xref: /titanic_44/usr/src/uts/common/c2/audit_event.c (revision 25351652d920ae27c5a56c199da581033ce763f6)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * This file contains the audit event table used to control the production
29  * of audit records for each system call.
30  */
31 
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h>	/* for sysinfo auditing */
37 #include <sys/utsname.h>	/* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h>		/* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h>		/* for accept */
56 #include <sys/utssys.h>		/* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <netinet/in.h>
76 #include <sys/ddi.h>
77 #include <sys/port_impl.h>
78 
79 
80 char	_depends_on[] = "fs/sockfs";
81 
82 static au_event_t	aui_open(au_event_t);
83 static au_event_t	aui_fsat(au_event_t);
84 static au_event_t	aui_msgsys(au_event_t);
85 static au_event_t	aui_shmsys(au_event_t);
86 static au_event_t	aui_semsys(au_event_t);
87 static au_event_t	aui_utssys(au_event_t);
88 static au_event_t	aui_fcntl(au_event_t);
89 static au_event_t	aui_execv(au_event_t);
90 static au_event_t	aui_execve(au_event_t);
91 static au_event_t	aui_memcntl(au_event_t);
92 static au_event_t	aui_sysinfo(au_event_t);
93 static au_event_t	aui_portfs(au_event_t);
94 static au_event_t	aui_auditsys(au_event_t);
95 static au_event_t	aui_modctl(au_event_t);
96 static au_event_t	aui_acl(au_event_t);
97 static au_event_t	aui_doorfs(au_event_t);
98 static au_event_t	aui_privsys(au_event_t);
99 static au_event_t	aui_forksys(au_event_t);
100 static au_event_t	aui_labelsys(au_event_t);
101 
102 static void	aus_open(struct t_audit_data *);
103 static void	aus_acl(struct t_audit_data *);
104 static void	aus_acct(struct t_audit_data *);
105 static void	aus_chown(struct t_audit_data *);
106 static void	aus_fchown(struct t_audit_data *);
107 static void	aus_lchown(struct t_audit_data *);
108 static void	aus_chmod(struct t_audit_data *);
109 static void	aus_facl(struct t_audit_data *);
110 static void	aus_fchmod(struct t_audit_data *);
111 static void	aus_fcntl(struct t_audit_data *);
112 static void	aus_fsat(struct t_audit_data *);
113 static void	aus_mkdir(struct t_audit_data *);
114 static void	aus_mknod(struct t_audit_data *);
115 static void	aus_mount(struct t_audit_data *);
116 static void	aus_umount(struct t_audit_data *);
117 static void	aus_umount2(struct t_audit_data *);
118 static void	aus_msgsys(struct t_audit_data *);
119 static void	aus_semsys(struct t_audit_data *);
120 static void	aus_close(struct t_audit_data *);
121 static void	aus_fstatfs(struct t_audit_data *);
122 static void	aus_setgid(struct t_audit_data *);
123 static void	aus_setuid(struct t_audit_data *);
124 static void	aus_shmsys(struct t_audit_data *);
125 static void	aus_doorfs(struct t_audit_data *);
126 static void	aus_ioctl(struct t_audit_data *);
127 static void	aus_memcntl(struct t_audit_data *);
128 static void	aus_mmap(struct t_audit_data *);
129 static void	aus_munmap(struct t_audit_data *);
130 static void	aus_priocntlsys(struct t_audit_data *);
131 static void	aus_setegid(struct t_audit_data *);
132 static void	aus_setgroups(struct t_audit_data *);
133 static void	aus_seteuid(struct t_audit_data *);
134 static void	aus_putmsg(struct t_audit_data *);
135 static void	aus_putpmsg(struct t_audit_data *);
136 static void	aus_getmsg(struct t_audit_data *);
137 static void	aus_getpmsg(struct t_audit_data *);
138 static void	aus_auditsys(struct t_audit_data *);
139 static void	aus_sysinfo(struct t_audit_data *);
140 static void	aus_modctl(struct t_audit_data *);
141 static void	aus_kill(struct t_audit_data *);
142 static void	aus_xmknod(struct t_audit_data *);
143 static void	aus_setregid(struct t_audit_data *);
144 static void	aus_setreuid(struct t_audit_data *);
145 static void	aus_labelsys(struct t_audit_data *);
146 
147 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
148 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
149 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
150 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
151 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
152 static void	auf_read(struct t_audit_data *, int, rval_t *);
153 static void	auf_write(struct t_audit_data *, int, rval_t *);
154 
155 static void	aus_sigqueue(struct t_audit_data *);
156 static void	aus_p_online(struct t_audit_data *);
157 static void	aus_processor_bind(struct t_audit_data *);
158 static void	aus_inst_sync(struct t_audit_data *);
159 static void	aus_brandsys(struct t_audit_data *);
160 
161 static void	auf_accept(struct t_audit_data *, int, rval_t *);
162 
163 static void	auf_bind(struct t_audit_data *, int, rval_t *);
164 static void	auf_connect(struct t_audit_data *, int, rval_t *);
165 static void	aus_shutdown(struct t_audit_data *);
166 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
167 static void	aus_sockconfig(struct t_audit_data *);
168 static void	auf_recv(struct t_audit_data *, int, rval_t *);
169 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
170 static void	auf_send(struct t_audit_data *, int, rval_t *);
171 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
172 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
173 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
174 static void	aus_socket(struct t_audit_data *);
175 /*
176  * This table contains mapping information for converting system call numbers
177  * to audit event IDs. In several cases it is necessary to map a single system
178  * call to several events.
179  */
180 
181 #define	aui_null	NULL	/* NULL initialize function */
182 #define	aus_null	NULL	/* NULL start function */
183 #define	auf_null	NULL	/* NULL finish function */
184 
185 struct audit_s2e audit_s2e[] =
186 {
187 /*
188  * ----------	---------- 	----------	----------
189  * INITIAL	AUDIT		START		SYSTEM
190  * PROCESSING	EVENT		PROCESSING	CALL
191  * ----------	----------	----------	-----------
192  *		FINISH		EVENT
193  *		PROCESSING	CONTROL
194  * ----------------------------------------------------------
195  */
196 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
197 		auf_null,	0,
198 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
199 		auf_null,	S2E_NPT,
200 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
201 		auf_null,	0,
202 aui_null,	AUE_READ,	aus_null,	/* 3 read */
203 		auf_read,	S2E_PUB,
204 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
205 		auf_write,	0,
206 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
207 		auf_null,	S2E_SP,
208 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
209 		auf_null,	0,
210 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
211 		auf_null,	0,
212 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
213 		auf_null,	S2E_SP,
214 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
215 		auf_null,	0,
216 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
217 		auf_null,	0,
218 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
219 		auf_null,	S2E_MLD,
220 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
221 		auf_null,	S2E_SP,
222 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
223 		auf_null,	0,
224 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
225 		auf_mknod,	0,
226 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
227 		auf_null,	0,
228 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
229 		auf_null,	0,
230 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
231 		auf_null,	0,
232 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
233 		auf_null,	S2E_PUB,
234 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
235 		auf_null,	0,
236 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
237 		auf_null,	0,
238 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
239 		auf_null,	S2E_MLD,
240 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
241 		auf_null,	0,
242 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
243 		auf_null,	0,
244 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
245 		auf_null,	0,
246 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
247 		auf_null,	0,
248 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
249 		auf_null,	0,
250 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
251 		auf_null,	0,
252 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
253 		auf_null,	0,
254 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
255 		auf_null,	0,
256 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
257 		auf_null,	0,
258 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
259 		auf_null,	0,
260 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
261 		auf_null,	0,
262 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
263 		auf_null,	S2E_PUB,
264 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
265 		auf_null,	0,
266 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
267 		auf_null,	S2E_PUB,
268 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
269 		auf_null,	0,
270 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
271 		auf_null,	0,
272 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
273 		auf_null,	S2E_PUB,
274 aui_null,	AUE_SETPGRP,	aus_null,	/* 39 setpgrp */
275 		auf_null,	0,
276 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
277 		auf_null,	0,
278 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
279 		auf_null,	0,
280 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
281 		auf_null,	0,
282 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
283 		auf_null,	0,
284 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
285 		auf_null,	0,
286 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
287 						/*	was proc lock */
288 		auf_null,	0,
289 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
290 		auf_null,	0,
291 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
292 		auf_null,	0,
293 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
294 		auf_null,	0,
295 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
296 		auf_msgsys,	0,
297 #if defined(__x86)
298 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
299 		auf_null,	0,
300 #else
301 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
302 		auf_null,	0,
303 #endif /* __x86 */
304 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
305 		auf_null,	0,
306 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
307 		auf_shmsys,	0,
308 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
309 		auf_semsys,	0,
310 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
311 		auf_null,	0,
312 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
313 		auf_null,	0,
314 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
315 		auf_null,	0,
316 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
317 		auf_null,	0,
318 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
319 		auf_null,	0,
320 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
321 		auf_null,	S2E_MLD,
322 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
323 		auf_null,	0,
324 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
325 		auf_null,	S2E_SP,
326 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
327 		auf_null,	0,
328 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
329 		auf_null,	0,
330 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
331 		auf_null,	0,
332 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
333 		auf_null,	0,
334 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
335 		auf_null,	0,
336 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
337 						/*	file locking call */
338 		auf_null,	0,
339 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
340 						/*	local system calls */
341 		auf_null,	0,
342 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
343 		auf_null,	0,
344 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
345 		auf_null,	0,
346 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
347 		auf_null,	0,
348 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
349 		auf_null,	0,
350 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
355 						/*	was sigret (SunOS) */
356 		auf_null,	0,
357 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
358 		auf_null,	0,
359 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
360 		auf_null,	0,
361 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
362 		auf_null,	0,
363 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
364 		auf_null,	0,
365 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
366 		auf_null,	0,
367 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
368 		auf_null,	0,
369 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
370 						/*	was libattach */
371 		auf_null,	0,
372 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
373 						/*	was libdetach */
374 		auf_null,	0,
375 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
376 		auf_null,	0,
377 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
378 		auf_null,	0,
379 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
380 		auf_null,	0,
381 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
382 		auf_null,	0,
383 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
384 		auf_null,	S2E_PUB,
385 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
386 		auf_null,	0,
387 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
388 		auf_null,	S2E_PUB,
389 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
390 		auf_null,	0,
391 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
392 		auf_null,	0,
393 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
394 		auf_null,	0,
395 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
396 		auf_null,	0,
397 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
398 		auf_null,	0,
399 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
400 		auf_null,	0,
401 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
402 		auf_null,	0,
403 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
404 		auf_null,	0,
405 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
406 		auf_null,	0,
407 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
408 		auf_null,	0,
409 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
410 		auf_null,	0,
411 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
412 						/*	was evtrapret */
413 		auf_null,	0,
414 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
415 		auf_null,	S2E_PUB,
416 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
417 		auf_null,	0,
418 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
419 		auf_null,	0,
420 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
421 		auf_null,	0,
422 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
423 		auf_null,	0,
424 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
425 		auf_null,	0,
426 #if defined(__x86)
427 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
428 		auf_null,	0,
429 #else
430 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
431 		auf_null,	0,
432 #endif /* __x86 */
433 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
434 		auf_null,	0,
435 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
436 		auf_null,	0,
437 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
438 		auf_null,	0,		/* 112 priocntlsys */
439 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
440 		auf_null,	S2E_PUB,
441 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
442 		auf_null,	0,
443 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
444 		auf_null,	0,
445 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
446 		auf_null,	0,
447 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
448 		auf_null,	0,
449 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
450 		auf_null,	0,
451 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
452 		auf_null,	0,
453 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
454 		auf_null,	0,
455 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
456 		auf_read,	S2E_PUB,
457 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
458 		auf_write,	0,
459 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
460 		auf_null,	S2E_PUB,
461 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
462 		auf_null,	S2E_PUB,
463 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
464 		auf_null,	0,
465 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
466 		auf_xmknod,	0,
467 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
468 		auf_null,	0,
469 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
470 		auf_null,	0,
471 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
472 		auf_null,	0,
473 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
474 		auf_null,	0,
475 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
476 		auf_null,	0,
477 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
478 		auf_null,	0,
479 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
480 		auf_null,	0,
481 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
482 		auf_null,	0,
483 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
484 		auf_null,	0,
485 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
486 		auf_null,	0,
487 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
488 		auf_null,	0,
489 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
490 		auf_null,	0,
491 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
492 		auf_null,	0,
493 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
494 		auf_null,	0,
495 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
496 		auf_null,	0,
497 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
498 		auf_null,	0,
499 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
500 		auf_null,	0,
501 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
502 		auf_null,	0,
503 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
504 		auf_null,	0,
505 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
506 		auf_null,	0,
507 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
508 		auf_null,	0,
509 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
510 		auf_null,	0,
511 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
512 		auf_null,	0,
513 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
514 		auf_null,	0,
515 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
516 		auf_null,	0,
517 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
518 		auf_null,	0,
519 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
520 		auf_null,	0,
521 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
522 		auf_null,	0,
523 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
524 		auf_null,	0,
525 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
526 		auf_null,	0,
527 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
528 		auf_null,	0,
529 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
530 		auf_null,	0,
531 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
532 		auf_null,	0,
533 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
534 		auf_null,	0,
535 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
536 		auf_null,	0,
537 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
538 		auf_null,	0,
539 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
540 		auf_null,	0,
541 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
542 		auf_null,	0,
543 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
544 						/*	was lwp_setprivate */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
547 						/*	was lwp_getprivate */
548 		auf_null,	0,
549 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
550 		auf_null,	0,
551 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
552 		auf_null,	0,
553 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
554 		auf_null,	0,
555 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
556 		auf_null,	0,
557 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
558 		auf_null,	0,
559 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
560 		auf_null,	0,
561 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
562 		auf_read,	S2E_PUB,
563 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
564 		auf_write,	0,
565 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
566 		auf_null,	0,
567 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
568 						/* aus_inst_sync */
569 		auf_null,	0,
570 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
571 		auf_null,	0,
572 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
573 		auf_null,	0,
574 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
575 		auf_null,	0,
576 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
577 		auf_null,	0,
578 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
579 		auf_null,	0,
580 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
581 		auf_null,	0,
582 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
583 		auf_null,	0,
584 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
585 		auf_null,	0,
586 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
587 		auf_null,	0,
588 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
589 		auf_null,	0,
590 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
591 		auf_null,	0,		/* 187 processor_bind */
592 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
593 		auf_null,	0,
594 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
595 		auf_null,	0,
596 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
597 		auf_null,	0,
598 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
599 		auf_null,	0,
600 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
601 		auf_null,	0,
602 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
603 		auf_null,	0,
604 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
605 		auf_null,	0,
606 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
607 		auf_null,	0,
608 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
609 		auf_null,	0,
610 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
611 		auf_null,	0,
612 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
613 		auf_null,	0,
614 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
615 		auf_null,	0,
616 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
617 		auf_null,	0,
618 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
619 		auf_null,	0,
620 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
621 		auf_null,	0,
622 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
623 		auf_null,	0,
624 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
625 		auf_null,	0,
626 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
627 		auf_null,	0,
628 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
629 		auf_null,	0,
630 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
631 		auf_null,	0,
632 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
633 		auf_null,	0,
634 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
635 		auf_null,	0,
636 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
637 		auf_null,	0,
638 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
639 		auf_null,	0,
640 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
641 		auf_null,	0,
642 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
643 		auf_null,	0,
644 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
645 		auf_null,	0,
646 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
647 		auf_null,	S2E_PUB,
648 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
649 		auf_null,	S2E_PUB,
650 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
651 		auf_null,	0,
652 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
653 		auf_null,	S2E_PUB,
654 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
655 		auf_null,	0,
656 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
657 		auf_null,	0,
658 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
659 		auf_null,	0,
660 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
661 		auf_read,	S2E_PUB,
662 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
663 		auf_write,	0,
664 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
665 		auf_null,	S2E_SP,
666 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
667 		auf_null,	S2E_SP,
668 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
669 		auf_null,	0,
670 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
671 		auf_null,	0,
672 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
673 		auf_null,	0,
674 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
675 		auf_null,	0,
676 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
677 		auf_null,	0,
678 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
679 		auf_null,	0,
680 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
681 		auf_bind,	0,
682 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
683 		auf_null,	0,
684 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
685 		auf_accept,	0,
686 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
687 		auf_connect,	0,
688 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
689 		auf_null,	0,
690 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
691 		auf_recv,	0,
692 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
693 		auf_recvfrom,	0,
694 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
695 		auf_recvmsg,	0,
696 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
697 		auf_send,	0,
698 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
699 		auf_sendmsg,	0,
700 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
701 		auf_sendto,	0,
702 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
703 		auf_null,	0,
704 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
705 		auf_null,	0,
706 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
707 		auf_null,	0,
708 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
709 		auf_setsockopt,	0,
710 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
711 		auf_null,	0,
712 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
713 		auf_null,	0,
714 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
715 		auf_null,	0,
716 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
717 		auf_null,	0,
718 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
719 		auf_null,	0,
720 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
721 		auf_null,	0,
722 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
723 		auf_null,	0,
724 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
725 		auf_null,	0,
726 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
727 		auf_null,	0
728 };
729 
730 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
731 
732 
733 /* acct start function */
734 /*ARGSUSED*/
735 static void
736 aus_acct(struct t_audit_data *tad)
737 {
738 	klwp_t *clwp = ttolwp(curthread);
739 	uintptr_t fname;
740 
741 	struct a {
742 		long	fname;		/* char * */
743 	} *uap = (struct a *)clwp->lwp_ap;
744 
745 	fname = (uintptr_t)uap->fname;
746 
747 	if (fname == 0)
748 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
749 }
750 
751 /* chown start function */
752 /*ARGSUSED*/
753 static void
754 aus_chown(struct t_audit_data *tad)
755 {
756 	klwp_t *clwp = ttolwp(curthread);
757 	uint32_t uid, gid;
758 
759 	struct a {
760 		long	fname;		/* char * */
761 		long	uid;
762 		long	gid;
763 	} *uap = (struct a *)clwp->lwp_ap;
764 
765 	uid = (uint32_t)uap->uid;
766 	gid = (uint32_t)uap->gid;
767 
768 	au_uwrite(au_to_arg32(2, "new file uid", uid));
769 	au_uwrite(au_to_arg32(3, "new file gid", gid));
770 }
771 
772 /* fchown start function */
773 /*ARGSUSED*/
774 static void
775 aus_fchown(struct t_audit_data *tad)
776 {
777 	klwp_t *clwp = ttolwp(curthread);
778 	uint32_t uid, gid, fd;
779 	struct file  *fp;
780 	struct vnode *vp;
781 	struct f_audit_data *fad;
782 
783 	struct a {
784 		long fd;
785 		long uid;
786 		long gid;
787 	} *uap = (struct a *)clwp->lwp_ap;
788 
789 	fd  = (uint32_t)uap->fd;
790 	uid = (uint32_t)uap->uid;
791 	gid = (uint32_t)uap->gid;
792 
793 	au_uwrite(au_to_arg32(2, "new file uid", uid));
794 	au_uwrite(au_to_arg32(3, "new file gid", gid));
795 
796 		/*
797 		 * convert file pointer to file descriptor
798 		 *   Note: fd ref count incremented here.
799 		 */
800 	if ((fp = getf(fd)) == NULL)
801 		return;
802 
803 	/* get path from file struct here */
804 	fad = F2A(fp);
805 	if (fad->fad_aupath != NULL) {
806 		au_uwrite(au_to_path(fad->fad_aupath));
807 	} else {
808 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
809 	}
810 
811 	vp = fp->f_vnode;
812 	audit_attributes(vp);
813 
814 	/* decrement file descriptor reference count */
815 	releasef(fd);
816 }
817 
818 /*ARGSUSED*/
819 static void
820 aus_lchown(struct t_audit_data *tad)
821 {
822 	klwp_t *clwp = ttolwp(curthread);
823 	uint32_t uid, gid;
824 
825 
826 	struct a {
827 		long	fname;		/* char	* */
828 		long	uid;
829 		long	gid;
830 	} *uap = (struct a *)clwp->lwp_ap;
831 
832 	uid = (uint32_t)uap->uid;
833 	gid = (uint32_t)uap->gid;
834 
835 	au_uwrite(au_to_arg32(2, "new file uid", uid));
836 	au_uwrite(au_to_arg32(3, "new file gid", gid));
837 }
838 
839 /* chmod start function */
840 /*ARGSUSED*/
841 static void
842 aus_chmod(struct t_audit_data *tad)
843 {
844 	klwp_t *clwp = ttolwp(curthread);
845 	uint32_t fmode;
846 
847 	struct a {
848 		long	fname;		/* char	* */
849 		long	fmode;
850 	} *uap = (struct a *)clwp->lwp_ap;
851 
852 	fmode = (uint32_t)uap->fmode;
853 
854 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
855 }
856 
857 /* chmod start function */
858 /*ARGSUSED*/
859 static void
860 aus_fchmod(struct t_audit_data *tad)
861 {
862 	klwp_t *clwp = ttolwp(curthread);
863 	uint32_t fmode, fd;
864 	struct file  *fp;
865 	struct vnode *vp;
866 	struct f_audit_data *fad;
867 
868 	struct a {
869 		long	fd;
870 		long	fmode;
871 	} *uap = (struct a *)clwp->lwp_ap;
872 
873 	fd = (uint32_t)uap->fd;
874 	fmode = (uint32_t)uap->fmode;
875 
876 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
877 
878 		/*
879 		 * convert file pointer to file descriptor
880 		 *   Note: fd ref count incremented here.
881 		 */
882 	if ((fp = getf(fd)) == NULL)
883 		return;
884 
885 		/* get path from file struct here */
886 	fad = F2A(fp);
887 	if (fad->fad_aupath != NULL) {
888 		au_uwrite(au_to_path(fad->fad_aupath));
889 	} else {
890 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
891 	}
892 
893 	vp = fp->f_vnode;
894 	audit_attributes(vp);
895 
896 	/* decrement file descriptor reference count */
897 	releasef(fd);
898 }
899 
900 
901 /* convert open to appropriate event */
902 static au_event_t
903 aui_open(au_event_t e)
904 {
905 	klwp_t *clwp = ttolwp(curthread);
906 	uint_t fm;
907 
908 	struct a {
909 		long	fnamep;		/* char	* */
910 		long	fmode;
911 		long	cmode;
912 	} *uap = (struct a *)clwp->lwp_ap;
913 
914 	fm = (uint_t)uap->fmode;
915 
916 	if (fm & O_WRONLY)
917 		e = AUE_OPEN_W;
918 	else if (fm & O_RDWR)
919 		e = AUE_OPEN_RW;
920 	else
921 		e = AUE_OPEN_R;
922 
923 	if (fm & O_CREAT)
924 		e += 1;
925 	if (fm & O_TRUNC)
926 		e += 2;
927 
928 	return (e);
929 }
930 
931 /*ARGSUSED*/
932 static void
933 aus_open(struct t_audit_data *tad)
934 {
935 	klwp_t *clwp = ttolwp(curthread);
936 	uint_t fm;
937 
938 	struct a {
939 		long	fnamep;		/* char	* */
940 		long	fmode;
941 		long	cmode;
942 	} *uap = (struct a *)clwp->lwp_ap;
943 
944 	fm = (uint_t)uap->fmode;
945 
946 	/* If no write, create, or trunc modes, mark as a public op */
947 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
948 		tad->tad_ctrl |= PAD_PUBLIC_EV;
949 }
950 
951 /* convert openat(2) to appropriate event */
952 static au_event_t
953 aui_fsat(au_event_t e)
954 {
955 	t_audit_data_t	*tad = U2A(u);
956 	klwp_t *clwp = ttolwp(curthread);
957 	uint_t fmcode, fm;
958 	struct a {
959 		long id;
960 		long arg1;
961 		long arg2;
962 		long arg3;
963 		long arg4;
964 		long arg5;
965 	} *uap = (struct a *)clwp->lwp_ap;
966 
967 	fmcode  = (uint_t)uap->id;
968 
969 	switch (fmcode) {
970 
971 	case 0: /* openat */
972 	case 1: /* openat64 */
973 		fm = (uint_t)uap->arg3;
974 		if (fm & O_WRONLY)
975 			e = AUE_OPENAT_W;
976 		else if (fm & O_RDWR)
977 			e = AUE_OPENAT_RW;
978 		else
979 			e = AUE_OPENAT_R;
980 
981 		/*
982 		 * openat modes are defined in the following order:
983 		 * Read only
984 		 * Read|Create
985 		 * Read|Trunc
986 		 * Read|Create|Trunc
987 		 * Write Only
988 		 * Write|Create
989 		 * Write|Trunc
990 		 * Write|Create|Trunc * RW Only
991 		 * RW|Create
992 		 * RW|Trunc
993 		 * RW|Create|Trunc
994 		 */
995 		if (fm & O_CREAT)
996 			e += 1;		/* increment to include CREAT in mode */
997 		if (fm & O_TRUNC)
998 			e += 2;		/* increment to include TRUNC in mode */
999 
1000 		/* convert to appropriate au_ctrl */
1001 		tad->tad_ctrl |= PAD_SAVPATH;
1002 		if (fm & FXATTR)
1003 			tad->tad_ctrl |= PAD_ATPATH;
1004 
1005 
1006 		break;
1007 	case 2: /* fstatat64 */
1008 	case 3: /* fstatat */
1009 		e = AUE_FSTATAT;
1010 		break;
1011 	case 4: /* fchownat */
1012 		e = AUE_FCHOWNAT;
1013 		break;
1014 	case 5: /* unlinkat */
1015 		e = AUE_UNLINKAT;
1016 		break;
1017 	case 6: /* futimesat */
1018 		e = AUE_FUTIMESAT;
1019 		break;
1020 	case 7: /* renameat */
1021 		e = AUE_RENAMEAT;
1022 		break;
1023 	case 9: /* __openattrdirat */
1024 		tad->tad_ctrl |= PAD_SAVPATH;
1025 		/*FALLTHROUGH*/
1026 	default:
1027 		e = AUE_NULL;
1028 		break;
1029 	}
1030 
1031 	return (e);
1032 }
1033 
1034 /*ARGSUSED*/
1035 static void
1036 aus_fsat(struct t_audit_data *tad)
1037 {
1038 	klwp_t *clwp = ttolwp(curthread);
1039 	uint_t fmcode, fm;
1040 	struct a {
1041 		long id;
1042 		long arg1;
1043 		long arg2;
1044 		long arg3;
1045 		long arg4;
1046 		long arg5;
1047 	} *uap = (struct a *)clwp->lwp_ap;
1048 
1049 	fmcode  = (uint_t)uap->id;
1050 
1051 	switch (fmcode) {
1052 
1053 	case 0: /* openat */
1054 	case 1: /* openat64 */
1055 		fm = (uint_t)uap->arg3;
1056 		/* If no write, create, or trunc modes, mark as a public op */
1057 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1058 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1059 
1060 		break;
1061 	case 2: /* fstatat64 */
1062 	case 3: /* fstatat */
1063 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1064 		break;
1065 	default:
1066 		break;
1067 	}
1068 }
1069 
1070 /* msgsys */
1071 static au_event_t
1072 aui_msgsys(au_event_t e)
1073 {
1074 	klwp_t *clwp = ttolwp(curthread);
1075 	uint_t fm;
1076 
1077 	struct a {
1078 		long	id;	/* function code id */
1079 		long	ap;	/* arg pointer for recvmsg */
1080 	} *uap = (struct a *)clwp->lwp_ap;
1081 
1082 	struct b {
1083 		long	msgid;
1084 		long	cmd;
1085 		long	buf;	/* struct msqid_ds * */
1086 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1087 
1088 	fm  = (uint_t)uap->id;
1089 
1090 	switch (fm) {
1091 	case 0:		/* msgget */
1092 		e = AUE_MSGGET;
1093 		break;
1094 	case 1:		/* msgctl */
1095 		switch ((uint_t)uap1->cmd) {
1096 		case IPC_RMID:
1097 			e = AUE_MSGCTL_RMID;
1098 			break;
1099 		case IPC_SET:
1100 			e = AUE_MSGCTL_SET;
1101 			break;
1102 		case IPC_STAT:
1103 			e = AUE_MSGCTL_STAT;
1104 			break;
1105 		default:
1106 			e = AUE_MSGCTL;
1107 			break;
1108 		}
1109 		break;
1110 	case 2:		/* msgrcv */
1111 		e = AUE_MSGRCV;
1112 		break;
1113 	case 3:		/* msgsnd */
1114 		e = AUE_MSGSND;
1115 		break;
1116 	default:	/* illegal system call */
1117 		e = AUE_NULL;
1118 		break;
1119 	}
1120 
1121 	return (e);
1122 }
1123 
1124 
1125 /* shmsys */
1126 static au_event_t
1127 aui_shmsys(au_event_t e)
1128 {
1129 	klwp_t *clwp = ttolwp(curthread);
1130 	int fm;
1131 
1132 	struct a {		/* shmsys */
1133 		long	id;	/* function code id */
1134 	} *uap = (struct a *)clwp->lwp_ap;
1135 
1136 	struct b {		/* ctrl */
1137 		long	shmid;
1138 		long	cmd;
1139 		long	arg;		/* struct shmid_ds * */
1140 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1141 	fm  = (uint_t)uap->id;
1142 
1143 	switch (fm) {
1144 	case 0:		/* shmat */
1145 		e = AUE_SHMAT;
1146 		break;
1147 	case 1:		/* shmctl */
1148 		switch ((uint_t)uap1->cmd) {
1149 		case IPC_RMID:
1150 			e = AUE_SHMCTL_RMID;
1151 			break;
1152 		case IPC_SET:
1153 			e = AUE_SHMCTL_SET;
1154 			break;
1155 		case IPC_STAT:
1156 			e = AUE_SHMCTL_STAT;
1157 			break;
1158 		default:
1159 			e = AUE_SHMCTL;
1160 			break;
1161 		}
1162 		break;
1163 	case 2:		/* shmdt */
1164 		e = AUE_SHMDT;
1165 		break;
1166 	case 3:		/* shmget */
1167 		e = AUE_SHMGET;
1168 		break;
1169 	default:	/* illegal system call */
1170 		e = AUE_NULL;
1171 		break;
1172 	}
1173 
1174 	return (e);
1175 }
1176 
1177 
1178 /* semsys */
1179 static au_event_t
1180 aui_semsys(au_event_t e)
1181 {
1182 	klwp_t *clwp = ttolwp(curthread);
1183 	uint_t fm;
1184 
1185 	struct a {		/* semsys */
1186 		long	id;
1187 	} *uap = (struct a *)clwp->lwp_ap;
1188 
1189 	struct b {		/* ctrl */
1190 		long	semid;
1191 		long	semnum;
1192 		long	cmd;
1193 		long	arg;
1194 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1195 
1196 	fm = (uint_t)uap->id;
1197 
1198 	switch (fm) {
1199 	case 0:		/* semctl */
1200 		switch ((uint_t)uap1->cmd) {
1201 		case IPC_RMID:
1202 			e = AUE_SEMCTL_RMID;
1203 			break;
1204 		case IPC_SET:
1205 			e = AUE_SEMCTL_SET;
1206 			break;
1207 		case IPC_STAT:
1208 			e = AUE_SEMCTL_STAT;
1209 			break;
1210 		case GETNCNT:
1211 			e = AUE_SEMCTL_GETNCNT;
1212 			break;
1213 		case GETPID:
1214 			e = AUE_SEMCTL_GETPID;
1215 			break;
1216 		case GETVAL:
1217 			e = AUE_SEMCTL_GETVAL;
1218 			break;
1219 		case GETALL:
1220 			e = AUE_SEMCTL_GETALL;
1221 			break;
1222 		case GETZCNT:
1223 			e = AUE_SEMCTL_GETZCNT;
1224 			break;
1225 		case SETVAL:
1226 			e = AUE_SEMCTL_SETVAL;
1227 			break;
1228 		case SETALL:
1229 			e = AUE_SEMCTL_SETALL;
1230 			break;
1231 		default:
1232 			e = AUE_SEMCTL;
1233 			break;
1234 		}
1235 		break;
1236 	case 1:		/* semget */
1237 		e = AUE_SEMGET;
1238 		break;
1239 	case 2:		/* semop */
1240 		e = AUE_SEMOP;
1241 		break;
1242 	default:	/* illegal system call */
1243 		e = AUE_NULL;
1244 		break;
1245 	}
1246 
1247 	return (e);
1248 }
1249 
1250 /* utssys - uname(2), ustat(2), fusers(2) */
1251 static au_event_t
1252 aui_utssys(au_event_t e)
1253 {
1254 	klwp_t *clwp = ttolwp(curthread);
1255 	uint_t type;
1256 
1257 	struct a {
1258 		union {
1259 			long	cbuf;		/* char * */
1260 			long	ubuf;		/* struct stat * */
1261 		} ub;
1262 		union {
1263 			long	mv;	/* for USTAT */
1264 			long	flags;	/* for FUSERS */
1265 		} un;
1266 		long	type;
1267 		long	outbp;		/* char * for FUSERS */
1268 	} *uap = (struct a *)clwp->lwp_ap;
1269 
1270 	type = (uint_t)uap->type;
1271 
1272 	if (type == UTS_FUSERS)
1273 		return (e);
1274 	else
1275 		return ((au_event_t)AUE_NULL);
1276 }
1277 
1278 static au_event_t
1279 aui_fcntl(au_event_t e)
1280 {
1281 	klwp_t *clwp = ttolwp(curthread);
1282 	uint_t cmd;
1283 
1284 	struct a {
1285 		long	fdes;
1286 		long	cmd;
1287 		long	arg;
1288 	} *uap = (struct a *)clwp->lwp_ap;
1289 
1290 	cmd = (uint_t)uap->cmd;
1291 
1292 	switch (cmd) {
1293 	case F_GETLK:
1294 	case F_SETLK:
1295 	case F_SETLKW:
1296 		break;
1297 	case F_SETFL:
1298 	case F_GETFL:
1299 	case F_GETFD:
1300 		break;
1301 	default:
1302 		e = (au_event_t)AUE_NULL;
1303 		break;
1304 	}
1305 	return ((au_event_t)e);
1306 }
1307 
1308 /* null function for now */
1309 static au_event_t
1310 aui_execv(au_event_t e)
1311 {
1312 	return (e);
1313 }
1314 
1315 /* null function for now */
1316 static au_event_t
1317 aui_execve(au_event_t e)
1318 {
1319 	return (e);
1320 }
1321 
1322 /*ARGSUSED*/
1323 static void
1324 aus_fcntl(struct t_audit_data *tad)
1325 {
1326 	klwp_t *clwp = ttolwp(curthread);
1327 	uint32_t cmd, fd;
1328 	struct file  *fp;
1329 	struct vnode *vp;
1330 	struct f_audit_data *fad;
1331 
1332 	struct a {
1333 		long	fd;
1334 		long	cmd;
1335 		long	arg;
1336 	} *uap = (struct a *)clwp->lwp_ap;
1337 
1338 	cmd = (uint32_t)uap->cmd;
1339 	fd  = (uint32_t)uap->fd;
1340 
1341 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1342 
1343 		/*
1344 		 * convert file pointer to file descriptor
1345 		 *   Note: fd ref count incremented here.
1346 		 */
1347 	if ((fp = getf(fd)) == NULL)
1348 		return;
1349 
1350 	/* get path from file struct here */
1351 	fad = F2A(fp);
1352 	if (fad->fad_aupath != NULL) {
1353 		au_uwrite(au_to_path(fad->fad_aupath));
1354 	} else {
1355 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1356 	}
1357 
1358 	vp = fp->f_vnode;
1359 	audit_attributes(vp);
1360 
1361 	/* decrement file descriptor reference count */
1362 	releasef(fd);
1363 }
1364 
1365 /*ARGSUSED*/
1366 static void
1367 aus_kill(struct t_audit_data *tad)
1368 {
1369 	klwp_t *clwp = ttolwp(curthread);
1370 	struct proc *p;
1371 	uint32_t signo;
1372 	uid_t uid, ruid;
1373 	gid_t gid, rgid;
1374 	pid_t pid;
1375 	const auditinfo_addr_t *ainfo;
1376 	cred_t *cr;
1377 
1378 	struct a {
1379 		long	pid;
1380 		long	signo;
1381 	} *uap = (struct a *)clwp->lwp_ap;
1382 
1383 	pid   = (pid_t)uap->pid;
1384 	signo = (uint32_t)uap->signo;
1385 
1386 	au_uwrite(au_to_arg32(2, "signal", signo));
1387 	if (pid > 0) {
1388 		mutex_enter(&pidlock);
1389 		if (((p = prfind(pid)) == (struct proc *)0) ||
1390 		    (p->p_stat == SIDL)) {
1391 			mutex_exit(&pidlock);
1392 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1393 			return;
1394 		}
1395 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1396 		mutex_exit(&pidlock);
1397 
1398 		mutex_enter(&p->p_crlock);
1399 		crhold(cr = p->p_cred);
1400 		mutex_exit(&p->p_crlock);
1401 		mutex_exit(&p->p_lock);
1402 
1403 		ainfo = crgetauinfo(cr);
1404 		if (ainfo == NULL) {
1405 			crfree(cr);
1406 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1407 			return;
1408 		}
1409 
1410 		uid  = crgetuid(cr);
1411 		gid  = crgetgid(cr);
1412 		ruid = crgetruid(cr);
1413 		rgid = crgetrgid(cr);
1414 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1415 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1416 
1417 		if (is_system_labeled())
1418 			au_uwrite(au_to_label(CR_SL(cr)));
1419 
1420 		crfree(cr);
1421 	}
1422 	else
1423 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1424 }
1425 
1426 /*ARGSUSED*/
1427 static void
1428 aus_mkdir(struct t_audit_data *tad)
1429 {
1430 	klwp_t *clwp = ttolwp(curthread);
1431 	uint32_t dmode;
1432 
1433 	struct a {
1434 		long	dirnamep;		/* char * */
1435 		long	dmode;
1436 	} *uap = (struct a *)clwp->lwp_ap;
1437 
1438 	dmode = (uint32_t)uap->dmode;
1439 
1440 	au_uwrite(au_to_arg32(2, "mode", dmode));
1441 }
1442 
1443 /*ARGSUSED*/
1444 static void
1445 aus_mknod(struct t_audit_data *tad)
1446 {
1447 	klwp_t *clwp = ttolwp(curthread);
1448 	uint32_t fmode;
1449 	dev_t dev;
1450 
1451 	struct a {
1452 		long	pnamep;		/* char * */
1453 		long	fmode;
1454 		long	dev;
1455 	} *uap = (struct a *)clwp->lwp_ap;
1456 
1457 	fmode = (uint32_t)uap->fmode;
1458 	dev   = (dev_t)uap->dev;
1459 
1460 	au_uwrite(au_to_arg32(2, "mode", fmode));
1461 #ifdef _LP64
1462 	au_uwrite(au_to_arg64(3, "dev", dev));
1463 #else
1464 	au_uwrite(au_to_arg32(3, "dev", dev));
1465 #endif
1466 }
1467 
1468 /*ARGSUSED*/
1469 static void
1470 aus_xmknod(struct t_audit_data *tad)
1471 {
1472 	klwp_t *clwp = ttolwp(curthread);
1473 	uint32_t fmode;
1474 	dev_t dev;
1475 
1476 	struct a {
1477 		long	version;	/* version */
1478 		long	pnamep;		/* char * */
1479 		long	fmode;
1480 		long	dev;
1481 	} *uap = (struct a *)clwp->lwp_ap;
1482 
1483 	fmode = (uint32_t)uap->fmode;
1484 	dev   = (dev_t)uap->dev;
1485 
1486 	au_uwrite(au_to_arg32(2, "mode", fmode));
1487 #ifdef _LP64
1488 	au_uwrite(au_to_arg64(3, "dev", dev));
1489 #else
1490 	au_uwrite(au_to_arg32(3, "dev", dev));
1491 #endif
1492 }
1493 
1494 /*ARGSUSED*/
1495 static void
1496 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1497 {
1498 	klwp_t *clwp = ttolwp(curthread);
1499 	vnode_t	*dvp;
1500 	caddr_t pnamep;
1501 
1502 	struct a {
1503 		long	pnamep;		/* char * */
1504 		long	fmode;
1505 		long	dev;
1506 	} *uap = (struct a *)clwp->lwp_ap;
1507 
1508 	/* no error, then already path token in audit record */
1509 	if (error != EPERM)
1510 		return;
1511 
1512 	/* not auditing this event, nothing then to do */
1513 	if (tad->tad_flag == 0)
1514 		return;
1515 
1516 	/* do the lookup to force generation of path token */
1517 	pnamep = (caddr_t)uap->pnamep;
1518 	tad->tad_ctrl |= PAD_NOATTRB;
1519 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1520 	if (error == 0)
1521 		VN_RELE(dvp);
1522 }
1523 
1524 /*ARGSUSED*/
1525 static void
1526 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1527 {
1528 	klwp_t *clwp = ttolwp(curthread);
1529 	vnode_t	*dvp;
1530 	caddr_t pnamep;
1531 
1532 	struct a {
1533 		long	version;	/* version */
1534 		long	pnamep;		/* char * */
1535 		long	fmode;
1536 		long	dev;
1537 	} *uap = (struct a *)clwp->lwp_arg;
1538 
1539 
1540 	/* no error, then already path token in audit record */
1541 	if (error != EPERM)
1542 		return;
1543 
1544 	/* not auditing this event, nothing then to do */
1545 	if (tad->tad_flag == 0)
1546 		return;
1547 
1548 	/* do the lookup to force generation of path token */
1549 	pnamep = (caddr_t)uap->pnamep;
1550 	tad->tad_ctrl |= PAD_NOATTRB;
1551 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1552 	if (error == 0)
1553 		VN_RELE(dvp);
1554 }
1555 
1556 /*ARGSUSED*/
1557 static void
1558 aus_mount(struct t_audit_data *tad)
1559 {	/* AUS_START */
1560 	klwp_t *clwp = ttolwp(curthread);
1561 	uint32_t flags;
1562 	uintptr_t u_fstype, dataptr;
1563 	STRUCT_DECL(nfs_args, nfsargs);
1564 	size_t len;
1565 	char *fstype, *hostname;
1566 
1567 	struct a {
1568 		long	spec;		/* char    * */
1569 		long	dir;		/* char    * */
1570 		long	flags;
1571 		long	fstype;		/* char    * */
1572 		long	dataptr;	/* char    * */
1573 		long	datalen;
1574 	} *uap = (struct a *)clwp->lwp_ap;
1575 
1576 	u_fstype = (uintptr_t)uap->fstype;
1577 	flags    = (uint32_t)uap->flags;
1578 	dataptr  = (uintptr_t)uap->dataptr;
1579 
1580 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1581 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1582 		goto mount_free_fstype;
1583 
1584 	au_uwrite(au_to_arg32(3, "flags", flags));
1585 	au_uwrite(au_to_text(fstype));
1586 
1587 	if (strncmp(fstype, "nfs", 3) == 0) {
1588 
1589 		STRUCT_INIT(nfsargs, get_udatamodel());
1590 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1591 
1592 		if (copyin((caddr_t)dataptr,
1593 				STRUCT_BUF(nfsargs),
1594 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1595 			/* DEBUG debug_enter((char *)NULL); */
1596 			goto mount_free_fstype;
1597 		}
1598 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1599 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1600 				(caddr_t)hostname,
1601 				MAXNAMELEN, &len)) {
1602 			goto mount_free_hostname;
1603 		}
1604 		au_uwrite(au_to_text(hostname));
1605 		au_uwrite(au_to_arg32(3, "internal flags",
1606 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1607 
1608 mount_free_hostname:
1609 		kmem_free(hostname, MAXNAMELEN);
1610 	}
1611 
1612 mount_free_fstype:
1613 	kmem_free(fstype, MAXNAMELEN);
1614 }	/* AUS_MOUNT */
1615 
1616 static void
1617 aus_umount_path(caddr_t umount_dir)
1618 {
1619 	char			*dir_path;
1620 	struct audit_path	*path;
1621 	size_t			path_len, dir_len;
1622 
1623 	/* length alloc'd for two string pointers */
1624 	path_len = sizeof (struct audit_path) + sizeof (char *);
1625 	path = kmem_alloc(path_len, KM_SLEEP);
1626 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1627 
1628 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1629 	    MAXPATHLEN, &dir_len))
1630 		goto umount2_free_dir;
1631 
1632 	/*
1633 	 * the audit_path struct assumes that the buffer pointed to
1634 	 * by audp_sect[n] contains string 0 immediatedly followed
1635 	 * by string 1.
1636 	 */
1637 	path->audp_sect[0] = dir_path;
1638 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1639 	path->audp_size = path_len;
1640 	path->audp_ref = 1;		/* not used */
1641 	path->audp_cnt = 1;		/* one path string */
1642 
1643 	au_uwrite(au_to_path(path));
1644 
1645 umount2_free_dir:
1646 	kmem_free(dir_path, MAXPATHLEN);
1647 	kmem_free(path, path_len);
1648 }
1649 
1650 /*
1651  * the umount syscall is implemented as a call to umount2, but the args
1652  * are different...
1653  */
1654 
1655 /*ARGSUSED*/
1656 static void
1657 aus_umount(struct t_audit_data *tad)
1658 {
1659 	klwp_t			*clwp = ttolwp(curthread);
1660 	struct a {
1661 		long	dir;		/* char    * */
1662 	} *uap = (struct a *)clwp->lwp_ap;
1663 
1664 	aus_umount_path((caddr_t)uap->dir);
1665 }
1666 
1667 /*ARGSUSED*/
1668 static void
1669 aus_umount2(struct t_audit_data *tad)
1670 {
1671 	klwp_t			*clwp = ttolwp(curthread);
1672 	struct a {
1673 		long	dir;		/* char    * */
1674 		long	flags;
1675 	} *uap = (struct a *)clwp->lwp_ap;
1676 
1677 	aus_umount_path((caddr_t)uap->dir);
1678 
1679 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1680 }
1681 
1682 static void
1683 aus_msgsys(struct t_audit_data *tad)
1684 {
1685 	klwp_t *clwp = ttolwp(curthread);
1686 	uint32_t msgid;
1687 
1688 	struct b {
1689 		long	msgid;
1690 		long	cmd;
1691 		long	buf;		/* struct msqid_ds * */
1692 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1693 
1694 	msgid = (uint32_t)uap1->msgid;
1695 
1696 
1697 	switch (tad->tad_event) {
1698 	case AUE_MSGGET:		/* msgget */
1699 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1700 		break;
1701 	case AUE_MSGCTL:		/* msgctl */
1702 	case AUE_MSGCTL_RMID:		/* msgctl */
1703 	case AUE_MSGCTL_STAT:		/* msgctl */
1704 	case AUE_MSGRCV:		/* msgrcv */
1705 	case AUE_MSGSND:		/* msgsnd */
1706 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1707 		break;
1708 	case AUE_MSGCTL_SET:		/* msgctl */
1709 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1710 		break;
1711 	}
1712 }
1713 
1714 /*ARGSUSED*/
1715 static void
1716 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1717 {
1718 	int id;
1719 
1720 	if (error != 0)
1721 		return;
1722 	if (tad->tad_event == AUE_MSGGET) {
1723 		uint32_t scid;
1724 		uint32_t sy_flags;
1725 
1726 		/* need to determine type of executing binary */
1727 		scid = tad->tad_scid;
1728 #ifdef _SYSCALL32_IMPL
1729 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1730 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1731 		else
1732 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1733 #else
1734 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1735 #endif
1736 		if (sy_flags == SE_32RVAL1)
1737 			id = rval->r_val1;
1738 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1739 			id = rval->r_val1;
1740 		if (sy_flags == SE_64RVAL)
1741 			id = (int)rval->r_vals;
1742 
1743 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1744 	}
1745 }
1746 
1747 static void
1748 aus_semsys(struct t_audit_data *tad)
1749 {
1750 	klwp_t *clwp = ttolwp(curthread);
1751 	uint32_t semid;
1752 
1753 	struct b {		/* ctrl */
1754 		long	semid;
1755 		long	semnum;
1756 		long	cmd;
1757 		long	arg;
1758 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1759 
1760 	semid = (uint32_t)uap1->semid;
1761 
1762 	switch (tad->tad_event) {
1763 	case AUE_SEMCTL_RMID:
1764 	case AUE_SEMCTL_STAT:
1765 	case AUE_SEMCTL_GETNCNT:
1766 	case AUE_SEMCTL_GETPID:
1767 	case AUE_SEMCTL_GETVAL:
1768 	case AUE_SEMCTL_GETALL:
1769 	case AUE_SEMCTL_GETZCNT:
1770 	case AUE_SEMCTL_SETVAL:
1771 	case AUE_SEMCTL_SETALL:
1772 	case AUE_SEMCTL:
1773 	case AUE_SEMOP:
1774 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1775 		break;
1776 	case AUE_SEMCTL_SET:
1777 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1778 		break;
1779 	case AUE_SEMGET:
1780 		au_uwrite(au_to_arg32(1, "sem key", semid));
1781 		break;
1782 	}
1783 }
1784 
1785 /*ARGSUSED*/
1786 static void
1787 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1788 {
1789 	int id;
1790 
1791 	if (error != 0)
1792 		return;
1793 	if (tad->tad_event == AUE_SEMGET) {
1794 		uint32_t scid;
1795 		uint32_t sy_flags;
1796 
1797 		/* need to determine type of executing binary */
1798 		scid = tad->tad_scid;
1799 #ifdef _SYSCALL32_IMPL
1800 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1801 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1802 		else
1803 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1804 #else
1805 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1806 #endif
1807 		if (sy_flags == SE_32RVAL1)
1808 			id = rval->r_val1;
1809 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1810 			id = rval->r_val1;
1811 		if (sy_flags == SE_64RVAL)
1812 			id = (int)rval->r_vals;
1813 
1814 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1815 	}
1816 }
1817 
1818 /*ARGSUSED*/
1819 static void
1820 aus_close(struct t_audit_data *tad)
1821 {
1822 	klwp_t *clwp = ttolwp(curthread);
1823 	uint32_t fd;
1824 	struct file *fp;
1825 	struct f_audit_data *fad;
1826 	struct vnode *vp;
1827 	struct vattr attr;
1828 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1829 
1830 	struct a {
1831 		long	i;
1832 	} *uap = (struct a *)clwp->lwp_ap;
1833 
1834 	fd = (uint32_t)uap->i;
1835 
1836 	attr.va_mask = 0;
1837 	au_uwrite(au_to_arg32(1, "fd", fd));
1838 
1839 		/*
1840 		 * convert file pointer to file descriptor
1841 		 *   Note: fd ref count incremented here.
1842 		 */
1843 	if ((fp = getf(fd)) == NULL)
1844 		return;
1845 
1846 	fad = F2A(fp);
1847 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1848 	if (fad->fad_aupath != NULL) {
1849 		au_uwrite(au_to_path(fad->fad_aupath));
1850 		if ((vp = fp->f_vnode) != NULL) {
1851 			attr.va_mask = AT_ALL;
1852 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1853 				/*
1854 				 * When write was not used and the file can be
1855 				 * considered public, skip the audit.
1856 				 */
1857 				if (((fp->f_flag & FWRITE) == 0) &&
1858 				    file_is_public(&attr)) {
1859 					tad->tad_flag = 0;
1860 					tad->tad_evmod = 0;
1861 					/* free any residual audit data */
1862 					au_close(kctx, &(u_ad), 0, 0, 0);
1863 					releasef(fd);
1864 					return;
1865 				}
1866 				au_uwrite(au_to_attr(&attr));
1867 				audit_sec_attributes(&(u_ad), vp);
1868 			}
1869 		}
1870 	}
1871 
1872 	/* decrement file descriptor reference count */
1873 	releasef(fd);
1874 }
1875 
1876 /*ARGSUSED*/
1877 static void
1878 aus_fstatfs(struct t_audit_data *tad)
1879 {
1880 	klwp_t *clwp = ttolwp(curthread);
1881 	uint32_t fd;
1882 	struct file  *fp;
1883 	struct vnode *vp;
1884 	struct f_audit_data *fad;
1885 
1886 	struct a {
1887 		long	fd;
1888 		long	buf;		/* struct statfs * */
1889 	} *uap = (struct a *)clwp->lwp_ap;
1890 
1891 	fd = (uint_t)uap->fd;
1892 
1893 		/*
1894 		 * convert file pointer to file descriptor
1895 		 *   Note: fd ref count incremented here.
1896 		 */
1897 	if ((fp = getf(fd)) == NULL)
1898 		return;
1899 
1900 		/* get path from file struct here */
1901 	fad = F2A(fp);
1902 	if (fad->fad_aupath != NULL) {
1903 		au_uwrite(au_to_path(fad->fad_aupath));
1904 	} else {
1905 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1906 	}
1907 
1908 	vp = fp->f_vnode;
1909 	audit_attributes(vp);
1910 
1911 	/* decrement file descriptor reference count */
1912 	releasef(fd);
1913 }
1914 
1915 #ifdef NOTYET
1916 /*ARGSUSED*/
1917 static void
1918 aus_setpgrp(struct t_audit_data *tad)
1919 {
1920 	klwp_t *clwp = ttolwp(curthread);
1921 	uint32_t pgrp;
1922 	struct proc *p;
1923 	uid_t uid, ruid;
1924 	gid_t gid, rgid;
1925 	pid_t pid;
1926 	const auditinfo_addr_t *ainfo;
1927 	cred_t *cr;
1928 
1929 	struct a {
1930 		long	pid;
1931 		long	pgrp;
1932 	} *uap = (struct a *)clwp->lwp_ap;
1933 
1934 	pid  = (pid_t)uap->pid;
1935 	pgrp = (uint32_t)uap->pgrp;
1936 
1937 		/* current process? */
1938 	if (pid == 0)
1939 		(return);
1940 
1941 	mutex_enter(&pidlock);
1942 	p = prfind(pid);
1943 	if (p == NULL || p->p_as == &kas) {
1944 		mutex_exit(&pidlock);
1945 		return;
1946 	}
1947 	mutex_enter(&p->p_lock);	/* so process doesn't go away */
1948 	mutex_exit(&pidlock);
1949 
1950 	mutex_enter(&p->p_crlock);
1951 	crhold(cr = p->p_cred);
1952 	mutex_exit(&p->p_crlock);
1953 	mutex_exit(&p->p_lock);
1954 
1955 	ainfo = crgetauinfo(cr);
1956 	if (ainfo == NULL) {
1957 		crfree(cr);
1958 		return;
1959 	}
1960 
1961 	uid  = crgetuid(cr);
1962 	gid  = crgetgid(cr);
1963 	ruid = crgetruid(cr);
1964 	rgid = crgetrgid(cr);
1965 	au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1966 	    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1967 	crfree(cr);
1968 	au_uwrite(au_to_arg32(2, "pgrp", pgrp));
1969 }
1970 #endif
1971 
1972 /*ARGSUSED*/
1973 static void
1974 aus_setregid(struct t_audit_data *tad)
1975 {
1976 	klwp_t *clwp = ttolwp(curthread);
1977 	uint32_t rgid, egid;
1978 
1979 	struct a {
1980 		long	 rgid;
1981 		long	 egid;
1982 	} *uap = (struct a *)clwp->lwp_ap;
1983 
1984 	rgid  = (uint32_t)uap->rgid;
1985 	egid  = (uint32_t)uap->egid;
1986 
1987 	au_uwrite(au_to_arg32(1, "rgid", rgid));
1988 	au_uwrite(au_to_arg32(2, "egid", egid));
1989 }
1990 
1991 /*ARGSUSED*/
1992 static void
1993 aus_setgid(struct t_audit_data *tad)
1994 {
1995 	klwp_t *clwp = ttolwp(curthread);
1996 	uint32_t gid;
1997 
1998 	struct a {
1999 		long	gid;
2000 	} *uap = (struct a *)clwp->lwp_ap;
2001 
2002 	gid = (uint32_t)uap->gid;
2003 
2004 	au_uwrite(au_to_arg32(1, "gid", gid));
2005 }
2006 
2007 
2008 /*ARGSUSED*/
2009 static void
2010 aus_setreuid(struct t_audit_data *tad)
2011 {
2012 	klwp_t *clwp = ttolwp(curthread);
2013 	uint32_t ruid, euid;
2014 
2015 	struct a {
2016 		long	ruid;
2017 		long	euid;
2018 	} *uap = (struct a *)clwp->lwp_ap;
2019 
2020 	ruid = (uint32_t)uap->ruid;
2021 	euid  = (uint32_t)uap->euid;
2022 
2023 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2024 	au_uwrite(au_to_arg32(2, "euid", euid));
2025 }
2026 
2027 
2028 /*ARGSUSED*/
2029 static void
2030 aus_setuid(struct t_audit_data *tad)
2031 {
2032 	klwp_t *clwp = ttolwp(curthread);
2033 	uint32_t uid;
2034 
2035 	struct a {
2036 		long	uid;
2037 	} *uap = (struct a *)clwp->lwp_ap;
2038 
2039 	uid = (uint32_t)uap->uid;
2040 
2041 	au_uwrite(au_to_arg32(1, "uid", uid));
2042 }
2043 
2044 /*ARGSUSED*/
2045 static void
2046 aus_shmsys(struct t_audit_data *tad)
2047 {
2048 	klwp_t *clwp = ttolwp(curthread);
2049 	uint32_t id, cmd;
2050 
2051 	struct b {
2052 		long	id;
2053 		long	cmd;
2054 		long	buf;		/* struct shmid_ds * */
2055 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2056 
2057 	id  = (uint32_t)uap1->id;
2058 	cmd = (uint32_t)uap1->cmd;
2059 
2060 	switch (tad->tad_event) {
2061 	case AUE_SHMGET:			/* shmget */
2062 		au_uwrite(au_to_arg32(1, "shm key", id));
2063 		break;
2064 	case AUE_SHMCTL:			/* shmctl */
2065 	case AUE_SHMCTL_RMID:			/* shmctl */
2066 	case AUE_SHMCTL_STAT:			/* shmctl */
2067 	case AUE_SHMCTL_SET:			/* shmctl */
2068 		au_uwrite(au_to_arg32(1, "shm ID", id));
2069 		break;
2070 	case AUE_SHMDT:				/* shmdt */
2071 		au_uwrite(au_to_arg32(1, "shm adr", id));
2072 		break;
2073 	case AUE_SHMAT:				/* shmat */
2074 		au_uwrite(au_to_arg32(1, "shm ID", id));
2075 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2076 		break;
2077 	}
2078 }
2079 
2080 /*ARGSUSED*/
2081 static void
2082 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2083 {
2084 	int id;
2085 
2086 	if (error != 0)
2087 		return;
2088 	if (tad->tad_event == AUE_SHMGET) {
2089 		uint32_t scid;
2090 		uint32_t sy_flags;
2091 
2092 		/* need to determine type of executing binary */
2093 		scid = tad->tad_scid;
2094 #ifdef _SYSCALL32_IMPL
2095 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2096 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2097 		else
2098 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2099 #else
2100 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2101 #endif
2102 		if (sy_flags == SE_32RVAL1)
2103 			id = rval->r_val1;
2104 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2105 			id = rval->r_val1;
2106 		if (sy_flags == SE_64RVAL)
2107 			id = (int)rval->r_vals;
2108 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2109 	}
2110 }
2111 
2112 
2113 /*ARGSUSED*/
2114 static void
2115 aus_ioctl(struct t_audit_data *tad)
2116 {
2117 	klwp_t *clwp = ttolwp(curthread);
2118 	struct file *fp;
2119 	struct vnode *vp;
2120 	struct f_audit_data *fad;
2121 	uint32_t fd, cmd;
2122 	uintptr_t cmarg;
2123 
2124 	/* XX64 */
2125 	struct a {
2126 		long	fd;
2127 		long	cmd;
2128 		long	cmarg;		/* caddr_t */
2129 	} *uap = (struct a *)clwp->lwp_ap;
2130 
2131 	fd    = (uint32_t)uap->fd;
2132 	cmd   = (uint32_t)uap->cmd;
2133 	cmarg = (uintptr_t)uap->cmarg;
2134 
2135 		/*
2136 		 * convert file pointer to file descriptor
2137 		 *   Note: fd ref count incremented here.
2138 		 */
2139 	if ((fp = getf(fd)) == NULL) {
2140 		au_uwrite(au_to_arg32(1, "fd", fd));
2141 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2142 #ifndef _LP64
2143 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2144 #else
2145 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2146 #endif
2147 		return;
2148 	}
2149 
2150 	/* get path from file struct here */
2151 	fad = F2A(fp);
2152 	if (fad->fad_aupath != NULL) {
2153 		au_uwrite(au_to_path(fad->fad_aupath));
2154 	} else {
2155 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2156 	}
2157 
2158 	vp = fp->f_vnode;
2159 	audit_attributes(vp);
2160 
2161 	/* decrement file descriptor reference count */
2162 	releasef(fd);
2163 
2164 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2165 #ifndef _LP64
2166 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2167 #else
2168 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2169 #endif
2170 }
2171 
2172 /*
2173  * null function for memcntl for now. We might want to limit memcntl()
2174  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2175  * require privileges.
2176  */
2177 static au_event_t
2178 aui_memcntl(au_event_t e)
2179 {
2180 	return (e);
2181 }
2182 
2183 /*ARGSUSED*/
2184 static au_event_t
2185 aui_privsys(au_event_t e)
2186 {
2187 	klwp_t *clwp = ttolwp(curthread);
2188 
2189 	struct a {
2190 		long	opcode;
2191 	} *uap = (struct a *)clwp->lwp_ap;
2192 
2193 	switch (uap->opcode) {
2194 	case PRIVSYS_SETPPRIV:
2195 		return (AUE_SETPPRIV);
2196 	default:
2197 		return (AUE_NULL);
2198 	}
2199 }
2200 
2201 /*ARGSUSED*/
2202 static void
2203 aus_memcntl(struct t_audit_data *tad)
2204 {
2205 	klwp_t *clwp = ttolwp(curthread);
2206 
2207 	struct a {
2208 		long	addr;
2209 		long	len;
2210 		long	cmd;
2211 		long	arg;
2212 		long	attr;
2213 		long	mask;
2214 	} *uap = (struct a *)clwp->lwp_ap;
2215 
2216 #ifdef _LP64
2217 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2218 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2219 #else
2220 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2221 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2222 #endif
2223 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2224 #ifdef _LP64
2225 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2226 #else
2227 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2228 #endif
2229 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2230 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2231 }
2232 
2233 /*ARGSUSED*/
2234 static void
2235 aus_mmap(struct t_audit_data *tad)
2236 {
2237 	klwp_t *clwp = ttolwp(curthread);
2238 	struct file *fp;
2239 	struct f_audit_data *fad;
2240 	struct vnode *vp;
2241 	uint32_t fd;
2242 
2243 	struct a {
2244 		long	addr;
2245 		long	len;
2246 		long	prot;
2247 		long	flags;
2248 		long	fd;
2249 		long	pos;
2250 	} *uap = (struct a *)clwp->lwp_ap;
2251 
2252 	fd = (uint32_t)uap->fd;
2253 
2254 #ifdef _LP64
2255 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2256 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2257 #else
2258 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2259 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2260 #endif
2261 
2262 	if ((fp = getf(fd)) == NULL) {
2263 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2264 		return;
2265 	}
2266 
2267 	/*
2268 	 * Mark in the tad if write access is NOT requested... if
2269 	 * this is later detected (in audit_attributes) to be a
2270 	 * public object, the mmap event may be discarded.
2271 	 */
2272 	if (((uap->prot) & PROT_WRITE) == 0) {
2273 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2274 	}
2275 
2276 	fad = F2A(fp);
2277 	if (fad->fad_aupath != NULL) {
2278 		au_uwrite(au_to_path(fad->fad_aupath));
2279 	} else {
2280 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2281 	}
2282 
2283 	vp = (struct vnode *)fp->f_vnode;
2284 	audit_attributes(vp);
2285 
2286 	/* mark READ/WRITE since we can't predict access */
2287 	if (uap->prot & PROT_READ)
2288 		fad->fad_flags |= FAD_READ;
2289 	if (uap->prot & PROT_WRITE)
2290 		fad->fad_flags |= FAD_WRITE;
2291 
2292 	/* decrement file descriptor reference count */
2293 	releasef(fd);
2294 
2295 }	/* AUS_MMAP */
2296 
2297 
2298 
2299 
2300 /*ARGSUSED*/
2301 static void
2302 aus_munmap(struct t_audit_data *tad)
2303 {
2304 	klwp_t *clwp = ttolwp(curthread);
2305 
2306 	struct a {
2307 		long	addr;
2308 		long	len;
2309 	} *uap = (struct a *)clwp->lwp_ap;
2310 
2311 #ifdef _LP64
2312 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2313 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2314 #else
2315 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2316 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2317 #endif
2318 
2319 }	/* AUS_MUNMAP */
2320 
2321 
2322 
2323 
2324 
2325 
2326 
2327 /*ARGSUSED*/
2328 static void
2329 aus_priocntlsys(struct t_audit_data *tad)
2330 {
2331 	klwp_t *clwp = ttolwp(curthread);
2332 
2333 	struct a {
2334 		long	pc_version;
2335 		long	psp;		/* procset_t */
2336 		long	cmd;
2337 		long	arg;
2338 	} *uap = (struct a *)clwp->lwp_ap;
2339 
2340 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2341 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2342 
2343 }	/* AUS_PRIOCNTLSYS */
2344 
2345 
2346 /*ARGSUSED*/
2347 static void
2348 aus_setegid(struct t_audit_data *tad)
2349 {
2350 	klwp_t *clwp = ttolwp(curthread);
2351 	uint32_t gid;
2352 
2353 	struct a {
2354 		long	gid;
2355 	} *uap = (struct a *)clwp->lwp_ap;
2356 
2357 	gid = (uint32_t)uap->gid;
2358 
2359 	au_uwrite(au_to_arg32(1, "gid", gid));
2360 }	/* AUS_SETEGID */
2361 
2362 
2363 
2364 
2365 /*ARGSUSED*/
2366 static void
2367 aus_setgroups(struct t_audit_data *tad)
2368 {
2369 	klwp_t *clwp = ttolwp(curthread);
2370 	int i;
2371 	int gidsetsize;
2372 	uintptr_t gidset;
2373 	gid_t *gidlist;
2374 
2375 	struct a {
2376 		long	gidsetsize;
2377 		long	gidset;
2378 	} *uap = (struct a *)clwp->lwp_ap;
2379 
2380 	gidsetsize = (uint_t)uap->gidsetsize;
2381 	gidset = (uintptr_t)uap->gidset;
2382 
2383 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2384 		return;
2385 	if (gidsetsize != 0) {
2386 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2387 		    KM_SLEEP);
2388 		if (copyin((caddr_t)gidset, gidlist,
2389 		    gidsetsize * sizeof (gid_t)) == 0)
2390 			for (i = 0; i < gidsetsize; i++)
2391 				au_uwrite(au_to_arg32(1, "setgroups",
2392 				    (uint32_t)gidlist[i]));
2393 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2394 	} else
2395 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2396 
2397 }	/* AUS_SETGROUPS */
2398 
2399 
2400 
2401 
2402 
2403 /*ARGSUSED*/
2404 static void
2405 aus_seteuid(struct t_audit_data *tad)
2406 {
2407 	klwp_t *clwp = ttolwp(curthread);
2408 	uint32_t uid;
2409 
2410 	struct a {
2411 		long	uid;
2412 	} *uap = (struct a *)clwp->lwp_ap;
2413 
2414 	uid = (uint32_t)uap->uid;
2415 
2416 	au_uwrite(au_to_arg32(1, "euid", uid));
2417 
2418 }	/* AUS_SETEUID */
2419 
2420 /*ARGSUSED*/
2421 static void
2422 aus_putmsg(struct t_audit_data *tad)
2423 {
2424 	klwp_t *clwp = ttolwp(curthread);
2425 	uint32_t fd, pri;
2426 	struct file *fp;
2427 	struct f_audit_data *fad;
2428 
2429 	struct a {
2430 		long	fdes;
2431 		long	ctl;		/* struct strbuf * */
2432 		long	data;		/* struct strbuf * */
2433 		long	pri;
2434 	} *uap = (struct a *)clwp->lwp_ap;
2435 
2436 	fd  = (uint32_t)uap->fdes;
2437 	pri = (uint32_t)uap->pri;
2438 
2439 	au_uwrite(au_to_arg32(1, "fd", fd));
2440 
2441 	if ((fp = getf(fd)) != NULL) {
2442 		fad = F2A(fp);
2443 
2444 		fad->fad_flags |= FAD_WRITE;
2445 
2446 		/* add path name to audit record */
2447 		if (fad->fad_aupath != NULL) {
2448 			au_uwrite(au_to_path(fad->fad_aupath));
2449 		}
2450 		audit_attributes(fp->f_vnode);
2451 
2452 		releasef(fd);
2453 	}
2454 
2455 	au_uwrite(au_to_arg32(4, "pri", pri));
2456 }
2457 
2458 /*ARGSUSED*/
2459 static void
2460 aus_putpmsg(struct t_audit_data *tad)
2461 {
2462 	klwp_t *clwp = ttolwp(curthread);
2463 	uint32_t fd, pri, flags;
2464 	struct file *fp;
2465 	struct f_audit_data *fad;
2466 
2467 	struct a {
2468 		long	fdes;
2469 		long	ctl;		/* struct strbuf * */
2470 		long	data;		/* struct strbuf * */
2471 		long	pri;
2472 		long	flags;
2473 	} *uap = (struct a *)clwp->lwp_ap;
2474 
2475 	fd = (uint32_t)uap->fdes;
2476 	pri  = (uint32_t)uap->pri;
2477 	flags  = (uint32_t)uap->flags;
2478 
2479 	au_uwrite(au_to_arg32(1, "fd", fd));
2480 
2481 	if ((fp = getf(fd)) != NULL) {
2482 		fad = F2A(fp);
2483 
2484 		fad->fad_flags |= FAD_WRITE;
2485 
2486 		/* add path name to audit record */
2487 		if (fad->fad_aupath != NULL) {
2488 			au_uwrite(au_to_path(fad->fad_aupath));
2489 		}
2490 		audit_attributes(fp->f_vnode);
2491 
2492 		releasef(fd);
2493 	}
2494 
2495 
2496 	au_uwrite(au_to_arg32(4, "pri", pri));
2497 	au_uwrite(au_to_arg32(5, "flags", flags));
2498 }
2499 
2500 /*ARGSUSED*/
2501 static void
2502 aus_getmsg(struct t_audit_data *tad)
2503 {
2504 	klwp_t *clwp = ttolwp(curthread);
2505 	uint32_t fd, pri;
2506 	struct file *fp;
2507 	struct f_audit_data *fad;
2508 
2509 	struct a {
2510 		long	fdes;
2511 		long	ctl;		/* struct strbuf * */
2512 		long	data;		/* struct strbuf * */
2513 		long	pri;
2514 	} *uap = (struct a *)clwp->lwp_ap;
2515 
2516 	fd  = (uint32_t)uap->fdes;
2517 	pri = (uint32_t)uap->pri;
2518 
2519 	au_uwrite(au_to_arg32(1, "fd", fd));
2520 
2521 	if ((fp = getf(fd)) != NULL) {
2522 		fad = F2A(fp);
2523 
2524 		/*
2525 		 * read operation on this object
2526 		 */
2527 		fad->fad_flags |= FAD_READ;
2528 
2529 		/* add path name to audit record */
2530 		if (fad->fad_aupath != NULL) {
2531 			au_uwrite(au_to_path(fad->fad_aupath));
2532 		}
2533 		audit_attributes(fp->f_vnode);
2534 
2535 		releasef(fd);
2536 	}
2537 
2538 	au_uwrite(au_to_arg32(4, "pri", pri));
2539 }
2540 
2541 /*ARGSUSED*/
2542 static void
2543 aus_getpmsg(struct t_audit_data *tad)
2544 {
2545 	klwp_t *clwp = ttolwp(curthread);
2546 	uint32_t fd;
2547 	struct file *fp;
2548 	struct f_audit_data *fad;
2549 
2550 	struct a {
2551 		long	fdes;
2552 		long	ctl;		/* struct strbuf * */
2553 		long	data;		/* struct strbuf * */
2554 		long	pri;
2555 		long	flags;
2556 	} *uap = (struct a *)clwp->lwp_ap;
2557 
2558 	fd = (uint32_t)uap->fdes;
2559 
2560 	au_uwrite(au_to_arg32(1, "fd", fd));
2561 
2562 	if ((fp = getf(fd)) != NULL) {
2563 		fad = F2A(fp);
2564 
2565 		/*
2566 		 * read operation on this object
2567 		 */
2568 		fad->fad_flags |= FAD_READ;
2569 
2570 		/* add path name to audit record */
2571 		if (fad->fad_aupath != NULL) {
2572 			au_uwrite(au_to_path(fad->fad_aupath));
2573 		}
2574 		audit_attributes(fp->f_vnode);
2575 
2576 		releasef(fd);
2577 	}
2578 }
2579 
2580 static au_event_t
2581 aui_labelsys(au_event_t e)
2582 {
2583 	klwp_t *clwp = ttolwp(curthread);
2584 	uint32_t code;
2585 	uint32_t cmd;
2586 
2587 	struct a {
2588 		long	code;
2589 		long	cmd;
2590 	} *uap = (struct a *)clwp->lwp_ap;
2591 
2592 	code = (uint32_t)uap->code;
2593 	cmd = (uint32_t)uap->cmd;
2594 
2595 	/* not security relevant if not changing kernel cache */
2596 	if (cmd == TNDB_GET)
2597 		return (AUE_NULL);
2598 
2599 	switch (code) {
2600 	case TSOL_TNRH:
2601 		e = AUE_LABELSYS_TNRH;
2602 		break;
2603 	case TSOL_TNRHTP:
2604 		e = AUE_LABELSYS_TNRHTP;
2605 		break;
2606 	case TSOL_TNMLP:
2607 		e = AUE_LABELSYS_TNMLP;
2608 		break;
2609 	default:
2610 		e = AUE_NULL;
2611 		break;
2612 	}
2613 
2614 	return (e);
2615 
2616 }
2617 
2618 static void
2619 aus_labelsys(struct t_audit_data *tad)
2620 {
2621 	klwp_t *clwp = ttolwp(curthread);
2622 	uint32_t cmd;
2623 	uintptr_t a2;
2624 
2625 	struct a {
2626 		long	code;
2627 		long	cmd;
2628 		long	a2;
2629 	} *uap = (struct a *)clwp->lwp_ap;
2630 
2631 	cmd = (uint32_t)uap->cmd;
2632 	a2 = (uintptr_t)uap->a2;
2633 
2634 	switch (tad->tad_event) {
2635 	case AUE_LABELSYS_TNRH:
2636 	{
2637 		tsol_rhent_t	*rhent;
2638 		tnaddr_t	*rh_addr;
2639 
2640 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2641 
2642 		/* Remaining args don't apply for FLUSH, so skip */
2643 		if (cmd == TNDB_FLUSH)
2644 			break;
2645 
2646 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2647 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2648 			kmem_free(rhent, sizeof (tsol_rhent_t));
2649 			return;
2650 		}
2651 
2652 		rh_addr = &rhent->rh_address;
2653 		if (rh_addr->ta_family == AF_INET) {
2654 			struct in_addr	*ipaddr;
2655 
2656 			ipaddr = &(rh_addr->ta_addr_v4);
2657 			au_uwrite(au_to_in_addr(ipaddr));
2658 		} else if (rh_addr->ta_family == AF_INET6) {
2659 			int32_t		*ipaddr;
2660 
2661 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2662 			au_uwrite(au_to_in_addr_ex(ipaddr));
2663 		}
2664 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2665 
2666 		kmem_free(rhent, sizeof (tsol_rhent_t));
2667 
2668 		break;
2669 	}
2670 	case AUE_LABELSYS_TNRHTP:
2671 	{
2672 		tsol_tpent_t	*tpent;
2673 
2674 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2675 
2676 		/* Remaining args don't apply for FLUSH, so skip */
2677 		if (cmd == TNDB_FLUSH)
2678 			break;
2679 
2680 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2681 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2682 			kmem_free(tpent, sizeof (tsol_tpent_t));
2683 			return;
2684 		}
2685 
2686 		/* Make sure that the template name is null-terminated. */
2687 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2688 
2689 		au_uwrite(au_to_text(tpent->name));
2690 		kmem_free(tpent, sizeof (tsol_tpent_t));
2691 
2692 		break;
2693 	}
2694 	case AUE_LABELSYS_TNMLP:
2695 	{
2696 		tsol_mlpent_t	*mlpent;
2697 
2698 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2699 
2700 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2701 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2702 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2703 			return;
2704 		}
2705 
2706 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2707 			au_uwrite(au_to_text("shared"));
2708 		} else {
2709 			zone_t	*zone;
2710 
2711 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2712 			if (zone != NULL) {
2713 				au_uwrite(au_to_text(zone->zone_name));
2714 				zone_rele(zone);
2715 			}
2716 		}
2717 
2718 		/* Remaining args don't apply for FLUSH, so skip */
2719 		if (cmd == TNDB_FLUSH) {
2720 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2721 			break;
2722 		}
2723 
2724 		au_uwrite(au_to_arg32(2, "proto num",
2725 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2726 		au_uwrite(au_to_arg32(2, "mlp_port",
2727 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2728 
2729 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2730 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2731 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2732 
2733 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2734 
2735 		break;
2736 	}
2737 	default:
2738 		break;
2739 	}
2740 }
2741 
2742 
2743 static au_event_t
2744 aui_auditsys(au_event_t e)
2745 {
2746 	klwp_t *clwp = ttolwp(curthread);
2747 	uint32_t code;
2748 
2749 	struct a {
2750 		long	code;
2751 		long	a1;
2752 		long	a2;
2753 		long	a3;
2754 		long	a4;
2755 		long	a5;
2756 		long	a6;
2757 		long	a7;
2758 	} *uap = (struct a *)clwp->lwp_ap;
2759 
2760 	code = (uint32_t)uap->code;
2761 
2762 	switch (code) {
2763 
2764 	case BSM_GETAUID:
2765 		e = AUE_GETAUID;
2766 		break;
2767 	case BSM_SETAUID:
2768 		e = AUE_SETAUID;
2769 		break;
2770 	case BSM_GETAUDIT:
2771 		e = AUE_GETAUDIT;
2772 		break;
2773 	case BSM_GETAUDIT_ADDR:
2774 		e = AUE_GETAUDIT_ADDR;
2775 		break;
2776 	case BSM_SETAUDIT:
2777 		e = AUE_SETAUDIT;
2778 		break;
2779 	case BSM_SETAUDIT_ADDR:
2780 		e = AUE_SETAUDIT_ADDR;
2781 		break;
2782 	case BSM_AUDIT:
2783 		e = AUE_AUDIT;
2784 		break;
2785 	case BSM_GETPORTAUDIT:
2786 		e = AUE_GETPORTAUDIT;
2787 		break;
2788 	case BSM_AUDITON:
2789 	case BSM_AUDITCTL:
2790 
2791 		switch ((uint_t)uap->a1) {
2792 
2793 		case A_GETPOLICY:
2794 			e = AUE_AUDITON_GPOLICY;
2795 			break;
2796 		case A_SETPOLICY:
2797 			e = AUE_AUDITON_SPOLICY;
2798 			break;
2799 		case A_GETKMASK:
2800 			e = AUE_AUDITON_GETKMASK;
2801 			break;
2802 		case A_SETKMASK:
2803 			e = AUE_AUDITON_SETKMASK;
2804 			break;
2805 		case A_GETQCTRL:
2806 			e = AUE_AUDITON_GQCTRL;
2807 			break;
2808 		case A_SETQCTRL:
2809 			e = AUE_AUDITON_SQCTRL;
2810 			break;
2811 		case A_GETCWD:
2812 			e = AUE_AUDITON_GETCWD;
2813 			break;
2814 		case A_GETCAR:
2815 			e = AUE_AUDITON_GETCAR;
2816 			break;
2817 		case A_GETSTAT:
2818 			e = AUE_AUDITON_GETSTAT;
2819 			break;
2820 		case A_SETSTAT:
2821 			e = AUE_AUDITON_SETSTAT;
2822 			break;
2823 		case A_SETUMASK:
2824 			e = AUE_AUDITON_SETUMASK;
2825 			break;
2826 		case A_SETSMASK:
2827 			e = AUE_AUDITON_SETSMASK;
2828 			break;
2829 		case A_GETCOND:
2830 			e = AUE_AUDITON_GETCOND;
2831 			break;
2832 		case A_SETCOND:
2833 			e = AUE_AUDITON_SETCOND;
2834 			break;
2835 		case A_GETCLASS:
2836 			e = AUE_AUDITON_GETCLASS;
2837 			break;
2838 		case A_SETCLASS:
2839 			e = AUE_AUDITON_SETCLASS;
2840 			break;
2841 		default:
2842 			e = AUE_NULL;
2843 			break;
2844 		}
2845 		break;
2846 	default:
2847 		e = AUE_NULL;
2848 		break;
2849 	}
2850 
2851 	return (e);
2852 
2853 }	/* AUI_AUDITSYS */
2854 
2855 
2856 static void
2857 aus_auditsys(struct t_audit_data *tad)
2858 {
2859 	klwp_t *clwp = ttolwp(curthread);
2860 	uintptr_t a1, a2;
2861 	STRUCT_DECL(auditinfo, ainfo);
2862 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2863 	au_evclass_map_t event;
2864 	au_mask_t mask;
2865 	int auditstate, policy;
2866 	au_id_t auid;
2867 
2868 
2869 	struct a {
2870 		long	code;
2871 		long	a1;
2872 		long	a2;
2873 		long	a3;
2874 		long	a4;
2875 		long	a5;
2876 		long	a6;
2877 		long	a7;
2878 	} *uap = (struct a *)clwp->lwp_ap;
2879 
2880 	a1   = (uintptr_t)uap->a1;
2881 	a2   = (uintptr_t)uap->a2;
2882 
2883 	switch (tad->tad_event) {
2884 	case AUE_SETAUID:
2885 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2886 				return;
2887 		au_uwrite(au_to_arg32(2, "setauid", auid));
2888 		break;
2889 	case AUE_SETAUDIT:
2890 		STRUCT_INIT(ainfo, get_udatamodel());
2891 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2892 		    STRUCT_SIZE(ainfo))) {
2893 				return;
2894 		}
2895 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2896 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2897 #ifdef _LP64
2898 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2899 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2900 #else
2901 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2902 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2903 #endif
2904 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2905 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2906 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2907 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2908 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2909 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2910 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2911 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2912 		break;
2913 	case AUE_SETAUDIT_ADDR:
2914 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2915 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2916 		    STRUCT_SIZE(ainfo_addr))) {
2917 				return;
2918 		}
2919 		au_uwrite(au_to_arg32((char)1, "auid",
2920 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2921 #ifdef _LP64
2922 		au_uwrite(au_to_arg64((char)1, "port",
2923 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2924 #else
2925 		au_uwrite(au_to_arg32((char)1, "port",
2926 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2927 #endif
2928 		au_uwrite(au_to_arg32((char)1, "type",
2929 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2930 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2931 		    AU_IPv4) {
2932 			au_uwrite(au_to_in_addr(
2933 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2934 			    ai_termid.at_addr)));
2935 		} else {
2936 			au_uwrite(au_to_in_addr_ex(
2937 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
2938 			    ai_termid.at_addr)));
2939 		}
2940 		au_uwrite(au_to_arg32((char)1, "as_success",
2941 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2942 		au_uwrite(au_to_arg32((char)1, "as_failure",
2943 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2944 		au_uwrite(au_to_arg32((char)1, "asid",
2945 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2946 		break;
2947 	case AUE_AUDITON_SETKMASK:
2948 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2949 				return;
2950 		au_uwrite(au_to_arg32(
2951 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
2952 		au_uwrite(au_to_arg32(
2953 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2954 		break;
2955 	case AUE_AUDITON_SPOLICY:
2956 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2957 			return;
2958 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2959 		break;
2960 	case AUE_AUDITON_SQCTRL: {
2961 		STRUCT_DECL(au_qctrl, qctrl);
2962 		model_t model;
2963 
2964 		model = get_udatamodel();
2965 		STRUCT_INIT(qctrl, model);
2966 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
2967 				return;
2968 		if (model == DATAMODEL_ILP32) {
2969 			au_uwrite(au_to_arg32(
2970 			    3, "setqctrl:aq_hiwater",
2971 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
2972 			au_uwrite(au_to_arg32(
2973 			    3, "setqctrl:aq_lowater",
2974 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
2975 			au_uwrite(au_to_arg32(
2976 			    3, "setqctrl:aq_bufsz",
2977 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
2978 			au_uwrite(au_to_arg32(
2979 			    3, "setqctrl:aq_delay",
2980 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
2981 		} else {
2982 			au_uwrite(au_to_arg64(
2983 			    3, "setqctrl:aq_hiwater",
2984 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
2985 			au_uwrite(au_to_arg64(
2986 			    3, "setqctrl:aq_lowater",
2987 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
2988 			au_uwrite(au_to_arg64(
2989 			    3, "setqctrl:aq_bufsz",
2990 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
2991 			au_uwrite(au_to_arg64(
2992 			    3, "setqctrl:aq_delay",
2993 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
2994 		}
2995 		break;
2996 	}
2997 	case AUE_AUDITON_SETUMASK:
2998 		STRUCT_INIT(ainfo, get_udatamodel());
2999 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3000 		    STRUCT_SIZE(ainfo))) {
3001 			return;
3002 		}
3003 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3004 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3005 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3006 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3007 		break;
3008 	case AUE_AUDITON_SETSMASK:
3009 		STRUCT_INIT(ainfo, get_udatamodel());
3010 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3011 		    STRUCT_SIZE(ainfo))) {
3012 			return;
3013 		}
3014 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3015 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3016 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3017 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3018 		break;
3019 	case AUE_AUDITON_SETCOND:
3020 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3021 			return;
3022 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3023 		break;
3024 	case AUE_AUDITON_SETCLASS:
3025 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3026 			return;
3027 		au_uwrite(au_to_arg32(
3028 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3029 		au_uwrite(au_to_arg32(
3030 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3031 		break;
3032 	case AUE_GETAUID:
3033 	case AUE_GETAUDIT:
3034 	case AUE_GETAUDIT_ADDR:
3035 	case AUE_AUDIT:
3036 	case AUE_GETPORTAUDIT:
3037 	case AUE_AUDITON_GPOLICY:
3038 	case AUE_AUDITON_GQCTRL:
3039 	case AUE_AUDITON_GETKMASK:
3040 	case AUE_AUDITON_GETCWD:
3041 	case AUE_AUDITON_GETCAR:
3042 	case AUE_AUDITON_GETSTAT:
3043 	case AUE_AUDITON_SETSTAT:
3044 	case AUE_AUDITON_GETCOND:
3045 	case AUE_AUDITON_GETCLASS:
3046 		break;
3047 	default:
3048 		break;
3049 	}
3050 
3051 }	/* AUS_AUDITSYS */
3052 
3053 
3054 /* only audit privileged operations for systeminfo(2) system call */
3055 static au_event_t
3056 aui_sysinfo(au_event_t e)
3057 {
3058 	klwp_t *clwp = ttolwp(curthread);
3059 	uint32_t command;
3060 
3061 	struct a {
3062 		long	command;
3063 		long	buf;		/* char * */
3064 		long	count;
3065 	} *uap = (struct a *)clwp->lwp_ap;
3066 
3067 	command = (uint32_t)uap->command;
3068 
3069 	switch (command) {
3070 	case SI_SET_HOSTNAME:
3071 	case SI_SET_SRPC_DOMAIN:
3072 		e = (au_event_t)AUE_SYSINFO;
3073 		break;
3074 	default:
3075 		e = (au_event_t)AUE_NULL;
3076 		break;
3077 	}
3078 	return (e);
3079 }
3080 
3081 /*ARGSUSED*/
3082 static void
3083 aus_sysinfo(struct t_audit_data *tad)
3084 {
3085 	klwp_t *clwp = ttolwp(curthread);
3086 	uint32_t command;
3087 	size_t len, maxlen;
3088 	char *name;
3089 	uintptr_t buf;
3090 
3091 	struct a {
3092 		long	command;
3093 		long	buf;		/* char * */
3094 		long	count;
3095 	} *uap = (struct a *)clwp->lwp_ap;
3096 
3097 	command = (uint32_t)uap->command;
3098 	buf = (uintptr_t)uap->buf;
3099 
3100 	au_uwrite(au_to_arg32(1, "cmd", command));
3101 
3102 	switch (command) {
3103 	case SI_SET_HOSTNAME:
3104 	{
3105 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3106 			return;
3107 
3108 		maxlen = SYS_NMLN;
3109 		name = kmem_alloc(maxlen, KM_SLEEP);
3110 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3111 			break;
3112 
3113 		/*
3114 		 * Must be non-NULL string and string
3115 		 * must be less than SYS_NMLN chars.
3116 		 */
3117 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3118 			break;
3119 
3120 		au_uwrite(au_to_text(name));
3121 		break;
3122 	}
3123 
3124 	case SI_SET_SRPC_DOMAIN:
3125 	{
3126 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3127 			return;
3128 
3129 		maxlen = SYS_NMLN;
3130 		name = kmem_alloc(maxlen, KM_SLEEP);
3131 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3132 			break;
3133 
3134 		/*
3135 		 * If string passed in is longer than length
3136 		 * allowed for domain name, fail.
3137 		 */
3138 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3139 			break;
3140 
3141 		au_uwrite(au_to_text(name));
3142 		break;
3143 	}
3144 
3145 	default:
3146 		return;
3147 	}
3148 
3149 	kmem_free(name, maxlen);
3150 }
3151 
3152 static au_event_t
3153 aui_modctl(au_event_t e)
3154 {
3155 	klwp_t *clwp = ttolwp(curthread);
3156 	uint_t cmd;
3157 
3158 	struct a {
3159 		long	cmd;
3160 	} *uap = (struct a *)clwp->lwp_ap;
3161 
3162 	cmd = (uint_t)uap->cmd;
3163 
3164 	switch (cmd) {
3165 	case MODLOAD:
3166 		e = AUE_MODLOAD;
3167 		break;
3168 	case MODUNLOAD:
3169 		e = AUE_MODUNLOAD;
3170 		break;
3171 	case MODADDMAJBIND:
3172 		e = AUE_MODADDMAJ;
3173 		break;
3174 	case MODSETDEVPOLICY:
3175 		e = AUE_MODDEVPLCY;
3176 		break;
3177 	case MODALLOCPRIV:
3178 		e = AUE_MODADDPRIV;
3179 		break;
3180 	default:
3181 		e = AUE_NULL;
3182 		break;
3183 	}
3184 	return (e);
3185 }
3186 
3187 
3188 /*ARGSUSED*/
3189 static void
3190 aus_modctl(struct t_audit_data *tad)
3191 {
3192 	klwp_t *clwp = ttolwp(curthread);
3193 	void *a	= clwp->lwp_ap;
3194 	uint_t use_path;
3195 
3196 	switch (tad->tad_event) {
3197 	case AUE_MODLOAD: {
3198 		typedef struct {
3199 			long	cmd;
3200 			long	use_path;
3201 			long	filename;		/* char * */
3202 		} modloada_t;
3203 
3204 		char *filenamep;
3205 		uintptr_t fname;
3206 		extern char *default_path;
3207 
3208 		fname = (uintptr_t)((modloada_t *)a)->filename;
3209 		use_path = (uint_t)((modloada_t *)a)->use_path;
3210 
3211 			/* space to hold path */
3212 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3213 			/* get string */
3214 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3215 				/* free allocated path */
3216 			kmem_free(filenamep, MOD_MAXPATH);
3217 			return;
3218 		}
3219 			/* ensure it's null terminated */
3220 		filenamep[MOD_MAXPATH - 1] = 0;
3221 
3222 		if (use_path)
3223 			au_uwrite(au_to_text(default_path));
3224 		au_uwrite(au_to_text(filenamep));
3225 
3226 			/* release temporary memory */
3227 		kmem_free(filenamep, MOD_MAXPATH);
3228 		break;
3229 	}
3230 	case AUE_MODUNLOAD: {
3231 		typedef struct {
3232 			long	cmd;
3233 			long	id;
3234 		} modunloada_t;
3235 
3236 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3237 
3238 		au_uwrite(au_to_arg32(1, "id", id));
3239 		break;
3240 	}
3241 	case AUE_MODADDMAJ: {
3242 		STRUCT_DECL(modconfig, mc);
3243 		typedef struct {
3244 			long	cmd;
3245 			long	subcmd;
3246 			long	data;		/* int * */
3247 		} modconfiga_t;
3248 
3249 		STRUCT_DECL(aliases, alias);
3250 		caddr_t ap;
3251 		int i, num_aliases;
3252 		char *drvname, *mc_drvname;
3253 		char *name;
3254 		extern char *ddi_major_to_name(major_t);
3255 		model_t model;
3256 
3257 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3258 
3259 		model = get_udatamodel();
3260 		STRUCT_INIT(mc, model);
3261 			/* sanitize buffer */
3262 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3263 			/* get user arguments */
3264 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3265 		    STRUCT_SIZE(mc)) != 0)
3266 			return;
3267 
3268 		mc_drvname = STRUCT_FGET(mc, drvname);
3269 		if ((drvname = ddi_major_to_name(
3270 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3271 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3272 				/* safety */
3273 			if (mc_drvname[0] != '\0') {
3274 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3275 				au_uwrite(au_to_text(mc_drvname));
3276 			}
3277 				/* drvname != NULL from test above */
3278 			au_uwrite(au_to_text(drvname));
3279 			return;
3280 		}
3281 
3282 		if (mc_drvname[0] != '\0') {
3283 				/* safety */
3284 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3285 			au_uwrite(au_to_text(mc_drvname));
3286 		} else
3287 			au_uwrite(au_to_text("no drvname"));
3288 
3289 		num_aliases = STRUCT_FGET(mc, num_aliases);
3290 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3291 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3292 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3293 		STRUCT_INIT(alias, model);
3294 		for (i = 0; i < num_aliases; i++) {
3295 			bzero((caddr_t)STRUCT_BUF(alias),
3296 			    STRUCT_SIZE(alias));
3297 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3298 			    STRUCT_SIZE(alias)) != 0)
3299 				break;
3300 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3301 			    MAXMODCONFNAME, NULL) != 0) {
3302 				break;
3303 			}
3304 
3305 			au_uwrite(au_to_text(name));
3306 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3307 		}
3308 		kmem_free(name, MAXMODCONFNAME);
3309 		break;
3310 	}
3311 	default:
3312 		break;
3313 	}
3314 }
3315 
3316 
3317 /*ARGSUSED*/
3318 static void
3319 auf_accept(
3320 	struct t_audit_data *tad,
3321 	int	error,
3322 	rval_t	*rval)
3323 {
3324 	uint32_t scid;
3325 	uint32_t sy_flags;
3326 	int fd;
3327 	struct sonode *so;
3328 	char so_laddr[sizeof (struct sockaddr_in6)];
3329 	char so_faddr[sizeof (struct sockaddr_in6)];
3330 	int err;
3331 	int len;
3332 	short so_family, so_type;
3333 	int add_sock_token = 0;
3334 
3335 	/* need to determine type of executing binary */
3336 	scid = tad->tad_scid;
3337 #ifdef _SYSCALL32_IMPL
3338 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3339 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3340 	else
3341 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3342 #else
3343 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3344 #endif
3345 	if (sy_flags == SE_32RVAL1)
3346 		fd = rval->r_val1;
3347 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3348 		fd = rval->r_val1;
3349 	if (sy_flags == SE_64RVAL)
3350 		fd = (int)rval->r_vals;
3351 
3352 	if (error) {
3353 		/* can't trust socket contents. Just return */
3354 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3355 		return;
3356 	}
3357 
3358 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3359 		/*
3360 		 * not security relevant if doing a accept from non socket
3361 		 * so no extra tokens. Should probably turn off audit record
3362 		 * generation here.
3363 		 */
3364 		return;
3365 	}
3366 
3367 	so_family = so->so_family;
3368 	so_type   = so->so_type;
3369 
3370 	switch (so_family) {
3371 	case AF_INET:
3372 	case AF_INET6:
3373 		/*
3374 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3375 		 */
3376 		if (so->so_type == SOCK_STREAM) {
3377 
3378 			bzero((void *)so_laddr, sizeof (so_laddr));
3379 			bzero((void *)so_faddr, sizeof (so_faddr));
3380 
3381 			/*
3382 			 * no local address then need to get it from lower
3383 			 * levels. only put out record on first read ala
3384 			 * AUE_WRITE.
3385 			 */
3386 			if (so->so_state & SS_ISBOUND) {
3387 				/* only done once on a connection */
3388 				(void) SOP_GETSOCKNAME(so);
3389 				(void) SOP_GETPEERNAME(so);
3390 
3391 				/* get local and foreign addresses */
3392 				mutex_enter(&so->so_lock);
3393 				len = min(so->so_laddr_len, sizeof (so_laddr));
3394 				bcopy(so->so_laddr_sa, so_laddr, len);
3395 				len = min(so->so_faddr_len, sizeof (so_faddr));
3396 				bcopy(so->so_faddr_sa, so_faddr, len);
3397 				mutex_exit(&so->so_lock);
3398 			}
3399 
3400 			add_sock_token = 1;
3401 		}
3402 		break;
3403 
3404 	default:
3405 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3406 		break;
3407 	}
3408 
3409 	releasef(fd);
3410 
3411 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3412 
3413 	if (add_sock_token == 0) {
3414 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3415 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3416 		return;
3417 	}
3418 
3419 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3420 
3421 }
3422 
3423 /*ARGSUSED*/
3424 static void
3425 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3426 {
3427 	struct a {
3428 		long	fd;
3429 		long	addr;
3430 		long	len;
3431 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3432 
3433 	struct sonode *so;
3434 	char so_laddr[sizeof (struct sockaddr_in6)];
3435 	char so_faddr[sizeof (struct sockaddr_in6)];
3436 	int err, fd;
3437 	int len;
3438 	short so_family, so_type;
3439 	int add_sock_token = 0;
3440 
3441 	fd = (int)uap->fd;
3442 
3443 	/*
3444 	 * bind failed, then nothing extra to add to audit record.
3445 	 */
3446 	if (error) {
3447 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3448 		/* XXX may want to add failed address some day */
3449 		return;
3450 	}
3451 
3452 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3453 		/*
3454 		 * not security relevant if doing a bind from non socket
3455 		 * so no extra tokens. Should probably turn off audit record
3456 		 * generation here.
3457 		 */
3458 		return;
3459 	}
3460 
3461 	so_family = so->so_family;
3462 	so_type   = so->so_type;
3463 
3464 	switch (so_family) {
3465 	case AF_INET:
3466 	case AF_INET6:
3467 
3468 		bzero(so_faddr, sizeof (so_faddr));
3469 
3470 		if (so->so_state & SS_ISBOUND) {
3471 			/* only done once on a connection */
3472 			(void) SOP_GETSOCKNAME(so);
3473 		}
3474 
3475 		mutex_enter(&so->so_lock);
3476 		len = min(so->so_laddr_len, sizeof (so_laddr));
3477 		bcopy(so->so_laddr_sa, so_laddr, len);
3478 		mutex_exit(&so->so_lock);
3479 
3480 		add_sock_token = 1;
3481 
3482 		break;
3483 
3484 	case AF_UNIX:
3485 		/* token added by lookup */
3486 		break;
3487 	default:
3488 		/* AF_ROUTE, AF_KEY do not support accept */
3489 		break;
3490 	}
3491 
3492 	releasef(fd);
3493 
3494 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3495 
3496 	if (add_sock_token == 0) {
3497 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3498 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3499 		return;
3500 	}
3501 
3502 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3503 
3504 }
3505 
3506 /*ARGSUSED*/
3507 static void
3508 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3509 {
3510 	struct a {
3511 		long	fd;
3512 		long	addr;
3513 		long	len;
3514 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3515 
3516 	struct sonode *so;
3517 	char so_laddr[sizeof (struct sockaddr_in6)];
3518 	char so_faddr[sizeof (struct sockaddr_in6)];
3519 	int err, fd;
3520 	int len;
3521 	short so_family, so_type;
3522 	int add_sock_token = 0;
3523 
3524 	fd = (int)uap->fd;
3525 
3526 
3527 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3528 		/*
3529 		 * not security relevant if doing a connect from non socket
3530 		 * so no extra tokens. Should probably turn off audit record
3531 		 * generation here.
3532 		 */
3533 		return;
3534 	}
3535 
3536 	so_family = so->so_family;
3537 	so_type   = so->so_type;
3538 
3539 	switch (so_family) {
3540 	case AF_INET:
3541 	case AF_INET6:
3542 		/*
3543 		 * no local address then need to get it from lower
3544 		 * levels.
3545 		 */
3546 		if (so->so_state & SS_ISBOUND) {
3547 			/* only done once on a connection */
3548 			(void) SOP_GETSOCKNAME(so);
3549 			(void) SOP_GETPEERNAME(so);
3550 		}
3551 
3552 		bzero(so_laddr, sizeof (so_laddr));
3553 		bzero(so_faddr, sizeof (so_faddr));
3554 
3555 		mutex_enter(&so->so_lock);
3556 		len = min(so->so_laddr_len, sizeof (so_laddr));
3557 		bcopy(so->so_laddr_sa, so_laddr, len);
3558 		if (error) {
3559 			mutex_exit(&so->so_lock);
3560 			if (uap->addr == NULL)
3561 				break;
3562 			if (uap->len <= 0)
3563 				break;
3564 			len = min(uap->len, sizeof (so_faddr));
3565 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3566 				break;
3567 #ifdef NOTYET
3568 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3569 #endif
3570 		} else {
3571 			/* sanity check on length */
3572 			len = min(so->so_faddr_len, sizeof (so_faddr));
3573 			bcopy(so->so_faddr_sa, so_faddr, len);
3574 			mutex_exit(&so->so_lock);
3575 		}
3576 
3577 		add_sock_token = 1;
3578 
3579 		break;
3580 
3581 	case AF_UNIX:
3582 		/* does a lookup on name */
3583 		break;
3584 
3585 	default:
3586 		/* AF_ROUTE, AF_KEY do not support accept */
3587 		break;
3588 	}
3589 
3590 	releasef(fd);
3591 
3592 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3593 
3594 	if (add_sock_token == 0) {
3595 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3596 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3597 		return;
3598 	}
3599 
3600 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3601 
3602 }
3603 
3604 /*ARGSUSED*/
3605 static void
3606 aus_shutdown(struct t_audit_data *tad)
3607 {
3608 	struct a {
3609 		long	fd;
3610 		long	how;
3611 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3612 
3613 	struct sonode *so;
3614 	char so_laddr[sizeof (struct sockaddr_in6)];
3615 	char so_faddr[sizeof (struct sockaddr_in6)];
3616 	int err, fd;
3617 	int len;
3618 	short so_family, so_type;
3619 	int add_sock_token = 0;
3620 	file_t *fp;				/* unix domain sockets */
3621 	struct f_audit_data *fad;		/* unix domain sockets */
3622 
3623 	fd = (int)uap->fd;
3624 
3625 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3626 		/*
3627 		 * not security relevant if doing a shutdown using non socket
3628 		 * so no extra tokens. Should probably turn off audit record
3629 		 * generation here.
3630 		 */
3631 		return;
3632 	}
3633 
3634 	so_family = so->so_family;
3635 	so_type   = so->so_type;
3636 
3637 	switch (so_family) {
3638 	case AF_INET:
3639 	case AF_INET6:
3640 
3641 		bzero(so_laddr, sizeof (so_laddr));
3642 		bzero(so_faddr, sizeof (so_faddr));
3643 
3644 		if (so->so_state & SS_ISBOUND) {
3645 			/*
3646 			 * no local address then need to get it from lower
3647 			 * levels.
3648 			 */
3649 			if (so->so_laddr_len == 0)
3650 				(void) SOP_GETSOCKNAME(so);
3651 			if (so->so_faddr_len == 0)
3652 				(void) SOP_GETPEERNAME(so);
3653 		}
3654 
3655 		mutex_enter(&so->so_lock);
3656 		len = min(so->so_laddr_len, sizeof (so_laddr));
3657 		bcopy(so->so_laddr_sa, so_laddr, len);
3658 		len = min(so->so_faddr_len, sizeof (so_faddr));
3659 		bcopy(so->so_faddr_sa, so_faddr, len);
3660 		mutex_exit(&so->so_lock);
3661 
3662 		add_sock_token = 1;
3663 
3664 		break;
3665 
3666 	case AF_UNIX:
3667 
3668 		/* get path from file struct here */
3669 		fad = F2A(fp);
3670 		ASSERT(fad);
3671 
3672 		if (fad->fad_aupath != NULL) {
3673 			au_uwrite(au_to_path(fad->fad_aupath));
3674 		} else {
3675 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3676 		}
3677 
3678 		audit_attributes(fp->f_vnode);
3679 
3680 		break;
3681 
3682 	default:
3683 		/*
3684 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3685 		 * added.
3686 		 */
3687 		break;
3688 	}
3689 
3690 	releasef(fd);
3691 
3692 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3693 
3694 	if (add_sock_token == 0) {
3695 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3696 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3697 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3698 		return;
3699 	}
3700 
3701 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3702 
3703 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3704 
3705 }
3706 
3707 /*ARGSUSED*/
3708 static void
3709 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3710 {
3711 	struct a {
3712 		long	fd;
3713 		long	level;
3714 		long	optname;
3715 		long	*optval;
3716 		long	optlen;
3717 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3718 
3719 	struct sonode	*so;
3720 	char so_laddr[sizeof (struct sockaddr_in6)];
3721 	char so_faddr[sizeof (struct sockaddr_in6)];
3722 	char		val[AU_BUFSIZE];
3723 	int		err, fd;
3724 	int		len;
3725 	short so_family, so_type;
3726 	int		add_sock_token = 0;
3727 	file_t *fp;				/* unix domain sockets */
3728 	struct f_audit_data *fad;		/* unix domain sockets */
3729 
3730 	fd = (int)uap->fd;
3731 
3732 	if (error) {
3733 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3734 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3735 		/* XXX may want to include other arguments */
3736 		return;
3737 	}
3738 
3739 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3740 		/*
3741 		 * not security relevant if doing a setsockopt from non socket
3742 		 * so no extra tokens. Should probably turn off audit record
3743 		 * generation here.
3744 		 */
3745 		return;
3746 	}
3747 
3748 	so_family = so->so_family;
3749 	so_type   = so->so_type;
3750 
3751 	switch (so_family) {
3752 	case AF_INET:
3753 	case AF_INET6:
3754 
3755 		bzero((void *)so_laddr, sizeof (so_laddr));
3756 		bzero((void *)so_faddr, sizeof (so_faddr));
3757 
3758 		if (so->so_state & SS_ISBOUND) {
3759 			if (so->so_laddr_len == 0)
3760 				(void) SOP_GETSOCKNAME(so);
3761 			if (so->so_faddr_len == 0)
3762 				(void) SOP_GETPEERNAME(so);
3763 		}
3764 
3765 		/* get local and foreign addresses */
3766 		mutex_enter(&so->so_lock);
3767 		len = min(so->so_laddr_len, sizeof (so_laddr));
3768 		bcopy(so->so_laddr_sa, so_laddr, len);
3769 		len = min(so->so_faddr_len, sizeof (so_faddr));
3770 		bcopy(so->so_faddr_sa, so_faddr, len);
3771 		mutex_exit(&so->so_lock);
3772 
3773 		add_sock_token = 1;
3774 
3775 		break;
3776 
3777 	case AF_UNIX:
3778 
3779 		/* get path from file struct here */
3780 		fad = F2A(fp);
3781 		ASSERT(fad);
3782 
3783 		if (fad->fad_aupath != NULL) {
3784 			au_uwrite(au_to_path(fad->fad_aupath));
3785 		} else {
3786 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3787 		}
3788 
3789 		audit_attributes(fp->f_vnode);
3790 
3791 		break;
3792 
3793 	default:
3794 		/*
3795 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3796 		 * added.
3797 		 */
3798 		break;
3799 	}
3800 
3801 	releasef(fd);
3802 
3803 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3804 
3805 	if (add_sock_token == 0) {
3806 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3807 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3808 	}
3809 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3810 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3811 
3812 	bzero(val, sizeof (val));
3813 	len = min(uap->optlen, sizeof (val));
3814 	if ((len > 0) &&
3815 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3816 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3817 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3818 	}
3819 
3820 	if (add_sock_token == 0)
3821 		return;
3822 
3823 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3824 
3825 }
3826 
3827 /*ARGSUSED*/
3828 static void
3829 aus_sockconfig(tad)
3830 	struct t_audit_data *tad;
3831 {
3832 	struct a {
3833 		long	domain;
3834 		long	type;
3835 		long	protocol;
3836 		long	devpath;
3837 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3838 
3839 	char	*kdevpath;
3840 	int	kdevpathlen = MAXPATHLEN + 1;
3841 	size_t	size;
3842 
3843 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3844 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3845 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3846 
3847 	if (uap->devpath == 0) {
3848 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3849 	} else {
3850 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3851 
3852 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3853 			&size)) {
3854 			kmem_free(kdevpath, kdevpathlen);
3855 			return;
3856 		}
3857 
3858 		if (size > MAXPATHLEN) {
3859 			kmem_free(kdevpath, kdevpathlen);
3860 			return;
3861 		}
3862 
3863 		au_uwrite(au_to_text(kdevpath));
3864 		kmem_free(kdevpath, kdevpathlen);
3865 	}
3866 }
3867 
3868 /*
3869  * only audit recvmsg when the system call represents the creation of a new
3870  * circuit. This effectively occurs for all UDP packets and may occur for
3871  * special TCP situations where the local host has not set a local address
3872  * in the socket structure.
3873  */
3874 /*ARGSUSED*/
3875 static void
3876 auf_recvmsg(
3877 	struct t_audit_data *tad,
3878 	int error,
3879 	rval_t *rvp)
3880 {
3881 	struct a {
3882 		long	fd;
3883 		long	msg;	/* struct msghdr */
3884 		long	flags;
3885 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3886 
3887 	struct sonode	*so;
3888 	STRUCT_DECL(msghdr, msg);
3889 	caddr_t msg_name;
3890 	socklen_t msg_namelen;
3891 	int fd;
3892 	int err;
3893 	char so_laddr[sizeof (struct sockaddr_in6)];
3894 	char so_faddr[sizeof (struct sockaddr_in6)];
3895 	int len;
3896 	file_t *fp;				/* unix domain sockets */
3897 	struct f_audit_data *fad;		/* unix domain sockets */
3898 	short so_family, so_type;
3899 	int add_sock_token = 0;
3900 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3901 
3902 	fd = (int)uap->fd;
3903 
3904 	/* bail if an error */
3905 	if (error) {
3906 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3907 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3908 		return;
3909 	}
3910 
3911 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3912 		/*
3913 		 * not security relevant if doing a recvmsg from non socket
3914 		 * so no extra tokens. Should probably turn off audit record
3915 		 * generation here.
3916 		 */
3917 		return;
3918 	}
3919 
3920 	so_family = so->so_family;
3921 	so_type   = so->so_type;
3922 
3923 	/*
3924 	 * only putout SOCKET_EX token if INET/INET6 family.
3925 	 * XXX - what do we do about other families?
3926 	 */
3927 
3928 	switch (so_family) {
3929 	case AF_INET:
3930 	case AF_INET6:
3931 
3932 		/*
3933 		 * if datagram type socket, then just use what is in
3934 		 * socket structure for local address.
3935 		 * XXX - what do we do for other types?
3936 		 */
3937 		if ((so->so_type == SOCK_DGRAM) ||
3938 		    (so->so_type == SOCK_RAW)) {
3939 			add_sock_token = 1;
3940 
3941 			bzero((void *)so_laddr, sizeof (so_laddr));
3942 			bzero((void *)so_faddr, sizeof (so_faddr));
3943 
3944 			/* get local address */
3945 			mutex_enter(&so->so_lock);
3946 			len = min(so->so_laddr_len, sizeof (so_laddr));
3947 			bcopy(so->so_laddr_sa, so_laddr, len);
3948 			mutex_exit(&so->so_lock);
3949 
3950 			/* get peer address */
3951 			STRUCT_INIT(msg, get_udatamodel());
3952 
3953 			if (copyin((caddr_t)(uap->msg),
3954 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3955 				break;
3956 			}
3957 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3958 			if (msg_name == NULL) {
3959 				break;
3960 			}
3961 
3962 			/* length is value from recvmsg - sanity check */
3963 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3964 			if (msg_namelen == 0) {
3965 				break;
3966 			}
3967 			if (copyin(msg_name, so_faddr,
3968 			    sizeof (so_faddr)) != 0) {
3969 				break;
3970 			}
3971 
3972 		} else if (so->so_type == SOCK_STREAM) {
3973 
3974 			/* get path from file struct here */
3975 			fad = F2A(fp);
3976 			ASSERT(fad);
3977 
3978 			/*
3979 			 * already processed this file for read attempt
3980 			 */
3981 			if (fad->fad_flags & FAD_READ) {
3982 				/* don't want to audit every recvmsg attempt */
3983 				tad->tad_flag = 0;
3984 				/* free any residual audit data */
3985 				au_close(kctx, &(u_ad), 0, 0, 0);
3986 				releasef(fd);
3987 				return;
3988 			}
3989 			/*
3990 			 * mark things so we know what happened and don't
3991 			 * repeat things
3992 			 */
3993 			fad->fad_flags |= FAD_READ;
3994 
3995 			bzero((void *)so_laddr, sizeof (so_laddr));
3996 			bzero((void *)so_faddr, sizeof (so_faddr));
3997 
3998 			if (so->so_state & SS_ISBOUND) {
3999 
4000 				if (so->so_laddr_len == 0)
4001 					(void) SOP_GETSOCKNAME(so);
4002 				if (so->so_faddr_len == 0)
4003 					(void) SOP_GETPEERNAME(so);
4004 
4005 				/* get local and foreign addresses */
4006 				mutex_enter(&so->so_lock);
4007 				len = min(so->so_laddr_len, sizeof (so_laddr));
4008 				bcopy(so->so_laddr_sa, so_laddr, len);
4009 				len = min(so->so_faddr_len, sizeof (so_faddr));
4010 				bcopy(so->so_faddr_sa, so_faddr, len);
4011 				mutex_exit(&so->so_lock);
4012 			}
4013 
4014 			add_sock_token = 1;
4015 		}
4016 
4017 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4018 
4019 		break;
4020 
4021 	case AF_UNIX:
4022 		/*
4023 		 * first check if this is first time through. Too much
4024 		 * duplicate code to put this in an aui_ routine.
4025 		 */
4026 
4027 		/* get path from file struct here */
4028 		fad = F2A(fp);
4029 		ASSERT(fad);
4030 
4031 		/*
4032 		 * already processed this file for read attempt
4033 		 */
4034 		if (fad->fad_flags & FAD_READ) {
4035 			releasef(fd);
4036 			/* don't want to audit every recvmsg attempt */
4037 			tad->tad_flag = 0;
4038 			/* free any residual audit data */
4039 			au_close(kctx, &(u_ad), 0, 0, 0);
4040 			return;
4041 		}
4042 		/*
4043 		 * mark things so we know what happened and don't
4044 		 * repeat things
4045 		 */
4046 		fad->fad_flags |= FAD_READ;
4047 
4048 		if (fad->fad_aupath != NULL) {
4049 			au_uwrite(au_to_path(fad->fad_aupath));
4050 		} else {
4051 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4052 		}
4053 
4054 		audit_attributes(fp->f_vnode);
4055 
4056 		releasef(fd);
4057 
4058 		return;
4059 
4060 	default:
4061 		break;
4062 
4063 	}
4064 
4065 	releasef(fd);
4066 
4067 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4068 
4069 	if (add_sock_token == 0) {
4070 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4071 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4072 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4073 		return;
4074 	}
4075 
4076 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4077 
4078 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4079 
4080 }
4081 
4082 /*ARGSUSED*/
4083 static void
4084 auf_recvfrom(
4085 	struct t_audit_data *tad,
4086 	int error,
4087 	rval_t *rvp)
4088 {
4089 
4090 	struct a {
4091 		long	fd;
4092 		long	msg;	/* char */
4093 		long	len;
4094 		long	flags;
4095 		long	from;	/* struct sockaddr */
4096 		long	fromlen;
4097 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4098 
4099 	socklen_t	fromlen;
4100 	struct sonode	*so;
4101 	char so_laddr[sizeof (struct sockaddr_in6)];
4102 	char so_faddr[sizeof (struct sockaddr_in6)];
4103 	int		fd;
4104 	short so_family, so_type;
4105 	int add_sock_token = 0;
4106 	int len;
4107 	int err;
4108 	struct file *fp;
4109 	struct f_audit_data *fad;		/* unix domain sockets */
4110 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4111 
4112 	fd = (int)uap->fd;
4113 
4114 	/* bail if an error */
4115 	if (error) {
4116 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4117 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4118 		return;
4119 	}
4120 
4121 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4122 		/*
4123 		 * not security relevant if doing a recvmsg from non socket
4124 		 * so no extra tokens. Should probably turn off audit record
4125 		 * generation here.
4126 		 */
4127 		return;
4128 	}
4129 
4130 	so_family = so->so_family;
4131 	so_type   = so->so_type;
4132 
4133 	/*
4134 	 * only putout SOCKET_EX token if INET/INET6 family.
4135 	 * XXX - what do we do about other families?
4136 	 */
4137 
4138 	switch (so_family) {
4139 	case AF_INET:
4140 	case AF_INET6:
4141 
4142 		/*
4143 		 * if datagram type socket, then just use what is in
4144 		 * socket structure for local address.
4145 		 * XXX - what do we do for other types?
4146 		 */
4147 		if ((so->so_type == SOCK_DGRAM) ||
4148 		    (so->so_type == SOCK_RAW)) {
4149 			add_sock_token = 1;
4150 
4151 			/* get local address */
4152 			mutex_enter(&so->so_lock);
4153 			len = min(so->so_laddr_len, sizeof (so_laddr));
4154 			bcopy(so->so_laddr_sa, so_laddr, len);
4155 			mutex_exit(&so->so_lock);
4156 
4157 			/* get peer address */
4158 			bzero((void *)so_faddr, sizeof (so_faddr));
4159 
4160 			/* sanity check */
4161 			if (uap->from == NULL)
4162 				break;
4163 
4164 			/* sanity checks */
4165 			if (uap->fromlen == 0)
4166 				break;
4167 
4168 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4169 			    sizeof (fromlen)) != 0)
4170 				break;
4171 
4172 			if (fromlen == 0)
4173 				break;
4174 
4175 			/* enforce maximum size */
4176 			if (fromlen > sizeof (so_faddr))
4177 				fromlen = sizeof (so_faddr);
4178 
4179 			if (copyin((caddr_t)(uap->from), so_faddr,
4180 			    fromlen) != 0)
4181 				break;
4182 
4183 		} else if (so->so_type == SOCK_STREAM) {
4184 
4185 			/* get path from file struct here */
4186 			fad = F2A(fp);
4187 			ASSERT(fad);
4188 
4189 			/*
4190 			 * already processed this file for read attempt
4191 			 */
4192 			if (fad->fad_flags & FAD_READ) {
4193 				/* don't want to audit every recvfrom attempt */
4194 				tad->tad_flag = 0;
4195 				/* free any residual audit data */
4196 				au_close(kctx, &(u_ad), 0, 0, 0);
4197 				releasef(fd);
4198 				return;
4199 			}
4200 			/*
4201 			 * mark things so we know what happened and don't
4202 			 * repeat things
4203 			 */
4204 			fad->fad_flags |= FAD_READ;
4205 
4206 			bzero((void *)so_laddr, sizeof (so_laddr));
4207 			bzero((void *)so_faddr, sizeof (so_faddr));
4208 
4209 			if (so->so_state & SS_ISBOUND) {
4210 
4211 				if (so->so_laddr_len == 0)
4212 					(void) SOP_GETSOCKNAME(so);
4213 				if (so->so_faddr_len == 0)
4214 					(void) SOP_GETPEERNAME(so);
4215 
4216 				/* get local and foreign addresses */
4217 				mutex_enter(&so->so_lock);
4218 				len = min(so->so_laddr_len, sizeof (so_laddr));
4219 				bcopy(so->so_laddr_sa, so_laddr, len);
4220 				len = min(so->so_faddr_len, sizeof (so_faddr));
4221 				bcopy(so->so_faddr_sa, so_faddr, len);
4222 				mutex_exit(&so->so_lock);
4223 			}
4224 
4225 			add_sock_token = 1;
4226 		}
4227 
4228 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4229 
4230 		break;
4231 
4232 	case AF_UNIX:
4233 		/*
4234 		 * first check if this is first time through. Too much
4235 		 * duplicate code to put this in an aui_ routine.
4236 		 */
4237 
4238 		/* get path from file struct here */
4239 		fad = F2A(fp);
4240 		ASSERT(fad);
4241 
4242 		/*
4243 		 * already processed this file for read attempt
4244 		 */
4245 		if (fad->fad_flags & FAD_READ) {
4246 			/* don't want to audit every recvfrom attempt */
4247 			tad->tad_flag = 0;
4248 			/* free any residual audit data */
4249 			au_close(kctx, &(u_ad), 0, 0, 0);
4250 			releasef(fd);
4251 			return;
4252 		}
4253 		/*
4254 		 * mark things so we know what happened and don't
4255 		 * repeat things
4256 		 */
4257 		fad->fad_flags |= FAD_READ;
4258 
4259 		if (fad->fad_aupath != NULL) {
4260 			au_uwrite(au_to_path(fad->fad_aupath));
4261 		} else {
4262 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4263 		}
4264 
4265 		audit_attributes(fp->f_vnode);
4266 
4267 		releasef(fd);
4268 
4269 		return;
4270 
4271 	default:
4272 		break;
4273 
4274 	}
4275 
4276 	releasef(fd);
4277 
4278 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4279 
4280 	if (add_sock_token == 0) {
4281 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4282 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4283 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4284 		return;
4285 	}
4286 
4287 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4288 
4289 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4290 }
4291 
4292 /*ARGSUSED*/
4293 static void
4294 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4295 {
4296 	struct a {
4297 		long	fd;
4298 		long	msg;	/* struct msghdr */
4299 		long	flags;
4300 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4301 
4302 	struct sonode	*so;
4303 	char so_laddr[sizeof (struct sockaddr_in6)];
4304 	char so_faddr[sizeof (struct sockaddr_in6)];
4305 	int		err;
4306 	int		fd;
4307 	short so_family, so_type;
4308 	int		add_sock_token = 0;
4309 	int		len;
4310 	struct file	*fp;
4311 	struct f_audit_data *fad;
4312 	caddr_t		msg_name;
4313 	socklen_t	msg_namelen;
4314 	STRUCT_DECL(msghdr, msg);
4315 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4316 
4317 	fd = (int)uap->fd;
4318 
4319 	/* bail if an error */
4320 	if (error) {
4321 		/* XXX include destination address from system call arguments */
4322 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4323 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4324 		return;
4325 	}
4326 
4327 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4328 		/*
4329 		 * not security relevant if doing a sendmsg from non socket
4330 		 * so no extra tokens. Should probably turn off audit record
4331 		 * generation here.
4332 		 */
4333 		return;
4334 	}
4335 
4336 	so_family = so->so_family;
4337 	so_type   = so->so_type;
4338 
4339 	switch (so_family) {
4340 	case AF_INET:
4341 	case AF_INET6:
4342 		/*
4343 		 * if datagram type socket, then just use what is in
4344 		 * socket structure for local address.
4345 		 * XXX - what do we do for other types?
4346 		 */
4347 		if ((so->so_type == SOCK_DGRAM) ||
4348 		    (so->so_type == SOCK_RAW)) {
4349 
4350 			bzero((void *)so_laddr, sizeof (so_laddr));
4351 			bzero((void *)so_faddr, sizeof (so_faddr));
4352 
4353 			/* get local address */
4354 			mutex_enter(&so->so_lock);
4355 			len = min(so->so_laddr_len, sizeof (so_laddr));
4356 			bcopy(so->so_laddr_sa, so_laddr, len);
4357 			mutex_exit(&so->so_lock);
4358 
4359 			/* get peer address */
4360 			STRUCT_INIT(msg, get_udatamodel());
4361 
4362 			if (copyin((caddr_t)(uap->msg),
4363 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4364 				break;
4365 			}
4366 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4367 			if (msg_name == NULL)
4368 				break;
4369 
4370 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4371 			/* length is value from recvmsg - sanity check */
4372 			if (msg_namelen == 0)
4373 				break;
4374 
4375 			if (copyin(msg_name, so_faddr,
4376 			    sizeof (so_faddr)) != 0)
4377 				break;
4378 
4379 			add_sock_token = 1;
4380 
4381 		} else if (so->so_type == SOCK_STREAM) {
4382 
4383 			/* get path from file struct here */
4384 			fad = F2A(fp);
4385 			ASSERT(fad);
4386 
4387 			/*
4388 			 * already processed this file for write attempt
4389 			 */
4390 			if (fad->fad_flags & FAD_WRITE) {
4391 				releasef(fd);
4392 				/* don't want to audit every sendmsg attempt */
4393 				tad->tad_flag = 0;
4394 				/* free any residual audit data */
4395 				au_close(kctx, &(u_ad), 0, 0, 0);
4396 				return;
4397 			}
4398 
4399 			/*
4400 			 * mark things so we know what happened and don't
4401 			 * repeat things
4402 			 */
4403 			fad->fad_flags |= FAD_WRITE;
4404 
4405 			bzero((void *)so_laddr, sizeof (so_laddr));
4406 			bzero((void *)so_faddr, sizeof (so_faddr));
4407 
4408 			if (so->so_state & SS_ISBOUND) {
4409 
4410 				if (so->so_laddr_len == 0)
4411 					(void) SOP_GETSOCKNAME(so);
4412 				if (so->so_faddr_len == 0)
4413 					(void) SOP_GETPEERNAME(so);
4414 
4415 				/* get local and foreign addresses */
4416 				mutex_enter(&so->so_lock);
4417 				len = min(so->so_laddr_len, sizeof (so_laddr));
4418 				bcopy(so->so_laddr_sa, so_laddr, len);
4419 				len = min(so->so_faddr_len, sizeof (so_faddr));
4420 				bcopy(so->so_faddr_sa, so_faddr, len);
4421 				mutex_exit(&so->so_lock);
4422 			}
4423 
4424 			add_sock_token = 1;
4425 		}
4426 
4427 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4428 
4429 		break;
4430 
4431 	case AF_UNIX:
4432 		/*
4433 		 * first check if this is first time through. Too much
4434 		 * duplicate code to put this in an aui_ routine.
4435 		 */
4436 
4437 		/* get path from file struct here */
4438 		fad = F2A(fp);
4439 		ASSERT(fad);
4440 
4441 		/*
4442 		 * already processed this file for write attempt
4443 		 */
4444 		if (fad->fad_flags & FAD_WRITE) {
4445 			releasef(fd);
4446 			/* don't want to audit every sendmsg attempt */
4447 			tad->tad_flag = 0;
4448 			/* free any residual audit data */
4449 			au_close(kctx, &(u_ad), 0, 0, 0);
4450 			return;
4451 		}
4452 		/*
4453 		 * mark things so we know what happened and don't
4454 		 * repeat things
4455 		 */
4456 		fad->fad_flags |= FAD_WRITE;
4457 
4458 		if (fad->fad_aupath != NULL) {
4459 			au_uwrite(au_to_path(fad->fad_aupath));
4460 		} else {
4461 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4462 		}
4463 
4464 		audit_attributes(fp->f_vnode);
4465 
4466 		releasef(fd);
4467 
4468 		return;
4469 
4470 	default:
4471 		break;
4472 	}
4473 
4474 	releasef(fd);
4475 
4476 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4477 
4478 	if (add_sock_token == 0) {
4479 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4480 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4481 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4482 		return;
4483 	}
4484 
4485 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4486 
4487 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4488 }
4489 
4490 /*ARGSUSED*/
4491 static void
4492 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4493 {
4494 	struct a {
4495 		long	fd;
4496 		long	msg;	/* char */
4497 		long	len;
4498 		long	flags;
4499 		long	to;	/* struct sockaddr */
4500 		long	tolen;
4501 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4502 
4503 	struct sonode	*so;
4504 	char so_laddr[sizeof (struct sockaddr_in6)];
4505 	char so_faddr[sizeof (struct sockaddr_in6)];
4506 	socklen_t	tolen;
4507 	int		err;
4508 	int		fd;
4509 	int		len;
4510 	short so_family, so_type;
4511 	int		add_sock_token = 0;
4512 	struct file	*fp;
4513 	struct f_audit_data *fad;
4514 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4515 
4516 	fd = (int)uap->fd;
4517 
4518 	/* bail if an error */
4519 	if (error) {
4520 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4521 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4522 		/* XXX include destination address from system call arguments */
4523 		return;
4524 	}
4525 
4526 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4527 		/*
4528 		 * not security relevant if doing a sendto using non socket
4529 		 * so no extra tokens. Should probably turn off audit record
4530 		 * generation here.
4531 		 */
4532 		return;
4533 	}
4534 
4535 	so_family = so->so_family;
4536 	so_type   = so->so_type;
4537 
4538 	/*
4539 	 * only putout SOCKET_EX token if INET/INET6 family.
4540 	 * XXX - what do we do about other families?
4541 	 */
4542 
4543 	switch (so_family) {
4544 	case AF_INET:
4545 	case AF_INET6:
4546 
4547 		/*
4548 		 * if datagram type socket, then just use what is in
4549 		 * socket structure for local address.
4550 		 * XXX - what do we do for other types?
4551 		 */
4552 		if ((so->so_type == SOCK_DGRAM) ||
4553 		    (so->so_type == SOCK_RAW)) {
4554 
4555 			bzero((void *)so_laddr, sizeof (so_laddr));
4556 			bzero((void *)so_faddr, sizeof (so_faddr));
4557 
4558 			/* get local address */
4559 			mutex_enter(&so->so_lock);
4560 			len = min(so->so_laddr_len, sizeof (so_laddr));
4561 			bcopy(so->so_laddr_sa, so_laddr, len);
4562 			mutex_exit(&so->so_lock);
4563 
4564 			/* get peer address */
4565 
4566 			/* sanity check */
4567 			if (uap->to == NULL)
4568 				break;
4569 
4570 			/* sanity checks */
4571 			if (uap->tolen == 0)
4572 				break;
4573 
4574 			tolen = (socklen_t)uap->tolen;
4575 
4576 			/* enforce maximum size */
4577 			if (tolen > sizeof (so_faddr))
4578 				tolen = sizeof (so_faddr);
4579 
4580 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4581 				break;
4582 
4583 			add_sock_token = 1;
4584 		} else {
4585 			/*
4586 			 * check if this is first time through.
4587 			 */
4588 
4589 			/* get path from file struct here */
4590 			fad = F2A(fp);
4591 			ASSERT(fad);
4592 
4593 			/*
4594 			 * already processed this file for write attempt
4595 			 */
4596 			if (fad->fad_flags & FAD_WRITE) {
4597 				/* don't want to audit every sendto attempt */
4598 				tad->tad_flag = 0;
4599 				/* free any residual audit data */
4600 				au_close(kctx, &(u_ad), 0, 0, 0);
4601 				releasef(fd);
4602 				return;
4603 			}
4604 			/*
4605 			 * mark things so we know what happened and don't
4606 			 * repeat things
4607 			 */
4608 			fad->fad_flags |= FAD_WRITE;
4609 
4610 			bzero((void *)so_laddr, sizeof (so_laddr));
4611 			bzero((void *)so_faddr, sizeof (so_faddr));
4612 
4613 			if (so->so_state & SS_ISBOUND) {
4614 
4615 				if (so->so_laddr_len == 0)
4616 					(void) SOP_GETSOCKNAME(so);
4617 				if (so->so_faddr_len == 0)
4618 					(void) SOP_GETPEERNAME(so);
4619 
4620 				/* get local and foreign addresses */
4621 				mutex_enter(&so->so_lock);
4622 				len = min(so->so_laddr_len, sizeof (so_laddr));
4623 				bcopy(so->so_laddr_sa, so_laddr, len);
4624 				len = min(so->so_faddr_len, sizeof (so_faddr));
4625 				bcopy(so->so_faddr_sa, so_faddr, len);
4626 				mutex_exit(&so->so_lock);
4627 			}
4628 
4629 			add_sock_token = 1;
4630 		}
4631 
4632 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4633 
4634 		break;
4635 
4636 	case AF_UNIX:
4637 		/*
4638 		 * first check if this is first time through. Too much
4639 		 * duplicate code to put this in an aui_ routine.
4640 		 */
4641 
4642 		/* get path from file struct here */
4643 		fad = F2A(fp);
4644 		ASSERT(fad);
4645 
4646 		/*
4647 		 * already processed this file for write attempt
4648 		 */
4649 		if (fad->fad_flags & FAD_WRITE) {
4650 			/* don't want to audit every sendto attempt */
4651 			tad->tad_flag = 0;
4652 			/* free any residual audit data */
4653 			au_close(kctx, &(u_ad), 0, 0, 0);
4654 			releasef(fd);
4655 			return;
4656 		}
4657 		/*
4658 		 * mark things so we know what happened and don't
4659 		 * repeat things
4660 		 */
4661 		fad->fad_flags |= FAD_WRITE;
4662 
4663 		if (fad->fad_aupath != NULL) {
4664 			au_uwrite(au_to_path(fad->fad_aupath));
4665 		} else {
4666 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4667 		}
4668 
4669 		audit_attributes(fp->f_vnode);
4670 
4671 		releasef(fd);
4672 
4673 		return;
4674 
4675 	default:
4676 		break;
4677 
4678 	}
4679 
4680 	releasef(fd);
4681 
4682 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4683 
4684 	if (add_sock_token == 0) {
4685 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4686 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4687 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4688 		return;
4689 	}
4690 
4691 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4692 
4693 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4694 
4695 }
4696 
4697 /*
4698  * XXX socket(2) may be equivalent to open(2) on a unix domain
4699  * socket. This needs investigation.
4700  */
4701 
4702 /*ARGSUSED*/
4703 static void
4704 aus_socket(struct t_audit_data *tad)
4705 {
4706 	struct a {
4707 		long	domain;
4708 		long	type;
4709 		long	protocol;
4710 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4711 
4712 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4713 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4714 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4715 }
4716 
4717 /*ARGSUSED*/
4718 static void
4719 aus_sigqueue(struct t_audit_data *tad)
4720 {
4721 	struct a {
4722 		long	pid;
4723 		long	signo;
4724 		long	*val;
4725 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4726 	struct proc *p;
4727 	uid_t uid, ruid;
4728 	gid_t gid, rgid;
4729 	pid_t pid;
4730 	const auditinfo_addr_t *ainfo;
4731 	cred_t *cr;
4732 
4733 	pid = (pid_t)uap->pid;
4734 
4735 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4736 	if (pid > 0) {
4737 		mutex_enter(&pidlock);
4738 		if ((p = prfind(pid)) == (struct proc *)0) {
4739 			mutex_exit(&pidlock);
4740 			return;
4741 		}
4742 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4743 		mutex_exit(&pidlock);
4744 
4745 		mutex_enter(&p->p_crlock);
4746 		crhold(cr = p->p_cred);
4747 		mutex_exit(&p->p_crlock);
4748 		mutex_exit(&p->p_lock);
4749 
4750 		ainfo = crgetauinfo(cr);
4751 		if (ainfo == NULL) {
4752 			crfree(cr);
4753 			return;
4754 		}
4755 
4756 		uid  = crgetuid(cr);
4757 		gid  = crgetgid(cr);
4758 		ruid = crgetruid(cr);
4759 		rgid = crgetrgid(cr);
4760 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4761 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4762 		crfree(cr);
4763 	}
4764 	else
4765 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4766 }
4767 
4768 /*ARGSUSED*/
4769 static void
4770 aus_inst_sync(struct t_audit_data *tad)
4771 {
4772 	struct a {
4773 		long	name;	/* char */
4774 		long	flags;
4775 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4776 
4777 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4778 }
4779 
4780 /*ARGSUSED*/
4781 static void
4782 aus_brandsys(struct t_audit_data *tad)
4783 {
4784 	klwp_t *clwp = ttolwp(curthread);
4785 
4786 	struct a {
4787 		long	cmd;
4788 		long	arg1;
4789 		long	arg2;
4790 		long	arg3;
4791 		long	arg4;
4792 		long	arg5;
4793 		long	arg6;
4794 	} *uap = (struct a *)clwp->lwp_ap;
4795 
4796 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4797 #ifdef _LP64
4798 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4799 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4800 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4801 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4802 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4803 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4804 #else
4805 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4806 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4807 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4808 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4809 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4810 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4811 #endif
4812 }
4813 
4814 /*ARGSUSED*/
4815 static void
4816 aus_p_online(struct t_audit_data *tad)
4817 {
4818 	struct a {
4819 		long	processor_id;
4820 		long	flag;
4821 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4822 
4823 	struct flags {
4824 			int	flag;
4825 			char	*cflag;
4826 	} aflags[6] = {
4827 			{ P_ONLINE, "P_ONLINE"},
4828 			{ P_OFFLINE, "P_OFFLINE"},
4829 			{ P_NOINTR, "P_NOINTR"},
4830 			{ P_SPARE, "P_SPARE"},
4831 			{ P_FAULTED, "P_FAULTED"},
4832 			{ P_STATUS, "P_STATUS"}
4833 	};
4834 	int i;
4835 	char *cflag;
4836 
4837 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4838 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4839 
4840 	for (i = 0; i < 6; i++) {
4841 		if (aflags[i].flag == uap->flag)
4842 			break;
4843 	}
4844 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4845 
4846 	au_uwrite(au_to_text(cflag));
4847 }
4848 
4849 /*ARGSUSED*/
4850 static void
4851 aus_processor_bind(struct t_audit_data *tad)
4852 {
4853 	struct a {
4854 		long	id_type;
4855 		long	id;
4856 		long	processor_id;
4857 		long	obind;
4858 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4859 
4860 	struct proc *p;
4861 	int lwpcnt;
4862 	uid_t uid, ruid;
4863 	gid_t gid, rgid;
4864 	pid_t pid;
4865 	const auditinfo_addr_t *ainfo;
4866 	cred_t *cr;
4867 
4868 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4869 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4870 	if (uap->processor_id == PBIND_NONE)
4871 		au_uwrite(au_to_text("PBIND_NONE"));
4872 	else
4873 		au_uwrite(au_to_arg32(3, "processor_id",
4874 		    (uint32_t)uap->processor_id));
4875 
4876 	switch (uap->id_type) {
4877 	case P_MYID:
4878 	case P_LWPID:
4879 		mutex_enter(&pidlock);
4880 		p = ttoproc(curthread);
4881 		if (p == NULL || p->p_as == &kas) {
4882 			mutex_exit(&pidlock);
4883 			return;
4884 		}
4885 		mutex_enter(&p->p_lock);
4886 		mutex_exit(&pidlock);
4887 		lwpcnt = p->p_lwpcnt;
4888 		pid  = p->p_pid;
4889 
4890 		mutex_enter(&p->p_crlock);
4891 		crhold(cr = p->p_cred);
4892 		mutex_exit(&p->p_crlock);
4893 		mutex_exit(&p->p_lock);
4894 
4895 		ainfo = crgetauinfo(cr);
4896 		if (ainfo == NULL) {
4897 			crfree(cr);
4898 			return;
4899 		}
4900 
4901 		uid  = crgetuid(cr);
4902 		gid  = crgetgid(cr);
4903 		ruid = crgetruid(cr);
4904 		rgid = crgetrgid(cr);
4905 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4906 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4907 		crfree(cr);
4908 		break;
4909 	case P_PID:
4910 		mutex_enter(&pidlock);
4911 		p = prfind(uap->id);
4912 		if (p == NULL || p->p_as == &kas) {
4913 			mutex_exit(&pidlock);
4914 			return;
4915 		}
4916 		mutex_enter(&p->p_lock);
4917 		mutex_exit(&pidlock);
4918 		lwpcnt = p->p_lwpcnt;
4919 		pid  = p->p_pid;
4920 
4921 		mutex_enter(&p->p_crlock);
4922 		crhold(cr = p->p_cred);
4923 		mutex_exit(&p->p_crlock);
4924 		mutex_exit(&p->p_lock);
4925 
4926 		ainfo = crgetauinfo(cr);
4927 		if (ainfo == NULL) {
4928 			crfree(cr);
4929 			return;
4930 		}
4931 
4932 		uid  = crgetuid(cr);
4933 		gid  = crgetgid(cr);
4934 		ruid = crgetruid(cr);
4935 		rgid = crgetrgid(cr);
4936 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4937 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4938 		crfree(cr);
4939 
4940 		break;
4941 	default:
4942 		return;
4943 	}
4944 
4945 	if (uap->processor_id == PBIND_NONE &&
4946 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4947 		au_uwrite(au_to_text("PBIND_NONE for process"));
4948 	else
4949 		au_uwrite(au_to_arg32(3, "processor_id",
4950 		    (uint32_t)uap->processor_id));
4951 }
4952 
4953 /*ARGSUSED*/
4954 static au_event_t
4955 aui_doorfs(au_event_t e)
4956 {
4957 	uint32_t code;
4958 
4959 	struct a {		/* doorfs */
4960 		long	a1;
4961 		long	a2;
4962 		long	a3;
4963 		long	a4;
4964 		long	a5;
4965 		long	code;
4966 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4967 
4968 	/*
4969 	 *	audit formats for several of the
4970 	 *	door calls have not yet been determined
4971 	 */
4972 	code = (uint32_t)uap->code;
4973 	switch (code) {
4974 	case DOOR_CALL:
4975 		e = AUE_DOORFS_DOOR_CALL;
4976 		break;
4977 	case DOOR_RETURN:
4978 		e = AUE_NULL;
4979 		break;
4980 	case DOOR_CREATE:
4981 		e = AUE_DOORFS_DOOR_CREATE;
4982 		break;
4983 	case DOOR_REVOKE:
4984 		e = AUE_DOORFS_DOOR_REVOKE;
4985 		break;
4986 	case DOOR_INFO:
4987 		e = AUE_NULL;
4988 		break;
4989 	case DOOR_UCRED:
4990 		e = AUE_NULL;
4991 		break;
4992 	case DOOR_BIND:
4993 		e = AUE_NULL;
4994 		break;
4995 	case DOOR_UNBIND:
4996 		e = AUE_NULL;
4997 		break;
4998 	case DOOR_GETPARAM:
4999 		e = AUE_NULL;
5000 		break;
5001 	case DOOR_SETPARAM:
5002 		e = AUE_NULL;
5003 		break;
5004 	default:	/* illegal system call */
5005 		e = AUE_NULL;
5006 		break;
5007 	}
5008 
5009 	return (e);
5010 }
5011 
5012 static door_node_t *
5013 au_door_lookup(int did)
5014 {
5015 	vnode_t	*vp;
5016 	file_t *fp;
5017 
5018 	if ((fp = getf(did)) == NULL)
5019 		return (NULL);
5020 	/*
5021 	 * Use the underlying vnode (we may be namefs mounted)
5022 	 */
5023 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5024 		vp = fp->f_vnode;
5025 
5026 	if (vp == NULL || vp->v_type != VDOOR) {
5027 		releasef(did);
5028 		return (NULL);
5029 	}
5030 
5031 	return (VTOD(vp));
5032 }
5033 
5034 /*ARGSUSED*/
5035 static void
5036 aus_doorfs(struct t_audit_data *tad)
5037 {
5038 
5039 	struct a {		/* doorfs */
5040 		long	a1;
5041 		long	a2;
5042 		long	a3;
5043 		long	a4;
5044 		long	a5;
5045 		long	code;
5046 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5047 
5048 	door_node_t	*dp;
5049 	struct proc	*p;
5050 	uint32_t	did;
5051 	uid_t uid, ruid;
5052 	gid_t gid, rgid;
5053 	pid_t pid;
5054 	const auditinfo_addr_t *ainfo;
5055 	cred_t *cr;
5056 
5057 	did = (uint32_t)uap->a1;
5058 
5059 	switch (tad->tad_event) {
5060 	case AUE_DOORFS_DOOR_CALL:
5061 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5062 		if ((dp = au_door_lookup(did)) == NULL)
5063 			break;
5064 
5065 		if (DOOR_INVALID(dp)) {
5066 			releasef(did);
5067 			break;
5068 		}
5069 
5070 		if ((p = dp->door_target) == NULL) {
5071 			releasef(did);
5072 			break;
5073 		}
5074 		mutex_enter(&p->p_lock);
5075 		releasef(did);
5076 
5077 		pid  = p->p_pid;
5078 
5079 		mutex_enter(&p->p_crlock);
5080 		crhold(cr = p->p_cred);
5081 		mutex_exit(&p->p_crlock);
5082 		mutex_exit(&p->p_lock);
5083 
5084 		ainfo = crgetauinfo(cr);
5085 		if (ainfo == NULL) {
5086 			crfree(cr);
5087 			return;
5088 		}
5089 		uid  = crgetuid(cr);
5090 		gid  = crgetgid(cr);
5091 		ruid = crgetruid(cr);
5092 		rgid = crgetrgid(cr);
5093 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5094 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5095 		crfree(cr);
5096 		break;
5097 	case AUE_DOORFS_DOOR_RETURN:
5098 		/*
5099 		 * We may want to write information about
5100 		 * all doors (if any) which will be copied
5101 		 * by this call to the user space
5102 		 */
5103 		break;
5104 	case AUE_DOORFS_DOOR_CREATE:
5105 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5106 		break;
5107 	case AUE_DOORFS_DOOR_REVOKE:
5108 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5109 		break;
5110 	case AUE_DOORFS_DOOR_INFO:
5111 		break;
5112 	case AUE_DOORFS_DOOR_CRED:
5113 		break;
5114 	case AUE_DOORFS_DOOR_BIND:
5115 		break;
5116 	case AUE_DOORFS_DOOR_UNBIND: {
5117 		break;
5118 	}
5119 	default:	/* illegal system call */
5120 		break;
5121 	}
5122 }
5123 
5124 /*ARGSUSED*/
5125 static au_event_t
5126 aui_acl(au_event_t e)
5127 {
5128 	struct a {
5129 		union {
5130 			long	name;	/* char */
5131 			long	fd;
5132 		}		obj;
5133 
5134 		long		cmd;
5135 		long		nentries;
5136 		long		arg;	/* aclent_t */
5137 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5138 
5139 	switch (uap->cmd) {
5140 	case SETACL:
5141 	case ACE_SETACL:
5142 		/*
5143 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5144 		 * are expected.
5145 		 */
5146 		break;
5147 	case GETACL:
5148 	case GETACLCNT:
5149 	case ACE_GETACLCNT:
5150 		/* do nothing for these two values. */
5151 		e = AUE_NULL;
5152 		break;
5153 	default:
5154 		/* illegal system call */
5155 		break;
5156 	}
5157 
5158 	return (e);
5159 }
5160 
5161 static void
5162 au_acl(int cmd, int nentries, caddr_t bufp)
5163 {
5164 	size_t		a_size;
5165 	aclent_t	*aclbufp;
5166 	ace_t		*acebufp;
5167 	int		i;
5168 
5169 	switch (cmd) {
5170 	case GETACL:
5171 	case GETACLCNT:
5172 		break;
5173 	case SETACL:
5174 		if (nentries < 3)
5175 			break;
5176 
5177 		a_size = nentries * sizeof (aclent_t);
5178 
5179 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5180 			break;
5181 		if (copyin(bufp, aclbufp, a_size)) {
5182 			kmem_free(aclbufp, a_size);
5183 			break;
5184 		}
5185 		for (i = 0; i < nentries; i++) {
5186 			au_uwrite(au_to_acl(aclbufp + i));
5187 		}
5188 		kmem_free(aclbufp, a_size);
5189 		break;
5190 
5191 	case ACE_SETACL:
5192 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5193 			break;
5194 
5195 		a_size = nentries * sizeof (ace_t);
5196 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5197 			break;
5198 		if (copyin(bufp, acebufp, a_size)) {
5199 			kmem_free(acebufp, a_size);
5200 			break;
5201 		}
5202 		for (i = 0; i < nentries; i++) {
5203 			au_uwrite(au_to_ace(acebufp + i));
5204 		}
5205 		kmem_free(acebufp, a_size);
5206 		break;
5207 	default:
5208 		break;
5209 	}
5210 }
5211 
5212 /*ARGSUSED*/
5213 static void
5214 aus_acl(struct t_audit_data *tad)
5215 {
5216 	struct a {
5217 		long	fname;
5218 		long	cmd;
5219 		long	nentries;
5220 		long	aclbufp;
5221 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5222 
5223 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5224 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5225 
5226 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5227 }
5228 
5229 /*ARGSUSED*/
5230 static void
5231 aus_facl(struct t_audit_data *tad)
5232 {
5233 	struct a {
5234 		long	fd;
5235 		long	cmd;
5236 		long	nentries;
5237 		long	aclbufp;
5238 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5239 	struct file  *fp;
5240 	struct vnode *vp;
5241 	struct f_audit_data *fad;
5242 	int fd;
5243 
5244 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5245 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5246 
5247 	fd = (int)uap->fd;
5248 
5249 	if ((fp = getf(fd)) == NULL)
5250 		return;
5251 
5252 	/* get path from file struct here */
5253 	fad = F2A(fp);
5254 	if (fad->fad_aupath != NULL) {
5255 		au_uwrite(au_to_path(fad->fad_aupath));
5256 	} else {
5257 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5258 	}
5259 
5260 	vp = fp->f_vnode;
5261 	audit_attributes(vp);
5262 
5263 	/* decrement file descriptor reference count */
5264 	releasef(fd);
5265 
5266 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5267 }
5268 
5269 /*ARGSUSED*/
5270 static void
5271 auf_read(tad, error, rval)
5272 	struct t_audit_data *tad;
5273 	int error;
5274 	rval_t *rval;
5275 {
5276 	struct file *fp;
5277 	struct f_audit_data *fad;
5278 	int fd;
5279 	register struct a {
5280 		long	fd;
5281 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5282 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5283 
5284 	fd = (int)uap->fd;
5285 
5286 	/*
5287 	 * convert file pointer to file descriptor
5288 	 *   Note: fd ref count incremented here.
5289 	 */
5290 	if ((fp = getf(fd)) == NULL)
5291 		return;
5292 
5293 	/* get path from file struct here */
5294 	fad = F2A(fp);
5295 	ASSERT(fad);
5296 
5297 	/*
5298 	 * already processed this file for read attempt
5299 	 *
5300 	 * XXX might be better to turn off auditing in a aui_read() routine.
5301 	 */
5302 	if (fad->fad_flags & FAD_READ) {
5303 		/* don't really want to audit every read attempt */
5304 		tad->tad_flag = 0;
5305 		/* free any residual audit data */
5306 		au_close(kctx, &(u_ad), 0, 0, 0);
5307 		releasef(fd);
5308 		return;
5309 	}
5310 	/* mark things so we know what happened and don't repeat things */
5311 	fad->fad_flags |= FAD_READ;
5312 
5313 	if (fad->fad_aupath != NULL) {
5314 		au_uwrite(au_to_path(fad->fad_aupath));
5315 	} else {
5316 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5317 	}
5318 
5319 	/* include attributes */
5320 	audit_attributes(fp->f_vnode);
5321 
5322 	/* decrement file descriptor reference count */
5323 	releasef(fd);
5324 }
5325 
5326 /*ARGSUSED*/
5327 static void
5328 auf_write(tad, error, rval)
5329 	struct t_audit_data *tad;
5330 	int error;
5331 	rval_t *rval;
5332 {
5333 	struct file *fp;
5334 	struct f_audit_data *fad;
5335 	int fd;
5336 	register struct a {
5337 		long	fd;
5338 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5339 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5340 
5341 	fd = (int)uap->fd;
5342 
5343 	/*
5344 	 * convert file pointer to file descriptor
5345 	 *   Note: fd ref count incremented here.
5346 	 */
5347 	if ((fp = getf(fd)) == NULL)
5348 		return;
5349 
5350 	/* get path from file struct here */
5351 	fad = F2A(fp);
5352 	ASSERT(fad);
5353 
5354 	/*
5355 	 * already processed this file for write attempt
5356 	 *
5357 	 * XXX might be better to turn off auditing in a aus_write() routine.
5358 	 */
5359 	if (fad->fad_flags & FAD_WRITE) {
5360 		/* don't really want to audit every write attempt */
5361 		tad->tad_flag = 0;
5362 		/* free any residual audit data */
5363 		au_close(kctx, &(u_ad), 0, 0, 0);
5364 		releasef(fd);
5365 		return;
5366 	}
5367 	/* mark things so we know what happened and don't repeat things */
5368 	fad->fad_flags |= FAD_WRITE;
5369 
5370 	if (fad->fad_aupath != NULL) {
5371 		au_uwrite(au_to_path(fad->fad_aupath));
5372 	} else {
5373 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5374 	}
5375 
5376 	/* include attributes */
5377 	audit_attributes(fp->f_vnode);
5378 
5379 	/* decrement file descriptor reference count */
5380 	releasef(fd);
5381 }
5382 
5383 /*ARGSUSED*/
5384 static void
5385 auf_recv(tad, error, rval)
5386 	struct t_audit_data *tad;
5387 	int error;
5388 	rval_t *rval;
5389 {
5390 	struct sonode *so;
5391 	char so_laddr[sizeof (struct sockaddr_in6)];
5392 	char so_faddr[sizeof (struct sockaddr_in6)];
5393 	struct file *fp;
5394 	struct f_audit_data *fad;
5395 	int fd;
5396 	int err;
5397 	int len;
5398 	short so_family, so_type;
5399 	register struct a {
5400 		long	fd;
5401 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5402 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5403 
5404 	/*
5405 	 * If there was an error, then nothing to do. Only generate
5406 	 * audit record on first successful recv.
5407 	 */
5408 	if (error) {
5409 		/* Turn off audit record generation here. */
5410 		tad->tad_flag = 0;
5411 		/* free any residual audit data */
5412 		au_close(kctx, &(u_ad), 0, 0, 0);
5413 		return;
5414 	}
5415 
5416 	fd = (int)uap->fd;
5417 
5418 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5419 		/* Turn off audit record generation here. */
5420 		tad->tad_flag = 0;
5421 		/* free any residual audit data */
5422 		au_close(kctx, &(u_ad), 0, 0, 0);
5423 		return;
5424 	}
5425 
5426 	/* get path from file struct here */
5427 	fad = F2A(fp);
5428 	ASSERT(fad);
5429 
5430 	/*
5431 	 * already processed this file for read attempt
5432 	 */
5433 	if (fad->fad_flags & FAD_READ) {
5434 		releasef(fd);
5435 		/* don't really want to audit every recv call */
5436 		tad->tad_flag = 0;
5437 		/* free any residual audit data */
5438 		au_close(kctx, &(u_ad), 0, 0, 0);
5439 		return;
5440 	}
5441 
5442 	/* mark things so we know what happened and don't repeat things */
5443 	fad->fad_flags |= FAD_READ;
5444 
5445 	so_family = so->so_family;
5446 	so_type   = so->so_type;
5447 
5448 	switch (so_family) {
5449 	case AF_INET:
5450 	case AF_INET6:
5451 		/*
5452 		 * Only for connections.
5453 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5454 		 */
5455 		if (so->so_state & SS_ISBOUND) {
5456 
5457 			bzero((void *)so_laddr, sizeof (so_laddr));
5458 			bzero((void *)so_faddr, sizeof (so_faddr));
5459 
5460 			/* only done once on a connection */
5461 			(void) SOP_GETSOCKNAME(so);
5462 			(void) SOP_GETPEERNAME(so);
5463 
5464 			/* get local and foreign addresses */
5465 			mutex_enter(&so->so_lock);
5466 			len = min(so->so_laddr_len, sizeof (so_laddr));
5467 			bcopy(so->so_laddr_sa, so_laddr, len);
5468 			len = min(so->so_faddr_len, sizeof (so_faddr));
5469 			bcopy(so->so_faddr_sa, so_faddr, len);
5470 			mutex_exit(&so->so_lock);
5471 
5472 			/*
5473 			 * only way to drop out of switch. Note that we
5474 			 * we release fd below.
5475 			 */
5476 
5477 			break;
5478 		}
5479 
5480 		releasef(fd);
5481 
5482 		/* don't really want to audit every recv call */
5483 		tad->tad_flag = 0;
5484 		/* free any residual audit data */
5485 		au_close(kctx, &(u_ad), 0, 0, 0);
5486 
5487 		return;
5488 
5489 	case AF_UNIX:
5490 
5491 		if (fad->fad_aupath != NULL) {
5492 			au_uwrite(au_to_path(fad->fad_aupath));
5493 		} else {
5494 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5495 		}
5496 
5497 		audit_attributes(fp->f_vnode);
5498 
5499 		releasef(fd);
5500 
5501 		return;
5502 
5503 	default:
5504 		releasef(fd);
5505 
5506 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5507 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5508 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5509 
5510 		return;
5511 	}
5512 
5513 	releasef(fd);
5514 
5515 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5516 
5517 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5518 
5519 }
5520 
5521 /*ARGSUSED*/
5522 static void
5523 auf_send(tad, error, rval)
5524 	struct t_audit_data *tad;
5525 	int error;
5526 	rval_t *rval;
5527 {
5528 	struct sonode *so;
5529 	char so_laddr[sizeof (struct sockaddr_in6)];
5530 	char so_faddr[sizeof (struct sockaddr_in6)];
5531 	struct file *fp;
5532 	struct f_audit_data *fad;
5533 	int fd;
5534 	int err;
5535 	int len;
5536 	short so_family, so_type;
5537 	register struct a {
5538 		long	fd;
5539 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5540 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5541 
5542 	fd = (int)uap->fd;
5543 
5544 	/*
5545 	 * If there was an error, then nothing to do. Only generate
5546 	 * audit record on first successful send.
5547 	 */
5548 	if (error != 0) {
5549 		/* Turn off audit record generation here. */
5550 		tad->tad_flag = 0;
5551 		/* free any residual audit data */
5552 		au_close(kctx, &(u_ad), 0, 0, 0);
5553 		return;
5554 	}
5555 
5556 	fd = (int)uap->fd;
5557 
5558 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5559 		/* Turn off audit record generation here. */
5560 		tad->tad_flag = 0;
5561 		/* free any residual audit data */
5562 		au_close(kctx, &(u_ad), 0, 0, 0);
5563 		return;
5564 	}
5565 
5566 	/* get path from file struct here */
5567 	fad = F2A(fp);
5568 	ASSERT(fad);
5569 
5570 	/*
5571 	 * already processed this file for write attempt
5572 	 */
5573 	if (fad->fad_flags & FAD_WRITE) {
5574 		releasef(fd);
5575 		/* don't really want to audit every send call */
5576 		tad->tad_flag = 0;
5577 		/* free any residual audit data */
5578 		au_close(kctx, &(u_ad), 0, 0, 0);
5579 		return;
5580 	}
5581 
5582 	/* mark things so we know what happened and don't repeat things */
5583 	fad->fad_flags |= FAD_WRITE;
5584 
5585 	so_family = so->so_family;
5586 	so_type   = so->so_type;
5587 
5588 	switch (so_family) {
5589 	case AF_INET:
5590 	case AF_INET6:
5591 		/*
5592 		 * Only for connections.
5593 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5594 		 */
5595 		if (so->so_state & SS_ISBOUND) {
5596 
5597 			bzero((void *)so_laddr, sizeof (so_laddr));
5598 			bzero((void *)so_faddr, sizeof (so_faddr));
5599 
5600 			/* only done once on a connection */
5601 			(void) SOP_GETSOCKNAME(so);
5602 			(void) SOP_GETPEERNAME(so);
5603 
5604 			/* get local and foreign addresses */
5605 			mutex_enter(&so->so_lock);
5606 			len = min(so->so_laddr_len, sizeof (so_laddr));
5607 			bcopy(so->so_laddr_sa, so_laddr, len);
5608 			len = min(so->so_faddr_len, sizeof (so_faddr));
5609 			bcopy(so->so_faddr_sa, so_faddr, len);
5610 			mutex_exit(&so->so_lock);
5611 
5612 			/*
5613 			 * only way to drop out of switch. Note that we
5614 			 * we release fd below.
5615 			 */
5616 
5617 			break;
5618 		}
5619 
5620 		releasef(fd);
5621 		/* don't really want to audit every send call */
5622 		tad->tad_flag = 0;
5623 		/* free any residual audit data */
5624 		au_close(kctx, &(u_ad), 0, 0, 0);
5625 
5626 		return;
5627 
5628 	case AF_UNIX:
5629 
5630 		if (fad->fad_aupath != NULL) {
5631 			au_uwrite(au_to_path(fad->fad_aupath));
5632 		} else {
5633 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5634 		}
5635 
5636 		audit_attributes(fp->f_vnode);
5637 
5638 		releasef(fd);
5639 
5640 		return;
5641 
5642 	default:
5643 		releasef(fd);
5644 
5645 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5646 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5647 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5648 
5649 		return;
5650 	}
5651 
5652 	releasef(fd);
5653 
5654 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5655 
5656 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5657 }
5658 
5659 static au_event_t
5660 aui_forksys(au_event_t e)
5661 {
5662 	struct a {
5663 		long	subcode;
5664 		long	flags;
5665 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5666 
5667 	switch ((uint_t)uap->subcode) {
5668 	case 0:
5669 		e = AUE_FORK1;
5670 		break;
5671 	case 1:
5672 		e = AUE_FORKALL;
5673 		break;
5674 	case 2:
5675 		e = AUE_VFORK;
5676 		break;
5677 	default:
5678 		e = AUE_NULL;
5679 		break;
5680 	}
5681 
5682 	return (e);
5683 }
5684 
5685 /*ARGSUSED*/
5686 static au_event_t
5687 aui_portfs(au_event_t e)
5688 {
5689 	struct a {		/* portfs */
5690 		long	a1;
5691 		long	a2;
5692 		long	a3;
5693 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5694 
5695 	/*
5696 	 * check opcode
5697 	 */
5698 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5699 	case PORT_ASSOCIATE:
5700 	case PORT_DISSOCIATE:
5701 		/*
5702 		 * check source
5703 		 */
5704 		if ((uint_t)uap->a3 == PORT_SOURCE_FILE) {
5705 			e = AUE_PORTFS;
5706 		} else {
5707 			e = AUE_NULL;
5708 		}
5709 		break;
5710 	default:
5711 		e = AUE_NULL;
5712 	}
5713 	return (e);
5714 }
5715