1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/vfs_opreg.h> 76 #include <fs/sockfs/sockcommon.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 82 char _depends_on[] = "fs/sockfs"; 83 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 static au_event_t aui_labelsys(au_event_t); 103 104 static void aus_open(struct t_audit_data *); 105 static void aus_acl(struct t_audit_data *); 106 static void aus_acct(struct t_audit_data *); 107 static void aus_chown(struct t_audit_data *); 108 static void aus_fchown(struct t_audit_data *); 109 static void aus_lchown(struct t_audit_data *); 110 static void aus_chmod(struct t_audit_data *); 111 static void aus_facl(struct t_audit_data *); 112 static void aus_fchmod(struct t_audit_data *); 113 static void aus_fcntl(struct t_audit_data *); 114 static void aus_fsat(struct t_audit_data *); 115 static void aus_mkdir(struct t_audit_data *); 116 static void aus_mknod(struct t_audit_data *); 117 static void aus_mount(struct t_audit_data *); 118 static void aus_umount(struct t_audit_data *); 119 static void aus_umount2(struct t_audit_data *); 120 static void aus_msgsys(struct t_audit_data *); 121 static void aus_semsys(struct t_audit_data *); 122 static void aus_close(struct t_audit_data *); 123 static void aus_fstatfs(struct t_audit_data *); 124 static void aus_setgid(struct t_audit_data *); 125 static void aus_setuid(struct t_audit_data *); 126 static void aus_shmsys(struct t_audit_data *); 127 static void aus_doorfs(struct t_audit_data *); 128 static void aus_ioctl(struct t_audit_data *); 129 static void aus_memcntl(struct t_audit_data *); 130 static void aus_mmap(struct t_audit_data *); 131 static void aus_munmap(struct t_audit_data *); 132 static void aus_priocntlsys(struct t_audit_data *); 133 static void aus_setegid(struct t_audit_data *); 134 static void aus_setgroups(struct t_audit_data *); 135 static void aus_seteuid(struct t_audit_data *); 136 static void aus_putmsg(struct t_audit_data *); 137 static void aus_putpmsg(struct t_audit_data *); 138 static void aus_getmsg(struct t_audit_data *); 139 static void aus_getpmsg(struct t_audit_data *); 140 static void aus_auditsys(struct t_audit_data *); 141 static void aus_sysinfo(struct t_audit_data *); 142 static void aus_modctl(struct t_audit_data *); 143 static void aus_kill(struct t_audit_data *); 144 static void aus_xmknod(struct t_audit_data *); 145 static void aus_setregid(struct t_audit_data *); 146 static void aus_setreuid(struct t_audit_data *); 147 static void aus_labelsys(struct t_audit_data *); 148 149 static void auf_mknod(struct t_audit_data *, int, rval_t *); 150 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 151 static void auf_semsys(struct t_audit_data *, int, rval_t *); 152 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 153 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 154 static void auf_read(struct t_audit_data *, int, rval_t *); 155 static void auf_write(struct t_audit_data *, int, rval_t *); 156 157 static void aus_sigqueue(struct t_audit_data *); 158 static void aus_p_online(struct t_audit_data *); 159 static void aus_processor_bind(struct t_audit_data *); 160 static void aus_inst_sync(struct t_audit_data *); 161 static void aus_brandsys(struct t_audit_data *); 162 163 static void auf_accept(struct t_audit_data *, int, rval_t *); 164 165 static void auf_bind(struct t_audit_data *, int, rval_t *); 166 static void auf_connect(struct t_audit_data *, int, rval_t *); 167 static void aus_shutdown(struct t_audit_data *); 168 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 169 static void aus_sockconfig(struct t_audit_data *); 170 static void auf_recv(struct t_audit_data *, int, rval_t *); 171 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 172 static void auf_send(struct t_audit_data *, int, rval_t *); 173 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 174 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 175 static void auf_sendto(struct t_audit_data *, int, rval_t *); 176 static void aus_socket(struct t_audit_data *); 177 /* 178 * This table contains mapping information for converting system call numbers 179 * to audit event IDs. In several cases it is necessary to map a single system 180 * call to several events. 181 */ 182 183 #define aui_null NULL /* NULL initialize function */ 184 #define aus_null NULL /* NULL start function */ 185 #define auf_null NULL /* NULL finish function */ 186 187 struct audit_s2e audit_s2e[] = 188 { 189 /* 190 * ---------- ---------- ---------- ---------- 191 * INITIAL AUDIT START SYSTEM 192 * PROCESSING EVENT PROCESSING CALL 193 * ---------- ---------- ---------- ----------- 194 * FINISH EVENT 195 * PROCESSING CONTROL 196 * ---------------------------------------------------------- 197 */ 198 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 199 auf_null, 0, 200 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 201 auf_null, S2E_NPT, 202 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 203 auf_null, 0, 204 aui_null, AUE_READ, aus_null, /* 3 read */ 205 auf_read, S2E_PUB, 206 aui_null, AUE_WRITE, aus_null, /* 4 write */ 207 auf_write, 0, 208 aui_open, AUE_OPEN, aus_open, /* 5 open */ 209 auf_null, S2E_SP, 210 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 211 auf_null, 0, 212 aui_null, AUE_NULL, aus_null, /* 7 wait */ 213 auf_null, 0, 214 aui_null, AUE_CREAT, aus_null, /* 8 create */ 215 auf_null, S2E_SP, 216 aui_null, AUE_LINK, aus_null, /* 9 link */ 217 auf_null, 0, 218 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 219 auf_null, 0, 220 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 221 auf_null, S2E_MLD, 222 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 223 auf_null, S2E_SP, 224 aui_null, AUE_NULL, aus_null, /* 13 time */ 225 auf_null, 0, 226 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 227 auf_mknod, 0, 228 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 229 auf_null, 0, 230 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 231 auf_null, 0, 232 aui_null, AUE_NULL, aus_null, /* 17 brk */ 233 auf_null, 0, 234 aui_null, AUE_STAT, aus_null, /* 18 stat */ 235 auf_null, S2E_PUB, 236 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 237 auf_null, 0, 238 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 239 auf_null, 0, 240 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 241 auf_null, S2E_MLD, 242 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 243 auf_null, 0, 244 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 245 auf_null, 0, 246 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 247 auf_null, 0, 248 aui_null, AUE_STIME, aus_null, /* 25 stime */ 249 auf_null, 0, 250 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 255 auf_null, 0, 256 aui_null, AUE_NULL, aus_null, /* 29 pause */ 257 auf_null, 0, 258 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 259 auf_null, 0, 260 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 261 auf_null, 0, 262 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 263 auf_null, 0, 264 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 265 auf_null, S2E_PUB, 266 aui_null, AUE_NICE, aus_null, /* 34 nice */ 267 auf_null, 0, 268 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 269 auf_null, S2E_PUB, 270 aui_null, AUE_NULL, aus_null, /* 36 sync */ 271 auf_null, 0, 272 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 273 auf_null, 0, 274 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 275 auf_null, S2E_PUB, 276 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 277 auf_null, 0, 278 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 279 auf_null, 0, 280 aui_null, AUE_NULL, aus_null, /* 41 dup */ 281 auf_null, 0, 282 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 283 auf_null, 0, 284 aui_null, AUE_NULL, aus_null, /* 43 times */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 44 profil */ 287 auf_null, 0, 288 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 289 /* was proc lock */ 290 auf_null, 0, 291 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 48 sig */ 296 auf_null, 0, 297 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 298 auf_msgsys, 0, 299 #if defined(__x86) 300 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 301 auf_null, 0, 302 #else 303 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 304 auf_null, 0, 305 #endif /* __x86 */ 306 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 307 auf_null, 0, 308 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 309 auf_shmsys, 0, 310 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 311 auf_semsys, 0, 312 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 313 auf_null, 0, 314 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 315 auf_null, 0, 316 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 317 auf_null, 0, 318 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 319 auf_null, 0, 320 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 321 auf_null, 0, 322 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 323 auf_null, S2E_MLD, 324 aui_null, AUE_NULL, aus_null, /* 60 umask */ 325 auf_null, 0, 326 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 327 auf_null, S2E_SP, 328 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 329 auf_null, 0, 330 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 337 auf_null, 0, 338 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 339 /* file locking call */ 340 auf_null, 0, 341 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 342 /* local system calls */ 343 auf_null, 0, 344 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 357 /* was sigret (SunOS) */ 358 auf_null, 0, 359 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 360 auf_null, 0, 361 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 362 auf_null, 0, 363 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 364 auf_null, 0, 365 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 366 auf_null, 0, 367 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 368 auf_null, 0, 369 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 370 auf_null, 0, 371 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 372 /* was libattach */ 373 auf_null, 0, 374 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 375 /* was libdetach */ 376 auf_null, 0, 377 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 378 auf_null, 0, 379 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 380 auf_null, 0, 381 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 382 auf_null, 0, 383 aui_null, AUE_NULL, aus_null, /* 87 poll */ 384 auf_null, 0, 385 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 386 auf_null, S2E_PUB, 387 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 388 auf_null, 0, 389 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 390 auf_null, S2E_PUB, 391 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 392 auf_null, 0, 393 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 394 auf_null, 0, 395 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 396 auf_null, 0, 397 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 398 auf_null, 0, 399 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 410 auf_null, 0, 411 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 412 auf_null, 0, 413 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 414 /* was evtrapret */ 415 auf_null, 0, 416 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 417 auf_null, S2E_PUB, 418 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 425 auf_null, 0, 426 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 427 auf_null, 0, 428 #if defined(__x86) 429 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 430 auf_null, 0, 431 #else 432 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 433 auf_null, 0, 434 #endif /* __x86 */ 435 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 436 auf_null, 0, 437 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 438 auf_null, 0, 439 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 440 auf_null, 0, /* 112 priocntlsys */ 441 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 442 auf_null, S2E_PUB, 443 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 444 auf_null, 0, 445 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 446 auf_null, 0, 447 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 448 auf_null, 0, 449 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 450 auf_null, 0, 451 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 452 auf_null, 0, 453 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 454 auf_null, 0, 455 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 456 auf_null, 0, 457 aui_null, AUE_READ, aus_null, /* 121 readv */ 458 auf_read, S2E_PUB, 459 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 460 auf_write, 0, 461 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 462 auf_null, S2E_PUB, 463 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 464 auf_null, S2E_PUB, 465 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 466 auf_null, 0, 467 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 468 auf_xmknod, 0, 469 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 470 auf_null, 0, 471 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 472 auf_null, 0, 473 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 474 auf_null, 0, 475 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 476 auf_null, 0, 477 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 478 auf_null, 0, 479 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 480 auf_null, 0, 481 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 482 auf_null, 0, 483 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 484 auf_null, 0, 485 aui_null, AUE_NULL, aus_null, /* 135 uname */ 486 auf_null, 0, 487 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 488 auf_null, 0, 489 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 490 auf_null, 0, 491 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 492 auf_null, 0, 493 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 494 auf_null, 0, 495 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 496 auf_null, 0, 497 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 498 auf_null, 0, 499 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 500 auf_null, 0, 501 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 146 yield */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 514 auf_null, 0, 515 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 516 auf_null, 0, 517 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 518 auf_null, 0, 519 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 520 auf_null, 0, 521 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 522 auf_null, 0, 523 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 524 auf_null, 0, 525 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 544 auf_null, 0, 545 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 546 /* was lwp_setprivate */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 549 /* was lwp_getprivate */ 550 auf_null, 0, 551 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 560 auf_null, 0, 561 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 562 auf_null, 0, 563 aui_null, AUE_READ, aus_null, /* 173 pread */ 564 auf_read, S2E_PUB, 565 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 566 auf_write, 0, 567 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 568 auf_null, 0, 569 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 570 /* aus_inst_sync */ 571 auf_null, 0, 572 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 573 auf_null, 0, 574 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 579 auf_null, 0, 580 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 581 auf_null, 0, 582 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 583 auf_null, S2E_MLD, 584 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 585 auf_null, 0, 586 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 587 auf_null, 0, 588 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 589 auf_null, 0, 590 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 591 auf_null, 0, 592 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 593 auf_null, 0, /* 187 processor_bind */ 594 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 595 auf_null, 0, 596 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 597 auf_null, 0, 598 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 599 auf_null, 0, 600 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 601 auf_null, 0, 602 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 603 auf_null, 0, 604 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 613 auf_null, 0, 614 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 615 auf_null, 0, 616 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 617 auf_null, 0, 618 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 619 auf_null, 0, 620 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 621 auf_null, 0, 622 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 623 auf_null, 0, 624 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 625 auf_null, 0, 626 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 641 auf_null, 0, 642 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 643 auf_null, 0, 644 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 645 auf_null, 0, 646 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 647 auf_null, 0, 648 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 649 auf_null, S2E_PUB, 650 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 651 auf_null, S2E_PUB, 652 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 653 auf_null, 0, 654 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 655 auf_null, S2E_PUB, 656 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 657 auf_null, 0, 658 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 659 auf_null, 0, 660 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 661 auf_null, 0, 662 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 663 auf_read, S2E_PUB, 664 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 665 auf_write, 0, 666 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 667 auf_null, S2E_SP, 668 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 669 auf_null, S2E_SP, 670 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 671 auf_null, 0, 672 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 675 auf_null, 0, 676 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 677 auf_null, 0, 678 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 679 auf_null, 0, 680 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 681 auf_null, 0, 682 aui_null, AUE_BIND, aus_null, /* 232 bind */ 683 auf_bind, 0, 684 aui_null, AUE_NULL, aus_null, /* 233 listen */ 685 auf_null, 0, 686 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 687 auf_accept, 0, 688 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 689 auf_connect, 0, 690 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 691 auf_null, 0, 692 aui_null, AUE_READ, aus_null, /* 237 recv */ 693 auf_recv, 0, 694 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 695 auf_recvfrom, 0, 696 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 697 auf_recvmsg, 0, 698 aui_null, AUE_WRITE, aus_null, /* 240 send */ 699 auf_send, 0, 700 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 701 auf_sendmsg, 0, 702 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 703 auf_sendto, 0, 704 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 705 auf_null, 0, 706 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 707 auf_null, 0, 708 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 709 auf_null, 0, 710 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 711 auf_setsockopt, 0, 712 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 713 auf_null, 0, 714 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 715 auf_null, 0, 716 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 717 auf_null, 0, 718 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 723 auf_null, 0, 724 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 725 auf_null, 0, 726 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 727 auf_null, 0, 728 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 729 auf_null, 0 730 }; 731 732 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 733 734 735 /* acct start function */ 736 /*ARGSUSED*/ 737 static void 738 aus_acct(struct t_audit_data *tad) 739 { 740 klwp_t *clwp = ttolwp(curthread); 741 uintptr_t fname; 742 743 struct a { 744 long fname; /* char * */ 745 } *uap = (struct a *)clwp->lwp_ap; 746 747 fname = (uintptr_t)uap->fname; 748 749 if (fname == 0) 750 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 751 } 752 753 /* chown start function */ 754 /*ARGSUSED*/ 755 static void 756 aus_chown(struct t_audit_data *tad) 757 { 758 klwp_t *clwp = ttolwp(curthread); 759 uint32_t uid, gid; 760 761 struct a { 762 long fname; /* char * */ 763 long uid; 764 long gid; 765 } *uap = (struct a *)clwp->lwp_ap; 766 767 uid = (uint32_t)uap->uid; 768 gid = (uint32_t)uap->gid; 769 770 au_uwrite(au_to_arg32(2, "new file uid", uid)); 771 au_uwrite(au_to_arg32(3, "new file gid", gid)); 772 } 773 774 /* fchown start function */ 775 /*ARGSUSED*/ 776 static void 777 aus_fchown(struct t_audit_data *tad) 778 { 779 klwp_t *clwp = ttolwp(curthread); 780 uint32_t uid, gid, fd; 781 struct file *fp; 782 struct vnode *vp; 783 struct f_audit_data *fad; 784 785 struct a { 786 long fd; 787 long uid; 788 long gid; 789 } *uap = (struct a *)clwp->lwp_ap; 790 791 fd = (uint32_t)uap->fd; 792 uid = (uint32_t)uap->uid; 793 gid = (uint32_t)uap->gid; 794 795 au_uwrite(au_to_arg32(2, "new file uid", uid)); 796 au_uwrite(au_to_arg32(3, "new file gid", gid)); 797 798 /* 799 * convert file pointer to file descriptor 800 * Note: fd ref count incremented here. 801 */ 802 if ((fp = getf(fd)) == NULL) 803 return; 804 805 /* get path from file struct here */ 806 fad = F2A(fp); 807 if (fad->fad_aupath != NULL) { 808 au_uwrite(au_to_path(fad->fad_aupath)); 809 } else { 810 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 811 } 812 813 vp = fp->f_vnode; 814 audit_attributes(vp); 815 816 /* decrement file descriptor reference count */ 817 releasef(fd); 818 } 819 820 /*ARGSUSED*/ 821 static void 822 aus_lchown(struct t_audit_data *tad) 823 { 824 klwp_t *clwp = ttolwp(curthread); 825 uint32_t uid, gid; 826 827 828 struct a { 829 long fname; /* char * */ 830 long uid; 831 long gid; 832 } *uap = (struct a *)clwp->lwp_ap; 833 834 uid = (uint32_t)uap->uid; 835 gid = (uint32_t)uap->gid; 836 837 au_uwrite(au_to_arg32(2, "new file uid", uid)); 838 au_uwrite(au_to_arg32(3, "new file gid", gid)); 839 } 840 841 /* chmod start function */ 842 /*ARGSUSED*/ 843 static void 844 aus_chmod(struct t_audit_data *tad) 845 { 846 klwp_t *clwp = ttolwp(curthread); 847 uint32_t fmode; 848 849 struct a { 850 long fname; /* char * */ 851 long fmode; 852 } *uap = (struct a *)clwp->lwp_ap; 853 854 fmode = (uint32_t)uap->fmode; 855 856 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 857 } 858 859 /* chmod start function */ 860 /*ARGSUSED*/ 861 static void 862 aus_fchmod(struct t_audit_data *tad) 863 { 864 klwp_t *clwp = ttolwp(curthread); 865 uint32_t fmode, fd; 866 struct file *fp; 867 struct vnode *vp; 868 struct f_audit_data *fad; 869 870 struct a { 871 long fd; 872 long fmode; 873 } *uap = (struct a *)clwp->lwp_ap; 874 875 fd = (uint32_t)uap->fd; 876 fmode = (uint32_t)uap->fmode; 877 878 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 879 880 /* 881 * convert file pointer to file descriptor 882 * Note: fd ref count incremented here. 883 */ 884 if ((fp = getf(fd)) == NULL) 885 return; 886 887 /* get path from file struct here */ 888 fad = F2A(fp); 889 if (fad->fad_aupath != NULL) { 890 au_uwrite(au_to_path(fad->fad_aupath)); 891 } else { 892 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 893 } 894 895 vp = fp->f_vnode; 896 audit_attributes(vp); 897 898 /* decrement file descriptor reference count */ 899 releasef(fd); 900 } 901 902 903 /* convert open to appropriate event */ 904 static au_event_t 905 aui_open(au_event_t e) 906 { 907 klwp_t *clwp = ttolwp(curthread); 908 uint_t fm; 909 910 struct a { 911 long fnamep; /* char * */ 912 long fmode; 913 long cmode; 914 } *uap = (struct a *)clwp->lwp_ap; 915 916 fm = (uint_t)uap->fmode; 917 918 if (fm & O_WRONLY) 919 e = AUE_OPEN_W; 920 else if (fm & O_RDWR) 921 e = AUE_OPEN_RW; 922 else 923 e = AUE_OPEN_R; 924 925 if (fm & O_CREAT) 926 e += 1; 927 if (fm & O_TRUNC) 928 e += 2; 929 930 return (e); 931 } 932 933 /*ARGSUSED*/ 934 static void 935 aus_open(struct t_audit_data *tad) 936 { 937 klwp_t *clwp = ttolwp(curthread); 938 uint_t fm; 939 940 struct a { 941 long fnamep; /* char * */ 942 long fmode; 943 long cmode; 944 } *uap = (struct a *)clwp->lwp_ap; 945 946 fm = (uint_t)uap->fmode; 947 948 /* If no write, create, or trunc modes, mark as a public op */ 949 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 950 tad->tad_ctrl |= PAD_PUBLIC_EV; 951 } 952 953 /* convert openat(2) to appropriate event */ 954 static au_event_t 955 aui_fsat(au_event_t e) 956 { 957 t_audit_data_t *tad = U2A(u); 958 klwp_t *clwp = ttolwp(curthread); 959 uint_t fmcode, fm; 960 struct a { 961 long id; 962 long arg1; 963 long arg2; 964 long arg3; 965 long arg4; 966 long arg5; 967 } *uap = (struct a *)clwp->lwp_ap; 968 969 fmcode = (uint_t)uap->id; 970 971 switch (fmcode) { 972 973 case 0: /* openat */ 974 case 1: /* openat64 */ 975 fm = (uint_t)uap->arg3; 976 if (fm & O_WRONLY) 977 e = AUE_OPENAT_W; 978 else if (fm & O_RDWR) 979 e = AUE_OPENAT_RW; 980 else 981 e = AUE_OPENAT_R; 982 983 /* 984 * openat modes are defined in the following order: 985 * Read only 986 * Read|Create 987 * Read|Trunc 988 * Read|Create|Trunc 989 * Write Only 990 * Write|Create 991 * Write|Trunc 992 * Write|Create|Trunc * RW Only 993 * RW|Create 994 * RW|Trunc 995 * RW|Create|Trunc 996 */ 997 if (fm & O_CREAT) 998 e += 1; /* increment to include CREAT in mode */ 999 if (fm & O_TRUNC) 1000 e += 2; /* increment to include TRUNC in mode */ 1001 1002 /* convert to appropriate au_ctrl */ 1003 tad->tad_ctrl |= PAD_SAVPATH; 1004 if (fm & FXATTR) 1005 tad->tad_ctrl |= PAD_ATPATH; 1006 1007 1008 break; 1009 case 2: /* fstatat64 */ 1010 case 3: /* fstatat */ 1011 e = AUE_FSTATAT; 1012 break; 1013 case 4: /* fchownat */ 1014 e = AUE_FCHOWNAT; 1015 break; 1016 case 5: /* unlinkat */ 1017 e = AUE_UNLINKAT; 1018 break; 1019 case 6: /* futimesat */ 1020 e = AUE_FUTIMESAT; 1021 break; 1022 case 7: /* renameat */ 1023 e = AUE_RENAMEAT; 1024 break; 1025 case 9: /* __openattrdirat */ 1026 tad->tad_ctrl |= PAD_SAVPATH; 1027 /*FALLTHROUGH*/ 1028 default: 1029 e = AUE_NULL; 1030 break; 1031 } 1032 1033 return (e); 1034 } 1035 1036 /*ARGSUSED*/ 1037 static void 1038 aus_fsat(struct t_audit_data *tad) 1039 { 1040 klwp_t *clwp = ttolwp(curthread); 1041 uint_t fmcode, fm; 1042 struct a { 1043 long id; 1044 long arg1; 1045 long arg2; 1046 long arg3; 1047 long arg4; 1048 long arg5; 1049 } *uap = (struct a *)clwp->lwp_ap; 1050 1051 fmcode = (uint_t)uap->id; 1052 1053 switch (fmcode) { 1054 1055 case 0: /* openat */ 1056 case 1: /* openat64 */ 1057 fm = (uint_t)uap->arg3; 1058 /* If no write, create, or trunc modes, mark as a public op */ 1059 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1060 tad->tad_ctrl |= PAD_PUBLIC_EV; 1061 1062 break; 1063 case 2: /* fstatat64 */ 1064 case 3: /* fstatat */ 1065 tad->tad_ctrl |= PAD_PUBLIC_EV; 1066 break; 1067 default: 1068 break; 1069 } 1070 } 1071 1072 /* msgsys */ 1073 static au_event_t 1074 aui_msgsys(au_event_t e) 1075 { 1076 klwp_t *clwp = ttolwp(curthread); 1077 uint_t fm; 1078 1079 struct a { 1080 long id; /* function code id */ 1081 long ap; /* arg pointer for recvmsg */ 1082 } *uap = (struct a *)clwp->lwp_ap; 1083 1084 struct b { 1085 long msgid; 1086 long cmd; 1087 long buf; /* struct msqid_ds * */ 1088 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1089 1090 fm = (uint_t)uap->id; 1091 1092 switch (fm) { 1093 case 0: /* msgget */ 1094 e = AUE_MSGGET; 1095 break; 1096 case 1: /* msgctl */ 1097 switch ((uint_t)uap1->cmd) { 1098 case IPC_RMID: 1099 e = AUE_MSGCTL_RMID; 1100 break; 1101 case IPC_SET: 1102 e = AUE_MSGCTL_SET; 1103 break; 1104 case IPC_STAT: 1105 e = AUE_MSGCTL_STAT; 1106 break; 1107 default: 1108 e = AUE_MSGCTL; 1109 break; 1110 } 1111 break; 1112 case 2: /* msgrcv */ 1113 e = AUE_MSGRCV; 1114 break; 1115 case 3: /* msgsnd */ 1116 e = AUE_MSGSND; 1117 break; 1118 default: /* illegal system call */ 1119 e = AUE_NULL; 1120 break; 1121 } 1122 1123 return (e); 1124 } 1125 1126 1127 /* shmsys */ 1128 static au_event_t 1129 aui_shmsys(au_event_t e) 1130 { 1131 klwp_t *clwp = ttolwp(curthread); 1132 int fm; 1133 1134 struct a { /* shmsys */ 1135 long id; /* function code id */ 1136 } *uap = (struct a *)clwp->lwp_ap; 1137 1138 struct b { /* ctrl */ 1139 long shmid; 1140 long cmd; 1141 long arg; /* struct shmid_ds * */ 1142 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1143 fm = (uint_t)uap->id; 1144 1145 switch (fm) { 1146 case 0: /* shmat */ 1147 e = AUE_SHMAT; 1148 break; 1149 case 1: /* shmctl */ 1150 switch ((uint_t)uap1->cmd) { 1151 case IPC_RMID: 1152 e = AUE_SHMCTL_RMID; 1153 break; 1154 case IPC_SET: 1155 e = AUE_SHMCTL_SET; 1156 break; 1157 case IPC_STAT: 1158 e = AUE_SHMCTL_STAT; 1159 break; 1160 default: 1161 e = AUE_SHMCTL; 1162 break; 1163 } 1164 break; 1165 case 2: /* shmdt */ 1166 e = AUE_SHMDT; 1167 break; 1168 case 3: /* shmget */ 1169 e = AUE_SHMGET; 1170 break; 1171 default: /* illegal system call */ 1172 e = AUE_NULL; 1173 break; 1174 } 1175 1176 return (e); 1177 } 1178 1179 1180 /* semsys */ 1181 static au_event_t 1182 aui_semsys(au_event_t e) 1183 { 1184 klwp_t *clwp = ttolwp(curthread); 1185 uint_t fm; 1186 1187 struct a { /* semsys */ 1188 long id; 1189 } *uap = (struct a *)clwp->lwp_ap; 1190 1191 struct b { /* ctrl */ 1192 long semid; 1193 long semnum; 1194 long cmd; 1195 long arg; 1196 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1197 1198 fm = (uint_t)uap->id; 1199 1200 switch (fm) { 1201 case 0: /* semctl */ 1202 switch ((uint_t)uap1->cmd) { 1203 case IPC_RMID: 1204 e = AUE_SEMCTL_RMID; 1205 break; 1206 case IPC_SET: 1207 e = AUE_SEMCTL_SET; 1208 break; 1209 case IPC_STAT: 1210 e = AUE_SEMCTL_STAT; 1211 break; 1212 case GETNCNT: 1213 e = AUE_SEMCTL_GETNCNT; 1214 break; 1215 case GETPID: 1216 e = AUE_SEMCTL_GETPID; 1217 break; 1218 case GETVAL: 1219 e = AUE_SEMCTL_GETVAL; 1220 break; 1221 case GETALL: 1222 e = AUE_SEMCTL_GETALL; 1223 break; 1224 case GETZCNT: 1225 e = AUE_SEMCTL_GETZCNT; 1226 break; 1227 case SETVAL: 1228 e = AUE_SEMCTL_SETVAL; 1229 break; 1230 case SETALL: 1231 e = AUE_SEMCTL_SETALL; 1232 break; 1233 default: 1234 e = AUE_SEMCTL; 1235 break; 1236 } 1237 break; 1238 case 1: /* semget */ 1239 e = AUE_SEMGET; 1240 break; 1241 case 2: /* semop */ 1242 e = AUE_SEMOP; 1243 break; 1244 default: /* illegal system call */ 1245 e = AUE_NULL; 1246 break; 1247 } 1248 1249 return (e); 1250 } 1251 1252 /* utssys - uname(2), ustat(2), fusers(2) */ 1253 static au_event_t 1254 aui_utssys(au_event_t e) 1255 { 1256 klwp_t *clwp = ttolwp(curthread); 1257 uint_t type; 1258 1259 struct a { 1260 union { 1261 long cbuf; /* char * */ 1262 long ubuf; /* struct stat * */ 1263 } ub; 1264 union { 1265 long mv; /* for USTAT */ 1266 long flags; /* for FUSERS */ 1267 } un; 1268 long type; 1269 long outbp; /* char * for FUSERS */ 1270 } *uap = (struct a *)clwp->lwp_ap; 1271 1272 type = (uint_t)uap->type; 1273 1274 if (type == UTS_FUSERS) 1275 return (e); 1276 else 1277 return ((au_event_t)AUE_NULL); 1278 } 1279 1280 static au_event_t 1281 aui_fcntl(au_event_t e) 1282 { 1283 klwp_t *clwp = ttolwp(curthread); 1284 uint_t cmd; 1285 1286 struct a { 1287 long fdes; 1288 long cmd; 1289 long arg; 1290 } *uap = (struct a *)clwp->lwp_ap; 1291 1292 cmd = (uint_t)uap->cmd; 1293 1294 switch (cmd) { 1295 case F_GETLK: 1296 case F_SETLK: 1297 case F_SETLKW: 1298 break; 1299 case F_SETFL: 1300 case F_GETFL: 1301 case F_GETFD: 1302 break; 1303 default: 1304 e = (au_event_t)AUE_NULL; 1305 break; 1306 } 1307 return ((au_event_t)e); 1308 } 1309 1310 /* null function for now */ 1311 static au_event_t 1312 aui_execv(au_event_t e) 1313 { 1314 return (e); 1315 } 1316 1317 /* null function for now */ 1318 static au_event_t 1319 aui_execve(au_event_t e) 1320 { 1321 return (e); 1322 } 1323 1324 /*ARGSUSED*/ 1325 static void 1326 aus_fcntl(struct t_audit_data *tad) 1327 { 1328 klwp_t *clwp = ttolwp(curthread); 1329 uint32_t cmd, fd; 1330 struct file *fp; 1331 struct vnode *vp; 1332 struct f_audit_data *fad; 1333 1334 struct a { 1335 long fd; 1336 long cmd; 1337 long arg; 1338 } *uap = (struct a *)clwp->lwp_ap; 1339 1340 cmd = (uint32_t)uap->cmd; 1341 fd = (uint32_t)uap->fd; 1342 1343 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1344 1345 /* 1346 * convert file pointer to file descriptor 1347 * Note: fd ref count incremented here. 1348 */ 1349 if ((fp = getf(fd)) == NULL) 1350 return; 1351 1352 /* get path from file struct here */ 1353 fad = F2A(fp); 1354 if (fad->fad_aupath != NULL) { 1355 au_uwrite(au_to_path(fad->fad_aupath)); 1356 } else { 1357 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1358 } 1359 1360 vp = fp->f_vnode; 1361 audit_attributes(vp); 1362 1363 /* decrement file descriptor reference count */ 1364 releasef(fd); 1365 } 1366 1367 /*ARGSUSED*/ 1368 static void 1369 aus_kill(struct t_audit_data *tad) 1370 { 1371 klwp_t *clwp = ttolwp(curthread); 1372 struct proc *p; 1373 uint32_t signo; 1374 uid_t uid, ruid; 1375 gid_t gid, rgid; 1376 pid_t pid; 1377 const auditinfo_addr_t *ainfo; 1378 cred_t *cr; 1379 1380 struct a { 1381 long pid; 1382 long signo; 1383 } *uap = (struct a *)clwp->lwp_ap; 1384 1385 pid = (pid_t)uap->pid; 1386 signo = (uint32_t)uap->signo; 1387 1388 au_uwrite(au_to_arg32(2, "signal", signo)); 1389 if (pid > 0) { 1390 mutex_enter(&pidlock); 1391 if (((p = prfind(pid)) == (struct proc *)0) || 1392 (p->p_stat == SIDL)) { 1393 mutex_exit(&pidlock); 1394 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1395 return; 1396 } 1397 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1398 mutex_exit(&pidlock); 1399 1400 mutex_enter(&p->p_crlock); 1401 crhold(cr = p->p_cred); 1402 mutex_exit(&p->p_crlock); 1403 mutex_exit(&p->p_lock); 1404 1405 ainfo = crgetauinfo(cr); 1406 if (ainfo == NULL) { 1407 crfree(cr); 1408 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1409 return; 1410 } 1411 1412 uid = crgetuid(cr); 1413 gid = crgetgid(cr); 1414 ruid = crgetruid(cr); 1415 rgid = crgetrgid(cr); 1416 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1417 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1418 1419 if (is_system_labeled()) 1420 au_uwrite(au_to_label(CR_SL(cr))); 1421 1422 crfree(cr); 1423 } 1424 else 1425 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1426 } 1427 1428 /*ARGSUSED*/ 1429 static void 1430 aus_mkdir(struct t_audit_data *tad) 1431 { 1432 klwp_t *clwp = ttolwp(curthread); 1433 uint32_t dmode; 1434 1435 struct a { 1436 long dirnamep; /* char * */ 1437 long dmode; 1438 } *uap = (struct a *)clwp->lwp_ap; 1439 1440 dmode = (uint32_t)uap->dmode; 1441 1442 au_uwrite(au_to_arg32(2, "mode", dmode)); 1443 } 1444 1445 /*ARGSUSED*/ 1446 static void 1447 aus_mknod(struct t_audit_data *tad) 1448 { 1449 klwp_t *clwp = ttolwp(curthread); 1450 uint32_t fmode; 1451 dev_t dev; 1452 1453 struct a { 1454 long pnamep; /* char * */ 1455 long fmode; 1456 long dev; 1457 } *uap = (struct a *)clwp->lwp_ap; 1458 1459 fmode = (uint32_t)uap->fmode; 1460 dev = (dev_t)uap->dev; 1461 1462 au_uwrite(au_to_arg32(2, "mode", fmode)); 1463 #ifdef _LP64 1464 au_uwrite(au_to_arg64(3, "dev", dev)); 1465 #else 1466 au_uwrite(au_to_arg32(3, "dev", dev)); 1467 #endif 1468 } 1469 1470 /*ARGSUSED*/ 1471 static void 1472 aus_xmknod(struct t_audit_data *tad) 1473 { 1474 klwp_t *clwp = ttolwp(curthread); 1475 uint32_t fmode; 1476 dev_t dev; 1477 1478 struct a { 1479 long version; /* version */ 1480 long pnamep; /* char * */ 1481 long fmode; 1482 long dev; 1483 } *uap = (struct a *)clwp->lwp_ap; 1484 1485 fmode = (uint32_t)uap->fmode; 1486 dev = (dev_t)uap->dev; 1487 1488 au_uwrite(au_to_arg32(2, "mode", fmode)); 1489 #ifdef _LP64 1490 au_uwrite(au_to_arg64(3, "dev", dev)); 1491 #else 1492 au_uwrite(au_to_arg32(3, "dev", dev)); 1493 #endif 1494 } 1495 1496 /*ARGSUSED*/ 1497 static void 1498 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1499 { 1500 klwp_t *clwp = ttolwp(curthread); 1501 vnode_t *dvp; 1502 caddr_t pnamep; 1503 1504 struct a { 1505 long pnamep; /* char * */ 1506 long fmode; 1507 long dev; 1508 } *uap = (struct a *)clwp->lwp_ap; 1509 1510 /* no error, then already path token in audit record */ 1511 if (error != EPERM) 1512 return; 1513 1514 /* not auditing this event, nothing then to do */ 1515 if (tad->tad_flag == 0) 1516 return; 1517 1518 /* do the lookup to force generation of path token */ 1519 pnamep = (caddr_t)uap->pnamep; 1520 tad->tad_ctrl |= PAD_NOATTRB; 1521 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1522 if (error == 0) 1523 VN_RELE(dvp); 1524 } 1525 1526 /*ARGSUSED*/ 1527 static void 1528 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1529 { 1530 klwp_t *clwp = ttolwp(curthread); 1531 vnode_t *dvp; 1532 caddr_t pnamep; 1533 1534 struct a { 1535 long version; /* version */ 1536 long pnamep; /* char * */ 1537 long fmode; 1538 long dev; 1539 } *uap = (struct a *)clwp->lwp_arg; 1540 1541 1542 /* no error, then already path token in audit record */ 1543 if (error != EPERM) 1544 return; 1545 1546 /* not auditing this event, nothing then to do */ 1547 if (tad->tad_flag == 0) 1548 return; 1549 1550 /* do the lookup to force generation of path token */ 1551 pnamep = (caddr_t)uap->pnamep; 1552 tad->tad_ctrl |= PAD_NOATTRB; 1553 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1554 if (error == 0) 1555 VN_RELE(dvp); 1556 } 1557 1558 /*ARGSUSED*/ 1559 static void 1560 aus_mount(struct t_audit_data *tad) 1561 { /* AUS_START */ 1562 klwp_t *clwp = ttolwp(curthread); 1563 uint32_t flags; 1564 uintptr_t u_fstype, dataptr; 1565 STRUCT_DECL(nfs_args, nfsargs); 1566 size_t len; 1567 char *fstype, *hostname; 1568 1569 struct a { 1570 long spec; /* char * */ 1571 long dir; /* char * */ 1572 long flags; 1573 long fstype; /* char * */ 1574 long dataptr; /* char * */ 1575 long datalen; 1576 } *uap = (struct a *)clwp->lwp_ap; 1577 1578 u_fstype = (uintptr_t)uap->fstype; 1579 flags = (uint32_t)uap->flags; 1580 dataptr = (uintptr_t)uap->dataptr; 1581 1582 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1583 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1584 goto mount_free_fstype; 1585 1586 au_uwrite(au_to_arg32(3, "flags", flags)); 1587 au_uwrite(au_to_text(fstype)); 1588 1589 if (strncmp(fstype, "nfs", 3) == 0) { 1590 1591 STRUCT_INIT(nfsargs, get_udatamodel()); 1592 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1593 1594 if (copyin((caddr_t)dataptr, 1595 STRUCT_BUF(nfsargs), 1596 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1597 /* DEBUG debug_enter((char *)NULL); */ 1598 goto mount_free_fstype; 1599 } 1600 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1601 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1602 (caddr_t)hostname, 1603 MAXNAMELEN, &len)) { 1604 goto mount_free_hostname; 1605 } 1606 au_uwrite(au_to_text(hostname)); 1607 au_uwrite(au_to_arg32(3, "internal flags", 1608 (uint_t)STRUCT_FGET(nfsargs, flags))); 1609 1610 mount_free_hostname: 1611 kmem_free(hostname, MAXNAMELEN); 1612 } 1613 1614 mount_free_fstype: 1615 kmem_free(fstype, MAXNAMELEN); 1616 } /* AUS_MOUNT */ 1617 1618 static void 1619 aus_umount_path(caddr_t umount_dir) 1620 { 1621 char *dir_path; 1622 struct audit_path *path; 1623 size_t path_len, dir_len; 1624 1625 /* length alloc'd for two string pointers */ 1626 path_len = sizeof (struct audit_path) + sizeof (char *); 1627 path = kmem_alloc(path_len, KM_SLEEP); 1628 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1629 1630 if (copyinstr(umount_dir, (caddr_t)dir_path, 1631 MAXPATHLEN, &dir_len)) 1632 goto umount2_free_dir; 1633 1634 /* 1635 * the audit_path struct assumes that the buffer pointed to 1636 * by audp_sect[n] contains string 0 immediatedly followed 1637 * by string 1. 1638 */ 1639 path->audp_sect[0] = dir_path; 1640 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1641 path->audp_size = path_len; 1642 path->audp_ref = 1; /* not used */ 1643 path->audp_cnt = 1; /* one path string */ 1644 1645 au_uwrite(au_to_path(path)); 1646 1647 umount2_free_dir: 1648 kmem_free(dir_path, MAXPATHLEN); 1649 kmem_free(path, path_len); 1650 } 1651 1652 /* 1653 * the umount syscall is implemented as a call to umount2, but the args 1654 * are different... 1655 */ 1656 1657 /*ARGSUSED*/ 1658 static void 1659 aus_umount(struct t_audit_data *tad) 1660 { 1661 klwp_t *clwp = ttolwp(curthread); 1662 struct a { 1663 long dir; /* char * */ 1664 } *uap = (struct a *)clwp->lwp_ap; 1665 1666 aus_umount_path((caddr_t)uap->dir); 1667 } 1668 1669 /*ARGSUSED*/ 1670 static void 1671 aus_umount2(struct t_audit_data *tad) 1672 { 1673 klwp_t *clwp = ttolwp(curthread); 1674 struct a { 1675 long dir; /* char * */ 1676 long flags; 1677 } *uap = (struct a *)clwp->lwp_ap; 1678 1679 aus_umount_path((caddr_t)uap->dir); 1680 1681 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1682 } 1683 1684 static void 1685 aus_msgsys(struct t_audit_data *tad) 1686 { 1687 klwp_t *clwp = ttolwp(curthread); 1688 uint32_t msgid; 1689 1690 struct b { 1691 long msgid; 1692 long cmd; 1693 long buf; /* struct msqid_ds * */ 1694 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1695 1696 msgid = (uint32_t)uap1->msgid; 1697 1698 1699 switch (tad->tad_event) { 1700 case AUE_MSGGET: /* msgget */ 1701 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1702 break; 1703 case AUE_MSGCTL: /* msgctl */ 1704 case AUE_MSGCTL_RMID: /* msgctl */ 1705 case AUE_MSGCTL_STAT: /* msgctl */ 1706 case AUE_MSGRCV: /* msgrcv */ 1707 case AUE_MSGSND: /* msgsnd */ 1708 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1709 break; 1710 case AUE_MSGCTL_SET: /* msgctl */ 1711 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1712 break; 1713 } 1714 } 1715 1716 /*ARGSUSED*/ 1717 static void 1718 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1719 { 1720 int id; 1721 1722 if (error != 0) 1723 return; 1724 if (tad->tad_event == AUE_MSGGET) { 1725 uint32_t scid; 1726 uint32_t sy_flags; 1727 1728 /* need to determine type of executing binary */ 1729 scid = tad->tad_scid; 1730 #ifdef _SYSCALL32_IMPL 1731 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1732 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1733 else 1734 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1735 #else 1736 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1737 #endif 1738 if (sy_flags == SE_32RVAL1) 1739 id = rval->r_val1; 1740 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1741 id = rval->r_val1; 1742 if (sy_flags == SE_64RVAL) 1743 id = (int)rval->r_vals; 1744 1745 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1746 } 1747 } 1748 1749 static void 1750 aus_semsys(struct t_audit_data *tad) 1751 { 1752 klwp_t *clwp = ttolwp(curthread); 1753 uint32_t semid; 1754 1755 struct b { /* ctrl */ 1756 long semid; 1757 long semnum; 1758 long cmd; 1759 long arg; 1760 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1761 1762 semid = (uint32_t)uap1->semid; 1763 1764 switch (tad->tad_event) { 1765 case AUE_SEMCTL_RMID: 1766 case AUE_SEMCTL_STAT: 1767 case AUE_SEMCTL_GETNCNT: 1768 case AUE_SEMCTL_GETPID: 1769 case AUE_SEMCTL_GETVAL: 1770 case AUE_SEMCTL_GETALL: 1771 case AUE_SEMCTL_GETZCNT: 1772 case AUE_SEMCTL_SETVAL: 1773 case AUE_SEMCTL_SETALL: 1774 case AUE_SEMCTL: 1775 case AUE_SEMOP: 1776 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1777 break; 1778 case AUE_SEMCTL_SET: 1779 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1780 break; 1781 case AUE_SEMGET: 1782 au_uwrite(au_to_arg32(1, "sem key", semid)); 1783 break; 1784 } 1785 } 1786 1787 /*ARGSUSED*/ 1788 static void 1789 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1790 { 1791 int id; 1792 1793 if (error != 0) 1794 return; 1795 if (tad->tad_event == AUE_SEMGET) { 1796 uint32_t scid; 1797 uint32_t sy_flags; 1798 1799 /* need to determine type of executing binary */ 1800 scid = tad->tad_scid; 1801 #ifdef _SYSCALL32_IMPL 1802 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1803 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1804 else 1805 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1806 #else 1807 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1808 #endif 1809 if (sy_flags == SE_32RVAL1) 1810 id = rval->r_val1; 1811 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1812 id = rval->r_val1; 1813 if (sy_flags == SE_64RVAL) 1814 id = (int)rval->r_vals; 1815 1816 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1817 } 1818 } 1819 1820 /*ARGSUSED*/ 1821 static void 1822 aus_close(struct t_audit_data *tad) 1823 { 1824 klwp_t *clwp = ttolwp(curthread); 1825 uint32_t fd; 1826 struct file *fp; 1827 struct f_audit_data *fad; 1828 struct vnode *vp; 1829 struct vattr attr; 1830 au_kcontext_t *kctx = GET_KCTX_PZ; 1831 1832 struct a { 1833 long i; 1834 } *uap = (struct a *)clwp->lwp_ap; 1835 1836 fd = (uint32_t)uap->i; 1837 1838 attr.va_mask = 0; 1839 au_uwrite(au_to_arg32(1, "fd", fd)); 1840 1841 /* 1842 * convert file pointer to file descriptor 1843 * Note: fd ref count incremented here. 1844 */ 1845 if ((fp = getf(fd)) == NULL) 1846 return; 1847 1848 fad = F2A(fp); 1849 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1850 if (fad->fad_aupath != NULL) { 1851 au_uwrite(au_to_path(fad->fad_aupath)); 1852 if ((vp = fp->f_vnode) != NULL) { 1853 attr.va_mask = AT_ALL; 1854 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1855 /* 1856 * When write was not used and the file can be 1857 * considered public, skip the audit. 1858 */ 1859 if (((fp->f_flag & FWRITE) == 0) && 1860 file_is_public(&attr)) { 1861 tad->tad_flag = 0; 1862 tad->tad_evmod = 0; 1863 /* free any residual audit data */ 1864 au_close(kctx, &(u_ad), 0, 0, 0); 1865 releasef(fd); 1866 return; 1867 } 1868 au_uwrite(au_to_attr(&attr)); 1869 audit_sec_attributes(&(u_ad), vp); 1870 } 1871 } 1872 } 1873 1874 /* decrement file descriptor reference count */ 1875 releasef(fd); 1876 } 1877 1878 /*ARGSUSED*/ 1879 static void 1880 aus_fstatfs(struct t_audit_data *tad) 1881 { 1882 klwp_t *clwp = ttolwp(curthread); 1883 uint32_t fd; 1884 struct file *fp; 1885 struct vnode *vp; 1886 struct f_audit_data *fad; 1887 1888 struct a { 1889 long fd; 1890 long buf; /* struct statfs * */ 1891 } *uap = (struct a *)clwp->lwp_ap; 1892 1893 fd = (uint_t)uap->fd; 1894 1895 /* 1896 * convert file pointer to file descriptor 1897 * Note: fd ref count incremented here. 1898 */ 1899 if ((fp = getf(fd)) == NULL) 1900 return; 1901 1902 /* get path from file struct here */ 1903 fad = F2A(fp); 1904 if (fad->fad_aupath != NULL) { 1905 au_uwrite(au_to_path(fad->fad_aupath)); 1906 } else { 1907 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1908 } 1909 1910 vp = fp->f_vnode; 1911 audit_attributes(vp); 1912 1913 /* decrement file descriptor reference count */ 1914 releasef(fd); 1915 } 1916 1917 #ifdef NOTYET 1918 /*ARGSUSED*/ 1919 static void 1920 aus_setpgrp(struct t_audit_data *tad) 1921 { 1922 klwp_t *clwp = ttolwp(curthread); 1923 uint32_t pgrp; 1924 struct proc *p; 1925 uid_t uid, ruid; 1926 gid_t gid, rgid; 1927 pid_t pid; 1928 const auditinfo_addr_t *ainfo; 1929 cred_t *cr; 1930 1931 struct a { 1932 long pid; 1933 long pgrp; 1934 } *uap = (struct a *)clwp->lwp_ap; 1935 1936 pid = (pid_t)uap->pid; 1937 pgrp = (uint32_t)uap->pgrp; 1938 1939 /* current process? */ 1940 if (pid == 0) 1941 (return); 1942 1943 mutex_enter(&pidlock); 1944 p = prfind(pid); 1945 if (p == NULL || p->p_as == &kas) { 1946 mutex_exit(&pidlock); 1947 return; 1948 } 1949 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1950 mutex_exit(&pidlock); 1951 1952 mutex_enter(&p->p_crlock); 1953 crhold(cr = p->p_cred); 1954 mutex_exit(&p->p_crlock); 1955 mutex_exit(&p->p_lock); 1956 1957 ainfo = crgetauinfo(cr); 1958 if (ainfo == NULL) { 1959 crfree(cr); 1960 return; 1961 } 1962 1963 uid = crgetuid(cr); 1964 gid = crgetgid(cr); 1965 ruid = crgetruid(cr); 1966 rgid = crgetrgid(cr); 1967 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1968 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1969 crfree(cr); 1970 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1971 } 1972 #endif 1973 1974 /*ARGSUSED*/ 1975 static void 1976 aus_setregid(struct t_audit_data *tad) 1977 { 1978 klwp_t *clwp = ttolwp(curthread); 1979 uint32_t rgid, egid; 1980 1981 struct a { 1982 long rgid; 1983 long egid; 1984 } *uap = (struct a *)clwp->lwp_ap; 1985 1986 rgid = (uint32_t)uap->rgid; 1987 egid = (uint32_t)uap->egid; 1988 1989 au_uwrite(au_to_arg32(1, "rgid", rgid)); 1990 au_uwrite(au_to_arg32(2, "egid", egid)); 1991 } 1992 1993 /*ARGSUSED*/ 1994 static void 1995 aus_setgid(struct t_audit_data *tad) 1996 { 1997 klwp_t *clwp = ttolwp(curthread); 1998 uint32_t gid; 1999 2000 struct a { 2001 long gid; 2002 } *uap = (struct a *)clwp->lwp_ap; 2003 2004 gid = (uint32_t)uap->gid; 2005 2006 au_uwrite(au_to_arg32(1, "gid", gid)); 2007 } 2008 2009 2010 /*ARGSUSED*/ 2011 static void 2012 aus_setreuid(struct t_audit_data *tad) 2013 { 2014 klwp_t *clwp = ttolwp(curthread); 2015 uint32_t ruid, euid; 2016 2017 struct a { 2018 long ruid; 2019 long euid; 2020 } *uap = (struct a *)clwp->lwp_ap; 2021 2022 ruid = (uint32_t)uap->ruid; 2023 euid = (uint32_t)uap->euid; 2024 2025 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2026 au_uwrite(au_to_arg32(2, "euid", euid)); 2027 } 2028 2029 2030 /*ARGSUSED*/ 2031 static void 2032 aus_setuid(struct t_audit_data *tad) 2033 { 2034 klwp_t *clwp = ttolwp(curthread); 2035 uint32_t uid; 2036 2037 struct a { 2038 long uid; 2039 } *uap = (struct a *)clwp->lwp_ap; 2040 2041 uid = (uint32_t)uap->uid; 2042 2043 au_uwrite(au_to_arg32(1, "uid", uid)); 2044 } 2045 2046 /*ARGSUSED*/ 2047 static void 2048 aus_shmsys(struct t_audit_data *tad) 2049 { 2050 klwp_t *clwp = ttolwp(curthread); 2051 uint32_t id, cmd; 2052 2053 struct b { 2054 long id; 2055 long cmd; 2056 long buf; /* struct shmid_ds * */ 2057 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2058 2059 id = (uint32_t)uap1->id; 2060 cmd = (uint32_t)uap1->cmd; 2061 2062 switch (tad->tad_event) { 2063 case AUE_SHMGET: /* shmget */ 2064 au_uwrite(au_to_arg32(1, "shm key", id)); 2065 break; 2066 case AUE_SHMCTL: /* shmctl */ 2067 case AUE_SHMCTL_RMID: /* shmctl */ 2068 case AUE_SHMCTL_STAT: /* shmctl */ 2069 case AUE_SHMCTL_SET: /* shmctl */ 2070 au_uwrite(au_to_arg32(1, "shm ID", id)); 2071 break; 2072 case AUE_SHMDT: /* shmdt */ 2073 au_uwrite(au_to_arg32(1, "shm adr", id)); 2074 break; 2075 case AUE_SHMAT: /* shmat */ 2076 au_uwrite(au_to_arg32(1, "shm ID", id)); 2077 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2078 break; 2079 } 2080 } 2081 2082 /*ARGSUSED*/ 2083 static void 2084 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2085 { 2086 int id; 2087 2088 if (error != 0) 2089 return; 2090 if (tad->tad_event == AUE_SHMGET) { 2091 uint32_t scid; 2092 uint32_t sy_flags; 2093 2094 /* need to determine type of executing binary */ 2095 scid = tad->tad_scid; 2096 #ifdef _SYSCALL32_IMPL 2097 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2098 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2099 else 2100 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2101 #else 2102 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2103 #endif 2104 if (sy_flags == SE_32RVAL1) 2105 id = rval->r_val1; 2106 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2107 id = rval->r_val1; 2108 if (sy_flags == SE_64RVAL) 2109 id = (int)rval->r_vals; 2110 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2111 } 2112 } 2113 2114 2115 /*ARGSUSED*/ 2116 static void 2117 aus_ioctl(struct t_audit_data *tad) 2118 { 2119 klwp_t *clwp = ttolwp(curthread); 2120 struct file *fp; 2121 struct vnode *vp; 2122 struct f_audit_data *fad; 2123 uint32_t fd, cmd; 2124 uintptr_t cmarg; 2125 2126 /* XX64 */ 2127 struct a { 2128 long fd; 2129 long cmd; 2130 long cmarg; /* caddr_t */ 2131 } *uap = (struct a *)clwp->lwp_ap; 2132 2133 fd = (uint32_t)uap->fd; 2134 cmd = (uint32_t)uap->cmd; 2135 cmarg = (uintptr_t)uap->cmarg; 2136 2137 /* 2138 * convert file pointer to file descriptor 2139 * Note: fd ref count incremented here. 2140 */ 2141 if ((fp = getf(fd)) == NULL) { 2142 au_uwrite(au_to_arg32(1, "fd", fd)); 2143 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2144 #ifndef _LP64 2145 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2146 #else 2147 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2148 #endif 2149 return; 2150 } 2151 2152 /* get path from file struct here */ 2153 fad = F2A(fp); 2154 if (fad->fad_aupath != NULL) { 2155 au_uwrite(au_to_path(fad->fad_aupath)); 2156 } else { 2157 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2158 } 2159 2160 vp = fp->f_vnode; 2161 audit_attributes(vp); 2162 2163 /* decrement file descriptor reference count */ 2164 releasef(fd); 2165 2166 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2167 #ifndef _LP64 2168 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2169 #else 2170 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2171 #endif 2172 } 2173 2174 /* 2175 * null function for memcntl for now. We might want to limit memcntl() 2176 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2177 * require privileges. 2178 */ 2179 static au_event_t 2180 aui_memcntl(au_event_t e) 2181 { 2182 return (e); 2183 } 2184 2185 /*ARGSUSED*/ 2186 static au_event_t 2187 aui_privsys(au_event_t e) 2188 { 2189 klwp_t *clwp = ttolwp(curthread); 2190 2191 struct a { 2192 long opcode; 2193 } *uap = (struct a *)clwp->lwp_ap; 2194 2195 switch (uap->opcode) { 2196 case PRIVSYS_SETPPRIV: 2197 return (AUE_SETPPRIV); 2198 default: 2199 return (AUE_NULL); 2200 } 2201 } 2202 2203 /*ARGSUSED*/ 2204 static void 2205 aus_memcntl(struct t_audit_data *tad) 2206 { 2207 klwp_t *clwp = ttolwp(curthread); 2208 2209 struct a { 2210 long addr; 2211 long len; 2212 long cmd; 2213 long arg; 2214 long attr; 2215 long mask; 2216 } *uap = (struct a *)clwp->lwp_ap; 2217 2218 #ifdef _LP64 2219 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2220 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2221 #else 2222 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2223 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2224 #endif 2225 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2226 #ifdef _LP64 2227 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2228 #else 2229 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2230 #endif 2231 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2232 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2233 } 2234 2235 /*ARGSUSED*/ 2236 static void 2237 aus_mmap(struct t_audit_data *tad) 2238 { 2239 klwp_t *clwp = ttolwp(curthread); 2240 struct file *fp; 2241 struct f_audit_data *fad; 2242 struct vnode *vp; 2243 uint32_t fd; 2244 2245 struct a { 2246 long addr; 2247 long len; 2248 long prot; 2249 long flags; 2250 long fd; 2251 long pos; 2252 } *uap = (struct a *)clwp->lwp_ap; 2253 2254 fd = (uint32_t)uap->fd; 2255 2256 #ifdef _LP64 2257 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2258 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2259 #else 2260 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2261 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2262 #endif 2263 2264 if ((fp = getf(fd)) == NULL) { 2265 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2266 return; 2267 } 2268 2269 /* 2270 * Mark in the tad if write access is NOT requested... if 2271 * this is later detected (in audit_attributes) to be a 2272 * public object, the mmap event may be discarded. 2273 */ 2274 if (((uap->prot) & PROT_WRITE) == 0) { 2275 tad->tad_ctrl |= PAD_PUBLIC_EV; 2276 } 2277 2278 fad = F2A(fp); 2279 if (fad->fad_aupath != NULL) { 2280 au_uwrite(au_to_path(fad->fad_aupath)); 2281 } else { 2282 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2283 } 2284 2285 vp = (struct vnode *)fp->f_vnode; 2286 audit_attributes(vp); 2287 2288 /* mark READ/WRITE since we can't predict access */ 2289 if (uap->prot & PROT_READ) 2290 fad->fad_flags |= FAD_READ; 2291 if (uap->prot & PROT_WRITE) 2292 fad->fad_flags |= FAD_WRITE; 2293 2294 /* decrement file descriptor reference count */ 2295 releasef(fd); 2296 2297 } /* AUS_MMAP */ 2298 2299 2300 2301 2302 /*ARGSUSED*/ 2303 static void 2304 aus_munmap(struct t_audit_data *tad) 2305 { 2306 klwp_t *clwp = ttolwp(curthread); 2307 2308 struct a { 2309 long addr; 2310 long len; 2311 } *uap = (struct a *)clwp->lwp_ap; 2312 2313 #ifdef _LP64 2314 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2315 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2316 #else 2317 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2318 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2319 #endif 2320 2321 } /* AUS_MUNMAP */ 2322 2323 2324 2325 2326 2327 2328 2329 /*ARGSUSED*/ 2330 static void 2331 aus_priocntlsys(struct t_audit_data *tad) 2332 { 2333 klwp_t *clwp = ttolwp(curthread); 2334 2335 struct a { 2336 long pc_version; 2337 long psp; /* procset_t */ 2338 long cmd; 2339 long arg; 2340 } *uap = (struct a *)clwp->lwp_ap; 2341 2342 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2343 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2344 2345 } /* AUS_PRIOCNTLSYS */ 2346 2347 2348 /*ARGSUSED*/ 2349 static void 2350 aus_setegid(struct t_audit_data *tad) 2351 { 2352 klwp_t *clwp = ttolwp(curthread); 2353 uint32_t gid; 2354 2355 struct a { 2356 long gid; 2357 } *uap = (struct a *)clwp->lwp_ap; 2358 2359 gid = (uint32_t)uap->gid; 2360 2361 au_uwrite(au_to_arg32(1, "gid", gid)); 2362 } /* AUS_SETEGID */ 2363 2364 2365 2366 2367 /*ARGSUSED*/ 2368 static void 2369 aus_setgroups(struct t_audit_data *tad) 2370 { 2371 klwp_t *clwp = ttolwp(curthread); 2372 int i; 2373 int gidsetsize; 2374 uintptr_t gidset; 2375 gid_t *gidlist; 2376 2377 struct a { 2378 long gidsetsize; 2379 long gidset; 2380 } *uap = (struct a *)clwp->lwp_ap; 2381 2382 gidsetsize = (uint_t)uap->gidsetsize; 2383 gidset = (uintptr_t)uap->gidset; 2384 2385 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2386 return; 2387 if (gidsetsize != 0) { 2388 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2389 KM_SLEEP); 2390 if (copyin((caddr_t)gidset, gidlist, 2391 gidsetsize * sizeof (gid_t)) == 0) 2392 for (i = 0; i < gidsetsize; i++) 2393 au_uwrite(au_to_arg32(1, "setgroups", 2394 (uint32_t)gidlist[i])); 2395 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2396 } else 2397 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2398 2399 } /* AUS_SETGROUPS */ 2400 2401 2402 2403 2404 2405 /*ARGSUSED*/ 2406 static void 2407 aus_seteuid(struct t_audit_data *tad) 2408 { 2409 klwp_t *clwp = ttolwp(curthread); 2410 uint32_t uid; 2411 2412 struct a { 2413 long uid; 2414 } *uap = (struct a *)clwp->lwp_ap; 2415 2416 uid = (uint32_t)uap->uid; 2417 2418 au_uwrite(au_to_arg32(1, "euid", uid)); 2419 2420 } /* AUS_SETEUID */ 2421 2422 /*ARGSUSED*/ 2423 static void 2424 aus_putmsg(struct t_audit_data *tad) 2425 { 2426 klwp_t *clwp = ttolwp(curthread); 2427 uint32_t fd, pri; 2428 struct file *fp; 2429 struct f_audit_data *fad; 2430 2431 struct a { 2432 long fdes; 2433 long ctl; /* struct strbuf * */ 2434 long data; /* struct strbuf * */ 2435 long pri; 2436 } *uap = (struct a *)clwp->lwp_ap; 2437 2438 fd = (uint32_t)uap->fdes; 2439 pri = (uint32_t)uap->pri; 2440 2441 au_uwrite(au_to_arg32(1, "fd", fd)); 2442 2443 if ((fp = getf(fd)) != NULL) { 2444 fad = F2A(fp); 2445 2446 fad->fad_flags |= FAD_WRITE; 2447 2448 /* add path name to audit record */ 2449 if (fad->fad_aupath != NULL) { 2450 au_uwrite(au_to_path(fad->fad_aupath)); 2451 } 2452 audit_attributes(fp->f_vnode); 2453 2454 releasef(fd); 2455 } 2456 2457 au_uwrite(au_to_arg32(4, "pri", pri)); 2458 } 2459 2460 /*ARGSUSED*/ 2461 static void 2462 aus_putpmsg(struct t_audit_data *tad) 2463 { 2464 klwp_t *clwp = ttolwp(curthread); 2465 uint32_t fd, pri, flags; 2466 struct file *fp; 2467 struct f_audit_data *fad; 2468 2469 struct a { 2470 long fdes; 2471 long ctl; /* struct strbuf * */ 2472 long data; /* struct strbuf * */ 2473 long pri; 2474 long flags; 2475 } *uap = (struct a *)clwp->lwp_ap; 2476 2477 fd = (uint32_t)uap->fdes; 2478 pri = (uint32_t)uap->pri; 2479 flags = (uint32_t)uap->flags; 2480 2481 au_uwrite(au_to_arg32(1, "fd", fd)); 2482 2483 if ((fp = getf(fd)) != NULL) { 2484 fad = F2A(fp); 2485 2486 fad->fad_flags |= FAD_WRITE; 2487 2488 /* add path name to audit record */ 2489 if (fad->fad_aupath != NULL) { 2490 au_uwrite(au_to_path(fad->fad_aupath)); 2491 } 2492 audit_attributes(fp->f_vnode); 2493 2494 releasef(fd); 2495 } 2496 2497 2498 au_uwrite(au_to_arg32(4, "pri", pri)); 2499 au_uwrite(au_to_arg32(5, "flags", flags)); 2500 } 2501 2502 /*ARGSUSED*/ 2503 static void 2504 aus_getmsg(struct t_audit_data *tad) 2505 { 2506 klwp_t *clwp = ttolwp(curthread); 2507 uint32_t fd, pri; 2508 struct file *fp; 2509 struct f_audit_data *fad; 2510 2511 struct a { 2512 long fdes; 2513 long ctl; /* struct strbuf * */ 2514 long data; /* struct strbuf * */ 2515 long pri; 2516 } *uap = (struct a *)clwp->lwp_ap; 2517 2518 fd = (uint32_t)uap->fdes; 2519 pri = (uint32_t)uap->pri; 2520 2521 au_uwrite(au_to_arg32(1, "fd", fd)); 2522 2523 if ((fp = getf(fd)) != NULL) { 2524 fad = F2A(fp); 2525 2526 /* 2527 * read operation on this object 2528 */ 2529 fad->fad_flags |= FAD_READ; 2530 2531 /* add path name to audit record */ 2532 if (fad->fad_aupath != NULL) { 2533 au_uwrite(au_to_path(fad->fad_aupath)); 2534 } 2535 audit_attributes(fp->f_vnode); 2536 2537 releasef(fd); 2538 } 2539 2540 au_uwrite(au_to_arg32(4, "pri", pri)); 2541 } 2542 2543 /*ARGSUSED*/ 2544 static void 2545 aus_getpmsg(struct t_audit_data *tad) 2546 { 2547 klwp_t *clwp = ttolwp(curthread); 2548 uint32_t fd; 2549 struct file *fp; 2550 struct f_audit_data *fad; 2551 2552 struct a { 2553 long fdes; 2554 long ctl; /* struct strbuf * */ 2555 long data; /* struct strbuf * */ 2556 long pri; 2557 long flags; 2558 } *uap = (struct a *)clwp->lwp_ap; 2559 2560 fd = (uint32_t)uap->fdes; 2561 2562 au_uwrite(au_to_arg32(1, "fd", fd)); 2563 2564 if ((fp = getf(fd)) != NULL) { 2565 fad = F2A(fp); 2566 2567 /* 2568 * read operation on this object 2569 */ 2570 fad->fad_flags |= FAD_READ; 2571 2572 /* add path name to audit record */ 2573 if (fad->fad_aupath != NULL) { 2574 au_uwrite(au_to_path(fad->fad_aupath)); 2575 } 2576 audit_attributes(fp->f_vnode); 2577 2578 releasef(fd); 2579 } 2580 } 2581 2582 static au_event_t 2583 aui_labelsys(au_event_t e) 2584 { 2585 klwp_t *clwp = ttolwp(curthread); 2586 uint32_t code; 2587 uint32_t cmd; 2588 2589 struct a { 2590 long code; 2591 long cmd; 2592 } *uap = (struct a *)clwp->lwp_ap; 2593 2594 code = (uint32_t)uap->code; 2595 cmd = (uint32_t)uap->cmd; 2596 2597 /* not security relevant if not changing kernel cache */ 2598 if (cmd == TNDB_GET) 2599 return (AUE_NULL); 2600 2601 switch (code) { 2602 case TSOL_TNRH: 2603 e = AUE_LABELSYS_TNRH; 2604 break; 2605 case TSOL_TNRHTP: 2606 e = AUE_LABELSYS_TNRHTP; 2607 break; 2608 case TSOL_TNMLP: 2609 e = AUE_LABELSYS_TNMLP; 2610 break; 2611 default: 2612 e = AUE_NULL; 2613 break; 2614 } 2615 2616 return (e); 2617 2618 } 2619 2620 static void 2621 aus_labelsys(struct t_audit_data *tad) 2622 { 2623 klwp_t *clwp = ttolwp(curthread); 2624 uint32_t cmd; 2625 uintptr_t a2; 2626 2627 struct a { 2628 long code; 2629 long cmd; 2630 long a2; 2631 } *uap = (struct a *)clwp->lwp_ap; 2632 2633 cmd = (uint32_t)uap->cmd; 2634 a2 = (uintptr_t)uap->a2; 2635 2636 switch (tad->tad_event) { 2637 case AUE_LABELSYS_TNRH: 2638 { 2639 tsol_rhent_t *rhent; 2640 tnaddr_t *rh_addr; 2641 2642 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2643 2644 /* Remaining args don't apply for FLUSH, so skip */ 2645 if (cmd == TNDB_FLUSH) 2646 break; 2647 2648 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2649 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2650 kmem_free(rhent, sizeof (tsol_rhent_t)); 2651 return; 2652 } 2653 2654 rh_addr = &rhent->rh_address; 2655 if (rh_addr->ta_family == AF_INET) { 2656 struct in_addr *ipaddr; 2657 2658 ipaddr = &(rh_addr->ta_addr_v4); 2659 au_uwrite(au_to_in_addr(ipaddr)); 2660 } else if (rh_addr->ta_family == AF_INET6) { 2661 int32_t *ipaddr; 2662 2663 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2664 au_uwrite(au_to_in_addr_ex(ipaddr)); 2665 } 2666 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2667 2668 kmem_free(rhent, sizeof (tsol_rhent_t)); 2669 2670 break; 2671 } 2672 case AUE_LABELSYS_TNRHTP: 2673 { 2674 tsol_tpent_t *tpent; 2675 2676 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2677 2678 /* Remaining args don't apply for FLUSH, so skip */ 2679 if (cmd == TNDB_FLUSH) 2680 break; 2681 2682 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2683 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2684 kmem_free(tpent, sizeof (tsol_tpent_t)); 2685 return; 2686 } 2687 2688 /* Make sure that the template name is null-terminated. */ 2689 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2690 2691 au_uwrite(au_to_text(tpent->name)); 2692 kmem_free(tpent, sizeof (tsol_tpent_t)); 2693 2694 break; 2695 } 2696 case AUE_LABELSYS_TNMLP: 2697 { 2698 tsol_mlpent_t *mlpent; 2699 2700 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2701 2702 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2703 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2704 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2705 return; 2706 } 2707 2708 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2709 au_uwrite(au_to_text("shared")); 2710 } else { 2711 zone_t *zone; 2712 2713 zone = zone_find_by_id(mlpent->tsme_zoneid); 2714 if (zone != NULL) { 2715 au_uwrite(au_to_text(zone->zone_name)); 2716 zone_rele(zone); 2717 } 2718 } 2719 2720 /* Remaining args don't apply for FLUSH, so skip */ 2721 if (cmd == TNDB_FLUSH) { 2722 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2723 break; 2724 } 2725 2726 au_uwrite(au_to_arg32(2, "proto num", 2727 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2728 au_uwrite(au_to_arg32(2, "mlp_port", 2729 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2730 2731 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2732 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2733 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2734 2735 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2736 2737 break; 2738 } 2739 default: 2740 break; 2741 } 2742 } 2743 2744 2745 static au_event_t 2746 aui_auditsys(au_event_t e) 2747 { 2748 klwp_t *clwp = ttolwp(curthread); 2749 uint32_t code; 2750 2751 struct a { 2752 long code; 2753 long a1; 2754 long a2; 2755 long a3; 2756 long a4; 2757 long a5; 2758 long a6; 2759 long a7; 2760 } *uap = (struct a *)clwp->lwp_ap; 2761 2762 code = (uint32_t)uap->code; 2763 2764 switch (code) { 2765 2766 case BSM_GETAUID: 2767 e = AUE_GETAUID; 2768 break; 2769 case BSM_SETAUID: 2770 e = AUE_SETAUID; 2771 break; 2772 case BSM_GETAUDIT: 2773 e = AUE_GETAUDIT; 2774 break; 2775 case BSM_GETAUDIT_ADDR: 2776 e = AUE_GETAUDIT_ADDR; 2777 break; 2778 case BSM_SETAUDIT: 2779 e = AUE_SETAUDIT; 2780 break; 2781 case BSM_SETAUDIT_ADDR: 2782 e = AUE_SETAUDIT_ADDR; 2783 break; 2784 case BSM_AUDIT: 2785 e = AUE_AUDIT; 2786 break; 2787 case BSM_AUDITON: 2788 case BSM_AUDITCTL: 2789 2790 switch ((uint_t)uap->a1) { 2791 2792 case A_GETPOLICY: 2793 e = AUE_AUDITON_GPOLICY; 2794 break; 2795 case A_SETPOLICY: 2796 e = AUE_AUDITON_SPOLICY; 2797 break; 2798 case A_GETKMASK: 2799 e = AUE_AUDITON_GETKMASK; 2800 break; 2801 case A_SETKMASK: 2802 e = AUE_AUDITON_SETKMASK; 2803 break; 2804 case A_GETQCTRL: 2805 e = AUE_AUDITON_GQCTRL; 2806 break; 2807 case A_SETQCTRL: 2808 e = AUE_AUDITON_SQCTRL; 2809 break; 2810 case A_GETCWD: 2811 e = AUE_AUDITON_GETCWD; 2812 break; 2813 case A_GETCAR: 2814 e = AUE_AUDITON_GETCAR; 2815 break; 2816 case A_GETSTAT: 2817 e = AUE_AUDITON_GETSTAT; 2818 break; 2819 case A_SETSTAT: 2820 e = AUE_AUDITON_SETSTAT; 2821 break; 2822 case A_SETUMASK: 2823 e = AUE_AUDITON_SETUMASK; 2824 break; 2825 case A_SETSMASK: 2826 e = AUE_AUDITON_SETSMASK; 2827 break; 2828 case A_GETCOND: 2829 e = AUE_AUDITON_GETCOND; 2830 break; 2831 case A_SETCOND: 2832 e = AUE_AUDITON_SETCOND; 2833 break; 2834 case A_GETCLASS: 2835 e = AUE_AUDITON_GETCLASS; 2836 break; 2837 case A_SETCLASS: 2838 e = AUE_AUDITON_SETCLASS; 2839 break; 2840 default: 2841 e = AUE_NULL; 2842 break; 2843 } 2844 break; 2845 default: 2846 e = AUE_NULL; 2847 break; 2848 } 2849 2850 return (e); 2851 2852 } /* AUI_AUDITSYS */ 2853 2854 2855 static void 2856 aus_auditsys(struct t_audit_data *tad) 2857 { 2858 klwp_t *clwp = ttolwp(curthread); 2859 uintptr_t a1, a2; 2860 STRUCT_DECL(auditinfo, ainfo); 2861 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2862 au_evclass_map_t event; 2863 au_mask_t mask; 2864 int auditstate, policy; 2865 au_id_t auid; 2866 2867 2868 struct a { 2869 long code; 2870 long a1; 2871 long a2; 2872 long a3; 2873 long a4; 2874 long a5; 2875 long a6; 2876 long a7; 2877 } *uap = (struct a *)clwp->lwp_ap; 2878 2879 a1 = (uintptr_t)uap->a1; 2880 a2 = (uintptr_t)uap->a2; 2881 2882 switch (tad->tad_event) { 2883 case AUE_SETAUID: 2884 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2885 return; 2886 au_uwrite(au_to_arg32(2, "setauid", auid)); 2887 break; 2888 case AUE_SETAUDIT: 2889 STRUCT_INIT(ainfo, get_udatamodel()); 2890 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2891 STRUCT_SIZE(ainfo))) { 2892 return; 2893 } 2894 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2895 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2896 #ifdef _LP64 2897 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2898 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2899 #else 2900 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2901 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2902 #endif 2903 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2904 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2905 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2906 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2907 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2908 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2909 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2910 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2911 break; 2912 case AUE_SETAUDIT_ADDR: 2913 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2914 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2915 STRUCT_SIZE(ainfo_addr))) { 2916 return; 2917 } 2918 au_uwrite(au_to_arg32((char)1, "auid", 2919 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2920 #ifdef _LP64 2921 au_uwrite(au_to_arg64((char)1, "port", 2922 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2923 #else 2924 au_uwrite(au_to_arg32((char)1, "port", 2925 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2926 #endif 2927 au_uwrite(au_to_arg32((char)1, "type", 2928 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2929 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2930 AU_IPv4) { 2931 au_uwrite(au_to_in_addr( 2932 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2933 ai_termid.at_addr))); 2934 } else { 2935 au_uwrite(au_to_in_addr_ex( 2936 (int32_t *)STRUCT_FGETP(ainfo_addr, 2937 ai_termid.at_addr))); 2938 } 2939 au_uwrite(au_to_arg32((char)1, "as_success", 2940 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2941 au_uwrite(au_to_arg32((char)1, "as_failure", 2942 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2943 au_uwrite(au_to_arg32((char)1, "asid", 2944 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2945 break; 2946 case AUE_AUDITON_SETKMASK: 2947 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2948 return; 2949 au_uwrite(au_to_arg32( 2950 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2951 au_uwrite(au_to_arg32( 2952 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2953 break; 2954 case AUE_AUDITON_SPOLICY: 2955 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2956 return; 2957 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2958 break; 2959 case AUE_AUDITON_SQCTRL: { 2960 STRUCT_DECL(au_qctrl, qctrl); 2961 model_t model; 2962 2963 model = get_udatamodel(); 2964 STRUCT_INIT(qctrl, model); 2965 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2966 return; 2967 if (model == DATAMODEL_ILP32) { 2968 au_uwrite(au_to_arg32( 2969 3, "setqctrl:aq_hiwater", 2970 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2971 au_uwrite(au_to_arg32( 2972 3, "setqctrl:aq_lowater", 2973 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2974 au_uwrite(au_to_arg32( 2975 3, "setqctrl:aq_bufsz", 2976 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2977 au_uwrite(au_to_arg32( 2978 3, "setqctrl:aq_delay", 2979 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2980 } else { 2981 au_uwrite(au_to_arg64( 2982 3, "setqctrl:aq_hiwater", 2983 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2984 au_uwrite(au_to_arg64( 2985 3, "setqctrl:aq_lowater", 2986 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2987 au_uwrite(au_to_arg64( 2988 3, "setqctrl:aq_bufsz", 2989 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2990 au_uwrite(au_to_arg64( 2991 3, "setqctrl:aq_delay", 2992 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2993 } 2994 break; 2995 } 2996 case AUE_AUDITON_SETUMASK: 2997 STRUCT_INIT(ainfo, get_udatamodel()); 2998 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2999 STRUCT_SIZE(ainfo))) { 3000 return; 3001 } 3002 au_uwrite(au_to_arg32(3, "setumask:as_success", 3003 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3004 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3005 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3006 break; 3007 case AUE_AUDITON_SETSMASK: 3008 STRUCT_INIT(ainfo, get_udatamodel()); 3009 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3010 STRUCT_SIZE(ainfo))) { 3011 return; 3012 } 3013 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3014 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3015 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3016 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3017 break; 3018 case AUE_AUDITON_SETCOND: 3019 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3020 return; 3021 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3022 break; 3023 case AUE_AUDITON_SETCLASS: 3024 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3025 return; 3026 au_uwrite(au_to_arg32( 3027 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3028 au_uwrite(au_to_arg32( 3029 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3030 break; 3031 case AUE_GETAUID: 3032 case AUE_GETAUDIT: 3033 case AUE_GETAUDIT_ADDR: 3034 case AUE_AUDIT: 3035 case AUE_AUDITON_GPOLICY: 3036 case AUE_AUDITON_GQCTRL: 3037 case AUE_AUDITON_GETKMASK: 3038 case AUE_AUDITON_GETCWD: 3039 case AUE_AUDITON_GETCAR: 3040 case AUE_AUDITON_GETSTAT: 3041 case AUE_AUDITON_SETSTAT: 3042 case AUE_AUDITON_GETCOND: 3043 case AUE_AUDITON_GETCLASS: 3044 break; 3045 default: 3046 break; 3047 } 3048 3049 } /* AUS_AUDITSYS */ 3050 3051 3052 /* only audit privileged operations for systeminfo(2) system call */ 3053 static au_event_t 3054 aui_sysinfo(au_event_t e) 3055 { 3056 klwp_t *clwp = ttolwp(curthread); 3057 uint32_t command; 3058 3059 struct a { 3060 long command; 3061 long buf; /* char * */ 3062 long count; 3063 } *uap = (struct a *)clwp->lwp_ap; 3064 3065 command = (uint32_t)uap->command; 3066 3067 switch (command) { 3068 case SI_SET_HOSTNAME: 3069 case SI_SET_SRPC_DOMAIN: 3070 e = (au_event_t)AUE_SYSINFO; 3071 break; 3072 default: 3073 e = (au_event_t)AUE_NULL; 3074 break; 3075 } 3076 return (e); 3077 } 3078 3079 /*ARGSUSED*/ 3080 static void 3081 aus_sysinfo(struct t_audit_data *tad) 3082 { 3083 klwp_t *clwp = ttolwp(curthread); 3084 uint32_t command; 3085 size_t len, maxlen; 3086 char *name; 3087 uintptr_t buf; 3088 3089 struct a { 3090 long command; 3091 long buf; /* char * */ 3092 long count; 3093 } *uap = (struct a *)clwp->lwp_ap; 3094 3095 command = (uint32_t)uap->command; 3096 buf = (uintptr_t)uap->buf; 3097 3098 au_uwrite(au_to_arg32(1, "cmd", command)); 3099 3100 switch (command) { 3101 case SI_SET_HOSTNAME: 3102 { 3103 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3104 return; 3105 3106 maxlen = SYS_NMLN; 3107 name = kmem_alloc(maxlen, KM_SLEEP); 3108 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3109 break; 3110 3111 /* 3112 * Must be non-NULL string and string 3113 * must be less than SYS_NMLN chars. 3114 */ 3115 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3116 break; 3117 3118 au_uwrite(au_to_text(name)); 3119 break; 3120 } 3121 3122 case SI_SET_SRPC_DOMAIN: 3123 { 3124 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3125 return; 3126 3127 maxlen = SYS_NMLN; 3128 name = kmem_alloc(maxlen, KM_SLEEP); 3129 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3130 break; 3131 3132 /* 3133 * If string passed in is longer than length 3134 * allowed for domain name, fail. 3135 */ 3136 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3137 break; 3138 3139 au_uwrite(au_to_text(name)); 3140 break; 3141 } 3142 3143 default: 3144 return; 3145 } 3146 3147 kmem_free(name, maxlen); 3148 } 3149 3150 static au_event_t 3151 aui_modctl(au_event_t e) 3152 { 3153 klwp_t *clwp = ttolwp(curthread); 3154 uint_t cmd; 3155 3156 struct a { 3157 long cmd; 3158 } *uap = (struct a *)clwp->lwp_ap; 3159 3160 cmd = (uint_t)uap->cmd; 3161 3162 switch (cmd) { 3163 case MODLOAD: 3164 e = AUE_MODLOAD; 3165 break; 3166 case MODUNLOAD: 3167 e = AUE_MODUNLOAD; 3168 break; 3169 case MODADDMAJBIND: 3170 e = AUE_MODADDMAJ; 3171 break; 3172 case MODSETDEVPOLICY: 3173 e = AUE_MODDEVPLCY; 3174 break; 3175 case MODALLOCPRIV: 3176 e = AUE_MODADDPRIV; 3177 break; 3178 default: 3179 e = AUE_NULL; 3180 break; 3181 } 3182 return (e); 3183 } 3184 3185 3186 /*ARGSUSED*/ 3187 static void 3188 aus_modctl(struct t_audit_data *tad) 3189 { 3190 klwp_t *clwp = ttolwp(curthread); 3191 void *a = clwp->lwp_ap; 3192 uint_t use_path; 3193 3194 switch (tad->tad_event) { 3195 case AUE_MODLOAD: { 3196 typedef struct { 3197 long cmd; 3198 long use_path; 3199 long filename; /* char * */ 3200 } modloada_t; 3201 3202 char *filenamep; 3203 uintptr_t fname; 3204 extern char *default_path; 3205 3206 fname = (uintptr_t)((modloada_t *)a)->filename; 3207 use_path = (uint_t)((modloada_t *)a)->use_path; 3208 3209 /* space to hold path */ 3210 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3211 /* get string */ 3212 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3213 /* free allocated path */ 3214 kmem_free(filenamep, MOD_MAXPATH); 3215 return; 3216 } 3217 /* ensure it's null terminated */ 3218 filenamep[MOD_MAXPATH - 1] = 0; 3219 3220 if (use_path) 3221 au_uwrite(au_to_text(default_path)); 3222 au_uwrite(au_to_text(filenamep)); 3223 3224 /* release temporary memory */ 3225 kmem_free(filenamep, MOD_MAXPATH); 3226 break; 3227 } 3228 case AUE_MODUNLOAD: { 3229 typedef struct { 3230 long cmd; 3231 long id; 3232 } modunloada_t; 3233 3234 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3235 3236 au_uwrite(au_to_arg32(1, "id", id)); 3237 break; 3238 } 3239 case AUE_MODADDMAJ: { 3240 STRUCT_DECL(modconfig, mc); 3241 typedef struct { 3242 long cmd; 3243 long subcmd; 3244 long data; /* int * */ 3245 } modconfiga_t; 3246 3247 STRUCT_DECL(aliases, alias); 3248 caddr_t ap; 3249 int i, num_aliases; 3250 char *drvname, *mc_drvname; 3251 char *name; 3252 extern char *ddi_major_to_name(major_t); 3253 model_t model; 3254 3255 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3256 3257 model = get_udatamodel(); 3258 STRUCT_INIT(mc, model); 3259 /* sanitize buffer */ 3260 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3261 /* get user arguments */ 3262 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3263 STRUCT_SIZE(mc)) != 0) 3264 return; 3265 3266 mc_drvname = STRUCT_FGET(mc, drvname); 3267 if ((drvname = ddi_major_to_name( 3268 (major_t)STRUCT_FGET(mc, major))) != NULL && 3269 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3270 /* safety */ 3271 if (mc_drvname[0] != '\0') { 3272 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3273 au_uwrite(au_to_text(mc_drvname)); 3274 } 3275 /* drvname != NULL from test above */ 3276 au_uwrite(au_to_text(drvname)); 3277 return; 3278 } 3279 3280 if (mc_drvname[0] != '\0') { 3281 /* safety */ 3282 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3283 au_uwrite(au_to_text(mc_drvname)); 3284 } else 3285 au_uwrite(au_to_text("no drvname")); 3286 3287 num_aliases = STRUCT_FGET(mc, num_aliases); 3288 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3289 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3290 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3291 STRUCT_INIT(alias, model); 3292 for (i = 0; i < num_aliases; i++) { 3293 bzero((caddr_t)STRUCT_BUF(alias), 3294 STRUCT_SIZE(alias)); 3295 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3296 STRUCT_SIZE(alias)) != 0) 3297 break; 3298 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3299 MAXMODCONFNAME, NULL) != 0) { 3300 break; 3301 } 3302 3303 au_uwrite(au_to_text(name)); 3304 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3305 } 3306 kmem_free(name, MAXMODCONFNAME); 3307 break; 3308 } 3309 default: 3310 break; 3311 } 3312 } 3313 3314 3315 /*ARGSUSED*/ 3316 static void 3317 auf_accept( 3318 struct t_audit_data *tad, 3319 int error, 3320 rval_t *rval) 3321 { 3322 uint32_t scid; 3323 uint32_t sy_flags; 3324 int fd; 3325 struct sonode *so; 3326 char so_laddr[sizeof (struct sockaddr_in6)]; 3327 char so_faddr[sizeof (struct sockaddr_in6)]; 3328 int err; 3329 short so_family, so_type; 3330 int add_sock_token = 0; 3331 3332 /* need to determine type of executing binary */ 3333 scid = tad->tad_scid; 3334 #ifdef _SYSCALL32_IMPL 3335 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3336 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3337 else 3338 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3339 #else 3340 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3341 #endif 3342 if (sy_flags == SE_32RVAL1) 3343 fd = rval->r_val1; 3344 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3345 fd = rval->r_val1; 3346 if (sy_flags == SE_64RVAL) 3347 fd = (int)rval->r_vals; 3348 3349 if (error) { 3350 /* can't trust socket contents. Just return */ 3351 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3352 return; 3353 } 3354 3355 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3356 /* 3357 * not security relevant if doing a accept from non socket 3358 * so no extra tokens. Should probably turn off audit record 3359 * generation here. 3360 */ 3361 return; 3362 } 3363 3364 so_family = so->so_family; 3365 so_type = so->so_type; 3366 3367 switch (so_family) { 3368 case AF_INET: 3369 case AF_INET6: 3370 /* 3371 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3372 */ 3373 if (so->so_type == SOCK_STREAM) { 3374 socklen_t len; 3375 3376 bzero((void *)so_laddr, sizeof (so_laddr)); 3377 bzero((void *)so_faddr, sizeof (so_faddr)); 3378 3379 len = sizeof (so_laddr); 3380 (void) socket_getsockname(so, 3381 (struct sockaddr *)so_laddr, &len, CRED()); 3382 len = sizeof (so_faddr); 3383 (void) socket_getpeername(so, 3384 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3385 3386 add_sock_token = 1; 3387 } 3388 break; 3389 3390 default: 3391 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3392 break; 3393 } 3394 3395 releasef(fd); 3396 3397 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3398 3399 if (add_sock_token == 0) { 3400 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3401 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3402 return; 3403 } 3404 3405 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3406 3407 } 3408 3409 /*ARGSUSED*/ 3410 static void 3411 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3412 { 3413 struct a { 3414 long fd; 3415 long addr; 3416 long len; 3417 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3418 3419 struct sonode *so; 3420 char so_laddr[sizeof (struct sockaddr_in6)]; 3421 char so_faddr[sizeof (struct sockaddr_in6)]; 3422 int err, fd; 3423 socklen_t len; 3424 short so_family, so_type; 3425 int add_sock_token = 0; 3426 3427 fd = (int)uap->fd; 3428 3429 /* 3430 * bind failed, then nothing extra to add to audit record. 3431 */ 3432 if (error) { 3433 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3434 /* XXX may want to add failed address some day */ 3435 return; 3436 } 3437 3438 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3439 /* 3440 * not security relevant if doing a bind from non socket 3441 * so no extra tokens. Should probably turn off audit record 3442 * generation here. 3443 */ 3444 return; 3445 } 3446 3447 so_family = so->so_family; 3448 so_type = so->so_type; 3449 3450 switch (so_family) { 3451 case AF_INET: 3452 case AF_INET6: 3453 3454 bzero(so_faddr, sizeof (so_faddr)); 3455 len = sizeof (so_faddr); 3456 3457 (void) socket_getpeername(so, 3458 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3459 add_sock_token = 1; 3460 3461 break; 3462 3463 case AF_UNIX: 3464 /* token added by lookup */ 3465 break; 3466 default: 3467 /* AF_ROUTE, AF_KEY do not support accept */ 3468 break; 3469 } 3470 3471 releasef(fd); 3472 3473 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3474 3475 if (add_sock_token == 0) { 3476 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3477 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3478 return; 3479 } 3480 3481 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3482 3483 } 3484 3485 /*ARGSUSED*/ 3486 static void 3487 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3488 { 3489 struct a { 3490 long fd; 3491 long addr; 3492 long len; 3493 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3494 3495 struct sonode *so; 3496 char so_laddr[sizeof (struct sockaddr_in6)]; 3497 char so_faddr[sizeof (struct sockaddr_in6)]; 3498 int err, fd; 3499 socklen_t len; 3500 short so_family, so_type; 3501 int add_sock_token = 0; 3502 3503 fd = (int)uap->fd; 3504 3505 3506 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3507 /* 3508 * not security relevant if doing a connect from non socket 3509 * so no extra tokens. Should probably turn off audit record 3510 * generation here. 3511 */ 3512 return; 3513 } 3514 3515 so_family = so->so_family; 3516 so_type = so->so_type; 3517 3518 switch (so_family) { 3519 case AF_INET: 3520 case AF_INET6: 3521 3522 bzero(so_laddr, sizeof (so_laddr)); 3523 bzero(so_faddr, sizeof (so_faddr)); 3524 3525 len = sizeof (so_laddr); 3526 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3527 &len, CRED()); 3528 if (error) { 3529 if (uap->addr == NULL) 3530 break; 3531 if (uap->len <= 0) 3532 break; 3533 len = min(uap->len, sizeof (so_faddr)); 3534 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3535 break; 3536 #ifdef NOTYET 3537 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3538 #endif 3539 } else { 3540 /* sanity check on length */ 3541 len = sizeof (so_faddr); 3542 (void) socket_getpeername(so, 3543 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3544 } 3545 3546 add_sock_token = 1; 3547 3548 break; 3549 3550 case AF_UNIX: 3551 /* does a lookup on name */ 3552 break; 3553 3554 default: 3555 /* AF_ROUTE, AF_KEY do not support accept */ 3556 break; 3557 } 3558 3559 releasef(fd); 3560 3561 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3562 3563 if (add_sock_token == 0) { 3564 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3565 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3566 return; 3567 } 3568 3569 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3570 3571 } 3572 3573 /*ARGSUSED*/ 3574 static void 3575 aus_shutdown(struct t_audit_data *tad) 3576 { 3577 struct a { 3578 long fd; 3579 long how; 3580 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3581 3582 struct sonode *so; 3583 char so_laddr[sizeof (struct sockaddr_in6)]; 3584 char so_faddr[sizeof (struct sockaddr_in6)]; 3585 int err, fd; 3586 socklen_t len; 3587 short so_family, so_type; 3588 int add_sock_token = 0; 3589 file_t *fp; /* unix domain sockets */ 3590 struct f_audit_data *fad; /* unix domain sockets */ 3591 3592 fd = (int)uap->fd; 3593 3594 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3595 /* 3596 * not security relevant if doing a shutdown using non socket 3597 * so no extra tokens. Should probably turn off audit record 3598 * generation here. 3599 */ 3600 return; 3601 } 3602 3603 so_family = so->so_family; 3604 so_type = so->so_type; 3605 3606 switch (so_family) { 3607 case AF_INET: 3608 case AF_INET6: 3609 3610 bzero(so_laddr, sizeof (so_laddr)); 3611 bzero(so_faddr, sizeof (so_faddr)); 3612 3613 len = sizeof (so_laddr); 3614 (void) socket_getsockname(so, 3615 (struct sockaddr *)so_laddr, &len, CRED()); 3616 len = sizeof (so_faddr); 3617 (void) socket_getpeername(so, 3618 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3619 3620 add_sock_token = 1; 3621 3622 break; 3623 3624 case AF_UNIX: 3625 3626 /* get path from file struct here */ 3627 fad = F2A(fp); 3628 ASSERT(fad); 3629 3630 if (fad->fad_aupath != NULL) { 3631 au_uwrite(au_to_path(fad->fad_aupath)); 3632 } else { 3633 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3634 } 3635 3636 audit_attributes(fp->f_vnode); 3637 3638 break; 3639 3640 default: 3641 /* 3642 * AF_KEY and AF_ROUTE support shutdown. No socket token 3643 * added. 3644 */ 3645 break; 3646 } 3647 3648 releasef(fd); 3649 3650 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3651 3652 if (add_sock_token == 0) { 3653 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3654 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3655 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3656 return; 3657 } 3658 3659 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3660 3661 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3662 3663 } 3664 3665 /*ARGSUSED*/ 3666 static void 3667 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3668 { 3669 struct a { 3670 long fd; 3671 long level; 3672 long optname; 3673 long *optval; 3674 long optlen; 3675 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3676 3677 struct sonode *so; 3678 char so_laddr[sizeof (struct sockaddr_in6)]; 3679 char so_faddr[sizeof (struct sockaddr_in6)]; 3680 char val[AU_BUFSIZE]; 3681 int err, fd; 3682 socklen_t len; 3683 short so_family, so_type; 3684 int add_sock_token = 0; 3685 file_t *fp; /* unix domain sockets */ 3686 struct f_audit_data *fad; /* unix domain sockets */ 3687 3688 fd = (int)uap->fd; 3689 3690 if (error) { 3691 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3692 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3693 /* XXX may want to include other arguments */ 3694 return; 3695 } 3696 3697 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3698 /* 3699 * not security relevant if doing a setsockopt from non socket 3700 * so no extra tokens. Should probably turn off audit record 3701 * generation here. 3702 */ 3703 return; 3704 } 3705 3706 so_family = so->so_family; 3707 so_type = so->so_type; 3708 3709 switch (so_family) { 3710 case AF_INET: 3711 case AF_INET6: 3712 bzero((void *)so_laddr, sizeof (so_laddr)); 3713 bzero((void *)so_faddr, sizeof (so_faddr)); 3714 3715 /* get local and foreign addresses */ 3716 len = sizeof (so_laddr); 3717 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3718 &len, CRED()); 3719 len = sizeof (so_faddr); 3720 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3721 &len, B_FALSE, CRED()); 3722 3723 add_sock_token = 1; 3724 3725 break; 3726 3727 case AF_UNIX: 3728 3729 /* get path from file struct here */ 3730 fad = F2A(fp); 3731 ASSERT(fad); 3732 3733 if (fad->fad_aupath != NULL) { 3734 au_uwrite(au_to_path(fad->fad_aupath)); 3735 } else { 3736 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3737 } 3738 3739 audit_attributes(fp->f_vnode); 3740 3741 break; 3742 3743 default: 3744 /* 3745 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3746 * added. 3747 */ 3748 break; 3749 } 3750 3751 releasef(fd); 3752 3753 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3754 3755 if (add_sock_token == 0) { 3756 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3757 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3758 } 3759 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3760 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3761 3762 bzero(val, sizeof (val)); 3763 len = min(uap->optlen, sizeof (val)); 3764 if ((len > 0) && 3765 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3766 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3767 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3768 } 3769 3770 if (add_sock_token == 0) 3771 return; 3772 3773 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3774 3775 } 3776 3777 /*ARGSUSED*/ 3778 static void 3779 aus_sockconfig(tad) 3780 struct t_audit_data *tad; 3781 { 3782 struct a { 3783 long domain; 3784 long type; 3785 long protocol; 3786 long devpath; 3787 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3788 3789 char *kdevpath; 3790 int kdevpathlen = MAXPATHLEN + 1; 3791 size_t size; 3792 3793 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3794 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3795 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3796 3797 if (uap->devpath == 0) { 3798 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3799 } else { 3800 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3801 3802 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3803 &size)) { 3804 kmem_free(kdevpath, kdevpathlen); 3805 return; 3806 } 3807 3808 if (size > MAXPATHLEN) { 3809 kmem_free(kdevpath, kdevpathlen); 3810 return; 3811 } 3812 3813 au_uwrite(au_to_text(kdevpath)); 3814 kmem_free(kdevpath, kdevpathlen); 3815 } 3816 } 3817 3818 /* 3819 * only audit recvmsg when the system call represents the creation of a new 3820 * circuit. This effectively occurs for all UDP packets and may occur for 3821 * special TCP situations where the local host has not set a local address 3822 * in the socket structure. 3823 */ 3824 /*ARGSUSED*/ 3825 static void 3826 auf_recvmsg( 3827 struct t_audit_data *tad, 3828 int error, 3829 rval_t *rvp) 3830 { 3831 struct a { 3832 long fd; 3833 long msg; /* struct msghdr */ 3834 long flags; 3835 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3836 3837 struct sonode *so; 3838 STRUCT_DECL(msghdr, msg); 3839 caddr_t msg_name; 3840 socklen_t msg_namelen; 3841 int fd; 3842 int err; 3843 char so_laddr[sizeof (struct sockaddr_in6)]; 3844 char so_faddr[sizeof (struct sockaddr_in6)]; 3845 socklen_t len; 3846 file_t *fp; /* unix domain sockets */ 3847 struct f_audit_data *fad; /* unix domain sockets */ 3848 short so_family, so_type; 3849 int add_sock_token = 0; 3850 au_kcontext_t *kctx = GET_KCTX_PZ; 3851 3852 fd = (int)uap->fd; 3853 3854 /* bail if an error */ 3855 if (error) { 3856 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3857 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3858 return; 3859 } 3860 3861 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3862 /* 3863 * not security relevant if doing a recvmsg from non socket 3864 * so no extra tokens. Should probably turn off audit record 3865 * generation here. 3866 */ 3867 return; 3868 } 3869 3870 so_family = so->so_family; 3871 so_type = so->so_type; 3872 3873 /* 3874 * only putout SOCKET_EX token if INET/INET6 family. 3875 * XXX - what do we do about other families? 3876 */ 3877 3878 switch (so_family) { 3879 case AF_INET: 3880 case AF_INET6: 3881 3882 /* 3883 * if datagram type socket, then just use what is in 3884 * socket structure for local address. 3885 * XXX - what do we do for other types? 3886 */ 3887 if ((so->so_type == SOCK_DGRAM) || 3888 (so->so_type == SOCK_RAW)) { 3889 add_sock_token = 1; 3890 3891 bzero((void *)so_laddr, sizeof (so_laddr)); 3892 bzero((void *)so_faddr, sizeof (so_faddr)); 3893 3894 /* get local address */ 3895 len = sizeof (so_laddr); 3896 (void) socket_getsockname(so, 3897 (struct sockaddr *)so_laddr, &len, CRED()); 3898 3899 /* get peer address */ 3900 STRUCT_INIT(msg, get_udatamodel()); 3901 3902 if (copyin((caddr_t)(uap->msg), 3903 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3904 break; 3905 } 3906 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3907 if (msg_name == NULL) { 3908 break; 3909 } 3910 3911 /* length is value from recvmsg - sanity check */ 3912 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3913 if (msg_namelen == 0) { 3914 break; 3915 } 3916 if (copyin(msg_name, so_faddr, 3917 sizeof (so_faddr)) != 0) { 3918 break; 3919 } 3920 3921 } else if (so->so_type == SOCK_STREAM) { 3922 3923 /* get path from file struct here */ 3924 fad = F2A(fp); 3925 ASSERT(fad); 3926 3927 /* 3928 * already processed this file for read attempt 3929 */ 3930 if (fad->fad_flags & FAD_READ) { 3931 /* don't want to audit every recvmsg attempt */ 3932 tad->tad_flag = 0; 3933 /* free any residual audit data */ 3934 au_close(kctx, &(u_ad), 0, 0, 0); 3935 releasef(fd); 3936 return; 3937 } 3938 /* 3939 * mark things so we know what happened and don't 3940 * repeat things 3941 */ 3942 fad->fad_flags |= FAD_READ; 3943 3944 bzero((void *)so_laddr, sizeof (so_laddr)); 3945 bzero((void *)so_faddr, sizeof (so_faddr)); 3946 3947 /* get local and foreign addresses */ 3948 len = sizeof (so_laddr); 3949 (void) socket_getsockname(so, 3950 (struct sockaddr *)so_laddr, &len, CRED()); 3951 len = sizeof (so_faddr); 3952 (void) socket_getpeername(so, 3953 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3954 3955 add_sock_token = 1; 3956 } 3957 3958 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3959 3960 break; 3961 3962 case AF_UNIX: 3963 /* 3964 * first check if this is first time through. Too much 3965 * duplicate code to put this in an aui_ routine. 3966 */ 3967 3968 /* get path from file struct here */ 3969 fad = F2A(fp); 3970 ASSERT(fad); 3971 3972 /* 3973 * already processed this file for read attempt 3974 */ 3975 if (fad->fad_flags & FAD_READ) { 3976 releasef(fd); 3977 /* don't want to audit every recvmsg attempt */ 3978 tad->tad_flag = 0; 3979 /* free any residual audit data */ 3980 au_close(kctx, &(u_ad), 0, 0, 0); 3981 return; 3982 } 3983 /* 3984 * mark things so we know what happened and don't 3985 * repeat things 3986 */ 3987 fad->fad_flags |= FAD_READ; 3988 3989 if (fad->fad_aupath != NULL) { 3990 au_uwrite(au_to_path(fad->fad_aupath)); 3991 } else { 3992 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3993 } 3994 3995 audit_attributes(fp->f_vnode); 3996 3997 releasef(fd); 3998 3999 return; 4000 4001 default: 4002 break; 4003 4004 } 4005 4006 releasef(fd); 4007 4008 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4009 4010 if (add_sock_token == 0) { 4011 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4012 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4013 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4014 return; 4015 } 4016 4017 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4018 4019 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4020 4021 } 4022 4023 /*ARGSUSED*/ 4024 static void 4025 auf_recvfrom( 4026 struct t_audit_data *tad, 4027 int error, 4028 rval_t *rvp) 4029 { 4030 4031 struct a { 4032 long fd; 4033 long msg; /* char */ 4034 long len; 4035 long flags; 4036 long from; /* struct sockaddr */ 4037 long fromlen; 4038 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4039 4040 socklen_t fromlen; 4041 struct sonode *so; 4042 char so_laddr[sizeof (struct sockaddr_in6)]; 4043 char so_faddr[sizeof (struct sockaddr_in6)]; 4044 int fd; 4045 short so_family, so_type; 4046 int add_sock_token = 0; 4047 socklen_t len; 4048 int err; 4049 struct file *fp; 4050 struct f_audit_data *fad; /* unix domain sockets */ 4051 au_kcontext_t *kctx = GET_KCTX_PZ; 4052 4053 fd = (int)uap->fd; 4054 4055 /* bail if an error */ 4056 if (error) { 4057 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4058 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4059 return; 4060 } 4061 4062 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4063 /* 4064 * not security relevant if doing a recvmsg from non socket 4065 * so no extra tokens. Should probably turn off audit record 4066 * generation here. 4067 */ 4068 return; 4069 } 4070 4071 so_family = so->so_family; 4072 so_type = so->so_type; 4073 4074 /* 4075 * only putout SOCKET_EX token if INET/INET6 family. 4076 * XXX - what do we do about other families? 4077 */ 4078 4079 switch (so_family) { 4080 case AF_INET: 4081 case AF_INET6: 4082 4083 /* 4084 * if datagram type socket, then just use what is in 4085 * socket structure for local address. 4086 * XXX - what do we do for other types? 4087 */ 4088 if ((so->so_type == SOCK_DGRAM) || 4089 (so->so_type == SOCK_RAW)) { 4090 add_sock_token = 1; 4091 4092 /* get local address */ 4093 len = sizeof (so_laddr); 4094 (void) socket_getsockname(so, 4095 (struct sockaddr *)so_laddr, &len, CRED()); 4096 4097 /* get peer address */ 4098 bzero((void *)so_faddr, sizeof (so_faddr)); 4099 4100 /* sanity check */ 4101 if (uap->from == NULL) 4102 break; 4103 4104 /* sanity checks */ 4105 if (uap->fromlen == 0) 4106 break; 4107 4108 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4109 sizeof (fromlen)) != 0) 4110 break; 4111 4112 if (fromlen == 0) 4113 break; 4114 4115 /* enforce maximum size */ 4116 if (fromlen > sizeof (so_faddr)) 4117 fromlen = sizeof (so_faddr); 4118 4119 if (copyin((caddr_t)(uap->from), so_faddr, 4120 fromlen) != 0) 4121 break; 4122 4123 } else if (so->so_type == SOCK_STREAM) { 4124 4125 /* get path from file struct here */ 4126 fad = F2A(fp); 4127 ASSERT(fad); 4128 4129 /* 4130 * already processed this file for read attempt 4131 */ 4132 if (fad->fad_flags & FAD_READ) { 4133 /* don't want to audit every recvfrom attempt */ 4134 tad->tad_flag = 0; 4135 /* free any residual audit data */ 4136 au_close(kctx, &(u_ad), 0, 0, 0); 4137 releasef(fd); 4138 return; 4139 } 4140 /* 4141 * mark things so we know what happened and don't 4142 * repeat things 4143 */ 4144 fad->fad_flags |= FAD_READ; 4145 4146 bzero((void *)so_laddr, sizeof (so_laddr)); 4147 bzero((void *)so_faddr, sizeof (so_faddr)); 4148 4149 /* get local and foreign addresses */ 4150 len = sizeof (so_laddr); 4151 (void) socket_getsockname(so, 4152 (struct sockaddr *)so_laddr, &len, CRED()); 4153 len = sizeof (so_faddr); 4154 (void) socket_getpeername(so, 4155 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4156 4157 add_sock_token = 1; 4158 } 4159 4160 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4161 4162 break; 4163 4164 case AF_UNIX: 4165 /* 4166 * first check if this is first time through. Too much 4167 * duplicate code to put this in an aui_ routine. 4168 */ 4169 4170 /* get path from file struct here */ 4171 fad = F2A(fp); 4172 ASSERT(fad); 4173 4174 /* 4175 * already processed this file for read attempt 4176 */ 4177 if (fad->fad_flags & FAD_READ) { 4178 /* don't want to audit every recvfrom attempt */ 4179 tad->tad_flag = 0; 4180 /* free any residual audit data */ 4181 au_close(kctx, &(u_ad), 0, 0, 0); 4182 releasef(fd); 4183 return; 4184 } 4185 /* 4186 * mark things so we know what happened and don't 4187 * repeat things 4188 */ 4189 fad->fad_flags |= FAD_READ; 4190 4191 if (fad->fad_aupath != NULL) { 4192 au_uwrite(au_to_path(fad->fad_aupath)); 4193 } else { 4194 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4195 } 4196 4197 audit_attributes(fp->f_vnode); 4198 4199 releasef(fd); 4200 4201 return; 4202 4203 default: 4204 break; 4205 4206 } 4207 4208 releasef(fd); 4209 4210 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4211 4212 if (add_sock_token == 0) { 4213 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4214 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4215 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4216 return; 4217 } 4218 4219 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4220 4221 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4222 } 4223 4224 /*ARGSUSED*/ 4225 static void 4226 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4227 { 4228 struct a { 4229 long fd; 4230 long msg; /* struct msghdr */ 4231 long flags; 4232 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4233 4234 struct sonode *so; 4235 char so_laddr[sizeof (struct sockaddr_in6)]; 4236 char so_faddr[sizeof (struct sockaddr_in6)]; 4237 int err; 4238 int fd; 4239 short so_family, so_type; 4240 int add_sock_token = 0; 4241 socklen_t len; 4242 struct file *fp; 4243 struct f_audit_data *fad; 4244 caddr_t msg_name; 4245 socklen_t msg_namelen; 4246 STRUCT_DECL(msghdr, msg); 4247 au_kcontext_t *kctx = GET_KCTX_PZ; 4248 4249 fd = (int)uap->fd; 4250 4251 /* bail if an error */ 4252 if (error) { 4253 /* XXX include destination address from system call arguments */ 4254 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4255 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4256 return; 4257 } 4258 4259 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4260 /* 4261 * not security relevant if doing a sendmsg from non socket 4262 * so no extra tokens. Should probably turn off audit record 4263 * generation here. 4264 */ 4265 return; 4266 } 4267 4268 so_family = so->so_family; 4269 so_type = so->so_type; 4270 4271 switch (so_family) { 4272 case AF_INET: 4273 case AF_INET6: 4274 /* 4275 * if datagram type socket, then just use what is in 4276 * socket structure for local address. 4277 * XXX - what do we do for other types? 4278 */ 4279 if ((so->so_type == SOCK_DGRAM) || 4280 (so->so_type == SOCK_RAW)) { 4281 4282 bzero((void *)so_laddr, sizeof (so_laddr)); 4283 bzero((void *)so_faddr, sizeof (so_faddr)); 4284 4285 /* get local address */ 4286 len = sizeof (so_laddr); 4287 (void) socket_getsockname(so, 4288 (struct sockaddr *)so_laddr, &len, CRED()); 4289 4290 /* get peer address */ 4291 STRUCT_INIT(msg, get_udatamodel()); 4292 4293 if (copyin((caddr_t)(uap->msg), 4294 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4295 break; 4296 } 4297 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4298 if (msg_name == NULL) 4299 break; 4300 4301 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4302 /* length is value from recvmsg - sanity check */ 4303 if (msg_namelen == 0) 4304 break; 4305 4306 if (copyin(msg_name, so_faddr, 4307 sizeof (so_faddr)) != 0) 4308 break; 4309 4310 add_sock_token = 1; 4311 4312 } else if (so->so_type == SOCK_STREAM) { 4313 4314 /* get path from file struct here */ 4315 fad = F2A(fp); 4316 ASSERT(fad); 4317 4318 /* 4319 * already processed this file for write attempt 4320 */ 4321 if (fad->fad_flags & FAD_WRITE) { 4322 releasef(fd); 4323 /* don't want to audit every sendmsg attempt */ 4324 tad->tad_flag = 0; 4325 /* free any residual audit data */ 4326 au_close(kctx, &(u_ad), 0, 0, 0); 4327 return; 4328 } 4329 4330 /* 4331 * mark things so we know what happened and don't 4332 * repeat things 4333 */ 4334 fad->fad_flags |= FAD_WRITE; 4335 4336 bzero((void *)so_laddr, sizeof (so_laddr)); 4337 bzero((void *)so_faddr, sizeof (so_faddr)); 4338 4339 /* get local and foreign addresses */ 4340 len = sizeof (so_laddr); 4341 (void) socket_getsockname(so, 4342 (struct sockaddr *)so_laddr, &len, CRED()); 4343 len = sizeof (so_faddr); 4344 (void) socket_getpeername(so, 4345 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4346 4347 add_sock_token = 1; 4348 } 4349 4350 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4351 4352 break; 4353 4354 case AF_UNIX: 4355 /* 4356 * first check if this is first time through. Too much 4357 * duplicate code to put this in an aui_ routine. 4358 */ 4359 4360 /* get path from file struct here */ 4361 fad = F2A(fp); 4362 ASSERT(fad); 4363 4364 /* 4365 * already processed this file for write attempt 4366 */ 4367 if (fad->fad_flags & FAD_WRITE) { 4368 releasef(fd); 4369 /* don't want to audit every sendmsg attempt */ 4370 tad->tad_flag = 0; 4371 /* free any residual audit data */ 4372 au_close(kctx, &(u_ad), 0, 0, 0); 4373 return; 4374 } 4375 /* 4376 * mark things so we know what happened and don't 4377 * repeat things 4378 */ 4379 fad->fad_flags |= FAD_WRITE; 4380 4381 if (fad->fad_aupath != NULL) { 4382 au_uwrite(au_to_path(fad->fad_aupath)); 4383 } else { 4384 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4385 } 4386 4387 audit_attributes(fp->f_vnode); 4388 4389 releasef(fd); 4390 4391 return; 4392 4393 default: 4394 break; 4395 } 4396 4397 releasef(fd); 4398 4399 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4400 4401 if (add_sock_token == 0) { 4402 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4403 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4404 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4405 return; 4406 } 4407 4408 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4409 4410 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4411 } 4412 4413 /*ARGSUSED*/ 4414 static void 4415 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4416 { 4417 struct a { 4418 long fd; 4419 long msg; /* char */ 4420 long len; 4421 long flags; 4422 long to; /* struct sockaddr */ 4423 long tolen; 4424 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4425 4426 struct sonode *so; 4427 char so_laddr[sizeof (struct sockaddr_in6)]; 4428 char so_faddr[sizeof (struct sockaddr_in6)]; 4429 socklen_t tolen; 4430 int err; 4431 int fd; 4432 socklen_t len; 4433 short so_family, so_type; 4434 int add_sock_token = 0; 4435 struct file *fp; 4436 struct f_audit_data *fad; 4437 au_kcontext_t *kctx = GET_KCTX_PZ; 4438 4439 fd = (int)uap->fd; 4440 4441 /* bail if an error */ 4442 if (error) { 4443 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4444 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4445 /* XXX include destination address from system call arguments */ 4446 return; 4447 } 4448 4449 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4450 /* 4451 * not security relevant if doing a sendto using non socket 4452 * so no extra tokens. Should probably turn off audit record 4453 * generation here. 4454 */ 4455 return; 4456 } 4457 4458 so_family = so->so_family; 4459 so_type = so->so_type; 4460 4461 /* 4462 * only putout SOCKET_EX token if INET/INET6 family. 4463 * XXX - what do we do about other families? 4464 */ 4465 4466 switch (so_family) { 4467 case AF_INET: 4468 case AF_INET6: 4469 4470 /* 4471 * if datagram type socket, then just use what is in 4472 * socket structure for local address. 4473 * XXX - what do we do for other types? 4474 */ 4475 if ((so->so_type == SOCK_DGRAM) || 4476 (so->so_type == SOCK_RAW)) { 4477 4478 bzero((void *)so_laddr, sizeof (so_laddr)); 4479 bzero((void *)so_faddr, sizeof (so_faddr)); 4480 4481 /* get local address */ 4482 len = sizeof (so_laddr); 4483 (void) socket_getsockname(so, 4484 (struct sockaddr *)so_laddr, &len, CRED()); 4485 4486 /* get peer address */ 4487 4488 /* sanity check */ 4489 if (uap->to == NULL) 4490 break; 4491 4492 /* sanity checks */ 4493 if (uap->tolen == 0) 4494 break; 4495 4496 tolen = (socklen_t)uap->tolen; 4497 4498 /* enforce maximum size */ 4499 if (tolen > sizeof (so_faddr)) 4500 tolen = sizeof (so_faddr); 4501 4502 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4503 break; 4504 4505 add_sock_token = 1; 4506 } else { 4507 /* 4508 * check if this is first time through. 4509 */ 4510 4511 /* get path from file struct here */ 4512 fad = F2A(fp); 4513 ASSERT(fad); 4514 4515 /* 4516 * already processed this file for write attempt 4517 */ 4518 if (fad->fad_flags & FAD_WRITE) { 4519 /* don't want to audit every sendto attempt */ 4520 tad->tad_flag = 0; 4521 /* free any residual audit data */ 4522 au_close(kctx, &(u_ad), 0, 0, 0); 4523 releasef(fd); 4524 return; 4525 } 4526 /* 4527 * mark things so we know what happened and don't 4528 * repeat things 4529 */ 4530 fad->fad_flags |= FAD_WRITE; 4531 4532 bzero((void *)so_laddr, sizeof (so_laddr)); 4533 bzero((void *)so_faddr, sizeof (so_faddr)); 4534 4535 /* get local and foreign addresses */ 4536 len = sizeof (so_laddr); 4537 (void) socket_getsockname(so, 4538 (struct sockaddr *)so_laddr, &len, CRED()); 4539 len = sizeof (so_faddr); 4540 (void) socket_getpeername(so, 4541 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4542 4543 add_sock_token = 1; 4544 } 4545 4546 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4547 4548 break; 4549 4550 case AF_UNIX: 4551 /* 4552 * first check if this is first time through. Too much 4553 * duplicate code to put this in an aui_ routine. 4554 */ 4555 4556 /* get path from file struct here */ 4557 fad = F2A(fp); 4558 ASSERT(fad); 4559 4560 /* 4561 * already processed this file for write attempt 4562 */ 4563 if (fad->fad_flags & FAD_WRITE) { 4564 /* don't want to audit every sendto attempt */ 4565 tad->tad_flag = 0; 4566 /* free any residual audit data */ 4567 au_close(kctx, &(u_ad), 0, 0, 0); 4568 releasef(fd); 4569 return; 4570 } 4571 /* 4572 * mark things so we know what happened and don't 4573 * repeat things 4574 */ 4575 fad->fad_flags |= FAD_WRITE; 4576 4577 if (fad->fad_aupath != NULL) { 4578 au_uwrite(au_to_path(fad->fad_aupath)); 4579 } else { 4580 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4581 } 4582 4583 audit_attributes(fp->f_vnode); 4584 4585 releasef(fd); 4586 4587 return; 4588 4589 default: 4590 break; 4591 4592 } 4593 4594 releasef(fd); 4595 4596 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4597 4598 if (add_sock_token == 0) { 4599 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4600 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4601 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4602 return; 4603 } 4604 4605 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4606 4607 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4608 4609 } 4610 4611 /* 4612 * XXX socket(2) may be equivalent to open(2) on a unix domain 4613 * socket. This needs investigation. 4614 */ 4615 4616 /*ARGSUSED*/ 4617 static void 4618 aus_socket(struct t_audit_data *tad) 4619 { 4620 struct a { 4621 long domain; 4622 long type; 4623 long protocol; 4624 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4625 4626 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4627 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4628 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4629 } 4630 4631 /*ARGSUSED*/ 4632 static void 4633 aus_sigqueue(struct t_audit_data *tad) 4634 { 4635 struct a { 4636 long pid; 4637 long signo; 4638 long *val; 4639 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4640 struct proc *p; 4641 uid_t uid, ruid; 4642 gid_t gid, rgid; 4643 pid_t pid; 4644 const auditinfo_addr_t *ainfo; 4645 cred_t *cr; 4646 4647 pid = (pid_t)uap->pid; 4648 4649 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4650 if (pid > 0) { 4651 mutex_enter(&pidlock); 4652 if ((p = prfind(pid)) == (struct proc *)0) { 4653 mutex_exit(&pidlock); 4654 return; 4655 } 4656 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4657 mutex_exit(&pidlock); 4658 4659 mutex_enter(&p->p_crlock); 4660 crhold(cr = p->p_cred); 4661 mutex_exit(&p->p_crlock); 4662 mutex_exit(&p->p_lock); 4663 4664 ainfo = crgetauinfo(cr); 4665 if (ainfo == NULL) { 4666 crfree(cr); 4667 return; 4668 } 4669 4670 uid = crgetuid(cr); 4671 gid = crgetgid(cr); 4672 ruid = crgetruid(cr); 4673 rgid = crgetrgid(cr); 4674 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4675 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4676 crfree(cr); 4677 } 4678 else 4679 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4680 } 4681 4682 /*ARGSUSED*/ 4683 static void 4684 aus_inst_sync(struct t_audit_data *tad) 4685 { 4686 struct a { 4687 long name; /* char */ 4688 long flags; 4689 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4690 4691 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4692 } 4693 4694 /*ARGSUSED*/ 4695 static void 4696 aus_brandsys(struct t_audit_data *tad) 4697 { 4698 klwp_t *clwp = ttolwp(curthread); 4699 4700 struct a { 4701 long cmd; 4702 long arg1; 4703 long arg2; 4704 long arg3; 4705 long arg4; 4706 long arg5; 4707 long arg6; 4708 } *uap = (struct a *)clwp->lwp_ap; 4709 4710 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4711 #ifdef _LP64 4712 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4713 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4714 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4715 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4716 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4717 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4718 #else 4719 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4720 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4721 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4722 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4723 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4724 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4725 #endif 4726 } 4727 4728 /*ARGSUSED*/ 4729 static void 4730 aus_p_online(struct t_audit_data *tad) 4731 { 4732 struct a { 4733 long processor_id; 4734 long flag; 4735 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4736 4737 struct flags { 4738 int flag; 4739 char *cflag; 4740 } aflags[6] = { 4741 { P_ONLINE, "P_ONLINE"}, 4742 { P_OFFLINE, "P_OFFLINE"}, 4743 { P_NOINTR, "P_NOINTR"}, 4744 { P_SPARE, "P_SPARE"}, 4745 { P_FAULTED, "P_FAULTED"}, 4746 { P_STATUS, "P_STATUS"} 4747 }; 4748 int i; 4749 char *cflag; 4750 4751 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4752 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4753 4754 for (i = 0; i < 6; i++) { 4755 if (aflags[i].flag == uap->flag) 4756 break; 4757 } 4758 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4759 4760 au_uwrite(au_to_text(cflag)); 4761 } 4762 4763 /*ARGSUSED*/ 4764 static void 4765 aus_processor_bind(struct t_audit_data *tad) 4766 { 4767 struct a { 4768 long id_type; 4769 long id; 4770 long processor_id; 4771 long obind; 4772 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4773 4774 struct proc *p; 4775 int lwpcnt; 4776 uid_t uid, ruid; 4777 gid_t gid, rgid; 4778 pid_t pid; 4779 const auditinfo_addr_t *ainfo; 4780 cred_t *cr; 4781 4782 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4783 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4784 if (uap->processor_id == PBIND_NONE) 4785 au_uwrite(au_to_text("PBIND_NONE")); 4786 else 4787 au_uwrite(au_to_arg32(3, "processor_id", 4788 (uint32_t)uap->processor_id)); 4789 4790 switch (uap->id_type) { 4791 case P_MYID: 4792 case P_LWPID: 4793 mutex_enter(&pidlock); 4794 p = ttoproc(curthread); 4795 if (p == NULL || p->p_as == &kas) { 4796 mutex_exit(&pidlock); 4797 return; 4798 } 4799 mutex_enter(&p->p_lock); 4800 mutex_exit(&pidlock); 4801 lwpcnt = p->p_lwpcnt; 4802 pid = p->p_pid; 4803 4804 mutex_enter(&p->p_crlock); 4805 crhold(cr = p->p_cred); 4806 mutex_exit(&p->p_crlock); 4807 mutex_exit(&p->p_lock); 4808 4809 ainfo = crgetauinfo(cr); 4810 if (ainfo == NULL) { 4811 crfree(cr); 4812 return; 4813 } 4814 4815 uid = crgetuid(cr); 4816 gid = crgetgid(cr); 4817 ruid = crgetruid(cr); 4818 rgid = crgetrgid(cr); 4819 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4820 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4821 crfree(cr); 4822 break; 4823 case P_PID: 4824 mutex_enter(&pidlock); 4825 p = prfind(uap->id); 4826 if (p == NULL || p->p_as == &kas) { 4827 mutex_exit(&pidlock); 4828 return; 4829 } 4830 mutex_enter(&p->p_lock); 4831 mutex_exit(&pidlock); 4832 lwpcnt = p->p_lwpcnt; 4833 pid = p->p_pid; 4834 4835 mutex_enter(&p->p_crlock); 4836 crhold(cr = p->p_cred); 4837 mutex_exit(&p->p_crlock); 4838 mutex_exit(&p->p_lock); 4839 4840 ainfo = crgetauinfo(cr); 4841 if (ainfo == NULL) { 4842 crfree(cr); 4843 return; 4844 } 4845 4846 uid = crgetuid(cr); 4847 gid = crgetgid(cr); 4848 ruid = crgetruid(cr); 4849 rgid = crgetrgid(cr); 4850 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4851 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4852 crfree(cr); 4853 4854 break; 4855 default: 4856 return; 4857 } 4858 4859 if (uap->processor_id == PBIND_NONE && 4860 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4861 au_uwrite(au_to_text("PBIND_NONE for process")); 4862 else 4863 au_uwrite(au_to_arg32(3, "processor_id", 4864 (uint32_t)uap->processor_id)); 4865 } 4866 4867 /*ARGSUSED*/ 4868 static au_event_t 4869 aui_doorfs(au_event_t e) 4870 { 4871 uint32_t code; 4872 4873 struct a { /* doorfs */ 4874 long a1; 4875 long a2; 4876 long a3; 4877 long a4; 4878 long a5; 4879 long code; 4880 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4881 4882 /* 4883 * audit formats for several of the 4884 * door calls have not yet been determined 4885 */ 4886 code = (uint32_t)uap->code; 4887 switch (code) { 4888 case DOOR_CALL: 4889 e = AUE_DOORFS_DOOR_CALL; 4890 break; 4891 case DOOR_RETURN: 4892 e = AUE_NULL; 4893 break; 4894 case DOOR_CREATE: 4895 e = AUE_DOORFS_DOOR_CREATE; 4896 break; 4897 case DOOR_REVOKE: 4898 e = AUE_DOORFS_DOOR_REVOKE; 4899 break; 4900 case DOOR_INFO: 4901 e = AUE_NULL; 4902 break; 4903 case DOOR_UCRED: 4904 e = AUE_NULL; 4905 break; 4906 case DOOR_BIND: 4907 e = AUE_NULL; 4908 break; 4909 case DOOR_UNBIND: 4910 e = AUE_NULL; 4911 break; 4912 case DOOR_GETPARAM: 4913 e = AUE_NULL; 4914 break; 4915 case DOOR_SETPARAM: 4916 e = AUE_NULL; 4917 break; 4918 default: /* illegal system call */ 4919 e = AUE_NULL; 4920 break; 4921 } 4922 4923 return (e); 4924 } 4925 4926 static door_node_t * 4927 au_door_lookup(int did) 4928 { 4929 vnode_t *vp; 4930 file_t *fp; 4931 4932 if ((fp = getf(did)) == NULL) 4933 return (NULL); 4934 /* 4935 * Use the underlying vnode (we may be namefs mounted) 4936 */ 4937 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 4938 vp = fp->f_vnode; 4939 4940 if (vp == NULL || vp->v_type != VDOOR) { 4941 releasef(did); 4942 return (NULL); 4943 } 4944 4945 return (VTOD(vp)); 4946 } 4947 4948 /*ARGSUSED*/ 4949 static void 4950 aus_doorfs(struct t_audit_data *tad) 4951 { 4952 4953 struct a { /* doorfs */ 4954 long a1; 4955 long a2; 4956 long a3; 4957 long a4; 4958 long a5; 4959 long code; 4960 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4961 4962 door_node_t *dp; 4963 struct proc *p; 4964 uint32_t did; 4965 uid_t uid, ruid; 4966 gid_t gid, rgid; 4967 pid_t pid; 4968 const auditinfo_addr_t *ainfo; 4969 cred_t *cr; 4970 4971 did = (uint32_t)uap->a1; 4972 4973 switch (tad->tad_event) { 4974 case AUE_DOORFS_DOOR_CALL: 4975 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4976 if ((dp = au_door_lookup(did)) == NULL) 4977 break; 4978 4979 if (DOOR_INVALID(dp)) { 4980 releasef(did); 4981 break; 4982 } 4983 4984 if ((p = dp->door_target) == NULL) { 4985 releasef(did); 4986 break; 4987 } 4988 mutex_enter(&p->p_lock); 4989 releasef(did); 4990 4991 pid = p->p_pid; 4992 4993 mutex_enter(&p->p_crlock); 4994 crhold(cr = p->p_cred); 4995 mutex_exit(&p->p_crlock); 4996 mutex_exit(&p->p_lock); 4997 4998 ainfo = crgetauinfo(cr); 4999 if (ainfo == NULL) { 5000 crfree(cr); 5001 return; 5002 } 5003 uid = crgetuid(cr); 5004 gid = crgetgid(cr); 5005 ruid = crgetruid(cr); 5006 rgid = crgetrgid(cr); 5007 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5008 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5009 crfree(cr); 5010 break; 5011 case AUE_DOORFS_DOOR_RETURN: 5012 /* 5013 * We may want to write information about 5014 * all doors (if any) which will be copied 5015 * by this call to the user space 5016 */ 5017 break; 5018 case AUE_DOORFS_DOOR_CREATE: 5019 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5020 break; 5021 case AUE_DOORFS_DOOR_REVOKE: 5022 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5023 break; 5024 case AUE_DOORFS_DOOR_INFO: 5025 break; 5026 case AUE_DOORFS_DOOR_CRED: 5027 break; 5028 case AUE_DOORFS_DOOR_BIND: 5029 break; 5030 case AUE_DOORFS_DOOR_UNBIND: { 5031 break; 5032 } 5033 default: /* illegal system call */ 5034 break; 5035 } 5036 } 5037 5038 /*ARGSUSED*/ 5039 static au_event_t 5040 aui_acl(au_event_t e) 5041 { 5042 struct a { 5043 union { 5044 long name; /* char */ 5045 long fd; 5046 } obj; 5047 5048 long cmd; 5049 long nentries; 5050 long arg; /* aclent_t */ 5051 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5052 5053 switch (uap->cmd) { 5054 case SETACL: 5055 case ACE_SETACL: 5056 /* 5057 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5058 * are expected. 5059 */ 5060 break; 5061 case GETACL: 5062 case GETACLCNT: 5063 case ACE_GETACLCNT: 5064 /* do nothing for these two values. */ 5065 e = AUE_NULL; 5066 break; 5067 default: 5068 /* illegal system call */ 5069 break; 5070 } 5071 5072 return (e); 5073 } 5074 5075 static void 5076 au_acl(int cmd, int nentries, caddr_t bufp) 5077 { 5078 size_t a_size; 5079 aclent_t *aclbufp; 5080 ace_t *acebufp; 5081 int i; 5082 5083 switch (cmd) { 5084 case GETACL: 5085 case GETACLCNT: 5086 break; 5087 case SETACL: 5088 if (nentries < 3) 5089 break; 5090 5091 a_size = nentries * sizeof (aclent_t); 5092 5093 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5094 break; 5095 if (copyin(bufp, aclbufp, a_size)) { 5096 kmem_free(aclbufp, a_size); 5097 break; 5098 } 5099 for (i = 0; i < nentries; i++) { 5100 au_uwrite(au_to_acl(aclbufp + i)); 5101 } 5102 kmem_free(aclbufp, a_size); 5103 break; 5104 5105 case ACE_SETACL: 5106 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5107 break; 5108 5109 a_size = nentries * sizeof (ace_t); 5110 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5111 break; 5112 if (copyin(bufp, acebufp, a_size)) { 5113 kmem_free(acebufp, a_size); 5114 break; 5115 } 5116 for (i = 0; i < nentries; i++) { 5117 au_uwrite(au_to_ace(acebufp + i)); 5118 } 5119 kmem_free(acebufp, a_size); 5120 break; 5121 default: 5122 break; 5123 } 5124 } 5125 5126 /*ARGSUSED*/ 5127 static void 5128 aus_acl(struct t_audit_data *tad) 5129 { 5130 struct a { 5131 long fname; 5132 long cmd; 5133 long nentries; 5134 long aclbufp; 5135 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5136 5137 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5138 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5139 5140 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5141 } 5142 5143 /*ARGSUSED*/ 5144 static void 5145 aus_facl(struct t_audit_data *tad) 5146 { 5147 struct a { 5148 long fd; 5149 long cmd; 5150 long nentries; 5151 long aclbufp; 5152 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5153 struct file *fp; 5154 struct vnode *vp; 5155 struct f_audit_data *fad; 5156 int fd; 5157 5158 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5159 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5160 5161 fd = (int)uap->fd; 5162 5163 if ((fp = getf(fd)) == NULL) 5164 return; 5165 5166 /* get path from file struct here */ 5167 fad = F2A(fp); 5168 if (fad->fad_aupath != NULL) { 5169 au_uwrite(au_to_path(fad->fad_aupath)); 5170 } else { 5171 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5172 } 5173 5174 vp = fp->f_vnode; 5175 audit_attributes(vp); 5176 5177 /* decrement file descriptor reference count */ 5178 releasef(fd); 5179 5180 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5181 } 5182 5183 /*ARGSUSED*/ 5184 static void 5185 auf_read(tad, error, rval) 5186 struct t_audit_data *tad; 5187 int error; 5188 rval_t *rval; 5189 { 5190 struct file *fp; 5191 struct f_audit_data *fad; 5192 int fd; 5193 register struct a { 5194 long fd; 5195 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5196 au_kcontext_t *kctx = GET_KCTX_PZ; 5197 5198 fd = (int)uap->fd; 5199 5200 /* 5201 * convert file pointer to file descriptor 5202 * Note: fd ref count incremented here. 5203 */ 5204 if ((fp = getf(fd)) == NULL) 5205 return; 5206 5207 /* get path from file struct here */ 5208 fad = F2A(fp); 5209 ASSERT(fad); 5210 5211 /* 5212 * already processed this file for read attempt 5213 * 5214 * XXX might be better to turn off auditing in a aui_read() routine. 5215 */ 5216 if (fad->fad_flags & FAD_READ) { 5217 /* don't really want to audit every read attempt */ 5218 tad->tad_flag = 0; 5219 /* free any residual audit data */ 5220 au_close(kctx, &(u_ad), 0, 0, 0); 5221 releasef(fd); 5222 return; 5223 } 5224 /* mark things so we know what happened and don't repeat things */ 5225 fad->fad_flags |= FAD_READ; 5226 5227 if (fad->fad_aupath != NULL) { 5228 au_uwrite(au_to_path(fad->fad_aupath)); 5229 } else { 5230 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5231 } 5232 5233 /* include attributes */ 5234 audit_attributes(fp->f_vnode); 5235 5236 /* decrement file descriptor reference count */ 5237 releasef(fd); 5238 } 5239 5240 /*ARGSUSED*/ 5241 static void 5242 auf_write(tad, error, rval) 5243 struct t_audit_data *tad; 5244 int error; 5245 rval_t *rval; 5246 { 5247 struct file *fp; 5248 struct f_audit_data *fad; 5249 int fd; 5250 register struct a { 5251 long fd; 5252 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5253 au_kcontext_t *kctx = GET_KCTX_PZ; 5254 5255 fd = (int)uap->fd; 5256 5257 /* 5258 * convert file pointer to file descriptor 5259 * Note: fd ref count incremented here. 5260 */ 5261 if ((fp = getf(fd)) == NULL) 5262 return; 5263 5264 /* get path from file struct here */ 5265 fad = F2A(fp); 5266 ASSERT(fad); 5267 5268 /* 5269 * already processed this file for write attempt 5270 * 5271 * XXX might be better to turn off auditing in a aus_write() routine. 5272 */ 5273 if (fad->fad_flags & FAD_WRITE) { 5274 /* don't really want to audit every write attempt */ 5275 tad->tad_flag = 0; 5276 /* free any residual audit data */ 5277 au_close(kctx, &(u_ad), 0, 0, 0); 5278 releasef(fd); 5279 return; 5280 } 5281 /* mark things so we know what happened and don't repeat things */ 5282 fad->fad_flags |= FAD_WRITE; 5283 5284 if (fad->fad_aupath != NULL) { 5285 au_uwrite(au_to_path(fad->fad_aupath)); 5286 } else { 5287 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5288 } 5289 5290 /* include attributes */ 5291 audit_attributes(fp->f_vnode); 5292 5293 /* decrement file descriptor reference count */ 5294 releasef(fd); 5295 } 5296 5297 /*ARGSUSED*/ 5298 static void 5299 auf_recv(tad, error, rval) 5300 struct t_audit_data *tad; 5301 int error; 5302 rval_t *rval; 5303 { 5304 struct sonode *so; 5305 char so_laddr[sizeof (struct sockaddr_in6)]; 5306 char so_faddr[sizeof (struct sockaddr_in6)]; 5307 struct file *fp; 5308 struct f_audit_data *fad; 5309 int fd; 5310 int err; 5311 socklen_t len; 5312 short so_family, so_type; 5313 register struct a { 5314 long fd; 5315 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5316 au_kcontext_t *kctx = GET_KCTX_PZ; 5317 5318 /* 5319 * If there was an error, then nothing to do. Only generate 5320 * audit record on first successful recv. 5321 */ 5322 if (error) { 5323 /* Turn off audit record generation here. */ 5324 tad->tad_flag = 0; 5325 /* free any residual audit data */ 5326 au_close(kctx, &(u_ad), 0, 0, 0); 5327 return; 5328 } 5329 5330 fd = (int)uap->fd; 5331 5332 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5333 /* Turn off audit record generation here. */ 5334 tad->tad_flag = 0; 5335 /* free any residual audit data */ 5336 au_close(kctx, &(u_ad), 0, 0, 0); 5337 return; 5338 } 5339 5340 /* get path from file struct here */ 5341 fad = F2A(fp); 5342 ASSERT(fad); 5343 5344 /* 5345 * already processed this file for read attempt 5346 */ 5347 if (fad->fad_flags & FAD_READ) { 5348 releasef(fd); 5349 /* don't really want to audit every recv call */ 5350 tad->tad_flag = 0; 5351 /* free any residual audit data */ 5352 au_close(kctx, &(u_ad), 0, 0, 0); 5353 return; 5354 } 5355 5356 /* mark things so we know what happened and don't repeat things */ 5357 fad->fad_flags |= FAD_READ; 5358 5359 so_family = so->so_family; 5360 so_type = so->so_type; 5361 5362 switch (so_family) { 5363 case AF_INET: 5364 case AF_INET6: 5365 /* 5366 * Only for connections. 5367 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5368 */ 5369 if (so->so_state & SS_ISBOUND) { 5370 5371 bzero((void *)so_laddr, sizeof (so_laddr)); 5372 bzero((void *)so_faddr, sizeof (so_faddr)); 5373 5374 /* get local and foreign addresses */ 5375 len = sizeof (so_laddr); 5376 (void) socket_getsockname(so, 5377 (struct sockaddr *)so_laddr, &len, CRED()); 5378 len = sizeof (so_faddr); 5379 (void) socket_getpeername(so, 5380 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5381 5382 /* 5383 * only way to drop out of switch. Note that we 5384 * we release fd below. 5385 */ 5386 5387 break; 5388 } 5389 5390 releasef(fd); 5391 5392 /* don't really want to audit every recv call */ 5393 tad->tad_flag = 0; 5394 /* free any residual audit data */ 5395 au_close(kctx, &(u_ad), 0, 0, 0); 5396 5397 return; 5398 5399 case AF_UNIX: 5400 5401 if (fad->fad_aupath != NULL) { 5402 au_uwrite(au_to_path(fad->fad_aupath)); 5403 } else { 5404 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5405 } 5406 5407 audit_attributes(fp->f_vnode); 5408 5409 releasef(fd); 5410 5411 return; 5412 5413 default: 5414 releasef(fd); 5415 5416 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5417 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5418 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5419 5420 return; 5421 } 5422 5423 releasef(fd); 5424 5425 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5426 5427 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5428 5429 } 5430 5431 /*ARGSUSED*/ 5432 static void 5433 auf_send(tad, error, rval) 5434 struct t_audit_data *tad; 5435 int error; 5436 rval_t *rval; 5437 { 5438 struct sonode *so; 5439 char so_laddr[sizeof (struct sockaddr_in6)]; 5440 char so_faddr[sizeof (struct sockaddr_in6)]; 5441 struct file *fp; 5442 struct f_audit_data *fad; 5443 int fd; 5444 int err; 5445 socklen_t len; 5446 short so_family, so_type; 5447 register struct a { 5448 long fd; 5449 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5450 au_kcontext_t *kctx = GET_KCTX_PZ; 5451 5452 fd = (int)uap->fd; 5453 5454 /* 5455 * If there was an error, then nothing to do. Only generate 5456 * audit record on first successful send. 5457 */ 5458 if (error != 0) { 5459 /* Turn off audit record generation here. */ 5460 tad->tad_flag = 0; 5461 /* free any residual audit data */ 5462 au_close(kctx, &(u_ad), 0, 0, 0); 5463 return; 5464 } 5465 5466 fd = (int)uap->fd; 5467 5468 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5469 /* Turn off audit record generation here. */ 5470 tad->tad_flag = 0; 5471 /* free any residual audit data */ 5472 au_close(kctx, &(u_ad), 0, 0, 0); 5473 return; 5474 } 5475 5476 /* get path from file struct here */ 5477 fad = F2A(fp); 5478 ASSERT(fad); 5479 5480 /* 5481 * already processed this file for write attempt 5482 */ 5483 if (fad->fad_flags & FAD_WRITE) { 5484 releasef(fd); 5485 /* don't really want to audit every send call */ 5486 tad->tad_flag = 0; 5487 /* free any residual audit data */ 5488 au_close(kctx, &(u_ad), 0, 0, 0); 5489 return; 5490 } 5491 5492 /* mark things so we know what happened and don't repeat things */ 5493 fad->fad_flags |= FAD_WRITE; 5494 5495 so_family = so->so_family; 5496 so_type = so->so_type; 5497 5498 switch (so_family) { 5499 case AF_INET: 5500 case AF_INET6: 5501 /* 5502 * Only for connections. 5503 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5504 */ 5505 if (so->so_state & SS_ISBOUND) { 5506 5507 bzero((void *)so_laddr, sizeof (so_laddr)); 5508 bzero((void *)so_faddr, sizeof (so_faddr)); 5509 5510 /* get local and foreign addresses */ 5511 len = sizeof (so_laddr); 5512 (void) socket_getsockname(so, 5513 (struct sockaddr *)so_laddr, &len, CRED()); 5514 len = sizeof (so_faddr); 5515 (void) socket_getpeername(so, 5516 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5517 5518 /* 5519 * only way to drop out of switch. Note that we 5520 * we release fd below. 5521 */ 5522 5523 break; 5524 } 5525 5526 releasef(fd); 5527 /* don't really want to audit every send call */ 5528 tad->tad_flag = 0; 5529 /* free any residual audit data */ 5530 au_close(kctx, &(u_ad), 0, 0, 0); 5531 5532 return; 5533 5534 case AF_UNIX: 5535 5536 if (fad->fad_aupath != NULL) { 5537 au_uwrite(au_to_path(fad->fad_aupath)); 5538 } else { 5539 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5540 } 5541 5542 audit_attributes(fp->f_vnode); 5543 5544 releasef(fd); 5545 5546 return; 5547 5548 default: 5549 releasef(fd); 5550 5551 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5552 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5553 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5554 5555 return; 5556 } 5557 5558 releasef(fd); 5559 5560 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5561 5562 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5563 } 5564 5565 static au_event_t 5566 aui_forksys(au_event_t e) 5567 { 5568 struct a { 5569 long subcode; 5570 long flags; 5571 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5572 5573 switch ((uint_t)uap->subcode) { 5574 case 0: 5575 e = AUE_FORK1; 5576 break; 5577 case 1: 5578 e = AUE_FORKALL; 5579 break; 5580 case 2: 5581 e = AUE_VFORK; 5582 break; 5583 default: 5584 e = AUE_NULL; 5585 break; 5586 } 5587 5588 return (e); 5589 } 5590 5591 /*ARGSUSED*/ 5592 static au_event_t 5593 aui_portfs(au_event_t e) 5594 { 5595 struct a { /* portfs */ 5596 long a1; 5597 long a2; 5598 long a3; 5599 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5600 5601 /* 5602 * check opcode 5603 */ 5604 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5605 case PORT_ASSOCIATE: 5606 /* check source */ 5607 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5608 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5609 e = AUE_PORTFS_ASSOCIATE; 5610 } else { 5611 e = AUE_NULL; 5612 } 5613 break; 5614 case PORT_DISSOCIATE: 5615 /* check source */ 5616 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5617 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5618 e = AUE_PORTFS_DISSOCIATE; 5619 } else { 5620 e = AUE_NULL; 5621 } 5622 break; 5623 default: 5624 e = AUE_NULL; 5625 } 5626 return (e); 5627 } 5628