xref: /titanic_44/usr/src/uts/common/c2/audit_event.c (revision 5494fa53f9c55de7fb31e3bfb7e0da50d08159a5)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * This file contains the audit event table used to control the production
31  * of audit records for each system call.
32  */
33 
34 #include <sys/policy.h>
35 #include <sys/cred.h>
36 #include <sys/types.h>
37 #include <sys/systm.h>
38 #include <sys/systeminfo.h>	/* for sysinfo auditing */
39 #include <sys/utsname.h>	/* for sysinfo auditing */
40 #include <sys/proc.h>
41 #include <sys/vnode.h>
42 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
43 #include <sys/fcntl.h>
44 #include <sys/modctl.h>		/* for modctl auditing */
45 #include <sys/vnode.h>
46 #include <sys/user.h>
47 #include <sys/types.h>
48 #include <sys/processor.h>
49 #include <sys/procset.h>
50 #include <sys/acl.h>
51 #include <sys/ipc.h>
52 #include <sys/door.h>
53 #include <sys/sem.h>
54 #include <sys/msg.h>
55 #include <sys/shm.h>
56 #include <sys/kmem.h>
57 #include <sys/file.h>		/* for accept */
58 #include <sys/utssys.h>		/* for fuser */
59 #include <sys/tsol/label.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <netinet/in.h>
76 #include <sys/ddi.h>
77 
78 extern token_t	*au_to_sock_inet(struct sockaddr_in *);
79 
80 int	au_naevent;
81 char	_depends_on[] = "fs/sockfs";
82 
83 static au_event_t	aui_null(au_event_t);
84 static au_event_t	aui_open(au_event_t);
85 static au_event_t	aui_fsat(au_event_t);
86 static au_event_t	aui_msgsys(au_event_t);
87 static au_event_t	aui_shmsys(au_event_t);
88 static au_event_t	aui_semsys(au_event_t);
89 static au_event_t	aui_utssys(au_event_t);
90 static au_event_t	aui_fcntl(au_event_t);
91 static au_event_t	aui_execv(au_event_t);
92 static au_event_t	aui_execve(au_event_t);
93 static au_event_t	aui_memcntl(au_event_t);
94 static au_event_t	aui_sysinfo(au_event_t);
95 static au_event_t	aui_auditsys(au_event_t);
96 static au_event_t	aui_modctl(au_event_t);
97 static au_event_t	aui_acl(au_event_t);
98 static au_event_t	aui_doorfs(au_event_t);
99 static au_event_t	aui_privsys(au_event_t);
100 static au_event_t	aui_forksys(au_event_t);
101 
102 static void	aus_null(struct t_audit_data *);
103 static void	aus_open(struct t_audit_data *);
104 static void	aus_acl(struct t_audit_data *);
105 static void	aus_acct(struct t_audit_data *);
106 static void	aus_chown(struct t_audit_data *);
107 static void	aus_fchown(struct t_audit_data *);
108 static void	aus_lchown(struct t_audit_data *);
109 static void	aus_chmod(struct t_audit_data *);
110 static void	aus_facl(struct t_audit_data *);
111 static void	aus_fchmod(struct t_audit_data *);
112 static void	aus_fcntl(struct t_audit_data *);
113 static void	aus_fsat(struct t_audit_data *);
114 static void	aus_mkdir(struct t_audit_data *);
115 static void	aus_mknod(struct t_audit_data *);
116 static void	aus_mount(struct t_audit_data *);
117 static void	aus_umount(struct t_audit_data *);
118 static void	aus_umount2(struct t_audit_data *);
119 static void	aus_msgsys(struct t_audit_data *);
120 static void	aus_semsys(struct t_audit_data *);
121 static void	aus_close(struct t_audit_data *);
122 static void	aus_fstatfs(struct t_audit_data *);
123 static void	aus_setgid(struct t_audit_data *);
124 static void	aus_setuid(struct t_audit_data *);
125 static void	aus_shmsys(struct t_audit_data *);
126 static void	aus_doorfs(struct t_audit_data *);
127 static void	aus_ioctl(struct t_audit_data *);
128 static void	aus_memcntl(struct t_audit_data *);
129 static void	aus_mmap(struct t_audit_data *);
130 static void	aus_munmap(struct t_audit_data *);
131 static void	aus_priocntlsys(struct t_audit_data *);
132 static void	aus_setegid(struct t_audit_data *);
133 static void	aus_setgroups(struct t_audit_data *);
134 static void	aus_seteuid(struct t_audit_data *);
135 static void	aus_putmsg(struct t_audit_data *);
136 static void	aus_putpmsg(struct t_audit_data *);
137 static void	aus_getmsg(struct t_audit_data *);
138 static void	aus_getpmsg(struct t_audit_data *);
139 static void	aus_auditsys(struct t_audit_data *);
140 static void	aus_sysinfo(struct t_audit_data *);
141 static void	aus_modctl(struct t_audit_data *);
142 static void	aus_kill(struct t_audit_data *);
143 static void	aus_xmknod(struct t_audit_data *);
144 static void	aus_setregid(struct t_audit_data *);
145 static void	aus_setreuid(struct t_audit_data *);
146 
147 static void	auf_null(struct t_audit_data *, int, rval_t *);
148 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
149 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
150 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
151 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
152 #if 0
153 static void	auf_open(struct t_audit_data *, int, rval_t *);
154 #endif
155 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
156 static void	auf_read(struct t_audit_data *, int, rval_t *);
157 static void	auf_write(struct t_audit_data *, int, rval_t *);
158 
159 static void	aus_sigqueue(struct t_audit_data *);
160 static void	aus_p_online(struct t_audit_data *);
161 static void	aus_processor_bind(struct t_audit_data *);
162 static void	aus_inst_sync(struct t_audit_data *);
163 static void	aus_brandsys(struct t_audit_data *);
164 
165 static void	auf_accept(struct t_audit_data *, int, rval_t *);
166 
167 static void	auf_bind(struct t_audit_data *, int, rval_t *);
168 static void	auf_connect(struct t_audit_data *, int, rval_t *);
169 static void	aus_shutdown(struct t_audit_data *);
170 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
171 static void	aus_sockconfig(struct t_audit_data *);
172 static void	auf_recv(struct t_audit_data *, int, rval_t *);
173 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
174 static void	auf_send(struct t_audit_data *, int, rval_t *);
175 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
176 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
177 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
178 static void	aus_socket(struct t_audit_data *);
179 /*
180  * This table contains mapping information for converting system call numbers
181  * to audit event IDs. In several cases it is necessary to map a single system
182  * call to several events.
183  */
184 
185 struct audit_s2e audit_s2e[] =
186 {
187 /*
188  * ----------	---------- 	----------	----------
189  * INITIAL	AUDIT		START		SYSTEM
190  * PROCESSING	EVENT		PROCESSING	CALL
191  * ----------	----------	----------	-----------
192  *		FINISH		EVENT
193  *		PROCESSING	CONTROL
194  * ----------------------------------------------------------
195  */
196 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
197 		auf_null,	0,
198 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
199 		auf_null,	S2E_NPT,
200 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
201 		auf_null,	0,
202 aui_null,	AUE_READ,	aus_null,	/* 3 read */
203 		auf_read,	S2E_PUB,
204 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
205 		auf_write,	0,
206 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
207 		auf_null,	S2E_SP,
208 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
209 		auf_null,	0,
210 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
211 		auf_null,	0,
212 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
213 		auf_null,	S2E_SP,
214 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
215 		auf_null,	0,
216 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
217 		auf_null,	0,
218 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
219 		auf_null,	S2E_MLD,
220 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
221 		auf_null,	S2E_SP,
222 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
223 		auf_null,	0,
224 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
225 		auf_mknod,	0,
226 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
227 		auf_null,	0,
228 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
229 		auf_null,	0,
230 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
231 		auf_null,	0,
232 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
233 		auf_null,	S2E_PUB,
234 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
235 		auf_null,	0,
236 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
237 		auf_null,	0,
238 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
239 		auf_null,	S2E_MLD,
240 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
241 		auf_null,	0,
242 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
243 		auf_null,	0,
244 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
245 		auf_null,	0,
246 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
247 		auf_null,	0,
248 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
249 		auf_null,	0,
250 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
251 		auf_null,	0,
252 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
253 		auf_null,	0,
254 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
255 		auf_null,	0,
256 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
257 		auf_null,	0,
258 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
259 		auf_null,	0,
260 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
261 		auf_null,	0,
262 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
263 		auf_null,	S2E_PUB,
264 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
265 		auf_null,	0,
266 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
267 		auf_null,	S2E_PUB,
268 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
269 		auf_null,	0,
270 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
271 		auf_null,	0,
272 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
273 		auf_null,	S2E_PUB,
274 aui_null,	AUE_SETPGRP,	aus_null,	/* 39 setpgrp */
275 		auf_null,	0,
276 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
277 		auf_null,	0,
278 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
279 		auf_null,	0,
280 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
281 		auf_null,	0,
282 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
283 		auf_null,	0,
284 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
285 		auf_null,	0,
286 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
287 						/*	was proc lock */
288 		auf_null,	0,
289 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
290 		auf_null,	0,
291 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
292 		auf_null,	0,
293 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
294 		auf_null,	0,
295 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
296 		auf_msgsys,	0,
297 #if defined(__x86)
298 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
299 		auf_null,	0,
300 #else
301 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
302 		auf_null,	0,
303 #endif /* __x86 */
304 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
305 		auf_null,	0,
306 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
307 		auf_shmsys,	0,
308 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
309 		auf_semsys,	0,
310 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
311 		auf_null,	0,
312 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
313 		auf_null,	0,
314 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
315 		auf_null,	0,
316 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
317 		auf_null,	0,
318 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
319 		auf_null,	0,
320 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
321 		auf_null,	S2E_MLD,
322 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
323 		auf_null,	0,
324 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
325 		auf_null,	S2E_SP,
326 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
327 		auf_null,	0,
328 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
329 		auf_null,	0,
330 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
331 		auf_null,	0,
332 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
333 		auf_null,	0,
334 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
335 		auf_null,	0,
336 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
337 						/*	file locking call */
338 		auf_null,	0,
339 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
340 						/*	local system calls */
341 		auf_null,	0,
342 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
343 		auf_null,	0,
344 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
345 		auf_null,	0,
346 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
347 		auf_null,	0,
348 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
349 		auf_null,	0,
350 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
355 						/*	was sigret (SunOS) */
356 		auf_null,	0,
357 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
358 		auf_null,	0,
359 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
360 		auf_null,	0,
361 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
362 		auf_null,	0,
363 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
364 		auf_null,	0,
365 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
366 		auf_null,	0,
367 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
368 		auf_null,	0,
369 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
370 						/*	was libattach */
371 		auf_null,	0,
372 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
373 						/*	was libdetach */
374 		auf_null,	0,
375 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
376 		auf_null,	0,
377 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
378 		auf_null,	0,
379 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
380 		auf_null,	0,
381 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
382 		auf_null,	0,
383 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
384 		auf_null,	S2E_PUB,
385 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
386 		auf_null,	0,
387 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
388 		auf_null,	S2E_PUB,
389 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
390 		auf_null,	0,
391 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
392 		auf_null,	0,
393 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
394 		auf_null,	0,
395 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
396 		auf_null,	0,
397 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
398 		auf_null,	0,
399 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
400 		auf_null,	0,
401 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
402 		auf_null,	0,
403 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
404 		auf_null,	0,
405 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
406 		auf_null,	0,
407 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
408 		auf_null,	0,
409 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
410 		auf_null,	0,
411 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
412 						/*	was evtrapret */
413 		auf_null,	0,
414 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
415 		auf_null,	S2E_PUB,
416 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
417 		auf_null,	0,
418 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
419 		auf_null,	0,
420 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
421 		auf_null,	0,
422 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
423 		auf_null,	0,
424 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
425 		auf_null,	0,
426 #if defined(__x86)
427 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
428 		auf_null,	0,
429 #else
430 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
431 		auf_null,	0,
432 #endif /* __x86 */
433 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
434 		auf_null,	0,
435 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
436 		auf_null,	0,
437 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
438 		auf_null,	0,		/* 112 priocntlsys */
439 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
440 		auf_null,	S2E_PUB,
441 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
442 		auf_null,	0,
443 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
444 		auf_null,	0,
445 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
446 		auf_null,	0,
447 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
448 		auf_null,	0,
449 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
450 		auf_null,	0,
451 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
452 		auf_null,	0,
453 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
454 		auf_null,	0,
455 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
456 		auf_read,	S2E_PUB,
457 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
458 		auf_write,	0,
459 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
460 		auf_null,	S2E_PUB,
461 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
462 		auf_null,	S2E_PUB,
463 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
464 		auf_null,	0,
465 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
466 		auf_xmknod,	0,
467 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
468 		auf_null,	0,
469 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
470 		auf_null,	0,
471 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
472 		auf_null,	0,
473 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
474 		auf_null,	0,
475 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
476 		auf_null,	0,
477 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
478 		auf_null,	0,
479 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
480 		auf_null,	0,
481 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
482 		auf_null,	0,
483 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
484 		auf_null,	0,
485 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
486 		auf_null,	0,
487 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
488 		auf_null,	0,
489 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
490 		auf_null,	0,
491 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
492 		auf_null,	0,
493 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
494 		auf_null,	0,
495 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
496 		auf_null,	0,
497 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
498 		auf_null,	0,
499 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
500 		auf_null,	0,
501 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
502 		auf_null,	0,
503 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
504 		auf_null,	0,
505 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
506 		auf_null,	0,
507 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
508 		auf_null,	0,
509 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
510 		auf_null,	0,
511 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
512 		auf_null,	0,
513 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
514 		auf_null,	0,
515 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
516 		auf_null,	0,
517 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
518 		auf_null,	0,
519 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
520 		auf_null,	0,
521 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
522 		auf_null,	0,
523 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
524 		auf_null,	0,
525 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
526 		auf_null,	0,
527 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
528 		auf_null,	0,
529 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
530 		auf_null,	0,
531 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
532 		auf_null,	0,
533 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
534 		auf_null,	0,
535 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
536 		auf_null,	0,
537 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
538 		auf_null,	0,
539 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
540 		auf_null,	0,
541 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
542 		auf_null,	0,
543 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
544 						/*	was lwp_setprivate */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
547 						/*	was lwp_getprivate */
548 		auf_null,	0,
549 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
550 		auf_null,	0,
551 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
552 		auf_null,	0,
553 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
554 		auf_null,	0,
555 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
556 		auf_null,	0,
557 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
558 		auf_null,	0,
559 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
560 		auf_null,	0,
561 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
562 		auf_read,	S2E_PUB,
563 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
564 		auf_write,	0,
565 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
566 		auf_null,	0,
567 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
568 						/* aus_inst_sync */
569 		auf_null,	0,
570 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
571 		auf_null,	0,
572 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
573 		auf_null,	0,
574 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
575 		auf_null,	0,
576 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
577 		auf_null,	0,
578 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
579 		auf_null,	0,
580 aui_null,	AUE_NULL,	aus_null,	/* 182 (loadable) */
581 		auf_null,	0,
582 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
583 		auf_null,	0,
584 aui_null,	AUE_NULL,	aus_null,	/* 184 (loadable) tsolsys */
585 		auf_null,	0,
586 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
587 		auf_null,	0,
588 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
589 		auf_null,	0,
590 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
591 		auf_null,	0,		/* 187 processor_bind */
592 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
593 		auf_null,	0,
594 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
595 		auf_null,	0,
596 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
597 		auf_null,	0,
598 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
599 		auf_null,	0,
600 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
601 		auf_null,	0,
602 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
603 		auf_null,	0,
604 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
605 		auf_null,	0,
606 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
607 		auf_null,	0,
608 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
609 		auf_null,	0,
610 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
611 		auf_null,	0,
612 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
613 		auf_null,	0,
614 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
615 		auf_null,	0,
616 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
617 		auf_null,	0,
618 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
619 		auf_null,	0,
620 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
621 		auf_null,	0,
622 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
623 		auf_null,	0,
624 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
625 		auf_null,	0,
626 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
627 		auf_null,	0,
628 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
629 		auf_null,	0,
630 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
631 		auf_null,	0,
632 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
633 		auf_null,	0,
634 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
635 		auf_null,	0,
636 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
637 		auf_null,	0,
638 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
639 		auf_null,	0,
640 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
641 		auf_null,	0,
642 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
643 		auf_null,	0,
644 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
645 		auf_null,	0,
646 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
647 		auf_null,	S2E_PUB,
648 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
649 		auf_null,	S2E_PUB,
650 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
651 		auf_null,	0,
652 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
653 		auf_null,	S2E_PUB,
654 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
655 		auf_null,	0,
656 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
657 		auf_null,	0,
658 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
659 		auf_null,	0,
660 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
661 		auf_read,	S2E_PUB,
662 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
663 		auf_write,	0,
664 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
665 		auf_null,	S2E_SP,
666 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
667 		auf_null,	S2E_SP,
668 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
669 		auf_null,	0,
670 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
671 		auf_null,	0,
672 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
673 		auf_null,	0,
674 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
675 		auf_null,	0,
676 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
677 		auf_null,	0,
678 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
679 		auf_null,	0,
680 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
681 		auf_bind,	0,
682 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
683 		auf_null,	0,
684 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
685 		auf_accept,	0,
686 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
687 		auf_connect,	0,
688 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
689 		auf_null,	0,
690 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
691 		auf_recv,	0,
692 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
693 		auf_recvfrom,	0,
694 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
695 		auf_recvmsg,	0,
696 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
697 		auf_send,	0,
698 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
699 		auf_sendmsg,	0,
700 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
701 		auf_sendto,	0,
702 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
703 		auf_null,	0,
704 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
705 		auf_null,	0,
706 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
707 		auf_null,	0,
708 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
709 		auf_setsockopt,	0,
710 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
711 		auf_null,	0,
712 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
713 		auf_null,	0,
714 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
715 		auf_null,	0,
716 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
717 		auf_null,	0,
718 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
719 		auf_null,	0,
720 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
721 		auf_null,	0,
722 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
723 		auf_null,	0,
724 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
725 		auf_null,	0,
726 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
727 		auf_null,	0
728 };
729 
730 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
731 
732 char *so_not_bound = "socket not bound";
733 char *so_not_conn  = "socket not connected";
734 char *so_bad_addr  = "bad socket address";
735 char *so_bad_peer_addr  = "bad peer address";
736 
737 /* null start function */
738 /*ARGSUSED*/
739 static void
740 aus_null(struct t_audit_data *tad)
741 {
742 }
743 
744 /* acct start function */
745 /*ARGSUSED*/
746 static void
747 aus_acct(struct t_audit_data *tad)
748 {
749 	klwp_t *clwp = ttolwp(curthread);
750 	uintptr_t fname;
751 
752 	struct a {
753 		long	fname;		/* char * */
754 	} *uap = (struct a *)clwp->lwp_ap;
755 
756 	fname = (uintptr_t)uap->fname;
757 
758 	if (fname == 0)
759 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
760 }
761 
762 /* chown start function */
763 /*ARGSUSED*/
764 static void
765 aus_chown(struct t_audit_data *tad)
766 {
767 	klwp_t *clwp = ttolwp(curthread);
768 	uint32_t uid, gid;
769 
770 	struct a {
771 		long	fname;		/* char * */
772 		long	uid;
773 		long	gid;
774 	} *uap = (struct a *)clwp->lwp_ap;
775 
776 	uid = (uint32_t)uap->uid;
777 	gid = (uint32_t)uap->gid;
778 
779 	au_uwrite(au_to_arg32(2, "new file uid", uid));
780 	au_uwrite(au_to_arg32(3, "new file gid", gid));
781 }
782 
783 /* fchown start function */
784 /*ARGSUSED*/
785 static void
786 aus_fchown(struct t_audit_data *tad)
787 {
788 	klwp_t *clwp = ttolwp(curthread);
789 	uint32_t uid, gid, fd;
790 	struct file  *fp;
791 	struct vnode *vp;
792 	struct f_audit_data *fad;
793 
794 	struct a {
795 		long fd;
796 		long uid;
797 		long gid;
798 	} *uap = (struct a *)clwp->lwp_ap;
799 
800 	fd  = (uint32_t)uap->fd;
801 	uid = (uint32_t)uap->uid;
802 	gid = (uint32_t)uap->gid;
803 
804 	au_uwrite(au_to_arg32(2, "new file uid", uid));
805 	au_uwrite(au_to_arg32(3, "new file gid", gid));
806 
807 		/*
808 		 * convert file pointer to file descriptor
809 		 *   Note: fd ref count incremented here.
810 		 */
811 	if ((fp = getf(fd)) == NULL)
812 		return;
813 
814 	/* get path from file struct here */
815 	fad = F2A(fp);
816 	if (fad->fad_aupath != NULL) {
817 		au_uwrite(au_to_path(fad->fad_aupath));
818 	} else {
819 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
820 	}
821 
822 	vp = fp->f_vnode;
823 	audit_attributes(vp);
824 
825 	/* decrement file descriptor reference count */
826 	releasef(fd);
827 }
828 
829 /*ARGSUSED*/
830 static void
831 aus_lchown(struct t_audit_data *tad)
832 {
833 	klwp_t *clwp = ttolwp(curthread);
834 	uint32_t uid, gid;
835 
836 
837 	struct a {
838 		long	fname;		/* char	* */
839 		long	uid;
840 		long	gid;
841 	} *uap = (struct a *)clwp->lwp_ap;
842 
843 	uid = (uint32_t)uap->uid;
844 	gid = (uint32_t)uap->gid;
845 
846 	au_uwrite(au_to_arg32(2, "new file uid", uid));
847 	au_uwrite(au_to_arg32(3, "new file gid", gid));
848 }
849 
850 /* chmod start function */
851 /*ARGSUSED*/
852 static void
853 aus_chmod(struct t_audit_data *tad)
854 {
855 	klwp_t *clwp = ttolwp(curthread);
856 	uint32_t fmode;
857 
858 	struct a {
859 		long	fname;		/* char	* */
860 		long	fmode;
861 	} *uap = (struct a *)clwp->lwp_ap;
862 
863 	fmode = (uint32_t)uap->fmode;
864 
865 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
866 }
867 
868 /* chmod start function */
869 /*ARGSUSED*/
870 static void
871 aus_fchmod(struct t_audit_data *tad)
872 {
873 	klwp_t *clwp = ttolwp(curthread);
874 	uint32_t fmode, fd;
875 	struct file  *fp;
876 	struct vnode *vp;
877 	struct f_audit_data *fad;
878 
879 	struct a {
880 		long	fd;
881 		long	fmode;
882 	} *uap = (struct a *)clwp->lwp_ap;
883 
884 	fd = (uint32_t)uap->fd;
885 	fmode = (uint32_t)uap->fmode;
886 
887 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
888 
889 		/*
890 		 * convert file pointer to file descriptor
891 		 *   Note: fd ref count incremented here.
892 		 */
893 	if ((fp = getf(fd)) == NULL)
894 		return;
895 
896 		/* get path from file struct here */
897 	fad = F2A(fp);
898 	if (fad->fad_aupath != NULL) {
899 		au_uwrite(au_to_path(fad->fad_aupath));
900 	} else {
901 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
902 	}
903 
904 	vp = fp->f_vnode;
905 	audit_attributes(vp);
906 
907 	/* decrement file descriptor reference count */
908 	releasef(fd);
909 }
910 
911 /* null function */
912 /*ARGSUSED*/
913 static void
914 auf_null(struct t_audit_data *tad, int error, rval_t *rval)
915 {
916 }
917 
918 /* null function */
919 static au_event_t
920 aui_null(au_event_t e)
921 {
922 	return (e);
923 }
924 
925 /* convert open to appropriate event */
926 static au_event_t
927 aui_open(au_event_t e)
928 {
929 	klwp_t *clwp = ttolwp(curthread);
930 	uint_t fm;
931 
932 	struct a {
933 		long	fnamep;		/* char	* */
934 		long	fmode;
935 		long	cmode;
936 	} *uap = (struct a *)clwp->lwp_ap;
937 
938 	fm = (uint_t)uap->fmode;
939 
940 	if (fm & O_WRONLY)
941 		e = AUE_OPEN_W;
942 	else if (fm & O_RDWR)
943 		e = AUE_OPEN_RW;
944 	else
945 		e = AUE_OPEN_R;
946 
947 	if (fm & O_CREAT)
948 		e += 1;
949 	if (fm & O_TRUNC)
950 		e += 2;
951 
952 	return (e);
953 }
954 
955 /*ARGSUSED*/
956 static void
957 aus_open(struct t_audit_data *tad)
958 {
959 	klwp_t *clwp = ttolwp(curthread);
960 	uint_t fm;
961 
962 	struct a {
963 		long	fnamep;		/* char	* */
964 		long	fmode;
965 		long	cmode;
966 	} *uap = (struct a *)clwp->lwp_ap;
967 
968 	fm = (uint_t)uap->fmode;
969 
970 	/* If no write, create, or trunc modes, mark as a public op */
971 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
972 		tad->tad_ctrl |= PAD_PUBLIC_EV;
973 }
974 
975 /* convert openat(2) to appropriate event */
976 static au_event_t
977 aui_fsat(au_event_t e)
978 {
979 	t_audit_data_t	*tad = U2A(u);
980 	klwp_t *clwp = ttolwp(curthread);
981 	uint_t fmcode, fm;
982 	struct a {
983 		long id;
984 		long arg1;
985 		long arg2;
986 		long arg3;
987 		long arg4;
988 		long arg5;
989 	} *uap = (struct a *)clwp->lwp_ap;
990 
991 	fmcode  = (uint_t)uap->id;
992 
993 	switch (fmcode) {
994 
995 	case 0: /* openat */
996 	case 1: /* openat64 */
997 		fm = (uint_t)uap->arg3;
998 		if (fm & O_WRONLY)
999 			e = AUE_OPENAT_W;
1000 		else if (fm & O_RDWR)
1001 			e = AUE_OPENAT_RW;
1002 		else
1003 			e = AUE_OPENAT_R;
1004 
1005 		/*
1006 		 * openat modes are defined in the following order:
1007 		 * Read only
1008 		 * Read|Create
1009 		 * Read|Trunc
1010 		 * Read|Create|Trunc
1011 		 * Write Only
1012 		 * Write|Create
1013 		 * Write|Trunc
1014 		 * Write|Create|Trunc * RW Only
1015 		 * RW|Create
1016 		 * RW|Trunc
1017 		 * RW|Create|Trunc
1018 		 */
1019 		if (fm & O_CREAT)
1020 			e += 1;		/* increment to include CREAT in mode */
1021 		if (fm & O_TRUNC)
1022 			e += 2;		/* increment to include TRUNC in mode */
1023 
1024 		/* convert to appropriate au_ctrl */
1025 		tad->tad_ctrl |= PAD_SAVPATH;
1026 		if (fm & FXATTR)
1027 			tad->tad_ctrl |= PAD_ATPATH;
1028 
1029 
1030 		break;
1031 	case 2: /* fstatat64 */
1032 	case 3: /* fstatat */
1033 		e = AUE_FSTATAT;
1034 		break;
1035 	case 4: /* fchownat */
1036 		e = AUE_FCHOWNAT;
1037 		break;
1038 	case 5: /* unlinkat */
1039 		e = AUE_UNLINKAT;
1040 		break;
1041 	case 6: /* futimesat */
1042 		e = AUE_FUTIMESAT;
1043 		break;
1044 	case 7: /* renameat */
1045 		e = AUE_RENAMEAT;
1046 		break;
1047 	default:
1048 		e = AUE_NULL;
1049 		break;
1050 	}
1051 
1052 	return (e);
1053 }
1054 
1055 /*ARGSUSED*/
1056 static void
1057 aus_fsat(struct t_audit_data *tad)
1058 {
1059 	klwp_t *clwp = ttolwp(curthread);
1060 	uint_t fmcode, fm;
1061 	struct a {
1062 		long id;
1063 		long arg1;
1064 		long arg2;
1065 		long arg3;
1066 		long arg4;
1067 		long arg5;
1068 	} *uap = (struct a *)clwp->lwp_ap;
1069 
1070 	fmcode  = (uint_t)uap->id;
1071 
1072 	switch (fmcode) {
1073 
1074 	case 0: /* openat */
1075 	case 1: /* openat64 */
1076 		fm = (uint_t)uap->arg3;
1077 		/* If no write, create, or trunc modes, mark as a public op */
1078 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1079 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1080 
1081 		break;
1082 	case 2: /* fstatat64 */
1083 	case 3: /* fstatat */
1084 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1085 		break;
1086 	default:
1087 		break;
1088 	}
1089 }
1090 
1091 /* msgsys */
1092 static au_event_t
1093 aui_msgsys(au_event_t e)
1094 {
1095 	klwp_t *clwp = ttolwp(curthread);
1096 	uint_t fm;
1097 
1098 	struct a {
1099 		long	id;	/* function code id */
1100 		long	ap;	/* arg pointer for recvmsg */
1101 	} *uap = (struct a *)clwp->lwp_ap;
1102 
1103 	struct b {
1104 		long	msgid;
1105 		long	cmd;
1106 		long	buf;	/* struct msqid_ds * */
1107 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1108 
1109 	fm  = (uint_t)uap->id;
1110 
1111 	switch (fm) {
1112 	case 0:		/* msgget */
1113 		e = AUE_MSGGET;
1114 		break;
1115 	case 1:		/* msgctl */
1116 		switch ((uint_t)uap1->cmd) {
1117 		case IPC_RMID:
1118 			e = AUE_MSGCTL_RMID;
1119 			break;
1120 		case IPC_SET:
1121 			e = AUE_MSGCTL_SET;
1122 			break;
1123 		case IPC_STAT:
1124 			e = AUE_MSGCTL_STAT;
1125 			break;
1126 		default:
1127 			e = AUE_MSGCTL;
1128 			break;
1129 		}
1130 		break;
1131 	case 2:		/* msgrcv */
1132 		e = AUE_MSGRCV;
1133 		break;
1134 	case 3:		/* msgsnd */
1135 		e = AUE_MSGSND;
1136 		break;
1137 	default:	/* illegal system call */
1138 		e = AUE_NULL;
1139 		break;
1140 	}
1141 
1142 	return (e);
1143 }
1144 
1145 
1146 /* shmsys */
1147 static au_event_t
1148 aui_shmsys(au_event_t e)
1149 {
1150 	klwp_t *clwp = ttolwp(curthread);
1151 	int fm;
1152 
1153 	struct a {		/* shmsys */
1154 		long	id;	/* function code id */
1155 	} *uap = (struct a *)clwp->lwp_ap;
1156 
1157 	struct b {		/* ctrl */
1158 		long	shmid;
1159 		long	cmd;
1160 		long	arg;		/* struct shmid_ds * */
1161 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1162 	fm  = (uint_t)uap->id;
1163 
1164 	switch (fm) {
1165 	case 0:		/* shmat */
1166 		e = AUE_SHMAT;
1167 		break;
1168 	case 1:		/* shmctl */
1169 		switch ((uint_t)uap1->cmd) {
1170 		case IPC_RMID:
1171 			e = AUE_SHMCTL_RMID;
1172 			break;
1173 		case IPC_SET:
1174 			e = AUE_SHMCTL_SET;
1175 			break;
1176 		case IPC_STAT:
1177 			e = AUE_SHMCTL_STAT;
1178 			break;
1179 		default:
1180 			e = AUE_SHMCTL;
1181 			break;
1182 		}
1183 		break;
1184 	case 2:		/* shmdt */
1185 		e = AUE_SHMDT;
1186 		break;
1187 	case 3:		/* shmget */
1188 		e = AUE_SHMGET;
1189 		break;
1190 	default:	/* illegal system call */
1191 		e = AUE_NULL;
1192 		break;
1193 	}
1194 
1195 	return (e);
1196 }
1197 
1198 
1199 /* semsys */
1200 static au_event_t
1201 aui_semsys(au_event_t e)
1202 {
1203 	klwp_t *clwp = ttolwp(curthread);
1204 	uint_t fm;
1205 
1206 	struct a {		/* semsys */
1207 		long	id;
1208 	} *uap = (struct a *)clwp->lwp_ap;
1209 
1210 	struct b {		/* ctrl */
1211 		long	semid;
1212 		long	semnum;
1213 		long	cmd;
1214 		long	arg;
1215 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1216 
1217 	fm = (uint_t)uap->id;
1218 
1219 	switch (fm) {
1220 	case 0:		/* semctl */
1221 		switch ((uint_t)uap1->cmd) {
1222 		case IPC_RMID:
1223 			e = AUE_SEMCTL_RMID;
1224 			break;
1225 		case IPC_SET:
1226 			e = AUE_SEMCTL_SET;
1227 			break;
1228 		case IPC_STAT:
1229 			e = AUE_SEMCTL_STAT;
1230 			break;
1231 		case GETNCNT:
1232 			e = AUE_SEMCTL_GETNCNT;
1233 			break;
1234 		case GETPID:
1235 			e = AUE_SEMCTL_GETPID;
1236 			break;
1237 		case GETVAL:
1238 			e = AUE_SEMCTL_GETVAL;
1239 			break;
1240 		case GETALL:
1241 			e = AUE_SEMCTL_GETALL;
1242 			break;
1243 		case GETZCNT:
1244 			e = AUE_SEMCTL_GETZCNT;
1245 			break;
1246 		case SETVAL:
1247 			e = AUE_SEMCTL_SETVAL;
1248 			break;
1249 		case SETALL:
1250 			e = AUE_SEMCTL_SETALL;
1251 			break;
1252 		default:
1253 			e = AUE_SEMCTL;
1254 			break;
1255 		}
1256 		break;
1257 	case 1:		/* semget */
1258 		e = AUE_SEMGET;
1259 		break;
1260 	case 2:		/* semop */
1261 		e = AUE_SEMOP;
1262 		break;
1263 	default:	/* illegal system call */
1264 		e = AUE_NULL;
1265 		break;
1266 	}
1267 
1268 	return (e);
1269 }
1270 
1271 /* utssys - uname(2), ustat(2), fusers(2) */
1272 static au_event_t
1273 aui_utssys(au_event_t e)
1274 {
1275 	klwp_t *clwp = ttolwp(curthread);
1276 	uint_t type;
1277 
1278 	struct a {
1279 		union {
1280 			long	cbuf;		/* char * */
1281 			long	ubuf;		/* struct stat * */
1282 		} ub;
1283 		union {
1284 			long	mv;	/* for USTAT */
1285 			long	flags;	/* for FUSERS */
1286 		} un;
1287 		long	type;
1288 		long	outbp;		/* char * for FUSERS */
1289 	} *uap = (struct a *)clwp->lwp_ap;
1290 
1291 	type = (uint_t)uap->type;
1292 
1293 	if (type == UTS_FUSERS)
1294 		return (e);
1295 	else
1296 		return ((au_event_t)AUE_NULL);
1297 }
1298 
1299 static au_event_t
1300 aui_fcntl(au_event_t e)
1301 {
1302 	klwp_t *clwp = ttolwp(curthread);
1303 	uint_t cmd;
1304 
1305 	struct a {
1306 		long	fdes;
1307 		long	cmd;
1308 		long	arg;
1309 	} *uap = (struct a *)clwp->lwp_ap;
1310 
1311 	cmd = (uint_t)uap->cmd;
1312 
1313 	switch (cmd) {
1314 	case F_GETLK:
1315 	case F_SETLK:
1316 	case F_SETLKW:
1317 		break;
1318 	case F_SETFL:
1319 	case F_GETFL:
1320 	case F_GETFD:
1321 		break;
1322 	default:
1323 		e = (au_event_t)AUE_NULL;
1324 		break;
1325 	}
1326 	return ((au_event_t)e);
1327 }
1328 
1329 /* null function for now */
1330 static au_event_t
1331 aui_execv(au_event_t e)
1332 {
1333 	return (e);
1334 }
1335 
1336 /* null function for now */
1337 static au_event_t
1338 aui_execve(au_event_t e)
1339 {
1340 	return (e);
1341 }
1342 
1343 /*ARGSUSED*/
1344 static void
1345 aus_fcntl(struct t_audit_data *tad)
1346 {
1347 	klwp_t *clwp = ttolwp(curthread);
1348 	uint32_t cmd, fd;
1349 	struct file  *fp;
1350 	struct vnode *vp;
1351 	struct f_audit_data *fad;
1352 
1353 	struct a {
1354 		long	fd;
1355 		long	cmd;
1356 		long	arg;
1357 	} *uap = (struct a *)clwp->lwp_ap;
1358 
1359 	cmd = (uint32_t)uap->cmd;
1360 	fd  = (uint32_t)uap->fd;
1361 
1362 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1363 
1364 		/*
1365 		 * convert file pointer to file descriptor
1366 		 *   Note: fd ref count incremented here.
1367 		 */
1368 	if ((fp = getf(fd)) == NULL)
1369 		return;
1370 
1371 	/* get path from file struct here */
1372 	fad = F2A(fp);
1373 	if (fad->fad_aupath != NULL) {
1374 		au_uwrite(au_to_path(fad->fad_aupath));
1375 	} else {
1376 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1377 	}
1378 
1379 	vp = fp->f_vnode;
1380 	audit_attributes(vp);
1381 
1382 	/* decrement file descriptor reference count */
1383 	releasef(fd);
1384 }
1385 
1386 /*ARGSUSED*/
1387 static void
1388 aus_kill(struct t_audit_data *tad)
1389 {
1390 	klwp_t *clwp = ttolwp(curthread);
1391 	struct proc *p;
1392 	uint32_t signo;
1393 	uid_t uid, ruid;
1394 	gid_t gid, rgid;
1395 	pid_t pid;
1396 	const auditinfo_addr_t *ainfo;
1397 	cred_t *cr;
1398 
1399 	struct a {
1400 		long	pid;
1401 		long	signo;
1402 	} *uap = (struct a *)clwp->lwp_ap;
1403 
1404 	pid   = (pid_t)uap->pid;
1405 	signo = (uint32_t)uap->signo;
1406 
1407 	au_uwrite(au_to_arg32(2, "signal", signo));
1408 	if (pid > 0) {
1409 		mutex_enter(&pidlock);
1410 		if (((p = prfind(pid)) == (struct proc *)0) ||
1411 		    (p->p_stat == SIDL)) {
1412 			mutex_exit(&pidlock);
1413 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1414 			return;
1415 		}
1416 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1417 		mutex_exit(&pidlock);
1418 
1419 		mutex_enter(&p->p_crlock);
1420 		crhold(cr = p->p_cred);
1421 		mutex_exit(&p->p_crlock);
1422 		mutex_exit(&p->p_lock);
1423 
1424 		ainfo = crgetauinfo(cr);
1425 		if (ainfo == NULL) {
1426 			crfree(cr);
1427 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1428 			return;
1429 		}
1430 
1431 		uid  = crgetuid(cr);
1432 		gid  = crgetgid(cr);
1433 		ruid = crgetruid(cr);
1434 		rgid = crgetrgid(cr);
1435 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1436 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1437 
1438 		if (is_system_labeled())
1439 			au_uwrite(au_to_label(CR_SL(cr)));
1440 
1441 		crfree(cr);
1442 	}
1443 	else
1444 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1445 }
1446 
1447 /*ARGSUSED*/
1448 static void
1449 aus_mkdir(struct t_audit_data *tad)
1450 {
1451 	klwp_t *clwp = ttolwp(curthread);
1452 	uint32_t dmode;
1453 
1454 	struct a {
1455 		long	dirnamep;		/* char * */
1456 		long	dmode;
1457 	} *uap = (struct a *)clwp->lwp_ap;
1458 
1459 	dmode = (uint32_t)uap->dmode;
1460 
1461 	au_uwrite(au_to_arg32(2, "mode", dmode));
1462 }
1463 
1464 /*ARGSUSED*/
1465 static void
1466 aus_mknod(struct t_audit_data *tad)
1467 {
1468 	klwp_t *clwp = ttolwp(curthread);
1469 	uint32_t fmode;
1470 	dev_t dev;
1471 
1472 	struct a {
1473 		long	pnamep;		/* char * */
1474 		long	fmode;
1475 		long	dev;
1476 	} *uap = (struct a *)clwp->lwp_ap;
1477 
1478 	fmode = (uint32_t)uap->fmode;
1479 	dev   = (dev_t)uap->dev;
1480 
1481 	au_uwrite(au_to_arg32(2, "mode", fmode));
1482 #ifdef _LP64
1483 	au_uwrite(au_to_arg64(3, "dev", dev));
1484 #else
1485 	au_uwrite(au_to_arg32(3, "dev", dev));
1486 #endif
1487 }
1488 
1489 /*ARGSUSED*/
1490 static void
1491 aus_xmknod(struct t_audit_data *tad)
1492 {
1493 	klwp_t *clwp = ttolwp(curthread);
1494 	uint32_t fmode;
1495 	dev_t dev;
1496 
1497 	struct a {
1498 		long	version;	/* version */
1499 		long	pnamep;		/* char * */
1500 		long	fmode;
1501 		long	dev;
1502 	} *uap = (struct a *)clwp->lwp_ap;
1503 
1504 	fmode = (uint32_t)uap->fmode;
1505 	dev   = (dev_t)uap->dev;
1506 
1507 	au_uwrite(au_to_arg32(2, "mode", fmode));
1508 #ifdef _LP64
1509 	au_uwrite(au_to_arg64(3, "dev", dev));
1510 #else
1511 	au_uwrite(au_to_arg32(3, "dev", dev));
1512 #endif
1513 }
1514 
1515 /*ARGSUSED*/
1516 static void
1517 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1518 {
1519 	klwp_t *clwp = ttolwp(curthread);
1520 	vnode_t	*dvp;
1521 	caddr_t pnamep;
1522 
1523 	struct a {
1524 		long	pnamep;		/* char * */
1525 		long	fmode;
1526 		long	dev;
1527 	} *uap = (struct a *)clwp->lwp_ap;
1528 
1529 	/* no error, then already path token in audit record */
1530 	if (error != EPERM)
1531 		return;
1532 
1533 	/* not auditing this event, nothing then to do */
1534 	if (tad->tad_flag == 0)
1535 		return;
1536 
1537 	/* do the lookup to force generation of path token */
1538 	pnamep = (caddr_t)uap->pnamep;
1539 	tad->tad_ctrl |= PAD_NOATTRB;
1540 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1541 	if (error == 0)
1542 		VN_RELE(dvp);
1543 }
1544 
1545 /*ARGSUSED*/
1546 static void
1547 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1548 {
1549 	klwp_t *clwp = ttolwp(curthread);
1550 	vnode_t	*dvp;
1551 	caddr_t pnamep;
1552 
1553 	struct a {
1554 		long	version;	/* version */
1555 		long	pnamep;		/* char * */
1556 		long	fmode;
1557 		long	dev;
1558 	} *uap = (struct a *)clwp->lwp_arg;
1559 
1560 
1561 	/* no error, then already path token in audit record */
1562 	if (error != EPERM)
1563 		return;
1564 
1565 	/* not auditing this event, nothing then to do */
1566 	if (tad->tad_flag == 0)
1567 		return;
1568 
1569 	/* do the lookup to force generation of path token */
1570 	pnamep = (caddr_t)uap->pnamep;
1571 	tad->tad_ctrl |= PAD_NOATTRB;
1572 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1573 	if (error == 0)
1574 		VN_RELE(dvp);
1575 }
1576 
1577 /*ARGSUSED*/
1578 static void
1579 aus_mount(struct t_audit_data *tad)
1580 {	/* AUS_START */
1581 	klwp_t *clwp = ttolwp(curthread);
1582 	uint32_t flags;
1583 	uintptr_t u_fstype, dataptr;
1584 	STRUCT_DECL(nfs_args, nfsargs);
1585 	size_t len;
1586 	char *fstype, *hostname;
1587 
1588 	struct a {
1589 		long	spec;		/* char    * */
1590 		long	dir;		/* char    * */
1591 		long	flags;
1592 		long	fstype;		/* char    * */
1593 		long	dataptr;	/* char    * */
1594 		long	datalen;
1595 	} *uap = (struct a *)clwp->lwp_ap;
1596 
1597 	u_fstype = (uintptr_t)uap->fstype;
1598 	flags    = (uint32_t)uap->flags;
1599 	dataptr  = (uintptr_t)uap->dataptr;
1600 
1601 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1602 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1603 		goto mount_free_fstype;
1604 
1605 	au_uwrite(au_to_arg32(3, "flags", flags));
1606 	au_uwrite(au_to_text(fstype));
1607 
1608 	if (strncmp(fstype, "nfs", 3) == 0) {
1609 
1610 		STRUCT_INIT(nfsargs, get_udatamodel());
1611 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1612 
1613 		if (copyin((caddr_t)dataptr,
1614 				STRUCT_BUF(nfsargs),
1615 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1616 			/* DEBUG debug_enter((char *)NULL); */
1617 			goto mount_free_fstype;
1618 		}
1619 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1620 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1621 				(caddr_t)hostname,
1622 				MAXNAMELEN, &len)) {
1623 			goto mount_free_hostname;
1624 		}
1625 		au_uwrite(au_to_text(hostname));
1626 		au_uwrite(au_to_arg32(3, "internal flags",
1627 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1628 
1629 mount_free_hostname:
1630 		kmem_free(hostname, MAXNAMELEN);
1631 	}
1632 
1633 mount_free_fstype:
1634 	kmem_free(fstype, MAXNAMELEN);
1635 }	/* AUS_MOUNT */
1636 
1637 static void
1638 aus_umount_path(caddr_t umount_dir)
1639 {
1640 	char			*dir_path;
1641 	struct audit_path	*path;
1642 	size_t			path_len, dir_len;
1643 
1644 	/* length alloc'd for two string pointers */
1645 	path_len = sizeof (struct audit_path) + sizeof (char *);
1646 	path = kmem_alloc(path_len, KM_SLEEP);
1647 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1648 
1649 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1650 	    MAXPATHLEN, &dir_len))
1651 		goto umount2_free_dir;
1652 
1653 	/*
1654 	 * the audit_path struct assumes that the buffer pointed to
1655 	 * by audp_sect[n] contains string 0 immediatedly followed
1656 	 * by string 1.
1657 	 */
1658 	path->audp_sect[0] = dir_path;
1659 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1660 	path->audp_size = path_len;
1661 	path->audp_ref = 1;		/* not used */
1662 	path->audp_cnt = 1;		/* one path string */
1663 
1664 	au_uwrite(au_to_path(path));
1665 
1666 umount2_free_dir:
1667 	kmem_free(dir_path, MAXPATHLEN);
1668 	kmem_free(path, path_len);
1669 }
1670 
1671 /*
1672  * the umount syscall is implemented as a call to umount2, but the args
1673  * are different...
1674  */
1675 
1676 /*ARGSUSED*/
1677 static void
1678 aus_umount(struct t_audit_data *tad)
1679 {
1680 	klwp_t			*clwp = ttolwp(curthread);
1681 	struct a {
1682 		long	dir;		/* char    * */
1683 	} *uap = (struct a *)clwp->lwp_ap;
1684 
1685 	aus_umount_path((caddr_t)uap->dir);
1686 }
1687 
1688 /*ARGSUSED*/
1689 static void
1690 aus_umount2(struct t_audit_data *tad)
1691 {
1692 	klwp_t			*clwp = ttolwp(curthread);
1693 	struct a {
1694 		long	dir;		/* char    * */
1695 		long	flags;
1696 	} *uap = (struct a *)clwp->lwp_ap;
1697 
1698 	aus_umount_path((caddr_t)uap->dir);
1699 
1700 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1701 }
1702 
1703 static void
1704 aus_msgsys(struct t_audit_data *tad)
1705 {
1706 	klwp_t *clwp = ttolwp(curthread);
1707 	uint32_t msgid;
1708 
1709 	struct b {
1710 		long	msgid;
1711 		long	cmd;
1712 		long	buf;		/* struct msqid_ds * */
1713 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1714 
1715 	msgid = (uint32_t)uap1->msgid;
1716 
1717 
1718 	switch (tad->tad_event) {
1719 	case AUE_MSGGET:		/* msgget */
1720 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1721 		break;
1722 	case AUE_MSGCTL:		/* msgctl */
1723 	case AUE_MSGCTL_RMID:		/* msgctl */
1724 	case AUE_MSGCTL_STAT:		/* msgctl */
1725 	case AUE_MSGRCV:		/* msgrcv */
1726 	case AUE_MSGSND:		/* msgsnd */
1727 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1728 		break;
1729 	case AUE_MSGCTL_SET:		/* msgctl */
1730 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1731 		break;
1732 	}
1733 }
1734 
1735 /*ARGSUSED*/
1736 static void
1737 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1738 {
1739 	int id;
1740 
1741 	if (error != 0)
1742 		return;
1743 	if (tad->tad_event == AUE_MSGGET) {
1744 		uint32_t scid;
1745 		uint32_t sy_flags;
1746 
1747 		/* need to determine type of executing binary */
1748 		scid = tad->tad_scid;
1749 #ifdef _SYSCALL32_IMPL
1750 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1751 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1752 		else
1753 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1754 #else
1755 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1756 #endif
1757 		if (sy_flags == SE_32RVAL1)
1758 			id = rval->r_val1;
1759 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1760 			id = rval->r_val1;
1761 		if (sy_flags == SE_64RVAL)
1762 			id = (int)rval->r_vals;
1763 
1764 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1765 	}
1766 }
1767 
1768 static void
1769 aus_semsys(struct t_audit_data *tad)
1770 {
1771 	klwp_t *clwp = ttolwp(curthread);
1772 	uint32_t semid;
1773 
1774 	struct b {		/* ctrl */
1775 		long	semid;
1776 		long	semnum;
1777 		long	cmd;
1778 		long	arg;
1779 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1780 
1781 	semid = (uint32_t)uap1->semid;
1782 
1783 	switch (tad->tad_event) {
1784 	case AUE_SEMCTL_RMID:
1785 	case AUE_SEMCTL_STAT:
1786 	case AUE_SEMCTL_GETNCNT:
1787 	case AUE_SEMCTL_GETPID:
1788 	case AUE_SEMCTL_GETVAL:
1789 	case AUE_SEMCTL_GETALL:
1790 	case AUE_SEMCTL_GETZCNT:
1791 	case AUE_SEMCTL_SETVAL:
1792 	case AUE_SEMCTL_SETALL:
1793 	case AUE_SEMCTL:
1794 	case AUE_SEMOP:
1795 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1796 		break;
1797 	case AUE_SEMCTL_SET:
1798 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1799 		break;
1800 	case AUE_SEMGET:
1801 		au_uwrite(au_to_arg32(1, "sem key", semid));
1802 		break;
1803 	}
1804 }
1805 
1806 /*ARGSUSED*/
1807 static void
1808 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1809 {
1810 	int id;
1811 
1812 	if (error != 0)
1813 		return;
1814 	if (tad->tad_event == AUE_SEMGET) {
1815 		uint32_t scid;
1816 		uint32_t sy_flags;
1817 
1818 		/* need to determine type of executing binary */
1819 		scid = tad->tad_scid;
1820 #ifdef _SYSCALL32_IMPL
1821 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1822 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1823 		else
1824 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1825 #else
1826 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1827 #endif
1828 		if (sy_flags == SE_32RVAL1)
1829 			id = rval->r_val1;
1830 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1831 			id = rval->r_val1;
1832 		if (sy_flags == SE_64RVAL)
1833 			id = (int)rval->r_vals;
1834 
1835 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1836 	}
1837 }
1838 
1839 /*ARGSUSED*/
1840 static void
1841 aus_close(struct t_audit_data *tad)
1842 {
1843 	klwp_t *clwp = ttolwp(curthread);
1844 	uint32_t fd;
1845 	struct file *fp;
1846 	struct f_audit_data *fad;
1847 	struct vnode *vp;
1848 	struct vattr attr;
1849 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1850 
1851 	struct a {
1852 		long	i;
1853 	} *uap = (struct a *)clwp->lwp_ap;
1854 
1855 	fd = (uint32_t)uap->i;
1856 
1857 	attr.va_mask = 0;
1858 	au_uwrite(au_to_arg32(1, "fd", fd));
1859 
1860 		/*
1861 		 * convert file pointer to file descriptor
1862 		 *   Note: fd ref count incremented here.
1863 		 */
1864 	if ((fp = getf(fd)) == NULL)
1865 		return;
1866 
1867 	fad = F2A(fp);
1868 	tad->tad_evmod = (short)fad->fad_flags;
1869 	if (fad->fad_aupath != NULL) {
1870 		au_uwrite(au_to_path(fad->fad_aupath));
1871 		if ((vp = fp->f_vnode) != NULL) {
1872 			attr.va_mask = AT_ALL;
1873 			if (VOP_GETATTR(vp, &attr, 0, CRED()) == 0) {
1874 				/*
1875 				 * When write was not used and the file can be
1876 				 * considered public, skip the audit.
1877 				 */
1878 				if (((fp->f_flag & FWRITE) == 0) &&
1879 				    file_is_public(&attr)) {
1880 					tad->tad_flag = 0;
1881 					tad->tad_evmod = 0;
1882 					/* free any residual audit data */
1883 					au_close(kctx, &(u_ad), 0, 0, 0);
1884 					releasef(fd);
1885 					return;
1886 				}
1887 				au_uwrite(au_to_attr(&attr));
1888 				audit_sec_attributes(&(u_ad), vp);
1889 			}
1890 		}
1891 	}
1892 
1893 	/* decrement file descriptor reference count */
1894 	releasef(fd);
1895 }
1896 
1897 /*ARGSUSED*/
1898 static void
1899 aus_fstatfs(struct t_audit_data *tad)
1900 {
1901 	klwp_t *clwp = ttolwp(curthread);
1902 	uint32_t fd;
1903 	struct file  *fp;
1904 	struct vnode *vp;
1905 	struct f_audit_data *fad;
1906 
1907 	struct a {
1908 		long	fd;
1909 		long	buf;		/* struct statfs * */
1910 	} *uap = (struct a *)clwp->lwp_ap;
1911 
1912 	fd = (uint_t)uap->fd;
1913 
1914 		/*
1915 		 * convert file pointer to file descriptor
1916 		 *   Note: fd ref count incremented here.
1917 		 */
1918 	if ((fp = getf(fd)) == NULL)
1919 		return;
1920 
1921 		/* get path from file struct here */
1922 	fad = F2A(fp);
1923 	if (fad->fad_aupath != NULL) {
1924 		au_uwrite(au_to_path(fad->fad_aupath));
1925 	} else {
1926 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1927 	}
1928 
1929 	vp = fp->f_vnode;
1930 	audit_attributes(vp);
1931 
1932 	/* decrement file descriptor reference count */
1933 	releasef(fd);
1934 }
1935 
1936 #ifdef NOTYET
1937 /*ARGSUSED*/
1938 static void
1939 aus_setpgrp(struct t_audit_data *tad)
1940 {
1941 	klwp_t *clwp = ttolwp(curthread);
1942 	uint32_t pgrp;
1943 	struct proc *p;
1944 	uid_t uid, ruid;
1945 	gid_t gid, rgid;
1946 	pid_t pid;
1947 	const auditinfo_addr_t *ainfo;
1948 	cred_t *cr;
1949 
1950 	struct a {
1951 		long	pid;
1952 		long	pgrp;
1953 	} *uap = (struct a *)clwp->lwp_ap;
1954 
1955 	pid  = (pid_t)uap->pid;
1956 	pgrp = (uint32_t)uap->pgrp;
1957 
1958 		/* current process? */
1959 	if (pid == 0)
1960 		(return);
1961 
1962 	mutex_enter(&pidlock);
1963 	p = prfind(pid);
1964 	if (p == NULL || p->p_as == &kas) {
1965 		mutex_exit(&pidlock);
1966 		return;
1967 	}
1968 	mutex_enter(&p->p_lock);	/* so process doesn't go away */
1969 	mutex_exit(&pidlock);
1970 
1971 	mutex_enter(&p->p_crlock);
1972 	crhold(cr = p->p_cred);
1973 	mutex_exit(&p->p_crlock);
1974 	mutex_exit(&p->p_lock);
1975 
1976 	ainfo = crgetauinfo(cr);
1977 	if (ainfo == NULL) {
1978 		crfree(cr);
1979 		return;
1980 	}
1981 
1982 	uid  = crgetuid(cr);
1983 	gid  = crgetgid(cr);
1984 	ruid = crgetruid(cr);
1985 	rgid = crgetrgid(cr);
1986 	au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1987 	    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1988 	crfree(cr);
1989 	au_uwrite(au_to_arg32(2, "pgrp", pgrp));
1990 }
1991 #endif
1992 
1993 /*ARGSUSED*/
1994 static void
1995 aus_setregid(struct t_audit_data *tad)
1996 {
1997 	klwp_t *clwp = ttolwp(curthread);
1998 	uint32_t rgid, egid;
1999 
2000 	struct a {
2001 		long	 rgid;
2002 		long	 egid;
2003 	} *uap = (struct a *)clwp->lwp_ap;
2004 
2005 	rgid  = (uint32_t)uap->rgid;
2006 	egid  = (uint32_t)uap->egid;
2007 
2008 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2009 	au_uwrite(au_to_arg32(2, "egid", egid));
2010 }
2011 
2012 /*ARGSUSED*/
2013 static void
2014 aus_setgid(struct t_audit_data *tad)
2015 {
2016 	klwp_t *clwp = ttolwp(curthread);
2017 	uint32_t gid;
2018 
2019 	struct a {
2020 		long	gid;
2021 	} *uap = (struct a *)clwp->lwp_ap;
2022 
2023 	gid = (uint32_t)uap->gid;
2024 
2025 	au_uwrite(au_to_arg32(1, "gid", gid));
2026 }
2027 
2028 
2029 /*ARGSUSED*/
2030 static void
2031 aus_setreuid(struct t_audit_data *tad)
2032 {
2033 	klwp_t *clwp = ttolwp(curthread);
2034 	uint32_t ruid, euid;
2035 
2036 	struct a {
2037 		long	ruid;
2038 		long	euid;
2039 	} *uap = (struct a *)clwp->lwp_ap;
2040 
2041 	ruid = (uint32_t)uap->ruid;
2042 	euid  = (uint32_t)uap->euid;
2043 
2044 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2045 	au_uwrite(au_to_arg32(2, "euid", euid));
2046 }
2047 
2048 
2049 /*ARGSUSED*/
2050 static void
2051 aus_setuid(struct t_audit_data *tad)
2052 {
2053 	klwp_t *clwp = ttolwp(curthread);
2054 	uint32_t uid;
2055 
2056 	struct a {
2057 		long	uid;
2058 	} *uap = (struct a *)clwp->lwp_ap;
2059 
2060 	uid = (uint32_t)uap->uid;
2061 
2062 	au_uwrite(au_to_arg32(1, "uid", uid));
2063 }
2064 
2065 /*ARGSUSED*/
2066 static void
2067 aus_shmsys(struct t_audit_data *tad)
2068 {
2069 	klwp_t *clwp = ttolwp(curthread);
2070 	uint32_t id, cmd;
2071 
2072 	struct b {
2073 		long	id;
2074 		long	cmd;
2075 		long	buf;		/* struct shmid_ds * */
2076 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2077 
2078 	id  = (uint32_t)uap1->id;
2079 	cmd = (uint32_t)uap1->cmd;
2080 
2081 	switch (tad->tad_event) {
2082 	case AUE_SHMGET:			/* shmget */
2083 		au_uwrite(au_to_arg32(1, "shm key", id));
2084 		break;
2085 	case AUE_SHMCTL:			/* shmctl */
2086 	case AUE_SHMCTL_RMID:			/* shmctl */
2087 	case AUE_SHMCTL_STAT:			/* shmctl */
2088 	case AUE_SHMCTL_SET:			/* shmctl */
2089 		au_uwrite(au_to_arg32(1, "shm ID", id));
2090 		break;
2091 	case AUE_SHMDT:				/* shmdt */
2092 		au_uwrite(au_to_arg32(1, "shm adr", id));
2093 		break;
2094 	case AUE_SHMAT:				/* shmat */
2095 		au_uwrite(au_to_arg32(1, "shm ID", id));
2096 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2097 		break;
2098 	}
2099 }
2100 
2101 /*ARGSUSED*/
2102 static void
2103 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2104 {
2105 	int id;
2106 
2107 	if (error != 0)
2108 		return;
2109 	if (tad->tad_event == AUE_SHMGET) {
2110 		uint32_t scid;
2111 		uint32_t sy_flags;
2112 
2113 		/* need to determine type of executing binary */
2114 		scid = tad->tad_scid;
2115 #ifdef _SYSCALL32_IMPL
2116 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2117 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2118 		else
2119 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2120 #else
2121 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2122 #endif
2123 		if (sy_flags == SE_32RVAL1)
2124 			id = rval->r_val1;
2125 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2126 			id = rval->r_val1;
2127 		if (sy_flags == SE_64RVAL)
2128 			id = (int)rval->r_vals;
2129 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2130 	}
2131 }
2132 
2133 
2134 /*ARGSUSED*/
2135 static void
2136 aus_ioctl(struct t_audit_data *tad)
2137 {
2138 	klwp_t *clwp = ttolwp(curthread);
2139 	struct file *fp;
2140 	struct vnode *vp;
2141 	struct f_audit_data *fad;
2142 	uint32_t fd, cmd;
2143 	uintptr_t cmarg;
2144 
2145 	/* XX64 */
2146 	struct a {
2147 		long	fd;
2148 		long	cmd;
2149 		long	cmarg;		/* caddr_t */
2150 	} *uap = (struct a *)clwp->lwp_ap;
2151 
2152 	fd    = (uint32_t)uap->fd;
2153 	cmd   = (uint32_t)uap->cmd;
2154 	cmarg = (uintptr_t)uap->cmarg;
2155 
2156 		/*
2157 		 * convert file pointer to file descriptor
2158 		 *   Note: fd ref count incremented here.
2159 		 */
2160 	if ((fp = getf(fd)) == NULL) {
2161 		au_uwrite(au_to_arg32(1, "fd", fd));
2162 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2163 #ifndef _LP64
2164 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2165 #else
2166 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2167 #endif
2168 		return;
2169 	}
2170 
2171 	/* get path from file struct here */
2172 	fad = F2A(fp);
2173 	if (fad->fad_aupath != NULL) {
2174 		au_uwrite(au_to_path(fad->fad_aupath));
2175 	} else {
2176 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2177 	}
2178 
2179 	vp = fp->f_vnode;
2180 	audit_attributes(vp);
2181 
2182 	/* decrement file descriptor reference count */
2183 	releasef(fd);
2184 
2185 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2186 #ifndef _LP64
2187 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2188 #else
2189 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2190 #endif
2191 }
2192 
2193 /*
2194  * null function for memcntl for now. We might want to limit memcntl()
2195  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2196  * require privileges.
2197  */
2198 static au_event_t
2199 aui_memcntl(au_event_t e)
2200 {
2201 	return (e);
2202 }
2203 
2204 /*ARGSUSED*/
2205 static au_event_t
2206 aui_privsys(au_event_t e)
2207 {
2208 	klwp_t *clwp = ttolwp(curthread);
2209 
2210 	struct a {
2211 		long	opcode;
2212 	} *uap = (struct a *)clwp->lwp_ap;
2213 
2214 	switch (uap->opcode) {
2215 	case PRIVSYS_SETPPRIV:
2216 		return (AUE_SETPPRIV);
2217 	default:
2218 		return (AUE_NULL);
2219 	}
2220 }
2221 
2222 /*ARGSUSED*/
2223 static void
2224 aus_memcntl(struct t_audit_data *tad)
2225 {
2226 	klwp_t *clwp = ttolwp(curthread);
2227 
2228 	struct a {
2229 		long	addr;
2230 		long	len;
2231 		long	cmd;
2232 		long	arg;
2233 		long	attr;
2234 		long	mask;
2235 	} *uap = (struct a *)clwp->lwp_ap;
2236 
2237 #ifdef _LP64
2238 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2239 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2240 #else
2241 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2242 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2243 #endif
2244 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2245 #ifdef _LP64
2246 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2247 #else
2248 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2249 #endif
2250 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2251 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2252 }
2253 
2254 /*ARGSUSED*/
2255 static void
2256 aus_mmap(struct t_audit_data *tad)
2257 {
2258 	klwp_t *clwp = ttolwp(curthread);
2259 	struct file *fp;
2260 	struct f_audit_data *fad;
2261 	struct vnode *vp;
2262 	uint32_t fd;
2263 
2264 	struct a {
2265 		long	addr;
2266 		long	len;
2267 		long	prot;
2268 		long	flags;
2269 		long	fd;
2270 		long	pos;
2271 	} *uap = (struct a *)clwp->lwp_ap;
2272 
2273 	fd = (uint32_t)uap->fd;
2274 
2275 #ifdef _LP64
2276 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2277 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2278 #else
2279 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2280 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2281 #endif
2282 
2283 	if ((fp = getf(fd)) == NULL) {
2284 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2285 		return;
2286 	}
2287 
2288 	/*
2289 	 * Mark in the tad if write access is NOT requested... if
2290 	 * this is later detected (in audit_attributes) to be a
2291 	 * public object, the mmap event may be discarded.
2292 	 */
2293 	if (((uap->prot) & PROT_WRITE) == 0) {
2294 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2295 	}
2296 
2297 	fad = F2A(fp);
2298 	if (fad->fad_aupath != NULL) {
2299 		au_uwrite(au_to_path(fad->fad_aupath));
2300 	} else {
2301 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2302 	}
2303 
2304 	vp = (struct vnode *)fp->f_vnode;
2305 	audit_attributes(vp);
2306 
2307 	/* mark READ/WRITE since we can't predict access */
2308 	if (uap->prot & PROT_READ)
2309 		fad->fad_flags |= FAD_READ;
2310 	if (uap->prot & PROT_WRITE)
2311 		fad->fad_flags |= FAD_WRITE;
2312 
2313 	/* decrement file descriptor reference count */
2314 	releasef(fd);
2315 
2316 }	/* AUS_MMAP */
2317 
2318 
2319 
2320 
2321 /*ARGSUSED*/
2322 static void
2323 aus_munmap(struct t_audit_data *tad)
2324 {
2325 	klwp_t *clwp = ttolwp(curthread);
2326 
2327 	struct a {
2328 		long	addr;
2329 		long	len;
2330 	} *uap = (struct a *)clwp->lwp_ap;
2331 
2332 #ifdef _LP64
2333 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2334 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2335 #else
2336 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2337 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2338 #endif
2339 
2340 }	/* AUS_MUNMAP */
2341 
2342 
2343 
2344 
2345 
2346 
2347 
2348 /*ARGSUSED*/
2349 static void
2350 aus_priocntlsys(struct t_audit_data *tad)
2351 {
2352 	klwp_t *clwp = ttolwp(curthread);
2353 
2354 	struct a {
2355 		long	pc_version;
2356 		long	psp;		/* procset_t */
2357 		long	cmd;
2358 		long	arg;
2359 	} *uap = (struct a *)clwp->lwp_ap;
2360 
2361 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2362 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2363 
2364 }	/* AUS_PRIOCNTLSYS */
2365 
2366 
2367 /*ARGSUSED*/
2368 static void
2369 aus_setegid(struct t_audit_data *tad)
2370 {
2371 	klwp_t *clwp = ttolwp(curthread);
2372 	uint32_t gid;
2373 
2374 	struct a {
2375 		long	gid;
2376 	} *uap = (struct a *)clwp->lwp_ap;
2377 
2378 	gid = (uint32_t)uap->gid;
2379 
2380 	au_uwrite(au_to_arg32(1, "gid", gid));
2381 }	/* AUS_SETEGID */
2382 
2383 
2384 
2385 
2386 /*ARGSUSED*/
2387 static void
2388 aus_setgroups(struct t_audit_data *tad)
2389 {
2390 	klwp_t *clwp = ttolwp(curthread);
2391 	int i;
2392 	int gidsetsize;
2393 	uintptr_t gidset;
2394 	gid_t *gidlist;
2395 
2396 	struct a {
2397 		long	gidsetsize;
2398 		long	gidset;
2399 	} *uap = (struct a *)clwp->lwp_ap;
2400 
2401 	gidsetsize = (uint_t)uap->gidsetsize;
2402 	gidset = (uintptr_t)uap->gidset;
2403 
2404 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2405 		return;
2406 	if (gidsetsize != 0) {
2407 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2408 						KM_SLEEP);
2409 		if (copyin((caddr_t)gidset, gidlist,
2410 			gidsetsize * sizeof (gid_t)) == 0)
2411 			for (i = 0; i < gidsetsize; i++)
2412 				au_uwrite(au_to_arg32(1, "setgroups",
2413 						(uint32_t)gidlist[i]));
2414 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2415 	} else
2416 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2417 
2418 }	/* AUS_SETGROUPS */
2419 
2420 
2421 
2422 
2423 
2424 /*ARGSUSED*/
2425 static void
2426 aus_seteuid(struct t_audit_data *tad)
2427 {
2428 	klwp_t *clwp = ttolwp(curthread);
2429 	uint32_t uid;
2430 
2431 	struct a {
2432 		long	uid;
2433 	} *uap = (struct a *)clwp->lwp_ap;
2434 
2435 	uid = (uint32_t)uap->uid;
2436 
2437 	au_uwrite(au_to_arg32(1, "euid", uid));
2438 
2439 }	/* AUS_SETEUID */
2440 
2441 /*ARGSUSED*/
2442 static void
2443 aus_putmsg(struct t_audit_data *tad)
2444 {
2445 	klwp_t *clwp = ttolwp(curthread);
2446 	uint32_t fd, pri;
2447 	struct file *fp;
2448 	struct f_audit_data *fad;
2449 
2450 	struct a {
2451 		long	fdes;
2452 		long	ctl;		/* struct strbuf * */
2453 		long	data;		/* struct strbuf * */
2454 		long	pri;
2455 	} *uap = (struct a *)clwp->lwp_ap;
2456 
2457 	fd  = (uint32_t)uap->fdes;
2458 	pri = (uint32_t)uap->pri;
2459 
2460 	au_uwrite(au_to_arg32(1, "fd", fd));
2461 
2462 	if ((fp = getf(fd)) != NULL) {
2463 		fad = F2A(fp);
2464 
2465 		fad->fad_flags |= FAD_WRITE;
2466 
2467 		/* add path name to audit record */
2468 		if (fad->fad_aupath != NULL) {
2469 			au_uwrite(au_to_path(fad->fad_aupath));
2470 		}
2471 		audit_attributes(fp->f_vnode);
2472 
2473 		releasef(fd);
2474 	}
2475 
2476 	au_uwrite(au_to_arg32(4, "pri", pri));
2477 }
2478 
2479 /*ARGSUSED*/
2480 static void
2481 aus_putpmsg(struct t_audit_data *tad)
2482 {
2483 	klwp_t *clwp = ttolwp(curthread);
2484 	uint32_t fd, pri, flags;
2485 	struct file *fp;
2486 	struct f_audit_data *fad;
2487 
2488 	struct a {
2489 		long	fdes;
2490 		long	ctl;		/* struct strbuf * */
2491 		long	data;		/* struct strbuf * */
2492 		long	pri;
2493 		long	flags;
2494 	} *uap = (struct a *)clwp->lwp_ap;
2495 
2496 	fd = (uint32_t)uap->fdes;
2497 	pri  = (uint32_t)uap->pri;
2498 	flags  = (uint32_t)uap->flags;
2499 
2500 	au_uwrite(au_to_arg32(1, "fd", fd));
2501 
2502 	if ((fp = getf(fd)) != NULL) {
2503 		fad = F2A(fp);
2504 
2505 		fad->fad_flags |= FAD_WRITE;
2506 
2507 		/* add path name to audit record */
2508 		if (fad->fad_aupath != NULL) {
2509 			au_uwrite(au_to_path(fad->fad_aupath));
2510 		}
2511 		audit_attributes(fp->f_vnode);
2512 
2513 		releasef(fd);
2514 	}
2515 
2516 
2517 	au_uwrite(au_to_arg32(4, "pri", pri));
2518 	au_uwrite(au_to_arg32(5, "flags", flags));
2519 }
2520 
2521 /*ARGSUSED*/
2522 static void
2523 aus_getmsg(struct t_audit_data *tad)
2524 {
2525 	klwp_t *clwp = ttolwp(curthread);
2526 	uint32_t fd, pri;
2527 	struct file *fp;
2528 	struct f_audit_data *fad;
2529 
2530 	struct a {
2531 		long	fdes;
2532 		long	ctl;		/* struct strbuf * */
2533 		long	data;		/* struct strbuf * */
2534 		long	pri;
2535 	} *uap = (struct a *)clwp->lwp_ap;
2536 
2537 	fd  = (uint32_t)uap->fdes;
2538 	pri = (uint32_t)uap->pri;
2539 
2540 	au_uwrite(au_to_arg32(1, "fd", fd));
2541 
2542 	if ((fp = getf(fd)) != NULL) {
2543 		fad = F2A(fp);
2544 
2545 		/*
2546 		 * read operation on this object
2547 		 */
2548 		fad->fad_flags |= FAD_READ;
2549 
2550 		/* add path name to audit record */
2551 		if (fad->fad_aupath != NULL) {
2552 			au_uwrite(au_to_path(fad->fad_aupath));
2553 		}
2554 		audit_attributes(fp->f_vnode);
2555 
2556 		releasef(fd);
2557 	}
2558 
2559 	au_uwrite(au_to_arg32(4, "pri", pri));
2560 }
2561 
2562 /*ARGSUSED*/
2563 static void
2564 aus_getpmsg(struct t_audit_data *tad)
2565 {
2566 	klwp_t *clwp = ttolwp(curthread);
2567 	uint32_t fd;
2568 	struct file *fp;
2569 	struct f_audit_data *fad;
2570 
2571 	struct a {
2572 		long	fdes;
2573 		long	ctl;		/* struct strbuf * */
2574 		long	data;		/* struct strbuf * */
2575 		long	pri;
2576 		long	flags;
2577 	} *uap = (struct a *)clwp->lwp_ap;
2578 
2579 	fd = (uint32_t)uap->fdes;
2580 
2581 	au_uwrite(au_to_arg32(1, "fd", fd));
2582 
2583 	if ((fp = getf(fd)) != NULL) {
2584 		fad = F2A(fp);
2585 
2586 		/*
2587 		 * read operation on this object
2588 		 */
2589 		fad->fad_flags |= FAD_READ;
2590 
2591 		/* add path name to audit record */
2592 		if (fad->fad_aupath != NULL) {
2593 			au_uwrite(au_to_path(fad->fad_aupath));
2594 		}
2595 		audit_attributes(fp->f_vnode);
2596 
2597 		releasef(fd);
2598 	}
2599 }
2600 
2601 static au_event_t
2602 aui_auditsys(au_event_t e)
2603 {
2604 	klwp_t *clwp = ttolwp(curthread);
2605 	uint32_t code;
2606 
2607 	struct a {
2608 		long	code;
2609 		long	a1;
2610 		long	a2;
2611 		long	a3;
2612 		long	a4;
2613 		long	a5;
2614 		long	a6;
2615 		long	a7;
2616 	} *uap = (struct a *)clwp->lwp_ap;
2617 
2618 	code = (uint32_t)uap->code;
2619 
2620 	switch (code) {
2621 
2622 	case BSM_GETAUID:
2623 		e = AUE_GETAUID;
2624 		break;
2625 	case BSM_SETAUID:
2626 		e = AUE_SETAUID;
2627 		break;
2628 	case BSM_GETAUDIT:
2629 		e = AUE_GETAUDIT;
2630 		break;
2631 	case BSM_GETAUDIT_ADDR:
2632 		e = AUE_GETAUDIT_ADDR;
2633 		break;
2634 	case BSM_SETAUDIT:
2635 		e = AUE_SETAUDIT;
2636 		break;
2637 	case BSM_SETAUDIT_ADDR:
2638 		e = AUE_SETAUDIT_ADDR;
2639 		break;
2640 	case BSM_AUDIT:
2641 		e = AUE_AUDIT;
2642 		break;
2643 	case BSM_AUDITSVC:
2644 		e = AUE_AUDITSVC;
2645 		break;
2646 	case BSM_GETPORTAUDIT:
2647 		e = AUE_GETPORTAUDIT;
2648 		break;
2649 	case BSM_AUDITON:
2650 	case BSM_AUDITCTL:
2651 
2652 		switch ((uint_t)uap->a1) {
2653 
2654 		case A_GETPOLICY:
2655 			e = AUE_AUDITON_GPOLICY;
2656 			break;
2657 		case A_SETPOLICY:
2658 			e = AUE_AUDITON_SPOLICY;
2659 			break;
2660 		case A_GETKMASK:
2661 			e = AUE_AUDITON_GETKMASK;
2662 			break;
2663 		case A_SETKMASK:
2664 			e = AUE_AUDITON_SETKMASK;
2665 			break;
2666 		case A_GETQCTRL:
2667 			e = AUE_AUDITON_GQCTRL;
2668 			break;
2669 		case A_SETQCTRL:
2670 			e = AUE_AUDITON_SQCTRL;
2671 			break;
2672 		case A_GETCWD:
2673 			e = AUE_AUDITON_GETCWD;
2674 			break;
2675 		case A_GETCAR:
2676 			e = AUE_AUDITON_GETCAR;
2677 			break;
2678 		case A_GETSTAT:
2679 			e = AUE_AUDITON_GETSTAT;
2680 			break;
2681 		case A_SETSTAT:
2682 			e = AUE_AUDITON_SETSTAT;
2683 			break;
2684 		case A_SETUMASK:
2685 			e = AUE_AUDITON_SETUMASK;
2686 			break;
2687 		case A_SETSMASK:
2688 			e = AUE_AUDITON_SETSMASK;
2689 			break;
2690 		case A_GETCOND:
2691 			e = AUE_AUDITON_GETCOND;
2692 			break;
2693 		case A_SETCOND:
2694 			e = AUE_AUDITON_SETCOND;
2695 			break;
2696 		case A_GETCLASS:
2697 			e = AUE_AUDITON_GETCLASS;
2698 			break;
2699 		case A_SETCLASS:
2700 			e = AUE_AUDITON_SETCLASS;
2701 			break;
2702 		default:
2703 			e = AUE_NULL;
2704 			break;
2705 		}
2706 		break;
2707 	default:
2708 		e = AUE_NULL;
2709 		break;
2710 	}
2711 
2712 	return (e);
2713 
2714 
2715 
2716 
2717 }	/* AUI_AUDITSYS */
2718 
2719 
2720 
2721 
2722 
2723 
2724 
2725 static void
2726 aus_auditsys(struct t_audit_data *tad)
2727 {
2728 	klwp_t *clwp = ttolwp(curthread);
2729 	uintptr_t a1, a2;
2730 	struct file *fp;
2731 	struct f_audit_data *fad;
2732 	struct vnode *vp;
2733 	STRUCT_DECL(auditinfo, ainfo);
2734 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2735 	au_evclass_map_t event;
2736 	au_mask_t mask;
2737 	int auditstate, policy;
2738 	au_id_t auid;
2739 
2740 
2741 	struct a {
2742 		long	code;
2743 		long	a1;
2744 		long	a2;
2745 		long	a3;
2746 		long	a4;
2747 		long	a5;
2748 		long	a6;
2749 		long	a7;
2750 	} *uap = (struct a *)clwp->lwp_ap;
2751 
2752 	a1   = (uintptr_t)uap->a1;
2753 	a2   = (uintptr_t)uap->a2;
2754 
2755 	switch (tad->tad_event) {
2756 	case AUE_SETAUID:
2757 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2758 				return;
2759 		au_uwrite(au_to_arg32(2, "setauid", auid));
2760 		break;
2761 	case AUE_SETAUDIT:
2762 		STRUCT_INIT(ainfo, get_udatamodel());
2763 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2764 				STRUCT_SIZE(ainfo))) {
2765 				return;
2766 		}
2767 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2768 			(uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2769 #ifdef _LP64
2770 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2771 			(uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2772 #else
2773 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2774 			(uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2775 #endif
2776 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2777 			(uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2778 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2779 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2780 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2781 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2782 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2783 			(uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2784 		break;
2785 	case AUE_SETAUDIT_ADDR:
2786 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2787 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2788 				STRUCT_SIZE(ainfo_addr))) {
2789 				return;
2790 		}
2791 		au_uwrite(au_to_arg32((char)1, "auid",
2792 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2793 #ifdef _LP64
2794 		au_uwrite(au_to_arg64((char)1, "port",
2795 			(uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2796 #else
2797 		au_uwrite(au_to_arg32((char)1, "port",
2798 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2799 #endif
2800 		au_uwrite(au_to_arg32((char)1, "type",
2801 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2802 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2803 		    AU_IPv4) {
2804 			au_uwrite(au_to_in_addr(
2805 				(struct in_addr *)STRUCT_FGETP(ainfo_addr,
2806 					ai_termid.at_addr)));
2807 		} else {
2808 			au_uwrite(au_to_in_addr_ex(
2809 				(int32_t *)STRUCT_FGETP(ainfo_addr,
2810 					ai_termid.at_addr)));
2811 		}
2812 		au_uwrite(au_to_arg32((char)1, "as_success",
2813 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2814 		au_uwrite(au_to_arg32((char)1, "as_failure",
2815 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2816 		au_uwrite(au_to_arg32((char)1, "asid",
2817 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2818 		break;
2819 	case AUE_AUDITSVC:
2820 		/*
2821 		 * convert file pointer to file descriptor
2822 		 * Note: fd ref count incremented here
2823 		 */
2824 		if ((fp = getf((uint_t)a1)) == NULL)
2825 			return;
2826 		fad = F2A(fp);
2827 		if (fad->fad_aupath != NULL) {
2828 			au_uwrite(au_to_path(fad->fad_aupath));
2829 		} else {
2830 			au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1));
2831 		}
2832 
2833 		vp = fp->f_vnode;	/* include vnode attributes */
2834 		audit_attributes(vp);
2835 
2836 		/* decrement file descriptor ref count */
2837 		releasef((uint_t)a1);
2838 
2839 		au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2));
2840 		break;
2841 	case AUE_AUDITON_SETKMASK:
2842 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2843 				return;
2844 		au_uwrite(au_to_arg32(
2845 			2, "setkmask:as_success", (uint32_t)mask.as_success));
2846 		au_uwrite(au_to_arg32(
2847 			2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2848 		break;
2849 	case AUE_AUDITON_SPOLICY:
2850 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2851 			return;
2852 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2853 		break;
2854 	case AUE_AUDITON_SQCTRL: {
2855 		STRUCT_DECL(au_qctrl, qctrl);
2856 		model_t model;
2857 
2858 		model = get_udatamodel();
2859 		STRUCT_INIT(qctrl, model);
2860 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
2861 				return;
2862 		if (model == DATAMODEL_ILP32) {
2863 			au_uwrite(au_to_arg32(
2864 				3, "setqctrl:aq_hiwater",
2865 				(uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
2866 			au_uwrite(au_to_arg32(
2867 				3, "setqctrl:aq_lowater",
2868 				(uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
2869 			au_uwrite(au_to_arg32(
2870 				3, "setqctrl:aq_bufsz",
2871 				(uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
2872 			au_uwrite(au_to_arg32(
2873 				3, "setqctrl:aq_delay",
2874 				(uint32_t)STRUCT_FGET(qctrl, aq_delay)));
2875 		} else {
2876 			au_uwrite(au_to_arg64(
2877 				3, "setqctrl:aq_hiwater",
2878 				(uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
2879 			au_uwrite(au_to_arg64(
2880 				3, "setqctrl:aq_lowater",
2881 				(uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
2882 			au_uwrite(au_to_arg64(
2883 				3, "setqctrl:aq_bufsz",
2884 				(uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
2885 			au_uwrite(au_to_arg64(
2886 				3, "setqctrl:aq_delay",
2887 				(uint64_t)STRUCT_FGET(qctrl, aq_delay)));
2888 		}
2889 		break;
2890 	}
2891 	case AUE_AUDITON_SETUMASK:
2892 		STRUCT_INIT(ainfo, get_udatamodel());
2893 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2894 				STRUCT_SIZE(ainfo))) {
2895 				return;
2896 		}
2897 		au_uwrite(au_to_arg32(3, "setumask:as_success",
2898 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2899 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
2900 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2901 		break;
2902 	case AUE_AUDITON_SETSMASK:
2903 		STRUCT_INIT(ainfo, get_udatamodel());
2904 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2905 				STRUCT_SIZE(ainfo))) {
2906 				return;
2907 		}
2908 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
2909 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2910 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
2911 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2912 		break;
2913 	case AUE_AUDITON_SETCOND:
2914 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
2915 			return;
2916 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
2917 		break;
2918 	case AUE_AUDITON_SETCLASS:
2919 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
2920 			return;
2921 		au_uwrite(au_to_arg32(
2922 			2, "setclass:ec_event", (uint32_t)event.ec_number));
2923 		au_uwrite(au_to_arg32(
2924 			3, "setclass:ec_class", (uint32_t)event.ec_class));
2925 		break;
2926 	case AUE_GETAUID:
2927 	case AUE_GETAUDIT:
2928 	case AUE_GETAUDIT_ADDR:
2929 	case AUE_AUDIT:
2930 	case AUE_GETPORTAUDIT:
2931 	case AUE_AUDITON_GPOLICY:
2932 	case AUE_AUDITON_GQCTRL:
2933 	case AUE_AUDITON_GETKMASK:
2934 	case AUE_AUDITON_GETCWD:
2935 	case AUE_AUDITON_GETCAR:
2936 	case AUE_AUDITON_GETSTAT:
2937 	case AUE_AUDITON_SETSTAT:
2938 	case AUE_AUDITON_GETCOND:
2939 	case AUE_AUDITON_GETCLASS:
2940 		break;
2941 	default:
2942 		break;
2943 	}
2944 
2945 }	/* AUS_AUDITSYS */
2946 
2947 
2948 /* only audit privileged operations for systeminfo(2) system call */
2949 static au_event_t
2950 aui_sysinfo(au_event_t e)
2951 {
2952 	klwp_t *clwp = ttolwp(curthread);
2953 	uint32_t command;
2954 
2955 	struct a {
2956 		long	command;
2957 		long	buf;		/* char * */
2958 		long	count;
2959 	} *uap = (struct a *)clwp->lwp_ap;
2960 
2961 	command = (uint32_t)uap->command;
2962 
2963 	switch (command) {
2964 	case SI_SET_HOSTNAME:
2965 	case SI_SET_SRPC_DOMAIN:
2966 		e = (au_event_t)AUE_SYSINFO;
2967 		break;
2968 	default:
2969 		e = (au_event_t)AUE_NULL;
2970 		break;
2971 	}
2972 	return (e);
2973 }
2974 
2975 /*ARGSUSED*/
2976 static void
2977 aus_sysinfo(struct t_audit_data *tad)
2978 {
2979 	klwp_t *clwp = ttolwp(curthread);
2980 	uint32_t command;
2981 	size_t len, maxlen;
2982 	char *name;
2983 	uintptr_t buf;
2984 
2985 	struct a {
2986 		long	command;
2987 		long	buf;		/* char * */
2988 		long	count;
2989 	} *uap = (struct a *)clwp->lwp_ap;
2990 
2991 	command = (uint32_t)uap->command;
2992 	buf = (uintptr_t)uap->buf;
2993 
2994 	au_uwrite(au_to_arg32(1, "cmd", command));
2995 
2996 	switch (command) {
2997 	case SI_SET_HOSTNAME:
2998 	{
2999 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3000 			return;
3001 
3002 		maxlen = SYS_NMLN;
3003 		name = kmem_alloc(maxlen, KM_SLEEP);
3004 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3005 			break;
3006 
3007 		/*
3008 		 * Must be non-NULL string and string
3009 		 * must be less than SYS_NMLN chars.
3010 		 */
3011 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3012 			break;
3013 
3014 		au_uwrite(au_to_text(name));
3015 		break;
3016 	}
3017 
3018 	case SI_SET_SRPC_DOMAIN:
3019 	{
3020 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3021 			return;
3022 
3023 		maxlen = SYS_NMLN;
3024 		name = kmem_alloc(maxlen, KM_SLEEP);
3025 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3026 			break;
3027 
3028 		/*
3029 		 * If string passed in is longer than length
3030 		 * allowed for domain name, fail.
3031 		 */
3032 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3033 			break;
3034 
3035 		au_uwrite(au_to_text(name));
3036 		break;
3037 	}
3038 
3039 	default:
3040 		return;
3041 	}
3042 
3043 	kmem_free(name, maxlen);
3044 }
3045 
3046 static au_event_t
3047 aui_modctl(au_event_t e)
3048 {
3049 	klwp_t *clwp = ttolwp(curthread);
3050 	uint_t cmd;
3051 
3052 	struct a {
3053 		long	cmd;
3054 	} *uap = (struct a *)clwp->lwp_ap;
3055 
3056 	cmd = (uint_t)uap->cmd;
3057 
3058 	switch (cmd) {
3059 	case MODLOAD:
3060 		e = AUE_MODLOAD;
3061 		break;
3062 	case MODUNLOAD:
3063 		e = AUE_MODUNLOAD;
3064 		break;
3065 	case MODADDMAJBIND:
3066 		e = AUE_MODADDMAJ;
3067 		break;
3068 	case MODSETDEVPOLICY:
3069 		e = AUE_MODDEVPLCY;
3070 		break;
3071 	case MODALLOCPRIV:
3072 		e = AUE_MODADDPRIV;
3073 		break;
3074 	default:
3075 		e = AUE_NULL;
3076 		break;
3077 	}
3078 	return (e);
3079 }
3080 
3081 
3082 /*ARGSUSED*/
3083 static void
3084 aus_modctl(struct t_audit_data *tad)
3085 {
3086 	klwp_t *clwp = ttolwp(curthread);
3087 	void *a	= clwp->lwp_ap;
3088 	uint_t use_path;
3089 
3090 	switch (tad->tad_event) {
3091 	case AUE_MODLOAD: {
3092 		typedef struct {
3093 			long	cmd;
3094 			long	use_path;
3095 			long	filename;		/* char * */
3096 		} modloada_t;
3097 
3098 		char *filenamep;
3099 		uintptr_t fname;
3100 		extern char *default_path;
3101 
3102 		fname = (uintptr_t)((modloada_t *)a)->filename;
3103 		use_path = (uint_t)((modloada_t *)a)->use_path;
3104 
3105 			/* space to hold path */
3106 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3107 			/* get string */
3108 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3109 				/* free allocated path */
3110 			kmem_free(filenamep, MOD_MAXPATH);
3111 			return;
3112 		}
3113 			/* ensure it's null terminated */
3114 		filenamep[MOD_MAXPATH - 1] = 0;
3115 
3116 		if (use_path)
3117 			au_uwrite(au_to_text(default_path));
3118 		au_uwrite(au_to_text(filenamep));
3119 
3120 			/* release temporary memory */
3121 		kmem_free(filenamep, MOD_MAXPATH);
3122 		break;
3123 	}
3124 	case AUE_MODUNLOAD: {
3125 		typedef struct {
3126 			long	cmd;
3127 			long	id;
3128 		} modunloada_t;
3129 
3130 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3131 
3132 		au_uwrite(au_to_arg32(1, "id", id));
3133 		break;
3134 	}
3135 	case AUE_MODADDMAJ: {
3136 		STRUCT_DECL(modconfig, mc);
3137 		typedef struct {
3138 			long	cmd;
3139 			long	subcmd;
3140 			long	data;		/* int * */
3141 		} modconfiga_t;
3142 
3143 		STRUCT_DECL(aliases, alias);
3144 		caddr_t ap;
3145 		int i, num_aliases;
3146 		char *drvname, *mc_drvname;
3147 		char *name;
3148 		extern char *ddi_major_to_name(major_t);
3149 		model_t model;
3150 
3151 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3152 
3153 		model = get_udatamodel();
3154 		STRUCT_INIT(mc, model);
3155 			/* sanitize buffer */
3156 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3157 			/* get user arguments */
3158 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3159 				STRUCT_SIZE(mc)) != 0)
3160 			return;
3161 
3162 		mc_drvname = STRUCT_FGET(mc, drvname);
3163 		if ((drvname = ddi_major_to_name(
3164 			(major_t)STRUCT_FGET(mc, major))) != NULL &&
3165 			strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3166 				/* safety */
3167 			if (mc_drvname[0] != '\0') {
3168 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3169 				au_uwrite(au_to_text(mc_drvname));
3170 			}
3171 				/* drvname != NULL from test above */
3172 			au_uwrite(au_to_text(drvname));
3173 			return;
3174 		}
3175 
3176 		if (mc_drvname[0] != '\0') {
3177 				/* safety */
3178 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3179 			au_uwrite(au_to_text(mc_drvname));
3180 		} else
3181 			au_uwrite(au_to_text("no drvname"));
3182 
3183 		num_aliases = STRUCT_FGET(mc, num_aliases);
3184 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3185 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3186 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3187 		STRUCT_INIT(alias, model);
3188 		for (i = 0; i < num_aliases; i++) {
3189 			bzero((caddr_t)STRUCT_BUF(alias),
3190 					STRUCT_SIZE(alias));
3191 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3192 					STRUCT_SIZE(alias)) != 0)
3193 				break;
3194 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3195 			    MAXMODCONFNAME, NULL) != 0) {
3196 				break;
3197 			}
3198 
3199 			au_uwrite(au_to_text(name));
3200 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3201 		}
3202 		kmem_free(name, MAXMODCONFNAME);
3203 		break;
3204 	}
3205 	default:
3206 		break;
3207 	}
3208 }
3209 
3210 /*
3211  * private version of getsonode that does not do eprintsoline()
3212  */
3213 static struct sonode *
3214 au_getsonode(int sock, int *errorp, file_t **fpp)
3215 {
3216 	file_t *fp;
3217 	register vnode_t *vp;
3218 	struct sonode *so;
3219 
3220 	if ((fp = getf(sock)) == NULL) {
3221 		*errorp = EBADF;
3222 		return (NULL);
3223 	}
3224 	vp = fp->f_vnode;
3225 	/* Check if it is a socket */
3226 	if (vp->v_type != VSOCK) {
3227 		releasef(sock);
3228 		*errorp = ENOTSOCK;
3229 		return (NULL);
3230 	}
3231 	/*
3232 	 * Use the stream head to find the real socket vnode.
3233 	 * This is needed when namefs sits above sockfs.
3234 	 */
3235 	ASSERT(vp->v_stream);
3236 	ASSERT(vp->v_stream->sd_vnode);
3237 	vp = vp->v_stream->sd_vnode;
3238 	so = VTOSO(vp);
3239 	if (so->so_version == SOV_STREAM) {
3240 		releasef(sock);
3241 		*errorp = ENOTSOCK;
3242 		return (NULL);
3243 	}
3244 	if (fpp)
3245 		*fpp = fp;
3246 	return (so);
3247 }
3248 
3249 /*ARGSUSED*/
3250 static void
3251 auf_accept(
3252 	struct t_audit_data *tad,
3253 	int	error,
3254 	rval_t	*rval)
3255 {
3256 	uint32_t scid;
3257 	uint32_t sy_flags;
3258 	int fd;
3259 	struct sonode *so;
3260 	char so_laddr[sizeof (struct sockaddr_in6)];
3261 	char so_faddr[sizeof (struct sockaddr_in6)];
3262 	int err;
3263 	int len;
3264 	short so_family, so_type;
3265 	int add_sock_token = 0;
3266 
3267 	/* need to determine type of executing binary */
3268 	scid = tad->tad_scid;
3269 #ifdef _SYSCALL32_IMPL
3270 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3271 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3272 	else
3273 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3274 #else
3275 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3276 #endif
3277 	if (sy_flags == SE_32RVAL1)
3278 		fd = rval->r_val1;
3279 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3280 		fd = rval->r_val1;
3281 	if (sy_flags == SE_64RVAL)
3282 		fd = (int)rval->r_vals;
3283 
3284 	if (error) {
3285 		/* can't trust socket contents. Just return */
3286 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3287 		return;
3288 	}
3289 
3290 	if ((so = au_getsonode((int)fd, &err, NULL)) == NULL) {
3291 		/*
3292 		 * not security relevant if doing a accept from non socket
3293 		 * so no extra tokens. Should probably turn off audit record
3294 		 * generation here.
3295 		 */
3296 		return;
3297 	}
3298 
3299 	so_family = so->so_family;
3300 	so_type   = so->so_type;
3301 
3302 	switch (so_family) {
3303 	case AF_INET:
3304 	case AF_INET6:
3305 		/*
3306 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3307 		 */
3308 		if (so->so_type == SOCK_STREAM) {
3309 
3310 			bzero((void *)so_laddr, sizeof (so_laddr));
3311 			bzero((void *)so_faddr, sizeof (so_faddr));
3312 
3313 			/*
3314 			 * no local address then need to get it from lower
3315 			 * levels. only put out record on first read ala
3316 			 * AUE_WRITE.
3317 			 */
3318 			if (so->so_state & SS_ISBOUND) {
3319 				/* only done once on a connection */
3320 				(void) SOP_GETSOCKNAME(so);
3321 				(void) SOP_GETPEERNAME(so);
3322 
3323 				/* get local and foreign addresses */
3324 				mutex_enter(&so->so_lock);
3325 				len = min(so->so_laddr_len, sizeof (so_laddr));
3326 				bcopy(so->so_laddr_sa, so_laddr, len);
3327 				len = min(so->so_faddr_len, sizeof (so_faddr));
3328 				bcopy(so->so_faddr_sa, so_faddr, len);
3329 				mutex_exit(&so->so_lock);
3330 			}
3331 
3332 			add_sock_token = 1;
3333 		}
3334 		break;
3335 
3336 	default:
3337 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3338 		break;
3339 	}
3340 
3341 	releasef(fd);
3342 
3343 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3344 
3345 	if (add_sock_token == 0) {
3346 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3347 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3348 		return;
3349 	}
3350 
3351 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3352 
3353 }
3354 
3355 /*ARGSUSED*/
3356 static void
3357 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3358 {
3359 	struct a {
3360 		long	fd;
3361 		long	addr;
3362 		long	len;
3363 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3364 
3365 	struct sonode *so;
3366 	char so_laddr[sizeof (struct sockaddr_in6)];
3367 	char so_faddr[sizeof (struct sockaddr_in6)];
3368 	int err, fd;
3369 	int len;
3370 	short so_family, so_type;
3371 	int add_sock_token = 0;
3372 
3373 	fd = (int)uap->fd;
3374 
3375 	/*
3376 	 * bind failed, then nothing extra to add to audit record.
3377 	 */
3378 	if (error) {
3379 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3380 		/* XXX may want to add failed address some day */
3381 		return;
3382 	}
3383 
3384 	if ((so = au_getsonode(fd, &err, NULL)) == NULL) {
3385 		/*
3386 		 * not security relevant if doing a bind from non socket
3387 		 * so no extra tokens. Should probably turn off audit record
3388 		 * generation here.
3389 		 */
3390 		return;
3391 	}
3392 
3393 	so_family = so->so_family;
3394 	so_type   = so->so_type;
3395 
3396 	switch (so_family) {
3397 	case AF_INET:
3398 	case AF_INET6:
3399 
3400 		bzero(so_faddr, sizeof (so_faddr));
3401 
3402 		if (so->so_state & SS_ISBOUND) {
3403 			/* only done once on a connection */
3404 			(void) SOP_GETSOCKNAME(so);
3405 		}
3406 
3407 		mutex_enter(&so->so_lock);
3408 		len = min(so->so_laddr_len, sizeof (so_laddr));
3409 		bcopy(so->so_laddr_sa, so_laddr, len);
3410 		mutex_exit(&so->so_lock);
3411 
3412 		add_sock_token = 1;
3413 
3414 		break;
3415 
3416 	case AF_UNIX:
3417 		/* token added by lookup */
3418 		break;
3419 	default:
3420 		/* AF_ROUTE, AF_KEY do not support accept */
3421 		break;
3422 	}
3423 
3424 	releasef(fd);
3425 
3426 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3427 
3428 	if (add_sock_token == 0) {
3429 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3430 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3431 		return;
3432 	}
3433 
3434 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3435 
3436 }
3437 
3438 /*ARGSUSED*/
3439 static void
3440 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3441 {
3442 	struct a {
3443 		long	fd;
3444 		long	addr;
3445 		long	len;
3446 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3447 
3448 	struct sonode *so;
3449 	char so_laddr[sizeof (struct sockaddr_in6)];
3450 	char so_faddr[sizeof (struct sockaddr_in6)];
3451 	int err, fd;
3452 	int len;
3453 	short so_family, so_type;
3454 	int add_sock_token = 0;
3455 
3456 	fd = (int)uap->fd;
3457 
3458 
3459 	if ((so = au_getsonode(fd, &err, NULL)) == NULL) {
3460 		/*
3461 		 * not security relevant if doing a connect from non socket
3462 		 * so no extra tokens. Should probably turn off audit record
3463 		 * generation here.
3464 		 */
3465 		return;
3466 	}
3467 
3468 	so_family = so->so_family;
3469 	so_type   = so->so_type;
3470 
3471 	switch (so_family) {
3472 	case AF_INET:
3473 	case AF_INET6:
3474 		/*
3475 		 * no local address then need to get it from lower
3476 		 * levels.
3477 		 */
3478 		if (so->so_state & SS_ISBOUND) {
3479 			/* only done once on a connection */
3480 			(void) SOP_GETSOCKNAME(so);
3481 			(void) SOP_GETPEERNAME(so);
3482 		}
3483 
3484 		bzero(so_laddr, sizeof (so_laddr));
3485 		bzero(so_faddr, sizeof (so_faddr));
3486 
3487 		mutex_enter(&so->so_lock);
3488 		len = min(so->so_laddr_len, sizeof (so_laddr));
3489 		bcopy(so->so_laddr_sa, so_laddr, len);
3490 		if (error) {
3491 			mutex_exit(&so->so_lock);
3492 			if (uap->addr == NULL)
3493 				break;
3494 			if (uap->len <= 0)
3495 				break;
3496 			len = min(uap->len, sizeof (so_faddr));
3497 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3498 				break;
3499 #ifdef NOTYET
3500 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3501 #endif
3502 		} else {
3503 			/* sanity check on length */
3504 			len = min(so->so_faddr_len, sizeof (so_faddr));
3505 			bcopy(so->so_faddr_sa, so_faddr, len);
3506 			mutex_exit(&so->so_lock);
3507 		}
3508 
3509 		add_sock_token = 1;
3510 
3511 		break;
3512 
3513 	case AF_UNIX:
3514 		/* does a lookup on name */
3515 		break;
3516 
3517 	default:
3518 		/* AF_ROUTE, AF_KEY do not support accept */
3519 		break;
3520 	}
3521 
3522 	releasef(fd);
3523 
3524 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3525 
3526 	if (add_sock_token == 0) {
3527 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3528 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3529 		return;
3530 	}
3531 
3532 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3533 
3534 }
3535 
3536 /*ARGSUSED*/
3537 static void
3538 aus_shutdown(struct t_audit_data *tad)
3539 {
3540 	struct a {
3541 		long	fd;
3542 		long	how;
3543 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3544 
3545 	struct sonode *so;
3546 	char so_laddr[sizeof (struct sockaddr_in6)];
3547 	char so_faddr[sizeof (struct sockaddr_in6)];
3548 	int err, fd;
3549 	int len;
3550 	short so_family, so_type;
3551 	int add_sock_token = 0;
3552 	file_t *fp;				/* unix domain sockets */
3553 	struct f_audit_data *fad;		/* unix domain sockets */
3554 
3555 	fd = (int)uap->fd;
3556 
3557 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3558 		/*
3559 		 * not security relevant if doing a shutdown using non socket
3560 		 * so no extra tokens. Should probably turn off audit record
3561 		 * generation here.
3562 		 */
3563 		return;
3564 	}
3565 
3566 	so_family = so->so_family;
3567 	so_type   = so->so_type;
3568 
3569 	switch (so_family) {
3570 	case AF_INET:
3571 	case AF_INET6:
3572 
3573 		bzero(so_laddr, sizeof (so_laddr));
3574 		bzero(so_faddr, sizeof (so_faddr));
3575 
3576 		if (so->so_state & SS_ISBOUND) {
3577 			/*
3578 			 * no local address then need to get it from lower
3579 			 * levels.
3580 			 */
3581 			if (so->so_laddr_len == 0)
3582 				(void) SOP_GETSOCKNAME(so);
3583 			if (so->so_faddr_len == 0)
3584 				(void) SOP_GETPEERNAME(so);
3585 		}
3586 
3587 		mutex_enter(&so->so_lock);
3588 		len = min(so->so_laddr_len, sizeof (so_laddr));
3589 		bcopy(so->so_laddr_sa, so_laddr, len);
3590 		len = min(so->so_faddr_len, sizeof (so_faddr));
3591 		bcopy(so->so_faddr_sa, so_faddr, len);
3592 		mutex_exit(&so->so_lock);
3593 
3594 		add_sock_token = 1;
3595 
3596 		break;
3597 
3598 	case AF_UNIX:
3599 
3600 		/* get path from file struct here */
3601 		fad = F2A(fp);
3602 		ASSERT(fad);
3603 
3604 		if (fad->fad_aupath != NULL) {
3605 			au_uwrite(au_to_path(fad->fad_aupath));
3606 		} else {
3607 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3608 		}
3609 
3610 		audit_attributes(fp->f_vnode);
3611 
3612 		break;
3613 
3614 	default:
3615 		/*
3616 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3617 		 * added.
3618 		 */
3619 		break;
3620 	}
3621 
3622 	releasef(fd);
3623 
3624 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3625 
3626 	if (add_sock_token == 0) {
3627 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3628 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3629 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3630 		return;
3631 	}
3632 
3633 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3634 
3635 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3636 
3637 }
3638 
3639 /*ARGSUSED*/
3640 static void
3641 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3642 {
3643 	struct a {
3644 		long	fd;
3645 		long	level;
3646 		long	optname;
3647 		long	*optval;
3648 		long	optlen;
3649 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3650 
3651 	struct sonode	*so;
3652 	char so_laddr[sizeof (struct sockaddr_in6)];
3653 	char so_faddr[sizeof (struct sockaddr_in6)];
3654 	char		val[AU_BUFSIZE];
3655 	int		err, fd;
3656 	int		len;
3657 	short so_family, so_type;
3658 	int		add_sock_token = 0;
3659 	file_t *fp;				/* unix domain sockets */
3660 	struct f_audit_data *fad;		/* unix domain sockets */
3661 
3662 	fd = (int)uap->fd;
3663 
3664 	if (error) {
3665 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3666 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3667 		/* XXX may want to include other arguments */
3668 		return;
3669 	}
3670 
3671 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3672 		/*
3673 		 * not security relevant if doing a setsockopt from non socket
3674 		 * so no extra tokens. Should probably turn off audit record
3675 		 * generation here.
3676 		 */
3677 		return;
3678 	}
3679 
3680 	so_family = so->so_family;
3681 	so_type   = so->so_type;
3682 
3683 	switch (so_family) {
3684 	case AF_INET:
3685 	case AF_INET6:
3686 
3687 		bzero((void *)so_laddr, sizeof (so_laddr));
3688 		bzero((void *)so_faddr, sizeof (so_faddr));
3689 
3690 		if (so->so_state & SS_ISBOUND) {
3691 			if (so->so_laddr_len == 0)
3692 				(void) SOP_GETSOCKNAME(so);
3693 			if (so->so_faddr_len == 0)
3694 				(void) SOP_GETPEERNAME(so);
3695 		}
3696 
3697 		/* get local and foreign addresses */
3698 		mutex_enter(&so->so_lock);
3699 		len = min(so->so_laddr_len, sizeof (so_laddr));
3700 		bcopy(so->so_laddr_sa, so_laddr, len);
3701 		len = min(so->so_faddr_len, sizeof (so_faddr));
3702 		bcopy(so->so_faddr_sa, so_faddr, len);
3703 		mutex_exit(&so->so_lock);
3704 
3705 		add_sock_token = 1;
3706 
3707 		break;
3708 
3709 	case AF_UNIX:
3710 
3711 		/* get path from file struct here */
3712 		fad = F2A(fp);
3713 		ASSERT(fad);
3714 
3715 		if (fad->fad_aupath != NULL) {
3716 			au_uwrite(au_to_path(fad->fad_aupath));
3717 		} else {
3718 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3719 		}
3720 
3721 		audit_attributes(fp->f_vnode);
3722 
3723 		break;
3724 
3725 	default:
3726 		/*
3727 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3728 		 * added.
3729 		 */
3730 		break;
3731 	}
3732 
3733 	releasef(fd);
3734 
3735 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3736 
3737 	if (add_sock_token == 0) {
3738 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3739 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3740 	}
3741 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3742 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3743 
3744 	bzero(val, sizeof (val));
3745 	len = min(uap->optlen, sizeof (val));
3746 	if ((len > 0) &&
3747 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3748 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3749 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3750 	}
3751 
3752 	if (add_sock_token == 0)
3753 		return;
3754 
3755 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3756 
3757 }
3758 
3759 /*ARGSUSED*/
3760 static void
3761 aus_sockconfig(tad)
3762 	struct t_audit_data *tad;
3763 {
3764 	struct a {
3765 		long	domain;
3766 		long	type;
3767 		long	protocol;
3768 		long	devpath;
3769 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3770 
3771 	char	*kdevpath;
3772 	int	kdevpathlen = MAXPATHLEN + 1;
3773 	size_t	size;
3774 
3775 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3776 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3777 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3778 
3779 	if (uap->devpath == 0) {
3780 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3781 	} else {
3782 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3783 
3784 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3785 			&size)) {
3786 			kmem_free(kdevpath, kdevpathlen);
3787 			return;
3788 		}
3789 
3790 		if (size > MAXPATHLEN) {
3791 			kmem_free(kdevpath, kdevpathlen);
3792 			return;
3793 		}
3794 
3795 		au_uwrite(au_to_text(kdevpath));
3796 		kmem_free(kdevpath, kdevpathlen);
3797 	}
3798 }
3799 
3800 /*
3801  * only audit recvmsg when the system call represents the creation of a new
3802  * circuit. This effectively occurs for all UDP packets and may occur for
3803  * special TCP situations where the local host has not set a local address
3804  * in the socket structure.
3805  */
3806 /*ARGSUSED*/
3807 static void
3808 auf_recvmsg(
3809 	struct t_audit_data *tad,
3810 	int error,
3811 	rval_t *rvp)
3812 {
3813 	struct a {
3814 		long	fd;
3815 		long	msg;	/* struct msghdr */
3816 		long	flags;
3817 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3818 
3819 	struct sonode	*so;
3820 	STRUCT_DECL(msghdr, msg);
3821 	caddr_t msg_name;
3822 	socklen_t msg_namelen;
3823 	int fd;
3824 	int err;
3825 	char so_laddr[sizeof (struct sockaddr_in6)];
3826 	char so_faddr[sizeof (struct sockaddr_in6)];
3827 	int len;
3828 	file_t *fp;				/* unix domain sockets */
3829 	struct f_audit_data *fad;		/* unix domain sockets */
3830 	short so_family, so_type;
3831 	int add_sock_token = 0;
3832 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3833 
3834 	fd = (int)uap->fd;
3835 
3836 	/* bail if an error */
3837 	if (error) {
3838 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3839 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3840 		return;
3841 	}
3842 
3843 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3844 		/*
3845 		 * not security relevant if doing a recvmsg from non socket
3846 		 * so no extra tokens. Should probably turn off audit record
3847 		 * generation here.
3848 		 */
3849 		return;
3850 	}
3851 
3852 	so_family = so->so_family;
3853 	so_type   = so->so_type;
3854 
3855 	/*
3856 	 * only putout SOCKET_EX token if INET/INET6 family.
3857 	 * XXX - what do we do about other families?
3858 	 */
3859 
3860 	switch (so_family) {
3861 	case AF_INET:
3862 	case AF_INET6:
3863 
3864 		/*
3865 		 * if datagram type socket, then just use what is in
3866 		 * socket structure for local address.
3867 		 * XXX - what do we do for other types?
3868 		 */
3869 		if ((so->so_type == SOCK_DGRAM) ||
3870 		    (so->so_type == SOCK_RAW)) {
3871 			add_sock_token = 1;
3872 
3873 			bzero((void *)so_laddr, sizeof (so_laddr));
3874 			bzero((void *)so_faddr, sizeof (so_faddr));
3875 
3876 			/* get local address */
3877 			mutex_enter(&so->so_lock);
3878 			len = min(so->so_laddr_len, sizeof (so_laddr));
3879 			bcopy(so->so_laddr_sa, so_laddr, len);
3880 			mutex_exit(&so->so_lock);
3881 
3882 			/* get peer address */
3883 			STRUCT_INIT(msg, get_udatamodel());
3884 
3885 			if (copyin((caddr_t)(uap->msg),
3886 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3887 				break;
3888 			}
3889 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3890 			if (msg_name == NULL) {
3891 				break;
3892 			}
3893 
3894 			/* length is value from recvmsg - sanity check */
3895 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3896 			if (msg_namelen == 0) {
3897 				break;
3898 			}
3899 			if (copyin(msg_name, so_faddr,
3900 			    sizeof (so_faddr)) != 0) {
3901 				break;
3902 			}
3903 
3904 		} else if (so->so_type == SOCK_STREAM) {
3905 
3906 			/* get path from file struct here */
3907 			fad = F2A(fp);
3908 			ASSERT(fad);
3909 
3910 			/*
3911 			 * already processed this file for read attempt
3912 			 */
3913 			if (fad->fad_flags & FAD_READ) {
3914 				/* don't want to audit every recvmsg attempt */
3915 				tad->tad_flag = 0;
3916 				/* free any residual audit data */
3917 				au_close(kctx, &(u_ad), 0, 0, 0);
3918 				releasef(fd);
3919 				return;
3920 			}
3921 			/*
3922 			 * mark things so we know what happened and don't
3923 			 * repeat things
3924 			 */
3925 			fad->fad_flags |= FAD_READ;
3926 
3927 			bzero((void *)so_laddr, sizeof (so_laddr));
3928 			bzero((void *)so_faddr, sizeof (so_faddr));
3929 
3930 			if (so->so_state & SS_ISBOUND) {
3931 
3932 				if (so->so_laddr_len == 0)
3933 					(void) SOP_GETSOCKNAME(so);
3934 				if (so->so_faddr_len == 0)
3935 					(void) SOP_GETPEERNAME(so);
3936 
3937 				/* get local and foreign addresses */
3938 				mutex_enter(&so->so_lock);
3939 				len = min(so->so_laddr_len, sizeof (so_laddr));
3940 				bcopy(so->so_laddr_sa, so_laddr, len);
3941 				len = min(so->so_faddr_len, sizeof (so_faddr));
3942 				bcopy(so->so_faddr_sa, so_faddr, len);
3943 				mutex_exit(&so->so_lock);
3944 			}
3945 
3946 			add_sock_token = 1;
3947 		}
3948 
3949 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
3950 
3951 		break;
3952 
3953 	case AF_UNIX:
3954 		/*
3955 		 * first check if this is first time through. Too much
3956 		 * duplicate code to put this in an aui_ routine.
3957 		 */
3958 
3959 		/* get path from file struct here */
3960 		fad = F2A(fp);
3961 		ASSERT(fad);
3962 
3963 		/*
3964 		 * already processed this file for read attempt
3965 		 */
3966 		if (fad->fad_flags & FAD_READ) {
3967 			releasef(fd);
3968 			/* don't want to audit every recvmsg attempt */
3969 			tad->tad_flag = 0;
3970 			/* free any residual audit data */
3971 			au_close(kctx, &(u_ad), 0, 0, 0);
3972 			return;
3973 		}
3974 		/*
3975 		 * mark things so we know what happened and don't
3976 		 * repeat things
3977 		 */
3978 		fad->fad_flags |= FAD_READ;
3979 
3980 		if (fad->fad_aupath != NULL) {
3981 			au_uwrite(au_to_path(fad->fad_aupath));
3982 		} else {
3983 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3984 		}
3985 
3986 		audit_attributes(fp->f_vnode);
3987 
3988 		releasef(fd);
3989 
3990 		return;
3991 
3992 	default:
3993 		break;
3994 
3995 	}
3996 
3997 	releasef(fd);
3998 
3999 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4000 
4001 	if (add_sock_token == 0) {
4002 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4003 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4004 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4005 		return;
4006 	}
4007 
4008 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4009 
4010 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4011 
4012 }
4013 
4014 /*ARGSUSED*/
4015 static void
4016 auf_recvfrom(
4017 	struct t_audit_data *tad,
4018 	int error,
4019 	rval_t *rvp)
4020 {
4021 
4022 	struct a {
4023 		long	fd;
4024 		long	msg;	/* char */
4025 		long	len;
4026 		long	flags;
4027 		long	from;	/* struct sockaddr */
4028 		long	fromlen;
4029 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4030 
4031 	socklen_t	fromlen;
4032 	struct sonode	*so;
4033 	char so_laddr[sizeof (struct sockaddr_in6)];
4034 	char so_faddr[sizeof (struct sockaddr_in6)];
4035 	int		fd;
4036 	short so_family, so_type;
4037 	int add_sock_token = 0;
4038 	int len;
4039 	int err;
4040 	struct file *fp;
4041 	struct f_audit_data *fad;		/* unix domain sockets */
4042 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4043 
4044 	fd = (int)uap->fd;
4045 
4046 	/* bail if an error */
4047 	if (error) {
4048 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4049 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4050 		return;
4051 	}
4052 
4053 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4054 		/*
4055 		 * not security relevant if doing a recvmsg from non socket
4056 		 * so no extra tokens. Should probably turn off audit record
4057 		 * generation here.
4058 		 */
4059 		return;
4060 	}
4061 
4062 	so_family = so->so_family;
4063 	so_type   = so->so_type;
4064 
4065 	/*
4066 	 * only putout SOCKET_EX token if INET/INET6 family.
4067 	 * XXX - what do we do about other families?
4068 	 */
4069 
4070 	switch (so_family) {
4071 	case AF_INET:
4072 	case AF_INET6:
4073 
4074 		/*
4075 		 * if datagram type socket, then just use what is in
4076 		 * socket structure for local address.
4077 		 * XXX - what do we do for other types?
4078 		 */
4079 		if ((so->so_type == SOCK_DGRAM) ||
4080 		    (so->so_type == SOCK_RAW)) {
4081 			add_sock_token = 1;
4082 
4083 			/* get local address */
4084 			mutex_enter(&so->so_lock);
4085 			len = min(so->so_laddr_len, sizeof (so_laddr));
4086 			bcopy(so->so_laddr_sa, so_laddr, len);
4087 			mutex_exit(&so->so_lock);
4088 
4089 			/* get peer address */
4090 			bzero((void *)so_faddr, sizeof (so_faddr));
4091 
4092 			/* sanity check */
4093 			if (uap->from == NULL)
4094 				break;
4095 
4096 			/* sanity checks */
4097 			if (uap->fromlen == 0)
4098 				break;
4099 
4100 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4101 			    sizeof (fromlen)) != 0)
4102 				break;
4103 
4104 			if (fromlen == 0)
4105 				break;
4106 
4107 			/* enforce maximum size */
4108 			if (fromlen > sizeof (so_faddr))
4109 				fromlen = sizeof (so_faddr);
4110 
4111 			if (copyin((caddr_t)(uap->from), so_faddr,
4112 			    fromlen) != 0)
4113 				break;
4114 
4115 		} else if (so->so_type == SOCK_STREAM) {
4116 
4117 			/* get path from file struct here */
4118 			fad = F2A(fp);
4119 			ASSERT(fad);
4120 
4121 			/*
4122 			 * already processed this file for read attempt
4123 			 */
4124 			if (fad->fad_flags & FAD_READ) {
4125 				/* don't want to audit every recvfrom attempt */
4126 				tad->tad_flag = 0;
4127 				/* free any residual audit data */
4128 				au_close(kctx, &(u_ad), 0, 0, 0);
4129 				releasef(fd);
4130 				return;
4131 			}
4132 			/*
4133 			 * mark things so we know what happened and don't
4134 			 * repeat things
4135 			 */
4136 			fad->fad_flags |= FAD_READ;
4137 
4138 			bzero((void *)so_laddr, sizeof (so_laddr));
4139 			bzero((void *)so_faddr, sizeof (so_faddr));
4140 
4141 			if (so->so_state & SS_ISBOUND) {
4142 
4143 				if (so->so_laddr_len == 0)
4144 					(void) SOP_GETSOCKNAME(so);
4145 				if (so->so_faddr_len == 0)
4146 					(void) SOP_GETPEERNAME(so);
4147 
4148 				/* get local and foreign addresses */
4149 				mutex_enter(&so->so_lock);
4150 				len = min(so->so_laddr_len, sizeof (so_laddr));
4151 				bcopy(so->so_laddr_sa, so_laddr, len);
4152 				len = min(so->so_faddr_len, sizeof (so_faddr));
4153 				bcopy(so->so_faddr_sa, so_faddr, len);
4154 				mutex_exit(&so->so_lock);
4155 			}
4156 
4157 			add_sock_token = 1;
4158 		}
4159 
4160 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4161 
4162 		break;
4163 
4164 	case AF_UNIX:
4165 		/*
4166 		 * first check if this is first time through. Too much
4167 		 * duplicate code to put this in an aui_ routine.
4168 		 */
4169 
4170 		/* get path from file struct here */
4171 		fad = F2A(fp);
4172 		ASSERT(fad);
4173 
4174 		/*
4175 		 * already processed this file for read attempt
4176 		 */
4177 		if (fad->fad_flags & FAD_READ) {
4178 			/* don't want to audit every recvfrom attempt */
4179 			tad->tad_flag = 0;
4180 			/* free any residual audit data */
4181 			au_close(kctx, &(u_ad), 0, 0, 0);
4182 			releasef(fd);
4183 			return;
4184 		}
4185 		/*
4186 		 * mark things so we know what happened and don't
4187 		 * repeat things
4188 		 */
4189 		fad->fad_flags |= FAD_READ;
4190 
4191 		if (fad->fad_aupath != NULL) {
4192 			au_uwrite(au_to_path(fad->fad_aupath));
4193 		} else {
4194 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4195 		}
4196 
4197 		audit_attributes(fp->f_vnode);
4198 
4199 		releasef(fd);
4200 
4201 		return;
4202 
4203 	default:
4204 		break;
4205 
4206 	}
4207 
4208 	releasef(fd);
4209 
4210 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4211 
4212 	if (add_sock_token == 0) {
4213 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4214 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4215 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4216 		return;
4217 	}
4218 
4219 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4220 
4221 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4222 }
4223 
4224 /*ARGSUSED*/
4225 static void
4226 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4227 {
4228 	struct a {
4229 		long	fd;
4230 		long	msg;	/* struct msghdr */
4231 		long	flags;
4232 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4233 
4234 	struct sonode	*so;
4235 	char so_laddr[sizeof (struct sockaddr_in6)];
4236 	char so_faddr[sizeof (struct sockaddr_in6)];
4237 	int		err;
4238 	int		fd;
4239 	short so_family, so_type;
4240 	int		add_sock_token = 0;
4241 	int		len;
4242 	struct file	*fp;
4243 	struct f_audit_data *fad;
4244 	caddr_t		msg_name;
4245 	socklen_t	msg_namelen;
4246 	STRUCT_DECL(msghdr, msg);
4247 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4248 
4249 	fd = (int)uap->fd;
4250 
4251 	/* bail if an error */
4252 	if (error) {
4253 		/* XXX include destination address from system call arguments */
4254 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4255 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4256 		return;
4257 	}
4258 
4259 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4260 		/*
4261 		 * not security relevant if doing a sendmsg from non socket
4262 		 * so no extra tokens. Should probably turn off audit record
4263 		 * generation here.
4264 		 */
4265 		return;
4266 	}
4267 
4268 	so_family = so->so_family;
4269 	so_type   = so->so_type;
4270 
4271 	switch (so_family) {
4272 	case AF_INET:
4273 	case AF_INET6:
4274 		/*
4275 		 * if datagram type socket, then just use what is in
4276 		 * socket structure for local address.
4277 		 * XXX - what do we do for other types?
4278 		 */
4279 		if ((so->so_type == SOCK_DGRAM) ||
4280 		    (so->so_type == SOCK_RAW)) {
4281 
4282 			bzero((void *)so_laddr, sizeof (so_laddr));
4283 			bzero((void *)so_faddr, sizeof (so_faddr));
4284 
4285 			/* get local address */
4286 			mutex_enter(&so->so_lock);
4287 			len = min(so->so_laddr_len, sizeof (so_laddr));
4288 			bcopy(so->so_laddr_sa, so_laddr, len);
4289 			mutex_exit(&so->so_lock);
4290 
4291 			/* get peer address */
4292 			STRUCT_INIT(msg, get_udatamodel());
4293 
4294 			if (copyin((caddr_t)(uap->msg),
4295 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4296 				break;
4297 			}
4298 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4299 			if (msg_name == NULL)
4300 				break;
4301 
4302 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4303 			/* length is value from recvmsg - sanity check */
4304 			if (msg_namelen == 0)
4305 				break;
4306 
4307 			if (copyin(msg_name, so_faddr,
4308 			    sizeof (so_faddr)) != 0)
4309 				break;
4310 
4311 			add_sock_token = 1;
4312 
4313 		} else if (so->so_type == SOCK_STREAM) {
4314 
4315 			/* get path from file struct here */
4316 			fad = F2A(fp);
4317 			ASSERT(fad);
4318 
4319 			/*
4320 			 * already processed this file for write attempt
4321 			 */
4322 			if (fad->fad_flags & FAD_WRITE) {
4323 				releasef(fd);
4324 				/* don't want to audit every sendmsg attempt */
4325 				tad->tad_flag = 0;
4326 				/* free any residual audit data */
4327 				au_close(kctx, &(u_ad), 0, 0, 0);
4328 				return;
4329 			}
4330 
4331 			/*
4332 			 * mark things so we know what happened and don't
4333 			 * repeat things
4334 			 */
4335 			fad->fad_flags |= FAD_WRITE;
4336 
4337 			bzero((void *)so_laddr, sizeof (so_laddr));
4338 			bzero((void *)so_faddr, sizeof (so_faddr));
4339 
4340 			if (so->so_state & SS_ISBOUND) {
4341 
4342 				if (so->so_laddr_len == 0)
4343 					(void) SOP_GETSOCKNAME(so);
4344 				if (so->so_faddr_len == 0)
4345 					(void) SOP_GETPEERNAME(so);
4346 
4347 				/* get local and foreign addresses */
4348 				mutex_enter(&so->so_lock);
4349 				len = min(so->so_laddr_len, sizeof (so_laddr));
4350 				bcopy(so->so_laddr_sa, so_laddr, len);
4351 				len = min(so->so_faddr_len, sizeof (so_faddr));
4352 				bcopy(so->so_faddr_sa, so_faddr, len);
4353 				mutex_exit(&so->so_lock);
4354 			}
4355 
4356 			add_sock_token = 1;
4357 		}
4358 
4359 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4360 
4361 		break;
4362 
4363 	case AF_UNIX:
4364 		/*
4365 		 * first check if this is first time through. Too much
4366 		 * duplicate code to put this in an aui_ routine.
4367 		 */
4368 
4369 		/* get path from file struct here */
4370 		fad = F2A(fp);
4371 		ASSERT(fad);
4372 
4373 		/*
4374 		 * already processed this file for write attempt
4375 		 */
4376 		if (fad->fad_flags & FAD_WRITE) {
4377 			releasef(fd);
4378 			/* don't want to audit every sendmsg attempt */
4379 			tad->tad_flag = 0;
4380 			/* free any residual audit data */
4381 			au_close(kctx, &(u_ad), 0, 0, 0);
4382 			return;
4383 		}
4384 		/*
4385 		 * mark things so we know what happened and don't
4386 		 * repeat things
4387 		 */
4388 		fad->fad_flags |= FAD_WRITE;
4389 
4390 		if (fad->fad_aupath != NULL) {
4391 			au_uwrite(au_to_path(fad->fad_aupath));
4392 		} else {
4393 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4394 		}
4395 
4396 		audit_attributes(fp->f_vnode);
4397 
4398 		releasef(fd);
4399 
4400 		return;
4401 
4402 	default:
4403 		break;
4404 	}
4405 
4406 	releasef(fd);
4407 
4408 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4409 
4410 	if (add_sock_token == 0) {
4411 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4412 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4413 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4414 		return;
4415 	}
4416 
4417 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4418 
4419 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4420 }
4421 
4422 /*ARGSUSED*/
4423 static void
4424 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4425 {
4426 	struct a {
4427 		long	fd;
4428 		long	msg;	/* char */
4429 		long	len;
4430 		long	flags;
4431 		long	to;	/* struct sockaddr */
4432 		long	tolen;
4433 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4434 
4435 	struct sonode	*so;
4436 	char so_laddr[sizeof (struct sockaddr_in6)];
4437 	char so_faddr[sizeof (struct sockaddr_in6)];
4438 	socklen_t	tolen;
4439 	int		err;
4440 	int		fd;
4441 	int		len;
4442 	short so_family, so_type;
4443 	int		add_sock_token = 0;
4444 	struct file	*fp;
4445 	struct f_audit_data *fad;
4446 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4447 
4448 	fd = (int)uap->fd;
4449 
4450 	/* bail if an error */
4451 	if (error) {
4452 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4453 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4454 		/* XXX include destination address from system call arguments */
4455 		return;
4456 	}
4457 
4458 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4459 		/*
4460 		 * not security relevant if doing a sendto using non socket
4461 		 * so no extra tokens. Should probably turn off audit record
4462 		 * generation here.
4463 		 */
4464 		return;
4465 	}
4466 
4467 	so_family = so->so_family;
4468 	so_type   = so->so_type;
4469 
4470 	/*
4471 	 * only putout SOCKET_EX token if INET/INET6 family.
4472 	 * XXX - what do we do about other families?
4473 	 */
4474 
4475 	switch (so_family) {
4476 	case AF_INET:
4477 	case AF_INET6:
4478 
4479 		/*
4480 		 * if datagram type socket, then just use what is in
4481 		 * socket structure for local address.
4482 		 * XXX - what do we do for other types?
4483 		 */
4484 		if ((so->so_type == SOCK_DGRAM) ||
4485 		    (so->so_type == SOCK_RAW)) {
4486 
4487 			bzero((void *)so_laddr, sizeof (so_laddr));
4488 			bzero((void *)so_faddr, sizeof (so_faddr));
4489 
4490 			/* get local address */
4491 			mutex_enter(&so->so_lock);
4492 			len = min(so->so_laddr_len, sizeof (so_laddr));
4493 			bcopy(so->so_laddr_sa, so_laddr, len);
4494 			mutex_exit(&so->so_lock);
4495 
4496 			/* get peer address */
4497 
4498 			/* sanity check */
4499 			if (uap->to == NULL)
4500 				break;
4501 
4502 			/* sanity checks */
4503 			if (uap->tolen == 0)
4504 				break;
4505 
4506 			tolen = (socklen_t)uap->tolen;
4507 
4508 			/* enforce maximum size */
4509 			if (tolen > sizeof (so_faddr))
4510 				tolen = sizeof (so_faddr);
4511 
4512 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4513 				break;
4514 
4515 			add_sock_token = 1;
4516 		} else {
4517 			/*
4518 			 * check if this is first time through.
4519 			 */
4520 
4521 			/* get path from file struct here */
4522 			fad = F2A(fp);
4523 			ASSERT(fad);
4524 
4525 			/*
4526 			 * already processed this file for write attempt
4527 			 */
4528 			if (fad->fad_flags & FAD_WRITE) {
4529 				/* don't want to audit every sendto attempt */
4530 				tad->tad_flag = 0;
4531 				/* free any residual audit data */
4532 				au_close(kctx, &(u_ad), 0, 0, 0);
4533 				releasef(fd);
4534 				return;
4535 			}
4536 			/*
4537 			 * mark things so we know what happened and don't
4538 			 * repeat things
4539 			 */
4540 			fad->fad_flags |= FAD_WRITE;
4541 
4542 			bzero((void *)so_laddr, sizeof (so_laddr));
4543 			bzero((void *)so_faddr, sizeof (so_faddr));
4544 
4545 			if (so->so_state & SS_ISBOUND) {
4546 
4547 				if (so->so_laddr_len == 0)
4548 					(void) SOP_GETSOCKNAME(so);
4549 				if (so->so_faddr_len == 0)
4550 					(void) SOP_GETPEERNAME(so);
4551 
4552 				/* get local and foreign addresses */
4553 				mutex_enter(&so->so_lock);
4554 				len = min(so->so_laddr_len, sizeof (so_laddr));
4555 				bcopy(so->so_laddr_sa, so_laddr, len);
4556 				len = min(so->so_faddr_len, sizeof (so_faddr));
4557 				bcopy(so->so_faddr_sa, so_faddr, len);
4558 				mutex_exit(&so->so_lock);
4559 			}
4560 
4561 			add_sock_token = 1;
4562 		}
4563 
4564 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4565 
4566 		break;
4567 
4568 	case AF_UNIX:
4569 		/*
4570 		 * first check if this is first time through. Too much
4571 		 * duplicate code to put this in an aui_ routine.
4572 		 */
4573 
4574 		/* get path from file struct here */
4575 		fad = F2A(fp);
4576 		ASSERT(fad);
4577 
4578 		/*
4579 		 * already processed this file for write attempt
4580 		 */
4581 		if (fad->fad_flags & FAD_WRITE) {
4582 			/* don't want to audit every sendto attempt */
4583 			tad->tad_flag = 0;
4584 			/* free any residual audit data */
4585 			au_close(kctx, &(u_ad), 0, 0, 0);
4586 			releasef(fd);
4587 			return;
4588 		}
4589 		/*
4590 		 * mark things so we know what happened and don't
4591 		 * repeat things
4592 		 */
4593 		fad->fad_flags |= FAD_WRITE;
4594 
4595 		if (fad->fad_aupath != NULL) {
4596 			au_uwrite(au_to_path(fad->fad_aupath));
4597 		} else {
4598 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4599 		}
4600 
4601 		audit_attributes(fp->f_vnode);
4602 
4603 		releasef(fd);
4604 
4605 		return;
4606 
4607 	default:
4608 		break;
4609 
4610 	}
4611 
4612 	releasef(fd);
4613 
4614 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4615 
4616 	if (add_sock_token == 0) {
4617 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4618 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4619 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4620 		return;
4621 	}
4622 
4623 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4624 
4625 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4626 
4627 }
4628 
4629 /*
4630  * XXX socket(2) may be equivilent to open(2) on a unix domain
4631  * socket. This needs investigation.
4632  */
4633 
4634 /*ARGSUSED*/
4635 static void
4636 aus_socket(struct t_audit_data *tad)
4637 {
4638 	struct a {
4639 		long	domain;
4640 		long	type;
4641 		long	protocol;
4642 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4643 
4644 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4645 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4646 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4647 }
4648 
4649 /*ARGSUSED*/
4650 static void
4651 aus_sigqueue(struct t_audit_data *tad)
4652 {
4653 	struct a {
4654 		long	pid;
4655 		long	signo;
4656 		long	*val;
4657 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4658 	struct proc *p;
4659 	uid_t uid, ruid;
4660 	gid_t gid, rgid;
4661 	pid_t pid;
4662 	const auditinfo_addr_t *ainfo;
4663 	cred_t *cr;
4664 
4665 	pid = (pid_t)uap->pid;
4666 
4667 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4668 	if (pid > 0) {
4669 		mutex_enter(&pidlock);
4670 		if ((p = prfind(pid)) == (struct proc *)0) {
4671 			mutex_exit(&pidlock);
4672 			return;
4673 		}
4674 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4675 		mutex_exit(&pidlock);
4676 
4677 		mutex_enter(&p->p_crlock);
4678 		crhold(cr = p->p_cred);
4679 		mutex_exit(&p->p_crlock);
4680 		mutex_exit(&p->p_lock);
4681 
4682 		ainfo = crgetauinfo(cr);
4683 		if (ainfo == NULL) {
4684 			crfree(cr);
4685 			return;
4686 		}
4687 
4688 		uid  = crgetuid(cr);
4689 		gid  = crgetgid(cr);
4690 		ruid = crgetruid(cr);
4691 		rgid = crgetrgid(cr);
4692 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4693 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4694 		crfree(cr);
4695 	}
4696 	else
4697 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4698 }
4699 
4700 /*ARGSUSED*/
4701 static void
4702 aus_inst_sync(struct t_audit_data *tad)
4703 {
4704 	struct a {
4705 		long	name;	/* char */
4706 		long	flags;
4707 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4708 
4709 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4710 }
4711 
4712 /*ARGSUSED*/
4713 static void
4714 aus_brandsys(struct t_audit_data *tad)
4715 {
4716 	klwp_t *clwp = ttolwp(curthread);
4717 
4718 	struct a {
4719 		long	cmd;
4720 		long	arg1;
4721 		long	arg2;
4722 		long	arg3;
4723 		long	arg4;
4724 		long	arg5;
4725 		long	arg6;
4726 	} *uap = (struct a *)clwp->lwp_ap;
4727 
4728 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4729 #ifdef _LP64
4730 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4731 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4732 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4733 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4734 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4735 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4736 #else
4737 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4738 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4739 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4740 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4741 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4742 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4743 #endif
4744 }
4745 
4746 /*ARGSUSED*/
4747 static void
4748 aus_p_online(struct t_audit_data *tad)
4749 {
4750 	struct a {
4751 		long	processor_id;
4752 		long	flag;
4753 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4754 
4755 	struct flags {
4756 			int	flag;
4757 			char	*cflag;
4758 	} aflags[6] = {
4759 			{ P_ONLINE, "P_ONLINE"},
4760 			{ P_OFFLINE, "P_OFFLINE"},
4761 			{ P_NOINTR, "P_NOINTR"},
4762 			{ P_SPARE, "P_SPARE"},
4763 			{ P_FAULTED, "P_FAULTED"},
4764 			{ P_STATUS, "P_STATUS"}
4765 	};
4766 	int i;
4767 	char *cflag;
4768 
4769 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4770 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4771 
4772 	for (i = 0; i < 6; i++) {
4773 		if (aflags[i].flag == uap->flag)
4774 			break;
4775 	}
4776 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4777 
4778 	au_uwrite(au_to_text(cflag));
4779 }
4780 
4781 /*ARGSUSED*/
4782 static void
4783 aus_processor_bind(struct t_audit_data *tad)
4784 {
4785 	struct a {
4786 		long	id_type;
4787 		long	id;
4788 		long	processor_id;
4789 		long	obind;
4790 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4791 
4792 	struct proc *p;
4793 	int lwpcnt;
4794 	uid_t uid, ruid;
4795 	gid_t gid, rgid;
4796 	pid_t pid;
4797 	const auditinfo_addr_t *ainfo;
4798 	cred_t *cr;
4799 
4800 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4801 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4802 	if (uap->processor_id == PBIND_NONE)
4803 		au_uwrite(au_to_text("PBIND_NONE"));
4804 	else
4805 		au_uwrite(au_to_arg32(3, "processor_id",
4806 					(uint32_t)uap->processor_id));
4807 
4808 	switch (uap->id_type) {
4809 	case P_MYID:
4810 	case P_LWPID:
4811 		mutex_enter(&pidlock);
4812 		p = ttoproc(curthread);
4813 		if (p == NULL || p->p_as == &kas) {
4814 			mutex_exit(&pidlock);
4815 			return;
4816 		}
4817 		mutex_enter(&p->p_lock);
4818 		mutex_exit(&pidlock);
4819 		lwpcnt = p->p_lwpcnt;
4820 		pid  = p->p_pid;
4821 
4822 		mutex_enter(&p->p_crlock);
4823 		crhold(cr = p->p_cred);
4824 		mutex_exit(&p->p_crlock);
4825 		mutex_exit(&p->p_lock);
4826 
4827 		ainfo = crgetauinfo(cr);
4828 		if (ainfo == NULL) {
4829 			crfree(cr);
4830 			return;
4831 		}
4832 
4833 		uid  = crgetuid(cr);
4834 		gid  = crgetgid(cr);
4835 		ruid = crgetruid(cr);
4836 		rgid = crgetrgid(cr);
4837 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4838 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4839 		crfree(cr);
4840 		break;
4841 	case P_PID:
4842 		mutex_enter(&pidlock);
4843 		p = prfind(uap->id);
4844 		if (p == NULL || p->p_as == &kas) {
4845 			mutex_exit(&pidlock);
4846 			return;
4847 		}
4848 		mutex_enter(&p->p_lock);
4849 		mutex_exit(&pidlock);
4850 		lwpcnt = p->p_lwpcnt;
4851 		pid  = p->p_pid;
4852 
4853 		mutex_enter(&p->p_crlock);
4854 		crhold(cr = p->p_cred);
4855 		mutex_exit(&p->p_crlock);
4856 		mutex_exit(&p->p_lock);
4857 
4858 		ainfo = crgetauinfo(cr);
4859 		if (ainfo == NULL) {
4860 			crfree(cr);
4861 			return;
4862 		}
4863 
4864 		uid  = crgetuid(cr);
4865 		gid  = crgetgid(cr);
4866 		ruid = crgetruid(cr);
4867 		rgid = crgetrgid(cr);
4868 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4869 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4870 		crfree(cr);
4871 
4872 		break;
4873 	default:
4874 		return;
4875 	}
4876 
4877 	if (uap->processor_id == PBIND_NONE &&
4878 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4879 		au_uwrite(au_to_text("PBIND_NONE for process"));
4880 	else
4881 		au_uwrite(au_to_arg32(3, "processor_id",
4882 					(uint32_t)uap->processor_id));
4883 }
4884 
4885 /*ARGSUSED*/
4886 static au_event_t
4887 aui_doorfs(au_event_t e)
4888 {
4889 	uint32_t code;
4890 
4891 	struct a {		/* doorfs */
4892 		long	a1;
4893 		long	a2;
4894 		long	a3;
4895 		long	a4;
4896 		long	a5;
4897 		long	code;
4898 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4899 
4900 	/*
4901 	 *	audit formats for several of the
4902 	 *	door calls have not yet been determined
4903 	 */
4904 	code = (uint32_t)uap->code;
4905 	switch (code) {
4906 	case DOOR_CALL:
4907 		e = AUE_DOORFS_DOOR_CALL;
4908 		break;
4909 	case DOOR_RETURN:
4910 		e = AUE_NULL;
4911 		break;
4912 	case DOOR_CREATE:
4913 		e = AUE_DOORFS_DOOR_CREATE;
4914 		break;
4915 	case DOOR_REVOKE:
4916 		e = AUE_DOORFS_DOOR_REVOKE;
4917 		break;
4918 	case DOOR_INFO:
4919 		e = AUE_NULL;
4920 		break;
4921 	case DOOR_UCRED:
4922 		e = AUE_NULL;
4923 		break;
4924 	case DOOR_BIND:
4925 		e = AUE_NULL;
4926 		break;
4927 	case DOOR_UNBIND:
4928 		e = AUE_NULL;
4929 		break;
4930 	case DOOR_GETPARAM:
4931 		e = AUE_NULL;
4932 		break;
4933 	case DOOR_SETPARAM:
4934 		e = AUE_NULL;
4935 		break;
4936 	default:	/* illegal system call */
4937 		e = AUE_NULL;
4938 		break;
4939 	}
4940 
4941 	return (e);
4942 }
4943 
4944 static door_node_t *
4945 au_door_lookup(int did)
4946 {
4947 	vnode_t	*vp;
4948 	file_t *fp;
4949 
4950 	if ((fp = getf(did)) == NULL)
4951 		return (NULL);
4952 	/*
4953 	 * Use the underlying vnode (we may be namefs mounted)
4954 	 */
4955 	if (VOP_REALVP(fp->f_vnode, &vp))
4956 		vp = fp->f_vnode;
4957 
4958 	if (vp == NULL || vp->v_type != VDOOR) {
4959 		releasef(did);
4960 		return (NULL);
4961 	}
4962 
4963 	return (VTOD(vp));
4964 }
4965 
4966 /*ARGSUSED*/
4967 static void
4968 aus_doorfs(struct t_audit_data *tad)
4969 {
4970 
4971 	struct a {		/* doorfs */
4972 		long	a1;
4973 		long	a2;
4974 		long	a3;
4975 		long	a4;
4976 		long	a5;
4977 		long	code;
4978 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4979 
4980 	door_node_t	*dp;
4981 	struct proc	*p;
4982 	uint32_t	did;
4983 	uid_t uid, ruid;
4984 	gid_t gid, rgid;
4985 	pid_t pid;
4986 	const auditinfo_addr_t *ainfo;
4987 	cred_t *cr;
4988 
4989 	did = (uint32_t)uap->a1;
4990 
4991 	switch (tad->tad_event) {
4992 	case AUE_DOORFS_DOOR_CALL:
4993 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
4994 		if ((dp = au_door_lookup(did)) == NULL)
4995 			break;
4996 
4997 		if (DOOR_INVALID(dp)) {
4998 			releasef(did);
4999 			break;
5000 		}
5001 
5002 		if ((p = dp->door_target) == NULL) {
5003 			releasef(did);
5004 			break;
5005 		}
5006 		mutex_enter(&p->p_lock);
5007 		releasef(did);
5008 
5009 		pid  = p->p_pid;
5010 
5011 		mutex_enter(&p->p_crlock);
5012 		crhold(cr = p->p_cred);
5013 		mutex_exit(&p->p_crlock);
5014 		mutex_exit(&p->p_lock);
5015 
5016 		ainfo = crgetauinfo(cr);
5017 		if (ainfo == NULL) {
5018 			crfree(cr);
5019 			return;
5020 		}
5021 		uid  = crgetuid(cr);
5022 		gid  = crgetgid(cr);
5023 		ruid = crgetruid(cr);
5024 		rgid = crgetrgid(cr);
5025 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5026 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5027 		crfree(cr);
5028 		break;
5029 	case AUE_DOORFS_DOOR_RETURN:
5030 		/*
5031 		 * We may want to write information about
5032 		 * all doors (if any) which will be copied
5033 		 * by this call to the user space
5034 		 */
5035 		break;
5036 	case AUE_DOORFS_DOOR_CREATE:
5037 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5038 		break;
5039 	case AUE_DOORFS_DOOR_REVOKE:
5040 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5041 		break;
5042 	case AUE_DOORFS_DOOR_INFO:
5043 		break;
5044 	case AUE_DOORFS_DOOR_CRED:
5045 		break;
5046 	case AUE_DOORFS_DOOR_BIND:
5047 		break;
5048 	case AUE_DOORFS_DOOR_UNBIND: {
5049 		break;
5050 	}
5051 	default:	/* illegal system call */
5052 		break;
5053 	}
5054 }
5055 
5056 /*ARGSUSED*/
5057 static au_event_t
5058 aui_acl(au_event_t e)
5059 {
5060 	struct a {
5061 		union {
5062 			long	name;	/* char */
5063 			long	fd;
5064 		}		obj;
5065 
5066 		long		cmd;
5067 		long		nentries;
5068 		long		arg;	/* aclent_t */
5069 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5070 
5071 	switch (uap->cmd) {
5072 	case SETACL:
5073 		/* ok, acl(SETACL, ...) and facl(SETACL, ...)  are expected. */
5074 		break;
5075 	case GETACL:
5076 	case GETACLCNT:
5077 		/* do nothing for these two values. */
5078 		e = AUE_NULL;
5079 		break;
5080 	default:
5081 		/* illegal system call */
5082 		break;
5083 	}
5084 
5085 	return (e);
5086 }
5087 
5088 
5089 /*ARGSUSED*/
5090 static void
5091 aus_acl(struct t_audit_data *tad)
5092 {
5093 	struct a {
5094 		long	fname;
5095 		long	cmd;
5096 		long	nentries;
5097 		long	aclbufp;
5098 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5099 	struct acl *aclbufp;
5100 
5101 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5102 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5103 
5104 	switch (uap->cmd) {
5105 	case GETACL:
5106 	case GETACLCNT:
5107 		break;
5108 	case SETACL:
5109 	    if (uap->nentries < 3)
5110 		break;
5111 	    else {
5112 		size_t a_size = uap->nentries * sizeof (struct acl);
5113 		int i;
5114 
5115 		aclbufp = kmem_alloc(a_size, KM_SLEEP);
5116 		if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
5117 			kmem_free(aclbufp, a_size);
5118 			break;
5119 		}
5120 		for (i = 0; i < uap->nentries; i++) {
5121 			au_uwrite(au_to_acl(aclbufp + i));
5122 		}
5123 		kmem_free(aclbufp, a_size);
5124 		break;
5125 	}
5126 	default:
5127 		break;
5128 	}
5129 }
5130 
5131 /*ARGSUSED*/
5132 static void
5133 aus_facl(struct t_audit_data *tad)
5134 {
5135 	struct a {
5136 		long	fd;
5137 		long	cmd;
5138 		long	nentries;
5139 		long	aclbufp;
5140 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5141 	struct file  *fp;
5142 	struct vnode *vp;
5143 	struct f_audit_data *fad;
5144 	struct acl *aclbufp;
5145 	int fd;
5146 
5147 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5148 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5149 
5150 	fd = (int)uap->fd;
5151 
5152 	if ((fp = getf(fd)) == NULL)
5153 		return;
5154 
5155 	/* get path from file struct here */
5156 	fad = F2A(fp);
5157 	if (fad->fad_aupath != NULL) {
5158 		au_uwrite(au_to_path(fad->fad_aupath));
5159 	} else {
5160 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5161 	}
5162 
5163 	vp = fp->f_vnode;
5164 	audit_attributes(vp);
5165 
5166 	/* decrement file descriptor reference count */
5167 	releasef(fd);
5168 
5169 	switch (uap->cmd) {
5170 	case GETACL:
5171 	case GETACLCNT:
5172 		break;
5173 	case SETACL:
5174 	    if (uap->nentries < 3)
5175 		break;
5176 	    else {
5177 		size_t a_size = uap->nentries * sizeof (struct acl);
5178 		int i;
5179 
5180 		aclbufp = kmem_alloc(a_size, KM_SLEEP);
5181 		if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
5182 			kmem_free(aclbufp, a_size);
5183 			break;
5184 		}
5185 		for (i = 0; i < uap->nentries; i++) {
5186 			au_uwrite(au_to_acl(aclbufp + i));
5187 		}
5188 		kmem_free(aclbufp, a_size);
5189 		break;
5190 	}
5191 	default:
5192 		break;
5193 	}
5194 }
5195 
5196 /*ARGSUSED*/
5197 static void
5198 auf_read(tad, error, rval)
5199 	struct t_audit_data *tad;
5200 	int error;
5201 	rval_t *rval;
5202 {
5203 	struct file *fp;
5204 	struct f_audit_data *fad;
5205 	int fd;
5206 	register struct a {
5207 		long	fd;
5208 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5209 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5210 
5211 	fd = (int)uap->fd;
5212 
5213 	/*
5214 	 * convert file pointer to file descriptor
5215 	 *   Note: fd ref count incremented here.
5216 	 */
5217 	if ((fp = getf(fd)) == NULL)
5218 		return;
5219 
5220 	/* get path from file struct here */
5221 	fad = F2A(fp);
5222 	ASSERT(fad);
5223 
5224 	/*
5225 	 * already processed this file for read attempt
5226 	 *
5227 	 * XXX might be better to turn off auditing in a aui_read() routine.
5228 	 */
5229 	if (fad->fad_flags & FAD_READ) {
5230 		/* don't really want to audit every read attempt */
5231 		tad->tad_flag = 0;
5232 		/* free any residual audit data */
5233 		au_close(kctx, &(u_ad), 0, 0, 0);
5234 		releasef(fd);
5235 		return;
5236 	}
5237 	/* mark things so we know what happened and don't repeat things */
5238 	fad->fad_flags |= FAD_READ;
5239 
5240 	if (fad->fad_aupath != NULL) {
5241 		au_uwrite(au_to_path(fad->fad_aupath));
5242 	} else {
5243 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5244 	}
5245 
5246 	/* include attributes */
5247 	audit_attributes(fp->f_vnode);
5248 
5249 	/* decrement file descriptor reference count */
5250 	releasef(fd);
5251 }
5252 
5253 /*ARGSUSED*/
5254 static void
5255 auf_write(tad, error, rval)
5256 	struct t_audit_data *tad;
5257 	int error;
5258 	rval_t *rval;
5259 {
5260 	struct file *fp;
5261 	struct f_audit_data *fad;
5262 	int fd;
5263 	register struct a {
5264 		long	fd;
5265 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5266 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5267 
5268 	fd = (int)uap->fd;
5269 
5270 	/*
5271 	 * convert file pointer to file descriptor
5272 	 *   Note: fd ref count incremented here.
5273 	 */
5274 	if ((fp = getf(fd)) == NULL)
5275 		return;
5276 
5277 	/* get path from file struct here */
5278 	fad = F2A(fp);
5279 	ASSERT(fad);
5280 
5281 	/*
5282 	 * already processed this file for write attempt
5283 	 *
5284 	 * XXX might be better to turn off auditing in a aus_write() routine.
5285 	 */
5286 	if (fad->fad_flags & FAD_WRITE) {
5287 		/* don't really want to audit every write attempt */
5288 		tad->tad_flag = 0;
5289 		/* free any residual audit data */
5290 		au_close(kctx, &(u_ad), 0, 0, 0);
5291 		releasef(fd);
5292 		return;
5293 	}
5294 	/* mark things so we know what happened and don't repeat things */
5295 	fad->fad_flags |= FAD_WRITE;
5296 
5297 	if (fad->fad_aupath != NULL) {
5298 		au_uwrite(au_to_path(fad->fad_aupath));
5299 	} else {
5300 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5301 	}
5302 
5303 	/* include attributes */
5304 	audit_attributes(fp->f_vnode);
5305 
5306 	/* decrement file descriptor reference count */
5307 	releasef(fd);
5308 }
5309 
5310 /*ARGSUSED*/
5311 static void
5312 auf_recv(tad, error, rval)
5313 	struct t_audit_data *tad;
5314 	int error;
5315 	rval_t *rval;
5316 {
5317 	struct sonode *so;
5318 	char so_laddr[sizeof (struct sockaddr_in6)];
5319 	char so_faddr[sizeof (struct sockaddr_in6)];
5320 	struct file *fp;
5321 	struct f_audit_data *fad;
5322 	int fd;
5323 	int err;
5324 	int len;
5325 	short so_family, so_type;
5326 	register struct a {
5327 		long	fd;
5328 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5329 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5330 
5331 	/*
5332 	 * If there was an error, then nothing to do. Only generate
5333 	 * audit record on first successful recv.
5334 	 */
5335 	if (error) {
5336 		/* Turn off audit record generation here. */
5337 		tad->tad_flag = 0;
5338 		/* free any residual audit data */
5339 		au_close(kctx, &(u_ad), 0, 0, 0);
5340 		return;
5341 	}
5342 
5343 	fd = (int)uap->fd;
5344 
5345 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
5346 		/* Turn off audit record generation here. */
5347 		tad->tad_flag = 0;
5348 		/* free any residual audit data */
5349 		au_close(kctx, &(u_ad), 0, 0, 0);
5350 		return;
5351 	}
5352 
5353 	/* get path from file struct here */
5354 	fad = F2A(fp);
5355 	ASSERT(fad);
5356 
5357 	/*
5358 	 * already processed this file for read attempt
5359 	 */
5360 	if (fad->fad_flags & FAD_READ) {
5361 		releasef(fd);
5362 		/* don't really want to audit every recv call */
5363 		tad->tad_flag = 0;
5364 		/* free any residual audit data */
5365 		au_close(kctx, &(u_ad), 0, 0, 0);
5366 		return;
5367 	}
5368 
5369 	/* mark things so we know what happened and don't repeat things */
5370 	fad->fad_flags |= FAD_READ;
5371 
5372 	so_family = so->so_family;
5373 	so_type   = so->so_type;
5374 
5375 	switch (so_family) {
5376 	case AF_INET:
5377 	case AF_INET6:
5378 		/*
5379 		 * Only for connections.
5380 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5381 		 */
5382 		if (so->so_state & SS_ISBOUND) {
5383 
5384 			bzero((void *)so_laddr, sizeof (so_laddr));
5385 			bzero((void *)so_faddr, sizeof (so_faddr));
5386 
5387 			/* only done once on a connection */
5388 			(void) SOP_GETSOCKNAME(so);
5389 			(void) SOP_GETPEERNAME(so);
5390 
5391 			/* get local and foreign addresses */
5392 			mutex_enter(&so->so_lock);
5393 			len = min(so->so_laddr_len, sizeof (so_laddr));
5394 			bcopy(so->so_laddr_sa, so_laddr, len);
5395 			len = min(so->so_faddr_len, sizeof (so_faddr));
5396 			bcopy(so->so_faddr_sa, so_faddr, len);
5397 			mutex_exit(&so->so_lock);
5398 
5399 			/*
5400 			 * only way to drop out of switch. Note that we
5401 			 * we release fd below.
5402 			 */
5403 
5404 			break;
5405 		}
5406 
5407 		releasef(fd);
5408 
5409 		/* don't really want to audit every recv call */
5410 		tad->tad_flag = 0;
5411 		/* free any residual audit data */
5412 		au_close(kctx, &(u_ad), 0, 0, 0);
5413 
5414 		return;
5415 
5416 	case AF_UNIX:
5417 
5418 		if (fad->fad_aupath != NULL) {
5419 			au_uwrite(au_to_path(fad->fad_aupath));
5420 		} else {
5421 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5422 		}
5423 
5424 		audit_attributes(fp->f_vnode);
5425 
5426 		releasef(fd);
5427 
5428 		return;
5429 
5430 	default:
5431 		releasef(fd);
5432 
5433 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5434 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5435 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5436 
5437 		return;
5438 	}
5439 
5440 	releasef(fd);
5441 
5442 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5443 
5444 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5445 
5446 }
5447 
5448 /*ARGSUSED*/
5449 static void
5450 auf_send(tad, error, rval)
5451 	struct t_audit_data *tad;
5452 	int error;
5453 	rval_t *rval;
5454 {
5455 	struct sonode *so;
5456 	char so_laddr[sizeof (struct sockaddr_in6)];
5457 	char so_faddr[sizeof (struct sockaddr_in6)];
5458 	struct file *fp;
5459 	struct f_audit_data *fad;
5460 	int fd;
5461 	int err;
5462 	int len;
5463 	short so_family, so_type;
5464 	register struct a {
5465 		long	fd;
5466 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5467 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5468 
5469 	fd = (int)uap->fd;
5470 
5471 	/*
5472 	 * If there was an error, then nothing to do. Only generate
5473 	 * audit record on first successful send.
5474 	 */
5475 	if (error != 0) {
5476 		/* Turn off audit record generation here. */
5477 		tad->tad_flag = 0;
5478 		/* free any residual audit data */
5479 		au_close(kctx, &(u_ad), 0, 0, 0);
5480 		return;
5481 	}
5482 
5483 	fd = (int)uap->fd;
5484 
5485 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
5486 		/* Turn off audit record generation here. */
5487 		tad->tad_flag = 0;
5488 		/* free any residual audit data */
5489 		au_close(kctx, &(u_ad), 0, 0, 0);
5490 		return;
5491 	}
5492 
5493 	/* get path from file struct here */
5494 	fad = F2A(fp);
5495 	ASSERT(fad);
5496 
5497 	/*
5498 	 * already processed this file for write attempt
5499 	 */
5500 	if (fad->fad_flags & FAD_WRITE) {
5501 		releasef(fd);
5502 		/* don't really want to audit every send call */
5503 		tad->tad_flag = 0;
5504 		/* free any residual audit data */
5505 		au_close(kctx, &(u_ad), 0, 0, 0);
5506 		return;
5507 	}
5508 
5509 	/* mark things so we know what happened and don't repeat things */
5510 	fad->fad_flags |= FAD_WRITE;
5511 
5512 	so_family = so->so_family;
5513 	so_type   = so->so_type;
5514 
5515 	switch (so_family) {
5516 	case AF_INET:
5517 	case AF_INET6:
5518 		/*
5519 		 * Only for connections.
5520 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5521 		 */
5522 		if (so->so_state & SS_ISBOUND) {
5523 
5524 			bzero((void *)so_laddr, sizeof (so_laddr));
5525 			bzero((void *)so_faddr, sizeof (so_faddr));
5526 
5527 			/* only done once on a connection */
5528 			(void) SOP_GETSOCKNAME(so);
5529 			(void) SOP_GETPEERNAME(so);
5530 
5531 			/* get local and foreign addresses */
5532 			mutex_enter(&so->so_lock);
5533 			len = min(so->so_laddr_len, sizeof (so_laddr));
5534 			bcopy(so->so_laddr_sa, so_laddr, len);
5535 			len = min(so->so_faddr_len, sizeof (so_faddr));
5536 			bcopy(so->so_faddr_sa, so_faddr, len);
5537 			mutex_exit(&so->so_lock);
5538 
5539 			/*
5540 			 * only way to drop out of switch. Note that we
5541 			 * we release fd below.
5542 			 */
5543 
5544 			break;
5545 		}
5546 
5547 		releasef(fd);
5548 		/* don't really want to audit every send call */
5549 		tad->tad_flag = 0;
5550 		/* free any residual audit data */
5551 		au_close(kctx, &(u_ad), 0, 0, 0);
5552 
5553 		return;
5554 
5555 	case AF_UNIX:
5556 
5557 		if (fad->fad_aupath != NULL) {
5558 			au_uwrite(au_to_path(fad->fad_aupath));
5559 		} else {
5560 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5561 		}
5562 
5563 		audit_attributes(fp->f_vnode);
5564 
5565 		releasef(fd);
5566 
5567 		return;
5568 
5569 	default:
5570 		releasef(fd);
5571 
5572 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5573 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5574 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5575 
5576 		return;
5577 	}
5578 
5579 	releasef(fd);
5580 
5581 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5582 
5583 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5584 }
5585 
5586 static au_event_t
5587 aui_forksys(au_event_t e)
5588 {
5589 	struct a {
5590 		long	subcode;
5591 		long	flags;
5592 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5593 
5594 	switch ((uint_t)uap->subcode) {
5595 	case 0:
5596 		e = AUE_FORK1;
5597 		break;
5598 	case 1:
5599 		e = AUE_FORKALL;
5600 		break;
5601 	case 2:
5602 		e = AUE_VFORK;
5603 		break;
5604 	default:
5605 		e = AUE_NULL;
5606 		break;
5607 	}
5608 
5609 	return (e);
5610 }
5611