1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 #include <sys/port_impl.h> 78 79 80 int au_naevent; 81 char _depends_on[] = "fs/sockfs"; 82 83 static au_event_t aui_open(au_event_t); 84 static au_event_t aui_fsat(au_event_t); 85 static au_event_t aui_msgsys(au_event_t); 86 static au_event_t aui_shmsys(au_event_t); 87 static au_event_t aui_semsys(au_event_t); 88 static au_event_t aui_utssys(au_event_t); 89 static au_event_t aui_fcntl(au_event_t); 90 static au_event_t aui_execv(au_event_t); 91 static au_event_t aui_execve(au_event_t); 92 static au_event_t aui_memcntl(au_event_t); 93 static au_event_t aui_sysinfo(au_event_t); 94 static au_event_t aui_portfs(au_event_t); 95 static au_event_t aui_auditsys(au_event_t); 96 static au_event_t aui_modctl(au_event_t); 97 static au_event_t aui_acl(au_event_t); 98 static au_event_t aui_doorfs(au_event_t); 99 static au_event_t aui_privsys(au_event_t); 100 static au_event_t aui_forksys(au_event_t); 101 static au_event_t aui_labelsys(au_event_t); 102 103 static void aus_open(struct t_audit_data *); 104 static void aus_acl(struct t_audit_data *); 105 static void aus_acct(struct t_audit_data *); 106 static void aus_chown(struct t_audit_data *); 107 static void aus_fchown(struct t_audit_data *); 108 static void aus_lchown(struct t_audit_data *); 109 static void aus_chmod(struct t_audit_data *); 110 static void aus_facl(struct t_audit_data *); 111 static void aus_fchmod(struct t_audit_data *); 112 static void aus_fcntl(struct t_audit_data *); 113 static void aus_fsat(struct t_audit_data *); 114 static void aus_mkdir(struct t_audit_data *); 115 static void aus_mknod(struct t_audit_data *); 116 static void aus_mount(struct t_audit_data *); 117 static void aus_umount(struct t_audit_data *); 118 static void aus_umount2(struct t_audit_data *); 119 static void aus_msgsys(struct t_audit_data *); 120 static void aus_semsys(struct t_audit_data *); 121 static void aus_close(struct t_audit_data *); 122 static void aus_fstatfs(struct t_audit_data *); 123 static void aus_setgid(struct t_audit_data *); 124 static void aus_setuid(struct t_audit_data *); 125 static void aus_shmsys(struct t_audit_data *); 126 static void aus_doorfs(struct t_audit_data *); 127 static void aus_ioctl(struct t_audit_data *); 128 static void aus_memcntl(struct t_audit_data *); 129 static void aus_mmap(struct t_audit_data *); 130 static void aus_munmap(struct t_audit_data *); 131 static void aus_priocntlsys(struct t_audit_data *); 132 static void aus_setegid(struct t_audit_data *); 133 static void aus_setgroups(struct t_audit_data *); 134 static void aus_seteuid(struct t_audit_data *); 135 static void aus_putmsg(struct t_audit_data *); 136 static void aus_putpmsg(struct t_audit_data *); 137 static void aus_getmsg(struct t_audit_data *); 138 static void aus_getpmsg(struct t_audit_data *); 139 static void aus_auditsys(struct t_audit_data *); 140 static void aus_sysinfo(struct t_audit_data *); 141 static void aus_modctl(struct t_audit_data *); 142 static void aus_kill(struct t_audit_data *); 143 static void aus_xmknod(struct t_audit_data *); 144 static void aus_setregid(struct t_audit_data *); 145 static void aus_setreuid(struct t_audit_data *); 146 static void aus_labelsys(struct t_audit_data *); 147 148 static void auf_mknod(struct t_audit_data *, int, rval_t *); 149 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 150 static void auf_semsys(struct t_audit_data *, int, rval_t *); 151 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 152 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 153 static void auf_read(struct t_audit_data *, int, rval_t *); 154 static void auf_write(struct t_audit_data *, int, rval_t *); 155 156 static void aus_sigqueue(struct t_audit_data *); 157 static void aus_p_online(struct t_audit_data *); 158 static void aus_processor_bind(struct t_audit_data *); 159 static void aus_inst_sync(struct t_audit_data *); 160 static void aus_brandsys(struct t_audit_data *); 161 162 static void auf_accept(struct t_audit_data *, int, rval_t *); 163 164 static void auf_bind(struct t_audit_data *, int, rval_t *); 165 static void auf_connect(struct t_audit_data *, int, rval_t *); 166 static void aus_shutdown(struct t_audit_data *); 167 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 168 static void aus_sockconfig(struct t_audit_data *); 169 static void auf_recv(struct t_audit_data *, int, rval_t *); 170 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 171 static void auf_send(struct t_audit_data *, int, rval_t *); 172 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 173 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 174 static void auf_sendto(struct t_audit_data *, int, rval_t *); 175 static void aus_socket(struct t_audit_data *); 176 /* 177 * This table contains mapping information for converting system call numbers 178 * to audit event IDs. In several cases it is necessary to map a single system 179 * call to several events. 180 */ 181 182 #define aui_null NULL /* NULL initialize function */ 183 #define aus_null NULL /* NULL start function */ 184 #define auf_null NULL /* NULL finish function */ 185 186 struct audit_s2e audit_s2e[] = 187 { 188 /* 189 * ---------- ---------- ---------- ---------- 190 * INITIAL AUDIT START SYSTEM 191 * PROCESSING EVENT PROCESSING CALL 192 * ---------- ---------- ---------- ----------- 193 * FINISH EVENT 194 * PROCESSING CONTROL 195 * ---------------------------------------------------------- 196 */ 197 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 198 auf_null, 0, 199 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 200 auf_null, S2E_NPT, 201 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 202 auf_null, 0, 203 aui_null, AUE_READ, aus_null, /* 3 read */ 204 auf_read, S2E_PUB, 205 aui_null, AUE_WRITE, aus_null, /* 4 write */ 206 auf_write, 0, 207 aui_open, AUE_OPEN, aus_open, /* 5 open */ 208 auf_null, S2E_SP, 209 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 210 auf_null, 0, 211 aui_null, AUE_NULL, aus_null, /* 7 wait */ 212 auf_null, 0, 213 aui_null, AUE_CREAT, aus_null, /* 8 create */ 214 auf_null, S2E_SP, 215 aui_null, AUE_LINK, aus_null, /* 9 link */ 216 auf_null, 0, 217 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 218 auf_null, 0, 219 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 220 auf_null, S2E_MLD, 221 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 222 auf_null, S2E_SP, 223 aui_null, AUE_NULL, aus_null, /* 13 time */ 224 auf_null, 0, 225 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 226 auf_mknod, 0, 227 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 228 auf_null, 0, 229 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 230 auf_null, 0, 231 aui_null, AUE_NULL, aus_null, /* 17 brk */ 232 auf_null, 0, 233 aui_null, AUE_STAT, aus_null, /* 18 stat */ 234 auf_null, S2E_PUB, 235 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 236 auf_null, 0, 237 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 238 auf_null, 0, 239 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 240 auf_null, S2E_MLD, 241 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 242 auf_null, 0, 243 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 244 auf_null, 0, 245 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 246 auf_null, 0, 247 aui_null, AUE_STIME, aus_null, /* 25 stime */ 248 auf_null, 0, 249 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 29 pause */ 256 auf_null, 0, 257 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 262 auf_null, 0, 263 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 264 auf_null, S2E_PUB, 265 aui_null, AUE_NICE, aus_null, /* 34 nice */ 266 auf_null, 0, 267 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 268 auf_null, S2E_PUB, 269 aui_null, AUE_NULL, aus_null, /* 36 sync */ 270 auf_null, 0, 271 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 272 auf_null, 0, 273 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 274 auf_null, S2E_PUB, 275 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 276 auf_null, 0, 277 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 278 auf_null, 0, 279 aui_null, AUE_NULL, aus_null, /* 41 dup */ 280 auf_null, 0, 281 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 282 auf_null, 0, 283 aui_null, AUE_NULL, aus_null, /* 43 times */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 44 profil */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 288 /* was proc lock */ 289 auf_null, 0, 290 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 291 auf_null, 0, 292 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 293 auf_null, 0, 294 aui_null, AUE_NULL, aus_null, /* 48 sig */ 295 auf_null, 0, 296 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 297 auf_msgsys, 0, 298 #if defined(__x86) 299 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 300 auf_null, 0, 301 #else 302 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 303 auf_null, 0, 304 #endif /* __x86 */ 305 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 306 auf_null, 0, 307 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 308 auf_shmsys, 0, 309 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 310 auf_semsys, 0, 311 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 312 auf_null, 0, 313 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 314 auf_null, 0, 315 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 316 auf_null, 0, 317 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 318 auf_null, 0, 319 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 320 auf_null, 0, 321 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 322 auf_null, S2E_MLD, 323 aui_null, AUE_NULL, aus_null, /* 60 umask */ 324 auf_null, 0, 325 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 326 auf_null, S2E_SP, 327 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 328 auf_null, 0, 329 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 330 auf_null, 0, 331 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 332 auf_null, 0, 333 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 334 auf_null, 0, 335 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 336 auf_null, 0, 337 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 338 /* file locking call */ 339 auf_null, 0, 340 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 341 /* local system calls */ 342 auf_null, 0, 343 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 344 auf_null, 0, 345 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 346 auf_null, 0, 347 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 348 auf_null, 0, 349 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 350 auf_null, 0, 351 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 352 auf_null, 0, 353 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 354 auf_null, 0, 355 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 356 /* was sigret (SunOS) */ 357 auf_null, 0, 358 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 363 auf_null, 0, 364 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 365 auf_null, 0, 366 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 367 auf_null, 0, 368 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 369 auf_null, 0, 370 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 371 /* was libattach */ 372 auf_null, 0, 373 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 374 /* was libdetach */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 377 auf_null, 0, 378 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 379 auf_null, 0, 380 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 381 auf_null, 0, 382 aui_null, AUE_NULL, aus_null, /* 87 poll */ 383 auf_null, 0, 384 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 385 auf_null, S2E_PUB, 386 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 387 auf_null, 0, 388 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 389 auf_null, S2E_PUB, 390 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 391 auf_null, 0, 392 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 393 auf_null, 0, 394 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 395 auf_null, 0, 396 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 411 auf_null, 0, 412 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 413 /* was evtrapret */ 414 auf_null, 0, 415 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 416 auf_null, S2E_PUB, 417 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 418 auf_null, 0, 419 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 420 auf_null, 0, 421 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 422 auf_null, 0, 423 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 424 auf_null, 0, 425 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 426 auf_null, 0, 427 #if defined(__x86) 428 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 429 auf_null, 0, 430 #else 431 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 432 auf_null, 0, 433 #endif /* __x86 */ 434 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 435 auf_null, 0, 436 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 437 auf_null, 0, 438 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 439 auf_null, 0, /* 112 priocntlsys */ 440 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 441 auf_null, S2E_PUB, 442 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 443 auf_null, 0, 444 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 445 auf_null, 0, 446 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 447 auf_null, 0, 448 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 449 auf_null, 0, 450 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 451 auf_null, 0, 452 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 453 auf_null, 0, 454 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 455 auf_null, 0, 456 aui_null, AUE_READ, aus_null, /* 121 readv */ 457 auf_read, S2E_PUB, 458 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 459 auf_write, 0, 460 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 461 auf_null, S2E_PUB, 462 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 463 auf_null, S2E_PUB, 464 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 465 auf_null, 0, 466 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 467 auf_xmknod, 0, 468 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 469 auf_null, 0, 470 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 471 auf_null, 0, 472 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 473 auf_null, 0, 474 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 475 auf_null, 0, 476 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 477 auf_null, 0, 478 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 479 auf_null, 0, 480 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 481 auf_null, 0, 482 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 483 auf_null, 0, 484 aui_null, AUE_NULL, aus_null, /* 135 uname */ 485 auf_null, 0, 486 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 487 auf_null, 0, 488 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 489 auf_null, 0, 490 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 491 auf_null, 0, 492 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 493 auf_null, 0, 494 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 495 auf_null, 0, 496 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 497 auf_null, 0, 498 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 499 auf_null, 0, 500 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 501 auf_null, 0, 502 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 503 auf_null, 0, 504 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 146 yield */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 515 auf_null, 0, 516 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 517 auf_null, 0, 518 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 519 auf_null, 0, 520 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 521 auf_null, 0, 522 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 545 /* was lwp_setprivate */ 546 auf_null, 0, 547 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 548 /* was lwp_getprivate */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 555 auf_null, 0, 556 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 557 auf_null, 0, 558 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 559 auf_null, 0, 560 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 561 auf_null, 0, 562 aui_null, AUE_READ, aus_null, /* 173 pread */ 563 auf_read, S2E_PUB, 564 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 565 auf_write, 0, 566 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 567 auf_null, 0, 568 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 569 /* aus_inst_sync */ 570 auf_null, 0, 571 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 580 auf_null, 0, 581 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 582 auf_null, 0, 583 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 584 auf_null, 0, 585 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 586 auf_null, 0, 587 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 588 auf_null, 0, 589 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 590 auf_null, 0, 591 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 592 auf_null, 0, /* 187 processor_bind */ 593 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 594 auf_null, 0, 595 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 600 auf_null, 0, 601 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 614 auf_null, 0, 615 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 616 auf_null, 0, 617 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 618 auf_null, 0, 619 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 620 auf_null, 0, 621 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 622 auf_null, 0, 623 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 642 auf_null, 0, 643 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 644 auf_null, 0, 645 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 646 auf_null, 0, 647 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 648 auf_null, S2E_PUB, 649 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 652 auf_null, 0, 653 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 654 auf_null, S2E_PUB, 655 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 656 auf_null, 0, 657 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 658 auf_null, 0, 659 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 660 auf_null, 0, 661 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 662 auf_read, S2E_PUB, 663 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 664 auf_write, 0, 665 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 666 auf_null, S2E_SP, 667 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 668 auf_null, S2E_SP, 669 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 676 auf_null, 0, 677 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 678 auf_null, 0, 679 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 680 auf_null, 0, 681 aui_null, AUE_BIND, aus_null, /* 232 bind */ 682 auf_bind, 0, 683 aui_null, AUE_NULL, aus_null, /* 233 listen */ 684 auf_null, 0, 685 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 686 auf_accept, 0, 687 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 688 auf_connect, 0, 689 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 690 auf_null, 0, 691 aui_null, AUE_READ, aus_null, /* 237 recv */ 692 auf_recv, 0, 693 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 694 auf_recvfrom, 0, 695 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 696 auf_recvmsg, 0, 697 aui_null, AUE_WRITE, aus_null, /* 240 send */ 698 auf_send, 0, 699 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 700 auf_sendmsg, 0, 701 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 702 auf_sendto, 0, 703 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 704 auf_null, 0, 705 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 708 auf_null, 0, 709 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 710 auf_setsockopt, 0, 711 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 714 auf_null, 0, 715 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 724 auf_null, 0, 725 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 726 auf_null, 0, 727 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 728 auf_null, 0 729 }; 730 731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 732 733 734 /* acct start function */ 735 /*ARGSUSED*/ 736 static void 737 aus_acct(struct t_audit_data *tad) 738 { 739 klwp_t *clwp = ttolwp(curthread); 740 uintptr_t fname; 741 742 struct a { 743 long fname; /* char * */ 744 } *uap = (struct a *)clwp->lwp_ap; 745 746 fname = (uintptr_t)uap->fname; 747 748 if (fname == 0) 749 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 750 } 751 752 /* chown start function */ 753 /*ARGSUSED*/ 754 static void 755 aus_chown(struct t_audit_data *tad) 756 { 757 klwp_t *clwp = ttolwp(curthread); 758 uint32_t uid, gid; 759 760 struct a { 761 long fname; /* char * */ 762 long uid; 763 long gid; 764 } *uap = (struct a *)clwp->lwp_ap; 765 766 uid = (uint32_t)uap->uid; 767 gid = (uint32_t)uap->gid; 768 769 au_uwrite(au_to_arg32(2, "new file uid", uid)); 770 au_uwrite(au_to_arg32(3, "new file gid", gid)); 771 } 772 773 /* fchown start function */ 774 /*ARGSUSED*/ 775 static void 776 aus_fchown(struct t_audit_data *tad) 777 { 778 klwp_t *clwp = ttolwp(curthread); 779 uint32_t uid, gid, fd; 780 struct file *fp; 781 struct vnode *vp; 782 struct f_audit_data *fad; 783 784 struct a { 785 long fd; 786 long uid; 787 long gid; 788 } *uap = (struct a *)clwp->lwp_ap; 789 790 fd = (uint32_t)uap->fd; 791 uid = (uint32_t)uap->uid; 792 gid = (uint32_t)uap->gid; 793 794 au_uwrite(au_to_arg32(2, "new file uid", uid)); 795 au_uwrite(au_to_arg32(3, "new file gid", gid)); 796 797 /* 798 * convert file pointer to file descriptor 799 * Note: fd ref count incremented here. 800 */ 801 if ((fp = getf(fd)) == NULL) 802 return; 803 804 /* get path from file struct here */ 805 fad = F2A(fp); 806 if (fad->fad_aupath != NULL) { 807 au_uwrite(au_to_path(fad->fad_aupath)); 808 } else { 809 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 810 } 811 812 vp = fp->f_vnode; 813 audit_attributes(vp); 814 815 /* decrement file descriptor reference count */ 816 releasef(fd); 817 } 818 819 /*ARGSUSED*/ 820 static void 821 aus_lchown(struct t_audit_data *tad) 822 { 823 klwp_t *clwp = ttolwp(curthread); 824 uint32_t uid, gid; 825 826 827 struct a { 828 long fname; /* char * */ 829 long uid; 830 long gid; 831 } *uap = (struct a *)clwp->lwp_ap; 832 833 uid = (uint32_t)uap->uid; 834 gid = (uint32_t)uap->gid; 835 836 au_uwrite(au_to_arg32(2, "new file uid", uid)); 837 au_uwrite(au_to_arg32(3, "new file gid", gid)); 838 } 839 840 /* chmod start function */ 841 /*ARGSUSED*/ 842 static void 843 aus_chmod(struct t_audit_data *tad) 844 { 845 klwp_t *clwp = ttolwp(curthread); 846 uint32_t fmode; 847 848 struct a { 849 long fname; /* char * */ 850 long fmode; 851 } *uap = (struct a *)clwp->lwp_ap; 852 853 fmode = (uint32_t)uap->fmode; 854 855 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 856 } 857 858 /* chmod start function */ 859 /*ARGSUSED*/ 860 static void 861 aus_fchmod(struct t_audit_data *tad) 862 { 863 klwp_t *clwp = ttolwp(curthread); 864 uint32_t fmode, fd; 865 struct file *fp; 866 struct vnode *vp; 867 struct f_audit_data *fad; 868 869 struct a { 870 long fd; 871 long fmode; 872 } *uap = (struct a *)clwp->lwp_ap; 873 874 fd = (uint32_t)uap->fd; 875 fmode = (uint32_t)uap->fmode; 876 877 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 878 879 /* 880 * convert file pointer to file descriptor 881 * Note: fd ref count incremented here. 882 */ 883 if ((fp = getf(fd)) == NULL) 884 return; 885 886 /* get path from file struct here */ 887 fad = F2A(fp); 888 if (fad->fad_aupath != NULL) { 889 au_uwrite(au_to_path(fad->fad_aupath)); 890 } else { 891 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 892 } 893 894 vp = fp->f_vnode; 895 audit_attributes(vp); 896 897 /* decrement file descriptor reference count */ 898 releasef(fd); 899 } 900 901 902 /* convert open to appropriate event */ 903 static au_event_t 904 aui_open(au_event_t e) 905 { 906 klwp_t *clwp = ttolwp(curthread); 907 uint_t fm; 908 909 struct a { 910 long fnamep; /* char * */ 911 long fmode; 912 long cmode; 913 } *uap = (struct a *)clwp->lwp_ap; 914 915 fm = (uint_t)uap->fmode; 916 917 if (fm & O_WRONLY) 918 e = AUE_OPEN_W; 919 else if (fm & O_RDWR) 920 e = AUE_OPEN_RW; 921 else 922 e = AUE_OPEN_R; 923 924 if (fm & O_CREAT) 925 e += 1; 926 if (fm & O_TRUNC) 927 e += 2; 928 929 return (e); 930 } 931 932 /*ARGSUSED*/ 933 static void 934 aus_open(struct t_audit_data *tad) 935 { 936 klwp_t *clwp = ttolwp(curthread); 937 uint_t fm; 938 939 struct a { 940 long fnamep; /* char * */ 941 long fmode; 942 long cmode; 943 } *uap = (struct a *)clwp->lwp_ap; 944 945 fm = (uint_t)uap->fmode; 946 947 /* If no write, create, or trunc modes, mark as a public op */ 948 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 949 tad->tad_ctrl |= PAD_PUBLIC_EV; 950 } 951 952 /* convert openat(2) to appropriate event */ 953 static au_event_t 954 aui_fsat(au_event_t e) 955 { 956 t_audit_data_t *tad = U2A(u); 957 klwp_t *clwp = ttolwp(curthread); 958 uint_t fmcode, fm; 959 struct a { 960 long id; 961 long arg1; 962 long arg2; 963 long arg3; 964 long arg4; 965 long arg5; 966 } *uap = (struct a *)clwp->lwp_ap; 967 968 fmcode = (uint_t)uap->id; 969 970 switch (fmcode) { 971 972 case 0: /* openat */ 973 case 1: /* openat64 */ 974 fm = (uint_t)uap->arg3; 975 if (fm & O_WRONLY) 976 e = AUE_OPENAT_W; 977 else if (fm & O_RDWR) 978 e = AUE_OPENAT_RW; 979 else 980 e = AUE_OPENAT_R; 981 982 /* 983 * openat modes are defined in the following order: 984 * Read only 985 * Read|Create 986 * Read|Trunc 987 * Read|Create|Trunc 988 * Write Only 989 * Write|Create 990 * Write|Trunc 991 * Write|Create|Trunc * RW Only 992 * RW|Create 993 * RW|Trunc 994 * RW|Create|Trunc 995 */ 996 if (fm & O_CREAT) 997 e += 1; /* increment to include CREAT in mode */ 998 if (fm & O_TRUNC) 999 e += 2; /* increment to include TRUNC in mode */ 1000 1001 /* convert to appropriate au_ctrl */ 1002 tad->tad_ctrl |= PAD_SAVPATH; 1003 if (fm & FXATTR) 1004 tad->tad_ctrl |= PAD_ATPATH; 1005 1006 1007 break; 1008 case 2: /* fstatat64 */ 1009 case 3: /* fstatat */ 1010 e = AUE_FSTATAT; 1011 break; 1012 case 4: /* fchownat */ 1013 e = AUE_FCHOWNAT; 1014 break; 1015 case 5: /* unlinkat */ 1016 e = AUE_UNLINKAT; 1017 break; 1018 case 6: /* futimesat */ 1019 e = AUE_FUTIMESAT; 1020 break; 1021 case 7: /* renameat */ 1022 e = AUE_RENAMEAT; 1023 break; 1024 case 9: /* __openattrdirat */ 1025 tad->tad_ctrl |= PAD_SAVPATH; 1026 /*FALLTHROUGH*/ 1027 default: 1028 e = AUE_NULL; 1029 break; 1030 } 1031 1032 return (e); 1033 } 1034 1035 /*ARGSUSED*/ 1036 static void 1037 aus_fsat(struct t_audit_data *tad) 1038 { 1039 klwp_t *clwp = ttolwp(curthread); 1040 uint_t fmcode, fm; 1041 struct a { 1042 long id; 1043 long arg1; 1044 long arg2; 1045 long arg3; 1046 long arg4; 1047 long arg5; 1048 } *uap = (struct a *)clwp->lwp_ap; 1049 1050 fmcode = (uint_t)uap->id; 1051 1052 switch (fmcode) { 1053 1054 case 0: /* openat */ 1055 case 1: /* openat64 */ 1056 fm = (uint_t)uap->arg3; 1057 /* If no write, create, or trunc modes, mark as a public op */ 1058 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1059 tad->tad_ctrl |= PAD_PUBLIC_EV; 1060 1061 break; 1062 case 2: /* fstatat64 */ 1063 case 3: /* fstatat */ 1064 tad->tad_ctrl |= PAD_PUBLIC_EV; 1065 break; 1066 default: 1067 break; 1068 } 1069 } 1070 1071 /* msgsys */ 1072 static au_event_t 1073 aui_msgsys(au_event_t e) 1074 { 1075 klwp_t *clwp = ttolwp(curthread); 1076 uint_t fm; 1077 1078 struct a { 1079 long id; /* function code id */ 1080 long ap; /* arg pointer for recvmsg */ 1081 } *uap = (struct a *)clwp->lwp_ap; 1082 1083 struct b { 1084 long msgid; 1085 long cmd; 1086 long buf; /* struct msqid_ds * */ 1087 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1088 1089 fm = (uint_t)uap->id; 1090 1091 switch (fm) { 1092 case 0: /* msgget */ 1093 e = AUE_MSGGET; 1094 break; 1095 case 1: /* msgctl */ 1096 switch ((uint_t)uap1->cmd) { 1097 case IPC_RMID: 1098 e = AUE_MSGCTL_RMID; 1099 break; 1100 case IPC_SET: 1101 e = AUE_MSGCTL_SET; 1102 break; 1103 case IPC_STAT: 1104 e = AUE_MSGCTL_STAT; 1105 break; 1106 default: 1107 e = AUE_MSGCTL; 1108 break; 1109 } 1110 break; 1111 case 2: /* msgrcv */ 1112 e = AUE_MSGRCV; 1113 break; 1114 case 3: /* msgsnd */ 1115 e = AUE_MSGSND; 1116 break; 1117 default: /* illegal system call */ 1118 e = AUE_NULL; 1119 break; 1120 } 1121 1122 return (e); 1123 } 1124 1125 1126 /* shmsys */ 1127 static au_event_t 1128 aui_shmsys(au_event_t e) 1129 { 1130 klwp_t *clwp = ttolwp(curthread); 1131 int fm; 1132 1133 struct a { /* shmsys */ 1134 long id; /* function code id */ 1135 } *uap = (struct a *)clwp->lwp_ap; 1136 1137 struct b { /* ctrl */ 1138 long shmid; 1139 long cmd; 1140 long arg; /* struct shmid_ds * */ 1141 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1142 fm = (uint_t)uap->id; 1143 1144 switch (fm) { 1145 case 0: /* shmat */ 1146 e = AUE_SHMAT; 1147 break; 1148 case 1: /* shmctl */ 1149 switch ((uint_t)uap1->cmd) { 1150 case IPC_RMID: 1151 e = AUE_SHMCTL_RMID; 1152 break; 1153 case IPC_SET: 1154 e = AUE_SHMCTL_SET; 1155 break; 1156 case IPC_STAT: 1157 e = AUE_SHMCTL_STAT; 1158 break; 1159 default: 1160 e = AUE_SHMCTL; 1161 break; 1162 } 1163 break; 1164 case 2: /* shmdt */ 1165 e = AUE_SHMDT; 1166 break; 1167 case 3: /* shmget */ 1168 e = AUE_SHMGET; 1169 break; 1170 default: /* illegal system call */ 1171 e = AUE_NULL; 1172 break; 1173 } 1174 1175 return (e); 1176 } 1177 1178 1179 /* semsys */ 1180 static au_event_t 1181 aui_semsys(au_event_t e) 1182 { 1183 klwp_t *clwp = ttolwp(curthread); 1184 uint_t fm; 1185 1186 struct a { /* semsys */ 1187 long id; 1188 } *uap = (struct a *)clwp->lwp_ap; 1189 1190 struct b { /* ctrl */ 1191 long semid; 1192 long semnum; 1193 long cmd; 1194 long arg; 1195 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1196 1197 fm = (uint_t)uap->id; 1198 1199 switch (fm) { 1200 case 0: /* semctl */ 1201 switch ((uint_t)uap1->cmd) { 1202 case IPC_RMID: 1203 e = AUE_SEMCTL_RMID; 1204 break; 1205 case IPC_SET: 1206 e = AUE_SEMCTL_SET; 1207 break; 1208 case IPC_STAT: 1209 e = AUE_SEMCTL_STAT; 1210 break; 1211 case GETNCNT: 1212 e = AUE_SEMCTL_GETNCNT; 1213 break; 1214 case GETPID: 1215 e = AUE_SEMCTL_GETPID; 1216 break; 1217 case GETVAL: 1218 e = AUE_SEMCTL_GETVAL; 1219 break; 1220 case GETALL: 1221 e = AUE_SEMCTL_GETALL; 1222 break; 1223 case GETZCNT: 1224 e = AUE_SEMCTL_GETZCNT; 1225 break; 1226 case SETVAL: 1227 e = AUE_SEMCTL_SETVAL; 1228 break; 1229 case SETALL: 1230 e = AUE_SEMCTL_SETALL; 1231 break; 1232 default: 1233 e = AUE_SEMCTL; 1234 break; 1235 } 1236 break; 1237 case 1: /* semget */ 1238 e = AUE_SEMGET; 1239 break; 1240 case 2: /* semop */ 1241 e = AUE_SEMOP; 1242 break; 1243 default: /* illegal system call */ 1244 e = AUE_NULL; 1245 break; 1246 } 1247 1248 return (e); 1249 } 1250 1251 /* utssys - uname(2), ustat(2), fusers(2) */ 1252 static au_event_t 1253 aui_utssys(au_event_t e) 1254 { 1255 klwp_t *clwp = ttolwp(curthread); 1256 uint_t type; 1257 1258 struct a { 1259 union { 1260 long cbuf; /* char * */ 1261 long ubuf; /* struct stat * */ 1262 } ub; 1263 union { 1264 long mv; /* for USTAT */ 1265 long flags; /* for FUSERS */ 1266 } un; 1267 long type; 1268 long outbp; /* char * for FUSERS */ 1269 } *uap = (struct a *)clwp->lwp_ap; 1270 1271 type = (uint_t)uap->type; 1272 1273 if (type == UTS_FUSERS) 1274 return (e); 1275 else 1276 return ((au_event_t)AUE_NULL); 1277 } 1278 1279 static au_event_t 1280 aui_fcntl(au_event_t e) 1281 { 1282 klwp_t *clwp = ttolwp(curthread); 1283 uint_t cmd; 1284 1285 struct a { 1286 long fdes; 1287 long cmd; 1288 long arg; 1289 } *uap = (struct a *)clwp->lwp_ap; 1290 1291 cmd = (uint_t)uap->cmd; 1292 1293 switch (cmd) { 1294 case F_GETLK: 1295 case F_SETLK: 1296 case F_SETLKW: 1297 break; 1298 case F_SETFL: 1299 case F_GETFL: 1300 case F_GETFD: 1301 break; 1302 default: 1303 e = (au_event_t)AUE_NULL; 1304 break; 1305 } 1306 return ((au_event_t)e); 1307 } 1308 1309 /* null function for now */ 1310 static au_event_t 1311 aui_execv(au_event_t e) 1312 { 1313 return (e); 1314 } 1315 1316 /* null function for now */ 1317 static au_event_t 1318 aui_execve(au_event_t e) 1319 { 1320 return (e); 1321 } 1322 1323 /*ARGSUSED*/ 1324 static void 1325 aus_fcntl(struct t_audit_data *tad) 1326 { 1327 klwp_t *clwp = ttolwp(curthread); 1328 uint32_t cmd, fd; 1329 struct file *fp; 1330 struct vnode *vp; 1331 struct f_audit_data *fad; 1332 1333 struct a { 1334 long fd; 1335 long cmd; 1336 long arg; 1337 } *uap = (struct a *)clwp->lwp_ap; 1338 1339 cmd = (uint32_t)uap->cmd; 1340 fd = (uint32_t)uap->fd; 1341 1342 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1343 1344 /* 1345 * convert file pointer to file descriptor 1346 * Note: fd ref count incremented here. 1347 */ 1348 if ((fp = getf(fd)) == NULL) 1349 return; 1350 1351 /* get path from file struct here */ 1352 fad = F2A(fp); 1353 if (fad->fad_aupath != NULL) { 1354 au_uwrite(au_to_path(fad->fad_aupath)); 1355 } else { 1356 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1357 } 1358 1359 vp = fp->f_vnode; 1360 audit_attributes(vp); 1361 1362 /* decrement file descriptor reference count */ 1363 releasef(fd); 1364 } 1365 1366 /*ARGSUSED*/ 1367 static void 1368 aus_kill(struct t_audit_data *tad) 1369 { 1370 klwp_t *clwp = ttolwp(curthread); 1371 struct proc *p; 1372 uint32_t signo; 1373 uid_t uid, ruid; 1374 gid_t gid, rgid; 1375 pid_t pid; 1376 const auditinfo_addr_t *ainfo; 1377 cred_t *cr; 1378 1379 struct a { 1380 long pid; 1381 long signo; 1382 } *uap = (struct a *)clwp->lwp_ap; 1383 1384 pid = (pid_t)uap->pid; 1385 signo = (uint32_t)uap->signo; 1386 1387 au_uwrite(au_to_arg32(2, "signal", signo)); 1388 if (pid > 0) { 1389 mutex_enter(&pidlock); 1390 if (((p = prfind(pid)) == (struct proc *)0) || 1391 (p->p_stat == SIDL)) { 1392 mutex_exit(&pidlock); 1393 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1394 return; 1395 } 1396 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1397 mutex_exit(&pidlock); 1398 1399 mutex_enter(&p->p_crlock); 1400 crhold(cr = p->p_cred); 1401 mutex_exit(&p->p_crlock); 1402 mutex_exit(&p->p_lock); 1403 1404 ainfo = crgetauinfo(cr); 1405 if (ainfo == NULL) { 1406 crfree(cr); 1407 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1408 return; 1409 } 1410 1411 uid = crgetuid(cr); 1412 gid = crgetgid(cr); 1413 ruid = crgetruid(cr); 1414 rgid = crgetrgid(cr); 1415 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1416 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1417 1418 if (is_system_labeled()) 1419 au_uwrite(au_to_label(CR_SL(cr))); 1420 1421 crfree(cr); 1422 } 1423 else 1424 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1425 } 1426 1427 /*ARGSUSED*/ 1428 static void 1429 aus_mkdir(struct t_audit_data *tad) 1430 { 1431 klwp_t *clwp = ttolwp(curthread); 1432 uint32_t dmode; 1433 1434 struct a { 1435 long dirnamep; /* char * */ 1436 long dmode; 1437 } *uap = (struct a *)clwp->lwp_ap; 1438 1439 dmode = (uint32_t)uap->dmode; 1440 1441 au_uwrite(au_to_arg32(2, "mode", dmode)); 1442 } 1443 1444 /*ARGSUSED*/ 1445 static void 1446 aus_mknod(struct t_audit_data *tad) 1447 { 1448 klwp_t *clwp = ttolwp(curthread); 1449 uint32_t fmode; 1450 dev_t dev; 1451 1452 struct a { 1453 long pnamep; /* char * */ 1454 long fmode; 1455 long dev; 1456 } *uap = (struct a *)clwp->lwp_ap; 1457 1458 fmode = (uint32_t)uap->fmode; 1459 dev = (dev_t)uap->dev; 1460 1461 au_uwrite(au_to_arg32(2, "mode", fmode)); 1462 #ifdef _LP64 1463 au_uwrite(au_to_arg64(3, "dev", dev)); 1464 #else 1465 au_uwrite(au_to_arg32(3, "dev", dev)); 1466 #endif 1467 } 1468 1469 /*ARGSUSED*/ 1470 static void 1471 aus_xmknod(struct t_audit_data *tad) 1472 { 1473 klwp_t *clwp = ttolwp(curthread); 1474 uint32_t fmode; 1475 dev_t dev; 1476 1477 struct a { 1478 long version; /* version */ 1479 long pnamep; /* char * */ 1480 long fmode; 1481 long dev; 1482 } *uap = (struct a *)clwp->lwp_ap; 1483 1484 fmode = (uint32_t)uap->fmode; 1485 dev = (dev_t)uap->dev; 1486 1487 au_uwrite(au_to_arg32(2, "mode", fmode)); 1488 #ifdef _LP64 1489 au_uwrite(au_to_arg64(3, "dev", dev)); 1490 #else 1491 au_uwrite(au_to_arg32(3, "dev", dev)); 1492 #endif 1493 } 1494 1495 /*ARGSUSED*/ 1496 static void 1497 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1498 { 1499 klwp_t *clwp = ttolwp(curthread); 1500 vnode_t *dvp; 1501 caddr_t pnamep; 1502 1503 struct a { 1504 long pnamep; /* char * */ 1505 long fmode; 1506 long dev; 1507 } *uap = (struct a *)clwp->lwp_ap; 1508 1509 /* no error, then already path token in audit record */ 1510 if (error != EPERM) 1511 return; 1512 1513 /* not auditing this event, nothing then to do */ 1514 if (tad->tad_flag == 0) 1515 return; 1516 1517 /* do the lookup to force generation of path token */ 1518 pnamep = (caddr_t)uap->pnamep; 1519 tad->tad_ctrl |= PAD_NOATTRB; 1520 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1521 if (error == 0) 1522 VN_RELE(dvp); 1523 } 1524 1525 /*ARGSUSED*/ 1526 static void 1527 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1528 { 1529 klwp_t *clwp = ttolwp(curthread); 1530 vnode_t *dvp; 1531 caddr_t pnamep; 1532 1533 struct a { 1534 long version; /* version */ 1535 long pnamep; /* char * */ 1536 long fmode; 1537 long dev; 1538 } *uap = (struct a *)clwp->lwp_arg; 1539 1540 1541 /* no error, then already path token in audit record */ 1542 if (error != EPERM) 1543 return; 1544 1545 /* not auditing this event, nothing then to do */ 1546 if (tad->tad_flag == 0) 1547 return; 1548 1549 /* do the lookup to force generation of path token */ 1550 pnamep = (caddr_t)uap->pnamep; 1551 tad->tad_ctrl |= PAD_NOATTRB; 1552 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1553 if (error == 0) 1554 VN_RELE(dvp); 1555 } 1556 1557 /*ARGSUSED*/ 1558 static void 1559 aus_mount(struct t_audit_data *tad) 1560 { /* AUS_START */ 1561 klwp_t *clwp = ttolwp(curthread); 1562 uint32_t flags; 1563 uintptr_t u_fstype, dataptr; 1564 STRUCT_DECL(nfs_args, nfsargs); 1565 size_t len; 1566 char *fstype, *hostname; 1567 1568 struct a { 1569 long spec; /* char * */ 1570 long dir; /* char * */ 1571 long flags; 1572 long fstype; /* char * */ 1573 long dataptr; /* char * */ 1574 long datalen; 1575 } *uap = (struct a *)clwp->lwp_ap; 1576 1577 u_fstype = (uintptr_t)uap->fstype; 1578 flags = (uint32_t)uap->flags; 1579 dataptr = (uintptr_t)uap->dataptr; 1580 1581 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1582 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1583 goto mount_free_fstype; 1584 1585 au_uwrite(au_to_arg32(3, "flags", flags)); 1586 au_uwrite(au_to_text(fstype)); 1587 1588 if (strncmp(fstype, "nfs", 3) == 0) { 1589 1590 STRUCT_INIT(nfsargs, get_udatamodel()); 1591 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1592 1593 if (copyin((caddr_t)dataptr, 1594 STRUCT_BUF(nfsargs), 1595 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1596 /* DEBUG debug_enter((char *)NULL); */ 1597 goto mount_free_fstype; 1598 } 1599 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1600 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1601 (caddr_t)hostname, 1602 MAXNAMELEN, &len)) { 1603 goto mount_free_hostname; 1604 } 1605 au_uwrite(au_to_text(hostname)); 1606 au_uwrite(au_to_arg32(3, "internal flags", 1607 (uint_t)STRUCT_FGET(nfsargs, flags))); 1608 1609 mount_free_hostname: 1610 kmem_free(hostname, MAXNAMELEN); 1611 } 1612 1613 mount_free_fstype: 1614 kmem_free(fstype, MAXNAMELEN); 1615 } /* AUS_MOUNT */ 1616 1617 static void 1618 aus_umount_path(caddr_t umount_dir) 1619 { 1620 char *dir_path; 1621 struct audit_path *path; 1622 size_t path_len, dir_len; 1623 1624 /* length alloc'd for two string pointers */ 1625 path_len = sizeof (struct audit_path) + sizeof (char *); 1626 path = kmem_alloc(path_len, KM_SLEEP); 1627 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1628 1629 if (copyinstr(umount_dir, (caddr_t)dir_path, 1630 MAXPATHLEN, &dir_len)) 1631 goto umount2_free_dir; 1632 1633 /* 1634 * the audit_path struct assumes that the buffer pointed to 1635 * by audp_sect[n] contains string 0 immediatedly followed 1636 * by string 1. 1637 */ 1638 path->audp_sect[0] = dir_path; 1639 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1640 path->audp_size = path_len; 1641 path->audp_ref = 1; /* not used */ 1642 path->audp_cnt = 1; /* one path string */ 1643 1644 au_uwrite(au_to_path(path)); 1645 1646 umount2_free_dir: 1647 kmem_free(dir_path, MAXPATHLEN); 1648 kmem_free(path, path_len); 1649 } 1650 1651 /* 1652 * the umount syscall is implemented as a call to umount2, but the args 1653 * are different... 1654 */ 1655 1656 /*ARGSUSED*/ 1657 static void 1658 aus_umount(struct t_audit_data *tad) 1659 { 1660 klwp_t *clwp = ttolwp(curthread); 1661 struct a { 1662 long dir; /* char * */ 1663 } *uap = (struct a *)clwp->lwp_ap; 1664 1665 aus_umount_path((caddr_t)uap->dir); 1666 } 1667 1668 /*ARGSUSED*/ 1669 static void 1670 aus_umount2(struct t_audit_data *tad) 1671 { 1672 klwp_t *clwp = ttolwp(curthread); 1673 struct a { 1674 long dir; /* char * */ 1675 long flags; 1676 } *uap = (struct a *)clwp->lwp_ap; 1677 1678 aus_umount_path((caddr_t)uap->dir); 1679 1680 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1681 } 1682 1683 static void 1684 aus_msgsys(struct t_audit_data *tad) 1685 { 1686 klwp_t *clwp = ttolwp(curthread); 1687 uint32_t msgid; 1688 1689 struct b { 1690 long msgid; 1691 long cmd; 1692 long buf; /* struct msqid_ds * */ 1693 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1694 1695 msgid = (uint32_t)uap1->msgid; 1696 1697 1698 switch (tad->tad_event) { 1699 case AUE_MSGGET: /* msgget */ 1700 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1701 break; 1702 case AUE_MSGCTL: /* msgctl */ 1703 case AUE_MSGCTL_RMID: /* msgctl */ 1704 case AUE_MSGCTL_STAT: /* msgctl */ 1705 case AUE_MSGRCV: /* msgrcv */ 1706 case AUE_MSGSND: /* msgsnd */ 1707 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1708 break; 1709 case AUE_MSGCTL_SET: /* msgctl */ 1710 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1711 break; 1712 } 1713 } 1714 1715 /*ARGSUSED*/ 1716 static void 1717 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1718 { 1719 int id; 1720 1721 if (error != 0) 1722 return; 1723 if (tad->tad_event == AUE_MSGGET) { 1724 uint32_t scid; 1725 uint32_t sy_flags; 1726 1727 /* need to determine type of executing binary */ 1728 scid = tad->tad_scid; 1729 #ifdef _SYSCALL32_IMPL 1730 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1731 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1732 else 1733 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1734 #else 1735 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1736 #endif 1737 if (sy_flags == SE_32RVAL1) 1738 id = rval->r_val1; 1739 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1740 id = rval->r_val1; 1741 if (sy_flags == SE_64RVAL) 1742 id = (int)rval->r_vals; 1743 1744 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1745 } 1746 } 1747 1748 static void 1749 aus_semsys(struct t_audit_data *tad) 1750 { 1751 klwp_t *clwp = ttolwp(curthread); 1752 uint32_t semid; 1753 1754 struct b { /* ctrl */ 1755 long semid; 1756 long semnum; 1757 long cmd; 1758 long arg; 1759 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1760 1761 semid = (uint32_t)uap1->semid; 1762 1763 switch (tad->tad_event) { 1764 case AUE_SEMCTL_RMID: 1765 case AUE_SEMCTL_STAT: 1766 case AUE_SEMCTL_GETNCNT: 1767 case AUE_SEMCTL_GETPID: 1768 case AUE_SEMCTL_GETVAL: 1769 case AUE_SEMCTL_GETALL: 1770 case AUE_SEMCTL_GETZCNT: 1771 case AUE_SEMCTL_SETVAL: 1772 case AUE_SEMCTL_SETALL: 1773 case AUE_SEMCTL: 1774 case AUE_SEMOP: 1775 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1776 break; 1777 case AUE_SEMCTL_SET: 1778 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1779 break; 1780 case AUE_SEMGET: 1781 au_uwrite(au_to_arg32(1, "sem key", semid)); 1782 break; 1783 } 1784 } 1785 1786 /*ARGSUSED*/ 1787 static void 1788 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1789 { 1790 int id; 1791 1792 if (error != 0) 1793 return; 1794 if (tad->tad_event == AUE_SEMGET) { 1795 uint32_t scid; 1796 uint32_t sy_flags; 1797 1798 /* need to determine type of executing binary */ 1799 scid = tad->tad_scid; 1800 #ifdef _SYSCALL32_IMPL 1801 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1802 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1803 else 1804 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1805 #else 1806 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1807 #endif 1808 if (sy_flags == SE_32RVAL1) 1809 id = rval->r_val1; 1810 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1811 id = rval->r_val1; 1812 if (sy_flags == SE_64RVAL) 1813 id = (int)rval->r_vals; 1814 1815 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1816 } 1817 } 1818 1819 /*ARGSUSED*/ 1820 static void 1821 aus_close(struct t_audit_data *tad) 1822 { 1823 klwp_t *clwp = ttolwp(curthread); 1824 uint32_t fd; 1825 struct file *fp; 1826 struct f_audit_data *fad; 1827 struct vnode *vp; 1828 struct vattr attr; 1829 au_kcontext_t *kctx = GET_KCTX_PZ; 1830 1831 struct a { 1832 long i; 1833 } *uap = (struct a *)clwp->lwp_ap; 1834 1835 fd = (uint32_t)uap->i; 1836 1837 attr.va_mask = 0; 1838 au_uwrite(au_to_arg32(1, "fd", fd)); 1839 1840 /* 1841 * convert file pointer to file descriptor 1842 * Note: fd ref count incremented here. 1843 */ 1844 if ((fp = getf(fd)) == NULL) 1845 return; 1846 1847 fad = F2A(fp); 1848 tad->tad_evmod = (short)fad->fad_flags; 1849 if (fad->fad_aupath != NULL) { 1850 au_uwrite(au_to_path(fad->fad_aupath)); 1851 if ((vp = fp->f_vnode) != NULL) { 1852 attr.va_mask = AT_ALL; 1853 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1854 /* 1855 * When write was not used and the file can be 1856 * considered public, skip the audit. 1857 */ 1858 if (((fp->f_flag & FWRITE) == 0) && 1859 file_is_public(&attr)) { 1860 tad->tad_flag = 0; 1861 tad->tad_evmod = 0; 1862 /* free any residual audit data */ 1863 au_close(kctx, &(u_ad), 0, 0, 0); 1864 releasef(fd); 1865 return; 1866 } 1867 au_uwrite(au_to_attr(&attr)); 1868 audit_sec_attributes(&(u_ad), vp); 1869 } 1870 } 1871 } 1872 1873 /* decrement file descriptor reference count */ 1874 releasef(fd); 1875 } 1876 1877 /*ARGSUSED*/ 1878 static void 1879 aus_fstatfs(struct t_audit_data *tad) 1880 { 1881 klwp_t *clwp = ttolwp(curthread); 1882 uint32_t fd; 1883 struct file *fp; 1884 struct vnode *vp; 1885 struct f_audit_data *fad; 1886 1887 struct a { 1888 long fd; 1889 long buf; /* struct statfs * */ 1890 } *uap = (struct a *)clwp->lwp_ap; 1891 1892 fd = (uint_t)uap->fd; 1893 1894 /* 1895 * convert file pointer to file descriptor 1896 * Note: fd ref count incremented here. 1897 */ 1898 if ((fp = getf(fd)) == NULL) 1899 return; 1900 1901 /* get path from file struct here */ 1902 fad = F2A(fp); 1903 if (fad->fad_aupath != NULL) { 1904 au_uwrite(au_to_path(fad->fad_aupath)); 1905 } else { 1906 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1907 } 1908 1909 vp = fp->f_vnode; 1910 audit_attributes(vp); 1911 1912 /* decrement file descriptor reference count */ 1913 releasef(fd); 1914 } 1915 1916 #ifdef NOTYET 1917 /*ARGSUSED*/ 1918 static void 1919 aus_setpgrp(struct t_audit_data *tad) 1920 { 1921 klwp_t *clwp = ttolwp(curthread); 1922 uint32_t pgrp; 1923 struct proc *p; 1924 uid_t uid, ruid; 1925 gid_t gid, rgid; 1926 pid_t pid; 1927 const auditinfo_addr_t *ainfo; 1928 cred_t *cr; 1929 1930 struct a { 1931 long pid; 1932 long pgrp; 1933 } *uap = (struct a *)clwp->lwp_ap; 1934 1935 pid = (pid_t)uap->pid; 1936 pgrp = (uint32_t)uap->pgrp; 1937 1938 /* current process? */ 1939 if (pid == 0) 1940 (return); 1941 1942 mutex_enter(&pidlock); 1943 p = prfind(pid); 1944 if (p == NULL || p->p_as == &kas) { 1945 mutex_exit(&pidlock); 1946 return; 1947 } 1948 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1949 mutex_exit(&pidlock); 1950 1951 mutex_enter(&p->p_crlock); 1952 crhold(cr = p->p_cred); 1953 mutex_exit(&p->p_crlock); 1954 mutex_exit(&p->p_lock); 1955 1956 ainfo = crgetauinfo(cr); 1957 if (ainfo == NULL) { 1958 crfree(cr); 1959 return; 1960 } 1961 1962 uid = crgetuid(cr); 1963 gid = crgetgid(cr); 1964 ruid = crgetruid(cr); 1965 rgid = crgetrgid(cr); 1966 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1967 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1968 crfree(cr); 1969 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1970 } 1971 #endif 1972 1973 /*ARGSUSED*/ 1974 static void 1975 aus_setregid(struct t_audit_data *tad) 1976 { 1977 klwp_t *clwp = ttolwp(curthread); 1978 uint32_t rgid, egid; 1979 1980 struct a { 1981 long rgid; 1982 long egid; 1983 } *uap = (struct a *)clwp->lwp_ap; 1984 1985 rgid = (uint32_t)uap->rgid; 1986 egid = (uint32_t)uap->egid; 1987 1988 au_uwrite(au_to_arg32(1, "rgid", rgid)); 1989 au_uwrite(au_to_arg32(2, "egid", egid)); 1990 } 1991 1992 /*ARGSUSED*/ 1993 static void 1994 aus_setgid(struct t_audit_data *tad) 1995 { 1996 klwp_t *clwp = ttolwp(curthread); 1997 uint32_t gid; 1998 1999 struct a { 2000 long gid; 2001 } *uap = (struct a *)clwp->lwp_ap; 2002 2003 gid = (uint32_t)uap->gid; 2004 2005 au_uwrite(au_to_arg32(1, "gid", gid)); 2006 } 2007 2008 2009 /*ARGSUSED*/ 2010 static void 2011 aus_setreuid(struct t_audit_data *tad) 2012 { 2013 klwp_t *clwp = ttolwp(curthread); 2014 uint32_t ruid, euid; 2015 2016 struct a { 2017 long ruid; 2018 long euid; 2019 } *uap = (struct a *)clwp->lwp_ap; 2020 2021 ruid = (uint32_t)uap->ruid; 2022 euid = (uint32_t)uap->euid; 2023 2024 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2025 au_uwrite(au_to_arg32(2, "euid", euid)); 2026 } 2027 2028 2029 /*ARGSUSED*/ 2030 static void 2031 aus_setuid(struct t_audit_data *tad) 2032 { 2033 klwp_t *clwp = ttolwp(curthread); 2034 uint32_t uid; 2035 2036 struct a { 2037 long uid; 2038 } *uap = (struct a *)clwp->lwp_ap; 2039 2040 uid = (uint32_t)uap->uid; 2041 2042 au_uwrite(au_to_arg32(1, "uid", uid)); 2043 } 2044 2045 /*ARGSUSED*/ 2046 static void 2047 aus_shmsys(struct t_audit_data *tad) 2048 { 2049 klwp_t *clwp = ttolwp(curthread); 2050 uint32_t id, cmd; 2051 2052 struct b { 2053 long id; 2054 long cmd; 2055 long buf; /* struct shmid_ds * */ 2056 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2057 2058 id = (uint32_t)uap1->id; 2059 cmd = (uint32_t)uap1->cmd; 2060 2061 switch (tad->tad_event) { 2062 case AUE_SHMGET: /* shmget */ 2063 au_uwrite(au_to_arg32(1, "shm key", id)); 2064 break; 2065 case AUE_SHMCTL: /* shmctl */ 2066 case AUE_SHMCTL_RMID: /* shmctl */ 2067 case AUE_SHMCTL_STAT: /* shmctl */ 2068 case AUE_SHMCTL_SET: /* shmctl */ 2069 au_uwrite(au_to_arg32(1, "shm ID", id)); 2070 break; 2071 case AUE_SHMDT: /* shmdt */ 2072 au_uwrite(au_to_arg32(1, "shm adr", id)); 2073 break; 2074 case AUE_SHMAT: /* shmat */ 2075 au_uwrite(au_to_arg32(1, "shm ID", id)); 2076 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2077 break; 2078 } 2079 } 2080 2081 /*ARGSUSED*/ 2082 static void 2083 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2084 { 2085 int id; 2086 2087 if (error != 0) 2088 return; 2089 if (tad->tad_event == AUE_SHMGET) { 2090 uint32_t scid; 2091 uint32_t sy_flags; 2092 2093 /* need to determine type of executing binary */ 2094 scid = tad->tad_scid; 2095 #ifdef _SYSCALL32_IMPL 2096 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2097 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2098 else 2099 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2100 #else 2101 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2102 #endif 2103 if (sy_flags == SE_32RVAL1) 2104 id = rval->r_val1; 2105 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2106 id = rval->r_val1; 2107 if (sy_flags == SE_64RVAL) 2108 id = (int)rval->r_vals; 2109 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2110 } 2111 } 2112 2113 2114 /*ARGSUSED*/ 2115 static void 2116 aus_ioctl(struct t_audit_data *tad) 2117 { 2118 klwp_t *clwp = ttolwp(curthread); 2119 struct file *fp; 2120 struct vnode *vp; 2121 struct f_audit_data *fad; 2122 uint32_t fd, cmd; 2123 uintptr_t cmarg; 2124 2125 /* XX64 */ 2126 struct a { 2127 long fd; 2128 long cmd; 2129 long cmarg; /* caddr_t */ 2130 } *uap = (struct a *)clwp->lwp_ap; 2131 2132 fd = (uint32_t)uap->fd; 2133 cmd = (uint32_t)uap->cmd; 2134 cmarg = (uintptr_t)uap->cmarg; 2135 2136 /* 2137 * convert file pointer to file descriptor 2138 * Note: fd ref count incremented here. 2139 */ 2140 if ((fp = getf(fd)) == NULL) { 2141 au_uwrite(au_to_arg32(1, "fd", fd)); 2142 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2143 #ifndef _LP64 2144 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2145 #else 2146 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2147 #endif 2148 return; 2149 } 2150 2151 /* get path from file struct here */ 2152 fad = F2A(fp); 2153 if (fad->fad_aupath != NULL) { 2154 au_uwrite(au_to_path(fad->fad_aupath)); 2155 } else { 2156 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2157 } 2158 2159 vp = fp->f_vnode; 2160 audit_attributes(vp); 2161 2162 /* decrement file descriptor reference count */ 2163 releasef(fd); 2164 2165 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2166 #ifndef _LP64 2167 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2168 #else 2169 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2170 #endif 2171 } 2172 2173 /* 2174 * null function for memcntl for now. We might want to limit memcntl() 2175 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2176 * require privileges. 2177 */ 2178 static au_event_t 2179 aui_memcntl(au_event_t e) 2180 { 2181 return (e); 2182 } 2183 2184 /*ARGSUSED*/ 2185 static au_event_t 2186 aui_privsys(au_event_t e) 2187 { 2188 klwp_t *clwp = ttolwp(curthread); 2189 2190 struct a { 2191 long opcode; 2192 } *uap = (struct a *)clwp->lwp_ap; 2193 2194 switch (uap->opcode) { 2195 case PRIVSYS_SETPPRIV: 2196 return (AUE_SETPPRIV); 2197 default: 2198 return (AUE_NULL); 2199 } 2200 } 2201 2202 /*ARGSUSED*/ 2203 static void 2204 aus_memcntl(struct t_audit_data *tad) 2205 { 2206 klwp_t *clwp = ttolwp(curthread); 2207 2208 struct a { 2209 long addr; 2210 long len; 2211 long cmd; 2212 long arg; 2213 long attr; 2214 long mask; 2215 } *uap = (struct a *)clwp->lwp_ap; 2216 2217 #ifdef _LP64 2218 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2219 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2220 #else 2221 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2222 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2223 #endif 2224 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2225 #ifdef _LP64 2226 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2227 #else 2228 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2229 #endif 2230 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2231 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2232 } 2233 2234 /*ARGSUSED*/ 2235 static void 2236 aus_mmap(struct t_audit_data *tad) 2237 { 2238 klwp_t *clwp = ttolwp(curthread); 2239 struct file *fp; 2240 struct f_audit_data *fad; 2241 struct vnode *vp; 2242 uint32_t fd; 2243 2244 struct a { 2245 long addr; 2246 long len; 2247 long prot; 2248 long flags; 2249 long fd; 2250 long pos; 2251 } *uap = (struct a *)clwp->lwp_ap; 2252 2253 fd = (uint32_t)uap->fd; 2254 2255 #ifdef _LP64 2256 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2257 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2258 #else 2259 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2260 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2261 #endif 2262 2263 if ((fp = getf(fd)) == NULL) { 2264 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2265 return; 2266 } 2267 2268 /* 2269 * Mark in the tad if write access is NOT requested... if 2270 * this is later detected (in audit_attributes) to be a 2271 * public object, the mmap event may be discarded. 2272 */ 2273 if (((uap->prot) & PROT_WRITE) == 0) { 2274 tad->tad_ctrl |= PAD_PUBLIC_EV; 2275 } 2276 2277 fad = F2A(fp); 2278 if (fad->fad_aupath != NULL) { 2279 au_uwrite(au_to_path(fad->fad_aupath)); 2280 } else { 2281 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2282 } 2283 2284 vp = (struct vnode *)fp->f_vnode; 2285 audit_attributes(vp); 2286 2287 /* mark READ/WRITE since we can't predict access */ 2288 if (uap->prot & PROT_READ) 2289 fad->fad_flags |= FAD_READ; 2290 if (uap->prot & PROT_WRITE) 2291 fad->fad_flags |= FAD_WRITE; 2292 2293 /* decrement file descriptor reference count */ 2294 releasef(fd); 2295 2296 } /* AUS_MMAP */ 2297 2298 2299 2300 2301 /*ARGSUSED*/ 2302 static void 2303 aus_munmap(struct t_audit_data *tad) 2304 { 2305 klwp_t *clwp = ttolwp(curthread); 2306 2307 struct a { 2308 long addr; 2309 long len; 2310 } *uap = (struct a *)clwp->lwp_ap; 2311 2312 #ifdef _LP64 2313 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2314 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2315 #else 2316 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2317 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2318 #endif 2319 2320 } /* AUS_MUNMAP */ 2321 2322 2323 2324 2325 2326 2327 2328 /*ARGSUSED*/ 2329 static void 2330 aus_priocntlsys(struct t_audit_data *tad) 2331 { 2332 klwp_t *clwp = ttolwp(curthread); 2333 2334 struct a { 2335 long pc_version; 2336 long psp; /* procset_t */ 2337 long cmd; 2338 long arg; 2339 } *uap = (struct a *)clwp->lwp_ap; 2340 2341 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2342 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2343 2344 } /* AUS_PRIOCNTLSYS */ 2345 2346 2347 /*ARGSUSED*/ 2348 static void 2349 aus_setegid(struct t_audit_data *tad) 2350 { 2351 klwp_t *clwp = ttolwp(curthread); 2352 uint32_t gid; 2353 2354 struct a { 2355 long gid; 2356 } *uap = (struct a *)clwp->lwp_ap; 2357 2358 gid = (uint32_t)uap->gid; 2359 2360 au_uwrite(au_to_arg32(1, "gid", gid)); 2361 } /* AUS_SETEGID */ 2362 2363 2364 2365 2366 /*ARGSUSED*/ 2367 static void 2368 aus_setgroups(struct t_audit_data *tad) 2369 { 2370 klwp_t *clwp = ttolwp(curthread); 2371 int i; 2372 int gidsetsize; 2373 uintptr_t gidset; 2374 gid_t *gidlist; 2375 2376 struct a { 2377 long gidsetsize; 2378 long gidset; 2379 } *uap = (struct a *)clwp->lwp_ap; 2380 2381 gidsetsize = (uint_t)uap->gidsetsize; 2382 gidset = (uintptr_t)uap->gidset; 2383 2384 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2385 return; 2386 if (gidsetsize != 0) { 2387 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2388 KM_SLEEP); 2389 if (copyin((caddr_t)gidset, gidlist, 2390 gidsetsize * sizeof (gid_t)) == 0) 2391 for (i = 0; i < gidsetsize; i++) 2392 au_uwrite(au_to_arg32(1, "setgroups", 2393 (uint32_t)gidlist[i])); 2394 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2395 } else 2396 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2397 2398 } /* AUS_SETGROUPS */ 2399 2400 2401 2402 2403 2404 /*ARGSUSED*/ 2405 static void 2406 aus_seteuid(struct t_audit_data *tad) 2407 { 2408 klwp_t *clwp = ttolwp(curthread); 2409 uint32_t uid; 2410 2411 struct a { 2412 long uid; 2413 } *uap = (struct a *)clwp->lwp_ap; 2414 2415 uid = (uint32_t)uap->uid; 2416 2417 au_uwrite(au_to_arg32(1, "euid", uid)); 2418 2419 } /* AUS_SETEUID */ 2420 2421 /*ARGSUSED*/ 2422 static void 2423 aus_putmsg(struct t_audit_data *tad) 2424 { 2425 klwp_t *clwp = ttolwp(curthread); 2426 uint32_t fd, pri; 2427 struct file *fp; 2428 struct f_audit_data *fad; 2429 2430 struct a { 2431 long fdes; 2432 long ctl; /* struct strbuf * */ 2433 long data; /* struct strbuf * */ 2434 long pri; 2435 } *uap = (struct a *)clwp->lwp_ap; 2436 2437 fd = (uint32_t)uap->fdes; 2438 pri = (uint32_t)uap->pri; 2439 2440 au_uwrite(au_to_arg32(1, "fd", fd)); 2441 2442 if ((fp = getf(fd)) != NULL) { 2443 fad = F2A(fp); 2444 2445 fad->fad_flags |= FAD_WRITE; 2446 2447 /* add path name to audit record */ 2448 if (fad->fad_aupath != NULL) { 2449 au_uwrite(au_to_path(fad->fad_aupath)); 2450 } 2451 audit_attributes(fp->f_vnode); 2452 2453 releasef(fd); 2454 } 2455 2456 au_uwrite(au_to_arg32(4, "pri", pri)); 2457 } 2458 2459 /*ARGSUSED*/ 2460 static void 2461 aus_putpmsg(struct t_audit_data *tad) 2462 { 2463 klwp_t *clwp = ttolwp(curthread); 2464 uint32_t fd, pri, flags; 2465 struct file *fp; 2466 struct f_audit_data *fad; 2467 2468 struct a { 2469 long fdes; 2470 long ctl; /* struct strbuf * */ 2471 long data; /* struct strbuf * */ 2472 long pri; 2473 long flags; 2474 } *uap = (struct a *)clwp->lwp_ap; 2475 2476 fd = (uint32_t)uap->fdes; 2477 pri = (uint32_t)uap->pri; 2478 flags = (uint32_t)uap->flags; 2479 2480 au_uwrite(au_to_arg32(1, "fd", fd)); 2481 2482 if ((fp = getf(fd)) != NULL) { 2483 fad = F2A(fp); 2484 2485 fad->fad_flags |= FAD_WRITE; 2486 2487 /* add path name to audit record */ 2488 if (fad->fad_aupath != NULL) { 2489 au_uwrite(au_to_path(fad->fad_aupath)); 2490 } 2491 audit_attributes(fp->f_vnode); 2492 2493 releasef(fd); 2494 } 2495 2496 2497 au_uwrite(au_to_arg32(4, "pri", pri)); 2498 au_uwrite(au_to_arg32(5, "flags", flags)); 2499 } 2500 2501 /*ARGSUSED*/ 2502 static void 2503 aus_getmsg(struct t_audit_data *tad) 2504 { 2505 klwp_t *clwp = ttolwp(curthread); 2506 uint32_t fd, pri; 2507 struct file *fp; 2508 struct f_audit_data *fad; 2509 2510 struct a { 2511 long fdes; 2512 long ctl; /* struct strbuf * */ 2513 long data; /* struct strbuf * */ 2514 long pri; 2515 } *uap = (struct a *)clwp->lwp_ap; 2516 2517 fd = (uint32_t)uap->fdes; 2518 pri = (uint32_t)uap->pri; 2519 2520 au_uwrite(au_to_arg32(1, "fd", fd)); 2521 2522 if ((fp = getf(fd)) != NULL) { 2523 fad = F2A(fp); 2524 2525 /* 2526 * read operation on this object 2527 */ 2528 fad->fad_flags |= FAD_READ; 2529 2530 /* add path name to audit record */ 2531 if (fad->fad_aupath != NULL) { 2532 au_uwrite(au_to_path(fad->fad_aupath)); 2533 } 2534 audit_attributes(fp->f_vnode); 2535 2536 releasef(fd); 2537 } 2538 2539 au_uwrite(au_to_arg32(4, "pri", pri)); 2540 } 2541 2542 /*ARGSUSED*/ 2543 static void 2544 aus_getpmsg(struct t_audit_data *tad) 2545 { 2546 klwp_t *clwp = ttolwp(curthread); 2547 uint32_t fd; 2548 struct file *fp; 2549 struct f_audit_data *fad; 2550 2551 struct a { 2552 long fdes; 2553 long ctl; /* struct strbuf * */ 2554 long data; /* struct strbuf * */ 2555 long pri; 2556 long flags; 2557 } *uap = (struct a *)clwp->lwp_ap; 2558 2559 fd = (uint32_t)uap->fdes; 2560 2561 au_uwrite(au_to_arg32(1, "fd", fd)); 2562 2563 if ((fp = getf(fd)) != NULL) { 2564 fad = F2A(fp); 2565 2566 /* 2567 * read operation on this object 2568 */ 2569 fad->fad_flags |= FAD_READ; 2570 2571 /* add path name to audit record */ 2572 if (fad->fad_aupath != NULL) { 2573 au_uwrite(au_to_path(fad->fad_aupath)); 2574 } 2575 audit_attributes(fp->f_vnode); 2576 2577 releasef(fd); 2578 } 2579 } 2580 2581 static au_event_t 2582 aui_labelsys(au_event_t e) 2583 { 2584 klwp_t *clwp = ttolwp(curthread); 2585 uint32_t code; 2586 uint32_t cmd; 2587 2588 struct a { 2589 long code; 2590 long cmd; 2591 } *uap = (struct a *)clwp->lwp_ap; 2592 2593 code = (uint32_t)uap->code; 2594 cmd = (uint32_t)uap->cmd; 2595 2596 /* not security relevant if not changing kernel cache */ 2597 if (cmd == TNDB_GET) 2598 return (AUE_NULL); 2599 2600 switch (code) { 2601 case TSOL_TNRH: 2602 e = AUE_LABELSYS_TNRH; 2603 break; 2604 case TSOL_TNRHTP: 2605 e = AUE_LABELSYS_TNRHTP; 2606 break; 2607 case TSOL_TNMLP: 2608 e = AUE_LABELSYS_TNMLP; 2609 break; 2610 default: 2611 e = AUE_NULL; 2612 break; 2613 } 2614 2615 return (e); 2616 2617 } 2618 2619 static void 2620 aus_labelsys(struct t_audit_data *tad) 2621 { 2622 klwp_t *clwp = ttolwp(curthread); 2623 uint32_t cmd; 2624 uintptr_t a2; 2625 2626 struct a { 2627 long code; 2628 long cmd; 2629 long a2; 2630 } *uap = (struct a *)clwp->lwp_ap; 2631 2632 cmd = (uint32_t)uap->cmd; 2633 a2 = (uintptr_t)uap->a2; 2634 2635 switch (tad->tad_event) { 2636 case AUE_LABELSYS_TNRH: 2637 { 2638 tsol_rhent_t *rhent; 2639 tnaddr_t *rh_addr; 2640 2641 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2642 2643 /* Remaining args don't apply for FLUSH, so skip */ 2644 if (cmd == TNDB_FLUSH) 2645 break; 2646 2647 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2648 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2649 kmem_free(rhent, sizeof (tsol_rhent_t)); 2650 return; 2651 } 2652 2653 rh_addr = &rhent->rh_address; 2654 if (rh_addr->ta_family == AF_INET) { 2655 struct in_addr *ipaddr; 2656 2657 ipaddr = &(rh_addr->ta_addr_v4); 2658 au_uwrite(au_to_in_addr(ipaddr)); 2659 } else if (rh_addr->ta_family == AF_INET6) { 2660 int32_t *ipaddr; 2661 2662 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2663 au_uwrite(au_to_in_addr_ex(ipaddr)); 2664 } 2665 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2666 2667 kmem_free(rhent, sizeof (tsol_rhent_t)); 2668 2669 break; 2670 } 2671 case AUE_LABELSYS_TNRHTP: 2672 { 2673 tsol_tpent_t *tpent; 2674 2675 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2676 2677 /* Remaining args don't apply for FLUSH, so skip */ 2678 if (cmd == TNDB_FLUSH) 2679 break; 2680 2681 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2682 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2683 kmem_free(tpent, sizeof (tsol_tpent_t)); 2684 return; 2685 } 2686 2687 /* Make sure that the template name is null-terminated. */ 2688 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2689 2690 au_uwrite(au_to_text(tpent->name)); 2691 kmem_free(tpent, sizeof (tsol_tpent_t)); 2692 2693 break; 2694 } 2695 case AUE_LABELSYS_TNMLP: 2696 { 2697 tsol_mlpent_t *mlpent; 2698 2699 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2700 2701 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2702 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2703 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2704 return; 2705 } 2706 2707 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2708 au_uwrite(au_to_text("shared")); 2709 } else { 2710 zone_t *zone; 2711 2712 zone = zone_find_by_id(mlpent->tsme_zoneid); 2713 if (zone != NULL) { 2714 au_uwrite(au_to_text(zone->zone_name)); 2715 zone_rele(zone); 2716 } 2717 } 2718 2719 /* Remaining args don't apply for FLUSH, so skip */ 2720 if (cmd == TNDB_FLUSH) { 2721 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2722 break; 2723 } 2724 2725 au_uwrite(au_to_arg32(2, "proto num", 2726 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2727 au_uwrite(au_to_arg32(2, "mlp_port", 2728 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2729 2730 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2731 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2732 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2733 2734 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2735 2736 break; 2737 } 2738 default: 2739 break; 2740 } 2741 } 2742 2743 2744 static au_event_t 2745 aui_auditsys(au_event_t e) 2746 { 2747 klwp_t *clwp = ttolwp(curthread); 2748 uint32_t code; 2749 2750 struct a { 2751 long code; 2752 long a1; 2753 long a2; 2754 long a3; 2755 long a4; 2756 long a5; 2757 long a6; 2758 long a7; 2759 } *uap = (struct a *)clwp->lwp_ap; 2760 2761 code = (uint32_t)uap->code; 2762 2763 switch (code) { 2764 2765 case BSM_GETAUID: 2766 e = AUE_GETAUID; 2767 break; 2768 case BSM_SETAUID: 2769 e = AUE_SETAUID; 2770 break; 2771 case BSM_GETAUDIT: 2772 e = AUE_GETAUDIT; 2773 break; 2774 case BSM_GETAUDIT_ADDR: 2775 e = AUE_GETAUDIT_ADDR; 2776 break; 2777 case BSM_SETAUDIT: 2778 e = AUE_SETAUDIT; 2779 break; 2780 case BSM_SETAUDIT_ADDR: 2781 e = AUE_SETAUDIT_ADDR; 2782 break; 2783 case BSM_AUDIT: 2784 e = AUE_AUDIT; 2785 break; 2786 case BSM_GETPORTAUDIT: 2787 e = AUE_GETPORTAUDIT; 2788 break; 2789 case BSM_AUDITON: 2790 case BSM_AUDITCTL: 2791 2792 switch ((uint_t)uap->a1) { 2793 2794 case A_GETPOLICY: 2795 e = AUE_AUDITON_GPOLICY; 2796 break; 2797 case A_SETPOLICY: 2798 e = AUE_AUDITON_SPOLICY; 2799 break; 2800 case A_GETKMASK: 2801 e = AUE_AUDITON_GETKMASK; 2802 break; 2803 case A_SETKMASK: 2804 e = AUE_AUDITON_SETKMASK; 2805 break; 2806 case A_GETQCTRL: 2807 e = AUE_AUDITON_GQCTRL; 2808 break; 2809 case A_SETQCTRL: 2810 e = AUE_AUDITON_SQCTRL; 2811 break; 2812 case A_GETCWD: 2813 e = AUE_AUDITON_GETCWD; 2814 break; 2815 case A_GETCAR: 2816 e = AUE_AUDITON_GETCAR; 2817 break; 2818 case A_GETSTAT: 2819 e = AUE_AUDITON_GETSTAT; 2820 break; 2821 case A_SETSTAT: 2822 e = AUE_AUDITON_SETSTAT; 2823 break; 2824 case A_SETUMASK: 2825 e = AUE_AUDITON_SETUMASK; 2826 break; 2827 case A_SETSMASK: 2828 e = AUE_AUDITON_SETSMASK; 2829 break; 2830 case A_GETCOND: 2831 e = AUE_AUDITON_GETCOND; 2832 break; 2833 case A_SETCOND: 2834 e = AUE_AUDITON_SETCOND; 2835 break; 2836 case A_GETCLASS: 2837 e = AUE_AUDITON_GETCLASS; 2838 break; 2839 case A_SETCLASS: 2840 e = AUE_AUDITON_SETCLASS; 2841 break; 2842 default: 2843 e = AUE_NULL; 2844 break; 2845 } 2846 break; 2847 default: 2848 e = AUE_NULL; 2849 break; 2850 } 2851 2852 return (e); 2853 2854 } /* AUI_AUDITSYS */ 2855 2856 2857 static void 2858 aus_auditsys(struct t_audit_data *tad) 2859 { 2860 klwp_t *clwp = ttolwp(curthread); 2861 uintptr_t a1, a2; 2862 STRUCT_DECL(auditinfo, ainfo); 2863 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2864 au_evclass_map_t event; 2865 au_mask_t mask; 2866 int auditstate, policy; 2867 au_id_t auid; 2868 2869 2870 struct a { 2871 long code; 2872 long a1; 2873 long a2; 2874 long a3; 2875 long a4; 2876 long a5; 2877 long a6; 2878 long a7; 2879 } *uap = (struct a *)clwp->lwp_ap; 2880 2881 a1 = (uintptr_t)uap->a1; 2882 a2 = (uintptr_t)uap->a2; 2883 2884 switch (tad->tad_event) { 2885 case AUE_SETAUID: 2886 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2887 return; 2888 au_uwrite(au_to_arg32(2, "setauid", auid)); 2889 break; 2890 case AUE_SETAUDIT: 2891 STRUCT_INIT(ainfo, get_udatamodel()); 2892 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2893 STRUCT_SIZE(ainfo))) { 2894 return; 2895 } 2896 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2897 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2898 #ifdef _LP64 2899 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2900 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2901 #else 2902 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2903 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2904 #endif 2905 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2906 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2907 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2908 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2909 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2910 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2911 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2912 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2913 break; 2914 case AUE_SETAUDIT_ADDR: 2915 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2916 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2917 STRUCT_SIZE(ainfo_addr))) { 2918 return; 2919 } 2920 au_uwrite(au_to_arg32((char)1, "auid", 2921 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2922 #ifdef _LP64 2923 au_uwrite(au_to_arg64((char)1, "port", 2924 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2925 #else 2926 au_uwrite(au_to_arg32((char)1, "port", 2927 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2928 #endif 2929 au_uwrite(au_to_arg32((char)1, "type", 2930 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2931 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2932 AU_IPv4) { 2933 au_uwrite(au_to_in_addr( 2934 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2935 ai_termid.at_addr))); 2936 } else { 2937 au_uwrite(au_to_in_addr_ex( 2938 (int32_t *)STRUCT_FGETP(ainfo_addr, 2939 ai_termid.at_addr))); 2940 } 2941 au_uwrite(au_to_arg32((char)1, "as_success", 2942 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2943 au_uwrite(au_to_arg32((char)1, "as_failure", 2944 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2945 au_uwrite(au_to_arg32((char)1, "asid", 2946 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2947 break; 2948 case AUE_AUDITON_SETKMASK: 2949 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2950 return; 2951 au_uwrite(au_to_arg32( 2952 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2953 au_uwrite(au_to_arg32( 2954 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2955 break; 2956 case AUE_AUDITON_SPOLICY: 2957 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2958 return; 2959 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2960 break; 2961 case AUE_AUDITON_SQCTRL: { 2962 STRUCT_DECL(au_qctrl, qctrl); 2963 model_t model; 2964 2965 model = get_udatamodel(); 2966 STRUCT_INIT(qctrl, model); 2967 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2968 return; 2969 if (model == DATAMODEL_ILP32) { 2970 au_uwrite(au_to_arg32( 2971 3, "setqctrl:aq_hiwater", 2972 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2973 au_uwrite(au_to_arg32( 2974 3, "setqctrl:aq_lowater", 2975 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2976 au_uwrite(au_to_arg32( 2977 3, "setqctrl:aq_bufsz", 2978 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2979 au_uwrite(au_to_arg32( 2980 3, "setqctrl:aq_delay", 2981 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2982 } else { 2983 au_uwrite(au_to_arg64( 2984 3, "setqctrl:aq_hiwater", 2985 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2986 au_uwrite(au_to_arg64( 2987 3, "setqctrl:aq_lowater", 2988 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2989 au_uwrite(au_to_arg64( 2990 3, "setqctrl:aq_bufsz", 2991 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2992 au_uwrite(au_to_arg64( 2993 3, "setqctrl:aq_delay", 2994 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2995 } 2996 break; 2997 } 2998 case AUE_AUDITON_SETUMASK: 2999 STRUCT_INIT(ainfo, get_udatamodel()); 3000 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3001 STRUCT_SIZE(ainfo))) { 3002 return; 3003 } 3004 au_uwrite(au_to_arg32(3, "setumask:as_success", 3005 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3006 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3007 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3008 break; 3009 case AUE_AUDITON_SETSMASK: 3010 STRUCT_INIT(ainfo, get_udatamodel()); 3011 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3012 STRUCT_SIZE(ainfo))) { 3013 return; 3014 } 3015 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3016 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3017 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3018 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3019 break; 3020 case AUE_AUDITON_SETCOND: 3021 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3022 return; 3023 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3024 break; 3025 case AUE_AUDITON_SETCLASS: 3026 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3027 return; 3028 au_uwrite(au_to_arg32( 3029 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3030 au_uwrite(au_to_arg32( 3031 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3032 break; 3033 case AUE_GETAUID: 3034 case AUE_GETAUDIT: 3035 case AUE_GETAUDIT_ADDR: 3036 case AUE_AUDIT: 3037 case AUE_GETPORTAUDIT: 3038 case AUE_AUDITON_GPOLICY: 3039 case AUE_AUDITON_GQCTRL: 3040 case AUE_AUDITON_GETKMASK: 3041 case AUE_AUDITON_GETCWD: 3042 case AUE_AUDITON_GETCAR: 3043 case AUE_AUDITON_GETSTAT: 3044 case AUE_AUDITON_SETSTAT: 3045 case AUE_AUDITON_GETCOND: 3046 case AUE_AUDITON_GETCLASS: 3047 break; 3048 default: 3049 break; 3050 } 3051 3052 } /* AUS_AUDITSYS */ 3053 3054 3055 /* only audit privileged operations for systeminfo(2) system call */ 3056 static au_event_t 3057 aui_sysinfo(au_event_t e) 3058 { 3059 klwp_t *clwp = ttolwp(curthread); 3060 uint32_t command; 3061 3062 struct a { 3063 long command; 3064 long buf; /* char * */ 3065 long count; 3066 } *uap = (struct a *)clwp->lwp_ap; 3067 3068 command = (uint32_t)uap->command; 3069 3070 switch (command) { 3071 case SI_SET_HOSTNAME: 3072 case SI_SET_SRPC_DOMAIN: 3073 e = (au_event_t)AUE_SYSINFO; 3074 break; 3075 default: 3076 e = (au_event_t)AUE_NULL; 3077 break; 3078 } 3079 return (e); 3080 } 3081 3082 /*ARGSUSED*/ 3083 static void 3084 aus_sysinfo(struct t_audit_data *tad) 3085 { 3086 klwp_t *clwp = ttolwp(curthread); 3087 uint32_t command; 3088 size_t len, maxlen; 3089 char *name; 3090 uintptr_t buf; 3091 3092 struct a { 3093 long command; 3094 long buf; /* char * */ 3095 long count; 3096 } *uap = (struct a *)clwp->lwp_ap; 3097 3098 command = (uint32_t)uap->command; 3099 buf = (uintptr_t)uap->buf; 3100 3101 au_uwrite(au_to_arg32(1, "cmd", command)); 3102 3103 switch (command) { 3104 case SI_SET_HOSTNAME: 3105 { 3106 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3107 return; 3108 3109 maxlen = SYS_NMLN; 3110 name = kmem_alloc(maxlen, KM_SLEEP); 3111 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3112 break; 3113 3114 /* 3115 * Must be non-NULL string and string 3116 * must be less than SYS_NMLN chars. 3117 */ 3118 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3119 break; 3120 3121 au_uwrite(au_to_text(name)); 3122 break; 3123 } 3124 3125 case SI_SET_SRPC_DOMAIN: 3126 { 3127 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3128 return; 3129 3130 maxlen = SYS_NMLN; 3131 name = kmem_alloc(maxlen, KM_SLEEP); 3132 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3133 break; 3134 3135 /* 3136 * If string passed in is longer than length 3137 * allowed for domain name, fail. 3138 */ 3139 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3140 break; 3141 3142 au_uwrite(au_to_text(name)); 3143 break; 3144 } 3145 3146 default: 3147 return; 3148 } 3149 3150 kmem_free(name, maxlen); 3151 } 3152 3153 static au_event_t 3154 aui_modctl(au_event_t e) 3155 { 3156 klwp_t *clwp = ttolwp(curthread); 3157 uint_t cmd; 3158 3159 struct a { 3160 long cmd; 3161 } *uap = (struct a *)clwp->lwp_ap; 3162 3163 cmd = (uint_t)uap->cmd; 3164 3165 switch (cmd) { 3166 case MODLOAD: 3167 e = AUE_MODLOAD; 3168 break; 3169 case MODUNLOAD: 3170 e = AUE_MODUNLOAD; 3171 break; 3172 case MODADDMAJBIND: 3173 e = AUE_MODADDMAJ; 3174 break; 3175 case MODSETDEVPOLICY: 3176 e = AUE_MODDEVPLCY; 3177 break; 3178 case MODALLOCPRIV: 3179 e = AUE_MODADDPRIV; 3180 break; 3181 default: 3182 e = AUE_NULL; 3183 break; 3184 } 3185 return (e); 3186 } 3187 3188 3189 /*ARGSUSED*/ 3190 static void 3191 aus_modctl(struct t_audit_data *tad) 3192 { 3193 klwp_t *clwp = ttolwp(curthread); 3194 void *a = clwp->lwp_ap; 3195 uint_t use_path; 3196 3197 switch (tad->tad_event) { 3198 case AUE_MODLOAD: { 3199 typedef struct { 3200 long cmd; 3201 long use_path; 3202 long filename; /* char * */ 3203 } modloada_t; 3204 3205 char *filenamep; 3206 uintptr_t fname; 3207 extern char *default_path; 3208 3209 fname = (uintptr_t)((modloada_t *)a)->filename; 3210 use_path = (uint_t)((modloada_t *)a)->use_path; 3211 3212 /* space to hold path */ 3213 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3214 /* get string */ 3215 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3216 /* free allocated path */ 3217 kmem_free(filenamep, MOD_MAXPATH); 3218 return; 3219 } 3220 /* ensure it's null terminated */ 3221 filenamep[MOD_MAXPATH - 1] = 0; 3222 3223 if (use_path) 3224 au_uwrite(au_to_text(default_path)); 3225 au_uwrite(au_to_text(filenamep)); 3226 3227 /* release temporary memory */ 3228 kmem_free(filenamep, MOD_MAXPATH); 3229 break; 3230 } 3231 case AUE_MODUNLOAD: { 3232 typedef struct { 3233 long cmd; 3234 long id; 3235 } modunloada_t; 3236 3237 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3238 3239 au_uwrite(au_to_arg32(1, "id", id)); 3240 break; 3241 } 3242 case AUE_MODADDMAJ: { 3243 STRUCT_DECL(modconfig, mc); 3244 typedef struct { 3245 long cmd; 3246 long subcmd; 3247 long data; /* int * */ 3248 } modconfiga_t; 3249 3250 STRUCT_DECL(aliases, alias); 3251 caddr_t ap; 3252 int i, num_aliases; 3253 char *drvname, *mc_drvname; 3254 char *name; 3255 extern char *ddi_major_to_name(major_t); 3256 model_t model; 3257 3258 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3259 3260 model = get_udatamodel(); 3261 STRUCT_INIT(mc, model); 3262 /* sanitize buffer */ 3263 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3264 /* get user arguments */ 3265 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3266 STRUCT_SIZE(mc)) != 0) 3267 return; 3268 3269 mc_drvname = STRUCT_FGET(mc, drvname); 3270 if ((drvname = ddi_major_to_name( 3271 (major_t)STRUCT_FGET(mc, major))) != NULL && 3272 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3273 /* safety */ 3274 if (mc_drvname[0] != '\0') { 3275 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3276 au_uwrite(au_to_text(mc_drvname)); 3277 } 3278 /* drvname != NULL from test above */ 3279 au_uwrite(au_to_text(drvname)); 3280 return; 3281 } 3282 3283 if (mc_drvname[0] != '\0') { 3284 /* safety */ 3285 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3286 au_uwrite(au_to_text(mc_drvname)); 3287 } else 3288 au_uwrite(au_to_text("no drvname")); 3289 3290 num_aliases = STRUCT_FGET(mc, num_aliases); 3291 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3292 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3293 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3294 STRUCT_INIT(alias, model); 3295 for (i = 0; i < num_aliases; i++) { 3296 bzero((caddr_t)STRUCT_BUF(alias), 3297 STRUCT_SIZE(alias)); 3298 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3299 STRUCT_SIZE(alias)) != 0) 3300 break; 3301 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3302 MAXMODCONFNAME, NULL) != 0) { 3303 break; 3304 } 3305 3306 au_uwrite(au_to_text(name)); 3307 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3308 } 3309 kmem_free(name, MAXMODCONFNAME); 3310 break; 3311 } 3312 default: 3313 break; 3314 } 3315 } 3316 3317 3318 /*ARGSUSED*/ 3319 static void 3320 auf_accept( 3321 struct t_audit_data *tad, 3322 int error, 3323 rval_t *rval) 3324 { 3325 uint32_t scid; 3326 uint32_t sy_flags; 3327 int fd; 3328 struct sonode *so; 3329 char so_laddr[sizeof (struct sockaddr_in6)]; 3330 char so_faddr[sizeof (struct sockaddr_in6)]; 3331 int err; 3332 int len; 3333 short so_family, so_type; 3334 int add_sock_token = 0; 3335 3336 /* need to determine type of executing binary */ 3337 scid = tad->tad_scid; 3338 #ifdef _SYSCALL32_IMPL 3339 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3340 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3341 else 3342 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3343 #else 3344 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3345 #endif 3346 if (sy_flags == SE_32RVAL1) 3347 fd = rval->r_val1; 3348 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3349 fd = rval->r_val1; 3350 if (sy_flags == SE_64RVAL) 3351 fd = (int)rval->r_vals; 3352 3353 if (error) { 3354 /* can't trust socket contents. Just return */ 3355 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3356 return; 3357 } 3358 3359 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3360 /* 3361 * not security relevant if doing a accept from non socket 3362 * so no extra tokens. Should probably turn off audit record 3363 * generation here. 3364 */ 3365 return; 3366 } 3367 3368 so_family = so->so_family; 3369 so_type = so->so_type; 3370 3371 switch (so_family) { 3372 case AF_INET: 3373 case AF_INET6: 3374 /* 3375 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3376 */ 3377 if (so->so_type == SOCK_STREAM) { 3378 3379 bzero((void *)so_laddr, sizeof (so_laddr)); 3380 bzero((void *)so_faddr, sizeof (so_faddr)); 3381 3382 /* 3383 * no local address then need to get it from lower 3384 * levels. only put out record on first read ala 3385 * AUE_WRITE. 3386 */ 3387 if (so->so_state & SS_ISBOUND) { 3388 /* only done once on a connection */ 3389 (void) SOP_GETSOCKNAME(so); 3390 (void) SOP_GETPEERNAME(so); 3391 3392 /* get local and foreign addresses */ 3393 mutex_enter(&so->so_lock); 3394 len = min(so->so_laddr_len, sizeof (so_laddr)); 3395 bcopy(so->so_laddr_sa, so_laddr, len); 3396 len = min(so->so_faddr_len, sizeof (so_faddr)); 3397 bcopy(so->so_faddr_sa, so_faddr, len); 3398 mutex_exit(&so->so_lock); 3399 } 3400 3401 add_sock_token = 1; 3402 } 3403 break; 3404 3405 default: 3406 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3407 break; 3408 } 3409 3410 releasef(fd); 3411 3412 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3413 3414 if (add_sock_token == 0) { 3415 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3416 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3417 return; 3418 } 3419 3420 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3421 3422 } 3423 3424 /*ARGSUSED*/ 3425 static void 3426 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3427 { 3428 struct a { 3429 long fd; 3430 long addr; 3431 long len; 3432 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3433 3434 struct sonode *so; 3435 char so_laddr[sizeof (struct sockaddr_in6)]; 3436 char so_faddr[sizeof (struct sockaddr_in6)]; 3437 int err, fd; 3438 int len; 3439 short so_family, so_type; 3440 int add_sock_token = 0; 3441 3442 fd = (int)uap->fd; 3443 3444 /* 3445 * bind failed, then nothing extra to add to audit record. 3446 */ 3447 if (error) { 3448 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3449 /* XXX may want to add failed address some day */ 3450 return; 3451 } 3452 3453 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3454 /* 3455 * not security relevant if doing a bind from non socket 3456 * so no extra tokens. Should probably turn off audit record 3457 * generation here. 3458 */ 3459 return; 3460 } 3461 3462 so_family = so->so_family; 3463 so_type = so->so_type; 3464 3465 switch (so_family) { 3466 case AF_INET: 3467 case AF_INET6: 3468 3469 bzero(so_faddr, sizeof (so_faddr)); 3470 3471 if (so->so_state & SS_ISBOUND) { 3472 /* only done once on a connection */ 3473 (void) SOP_GETSOCKNAME(so); 3474 } 3475 3476 mutex_enter(&so->so_lock); 3477 len = min(so->so_laddr_len, sizeof (so_laddr)); 3478 bcopy(so->so_laddr_sa, so_laddr, len); 3479 mutex_exit(&so->so_lock); 3480 3481 add_sock_token = 1; 3482 3483 break; 3484 3485 case AF_UNIX: 3486 /* token added by lookup */ 3487 break; 3488 default: 3489 /* AF_ROUTE, AF_KEY do not support accept */ 3490 break; 3491 } 3492 3493 releasef(fd); 3494 3495 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3496 3497 if (add_sock_token == 0) { 3498 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3499 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3500 return; 3501 } 3502 3503 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3504 3505 } 3506 3507 /*ARGSUSED*/ 3508 static void 3509 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3510 { 3511 struct a { 3512 long fd; 3513 long addr; 3514 long len; 3515 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3516 3517 struct sonode *so; 3518 char so_laddr[sizeof (struct sockaddr_in6)]; 3519 char so_faddr[sizeof (struct sockaddr_in6)]; 3520 int err, fd; 3521 int len; 3522 short so_family, so_type; 3523 int add_sock_token = 0; 3524 3525 fd = (int)uap->fd; 3526 3527 3528 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3529 /* 3530 * not security relevant if doing a connect from non socket 3531 * so no extra tokens. Should probably turn off audit record 3532 * generation here. 3533 */ 3534 return; 3535 } 3536 3537 so_family = so->so_family; 3538 so_type = so->so_type; 3539 3540 switch (so_family) { 3541 case AF_INET: 3542 case AF_INET6: 3543 /* 3544 * no local address then need to get it from lower 3545 * levels. 3546 */ 3547 if (so->so_state & SS_ISBOUND) { 3548 /* only done once on a connection */ 3549 (void) SOP_GETSOCKNAME(so); 3550 (void) SOP_GETPEERNAME(so); 3551 } 3552 3553 bzero(so_laddr, sizeof (so_laddr)); 3554 bzero(so_faddr, sizeof (so_faddr)); 3555 3556 mutex_enter(&so->so_lock); 3557 len = min(so->so_laddr_len, sizeof (so_laddr)); 3558 bcopy(so->so_laddr_sa, so_laddr, len); 3559 if (error) { 3560 mutex_exit(&so->so_lock); 3561 if (uap->addr == NULL) 3562 break; 3563 if (uap->len <= 0) 3564 break; 3565 len = min(uap->len, sizeof (so_faddr)); 3566 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3567 break; 3568 #ifdef NOTYET 3569 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3570 #endif 3571 } else { 3572 /* sanity check on length */ 3573 len = min(so->so_faddr_len, sizeof (so_faddr)); 3574 bcopy(so->so_faddr_sa, so_faddr, len); 3575 mutex_exit(&so->so_lock); 3576 } 3577 3578 add_sock_token = 1; 3579 3580 break; 3581 3582 case AF_UNIX: 3583 /* does a lookup on name */ 3584 break; 3585 3586 default: 3587 /* AF_ROUTE, AF_KEY do not support accept */ 3588 break; 3589 } 3590 3591 releasef(fd); 3592 3593 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3594 3595 if (add_sock_token == 0) { 3596 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3597 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3598 return; 3599 } 3600 3601 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3602 3603 } 3604 3605 /*ARGSUSED*/ 3606 static void 3607 aus_shutdown(struct t_audit_data *tad) 3608 { 3609 struct a { 3610 long fd; 3611 long how; 3612 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3613 3614 struct sonode *so; 3615 char so_laddr[sizeof (struct sockaddr_in6)]; 3616 char so_faddr[sizeof (struct sockaddr_in6)]; 3617 int err, fd; 3618 int len; 3619 short so_family, so_type; 3620 int add_sock_token = 0; 3621 file_t *fp; /* unix domain sockets */ 3622 struct f_audit_data *fad; /* unix domain sockets */ 3623 3624 fd = (int)uap->fd; 3625 3626 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3627 /* 3628 * not security relevant if doing a shutdown using non socket 3629 * so no extra tokens. Should probably turn off audit record 3630 * generation here. 3631 */ 3632 return; 3633 } 3634 3635 so_family = so->so_family; 3636 so_type = so->so_type; 3637 3638 switch (so_family) { 3639 case AF_INET: 3640 case AF_INET6: 3641 3642 bzero(so_laddr, sizeof (so_laddr)); 3643 bzero(so_faddr, sizeof (so_faddr)); 3644 3645 if (so->so_state & SS_ISBOUND) { 3646 /* 3647 * no local address then need to get it from lower 3648 * levels. 3649 */ 3650 if (so->so_laddr_len == 0) 3651 (void) SOP_GETSOCKNAME(so); 3652 if (so->so_faddr_len == 0) 3653 (void) SOP_GETPEERNAME(so); 3654 } 3655 3656 mutex_enter(&so->so_lock); 3657 len = min(so->so_laddr_len, sizeof (so_laddr)); 3658 bcopy(so->so_laddr_sa, so_laddr, len); 3659 len = min(so->so_faddr_len, sizeof (so_faddr)); 3660 bcopy(so->so_faddr_sa, so_faddr, len); 3661 mutex_exit(&so->so_lock); 3662 3663 add_sock_token = 1; 3664 3665 break; 3666 3667 case AF_UNIX: 3668 3669 /* get path from file struct here */ 3670 fad = F2A(fp); 3671 ASSERT(fad); 3672 3673 if (fad->fad_aupath != NULL) { 3674 au_uwrite(au_to_path(fad->fad_aupath)); 3675 } else { 3676 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3677 } 3678 3679 audit_attributes(fp->f_vnode); 3680 3681 break; 3682 3683 default: 3684 /* 3685 * AF_KEY and AF_ROUTE support shutdown. No socket token 3686 * added. 3687 */ 3688 break; 3689 } 3690 3691 releasef(fd); 3692 3693 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3694 3695 if (add_sock_token == 0) { 3696 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3697 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3698 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3699 return; 3700 } 3701 3702 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3703 3704 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3705 3706 } 3707 3708 /*ARGSUSED*/ 3709 static void 3710 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3711 { 3712 struct a { 3713 long fd; 3714 long level; 3715 long optname; 3716 long *optval; 3717 long optlen; 3718 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3719 3720 struct sonode *so; 3721 char so_laddr[sizeof (struct sockaddr_in6)]; 3722 char so_faddr[sizeof (struct sockaddr_in6)]; 3723 char val[AU_BUFSIZE]; 3724 int err, fd; 3725 int len; 3726 short so_family, so_type; 3727 int add_sock_token = 0; 3728 file_t *fp; /* unix domain sockets */ 3729 struct f_audit_data *fad; /* unix domain sockets */ 3730 3731 fd = (int)uap->fd; 3732 3733 if (error) { 3734 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3735 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3736 /* XXX may want to include other arguments */ 3737 return; 3738 } 3739 3740 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3741 /* 3742 * not security relevant if doing a setsockopt from non socket 3743 * so no extra tokens. Should probably turn off audit record 3744 * generation here. 3745 */ 3746 return; 3747 } 3748 3749 so_family = so->so_family; 3750 so_type = so->so_type; 3751 3752 switch (so_family) { 3753 case AF_INET: 3754 case AF_INET6: 3755 3756 bzero((void *)so_laddr, sizeof (so_laddr)); 3757 bzero((void *)so_faddr, sizeof (so_faddr)); 3758 3759 if (so->so_state & SS_ISBOUND) { 3760 if (so->so_laddr_len == 0) 3761 (void) SOP_GETSOCKNAME(so); 3762 if (so->so_faddr_len == 0) 3763 (void) SOP_GETPEERNAME(so); 3764 } 3765 3766 /* get local and foreign addresses */ 3767 mutex_enter(&so->so_lock); 3768 len = min(so->so_laddr_len, sizeof (so_laddr)); 3769 bcopy(so->so_laddr_sa, so_laddr, len); 3770 len = min(so->so_faddr_len, sizeof (so_faddr)); 3771 bcopy(so->so_faddr_sa, so_faddr, len); 3772 mutex_exit(&so->so_lock); 3773 3774 add_sock_token = 1; 3775 3776 break; 3777 3778 case AF_UNIX: 3779 3780 /* get path from file struct here */ 3781 fad = F2A(fp); 3782 ASSERT(fad); 3783 3784 if (fad->fad_aupath != NULL) { 3785 au_uwrite(au_to_path(fad->fad_aupath)); 3786 } else { 3787 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3788 } 3789 3790 audit_attributes(fp->f_vnode); 3791 3792 break; 3793 3794 default: 3795 /* 3796 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3797 * added. 3798 */ 3799 break; 3800 } 3801 3802 releasef(fd); 3803 3804 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3805 3806 if (add_sock_token == 0) { 3807 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3808 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3809 } 3810 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3811 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3812 3813 bzero(val, sizeof (val)); 3814 len = min(uap->optlen, sizeof (val)); 3815 if ((len > 0) && 3816 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3817 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3818 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3819 } 3820 3821 if (add_sock_token == 0) 3822 return; 3823 3824 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3825 3826 } 3827 3828 /*ARGSUSED*/ 3829 static void 3830 aus_sockconfig(tad) 3831 struct t_audit_data *tad; 3832 { 3833 struct a { 3834 long domain; 3835 long type; 3836 long protocol; 3837 long devpath; 3838 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3839 3840 char *kdevpath; 3841 int kdevpathlen = MAXPATHLEN + 1; 3842 size_t size; 3843 3844 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3845 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3846 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3847 3848 if (uap->devpath == 0) { 3849 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3850 } else { 3851 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3852 3853 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3854 &size)) { 3855 kmem_free(kdevpath, kdevpathlen); 3856 return; 3857 } 3858 3859 if (size > MAXPATHLEN) { 3860 kmem_free(kdevpath, kdevpathlen); 3861 return; 3862 } 3863 3864 au_uwrite(au_to_text(kdevpath)); 3865 kmem_free(kdevpath, kdevpathlen); 3866 } 3867 } 3868 3869 /* 3870 * only audit recvmsg when the system call represents the creation of a new 3871 * circuit. This effectively occurs for all UDP packets and may occur for 3872 * special TCP situations where the local host has not set a local address 3873 * in the socket structure. 3874 */ 3875 /*ARGSUSED*/ 3876 static void 3877 auf_recvmsg( 3878 struct t_audit_data *tad, 3879 int error, 3880 rval_t *rvp) 3881 { 3882 struct a { 3883 long fd; 3884 long msg; /* struct msghdr */ 3885 long flags; 3886 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3887 3888 struct sonode *so; 3889 STRUCT_DECL(msghdr, msg); 3890 caddr_t msg_name; 3891 socklen_t msg_namelen; 3892 int fd; 3893 int err; 3894 char so_laddr[sizeof (struct sockaddr_in6)]; 3895 char so_faddr[sizeof (struct sockaddr_in6)]; 3896 int len; 3897 file_t *fp; /* unix domain sockets */ 3898 struct f_audit_data *fad; /* unix domain sockets */ 3899 short so_family, so_type; 3900 int add_sock_token = 0; 3901 au_kcontext_t *kctx = GET_KCTX_PZ; 3902 3903 fd = (int)uap->fd; 3904 3905 /* bail if an error */ 3906 if (error) { 3907 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3908 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3909 return; 3910 } 3911 3912 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3913 /* 3914 * not security relevant if doing a recvmsg from non socket 3915 * so no extra tokens. Should probably turn off audit record 3916 * generation here. 3917 */ 3918 return; 3919 } 3920 3921 so_family = so->so_family; 3922 so_type = so->so_type; 3923 3924 /* 3925 * only putout SOCKET_EX token if INET/INET6 family. 3926 * XXX - what do we do about other families? 3927 */ 3928 3929 switch (so_family) { 3930 case AF_INET: 3931 case AF_INET6: 3932 3933 /* 3934 * if datagram type socket, then just use what is in 3935 * socket structure for local address. 3936 * XXX - what do we do for other types? 3937 */ 3938 if ((so->so_type == SOCK_DGRAM) || 3939 (so->so_type == SOCK_RAW)) { 3940 add_sock_token = 1; 3941 3942 bzero((void *)so_laddr, sizeof (so_laddr)); 3943 bzero((void *)so_faddr, sizeof (so_faddr)); 3944 3945 /* get local address */ 3946 mutex_enter(&so->so_lock); 3947 len = min(so->so_laddr_len, sizeof (so_laddr)); 3948 bcopy(so->so_laddr_sa, so_laddr, len); 3949 mutex_exit(&so->so_lock); 3950 3951 /* get peer address */ 3952 STRUCT_INIT(msg, get_udatamodel()); 3953 3954 if (copyin((caddr_t)(uap->msg), 3955 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3956 break; 3957 } 3958 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3959 if (msg_name == NULL) { 3960 break; 3961 } 3962 3963 /* length is value from recvmsg - sanity check */ 3964 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3965 if (msg_namelen == 0) { 3966 break; 3967 } 3968 if (copyin(msg_name, so_faddr, 3969 sizeof (so_faddr)) != 0) { 3970 break; 3971 } 3972 3973 } else if (so->so_type == SOCK_STREAM) { 3974 3975 /* get path from file struct here */ 3976 fad = F2A(fp); 3977 ASSERT(fad); 3978 3979 /* 3980 * already processed this file for read attempt 3981 */ 3982 if (fad->fad_flags & FAD_READ) { 3983 /* don't want to audit every recvmsg attempt */ 3984 tad->tad_flag = 0; 3985 /* free any residual audit data */ 3986 au_close(kctx, &(u_ad), 0, 0, 0); 3987 releasef(fd); 3988 return; 3989 } 3990 /* 3991 * mark things so we know what happened and don't 3992 * repeat things 3993 */ 3994 fad->fad_flags |= FAD_READ; 3995 3996 bzero((void *)so_laddr, sizeof (so_laddr)); 3997 bzero((void *)so_faddr, sizeof (so_faddr)); 3998 3999 if (so->so_state & SS_ISBOUND) { 4000 4001 if (so->so_laddr_len == 0) 4002 (void) SOP_GETSOCKNAME(so); 4003 if (so->so_faddr_len == 0) 4004 (void) SOP_GETPEERNAME(so); 4005 4006 /* get local and foreign addresses */ 4007 mutex_enter(&so->so_lock); 4008 len = min(so->so_laddr_len, sizeof (so_laddr)); 4009 bcopy(so->so_laddr_sa, so_laddr, len); 4010 len = min(so->so_faddr_len, sizeof (so_faddr)); 4011 bcopy(so->so_faddr_sa, so_faddr, len); 4012 mutex_exit(&so->so_lock); 4013 } 4014 4015 add_sock_token = 1; 4016 } 4017 4018 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4019 4020 break; 4021 4022 case AF_UNIX: 4023 /* 4024 * first check if this is first time through. Too much 4025 * duplicate code to put this in an aui_ routine. 4026 */ 4027 4028 /* get path from file struct here */ 4029 fad = F2A(fp); 4030 ASSERT(fad); 4031 4032 /* 4033 * already processed this file for read attempt 4034 */ 4035 if (fad->fad_flags & FAD_READ) { 4036 releasef(fd); 4037 /* don't want to audit every recvmsg attempt */ 4038 tad->tad_flag = 0; 4039 /* free any residual audit data */ 4040 au_close(kctx, &(u_ad), 0, 0, 0); 4041 return; 4042 } 4043 /* 4044 * mark things so we know what happened and don't 4045 * repeat things 4046 */ 4047 fad->fad_flags |= FAD_READ; 4048 4049 if (fad->fad_aupath != NULL) { 4050 au_uwrite(au_to_path(fad->fad_aupath)); 4051 } else { 4052 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4053 } 4054 4055 audit_attributes(fp->f_vnode); 4056 4057 releasef(fd); 4058 4059 return; 4060 4061 default: 4062 break; 4063 4064 } 4065 4066 releasef(fd); 4067 4068 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4069 4070 if (add_sock_token == 0) { 4071 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4072 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4073 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4074 return; 4075 } 4076 4077 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4078 4079 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4080 4081 } 4082 4083 /*ARGSUSED*/ 4084 static void 4085 auf_recvfrom( 4086 struct t_audit_data *tad, 4087 int error, 4088 rval_t *rvp) 4089 { 4090 4091 struct a { 4092 long fd; 4093 long msg; /* char */ 4094 long len; 4095 long flags; 4096 long from; /* struct sockaddr */ 4097 long fromlen; 4098 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4099 4100 socklen_t fromlen; 4101 struct sonode *so; 4102 char so_laddr[sizeof (struct sockaddr_in6)]; 4103 char so_faddr[sizeof (struct sockaddr_in6)]; 4104 int fd; 4105 short so_family, so_type; 4106 int add_sock_token = 0; 4107 int len; 4108 int err; 4109 struct file *fp; 4110 struct f_audit_data *fad; /* unix domain sockets */ 4111 au_kcontext_t *kctx = GET_KCTX_PZ; 4112 4113 fd = (int)uap->fd; 4114 4115 /* bail if an error */ 4116 if (error) { 4117 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4118 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4119 return; 4120 } 4121 4122 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4123 /* 4124 * not security relevant if doing a recvmsg from non socket 4125 * so no extra tokens. Should probably turn off audit record 4126 * generation here. 4127 */ 4128 return; 4129 } 4130 4131 so_family = so->so_family; 4132 so_type = so->so_type; 4133 4134 /* 4135 * only putout SOCKET_EX token if INET/INET6 family. 4136 * XXX - what do we do about other families? 4137 */ 4138 4139 switch (so_family) { 4140 case AF_INET: 4141 case AF_INET6: 4142 4143 /* 4144 * if datagram type socket, then just use what is in 4145 * socket structure for local address. 4146 * XXX - what do we do for other types? 4147 */ 4148 if ((so->so_type == SOCK_DGRAM) || 4149 (so->so_type == SOCK_RAW)) { 4150 add_sock_token = 1; 4151 4152 /* get local address */ 4153 mutex_enter(&so->so_lock); 4154 len = min(so->so_laddr_len, sizeof (so_laddr)); 4155 bcopy(so->so_laddr_sa, so_laddr, len); 4156 mutex_exit(&so->so_lock); 4157 4158 /* get peer address */ 4159 bzero((void *)so_faddr, sizeof (so_faddr)); 4160 4161 /* sanity check */ 4162 if (uap->from == NULL) 4163 break; 4164 4165 /* sanity checks */ 4166 if (uap->fromlen == 0) 4167 break; 4168 4169 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4170 sizeof (fromlen)) != 0) 4171 break; 4172 4173 if (fromlen == 0) 4174 break; 4175 4176 /* enforce maximum size */ 4177 if (fromlen > sizeof (so_faddr)) 4178 fromlen = sizeof (so_faddr); 4179 4180 if (copyin((caddr_t)(uap->from), so_faddr, 4181 fromlen) != 0) 4182 break; 4183 4184 } else if (so->so_type == SOCK_STREAM) { 4185 4186 /* get path from file struct here */ 4187 fad = F2A(fp); 4188 ASSERT(fad); 4189 4190 /* 4191 * already processed this file for read attempt 4192 */ 4193 if (fad->fad_flags & FAD_READ) { 4194 /* don't want to audit every recvfrom attempt */ 4195 tad->tad_flag = 0; 4196 /* free any residual audit data */ 4197 au_close(kctx, &(u_ad), 0, 0, 0); 4198 releasef(fd); 4199 return; 4200 } 4201 /* 4202 * mark things so we know what happened and don't 4203 * repeat things 4204 */ 4205 fad->fad_flags |= FAD_READ; 4206 4207 bzero((void *)so_laddr, sizeof (so_laddr)); 4208 bzero((void *)so_faddr, sizeof (so_faddr)); 4209 4210 if (so->so_state & SS_ISBOUND) { 4211 4212 if (so->so_laddr_len == 0) 4213 (void) SOP_GETSOCKNAME(so); 4214 if (so->so_faddr_len == 0) 4215 (void) SOP_GETPEERNAME(so); 4216 4217 /* get local and foreign addresses */ 4218 mutex_enter(&so->so_lock); 4219 len = min(so->so_laddr_len, sizeof (so_laddr)); 4220 bcopy(so->so_laddr_sa, so_laddr, len); 4221 len = min(so->so_faddr_len, sizeof (so_faddr)); 4222 bcopy(so->so_faddr_sa, so_faddr, len); 4223 mutex_exit(&so->so_lock); 4224 } 4225 4226 add_sock_token = 1; 4227 } 4228 4229 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4230 4231 break; 4232 4233 case AF_UNIX: 4234 /* 4235 * first check if this is first time through. Too much 4236 * duplicate code to put this in an aui_ routine. 4237 */ 4238 4239 /* get path from file struct here */ 4240 fad = F2A(fp); 4241 ASSERT(fad); 4242 4243 /* 4244 * already processed this file for read attempt 4245 */ 4246 if (fad->fad_flags & FAD_READ) { 4247 /* don't want to audit every recvfrom attempt */ 4248 tad->tad_flag = 0; 4249 /* free any residual audit data */ 4250 au_close(kctx, &(u_ad), 0, 0, 0); 4251 releasef(fd); 4252 return; 4253 } 4254 /* 4255 * mark things so we know what happened and don't 4256 * repeat things 4257 */ 4258 fad->fad_flags |= FAD_READ; 4259 4260 if (fad->fad_aupath != NULL) { 4261 au_uwrite(au_to_path(fad->fad_aupath)); 4262 } else { 4263 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4264 } 4265 4266 audit_attributes(fp->f_vnode); 4267 4268 releasef(fd); 4269 4270 return; 4271 4272 default: 4273 break; 4274 4275 } 4276 4277 releasef(fd); 4278 4279 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4280 4281 if (add_sock_token == 0) { 4282 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4283 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4284 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4285 return; 4286 } 4287 4288 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4289 4290 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4291 } 4292 4293 /*ARGSUSED*/ 4294 static void 4295 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4296 { 4297 struct a { 4298 long fd; 4299 long msg; /* struct msghdr */ 4300 long flags; 4301 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4302 4303 struct sonode *so; 4304 char so_laddr[sizeof (struct sockaddr_in6)]; 4305 char so_faddr[sizeof (struct sockaddr_in6)]; 4306 int err; 4307 int fd; 4308 short so_family, so_type; 4309 int add_sock_token = 0; 4310 int len; 4311 struct file *fp; 4312 struct f_audit_data *fad; 4313 caddr_t msg_name; 4314 socklen_t msg_namelen; 4315 STRUCT_DECL(msghdr, msg); 4316 au_kcontext_t *kctx = GET_KCTX_PZ; 4317 4318 fd = (int)uap->fd; 4319 4320 /* bail if an error */ 4321 if (error) { 4322 /* XXX include destination address from system call arguments */ 4323 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4324 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4325 return; 4326 } 4327 4328 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4329 /* 4330 * not security relevant if doing a sendmsg from non socket 4331 * so no extra tokens. Should probably turn off audit record 4332 * generation here. 4333 */ 4334 return; 4335 } 4336 4337 so_family = so->so_family; 4338 so_type = so->so_type; 4339 4340 switch (so_family) { 4341 case AF_INET: 4342 case AF_INET6: 4343 /* 4344 * if datagram type socket, then just use what is in 4345 * socket structure for local address. 4346 * XXX - what do we do for other types? 4347 */ 4348 if ((so->so_type == SOCK_DGRAM) || 4349 (so->so_type == SOCK_RAW)) { 4350 4351 bzero((void *)so_laddr, sizeof (so_laddr)); 4352 bzero((void *)so_faddr, sizeof (so_faddr)); 4353 4354 /* get local address */ 4355 mutex_enter(&so->so_lock); 4356 len = min(so->so_laddr_len, sizeof (so_laddr)); 4357 bcopy(so->so_laddr_sa, so_laddr, len); 4358 mutex_exit(&so->so_lock); 4359 4360 /* get peer address */ 4361 STRUCT_INIT(msg, get_udatamodel()); 4362 4363 if (copyin((caddr_t)(uap->msg), 4364 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4365 break; 4366 } 4367 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4368 if (msg_name == NULL) 4369 break; 4370 4371 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4372 /* length is value from recvmsg - sanity check */ 4373 if (msg_namelen == 0) 4374 break; 4375 4376 if (copyin(msg_name, so_faddr, 4377 sizeof (so_faddr)) != 0) 4378 break; 4379 4380 add_sock_token = 1; 4381 4382 } else if (so->so_type == SOCK_STREAM) { 4383 4384 /* get path from file struct here */ 4385 fad = F2A(fp); 4386 ASSERT(fad); 4387 4388 /* 4389 * already processed this file for write attempt 4390 */ 4391 if (fad->fad_flags & FAD_WRITE) { 4392 releasef(fd); 4393 /* don't want to audit every sendmsg attempt */ 4394 tad->tad_flag = 0; 4395 /* free any residual audit data */ 4396 au_close(kctx, &(u_ad), 0, 0, 0); 4397 return; 4398 } 4399 4400 /* 4401 * mark things so we know what happened and don't 4402 * repeat things 4403 */ 4404 fad->fad_flags |= FAD_WRITE; 4405 4406 bzero((void *)so_laddr, sizeof (so_laddr)); 4407 bzero((void *)so_faddr, sizeof (so_faddr)); 4408 4409 if (so->so_state & SS_ISBOUND) { 4410 4411 if (so->so_laddr_len == 0) 4412 (void) SOP_GETSOCKNAME(so); 4413 if (so->so_faddr_len == 0) 4414 (void) SOP_GETPEERNAME(so); 4415 4416 /* get local and foreign addresses */ 4417 mutex_enter(&so->so_lock); 4418 len = min(so->so_laddr_len, sizeof (so_laddr)); 4419 bcopy(so->so_laddr_sa, so_laddr, len); 4420 len = min(so->so_faddr_len, sizeof (so_faddr)); 4421 bcopy(so->so_faddr_sa, so_faddr, len); 4422 mutex_exit(&so->so_lock); 4423 } 4424 4425 add_sock_token = 1; 4426 } 4427 4428 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4429 4430 break; 4431 4432 case AF_UNIX: 4433 /* 4434 * first check if this is first time through. Too much 4435 * duplicate code to put this in an aui_ routine. 4436 */ 4437 4438 /* get path from file struct here */ 4439 fad = F2A(fp); 4440 ASSERT(fad); 4441 4442 /* 4443 * already processed this file for write attempt 4444 */ 4445 if (fad->fad_flags & FAD_WRITE) { 4446 releasef(fd); 4447 /* don't want to audit every sendmsg attempt */ 4448 tad->tad_flag = 0; 4449 /* free any residual audit data */ 4450 au_close(kctx, &(u_ad), 0, 0, 0); 4451 return; 4452 } 4453 /* 4454 * mark things so we know what happened and don't 4455 * repeat things 4456 */ 4457 fad->fad_flags |= FAD_WRITE; 4458 4459 if (fad->fad_aupath != NULL) { 4460 au_uwrite(au_to_path(fad->fad_aupath)); 4461 } else { 4462 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4463 } 4464 4465 audit_attributes(fp->f_vnode); 4466 4467 releasef(fd); 4468 4469 return; 4470 4471 default: 4472 break; 4473 } 4474 4475 releasef(fd); 4476 4477 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4478 4479 if (add_sock_token == 0) { 4480 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4481 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4482 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4483 return; 4484 } 4485 4486 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4487 4488 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4489 } 4490 4491 /*ARGSUSED*/ 4492 static void 4493 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4494 { 4495 struct a { 4496 long fd; 4497 long msg; /* char */ 4498 long len; 4499 long flags; 4500 long to; /* struct sockaddr */ 4501 long tolen; 4502 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4503 4504 struct sonode *so; 4505 char so_laddr[sizeof (struct sockaddr_in6)]; 4506 char so_faddr[sizeof (struct sockaddr_in6)]; 4507 socklen_t tolen; 4508 int err; 4509 int fd; 4510 int len; 4511 short so_family, so_type; 4512 int add_sock_token = 0; 4513 struct file *fp; 4514 struct f_audit_data *fad; 4515 au_kcontext_t *kctx = GET_KCTX_PZ; 4516 4517 fd = (int)uap->fd; 4518 4519 /* bail if an error */ 4520 if (error) { 4521 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4522 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4523 /* XXX include destination address from system call arguments */ 4524 return; 4525 } 4526 4527 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4528 /* 4529 * not security relevant if doing a sendto using non socket 4530 * so no extra tokens. Should probably turn off audit record 4531 * generation here. 4532 */ 4533 return; 4534 } 4535 4536 so_family = so->so_family; 4537 so_type = so->so_type; 4538 4539 /* 4540 * only putout SOCKET_EX token if INET/INET6 family. 4541 * XXX - what do we do about other families? 4542 */ 4543 4544 switch (so_family) { 4545 case AF_INET: 4546 case AF_INET6: 4547 4548 /* 4549 * if datagram type socket, then just use what is in 4550 * socket structure for local address. 4551 * XXX - what do we do for other types? 4552 */ 4553 if ((so->so_type == SOCK_DGRAM) || 4554 (so->so_type == SOCK_RAW)) { 4555 4556 bzero((void *)so_laddr, sizeof (so_laddr)); 4557 bzero((void *)so_faddr, sizeof (so_faddr)); 4558 4559 /* get local address */ 4560 mutex_enter(&so->so_lock); 4561 len = min(so->so_laddr_len, sizeof (so_laddr)); 4562 bcopy(so->so_laddr_sa, so_laddr, len); 4563 mutex_exit(&so->so_lock); 4564 4565 /* get peer address */ 4566 4567 /* sanity check */ 4568 if (uap->to == NULL) 4569 break; 4570 4571 /* sanity checks */ 4572 if (uap->tolen == 0) 4573 break; 4574 4575 tolen = (socklen_t)uap->tolen; 4576 4577 /* enforce maximum size */ 4578 if (tolen > sizeof (so_faddr)) 4579 tolen = sizeof (so_faddr); 4580 4581 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4582 break; 4583 4584 add_sock_token = 1; 4585 } else { 4586 /* 4587 * check if this is first time through. 4588 */ 4589 4590 /* get path from file struct here */ 4591 fad = F2A(fp); 4592 ASSERT(fad); 4593 4594 /* 4595 * already processed this file for write attempt 4596 */ 4597 if (fad->fad_flags & FAD_WRITE) { 4598 /* don't want to audit every sendto attempt */ 4599 tad->tad_flag = 0; 4600 /* free any residual audit data */ 4601 au_close(kctx, &(u_ad), 0, 0, 0); 4602 releasef(fd); 4603 return; 4604 } 4605 /* 4606 * mark things so we know what happened and don't 4607 * repeat things 4608 */ 4609 fad->fad_flags |= FAD_WRITE; 4610 4611 bzero((void *)so_laddr, sizeof (so_laddr)); 4612 bzero((void *)so_faddr, sizeof (so_faddr)); 4613 4614 if (so->so_state & SS_ISBOUND) { 4615 4616 if (so->so_laddr_len == 0) 4617 (void) SOP_GETSOCKNAME(so); 4618 if (so->so_faddr_len == 0) 4619 (void) SOP_GETPEERNAME(so); 4620 4621 /* get local and foreign addresses */ 4622 mutex_enter(&so->so_lock); 4623 len = min(so->so_laddr_len, sizeof (so_laddr)); 4624 bcopy(so->so_laddr_sa, so_laddr, len); 4625 len = min(so->so_faddr_len, sizeof (so_faddr)); 4626 bcopy(so->so_faddr_sa, so_faddr, len); 4627 mutex_exit(&so->so_lock); 4628 } 4629 4630 add_sock_token = 1; 4631 } 4632 4633 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4634 4635 break; 4636 4637 case AF_UNIX: 4638 /* 4639 * first check if this is first time through. Too much 4640 * duplicate code to put this in an aui_ routine. 4641 */ 4642 4643 /* get path from file struct here */ 4644 fad = F2A(fp); 4645 ASSERT(fad); 4646 4647 /* 4648 * already processed this file for write attempt 4649 */ 4650 if (fad->fad_flags & FAD_WRITE) { 4651 /* don't want to audit every sendto attempt */ 4652 tad->tad_flag = 0; 4653 /* free any residual audit data */ 4654 au_close(kctx, &(u_ad), 0, 0, 0); 4655 releasef(fd); 4656 return; 4657 } 4658 /* 4659 * mark things so we know what happened and don't 4660 * repeat things 4661 */ 4662 fad->fad_flags |= FAD_WRITE; 4663 4664 if (fad->fad_aupath != NULL) { 4665 au_uwrite(au_to_path(fad->fad_aupath)); 4666 } else { 4667 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4668 } 4669 4670 audit_attributes(fp->f_vnode); 4671 4672 releasef(fd); 4673 4674 return; 4675 4676 default: 4677 break; 4678 4679 } 4680 4681 releasef(fd); 4682 4683 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4684 4685 if (add_sock_token == 0) { 4686 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4687 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4688 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4689 return; 4690 } 4691 4692 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4693 4694 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4695 4696 } 4697 4698 /* 4699 * XXX socket(2) may be equivalent to open(2) on a unix domain 4700 * socket. This needs investigation. 4701 */ 4702 4703 /*ARGSUSED*/ 4704 static void 4705 aus_socket(struct t_audit_data *tad) 4706 { 4707 struct a { 4708 long domain; 4709 long type; 4710 long protocol; 4711 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4712 4713 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4714 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4715 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4716 } 4717 4718 /*ARGSUSED*/ 4719 static void 4720 aus_sigqueue(struct t_audit_data *tad) 4721 { 4722 struct a { 4723 long pid; 4724 long signo; 4725 long *val; 4726 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4727 struct proc *p; 4728 uid_t uid, ruid; 4729 gid_t gid, rgid; 4730 pid_t pid; 4731 const auditinfo_addr_t *ainfo; 4732 cred_t *cr; 4733 4734 pid = (pid_t)uap->pid; 4735 4736 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4737 if (pid > 0) { 4738 mutex_enter(&pidlock); 4739 if ((p = prfind(pid)) == (struct proc *)0) { 4740 mutex_exit(&pidlock); 4741 return; 4742 } 4743 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4744 mutex_exit(&pidlock); 4745 4746 mutex_enter(&p->p_crlock); 4747 crhold(cr = p->p_cred); 4748 mutex_exit(&p->p_crlock); 4749 mutex_exit(&p->p_lock); 4750 4751 ainfo = crgetauinfo(cr); 4752 if (ainfo == NULL) { 4753 crfree(cr); 4754 return; 4755 } 4756 4757 uid = crgetuid(cr); 4758 gid = crgetgid(cr); 4759 ruid = crgetruid(cr); 4760 rgid = crgetrgid(cr); 4761 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4762 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4763 crfree(cr); 4764 } 4765 else 4766 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4767 } 4768 4769 /*ARGSUSED*/ 4770 static void 4771 aus_inst_sync(struct t_audit_data *tad) 4772 { 4773 struct a { 4774 long name; /* char */ 4775 long flags; 4776 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4777 4778 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4779 } 4780 4781 /*ARGSUSED*/ 4782 static void 4783 aus_brandsys(struct t_audit_data *tad) 4784 { 4785 klwp_t *clwp = ttolwp(curthread); 4786 4787 struct a { 4788 long cmd; 4789 long arg1; 4790 long arg2; 4791 long arg3; 4792 long arg4; 4793 long arg5; 4794 long arg6; 4795 } *uap = (struct a *)clwp->lwp_ap; 4796 4797 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4798 #ifdef _LP64 4799 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4800 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4801 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4802 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4803 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4804 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4805 #else 4806 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4807 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4808 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4809 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4810 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4811 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4812 #endif 4813 } 4814 4815 /*ARGSUSED*/ 4816 static void 4817 aus_p_online(struct t_audit_data *tad) 4818 { 4819 struct a { 4820 long processor_id; 4821 long flag; 4822 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4823 4824 struct flags { 4825 int flag; 4826 char *cflag; 4827 } aflags[6] = { 4828 { P_ONLINE, "P_ONLINE"}, 4829 { P_OFFLINE, "P_OFFLINE"}, 4830 { P_NOINTR, "P_NOINTR"}, 4831 { P_SPARE, "P_SPARE"}, 4832 { P_FAULTED, "P_FAULTED"}, 4833 { P_STATUS, "P_STATUS"} 4834 }; 4835 int i; 4836 char *cflag; 4837 4838 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4839 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4840 4841 for (i = 0; i < 6; i++) { 4842 if (aflags[i].flag == uap->flag) 4843 break; 4844 } 4845 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4846 4847 au_uwrite(au_to_text(cflag)); 4848 } 4849 4850 /*ARGSUSED*/ 4851 static void 4852 aus_processor_bind(struct t_audit_data *tad) 4853 { 4854 struct a { 4855 long id_type; 4856 long id; 4857 long processor_id; 4858 long obind; 4859 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4860 4861 struct proc *p; 4862 int lwpcnt; 4863 uid_t uid, ruid; 4864 gid_t gid, rgid; 4865 pid_t pid; 4866 const auditinfo_addr_t *ainfo; 4867 cred_t *cr; 4868 4869 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4870 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4871 if (uap->processor_id == PBIND_NONE) 4872 au_uwrite(au_to_text("PBIND_NONE")); 4873 else 4874 au_uwrite(au_to_arg32(3, "processor_id", 4875 (uint32_t)uap->processor_id)); 4876 4877 switch (uap->id_type) { 4878 case P_MYID: 4879 case P_LWPID: 4880 mutex_enter(&pidlock); 4881 p = ttoproc(curthread); 4882 if (p == NULL || p->p_as == &kas) { 4883 mutex_exit(&pidlock); 4884 return; 4885 } 4886 mutex_enter(&p->p_lock); 4887 mutex_exit(&pidlock); 4888 lwpcnt = p->p_lwpcnt; 4889 pid = p->p_pid; 4890 4891 mutex_enter(&p->p_crlock); 4892 crhold(cr = p->p_cred); 4893 mutex_exit(&p->p_crlock); 4894 mutex_exit(&p->p_lock); 4895 4896 ainfo = crgetauinfo(cr); 4897 if (ainfo == NULL) { 4898 crfree(cr); 4899 return; 4900 } 4901 4902 uid = crgetuid(cr); 4903 gid = crgetgid(cr); 4904 ruid = crgetruid(cr); 4905 rgid = crgetrgid(cr); 4906 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4907 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4908 crfree(cr); 4909 break; 4910 case P_PID: 4911 mutex_enter(&pidlock); 4912 p = prfind(uap->id); 4913 if (p == NULL || p->p_as == &kas) { 4914 mutex_exit(&pidlock); 4915 return; 4916 } 4917 mutex_enter(&p->p_lock); 4918 mutex_exit(&pidlock); 4919 lwpcnt = p->p_lwpcnt; 4920 pid = p->p_pid; 4921 4922 mutex_enter(&p->p_crlock); 4923 crhold(cr = p->p_cred); 4924 mutex_exit(&p->p_crlock); 4925 mutex_exit(&p->p_lock); 4926 4927 ainfo = crgetauinfo(cr); 4928 if (ainfo == NULL) { 4929 crfree(cr); 4930 return; 4931 } 4932 4933 uid = crgetuid(cr); 4934 gid = crgetgid(cr); 4935 ruid = crgetruid(cr); 4936 rgid = crgetrgid(cr); 4937 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4938 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4939 crfree(cr); 4940 4941 break; 4942 default: 4943 return; 4944 } 4945 4946 if (uap->processor_id == PBIND_NONE && 4947 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4948 au_uwrite(au_to_text("PBIND_NONE for process")); 4949 else 4950 au_uwrite(au_to_arg32(3, "processor_id", 4951 (uint32_t)uap->processor_id)); 4952 } 4953 4954 /*ARGSUSED*/ 4955 static au_event_t 4956 aui_doorfs(au_event_t e) 4957 { 4958 uint32_t code; 4959 4960 struct a { /* doorfs */ 4961 long a1; 4962 long a2; 4963 long a3; 4964 long a4; 4965 long a5; 4966 long code; 4967 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4968 4969 /* 4970 * audit formats for several of the 4971 * door calls have not yet been determined 4972 */ 4973 code = (uint32_t)uap->code; 4974 switch (code) { 4975 case DOOR_CALL: 4976 e = AUE_DOORFS_DOOR_CALL; 4977 break; 4978 case DOOR_RETURN: 4979 e = AUE_NULL; 4980 break; 4981 case DOOR_CREATE: 4982 e = AUE_DOORFS_DOOR_CREATE; 4983 break; 4984 case DOOR_REVOKE: 4985 e = AUE_DOORFS_DOOR_REVOKE; 4986 break; 4987 case DOOR_INFO: 4988 e = AUE_NULL; 4989 break; 4990 case DOOR_UCRED: 4991 e = AUE_NULL; 4992 break; 4993 case DOOR_BIND: 4994 e = AUE_NULL; 4995 break; 4996 case DOOR_UNBIND: 4997 e = AUE_NULL; 4998 break; 4999 case DOOR_GETPARAM: 5000 e = AUE_NULL; 5001 break; 5002 case DOOR_SETPARAM: 5003 e = AUE_NULL; 5004 break; 5005 default: /* illegal system call */ 5006 e = AUE_NULL; 5007 break; 5008 } 5009 5010 return (e); 5011 } 5012 5013 static door_node_t * 5014 au_door_lookup(int did) 5015 { 5016 vnode_t *vp; 5017 file_t *fp; 5018 5019 if ((fp = getf(did)) == NULL) 5020 return (NULL); 5021 /* 5022 * Use the underlying vnode (we may be namefs mounted) 5023 */ 5024 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5025 vp = fp->f_vnode; 5026 5027 if (vp == NULL || vp->v_type != VDOOR) { 5028 releasef(did); 5029 return (NULL); 5030 } 5031 5032 return (VTOD(vp)); 5033 } 5034 5035 /*ARGSUSED*/ 5036 static void 5037 aus_doorfs(struct t_audit_data *tad) 5038 { 5039 5040 struct a { /* doorfs */ 5041 long a1; 5042 long a2; 5043 long a3; 5044 long a4; 5045 long a5; 5046 long code; 5047 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5048 5049 door_node_t *dp; 5050 struct proc *p; 5051 uint32_t did; 5052 uid_t uid, ruid; 5053 gid_t gid, rgid; 5054 pid_t pid; 5055 const auditinfo_addr_t *ainfo; 5056 cred_t *cr; 5057 5058 did = (uint32_t)uap->a1; 5059 5060 switch (tad->tad_event) { 5061 case AUE_DOORFS_DOOR_CALL: 5062 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5063 if ((dp = au_door_lookup(did)) == NULL) 5064 break; 5065 5066 if (DOOR_INVALID(dp)) { 5067 releasef(did); 5068 break; 5069 } 5070 5071 if ((p = dp->door_target) == NULL) { 5072 releasef(did); 5073 break; 5074 } 5075 mutex_enter(&p->p_lock); 5076 releasef(did); 5077 5078 pid = p->p_pid; 5079 5080 mutex_enter(&p->p_crlock); 5081 crhold(cr = p->p_cred); 5082 mutex_exit(&p->p_crlock); 5083 mutex_exit(&p->p_lock); 5084 5085 ainfo = crgetauinfo(cr); 5086 if (ainfo == NULL) { 5087 crfree(cr); 5088 return; 5089 } 5090 uid = crgetuid(cr); 5091 gid = crgetgid(cr); 5092 ruid = crgetruid(cr); 5093 rgid = crgetrgid(cr); 5094 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5095 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5096 crfree(cr); 5097 break; 5098 case AUE_DOORFS_DOOR_RETURN: 5099 /* 5100 * We may want to write information about 5101 * all doors (if any) which will be copied 5102 * by this call to the user space 5103 */ 5104 break; 5105 case AUE_DOORFS_DOOR_CREATE: 5106 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5107 break; 5108 case AUE_DOORFS_DOOR_REVOKE: 5109 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5110 break; 5111 case AUE_DOORFS_DOOR_INFO: 5112 break; 5113 case AUE_DOORFS_DOOR_CRED: 5114 break; 5115 case AUE_DOORFS_DOOR_BIND: 5116 break; 5117 case AUE_DOORFS_DOOR_UNBIND: { 5118 break; 5119 } 5120 default: /* illegal system call */ 5121 break; 5122 } 5123 } 5124 5125 /*ARGSUSED*/ 5126 static au_event_t 5127 aui_acl(au_event_t e) 5128 { 5129 struct a { 5130 union { 5131 long name; /* char */ 5132 long fd; 5133 } obj; 5134 5135 long cmd; 5136 long nentries; 5137 long arg; /* aclent_t */ 5138 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5139 5140 switch (uap->cmd) { 5141 case SETACL: 5142 case ACE_SETACL: 5143 /* 5144 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5145 * are expected. 5146 */ 5147 break; 5148 case GETACL: 5149 case GETACLCNT: 5150 case ACE_GETACLCNT: 5151 /* do nothing for these two values. */ 5152 e = AUE_NULL; 5153 break; 5154 default: 5155 /* illegal system call */ 5156 break; 5157 } 5158 5159 return (e); 5160 } 5161 5162 static void 5163 au_acl(int cmd, int nentries, caddr_t bufp) 5164 { 5165 size_t a_size; 5166 aclent_t *aclbufp; 5167 ace_t *acebufp; 5168 int i; 5169 5170 switch (cmd) { 5171 case GETACL: 5172 case GETACLCNT: 5173 break; 5174 case SETACL: 5175 if (nentries < 3) 5176 break; 5177 5178 a_size = nentries * sizeof (aclent_t); 5179 5180 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5181 break; 5182 if (copyin(bufp, aclbufp, a_size)) { 5183 kmem_free(aclbufp, a_size); 5184 break; 5185 } 5186 for (i = 0; i < nentries; i++) { 5187 au_uwrite(au_to_acl(aclbufp + i)); 5188 } 5189 kmem_free(aclbufp, a_size); 5190 break; 5191 5192 case ACE_SETACL: 5193 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5194 break; 5195 5196 a_size = nentries * sizeof (ace_t); 5197 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5198 break; 5199 if (copyin(bufp, acebufp, a_size)) { 5200 kmem_free(acebufp, a_size); 5201 break; 5202 } 5203 for (i = 0; i < nentries; i++) { 5204 au_uwrite(au_to_ace(acebufp + i)); 5205 } 5206 kmem_free(acebufp, a_size); 5207 break; 5208 default: 5209 break; 5210 } 5211 } 5212 5213 /*ARGSUSED*/ 5214 static void 5215 aus_acl(struct t_audit_data *tad) 5216 { 5217 struct a { 5218 long fname; 5219 long cmd; 5220 long nentries; 5221 long aclbufp; 5222 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5223 5224 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5225 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5226 5227 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5228 } 5229 5230 /*ARGSUSED*/ 5231 static void 5232 aus_facl(struct t_audit_data *tad) 5233 { 5234 struct a { 5235 long fd; 5236 long cmd; 5237 long nentries; 5238 long aclbufp; 5239 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5240 struct file *fp; 5241 struct vnode *vp; 5242 struct f_audit_data *fad; 5243 int fd; 5244 5245 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5246 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5247 5248 fd = (int)uap->fd; 5249 5250 if ((fp = getf(fd)) == NULL) 5251 return; 5252 5253 /* get path from file struct here */ 5254 fad = F2A(fp); 5255 if (fad->fad_aupath != NULL) { 5256 au_uwrite(au_to_path(fad->fad_aupath)); 5257 } else { 5258 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5259 } 5260 5261 vp = fp->f_vnode; 5262 audit_attributes(vp); 5263 5264 /* decrement file descriptor reference count */ 5265 releasef(fd); 5266 5267 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5268 } 5269 5270 /*ARGSUSED*/ 5271 static void 5272 auf_read(tad, error, rval) 5273 struct t_audit_data *tad; 5274 int error; 5275 rval_t *rval; 5276 { 5277 struct file *fp; 5278 struct f_audit_data *fad; 5279 int fd; 5280 register struct a { 5281 long fd; 5282 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5283 au_kcontext_t *kctx = GET_KCTX_PZ; 5284 5285 fd = (int)uap->fd; 5286 5287 /* 5288 * convert file pointer to file descriptor 5289 * Note: fd ref count incremented here. 5290 */ 5291 if ((fp = getf(fd)) == NULL) 5292 return; 5293 5294 /* get path from file struct here */ 5295 fad = F2A(fp); 5296 ASSERT(fad); 5297 5298 /* 5299 * already processed this file for read attempt 5300 * 5301 * XXX might be better to turn off auditing in a aui_read() routine. 5302 */ 5303 if (fad->fad_flags & FAD_READ) { 5304 /* don't really want to audit every read attempt */ 5305 tad->tad_flag = 0; 5306 /* free any residual audit data */ 5307 au_close(kctx, &(u_ad), 0, 0, 0); 5308 releasef(fd); 5309 return; 5310 } 5311 /* mark things so we know what happened and don't repeat things */ 5312 fad->fad_flags |= FAD_READ; 5313 5314 if (fad->fad_aupath != NULL) { 5315 au_uwrite(au_to_path(fad->fad_aupath)); 5316 } else { 5317 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5318 } 5319 5320 /* include attributes */ 5321 audit_attributes(fp->f_vnode); 5322 5323 /* decrement file descriptor reference count */ 5324 releasef(fd); 5325 } 5326 5327 /*ARGSUSED*/ 5328 static void 5329 auf_write(tad, error, rval) 5330 struct t_audit_data *tad; 5331 int error; 5332 rval_t *rval; 5333 { 5334 struct file *fp; 5335 struct f_audit_data *fad; 5336 int fd; 5337 register struct a { 5338 long fd; 5339 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5340 au_kcontext_t *kctx = GET_KCTX_PZ; 5341 5342 fd = (int)uap->fd; 5343 5344 /* 5345 * convert file pointer to file descriptor 5346 * Note: fd ref count incremented here. 5347 */ 5348 if ((fp = getf(fd)) == NULL) 5349 return; 5350 5351 /* get path from file struct here */ 5352 fad = F2A(fp); 5353 ASSERT(fad); 5354 5355 /* 5356 * already processed this file for write attempt 5357 * 5358 * XXX might be better to turn off auditing in a aus_write() routine. 5359 */ 5360 if (fad->fad_flags & FAD_WRITE) { 5361 /* don't really want to audit every write attempt */ 5362 tad->tad_flag = 0; 5363 /* free any residual audit data */ 5364 au_close(kctx, &(u_ad), 0, 0, 0); 5365 releasef(fd); 5366 return; 5367 } 5368 /* mark things so we know what happened and don't repeat things */ 5369 fad->fad_flags |= FAD_WRITE; 5370 5371 if (fad->fad_aupath != NULL) { 5372 au_uwrite(au_to_path(fad->fad_aupath)); 5373 } else { 5374 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5375 } 5376 5377 /* include attributes */ 5378 audit_attributes(fp->f_vnode); 5379 5380 /* decrement file descriptor reference count */ 5381 releasef(fd); 5382 } 5383 5384 /*ARGSUSED*/ 5385 static void 5386 auf_recv(tad, error, rval) 5387 struct t_audit_data *tad; 5388 int error; 5389 rval_t *rval; 5390 { 5391 struct sonode *so; 5392 char so_laddr[sizeof (struct sockaddr_in6)]; 5393 char so_faddr[sizeof (struct sockaddr_in6)]; 5394 struct file *fp; 5395 struct f_audit_data *fad; 5396 int fd; 5397 int err; 5398 int len; 5399 short so_family, so_type; 5400 register struct a { 5401 long fd; 5402 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5403 au_kcontext_t *kctx = GET_KCTX_PZ; 5404 5405 /* 5406 * If there was an error, then nothing to do. Only generate 5407 * audit record on first successful recv. 5408 */ 5409 if (error) { 5410 /* Turn off audit record generation here. */ 5411 tad->tad_flag = 0; 5412 /* free any residual audit data */ 5413 au_close(kctx, &(u_ad), 0, 0, 0); 5414 return; 5415 } 5416 5417 fd = (int)uap->fd; 5418 5419 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5420 /* Turn off audit record generation here. */ 5421 tad->tad_flag = 0; 5422 /* free any residual audit data */ 5423 au_close(kctx, &(u_ad), 0, 0, 0); 5424 return; 5425 } 5426 5427 /* get path from file struct here */ 5428 fad = F2A(fp); 5429 ASSERT(fad); 5430 5431 /* 5432 * already processed this file for read attempt 5433 */ 5434 if (fad->fad_flags & FAD_READ) { 5435 releasef(fd); 5436 /* don't really want to audit every recv call */ 5437 tad->tad_flag = 0; 5438 /* free any residual audit data */ 5439 au_close(kctx, &(u_ad), 0, 0, 0); 5440 return; 5441 } 5442 5443 /* mark things so we know what happened and don't repeat things */ 5444 fad->fad_flags |= FAD_READ; 5445 5446 so_family = so->so_family; 5447 so_type = so->so_type; 5448 5449 switch (so_family) { 5450 case AF_INET: 5451 case AF_INET6: 5452 /* 5453 * Only for connections. 5454 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5455 */ 5456 if (so->so_state & SS_ISBOUND) { 5457 5458 bzero((void *)so_laddr, sizeof (so_laddr)); 5459 bzero((void *)so_faddr, sizeof (so_faddr)); 5460 5461 /* only done once on a connection */ 5462 (void) SOP_GETSOCKNAME(so); 5463 (void) SOP_GETPEERNAME(so); 5464 5465 /* get local and foreign addresses */ 5466 mutex_enter(&so->so_lock); 5467 len = min(so->so_laddr_len, sizeof (so_laddr)); 5468 bcopy(so->so_laddr_sa, so_laddr, len); 5469 len = min(so->so_faddr_len, sizeof (so_faddr)); 5470 bcopy(so->so_faddr_sa, so_faddr, len); 5471 mutex_exit(&so->so_lock); 5472 5473 /* 5474 * only way to drop out of switch. Note that we 5475 * we release fd below. 5476 */ 5477 5478 break; 5479 } 5480 5481 releasef(fd); 5482 5483 /* don't really want to audit every recv call */ 5484 tad->tad_flag = 0; 5485 /* free any residual audit data */ 5486 au_close(kctx, &(u_ad), 0, 0, 0); 5487 5488 return; 5489 5490 case AF_UNIX: 5491 5492 if (fad->fad_aupath != NULL) { 5493 au_uwrite(au_to_path(fad->fad_aupath)); 5494 } else { 5495 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5496 } 5497 5498 audit_attributes(fp->f_vnode); 5499 5500 releasef(fd); 5501 5502 return; 5503 5504 default: 5505 releasef(fd); 5506 5507 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5508 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5509 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5510 5511 return; 5512 } 5513 5514 releasef(fd); 5515 5516 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5517 5518 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5519 5520 } 5521 5522 /*ARGSUSED*/ 5523 static void 5524 auf_send(tad, error, rval) 5525 struct t_audit_data *tad; 5526 int error; 5527 rval_t *rval; 5528 { 5529 struct sonode *so; 5530 char so_laddr[sizeof (struct sockaddr_in6)]; 5531 char so_faddr[sizeof (struct sockaddr_in6)]; 5532 struct file *fp; 5533 struct f_audit_data *fad; 5534 int fd; 5535 int err; 5536 int len; 5537 short so_family, so_type; 5538 register struct a { 5539 long fd; 5540 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5541 au_kcontext_t *kctx = GET_KCTX_PZ; 5542 5543 fd = (int)uap->fd; 5544 5545 /* 5546 * If there was an error, then nothing to do. Only generate 5547 * audit record on first successful send. 5548 */ 5549 if (error != 0) { 5550 /* Turn off audit record generation here. */ 5551 tad->tad_flag = 0; 5552 /* free any residual audit data */ 5553 au_close(kctx, &(u_ad), 0, 0, 0); 5554 return; 5555 } 5556 5557 fd = (int)uap->fd; 5558 5559 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5560 /* Turn off audit record generation here. */ 5561 tad->tad_flag = 0; 5562 /* free any residual audit data */ 5563 au_close(kctx, &(u_ad), 0, 0, 0); 5564 return; 5565 } 5566 5567 /* get path from file struct here */ 5568 fad = F2A(fp); 5569 ASSERT(fad); 5570 5571 /* 5572 * already processed this file for write attempt 5573 */ 5574 if (fad->fad_flags & FAD_WRITE) { 5575 releasef(fd); 5576 /* don't really want to audit every send call */ 5577 tad->tad_flag = 0; 5578 /* free any residual audit data */ 5579 au_close(kctx, &(u_ad), 0, 0, 0); 5580 return; 5581 } 5582 5583 /* mark things so we know what happened and don't repeat things */ 5584 fad->fad_flags |= FAD_WRITE; 5585 5586 so_family = so->so_family; 5587 so_type = so->so_type; 5588 5589 switch (so_family) { 5590 case AF_INET: 5591 case AF_INET6: 5592 /* 5593 * Only for connections. 5594 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5595 */ 5596 if (so->so_state & SS_ISBOUND) { 5597 5598 bzero((void *)so_laddr, sizeof (so_laddr)); 5599 bzero((void *)so_faddr, sizeof (so_faddr)); 5600 5601 /* only done once on a connection */ 5602 (void) SOP_GETSOCKNAME(so); 5603 (void) SOP_GETPEERNAME(so); 5604 5605 /* get local and foreign addresses */ 5606 mutex_enter(&so->so_lock); 5607 len = min(so->so_laddr_len, sizeof (so_laddr)); 5608 bcopy(so->so_laddr_sa, so_laddr, len); 5609 len = min(so->so_faddr_len, sizeof (so_faddr)); 5610 bcopy(so->so_faddr_sa, so_faddr, len); 5611 mutex_exit(&so->so_lock); 5612 5613 /* 5614 * only way to drop out of switch. Note that we 5615 * we release fd below. 5616 */ 5617 5618 break; 5619 } 5620 5621 releasef(fd); 5622 /* don't really want to audit every send call */ 5623 tad->tad_flag = 0; 5624 /* free any residual audit data */ 5625 au_close(kctx, &(u_ad), 0, 0, 0); 5626 5627 return; 5628 5629 case AF_UNIX: 5630 5631 if (fad->fad_aupath != NULL) { 5632 au_uwrite(au_to_path(fad->fad_aupath)); 5633 } else { 5634 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5635 } 5636 5637 audit_attributes(fp->f_vnode); 5638 5639 releasef(fd); 5640 5641 return; 5642 5643 default: 5644 releasef(fd); 5645 5646 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5647 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5648 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5649 5650 return; 5651 } 5652 5653 releasef(fd); 5654 5655 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5656 5657 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5658 } 5659 5660 static au_event_t 5661 aui_forksys(au_event_t e) 5662 { 5663 struct a { 5664 long subcode; 5665 long flags; 5666 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5667 5668 switch ((uint_t)uap->subcode) { 5669 case 0: 5670 e = AUE_FORK1; 5671 break; 5672 case 1: 5673 e = AUE_FORKALL; 5674 break; 5675 case 2: 5676 e = AUE_VFORK; 5677 break; 5678 default: 5679 e = AUE_NULL; 5680 break; 5681 } 5682 5683 return (e); 5684 } 5685 5686 /*ARGSUSED*/ 5687 static au_event_t 5688 aui_portfs(au_event_t e) 5689 { 5690 struct a { /* portfs */ 5691 long a1; 5692 long a2; 5693 long a3; 5694 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5695 5696 /* 5697 * check opcode 5698 */ 5699 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5700 case PORT_ASSOCIATE: 5701 case PORT_DISSOCIATE: 5702 /* 5703 * check source 5704 */ 5705 if ((uint_t)uap->a3 == PORT_SOURCE_FILE) { 5706 e = AUE_PORTFS; 5707 } else { 5708 e = AUE_NULL; 5709 } 5710 break; 5711 default: 5712 e = AUE_NULL; 5713 } 5714 return (e); 5715 } 5716