xref: /titanic_44/usr/src/uts/common/c2/audit_event.c (revision 744947dc83c634d985ed3ad79ac9c5e28d1865fd)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 /*
26  * This file contains the audit event table used to control the production
27  * of audit records for each system call.
28  */
29 
30 #include <sys/policy.h>
31 #include <sys/cred.h>
32 #include <sys/types.h>
33 #include <sys/systm.h>
34 #include <sys/systeminfo.h>	/* for sysinfo auditing */
35 #include <sys/utsname.h>	/* for sysinfo auditing */
36 #include <sys/proc.h>
37 #include <sys/vnode.h>
38 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
39 #include <sys/fcntl.h>
40 #include <sys/modctl.h>		/* for modctl auditing */
41 #include <sys/vnode.h>
42 #include <sys/user.h>
43 #include <sys/types.h>
44 #include <sys/processor.h>
45 #include <sys/procset.h>
46 #include <sys/acl.h>
47 #include <sys/ipc.h>
48 #include <sys/door.h>
49 #include <sys/sem.h>
50 #include <sys/msg.h>
51 #include <sys/shm.h>
52 #include <sys/kmem.h>
53 #include <sys/file.h>		/* for accept */
54 #include <sys/utssys.h>		/* for fuser */
55 #include <sys/tsol/label.h>
56 #include <sys/tsol/tndb.h>
57 #include <sys/tsol/tsyscall.h>
58 #include <c2/audit.h>
59 #include <c2/audit_kernel.h>
60 #include <c2/audit_kevents.h>
61 #include <c2/audit_record.h>
62 #include <sys/procset.h>
63 #include <nfs/mount.h>
64 #include <sys/param.h>
65 #include <sys/debug.h>
66 #include <sys/sysmacros.h>
67 #include <sys/stream.h>
68 #include <sys/strsubr.h>
69 #include <sys/stropts.h>
70 #include <sys/tihdr.h>
71 #include <sys/socket.h>
72 #include <sys/socketvar.h>
73 #include <sys/vfs_opreg.h>
74 #include <fs/sockfs/sockcommon.h>
75 #include <netinet/in.h>
76 #include <sys/ddi.h>
77 #include <sys/port_impl.h>
78 
79 
80 char	_depends_on[] = "fs/sockfs";
81 
82 static au_event_t	aui_fchownat(au_event_t);
83 static au_event_t	aui_open(au_event_t);
84 static au_event_t	aui_openat(au_event_t);
85 static au_event_t	aui_unlinkat(au_event_t);
86 static au_event_t	aui_fstatat(au_event_t);
87 static au_event_t	aui_msgsys(au_event_t);
88 static au_event_t	aui_shmsys(au_event_t);
89 static au_event_t	aui_semsys(au_event_t);
90 static au_event_t	aui_utssys(au_event_t);
91 static au_event_t	aui_fcntl(au_event_t);
92 static au_event_t	aui_execve(au_event_t);
93 static au_event_t	aui_memcntl(au_event_t);
94 static au_event_t	aui_sysinfo(au_event_t);
95 static au_event_t	aui_portfs(au_event_t);
96 static au_event_t	aui_auditsys(au_event_t);
97 static au_event_t	aui_modctl(au_event_t);
98 static au_event_t	aui_acl(au_event_t);
99 static au_event_t	aui_doorfs(au_event_t);
100 static au_event_t	aui_privsys(au_event_t);
101 static au_event_t	aui_forksys(au_event_t);
102 static au_event_t	aui_labelsys(au_event_t);
103 static au_event_t	aui_setpgrp(au_event_t);
104 
105 static void	aus_exit(struct t_audit_data *);
106 static void	aus_open(struct t_audit_data *);
107 static void	aus_openat(struct t_audit_data *);
108 static void	aus_acl(struct t_audit_data *);
109 static void	aus_acct(struct t_audit_data *);
110 static void	aus_chown(struct t_audit_data *);
111 static void	aus_fchown(struct t_audit_data *);
112 static void	aus_lchown(struct t_audit_data *);
113 static void	aus_fchownat(struct t_audit_data *);
114 static void	aus_chmod(struct t_audit_data *);
115 static void	aus_facl(struct t_audit_data *);
116 static void	aus_fchmod(struct t_audit_data *);
117 static void	aus_fcntl(struct t_audit_data *);
118 static void	aus_mkdir(struct t_audit_data *);
119 static void	aus_mknod(struct t_audit_data *);
120 static void	aus_mount(struct t_audit_data *);
121 static void	aus_umount2(struct t_audit_data *);
122 static void	aus_msgsys(struct t_audit_data *);
123 static void	aus_semsys(struct t_audit_data *);
124 static void	aus_close(struct t_audit_data *);
125 static void	aus_fstatfs(struct t_audit_data *);
126 static void	aus_setgid(struct t_audit_data *);
127 static void	aus_setpgrp(struct t_audit_data *);
128 static void	aus_setuid(struct t_audit_data *);
129 static void	aus_shmsys(struct t_audit_data *);
130 static void	aus_doorfs(struct t_audit_data *);
131 static void	aus_ioctl(struct t_audit_data *);
132 static void	aus_memcntl(struct t_audit_data *);
133 static void	aus_mmap(struct t_audit_data *);
134 static void	aus_munmap(struct t_audit_data *);
135 static void	aus_priocntlsys(struct t_audit_data *);
136 static void	aus_setegid(struct t_audit_data *);
137 static void	aus_setgroups(struct t_audit_data *);
138 static void	aus_seteuid(struct t_audit_data *);
139 static void	aus_putmsg(struct t_audit_data *);
140 static void	aus_putpmsg(struct t_audit_data *);
141 static void	aus_getmsg(struct t_audit_data *);
142 static void	aus_getpmsg(struct t_audit_data *);
143 static void	aus_auditsys(struct t_audit_data *);
144 static void	aus_sysinfo(struct t_audit_data *);
145 static void	aus_modctl(struct t_audit_data *);
146 static void	aus_kill(struct t_audit_data *);
147 static void	aus_setregid(struct t_audit_data *);
148 static void	aus_setreuid(struct t_audit_data *);
149 static void	aus_labelsys(struct t_audit_data *);
150 
151 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
152 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
153 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
154 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
155 static void	auf_read(struct t_audit_data *, int, rval_t *);
156 static void	auf_write(struct t_audit_data *, int, rval_t *);
157 
158 static void	aus_sigqueue(struct t_audit_data *);
159 static void	aus_p_online(struct t_audit_data *);
160 static void	aus_processor_bind(struct t_audit_data *);
161 static void	aus_inst_sync(struct t_audit_data *);
162 static void	aus_brandsys(struct t_audit_data *);
163 
164 static void	auf_accept(struct t_audit_data *, int, rval_t *);
165 
166 static void	auf_bind(struct t_audit_data *, int, rval_t *);
167 static void	auf_connect(struct t_audit_data *, int, rval_t *);
168 static void	aus_shutdown(struct t_audit_data *);
169 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
170 static void	aus_sockconfig(struct t_audit_data *);
171 static void	auf_recv(struct t_audit_data *, int, rval_t *);
172 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
173 static void	auf_send(struct t_audit_data *, int, rval_t *);
174 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
175 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
176 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
177 static void	aus_socket(struct t_audit_data *);
178 /*
179  * This table contains mapping information for converting system call numbers
180  * to audit event IDs. In several cases it is necessary to map a single system
181  * call to several events.
182  */
183 
184 #define	aui_null	NULL	/* NULL initialize function */
185 #define	aus_null	NULL	/* NULL start function */
186 #define	auf_null	NULL	/* NULL finish function */
187 
188 struct audit_s2e audit_s2e[] =
189 {
190 /*
191  * ----------	---------- 	----------	----------
192  * INITIAL	AUDIT		START		SYSTEM
193  * PROCESSING	EVENT		PROCESSING	CALL
194  * ----------	----------	----------	-----------
195  *		FINISH		EVENT
196  *		PROCESSING	CONTROL
197  * ----------------------------------------------------------
198  */
199 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
200 		auf_null,	0,
201 aui_null,	AUE_EXIT,	aus_exit,	/* 1 exit */
202 		auf_null,	S2E_NPT,
203 aui_null,	AUE_NULL,	aus_null,	/* 2 (loadable) was forkall */
204 		auf_null,	0,
205 aui_null,	AUE_READ,	aus_null,	/* 3 read */
206 		auf_read,	S2E_PUB,
207 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
208 		auf_write,	0,
209 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
210 		auf_null,	S2E_SP,
211 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
212 		auf_null,	0,
213 aui_null,	AUE_NULL,	aus_null,	/* 7 (loadable) was wait */
214 		auf_null,	0,
215 aui_null,	AUE_NULL,	aus_null,	/* 8 (loadable) was creat */
216 		auf_null,	0,
217 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
218 		auf_null,	0,
219 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
220 		auf_null,	0,
221 aui_null,	AUE_NULL,	aus_null,	/* 11 (loadable) was exec */
222 		auf_null,	0,
223 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
224 		auf_null,	S2E_SP,
225 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
226 		auf_null,	0,
227 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
228 		auf_mknod,	0,
229 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
230 		auf_null,	0,
231 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
232 		auf_null,	0,
233 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
234 		auf_null,	0,
235 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
236 		auf_null,	S2E_PUB,
237 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
238 		auf_null,	0,
239 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
240 		auf_null,	0,
241 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
242 		auf_null,	S2E_MLD,
243 aui_null,	AUE_NULL,	aus_null,	/* 22 (loadable) was umount */
244 		auf_null,	0,
245 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
246 		auf_null,	0,
247 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
248 		auf_null,	0,
249 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
250 		auf_null,	0,
251 aui_null,	AUE_NULL,	aus_null,	/* 26 pcsample */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
254 		auf_null,	0,
255 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 30 (loadable) was utime */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
262 		auf_null,	0,
263 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
264 		auf_null,	0,
265 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
266 		auf_null,	S2E_PUB,
267 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
268 		auf_null,	0,
269 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
270 		auf_null,	S2E_PUB,
271 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
272 		auf_null,	0,
273 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
274 		auf_null,	0,
275 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
276 		auf_null,	S2E_PUB,
277 aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
278 		auf_null,	0,
279 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
280 		auf_null,	0,
281 aui_null,	AUE_NULL,	aus_null,	/* 41 (loadable) was dup */
282 		auf_null,	0,
283 aui_null,	AUE_PIPE,	aus_null,	/* 42 (loadable) pipe */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
288 		auf_null,	0,
289 aui_null,	AUE_ACCESS,	aus_null,	/* 45 faccessat */
290 		auf_null,	S2E_PUB | S2E_ATC,
291 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
292 		auf_null,	0,
293 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
294 		auf_null,	0,
295 aui_null,	AUE_NULL,	aus_null,	/* 48 (loadable) was ssig */
296 		auf_null,	0,
297 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) msgsys */
298 		auf_msgsys,	0,
299 #if defined(__x86)
300 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
301 		auf_null,	0,
302 #else
303 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
304 		auf_null,	0,
305 #endif /* __x86 */
306 aui_null,	AUE_ACCT,	aus_acct,	/* 51 (loadable) sysacct */
307 		auf_null,	0,
308 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 (loadable) shmsys */
309 		auf_shmsys,	0,
310 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 (loadable) semsys */
311 		auf_semsys,	0,
312 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
313 		auf_null,	0,
314 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
315 		auf_null,	0,
316 aui_fchownat,	AUE_NULL,	aus_fchownat,	/* 56 fchownat */
317 		auf_null,	S2E_ATC,
318 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
319 		auf_null,	0,
320 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
321 		auf_null,	0,
322 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
323 		auf_null,	S2E_MLD,
324 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
325 		auf_null,	0,
326 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
327 		auf_null,	S2E_SP,
328 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
329 		auf_null,	0,
330 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
331 		auf_null,	0,
332 aui_null,	AUE_RENAME,	aus_null,	/* 64 renameat */
333 		auf_null,	S2E_ATC,
334 aui_unlinkat,	AUE_NULL,	aus_null,	/* 65 unlinkat */
335 		auf_null,	S2E_ATC,
336 aui_fstatat,	AUE_NULL,	aus_null,	/* 66 fstatat */
337 		auf_null,	S2E_PUB | S2E_ATC,
338 aui_fstatat,	AUE_NULL,	aus_null,	/* 67 fstatat64 */
339 		auf_null,	S2E_PUB | S2E_ATC,
340 aui_openat,	AUE_OPEN,	aus_openat,	/* 68 openat */
341 		auf_null,	S2E_SP | S2E_ATC,
342 aui_openat,	AUE_OPEN,	aus_openat,	/* 69 openat64 */
343 		auf_null,	S2E_SP | S2E_ATC,
344 aui_null,	AUE_NULL,	aus_null,	/* 70 tasksys */
345 		auf_null,	0,
346 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) acctctl */
347 		auf_null,	0,
348 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) exacct */
349 		auf_null,	0,
350 aui_null,	AUE_NULL,	aus_null,	/* 73 getpagesizes */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 74 rctlsys */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
355 		auf_null,	0,
356 aui_null,	AUE_NULL,	aus_null,	/* 76 (loadable) was fsat */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 77 syslwp_park */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 78 sendfilev */
361 		auf_null,	0,
362 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
363 		auf_null,	0,
364 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
365 		auf_null,	0,
366 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
367 		auf_null,	0,
368 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
369 		auf_null,	0,
370 aui_null,	AUE_NULL,	aus_null,	/* 83 ucredsys */
371 		auf_null,	0,
372 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
373 		auf_null,	0,
374 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
375 		auf_null,	0,
376 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
377 		auf_null,	0,
378 aui_null,	AUE_NULL,	aus_null,	/* 87 (loadable) was poll */
379 		auf_null,	0,
380 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
381 		auf_null,	S2E_PUB,
382 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
383 		auf_null,	0,
384 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
385 		auf_null,	S2E_PUB,
386 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
387 		auf_null,	0,
388 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
389 		auf_null,	0,
390 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
391 		auf_null,	0,
392 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
393 		auf_null,	0,
394 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
395 		auf_null,	0,
396 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
397 		auf_null,	0,
398 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
409 		auf_null,	0,
410 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
411 		auf_null,	S2E_PUB,
412 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
413 		auf_null,	0,
414 aui_null,	AUE_NULL,	aus_null,	/* 105 getloadavg */
415 		auf_null,	0,
416 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
417 		auf_null,	0,
418 aui_null,	AUE_NULL,	aus_null,	/* 107 waitsys */
419 		auf_null,	0,
420 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendsys */
421 		auf_null,	0,
422 #if defined(__x86)
423 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
424 		auf_null,	0,
425 #else
426 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
427 		auf_null,	0,
428 #endif /* __x86 */
429 aui_null,	AUE_UTIMES,	aus_null,	/* 110 utimesys */
430 		auf_null,	S2E_ATC,
431 aui_null,	AUE_NULL,	aus_null,	/* 111 sigresend */
432 		auf_null,	0,
433 aui_null,	AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
434 		auf_null,	0,
435 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
436 		auf_null,	S2E_PUB,
437 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
438 		auf_null,	0,
439 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
440 		auf_null,	0,
441 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
442 		auf_null,	0,
443 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
444 		auf_null,	0,
445 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
446 		auf_null,	0,
447 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
448 		auf_null,	0,
449 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
450 		auf_null,	0,
451 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
452 		auf_read,	S2E_PUB,
453 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
454 		auf_write,	0,
455 aui_null,	AUE_NULL,	aus_null,	/* 123 (loadable) was xstat */
456 		auf_null,	0,
457 aui_null,	AUE_NULL,	aus_null,	/* 124 (loadable) was lxstat */
458 		auf_null,	0,
459 aui_null,	AUE_NULL,	aus_null,	/* 125 (loadable) was fxstat */
460 		auf_null,	0,
461 aui_null,	AUE_NULL,	aus_null,	/* 126 (loadable) was xmknod */
462 		auf_null,	0,
463 aui_null,	AUE_NULL,	aus_null,	/* 127 mmapobj */
464 		auf_null,	0,
465 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
466 		auf_null,	0,
467 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
468 		auf_null,	0,
469 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
470 		auf_null,	0,
471 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
472 		auf_null,	0,
473 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
474 		auf_null,	0,
475 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
476 		auf_null,	0,
477 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
478 		auf_null,	0,
479 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
480 		auf_null,	0,
481 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
482 		auf_null,	0,
483 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
484 		auf_null,	0,
485 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
486 		auf_null,	0,
487 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
488 		auf_null,	0,
489 aui_null,	AUE_NULL,	aus_null,	/* 140 (loadable) sharefs */
490 		auf_null,	0,
491 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
492 		auf_null,	0,
493 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
494 		auf_null,	0,
495 aui_null,	AUE_NULL,	aus_null,	/* 143 (loadable) was fork1 */
496 		auf_null,	0,
497 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
498 		auf_null,	0,
499 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
500 		auf_null,	0,
501 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
502 		auf_null,	0,
503 aui_null,	AUE_NULL,	aus_null,	/* 147 (loadable) */
504 						/*	was lwp_sema_wait */
505 		auf_null,	0,
506 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 150 lwp_detach */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 151 corectl */
513 		auf_null,	0,
514 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
515 		auf_null,	0,
516 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
517 		auf_null,	0,
518 aui_null,	AUE_NULL,	aus_null,	/* 154 (loadable) was utimes */
519 		auf_null,	0,
520 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
521 		auf_null,	0,
522 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 165 lwp_sigmask */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 166 lwp_private */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
547 		auf_null,	0,
548 aui_null,	AUE_NULL,	aus_null,	/* 169 (loadable) */
549 						/*	was lwp_mutex_lock */
550 		auf_null,	0,
551 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
552 		auf_null,	0,
553 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
554 		auf_null,	0,
555 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
556 		auf_null,	0,
557 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
558 		auf_read,	S2E_PUB,
559 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
560 		auf_write,	0,
561 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
562 		auf_null,	0,
563 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) inst_sync */
564 		auf_null,	0,
565 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
566 		auf_null,	0,
567 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) kaio */
568 		auf_null,	0,
569 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) cpc */
570 		auf_null,	0,
571 aui_null,	AUE_NULL,	aus_null,	/* 180 lgrpsys */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 181 rusagesys */
574 		auf_null,	0,
575 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
576 		auf_null,	S2E_MLD,
577 aui_null,	AUE_NULL,	aus_null,	/* 183 pollsys */
578 		auf_null,	0,
579 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
580 		auf_null,	0,
581 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
582 		auf_null,	0,
583 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
584 		auf_null,	0,
585 aui_null,	AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
586 		auf_null,	0,
587 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
588 		auf_null,	0,
589 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
590 		auf_null,	0,
591 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
592 		auf_null,	0,
593 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
594 		auf_null,	0,
595 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
596 		auf_null,	0,
597 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
600 		auf_null,	0,
601 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
610 		auf_null,	0,
611 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
612 		auf_null,	0,
613 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
614 		auf_null,	0,
615 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
616 		auf_null,	0,
617 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
618 		auf_null,	0,
619 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
620 		auf_null,	0,
621 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
622 		auf_null,	0,
623 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 208 sparc_utrap_install */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 */
638 		auf_null,	0,
639 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
640 		auf_null,	0,
641 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
642 		auf_null,	S2E_PUB,
643 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
644 		auf_null,	S2E_PUB,
645 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
646 		auf_null,	0,
647 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
648 		auf_null,	S2E_PUB,
649 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
650 		auf_null,	0,
651 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
652 		auf_null,	0,
653 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
654 		auf_null,	0,
655 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
656 		auf_read,	S2E_PUB,
657 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
658 		auf_write,	0,
659 aui_null,	AUE_NULL,	aus_null,	/* 224 (loadable) was creat64 */
660 		auf_null,	0,
661 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
662 		auf_null,	S2E_SP,
663 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
664 		auf_null,	0,
665 aui_null,	AUE_NULL,	aus_null,	/* 227 zone */
666 		auf_null,	0,
667 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) autofssys */
668 		auf_null,	0,
669 aui_null,	AUE_NULL,	aus_null,	/* 229 getcwd */
670 		auf_null,	0,
671 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
674 		auf_null,	0,
675 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
676 		auf_bind,	0,
677 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
678 		auf_null,	0,
679 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
680 		auf_accept,	0,
681 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
682 		auf_connect,	0,
683 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
684 		auf_null,	0,
685 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
686 		auf_recv,	0,
687 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
688 		auf_recvfrom,	0,
689 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
690 		auf_recvmsg,	0,
691 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
692 		auf_send,	0,
693 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
694 		auf_sendmsg,	0,
695 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
696 		auf_sendto,	0,
697 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
698 		auf_null,	0,
699 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
700 		auf_null,	0,
701 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
702 		auf_null,	0,
703 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
704 		auf_setsockopt,	0,
705 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
706 		auf_null,	0,
707 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
708 		auf_null,	0,
709 aui_null,	AUE_NTP_ADJTIME, aus_null,	/* 249 ntp_adjtime */
710 		auf_null,	0,
711 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
712 		auf_null,	0,
713 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
714 		auf_null,	0,
715 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
720 		auf_null,	0,
721 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
722 		auf_null,	0
723 };
724 
725 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
726 
727 
728 /* exit start function */
729 /*ARGSUSED*/
730 static void
731 aus_exit(struct t_audit_data *tad)
732 {
733 	uint32_t rval;
734 	struct a {
735 		long rval;
736 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
737 
738 	rval = (uint32_t)uap->rval;
739 	au_uwrite(au_to_arg32(1, "exit status", rval));
740 }
741 
742 /* acct start function */
743 /*ARGSUSED*/
744 static void
745 aus_acct(struct t_audit_data *tad)
746 {
747 	klwp_t *clwp = ttolwp(curthread);
748 	uintptr_t fname;
749 
750 	struct a {
751 		long	fname;		/* char * */
752 	} *uap = (struct a *)clwp->lwp_ap;
753 
754 	fname = (uintptr_t)uap->fname;
755 
756 	if (fname == 0)
757 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
758 }
759 
760 /* chown start function */
761 /*ARGSUSED*/
762 static void
763 aus_chown(struct t_audit_data *tad)
764 {
765 	klwp_t *clwp = ttolwp(curthread);
766 	uint32_t uid, gid;
767 
768 	struct a {
769 		long	fname;		/* char * */
770 		long	uid;
771 		long	gid;
772 	} *uap = (struct a *)clwp->lwp_ap;
773 
774 	uid = (uint32_t)uap->uid;
775 	gid = (uint32_t)uap->gid;
776 
777 	au_uwrite(au_to_arg32(2, "new file uid", uid));
778 	au_uwrite(au_to_arg32(3, "new file gid", gid));
779 }
780 
781 /* fchown start function */
782 /*ARGSUSED*/
783 static void
784 aus_fchown(struct t_audit_data *tad)
785 {
786 	klwp_t *clwp = ttolwp(curthread);
787 	uint32_t uid, gid, fd;
788 	struct file  *fp;
789 	struct vnode *vp;
790 	struct f_audit_data *fad;
791 
792 	struct a {
793 		long fd;
794 		long uid;
795 		long gid;
796 	} *uap = (struct a *)clwp->lwp_ap;
797 
798 	fd  = (uint32_t)uap->fd;
799 	uid = (uint32_t)uap->uid;
800 	gid = (uint32_t)uap->gid;
801 
802 	au_uwrite(au_to_arg32(2, "new file uid", uid));
803 	au_uwrite(au_to_arg32(3, "new file gid", gid));
804 
805 		/*
806 		 * convert file pointer to file descriptor
807 		 *   Note: fd ref count incremented here.
808 		 */
809 	if ((fp = getf(fd)) == NULL)
810 		return;
811 
812 	/* get path from file struct here */
813 	fad = F2A(fp);
814 	if (fad->fad_aupath != NULL) {
815 		au_uwrite(au_to_path(fad->fad_aupath));
816 	} else {
817 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
818 	}
819 
820 	vp = fp->f_vnode;
821 	audit_attributes(vp);
822 
823 	/* decrement file descriptor reference count */
824 	releasef(fd);
825 }
826 
827 /*ARGSUSED*/
828 static void
829 aus_lchown(struct t_audit_data *tad)
830 {
831 	klwp_t *clwp = ttolwp(curthread);
832 	uint32_t uid, gid;
833 
834 
835 	struct a {
836 		long	fname;		/* char	* */
837 		long	uid;
838 		long	gid;
839 	} *uap = (struct a *)clwp->lwp_ap;
840 
841 	uid = (uint32_t)uap->uid;
842 	gid = (uint32_t)uap->gid;
843 
844 	au_uwrite(au_to_arg32(2, "new file uid", uid));
845 	au_uwrite(au_to_arg32(3, "new file gid", gid));
846 }
847 
848 static au_event_t
849 aui_fchownat(au_event_t e)
850 {
851 	klwp_t *clwp = ttolwp(curthread);
852 
853 	struct a {
854 		long	fd;
855 		long	fname;		/* char * */
856 		long	uid;
857 		long	gid;
858 		long	flags;
859 	} *uap = (struct a *)clwp->lwp_ap;
860 
861 	if (uap->fname == NULL)
862 		e = AUE_FCHOWN;
863 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
864 		e = AUE_LCHOWN;
865 	else
866 		e = AUE_CHOWN;
867 
868 	return (e);
869 }
870 
871 /*ARGSUSED*/
872 static void
873 aus_fchownat(struct t_audit_data *tad)
874 {
875 	klwp_t *clwp = ttolwp(curthread);
876 	uint32_t uid, gid;
877 
878 	struct a {
879 		long	fd;
880 		long	fname;		/* char * */
881 		long	uid;
882 		long	gid;
883 		long	flags;
884 	} *uap = (struct a *)clwp->lwp_ap;
885 
886 	uid = (uint32_t)uap->uid;
887 	gid = (uint32_t)uap->gid;
888 
889 	au_uwrite(au_to_arg32(3, "new file uid", uid));
890 	au_uwrite(au_to_arg32(4, "new file gid", gid));
891 }
892 
893 /* chmod start function */
894 /*ARGSUSED*/
895 static void
896 aus_chmod(struct t_audit_data *tad)
897 {
898 	klwp_t *clwp = ttolwp(curthread);
899 	uint32_t fmode;
900 
901 	struct a {
902 		long	fname;		/* char	* */
903 		long	fmode;
904 	} *uap = (struct a *)clwp->lwp_ap;
905 
906 	fmode = (uint32_t)uap->fmode;
907 
908 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
909 }
910 
911 /* chmod start function */
912 /*ARGSUSED*/
913 static void
914 aus_fchmod(struct t_audit_data *tad)
915 {
916 	klwp_t *clwp = ttolwp(curthread);
917 	uint32_t fmode, fd;
918 	struct file  *fp;
919 	struct vnode *vp;
920 	struct f_audit_data *fad;
921 
922 	struct a {
923 		long	fd;
924 		long	fmode;
925 	} *uap = (struct a *)clwp->lwp_ap;
926 
927 	fd = (uint32_t)uap->fd;
928 	fmode = (uint32_t)uap->fmode;
929 
930 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
931 
932 		/*
933 		 * convert file pointer to file descriptor
934 		 *   Note: fd ref count incremented here.
935 		 */
936 	if ((fp = getf(fd)) == NULL)
937 		return;
938 
939 		/* get path from file struct here */
940 	fad = F2A(fp);
941 	if (fad->fad_aupath != NULL) {
942 		au_uwrite(au_to_path(fad->fad_aupath));
943 	} else {
944 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
945 	}
946 
947 	vp = fp->f_vnode;
948 	audit_attributes(vp);
949 
950 	/* decrement file descriptor reference count */
951 	releasef(fd);
952 }
953 
954 /*
955  * convert open mode to appropriate open event
956  */
957 au_event_t
958 open_event(uint_t fm)
959 {
960 	au_event_t e;
961 
962 	switch (fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) {
963 	case O_RDONLY:
964 		e = AUE_OPEN_R;
965 		break;
966 	case O_RDONLY | O_CREAT:
967 		e = AUE_OPEN_RC;
968 		break;
969 	case O_RDONLY | O_TRUNC:
970 		e = AUE_OPEN_RT;
971 		break;
972 	case O_RDONLY | O_TRUNC | O_CREAT:
973 		e = AUE_OPEN_RTC;
974 		break;
975 	case O_WRONLY:
976 		e = AUE_OPEN_W;
977 		break;
978 	case O_WRONLY | O_CREAT:
979 		e = AUE_OPEN_WC;
980 		break;
981 	case O_WRONLY | O_TRUNC:
982 		e = AUE_OPEN_WT;
983 		break;
984 	case O_WRONLY | O_TRUNC | O_CREAT:
985 		e = AUE_OPEN_WTC;
986 		break;
987 	case O_RDWR:
988 		e = AUE_OPEN_RW;
989 		break;
990 	case O_RDWR | O_CREAT:
991 		e = AUE_OPEN_RWC;
992 		break;
993 	case O_RDWR | O_TRUNC:
994 		e = AUE_OPEN_RWT;
995 		break;
996 	case O_RDWR | O_TRUNC | O_CREAT:
997 		e = AUE_OPEN_RWTC;
998 		break;
999 	default:
1000 		e = AUE_NULL;
1001 		break;
1002 	}
1003 
1004 	return (e);
1005 }
1006 
1007 /* ARGSUSED */
1008 static au_event_t
1009 aui_open(au_event_t e)
1010 {
1011 	t_audit_data_t *tad = T2A(curthread);
1012 	klwp_t *clwp = ttolwp(curthread);
1013 	uint_t fm;
1014 
1015 	struct a {
1016 		long	fnamep;		/* char	* */
1017 		long	fmode;
1018 		long	cmode;
1019 	} *uap = (struct a *)clwp->lwp_ap;
1020 
1021 	fm = (uint_t)uap->fmode;
1022 
1023 	/* convert to appropriate au_ctrl */
1024 	if (fm & (FXATTR | FXATTRDIROPEN))
1025 		tad->tad_ctrl |= TAD_ATTPATH;
1026 
1027 	return (open_event(fm));
1028 }
1029 
1030 static void
1031 aus_open(struct t_audit_data *tad)
1032 {
1033 	klwp_t *clwp = ttolwp(curthread);
1034 	uint_t fm;
1035 
1036 	struct a {
1037 		long	fnamep;		/* char	* */
1038 		long	fmode;
1039 		long	cmode;
1040 	} *uap = (struct a *)clwp->lwp_ap;
1041 
1042 	fm = (uint_t)uap->fmode;
1043 
1044 	/* If no write, create, or trunc modes, mark as a public op */
1045 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1046 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1047 }
1048 
1049 /* ARGSUSED */
1050 static au_event_t
1051 aui_openat(au_event_t e)
1052 {
1053 	t_audit_data_t *tad = T2A(curthread);
1054 	klwp_t *clwp = ttolwp(curthread);
1055 	uint_t fm;
1056 
1057 	struct a {
1058 		long	filedes;
1059 		long	fnamep;		/* char	* */
1060 		long	fmode;
1061 		long	cmode;
1062 	} *uap = (struct a *)clwp->lwp_ap;
1063 
1064 	fm = (uint_t)uap->fmode;
1065 
1066 	/* convert to appropriate au_ctrl */
1067 	if (fm & (FXATTR | FXATTRDIROPEN))
1068 		tad->tad_ctrl |= TAD_ATTPATH;
1069 
1070 	return (open_event(fm));
1071 }
1072 
1073 static void
1074 aus_openat(struct t_audit_data *tad)
1075 {
1076 	klwp_t *clwp = ttolwp(curthread);
1077 	uint_t fm;
1078 
1079 	struct a {
1080 		long	filedes;
1081 		long	fnamep;		/* char	* */
1082 		long	fmode;
1083 		long	cmode;
1084 	} *uap = (struct a *)clwp->lwp_ap;
1085 
1086 	fm = (uint_t)uap->fmode;
1087 
1088 	/* If no write, create, or trunc modes, mark as a public op */
1089 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1090 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1091 }
1092 
1093 static au_event_t
1094 aui_unlinkat(au_event_t e)
1095 {
1096 	klwp_t *clwp = ttolwp(curthread);
1097 
1098 	struct a {
1099 		long	filedes;
1100 		long	fnamep;		/* char	* */
1101 		long	flags;
1102 	} *uap = (struct a *)clwp->lwp_ap;
1103 
1104 	if (uap->flags & AT_REMOVEDIR)
1105 		e = AUE_RMDIR;
1106 	else
1107 		e = AUE_UNLINK;
1108 
1109 	return (e);
1110 }
1111 
1112 static au_event_t
1113 aui_fstatat(au_event_t e)
1114 {
1115 	klwp_t *clwp = ttolwp(curthread);
1116 
1117 	struct a {
1118 		long	filedes;
1119 		long	fnamep;		/* char	* */
1120 		long	statb;
1121 		long	flags;
1122 	} *uap = (struct a *)clwp->lwp_ap;
1123 
1124 	if (uap->fnamep == NULL)
1125 		e = AUE_FSTAT;
1126 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1127 		e = AUE_LSTAT;
1128 	else
1129 		e = AUE_STAT;
1130 
1131 	return (e);
1132 }
1133 
1134 /* msgsys */
1135 static au_event_t
1136 aui_msgsys(au_event_t e)
1137 {
1138 	klwp_t *clwp = ttolwp(curthread);
1139 	uint_t fm;
1140 
1141 	struct a {
1142 		long	id;	/* function code id */
1143 		long	ap;	/* arg pointer for recvmsg */
1144 	} *uap = (struct a *)clwp->lwp_ap;
1145 
1146 	struct b {
1147 		long	msgid;
1148 		long	cmd;
1149 		long	buf;	/* struct msqid_ds * */
1150 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1151 
1152 	fm  = (uint_t)uap->id;
1153 
1154 	switch (fm) {
1155 	case 0:		/* msgget */
1156 		e = AUE_MSGGET;
1157 		break;
1158 	case 1:		/* msgctl */
1159 		switch ((uint_t)uap1->cmd) {
1160 		case IPC_RMID:
1161 			e = AUE_MSGCTL_RMID;
1162 			break;
1163 		case IPC_SET:
1164 			e = AUE_MSGCTL_SET;
1165 			break;
1166 		case IPC_STAT:
1167 			e = AUE_MSGCTL_STAT;
1168 			break;
1169 		default:
1170 			e = AUE_MSGCTL;
1171 			break;
1172 		}
1173 		break;
1174 	case 2:		/* msgrcv */
1175 		e = AUE_MSGRCV;
1176 		break;
1177 	case 3:		/* msgsnd */
1178 		e = AUE_MSGSND;
1179 		break;
1180 	default:	/* illegal system call */
1181 		e = AUE_NULL;
1182 		break;
1183 	}
1184 
1185 	return (e);
1186 }
1187 
1188 
1189 /* shmsys */
1190 static au_event_t
1191 aui_shmsys(au_event_t e)
1192 {
1193 	klwp_t *clwp = ttolwp(curthread);
1194 	int fm;
1195 
1196 	struct a {		/* shmsys */
1197 		long	id;	/* function code id */
1198 	} *uap = (struct a *)clwp->lwp_ap;
1199 
1200 	struct b {		/* ctrl */
1201 		long	shmid;
1202 		long	cmd;
1203 		long	arg;		/* struct shmid_ds * */
1204 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1205 	fm  = (uint_t)uap->id;
1206 
1207 	switch (fm) {
1208 	case 0:		/* shmat */
1209 		e = AUE_SHMAT;
1210 		break;
1211 	case 1:		/* shmctl */
1212 		switch ((uint_t)uap1->cmd) {
1213 		case IPC_RMID:
1214 			e = AUE_SHMCTL_RMID;
1215 			break;
1216 		case IPC_SET:
1217 			e = AUE_SHMCTL_SET;
1218 			break;
1219 		case IPC_STAT:
1220 			e = AUE_SHMCTL_STAT;
1221 			break;
1222 		default:
1223 			e = AUE_SHMCTL;
1224 			break;
1225 		}
1226 		break;
1227 	case 2:		/* shmdt */
1228 		e = AUE_SHMDT;
1229 		break;
1230 	case 3:		/* shmget */
1231 		e = AUE_SHMGET;
1232 		break;
1233 	default:	/* illegal system call */
1234 		e = AUE_NULL;
1235 		break;
1236 	}
1237 
1238 	return (e);
1239 }
1240 
1241 
1242 /* semsys */
1243 static au_event_t
1244 aui_semsys(au_event_t e)
1245 {
1246 	klwp_t *clwp = ttolwp(curthread);
1247 	uint_t fm;
1248 
1249 	struct a {		/* semsys */
1250 		long	id;
1251 	} *uap = (struct a *)clwp->lwp_ap;
1252 
1253 	struct b {		/* ctrl */
1254 		long	semid;
1255 		long	semnum;
1256 		long	cmd;
1257 		long	arg;
1258 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1259 
1260 	fm = (uint_t)uap->id;
1261 
1262 	switch (fm) {
1263 	case 0:		/* semctl */
1264 		switch ((uint_t)uap1->cmd) {
1265 		case IPC_RMID:
1266 			e = AUE_SEMCTL_RMID;
1267 			break;
1268 		case IPC_SET:
1269 			e = AUE_SEMCTL_SET;
1270 			break;
1271 		case IPC_STAT:
1272 			e = AUE_SEMCTL_STAT;
1273 			break;
1274 		case GETNCNT:
1275 			e = AUE_SEMCTL_GETNCNT;
1276 			break;
1277 		case GETPID:
1278 			e = AUE_SEMCTL_GETPID;
1279 			break;
1280 		case GETVAL:
1281 			e = AUE_SEMCTL_GETVAL;
1282 			break;
1283 		case GETALL:
1284 			e = AUE_SEMCTL_GETALL;
1285 			break;
1286 		case GETZCNT:
1287 			e = AUE_SEMCTL_GETZCNT;
1288 			break;
1289 		case SETVAL:
1290 			e = AUE_SEMCTL_SETVAL;
1291 			break;
1292 		case SETALL:
1293 			e = AUE_SEMCTL_SETALL;
1294 			break;
1295 		default:
1296 			e = AUE_SEMCTL;
1297 			break;
1298 		}
1299 		break;
1300 	case 1:		/* semget */
1301 		e = AUE_SEMGET;
1302 		break;
1303 	case 2:		/* semop */
1304 		e = AUE_SEMOP;
1305 		break;
1306 	default:	/* illegal system call */
1307 		e = AUE_NULL;
1308 		break;
1309 	}
1310 
1311 	return (e);
1312 }
1313 
1314 /* utssys - uname(2), ustat(2), fusers(2) */
1315 static au_event_t
1316 aui_utssys(au_event_t e)
1317 {
1318 	klwp_t *clwp = ttolwp(curthread);
1319 	uint_t type;
1320 
1321 	struct a {
1322 		union {
1323 			long	cbuf;		/* char * */
1324 			long	ubuf;		/* struct stat * */
1325 		} ub;
1326 		union {
1327 			long	mv;	/* for USTAT */
1328 			long	flags;	/* for FUSERS */
1329 		} un;
1330 		long	type;
1331 		long	outbp;		/* char * for FUSERS */
1332 	} *uap = (struct a *)clwp->lwp_ap;
1333 
1334 	type = (uint_t)uap->type;
1335 
1336 	if (type == UTS_FUSERS)
1337 		return (e);
1338 	else
1339 		return ((au_event_t)AUE_NULL);
1340 }
1341 
1342 static au_event_t
1343 aui_fcntl(au_event_t e)
1344 {
1345 	klwp_t *clwp = ttolwp(curthread);
1346 	uint_t cmd;
1347 
1348 	struct a {
1349 		long	fdes;
1350 		long	cmd;
1351 		long	arg;
1352 	} *uap = (struct a *)clwp->lwp_ap;
1353 
1354 	cmd = (uint_t)uap->cmd;
1355 
1356 	switch (cmd) {
1357 	case F_GETLK:
1358 	case F_SETLK:
1359 	case F_SETLKW:
1360 		break;
1361 	case F_SETFL:
1362 	case F_GETFL:
1363 	case F_GETFD:
1364 		break;
1365 	default:
1366 		e = (au_event_t)AUE_NULL;
1367 		break;
1368 	}
1369 	return ((au_event_t)e);
1370 }
1371 
1372 /* null function for now */
1373 static au_event_t
1374 aui_execve(au_event_t e)
1375 {
1376 	return (e);
1377 }
1378 
1379 /*ARGSUSED*/
1380 static void
1381 aus_fcntl(struct t_audit_data *tad)
1382 {
1383 	klwp_t *clwp = ttolwp(curthread);
1384 	uint32_t cmd, fd, flags;
1385 	struct file  *fp;
1386 	struct vnode *vp;
1387 	struct f_audit_data *fad;
1388 
1389 	struct a {
1390 		long	fd;
1391 		long	cmd;
1392 		long	arg;
1393 	} *uap = (struct a *)clwp->lwp_ap;
1394 
1395 	cmd	= (uint32_t)uap->cmd;
1396 	fd	= (uint32_t)uap->fd;
1397 	flags	= (uint32_t)uap->arg;
1398 
1399 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1400 
1401 	if (cmd == F_SETFL)
1402 		au_uwrite(au_to_arg32(3, "flags", flags));
1403 
1404 		/*
1405 		 * convert file pointer to file descriptor
1406 		 *   Note: fd ref count incremented here.
1407 		 */
1408 	if ((fp = getf(fd)) == NULL)
1409 		return;
1410 
1411 	/* get path from file struct here */
1412 	fad = F2A(fp);
1413 	if (fad->fad_aupath != NULL) {
1414 		au_uwrite(au_to_path(fad->fad_aupath));
1415 	} else {
1416 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1417 	}
1418 
1419 	vp = fp->f_vnode;
1420 	audit_attributes(vp);
1421 
1422 	/* decrement file descriptor reference count */
1423 	releasef(fd);
1424 }
1425 
1426 /*ARGSUSED*/
1427 static void
1428 aus_kill(struct t_audit_data *tad)
1429 {
1430 	klwp_t *clwp = ttolwp(curthread);
1431 	struct proc *p;
1432 	uint32_t signo;
1433 	uid_t uid, ruid;
1434 	gid_t gid, rgid;
1435 	pid_t pid;
1436 	const auditinfo_addr_t *ainfo;
1437 	cred_t *cr;
1438 
1439 	struct a {
1440 		long	pid;
1441 		long	signo;
1442 	} *uap = (struct a *)clwp->lwp_ap;
1443 
1444 	pid   = (pid_t)uap->pid;
1445 	signo = (uint32_t)uap->signo;
1446 
1447 	au_uwrite(au_to_arg32(2, "signal", signo));
1448 	if (pid > 0) {
1449 		mutex_enter(&pidlock);
1450 		if (((p = prfind(pid)) == (struct proc *)0) ||
1451 		    (p->p_stat == SIDL)) {
1452 			mutex_exit(&pidlock);
1453 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1454 			return;
1455 		}
1456 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1457 		mutex_exit(&pidlock);
1458 
1459 		mutex_enter(&p->p_crlock);
1460 		crhold(cr = p->p_cred);
1461 		mutex_exit(&p->p_crlock);
1462 		mutex_exit(&p->p_lock);
1463 
1464 		ainfo = crgetauinfo(cr);
1465 		if (ainfo == NULL) {
1466 			crfree(cr);
1467 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1468 			return;
1469 		}
1470 
1471 		uid  = crgetuid(cr);
1472 		gid  = crgetgid(cr);
1473 		ruid = crgetruid(cr);
1474 		rgid = crgetrgid(cr);
1475 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1476 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1477 
1478 		if (is_system_labeled())
1479 			au_uwrite(au_to_label(CR_SL(cr)));
1480 
1481 		crfree(cr);
1482 	}
1483 	else
1484 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1485 }
1486 
1487 /*ARGSUSED*/
1488 static void
1489 aus_mkdir(struct t_audit_data *tad)
1490 {
1491 	klwp_t *clwp = ttolwp(curthread);
1492 	uint32_t dmode;
1493 
1494 	struct a {
1495 		long	dirnamep;		/* char * */
1496 		long	dmode;
1497 	} *uap = (struct a *)clwp->lwp_ap;
1498 
1499 	dmode = (uint32_t)uap->dmode;
1500 
1501 	au_uwrite(au_to_arg32(2, "mode", dmode));
1502 }
1503 
1504 /*ARGSUSED*/
1505 static void
1506 aus_mknod(struct t_audit_data *tad)
1507 {
1508 	klwp_t *clwp = ttolwp(curthread);
1509 	uint32_t fmode;
1510 	dev_t dev;
1511 
1512 	struct a {
1513 		long	pnamep;		/* char * */
1514 		long	fmode;
1515 		long	dev;
1516 	} *uap = (struct a *)clwp->lwp_ap;
1517 
1518 	fmode = (uint32_t)uap->fmode;
1519 	dev   = (dev_t)uap->dev;
1520 
1521 	au_uwrite(au_to_arg32(2, "mode", fmode));
1522 #ifdef _LP64
1523 	au_uwrite(au_to_arg64(3, "dev", dev));
1524 #else
1525 	au_uwrite(au_to_arg32(3, "dev", dev));
1526 #endif
1527 }
1528 
1529 /*ARGSUSED*/
1530 static void
1531 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1532 {
1533 	klwp_t *clwp = ttolwp(curthread);
1534 	vnode_t	*dvp;
1535 	caddr_t pnamep;
1536 
1537 	struct a {
1538 		long	pnamep;		/* char * */
1539 		long	fmode;
1540 		long	dev;
1541 	} *uap = (struct a *)clwp->lwp_ap;
1542 
1543 	/* no error, then already path token in audit record */
1544 	if (error != EPERM)
1545 		return;
1546 
1547 	/* not auditing this event, nothing then to do */
1548 	if (tad->tad_flag == 0)
1549 		return;
1550 
1551 	/* do the lookup to force generation of path token */
1552 	pnamep = (caddr_t)uap->pnamep;
1553 	tad->tad_ctrl |= TAD_NOATTRB;
1554 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1555 	if (error == 0)
1556 		VN_RELE(dvp);
1557 }
1558 
1559 /*ARGSUSED*/
1560 static void
1561 aus_mount(struct t_audit_data *tad)
1562 {	/* AUS_START */
1563 	klwp_t *clwp = ttolwp(curthread);
1564 	uint32_t flags;
1565 	uintptr_t u_fstype, dataptr;
1566 	STRUCT_DECL(nfs_args, nfsargs);
1567 	size_t len;
1568 	char *fstype, *hostname;
1569 
1570 	struct a {
1571 		long	spec;		/* char    * */
1572 		long	dir;		/* char    * */
1573 		long	flags;
1574 		long	fstype;		/* char    * */
1575 		long	dataptr;	/* char    * */
1576 		long	datalen;
1577 	} *uap = (struct a *)clwp->lwp_ap;
1578 
1579 	u_fstype = (uintptr_t)uap->fstype;
1580 	flags    = (uint32_t)uap->flags;
1581 	dataptr  = (uintptr_t)uap->dataptr;
1582 
1583 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1584 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1585 		goto mount_free_fstype;
1586 
1587 	au_uwrite(au_to_arg32(3, "flags", flags));
1588 	au_uwrite(au_to_text(fstype));
1589 
1590 	if (strncmp(fstype, "nfs", 3) == 0) {
1591 
1592 		STRUCT_INIT(nfsargs, get_udatamodel());
1593 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1594 
1595 		if (copyin((caddr_t)dataptr,
1596 				STRUCT_BUF(nfsargs),
1597 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1598 			/* DEBUG debug_enter((char *)NULL); */
1599 			goto mount_free_fstype;
1600 		}
1601 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1602 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1603 				(caddr_t)hostname,
1604 				MAXNAMELEN, &len)) {
1605 			goto mount_free_hostname;
1606 		}
1607 		au_uwrite(au_to_text(hostname));
1608 		au_uwrite(au_to_arg32(3, "internal flags",
1609 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1610 
1611 mount_free_hostname:
1612 		kmem_free(hostname, MAXNAMELEN);
1613 	}
1614 
1615 mount_free_fstype:
1616 	kmem_free(fstype, MAXNAMELEN);
1617 }	/* AUS_MOUNT */
1618 
1619 static void
1620 aus_umount_path(caddr_t umount_dir)
1621 {
1622 	char			*dir_path;
1623 	struct audit_path	*path;
1624 	size_t			path_len, dir_len;
1625 
1626 	/* length alloc'd for two string pointers */
1627 	path_len = sizeof (struct audit_path) + sizeof (char *);
1628 	path = kmem_alloc(path_len, KM_SLEEP);
1629 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1630 
1631 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1632 	    MAXPATHLEN, &dir_len))
1633 		goto umount2_free_dir;
1634 
1635 	/*
1636 	 * the audit_path struct assumes that the buffer pointed to
1637 	 * by audp_sect[n] contains string 0 immediatedly followed
1638 	 * by string 1.
1639 	 */
1640 	path->audp_sect[0] = dir_path;
1641 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1642 	path->audp_size = path_len;
1643 	path->audp_ref = 1;		/* not used */
1644 	path->audp_cnt = 1;		/* one path string */
1645 
1646 	au_uwrite(au_to_path(path));
1647 
1648 umount2_free_dir:
1649 	kmem_free(dir_path, MAXPATHLEN);
1650 	kmem_free(path, path_len);
1651 }
1652 
1653 /*ARGSUSED*/
1654 static void
1655 aus_umount2(struct t_audit_data *tad)
1656 {
1657 	klwp_t			*clwp = ttolwp(curthread);
1658 	struct a {
1659 		long	dir;		/* char    * */
1660 		long	flags;
1661 	} *uap = (struct a *)clwp->lwp_ap;
1662 
1663 	aus_umount_path((caddr_t)uap->dir);
1664 
1665 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1666 }
1667 
1668 static void
1669 aus_msgsys(struct t_audit_data *tad)
1670 {
1671 	klwp_t *clwp = ttolwp(curthread);
1672 	uint32_t msgid;
1673 
1674 	struct b {
1675 		long	msgid;
1676 		long	cmd;
1677 		long	buf;		/* struct msqid_ds * */
1678 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1679 
1680 	msgid = (uint32_t)uap1->msgid;
1681 
1682 
1683 	switch (tad->tad_event) {
1684 	case AUE_MSGGET:		/* msgget */
1685 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1686 		break;
1687 	case AUE_MSGCTL:		/* msgctl */
1688 	case AUE_MSGCTL_RMID:		/* msgctl */
1689 	case AUE_MSGCTL_SET:		/* msgctl */
1690 	case AUE_MSGCTL_STAT:		/* msgctl */
1691 	case AUE_MSGRCV:		/* msgrcv */
1692 	case AUE_MSGSND:		/* msgsnd */
1693 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1694 		break;
1695 	}
1696 }
1697 
1698 /*ARGSUSED*/
1699 static void
1700 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1701 {
1702 	int id;
1703 
1704 	if (error != 0)
1705 		return;
1706 	if (tad->tad_event == AUE_MSGGET) {
1707 		uint32_t scid;
1708 		uint32_t sy_flags;
1709 
1710 		/* need to determine type of executing binary */
1711 		scid = tad->tad_scid;
1712 #ifdef _SYSCALL32_IMPL
1713 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1714 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1715 		else
1716 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1717 #else
1718 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1719 #endif
1720 		if (sy_flags == SE_32RVAL1)
1721 			id = rval->r_val1;
1722 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1723 			id = rval->r_val1;
1724 		if (sy_flags == SE_64RVAL)
1725 			id = (int)rval->r_vals;
1726 
1727 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1728 	}
1729 }
1730 
1731 static void
1732 aus_semsys(struct t_audit_data *tad)
1733 {
1734 	klwp_t *clwp = ttolwp(curthread);
1735 	uint32_t semid;
1736 
1737 	struct b {		/* ctrl */
1738 		long	semid;
1739 		long	semnum;
1740 		long	cmd;
1741 		long	arg;
1742 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1743 
1744 	semid = (uint32_t)uap1->semid;
1745 
1746 	switch (tad->tad_event) {
1747 	case AUE_SEMCTL_RMID:
1748 	case AUE_SEMCTL_STAT:
1749 	case AUE_SEMCTL_GETNCNT:
1750 	case AUE_SEMCTL_GETPID:
1751 	case AUE_SEMCTL_GETVAL:
1752 	case AUE_SEMCTL_GETALL:
1753 	case AUE_SEMCTL_GETZCNT:
1754 	case AUE_SEMCTL_SET:
1755 	case AUE_SEMCTL_SETVAL:
1756 	case AUE_SEMCTL_SETALL:
1757 	case AUE_SEMCTL:
1758 	case AUE_SEMOP:
1759 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1760 		break;
1761 	case AUE_SEMGET:
1762 		au_uwrite(au_to_arg32(1, "sem key", semid));
1763 		break;
1764 	}
1765 }
1766 
1767 /*ARGSUSED*/
1768 static void
1769 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1770 {
1771 	int id;
1772 
1773 	if (error != 0)
1774 		return;
1775 	if (tad->tad_event == AUE_SEMGET) {
1776 		uint32_t scid;
1777 		uint32_t sy_flags;
1778 
1779 		/* need to determine type of executing binary */
1780 		scid = tad->tad_scid;
1781 #ifdef _SYSCALL32_IMPL
1782 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1783 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1784 		else
1785 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1786 #else
1787 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1788 #endif
1789 		if (sy_flags == SE_32RVAL1)
1790 			id = rval->r_val1;
1791 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1792 			id = rval->r_val1;
1793 		if (sy_flags == SE_64RVAL)
1794 			id = (int)rval->r_vals;
1795 
1796 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1797 	}
1798 }
1799 
1800 /*ARGSUSED*/
1801 static void
1802 aus_close(struct t_audit_data *tad)
1803 {
1804 	klwp_t *clwp = ttolwp(curthread);
1805 	uint32_t fd;
1806 	struct file *fp;
1807 	struct f_audit_data *fad;
1808 	struct vnode *vp;
1809 	struct vattr attr;
1810 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1811 
1812 	struct a {
1813 		long	i;
1814 	} *uap = (struct a *)clwp->lwp_ap;
1815 
1816 	fd = (uint32_t)uap->i;
1817 
1818 	attr.va_mask = 0;
1819 	au_uwrite(au_to_arg32(1, "fd", fd));
1820 
1821 		/*
1822 		 * convert file pointer to file descriptor
1823 		 *   Note: fd ref count incremented here.
1824 		 */
1825 	if ((fp = getf(fd)) == NULL)
1826 		return;
1827 
1828 	fad = F2A(fp);
1829 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1830 	if (fad->fad_aupath != NULL) {
1831 		au_uwrite(au_to_path(fad->fad_aupath));
1832 		if ((vp = fp->f_vnode) != NULL) {
1833 			attr.va_mask = AT_ALL;
1834 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1835 				/*
1836 				 * When write was not used and the file can be
1837 				 * considered public, skip the audit.
1838 				 */
1839 				if (((fp->f_flag & FWRITE) == 0) &&
1840 				    object_is_public(&attr)) {
1841 					tad->tad_flag = 0;
1842 					tad->tad_evmod = 0;
1843 					/* free any residual audit data */
1844 					au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1845 					releasef(fd);
1846 					return;
1847 				}
1848 				au_uwrite(au_to_attr(&attr));
1849 				audit_sec_attributes(&(u_ad), vp);
1850 			}
1851 		}
1852 	}
1853 
1854 	/* decrement file descriptor reference count */
1855 	releasef(fd);
1856 }
1857 
1858 /*ARGSUSED*/
1859 static void
1860 aus_fstatfs(struct t_audit_data *tad)
1861 {
1862 	klwp_t *clwp = ttolwp(curthread);
1863 	uint32_t fd;
1864 	struct file  *fp;
1865 	struct vnode *vp;
1866 	struct f_audit_data *fad;
1867 
1868 	struct a {
1869 		long	fd;
1870 		long	buf;		/* struct statfs * */
1871 	} *uap = (struct a *)clwp->lwp_ap;
1872 
1873 	fd = (uint_t)uap->fd;
1874 
1875 		/*
1876 		 * convert file pointer to file descriptor
1877 		 *   Note: fd ref count incremented here.
1878 		 */
1879 	if ((fp = getf(fd)) == NULL)
1880 		return;
1881 
1882 		/* get path from file struct here */
1883 	fad = F2A(fp);
1884 	if (fad->fad_aupath != NULL) {
1885 		au_uwrite(au_to_path(fad->fad_aupath));
1886 	} else {
1887 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1888 	}
1889 
1890 	vp = fp->f_vnode;
1891 	audit_attributes(vp);
1892 
1893 	/* decrement file descriptor reference count */
1894 	releasef(fd);
1895 }
1896 
1897 static au_event_t
1898 aui_setpgrp(au_event_t e)
1899 {
1900 	klwp_t *clwp = ttolwp(curthread);
1901 	int flag;
1902 
1903 	struct a {
1904 		long	flag;
1905 		long	pid;
1906 		long	pgid;
1907 	} *uap = (struct a *)clwp->lwp_ap;
1908 
1909 	flag = (int)uap->flag;
1910 
1911 
1912 	switch (flag) {
1913 
1914 	case 1:	/* setpgrp() */
1915 		e = AUE_SETPGRP;
1916 		break;
1917 
1918 	case 3: /* setsid() */
1919 		e = AUE_SETSID;
1920 		break;
1921 
1922 	case 5: /* setpgid() */
1923 		e = AUE_SETPGID;
1924 		break;
1925 
1926 	case 0: /* getpgrp()	- not security relevant */
1927 	case 2: /* getsid()	- not security relevant */
1928 	case 4: /* getpgid() 	- not security relevant */
1929 		e = AUE_NULL;
1930 		break;
1931 
1932 	default:
1933 		e = AUE_NULL;
1934 		break;
1935 	}
1936 
1937 	return (e);
1938 }
1939 
1940 /*ARGSUSED*/
1941 static void
1942 aus_setpgrp(struct t_audit_data *tad)
1943 {
1944 	klwp_t		*clwp = ttolwp(curthread);
1945 	pid_t		pgid;
1946 	struct proc	*p;
1947 	uid_t		uid, ruid;
1948 	gid_t		gid, rgid;
1949 	pid_t		pid;
1950 	cred_t		*cr;
1951 	int		flag;
1952 	const auditinfo_addr_t	*ainfo;
1953 
1954 	struct a {
1955 		long	flag;
1956 		long	pid;
1957 		long	pgid;
1958 	} *uap = (struct a *)clwp->lwp_ap;
1959 
1960 	flag = (int)uap->flag;
1961 	pid  = (pid_t)uap->pid;
1962 	pgid = (pid_t)uap->pgid;
1963 
1964 
1965 	switch (flag) {
1966 
1967 	case 0: /* getpgrp() */
1968 	case 1: /* setpgrp() */
1969 	case 2: /* getsid() */
1970 	case 3: /* setsid() */
1971 	case 4: /* getpgid() */
1972 		break;
1973 
1974 	case 5: /* setpgid() */
1975 
1976 		/* current process? */
1977 		if (pid == 0) {
1978 			return;
1979 		}
1980 
1981 		mutex_enter(&pidlock);
1982 		p = prfind(pid);
1983 		if (p == NULL || p->p_as == &kas ||
1984 		    p->p_stat == SIDL || p->p_stat == SZOMB) {
1985 			mutex_exit(&pidlock);
1986 			return;
1987 		}
1988 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
1989 		mutex_exit(&pidlock);
1990 
1991 		mutex_enter(&p->p_crlock);
1992 		crhold(cr = p->p_cred);
1993 		mutex_exit(&p->p_crlock);
1994 		mutex_exit(&p->p_lock);
1995 
1996 		ainfo = crgetauinfo(cr);
1997 		if (ainfo == NULL) {
1998 			crfree(cr);
1999 			return;
2000 		}
2001 
2002 		uid  = crgetuid(cr);
2003 		gid  = crgetgid(cr);
2004 		ruid = crgetruid(cr);
2005 		rgid = crgetrgid(cr);
2006 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2007 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2008 		crfree(cr);
2009 		au_uwrite(au_to_arg32(2, "pgid", pgid));
2010 		break;
2011 
2012 	default:
2013 		break;
2014 	}
2015 }
2016 
2017 
2018 /*ARGSUSED*/
2019 static void
2020 aus_setregid(struct t_audit_data *tad)
2021 {
2022 	klwp_t *clwp = ttolwp(curthread);
2023 	uint32_t rgid, egid;
2024 
2025 	struct a {
2026 		long	 rgid;
2027 		long	 egid;
2028 	} *uap = (struct a *)clwp->lwp_ap;
2029 
2030 	rgid  = (uint32_t)uap->rgid;
2031 	egid  = (uint32_t)uap->egid;
2032 
2033 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2034 	au_uwrite(au_to_arg32(2, "egid", egid));
2035 }
2036 
2037 /*ARGSUSED*/
2038 static void
2039 aus_setgid(struct t_audit_data *tad)
2040 {
2041 	klwp_t *clwp = ttolwp(curthread);
2042 	uint32_t gid;
2043 
2044 	struct a {
2045 		long	gid;
2046 	} *uap = (struct a *)clwp->lwp_ap;
2047 
2048 	gid = (uint32_t)uap->gid;
2049 
2050 	au_uwrite(au_to_arg32(1, "gid", gid));
2051 }
2052 
2053 
2054 /*ARGSUSED*/
2055 static void
2056 aus_setreuid(struct t_audit_data *tad)
2057 {
2058 	klwp_t *clwp = ttolwp(curthread);
2059 	uint32_t ruid, euid;
2060 
2061 	struct a {
2062 		long	ruid;
2063 		long	euid;
2064 	} *uap = (struct a *)clwp->lwp_ap;
2065 
2066 	ruid = (uint32_t)uap->ruid;
2067 	euid  = (uint32_t)uap->euid;
2068 
2069 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2070 	au_uwrite(au_to_arg32(2, "euid", euid));
2071 }
2072 
2073 
2074 /*ARGSUSED*/
2075 static void
2076 aus_setuid(struct t_audit_data *tad)
2077 {
2078 	klwp_t *clwp = ttolwp(curthread);
2079 	uint32_t uid;
2080 
2081 	struct a {
2082 		long	uid;
2083 	} *uap = (struct a *)clwp->lwp_ap;
2084 
2085 	uid = (uint32_t)uap->uid;
2086 
2087 	au_uwrite(au_to_arg32(1, "uid", uid));
2088 }
2089 
2090 /*ARGSUSED*/
2091 static void
2092 aus_shmsys(struct t_audit_data *tad)
2093 {
2094 	klwp_t *clwp = ttolwp(curthread);
2095 	uint32_t id, cmd;
2096 
2097 	struct b {
2098 		long	id;
2099 		long	cmd;
2100 		long	buf;		/* struct shmid_ds * */
2101 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2102 
2103 	id  = (uint32_t)uap1->id;
2104 	cmd = (uint32_t)uap1->cmd;
2105 
2106 	switch (tad->tad_event) {
2107 	case AUE_SHMGET:			/* shmget */
2108 		au_uwrite(au_to_arg32(1, "shm key", id));
2109 		break;
2110 	case AUE_SHMCTL:			/* shmctl */
2111 	case AUE_SHMCTL_RMID:			/* shmctl */
2112 	case AUE_SHMCTL_STAT:			/* shmctl */
2113 	case AUE_SHMCTL_SET:			/* shmctl */
2114 		au_uwrite(au_to_arg32(1, "shm ID", id));
2115 		break;
2116 	case AUE_SHMDT:				/* shmdt */
2117 		au_uwrite(au_to_arg32(1, "shm adr", id));
2118 		break;
2119 	case AUE_SHMAT:				/* shmat */
2120 		au_uwrite(au_to_arg32(1, "shm ID", id));
2121 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2122 		break;
2123 	}
2124 }
2125 
2126 /*ARGSUSED*/
2127 static void
2128 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2129 {
2130 	int id;
2131 
2132 	if (error != 0)
2133 		return;
2134 	if (tad->tad_event == AUE_SHMGET) {
2135 		uint32_t scid;
2136 		uint32_t sy_flags;
2137 
2138 		/* need to determine type of executing binary */
2139 		scid = tad->tad_scid;
2140 #ifdef _SYSCALL32_IMPL
2141 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2142 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2143 		else
2144 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2145 #else
2146 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2147 #endif
2148 		if (sy_flags == SE_32RVAL1)
2149 			id = rval->r_val1;
2150 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2151 			id = rval->r_val1;
2152 		if (sy_flags == SE_64RVAL)
2153 			id = (int)rval->r_vals;
2154 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2155 	}
2156 }
2157 
2158 
2159 /*ARGSUSED*/
2160 static void
2161 aus_ioctl(struct t_audit_data *tad)
2162 {
2163 	klwp_t *clwp = ttolwp(curthread);
2164 	struct file *fp;
2165 	struct vnode *vp;
2166 	struct f_audit_data *fad;
2167 	uint32_t fd, cmd;
2168 	uintptr_t cmarg;
2169 
2170 	/* XX64 */
2171 	struct a {
2172 		long	fd;
2173 		long	cmd;
2174 		long	cmarg;		/* caddr_t */
2175 	} *uap = (struct a *)clwp->lwp_ap;
2176 
2177 	fd    = (uint32_t)uap->fd;
2178 	cmd   = (uint32_t)uap->cmd;
2179 	cmarg = (uintptr_t)uap->cmarg;
2180 
2181 		/*
2182 		 * convert file pointer to file descriptor
2183 		 *   Note: fd ref count incremented here.
2184 		 */
2185 	if ((fp = getf(fd)) == NULL) {
2186 		au_uwrite(au_to_arg32(1, "fd", fd));
2187 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2188 #ifndef _LP64
2189 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2190 #else
2191 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2192 #endif
2193 		return;
2194 	}
2195 
2196 	/* get path from file struct here */
2197 	fad = F2A(fp);
2198 	if (fad->fad_aupath != NULL) {
2199 		au_uwrite(au_to_path(fad->fad_aupath));
2200 	} else {
2201 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2202 	}
2203 
2204 	vp = fp->f_vnode;
2205 	audit_attributes(vp);
2206 
2207 	/* decrement file descriptor reference count */
2208 	releasef(fd);
2209 
2210 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2211 #ifndef _LP64
2212 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2213 #else
2214 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2215 #endif
2216 }
2217 
2218 /*
2219  * null function for memcntl for now. We might want to limit memcntl()
2220  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2221  * require privileges.
2222  */
2223 static au_event_t
2224 aui_memcntl(au_event_t e)
2225 {
2226 	return (e);
2227 }
2228 
2229 /*ARGSUSED*/
2230 static au_event_t
2231 aui_privsys(au_event_t e)
2232 {
2233 	klwp_t *clwp = ttolwp(curthread);
2234 
2235 	struct a {
2236 		long	opcode;
2237 	} *uap = (struct a *)clwp->lwp_ap;
2238 
2239 	switch (uap->opcode) {
2240 	case PRIVSYS_SETPPRIV:
2241 		return (AUE_SETPPRIV);
2242 	default:
2243 		return (AUE_NULL);
2244 	}
2245 }
2246 
2247 /*ARGSUSED*/
2248 static void
2249 aus_memcntl(struct t_audit_data *tad)
2250 {
2251 	klwp_t *clwp = ttolwp(curthread);
2252 
2253 	struct a {
2254 		long	addr;
2255 		long	len;
2256 		long	cmd;
2257 		long	arg;
2258 		long	attr;
2259 		long	mask;
2260 	} *uap = (struct a *)clwp->lwp_ap;
2261 
2262 #ifdef _LP64
2263 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2264 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2265 #else
2266 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2267 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2268 #endif
2269 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2270 #ifdef _LP64
2271 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2272 #else
2273 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2274 #endif
2275 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2276 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2277 }
2278 
2279 /*ARGSUSED*/
2280 static void
2281 aus_mmap(struct t_audit_data *tad)
2282 {
2283 	klwp_t *clwp = ttolwp(curthread);
2284 	struct file *fp;
2285 	struct f_audit_data *fad;
2286 	struct vnode *vp;
2287 	uint32_t fd;
2288 
2289 	struct a {
2290 		long	addr;
2291 		long	len;
2292 		long	prot;
2293 		long	flags;
2294 		long	fd;
2295 		long	pos;
2296 	} *uap = (struct a *)clwp->lwp_ap;
2297 
2298 	fd = (uint32_t)uap->fd;
2299 
2300 #ifdef _LP64
2301 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2302 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2303 #else
2304 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2305 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2306 #endif
2307 
2308 	if ((fp = getf(fd)) == NULL) {
2309 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2310 		return;
2311 	}
2312 
2313 	/*
2314 	 * Mark in the tad if write access is NOT requested... if
2315 	 * this is later detected (in audit_attributes) to be a
2316 	 * public object, the mmap event may be discarded.
2317 	 */
2318 	if (((uap->prot) & PROT_WRITE) == 0) {
2319 		tad->tad_ctrl |= TAD_PUBLIC_EV;
2320 	}
2321 
2322 	fad = F2A(fp);
2323 	if (fad->fad_aupath != NULL) {
2324 		au_uwrite(au_to_path(fad->fad_aupath));
2325 	} else {
2326 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2327 	}
2328 
2329 	vp = (struct vnode *)fp->f_vnode;
2330 	audit_attributes(vp);
2331 
2332 	/* mark READ/WRITE since we can't predict access */
2333 	if (uap->prot & PROT_READ)
2334 		fad->fad_flags |= FAD_READ;
2335 	if (uap->prot & PROT_WRITE)
2336 		fad->fad_flags |= FAD_WRITE;
2337 
2338 	/* decrement file descriptor reference count */
2339 	releasef(fd);
2340 
2341 }	/* AUS_MMAP */
2342 
2343 
2344 
2345 
2346 /*ARGSUSED*/
2347 static void
2348 aus_munmap(struct t_audit_data *tad)
2349 {
2350 	klwp_t *clwp = ttolwp(curthread);
2351 
2352 	struct a {
2353 		long	addr;
2354 		long	len;
2355 	} *uap = (struct a *)clwp->lwp_ap;
2356 
2357 #ifdef _LP64
2358 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2359 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2360 #else
2361 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2362 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2363 #endif
2364 
2365 }	/* AUS_MUNMAP */
2366 
2367 
2368 
2369 
2370 
2371 
2372 
2373 /*ARGSUSED*/
2374 static void
2375 aus_priocntlsys(struct t_audit_data *tad)
2376 {
2377 	klwp_t *clwp = ttolwp(curthread);
2378 
2379 	struct a {
2380 		long	pc_version;
2381 		long	psp;		/* procset_t */
2382 		long	cmd;
2383 		long	arg;
2384 	} *uap = (struct a *)clwp->lwp_ap;
2385 
2386 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2387 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2388 
2389 }	/* AUS_PRIOCNTLSYS */
2390 
2391 
2392 /*ARGSUSED*/
2393 static void
2394 aus_setegid(struct t_audit_data *tad)
2395 {
2396 	klwp_t *clwp = ttolwp(curthread);
2397 	uint32_t gid;
2398 
2399 	struct a {
2400 		long	gid;
2401 	} *uap = (struct a *)clwp->lwp_ap;
2402 
2403 	gid = (uint32_t)uap->gid;
2404 
2405 	au_uwrite(au_to_arg32(1, "gid", gid));
2406 }	/* AUS_SETEGID */
2407 
2408 
2409 
2410 
2411 /*ARGSUSED*/
2412 static void
2413 aus_setgroups(struct t_audit_data *tad)
2414 {
2415 	klwp_t *clwp = ttolwp(curthread);
2416 	int i;
2417 	int gidsetsize;
2418 	uintptr_t gidset;
2419 	gid_t *gidlist;
2420 
2421 	struct a {
2422 		long	gidsetsize;
2423 		long	gidset;
2424 	} *uap = (struct a *)clwp->lwp_ap;
2425 
2426 	gidsetsize = (uint_t)uap->gidsetsize;
2427 	gidset = (uintptr_t)uap->gidset;
2428 
2429 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2430 		return;
2431 	if (gidsetsize != 0) {
2432 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2433 		    KM_SLEEP);
2434 		if (copyin((caddr_t)gidset, gidlist,
2435 		    gidsetsize * sizeof (gid_t)) == 0)
2436 			for (i = 0; i < gidsetsize; i++)
2437 				au_uwrite(au_to_arg32(1, "setgroups",
2438 				    (uint32_t)gidlist[i]));
2439 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2440 	} else
2441 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2442 
2443 }	/* AUS_SETGROUPS */
2444 
2445 
2446 
2447 
2448 
2449 /*ARGSUSED*/
2450 static void
2451 aus_seteuid(struct t_audit_data *tad)
2452 {
2453 	klwp_t *clwp = ttolwp(curthread);
2454 	uint32_t uid;
2455 
2456 	struct a {
2457 		long	uid;
2458 	} *uap = (struct a *)clwp->lwp_ap;
2459 
2460 	uid = (uint32_t)uap->uid;
2461 
2462 	au_uwrite(au_to_arg32(1, "euid", uid));
2463 
2464 }	/* AUS_SETEUID */
2465 
2466 /*ARGSUSED*/
2467 static void
2468 aus_putmsg(struct t_audit_data *tad)
2469 {
2470 	klwp_t *clwp = ttolwp(curthread);
2471 	uint32_t fd, pri;
2472 	struct file *fp;
2473 	struct f_audit_data *fad;
2474 
2475 	struct a {
2476 		long	fdes;
2477 		long	ctl;		/* struct strbuf * */
2478 		long	data;		/* struct strbuf * */
2479 		long	pri;
2480 	} *uap = (struct a *)clwp->lwp_ap;
2481 
2482 	fd  = (uint32_t)uap->fdes;
2483 	pri = (uint32_t)uap->pri;
2484 
2485 	au_uwrite(au_to_arg32(1, "fd", fd));
2486 
2487 	if ((fp = getf(fd)) != NULL) {
2488 		fad = F2A(fp);
2489 
2490 		fad->fad_flags |= FAD_WRITE;
2491 
2492 		/* add path name to audit record */
2493 		if (fad->fad_aupath != NULL) {
2494 			au_uwrite(au_to_path(fad->fad_aupath));
2495 		}
2496 		audit_attributes(fp->f_vnode);
2497 
2498 		releasef(fd);
2499 	}
2500 
2501 	au_uwrite(au_to_arg32(4, "pri", pri));
2502 }
2503 
2504 /*ARGSUSED*/
2505 static void
2506 aus_putpmsg(struct t_audit_data *tad)
2507 {
2508 	klwp_t *clwp = ttolwp(curthread);
2509 	uint32_t fd, pri, flags;
2510 	struct file *fp;
2511 	struct f_audit_data *fad;
2512 
2513 	struct a {
2514 		long	fdes;
2515 		long	ctl;		/* struct strbuf * */
2516 		long	data;		/* struct strbuf * */
2517 		long	pri;
2518 		long	flags;
2519 	} *uap = (struct a *)clwp->lwp_ap;
2520 
2521 	fd = (uint32_t)uap->fdes;
2522 	pri  = (uint32_t)uap->pri;
2523 	flags  = (uint32_t)uap->flags;
2524 
2525 	au_uwrite(au_to_arg32(1, "fd", fd));
2526 
2527 	if ((fp = getf(fd)) != NULL) {
2528 		fad = F2A(fp);
2529 
2530 		fad->fad_flags |= FAD_WRITE;
2531 
2532 		/* add path name to audit record */
2533 		if (fad->fad_aupath != NULL) {
2534 			au_uwrite(au_to_path(fad->fad_aupath));
2535 		}
2536 		audit_attributes(fp->f_vnode);
2537 
2538 		releasef(fd);
2539 	}
2540 
2541 
2542 	au_uwrite(au_to_arg32(4, "pri", pri));
2543 	au_uwrite(au_to_arg32(5, "flags", flags));
2544 }
2545 
2546 /*ARGSUSED*/
2547 static void
2548 aus_getmsg(struct t_audit_data *tad)
2549 {
2550 	klwp_t *clwp = ttolwp(curthread);
2551 	uint32_t fd, pri;
2552 	struct file *fp;
2553 	struct f_audit_data *fad;
2554 
2555 	struct a {
2556 		long	fdes;
2557 		long	ctl;		/* struct strbuf * */
2558 		long	data;		/* struct strbuf * */
2559 		long	pri;
2560 	} *uap = (struct a *)clwp->lwp_ap;
2561 
2562 	fd  = (uint32_t)uap->fdes;
2563 	pri = (uint32_t)uap->pri;
2564 
2565 	au_uwrite(au_to_arg32(1, "fd", fd));
2566 
2567 	if ((fp = getf(fd)) != NULL) {
2568 		fad = F2A(fp);
2569 
2570 		/*
2571 		 * read operation on this object
2572 		 */
2573 		fad->fad_flags |= FAD_READ;
2574 
2575 		/* add path name to audit record */
2576 		if (fad->fad_aupath != NULL) {
2577 			au_uwrite(au_to_path(fad->fad_aupath));
2578 		}
2579 		audit_attributes(fp->f_vnode);
2580 
2581 		releasef(fd);
2582 	}
2583 
2584 	au_uwrite(au_to_arg32(4, "pri", pri));
2585 }
2586 
2587 /*ARGSUSED*/
2588 static void
2589 aus_getpmsg(struct t_audit_data *tad)
2590 {
2591 	klwp_t *clwp = ttolwp(curthread);
2592 	uint32_t fd;
2593 	struct file *fp;
2594 	struct f_audit_data *fad;
2595 
2596 	struct a {
2597 		long	fdes;
2598 		long	ctl;		/* struct strbuf * */
2599 		long	data;		/* struct strbuf * */
2600 		long	pri;
2601 		long	flags;
2602 	} *uap = (struct a *)clwp->lwp_ap;
2603 
2604 	fd = (uint32_t)uap->fdes;
2605 
2606 	au_uwrite(au_to_arg32(1, "fd", fd));
2607 
2608 	if ((fp = getf(fd)) != NULL) {
2609 		fad = F2A(fp);
2610 
2611 		/*
2612 		 * read operation on this object
2613 		 */
2614 		fad->fad_flags |= FAD_READ;
2615 
2616 		/* add path name to audit record */
2617 		if (fad->fad_aupath != NULL) {
2618 			au_uwrite(au_to_path(fad->fad_aupath));
2619 		}
2620 		audit_attributes(fp->f_vnode);
2621 
2622 		releasef(fd);
2623 	}
2624 }
2625 
2626 static au_event_t
2627 aui_labelsys(au_event_t e)
2628 {
2629 	klwp_t *clwp = ttolwp(curthread);
2630 	uint32_t code;
2631 	uint32_t cmd;
2632 
2633 	struct a {
2634 		long	code;
2635 		long	cmd;
2636 	} *uap = (struct a *)clwp->lwp_ap;
2637 
2638 	code = (uint32_t)uap->code;
2639 	cmd = (uint32_t)uap->cmd;
2640 
2641 	/* not security relevant if not changing kernel cache */
2642 	if (cmd == TNDB_GET)
2643 		return (AUE_NULL);
2644 
2645 	switch (code) {
2646 	case TSOL_TNRH:
2647 		e = AUE_LABELSYS_TNRH;
2648 		break;
2649 	case TSOL_TNRHTP:
2650 		e = AUE_LABELSYS_TNRHTP;
2651 		break;
2652 	case TSOL_TNMLP:
2653 		e = AUE_LABELSYS_TNMLP;
2654 		break;
2655 	default:
2656 		e = AUE_NULL;
2657 		break;
2658 	}
2659 
2660 	return (e);
2661 
2662 }
2663 
2664 static void
2665 aus_labelsys(struct t_audit_data *tad)
2666 {
2667 	klwp_t *clwp = ttolwp(curthread);
2668 	uint32_t cmd;
2669 	uintptr_t a2;
2670 
2671 	struct a {
2672 		long	code;
2673 		long	cmd;
2674 		long	a2;
2675 	} *uap = (struct a *)clwp->lwp_ap;
2676 
2677 	cmd = (uint32_t)uap->cmd;
2678 	a2 = (uintptr_t)uap->a2;
2679 
2680 	switch (tad->tad_event) {
2681 	case AUE_LABELSYS_TNRH:
2682 	{
2683 		tsol_rhent_t	*rhent;
2684 		tnaddr_t	*rh_addr;
2685 
2686 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2687 
2688 		/* Remaining args don't apply for FLUSH, so skip */
2689 		if (cmd == TNDB_FLUSH)
2690 			break;
2691 
2692 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2693 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2694 			kmem_free(rhent, sizeof (tsol_rhent_t));
2695 			return;
2696 		}
2697 
2698 		rh_addr = &rhent->rh_address;
2699 		if (rh_addr->ta_family == AF_INET) {
2700 			struct in_addr	*ipaddr;
2701 
2702 			ipaddr = &(rh_addr->ta_addr_v4);
2703 			au_uwrite(au_to_in_addr(ipaddr));
2704 		} else if (rh_addr->ta_family == AF_INET6) {
2705 			int32_t		*ipaddr;
2706 
2707 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2708 			au_uwrite(au_to_in_addr_ex(ipaddr));
2709 		}
2710 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2711 
2712 		kmem_free(rhent, sizeof (tsol_rhent_t));
2713 
2714 		break;
2715 	}
2716 	case AUE_LABELSYS_TNRHTP:
2717 	{
2718 		tsol_tpent_t	*tpent;
2719 
2720 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2721 
2722 		/* Remaining args don't apply for FLUSH, so skip */
2723 		if (cmd == TNDB_FLUSH)
2724 			break;
2725 
2726 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2727 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2728 			kmem_free(tpent, sizeof (tsol_tpent_t));
2729 			return;
2730 		}
2731 
2732 		/* Make sure that the template name is null-terminated. */
2733 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2734 
2735 		au_uwrite(au_to_text(tpent->name));
2736 		kmem_free(tpent, sizeof (tsol_tpent_t));
2737 
2738 		break;
2739 	}
2740 	case AUE_LABELSYS_TNMLP:
2741 	{
2742 		tsol_mlpent_t	*mlpent;
2743 
2744 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2745 
2746 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2747 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2748 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2749 			return;
2750 		}
2751 
2752 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2753 			au_uwrite(au_to_text("shared"));
2754 		} else {
2755 			zone_t	*zone;
2756 
2757 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2758 			if (zone != NULL) {
2759 				au_uwrite(au_to_text(zone->zone_name));
2760 				zone_rele(zone);
2761 			}
2762 		}
2763 
2764 		/* Remaining args don't apply for FLUSH, so skip */
2765 		if (cmd == TNDB_FLUSH) {
2766 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2767 			break;
2768 		}
2769 
2770 		au_uwrite(au_to_arg32(2, "proto num",
2771 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2772 		au_uwrite(au_to_arg32(2, "mlp_port",
2773 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2774 
2775 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2776 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2777 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2778 
2779 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2780 
2781 		break;
2782 	}
2783 	default:
2784 		break;
2785 	}
2786 }
2787 
2788 
2789 static au_event_t
2790 aui_auditsys(au_event_t e)
2791 {
2792 	klwp_t *clwp = ttolwp(curthread);
2793 	uint32_t code;
2794 
2795 	struct a {
2796 		long	code;
2797 		long	a1;
2798 		long	a2;
2799 		long	a3;
2800 		long	a4;
2801 		long	a5;
2802 		long	a6;
2803 		long	a7;
2804 	} *uap = (struct a *)clwp->lwp_ap;
2805 
2806 	code = (uint32_t)uap->code;
2807 
2808 	switch (code) {
2809 
2810 	case BSM_GETAUID:
2811 		e = AUE_GETAUID;
2812 		break;
2813 	case BSM_SETAUID:
2814 		e = AUE_SETAUID;
2815 		break;
2816 	case BSM_GETAUDIT:
2817 		e = AUE_GETAUDIT;
2818 		break;
2819 	case BSM_GETAUDIT_ADDR:
2820 		e = AUE_GETAUDIT_ADDR;
2821 		break;
2822 	case BSM_SETAUDIT:
2823 		e = AUE_SETAUDIT;
2824 		break;
2825 	case BSM_SETAUDIT_ADDR:
2826 		e = AUE_SETAUDIT_ADDR;
2827 		break;
2828 	case BSM_AUDIT:
2829 		e = AUE_AUDIT;
2830 		break;
2831 	case BSM_AUDITCTL:
2832 		switch ((uint_t)uap->a1) {
2833 
2834 		case A_GETPOLICY:
2835 			e = AUE_AUDITON_GPOLICY;
2836 			break;
2837 		case A_SETPOLICY:
2838 			e = AUE_AUDITON_SPOLICY;
2839 			break;
2840 		case A_GETKMASK:
2841 			e = AUE_AUDITON_GETKMASK;
2842 			break;
2843 		case A_SETKMASK:
2844 			e = AUE_AUDITON_SETKMASK;
2845 			break;
2846 		case A_GETQCTRL:
2847 			e = AUE_AUDITON_GQCTRL;
2848 			break;
2849 		case A_SETQCTRL:
2850 			e = AUE_AUDITON_SQCTRL;
2851 			break;
2852 		case A_GETCWD:
2853 			e = AUE_AUDITON_GETCWD;
2854 			break;
2855 		case A_GETCAR:
2856 			e = AUE_AUDITON_GETCAR;
2857 			break;
2858 		case A_GETSTAT:
2859 			e = AUE_AUDITON_GETSTAT;
2860 			break;
2861 		case A_SETSTAT:
2862 			e = AUE_AUDITON_SETSTAT;
2863 			break;
2864 		case A_SETUMASK:
2865 			e = AUE_AUDITON_SETUMASK;
2866 			break;
2867 		case A_SETSMASK:
2868 			e = AUE_AUDITON_SETSMASK;
2869 			break;
2870 		case A_GETCOND:
2871 			e = AUE_AUDITON_GETCOND;
2872 			break;
2873 		case A_SETCOND:
2874 			e = AUE_AUDITON_SETCOND;
2875 			break;
2876 		case A_GETCLASS:
2877 			e = AUE_AUDITON_GETCLASS;
2878 			break;
2879 		case A_SETCLASS:
2880 			e = AUE_AUDITON_SETCLASS;
2881 			break;
2882 		default:
2883 			e = AUE_NULL;
2884 			break;
2885 		}
2886 		break;
2887 	default:
2888 		e = AUE_NULL;
2889 		break;
2890 	}
2891 
2892 	return (e);
2893 
2894 }	/* AUI_AUDITSYS */
2895 
2896 
2897 static void
2898 aus_auditsys(struct t_audit_data *tad)
2899 {
2900 	klwp_t *clwp = ttolwp(curthread);
2901 	uintptr_t a1, a2;
2902 	STRUCT_DECL(auditinfo, ainfo);
2903 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2904 	au_evclass_map_t event;
2905 	au_mask_t mask;
2906 	int auditstate, policy;
2907 	au_id_t auid;
2908 
2909 
2910 	struct a {
2911 		long	code;
2912 		long	a1;
2913 		long	a2;
2914 		long	a3;
2915 		long	a4;
2916 		long	a5;
2917 		long	a6;
2918 		long	a7;
2919 	} *uap = (struct a *)clwp->lwp_ap;
2920 
2921 	a1   = (uintptr_t)uap->a1;
2922 	a2   = (uintptr_t)uap->a2;
2923 
2924 	switch (tad->tad_event) {
2925 	case AUE_SETAUID:
2926 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2927 				return;
2928 		au_uwrite(au_to_arg32(2, "setauid", auid));
2929 		break;
2930 	case AUE_SETAUDIT:
2931 		STRUCT_INIT(ainfo, get_udatamodel());
2932 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2933 		    STRUCT_SIZE(ainfo))) {
2934 				return;
2935 		}
2936 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2937 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2938 #ifdef _LP64
2939 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2940 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2941 #else
2942 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2943 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2944 #endif
2945 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2946 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2947 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2948 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2949 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2950 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2951 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2952 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2953 		break;
2954 	case AUE_SETAUDIT_ADDR:
2955 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2956 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2957 		    STRUCT_SIZE(ainfo_addr))) {
2958 				return;
2959 		}
2960 		au_uwrite(au_to_arg32((char)1, "auid",
2961 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2962 #ifdef _LP64
2963 		au_uwrite(au_to_arg64((char)1, "port",
2964 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2965 #else
2966 		au_uwrite(au_to_arg32((char)1, "port",
2967 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2968 #endif
2969 		au_uwrite(au_to_arg32((char)1, "type",
2970 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2971 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2972 		    AU_IPv4) {
2973 			au_uwrite(au_to_in_addr(
2974 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2975 			    ai_termid.at_addr)));
2976 		} else {
2977 			au_uwrite(au_to_in_addr_ex(
2978 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
2979 			    ai_termid.at_addr)));
2980 		}
2981 		au_uwrite(au_to_arg32((char)1, "as_success",
2982 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2983 		au_uwrite(au_to_arg32((char)1, "as_failure",
2984 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2985 		au_uwrite(au_to_arg32((char)1, "asid",
2986 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2987 		break;
2988 	case AUE_AUDITON_SETKMASK:
2989 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2990 				return;
2991 		au_uwrite(au_to_arg32(
2992 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
2993 		au_uwrite(au_to_arg32(
2994 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2995 		break;
2996 	case AUE_AUDITON_SPOLICY:
2997 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2998 			return;
2999 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3000 		break;
3001 	case AUE_AUDITON_SQCTRL: {
3002 		STRUCT_DECL(au_qctrl, qctrl);
3003 		model_t model;
3004 
3005 		model = get_udatamodel();
3006 		STRUCT_INIT(qctrl, model);
3007 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3008 				return;
3009 		if (model == DATAMODEL_ILP32) {
3010 			au_uwrite(au_to_arg32(
3011 			    3, "setqctrl:aq_hiwater",
3012 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3013 			au_uwrite(au_to_arg32(
3014 			    3, "setqctrl:aq_lowater",
3015 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3016 			au_uwrite(au_to_arg32(
3017 			    3, "setqctrl:aq_bufsz",
3018 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3019 			au_uwrite(au_to_arg32(
3020 			    3, "setqctrl:aq_delay",
3021 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3022 		} else {
3023 			au_uwrite(au_to_arg64(
3024 			    3, "setqctrl:aq_hiwater",
3025 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3026 			au_uwrite(au_to_arg64(
3027 			    3, "setqctrl:aq_lowater",
3028 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3029 			au_uwrite(au_to_arg64(
3030 			    3, "setqctrl:aq_bufsz",
3031 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3032 			au_uwrite(au_to_arg64(
3033 			    3, "setqctrl:aq_delay",
3034 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3035 		}
3036 		break;
3037 	}
3038 	case AUE_AUDITON_SETUMASK:
3039 		STRUCT_INIT(ainfo, get_udatamodel());
3040 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3041 		    STRUCT_SIZE(ainfo))) {
3042 			return;
3043 		}
3044 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3045 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3046 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3047 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3048 		break;
3049 	case AUE_AUDITON_SETSMASK:
3050 		STRUCT_INIT(ainfo, get_udatamodel());
3051 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3052 		    STRUCT_SIZE(ainfo))) {
3053 			return;
3054 		}
3055 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3056 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3057 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3058 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3059 		break;
3060 	case AUE_AUDITON_SETCOND:
3061 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3062 			return;
3063 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3064 		break;
3065 	case AUE_AUDITON_SETCLASS:
3066 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3067 			return;
3068 		au_uwrite(au_to_arg32(
3069 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3070 		au_uwrite(au_to_arg32(
3071 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3072 		break;
3073 	case AUE_GETAUID:
3074 	case AUE_GETAUDIT:
3075 	case AUE_GETAUDIT_ADDR:
3076 	case AUE_AUDIT:
3077 	case AUE_AUDITON_GPOLICY:
3078 	case AUE_AUDITON_GQCTRL:
3079 	case AUE_AUDITON_GETKMASK:
3080 	case AUE_AUDITON_GETCWD:
3081 	case AUE_AUDITON_GETCAR:
3082 	case AUE_AUDITON_GETSTAT:
3083 	case AUE_AUDITON_SETSTAT:
3084 	case AUE_AUDITON_GETCOND:
3085 	case AUE_AUDITON_GETCLASS:
3086 		break;
3087 	default:
3088 		break;
3089 	}
3090 
3091 }	/* AUS_AUDITSYS */
3092 
3093 
3094 /* only audit privileged operations for systeminfo(2) system call */
3095 static au_event_t
3096 aui_sysinfo(au_event_t e)
3097 {
3098 	klwp_t *clwp = ttolwp(curthread);
3099 	uint32_t command;
3100 
3101 	struct a {
3102 		long	command;
3103 		long	buf;		/* char * */
3104 		long	count;
3105 	} *uap = (struct a *)clwp->lwp_ap;
3106 
3107 	command = (uint32_t)uap->command;
3108 
3109 	switch (command) {
3110 	case SI_SET_HOSTNAME:
3111 	case SI_SET_SRPC_DOMAIN:
3112 		e = (au_event_t)AUE_SYSINFO;
3113 		break;
3114 	default:
3115 		e = (au_event_t)AUE_NULL;
3116 		break;
3117 	}
3118 	return (e);
3119 }
3120 
3121 /*ARGSUSED*/
3122 static void
3123 aus_sysinfo(struct t_audit_data *tad)
3124 {
3125 	klwp_t *clwp = ttolwp(curthread);
3126 	uint32_t command;
3127 	size_t len, maxlen;
3128 	char *name;
3129 	uintptr_t buf;
3130 
3131 	struct a {
3132 		long	command;
3133 		long	buf;		/* char * */
3134 		long	count;
3135 	} *uap = (struct a *)clwp->lwp_ap;
3136 
3137 	command = (uint32_t)uap->command;
3138 	buf = (uintptr_t)uap->buf;
3139 
3140 	au_uwrite(au_to_arg32(1, "cmd", command));
3141 
3142 	switch (command) {
3143 	case SI_SET_HOSTNAME:
3144 	{
3145 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3146 			return;
3147 
3148 		maxlen = SYS_NMLN;
3149 		name = kmem_alloc(maxlen, KM_SLEEP);
3150 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3151 			break;
3152 
3153 		/*
3154 		 * Must be non-NULL string and string
3155 		 * must be less than SYS_NMLN chars.
3156 		 */
3157 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3158 			break;
3159 
3160 		au_uwrite(au_to_text(name));
3161 		break;
3162 	}
3163 
3164 	case SI_SET_SRPC_DOMAIN:
3165 	{
3166 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3167 			return;
3168 
3169 		maxlen = SYS_NMLN;
3170 		name = kmem_alloc(maxlen, KM_SLEEP);
3171 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3172 			break;
3173 
3174 		/*
3175 		 * If string passed in is longer than length
3176 		 * allowed for domain name, fail.
3177 		 */
3178 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3179 			break;
3180 
3181 		au_uwrite(au_to_text(name));
3182 		break;
3183 	}
3184 
3185 	default:
3186 		return;
3187 	}
3188 
3189 	kmem_free(name, maxlen);
3190 }
3191 
3192 static au_event_t
3193 aui_modctl(au_event_t e)
3194 {
3195 	klwp_t *clwp = ttolwp(curthread);
3196 	uint_t cmd;
3197 
3198 	struct a {
3199 		long	cmd;
3200 	} *uap = (struct a *)clwp->lwp_ap;
3201 
3202 	cmd = (uint_t)uap->cmd;
3203 
3204 	switch (cmd) {
3205 	case MODLOAD:
3206 		e = AUE_MODLOAD;
3207 		break;
3208 	case MODUNLOAD:
3209 		e = AUE_MODUNLOAD;
3210 		break;
3211 	case MODADDMAJBIND:
3212 		e = AUE_MODADDMAJ;
3213 		break;
3214 	case MODSETDEVPOLICY:
3215 		e = AUE_MODDEVPLCY;
3216 		break;
3217 	case MODALLOCPRIV:
3218 		e = AUE_MODADDPRIV;
3219 		break;
3220 	default:
3221 		e = AUE_NULL;
3222 		break;
3223 	}
3224 	return (e);
3225 }
3226 
3227 
3228 /*ARGSUSED*/
3229 static void
3230 aus_modctl(struct t_audit_data *tad)
3231 {
3232 	klwp_t *clwp = ttolwp(curthread);
3233 	void *a	= clwp->lwp_ap;
3234 	uint_t use_path;
3235 
3236 	switch (tad->tad_event) {
3237 	case AUE_MODLOAD: {
3238 		typedef struct {
3239 			long	cmd;
3240 			long	use_path;
3241 			long	filename;		/* char * */
3242 		} modloada_t;
3243 
3244 		char *filenamep;
3245 		uintptr_t fname;
3246 		extern char *default_path;
3247 
3248 		fname = (uintptr_t)((modloada_t *)a)->filename;
3249 		use_path = (uint_t)((modloada_t *)a)->use_path;
3250 
3251 			/* space to hold path */
3252 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3253 			/* get string */
3254 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3255 				/* free allocated path */
3256 			kmem_free(filenamep, MOD_MAXPATH);
3257 			return;
3258 		}
3259 			/* ensure it's null terminated */
3260 		filenamep[MOD_MAXPATH - 1] = 0;
3261 
3262 		if (use_path)
3263 			au_uwrite(au_to_text(default_path));
3264 		au_uwrite(au_to_text(filenamep));
3265 
3266 			/* release temporary memory */
3267 		kmem_free(filenamep, MOD_MAXPATH);
3268 		break;
3269 	}
3270 	case AUE_MODUNLOAD: {
3271 		typedef struct {
3272 			long	cmd;
3273 			long	id;
3274 		} modunloada_t;
3275 
3276 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3277 
3278 		au_uwrite(au_to_arg32(1, "id", id));
3279 		break;
3280 	}
3281 	case AUE_MODADDMAJ: {
3282 		STRUCT_DECL(modconfig, mc);
3283 		typedef struct {
3284 			long	cmd;
3285 			long	subcmd;
3286 			long	data;		/* int * */
3287 		} modconfiga_t;
3288 
3289 		STRUCT_DECL(aliases, alias);
3290 		caddr_t ap;
3291 		int i, num_aliases;
3292 		char *drvname, *mc_drvname;
3293 		char *name;
3294 		extern char *ddi_major_to_name(major_t);
3295 		model_t model;
3296 
3297 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3298 
3299 		model = get_udatamodel();
3300 		STRUCT_INIT(mc, model);
3301 			/* sanitize buffer */
3302 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3303 			/* get user arguments */
3304 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3305 		    STRUCT_SIZE(mc)) != 0)
3306 			return;
3307 
3308 		mc_drvname = STRUCT_FGET(mc, drvname);
3309 		if ((drvname = ddi_major_to_name(
3310 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3311 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3312 				/* safety */
3313 			if (mc_drvname[0] != '\0') {
3314 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3315 				au_uwrite(au_to_text(mc_drvname));
3316 			}
3317 				/* drvname != NULL from test above */
3318 			au_uwrite(au_to_text(drvname));
3319 			return;
3320 		}
3321 
3322 		if (mc_drvname[0] != '\0') {
3323 				/* safety */
3324 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3325 			au_uwrite(au_to_text(mc_drvname));
3326 		} else
3327 			au_uwrite(au_to_text("no drvname"));
3328 
3329 		num_aliases = STRUCT_FGET(mc, num_aliases);
3330 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3331 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3332 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3333 		STRUCT_INIT(alias, model);
3334 		for (i = 0; i < num_aliases; i++) {
3335 			bzero((caddr_t)STRUCT_BUF(alias),
3336 			    STRUCT_SIZE(alias));
3337 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3338 			    STRUCT_SIZE(alias)) != 0)
3339 				break;
3340 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3341 			    MAXMODCONFNAME, NULL) != 0) {
3342 				break;
3343 			}
3344 
3345 			au_uwrite(au_to_text(name));
3346 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3347 		}
3348 		kmem_free(name, MAXMODCONFNAME);
3349 		break;
3350 	}
3351 	default:
3352 		break;
3353 	}
3354 }
3355 
3356 
3357 /*ARGSUSED*/
3358 static void
3359 auf_accept(
3360 	struct t_audit_data *tad,
3361 	int	error,
3362 	rval_t	*rval)
3363 {
3364 	uint32_t scid;
3365 	uint32_t sy_flags;
3366 	int fd;
3367 	struct sonode *so;
3368 	char so_laddr[sizeof (struct sockaddr_in6)];
3369 	char so_faddr[sizeof (struct sockaddr_in6)];
3370 	int err;
3371 	short so_family, so_type;
3372 	int add_sock_token = 0;
3373 
3374 	/* need to determine type of executing binary */
3375 	scid = tad->tad_scid;
3376 #ifdef _SYSCALL32_IMPL
3377 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3378 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3379 	else
3380 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3381 #else
3382 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3383 #endif
3384 	if (sy_flags == SE_32RVAL1)
3385 		fd = rval->r_val1;
3386 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3387 		fd = rval->r_val1;
3388 	if (sy_flags == SE_64RVAL)
3389 		fd = (int)rval->r_vals;
3390 
3391 	if (error) {
3392 		/* can't trust socket contents. Just return */
3393 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3394 		return;
3395 	}
3396 
3397 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3398 		/*
3399 		 * not security relevant if doing a accept from non socket
3400 		 * so no extra tokens. Should probably turn off audit record
3401 		 * generation here.
3402 		 */
3403 		return;
3404 	}
3405 
3406 	so_family = so->so_family;
3407 	so_type   = so->so_type;
3408 
3409 	switch (so_family) {
3410 	case AF_INET:
3411 	case AF_INET6:
3412 		/*
3413 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3414 		 */
3415 		if (so->so_type == SOCK_STREAM) {
3416 			socklen_t len;
3417 
3418 			bzero((void *)so_laddr, sizeof (so_laddr));
3419 			bzero((void *)so_faddr, sizeof (so_faddr));
3420 
3421 			len = sizeof (so_laddr);
3422 			(void) socket_getsockname(so,
3423 			    (struct sockaddr *)so_laddr, &len, CRED());
3424 			len = sizeof (so_faddr);
3425 			(void) socket_getpeername(so,
3426 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3427 
3428 			add_sock_token = 1;
3429 		}
3430 		break;
3431 
3432 	default:
3433 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3434 		break;
3435 	}
3436 
3437 	releasef(fd);
3438 
3439 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3440 
3441 	if (add_sock_token == 0) {
3442 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3443 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3444 		return;
3445 	}
3446 
3447 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3448 
3449 }
3450 
3451 /*ARGSUSED*/
3452 static void
3453 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3454 {
3455 	struct a {
3456 		long	fd;
3457 		long	addr;
3458 		long	len;
3459 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3460 
3461 	struct sonode *so;
3462 	char so_laddr[sizeof (struct sockaddr_in6)];
3463 	char so_faddr[sizeof (struct sockaddr_in6)];
3464 	int err, fd;
3465 	socklen_t len;
3466 	short so_family, so_type;
3467 	int add_sock_token = 0;
3468 
3469 	fd = (int)uap->fd;
3470 
3471 	/*
3472 	 * bind failed, then nothing extra to add to audit record.
3473 	 */
3474 	if (error) {
3475 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3476 		/* XXX may want to add failed address some day */
3477 		return;
3478 	}
3479 
3480 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3481 		/*
3482 		 * not security relevant if doing a bind from non socket
3483 		 * so no extra tokens. Should probably turn off audit record
3484 		 * generation here.
3485 		 */
3486 		return;
3487 	}
3488 
3489 	so_family = so->so_family;
3490 	so_type   = so->so_type;
3491 
3492 	switch (so_family) {
3493 	case AF_INET:
3494 	case AF_INET6:
3495 
3496 		bzero(so_faddr, sizeof (so_faddr));
3497 		len = sizeof (so_faddr);
3498 
3499 		(void) socket_getpeername(so,
3500 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3501 		add_sock_token = 1;
3502 
3503 		break;
3504 
3505 	case AF_UNIX:
3506 		/* token added by lookup */
3507 		break;
3508 	default:
3509 		/* AF_ROUTE, AF_KEY do not support accept */
3510 		break;
3511 	}
3512 
3513 	releasef(fd);
3514 
3515 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3516 
3517 	if (add_sock_token == 0) {
3518 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3519 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3520 		return;
3521 	}
3522 
3523 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3524 
3525 }
3526 
3527 /*ARGSUSED*/
3528 static void
3529 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3530 {
3531 	struct a {
3532 		long	fd;
3533 		long	addr;
3534 		long	len;
3535 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3536 
3537 	struct sonode *so;
3538 	char so_laddr[sizeof (struct sockaddr_in6)];
3539 	char so_faddr[sizeof (struct sockaddr_in6)];
3540 	int err, fd;
3541 	socklen_t len;
3542 	short so_family, so_type;
3543 	int add_sock_token = 0;
3544 
3545 	fd = (int)uap->fd;
3546 
3547 
3548 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3549 		/*
3550 		 * not security relevant if doing a connect from non socket
3551 		 * so no extra tokens. Should probably turn off audit record
3552 		 * generation here.
3553 		 */
3554 		return;
3555 	}
3556 
3557 	so_family = so->so_family;
3558 	so_type   = so->so_type;
3559 
3560 	switch (so_family) {
3561 	case AF_INET:
3562 	case AF_INET6:
3563 
3564 		bzero(so_laddr, sizeof (so_laddr));
3565 		bzero(so_faddr, sizeof (so_faddr));
3566 
3567 		len = sizeof (so_laddr);
3568 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3569 		    &len, CRED());
3570 		if (error) {
3571 			if (uap->addr == NULL)
3572 				break;
3573 			if (uap->len <= 0)
3574 				break;
3575 			len = min(uap->len, sizeof (so_faddr));
3576 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3577 				break;
3578 #ifdef NOTYET
3579 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3580 #endif
3581 		} else {
3582 			/* sanity check on length */
3583 			len = sizeof (so_faddr);
3584 			(void) socket_getpeername(so,
3585 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3586 		}
3587 
3588 		add_sock_token = 1;
3589 
3590 		break;
3591 
3592 	case AF_UNIX:
3593 		/* does a lookup on name */
3594 		break;
3595 
3596 	default:
3597 		/* AF_ROUTE, AF_KEY do not support accept */
3598 		break;
3599 	}
3600 
3601 	releasef(fd);
3602 
3603 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3604 
3605 	if (add_sock_token == 0) {
3606 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3607 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3608 		return;
3609 	}
3610 
3611 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3612 
3613 }
3614 
3615 /*ARGSUSED*/
3616 static void
3617 aus_shutdown(struct t_audit_data *tad)
3618 {
3619 	struct a {
3620 		long	fd;
3621 		long	how;
3622 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3623 
3624 	struct sonode *so;
3625 	char so_laddr[sizeof (struct sockaddr_in6)];
3626 	char so_faddr[sizeof (struct sockaddr_in6)];
3627 	int err, fd;
3628 	socklen_t len;
3629 	short so_family, so_type;
3630 	int add_sock_token = 0;
3631 	file_t *fp;				/* unix domain sockets */
3632 	struct f_audit_data *fad;		/* unix domain sockets */
3633 
3634 	fd = (int)uap->fd;
3635 
3636 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3637 		/*
3638 		 * not security relevant if doing a shutdown using non socket
3639 		 * so no extra tokens. Should probably turn off audit record
3640 		 * generation here.
3641 		 */
3642 		return;
3643 	}
3644 
3645 	so_family = so->so_family;
3646 	so_type   = so->so_type;
3647 
3648 	switch (so_family) {
3649 	case AF_INET:
3650 	case AF_INET6:
3651 
3652 		bzero(so_laddr, sizeof (so_laddr));
3653 		bzero(so_faddr, sizeof (so_faddr));
3654 
3655 		len = sizeof (so_laddr);
3656 		(void) socket_getsockname(so,
3657 		    (struct sockaddr *)so_laddr, &len, CRED());
3658 		len = sizeof (so_faddr);
3659 		(void) socket_getpeername(so,
3660 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3661 
3662 		add_sock_token = 1;
3663 
3664 		break;
3665 
3666 	case AF_UNIX:
3667 
3668 		/* get path from file struct here */
3669 		fad = F2A(fp);
3670 		ASSERT(fad);
3671 
3672 		if (fad->fad_aupath != NULL) {
3673 			au_uwrite(au_to_path(fad->fad_aupath));
3674 		} else {
3675 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3676 		}
3677 
3678 		audit_attributes(fp->f_vnode);
3679 
3680 		break;
3681 
3682 	default:
3683 		/*
3684 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3685 		 * added.
3686 		 */
3687 		break;
3688 	}
3689 
3690 	releasef(fd);
3691 
3692 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3693 
3694 	if (add_sock_token == 0) {
3695 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3696 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3697 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3698 		return;
3699 	}
3700 
3701 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3702 
3703 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3704 
3705 }
3706 
3707 /*ARGSUSED*/
3708 static void
3709 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3710 {
3711 	struct a {
3712 		long	fd;
3713 		long	level;
3714 		long	optname;
3715 		long	*optval;
3716 		long	optlen;
3717 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3718 
3719 	struct sonode	*so;
3720 	char so_laddr[sizeof (struct sockaddr_in6)];
3721 	char so_faddr[sizeof (struct sockaddr_in6)];
3722 	char		val[AU_BUFSIZE];
3723 	int		err, fd;
3724 	socklen_t	len;
3725 	short so_family, so_type;
3726 	int		add_sock_token = 0;
3727 	file_t *fp;				/* unix domain sockets */
3728 	struct f_audit_data *fad;		/* unix domain sockets */
3729 
3730 	fd = (int)uap->fd;
3731 
3732 	if (error) {
3733 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3734 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3735 		/* XXX may want to include other arguments */
3736 		return;
3737 	}
3738 
3739 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3740 		/*
3741 		 * not security relevant if doing a setsockopt from non socket
3742 		 * so no extra tokens. Should probably turn off audit record
3743 		 * generation here.
3744 		 */
3745 		return;
3746 	}
3747 
3748 	so_family = so->so_family;
3749 	so_type   = so->so_type;
3750 
3751 	switch (so_family) {
3752 	case AF_INET:
3753 	case AF_INET6:
3754 		bzero((void *)so_laddr, sizeof (so_laddr));
3755 		bzero((void *)so_faddr, sizeof (so_faddr));
3756 
3757 		/* get local and foreign addresses */
3758 		len = sizeof (so_laddr);
3759 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3760 		    &len, CRED());
3761 		len = sizeof (so_faddr);
3762 		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3763 		    &len, B_FALSE, CRED());
3764 
3765 		add_sock_token = 1;
3766 
3767 		break;
3768 
3769 	case AF_UNIX:
3770 
3771 		/* get path from file struct here */
3772 		fad = F2A(fp);
3773 		ASSERT(fad);
3774 
3775 		if (fad->fad_aupath != NULL) {
3776 			au_uwrite(au_to_path(fad->fad_aupath));
3777 		} else {
3778 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3779 		}
3780 
3781 		audit_attributes(fp->f_vnode);
3782 
3783 		break;
3784 
3785 	default:
3786 		/*
3787 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3788 		 * added.
3789 		 */
3790 		break;
3791 	}
3792 
3793 	releasef(fd);
3794 
3795 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3796 
3797 	if (add_sock_token == 0) {
3798 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3799 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3800 	}
3801 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3802 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3803 
3804 	bzero(val, sizeof (val));
3805 	len = min(uap->optlen, sizeof (val));
3806 	if ((len > 0) &&
3807 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3808 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3809 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3810 	}
3811 
3812 	if (add_sock_token == 0)
3813 		return;
3814 
3815 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3816 
3817 }
3818 
3819 /*ARGSUSED*/
3820 static void
3821 aus_sockconfig(tad)
3822 	struct t_audit_data *tad;
3823 {
3824 	struct a {
3825 		long	cmd;
3826 		long	arg1;
3827 		long	arg2;
3828 		long	arg3;
3829 		long	arg4;
3830 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3831 
3832 	char	*buf;
3833 	int	buflen;
3834 	size_t	size;
3835 
3836 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
3837 	switch (uap->cmd) {
3838 	case SOCKCONFIG_ADD_SOCK:
3839 	case SOCKCONFIG_REMOVE_SOCK:
3840 		au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
3841 		au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
3842 		au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
3843 
3844 		if (uap->arg4 == 0) {
3845 			au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
3846 		} else {
3847 			buflen = MAXPATHLEN + 1;
3848 			buf = kmem_alloc(buflen, KM_SLEEP);
3849 			if (copyinstr((caddr_t)uap->arg4, buf, buflen,
3850 			    &size)) {
3851 				kmem_free(buf, buflen);
3852 				return;
3853 			}
3854 
3855 			if (size > MAXPATHLEN) {
3856 				kmem_free(buf, buflen);
3857 				return;
3858 			}
3859 
3860 			au_uwrite(au_to_text(buf));
3861 			kmem_free(buf, buflen);
3862 		}
3863 		break;
3864 	case SOCKCONFIG_ADD_FILTER:
3865 	case SOCKCONFIG_REMOVE_FILTER:
3866 		buflen = FILNAME_MAX;
3867 		buf = kmem_alloc(buflen, KM_SLEEP);
3868 
3869 		if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
3870 			kmem_free(buf, buflen);
3871 			return;
3872 		}
3873 
3874 		au_uwrite(au_to_text(buf));
3875 		kmem_free(buf, buflen);
3876 		break;
3877 	default:
3878 		break;
3879 	}
3880 }
3881 
3882 /*
3883  * only audit recvmsg when the system call represents the creation of a new
3884  * circuit. This effectively occurs for all UDP packets and may occur for
3885  * special TCP situations where the local host has not set a local address
3886  * in the socket structure.
3887  */
3888 /*ARGSUSED*/
3889 static void
3890 auf_recvmsg(
3891 	struct t_audit_data *tad,
3892 	int error,
3893 	rval_t *rvp)
3894 {
3895 	struct a {
3896 		long	fd;
3897 		long	msg;	/* struct msghdr */
3898 		long	flags;
3899 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3900 
3901 	struct sonode	*so;
3902 	STRUCT_DECL(msghdr, msg);
3903 	caddr_t msg_name;
3904 	socklen_t msg_namelen;
3905 	int fd;
3906 	int err;
3907 	char so_laddr[sizeof (struct sockaddr_in6)];
3908 	char so_faddr[sizeof (struct sockaddr_in6)];
3909 	socklen_t len;
3910 	file_t *fp;				/* unix domain sockets */
3911 	struct f_audit_data *fad;		/* unix domain sockets */
3912 	short so_family, so_type;
3913 	int add_sock_token = 0;
3914 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3915 
3916 	fd = (int)uap->fd;
3917 
3918 	/* bail if an error */
3919 	if (error) {
3920 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3921 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3922 		return;
3923 	}
3924 
3925 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3926 		/*
3927 		 * not security relevant if doing a recvmsg from non socket
3928 		 * so no extra tokens. Should probably turn off audit record
3929 		 * generation here.
3930 		 */
3931 		return;
3932 	}
3933 
3934 	so_family = so->so_family;
3935 	so_type   = so->so_type;
3936 
3937 	/*
3938 	 * only putout SOCKET_EX token if INET/INET6 family.
3939 	 * XXX - what do we do about other families?
3940 	 */
3941 
3942 	switch (so_family) {
3943 	case AF_INET:
3944 	case AF_INET6:
3945 
3946 		/*
3947 		 * if datagram type socket, then just use what is in
3948 		 * socket structure for local address.
3949 		 * XXX - what do we do for other types?
3950 		 */
3951 		if ((so->so_type == SOCK_DGRAM) ||
3952 		    (so->so_type == SOCK_RAW)) {
3953 			add_sock_token = 1;
3954 
3955 			bzero((void *)so_laddr, sizeof (so_laddr));
3956 			bzero((void *)so_faddr, sizeof (so_faddr));
3957 
3958 			/* get local address */
3959 			len = sizeof (so_laddr);
3960 			(void) socket_getsockname(so,
3961 			    (struct sockaddr *)so_laddr, &len, CRED());
3962 
3963 			/* get peer address */
3964 			STRUCT_INIT(msg, get_udatamodel());
3965 
3966 			if (copyin((caddr_t)(uap->msg),
3967 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3968 				break;
3969 			}
3970 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3971 			if (msg_name == NULL) {
3972 				break;
3973 			}
3974 
3975 			/* length is value from recvmsg - sanity check */
3976 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3977 			if (msg_namelen == 0) {
3978 				break;
3979 			}
3980 			if (copyin(msg_name, so_faddr,
3981 			    sizeof (so_faddr)) != 0) {
3982 				break;
3983 			}
3984 
3985 		} else if (so->so_type == SOCK_STREAM) {
3986 
3987 			/* get path from file struct here */
3988 			fad = F2A(fp);
3989 			ASSERT(fad);
3990 
3991 			/*
3992 			 * already processed this file for read attempt
3993 			 */
3994 			if (fad->fad_flags & FAD_READ) {
3995 				/* don't want to audit every recvmsg attempt */
3996 				tad->tad_flag = 0;
3997 				/* free any residual audit data */
3998 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
3999 				releasef(fd);
4000 				return;
4001 			}
4002 			/*
4003 			 * mark things so we know what happened and don't
4004 			 * repeat things
4005 			 */
4006 			fad->fad_flags |= FAD_READ;
4007 
4008 			bzero((void *)so_laddr, sizeof (so_laddr));
4009 			bzero((void *)so_faddr, sizeof (so_faddr));
4010 
4011 			/* get local and foreign addresses */
4012 			len = sizeof (so_laddr);
4013 			(void) socket_getsockname(so,
4014 			    (struct sockaddr *)so_laddr, &len, CRED());
4015 			len = sizeof (so_faddr);
4016 			(void) socket_getpeername(so,
4017 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4018 
4019 			add_sock_token = 1;
4020 		}
4021 
4022 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4023 
4024 		break;
4025 
4026 	case AF_UNIX:
4027 		/*
4028 		 * first check if this is first time through. Too much
4029 		 * duplicate code to put this in an aui_ routine.
4030 		 */
4031 
4032 		/* get path from file struct here */
4033 		fad = F2A(fp);
4034 		ASSERT(fad);
4035 
4036 		/*
4037 		 * already processed this file for read attempt
4038 		 */
4039 		if (fad->fad_flags & FAD_READ) {
4040 			releasef(fd);
4041 			/* don't want to audit every recvmsg attempt */
4042 			tad->tad_flag = 0;
4043 			/* free any residual audit data */
4044 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4045 			return;
4046 		}
4047 		/*
4048 		 * mark things so we know what happened and don't
4049 		 * repeat things
4050 		 */
4051 		fad->fad_flags |= FAD_READ;
4052 
4053 		if (fad->fad_aupath != NULL) {
4054 			au_uwrite(au_to_path(fad->fad_aupath));
4055 		} else {
4056 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4057 		}
4058 
4059 		audit_attributes(fp->f_vnode);
4060 
4061 		releasef(fd);
4062 
4063 		return;
4064 
4065 	default:
4066 		break;
4067 
4068 	}
4069 
4070 	releasef(fd);
4071 
4072 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4073 
4074 	if (add_sock_token == 0) {
4075 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4076 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4077 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4078 		return;
4079 	}
4080 
4081 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4082 
4083 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4084 
4085 }
4086 
4087 /*ARGSUSED*/
4088 static void
4089 auf_recvfrom(
4090 	struct t_audit_data *tad,
4091 	int error,
4092 	rval_t *rvp)
4093 {
4094 
4095 	struct a {
4096 		long	fd;
4097 		long	msg;	/* char */
4098 		long	len;
4099 		long	flags;
4100 		long	from;	/* struct sockaddr */
4101 		long	fromlen;
4102 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4103 
4104 	socklen_t	fromlen;
4105 	struct sonode	*so;
4106 	char so_laddr[sizeof (struct sockaddr_in6)];
4107 	char so_faddr[sizeof (struct sockaddr_in6)];
4108 	int		fd;
4109 	short so_family, so_type;
4110 	int add_sock_token = 0;
4111 	socklen_t len;
4112 	int err;
4113 	struct file *fp;
4114 	struct f_audit_data *fad;		/* unix domain sockets */
4115 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4116 
4117 	fd = (int)uap->fd;
4118 
4119 	/* bail if an error */
4120 	if (error) {
4121 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4122 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4123 		return;
4124 	}
4125 
4126 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4127 		/*
4128 		 * not security relevant if doing a recvmsg from non socket
4129 		 * so no extra tokens. Should probably turn off audit record
4130 		 * generation here.
4131 		 */
4132 		return;
4133 	}
4134 
4135 	so_family = so->so_family;
4136 	so_type   = so->so_type;
4137 
4138 	/*
4139 	 * only putout SOCKET_EX token if INET/INET6 family.
4140 	 * XXX - what do we do about other families?
4141 	 */
4142 
4143 	switch (so_family) {
4144 	case AF_INET:
4145 	case AF_INET6:
4146 
4147 		/*
4148 		 * if datagram type socket, then just use what is in
4149 		 * socket structure for local address.
4150 		 * XXX - what do we do for other types?
4151 		 */
4152 		if ((so->so_type == SOCK_DGRAM) ||
4153 		    (so->so_type == SOCK_RAW)) {
4154 			add_sock_token = 1;
4155 
4156 			/* get local address */
4157 			len = sizeof (so_laddr);
4158 			(void) socket_getsockname(so,
4159 			    (struct sockaddr *)so_laddr, &len, CRED());
4160 
4161 			/* get peer address */
4162 			bzero((void *)so_faddr, sizeof (so_faddr));
4163 
4164 			/* sanity check */
4165 			if (uap->from == NULL)
4166 				break;
4167 
4168 			/* sanity checks */
4169 			if (uap->fromlen == 0)
4170 				break;
4171 
4172 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4173 			    sizeof (fromlen)) != 0)
4174 				break;
4175 
4176 			if (fromlen == 0)
4177 				break;
4178 
4179 			/* enforce maximum size */
4180 			if (fromlen > sizeof (so_faddr))
4181 				fromlen = sizeof (so_faddr);
4182 
4183 			if (copyin((caddr_t)(uap->from), so_faddr,
4184 			    fromlen) != 0)
4185 				break;
4186 
4187 		} else if (so->so_type == SOCK_STREAM) {
4188 
4189 			/* get path from file struct here */
4190 			fad = F2A(fp);
4191 			ASSERT(fad);
4192 
4193 			/*
4194 			 * already processed this file for read attempt
4195 			 */
4196 			if (fad->fad_flags & FAD_READ) {
4197 				/* don't want to audit every recvfrom attempt */
4198 				tad->tad_flag = 0;
4199 				/* free any residual audit data */
4200 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4201 				releasef(fd);
4202 				return;
4203 			}
4204 			/*
4205 			 * mark things so we know what happened and don't
4206 			 * repeat things
4207 			 */
4208 			fad->fad_flags |= FAD_READ;
4209 
4210 			bzero((void *)so_laddr, sizeof (so_laddr));
4211 			bzero((void *)so_faddr, sizeof (so_faddr));
4212 
4213 			/* get local and foreign addresses */
4214 			len = sizeof (so_laddr);
4215 			(void) socket_getsockname(so,
4216 			    (struct sockaddr *)so_laddr, &len, CRED());
4217 			len = sizeof (so_faddr);
4218 			(void) socket_getpeername(so,
4219 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4220 
4221 			add_sock_token = 1;
4222 		}
4223 
4224 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4225 
4226 		break;
4227 
4228 	case AF_UNIX:
4229 		/*
4230 		 * first check if this is first time through. Too much
4231 		 * duplicate code to put this in an aui_ routine.
4232 		 */
4233 
4234 		/* get path from file struct here */
4235 		fad = F2A(fp);
4236 		ASSERT(fad);
4237 
4238 		/*
4239 		 * already processed this file for read attempt
4240 		 */
4241 		if (fad->fad_flags & FAD_READ) {
4242 			/* don't want to audit every recvfrom attempt */
4243 			tad->tad_flag = 0;
4244 			/* free any residual audit data */
4245 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4246 			releasef(fd);
4247 			return;
4248 		}
4249 		/*
4250 		 * mark things so we know what happened and don't
4251 		 * repeat things
4252 		 */
4253 		fad->fad_flags |= FAD_READ;
4254 
4255 		if (fad->fad_aupath != NULL) {
4256 			au_uwrite(au_to_path(fad->fad_aupath));
4257 		} else {
4258 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4259 		}
4260 
4261 		audit_attributes(fp->f_vnode);
4262 
4263 		releasef(fd);
4264 
4265 		return;
4266 
4267 	default:
4268 		break;
4269 
4270 	}
4271 
4272 	releasef(fd);
4273 
4274 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4275 
4276 	if (add_sock_token == 0) {
4277 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4278 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4279 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4280 		return;
4281 	}
4282 
4283 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4284 
4285 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4286 }
4287 
4288 /*ARGSUSED*/
4289 static void
4290 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4291 {
4292 	struct a {
4293 		long	fd;
4294 		long	msg;	/* struct msghdr */
4295 		long	flags;
4296 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4297 
4298 	struct sonode	*so;
4299 	char so_laddr[sizeof (struct sockaddr_in6)];
4300 	char so_faddr[sizeof (struct sockaddr_in6)];
4301 	int		err;
4302 	int		fd;
4303 	short so_family, so_type;
4304 	int		add_sock_token = 0;
4305 	socklen_t	len;
4306 	struct file	*fp;
4307 	struct f_audit_data *fad;
4308 	caddr_t		msg_name;
4309 	socklen_t	msg_namelen;
4310 	STRUCT_DECL(msghdr, msg);
4311 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4312 
4313 	fd = (int)uap->fd;
4314 
4315 	/* bail if an error */
4316 	if (error) {
4317 		/* XXX include destination address from system call arguments */
4318 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4319 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4320 		return;
4321 	}
4322 
4323 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4324 		/*
4325 		 * not security relevant if doing a sendmsg from non socket
4326 		 * so no extra tokens. Should probably turn off audit record
4327 		 * generation here.
4328 		 */
4329 		return;
4330 	}
4331 
4332 	so_family = so->so_family;
4333 	so_type   = so->so_type;
4334 
4335 	switch (so_family) {
4336 	case AF_INET:
4337 	case AF_INET6:
4338 		/*
4339 		 * if datagram type socket, then just use what is in
4340 		 * socket structure for local address.
4341 		 * XXX - what do we do for other types?
4342 		 */
4343 		if ((so->so_type == SOCK_DGRAM) ||
4344 		    (so->so_type == SOCK_RAW)) {
4345 
4346 			bzero((void *)so_laddr, sizeof (so_laddr));
4347 			bzero((void *)so_faddr, sizeof (so_faddr));
4348 
4349 			/* get local address */
4350 			len = sizeof (so_laddr);
4351 			(void) socket_getsockname(so,
4352 			    (struct sockaddr *)so_laddr, &len, CRED());
4353 
4354 			/* get peer address */
4355 			STRUCT_INIT(msg, get_udatamodel());
4356 
4357 			if (copyin((caddr_t)(uap->msg),
4358 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4359 				break;
4360 			}
4361 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4362 			if (msg_name == NULL)
4363 				break;
4364 
4365 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4366 			/* length is value from recvmsg - sanity check */
4367 			if (msg_namelen == 0)
4368 				break;
4369 
4370 			if (copyin(msg_name, so_faddr,
4371 			    sizeof (so_faddr)) != 0)
4372 				break;
4373 
4374 			add_sock_token = 1;
4375 
4376 		} else if (so->so_type == SOCK_STREAM) {
4377 
4378 			/* get path from file struct here */
4379 			fad = F2A(fp);
4380 			ASSERT(fad);
4381 
4382 			/*
4383 			 * already processed this file for write attempt
4384 			 */
4385 			if (fad->fad_flags & FAD_WRITE) {
4386 				releasef(fd);
4387 				/* don't want to audit every sendmsg attempt */
4388 				tad->tad_flag = 0;
4389 				/* free any residual audit data */
4390 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4391 				return;
4392 			}
4393 
4394 			/*
4395 			 * mark things so we know what happened and don't
4396 			 * repeat things
4397 			 */
4398 			fad->fad_flags |= FAD_WRITE;
4399 
4400 			bzero((void *)so_laddr, sizeof (so_laddr));
4401 			bzero((void *)so_faddr, sizeof (so_faddr));
4402 
4403 			/* get local and foreign addresses */
4404 			len = sizeof (so_laddr);
4405 			(void) socket_getsockname(so,
4406 			    (struct sockaddr *)so_laddr, &len, CRED());
4407 			len = sizeof (so_faddr);
4408 			(void) socket_getpeername(so,
4409 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4410 
4411 			add_sock_token = 1;
4412 		}
4413 
4414 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4415 
4416 		break;
4417 
4418 	case AF_UNIX:
4419 		/*
4420 		 * first check if this is first time through. Too much
4421 		 * duplicate code to put this in an aui_ routine.
4422 		 */
4423 
4424 		/* get path from file struct here */
4425 		fad = F2A(fp);
4426 		ASSERT(fad);
4427 
4428 		/*
4429 		 * already processed this file for write attempt
4430 		 */
4431 		if (fad->fad_flags & FAD_WRITE) {
4432 			releasef(fd);
4433 			/* don't want to audit every sendmsg attempt */
4434 			tad->tad_flag = 0;
4435 			/* free any residual audit data */
4436 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4437 			return;
4438 		}
4439 		/*
4440 		 * mark things so we know what happened and don't
4441 		 * repeat things
4442 		 */
4443 		fad->fad_flags |= FAD_WRITE;
4444 
4445 		if (fad->fad_aupath != NULL) {
4446 			au_uwrite(au_to_path(fad->fad_aupath));
4447 		} else {
4448 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4449 		}
4450 
4451 		audit_attributes(fp->f_vnode);
4452 
4453 		releasef(fd);
4454 
4455 		return;
4456 
4457 	default:
4458 		break;
4459 	}
4460 
4461 	releasef(fd);
4462 
4463 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4464 
4465 	if (add_sock_token == 0) {
4466 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4467 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4468 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4469 		return;
4470 	}
4471 
4472 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4473 
4474 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4475 }
4476 
4477 /*ARGSUSED*/
4478 static void
4479 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4480 {
4481 	struct a {
4482 		long	fd;
4483 		long	msg;	/* char */
4484 		long	len;
4485 		long	flags;
4486 		long	to;	/* struct sockaddr */
4487 		long	tolen;
4488 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4489 
4490 	struct sonode	*so;
4491 	char so_laddr[sizeof (struct sockaddr_in6)];
4492 	char so_faddr[sizeof (struct sockaddr_in6)];
4493 	socklen_t	tolen;
4494 	int		err;
4495 	int		fd;
4496 	socklen_t	len;
4497 	short so_family, so_type;
4498 	int		add_sock_token = 0;
4499 	struct file	*fp;
4500 	struct f_audit_data *fad;
4501 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4502 
4503 	fd = (int)uap->fd;
4504 
4505 	/* bail if an error */
4506 	if (error) {
4507 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4508 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4509 		/* XXX include destination address from system call arguments */
4510 		return;
4511 	}
4512 
4513 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4514 		/*
4515 		 * not security relevant if doing a sendto using non socket
4516 		 * so no extra tokens. Should probably turn off audit record
4517 		 * generation here.
4518 		 */
4519 		return;
4520 	}
4521 
4522 	so_family = so->so_family;
4523 	so_type   = so->so_type;
4524 
4525 	/*
4526 	 * only putout SOCKET_EX token if INET/INET6 family.
4527 	 * XXX - what do we do about other families?
4528 	 */
4529 
4530 	switch (so_family) {
4531 	case AF_INET:
4532 	case AF_INET6:
4533 
4534 		/*
4535 		 * if datagram type socket, then just use what is in
4536 		 * socket structure for local address.
4537 		 * XXX - what do we do for other types?
4538 		 */
4539 		if ((so->so_type == SOCK_DGRAM) ||
4540 		    (so->so_type == SOCK_RAW)) {
4541 
4542 			bzero((void *)so_laddr, sizeof (so_laddr));
4543 			bzero((void *)so_faddr, sizeof (so_faddr));
4544 
4545 			/* get local address */
4546 			len = sizeof (so_laddr);
4547 			(void) socket_getsockname(so,
4548 			    (struct sockaddr *)so_laddr, &len, CRED());
4549 
4550 			/* get peer address */
4551 
4552 			/* sanity check */
4553 			if (uap->to == NULL)
4554 				break;
4555 
4556 			/* sanity checks */
4557 			if (uap->tolen == 0)
4558 				break;
4559 
4560 			tolen = (socklen_t)uap->tolen;
4561 
4562 			/* enforce maximum size */
4563 			if (tolen > sizeof (so_faddr))
4564 				tolen = sizeof (so_faddr);
4565 
4566 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4567 				break;
4568 
4569 			add_sock_token = 1;
4570 		} else {
4571 			/*
4572 			 * check if this is first time through.
4573 			 */
4574 
4575 			/* get path from file struct here */
4576 			fad = F2A(fp);
4577 			ASSERT(fad);
4578 
4579 			/*
4580 			 * already processed this file for write attempt
4581 			 */
4582 			if (fad->fad_flags & FAD_WRITE) {
4583 				/* don't want to audit every sendto attempt */
4584 				tad->tad_flag = 0;
4585 				/* free any residual audit data */
4586 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4587 				releasef(fd);
4588 				return;
4589 			}
4590 			/*
4591 			 * mark things so we know what happened and don't
4592 			 * repeat things
4593 			 */
4594 			fad->fad_flags |= FAD_WRITE;
4595 
4596 			bzero((void *)so_laddr, sizeof (so_laddr));
4597 			bzero((void *)so_faddr, sizeof (so_faddr));
4598 
4599 			/* get local and foreign addresses */
4600 			len = sizeof (so_laddr);
4601 			(void) socket_getsockname(so,
4602 			    (struct sockaddr *)so_laddr, &len, CRED());
4603 			len = sizeof (so_faddr);
4604 			(void) socket_getpeername(so,
4605 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4606 
4607 			add_sock_token = 1;
4608 		}
4609 
4610 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4611 
4612 		break;
4613 
4614 	case AF_UNIX:
4615 		/*
4616 		 * first check if this is first time through. Too much
4617 		 * duplicate code to put this in an aui_ routine.
4618 		 */
4619 
4620 		/* get path from file struct here */
4621 		fad = F2A(fp);
4622 		ASSERT(fad);
4623 
4624 		/*
4625 		 * already processed this file for write attempt
4626 		 */
4627 		if (fad->fad_flags & FAD_WRITE) {
4628 			/* don't want to audit every sendto attempt */
4629 			tad->tad_flag = 0;
4630 			/* free any residual audit data */
4631 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4632 			releasef(fd);
4633 			return;
4634 		}
4635 		/*
4636 		 * mark things so we know what happened and don't
4637 		 * repeat things
4638 		 */
4639 		fad->fad_flags |= FAD_WRITE;
4640 
4641 		if (fad->fad_aupath != NULL) {
4642 			au_uwrite(au_to_path(fad->fad_aupath));
4643 		} else {
4644 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4645 		}
4646 
4647 		audit_attributes(fp->f_vnode);
4648 
4649 		releasef(fd);
4650 
4651 		return;
4652 
4653 	default:
4654 		break;
4655 
4656 	}
4657 
4658 	releasef(fd);
4659 
4660 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4661 
4662 	if (add_sock_token == 0) {
4663 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4664 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4665 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4666 		return;
4667 	}
4668 
4669 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4670 
4671 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4672 
4673 }
4674 
4675 /*
4676  * XXX socket(2) may be equivalent to open(2) on a unix domain
4677  * socket. This needs investigation.
4678  */
4679 
4680 /*ARGSUSED*/
4681 static void
4682 aus_socket(struct t_audit_data *tad)
4683 {
4684 	struct a {
4685 		long	domain;
4686 		long	type;
4687 		long	protocol;
4688 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4689 
4690 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4691 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4692 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4693 }
4694 
4695 /*ARGSUSED*/
4696 static void
4697 aus_sigqueue(struct t_audit_data *tad)
4698 {
4699 	struct a {
4700 		long	pid;
4701 		long	signo;
4702 		long	*val;
4703 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4704 	struct proc *p;
4705 	uid_t uid, ruid;
4706 	gid_t gid, rgid;
4707 	pid_t pid;
4708 	const auditinfo_addr_t *ainfo;
4709 	cred_t *cr;
4710 
4711 	pid = (pid_t)uap->pid;
4712 
4713 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4714 	if (pid > 0) {
4715 		mutex_enter(&pidlock);
4716 		if ((p = prfind(pid)) == (struct proc *)0) {
4717 			mutex_exit(&pidlock);
4718 			return;
4719 		}
4720 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4721 		mutex_exit(&pidlock);
4722 
4723 		mutex_enter(&p->p_crlock);
4724 		crhold(cr = p->p_cred);
4725 		mutex_exit(&p->p_crlock);
4726 		mutex_exit(&p->p_lock);
4727 
4728 		ainfo = crgetauinfo(cr);
4729 		if (ainfo == NULL) {
4730 			crfree(cr);
4731 			return;
4732 		}
4733 
4734 		uid  = crgetuid(cr);
4735 		gid  = crgetgid(cr);
4736 		ruid = crgetruid(cr);
4737 		rgid = crgetrgid(cr);
4738 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4739 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4740 		crfree(cr);
4741 	}
4742 	else
4743 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4744 }
4745 
4746 /*ARGSUSED*/
4747 static void
4748 aus_inst_sync(struct t_audit_data *tad)
4749 {
4750 	struct a {
4751 		long	name;	/* char */
4752 		long	flags;
4753 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4754 
4755 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4756 }
4757 
4758 /*ARGSUSED*/
4759 static void
4760 aus_brandsys(struct t_audit_data *tad)
4761 {
4762 	klwp_t *clwp = ttolwp(curthread);
4763 
4764 	struct a {
4765 		long	cmd;
4766 		long	arg1;
4767 		long	arg2;
4768 		long	arg3;
4769 		long	arg4;
4770 		long	arg5;
4771 		long	arg6;
4772 	} *uap = (struct a *)clwp->lwp_ap;
4773 
4774 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4775 #ifdef _LP64
4776 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4777 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4778 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4779 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4780 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4781 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4782 #else
4783 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4784 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4785 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4786 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4787 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4788 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4789 #endif
4790 }
4791 
4792 /*ARGSUSED*/
4793 static void
4794 aus_p_online(struct t_audit_data *tad)
4795 {
4796 	struct a {
4797 		long	processor_id;
4798 		long	flag;
4799 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4800 
4801 	struct flags {
4802 			int	flag;
4803 			char	*cflag;
4804 	} aflags[6] = {
4805 			{ P_ONLINE, "P_ONLINE"},
4806 			{ P_OFFLINE, "P_OFFLINE"},
4807 			{ P_NOINTR, "P_NOINTR"},
4808 			{ P_SPARE, "P_SPARE"},
4809 			{ P_FAULTED, "P_FAULTED"},
4810 			{ P_STATUS, "P_STATUS"}
4811 	};
4812 	int i;
4813 	char *cflag;
4814 
4815 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4816 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4817 
4818 	for (i = 0; i < 6; i++) {
4819 		if (aflags[i].flag == uap->flag)
4820 			break;
4821 	}
4822 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4823 
4824 	au_uwrite(au_to_text(cflag));
4825 }
4826 
4827 /*ARGSUSED*/
4828 static void
4829 aus_processor_bind(struct t_audit_data *tad)
4830 {
4831 	struct a {
4832 		long	id_type;
4833 		long	id;
4834 		long	processor_id;
4835 		long	obind;
4836 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4837 
4838 	struct proc *p;
4839 	int lwpcnt;
4840 	uid_t uid, ruid;
4841 	gid_t gid, rgid;
4842 	pid_t pid;
4843 	const auditinfo_addr_t *ainfo;
4844 	cred_t *cr;
4845 
4846 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4847 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4848 	if (uap->processor_id == PBIND_NONE)
4849 		au_uwrite(au_to_text("PBIND_NONE"));
4850 	else
4851 		au_uwrite(au_to_arg32(3, "processor_id",
4852 		    (uint32_t)uap->processor_id));
4853 
4854 	switch (uap->id_type) {
4855 	case P_MYID:
4856 	case P_LWPID:
4857 		mutex_enter(&pidlock);
4858 		p = ttoproc(curthread);
4859 		if (p == NULL || p->p_as == &kas) {
4860 			mutex_exit(&pidlock);
4861 			return;
4862 		}
4863 		mutex_enter(&p->p_lock);
4864 		mutex_exit(&pidlock);
4865 		lwpcnt = p->p_lwpcnt;
4866 		pid  = p->p_pid;
4867 
4868 		mutex_enter(&p->p_crlock);
4869 		crhold(cr = p->p_cred);
4870 		mutex_exit(&p->p_crlock);
4871 		mutex_exit(&p->p_lock);
4872 
4873 		ainfo = crgetauinfo(cr);
4874 		if (ainfo == NULL) {
4875 			crfree(cr);
4876 			return;
4877 		}
4878 
4879 		uid  = crgetuid(cr);
4880 		gid  = crgetgid(cr);
4881 		ruid = crgetruid(cr);
4882 		rgid = crgetrgid(cr);
4883 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4884 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4885 		crfree(cr);
4886 		break;
4887 	case P_PID:
4888 		mutex_enter(&pidlock);
4889 		p = prfind(uap->id);
4890 		if (p == NULL || p->p_as == &kas) {
4891 			mutex_exit(&pidlock);
4892 			return;
4893 		}
4894 		mutex_enter(&p->p_lock);
4895 		mutex_exit(&pidlock);
4896 		lwpcnt = p->p_lwpcnt;
4897 		pid  = p->p_pid;
4898 
4899 		mutex_enter(&p->p_crlock);
4900 		crhold(cr = p->p_cred);
4901 		mutex_exit(&p->p_crlock);
4902 		mutex_exit(&p->p_lock);
4903 
4904 		ainfo = crgetauinfo(cr);
4905 		if (ainfo == NULL) {
4906 			crfree(cr);
4907 			return;
4908 		}
4909 
4910 		uid  = crgetuid(cr);
4911 		gid  = crgetgid(cr);
4912 		ruid = crgetruid(cr);
4913 		rgid = crgetrgid(cr);
4914 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4915 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4916 		crfree(cr);
4917 
4918 		break;
4919 	default:
4920 		return;
4921 	}
4922 
4923 	if (uap->processor_id == PBIND_NONE &&
4924 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4925 		au_uwrite(au_to_text("PBIND_NONE for process"));
4926 	else
4927 		au_uwrite(au_to_arg32(3, "processor_id",
4928 		    (uint32_t)uap->processor_id));
4929 }
4930 
4931 /*ARGSUSED*/
4932 static au_event_t
4933 aui_doorfs(au_event_t e)
4934 {
4935 	uint32_t code;
4936 
4937 	struct a {		/* doorfs */
4938 		long	a1;
4939 		long	a2;
4940 		long	a3;
4941 		long	a4;
4942 		long	a5;
4943 		long	code;
4944 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4945 
4946 	/*
4947 	 *	audit formats for several of the
4948 	 *	door calls have not yet been determined
4949 	 */
4950 	code = (uint32_t)uap->code;
4951 	switch (code) {
4952 	case DOOR_CALL:
4953 		e = AUE_DOORFS_DOOR_CALL;
4954 		break;
4955 	case DOOR_RETURN:
4956 		e = AUE_NULL;
4957 		break;
4958 	case DOOR_CREATE:
4959 		e = AUE_DOORFS_DOOR_CREATE;
4960 		break;
4961 	case DOOR_REVOKE:
4962 		e = AUE_DOORFS_DOOR_REVOKE;
4963 		break;
4964 	case DOOR_INFO:
4965 		e = AUE_NULL;
4966 		break;
4967 	case DOOR_UCRED:
4968 		e = AUE_NULL;
4969 		break;
4970 	case DOOR_BIND:
4971 		e = AUE_NULL;
4972 		break;
4973 	case DOOR_UNBIND:
4974 		e = AUE_NULL;
4975 		break;
4976 	case DOOR_GETPARAM:
4977 		e = AUE_NULL;
4978 		break;
4979 	case DOOR_SETPARAM:
4980 		e = AUE_NULL;
4981 		break;
4982 	default:	/* illegal system call */
4983 		e = AUE_NULL;
4984 		break;
4985 	}
4986 
4987 	return (e);
4988 }
4989 
4990 static door_node_t *
4991 au_door_lookup(int did)
4992 {
4993 	vnode_t	*vp;
4994 	file_t *fp;
4995 
4996 	if ((fp = getf(did)) == NULL)
4997 		return (NULL);
4998 	/*
4999 	 * Use the underlying vnode (we may be namefs mounted)
5000 	 */
5001 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5002 		vp = fp->f_vnode;
5003 
5004 	if (vp == NULL || vp->v_type != VDOOR) {
5005 		releasef(did);
5006 		return (NULL);
5007 	}
5008 
5009 	return (VTOD(vp));
5010 }
5011 
5012 /*ARGSUSED*/
5013 static void
5014 aus_doorfs(struct t_audit_data *tad)
5015 {
5016 
5017 	struct a {		/* doorfs */
5018 		long	a1;
5019 		long	a2;
5020 		long	a3;
5021 		long	a4;
5022 		long	a5;
5023 		long	code;
5024 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5025 
5026 	door_node_t	*dp;
5027 	struct proc	*p;
5028 	uint32_t	did;
5029 	uid_t uid, ruid;
5030 	gid_t gid, rgid;
5031 	pid_t pid;
5032 	const auditinfo_addr_t *ainfo;
5033 	cred_t *cr;
5034 
5035 	did = (uint32_t)uap->a1;
5036 
5037 	switch (tad->tad_event) {
5038 	case AUE_DOORFS_DOOR_CALL:
5039 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5040 		if ((dp = au_door_lookup(did)) == NULL)
5041 			break;
5042 
5043 		if (DOOR_INVALID(dp)) {
5044 			releasef(did);
5045 			break;
5046 		}
5047 
5048 		if ((p = dp->door_target) == NULL) {
5049 			releasef(did);
5050 			break;
5051 		}
5052 		mutex_enter(&p->p_lock);
5053 		releasef(did);
5054 
5055 		pid  = p->p_pid;
5056 
5057 		mutex_enter(&p->p_crlock);
5058 		crhold(cr = p->p_cred);
5059 		mutex_exit(&p->p_crlock);
5060 		mutex_exit(&p->p_lock);
5061 
5062 		ainfo = crgetauinfo(cr);
5063 		if (ainfo == NULL) {
5064 			crfree(cr);
5065 			return;
5066 		}
5067 		uid  = crgetuid(cr);
5068 		gid  = crgetgid(cr);
5069 		ruid = crgetruid(cr);
5070 		rgid = crgetrgid(cr);
5071 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5072 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5073 		crfree(cr);
5074 		break;
5075 	case AUE_DOORFS_DOOR_RETURN:
5076 		/*
5077 		 * We may want to write information about
5078 		 * all doors (if any) which will be copied
5079 		 * by this call to the user space
5080 		 */
5081 		break;
5082 	case AUE_DOORFS_DOOR_CREATE:
5083 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5084 		break;
5085 	case AUE_DOORFS_DOOR_REVOKE:
5086 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5087 		break;
5088 	case AUE_DOORFS_DOOR_INFO:
5089 		break;
5090 	case AUE_DOORFS_DOOR_CRED:
5091 		break;
5092 	case AUE_DOORFS_DOOR_BIND:
5093 		break;
5094 	case AUE_DOORFS_DOOR_UNBIND: {
5095 		break;
5096 	}
5097 	default:	/* illegal system call */
5098 		break;
5099 	}
5100 }
5101 
5102 /*ARGSUSED*/
5103 static au_event_t
5104 aui_acl(au_event_t e)
5105 {
5106 	struct a {
5107 		union {
5108 			long	name;	/* char */
5109 			long	fd;
5110 		}		obj;
5111 
5112 		long		cmd;
5113 		long		nentries;
5114 		long		arg;	/* aclent_t */
5115 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5116 
5117 	switch (uap->cmd) {
5118 	case SETACL:
5119 	case ACE_SETACL:
5120 		/*
5121 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5122 		 * are expected.
5123 		 */
5124 		break;
5125 	case GETACL:
5126 	case GETACLCNT:
5127 	case ACE_GETACL:
5128 	case ACE_GETACLCNT:
5129 		/* do nothing for these four values. */
5130 		e = AUE_NULL;
5131 		break;
5132 	default:
5133 		/* illegal system call */
5134 		break;
5135 	}
5136 
5137 	return (e);
5138 }
5139 
5140 static void
5141 au_acl(int cmd, int nentries, caddr_t bufp)
5142 {
5143 	size_t		a_size;
5144 	aclent_t	*aclbufp;
5145 	ace_t		*acebufp;
5146 	int		i;
5147 
5148 	switch (cmd) {
5149 	case GETACL:
5150 	case GETACLCNT:
5151 		break;
5152 	case SETACL:
5153 		if (nentries < 3)
5154 			break;
5155 
5156 		a_size = nentries * sizeof (aclent_t);
5157 
5158 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5159 			break;
5160 		if (copyin(bufp, aclbufp, a_size)) {
5161 			kmem_free(aclbufp, a_size);
5162 			break;
5163 		}
5164 		for (i = 0; i < nentries; i++) {
5165 			au_uwrite(au_to_acl(aclbufp + i));
5166 		}
5167 		kmem_free(aclbufp, a_size);
5168 		break;
5169 
5170 	case ACE_SETACL:
5171 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5172 			break;
5173 
5174 		a_size = nentries * sizeof (ace_t);
5175 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5176 			break;
5177 		if (copyin(bufp, acebufp, a_size)) {
5178 			kmem_free(acebufp, a_size);
5179 			break;
5180 		}
5181 		for (i = 0; i < nentries; i++) {
5182 			au_uwrite(au_to_ace(acebufp + i));
5183 		}
5184 		kmem_free(acebufp, a_size);
5185 		break;
5186 	default:
5187 		break;
5188 	}
5189 }
5190 
5191 /*ARGSUSED*/
5192 static void
5193 aus_acl(struct t_audit_data *tad)
5194 {
5195 	struct a {
5196 		long	fname;
5197 		long	cmd;
5198 		long	nentries;
5199 		long	aclbufp;
5200 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5201 
5202 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5203 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5204 
5205 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5206 }
5207 
5208 /*ARGSUSED*/
5209 static void
5210 aus_facl(struct t_audit_data *tad)
5211 {
5212 	struct a {
5213 		long	fd;
5214 		long	cmd;
5215 		long	nentries;
5216 		long	aclbufp;
5217 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5218 	struct file  *fp;
5219 	struct vnode *vp;
5220 	struct f_audit_data *fad;
5221 	int fd;
5222 
5223 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5224 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5225 
5226 	fd = (int)uap->fd;
5227 
5228 	if ((fp = getf(fd)) == NULL)
5229 		return;
5230 
5231 	/* get path from file struct here */
5232 	fad = F2A(fp);
5233 	if (fad->fad_aupath != NULL) {
5234 		au_uwrite(au_to_path(fad->fad_aupath));
5235 	} else {
5236 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5237 	}
5238 
5239 	vp = fp->f_vnode;
5240 	audit_attributes(vp);
5241 
5242 	/* decrement file descriptor reference count */
5243 	releasef(fd);
5244 
5245 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5246 }
5247 
5248 /*ARGSUSED*/
5249 static void
5250 auf_read(tad, error, rval)
5251 	struct t_audit_data *tad;
5252 	int error;
5253 	rval_t *rval;
5254 {
5255 	struct file *fp;
5256 	struct f_audit_data *fad;
5257 	int fd;
5258 	register struct a {
5259 		long	fd;
5260 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5261 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5262 
5263 	fd = (int)uap->fd;
5264 
5265 	/*
5266 	 * convert file pointer to file descriptor
5267 	 *   Note: fd ref count incremented here.
5268 	 */
5269 	if ((fp = getf(fd)) == NULL)
5270 		return;
5271 
5272 	/* get path from file struct here */
5273 	fad = F2A(fp);
5274 	ASSERT(fad);
5275 
5276 	/*
5277 	 * already processed this file for read attempt
5278 	 *
5279 	 * XXX might be better to turn off auditing in a aui_read() routine.
5280 	 */
5281 	if (fad->fad_flags & FAD_READ) {
5282 		/* don't really want to audit every read attempt */
5283 		tad->tad_flag = 0;
5284 		/* free any residual audit data */
5285 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5286 		releasef(fd);
5287 		return;
5288 	}
5289 	/* mark things so we know what happened and don't repeat things */
5290 	fad->fad_flags |= FAD_READ;
5291 
5292 	if (fad->fad_aupath != NULL) {
5293 		au_uwrite(au_to_path(fad->fad_aupath));
5294 	} else {
5295 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5296 	}
5297 
5298 	/* include attributes */
5299 	audit_attributes(fp->f_vnode);
5300 
5301 	/* decrement file descriptor reference count */
5302 	releasef(fd);
5303 }
5304 
5305 /*ARGSUSED*/
5306 static void
5307 auf_write(tad, error, rval)
5308 	struct t_audit_data *tad;
5309 	int error;
5310 	rval_t *rval;
5311 {
5312 	struct file *fp;
5313 	struct f_audit_data *fad;
5314 	int fd;
5315 	register struct a {
5316 		long	fd;
5317 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5318 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5319 
5320 	fd = (int)uap->fd;
5321 
5322 	/*
5323 	 * convert file pointer to file descriptor
5324 	 *   Note: fd ref count incremented here.
5325 	 */
5326 	if ((fp = getf(fd)) == NULL)
5327 		return;
5328 
5329 	/* get path from file struct here */
5330 	fad = F2A(fp);
5331 	ASSERT(fad);
5332 
5333 	/*
5334 	 * already processed this file for write attempt
5335 	 *
5336 	 * XXX might be better to turn off auditing in a aus_write() routine.
5337 	 */
5338 	if (fad->fad_flags & FAD_WRITE) {
5339 		/* don't really want to audit every write attempt */
5340 		tad->tad_flag = 0;
5341 		/* free any residual audit data */
5342 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5343 		releasef(fd);
5344 		return;
5345 	}
5346 	/* mark things so we know what happened and don't repeat things */
5347 	fad->fad_flags |= FAD_WRITE;
5348 
5349 	if (fad->fad_aupath != NULL) {
5350 		au_uwrite(au_to_path(fad->fad_aupath));
5351 	} else {
5352 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5353 	}
5354 
5355 	/* include attributes */
5356 	audit_attributes(fp->f_vnode);
5357 
5358 	/* decrement file descriptor reference count */
5359 	releasef(fd);
5360 }
5361 
5362 /*ARGSUSED*/
5363 static void
5364 auf_recv(tad, error, rval)
5365 	struct t_audit_data *tad;
5366 	int error;
5367 	rval_t *rval;
5368 {
5369 	struct sonode *so;
5370 	char so_laddr[sizeof (struct sockaddr_in6)];
5371 	char so_faddr[sizeof (struct sockaddr_in6)];
5372 	struct file *fp;
5373 	struct f_audit_data *fad;
5374 	int fd;
5375 	int err;
5376 	socklen_t len;
5377 	short so_family, so_type;
5378 	register struct a {
5379 		long	fd;
5380 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5381 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5382 
5383 	/*
5384 	 * If there was an error, then nothing to do. Only generate
5385 	 * audit record on first successful recv.
5386 	 */
5387 	if (error) {
5388 		/* Turn off audit record generation here. */
5389 		tad->tad_flag = 0;
5390 		/* free any residual audit data */
5391 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5392 		return;
5393 	}
5394 
5395 	fd = (int)uap->fd;
5396 
5397 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5398 		/* Turn off audit record generation here. */
5399 		tad->tad_flag = 0;
5400 		/* free any residual audit data */
5401 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5402 		return;
5403 	}
5404 
5405 	/* get path from file struct here */
5406 	fad = F2A(fp);
5407 	ASSERT(fad);
5408 
5409 	/*
5410 	 * already processed this file for read attempt
5411 	 */
5412 	if (fad->fad_flags & FAD_READ) {
5413 		releasef(fd);
5414 		/* don't really want to audit every recv call */
5415 		tad->tad_flag = 0;
5416 		/* free any residual audit data */
5417 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5418 		return;
5419 	}
5420 
5421 	/* mark things so we know what happened and don't repeat things */
5422 	fad->fad_flags |= FAD_READ;
5423 
5424 	so_family = so->so_family;
5425 	so_type   = so->so_type;
5426 
5427 	switch (so_family) {
5428 	case AF_INET:
5429 	case AF_INET6:
5430 		/*
5431 		 * Only for connections.
5432 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5433 		 */
5434 		if (so->so_state & SS_ISBOUND) {
5435 
5436 			bzero((void *)so_laddr, sizeof (so_laddr));
5437 			bzero((void *)so_faddr, sizeof (so_faddr));
5438 
5439 			/* get local and foreign addresses */
5440 			len = sizeof (so_laddr);
5441 			(void) socket_getsockname(so,
5442 			    (struct sockaddr *)so_laddr, &len, CRED());
5443 			len = sizeof (so_faddr);
5444 			(void) socket_getpeername(so,
5445 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5446 
5447 			/*
5448 			 * only way to drop out of switch. Note that we
5449 			 * we release fd below.
5450 			 */
5451 
5452 			break;
5453 		}
5454 
5455 		releasef(fd);
5456 
5457 		/* don't really want to audit every recv call */
5458 		tad->tad_flag = 0;
5459 		/* free any residual audit data */
5460 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5461 
5462 		return;
5463 
5464 	case AF_UNIX:
5465 
5466 		if (fad->fad_aupath != NULL) {
5467 			au_uwrite(au_to_path(fad->fad_aupath));
5468 		} else {
5469 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5470 		}
5471 
5472 		audit_attributes(fp->f_vnode);
5473 
5474 		releasef(fd);
5475 
5476 		return;
5477 
5478 	default:
5479 		releasef(fd);
5480 
5481 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5482 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5483 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5484 
5485 		return;
5486 	}
5487 
5488 	releasef(fd);
5489 
5490 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5491 
5492 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5493 
5494 }
5495 
5496 /*ARGSUSED*/
5497 static void
5498 auf_send(tad, error, rval)
5499 	struct t_audit_data *tad;
5500 	int error;
5501 	rval_t *rval;
5502 {
5503 	struct sonode *so;
5504 	char so_laddr[sizeof (struct sockaddr_in6)];
5505 	char so_faddr[sizeof (struct sockaddr_in6)];
5506 	struct file *fp;
5507 	struct f_audit_data *fad;
5508 	int fd;
5509 	int err;
5510 	socklen_t len;
5511 	short so_family, so_type;
5512 	register struct a {
5513 		long	fd;
5514 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5515 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5516 
5517 	fd = (int)uap->fd;
5518 
5519 	/*
5520 	 * If there was an error, then nothing to do. Only generate
5521 	 * audit record on first successful send.
5522 	 */
5523 	if (error != 0) {
5524 		/* Turn off audit record generation here. */
5525 		tad->tad_flag = 0;
5526 		/* free any residual audit data */
5527 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5528 		return;
5529 	}
5530 
5531 	fd = (int)uap->fd;
5532 
5533 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5534 		/* Turn off audit record generation here. */
5535 		tad->tad_flag = 0;
5536 		/* free any residual audit data */
5537 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5538 		return;
5539 	}
5540 
5541 	/* get path from file struct here */
5542 	fad = F2A(fp);
5543 	ASSERT(fad);
5544 
5545 	/*
5546 	 * already processed this file for write attempt
5547 	 */
5548 	if (fad->fad_flags & FAD_WRITE) {
5549 		releasef(fd);
5550 		/* don't really want to audit every send call */
5551 		tad->tad_flag = 0;
5552 		/* free any residual audit data */
5553 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5554 		return;
5555 	}
5556 
5557 	/* mark things so we know what happened and don't repeat things */
5558 	fad->fad_flags |= FAD_WRITE;
5559 
5560 	so_family = so->so_family;
5561 	so_type   = so->so_type;
5562 
5563 	switch (so_family) {
5564 	case AF_INET:
5565 	case AF_INET6:
5566 		/*
5567 		 * Only for connections.
5568 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5569 		 */
5570 		if (so->so_state & SS_ISBOUND) {
5571 
5572 			bzero((void *)so_laddr, sizeof (so_laddr));
5573 			bzero((void *)so_faddr, sizeof (so_faddr));
5574 
5575 			/* get local and foreign addresses */
5576 			len = sizeof (so_laddr);
5577 			(void) socket_getsockname(so,
5578 			    (struct sockaddr *)so_laddr, &len, CRED());
5579 			len = sizeof (so_faddr);
5580 			(void) socket_getpeername(so,
5581 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5582 
5583 			/*
5584 			 * only way to drop out of switch. Note that we
5585 			 * we release fd below.
5586 			 */
5587 
5588 			break;
5589 		}
5590 
5591 		releasef(fd);
5592 		/* don't really want to audit every send call */
5593 		tad->tad_flag = 0;
5594 		/* free any residual audit data */
5595 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5596 
5597 		return;
5598 
5599 	case AF_UNIX:
5600 
5601 		if (fad->fad_aupath != NULL) {
5602 			au_uwrite(au_to_path(fad->fad_aupath));
5603 		} else {
5604 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5605 		}
5606 
5607 		audit_attributes(fp->f_vnode);
5608 
5609 		releasef(fd);
5610 
5611 		return;
5612 
5613 	default:
5614 		releasef(fd);
5615 
5616 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5617 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5618 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5619 
5620 		return;
5621 	}
5622 
5623 	releasef(fd);
5624 
5625 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5626 
5627 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5628 }
5629 
5630 static au_event_t
5631 aui_forksys(au_event_t e)
5632 {
5633 	struct a {
5634 		long	subcode;
5635 		long	flags;
5636 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5637 
5638 	switch ((uint_t)uap->subcode) {
5639 	case 0:
5640 		e = AUE_FORK1;
5641 		break;
5642 	case 1:
5643 		e = AUE_FORKALL;
5644 		break;
5645 	case 2:
5646 		e = AUE_VFORK;
5647 		break;
5648 	default:
5649 		e = AUE_NULL;
5650 		break;
5651 	}
5652 
5653 	return (e);
5654 }
5655 
5656 /*ARGSUSED*/
5657 static au_event_t
5658 aui_portfs(au_event_t e)
5659 {
5660 	struct a {		/* portfs */
5661 		long	a1;
5662 		long	a2;
5663 		long	a3;
5664 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5665 
5666 	/*
5667 	 * check opcode
5668 	 */
5669 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5670 	case PORT_ASSOCIATE:
5671 		/* check source */
5672 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5673 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5674 			e = AUE_PORTFS_ASSOCIATE;
5675 		} else {
5676 			e = AUE_NULL;
5677 		}
5678 		break;
5679 	case PORT_DISSOCIATE:
5680 		/* check source */
5681 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5682 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5683 			e = AUE_PORTFS_DISSOCIATE;
5684 		} else {
5685 			e = AUE_NULL;
5686 		}
5687 		break;
5688 	default:
5689 		e = AUE_NULL;
5690 	}
5691 	return (e);
5692 }
5693