1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/vfs_opreg.h> 76 #include <fs/sockfs/sockcommon.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 82 char _depends_on[] = "fs/sockfs"; 83 84 static au_event_t aui_fchownat(au_event_t); 85 static au_event_t aui_open(au_event_t); 86 static au_event_t aui_openat(au_event_t); 87 static au_event_t aui_unlinkat(au_event_t); 88 static au_event_t aui_fstatat(au_event_t); 89 static au_event_t aui_msgsys(au_event_t); 90 static au_event_t aui_shmsys(au_event_t); 91 static au_event_t aui_semsys(au_event_t); 92 static au_event_t aui_utssys(au_event_t); 93 static au_event_t aui_fcntl(au_event_t); 94 static au_event_t aui_execve(au_event_t); 95 static au_event_t aui_memcntl(au_event_t); 96 static au_event_t aui_sysinfo(au_event_t); 97 static au_event_t aui_portfs(au_event_t); 98 static au_event_t aui_auditsys(au_event_t); 99 static au_event_t aui_modctl(au_event_t); 100 static au_event_t aui_acl(au_event_t); 101 static au_event_t aui_doorfs(au_event_t); 102 static au_event_t aui_privsys(au_event_t); 103 static au_event_t aui_forksys(au_event_t); 104 static au_event_t aui_labelsys(au_event_t); 105 static au_event_t aui_setpgrp(au_event_t); 106 107 static void aus_open(struct t_audit_data *); 108 static void aus_openat(struct t_audit_data *); 109 static void aus_acl(struct t_audit_data *); 110 static void aus_acct(struct t_audit_data *); 111 static void aus_chown(struct t_audit_data *); 112 static void aus_fchown(struct t_audit_data *); 113 static void aus_lchown(struct t_audit_data *); 114 static void aus_fchownat(struct t_audit_data *); 115 static void aus_chmod(struct t_audit_data *); 116 static void aus_facl(struct t_audit_data *); 117 static void aus_fchmod(struct t_audit_data *); 118 static void aus_fcntl(struct t_audit_data *); 119 static void aus_mkdir(struct t_audit_data *); 120 static void aus_mknod(struct t_audit_data *); 121 static void aus_mount(struct t_audit_data *); 122 static void aus_umount2(struct t_audit_data *); 123 static void aus_msgsys(struct t_audit_data *); 124 static void aus_semsys(struct t_audit_data *); 125 static void aus_close(struct t_audit_data *); 126 static void aus_fstatfs(struct t_audit_data *); 127 static void aus_setgid(struct t_audit_data *); 128 static void aus_setpgrp(struct t_audit_data *); 129 static void aus_setuid(struct t_audit_data *); 130 static void aus_shmsys(struct t_audit_data *); 131 static void aus_doorfs(struct t_audit_data *); 132 static void aus_ioctl(struct t_audit_data *); 133 static void aus_memcntl(struct t_audit_data *); 134 static void aus_mmap(struct t_audit_data *); 135 static void aus_munmap(struct t_audit_data *); 136 static void aus_priocntlsys(struct t_audit_data *); 137 static void aus_setegid(struct t_audit_data *); 138 static void aus_setgroups(struct t_audit_data *); 139 static void aus_seteuid(struct t_audit_data *); 140 static void aus_putmsg(struct t_audit_data *); 141 static void aus_putpmsg(struct t_audit_data *); 142 static void aus_getmsg(struct t_audit_data *); 143 static void aus_getpmsg(struct t_audit_data *); 144 static void aus_auditsys(struct t_audit_data *); 145 static void aus_sysinfo(struct t_audit_data *); 146 static void aus_modctl(struct t_audit_data *); 147 static void aus_kill(struct t_audit_data *); 148 static void aus_setregid(struct t_audit_data *); 149 static void aus_setreuid(struct t_audit_data *); 150 static void aus_labelsys(struct t_audit_data *); 151 152 static void auf_mknod(struct t_audit_data *, int, rval_t *); 153 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 154 static void auf_semsys(struct t_audit_data *, int, rval_t *); 155 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 156 static void auf_read(struct t_audit_data *, int, rval_t *); 157 static void auf_write(struct t_audit_data *, int, rval_t *); 158 159 static void aus_sigqueue(struct t_audit_data *); 160 static void aus_p_online(struct t_audit_data *); 161 static void aus_processor_bind(struct t_audit_data *); 162 static void aus_inst_sync(struct t_audit_data *); 163 static void aus_brandsys(struct t_audit_data *); 164 165 static void auf_accept(struct t_audit_data *, int, rval_t *); 166 167 static void auf_bind(struct t_audit_data *, int, rval_t *); 168 static void auf_connect(struct t_audit_data *, int, rval_t *); 169 static void aus_shutdown(struct t_audit_data *); 170 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 171 static void aus_sockconfig(struct t_audit_data *); 172 static void auf_recv(struct t_audit_data *, int, rval_t *); 173 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 174 static void auf_send(struct t_audit_data *, int, rval_t *); 175 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 176 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 177 static void auf_sendto(struct t_audit_data *, int, rval_t *); 178 static void aus_socket(struct t_audit_data *); 179 /* 180 * This table contains mapping information for converting system call numbers 181 * to audit event IDs. In several cases it is necessary to map a single system 182 * call to several events. 183 */ 184 185 #define aui_null NULL /* NULL initialize function */ 186 #define aus_null NULL /* NULL start function */ 187 #define auf_null NULL /* NULL finish function */ 188 189 struct audit_s2e audit_s2e[] = 190 { 191 /* 192 * ---------- ---------- ---------- ---------- 193 * INITIAL AUDIT START SYSTEM 194 * PROCESSING EVENT PROCESSING CALL 195 * ---------- ---------- ---------- ----------- 196 * FINISH EVENT 197 * PROCESSING CONTROL 198 * ---------------------------------------------------------- 199 */ 200 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 201 auf_null, 0, 202 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 203 auf_null, S2E_NPT, 204 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */ 205 auf_null, 0, 206 aui_null, AUE_READ, aus_null, /* 3 read */ 207 auf_read, S2E_PUB, 208 aui_null, AUE_WRITE, aus_null, /* 4 write */ 209 auf_write, 0, 210 aui_open, AUE_OPEN, aus_open, /* 5 open */ 211 auf_null, S2E_SP, 212 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 213 auf_null, 0, 214 aui_null, AUE_NULL, aus_null, /* 7 (loadable) was wait */ 215 auf_null, 0, 216 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 217 auf_null, 0, 218 aui_null, AUE_LINK, aus_null, /* 9 link */ 219 auf_null, 0, 220 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 221 auf_null, 0, 222 aui_null, AUE_NULL, aus_null, /* 11 (loadable) was exec */ 223 auf_null, 0, 224 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 225 auf_null, S2E_SP, 226 aui_null, AUE_NULL, aus_null, /* 13 time */ 227 auf_null, 0, 228 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 229 auf_mknod, 0, 230 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 231 auf_null, 0, 232 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 233 auf_null, 0, 234 aui_null, AUE_NULL, aus_null, /* 17 brk */ 235 auf_null, 0, 236 aui_null, AUE_STAT, aus_null, /* 18 stat */ 237 auf_null, S2E_PUB, 238 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 239 auf_null, 0, 240 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 241 auf_null, 0, 242 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 243 auf_null, S2E_MLD, 244 aui_null, AUE_NULL, aus_null, /* 22 (loadable) was umount */ 245 auf_null, 0, 246 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 247 auf_null, 0, 248 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 249 auf_null, 0, 250 aui_null, AUE_STIME, aus_null, /* 25 stime */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 255 auf_null, 0, 256 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 257 auf_null, 0, 258 aui_null, AUE_NULL, aus_null, /* 29 pause */ 259 auf_null, 0, 260 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 261 auf_null, 0, 262 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 263 auf_null, 0, 264 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 265 auf_null, 0, 266 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 267 auf_null, S2E_PUB, 268 aui_null, AUE_NICE, aus_null, /* 34 nice */ 269 auf_null, 0, 270 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 271 auf_null, S2E_PUB, 272 aui_null, AUE_NULL, aus_null, /* 36 sync */ 273 auf_null, 0, 274 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 275 auf_null, 0, 276 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 277 auf_null, S2E_PUB, 278 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 279 auf_null, 0, 280 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 281 auf_null, 0, 282 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 283 auf_null, 0, 284 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 43 times */ 287 auf_null, 0, 288 aui_null, AUE_NULL, aus_null, /* 44 profil */ 289 auf_null, 0, 290 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 291 auf_null, S2E_PUB | S2E_ATC, 292 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 293 auf_null, 0, 294 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 295 auf_null, 0, 296 aui_null, AUE_NULL, aus_null, /* 48 (loadable) was ssig */ 297 auf_null, 0, 298 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 299 auf_msgsys, 0, 300 #if defined(__x86) 301 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 302 auf_null, 0, 303 #else 304 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 305 auf_null, 0, 306 #endif /* __x86 */ 307 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 308 auf_null, 0, 309 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 310 auf_shmsys, 0, 311 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 312 auf_semsys, 0, 313 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 314 auf_null, 0, 315 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 316 auf_null, 0, 317 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 318 auf_null, S2E_ATC, 319 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 320 auf_null, 0, 321 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 322 auf_null, 0, 323 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 324 auf_null, S2E_MLD, 325 aui_null, AUE_NULL, aus_null, /* 60 umask */ 326 auf_null, 0, 327 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 328 auf_null, S2E_SP, 329 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 330 auf_null, 0, 331 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 332 auf_null, 0, 333 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 334 auf_null, S2E_ATC, 335 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 336 auf_null, S2E_ATC, 337 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 338 auf_null, S2E_PUB | S2E_ATC, 339 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 340 auf_null, S2E_PUB | S2E_ATC, 341 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 342 auf_null, S2E_SP | S2E_ATC, 343 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 344 auf_null, S2E_SP | S2E_ATC, 345 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 346 auf_null, 0, 347 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 348 auf_null, 0, 349 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 350 auf_null, 0, 351 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 352 auf_null, 0, 353 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 354 auf_null, 0, 355 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 356 auf_null, 0, 357 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 358 auf_null, 0, 359 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 360 auf_null, 0, 361 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 362 auf_null, 0, 363 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 364 auf_null, 0, 365 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 366 auf_null, 0, 367 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 368 auf_null, 0, 369 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 370 auf_null, 0, 371 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 372 auf_null, 0, 373 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 374 auf_null, 0, 375 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 376 auf_null, 0, 377 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 378 auf_null, 0, 379 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 380 auf_null, 0, 381 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 382 auf_null, S2E_PUB, 383 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 384 auf_null, 0, 385 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 386 auf_null, S2E_PUB, 387 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 388 auf_null, 0, 389 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 390 auf_null, 0, 391 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 392 auf_null, 0, 393 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 394 auf_null, 0, 395 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 396 auf_null, 0, 397 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 398 auf_null, 0, 399 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 101 (loadable) */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 410 auf_null, 0, 411 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 412 auf_null, S2E_PUB, 413 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 414 auf_null, 0, 415 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 416 auf_null, 0, 417 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 418 auf_null, 0, 419 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 420 auf_null, 0, 421 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 422 auf_null, 0, 423 #if defined(__x86) 424 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 425 auf_null, 0, 426 #else 427 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 428 auf_null, 0, 429 #endif /* __x86 */ 430 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */ 431 auf_null, S2E_ATC, 432 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 433 auf_null, 0, 434 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 435 auf_null, 0, 436 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 437 auf_null, S2E_PUB, 438 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 439 auf_null, 0, 440 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 441 auf_null, 0, 442 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 443 auf_null, 0, 444 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 445 auf_null, 0, 446 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 447 auf_null, 0, 448 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 449 auf_null, 0, 450 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 451 auf_null, 0, 452 aui_null, AUE_READ, aus_null, /* 121 readv */ 453 auf_read, S2E_PUB, 454 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 455 auf_write, 0, 456 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 457 auf_null, 0, 458 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 459 auf_null, 0, 460 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 461 auf_null, 0, 462 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 463 auf_null, 0, 464 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 465 auf_null, 0, 466 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 467 auf_null, 0, 468 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 469 auf_null, 0, 470 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 471 auf_null, 0, 472 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 473 auf_null, 0, 474 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 475 auf_null, 0, 476 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 477 auf_null, 0, 478 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 479 auf_null, 0, 480 aui_null, AUE_NULL, aus_null, /* 135 uname */ 481 auf_null, 0, 482 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 483 auf_null, 0, 484 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 485 auf_null, 0, 486 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 487 auf_null, 0, 488 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 489 auf_null, 0, 490 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 491 auf_null, 0, 492 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 493 auf_null, 0, 494 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 495 auf_null, 0, 496 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 497 auf_null, 0, 498 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 499 auf_null, 0, 500 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 501 auf_null, 0, 502 aui_null, AUE_NULL, aus_null, /* 146 yield */ 503 auf_null, 0, 504 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 505 /* was lwp_sema_wait */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 514 auf_null, 0, 515 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 516 auf_null, 0, 517 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 518 auf_null, 0, 519 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 520 auf_null, 0, 521 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 522 auf_null, 0, 523 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 524 auf_null, 0, 525 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 544 auf_null, 0, 545 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 546 auf_null, 0, 547 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 548 auf_null, 0, 549 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 550 /* was lwp_mutex_lock */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 555 auf_null, 0, 556 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 557 auf_null, 0, 558 aui_null, AUE_READ, aus_null, /* 173 pread */ 559 auf_read, S2E_PUB, 560 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 561 auf_write, 0, 562 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 563 auf_null, 0, 564 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 565 auf_null, 0, 566 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 567 auf_null, 0, 568 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 569 auf_null, 0, 570 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 571 auf_null, 0, 572 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 573 auf_null, 0, 574 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 575 auf_null, 0, 576 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 577 auf_null, S2E_MLD, 578 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 579 auf_null, 0, 580 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 581 auf_null, 0, 582 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 583 auf_null, 0, 584 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 585 auf_null, 0, 586 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 587 auf_null, 0, 588 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 589 auf_null, 0, 590 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 591 auf_null, 0, 592 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 593 auf_null, 0, 594 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 595 auf_null, 0, 596 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 597 auf_null, 0, 598 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 599 auf_null, 0, 600 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 601 auf_null, 0, 602 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 603 auf_null, 0, 604 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 611 auf_null, 0, 612 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 613 auf_null, 0, 614 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 615 auf_null, 0, 616 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 617 auf_null, 0, 618 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 619 auf_null, 0, 620 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 621 auf_null, 0, 622 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 623 auf_null, 0, 624 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 625 auf_null, 0, 626 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 639 auf_null, 0, 640 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 641 auf_null, 0, 642 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 643 auf_null, S2E_PUB, 644 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 645 auf_null, S2E_PUB, 646 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 647 auf_null, 0, 648 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 649 auf_null, S2E_PUB, 650 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 651 auf_null, 0, 652 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 653 auf_null, 0, 654 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 655 auf_null, 0, 656 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 657 auf_read, S2E_PUB, 658 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 659 auf_write, 0, 660 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 661 auf_null, 0, 662 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 663 auf_null, S2E_SP, 664 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 665 auf_null, 0, 666 aui_null, AUE_NULL, aus_null, /* 227 zone */ 667 auf_null, 0, 668 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 669 auf_null, 0, 670 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 671 auf_null, 0, 672 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 675 auf_null, 0, 676 aui_null, AUE_BIND, aus_null, /* 232 bind */ 677 auf_bind, 0, 678 aui_null, AUE_NULL, aus_null, /* 233 listen */ 679 auf_null, 0, 680 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 681 auf_accept, 0, 682 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 683 auf_connect, 0, 684 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 685 auf_null, 0, 686 aui_null, AUE_READ, aus_null, /* 237 recv */ 687 auf_recv, 0, 688 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 689 auf_recvfrom, 0, 690 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 691 auf_recvmsg, 0, 692 aui_null, AUE_WRITE, aus_null, /* 240 send */ 693 auf_send, 0, 694 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 695 auf_sendmsg, 0, 696 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 697 auf_sendto, 0, 698 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 699 auf_null, 0, 700 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 701 auf_null, 0, 702 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 703 auf_null, 0, 704 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 705 auf_setsockopt, 0, 706 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 707 auf_null, 0, 708 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 709 auf_null, 0, 710 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 711 auf_null, 0, 712 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 713 auf_null, 0, 714 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 715 auf_null, 0, 716 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 717 auf_null, 0, 718 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 721 auf_null, 0, 722 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 723 auf_null, 0 724 }; 725 726 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 727 728 729 /* acct start function */ 730 /*ARGSUSED*/ 731 static void 732 aus_acct(struct t_audit_data *tad) 733 { 734 klwp_t *clwp = ttolwp(curthread); 735 uintptr_t fname; 736 737 struct a { 738 long fname; /* char * */ 739 } *uap = (struct a *)clwp->lwp_ap; 740 741 fname = (uintptr_t)uap->fname; 742 743 if (fname == 0) 744 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 745 } 746 747 /* chown start function */ 748 /*ARGSUSED*/ 749 static void 750 aus_chown(struct t_audit_data *tad) 751 { 752 klwp_t *clwp = ttolwp(curthread); 753 uint32_t uid, gid; 754 755 struct a { 756 long fname; /* char * */ 757 long uid; 758 long gid; 759 } *uap = (struct a *)clwp->lwp_ap; 760 761 uid = (uint32_t)uap->uid; 762 gid = (uint32_t)uap->gid; 763 764 au_uwrite(au_to_arg32(2, "new file uid", uid)); 765 au_uwrite(au_to_arg32(3, "new file gid", gid)); 766 } 767 768 /* fchown start function */ 769 /*ARGSUSED*/ 770 static void 771 aus_fchown(struct t_audit_data *tad) 772 { 773 klwp_t *clwp = ttolwp(curthread); 774 uint32_t uid, gid, fd; 775 struct file *fp; 776 struct vnode *vp; 777 struct f_audit_data *fad; 778 779 struct a { 780 long fd; 781 long uid; 782 long gid; 783 } *uap = (struct a *)clwp->lwp_ap; 784 785 fd = (uint32_t)uap->fd; 786 uid = (uint32_t)uap->uid; 787 gid = (uint32_t)uap->gid; 788 789 au_uwrite(au_to_arg32(2, "new file uid", uid)); 790 au_uwrite(au_to_arg32(3, "new file gid", gid)); 791 792 /* 793 * convert file pointer to file descriptor 794 * Note: fd ref count incremented here. 795 */ 796 if ((fp = getf(fd)) == NULL) 797 return; 798 799 /* get path from file struct here */ 800 fad = F2A(fp); 801 if (fad->fad_aupath != NULL) { 802 au_uwrite(au_to_path(fad->fad_aupath)); 803 } else { 804 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 805 } 806 807 vp = fp->f_vnode; 808 audit_attributes(vp); 809 810 /* decrement file descriptor reference count */ 811 releasef(fd); 812 } 813 814 /*ARGSUSED*/ 815 static void 816 aus_lchown(struct t_audit_data *tad) 817 { 818 klwp_t *clwp = ttolwp(curthread); 819 uint32_t uid, gid; 820 821 822 struct a { 823 long fname; /* char * */ 824 long uid; 825 long gid; 826 } *uap = (struct a *)clwp->lwp_ap; 827 828 uid = (uint32_t)uap->uid; 829 gid = (uint32_t)uap->gid; 830 831 au_uwrite(au_to_arg32(2, "new file uid", uid)); 832 au_uwrite(au_to_arg32(3, "new file gid", gid)); 833 } 834 835 static au_event_t 836 aui_fchownat(au_event_t e) 837 { 838 klwp_t *clwp = ttolwp(curthread); 839 840 struct a { 841 long fd; 842 long fname; /* char * */ 843 long uid; 844 long gid; 845 long flags; 846 } *uap = (struct a *)clwp->lwp_ap; 847 848 if (uap->fname == NULL) 849 e = AUE_FCHOWN; 850 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 851 e = AUE_LCHOWN; 852 else 853 e = AUE_CHOWN; 854 855 return (e); 856 } 857 858 /*ARGSUSED*/ 859 static void 860 aus_fchownat(struct t_audit_data *tad) 861 { 862 klwp_t *clwp = ttolwp(curthread); 863 uint32_t uid, gid; 864 865 struct a { 866 long fd; 867 long fname; /* char * */ 868 long uid; 869 long gid; 870 long flags; 871 } *uap = (struct a *)clwp->lwp_ap; 872 873 uid = (uint32_t)uap->uid; 874 gid = (uint32_t)uap->gid; 875 876 au_uwrite(au_to_arg32(3, "new file uid", uid)); 877 au_uwrite(au_to_arg32(4, "new file gid", gid)); 878 } 879 880 /* chmod start function */ 881 /*ARGSUSED*/ 882 static void 883 aus_chmod(struct t_audit_data *tad) 884 { 885 klwp_t *clwp = ttolwp(curthread); 886 uint32_t fmode; 887 888 struct a { 889 long fname; /* char * */ 890 long fmode; 891 } *uap = (struct a *)clwp->lwp_ap; 892 893 fmode = (uint32_t)uap->fmode; 894 895 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 896 } 897 898 /* chmod start function */ 899 /*ARGSUSED*/ 900 static void 901 aus_fchmod(struct t_audit_data *tad) 902 { 903 klwp_t *clwp = ttolwp(curthread); 904 uint32_t fmode, fd; 905 struct file *fp; 906 struct vnode *vp; 907 struct f_audit_data *fad; 908 909 struct a { 910 long fd; 911 long fmode; 912 } *uap = (struct a *)clwp->lwp_ap; 913 914 fd = (uint32_t)uap->fd; 915 fmode = (uint32_t)uap->fmode; 916 917 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 918 919 /* 920 * convert file pointer to file descriptor 921 * Note: fd ref count incremented here. 922 */ 923 if ((fp = getf(fd)) == NULL) 924 return; 925 926 /* get path from file struct here */ 927 fad = F2A(fp); 928 if (fad->fad_aupath != NULL) { 929 au_uwrite(au_to_path(fad->fad_aupath)); 930 } else { 931 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 932 } 933 934 vp = fp->f_vnode; 935 audit_attributes(vp); 936 937 /* decrement file descriptor reference count */ 938 releasef(fd); 939 } 940 941 /* 942 * convert open mode to appropriate open event 943 */ 944 au_event_t 945 open_event(uint_t fm) 946 { 947 au_event_t e; 948 949 switch (fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) { 950 case O_RDONLY: 951 e = AUE_OPEN_R; 952 break; 953 case O_RDONLY | O_CREAT: 954 e = AUE_OPEN_RC; 955 break; 956 case O_RDONLY | O_TRUNC: 957 e = AUE_OPEN_RT; 958 break; 959 case O_RDONLY | O_TRUNC | O_CREAT: 960 e = AUE_OPEN_RTC; 961 break; 962 case O_WRONLY: 963 e = AUE_OPEN_W; 964 break; 965 case O_WRONLY | O_CREAT: 966 e = AUE_OPEN_WC; 967 break; 968 case O_WRONLY | O_TRUNC: 969 e = AUE_OPEN_WT; 970 break; 971 case O_WRONLY | O_TRUNC | O_CREAT: 972 e = AUE_OPEN_WTC; 973 break; 974 case O_RDWR: 975 e = AUE_OPEN_RW; 976 break; 977 case O_RDWR | O_CREAT: 978 e = AUE_OPEN_RWC; 979 break; 980 case O_RDWR | O_TRUNC: 981 e = AUE_OPEN_RWT; 982 break; 983 case O_RDWR | O_TRUNC | O_CREAT: 984 e = AUE_OPEN_RWTC; 985 break; 986 default: 987 e = AUE_NULL; 988 break; 989 } 990 991 return (e); 992 } 993 994 /* ARGSUSED */ 995 static au_event_t 996 aui_open(au_event_t e) 997 { 998 t_audit_data_t *tad = T2A(curthread); 999 klwp_t *clwp = ttolwp(curthread); 1000 uint_t fm; 1001 1002 struct a { 1003 long fnamep; /* char * */ 1004 long fmode; 1005 long cmode; 1006 } *uap = (struct a *)clwp->lwp_ap; 1007 1008 fm = (uint_t)uap->fmode; 1009 1010 /* convert to appropriate au_ctrl */ 1011 if (fm & (FXATTR | FXATTRDIROPEN)) 1012 tad->tad_ctrl |= PAD_ATTPATH; 1013 1014 return (open_event(fm)); 1015 } 1016 1017 static void 1018 aus_open(struct t_audit_data *tad) 1019 { 1020 klwp_t *clwp = ttolwp(curthread); 1021 uint_t fm; 1022 1023 struct a { 1024 long fnamep; /* char * */ 1025 long fmode; 1026 long cmode; 1027 } *uap = (struct a *)clwp->lwp_ap; 1028 1029 fm = (uint_t)uap->fmode; 1030 1031 /* If no write, create, or trunc modes, mark as a public op */ 1032 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1033 tad->tad_ctrl |= PAD_PUBLIC_EV; 1034 } 1035 1036 /* ARGSUSED */ 1037 static au_event_t 1038 aui_openat(au_event_t e) 1039 { 1040 t_audit_data_t *tad = T2A(curthread); 1041 klwp_t *clwp = ttolwp(curthread); 1042 uint_t fm; 1043 1044 struct a { 1045 long filedes; 1046 long fnamep; /* char * */ 1047 long fmode; 1048 long cmode; 1049 } *uap = (struct a *)clwp->lwp_ap; 1050 1051 fm = (uint_t)uap->fmode; 1052 1053 /* convert to appropriate au_ctrl */ 1054 if (fm & (FXATTR | FXATTRDIROPEN)) 1055 tad->tad_ctrl |= PAD_ATTPATH; 1056 1057 return (open_event(fm)); 1058 } 1059 1060 static void 1061 aus_openat(struct t_audit_data *tad) 1062 { 1063 klwp_t *clwp = ttolwp(curthread); 1064 uint_t fm; 1065 1066 struct a { 1067 long filedes; 1068 long fnamep; /* char * */ 1069 long fmode; 1070 long cmode; 1071 } *uap = (struct a *)clwp->lwp_ap; 1072 1073 fm = (uint_t)uap->fmode; 1074 1075 /* If no write, create, or trunc modes, mark as a public op */ 1076 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1077 tad->tad_ctrl |= PAD_PUBLIC_EV; 1078 } 1079 1080 static au_event_t 1081 aui_unlinkat(au_event_t e) 1082 { 1083 klwp_t *clwp = ttolwp(curthread); 1084 1085 struct a { 1086 long filedes; 1087 long fnamep; /* char * */ 1088 long flags; 1089 } *uap = (struct a *)clwp->lwp_ap; 1090 1091 if (uap->flags & AT_REMOVEDIR) 1092 e = AUE_RMDIR; 1093 else 1094 e = AUE_UNLINK; 1095 1096 return (e); 1097 } 1098 1099 static au_event_t 1100 aui_fstatat(au_event_t e) 1101 { 1102 klwp_t *clwp = ttolwp(curthread); 1103 1104 struct a { 1105 long filedes; 1106 long fnamep; /* char * */ 1107 long statb; 1108 long flags; 1109 } *uap = (struct a *)clwp->lwp_ap; 1110 1111 if (uap->fnamep == NULL) 1112 e = AUE_FSTAT; 1113 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1114 e = AUE_LSTAT; 1115 else 1116 e = AUE_STAT; 1117 1118 return (e); 1119 } 1120 1121 /* msgsys */ 1122 static au_event_t 1123 aui_msgsys(au_event_t e) 1124 { 1125 klwp_t *clwp = ttolwp(curthread); 1126 uint_t fm; 1127 1128 struct a { 1129 long id; /* function code id */ 1130 long ap; /* arg pointer for recvmsg */ 1131 } *uap = (struct a *)clwp->lwp_ap; 1132 1133 struct b { 1134 long msgid; 1135 long cmd; 1136 long buf; /* struct msqid_ds * */ 1137 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1138 1139 fm = (uint_t)uap->id; 1140 1141 switch (fm) { 1142 case 0: /* msgget */ 1143 e = AUE_MSGGET; 1144 break; 1145 case 1: /* msgctl */ 1146 switch ((uint_t)uap1->cmd) { 1147 case IPC_RMID: 1148 e = AUE_MSGCTL_RMID; 1149 break; 1150 case IPC_SET: 1151 e = AUE_MSGCTL_SET; 1152 break; 1153 case IPC_STAT: 1154 e = AUE_MSGCTL_STAT; 1155 break; 1156 default: 1157 e = AUE_MSGCTL; 1158 break; 1159 } 1160 break; 1161 case 2: /* msgrcv */ 1162 e = AUE_MSGRCV; 1163 break; 1164 case 3: /* msgsnd */ 1165 e = AUE_MSGSND; 1166 break; 1167 default: /* illegal system call */ 1168 e = AUE_NULL; 1169 break; 1170 } 1171 1172 return (e); 1173 } 1174 1175 1176 /* shmsys */ 1177 static au_event_t 1178 aui_shmsys(au_event_t e) 1179 { 1180 klwp_t *clwp = ttolwp(curthread); 1181 int fm; 1182 1183 struct a { /* shmsys */ 1184 long id; /* function code id */ 1185 } *uap = (struct a *)clwp->lwp_ap; 1186 1187 struct b { /* ctrl */ 1188 long shmid; 1189 long cmd; 1190 long arg; /* struct shmid_ds * */ 1191 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1192 fm = (uint_t)uap->id; 1193 1194 switch (fm) { 1195 case 0: /* shmat */ 1196 e = AUE_SHMAT; 1197 break; 1198 case 1: /* shmctl */ 1199 switch ((uint_t)uap1->cmd) { 1200 case IPC_RMID: 1201 e = AUE_SHMCTL_RMID; 1202 break; 1203 case IPC_SET: 1204 e = AUE_SHMCTL_SET; 1205 break; 1206 case IPC_STAT: 1207 e = AUE_SHMCTL_STAT; 1208 break; 1209 default: 1210 e = AUE_SHMCTL; 1211 break; 1212 } 1213 break; 1214 case 2: /* shmdt */ 1215 e = AUE_SHMDT; 1216 break; 1217 case 3: /* shmget */ 1218 e = AUE_SHMGET; 1219 break; 1220 default: /* illegal system call */ 1221 e = AUE_NULL; 1222 break; 1223 } 1224 1225 return (e); 1226 } 1227 1228 1229 /* semsys */ 1230 static au_event_t 1231 aui_semsys(au_event_t e) 1232 { 1233 klwp_t *clwp = ttolwp(curthread); 1234 uint_t fm; 1235 1236 struct a { /* semsys */ 1237 long id; 1238 } *uap = (struct a *)clwp->lwp_ap; 1239 1240 struct b { /* ctrl */ 1241 long semid; 1242 long semnum; 1243 long cmd; 1244 long arg; 1245 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1246 1247 fm = (uint_t)uap->id; 1248 1249 switch (fm) { 1250 case 0: /* semctl */ 1251 switch ((uint_t)uap1->cmd) { 1252 case IPC_RMID: 1253 e = AUE_SEMCTL_RMID; 1254 break; 1255 case IPC_SET: 1256 e = AUE_SEMCTL_SET; 1257 break; 1258 case IPC_STAT: 1259 e = AUE_SEMCTL_STAT; 1260 break; 1261 case GETNCNT: 1262 e = AUE_SEMCTL_GETNCNT; 1263 break; 1264 case GETPID: 1265 e = AUE_SEMCTL_GETPID; 1266 break; 1267 case GETVAL: 1268 e = AUE_SEMCTL_GETVAL; 1269 break; 1270 case GETALL: 1271 e = AUE_SEMCTL_GETALL; 1272 break; 1273 case GETZCNT: 1274 e = AUE_SEMCTL_GETZCNT; 1275 break; 1276 case SETVAL: 1277 e = AUE_SEMCTL_SETVAL; 1278 break; 1279 case SETALL: 1280 e = AUE_SEMCTL_SETALL; 1281 break; 1282 default: 1283 e = AUE_SEMCTL; 1284 break; 1285 } 1286 break; 1287 case 1: /* semget */ 1288 e = AUE_SEMGET; 1289 break; 1290 case 2: /* semop */ 1291 e = AUE_SEMOP; 1292 break; 1293 default: /* illegal system call */ 1294 e = AUE_NULL; 1295 break; 1296 } 1297 1298 return (e); 1299 } 1300 1301 /* utssys - uname(2), ustat(2), fusers(2) */ 1302 static au_event_t 1303 aui_utssys(au_event_t e) 1304 { 1305 klwp_t *clwp = ttolwp(curthread); 1306 uint_t type; 1307 1308 struct a { 1309 union { 1310 long cbuf; /* char * */ 1311 long ubuf; /* struct stat * */ 1312 } ub; 1313 union { 1314 long mv; /* for USTAT */ 1315 long flags; /* for FUSERS */ 1316 } un; 1317 long type; 1318 long outbp; /* char * for FUSERS */ 1319 } *uap = (struct a *)clwp->lwp_ap; 1320 1321 type = (uint_t)uap->type; 1322 1323 if (type == UTS_FUSERS) 1324 return (e); 1325 else 1326 return ((au_event_t)AUE_NULL); 1327 } 1328 1329 static au_event_t 1330 aui_fcntl(au_event_t e) 1331 { 1332 klwp_t *clwp = ttolwp(curthread); 1333 uint_t cmd; 1334 1335 struct a { 1336 long fdes; 1337 long cmd; 1338 long arg; 1339 } *uap = (struct a *)clwp->lwp_ap; 1340 1341 cmd = (uint_t)uap->cmd; 1342 1343 switch (cmd) { 1344 case F_GETLK: 1345 case F_SETLK: 1346 case F_SETLKW: 1347 break; 1348 case F_SETFL: 1349 case F_GETFL: 1350 case F_GETFD: 1351 break; 1352 default: 1353 e = (au_event_t)AUE_NULL; 1354 break; 1355 } 1356 return ((au_event_t)e); 1357 } 1358 1359 /* null function for now */ 1360 static au_event_t 1361 aui_execve(au_event_t e) 1362 { 1363 return (e); 1364 } 1365 1366 /*ARGSUSED*/ 1367 static void 1368 aus_fcntl(struct t_audit_data *tad) 1369 { 1370 klwp_t *clwp = ttolwp(curthread); 1371 uint32_t cmd, fd; 1372 struct file *fp; 1373 struct vnode *vp; 1374 struct f_audit_data *fad; 1375 1376 struct a { 1377 long fd; 1378 long cmd; 1379 long arg; 1380 } *uap = (struct a *)clwp->lwp_ap; 1381 1382 cmd = (uint32_t)uap->cmd; 1383 fd = (uint32_t)uap->fd; 1384 1385 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1386 1387 /* 1388 * convert file pointer to file descriptor 1389 * Note: fd ref count incremented here. 1390 */ 1391 if ((fp = getf(fd)) == NULL) 1392 return; 1393 1394 /* get path from file struct here */ 1395 fad = F2A(fp); 1396 if (fad->fad_aupath != NULL) { 1397 au_uwrite(au_to_path(fad->fad_aupath)); 1398 } else { 1399 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1400 } 1401 1402 vp = fp->f_vnode; 1403 audit_attributes(vp); 1404 1405 /* decrement file descriptor reference count */ 1406 releasef(fd); 1407 } 1408 1409 /*ARGSUSED*/ 1410 static void 1411 aus_kill(struct t_audit_data *tad) 1412 { 1413 klwp_t *clwp = ttolwp(curthread); 1414 struct proc *p; 1415 uint32_t signo; 1416 uid_t uid, ruid; 1417 gid_t gid, rgid; 1418 pid_t pid; 1419 const auditinfo_addr_t *ainfo; 1420 cred_t *cr; 1421 1422 struct a { 1423 long pid; 1424 long signo; 1425 } *uap = (struct a *)clwp->lwp_ap; 1426 1427 pid = (pid_t)uap->pid; 1428 signo = (uint32_t)uap->signo; 1429 1430 au_uwrite(au_to_arg32(2, "signal", signo)); 1431 if (pid > 0) { 1432 mutex_enter(&pidlock); 1433 if (((p = prfind(pid)) == (struct proc *)0) || 1434 (p->p_stat == SIDL)) { 1435 mutex_exit(&pidlock); 1436 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1437 return; 1438 } 1439 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1440 mutex_exit(&pidlock); 1441 1442 mutex_enter(&p->p_crlock); 1443 crhold(cr = p->p_cred); 1444 mutex_exit(&p->p_crlock); 1445 mutex_exit(&p->p_lock); 1446 1447 ainfo = crgetauinfo(cr); 1448 if (ainfo == NULL) { 1449 crfree(cr); 1450 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1451 return; 1452 } 1453 1454 uid = crgetuid(cr); 1455 gid = crgetgid(cr); 1456 ruid = crgetruid(cr); 1457 rgid = crgetrgid(cr); 1458 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1459 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1460 1461 if (is_system_labeled()) 1462 au_uwrite(au_to_label(CR_SL(cr))); 1463 1464 crfree(cr); 1465 } 1466 else 1467 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1468 } 1469 1470 /*ARGSUSED*/ 1471 static void 1472 aus_mkdir(struct t_audit_data *tad) 1473 { 1474 klwp_t *clwp = ttolwp(curthread); 1475 uint32_t dmode; 1476 1477 struct a { 1478 long dirnamep; /* char * */ 1479 long dmode; 1480 } *uap = (struct a *)clwp->lwp_ap; 1481 1482 dmode = (uint32_t)uap->dmode; 1483 1484 au_uwrite(au_to_arg32(2, "mode", dmode)); 1485 } 1486 1487 /*ARGSUSED*/ 1488 static void 1489 aus_mknod(struct t_audit_data *tad) 1490 { 1491 klwp_t *clwp = ttolwp(curthread); 1492 uint32_t fmode; 1493 dev_t dev; 1494 1495 struct a { 1496 long pnamep; /* char * */ 1497 long fmode; 1498 long dev; 1499 } *uap = (struct a *)clwp->lwp_ap; 1500 1501 fmode = (uint32_t)uap->fmode; 1502 dev = (dev_t)uap->dev; 1503 1504 au_uwrite(au_to_arg32(2, "mode", fmode)); 1505 #ifdef _LP64 1506 au_uwrite(au_to_arg64(3, "dev", dev)); 1507 #else 1508 au_uwrite(au_to_arg32(3, "dev", dev)); 1509 #endif 1510 } 1511 1512 /*ARGSUSED*/ 1513 static void 1514 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1515 { 1516 klwp_t *clwp = ttolwp(curthread); 1517 vnode_t *dvp; 1518 caddr_t pnamep; 1519 1520 struct a { 1521 long pnamep; /* char * */ 1522 long fmode; 1523 long dev; 1524 } *uap = (struct a *)clwp->lwp_ap; 1525 1526 /* no error, then already path token in audit record */ 1527 if (error != EPERM) 1528 return; 1529 1530 /* not auditing this event, nothing then to do */ 1531 if (tad->tad_flag == 0) 1532 return; 1533 1534 /* do the lookup to force generation of path token */ 1535 pnamep = (caddr_t)uap->pnamep; 1536 tad->tad_ctrl |= PAD_NOATTRB; 1537 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1538 if (error == 0) 1539 VN_RELE(dvp); 1540 } 1541 1542 /*ARGSUSED*/ 1543 static void 1544 aus_mount(struct t_audit_data *tad) 1545 { /* AUS_START */ 1546 klwp_t *clwp = ttolwp(curthread); 1547 uint32_t flags; 1548 uintptr_t u_fstype, dataptr; 1549 STRUCT_DECL(nfs_args, nfsargs); 1550 size_t len; 1551 char *fstype, *hostname; 1552 1553 struct a { 1554 long spec; /* char * */ 1555 long dir; /* char * */ 1556 long flags; 1557 long fstype; /* char * */ 1558 long dataptr; /* char * */ 1559 long datalen; 1560 } *uap = (struct a *)clwp->lwp_ap; 1561 1562 u_fstype = (uintptr_t)uap->fstype; 1563 flags = (uint32_t)uap->flags; 1564 dataptr = (uintptr_t)uap->dataptr; 1565 1566 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1567 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1568 goto mount_free_fstype; 1569 1570 au_uwrite(au_to_arg32(3, "flags", flags)); 1571 au_uwrite(au_to_text(fstype)); 1572 1573 if (strncmp(fstype, "nfs", 3) == 0) { 1574 1575 STRUCT_INIT(nfsargs, get_udatamodel()); 1576 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1577 1578 if (copyin((caddr_t)dataptr, 1579 STRUCT_BUF(nfsargs), 1580 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1581 /* DEBUG debug_enter((char *)NULL); */ 1582 goto mount_free_fstype; 1583 } 1584 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1585 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1586 (caddr_t)hostname, 1587 MAXNAMELEN, &len)) { 1588 goto mount_free_hostname; 1589 } 1590 au_uwrite(au_to_text(hostname)); 1591 au_uwrite(au_to_arg32(3, "internal flags", 1592 (uint_t)STRUCT_FGET(nfsargs, flags))); 1593 1594 mount_free_hostname: 1595 kmem_free(hostname, MAXNAMELEN); 1596 } 1597 1598 mount_free_fstype: 1599 kmem_free(fstype, MAXNAMELEN); 1600 } /* AUS_MOUNT */ 1601 1602 static void 1603 aus_umount_path(caddr_t umount_dir) 1604 { 1605 char *dir_path; 1606 struct audit_path *path; 1607 size_t path_len, dir_len; 1608 1609 /* length alloc'd for two string pointers */ 1610 path_len = sizeof (struct audit_path) + sizeof (char *); 1611 path = kmem_alloc(path_len, KM_SLEEP); 1612 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1613 1614 if (copyinstr(umount_dir, (caddr_t)dir_path, 1615 MAXPATHLEN, &dir_len)) 1616 goto umount2_free_dir; 1617 1618 /* 1619 * the audit_path struct assumes that the buffer pointed to 1620 * by audp_sect[n] contains string 0 immediatedly followed 1621 * by string 1. 1622 */ 1623 path->audp_sect[0] = dir_path; 1624 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1625 path->audp_size = path_len; 1626 path->audp_ref = 1; /* not used */ 1627 path->audp_cnt = 1; /* one path string */ 1628 1629 au_uwrite(au_to_path(path)); 1630 1631 umount2_free_dir: 1632 kmem_free(dir_path, MAXPATHLEN); 1633 kmem_free(path, path_len); 1634 } 1635 1636 /*ARGSUSED*/ 1637 static void 1638 aus_umount2(struct t_audit_data *tad) 1639 { 1640 klwp_t *clwp = ttolwp(curthread); 1641 struct a { 1642 long dir; /* char * */ 1643 long flags; 1644 } *uap = (struct a *)clwp->lwp_ap; 1645 1646 aus_umount_path((caddr_t)uap->dir); 1647 1648 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1649 } 1650 1651 static void 1652 aus_msgsys(struct t_audit_data *tad) 1653 { 1654 klwp_t *clwp = ttolwp(curthread); 1655 uint32_t msgid; 1656 1657 struct b { 1658 long msgid; 1659 long cmd; 1660 long buf; /* struct msqid_ds * */ 1661 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1662 1663 msgid = (uint32_t)uap1->msgid; 1664 1665 1666 switch (tad->tad_event) { 1667 case AUE_MSGGET: /* msgget */ 1668 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1669 break; 1670 case AUE_MSGCTL: /* msgctl */ 1671 case AUE_MSGCTL_RMID: /* msgctl */ 1672 case AUE_MSGCTL_SET: /* msgctl */ 1673 case AUE_MSGCTL_STAT: /* msgctl */ 1674 case AUE_MSGRCV: /* msgrcv */ 1675 case AUE_MSGSND: /* msgsnd */ 1676 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1677 break; 1678 } 1679 } 1680 1681 /*ARGSUSED*/ 1682 static void 1683 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1684 { 1685 int id; 1686 1687 if (error != 0) 1688 return; 1689 if (tad->tad_event == AUE_MSGGET) { 1690 uint32_t scid; 1691 uint32_t sy_flags; 1692 1693 /* need to determine type of executing binary */ 1694 scid = tad->tad_scid; 1695 #ifdef _SYSCALL32_IMPL 1696 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1697 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1698 else 1699 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1700 #else 1701 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1702 #endif 1703 if (sy_flags == SE_32RVAL1) 1704 id = rval->r_val1; 1705 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1706 id = rval->r_val1; 1707 if (sy_flags == SE_64RVAL) 1708 id = (int)rval->r_vals; 1709 1710 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1711 } 1712 } 1713 1714 static void 1715 aus_semsys(struct t_audit_data *tad) 1716 { 1717 klwp_t *clwp = ttolwp(curthread); 1718 uint32_t semid; 1719 1720 struct b { /* ctrl */ 1721 long semid; 1722 long semnum; 1723 long cmd; 1724 long arg; 1725 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1726 1727 semid = (uint32_t)uap1->semid; 1728 1729 switch (tad->tad_event) { 1730 case AUE_SEMCTL_RMID: 1731 case AUE_SEMCTL_STAT: 1732 case AUE_SEMCTL_GETNCNT: 1733 case AUE_SEMCTL_GETPID: 1734 case AUE_SEMCTL_GETVAL: 1735 case AUE_SEMCTL_GETALL: 1736 case AUE_SEMCTL_GETZCNT: 1737 case AUE_SEMCTL_SET: 1738 case AUE_SEMCTL_SETVAL: 1739 case AUE_SEMCTL_SETALL: 1740 case AUE_SEMCTL: 1741 case AUE_SEMOP: 1742 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1743 break; 1744 case AUE_SEMGET: 1745 au_uwrite(au_to_arg32(1, "sem key", semid)); 1746 break; 1747 } 1748 } 1749 1750 /*ARGSUSED*/ 1751 static void 1752 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1753 { 1754 int id; 1755 1756 if (error != 0) 1757 return; 1758 if (tad->tad_event == AUE_SEMGET) { 1759 uint32_t scid; 1760 uint32_t sy_flags; 1761 1762 /* need to determine type of executing binary */ 1763 scid = tad->tad_scid; 1764 #ifdef _SYSCALL32_IMPL 1765 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1766 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1767 else 1768 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1769 #else 1770 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1771 #endif 1772 if (sy_flags == SE_32RVAL1) 1773 id = rval->r_val1; 1774 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1775 id = rval->r_val1; 1776 if (sy_flags == SE_64RVAL) 1777 id = (int)rval->r_vals; 1778 1779 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1780 } 1781 } 1782 1783 /*ARGSUSED*/ 1784 static void 1785 aus_close(struct t_audit_data *tad) 1786 { 1787 klwp_t *clwp = ttolwp(curthread); 1788 uint32_t fd; 1789 struct file *fp; 1790 struct f_audit_data *fad; 1791 struct vnode *vp; 1792 struct vattr attr; 1793 au_kcontext_t *kctx = GET_KCTX_PZ; 1794 1795 struct a { 1796 long i; 1797 } *uap = (struct a *)clwp->lwp_ap; 1798 1799 fd = (uint32_t)uap->i; 1800 1801 attr.va_mask = 0; 1802 au_uwrite(au_to_arg32(1, "fd", fd)); 1803 1804 /* 1805 * convert file pointer to file descriptor 1806 * Note: fd ref count incremented here. 1807 */ 1808 if ((fp = getf(fd)) == NULL) 1809 return; 1810 1811 fad = F2A(fp); 1812 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1813 if (fad->fad_aupath != NULL) { 1814 au_uwrite(au_to_path(fad->fad_aupath)); 1815 if ((vp = fp->f_vnode) != NULL) { 1816 attr.va_mask = AT_ALL; 1817 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1818 /* 1819 * When write was not used and the file can be 1820 * considered public, skip the audit. 1821 */ 1822 if (((fp->f_flag & FWRITE) == 0) && 1823 file_is_public(&attr)) { 1824 tad->tad_flag = 0; 1825 tad->tad_evmod = 0; 1826 /* free any residual audit data */ 1827 au_close(kctx, &(u_ad), 0, 0, 0); 1828 releasef(fd); 1829 return; 1830 } 1831 au_uwrite(au_to_attr(&attr)); 1832 audit_sec_attributes(&(u_ad), vp); 1833 } 1834 } 1835 } 1836 1837 /* decrement file descriptor reference count */ 1838 releasef(fd); 1839 } 1840 1841 /*ARGSUSED*/ 1842 static void 1843 aus_fstatfs(struct t_audit_data *tad) 1844 { 1845 klwp_t *clwp = ttolwp(curthread); 1846 uint32_t fd; 1847 struct file *fp; 1848 struct vnode *vp; 1849 struct f_audit_data *fad; 1850 1851 struct a { 1852 long fd; 1853 long buf; /* struct statfs * */ 1854 } *uap = (struct a *)clwp->lwp_ap; 1855 1856 fd = (uint_t)uap->fd; 1857 1858 /* 1859 * convert file pointer to file descriptor 1860 * Note: fd ref count incremented here. 1861 */ 1862 if ((fp = getf(fd)) == NULL) 1863 return; 1864 1865 /* get path from file struct here */ 1866 fad = F2A(fp); 1867 if (fad->fad_aupath != NULL) { 1868 au_uwrite(au_to_path(fad->fad_aupath)); 1869 } else { 1870 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1871 } 1872 1873 vp = fp->f_vnode; 1874 audit_attributes(vp); 1875 1876 /* decrement file descriptor reference count */ 1877 releasef(fd); 1878 } 1879 1880 static au_event_t 1881 aui_setpgrp(au_event_t e) 1882 { 1883 klwp_t *clwp = ttolwp(curthread); 1884 int flag; 1885 1886 struct a { 1887 long flag; 1888 long pid; 1889 long pgid; 1890 } *uap = (struct a *)clwp->lwp_ap; 1891 1892 flag = (int)uap->flag; 1893 1894 1895 switch (flag) { 1896 1897 case 1: /* setpgrp() */ 1898 e = AUE_SETPGRP; 1899 break; 1900 1901 case 3: /* setsid() */ 1902 e = AUE_SETSID; 1903 break; 1904 1905 case 5: /* setpgid() */ 1906 e = AUE_SETPGID; 1907 break; 1908 1909 case 0: /* getpgrp() - not security relevant */ 1910 case 2: /* getsid() - not security relevant */ 1911 case 4: /* getpgid() - not security relevant */ 1912 e = AUE_NULL; 1913 break; 1914 1915 default: 1916 e = AUE_NULL; 1917 break; 1918 } 1919 1920 return (e); 1921 } 1922 1923 /*ARGSUSED*/ 1924 static void 1925 aus_setpgrp(struct t_audit_data *tad) 1926 { 1927 klwp_t *clwp = ttolwp(curthread); 1928 pid_t pgid; 1929 struct proc *p; 1930 uid_t uid, ruid; 1931 gid_t gid, rgid; 1932 pid_t pid; 1933 cred_t *cr; 1934 int flag; 1935 const auditinfo_addr_t *ainfo; 1936 1937 struct a { 1938 long flag; 1939 long pid; 1940 long pgid; 1941 } *uap = (struct a *)clwp->lwp_ap; 1942 1943 flag = (int)uap->flag; 1944 pid = (pid_t)uap->pid; 1945 pgid = (pid_t)uap->pgid; 1946 1947 1948 switch (flag) { 1949 1950 case 0: /* getpgrp() */ 1951 case 1: /* setpgrp() */ 1952 case 2: /* getsid() */ 1953 case 3: /* setsid() */ 1954 case 4: /* getpgid() */ 1955 break; 1956 1957 case 5: /* setpgid() */ 1958 1959 /* current process? */ 1960 if (pid == 0) { 1961 return; 1962 } 1963 1964 mutex_enter(&pidlock); 1965 p = prfind(pid); 1966 if (p == NULL || p->p_as == &kas || 1967 p->p_stat == SIDL || p->p_stat == SZOMB) { 1968 mutex_exit(&pidlock); 1969 return; 1970 } 1971 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1972 mutex_exit(&pidlock); 1973 1974 mutex_enter(&p->p_crlock); 1975 crhold(cr = p->p_cred); 1976 mutex_exit(&p->p_crlock); 1977 mutex_exit(&p->p_lock); 1978 1979 ainfo = crgetauinfo(cr); 1980 if (ainfo == NULL) { 1981 crfree(cr); 1982 return; 1983 } 1984 1985 uid = crgetuid(cr); 1986 gid = crgetgid(cr); 1987 ruid = crgetruid(cr); 1988 rgid = crgetrgid(cr); 1989 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1990 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1991 crfree(cr); 1992 au_uwrite(au_to_arg32(2, "pgid", pgid)); 1993 break; 1994 1995 default: 1996 break; 1997 } 1998 } 1999 2000 2001 /*ARGSUSED*/ 2002 static void 2003 aus_setregid(struct t_audit_data *tad) 2004 { 2005 klwp_t *clwp = ttolwp(curthread); 2006 uint32_t rgid, egid; 2007 2008 struct a { 2009 long rgid; 2010 long egid; 2011 } *uap = (struct a *)clwp->lwp_ap; 2012 2013 rgid = (uint32_t)uap->rgid; 2014 egid = (uint32_t)uap->egid; 2015 2016 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2017 au_uwrite(au_to_arg32(2, "egid", egid)); 2018 } 2019 2020 /*ARGSUSED*/ 2021 static void 2022 aus_setgid(struct t_audit_data *tad) 2023 { 2024 klwp_t *clwp = ttolwp(curthread); 2025 uint32_t gid; 2026 2027 struct a { 2028 long gid; 2029 } *uap = (struct a *)clwp->lwp_ap; 2030 2031 gid = (uint32_t)uap->gid; 2032 2033 au_uwrite(au_to_arg32(1, "gid", gid)); 2034 } 2035 2036 2037 /*ARGSUSED*/ 2038 static void 2039 aus_setreuid(struct t_audit_data *tad) 2040 { 2041 klwp_t *clwp = ttolwp(curthread); 2042 uint32_t ruid, euid; 2043 2044 struct a { 2045 long ruid; 2046 long euid; 2047 } *uap = (struct a *)clwp->lwp_ap; 2048 2049 ruid = (uint32_t)uap->ruid; 2050 euid = (uint32_t)uap->euid; 2051 2052 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2053 au_uwrite(au_to_arg32(2, "euid", euid)); 2054 } 2055 2056 2057 /*ARGSUSED*/ 2058 static void 2059 aus_setuid(struct t_audit_data *tad) 2060 { 2061 klwp_t *clwp = ttolwp(curthread); 2062 uint32_t uid; 2063 2064 struct a { 2065 long uid; 2066 } *uap = (struct a *)clwp->lwp_ap; 2067 2068 uid = (uint32_t)uap->uid; 2069 2070 au_uwrite(au_to_arg32(1, "uid", uid)); 2071 } 2072 2073 /*ARGSUSED*/ 2074 static void 2075 aus_shmsys(struct t_audit_data *tad) 2076 { 2077 klwp_t *clwp = ttolwp(curthread); 2078 uint32_t id, cmd; 2079 2080 struct b { 2081 long id; 2082 long cmd; 2083 long buf; /* struct shmid_ds * */ 2084 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2085 2086 id = (uint32_t)uap1->id; 2087 cmd = (uint32_t)uap1->cmd; 2088 2089 switch (tad->tad_event) { 2090 case AUE_SHMGET: /* shmget */ 2091 au_uwrite(au_to_arg32(1, "shm key", id)); 2092 break; 2093 case AUE_SHMCTL: /* shmctl */ 2094 case AUE_SHMCTL_RMID: /* shmctl */ 2095 case AUE_SHMCTL_STAT: /* shmctl */ 2096 case AUE_SHMCTL_SET: /* shmctl */ 2097 au_uwrite(au_to_arg32(1, "shm ID", id)); 2098 break; 2099 case AUE_SHMDT: /* shmdt */ 2100 au_uwrite(au_to_arg32(1, "shm adr", id)); 2101 break; 2102 case AUE_SHMAT: /* shmat */ 2103 au_uwrite(au_to_arg32(1, "shm ID", id)); 2104 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2105 break; 2106 } 2107 } 2108 2109 /*ARGSUSED*/ 2110 static void 2111 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2112 { 2113 int id; 2114 2115 if (error != 0) 2116 return; 2117 if (tad->tad_event == AUE_SHMGET) { 2118 uint32_t scid; 2119 uint32_t sy_flags; 2120 2121 /* need to determine type of executing binary */ 2122 scid = tad->tad_scid; 2123 #ifdef _SYSCALL32_IMPL 2124 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2125 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2126 else 2127 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2128 #else 2129 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2130 #endif 2131 if (sy_flags == SE_32RVAL1) 2132 id = rval->r_val1; 2133 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2134 id = rval->r_val1; 2135 if (sy_flags == SE_64RVAL) 2136 id = (int)rval->r_vals; 2137 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2138 } 2139 } 2140 2141 2142 /*ARGSUSED*/ 2143 static void 2144 aus_ioctl(struct t_audit_data *tad) 2145 { 2146 klwp_t *clwp = ttolwp(curthread); 2147 struct file *fp; 2148 struct vnode *vp; 2149 struct f_audit_data *fad; 2150 uint32_t fd, cmd; 2151 uintptr_t cmarg; 2152 2153 /* XX64 */ 2154 struct a { 2155 long fd; 2156 long cmd; 2157 long cmarg; /* caddr_t */ 2158 } *uap = (struct a *)clwp->lwp_ap; 2159 2160 fd = (uint32_t)uap->fd; 2161 cmd = (uint32_t)uap->cmd; 2162 cmarg = (uintptr_t)uap->cmarg; 2163 2164 /* 2165 * convert file pointer to file descriptor 2166 * Note: fd ref count incremented here. 2167 */ 2168 if ((fp = getf(fd)) == NULL) { 2169 au_uwrite(au_to_arg32(1, "fd", fd)); 2170 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2171 #ifndef _LP64 2172 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2173 #else 2174 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2175 #endif 2176 return; 2177 } 2178 2179 /* get path from file struct here */ 2180 fad = F2A(fp); 2181 if (fad->fad_aupath != NULL) { 2182 au_uwrite(au_to_path(fad->fad_aupath)); 2183 } else { 2184 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2185 } 2186 2187 vp = fp->f_vnode; 2188 audit_attributes(vp); 2189 2190 /* decrement file descriptor reference count */ 2191 releasef(fd); 2192 2193 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2194 #ifndef _LP64 2195 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2196 #else 2197 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2198 #endif 2199 } 2200 2201 /* 2202 * null function for memcntl for now. We might want to limit memcntl() 2203 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2204 * require privileges. 2205 */ 2206 static au_event_t 2207 aui_memcntl(au_event_t e) 2208 { 2209 return (e); 2210 } 2211 2212 /*ARGSUSED*/ 2213 static au_event_t 2214 aui_privsys(au_event_t e) 2215 { 2216 klwp_t *clwp = ttolwp(curthread); 2217 2218 struct a { 2219 long opcode; 2220 } *uap = (struct a *)clwp->lwp_ap; 2221 2222 switch (uap->opcode) { 2223 case PRIVSYS_SETPPRIV: 2224 return (AUE_SETPPRIV); 2225 default: 2226 return (AUE_NULL); 2227 } 2228 } 2229 2230 /*ARGSUSED*/ 2231 static void 2232 aus_memcntl(struct t_audit_data *tad) 2233 { 2234 klwp_t *clwp = ttolwp(curthread); 2235 2236 struct a { 2237 long addr; 2238 long len; 2239 long cmd; 2240 long arg; 2241 long attr; 2242 long mask; 2243 } *uap = (struct a *)clwp->lwp_ap; 2244 2245 #ifdef _LP64 2246 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2247 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2248 #else 2249 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2250 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2251 #endif 2252 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2253 #ifdef _LP64 2254 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2255 #else 2256 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2257 #endif 2258 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2259 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2260 } 2261 2262 /*ARGSUSED*/ 2263 static void 2264 aus_mmap(struct t_audit_data *tad) 2265 { 2266 klwp_t *clwp = ttolwp(curthread); 2267 struct file *fp; 2268 struct f_audit_data *fad; 2269 struct vnode *vp; 2270 uint32_t fd; 2271 2272 struct a { 2273 long addr; 2274 long len; 2275 long prot; 2276 long flags; 2277 long fd; 2278 long pos; 2279 } *uap = (struct a *)clwp->lwp_ap; 2280 2281 fd = (uint32_t)uap->fd; 2282 2283 #ifdef _LP64 2284 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2285 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2286 #else 2287 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2288 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2289 #endif 2290 2291 if ((fp = getf(fd)) == NULL) { 2292 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2293 return; 2294 } 2295 2296 /* 2297 * Mark in the tad if write access is NOT requested... if 2298 * this is later detected (in audit_attributes) to be a 2299 * public object, the mmap event may be discarded. 2300 */ 2301 if (((uap->prot) & PROT_WRITE) == 0) { 2302 tad->tad_ctrl |= PAD_PUBLIC_EV; 2303 } 2304 2305 fad = F2A(fp); 2306 if (fad->fad_aupath != NULL) { 2307 au_uwrite(au_to_path(fad->fad_aupath)); 2308 } else { 2309 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2310 } 2311 2312 vp = (struct vnode *)fp->f_vnode; 2313 audit_attributes(vp); 2314 2315 /* mark READ/WRITE since we can't predict access */ 2316 if (uap->prot & PROT_READ) 2317 fad->fad_flags |= FAD_READ; 2318 if (uap->prot & PROT_WRITE) 2319 fad->fad_flags |= FAD_WRITE; 2320 2321 /* decrement file descriptor reference count */ 2322 releasef(fd); 2323 2324 } /* AUS_MMAP */ 2325 2326 2327 2328 2329 /*ARGSUSED*/ 2330 static void 2331 aus_munmap(struct t_audit_data *tad) 2332 { 2333 klwp_t *clwp = ttolwp(curthread); 2334 2335 struct a { 2336 long addr; 2337 long len; 2338 } *uap = (struct a *)clwp->lwp_ap; 2339 2340 #ifdef _LP64 2341 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2342 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2343 #else 2344 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2345 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2346 #endif 2347 2348 } /* AUS_MUNMAP */ 2349 2350 2351 2352 2353 2354 2355 2356 /*ARGSUSED*/ 2357 static void 2358 aus_priocntlsys(struct t_audit_data *tad) 2359 { 2360 klwp_t *clwp = ttolwp(curthread); 2361 2362 struct a { 2363 long pc_version; 2364 long psp; /* procset_t */ 2365 long cmd; 2366 long arg; 2367 } *uap = (struct a *)clwp->lwp_ap; 2368 2369 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2370 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2371 2372 } /* AUS_PRIOCNTLSYS */ 2373 2374 2375 /*ARGSUSED*/ 2376 static void 2377 aus_setegid(struct t_audit_data *tad) 2378 { 2379 klwp_t *clwp = ttolwp(curthread); 2380 uint32_t gid; 2381 2382 struct a { 2383 long gid; 2384 } *uap = (struct a *)clwp->lwp_ap; 2385 2386 gid = (uint32_t)uap->gid; 2387 2388 au_uwrite(au_to_arg32(1, "gid", gid)); 2389 } /* AUS_SETEGID */ 2390 2391 2392 2393 2394 /*ARGSUSED*/ 2395 static void 2396 aus_setgroups(struct t_audit_data *tad) 2397 { 2398 klwp_t *clwp = ttolwp(curthread); 2399 int i; 2400 int gidsetsize; 2401 uintptr_t gidset; 2402 gid_t *gidlist; 2403 2404 struct a { 2405 long gidsetsize; 2406 long gidset; 2407 } *uap = (struct a *)clwp->lwp_ap; 2408 2409 gidsetsize = (uint_t)uap->gidsetsize; 2410 gidset = (uintptr_t)uap->gidset; 2411 2412 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2413 return; 2414 if (gidsetsize != 0) { 2415 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2416 KM_SLEEP); 2417 if (copyin((caddr_t)gidset, gidlist, 2418 gidsetsize * sizeof (gid_t)) == 0) 2419 for (i = 0; i < gidsetsize; i++) 2420 au_uwrite(au_to_arg32(1, "setgroups", 2421 (uint32_t)gidlist[i])); 2422 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2423 } else 2424 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2425 2426 } /* AUS_SETGROUPS */ 2427 2428 2429 2430 2431 2432 /*ARGSUSED*/ 2433 static void 2434 aus_seteuid(struct t_audit_data *tad) 2435 { 2436 klwp_t *clwp = ttolwp(curthread); 2437 uint32_t uid; 2438 2439 struct a { 2440 long uid; 2441 } *uap = (struct a *)clwp->lwp_ap; 2442 2443 uid = (uint32_t)uap->uid; 2444 2445 au_uwrite(au_to_arg32(1, "euid", uid)); 2446 2447 } /* AUS_SETEUID */ 2448 2449 /*ARGSUSED*/ 2450 static void 2451 aus_putmsg(struct t_audit_data *tad) 2452 { 2453 klwp_t *clwp = ttolwp(curthread); 2454 uint32_t fd, pri; 2455 struct file *fp; 2456 struct f_audit_data *fad; 2457 2458 struct a { 2459 long fdes; 2460 long ctl; /* struct strbuf * */ 2461 long data; /* struct strbuf * */ 2462 long pri; 2463 } *uap = (struct a *)clwp->lwp_ap; 2464 2465 fd = (uint32_t)uap->fdes; 2466 pri = (uint32_t)uap->pri; 2467 2468 au_uwrite(au_to_arg32(1, "fd", fd)); 2469 2470 if ((fp = getf(fd)) != NULL) { 2471 fad = F2A(fp); 2472 2473 fad->fad_flags |= FAD_WRITE; 2474 2475 /* add path name to audit record */ 2476 if (fad->fad_aupath != NULL) { 2477 au_uwrite(au_to_path(fad->fad_aupath)); 2478 } 2479 audit_attributes(fp->f_vnode); 2480 2481 releasef(fd); 2482 } 2483 2484 au_uwrite(au_to_arg32(4, "pri", pri)); 2485 } 2486 2487 /*ARGSUSED*/ 2488 static void 2489 aus_putpmsg(struct t_audit_data *tad) 2490 { 2491 klwp_t *clwp = ttolwp(curthread); 2492 uint32_t fd, pri, flags; 2493 struct file *fp; 2494 struct f_audit_data *fad; 2495 2496 struct a { 2497 long fdes; 2498 long ctl; /* struct strbuf * */ 2499 long data; /* struct strbuf * */ 2500 long pri; 2501 long flags; 2502 } *uap = (struct a *)clwp->lwp_ap; 2503 2504 fd = (uint32_t)uap->fdes; 2505 pri = (uint32_t)uap->pri; 2506 flags = (uint32_t)uap->flags; 2507 2508 au_uwrite(au_to_arg32(1, "fd", fd)); 2509 2510 if ((fp = getf(fd)) != NULL) { 2511 fad = F2A(fp); 2512 2513 fad->fad_flags |= FAD_WRITE; 2514 2515 /* add path name to audit record */ 2516 if (fad->fad_aupath != NULL) { 2517 au_uwrite(au_to_path(fad->fad_aupath)); 2518 } 2519 audit_attributes(fp->f_vnode); 2520 2521 releasef(fd); 2522 } 2523 2524 2525 au_uwrite(au_to_arg32(4, "pri", pri)); 2526 au_uwrite(au_to_arg32(5, "flags", flags)); 2527 } 2528 2529 /*ARGSUSED*/ 2530 static void 2531 aus_getmsg(struct t_audit_data *tad) 2532 { 2533 klwp_t *clwp = ttolwp(curthread); 2534 uint32_t fd, pri; 2535 struct file *fp; 2536 struct f_audit_data *fad; 2537 2538 struct a { 2539 long fdes; 2540 long ctl; /* struct strbuf * */ 2541 long data; /* struct strbuf * */ 2542 long pri; 2543 } *uap = (struct a *)clwp->lwp_ap; 2544 2545 fd = (uint32_t)uap->fdes; 2546 pri = (uint32_t)uap->pri; 2547 2548 au_uwrite(au_to_arg32(1, "fd", fd)); 2549 2550 if ((fp = getf(fd)) != NULL) { 2551 fad = F2A(fp); 2552 2553 /* 2554 * read operation on this object 2555 */ 2556 fad->fad_flags |= FAD_READ; 2557 2558 /* add path name to audit record */ 2559 if (fad->fad_aupath != NULL) { 2560 au_uwrite(au_to_path(fad->fad_aupath)); 2561 } 2562 audit_attributes(fp->f_vnode); 2563 2564 releasef(fd); 2565 } 2566 2567 au_uwrite(au_to_arg32(4, "pri", pri)); 2568 } 2569 2570 /*ARGSUSED*/ 2571 static void 2572 aus_getpmsg(struct t_audit_data *tad) 2573 { 2574 klwp_t *clwp = ttolwp(curthread); 2575 uint32_t fd; 2576 struct file *fp; 2577 struct f_audit_data *fad; 2578 2579 struct a { 2580 long fdes; 2581 long ctl; /* struct strbuf * */ 2582 long data; /* struct strbuf * */ 2583 long pri; 2584 long flags; 2585 } *uap = (struct a *)clwp->lwp_ap; 2586 2587 fd = (uint32_t)uap->fdes; 2588 2589 au_uwrite(au_to_arg32(1, "fd", fd)); 2590 2591 if ((fp = getf(fd)) != NULL) { 2592 fad = F2A(fp); 2593 2594 /* 2595 * read operation on this object 2596 */ 2597 fad->fad_flags |= FAD_READ; 2598 2599 /* add path name to audit record */ 2600 if (fad->fad_aupath != NULL) { 2601 au_uwrite(au_to_path(fad->fad_aupath)); 2602 } 2603 audit_attributes(fp->f_vnode); 2604 2605 releasef(fd); 2606 } 2607 } 2608 2609 static au_event_t 2610 aui_labelsys(au_event_t e) 2611 { 2612 klwp_t *clwp = ttolwp(curthread); 2613 uint32_t code; 2614 uint32_t cmd; 2615 2616 struct a { 2617 long code; 2618 long cmd; 2619 } *uap = (struct a *)clwp->lwp_ap; 2620 2621 code = (uint32_t)uap->code; 2622 cmd = (uint32_t)uap->cmd; 2623 2624 /* not security relevant if not changing kernel cache */ 2625 if (cmd == TNDB_GET) 2626 return (AUE_NULL); 2627 2628 switch (code) { 2629 case TSOL_TNRH: 2630 e = AUE_LABELSYS_TNRH; 2631 break; 2632 case TSOL_TNRHTP: 2633 e = AUE_LABELSYS_TNRHTP; 2634 break; 2635 case TSOL_TNMLP: 2636 e = AUE_LABELSYS_TNMLP; 2637 break; 2638 default: 2639 e = AUE_NULL; 2640 break; 2641 } 2642 2643 return (e); 2644 2645 } 2646 2647 static void 2648 aus_labelsys(struct t_audit_data *tad) 2649 { 2650 klwp_t *clwp = ttolwp(curthread); 2651 uint32_t cmd; 2652 uintptr_t a2; 2653 2654 struct a { 2655 long code; 2656 long cmd; 2657 long a2; 2658 } *uap = (struct a *)clwp->lwp_ap; 2659 2660 cmd = (uint32_t)uap->cmd; 2661 a2 = (uintptr_t)uap->a2; 2662 2663 switch (tad->tad_event) { 2664 case AUE_LABELSYS_TNRH: 2665 { 2666 tsol_rhent_t *rhent; 2667 tnaddr_t *rh_addr; 2668 2669 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2670 2671 /* Remaining args don't apply for FLUSH, so skip */ 2672 if (cmd == TNDB_FLUSH) 2673 break; 2674 2675 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2676 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2677 kmem_free(rhent, sizeof (tsol_rhent_t)); 2678 return; 2679 } 2680 2681 rh_addr = &rhent->rh_address; 2682 if (rh_addr->ta_family == AF_INET) { 2683 struct in_addr *ipaddr; 2684 2685 ipaddr = &(rh_addr->ta_addr_v4); 2686 au_uwrite(au_to_in_addr(ipaddr)); 2687 } else if (rh_addr->ta_family == AF_INET6) { 2688 int32_t *ipaddr; 2689 2690 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2691 au_uwrite(au_to_in_addr_ex(ipaddr)); 2692 } 2693 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2694 2695 kmem_free(rhent, sizeof (tsol_rhent_t)); 2696 2697 break; 2698 } 2699 case AUE_LABELSYS_TNRHTP: 2700 { 2701 tsol_tpent_t *tpent; 2702 2703 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2704 2705 /* Remaining args don't apply for FLUSH, so skip */ 2706 if (cmd == TNDB_FLUSH) 2707 break; 2708 2709 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2710 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2711 kmem_free(tpent, sizeof (tsol_tpent_t)); 2712 return; 2713 } 2714 2715 /* Make sure that the template name is null-terminated. */ 2716 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2717 2718 au_uwrite(au_to_text(tpent->name)); 2719 kmem_free(tpent, sizeof (tsol_tpent_t)); 2720 2721 break; 2722 } 2723 case AUE_LABELSYS_TNMLP: 2724 { 2725 tsol_mlpent_t *mlpent; 2726 2727 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2728 2729 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2730 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2731 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2732 return; 2733 } 2734 2735 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2736 au_uwrite(au_to_text("shared")); 2737 } else { 2738 zone_t *zone; 2739 2740 zone = zone_find_by_id(mlpent->tsme_zoneid); 2741 if (zone != NULL) { 2742 au_uwrite(au_to_text(zone->zone_name)); 2743 zone_rele(zone); 2744 } 2745 } 2746 2747 /* Remaining args don't apply for FLUSH, so skip */ 2748 if (cmd == TNDB_FLUSH) { 2749 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2750 break; 2751 } 2752 2753 au_uwrite(au_to_arg32(2, "proto num", 2754 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2755 au_uwrite(au_to_arg32(2, "mlp_port", 2756 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2757 2758 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2759 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2760 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2761 2762 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2763 2764 break; 2765 } 2766 default: 2767 break; 2768 } 2769 } 2770 2771 2772 static au_event_t 2773 aui_auditsys(au_event_t e) 2774 { 2775 klwp_t *clwp = ttolwp(curthread); 2776 uint32_t code; 2777 2778 struct a { 2779 long code; 2780 long a1; 2781 long a2; 2782 long a3; 2783 long a4; 2784 long a5; 2785 long a6; 2786 long a7; 2787 } *uap = (struct a *)clwp->lwp_ap; 2788 2789 code = (uint32_t)uap->code; 2790 2791 switch (code) { 2792 2793 case BSM_GETAUID: 2794 e = AUE_GETAUID; 2795 break; 2796 case BSM_SETAUID: 2797 e = AUE_SETAUID; 2798 break; 2799 case BSM_GETAUDIT: 2800 e = AUE_GETAUDIT; 2801 break; 2802 case BSM_GETAUDIT_ADDR: 2803 e = AUE_GETAUDIT_ADDR; 2804 break; 2805 case BSM_SETAUDIT: 2806 e = AUE_SETAUDIT; 2807 break; 2808 case BSM_SETAUDIT_ADDR: 2809 e = AUE_SETAUDIT_ADDR; 2810 break; 2811 case BSM_AUDIT: 2812 e = AUE_AUDIT; 2813 break; 2814 case BSM_AUDITCTL: 2815 switch ((uint_t)uap->a1) { 2816 2817 case A_GETPOLICY: 2818 e = AUE_AUDITON_GPOLICY; 2819 break; 2820 case A_SETPOLICY: 2821 e = AUE_AUDITON_SPOLICY; 2822 break; 2823 case A_GETKMASK: 2824 e = AUE_AUDITON_GETKMASK; 2825 break; 2826 case A_SETKMASK: 2827 e = AUE_AUDITON_SETKMASK; 2828 break; 2829 case A_GETQCTRL: 2830 e = AUE_AUDITON_GQCTRL; 2831 break; 2832 case A_SETQCTRL: 2833 e = AUE_AUDITON_SQCTRL; 2834 break; 2835 case A_GETCWD: 2836 e = AUE_AUDITON_GETCWD; 2837 break; 2838 case A_GETCAR: 2839 e = AUE_AUDITON_GETCAR; 2840 break; 2841 case A_GETSTAT: 2842 e = AUE_AUDITON_GETSTAT; 2843 break; 2844 case A_SETSTAT: 2845 e = AUE_AUDITON_SETSTAT; 2846 break; 2847 case A_SETUMASK: 2848 e = AUE_AUDITON_SETUMASK; 2849 break; 2850 case A_SETSMASK: 2851 e = AUE_AUDITON_SETSMASK; 2852 break; 2853 case A_GETCOND: 2854 e = AUE_AUDITON_GETCOND; 2855 break; 2856 case A_SETCOND: 2857 e = AUE_AUDITON_SETCOND; 2858 break; 2859 case A_GETCLASS: 2860 e = AUE_AUDITON_GETCLASS; 2861 break; 2862 case A_SETCLASS: 2863 e = AUE_AUDITON_SETCLASS; 2864 break; 2865 default: 2866 e = AUE_NULL; 2867 break; 2868 } 2869 break; 2870 default: 2871 e = AUE_NULL; 2872 break; 2873 } 2874 2875 return (e); 2876 2877 } /* AUI_AUDITSYS */ 2878 2879 2880 static void 2881 aus_auditsys(struct t_audit_data *tad) 2882 { 2883 klwp_t *clwp = ttolwp(curthread); 2884 uintptr_t a1, a2; 2885 STRUCT_DECL(auditinfo, ainfo); 2886 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2887 au_evclass_map_t event; 2888 au_mask_t mask; 2889 int auditstate, policy; 2890 au_id_t auid; 2891 2892 2893 struct a { 2894 long code; 2895 long a1; 2896 long a2; 2897 long a3; 2898 long a4; 2899 long a5; 2900 long a6; 2901 long a7; 2902 } *uap = (struct a *)clwp->lwp_ap; 2903 2904 a1 = (uintptr_t)uap->a1; 2905 a2 = (uintptr_t)uap->a2; 2906 2907 switch (tad->tad_event) { 2908 case AUE_SETAUID: 2909 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2910 return; 2911 au_uwrite(au_to_arg32(2, "setauid", auid)); 2912 break; 2913 case AUE_SETAUDIT: 2914 STRUCT_INIT(ainfo, get_udatamodel()); 2915 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2916 STRUCT_SIZE(ainfo))) { 2917 return; 2918 } 2919 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2920 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2921 #ifdef _LP64 2922 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2923 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2924 #else 2925 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2926 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2927 #endif 2928 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2929 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2930 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2931 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2932 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2933 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2934 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2935 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2936 break; 2937 case AUE_SETAUDIT_ADDR: 2938 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2939 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2940 STRUCT_SIZE(ainfo_addr))) { 2941 return; 2942 } 2943 au_uwrite(au_to_arg32((char)1, "auid", 2944 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2945 #ifdef _LP64 2946 au_uwrite(au_to_arg64((char)1, "port", 2947 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2948 #else 2949 au_uwrite(au_to_arg32((char)1, "port", 2950 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2951 #endif 2952 au_uwrite(au_to_arg32((char)1, "type", 2953 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2954 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2955 AU_IPv4) { 2956 au_uwrite(au_to_in_addr( 2957 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2958 ai_termid.at_addr))); 2959 } else { 2960 au_uwrite(au_to_in_addr_ex( 2961 (int32_t *)STRUCT_FGETP(ainfo_addr, 2962 ai_termid.at_addr))); 2963 } 2964 au_uwrite(au_to_arg32((char)1, "as_success", 2965 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2966 au_uwrite(au_to_arg32((char)1, "as_failure", 2967 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2968 au_uwrite(au_to_arg32((char)1, "asid", 2969 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2970 break; 2971 case AUE_AUDITON_SETKMASK: 2972 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2973 return; 2974 au_uwrite(au_to_arg32( 2975 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2976 au_uwrite(au_to_arg32( 2977 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2978 break; 2979 case AUE_AUDITON_SPOLICY: 2980 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2981 return; 2982 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2983 break; 2984 case AUE_AUDITON_SQCTRL: { 2985 STRUCT_DECL(au_qctrl, qctrl); 2986 model_t model; 2987 2988 model = get_udatamodel(); 2989 STRUCT_INIT(qctrl, model); 2990 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2991 return; 2992 if (model == DATAMODEL_ILP32) { 2993 au_uwrite(au_to_arg32( 2994 3, "setqctrl:aq_hiwater", 2995 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2996 au_uwrite(au_to_arg32( 2997 3, "setqctrl:aq_lowater", 2998 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2999 au_uwrite(au_to_arg32( 3000 3, "setqctrl:aq_bufsz", 3001 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3002 au_uwrite(au_to_arg32( 3003 3, "setqctrl:aq_delay", 3004 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3005 } else { 3006 au_uwrite(au_to_arg64( 3007 3, "setqctrl:aq_hiwater", 3008 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3009 au_uwrite(au_to_arg64( 3010 3, "setqctrl:aq_lowater", 3011 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3012 au_uwrite(au_to_arg64( 3013 3, "setqctrl:aq_bufsz", 3014 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3015 au_uwrite(au_to_arg64( 3016 3, "setqctrl:aq_delay", 3017 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3018 } 3019 break; 3020 } 3021 case AUE_AUDITON_SETUMASK: 3022 STRUCT_INIT(ainfo, get_udatamodel()); 3023 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3024 STRUCT_SIZE(ainfo))) { 3025 return; 3026 } 3027 au_uwrite(au_to_arg32(3, "setumask:as_success", 3028 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3029 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3030 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3031 break; 3032 case AUE_AUDITON_SETSMASK: 3033 STRUCT_INIT(ainfo, get_udatamodel()); 3034 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3035 STRUCT_SIZE(ainfo))) { 3036 return; 3037 } 3038 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3039 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3040 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3041 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3042 break; 3043 case AUE_AUDITON_SETCOND: 3044 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3045 return; 3046 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3047 break; 3048 case AUE_AUDITON_SETCLASS: 3049 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3050 return; 3051 au_uwrite(au_to_arg32( 3052 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3053 au_uwrite(au_to_arg32( 3054 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3055 break; 3056 case AUE_GETAUID: 3057 case AUE_GETAUDIT: 3058 case AUE_GETAUDIT_ADDR: 3059 case AUE_AUDIT: 3060 case AUE_AUDITON_GPOLICY: 3061 case AUE_AUDITON_GQCTRL: 3062 case AUE_AUDITON_GETKMASK: 3063 case AUE_AUDITON_GETCWD: 3064 case AUE_AUDITON_GETCAR: 3065 case AUE_AUDITON_GETSTAT: 3066 case AUE_AUDITON_SETSTAT: 3067 case AUE_AUDITON_GETCOND: 3068 case AUE_AUDITON_GETCLASS: 3069 break; 3070 default: 3071 break; 3072 } 3073 3074 } /* AUS_AUDITSYS */ 3075 3076 3077 /* only audit privileged operations for systeminfo(2) system call */ 3078 static au_event_t 3079 aui_sysinfo(au_event_t e) 3080 { 3081 klwp_t *clwp = ttolwp(curthread); 3082 uint32_t command; 3083 3084 struct a { 3085 long command; 3086 long buf; /* char * */ 3087 long count; 3088 } *uap = (struct a *)clwp->lwp_ap; 3089 3090 command = (uint32_t)uap->command; 3091 3092 switch (command) { 3093 case SI_SET_HOSTNAME: 3094 case SI_SET_SRPC_DOMAIN: 3095 e = (au_event_t)AUE_SYSINFO; 3096 break; 3097 default: 3098 e = (au_event_t)AUE_NULL; 3099 break; 3100 } 3101 return (e); 3102 } 3103 3104 /*ARGSUSED*/ 3105 static void 3106 aus_sysinfo(struct t_audit_data *tad) 3107 { 3108 klwp_t *clwp = ttolwp(curthread); 3109 uint32_t command; 3110 size_t len, maxlen; 3111 char *name; 3112 uintptr_t buf; 3113 3114 struct a { 3115 long command; 3116 long buf; /* char * */ 3117 long count; 3118 } *uap = (struct a *)clwp->lwp_ap; 3119 3120 command = (uint32_t)uap->command; 3121 buf = (uintptr_t)uap->buf; 3122 3123 au_uwrite(au_to_arg32(1, "cmd", command)); 3124 3125 switch (command) { 3126 case SI_SET_HOSTNAME: 3127 { 3128 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3129 return; 3130 3131 maxlen = SYS_NMLN; 3132 name = kmem_alloc(maxlen, KM_SLEEP); 3133 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3134 break; 3135 3136 /* 3137 * Must be non-NULL string and string 3138 * must be less than SYS_NMLN chars. 3139 */ 3140 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3141 break; 3142 3143 au_uwrite(au_to_text(name)); 3144 break; 3145 } 3146 3147 case SI_SET_SRPC_DOMAIN: 3148 { 3149 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3150 return; 3151 3152 maxlen = SYS_NMLN; 3153 name = kmem_alloc(maxlen, KM_SLEEP); 3154 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3155 break; 3156 3157 /* 3158 * If string passed in is longer than length 3159 * allowed for domain name, fail. 3160 */ 3161 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3162 break; 3163 3164 au_uwrite(au_to_text(name)); 3165 break; 3166 } 3167 3168 default: 3169 return; 3170 } 3171 3172 kmem_free(name, maxlen); 3173 } 3174 3175 static au_event_t 3176 aui_modctl(au_event_t e) 3177 { 3178 klwp_t *clwp = ttolwp(curthread); 3179 uint_t cmd; 3180 3181 struct a { 3182 long cmd; 3183 } *uap = (struct a *)clwp->lwp_ap; 3184 3185 cmd = (uint_t)uap->cmd; 3186 3187 switch (cmd) { 3188 case MODLOAD: 3189 e = AUE_MODLOAD; 3190 break; 3191 case MODUNLOAD: 3192 e = AUE_MODUNLOAD; 3193 break; 3194 case MODADDMAJBIND: 3195 e = AUE_MODADDMAJ; 3196 break; 3197 case MODSETDEVPOLICY: 3198 e = AUE_MODDEVPLCY; 3199 break; 3200 case MODALLOCPRIV: 3201 e = AUE_MODADDPRIV; 3202 break; 3203 default: 3204 e = AUE_NULL; 3205 break; 3206 } 3207 return (e); 3208 } 3209 3210 3211 /*ARGSUSED*/ 3212 static void 3213 aus_modctl(struct t_audit_data *tad) 3214 { 3215 klwp_t *clwp = ttolwp(curthread); 3216 void *a = clwp->lwp_ap; 3217 uint_t use_path; 3218 3219 switch (tad->tad_event) { 3220 case AUE_MODLOAD: { 3221 typedef struct { 3222 long cmd; 3223 long use_path; 3224 long filename; /* char * */ 3225 } modloada_t; 3226 3227 char *filenamep; 3228 uintptr_t fname; 3229 extern char *default_path; 3230 3231 fname = (uintptr_t)((modloada_t *)a)->filename; 3232 use_path = (uint_t)((modloada_t *)a)->use_path; 3233 3234 /* space to hold path */ 3235 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3236 /* get string */ 3237 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3238 /* free allocated path */ 3239 kmem_free(filenamep, MOD_MAXPATH); 3240 return; 3241 } 3242 /* ensure it's null terminated */ 3243 filenamep[MOD_MAXPATH - 1] = 0; 3244 3245 if (use_path) 3246 au_uwrite(au_to_text(default_path)); 3247 au_uwrite(au_to_text(filenamep)); 3248 3249 /* release temporary memory */ 3250 kmem_free(filenamep, MOD_MAXPATH); 3251 break; 3252 } 3253 case AUE_MODUNLOAD: { 3254 typedef struct { 3255 long cmd; 3256 long id; 3257 } modunloada_t; 3258 3259 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3260 3261 au_uwrite(au_to_arg32(1, "id", id)); 3262 break; 3263 } 3264 case AUE_MODADDMAJ: { 3265 STRUCT_DECL(modconfig, mc); 3266 typedef struct { 3267 long cmd; 3268 long subcmd; 3269 long data; /* int * */ 3270 } modconfiga_t; 3271 3272 STRUCT_DECL(aliases, alias); 3273 caddr_t ap; 3274 int i, num_aliases; 3275 char *drvname, *mc_drvname; 3276 char *name; 3277 extern char *ddi_major_to_name(major_t); 3278 model_t model; 3279 3280 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3281 3282 model = get_udatamodel(); 3283 STRUCT_INIT(mc, model); 3284 /* sanitize buffer */ 3285 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3286 /* get user arguments */ 3287 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3288 STRUCT_SIZE(mc)) != 0) 3289 return; 3290 3291 mc_drvname = STRUCT_FGET(mc, drvname); 3292 if ((drvname = ddi_major_to_name( 3293 (major_t)STRUCT_FGET(mc, major))) != NULL && 3294 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3295 /* safety */ 3296 if (mc_drvname[0] != '\0') { 3297 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3298 au_uwrite(au_to_text(mc_drvname)); 3299 } 3300 /* drvname != NULL from test above */ 3301 au_uwrite(au_to_text(drvname)); 3302 return; 3303 } 3304 3305 if (mc_drvname[0] != '\0') { 3306 /* safety */ 3307 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3308 au_uwrite(au_to_text(mc_drvname)); 3309 } else 3310 au_uwrite(au_to_text("no drvname")); 3311 3312 num_aliases = STRUCT_FGET(mc, num_aliases); 3313 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3314 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3315 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3316 STRUCT_INIT(alias, model); 3317 for (i = 0; i < num_aliases; i++) { 3318 bzero((caddr_t)STRUCT_BUF(alias), 3319 STRUCT_SIZE(alias)); 3320 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3321 STRUCT_SIZE(alias)) != 0) 3322 break; 3323 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3324 MAXMODCONFNAME, NULL) != 0) { 3325 break; 3326 } 3327 3328 au_uwrite(au_to_text(name)); 3329 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3330 } 3331 kmem_free(name, MAXMODCONFNAME); 3332 break; 3333 } 3334 default: 3335 break; 3336 } 3337 } 3338 3339 3340 /*ARGSUSED*/ 3341 static void 3342 auf_accept( 3343 struct t_audit_data *tad, 3344 int error, 3345 rval_t *rval) 3346 { 3347 uint32_t scid; 3348 uint32_t sy_flags; 3349 int fd; 3350 struct sonode *so; 3351 char so_laddr[sizeof (struct sockaddr_in6)]; 3352 char so_faddr[sizeof (struct sockaddr_in6)]; 3353 int err; 3354 short so_family, so_type; 3355 int add_sock_token = 0; 3356 3357 /* need to determine type of executing binary */ 3358 scid = tad->tad_scid; 3359 #ifdef _SYSCALL32_IMPL 3360 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3361 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3362 else 3363 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3364 #else 3365 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3366 #endif 3367 if (sy_flags == SE_32RVAL1) 3368 fd = rval->r_val1; 3369 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3370 fd = rval->r_val1; 3371 if (sy_flags == SE_64RVAL) 3372 fd = (int)rval->r_vals; 3373 3374 if (error) { 3375 /* can't trust socket contents. Just return */ 3376 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3377 return; 3378 } 3379 3380 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3381 /* 3382 * not security relevant if doing a accept from non socket 3383 * so no extra tokens. Should probably turn off audit record 3384 * generation here. 3385 */ 3386 return; 3387 } 3388 3389 so_family = so->so_family; 3390 so_type = so->so_type; 3391 3392 switch (so_family) { 3393 case AF_INET: 3394 case AF_INET6: 3395 /* 3396 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3397 */ 3398 if (so->so_type == SOCK_STREAM) { 3399 socklen_t len; 3400 3401 bzero((void *)so_laddr, sizeof (so_laddr)); 3402 bzero((void *)so_faddr, sizeof (so_faddr)); 3403 3404 len = sizeof (so_laddr); 3405 (void) socket_getsockname(so, 3406 (struct sockaddr *)so_laddr, &len, CRED()); 3407 len = sizeof (so_faddr); 3408 (void) socket_getpeername(so, 3409 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3410 3411 add_sock_token = 1; 3412 } 3413 break; 3414 3415 default: 3416 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3417 break; 3418 } 3419 3420 releasef(fd); 3421 3422 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3423 3424 if (add_sock_token == 0) { 3425 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3426 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3427 return; 3428 } 3429 3430 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3431 3432 } 3433 3434 /*ARGSUSED*/ 3435 static void 3436 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3437 { 3438 struct a { 3439 long fd; 3440 long addr; 3441 long len; 3442 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3443 3444 struct sonode *so; 3445 char so_laddr[sizeof (struct sockaddr_in6)]; 3446 char so_faddr[sizeof (struct sockaddr_in6)]; 3447 int err, fd; 3448 socklen_t len; 3449 short so_family, so_type; 3450 int add_sock_token = 0; 3451 3452 fd = (int)uap->fd; 3453 3454 /* 3455 * bind failed, then nothing extra to add to audit record. 3456 */ 3457 if (error) { 3458 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3459 /* XXX may want to add failed address some day */ 3460 return; 3461 } 3462 3463 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3464 /* 3465 * not security relevant if doing a bind from non socket 3466 * so no extra tokens. Should probably turn off audit record 3467 * generation here. 3468 */ 3469 return; 3470 } 3471 3472 so_family = so->so_family; 3473 so_type = so->so_type; 3474 3475 switch (so_family) { 3476 case AF_INET: 3477 case AF_INET6: 3478 3479 bzero(so_faddr, sizeof (so_faddr)); 3480 len = sizeof (so_faddr); 3481 3482 (void) socket_getpeername(so, 3483 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3484 add_sock_token = 1; 3485 3486 break; 3487 3488 case AF_UNIX: 3489 /* token added by lookup */ 3490 break; 3491 default: 3492 /* AF_ROUTE, AF_KEY do not support accept */ 3493 break; 3494 } 3495 3496 releasef(fd); 3497 3498 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3499 3500 if (add_sock_token == 0) { 3501 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3502 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3503 return; 3504 } 3505 3506 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3507 3508 } 3509 3510 /*ARGSUSED*/ 3511 static void 3512 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3513 { 3514 struct a { 3515 long fd; 3516 long addr; 3517 long len; 3518 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3519 3520 struct sonode *so; 3521 char so_laddr[sizeof (struct sockaddr_in6)]; 3522 char so_faddr[sizeof (struct sockaddr_in6)]; 3523 int err, fd; 3524 socklen_t len; 3525 short so_family, so_type; 3526 int add_sock_token = 0; 3527 3528 fd = (int)uap->fd; 3529 3530 3531 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3532 /* 3533 * not security relevant if doing a connect from non socket 3534 * so no extra tokens. Should probably turn off audit record 3535 * generation here. 3536 */ 3537 return; 3538 } 3539 3540 so_family = so->so_family; 3541 so_type = so->so_type; 3542 3543 switch (so_family) { 3544 case AF_INET: 3545 case AF_INET6: 3546 3547 bzero(so_laddr, sizeof (so_laddr)); 3548 bzero(so_faddr, sizeof (so_faddr)); 3549 3550 len = sizeof (so_laddr); 3551 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3552 &len, CRED()); 3553 if (error) { 3554 if (uap->addr == NULL) 3555 break; 3556 if (uap->len <= 0) 3557 break; 3558 len = min(uap->len, sizeof (so_faddr)); 3559 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3560 break; 3561 #ifdef NOTYET 3562 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3563 #endif 3564 } else { 3565 /* sanity check on length */ 3566 len = sizeof (so_faddr); 3567 (void) socket_getpeername(so, 3568 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3569 } 3570 3571 add_sock_token = 1; 3572 3573 break; 3574 3575 case AF_UNIX: 3576 /* does a lookup on name */ 3577 break; 3578 3579 default: 3580 /* AF_ROUTE, AF_KEY do not support accept */ 3581 break; 3582 } 3583 3584 releasef(fd); 3585 3586 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3587 3588 if (add_sock_token == 0) { 3589 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3590 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3591 return; 3592 } 3593 3594 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3595 3596 } 3597 3598 /*ARGSUSED*/ 3599 static void 3600 aus_shutdown(struct t_audit_data *tad) 3601 { 3602 struct a { 3603 long fd; 3604 long how; 3605 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3606 3607 struct sonode *so; 3608 char so_laddr[sizeof (struct sockaddr_in6)]; 3609 char so_faddr[sizeof (struct sockaddr_in6)]; 3610 int err, fd; 3611 socklen_t len; 3612 short so_family, so_type; 3613 int add_sock_token = 0; 3614 file_t *fp; /* unix domain sockets */ 3615 struct f_audit_data *fad; /* unix domain sockets */ 3616 3617 fd = (int)uap->fd; 3618 3619 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3620 /* 3621 * not security relevant if doing a shutdown using non socket 3622 * so no extra tokens. Should probably turn off audit record 3623 * generation here. 3624 */ 3625 return; 3626 } 3627 3628 so_family = so->so_family; 3629 so_type = so->so_type; 3630 3631 switch (so_family) { 3632 case AF_INET: 3633 case AF_INET6: 3634 3635 bzero(so_laddr, sizeof (so_laddr)); 3636 bzero(so_faddr, sizeof (so_faddr)); 3637 3638 len = sizeof (so_laddr); 3639 (void) socket_getsockname(so, 3640 (struct sockaddr *)so_laddr, &len, CRED()); 3641 len = sizeof (so_faddr); 3642 (void) socket_getpeername(so, 3643 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3644 3645 add_sock_token = 1; 3646 3647 break; 3648 3649 case AF_UNIX: 3650 3651 /* get path from file struct here */ 3652 fad = F2A(fp); 3653 ASSERT(fad); 3654 3655 if (fad->fad_aupath != NULL) { 3656 au_uwrite(au_to_path(fad->fad_aupath)); 3657 } else { 3658 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3659 } 3660 3661 audit_attributes(fp->f_vnode); 3662 3663 break; 3664 3665 default: 3666 /* 3667 * AF_KEY and AF_ROUTE support shutdown. No socket token 3668 * added. 3669 */ 3670 break; 3671 } 3672 3673 releasef(fd); 3674 3675 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3676 3677 if (add_sock_token == 0) { 3678 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3679 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3680 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3681 return; 3682 } 3683 3684 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3685 3686 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3687 3688 } 3689 3690 /*ARGSUSED*/ 3691 static void 3692 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3693 { 3694 struct a { 3695 long fd; 3696 long level; 3697 long optname; 3698 long *optval; 3699 long optlen; 3700 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3701 3702 struct sonode *so; 3703 char so_laddr[sizeof (struct sockaddr_in6)]; 3704 char so_faddr[sizeof (struct sockaddr_in6)]; 3705 char val[AU_BUFSIZE]; 3706 int err, fd; 3707 socklen_t len; 3708 short so_family, so_type; 3709 int add_sock_token = 0; 3710 file_t *fp; /* unix domain sockets */ 3711 struct f_audit_data *fad; /* unix domain sockets */ 3712 3713 fd = (int)uap->fd; 3714 3715 if (error) { 3716 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3717 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3718 /* XXX may want to include other arguments */ 3719 return; 3720 } 3721 3722 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3723 /* 3724 * not security relevant if doing a setsockopt from non socket 3725 * so no extra tokens. Should probably turn off audit record 3726 * generation here. 3727 */ 3728 return; 3729 } 3730 3731 so_family = so->so_family; 3732 so_type = so->so_type; 3733 3734 switch (so_family) { 3735 case AF_INET: 3736 case AF_INET6: 3737 bzero((void *)so_laddr, sizeof (so_laddr)); 3738 bzero((void *)so_faddr, sizeof (so_faddr)); 3739 3740 /* get local and foreign addresses */ 3741 len = sizeof (so_laddr); 3742 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3743 &len, CRED()); 3744 len = sizeof (so_faddr); 3745 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3746 &len, B_FALSE, CRED()); 3747 3748 add_sock_token = 1; 3749 3750 break; 3751 3752 case AF_UNIX: 3753 3754 /* get path from file struct here */ 3755 fad = F2A(fp); 3756 ASSERT(fad); 3757 3758 if (fad->fad_aupath != NULL) { 3759 au_uwrite(au_to_path(fad->fad_aupath)); 3760 } else { 3761 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3762 } 3763 3764 audit_attributes(fp->f_vnode); 3765 3766 break; 3767 3768 default: 3769 /* 3770 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3771 * added. 3772 */ 3773 break; 3774 } 3775 3776 releasef(fd); 3777 3778 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3779 3780 if (add_sock_token == 0) { 3781 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3782 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3783 } 3784 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3785 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3786 3787 bzero(val, sizeof (val)); 3788 len = min(uap->optlen, sizeof (val)); 3789 if ((len > 0) && 3790 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3791 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3792 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3793 } 3794 3795 if (add_sock_token == 0) 3796 return; 3797 3798 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3799 3800 } 3801 3802 /*ARGSUSED*/ 3803 static void 3804 aus_sockconfig(tad) 3805 struct t_audit_data *tad; 3806 { 3807 struct a { 3808 long domain; 3809 long type; 3810 long protocol; 3811 long devpath; 3812 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3813 3814 char *kdevpath; 3815 int kdevpathlen = MAXPATHLEN + 1; 3816 size_t size; 3817 3818 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3819 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3820 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3821 3822 if (uap->devpath == 0) { 3823 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3824 } else { 3825 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3826 3827 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3828 &size)) { 3829 kmem_free(kdevpath, kdevpathlen); 3830 return; 3831 } 3832 3833 if (size > MAXPATHLEN) { 3834 kmem_free(kdevpath, kdevpathlen); 3835 return; 3836 } 3837 3838 au_uwrite(au_to_text(kdevpath)); 3839 kmem_free(kdevpath, kdevpathlen); 3840 } 3841 } 3842 3843 /* 3844 * only audit recvmsg when the system call represents the creation of a new 3845 * circuit. This effectively occurs for all UDP packets and may occur for 3846 * special TCP situations where the local host has not set a local address 3847 * in the socket structure. 3848 */ 3849 /*ARGSUSED*/ 3850 static void 3851 auf_recvmsg( 3852 struct t_audit_data *tad, 3853 int error, 3854 rval_t *rvp) 3855 { 3856 struct a { 3857 long fd; 3858 long msg; /* struct msghdr */ 3859 long flags; 3860 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3861 3862 struct sonode *so; 3863 STRUCT_DECL(msghdr, msg); 3864 caddr_t msg_name; 3865 socklen_t msg_namelen; 3866 int fd; 3867 int err; 3868 char so_laddr[sizeof (struct sockaddr_in6)]; 3869 char so_faddr[sizeof (struct sockaddr_in6)]; 3870 socklen_t len; 3871 file_t *fp; /* unix domain sockets */ 3872 struct f_audit_data *fad; /* unix domain sockets */ 3873 short so_family, so_type; 3874 int add_sock_token = 0; 3875 au_kcontext_t *kctx = GET_KCTX_PZ; 3876 3877 fd = (int)uap->fd; 3878 3879 /* bail if an error */ 3880 if (error) { 3881 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3882 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3883 return; 3884 } 3885 3886 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3887 /* 3888 * not security relevant if doing a recvmsg from non socket 3889 * so no extra tokens. Should probably turn off audit record 3890 * generation here. 3891 */ 3892 return; 3893 } 3894 3895 so_family = so->so_family; 3896 so_type = so->so_type; 3897 3898 /* 3899 * only putout SOCKET_EX token if INET/INET6 family. 3900 * XXX - what do we do about other families? 3901 */ 3902 3903 switch (so_family) { 3904 case AF_INET: 3905 case AF_INET6: 3906 3907 /* 3908 * if datagram type socket, then just use what is in 3909 * socket structure for local address. 3910 * XXX - what do we do for other types? 3911 */ 3912 if ((so->so_type == SOCK_DGRAM) || 3913 (so->so_type == SOCK_RAW)) { 3914 add_sock_token = 1; 3915 3916 bzero((void *)so_laddr, sizeof (so_laddr)); 3917 bzero((void *)so_faddr, sizeof (so_faddr)); 3918 3919 /* get local address */ 3920 len = sizeof (so_laddr); 3921 (void) socket_getsockname(so, 3922 (struct sockaddr *)so_laddr, &len, CRED()); 3923 3924 /* get peer address */ 3925 STRUCT_INIT(msg, get_udatamodel()); 3926 3927 if (copyin((caddr_t)(uap->msg), 3928 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3929 break; 3930 } 3931 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3932 if (msg_name == NULL) { 3933 break; 3934 } 3935 3936 /* length is value from recvmsg - sanity check */ 3937 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3938 if (msg_namelen == 0) { 3939 break; 3940 } 3941 if (copyin(msg_name, so_faddr, 3942 sizeof (so_faddr)) != 0) { 3943 break; 3944 } 3945 3946 } else if (so->so_type == SOCK_STREAM) { 3947 3948 /* get path from file struct here */ 3949 fad = F2A(fp); 3950 ASSERT(fad); 3951 3952 /* 3953 * already processed this file for read attempt 3954 */ 3955 if (fad->fad_flags & FAD_READ) { 3956 /* don't want to audit every recvmsg attempt */ 3957 tad->tad_flag = 0; 3958 /* free any residual audit data */ 3959 au_close(kctx, &(u_ad), 0, 0, 0); 3960 releasef(fd); 3961 return; 3962 } 3963 /* 3964 * mark things so we know what happened and don't 3965 * repeat things 3966 */ 3967 fad->fad_flags |= FAD_READ; 3968 3969 bzero((void *)so_laddr, sizeof (so_laddr)); 3970 bzero((void *)so_faddr, sizeof (so_faddr)); 3971 3972 /* get local and foreign addresses */ 3973 len = sizeof (so_laddr); 3974 (void) socket_getsockname(so, 3975 (struct sockaddr *)so_laddr, &len, CRED()); 3976 len = sizeof (so_faddr); 3977 (void) socket_getpeername(so, 3978 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3979 3980 add_sock_token = 1; 3981 } 3982 3983 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3984 3985 break; 3986 3987 case AF_UNIX: 3988 /* 3989 * first check if this is first time through. Too much 3990 * duplicate code to put this in an aui_ routine. 3991 */ 3992 3993 /* get path from file struct here */ 3994 fad = F2A(fp); 3995 ASSERT(fad); 3996 3997 /* 3998 * already processed this file for read attempt 3999 */ 4000 if (fad->fad_flags & FAD_READ) { 4001 releasef(fd); 4002 /* don't want to audit every recvmsg attempt */ 4003 tad->tad_flag = 0; 4004 /* free any residual audit data */ 4005 au_close(kctx, &(u_ad), 0, 0, 0); 4006 return; 4007 } 4008 /* 4009 * mark things so we know what happened and don't 4010 * repeat things 4011 */ 4012 fad->fad_flags |= FAD_READ; 4013 4014 if (fad->fad_aupath != NULL) { 4015 au_uwrite(au_to_path(fad->fad_aupath)); 4016 } else { 4017 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4018 } 4019 4020 audit_attributes(fp->f_vnode); 4021 4022 releasef(fd); 4023 4024 return; 4025 4026 default: 4027 break; 4028 4029 } 4030 4031 releasef(fd); 4032 4033 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4034 4035 if (add_sock_token == 0) { 4036 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4037 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4038 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4039 return; 4040 } 4041 4042 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4043 4044 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4045 4046 } 4047 4048 /*ARGSUSED*/ 4049 static void 4050 auf_recvfrom( 4051 struct t_audit_data *tad, 4052 int error, 4053 rval_t *rvp) 4054 { 4055 4056 struct a { 4057 long fd; 4058 long msg; /* char */ 4059 long len; 4060 long flags; 4061 long from; /* struct sockaddr */ 4062 long fromlen; 4063 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4064 4065 socklen_t fromlen; 4066 struct sonode *so; 4067 char so_laddr[sizeof (struct sockaddr_in6)]; 4068 char so_faddr[sizeof (struct sockaddr_in6)]; 4069 int fd; 4070 short so_family, so_type; 4071 int add_sock_token = 0; 4072 socklen_t len; 4073 int err; 4074 struct file *fp; 4075 struct f_audit_data *fad; /* unix domain sockets */ 4076 au_kcontext_t *kctx = GET_KCTX_PZ; 4077 4078 fd = (int)uap->fd; 4079 4080 /* bail if an error */ 4081 if (error) { 4082 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4083 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4084 return; 4085 } 4086 4087 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4088 /* 4089 * not security relevant if doing a recvmsg from non socket 4090 * so no extra tokens. Should probably turn off audit record 4091 * generation here. 4092 */ 4093 return; 4094 } 4095 4096 so_family = so->so_family; 4097 so_type = so->so_type; 4098 4099 /* 4100 * only putout SOCKET_EX token if INET/INET6 family. 4101 * XXX - what do we do about other families? 4102 */ 4103 4104 switch (so_family) { 4105 case AF_INET: 4106 case AF_INET6: 4107 4108 /* 4109 * if datagram type socket, then just use what is in 4110 * socket structure for local address. 4111 * XXX - what do we do for other types? 4112 */ 4113 if ((so->so_type == SOCK_DGRAM) || 4114 (so->so_type == SOCK_RAW)) { 4115 add_sock_token = 1; 4116 4117 /* get local address */ 4118 len = sizeof (so_laddr); 4119 (void) socket_getsockname(so, 4120 (struct sockaddr *)so_laddr, &len, CRED()); 4121 4122 /* get peer address */ 4123 bzero((void *)so_faddr, sizeof (so_faddr)); 4124 4125 /* sanity check */ 4126 if (uap->from == NULL) 4127 break; 4128 4129 /* sanity checks */ 4130 if (uap->fromlen == 0) 4131 break; 4132 4133 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4134 sizeof (fromlen)) != 0) 4135 break; 4136 4137 if (fromlen == 0) 4138 break; 4139 4140 /* enforce maximum size */ 4141 if (fromlen > sizeof (so_faddr)) 4142 fromlen = sizeof (so_faddr); 4143 4144 if (copyin((caddr_t)(uap->from), so_faddr, 4145 fromlen) != 0) 4146 break; 4147 4148 } else if (so->so_type == SOCK_STREAM) { 4149 4150 /* get path from file struct here */ 4151 fad = F2A(fp); 4152 ASSERT(fad); 4153 4154 /* 4155 * already processed this file for read attempt 4156 */ 4157 if (fad->fad_flags & FAD_READ) { 4158 /* don't want to audit every recvfrom attempt */ 4159 tad->tad_flag = 0; 4160 /* free any residual audit data */ 4161 au_close(kctx, &(u_ad), 0, 0, 0); 4162 releasef(fd); 4163 return; 4164 } 4165 /* 4166 * mark things so we know what happened and don't 4167 * repeat things 4168 */ 4169 fad->fad_flags |= FAD_READ; 4170 4171 bzero((void *)so_laddr, sizeof (so_laddr)); 4172 bzero((void *)so_faddr, sizeof (so_faddr)); 4173 4174 /* get local and foreign addresses */ 4175 len = sizeof (so_laddr); 4176 (void) socket_getsockname(so, 4177 (struct sockaddr *)so_laddr, &len, CRED()); 4178 len = sizeof (so_faddr); 4179 (void) socket_getpeername(so, 4180 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4181 4182 add_sock_token = 1; 4183 } 4184 4185 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4186 4187 break; 4188 4189 case AF_UNIX: 4190 /* 4191 * first check if this is first time through. Too much 4192 * duplicate code to put this in an aui_ routine. 4193 */ 4194 4195 /* get path from file struct here */ 4196 fad = F2A(fp); 4197 ASSERT(fad); 4198 4199 /* 4200 * already processed this file for read attempt 4201 */ 4202 if (fad->fad_flags & FAD_READ) { 4203 /* don't want to audit every recvfrom attempt */ 4204 tad->tad_flag = 0; 4205 /* free any residual audit data */ 4206 au_close(kctx, &(u_ad), 0, 0, 0); 4207 releasef(fd); 4208 return; 4209 } 4210 /* 4211 * mark things so we know what happened and don't 4212 * repeat things 4213 */ 4214 fad->fad_flags |= FAD_READ; 4215 4216 if (fad->fad_aupath != NULL) { 4217 au_uwrite(au_to_path(fad->fad_aupath)); 4218 } else { 4219 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4220 } 4221 4222 audit_attributes(fp->f_vnode); 4223 4224 releasef(fd); 4225 4226 return; 4227 4228 default: 4229 break; 4230 4231 } 4232 4233 releasef(fd); 4234 4235 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4236 4237 if (add_sock_token == 0) { 4238 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4239 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4240 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4241 return; 4242 } 4243 4244 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4245 4246 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4247 } 4248 4249 /*ARGSUSED*/ 4250 static void 4251 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4252 { 4253 struct a { 4254 long fd; 4255 long msg; /* struct msghdr */ 4256 long flags; 4257 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4258 4259 struct sonode *so; 4260 char so_laddr[sizeof (struct sockaddr_in6)]; 4261 char so_faddr[sizeof (struct sockaddr_in6)]; 4262 int err; 4263 int fd; 4264 short so_family, so_type; 4265 int add_sock_token = 0; 4266 socklen_t len; 4267 struct file *fp; 4268 struct f_audit_data *fad; 4269 caddr_t msg_name; 4270 socklen_t msg_namelen; 4271 STRUCT_DECL(msghdr, msg); 4272 au_kcontext_t *kctx = GET_KCTX_PZ; 4273 4274 fd = (int)uap->fd; 4275 4276 /* bail if an error */ 4277 if (error) { 4278 /* XXX include destination address from system call arguments */ 4279 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4280 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4281 return; 4282 } 4283 4284 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4285 /* 4286 * not security relevant if doing a sendmsg from non socket 4287 * so no extra tokens. Should probably turn off audit record 4288 * generation here. 4289 */ 4290 return; 4291 } 4292 4293 so_family = so->so_family; 4294 so_type = so->so_type; 4295 4296 switch (so_family) { 4297 case AF_INET: 4298 case AF_INET6: 4299 /* 4300 * if datagram type socket, then just use what is in 4301 * socket structure for local address. 4302 * XXX - what do we do for other types? 4303 */ 4304 if ((so->so_type == SOCK_DGRAM) || 4305 (so->so_type == SOCK_RAW)) { 4306 4307 bzero((void *)so_laddr, sizeof (so_laddr)); 4308 bzero((void *)so_faddr, sizeof (so_faddr)); 4309 4310 /* get local address */ 4311 len = sizeof (so_laddr); 4312 (void) socket_getsockname(so, 4313 (struct sockaddr *)so_laddr, &len, CRED()); 4314 4315 /* get peer address */ 4316 STRUCT_INIT(msg, get_udatamodel()); 4317 4318 if (copyin((caddr_t)(uap->msg), 4319 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4320 break; 4321 } 4322 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4323 if (msg_name == NULL) 4324 break; 4325 4326 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4327 /* length is value from recvmsg - sanity check */ 4328 if (msg_namelen == 0) 4329 break; 4330 4331 if (copyin(msg_name, so_faddr, 4332 sizeof (so_faddr)) != 0) 4333 break; 4334 4335 add_sock_token = 1; 4336 4337 } else if (so->so_type == SOCK_STREAM) { 4338 4339 /* get path from file struct here */ 4340 fad = F2A(fp); 4341 ASSERT(fad); 4342 4343 /* 4344 * already processed this file for write attempt 4345 */ 4346 if (fad->fad_flags & FAD_WRITE) { 4347 releasef(fd); 4348 /* don't want to audit every sendmsg attempt */ 4349 tad->tad_flag = 0; 4350 /* free any residual audit data */ 4351 au_close(kctx, &(u_ad), 0, 0, 0); 4352 return; 4353 } 4354 4355 /* 4356 * mark things so we know what happened and don't 4357 * repeat things 4358 */ 4359 fad->fad_flags |= FAD_WRITE; 4360 4361 bzero((void *)so_laddr, sizeof (so_laddr)); 4362 bzero((void *)so_faddr, sizeof (so_faddr)); 4363 4364 /* get local and foreign addresses */ 4365 len = sizeof (so_laddr); 4366 (void) socket_getsockname(so, 4367 (struct sockaddr *)so_laddr, &len, CRED()); 4368 len = sizeof (so_faddr); 4369 (void) socket_getpeername(so, 4370 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4371 4372 add_sock_token = 1; 4373 } 4374 4375 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4376 4377 break; 4378 4379 case AF_UNIX: 4380 /* 4381 * first check if this is first time through. Too much 4382 * duplicate code to put this in an aui_ routine. 4383 */ 4384 4385 /* get path from file struct here */ 4386 fad = F2A(fp); 4387 ASSERT(fad); 4388 4389 /* 4390 * already processed this file for write attempt 4391 */ 4392 if (fad->fad_flags & FAD_WRITE) { 4393 releasef(fd); 4394 /* don't want to audit every sendmsg attempt */ 4395 tad->tad_flag = 0; 4396 /* free any residual audit data */ 4397 au_close(kctx, &(u_ad), 0, 0, 0); 4398 return; 4399 } 4400 /* 4401 * mark things so we know what happened and don't 4402 * repeat things 4403 */ 4404 fad->fad_flags |= FAD_WRITE; 4405 4406 if (fad->fad_aupath != NULL) { 4407 au_uwrite(au_to_path(fad->fad_aupath)); 4408 } else { 4409 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4410 } 4411 4412 audit_attributes(fp->f_vnode); 4413 4414 releasef(fd); 4415 4416 return; 4417 4418 default: 4419 break; 4420 } 4421 4422 releasef(fd); 4423 4424 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4425 4426 if (add_sock_token == 0) { 4427 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4428 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4429 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4430 return; 4431 } 4432 4433 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4434 4435 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4436 } 4437 4438 /*ARGSUSED*/ 4439 static void 4440 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4441 { 4442 struct a { 4443 long fd; 4444 long msg; /* char */ 4445 long len; 4446 long flags; 4447 long to; /* struct sockaddr */ 4448 long tolen; 4449 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4450 4451 struct sonode *so; 4452 char so_laddr[sizeof (struct sockaddr_in6)]; 4453 char so_faddr[sizeof (struct sockaddr_in6)]; 4454 socklen_t tolen; 4455 int err; 4456 int fd; 4457 socklen_t len; 4458 short so_family, so_type; 4459 int add_sock_token = 0; 4460 struct file *fp; 4461 struct f_audit_data *fad; 4462 au_kcontext_t *kctx = GET_KCTX_PZ; 4463 4464 fd = (int)uap->fd; 4465 4466 /* bail if an error */ 4467 if (error) { 4468 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4469 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4470 /* XXX include destination address from system call arguments */ 4471 return; 4472 } 4473 4474 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4475 /* 4476 * not security relevant if doing a sendto using non socket 4477 * so no extra tokens. Should probably turn off audit record 4478 * generation here. 4479 */ 4480 return; 4481 } 4482 4483 so_family = so->so_family; 4484 so_type = so->so_type; 4485 4486 /* 4487 * only putout SOCKET_EX token if INET/INET6 family. 4488 * XXX - what do we do about other families? 4489 */ 4490 4491 switch (so_family) { 4492 case AF_INET: 4493 case AF_INET6: 4494 4495 /* 4496 * if datagram type socket, then just use what is in 4497 * socket structure for local address. 4498 * XXX - what do we do for other types? 4499 */ 4500 if ((so->so_type == SOCK_DGRAM) || 4501 (so->so_type == SOCK_RAW)) { 4502 4503 bzero((void *)so_laddr, sizeof (so_laddr)); 4504 bzero((void *)so_faddr, sizeof (so_faddr)); 4505 4506 /* get local address */ 4507 len = sizeof (so_laddr); 4508 (void) socket_getsockname(so, 4509 (struct sockaddr *)so_laddr, &len, CRED()); 4510 4511 /* get peer address */ 4512 4513 /* sanity check */ 4514 if (uap->to == NULL) 4515 break; 4516 4517 /* sanity checks */ 4518 if (uap->tolen == 0) 4519 break; 4520 4521 tolen = (socklen_t)uap->tolen; 4522 4523 /* enforce maximum size */ 4524 if (tolen > sizeof (so_faddr)) 4525 tolen = sizeof (so_faddr); 4526 4527 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4528 break; 4529 4530 add_sock_token = 1; 4531 } else { 4532 /* 4533 * check if this is first time through. 4534 */ 4535 4536 /* get path from file struct here */ 4537 fad = F2A(fp); 4538 ASSERT(fad); 4539 4540 /* 4541 * already processed this file for write attempt 4542 */ 4543 if (fad->fad_flags & FAD_WRITE) { 4544 /* don't want to audit every sendto attempt */ 4545 tad->tad_flag = 0; 4546 /* free any residual audit data */ 4547 au_close(kctx, &(u_ad), 0, 0, 0); 4548 releasef(fd); 4549 return; 4550 } 4551 /* 4552 * mark things so we know what happened and don't 4553 * repeat things 4554 */ 4555 fad->fad_flags |= FAD_WRITE; 4556 4557 bzero((void *)so_laddr, sizeof (so_laddr)); 4558 bzero((void *)so_faddr, sizeof (so_faddr)); 4559 4560 /* get local and foreign addresses */ 4561 len = sizeof (so_laddr); 4562 (void) socket_getsockname(so, 4563 (struct sockaddr *)so_laddr, &len, CRED()); 4564 len = sizeof (so_faddr); 4565 (void) socket_getpeername(so, 4566 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4567 4568 add_sock_token = 1; 4569 } 4570 4571 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4572 4573 break; 4574 4575 case AF_UNIX: 4576 /* 4577 * first check if this is first time through. Too much 4578 * duplicate code to put this in an aui_ routine. 4579 */ 4580 4581 /* get path from file struct here */ 4582 fad = F2A(fp); 4583 ASSERT(fad); 4584 4585 /* 4586 * already processed this file for write attempt 4587 */ 4588 if (fad->fad_flags & FAD_WRITE) { 4589 /* don't want to audit every sendto attempt */ 4590 tad->tad_flag = 0; 4591 /* free any residual audit data */ 4592 au_close(kctx, &(u_ad), 0, 0, 0); 4593 releasef(fd); 4594 return; 4595 } 4596 /* 4597 * mark things so we know what happened and don't 4598 * repeat things 4599 */ 4600 fad->fad_flags |= FAD_WRITE; 4601 4602 if (fad->fad_aupath != NULL) { 4603 au_uwrite(au_to_path(fad->fad_aupath)); 4604 } else { 4605 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4606 } 4607 4608 audit_attributes(fp->f_vnode); 4609 4610 releasef(fd); 4611 4612 return; 4613 4614 default: 4615 break; 4616 4617 } 4618 4619 releasef(fd); 4620 4621 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4622 4623 if (add_sock_token == 0) { 4624 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4625 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4626 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4627 return; 4628 } 4629 4630 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4631 4632 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4633 4634 } 4635 4636 /* 4637 * XXX socket(2) may be equivalent to open(2) on a unix domain 4638 * socket. This needs investigation. 4639 */ 4640 4641 /*ARGSUSED*/ 4642 static void 4643 aus_socket(struct t_audit_data *tad) 4644 { 4645 struct a { 4646 long domain; 4647 long type; 4648 long protocol; 4649 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4650 4651 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4652 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4653 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4654 } 4655 4656 /*ARGSUSED*/ 4657 static void 4658 aus_sigqueue(struct t_audit_data *tad) 4659 { 4660 struct a { 4661 long pid; 4662 long signo; 4663 long *val; 4664 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4665 struct proc *p; 4666 uid_t uid, ruid; 4667 gid_t gid, rgid; 4668 pid_t pid; 4669 const auditinfo_addr_t *ainfo; 4670 cred_t *cr; 4671 4672 pid = (pid_t)uap->pid; 4673 4674 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4675 if (pid > 0) { 4676 mutex_enter(&pidlock); 4677 if ((p = prfind(pid)) == (struct proc *)0) { 4678 mutex_exit(&pidlock); 4679 return; 4680 } 4681 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4682 mutex_exit(&pidlock); 4683 4684 mutex_enter(&p->p_crlock); 4685 crhold(cr = p->p_cred); 4686 mutex_exit(&p->p_crlock); 4687 mutex_exit(&p->p_lock); 4688 4689 ainfo = crgetauinfo(cr); 4690 if (ainfo == NULL) { 4691 crfree(cr); 4692 return; 4693 } 4694 4695 uid = crgetuid(cr); 4696 gid = crgetgid(cr); 4697 ruid = crgetruid(cr); 4698 rgid = crgetrgid(cr); 4699 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4700 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4701 crfree(cr); 4702 } 4703 else 4704 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4705 } 4706 4707 /*ARGSUSED*/ 4708 static void 4709 aus_inst_sync(struct t_audit_data *tad) 4710 { 4711 struct a { 4712 long name; /* char */ 4713 long flags; 4714 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4715 4716 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4717 } 4718 4719 /*ARGSUSED*/ 4720 static void 4721 aus_brandsys(struct t_audit_data *tad) 4722 { 4723 klwp_t *clwp = ttolwp(curthread); 4724 4725 struct a { 4726 long cmd; 4727 long arg1; 4728 long arg2; 4729 long arg3; 4730 long arg4; 4731 long arg5; 4732 long arg6; 4733 } *uap = (struct a *)clwp->lwp_ap; 4734 4735 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4736 #ifdef _LP64 4737 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4738 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4739 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4740 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4741 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4742 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4743 #else 4744 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4745 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4746 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4747 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4748 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4749 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4750 #endif 4751 } 4752 4753 /*ARGSUSED*/ 4754 static void 4755 aus_p_online(struct t_audit_data *tad) 4756 { 4757 struct a { 4758 long processor_id; 4759 long flag; 4760 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4761 4762 struct flags { 4763 int flag; 4764 char *cflag; 4765 } aflags[6] = { 4766 { P_ONLINE, "P_ONLINE"}, 4767 { P_OFFLINE, "P_OFFLINE"}, 4768 { P_NOINTR, "P_NOINTR"}, 4769 { P_SPARE, "P_SPARE"}, 4770 { P_FAULTED, "P_FAULTED"}, 4771 { P_STATUS, "P_STATUS"} 4772 }; 4773 int i; 4774 char *cflag; 4775 4776 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4777 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4778 4779 for (i = 0; i < 6; i++) { 4780 if (aflags[i].flag == uap->flag) 4781 break; 4782 } 4783 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4784 4785 au_uwrite(au_to_text(cflag)); 4786 } 4787 4788 /*ARGSUSED*/ 4789 static void 4790 aus_processor_bind(struct t_audit_data *tad) 4791 { 4792 struct a { 4793 long id_type; 4794 long id; 4795 long processor_id; 4796 long obind; 4797 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4798 4799 struct proc *p; 4800 int lwpcnt; 4801 uid_t uid, ruid; 4802 gid_t gid, rgid; 4803 pid_t pid; 4804 const auditinfo_addr_t *ainfo; 4805 cred_t *cr; 4806 4807 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4808 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4809 if (uap->processor_id == PBIND_NONE) 4810 au_uwrite(au_to_text("PBIND_NONE")); 4811 else 4812 au_uwrite(au_to_arg32(3, "processor_id", 4813 (uint32_t)uap->processor_id)); 4814 4815 switch (uap->id_type) { 4816 case P_MYID: 4817 case P_LWPID: 4818 mutex_enter(&pidlock); 4819 p = ttoproc(curthread); 4820 if (p == NULL || p->p_as == &kas) { 4821 mutex_exit(&pidlock); 4822 return; 4823 } 4824 mutex_enter(&p->p_lock); 4825 mutex_exit(&pidlock); 4826 lwpcnt = p->p_lwpcnt; 4827 pid = p->p_pid; 4828 4829 mutex_enter(&p->p_crlock); 4830 crhold(cr = p->p_cred); 4831 mutex_exit(&p->p_crlock); 4832 mutex_exit(&p->p_lock); 4833 4834 ainfo = crgetauinfo(cr); 4835 if (ainfo == NULL) { 4836 crfree(cr); 4837 return; 4838 } 4839 4840 uid = crgetuid(cr); 4841 gid = crgetgid(cr); 4842 ruid = crgetruid(cr); 4843 rgid = crgetrgid(cr); 4844 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4845 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4846 crfree(cr); 4847 break; 4848 case P_PID: 4849 mutex_enter(&pidlock); 4850 p = prfind(uap->id); 4851 if (p == NULL || p->p_as == &kas) { 4852 mutex_exit(&pidlock); 4853 return; 4854 } 4855 mutex_enter(&p->p_lock); 4856 mutex_exit(&pidlock); 4857 lwpcnt = p->p_lwpcnt; 4858 pid = p->p_pid; 4859 4860 mutex_enter(&p->p_crlock); 4861 crhold(cr = p->p_cred); 4862 mutex_exit(&p->p_crlock); 4863 mutex_exit(&p->p_lock); 4864 4865 ainfo = crgetauinfo(cr); 4866 if (ainfo == NULL) { 4867 crfree(cr); 4868 return; 4869 } 4870 4871 uid = crgetuid(cr); 4872 gid = crgetgid(cr); 4873 ruid = crgetruid(cr); 4874 rgid = crgetrgid(cr); 4875 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4876 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4877 crfree(cr); 4878 4879 break; 4880 default: 4881 return; 4882 } 4883 4884 if (uap->processor_id == PBIND_NONE && 4885 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4886 au_uwrite(au_to_text("PBIND_NONE for process")); 4887 else 4888 au_uwrite(au_to_arg32(3, "processor_id", 4889 (uint32_t)uap->processor_id)); 4890 } 4891 4892 /*ARGSUSED*/ 4893 static au_event_t 4894 aui_doorfs(au_event_t e) 4895 { 4896 uint32_t code; 4897 4898 struct a { /* doorfs */ 4899 long a1; 4900 long a2; 4901 long a3; 4902 long a4; 4903 long a5; 4904 long code; 4905 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4906 4907 /* 4908 * audit formats for several of the 4909 * door calls have not yet been determined 4910 */ 4911 code = (uint32_t)uap->code; 4912 switch (code) { 4913 case DOOR_CALL: 4914 e = AUE_DOORFS_DOOR_CALL; 4915 break; 4916 case DOOR_RETURN: 4917 e = AUE_NULL; 4918 break; 4919 case DOOR_CREATE: 4920 e = AUE_DOORFS_DOOR_CREATE; 4921 break; 4922 case DOOR_REVOKE: 4923 e = AUE_DOORFS_DOOR_REVOKE; 4924 break; 4925 case DOOR_INFO: 4926 e = AUE_NULL; 4927 break; 4928 case DOOR_UCRED: 4929 e = AUE_NULL; 4930 break; 4931 case DOOR_BIND: 4932 e = AUE_NULL; 4933 break; 4934 case DOOR_UNBIND: 4935 e = AUE_NULL; 4936 break; 4937 case DOOR_GETPARAM: 4938 e = AUE_NULL; 4939 break; 4940 case DOOR_SETPARAM: 4941 e = AUE_NULL; 4942 break; 4943 default: /* illegal system call */ 4944 e = AUE_NULL; 4945 break; 4946 } 4947 4948 return (e); 4949 } 4950 4951 static door_node_t * 4952 au_door_lookup(int did) 4953 { 4954 vnode_t *vp; 4955 file_t *fp; 4956 4957 if ((fp = getf(did)) == NULL) 4958 return (NULL); 4959 /* 4960 * Use the underlying vnode (we may be namefs mounted) 4961 */ 4962 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 4963 vp = fp->f_vnode; 4964 4965 if (vp == NULL || vp->v_type != VDOOR) { 4966 releasef(did); 4967 return (NULL); 4968 } 4969 4970 return (VTOD(vp)); 4971 } 4972 4973 /*ARGSUSED*/ 4974 static void 4975 aus_doorfs(struct t_audit_data *tad) 4976 { 4977 4978 struct a { /* doorfs */ 4979 long a1; 4980 long a2; 4981 long a3; 4982 long a4; 4983 long a5; 4984 long code; 4985 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4986 4987 door_node_t *dp; 4988 struct proc *p; 4989 uint32_t did; 4990 uid_t uid, ruid; 4991 gid_t gid, rgid; 4992 pid_t pid; 4993 const auditinfo_addr_t *ainfo; 4994 cred_t *cr; 4995 4996 did = (uint32_t)uap->a1; 4997 4998 switch (tad->tad_event) { 4999 case AUE_DOORFS_DOOR_CALL: 5000 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5001 if ((dp = au_door_lookup(did)) == NULL) 5002 break; 5003 5004 if (DOOR_INVALID(dp)) { 5005 releasef(did); 5006 break; 5007 } 5008 5009 if ((p = dp->door_target) == NULL) { 5010 releasef(did); 5011 break; 5012 } 5013 mutex_enter(&p->p_lock); 5014 releasef(did); 5015 5016 pid = p->p_pid; 5017 5018 mutex_enter(&p->p_crlock); 5019 crhold(cr = p->p_cred); 5020 mutex_exit(&p->p_crlock); 5021 mutex_exit(&p->p_lock); 5022 5023 ainfo = crgetauinfo(cr); 5024 if (ainfo == NULL) { 5025 crfree(cr); 5026 return; 5027 } 5028 uid = crgetuid(cr); 5029 gid = crgetgid(cr); 5030 ruid = crgetruid(cr); 5031 rgid = crgetrgid(cr); 5032 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5033 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5034 crfree(cr); 5035 break; 5036 case AUE_DOORFS_DOOR_RETURN: 5037 /* 5038 * We may want to write information about 5039 * all doors (if any) which will be copied 5040 * by this call to the user space 5041 */ 5042 break; 5043 case AUE_DOORFS_DOOR_CREATE: 5044 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5045 break; 5046 case AUE_DOORFS_DOOR_REVOKE: 5047 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5048 break; 5049 case AUE_DOORFS_DOOR_INFO: 5050 break; 5051 case AUE_DOORFS_DOOR_CRED: 5052 break; 5053 case AUE_DOORFS_DOOR_BIND: 5054 break; 5055 case AUE_DOORFS_DOOR_UNBIND: { 5056 break; 5057 } 5058 default: /* illegal system call */ 5059 break; 5060 } 5061 } 5062 5063 /*ARGSUSED*/ 5064 static au_event_t 5065 aui_acl(au_event_t e) 5066 { 5067 struct a { 5068 union { 5069 long name; /* char */ 5070 long fd; 5071 } obj; 5072 5073 long cmd; 5074 long nentries; 5075 long arg; /* aclent_t */ 5076 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5077 5078 switch (uap->cmd) { 5079 case SETACL: 5080 case ACE_SETACL: 5081 /* 5082 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5083 * are expected. 5084 */ 5085 break; 5086 case GETACL: 5087 case GETACLCNT: 5088 case ACE_GETACL: 5089 case ACE_GETACLCNT: 5090 /* do nothing for these four values. */ 5091 e = AUE_NULL; 5092 break; 5093 default: 5094 /* illegal system call */ 5095 break; 5096 } 5097 5098 return (e); 5099 } 5100 5101 static void 5102 au_acl(int cmd, int nentries, caddr_t bufp) 5103 { 5104 size_t a_size; 5105 aclent_t *aclbufp; 5106 ace_t *acebufp; 5107 int i; 5108 5109 switch (cmd) { 5110 case GETACL: 5111 case GETACLCNT: 5112 break; 5113 case SETACL: 5114 if (nentries < 3) 5115 break; 5116 5117 a_size = nentries * sizeof (aclent_t); 5118 5119 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5120 break; 5121 if (copyin(bufp, aclbufp, a_size)) { 5122 kmem_free(aclbufp, a_size); 5123 break; 5124 } 5125 for (i = 0; i < nentries; i++) { 5126 au_uwrite(au_to_acl(aclbufp + i)); 5127 } 5128 kmem_free(aclbufp, a_size); 5129 break; 5130 5131 case ACE_SETACL: 5132 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5133 break; 5134 5135 a_size = nentries * sizeof (ace_t); 5136 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5137 break; 5138 if (copyin(bufp, acebufp, a_size)) { 5139 kmem_free(acebufp, a_size); 5140 break; 5141 } 5142 for (i = 0; i < nentries; i++) { 5143 au_uwrite(au_to_ace(acebufp + i)); 5144 } 5145 kmem_free(acebufp, a_size); 5146 break; 5147 default: 5148 break; 5149 } 5150 } 5151 5152 /*ARGSUSED*/ 5153 static void 5154 aus_acl(struct t_audit_data *tad) 5155 { 5156 struct a { 5157 long fname; 5158 long cmd; 5159 long nentries; 5160 long aclbufp; 5161 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5162 5163 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5164 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5165 5166 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5167 } 5168 5169 /*ARGSUSED*/ 5170 static void 5171 aus_facl(struct t_audit_data *tad) 5172 { 5173 struct a { 5174 long fd; 5175 long cmd; 5176 long nentries; 5177 long aclbufp; 5178 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5179 struct file *fp; 5180 struct vnode *vp; 5181 struct f_audit_data *fad; 5182 int fd; 5183 5184 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5185 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5186 5187 fd = (int)uap->fd; 5188 5189 if ((fp = getf(fd)) == NULL) 5190 return; 5191 5192 /* get path from file struct here */ 5193 fad = F2A(fp); 5194 if (fad->fad_aupath != NULL) { 5195 au_uwrite(au_to_path(fad->fad_aupath)); 5196 } else { 5197 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5198 } 5199 5200 vp = fp->f_vnode; 5201 audit_attributes(vp); 5202 5203 /* decrement file descriptor reference count */ 5204 releasef(fd); 5205 5206 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5207 } 5208 5209 /*ARGSUSED*/ 5210 static void 5211 auf_read(tad, error, rval) 5212 struct t_audit_data *tad; 5213 int error; 5214 rval_t *rval; 5215 { 5216 struct file *fp; 5217 struct f_audit_data *fad; 5218 int fd; 5219 register struct a { 5220 long fd; 5221 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5222 au_kcontext_t *kctx = GET_KCTX_PZ; 5223 5224 fd = (int)uap->fd; 5225 5226 /* 5227 * convert file pointer to file descriptor 5228 * Note: fd ref count incremented here. 5229 */ 5230 if ((fp = getf(fd)) == NULL) 5231 return; 5232 5233 /* get path from file struct here */ 5234 fad = F2A(fp); 5235 ASSERT(fad); 5236 5237 /* 5238 * already processed this file for read attempt 5239 * 5240 * XXX might be better to turn off auditing in a aui_read() routine. 5241 */ 5242 if (fad->fad_flags & FAD_READ) { 5243 /* don't really want to audit every read attempt */ 5244 tad->tad_flag = 0; 5245 /* free any residual audit data */ 5246 au_close(kctx, &(u_ad), 0, 0, 0); 5247 releasef(fd); 5248 return; 5249 } 5250 /* mark things so we know what happened and don't repeat things */ 5251 fad->fad_flags |= FAD_READ; 5252 5253 if (fad->fad_aupath != NULL) { 5254 au_uwrite(au_to_path(fad->fad_aupath)); 5255 } else { 5256 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5257 } 5258 5259 /* include attributes */ 5260 audit_attributes(fp->f_vnode); 5261 5262 /* decrement file descriptor reference count */ 5263 releasef(fd); 5264 } 5265 5266 /*ARGSUSED*/ 5267 static void 5268 auf_write(tad, error, rval) 5269 struct t_audit_data *tad; 5270 int error; 5271 rval_t *rval; 5272 { 5273 struct file *fp; 5274 struct f_audit_data *fad; 5275 int fd; 5276 register struct a { 5277 long fd; 5278 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5279 au_kcontext_t *kctx = GET_KCTX_PZ; 5280 5281 fd = (int)uap->fd; 5282 5283 /* 5284 * convert file pointer to file descriptor 5285 * Note: fd ref count incremented here. 5286 */ 5287 if ((fp = getf(fd)) == NULL) 5288 return; 5289 5290 /* get path from file struct here */ 5291 fad = F2A(fp); 5292 ASSERT(fad); 5293 5294 /* 5295 * already processed this file for write attempt 5296 * 5297 * XXX might be better to turn off auditing in a aus_write() routine. 5298 */ 5299 if (fad->fad_flags & FAD_WRITE) { 5300 /* don't really want to audit every write attempt */ 5301 tad->tad_flag = 0; 5302 /* free any residual audit data */ 5303 au_close(kctx, &(u_ad), 0, 0, 0); 5304 releasef(fd); 5305 return; 5306 } 5307 /* mark things so we know what happened and don't repeat things */ 5308 fad->fad_flags |= FAD_WRITE; 5309 5310 if (fad->fad_aupath != NULL) { 5311 au_uwrite(au_to_path(fad->fad_aupath)); 5312 } else { 5313 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5314 } 5315 5316 /* include attributes */ 5317 audit_attributes(fp->f_vnode); 5318 5319 /* decrement file descriptor reference count */ 5320 releasef(fd); 5321 } 5322 5323 /*ARGSUSED*/ 5324 static void 5325 auf_recv(tad, error, rval) 5326 struct t_audit_data *tad; 5327 int error; 5328 rval_t *rval; 5329 { 5330 struct sonode *so; 5331 char so_laddr[sizeof (struct sockaddr_in6)]; 5332 char so_faddr[sizeof (struct sockaddr_in6)]; 5333 struct file *fp; 5334 struct f_audit_data *fad; 5335 int fd; 5336 int err; 5337 socklen_t len; 5338 short so_family, so_type; 5339 register struct a { 5340 long fd; 5341 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5342 au_kcontext_t *kctx = GET_KCTX_PZ; 5343 5344 /* 5345 * If there was an error, then nothing to do. Only generate 5346 * audit record on first successful recv. 5347 */ 5348 if (error) { 5349 /* Turn off audit record generation here. */ 5350 tad->tad_flag = 0; 5351 /* free any residual audit data */ 5352 au_close(kctx, &(u_ad), 0, 0, 0); 5353 return; 5354 } 5355 5356 fd = (int)uap->fd; 5357 5358 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5359 /* Turn off audit record generation here. */ 5360 tad->tad_flag = 0; 5361 /* free any residual audit data */ 5362 au_close(kctx, &(u_ad), 0, 0, 0); 5363 return; 5364 } 5365 5366 /* get path from file struct here */ 5367 fad = F2A(fp); 5368 ASSERT(fad); 5369 5370 /* 5371 * already processed this file for read attempt 5372 */ 5373 if (fad->fad_flags & FAD_READ) { 5374 releasef(fd); 5375 /* don't really want to audit every recv call */ 5376 tad->tad_flag = 0; 5377 /* free any residual audit data */ 5378 au_close(kctx, &(u_ad), 0, 0, 0); 5379 return; 5380 } 5381 5382 /* mark things so we know what happened and don't repeat things */ 5383 fad->fad_flags |= FAD_READ; 5384 5385 so_family = so->so_family; 5386 so_type = so->so_type; 5387 5388 switch (so_family) { 5389 case AF_INET: 5390 case AF_INET6: 5391 /* 5392 * Only for connections. 5393 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5394 */ 5395 if (so->so_state & SS_ISBOUND) { 5396 5397 bzero((void *)so_laddr, sizeof (so_laddr)); 5398 bzero((void *)so_faddr, sizeof (so_faddr)); 5399 5400 /* get local and foreign addresses */ 5401 len = sizeof (so_laddr); 5402 (void) socket_getsockname(so, 5403 (struct sockaddr *)so_laddr, &len, CRED()); 5404 len = sizeof (so_faddr); 5405 (void) socket_getpeername(so, 5406 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5407 5408 /* 5409 * only way to drop out of switch. Note that we 5410 * we release fd below. 5411 */ 5412 5413 break; 5414 } 5415 5416 releasef(fd); 5417 5418 /* don't really want to audit every recv call */ 5419 tad->tad_flag = 0; 5420 /* free any residual audit data */ 5421 au_close(kctx, &(u_ad), 0, 0, 0); 5422 5423 return; 5424 5425 case AF_UNIX: 5426 5427 if (fad->fad_aupath != NULL) { 5428 au_uwrite(au_to_path(fad->fad_aupath)); 5429 } else { 5430 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5431 } 5432 5433 audit_attributes(fp->f_vnode); 5434 5435 releasef(fd); 5436 5437 return; 5438 5439 default: 5440 releasef(fd); 5441 5442 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5443 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5444 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5445 5446 return; 5447 } 5448 5449 releasef(fd); 5450 5451 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5452 5453 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5454 5455 } 5456 5457 /*ARGSUSED*/ 5458 static void 5459 auf_send(tad, error, rval) 5460 struct t_audit_data *tad; 5461 int error; 5462 rval_t *rval; 5463 { 5464 struct sonode *so; 5465 char so_laddr[sizeof (struct sockaddr_in6)]; 5466 char so_faddr[sizeof (struct sockaddr_in6)]; 5467 struct file *fp; 5468 struct f_audit_data *fad; 5469 int fd; 5470 int err; 5471 socklen_t len; 5472 short so_family, so_type; 5473 register struct a { 5474 long fd; 5475 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5476 au_kcontext_t *kctx = GET_KCTX_PZ; 5477 5478 fd = (int)uap->fd; 5479 5480 /* 5481 * If there was an error, then nothing to do. Only generate 5482 * audit record on first successful send. 5483 */ 5484 if (error != 0) { 5485 /* Turn off audit record generation here. */ 5486 tad->tad_flag = 0; 5487 /* free any residual audit data */ 5488 au_close(kctx, &(u_ad), 0, 0, 0); 5489 return; 5490 } 5491 5492 fd = (int)uap->fd; 5493 5494 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5495 /* Turn off audit record generation here. */ 5496 tad->tad_flag = 0; 5497 /* free any residual audit data */ 5498 au_close(kctx, &(u_ad), 0, 0, 0); 5499 return; 5500 } 5501 5502 /* get path from file struct here */ 5503 fad = F2A(fp); 5504 ASSERT(fad); 5505 5506 /* 5507 * already processed this file for write attempt 5508 */ 5509 if (fad->fad_flags & FAD_WRITE) { 5510 releasef(fd); 5511 /* don't really want to audit every send call */ 5512 tad->tad_flag = 0; 5513 /* free any residual audit data */ 5514 au_close(kctx, &(u_ad), 0, 0, 0); 5515 return; 5516 } 5517 5518 /* mark things so we know what happened and don't repeat things */ 5519 fad->fad_flags |= FAD_WRITE; 5520 5521 so_family = so->so_family; 5522 so_type = so->so_type; 5523 5524 switch (so_family) { 5525 case AF_INET: 5526 case AF_INET6: 5527 /* 5528 * Only for connections. 5529 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5530 */ 5531 if (so->so_state & SS_ISBOUND) { 5532 5533 bzero((void *)so_laddr, sizeof (so_laddr)); 5534 bzero((void *)so_faddr, sizeof (so_faddr)); 5535 5536 /* get local and foreign addresses */ 5537 len = sizeof (so_laddr); 5538 (void) socket_getsockname(so, 5539 (struct sockaddr *)so_laddr, &len, CRED()); 5540 len = sizeof (so_faddr); 5541 (void) socket_getpeername(so, 5542 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5543 5544 /* 5545 * only way to drop out of switch. Note that we 5546 * we release fd below. 5547 */ 5548 5549 break; 5550 } 5551 5552 releasef(fd); 5553 /* don't really want to audit every send call */ 5554 tad->tad_flag = 0; 5555 /* free any residual audit data */ 5556 au_close(kctx, &(u_ad), 0, 0, 0); 5557 5558 return; 5559 5560 case AF_UNIX: 5561 5562 if (fad->fad_aupath != NULL) { 5563 au_uwrite(au_to_path(fad->fad_aupath)); 5564 } else { 5565 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5566 } 5567 5568 audit_attributes(fp->f_vnode); 5569 5570 releasef(fd); 5571 5572 return; 5573 5574 default: 5575 releasef(fd); 5576 5577 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5578 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5579 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5580 5581 return; 5582 } 5583 5584 releasef(fd); 5585 5586 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5587 5588 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5589 } 5590 5591 static au_event_t 5592 aui_forksys(au_event_t e) 5593 { 5594 struct a { 5595 long subcode; 5596 long flags; 5597 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5598 5599 switch ((uint_t)uap->subcode) { 5600 case 0: 5601 e = AUE_FORK1; 5602 break; 5603 case 1: 5604 e = AUE_FORKALL; 5605 break; 5606 case 2: 5607 e = AUE_VFORK; 5608 break; 5609 default: 5610 e = AUE_NULL; 5611 break; 5612 } 5613 5614 return (e); 5615 } 5616 5617 /*ARGSUSED*/ 5618 static au_event_t 5619 aui_portfs(au_event_t e) 5620 { 5621 struct a { /* portfs */ 5622 long a1; 5623 long a2; 5624 long a3; 5625 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5626 5627 /* 5628 * check opcode 5629 */ 5630 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5631 case PORT_ASSOCIATE: 5632 /* check source */ 5633 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5634 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5635 e = AUE_PORTFS_ASSOCIATE; 5636 } else { 5637 e = AUE_NULL; 5638 } 5639 break; 5640 case PORT_DISSOCIATE: 5641 /* check source */ 5642 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5643 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5644 e = AUE_PORTFS_DISSOCIATE; 5645 } else { 5646 e = AUE_NULL; 5647 } 5648 break; 5649 default: 5650 e = AUE_NULL; 5651 } 5652 return (e); 5653 } 5654