1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2010 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/vfs_opreg.h> 76 #include <fs/sockfs/sockcommon.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 82 char _depends_on[] = "fs/sockfs"; 83 84 static au_event_t aui_fchownat(au_event_t); 85 static au_event_t aui_open(au_event_t); 86 static au_event_t aui_openat(au_event_t); 87 static au_event_t aui_unlinkat(au_event_t); 88 static au_event_t aui_fstatat(au_event_t); 89 static au_event_t aui_msgsys(au_event_t); 90 static au_event_t aui_shmsys(au_event_t); 91 static au_event_t aui_semsys(au_event_t); 92 static au_event_t aui_utssys(au_event_t); 93 static au_event_t aui_fcntl(au_event_t); 94 static au_event_t aui_execve(au_event_t); 95 static au_event_t aui_memcntl(au_event_t); 96 static au_event_t aui_sysinfo(au_event_t); 97 static au_event_t aui_portfs(au_event_t); 98 static au_event_t aui_auditsys(au_event_t); 99 static au_event_t aui_modctl(au_event_t); 100 static au_event_t aui_acl(au_event_t); 101 static au_event_t aui_doorfs(au_event_t); 102 static au_event_t aui_privsys(au_event_t); 103 static au_event_t aui_forksys(au_event_t); 104 static au_event_t aui_labelsys(au_event_t); 105 static au_event_t aui_setpgrp(au_event_t); 106 107 static void aus_exit(struct t_audit_data *); 108 static void aus_open(struct t_audit_data *); 109 static void aus_openat(struct t_audit_data *); 110 static void aus_acl(struct t_audit_data *); 111 static void aus_acct(struct t_audit_data *); 112 static void aus_chown(struct t_audit_data *); 113 static void aus_fchown(struct t_audit_data *); 114 static void aus_lchown(struct t_audit_data *); 115 static void aus_fchownat(struct t_audit_data *); 116 static void aus_chmod(struct t_audit_data *); 117 static void aus_facl(struct t_audit_data *); 118 static void aus_fchmod(struct t_audit_data *); 119 static void aus_fcntl(struct t_audit_data *); 120 static void aus_mkdir(struct t_audit_data *); 121 static void aus_mknod(struct t_audit_data *); 122 static void aus_mount(struct t_audit_data *); 123 static void aus_umount2(struct t_audit_data *); 124 static void aus_msgsys(struct t_audit_data *); 125 static void aus_semsys(struct t_audit_data *); 126 static void aus_close(struct t_audit_data *); 127 static void aus_fstatfs(struct t_audit_data *); 128 static void aus_setgid(struct t_audit_data *); 129 static void aus_setpgrp(struct t_audit_data *); 130 static void aus_setuid(struct t_audit_data *); 131 static void aus_shmsys(struct t_audit_data *); 132 static void aus_doorfs(struct t_audit_data *); 133 static void aus_ioctl(struct t_audit_data *); 134 static void aus_memcntl(struct t_audit_data *); 135 static void aus_mmap(struct t_audit_data *); 136 static void aus_munmap(struct t_audit_data *); 137 static void aus_priocntlsys(struct t_audit_data *); 138 static void aus_setegid(struct t_audit_data *); 139 static void aus_setgroups(struct t_audit_data *); 140 static void aus_seteuid(struct t_audit_data *); 141 static void aus_putmsg(struct t_audit_data *); 142 static void aus_putpmsg(struct t_audit_data *); 143 static void aus_getmsg(struct t_audit_data *); 144 static void aus_getpmsg(struct t_audit_data *); 145 static void aus_auditsys(struct t_audit_data *); 146 static void aus_sysinfo(struct t_audit_data *); 147 static void aus_modctl(struct t_audit_data *); 148 static void aus_kill(struct t_audit_data *); 149 static void aus_setregid(struct t_audit_data *); 150 static void aus_setreuid(struct t_audit_data *); 151 static void aus_labelsys(struct t_audit_data *); 152 153 static void auf_mknod(struct t_audit_data *, int, rval_t *); 154 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 155 static void auf_semsys(struct t_audit_data *, int, rval_t *); 156 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 157 static void auf_read(struct t_audit_data *, int, rval_t *); 158 static void auf_write(struct t_audit_data *, int, rval_t *); 159 160 static void aus_sigqueue(struct t_audit_data *); 161 static void aus_p_online(struct t_audit_data *); 162 static void aus_processor_bind(struct t_audit_data *); 163 static void aus_inst_sync(struct t_audit_data *); 164 static void aus_brandsys(struct t_audit_data *); 165 166 static void auf_accept(struct t_audit_data *, int, rval_t *); 167 168 static void auf_bind(struct t_audit_data *, int, rval_t *); 169 static void auf_connect(struct t_audit_data *, int, rval_t *); 170 static void aus_shutdown(struct t_audit_data *); 171 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 172 static void aus_sockconfig(struct t_audit_data *); 173 static void auf_recv(struct t_audit_data *, int, rval_t *); 174 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 175 static void auf_send(struct t_audit_data *, int, rval_t *); 176 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 177 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 178 static void auf_sendto(struct t_audit_data *, int, rval_t *); 179 static void aus_socket(struct t_audit_data *); 180 /* 181 * This table contains mapping information for converting system call numbers 182 * to audit event IDs. In several cases it is necessary to map a single system 183 * call to several events. 184 */ 185 186 #define aui_null NULL /* NULL initialize function */ 187 #define aus_null NULL /* NULL start function */ 188 #define auf_null NULL /* NULL finish function */ 189 190 struct audit_s2e audit_s2e[] = 191 { 192 /* 193 * ---------- ---------- ---------- ---------- 194 * INITIAL AUDIT START SYSTEM 195 * PROCESSING EVENT PROCESSING CALL 196 * ---------- ---------- ---------- ----------- 197 * FINISH EVENT 198 * PROCESSING CONTROL 199 * ---------------------------------------------------------- 200 */ 201 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 202 auf_null, 0, 203 aui_null, AUE_EXIT, aus_exit, /* 1 exit */ 204 auf_null, S2E_NPT, 205 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */ 206 auf_null, 0, 207 aui_null, AUE_READ, aus_null, /* 3 read */ 208 auf_read, S2E_PUB, 209 aui_null, AUE_WRITE, aus_null, /* 4 write */ 210 auf_write, 0, 211 aui_open, AUE_OPEN, aus_open, /* 5 open */ 212 auf_null, S2E_SP, 213 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 214 auf_null, 0, 215 aui_null, AUE_NULL, aus_null, /* 7 (loadable) was wait */ 216 auf_null, 0, 217 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 218 auf_null, 0, 219 aui_null, AUE_LINK, aus_null, /* 9 link */ 220 auf_null, 0, 221 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 222 auf_null, 0, 223 aui_null, AUE_NULL, aus_null, /* 11 (loadable) was exec */ 224 auf_null, 0, 225 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 226 auf_null, S2E_SP, 227 aui_null, AUE_NULL, aus_null, /* 13 time */ 228 auf_null, 0, 229 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 230 auf_mknod, 0, 231 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 232 auf_null, 0, 233 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 234 auf_null, 0, 235 aui_null, AUE_NULL, aus_null, /* 17 brk */ 236 auf_null, 0, 237 aui_null, AUE_STAT, aus_null, /* 18 stat */ 238 auf_null, S2E_PUB, 239 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 240 auf_null, 0, 241 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 242 auf_null, 0, 243 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 244 auf_null, S2E_MLD, 245 aui_null, AUE_NULL, aus_null, /* 22 (loadable) was umount */ 246 auf_null, 0, 247 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 248 auf_null, 0, 249 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 250 auf_null, 0, 251 aui_null, AUE_STIME, aus_null, /* 25 stime */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 29 pause */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 264 auf_null, 0, 265 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 266 auf_null, 0, 267 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 268 auf_null, S2E_PUB, 269 aui_null, AUE_NICE, aus_null, /* 34 nice */ 270 auf_null, 0, 271 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 272 auf_null, S2E_PUB, 273 aui_null, AUE_NULL, aus_null, /* 36 sync */ 274 auf_null, 0, 275 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 276 auf_null, 0, 277 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 278 auf_null, S2E_PUB, 279 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 280 auf_null, 0, 281 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 282 auf_null, 0, 283 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 284 auf_null, 0, 285 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 43 times */ 288 auf_null, 0, 289 aui_null, AUE_NULL, aus_null, /* 44 profil */ 290 auf_null, 0, 291 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 292 auf_null, S2E_PUB | S2E_ATC, 293 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 296 auf_null, 0, 297 aui_null, AUE_NULL, aus_null, /* 48 (loadable) was ssig */ 298 auf_null, 0, 299 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 300 auf_msgsys, 0, 301 #if defined(__x86) 302 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 303 auf_null, 0, 304 #else 305 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 306 auf_null, 0, 307 #endif /* __x86 */ 308 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 309 auf_null, 0, 310 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 311 auf_shmsys, 0, 312 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 313 auf_semsys, 0, 314 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 315 auf_null, 0, 316 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 317 auf_null, 0, 318 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 319 auf_null, S2E_ATC, 320 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 321 auf_null, 0, 322 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 323 auf_null, 0, 324 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 325 auf_null, S2E_MLD, 326 aui_null, AUE_NULL, aus_null, /* 60 umask */ 327 auf_null, 0, 328 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 329 auf_null, S2E_SP, 330 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 333 auf_null, 0, 334 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 335 auf_null, S2E_ATC, 336 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 337 auf_null, S2E_ATC, 338 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 339 auf_null, S2E_PUB | S2E_ATC, 340 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 341 auf_null, S2E_PUB | S2E_ATC, 342 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 343 auf_null, S2E_SP | S2E_ATC, 344 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 345 auf_null, S2E_SP | S2E_ATC, 346 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 363 auf_null, 0, 364 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 365 auf_null, 0, 366 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 367 auf_null, 0, 368 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 369 auf_null, 0, 370 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 373 auf_null, 0, 374 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 375 auf_null, 0, 376 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 377 auf_null, 0, 378 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 379 auf_null, 0, 380 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 381 auf_null, 0, 382 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 383 auf_null, S2E_PUB, 384 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 385 auf_null, 0, 386 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 387 auf_null, S2E_PUB, 388 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 389 auf_null, 0, 390 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 391 auf_null, 0, 392 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 393 auf_null, 0, 394 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 395 auf_null, 0, 396 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 101 (loadable) */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 411 auf_null, 0, 412 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 413 auf_null, S2E_PUB, 414 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 415 auf_null, 0, 416 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 417 auf_null, 0, 418 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 423 auf_null, 0, 424 #if defined(__x86) 425 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 426 auf_null, 0, 427 #else 428 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 429 auf_null, 0, 430 #endif /* __x86 */ 431 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */ 432 auf_null, S2E_ATC, 433 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 434 auf_null, 0, 435 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 436 auf_null, 0, 437 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 438 auf_null, S2E_PUB, 439 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 440 auf_null, 0, 441 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 442 auf_null, 0, 443 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 444 auf_null, 0, 445 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 446 auf_null, 0, 447 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 448 auf_null, 0, 449 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 450 auf_null, 0, 451 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 452 auf_null, 0, 453 aui_null, AUE_READ, aus_null, /* 121 readv */ 454 auf_read, S2E_PUB, 455 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 456 auf_write, 0, 457 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 458 auf_null, 0, 459 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 460 auf_null, 0, 461 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 462 auf_null, 0, 463 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 464 auf_null, 0, 465 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 466 auf_null, 0, 467 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 468 auf_null, 0, 469 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 470 auf_null, 0, 471 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 472 auf_null, 0, 473 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 474 auf_null, 0, 475 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 476 auf_null, 0, 477 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 478 auf_null, 0, 479 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 480 auf_null, 0, 481 aui_null, AUE_NULL, aus_null, /* 135 uname */ 482 auf_null, 0, 483 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 484 auf_null, 0, 485 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 486 auf_null, 0, 487 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 488 auf_null, 0, 489 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 490 auf_null, 0, 491 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 492 auf_null, 0, 493 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 494 auf_null, 0, 495 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 496 auf_null, 0, 497 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 498 auf_null, 0, 499 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 146 yield */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 506 /* was lwp_sema_wait */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 515 auf_null, 0, 516 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 517 auf_null, 0, 518 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 519 auf_null, 0, 520 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 521 auf_null, 0, 522 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 551 /* was lwp_mutex_lock */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 558 auf_null, 0, 559 aui_null, AUE_READ, aus_null, /* 173 pread */ 560 auf_read, S2E_PUB, 561 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 562 auf_write, 0, 563 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 564 auf_null, 0, 565 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 566 auf_null, 0, 567 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 568 auf_null, 0, 569 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 570 auf_null, 0, 571 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 576 auf_null, 0, 577 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 578 auf_null, S2E_MLD, 579 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 580 auf_null, 0, 581 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 582 auf_null, 0, 583 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 584 auf_null, 0, 585 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 586 auf_null, 0, 587 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 588 auf_null, 0, 589 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 590 auf_null, 0, 591 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 592 auf_null, 0, 593 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 594 auf_null, 0, 595 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 596 auf_null, 0, 597 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 600 auf_null, 0, 601 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 612 auf_null, 0, 613 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 614 auf_null, 0, 615 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 616 auf_null, 0, 617 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 618 auf_null, 0, 619 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 620 auf_null, 0, 621 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 622 auf_null, 0, 623 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 640 auf_null, 0, 641 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 642 auf_null, 0, 643 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 644 auf_null, S2E_PUB, 645 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 646 auf_null, S2E_PUB, 647 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 648 auf_null, 0, 649 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 652 auf_null, 0, 653 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 654 auf_null, 0, 655 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 656 auf_null, 0, 657 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 658 auf_read, S2E_PUB, 659 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 660 auf_write, 0, 661 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 662 auf_null, 0, 663 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 664 auf_null, S2E_SP, 665 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 666 auf_null, 0, 667 aui_null, AUE_NULL, aus_null, /* 227 zone */ 668 auf_null, 0, 669 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 672 auf_null, 0, 673 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 676 auf_null, 0, 677 aui_null, AUE_BIND, aus_null, /* 232 bind */ 678 auf_bind, 0, 679 aui_null, AUE_NULL, aus_null, /* 233 listen */ 680 auf_null, 0, 681 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 682 auf_accept, 0, 683 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 684 auf_connect, 0, 685 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 686 auf_null, 0, 687 aui_null, AUE_READ, aus_null, /* 237 recv */ 688 auf_recv, 0, 689 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 690 auf_recvfrom, 0, 691 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 692 auf_recvmsg, 0, 693 aui_null, AUE_WRITE, aus_null, /* 240 send */ 694 auf_send, 0, 695 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 696 auf_sendmsg, 0, 697 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 698 auf_sendto, 0, 699 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 700 auf_null, 0, 701 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 702 auf_null, 0, 703 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 704 auf_null, 0, 705 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 706 auf_setsockopt, 0, 707 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 708 auf_null, 0, 709 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 710 auf_null, 0, 711 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 714 auf_null, 0, 715 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 722 auf_null, 0, 723 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 724 auf_null, 0 725 }; 726 727 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 728 729 730 /* exit start function */ 731 /*ARGSUSED*/ 732 static void 733 aus_exit(struct t_audit_data *tad) 734 { 735 uint32_t rval; 736 struct a { 737 long rval; 738 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 739 740 rval = (uint32_t)uap->rval; 741 au_uwrite(au_to_arg32(1, "exit status", rval)); 742 } 743 744 /* acct start function */ 745 /*ARGSUSED*/ 746 static void 747 aus_acct(struct t_audit_data *tad) 748 { 749 klwp_t *clwp = ttolwp(curthread); 750 uintptr_t fname; 751 752 struct a { 753 long fname; /* char * */ 754 } *uap = (struct a *)clwp->lwp_ap; 755 756 fname = (uintptr_t)uap->fname; 757 758 if (fname == 0) 759 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 760 } 761 762 /* chown start function */ 763 /*ARGSUSED*/ 764 static void 765 aus_chown(struct t_audit_data *tad) 766 { 767 klwp_t *clwp = ttolwp(curthread); 768 uint32_t uid, gid; 769 770 struct a { 771 long fname; /* char * */ 772 long uid; 773 long gid; 774 } *uap = (struct a *)clwp->lwp_ap; 775 776 uid = (uint32_t)uap->uid; 777 gid = (uint32_t)uap->gid; 778 779 au_uwrite(au_to_arg32(2, "new file uid", uid)); 780 au_uwrite(au_to_arg32(3, "new file gid", gid)); 781 } 782 783 /* fchown start function */ 784 /*ARGSUSED*/ 785 static void 786 aus_fchown(struct t_audit_data *tad) 787 { 788 klwp_t *clwp = ttolwp(curthread); 789 uint32_t uid, gid, fd; 790 struct file *fp; 791 struct vnode *vp; 792 struct f_audit_data *fad; 793 794 struct a { 795 long fd; 796 long uid; 797 long gid; 798 } *uap = (struct a *)clwp->lwp_ap; 799 800 fd = (uint32_t)uap->fd; 801 uid = (uint32_t)uap->uid; 802 gid = (uint32_t)uap->gid; 803 804 au_uwrite(au_to_arg32(2, "new file uid", uid)); 805 au_uwrite(au_to_arg32(3, "new file gid", gid)); 806 807 /* 808 * convert file pointer to file descriptor 809 * Note: fd ref count incremented here. 810 */ 811 if ((fp = getf(fd)) == NULL) 812 return; 813 814 /* get path from file struct here */ 815 fad = F2A(fp); 816 if (fad->fad_aupath != NULL) { 817 au_uwrite(au_to_path(fad->fad_aupath)); 818 } else { 819 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 820 } 821 822 vp = fp->f_vnode; 823 audit_attributes(vp); 824 825 /* decrement file descriptor reference count */ 826 releasef(fd); 827 } 828 829 /*ARGSUSED*/ 830 static void 831 aus_lchown(struct t_audit_data *tad) 832 { 833 klwp_t *clwp = ttolwp(curthread); 834 uint32_t uid, gid; 835 836 837 struct a { 838 long fname; /* char * */ 839 long uid; 840 long gid; 841 } *uap = (struct a *)clwp->lwp_ap; 842 843 uid = (uint32_t)uap->uid; 844 gid = (uint32_t)uap->gid; 845 846 au_uwrite(au_to_arg32(2, "new file uid", uid)); 847 au_uwrite(au_to_arg32(3, "new file gid", gid)); 848 } 849 850 static au_event_t 851 aui_fchownat(au_event_t e) 852 { 853 klwp_t *clwp = ttolwp(curthread); 854 855 struct a { 856 long fd; 857 long fname; /* char * */ 858 long uid; 859 long gid; 860 long flags; 861 } *uap = (struct a *)clwp->lwp_ap; 862 863 if (uap->fname == NULL) 864 e = AUE_FCHOWN; 865 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 866 e = AUE_LCHOWN; 867 else 868 e = AUE_CHOWN; 869 870 return (e); 871 } 872 873 /*ARGSUSED*/ 874 static void 875 aus_fchownat(struct t_audit_data *tad) 876 { 877 klwp_t *clwp = ttolwp(curthread); 878 uint32_t uid, gid; 879 880 struct a { 881 long fd; 882 long fname; /* char * */ 883 long uid; 884 long gid; 885 long flags; 886 } *uap = (struct a *)clwp->lwp_ap; 887 888 uid = (uint32_t)uap->uid; 889 gid = (uint32_t)uap->gid; 890 891 au_uwrite(au_to_arg32(3, "new file uid", uid)); 892 au_uwrite(au_to_arg32(4, "new file gid", gid)); 893 } 894 895 /* chmod start function */ 896 /*ARGSUSED*/ 897 static void 898 aus_chmod(struct t_audit_data *tad) 899 { 900 klwp_t *clwp = ttolwp(curthread); 901 uint32_t fmode; 902 903 struct a { 904 long fname; /* char * */ 905 long fmode; 906 } *uap = (struct a *)clwp->lwp_ap; 907 908 fmode = (uint32_t)uap->fmode; 909 910 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 911 } 912 913 /* chmod start function */ 914 /*ARGSUSED*/ 915 static void 916 aus_fchmod(struct t_audit_data *tad) 917 { 918 klwp_t *clwp = ttolwp(curthread); 919 uint32_t fmode, fd; 920 struct file *fp; 921 struct vnode *vp; 922 struct f_audit_data *fad; 923 924 struct a { 925 long fd; 926 long fmode; 927 } *uap = (struct a *)clwp->lwp_ap; 928 929 fd = (uint32_t)uap->fd; 930 fmode = (uint32_t)uap->fmode; 931 932 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 933 934 /* 935 * convert file pointer to file descriptor 936 * Note: fd ref count incremented here. 937 */ 938 if ((fp = getf(fd)) == NULL) 939 return; 940 941 /* get path from file struct here */ 942 fad = F2A(fp); 943 if (fad->fad_aupath != NULL) { 944 au_uwrite(au_to_path(fad->fad_aupath)); 945 } else { 946 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 947 } 948 949 vp = fp->f_vnode; 950 audit_attributes(vp); 951 952 /* decrement file descriptor reference count */ 953 releasef(fd); 954 } 955 956 /* 957 * convert open mode to appropriate open event 958 */ 959 au_event_t 960 open_event(uint_t fm) 961 { 962 au_event_t e; 963 964 switch (fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) { 965 case O_RDONLY: 966 e = AUE_OPEN_R; 967 break; 968 case O_RDONLY | O_CREAT: 969 e = AUE_OPEN_RC; 970 break; 971 case O_RDONLY | O_TRUNC: 972 e = AUE_OPEN_RT; 973 break; 974 case O_RDONLY | O_TRUNC | O_CREAT: 975 e = AUE_OPEN_RTC; 976 break; 977 case O_WRONLY: 978 e = AUE_OPEN_W; 979 break; 980 case O_WRONLY | O_CREAT: 981 e = AUE_OPEN_WC; 982 break; 983 case O_WRONLY | O_TRUNC: 984 e = AUE_OPEN_WT; 985 break; 986 case O_WRONLY | O_TRUNC | O_CREAT: 987 e = AUE_OPEN_WTC; 988 break; 989 case O_RDWR: 990 e = AUE_OPEN_RW; 991 break; 992 case O_RDWR | O_CREAT: 993 e = AUE_OPEN_RWC; 994 break; 995 case O_RDWR | O_TRUNC: 996 e = AUE_OPEN_RWT; 997 break; 998 case O_RDWR | O_TRUNC | O_CREAT: 999 e = AUE_OPEN_RWTC; 1000 break; 1001 default: 1002 e = AUE_NULL; 1003 break; 1004 } 1005 1006 return (e); 1007 } 1008 1009 /* ARGSUSED */ 1010 static au_event_t 1011 aui_open(au_event_t e) 1012 { 1013 t_audit_data_t *tad = T2A(curthread); 1014 klwp_t *clwp = ttolwp(curthread); 1015 uint_t fm; 1016 1017 struct a { 1018 long fnamep; /* char * */ 1019 long fmode; 1020 long cmode; 1021 } *uap = (struct a *)clwp->lwp_ap; 1022 1023 fm = (uint_t)uap->fmode; 1024 1025 /* convert to appropriate au_ctrl */ 1026 if (fm & (FXATTR | FXATTRDIROPEN)) 1027 tad->tad_ctrl |= PAD_ATTPATH; 1028 1029 return (open_event(fm)); 1030 } 1031 1032 static void 1033 aus_open(struct t_audit_data *tad) 1034 { 1035 klwp_t *clwp = ttolwp(curthread); 1036 uint_t fm; 1037 1038 struct a { 1039 long fnamep; /* char * */ 1040 long fmode; 1041 long cmode; 1042 } *uap = (struct a *)clwp->lwp_ap; 1043 1044 fm = (uint_t)uap->fmode; 1045 1046 /* If no write, create, or trunc modes, mark as a public op */ 1047 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1048 tad->tad_ctrl |= PAD_PUBLIC_EV; 1049 } 1050 1051 /* ARGSUSED */ 1052 static au_event_t 1053 aui_openat(au_event_t e) 1054 { 1055 t_audit_data_t *tad = T2A(curthread); 1056 klwp_t *clwp = ttolwp(curthread); 1057 uint_t fm; 1058 1059 struct a { 1060 long filedes; 1061 long fnamep; /* char * */ 1062 long fmode; 1063 long cmode; 1064 } *uap = (struct a *)clwp->lwp_ap; 1065 1066 fm = (uint_t)uap->fmode; 1067 1068 /* convert to appropriate au_ctrl */ 1069 if (fm & (FXATTR | FXATTRDIROPEN)) 1070 tad->tad_ctrl |= PAD_ATTPATH; 1071 1072 return (open_event(fm)); 1073 } 1074 1075 static void 1076 aus_openat(struct t_audit_data *tad) 1077 { 1078 klwp_t *clwp = ttolwp(curthread); 1079 uint_t fm; 1080 1081 struct a { 1082 long filedes; 1083 long fnamep; /* char * */ 1084 long fmode; 1085 long cmode; 1086 } *uap = (struct a *)clwp->lwp_ap; 1087 1088 fm = (uint_t)uap->fmode; 1089 1090 /* If no write, create, or trunc modes, mark as a public op */ 1091 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1092 tad->tad_ctrl |= PAD_PUBLIC_EV; 1093 } 1094 1095 static au_event_t 1096 aui_unlinkat(au_event_t e) 1097 { 1098 klwp_t *clwp = ttolwp(curthread); 1099 1100 struct a { 1101 long filedes; 1102 long fnamep; /* char * */ 1103 long flags; 1104 } *uap = (struct a *)clwp->lwp_ap; 1105 1106 if (uap->flags & AT_REMOVEDIR) 1107 e = AUE_RMDIR; 1108 else 1109 e = AUE_UNLINK; 1110 1111 return (e); 1112 } 1113 1114 static au_event_t 1115 aui_fstatat(au_event_t e) 1116 { 1117 klwp_t *clwp = ttolwp(curthread); 1118 1119 struct a { 1120 long filedes; 1121 long fnamep; /* char * */ 1122 long statb; 1123 long flags; 1124 } *uap = (struct a *)clwp->lwp_ap; 1125 1126 if (uap->fnamep == NULL) 1127 e = AUE_FSTAT; 1128 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1129 e = AUE_LSTAT; 1130 else 1131 e = AUE_STAT; 1132 1133 return (e); 1134 } 1135 1136 /* msgsys */ 1137 static au_event_t 1138 aui_msgsys(au_event_t e) 1139 { 1140 klwp_t *clwp = ttolwp(curthread); 1141 uint_t fm; 1142 1143 struct a { 1144 long id; /* function code id */ 1145 long ap; /* arg pointer for recvmsg */ 1146 } *uap = (struct a *)clwp->lwp_ap; 1147 1148 struct b { 1149 long msgid; 1150 long cmd; 1151 long buf; /* struct msqid_ds * */ 1152 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1153 1154 fm = (uint_t)uap->id; 1155 1156 switch (fm) { 1157 case 0: /* msgget */ 1158 e = AUE_MSGGET; 1159 break; 1160 case 1: /* msgctl */ 1161 switch ((uint_t)uap1->cmd) { 1162 case IPC_RMID: 1163 e = AUE_MSGCTL_RMID; 1164 break; 1165 case IPC_SET: 1166 e = AUE_MSGCTL_SET; 1167 break; 1168 case IPC_STAT: 1169 e = AUE_MSGCTL_STAT; 1170 break; 1171 default: 1172 e = AUE_MSGCTL; 1173 break; 1174 } 1175 break; 1176 case 2: /* msgrcv */ 1177 e = AUE_MSGRCV; 1178 break; 1179 case 3: /* msgsnd */ 1180 e = AUE_MSGSND; 1181 break; 1182 default: /* illegal system call */ 1183 e = AUE_NULL; 1184 break; 1185 } 1186 1187 return (e); 1188 } 1189 1190 1191 /* shmsys */ 1192 static au_event_t 1193 aui_shmsys(au_event_t e) 1194 { 1195 klwp_t *clwp = ttolwp(curthread); 1196 int fm; 1197 1198 struct a { /* shmsys */ 1199 long id; /* function code id */ 1200 } *uap = (struct a *)clwp->lwp_ap; 1201 1202 struct b { /* ctrl */ 1203 long shmid; 1204 long cmd; 1205 long arg; /* struct shmid_ds * */ 1206 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1207 fm = (uint_t)uap->id; 1208 1209 switch (fm) { 1210 case 0: /* shmat */ 1211 e = AUE_SHMAT; 1212 break; 1213 case 1: /* shmctl */ 1214 switch ((uint_t)uap1->cmd) { 1215 case IPC_RMID: 1216 e = AUE_SHMCTL_RMID; 1217 break; 1218 case IPC_SET: 1219 e = AUE_SHMCTL_SET; 1220 break; 1221 case IPC_STAT: 1222 e = AUE_SHMCTL_STAT; 1223 break; 1224 default: 1225 e = AUE_SHMCTL; 1226 break; 1227 } 1228 break; 1229 case 2: /* shmdt */ 1230 e = AUE_SHMDT; 1231 break; 1232 case 3: /* shmget */ 1233 e = AUE_SHMGET; 1234 break; 1235 default: /* illegal system call */ 1236 e = AUE_NULL; 1237 break; 1238 } 1239 1240 return (e); 1241 } 1242 1243 1244 /* semsys */ 1245 static au_event_t 1246 aui_semsys(au_event_t e) 1247 { 1248 klwp_t *clwp = ttolwp(curthread); 1249 uint_t fm; 1250 1251 struct a { /* semsys */ 1252 long id; 1253 } *uap = (struct a *)clwp->lwp_ap; 1254 1255 struct b { /* ctrl */ 1256 long semid; 1257 long semnum; 1258 long cmd; 1259 long arg; 1260 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1261 1262 fm = (uint_t)uap->id; 1263 1264 switch (fm) { 1265 case 0: /* semctl */ 1266 switch ((uint_t)uap1->cmd) { 1267 case IPC_RMID: 1268 e = AUE_SEMCTL_RMID; 1269 break; 1270 case IPC_SET: 1271 e = AUE_SEMCTL_SET; 1272 break; 1273 case IPC_STAT: 1274 e = AUE_SEMCTL_STAT; 1275 break; 1276 case GETNCNT: 1277 e = AUE_SEMCTL_GETNCNT; 1278 break; 1279 case GETPID: 1280 e = AUE_SEMCTL_GETPID; 1281 break; 1282 case GETVAL: 1283 e = AUE_SEMCTL_GETVAL; 1284 break; 1285 case GETALL: 1286 e = AUE_SEMCTL_GETALL; 1287 break; 1288 case GETZCNT: 1289 e = AUE_SEMCTL_GETZCNT; 1290 break; 1291 case SETVAL: 1292 e = AUE_SEMCTL_SETVAL; 1293 break; 1294 case SETALL: 1295 e = AUE_SEMCTL_SETALL; 1296 break; 1297 default: 1298 e = AUE_SEMCTL; 1299 break; 1300 } 1301 break; 1302 case 1: /* semget */ 1303 e = AUE_SEMGET; 1304 break; 1305 case 2: /* semop */ 1306 e = AUE_SEMOP; 1307 break; 1308 default: /* illegal system call */ 1309 e = AUE_NULL; 1310 break; 1311 } 1312 1313 return (e); 1314 } 1315 1316 /* utssys - uname(2), ustat(2), fusers(2) */ 1317 static au_event_t 1318 aui_utssys(au_event_t e) 1319 { 1320 klwp_t *clwp = ttolwp(curthread); 1321 uint_t type; 1322 1323 struct a { 1324 union { 1325 long cbuf; /* char * */ 1326 long ubuf; /* struct stat * */ 1327 } ub; 1328 union { 1329 long mv; /* for USTAT */ 1330 long flags; /* for FUSERS */ 1331 } un; 1332 long type; 1333 long outbp; /* char * for FUSERS */ 1334 } *uap = (struct a *)clwp->lwp_ap; 1335 1336 type = (uint_t)uap->type; 1337 1338 if (type == UTS_FUSERS) 1339 return (e); 1340 else 1341 return ((au_event_t)AUE_NULL); 1342 } 1343 1344 static au_event_t 1345 aui_fcntl(au_event_t e) 1346 { 1347 klwp_t *clwp = ttolwp(curthread); 1348 uint_t cmd; 1349 1350 struct a { 1351 long fdes; 1352 long cmd; 1353 long arg; 1354 } *uap = (struct a *)clwp->lwp_ap; 1355 1356 cmd = (uint_t)uap->cmd; 1357 1358 switch (cmd) { 1359 case F_GETLK: 1360 case F_SETLK: 1361 case F_SETLKW: 1362 break; 1363 case F_SETFL: 1364 case F_GETFL: 1365 case F_GETFD: 1366 break; 1367 default: 1368 e = (au_event_t)AUE_NULL; 1369 break; 1370 } 1371 return ((au_event_t)e); 1372 } 1373 1374 /* null function for now */ 1375 static au_event_t 1376 aui_execve(au_event_t e) 1377 { 1378 return (e); 1379 } 1380 1381 /*ARGSUSED*/ 1382 static void 1383 aus_fcntl(struct t_audit_data *tad) 1384 { 1385 klwp_t *clwp = ttolwp(curthread); 1386 uint32_t cmd, fd, flags; 1387 struct file *fp; 1388 struct vnode *vp; 1389 struct f_audit_data *fad; 1390 1391 struct a { 1392 long fd; 1393 long cmd; 1394 long arg; 1395 } *uap = (struct a *)clwp->lwp_ap; 1396 1397 cmd = (uint32_t)uap->cmd; 1398 fd = (uint32_t)uap->fd; 1399 flags = (uint32_t)uap->arg; 1400 1401 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1402 1403 if (cmd == F_SETFL) 1404 au_uwrite(au_to_arg32(3, "flags", flags)); 1405 1406 /* 1407 * convert file pointer to file descriptor 1408 * Note: fd ref count incremented here. 1409 */ 1410 if ((fp = getf(fd)) == NULL) 1411 return; 1412 1413 /* get path from file struct here */ 1414 fad = F2A(fp); 1415 if (fad->fad_aupath != NULL) { 1416 au_uwrite(au_to_path(fad->fad_aupath)); 1417 } else { 1418 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1419 } 1420 1421 vp = fp->f_vnode; 1422 audit_attributes(vp); 1423 1424 /* decrement file descriptor reference count */ 1425 releasef(fd); 1426 } 1427 1428 /*ARGSUSED*/ 1429 static void 1430 aus_kill(struct t_audit_data *tad) 1431 { 1432 klwp_t *clwp = ttolwp(curthread); 1433 struct proc *p; 1434 uint32_t signo; 1435 uid_t uid, ruid; 1436 gid_t gid, rgid; 1437 pid_t pid; 1438 const auditinfo_addr_t *ainfo; 1439 cred_t *cr; 1440 1441 struct a { 1442 long pid; 1443 long signo; 1444 } *uap = (struct a *)clwp->lwp_ap; 1445 1446 pid = (pid_t)uap->pid; 1447 signo = (uint32_t)uap->signo; 1448 1449 au_uwrite(au_to_arg32(2, "signal", signo)); 1450 if (pid > 0) { 1451 mutex_enter(&pidlock); 1452 if (((p = prfind(pid)) == (struct proc *)0) || 1453 (p->p_stat == SIDL)) { 1454 mutex_exit(&pidlock); 1455 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1456 return; 1457 } 1458 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1459 mutex_exit(&pidlock); 1460 1461 mutex_enter(&p->p_crlock); 1462 crhold(cr = p->p_cred); 1463 mutex_exit(&p->p_crlock); 1464 mutex_exit(&p->p_lock); 1465 1466 ainfo = crgetauinfo(cr); 1467 if (ainfo == NULL) { 1468 crfree(cr); 1469 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1470 return; 1471 } 1472 1473 uid = crgetuid(cr); 1474 gid = crgetgid(cr); 1475 ruid = crgetruid(cr); 1476 rgid = crgetrgid(cr); 1477 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1478 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1479 1480 if (is_system_labeled()) 1481 au_uwrite(au_to_label(CR_SL(cr))); 1482 1483 crfree(cr); 1484 } 1485 else 1486 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1487 } 1488 1489 /*ARGSUSED*/ 1490 static void 1491 aus_mkdir(struct t_audit_data *tad) 1492 { 1493 klwp_t *clwp = ttolwp(curthread); 1494 uint32_t dmode; 1495 1496 struct a { 1497 long dirnamep; /* char * */ 1498 long dmode; 1499 } *uap = (struct a *)clwp->lwp_ap; 1500 1501 dmode = (uint32_t)uap->dmode; 1502 1503 au_uwrite(au_to_arg32(2, "mode", dmode)); 1504 } 1505 1506 /*ARGSUSED*/ 1507 static void 1508 aus_mknod(struct t_audit_data *tad) 1509 { 1510 klwp_t *clwp = ttolwp(curthread); 1511 uint32_t fmode; 1512 dev_t dev; 1513 1514 struct a { 1515 long pnamep; /* char * */ 1516 long fmode; 1517 long dev; 1518 } *uap = (struct a *)clwp->lwp_ap; 1519 1520 fmode = (uint32_t)uap->fmode; 1521 dev = (dev_t)uap->dev; 1522 1523 au_uwrite(au_to_arg32(2, "mode", fmode)); 1524 #ifdef _LP64 1525 au_uwrite(au_to_arg64(3, "dev", dev)); 1526 #else 1527 au_uwrite(au_to_arg32(3, "dev", dev)); 1528 #endif 1529 } 1530 1531 /*ARGSUSED*/ 1532 static void 1533 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1534 { 1535 klwp_t *clwp = ttolwp(curthread); 1536 vnode_t *dvp; 1537 caddr_t pnamep; 1538 1539 struct a { 1540 long pnamep; /* char * */ 1541 long fmode; 1542 long dev; 1543 } *uap = (struct a *)clwp->lwp_ap; 1544 1545 /* no error, then already path token in audit record */ 1546 if (error != EPERM) 1547 return; 1548 1549 /* not auditing this event, nothing then to do */ 1550 if (tad->tad_flag == 0) 1551 return; 1552 1553 /* do the lookup to force generation of path token */ 1554 pnamep = (caddr_t)uap->pnamep; 1555 tad->tad_ctrl |= PAD_NOATTRB; 1556 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1557 if (error == 0) 1558 VN_RELE(dvp); 1559 } 1560 1561 /*ARGSUSED*/ 1562 static void 1563 aus_mount(struct t_audit_data *tad) 1564 { /* AUS_START */ 1565 klwp_t *clwp = ttolwp(curthread); 1566 uint32_t flags; 1567 uintptr_t u_fstype, dataptr; 1568 STRUCT_DECL(nfs_args, nfsargs); 1569 size_t len; 1570 char *fstype, *hostname; 1571 1572 struct a { 1573 long spec; /* char * */ 1574 long dir; /* char * */ 1575 long flags; 1576 long fstype; /* char * */ 1577 long dataptr; /* char * */ 1578 long datalen; 1579 } *uap = (struct a *)clwp->lwp_ap; 1580 1581 u_fstype = (uintptr_t)uap->fstype; 1582 flags = (uint32_t)uap->flags; 1583 dataptr = (uintptr_t)uap->dataptr; 1584 1585 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1586 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1587 goto mount_free_fstype; 1588 1589 au_uwrite(au_to_arg32(3, "flags", flags)); 1590 au_uwrite(au_to_text(fstype)); 1591 1592 if (strncmp(fstype, "nfs", 3) == 0) { 1593 1594 STRUCT_INIT(nfsargs, get_udatamodel()); 1595 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1596 1597 if (copyin((caddr_t)dataptr, 1598 STRUCT_BUF(nfsargs), 1599 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1600 /* DEBUG debug_enter((char *)NULL); */ 1601 goto mount_free_fstype; 1602 } 1603 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1604 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1605 (caddr_t)hostname, 1606 MAXNAMELEN, &len)) { 1607 goto mount_free_hostname; 1608 } 1609 au_uwrite(au_to_text(hostname)); 1610 au_uwrite(au_to_arg32(3, "internal flags", 1611 (uint_t)STRUCT_FGET(nfsargs, flags))); 1612 1613 mount_free_hostname: 1614 kmem_free(hostname, MAXNAMELEN); 1615 } 1616 1617 mount_free_fstype: 1618 kmem_free(fstype, MAXNAMELEN); 1619 } /* AUS_MOUNT */ 1620 1621 static void 1622 aus_umount_path(caddr_t umount_dir) 1623 { 1624 char *dir_path; 1625 struct audit_path *path; 1626 size_t path_len, dir_len; 1627 1628 /* length alloc'd for two string pointers */ 1629 path_len = sizeof (struct audit_path) + sizeof (char *); 1630 path = kmem_alloc(path_len, KM_SLEEP); 1631 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1632 1633 if (copyinstr(umount_dir, (caddr_t)dir_path, 1634 MAXPATHLEN, &dir_len)) 1635 goto umount2_free_dir; 1636 1637 /* 1638 * the audit_path struct assumes that the buffer pointed to 1639 * by audp_sect[n] contains string 0 immediatedly followed 1640 * by string 1. 1641 */ 1642 path->audp_sect[0] = dir_path; 1643 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1644 path->audp_size = path_len; 1645 path->audp_ref = 1; /* not used */ 1646 path->audp_cnt = 1; /* one path string */ 1647 1648 au_uwrite(au_to_path(path)); 1649 1650 umount2_free_dir: 1651 kmem_free(dir_path, MAXPATHLEN); 1652 kmem_free(path, path_len); 1653 } 1654 1655 /*ARGSUSED*/ 1656 static void 1657 aus_umount2(struct t_audit_data *tad) 1658 { 1659 klwp_t *clwp = ttolwp(curthread); 1660 struct a { 1661 long dir; /* char * */ 1662 long flags; 1663 } *uap = (struct a *)clwp->lwp_ap; 1664 1665 aus_umount_path((caddr_t)uap->dir); 1666 1667 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1668 } 1669 1670 static void 1671 aus_msgsys(struct t_audit_data *tad) 1672 { 1673 klwp_t *clwp = ttolwp(curthread); 1674 uint32_t msgid; 1675 1676 struct b { 1677 long msgid; 1678 long cmd; 1679 long buf; /* struct msqid_ds * */ 1680 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1681 1682 msgid = (uint32_t)uap1->msgid; 1683 1684 1685 switch (tad->tad_event) { 1686 case AUE_MSGGET: /* msgget */ 1687 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1688 break; 1689 case AUE_MSGCTL: /* msgctl */ 1690 case AUE_MSGCTL_RMID: /* msgctl */ 1691 case AUE_MSGCTL_SET: /* msgctl */ 1692 case AUE_MSGCTL_STAT: /* msgctl */ 1693 case AUE_MSGRCV: /* msgrcv */ 1694 case AUE_MSGSND: /* msgsnd */ 1695 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1696 break; 1697 } 1698 } 1699 1700 /*ARGSUSED*/ 1701 static void 1702 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1703 { 1704 int id; 1705 1706 if (error != 0) 1707 return; 1708 if (tad->tad_event == AUE_MSGGET) { 1709 uint32_t scid; 1710 uint32_t sy_flags; 1711 1712 /* need to determine type of executing binary */ 1713 scid = tad->tad_scid; 1714 #ifdef _SYSCALL32_IMPL 1715 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1716 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1717 else 1718 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1719 #else 1720 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1721 #endif 1722 if (sy_flags == SE_32RVAL1) 1723 id = rval->r_val1; 1724 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1725 id = rval->r_val1; 1726 if (sy_flags == SE_64RVAL) 1727 id = (int)rval->r_vals; 1728 1729 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1730 } 1731 } 1732 1733 static void 1734 aus_semsys(struct t_audit_data *tad) 1735 { 1736 klwp_t *clwp = ttolwp(curthread); 1737 uint32_t semid; 1738 1739 struct b { /* ctrl */ 1740 long semid; 1741 long semnum; 1742 long cmd; 1743 long arg; 1744 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1745 1746 semid = (uint32_t)uap1->semid; 1747 1748 switch (tad->tad_event) { 1749 case AUE_SEMCTL_RMID: 1750 case AUE_SEMCTL_STAT: 1751 case AUE_SEMCTL_GETNCNT: 1752 case AUE_SEMCTL_GETPID: 1753 case AUE_SEMCTL_GETVAL: 1754 case AUE_SEMCTL_GETALL: 1755 case AUE_SEMCTL_GETZCNT: 1756 case AUE_SEMCTL_SET: 1757 case AUE_SEMCTL_SETVAL: 1758 case AUE_SEMCTL_SETALL: 1759 case AUE_SEMCTL: 1760 case AUE_SEMOP: 1761 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1762 break; 1763 case AUE_SEMGET: 1764 au_uwrite(au_to_arg32(1, "sem key", semid)); 1765 break; 1766 } 1767 } 1768 1769 /*ARGSUSED*/ 1770 static void 1771 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1772 { 1773 int id; 1774 1775 if (error != 0) 1776 return; 1777 if (tad->tad_event == AUE_SEMGET) { 1778 uint32_t scid; 1779 uint32_t sy_flags; 1780 1781 /* need to determine type of executing binary */ 1782 scid = tad->tad_scid; 1783 #ifdef _SYSCALL32_IMPL 1784 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1785 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1786 else 1787 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1788 #else 1789 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1790 #endif 1791 if (sy_flags == SE_32RVAL1) 1792 id = rval->r_val1; 1793 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1794 id = rval->r_val1; 1795 if (sy_flags == SE_64RVAL) 1796 id = (int)rval->r_vals; 1797 1798 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1799 } 1800 } 1801 1802 /*ARGSUSED*/ 1803 static void 1804 aus_close(struct t_audit_data *tad) 1805 { 1806 klwp_t *clwp = ttolwp(curthread); 1807 uint32_t fd; 1808 struct file *fp; 1809 struct f_audit_data *fad; 1810 struct vnode *vp; 1811 struct vattr attr; 1812 au_kcontext_t *kctx = GET_KCTX_PZ; 1813 1814 struct a { 1815 long i; 1816 } *uap = (struct a *)clwp->lwp_ap; 1817 1818 fd = (uint32_t)uap->i; 1819 1820 attr.va_mask = 0; 1821 au_uwrite(au_to_arg32(1, "fd", fd)); 1822 1823 /* 1824 * convert file pointer to file descriptor 1825 * Note: fd ref count incremented here. 1826 */ 1827 if ((fp = getf(fd)) == NULL) 1828 return; 1829 1830 fad = F2A(fp); 1831 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1832 if (fad->fad_aupath != NULL) { 1833 au_uwrite(au_to_path(fad->fad_aupath)); 1834 if ((vp = fp->f_vnode) != NULL) { 1835 attr.va_mask = AT_ALL; 1836 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1837 /* 1838 * When write was not used and the file can be 1839 * considered public, skip the audit. 1840 */ 1841 if (((fp->f_flag & FWRITE) == 0) && 1842 file_is_public(&attr)) { 1843 tad->tad_flag = 0; 1844 tad->tad_evmod = 0; 1845 /* free any residual audit data */ 1846 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 1847 releasef(fd); 1848 return; 1849 } 1850 au_uwrite(au_to_attr(&attr)); 1851 audit_sec_attributes(&(u_ad), vp); 1852 } 1853 } 1854 } 1855 1856 /* decrement file descriptor reference count */ 1857 releasef(fd); 1858 } 1859 1860 /*ARGSUSED*/ 1861 static void 1862 aus_fstatfs(struct t_audit_data *tad) 1863 { 1864 klwp_t *clwp = ttolwp(curthread); 1865 uint32_t fd; 1866 struct file *fp; 1867 struct vnode *vp; 1868 struct f_audit_data *fad; 1869 1870 struct a { 1871 long fd; 1872 long buf; /* struct statfs * */ 1873 } *uap = (struct a *)clwp->lwp_ap; 1874 1875 fd = (uint_t)uap->fd; 1876 1877 /* 1878 * convert file pointer to file descriptor 1879 * Note: fd ref count incremented here. 1880 */ 1881 if ((fp = getf(fd)) == NULL) 1882 return; 1883 1884 /* get path from file struct here */ 1885 fad = F2A(fp); 1886 if (fad->fad_aupath != NULL) { 1887 au_uwrite(au_to_path(fad->fad_aupath)); 1888 } else { 1889 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1890 } 1891 1892 vp = fp->f_vnode; 1893 audit_attributes(vp); 1894 1895 /* decrement file descriptor reference count */ 1896 releasef(fd); 1897 } 1898 1899 static au_event_t 1900 aui_setpgrp(au_event_t e) 1901 { 1902 klwp_t *clwp = ttolwp(curthread); 1903 int flag; 1904 1905 struct a { 1906 long flag; 1907 long pid; 1908 long pgid; 1909 } *uap = (struct a *)clwp->lwp_ap; 1910 1911 flag = (int)uap->flag; 1912 1913 1914 switch (flag) { 1915 1916 case 1: /* setpgrp() */ 1917 e = AUE_SETPGRP; 1918 break; 1919 1920 case 3: /* setsid() */ 1921 e = AUE_SETSID; 1922 break; 1923 1924 case 5: /* setpgid() */ 1925 e = AUE_SETPGID; 1926 break; 1927 1928 case 0: /* getpgrp() - not security relevant */ 1929 case 2: /* getsid() - not security relevant */ 1930 case 4: /* getpgid() - not security relevant */ 1931 e = AUE_NULL; 1932 break; 1933 1934 default: 1935 e = AUE_NULL; 1936 break; 1937 } 1938 1939 return (e); 1940 } 1941 1942 /*ARGSUSED*/ 1943 static void 1944 aus_setpgrp(struct t_audit_data *tad) 1945 { 1946 klwp_t *clwp = ttolwp(curthread); 1947 pid_t pgid; 1948 struct proc *p; 1949 uid_t uid, ruid; 1950 gid_t gid, rgid; 1951 pid_t pid; 1952 cred_t *cr; 1953 int flag; 1954 const auditinfo_addr_t *ainfo; 1955 1956 struct a { 1957 long flag; 1958 long pid; 1959 long pgid; 1960 } *uap = (struct a *)clwp->lwp_ap; 1961 1962 flag = (int)uap->flag; 1963 pid = (pid_t)uap->pid; 1964 pgid = (pid_t)uap->pgid; 1965 1966 1967 switch (flag) { 1968 1969 case 0: /* getpgrp() */ 1970 case 1: /* setpgrp() */ 1971 case 2: /* getsid() */ 1972 case 3: /* setsid() */ 1973 case 4: /* getpgid() */ 1974 break; 1975 1976 case 5: /* setpgid() */ 1977 1978 /* current process? */ 1979 if (pid == 0) { 1980 return; 1981 } 1982 1983 mutex_enter(&pidlock); 1984 p = prfind(pid); 1985 if (p == NULL || p->p_as == &kas || 1986 p->p_stat == SIDL || p->p_stat == SZOMB) { 1987 mutex_exit(&pidlock); 1988 return; 1989 } 1990 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1991 mutex_exit(&pidlock); 1992 1993 mutex_enter(&p->p_crlock); 1994 crhold(cr = p->p_cred); 1995 mutex_exit(&p->p_crlock); 1996 mutex_exit(&p->p_lock); 1997 1998 ainfo = crgetauinfo(cr); 1999 if (ainfo == NULL) { 2000 crfree(cr); 2001 return; 2002 } 2003 2004 uid = crgetuid(cr); 2005 gid = crgetgid(cr); 2006 ruid = crgetruid(cr); 2007 rgid = crgetrgid(cr); 2008 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2009 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2010 crfree(cr); 2011 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2012 break; 2013 2014 default: 2015 break; 2016 } 2017 } 2018 2019 2020 /*ARGSUSED*/ 2021 static void 2022 aus_setregid(struct t_audit_data *tad) 2023 { 2024 klwp_t *clwp = ttolwp(curthread); 2025 uint32_t rgid, egid; 2026 2027 struct a { 2028 long rgid; 2029 long egid; 2030 } *uap = (struct a *)clwp->lwp_ap; 2031 2032 rgid = (uint32_t)uap->rgid; 2033 egid = (uint32_t)uap->egid; 2034 2035 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2036 au_uwrite(au_to_arg32(2, "egid", egid)); 2037 } 2038 2039 /*ARGSUSED*/ 2040 static void 2041 aus_setgid(struct t_audit_data *tad) 2042 { 2043 klwp_t *clwp = ttolwp(curthread); 2044 uint32_t gid; 2045 2046 struct a { 2047 long gid; 2048 } *uap = (struct a *)clwp->lwp_ap; 2049 2050 gid = (uint32_t)uap->gid; 2051 2052 au_uwrite(au_to_arg32(1, "gid", gid)); 2053 } 2054 2055 2056 /*ARGSUSED*/ 2057 static void 2058 aus_setreuid(struct t_audit_data *tad) 2059 { 2060 klwp_t *clwp = ttolwp(curthread); 2061 uint32_t ruid, euid; 2062 2063 struct a { 2064 long ruid; 2065 long euid; 2066 } *uap = (struct a *)clwp->lwp_ap; 2067 2068 ruid = (uint32_t)uap->ruid; 2069 euid = (uint32_t)uap->euid; 2070 2071 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2072 au_uwrite(au_to_arg32(2, "euid", euid)); 2073 } 2074 2075 2076 /*ARGSUSED*/ 2077 static void 2078 aus_setuid(struct t_audit_data *tad) 2079 { 2080 klwp_t *clwp = ttolwp(curthread); 2081 uint32_t uid; 2082 2083 struct a { 2084 long uid; 2085 } *uap = (struct a *)clwp->lwp_ap; 2086 2087 uid = (uint32_t)uap->uid; 2088 2089 au_uwrite(au_to_arg32(1, "uid", uid)); 2090 } 2091 2092 /*ARGSUSED*/ 2093 static void 2094 aus_shmsys(struct t_audit_data *tad) 2095 { 2096 klwp_t *clwp = ttolwp(curthread); 2097 uint32_t id, cmd; 2098 2099 struct b { 2100 long id; 2101 long cmd; 2102 long buf; /* struct shmid_ds * */ 2103 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2104 2105 id = (uint32_t)uap1->id; 2106 cmd = (uint32_t)uap1->cmd; 2107 2108 switch (tad->tad_event) { 2109 case AUE_SHMGET: /* shmget */ 2110 au_uwrite(au_to_arg32(1, "shm key", id)); 2111 break; 2112 case AUE_SHMCTL: /* shmctl */ 2113 case AUE_SHMCTL_RMID: /* shmctl */ 2114 case AUE_SHMCTL_STAT: /* shmctl */ 2115 case AUE_SHMCTL_SET: /* shmctl */ 2116 au_uwrite(au_to_arg32(1, "shm ID", id)); 2117 break; 2118 case AUE_SHMDT: /* shmdt */ 2119 au_uwrite(au_to_arg32(1, "shm adr", id)); 2120 break; 2121 case AUE_SHMAT: /* shmat */ 2122 au_uwrite(au_to_arg32(1, "shm ID", id)); 2123 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2124 break; 2125 } 2126 } 2127 2128 /*ARGSUSED*/ 2129 static void 2130 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2131 { 2132 int id; 2133 2134 if (error != 0) 2135 return; 2136 if (tad->tad_event == AUE_SHMGET) { 2137 uint32_t scid; 2138 uint32_t sy_flags; 2139 2140 /* need to determine type of executing binary */ 2141 scid = tad->tad_scid; 2142 #ifdef _SYSCALL32_IMPL 2143 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2144 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2145 else 2146 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2147 #else 2148 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2149 #endif 2150 if (sy_flags == SE_32RVAL1) 2151 id = rval->r_val1; 2152 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2153 id = rval->r_val1; 2154 if (sy_flags == SE_64RVAL) 2155 id = (int)rval->r_vals; 2156 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2157 } 2158 } 2159 2160 2161 /*ARGSUSED*/ 2162 static void 2163 aus_ioctl(struct t_audit_data *tad) 2164 { 2165 klwp_t *clwp = ttolwp(curthread); 2166 struct file *fp; 2167 struct vnode *vp; 2168 struct f_audit_data *fad; 2169 uint32_t fd, cmd; 2170 uintptr_t cmarg; 2171 2172 /* XX64 */ 2173 struct a { 2174 long fd; 2175 long cmd; 2176 long cmarg; /* caddr_t */ 2177 } *uap = (struct a *)clwp->lwp_ap; 2178 2179 fd = (uint32_t)uap->fd; 2180 cmd = (uint32_t)uap->cmd; 2181 cmarg = (uintptr_t)uap->cmarg; 2182 2183 /* 2184 * convert file pointer to file descriptor 2185 * Note: fd ref count incremented here. 2186 */ 2187 if ((fp = getf(fd)) == NULL) { 2188 au_uwrite(au_to_arg32(1, "fd", fd)); 2189 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2190 #ifndef _LP64 2191 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2192 #else 2193 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2194 #endif 2195 return; 2196 } 2197 2198 /* get path from file struct here */ 2199 fad = F2A(fp); 2200 if (fad->fad_aupath != NULL) { 2201 au_uwrite(au_to_path(fad->fad_aupath)); 2202 } else { 2203 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2204 } 2205 2206 vp = fp->f_vnode; 2207 audit_attributes(vp); 2208 2209 /* decrement file descriptor reference count */ 2210 releasef(fd); 2211 2212 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2213 #ifndef _LP64 2214 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2215 #else 2216 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2217 #endif 2218 } 2219 2220 /* 2221 * null function for memcntl for now. We might want to limit memcntl() 2222 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2223 * require privileges. 2224 */ 2225 static au_event_t 2226 aui_memcntl(au_event_t e) 2227 { 2228 return (e); 2229 } 2230 2231 /*ARGSUSED*/ 2232 static au_event_t 2233 aui_privsys(au_event_t e) 2234 { 2235 klwp_t *clwp = ttolwp(curthread); 2236 2237 struct a { 2238 long opcode; 2239 } *uap = (struct a *)clwp->lwp_ap; 2240 2241 switch (uap->opcode) { 2242 case PRIVSYS_SETPPRIV: 2243 return (AUE_SETPPRIV); 2244 default: 2245 return (AUE_NULL); 2246 } 2247 } 2248 2249 /*ARGSUSED*/ 2250 static void 2251 aus_memcntl(struct t_audit_data *tad) 2252 { 2253 klwp_t *clwp = ttolwp(curthread); 2254 2255 struct a { 2256 long addr; 2257 long len; 2258 long cmd; 2259 long arg; 2260 long attr; 2261 long mask; 2262 } *uap = (struct a *)clwp->lwp_ap; 2263 2264 #ifdef _LP64 2265 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2266 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2267 #else 2268 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2269 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2270 #endif 2271 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2272 #ifdef _LP64 2273 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2274 #else 2275 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2276 #endif 2277 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2278 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2279 } 2280 2281 /*ARGSUSED*/ 2282 static void 2283 aus_mmap(struct t_audit_data *tad) 2284 { 2285 klwp_t *clwp = ttolwp(curthread); 2286 struct file *fp; 2287 struct f_audit_data *fad; 2288 struct vnode *vp; 2289 uint32_t fd; 2290 2291 struct a { 2292 long addr; 2293 long len; 2294 long prot; 2295 long flags; 2296 long fd; 2297 long pos; 2298 } *uap = (struct a *)clwp->lwp_ap; 2299 2300 fd = (uint32_t)uap->fd; 2301 2302 #ifdef _LP64 2303 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2304 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2305 #else 2306 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2307 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2308 #endif 2309 2310 if ((fp = getf(fd)) == NULL) { 2311 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2312 return; 2313 } 2314 2315 /* 2316 * Mark in the tad if write access is NOT requested... if 2317 * this is later detected (in audit_attributes) to be a 2318 * public object, the mmap event may be discarded. 2319 */ 2320 if (((uap->prot) & PROT_WRITE) == 0) { 2321 tad->tad_ctrl |= PAD_PUBLIC_EV; 2322 } 2323 2324 fad = F2A(fp); 2325 if (fad->fad_aupath != NULL) { 2326 au_uwrite(au_to_path(fad->fad_aupath)); 2327 } else { 2328 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2329 } 2330 2331 vp = (struct vnode *)fp->f_vnode; 2332 audit_attributes(vp); 2333 2334 /* mark READ/WRITE since we can't predict access */ 2335 if (uap->prot & PROT_READ) 2336 fad->fad_flags |= FAD_READ; 2337 if (uap->prot & PROT_WRITE) 2338 fad->fad_flags |= FAD_WRITE; 2339 2340 /* decrement file descriptor reference count */ 2341 releasef(fd); 2342 2343 } /* AUS_MMAP */ 2344 2345 2346 2347 2348 /*ARGSUSED*/ 2349 static void 2350 aus_munmap(struct t_audit_data *tad) 2351 { 2352 klwp_t *clwp = ttolwp(curthread); 2353 2354 struct a { 2355 long addr; 2356 long len; 2357 } *uap = (struct a *)clwp->lwp_ap; 2358 2359 #ifdef _LP64 2360 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2361 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2362 #else 2363 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2364 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2365 #endif 2366 2367 } /* AUS_MUNMAP */ 2368 2369 2370 2371 2372 2373 2374 2375 /*ARGSUSED*/ 2376 static void 2377 aus_priocntlsys(struct t_audit_data *tad) 2378 { 2379 klwp_t *clwp = ttolwp(curthread); 2380 2381 struct a { 2382 long pc_version; 2383 long psp; /* procset_t */ 2384 long cmd; 2385 long arg; 2386 } *uap = (struct a *)clwp->lwp_ap; 2387 2388 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2389 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2390 2391 } /* AUS_PRIOCNTLSYS */ 2392 2393 2394 /*ARGSUSED*/ 2395 static void 2396 aus_setegid(struct t_audit_data *tad) 2397 { 2398 klwp_t *clwp = ttolwp(curthread); 2399 uint32_t gid; 2400 2401 struct a { 2402 long gid; 2403 } *uap = (struct a *)clwp->lwp_ap; 2404 2405 gid = (uint32_t)uap->gid; 2406 2407 au_uwrite(au_to_arg32(1, "gid", gid)); 2408 } /* AUS_SETEGID */ 2409 2410 2411 2412 2413 /*ARGSUSED*/ 2414 static void 2415 aus_setgroups(struct t_audit_data *tad) 2416 { 2417 klwp_t *clwp = ttolwp(curthread); 2418 int i; 2419 int gidsetsize; 2420 uintptr_t gidset; 2421 gid_t *gidlist; 2422 2423 struct a { 2424 long gidsetsize; 2425 long gidset; 2426 } *uap = (struct a *)clwp->lwp_ap; 2427 2428 gidsetsize = (uint_t)uap->gidsetsize; 2429 gidset = (uintptr_t)uap->gidset; 2430 2431 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2432 return; 2433 if (gidsetsize != 0) { 2434 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2435 KM_SLEEP); 2436 if (copyin((caddr_t)gidset, gidlist, 2437 gidsetsize * sizeof (gid_t)) == 0) 2438 for (i = 0; i < gidsetsize; i++) 2439 au_uwrite(au_to_arg32(1, "setgroups", 2440 (uint32_t)gidlist[i])); 2441 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2442 } else 2443 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2444 2445 } /* AUS_SETGROUPS */ 2446 2447 2448 2449 2450 2451 /*ARGSUSED*/ 2452 static void 2453 aus_seteuid(struct t_audit_data *tad) 2454 { 2455 klwp_t *clwp = ttolwp(curthread); 2456 uint32_t uid; 2457 2458 struct a { 2459 long uid; 2460 } *uap = (struct a *)clwp->lwp_ap; 2461 2462 uid = (uint32_t)uap->uid; 2463 2464 au_uwrite(au_to_arg32(1, "euid", uid)); 2465 2466 } /* AUS_SETEUID */ 2467 2468 /*ARGSUSED*/ 2469 static void 2470 aus_putmsg(struct t_audit_data *tad) 2471 { 2472 klwp_t *clwp = ttolwp(curthread); 2473 uint32_t fd, pri; 2474 struct file *fp; 2475 struct f_audit_data *fad; 2476 2477 struct a { 2478 long fdes; 2479 long ctl; /* struct strbuf * */ 2480 long data; /* struct strbuf * */ 2481 long pri; 2482 } *uap = (struct a *)clwp->lwp_ap; 2483 2484 fd = (uint32_t)uap->fdes; 2485 pri = (uint32_t)uap->pri; 2486 2487 au_uwrite(au_to_arg32(1, "fd", fd)); 2488 2489 if ((fp = getf(fd)) != NULL) { 2490 fad = F2A(fp); 2491 2492 fad->fad_flags |= FAD_WRITE; 2493 2494 /* add path name to audit record */ 2495 if (fad->fad_aupath != NULL) { 2496 au_uwrite(au_to_path(fad->fad_aupath)); 2497 } 2498 audit_attributes(fp->f_vnode); 2499 2500 releasef(fd); 2501 } 2502 2503 au_uwrite(au_to_arg32(4, "pri", pri)); 2504 } 2505 2506 /*ARGSUSED*/ 2507 static void 2508 aus_putpmsg(struct t_audit_data *tad) 2509 { 2510 klwp_t *clwp = ttolwp(curthread); 2511 uint32_t fd, pri, flags; 2512 struct file *fp; 2513 struct f_audit_data *fad; 2514 2515 struct a { 2516 long fdes; 2517 long ctl; /* struct strbuf * */ 2518 long data; /* struct strbuf * */ 2519 long pri; 2520 long flags; 2521 } *uap = (struct a *)clwp->lwp_ap; 2522 2523 fd = (uint32_t)uap->fdes; 2524 pri = (uint32_t)uap->pri; 2525 flags = (uint32_t)uap->flags; 2526 2527 au_uwrite(au_to_arg32(1, "fd", fd)); 2528 2529 if ((fp = getf(fd)) != NULL) { 2530 fad = F2A(fp); 2531 2532 fad->fad_flags |= FAD_WRITE; 2533 2534 /* add path name to audit record */ 2535 if (fad->fad_aupath != NULL) { 2536 au_uwrite(au_to_path(fad->fad_aupath)); 2537 } 2538 audit_attributes(fp->f_vnode); 2539 2540 releasef(fd); 2541 } 2542 2543 2544 au_uwrite(au_to_arg32(4, "pri", pri)); 2545 au_uwrite(au_to_arg32(5, "flags", flags)); 2546 } 2547 2548 /*ARGSUSED*/ 2549 static void 2550 aus_getmsg(struct t_audit_data *tad) 2551 { 2552 klwp_t *clwp = ttolwp(curthread); 2553 uint32_t fd, pri; 2554 struct file *fp; 2555 struct f_audit_data *fad; 2556 2557 struct a { 2558 long fdes; 2559 long ctl; /* struct strbuf * */ 2560 long data; /* struct strbuf * */ 2561 long pri; 2562 } *uap = (struct a *)clwp->lwp_ap; 2563 2564 fd = (uint32_t)uap->fdes; 2565 pri = (uint32_t)uap->pri; 2566 2567 au_uwrite(au_to_arg32(1, "fd", fd)); 2568 2569 if ((fp = getf(fd)) != NULL) { 2570 fad = F2A(fp); 2571 2572 /* 2573 * read operation on this object 2574 */ 2575 fad->fad_flags |= FAD_READ; 2576 2577 /* add path name to audit record */ 2578 if (fad->fad_aupath != NULL) { 2579 au_uwrite(au_to_path(fad->fad_aupath)); 2580 } 2581 audit_attributes(fp->f_vnode); 2582 2583 releasef(fd); 2584 } 2585 2586 au_uwrite(au_to_arg32(4, "pri", pri)); 2587 } 2588 2589 /*ARGSUSED*/ 2590 static void 2591 aus_getpmsg(struct t_audit_data *tad) 2592 { 2593 klwp_t *clwp = ttolwp(curthread); 2594 uint32_t fd; 2595 struct file *fp; 2596 struct f_audit_data *fad; 2597 2598 struct a { 2599 long fdes; 2600 long ctl; /* struct strbuf * */ 2601 long data; /* struct strbuf * */ 2602 long pri; 2603 long flags; 2604 } *uap = (struct a *)clwp->lwp_ap; 2605 2606 fd = (uint32_t)uap->fdes; 2607 2608 au_uwrite(au_to_arg32(1, "fd", fd)); 2609 2610 if ((fp = getf(fd)) != NULL) { 2611 fad = F2A(fp); 2612 2613 /* 2614 * read operation on this object 2615 */ 2616 fad->fad_flags |= FAD_READ; 2617 2618 /* add path name to audit record */ 2619 if (fad->fad_aupath != NULL) { 2620 au_uwrite(au_to_path(fad->fad_aupath)); 2621 } 2622 audit_attributes(fp->f_vnode); 2623 2624 releasef(fd); 2625 } 2626 } 2627 2628 static au_event_t 2629 aui_labelsys(au_event_t e) 2630 { 2631 klwp_t *clwp = ttolwp(curthread); 2632 uint32_t code; 2633 uint32_t cmd; 2634 2635 struct a { 2636 long code; 2637 long cmd; 2638 } *uap = (struct a *)clwp->lwp_ap; 2639 2640 code = (uint32_t)uap->code; 2641 cmd = (uint32_t)uap->cmd; 2642 2643 /* not security relevant if not changing kernel cache */ 2644 if (cmd == TNDB_GET) 2645 return (AUE_NULL); 2646 2647 switch (code) { 2648 case TSOL_TNRH: 2649 e = AUE_LABELSYS_TNRH; 2650 break; 2651 case TSOL_TNRHTP: 2652 e = AUE_LABELSYS_TNRHTP; 2653 break; 2654 case TSOL_TNMLP: 2655 e = AUE_LABELSYS_TNMLP; 2656 break; 2657 default: 2658 e = AUE_NULL; 2659 break; 2660 } 2661 2662 return (e); 2663 2664 } 2665 2666 static void 2667 aus_labelsys(struct t_audit_data *tad) 2668 { 2669 klwp_t *clwp = ttolwp(curthread); 2670 uint32_t cmd; 2671 uintptr_t a2; 2672 2673 struct a { 2674 long code; 2675 long cmd; 2676 long a2; 2677 } *uap = (struct a *)clwp->lwp_ap; 2678 2679 cmd = (uint32_t)uap->cmd; 2680 a2 = (uintptr_t)uap->a2; 2681 2682 switch (tad->tad_event) { 2683 case AUE_LABELSYS_TNRH: 2684 { 2685 tsol_rhent_t *rhent; 2686 tnaddr_t *rh_addr; 2687 2688 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2689 2690 /* Remaining args don't apply for FLUSH, so skip */ 2691 if (cmd == TNDB_FLUSH) 2692 break; 2693 2694 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2695 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2696 kmem_free(rhent, sizeof (tsol_rhent_t)); 2697 return; 2698 } 2699 2700 rh_addr = &rhent->rh_address; 2701 if (rh_addr->ta_family == AF_INET) { 2702 struct in_addr *ipaddr; 2703 2704 ipaddr = &(rh_addr->ta_addr_v4); 2705 au_uwrite(au_to_in_addr(ipaddr)); 2706 } else if (rh_addr->ta_family == AF_INET6) { 2707 int32_t *ipaddr; 2708 2709 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2710 au_uwrite(au_to_in_addr_ex(ipaddr)); 2711 } 2712 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2713 2714 kmem_free(rhent, sizeof (tsol_rhent_t)); 2715 2716 break; 2717 } 2718 case AUE_LABELSYS_TNRHTP: 2719 { 2720 tsol_tpent_t *tpent; 2721 2722 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2723 2724 /* Remaining args don't apply for FLUSH, so skip */ 2725 if (cmd == TNDB_FLUSH) 2726 break; 2727 2728 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2729 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2730 kmem_free(tpent, sizeof (tsol_tpent_t)); 2731 return; 2732 } 2733 2734 /* Make sure that the template name is null-terminated. */ 2735 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2736 2737 au_uwrite(au_to_text(tpent->name)); 2738 kmem_free(tpent, sizeof (tsol_tpent_t)); 2739 2740 break; 2741 } 2742 case AUE_LABELSYS_TNMLP: 2743 { 2744 tsol_mlpent_t *mlpent; 2745 2746 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2747 2748 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2749 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2750 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2751 return; 2752 } 2753 2754 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2755 au_uwrite(au_to_text("shared")); 2756 } else { 2757 zone_t *zone; 2758 2759 zone = zone_find_by_id(mlpent->tsme_zoneid); 2760 if (zone != NULL) { 2761 au_uwrite(au_to_text(zone->zone_name)); 2762 zone_rele(zone); 2763 } 2764 } 2765 2766 /* Remaining args don't apply for FLUSH, so skip */ 2767 if (cmd == TNDB_FLUSH) { 2768 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2769 break; 2770 } 2771 2772 au_uwrite(au_to_arg32(2, "proto num", 2773 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2774 au_uwrite(au_to_arg32(2, "mlp_port", 2775 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2776 2777 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2778 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2779 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2780 2781 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2782 2783 break; 2784 } 2785 default: 2786 break; 2787 } 2788 } 2789 2790 2791 static au_event_t 2792 aui_auditsys(au_event_t e) 2793 { 2794 klwp_t *clwp = ttolwp(curthread); 2795 uint32_t code; 2796 2797 struct a { 2798 long code; 2799 long a1; 2800 long a2; 2801 long a3; 2802 long a4; 2803 long a5; 2804 long a6; 2805 long a7; 2806 } *uap = (struct a *)clwp->lwp_ap; 2807 2808 code = (uint32_t)uap->code; 2809 2810 switch (code) { 2811 2812 case BSM_GETAUID: 2813 e = AUE_GETAUID; 2814 break; 2815 case BSM_SETAUID: 2816 e = AUE_SETAUID; 2817 break; 2818 case BSM_GETAUDIT: 2819 e = AUE_GETAUDIT; 2820 break; 2821 case BSM_GETAUDIT_ADDR: 2822 e = AUE_GETAUDIT_ADDR; 2823 break; 2824 case BSM_SETAUDIT: 2825 e = AUE_SETAUDIT; 2826 break; 2827 case BSM_SETAUDIT_ADDR: 2828 e = AUE_SETAUDIT_ADDR; 2829 break; 2830 case BSM_AUDIT: 2831 e = AUE_AUDIT; 2832 break; 2833 case BSM_AUDITCTL: 2834 switch ((uint_t)uap->a1) { 2835 2836 case A_GETPOLICY: 2837 e = AUE_AUDITON_GPOLICY; 2838 break; 2839 case A_SETPOLICY: 2840 e = AUE_AUDITON_SPOLICY; 2841 break; 2842 case A_GETKMASK: 2843 e = AUE_AUDITON_GETKMASK; 2844 break; 2845 case A_SETKMASK: 2846 e = AUE_AUDITON_SETKMASK; 2847 break; 2848 case A_GETQCTRL: 2849 e = AUE_AUDITON_GQCTRL; 2850 break; 2851 case A_SETQCTRL: 2852 e = AUE_AUDITON_SQCTRL; 2853 break; 2854 case A_GETCWD: 2855 e = AUE_AUDITON_GETCWD; 2856 break; 2857 case A_GETCAR: 2858 e = AUE_AUDITON_GETCAR; 2859 break; 2860 case A_GETSTAT: 2861 e = AUE_AUDITON_GETSTAT; 2862 break; 2863 case A_SETSTAT: 2864 e = AUE_AUDITON_SETSTAT; 2865 break; 2866 case A_SETUMASK: 2867 e = AUE_AUDITON_SETUMASK; 2868 break; 2869 case A_SETSMASK: 2870 e = AUE_AUDITON_SETSMASK; 2871 break; 2872 case A_GETCOND: 2873 e = AUE_AUDITON_GETCOND; 2874 break; 2875 case A_SETCOND: 2876 e = AUE_AUDITON_SETCOND; 2877 break; 2878 case A_GETCLASS: 2879 e = AUE_AUDITON_GETCLASS; 2880 break; 2881 case A_SETCLASS: 2882 e = AUE_AUDITON_SETCLASS; 2883 break; 2884 default: 2885 e = AUE_NULL; 2886 break; 2887 } 2888 break; 2889 default: 2890 e = AUE_NULL; 2891 break; 2892 } 2893 2894 return (e); 2895 2896 } /* AUI_AUDITSYS */ 2897 2898 2899 static void 2900 aus_auditsys(struct t_audit_data *tad) 2901 { 2902 klwp_t *clwp = ttolwp(curthread); 2903 uintptr_t a1, a2; 2904 STRUCT_DECL(auditinfo, ainfo); 2905 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2906 au_evclass_map_t event; 2907 au_mask_t mask; 2908 int auditstate, policy; 2909 au_id_t auid; 2910 2911 2912 struct a { 2913 long code; 2914 long a1; 2915 long a2; 2916 long a3; 2917 long a4; 2918 long a5; 2919 long a6; 2920 long a7; 2921 } *uap = (struct a *)clwp->lwp_ap; 2922 2923 a1 = (uintptr_t)uap->a1; 2924 a2 = (uintptr_t)uap->a2; 2925 2926 switch (tad->tad_event) { 2927 case AUE_SETAUID: 2928 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2929 return; 2930 au_uwrite(au_to_arg32(2, "setauid", auid)); 2931 break; 2932 case AUE_SETAUDIT: 2933 STRUCT_INIT(ainfo, get_udatamodel()); 2934 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2935 STRUCT_SIZE(ainfo))) { 2936 return; 2937 } 2938 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2939 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2940 #ifdef _LP64 2941 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2942 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2943 #else 2944 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2945 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2946 #endif 2947 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2948 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2949 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2950 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2951 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2952 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2953 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2954 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2955 break; 2956 case AUE_SETAUDIT_ADDR: 2957 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2958 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2959 STRUCT_SIZE(ainfo_addr))) { 2960 return; 2961 } 2962 au_uwrite(au_to_arg32((char)1, "auid", 2963 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2964 #ifdef _LP64 2965 au_uwrite(au_to_arg64((char)1, "port", 2966 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2967 #else 2968 au_uwrite(au_to_arg32((char)1, "port", 2969 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2970 #endif 2971 au_uwrite(au_to_arg32((char)1, "type", 2972 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2973 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2974 AU_IPv4) { 2975 au_uwrite(au_to_in_addr( 2976 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2977 ai_termid.at_addr))); 2978 } else { 2979 au_uwrite(au_to_in_addr_ex( 2980 (int32_t *)STRUCT_FGETP(ainfo_addr, 2981 ai_termid.at_addr))); 2982 } 2983 au_uwrite(au_to_arg32((char)1, "as_success", 2984 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2985 au_uwrite(au_to_arg32((char)1, "as_failure", 2986 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2987 au_uwrite(au_to_arg32((char)1, "asid", 2988 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2989 break; 2990 case AUE_AUDITON_SETKMASK: 2991 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2992 return; 2993 au_uwrite(au_to_arg32( 2994 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2995 au_uwrite(au_to_arg32( 2996 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2997 break; 2998 case AUE_AUDITON_SPOLICY: 2999 if (copyin((caddr_t)a2, &policy, sizeof (int))) 3000 return; 3001 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3002 break; 3003 case AUE_AUDITON_SQCTRL: { 3004 STRUCT_DECL(au_qctrl, qctrl); 3005 model_t model; 3006 3007 model = get_udatamodel(); 3008 STRUCT_INIT(qctrl, model); 3009 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3010 return; 3011 if (model == DATAMODEL_ILP32) { 3012 au_uwrite(au_to_arg32( 3013 3, "setqctrl:aq_hiwater", 3014 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3015 au_uwrite(au_to_arg32( 3016 3, "setqctrl:aq_lowater", 3017 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3018 au_uwrite(au_to_arg32( 3019 3, "setqctrl:aq_bufsz", 3020 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3021 au_uwrite(au_to_arg32( 3022 3, "setqctrl:aq_delay", 3023 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3024 } else { 3025 au_uwrite(au_to_arg64( 3026 3, "setqctrl:aq_hiwater", 3027 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3028 au_uwrite(au_to_arg64( 3029 3, "setqctrl:aq_lowater", 3030 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3031 au_uwrite(au_to_arg64( 3032 3, "setqctrl:aq_bufsz", 3033 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3034 au_uwrite(au_to_arg64( 3035 3, "setqctrl:aq_delay", 3036 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3037 } 3038 break; 3039 } 3040 case AUE_AUDITON_SETUMASK: 3041 STRUCT_INIT(ainfo, get_udatamodel()); 3042 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3043 STRUCT_SIZE(ainfo))) { 3044 return; 3045 } 3046 au_uwrite(au_to_arg32(3, "setumask:as_success", 3047 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3048 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3049 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3050 break; 3051 case AUE_AUDITON_SETSMASK: 3052 STRUCT_INIT(ainfo, get_udatamodel()); 3053 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3054 STRUCT_SIZE(ainfo))) { 3055 return; 3056 } 3057 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3058 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3059 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3060 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3061 break; 3062 case AUE_AUDITON_SETCOND: 3063 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3064 return; 3065 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3066 break; 3067 case AUE_AUDITON_SETCLASS: 3068 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3069 return; 3070 au_uwrite(au_to_arg32( 3071 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3072 au_uwrite(au_to_arg32( 3073 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3074 break; 3075 case AUE_GETAUID: 3076 case AUE_GETAUDIT: 3077 case AUE_GETAUDIT_ADDR: 3078 case AUE_AUDIT: 3079 case AUE_AUDITON_GPOLICY: 3080 case AUE_AUDITON_GQCTRL: 3081 case AUE_AUDITON_GETKMASK: 3082 case AUE_AUDITON_GETCWD: 3083 case AUE_AUDITON_GETCAR: 3084 case AUE_AUDITON_GETSTAT: 3085 case AUE_AUDITON_SETSTAT: 3086 case AUE_AUDITON_GETCOND: 3087 case AUE_AUDITON_GETCLASS: 3088 break; 3089 default: 3090 break; 3091 } 3092 3093 } /* AUS_AUDITSYS */ 3094 3095 3096 /* only audit privileged operations for systeminfo(2) system call */ 3097 static au_event_t 3098 aui_sysinfo(au_event_t e) 3099 { 3100 klwp_t *clwp = ttolwp(curthread); 3101 uint32_t command; 3102 3103 struct a { 3104 long command; 3105 long buf; /* char * */ 3106 long count; 3107 } *uap = (struct a *)clwp->lwp_ap; 3108 3109 command = (uint32_t)uap->command; 3110 3111 switch (command) { 3112 case SI_SET_HOSTNAME: 3113 case SI_SET_SRPC_DOMAIN: 3114 e = (au_event_t)AUE_SYSINFO; 3115 break; 3116 default: 3117 e = (au_event_t)AUE_NULL; 3118 break; 3119 } 3120 return (e); 3121 } 3122 3123 /*ARGSUSED*/ 3124 static void 3125 aus_sysinfo(struct t_audit_data *tad) 3126 { 3127 klwp_t *clwp = ttolwp(curthread); 3128 uint32_t command; 3129 size_t len, maxlen; 3130 char *name; 3131 uintptr_t buf; 3132 3133 struct a { 3134 long command; 3135 long buf; /* char * */ 3136 long count; 3137 } *uap = (struct a *)clwp->lwp_ap; 3138 3139 command = (uint32_t)uap->command; 3140 buf = (uintptr_t)uap->buf; 3141 3142 au_uwrite(au_to_arg32(1, "cmd", command)); 3143 3144 switch (command) { 3145 case SI_SET_HOSTNAME: 3146 { 3147 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3148 return; 3149 3150 maxlen = SYS_NMLN; 3151 name = kmem_alloc(maxlen, KM_SLEEP); 3152 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3153 break; 3154 3155 /* 3156 * Must be non-NULL string and string 3157 * must be less than SYS_NMLN chars. 3158 */ 3159 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3160 break; 3161 3162 au_uwrite(au_to_text(name)); 3163 break; 3164 } 3165 3166 case SI_SET_SRPC_DOMAIN: 3167 { 3168 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3169 return; 3170 3171 maxlen = SYS_NMLN; 3172 name = kmem_alloc(maxlen, KM_SLEEP); 3173 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3174 break; 3175 3176 /* 3177 * If string passed in is longer than length 3178 * allowed for domain name, fail. 3179 */ 3180 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3181 break; 3182 3183 au_uwrite(au_to_text(name)); 3184 break; 3185 } 3186 3187 default: 3188 return; 3189 } 3190 3191 kmem_free(name, maxlen); 3192 } 3193 3194 static au_event_t 3195 aui_modctl(au_event_t e) 3196 { 3197 klwp_t *clwp = ttolwp(curthread); 3198 uint_t cmd; 3199 3200 struct a { 3201 long cmd; 3202 } *uap = (struct a *)clwp->lwp_ap; 3203 3204 cmd = (uint_t)uap->cmd; 3205 3206 switch (cmd) { 3207 case MODLOAD: 3208 e = AUE_MODLOAD; 3209 break; 3210 case MODUNLOAD: 3211 e = AUE_MODUNLOAD; 3212 break; 3213 case MODADDMAJBIND: 3214 e = AUE_MODADDMAJ; 3215 break; 3216 case MODSETDEVPOLICY: 3217 e = AUE_MODDEVPLCY; 3218 break; 3219 case MODALLOCPRIV: 3220 e = AUE_MODADDPRIV; 3221 break; 3222 default: 3223 e = AUE_NULL; 3224 break; 3225 } 3226 return (e); 3227 } 3228 3229 3230 /*ARGSUSED*/ 3231 static void 3232 aus_modctl(struct t_audit_data *tad) 3233 { 3234 klwp_t *clwp = ttolwp(curthread); 3235 void *a = clwp->lwp_ap; 3236 uint_t use_path; 3237 3238 switch (tad->tad_event) { 3239 case AUE_MODLOAD: { 3240 typedef struct { 3241 long cmd; 3242 long use_path; 3243 long filename; /* char * */ 3244 } modloada_t; 3245 3246 char *filenamep; 3247 uintptr_t fname; 3248 extern char *default_path; 3249 3250 fname = (uintptr_t)((modloada_t *)a)->filename; 3251 use_path = (uint_t)((modloada_t *)a)->use_path; 3252 3253 /* space to hold path */ 3254 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3255 /* get string */ 3256 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3257 /* free allocated path */ 3258 kmem_free(filenamep, MOD_MAXPATH); 3259 return; 3260 } 3261 /* ensure it's null terminated */ 3262 filenamep[MOD_MAXPATH - 1] = 0; 3263 3264 if (use_path) 3265 au_uwrite(au_to_text(default_path)); 3266 au_uwrite(au_to_text(filenamep)); 3267 3268 /* release temporary memory */ 3269 kmem_free(filenamep, MOD_MAXPATH); 3270 break; 3271 } 3272 case AUE_MODUNLOAD: { 3273 typedef struct { 3274 long cmd; 3275 long id; 3276 } modunloada_t; 3277 3278 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3279 3280 au_uwrite(au_to_arg32(1, "id", id)); 3281 break; 3282 } 3283 case AUE_MODADDMAJ: { 3284 STRUCT_DECL(modconfig, mc); 3285 typedef struct { 3286 long cmd; 3287 long subcmd; 3288 long data; /* int * */ 3289 } modconfiga_t; 3290 3291 STRUCT_DECL(aliases, alias); 3292 caddr_t ap; 3293 int i, num_aliases; 3294 char *drvname, *mc_drvname; 3295 char *name; 3296 extern char *ddi_major_to_name(major_t); 3297 model_t model; 3298 3299 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3300 3301 model = get_udatamodel(); 3302 STRUCT_INIT(mc, model); 3303 /* sanitize buffer */ 3304 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3305 /* get user arguments */ 3306 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3307 STRUCT_SIZE(mc)) != 0) 3308 return; 3309 3310 mc_drvname = STRUCT_FGET(mc, drvname); 3311 if ((drvname = ddi_major_to_name( 3312 (major_t)STRUCT_FGET(mc, major))) != NULL && 3313 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3314 /* safety */ 3315 if (mc_drvname[0] != '\0') { 3316 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3317 au_uwrite(au_to_text(mc_drvname)); 3318 } 3319 /* drvname != NULL from test above */ 3320 au_uwrite(au_to_text(drvname)); 3321 return; 3322 } 3323 3324 if (mc_drvname[0] != '\0') { 3325 /* safety */ 3326 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3327 au_uwrite(au_to_text(mc_drvname)); 3328 } else 3329 au_uwrite(au_to_text("no drvname")); 3330 3331 num_aliases = STRUCT_FGET(mc, num_aliases); 3332 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3333 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3334 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3335 STRUCT_INIT(alias, model); 3336 for (i = 0; i < num_aliases; i++) { 3337 bzero((caddr_t)STRUCT_BUF(alias), 3338 STRUCT_SIZE(alias)); 3339 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3340 STRUCT_SIZE(alias)) != 0) 3341 break; 3342 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3343 MAXMODCONFNAME, NULL) != 0) { 3344 break; 3345 } 3346 3347 au_uwrite(au_to_text(name)); 3348 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3349 } 3350 kmem_free(name, MAXMODCONFNAME); 3351 break; 3352 } 3353 default: 3354 break; 3355 } 3356 } 3357 3358 3359 /*ARGSUSED*/ 3360 static void 3361 auf_accept( 3362 struct t_audit_data *tad, 3363 int error, 3364 rval_t *rval) 3365 { 3366 uint32_t scid; 3367 uint32_t sy_flags; 3368 int fd; 3369 struct sonode *so; 3370 char so_laddr[sizeof (struct sockaddr_in6)]; 3371 char so_faddr[sizeof (struct sockaddr_in6)]; 3372 int err; 3373 short so_family, so_type; 3374 int add_sock_token = 0; 3375 3376 /* need to determine type of executing binary */ 3377 scid = tad->tad_scid; 3378 #ifdef _SYSCALL32_IMPL 3379 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3380 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3381 else 3382 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3383 #else 3384 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3385 #endif 3386 if (sy_flags == SE_32RVAL1) 3387 fd = rval->r_val1; 3388 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3389 fd = rval->r_val1; 3390 if (sy_flags == SE_64RVAL) 3391 fd = (int)rval->r_vals; 3392 3393 if (error) { 3394 /* can't trust socket contents. Just return */ 3395 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3396 return; 3397 } 3398 3399 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3400 /* 3401 * not security relevant if doing a accept from non socket 3402 * so no extra tokens. Should probably turn off audit record 3403 * generation here. 3404 */ 3405 return; 3406 } 3407 3408 so_family = so->so_family; 3409 so_type = so->so_type; 3410 3411 switch (so_family) { 3412 case AF_INET: 3413 case AF_INET6: 3414 /* 3415 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3416 */ 3417 if (so->so_type == SOCK_STREAM) { 3418 socklen_t len; 3419 3420 bzero((void *)so_laddr, sizeof (so_laddr)); 3421 bzero((void *)so_faddr, sizeof (so_faddr)); 3422 3423 len = sizeof (so_laddr); 3424 (void) socket_getsockname(so, 3425 (struct sockaddr *)so_laddr, &len, CRED()); 3426 len = sizeof (so_faddr); 3427 (void) socket_getpeername(so, 3428 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3429 3430 add_sock_token = 1; 3431 } 3432 break; 3433 3434 default: 3435 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3436 break; 3437 } 3438 3439 releasef(fd); 3440 3441 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3442 3443 if (add_sock_token == 0) { 3444 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3445 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3446 return; 3447 } 3448 3449 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3450 3451 } 3452 3453 /*ARGSUSED*/ 3454 static void 3455 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3456 { 3457 struct a { 3458 long fd; 3459 long addr; 3460 long len; 3461 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3462 3463 struct sonode *so; 3464 char so_laddr[sizeof (struct sockaddr_in6)]; 3465 char so_faddr[sizeof (struct sockaddr_in6)]; 3466 int err, fd; 3467 socklen_t len; 3468 short so_family, so_type; 3469 int add_sock_token = 0; 3470 3471 fd = (int)uap->fd; 3472 3473 /* 3474 * bind failed, then nothing extra to add to audit record. 3475 */ 3476 if (error) { 3477 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3478 /* XXX may want to add failed address some day */ 3479 return; 3480 } 3481 3482 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3483 /* 3484 * not security relevant if doing a bind from non socket 3485 * so no extra tokens. Should probably turn off audit record 3486 * generation here. 3487 */ 3488 return; 3489 } 3490 3491 so_family = so->so_family; 3492 so_type = so->so_type; 3493 3494 switch (so_family) { 3495 case AF_INET: 3496 case AF_INET6: 3497 3498 bzero(so_faddr, sizeof (so_faddr)); 3499 len = sizeof (so_faddr); 3500 3501 (void) socket_getpeername(so, 3502 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3503 add_sock_token = 1; 3504 3505 break; 3506 3507 case AF_UNIX: 3508 /* token added by lookup */ 3509 break; 3510 default: 3511 /* AF_ROUTE, AF_KEY do not support accept */ 3512 break; 3513 } 3514 3515 releasef(fd); 3516 3517 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3518 3519 if (add_sock_token == 0) { 3520 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3521 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3522 return; 3523 } 3524 3525 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3526 3527 } 3528 3529 /*ARGSUSED*/ 3530 static void 3531 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3532 { 3533 struct a { 3534 long fd; 3535 long addr; 3536 long len; 3537 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3538 3539 struct sonode *so; 3540 char so_laddr[sizeof (struct sockaddr_in6)]; 3541 char so_faddr[sizeof (struct sockaddr_in6)]; 3542 int err, fd; 3543 socklen_t len; 3544 short so_family, so_type; 3545 int add_sock_token = 0; 3546 3547 fd = (int)uap->fd; 3548 3549 3550 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3551 /* 3552 * not security relevant if doing a connect from non socket 3553 * so no extra tokens. Should probably turn off audit record 3554 * generation here. 3555 */ 3556 return; 3557 } 3558 3559 so_family = so->so_family; 3560 so_type = so->so_type; 3561 3562 switch (so_family) { 3563 case AF_INET: 3564 case AF_INET6: 3565 3566 bzero(so_laddr, sizeof (so_laddr)); 3567 bzero(so_faddr, sizeof (so_faddr)); 3568 3569 len = sizeof (so_laddr); 3570 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3571 &len, CRED()); 3572 if (error) { 3573 if (uap->addr == NULL) 3574 break; 3575 if (uap->len <= 0) 3576 break; 3577 len = min(uap->len, sizeof (so_faddr)); 3578 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3579 break; 3580 #ifdef NOTYET 3581 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3582 #endif 3583 } else { 3584 /* sanity check on length */ 3585 len = sizeof (so_faddr); 3586 (void) socket_getpeername(so, 3587 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3588 } 3589 3590 add_sock_token = 1; 3591 3592 break; 3593 3594 case AF_UNIX: 3595 /* does a lookup on name */ 3596 break; 3597 3598 default: 3599 /* AF_ROUTE, AF_KEY do not support accept */ 3600 break; 3601 } 3602 3603 releasef(fd); 3604 3605 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3606 3607 if (add_sock_token == 0) { 3608 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3609 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3610 return; 3611 } 3612 3613 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3614 3615 } 3616 3617 /*ARGSUSED*/ 3618 static void 3619 aus_shutdown(struct t_audit_data *tad) 3620 { 3621 struct a { 3622 long fd; 3623 long how; 3624 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3625 3626 struct sonode *so; 3627 char so_laddr[sizeof (struct sockaddr_in6)]; 3628 char so_faddr[sizeof (struct sockaddr_in6)]; 3629 int err, fd; 3630 socklen_t len; 3631 short so_family, so_type; 3632 int add_sock_token = 0; 3633 file_t *fp; /* unix domain sockets */ 3634 struct f_audit_data *fad; /* unix domain sockets */ 3635 3636 fd = (int)uap->fd; 3637 3638 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3639 /* 3640 * not security relevant if doing a shutdown using non socket 3641 * so no extra tokens. Should probably turn off audit record 3642 * generation here. 3643 */ 3644 return; 3645 } 3646 3647 so_family = so->so_family; 3648 so_type = so->so_type; 3649 3650 switch (so_family) { 3651 case AF_INET: 3652 case AF_INET6: 3653 3654 bzero(so_laddr, sizeof (so_laddr)); 3655 bzero(so_faddr, sizeof (so_faddr)); 3656 3657 len = sizeof (so_laddr); 3658 (void) socket_getsockname(so, 3659 (struct sockaddr *)so_laddr, &len, CRED()); 3660 len = sizeof (so_faddr); 3661 (void) socket_getpeername(so, 3662 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3663 3664 add_sock_token = 1; 3665 3666 break; 3667 3668 case AF_UNIX: 3669 3670 /* get path from file struct here */ 3671 fad = F2A(fp); 3672 ASSERT(fad); 3673 3674 if (fad->fad_aupath != NULL) { 3675 au_uwrite(au_to_path(fad->fad_aupath)); 3676 } else { 3677 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3678 } 3679 3680 audit_attributes(fp->f_vnode); 3681 3682 break; 3683 3684 default: 3685 /* 3686 * AF_KEY and AF_ROUTE support shutdown. No socket token 3687 * added. 3688 */ 3689 break; 3690 } 3691 3692 releasef(fd); 3693 3694 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3695 3696 if (add_sock_token == 0) { 3697 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3698 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3699 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3700 return; 3701 } 3702 3703 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3704 3705 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3706 3707 } 3708 3709 /*ARGSUSED*/ 3710 static void 3711 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3712 { 3713 struct a { 3714 long fd; 3715 long level; 3716 long optname; 3717 long *optval; 3718 long optlen; 3719 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3720 3721 struct sonode *so; 3722 char so_laddr[sizeof (struct sockaddr_in6)]; 3723 char so_faddr[sizeof (struct sockaddr_in6)]; 3724 char val[AU_BUFSIZE]; 3725 int err, fd; 3726 socklen_t len; 3727 short so_family, so_type; 3728 int add_sock_token = 0; 3729 file_t *fp; /* unix domain sockets */ 3730 struct f_audit_data *fad; /* unix domain sockets */ 3731 3732 fd = (int)uap->fd; 3733 3734 if (error) { 3735 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3736 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3737 /* XXX may want to include other arguments */ 3738 return; 3739 } 3740 3741 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3742 /* 3743 * not security relevant if doing a setsockopt from non socket 3744 * so no extra tokens. Should probably turn off audit record 3745 * generation here. 3746 */ 3747 return; 3748 } 3749 3750 so_family = so->so_family; 3751 so_type = so->so_type; 3752 3753 switch (so_family) { 3754 case AF_INET: 3755 case AF_INET6: 3756 bzero((void *)so_laddr, sizeof (so_laddr)); 3757 bzero((void *)so_faddr, sizeof (so_faddr)); 3758 3759 /* get local and foreign addresses */ 3760 len = sizeof (so_laddr); 3761 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3762 &len, CRED()); 3763 len = sizeof (so_faddr); 3764 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3765 &len, B_FALSE, CRED()); 3766 3767 add_sock_token = 1; 3768 3769 break; 3770 3771 case AF_UNIX: 3772 3773 /* get path from file struct here */ 3774 fad = F2A(fp); 3775 ASSERT(fad); 3776 3777 if (fad->fad_aupath != NULL) { 3778 au_uwrite(au_to_path(fad->fad_aupath)); 3779 } else { 3780 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3781 } 3782 3783 audit_attributes(fp->f_vnode); 3784 3785 break; 3786 3787 default: 3788 /* 3789 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3790 * added. 3791 */ 3792 break; 3793 } 3794 3795 releasef(fd); 3796 3797 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3798 3799 if (add_sock_token == 0) { 3800 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3801 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3802 } 3803 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3804 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3805 3806 bzero(val, sizeof (val)); 3807 len = min(uap->optlen, sizeof (val)); 3808 if ((len > 0) && 3809 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3810 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3811 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3812 } 3813 3814 if (add_sock_token == 0) 3815 return; 3816 3817 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3818 3819 } 3820 3821 /*ARGSUSED*/ 3822 static void 3823 aus_sockconfig(tad) 3824 struct t_audit_data *tad; 3825 { 3826 struct a { 3827 long domain; 3828 long type; 3829 long protocol; 3830 long devpath; 3831 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3832 3833 char *kdevpath; 3834 int kdevpathlen = MAXPATHLEN + 1; 3835 size_t size; 3836 3837 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3838 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3839 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3840 3841 if (uap->devpath == 0) { 3842 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3843 } else { 3844 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3845 3846 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3847 &size)) { 3848 kmem_free(kdevpath, kdevpathlen); 3849 return; 3850 } 3851 3852 if (size > MAXPATHLEN) { 3853 kmem_free(kdevpath, kdevpathlen); 3854 return; 3855 } 3856 3857 au_uwrite(au_to_text(kdevpath)); 3858 kmem_free(kdevpath, kdevpathlen); 3859 } 3860 } 3861 3862 /* 3863 * only audit recvmsg when the system call represents the creation of a new 3864 * circuit. This effectively occurs for all UDP packets and may occur for 3865 * special TCP situations where the local host has not set a local address 3866 * in the socket structure. 3867 */ 3868 /*ARGSUSED*/ 3869 static void 3870 auf_recvmsg( 3871 struct t_audit_data *tad, 3872 int error, 3873 rval_t *rvp) 3874 { 3875 struct a { 3876 long fd; 3877 long msg; /* struct msghdr */ 3878 long flags; 3879 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3880 3881 struct sonode *so; 3882 STRUCT_DECL(msghdr, msg); 3883 caddr_t msg_name; 3884 socklen_t msg_namelen; 3885 int fd; 3886 int err; 3887 char so_laddr[sizeof (struct sockaddr_in6)]; 3888 char so_faddr[sizeof (struct sockaddr_in6)]; 3889 socklen_t len; 3890 file_t *fp; /* unix domain sockets */ 3891 struct f_audit_data *fad; /* unix domain sockets */ 3892 short so_family, so_type; 3893 int add_sock_token = 0; 3894 au_kcontext_t *kctx = GET_KCTX_PZ; 3895 3896 fd = (int)uap->fd; 3897 3898 /* bail if an error */ 3899 if (error) { 3900 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3901 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3902 return; 3903 } 3904 3905 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3906 /* 3907 * not security relevant if doing a recvmsg from non socket 3908 * so no extra tokens. Should probably turn off audit record 3909 * generation here. 3910 */ 3911 return; 3912 } 3913 3914 so_family = so->so_family; 3915 so_type = so->so_type; 3916 3917 /* 3918 * only putout SOCKET_EX token if INET/INET6 family. 3919 * XXX - what do we do about other families? 3920 */ 3921 3922 switch (so_family) { 3923 case AF_INET: 3924 case AF_INET6: 3925 3926 /* 3927 * if datagram type socket, then just use what is in 3928 * socket structure for local address. 3929 * XXX - what do we do for other types? 3930 */ 3931 if ((so->so_type == SOCK_DGRAM) || 3932 (so->so_type == SOCK_RAW)) { 3933 add_sock_token = 1; 3934 3935 bzero((void *)so_laddr, sizeof (so_laddr)); 3936 bzero((void *)so_faddr, sizeof (so_faddr)); 3937 3938 /* get local address */ 3939 len = sizeof (so_laddr); 3940 (void) socket_getsockname(so, 3941 (struct sockaddr *)so_laddr, &len, CRED()); 3942 3943 /* get peer address */ 3944 STRUCT_INIT(msg, get_udatamodel()); 3945 3946 if (copyin((caddr_t)(uap->msg), 3947 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3948 break; 3949 } 3950 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3951 if (msg_name == NULL) { 3952 break; 3953 } 3954 3955 /* length is value from recvmsg - sanity check */ 3956 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3957 if (msg_namelen == 0) { 3958 break; 3959 } 3960 if (copyin(msg_name, so_faddr, 3961 sizeof (so_faddr)) != 0) { 3962 break; 3963 } 3964 3965 } else if (so->so_type == SOCK_STREAM) { 3966 3967 /* get path from file struct here */ 3968 fad = F2A(fp); 3969 ASSERT(fad); 3970 3971 /* 3972 * already processed this file for read attempt 3973 */ 3974 if (fad->fad_flags & FAD_READ) { 3975 /* don't want to audit every recvmsg attempt */ 3976 tad->tad_flag = 0; 3977 /* free any residual audit data */ 3978 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 3979 releasef(fd); 3980 return; 3981 } 3982 /* 3983 * mark things so we know what happened and don't 3984 * repeat things 3985 */ 3986 fad->fad_flags |= FAD_READ; 3987 3988 bzero((void *)so_laddr, sizeof (so_laddr)); 3989 bzero((void *)so_faddr, sizeof (so_faddr)); 3990 3991 /* get local and foreign addresses */ 3992 len = sizeof (so_laddr); 3993 (void) socket_getsockname(so, 3994 (struct sockaddr *)so_laddr, &len, CRED()); 3995 len = sizeof (so_faddr); 3996 (void) socket_getpeername(so, 3997 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3998 3999 add_sock_token = 1; 4000 } 4001 4002 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4003 4004 break; 4005 4006 case AF_UNIX: 4007 /* 4008 * first check if this is first time through. Too much 4009 * duplicate code to put this in an aui_ routine. 4010 */ 4011 4012 /* get path from file struct here */ 4013 fad = F2A(fp); 4014 ASSERT(fad); 4015 4016 /* 4017 * already processed this file for read attempt 4018 */ 4019 if (fad->fad_flags & FAD_READ) { 4020 releasef(fd); 4021 /* don't want to audit every recvmsg attempt */ 4022 tad->tad_flag = 0; 4023 /* free any residual audit data */ 4024 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4025 return; 4026 } 4027 /* 4028 * mark things so we know what happened and don't 4029 * repeat things 4030 */ 4031 fad->fad_flags |= FAD_READ; 4032 4033 if (fad->fad_aupath != NULL) { 4034 au_uwrite(au_to_path(fad->fad_aupath)); 4035 } else { 4036 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4037 } 4038 4039 audit_attributes(fp->f_vnode); 4040 4041 releasef(fd); 4042 4043 return; 4044 4045 default: 4046 break; 4047 4048 } 4049 4050 releasef(fd); 4051 4052 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4053 4054 if (add_sock_token == 0) { 4055 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4056 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4057 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4058 return; 4059 } 4060 4061 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4062 4063 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4064 4065 } 4066 4067 /*ARGSUSED*/ 4068 static void 4069 auf_recvfrom( 4070 struct t_audit_data *tad, 4071 int error, 4072 rval_t *rvp) 4073 { 4074 4075 struct a { 4076 long fd; 4077 long msg; /* char */ 4078 long len; 4079 long flags; 4080 long from; /* struct sockaddr */ 4081 long fromlen; 4082 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4083 4084 socklen_t fromlen; 4085 struct sonode *so; 4086 char so_laddr[sizeof (struct sockaddr_in6)]; 4087 char so_faddr[sizeof (struct sockaddr_in6)]; 4088 int fd; 4089 short so_family, so_type; 4090 int add_sock_token = 0; 4091 socklen_t len; 4092 int err; 4093 struct file *fp; 4094 struct f_audit_data *fad; /* unix domain sockets */ 4095 au_kcontext_t *kctx = GET_KCTX_PZ; 4096 4097 fd = (int)uap->fd; 4098 4099 /* bail if an error */ 4100 if (error) { 4101 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4102 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4103 return; 4104 } 4105 4106 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4107 /* 4108 * not security relevant if doing a recvmsg from non socket 4109 * so no extra tokens. Should probably turn off audit record 4110 * generation here. 4111 */ 4112 return; 4113 } 4114 4115 so_family = so->so_family; 4116 so_type = so->so_type; 4117 4118 /* 4119 * only putout SOCKET_EX token if INET/INET6 family. 4120 * XXX - what do we do about other families? 4121 */ 4122 4123 switch (so_family) { 4124 case AF_INET: 4125 case AF_INET6: 4126 4127 /* 4128 * if datagram type socket, then just use what is in 4129 * socket structure for local address. 4130 * XXX - what do we do for other types? 4131 */ 4132 if ((so->so_type == SOCK_DGRAM) || 4133 (so->so_type == SOCK_RAW)) { 4134 add_sock_token = 1; 4135 4136 /* get local address */ 4137 len = sizeof (so_laddr); 4138 (void) socket_getsockname(so, 4139 (struct sockaddr *)so_laddr, &len, CRED()); 4140 4141 /* get peer address */ 4142 bzero((void *)so_faddr, sizeof (so_faddr)); 4143 4144 /* sanity check */ 4145 if (uap->from == NULL) 4146 break; 4147 4148 /* sanity checks */ 4149 if (uap->fromlen == 0) 4150 break; 4151 4152 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4153 sizeof (fromlen)) != 0) 4154 break; 4155 4156 if (fromlen == 0) 4157 break; 4158 4159 /* enforce maximum size */ 4160 if (fromlen > sizeof (so_faddr)) 4161 fromlen = sizeof (so_faddr); 4162 4163 if (copyin((caddr_t)(uap->from), so_faddr, 4164 fromlen) != 0) 4165 break; 4166 4167 } else if (so->so_type == SOCK_STREAM) { 4168 4169 /* get path from file struct here */ 4170 fad = F2A(fp); 4171 ASSERT(fad); 4172 4173 /* 4174 * already processed this file for read attempt 4175 */ 4176 if (fad->fad_flags & FAD_READ) { 4177 /* don't want to audit every recvfrom attempt */ 4178 tad->tad_flag = 0; 4179 /* free any residual audit data */ 4180 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4181 releasef(fd); 4182 return; 4183 } 4184 /* 4185 * mark things so we know what happened and don't 4186 * repeat things 4187 */ 4188 fad->fad_flags |= FAD_READ; 4189 4190 bzero((void *)so_laddr, sizeof (so_laddr)); 4191 bzero((void *)so_faddr, sizeof (so_faddr)); 4192 4193 /* get local and foreign addresses */ 4194 len = sizeof (so_laddr); 4195 (void) socket_getsockname(so, 4196 (struct sockaddr *)so_laddr, &len, CRED()); 4197 len = sizeof (so_faddr); 4198 (void) socket_getpeername(so, 4199 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4200 4201 add_sock_token = 1; 4202 } 4203 4204 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4205 4206 break; 4207 4208 case AF_UNIX: 4209 /* 4210 * first check if this is first time through. Too much 4211 * duplicate code to put this in an aui_ routine. 4212 */ 4213 4214 /* get path from file struct here */ 4215 fad = F2A(fp); 4216 ASSERT(fad); 4217 4218 /* 4219 * already processed this file for read attempt 4220 */ 4221 if (fad->fad_flags & FAD_READ) { 4222 /* don't want to audit every recvfrom attempt */ 4223 tad->tad_flag = 0; 4224 /* free any residual audit data */ 4225 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4226 releasef(fd); 4227 return; 4228 } 4229 /* 4230 * mark things so we know what happened and don't 4231 * repeat things 4232 */ 4233 fad->fad_flags |= FAD_READ; 4234 4235 if (fad->fad_aupath != NULL) { 4236 au_uwrite(au_to_path(fad->fad_aupath)); 4237 } else { 4238 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4239 } 4240 4241 audit_attributes(fp->f_vnode); 4242 4243 releasef(fd); 4244 4245 return; 4246 4247 default: 4248 break; 4249 4250 } 4251 4252 releasef(fd); 4253 4254 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4255 4256 if (add_sock_token == 0) { 4257 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4258 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4259 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4260 return; 4261 } 4262 4263 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4264 4265 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4266 } 4267 4268 /*ARGSUSED*/ 4269 static void 4270 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4271 { 4272 struct a { 4273 long fd; 4274 long msg; /* struct msghdr */ 4275 long flags; 4276 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4277 4278 struct sonode *so; 4279 char so_laddr[sizeof (struct sockaddr_in6)]; 4280 char so_faddr[sizeof (struct sockaddr_in6)]; 4281 int err; 4282 int fd; 4283 short so_family, so_type; 4284 int add_sock_token = 0; 4285 socklen_t len; 4286 struct file *fp; 4287 struct f_audit_data *fad; 4288 caddr_t msg_name; 4289 socklen_t msg_namelen; 4290 STRUCT_DECL(msghdr, msg); 4291 au_kcontext_t *kctx = GET_KCTX_PZ; 4292 4293 fd = (int)uap->fd; 4294 4295 /* bail if an error */ 4296 if (error) { 4297 /* XXX include destination address from system call arguments */ 4298 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4299 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4300 return; 4301 } 4302 4303 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4304 /* 4305 * not security relevant if doing a sendmsg from non socket 4306 * so no extra tokens. Should probably turn off audit record 4307 * generation here. 4308 */ 4309 return; 4310 } 4311 4312 so_family = so->so_family; 4313 so_type = so->so_type; 4314 4315 switch (so_family) { 4316 case AF_INET: 4317 case AF_INET6: 4318 /* 4319 * if datagram type socket, then just use what is in 4320 * socket structure for local address. 4321 * XXX - what do we do for other types? 4322 */ 4323 if ((so->so_type == SOCK_DGRAM) || 4324 (so->so_type == SOCK_RAW)) { 4325 4326 bzero((void *)so_laddr, sizeof (so_laddr)); 4327 bzero((void *)so_faddr, sizeof (so_faddr)); 4328 4329 /* get local address */ 4330 len = sizeof (so_laddr); 4331 (void) socket_getsockname(so, 4332 (struct sockaddr *)so_laddr, &len, CRED()); 4333 4334 /* get peer address */ 4335 STRUCT_INIT(msg, get_udatamodel()); 4336 4337 if (copyin((caddr_t)(uap->msg), 4338 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4339 break; 4340 } 4341 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4342 if (msg_name == NULL) 4343 break; 4344 4345 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4346 /* length is value from recvmsg - sanity check */ 4347 if (msg_namelen == 0) 4348 break; 4349 4350 if (copyin(msg_name, so_faddr, 4351 sizeof (so_faddr)) != 0) 4352 break; 4353 4354 add_sock_token = 1; 4355 4356 } else if (so->so_type == SOCK_STREAM) { 4357 4358 /* get path from file struct here */ 4359 fad = F2A(fp); 4360 ASSERT(fad); 4361 4362 /* 4363 * already processed this file for write attempt 4364 */ 4365 if (fad->fad_flags & FAD_WRITE) { 4366 releasef(fd); 4367 /* don't want to audit every sendmsg attempt */ 4368 tad->tad_flag = 0; 4369 /* free any residual audit data */ 4370 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4371 return; 4372 } 4373 4374 /* 4375 * mark things so we know what happened and don't 4376 * repeat things 4377 */ 4378 fad->fad_flags |= FAD_WRITE; 4379 4380 bzero((void *)so_laddr, sizeof (so_laddr)); 4381 bzero((void *)so_faddr, sizeof (so_faddr)); 4382 4383 /* get local and foreign addresses */ 4384 len = sizeof (so_laddr); 4385 (void) socket_getsockname(so, 4386 (struct sockaddr *)so_laddr, &len, CRED()); 4387 len = sizeof (so_faddr); 4388 (void) socket_getpeername(so, 4389 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4390 4391 add_sock_token = 1; 4392 } 4393 4394 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4395 4396 break; 4397 4398 case AF_UNIX: 4399 /* 4400 * first check if this is first time through. Too much 4401 * duplicate code to put this in an aui_ routine. 4402 */ 4403 4404 /* get path from file struct here */ 4405 fad = F2A(fp); 4406 ASSERT(fad); 4407 4408 /* 4409 * already processed this file for write attempt 4410 */ 4411 if (fad->fad_flags & FAD_WRITE) { 4412 releasef(fd); 4413 /* don't want to audit every sendmsg attempt */ 4414 tad->tad_flag = 0; 4415 /* free any residual audit data */ 4416 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4417 return; 4418 } 4419 /* 4420 * mark things so we know what happened and don't 4421 * repeat things 4422 */ 4423 fad->fad_flags |= FAD_WRITE; 4424 4425 if (fad->fad_aupath != NULL) { 4426 au_uwrite(au_to_path(fad->fad_aupath)); 4427 } else { 4428 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4429 } 4430 4431 audit_attributes(fp->f_vnode); 4432 4433 releasef(fd); 4434 4435 return; 4436 4437 default: 4438 break; 4439 } 4440 4441 releasef(fd); 4442 4443 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4444 4445 if (add_sock_token == 0) { 4446 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4447 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4448 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4449 return; 4450 } 4451 4452 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4453 4454 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4455 } 4456 4457 /*ARGSUSED*/ 4458 static void 4459 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4460 { 4461 struct a { 4462 long fd; 4463 long msg; /* char */ 4464 long len; 4465 long flags; 4466 long to; /* struct sockaddr */ 4467 long tolen; 4468 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4469 4470 struct sonode *so; 4471 char so_laddr[sizeof (struct sockaddr_in6)]; 4472 char so_faddr[sizeof (struct sockaddr_in6)]; 4473 socklen_t tolen; 4474 int err; 4475 int fd; 4476 socklen_t len; 4477 short so_family, so_type; 4478 int add_sock_token = 0; 4479 struct file *fp; 4480 struct f_audit_data *fad; 4481 au_kcontext_t *kctx = GET_KCTX_PZ; 4482 4483 fd = (int)uap->fd; 4484 4485 /* bail if an error */ 4486 if (error) { 4487 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4488 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4489 /* XXX include destination address from system call arguments */ 4490 return; 4491 } 4492 4493 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4494 /* 4495 * not security relevant if doing a sendto using non socket 4496 * so no extra tokens. Should probably turn off audit record 4497 * generation here. 4498 */ 4499 return; 4500 } 4501 4502 so_family = so->so_family; 4503 so_type = so->so_type; 4504 4505 /* 4506 * only putout SOCKET_EX token if INET/INET6 family. 4507 * XXX - what do we do about other families? 4508 */ 4509 4510 switch (so_family) { 4511 case AF_INET: 4512 case AF_INET6: 4513 4514 /* 4515 * if datagram type socket, then just use what is in 4516 * socket structure for local address. 4517 * XXX - what do we do for other types? 4518 */ 4519 if ((so->so_type == SOCK_DGRAM) || 4520 (so->so_type == SOCK_RAW)) { 4521 4522 bzero((void *)so_laddr, sizeof (so_laddr)); 4523 bzero((void *)so_faddr, sizeof (so_faddr)); 4524 4525 /* get local address */ 4526 len = sizeof (so_laddr); 4527 (void) socket_getsockname(so, 4528 (struct sockaddr *)so_laddr, &len, CRED()); 4529 4530 /* get peer address */ 4531 4532 /* sanity check */ 4533 if (uap->to == NULL) 4534 break; 4535 4536 /* sanity checks */ 4537 if (uap->tolen == 0) 4538 break; 4539 4540 tolen = (socklen_t)uap->tolen; 4541 4542 /* enforce maximum size */ 4543 if (tolen > sizeof (so_faddr)) 4544 tolen = sizeof (so_faddr); 4545 4546 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4547 break; 4548 4549 add_sock_token = 1; 4550 } else { 4551 /* 4552 * check if this is first time through. 4553 */ 4554 4555 /* get path from file struct here */ 4556 fad = F2A(fp); 4557 ASSERT(fad); 4558 4559 /* 4560 * already processed this file for write attempt 4561 */ 4562 if (fad->fad_flags & FAD_WRITE) { 4563 /* don't want to audit every sendto attempt */ 4564 tad->tad_flag = 0; 4565 /* free any residual audit data */ 4566 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4567 releasef(fd); 4568 return; 4569 } 4570 /* 4571 * mark things so we know what happened and don't 4572 * repeat things 4573 */ 4574 fad->fad_flags |= FAD_WRITE; 4575 4576 bzero((void *)so_laddr, sizeof (so_laddr)); 4577 bzero((void *)so_faddr, sizeof (so_faddr)); 4578 4579 /* get local and foreign addresses */ 4580 len = sizeof (so_laddr); 4581 (void) socket_getsockname(so, 4582 (struct sockaddr *)so_laddr, &len, CRED()); 4583 len = sizeof (so_faddr); 4584 (void) socket_getpeername(so, 4585 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4586 4587 add_sock_token = 1; 4588 } 4589 4590 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4591 4592 break; 4593 4594 case AF_UNIX: 4595 /* 4596 * first check if this is first time through. Too much 4597 * duplicate code to put this in an aui_ routine. 4598 */ 4599 4600 /* get path from file struct here */ 4601 fad = F2A(fp); 4602 ASSERT(fad); 4603 4604 /* 4605 * already processed this file for write attempt 4606 */ 4607 if (fad->fad_flags & FAD_WRITE) { 4608 /* don't want to audit every sendto attempt */ 4609 tad->tad_flag = 0; 4610 /* free any residual audit data */ 4611 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4612 releasef(fd); 4613 return; 4614 } 4615 /* 4616 * mark things so we know what happened and don't 4617 * repeat things 4618 */ 4619 fad->fad_flags |= FAD_WRITE; 4620 4621 if (fad->fad_aupath != NULL) { 4622 au_uwrite(au_to_path(fad->fad_aupath)); 4623 } else { 4624 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4625 } 4626 4627 audit_attributes(fp->f_vnode); 4628 4629 releasef(fd); 4630 4631 return; 4632 4633 default: 4634 break; 4635 4636 } 4637 4638 releasef(fd); 4639 4640 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4641 4642 if (add_sock_token == 0) { 4643 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4644 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4645 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4646 return; 4647 } 4648 4649 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4650 4651 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4652 4653 } 4654 4655 /* 4656 * XXX socket(2) may be equivalent to open(2) on a unix domain 4657 * socket. This needs investigation. 4658 */ 4659 4660 /*ARGSUSED*/ 4661 static void 4662 aus_socket(struct t_audit_data *tad) 4663 { 4664 struct a { 4665 long domain; 4666 long type; 4667 long protocol; 4668 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4669 4670 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4671 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4672 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4673 } 4674 4675 /*ARGSUSED*/ 4676 static void 4677 aus_sigqueue(struct t_audit_data *tad) 4678 { 4679 struct a { 4680 long pid; 4681 long signo; 4682 long *val; 4683 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4684 struct proc *p; 4685 uid_t uid, ruid; 4686 gid_t gid, rgid; 4687 pid_t pid; 4688 const auditinfo_addr_t *ainfo; 4689 cred_t *cr; 4690 4691 pid = (pid_t)uap->pid; 4692 4693 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4694 if (pid > 0) { 4695 mutex_enter(&pidlock); 4696 if ((p = prfind(pid)) == (struct proc *)0) { 4697 mutex_exit(&pidlock); 4698 return; 4699 } 4700 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4701 mutex_exit(&pidlock); 4702 4703 mutex_enter(&p->p_crlock); 4704 crhold(cr = p->p_cred); 4705 mutex_exit(&p->p_crlock); 4706 mutex_exit(&p->p_lock); 4707 4708 ainfo = crgetauinfo(cr); 4709 if (ainfo == NULL) { 4710 crfree(cr); 4711 return; 4712 } 4713 4714 uid = crgetuid(cr); 4715 gid = crgetgid(cr); 4716 ruid = crgetruid(cr); 4717 rgid = crgetrgid(cr); 4718 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4719 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4720 crfree(cr); 4721 } 4722 else 4723 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4724 } 4725 4726 /*ARGSUSED*/ 4727 static void 4728 aus_inst_sync(struct t_audit_data *tad) 4729 { 4730 struct a { 4731 long name; /* char */ 4732 long flags; 4733 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4734 4735 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4736 } 4737 4738 /*ARGSUSED*/ 4739 static void 4740 aus_brandsys(struct t_audit_data *tad) 4741 { 4742 klwp_t *clwp = ttolwp(curthread); 4743 4744 struct a { 4745 long cmd; 4746 long arg1; 4747 long arg2; 4748 long arg3; 4749 long arg4; 4750 long arg5; 4751 long arg6; 4752 } *uap = (struct a *)clwp->lwp_ap; 4753 4754 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4755 #ifdef _LP64 4756 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4757 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4758 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4759 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4760 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4761 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4762 #else 4763 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4764 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4765 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4766 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4767 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4768 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4769 #endif 4770 } 4771 4772 /*ARGSUSED*/ 4773 static void 4774 aus_p_online(struct t_audit_data *tad) 4775 { 4776 struct a { 4777 long processor_id; 4778 long flag; 4779 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4780 4781 struct flags { 4782 int flag; 4783 char *cflag; 4784 } aflags[6] = { 4785 { P_ONLINE, "P_ONLINE"}, 4786 { P_OFFLINE, "P_OFFLINE"}, 4787 { P_NOINTR, "P_NOINTR"}, 4788 { P_SPARE, "P_SPARE"}, 4789 { P_FAULTED, "P_FAULTED"}, 4790 { P_STATUS, "P_STATUS"} 4791 }; 4792 int i; 4793 char *cflag; 4794 4795 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4796 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4797 4798 for (i = 0; i < 6; i++) { 4799 if (aflags[i].flag == uap->flag) 4800 break; 4801 } 4802 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4803 4804 au_uwrite(au_to_text(cflag)); 4805 } 4806 4807 /*ARGSUSED*/ 4808 static void 4809 aus_processor_bind(struct t_audit_data *tad) 4810 { 4811 struct a { 4812 long id_type; 4813 long id; 4814 long processor_id; 4815 long obind; 4816 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4817 4818 struct proc *p; 4819 int lwpcnt; 4820 uid_t uid, ruid; 4821 gid_t gid, rgid; 4822 pid_t pid; 4823 const auditinfo_addr_t *ainfo; 4824 cred_t *cr; 4825 4826 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4827 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4828 if (uap->processor_id == PBIND_NONE) 4829 au_uwrite(au_to_text("PBIND_NONE")); 4830 else 4831 au_uwrite(au_to_arg32(3, "processor_id", 4832 (uint32_t)uap->processor_id)); 4833 4834 switch (uap->id_type) { 4835 case P_MYID: 4836 case P_LWPID: 4837 mutex_enter(&pidlock); 4838 p = ttoproc(curthread); 4839 if (p == NULL || p->p_as == &kas) { 4840 mutex_exit(&pidlock); 4841 return; 4842 } 4843 mutex_enter(&p->p_lock); 4844 mutex_exit(&pidlock); 4845 lwpcnt = p->p_lwpcnt; 4846 pid = p->p_pid; 4847 4848 mutex_enter(&p->p_crlock); 4849 crhold(cr = p->p_cred); 4850 mutex_exit(&p->p_crlock); 4851 mutex_exit(&p->p_lock); 4852 4853 ainfo = crgetauinfo(cr); 4854 if (ainfo == NULL) { 4855 crfree(cr); 4856 return; 4857 } 4858 4859 uid = crgetuid(cr); 4860 gid = crgetgid(cr); 4861 ruid = crgetruid(cr); 4862 rgid = crgetrgid(cr); 4863 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4864 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4865 crfree(cr); 4866 break; 4867 case P_PID: 4868 mutex_enter(&pidlock); 4869 p = prfind(uap->id); 4870 if (p == NULL || p->p_as == &kas) { 4871 mutex_exit(&pidlock); 4872 return; 4873 } 4874 mutex_enter(&p->p_lock); 4875 mutex_exit(&pidlock); 4876 lwpcnt = p->p_lwpcnt; 4877 pid = p->p_pid; 4878 4879 mutex_enter(&p->p_crlock); 4880 crhold(cr = p->p_cred); 4881 mutex_exit(&p->p_crlock); 4882 mutex_exit(&p->p_lock); 4883 4884 ainfo = crgetauinfo(cr); 4885 if (ainfo == NULL) { 4886 crfree(cr); 4887 return; 4888 } 4889 4890 uid = crgetuid(cr); 4891 gid = crgetgid(cr); 4892 ruid = crgetruid(cr); 4893 rgid = crgetrgid(cr); 4894 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4895 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4896 crfree(cr); 4897 4898 break; 4899 default: 4900 return; 4901 } 4902 4903 if (uap->processor_id == PBIND_NONE && 4904 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4905 au_uwrite(au_to_text("PBIND_NONE for process")); 4906 else 4907 au_uwrite(au_to_arg32(3, "processor_id", 4908 (uint32_t)uap->processor_id)); 4909 } 4910 4911 /*ARGSUSED*/ 4912 static au_event_t 4913 aui_doorfs(au_event_t e) 4914 { 4915 uint32_t code; 4916 4917 struct a { /* doorfs */ 4918 long a1; 4919 long a2; 4920 long a3; 4921 long a4; 4922 long a5; 4923 long code; 4924 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4925 4926 /* 4927 * audit formats for several of the 4928 * door calls have not yet been determined 4929 */ 4930 code = (uint32_t)uap->code; 4931 switch (code) { 4932 case DOOR_CALL: 4933 e = AUE_DOORFS_DOOR_CALL; 4934 break; 4935 case DOOR_RETURN: 4936 e = AUE_NULL; 4937 break; 4938 case DOOR_CREATE: 4939 e = AUE_DOORFS_DOOR_CREATE; 4940 break; 4941 case DOOR_REVOKE: 4942 e = AUE_DOORFS_DOOR_REVOKE; 4943 break; 4944 case DOOR_INFO: 4945 e = AUE_NULL; 4946 break; 4947 case DOOR_UCRED: 4948 e = AUE_NULL; 4949 break; 4950 case DOOR_BIND: 4951 e = AUE_NULL; 4952 break; 4953 case DOOR_UNBIND: 4954 e = AUE_NULL; 4955 break; 4956 case DOOR_GETPARAM: 4957 e = AUE_NULL; 4958 break; 4959 case DOOR_SETPARAM: 4960 e = AUE_NULL; 4961 break; 4962 default: /* illegal system call */ 4963 e = AUE_NULL; 4964 break; 4965 } 4966 4967 return (e); 4968 } 4969 4970 static door_node_t * 4971 au_door_lookup(int did) 4972 { 4973 vnode_t *vp; 4974 file_t *fp; 4975 4976 if ((fp = getf(did)) == NULL) 4977 return (NULL); 4978 /* 4979 * Use the underlying vnode (we may be namefs mounted) 4980 */ 4981 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 4982 vp = fp->f_vnode; 4983 4984 if (vp == NULL || vp->v_type != VDOOR) { 4985 releasef(did); 4986 return (NULL); 4987 } 4988 4989 return (VTOD(vp)); 4990 } 4991 4992 /*ARGSUSED*/ 4993 static void 4994 aus_doorfs(struct t_audit_data *tad) 4995 { 4996 4997 struct a { /* doorfs */ 4998 long a1; 4999 long a2; 5000 long a3; 5001 long a4; 5002 long a5; 5003 long code; 5004 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5005 5006 door_node_t *dp; 5007 struct proc *p; 5008 uint32_t did; 5009 uid_t uid, ruid; 5010 gid_t gid, rgid; 5011 pid_t pid; 5012 const auditinfo_addr_t *ainfo; 5013 cred_t *cr; 5014 5015 did = (uint32_t)uap->a1; 5016 5017 switch (tad->tad_event) { 5018 case AUE_DOORFS_DOOR_CALL: 5019 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5020 if ((dp = au_door_lookup(did)) == NULL) 5021 break; 5022 5023 if (DOOR_INVALID(dp)) { 5024 releasef(did); 5025 break; 5026 } 5027 5028 if ((p = dp->door_target) == NULL) { 5029 releasef(did); 5030 break; 5031 } 5032 mutex_enter(&p->p_lock); 5033 releasef(did); 5034 5035 pid = p->p_pid; 5036 5037 mutex_enter(&p->p_crlock); 5038 crhold(cr = p->p_cred); 5039 mutex_exit(&p->p_crlock); 5040 mutex_exit(&p->p_lock); 5041 5042 ainfo = crgetauinfo(cr); 5043 if (ainfo == NULL) { 5044 crfree(cr); 5045 return; 5046 } 5047 uid = crgetuid(cr); 5048 gid = crgetgid(cr); 5049 ruid = crgetruid(cr); 5050 rgid = crgetrgid(cr); 5051 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5052 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5053 crfree(cr); 5054 break; 5055 case AUE_DOORFS_DOOR_RETURN: 5056 /* 5057 * We may want to write information about 5058 * all doors (if any) which will be copied 5059 * by this call to the user space 5060 */ 5061 break; 5062 case AUE_DOORFS_DOOR_CREATE: 5063 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5064 break; 5065 case AUE_DOORFS_DOOR_REVOKE: 5066 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5067 break; 5068 case AUE_DOORFS_DOOR_INFO: 5069 break; 5070 case AUE_DOORFS_DOOR_CRED: 5071 break; 5072 case AUE_DOORFS_DOOR_BIND: 5073 break; 5074 case AUE_DOORFS_DOOR_UNBIND: { 5075 break; 5076 } 5077 default: /* illegal system call */ 5078 break; 5079 } 5080 } 5081 5082 /*ARGSUSED*/ 5083 static au_event_t 5084 aui_acl(au_event_t e) 5085 { 5086 struct a { 5087 union { 5088 long name; /* char */ 5089 long fd; 5090 } obj; 5091 5092 long cmd; 5093 long nentries; 5094 long arg; /* aclent_t */ 5095 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5096 5097 switch (uap->cmd) { 5098 case SETACL: 5099 case ACE_SETACL: 5100 /* 5101 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5102 * are expected. 5103 */ 5104 break; 5105 case GETACL: 5106 case GETACLCNT: 5107 case ACE_GETACL: 5108 case ACE_GETACLCNT: 5109 /* do nothing for these four values. */ 5110 e = AUE_NULL; 5111 break; 5112 default: 5113 /* illegal system call */ 5114 break; 5115 } 5116 5117 return (e); 5118 } 5119 5120 static void 5121 au_acl(int cmd, int nentries, caddr_t bufp) 5122 { 5123 size_t a_size; 5124 aclent_t *aclbufp; 5125 ace_t *acebufp; 5126 int i; 5127 5128 switch (cmd) { 5129 case GETACL: 5130 case GETACLCNT: 5131 break; 5132 case SETACL: 5133 if (nentries < 3) 5134 break; 5135 5136 a_size = nentries * sizeof (aclent_t); 5137 5138 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5139 break; 5140 if (copyin(bufp, aclbufp, a_size)) { 5141 kmem_free(aclbufp, a_size); 5142 break; 5143 } 5144 for (i = 0; i < nentries; i++) { 5145 au_uwrite(au_to_acl(aclbufp + i)); 5146 } 5147 kmem_free(aclbufp, a_size); 5148 break; 5149 5150 case ACE_SETACL: 5151 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5152 break; 5153 5154 a_size = nentries * sizeof (ace_t); 5155 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5156 break; 5157 if (copyin(bufp, acebufp, a_size)) { 5158 kmem_free(acebufp, a_size); 5159 break; 5160 } 5161 for (i = 0; i < nentries; i++) { 5162 au_uwrite(au_to_ace(acebufp + i)); 5163 } 5164 kmem_free(acebufp, a_size); 5165 break; 5166 default: 5167 break; 5168 } 5169 } 5170 5171 /*ARGSUSED*/ 5172 static void 5173 aus_acl(struct t_audit_data *tad) 5174 { 5175 struct a { 5176 long fname; 5177 long cmd; 5178 long nentries; 5179 long aclbufp; 5180 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5181 5182 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5183 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5184 5185 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5186 } 5187 5188 /*ARGSUSED*/ 5189 static void 5190 aus_facl(struct t_audit_data *tad) 5191 { 5192 struct a { 5193 long fd; 5194 long cmd; 5195 long nentries; 5196 long aclbufp; 5197 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5198 struct file *fp; 5199 struct vnode *vp; 5200 struct f_audit_data *fad; 5201 int fd; 5202 5203 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5204 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5205 5206 fd = (int)uap->fd; 5207 5208 if ((fp = getf(fd)) == NULL) 5209 return; 5210 5211 /* get path from file struct here */ 5212 fad = F2A(fp); 5213 if (fad->fad_aupath != NULL) { 5214 au_uwrite(au_to_path(fad->fad_aupath)); 5215 } else { 5216 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5217 } 5218 5219 vp = fp->f_vnode; 5220 audit_attributes(vp); 5221 5222 /* decrement file descriptor reference count */ 5223 releasef(fd); 5224 5225 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5226 } 5227 5228 /*ARGSUSED*/ 5229 static void 5230 auf_read(tad, error, rval) 5231 struct t_audit_data *tad; 5232 int error; 5233 rval_t *rval; 5234 { 5235 struct file *fp; 5236 struct f_audit_data *fad; 5237 int fd; 5238 register struct a { 5239 long fd; 5240 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5241 au_kcontext_t *kctx = GET_KCTX_PZ; 5242 5243 fd = (int)uap->fd; 5244 5245 /* 5246 * convert file pointer to file descriptor 5247 * Note: fd ref count incremented here. 5248 */ 5249 if ((fp = getf(fd)) == NULL) 5250 return; 5251 5252 /* get path from file struct here */ 5253 fad = F2A(fp); 5254 ASSERT(fad); 5255 5256 /* 5257 * already processed this file for read attempt 5258 * 5259 * XXX might be better to turn off auditing in a aui_read() routine. 5260 */ 5261 if (fad->fad_flags & FAD_READ) { 5262 /* don't really want to audit every read attempt */ 5263 tad->tad_flag = 0; 5264 /* free any residual audit data */ 5265 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5266 releasef(fd); 5267 return; 5268 } 5269 /* mark things so we know what happened and don't repeat things */ 5270 fad->fad_flags |= FAD_READ; 5271 5272 if (fad->fad_aupath != NULL) { 5273 au_uwrite(au_to_path(fad->fad_aupath)); 5274 } else { 5275 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5276 } 5277 5278 /* include attributes */ 5279 audit_attributes(fp->f_vnode); 5280 5281 /* decrement file descriptor reference count */ 5282 releasef(fd); 5283 } 5284 5285 /*ARGSUSED*/ 5286 static void 5287 auf_write(tad, error, rval) 5288 struct t_audit_data *tad; 5289 int error; 5290 rval_t *rval; 5291 { 5292 struct file *fp; 5293 struct f_audit_data *fad; 5294 int fd; 5295 register struct a { 5296 long fd; 5297 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5298 au_kcontext_t *kctx = GET_KCTX_PZ; 5299 5300 fd = (int)uap->fd; 5301 5302 /* 5303 * convert file pointer to file descriptor 5304 * Note: fd ref count incremented here. 5305 */ 5306 if ((fp = getf(fd)) == NULL) 5307 return; 5308 5309 /* get path from file struct here */ 5310 fad = F2A(fp); 5311 ASSERT(fad); 5312 5313 /* 5314 * already processed this file for write attempt 5315 * 5316 * XXX might be better to turn off auditing in a aus_write() routine. 5317 */ 5318 if (fad->fad_flags & FAD_WRITE) { 5319 /* don't really want to audit every write attempt */ 5320 tad->tad_flag = 0; 5321 /* free any residual audit data */ 5322 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5323 releasef(fd); 5324 return; 5325 } 5326 /* mark things so we know what happened and don't repeat things */ 5327 fad->fad_flags |= FAD_WRITE; 5328 5329 if (fad->fad_aupath != NULL) { 5330 au_uwrite(au_to_path(fad->fad_aupath)); 5331 } else { 5332 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5333 } 5334 5335 /* include attributes */ 5336 audit_attributes(fp->f_vnode); 5337 5338 /* decrement file descriptor reference count */ 5339 releasef(fd); 5340 } 5341 5342 /*ARGSUSED*/ 5343 static void 5344 auf_recv(tad, error, rval) 5345 struct t_audit_data *tad; 5346 int error; 5347 rval_t *rval; 5348 { 5349 struct sonode *so; 5350 char so_laddr[sizeof (struct sockaddr_in6)]; 5351 char so_faddr[sizeof (struct sockaddr_in6)]; 5352 struct file *fp; 5353 struct f_audit_data *fad; 5354 int fd; 5355 int err; 5356 socklen_t len; 5357 short so_family, so_type; 5358 register struct a { 5359 long fd; 5360 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5361 au_kcontext_t *kctx = GET_KCTX_PZ; 5362 5363 /* 5364 * If there was an error, then nothing to do. Only generate 5365 * audit record on first successful recv. 5366 */ 5367 if (error) { 5368 /* Turn off audit record generation here. */ 5369 tad->tad_flag = 0; 5370 /* free any residual audit data */ 5371 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5372 return; 5373 } 5374 5375 fd = (int)uap->fd; 5376 5377 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5378 /* Turn off audit record generation here. */ 5379 tad->tad_flag = 0; 5380 /* free any residual audit data */ 5381 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5382 return; 5383 } 5384 5385 /* get path from file struct here */ 5386 fad = F2A(fp); 5387 ASSERT(fad); 5388 5389 /* 5390 * already processed this file for read attempt 5391 */ 5392 if (fad->fad_flags & FAD_READ) { 5393 releasef(fd); 5394 /* don't really want to audit every recv call */ 5395 tad->tad_flag = 0; 5396 /* free any residual audit data */ 5397 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5398 return; 5399 } 5400 5401 /* mark things so we know what happened and don't repeat things */ 5402 fad->fad_flags |= FAD_READ; 5403 5404 so_family = so->so_family; 5405 so_type = so->so_type; 5406 5407 switch (so_family) { 5408 case AF_INET: 5409 case AF_INET6: 5410 /* 5411 * Only for connections. 5412 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5413 */ 5414 if (so->so_state & SS_ISBOUND) { 5415 5416 bzero((void *)so_laddr, sizeof (so_laddr)); 5417 bzero((void *)so_faddr, sizeof (so_faddr)); 5418 5419 /* get local and foreign addresses */ 5420 len = sizeof (so_laddr); 5421 (void) socket_getsockname(so, 5422 (struct sockaddr *)so_laddr, &len, CRED()); 5423 len = sizeof (so_faddr); 5424 (void) socket_getpeername(so, 5425 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5426 5427 /* 5428 * only way to drop out of switch. Note that we 5429 * we release fd below. 5430 */ 5431 5432 break; 5433 } 5434 5435 releasef(fd); 5436 5437 /* don't really want to audit every recv call */ 5438 tad->tad_flag = 0; 5439 /* free any residual audit data */ 5440 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5441 5442 return; 5443 5444 case AF_UNIX: 5445 5446 if (fad->fad_aupath != NULL) { 5447 au_uwrite(au_to_path(fad->fad_aupath)); 5448 } else { 5449 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5450 } 5451 5452 audit_attributes(fp->f_vnode); 5453 5454 releasef(fd); 5455 5456 return; 5457 5458 default: 5459 releasef(fd); 5460 5461 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5462 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5463 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5464 5465 return; 5466 } 5467 5468 releasef(fd); 5469 5470 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5471 5472 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5473 5474 } 5475 5476 /*ARGSUSED*/ 5477 static void 5478 auf_send(tad, error, rval) 5479 struct t_audit_data *tad; 5480 int error; 5481 rval_t *rval; 5482 { 5483 struct sonode *so; 5484 char so_laddr[sizeof (struct sockaddr_in6)]; 5485 char so_faddr[sizeof (struct sockaddr_in6)]; 5486 struct file *fp; 5487 struct f_audit_data *fad; 5488 int fd; 5489 int err; 5490 socklen_t len; 5491 short so_family, so_type; 5492 register struct a { 5493 long fd; 5494 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5495 au_kcontext_t *kctx = GET_KCTX_PZ; 5496 5497 fd = (int)uap->fd; 5498 5499 /* 5500 * If there was an error, then nothing to do. Only generate 5501 * audit record on first successful send. 5502 */ 5503 if (error != 0) { 5504 /* Turn off audit record generation here. */ 5505 tad->tad_flag = 0; 5506 /* free any residual audit data */ 5507 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5508 return; 5509 } 5510 5511 fd = (int)uap->fd; 5512 5513 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5514 /* Turn off audit record generation here. */ 5515 tad->tad_flag = 0; 5516 /* free any residual audit data */ 5517 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5518 return; 5519 } 5520 5521 /* get path from file struct here */ 5522 fad = F2A(fp); 5523 ASSERT(fad); 5524 5525 /* 5526 * already processed this file for write attempt 5527 */ 5528 if (fad->fad_flags & FAD_WRITE) { 5529 releasef(fd); 5530 /* don't really want to audit every send call */ 5531 tad->tad_flag = 0; 5532 /* free any residual audit data */ 5533 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5534 return; 5535 } 5536 5537 /* mark things so we know what happened and don't repeat things */ 5538 fad->fad_flags |= FAD_WRITE; 5539 5540 so_family = so->so_family; 5541 so_type = so->so_type; 5542 5543 switch (so_family) { 5544 case AF_INET: 5545 case AF_INET6: 5546 /* 5547 * Only for connections. 5548 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5549 */ 5550 if (so->so_state & SS_ISBOUND) { 5551 5552 bzero((void *)so_laddr, sizeof (so_laddr)); 5553 bzero((void *)so_faddr, sizeof (so_faddr)); 5554 5555 /* get local and foreign addresses */ 5556 len = sizeof (so_laddr); 5557 (void) socket_getsockname(so, 5558 (struct sockaddr *)so_laddr, &len, CRED()); 5559 len = sizeof (so_faddr); 5560 (void) socket_getpeername(so, 5561 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5562 5563 /* 5564 * only way to drop out of switch. Note that we 5565 * we release fd below. 5566 */ 5567 5568 break; 5569 } 5570 5571 releasef(fd); 5572 /* don't really want to audit every send call */ 5573 tad->tad_flag = 0; 5574 /* free any residual audit data */ 5575 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5576 5577 return; 5578 5579 case AF_UNIX: 5580 5581 if (fad->fad_aupath != NULL) { 5582 au_uwrite(au_to_path(fad->fad_aupath)); 5583 } else { 5584 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5585 } 5586 5587 audit_attributes(fp->f_vnode); 5588 5589 releasef(fd); 5590 5591 return; 5592 5593 default: 5594 releasef(fd); 5595 5596 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5597 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5598 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5599 5600 return; 5601 } 5602 5603 releasef(fd); 5604 5605 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5606 5607 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5608 } 5609 5610 static au_event_t 5611 aui_forksys(au_event_t e) 5612 { 5613 struct a { 5614 long subcode; 5615 long flags; 5616 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5617 5618 switch ((uint_t)uap->subcode) { 5619 case 0: 5620 e = AUE_FORK1; 5621 break; 5622 case 1: 5623 e = AUE_FORKALL; 5624 break; 5625 case 2: 5626 e = AUE_VFORK; 5627 break; 5628 default: 5629 e = AUE_NULL; 5630 break; 5631 } 5632 5633 return (e); 5634 } 5635 5636 /*ARGSUSED*/ 5637 static au_event_t 5638 aui_portfs(au_event_t e) 5639 { 5640 struct a { /* portfs */ 5641 long a1; 5642 long a2; 5643 long a3; 5644 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5645 5646 /* 5647 * check opcode 5648 */ 5649 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5650 case PORT_ASSOCIATE: 5651 /* check source */ 5652 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5653 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5654 e = AUE_PORTFS_ASSOCIATE; 5655 } else { 5656 e = AUE_NULL; 5657 } 5658 break; 5659 case PORT_DISSOCIATE: 5660 /* check source */ 5661 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5662 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5663 e = AUE_PORTFS_DISSOCIATE; 5664 } else { 5665 e = AUE_NULL; 5666 } 5667 break; 5668 default: 5669 e = AUE_NULL; 5670 } 5671 return (e); 5672 } 5673