1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved. 24 */ 25 26 /* 27 * This file contains the audit event table used to control the production 28 * of audit records for each system call. 29 */ 30 31 #include <sys/policy.h> 32 #include <sys/cred.h> 33 #include <sys/types.h> 34 #include <sys/systm.h> 35 #include <sys/systeminfo.h> /* for sysinfo auditing */ 36 #include <sys/utsname.h> /* for sysinfo auditing */ 37 #include <sys/proc.h> 38 #include <sys/vnode.h> 39 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 40 #include <sys/fcntl.h> 41 #include <sys/modctl.h> /* for modctl auditing */ 42 #include <sys/vnode.h> 43 #include <sys/user.h> 44 #include <sys/types.h> 45 #include <sys/processor.h> 46 #include <sys/procset.h> 47 #include <sys/acl.h> 48 #include <sys/ipc.h> 49 #include <sys/door.h> 50 #include <sys/sem.h> 51 #include <sys/msg.h> 52 #include <sys/shm.h> 53 #include <sys/kmem.h> 54 #include <sys/file.h> /* for accept */ 55 #include <sys/utssys.h> /* for fuser */ 56 #include <sys/tsol/label.h> 57 #include <sys/tsol/tndb.h> 58 #include <sys/tsol/tsyscall.h> 59 #include <c2/audit.h> 60 #include <c2/audit_kernel.h> 61 #include <c2/audit_kevents.h> 62 #include <c2/audit_record.h> 63 #include <sys/procset.h> 64 #include <nfs/mount.h> 65 #include <sys/param.h> 66 #include <sys/debug.h> 67 #include <sys/sysmacros.h> 68 #include <sys/stream.h> 69 #include <sys/strsubr.h> 70 #include <sys/stropts.h> 71 #include <sys/tihdr.h> 72 #include <sys/socket.h> 73 #include <sys/socketvar.h> 74 #include <sys/vfs_opreg.h> 75 #include <fs/sockfs/sockcommon.h> 76 #include <netinet/in.h> 77 #include <sys/ddi.h> 78 #include <sys/port_impl.h> 79 80 81 char _depends_on[] = "fs/sockfs"; 82 83 static au_event_t aui_fchownat(au_event_t); 84 static au_event_t aui_fchmodat(au_event_t); 85 static au_event_t aui_open(au_event_t); 86 static au_event_t aui_openat(au_event_t); 87 static au_event_t aui_unlinkat(au_event_t); 88 static au_event_t aui_fstatat(au_event_t); 89 static au_event_t aui_msgsys(au_event_t); 90 static au_event_t aui_shmsys(au_event_t); 91 static au_event_t aui_semsys(au_event_t); 92 static au_event_t aui_utssys(au_event_t); 93 static au_event_t aui_fcntl(au_event_t); 94 static au_event_t aui_execve(au_event_t); 95 static au_event_t aui_memcntl(au_event_t); 96 static au_event_t aui_sysinfo(au_event_t); 97 static au_event_t aui_portfs(au_event_t); 98 static au_event_t aui_auditsys(au_event_t); 99 static au_event_t aui_modctl(au_event_t); 100 static au_event_t aui_acl(au_event_t); 101 static au_event_t aui_doorfs(au_event_t); 102 static au_event_t aui_privsys(au_event_t); 103 static au_event_t aui_forksys(au_event_t); 104 static au_event_t aui_labelsys(au_event_t); 105 static au_event_t aui_setpgrp(au_event_t); 106 107 static void aus_exit(struct t_audit_data *); 108 static void aus_open(struct t_audit_data *); 109 static void aus_openat(struct t_audit_data *); 110 static void aus_acl(struct t_audit_data *); 111 static void aus_acct(struct t_audit_data *); 112 static void aus_chown(struct t_audit_data *); 113 static void aus_fchown(struct t_audit_data *); 114 static void aus_lchown(struct t_audit_data *); 115 static void aus_fchownat(struct t_audit_data *); 116 static void aus_chmod(struct t_audit_data *); 117 static void aus_facl(struct t_audit_data *); 118 static void aus_fchmod(struct t_audit_data *); 119 static void aus_fchmodat(struct t_audit_data *); 120 static void aus_fcntl(struct t_audit_data *); 121 static void aus_mkdir(struct t_audit_data *); 122 static void aus_mkdirat(struct t_audit_data *); 123 static void aus_mknod(struct t_audit_data *); 124 static void aus_mknodat(struct t_audit_data *); 125 static void aus_mount(struct t_audit_data *); 126 static void aus_umount2(struct t_audit_data *); 127 static void aus_msgsys(struct t_audit_data *); 128 static void aus_semsys(struct t_audit_data *); 129 static void aus_close(struct t_audit_data *); 130 static void aus_fstatfs(struct t_audit_data *); 131 static void aus_setgid(struct t_audit_data *); 132 static void aus_setpgrp(struct t_audit_data *); 133 static void aus_setuid(struct t_audit_data *); 134 static void aus_shmsys(struct t_audit_data *); 135 static void aus_doorfs(struct t_audit_data *); 136 static void aus_ioctl(struct t_audit_data *); 137 static void aus_memcntl(struct t_audit_data *); 138 static void aus_mmap(struct t_audit_data *); 139 static void aus_munmap(struct t_audit_data *); 140 static void aus_priocntlsys(struct t_audit_data *); 141 static void aus_setegid(struct t_audit_data *); 142 static void aus_setgroups(struct t_audit_data *); 143 static void aus_seteuid(struct t_audit_data *); 144 static void aus_putmsg(struct t_audit_data *); 145 static void aus_putpmsg(struct t_audit_data *); 146 static void aus_getmsg(struct t_audit_data *); 147 static void aus_getpmsg(struct t_audit_data *); 148 static void aus_auditsys(struct t_audit_data *); 149 static void aus_sysinfo(struct t_audit_data *); 150 static void aus_modctl(struct t_audit_data *); 151 static void aus_kill(struct t_audit_data *); 152 static void aus_setregid(struct t_audit_data *); 153 static void aus_setreuid(struct t_audit_data *); 154 static void aus_labelsys(struct t_audit_data *); 155 156 static void auf_mknod(struct t_audit_data *, int, rval_t *); 157 static void auf_mknodat(struct t_audit_data *, int, rval_t *); 158 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 159 static void auf_semsys(struct t_audit_data *, int, rval_t *); 160 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 161 static void auf_read(struct t_audit_data *, int, rval_t *); 162 static void auf_write(struct t_audit_data *, int, rval_t *); 163 164 static void aus_sigqueue(struct t_audit_data *); 165 static void aus_p_online(struct t_audit_data *); 166 static void aus_processor_bind(struct t_audit_data *); 167 static void aus_inst_sync(struct t_audit_data *); 168 static void aus_brandsys(struct t_audit_data *); 169 170 static void auf_accept(struct t_audit_data *, int, rval_t *); 171 172 static void auf_bind(struct t_audit_data *, int, rval_t *); 173 static void auf_connect(struct t_audit_data *, int, rval_t *); 174 static void aus_shutdown(struct t_audit_data *); 175 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 176 static void aus_sockconfig(struct t_audit_data *); 177 static void auf_recv(struct t_audit_data *, int, rval_t *); 178 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 179 static void auf_send(struct t_audit_data *, int, rval_t *); 180 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 181 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 182 static void auf_sendto(struct t_audit_data *, int, rval_t *); 183 static void aus_socket(struct t_audit_data *); 184 /* 185 * This table contains mapping information for converting system call numbers 186 * to audit event IDs. In several cases it is necessary to map a single system 187 * call to several events. 188 */ 189 190 #define aui_null NULL /* NULL initialize function */ 191 #define aus_null NULL /* NULL start function */ 192 #define auf_null NULL /* NULL finish function */ 193 194 struct audit_s2e audit_s2e[] = 195 { 196 /* 197 * ---------- ---------- ---------- ---------- 198 * INITIAL AUDIT START SYSTEM 199 * PROCESSING EVENT PROCESSING CALL 200 * ---------- ---------- ---------- ----------- 201 * FINISH EVENT 202 * PROCESSING CONTROL 203 * ---------------------------------------------------------- 204 */ 205 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 206 auf_null, 0, 207 aui_null, AUE_EXIT, aus_exit, /* 1 exit */ 208 auf_null, S2E_NPT, 209 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */ 210 auf_null, 0, 211 aui_null, AUE_READ, aus_null, /* 3 read */ 212 auf_read, S2E_PUB, 213 aui_null, AUE_WRITE, aus_null, /* 4 write */ 214 auf_write, 0, 215 aui_open, AUE_OPEN, aus_open, /* 5 open */ 216 auf_null, S2E_SP, 217 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 218 auf_null, 0, 219 aui_null, AUE_LINK, aus_null, /* 7 linkat */ 220 auf_null, 0, 221 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */ 222 auf_null, 0, 223 aui_null, AUE_LINK, aus_null, /* 9 link */ 224 auf_null, 0, 225 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 226 auf_null, 0, 227 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */ 228 auf_null, 0, 229 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 230 auf_null, S2E_SP, 231 aui_null, AUE_NULL, aus_null, /* 13 time */ 232 auf_null, 0, 233 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 234 auf_mknod, S2E_MLD, 235 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 236 auf_null, 0, 237 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 238 auf_null, 0, 239 aui_null, AUE_NULL, aus_null, /* 17 brk */ 240 auf_null, 0, 241 aui_null, AUE_STAT, aus_null, /* 18 stat */ 242 auf_null, S2E_PUB, 243 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 244 auf_null, 0, 245 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 246 auf_null, 0, 247 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 248 auf_null, S2E_MLD, 249 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */ 250 auf_null, S2E_PUB, 251 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 254 auf_null, 0, 255 aui_null, AUE_STIME, aus_null, /* 25 stime */ 256 auf_null, 0, 257 aui_null, AUE_NULL, aus_null, /* 26 pcsample */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 262 auf_null, 0, 263 aui_null, AUE_NULL, aus_null, /* 29 pause */ 264 auf_null, 0, 265 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */ 266 auf_null, 0, 267 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 268 auf_null, 0, 269 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 270 auf_null, 0, 271 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 272 auf_null, S2E_PUB, 273 aui_null, AUE_NICE, aus_null, /* 34 nice */ 274 auf_null, 0, 275 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 276 auf_null, S2E_PUB, 277 aui_null, AUE_NULL, aus_null, /* 36 sync */ 278 auf_null, 0, 279 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 280 auf_null, 0, 281 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 282 auf_null, S2E_PUB, 283 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */ 288 auf_null, 0, 289 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */ 290 auf_null, 0, 291 aui_null, AUE_NULL, aus_null, /* 43 times */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 44 profil */ 294 auf_null, 0, 295 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */ 296 auf_null, S2E_PUB, 297 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 298 auf_null, 0, 299 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 300 auf_null, 0, 301 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */ 302 auf_mknodat, S2E_MLD, 303 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */ 304 auf_msgsys, 0, 305 #if defined(__x86) 306 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 307 auf_null, 0, 308 #else 309 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 310 auf_null, 0, 311 #endif /* __x86 */ 312 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */ 313 auf_null, 0, 314 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */ 315 auf_shmsys, 0, 316 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */ 317 auf_semsys, 0, 318 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 319 auf_null, 0, 320 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 321 auf_null, 0, 322 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */ 323 auf_null, 0, 324 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 325 auf_null, 0, 326 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 327 auf_null, 0, 328 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 329 auf_null, S2E_MLD, 330 aui_null, AUE_NULL, aus_null, /* 60 umask */ 331 auf_null, 0, 332 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 333 auf_null, S2E_SP, 334 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 337 auf_null, 0, 338 aui_null, AUE_RENAME, aus_null, /* 64 renameat */ 339 auf_null, 0, 340 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */ 341 auf_null, 0, 342 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */ 343 auf_null, S2E_PUB, 344 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */ 345 auf_null, S2E_PUB, 346 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */ 347 auf_null, S2E_SP, 348 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */ 349 auf_null, S2E_SP, 350 aui_null, AUE_NULL, aus_null, /* 70 tasksys */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */ 363 auf_null, 0, 364 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */ 365 auf_null, 0, 366 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */ 367 auf_null, 0, 368 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 369 auf_null, 0, 370 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 373 auf_null, 0, 374 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */ 377 auf_null, 0, 378 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 379 auf_null, 0, 380 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 381 auf_null, 0, 382 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 383 auf_null, 0, 384 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */ 385 auf_null, 0, 386 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 387 auf_null, S2E_PUB, 388 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 389 auf_null, 0, 390 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 391 auf_null, S2E_PUB, 392 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 393 auf_null, 0, 394 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 395 auf_null, 0, 396 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 397 auf_null, 0, 398 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 411 auf_null, 0, 412 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */ 413 auf_null, 0, 414 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */ 415 auf_null, 0, 416 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 417 auf_null, S2E_PUB, 418 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 107 waitsys */ 425 auf_null, 0, 426 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */ 427 auf_null, 0, 428 #if defined(__x86) 429 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 430 auf_null, 0, 431 #else 432 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 433 auf_null, 0, 434 #endif /* __x86 */ 435 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */ 436 auf_null, 0, 437 aui_null, AUE_NULL, aus_null, /* 111 sigresend */ 438 auf_null, 0, 439 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */ 440 auf_null, 0, 441 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 442 auf_null, S2E_PUB, 443 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 444 auf_null, 0, 445 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 446 auf_null, 0, 447 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 448 auf_null, 0, 449 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 450 auf_null, 0, 451 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 452 auf_null, 0, 453 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 454 auf_null, 0, 455 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 456 auf_null, 0, 457 aui_null, AUE_READ, aus_null, /* 121 readv */ 458 auf_read, S2E_PUB, 459 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 460 auf_write, 0, 461 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */ 462 auf_null, 0, 463 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */ 464 auf_null, 0, 465 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */ 466 auf_null, 0, 467 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */ 468 auf_null, 0, 469 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */ 470 auf_null, 0, 471 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 472 auf_null, 0, 473 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 474 auf_null, 0, 475 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 476 auf_null, 0, 477 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 478 auf_null, 0, 479 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 480 auf_null, 0, 481 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 482 auf_null, 0, 483 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 484 auf_null, 0, 485 aui_null, AUE_NULL, aus_null, /* 135 uname */ 486 auf_null, 0, 487 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 488 auf_null, 0, 489 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 490 auf_null, 0, 491 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 492 auf_null, 0, 493 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 494 auf_null, 0, 495 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */ 496 auf_null, 0, 497 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 498 auf_null, 0, 499 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 146 yield */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */ 510 /* was lwp_sema_wait */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 515 auf_null, 0, 516 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */ 517 auf_null, 0, 518 aui_null, AUE_NULL, aus_null, /* 151 corectl */ 519 auf_null, 0, 520 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 521 auf_null, 0, 522 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */ 555 /* was lwp_mutex_lock */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 560 auf_null, 0, 561 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 562 auf_null, 0, 563 aui_null, AUE_READ, aus_null, /* 173 pread */ 564 auf_read, S2E_PUB, 565 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 566 auf_write, 0, 567 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 568 auf_null, 0, 569 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */ 570 auf_null, 0, 571 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */ 580 auf_null, 0, 581 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 582 auf_null, S2E_MLD, 583 aui_null, AUE_NULL, aus_null, /* 183 pollsys */ 584 auf_null, 0, 585 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 586 auf_null, 0, 587 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 588 auf_null, 0, 589 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 590 auf_null, 0, 591 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */ 592 auf_null, 0, 593 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 594 auf_null, 0, 595 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 600 auf_null, 0, 601 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 614 auf_null, 0, 615 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 616 auf_null, 0, 617 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 618 auf_null, 0, 619 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 620 auf_null, 0, 621 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 622 auf_null, 0, 623 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 642 auf_null, 0, 643 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */ 644 auf_null, 0, 645 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 646 auf_null, 0, 647 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 648 auf_null, S2E_PUB, 649 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 652 auf_null, 0, 653 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 654 auf_null, S2E_PUB, 655 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 656 auf_null, 0, 657 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 658 auf_null, 0, 659 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 660 auf_null, 0, 661 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 662 auf_read, S2E_PUB, 663 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 664 auf_write, 0, 665 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */ 666 auf_null, 0, 667 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 668 auf_null, S2E_SP, 669 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 227 zone */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 229 getcwd */ 676 auf_null, 0, 677 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 678 auf_null, 0, 679 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 680 auf_null, 0, 681 aui_null, AUE_BIND, aus_null, /* 232 bind */ 682 auf_bind, 0, 683 aui_null, AUE_NULL, aus_null, /* 233 listen */ 684 auf_null, 0, 685 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 686 auf_accept, 0, 687 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 688 auf_connect, 0, 689 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 690 auf_null, 0, 691 aui_null, AUE_READ, aus_null, /* 237 recv */ 692 auf_recv, 0, 693 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 694 auf_recvfrom, 0, 695 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 696 auf_recvmsg, 0, 697 aui_null, AUE_WRITE, aus_null, /* 240 send */ 698 auf_send, 0, 699 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 700 auf_sendmsg, 0, 701 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 702 auf_sendto, 0, 703 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 704 auf_null, 0, 705 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 708 auf_null, 0, 709 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 710 auf_setsockopt, 0, 711 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 714 auf_null, 0, 715 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 724 auf_null, 0, 725 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 726 auf_null, 0, 727 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 728 auf_null, 0 729 }; 730 731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 732 733 734 /* exit start function */ 735 /*ARGSUSED*/ 736 static void 737 aus_exit(struct t_audit_data *tad) 738 { 739 uint32_t rval; 740 struct a { 741 long rval; 742 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 743 744 rval = (uint32_t)uap->rval; 745 au_uwrite(au_to_arg32(1, "exit status", rval)); 746 } 747 748 /* acct start function */ 749 /*ARGSUSED*/ 750 static void 751 aus_acct(struct t_audit_data *tad) 752 { 753 klwp_t *clwp = ttolwp(curthread); 754 uintptr_t fname; 755 756 struct a { 757 long fname; /* char * */ 758 } *uap = (struct a *)clwp->lwp_ap; 759 760 fname = (uintptr_t)uap->fname; 761 762 if (fname == 0) 763 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 764 } 765 766 /* chown start function */ 767 /*ARGSUSED*/ 768 static void 769 aus_chown(struct t_audit_data *tad) 770 { 771 klwp_t *clwp = ttolwp(curthread); 772 uint32_t uid, gid; 773 774 struct a { 775 long fname; /* char * */ 776 long uid; 777 long gid; 778 } *uap = (struct a *)clwp->lwp_ap; 779 780 uid = (uint32_t)uap->uid; 781 gid = (uint32_t)uap->gid; 782 783 au_uwrite(au_to_arg32(2, "new file uid", uid)); 784 au_uwrite(au_to_arg32(3, "new file gid", gid)); 785 } 786 787 /* fchown start function */ 788 /*ARGSUSED*/ 789 static void 790 aus_fchown(struct t_audit_data *tad) 791 { 792 klwp_t *clwp = ttolwp(curthread); 793 uint32_t uid, gid, fd; 794 struct file *fp; 795 struct vnode *vp; 796 struct f_audit_data *fad; 797 798 struct a { 799 long fd; 800 long uid; 801 long gid; 802 } *uap = (struct a *)clwp->lwp_ap; 803 804 fd = (uint32_t)uap->fd; 805 uid = (uint32_t)uap->uid; 806 gid = (uint32_t)uap->gid; 807 808 au_uwrite(au_to_arg32(2, "new file uid", uid)); 809 au_uwrite(au_to_arg32(3, "new file gid", gid)); 810 811 /* 812 * convert file pointer to file descriptor 813 * Note: fd ref count incremented here. 814 */ 815 if ((fp = getf(fd)) == NULL) 816 return; 817 818 /* get path from file struct here */ 819 fad = F2A(fp); 820 if (fad->fad_aupath != NULL) { 821 au_uwrite(au_to_path(fad->fad_aupath)); 822 } else { 823 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 824 } 825 826 vp = fp->f_vnode; 827 audit_attributes(vp); 828 829 /* decrement file descriptor reference count */ 830 releasef(fd); 831 } 832 833 /*ARGSUSED*/ 834 static void 835 aus_lchown(struct t_audit_data *tad) 836 { 837 klwp_t *clwp = ttolwp(curthread); 838 uint32_t uid, gid; 839 840 841 struct a { 842 long fname; /* char * */ 843 long uid; 844 long gid; 845 } *uap = (struct a *)clwp->lwp_ap; 846 847 uid = (uint32_t)uap->uid; 848 gid = (uint32_t)uap->gid; 849 850 au_uwrite(au_to_arg32(2, "new file uid", uid)); 851 au_uwrite(au_to_arg32(3, "new file gid", gid)); 852 } 853 854 static au_event_t 855 aui_fchownat(au_event_t e) 856 { 857 klwp_t *clwp = ttolwp(curthread); 858 859 struct a { 860 long fd; 861 long fname; /* char * */ 862 long uid; 863 long gid; 864 long flags; 865 } *uap = (struct a *)clwp->lwp_ap; 866 867 if (uap->fname == NULL) 868 e = AUE_FCHOWN; 869 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 870 e = AUE_LCHOWN; 871 else 872 e = AUE_CHOWN; 873 874 return (e); 875 } 876 877 /*ARGSUSED*/ 878 static void 879 aus_fchownat(struct t_audit_data *tad) 880 { 881 klwp_t *clwp = ttolwp(curthread); 882 uint32_t uid, gid; 883 884 struct a { 885 long fd; 886 long fname; /* char * */ 887 long uid; 888 long gid; 889 long flags; 890 } *uap = (struct a *)clwp->lwp_ap; 891 892 uid = (uint32_t)uap->uid; 893 gid = (uint32_t)uap->gid; 894 895 au_uwrite(au_to_arg32(3, "new file uid", uid)); 896 au_uwrite(au_to_arg32(4, "new file gid", gid)); 897 } 898 899 /*ARGSUSED*/ 900 static void 901 aus_chmod(struct t_audit_data *tad) 902 { 903 klwp_t *clwp = ttolwp(curthread); 904 uint32_t fmode; 905 906 struct a { 907 long fname; /* char * */ 908 long fmode; 909 } *uap = (struct a *)clwp->lwp_ap; 910 911 fmode = (uint32_t)uap->fmode; 912 913 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 914 } 915 916 /*ARGSUSED*/ 917 static void 918 aus_fchmod(struct t_audit_data *tad) 919 { 920 klwp_t *clwp = ttolwp(curthread); 921 uint32_t fmode, fd; 922 struct file *fp; 923 struct vnode *vp; 924 struct f_audit_data *fad; 925 926 struct a { 927 long fd; 928 long fmode; 929 } *uap = (struct a *)clwp->lwp_ap; 930 931 fd = (uint32_t)uap->fd; 932 fmode = (uint32_t)uap->fmode; 933 934 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 935 936 /* 937 * convert file pointer to file descriptor 938 * Note: fd ref count incremented here. 939 */ 940 if ((fp = getf(fd)) == NULL) 941 return; 942 943 /* get path from file struct here */ 944 fad = F2A(fp); 945 if (fad->fad_aupath != NULL) { 946 au_uwrite(au_to_path(fad->fad_aupath)); 947 } else { 948 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 949 } 950 951 vp = fp->f_vnode; 952 audit_attributes(vp); 953 954 /* decrement file descriptor reference count */ 955 releasef(fd); 956 } 957 958 static au_event_t 959 aui_fchmodat(au_event_t e) 960 { 961 klwp_t *clwp = ttolwp(curthread); 962 963 struct a { 964 long fd; 965 long fname; /* char * */ 966 long fmode; 967 long flag; 968 } *uap = (struct a *)clwp->lwp_ap; 969 970 if (uap->fname == NULL) 971 e = AUE_FCHMOD; 972 else 973 e = AUE_CHMOD; 974 975 return (e); 976 } 977 978 /*ARGSUSED*/ 979 static void 980 aus_fchmodat(struct t_audit_data *tad) 981 { 982 klwp_t *clwp = ttolwp(curthread); 983 uint32_t fmode; 984 uint32_t fd; 985 struct file *fp; 986 struct vnode *vp; 987 struct f_audit_data *fad; 988 989 struct a { 990 long fd; 991 long fname; /* char * */ 992 long fmode; 993 long flag; 994 } *uap = (struct a *)clwp->lwp_ap; 995 996 fd = (uint32_t)uap->fd; 997 fmode = (uint32_t)uap->fmode; 998 999 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 1000 1001 if (fd == AT_FDCWD || uap->fname != NULL) /* same as chmod() */ 1002 return; 1003 1004 /* 1005 * convert file pointer to file descriptor 1006 * Note: fd ref count incremented here. 1007 */ 1008 if ((fp = getf(fd)) == NULL) 1009 return; 1010 1011 /* get path from file struct here */ 1012 fad = F2A(fp); 1013 if (fad->fad_aupath != NULL) { 1014 au_uwrite(au_to_path(fad->fad_aupath)); 1015 } else { 1016 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1017 } 1018 1019 vp = fp->f_vnode; 1020 audit_attributes(vp); 1021 1022 /* decrement file descriptor reference count */ 1023 releasef(fd); 1024 } 1025 1026 /* 1027 * convert open mode to appropriate open event 1028 */ 1029 au_event_t 1030 open_event(uint_t fm) 1031 { 1032 au_event_t e; 1033 1034 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) { 1035 case O_RDONLY: 1036 e = AUE_OPEN_R; 1037 break; 1038 case O_RDONLY | O_CREAT: 1039 e = AUE_OPEN_RC; 1040 break; 1041 case O_RDONLY | O_TRUNC: 1042 e = AUE_OPEN_RT; 1043 break; 1044 case O_RDONLY | O_TRUNC | O_CREAT: 1045 e = AUE_OPEN_RTC; 1046 break; 1047 case O_WRONLY: 1048 e = AUE_OPEN_W; 1049 break; 1050 case O_WRONLY | O_CREAT: 1051 e = AUE_OPEN_WC; 1052 break; 1053 case O_WRONLY | O_TRUNC: 1054 e = AUE_OPEN_WT; 1055 break; 1056 case O_WRONLY | O_TRUNC | O_CREAT: 1057 e = AUE_OPEN_WTC; 1058 break; 1059 case O_RDWR: 1060 e = AUE_OPEN_RW; 1061 break; 1062 case O_RDWR | O_CREAT: 1063 e = AUE_OPEN_RWC; 1064 break; 1065 case O_RDWR | O_TRUNC: 1066 e = AUE_OPEN_RWT; 1067 break; 1068 case O_RDWR | O_TRUNC | O_CREAT: 1069 e = AUE_OPEN_RWTC; 1070 break; 1071 case O_SEARCH: 1072 e = AUE_OPEN_S; 1073 break; 1074 case O_EXEC: 1075 e = AUE_OPEN_E; 1076 break; 1077 default: 1078 e = AUE_NULL; 1079 break; 1080 } 1081 1082 return (e); 1083 } 1084 1085 /* ARGSUSED */ 1086 static au_event_t 1087 aui_open(au_event_t e) 1088 { 1089 klwp_t *clwp = ttolwp(curthread); 1090 uint_t fm; 1091 1092 struct a { 1093 long fnamep; /* char * */ 1094 long fmode; 1095 long cmode; 1096 } *uap = (struct a *)clwp->lwp_ap; 1097 1098 fm = (uint_t)uap->fmode; 1099 1100 return (open_event(fm)); 1101 } 1102 1103 static void 1104 aus_open(struct t_audit_data *tad) 1105 { 1106 klwp_t *clwp = ttolwp(curthread); 1107 uint_t fm; 1108 1109 struct a { 1110 long fnamep; /* char * */ 1111 long fmode; 1112 long cmode; 1113 } *uap = (struct a *)clwp->lwp_ap; 1114 1115 fm = (uint_t)uap->fmode; 1116 1117 /* If no write, create, or trunc modes, mark as a public op */ 1118 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1119 tad->tad_ctrl |= TAD_PUBLIC_EV; 1120 } 1121 1122 /* ARGSUSED */ 1123 static au_event_t 1124 aui_openat(au_event_t e) 1125 { 1126 t_audit_data_t *tad = T2A(curthread); 1127 klwp_t *clwp = ttolwp(curthread); 1128 uint_t fm; 1129 1130 struct a { 1131 long filedes; 1132 long fnamep; /* char * */ 1133 long fmode; 1134 long cmode; 1135 } *uap = (struct a *)clwp->lwp_ap; 1136 1137 fm = (uint_t)uap->fmode; 1138 1139 /* 1140 * __openattrdirat() does an extra pathname lookup in order to 1141 * enter the extended system attribute namespace of the referenced 1142 * extended attribute filename. 1143 */ 1144 if (fm & FXATTRDIROPEN) 1145 tad->tad_ctrl |= TAD_MLD; 1146 1147 return (open_event(fm)); 1148 } 1149 1150 static void 1151 aus_openat(struct t_audit_data *tad) 1152 { 1153 klwp_t *clwp = ttolwp(curthread); 1154 uint_t fm; 1155 1156 struct a { 1157 long filedes; 1158 long fnamep; /* char * */ 1159 long fmode; 1160 long cmode; 1161 } *uap = (struct a *)clwp->lwp_ap; 1162 1163 fm = (uint_t)uap->fmode; 1164 1165 /* If no write, create, or trunc modes, mark as a public op */ 1166 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY) 1167 tad->tad_ctrl |= TAD_PUBLIC_EV; 1168 } 1169 1170 static au_event_t 1171 aui_unlinkat(au_event_t e) 1172 { 1173 klwp_t *clwp = ttolwp(curthread); 1174 1175 struct a { 1176 long filedes; 1177 long fnamep; /* char * */ 1178 long flags; 1179 } *uap = (struct a *)clwp->lwp_ap; 1180 1181 if (uap->flags & AT_REMOVEDIR) 1182 e = AUE_RMDIR; 1183 else 1184 e = AUE_UNLINK; 1185 1186 return (e); 1187 } 1188 1189 static au_event_t 1190 aui_fstatat(au_event_t e) 1191 { 1192 klwp_t *clwp = ttolwp(curthread); 1193 1194 struct a { 1195 long filedes; 1196 long fnamep; /* char * */ 1197 long statb; 1198 long flags; 1199 } *uap = (struct a *)clwp->lwp_ap; 1200 1201 if (uap->fnamep == NULL) 1202 e = AUE_FSTAT; 1203 else if (uap->flags & AT_SYMLINK_NOFOLLOW) 1204 e = AUE_LSTAT; 1205 else 1206 e = AUE_STAT; 1207 1208 return (e); 1209 } 1210 1211 /* msgsys */ 1212 static au_event_t 1213 aui_msgsys(au_event_t e) 1214 { 1215 klwp_t *clwp = ttolwp(curthread); 1216 uint_t fm; 1217 1218 struct a { 1219 long id; /* function code id */ 1220 long ap; /* arg pointer for recvmsg */ 1221 } *uap = (struct a *)clwp->lwp_ap; 1222 1223 struct b { 1224 long msgid; 1225 long cmd; 1226 long buf; /* struct msqid_ds * */ 1227 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1228 1229 fm = (uint_t)uap->id; 1230 1231 switch (fm) { 1232 case 0: /* msgget */ 1233 e = AUE_MSGGET; 1234 break; 1235 case 1: /* msgctl */ 1236 switch ((uint_t)uap1->cmd) { 1237 case IPC_RMID: 1238 e = AUE_MSGCTL_RMID; 1239 break; 1240 case IPC_SET: 1241 e = AUE_MSGCTL_SET; 1242 break; 1243 case IPC_STAT: 1244 e = AUE_MSGCTL_STAT; 1245 break; 1246 default: 1247 e = AUE_MSGCTL; 1248 break; 1249 } 1250 break; 1251 case 2: /* msgrcv */ 1252 e = AUE_MSGRCV; 1253 break; 1254 case 3: /* msgsnd */ 1255 e = AUE_MSGSND; 1256 break; 1257 default: /* illegal system call */ 1258 e = AUE_NULL; 1259 break; 1260 } 1261 1262 return (e); 1263 } 1264 1265 1266 /* shmsys */ 1267 static au_event_t 1268 aui_shmsys(au_event_t e) 1269 { 1270 klwp_t *clwp = ttolwp(curthread); 1271 int fm; 1272 1273 struct a { /* shmsys */ 1274 long id; /* function code id */ 1275 } *uap = (struct a *)clwp->lwp_ap; 1276 1277 struct b { /* ctrl */ 1278 long shmid; 1279 long cmd; 1280 long arg; /* struct shmid_ds * */ 1281 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1282 fm = (uint_t)uap->id; 1283 1284 switch (fm) { 1285 case 0: /* shmat */ 1286 e = AUE_SHMAT; 1287 break; 1288 case 1: /* shmctl */ 1289 switch ((uint_t)uap1->cmd) { 1290 case IPC_RMID: 1291 e = AUE_SHMCTL_RMID; 1292 break; 1293 case IPC_SET: 1294 e = AUE_SHMCTL_SET; 1295 break; 1296 case IPC_STAT: 1297 e = AUE_SHMCTL_STAT; 1298 break; 1299 default: 1300 e = AUE_SHMCTL; 1301 break; 1302 } 1303 break; 1304 case 2: /* shmdt */ 1305 e = AUE_SHMDT; 1306 break; 1307 case 3: /* shmget */ 1308 e = AUE_SHMGET; 1309 break; 1310 default: /* illegal system call */ 1311 e = AUE_NULL; 1312 break; 1313 } 1314 1315 return (e); 1316 } 1317 1318 1319 /* semsys */ 1320 static au_event_t 1321 aui_semsys(au_event_t e) 1322 { 1323 klwp_t *clwp = ttolwp(curthread); 1324 uint_t fm; 1325 1326 struct a { /* semsys */ 1327 long id; 1328 } *uap = (struct a *)clwp->lwp_ap; 1329 1330 struct b { /* ctrl */ 1331 long semid; 1332 long semnum; 1333 long cmd; 1334 long arg; 1335 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1336 1337 fm = (uint_t)uap->id; 1338 1339 switch (fm) { 1340 case 0: /* semctl */ 1341 switch ((uint_t)uap1->cmd) { 1342 case IPC_RMID: 1343 e = AUE_SEMCTL_RMID; 1344 break; 1345 case IPC_SET: 1346 e = AUE_SEMCTL_SET; 1347 break; 1348 case IPC_STAT: 1349 e = AUE_SEMCTL_STAT; 1350 break; 1351 case GETNCNT: 1352 e = AUE_SEMCTL_GETNCNT; 1353 break; 1354 case GETPID: 1355 e = AUE_SEMCTL_GETPID; 1356 break; 1357 case GETVAL: 1358 e = AUE_SEMCTL_GETVAL; 1359 break; 1360 case GETALL: 1361 e = AUE_SEMCTL_GETALL; 1362 break; 1363 case GETZCNT: 1364 e = AUE_SEMCTL_GETZCNT; 1365 break; 1366 case SETVAL: 1367 e = AUE_SEMCTL_SETVAL; 1368 break; 1369 case SETALL: 1370 e = AUE_SEMCTL_SETALL; 1371 break; 1372 default: 1373 e = AUE_SEMCTL; 1374 break; 1375 } 1376 break; 1377 case 1: /* semget */ 1378 e = AUE_SEMGET; 1379 break; 1380 case 2: /* semop */ 1381 e = AUE_SEMOP; 1382 break; 1383 default: /* illegal system call */ 1384 e = AUE_NULL; 1385 break; 1386 } 1387 1388 return (e); 1389 } 1390 1391 /* utssys - uname(2), ustat(2), fusers(2) */ 1392 static au_event_t 1393 aui_utssys(au_event_t e) 1394 { 1395 klwp_t *clwp = ttolwp(curthread); 1396 uint_t type; 1397 1398 struct a { 1399 union { 1400 long cbuf; /* char * */ 1401 long ubuf; /* struct stat * */ 1402 } ub; 1403 union { 1404 long mv; /* for USTAT */ 1405 long flags; /* for FUSERS */ 1406 } un; 1407 long type; 1408 long outbp; /* char * for FUSERS */ 1409 } *uap = (struct a *)clwp->lwp_ap; 1410 1411 type = (uint_t)uap->type; 1412 1413 if (type == UTS_FUSERS) 1414 return (e); 1415 else 1416 return ((au_event_t)AUE_NULL); 1417 } 1418 1419 static au_event_t 1420 aui_fcntl(au_event_t e) 1421 { 1422 klwp_t *clwp = ttolwp(curthread); 1423 uint_t cmd; 1424 1425 struct a { 1426 long fdes; 1427 long cmd; 1428 long arg; 1429 } *uap = (struct a *)clwp->lwp_ap; 1430 1431 cmd = (uint_t)uap->cmd; 1432 1433 switch (cmd) { 1434 case F_GETLK: 1435 case F_SETLK: 1436 case F_SETLKW: 1437 break; 1438 case F_SETFL: 1439 case F_GETFL: 1440 case F_GETFD: 1441 break; 1442 default: 1443 e = (au_event_t)AUE_NULL; 1444 break; 1445 } 1446 return ((au_event_t)e); 1447 } 1448 1449 /* null function for now */ 1450 static au_event_t 1451 aui_execve(au_event_t e) 1452 { 1453 return (e); 1454 } 1455 1456 /*ARGSUSED*/ 1457 static void 1458 aus_fcntl(struct t_audit_data *tad) 1459 { 1460 klwp_t *clwp = ttolwp(curthread); 1461 uint32_t cmd, fd, flags; 1462 struct file *fp; 1463 struct vnode *vp; 1464 struct f_audit_data *fad; 1465 1466 struct a { 1467 long fd; 1468 long cmd; 1469 long arg; 1470 } *uap = (struct a *)clwp->lwp_ap; 1471 1472 cmd = (uint32_t)uap->cmd; 1473 fd = (uint32_t)uap->fd; 1474 flags = (uint32_t)uap->arg; 1475 1476 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1477 1478 if (cmd == F_SETFL) 1479 au_uwrite(au_to_arg32(3, "flags", flags)); 1480 1481 /* 1482 * convert file pointer to file descriptor 1483 * Note: fd ref count incremented here. 1484 */ 1485 if ((fp = getf(fd)) == NULL) 1486 return; 1487 1488 /* get path from file struct here */ 1489 fad = F2A(fp); 1490 if (fad->fad_aupath != NULL) { 1491 au_uwrite(au_to_path(fad->fad_aupath)); 1492 } else { 1493 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1494 } 1495 1496 vp = fp->f_vnode; 1497 audit_attributes(vp); 1498 1499 /* decrement file descriptor reference count */ 1500 releasef(fd); 1501 } 1502 1503 /*ARGSUSED*/ 1504 static void 1505 aus_kill(struct t_audit_data *tad) 1506 { 1507 klwp_t *clwp = ttolwp(curthread); 1508 struct proc *p; 1509 uint32_t signo; 1510 uid_t uid, ruid; 1511 gid_t gid, rgid; 1512 pid_t pid; 1513 const auditinfo_addr_t *ainfo; 1514 cred_t *cr; 1515 1516 struct a { 1517 long pid; 1518 long signo; 1519 } *uap = (struct a *)clwp->lwp_ap; 1520 1521 pid = (pid_t)uap->pid; 1522 signo = (uint32_t)uap->signo; 1523 1524 au_uwrite(au_to_arg32(2, "signal", signo)); 1525 if (pid > 0) { 1526 mutex_enter(&pidlock); 1527 if (((p = prfind(pid)) == (struct proc *)0) || 1528 (p->p_stat == SIDL)) { 1529 mutex_exit(&pidlock); 1530 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1531 return; 1532 } 1533 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1534 mutex_exit(&pidlock); 1535 1536 mutex_enter(&p->p_crlock); 1537 crhold(cr = p->p_cred); 1538 mutex_exit(&p->p_crlock); 1539 mutex_exit(&p->p_lock); 1540 1541 ainfo = crgetauinfo(cr); 1542 if (ainfo == NULL) { 1543 crfree(cr); 1544 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1545 return; 1546 } 1547 1548 uid = crgetuid(cr); 1549 gid = crgetgid(cr); 1550 ruid = crgetruid(cr); 1551 rgid = crgetrgid(cr); 1552 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1553 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1554 1555 if (is_system_labeled()) 1556 au_uwrite(au_to_label(CR_SL(cr))); 1557 1558 crfree(cr); 1559 } 1560 else 1561 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1562 } 1563 1564 /*ARGSUSED*/ 1565 static void 1566 aus_mkdir(struct t_audit_data *tad) 1567 { 1568 klwp_t *clwp = ttolwp(curthread); 1569 uint32_t dmode; 1570 1571 struct a { 1572 long dirnamep; /* char * */ 1573 long dmode; 1574 } *uap = (struct a *)clwp->lwp_ap; 1575 1576 dmode = (uint32_t)uap->dmode; 1577 1578 au_uwrite(au_to_arg32(2, "mode", dmode)); 1579 } 1580 1581 /*ARGSUSED*/ 1582 static void 1583 aus_mkdirat(struct t_audit_data *tad) 1584 { 1585 klwp_t *clwp = ttolwp(curthread); 1586 uint32_t dmode; 1587 1588 struct a { 1589 long fd; 1590 long dirnamep; /* char * */ 1591 long dmode; 1592 } *uap = (struct a *)clwp->lwp_ap; 1593 1594 dmode = (uint32_t)uap->dmode; 1595 1596 au_uwrite(au_to_arg32(2, "mode", dmode)); 1597 } 1598 1599 /*ARGSUSED*/ 1600 static void 1601 aus_mknod(struct t_audit_data *tad) 1602 { 1603 klwp_t *clwp = ttolwp(curthread); 1604 uint32_t fmode; 1605 dev_t dev; 1606 1607 struct a { 1608 long pnamep; /* char * */ 1609 long fmode; 1610 long dev; 1611 } *uap = (struct a *)clwp->lwp_ap; 1612 1613 fmode = (uint32_t)uap->fmode; 1614 dev = (dev_t)uap->dev; 1615 1616 au_uwrite(au_to_arg32(2, "mode", fmode)); 1617 #ifdef _LP64 1618 au_uwrite(au_to_arg64(3, "dev", dev)); 1619 #else 1620 au_uwrite(au_to_arg32(3, "dev", dev)); 1621 #endif 1622 } 1623 1624 /*ARGSUSED*/ 1625 static void 1626 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1627 { 1628 klwp_t *clwp = ttolwp(curthread); 1629 vnode_t *dvp; 1630 caddr_t pnamep; 1631 1632 struct a { 1633 long pnamep; /* char * */ 1634 long fmode; 1635 long dev; 1636 } *uap = (struct a *)clwp->lwp_ap; 1637 1638 /* no error, then already path token in audit record */ 1639 if (error != EPERM && error != EINVAL) 1640 return; 1641 1642 /* do the lookup to force generation of path token */ 1643 pnamep = (caddr_t)uap->pnamep; 1644 tad->tad_ctrl |= TAD_NOATTRB; 1645 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1646 if (error == 0) 1647 VN_RELE(dvp); 1648 } 1649 1650 /*ARGSUSED*/ 1651 static void 1652 aus_mknodat(struct t_audit_data *tad) 1653 { 1654 klwp_t *clwp = ttolwp(curthread); 1655 uint32_t fmode; 1656 dev_t dev; 1657 1658 struct a { 1659 long fd; 1660 long pnamep; /* char * */ 1661 long fmode; 1662 long dev; 1663 } *uap = (struct a *)clwp->lwp_ap; 1664 1665 fmode = (uint32_t)uap->fmode; 1666 dev = (dev_t)uap->dev; 1667 1668 au_uwrite(au_to_arg32(2, "mode", fmode)); 1669 #ifdef _LP64 1670 au_uwrite(au_to_arg64(3, "dev", dev)); 1671 #else 1672 au_uwrite(au_to_arg32(3, "dev", dev)); 1673 #endif 1674 } 1675 1676 /*ARGSUSED*/ 1677 static void 1678 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval) 1679 { 1680 klwp_t *clwp = ttolwp(curthread); 1681 vnode_t *startvp; 1682 vnode_t *dvp; 1683 caddr_t pnamep; 1684 int fd; 1685 1686 struct a { 1687 long fd; 1688 long pnamep; /* char * */ 1689 long fmode; 1690 long dev; 1691 } *uap = (struct a *)clwp->lwp_ap; 1692 1693 /* no error, then already path token in audit record */ 1694 if (error != EPERM && error != EINVAL) 1695 return; 1696 1697 /* do the lookup to force generation of path token */ 1698 fd = (int)uap->fd; 1699 pnamep = (caddr_t)uap->pnamep; 1700 if (pnamep == NULL || 1701 fgetstartvp(fd, pnamep, &startvp) != 0) 1702 return; 1703 tad->tad_ctrl |= TAD_NOATTRB; 1704 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP, 1705 startvp); 1706 if (error == 0) 1707 VN_RELE(dvp); 1708 if (startvp != NULL) 1709 VN_RELE(startvp); 1710 } 1711 1712 /*ARGSUSED*/ 1713 static void 1714 aus_mount(struct t_audit_data *tad) 1715 { /* AUS_START */ 1716 klwp_t *clwp = ttolwp(curthread); 1717 uint32_t flags; 1718 uintptr_t u_fstype, dataptr; 1719 STRUCT_DECL(nfs_args, nfsargs); 1720 size_t len; 1721 char *fstype, *hostname; 1722 1723 struct a { 1724 long spec; /* char * */ 1725 long dir; /* char * */ 1726 long flags; 1727 long fstype; /* char * */ 1728 long dataptr; /* char * */ 1729 long datalen; 1730 } *uap = (struct a *)clwp->lwp_ap; 1731 1732 u_fstype = (uintptr_t)uap->fstype; 1733 flags = (uint32_t)uap->flags; 1734 dataptr = (uintptr_t)uap->dataptr; 1735 1736 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1737 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1738 goto mount_free_fstype; 1739 1740 au_uwrite(au_to_arg32(3, "flags", flags)); 1741 au_uwrite(au_to_text(fstype)); 1742 1743 if (strncmp(fstype, "nfs", 3) == 0) { 1744 1745 STRUCT_INIT(nfsargs, get_udatamodel()); 1746 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1747 1748 if (copyin((caddr_t)dataptr, 1749 STRUCT_BUF(nfsargs), 1750 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1751 /* DEBUG debug_enter((char *)NULL); */ 1752 goto mount_free_fstype; 1753 } 1754 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1755 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1756 (caddr_t)hostname, 1757 MAXNAMELEN, &len)) { 1758 goto mount_free_hostname; 1759 } 1760 au_uwrite(au_to_text(hostname)); 1761 au_uwrite(au_to_arg32(3, "internal flags", 1762 (uint_t)STRUCT_FGET(nfsargs, flags))); 1763 1764 mount_free_hostname: 1765 kmem_free(hostname, MAXNAMELEN); 1766 } 1767 1768 mount_free_fstype: 1769 kmem_free(fstype, MAXNAMELEN); 1770 } /* AUS_MOUNT */ 1771 1772 static void 1773 aus_umount_path(caddr_t umount_dir) 1774 { 1775 char *dir_path; 1776 struct audit_path *path; 1777 size_t path_len, dir_len; 1778 1779 /* length alloc'd for two string pointers */ 1780 path_len = sizeof (struct audit_path) + sizeof (char *); 1781 path = kmem_alloc(path_len, KM_SLEEP); 1782 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1783 1784 if (copyinstr(umount_dir, (caddr_t)dir_path, 1785 MAXPATHLEN, &dir_len)) 1786 goto umount2_free_dir; 1787 1788 /* 1789 * the audit_path struct assumes that the buffer pointed to 1790 * by audp_sect[n] contains string 0 immediatedly followed 1791 * by string 1. 1792 */ 1793 path->audp_sect[0] = dir_path; 1794 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1795 path->audp_size = path_len; 1796 path->audp_ref = 1; /* not used */ 1797 path->audp_cnt = 1; /* one path string */ 1798 1799 au_uwrite(au_to_path(path)); 1800 1801 umount2_free_dir: 1802 kmem_free(dir_path, MAXPATHLEN); 1803 kmem_free(path, path_len); 1804 } 1805 1806 /*ARGSUSED*/ 1807 static void 1808 aus_umount2(struct t_audit_data *tad) 1809 { 1810 klwp_t *clwp = ttolwp(curthread); 1811 struct a { 1812 long dir; /* char * */ 1813 long flags; 1814 } *uap = (struct a *)clwp->lwp_ap; 1815 1816 aus_umount_path((caddr_t)uap->dir); 1817 1818 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1819 } 1820 1821 static void 1822 aus_msgsys(struct t_audit_data *tad) 1823 { 1824 klwp_t *clwp = ttolwp(curthread); 1825 uint32_t msgid; 1826 1827 struct b { 1828 long msgid; 1829 long cmd; 1830 long buf; /* struct msqid_ds * */ 1831 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1832 1833 msgid = (uint32_t)uap1->msgid; 1834 1835 1836 switch (tad->tad_event) { 1837 case AUE_MSGGET: /* msgget */ 1838 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1839 break; 1840 case AUE_MSGCTL: /* msgctl */ 1841 case AUE_MSGCTL_RMID: /* msgctl */ 1842 case AUE_MSGCTL_SET: /* msgctl */ 1843 case AUE_MSGCTL_STAT: /* msgctl */ 1844 case AUE_MSGRCV: /* msgrcv */ 1845 case AUE_MSGSND: /* msgsnd */ 1846 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1847 break; 1848 } 1849 } 1850 1851 /*ARGSUSED*/ 1852 static void 1853 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1854 { 1855 int id; 1856 1857 if (error != 0) 1858 return; 1859 if (tad->tad_event == AUE_MSGGET) { 1860 uint32_t scid; 1861 uint32_t sy_flags; 1862 1863 /* need to determine type of executing binary */ 1864 scid = tad->tad_scid; 1865 #ifdef _SYSCALL32_IMPL 1866 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1867 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1868 else 1869 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1870 #else 1871 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1872 #endif 1873 if (sy_flags == SE_32RVAL1) 1874 id = rval->r_val1; 1875 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1876 id = rval->r_val1; 1877 if (sy_flags == SE_64RVAL) 1878 id = (int)rval->r_vals; 1879 1880 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1881 } 1882 } 1883 1884 static void 1885 aus_semsys(struct t_audit_data *tad) 1886 { 1887 klwp_t *clwp = ttolwp(curthread); 1888 uint32_t semid; 1889 1890 struct b { /* ctrl */ 1891 long semid; 1892 long semnum; 1893 long cmd; 1894 long arg; 1895 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1896 1897 semid = (uint32_t)uap1->semid; 1898 1899 switch (tad->tad_event) { 1900 case AUE_SEMCTL_RMID: 1901 case AUE_SEMCTL_STAT: 1902 case AUE_SEMCTL_GETNCNT: 1903 case AUE_SEMCTL_GETPID: 1904 case AUE_SEMCTL_GETVAL: 1905 case AUE_SEMCTL_GETALL: 1906 case AUE_SEMCTL_GETZCNT: 1907 case AUE_SEMCTL_SET: 1908 case AUE_SEMCTL_SETVAL: 1909 case AUE_SEMCTL_SETALL: 1910 case AUE_SEMCTL: 1911 case AUE_SEMOP: 1912 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1913 break; 1914 case AUE_SEMGET: 1915 au_uwrite(au_to_arg32(1, "sem key", semid)); 1916 break; 1917 } 1918 } 1919 1920 /*ARGSUSED*/ 1921 static void 1922 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1923 { 1924 int id; 1925 1926 if (error != 0) 1927 return; 1928 if (tad->tad_event == AUE_SEMGET) { 1929 uint32_t scid; 1930 uint32_t sy_flags; 1931 1932 /* need to determine type of executing binary */ 1933 scid = tad->tad_scid; 1934 #ifdef _SYSCALL32_IMPL 1935 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1936 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1937 else 1938 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1939 #else 1940 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1941 #endif 1942 if (sy_flags == SE_32RVAL1) 1943 id = rval->r_val1; 1944 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1945 id = rval->r_val1; 1946 if (sy_flags == SE_64RVAL) 1947 id = (int)rval->r_vals; 1948 1949 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1950 } 1951 } 1952 1953 /*ARGSUSED*/ 1954 static void 1955 aus_close(struct t_audit_data *tad) 1956 { 1957 klwp_t *clwp = ttolwp(curthread); 1958 uint32_t fd; 1959 struct file *fp; 1960 struct f_audit_data *fad; 1961 struct vnode *vp; 1962 struct vattr attr; 1963 au_kcontext_t *kctx = GET_KCTX_PZ; 1964 1965 struct a { 1966 long i; 1967 } *uap = (struct a *)clwp->lwp_ap; 1968 1969 fd = (uint32_t)uap->i; 1970 1971 attr.va_mask = 0; 1972 au_uwrite(au_to_arg32(1, "fd", fd)); 1973 1974 /* 1975 * convert file pointer to file descriptor 1976 * Note: fd ref count incremented here. 1977 */ 1978 if ((fp = getf(fd)) == NULL) 1979 return; 1980 1981 fad = F2A(fp); 1982 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1983 if (fad->fad_aupath != NULL) { 1984 au_uwrite(au_to_path(fad->fad_aupath)); 1985 if ((vp = fp->f_vnode) != NULL) { 1986 attr.va_mask = AT_ALL; 1987 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1988 /* 1989 * When write was not used and the file can be 1990 * considered public, skip the audit. 1991 */ 1992 if (((fp->f_flag & FWRITE) == 0) && 1993 object_is_public(&attr)) { 1994 tad->tad_flag = 0; 1995 tad->tad_evmod = 0; 1996 /* free any residual audit data */ 1997 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 1998 releasef(fd); 1999 return; 2000 } 2001 au_uwrite(au_to_attr(&attr)); 2002 audit_sec_attributes(&(u_ad), vp); 2003 } 2004 } 2005 } 2006 2007 /* decrement file descriptor reference count */ 2008 releasef(fd); 2009 } 2010 2011 /*ARGSUSED*/ 2012 static void 2013 aus_fstatfs(struct t_audit_data *tad) 2014 { 2015 klwp_t *clwp = ttolwp(curthread); 2016 uint32_t fd; 2017 struct file *fp; 2018 struct vnode *vp; 2019 struct f_audit_data *fad; 2020 2021 struct a { 2022 long fd; 2023 long buf; /* struct statfs * */ 2024 } *uap = (struct a *)clwp->lwp_ap; 2025 2026 fd = (uint_t)uap->fd; 2027 2028 /* 2029 * convert file pointer to file descriptor 2030 * Note: fd ref count incremented here. 2031 */ 2032 if ((fp = getf(fd)) == NULL) 2033 return; 2034 2035 /* get path from file struct here */ 2036 fad = F2A(fp); 2037 if (fad->fad_aupath != NULL) { 2038 au_uwrite(au_to_path(fad->fad_aupath)); 2039 } else { 2040 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2041 } 2042 2043 vp = fp->f_vnode; 2044 audit_attributes(vp); 2045 2046 /* decrement file descriptor reference count */ 2047 releasef(fd); 2048 } 2049 2050 static au_event_t 2051 aui_setpgrp(au_event_t e) 2052 { 2053 klwp_t *clwp = ttolwp(curthread); 2054 int flag; 2055 2056 struct a { 2057 long flag; 2058 long pid; 2059 long pgid; 2060 } *uap = (struct a *)clwp->lwp_ap; 2061 2062 flag = (int)uap->flag; 2063 2064 2065 switch (flag) { 2066 2067 case 1: /* setpgrp() */ 2068 e = AUE_SETPGRP; 2069 break; 2070 2071 case 3: /* setsid() */ 2072 e = AUE_SETSID; 2073 break; 2074 2075 case 5: /* setpgid() */ 2076 e = AUE_SETPGID; 2077 break; 2078 2079 case 0: /* getpgrp() - not security relevant */ 2080 case 2: /* getsid() - not security relevant */ 2081 case 4: /* getpgid() - not security relevant */ 2082 e = AUE_NULL; 2083 break; 2084 2085 default: 2086 e = AUE_NULL; 2087 break; 2088 } 2089 2090 return (e); 2091 } 2092 2093 /*ARGSUSED*/ 2094 static void 2095 aus_setpgrp(struct t_audit_data *tad) 2096 { 2097 klwp_t *clwp = ttolwp(curthread); 2098 pid_t pgid; 2099 struct proc *p; 2100 uid_t uid, ruid; 2101 gid_t gid, rgid; 2102 pid_t pid; 2103 cred_t *cr; 2104 int flag; 2105 const auditinfo_addr_t *ainfo; 2106 2107 struct a { 2108 long flag; 2109 long pid; 2110 long pgid; 2111 } *uap = (struct a *)clwp->lwp_ap; 2112 2113 flag = (int)uap->flag; 2114 pid = (pid_t)uap->pid; 2115 pgid = (pid_t)uap->pgid; 2116 2117 2118 switch (flag) { 2119 2120 case 0: /* getpgrp() */ 2121 case 1: /* setpgrp() */ 2122 case 2: /* getsid() */ 2123 case 3: /* setsid() */ 2124 case 4: /* getpgid() */ 2125 break; 2126 2127 case 5: /* setpgid() */ 2128 2129 /* current process? */ 2130 if (pid == 0) { 2131 return; 2132 } 2133 2134 mutex_enter(&pidlock); 2135 p = prfind(pid); 2136 if (p == NULL || p->p_as == &kas || 2137 p->p_stat == SIDL || p->p_stat == SZOMB) { 2138 mutex_exit(&pidlock); 2139 return; 2140 } 2141 mutex_enter(&p->p_lock); /* so process doesn't go away */ 2142 mutex_exit(&pidlock); 2143 2144 mutex_enter(&p->p_crlock); 2145 crhold(cr = p->p_cred); 2146 mutex_exit(&p->p_crlock); 2147 mutex_exit(&p->p_lock); 2148 2149 ainfo = crgetauinfo(cr); 2150 if (ainfo == NULL) { 2151 crfree(cr); 2152 return; 2153 } 2154 2155 uid = crgetuid(cr); 2156 gid = crgetgid(cr); 2157 ruid = crgetruid(cr); 2158 rgid = crgetrgid(cr); 2159 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2160 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2161 crfree(cr); 2162 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2163 break; 2164 2165 default: 2166 break; 2167 } 2168 } 2169 2170 2171 /*ARGSUSED*/ 2172 static void 2173 aus_setregid(struct t_audit_data *tad) 2174 { 2175 klwp_t *clwp = ttolwp(curthread); 2176 uint32_t rgid, egid; 2177 2178 struct a { 2179 long rgid; 2180 long egid; 2181 } *uap = (struct a *)clwp->lwp_ap; 2182 2183 rgid = (uint32_t)uap->rgid; 2184 egid = (uint32_t)uap->egid; 2185 2186 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2187 au_uwrite(au_to_arg32(2, "egid", egid)); 2188 } 2189 2190 /*ARGSUSED*/ 2191 static void 2192 aus_setgid(struct t_audit_data *tad) 2193 { 2194 klwp_t *clwp = ttolwp(curthread); 2195 uint32_t gid; 2196 2197 struct a { 2198 long gid; 2199 } *uap = (struct a *)clwp->lwp_ap; 2200 2201 gid = (uint32_t)uap->gid; 2202 2203 au_uwrite(au_to_arg32(1, "gid", gid)); 2204 } 2205 2206 2207 /*ARGSUSED*/ 2208 static void 2209 aus_setreuid(struct t_audit_data *tad) 2210 { 2211 klwp_t *clwp = ttolwp(curthread); 2212 uint32_t ruid, euid; 2213 2214 struct a { 2215 long ruid; 2216 long euid; 2217 } *uap = (struct a *)clwp->lwp_ap; 2218 2219 ruid = (uint32_t)uap->ruid; 2220 euid = (uint32_t)uap->euid; 2221 2222 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2223 au_uwrite(au_to_arg32(2, "euid", euid)); 2224 } 2225 2226 2227 /*ARGSUSED*/ 2228 static void 2229 aus_setuid(struct t_audit_data *tad) 2230 { 2231 klwp_t *clwp = ttolwp(curthread); 2232 uint32_t uid; 2233 2234 struct a { 2235 long uid; 2236 } *uap = (struct a *)clwp->lwp_ap; 2237 2238 uid = (uint32_t)uap->uid; 2239 2240 au_uwrite(au_to_arg32(1, "uid", uid)); 2241 } 2242 2243 /*ARGSUSED*/ 2244 static void 2245 aus_shmsys(struct t_audit_data *tad) 2246 { 2247 klwp_t *clwp = ttolwp(curthread); 2248 uint32_t id, cmd; 2249 2250 struct b { 2251 long id; 2252 long cmd; 2253 long buf; /* struct shmid_ds * */ 2254 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2255 2256 id = (uint32_t)uap1->id; 2257 cmd = (uint32_t)uap1->cmd; 2258 2259 switch (tad->tad_event) { 2260 case AUE_SHMGET: /* shmget */ 2261 au_uwrite(au_to_arg32(1, "shm key", id)); 2262 break; 2263 case AUE_SHMCTL: /* shmctl */ 2264 case AUE_SHMCTL_RMID: /* shmctl */ 2265 case AUE_SHMCTL_STAT: /* shmctl */ 2266 case AUE_SHMCTL_SET: /* shmctl */ 2267 au_uwrite(au_to_arg32(1, "shm ID", id)); 2268 break; 2269 case AUE_SHMDT: /* shmdt */ 2270 au_uwrite(au_to_arg32(1, "shm adr", id)); 2271 break; 2272 case AUE_SHMAT: /* shmat */ 2273 au_uwrite(au_to_arg32(1, "shm ID", id)); 2274 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2275 break; 2276 } 2277 } 2278 2279 /*ARGSUSED*/ 2280 static void 2281 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2282 { 2283 int id; 2284 2285 if (error != 0) 2286 return; 2287 if (tad->tad_event == AUE_SHMGET) { 2288 uint32_t scid; 2289 uint32_t sy_flags; 2290 2291 /* need to determine type of executing binary */ 2292 scid = tad->tad_scid; 2293 #ifdef _SYSCALL32_IMPL 2294 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2295 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2296 else 2297 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2298 #else 2299 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2300 #endif 2301 if (sy_flags == SE_32RVAL1) 2302 id = rval->r_val1; 2303 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2304 id = rval->r_val1; 2305 if (sy_flags == SE_64RVAL) 2306 id = (int)rval->r_vals; 2307 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2308 } 2309 } 2310 2311 2312 /*ARGSUSED*/ 2313 static void 2314 aus_ioctl(struct t_audit_data *tad) 2315 { 2316 klwp_t *clwp = ttolwp(curthread); 2317 struct file *fp; 2318 struct vnode *vp; 2319 struct f_audit_data *fad; 2320 uint32_t fd, cmd; 2321 uintptr_t cmarg; 2322 2323 /* XX64 */ 2324 struct a { 2325 long fd; 2326 long cmd; 2327 long cmarg; /* caddr_t */ 2328 } *uap = (struct a *)clwp->lwp_ap; 2329 2330 fd = (uint32_t)uap->fd; 2331 cmd = (uint32_t)uap->cmd; 2332 cmarg = (uintptr_t)uap->cmarg; 2333 2334 /* 2335 * convert file pointer to file descriptor 2336 * Note: fd ref count incremented here. 2337 */ 2338 if ((fp = getf(fd)) == NULL) { 2339 au_uwrite(au_to_arg32(1, "fd", fd)); 2340 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2341 #ifndef _LP64 2342 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2343 #else 2344 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2345 #endif 2346 return; 2347 } 2348 2349 /* get path from file struct here */ 2350 fad = F2A(fp); 2351 if (fad->fad_aupath != NULL) { 2352 au_uwrite(au_to_path(fad->fad_aupath)); 2353 } else { 2354 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2355 } 2356 2357 vp = fp->f_vnode; 2358 audit_attributes(vp); 2359 2360 /* decrement file descriptor reference count */ 2361 releasef(fd); 2362 2363 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2364 #ifndef _LP64 2365 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2366 #else 2367 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2368 #endif 2369 } 2370 2371 /* 2372 * null function for memcntl for now. We might want to limit memcntl() 2373 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2374 * require privileges. 2375 */ 2376 static au_event_t 2377 aui_memcntl(au_event_t e) 2378 { 2379 return (e); 2380 } 2381 2382 /*ARGSUSED*/ 2383 static au_event_t 2384 aui_privsys(au_event_t e) 2385 { 2386 klwp_t *clwp = ttolwp(curthread); 2387 2388 struct a { 2389 long opcode; 2390 } *uap = (struct a *)clwp->lwp_ap; 2391 2392 switch (uap->opcode) { 2393 case PRIVSYS_SETPPRIV: 2394 return (AUE_SETPPRIV); 2395 default: 2396 return (AUE_NULL); 2397 } 2398 } 2399 2400 /*ARGSUSED*/ 2401 static void 2402 aus_memcntl(struct t_audit_data *tad) 2403 { 2404 klwp_t *clwp = ttolwp(curthread); 2405 2406 struct a { 2407 long addr; 2408 long len; 2409 long cmd; 2410 long arg; 2411 long attr; 2412 long mask; 2413 } *uap = (struct a *)clwp->lwp_ap; 2414 2415 #ifdef _LP64 2416 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2417 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2418 #else 2419 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2420 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2421 #endif 2422 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2423 #ifdef _LP64 2424 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2425 #else 2426 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2427 #endif 2428 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2429 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2430 } 2431 2432 /*ARGSUSED*/ 2433 static void 2434 aus_mmap(struct t_audit_data *tad) 2435 { 2436 klwp_t *clwp = ttolwp(curthread); 2437 struct file *fp; 2438 struct f_audit_data *fad; 2439 struct vnode *vp; 2440 uint32_t fd; 2441 2442 struct a { 2443 long addr; 2444 long len; 2445 long prot; 2446 long flags; 2447 long fd; 2448 long pos; 2449 } *uap = (struct a *)clwp->lwp_ap; 2450 2451 fd = (uint32_t)uap->fd; 2452 2453 #ifdef _LP64 2454 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2455 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2456 #else 2457 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2458 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2459 #endif 2460 2461 if ((fp = getf(fd)) == NULL) { 2462 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2463 return; 2464 } 2465 2466 /* 2467 * Mark in the tad if write access is NOT requested... if 2468 * this is later detected (in audit_attributes) to be a 2469 * public object, the mmap event may be discarded. 2470 */ 2471 if (((uap->prot) & PROT_WRITE) == 0) { 2472 tad->tad_ctrl |= TAD_PUBLIC_EV; 2473 } 2474 2475 fad = F2A(fp); 2476 if (fad->fad_aupath != NULL) { 2477 au_uwrite(au_to_path(fad->fad_aupath)); 2478 } else { 2479 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2480 } 2481 2482 vp = (struct vnode *)fp->f_vnode; 2483 audit_attributes(vp); 2484 2485 /* mark READ/WRITE since we can't predict access */ 2486 if (uap->prot & PROT_READ) 2487 fad->fad_flags |= FAD_READ; 2488 if (uap->prot & PROT_WRITE) 2489 fad->fad_flags |= FAD_WRITE; 2490 2491 /* decrement file descriptor reference count */ 2492 releasef(fd); 2493 2494 } /* AUS_MMAP */ 2495 2496 2497 2498 2499 /*ARGSUSED*/ 2500 static void 2501 aus_munmap(struct t_audit_data *tad) 2502 { 2503 klwp_t *clwp = ttolwp(curthread); 2504 2505 struct a { 2506 long addr; 2507 long len; 2508 } *uap = (struct a *)clwp->lwp_ap; 2509 2510 #ifdef _LP64 2511 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2512 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2513 #else 2514 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2515 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2516 #endif 2517 2518 } /* AUS_MUNMAP */ 2519 2520 2521 2522 2523 2524 2525 2526 /*ARGSUSED*/ 2527 static void 2528 aus_priocntlsys(struct t_audit_data *tad) 2529 { 2530 klwp_t *clwp = ttolwp(curthread); 2531 2532 struct a { 2533 long pc_version; 2534 long psp; /* procset_t */ 2535 long cmd; 2536 long arg; 2537 } *uap = (struct a *)clwp->lwp_ap; 2538 2539 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2540 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2541 2542 } /* AUS_PRIOCNTLSYS */ 2543 2544 2545 /*ARGSUSED*/ 2546 static void 2547 aus_setegid(struct t_audit_data *tad) 2548 { 2549 klwp_t *clwp = ttolwp(curthread); 2550 uint32_t gid; 2551 2552 struct a { 2553 long gid; 2554 } *uap = (struct a *)clwp->lwp_ap; 2555 2556 gid = (uint32_t)uap->gid; 2557 2558 au_uwrite(au_to_arg32(1, "gid", gid)); 2559 } /* AUS_SETEGID */ 2560 2561 2562 2563 2564 /*ARGSUSED*/ 2565 static void 2566 aus_setgroups(struct t_audit_data *tad) 2567 { 2568 klwp_t *clwp = ttolwp(curthread); 2569 int i; 2570 int gidsetsize; 2571 uintptr_t gidset; 2572 gid_t *gidlist; 2573 2574 struct a { 2575 long gidsetsize; 2576 long gidset; 2577 } *uap = (struct a *)clwp->lwp_ap; 2578 2579 gidsetsize = (uint_t)uap->gidsetsize; 2580 gidset = (uintptr_t)uap->gidset; 2581 2582 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2583 return; 2584 if (gidsetsize != 0) { 2585 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2586 KM_SLEEP); 2587 if (copyin((caddr_t)gidset, gidlist, 2588 gidsetsize * sizeof (gid_t)) == 0) 2589 for (i = 0; i < gidsetsize; i++) 2590 au_uwrite(au_to_arg32(1, "setgroups", 2591 (uint32_t)gidlist[i])); 2592 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2593 } else 2594 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2595 2596 } /* AUS_SETGROUPS */ 2597 2598 2599 2600 2601 2602 /*ARGSUSED*/ 2603 static void 2604 aus_seteuid(struct t_audit_data *tad) 2605 { 2606 klwp_t *clwp = ttolwp(curthread); 2607 uint32_t uid; 2608 2609 struct a { 2610 long uid; 2611 } *uap = (struct a *)clwp->lwp_ap; 2612 2613 uid = (uint32_t)uap->uid; 2614 2615 au_uwrite(au_to_arg32(1, "euid", uid)); 2616 2617 } /* AUS_SETEUID */ 2618 2619 /*ARGSUSED*/ 2620 static void 2621 aus_putmsg(struct t_audit_data *tad) 2622 { 2623 klwp_t *clwp = ttolwp(curthread); 2624 uint32_t fd, pri; 2625 struct file *fp; 2626 struct f_audit_data *fad; 2627 2628 struct a { 2629 long fdes; 2630 long ctl; /* struct strbuf * */ 2631 long data; /* struct strbuf * */ 2632 long pri; 2633 } *uap = (struct a *)clwp->lwp_ap; 2634 2635 fd = (uint32_t)uap->fdes; 2636 pri = (uint32_t)uap->pri; 2637 2638 au_uwrite(au_to_arg32(1, "fd", fd)); 2639 2640 if ((fp = getf(fd)) != NULL) { 2641 fad = F2A(fp); 2642 2643 fad->fad_flags |= FAD_WRITE; 2644 2645 /* add path name to audit record */ 2646 if (fad->fad_aupath != NULL) { 2647 au_uwrite(au_to_path(fad->fad_aupath)); 2648 } 2649 audit_attributes(fp->f_vnode); 2650 2651 releasef(fd); 2652 } 2653 2654 au_uwrite(au_to_arg32(4, "pri", pri)); 2655 } 2656 2657 /*ARGSUSED*/ 2658 static void 2659 aus_putpmsg(struct t_audit_data *tad) 2660 { 2661 klwp_t *clwp = ttolwp(curthread); 2662 uint32_t fd, pri, flags; 2663 struct file *fp; 2664 struct f_audit_data *fad; 2665 2666 struct a { 2667 long fdes; 2668 long ctl; /* struct strbuf * */ 2669 long data; /* struct strbuf * */ 2670 long pri; 2671 long flags; 2672 } *uap = (struct a *)clwp->lwp_ap; 2673 2674 fd = (uint32_t)uap->fdes; 2675 pri = (uint32_t)uap->pri; 2676 flags = (uint32_t)uap->flags; 2677 2678 au_uwrite(au_to_arg32(1, "fd", fd)); 2679 2680 if ((fp = getf(fd)) != NULL) { 2681 fad = F2A(fp); 2682 2683 fad->fad_flags |= FAD_WRITE; 2684 2685 /* add path name to audit record */ 2686 if (fad->fad_aupath != NULL) { 2687 au_uwrite(au_to_path(fad->fad_aupath)); 2688 } 2689 audit_attributes(fp->f_vnode); 2690 2691 releasef(fd); 2692 } 2693 2694 2695 au_uwrite(au_to_arg32(4, "pri", pri)); 2696 au_uwrite(au_to_arg32(5, "flags", flags)); 2697 } 2698 2699 /*ARGSUSED*/ 2700 static void 2701 aus_getmsg(struct t_audit_data *tad) 2702 { 2703 klwp_t *clwp = ttolwp(curthread); 2704 uint32_t fd, pri; 2705 struct file *fp; 2706 struct f_audit_data *fad; 2707 2708 struct a { 2709 long fdes; 2710 long ctl; /* struct strbuf * */ 2711 long data; /* struct strbuf * */ 2712 long pri; 2713 } *uap = (struct a *)clwp->lwp_ap; 2714 2715 fd = (uint32_t)uap->fdes; 2716 pri = (uint32_t)uap->pri; 2717 2718 au_uwrite(au_to_arg32(1, "fd", fd)); 2719 2720 if ((fp = getf(fd)) != NULL) { 2721 fad = F2A(fp); 2722 2723 /* 2724 * read operation on this object 2725 */ 2726 fad->fad_flags |= FAD_READ; 2727 2728 /* add path name to audit record */ 2729 if (fad->fad_aupath != NULL) { 2730 au_uwrite(au_to_path(fad->fad_aupath)); 2731 } 2732 audit_attributes(fp->f_vnode); 2733 2734 releasef(fd); 2735 } 2736 2737 au_uwrite(au_to_arg32(4, "pri", pri)); 2738 } 2739 2740 /*ARGSUSED*/ 2741 static void 2742 aus_getpmsg(struct t_audit_data *tad) 2743 { 2744 klwp_t *clwp = ttolwp(curthread); 2745 uint32_t fd; 2746 struct file *fp; 2747 struct f_audit_data *fad; 2748 2749 struct a { 2750 long fdes; 2751 long ctl; /* struct strbuf * */ 2752 long data; /* struct strbuf * */ 2753 long pri; 2754 long flags; 2755 } *uap = (struct a *)clwp->lwp_ap; 2756 2757 fd = (uint32_t)uap->fdes; 2758 2759 au_uwrite(au_to_arg32(1, "fd", fd)); 2760 2761 if ((fp = getf(fd)) != NULL) { 2762 fad = F2A(fp); 2763 2764 /* 2765 * read operation on this object 2766 */ 2767 fad->fad_flags |= FAD_READ; 2768 2769 /* add path name to audit record */ 2770 if (fad->fad_aupath != NULL) { 2771 au_uwrite(au_to_path(fad->fad_aupath)); 2772 } 2773 audit_attributes(fp->f_vnode); 2774 2775 releasef(fd); 2776 } 2777 } 2778 2779 static au_event_t 2780 aui_labelsys(au_event_t e) 2781 { 2782 klwp_t *clwp = ttolwp(curthread); 2783 uint32_t code; 2784 uint32_t cmd; 2785 2786 struct a { 2787 long code; 2788 long cmd; 2789 } *uap = (struct a *)clwp->lwp_ap; 2790 2791 code = (uint32_t)uap->code; 2792 cmd = (uint32_t)uap->cmd; 2793 2794 /* not security relevant if not changing kernel cache */ 2795 if (cmd == TNDB_GET) 2796 return (AUE_NULL); 2797 2798 switch (code) { 2799 case TSOL_TNRH: 2800 e = AUE_LABELSYS_TNRH; 2801 break; 2802 case TSOL_TNRHTP: 2803 e = AUE_LABELSYS_TNRHTP; 2804 break; 2805 case TSOL_TNMLP: 2806 e = AUE_LABELSYS_TNMLP; 2807 break; 2808 default: 2809 e = AUE_NULL; 2810 break; 2811 } 2812 2813 return (e); 2814 2815 } 2816 2817 static void 2818 aus_labelsys(struct t_audit_data *tad) 2819 { 2820 klwp_t *clwp = ttolwp(curthread); 2821 uint32_t cmd; 2822 uintptr_t a2; 2823 2824 struct a { 2825 long code; 2826 long cmd; 2827 long a2; 2828 } *uap = (struct a *)clwp->lwp_ap; 2829 2830 cmd = (uint32_t)uap->cmd; 2831 a2 = (uintptr_t)uap->a2; 2832 2833 switch (tad->tad_event) { 2834 case AUE_LABELSYS_TNRH: 2835 { 2836 tsol_rhent_t *rhent; 2837 tnaddr_t *rh_addr; 2838 2839 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2840 2841 /* Remaining args don't apply for FLUSH, so skip */ 2842 if (cmd == TNDB_FLUSH) 2843 break; 2844 2845 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2846 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2847 kmem_free(rhent, sizeof (tsol_rhent_t)); 2848 return; 2849 } 2850 2851 rh_addr = &rhent->rh_address; 2852 if (rh_addr->ta_family == AF_INET) { 2853 struct in_addr *ipaddr; 2854 2855 ipaddr = &(rh_addr->ta_addr_v4); 2856 au_uwrite(au_to_in_addr(ipaddr)); 2857 } else if (rh_addr->ta_family == AF_INET6) { 2858 int32_t *ipaddr; 2859 2860 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2861 au_uwrite(au_to_in_addr_ex(ipaddr)); 2862 } 2863 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2864 2865 kmem_free(rhent, sizeof (tsol_rhent_t)); 2866 2867 break; 2868 } 2869 case AUE_LABELSYS_TNRHTP: 2870 { 2871 tsol_tpent_t *tpent; 2872 2873 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2874 2875 /* Remaining args don't apply for FLUSH, so skip */ 2876 if (cmd == TNDB_FLUSH) 2877 break; 2878 2879 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2880 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2881 kmem_free(tpent, sizeof (tsol_tpent_t)); 2882 return; 2883 } 2884 2885 /* Make sure that the template name is null-terminated. */ 2886 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2887 2888 au_uwrite(au_to_text(tpent->name)); 2889 kmem_free(tpent, sizeof (tsol_tpent_t)); 2890 2891 break; 2892 } 2893 case AUE_LABELSYS_TNMLP: 2894 { 2895 tsol_mlpent_t *mlpent; 2896 2897 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2898 2899 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2900 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2901 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2902 return; 2903 } 2904 2905 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2906 au_uwrite(au_to_text("shared")); 2907 } else { 2908 zone_t *zone; 2909 2910 zone = zone_find_by_id(mlpent->tsme_zoneid); 2911 if (zone != NULL) { 2912 au_uwrite(au_to_text(zone->zone_name)); 2913 zone_rele(zone); 2914 } 2915 } 2916 2917 /* Remaining args don't apply for FLUSH, so skip */ 2918 if (cmd == TNDB_FLUSH) { 2919 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2920 break; 2921 } 2922 2923 au_uwrite(au_to_arg32(2, "proto num", 2924 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2925 au_uwrite(au_to_arg32(2, "mlp_port", 2926 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2927 2928 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2929 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2930 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2931 2932 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2933 2934 break; 2935 } 2936 default: 2937 break; 2938 } 2939 } 2940 2941 2942 static au_event_t 2943 aui_auditsys(au_event_t e) 2944 { 2945 klwp_t *clwp = ttolwp(curthread); 2946 uint32_t code; 2947 2948 struct a { 2949 long code; 2950 long a1; 2951 long a2; 2952 long a3; 2953 long a4; 2954 long a5; 2955 long a6; 2956 long a7; 2957 } *uap = (struct a *)clwp->lwp_ap; 2958 2959 code = (uint32_t)uap->code; 2960 2961 switch (code) { 2962 2963 case BSM_GETAUID: 2964 e = AUE_GETAUID; 2965 break; 2966 case BSM_SETAUID: 2967 e = AUE_SETAUID; 2968 break; 2969 case BSM_GETAUDIT: 2970 e = AUE_GETAUDIT; 2971 break; 2972 case BSM_GETAUDIT_ADDR: 2973 e = AUE_GETAUDIT_ADDR; 2974 break; 2975 case BSM_SETAUDIT: 2976 e = AUE_SETAUDIT; 2977 break; 2978 case BSM_SETAUDIT_ADDR: 2979 e = AUE_SETAUDIT_ADDR; 2980 break; 2981 case BSM_AUDIT: 2982 e = AUE_AUDIT; 2983 break; 2984 case BSM_AUDITCTL: 2985 switch ((uint_t)uap->a1) { 2986 2987 case A_GETPOLICY: 2988 e = AUE_AUDITON_GPOLICY; 2989 break; 2990 case A_SETPOLICY: 2991 e = AUE_AUDITON_SPOLICY; 2992 break; 2993 case A_GETAMASK: 2994 e = AUE_AUDITON_GETAMASK; 2995 break; 2996 case A_SETAMASK: 2997 e = AUE_AUDITON_SETAMASK; 2998 break; 2999 case A_GETKMASK: 3000 e = AUE_AUDITON_GETKMASK; 3001 break; 3002 case A_SETKMASK: 3003 e = AUE_AUDITON_SETKMASK; 3004 break; 3005 case A_GETQCTRL: 3006 e = AUE_AUDITON_GQCTRL; 3007 break; 3008 case A_SETQCTRL: 3009 e = AUE_AUDITON_SQCTRL; 3010 break; 3011 case A_GETCWD: 3012 e = AUE_AUDITON_GETCWD; 3013 break; 3014 case A_GETCAR: 3015 e = AUE_AUDITON_GETCAR; 3016 break; 3017 case A_GETSTAT: 3018 e = AUE_AUDITON_GETSTAT; 3019 break; 3020 case A_SETSTAT: 3021 e = AUE_AUDITON_SETSTAT; 3022 break; 3023 case A_SETUMASK: 3024 e = AUE_AUDITON_SETUMASK; 3025 break; 3026 case A_SETSMASK: 3027 e = AUE_AUDITON_SETSMASK; 3028 break; 3029 case A_GETCOND: 3030 e = AUE_AUDITON_GETCOND; 3031 break; 3032 case A_SETCOND: 3033 e = AUE_AUDITON_SETCOND; 3034 break; 3035 case A_GETCLASS: 3036 e = AUE_AUDITON_GETCLASS; 3037 break; 3038 case A_SETCLASS: 3039 e = AUE_AUDITON_SETCLASS; 3040 break; 3041 default: 3042 e = AUE_NULL; 3043 break; 3044 } 3045 break; 3046 default: 3047 e = AUE_NULL; 3048 break; 3049 } 3050 3051 return (e); 3052 3053 } /* AUI_AUDITSYS */ 3054 3055 3056 static void 3057 aus_auditsys(struct t_audit_data *tad) 3058 { 3059 klwp_t *clwp = ttolwp(curthread); 3060 uintptr_t a1, a2; 3061 STRUCT_DECL(auditinfo, ainfo); 3062 STRUCT_DECL(auditinfo_addr, ainfo_addr); 3063 au_evclass_map_t event; 3064 au_mask_t mask; 3065 int auditstate, policy; 3066 au_id_t auid; 3067 3068 3069 struct a { 3070 long code; 3071 long a1; 3072 long a2; 3073 long a3; 3074 long a4; 3075 long a5; 3076 long a6; 3077 long a7; 3078 } *uap = (struct a *)clwp->lwp_ap; 3079 3080 a1 = (uintptr_t)uap->a1; 3081 a2 = (uintptr_t)uap->a2; 3082 3083 switch (tad->tad_event) { 3084 case AUE_SETAUID: 3085 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 3086 return; 3087 au_uwrite(au_to_arg32(2, "setauid", auid)); 3088 break; 3089 case AUE_SETAUDIT: 3090 STRUCT_INIT(ainfo, get_udatamodel()); 3091 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 3092 STRUCT_SIZE(ainfo))) { 3093 return; 3094 } 3095 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 3096 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 3097 #ifdef _LP64 3098 au_uwrite(au_to_arg64((char)1, "setaudit:port", 3099 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 3100 #else 3101 au_uwrite(au_to_arg32((char)1, "setaudit:port", 3102 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 3103 #endif 3104 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 3105 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 3106 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 3107 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3108 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 3109 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3110 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 3111 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 3112 break; 3113 case AUE_SETAUDIT_ADDR: 3114 STRUCT_INIT(ainfo_addr, get_udatamodel()); 3115 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 3116 STRUCT_SIZE(ainfo_addr))) { 3117 return; 3118 } 3119 au_uwrite(au_to_arg32((char)1, "auid", 3120 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 3121 #ifdef _LP64 3122 au_uwrite(au_to_arg64((char)1, "port", 3123 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3124 #else 3125 au_uwrite(au_to_arg32((char)1, "port", 3126 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 3127 #endif 3128 au_uwrite(au_to_arg32((char)1, "type", 3129 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 3130 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 3131 AU_IPv4) { 3132 au_uwrite(au_to_in_addr( 3133 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 3134 ai_termid.at_addr))); 3135 } else { 3136 au_uwrite(au_to_in_addr_ex( 3137 (int32_t *)STRUCT_FGETP(ainfo_addr, 3138 ai_termid.at_addr))); 3139 } 3140 au_uwrite(au_to_arg32((char)1, "as_success", 3141 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3142 au_uwrite(au_to_arg32((char)1, "as_failure", 3143 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3144 au_uwrite(au_to_arg32((char)1, "asid", 3145 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3146 break; 3147 case AUE_AUDITON_SETAMASK: 3148 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3149 return; 3150 au_uwrite(au_to_arg32( 3151 2, "setamask:as_success", (uint32_t)mask.as_success)); 3152 au_uwrite(au_to_arg32( 3153 2, "setamask:as_failure", (uint32_t)mask.as_failure)); 3154 break; 3155 case AUE_AUDITON_SETKMASK: 3156 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3157 return; 3158 au_uwrite(au_to_arg32( 3159 2, "setkmask:as_success", (uint32_t)mask.as_success)); 3160 au_uwrite(au_to_arg32( 3161 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 3162 break; 3163 case AUE_AUDITON_SPOLICY: 3164 if (copyin((caddr_t)a2, &policy, sizeof (int))) 3165 return; 3166 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3167 break; 3168 case AUE_AUDITON_SQCTRL: { 3169 STRUCT_DECL(au_qctrl, qctrl); 3170 model_t model; 3171 3172 model = get_udatamodel(); 3173 STRUCT_INIT(qctrl, model); 3174 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3175 return; 3176 if (model == DATAMODEL_ILP32) { 3177 au_uwrite(au_to_arg32( 3178 3, "setqctrl:aq_hiwater", 3179 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3180 au_uwrite(au_to_arg32( 3181 3, "setqctrl:aq_lowater", 3182 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3183 au_uwrite(au_to_arg32( 3184 3, "setqctrl:aq_bufsz", 3185 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3186 au_uwrite(au_to_arg32( 3187 3, "setqctrl:aq_delay", 3188 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3189 } else { 3190 au_uwrite(au_to_arg64( 3191 3, "setqctrl:aq_hiwater", 3192 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3193 au_uwrite(au_to_arg64( 3194 3, "setqctrl:aq_lowater", 3195 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3196 au_uwrite(au_to_arg64( 3197 3, "setqctrl:aq_bufsz", 3198 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3199 au_uwrite(au_to_arg64( 3200 3, "setqctrl:aq_delay", 3201 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3202 } 3203 break; 3204 } 3205 case AUE_AUDITON_SETUMASK: 3206 STRUCT_INIT(ainfo, get_udatamodel()); 3207 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3208 STRUCT_SIZE(ainfo))) { 3209 return; 3210 } 3211 au_uwrite(au_to_arg32(3, "setumask:as_success", 3212 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3213 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3214 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3215 break; 3216 case AUE_AUDITON_SETSMASK: 3217 STRUCT_INIT(ainfo, get_udatamodel()); 3218 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3219 STRUCT_SIZE(ainfo))) { 3220 return; 3221 } 3222 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3223 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3224 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3225 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3226 break; 3227 case AUE_AUDITON_SETCOND: 3228 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3229 return; 3230 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3231 break; 3232 case AUE_AUDITON_SETCLASS: 3233 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3234 return; 3235 au_uwrite(au_to_arg32( 3236 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3237 au_uwrite(au_to_arg32( 3238 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3239 break; 3240 case AUE_GETAUID: 3241 case AUE_GETAUDIT: 3242 case AUE_GETAUDIT_ADDR: 3243 case AUE_AUDIT: 3244 case AUE_AUDITON_GPOLICY: 3245 case AUE_AUDITON_GQCTRL: 3246 case AUE_AUDITON_GETAMASK: 3247 case AUE_AUDITON_GETKMASK: 3248 case AUE_AUDITON_GETCWD: 3249 case AUE_AUDITON_GETCAR: 3250 case AUE_AUDITON_GETSTAT: 3251 case AUE_AUDITON_SETSTAT: 3252 case AUE_AUDITON_GETCOND: 3253 case AUE_AUDITON_GETCLASS: 3254 break; 3255 default: 3256 break; 3257 } 3258 3259 } /* AUS_AUDITSYS */ 3260 3261 3262 /* only audit privileged operations for systeminfo(2) system call */ 3263 static au_event_t 3264 aui_sysinfo(au_event_t e) 3265 { 3266 klwp_t *clwp = ttolwp(curthread); 3267 uint32_t command; 3268 3269 struct a { 3270 long command; 3271 long buf; /* char * */ 3272 long count; 3273 } *uap = (struct a *)clwp->lwp_ap; 3274 3275 command = (uint32_t)uap->command; 3276 3277 switch (command) { 3278 case SI_SET_HOSTNAME: 3279 case SI_SET_SRPC_DOMAIN: 3280 e = (au_event_t)AUE_SYSINFO; 3281 break; 3282 default: 3283 e = (au_event_t)AUE_NULL; 3284 break; 3285 } 3286 return (e); 3287 } 3288 3289 /*ARGSUSED*/ 3290 static void 3291 aus_sysinfo(struct t_audit_data *tad) 3292 { 3293 klwp_t *clwp = ttolwp(curthread); 3294 uint32_t command; 3295 size_t len, maxlen; 3296 char *name; 3297 uintptr_t buf; 3298 3299 struct a { 3300 long command; 3301 long buf; /* char * */ 3302 long count; 3303 } *uap = (struct a *)clwp->lwp_ap; 3304 3305 command = (uint32_t)uap->command; 3306 buf = (uintptr_t)uap->buf; 3307 3308 au_uwrite(au_to_arg32(1, "cmd", command)); 3309 3310 switch (command) { 3311 case SI_SET_HOSTNAME: 3312 { 3313 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3314 return; 3315 3316 maxlen = SYS_NMLN; 3317 name = kmem_alloc(maxlen, KM_SLEEP); 3318 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3319 break; 3320 3321 /* 3322 * Must be non-NULL string and string 3323 * must be less than SYS_NMLN chars. 3324 */ 3325 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3326 break; 3327 3328 au_uwrite(au_to_text(name)); 3329 break; 3330 } 3331 3332 case SI_SET_SRPC_DOMAIN: 3333 { 3334 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3335 return; 3336 3337 maxlen = SYS_NMLN; 3338 name = kmem_alloc(maxlen, KM_SLEEP); 3339 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3340 break; 3341 3342 /* 3343 * If string passed in is longer than length 3344 * allowed for domain name, fail. 3345 */ 3346 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3347 break; 3348 3349 au_uwrite(au_to_text(name)); 3350 break; 3351 } 3352 3353 default: 3354 return; 3355 } 3356 3357 kmem_free(name, maxlen); 3358 } 3359 3360 static au_event_t 3361 aui_modctl(au_event_t e) 3362 { 3363 klwp_t *clwp = ttolwp(curthread); 3364 uint_t cmd; 3365 3366 struct a { 3367 long cmd; 3368 } *uap = (struct a *)clwp->lwp_ap; 3369 3370 cmd = (uint_t)uap->cmd; 3371 3372 switch (cmd) { 3373 case MODLOAD: 3374 e = AUE_MODLOAD; 3375 break; 3376 case MODUNLOAD: 3377 e = AUE_MODUNLOAD; 3378 break; 3379 case MODADDMAJBIND: 3380 e = AUE_MODADDMAJ; 3381 break; 3382 case MODSETDEVPOLICY: 3383 e = AUE_MODDEVPLCY; 3384 break; 3385 case MODALLOCPRIV: 3386 e = AUE_MODADDPRIV; 3387 break; 3388 default: 3389 e = AUE_NULL; 3390 break; 3391 } 3392 return (e); 3393 } 3394 3395 3396 /*ARGSUSED*/ 3397 static void 3398 aus_modctl(struct t_audit_data *tad) 3399 { 3400 klwp_t *clwp = ttolwp(curthread); 3401 void *a = clwp->lwp_ap; 3402 uint_t use_path; 3403 3404 switch (tad->tad_event) { 3405 case AUE_MODLOAD: { 3406 typedef struct { 3407 long cmd; 3408 long use_path; 3409 long filename; /* char * */ 3410 } modloada_t; 3411 3412 char *filenamep; 3413 uintptr_t fname; 3414 extern char *default_path; 3415 3416 fname = (uintptr_t)((modloada_t *)a)->filename; 3417 use_path = (uint_t)((modloada_t *)a)->use_path; 3418 3419 /* space to hold path */ 3420 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3421 /* get string */ 3422 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3423 /* free allocated path */ 3424 kmem_free(filenamep, MOD_MAXPATH); 3425 return; 3426 } 3427 /* ensure it's null terminated */ 3428 filenamep[MOD_MAXPATH - 1] = 0; 3429 3430 if (use_path) 3431 au_uwrite(au_to_text(default_path)); 3432 au_uwrite(au_to_text(filenamep)); 3433 3434 /* release temporary memory */ 3435 kmem_free(filenamep, MOD_MAXPATH); 3436 break; 3437 } 3438 case AUE_MODUNLOAD: { 3439 typedef struct { 3440 long cmd; 3441 long id; 3442 } modunloada_t; 3443 3444 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3445 3446 au_uwrite(au_to_arg32(1, "id", id)); 3447 break; 3448 } 3449 case AUE_MODADDMAJ: { 3450 STRUCT_DECL(modconfig, mc); 3451 typedef struct { 3452 long cmd; 3453 long subcmd; 3454 long data; /* int * */ 3455 } modconfiga_t; 3456 3457 STRUCT_DECL(aliases, alias); 3458 caddr_t ap; 3459 int i, num_aliases; 3460 char *drvname, *mc_drvname; 3461 char *name; 3462 extern char *ddi_major_to_name(major_t); 3463 model_t model; 3464 3465 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3466 3467 model = get_udatamodel(); 3468 STRUCT_INIT(mc, model); 3469 /* sanitize buffer */ 3470 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3471 /* get user arguments */ 3472 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3473 STRUCT_SIZE(mc)) != 0) 3474 return; 3475 3476 mc_drvname = STRUCT_FGET(mc, drvname); 3477 if ((drvname = ddi_major_to_name( 3478 (major_t)STRUCT_FGET(mc, major))) != NULL && 3479 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3480 /* safety */ 3481 if (mc_drvname[0] != '\0') { 3482 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3483 au_uwrite(au_to_text(mc_drvname)); 3484 } 3485 /* drvname != NULL from test above */ 3486 au_uwrite(au_to_text(drvname)); 3487 return; 3488 } 3489 3490 if (mc_drvname[0] != '\0') { 3491 /* safety */ 3492 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3493 au_uwrite(au_to_text(mc_drvname)); 3494 } else 3495 au_uwrite(au_to_text("no drvname")); 3496 3497 num_aliases = STRUCT_FGET(mc, num_aliases); 3498 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3499 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3500 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3501 STRUCT_INIT(alias, model); 3502 for (i = 0; i < num_aliases; i++) { 3503 bzero((caddr_t)STRUCT_BUF(alias), 3504 STRUCT_SIZE(alias)); 3505 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3506 STRUCT_SIZE(alias)) != 0) 3507 break; 3508 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3509 MAXMODCONFNAME, NULL) != 0) { 3510 break; 3511 } 3512 3513 au_uwrite(au_to_text(name)); 3514 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3515 } 3516 kmem_free(name, MAXMODCONFNAME); 3517 break; 3518 } 3519 default: 3520 break; 3521 } 3522 } 3523 3524 3525 /*ARGSUSED*/ 3526 static void 3527 auf_accept( 3528 struct t_audit_data *tad, 3529 int error, 3530 rval_t *rval) 3531 { 3532 uint32_t scid; 3533 uint32_t sy_flags; 3534 int fd; 3535 struct sonode *so; 3536 char so_laddr[sizeof (struct sockaddr_in6)]; 3537 char so_faddr[sizeof (struct sockaddr_in6)]; 3538 int err; 3539 short so_family, so_type; 3540 int add_sock_token = 0; 3541 3542 /* need to determine type of executing binary */ 3543 scid = tad->tad_scid; 3544 #ifdef _SYSCALL32_IMPL 3545 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3546 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3547 else 3548 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3549 #else 3550 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3551 #endif 3552 switch (sy_flags) { 3553 case SE_32RVAL1: 3554 /* FALLTHRU */ 3555 case SE_32RVAL2|SE_32RVAL1: 3556 fd = rval->r_val1; 3557 break; 3558 case SE_64RVAL: 3559 fd = (int)rval->r_vals; 3560 break; 3561 default: 3562 /* 3563 * should never happen, seems to be an internal error 3564 * in sysent => no fd, nothing to audit here, returning 3565 */ 3566 return; 3567 } 3568 3569 if (error) { 3570 /* can't trust socket contents. Just return */ 3571 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3572 return; 3573 } 3574 3575 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3576 /* 3577 * not security relevant if doing a accept from non socket 3578 * so no extra tokens. Should probably turn off audit record 3579 * generation here. 3580 */ 3581 return; 3582 } 3583 3584 so_family = so->so_family; 3585 so_type = so->so_type; 3586 3587 switch (so_family) { 3588 case AF_INET: 3589 case AF_INET6: 3590 /* 3591 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3592 */ 3593 if (so->so_type == SOCK_STREAM) { 3594 socklen_t len; 3595 3596 bzero((void *)so_laddr, sizeof (so_laddr)); 3597 bzero((void *)so_faddr, sizeof (so_faddr)); 3598 3599 len = sizeof (so_laddr); 3600 (void) socket_getsockname(so, 3601 (struct sockaddr *)so_laddr, &len, CRED()); 3602 len = sizeof (so_faddr); 3603 (void) socket_getpeername(so, 3604 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3605 3606 add_sock_token = 1; 3607 } 3608 break; 3609 3610 default: 3611 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3612 break; 3613 } 3614 3615 releasef(fd); 3616 3617 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3618 3619 if (add_sock_token == 0) { 3620 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3621 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3622 return; 3623 } 3624 3625 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3626 3627 } 3628 3629 /*ARGSUSED*/ 3630 static void 3631 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3632 { 3633 struct a { 3634 long fd; 3635 long addr; 3636 long len; 3637 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3638 3639 struct sonode *so; 3640 char so_laddr[sizeof (struct sockaddr_in6)]; 3641 char so_faddr[sizeof (struct sockaddr_in6)]; 3642 int err, fd; 3643 socklen_t len; 3644 short so_family, so_type; 3645 int add_sock_token = 0; 3646 3647 fd = (int)uap->fd; 3648 3649 /* 3650 * bind failed, then nothing extra to add to audit record. 3651 */ 3652 if (error) { 3653 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3654 /* XXX may want to add failed address some day */ 3655 return; 3656 } 3657 3658 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3659 /* 3660 * not security relevant if doing a bind from non socket 3661 * so no extra tokens. Should probably turn off audit record 3662 * generation here. 3663 */ 3664 return; 3665 } 3666 3667 so_family = so->so_family; 3668 so_type = so->so_type; 3669 3670 switch (so_family) { 3671 case AF_INET: 3672 case AF_INET6: 3673 3674 bzero(so_faddr, sizeof (so_faddr)); 3675 len = sizeof (so_faddr); 3676 3677 (void) socket_getpeername(so, 3678 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3679 add_sock_token = 1; 3680 3681 break; 3682 3683 case AF_UNIX: 3684 /* token added by lookup */ 3685 break; 3686 default: 3687 /* AF_ROUTE, AF_KEY do not support accept */ 3688 break; 3689 } 3690 3691 releasef(fd); 3692 3693 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3694 3695 if (add_sock_token == 0) { 3696 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3697 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3698 return; 3699 } 3700 3701 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3702 3703 } 3704 3705 /*ARGSUSED*/ 3706 static void 3707 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3708 { 3709 struct a { 3710 long fd; 3711 long addr; 3712 long len; 3713 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3714 3715 struct sonode *so; 3716 char so_laddr[sizeof (struct sockaddr_in6)]; 3717 char so_faddr[sizeof (struct sockaddr_in6)]; 3718 int err, fd; 3719 socklen_t len; 3720 short so_family, so_type; 3721 int add_sock_token = 0; 3722 3723 fd = (int)uap->fd; 3724 3725 3726 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3727 /* 3728 * not security relevant if doing a connect from non socket 3729 * so no extra tokens. Should probably turn off audit record 3730 * generation here. 3731 */ 3732 return; 3733 } 3734 3735 so_family = so->so_family; 3736 so_type = so->so_type; 3737 3738 switch (so_family) { 3739 case AF_INET: 3740 case AF_INET6: 3741 3742 bzero(so_laddr, sizeof (so_laddr)); 3743 bzero(so_faddr, sizeof (so_faddr)); 3744 3745 len = sizeof (so_laddr); 3746 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3747 &len, CRED()); 3748 if (error) { 3749 if (uap->addr == NULL) 3750 break; 3751 if (uap->len <= 0) 3752 break; 3753 len = min(uap->len, sizeof (so_faddr)); 3754 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3755 break; 3756 #ifdef NOTYET 3757 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3758 #endif 3759 } else { 3760 /* sanity check on length */ 3761 len = sizeof (so_faddr); 3762 (void) socket_getpeername(so, 3763 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3764 } 3765 3766 add_sock_token = 1; 3767 3768 break; 3769 3770 case AF_UNIX: 3771 /* does a lookup on name */ 3772 break; 3773 3774 default: 3775 /* AF_ROUTE, AF_KEY do not support accept */ 3776 break; 3777 } 3778 3779 releasef(fd); 3780 3781 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3782 3783 if (add_sock_token == 0) { 3784 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3785 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3786 return; 3787 } 3788 3789 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3790 3791 } 3792 3793 /*ARGSUSED*/ 3794 static void 3795 aus_shutdown(struct t_audit_data *tad) 3796 { 3797 struct a { 3798 long fd; 3799 long how; 3800 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3801 3802 struct sonode *so; 3803 char so_laddr[sizeof (struct sockaddr_in6)]; 3804 char so_faddr[sizeof (struct sockaddr_in6)]; 3805 int err, fd; 3806 socklen_t len; 3807 short so_family, so_type; 3808 int add_sock_token = 0; 3809 file_t *fp; /* unix domain sockets */ 3810 struct f_audit_data *fad; /* unix domain sockets */ 3811 3812 fd = (int)uap->fd; 3813 3814 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3815 /* 3816 * not security relevant if doing a shutdown using non socket 3817 * so no extra tokens. Should probably turn off audit record 3818 * generation here. 3819 */ 3820 return; 3821 } 3822 3823 so_family = so->so_family; 3824 so_type = so->so_type; 3825 3826 switch (so_family) { 3827 case AF_INET: 3828 case AF_INET6: 3829 3830 bzero(so_laddr, sizeof (so_laddr)); 3831 bzero(so_faddr, sizeof (so_faddr)); 3832 3833 len = sizeof (so_laddr); 3834 (void) socket_getsockname(so, 3835 (struct sockaddr *)so_laddr, &len, CRED()); 3836 len = sizeof (so_faddr); 3837 (void) socket_getpeername(so, 3838 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3839 3840 add_sock_token = 1; 3841 3842 break; 3843 3844 case AF_UNIX: 3845 3846 /* get path from file struct here */ 3847 fad = F2A(fp); 3848 ASSERT(fad); 3849 3850 if (fad->fad_aupath != NULL) { 3851 au_uwrite(au_to_path(fad->fad_aupath)); 3852 } else { 3853 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3854 } 3855 3856 audit_attributes(fp->f_vnode); 3857 3858 break; 3859 3860 default: 3861 /* 3862 * AF_KEY and AF_ROUTE support shutdown. No socket token 3863 * added. 3864 */ 3865 break; 3866 } 3867 3868 releasef(fd); 3869 3870 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3871 3872 if (add_sock_token == 0) { 3873 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3874 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3875 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3876 return; 3877 } 3878 3879 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3880 3881 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3882 3883 } 3884 3885 /*ARGSUSED*/ 3886 static void 3887 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3888 { 3889 struct a { 3890 long fd; 3891 long level; 3892 long optname; 3893 long *optval; 3894 long optlen; 3895 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3896 3897 struct sonode *so; 3898 char so_laddr[sizeof (struct sockaddr_in6)]; 3899 char so_faddr[sizeof (struct sockaddr_in6)]; 3900 char val[AU_BUFSIZE]; 3901 int err, fd; 3902 socklen_t len; 3903 short so_family, so_type; 3904 int add_sock_token = 0; 3905 file_t *fp; /* unix domain sockets */ 3906 struct f_audit_data *fad; /* unix domain sockets */ 3907 3908 fd = (int)uap->fd; 3909 3910 if (error) { 3911 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3912 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3913 /* XXX may want to include other arguments */ 3914 return; 3915 } 3916 3917 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3918 /* 3919 * not security relevant if doing a setsockopt from non socket 3920 * so no extra tokens. Should probably turn off audit record 3921 * generation here. 3922 */ 3923 return; 3924 } 3925 3926 so_family = so->so_family; 3927 so_type = so->so_type; 3928 3929 switch (so_family) { 3930 case AF_INET: 3931 case AF_INET6: 3932 bzero((void *)so_laddr, sizeof (so_laddr)); 3933 bzero((void *)so_faddr, sizeof (so_faddr)); 3934 3935 /* get local and foreign addresses */ 3936 len = sizeof (so_laddr); 3937 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3938 &len, CRED()); 3939 len = sizeof (so_faddr); 3940 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3941 &len, B_FALSE, CRED()); 3942 3943 add_sock_token = 1; 3944 3945 break; 3946 3947 case AF_UNIX: 3948 3949 /* get path from file struct here */ 3950 fad = F2A(fp); 3951 ASSERT(fad); 3952 3953 if (fad->fad_aupath != NULL) { 3954 au_uwrite(au_to_path(fad->fad_aupath)); 3955 } else { 3956 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3957 } 3958 3959 audit_attributes(fp->f_vnode); 3960 3961 break; 3962 3963 default: 3964 /* 3965 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3966 * added. 3967 */ 3968 break; 3969 } 3970 3971 releasef(fd); 3972 3973 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3974 3975 if (add_sock_token == 0) { 3976 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3977 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3978 } 3979 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3980 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3981 3982 bzero(val, sizeof (val)); 3983 len = min(uap->optlen, sizeof (val)); 3984 if ((len > 0) && 3985 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3986 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3987 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3988 } 3989 3990 if (add_sock_token == 0) 3991 return; 3992 3993 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3994 3995 } 3996 3997 /*ARGSUSED*/ 3998 static void 3999 aus_sockconfig(tad) 4000 struct t_audit_data *tad; 4001 { 4002 struct a { 4003 long cmd; 4004 long arg1; 4005 long arg2; 4006 long arg3; 4007 long arg4; 4008 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4009 4010 char *buf; 4011 int buflen; 4012 size_t size; 4013 4014 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4015 switch (uap->cmd) { 4016 case SOCKCONFIG_ADD_SOCK: 4017 case SOCKCONFIG_REMOVE_SOCK: 4018 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1)); 4019 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2)); 4020 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3)); 4021 4022 if (uap->arg4 == 0) { 4023 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0)); 4024 } else { 4025 buflen = MAXPATHLEN + 1; 4026 buf = kmem_alloc(buflen, KM_SLEEP); 4027 if (copyinstr((caddr_t)uap->arg4, buf, buflen, 4028 &size)) { 4029 kmem_free(buf, buflen); 4030 return; 4031 } 4032 4033 if (size > MAXPATHLEN) { 4034 kmem_free(buf, buflen); 4035 return; 4036 } 4037 4038 au_uwrite(au_to_text(buf)); 4039 kmem_free(buf, buflen); 4040 } 4041 break; 4042 case SOCKCONFIG_ADD_FILTER: 4043 case SOCKCONFIG_REMOVE_FILTER: 4044 buflen = FILNAME_MAX; 4045 buf = kmem_alloc(buflen, KM_SLEEP); 4046 4047 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) { 4048 kmem_free(buf, buflen); 4049 return; 4050 } 4051 4052 au_uwrite(au_to_text(buf)); 4053 kmem_free(buf, buflen); 4054 break; 4055 default: 4056 break; 4057 } 4058 } 4059 4060 /* 4061 * only audit recvmsg when the system call represents the creation of a new 4062 * circuit. This effectively occurs for all UDP packets and may occur for 4063 * special TCP situations where the local host has not set a local address 4064 * in the socket structure. 4065 */ 4066 /*ARGSUSED*/ 4067 static void 4068 auf_recvmsg( 4069 struct t_audit_data *tad, 4070 int error, 4071 rval_t *rvp) 4072 { 4073 struct a { 4074 long fd; 4075 long msg; /* struct msghdr */ 4076 long flags; 4077 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4078 4079 struct sonode *so; 4080 STRUCT_DECL(msghdr, msg); 4081 caddr_t msg_name; 4082 socklen_t msg_namelen; 4083 int fd; 4084 int err; 4085 char so_laddr[sizeof (struct sockaddr_in6)]; 4086 char so_faddr[sizeof (struct sockaddr_in6)]; 4087 socklen_t len; 4088 file_t *fp; /* unix domain sockets */ 4089 struct f_audit_data *fad; /* unix domain sockets */ 4090 short so_family, so_type; 4091 int add_sock_token = 0; 4092 au_kcontext_t *kctx = GET_KCTX_PZ; 4093 4094 fd = (int)uap->fd; 4095 4096 /* bail if an error */ 4097 if (error) { 4098 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4099 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4100 return; 4101 } 4102 4103 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4104 /* 4105 * not security relevant if doing a recvmsg from non socket 4106 * so no extra tokens. Should probably turn off audit record 4107 * generation here. 4108 */ 4109 return; 4110 } 4111 4112 so_family = so->so_family; 4113 so_type = so->so_type; 4114 4115 /* 4116 * only putout SOCKET_EX token if INET/INET6 family. 4117 * XXX - what do we do about other families? 4118 */ 4119 4120 switch (so_family) { 4121 case AF_INET: 4122 case AF_INET6: 4123 4124 /* 4125 * if datagram type socket, then just use what is in 4126 * socket structure for local address. 4127 * XXX - what do we do for other types? 4128 */ 4129 if ((so->so_type == SOCK_DGRAM) || 4130 (so->so_type == SOCK_RAW)) { 4131 add_sock_token = 1; 4132 4133 bzero((void *)so_laddr, sizeof (so_laddr)); 4134 bzero((void *)so_faddr, sizeof (so_faddr)); 4135 4136 /* get local address */ 4137 len = sizeof (so_laddr); 4138 (void) socket_getsockname(so, 4139 (struct sockaddr *)so_laddr, &len, CRED()); 4140 4141 /* get peer address */ 4142 STRUCT_INIT(msg, get_udatamodel()); 4143 4144 if (copyin((caddr_t)(uap->msg), 4145 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4146 break; 4147 } 4148 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4149 if (msg_name == NULL) { 4150 break; 4151 } 4152 4153 /* length is value from recvmsg - sanity check */ 4154 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4155 if (msg_namelen == 0) { 4156 break; 4157 } 4158 if (copyin(msg_name, so_faddr, 4159 sizeof (so_faddr)) != 0) { 4160 break; 4161 } 4162 4163 } else if (so->so_type == SOCK_STREAM) { 4164 4165 /* get path from file struct here */ 4166 fad = F2A(fp); 4167 ASSERT(fad); 4168 4169 /* 4170 * already processed this file for read attempt 4171 */ 4172 if (fad->fad_flags & FAD_READ) { 4173 /* don't want to audit every recvmsg attempt */ 4174 tad->tad_flag = 0; 4175 /* free any residual audit data */ 4176 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4177 releasef(fd); 4178 return; 4179 } 4180 /* 4181 * mark things so we know what happened and don't 4182 * repeat things 4183 */ 4184 fad->fad_flags |= FAD_READ; 4185 4186 bzero((void *)so_laddr, sizeof (so_laddr)); 4187 bzero((void *)so_faddr, sizeof (so_faddr)); 4188 4189 /* get local and foreign addresses */ 4190 len = sizeof (so_laddr); 4191 (void) socket_getsockname(so, 4192 (struct sockaddr *)so_laddr, &len, CRED()); 4193 len = sizeof (so_faddr); 4194 (void) socket_getpeername(so, 4195 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4196 4197 add_sock_token = 1; 4198 } 4199 4200 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4201 4202 break; 4203 4204 case AF_UNIX: 4205 /* 4206 * first check if this is first time through. Too much 4207 * duplicate code to put this in an aui_ routine. 4208 */ 4209 4210 /* get path from file struct here */ 4211 fad = F2A(fp); 4212 ASSERT(fad); 4213 4214 /* 4215 * already processed this file for read attempt 4216 */ 4217 if (fad->fad_flags & FAD_READ) { 4218 releasef(fd); 4219 /* don't want to audit every recvmsg attempt */ 4220 tad->tad_flag = 0; 4221 /* free any residual audit data */ 4222 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4223 return; 4224 } 4225 /* 4226 * mark things so we know what happened and don't 4227 * repeat things 4228 */ 4229 fad->fad_flags |= FAD_READ; 4230 4231 if (fad->fad_aupath != NULL) { 4232 au_uwrite(au_to_path(fad->fad_aupath)); 4233 } else { 4234 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4235 } 4236 4237 audit_attributes(fp->f_vnode); 4238 4239 releasef(fd); 4240 4241 return; 4242 4243 default: 4244 break; 4245 4246 } 4247 4248 releasef(fd); 4249 4250 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4251 4252 if (add_sock_token == 0) { 4253 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4254 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4255 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4256 return; 4257 } 4258 4259 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4260 4261 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4262 4263 } 4264 4265 /*ARGSUSED*/ 4266 static void 4267 auf_recvfrom( 4268 struct t_audit_data *tad, 4269 int error, 4270 rval_t *rvp) 4271 { 4272 4273 struct a { 4274 long fd; 4275 long msg; /* char */ 4276 long len; 4277 long flags; 4278 long from; /* struct sockaddr */ 4279 long fromlen; 4280 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4281 4282 socklen_t fromlen; 4283 struct sonode *so; 4284 char so_laddr[sizeof (struct sockaddr_in6)]; 4285 char so_faddr[sizeof (struct sockaddr_in6)]; 4286 int fd; 4287 short so_family, so_type; 4288 int add_sock_token = 0; 4289 socklen_t len; 4290 int err; 4291 struct file *fp; 4292 struct f_audit_data *fad; /* unix domain sockets */ 4293 au_kcontext_t *kctx = GET_KCTX_PZ; 4294 4295 fd = (int)uap->fd; 4296 4297 /* bail if an error */ 4298 if (error) { 4299 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4300 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4301 return; 4302 } 4303 4304 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4305 /* 4306 * not security relevant if doing a recvmsg from non socket 4307 * so no extra tokens. Should probably turn off audit record 4308 * generation here. 4309 */ 4310 return; 4311 } 4312 4313 so_family = so->so_family; 4314 so_type = so->so_type; 4315 4316 /* 4317 * only putout SOCKET_EX token if INET/INET6 family. 4318 * XXX - what do we do about other families? 4319 */ 4320 4321 switch (so_family) { 4322 case AF_INET: 4323 case AF_INET6: 4324 4325 /* 4326 * if datagram type socket, then just use what is in 4327 * socket structure for local address. 4328 * XXX - what do we do for other types? 4329 */ 4330 if ((so->so_type == SOCK_DGRAM) || 4331 (so->so_type == SOCK_RAW)) { 4332 add_sock_token = 1; 4333 4334 /* get local address */ 4335 len = sizeof (so_laddr); 4336 (void) socket_getsockname(so, 4337 (struct sockaddr *)so_laddr, &len, CRED()); 4338 4339 /* get peer address */ 4340 bzero((void *)so_faddr, sizeof (so_faddr)); 4341 4342 /* sanity check */ 4343 if (uap->from == NULL) 4344 break; 4345 4346 /* sanity checks */ 4347 if (uap->fromlen == 0) 4348 break; 4349 4350 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4351 sizeof (fromlen)) != 0) 4352 break; 4353 4354 if (fromlen == 0) 4355 break; 4356 4357 /* enforce maximum size */ 4358 if (fromlen > sizeof (so_faddr)) 4359 fromlen = sizeof (so_faddr); 4360 4361 if (copyin((caddr_t)(uap->from), so_faddr, 4362 fromlen) != 0) 4363 break; 4364 4365 } else if (so->so_type == SOCK_STREAM) { 4366 4367 /* get path from file struct here */ 4368 fad = F2A(fp); 4369 ASSERT(fad); 4370 4371 /* 4372 * already processed this file for read attempt 4373 */ 4374 if (fad->fad_flags & FAD_READ) { 4375 /* don't want to audit every recvfrom attempt */ 4376 tad->tad_flag = 0; 4377 /* free any residual audit data */ 4378 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4379 releasef(fd); 4380 return; 4381 } 4382 /* 4383 * mark things so we know what happened and don't 4384 * repeat things 4385 */ 4386 fad->fad_flags |= FAD_READ; 4387 4388 bzero((void *)so_laddr, sizeof (so_laddr)); 4389 bzero((void *)so_faddr, sizeof (so_faddr)); 4390 4391 /* get local and foreign addresses */ 4392 len = sizeof (so_laddr); 4393 (void) socket_getsockname(so, 4394 (struct sockaddr *)so_laddr, &len, CRED()); 4395 len = sizeof (so_faddr); 4396 (void) socket_getpeername(so, 4397 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4398 4399 add_sock_token = 1; 4400 } 4401 4402 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4403 4404 break; 4405 4406 case AF_UNIX: 4407 /* 4408 * first check if this is first time through. Too much 4409 * duplicate code to put this in an aui_ routine. 4410 */ 4411 4412 /* get path from file struct here */ 4413 fad = F2A(fp); 4414 ASSERT(fad); 4415 4416 /* 4417 * already processed this file for read attempt 4418 */ 4419 if (fad->fad_flags & FAD_READ) { 4420 /* don't want to audit every recvfrom attempt */ 4421 tad->tad_flag = 0; 4422 /* free any residual audit data */ 4423 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4424 releasef(fd); 4425 return; 4426 } 4427 /* 4428 * mark things so we know what happened and don't 4429 * repeat things 4430 */ 4431 fad->fad_flags |= FAD_READ; 4432 4433 if (fad->fad_aupath != NULL) { 4434 au_uwrite(au_to_path(fad->fad_aupath)); 4435 } else { 4436 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4437 } 4438 4439 audit_attributes(fp->f_vnode); 4440 4441 releasef(fd); 4442 4443 return; 4444 4445 default: 4446 break; 4447 4448 } 4449 4450 releasef(fd); 4451 4452 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4453 4454 if (add_sock_token == 0) { 4455 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4456 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4457 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4458 return; 4459 } 4460 4461 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4462 4463 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4464 } 4465 4466 /*ARGSUSED*/ 4467 static void 4468 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4469 { 4470 struct a { 4471 long fd; 4472 long msg; /* struct msghdr */ 4473 long flags; 4474 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4475 4476 struct sonode *so; 4477 char so_laddr[sizeof (struct sockaddr_in6)]; 4478 char so_faddr[sizeof (struct sockaddr_in6)]; 4479 int err; 4480 int fd; 4481 short so_family, so_type; 4482 int add_sock_token = 0; 4483 socklen_t len; 4484 struct file *fp; 4485 struct f_audit_data *fad; 4486 caddr_t msg_name; 4487 socklen_t msg_namelen; 4488 STRUCT_DECL(msghdr, msg); 4489 au_kcontext_t *kctx = GET_KCTX_PZ; 4490 4491 fd = (int)uap->fd; 4492 4493 /* bail if an error */ 4494 if (error) { 4495 /* XXX include destination address from system call arguments */ 4496 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4497 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4498 return; 4499 } 4500 4501 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4502 /* 4503 * not security relevant if doing a sendmsg from non socket 4504 * so no extra tokens. Should probably turn off audit record 4505 * generation here. 4506 */ 4507 return; 4508 } 4509 4510 so_family = so->so_family; 4511 so_type = so->so_type; 4512 4513 switch (so_family) { 4514 case AF_INET: 4515 case AF_INET6: 4516 /* 4517 * if datagram type socket, then just use what is in 4518 * socket structure for local address. 4519 * XXX - what do we do for other types? 4520 */ 4521 if ((so->so_type == SOCK_DGRAM) || 4522 (so->so_type == SOCK_RAW)) { 4523 4524 bzero((void *)so_laddr, sizeof (so_laddr)); 4525 bzero((void *)so_faddr, sizeof (so_faddr)); 4526 4527 /* get local address */ 4528 len = sizeof (so_laddr); 4529 (void) socket_getsockname(so, 4530 (struct sockaddr *)so_laddr, &len, CRED()); 4531 4532 /* get peer address */ 4533 STRUCT_INIT(msg, get_udatamodel()); 4534 4535 if (copyin((caddr_t)(uap->msg), 4536 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4537 break; 4538 } 4539 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4540 if (msg_name == NULL) 4541 break; 4542 4543 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4544 /* length is value from recvmsg - sanity check */ 4545 if (msg_namelen == 0) 4546 break; 4547 4548 if (copyin(msg_name, so_faddr, 4549 sizeof (so_faddr)) != 0) 4550 break; 4551 4552 add_sock_token = 1; 4553 4554 } else if (so->so_type == SOCK_STREAM) { 4555 4556 /* get path from file struct here */ 4557 fad = F2A(fp); 4558 ASSERT(fad); 4559 4560 /* 4561 * already processed this file for write attempt 4562 */ 4563 if (fad->fad_flags & FAD_WRITE) { 4564 releasef(fd); 4565 /* don't want to audit every sendmsg attempt */ 4566 tad->tad_flag = 0; 4567 /* free any residual audit data */ 4568 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4569 return; 4570 } 4571 4572 /* 4573 * mark things so we know what happened and don't 4574 * repeat things 4575 */ 4576 fad->fad_flags |= FAD_WRITE; 4577 4578 bzero((void *)so_laddr, sizeof (so_laddr)); 4579 bzero((void *)so_faddr, sizeof (so_faddr)); 4580 4581 /* get local and foreign addresses */ 4582 len = sizeof (so_laddr); 4583 (void) socket_getsockname(so, 4584 (struct sockaddr *)so_laddr, &len, CRED()); 4585 len = sizeof (so_faddr); 4586 (void) socket_getpeername(so, 4587 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4588 4589 add_sock_token = 1; 4590 } 4591 4592 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4593 4594 break; 4595 4596 case AF_UNIX: 4597 /* 4598 * first check if this is first time through. Too much 4599 * duplicate code to put this in an aui_ routine. 4600 */ 4601 4602 /* get path from file struct here */ 4603 fad = F2A(fp); 4604 ASSERT(fad); 4605 4606 /* 4607 * already processed this file for write attempt 4608 */ 4609 if (fad->fad_flags & FAD_WRITE) { 4610 releasef(fd); 4611 /* don't want to audit every sendmsg attempt */ 4612 tad->tad_flag = 0; 4613 /* free any residual audit data */ 4614 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4615 return; 4616 } 4617 /* 4618 * mark things so we know what happened and don't 4619 * repeat things 4620 */ 4621 fad->fad_flags |= FAD_WRITE; 4622 4623 if (fad->fad_aupath != NULL) { 4624 au_uwrite(au_to_path(fad->fad_aupath)); 4625 } else { 4626 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4627 } 4628 4629 audit_attributes(fp->f_vnode); 4630 4631 releasef(fd); 4632 4633 return; 4634 4635 default: 4636 break; 4637 } 4638 4639 releasef(fd); 4640 4641 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4642 4643 if (add_sock_token == 0) { 4644 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4645 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4646 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4647 return; 4648 } 4649 4650 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4651 4652 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4653 } 4654 4655 /*ARGSUSED*/ 4656 static void 4657 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4658 { 4659 struct a { 4660 long fd; 4661 long msg; /* char */ 4662 long len; 4663 long flags; 4664 long to; /* struct sockaddr */ 4665 long tolen; 4666 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4667 4668 struct sonode *so; 4669 char so_laddr[sizeof (struct sockaddr_in6)]; 4670 char so_faddr[sizeof (struct sockaddr_in6)]; 4671 socklen_t tolen; 4672 int err; 4673 int fd; 4674 socklen_t len; 4675 short so_family, so_type; 4676 int add_sock_token = 0; 4677 struct file *fp; 4678 struct f_audit_data *fad; 4679 au_kcontext_t *kctx = GET_KCTX_PZ; 4680 4681 fd = (int)uap->fd; 4682 4683 /* bail if an error */ 4684 if (error) { 4685 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4686 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4687 /* XXX include destination address from system call arguments */ 4688 return; 4689 } 4690 4691 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4692 /* 4693 * not security relevant if doing a sendto using non socket 4694 * so no extra tokens. Should probably turn off audit record 4695 * generation here. 4696 */ 4697 return; 4698 } 4699 4700 so_family = so->so_family; 4701 so_type = so->so_type; 4702 4703 /* 4704 * only putout SOCKET_EX token if INET/INET6 family. 4705 * XXX - what do we do about other families? 4706 */ 4707 4708 switch (so_family) { 4709 case AF_INET: 4710 case AF_INET6: 4711 4712 /* 4713 * if datagram type socket, then just use what is in 4714 * socket structure for local address. 4715 * XXX - what do we do for other types? 4716 */ 4717 if ((so->so_type == SOCK_DGRAM) || 4718 (so->so_type == SOCK_RAW)) { 4719 4720 bzero((void *)so_laddr, sizeof (so_laddr)); 4721 bzero((void *)so_faddr, sizeof (so_faddr)); 4722 4723 /* get local address */ 4724 len = sizeof (so_laddr); 4725 (void) socket_getsockname(so, 4726 (struct sockaddr *)so_laddr, &len, CRED()); 4727 4728 /* get peer address */ 4729 4730 /* sanity check */ 4731 if (uap->to == NULL) 4732 break; 4733 4734 /* sanity checks */ 4735 if (uap->tolen == 0) 4736 break; 4737 4738 tolen = (socklen_t)uap->tolen; 4739 4740 /* enforce maximum size */ 4741 if (tolen > sizeof (so_faddr)) 4742 tolen = sizeof (so_faddr); 4743 4744 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4745 break; 4746 4747 add_sock_token = 1; 4748 } else { 4749 /* 4750 * check if this is first time through. 4751 */ 4752 4753 /* get path from file struct here */ 4754 fad = F2A(fp); 4755 ASSERT(fad); 4756 4757 /* 4758 * already processed this file for write attempt 4759 */ 4760 if (fad->fad_flags & FAD_WRITE) { 4761 /* don't want to audit every sendto attempt */ 4762 tad->tad_flag = 0; 4763 /* free any residual audit data */ 4764 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4765 releasef(fd); 4766 return; 4767 } 4768 /* 4769 * mark things so we know what happened and don't 4770 * repeat things 4771 */ 4772 fad->fad_flags |= FAD_WRITE; 4773 4774 bzero((void *)so_laddr, sizeof (so_laddr)); 4775 bzero((void *)so_faddr, sizeof (so_faddr)); 4776 4777 /* get local and foreign addresses */ 4778 len = sizeof (so_laddr); 4779 (void) socket_getsockname(so, 4780 (struct sockaddr *)so_laddr, &len, CRED()); 4781 len = sizeof (so_faddr); 4782 (void) socket_getpeername(so, 4783 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4784 4785 add_sock_token = 1; 4786 } 4787 4788 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4789 4790 break; 4791 4792 case AF_UNIX: 4793 /* 4794 * first check if this is first time through. Too much 4795 * duplicate code to put this in an aui_ routine. 4796 */ 4797 4798 /* get path from file struct here */ 4799 fad = F2A(fp); 4800 ASSERT(fad); 4801 4802 /* 4803 * already processed this file for write attempt 4804 */ 4805 if (fad->fad_flags & FAD_WRITE) { 4806 /* don't want to audit every sendto attempt */ 4807 tad->tad_flag = 0; 4808 /* free any residual audit data */ 4809 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 4810 releasef(fd); 4811 return; 4812 } 4813 /* 4814 * mark things so we know what happened and don't 4815 * repeat things 4816 */ 4817 fad->fad_flags |= FAD_WRITE; 4818 4819 if (fad->fad_aupath != NULL) { 4820 au_uwrite(au_to_path(fad->fad_aupath)); 4821 } else { 4822 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4823 } 4824 4825 audit_attributes(fp->f_vnode); 4826 4827 releasef(fd); 4828 4829 return; 4830 4831 default: 4832 break; 4833 4834 } 4835 4836 releasef(fd); 4837 4838 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4839 4840 if (add_sock_token == 0) { 4841 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4842 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4843 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4844 return; 4845 } 4846 4847 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4848 4849 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4850 4851 } 4852 4853 /* 4854 * XXX socket(2) may be equivalent to open(2) on a unix domain 4855 * socket. This needs investigation. 4856 */ 4857 4858 /*ARGSUSED*/ 4859 static void 4860 aus_socket(struct t_audit_data *tad) 4861 { 4862 struct a { 4863 long domain; 4864 long type; 4865 long protocol; 4866 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4867 4868 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4869 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4870 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4871 } 4872 4873 /*ARGSUSED*/ 4874 static void 4875 aus_sigqueue(struct t_audit_data *tad) 4876 { 4877 struct a { 4878 long pid; 4879 long signo; 4880 long *val; 4881 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4882 struct proc *p; 4883 uid_t uid, ruid; 4884 gid_t gid, rgid; 4885 pid_t pid; 4886 const auditinfo_addr_t *ainfo; 4887 cred_t *cr; 4888 4889 pid = (pid_t)uap->pid; 4890 4891 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4892 if (pid > 0) { 4893 mutex_enter(&pidlock); 4894 if ((p = prfind(pid)) == (struct proc *)0) { 4895 mutex_exit(&pidlock); 4896 return; 4897 } 4898 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4899 mutex_exit(&pidlock); 4900 4901 mutex_enter(&p->p_crlock); 4902 crhold(cr = p->p_cred); 4903 mutex_exit(&p->p_crlock); 4904 mutex_exit(&p->p_lock); 4905 4906 ainfo = crgetauinfo(cr); 4907 if (ainfo == NULL) { 4908 crfree(cr); 4909 return; 4910 } 4911 4912 uid = crgetuid(cr); 4913 gid = crgetgid(cr); 4914 ruid = crgetruid(cr); 4915 rgid = crgetrgid(cr); 4916 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4917 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4918 crfree(cr); 4919 } 4920 else 4921 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4922 } 4923 4924 /*ARGSUSED*/ 4925 static void 4926 aus_inst_sync(struct t_audit_data *tad) 4927 { 4928 struct a { 4929 long name; /* char */ 4930 long flags; 4931 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4932 4933 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4934 } 4935 4936 /*ARGSUSED*/ 4937 static void 4938 aus_brandsys(struct t_audit_data *tad) 4939 { 4940 klwp_t *clwp = ttolwp(curthread); 4941 4942 struct a { 4943 long cmd; 4944 long arg1; 4945 long arg2; 4946 long arg3; 4947 long arg4; 4948 long arg5; 4949 long arg6; 4950 } *uap = (struct a *)clwp->lwp_ap; 4951 4952 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4953 #ifdef _LP64 4954 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4955 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4956 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4957 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4958 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4959 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4960 #else 4961 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4962 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4963 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4964 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4965 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4966 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4967 #endif 4968 } 4969 4970 /*ARGSUSED*/ 4971 static void 4972 aus_p_online(struct t_audit_data *tad) 4973 { 4974 struct a { 4975 long processor_id; 4976 long flag; 4977 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4978 4979 struct flags { 4980 int flag; 4981 char *cflag; 4982 } aflags[6] = { 4983 { P_ONLINE, "P_ONLINE"}, 4984 { P_OFFLINE, "P_OFFLINE"}, 4985 { P_NOINTR, "P_NOINTR"}, 4986 { P_SPARE, "P_SPARE"}, 4987 { P_FAULTED, "P_FAULTED"}, 4988 { P_STATUS, "P_STATUS"} 4989 }; 4990 int i; 4991 char *cflag; 4992 4993 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4994 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4995 4996 for (i = 0; i < 6; i++) { 4997 if (aflags[i].flag == uap->flag) 4998 break; 4999 } 5000 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 5001 5002 au_uwrite(au_to_text(cflag)); 5003 } 5004 5005 /*ARGSUSED*/ 5006 static void 5007 aus_processor_bind(struct t_audit_data *tad) 5008 { 5009 struct a { 5010 long id_type; 5011 long id; 5012 long processor_id; 5013 long obind; 5014 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5015 5016 struct proc *p; 5017 int lwpcnt; 5018 uid_t uid, ruid; 5019 gid_t gid, rgid; 5020 pid_t pid; 5021 const auditinfo_addr_t *ainfo; 5022 cred_t *cr; 5023 5024 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 5025 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 5026 if (uap->processor_id == PBIND_NONE) 5027 au_uwrite(au_to_text("PBIND_NONE")); 5028 else 5029 au_uwrite(au_to_arg32(3, "processor_id", 5030 (uint32_t)uap->processor_id)); 5031 5032 switch (uap->id_type) { 5033 case P_MYID: 5034 case P_LWPID: 5035 mutex_enter(&pidlock); 5036 p = ttoproc(curthread); 5037 if (p == NULL || p->p_as == &kas) { 5038 mutex_exit(&pidlock); 5039 return; 5040 } 5041 mutex_enter(&p->p_lock); 5042 mutex_exit(&pidlock); 5043 lwpcnt = p->p_lwpcnt; 5044 pid = p->p_pid; 5045 5046 mutex_enter(&p->p_crlock); 5047 crhold(cr = p->p_cred); 5048 mutex_exit(&p->p_crlock); 5049 mutex_exit(&p->p_lock); 5050 5051 ainfo = crgetauinfo(cr); 5052 if (ainfo == NULL) { 5053 crfree(cr); 5054 return; 5055 } 5056 5057 uid = crgetuid(cr); 5058 gid = crgetgid(cr); 5059 ruid = crgetruid(cr); 5060 rgid = crgetrgid(cr); 5061 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5062 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5063 crfree(cr); 5064 break; 5065 case P_PID: 5066 mutex_enter(&pidlock); 5067 p = prfind(uap->id); 5068 if (p == NULL || p->p_as == &kas) { 5069 mutex_exit(&pidlock); 5070 return; 5071 } 5072 mutex_enter(&p->p_lock); 5073 mutex_exit(&pidlock); 5074 lwpcnt = p->p_lwpcnt; 5075 pid = p->p_pid; 5076 5077 mutex_enter(&p->p_crlock); 5078 crhold(cr = p->p_cred); 5079 mutex_exit(&p->p_crlock); 5080 mutex_exit(&p->p_lock); 5081 5082 ainfo = crgetauinfo(cr); 5083 if (ainfo == NULL) { 5084 crfree(cr); 5085 return; 5086 } 5087 5088 uid = crgetuid(cr); 5089 gid = crgetgid(cr); 5090 ruid = crgetruid(cr); 5091 rgid = crgetrgid(cr); 5092 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5093 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5094 crfree(cr); 5095 5096 break; 5097 default: 5098 return; 5099 } 5100 5101 if (uap->processor_id == PBIND_NONE && 5102 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 5103 au_uwrite(au_to_text("PBIND_NONE for process")); 5104 else 5105 au_uwrite(au_to_arg32(3, "processor_id", 5106 (uint32_t)uap->processor_id)); 5107 } 5108 5109 /*ARGSUSED*/ 5110 static au_event_t 5111 aui_doorfs(au_event_t e) 5112 { 5113 uint32_t code; 5114 5115 struct a { /* doorfs */ 5116 long a1; 5117 long a2; 5118 long a3; 5119 long a4; 5120 long a5; 5121 long code; 5122 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5123 5124 /* 5125 * audit formats for several of the 5126 * door calls have not yet been determined 5127 */ 5128 code = (uint32_t)uap->code; 5129 switch (code) { 5130 case DOOR_CALL: 5131 e = AUE_DOORFS_DOOR_CALL; 5132 break; 5133 case DOOR_RETURN: 5134 e = AUE_NULL; 5135 break; 5136 case DOOR_CREATE: 5137 e = AUE_DOORFS_DOOR_CREATE; 5138 break; 5139 case DOOR_REVOKE: 5140 e = AUE_DOORFS_DOOR_REVOKE; 5141 break; 5142 case DOOR_INFO: 5143 e = AUE_NULL; 5144 break; 5145 case DOOR_UCRED: 5146 e = AUE_NULL; 5147 break; 5148 case DOOR_BIND: 5149 e = AUE_NULL; 5150 break; 5151 case DOOR_UNBIND: 5152 e = AUE_NULL; 5153 break; 5154 case DOOR_GETPARAM: 5155 e = AUE_NULL; 5156 break; 5157 case DOOR_SETPARAM: 5158 e = AUE_NULL; 5159 break; 5160 default: /* illegal system call */ 5161 e = AUE_NULL; 5162 break; 5163 } 5164 5165 return (e); 5166 } 5167 5168 static door_node_t * 5169 au_door_lookup(int did) 5170 { 5171 vnode_t *vp; 5172 file_t *fp; 5173 5174 if ((fp = getf(did)) == NULL) 5175 return (NULL); 5176 /* 5177 * Use the underlying vnode (we may be namefs mounted) 5178 */ 5179 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 5180 vp = fp->f_vnode; 5181 5182 if (vp == NULL || vp->v_type != VDOOR) { 5183 releasef(did); 5184 return (NULL); 5185 } 5186 5187 return (VTOD(vp)); 5188 } 5189 5190 /*ARGSUSED*/ 5191 static void 5192 aus_doorfs(struct t_audit_data *tad) 5193 { 5194 5195 struct a { /* doorfs */ 5196 long a1; 5197 long a2; 5198 long a3; 5199 long a4; 5200 long a5; 5201 long code; 5202 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5203 5204 door_node_t *dp; 5205 struct proc *p; 5206 uint32_t did; 5207 uid_t uid, ruid; 5208 gid_t gid, rgid; 5209 pid_t pid; 5210 const auditinfo_addr_t *ainfo; 5211 cred_t *cr; 5212 5213 did = (uint32_t)uap->a1; 5214 5215 switch (tad->tad_event) { 5216 case AUE_DOORFS_DOOR_CALL: 5217 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5218 if ((dp = au_door_lookup(did)) == NULL) 5219 break; 5220 5221 if (DOOR_INVALID(dp)) { 5222 releasef(did); 5223 break; 5224 } 5225 5226 if ((p = dp->door_target) == NULL) { 5227 releasef(did); 5228 break; 5229 } 5230 mutex_enter(&p->p_lock); 5231 releasef(did); 5232 5233 pid = p->p_pid; 5234 5235 mutex_enter(&p->p_crlock); 5236 crhold(cr = p->p_cred); 5237 mutex_exit(&p->p_crlock); 5238 mutex_exit(&p->p_lock); 5239 5240 ainfo = crgetauinfo(cr); 5241 if (ainfo == NULL) { 5242 crfree(cr); 5243 return; 5244 } 5245 uid = crgetuid(cr); 5246 gid = crgetgid(cr); 5247 ruid = crgetruid(cr); 5248 rgid = crgetrgid(cr); 5249 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5250 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5251 crfree(cr); 5252 break; 5253 case AUE_DOORFS_DOOR_RETURN: 5254 /* 5255 * We may want to write information about 5256 * all doors (if any) which will be copied 5257 * by this call to the user space 5258 */ 5259 break; 5260 case AUE_DOORFS_DOOR_CREATE: 5261 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5262 break; 5263 case AUE_DOORFS_DOOR_REVOKE: 5264 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5265 break; 5266 case AUE_DOORFS_DOOR_INFO: 5267 break; 5268 case AUE_DOORFS_DOOR_CRED: 5269 break; 5270 case AUE_DOORFS_DOOR_BIND: 5271 break; 5272 case AUE_DOORFS_DOOR_UNBIND: { 5273 break; 5274 } 5275 default: /* illegal system call */ 5276 break; 5277 } 5278 } 5279 5280 /*ARGSUSED*/ 5281 static au_event_t 5282 aui_acl(au_event_t e) 5283 { 5284 struct a { 5285 union { 5286 long name; /* char */ 5287 long fd; 5288 } obj; 5289 5290 long cmd; 5291 long nentries; 5292 long arg; /* aclent_t */ 5293 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5294 5295 switch (uap->cmd) { 5296 case SETACL: 5297 case ACE_SETACL: 5298 /* 5299 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5300 * are expected. 5301 */ 5302 break; 5303 case GETACL: 5304 case GETACLCNT: 5305 case ACE_GETACL: 5306 case ACE_GETACLCNT: 5307 /* do nothing for these four values. */ 5308 e = AUE_NULL; 5309 break; 5310 default: 5311 /* illegal system call */ 5312 break; 5313 } 5314 5315 return (e); 5316 } 5317 5318 static void 5319 au_acl(int cmd, int nentries, caddr_t bufp) 5320 { 5321 size_t a_size; 5322 aclent_t *aclbufp; 5323 ace_t *acebufp; 5324 int i; 5325 5326 switch (cmd) { 5327 case GETACL: 5328 case GETACLCNT: 5329 break; 5330 case SETACL: 5331 if (nentries < 3) 5332 break; 5333 5334 a_size = nentries * sizeof (aclent_t); 5335 5336 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5337 break; 5338 if (copyin(bufp, aclbufp, a_size)) { 5339 kmem_free(aclbufp, a_size); 5340 break; 5341 } 5342 for (i = 0; i < nentries; i++) { 5343 au_uwrite(au_to_acl(aclbufp + i)); 5344 } 5345 kmem_free(aclbufp, a_size); 5346 break; 5347 5348 case ACE_SETACL: 5349 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5350 break; 5351 5352 a_size = nentries * sizeof (ace_t); 5353 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5354 break; 5355 if (copyin(bufp, acebufp, a_size)) { 5356 kmem_free(acebufp, a_size); 5357 break; 5358 } 5359 for (i = 0; i < nentries; i++) { 5360 au_uwrite(au_to_ace(acebufp + i)); 5361 } 5362 kmem_free(acebufp, a_size); 5363 break; 5364 default: 5365 break; 5366 } 5367 } 5368 5369 /*ARGSUSED*/ 5370 static void 5371 aus_acl(struct t_audit_data *tad) 5372 { 5373 struct a { 5374 long fname; 5375 long cmd; 5376 long nentries; 5377 long aclbufp; 5378 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5379 5380 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5381 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5382 5383 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5384 } 5385 5386 /*ARGSUSED*/ 5387 static void 5388 aus_facl(struct t_audit_data *tad) 5389 { 5390 struct a { 5391 long fd; 5392 long cmd; 5393 long nentries; 5394 long aclbufp; 5395 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5396 struct file *fp; 5397 struct vnode *vp; 5398 struct f_audit_data *fad; 5399 int fd; 5400 5401 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5402 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5403 5404 fd = (int)uap->fd; 5405 5406 if ((fp = getf(fd)) == NULL) 5407 return; 5408 5409 /* get path from file struct here */ 5410 fad = F2A(fp); 5411 if (fad->fad_aupath != NULL) { 5412 au_uwrite(au_to_path(fad->fad_aupath)); 5413 } else { 5414 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5415 } 5416 5417 vp = fp->f_vnode; 5418 audit_attributes(vp); 5419 5420 /* decrement file descriptor reference count */ 5421 releasef(fd); 5422 5423 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5424 } 5425 5426 /*ARGSUSED*/ 5427 static void 5428 auf_read(tad, error, rval) 5429 struct t_audit_data *tad; 5430 int error; 5431 rval_t *rval; 5432 { 5433 struct file *fp; 5434 struct f_audit_data *fad; 5435 int fd; 5436 register struct a { 5437 long fd; 5438 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5439 au_kcontext_t *kctx = GET_KCTX_PZ; 5440 5441 fd = (int)uap->fd; 5442 5443 /* 5444 * convert file pointer to file descriptor 5445 * Note: fd ref count incremented here. 5446 */ 5447 if ((fp = getf(fd)) == NULL) 5448 return; 5449 5450 /* get path from file struct here */ 5451 fad = F2A(fp); 5452 ASSERT(fad); 5453 5454 /* 5455 * already processed this file for read attempt 5456 * 5457 * XXX might be better to turn off auditing in a aui_read() routine. 5458 */ 5459 if (fad->fad_flags & FAD_READ) { 5460 /* don't really want to audit every read attempt */ 5461 tad->tad_flag = 0; 5462 /* free any residual audit data */ 5463 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5464 releasef(fd); 5465 return; 5466 } 5467 /* mark things so we know what happened and don't repeat things */ 5468 fad->fad_flags |= FAD_READ; 5469 5470 if (fad->fad_aupath != NULL) { 5471 au_uwrite(au_to_path(fad->fad_aupath)); 5472 } else { 5473 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5474 } 5475 5476 /* include attributes */ 5477 audit_attributes(fp->f_vnode); 5478 5479 /* decrement file descriptor reference count */ 5480 releasef(fd); 5481 } 5482 5483 /*ARGSUSED*/ 5484 static void 5485 auf_write(tad, error, rval) 5486 struct t_audit_data *tad; 5487 int error; 5488 rval_t *rval; 5489 { 5490 struct file *fp; 5491 struct f_audit_data *fad; 5492 int fd; 5493 register struct a { 5494 long fd; 5495 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5496 au_kcontext_t *kctx = GET_KCTX_PZ; 5497 5498 fd = (int)uap->fd; 5499 5500 /* 5501 * convert file pointer to file descriptor 5502 * Note: fd ref count incremented here. 5503 */ 5504 if ((fp = getf(fd)) == NULL) 5505 return; 5506 5507 /* get path from file struct here */ 5508 fad = F2A(fp); 5509 ASSERT(fad); 5510 5511 /* 5512 * already processed this file for write attempt 5513 * 5514 * XXX might be better to turn off auditing in a aus_write() routine. 5515 */ 5516 if (fad->fad_flags & FAD_WRITE) { 5517 /* don't really want to audit every write attempt */ 5518 tad->tad_flag = 0; 5519 /* free any residual audit data */ 5520 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5521 releasef(fd); 5522 return; 5523 } 5524 /* mark things so we know what happened and don't repeat things */ 5525 fad->fad_flags |= FAD_WRITE; 5526 5527 if (fad->fad_aupath != NULL) { 5528 au_uwrite(au_to_path(fad->fad_aupath)); 5529 } else { 5530 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5531 } 5532 5533 /* include attributes */ 5534 audit_attributes(fp->f_vnode); 5535 5536 /* decrement file descriptor reference count */ 5537 releasef(fd); 5538 } 5539 5540 /*ARGSUSED*/ 5541 static void 5542 auf_recv(tad, error, rval) 5543 struct t_audit_data *tad; 5544 int error; 5545 rval_t *rval; 5546 { 5547 struct sonode *so; 5548 char so_laddr[sizeof (struct sockaddr_in6)]; 5549 char so_faddr[sizeof (struct sockaddr_in6)]; 5550 struct file *fp; 5551 struct f_audit_data *fad; 5552 int fd; 5553 int err; 5554 socklen_t len; 5555 short so_family, so_type; 5556 register struct a { 5557 long fd; 5558 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5559 au_kcontext_t *kctx = GET_KCTX_PZ; 5560 5561 /* 5562 * If there was an error, then nothing to do. Only generate 5563 * audit record on first successful recv. 5564 */ 5565 if (error) { 5566 /* Turn off audit record generation here. */ 5567 tad->tad_flag = 0; 5568 /* free any residual audit data */ 5569 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5570 return; 5571 } 5572 5573 fd = (int)uap->fd; 5574 5575 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5576 /* Turn off audit record generation here. */ 5577 tad->tad_flag = 0; 5578 /* free any residual audit data */ 5579 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5580 return; 5581 } 5582 5583 /* get path from file struct here */ 5584 fad = F2A(fp); 5585 ASSERT(fad); 5586 5587 /* 5588 * already processed this file for read attempt 5589 */ 5590 if (fad->fad_flags & FAD_READ) { 5591 releasef(fd); 5592 /* don't really want to audit every recv call */ 5593 tad->tad_flag = 0; 5594 /* free any residual audit data */ 5595 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5596 return; 5597 } 5598 5599 /* mark things so we know what happened and don't repeat things */ 5600 fad->fad_flags |= FAD_READ; 5601 5602 so_family = so->so_family; 5603 so_type = so->so_type; 5604 5605 switch (so_family) { 5606 case AF_INET: 5607 case AF_INET6: 5608 /* 5609 * Only for connections. 5610 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5611 */ 5612 if (so->so_state & SS_ISBOUND) { 5613 5614 bzero((void *)so_laddr, sizeof (so_laddr)); 5615 bzero((void *)so_faddr, sizeof (so_faddr)); 5616 5617 /* get local and foreign addresses */ 5618 len = sizeof (so_laddr); 5619 (void) socket_getsockname(so, 5620 (struct sockaddr *)so_laddr, &len, CRED()); 5621 len = sizeof (so_faddr); 5622 (void) socket_getpeername(so, 5623 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5624 5625 /* 5626 * only way to drop out of switch. Note that we 5627 * we release fd below. 5628 */ 5629 5630 break; 5631 } 5632 5633 releasef(fd); 5634 5635 /* don't really want to audit every recv call */ 5636 tad->tad_flag = 0; 5637 /* free any residual audit data */ 5638 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5639 5640 return; 5641 5642 case AF_UNIX: 5643 5644 if (fad->fad_aupath != NULL) { 5645 au_uwrite(au_to_path(fad->fad_aupath)); 5646 } else { 5647 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5648 } 5649 5650 audit_attributes(fp->f_vnode); 5651 5652 releasef(fd); 5653 5654 return; 5655 5656 default: 5657 releasef(fd); 5658 5659 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5660 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5661 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5662 5663 return; 5664 } 5665 5666 releasef(fd); 5667 5668 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5669 5670 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5671 5672 } 5673 5674 /*ARGSUSED*/ 5675 static void 5676 auf_send(tad, error, rval) 5677 struct t_audit_data *tad; 5678 int error; 5679 rval_t *rval; 5680 { 5681 struct sonode *so; 5682 char so_laddr[sizeof (struct sockaddr_in6)]; 5683 char so_faddr[sizeof (struct sockaddr_in6)]; 5684 struct file *fp; 5685 struct f_audit_data *fad; 5686 int fd; 5687 int err; 5688 socklen_t len; 5689 short so_family, so_type; 5690 register struct a { 5691 long fd; 5692 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5693 au_kcontext_t *kctx = GET_KCTX_PZ; 5694 5695 fd = (int)uap->fd; 5696 5697 /* 5698 * If there was an error, then nothing to do. Only generate 5699 * audit record on first successful send. 5700 */ 5701 if (error != 0) { 5702 /* Turn off audit record generation here. */ 5703 tad->tad_flag = 0; 5704 /* free any residual audit data */ 5705 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5706 return; 5707 } 5708 5709 fd = (int)uap->fd; 5710 5711 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5712 /* Turn off audit record generation here. */ 5713 tad->tad_flag = 0; 5714 /* free any residual audit data */ 5715 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5716 return; 5717 } 5718 5719 /* get path from file struct here */ 5720 fad = F2A(fp); 5721 ASSERT(fad); 5722 5723 /* 5724 * already processed this file for write attempt 5725 */ 5726 if (fad->fad_flags & FAD_WRITE) { 5727 releasef(fd); 5728 /* don't really want to audit every send call */ 5729 tad->tad_flag = 0; 5730 /* free any residual audit data */ 5731 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5732 return; 5733 } 5734 5735 /* mark things so we know what happened and don't repeat things */ 5736 fad->fad_flags |= FAD_WRITE; 5737 5738 so_family = so->so_family; 5739 so_type = so->so_type; 5740 5741 switch (so_family) { 5742 case AF_INET: 5743 case AF_INET6: 5744 /* 5745 * Only for connections. 5746 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5747 */ 5748 if (so->so_state & SS_ISBOUND) { 5749 5750 bzero((void *)so_laddr, sizeof (so_laddr)); 5751 bzero((void *)so_faddr, sizeof (so_faddr)); 5752 5753 /* get local and foreign addresses */ 5754 len = sizeof (so_laddr); 5755 (void) socket_getsockname(so, 5756 (struct sockaddr *)so_laddr, &len, CRED()); 5757 len = sizeof (so_faddr); 5758 (void) socket_getpeername(so, 5759 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5760 5761 /* 5762 * only way to drop out of switch. Note that we 5763 * we release fd below. 5764 */ 5765 5766 break; 5767 } 5768 5769 releasef(fd); 5770 /* don't really want to audit every send call */ 5771 tad->tad_flag = 0; 5772 /* free any residual audit data */ 5773 au_close(kctx, &(u_ad), 0, 0, 0, NULL); 5774 5775 return; 5776 5777 case AF_UNIX: 5778 5779 if (fad->fad_aupath != NULL) { 5780 au_uwrite(au_to_path(fad->fad_aupath)); 5781 } else { 5782 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5783 } 5784 5785 audit_attributes(fp->f_vnode); 5786 5787 releasef(fd); 5788 5789 return; 5790 5791 default: 5792 releasef(fd); 5793 5794 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5795 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5796 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5797 5798 return; 5799 } 5800 5801 releasef(fd); 5802 5803 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5804 5805 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5806 } 5807 5808 static au_event_t 5809 aui_forksys(au_event_t e) 5810 { 5811 struct a { 5812 long subcode; 5813 long flags; 5814 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5815 5816 switch ((uint_t)uap->subcode) { 5817 case 0: 5818 e = AUE_FORK1; 5819 break; 5820 case 1: 5821 e = AUE_FORKALL; 5822 break; 5823 case 2: 5824 e = AUE_VFORK; 5825 break; 5826 default: 5827 e = AUE_NULL; 5828 break; 5829 } 5830 5831 return (e); 5832 } 5833 5834 /*ARGSUSED*/ 5835 static au_event_t 5836 aui_portfs(au_event_t e) 5837 { 5838 struct a { /* portfs */ 5839 long a1; 5840 long a2; 5841 long a3; 5842 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5843 5844 /* 5845 * check opcode 5846 */ 5847 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5848 case PORT_ASSOCIATE: 5849 /* check source */ 5850 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5851 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5852 e = AUE_PORTFS_ASSOCIATE; 5853 } else { 5854 e = AUE_NULL; 5855 } 5856 break; 5857 case PORT_DISSOCIATE: 5858 /* check source */ 5859 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5860 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5861 e = AUE_PORTFS_DISSOCIATE; 5862 } else { 5863 e = AUE_NULL; 5864 } 5865 break; 5866 default: 5867 e = AUE_NULL; 5868 } 5869 return (e); 5870 } 5871