p_crlock); 5060 mutex_exit(&p->p_lock); 5061 5062 ainfo = crgetauinfo(cr); 5063 if (ainfo == NULL) { 5064 crfree(cr); 5065 return; 5066 } 5067 uid = crgetuid(cr); 5068 gid = crgetgid(cr); 5069 ruid = crgetruid(cr); 5070 rgid = crgetrgid(cr); 5071 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5072 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5073 crfree(cr); 5074 break; 5075 case AUE_DOORFS_DOOR_RETURN: 5076 /* 5077 * We may want to write information about 5078 * all doors (if any) which will be copied 5079 * by this call to the user space 5080 */ 5081 break; 5082 case AUE_DOORFS_DOOR_CREATE: 5083 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5084 break; 5085 case AUE_DOORFS_DOOR_REVOKE: 5086 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5087 break; 5088 case AUE_DOORFS_DOOR_INFO: 5089 break; 5090 case AUE_DOORFS_DOOR_CRED: 5091 break; 5092 case AUE_DOORFS_DOOR_BIND: 5093 break; 5094 case AUE_DOORFS_DOOR_UNBIND: { 5095 break; 5096 } 5097 default: /* illegal system call */ 5098 break; 5099 } 5100 } 5101 5102 /*ARGSUSED*/ 5103 static au_event_t 5104 aui_acl(au_event_t e) 5105 { 5106 struct a { 5107 union { 5108 long name; /* char */ 5109 long fd; 5110 } obj; 5111 5112 long cmd; 5113 long nentries; 5114 long arg; /* aclent_t */ 5115 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5116 5117 switch (uap->cmd) { 5118 case SETACL: 5119 case ACE_SETACL: 5120 /* 5121 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5122 * are expected. 5123 */ 5124 break; 5125 case GETACL: 5126 case GETACLCNT: 5127 case ACE_GETACL: 5128 case ACE_GETACLCNT: 5129 /* do nothing for these four values. */ 5130 e = AUE_NULL; 5131 break; 5132 default: 5133 /* illegal system call */ 5134 break; 5135 } 5136 5137 return (e); 5138 } 5139 5140 static void 5141 au_acl(int cmd, int nentries, caddr_t bufp) 5142 { 5143 size_t a_size; 5144 aclent_t *aclbufp; 5145 ace_t *acebufp; 5146 int i; 5147 5148 switch (cmd) { 5149 case GETACL: 5150 case GETACLCNT: 5151 break; 5152 case SETACL: 5153 if (nentries < 3) 5154 break; 5155 5156 a_size = nentries * sizeof (aclent_t); 5157 5158 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5159 break; 5160 if (copyin(bufp, aclbufp, a_size)) { 5161 kmem_free(aclbufp, a_size); 5162 break; 5163 } 5164 for (i = 0; i < nentries; i++) { 5165 au_uwrite(au_to_acl(aclbufp + i)); 5166 } 5167 kmem_free(aclbufp, a_size); 5168 break; 5169 5170 case ACE_SETACL: 5171 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5172 break; 5173 5174 a_size = nentries * sizeof (ace_t); 5175 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5176 break; 5177 if (copyin(bufp, acebufp, a_size)) { 5178 kmem_free(acebufp, a_size); 5179 break; 5180 } 5181 for (i = 0; i < nentries; i++) { 5182 au_uwrite(au_to_ace(acebufp + i)); 5183 } 5184 kmem_free(acebufp, a_size); 5185 break; 5186 default: 5187 break; 5188 } 5189 } 5190 5191 /*ARGSUSED*/ 5192 static void 5193 aus_acl(struct t_audit_data *tad) 5194 { 5195 struct a { 5196 long fname; 5197 long cmd; 5198 long nentries; 5199 long aclbufp; 5200 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5201 5202 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5203 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5204 5205 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5206 } 5207 5208 /*ARGSUSED*/ 5209 static void 5210 aus_facl(struct t_audit_data *tad) 5211 { 5212 struct a { 5213 long fd; 5214 long cmd; 5215 long nentries; 5216 long aclbufp; 5217 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5218 struct file *fp; 5219 struct vnode *vp; 5220 struct f_audit_data *fad; 5221 int fd; 5222 5223 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5224 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5225 5226 fd = (int)uap->fd; 5227 5228 if ((fp = getf(fd)) == NULL) 5229 return; 5230 5231 /* get path from file struct here */ 5232 fad = F2A(fp); 5233 if (fad->fad_aupath != NULL) { 5234 au_uwrite(au_to_path(fad->fad_aupath)); 5235 } else { 5236 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5237 } 5238 5239 vp = fp->f_vnode; 5240 audit_attributes(vp); 5241 5242 /* decrement file descriptor reference count */ 5243 releasef(fd); 5244 5245 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5246 } 5247 5248 /*ARGSUSED*/ 5249 static void 5250 auf_read(tad, error, rval) 5251 struct t_audit_data *tad; 5252 int error; 5253 rval_t *rval; 5254 { 5255 struct file *fp; 5256 struct f_audit_data *fad; 5257 int fd; 5258 register struct a { 5259 long fd; 5260 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5261 au_kcontext_t *kctx = GET_KCTX_PZ; 5262 5263 fd = (int)uap->fd; 5264 5265 /* 5266 * convert file pointer to file descriptor 5267 * Note: fd ref count incremented here. 5268 */ 5269 if ((fp = getf(fd)) == NULL) 5270 return; 5271 5272 /* get path from file struct here */ 5273 fad = F2A(fp); 5274 ASSERT(fad); 5275 5276 /* 5277 * already processed this file for read attempt 5278 * 5279 * XXX might be better to turn off auditing in a aui_read() routine. 5280 */ 5281 if (fad->fad_flags & FAD_READ) { 5282 /* don't really want to audit every read attempt */ 5283 tad->tad_flag = 0; 5284 /* free any residual audit data */ 5285 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5286 releasef(fd); 5287 return; 5288 } 5289 /* mark things so we know what happened and don't repeat things */ 5290 fad->fad_flags |= FAD_READ; 5291 5292 if (fad->fad_aupath != NULL) { 5293 au_uwrite(au_to_path(fad->fad_aupath)); 5294 } else { 5295 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5296 } 5297 5298 /* include attributes */ 5299 audit_attributes(fp->f_vnode); 5300 5301 /* decrement file descriptor reference count */ 5302 releasef(fd); 5303 } 5304 5305 /*ARGSUSED*/ 5306 static void 5307 auf_write(tad, error, rval) 5308 struct t_audit_data *tad; 5309 int error; 5310 rval_t *rval; 5311 { 5312 struct file *fp; 5313 struct f_audit_data *fad; 5314 int fd; 5315 register struct a { 5316 long fd; 5317 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5318 au_kcontext_t *kctx = GET_KCTX_PZ; 5319 5320 fd = (int)uap->fd; 5321 5322 /* 5323 * convert file pointer to file descriptor 5324 * Note: fd ref count incremented here. 5325 */ 5326 if ((fp = getf(fd)) == NULL) 5327 return; 5328 5329 /* get path from file struct here */ 5330 fad = F2A(fp); 5331 ASSERT(fad); 5332 5333 /* 5334 * already processed this file for write attempt 5335 * 5336 * XXX might be better to turn off auditing in a aus_write() routine. 5337 */ 5338 if (fad->fad_flags & FAD_WRITE) { 5339 /* don't really want to audit every write attempt */ 5340 tad->tad_flag = 0; 5341 /* free any residual audit data */ 5342 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5343 releasef(fd); 5344 return; 5345 } 5346 /* mark things so we know what happened and don't repeat things */ 5347 fad->fad_flags |= FAD_WRITE; 5348 5349 if (fad->fad_aupath != NULL) { 5350 au_uwrite(au_to_path(fad->fad_aupath)); 5351 } else { 5352 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5353 } 5354 5355 /* include attributes */ 5356 audit_attributes(fp->f_vnode); 5357 5358 /* decrement file descriptor reference count */ 5359 releasef(fd); 5360 } 5361 5362 /*ARGSUSED*/ 5363 static void 5364 auf_recv(tad, error, rval) 5365 struct t_audit_data *tad; 5366 int error; 5367 rval_t *rval; 5368 { 5369 struct sonode *so; 5370 char so_laddr[sizeof (struct sockaddr_in6)]; 5371 char so_faddr[sizeof (struct sockaddr_in6)]; 5372 struct file *fp; 5373 struct f_audit_data *fad; 5374 int fd; 5375 int err; 5376 socklen_t len; 5377 short so_family, so_type; 5378 register struct a { 5379 long fd; 5380 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5381 au_kcontext_t *kctx = GET_KCTX_PZ; 5382 5383 /* 5384 * If there was an error, then nothing to do. Only generate 5385 * audit record on first successful recv. 5386 */ 5387 if (error) { 5388 /* Turn off audit record generation here. */ 5389 tad->tad_flag = 0; 5390 /* free any residual audit data */ 5391 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5392 return; 5393 } 5394 5395 fd = (int)uap->fd; 5396 5397 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5398 /* Turn off audit record generation here. */ 5399 tad->tad_flag = 0; 5400 /* free any residual audit data */ 5401 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5402 return; 5403 } 5404 5405 /* get path from file struct here */ 5406 fad = F2A(fp); 5407 ASSERT(fad); 5408 5409 /* 5410 * already processed this file for read attempt 5411 */ 5412 if (fad->fad_flags & FAD_READ) { 5413 releasef(fd); 5414 /* don't really want to audit every recv call */ 5415 tad->tad_flag = 0; 5416 /* free any residual audit data */ 5417 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5418 return; 5419 } 5420 5421 /* mark things so we know what happened and don't repeat things */ 5422 fad->fad_flags |= FAD_READ; 5423 5424 so_family = so->so_family; 5425 so_type = so->so_type; 5426 5427 switch (so_family) { 5428 case AF_INET: 5429 case AF_INET6: 5430 /* 5431 * Only for connections. 5432 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5433 */ 5434 if (so->so_state & SS_ISBOUND) { 5435 5436 bzero((void *)so_laddr, sizeof (so_laddr)); 5437 bzero((void *)so_faddr, sizeof (so_faddr)); 5438 5439 /* get local and foreign addresses */ 5440 len = sizeof (so_laddr); 5441 (void) socket_getsockname(so, 5442 (struct sockaddr *)so_laddr, &len, CRED()); 5443 len = sizeof (so_faddr); 5444 (void) socket_getpeername(so, 5445 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5446 5447 /* 5448 * only way to drop out of switch. Note that we 5449 * we release fd below. 5450 */ 5451 5452 break; 5453 } 5454 5455 releasef(fd); 5456 5457 /* don't really want to audit every recv call */ 5458 tad->tad_flag = 0; 5459 /* free any residual audit data */ 5460 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5461 5462 return; 5463 5464 case AF_UNIX: 5465 5466 if (fad->fad_aupath != NULL) { 5467 au_uwrite(au_to_path(fad->fad_aupath)); 5468 } else { 5469 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5470 } 5471 5472 audit_attributes(fp->f_vnode); 5473 5474 releasef(fd); 5475 5476 return; 5477 5478 default: 5479 releasef(fd); 5480 5481 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5482 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5483 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5484 5485 return; 5486 } 5487 5488 releasef(fd); 5489 5490 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5491 5492 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5493 5494 } 5495 5496 /*ARGSUSED*/ 5497 static void 5498 auf_send(tad, error, rval) 5499 struct t_audit_data *tad; 5500 int error; 5501 rval_t *rval; 5502 { 5503 struct sonode *so; 5504 char so_laddr[sizeof (struct sockaddr_in6)]; 5505 char so_faddr[sizeof (struct sockaddr_in6)]; 5506 struct file *fp; 5507 struct f_audit_data *fad; 5508 int fd; 5509 int err; 5510 socklen_t len; 5511 short so_family, so_type; 5512 register struct a { 5513 long fd; 5514 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5515 au_kcontext_t *kctx = GET_KCTX_PZ; 5516 5517 fd = (int)uap->fd; 5518 5519 /* 5520 * If there was an error, then nothing to do. Only generate 5521 * audit record on first successful send. 5522 */ 5523 if (error != 0) { 5524 /* Turn off audit record generation here. */ 5525 tad->tad_flag = 0; 5526 /* free any residual audit data */ 5527 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5528 return; 5529 } 5530 5531 fd = (int)uap->fd; 5532 5533 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5534 /* Turn off audit record generation here. */ 5535 tad->tad_flag = 0; 5536 /* free any residual audit data */ 5537 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5538 return; 5539 } 5540 5541 /* get path from file struct here */ 5542 fad = F2A(fp); 5543 ASSERT(fad); 5544 5545 /* 5546 * already processed this file for write attempt 5547 */ 5548 if (fad->fad_flags & FAD_WRITE) { 5549 releasef(fd); 5550 /* don't really want to audit every send call */ 5551 tad->tad_flag = 0; 5552 /* free any residual audit data */ 5553 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5554 return; 5555 } 5556 5557 /* mark things so we know what happened and don't repeat things */ 5558 fad->fad_flags |= FAD_WRITE; 5559 5560 so_family = so->so_family; 5561 so_type = so->so_type; 5562 5563 switch (so_family) { 5564 case AF_INET: 5565 case AF_INET6: 5566 /* 5567 * Only for connections. 5568 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5569 */ 5570 if (so->so_state & SS_ISBOUND) { 5571 5572 bzero((void *)so_laddr, sizeof (so_laddr)); 5573 bzero((void *)so_faddr, sizeof (so_faddr)); 5574 5575 /* get local and foreign addresses */ 5576 len = sizeof (so_laddr); 5577 (void) socket_getsockname(so, 5578 (struct sockaddr *)so_laddr, &len, CRED()); 5579 len = sizeof (so_faddr); 5580 (void) socket_getpeername(so, 5581 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5582 5583 /* 5584 * only way to drop out of switch. Note that we 5585 * we release fd below. 5586 */ 5587 5588 break; 5589 } 5590 5591 releasef(fd); 5592 /* don't really want to audit every send call */ 5593 tad->tad_flag = 0; 5594 /* free any residual audit data */ 5595 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5596 5597 return; 5598 5599 case AF_UNIX: 5600 5601 if (fad->fad_aupath != NULL) { 5602 au_uwrite(au_to_path(fad->fad_aupath)); 5603 } else { 5604 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5605 } 5606 5607 audit_attributes(fp->f_vnode); 5608 5609 releasef(fd); 5610 5611 return; 5612 5613 default: 5614 releasef(fd); 5615 5616 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5617 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5618 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5619 5620 return; 5621 } 5622 5623 releasef(fd); 5624 5625 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5626 5627 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5628 } 5629 5630 static au_event_t 5631 aui_forksys(au_event_t e) 5632 { 5633 struct a { 5634 long subcode; 5635 long flags; 5636 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5637 5638 switch ((uint_t)uap->subcode) { 5639 case 0: 5640 e = AUE_FORK1; 5641 break; 5642 case 1: 5643 e = AUE_FORKALL; 5644 break; 5645 case 2: 5646 e = AUE_VFORK; 5647 break; 5648 default: 5649 e = AUE_NULL; 5650 break; 5651 } 5652 5653 return (e); 5654 } 5655 5656 /*ARGSUSED*/ 5657 static au_event_t 5658 aui_portfs(au_event_t e) 5659 { 5660 struct a { /* portfs */ 5661 long a1; 5662 long a2; 5663 long a3; 5664 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5665 5666 /* 5667 * check opcode 5668 */ 5669 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5670 case PORT_ASSOCIATE: 5671 /* check source */ 5672 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5673 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5674 e = AUE_PORTFS_ASSOCIATE; 5675 } else { 5676 e = AUE_NULL; 5677 } 5678 break; 5679 case PORT_DISSOCIATE: 5680 /* check source */ 5681 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5682 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5683 e = AUE_PORTFS_DISSOCIATE; 5684 } else { 5685 e = AUE_NULL; 5686 } 5687 break; 5688 default: 5689 e = AUE_NULL; 5690 } 5691 return (e); 5692 } 5693