xref: /titanic_50/usr/src/uts/common/c2/audit_event.c (revision 3268e8899028a80444b82ffd371de903ba1122d5)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*
27  * This file contains the audit event table used to control the production
28  * of audit records for each system call.
29  */
30 
31 #include <sys/policy.h>
32 #include <sys/cred.h>
33 #include <sys/types.h>
34 #include <sys/systm.h>
35 #include <sys/systeminfo.h>	/* for sysinfo auditing */
36 #include <sys/utsname.h>	/* for sysinfo auditing */
37 #include <sys/proc.h>
38 #include <sys/vnode.h>
39 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
40 #include <sys/fcntl.h>
41 #include <sys/modctl.h>		/* for modctl auditing */
42 #include <sys/vnode.h>
43 #include <sys/user.h>
44 #include <sys/types.h>
45 #include <sys/processor.h>
46 #include <sys/procset.h>
47 #include <sys/acl.h>
48 #include <sys/ipc.h>
49 #include <sys/door.h>
50 #include <sys/sem.h>
51 #include <sys/msg.h>
52 #include <sys/shm.h>
53 #include <sys/kmem.h>
54 #include <sys/file.h>		/* for accept */
55 #include <sys/utssys.h>		/* for fuser */
56 #include <sys/tsol/label.h>
57 #include <sys/tsol/tndb.h>
58 #include <sys/tsol/tsyscall.h>
59 #include <c2/audit.h>
60 #include <c2/audit_kernel.h>
61 #include <c2/audit_kevents.h>
62 #include <c2/audit_record.h>
63 #include <sys/procset.h>
64 #include <nfs/mount.h>
65 #include <sys/param.h>
66 #include <sys/debug.h>
67 #include <sys/sysmacros.h>
68 #include <sys/stream.h>
69 #include <sys/strsubr.h>
70 #include <sys/stropts.h>
71 #include <sys/tihdr.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <sys/vfs_opreg.h>
75 #include <fs/sockfs/sockcommon.h>
76 #include <netinet/in.h>
77 #include <sys/ddi.h>
78 #include <sys/port_impl.h>
79 
80 
81 char	_depends_on[] = "fs/sockfs";
82 
83 static au_event_t	aui_fchownat(au_event_t);
84 static au_event_t	aui_fchmodat(au_event_t);
85 static au_event_t	aui_open(au_event_t);
86 static au_event_t	aui_openat(au_event_t);
87 static au_event_t	aui_unlinkat(au_event_t);
88 static au_event_t	aui_fstatat(au_event_t);
89 static au_event_t	aui_msgsys(au_event_t);
90 static au_event_t	aui_shmsys(au_event_t);
91 static au_event_t	aui_semsys(au_event_t);
92 static au_event_t	aui_utssys(au_event_t);
93 static au_event_t	aui_fcntl(au_event_t);
94 static au_event_t	aui_execve(au_event_t);
95 static au_event_t	aui_memcntl(au_event_t);
96 static au_event_t	aui_sysinfo(au_event_t);
97 static au_event_t	aui_portfs(au_event_t);
98 static au_event_t	aui_auditsys(au_event_t);
99 static au_event_t	aui_modctl(au_event_t);
100 static au_event_t	aui_acl(au_event_t);
101 static au_event_t	aui_doorfs(au_event_t);
102 static au_event_t	aui_privsys(au_event_t);
103 static au_event_t	aui_forksys(au_event_t);
104 static au_event_t	aui_labelsys(au_event_t);
105 static au_event_t	aui_setpgrp(au_event_t);
106 
107 static void	aus_exit(struct t_audit_data *);
108 static void	aus_open(struct t_audit_data *);
109 static void	aus_openat(struct t_audit_data *);
110 static void	aus_acl(struct t_audit_data *);
111 static void	aus_acct(struct t_audit_data *);
112 static void	aus_chown(struct t_audit_data *);
113 static void	aus_fchown(struct t_audit_data *);
114 static void	aus_lchown(struct t_audit_data *);
115 static void	aus_fchownat(struct t_audit_data *);
116 static void	aus_chmod(struct t_audit_data *);
117 static void	aus_facl(struct t_audit_data *);
118 static void	aus_fchmod(struct t_audit_data *);
119 static void	aus_fchmodat(struct t_audit_data *);
120 static void	aus_fcntl(struct t_audit_data *);
121 static void	aus_mkdir(struct t_audit_data *);
122 static void	aus_mkdirat(struct t_audit_data *);
123 static void	aus_mknod(struct t_audit_data *);
124 static void	aus_mknodat(struct t_audit_data *);
125 static void	aus_mount(struct t_audit_data *);
126 static void	aus_umount2(struct t_audit_data *);
127 static void	aus_msgsys(struct t_audit_data *);
128 static void	aus_semsys(struct t_audit_data *);
129 static void	aus_close(struct t_audit_data *);
130 static void	aus_fstatfs(struct t_audit_data *);
131 static void	aus_setgid(struct t_audit_data *);
132 static void	aus_setpgrp(struct t_audit_data *);
133 static void	aus_setuid(struct t_audit_data *);
134 static void	aus_shmsys(struct t_audit_data *);
135 static void	aus_doorfs(struct t_audit_data *);
136 static void	aus_ioctl(struct t_audit_data *);
137 static void	aus_memcntl(struct t_audit_data *);
138 static void	aus_mmap(struct t_audit_data *);
139 static void	aus_munmap(struct t_audit_data *);
140 static void	aus_priocntlsys(struct t_audit_data *);
141 static void	aus_setegid(struct t_audit_data *);
142 static void	aus_setgroups(struct t_audit_data *);
143 static void	aus_seteuid(struct t_audit_data *);
144 static void	aus_putmsg(struct t_audit_data *);
145 static void	aus_putpmsg(struct t_audit_data *);
146 static void	aus_getmsg(struct t_audit_data *);
147 static void	aus_getpmsg(struct t_audit_data *);
148 static void	aus_auditsys(struct t_audit_data *);
149 static void	aus_sysinfo(struct t_audit_data *);
150 static void	aus_modctl(struct t_audit_data *);
151 static void	aus_kill(struct t_audit_data *);
152 static void	aus_setregid(struct t_audit_data *);
153 static void	aus_setreuid(struct t_audit_data *);
154 static void	aus_labelsys(struct t_audit_data *);
155 
156 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
157 static void	auf_mknodat(struct t_audit_data *, int, rval_t *);
158 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
159 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
160 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
161 static void	auf_read(struct t_audit_data *, int, rval_t *);
162 static void	auf_write(struct t_audit_data *, int, rval_t *);
163 
164 static void	aus_sigqueue(struct t_audit_data *);
165 static void	aus_p_online(struct t_audit_data *);
166 static void	aus_processor_bind(struct t_audit_data *);
167 static void	aus_inst_sync(struct t_audit_data *);
168 static void	aus_brandsys(struct t_audit_data *);
169 
170 static void	auf_accept(struct t_audit_data *, int, rval_t *);
171 
172 static void	auf_bind(struct t_audit_data *, int, rval_t *);
173 static void	auf_connect(struct t_audit_data *, int, rval_t *);
174 static void	aus_shutdown(struct t_audit_data *);
175 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
176 static void	aus_sockconfig(struct t_audit_data *);
177 static void	auf_recv(struct t_audit_data *, int, rval_t *);
178 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
179 static void	auf_send(struct t_audit_data *, int, rval_t *);
180 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
181 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
182 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
183 static void	aus_socket(struct t_audit_data *);
184 /*
185  * This table contains mapping information for converting system call numbers
186  * to audit event IDs. In several cases it is necessary to map a single system
187  * call to several events.
188  */
189 
190 #define	aui_null	NULL	/* NULL initialize function */
191 #define	aus_null	NULL	/* NULL start function */
192 #define	auf_null	NULL	/* NULL finish function */
193 
194 struct audit_s2e audit_s2e[] =
195 {
196 /*
197  * ----------	---------- 	----------	----------
198  * INITIAL	AUDIT		START		SYSTEM
199  * PROCESSING	EVENT		PROCESSING	CALL
200  * ----------	----------	----------	-----------
201  *		FINISH		EVENT
202  *		PROCESSING	CONTROL
203  * ----------------------------------------------------------
204  */
205 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
206 		auf_null,	0,
207 aui_null,	AUE_EXIT,	aus_exit,	/* 1 exit */
208 		auf_null,	S2E_NPT,
209 aui_null,	AUE_NULL,	aus_null,	/* 2 (loadable) was forkall */
210 		auf_null,	0,
211 aui_null,	AUE_READ,	aus_null,	/* 3 read */
212 		auf_read,	S2E_PUB,
213 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
214 		auf_write,	0,
215 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
216 		auf_null,	S2E_SP,
217 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
218 		auf_null,	0,
219 aui_null,	AUE_LINK,	aus_null,	/* 7 linkat */
220 		auf_null,	0,
221 aui_null,	AUE_NULL,	aus_null,	/* 8 (loadable) was creat */
222 		auf_null,	0,
223 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
224 		auf_null,	0,
225 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
226 		auf_null,	0,
227 aui_null,	AUE_SYMLINK,	aus_null,	/* 11 symlinkat */
228 		auf_null,	0,
229 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
230 		auf_null,	S2E_SP,
231 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
232 		auf_null,	0,
233 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
234 		auf_mknod,	S2E_MLD,
235 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
236 		auf_null,	0,
237 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
238 		auf_null,	0,
239 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
240 		auf_null,	0,
241 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
242 		auf_null,	S2E_PUB,
243 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
244 		auf_null,	0,
245 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
246 		auf_null,	0,
247 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
248 		auf_null,	S2E_MLD,
249 aui_null,	AUE_READLINK,	aus_null,	/* 22 readlinkat */
250 		auf_null,	S2E_PUB,
251 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
254 		auf_null,	0,
255 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 26 pcsample */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
262 		auf_null,	0,
263 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
264 		auf_null,	0,
265 aui_null,	AUE_NULL,	aus_null,	/* 30 (loadable) was utime */
266 		auf_null,	0,
267 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
268 		auf_null,	0,
269 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
270 		auf_null,	0,
271 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
272 		auf_null,	S2E_PUB,
273 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
274 		auf_null,	0,
275 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
276 		auf_null,	S2E_PUB,
277 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
278 		auf_null,	0,
279 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
280 		auf_null,	0,
281 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
282 		auf_null,	S2E_PUB,
283 aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 41 (loadable) was dup */
288 		auf_null,	0,
289 aui_null,	AUE_PIPE,	aus_null,	/* 42 (loadable) pipe */
290 		auf_null,	0,
291 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
292 		auf_null,	0,
293 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
294 		auf_null,	0,
295 aui_null,	AUE_ACCESS,	aus_null,	/* 45 faccessat */
296 		auf_null,	S2E_PUB,
297 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
298 		auf_null,	0,
299 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
300 		auf_null,	0,
301 aui_null,	AUE_MKNOD,	aus_mknodat,	/* 48 mknodat */
302 		auf_mknodat,	S2E_MLD,
303 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) msgsys */
304 		auf_msgsys,	0,
305 #if defined(__x86)
306 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
307 		auf_null,	0,
308 #else
309 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
310 		auf_null,	0,
311 #endif /* __x86 */
312 aui_null,	AUE_ACCT,	aus_acct,	/* 51 (loadable) sysacct */
313 		auf_null,	0,
314 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 (loadable) shmsys */
315 		auf_shmsys,	0,
316 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 (loadable) semsys */
317 		auf_semsys,	0,
318 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
319 		auf_null,	0,
320 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
321 		auf_null,	0,
322 aui_fchownat,	AUE_NULL,	aus_fchownat,	/* 56 fchownat */
323 		auf_null,	0,
324 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
325 		auf_null,	0,
326 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
327 		auf_null,	0,
328 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
329 		auf_null,	S2E_MLD,
330 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
331 		auf_null,	0,
332 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
333 		auf_null,	S2E_SP,
334 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
335 		auf_null,	0,
336 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
337 		auf_null,	0,
338 aui_null,	AUE_RENAME,	aus_null,	/* 64 renameat */
339 		auf_null,	0,
340 aui_unlinkat,	AUE_NULL,	aus_null,	/* 65 unlinkat */
341 		auf_null,	0,
342 aui_fstatat,	AUE_NULL,	aus_null,	/* 66 fstatat */
343 		auf_null,	S2E_PUB,
344 aui_fstatat,	AUE_NULL,	aus_null,	/* 67 fstatat64 */
345 		auf_null,	S2E_PUB,
346 aui_openat,	AUE_OPEN,	aus_openat,	/* 68 openat */
347 		auf_null,	S2E_SP,
348 aui_openat,	AUE_OPEN,	aus_openat,	/* 69 openat64 */
349 		auf_null,	S2E_SP,
350 aui_null,	AUE_NULL,	aus_null,	/* 70 tasksys */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) acctctl */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) exacct */
355 		auf_null,	0,
356 aui_null,	AUE_NULL,	aus_null,	/* 73 getpagesizes */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 74 rctlsys */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
361 		auf_null,	0,
362 aui_null,	AUE_NULL,	aus_null,	/* 76 (loadable) was fsat */
363 		auf_null,	0,
364 aui_null,	AUE_NULL,	aus_null,	/* 77 syslwp_park */
365 		auf_null,	0,
366 aui_null,	AUE_NULL,	aus_null,	/* 78 sendfilev */
367 		auf_null,	0,
368 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
369 		auf_null,	0,
370 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
371 		auf_null,	0,
372 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
373 		auf_null,	0,
374 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
375 		auf_null,	0,
376 aui_null,	AUE_NULL,	aus_null,	/* 83 ucredsys */
377 		auf_null,	0,
378 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
379 		auf_null,	0,
380 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
381 		auf_null,	0,
382 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
383 		auf_null,	0,
384 aui_null,	AUE_NULL,	aus_null,	/* 87 (loadable) was poll */
385 		auf_null,	0,
386 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
387 		auf_null,	S2E_PUB,
388 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
389 		auf_null,	0,
390 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
391 		auf_null,	S2E_PUB,
392 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
393 		auf_null,	0,
394 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
395 		auf_null,	0,
396 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
397 		auf_null,	0,
398 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
409 		auf_null,	0,
410 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
411 		auf_null,	0,
412 aui_fchmodat,	AUE_NULL,	aus_fchmodat,	/* 101 fchmodat */
413 		auf_null,	0,
414 aui_null,	AUE_MKDIR,	aus_mkdirat,	/* 102 mkdirat */
415 		auf_null,	0,
416 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
417 		auf_null,	S2E_PUB,
418 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
419 		auf_null,	0,
420 aui_null,	AUE_NULL,	aus_null,	/* 105 getloadavg */
421 		auf_null,	0,
422 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
423 		auf_null,	0,
424 aui_null,	AUE_NULL,	aus_null,	/* 107 waitsys */
425 		auf_null,	0,
426 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendsys */
427 		auf_null,	0,
428 #if defined(__x86)
429 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
430 		auf_null,	0,
431 #else
432 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
433 		auf_null,	0,
434 #endif /* __x86 */
435 aui_null,	AUE_UTIMES,	aus_null,	/* 110 utimesys */
436 		auf_null,	0,
437 aui_null,	AUE_NULL,	aus_null,	/* 111 sigresend */
438 		auf_null,	0,
439 aui_null,	AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
440 		auf_null,	0,
441 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
442 		auf_null,	S2E_PUB,
443 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
444 		auf_null,	0,
445 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
446 		auf_null,	0,
447 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
448 		auf_null,	0,
449 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
450 		auf_null,	0,
451 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
452 		auf_null,	0,
453 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
454 		auf_null,	0,
455 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
456 		auf_null,	0,
457 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
458 		auf_read,	S2E_PUB,
459 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
460 		auf_write,	0,
461 aui_null,	AUE_NULL,	aus_null,	/* 123 (loadable) was xstat */
462 		auf_null,	0,
463 aui_null,	AUE_NULL,	aus_null,	/* 124 (loadable) was lxstat */
464 		auf_null,	0,
465 aui_null,	AUE_NULL,	aus_null,	/* 125 (loadable) was fxstat */
466 		auf_null,	0,
467 aui_null,	AUE_NULL,	aus_null,	/* 126 (loadable) was xmknod */
468 		auf_null,	0,
469 aui_null,	AUE_NULL,	aus_null,	/* 127 mmapobj */
470 		auf_null,	0,
471 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
472 		auf_null,	0,
473 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
474 		auf_null,	0,
475 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
476 		auf_null,	0,
477 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
478 		auf_null,	0,
479 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
480 		auf_null,	0,
481 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
482 		auf_null,	0,
483 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
484 		auf_null,	0,
485 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
486 		auf_null,	0,
487 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
488 		auf_null,	0,
489 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
490 		auf_null,	0,
491 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
492 		auf_null,	0,
493 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
494 		auf_null,	0,
495 aui_null,	AUE_NULL,	aus_null,	/* 140 (loadable) sharefs */
496 		auf_null,	0,
497 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
498 		auf_null,	0,
499 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
500 		auf_null,	0,
501 aui_null,	AUE_NULL,	aus_null,	/* 143 (loadable) was fork1 */
502 		auf_null,	0,
503 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
504 		auf_null,	0,
505 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
506 		auf_null,	0,
507 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
508 		auf_null,	0,
509 aui_null,	AUE_NULL,	aus_null,	/* 147 (loadable) */
510 						/*	was lwp_sema_wait */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
515 		auf_null,	0,
516 aui_null,	AUE_NULL,	aus_null,	/* 150 lwp_detach */
517 		auf_null,	0,
518 aui_null,	AUE_NULL,	aus_null,	/* 151 corectl */
519 		auf_null,	0,
520 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
521 		auf_null,	0,
522 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 154 (loadable) was utimes */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 165 lwp_sigmask */
547 		auf_null,	0,
548 aui_null,	AUE_NULL,	aus_null,	/* 166 lwp_private */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
551 		auf_null,	0,
552 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
553 		auf_null,	0,
554 aui_null,	AUE_NULL,	aus_null,	/* 169 (loadable) */
555 						/*	was lwp_mutex_lock */
556 		auf_null,	0,
557 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
558 		auf_null,	0,
559 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
560 		auf_null,	0,
561 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
562 		auf_null,	0,
563 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
564 		auf_read,	S2E_PUB,
565 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
566 		auf_write,	0,
567 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
568 		auf_null,	0,
569 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) inst_sync */
570 		auf_null,	0,
571 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) kaio */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) cpc */
576 		auf_null,	0,
577 aui_null,	AUE_NULL,	aus_null,	/* 180 lgrpsys */
578 		auf_null,	0,
579 aui_null,	AUE_NULL,	aus_null,	/* 181 rusagesys */
580 		auf_null,	0,
581 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
582 		auf_null,	S2E_MLD,
583 aui_null,	AUE_NULL,	aus_null,	/* 183 pollsys */
584 		auf_null,	0,
585 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
586 		auf_null,	0,
587 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
588 		auf_null,	0,
589 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
590 		auf_null,	0,
591 aui_null,	AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
592 		auf_null,	0,
593 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
594 		auf_null,	0,
595 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
596 		auf_null,	0,
597 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
600 		auf_null,	0,
601 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
612 		auf_null,	0,
613 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
614 		auf_null,	0,
615 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
616 		auf_null,	0,
617 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
618 		auf_null,	0,
619 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
620 		auf_null,	0,
621 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
622 		auf_null,	0,
623 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 208 sparc_utrap_install */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
640 		auf_null,	0,
641 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
642 		auf_null,	0,
643 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 */
644 		auf_null,	0,
645 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
646 		auf_null,	0,
647 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
648 		auf_null,	S2E_PUB,
649 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
650 		auf_null,	S2E_PUB,
651 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
652 		auf_null,	0,
653 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
654 		auf_null,	S2E_PUB,
655 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
656 		auf_null,	0,
657 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
658 		auf_null,	0,
659 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
660 		auf_null,	0,
661 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
662 		auf_read,	S2E_PUB,
663 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
664 		auf_write,	0,
665 aui_null,	AUE_NULL,	aus_null,	/* 224 (loadable) was creat64 */
666 		auf_null,	0,
667 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
668 		auf_null,	S2E_SP,
669 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
670 		auf_null,	0,
671 aui_null,	AUE_NULL,	aus_null,	/* 227 zone */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) autofssys */
674 		auf_null,	0,
675 aui_null,	AUE_NULL,	aus_null,	/* 229 getcwd */
676 		auf_null,	0,
677 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
678 		auf_null,	0,
679 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
680 		auf_null,	0,
681 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
682 		auf_bind,	0,
683 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
684 		auf_null,	0,
685 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
686 		auf_accept,	0,
687 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
688 		auf_connect,	0,
689 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
690 		auf_null,	0,
691 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
692 		auf_recv,	0,
693 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
694 		auf_recvfrom,	0,
695 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
696 		auf_recvmsg,	0,
697 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
698 		auf_send,	0,
699 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
700 		auf_sendmsg,	0,
701 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
702 		auf_sendto,	0,
703 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
704 		auf_null,	0,
705 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
706 		auf_null,	0,
707 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
708 		auf_null,	0,
709 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
710 		auf_setsockopt,	0,
711 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
712 		auf_null,	0,
713 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
714 		auf_null,	0,
715 aui_null,	AUE_NTP_ADJTIME, aus_null,	/* 249 ntp_adjtime */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
722 		auf_null,	0,
723 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
724 		auf_null,	0,
725 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
726 		auf_null,	0,
727 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
728 		auf_null,	0
729 };
730 
731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
732 
733 
734 /* exit start function */
735 /*ARGSUSED*/
736 static void
737 aus_exit(struct t_audit_data *tad)
738 {
739 	uint32_t rval;
740 	struct a {
741 		long rval;
742 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
743 
744 	rval = (uint32_t)uap->rval;
745 	au_uwrite(au_to_arg32(1, "exit status", rval));
746 }
747 
748 /* acct start function */
749 /*ARGSUSED*/
750 static void
751 aus_acct(struct t_audit_data *tad)
752 {
753 	klwp_t *clwp = ttolwp(curthread);
754 	uintptr_t fname;
755 
756 	struct a {
757 		long	fname;		/* char * */
758 	} *uap = (struct a *)clwp->lwp_ap;
759 
760 	fname = (uintptr_t)uap->fname;
761 
762 	if (fname == 0)
763 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
764 }
765 
766 /* chown start function */
767 /*ARGSUSED*/
768 static void
769 aus_chown(struct t_audit_data *tad)
770 {
771 	klwp_t *clwp = ttolwp(curthread);
772 	uint32_t uid, gid;
773 
774 	struct a {
775 		long	fname;		/* char * */
776 		long	uid;
777 		long	gid;
778 	} *uap = (struct a *)clwp->lwp_ap;
779 
780 	uid = (uint32_t)uap->uid;
781 	gid = (uint32_t)uap->gid;
782 
783 	au_uwrite(au_to_arg32(2, "new file uid", uid));
784 	au_uwrite(au_to_arg32(3, "new file gid", gid));
785 }
786 
787 /* fchown start function */
788 /*ARGSUSED*/
789 static void
790 aus_fchown(struct t_audit_data *tad)
791 {
792 	klwp_t *clwp = ttolwp(curthread);
793 	uint32_t uid, gid, fd;
794 	struct file  *fp;
795 	struct vnode *vp;
796 	struct f_audit_data *fad;
797 
798 	struct a {
799 		long fd;
800 		long uid;
801 		long gid;
802 	} *uap = (struct a *)clwp->lwp_ap;
803 
804 	fd  = (uint32_t)uap->fd;
805 	uid = (uint32_t)uap->uid;
806 	gid = (uint32_t)uap->gid;
807 
808 	au_uwrite(au_to_arg32(2, "new file uid", uid));
809 	au_uwrite(au_to_arg32(3, "new file gid", gid));
810 
811 		/*
812 		 * convert file pointer to file descriptor
813 		 *   Note: fd ref count incremented here.
814 		 */
815 	if ((fp = getf(fd)) == NULL)
816 		return;
817 
818 	/* get path from file struct here */
819 	fad = F2A(fp);
820 	if (fad->fad_aupath != NULL) {
821 		au_uwrite(au_to_path(fad->fad_aupath));
822 	} else {
823 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
824 	}
825 
826 	vp = fp->f_vnode;
827 	audit_attributes(vp);
828 
829 	/* decrement file descriptor reference count */
830 	releasef(fd);
831 }
832 
833 /*ARGSUSED*/
834 static void
835 aus_lchown(struct t_audit_data *tad)
836 {
837 	klwp_t *clwp = ttolwp(curthread);
838 	uint32_t uid, gid;
839 
840 
841 	struct a {
842 		long	fname;		/* char	* */
843 		long	uid;
844 		long	gid;
845 	} *uap = (struct a *)clwp->lwp_ap;
846 
847 	uid = (uint32_t)uap->uid;
848 	gid = (uint32_t)uap->gid;
849 
850 	au_uwrite(au_to_arg32(2, "new file uid", uid));
851 	au_uwrite(au_to_arg32(3, "new file gid", gid));
852 }
853 
854 static au_event_t
855 aui_fchownat(au_event_t e)
856 {
857 	klwp_t *clwp = ttolwp(curthread);
858 
859 	struct a {
860 		long	fd;
861 		long	fname;		/* char * */
862 		long	uid;
863 		long	gid;
864 		long	flags;
865 	} *uap = (struct a *)clwp->lwp_ap;
866 
867 	if (uap->fname == NULL)
868 		e = AUE_FCHOWN;
869 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
870 		e = AUE_LCHOWN;
871 	else
872 		e = AUE_CHOWN;
873 
874 	return (e);
875 }
876 
877 /*ARGSUSED*/
878 static void
879 aus_fchownat(struct t_audit_data *tad)
880 {
881 	klwp_t *clwp = ttolwp(curthread);
882 	uint32_t uid, gid;
883 
884 	struct a {
885 		long	fd;
886 		long	fname;		/* char * */
887 		long	uid;
888 		long	gid;
889 		long	flags;
890 	} *uap = (struct a *)clwp->lwp_ap;
891 
892 	uid = (uint32_t)uap->uid;
893 	gid = (uint32_t)uap->gid;
894 
895 	au_uwrite(au_to_arg32(3, "new file uid", uid));
896 	au_uwrite(au_to_arg32(4, "new file gid", gid));
897 }
898 
899 /*ARGSUSED*/
900 static void
901 aus_chmod(struct t_audit_data *tad)
902 {
903 	klwp_t *clwp = ttolwp(curthread);
904 	uint32_t fmode;
905 
906 	struct a {
907 		long	fname;		/* char	* */
908 		long	fmode;
909 	} *uap = (struct a *)clwp->lwp_ap;
910 
911 	fmode = (uint32_t)uap->fmode;
912 
913 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
914 }
915 
916 /*ARGSUSED*/
917 static void
918 aus_fchmod(struct t_audit_data *tad)
919 {
920 	klwp_t *clwp = ttolwp(curthread);
921 	uint32_t fmode, fd;
922 	struct file  *fp;
923 	struct vnode *vp;
924 	struct f_audit_data *fad;
925 
926 	struct a {
927 		long	fd;
928 		long	fmode;
929 	} *uap = (struct a *)clwp->lwp_ap;
930 
931 	fd = (uint32_t)uap->fd;
932 	fmode = (uint32_t)uap->fmode;
933 
934 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
935 
936 	/*
937 	 * convert file pointer to file descriptor
938 	 *   Note: fd ref count incremented here.
939 	 */
940 	if ((fp = getf(fd)) == NULL)
941 		return;
942 
943 	/* get path from file struct here */
944 	fad = F2A(fp);
945 	if (fad->fad_aupath != NULL) {
946 		au_uwrite(au_to_path(fad->fad_aupath));
947 	} else {
948 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
949 	}
950 
951 	vp = fp->f_vnode;
952 	audit_attributes(vp);
953 
954 	/* decrement file descriptor reference count */
955 	releasef(fd);
956 }
957 
958 static au_event_t
959 aui_fchmodat(au_event_t e)
960 {
961 	klwp_t *clwp = ttolwp(curthread);
962 
963 	struct a {
964 		long	fd;
965 		long	fname;		/* char	* */
966 		long	fmode;
967 		long	flag;
968 	} *uap = (struct a *)clwp->lwp_ap;
969 
970 	if (uap->fname == NULL)
971 		e = AUE_FCHMOD;
972 	else
973 		e = AUE_CHMOD;
974 
975 	return (e);
976 }
977 
978 /*ARGSUSED*/
979 static void
980 aus_fchmodat(struct t_audit_data *tad)
981 {
982 	klwp_t *clwp = ttolwp(curthread);
983 	uint32_t fmode;
984 	uint32_t fd;
985 	struct file  *fp;
986 	struct vnode *vp;
987 	struct f_audit_data *fad;
988 
989 	struct a {
990 		long	fd;
991 		long	fname;		/* char	* */
992 		long	fmode;
993 		long	flag;
994 	} *uap = (struct a *)clwp->lwp_ap;
995 
996 	fd = (uint32_t)uap->fd;
997 	fmode = (uint32_t)uap->fmode;
998 
999 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1000 
1001 	if (fd == AT_FDCWD || uap->fname != NULL)	/* same as chmod() */
1002 		return;
1003 
1004 	/*
1005 	 * convert file pointer to file descriptor
1006 	 *   Note: fd ref count incremented here.
1007 	 */
1008 	if ((fp = getf(fd)) == NULL)
1009 		return;
1010 
1011 	/* get path from file struct here */
1012 	fad = F2A(fp);
1013 	if (fad->fad_aupath != NULL) {
1014 		au_uwrite(au_to_path(fad->fad_aupath));
1015 	} else {
1016 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1017 	}
1018 
1019 	vp = fp->f_vnode;
1020 	audit_attributes(vp);
1021 
1022 	/* decrement file descriptor reference count */
1023 	releasef(fd);
1024 }
1025 
1026 /*
1027  * convert open mode to appropriate open event
1028  */
1029 au_event_t
1030 open_event(uint_t fm)
1031 {
1032 	au_event_t e;
1033 
1034 	switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1035 	case O_RDONLY:
1036 		e = AUE_OPEN_R;
1037 		break;
1038 	case O_RDONLY | O_CREAT:
1039 		e = AUE_OPEN_RC;
1040 		break;
1041 	case O_RDONLY | O_TRUNC:
1042 		e = AUE_OPEN_RT;
1043 		break;
1044 	case O_RDONLY | O_TRUNC | O_CREAT:
1045 		e = AUE_OPEN_RTC;
1046 		break;
1047 	case O_WRONLY:
1048 		e = AUE_OPEN_W;
1049 		break;
1050 	case O_WRONLY | O_CREAT:
1051 		e = AUE_OPEN_WC;
1052 		break;
1053 	case O_WRONLY | O_TRUNC:
1054 		e = AUE_OPEN_WT;
1055 		break;
1056 	case O_WRONLY | O_TRUNC | O_CREAT:
1057 		e = AUE_OPEN_WTC;
1058 		break;
1059 	case O_RDWR:
1060 		e = AUE_OPEN_RW;
1061 		break;
1062 	case O_RDWR | O_CREAT:
1063 		e = AUE_OPEN_RWC;
1064 		break;
1065 	case O_RDWR | O_TRUNC:
1066 		e = AUE_OPEN_RWT;
1067 		break;
1068 	case O_RDWR | O_TRUNC | O_CREAT:
1069 		e = AUE_OPEN_RWTC;
1070 		break;
1071 	case O_SEARCH:
1072 		e = AUE_OPEN_S;
1073 		break;
1074 	case O_EXEC:
1075 		e = AUE_OPEN_E;
1076 		break;
1077 	default:
1078 		e = AUE_NULL;
1079 		break;
1080 	}
1081 
1082 	return (e);
1083 }
1084 
1085 /* ARGSUSED */
1086 static au_event_t
1087 aui_open(au_event_t e)
1088 {
1089 	klwp_t *clwp = ttolwp(curthread);
1090 	uint_t fm;
1091 
1092 	struct a {
1093 		long	fnamep;		/* char	* */
1094 		long	fmode;
1095 		long	cmode;
1096 	} *uap = (struct a *)clwp->lwp_ap;
1097 
1098 	fm = (uint_t)uap->fmode;
1099 
1100 	return (open_event(fm));
1101 }
1102 
1103 static void
1104 aus_open(struct t_audit_data *tad)
1105 {
1106 	klwp_t *clwp = ttolwp(curthread);
1107 	uint_t fm;
1108 
1109 	struct a {
1110 		long	fnamep;		/* char	* */
1111 		long	fmode;
1112 		long	cmode;
1113 	} *uap = (struct a *)clwp->lwp_ap;
1114 
1115 	fm = (uint_t)uap->fmode;
1116 
1117 	/* If no write, create, or trunc modes, mark as a public op */
1118 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1119 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1120 }
1121 
1122 /* ARGSUSED */
1123 static au_event_t
1124 aui_openat(au_event_t e)
1125 {
1126 	t_audit_data_t *tad = T2A(curthread);
1127 	klwp_t *clwp = ttolwp(curthread);
1128 	uint_t fm;
1129 
1130 	struct a {
1131 		long	filedes;
1132 		long	fnamep;		/* char	* */
1133 		long	fmode;
1134 		long	cmode;
1135 	} *uap = (struct a *)clwp->lwp_ap;
1136 
1137 	fm = (uint_t)uap->fmode;
1138 
1139 	/*
1140 	 * __openattrdirat() does an extra pathname lookup in order to
1141 	 * enter the extended system attribute namespace of the referenced
1142 	 * extended attribute filename.
1143 	 */
1144 	if (fm & FXATTRDIROPEN)
1145 		tad->tad_ctrl |= TAD_MLD;
1146 
1147 	return (open_event(fm));
1148 }
1149 
1150 static void
1151 aus_openat(struct t_audit_data *tad)
1152 {
1153 	klwp_t *clwp = ttolwp(curthread);
1154 	uint_t fm;
1155 
1156 	struct a {
1157 		long	filedes;
1158 		long	fnamep;		/* char	* */
1159 		long	fmode;
1160 		long	cmode;
1161 	} *uap = (struct a *)clwp->lwp_ap;
1162 
1163 	fm = (uint_t)uap->fmode;
1164 
1165 	/* If no write, create, or trunc modes, mark as a public op */
1166 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1167 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1168 }
1169 
1170 static au_event_t
1171 aui_unlinkat(au_event_t e)
1172 {
1173 	klwp_t *clwp = ttolwp(curthread);
1174 
1175 	struct a {
1176 		long	filedes;
1177 		long	fnamep;		/* char	* */
1178 		long	flags;
1179 	} *uap = (struct a *)clwp->lwp_ap;
1180 
1181 	if (uap->flags & AT_REMOVEDIR)
1182 		e = AUE_RMDIR;
1183 	else
1184 		e = AUE_UNLINK;
1185 
1186 	return (e);
1187 }
1188 
1189 static au_event_t
1190 aui_fstatat(au_event_t e)
1191 {
1192 	klwp_t *clwp = ttolwp(curthread);
1193 
1194 	struct a {
1195 		long	filedes;
1196 		long	fnamep;		/* char	* */
1197 		long	statb;
1198 		long	flags;
1199 	} *uap = (struct a *)clwp->lwp_ap;
1200 
1201 	if (uap->fnamep == NULL)
1202 		e = AUE_FSTAT;
1203 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1204 		e = AUE_LSTAT;
1205 	else
1206 		e = AUE_STAT;
1207 
1208 	return (e);
1209 }
1210 
1211 /* msgsys */
1212 static au_event_t
1213 aui_msgsys(au_event_t e)
1214 {
1215 	klwp_t *clwp = ttolwp(curthread);
1216 	uint_t fm;
1217 
1218 	struct a {
1219 		long	id;	/* function code id */
1220 		long	ap;	/* arg pointer for recvmsg */
1221 	} *uap = (struct a *)clwp->lwp_ap;
1222 
1223 	struct b {
1224 		long	msgid;
1225 		long	cmd;
1226 		long	buf;	/* struct msqid_ds * */
1227 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1228 
1229 	fm  = (uint_t)uap->id;
1230 
1231 	switch (fm) {
1232 	case 0:		/* msgget */
1233 		e = AUE_MSGGET;
1234 		break;
1235 	case 1:		/* msgctl */
1236 		switch ((uint_t)uap1->cmd) {
1237 		case IPC_RMID:
1238 			e = AUE_MSGCTL_RMID;
1239 			break;
1240 		case IPC_SET:
1241 			e = AUE_MSGCTL_SET;
1242 			break;
1243 		case IPC_STAT:
1244 			e = AUE_MSGCTL_STAT;
1245 			break;
1246 		default:
1247 			e = AUE_MSGCTL;
1248 			break;
1249 		}
1250 		break;
1251 	case 2:		/* msgrcv */
1252 		e = AUE_MSGRCV;
1253 		break;
1254 	case 3:		/* msgsnd */
1255 		e = AUE_MSGSND;
1256 		break;
1257 	default:	/* illegal system call */
1258 		e = AUE_NULL;
1259 		break;
1260 	}
1261 
1262 	return (e);
1263 }
1264 
1265 
1266 /* shmsys */
1267 static au_event_t
1268 aui_shmsys(au_event_t e)
1269 {
1270 	klwp_t *clwp = ttolwp(curthread);
1271 	int fm;
1272 
1273 	struct a {		/* shmsys */
1274 		long	id;	/* function code id */
1275 	} *uap = (struct a *)clwp->lwp_ap;
1276 
1277 	struct b {		/* ctrl */
1278 		long	shmid;
1279 		long	cmd;
1280 		long	arg;		/* struct shmid_ds * */
1281 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1282 	fm  = (uint_t)uap->id;
1283 
1284 	switch (fm) {
1285 	case 0:		/* shmat */
1286 		e = AUE_SHMAT;
1287 		break;
1288 	case 1:		/* shmctl */
1289 		switch ((uint_t)uap1->cmd) {
1290 		case IPC_RMID:
1291 			e = AUE_SHMCTL_RMID;
1292 			break;
1293 		case IPC_SET:
1294 			e = AUE_SHMCTL_SET;
1295 			break;
1296 		case IPC_STAT:
1297 			e = AUE_SHMCTL_STAT;
1298 			break;
1299 		default:
1300 			e = AUE_SHMCTL;
1301 			break;
1302 		}
1303 		break;
1304 	case 2:		/* shmdt */
1305 		e = AUE_SHMDT;
1306 		break;
1307 	case 3:		/* shmget */
1308 		e = AUE_SHMGET;
1309 		break;
1310 	default:	/* illegal system call */
1311 		e = AUE_NULL;
1312 		break;
1313 	}
1314 
1315 	return (e);
1316 }
1317 
1318 
1319 /* semsys */
1320 static au_event_t
1321 aui_semsys(au_event_t e)
1322 {
1323 	klwp_t *clwp = ttolwp(curthread);
1324 	uint_t fm;
1325 
1326 	struct a {		/* semsys */
1327 		long	id;
1328 	} *uap = (struct a *)clwp->lwp_ap;
1329 
1330 	struct b {		/* ctrl */
1331 		long	semid;
1332 		long	semnum;
1333 		long	cmd;
1334 		long	arg;
1335 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1336 
1337 	fm = (uint_t)uap->id;
1338 
1339 	switch (fm) {
1340 	case 0:		/* semctl */
1341 		switch ((uint_t)uap1->cmd) {
1342 		case IPC_RMID:
1343 			e = AUE_SEMCTL_RMID;
1344 			break;
1345 		case IPC_SET:
1346 			e = AUE_SEMCTL_SET;
1347 			break;
1348 		case IPC_STAT:
1349 			e = AUE_SEMCTL_STAT;
1350 			break;
1351 		case GETNCNT:
1352 			e = AUE_SEMCTL_GETNCNT;
1353 			break;
1354 		case GETPID:
1355 			e = AUE_SEMCTL_GETPID;
1356 			break;
1357 		case GETVAL:
1358 			e = AUE_SEMCTL_GETVAL;
1359 			break;
1360 		case GETALL:
1361 			e = AUE_SEMCTL_GETALL;
1362 			break;
1363 		case GETZCNT:
1364 			e = AUE_SEMCTL_GETZCNT;
1365 			break;
1366 		case SETVAL:
1367 			e = AUE_SEMCTL_SETVAL;
1368 			break;
1369 		case SETALL:
1370 			e = AUE_SEMCTL_SETALL;
1371 			break;
1372 		default:
1373 			e = AUE_SEMCTL;
1374 			break;
1375 		}
1376 		break;
1377 	case 1:		/* semget */
1378 		e = AUE_SEMGET;
1379 		break;
1380 	case 2:		/* semop */
1381 		e = AUE_SEMOP;
1382 		break;
1383 	default:	/* illegal system call */
1384 		e = AUE_NULL;
1385 		break;
1386 	}
1387 
1388 	return (e);
1389 }
1390 
1391 /* utssys - uname(2), ustat(2), fusers(2) */
1392 static au_event_t
1393 aui_utssys(au_event_t e)
1394 {
1395 	klwp_t *clwp = ttolwp(curthread);
1396 	uint_t type;
1397 
1398 	struct a {
1399 		union {
1400 			long	cbuf;		/* char * */
1401 			long	ubuf;		/* struct stat * */
1402 		} ub;
1403 		union {
1404 			long	mv;	/* for USTAT */
1405 			long	flags;	/* for FUSERS */
1406 		} un;
1407 		long	type;
1408 		long	outbp;		/* char * for FUSERS */
1409 	} *uap = (struct a *)clwp->lwp_ap;
1410 
1411 	type = (uint_t)uap->type;
1412 
1413 	if (type == UTS_FUSERS)
1414 		return (e);
1415 	else
1416 		return ((au_event_t)AUE_NULL);
1417 }
1418 
1419 static au_event_t
1420 aui_fcntl(au_event_t e)
1421 {
1422 	klwp_t *clwp = ttolwp(curthread);
1423 	uint_t cmd;
1424 
1425 	struct a {
1426 		long	fdes;
1427 		long	cmd;
1428 		long	arg;
1429 	} *uap = (struct a *)clwp->lwp_ap;
1430 
1431 	cmd = (uint_t)uap->cmd;
1432 
1433 	switch (cmd) {
1434 	case F_GETLK:
1435 	case F_SETLK:
1436 	case F_SETLKW:
1437 		break;
1438 	case F_SETFL:
1439 	case F_GETFL:
1440 	case F_GETFD:
1441 		break;
1442 	default:
1443 		e = (au_event_t)AUE_NULL;
1444 		break;
1445 	}
1446 	return ((au_event_t)e);
1447 }
1448 
1449 /* null function for now */
1450 static au_event_t
1451 aui_execve(au_event_t e)
1452 {
1453 	return (e);
1454 }
1455 
1456 /*ARGSUSED*/
1457 static void
1458 aus_fcntl(struct t_audit_data *tad)
1459 {
1460 	klwp_t *clwp = ttolwp(curthread);
1461 	uint32_t cmd, fd, flags;
1462 	struct file  *fp;
1463 	struct vnode *vp;
1464 	struct f_audit_data *fad;
1465 
1466 	struct a {
1467 		long	fd;
1468 		long	cmd;
1469 		long	arg;
1470 	} *uap = (struct a *)clwp->lwp_ap;
1471 
1472 	cmd	= (uint32_t)uap->cmd;
1473 	fd	= (uint32_t)uap->fd;
1474 	flags	= (uint32_t)uap->arg;
1475 
1476 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1477 
1478 	if (cmd == F_SETFL)
1479 		au_uwrite(au_to_arg32(3, "flags", flags));
1480 
1481 		/*
1482 		 * convert file pointer to file descriptor
1483 		 *   Note: fd ref count incremented here.
1484 		 */
1485 	if ((fp = getf(fd)) == NULL)
1486 		return;
1487 
1488 	/* get path from file struct here */
1489 	fad = F2A(fp);
1490 	if (fad->fad_aupath != NULL) {
1491 		au_uwrite(au_to_path(fad->fad_aupath));
1492 	} else {
1493 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1494 	}
1495 
1496 	vp = fp->f_vnode;
1497 	audit_attributes(vp);
1498 
1499 	/* decrement file descriptor reference count */
1500 	releasef(fd);
1501 }
1502 
1503 /*ARGSUSED*/
1504 static void
1505 aus_kill(struct t_audit_data *tad)
1506 {
1507 	klwp_t *clwp = ttolwp(curthread);
1508 	struct proc *p;
1509 	uint32_t signo;
1510 	uid_t uid, ruid;
1511 	gid_t gid, rgid;
1512 	pid_t pid;
1513 	const auditinfo_addr_t *ainfo;
1514 	cred_t *cr;
1515 
1516 	struct a {
1517 		long	pid;
1518 		long	signo;
1519 	} *uap = (struct a *)clwp->lwp_ap;
1520 
1521 	pid   = (pid_t)uap->pid;
1522 	signo = (uint32_t)uap->signo;
1523 
1524 	au_uwrite(au_to_arg32(2, "signal", signo));
1525 	if (pid > 0) {
1526 		mutex_enter(&pidlock);
1527 		if (((p = prfind(pid)) == (struct proc *)0) ||
1528 		    (p->p_stat == SIDL)) {
1529 			mutex_exit(&pidlock);
1530 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1531 			return;
1532 		}
1533 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1534 		mutex_exit(&pidlock);
1535 
1536 		mutex_enter(&p->p_crlock);
1537 		crhold(cr = p->p_cred);
1538 		mutex_exit(&p->p_crlock);
1539 		mutex_exit(&p->p_lock);
1540 
1541 		ainfo = crgetauinfo(cr);
1542 		if (ainfo == NULL) {
1543 			crfree(cr);
1544 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1545 			return;
1546 		}
1547 
1548 		uid  = crgetuid(cr);
1549 		gid  = crgetgid(cr);
1550 		ruid = crgetruid(cr);
1551 		rgid = crgetrgid(cr);
1552 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1553 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1554 
1555 		if (is_system_labeled())
1556 			au_uwrite(au_to_label(CR_SL(cr)));
1557 
1558 		crfree(cr);
1559 	}
1560 	else
1561 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1562 }
1563 
1564 /*ARGSUSED*/
1565 static void
1566 aus_mkdir(struct t_audit_data *tad)
1567 {
1568 	klwp_t *clwp = ttolwp(curthread);
1569 	uint32_t dmode;
1570 
1571 	struct a {
1572 		long	dirnamep;		/* char * */
1573 		long	dmode;
1574 	} *uap = (struct a *)clwp->lwp_ap;
1575 
1576 	dmode = (uint32_t)uap->dmode;
1577 
1578 	au_uwrite(au_to_arg32(2, "mode", dmode));
1579 }
1580 
1581 /*ARGSUSED*/
1582 static void
1583 aus_mkdirat(struct t_audit_data *tad)
1584 {
1585 	klwp_t *clwp = ttolwp(curthread);
1586 	uint32_t dmode;
1587 
1588 	struct a {
1589 		long	fd;
1590 		long	dirnamep;		/* char * */
1591 		long	dmode;
1592 	} *uap = (struct a *)clwp->lwp_ap;
1593 
1594 	dmode = (uint32_t)uap->dmode;
1595 
1596 	au_uwrite(au_to_arg32(2, "mode", dmode));
1597 }
1598 
1599 /*ARGSUSED*/
1600 static void
1601 aus_mknod(struct t_audit_data *tad)
1602 {
1603 	klwp_t *clwp = ttolwp(curthread);
1604 	uint32_t fmode;
1605 	dev_t dev;
1606 
1607 	struct a {
1608 		long	pnamep;		/* char * */
1609 		long	fmode;
1610 		long	dev;
1611 	} *uap = (struct a *)clwp->lwp_ap;
1612 
1613 	fmode = (uint32_t)uap->fmode;
1614 	dev   = (dev_t)uap->dev;
1615 
1616 	au_uwrite(au_to_arg32(2, "mode", fmode));
1617 #ifdef _LP64
1618 	au_uwrite(au_to_arg64(3, "dev", dev));
1619 #else
1620 	au_uwrite(au_to_arg32(3, "dev", dev));
1621 #endif
1622 }
1623 
1624 /*ARGSUSED*/
1625 static void
1626 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1627 {
1628 	klwp_t *clwp = ttolwp(curthread);
1629 	vnode_t	*dvp;
1630 	caddr_t pnamep;
1631 
1632 	struct a {
1633 		long	pnamep;		/* char * */
1634 		long	fmode;
1635 		long	dev;
1636 	} *uap = (struct a *)clwp->lwp_ap;
1637 
1638 	/* no error, then already path token in audit record */
1639 	if (error != EPERM && error != EINVAL)
1640 		return;
1641 
1642 	/* do the lookup to force generation of path token */
1643 	pnamep = (caddr_t)uap->pnamep;
1644 	tad->tad_ctrl |= TAD_NOATTRB;
1645 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1646 	if (error == 0)
1647 		VN_RELE(dvp);
1648 }
1649 
1650 /*ARGSUSED*/
1651 static void
1652 aus_mknodat(struct t_audit_data *tad)
1653 {
1654 	klwp_t *clwp = ttolwp(curthread);
1655 	uint32_t fmode;
1656 	dev_t dev;
1657 
1658 	struct a {
1659 		long	fd;
1660 		long	pnamep;		/* char * */
1661 		long	fmode;
1662 		long	dev;
1663 	} *uap = (struct a *)clwp->lwp_ap;
1664 
1665 	fmode = (uint32_t)uap->fmode;
1666 	dev   = (dev_t)uap->dev;
1667 
1668 	au_uwrite(au_to_arg32(2, "mode", fmode));
1669 #ifdef _LP64
1670 	au_uwrite(au_to_arg64(3, "dev", dev));
1671 #else
1672 	au_uwrite(au_to_arg32(3, "dev", dev));
1673 #endif
1674 }
1675 
1676 /*ARGSUSED*/
1677 static void
1678 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1679 {
1680 	klwp_t *clwp = ttolwp(curthread);
1681 	vnode_t	*startvp;
1682 	vnode_t	*dvp;
1683 	caddr_t pnamep;
1684 	int fd;
1685 
1686 	struct a {
1687 		long	fd;
1688 		long	pnamep;		/* char * */
1689 		long	fmode;
1690 		long	dev;
1691 	} *uap = (struct a *)clwp->lwp_ap;
1692 
1693 	/* no error, then already path token in audit record */
1694 	if (error != EPERM && error != EINVAL)
1695 		return;
1696 
1697 	/* do the lookup to force generation of path token */
1698 	fd = (int)uap->fd;
1699 	pnamep = (caddr_t)uap->pnamep;
1700 	if (pnamep == NULL ||
1701 	    fgetstartvp(fd, pnamep, &startvp) != 0)
1702 		return;
1703 	tad->tad_ctrl |= TAD_NOATTRB;
1704 	error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1705 	    startvp);
1706 	if (error == 0)
1707 		VN_RELE(dvp);
1708 	if (startvp != NULL)
1709 		VN_RELE(startvp);
1710 }
1711 
1712 /*ARGSUSED*/
1713 static void
1714 aus_mount(struct t_audit_data *tad)
1715 {	/* AUS_START */
1716 	klwp_t *clwp = ttolwp(curthread);
1717 	uint32_t flags;
1718 	uintptr_t u_fstype, dataptr;
1719 	STRUCT_DECL(nfs_args, nfsargs);
1720 	size_t len;
1721 	char *fstype, *hostname;
1722 
1723 	struct a {
1724 		long	spec;		/* char    * */
1725 		long	dir;		/* char    * */
1726 		long	flags;
1727 		long	fstype;		/* char    * */
1728 		long	dataptr;	/* char    * */
1729 		long	datalen;
1730 	} *uap = (struct a *)clwp->lwp_ap;
1731 
1732 	u_fstype = (uintptr_t)uap->fstype;
1733 	flags    = (uint32_t)uap->flags;
1734 	dataptr  = (uintptr_t)uap->dataptr;
1735 
1736 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1737 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1738 		goto mount_free_fstype;
1739 
1740 	au_uwrite(au_to_arg32(3, "flags", flags));
1741 	au_uwrite(au_to_text(fstype));
1742 
1743 	if (strncmp(fstype, "nfs", 3) == 0) {
1744 
1745 		STRUCT_INIT(nfsargs, get_udatamodel());
1746 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1747 
1748 		if (copyin((caddr_t)dataptr,
1749 				STRUCT_BUF(nfsargs),
1750 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1751 			/* DEBUG debug_enter((char *)NULL); */
1752 			goto mount_free_fstype;
1753 		}
1754 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1755 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1756 				(caddr_t)hostname,
1757 				MAXNAMELEN, &len)) {
1758 			goto mount_free_hostname;
1759 		}
1760 		au_uwrite(au_to_text(hostname));
1761 		au_uwrite(au_to_arg32(3, "internal flags",
1762 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1763 
1764 mount_free_hostname:
1765 		kmem_free(hostname, MAXNAMELEN);
1766 	}
1767 
1768 mount_free_fstype:
1769 	kmem_free(fstype, MAXNAMELEN);
1770 }	/* AUS_MOUNT */
1771 
1772 static void
1773 aus_umount_path(caddr_t umount_dir)
1774 {
1775 	char			*dir_path;
1776 	struct audit_path	*path;
1777 	size_t			path_len, dir_len;
1778 
1779 	/* length alloc'd for two string pointers */
1780 	path_len = sizeof (struct audit_path) + sizeof (char *);
1781 	path = kmem_alloc(path_len, KM_SLEEP);
1782 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1783 
1784 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1785 	    MAXPATHLEN, &dir_len))
1786 		goto umount2_free_dir;
1787 
1788 	/*
1789 	 * the audit_path struct assumes that the buffer pointed to
1790 	 * by audp_sect[n] contains string 0 immediatedly followed
1791 	 * by string 1.
1792 	 */
1793 	path->audp_sect[0] = dir_path;
1794 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1795 	path->audp_size = path_len;
1796 	path->audp_ref = 1;		/* not used */
1797 	path->audp_cnt = 1;		/* one path string */
1798 
1799 	au_uwrite(au_to_path(path));
1800 
1801 umount2_free_dir:
1802 	kmem_free(dir_path, MAXPATHLEN);
1803 	kmem_free(path, path_len);
1804 }
1805 
1806 /*ARGSUSED*/
1807 static void
1808 aus_umount2(struct t_audit_data *tad)
1809 {
1810 	klwp_t			*clwp = ttolwp(curthread);
1811 	struct a {
1812 		long	dir;		/* char    * */
1813 		long	flags;
1814 	} *uap = (struct a *)clwp->lwp_ap;
1815 
1816 	aus_umount_path((caddr_t)uap->dir);
1817 
1818 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1819 }
1820 
1821 static void
1822 aus_msgsys(struct t_audit_data *tad)
1823 {
1824 	klwp_t *clwp = ttolwp(curthread);
1825 	uint32_t msgid;
1826 
1827 	struct b {
1828 		long	msgid;
1829 		long	cmd;
1830 		long	buf;		/* struct msqid_ds * */
1831 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1832 
1833 	msgid = (uint32_t)uap1->msgid;
1834 
1835 
1836 	switch (tad->tad_event) {
1837 	case AUE_MSGGET:		/* msgget */
1838 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1839 		break;
1840 	case AUE_MSGCTL:		/* msgctl */
1841 	case AUE_MSGCTL_RMID:		/* msgctl */
1842 	case AUE_MSGCTL_SET:		/* msgctl */
1843 	case AUE_MSGCTL_STAT:		/* msgctl */
1844 	case AUE_MSGRCV:		/* msgrcv */
1845 	case AUE_MSGSND:		/* msgsnd */
1846 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1847 		break;
1848 	}
1849 }
1850 
1851 /*ARGSUSED*/
1852 static void
1853 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1854 {
1855 	int id;
1856 
1857 	if (error != 0)
1858 		return;
1859 	if (tad->tad_event == AUE_MSGGET) {
1860 		uint32_t scid;
1861 		uint32_t sy_flags;
1862 
1863 		/* need to determine type of executing binary */
1864 		scid = tad->tad_scid;
1865 #ifdef _SYSCALL32_IMPL
1866 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1867 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1868 		else
1869 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1870 #else
1871 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1872 #endif
1873 		if (sy_flags == SE_32RVAL1)
1874 			id = rval->r_val1;
1875 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1876 			id = rval->r_val1;
1877 		if (sy_flags == SE_64RVAL)
1878 			id = (int)rval->r_vals;
1879 
1880 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1881 	}
1882 }
1883 
1884 static void
1885 aus_semsys(struct t_audit_data *tad)
1886 {
1887 	klwp_t *clwp = ttolwp(curthread);
1888 	uint32_t semid;
1889 
1890 	struct b {		/* ctrl */
1891 		long	semid;
1892 		long	semnum;
1893 		long	cmd;
1894 		long	arg;
1895 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1896 
1897 	semid = (uint32_t)uap1->semid;
1898 
1899 	switch (tad->tad_event) {
1900 	case AUE_SEMCTL_RMID:
1901 	case AUE_SEMCTL_STAT:
1902 	case AUE_SEMCTL_GETNCNT:
1903 	case AUE_SEMCTL_GETPID:
1904 	case AUE_SEMCTL_GETVAL:
1905 	case AUE_SEMCTL_GETALL:
1906 	case AUE_SEMCTL_GETZCNT:
1907 	case AUE_SEMCTL_SET:
1908 	case AUE_SEMCTL_SETVAL:
1909 	case AUE_SEMCTL_SETALL:
1910 	case AUE_SEMCTL:
1911 	case AUE_SEMOP:
1912 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1913 		break;
1914 	case AUE_SEMGET:
1915 		au_uwrite(au_to_arg32(1, "sem key", semid));
1916 		break;
1917 	}
1918 }
1919 
1920 /*ARGSUSED*/
1921 static void
1922 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1923 {
1924 	int id;
1925 
1926 	if (error != 0)
1927 		return;
1928 	if (tad->tad_event == AUE_SEMGET) {
1929 		uint32_t scid;
1930 		uint32_t sy_flags;
1931 
1932 		/* need to determine type of executing binary */
1933 		scid = tad->tad_scid;
1934 #ifdef _SYSCALL32_IMPL
1935 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1936 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1937 		else
1938 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1939 #else
1940 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1941 #endif
1942 		if (sy_flags == SE_32RVAL1)
1943 			id = rval->r_val1;
1944 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1945 			id = rval->r_val1;
1946 		if (sy_flags == SE_64RVAL)
1947 			id = (int)rval->r_vals;
1948 
1949 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1950 	}
1951 }
1952 
1953 /*ARGSUSED*/
1954 static void
1955 aus_close(struct t_audit_data *tad)
1956 {
1957 	klwp_t *clwp = ttolwp(curthread);
1958 	uint32_t fd;
1959 	struct file *fp;
1960 	struct f_audit_data *fad;
1961 	struct vnode *vp;
1962 	struct vattr attr;
1963 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1964 
1965 	struct a {
1966 		long	i;
1967 	} *uap = (struct a *)clwp->lwp_ap;
1968 
1969 	fd = (uint32_t)uap->i;
1970 
1971 	attr.va_mask = 0;
1972 	au_uwrite(au_to_arg32(1, "fd", fd));
1973 
1974 		/*
1975 		 * convert file pointer to file descriptor
1976 		 *   Note: fd ref count incremented here.
1977 		 */
1978 	if ((fp = getf(fd)) == NULL)
1979 		return;
1980 
1981 	fad = F2A(fp);
1982 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1983 	if (fad->fad_aupath != NULL) {
1984 		au_uwrite(au_to_path(fad->fad_aupath));
1985 		if ((vp = fp->f_vnode) != NULL) {
1986 			attr.va_mask = AT_ALL;
1987 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1988 				/*
1989 				 * When write was not used and the file can be
1990 				 * considered public, skip the audit.
1991 				 */
1992 				if (((fp->f_flag & FWRITE) == 0) &&
1993 				    object_is_public(&attr)) {
1994 					tad->tad_flag = 0;
1995 					tad->tad_evmod = 0;
1996 					/* free any residual audit data */
1997 					au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1998 					releasef(fd);
1999 					return;
2000 				}
2001 				au_uwrite(au_to_attr(&attr));
2002 				audit_sec_attributes(&(u_ad), vp);
2003 			}
2004 		}
2005 	}
2006 
2007 	/* decrement file descriptor reference count */
2008 	releasef(fd);
2009 }
2010 
2011 /*ARGSUSED*/
2012 static void
2013 aus_fstatfs(struct t_audit_data *tad)
2014 {
2015 	klwp_t *clwp = ttolwp(curthread);
2016 	uint32_t fd;
2017 	struct file  *fp;
2018 	struct vnode *vp;
2019 	struct f_audit_data *fad;
2020 
2021 	struct a {
2022 		long	fd;
2023 		long	buf;		/* struct statfs * */
2024 	} *uap = (struct a *)clwp->lwp_ap;
2025 
2026 	fd = (uint_t)uap->fd;
2027 
2028 		/*
2029 		 * convert file pointer to file descriptor
2030 		 *   Note: fd ref count incremented here.
2031 		 */
2032 	if ((fp = getf(fd)) == NULL)
2033 		return;
2034 
2035 		/* get path from file struct here */
2036 	fad = F2A(fp);
2037 	if (fad->fad_aupath != NULL) {
2038 		au_uwrite(au_to_path(fad->fad_aupath));
2039 	} else {
2040 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2041 	}
2042 
2043 	vp = fp->f_vnode;
2044 	audit_attributes(vp);
2045 
2046 	/* decrement file descriptor reference count */
2047 	releasef(fd);
2048 }
2049 
2050 static au_event_t
2051 aui_setpgrp(au_event_t e)
2052 {
2053 	klwp_t *clwp = ttolwp(curthread);
2054 	int flag;
2055 
2056 	struct a {
2057 		long	flag;
2058 		long	pid;
2059 		long	pgid;
2060 	} *uap = (struct a *)clwp->lwp_ap;
2061 
2062 	flag = (int)uap->flag;
2063 
2064 
2065 	switch (flag) {
2066 
2067 	case 1:	/* setpgrp() */
2068 		e = AUE_SETPGRP;
2069 		break;
2070 
2071 	case 3: /* setsid() */
2072 		e = AUE_SETSID;
2073 		break;
2074 
2075 	case 5: /* setpgid() */
2076 		e = AUE_SETPGID;
2077 		break;
2078 
2079 	case 0: /* getpgrp()	- not security relevant */
2080 	case 2: /* getsid()	- not security relevant */
2081 	case 4: /* getpgid() 	- not security relevant */
2082 		e = AUE_NULL;
2083 		break;
2084 
2085 	default:
2086 		e = AUE_NULL;
2087 		break;
2088 	}
2089 
2090 	return (e);
2091 }
2092 
2093 /*ARGSUSED*/
2094 static void
2095 aus_setpgrp(struct t_audit_data *tad)
2096 {
2097 	klwp_t		*clwp = ttolwp(curthread);
2098 	pid_t		pgid;
2099 	struct proc	*p;
2100 	uid_t		uid, ruid;
2101 	gid_t		gid, rgid;
2102 	pid_t		pid;
2103 	cred_t		*cr;
2104 	int		flag;
2105 	const auditinfo_addr_t	*ainfo;
2106 
2107 	struct a {
2108 		long	flag;
2109 		long	pid;
2110 		long	pgid;
2111 	} *uap = (struct a *)clwp->lwp_ap;
2112 
2113 	flag = (int)uap->flag;
2114 	pid  = (pid_t)uap->pid;
2115 	pgid = (pid_t)uap->pgid;
2116 
2117 
2118 	switch (flag) {
2119 
2120 	case 0: /* getpgrp() */
2121 	case 1: /* setpgrp() */
2122 	case 2: /* getsid() */
2123 	case 3: /* setsid() */
2124 	case 4: /* getpgid() */
2125 		break;
2126 
2127 	case 5: /* setpgid() */
2128 
2129 		/* current process? */
2130 		if (pid == 0) {
2131 			return;
2132 		}
2133 
2134 		mutex_enter(&pidlock);
2135 		p = prfind(pid);
2136 		if (p == NULL || p->p_as == &kas ||
2137 		    p->p_stat == SIDL || p->p_stat == SZOMB) {
2138 			mutex_exit(&pidlock);
2139 			return;
2140 		}
2141 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
2142 		mutex_exit(&pidlock);
2143 
2144 		mutex_enter(&p->p_crlock);
2145 		crhold(cr = p->p_cred);
2146 		mutex_exit(&p->p_crlock);
2147 		mutex_exit(&p->p_lock);
2148 
2149 		ainfo = crgetauinfo(cr);
2150 		if (ainfo == NULL) {
2151 			crfree(cr);
2152 			return;
2153 		}
2154 
2155 		uid  = crgetuid(cr);
2156 		gid  = crgetgid(cr);
2157 		ruid = crgetruid(cr);
2158 		rgid = crgetrgid(cr);
2159 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2160 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2161 		crfree(cr);
2162 		au_uwrite(au_to_arg32(2, "pgid", pgid));
2163 		break;
2164 
2165 	default:
2166 		break;
2167 	}
2168 }
2169 
2170 
2171 /*ARGSUSED*/
2172 static void
2173 aus_setregid(struct t_audit_data *tad)
2174 {
2175 	klwp_t *clwp = ttolwp(curthread);
2176 	uint32_t rgid, egid;
2177 
2178 	struct a {
2179 		long	 rgid;
2180 		long	 egid;
2181 	} *uap = (struct a *)clwp->lwp_ap;
2182 
2183 	rgid  = (uint32_t)uap->rgid;
2184 	egid  = (uint32_t)uap->egid;
2185 
2186 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2187 	au_uwrite(au_to_arg32(2, "egid", egid));
2188 }
2189 
2190 /*ARGSUSED*/
2191 static void
2192 aus_setgid(struct t_audit_data *tad)
2193 {
2194 	klwp_t *clwp = ttolwp(curthread);
2195 	uint32_t gid;
2196 
2197 	struct a {
2198 		long	gid;
2199 	} *uap = (struct a *)clwp->lwp_ap;
2200 
2201 	gid = (uint32_t)uap->gid;
2202 
2203 	au_uwrite(au_to_arg32(1, "gid", gid));
2204 }
2205 
2206 
2207 /*ARGSUSED*/
2208 static void
2209 aus_setreuid(struct t_audit_data *tad)
2210 {
2211 	klwp_t *clwp = ttolwp(curthread);
2212 	uint32_t ruid, euid;
2213 
2214 	struct a {
2215 		long	ruid;
2216 		long	euid;
2217 	} *uap = (struct a *)clwp->lwp_ap;
2218 
2219 	ruid = (uint32_t)uap->ruid;
2220 	euid  = (uint32_t)uap->euid;
2221 
2222 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2223 	au_uwrite(au_to_arg32(2, "euid", euid));
2224 }
2225 
2226 
2227 /*ARGSUSED*/
2228 static void
2229 aus_setuid(struct t_audit_data *tad)
2230 {
2231 	klwp_t *clwp = ttolwp(curthread);
2232 	uint32_t uid;
2233 
2234 	struct a {
2235 		long	uid;
2236 	} *uap = (struct a *)clwp->lwp_ap;
2237 
2238 	uid = (uint32_t)uap->uid;
2239 
2240 	au_uwrite(au_to_arg32(1, "uid", uid));
2241 }
2242 
2243 /*ARGSUSED*/
2244 static void
2245 aus_shmsys(struct t_audit_data *tad)
2246 {
2247 	klwp_t *clwp = ttolwp(curthread);
2248 	uint32_t id, cmd;
2249 
2250 	struct b {
2251 		long	id;
2252 		long	cmd;
2253 		long	buf;		/* struct shmid_ds * */
2254 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2255 
2256 	id  = (uint32_t)uap1->id;
2257 	cmd = (uint32_t)uap1->cmd;
2258 
2259 	switch (tad->tad_event) {
2260 	case AUE_SHMGET:			/* shmget */
2261 		au_uwrite(au_to_arg32(1, "shm key", id));
2262 		break;
2263 	case AUE_SHMCTL:			/* shmctl */
2264 	case AUE_SHMCTL_RMID:			/* shmctl */
2265 	case AUE_SHMCTL_STAT:			/* shmctl */
2266 	case AUE_SHMCTL_SET:			/* shmctl */
2267 		au_uwrite(au_to_arg32(1, "shm ID", id));
2268 		break;
2269 	case AUE_SHMDT:				/* shmdt */
2270 		au_uwrite(au_to_arg32(1, "shm adr", id));
2271 		break;
2272 	case AUE_SHMAT:				/* shmat */
2273 		au_uwrite(au_to_arg32(1, "shm ID", id));
2274 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2275 		break;
2276 	}
2277 }
2278 
2279 /*ARGSUSED*/
2280 static void
2281 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2282 {
2283 	int id;
2284 
2285 	if (error != 0)
2286 		return;
2287 	if (tad->tad_event == AUE_SHMGET) {
2288 		uint32_t scid;
2289 		uint32_t sy_flags;
2290 
2291 		/* need to determine type of executing binary */
2292 		scid = tad->tad_scid;
2293 #ifdef _SYSCALL32_IMPL
2294 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2295 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2296 		else
2297 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2298 #else
2299 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2300 #endif
2301 		if (sy_flags == SE_32RVAL1)
2302 			id = rval->r_val1;
2303 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2304 			id = rval->r_val1;
2305 		if (sy_flags == SE_64RVAL)
2306 			id = (int)rval->r_vals;
2307 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2308 	}
2309 }
2310 
2311 
2312 /*ARGSUSED*/
2313 static void
2314 aus_ioctl(struct t_audit_data *tad)
2315 {
2316 	klwp_t *clwp = ttolwp(curthread);
2317 	struct file *fp;
2318 	struct vnode *vp;
2319 	struct f_audit_data *fad;
2320 	uint32_t fd, cmd;
2321 	uintptr_t cmarg;
2322 
2323 	/* XX64 */
2324 	struct a {
2325 		long	fd;
2326 		long	cmd;
2327 		long	cmarg;		/* caddr_t */
2328 	} *uap = (struct a *)clwp->lwp_ap;
2329 
2330 	fd    = (uint32_t)uap->fd;
2331 	cmd   = (uint32_t)uap->cmd;
2332 	cmarg = (uintptr_t)uap->cmarg;
2333 
2334 		/*
2335 		 * convert file pointer to file descriptor
2336 		 *   Note: fd ref count incremented here.
2337 		 */
2338 	if ((fp = getf(fd)) == NULL) {
2339 		au_uwrite(au_to_arg32(1, "fd", fd));
2340 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2341 #ifndef _LP64
2342 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2343 #else
2344 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2345 #endif
2346 		return;
2347 	}
2348 
2349 	/* get path from file struct here */
2350 	fad = F2A(fp);
2351 	if (fad->fad_aupath != NULL) {
2352 		au_uwrite(au_to_path(fad->fad_aupath));
2353 	} else {
2354 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2355 	}
2356 
2357 	vp = fp->f_vnode;
2358 	audit_attributes(vp);
2359 
2360 	/* decrement file descriptor reference count */
2361 	releasef(fd);
2362 
2363 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2364 #ifndef _LP64
2365 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2366 #else
2367 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2368 #endif
2369 }
2370 
2371 /*
2372  * null function for memcntl for now. We might want to limit memcntl()
2373  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2374  * require privileges.
2375  */
2376 static au_event_t
2377 aui_memcntl(au_event_t e)
2378 {
2379 	return (e);
2380 }
2381 
2382 /*ARGSUSED*/
2383 static au_event_t
2384 aui_privsys(au_event_t e)
2385 {
2386 	klwp_t *clwp = ttolwp(curthread);
2387 
2388 	struct a {
2389 		long	opcode;
2390 	} *uap = (struct a *)clwp->lwp_ap;
2391 
2392 	switch (uap->opcode) {
2393 	case PRIVSYS_SETPPRIV:
2394 		return (AUE_SETPPRIV);
2395 	default:
2396 		return (AUE_NULL);
2397 	}
2398 }
2399 
2400 /*ARGSUSED*/
2401 static void
2402 aus_memcntl(struct t_audit_data *tad)
2403 {
2404 	klwp_t *clwp = ttolwp(curthread);
2405 
2406 	struct a {
2407 		long	addr;
2408 		long	len;
2409 		long	cmd;
2410 		long	arg;
2411 		long	attr;
2412 		long	mask;
2413 	} *uap = (struct a *)clwp->lwp_ap;
2414 
2415 #ifdef _LP64
2416 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2417 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2418 #else
2419 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2420 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2421 #endif
2422 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2423 #ifdef _LP64
2424 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2425 #else
2426 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2427 #endif
2428 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2429 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2430 }
2431 
2432 /*ARGSUSED*/
2433 static void
2434 aus_mmap(struct t_audit_data *tad)
2435 {
2436 	klwp_t *clwp = ttolwp(curthread);
2437 	struct file *fp;
2438 	struct f_audit_data *fad;
2439 	struct vnode *vp;
2440 	uint32_t fd;
2441 
2442 	struct a {
2443 		long	addr;
2444 		long	len;
2445 		long	prot;
2446 		long	flags;
2447 		long	fd;
2448 		long	pos;
2449 	} *uap = (struct a *)clwp->lwp_ap;
2450 
2451 	fd = (uint32_t)uap->fd;
2452 
2453 #ifdef _LP64
2454 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2455 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2456 #else
2457 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2458 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2459 #endif
2460 
2461 	if ((fp = getf(fd)) == NULL) {
2462 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2463 		return;
2464 	}
2465 
2466 	/*
2467 	 * Mark in the tad if write access is NOT requested... if
2468 	 * this is later detected (in audit_attributes) to be a
2469 	 * public object, the mmap event may be discarded.
2470 	 */
2471 	if (((uap->prot) & PROT_WRITE) == 0) {
2472 		tad->tad_ctrl |= TAD_PUBLIC_EV;
2473 	}
2474 
2475 	fad = F2A(fp);
2476 	if (fad->fad_aupath != NULL) {
2477 		au_uwrite(au_to_path(fad->fad_aupath));
2478 	} else {
2479 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2480 	}
2481 
2482 	vp = (struct vnode *)fp->f_vnode;
2483 	audit_attributes(vp);
2484 
2485 	/* mark READ/WRITE since we can't predict access */
2486 	if (uap->prot & PROT_READ)
2487 		fad->fad_flags |= FAD_READ;
2488 	if (uap->prot & PROT_WRITE)
2489 		fad->fad_flags |= FAD_WRITE;
2490 
2491 	/* decrement file descriptor reference count */
2492 	releasef(fd);
2493 
2494 }	/* AUS_MMAP */
2495 
2496 
2497 
2498 
2499 /*ARGSUSED*/
2500 static void
2501 aus_munmap(struct t_audit_data *tad)
2502 {
2503 	klwp_t *clwp = ttolwp(curthread);
2504 
2505 	struct a {
2506 		long	addr;
2507 		long	len;
2508 	} *uap = (struct a *)clwp->lwp_ap;
2509 
2510 #ifdef _LP64
2511 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2512 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2513 #else
2514 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2515 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2516 #endif
2517 
2518 }	/* AUS_MUNMAP */
2519 
2520 
2521 
2522 
2523 
2524 
2525 
2526 /*ARGSUSED*/
2527 static void
2528 aus_priocntlsys(struct t_audit_data *tad)
2529 {
2530 	klwp_t *clwp = ttolwp(curthread);
2531 
2532 	struct a {
2533 		long	pc_version;
2534 		long	psp;		/* procset_t */
2535 		long	cmd;
2536 		long	arg;
2537 	} *uap = (struct a *)clwp->lwp_ap;
2538 
2539 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2540 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2541 
2542 }	/* AUS_PRIOCNTLSYS */
2543 
2544 
2545 /*ARGSUSED*/
2546 static void
2547 aus_setegid(struct t_audit_data *tad)
2548 {
2549 	klwp_t *clwp = ttolwp(curthread);
2550 	uint32_t gid;
2551 
2552 	struct a {
2553 		long	gid;
2554 	} *uap = (struct a *)clwp->lwp_ap;
2555 
2556 	gid = (uint32_t)uap->gid;
2557 
2558 	au_uwrite(au_to_arg32(1, "gid", gid));
2559 }	/* AUS_SETEGID */
2560 
2561 
2562 
2563 
2564 /*ARGSUSED*/
2565 static void
2566 aus_setgroups(struct t_audit_data *tad)
2567 {
2568 	klwp_t *clwp = ttolwp(curthread);
2569 	int i;
2570 	int gidsetsize;
2571 	uintptr_t gidset;
2572 	gid_t *gidlist;
2573 
2574 	struct a {
2575 		long	gidsetsize;
2576 		long	gidset;
2577 	} *uap = (struct a *)clwp->lwp_ap;
2578 
2579 	gidsetsize = (uint_t)uap->gidsetsize;
2580 	gidset = (uintptr_t)uap->gidset;
2581 
2582 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2583 		return;
2584 	if (gidsetsize != 0) {
2585 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2586 		    KM_SLEEP);
2587 		if (copyin((caddr_t)gidset, gidlist,
2588 		    gidsetsize * sizeof (gid_t)) == 0)
2589 			for (i = 0; i < gidsetsize; i++)
2590 				au_uwrite(au_to_arg32(1, "setgroups",
2591 				    (uint32_t)gidlist[i]));
2592 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2593 	} else
2594 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2595 
2596 }	/* AUS_SETGROUPS */
2597 
2598 
2599 
2600 
2601 
2602 /*ARGSUSED*/
2603 static void
2604 aus_seteuid(struct t_audit_data *tad)
2605 {
2606 	klwp_t *clwp = ttolwp(curthread);
2607 	uint32_t uid;
2608 
2609 	struct a {
2610 		long	uid;
2611 	} *uap = (struct a *)clwp->lwp_ap;
2612 
2613 	uid = (uint32_t)uap->uid;
2614 
2615 	au_uwrite(au_to_arg32(1, "euid", uid));
2616 
2617 }	/* AUS_SETEUID */
2618 
2619 /*ARGSUSED*/
2620 static void
2621 aus_putmsg(struct t_audit_data *tad)
2622 {
2623 	klwp_t *clwp = ttolwp(curthread);
2624 	uint32_t fd, pri;
2625 	struct file *fp;
2626 	struct f_audit_data *fad;
2627 
2628 	struct a {
2629 		long	fdes;
2630 		long	ctl;		/* struct strbuf * */
2631 		long	data;		/* struct strbuf * */
2632 		long	pri;
2633 	} *uap = (struct a *)clwp->lwp_ap;
2634 
2635 	fd  = (uint32_t)uap->fdes;
2636 	pri = (uint32_t)uap->pri;
2637 
2638 	au_uwrite(au_to_arg32(1, "fd", fd));
2639 
2640 	if ((fp = getf(fd)) != NULL) {
2641 		fad = F2A(fp);
2642 
2643 		fad->fad_flags |= FAD_WRITE;
2644 
2645 		/* add path name to audit record */
2646 		if (fad->fad_aupath != NULL) {
2647 			au_uwrite(au_to_path(fad->fad_aupath));
2648 		}
2649 		audit_attributes(fp->f_vnode);
2650 
2651 		releasef(fd);
2652 	}
2653 
2654 	au_uwrite(au_to_arg32(4, "pri", pri));
2655 }
2656 
2657 /*ARGSUSED*/
2658 static void
2659 aus_putpmsg(struct t_audit_data *tad)
2660 {
2661 	klwp_t *clwp = ttolwp(curthread);
2662 	uint32_t fd, pri, flags;
2663 	struct file *fp;
2664 	struct f_audit_data *fad;
2665 
2666 	struct a {
2667 		long	fdes;
2668 		long	ctl;		/* struct strbuf * */
2669 		long	data;		/* struct strbuf * */
2670 		long	pri;
2671 		long	flags;
2672 	} *uap = (struct a *)clwp->lwp_ap;
2673 
2674 	fd = (uint32_t)uap->fdes;
2675 	pri  = (uint32_t)uap->pri;
2676 	flags  = (uint32_t)uap->flags;
2677 
2678 	au_uwrite(au_to_arg32(1, "fd", fd));
2679 
2680 	if ((fp = getf(fd)) != NULL) {
2681 		fad = F2A(fp);
2682 
2683 		fad->fad_flags |= FAD_WRITE;
2684 
2685 		/* add path name to audit record */
2686 		if (fad->fad_aupath != NULL) {
2687 			au_uwrite(au_to_path(fad->fad_aupath));
2688 		}
2689 		audit_attributes(fp->f_vnode);
2690 
2691 		releasef(fd);
2692 	}
2693 
2694 
2695 	au_uwrite(au_to_arg32(4, "pri", pri));
2696 	au_uwrite(au_to_arg32(5, "flags", flags));
2697 }
2698 
2699 /*ARGSUSED*/
2700 static void
2701 aus_getmsg(struct t_audit_data *tad)
2702 {
2703 	klwp_t *clwp = ttolwp(curthread);
2704 	uint32_t fd, pri;
2705 	struct file *fp;
2706 	struct f_audit_data *fad;
2707 
2708 	struct a {
2709 		long	fdes;
2710 		long	ctl;		/* struct strbuf * */
2711 		long	data;		/* struct strbuf * */
2712 		long	pri;
2713 	} *uap = (struct a *)clwp->lwp_ap;
2714 
2715 	fd  = (uint32_t)uap->fdes;
2716 	pri = (uint32_t)uap->pri;
2717 
2718 	au_uwrite(au_to_arg32(1, "fd", fd));
2719 
2720 	if ((fp = getf(fd)) != NULL) {
2721 		fad = F2A(fp);
2722 
2723 		/*
2724 		 * read operation on this object
2725 		 */
2726 		fad->fad_flags |= FAD_READ;
2727 
2728 		/* add path name to audit record */
2729 		if (fad->fad_aupath != NULL) {
2730 			au_uwrite(au_to_path(fad->fad_aupath));
2731 		}
2732 		audit_attributes(fp->f_vnode);
2733 
2734 		releasef(fd);
2735 	}
2736 
2737 	au_uwrite(au_to_arg32(4, "pri", pri));
2738 }
2739 
2740 /*ARGSUSED*/
2741 static void
2742 aus_getpmsg(struct t_audit_data *tad)
2743 {
2744 	klwp_t *clwp = ttolwp(curthread);
2745 	uint32_t fd;
2746 	struct file *fp;
2747 	struct f_audit_data *fad;
2748 
2749 	struct a {
2750 		long	fdes;
2751 		long	ctl;		/* struct strbuf * */
2752 		long	data;		/* struct strbuf * */
2753 		long	pri;
2754 		long	flags;
2755 	} *uap = (struct a *)clwp->lwp_ap;
2756 
2757 	fd = (uint32_t)uap->fdes;
2758 
2759 	au_uwrite(au_to_arg32(1, "fd", fd));
2760 
2761 	if ((fp = getf(fd)) != NULL) {
2762 		fad = F2A(fp);
2763 
2764 		/*
2765 		 * read operation on this object
2766 		 */
2767 		fad->fad_flags |= FAD_READ;
2768 
2769 		/* add path name to audit record */
2770 		if (fad->fad_aupath != NULL) {
2771 			au_uwrite(au_to_path(fad->fad_aupath));
2772 		}
2773 		audit_attributes(fp->f_vnode);
2774 
2775 		releasef(fd);
2776 	}
2777 }
2778 
2779 static au_event_t
2780 aui_labelsys(au_event_t e)
2781 {
2782 	klwp_t *clwp = ttolwp(curthread);
2783 	uint32_t code;
2784 	uint32_t cmd;
2785 
2786 	struct a {
2787 		long	code;
2788 		long	cmd;
2789 	} *uap = (struct a *)clwp->lwp_ap;
2790 
2791 	code = (uint32_t)uap->code;
2792 	cmd = (uint32_t)uap->cmd;
2793 
2794 	/* not security relevant if not changing kernel cache */
2795 	if (cmd == TNDB_GET)
2796 		return (AUE_NULL);
2797 
2798 	switch (code) {
2799 	case TSOL_TNRH:
2800 		e = AUE_LABELSYS_TNRH;
2801 		break;
2802 	case TSOL_TNRHTP:
2803 		e = AUE_LABELSYS_TNRHTP;
2804 		break;
2805 	case TSOL_TNMLP:
2806 		e = AUE_LABELSYS_TNMLP;
2807 		break;
2808 	default:
2809 		e = AUE_NULL;
2810 		break;
2811 	}
2812 
2813 	return (e);
2814 
2815 }
2816 
2817 static void
2818 aus_labelsys(struct t_audit_data *tad)
2819 {
2820 	klwp_t *clwp = ttolwp(curthread);
2821 	uint32_t cmd;
2822 	uintptr_t a2;
2823 
2824 	struct a {
2825 		long	code;
2826 		long	cmd;
2827 		long	a2;
2828 	} *uap = (struct a *)clwp->lwp_ap;
2829 
2830 	cmd = (uint32_t)uap->cmd;
2831 	a2 = (uintptr_t)uap->a2;
2832 
2833 	switch (tad->tad_event) {
2834 	case AUE_LABELSYS_TNRH:
2835 	{
2836 		tsol_rhent_t	*rhent;
2837 		tnaddr_t	*rh_addr;
2838 
2839 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2840 
2841 		/* Remaining args don't apply for FLUSH, so skip */
2842 		if (cmd == TNDB_FLUSH)
2843 			break;
2844 
2845 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2846 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2847 			kmem_free(rhent, sizeof (tsol_rhent_t));
2848 			return;
2849 		}
2850 
2851 		rh_addr = &rhent->rh_address;
2852 		if (rh_addr->ta_family == AF_INET) {
2853 			struct in_addr	*ipaddr;
2854 
2855 			ipaddr = &(rh_addr->ta_addr_v4);
2856 			au_uwrite(au_to_in_addr(ipaddr));
2857 		} else if (rh_addr->ta_family == AF_INET6) {
2858 			int32_t		*ipaddr;
2859 
2860 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2861 			au_uwrite(au_to_in_addr_ex(ipaddr));
2862 		}
2863 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2864 
2865 		kmem_free(rhent, sizeof (tsol_rhent_t));
2866 
2867 		break;
2868 	}
2869 	case AUE_LABELSYS_TNRHTP:
2870 	{
2871 		tsol_tpent_t	*tpent;
2872 
2873 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2874 
2875 		/* Remaining args don't apply for FLUSH, so skip */
2876 		if (cmd == TNDB_FLUSH)
2877 			break;
2878 
2879 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2880 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2881 			kmem_free(tpent, sizeof (tsol_tpent_t));
2882 			return;
2883 		}
2884 
2885 		/* Make sure that the template name is null-terminated. */
2886 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2887 
2888 		au_uwrite(au_to_text(tpent->name));
2889 		kmem_free(tpent, sizeof (tsol_tpent_t));
2890 
2891 		break;
2892 	}
2893 	case AUE_LABELSYS_TNMLP:
2894 	{
2895 		tsol_mlpent_t	*mlpent;
2896 
2897 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2898 
2899 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2900 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2901 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2902 			return;
2903 		}
2904 
2905 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2906 			au_uwrite(au_to_text("shared"));
2907 		} else {
2908 			zone_t	*zone;
2909 
2910 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2911 			if (zone != NULL) {
2912 				au_uwrite(au_to_text(zone->zone_name));
2913 				zone_rele(zone);
2914 			}
2915 		}
2916 
2917 		/* Remaining args don't apply for FLUSH, so skip */
2918 		if (cmd == TNDB_FLUSH) {
2919 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2920 			break;
2921 		}
2922 
2923 		au_uwrite(au_to_arg32(2, "proto num",
2924 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2925 		au_uwrite(au_to_arg32(2, "mlp_port",
2926 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2927 
2928 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2929 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2930 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2931 
2932 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2933 
2934 		break;
2935 	}
2936 	default:
2937 		break;
2938 	}
2939 }
2940 
2941 
2942 static au_event_t
2943 aui_auditsys(au_event_t e)
2944 {
2945 	klwp_t *clwp = ttolwp(curthread);
2946 	uint32_t code;
2947 
2948 	struct a {
2949 		long	code;
2950 		long	a1;
2951 		long	a2;
2952 		long	a3;
2953 		long	a4;
2954 		long	a5;
2955 		long	a6;
2956 		long	a7;
2957 	} *uap = (struct a *)clwp->lwp_ap;
2958 
2959 	code = (uint32_t)uap->code;
2960 
2961 	switch (code) {
2962 
2963 	case BSM_GETAUID:
2964 		e = AUE_GETAUID;
2965 		break;
2966 	case BSM_SETAUID:
2967 		e = AUE_SETAUID;
2968 		break;
2969 	case BSM_GETAUDIT:
2970 		e = AUE_GETAUDIT;
2971 		break;
2972 	case BSM_GETAUDIT_ADDR:
2973 		e = AUE_GETAUDIT_ADDR;
2974 		break;
2975 	case BSM_SETAUDIT:
2976 		e = AUE_SETAUDIT;
2977 		break;
2978 	case BSM_SETAUDIT_ADDR:
2979 		e = AUE_SETAUDIT_ADDR;
2980 		break;
2981 	case BSM_AUDIT:
2982 		e = AUE_AUDIT;
2983 		break;
2984 	case BSM_AUDITCTL:
2985 		switch ((uint_t)uap->a1) {
2986 
2987 		case A_GETPOLICY:
2988 			e = AUE_AUDITON_GPOLICY;
2989 			break;
2990 		case A_SETPOLICY:
2991 			e = AUE_AUDITON_SPOLICY;
2992 			break;
2993 		case A_GETAMASK:
2994 			e = AUE_AUDITON_GETAMASK;
2995 			break;
2996 		case A_SETAMASK:
2997 			e = AUE_AUDITON_SETAMASK;
2998 			break;
2999 		case A_GETKMASK:
3000 			e = AUE_AUDITON_GETKMASK;
3001 			break;
3002 		case A_SETKMASK:
3003 			e = AUE_AUDITON_SETKMASK;
3004 			break;
3005 		case A_GETQCTRL:
3006 			e = AUE_AUDITON_GQCTRL;
3007 			break;
3008 		case A_SETQCTRL:
3009 			e = AUE_AUDITON_SQCTRL;
3010 			break;
3011 		case A_GETCWD:
3012 			e = AUE_AUDITON_GETCWD;
3013 			break;
3014 		case A_GETCAR:
3015 			e = AUE_AUDITON_GETCAR;
3016 			break;
3017 		case A_GETSTAT:
3018 			e = AUE_AUDITON_GETSTAT;
3019 			break;
3020 		case A_SETSTAT:
3021 			e = AUE_AUDITON_SETSTAT;
3022 			break;
3023 		case A_SETUMASK:
3024 			e = AUE_AUDITON_SETUMASK;
3025 			break;
3026 		case A_SETSMASK:
3027 			e = AUE_AUDITON_SETSMASK;
3028 			break;
3029 		case A_GETCOND:
3030 			e = AUE_AUDITON_GETCOND;
3031 			break;
3032 		case A_SETCOND:
3033 			e = AUE_AUDITON_SETCOND;
3034 			break;
3035 		case A_GETCLASS:
3036 			e = AUE_AUDITON_GETCLASS;
3037 			break;
3038 		case A_SETCLASS:
3039 			e = AUE_AUDITON_SETCLASS;
3040 			break;
3041 		default:
3042 			e = AUE_NULL;
3043 			break;
3044 		}
3045 		break;
3046 	default:
3047 		e = AUE_NULL;
3048 		break;
3049 	}
3050 
3051 	return (e);
3052 
3053 }	/* AUI_AUDITSYS */
3054 
3055 
3056 static void
3057 aus_auditsys(struct t_audit_data *tad)
3058 {
3059 	klwp_t *clwp = ttolwp(curthread);
3060 	uintptr_t a1, a2;
3061 	STRUCT_DECL(auditinfo, ainfo);
3062 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
3063 	au_evclass_map_t event;
3064 	au_mask_t mask;
3065 	int auditstate, policy;
3066 	au_id_t auid;
3067 
3068 
3069 	struct a {
3070 		long	code;
3071 		long	a1;
3072 		long	a2;
3073 		long	a3;
3074 		long	a4;
3075 		long	a5;
3076 		long	a6;
3077 		long	a7;
3078 	} *uap = (struct a *)clwp->lwp_ap;
3079 
3080 	a1   = (uintptr_t)uap->a1;
3081 	a2   = (uintptr_t)uap->a2;
3082 
3083 	switch (tad->tad_event) {
3084 	case AUE_SETAUID:
3085 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3086 				return;
3087 		au_uwrite(au_to_arg32(2, "setauid", auid));
3088 		break;
3089 	case AUE_SETAUDIT:
3090 		STRUCT_INIT(ainfo, get_udatamodel());
3091 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3092 		    STRUCT_SIZE(ainfo))) {
3093 				return;
3094 		}
3095 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3096 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3097 #ifdef _LP64
3098 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
3099 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3100 #else
3101 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
3102 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3103 #endif
3104 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3105 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3106 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3107 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3108 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3109 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3110 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3111 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3112 		break;
3113 	case AUE_SETAUDIT_ADDR:
3114 		STRUCT_INIT(ainfo_addr, get_udatamodel());
3115 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3116 		    STRUCT_SIZE(ainfo_addr))) {
3117 				return;
3118 		}
3119 		au_uwrite(au_to_arg32((char)1, "auid",
3120 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3121 #ifdef _LP64
3122 		au_uwrite(au_to_arg64((char)1, "port",
3123 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3124 #else
3125 		au_uwrite(au_to_arg32((char)1, "port",
3126 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3127 #endif
3128 		au_uwrite(au_to_arg32((char)1, "type",
3129 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3130 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3131 		    AU_IPv4) {
3132 			au_uwrite(au_to_in_addr(
3133 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3134 			    ai_termid.at_addr)));
3135 		} else {
3136 			au_uwrite(au_to_in_addr_ex(
3137 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
3138 			    ai_termid.at_addr)));
3139 		}
3140 		au_uwrite(au_to_arg32((char)1, "as_success",
3141 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3142 		au_uwrite(au_to_arg32((char)1, "as_failure",
3143 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3144 		au_uwrite(au_to_arg32((char)1, "asid",
3145 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3146 		break;
3147 	case AUE_AUDITON_SETAMASK:
3148 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3149 				return;
3150 		au_uwrite(au_to_arg32(
3151 		    2, "setamask:as_success", (uint32_t)mask.as_success));
3152 		au_uwrite(au_to_arg32(
3153 		    2, "setamask:as_failure", (uint32_t)mask.as_failure));
3154 		break;
3155 	case AUE_AUDITON_SETKMASK:
3156 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3157 				return;
3158 		au_uwrite(au_to_arg32(
3159 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
3160 		au_uwrite(au_to_arg32(
3161 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3162 		break;
3163 	case AUE_AUDITON_SPOLICY:
3164 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
3165 			return;
3166 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3167 		break;
3168 	case AUE_AUDITON_SQCTRL: {
3169 		STRUCT_DECL(au_qctrl, qctrl);
3170 		model_t model;
3171 
3172 		model = get_udatamodel();
3173 		STRUCT_INIT(qctrl, model);
3174 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3175 				return;
3176 		if (model == DATAMODEL_ILP32) {
3177 			au_uwrite(au_to_arg32(
3178 			    3, "setqctrl:aq_hiwater",
3179 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3180 			au_uwrite(au_to_arg32(
3181 			    3, "setqctrl:aq_lowater",
3182 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3183 			au_uwrite(au_to_arg32(
3184 			    3, "setqctrl:aq_bufsz",
3185 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3186 			au_uwrite(au_to_arg32(
3187 			    3, "setqctrl:aq_delay",
3188 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3189 		} else {
3190 			au_uwrite(au_to_arg64(
3191 			    3, "setqctrl:aq_hiwater",
3192 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3193 			au_uwrite(au_to_arg64(
3194 			    3, "setqctrl:aq_lowater",
3195 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3196 			au_uwrite(au_to_arg64(
3197 			    3, "setqctrl:aq_bufsz",
3198 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3199 			au_uwrite(au_to_arg64(
3200 			    3, "setqctrl:aq_delay",
3201 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3202 		}
3203 		break;
3204 	}
3205 	case AUE_AUDITON_SETUMASK:
3206 		STRUCT_INIT(ainfo, get_udatamodel());
3207 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3208 		    STRUCT_SIZE(ainfo))) {
3209 			return;
3210 		}
3211 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3212 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3213 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3214 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3215 		break;
3216 	case AUE_AUDITON_SETSMASK:
3217 		STRUCT_INIT(ainfo, get_udatamodel());
3218 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3219 		    STRUCT_SIZE(ainfo))) {
3220 			return;
3221 		}
3222 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3223 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3224 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3225 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3226 		break;
3227 	case AUE_AUDITON_SETCOND:
3228 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3229 			return;
3230 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3231 		break;
3232 	case AUE_AUDITON_SETCLASS:
3233 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3234 			return;
3235 		au_uwrite(au_to_arg32(
3236 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3237 		au_uwrite(au_to_arg32(
3238 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3239 		break;
3240 	case AUE_GETAUID:
3241 	case AUE_GETAUDIT:
3242 	case AUE_GETAUDIT_ADDR:
3243 	case AUE_AUDIT:
3244 	case AUE_AUDITON_GPOLICY:
3245 	case AUE_AUDITON_GQCTRL:
3246 	case AUE_AUDITON_GETAMASK:
3247 	case AUE_AUDITON_GETKMASK:
3248 	case AUE_AUDITON_GETCWD:
3249 	case AUE_AUDITON_GETCAR:
3250 	case AUE_AUDITON_GETSTAT:
3251 	case AUE_AUDITON_SETSTAT:
3252 	case AUE_AUDITON_GETCOND:
3253 	case AUE_AUDITON_GETCLASS:
3254 		break;
3255 	default:
3256 		break;
3257 	}
3258 
3259 }	/* AUS_AUDITSYS */
3260 
3261 
3262 /* only audit privileged operations for systeminfo(2) system call */
3263 static au_event_t
3264 aui_sysinfo(au_event_t e)
3265 {
3266 	klwp_t *clwp = ttolwp(curthread);
3267 	uint32_t command;
3268 
3269 	struct a {
3270 		long	command;
3271 		long	buf;		/* char * */
3272 		long	count;
3273 	} *uap = (struct a *)clwp->lwp_ap;
3274 
3275 	command = (uint32_t)uap->command;
3276 
3277 	switch (command) {
3278 	case SI_SET_HOSTNAME:
3279 	case SI_SET_SRPC_DOMAIN:
3280 		e = (au_event_t)AUE_SYSINFO;
3281 		break;
3282 	default:
3283 		e = (au_event_t)AUE_NULL;
3284 		break;
3285 	}
3286 	return (e);
3287 }
3288 
3289 /*ARGSUSED*/
3290 static void
3291 aus_sysinfo(struct t_audit_data *tad)
3292 {
3293 	klwp_t *clwp = ttolwp(curthread);
3294 	uint32_t command;
3295 	size_t len, maxlen;
3296 	char *name;
3297 	uintptr_t buf;
3298 
3299 	struct a {
3300 		long	command;
3301 		long	buf;		/* char * */
3302 		long	count;
3303 	} *uap = (struct a *)clwp->lwp_ap;
3304 
3305 	command = (uint32_t)uap->command;
3306 	buf = (uintptr_t)uap->buf;
3307 
3308 	au_uwrite(au_to_arg32(1, "cmd", command));
3309 
3310 	switch (command) {
3311 	case SI_SET_HOSTNAME:
3312 	{
3313 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3314 			return;
3315 
3316 		maxlen = SYS_NMLN;
3317 		name = kmem_alloc(maxlen, KM_SLEEP);
3318 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3319 			break;
3320 
3321 		/*
3322 		 * Must be non-NULL string and string
3323 		 * must be less than SYS_NMLN chars.
3324 		 */
3325 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3326 			break;
3327 
3328 		au_uwrite(au_to_text(name));
3329 		break;
3330 	}
3331 
3332 	case SI_SET_SRPC_DOMAIN:
3333 	{
3334 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3335 			return;
3336 
3337 		maxlen = SYS_NMLN;
3338 		name = kmem_alloc(maxlen, KM_SLEEP);
3339 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3340 			break;
3341 
3342 		/*
3343 		 * If string passed in is longer than length
3344 		 * allowed for domain name, fail.
3345 		 */
3346 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3347 			break;
3348 
3349 		au_uwrite(au_to_text(name));
3350 		break;
3351 	}
3352 
3353 	default:
3354 		return;
3355 	}
3356 
3357 	kmem_free(name, maxlen);
3358 }
3359 
3360 static au_event_t
3361 aui_modctl(au_event_t e)
3362 {
3363 	klwp_t *clwp = ttolwp(curthread);
3364 	uint_t cmd;
3365 
3366 	struct a {
3367 		long	cmd;
3368 	} *uap = (struct a *)clwp->lwp_ap;
3369 
3370 	cmd = (uint_t)uap->cmd;
3371 
3372 	switch (cmd) {
3373 	case MODLOAD:
3374 		e = AUE_MODLOAD;
3375 		break;
3376 	case MODUNLOAD:
3377 		e = AUE_MODUNLOAD;
3378 		break;
3379 	case MODADDMAJBIND:
3380 		e = AUE_MODADDMAJ;
3381 		break;
3382 	case MODSETDEVPOLICY:
3383 		e = AUE_MODDEVPLCY;
3384 		break;
3385 	case MODALLOCPRIV:
3386 		e = AUE_MODADDPRIV;
3387 		break;
3388 	default:
3389 		e = AUE_NULL;
3390 		break;
3391 	}
3392 	return (e);
3393 }
3394 
3395 
3396 /*ARGSUSED*/
3397 static void
3398 aus_modctl(struct t_audit_data *tad)
3399 {
3400 	klwp_t *clwp = ttolwp(curthread);
3401 	void *a	= clwp->lwp_ap;
3402 	uint_t use_path;
3403 
3404 	switch (tad->tad_event) {
3405 	case AUE_MODLOAD: {
3406 		typedef struct {
3407 			long	cmd;
3408 			long	use_path;
3409 			long	filename;		/* char * */
3410 		} modloada_t;
3411 
3412 		char *filenamep;
3413 		uintptr_t fname;
3414 		extern char *default_path;
3415 
3416 		fname = (uintptr_t)((modloada_t *)a)->filename;
3417 		use_path = (uint_t)((modloada_t *)a)->use_path;
3418 
3419 			/* space to hold path */
3420 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3421 			/* get string */
3422 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3423 				/* free allocated path */
3424 			kmem_free(filenamep, MOD_MAXPATH);
3425 			return;
3426 		}
3427 			/* ensure it's null terminated */
3428 		filenamep[MOD_MAXPATH - 1] = 0;
3429 
3430 		if (use_path)
3431 			au_uwrite(au_to_text(default_path));
3432 		au_uwrite(au_to_text(filenamep));
3433 
3434 			/* release temporary memory */
3435 		kmem_free(filenamep, MOD_MAXPATH);
3436 		break;
3437 	}
3438 	case AUE_MODUNLOAD: {
3439 		typedef struct {
3440 			long	cmd;
3441 			long	id;
3442 		} modunloada_t;
3443 
3444 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3445 
3446 		au_uwrite(au_to_arg32(1, "id", id));
3447 		break;
3448 	}
3449 	case AUE_MODADDMAJ: {
3450 		STRUCT_DECL(modconfig, mc);
3451 		typedef struct {
3452 			long	cmd;
3453 			long	subcmd;
3454 			long	data;		/* int * */
3455 		} modconfiga_t;
3456 
3457 		STRUCT_DECL(aliases, alias);
3458 		caddr_t ap;
3459 		int i, num_aliases;
3460 		char *drvname, *mc_drvname;
3461 		char *name;
3462 		extern char *ddi_major_to_name(major_t);
3463 		model_t model;
3464 
3465 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3466 
3467 		model = get_udatamodel();
3468 		STRUCT_INIT(mc, model);
3469 			/* sanitize buffer */
3470 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3471 			/* get user arguments */
3472 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3473 		    STRUCT_SIZE(mc)) != 0)
3474 			return;
3475 
3476 		mc_drvname = STRUCT_FGET(mc, drvname);
3477 		if ((drvname = ddi_major_to_name(
3478 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3479 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3480 				/* safety */
3481 			if (mc_drvname[0] != '\0') {
3482 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3483 				au_uwrite(au_to_text(mc_drvname));
3484 			}
3485 				/* drvname != NULL from test above */
3486 			au_uwrite(au_to_text(drvname));
3487 			return;
3488 		}
3489 
3490 		if (mc_drvname[0] != '\0') {
3491 				/* safety */
3492 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3493 			au_uwrite(au_to_text(mc_drvname));
3494 		} else
3495 			au_uwrite(au_to_text("no drvname"));
3496 
3497 		num_aliases = STRUCT_FGET(mc, num_aliases);
3498 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3499 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3500 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3501 		STRUCT_INIT(alias, model);
3502 		for (i = 0; i < num_aliases; i++) {
3503 			bzero((caddr_t)STRUCT_BUF(alias),
3504 			    STRUCT_SIZE(alias));
3505 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3506 			    STRUCT_SIZE(alias)) != 0)
3507 				break;
3508 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3509 			    MAXMODCONFNAME, NULL) != 0) {
3510 				break;
3511 			}
3512 
3513 			au_uwrite(au_to_text(name));
3514 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3515 		}
3516 		kmem_free(name, MAXMODCONFNAME);
3517 		break;
3518 	}
3519 	default:
3520 		break;
3521 	}
3522 }
3523 
3524 
3525 /*ARGSUSED*/
3526 static void
3527 auf_accept(
3528 	struct t_audit_data *tad,
3529 	int	error,
3530 	rval_t	*rval)
3531 {
3532 	uint32_t scid;
3533 	uint32_t sy_flags;
3534 	int fd;
3535 	struct sonode *so;
3536 	char so_laddr[sizeof (struct sockaddr_in6)];
3537 	char so_faddr[sizeof (struct sockaddr_in6)];
3538 	int err;
3539 	short so_family, so_type;
3540 	int add_sock_token = 0;
3541 
3542 	/* need to determine type of executing binary */
3543 	scid = tad->tad_scid;
3544 #ifdef _SYSCALL32_IMPL
3545 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3546 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3547 	else
3548 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3549 #else
3550 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3551 #endif
3552 	if (sy_flags == SE_32RVAL1)
3553 		fd = rval->r_val1;
3554 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3555 		fd = rval->r_val1;
3556 	if (sy_flags == SE_64RVAL)
3557 		fd = (int)rval->r_vals;
3558 
3559 	if (error) {
3560 		/* can't trust socket contents. Just return */
3561 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3562 		return;
3563 	}
3564 
3565 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3566 		/*
3567 		 * not security relevant if doing a accept from non socket
3568 		 * so no extra tokens. Should probably turn off audit record
3569 		 * generation here.
3570 		 */
3571 		return;
3572 	}
3573 
3574 	so_family = so->so_family;
3575 	so_type   = so->so_type;
3576 
3577 	switch (so_family) {
3578 	case AF_INET:
3579 	case AF_INET6:
3580 		/*
3581 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3582 		 */
3583 		if (so->so_type == SOCK_STREAM) {
3584 			socklen_t len;
3585 
3586 			bzero((void *)so_laddr, sizeof (so_laddr));
3587 			bzero((void *)so_faddr, sizeof (so_faddr));
3588 
3589 			len = sizeof (so_laddr);
3590 			(void) socket_getsockname(so,
3591 			    (struct sockaddr *)so_laddr, &len, CRED());
3592 			len = sizeof (so_faddr);
3593 			(void) socket_getpeername(so,
3594 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3595 
3596 			add_sock_token = 1;
3597 		}
3598 		break;
3599 
3600 	default:
3601 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3602 		break;
3603 	}
3604 
3605 	releasef(fd);
3606 
3607 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3608 
3609 	if (add_sock_token == 0) {
3610 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3611 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3612 		return;
3613 	}
3614 
3615 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3616 
3617 }
3618 
3619 /*ARGSUSED*/
3620 static void
3621 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3622 {
3623 	struct a {
3624 		long	fd;
3625 		long	addr;
3626 		long	len;
3627 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3628 
3629 	struct sonode *so;
3630 	char so_laddr[sizeof (struct sockaddr_in6)];
3631 	char so_faddr[sizeof (struct sockaddr_in6)];
3632 	int err, fd;
3633 	socklen_t len;
3634 	short so_family, so_type;
3635 	int add_sock_token = 0;
3636 
3637 	fd = (int)uap->fd;
3638 
3639 	/*
3640 	 * bind failed, then nothing extra to add to audit record.
3641 	 */
3642 	if (error) {
3643 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3644 		/* XXX may want to add failed address some day */
3645 		return;
3646 	}
3647 
3648 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3649 		/*
3650 		 * not security relevant if doing a bind from non socket
3651 		 * so no extra tokens. Should probably turn off audit record
3652 		 * generation here.
3653 		 */
3654 		return;
3655 	}
3656 
3657 	so_family = so->so_family;
3658 	so_type   = so->so_type;
3659 
3660 	switch (so_family) {
3661 	case AF_INET:
3662 	case AF_INET6:
3663 
3664 		bzero(so_faddr, sizeof (so_faddr));
3665 		len = sizeof (so_faddr);
3666 
3667 		(void) socket_getpeername(so,
3668 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3669 		add_sock_token = 1;
3670 
3671 		break;
3672 
3673 	case AF_UNIX:
3674 		/* token added by lookup */
3675 		break;
3676 	default:
3677 		/* AF_ROUTE, AF_KEY do not support accept */
3678 		break;
3679 	}
3680 
3681 	releasef(fd);
3682 
3683 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3684 
3685 	if (add_sock_token == 0) {
3686 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3687 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3688 		return;
3689 	}
3690 
3691 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3692 
3693 }
3694 
3695 /*ARGSUSED*/
3696 static void
3697 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3698 {
3699 	struct a {
3700 		long	fd;
3701 		long	addr;
3702 		long	len;
3703 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3704 
3705 	struct sonode *so;
3706 	char so_laddr[sizeof (struct sockaddr_in6)];
3707 	char so_faddr[sizeof (struct sockaddr_in6)];
3708 	int err, fd;
3709 	socklen_t len;
3710 	short so_family, so_type;
3711 	int add_sock_token = 0;
3712 
3713 	fd = (int)uap->fd;
3714 
3715 
3716 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3717 		/*
3718 		 * not security relevant if doing a connect from non socket
3719 		 * so no extra tokens. Should probably turn off audit record
3720 		 * generation here.
3721 		 */
3722 		return;
3723 	}
3724 
3725 	so_family = so->so_family;
3726 	so_type   = so->so_type;
3727 
3728 	switch (so_family) {
3729 	case AF_INET:
3730 	case AF_INET6:
3731 
3732 		bzero(so_laddr, sizeof (so_laddr));
3733 		bzero(so_faddr, sizeof (so_faddr));
3734 
3735 		len = sizeof (so_laddr);
3736 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3737 		    &len, CRED());
3738 		if (error) {
3739 			if (uap->addr == NULL)
3740 				break;
3741 			if (uap->len <= 0)
3742 				break;
3743 			len = min(uap->len, sizeof (so_faddr));
3744 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3745 				break;
3746 #ifdef NOTYET
3747 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3748 #endif
3749 		} else {
3750 			/* sanity check on length */
3751 			len = sizeof (so_faddr);
3752 			(void) socket_getpeername(so,
3753 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3754 		}
3755 
3756 		add_sock_token = 1;
3757 
3758 		break;
3759 
3760 	case AF_UNIX:
3761 		/* does a lookup on name */
3762 		break;
3763 
3764 	default:
3765 		/* AF_ROUTE, AF_KEY do not support accept */
3766 		break;
3767 	}
3768 
3769 	releasef(fd);
3770 
3771 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3772 
3773 	if (add_sock_token == 0) {
3774 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3775 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3776 		return;
3777 	}
3778 
3779 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3780 
3781 }
3782 
3783 /*ARGSUSED*/
3784 static void
3785 aus_shutdown(struct t_audit_data *tad)
3786 {
3787 	struct a {
3788 		long	fd;
3789 		long	how;
3790 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3791 
3792 	struct sonode *so;
3793 	char so_laddr[sizeof (struct sockaddr_in6)];
3794 	char so_faddr[sizeof (struct sockaddr_in6)];
3795 	int err, fd;
3796 	socklen_t len;
3797 	short so_family, so_type;
3798 	int add_sock_token = 0;
3799 	file_t *fp;				/* unix domain sockets */
3800 	struct f_audit_data *fad;		/* unix domain sockets */
3801 
3802 	fd = (int)uap->fd;
3803 
3804 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3805 		/*
3806 		 * not security relevant if doing a shutdown using non socket
3807 		 * so no extra tokens. Should probably turn off audit record
3808 		 * generation here.
3809 		 */
3810 		return;
3811 	}
3812 
3813 	so_family = so->so_family;
3814 	so_type   = so->so_type;
3815 
3816 	switch (so_family) {
3817 	case AF_INET:
3818 	case AF_INET6:
3819 
3820 		bzero(so_laddr, sizeof (so_laddr));
3821 		bzero(so_faddr, sizeof (so_faddr));
3822 
3823 		len = sizeof (so_laddr);
3824 		(void) socket_getsockname(so,
3825 		    (struct sockaddr *)so_laddr, &len, CRED());
3826 		len = sizeof (so_faddr);
3827 		(void) socket_getpeername(so,
3828 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3829 
3830 		add_sock_token = 1;
3831 
3832 		break;
3833 
3834 	case AF_UNIX:
3835 
3836 		/* get path from file struct here */
3837 		fad = F2A(fp);
3838 		ASSERT(fad);
3839 
3840 		if (fad->fad_aupath != NULL) {
3841 			au_uwrite(au_to_path(fad->fad_aupath));
3842 		} else {
3843 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3844 		}
3845 
3846 		audit_attributes(fp->f_vnode);
3847 
3848 		break;
3849 
3850 	default:
3851 		/*
3852 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3853 		 * added.
3854 		 */
3855 		break;
3856 	}
3857 
3858 	releasef(fd);
3859 
3860 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3861 
3862 	if (add_sock_token == 0) {
3863 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3864 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3865 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3866 		return;
3867 	}
3868 
3869 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3870 
3871 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3872 
3873 }
3874 
3875 /*ARGSUSED*/
3876 static void
3877 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3878 {
3879 	struct a {
3880 		long	fd;
3881 		long	level;
3882 		long	optname;
3883 		long	*optval;
3884 		long	optlen;
3885 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3886 
3887 	struct sonode	*so;
3888 	char so_laddr[sizeof (struct sockaddr_in6)];
3889 	char so_faddr[sizeof (struct sockaddr_in6)];
3890 	char		val[AU_BUFSIZE];
3891 	int		err, fd;
3892 	socklen_t	len;
3893 	short so_family, so_type;
3894 	int		add_sock_token = 0;
3895 	file_t *fp;				/* unix domain sockets */
3896 	struct f_audit_data *fad;		/* unix domain sockets */
3897 
3898 	fd = (int)uap->fd;
3899 
3900 	if (error) {
3901 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3902 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3903 		/* XXX may want to include other arguments */
3904 		return;
3905 	}
3906 
3907 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3908 		/*
3909 		 * not security relevant if doing a setsockopt from non socket
3910 		 * so no extra tokens. Should probably turn off audit record
3911 		 * generation here.
3912 		 */
3913 		return;
3914 	}
3915 
3916 	so_family = so->so_family;
3917 	so_type   = so->so_type;
3918 
3919 	switch (so_family) {
3920 	case AF_INET:
3921 	case AF_INET6:
3922 		bzero((void *)so_laddr, sizeof (so_laddr));
3923 		bzero((void *)so_faddr, sizeof (so_faddr));
3924 
3925 		/* get local and foreign addresses */
3926 		len = sizeof (so_laddr);
3927 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3928 		    &len, CRED());
3929 		len = sizeof (so_faddr);
3930 		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3931 		    &len, B_FALSE, CRED());
3932 
3933 		add_sock_token = 1;
3934 
3935 		break;
3936 
3937 	case AF_UNIX:
3938 
3939 		/* get path from file struct here */
3940 		fad = F2A(fp);
3941 		ASSERT(fad);
3942 
3943 		if (fad->fad_aupath != NULL) {
3944 			au_uwrite(au_to_path(fad->fad_aupath));
3945 		} else {
3946 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3947 		}
3948 
3949 		audit_attributes(fp->f_vnode);
3950 
3951 		break;
3952 
3953 	default:
3954 		/*
3955 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3956 		 * added.
3957 		 */
3958 		break;
3959 	}
3960 
3961 	releasef(fd);
3962 
3963 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3964 
3965 	if (add_sock_token == 0) {
3966 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3967 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3968 	}
3969 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3970 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3971 
3972 	bzero(val, sizeof (val));
3973 	len = min(uap->optlen, sizeof (val));
3974 	if ((len > 0) &&
3975 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3976 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3977 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3978 	}
3979 
3980 	if (add_sock_token == 0)
3981 		return;
3982 
3983 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3984 
3985 }
3986 
3987 /*ARGSUSED*/
3988 static void
3989 aus_sockconfig(tad)
3990 	struct t_audit_data *tad;
3991 {
3992 	struct a {
3993 		long	cmd;
3994 		long	arg1;
3995 		long	arg2;
3996 		long	arg3;
3997 		long	arg4;
3998 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3999 
4000 	char	*buf;
4001 	int	buflen;
4002 	size_t	size;
4003 
4004 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4005 	switch (uap->cmd) {
4006 	case SOCKCONFIG_ADD_SOCK:
4007 	case SOCKCONFIG_REMOVE_SOCK:
4008 		au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4009 		au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4010 		au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4011 
4012 		if (uap->arg4 == 0) {
4013 			au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4014 		} else {
4015 			buflen = MAXPATHLEN + 1;
4016 			buf = kmem_alloc(buflen, KM_SLEEP);
4017 			if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4018 			    &size)) {
4019 				kmem_free(buf, buflen);
4020 				return;
4021 			}
4022 
4023 			if (size > MAXPATHLEN) {
4024 				kmem_free(buf, buflen);
4025 				return;
4026 			}
4027 
4028 			au_uwrite(au_to_text(buf));
4029 			kmem_free(buf, buflen);
4030 		}
4031 		break;
4032 	case SOCKCONFIG_ADD_FILTER:
4033 	case SOCKCONFIG_REMOVE_FILTER:
4034 		buflen = FILNAME_MAX;
4035 		buf = kmem_alloc(buflen, KM_SLEEP);
4036 
4037 		if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4038 			kmem_free(buf, buflen);
4039 			return;
4040 		}
4041 
4042 		au_uwrite(au_to_text(buf));
4043 		kmem_free(buf, buflen);
4044 		break;
4045 	default:
4046 		break;
4047 	}
4048 }
4049 
4050 /*
4051  * only audit recvmsg when the system call represents the creation of a new
4052  * circuit. This effectively occurs for all UDP packets and may occur for
4053  * special TCP situations where the local host has not set a local address
4054  * in the socket structure.
4055  */
4056 /*ARGSUSED*/
4057 static void
4058 auf_recvmsg(
4059 	struct t_audit_data *tad,
4060 	int error,
4061 	rval_t *rvp)
4062 {
4063 	struct a {
4064 		long	fd;
4065 		long	msg;	/* struct msghdr */
4066 		long	flags;
4067 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4068 
4069 	struct sonode	*so;
4070 	STRUCT_DECL(msghdr, msg);
4071 	caddr_t msg_name;
4072 	socklen_t msg_namelen;
4073 	int fd;
4074 	int err;
4075 	char so_laddr[sizeof (struct sockaddr_in6)];
4076 	char so_faddr[sizeof (struct sockaddr_in6)];
4077 	socklen_t len;
4078 	file_t *fp;				/* unix domain sockets */
4079 	struct f_audit_data *fad;		/* unix domain sockets */
4080 	short so_family, so_type;
4081 	int add_sock_token = 0;
4082 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4083 
4084 	fd = (int)uap->fd;
4085 
4086 	/* bail if an error */
4087 	if (error) {
4088 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4089 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4090 		return;
4091 	}
4092 
4093 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4094 		/*
4095 		 * not security relevant if doing a recvmsg from non socket
4096 		 * so no extra tokens. Should probably turn off audit record
4097 		 * generation here.
4098 		 */
4099 		return;
4100 	}
4101 
4102 	so_family = so->so_family;
4103 	so_type   = so->so_type;
4104 
4105 	/*
4106 	 * only putout SOCKET_EX token if INET/INET6 family.
4107 	 * XXX - what do we do about other families?
4108 	 */
4109 
4110 	switch (so_family) {
4111 	case AF_INET:
4112 	case AF_INET6:
4113 
4114 		/*
4115 		 * if datagram type socket, then just use what is in
4116 		 * socket structure for local address.
4117 		 * XXX - what do we do for other types?
4118 		 */
4119 		if ((so->so_type == SOCK_DGRAM) ||
4120 		    (so->so_type == SOCK_RAW)) {
4121 			add_sock_token = 1;
4122 
4123 			bzero((void *)so_laddr, sizeof (so_laddr));
4124 			bzero((void *)so_faddr, sizeof (so_faddr));
4125 
4126 			/* get local address */
4127 			len = sizeof (so_laddr);
4128 			(void) socket_getsockname(so,
4129 			    (struct sockaddr *)so_laddr, &len, CRED());
4130 
4131 			/* get peer address */
4132 			STRUCT_INIT(msg, get_udatamodel());
4133 
4134 			if (copyin((caddr_t)(uap->msg),
4135 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4136 				break;
4137 			}
4138 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4139 			if (msg_name == NULL) {
4140 				break;
4141 			}
4142 
4143 			/* length is value from recvmsg - sanity check */
4144 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4145 			if (msg_namelen == 0) {
4146 				break;
4147 			}
4148 			if (copyin(msg_name, so_faddr,
4149 			    sizeof (so_faddr)) != 0) {
4150 				break;
4151 			}
4152 
4153 		} else if (so->so_type == SOCK_STREAM) {
4154 
4155 			/* get path from file struct here */
4156 			fad = F2A(fp);
4157 			ASSERT(fad);
4158 
4159 			/*
4160 			 * already processed this file for read attempt
4161 			 */
4162 			if (fad->fad_flags & FAD_READ) {
4163 				/* don't want to audit every recvmsg attempt */
4164 				tad->tad_flag = 0;
4165 				/* free any residual audit data */
4166 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4167 				releasef(fd);
4168 				return;
4169 			}
4170 			/*
4171 			 * mark things so we know what happened and don't
4172 			 * repeat things
4173 			 */
4174 			fad->fad_flags |= FAD_READ;
4175 
4176 			bzero((void *)so_laddr, sizeof (so_laddr));
4177 			bzero((void *)so_faddr, sizeof (so_faddr));
4178 
4179 			/* get local and foreign addresses */
4180 			len = sizeof (so_laddr);
4181 			(void) socket_getsockname(so,
4182 			    (struct sockaddr *)so_laddr, &len, CRED());
4183 			len = sizeof (so_faddr);
4184 			(void) socket_getpeername(so,
4185 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4186 
4187 			add_sock_token = 1;
4188 		}
4189 
4190 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4191 
4192 		break;
4193 
4194 	case AF_UNIX:
4195 		/*
4196 		 * first check if this is first time through. Too much
4197 		 * duplicate code to put this in an aui_ routine.
4198 		 */
4199 
4200 		/* get path from file struct here */
4201 		fad = F2A(fp);
4202 		ASSERT(fad);
4203 
4204 		/*
4205 		 * already processed this file for read attempt
4206 		 */
4207 		if (fad->fad_flags & FAD_READ) {
4208 			releasef(fd);
4209 			/* don't want to audit every recvmsg attempt */
4210 			tad->tad_flag = 0;
4211 			/* free any residual audit data */
4212 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4213 			return;
4214 		}
4215 		/*
4216 		 * mark things so we know what happened and don't
4217 		 * repeat things
4218 		 */
4219 		fad->fad_flags |= FAD_READ;
4220 
4221 		if (fad->fad_aupath != NULL) {
4222 			au_uwrite(au_to_path(fad->fad_aupath));
4223 		} else {
4224 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4225 		}
4226 
4227 		audit_attributes(fp->f_vnode);
4228 
4229 		releasef(fd);
4230 
4231 		return;
4232 
4233 	default:
4234 		break;
4235 
4236 	}
4237 
4238 	releasef(fd);
4239 
4240 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4241 
4242 	if (add_sock_token == 0) {
4243 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4244 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4245 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4246 		return;
4247 	}
4248 
4249 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4250 
4251 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4252 
4253 }
4254 
4255 /*ARGSUSED*/
4256 static void
4257 auf_recvfrom(
4258 	struct t_audit_data *tad,
4259 	int error,
4260 	rval_t *rvp)
4261 {
4262 
4263 	struct a {
4264 		long	fd;
4265 		long	msg;	/* char */
4266 		long	len;
4267 		long	flags;
4268 		long	from;	/* struct sockaddr */
4269 		long	fromlen;
4270 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4271 
4272 	socklen_t	fromlen;
4273 	struct sonode	*so;
4274 	char so_laddr[sizeof (struct sockaddr_in6)];
4275 	char so_faddr[sizeof (struct sockaddr_in6)];
4276 	int		fd;
4277 	short so_family, so_type;
4278 	int add_sock_token = 0;
4279 	socklen_t len;
4280 	int err;
4281 	struct file *fp;
4282 	struct f_audit_data *fad;		/* unix domain sockets */
4283 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4284 
4285 	fd = (int)uap->fd;
4286 
4287 	/* bail if an error */
4288 	if (error) {
4289 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4290 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4291 		return;
4292 	}
4293 
4294 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4295 		/*
4296 		 * not security relevant if doing a recvmsg from non socket
4297 		 * so no extra tokens. Should probably turn off audit record
4298 		 * generation here.
4299 		 */
4300 		return;
4301 	}
4302 
4303 	so_family = so->so_family;
4304 	so_type   = so->so_type;
4305 
4306 	/*
4307 	 * only putout SOCKET_EX token if INET/INET6 family.
4308 	 * XXX - what do we do about other families?
4309 	 */
4310 
4311 	switch (so_family) {
4312 	case AF_INET:
4313 	case AF_INET6:
4314 
4315 		/*
4316 		 * if datagram type socket, then just use what is in
4317 		 * socket structure for local address.
4318 		 * XXX - what do we do for other types?
4319 		 */
4320 		if ((so->so_type == SOCK_DGRAM) ||
4321 		    (so->so_type == SOCK_RAW)) {
4322 			add_sock_token = 1;
4323 
4324 			/* get local address */
4325 			len = sizeof (so_laddr);
4326 			(void) socket_getsockname(so,
4327 			    (struct sockaddr *)so_laddr, &len, CRED());
4328 
4329 			/* get peer address */
4330 			bzero((void *)so_faddr, sizeof (so_faddr));
4331 
4332 			/* sanity check */
4333 			if (uap->from == NULL)
4334 				break;
4335 
4336 			/* sanity checks */
4337 			if (uap->fromlen == 0)
4338 				break;
4339 
4340 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4341 			    sizeof (fromlen)) != 0)
4342 				break;
4343 
4344 			if (fromlen == 0)
4345 				break;
4346 
4347 			/* enforce maximum size */
4348 			if (fromlen > sizeof (so_faddr))
4349 				fromlen = sizeof (so_faddr);
4350 
4351 			if (copyin((caddr_t)(uap->from), so_faddr,
4352 			    fromlen) != 0)
4353 				break;
4354 
4355 		} else if (so->so_type == SOCK_STREAM) {
4356 
4357 			/* get path from file struct here */
4358 			fad = F2A(fp);
4359 			ASSERT(fad);
4360 
4361 			/*
4362 			 * already processed this file for read attempt
4363 			 */
4364 			if (fad->fad_flags & FAD_READ) {
4365 				/* don't want to audit every recvfrom attempt */
4366 				tad->tad_flag = 0;
4367 				/* free any residual audit data */
4368 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4369 				releasef(fd);
4370 				return;
4371 			}
4372 			/*
4373 			 * mark things so we know what happened and don't
4374 			 * repeat things
4375 			 */
4376 			fad->fad_flags |= FAD_READ;
4377 
4378 			bzero((void *)so_laddr, sizeof (so_laddr));
4379 			bzero((void *)so_faddr, sizeof (so_faddr));
4380 
4381 			/* get local and foreign addresses */
4382 			len = sizeof (so_laddr);
4383 			(void) socket_getsockname(so,
4384 			    (struct sockaddr *)so_laddr, &len, CRED());
4385 			len = sizeof (so_faddr);
4386 			(void) socket_getpeername(so,
4387 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4388 
4389 			add_sock_token = 1;
4390 		}
4391 
4392 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4393 
4394 		break;
4395 
4396 	case AF_UNIX:
4397 		/*
4398 		 * first check if this is first time through. Too much
4399 		 * duplicate code to put this in an aui_ routine.
4400 		 */
4401 
4402 		/* get path from file struct here */
4403 		fad = F2A(fp);
4404 		ASSERT(fad);
4405 
4406 		/*
4407 		 * already processed this file for read attempt
4408 		 */
4409 		if (fad->fad_flags & FAD_READ) {
4410 			/* don't want to audit every recvfrom attempt */
4411 			tad->tad_flag = 0;
4412 			/* free any residual audit data */
4413 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4414 			releasef(fd);
4415 			return;
4416 		}
4417 		/*
4418 		 * mark things so we know what happened and don't
4419 		 * repeat things
4420 		 */
4421 		fad->fad_flags |= FAD_READ;
4422 
4423 		if (fad->fad_aupath != NULL) {
4424 			au_uwrite(au_to_path(fad->fad_aupath));
4425 		} else {
4426 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4427 		}
4428 
4429 		audit_attributes(fp->f_vnode);
4430 
4431 		releasef(fd);
4432 
4433 		return;
4434 
4435 	default:
4436 		break;
4437 
4438 	}
4439 
4440 	releasef(fd);
4441 
4442 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4443 
4444 	if (add_sock_token == 0) {
4445 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4446 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4447 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4448 		return;
4449 	}
4450 
4451 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4452 
4453 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4454 }
4455 
4456 /*ARGSUSED*/
4457 static void
4458 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4459 {
4460 	struct a {
4461 		long	fd;
4462 		long	msg;	/* struct msghdr */
4463 		long	flags;
4464 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4465 
4466 	struct sonode	*so;
4467 	char so_laddr[sizeof (struct sockaddr_in6)];
4468 	char so_faddr[sizeof (struct sockaddr_in6)];
4469 	int		err;
4470 	int		fd;
4471 	short so_family, so_type;
4472 	int		add_sock_token = 0;
4473 	socklen_t	len;
4474 	struct file	*fp;
4475 	struct f_audit_data *fad;
4476 	caddr_t		msg_name;
4477 	socklen_t	msg_namelen;
4478 	STRUCT_DECL(msghdr, msg);
4479 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4480 
4481 	fd = (int)uap->fd;
4482 
4483 	/* bail if an error */
4484 	if (error) {
4485 		/* XXX include destination address from system call arguments */
4486 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4487 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4488 		return;
4489 	}
4490 
4491 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4492 		/*
4493 		 * not security relevant if doing a sendmsg from non socket
4494 		 * so no extra tokens. Should probably turn off audit record
4495 		 * generation here.
4496 		 */
4497 		return;
4498 	}
4499 
4500 	so_family = so->so_family;
4501 	so_type   = so->so_type;
4502 
4503 	switch (so_family) {
4504 	case AF_INET:
4505 	case AF_INET6:
4506 		/*
4507 		 * if datagram type socket, then just use what is in
4508 		 * socket structure for local address.
4509 		 * XXX - what do we do for other types?
4510 		 */
4511 		if ((so->so_type == SOCK_DGRAM) ||
4512 		    (so->so_type == SOCK_RAW)) {
4513 
4514 			bzero((void *)so_laddr, sizeof (so_laddr));
4515 			bzero((void *)so_faddr, sizeof (so_faddr));
4516 
4517 			/* get local address */
4518 			len = sizeof (so_laddr);
4519 			(void) socket_getsockname(so,
4520 			    (struct sockaddr *)so_laddr, &len, CRED());
4521 
4522 			/* get peer address */
4523 			STRUCT_INIT(msg, get_udatamodel());
4524 
4525 			if (copyin((caddr_t)(uap->msg),
4526 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4527 				break;
4528 			}
4529 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4530 			if (msg_name == NULL)
4531 				break;
4532 
4533 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4534 			/* length is value from recvmsg - sanity check */
4535 			if (msg_namelen == 0)
4536 				break;
4537 
4538 			if (copyin(msg_name, so_faddr,
4539 			    sizeof (so_faddr)) != 0)
4540 				break;
4541 
4542 			add_sock_token = 1;
4543 
4544 		} else if (so->so_type == SOCK_STREAM) {
4545 
4546 			/* get path from file struct here */
4547 			fad = F2A(fp);
4548 			ASSERT(fad);
4549 
4550 			/*
4551 			 * already processed this file for write attempt
4552 			 */
4553 			if (fad->fad_flags & FAD_WRITE) {
4554 				releasef(fd);
4555 				/* don't want to audit every sendmsg attempt */
4556 				tad->tad_flag = 0;
4557 				/* free any residual audit data */
4558 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4559 				return;
4560 			}
4561 
4562 			/*
4563 			 * mark things so we know what happened and don't
4564 			 * repeat things
4565 			 */
4566 			fad->fad_flags |= FAD_WRITE;
4567 
4568 			bzero((void *)so_laddr, sizeof (so_laddr));
4569 			bzero((void *)so_faddr, sizeof (so_faddr));
4570 
4571 			/* get local and foreign addresses */
4572 			len = sizeof (so_laddr);
4573 			(void) socket_getsockname(so,
4574 			    (struct sockaddr *)so_laddr, &len, CRED());
4575 			len = sizeof (so_faddr);
4576 			(void) socket_getpeername(so,
4577 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4578 
4579 			add_sock_token = 1;
4580 		}
4581 
4582 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4583 
4584 		break;
4585 
4586 	case AF_UNIX:
4587 		/*
4588 		 * first check if this is first time through. Too much
4589 		 * duplicate code to put this in an aui_ routine.
4590 		 */
4591 
4592 		/* get path from file struct here */
4593 		fad = F2A(fp);
4594 		ASSERT(fad);
4595 
4596 		/*
4597 		 * already processed this file for write attempt
4598 		 */
4599 		if (fad->fad_flags & FAD_WRITE) {
4600 			releasef(fd);
4601 			/* don't want to audit every sendmsg attempt */
4602 			tad->tad_flag = 0;
4603 			/* free any residual audit data */
4604 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4605 			return;
4606 		}
4607 		/*
4608 		 * mark things so we know what happened and don't
4609 		 * repeat things
4610 		 */
4611 		fad->fad_flags |= FAD_WRITE;
4612 
4613 		if (fad->fad_aupath != NULL) {
4614 			au_uwrite(au_to_path(fad->fad_aupath));
4615 		} else {
4616 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4617 		}
4618 
4619 		audit_attributes(fp->f_vnode);
4620 
4621 		releasef(fd);
4622 
4623 		return;
4624 
4625 	default:
4626 		break;
4627 	}
4628 
4629 	releasef(fd);
4630 
4631 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4632 
4633 	if (add_sock_token == 0) {
4634 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4635 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4636 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4637 		return;
4638 	}
4639 
4640 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4641 
4642 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4643 }
4644 
4645 /*ARGSUSED*/
4646 static void
4647 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4648 {
4649 	struct a {
4650 		long	fd;
4651 		long	msg;	/* char */
4652 		long	len;
4653 		long	flags;
4654 		long	to;	/* struct sockaddr */
4655 		long	tolen;
4656 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4657 
4658 	struct sonode	*so;
4659 	char so_laddr[sizeof (struct sockaddr_in6)];
4660 	char so_faddr[sizeof (struct sockaddr_in6)];
4661 	socklen_t	tolen;
4662 	int		err;
4663 	int		fd;
4664 	socklen_t	len;
4665 	short so_family, so_type;
4666 	int		add_sock_token = 0;
4667 	struct file	*fp;
4668 	struct f_audit_data *fad;
4669 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4670 
4671 	fd = (int)uap->fd;
4672 
4673 	/* bail if an error */
4674 	if (error) {
4675 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4676 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4677 		/* XXX include destination address from system call arguments */
4678 		return;
4679 	}
4680 
4681 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4682 		/*
4683 		 * not security relevant if doing a sendto using non socket
4684 		 * so no extra tokens. Should probably turn off audit record
4685 		 * generation here.
4686 		 */
4687 		return;
4688 	}
4689 
4690 	so_family = so->so_family;
4691 	so_type   = so->so_type;
4692 
4693 	/*
4694 	 * only putout SOCKET_EX token if INET/INET6 family.
4695 	 * XXX - what do we do about other families?
4696 	 */
4697 
4698 	switch (so_family) {
4699 	case AF_INET:
4700 	case AF_INET6:
4701 
4702 		/*
4703 		 * if datagram type socket, then just use what is in
4704 		 * socket structure for local address.
4705 		 * XXX - what do we do for other types?
4706 		 */
4707 		if ((so->so_type == SOCK_DGRAM) ||
4708 		    (so->so_type == SOCK_RAW)) {
4709 
4710 			bzero((void *)so_laddr, sizeof (so_laddr));
4711 			bzero((void *)so_faddr, sizeof (so_faddr));
4712 
4713 			/* get local address */
4714 			len = sizeof (so_laddr);
4715 			(void) socket_getsockname(so,
4716 			    (struct sockaddr *)so_laddr, &len, CRED());
4717 
4718 			/* get peer address */
4719 
4720 			/* sanity check */
4721 			if (uap->to == NULL)
4722 				break;
4723 
4724 			/* sanity checks */
4725 			if (uap->tolen == 0)
4726 				break;
4727 
4728 			tolen = (socklen_t)uap->tolen;
4729 
4730 			/* enforce maximum size */
4731 			if (tolen > sizeof (so_faddr))
4732 				tolen = sizeof (so_faddr);
4733 
4734 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4735 				break;
4736 
4737 			add_sock_token = 1;
4738 		} else {
4739 			/*
4740 			 * check if this is first time through.
4741 			 */
4742 
4743 			/* get path from file struct here */
4744 			fad = F2A(fp);
4745 			ASSERT(fad);
4746 
4747 			/*
4748 			 * already processed this file for write attempt
4749 			 */
4750 			if (fad->fad_flags & FAD_WRITE) {
4751 				/* don't want to audit every sendto attempt */
4752 				tad->tad_flag = 0;
4753 				/* free any residual audit data */
4754 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4755 				releasef(fd);
4756 				return;
4757 			}
4758 			/*
4759 			 * mark things so we know what happened and don't
4760 			 * repeat things
4761 			 */
4762 			fad->fad_flags |= FAD_WRITE;
4763 
4764 			bzero((void *)so_laddr, sizeof (so_laddr));
4765 			bzero((void *)so_faddr, sizeof (so_faddr));
4766 
4767 			/* get local and foreign addresses */
4768 			len = sizeof (so_laddr);
4769 			(void) socket_getsockname(so,
4770 			    (struct sockaddr *)so_laddr, &len, CRED());
4771 			len = sizeof (so_faddr);
4772 			(void) socket_getpeername(so,
4773 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4774 
4775 			add_sock_token = 1;
4776 		}
4777 
4778 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4779 
4780 		break;
4781 
4782 	case AF_UNIX:
4783 		/*
4784 		 * first check if this is first time through. Too much
4785 		 * duplicate code to put this in an aui_ routine.
4786 		 */
4787 
4788 		/* get path from file struct here */
4789 		fad = F2A(fp);
4790 		ASSERT(fad);
4791 
4792 		/*
4793 		 * already processed this file for write attempt
4794 		 */
4795 		if (fad->fad_flags & FAD_WRITE) {
4796 			/* don't want to audit every sendto attempt */
4797 			tad->tad_flag = 0;
4798 			/* free any residual audit data */
4799 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4800 			releasef(fd);
4801 			return;
4802 		}
4803 		/*
4804 		 * mark things so we know what happened and don't
4805 		 * repeat things
4806 		 */
4807 		fad->fad_flags |= FAD_WRITE;
4808 
4809 		if (fad->fad_aupath != NULL) {
4810 			au_uwrite(au_to_path(fad->fad_aupath));
4811 		} else {
4812 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4813 		}
4814 
4815 		audit_attributes(fp->f_vnode);
4816 
4817 		releasef(fd);
4818 
4819 		return;
4820 
4821 	default:
4822 		break;
4823 
4824 	}
4825 
4826 	releasef(fd);
4827 
4828 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4829 
4830 	if (add_sock_token == 0) {
4831 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4832 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4833 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4834 		return;
4835 	}
4836 
4837 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4838 
4839 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4840 
4841 }
4842 
4843 /*
4844  * XXX socket(2) may be equivalent to open(2) on a unix domain
4845  * socket. This needs investigation.
4846  */
4847 
4848 /*ARGSUSED*/
4849 static void
4850 aus_socket(struct t_audit_data *tad)
4851 {
4852 	struct a {
4853 		long	domain;
4854 		long	type;
4855 		long	protocol;
4856 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4857 
4858 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4859 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4860 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4861 }
4862 
4863 /*ARGSUSED*/
4864 static void
4865 aus_sigqueue(struct t_audit_data *tad)
4866 {
4867 	struct a {
4868 		long	pid;
4869 		long	signo;
4870 		long	*val;
4871 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4872 	struct proc *p;
4873 	uid_t uid, ruid;
4874 	gid_t gid, rgid;
4875 	pid_t pid;
4876 	const auditinfo_addr_t *ainfo;
4877 	cred_t *cr;
4878 
4879 	pid = (pid_t)uap->pid;
4880 
4881 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4882 	if (pid > 0) {
4883 		mutex_enter(&pidlock);
4884 		if ((p = prfind(pid)) == (struct proc *)0) {
4885 			mutex_exit(&pidlock);
4886 			return;
4887 		}
4888 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4889 		mutex_exit(&pidlock);
4890 
4891 		mutex_enter(&p->p_crlock);
4892 		crhold(cr = p->p_cred);
4893 		mutex_exit(&p->p_crlock);
4894 		mutex_exit(&p->p_lock);
4895 
4896 		ainfo = crgetauinfo(cr);
4897 		if (ainfo == NULL) {
4898 			crfree(cr);
4899 			return;
4900 		}
4901 
4902 		uid  = crgetuid(cr);
4903 		gid  = crgetgid(cr);
4904 		ruid = crgetruid(cr);
4905 		rgid = crgetrgid(cr);
4906 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4907 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4908 		crfree(cr);
4909 	}
4910 	else
4911 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4912 }
4913 
4914 /*ARGSUSED*/
4915 static void
4916 aus_inst_sync(struct t_audit_data *tad)
4917 {
4918 	struct a {
4919 		long	name;	/* char */
4920 		long	flags;
4921 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4922 
4923 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4924 }
4925 
4926 /*ARGSUSED*/
4927 static void
4928 aus_brandsys(struct t_audit_data *tad)
4929 {
4930 	klwp_t *clwp = ttolwp(curthread);
4931 
4932 	struct a {
4933 		long	cmd;
4934 		long	arg1;
4935 		long	arg2;
4936 		long	arg3;
4937 		long	arg4;
4938 		long	arg5;
4939 		long	arg6;
4940 	} *uap = (struct a *)clwp->lwp_ap;
4941 
4942 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4943 #ifdef _LP64
4944 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4945 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4946 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4947 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4948 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4949 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4950 #else
4951 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4952 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4953 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4954 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4955 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4956 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4957 #endif
4958 }
4959 
4960 /*ARGSUSED*/
4961 static void
4962 aus_p_online(struct t_audit_data *tad)
4963 {
4964 	struct a {
4965 		long	processor_id;
4966 		long	flag;
4967 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4968 
4969 	struct flags {
4970 			int	flag;
4971 			char	*cflag;
4972 	} aflags[6] = {
4973 			{ P_ONLINE, "P_ONLINE"},
4974 			{ P_OFFLINE, "P_OFFLINE"},
4975 			{ P_NOINTR, "P_NOINTR"},
4976 			{ P_SPARE, "P_SPARE"},
4977 			{ P_FAULTED, "P_FAULTED"},
4978 			{ P_STATUS, "P_STATUS"}
4979 	};
4980 	int i;
4981 	char *cflag;
4982 
4983 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4984 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4985 
4986 	for (i = 0; i < 6; i++) {
4987 		if (aflags[i].flag == uap->flag)
4988 			break;
4989 	}
4990 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4991 
4992 	au_uwrite(au_to_text(cflag));
4993 }
4994 
4995 /*ARGSUSED*/
4996 static void
4997 aus_processor_bind(struct t_audit_data *tad)
4998 {
4999 	struct a {
5000 		long	id_type;
5001 		long	id;
5002 		long	processor_id;
5003 		long	obind;
5004 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5005 
5006 	struct proc *p;
5007 	int lwpcnt;
5008 	uid_t uid, ruid;
5009 	gid_t gid, rgid;
5010 	pid_t pid;
5011 	const auditinfo_addr_t *ainfo;
5012 	cred_t *cr;
5013 
5014 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5015 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5016 	if (uap->processor_id == PBIND_NONE)
5017 		au_uwrite(au_to_text("PBIND_NONE"));
5018 	else
5019 		au_uwrite(au_to_arg32(3, "processor_id",
5020 		    (uint32_t)uap->processor_id));
5021 
5022 	switch (uap->id_type) {
5023 	case P_MYID:
5024 	case P_LWPID:
5025 		mutex_enter(&pidlock);
5026 		p = ttoproc(curthread);
5027 		if (p == NULL || p->p_as == &kas) {
5028 			mutex_exit(&pidlock);
5029 			return;
5030 		}
5031 		mutex_enter(&p->p_lock);
5032 		mutex_exit(&pidlock);
5033 		lwpcnt = p->p_lwpcnt;
5034 		pid  = p->p_pid;
5035 
5036 		mutex_enter(&p->p_crlock);
5037 		crhold(cr = p->p_cred);
5038 		mutex_exit(&p->p_crlock);
5039 		mutex_exit(&p->p_lock);
5040 
5041 		ainfo = crgetauinfo(cr);
5042 		if (ainfo == NULL) {
5043 			crfree(cr);
5044 			return;
5045 		}
5046 
5047 		uid  = crgetuid(cr);
5048 		gid  = crgetgid(cr);
5049 		ruid = crgetruid(cr);
5050 		rgid = crgetrgid(cr);
5051 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5052 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5053 		crfree(cr);
5054 		break;
5055 	case P_PID:
5056 		mutex_enter(&pidlock);
5057 		p = prfind(uap->id);
5058 		if (p == NULL || p->p_as == &kas) {
5059 			mutex_exit(&pidlock);
5060 			return;
5061 		}
5062 		mutex_enter(&p->p_lock);
5063 		mutex_exit(&pidlock);
5064 		lwpcnt = p->p_lwpcnt;
5065 		pid  = p->p_pid;
5066 
5067 		mutex_enter(&p->p_crlock);
5068 		crhold(cr = p->p_cred);
5069 		mutex_exit(&p->p_crlock);
5070 		mutex_exit(&p->p_lock);
5071 
5072 		ainfo = crgetauinfo(cr);
5073 		if (ainfo == NULL) {
5074 			crfree(cr);
5075 			return;
5076 		}
5077 
5078 		uid  = crgetuid(cr);
5079 		gid  = crgetgid(cr);
5080 		ruid = crgetruid(cr);
5081 		rgid = crgetrgid(cr);
5082 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5083 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5084 		crfree(cr);
5085 
5086 		break;
5087 	default:
5088 		return;
5089 	}
5090 
5091 	if (uap->processor_id == PBIND_NONE &&
5092 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5093 		au_uwrite(au_to_text("PBIND_NONE for process"));
5094 	else
5095 		au_uwrite(au_to_arg32(3, "processor_id",
5096 		    (uint32_t)uap->processor_id));
5097 }
5098 
5099 /*ARGSUSED*/
5100 static au_event_t
5101 aui_doorfs(au_event_t e)
5102 {
5103 	uint32_t code;
5104 
5105 	struct a {		/* doorfs */
5106 		long	a1;
5107 		long	a2;
5108 		long	a3;
5109 		long	a4;
5110 		long	a5;
5111 		long	code;
5112 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5113 
5114 	/*
5115 	 *	audit formats for several of the
5116 	 *	door calls have not yet been determined
5117 	 */
5118 	code = (uint32_t)uap->code;
5119 	switch (code) {
5120 	case DOOR_CALL:
5121 		e = AUE_DOORFS_DOOR_CALL;
5122 		break;
5123 	case DOOR_RETURN:
5124 		e = AUE_NULL;
5125 		break;
5126 	case DOOR_CREATE:
5127 		e = AUE_DOORFS_DOOR_CREATE;
5128 		break;
5129 	case DOOR_REVOKE:
5130 		e = AUE_DOORFS_DOOR_REVOKE;
5131 		break;
5132 	case DOOR_INFO:
5133 		e = AUE_NULL;
5134 		break;
5135 	case DOOR_UCRED:
5136 		e = AUE_NULL;
5137 		break;
5138 	case DOOR_BIND:
5139 		e = AUE_NULL;
5140 		break;
5141 	case DOOR_UNBIND:
5142 		e = AUE_NULL;
5143 		break;
5144 	case DOOR_GETPARAM:
5145 		e = AUE_NULL;
5146 		break;
5147 	case DOOR_SETPARAM:
5148 		e = AUE_NULL;
5149 		break;
5150 	default:	/* illegal system call */
5151 		e = AUE_NULL;
5152 		break;
5153 	}
5154 
5155 	return (e);
5156 }
5157 
5158 static door_node_t *
5159 au_door_lookup(int did)
5160 {
5161 	vnode_t	*vp;
5162 	file_t *fp;
5163 
5164 	if ((fp = getf(did)) == NULL)
5165 		return (NULL);
5166 	/*
5167 	 * Use the underlying vnode (we may be namefs mounted)
5168 	 */
5169 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5170 		vp = fp->f_vnode;
5171 
5172 	if (vp == NULL || vp->v_type != VDOOR) {
5173 		releasef(did);
5174 		return (NULL);
5175 	}
5176 
5177 	return (VTOD(vp));
5178 }
5179 
5180 /*ARGSUSED*/
5181 static void
5182 aus_doorfs(struct t_audit_data *tad)
5183 {
5184 
5185 	struct a {		/* doorfs */
5186 		long	a1;
5187 		long	a2;
5188 		long	a3;
5189 		long	a4;
5190 		long	a5;
5191 		long	code;
5192 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5193 
5194 	door_node_t	*dp;
5195 	struct proc	*p;
5196 	uint32_t	did;
5197 	uid_t uid, ruid;
5198 	gid_t gid, rgid;
5199 	pid_t pid;
5200 	const auditinfo_addr_t *ainfo;
5201 	cred_t *cr;
5202 
5203 	did = (uint32_t)uap->a1;
5204 
5205 	switch (tad->tad_event) {
5206 	case AUE_DOORFS_DOOR_CALL:
5207 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5208 		if ((dp = au_door_lookup(did)) == NULL)
5209 			break;
5210 
5211 		if (DOOR_INVALID(dp)) {
5212 			releasef(did);
5213 			break;
5214 		}
5215 
5216 		if ((p = dp->door_target) == NULL) {
5217 			releasef(did);
5218 			break;
5219 		}
5220 		mutex_enter(&p->p_lock);
5221 		releasef(did);
5222 
5223 		pid  = p->p_pid;
5224 
5225 		mutex_enter(&p->p_crlock);
5226 		crhold(cr = p->p_cred);
5227 		mutex_exit(&p->p_crlock);
5228 		mutex_exit(&p->p_lock);
5229 
5230 		ainfo = crgetauinfo(cr);
5231 		if (ainfo == NULL) {
5232 			crfree(cr);
5233 			return;
5234 		}
5235 		uid  = crgetuid(cr);
5236 		gid  = crgetgid(cr);
5237 		ruid = crgetruid(cr);
5238 		rgid = crgetrgid(cr);
5239 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5240 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5241 		crfree(cr);
5242 		break;
5243 	case AUE_DOORFS_DOOR_RETURN:
5244 		/*
5245 		 * We may want to write information about
5246 		 * all doors (if any) which will be copied
5247 		 * by this call to the user space
5248 		 */
5249 		break;
5250 	case AUE_DOORFS_DOOR_CREATE:
5251 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5252 		break;
5253 	case AUE_DOORFS_DOOR_REVOKE:
5254 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5255 		break;
5256 	case AUE_DOORFS_DOOR_INFO:
5257 		break;
5258 	case AUE_DOORFS_DOOR_CRED:
5259 		break;
5260 	case AUE_DOORFS_DOOR_BIND:
5261 		break;
5262 	case AUE_DOORFS_DOOR_UNBIND: {
5263 		break;
5264 	}
5265 	default:	/* illegal system call */
5266 		break;
5267 	}
5268 }
5269 
5270 /*ARGSUSED*/
5271 static au_event_t
5272 aui_acl(au_event_t e)
5273 {
5274 	struct a {
5275 		union {
5276 			long	name;	/* char */
5277 			long	fd;
5278 		}		obj;
5279 
5280 		long		cmd;
5281 		long		nentries;
5282 		long		arg;	/* aclent_t */
5283 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5284 
5285 	switch (uap->cmd) {
5286 	case SETACL:
5287 	case ACE_SETACL:
5288 		/*
5289 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5290 		 * are expected.
5291 		 */
5292 		break;
5293 	case GETACL:
5294 	case GETACLCNT:
5295 	case ACE_GETACL:
5296 	case ACE_GETACLCNT:
5297 		/* do nothing for these four values. */
5298 		e = AUE_NULL;
5299 		break;
5300 	default:
5301 		/* illegal system call */
5302 		break;
5303 	}
5304 
5305 	return (e);
5306 }
5307 
5308 static void
5309 au_acl(int cmd, int nentries, caddr_t bufp)
5310 {
5311 	size_t		a_size;
5312 	aclent_t	*aclbufp;
5313 	ace_t		*acebufp;
5314 	int		i;
5315 
5316 	switch (cmd) {
5317 	case GETACL:
5318 	case GETACLCNT:
5319 		break;
5320 	case SETACL:
5321 		if (nentries < 3)
5322 			break;
5323 
5324 		a_size = nentries * sizeof (aclent_t);
5325 
5326 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5327 			break;
5328 		if (copyin(bufp, aclbufp, a_size)) {
5329 			kmem_free(aclbufp, a_size);
5330 			break;
5331 		}
5332 		for (i = 0; i < nentries; i++) {
5333 			au_uwrite(au_to_acl(aclbufp + i));
5334 		}
5335 		kmem_free(aclbufp, a_size);
5336 		break;
5337 
5338 	case ACE_SETACL:
5339 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5340 			break;
5341 
5342 		a_size = nentries * sizeof (ace_t);
5343 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5344 			break;
5345 		if (copyin(bufp, acebufp, a_size)) {
5346 			kmem_free(acebufp, a_size);
5347 			break;
5348 		}
5349 		for (i = 0; i < nentries; i++) {
5350 			au_uwrite(au_to_ace(acebufp + i));
5351 		}
5352 		kmem_free(acebufp, a_size);
5353 		break;
5354 	default:
5355 		break;
5356 	}
5357 }
5358 
5359 /*ARGSUSED*/
5360 static void
5361 aus_acl(struct t_audit_data *tad)
5362 {
5363 	struct a {
5364 		long	fname;
5365 		long	cmd;
5366 		long	nentries;
5367 		long	aclbufp;
5368 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5369 
5370 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5371 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5372 
5373 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5374 }
5375 
5376 /*ARGSUSED*/
5377 static void
5378 aus_facl(struct t_audit_data *tad)
5379 {
5380 	struct a {
5381 		long	fd;
5382 		long	cmd;
5383 		long	nentries;
5384 		long	aclbufp;
5385 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5386 	struct file  *fp;
5387 	struct vnode *vp;
5388 	struct f_audit_data *fad;
5389 	int fd;
5390 
5391 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5392 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5393 
5394 	fd = (int)uap->fd;
5395 
5396 	if ((fp = getf(fd)) == NULL)
5397 		return;
5398 
5399 	/* get path from file struct here */
5400 	fad = F2A(fp);
5401 	if (fad->fad_aupath != NULL) {
5402 		au_uwrite(au_to_path(fad->fad_aupath));
5403 	} else {
5404 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5405 	}
5406 
5407 	vp = fp->f_vnode;
5408 	audit_attributes(vp);
5409 
5410 	/* decrement file descriptor reference count */
5411 	releasef(fd);
5412 
5413 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5414 }
5415 
5416 /*ARGSUSED*/
5417 static void
5418 auf_read(tad, error, rval)
5419 	struct t_audit_data *tad;
5420 	int error;
5421 	rval_t *rval;
5422 {
5423 	struct file *fp;
5424 	struct f_audit_data *fad;
5425 	int fd;
5426 	register struct a {
5427 		long	fd;
5428 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5429 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5430 
5431 	fd = (int)uap->fd;
5432 
5433 	/*
5434 	 * convert file pointer to file descriptor
5435 	 *   Note: fd ref count incremented here.
5436 	 */
5437 	if ((fp = getf(fd)) == NULL)
5438 		return;
5439 
5440 	/* get path from file struct here */
5441 	fad = F2A(fp);
5442 	ASSERT(fad);
5443 
5444 	/*
5445 	 * already processed this file for read attempt
5446 	 *
5447 	 * XXX might be better to turn off auditing in a aui_read() routine.
5448 	 */
5449 	if (fad->fad_flags & FAD_READ) {
5450 		/* don't really want to audit every read attempt */
5451 		tad->tad_flag = 0;
5452 		/* free any residual audit data */
5453 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5454 		releasef(fd);
5455 		return;
5456 	}
5457 	/* mark things so we know what happened and don't repeat things */
5458 	fad->fad_flags |= FAD_READ;
5459 
5460 	if (fad->fad_aupath != NULL) {
5461 		au_uwrite(au_to_path(fad->fad_aupath));
5462 	} else {
5463 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5464 	}
5465 
5466 	/* include attributes */
5467 	audit_attributes(fp->f_vnode);
5468 
5469 	/* decrement file descriptor reference count */
5470 	releasef(fd);
5471 }
5472 
5473 /*ARGSUSED*/
5474 static void
5475 auf_write(tad, error, rval)
5476 	struct t_audit_data *tad;
5477 	int error;
5478 	rval_t *rval;
5479 {
5480 	struct file *fp;
5481 	struct f_audit_data *fad;
5482 	int fd;
5483 	register struct a {
5484 		long	fd;
5485 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5486 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5487 
5488 	fd = (int)uap->fd;
5489 
5490 	/*
5491 	 * convert file pointer to file descriptor
5492 	 *   Note: fd ref count incremented here.
5493 	 */
5494 	if ((fp = getf(fd)) == NULL)
5495 		return;
5496 
5497 	/* get path from file struct here */
5498 	fad = F2A(fp);
5499 	ASSERT(fad);
5500 
5501 	/*
5502 	 * already processed this file for write attempt
5503 	 *
5504 	 * XXX might be better to turn off auditing in a aus_write() routine.
5505 	 */
5506 	if (fad->fad_flags & FAD_WRITE) {
5507 		/* don't really want to audit every write attempt */
5508 		tad->tad_flag = 0;
5509 		/* free any residual audit data */
5510 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5511 		releasef(fd);
5512 		return;
5513 	}
5514 	/* mark things so we know what happened and don't repeat things */
5515 	fad->fad_flags |= FAD_WRITE;
5516 
5517 	if (fad->fad_aupath != NULL) {
5518 		au_uwrite(au_to_path(fad->fad_aupath));
5519 	} else {
5520 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5521 	}
5522 
5523 	/* include attributes */
5524 	audit_attributes(fp->f_vnode);
5525 
5526 	/* decrement file descriptor reference count */
5527 	releasef(fd);
5528 }
5529 
5530 /*ARGSUSED*/
5531 static void
5532 auf_recv(tad, error, rval)
5533 	struct t_audit_data *tad;
5534 	int error;
5535 	rval_t *rval;
5536 {
5537 	struct sonode *so;
5538 	char so_laddr[sizeof (struct sockaddr_in6)];
5539 	char so_faddr[sizeof (struct sockaddr_in6)];
5540 	struct file *fp;
5541 	struct f_audit_data *fad;
5542 	int fd;
5543 	int err;
5544 	socklen_t len;
5545 	short so_family, so_type;
5546 	register struct a {
5547 		long	fd;
5548 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5549 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5550 
5551 	/*
5552 	 * If there was an error, then nothing to do. Only generate
5553 	 * audit record on first successful recv.
5554 	 */
5555 	if (error) {
5556 		/* Turn off audit record generation here. */
5557 		tad->tad_flag = 0;
5558 		/* free any residual audit data */
5559 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5560 		return;
5561 	}
5562 
5563 	fd = (int)uap->fd;
5564 
5565 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5566 		/* Turn off audit record generation here. */
5567 		tad->tad_flag = 0;
5568 		/* free any residual audit data */
5569 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5570 		return;
5571 	}
5572 
5573 	/* get path from file struct here */
5574 	fad = F2A(fp);
5575 	ASSERT(fad);
5576 
5577 	/*
5578 	 * already processed this file for read attempt
5579 	 */
5580 	if (fad->fad_flags & FAD_READ) {
5581 		releasef(fd);
5582 		/* don't really want to audit every recv call */
5583 		tad->tad_flag = 0;
5584 		/* free any residual audit data */
5585 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5586 		return;
5587 	}
5588 
5589 	/* mark things so we know what happened and don't repeat things */
5590 	fad->fad_flags |= FAD_READ;
5591 
5592 	so_family = so->so_family;
5593 	so_type   = so->so_type;
5594 
5595 	switch (so_family) {
5596 	case AF_INET:
5597 	case AF_INET6:
5598 		/*
5599 		 * Only for connections.
5600 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5601 		 */
5602 		if (so->so_state & SS_ISBOUND) {
5603 
5604 			bzero((void *)so_laddr, sizeof (so_laddr));
5605 			bzero((void *)so_faddr, sizeof (so_faddr));
5606 
5607 			/* get local and foreign addresses */
5608 			len = sizeof (so_laddr);
5609 			(void) socket_getsockname(so,
5610 			    (struct sockaddr *)so_laddr, &len, CRED());
5611 			len = sizeof (so_faddr);
5612 			(void) socket_getpeername(so,
5613 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5614 
5615 			/*
5616 			 * only way to drop out of switch. Note that we
5617 			 * we release fd below.
5618 			 */
5619 
5620 			break;
5621 		}
5622 
5623 		releasef(fd);
5624 
5625 		/* don't really want to audit every recv call */
5626 		tad->tad_flag = 0;
5627 		/* free any residual audit data */
5628 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5629 
5630 		return;
5631 
5632 	case AF_UNIX:
5633 
5634 		if (fad->fad_aupath != NULL) {
5635 			au_uwrite(au_to_path(fad->fad_aupath));
5636 		} else {
5637 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5638 		}
5639 
5640 		audit_attributes(fp->f_vnode);
5641 
5642 		releasef(fd);
5643 
5644 		return;
5645 
5646 	default:
5647 		releasef(fd);
5648 
5649 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5650 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5651 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5652 
5653 		return;
5654 	}
5655 
5656 	releasef(fd);
5657 
5658 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5659 
5660 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5661 
5662 }
5663 
5664 /*ARGSUSED*/
5665 static void
5666 auf_send(tad, error, rval)
5667 	struct t_audit_data *tad;
5668 	int error;
5669 	rval_t *rval;
5670 {
5671 	struct sonode *so;
5672 	char so_laddr[sizeof (struct sockaddr_in6)];
5673 	char so_faddr[sizeof (struct sockaddr_in6)];
5674 	struct file *fp;
5675 	struct f_audit_data *fad;
5676 	int fd;
5677 	int err;
5678 	socklen_t len;
5679 	short so_family, so_type;
5680 	register struct a {
5681 		long	fd;
5682 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5683 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5684 
5685 	fd = (int)uap->fd;
5686 
5687 	/*
5688 	 * If there was an error, then nothing to do. Only generate
5689 	 * audit record on first successful send.
5690 	 */
5691 	if (error != 0) {
5692 		/* Turn off audit record generation here. */
5693 		tad->tad_flag = 0;
5694 		/* free any residual audit data */
5695 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5696 		return;
5697 	}
5698 
5699 	fd = (int)uap->fd;
5700 
5701 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5702 		/* Turn off audit record generation here. */
5703 		tad->tad_flag = 0;
5704 		/* free any residual audit data */
5705 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5706 		return;
5707 	}
5708 
5709 	/* get path from file struct here */
5710 	fad = F2A(fp);
5711 	ASSERT(fad);
5712 
5713 	/*
5714 	 * already processed this file for write attempt
5715 	 */
5716 	if (fad->fad_flags & FAD_WRITE) {
5717 		releasef(fd);
5718 		/* don't really want to audit every send call */
5719 		tad->tad_flag = 0;
5720 		/* free any residual audit data */
5721 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5722 		return;
5723 	}
5724 
5725 	/* mark things so we know what happened and don't repeat things */
5726 	fad->fad_flags |= FAD_WRITE;
5727 
5728 	so_family = so->so_family;
5729 	so_type   = so->so_type;
5730 
5731 	switch (so_family) {
5732 	case AF_INET:
5733 	case AF_INET6:
5734 		/*
5735 		 * Only for connections.
5736 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5737 		 */
5738 		if (so->so_state & SS_ISBOUND) {
5739 
5740 			bzero((void *)so_laddr, sizeof (so_laddr));
5741 			bzero((void *)so_faddr, sizeof (so_faddr));
5742 
5743 			/* get local and foreign addresses */
5744 			len = sizeof (so_laddr);
5745 			(void) socket_getsockname(so,
5746 			    (struct sockaddr *)so_laddr, &len, CRED());
5747 			len = sizeof (so_faddr);
5748 			(void) socket_getpeername(so,
5749 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5750 
5751 			/*
5752 			 * only way to drop out of switch. Note that we
5753 			 * we release fd below.
5754 			 */
5755 
5756 			break;
5757 		}
5758 
5759 		releasef(fd);
5760 		/* don't really want to audit every send call */
5761 		tad->tad_flag = 0;
5762 		/* free any residual audit data */
5763 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5764 
5765 		return;
5766 
5767 	case AF_UNIX:
5768 
5769 		if (fad->fad_aupath != NULL) {
5770 			au_uwrite(au_to_path(fad->fad_aupath));
5771 		} else {
5772 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5773 		}
5774 
5775 		audit_attributes(fp->f_vnode);
5776 
5777 		releasef(fd);
5778 
5779 		return;
5780 
5781 	default:
5782 		releasef(fd);
5783 
5784 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5785 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5786 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5787 
5788 		return;
5789 	}
5790 
5791 	releasef(fd);
5792 
5793 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5794 
5795 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5796 }
5797 
5798 static au_event_t
5799 aui_forksys(au_event_t e)
5800 {
5801 	struct a {
5802 		long	subcode;
5803 		long	flags;
5804 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5805 
5806 	switch ((uint_t)uap->subcode) {
5807 	case 0:
5808 		e = AUE_FORK1;
5809 		break;
5810 	case 1:
5811 		e = AUE_FORKALL;
5812 		break;
5813 	case 2:
5814 		e = AUE_VFORK;
5815 		break;
5816 	default:
5817 		e = AUE_NULL;
5818 		break;
5819 	}
5820 
5821 	return (e);
5822 }
5823 
5824 /*ARGSUSED*/
5825 static au_event_t
5826 aui_portfs(au_event_t e)
5827 {
5828 	struct a {		/* portfs */
5829 		long	a1;
5830 		long	a2;
5831 		long	a3;
5832 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5833 
5834 	/*
5835 	 * check opcode
5836 	 */
5837 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5838 	case PORT_ASSOCIATE:
5839 		/* check source */
5840 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5841 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5842 			e = AUE_PORTFS_ASSOCIATE;
5843 		} else {
5844 			e = AUE_NULL;
5845 		}
5846 		break;
5847 	case PORT_DISSOCIATE:
5848 		/* check source */
5849 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5850 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5851 			e = AUE_PORTFS_DISSOCIATE;
5852 		} else {
5853 			e = AUE_NULL;
5854 		}
5855 		break;
5856 	default:
5857 		e = AUE_NULL;
5858 	}
5859 	return (e);
5860 }
5861