1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/vfs_opreg.h> 76 #include <fs/sockfs/sockcommon.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 82 char _depends_on[] = "fs/sockfs"; 83 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 static au_event_t aui_labelsys(au_event_t); 103 static au_event_t aui_setpgrp(au_event_t); 104 105 static void aus_open(struct t_audit_data *); 106 static void aus_acl(struct t_audit_data *); 107 static void aus_acct(struct t_audit_data *); 108 static void aus_chown(struct t_audit_data *); 109 static void aus_fchown(struct t_audit_data *); 110 static void aus_lchown(struct t_audit_data *); 111 static void aus_chmod(struct t_audit_data *); 112 static void aus_facl(struct t_audit_data *); 113 static void aus_fchmod(struct t_audit_data *); 114 static void aus_fcntl(struct t_audit_data *); 115 static void aus_fsat(struct t_audit_data *); 116 static void aus_mkdir(struct t_audit_data *); 117 static void aus_mknod(struct t_audit_data *); 118 static void aus_mount(struct t_audit_data *); 119 static void aus_umount(struct t_audit_data *); 120 static void aus_umount2(struct t_audit_data *); 121 static void aus_msgsys(struct t_audit_data *); 122 static void aus_semsys(struct t_audit_data *); 123 static void aus_close(struct t_audit_data *); 124 static void aus_fstatfs(struct t_audit_data *); 125 static void aus_setgid(struct t_audit_data *); 126 static void aus_setpgrp(struct t_audit_data *); 127 static void aus_setuid(struct t_audit_data *); 128 static void aus_shmsys(struct t_audit_data *); 129 static void aus_doorfs(struct t_audit_data *); 130 static void aus_ioctl(struct t_audit_data *); 131 static void aus_memcntl(struct t_audit_data *); 132 static void aus_mmap(struct t_audit_data *); 133 static void aus_munmap(struct t_audit_data *); 134 static void aus_priocntlsys(struct t_audit_data *); 135 static void aus_setegid(struct t_audit_data *); 136 static void aus_setgroups(struct t_audit_data *); 137 static void aus_seteuid(struct t_audit_data *); 138 static void aus_putmsg(struct t_audit_data *); 139 static void aus_putpmsg(struct t_audit_data *); 140 static void aus_getmsg(struct t_audit_data *); 141 static void aus_getpmsg(struct t_audit_data *); 142 static void aus_auditsys(struct t_audit_data *); 143 static void aus_sysinfo(struct t_audit_data *); 144 static void aus_modctl(struct t_audit_data *); 145 static void aus_kill(struct t_audit_data *); 146 static void aus_xmknod(struct t_audit_data *); 147 static void aus_setregid(struct t_audit_data *); 148 static void aus_setreuid(struct t_audit_data *); 149 static void aus_labelsys(struct t_audit_data *); 150 151 static void auf_mknod(struct t_audit_data *, int, rval_t *); 152 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 153 static void auf_semsys(struct t_audit_data *, int, rval_t *); 154 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 155 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 156 static void auf_read(struct t_audit_data *, int, rval_t *); 157 static void auf_write(struct t_audit_data *, int, rval_t *); 158 159 static void aus_sigqueue(struct t_audit_data *); 160 static void aus_p_online(struct t_audit_data *); 161 static void aus_processor_bind(struct t_audit_data *); 162 static void aus_inst_sync(struct t_audit_data *); 163 static void aus_brandsys(struct t_audit_data *); 164 165 static void auf_accept(struct t_audit_data *, int, rval_t *); 166 167 static void auf_bind(struct t_audit_data *, int, rval_t *); 168 static void auf_connect(struct t_audit_data *, int, rval_t *); 169 static void aus_shutdown(struct t_audit_data *); 170 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 171 static void aus_sockconfig(struct t_audit_data *); 172 static void auf_recv(struct t_audit_data *, int, rval_t *); 173 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 174 static void auf_send(struct t_audit_data *, int, rval_t *); 175 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 176 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 177 static void auf_sendto(struct t_audit_data *, int, rval_t *); 178 static void aus_socket(struct t_audit_data *); 179 /* 180 * This table contains mapping information for converting system call numbers 181 * to audit event IDs. In several cases it is necessary to map a single system 182 * call to several events. 183 */ 184 185 #define aui_null NULL /* NULL initialize function */ 186 #define aus_null NULL /* NULL start function */ 187 #define auf_null NULL /* NULL finish function */ 188 189 struct audit_s2e audit_s2e[] = 190 { 191 /* 192 * ---------- ---------- ---------- ---------- 193 * INITIAL AUDIT START SYSTEM 194 * PROCESSING EVENT PROCESSING CALL 195 * ---------- ---------- ---------- ----------- 196 * FINISH EVENT 197 * PROCESSING CONTROL 198 * ---------------------------------------------------------- 199 */ 200 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 201 auf_null, 0, 202 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 203 auf_null, S2E_NPT, 204 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 205 auf_null, 0, 206 aui_null, AUE_READ, aus_null, /* 3 read */ 207 auf_read, S2E_PUB, 208 aui_null, AUE_WRITE, aus_null, /* 4 write */ 209 auf_write, 0, 210 aui_open, AUE_OPEN, aus_open, /* 5 open */ 211 auf_null, S2E_SP, 212 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 213 auf_null, 0, 214 aui_null, AUE_NULL, aus_null, /* 7 wait */ 215 auf_null, 0, 216 aui_null, AUE_CREAT, aus_null, /* 8 create */ 217 auf_null, S2E_SP, 218 aui_null, AUE_LINK, aus_null, /* 9 link */ 219 auf_null, 0, 220 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 221 auf_null, 0, 222 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 223 auf_null, S2E_MLD, 224 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 225 auf_null, S2E_SP, 226 aui_null, AUE_NULL, aus_null, /* 13 time */ 227 auf_null, 0, 228 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 229 auf_mknod, 0, 230 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 231 auf_null, 0, 232 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 233 auf_null, 0, 234 aui_null, AUE_NULL, aus_null, /* 17 brk */ 235 auf_null, 0, 236 aui_null, AUE_STAT, aus_null, /* 18 stat */ 237 auf_null, S2E_PUB, 238 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 239 auf_null, 0, 240 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 241 auf_null, 0, 242 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 243 auf_null, S2E_MLD, 244 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 245 auf_null, 0, 246 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 247 auf_null, 0, 248 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 249 auf_null, 0, 250 aui_null, AUE_STIME, aus_null, /* 25 stime */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 255 auf_null, 0, 256 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 257 auf_null, 0, 258 aui_null, AUE_NULL, aus_null, /* 29 pause */ 259 auf_null, 0, 260 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 261 auf_null, 0, 262 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 263 auf_null, 0, 264 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 265 auf_null, 0, 266 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 267 auf_null, S2E_PUB, 268 aui_null, AUE_NICE, aus_null, /* 34 nice */ 269 auf_null, 0, 270 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 271 auf_null, S2E_PUB, 272 aui_null, AUE_NULL, aus_null, /* 36 sync */ 273 auf_null, 0, 274 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 275 auf_null, 0, 276 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 277 auf_null, S2E_PUB, 278 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 279 auf_null, 0, 280 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 281 auf_null, 0, 282 aui_null, AUE_NULL, aus_null, /* 41 dup */ 283 auf_null, 0, 284 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 43 times */ 287 auf_null, 0, 288 aui_null, AUE_NULL, aus_null, /* 44 profil */ 289 auf_null, 0, 290 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 291 /* was proc lock */ 292 auf_null, 0, 293 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 296 auf_null, 0, 297 aui_null, AUE_NULL, aus_null, /* 48 sig */ 298 auf_null, 0, 299 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 300 auf_msgsys, 0, 301 #if defined(__x86) 302 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 303 auf_null, 0, 304 #else 305 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 306 auf_null, 0, 307 #endif /* __x86 */ 308 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 309 auf_null, 0, 310 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 311 auf_shmsys, 0, 312 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 313 auf_semsys, 0, 314 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 315 auf_null, 0, 316 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 317 auf_null, 0, 318 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 319 auf_null, 0, 320 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 321 auf_null, 0, 322 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 323 auf_null, 0, 324 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 325 auf_null, S2E_MLD, 326 aui_null, AUE_NULL, aus_null, /* 60 umask */ 327 auf_null, 0, 328 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 329 auf_null, S2E_SP, 330 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 337 auf_null, 0, 338 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 339 auf_null, 0, 340 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 341 /* file locking call */ 342 auf_null, 0, 343 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 344 /* local system calls */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 359 /* was sigret (SunOS) */ 360 auf_null, 0, 361 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 362 auf_null, 0, 363 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 364 auf_null, 0, 365 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 366 auf_null, 0, 367 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 368 auf_null, 0, 369 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 370 auf_null, 0, 371 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 372 auf_null, 0, 373 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 374 /* was libattach */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 377 /* was libdetach */ 378 auf_null, 0, 379 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 380 auf_null, 0, 381 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 382 auf_null, 0, 383 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 384 auf_null, 0, 385 aui_null, AUE_NULL, aus_null, /* 87 poll */ 386 auf_null, 0, 387 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 388 auf_null, S2E_PUB, 389 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 390 auf_null, 0, 391 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 392 auf_null, S2E_PUB, 393 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 394 auf_null, 0, 395 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 396 auf_null, 0, 397 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 398 auf_null, 0, 399 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 410 auf_null, 0, 411 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 412 auf_null, 0, 413 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 414 auf_null, 0, 415 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 416 /* was evtrapret */ 417 auf_null, 0, 418 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 419 auf_null, S2E_PUB, 420 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 425 auf_null, 0, 426 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 427 auf_null, 0, 428 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 429 auf_null, 0, 430 #if defined(__x86) 431 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 432 auf_null, 0, 433 #else 434 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 435 auf_null, 0, 436 #endif /* __x86 */ 437 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 438 auf_null, 0, 439 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 440 auf_null, 0, 441 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 442 auf_null, 0, /* 112 priocntlsys */ 443 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 444 auf_null, S2E_PUB, 445 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 446 auf_null, 0, 447 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 448 auf_null, 0, 449 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 450 auf_null, 0, 451 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 452 auf_null, 0, 453 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 454 auf_null, 0, 455 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 456 auf_null, 0, 457 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 458 auf_null, 0, 459 aui_null, AUE_READ, aus_null, /* 121 readv */ 460 auf_read, S2E_PUB, 461 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 462 auf_write, 0, 463 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 464 auf_null, S2E_PUB, 465 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 466 auf_null, S2E_PUB, 467 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 468 auf_null, 0, 469 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 470 auf_xmknod, 0, 471 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 472 auf_null, 0, 473 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 474 auf_null, 0, 475 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 476 auf_null, 0, 477 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 478 auf_null, 0, 479 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 480 auf_null, 0, 481 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 482 auf_null, 0, 483 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 484 auf_null, 0, 485 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 486 auf_null, 0, 487 aui_null, AUE_NULL, aus_null, /* 135 uname */ 488 auf_null, 0, 489 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 490 auf_null, 0, 491 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 492 auf_null, 0, 493 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 494 auf_null, 0, 495 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 496 auf_null, 0, 497 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 498 auf_null, 0, 499 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 500 auf_null, 0, 501 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 502 auf_null, 0, 503 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 146 yield */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 514 auf_null, 0, 515 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 516 auf_null, 0, 517 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 518 auf_null, 0, 519 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 520 auf_null, 0, 521 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 522 auf_null, 0, 523 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 524 auf_null, 0, 525 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 544 auf_null, 0, 545 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 546 auf_null, 0, 547 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 548 /* was lwp_setprivate */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 551 /* was lwp_getprivate */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 560 auf_null, 0, 561 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 562 auf_null, 0, 563 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 564 auf_null, 0, 565 aui_null, AUE_READ, aus_null, /* 173 pread */ 566 auf_read, S2E_PUB, 567 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 568 auf_write, 0, 569 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 570 auf_null, 0, 571 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 572 /* aus_inst_sync */ 573 auf_null, 0, 574 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 579 auf_null, 0, 580 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 581 auf_null, 0, 582 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 583 auf_null, 0, 584 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 585 auf_null, S2E_MLD, 586 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 587 auf_null, 0, 588 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 589 auf_null, 0, 590 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 591 auf_null, 0, 592 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 593 auf_null, 0, 594 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 595 auf_null, 0, /* 187 processor_bind */ 596 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 597 auf_null, 0, 598 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 599 auf_null, 0, 600 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 601 auf_null, 0, 602 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 603 auf_null, 0, 604 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 613 auf_null, 0, 614 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 615 auf_null, 0, 616 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 617 auf_null, 0, 618 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 619 auf_null, 0, 620 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 621 auf_null, 0, 622 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 623 auf_null, 0, 624 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 625 auf_null, 0, 626 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 641 auf_null, 0, 642 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 643 auf_null, 0, 644 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 645 auf_null, 0, 646 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 647 auf_null, 0, 648 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 649 auf_null, 0, 650 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 651 auf_null, S2E_PUB, 652 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 653 auf_null, S2E_PUB, 654 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 655 auf_null, 0, 656 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 657 auf_null, S2E_PUB, 658 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 659 auf_null, 0, 660 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 661 auf_null, 0, 662 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 663 auf_null, 0, 664 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 665 auf_read, S2E_PUB, 666 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 667 auf_write, 0, 668 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 669 auf_null, S2E_SP, 670 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 671 auf_null, S2E_SP, 672 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 675 auf_null, 0, 676 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 677 auf_null, 0, 678 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 679 auf_null, 0, 680 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 681 auf_null, 0, 682 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 683 auf_null, 0, 684 aui_null, AUE_BIND, aus_null, /* 232 bind */ 685 auf_bind, 0, 686 aui_null, AUE_NULL, aus_null, /* 233 listen */ 687 auf_null, 0, 688 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 689 auf_accept, 0, 690 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 691 auf_connect, 0, 692 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 693 auf_null, 0, 694 aui_null, AUE_READ, aus_null, /* 237 recv */ 695 auf_recv, 0, 696 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 697 auf_recvfrom, 0, 698 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 699 auf_recvmsg, 0, 700 aui_null, AUE_WRITE, aus_null, /* 240 send */ 701 auf_send, 0, 702 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 703 auf_sendmsg, 0, 704 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 705 auf_sendto, 0, 706 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 707 auf_null, 0, 708 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 709 auf_null, 0, 710 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 711 auf_null, 0, 712 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 713 auf_setsockopt, 0, 714 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 715 auf_null, 0, 716 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 717 auf_null, 0, 718 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 723 auf_null, 0, 724 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 725 auf_null, 0, 726 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 727 auf_null, 0, 728 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 729 auf_null, 0, 730 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 731 auf_null, 0 732 }; 733 734 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 735 736 737 /* acct start function */ 738 /*ARGSUSED*/ 739 static void 740 aus_acct(struct t_audit_data *tad) 741 { 742 klwp_t *clwp = ttolwp(curthread); 743 uintptr_t fname; 744 745 struct a { 746 long fname; /* char * */ 747 } *uap = (struct a *)clwp->lwp_ap; 748 749 fname = (uintptr_t)uap->fname; 750 751 if (fname == 0) 752 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 753 } 754 755 /* chown start function */ 756 /*ARGSUSED*/ 757 static void 758 aus_chown(struct t_audit_data *tad) 759 { 760 klwp_t *clwp = ttolwp(curthread); 761 uint32_t uid, gid; 762 763 struct a { 764 long fname; /* char * */ 765 long uid; 766 long gid; 767 } *uap = (struct a *)clwp->lwp_ap; 768 769 uid = (uint32_t)uap->uid; 770 gid = (uint32_t)uap->gid; 771 772 au_uwrite(au_to_arg32(2, "new file uid", uid)); 773 au_uwrite(au_to_arg32(3, "new file gid", gid)); 774 } 775 776 /* fchown start function */ 777 /*ARGSUSED*/ 778 static void 779 aus_fchown(struct t_audit_data *tad) 780 { 781 klwp_t *clwp = ttolwp(curthread); 782 uint32_t uid, gid, fd; 783 struct file *fp; 784 struct vnode *vp; 785 struct f_audit_data *fad; 786 787 struct a { 788 long fd; 789 long uid; 790 long gid; 791 } *uap = (struct a *)clwp->lwp_ap; 792 793 fd = (uint32_t)uap->fd; 794 uid = (uint32_t)uap->uid; 795 gid = (uint32_t)uap->gid; 796 797 au_uwrite(au_to_arg32(2, "new file uid", uid)); 798 au_uwrite(au_to_arg32(3, "new file gid", gid)); 799 800 /* 801 * convert file pointer to file descriptor 802 * Note: fd ref count incremented here. 803 */ 804 if ((fp = getf(fd)) == NULL) 805 return; 806 807 /* get path from file struct here */ 808 fad = F2A(fp); 809 if (fad->fad_aupath != NULL) { 810 au_uwrite(au_to_path(fad->fad_aupath)); 811 } else { 812 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 813 } 814 815 vp = fp->f_vnode; 816 audit_attributes(vp); 817 818 /* decrement file descriptor reference count */ 819 releasef(fd); 820 } 821 822 /*ARGSUSED*/ 823 static void 824 aus_lchown(struct t_audit_data *tad) 825 { 826 klwp_t *clwp = ttolwp(curthread); 827 uint32_t uid, gid; 828 829 830 struct a { 831 long fname; /* char * */ 832 long uid; 833 long gid; 834 } *uap = (struct a *)clwp->lwp_ap; 835 836 uid = (uint32_t)uap->uid; 837 gid = (uint32_t)uap->gid; 838 839 au_uwrite(au_to_arg32(2, "new file uid", uid)); 840 au_uwrite(au_to_arg32(3, "new file gid", gid)); 841 } 842 843 /* chmod start function */ 844 /*ARGSUSED*/ 845 static void 846 aus_chmod(struct t_audit_data *tad) 847 { 848 klwp_t *clwp = ttolwp(curthread); 849 uint32_t fmode; 850 851 struct a { 852 long fname; /* char * */ 853 long fmode; 854 } *uap = (struct a *)clwp->lwp_ap; 855 856 fmode = (uint32_t)uap->fmode; 857 858 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 859 } 860 861 /* chmod start function */ 862 /*ARGSUSED*/ 863 static void 864 aus_fchmod(struct t_audit_data *tad) 865 { 866 klwp_t *clwp = ttolwp(curthread); 867 uint32_t fmode, fd; 868 struct file *fp; 869 struct vnode *vp; 870 struct f_audit_data *fad; 871 872 struct a { 873 long fd; 874 long fmode; 875 } *uap = (struct a *)clwp->lwp_ap; 876 877 fd = (uint32_t)uap->fd; 878 fmode = (uint32_t)uap->fmode; 879 880 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 881 882 /* 883 * convert file pointer to file descriptor 884 * Note: fd ref count incremented here. 885 */ 886 if ((fp = getf(fd)) == NULL) 887 return; 888 889 /* get path from file struct here */ 890 fad = F2A(fp); 891 if (fad->fad_aupath != NULL) { 892 au_uwrite(au_to_path(fad->fad_aupath)); 893 } else { 894 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 895 } 896 897 vp = fp->f_vnode; 898 audit_attributes(vp); 899 900 /* decrement file descriptor reference count */ 901 releasef(fd); 902 } 903 904 905 /* convert open to appropriate event */ 906 static au_event_t 907 aui_open(au_event_t e) 908 { 909 klwp_t *clwp = ttolwp(curthread); 910 uint_t fm; 911 912 struct a { 913 long fnamep; /* char * */ 914 long fmode; 915 long cmode; 916 } *uap = (struct a *)clwp->lwp_ap; 917 918 fm = (uint_t)uap->fmode; 919 920 if (fm & O_WRONLY) 921 e = AUE_OPEN_W; 922 else if (fm & O_RDWR) 923 e = AUE_OPEN_RW; 924 else 925 e = AUE_OPEN_R; 926 927 if (fm & O_CREAT) 928 e += 1; 929 if (fm & O_TRUNC) 930 e += 2; 931 932 return (e); 933 } 934 935 /*ARGSUSED*/ 936 static void 937 aus_open(struct t_audit_data *tad) 938 { 939 klwp_t *clwp = ttolwp(curthread); 940 uint_t fm; 941 942 struct a { 943 long fnamep; /* char * */ 944 long fmode; 945 long cmode; 946 } *uap = (struct a *)clwp->lwp_ap; 947 948 fm = (uint_t)uap->fmode; 949 950 /* If no write, create, or trunc modes, mark as a public op */ 951 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 952 tad->tad_ctrl |= PAD_PUBLIC_EV; 953 } 954 955 /* convert openat(2) to appropriate event */ 956 static au_event_t 957 aui_fsat(au_event_t e) 958 { 959 t_audit_data_t *tad = U2A(u); 960 klwp_t *clwp = ttolwp(curthread); 961 uint_t fmcode, fm; 962 struct a { 963 long id; 964 long arg1; 965 long arg2; 966 long arg3; 967 long arg4; 968 long arg5; 969 } *uap = (struct a *)clwp->lwp_ap; 970 971 fmcode = (uint_t)uap->id; 972 973 switch (fmcode) { 974 975 case 0: /* openat */ 976 case 1: /* openat64 */ 977 fm = (uint_t)uap->arg3; 978 if (fm & O_WRONLY) 979 e = AUE_OPENAT_W; 980 else if (fm & O_RDWR) 981 e = AUE_OPENAT_RW; 982 else 983 e = AUE_OPENAT_R; 984 985 /* 986 * openat modes are defined in the following order: 987 * Read only 988 * Read|Create 989 * Read|Trunc 990 * Read|Create|Trunc 991 * Write Only 992 * Write|Create 993 * Write|Trunc 994 * Write|Create|Trunc * RW Only 995 * RW|Create 996 * RW|Trunc 997 * RW|Create|Trunc 998 */ 999 if (fm & O_CREAT) 1000 e += 1; /* increment to include CREAT in mode */ 1001 if (fm & O_TRUNC) 1002 e += 2; /* increment to include TRUNC in mode */ 1003 1004 /* convert to appropriate au_ctrl */ 1005 tad->tad_ctrl |= PAD_SAVPATH; 1006 if (fm & FXATTR) 1007 tad->tad_ctrl |= PAD_ATPATH; 1008 1009 1010 break; 1011 case 2: /* fstatat64 */ 1012 case 3: /* fstatat */ 1013 e = AUE_FSTATAT; 1014 break; 1015 case 4: /* fchownat */ 1016 e = AUE_FCHOWNAT; 1017 break; 1018 case 5: /* unlinkat */ 1019 e = AUE_UNLINKAT; 1020 break; 1021 case 6: /* futimesat */ 1022 e = AUE_FUTIMESAT; 1023 break; 1024 case 7: /* renameat */ 1025 e = AUE_RENAMEAT; 1026 break; 1027 case 9: /* __openattrdirat */ 1028 tad->tad_ctrl |= PAD_SAVPATH; 1029 /*FALLTHROUGH*/ 1030 default: 1031 e = AUE_NULL; 1032 break; 1033 } 1034 1035 return (e); 1036 } 1037 1038 /*ARGSUSED*/ 1039 static void 1040 aus_fsat(struct t_audit_data *tad) 1041 { 1042 klwp_t *clwp = ttolwp(curthread); 1043 uint_t fmcode, fm; 1044 struct a { 1045 long id; 1046 long arg1; 1047 long arg2; 1048 long arg3; 1049 long arg4; 1050 long arg5; 1051 } *uap = (struct a *)clwp->lwp_ap; 1052 1053 fmcode = (uint_t)uap->id; 1054 1055 switch (fmcode) { 1056 1057 case 0: /* openat */ 1058 case 1: /* openat64 */ 1059 fm = (uint_t)uap->arg3; 1060 /* If no write, create, or trunc modes, mark as a public op */ 1061 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1062 tad->tad_ctrl |= PAD_PUBLIC_EV; 1063 1064 break; 1065 case 2: /* fstatat64 */ 1066 case 3: /* fstatat */ 1067 tad->tad_ctrl |= PAD_PUBLIC_EV; 1068 break; 1069 default: 1070 break; 1071 } 1072 } 1073 1074 /* msgsys */ 1075 static au_event_t 1076 aui_msgsys(au_event_t e) 1077 { 1078 klwp_t *clwp = ttolwp(curthread); 1079 uint_t fm; 1080 1081 struct a { 1082 long id; /* function code id */ 1083 long ap; /* arg pointer for recvmsg */ 1084 } *uap = (struct a *)clwp->lwp_ap; 1085 1086 struct b { 1087 long msgid; 1088 long cmd; 1089 long buf; /* struct msqid_ds * */ 1090 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1091 1092 fm = (uint_t)uap->id; 1093 1094 switch (fm) { 1095 case 0: /* msgget */ 1096 e = AUE_MSGGET; 1097 break; 1098 case 1: /* msgctl */ 1099 switch ((uint_t)uap1->cmd) { 1100 case IPC_RMID: 1101 e = AUE_MSGCTL_RMID; 1102 break; 1103 case IPC_SET: 1104 e = AUE_MSGCTL_SET; 1105 break; 1106 case IPC_STAT: 1107 e = AUE_MSGCTL_STAT; 1108 break; 1109 default: 1110 e = AUE_MSGCTL; 1111 break; 1112 } 1113 break; 1114 case 2: /* msgrcv */ 1115 e = AUE_MSGRCV; 1116 break; 1117 case 3: /* msgsnd */ 1118 e = AUE_MSGSND; 1119 break; 1120 default: /* illegal system call */ 1121 e = AUE_NULL; 1122 break; 1123 } 1124 1125 return (e); 1126 } 1127 1128 1129 /* shmsys */ 1130 static au_event_t 1131 aui_shmsys(au_event_t e) 1132 { 1133 klwp_t *clwp = ttolwp(curthread); 1134 int fm; 1135 1136 struct a { /* shmsys */ 1137 long id; /* function code id */ 1138 } *uap = (struct a *)clwp->lwp_ap; 1139 1140 struct b { /* ctrl */ 1141 long shmid; 1142 long cmd; 1143 long arg; /* struct shmid_ds * */ 1144 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1145 fm = (uint_t)uap->id; 1146 1147 switch (fm) { 1148 case 0: /* shmat */ 1149 e = AUE_SHMAT; 1150 break; 1151 case 1: /* shmctl */ 1152 switch ((uint_t)uap1->cmd) { 1153 case IPC_RMID: 1154 e = AUE_SHMCTL_RMID; 1155 break; 1156 case IPC_SET: 1157 e = AUE_SHMCTL_SET; 1158 break; 1159 case IPC_STAT: 1160 e = AUE_SHMCTL_STAT; 1161 break; 1162 default: 1163 e = AUE_SHMCTL; 1164 break; 1165 } 1166 break; 1167 case 2: /* shmdt */ 1168 e = AUE_SHMDT; 1169 break; 1170 case 3: /* shmget */ 1171 e = AUE_SHMGET; 1172 break; 1173 default: /* illegal system call */ 1174 e = AUE_NULL; 1175 break; 1176 } 1177 1178 return (e); 1179 } 1180 1181 1182 /* semsys */ 1183 static au_event_t 1184 aui_semsys(au_event_t e) 1185 { 1186 klwp_t *clwp = ttolwp(curthread); 1187 uint_t fm; 1188 1189 struct a { /* semsys */ 1190 long id; 1191 } *uap = (struct a *)clwp->lwp_ap; 1192 1193 struct b { /* ctrl */ 1194 long semid; 1195 long semnum; 1196 long cmd; 1197 long arg; 1198 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1199 1200 fm = (uint_t)uap->id; 1201 1202 switch (fm) { 1203 case 0: /* semctl */ 1204 switch ((uint_t)uap1->cmd) { 1205 case IPC_RMID: 1206 e = AUE_SEMCTL_RMID; 1207 break; 1208 case IPC_SET: 1209 e = AUE_SEMCTL_SET; 1210 break; 1211 case IPC_STAT: 1212 e = AUE_SEMCTL_STAT; 1213 break; 1214 case GETNCNT: 1215 e = AUE_SEMCTL_GETNCNT; 1216 break; 1217 case GETPID: 1218 e = AUE_SEMCTL_GETPID; 1219 break; 1220 case GETVAL: 1221 e = AUE_SEMCTL_GETVAL; 1222 break; 1223 case GETALL: 1224 e = AUE_SEMCTL_GETALL; 1225 break; 1226 case GETZCNT: 1227 e = AUE_SEMCTL_GETZCNT; 1228 break; 1229 case SETVAL: 1230 e = AUE_SEMCTL_SETVAL; 1231 break; 1232 case SETALL: 1233 e = AUE_SEMCTL_SETALL; 1234 break; 1235 default: 1236 e = AUE_SEMCTL; 1237 break; 1238 } 1239 break; 1240 case 1: /* semget */ 1241 e = AUE_SEMGET; 1242 break; 1243 case 2: /* semop */ 1244 e = AUE_SEMOP; 1245 break; 1246 default: /* illegal system call */ 1247 e = AUE_NULL; 1248 break; 1249 } 1250 1251 return (e); 1252 } 1253 1254 /* utssys - uname(2), ustat(2), fusers(2) */ 1255 static au_event_t 1256 aui_utssys(au_event_t e) 1257 { 1258 klwp_t *clwp = ttolwp(curthread); 1259 uint_t type; 1260 1261 struct a { 1262 union { 1263 long cbuf; /* char * */ 1264 long ubuf; /* struct stat * */ 1265 } ub; 1266 union { 1267 long mv; /* for USTAT */ 1268 long flags; /* for FUSERS */ 1269 } un; 1270 long type; 1271 long outbp; /* char * for FUSERS */ 1272 } *uap = (struct a *)clwp->lwp_ap; 1273 1274 type = (uint_t)uap->type; 1275 1276 if (type == UTS_FUSERS) 1277 return (e); 1278 else 1279 return ((au_event_t)AUE_NULL); 1280 } 1281 1282 static au_event_t 1283 aui_fcntl(au_event_t e) 1284 { 1285 klwp_t *clwp = ttolwp(curthread); 1286 uint_t cmd; 1287 1288 struct a { 1289 long fdes; 1290 long cmd; 1291 long arg; 1292 } *uap = (struct a *)clwp->lwp_ap; 1293 1294 cmd = (uint_t)uap->cmd; 1295 1296 switch (cmd) { 1297 case F_GETLK: 1298 case F_SETLK: 1299 case F_SETLKW: 1300 break; 1301 case F_SETFL: 1302 case F_GETFL: 1303 case F_GETFD: 1304 break; 1305 default: 1306 e = (au_event_t)AUE_NULL; 1307 break; 1308 } 1309 return ((au_event_t)e); 1310 } 1311 1312 /* null function for now */ 1313 static au_event_t 1314 aui_execv(au_event_t e) 1315 { 1316 return (e); 1317 } 1318 1319 /* null function for now */ 1320 static au_event_t 1321 aui_execve(au_event_t e) 1322 { 1323 return (e); 1324 } 1325 1326 /*ARGSUSED*/ 1327 static void 1328 aus_fcntl(struct t_audit_data *tad) 1329 { 1330 klwp_t *clwp = ttolwp(curthread); 1331 uint32_t cmd, fd; 1332 struct file *fp; 1333 struct vnode *vp; 1334 struct f_audit_data *fad; 1335 1336 struct a { 1337 long fd; 1338 long cmd; 1339 long arg; 1340 } *uap = (struct a *)clwp->lwp_ap; 1341 1342 cmd = (uint32_t)uap->cmd; 1343 fd = (uint32_t)uap->fd; 1344 1345 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1346 1347 /* 1348 * convert file pointer to file descriptor 1349 * Note: fd ref count incremented here. 1350 */ 1351 if ((fp = getf(fd)) == NULL) 1352 return; 1353 1354 /* get path from file struct here */ 1355 fad = F2A(fp); 1356 if (fad->fad_aupath != NULL) { 1357 au_uwrite(au_to_path(fad->fad_aupath)); 1358 } else { 1359 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1360 } 1361 1362 vp = fp->f_vnode; 1363 audit_attributes(vp); 1364 1365 /* decrement file descriptor reference count */ 1366 releasef(fd); 1367 } 1368 1369 /*ARGSUSED*/ 1370 static void 1371 aus_kill(struct t_audit_data *tad) 1372 { 1373 klwp_t *clwp = ttolwp(curthread); 1374 struct proc *p; 1375 uint32_t signo; 1376 uid_t uid, ruid; 1377 gid_t gid, rgid; 1378 pid_t pid; 1379 const auditinfo_addr_t *ainfo; 1380 cred_t *cr; 1381 1382 struct a { 1383 long pid; 1384 long signo; 1385 } *uap = (struct a *)clwp->lwp_ap; 1386 1387 pid = (pid_t)uap->pid; 1388 signo = (uint32_t)uap->signo; 1389 1390 au_uwrite(au_to_arg32(2, "signal", signo)); 1391 if (pid > 0) { 1392 mutex_enter(&pidlock); 1393 if (((p = prfind(pid)) == (struct proc *)0) || 1394 (p->p_stat == SIDL)) { 1395 mutex_exit(&pidlock); 1396 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1397 return; 1398 } 1399 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1400 mutex_exit(&pidlock); 1401 1402 mutex_enter(&p->p_crlock); 1403 crhold(cr = p->p_cred); 1404 mutex_exit(&p->p_crlock); 1405 mutex_exit(&p->p_lock); 1406 1407 ainfo = crgetauinfo(cr); 1408 if (ainfo == NULL) { 1409 crfree(cr); 1410 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1411 return; 1412 } 1413 1414 uid = crgetuid(cr); 1415 gid = crgetgid(cr); 1416 ruid = crgetruid(cr); 1417 rgid = crgetrgid(cr); 1418 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1419 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1420 1421 if (is_system_labeled()) 1422 au_uwrite(au_to_label(CR_SL(cr))); 1423 1424 crfree(cr); 1425 } 1426 else 1427 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1428 } 1429 1430 /*ARGSUSED*/ 1431 static void 1432 aus_mkdir(struct t_audit_data *tad) 1433 { 1434 klwp_t *clwp = ttolwp(curthread); 1435 uint32_t dmode; 1436 1437 struct a { 1438 long dirnamep; /* char * */ 1439 long dmode; 1440 } *uap = (struct a *)clwp->lwp_ap; 1441 1442 dmode = (uint32_t)uap->dmode; 1443 1444 au_uwrite(au_to_arg32(2, "mode", dmode)); 1445 } 1446 1447 /*ARGSUSED*/ 1448 static void 1449 aus_mknod(struct t_audit_data *tad) 1450 { 1451 klwp_t *clwp = ttolwp(curthread); 1452 uint32_t fmode; 1453 dev_t dev; 1454 1455 struct a { 1456 long pnamep; /* char * */ 1457 long fmode; 1458 long dev; 1459 } *uap = (struct a *)clwp->lwp_ap; 1460 1461 fmode = (uint32_t)uap->fmode; 1462 dev = (dev_t)uap->dev; 1463 1464 au_uwrite(au_to_arg32(2, "mode", fmode)); 1465 #ifdef _LP64 1466 au_uwrite(au_to_arg64(3, "dev", dev)); 1467 #else 1468 au_uwrite(au_to_arg32(3, "dev", dev)); 1469 #endif 1470 } 1471 1472 /*ARGSUSED*/ 1473 static void 1474 aus_xmknod(struct t_audit_data *tad) 1475 { 1476 klwp_t *clwp = ttolwp(curthread); 1477 uint32_t fmode; 1478 dev_t dev; 1479 1480 struct a { 1481 long version; /* version */ 1482 long pnamep; /* char * */ 1483 long fmode; 1484 long dev; 1485 } *uap = (struct a *)clwp->lwp_ap; 1486 1487 fmode = (uint32_t)uap->fmode; 1488 dev = (dev_t)uap->dev; 1489 1490 au_uwrite(au_to_arg32(2, "mode", fmode)); 1491 #ifdef _LP64 1492 au_uwrite(au_to_arg64(3, "dev", dev)); 1493 #else 1494 au_uwrite(au_to_arg32(3, "dev", dev)); 1495 #endif 1496 } 1497 1498 /*ARGSUSED*/ 1499 static void 1500 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1501 { 1502 klwp_t *clwp = ttolwp(curthread); 1503 vnode_t *dvp; 1504 caddr_t pnamep; 1505 1506 struct a { 1507 long pnamep; /* char * */ 1508 long fmode; 1509 long dev; 1510 } *uap = (struct a *)clwp->lwp_ap; 1511 1512 /* no error, then already path token in audit record */ 1513 if (error != EPERM) 1514 return; 1515 1516 /* not auditing this event, nothing then to do */ 1517 if (tad->tad_flag == 0) 1518 return; 1519 1520 /* do the lookup to force generation of path token */ 1521 pnamep = (caddr_t)uap->pnamep; 1522 tad->tad_ctrl |= PAD_NOATTRB; 1523 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1524 if (error == 0) 1525 VN_RELE(dvp); 1526 } 1527 1528 /*ARGSUSED*/ 1529 static void 1530 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1531 { 1532 klwp_t *clwp = ttolwp(curthread); 1533 vnode_t *dvp; 1534 caddr_t pnamep; 1535 1536 struct a { 1537 long version; /* version */ 1538 long pnamep; /* char * */ 1539 long fmode; 1540 long dev; 1541 } *uap = (struct a *)clwp->lwp_arg; 1542 1543 1544 /* no error, then already path token in audit record */ 1545 if (error != EPERM) 1546 return; 1547 1548 /* not auditing this event, nothing then to do */ 1549 if (tad->tad_flag == 0) 1550 return; 1551 1552 /* do the lookup to force generation of path token */ 1553 pnamep = (caddr_t)uap->pnamep; 1554 tad->tad_ctrl |= PAD_NOATTRB; 1555 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1556 if (error == 0) 1557 VN_RELE(dvp); 1558 } 1559 1560 /*ARGSUSED*/ 1561 static void 1562 aus_mount(struct t_audit_data *tad) 1563 { /* AUS_START */ 1564 klwp_t *clwp = ttolwp(curthread); 1565 uint32_t flags; 1566 uintptr_t u_fstype, dataptr; 1567 STRUCT_DECL(nfs_args, nfsargs); 1568 size_t len; 1569 char *fstype, *hostname; 1570 1571 struct a { 1572 long spec; /* char * */ 1573 long dir; /* char * */ 1574 long flags; 1575 long fstype; /* char * */ 1576 long dataptr; /* char * */ 1577 long datalen; 1578 } *uap = (struct a *)clwp->lwp_ap; 1579 1580 u_fstype = (uintptr_t)uap->fstype; 1581 flags = (uint32_t)uap->flags; 1582 dataptr = (uintptr_t)uap->dataptr; 1583 1584 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1585 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1586 goto mount_free_fstype; 1587 1588 au_uwrite(au_to_arg32(3, "flags", flags)); 1589 au_uwrite(au_to_text(fstype)); 1590 1591 if (strncmp(fstype, "nfs", 3) == 0) { 1592 1593 STRUCT_INIT(nfsargs, get_udatamodel()); 1594 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1595 1596 if (copyin((caddr_t)dataptr, 1597 STRUCT_BUF(nfsargs), 1598 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1599 /* DEBUG debug_enter((char *)NULL); */ 1600 goto mount_free_fstype; 1601 } 1602 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1603 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1604 (caddr_t)hostname, 1605 MAXNAMELEN, &len)) { 1606 goto mount_free_hostname; 1607 } 1608 au_uwrite(au_to_text(hostname)); 1609 au_uwrite(au_to_arg32(3, "internal flags", 1610 (uint_t)STRUCT_FGET(nfsargs, flags))); 1611 1612 mount_free_hostname: 1613 kmem_free(hostname, MAXNAMELEN); 1614 } 1615 1616 mount_free_fstype: 1617 kmem_free(fstype, MAXNAMELEN); 1618 } /* AUS_MOUNT */ 1619 1620 static void 1621 aus_umount_path(caddr_t umount_dir) 1622 { 1623 char *dir_path; 1624 struct audit_path *path; 1625 size_t path_len, dir_len; 1626 1627 /* length alloc'd for two string pointers */ 1628 path_len = sizeof (struct audit_path) + sizeof (char *); 1629 path = kmem_alloc(path_len, KM_SLEEP); 1630 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1631 1632 if (copyinstr(umount_dir, (caddr_t)dir_path, 1633 MAXPATHLEN, &dir_len)) 1634 goto umount2_free_dir; 1635 1636 /* 1637 * the audit_path struct assumes that the buffer pointed to 1638 * by audp_sect[n] contains string 0 immediatedly followed 1639 * by string 1. 1640 */ 1641 path->audp_sect[0] = dir_path; 1642 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1643 path->audp_size = path_len; 1644 path->audp_ref = 1; /* not used */ 1645 path->audp_cnt = 1; /* one path string */ 1646 1647 au_uwrite(au_to_path(path)); 1648 1649 umount2_free_dir: 1650 kmem_free(dir_path, MAXPATHLEN); 1651 kmem_free(path, path_len); 1652 } 1653 1654 /* 1655 * the umount syscall is implemented as a call to umount2, but the args 1656 * are different... 1657 */ 1658 1659 /*ARGSUSED*/ 1660 static void 1661 aus_umount(struct t_audit_data *tad) 1662 { 1663 klwp_t *clwp = ttolwp(curthread); 1664 struct a { 1665 long dir; /* char * */ 1666 } *uap = (struct a *)clwp->lwp_ap; 1667 1668 aus_umount_path((caddr_t)uap->dir); 1669 } 1670 1671 /*ARGSUSED*/ 1672 static void 1673 aus_umount2(struct t_audit_data *tad) 1674 { 1675 klwp_t *clwp = ttolwp(curthread); 1676 struct a { 1677 long dir; /* char * */ 1678 long flags; 1679 } *uap = (struct a *)clwp->lwp_ap; 1680 1681 aus_umount_path((caddr_t)uap->dir); 1682 1683 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1684 } 1685 1686 static void 1687 aus_msgsys(struct t_audit_data *tad) 1688 { 1689 klwp_t *clwp = ttolwp(curthread); 1690 uint32_t msgid; 1691 1692 struct b { 1693 long msgid; 1694 long cmd; 1695 long buf; /* struct msqid_ds * */ 1696 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1697 1698 msgid = (uint32_t)uap1->msgid; 1699 1700 1701 switch (tad->tad_event) { 1702 case AUE_MSGGET: /* msgget */ 1703 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1704 break; 1705 case AUE_MSGCTL: /* msgctl */ 1706 case AUE_MSGCTL_RMID: /* msgctl */ 1707 case AUE_MSGCTL_SET: /* msgctl */ 1708 case AUE_MSGCTL_STAT: /* msgctl */ 1709 case AUE_MSGRCV: /* msgrcv */ 1710 case AUE_MSGSND: /* msgsnd */ 1711 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1712 break; 1713 } 1714 } 1715 1716 /*ARGSUSED*/ 1717 static void 1718 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1719 { 1720 int id; 1721 1722 if (error != 0) 1723 return; 1724 if (tad->tad_event == AUE_MSGGET) { 1725 uint32_t scid; 1726 uint32_t sy_flags; 1727 1728 /* need to determine type of executing binary */ 1729 scid = tad->tad_scid; 1730 #ifdef _SYSCALL32_IMPL 1731 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1732 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1733 else 1734 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1735 #else 1736 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1737 #endif 1738 if (sy_flags == SE_32RVAL1) 1739 id = rval->r_val1; 1740 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1741 id = rval->r_val1; 1742 if (sy_flags == SE_64RVAL) 1743 id = (int)rval->r_vals; 1744 1745 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1746 } 1747 } 1748 1749 static void 1750 aus_semsys(struct t_audit_data *tad) 1751 { 1752 klwp_t *clwp = ttolwp(curthread); 1753 uint32_t semid; 1754 1755 struct b { /* ctrl */ 1756 long semid; 1757 long semnum; 1758 long cmd; 1759 long arg; 1760 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1761 1762 semid = (uint32_t)uap1->semid; 1763 1764 switch (tad->tad_event) { 1765 case AUE_SEMCTL_RMID: 1766 case AUE_SEMCTL_STAT: 1767 case AUE_SEMCTL_GETNCNT: 1768 case AUE_SEMCTL_GETPID: 1769 case AUE_SEMCTL_GETVAL: 1770 case AUE_SEMCTL_GETALL: 1771 case AUE_SEMCTL_GETZCNT: 1772 case AUE_SEMCTL_SET: 1773 case AUE_SEMCTL_SETVAL: 1774 case AUE_SEMCTL_SETALL: 1775 case AUE_SEMCTL: 1776 case AUE_SEMOP: 1777 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1778 break; 1779 case AUE_SEMGET: 1780 au_uwrite(au_to_arg32(1, "sem key", semid)); 1781 break; 1782 } 1783 } 1784 1785 /*ARGSUSED*/ 1786 static void 1787 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1788 { 1789 int id; 1790 1791 if (error != 0) 1792 return; 1793 if (tad->tad_event == AUE_SEMGET) { 1794 uint32_t scid; 1795 uint32_t sy_flags; 1796 1797 /* need to determine type of executing binary */ 1798 scid = tad->tad_scid; 1799 #ifdef _SYSCALL32_IMPL 1800 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1801 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1802 else 1803 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1804 #else 1805 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1806 #endif 1807 if (sy_flags == SE_32RVAL1) 1808 id = rval->r_val1; 1809 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1810 id = rval->r_val1; 1811 if (sy_flags == SE_64RVAL) 1812 id = (int)rval->r_vals; 1813 1814 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1815 } 1816 } 1817 1818 /*ARGSUSED*/ 1819 static void 1820 aus_close(struct t_audit_data *tad) 1821 { 1822 klwp_t *clwp = ttolwp(curthread); 1823 uint32_t fd; 1824 struct file *fp; 1825 struct f_audit_data *fad; 1826 struct vnode *vp; 1827 struct vattr attr; 1828 au_kcontext_t *kctx = GET_KCTX_PZ; 1829 1830 struct a { 1831 long i; 1832 } *uap = (struct a *)clwp->lwp_ap; 1833 1834 fd = (uint32_t)uap->i; 1835 1836 attr.va_mask = 0; 1837 au_uwrite(au_to_arg32(1, "fd", fd)); 1838 1839 /* 1840 * convert file pointer to file descriptor 1841 * Note: fd ref count incremented here. 1842 */ 1843 if ((fp = getf(fd)) == NULL) 1844 return; 1845 1846 fad = F2A(fp); 1847 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1848 if (fad->fad_aupath != NULL) { 1849 au_uwrite(au_to_path(fad->fad_aupath)); 1850 if ((vp = fp->f_vnode) != NULL) { 1851 attr.va_mask = AT_ALL; 1852 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1853 /* 1854 * When write was not used and the file can be 1855 * considered public, skip the audit. 1856 */ 1857 if (((fp->f_flag & FWRITE) == 0) && 1858 file_is_public(&attr)) { 1859 tad->tad_flag = 0; 1860 tad->tad_evmod = 0; 1861 /* free any residual audit data */ 1862 au_close(kctx, &(u_ad), 0, 0, 0); 1863 releasef(fd); 1864 return; 1865 } 1866 au_uwrite(au_to_attr(&attr)); 1867 audit_sec_attributes(&(u_ad), vp); 1868 } 1869 } 1870 } 1871 1872 /* decrement file descriptor reference count */ 1873 releasef(fd); 1874 } 1875 1876 /*ARGSUSED*/ 1877 static void 1878 aus_fstatfs(struct t_audit_data *tad) 1879 { 1880 klwp_t *clwp = ttolwp(curthread); 1881 uint32_t fd; 1882 struct file *fp; 1883 struct vnode *vp; 1884 struct f_audit_data *fad; 1885 1886 struct a { 1887 long fd; 1888 long buf; /* struct statfs * */ 1889 } *uap = (struct a *)clwp->lwp_ap; 1890 1891 fd = (uint_t)uap->fd; 1892 1893 /* 1894 * convert file pointer to file descriptor 1895 * Note: fd ref count incremented here. 1896 */ 1897 if ((fp = getf(fd)) == NULL) 1898 return; 1899 1900 /* get path from file struct here */ 1901 fad = F2A(fp); 1902 if (fad->fad_aupath != NULL) { 1903 au_uwrite(au_to_path(fad->fad_aupath)); 1904 } else { 1905 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1906 } 1907 1908 vp = fp->f_vnode; 1909 audit_attributes(vp); 1910 1911 /* decrement file descriptor reference count */ 1912 releasef(fd); 1913 } 1914 1915 static au_event_t 1916 aui_setpgrp(au_event_t e) 1917 { 1918 klwp_t *clwp = ttolwp(curthread); 1919 int flag; 1920 1921 struct a { 1922 long flag; 1923 long pid; 1924 long pgid; 1925 } *uap = (struct a *)clwp->lwp_ap; 1926 1927 flag = (int)uap->flag; 1928 1929 1930 switch (flag) { 1931 1932 case 1: /* setpgrp() */ 1933 e = AUE_SETPGRP; 1934 break; 1935 1936 case 3: /* setsid() */ 1937 e = AUE_SETSID; 1938 break; 1939 1940 case 5: /* setpgid() */ 1941 e = AUE_SETPGID; 1942 break; 1943 1944 case 0: /* getpgrp() - not security relevant */ 1945 case 2: /* getsid() - not security relevant */ 1946 case 4: /* getpgid() - not security relevant */ 1947 e = AUE_NULL; 1948 break; 1949 1950 default: 1951 e = AUE_NULL; 1952 break; 1953 } 1954 1955 return (e); 1956 } 1957 1958 /*ARGSUSED*/ 1959 static void 1960 aus_setpgrp(struct t_audit_data *tad) 1961 { 1962 klwp_t *clwp = ttolwp(curthread); 1963 pid_t pgid; 1964 struct proc *p; 1965 uid_t uid, ruid; 1966 gid_t gid, rgid; 1967 pid_t pid; 1968 cred_t *cr; 1969 int flag; 1970 const auditinfo_addr_t *ainfo; 1971 1972 struct a { 1973 long flag; 1974 long pid; 1975 long pgid; 1976 } *uap = (struct a *)clwp->lwp_ap; 1977 1978 flag = (int)uap->flag; 1979 pid = (pid_t)uap->pid; 1980 pgid = (pid_t)uap->pgid; 1981 1982 1983 switch (flag) { 1984 1985 case 0: /* getpgrp() */ 1986 case 1: /* setpgrp() */ 1987 case 2: /* getsid() */ 1988 case 3: /* setsid() */ 1989 case 4: /* getpgid() */ 1990 break; 1991 1992 case 5: /* setpgid() */ 1993 1994 /* current process? */ 1995 if (pid == 0) { 1996 return; 1997 } 1998 1999 mutex_enter(&pidlock); 2000 p = prfind(pid); 2001 if (p == NULL || p->p_as == &kas || 2002 p->p_stat == SIDL || p->p_stat == SZOMB) { 2003 mutex_exit(&pidlock); 2004 return; 2005 } 2006 mutex_enter(&p->p_lock); /* so process doesn't go away */ 2007 mutex_exit(&pidlock); 2008 2009 mutex_enter(&p->p_crlock); 2010 crhold(cr = p->p_cred); 2011 mutex_exit(&p->p_crlock); 2012 mutex_exit(&p->p_lock); 2013 2014 ainfo = crgetauinfo(cr); 2015 if (ainfo == NULL) { 2016 crfree(cr); 2017 return; 2018 } 2019 2020 uid = crgetuid(cr); 2021 gid = crgetgid(cr); 2022 ruid = crgetruid(cr); 2023 rgid = crgetrgid(cr); 2024 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2025 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2026 crfree(cr); 2027 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2028 break; 2029 2030 default: 2031 break; 2032 } 2033 } 2034 2035 2036 /*ARGSUSED*/ 2037 static void 2038 aus_setregid(struct t_audit_data *tad) 2039 { 2040 klwp_t *clwp = ttolwp(curthread); 2041 uint32_t rgid, egid; 2042 2043 struct a { 2044 long rgid; 2045 long egid; 2046 } *uap = (struct a *)clwp->lwp_ap; 2047 2048 rgid = (uint32_t)uap->rgid; 2049 egid = (uint32_t)uap->egid; 2050 2051 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2052 au_uwrite(au_to_arg32(2, "egid", egid)); 2053 } 2054 2055 /*ARGSUSED*/ 2056 static void 2057 aus_setgid(struct t_audit_data *tad) 2058 { 2059 klwp_t *clwp = ttolwp(curthread); 2060 uint32_t gid; 2061 2062 struct a { 2063 long gid; 2064 } *uap = (struct a *)clwp->lwp_ap; 2065 2066 gid = (uint32_t)uap->gid; 2067 2068 au_uwrite(au_to_arg32(1, "gid", gid)); 2069 } 2070 2071 2072 /*ARGSUSED*/ 2073 static void 2074 aus_setreuid(struct t_audit_data *tad) 2075 { 2076 klwp_t *clwp = ttolwp(curthread); 2077 uint32_t ruid, euid; 2078 2079 struct a { 2080 long ruid; 2081 long euid; 2082 } *uap = (struct a *)clwp->lwp_ap; 2083 2084 ruid = (uint32_t)uap->ruid; 2085 euid = (uint32_t)uap->euid; 2086 2087 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2088 au_uwrite(au_to_arg32(2, "euid", euid)); 2089 } 2090 2091 2092 /*ARGSUSED*/ 2093 static void 2094 aus_setuid(struct t_audit_data *tad) 2095 { 2096 klwp_t *clwp = ttolwp(curthread); 2097 uint32_t uid; 2098 2099 struct a { 2100 long uid; 2101 } *uap = (struct a *)clwp->lwp_ap; 2102 2103 uid = (uint32_t)uap->uid; 2104 2105 au_uwrite(au_to_arg32(1, "uid", uid)); 2106 } 2107 2108 /*ARGSUSED*/ 2109 static void 2110 aus_shmsys(struct t_audit_data *tad) 2111 { 2112 klwp_t *clwp = ttolwp(curthread); 2113 uint32_t id, cmd; 2114 2115 struct b { 2116 long id; 2117 long cmd; 2118 long buf; /* struct shmid_ds * */ 2119 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2120 2121 id = (uint32_t)uap1->id; 2122 cmd = (uint32_t)uap1->cmd; 2123 2124 switch (tad->tad_event) { 2125 case AUE_SHMGET: /* shmget */ 2126 au_uwrite(au_to_arg32(1, "shm key", id)); 2127 break; 2128 case AUE_SHMCTL: /* shmctl */ 2129 case AUE_SHMCTL_RMID: /* shmctl */ 2130 case AUE_SHMCTL_STAT: /* shmctl */ 2131 case AUE_SHMCTL_SET: /* shmctl */ 2132 au_uwrite(au_to_arg32(1, "shm ID", id)); 2133 break; 2134 case AUE_SHMDT: /* shmdt */ 2135 au_uwrite(au_to_arg32(1, "shm adr", id)); 2136 break; 2137 case AUE_SHMAT: /* shmat */ 2138 au_uwrite(au_to_arg32(1, "shm ID", id)); 2139 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2140 break; 2141 } 2142 } 2143 2144 /*ARGSUSED*/ 2145 static void 2146 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2147 { 2148 int id; 2149 2150 if (error != 0) 2151 return; 2152 if (tad->tad_event == AUE_SHMGET) { 2153 uint32_t scid; 2154 uint32_t sy_flags; 2155 2156 /* need to determine type of executing binary */ 2157 scid = tad->tad_scid; 2158 #ifdef _SYSCALL32_IMPL 2159 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2160 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2161 else 2162 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2163 #else 2164 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2165 #endif 2166 if (sy_flags == SE_32RVAL1) 2167 id = rval->r_val1; 2168 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2169 id = rval->r_val1; 2170 if (sy_flags == SE_64RVAL) 2171 id = (int)rval->r_vals; 2172 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2173 } 2174 } 2175 2176 2177 /*ARGSUSED*/ 2178 static void 2179 aus_ioctl(struct t_audit_data *tad) 2180 { 2181 klwp_t *clwp = ttolwp(curthread); 2182 struct file *fp; 2183 struct vnode *vp; 2184 struct f_audit_data *fad; 2185 uint32_t fd, cmd; 2186 uintptr_t cmarg; 2187 2188 /* XX64 */ 2189 struct a { 2190 long fd; 2191 long cmd; 2192 long cmarg; /* caddr_t */ 2193 } *uap = (struct a *)clwp->lwp_ap; 2194 2195 fd = (uint32_t)uap->fd; 2196 cmd = (uint32_t)uap->cmd; 2197 cmarg = (uintptr_t)uap->cmarg; 2198 2199 /* 2200 * convert file pointer to file descriptor 2201 * Note: fd ref count incremented here. 2202 */ 2203 if ((fp = getf(fd)) == NULL) { 2204 au_uwrite(au_to_arg32(1, "fd", fd)); 2205 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2206 #ifndef _LP64 2207 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2208 #else 2209 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2210 #endif 2211 return; 2212 } 2213 2214 /* get path from file struct here */ 2215 fad = F2A(fp); 2216 if (fad->fad_aupath != NULL) { 2217 au_uwrite(au_to_path(fad->fad_aupath)); 2218 } else { 2219 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2220 } 2221 2222 vp = fp->f_vnode; 2223 audit_attributes(vp); 2224 2225 /* decrement file descriptor reference count */ 2226 releasef(fd); 2227 2228 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2229 #ifndef _LP64 2230 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2231 #else 2232 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2233 #endif 2234 } 2235 2236 /* 2237 * null function for memcntl for now. We might want to limit memcntl() 2238 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2239 * require privileges. 2240 */ 2241 static au_event_t 2242 aui_memcntl(au_event_t e) 2243 { 2244 return (e); 2245 } 2246 2247 /*ARGSUSED*/ 2248 static au_event_t 2249 aui_privsys(au_event_t e) 2250 { 2251 klwp_t *clwp = ttolwp(curthread); 2252 2253 struct a { 2254 long opcode; 2255 } *uap = (struct a *)clwp->lwp_ap; 2256 2257 switch (uap->opcode) { 2258 case PRIVSYS_SETPPRIV: 2259 return (AUE_SETPPRIV); 2260 default: 2261 return (AUE_NULL); 2262 } 2263 } 2264 2265 /*ARGSUSED*/ 2266 static void 2267 aus_memcntl(struct t_audit_data *tad) 2268 { 2269 klwp_t *clwp = ttolwp(curthread); 2270 2271 struct a { 2272 long addr; 2273 long len; 2274 long cmd; 2275 long arg; 2276 long attr; 2277 long mask; 2278 } *uap = (struct a *)clwp->lwp_ap; 2279 2280 #ifdef _LP64 2281 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2282 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2283 #else 2284 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2285 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2286 #endif 2287 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2288 #ifdef _LP64 2289 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2290 #else 2291 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2292 #endif 2293 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2294 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2295 } 2296 2297 /*ARGSUSED*/ 2298 static void 2299 aus_mmap(struct t_audit_data *tad) 2300 { 2301 klwp_t *clwp = ttolwp(curthread); 2302 struct file *fp; 2303 struct f_audit_data *fad; 2304 struct vnode *vp; 2305 uint32_t fd; 2306 2307 struct a { 2308 long addr; 2309 long len; 2310 long prot; 2311 long flags; 2312 long fd; 2313 long pos; 2314 } *uap = (struct a *)clwp->lwp_ap; 2315 2316 fd = (uint32_t)uap->fd; 2317 2318 #ifdef _LP64 2319 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2320 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2321 #else 2322 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2323 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2324 #endif 2325 2326 if ((fp = getf(fd)) == NULL) { 2327 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2328 return; 2329 } 2330 2331 /* 2332 * Mark in the tad if write access is NOT requested... if 2333 * this is later detected (in audit_attributes) to be a 2334 * public object, the mmap event may be discarded. 2335 */ 2336 if (((uap->prot) & PROT_WRITE) == 0) { 2337 tad->tad_ctrl |= PAD_PUBLIC_EV; 2338 } 2339 2340 fad = F2A(fp); 2341 if (fad->fad_aupath != NULL) { 2342 au_uwrite(au_to_path(fad->fad_aupath)); 2343 } else { 2344 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2345 } 2346 2347 vp = (struct vnode *)fp->f_vnode; 2348 audit_attributes(vp); 2349 2350 /* mark READ/WRITE since we can't predict access */ 2351 if (uap->prot & PROT_READ) 2352 fad->fad_flags |= FAD_READ; 2353 if (uap->prot & PROT_WRITE) 2354 fad->fad_flags |= FAD_WRITE; 2355 2356 /* decrement file descriptor reference count */ 2357 releasef(fd); 2358 2359 } /* AUS_MMAP */ 2360 2361 2362 2363 2364 /*ARGSUSED*/ 2365 static void 2366 aus_munmap(struct t_audit_data *tad) 2367 { 2368 klwp_t *clwp = ttolwp(curthread); 2369 2370 struct a { 2371 long addr; 2372 long len; 2373 } *uap = (struct a *)clwp->lwp_ap; 2374 2375 #ifdef _LP64 2376 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2377 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2378 #else 2379 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2380 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2381 #endif 2382 2383 } /* AUS_MUNMAP */ 2384 2385 2386 2387 2388 2389 2390 2391 /*ARGSUSED*/ 2392 static void 2393 aus_priocntlsys(struct t_audit_data *tad) 2394 { 2395 klwp_t *clwp = ttolwp(curthread); 2396 2397 struct a { 2398 long pc_version; 2399 long psp; /* procset_t */ 2400 long cmd; 2401 long arg; 2402 } *uap = (struct a *)clwp->lwp_ap; 2403 2404 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2405 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2406 2407 } /* AUS_PRIOCNTLSYS */ 2408 2409 2410 /*ARGSUSED*/ 2411 static void 2412 aus_setegid(struct t_audit_data *tad) 2413 { 2414 klwp_t *clwp = ttolwp(curthread); 2415 uint32_t gid; 2416 2417 struct a { 2418 long gid; 2419 } *uap = (struct a *)clwp->lwp_ap; 2420 2421 gid = (uint32_t)uap->gid; 2422 2423 au_uwrite(au_to_arg32(1, "gid", gid)); 2424 } /* AUS_SETEGID */ 2425 2426 2427 2428 2429 /*ARGSUSED*/ 2430 static void 2431 aus_setgroups(struct t_audit_data *tad) 2432 { 2433 klwp_t *clwp = ttolwp(curthread); 2434 int i; 2435 int gidsetsize; 2436 uintptr_t gidset; 2437 gid_t *gidlist; 2438 2439 struct a { 2440 long gidsetsize; 2441 long gidset; 2442 } *uap = (struct a *)clwp->lwp_ap; 2443 2444 gidsetsize = (uint_t)uap->gidsetsize; 2445 gidset = (uintptr_t)uap->gidset; 2446 2447 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2448 return; 2449 if (gidsetsize != 0) { 2450 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2451 KM_SLEEP); 2452 if (copyin((caddr_t)gidset, gidlist, 2453 gidsetsize * sizeof (gid_t)) == 0) 2454 for (i = 0; i < gidsetsize; i++) 2455 au_uwrite(au_to_arg32(1, "setgroups", 2456 (uint32_t)gidlist[i])); 2457 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2458 } else 2459 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2460 2461 } /* AUS_SETGROUPS */ 2462 2463 2464 2465 2466 2467 /*ARGSUSED*/ 2468 static void 2469 aus_seteuid(struct t_audit_data *tad) 2470 { 2471 klwp_t *clwp = ttolwp(curthread); 2472 uint32_t uid; 2473 2474 struct a { 2475 long uid; 2476 } *uap = (struct a *)clwp->lwp_ap; 2477 2478 uid = (uint32_t)uap->uid; 2479 2480 au_uwrite(au_to_arg32(1, "euid", uid)); 2481 2482 } /* AUS_SETEUID */ 2483 2484 /*ARGSUSED*/ 2485 static void 2486 aus_putmsg(struct t_audit_data *tad) 2487 { 2488 klwp_t *clwp = ttolwp(curthread); 2489 uint32_t fd, pri; 2490 struct file *fp; 2491 struct f_audit_data *fad; 2492 2493 struct a { 2494 long fdes; 2495 long ctl; /* struct strbuf * */ 2496 long data; /* struct strbuf * */ 2497 long pri; 2498 } *uap = (struct a *)clwp->lwp_ap; 2499 2500 fd = (uint32_t)uap->fdes; 2501 pri = (uint32_t)uap->pri; 2502 2503 au_uwrite(au_to_arg32(1, "fd", fd)); 2504 2505 if ((fp = getf(fd)) != NULL) { 2506 fad = F2A(fp); 2507 2508 fad->fad_flags |= FAD_WRITE; 2509 2510 /* add path name to audit record */ 2511 if (fad->fad_aupath != NULL) { 2512 au_uwrite(au_to_path(fad->fad_aupath)); 2513 } 2514 audit_attributes(fp->f_vnode); 2515 2516 releasef(fd); 2517 } 2518 2519 au_uwrite(au_to_arg32(4, "pri", pri)); 2520 } 2521 2522 /*ARGSUSED*/ 2523 static void 2524 aus_putpmsg(struct t_audit_data *tad) 2525 { 2526 klwp_t *clwp = ttolwp(curthread); 2527 uint32_t fd, pri, flags; 2528 struct file *fp; 2529 struct f_audit_data *fad; 2530 2531 struct a { 2532 long fdes; 2533 long ctl; /* struct strbuf * */ 2534 long data; /* struct strbuf * */ 2535 long pri; 2536 long flags; 2537 } *uap = (struct a *)clwp->lwp_ap; 2538 2539 fd = (uint32_t)uap->fdes; 2540 pri = (uint32_t)uap->pri; 2541 flags = (uint32_t)uap->flags; 2542 2543 au_uwrite(au_to_arg32(1, "fd", fd)); 2544 2545 if ((fp = getf(fd)) != NULL) { 2546 fad = F2A(fp); 2547 2548 fad->fad_flags |= FAD_WRITE; 2549 2550 /* add path name to audit record */ 2551 if (fad->fad_aupath != NULL) { 2552 au_uwrite(au_to_path(fad->fad_aupath)); 2553 } 2554 audit_attributes(fp->f_vnode); 2555 2556 releasef(fd); 2557 } 2558 2559 2560 au_uwrite(au_to_arg32(4, "pri", pri)); 2561 au_uwrite(au_to_arg32(5, "flags", flags)); 2562 } 2563 2564 /*ARGSUSED*/ 2565 static void 2566 aus_getmsg(struct t_audit_data *tad) 2567 { 2568 klwp_t *clwp = ttolwp(curthread); 2569 uint32_t fd, pri; 2570 struct file *fp; 2571 struct f_audit_data *fad; 2572 2573 struct a { 2574 long fdes; 2575 long ctl; /* struct strbuf * */ 2576 long data; /* struct strbuf * */ 2577 long pri; 2578 } *uap = (struct a *)clwp->lwp_ap; 2579 2580 fd = (uint32_t)uap->fdes; 2581 pri = (uint32_t)uap->pri; 2582 2583 au_uwrite(au_to_arg32(1, "fd", fd)); 2584 2585 if ((fp = getf(fd)) != NULL) { 2586 fad = F2A(fp); 2587 2588 /* 2589 * read operation on this object 2590 */ 2591 fad->fad_flags |= FAD_READ; 2592 2593 /* add path name to audit record */ 2594 if (fad->fad_aupath != NULL) { 2595 au_uwrite(au_to_path(fad->fad_aupath)); 2596 } 2597 audit_attributes(fp->f_vnode); 2598 2599 releasef(fd); 2600 } 2601 2602 au_uwrite(au_to_arg32(4, "pri", pri)); 2603 } 2604 2605 /*ARGSUSED*/ 2606 static void 2607 aus_getpmsg(struct t_audit_data *tad) 2608 { 2609 klwp_t *clwp = ttolwp(curthread); 2610 uint32_t fd; 2611 struct file *fp; 2612 struct f_audit_data *fad; 2613 2614 struct a { 2615 long fdes; 2616 long ctl; /* struct strbuf * */ 2617 long data; /* struct strbuf * */ 2618 long pri; 2619 long flags; 2620 } *uap = (struct a *)clwp->lwp_ap; 2621 2622 fd = (uint32_t)uap->fdes; 2623 2624 au_uwrite(au_to_arg32(1, "fd", fd)); 2625 2626 if ((fp = getf(fd)) != NULL) { 2627 fad = F2A(fp); 2628 2629 /* 2630 * read operation on this object 2631 */ 2632 fad->fad_flags |= FAD_READ; 2633 2634 /* add path name to audit record */ 2635 if (fad->fad_aupath != NULL) { 2636 au_uwrite(au_to_path(fad->fad_aupath)); 2637 } 2638 audit_attributes(fp->f_vnode); 2639 2640 releasef(fd); 2641 } 2642 } 2643 2644 static au_event_t 2645 aui_labelsys(au_event_t e) 2646 { 2647 klwp_t *clwp = ttolwp(curthread); 2648 uint32_t code; 2649 uint32_t cmd; 2650 2651 struct a { 2652 long code; 2653 long cmd; 2654 } *uap = (struct a *)clwp->lwp_ap; 2655 2656 code = (uint32_t)uap->code; 2657 cmd = (uint32_t)uap->cmd; 2658 2659 /* not security relevant if not changing kernel cache */ 2660 if (cmd == TNDB_GET) 2661 return (AUE_NULL); 2662 2663 switch (code) { 2664 case TSOL_TNRH: 2665 e = AUE_LABELSYS_TNRH; 2666 break; 2667 case TSOL_TNRHTP: 2668 e = AUE_LABELSYS_TNRHTP; 2669 break; 2670 case TSOL_TNMLP: 2671 e = AUE_LABELSYS_TNMLP; 2672 break; 2673 default: 2674 e = AUE_NULL; 2675 break; 2676 } 2677 2678 return (e); 2679 2680 } 2681 2682 static void 2683 aus_labelsys(struct t_audit_data *tad) 2684 { 2685 klwp_t *clwp = ttolwp(curthread); 2686 uint32_t cmd; 2687 uintptr_t a2; 2688 2689 struct a { 2690 long code; 2691 long cmd; 2692 long a2; 2693 } *uap = (struct a *)clwp->lwp_ap; 2694 2695 cmd = (uint32_t)uap->cmd; 2696 a2 = (uintptr_t)uap->a2; 2697 2698 switch (tad->tad_event) { 2699 case AUE_LABELSYS_TNRH: 2700 { 2701 tsol_rhent_t *rhent; 2702 tnaddr_t *rh_addr; 2703 2704 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2705 2706 /* Remaining args don't apply for FLUSH, so skip */ 2707 if (cmd == TNDB_FLUSH) 2708 break; 2709 2710 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2711 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2712 kmem_free(rhent, sizeof (tsol_rhent_t)); 2713 return; 2714 } 2715 2716 rh_addr = &rhent->rh_address; 2717 if (rh_addr->ta_family == AF_INET) { 2718 struct in_addr *ipaddr; 2719 2720 ipaddr = &(rh_addr->ta_addr_v4); 2721 au_uwrite(au_to_in_addr(ipaddr)); 2722 } else if (rh_addr->ta_family == AF_INET6) { 2723 int32_t *ipaddr; 2724 2725 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2726 au_uwrite(au_to_in_addr_ex(ipaddr)); 2727 } 2728 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2729 2730 kmem_free(rhent, sizeof (tsol_rhent_t)); 2731 2732 break; 2733 } 2734 case AUE_LABELSYS_TNRHTP: 2735 { 2736 tsol_tpent_t *tpent; 2737 2738 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2739 2740 /* Remaining args don't apply for FLUSH, so skip */ 2741 if (cmd == TNDB_FLUSH) 2742 break; 2743 2744 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2745 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2746 kmem_free(tpent, sizeof (tsol_tpent_t)); 2747 return; 2748 } 2749 2750 /* Make sure that the template name is null-terminated. */ 2751 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2752 2753 au_uwrite(au_to_text(tpent->name)); 2754 kmem_free(tpent, sizeof (tsol_tpent_t)); 2755 2756 break; 2757 } 2758 case AUE_LABELSYS_TNMLP: 2759 { 2760 tsol_mlpent_t *mlpent; 2761 2762 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2763 2764 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2765 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2766 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2767 return; 2768 } 2769 2770 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2771 au_uwrite(au_to_text("shared")); 2772 } else { 2773 zone_t *zone; 2774 2775 zone = zone_find_by_id(mlpent->tsme_zoneid); 2776 if (zone != NULL) { 2777 au_uwrite(au_to_text(zone->zone_name)); 2778 zone_rele(zone); 2779 } 2780 } 2781 2782 /* Remaining args don't apply for FLUSH, so skip */ 2783 if (cmd == TNDB_FLUSH) { 2784 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2785 break; 2786 } 2787 2788 au_uwrite(au_to_arg32(2, "proto num", 2789 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2790 au_uwrite(au_to_arg32(2, "mlp_port", 2791 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2792 2793 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2794 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2795 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2796 2797 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2798 2799 break; 2800 } 2801 default: 2802 break; 2803 } 2804 } 2805 2806 2807 static au_event_t 2808 aui_auditsys(au_event_t e) 2809 { 2810 klwp_t *clwp = ttolwp(curthread); 2811 uint32_t code; 2812 2813 struct a { 2814 long code; 2815 long a1; 2816 long a2; 2817 long a3; 2818 long a4; 2819 long a5; 2820 long a6; 2821 long a7; 2822 } *uap = (struct a *)clwp->lwp_ap; 2823 2824 code = (uint32_t)uap->code; 2825 2826 switch (code) { 2827 2828 case BSM_GETAUID: 2829 e = AUE_GETAUID; 2830 break; 2831 case BSM_SETAUID: 2832 e = AUE_SETAUID; 2833 break; 2834 case BSM_GETAUDIT: 2835 e = AUE_GETAUDIT; 2836 break; 2837 case BSM_GETAUDIT_ADDR: 2838 e = AUE_GETAUDIT_ADDR; 2839 break; 2840 case BSM_SETAUDIT: 2841 e = AUE_SETAUDIT; 2842 break; 2843 case BSM_SETAUDIT_ADDR: 2844 e = AUE_SETAUDIT_ADDR; 2845 break; 2846 case BSM_AUDIT: 2847 e = AUE_AUDIT; 2848 break; 2849 case BSM_AUDITON: 2850 case BSM_AUDITCTL: 2851 2852 switch ((uint_t)uap->a1) { 2853 2854 case A_GETPOLICY: 2855 e = AUE_AUDITON_GPOLICY; 2856 break; 2857 case A_SETPOLICY: 2858 e = AUE_AUDITON_SPOLICY; 2859 break; 2860 case A_GETKMASK: 2861 e = AUE_AUDITON_GETKMASK; 2862 break; 2863 case A_SETKMASK: 2864 e = AUE_AUDITON_SETKMASK; 2865 break; 2866 case A_GETQCTRL: 2867 e = AUE_AUDITON_GQCTRL; 2868 break; 2869 case A_SETQCTRL: 2870 e = AUE_AUDITON_SQCTRL; 2871 break; 2872 case A_GETCWD: 2873 e = AUE_AUDITON_GETCWD; 2874 break; 2875 case A_GETCAR: 2876 e = AUE_AUDITON_GETCAR; 2877 break; 2878 case A_GETSTAT: 2879 e = AUE_AUDITON_GETSTAT; 2880 break; 2881 case A_SETSTAT: 2882 e = AUE_AUDITON_SETSTAT; 2883 break; 2884 case A_SETUMASK: 2885 e = AUE_AUDITON_SETUMASK; 2886 break; 2887 case A_SETSMASK: 2888 e = AUE_AUDITON_SETSMASK; 2889 break; 2890 case A_GETCOND: 2891 e = AUE_AUDITON_GETCOND; 2892 break; 2893 case A_SETCOND: 2894 e = AUE_AUDITON_SETCOND; 2895 break; 2896 case A_GETCLASS: 2897 e = AUE_AUDITON_GETCLASS; 2898 break; 2899 case A_SETCLASS: 2900 e = AUE_AUDITON_SETCLASS; 2901 break; 2902 default: 2903 e = AUE_NULL; 2904 break; 2905 } 2906 break; 2907 default: 2908 e = AUE_NULL; 2909 break; 2910 } 2911 2912 return (e); 2913 2914 } /* AUI_AUDITSYS */ 2915 2916 2917 static void 2918 aus_auditsys(struct t_audit_data *tad) 2919 { 2920 klwp_t *clwp = ttolwp(curthread); 2921 uintptr_t a1, a2; 2922 STRUCT_DECL(auditinfo, ainfo); 2923 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2924 au_evclass_map_t event; 2925 au_mask_t mask; 2926 int auditstate, policy; 2927 au_id_t auid; 2928 2929 2930 struct a { 2931 long code; 2932 long a1; 2933 long a2; 2934 long a3; 2935 long a4; 2936 long a5; 2937 long a6; 2938 long a7; 2939 } *uap = (struct a *)clwp->lwp_ap; 2940 2941 a1 = (uintptr_t)uap->a1; 2942 a2 = (uintptr_t)uap->a2; 2943 2944 switch (tad->tad_event) { 2945 case AUE_SETAUID: 2946 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2947 return; 2948 au_uwrite(au_to_arg32(2, "setauid", auid)); 2949 break; 2950 case AUE_SETAUDIT: 2951 STRUCT_INIT(ainfo, get_udatamodel()); 2952 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2953 STRUCT_SIZE(ainfo))) { 2954 return; 2955 } 2956 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2957 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2958 #ifdef _LP64 2959 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2960 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2961 #else 2962 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2963 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2964 #endif 2965 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2966 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2967 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2968 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2969 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2970 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2971 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2972 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2973 break; 2974 case AUE_SETAUDIT_ADDR: 2975 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2976 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2977 STRUCT_SIZE(ainfo_addr))) { 2978 return; 2979 } 2980 au_uwrite(au_to_arg32((char)1, "auid", 2981 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2982 #ifdef _LP64 2983 au_uwrite(au_to_arg64((char)1, "port", 2984 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2985 #else 2986 au_uwrite(au_to_arg32((char)1, "port", 2987 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2988 #endif 2989 au_uwrite(au_to_arg32((char)1, "type", 2990 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2991 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2992 AU_IPv4) { 2993 au_uwrite(au_to_in_addr( 2994 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2995 ai_termid.at_addr))); 2996 } else { 2997 au_uwrite(au_to_in_addr_ex( 2998 (int32_t *)STRUCT_FGETP(ainfo_addr, 2999 ai_termid.at_addr))); 3000 } 3001 au_uwrite(au_to_arg32((char)1, "as_success", 3002 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3003 au_uwrite(au_to_arg32((char)1, "as_failure", 3004 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3005 au_uwrite(au_to_arg32((char)1, "asid", 3006 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3007 break; 3008 case AUE_AUDITON_SETKMASK: 3009 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3010 return; 3011 au_uwrite(au_to_arg32( 3012 2, "setkmask:as_success", (uint32_t)mask.as_success)); 3013 au_uwrite(au_to_arg32( 3014 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 3015 break; 3016 case AUE_AUDITON_SPOLICY: 3017 if (copyin((caddr_t)a2, &policy, sizeof (int))) 3018 return; 3019 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3020 break; 3021 case AUE_AUDITON_SQCTRL: { 3022 STRUCT_DECL(au_qctrl, qctrl); 3023 model_t model; 3024 3025 model = get_udatamodel(); 3026 STRUCT_INIT(qctrl, model); 3027 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3028 return; 3029 if (model == DATAMODEL_ILP32) { 3030 au_uwrite(au_to_arg32( 3031 3, "setqctrl:aq_hiwater", 3032 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3033 au_uwrite(au_to_arg32( 3034 3, "setqctrl:aq_lowater", 3035 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3036 au_uwrite(au_to_arg32( 3037 3, "setqctrl:aq_bufsz", 3038 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3039 au_uwrite(au_to_arg32( 3040 3, "setqctrl:aq_delay", 3041 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3042 } else { 3043 au_uwrite(au_to_arg64( 3044 3, "setqctrl:aq_hiwater", 3045 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3046 au_uwrite(au_to_arg64( 3047 3, "setqctrl:aq_lowater", 3048 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3049 au_uwrite(au_to_arg64( 3050 3, "setqctrl:aq_bufsz", 3051 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3052 au_uwrite(au_to_arg64( 3053 3, "setqctrl:aq_delay", 3054 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3055 } 3056 break; 3057 } 3058 case AUE_AUDITON_SETUMASK: 3059 STRUCT_INIT(ainfo, get_udatamodel()); 3060 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3061 STRUCT_SIZE(ainfo))) { 3062 return; 3063 } 3064 au_uwrite(au_to_arg32(3, "setumask:as_success", 3065 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3066 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3067 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3068 break; 3069 case AUE_AUDITON_SETSMASK: 3070 STRUCT_INIT(ainfo, get_udatamodel()); 3071 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3072 STRUCT_SIZE(ainfo))) { 3073 return; 3074 } 3075 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3076 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3077 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3078 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3079 break; 3080 case AUE_AUDITON_SETCOND: 3081 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3082 return; 3083 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3084 break; 3085 case AUE_AUDITON_SETCLASS: 3086 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3087 return; 3088 au_uwrite(au_to_arg32( 3089 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3090 au_uwrite(au_to_arg32( 3091 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3092 break; 3093 case AUE_GETAUID: 3094 case AUE_GETAUDIT: 3095 case AUE_GETAUDIT_ADDR: 3096 case AUE_AUDIT: 3097 case AUE_AUDITON_GPOLICY: 3098 case AUE_AUDITON_GQCTRL: 3099 case AUE_AUDITON_GETKMASK: 3100 case AUE_AUDITON_GETCWD: 3101 case AUE_AUDITON_GETCAR: 3102 case AUE_AUDITON_GETSTAT: 3103 case AUE_AUDITON_SETSTAT: 3104 case AUE_AUDITON_GETCOND: 3105 case AUE_AUDITON_GETCLASS: 3106 break; 3107 default: 3108 break; 3109 } 3110 3111 } /* AUS_AUDITSYS */ 3112 3113 3114 /* only audit privileged operations for systeminfo(2) system call */ 3115 static au_event_t 3116 aui_sysinfo(au_event_t e) 3117 { 3118 klwp_t *clwp = ttolwp(curthread); 3119 uint32_t command; 3120 3121 struct a { 3122 long command; 3123 long buf; /* char * */ 3124 long count; 3125 } *uap = (struct a *)clwp->lwp_ap; 3126 3127 command = (uint32_t)uap->command; 3128 3129 switch (command) { 3130 case SI_SET_HOSTNAME: 3131 case SI_SET_SRPC_DOMAIN: 3132 e = (au_event_t)AUE_SYSINFO; 3133 break; 3134 default: 3135 e = (au_event_t)AUE_NULL; 3136 break; 3137 } 3138 return (e); 3139 } 3140 3141 /*ARGSUSED*/ 3142 static void 3143 aus_sysinfo(struct t_audit_data *tad) 3144 { 3145 klwp_t *clwp = ttolwp(curthread); 3146 uint32_t command; 3147 size_t len, maxlen; 3148 char *name; 3149 uintptr_t buf; 3150 3151 struct a { 3152 long command; 3153 long buf; /* char * */ 3154 long count; 3155 } *uap = (struct a *)clwp->lwp_ap; 3156 3157 command = (uint32_t)uap->command; 3158 buf = (uintptr_t)uap->buf; 3159 3160 au_uwrite(au_to_arg32(1, "cmd", command)); 3161 3162 switch (command) { 3163 case SI_SET_HOSTNAME: 3164 { 3165 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3166 return; 3167 3168 maxlen = SYS_NMLN; 3169 name = kmem_alloc(maxlen, KM_SLEEP); 3170 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3171 break; 3172 3173 /* 3174 * Must be non-NULL string and string 3175 * must be less than SYS_NMLN chars. 3176 */ 3177 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3178 break; 3179 3180 au_uwrite(au_to_text(name)); 3181 break; 3182 } 3183 3184 case SI_SET_SRPC_DOMAIN: 3185 { 3186 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3187 return; 3188 3189 maxlen = SYS_NMLN; 3190 name = kmem_alloc(maxlen, KM_SLEEP); 3191 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3192 break; 3193 3194 /* 3195 * If string passed in is longer than length 3196 * allowed for domain name, fail. 3197 */ 3198 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3199 break; 3200 3201 au_uwrite(au_to_text(name)); 3202 break; 3203 } 3204 3205 default: 3206 return; 3207 } 3208 3209 kmem_free(name, maxlen); 3210 } 3211 3212 static au_event_t 3213 aui_modctl(au_event_t e) 3214 { 3215 klwp_t *clwp = ttolwp(curthread); 3216 uint_t cmd; 3217 3218 struct a { 3219 long cmd; 3220 } *uap = (struct a *)clwp->lwp_ap; 3221 3222 cmd = (uint_t)uap->cmd; 3223 3224 switch (cmd) { 3225 case MODLOAD: 3226 e = AUE_MODLOAD; 3227 break; 3228 case MODUNLOAD: 3229 e = AUE_MODUNLOAD; 3230 break; 3231 case MODADDMAJBIND: 3232 e = AUE_MODADDMAJ; 3233 break; 3234 case MODSETDEVPOLICY: 3235 e = AUE_MODDEVPLCY; 3236 break; 3237 case MODALLOCPRIV: 3238 e = AUE_MODADDPRIV; 3239 break; 3240 default: 3241 e = AUE_NULL; 3242 break; 3243 } 3244 return (e); 3245 } 3246 3247 3248 /*ARGSUSED*/ 3249 static void 3250 aus_modctl(struct t_audit_data *tad) 3251 { 3252 klwp_t *clwp = ttolwp(curthread); 3253 void *a = clwp->lwp_ap; 3254 uint_t use_path; 3255 3256 switch (tad->tad_event) { 3257 case AUE_MODLOAD: { 3258 typedef struct { 3259 long cmd; 3260 long use_path; 3261 long filename; /* char * */ 3262 } modloada_t; 3263 3264 char *filenamep; 3265 uintptr_t fname; 3266 extern char *default_path; 3267 3268 fname = (uintptr_t)((modloada_t *)a)->filename; 3269 use_path = (uint_t)((modloada_t *)a)->use_path; 3270 3271 /* space to hold path */ 3272 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3273 /* get string */ 3274 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3275 /* free allocated path */ 3276 kmem_free(filenamep, MOD_MAXPATH); 3277 return; 3278 } 3279 /* ensure it's null terminated */ 3280 filenamep[MOD_MAXPATH - 1] = 0; 3281 3282 if (use_path) 3283 au_uwrite(au_to_text(default_path)); 3284 au_uwrite(au_to_text(filenamep)); 3285 3286 /* release temporary memory */ 3287 kmem_free(filenamep, MOD_MAXPATH); 3288 break; 3289 } 3290 case AUE_MODUNLOAD: { 3291 typedef struct { 3292 long cmd; 3293 long id; 3294 } modunloada_t; 3295 3296 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3297 3298 au_uwrite(au_to_arg32(1, "id", id)); 3299 break; 3300 } 3301 case AUE_MODADDMAJ: { 3302 STRUCT_DECL(modconfig, mc); 3303 typedef struct { 3304 long cmd; 3305 long subcmd; 3306 long data; /* int * */ 3307 } modconfiga_t; 3308 3309 STRUCT_DECL(aliases, alias); 3310 caddr_t ap; 3311 int i, num_aliases; 3312 char *drvname, *mc_drvname; 3313 char *name; 3314 extern char *ddi_major_to_name(major_t); 3315 model_t model; 3316 3317 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3318 3319 model = get_udatamodel(); 3320 STRUCT_INIT(mc, model); 3321 /* sanitize buffer */ 3322 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3323 /* get user arguments */ 3324 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3325 STRUCT_SIZE(mc)) != 0) 3326 return; 3327 3328 mc_drvname = STRUCT_FGET(mc, drvname); 3329 if ((drvname = ddi_major_to_name( 3330 (major_t)STRUCT_FGET(mc, major))) != NULL && 3331 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3332 /* safety */ 3333 if (mc_drvname[0] != '\0') { 3334 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3335 au_uwrite(au_to_text(mc_drvname)); 3336 } 3337 /* drvname != NULL from test above */ 3338 au_uwrite(au_to_text(drvname)); 3339 return; 3340 } 3341 3342 if (mc_drvname[0] != '\0') { 3343 /* safety */ 3344 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3345 au_uwrite(au_to_text(mc_drvname)); 3346 } else 3347 au_uwrite(au_to_text("no drvname")); 3348 3349 num_aliases = STRUCT_FGET(mc, num_aliases); 3350 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3351 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3352 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3353 STRUCT_INIT(alias, model); 3354 for (i = 0; i < num_aliases; i++) { 3355 bzero((caddr_t)STRUCT_BUF(alias), 3356 STRUCT_SIZE(alias)); 3357 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3358 STRUCT_SIZE(alias)) != 0) 3359 break; 3360 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3361 MAXMODCONFNAME, NULL) != 0) { 3362 break; 3363 } 3364 3365 au_uwrite(au_to_text(name)); 3366 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3367 } 3368 kmem_free(name, MAXMODCONFNAME); 3369 break; 3370 } 3371 default: 3372 break; 3373 } 3374 } 3375 3376 3377 /*ARGSUSED*/ 3378 static void 3379 auf_accept( 3380 struct t_audit_data *tad, 3381 int error, 3382 rval_t *rval) 3383 { 3384 uint32_t scid; 3385 uint32_t sy_flags; 3386 int fd; 3387 struct sonode *so; 3388 char so_laddr[sizeof (struct sockaddr_in6)]; 3389 char so_faddr[sizeof (struct sockaddr_in6)]; 3390 int err; 3391 short so_family, so_type; 3392 int add_sock_token = 0; 3393 3394 /* need to determine type of executing binary */ 3395 scid = tad->tad_scid; 3396 #ifdef _SYSCALL32_IMPL 3397 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3398 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3399 else 3400 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3401 #else 3402 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3403 #endif 3404 if (sy_flags == SE_32RVAL1) 3405 fd = rval->r_val1; 3406 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3407 fd = rval->r_val1; 3408 if (sy_flags == SE_64RVAL) 3409 fd = (int)rval->r_vals; 3410 3411 if (error) { 3412 /* can't trust socket contents. Just return */ 3413 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3414 return; 3415 } 3416 3417 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3418 /* 3419 * not security relevant if doing a accept from non socket 3420 * so no extra tokens. Should probably turn off audit record 3421 * generation here. 3422 */ 3423 return; 3424 } 3425 3426 so_family = so->so_family; 3427 so_type = so->so_type; 3428 3429 switch (so_family) { 3430 case AF_INET: 3431 case AF_INET6: 3432 /* 3433 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3434 */ 3435 if (so->so_type == SOCK_STREAM) { 3436 socklen_t len; 3437 3438 bzero((void *)so_laddr, sizeof (so_laddr)); 3439 bzero((void *)so_faddr, sizeof (so_faddr)); 3440 3441 len = sizeof (so_laddr); 3442 (void) socket_getsockname(so, 3443 (struct sockaddr *)so_laddr, &len, CRED()); 3444 len = sizeof (so_faddr); 3445 (void) socket_getpeername(so, 3446 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3447 3448 add_sock_token = 1; 3449 } 3450 break; 3451 3452 default: 3453 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3454 break; 3455 } 3456 3457 releasef(fd); 3458 3459 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3460 3461 if (add_sock_token == 0) { 3462 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3463 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3464 return; 3465 } 3466 3467 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3468 3469 } 3470 3471 /*ARGSUSED*/ 3472 static void 3473 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3474 { 3475 struct a { 3476 long fd; 3477 long addr; 3478 long len; 3479 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3480 3481 struct sonode *so; 3482 char so_laddr[sizeof (struct sockaddr_in6)]; 3483 char so_faddr[sizeof (struct sockaddr_in6)]; 3484 int err, fd; 3485 socklen_t len; 3486 short so_family, so_type; 3487 int add_sock_token = 0; 3488 3489 fd = (int)uap->fd; 3490 3491 /* 3492 * bind failed, then nothing extra to add to audit record. 3493 */ 3494 if (error) { 3495 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3496 /* XXX may want to add failed address some day */ 3497 return; 3498 } 3499 3500 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3501 /* 3502 * not security relevant if doing a bind from non socket 3503 * so no extra tokens. Should probably turn off audit record 3504 * generation here. 3505 */ 3506 return; 3507 } 3508 3509 so_family = so->so_family; 3510 so_type = so->so_type; 3511 3512 switch (so_family) { 3513 case AF_INET: 3514 case AF_INET6: 3515 3516 bzero(so_faddr, sizeof (so_faddr)); 3517 len = sizeof (so_faddr); 3518 3519 (void) socket_getpeername(so, 3520 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3521 add_sock_token = 1; 3522 3523 break; 3524 3525 case AF_UNIX: 3526 /* token added by lookup */ 3527 break; 3528 default: 3529 /* AF_ROUTE, AF_KEY do not support accept */ 3530 break; 3531 } 3532 3533 releasef(fd); 3534 3535 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3536 3537 if (add_sock_token == 0) { 3538 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3539 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3540 return; 3541 } 3542 3543 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3544 3545 } 3546 3547 /*ARGSUSED*/ 3548 static void 3549 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3550 { 3551 struct a { 3552 long fd; 3553 long addr; 3554 long len; 3555 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3556 3557 struct sonode *so; 3558 char so_laddr[sizeof (struct sockaddr_in6)]; 3559 char so_faddr[sizeof (struct sockaddr_in6)]; 3560 int err, fd; 3561 socklen_t len; 3562 short so_family, so_type; 3563 int add_sock_token = 0; 3564 3565 fd = (int)uap->fd; 3566 3567 3568 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3569 /* 3570 * not security relevant if doing a connect from non socket 3571 * so no extra tokens. Should probably turn off audit record 3572 * generation here. 3573 */ 3574 return; 3575 } 3576 3577 so_family = so->so_family; 3578 so_type = so->so_type; 3579 3580 switch (so_family) { 3581 case AF_INET: 3582 case AF_INET6: 3583 3584 bzero(so_laddr, sizeof (so_laddr)); 3585 bzero(so_faddr, sizeof (so_faddr)); 3586 3587 len = sizeof (so_laddr); 3588 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3589 &len, CRED()); 3590 if (error) { 3591 if (uap->addr == NULL) 3592 break; 3593 if (uap->len <= 0) 3594 break; 3595 len = min(uap->len, sizeof (so_faddr)); 3596 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3597 break; 3598 #ifdef NOTYET 3599 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3600 #endif 3601 } else { 3602 /* sanity check on length */ 3603 len = sizeof (so_faddr); 3604 (void) socket_getpeername(so, 3605 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3606 } 3607 3608 add_sock_token = 1; 3609 3610 break; 3611 3612 case AF_UNIX: 3613 /* does a lookup on name */ 3614 break; 3615 3616 default: 3617 /* AF_ROUTE, AF_KEY do not support accept */ 3618 break; 3619 } 3620 3621 releasef(fd); 3622 3623 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3624 3625 if (add_sock_token == 0) { 3626 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3627 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3628 return; 3629 } 3630 3631 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3632 3633 } 3634 3635 /*ARGSUSED*/ 3636 static void 3637 aus_shutdown(struct t_audit_data *tad) 3638 { 3639 struct a { 3640 long fd; 3641 long how; 3642 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3643 3644 struct sonode *so; 3645 char so_laddr[sizeof (struct sockaddr_in6)]; 3646 char so_faddr[sizeof (struct sockaddr_in6)]; 3647 int err, fd; 3648 socklen_t len; 3649 short so_family, so_type; 3650 int add_sock_token = 0; 3651 file_t *fp; /* unix domain sockets */ 3652 struct f_audit_data *fad; /* unix domain sockets */ 3653 3654 fd = (int)uap->fd; 3655 3656 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3657 /* 3658 * not security relevant if doing a shutdown using non socket 3659 * so no extra tokens. Should probably turn off audit record 3660 * generation here. 3661 */ 3662 return; 3663 } 3664 3665 so_family = so->so_family; 3666 so_type = so->so_type; 3667 3668 switch (so_family) { 3669 case AF_INET: 3670 case AF_INET6: 3671 3672 bzero(so_laddr, sizeof (so_laddr)); 3673 bzero(so_faddr, sizeof (so_faddr)); 3674 3675 len = sizeof (so_laddr); 3676 (void) socket_getsockname(so, 3677 (struct sockaddr *)so_laddr, &len, CRED()); 3678 len = sizeof (so_faddr); 3679 (void) socket_getpeername(so, 3680 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3681 3682 add_sock_token = 1; 3683 3684 break; 3685 3686 case AF_UNIX: 3687 3688 /* get path from file struct here */ 3689 fad = F2A(fp); 3690 ASSERT(fad); 3691 3692 if (fad->fad_aupath != NULL) { 3693 au_uwrite(au_to_path(fad->fad_aupath)); 3694 } else { 3695 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3696 } 3697 3698 audit_attributes(fp->f_vnode); 3699 3700 break; 3701 3702 default: 3703 /* 3704 * AF_KEY and AF_ROUTE support shutdown. No socket token 3705 * added. 3706 */ 3707 break; 3708 } 3709 3710 releasef(fd); 3711 3712 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3713 3714 if (add_sock_token == 0) { 3715 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3716 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3717 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3718 return; 3719 } 3720 3721 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3722 3723 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3724 3725 } 3726 3727 /*ARGSUSED*/ 3728 static void 3729 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3730 { 3731 struct a { 3732 long fd; 3733 long level; 3734 long optname; 3735 long *optval; 3736 long optlen; 3737 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3738 3739 struct sonode *so; 3740 char so_laddr[sizeof (struct sockaddr_in6)]; 3741 char so_faddr[sizeof (struct sockaddr_in6)]; 3742 char val[AU_BUFSIZE]; 3743 int err, fd; 3744 socklen_t len; 3745 short so_family, so_type; 3746 int add_sock_token = 0; 3747 file_t *fp; /* unix domain sockets */ 3748 struct f_audit_data *fad; /* unix domain sockets */ 3749 3750 fd = (int)uap->fd; 3751 3752 if (error) { 3753 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3754 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3755 /* XXX may want to include other arguments */ 3756 return; 3757 } 3758 3759 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3760 /* 3761 * not security relevant if doing a setsockopt from non socket 3762 * so no extra tokens. Should probably turn off audit record 3763 * generation here. 3764 */ 3765 return; 3766 } 3767 3768 so_family = so->so_family; 3769 so_type = so->so_type; 3770 3771 switch (so_family) { 3772 case AF_INET: 3773 case AF_INET6: 3774 bzero((void *)so_laddr, sizeof (so_laddr)); 3775 bzero((void *)so_faddr, sizeof (so_faddr)); 3776 3777 /* get local and foreign addresses */ 3778 len = sizeof (so_laddr); 3779 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3780 &len, CRED()); 3781 len = sizeof (so_faddr); 3782 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3783 &len, B_FALSE, CRED()); 3784 3785 add_sock_token = 1; 3786 3787 break; 3788 3789 case AF_UNIX: 3790 3791 /* get path from file struct here */ 3792 fad = F2A(fp); 3793 ASSERT(fad); 3794 3795 if (fad->fad_aupath != NULL) { 3796 au_uwrite(au_to_path(fad->fad_aupath)); 3797 } else { 3798 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3799 } 3800 3801 audit_attributes(fp->f_vnode); 3802 3803 break; 3804 3805 default: 3806 /* 3807 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3808 * added. 3809 */ 3810 break; 3811 } 3812 3813 releasef(fd); 3814 3815 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3816 3817 if (add_sock_token == 0) { 3818 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3819 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3820 } 3821 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3822 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3823 3824 bzero(val, sizeof (val)); 3825 len = min(uap->optlen, sizeof (val)); 3826 if ((len > 0) && 3827 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3828 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3829 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3830 } 3831 3832 if (add_sock_token == 0) 3833 return; 3834 3835 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3836 3837 } 3838 3839 /*ARGSUSED*/ 3840 static void 3841 aus_sockconfig(tad) 3842 struct t_audit_data *tad; 3843 { 3844 struct a { 3845 long domain; 3846 long type; 3847 long protocol; 3848 long devpath; 3849 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3850 3851 char *kdevpath; 3852 int kdevpathlen = MAXPATHLEN + 1; 3853 size_t size; 3854 3855 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3856 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3857 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3858 3859 if (uap->devpath == 0) { 3860 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3861 } else { 3862 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3863 3864 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3865 &size)) { 3866 kmem_free(kdevpath, kdevpathlen); 3867 return; 3868 } 3869 3870 if (size > MAXPATHLEN) { 3871 kmem_free(kdevpath, kdevpathlen); 3872 return; 3873 } 3874 3875 au_uwrite(au_to_text(kdevpath)); 3876 kmem_free(kdevpath, kdevpathlen); 3877 } 3878 } 3879 3880 /* 3881 * only audit recvmsg when the system call represents the creation of a new 3882 * circuit. This effectively occurs for all UDP packets and may occur for 3883 * special TCP situations where the local host has not set a local address 3884 * in the socket structure. 3885 */ 3886 /*ARGSUSED*/ 3887 static void 3888 auf_recvmsg( 3889 struct t_audit_data *tad, 3890 int error, 3891 rval_t *rvp) 3892 { 3893 struct a { 3894 long fd; 3895 long msg; /* struct msghdr */ 3896 long flags; 3897 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3898 3899 struct sonode *so; 3900 STRUCT_DECL(msghdr, msg); 3901 caddr_t msg_name; 3902 socklen_t msg_namelen; 3903 int fd; 3904 int err; 3905 char so_laddr[sizeof (struct sockaddr_in6)]; 3906 char so_faddr[sizeof (struct sockaddr_in6)]; 3907 socklen_t len; 3908 file_t *fp; /* unix domain sockets */ 3909 struct f_audit_data *fad; /* unix domain sockets */ 3910 short so_family, so_type; 3911 int add_sock_token = 0; 3912 au_kcontext_t *kctx = GET_KCTX_PZ; 3913 3914 fd = (int)uap->fd; 3915 3916 /* bail if an error */ 3917 if (error) { 3918 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3919 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3920 return; 3921 } 3922 3923 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3924 /* 3925 * not security relevant if doing a recvmsg from non socket 3926 * so no extra tokens. Should probably turn off audit record 3927 * generation here. 3928 */ 3929 return; 3930 } 3931 3932 so_family = so->so_family; 3933 so_type = so->so_type; 3934 3935 /* 3936 * only putout SOCKET_EX token if INET/INET6 family. 3937 * XXX - what do we do about other families? 3938 */ 3939 3940 switch (so_family) { 3941 case AF_INET: 3942 case AF_INET6: 3943 3944 /* 3945 * if datagram type socket, then just use what is in 3946 * socket structure for local address. 3947 * XXX - what do we do for other types? 3948 */ 3949 if ((so->so_type == SOCK_DGRAM) || 3950 (so->so_type == SOCK_RAW)) { 3951 add_sock_token = 1; 3952 3953 bzero((void *)so_laddr, sizeof (so_laddr)); 3954 bzero((void *)so_faddr, sizeof (so_faddr)); 3955 3956 /* get local address */ 3957 len = sizeof (so_laddr); 3958 (void) socket_getsockname(so, 3959 (struct sockaddr *)so_laddr, &len, CRED()); 3960 3961 /* get peer address */ 3962 STRUCT_INIT(msg, get_udatamodel()); 3963 3964 if (copyin((caddr_t)(uap->msg), 3965 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3966 break; 3967 } 3968 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3969 if (msg_name == NULL) { 3970 break; 3971 } 3972 3973 /* length is value from recvmsg - sanity check */ 3974 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3975 if (msg_namelen == 0) { 3976 break; 3977 } 3978 if (copyin(msg_name, so_faddr, 3979 sizeof (so_faddr)) != 0) { 3980 break; 3981 } 3982 3983 } else if (so->so_type == SOCK_STREAM) { 3984 3985 /* get path from file struct here */ 3986 fad = F2A(fp); 3987 ASSERT(fad); 3988 3989 /* 3990 * already processed this file for read attempt 3991 */ 3992 if (fad->fad_flags & FAD_READ) { 3993 /* don't want to audit every recvmsg attempt */ 3994 tad->tad_flag = 0; 3995 /* free any residual audit data */ 3996 au_close(kctx, &(u_ad), 0, 0, 0); 3997 releasef(fd); 3998 return; 3999 } 4000 /* 4001 * mark things so we know what happened and don't 4002 * repeat things 4003 */ 4004 fad->fad_flags |= FAD_READ; 4005 4006 bzero((void *)so_laddr, sizeof (so_laddr)); 4007 bzero((void *)so_faddr, sizeof (so_faddr)); 4008 4009 /* get local and foreign addresses */ 4010 len = sizeof (so_laddr); 4011 (void) socket_getsockname(so, 4012 (struct sockaddr *)so_laddr, &len, CRED()); 4013 len = sizeof (so_faddr); 4014 (void) socket_getpeername(so, 4015 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4016 4017 add_sock_token = 1; 4018 } 4019 4020 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4021 4022 break; 4023 4024 case AF_UNIX: 4025 /* 4026 * first check if this is first time through. Too much 4027 * duplicate code to put this in an aui_ routine. 4028 */ 4029 4030 /* get path from file struct here */ 4031 fad = F2A(fp); 4032 ASSERT(fad); 4033 4034 /* 4035 * already processed this file for read attempt 4036 */ 4037 if (fad->fad_flags & FAD_READ) { 4038 releasef(fd); 4039 /* don't want to audit every recvmsg attempt */ 4040 tad->tad_flag = 0; 4041 /* free any residual audit data */ 4042 au_close(kctx, &(u_ad), 0, 0, 0); 4043 return; 4044 } 4045 /* 4046 * mark things so we know what happened and don't 4047 * repeat things 4048 */ 4049 fad->fad_flags |= FAD_READ; 4050 4051 if (fad->fad_aupath != NULL) { 4052 au_uwrite(au_to_path(fad->fad_aupath)); 4053 } else { 4054 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4055 } 4056 4057 audit_attributes(fp->f_vnode); 4058 4059 releasef(fd); 4060 4061 return; 4062 4063 default: 4064 break; 4065 4066 } 4067 4068 releasef(fd); 4069 4070 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4071 4072 if (add_sock_token == 0) { 4073 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4074 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4075 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4076 return; 4077 } 4078 4079 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4080 4081 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4082 4083 } 4084 4085 /*ARGSUSED*/ 4086 static void 4087 auf_recvfrom( 4088 struct t_audit_data *tad, 4089 int error, 4090 rval_t *rvp) 4091 { 4092 4093 struct a { 4094 long fd; 4095 long msg; /* char */ 4096 long len; 4097 long flags; 4098 long from; /* struct sockaddr */ 4099 long fromlen; 4100 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4101 4102 socklen_t fromlen; 4103 struct sonode *so; 4104 char so_laddr[sizeof (struct sockaddr_in6)]; 4105 char so_faddr[sizeof (struct sockaddr_in6)]; 4106 int fd; 4107 short so_family, so_type; 4108 int add_sock_token = 0; 4109 socklen_t len; 4110 int err; 4111 struct file *fp; 4112 struct f_audit_data *fad; /* unix domain sockets */ 4113 au_kcontext_t *kctx = GET_KCTX_PZ; 4114 4115 fd = (int)uap->fd; 4116 4117 /* bail if an error */ 4118 if (error) { 4119 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4120 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4121 return; 4122 } 4123 4124 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4125 /* 4126 * not security relevant if doing a recvmsg from non socket 4127 * so no extra tokens. Should probably turn off audit record 4128 * generation here. 4129 */ 4130 return; 4131 } 4132 4133 so_family = so->so_family; 4134 so_type = so->so_type; 4135 4136 /* 4137 * only putout SOCKET_EX token if INET/INET6 family. 4138 * XXX - what do we do about other families? 4139 */ 4140 4141 switch (so_family) { 4142 case AF_INET: 4143 case AF_INET6: 4144 4145 /* 4146 * if datagram type socket, then just use what is in 4147 * socket structure for local address. 4148 * XXX - what do we do for other types? 4149 */ 4150 if ((so->so_type == SOCK_DGRAM) || 4151 (so->so_type == SOCK_RAW)) { 4152 add_sock_token = 1; 4153 4154 /* get local address */ 4155 len = sizeof (so_laddr); 4156 (void) socket_getsockname(so, 4157 (struct sockaddr *)so_laddr, &len, CRED()); 4158 4159 /* get peer address */ 4160 bzero((void *)so_faddr, sizeof (so_faddr)); 4161 4162 /* sanity check */ 4163 if (uap->from == NULL) 4164 break; 4165 4166 /* sanity checks */ 4167 if (uap->fromlen == 0) 4168 break; 4169 4170 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4171 sizeof (fromlen)) != 0) 4172 break; 4173 4174 if (fromlen == 0) 4175 break; 4176 4177 /* enforce maximum size */ 4178 if (fromlen > sizeof (so_faddr)) 4179 fromlen = sizeof (so_faddr); 4180 4181 if (copyin((caddr_t)(uap->from), so_faddr, 4182 fromlen) != 0) 4183 break; 4184 4185 } else if (so->so_type == SOCK_STREAM) { 4186 4187 /* get path from file struct here */ 4188 fad = F2A(fp); 4189 ASSERT(fad); 4190 4191 /* 4192 * already processed this file for read attempt 4193 */ 4194 if (fad->fad_flags & FAD_READ) { 4195 /* don't want to audit every recvfrom attempt */ 4196 tad->tad_flag = 0; 4197 /* free any residual audit data */ 4198 au_close(kctx, &(u_ad), 0, 0, 0); 4199 releasef(fd); 4200 return; 4201 } 4202 /* 4203 * mark things so we know what happened and don't 4204 * repeat things 4205 */ 4206 fad->fad_flags |= FAD_READ; 4207 4208 bzero((void *)so_laddr, sizeof (so_laddr)); 4209 bzero((void *)so_faddr, sizeof (so_faddr)); 4210 4211 /* get local and foreign addresses */ 4212 len = sizeof (so_laddr); 4213 (void) socket_getsockname(so, 4214 (struct sockaddr *)so_laddr, &len, CRED()); 4215 len = sizeof (so_faddr); 4216 (void) socket_getpeername(so, 4217 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4218 4219 add_sock_token = 1; 4220 } 4221 4222 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4223 4224 break; 4225 4226 case AF_UNIX: 4227 /* 4228 * first check if this is first time through. Too much 4229 * duplicate code to put this in an aui_ routine. 4230 */ 4231 4232 /* get path from file struct here */ 4233 fad = F2A(fp); 4234 ASSERT(fad); 4235 4236 /* 4237 * already processed this file for read attempt 4238 */ 4239 if (fad->fad_flags & FAD_READ) { 4240 /* don't want to audit every recvfrom attempt */ 4241 tad->tad_flag = 0; 4242 /* free any residual audit data */ 4243 au_close(kctx, &(u_ad), 0, 0, 0); 4244 releasef(fd); 4245 return; 4246 } 4247 /* 4248 * mark things so we know what happened and don't 4249 * repeat things 4250 */ 4251 fad->fad_flags |= FAD_READ; 4252 4253 if (fad->fad_aupath != NULL) { 4254 au_uwrite(au_to_path(fad->fad_aupath)); 4255 } else { 4256 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4257 } 4258 4259 audit_attributes(fp->f_vnode); 4260 4261 releasef(fd); 4262 4263 return; 4264 4265 default: 4266 break; 4267 4268 } 4269 4270 releasef(fd); 4271 4272 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4273 4274 if (add_sock_token == 0) { 4275 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4276 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4277 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4278 return; 4279 } 4280 4281 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4282 4283 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4284 } 4285 4286 /*ARGSUSED*/ 4287 static void 4288 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4289 { 4290 struct a { 4291 long fd; 4292 long msg; /* struct msghdr */ 4293 long flags; 4294 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4295 4296 struct sonode *so; 4297 char so_laddr[sizeof (struct sockaddr_in6)]; 4298 char so_faddr[sizeof (struct sockaddr_in6)]; 4299 int err; 4300 int fd; 4301 short so_family, so_type; 4302 int add_sock_token = 0; 4303 socklen_t len; 4304 struct file *fp; 4305 struct f_audit_data *fad; 4306 caddr_t msg_name; 4307 socklen_t msg_namelen; 4308 STRUCT_DECL(msghdr, msg); 4309 au_kcontext_t *kctx = GET_KCTX_PZ; 4310 4311 fd = (int)uap->fd; 4312 4313 /* bail if an error */ 4314 if (error) { 4315 /* XXX include destination address from system call arguments */ 4316 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4317 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4318 return; 4319 } 4320 4321 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4322 /* 4323 * not security relevant if doing a sendmsg from non socket 4324 * so no extra tokens. Should probably turn off audit record 4325 * generation here. 4326 */ 4327 return; 4328 } 4329 4330 so_family = so->so_family; 4331 so_type = so->so_type; 4332 4333 switch (so_family) { 4334 case AF_INET: 4335 case AF_INET6: 4336 /* 4337 * if datagram type socket, then just use what is in 4338 * socket structure for local address. 4339 * XXX - what do we do for other types? 4340 */ 4341 if ((so->so_type == SOCK_DGRAM) || 4342 (so->so_type == SOCK_RAW)) { 4343 4344 bzero((void *)so_laddr, sizeof (so_laddr)); 4345 bzero((void *)so_faddr, sizeof (so_faddr)); 4346 4347 /* get local address */ 4348 len = sizeof (so_laddr); 4349 (void) socket_getsockname(so, 4350 (struct sockaddr *)so_laddr, &len, CRED()); 4351 4352 /* get peer address */ 4353 STRUCT_INIT(msg, get_udatamodel()); 4354 4355 if (copyin((caddr_t)(uap->msg), 4356 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4357 break; 4358 } 4359 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4360 if (msg_name == NULL) 4361 break; 4362 4363 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4364 /* length is value from recvmsg - sanity check */ 4365 if (msg_namelen == 0) 4366 break; 4367 4368 if (copyin(msg_name, so_faddr, 4369 sizeof (so_faddr)) != 0) 4370 break; 4371 4372 add_sock_token = 1; 4373 4374 } else if (so->so_type == SOCK_STREAM) { 4375 4376 /* get path from file struct here */ 4377 fad = F2A(fp); 4378 ASSERT(fad); 4379 4380 /* 4381 * already processed this file for write attempt 4382 */ 4383 if (fad->fad_flags & FAD_WRITE) { 4384 releasef(fd); 4385 /* don't want to audit every sendmsg attempt */ 4386 tad->tad_flag = 0; 4387 /* free any residual audit data */ 4388 au_close(kctx, &(u_ad), 0, 0, 0); 4389 return; 4390 } 4391 4392 /* 4393 * mark things so we know what happened and don't 4394 * repeat things 4395 */ 4396 fad->fad_flags |= FAD_WRITE; 4397 4398 bzero((void *)so_laddr, sizeof (so_laddr)); 4399 bzero((void *)so_faddr, sizeof (so_faddr)); 4400 4401 /* get local and foreign addresses */ 4402 len = sizeof (so_laddr); 4403 (void) socket_getsockname(so, 4404 (struct sockaddr *)so_laddr, &len, CRED()); 4405 len = sizeof (so_faddr); 4406 (void) socket_getpeername(so, 4407 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4408 4409 add_sock_token = 1; 4410 } 4411 4412 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4413 4414 break; 4415 4416 case AF_UNIX: 4417 /* 4418 * first check if this is first time through. Too much 4419 * duplicate code to put this in an aui_ routine. 4420 */ 4421 4422 /* get path from file struct here */ 4423 fad = F2A(fp); 4424 ASSERT(fad); 4425 4426 /* 4427 * already processed this file for write attempt 4428 */ 4429 if (fad->fad_flags & FAD_WRITE) { 4430 releasef(fd); 4431 /* don't want to audit every sendmsg attempt */ 4432 tad->tad_flag = 0; 4433 /* free any residual audit data */ 4434 au_close(kctx, &(u_ad), 0, 0, 0); 4435 return; 4436 } 4437 /* 4438 * mark things so we know what happened and don't 4439 * repeat things 4440 */ 4441 fad->fad_flags |= FAD_WRITE; 4442 4443 if (fad->fad_aupath != NULL) { 4444 au_uwrite(au_to_path(fad->fad_aupath)); 4445 } else { 4446 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4447 } 4448 4449 audit_attributes(fp->f_vnode); 4450 4451 releasef(fd); 4452 4453 return; 4454 4455 default: 4456 break; 4457 } 4458 4459 releasef(fd); 4460 4461 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4462 4463 if (add_sock_token == 0) { 4464 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4465 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4466 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4467 return; 4468 } 4469 4470 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4471 4472 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4473 } 4474 4475 /*ARGSUSED*/ 4476 static void 4477 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4478 { 4479 struct a { 4480 long fd; 4481 long msg; /* char */ 4482 long len; 4483 long flags; 4484 long to; /* struct sockaddr */ 4485 long tolen; 4486 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4487 4488 struct sonode *so; 4489 char so_laddr[sizeof (struct sockaddr_in6)]; 4490 char so_faddr[sizeof (struct sockaddr_in6)]; 4491 socklen_t tolen; 4492 int err; 4493 int fd; 4494 socklen_t len; 4495 short so_family, so_type; 4496 int add_sock_token = 0; 4497 struct file *fp; 4498 struct f_audit_data *fad; 4499 au_kcontext_t *kctx = GET_KCTX_PZ; 4500 4501 fd = (int)uap->fd; 4502 4503 /* bail if an error */ 4504 if (error) { 4505 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4506 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4507 /* XXX include destination address from system call arguments */ 4508 return; 4509 } 4510 4511 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4512 /* 4513 * not security relevant if doing a sendto using non socket 4514 * so no extra tokens. Should probably turn off audit record 4515 * generation here. 4516 */ 4517 return; 4518 } 4519 4520 so_family = so->so_family; 4521 so_type = so->so_type; 4522 4523 /* 4524 * only putout SOCKET_EX token if INET/INET6 family. 4525 * XXX - what do we do about other families? 4526 */ 4527 4528 switch (so_family) { 4529 case AF_INET: 4530 case AF_INET6: 4531 4532 /* 4533 * if datagram type socket, then just use what is in 4534 * socket structure for local address. 4535 * XXX - what do we do for other types? 4536 */ 4537 if ((so->so_type == SOCK_DGRAM) || 4538 (so->so_type == SOCK_RAW)) { 4539 4540 bzero((void *)so_laddr, sizeof (so_laddr)); 4541 bzero((void *)so_faddr, sizeof (so_faddr)); 4542 4543 /* get local address */ 4544 len = sizeof (so_laddr); 4545 (void) socket_getsockname(so, 4546 (struct sockaddr *)so_laddr, &len, CRED()); 4547 4548 /* get peer address */ 4549 4550 /* sanity check */ 4551 if (uap->to == NULL) 4552 break; 4553 4554 /* sanity checks */ 4555 if (uap->tolen == 0) 4556 break; 4557 4558 tolen = (socklen_t)uap->tolen; 4559 4560 /* enforce maximum size */ 4561 if (tolen > sizeof (so_faddr)) 4562 tolen = sizeof (so_faddr); 4563 4564 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4565 break; 4566 4567 add_sock_token = 1; 4568 } else { 4569 /* 4570 * check if this is first time through. 4571 */ 4572 4573 /* get path from file struct here */ 4574 fad = F2A(fp); 4575 ASSERT(fad); 4576 4577 /* 4578 * already processed this file for write attempt 4579 */ 4580 if (fad->fad_flags & FAD_WRITE) { 4581 /* don't want to audit every sendto attempt */ 4582 tad->tad_flag = 0; 4583 /* free any residual audit data */ 4584 au_close(kctx, &(u_ad), 0, 0, 0); 4585 releasef(fd); 4586 return; 4587 } 4588 /* 4589 * mark things so we know what happened and don't 4590 * repeat things 4591 */ 4592 fad->fad_flags |= FAD_WRITE; 4593 4594 bzero((void *)so_laddr, sizeof (so_laddr)); 4595 bzero((void *)so_faddr, sizeof (so_faddr)); 4596 4597 /* get local and foreign addresses */ 4598 len = sizeof (so_laddr); 4599 (void) socket_getsockname(so, 4600 (struct sockaddr *)so_laddr, &len, CRED()); 4601 len = sizeof (so_faddr); 4602 (void) socket_getpeername(so, 4603 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4604 4605 add_sock_token = 1; 4606 } 4607 4608 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4609 4610 break; 4611 4612 case AF_UNIX: 4613 /* 4614 * first check if this is first time through. Too much 4615 * duplicate code to put this in an aui_ routine. 4616 */ 4617 4618 /* get path from file struct here */ 4619 fad = F2A(fp); 4620 ASSERT(fad); 4621 4622 /* 4623 * already processed this file for write attempt 4624 */ 4625 if (fad->fad_flags & FAD_WRITE) { 4626 /* don't want to audit every sendto attempt */ 4627 tad->tad_flag = 0; 4628 /* free any residual audit data */ 4629 au_close(kctx, &(u_ad), 0, 0, 0); 4630 releasef(fd); 4631 return; 4632 } 4633 /* 4634 * mark things so we know what happened and don't 4635 * repeat things 4636 */ 4637 fad->fad_flags |= FAD_WRITE; 4638 4639 if (fad->fad_aupath != NULL) { 4640 au_uwrite(au_to_path(fad->fad_aupath)); 4641 } else { 4642 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4643 } 4644 4645 audit_attributes(fp->f_vnode); 4646 4647 releasef(fd); 4648 4649 return; 4650 4651 default: 4652 break; 4653 4654 } 4655 4656 releasef(fd); 4657 4658 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4659 4660 if (add_sock_token == 0) { 4661 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4662 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4663 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4664 return; 4665 } 4666 4667 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4668 4669 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4670 4671 } 4672 4673 /* 4674 * XXX socket(2) may be equivalent to open(2) on a unix domain 4675 * socket. This needs investigation. 4676 */ 4677 4678 /*ARGSUSED*/ 4679 static void 4680 aus_socket(struct t_audit_data *tad) 4681 { 4682 struct a { 4683 long domain; 4684 long type; 4685 long protocol; 4686 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4687 4688 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4689 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4690 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4691 } 4692 4693 /*ARGSUSED*/ 4694 static void 4695 aus_sigqueue(struct t_audit_data *tad) 4696 { 4697 struct a { 4698 long pid; 4699 long signo; 4700 long *val; 4701 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4702 struct proc *p; 4703 uid_t uid, ruid; 4704 gid_t gid, rgid; 4705 pid_t pid; 4706 const auditinfo_addr_t *ainfo; 4707 cred_t *cr; 4708 4709 pid = (pid_t)uap->pid; 4710 4711 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4712 if (pid > 0) { 4713 mutex_enter(&pidlock); 4714 if ((p = prfind(pid)) == (struct proc *)0) { 4715 mutex_exit(&pidlock); 4716 return; 4717 } 4718 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4719 mutex_exit(&pidlock); 4720 4721 mutex_enter(&p->p_crlock); 4722 crhold(cr = p->p_cred); 4723 mutex_exit(&p->p_crlock); 4724 mutex_exit(&p->p_lock); 4725 4726 ainfo = crgetauinfo(cr); 4727 if (ainfo == NULL) { 4728 crfree(cr); 4729 return; 4730 } 4731 4732 uid = crgetuid(cr); 4733 gid = crgetgid(cr); 4734 ruid = crgetruid(cr); 4735 rgid = crgetrgid(cr); 4736 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4737 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4738 crfree(cr); 4739 } 4740 else 4741 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4742 } 4743 4744 /*ARGSUSED*/ 4745 static void 4746 aus_inst_sync(struct t_audit_data *tad) 4747 { 4748 struct a { 4749 long name; /* char */ 4750 long flags; 4751 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4752 4753 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4754 } 4755 4756 /*ARGSUSED*/ 4757 static void 4758 aus_brandsys(struct t_audit_data *tad) 4759 { 4760 klwp_t *clwp = ttolwp(curthread); 4761 4762 struct a { 4763 long cmd; 4764 long arg1; 4765 long arg2; 4766 long arg3; 4767 long arg4; 4768 long arg5; 4769 long arg6; 4770 } *uap = (struct a *)clwp->lwp_ap; 4771 4772 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4773 #ifdef _LP64 4774 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4775 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4776 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4777 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4778 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4779 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4780 #else 4781 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4782 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4783 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4784 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4785 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4786 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4787 #endif 4788 } 4789 4790 /*ARGSUSED*/ 4791 static void 4792 aus_p_online(struct t_audit_data *tad) 4793 { 4794 struct a { 4795 long processor_id; 4796 long flag; 4797 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4798 4799 struct flags { 4800 int flag; 4801 char *cflag; 4802 } aflags[6] = { 4803 { P_ONLINE, "P_ONLINE"}, 4804 { P_OFFLINE, "P_OFFLINE"}, 4805 { P_NOINTR, "P_NOINTR"}, 4806 { P_SPARE, "P_SPARE"}, 4807 { P_FAULTED, "P_FAULTED"}, 4808 { P_STATUS, "P_STATUS"} 4809 }; 4810 int i; 4811 char *cflag; 4812 4813 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4814 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4815 4816 for (i = 0; i < 6; i++) { 4817 if (aflags[i].flag == uap->flag) 4818 break; 4819 } 4820 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4821 4822 au_uwrite(au_to_text(cflag)); 4823 } 4824 4825 /*ARGSUSED*/ 4826 static void 4827 aus_processor_bind(struct t_audit_data *tad) 4828 { 4829 struct a { 4830 long id_type; 4831 long id; 4832 long processor_id; 4833 long obind; 4834 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4835 4836 struct proc *p; 4837 int lwpcnt; 4838 uid_t uid, ruid; 4839 gid_t gid, rgid; 4840 pid_t pid; 4841 const auditinfo_addr_t *ainfo; 4842 cred_t *cr; 4843 4844 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4845 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4846 if (uap->processor_id == PBIND_NONE) 4847 au_uwrite(au_to_text("PBIND_NONE")); 4848 else 4849 au_uwrite(au_to_arg32(3, "processor_id", 4850 (uint32_t)uap->processor_id)); 4851 4852 switch (uap->id_type) { 4853 case P_MYID: 4854 case P_LWPID: 4855 mutex_enter(&pidlock); 4856 p = ttoproc(curthread); 4857 if (p == NULL || p->p_as == &kas) { 4858 mutex_exit(&pidlock); 4859 return; 4860 } 4861 mutex_enter(&p->p_lock); 4862 mutex_exit(&pidlock); 4863 lwpcnt = p->p_lwpcnt; 4864 pid = p->p_pid; 4865 4866 mutex_enter(&p->p_crlock); 4867 crhold(cr = p->p_cred); 4868 mutex_exit(&p->p_crlock); 4869 mutex_exit(&p->p_lock); 4870 4871 ainfo = crgetauinfo(cr); 4872 if (ainfo == NULL) { 4873 crfree(cr); 4874 return; 4875 } 4876 4877 uid = crgetuid(cr); 4878 gid = crgetgid(cr); 4879 ruid = crgetruid(cr); 4880 rgid = crgetrgid(cr); 4881 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4882 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4883 crfree(cr); 4884 break; 4885 case P_PID: 4886 mutex_enter(&pidlock); 4887 p = prfind(uap->id); 4888 if (p == NULL || p->p_as == &kas) { 4889 mutex_exit(&pidlock); 4890 return; 4891 } 4892 mutex_enter(&p->p_lock); 4893 mutex_exit(&pidlock); 4894 lwpcnt = p->p_lwpcnt; 4895 pid = p->p_pid; 4896 4897 mutex_enter(&p->p_crlock); 4898 crhold(cr = p->p_cred); 4899 mutex_exit(&p->p_crlock); 4900 mutex_exit(&p->p_lock); 4901 4902 ainfo = crgetauinfo(cr); 4903 if (ainfo == NULL) { 4904 crfree(cr); 4905 return; 4906 } 4907 4908 uid = crgetuid(cr); 4909 gid = crgetgid(cr); 4910 ruid = crgetruid(cr); 4911 rgid = crgetrgid(cr); 4912 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4913 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4914 crfree(cr); 4915 4916 break; 4917 default: 4918 return; 4919 } 4920 4921 if (uap->processor_id == PBIND_NONE && 4922 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4923 au_uwrite(au_to_text("PBIND_NONE for process")); 4924 else 4925 au_uwrite(au_to_arg32(3, "processor_id", 4926 (uint32_t)uap->processor_id)); 4927 } 4928 4929 /*ARGSUSED*/ 4930 static au_event_t 4931 aui_doorfs(au_event_t e) 4932 { 4933 uint32_t code; 4934 4935 struct a { /* doorfs */ 4936 long a1; 4937 long a2; 4938 long a3; 4939 long a4; 4940 long a5; 4941 long code; 4942 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4943 4944 /* 4945 * audit formats for several of the 4946 * door calls have not yet been determined 4947 */ 4948 code = (uint32_t)uap->code; 4949 switch (code) { 4950 case DOOR_CALL: 4951 e = AUE_DOORFS_DOOR_CALL; 4952 break; 4953 case DOOR_RETURN: 4954 e = AUE_NULL; 4955 break; 4956 case DOOR_CREATE: 4957 e = AUE_DOORFS_DOOR_CREATE; 4958 break; 4959 case DOOR_REVOKE: 4960 e = AUE_DOORFS_DOOR_REVOKE; 4961 break; 4962 case DOOR_INFO: 4963 e = AUE_NULL; 4964 break; 4965 case DOOR_UCRED: 4966 e = AUE_NULL; 4967 break; 4968 case DOOR_BIND: 4969 e = AUE_NULL; 4970 break; 4971 case DOOR_UNBIND: 4972 e = AUE_NULL; 4973 break; 4974 case DOOR_GETPARAM: 4975 e = AUE_NULL; 4976 break; 4977 case DOOR_SETPARAM: 4978 e = AUE_NULL; 4979 break; 4980 default: /* illegal system call */ 4981 e = AUE_NULL; 4982 break; 4983 } 4984 4985 return (e); 4986 } 4987 4988 static door_node_t * 4989 au_door_lookup(int did) 4990 { 4991 vnode_t *vp; 4992 file_t *fp; 4993 4994 if ((fp = getf(did)) == NULL) 4995 return (NULL); 4996 /* 4997 * Use the underlying vnode (we may be namefs mounted) 4998 */ 4999 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5000 vp = fp->f_vnode; 5001 5002 if (vp == NULL || vp->v_type != VDOOR) { 5003 releasef(did); 5004 return (NULL); 5005 } 5006 5007 return (VTOD(vp)); 5008 } 5009 5010 /*ARGSUSED*/ 5011 static void 5012 aus_doorfs(struct t_audit_data *tad) 5013 { 5014 5015 struct a { /* doorfs */ 5016 long a1; 5017 long a2; 5018 long a3; 5019 long a4; 5020 long a5; 5021 long code; 5022 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5023 5024 door_node_t *dp; 5025 struct proc *p; 5026 uint32_t did; 5027 uid_t uid, ruid; 5028 gid_t gid, rgid; 5029 pid_t pid; 5030 const auditinfo_addr_t *ainfo; 5031 cred_t *cr; 5032 5033 did = (uint32_t)uap->a1; 5034 5035 switch (tad->tad_event) { 5036 case AUE_DOORFS_DOOR_CALL: 5037 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5038 if ((dp = au_door_lookup(did)) == NULL) 5039 break; 5040 5041 if (DOOR_INVALID(dp)) { 5042 releasef(did); 5043 break; 5044 } 5045 5046 if ((p = dp->door_target) == NULL) { 5047 releasef(did); 5048 break; 5049 } 5050 mutex_enter(&p->p_lock); 5051 releasef(did); 5052 5053 pid = p->p_pid; 5054 5055 mutex_enter(&p->p_crlock); 5056 crhold(cr = p->p_cred); 5057 mutex_exit(&p->p_crlock); 5058 mutex_exit(&p->p_lock); 5059 5060 ainfo = crgetauinfo(cr); 5061 if (ainfo == NULL) { 5062 crfree(cr); 5063 return; 5064 } 5065 uid = crgetuid(cr); 5066 gid = crgetgid(cr); 5067 ruid = crgetruid(cr); 5068 rgid = crgetrgid(cr); 5069 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5070 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5071 crfree(cr); 5072 break; 5073 case AUE_DOORFS_DOOR_RETURN: 5074 /* 5075 * We may want to write information about 5076 * all doors (if any) which will be copied 5077 * by this call to the user space 5078 */ 5079 break; 5080 case AUE_DOORFS_DOOR_CREATE: 5081 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5082 break; 5083 case AUE_DOORFS_DOOR_REVOKE: 5084 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5085 break; 5086 case AUE_DOORFS_DOOR_INFO: 5087 break; 5088 case AUE_DOORFS_DOOR_CRED: 5089 break; 5090 case AUE_DOORFS_DOOR_BIND: 5091 break; 5092 case AUE_DOORFS_DOOR_UNBIND: { 5093 break; 5094 } 5095 default: /* illegal system call */ 5096 break; 5097 } 5098 } 5099 5100 /*ARGSUSED*/ 5101 static au_event_t 5102 aui_acl(au_event_t e) 5103 { 5104 struct a { 5105 union { 5106 long name; /* char */ 5107 long fd; 5108 } obj; 5109 5110 long cmd; 5111 long nentries; 5112 long arg; /* aclent_t */ 5113 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5114 5115 switch (uap->cmd) { 5116 case SETACL: 5117 case ACE_SETACL: 5118 /* 5119 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5120 * are expected. 5121 */ 5122 break; 5123 case GETACL: 5124 case GETACLCNT: 5125 case ACE_GETACL: 5126 case ACE_GETACLCNT: 5127 /* do nothing for these four values. */ 5128 e = AUE_NULL; 5129 break; 5130 default: 5131 /* illegal system call */ 5132 break; 5133 } 5134 5135 return (e); 5136 } 5137 5138 static void 5139 au_acl(int cmd, int nentries, caddr_t bufp) 5140 { 5141 size_t a_size; 5142 aclent_t *aclbufp; 5143 ace_t *acebufp; 5144 int i; 5145 5146 switch (cmd) { 5147 case GETACL: 5148 case GETACLCNT: 5149 break; 5150 case SETACL: 5151 if (nentries < 3) 5152 break; 5153 5154 a_size = nentries * sizeof (aclent_t); 5155 5156 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5157 break; 5158 if (copyin(bufp, aclbufp, a_size)) { 5159 kmem_free(aclbufp, a_size); 5160 break; 5161 } 5162 for (i = 0; i < nentries; i++) { 5163 au_uwrite(au_to_acl(aclbufp + i)); 5164 } 5165 kmem_free(aclbufp, a_size); 5166 break; 5167 5168 case ACE_SETACL: 5169 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5170 break; 5171 5172 a_size = nentries * sizeof (ace_t); 5173 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5174 break; 5175 if (copyin(bufp, acebufp, a_size)) { 5176 kmem_free(acebufp, a_size); 5177 break; 5178 } 5179 for (i = 0; i < nentries; i++) { 5180 au_uwrite(au_to_ace(acebufp + i)); 5181 } 5182 kmem_free(acebufp, a_size); 5183 break; 5184 default: 5185 break; 5186 } 5187 } 5188 5189 /*ARGSUSED*/ 5190 static void 5191 aus_acl(struct t_audit_data *tad) 5192 { 5193 struct a { 5194 long fname; 5195 long cmd; 5196 long nentries; 5197 long aclbufp; 5198 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5199 5200 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5201 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5202 5203 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5204 } 5205 5206 /*ARGSUSED*/ 5207 static void 5208 aus_facl(struct t_audit_data *tad) 5209 { 5210 struct a { 5211 long fd; 5212 long cmd; 5213 long nentries; 5214 long aclbufp; 5215 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5216 struct file *fp; 5217 struct vnode *vp; 5218 struct f_audit_data *fad; 5219 int fd; 5220 5221 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5222 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5223 5224 fd = (int)uap->fd; 5225 5226 if ((fp = getf(fd)) == NULL) 5227 return; 5228 5229 /* get path from file struct here */ 5230 fad = F2A(fp); 5231 if (fad->fad_aupath != NULL) { 5232 au_uwrite(au_to_path(fad->fad_aupath)); 5233 } else { 5234 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5235 } 5236 5237 vp = fp->f_vnode; 5238 audit_attributes(vp); 5239 5240 /* decrement file descriptor reference count */ 5241 releasef(fd); 5242 5243 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5244 } 5245 5246 /*ARGSUSED*/ 5247 static void 5248 auf_read(tad, error, rval) 5249 struct t_audit_data *tad; 5250 int error; 5251 rval_t *rval; 5252 { 5253 struct file *fp; 5254 struct f_audit_data *fad; 5255 int fd; 5256 register struct a { 5257 long fd; 5258 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5259 au_kcontext_t *kctx = GET_KCTX_PZ; 5260 5261 fd = (int)uap->fd; 5262 5263 /* 5264 * convert file pointer to file descriptor 5265 * Note: fd ref count incremented here. 5266 */ 5267 if ((fp = getf(fd)) == NULL) 5268 return; 5269 5270 /* get path from file struct here */ 5271 fad = F2A(fp); 5272 ASSERT(fad); 5273 5274 /* 5275 * already processed this file for read attempt 5276 * 5277 * XXX might be better to turn off auditing in a aui_read() routine. 5278 */ 5279 if (fad->fad_flags & FAD_READ) { 5280 /* don't really want to audit every read attempt */ 5281 tad->tad_flag = 0; 5282 /* free any residual audit data */ 5283 au_close(kctx, &(u_ad), 0, 0, 0); 5284 releasef(fd); 5285 return; 5286 } 5287 /* mark things so we know what happened and don't repeat things */ 5288 fad->fad_flags |= FAD_READ; 5289 5290 if (fad->fad_aupath != NULL) { 5291 au_uwrite(au_to_path(fad->fad_aupath)); 5292 } else { 5293 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5294 } 5295 5296 /* include attributes */ 5297 audit_attributes(fp->f_vnode); 5298 5299 /* decrement file descriptor reference count */ 5300 releasef(fd); 5301 } 5302 5303 /*ARGSUSED*/ 5304 static void 5305 auf_write(tad, error, rval) 5306 struct t_audit_data *tad; 5307 int error; 5308 rval_t *rval; 5309 { 5310 struct file *fp; 5311 struct f_audit_data *fad; 5312 int fd; 5313 register struct a { 5314 long fd; 5315 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5316 au_kcontext_t *kctx = GET_KCTX_PZ; 5317 5318 fd = (int)uap->fd; 5319 5320 /* 5321 * convert file pointer to file descriptor 5322 * Note: fd ref count incremented here. 5323 */ 5324 if ((fp = getf(fd)) == NULL) 5325 return; 5326 5327 /* get path from file struct here */ 5328 fad = F2A(fp); 5329 ASSERT(fad); 5330 5331 /* 5332 * already processed this file for write attempt 5333 * 5334 * XXX might be better to turn off auditing in a aus_write() routine. 5335 */ 5336 if (fad->fad_flags & FAD_WRITE) { 5337 /* don't really want to audit every write attempt */ 5338 tad->tad_flag = 0; 5339 /* free any residual audit data */ 5340 au_close(kctx, &(u_ad), 0, 0, 0); 5341 releasef(fd); 5342 return; 5343 } 5344 /* mark things so we know what happened and don't repeat things */ 5345 fad->fad_flags |= FAD_WRITE; 5346 5347 if (fad->fad_aupath != NULL) { 5348 au_uwrite(au_to_path(fad->fad_aupath)); 5349 } else { 5350 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5351 } 5352 5353 /* include attributes */ 5354 audit_attributes(fp->f_vnode); 5355 5356 /* decrement file descriptor reference count */ 5357 releasef(fd); 5358 } 5359 5360 /*ARGSUSED*/ 5361 static void 5362 auf_recv(tad, error, rval) 5363 struct t_audit_data *tad; 5364 int error; 5365 rval_t *rval; 5366 { 5367 struct sonode *so; 5368 char so_laddr[sizeof (struct sockaddr_in6)]; 5369 char so_faddr[sizeof (struct sockaddr_in6)]; 5370 struct file *fp; 5371 struct f_audit_data *fad; 5372 int fd; 5373 int err; 5374 socklen_t len; 5375 short so_family, so_type; 5376 register struct a { 5377 long fd; 5378 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5379 au_kcontext_t *kctx = GET_KCTX_PZ; 5380 5381 /* 5382 * If there was an error, then nothing to do. Only generate 5383 * audit record on first successful recv. 5384 */ 5385 if (error) { 5386 /* Turn off audit record generation here. */ 5387 tad->tad_flag = 0; 5388 /* free any residual audit data */ 5389 au_close(kctx, &(u_ad), 0, 0, 0); 5390 return; 5391 } 5392 5393 fd = (int)uap->fd; 5394 5395 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5396 /* Turn off audit record generation here. */ 5397 tad->tad_flag = 0; 5398 /* free any residual audit data */ 5399 au_close(kctx, &(u_ad), 0, 0, 0); 5400 return; 5401 } 5402 5403 /* get path from file struct here */ 5404 fad = F2A(fp); 5405 ASSERT(fad); 5406 5407 /* 5408 * already processed this file for read attempt 5409 */ 5410 if (fad->fad_flags & FAD_READ) { 5411 releasef(fd); 5412 /* don't really want to audit every recv call */ 5413 tad->tad_flag = 0; 5414 /* free any residual audit data */ 5415 au_close(kctx, &(u_ad), 0, 0, 0); 5416 return; 5417 } 5418 5419 /* mark things so we know what happened and don't repeat things */ 5420 fad->fad_flags |= FAD_READ; 5421 5422 so_family = so->so_family; 5423 so_type = so->so_type; 5424 5425 switch (so_family) { 5426 case AF_INET: 5427 case AF_INET6: 5428 /* 5429 * Only for connections. 5430 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5431 */ 5432 if (so->so_state & SS_ISBOUND) { 5433 5434 bzero((void *)so_laddr, sizeof (so_laddr)); 5435 bzero((void *)so_faddr, sizeof (so_faddr)); 5436 5437 /* get local and foreign addresses */ 5438 len = sizeof (so_laddr); 5439 (void) socket_getsockname(so, 5440 (struct sockaddr *)so_laddr, &len, CRED()); 5441 len = sizeof (so_faddr); 5442 (void) socket_getpeername(so, 5443 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5444 5445 /* 5446 * only way to drop out of switch. Note that we 5447 * we release fd below. 5448 */ 5449 5450 break; 5451 } 5452 5453 releasef(fd); 5454 5455 /* don't really want to audit every recv call */ 5456 tad->tad_flag = 0; 5457 /* free any residual audit data */ 5458 au_close(kctx, &(u_ad), 0, 0, 0); 5459 5460 return; 5461 5462 case AF_UNIX: 5463 5464 if (fad->fad_aupath != NULL) { 5465 au_uwrite(au_to_path(fad->fad_aupath)); 5466 } else { 5467 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5468 } 5469 5470 audit_attributes(fp->f_vnode); 5471 5472 releasef(fd); 5473 5474 return; 5475 5476 default: 5477 releasef(fd); 5478 5479 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5480 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5481 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5482 5483 return; 5484 } 5485 5486 releasef(fd); 5487 5488 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5489 5490 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5491 5492 } 5493 5494 /*ARGSUSED*/ 5495 static void 5496 auf_send(tad, error, rval) 5497 struct t_audit_data *tad; 5498 int error; 5499 rval_t *rval; 5500 { 5501 struct sonode *so; 5502 char so_laddr[sizeof (struct sockaddr_in6)]; 5503 char so_faddr[sizeof (struct sockaddr_in6)]; 5504 struct file *fp; 5505 struct f_audit_data *fad; 5506 int fd; 5507 int err; 5508 socklen_t len; 5509 short so_family, so_type; 5510 register struct a { 5511 long fd; 5512 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5513 au_kcontext_t *kctx = GET_KCTX_PZ; 5514 5515 fd = (int)uap->fd; 5516 5517 /* 5518 * If there was an error, then nothing to do. Only generate 5519 * audit record on first successful send. 5520 */ 5521 if (error != 0) { 5522 /* Turn off audit record generation here. */ 5523 tad->tad_flag = 0; 5524 /* free any residual audit data */ 5525 au_close(kctx, &(u_ad), 0, 0, 0); 5526 return; 5527 } 5528 5529 fd = (int)uap->fd; 5530 5531 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5532 /* Turn off audit record generation here. */ 5533 tad->tad_flag = 0; 5534 /* free any residual audit data */ 5535 au_close(kctx, &(u_ad), 0, 0, 0); 5536 return; 5537 } 5538 5539 /* get path from file struct here */ 5540 fad = F2A(fp); 5541 ASSERT(fad); 5542 5543 /* 5544 * already processed this file for write attempt 5545 */ 5546 if (fad->fad_flags & FAD_WRITE) { 5547 releasef(fd); 5548 /* don't really want to audit every send call */ 5549 tad->tad_flag = 0; 5550 /* free any residual audit data */ 5551 au_close(kctx, &(u_ad), 0, 0, 0); 5552 return; 5553 } 5554 5555 /* mark things so we know what happened and don't repeat things */ 5556 fad->fad_flags |= FAD_WRITE; 5557 5558 so_family = so->so_family; 5559 so_type = so->so_type; 5560 5561 switch (so_family) { 5562 case AF_INET: 5563 case AF_INET6: 5564 /* 5565 * Only for connections. 5566 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5567 */ 5568 if (so->so_state & SS_ISBOUND) { 5569 5570 bzero((void *)so_laddr, sizeof (so_laddr)); 5571 bzero((void *)so_faddr, sizeof (so_faddr)); 5572 5573 /* get local and foreign addresses */ 5574 len = sizeof (so_laddr); 5575 (void) socket_getsockname(so, 5576 (struct sockaddr *)so_laddr, &len, CRED()); 5577 len = sizeof (so_faddr); 5578 (void) socket_getpeername(so, 5579 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5580 5581 /* 5582 * only way to drop out of switch. Note that we 5583 * we release fd below. 5584 */ 5585 5586 break; 5587 } 5588 5589 releasef(fd); 5590 /* don't really want to audit every send call */ 5591 tad->tad_flag = 0; 5592 /* free any residual audit data */ 5593 au_close(kctx, &(u_ad), 0, 0, 0); 5594 5595 return; 5596 5597 case AF_UNIX: 5598 5599 if (fad->fad_aupath != NULL) { 5600 au_uwrite(au_to_path(fad->fad_aupath)); 5601 } else { 5602 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5603 } 5604 5605 audit_attributes(fp->f_vnode); 5606 5607 releasef(fd); 5608 5609 return; 5610 5611 default: 5612 releasef(fd); 5613 5614 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5615 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5616 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5617 5618 return; 5619 } 5620 5621 releasef(fd); 5622 5623 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5624 5625 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5626 } 5627 5628 static au_event_t 5629 aui_forksys(au_event_t e) 5630 { 5631 struct a { 5632 long subcode; 5633 long flags; 5634 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5635 5636 switch ((uint_t)uap->subcode) { 5637 case 0: 5638 e = AUE_FORK1; 5639 break; 5640 case 1: 5641 e = AUE_FORKALL; 5642 break; 5643 case 2: 5644 e = AUE_VFORK; 5645 break; 5646 default: 5647 e = AUE_NULL; 5648 break; 5649 } 5650 5651 return (e); 5652 } 5653 5654 /*ARGSUSED*/ 5655 static au_event_t 5656 aui_portfs(au_event_t e) 5657 { 5658 struct a { /* portfs */ 5659 long a1; 5660 long a2; 5661 long a3; 5662 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5663 5664 /* 5665 * check opcode 5666 */ 5667 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5668 case PORT_ASSOCIATE: 5669 /* check source */ 5670 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5671 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5672 e = AUE_PORTFS_ASSOCIATE; 5673 } else { 5674 e = AUE_NULL; 5675 } 5676 break; 5677 case PORT_DISSOCIATE: 5678 /* check source */ 5679 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5680 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5681 e = AUE_PORTFS_DISSOCIATE; 5682 } else { 5683 e = AUE_NULL; 5684 } 5685 break; 5686 default: 5687 e = AUE_NULL; 5688 } 5689 return (e); 5690 } 5691