1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * This file contains the audit event table used to control the production 31 * of audit records for each system call. 32 */ 33 34 #include <sys/policy.h> 35 #include <sys/cred.h> 36 #include <sys/types.h> 37 #include <sys/systm.h> 38 #include <sys/systeminfo.h> /* for sysinfo auditing */ 39 #include <sys/utsname.h> /* for sysinfo auditing */ 40 #include <sys/proc.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 43 #include <sys/fcntl.h> 44 #include <sys/modctl.h> /* for modctl auditing */ 45 #include <sys/vnode.h> 46 #include <sys/user.h> 47 #include <sys/types.h> 48 #include <sys/processor.h> 49 #include <sys/procset.h> 50 #include <sys/acl.h> 51 #include <sys/ipc.h> 52 #include <sys/door.h> 53 #include <sys/sem.h> 54 #include <sys/msg.h> 55 #include <sys/shm.h> 56 #include <sys/kmem.h> 57 #include <sys/file.h> /* for accept */ 58 #include <sys/utssys.h> /* for fuser */ 59 #include <sys/tsol/label.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 #include <sys/port_impl.h> 78 79 80 int au_naevent; 81 char _depends_on[] = "fs/sockfs"; 82 83 static au_event_t aui_null(au_event_t); 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 103 static void aus_null(struct t_audit_data *); 104 static void aus_open(struct t_audit_data *); 105 static void aus_acl(struct t_audit_data *); 106 static void aus_acct(struct t_audit_data *); 107 static void aus_chown(struct t_audit_data *); 108 static void aus_fchown(struct t_audit_data *); 109 static void aus_lchown(struct t_audit_data *); 110 static void aus_chmod(struct t_audit_data *); 111 static void aus_facl(struct t_audit_data *); 112 static void aus_fchmod(struct t_audit_data *); 113 static void aus_fcntl(struct t_audit_data *); 114 static void aus_fsat(struct t_audit_data *); 115 static void aus_mkdir(struct t_audit_data *); 116 static void aus_mknod(struct t_audit_data *); 117 static void aus_mount(struct t_audit_data *); 118 static void aus_umount(struct t_audit_data *); 119 static void aus_umount2(struct t_audit_data *); 120 static void aus_msgsys(struct t_audit_data *); 121 static void aus_semsys(struct t_audit_data *); 122 static void aus_close(struct t_audit_data *); 123 static void aus_fstatfs(struct t_audit_data *); 124 static void aus_setgid(struct t_audit_data *); 125 static void aus_setuid(struct t_audit_data *); 126 static void aus_shmsys(struct t_audit_data *); 127 static void aus_doorfs(struct t_audit_data *); 128 static void aus_ioctl(struct t_audit_data *); 129 static void aus_memcntl(struct t_audit_data *); 130 static void aus_mmap(struct t_audit_data *); 131 static void aus_munmap(struct t_audit_data *); 132 static void aus_priocntlsys(struct t_audit_data *); 133 static void aus_setegid(struct t_audit_data *); 134 static void aus_setgroups(struct t_audit_data *); 135 static void aus_seteuid(struct t_audit_data *); 136 static void aus_putmsg(struct t_audit_data *); 137 static void aus_putpmsg(struct t_audit_data *); 138 static void aus_getmsg(struct t_audit_data *); 139 static void aus_getpmsg(struct t_audit_data *); 140 static void aus_auditsys(struct t_audit_data *); 141 static void aus_sysinfo(struct t_audit_data *); 142 static void aus_modctl(struct t_audit_data *); 143 static void aus_kill(struct t_audit_data *); 144 static void aus_xmknod(struct t_audit_data *); 145 static void aus_setregid(struct t_audit_data *); 146 static void aus_setreuid(struct t_audit_data *); 147 148 static void auf_null(struct t_audit_data *, int, rval_t *); 149 static void auf_mknod(struct t_audit_data *, int, rval_t *); 150 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 151 static void auf_semsys(struct t_audit_data *, int, rval_t *); 152 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 153 #if 0 154 static void auf_open(struct t_audit_data *, int, rval_t *); 155 #endif 156 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 157 static void auf_read(struct t_audit_data *, int, rval_t *); 158 static void auf_write(struct t_audit_data *, int, rval_t *); 159 160 static void aus_sigqueue(struct t_audit_data *); 161 static void aus_p_online(struct t_audit_data *); 162 static void aus_processor_bind(struct t_audit_data *); 163 static void aus_inst_sync(struct t_audit_data *); 164 static void aus_brandsys(struct t_audit_data *); 165 166 static void auf_accept(struct t_audit_data *, int, rval_t *); 167 168 static void auf_bind(struct t_audit_data *, int, rval_t *); 169 static void auf_connect(struct t_audit_data *, int, rval_t *); 170 static void aus_shutdown(struct t_audit_data *); 171 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 172 static void aus_sockconfig(struct t_audit_data *); 173 static void auf_recv(struct t_audit_data *, int, rval_t *); 174 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 175 static void auf_send(struct t_audit_data *, int, rval_t *); 176 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 177 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 178 static void auf_sendto(struct t_audit_data *, int, rval_t *); 179 static void aus_socket(struct t_audit_data *); 180 /* 181 * This table contains mapping information for converting system call numbers 182 * to audit event IDs. In several cases it is necessary to map a single system 183 * call to several events. 184 */ 185 186 struct audit_s2e audit_s2e[] = 187 { 188 /* 189 * ---------- ---------- ---------- ---------- 190 * INITIAL AUDIT START SYSTEM 191 * PROCESSING EVENT PROCESSING CALL 192 * ---------- ---------- ---------- ----------- 193 * FINISH EVENT 194 * PROCESSING CONTROL 195 * ---------------------------------------------------------- 196 */ 197 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 198 auf_null, 0, 199 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 200 auf_null, S2E_NPT, 201 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 202 auf_null, 0, 203 aui_null, AUE_READ, aus_null, /* 3 read */ 204 auf_read, S2E_PUB, 205 aui_null, AUE_WRITE, aus_null, /* 4 write */ 206 auf_write, 0, 207 aui_open, AUE_OPEN, aus_open, /* 5 open */ 208 auf_null, S2E_SP, 209 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 210 auf_null, 0, 211 aui_null, AUE_NULL, aus_null, /* 7 wait */ 212 auf_null, 0, 213 aui_null, AUE_CREAT, aus_null, /* 8 create */ 214 auf_null, S2E_SP, 215 aui_null, AUE_LINK, aus_null, /* 9 link */ 216 auf_null, 0, 217 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 218 auf_null, 0, 219 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 220 auf_null, S2E_MLD, 221 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 222 auf_null, S2E_SP, 223 aui_null, AUE_NULL, aus_null, /* 13 time */ 224 auf_null, 0, 225 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 226 auf_mknod, 0, 227 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 228 auf_null, 0, 229 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 230 auf_null, 0, 231 aui_null, AUE_NULL, aus_null, /* 17 brk */ 232 auf_null, 0, 233 aui_null, AUE_STAT, aus_null, /* 18 stat */ 234 auf_null, S2E_PUB, 235 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 236 auf_null, 0, 237 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 238 auf_null, 0, 239 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 240 auf_null, S2E_MLD, 241 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 242 auf_null, 0, 243 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 244 auf_null, 0, 245 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 246 auf_null, 0, 247 aui_null, AUE_STIME, aus_null, /* 25 stime */ 248 auf_null, 0, 249 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 250 auf_null, 0, 251 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 252 auf_null, 0, 253 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 254 auf_null, 0, 255 aui_null, AUE_NULL, aus_null, /* 29 pause */ 256 auf_null, 0, 257 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 258 auf_null, 0, 259 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 260 auf_null, 0, 261 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 262 auf_null, 0, 263 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 264 auf_null, S2E_PUB, 265 aui_null, AUE_NICE, aus_null, /* 34 nice */ 266 auf_null, 0, 267 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 268 auf_null, S2E_PUB, 269 aui_null, AUE_NULL, aus_null, /* 36 sync */ 270 auf_null, 0, 271 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 272 auf_null, 0, 273 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 274 auf_null, S2E_PUB, 275 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 276 auf_null, 0, 277 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 278 auf_null, 0, 279 aui_null, AUE_NULL, aus_null, /* 41 dup */ 280 auf_null, 0, 281 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 282 auf_null, 0, 283 aui_null, AUE_NULL, aus_null, /* 43 times */ 284 auf_null, 0, 285 aui_null, AUE_NULL, aus_null, /* 44 profil */ 286 auf_null, 0, 287 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 288 /* was proc lock */ 289 auf_null, 0, 290 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 291 auf_null, 0, 292 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 293 auf_null, 0, 294 aui_null, AUE_NULL, aus_null, /* 48 sig */ 295 auf_null, 0, 296 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 297 auf_msgsys, 0, 298 #if defined(__x86) 299 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 300 auf_null, 0, 301 #else 302 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 303 auf_null, 0, 304 #endif /* __x86 */ 305 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 306 auf_null, 0, 307 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 308 auf_shmsys, 0, 309 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 310 auf_semsys, 0, 311 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 312 auf_null, 0, 313 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 314 auf_null, 0, 315 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 316 auf_null, 0, 317 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 318 auf_null, 0, 319 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 320 auf_null, 0, 321 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 322 auf_null, S2E_MLD, 323 aui_null, AUE_NULL, aus_null, /* 60 umask */ 324 auf_null, 0, 325 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 326 auf_null, S2E_SP, 327 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 328 auf_null, 0, 329 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 330 auf_null, 0, 331 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 332 auf_null, 0, 333 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 334 auf_null, 0, 335 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 336 auf_null, 0, 337 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 338 /* file locking call */ 339 auf_null, 0, 340 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 341 /* local system calls */ 342 auf_null, 0, 343 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 344 auf_null, 0, 345 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 346 auf_null, 0, 347 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 348 auf_null, 0, 349 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 350 auf_null, 0, 351 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 352 auf_null, 0, 353 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 354 auf_null, 0, 355 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 356 /* was sigret (SunOS) */ 357 auf_null, 0, 358 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 359 auf_null, 0, 360 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 361 auf_null, 0, 362 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 363 auf_null, 0, 364 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 365 auf_null, 0, 366 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 367 auf_null, 0, 368 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 369 auf_null, 0, 370 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 371 /* was libattach */ 372 auf_null, 0, 373 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 374 /* was libdetach */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 377 auf_null, 0, 378 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 379 auf_null, 0, 380 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 381 auf_null, 0, 382 aui_null, AUE_NULL, aus_null, /* 87 poll */ 383 auf_null, 0, 384 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 385 auf_null, S2E_PUB, 386 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 387 auf_null, 0, 388 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 389 auf_null, S2E_PUB, 390 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 391 auf_null, 0, 392 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 393 auf_null, 0, 394 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 395 auf_null, 0, 396 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 397 auf_null, 0, 398 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 399 auf_null, 0, 400 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 401 auf_null, 0, 402 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 403 auf_null, 0, 404 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 405 auf_null, 0, 406 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 407 auf_null, 0, 408 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 409 auf_null, 0, 410 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 411 auf_null, 0, 412 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 413 /* was evtrapret */ 414 auf_null, 0, 415 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 416 auf_null, S2E_PUB, 417 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 418 auf_null, 0, 419 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 420 auf_null, 0, 421 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 422 auf_null, 0, 423 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 424 auf_null, 0, 425 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 426 auf_null, 0, 427 #if defined(__x86) 428 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 429 auf_null, 0, 430 #else 431 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 432 auf_null, 0, 433 #endif /* __x86 */ 434 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 435 auf_null, 0, 436 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 437 auf_null, 0, 438 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 439 auf_null, 0, /* 112 priocntlsys */ 440 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 441 auf_null, S2E_PUB, 442 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 443 auf_null, 0, 444 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 445 auf_null, 0, 446 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 447 auf_null, 0, 448 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 449 auf_null, 0, 450 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 451 auf_null, 0, 452 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 453 auf_null, 0, 454 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 455 auf_null, 0, 456 aui_null, AUE_READ, aus_null, /* 121 readv */ 457 auf_read, S2E_PUB, 458 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 459 auf_write, 0, 460 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 461 auf_null, S2E_PUB, 462 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 463 auf_null, S2E_PUB, 464 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 465 auf_null, 0, 466 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 467 auf_xmknod, 0, 468 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 469 auf_null, 0, 470 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 471 auf_null, 0, 472 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 473 auf_null, 0, 474 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 475 auf_null, 0, 476 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 477 auf_null, 0, 478 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 479 auf_null, 0, 480 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 481 auf_null, 0, 482 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 483 auf_null, 0, 484 aui_null, AUE_NULL, aus_null, /* 135 uname */ 485 auf_null, 0, 486 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 487 auf_null, 0, 488 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 489 auf_null, 0, 490 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 491 auf_null, 0, 492 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 493 auf_null, 0, 494 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 495 auf_null, 0, 496 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 497 auf_null, 0, 498 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 499 auf_null, 0, 500 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 501 auf_null, 0, 502 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 503 auf_null, 0, 504 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 505 auf_null, 0, 506 aui_null, AUE_NULL, aus_null, /* 146 yield */ 507 auf_null, 0, 508 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 509 auf_null, 0, 510 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 511 auf_null, 0, 512 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 513 auf_null, 0, 514 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 515 auf_null, 0, 516 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 517 auf_null, 0, 518 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 519 auf_null, 0, 520 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 521 auf_null, 0, 522 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 523 auf_null, 0, 524 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 525 auf_null, 0, 526 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 527 auf_null, 0, 528 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 529 auf_null, 0, 530 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 531 auf_null, 0, 532 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 533 auf_null, 0, 534 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 535 auf_null, 0, 536 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 537 auf_null, 0, 538 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 539 auf_null, 0, 540 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 541 auf_null, 0, 542 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 543 auf_null, 0, 544 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 545 /* was lwp_setprivate */ 546 auf_null, 0, 547 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 548 /* was lwp_getprivate */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 551 auf_null, 0, 552 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 553 auf_null, 0, 554 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 555 auf_null, 0, 556 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 557 auf_null, 0, 558 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 559 auf_null, 0, 560 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 561 auf_null, 0, 562 aui_null, AUE_READ, aus_null, /* 173 pread */ 563 auf_read, S2E_PUB, 564 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 565 auf_write, 0, 566 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 567 auf_null, 0, 568 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 569 /* aus_inst_sync */ 570 auf_null, 0, 571 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 572 auf_null, 0, 573 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 574 auf_null, 0, 575 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 576 auf_null, 0, 577 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 578 auf_null, 0, 579 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 580 auf_null, 0, 581 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 582 auf_null, 0, 583 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 584 auf_null, 0, 585 aui_null, AUE_NULL, aus_null, /* 184 (loadable) tsolsys */ 586 auf_null, 0, 587 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 588 auf_null, 0, 589 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 590 auf_null, 0, 591 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 592 auf_null, 0, /* 187 processor_bind */ 593 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 594 auf_null, 0, 595 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 596 auf_null, 0, 597 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 598 auf_null, 0, 599 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 600 auf_null, 0, 601 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 602 auf_null, 0, 603 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 604 auf_null, 0, 605 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 606 auf_null, 0, 607 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 608 auf_null, 0, 609 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 610 auf_null, 0, 611 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 612 auf_null, 0, 613 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 614 auf_null, 0, 615 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 616 auf_null, 0, 617 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 618 auf_null, 0, 619 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 620 auf_null, 0, 621 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 622 auf_null, 0, 623 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 624 auf_null, 0, 625 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 626 auf_null, 0, 627 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 628 auf_null, 0, 629 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 630 auf_null, 0, 631 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 632 auf_null, 0, 633 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 634 auf_null, 0, 635 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 636 auf_null, 0, 637 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 638 auf_null, 0, 639 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 640 auf_null, 0, 641 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 642 auf_null, 0, 643 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 644 auf_null, 0, 645 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 646 auf_null, 0, 647 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 648 auf_null, S2E_PUB, 649 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 650 auf_null, S2E_PUB, 651 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 652 auf_null, 0, 653 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 654 auf_null, S2E_PUB, 655 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 656 auf_null, 0, 657 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 658 auf_null, 0, 659 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 660 auf_null, 0, 661 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 662 auf_read, S2E_PUB, 663 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 664 auf_write, 0, 665 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 666 auf_null, S2E_SP, 667 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 668 auf_null, S2E_SP, 669 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 670 auf_null, 0, 671 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 672 auf_null, 0, 673 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 674 auf_null, 0, 675 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 676 auf_null, 0, 677 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 678 auf_null, 0, 679 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 680 auf_null, 0, 681 aui_null, AUE_BIND, aus_null, /* 232 bind */ 682 auf_bind, 0, 683 aui_null, AUE_NULL, aus_null, /* 233 listen */ 684 auf_null, 0, 685 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 686 auf_accept, 0, 687 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 688 auf_connect, 0, 689 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 690 auf_null, 0, 691 aui_null, AUE_READ, aus_null, /* 237 recv */ 692 auf_recv, 0, 693 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 694 auf_recvfrom, 0, 695 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 696 auf_recvmsg, 0, 697 aui_null, AUE_WRITE, aus_null, /* 240 send */ 698 auf_send, 0, 699 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 700 auf_sendmsg, 0, 701 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 702 auf_sendto, 0, 703 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 704 auf_null, 0, 705 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 706 auf_null, 0, 707 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 708 auf_null, 0, 709 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 710 auf_setsockopt, 0, 711 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 712 auf_null, 0, 713 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 714 auf_null, 0, 715 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 716 auf_null, 0, 717 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 718 auf_null, 0, 719 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 720 auf_null, 0, 721 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 722 auf_null, 0, 723 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 724 auf_null, 0, 725 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 726 auf_null, 0, 727 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 728 auf_null, 0 729 }; 730 731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 732 733 /* null start function */ 734 /*ARGSUSED*/ 735 static void 736 aus_null(struct t_audit_data *tad) 737 { 738 } 739 740 /* acct start function */ 741 /*ARGSUSED*/ 742 static void 743 aus_acct(struct t_audit_data *tad) 744 { 745 klwp_t *clwp = ttolwp(curthread); 746 uintptr_t fname; 747 748 struct a { 749 long fname; /* char * */ 750 } *uap = (struct a *)clwp->lwp_ap; 751 752 fname = (uintptr_t)uap->fname; 753 754 if (fname == 0) 755 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 756 } 757 758 /* chown start function */ 759 /*ARGSUSED*/ 760 static void 761 aus_chown(struct t_audit_data *tad) 762 { 763 klwp_t *clwp = ttolwp(curthread); 764 uint32_t uid, gid; 765 766 struct a { 767 long fname; /* char * */ 768 long uid; 769 long gid; 770 } *uap = (struct a *)clwp->lwp_ap; 771 772 uid = (uint32_t)uap->uid; 773 gid = (uint32_t)uap->gid; 774 775 au_uwrite(au_to_arg32(2, "new file uid", uid)); 776 au_uwrite(au_to_arg32(3, "new file gid", gid)); 777 } 778 779 /* fchown start function */ 780 /*ARGSUSED*/ 781 static void 782 aus_fchown(struct t_audit_data *tad) 783 { 784 klwp_t *clwp = ttolwp(curthread); 785 uint32_t uid, gid, fd; 786 struct file *fp; 787 struct vnode *vp; 788 struct f_audit_data *fad; 789 790 struct a { 791 long fd; 792 long uid; 793 long gid; 794 } *uap = (struct a *)clwp->lwp_ap; 795 796 fd = (uint32_t)uap->fd; 797 uid = (uint32_t)uap->uid; 798 gid = (uint32_t)uap->gid; 799 800 au_uwrite(au_to_arg32(2, "new file uid", uid)); 801 au_uwrite(au_to_arg32(3, "new file gid", gid)); 802 803 /* 804 * convert file pointer to file descriptor 805 * Note: fd ref count incremented here. 806 */ 807 if ((fp = getf(fd)) == NULL) 808 return; 809 810 /* get path from file struct here */ 811 fad = F2A(fp); 812 if (fad->fad_aupath != NULL) { 813 au_uwrite(au_to_path(fad->fad_aupath)); 814 } else { 815 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 816 } 817 818 vp = fp->f_vnode; 819 audit_attributes(vp); 820 821 /* decrement file descriptor reference count */ 822 releasef(fd); 823 } 824 825 /*ARGSUSED*/ 826 static void 827 aus_lchown(struct t_audit_data *tad) 828 { 829 klwp_t *clwp = ttolwp(curthread); 830 uint32_t uid, gid; 831 832 833 struct a { 834 long fname; /* char * */ 835 long uid; 836 long gid; 837 } *uap = (struct a *)clwp->lwp_ap; 838 839 uid = (uint32_t)uap->uid; 840 gid = (uint32_t)uap->gid; 841 842 au_uwrite(au_to_arg32(2, "new file uid", uid)); 843 au_uwrite(au_to_arg32(3, "new file gid", gid)); 844 } 845 846 /* chmod start function */ 847 /*ARGSUSED*/ 848 static void 849 aus_chmod(struct t_audit_data *tad) 850 { 851 klwp_t *clwp = ttolwp(curthread); 852 uint32_t fmode; 853 854 struct a { 855 long fname; /* char * */ 856 long fmode; 857 } *uap = (struct a *)clwp->lwp_ap; 858 859 fmode = (uint32_t)uap->fmode; 860 861 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 862 } 863 864 /* chmod start function */ 865 /*ARGSUSED*/ 866 static void 867 aus_fchmod(struct t_audit_data *tad) 868 { 869 klwp_t *clwp = ttolwp(curthread); 870 uint32_t fmode, fd; 871 struct file *fp; 872 struct vnode *vp; 873 struct f_audit_data *fad; 874 875 struct a { 876 long fd; 877 long fmode; 878 } *uap = (struct a *)clwp->lwp_ap; 879 880 fd = (uint32_t)uap->fd; 881 fmode = (uint32_t)uap->fmode; 882 883 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 884 885 /* 886 * convert file pointer to file descriptor 887 * Note: fd ref count incremented here. 888 */ 889 if ((fp = getf(fd)) == NULL) 890 return; 891 892 /* get path from file struct here */ 893 fad = F2A(fp); 894 if (fad->fad_aupath != NULL) { 895 au_uwrite(au_to_path(fad->fad_aupath)); 896 } else { 897 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 898 } 899 900 vp = fp->f_vnode; 901 audit_attributes(vp); 902 903 /* decrement file descriptor reference count */ 904 releasef(fd); 905 } 906 907 /* null function */ 908 /*ARGSUSED*/ 909 static void 910 auf_null(struct t_audit_data *tad, int error, rval_t *rval) 911 { 912 } 913 914 /* null function */ 915 static au_event_t 916 aui_null(au_event_t e) 917 { 918 return (e); 919 } 920 921 /* convert open to appropriate event */ 922 static au_event_t 923 aui_open(au_event_t e) 924 { 925 klwp_t *clwp = ttolwp(curthread); 926 uint_t fm; 927 928 struct a { 929 long fnamep; /* char * */ 930 long fmode; 931 long cmode; 932 } *uap = (struct a *)clwp->lwp_ap; 933 934 fm = (uint_t)uap->fmode; 935 936 if (fm & O_WRONLY) 937 e = AUE_OPEN_W; 938 else if (fm & O_RDWR) 939 e = AUE_OPEN_RW; 940 else 941 e = AUE_OPEN_R; 942 943 if (fm & O_CREAT) 944 e += 1; 945 if (fm & O_TRUNC) 946 e += 2; 947 948 return (e); 949 } 950 951 /*ARGSUSED*/ 952 static void 953 aus_open(struct t_audit_data *tad) 954 { 955 klwp_t *clwp = ttolwp(curthread); 956 uint_t fm; 957 958 struct a { 959 long fnamep; /* char * */ 960 long fmode; 961 long cmode; 962 } *uap = (struct a *)clwp->lwp_ap; 963 964 fm = (uint_t)uap->fmode; 965 966 /* If no write, create, or trunc modes, mark as a public op */ 967 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 968 tad->tad_ctrl |= PAD_PUBLIC_EV; 969 } 970 971 /* convert openat(2) to appropriate event */ 972 static au_event_t 973 aui_fsat(au_event_t e) 974 { 975 t_audit_data_t *tad = U2A(u); 976 klwp_t *clwp = ttolwp(curthread); 977 uint_t fmcode, fm; 978 struct a { 979 long id; 980 long arg1; 981 long arg2; 982 long arg3; 983 long arg4; 984 long arg5; 985 } *uap = (struct a *)clwp->lwp_ap; 986 987 fmcode = (uint_t)uap->id; 988 989 switch (fmcode) { 990 991 case 0: /* openat */ 992 case 1: /* openat64 */ 993 fm = (uint_t)uap->arg3; 994 if (fm & O_WRONLY) 995 e = AUE_OPENAT_W; 996 else if (fm & O_RDWR) 997 e = AUE_OPENAT_RW; 998 else 999 e = AUE_OPENAT_R; 1000 1001 /* 1002 * openat modes are defined in the following order: 1003 * Read only 1004 * Read|Create 1005 * Read|Trunc 1006 * Read|Create|Trunc 1007 * Write Only 1008 * Write|Create 1009 * Write|Trunc 1010 * Write|Create|Trunc * RW Only 1011 * RW|Create 1012 * RW|Trunc 1013 * RW|Create|Trunc 1014 */ 1015 if (fm & O_CREAT) 1016 e += 1; /* increment to include CREAT in mode */ 1017 if (fm & O_TRUNC) 1018 e += 2; /* increment to include TRUNC in mode */ 1019 1020 /* convert to appropriate au_ctrl */ 1021 tad->tad_ctrl |= PAD_SAVPATH; 1022 if (fm & FXATTR) 1023 tad->tad_ctrl |= PAD_ATPATH; 1024 1025 1026 break; 1027 case 2: /* fstatat64 */ 1028 case 3: /* fstatat */ 1029 e = AUE_FSTATAT; 1030 break; 1031 case 4: /* fchownat */ 1032 e = AUE_FCHOWNAT; 1033 break; 1034 case 5: /* unlinkat */ 1035 e = AUE_UNLINKAT; 1036 break; 1037 case 6: /* futimesat */ 1038 e = AUE_FUTIMESAT; 1039 break; 1040 case 7: /* renameat */ 1041 e = AUE_RENAMEAT; 1042 break; 1043 case 9: /* __openattrdirat */ 1044 tad->tad_ctrl |= PAD_SAVPATH; 1045 /*FALLTHROUGH*/ 1046 default: 1047 e = AUE_NULL; 1048 break; 1049 } 1050 1051 return (e); 1052 } 1053 1054 /*ARGSUSED*/ 1055 static void 1056 aus_fsat(struct t_audit_data *tad) 1057 { 1058 klwp_t *clwp = ttolwp(curthread); 1059 uint_t fmcode, fm; 1060 struct a { 1061 long id; 1062 long arg1; 1063 long arg2; 1064 long arg3; 1065 long arg4; 1066 long arg5; 1067 } *uap = (struct a *)clwp->lwp_ap; 1068 1069 fmcode = (uint_t)uap->id; 1070 1071 switch (fmcode) { 1072 1073 case 0: /* openat */ 1074 case 1: /* openat64 */ 1075 fm = (uint_t)uap->arg3; 1076 /* If no write, create, or trunc modes, mark as a public op */ 1077 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1078 tad->tad_ctrl |= PAD_PUBLIC_EV; 1079 1080 break; 1081 case 2: /* fstatat64 */ 1082 case 3: /* fstatat */ 1083 tad->tad_ctrl |= PAD_PUBLIC_EV; 1084 break; 1085 default: 1086 break; 1087 } 1088 } 1089 1090 /* msgsys */ 1091 static au_event_t 1092 aui_msgsys(au_event_t e) 1093 { 1094 klwp_t *clwp = ttolwp(curthread); 1095 uint_t fm; 1096 1097 struct a { 1098 long id; /* function code id */ 1099 long ap; /* arg pointer for recvmsg */ 1100 } *uap = (struct a *)clwp->lwp_ap; 1101 1102 struct b { 1103 long msgid; 1104 long cmd; 1105 long buf; /* struct msqid_ds * */ 1106 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1107 1108 fm = (uint_t)uap->id; 1109 1110 switch (fm) { 1111 case 0: /* msgget */ 1112 e = AUE_MSGGET; 1113 break; 1114 case 1: /* msgctl */ 1115 switch ((uint_t)uap1->cmd) { 1116 case IPC_RMID: 1117 e = AUE_MSGCTL_RMID; 1118 break; 1119 case IPC_SET: 1120 e = AUE_MSGCTL_SET; 1121 break; 1122 case IPC_STAT: 1123 e = AUE_MSGCTL_STAT; 1124 break; 1125 default: 1126 e = AUE_MSGCTL; 1127 break; 1128 } 1129 break; 1130 case 2: /* msgrcv */ 1131 e = AUE_MSGRCV; 1132 break; 1133 case 3: /* msgsnd */ 1134 e = AUE_MSGSND; 1135 break; 1136 default: /* illegal system call */ 1137 e = AUE_NULL; 1138 break; 1139 } 1140 1141 return (e); 1142 } 1143 1144 1145 /* shmsys */ 1146 static au_event_t 1147 aui_shmsys(au_event_t e) 1148 { 1149 klwp_t *clwp = ttolwp(curthread); 1150 int fm; 1151 1152 struct a { /* shmsys */ 1153 long id; /* function code id */ 1154 } *uap = (struct a *)clwp->lwp_ap; 1155 1156 struct b { /* ctrl */ 1157 long shmid; 1158 long cmd; 1159 long arg; /* struct shmid_ds * */ 1160 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1161 fm = (uint_t)uap->id; 1162 1163 switch (fm) { 1164 case 0: /* shmat */ 1165 e = AUE_SHMAT; 1166 break; 1167 case 1: /* shmctl */ 1168 switch ((uint_t)uap1->cmd) { 1169 case IPC_RMID: 1170 e = AUE_SHMCTL_RMID; 1171 break; 1172 case IPC_SET: 1173 e = AUE_SHMCTL_SET; 1174 break; 1175 case IPC_STAT: 1176 e = AUE_SHMCTL_STAT; 1177 break; 1178 default: 1179 e = AUE_SHMCTL; 1180 break; 1181 } 1182 break; 1183 case 2: /* shmdt */ 1184 e = AUE_SHMDT; 1185 break; 1186 case 3: /* shmget */ 1187 e = AUE_SHMGET; 1188 break; 1189 default: /* illegal system call */ 1190 e = AUE_NULL; 1191 break; 1192 } 1193 1194 return (e); 1195 } 1196 1197 1198 /* semsys */ 1199 static au_event_t 1200 aui_semsys(au_event_t e) 1201 { 1202 klwp_t *clwp = ttolwp(curthread); 1203 uint_t fm; 1204 1205 struct a { /* semsys */ 1206 long id; 1207 } *uap = (struct a *)clwp->lwp_ap; 1208 1209 struct b { /* ctrl */ 1210 long semid; 1211 long semnum; 1212 long cmd; 1213 long arg; 1214 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1215 1216 fm = (uint_t)uap->id; 1217 1218 switch (fm) { 1219 case 0: /* semctl */ 1220 switch ((uint_t)uap1->cmd) { 1221 case IPC_RMID: 1222 e = AUE_SEMCTL_RMID; 1223 break; 1224 case IPC_SET: 1225 e = AUE_SEMCTL_SET; 1226 break; 1227 case IPC_STAT: 1228 e = AUE_SEMCTL_STAT; 1229 break; 1230 case GETNCNT: 1231 e = AUE_SEMCTL_GETNCNT; 1232 break; 1233 case GETPID: 1234 e = AUE_SEMCTL_GETPID; 1235 break; 1236 case GETVAL: 1237 e = AUE_SEMCTL_GETVAL; 1238 break; 1239 case GETALL: 1240 e = AUE_SEMCTL_GETALL; 1241 break; 1242 case GETZCNT: 1243 e = AUE_SEMCTL_GETZCNT; 1244 break; 1245 case SETVAL: 1246 e = AUE_SEMCTL_SETVAL; 1247 break; 1248 case SETALL: 1249 e = AUE_SEMCTL_SETALL; 1250 break; 1251 default: 1252 e = AUE_SEMCTL; 1253 break; 1254 } 1255 break; 1256 case 1: /* semget */ 1257 e = AUE_SEMGET; 1258 break; 1259 case 2: /* semop */ 1260 e = AUE_SEMOP; 1261 break; 1262 default: /* illegal system call */ 1263 e = AUE_NULL; 1264 break; 1265 } 1266 1267 return (e); 1268 } 1269 1270 /* utssys - uname(2), ustat(2), fusers(2) */ 1271 static au_event_t 1272 aui_utssys(au_event_t e) 1273 { 1274 klwp_t *clwp = ttolwp(curthread); 1275 uint_t type; 1276 1277 struct a { 1278 union { 1279 long cbuf; /* char * */ 1280 long ubuf; /* struct stat * */ 1281 } ub; 1282 union { 1283 long mv; /* for USTAT */ 1284 long flags; /* for FUSERS */ 1285 } un; 1286 long type; 1287 long outbp; /* char * for FUSERS */ 1288 } *uap = (struct a *)clwp->lwp_ap; 1289 1290 type = (uint_t)uap->type; 1291 1292 if (type == UTS_FUSERS) 1293 return (e); 1294 else 1295 return ((au_event_t)AUE_NULL); 1296 } 1297 1298 static au_event_t 1299 aui_fcntl(au_event_t e) 1300 { 1301 klwp_t *clwp = ttolwp(curthread); 1302 uint_t cmd; 1303 1304 struct a { 1305 long fdes; 1306 long cmd; 1307 long arg; 1308 } *uap = (struct a *)clwp->lwp_ap; 1309 1310 cmd = (uint_t)uap->cmd; 1311 1312 switch (cmd) { 1313 case F_GETLK: 1314 case F_SETLK: 1315 case F_SETLKW: 1316 break; 1317 case F_SETFL: 1318 case F_GETFL: 1319 case F_GETFD: 1320 break; 1321 default: 1322 e = (au_event_t)AUE_NULL; 1323 break; 1324 } 1325 return ((au_event_t)e); 1326 } 1327 1328 /* null function for now */ 1329 static au_event_t 1330 aui_execv(au_event_t e) 1331 { 1332 return (e); 1333 } 1334 1335 /* null function for now */ 1336 static au_event_t 1337 aui_execve(au_event_t e) 1338 { 1339 return (e); 1340 } 1341 1342 /*ARGSUSED*/ 1343 static void 1344 aus_fcntl(struct t_audit_data *tad) 1345 { 1346 klwp_t *clwp = ttolwp(curthread); 1347 uint32_t cmd, fd; 1348 struct file *fp; 1349 struct vnode *vp; 1350 struct f_audit_data *fad; 1351 1352 struct a { 1353 long fd; 1354 long cmd; 1355 long arg; 1356 } *uap = (struct a *)clwp->lwp_ap; 1357 1358 cmd = (uint32_t)uap->cmd; 1359 fd = (uint32_t)uap->fd; 1360 1361 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1362 1363 /* 1364 * convert file pointer to file descriptor 1365 * Note: fd ref count incremented here. 1366 */ 1367 if ((fp = getf(fd)) == NULL) 1368 return; 1369 1370 /* get path from file struct here */ 1371 fad = F2A(fp); 1372 if (fad->fad_aupath != NULL) { 1373 au_uwrite(au_to_path(fad->fad_aupath)); 1374 } else { 1375 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1376 } 1377 1378 vp = fp->f_vnode; 1379 audit_attributes(vp); 1380 1381 /* decrement file descriptor reference count */ 1382 releasef(fd); 1383 } 1384 1385 /*ARGSUSED*/ 1386 static void 1387 aus_kill(struct t_audit_data *tad) 1388 { 1389 klwp_t *clwp = ttolwp(curthread); 1390 struct proc *p; 1391 uint32_t signo; 1392 uid_t uid, ruid; 1393 gid_t gid, rgid; 1394 pid_t pid; 1395 const auditinfo_addr_t *ainfo; 1396 cred_t *cr; 1397 1398 struct a { 1399 long pid; 1400 long signo; 1401 } *uap = (struct a *)clwp->lwp_ap; 1402 1403 pid = (pid_t)uap->pid; 1404 signo = (uint32_t)uap->signo; 1405 1406 au_uwrite(au_to_arg32(2, "signal", signo)); 1407 if (pid > 0) { 1408 mutex_enter(&pidlock); 1409 if (((p = prfind(pid)) == (struct proc *)0) || 1410 (p->p_stat == SIDL)) { 1411 mutex_exit(&pidlock); 1412 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1413 return; 1414 } 1415 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1416 mutex_exit(&pidlock); 1417 1418 mutex_enter(&p->p_crlock); 1419 crhold(cr = p->p_cred); 1420 mutex_exit(&p->p_crlock); 1421 mutex_exit(&p->p_lock); 1422 1423 ainfo = crgetauinfo(cr); 1424 if (ainfo == NULL) { 1425 crfree(cr); 1426 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1427 return; 1428 } 1429 1430 uid = crgetuid(cr); 1431 gid = crgetgid(cr); 1432 ruid = crgetruid(cr); 1433 rgid = crgetrgid(cr); 1434 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1435 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1436 1437 if (is_system_labeled()) 1438 au_uwrite(au_to_label(CR_SL(cr))); 1439 1440 crfree(cr); 1441 } 1442 else 1443 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1444 } 1445 1446 /*ARGSUSED*/ 1447 static void 1448 aus_mkdir(struct t_audit_data *tad) 1449 { 1450 klwp_t *clwp = ttolwp(curthread); 1451 uint32_t dmode; 1452 1453 struct a { 1454 long dirnamep; /* char * */ 1455 long dmode; 1456 } *uap = (struct a *)clwp->lwp_ap; 1457 1458 dmode = (uint32_t)uap->dmode; 1459 1460 au_uwrite(au_to_arg32(2, "mode", dmode)); 1461 } 1462 1463 /*ARGSUSED*/ 1464 static void 1465 aus_mknod(struct t_audit_data *tad) 1466 { 1467 klwp_t *clwp = ttolwp(curthread); 1468 uint32_t fmode; 1469 dev_t dev; 1470 1471 struct a { 1472 long pnamep; /* char * */ 1473 long fmode; 1474 long dev; 1475 } *uap = (struct a *)clwp->lwp_ap; 1476 1477 fmode = (uint32_t)uap->fmode; 1478 dev = (dev_t)uap->dev; 1479 1480 au_uwrite(au_to_arg32(2, "mode", fmode)); 1481 #ifdef _LP64 1482 au_uwrite(au_to_arg64(3, "dev", dev)); 1483 #else 1484 au_uwrite(au_to_arg32(3, "dev", dev)); 1485 #endif 1486 } 1487 1488 /*ARGSUSED*/ 1489 static void 1490 aus_xmknod(struct t_audit_data *tad) 1491 { 1492 klwp_t *clwp = ttolwp(curthread); 1493 uint32_t fmode; 1494 dev_t dev; 1495 1496 struct a { 1497 long version; /* version */ 1498 long pnamep; /* char * */ 1499 long fmode; 1500 long dev; 1501 } *uap = (struct a *)clwp->lwp_ap; 1502 1503 fmode = (uint32_t)uap->fmode; 1504 dev = (dev_t)uap->dev; 1505 1506 au_uwrite(au_to_arg32(2, "mode", fmode)); 1507 #ifdef _LP64 1508 au_uwrite(au_to_arg64(3, "dev", dev)); 1509 #else 1510 au_uwrite(au_to_arg32(3, "dev", dev)); 1511 #endif 1512 } 1513 1514 /*ARGSUSED*/ 1515 static void 1516 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1517 { 1518 klwp_t *clwp = ttolwp(curthread); 1519 vnode_t *dvp; 1520 caddr_t pnamep; 1521 1522 struct a { 1523 long pnamep; /* char * */ 1524 long fmode; 1525 long dev; 1526 } *uap = (struct a *)clwp->lwp_ap; 1527 1528 /* no error, then already path token in audit record */ 1529 if (error != EPERM) 1530 return; 1531 1532 /* not auditing this event, nothing then to do */ 1533 if (tad->tad_flag == 0) 1534 return; 1535 1536 /* do the lookup to force generation of path token */ 1537 pnamep = (caddr_t)uap->pnamep; 1538 tad->tad_ctrl |= PAD_NOATTRB; 1539 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1540 if (error == 0) 1541 VN_RELE(dvp); 1542 } 1543 1544 /*ARGSUSED*/ 1545 static void 1546 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1547 { 1548 klwp_t *clwp = ttolwp(curthread); 1549 vnode_t *dvp; 1550 caddr_t pnamep; 1551 1552 struct a { 1553 long version; /* version */ 1554 long pnamep; /* char * */ 1555 long fmode; 1556 long dev; 1557 } *uap = (struct a *)clwp->lwp_arg; 1558 1559 1560 /* no error, then already path token in audit record */ 1561 if (error != EPERM) 1562 return; 1563 1564 /* not auditing this event, nothing then to do */ 1565 if (tad->tad_flag == 0) 1566 return; 1567 1568 /* do the lookup to force generation of path token */ 1569 pnamep = (caddr_t)uap->pnamep; 1570 tad->tad_ctrl |= PAD_NOATTRB; 1571 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1572 if (error == 0) 1573 VN_RELE(dvp); 1574 } 1575 1576 /*ARGSUSED*/ 1577 static void 1578 aus_mount(struct t_audit_data *tad) 1579 { /* AUS_START */ 1580 klwp_t *clwp = ttolwp(curthread); 1581 uint32_t flags; 1582 uintptr_t u_fstype, dataptr; 1583 STRUCT_DECL(nfs_args, nfsargs); 1584 size_t len; 1585 char *fstype, *hostname; 1586 1587 struct a { 1588 long spec; /* char * */ 1589 long dir; /* char * */ 1590 long flags; 1591 long fstype; /* char * */ 1592 long dataptr; /* char * */ 1593 long datalen; 1594 } *uap = (struct a *)clwp->lwp_ap; 1595 1596 u_fstype = (uintptr_t)uap->fstype; 1597 flags = (uint32_t)uap->flags; 1598 dataptr = (uintptr_t)uap->dataptr; 1599 1600 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1601 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1602 goto mount_free_fstype; 1603 1604 au_uwrite(au_to_arg32(3, "flags", flags)); 1605 au_uwrite(au_to_text(fstype)); 1606 1607 if (strncmp(fstype, "nfs", 3) == 0) { 1608 1609 STRUCT_INIT(nfsargs, get_udatamodel()); 1610 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1611 1612 if (copyin((caddr_t)dataptr, 1613 STRUCT_BUF(nfsargs), 1614 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1615 /* DEBUG debug_enter((char *)NULL); */ 1616 goto mount_free_fstype; 1617 } 1618 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1619 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1620 (caddr_t)hostname, 1621 MAXNAMELEN, &len)) { 1622 goto mount_free_hostname; 1623 } 1624 au_uwrite(au_to_text(hostname)); 1625 au_uwrite(au_to_arg32(3, "internal flags", 1626 (uint_t)STRUCT_FGET(nfsargs, flags))); 1627 1628 mount_free_hostname: 1629 kmem_free(hostname, MAXNAMELEN); 1630 } 1631 1632 mount_free_fstype: 1633 kmem_free(fstype, MAXNAMELEN); 1634 } /* AUS_MOUNT */ 1635 1636 static void 1637 aus_umount_path(caddr_t umount_dir) 1638 { 1639 char *dir_path; 1640 struct audit_path *path; 1641 size_t path_len, dir_len; 1642 1643 /* length alloc'd for two string pointers */ 1644 path_len = sizeof (struct audit_path) + sizeof (char *); 1645 path = kmem_alloc(path_len, KM_SLEEP); 1646 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1647 1648 if (copyinstr(umount_dir, (caddr_t)dir_path, 1649 MAXPATHLEN, &dir_len)) 1650 goto umount2_free_dir; 1651 1652 /* 1653 * the audit_path struct assumes that the buffer pointed to 1654 * by audp_sect[n] contains string 0 immediatedly followed 1655 * by string 1. 1656 */ 1657 path->audp_sect[0] = dir_path; 1658 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1659 path->audp_size = path_len; 1660 path->audp_ref = 1; /* not used */ 1661 path->audp_cnt = 1; /* one path string */ 1662 1663 au_uwrite(au_to_path(path)); 1664 1665 umount2_free_dir: 1666 kmem_free(dir_path, MAXPATHLEN); 1667 kmem_free(path, path_len); 1668 } 1669 1670 /* 1671 * the umount syscall is implemented as a call to umount2, but the args 1672 * are different... 1673 */ 1674 1675 /*ARGSUSED*/ 1676 static void 1677 aus_umount(struct t_audit_data *tad) 1678 { 1679 klwp_t *clwp = ttolwp(curthread); 1680 struct a { 1681 long dir; /* char * */ 1682 } *uap = (struct a *)clwp->lwp_ap; 1683 1684 aus_umount_path((caddr_t)uap->dir); 1685 } 1686 1687 /*ARGSUSED*/ 1688 static void 1689 aus_umount2(struct t_audit_data *tad) 1690 { 1691 klwp_t *clwp = ttolwp(curthread); 1692 struct a { 1693 long dir; /* char * */ 1694 long flags; 1695 } *uap = (struct a *)clwp->lwp_ap; 1696 1697 aus_umount_path((caddr_t)uap->dir); 1698 1699 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1700 } 1701 1702 static void 1703 aus_msgsys(struct t_audit_data *tad) 1704 { 1705 klwp_t *clwp = ttolwp(curthread); 1706 uint32_t msgid; 1707 1708 struct b { 1709 long msgid; 1710 long cmd; 1711 long buf; /* struct msqid_ds * */ 1712 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1713 1714 msgid = (uint32_t)uap1->msgid; 1715 1716 1717 switch (tad->tad_event) { 1718 case AUE_MSGGET: /* msgget */ 1719 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1720 break; 1721 case AUE_MSGCTL: /* msgctl */ 1722 case AUE_MSGCTL_RMID: /* msgctl */ 1723 case AUE_MSGCTL_STAT: /* msgctl */ 1724 case AUE_MSGRCV: /* msgrcv */ 1725 case AUE_MSGSND: /* msgsnd */ 1726 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1727 break; 1728 case AUE_MSGCTL_SET: /* msgctl */ 1729 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1730 break; 1731 } 1732 } 1733 1734 /*ARGSUSED*/ 1735 static void 1736 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1737 { 1738 int id; 1739 1740 if (error != 0) 1741 return; 1742 if (tad->tad_event == AUE_MSGGET) { 1743 uint32_t scid; 1744 uint32_t sy_flags; 1745 1746 /* need to determine type of executing binary */ 1747 scid = tad->tad_scid; 1748 #ifdef _SYSCALL32_IMPL 1749 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1750 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1751 else 1752 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1753 #else 1754 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1755 #endif 1756 if (sy_flags == SE_32RVAL1) 1757 id = rval->r_val1; 1758 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1759 id = rval->r_val1; 1760 if (sy_flags == SE_64RVAL) 1761 id = (int)rval->r_vals; 1762 1763 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1764 } 1765 } 1766 1767 static void 1768 aus_semsys(struct t_audit_data *tad) 1769 { 1770 klwp_t *clwp = ttolwp(curthread); 1771 uint32_t semid; 1772 1773 struct b { /* ctrl */ 1774 long semid; 1775 long semnum; 1776 long cmd; 1777 long arg; 1778 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1779 1780 semid = (uint32_t)uap1->semid; 1781 1782 switch (tad->tad_event) { 1783 case AUE_SEMCTL_RMID: 1784 case AUE_SEMCTL_STAT: 1785 case AUE_SEMCTL_GETNCNT: 1786 case AUE_SEMCTL_GETPID: 1787 case AUE_SEMCTL_GETVAL: 1788 case AUE_SEMCTL_GETALL: 1789 case AUE_SEMCTL_GETZCNT: 1790 case AUE_SEMCTL_SETVAL: 1791 case AUE_SEMCTL_SETALL: 1792 case AUE_SEMCTL: 1793 case AUE_SEMOP: 1794 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1795 break; 1796 case AUE_SEMCTL_SET: 1797 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1798 break; 1799 case AUE_SEMGET: 1800 au_uwrite(au_to_arg32(1, "sem key", semid)); 1801 break; 1802 } 1803 } 1804 1805 /*ARGSUSED*/ 1806 static void 1807 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1808 { 1809 int id; 1810 1811 if (error != 0) 1812 return; 1813 if (tad->tad_event == AUE_SEMGET) { 1814 uint32_t scid; 1815 uint32_t sy_flags; 1816 1817 /* need to determine type of executing binary */ 1818 scid = tad->tad_scid; 1819 #ifdef _SYSCALL32_IMPL 1820 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1821 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1822 else 1823 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1824 #else 1825 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1826 #endif 1827 if (sy_flags == SE_32RVAL1) 1828 id = rval->r_val1; 1829 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1830 id = rval->r_val1; 1831 if (sy_flags == SE_64RVAL) 1832 id = (int)rval->r_vals; 1833 1834 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1835 } 1836 } 1837 1838 /*ARGSUSED*/ 1839 static void 1840 aus_close(struct t_audit_data *tad) 1841 { 1842 klwp_t *clwp = ttolwp(curthread); 1843 uint32_t fd; 1844 struct file *fp; 1845 struct f_audit_data *fad; 1846 struct vnode *vp; 1847 struct vattr attr; 1848 au_kcontext_t *kctx = GET_KCTX_PZ; 1849 1850 struct a { 1851 long i; 1852 } *uap = (struct a *)clwp->lwp_ap; 1853 1854 fd = (uint32_t)uap->i; 1855 1856 attr.va_mask = 0; 1857 au_uwrite(au_to_arg32(1, "fd", fd)); 1858 1859 /* 1860 * convert file pointer to file descriptor 1861 * Note: fd ref count incremented here. 1862 */ 1863 if ((fp = getf(fd)) == NULL) 1864 return; 1865 1866 fad = F2A(fp); 1867 tad->tad_evmod = (short)fad->fad_flags; 1868 if (fad->fad_aupath != NULL) { 1869 au_uwrite(au_to_path(fad->fad_aupath)); 1870 if ((vp = fp->f_vnode) != NULL) { 1871 attr.va_mask = AT_ALL; 1872 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1873 /* 1874 * When write was not used and the file can be 1875 * considered public, skip the audit. 1876 */ 1877 if (((fp->f_flag & FWRITE) == 0) && 1878 file_is_public(&attr)) { 1879 tad->tad_flag = 0; 1880 tad->tad_evmod = 0; 1881 /* free any residual audit data */ 1882 au_close(kctx, &(u_ad), 0, 0, 0); 1883 releasef(fd); 1884 return; 1885 } 1886 au_uwrite(au_to_attr(&attr)); 1887 audit_sec_attributes(&(u_ad), vp); 1888 } 1889 } 1890 } 1891 1892 /* decrement file descriptor reference count */ 1893 releasef(fd); 1894 } 1895 1896 /*ARGSUSED*/ 1897 static void 1898 aus_fstatfs(struct t_audit_data *tad) 1899 { 1900 klwp_t *clwp = ttolwp(curthread); 1901 uint32_t fd; 1902 struct file *fp; 1903 struct vnode *vp; 1904 struct f_audit_data *fad; 1905 1906 struct a { 1907 long fd; 1908 long buf; /* struct statfs * */ 1909 } *uap = (struct a *)clwp->lwp_ap; 1910 1911 fd = (uint_t)uap->fd; 1912 1913 /* 1914 * convert file pointer to file descriptor 1915 * Note: fd ref count incremented here. 1916 */ 1917 if ((fp = getf(fd)) == NULL) 1918 return; 1919 1920 /* get path from file struct here */ 1921 fad = F2A(fp); 1922 if (fad->fad_aupath != NULL) { 1923 au_uwrite(au_to_path(fad->fad_aupath)); 1924 } else { 1925 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1926 } 1927 1928 vp = fp->f_vnode; 1929 audit_attributes(vp); 1930 1931 /* decrement file descriptor reference count */ 1932 releasef(fd); 1933 } 1934 1935 #ifdef NOTYET 1936 /*ARGSUSED*/ 1937 static void 1938 aus_setpgrp(struct t_audit_data *tad) 1939 { 1940 klwp_t *clwp = ttolwp(curthread); 1941 uint32_t pgrp; 1942 struct proc *p; 1943 uid_t uid, ruid; 1944 gid_t gid, rgid; 1945 pid_t pid; 1946 const auditinfo_addr_t *ainfo; 1947 cred_t *cr; 1948 1949 struct a { 1950 long pid; 1951 long pgrp; 1952 } *uap = (struct a *)clwp->lwp_ap; 1953 1954 pid = (pid_t)uap->pid; 1955 pgrp = (uint32_t)uap->pgrp; 1956 1957 /* current process? */ 1958 if (pid == 0) 1959 (return); 1960 1961 mutex_enter(&pidlock); 1962 p = prfind(pid); 1963 if (p == NULL || p->p_as == &kas) { 1964 mutex_exit(&pidlock); 1965 return; 1966 } 1967 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1968 mutex_exit(&pidlock); 1969 1970 mutex_enter(&p->p_crlock); 1971 crhold(cr = p->p_cred); 1972 mutex_exit(&p->p_crlock); 1973 mutex_exit(&p->p_lock); 1974 1975 ainfo = crgetauinfo(cr); 1976 if (ainfo == NULL) { 1977 crfree(cr); 1978 return; 1979 } 1980 1981 uid = crgetuid(cr); 1982 gid = crgetgid(cr); 1983 ruid = crgetruid(cr); 1984 rgid = crgetrgid(cr); 1985 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1986 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1987 crfree(cr); 1988 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1989 } 1990 #endif 1991 1992 /*ARGSUSED*/ 1993 static void 1994 aus_setregid(struct t_audit_data *tad) 1995 { 1996 klwp_t *clwp = ttolwp(curthread); 1997 uint32_t rgid, egid; 1998 1999 struct a { 2000 long rgid; 2001 long egid; 2002 } *uap = (struct a *)clwp->lwp_ap; 2003 2004 rgid = (uint32_t)uap->rgid; 2005 egid = (uint32_t)uap->egid; 2006 2007 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2008 au_uwrite(au_to_arg32(2, "egid", egid)); 2009 } 2010 2011 /*ARGSUSED*/ 2012 static void 2013 aus_setgid(struct t_audit_data *tad) 2014 { 2015 klwp_t *clwp = ttolwp(curthread); 2016 uint32_t gid; 2017 2018 struct a { 2019 long gid; 2020 } *uap = (struct a *)clwp->lwp_ap; 2021 2022 gid = (uint32_t)uap->gid; 2023 2024 au_uwrite(au_to_arg32(1, "gid", gid)); 2025 } 2026 2027 2028 /*ARGSUSED*/ 2029 static void 2030 aus_setreuid(struct t_audit_data *tad) 2031 { 2032 klwp_t *clwp = ttolwp(curthread); 2033 uint32_t ruid, euid; 2034 2035 struct a { 2036 long ruid; 2037 long euid; 2038 } *uap = (struct a *)clwp->lwp_ap; 2039 2040 ruid = (uint32_t)uap->ruid; 2041 euid = (uint32_t)uap->euid; 2042 2043 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2044 au_uwrite(au_to_arg32(2, "euid", euid)); 2045 } 2046 2047 2048 /*ARGSUSED*/ 2049 static void 2050 aus_setuid(struct t_audit_data *tad) 2051 { 2052 klwp_t *clwp = ttolwp(curthread); 2053 uint32_t uid; 2054 2055 struct a { 2056 long uid; 2057 } *uap = (struct a *)clwp->lwp_ap; 2058 2059 uid = (uint32_t)uap->uid; 2060 2061 au_uwrite(au_to_arg32(1, "uid", uid)); 2062 } 2063 2064 /*ARGSUSED*/ 2065 static void 2066 aus_shmsys(struct t_audit_data *tad) 2067 { 2068 klwp_t *clwp = ttolwp(curthread); 2069 uint32_t id, cmd; 2070 2071 struct b { 2072 long id; 2073 long cmd; 2074 long buf; /* struct shmid_ds * */ 2075 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2076 2077 id = (uint32_t)uap1->id; 2078 cmd = (uint32_t)uap1->cmd; 2079 2080 switch (tad->tad_event) { 2081 case AUE_SHMGET: /* shmget */ 2082 au_uwrite(au_to_arg32(1, "shm key", id)); 2083 break; 2084 case AUE_SHMCTL: /* shmctl */ 2085 case AUE_SHMCTL_RMID: /* shmctl */ 2086 case AUE_SHMCTL_STAT: /* shmctl */ 2087 case AUE_SHMCTL_SET: /* shmctl */ 2088 au_uwrite(au_to_arg32(1, "shm ID", id)); 2089 break; 2090 case AUE_SHMDT: /* shmdt */ 2091 au_uwrite(au_to_arg32(1, "shm adr", id)); 2092 break; 2093 case AUE_SHMAT: /* shmat */ 2094 au_uwrite(au_to_arg32(1, "shm ID", id)); 2095 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2096 break; 2097 } 2098 } 2099 2100 /*ARGSUSED*/ 2101 static void 2102 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2103 { 2104 int id; 2105 2106 if (error != 0) 2107 return; 2108 if (tad->tad_event == AUE_SHMGET) { 2109 uint32_t scid; 2110 uint32_t sy_flags; 2111 2112 /* need to determine type of executing binary */ 2113 scid = tad->tad_scid; 2114 #ifdef _SYSCALL32_IMPL 2115 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2116 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2117 else 2118 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2119 #else 2120 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2121 #endif 2122 if (sy_flags == SE_32RVAL1) 2123 id = rval->r_val1; 2124 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2125 id = rval->r_val1; 2126 if (sy_flags == SE_64RVAL) 2127 id = (int)rval->r_vals; 2128 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2129 } 2130 } 2131 2132 2133 /*ARGSUSED*/ 2134 static void 2135 aus_ioctl(struct t_audit_data *tad) 2136 { 2137 klwp_t *clwp = ttolwp(curthread); 2138 struct file *fp; 2139 struct vnode *vp; 2140 struct f_audit_data *fad; 2141 uint32_t fd, cmd; 2142 uintptr_t cmarg; 2143 2144 /* XX64 */ 2145 struct a { 2146 long fd; 2147 long cmd; 2148 long cmarg; /* caddr_t */ 2149 } *uap = (struct a *)clwp->lwp_ap; 2150 2151 fd = (uint32_t)uap->fd; 2152 cmd = (uint32_t)uap->cmd; 2153 cmarg = (uintptr_t)uap->cmarg; 2154 2155 /* 2156 * convert file pointer to file descriptor 2157 * Note: fd ref count incremented here. 2158 */ 2159 if ((fp = getf(fd)) == NULL) { 2160 au_uwrite(au_to_arg32(1, "fd", fd)); 2161 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2162 #ifndef _LP64 2163 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2164 #else 2165 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2166 #endif 2167 return; 2168 } 2169 2170 /* get path from file struct here */ 2171 fad = F2A(fp); 2172 if (fad->fad_aupath != NULL) { 2173 au_uwrite(au_to_path(fad->fad_aupath)); 2174 } else { 2175 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2176 } 2177 2178 vp = fp->f_vnode; 2179 audit_attributes(vp); 2180 2181 /* decrement file descriptor reference count */ 2182 releasef(fd); 2183 2184 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2185 #ifndef _LP64 2186 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2187 #else 2188 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2189 #endif 2190 } 2191 2192 /* 2193 * null function for memcntl for now. We might want to limit memcntl() 2194 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2195 * require privileges. 2196 */ 2197 static au_event_t 2198 aui_memcntl(au_event_t e) 2199 { 2200 return (e); 2201 } 2202 2203 /*ARGSUSED*/ 2204 static au_event_t 2205 aui_privsys(au_event_t e) 2206 { 2207 klwp_t *clwp = ttolwp(curthread); 2208 2209 struct a { 2210 long opcode; 2211 } *uap = (struct a *)clwp->lwp_ap; 2212 2213 switch (uap->opcode) { 2214 case PRIVSYS_SETPPRIV: 2215 return (AUE_SETPPRIV); 2216 default: 2217 return (AUE_NULL); 2218 } 2219 } 2220 2221 /*ARGSUSED*/ 2222 static void 2223 aus_memcntl(struct t_audit_data *tad) 2224 { 2225 klwp_t *clwp = ttolwp(curthread); 2226 2227 struct a { 2228 long addr; 2229 long len; 2230 long cmd; 2231 long arg; 2232 long attr; 2233 long mask; 2234 } *uap = (struct a *)clwp->lwp_ap; 2235 2236 #ifdef _LP64 2237 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2238 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2239 #else 2240 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2241 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2242 #endif 2243 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2244 #ifdef _LP64 2245 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2246 #else 2247 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2248 #endif 2249 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2250 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2251 } 2252 2253 /*ARGSUSED*/ 2254 static void 2255 aus_mmap(struct t_audit_data *tad) 2256 { 2257 klwp_t *clwp = ttolwp(curthread); 2258 struct file *fp; 2259 struct f_audit_data *fad; 2260 struct vnode *vp; 2261 uint32_t fd; 2262 2263 struct a { 2264 long addr; 2265 long len; 2266 long prot; 2267 long flags; 2268 long fd; 2269 long pos; 2270 } *uap = (struct a *)clwp->lwp_ap; 2271 2272 fd = (uint32_t)uap->fd; 2273 2274 #ifdef _LP64 2275 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2276 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2277 #else 2278 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2279 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2280 #endif 2281 2282 if ((fp = getf(fd)) == NULL) { 2283 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2284 return; 2285 } 2286 2287 /* 2288 * Mark in the tad if write access is NOT requested... if 2289 * this is later detected (in audit_attributes) to be a 2290 * public object, the mmap event may be discarded. 2291 */ 2292 if (((uap->prot) & PROT_WRITE) == 0) { 2293 tad->tad_ctrl |= PAD_PUBLIC_EV; 2294 } 2295 2296 fad = F2A(fp); 2297 if (fad->fad_aupath != NULL) { 2298 au_uwrite(au_to_path(fad->fad_aupath)); 2299 } else { 2300 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2301 } 2302 2303 vp = (struct vnode *)fp->f_vnode; 2304 audit_attributes(vp); 2305 2306 /* mark READ/WRITE since we can't predict access */ 2307 if (uap->prot & PROT_READ) 2308 fad->fad_flags |= FAD_READ; 2309 if (uap->prot & PROT_WRITE) 2310 fad->fad_flags |= FAD_WRITE; 2311 2312 /* decrement file descriptor reference count */ 2313 releasef(fd); 2314 2315 } /* AUS_MMAP */ 2316 2317 2318 2319 2320 /*ARGSUSED*/ 2321 static void 2322 aus_munmap(struct t_audit_data *tad) 2323 { 2324 klwp_t *clwp = ttolwp(curthread); 2325 2326 struct a { 2327 long addr; 2328 long len; 2329 } *uap = (struct a *)clwp->lwp_ap; 2330 2331 #ifdef _LP64 2332 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2333 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2334 #else 2335 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2336 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2337 #endif 2338 2339 } /* AUS_MUNMAP */ 2340 2341 2342 2343 2344 2345 2346 2347 /*ARGSUSED*/ 2348 static void 2349 aus_priocntlsys(struct t_audit_data *tad) 2350 { 2351 klwp_t *clwp = ttolwp(curthread); 2352 2353 struct a { 2354 long pc_version; 2355 long psp; /* procset_t */ 2356 long cmd; 2357 long arg; 2358 } *uap = (struct a *)clwp->lwp_ap; 2359 2360 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2361 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2362 2363 } /* AUS_PRIOCNTLSYS */ 2364 2365 2366 /*ARGSUSED*/ 2367 static void 2368 aus_setegid(struct t_audit_data *tad) 2369 { 2370 klwp_t *clwp = ttolwp(curthread); 2371 uint32_t gid; 2372 2373 struct a { 2374 long gid; 2375 } *uap = (struct a *)clwp->lwp_ap; 2376 2377 gid = (uint32_t)uap->gid; 2378 2379 au_uwrite(au_to_arg32(1, "gid", gid)); 2380 } /* AUS_SETEGID */ 2381 2382 2383 2384 2385 /*ARGSUSED*/ 2386 static void 2387 aus_setgroups(struct t_audit_data *tad) 2388 { 2389 klwp_t *clwp = ttolwp(curthread); 2390 int i; 2391 int gidsetsize; 2392 uintptr_t gidset; 2393 gid_t *gidlist; 2394 2395 struct a { 2396 long gidsetsize; 2397 long gidset; 2398 } *uap = (struct a *)clwp->lwp_ap; 2399 2400 gidsetsize = (uint_t)uap->gidsetsize; 2401 gidset = (uintptr_t)uap->gidset; 2402 2403 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2404 return; 2405 if (gidsetsize != 0) { 2406 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2407 KM_SLEEP); 2408 if (copyin((caddr_t)gidset, gidlist, 2409 gidsetsize * sizeof (gid_t)) == 0) 2410 for (i = 0; i < gidsetsize; i++) 2411 au_uwrite(au_to_arg32(1, "setgroups", 2412 (uint32_t)gidlist[i])); 2413 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2414 } else 2415 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2416 2417 } /* AUS_SETGROUPS */ 2418 2419 2420 2421 2422 2423 /*ARGSUSED*/ 2424 static void 2425 aus_seteuid(struct t_audit_data *tad) 2426 { 2427 klwp_t *clwp = ttolwp(curthread); 2428 uint32_t uid; 2429 2430 struct a { 2431 long uid; 2432 } *uap = (struct a *)clwp->lwp_ap; 2433 2434 uid = (uint32_t)uap->uid; 2435 2436 au_uwrite(au_to_arg32(1, "euid", uid)); 2437 2438 } /* AUS_SETEUID */ 2439 2440 /*ARGSUSED*/ 2441 static void 2442 aus_putmsg(struct t_audit_data *tad) 2443 { 2444 klwp_t *clwp = ttolwp(curthread); 2445 uint32_t fd, pri; 2446 struct file *fp; 2447 struct f_audit_data *fad; 2448 2449 struct a { 2450 long fdes; 2451 long ctl; /* struct strbuf * */ 2452 long data; /* struct strbuf * */ 2453 long pri; 2454 } *uap = (struct a *)clwp->lwp_ap; 2455 2456 fd = (uint32_t)uap->fdes; 2457 pri = (uint32_t)uap->pri; 2458 2459 au_uwrite(au_to_arg32(1, "fd", fd)); 2460 2461 if ((fp = getf(fd)) != NULL) { 2462 fad = F2A(fp); 2463 2464 fad->fad_flags |= FAD_WRITE; 2465 2466 /* add path name to audit record */ 2467 if (fad->fad_aupath != NULL) { 2468 au_uwrite(au_to_path(fad->fad_aupath)); 2469 } 2470 audit_attributes(fp->f_vnode); 2471 2472 releasef(fd); 2473 } 2474 2475 au_uwrite(au_to_arg32(4, "pri", pri)); 2476 } 2477 2478 /*ARGSUSED*/ 2479 static void 2480 aus_putpmsg(struct t_audit_data *tad) 2481 { 2482 klwp_t *clwp = ttolwp(curthread); 2483 uint32_t fd, pri, flags; 2484 struct file *fp; 2485 struct f_audit_data *fad; 2486 2487 struct a { 2488 long fdes; 2489 long ctl; /* struct strbuf * */ 2490 long data; /* struct strbuf * */ 2491 long pri; 2492 long flags; 2493 } *uap = (struct a *)clwp->lwp_ap; 2494 2495 fd = (uint32_t)uap->fdes; 2496 pri = (uint32_t)uap->pri; 2497 flags = (uint32_t)uap->flags; 2498 2499 au_uwrite(au_to_arg32(1, "fd", fd)); 2500 2501 if ((fp = getf(fd)) != NULL) { 2502 fad = F2A(fp); 2503 2504 fad->fad_flags |= FAD_WRITE; 2505 2506 /* add path name to audit record */ 2507 if (fad->fad_aupath != NULL) { 2508 au_uwrite(au_to_path(fad->fad_aupath)); 2509 } 2510 audit_attributes(fp->f_vnode); 2511 2512 releasef(fd); 2513 } 2514 2515 2516 au_uwrite(au_to_arg32(4, "pri", pri)); 2517 au_uwrite(au_to_arg32(5, "flags", flags)); 2518 } 2519 2520 /*ARGSUSED*/ 2521 static void 2522 aus_getmsg(struct t_audit_data *tad) 2523 { 2524 klwp_t *clwp = ttolwp(curthread); 2525 uint32_t fd, pri; 2526 struct file *fp; 2527 struct f_audit_data *fad; 2528 2529 struct a { 2530 long fdes; 2531 long ctl; /* struct strbuf * */ 2532 long data; /* struct strbuf * */ 2533 long pri; 2534 } *uap = (struct a *)clwp->lwp_ap; 2535 2536 fd = (uint32_t)uap->fdes; 2537 pri = (uint32_t)uap->pri; 2538 2539 au_uwrite(au_to_arg32(1, "fd", fd)); 2540 2541 if ((fp = getf(fd)) != NULL) { 2542 fad = F2A(fp); 2543 2544 /* 2545 * read operation on this object 2546 */ 2547 fad->fad_flags |= FAD_READ; 2548 2549 /* add path name to audit record */ 2550 if (fad->fad_aupath != NULL) { 2551 au_uwrite(au_to_path(fad->fad_aupath)); 2552 } 2553 audit_attributes(fp->f_vnode); 2554 2555 releasef(fd); 2556 } 2557 2558 au_uwrite(au_to_arg32(4, "pri", pri)); 2559 } 2560 2561 /*ARGSUSED*/ 2562 static void 2563 aus_getpmsg(struct t_audit_data *tad) 2564 { 2565 klwp_t *clwp = ttolwp(curthread); 2566 uint32_t fd; 2567 struct file *fp; 2568 struct f_audit_data *fad; 2569 2570 struct a { 2571 long fdes; 2572 long ctl; /* struct strbuf * */ 2573 long data; /* struct strbuf * */ 2574 long pri; 2575 long flags; 2576 } *uap = (struct a *)clwp->lwp_ap; 2577 2578 fd = (uint32_t)uap->fdes; 2579 2580 au_uwrite(au_to_arg32(1, "fd", fd)); 2581 2582 if ((fp = getf(fd)) != NULL) { 2583 fad = F2A(fp); 2584 2585 /* 2586 * read operation on this object 2587 */ 2588 fad->fad_flags |= FAD_READ; 2589 2590 /* add path name to audit record */ 2591 if (fad->fad_aupath != NULL) { 2592 au_uwrite(au_to_path(fad->fad_aupath)); 2593 } 2594 audit_attributes(fp->f_vnode); 2595 2596 releasef(fd); 2597 } 2598 } 2599 2600 static au_event_t 2601 aui_auditsys(au_event_t e) 2602 { 2603 klwp_t *clwp = ttolwp(curthread); 2604 uint32_t code; 2605 2606 struct a { 2607 long code; 2608 long a1; 2609 long a2; 2610 long a3; 2611 long a4; 2612 long a5; 2613 long a6; 2614 long a7; 2615 } *uap = (struct a *)clwp->lwp_ap; 2616 2617 code = (uint32_t)uap->code; 2618 2619 switch (code) { 2620 2621 case BSM_GETAUID: 2622 e = AUE_GETAUID; 2623 break; 2624 case BSM_SETAUID: 2625 e = AUE_SETAUID; 2626 break; 2627 case BSM_GETAUDIT: 2628 e = AUE_GETAUDIT; 2629 break; 2630 case BSM_GETAUDIT_ADDR: 2631 e = AUE_GETAUDIT_ADDR; 2632 break; 2633 case BSM_SETAUDIT: 2634 e = AUE_SETAUDIT; 2635 break; 2636 case BSM_SETAUDIT_ADDR: 2637 e = AUE_SETAUDIT_ADDR; 2638 break; 2639 case BSM_AUDIT: 2640 e = AUE_AUDIT; 2641 break; 2642 case BSM_AUDITSVC: 2643 e = AUE_AUDITSVC; 2644 break; 2645 case BSM_GETPORTAUDIT: 2646 e = AUE_GETPORTAUDIT; 2647 break; 2648 case BSM_AUDITON: 2649 case BSM_AUDITCTL: 2650 2651 switch ((uint_t)uap->a1) { 2652 2653 case A_GETPOLICY: 2654 e = AUE_AUDITON_GPOLICY; 2655 break; 2656 case A_SETPOLICY: 2657 e = AUE_AUDITON_SPOLICY; 2658 break; 2659 case A_GETKMASK: 2660 e = AUE_AUDITON_GETKMASK; 2661 break; 2662 case A_SETKMASK: 2663 e = AUE_AUDITON_SETKMASK; 2664 break; 2665 case A_GETQCTRL: 2666 e = AUE_AUDITON_GQCTRL; 2667 break; 2668 case A_SETQCTRL: 2669 e = AUE_AUDITON_SQCTRL; 2670 break; 2671 case A_GETCWD: 2672 e = AUE_AUDITON_GETCWD; 2673 break; 2674 case A_GETCAR: 2675 e = AUE_AUDITON_GETCAR; 2676 break; 2677 case A_GETSTAT: 2678 e = AUE_AUDITON_GETSTAT; 2679 break; 2680 case A_SETSTAT: 2681 e = AUE_AUDITON_SETSTAT; 2682 break; 2683 case A_SETUMASK: 2684 e = AUE_AUDITON_SETUMASK; 2685 break; 2686 case A_SETSMASK: 2687 e = AUE_AUDITON_SETSMASK; 2688 break; 2689 case A_GETCOND: 2690 e = AUE_AUDITON_GETCOND; 2691 break; 2692 case A_SETCOND: 2693 e = AUE_AUDITON_SETCOND; 2694 break; 2695 case A_GETCLASS: 2696 e = AUE_AUDITON_GETCLASS; 2697 break; 2698 case A_SETCLASS: 2699 e = AUE_AUDITON_SETCLASS; 2700 break; 2701 default: 2702 e = AUE_NULL; 2703 break; 2704 } 2705 break; 2706 default: 2707 e = AUE_NULL; 2708 break; 2709 } 2710 2711 return (e); 2712 2713 2714 2715 2716 } /* AUI_AUDITSYS */ 2717 2718 2719 2720 2721 2722 2723 2724 static void 2725 aus_auditsys(struct t_audit_data *tad) 2726 { 2727 klwp_t *clwp = ttolwp(curthread); 2728 uintptr_t a1, a2; 2729 struct file *fp; 2730 struct f_audit_data *fad; 2731 struct vnode *vp; 2732 STRUCT_DECL(auditinfo, ainfo); 2733 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2734 au_evclass_map_t event; 2735 au_mask_t mask; 2736 int auditstate, policy; 2737 au_id_t auid; 2738 2739 2740 struct a { 2741 long code; 2742 long a1; 2743 long a2; 2744 long a3; 2745 long a4; 2746 long a5; 2747 long a6; 2748 long a7; 2749 } *uap = (struct a *)clwp->lwp_ap; 2750 2751 a1 = (uintptr_t)uap->a1; 2752 a2 = (uintptr_t)uap->a2; 2753 2754 switch (tad->tad_event) { 2755 case AUE_SETAUID: 2756 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2757 return; 2758 au_uwrite(au_to_arg32(2, "setauid", auid)); 2759 break; 2760 case AUE_SETAUDIT: 2761 STRUCT_INIT(ainfo, get_udatamodel()); 2762 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2763 STRUCT_SIZE(ainfo))) { 2764 return; 2765 } 2766 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2767 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2768 #ifdef _LP64 2769 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2770 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2771 #else 2772 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2773 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2774 #endif 2775 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2776 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2777 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2778 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2779 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2780 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2781 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2782 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2783 break; 2784 case AUE_SETAUDIT_ADDR: 2785 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2786 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2787 STRUCT_SIZE(ainfo_addr))) { 2788 return; 2789 } 2790 au_uwrite(au_to_arg32((char)1, "auid", 2791 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2792 #ifdef _LP64 2793 au_uwrite(au_to_arg64((char)1, "port", 2794 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2795 #else 2796 au_uwrite(au_to_arg32((char)1, "port", 2797 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2798 #endif 2799 au_uwrite(au_to_arg32((char)1, "type", 2800 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2801 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2802 AU_IPv4) { 2803 au_uwrite(au_to_in_addr( 2804 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2805 ai_termid.at_addr))); 2806 } else { 2807 au_uwrite(au_to_in_addr_ex( 2808 (int32_t *)STRUCT_FGETP(ainfo_addr, 2809 ai_termid.at_addr))); 2810 } 2811 au_uwrite(au_to_arg32((char)1, "as_success", 2812 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2813 au_uwrite(au_to_arg32((char)1, "as_failure", 2814 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2815 au_uwrite(au_to_arg32((char)1, "asid", 2816 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2817 break; 2818 case AUE_AUDITSVC: 2819 /* 2820 * convert file pointer to file descriptor 2821 * Note: fd ref count incremented here 2822 */ 2823 if ((fp = getf((uint_t)a1)) == NULL) 2824 return; 2825 fad = F2A(fp); 2826 if (fad->fad_aupath != NULL) { 2827 au_uwrite(au_to_path(fad->fad_aupath)); 2828 } else { 2829 au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1)); 2830 } 2831 2832 vp = fp->f_vnode; /* include vnode attributes */ 2833 audit_attributes(vp); 2834 2835 /* decrement file descriptor ref count */ 2836 releasef((uint_t)a1); 2837 2838 au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2)); 2839 break; 2840 case AUE_AUDITON_SETKMASK: 2841 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2842 return; 2843 au_uwrite(au_to_arg32( 2844 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2845 au_uwrite(au_to_arg32( 2846 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2847 break; 2848 case AUE_AUDITON_SPOLICY: 2849 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2850 return; 2851 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2852 break; 2853 case AUE_AUDITON_SQCTRL: { 2854 STRUCT_DECL(au_qctrl, qctrl); 2855 model_t model; 2856 2857 model = get_udatamodel(); 2858 STRUCT_INIT(qctrl, model); 2859 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2860 return; 2861 if (model == DATAMODEL_ILP32) { 2862 au_uwrite(au_to_arg32( 2863 3, "setqctrl:aq_hiwater", 2864 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2865 au_uwrite(au_to_arg32( 2866 3, "setqctrl:aq_lowater", 2867 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2868 au_uwrite(au_to_arg32( 2869 3, "setqctrl:aq_bufsz", 2870 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2871 au_uwrite(au_to_arg32( 2872 3, "setqctrl:aq_delay", 2873 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2874 } else { 2875 au_uwrite(au_to_arg64( 2876 3, "setqctrl:aq_hiwater", 2877 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2878 au_uwrite(au_to_arg64( 2879 3, "setqctrl:aq_lowater", 2880 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2881 au_uwrite(au_to_arg64( 2882 3, "setqctrl:aq_bufsz", 2883 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2884 au_uwrite(au_to_arg64( 2885 3, "setqctrl:aq_delay", 2886 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2887 } 2888 break; 2889 } 2890 case AUE_AUDITON_SETUMASK: 2891 STRUCT_INIT(ainfo, get_udatamodel()); 2892 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2893 STRUCT_SIZE(ainfo))) { 2894 return; 2895 } 2896 au_uwrite(au_to_arg32(3, "setumask:as_success", 2897 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2898 au_uwrite(au_to_arg32(3, "setumask:as_failure", 2899 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2900 break; 2901 case AUE_AUDITON_SETSMASK: 2902 STRUCT_INIT(ainfo, get_udatamodel()); 2903 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2904 STRUCT_SIZE(ainfo))) { 2905 return; 2906 } 2907 au_uwrite(au_to_arg32(3, "setsmask:as_success", 2908 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2909 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 2910 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2911 break; 2912 case AUE_AUDITON_SETCOND: 2913 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 2914 return; 2915 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 2916 break; 2917 case AUE_AUDITON_SETCLASS: 2918 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 2919 return; 2920 au_uwrite(au_to_arg32( 2921 2, "setclass:ec_event", (uint32_t)event.ec_number)); 2922 au_uwrite(au_to_arg32( 2923 3, "setclass:ec_class", (uint32_t)event.ec_class)); 2924 break; 2925 case AUE_GETAUID: 2926 case AUE_GETAUDIT: 2927 case AUE_GETAUDIT_ADDR: 2928 case AUE_AUDIT: 2929 case AUE_GETPORTAUDIT: 2930 case AUE_AUDITON_GPOLICY: 2931 case AUE_AUDITON_GQCTRL: 2932 case AUE_AUDITON_GETKMASK: 2933 case AUE_AUDITON_GETCWD: 2934 case AUE_AUDITON_GETCAR: 2935 case AUE_AUDITON_GETSTAT: 2936 case AUE_AUDITON_SETSTAT: 2937 case AUE_AUDITON_GETCOND: 2938 case AUE_AUDITON_GETCLASS: 2939 break; 2940 default: 2941 break; 2942 } 2943 2944 } /* AUS_AUDITSYS */ 2945 2946 2947 /* only audit privileged operations for systeminfo(2) system call */ 2948 static au_event_t 2949 aui_sysinfo(au_event_t e) 2950 { 2951 klwp_t *clwp = ttolwp(curthread); 2952 uint32_t command; 2953 2954 struct a { 2955 long command; 2956 long buf; /* char * */ 2957 long count; 2958 } *uap = (struct a *)clwp->lwp_ap; 2959 2960 command = (uint32_t)uap->command; 2961 2962 switch (command) { 2963 case SI_SET_HOSTNAME: 2964 case SI_SET_SRPC_DOMAIN: 2965 e = (au_event_t)AUE_SYSINFO; 2966 break; 2967 default: 2968 e = (au_event_t)AUE_NULL; 2969 break; 2970 } 2971 return (e); 2972 } 2973 2974 /*ARGSUSED*/ 2975 static void 2976 aus_sysinfo(struct t_audit_data *tad) 2977 { 2978 klwp_t *clwp = ttolwp(curthread); 2979 uint32_t command; 2980 size_t len, maxlen; 2981 char *name; 2982 uintptr_t buf; 2983 2984 struct a { 2985 long command; 2986 long buf; /* char * */ 2987 long count; 2988 } *uap = (struct a *)clwp->lwp_ap; 2989 2990 command = (uint32_t)uap->command; 2991 buf = (uintptr_t)uap->buf; 2992 2993 au_uwrite(au_to_arg32(1, "cmd", command)); 2994 2995 switch (command) { 2996 case SI_SET_HOSTNAME: 2997 { 2998 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 2999 return; 3000 3001 maxlen = SYS_NMLN; 3002 name = kmem_alloc(maxlen, KM_SLEEP); 3003 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3004 break; 3005 3006 /* 3007 * Must be non-NULL string and string 3008 * must be less than SYS_NMLN chars. 3009 */ 3010 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3011 break; 3012 3013 au_uwrite(au_to_text(name)); 3014 break; 3015 } 3016 3017 case SI_SET_SRPC_DOMAIN: 3018 { 3019 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3020 return; 3021 3022 maxlen = SYS_NMLN; 3023 name = kmem_alloc(maxlen, KM_SLEEP); 3024 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3025 break; 3026 3027 /* 3028 * If string passed in is longer than length 3029 * allowed for domain name, fail. 3030 */ 3031 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3032 break; 3033 3034 au_uwrite(au_to_text(name)); 3035 break; 3036 } 3037 3038 default: 3039 return; 3040 } 3041 3042 kmem_free(name, maxlen); 3043 } 3044 3045 static au_event_t 3046 aui_modctl(au_event_t e) 3047 { 3048 klwp_t *clwp = ttolwp(curthread); 3049 uint_t cmd; 3050 3051 struct a { 3052 long cmd; 3053 } *uap = (struct a *)clwp->lwp_ap; 3054 3055 cmd = (uint_t)uap->cmd; 3056 3057 switch (cmd) { 3058 case MODLOAD: 3059 e = AUE_MODLOAD; 3060 break; 3061 case MODUNLOAD: 3062 e = AUE_MODUNLOAD; 3063 break; 3064 case MODADDMAJBIND: 3065 e = AUE_MODADDMAJ; 3066 break; 3067 case MODSETDEVPOLICY: 3068 e = AUE_MODDEVPLCY; 3069 break; 3070 case MODALLOCPRIV: 3071 e = AUE_MODADDPRIV; 3072 break; 3073 default: 3074 e = AUE_NULL; 3075 break; 3076 } 3077 return (e); 3078 } 3079 3080 3081 /*ARGSUSED*/ 3082 static void 3083 aus_modctl(struct t_audit_data *tad) 3084 { 3085 klwp_t *clwp = ttolwp(curthread); 3086 void *a = clwp->lwp_ap; 3087 uint_t use_path; 3088 3089 switch (tad->tad_event) { 3090 case AUE_MODLOAD: { 3091 typedef struct { 3092 long cmd; 3093 long use_path; 3094 long filename; /* char * */ 3095 } modloada_t; 3096 3097 char *filenamep; 3098 uintptr_t fname; 3099 extern char *default_path; 3100 3101 fname = (uintptr_t)((modloada_t *)a)->filename; 3102 use_path = (uint_t)((modloada_t *)a)->use_path; 3103 3104 /* space to hold path */ 3105 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3106 /* get string */ 3107 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3108 /* free allocated path */ 3109 kmem_free(filenamep, MOD_MAXPATH); 3110 return; 3111 } 3112 /* ensure it's null terminated */ 3113 filenamep[MOD_MAXPATH - 1] = 0; 3114 3115 if (use_path) 3116 au_uwrite(au_to_text(default_path)); 3117 au_uwrite(au_to_text(filenamep)); 3118 3119 /* release temporary memory */ 3120 kmem_free(filenamep, MOD_MAXPATH); 3121 break; 3122 } 3123 case AUE_MODUNLOAD: { 3124 typedef struct { 3125 long cmd; 3126 long id; 3127 } modunloada_t; 3128 3129 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3130 3131 au_uwrite(au_to_arg32(1, "id", id)); 3132 break; 3133 } 3134 case AUE_MODADDMAJ: { 3135 STRUCT_DECL(modconfig, mc); 3136 typedef struct { 3137 long cmd; 3138 long subcmd; 3139 long data; /* int * */ 3140 } modconfiga_t; 3141 3142 STRUCT_DECL(aliases, alias); 3143 caddr_t ap; 3144 int i, num_aliases; 3145 char *drvname, *mc_drvname; 3146 char *name; 3147 extern char *ddi_major_to_name(major_t); 3148 model_t model; 3149 3150 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3151 3152 model = get_udatamodel(); 3153 STRUCT_INIT(mc, model); 3154 /* sanitize buffer */ 3155 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3156 /* get user arguments */ 3157 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3158 STRUCT_SIZE(mc)) != 0) 3159 return; 3160 3161 mc_drvname = STRUCT_FGET(mc, drvname); 3162 if ((drvname = ddi_major_to_name( 3163 (major_t)STRUCT_FGET(mc, major))) != NULL && 3164 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3165 /* safety */ 3166 if (mc_drvname[0] != '\0') { 3167 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3168 au_uwrite(au_to_text(mc_drvname)); 3169 } 3170 /* drvname != NULL from test above */ 3171 au_uwrite(au_to_text(drvname)); 3172 return; 3173 } 3174 3175 if (mc_drvname[0] != '\0') { 3176 /* safety */ 3177 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3178 au_uwrite(au_to_text(mc_drvname)); 3179 } else 3180 au_uwrite(au_to_text("no drvname")); 3181 3182 num_aliases = STRUCT_FGET(mc, num_aliases); 3183 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3184 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3185 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3186 STRUCT_INIT(alias, model); 3187 for (i = 0; i < num_aliases; i++) { 3188 bzero((caddr_t)STRUCT_BUF(alias), 3189 STRUCT_SIZE(alias)); 3190 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3191 STRUCT_SIZE(alias)) != 0) 3192 break; 3193 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3194 MAXMODCONFNAME, NULL) != 0) { 3195 break; 3196 } 3197 3198 au_uwrite(au_to_text(name)); 3199 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3200 } 3201 kmem_free(name, MAXMODCONFNAME); 3202 break; 3203 } 3204 default: 3205 break; 3206 } 3207 } 3208 3209 3210 /*ARGSUSED*/ 3211 static void 3212 auf_accept( 3213 struct t_audit_data *tad, 3214 int error, 3215 rval_t *rval) 3216 { 3217 uint32_t scid; 3218 uint32_t sy_flags; 3219 int fd; 3220 struct sonode *so; 3221 char so_laddr[sizeof (struct sockaddr_in6)]; 3222 char so_faddr[sizeof (struct sockaddr_in6)]; 3223 int err; 3224 int len; 3225 short so_family, so_type; 3226 int add_sock_token = 0; 3227 3228 /* need to determine type of executing binary */ 3229 scid = tad->tad_scid; 3230 #ifdef _SYSCALL32_IMPL 3231 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3232 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3233 else 3234 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3235 #else 3236 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3237 #endif 3238 if (sy_flags == SE_32RVAL1) 3239 fd = rval->r_val1; 3240 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3241 fd = rval->r_val1; 3242 if (sy_flags == SE_64RVAL) 3243 fd = (int)rval->r_vals; 3244 3245 if (error) { 3246 /* can't trust socket contents. Just return */ 3247 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3248 return; 3249 } 3250 3251 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3252 /* 3253 * not security relevant if doing a accept from non socket 3254 * so no extra tokens. Should probably turn off audit record 3255 * generation here. 3256 */ 3257 return; 3258 } 3259 3260 so_family = so->so_family; 3261 so_type = so->so_type; 3262 3263 switch (so_family) { 3264 case AF_INET: 3265 case AF_INET6: 3266 /* 3267 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3268 */ 3269 if (so->so_type == SOCK_STREAM) { 3270 3271 bzero((void *)so_laddr, sizeof (so_laddr)); 3272 bzero((void *)so_faddr, sizeof (so_faddr)); 3273 3274 /* 3275 * no local address then need to get it from lower 3276 * levels. only put out record on first read ala 3277 * AUE_WRITE. 3278 */ 3279 if (so->so_state & SS_ISBOUND) { 3280 /* only done once on a connection */ 3281 (void) SOP_GETSOCKNAME(so); 3282 (void) SOP_GETPEERNAME(so); 3283 3284 /* get local and foreign addresses */ 3285 mutex_enter(&so->so_lock); 3286 len = min(so->so_laddr_len, sizeof (so_laddr)); 3287 bcopy(so->so_laddr_sa, so_laddr, len); 3288 len = min(so->so_faddr_len, sizeof (so_faddr)); 3289 bcopy(so->so_faddr_sa, so_faddr, len); 3290 mutex_exit(&so->so_lock); 3291 } 3292 3293 add_sock_token = 1; 3294 } 3295 break; 3296 3297 default: 3298 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3299 break; 3300 } 3301 3302 releasef(fd); 3303 3304 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3305 3306 if (add_sock_token == 0) { 3307 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3308 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3309 return; 3310 } 3311 3312 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3313 3314 } 3315 3316 /*ARGSUSED*/ 3317 static void 3318 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3319 { 3320 struct a { 3321 long fd; 3322 long addr; 3323 long len; 3324 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3325 3326 struct sonode *so; 3327 char so_laddr[sizeof (struct sockaddr_in6)]; 3328 char so_faddr[sizeof (struct sockaddr_in6)]; 3329 int err, fd; 3330 int len; 3331 short so_family, so_type; 3332 int add_sock_token = 0; 3333 3334 fd = (int)uap->fd; 3335 3336 /* 3337 * bind failed, then nothing extra to add to audit record. 3338 */ 3339 if (error) { 3340 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3341 /* XXX may want to add failed address some day */ 3342 return; 3343 } 3344 3345 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3346 /* 3347 * not security relevant if doing a bind from non socket 3348 * so no extra tokens. Should probably turn off audit record 3349 * generation here. 3350 */ 3351 return; 3352 } 3353 3354 so_family = so->so_family; 3355 so_type = so->so_type; 3356 3357 switch (so_family) { 3358 case AF_INET: 3359 case AF_INET6: 3360 3361 bzero(so_faddr, sizeof (so_faddr)); 3362 3363 if (so->so_state & SS_ISBOUND) { 3364 /* only done once on a connection */ 3365 (void) SOP_GETSOCKNAME(so); 3366 } 3367 3368 mutex_enter(&so->so_lock); 3369 len = min(so->so_laddr_len, sizeof (so_laddr)); 3370 bcopy(so->so_laddr_sa, so_laddr, len); 3371 mutex_exit(&so->so_lock); 3372 3373 add_sock_token = 1; 3374 3375 break; 3376 3377 case AF_UNIX: 3378 /* token added by lookup */ 3379 break; 3380 default: 3381 /* AF_ROUTE, AF_KEY do not support accept */ 3382 break; 3383 } 3384 3385 releasef(fd); 3386 3387 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3388 3389 if (add_sock_token == 0) { 3390 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3391 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3392 return; 3393 } 3394 3395 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3396 3397 } 3398 3399 /*ARGSUSED*/ 3400 static void 3401 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3402 { 3403 struct a { 3404 long fd; 3405 long addr; 3406 long len; 3407 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3408 3409 struct sonode *so; 3410 char so_laddr[sizeof (struct sockaddr_in6)]; 3411 char so_faddr[sizeof (struct sockaddr_in6)]; 3412 int err, fd; 3413 int len; 3414 short so_family, so_type; 3415 int add_sock_token = 0; 3416 3417 fd = (int)uap->fd; 3418 3419 3420 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3421 /* 3422 * not security relevant if doing a connect from non socket 3423 * so no extra tokens. Should probably turn off audit record 3424 * generation here. 3425 */ 3426 return; 3427 } 3428 3429 so_family = so->so_family; 3430 so_type = so->so_type; 3431 3432 switch (so_family) { 3433 case AF_INET: 3434 case AF_INET6: 3435 /* 3436 * no local address then need to get it from lower 3437 * levels. 3438 */ 3439 if (so->so_state & SS_ISBOUND) { 3440 /* only done once on a connection */ 3441 (void) SOP_GETSOCKNAME(so); 3442 (void) SOP_GETPEERNAME(so); 3443 } 3444 3445 bzero(so_laddr, sizeof (so_laddr)); 3446 bzero(so_faddr, sizeof (so_faddr)); 3447 3448 mutex_enter(&so->so_lock); 3449 len = min(so->so_laddr_len, sizeof (so_laddr)); 3450 bcopy(so->so_laddr_sa, so_laddr, len); 3451 if (error) { 3452 mutex_exit(&so->so_lock); 3453 if (uap->addr == NULL) 3454 break; 3455 if (uap->len <= 0) 3456 break; 3457 len = min(uap->len, sizeof (so_faddr)); 3458 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3459 break; 3460 #ifdef NOTYET 3461 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3462 #endif 3463 } else { 3464 /* sanity check on length */ 3465 len = min(so->so_faddr_len, sizeof (so_faddr)); 3466 bcopy(so->so_faddr_sa, so_faddr, len); 3467 mutex_exit(&so->so_lock); 3468 } 3469 3470 add_sock_token = 1; 3471 3472 break; 3473 3474 case AF_UNIX: 3475 /* does a lookup on name */ 3476 break; 3477 3478 default: 3479 /* AF_ROUTE, AF_KEY do not support accept */ 3480 break; 3481 } 3482 3483 releasef(fd); 3484 3485 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3486 3487 if (add_sock_token == 0) { 3488 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3489 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3490 return; 3491 } 3492 3493 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3494 3495 } 3496 3497 /*ARGSUSED*/ 3498 static void 3499 aus_shutdown(struct t_audit_data *tad) 3500 { 3501 struct a { 3502 long fd; 3503 long how; 3504 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3505 3506 struct sonode *so; 3507 char so_laddr[sizeof (struct sockaddr_in6)]; 3508 char so_faddr[sizeof (struct sockaddr_in6)]; 3509 int err, fd; 3510 int len; 3511 short so_family, so_type; 3512 int add_sock_token = 0; 3513 file_t *fp; /* unix domain sockets */ 3514 struct f_audit_data *fad; /* unix domain sockets */ 3515 3516 fd = (int)uap->fd; 3517 3518 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3519 /* 3520 * not security relevant if doing a shutdown using non socket 3521 * so no extra tokens. Should probably turn off audit record 3522 * generation here. 3523 */ 3524 return; 3525 } 3526 3527 so_family = so->so_family; 3528 so_type = so->so_type; 3529 3530 switch (so_family) { 3531 case AF_INET: 3532 case AF_INET6: 3533 3534 bzero(so_laddr, sizeof (so_laddr)); 3535 bzero(so_faddr, sizeof (so_faddr)); 3536 3537 if (so->so_state & SS_ISBOUND) { 3538 /* 3539 * no local address then need to get it from lower 3540 * levels. 3541 */ 3542 if (so->so_laddr_len == 0) 3543 (void) SOP_GETSOCKNAME(so); 3544 if (so->so_faddr_len == 0) 3545 (void) SOP_GETPEERNAME(so); 3546 } 3547 3548 mutex_enter(&so->so_lock); 3549 len = min(so->so_laddr_len, sizeof (so_laddr)); 3550 bcopy(so->so_laddr_sa, so_laddr, len); 3551 len = min(so->so_faddr_len, sizeof (so_faddr)); 3552 bcopy(so->so_faddr_sa, so_faddr, len); 3553 mutex_exit(&so->so_lock); 3554 3555 add_sock_token = 1; 3556 3557 break; 3558 3559 case AF_UNIX: 3560 3561 /* get path from file struct here */ 3562 fad = F2A(fp); 3563 ASSERT(fad); 3564 3565 if (fad->fad_aupath != NULL) { 3566 au_uwrite(au_to_path(fad->fad_aupath)); 3567 } else { 3568 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3569 } 3570 3571 audit_attributes(fp->f_vnode); 3572 3573 break; 3574 3575 default: 3576 /* 3577 * AF_KEY and AF_ROUTE support shutdown. No socket token 3578 * added. 3579 */ 3580 break; 3581 } 3582 3583 releasef(fd); 3584 3585 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3586 3587 if (add_sock_token == 0) { 3588 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3589 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3590 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3591 return; 3592 } 3593 3594 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3595 3596 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3597 3598 } 3599 3600 /*ARGSUSED*/ 3601 static void 3602 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3603 { 3604 struct a { 3605 long fd; 3606 long level; 3607 long optname; 3608 long *optval; 3609 long optlen; 3610 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3611 3612 struct sonode *so; 3613 char so_laddr[sizeof (struct sockaddr_in6)]; 3614 char so_faddr[sizeof (struct sockaddr_in6)]; 3615 char val[AU_BUFSIZE]; 3616 int err, fd; 3617 int len; 3618 short so_family, so_type; 3619 int add_sock_token = 0; 3620 file_t *fp; /* unix domain sockets */ 3621 struct f_audit_data *fad; /* unix domain sockets */ 3622 3623 fd = (int)uap->fd; 3624 3625 if (error) { 3626 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3627 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3628 /* XXX may want to include other arguments */ 3629 return; 3630 } 3631 3632 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3633 /* 3634 * not security relevant if doing a setsockopt from non socket 3635 * so no extra tokens. Should probably turn off audit record 3636 * generation here. 3637 */ 3638 return; 3639 } 3640 3641 so_family = so->so_family; 3642 so_type = so->so_type; 3643 3644 switch (so_family) { 3645 case AF_INET: 3646 case AF_INET6: 3647 3648 bzero((void *)so_laddr, sizeof (so_laddr)); 3649 bzero((void *)so_faddr, sizeof (so_faddr)); 3650 3651 if (so->so_state & SS_ISBOUND) { 3652 if (so->so_laddr_len == 0) 3653 (void) SOP_GETSOCKNAME(so); 3654 if (so->so_faddr_len == 0) 3655 (void) SOP_GETPEERNAME(so); 3656 } 3657 3658 /* get local and foreign addresses */ 3659 mutex_enter(&so->so_lock); 3660 len = min(so->so_laddr_len, sizeof (so_laddr)); 3661 bcopy(so->so_laddr_sa, so_laddr, len); 3662 len = min(so->so_faddr_len, sizeof (so_faddr)); 3663 bcopy(so->so_faddr_sa, so_faddr, len); 3664 mutex_exit(&so->so_lock); 3665 3666 add_sock_token = 1; 3667 3668 break; 3669 3670 case AF_UNIX: 3671 3672 /* get path from file struct here */ 3673 fad = F2A(fp); 3674 ASSERT(fad); 3675 3676 if (fad->fad_aupath != NULL) { 3677 au_uwrite(au_to_path(fad->fad_aupath)); 3678 } else { 3679 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3680 } 3681 3682 audit_attributes(fp->f_vnode); 3683 3684 break; 3685 3686 default: 3687 /* 3688 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3689 * added. 3690 */ 3691 break; 3692 } 3693 3694 releasef(fd); 3695 3696 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3697 3698 if (add_sock_token == 0) { 3699 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3700 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3701 } 3702 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3703 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3704 3705 bzero(val, sizeof (val)); 3706 len = min(uap->optlen, sizeof (val)); 3707 if ((len > 0) && 3708 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3709 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3710 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3711 } 3712 3713 if (add_sock_token == 0) 3714 return; 3715 3716 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3717 3718 } 3719 3720 /*ARGSUSED*/ 3721 static void 3722 aus_sockconfig(tad) 3723 struct t_audit_data *tad; 3724 { 3725 struct a { 3726 long domain; 3727 long type; 3728 long protocol; 3729 long devpath; 3730 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3731 3732 char *kdevpath; 3733 int kdevpathlen = MAXPATHLEN + 1; 3734 size_t size; 3735 3736 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3737 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3738 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3739 3740 if (uap->devpath == 0) { 3741 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3742 } else { 3743 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3744 3745 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3746 &size)) { 3747 kmem_free(kdevpath, kdevpathlen); 3748 return; 3749 } 3750 3751 if (size > MAXPATHLEN) { 3752 kmem_free(kdevpath, kdevpathlen); 3753 return; 3754 } 3755 3756 au_uwrite(au_to_text(kdevpath)); 3757 kmem_free(kdevpath, kdevpathlen); 3758 } 3759 } 3760 3761 /* 3762 * only audit recvmsg when the system call represents the creation of a new 3763 * circuit. This effectively occurs for all UDP packets and may occur for 3764 * special TCP situations where the local host has not set a local address 3765 * in the socket structure. 3766 */ 3767 /*ARGSUSED*/ 3768 static void 3769 auf_recvmsg( 3770 struct t_audit_data *tad, 3771 int error, 3772 rval_t *rvp) 3773 { 3774 struct a { 3775 long fd; 3776 long msg; /* struct msghdr */ 3777 long flags; 3778 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3779 3780 struct sonode *so; 3781 STRUCT_DECL(msghdr, msg); 3782 caddr_t msg_name; 3783 socklen_t msg_namelen; 3784 int fd; 3785 int err; 3786 char so_laddr[sizeof (struct sockaddr_in6)]; 3787 char so_faddr[sizeof (struct sockaddr_in6)]; 3788 int len; 3789 file_t *fp; /* unix domain sockets */ 3790 struct f_audit_data *fad; /* unix domain sockets */ 3791 short so_family, so_type; 3792 int add_sock_token = 0; 3793 au_kcontext_t *kctx = GET_KCTX_PZ; 3794 3795 fd = (int)uap->fd; 3796 3797 /* bail if an error */ 3798 if (error) { 3799 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3800 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3801 return; 3802 } 3803 3804 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3805 /* 3806 * not security relevant if doing a recvmsg from non socket 3807 * so no extra tokens. Should probably turn off audit record 3808 * generation here. 3809 */ 3810 return; 3811 } 3812 3813 so_family = so->so_family; 3814 so_type = so->so_type; 3815 3816 /* 3817 * only putout SOCKET_EX token if INET/INET6 family. 3818 * XXX - what do we do about other families? 3819 */ 3820 3821 switch (so_family) { 3822 case AF_INET: 3823 case AF_INET6: 3824 3825 /* 3826 * if datagram type socket, then just use what is in 3827 * socket structure for local address. 3828 * XXX - what do we do for other types? 3829 */ 3830 if ((so->so_type == SOCK_DGRAM) || 3831 (so->so_type == SOCK_RAW)) { 3832 add_sock_token = 1; 3833 3834 bzero((void *)so_laddr, sizeof (so_laddr)); 3835 bzero((void *)so_faddr, sizeof (so_faddr)); 3836 3837 /* get local address */ 3838 mutex_enter(&so->so_lock); 3839 len = min(so->so_laddr_len, sizeof (so_laddr)); 3840 bcopy(so->so_laddr_sa, so_laddr, len); 3841 mutex_exit(&so->so_lock); 3842 3843 /* get peer address */ 3844 STRUCT_INIT(msg, get_udatamodel()); 3845 3846 if (copyin((caddr_t)(uap->msg), 3847 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3848 break; 3849 } 3850 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3851 if (msg_name == NULL) { 3852 break; 3853 } 3854 3855 /* length is value from recvmsg - sanity check */ 3856 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3857 if (msg_namelen == 0) { 3858 break; 3859 } 3860 if (copyin(msg_name, so_faddr, 3861 sizeof (so_faddr)) != 0) { 3862 break; 3863 } 3864 3865 } else if (so->so_type == SOCK_STREAM) { 3866 3867 /* get path from file struct here */ 3868 fad = F2A(fp); 3869 ASSERT(fad); 3870 3871 /* 3872 * already processed this file for read attempt 3873 */ 3874 if (fad->fad_flags & FAD_READ) { 3875 /* don't want to audit every recvmsg attempt */ 3876 tad->tad_flag = 0; 3877 /* free any residual audit data */ 3878 au_close(kctx, &(u_ad), 0, 0, 0); 3879 releasef(fd); 3880 return; 3881 } 3882 /* 3883 * mark things so we know what happened and don't 3884 * repeat things 3885 */ 3886 fad->fad_flags |= FAD_READ; 3887 3888 bzero((void *)so_laddr, sizeof (so_laddr)); 3889 bzero((void *)so_faddr, sizeof (so_faddr)); 3890 3891 if (so->so_state & SS_ISBOUND) { 3892 3893 if (so->so_laddr_len == 0) 3894 (void) SOP_GETSOCKNAME(so); 3895 if (so->so_faddr_len == 0) 3896 (void) SOP_GETPEERNAME(so); 3897 3898 /* get local and foreign addresses */ 3899 mutex_enter(&so->so_lock); 3900 len = min(so->so_laddr_len, sizeof (so_laddr)); 3901 bcopy(so->so_laddr_sa, so_laddr, len); 3902 len = min(so->so_faddr_len, sizeof (so_faddr)); 3903 bcopy(so->so_faddr_sa, so_faddr, len); 3904 mutex_exit(&so->so_lock); 3905 } 3906 3907 add_sock_token = 1; 3908 } 3909 3910 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3911 3912 break; 3913 3914 case AF_UNIX: 3915 /* 3916 * first check if this is first time through. Too much 3917 * duplicate code to put this in an aui_ routine. 3918 */ 3919 3920 /* get path from file struct here */ 3921 fad = F2A(fp); 3922 ASSERT(fad); 3923 3924 /* 3925 * already processed this file for read attempt 3926 */ 3927 if (fad->fad_flags & FAD_READ) { 3928 releasef(fd); 3929 /* don't want to audit every recvmsg attempt */ 3930 tad->tad_flag = 0; 3931 /* free any residual audit data */ 3932 au_close(kctx, &(u_ad), 0, 0, 0); 3933 return; 3934 } 3935 /* 3936 * mark things so we know what happened and don't 3937 * repeat things 3938 */ 3939 fad->fad_flags |= FAD_READ; 3940 3941 if (fad->fad_aupath != NULL) { 3942 au_uwrite(au_to_path(fad->fad_aupath)); 3943 } else { 3944 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3945 } 3946 3947 audit_attributes(fp->f_vnode); 3948 3949 releasef(fd); 3950 3951 return; 3952 3953 default: 3954 break; 3955 3956 } 3957 3958 releasef(fd); 3959 3960 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3961 3962 if (add_sock_token == 0) { 3963 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 3964 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 3965 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3966 return; 3967 } 3968 3969 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3970 3971 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3972 3973 } 3974 3975 /*ARGSUSED*/ 3976 static void 3977 auf_recvfrom( 3978 struct t_audit_data *tad, 3979 int error, 3980 rval_t *rvp) 3981 { 3982 3983 struct a { 3984 long fd; 3985 long msg; /* char */ 3986 long len; 3987 long flags; 3988 long from; /* struct sockaddr */ 3989 long fromlen; 3990 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3991 3992 socklen_t fromlen; 3993 struct sonode *so; 3994 char so_laddr[sizeof (struct sockaddr_in6)]; 3995 char so_faddr[sizeof (struct sockaddr_in6)]; 3996 int fd; 3997 short so_family, so_type; 3998 int add_sock_token = 0; 3999 int len; 4000 int err; 4001 struct file *fp; 4002 struct f_audit_data *fad; /* unix domain sockets */ 4003 au_kcontext_t *kctx = GET_KCTX_PZ; 4004 4005 fd = (int)uap->fd; 4006 4007 /* bail if an error */ 4008 if (error) { 4009 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4010 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4011 return; 4012 } 4013 4014 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4015 /* 4016 * not security relevant if doing a recvmsg from non socket 4017 * so no extra tokens. Should probably turn off audit record 4018 * generation here. 4019 */ 4020 return; 4021 } 4022 4023 so_family = so->so_family; 4024 so_type = so->so_type; 4025 4026 /* 4027 * only putout SOCKET_EX token if INET/INET6 family. 4028 * XXX - what do we do about other families? 4029 */ 4030 4031 switch (so_family) { 4032 case AF_INET: 4033 case AF_INET6: 4034 4035 /* 4036 * if datagram type socket, then just use what is in 4037 * socket structure for local address. 4038 * XXX - what do we do for other types? 4039 */ 4040 if ((so->so_type == SOCK_DGRAM) || 4041 (so->so_type == SOCK_RAW)) { 4042 add_sock_token = 1; 4043 4044 /* get local address */ 4045 mutex_enter(&so->so_lock); 4046 len = min(so->so_laddr_len, sizeof (so_laddr)); 4047 bcopy(so->so_laddr_sa, so_laddr, len); 4048 mutex_exit(&so->so_lock); 4049 4050 /* get peer address */ 4051 bzero((void *)so_faddr, sizeof (so_faddr)); 4052 4053 /* sanity check */ 4054 if (uap->from == NULL) 4055 break; 4056 4057 /* sanity checks */ 4058 if (uap->fromlen == 0) 4059 break; 4060 4061 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4062 sizeof (fromlen)) != 0) 4063 break; 4064 4065 if (fromlen == 0) 4066 break; 4067 4068 /* enforce maximum size */ 4069 if (fromlen > sizeof (so_faddr)) 4070 fromlen = sizeof (so_faddr); 4071 4072 if (copyin((caddr_t)(uap->from), so_faddr, 4073 fromlen) != 0) 4074 break; 4075 4076 } else if (so->so_type == SOCK_STREAM) { 4077 4078 /* get path from file struct here */ 4079 fad = F2A(fp); 4080 ASSERT(fad); 4081 4082 /* 4083 * already processed this file for read attempt 4084 */ 4085 if (fad->fad_flags & FAD_READ) { 4086 /* don't want to audit every recvfrom attempt */ 4087 tad->tad_flag = 0; 4088 /* free any residual audit data */ 4089 au_close(kctx, &(u_ad), 0, 0, 0); 4090 releasef(fd); 4091 return; 4092 } 4093 /* 4094 * mark things so we know what happened and don't 4095 * repeat things 4096 */ 4097 fad->fad_flags |= FAD_READ; 4098 4099 bzero((void *)so_laddr, sizeof (so_laddr)); 4100 bzero((void *)so_faddr, sizeof (so_faddr)); 4101 4102 if (so->so_state & SS_ISBOUND) { 4103 4104 if (so->so_laddr_len == 0) 4105 (void) SOP_GETSOCKNAME(so); 4106 if (so->so_faddr_len == 0) 4107 (void) SOP_GETPEERNAME(so); 4108 4109 /* get local and foreign addresses */ 4110 mutex_enter(&so->so_lock); 4111 len = min(so->so_laddr_len, sizeof (so_laddr)); 4112 bcopy(so->so_laddr_sa, so_laddr, len); 4113 len = min(so->so_faddr_len, sizeof (so_faddr)); 4114 bcopy(so->so_faddr_sa, so_faddr, len); 4115 mutex_exit(&so->so_lock); 4116 } 4117 4118 add_sock_token = 1; 4119 } 4120 4121 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4122 4123 break; 4124 4125 case AF_UNIX: 4126 /* 4127 * first check if this is first time through. Too much 4128 * duplicate code to put this in an aui_ routine. 4129 */ 4130 4131 /* get path from file struct here */ 4132 fad = F2A(fp); 4133 ASSERT(fad); 4134 4135 /* 4136 * already processed this file for read attempt 4137 */ 4138 if (fad->fad_flags & FAD_READ) { 4139 /* don't want to audit every recvfrom attempt */ 4140 tad->tad_flag = 0; 4141 /* free any residual audit data */ 4142 au_close(kctx, &(u_ad), 0, 0, 0); 4143 releasef(fd); 4144 return; 4145 } 4146 /* 4147 * mark things so we know what happened and don't 4148 * repeat things 4149 */ 4150 fad->fad_flags |= FAD_READ; 4151 4152 if (fad->fad_aupath != NULL) { 4153 au_uwrite(au_to_path(fad->fad_aupath)); 4154 } else { 4155 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4156 } 4157 4158 audit_attributes(fp->f_vnode); 4159 4160 releasef(fd); 4161 4162 return; 4163 4164 default: 4165 break; 4166 4167 } 4168 4169 releasef(fd); 4170 4171 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4172 4173 if (add_sock_token == 0) { 4174 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4175 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4176 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4177 return; 4178 } 4179 4180 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4181 4182 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4183 } 4184 4185 /*ARGSUSED*/ 4186 static void 4187 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4188 { 4189 struct a { 4190 long fd; 4191 long msg; /* struct msghdr */ 4192 long flags; 4193 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4194 4195 struct sonode *so; 4196 char so_laddr[sizeof (struct sockaddr_in6)]; 4197 char so_faddr[sizeof (struct sockaddr_in6)]; 4198 int err; 4199 int fd; 4200 short so_family, so_type; 4201 int add_sock_token = 0; 4202 int len; 4203 struct file *fp; 4204 struct f_audit_data *fad; 4205 caddr_t msg_name; 4206 socklen_t msg_namelen; 4207 STRUCT_DECL(msghdr, msg); 4208 au_kcontext_t *kctx = GET_KCTX_PZ; 4209 4210 fd = (int)uap->fd; 4211 4212 /* bail if an error */ 4213 if (error) { 4214 /* XXX include destination address from system call arguments */ 4215 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4216 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4217 return; 4218 } 4219 4220 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4221 /* 4222 * not security relevant if doing a sendmsg from non socket 4223 * so no extra tokens. Should probably turn off audit record 4224 * generation here. 4225 */ 4226 return; 4227 } 4228 4229 so_family = so->so_family; 4230 so_type = so->so_type; 4231 4232 switch (so_family) { 4233 case AF_INET: 4234 case AF_INET6: 4235 /* 4236 * if datagram type socket, then just use what is in 4237 * socket structure for local address. 4238 * XXX - what do we do for other types? 4239 */ 4240 if ((so->so_type == SOCK_DGRAM) || 4241 (so->so_type == SOCK_RAW)) { 4242 4243 bzero((void *)so_laddr, sizeof (so_laddr)); 4244 bzero((void *)so_faddr, sizeof (so_faddr)); 4245 4246 /* get local address */ 4247 mutex_enter(&so->so_lock); 4248 len = min(so->so_laddr_len, sizeof (so_laddr)); 4249 bcopy(so->so_laddr_sa, so_laddr, len); 4250 mutex_exit(&so->so_lock); 4251 4252 /* get peer address */ 4253 STRUCT_INIT(msg, get_udatamodel()); 4254 4255 if (copyin((caddr_t)(uap->msg), 4256 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4257 break; 4258 } 4259 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4260 if (msg_name == NULL) 4261 break; 4262 4263 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4264 /* length is value from recvmsg - sanity check */ 4265 if (msg_namelen == 0) 4266 break; 4267 4268 if (copyin(msg_name, so_faddr, 4269 sizeof (so_faddr)) != 0) 4270 break; 4271 4272 add_sock_token = 1; 4273 4274 } else if (so->so_type == SOCK_STREAM) { 4275 4276 /* get path from file struct here */ 4277 fad = F2A(fp); 4278 ASSERT(fad); 4279 4280 /* 4281 * already processed this file for write attempt 4282 */ 4283 if (fad->fad_flags & FAD_WRITE) { 4284 releasef(fd); 4285 /* don't want to audit every sendmsg attempt */ 4286 tad->tad_flag = 0; 4287 /* free any residual audit data */ 4288 au_close(kctx, &(u_ad), 0, 0, 0); 4289 return; 4290 } 4291 4292 /* 4293 * mark things so we know what happened and don't 4294 * repeat things 4295 */ 4296 fad->fad_flags |= FAD_WRITE; 4297 4298 bzero((void *)so_laddr, sizeof (so_laddr)); 4299 bzero((void *)so_faddr, sizeof (so_faddr)); 4300 4301 if (so->so_state & SS_ISBOUND) { 4302 4303 if (so->so_laddr_len == 0) 4304 (void) SOP_GETSOCKNAME(so); 4305 if (so->so_faddr_len == 0) 4306 (void) SOP_GETPEERNAME(so); 4307 4308 /* get local and foreign addresses */ 4309 mutex_enter(&so->so_lock); 4310 len = min(so->so_laddr_len, sizeof (so_laddr)); 4311 bcopy(so->so_laddr_sa, so_laddr, len); 4312 len = min(so->so_faddr_len, sizeof (so_faddr)); 4313 bcopy(so->so_faddr_sa, so_faddr, len); 4314 mutex_exit(&so->so_lock); 4315 } 4316 4317 add_sock_token = 1; 4318 } 4319 4320 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4321 4322 break; 4323 4324 case AF_UNIX: 4325 /* 4326 * first check if this is first time through. Too much 4327 * duplicate code to put this in an aui_ routine. 4328 */ 4329 4330 /* get path from file struct here */ 4331 fad = F2A(fp); 4332 ASSERT(fad); 4333 4334 /* 4335 * already processed this file for write attempt 4336 */ 4337 if (fad->fad_flags & FAD_WRITE) { 4338 releasef(fd); 4339 /* don't want to audit every sendmsg attempt */ 4340 tad->tad_flag = 0; 4341 /* free any residual audit data */ 4342 au_close(kctx, &(u_ad), 0, 0, 0); 4343 return; 4344 } 4345 /* 4346 * mark things so we know what happened and don't 4347 * repeat things 4348 */ 4349 fad->fad_flags |= FAD_WRITE; 4350 4351 if (fad->fad_aupath != NULL) { 4352 au_uwrite(au_to_path(fad->fad_aupath)); 4353 } else { 4354 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4355 } 4356 4357 audit_attributes(fp->f_vnode); 4358 4359 releasef(fd); 4360 4361 return; 4362 4363 default: 4364 break; 4365 } 4366 4367 releasef(fd); 4368 4369 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4370 4371 if (add_sock_token == 0) { 4372 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4373 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4374 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4375 return; 4376 } 4377 4378 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4379 4380 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4381 } 4382 4383 /*ARGSUSED*/ 4384 static void 4385 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4386 { 4387 struct a { 4388 long fd; 4389 long msg; /* char */ 4390 long len; 4391 long flags; 4392 long to; /* struct sockaddr */ 4393 long tolen; 4394 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4395 4396 struct sonode *so; 4397 char so_laddr[sizeof (struct sockaddr_in6)]; 4398 char so_faddr[sizeof (struct sockaddr_in6)]; 4399 socklen_t tolen; 4400 int err; 4401 int fd; 4402 int len; 4403 short so_family, so_type; 4404 int add_sock_token = 0; 4405 struct file *fp; 4406 struct f_audit_data *fad; 4407 au_kcontext_t *kctx = GET_KCTX_PZ; 4408 4409 fd = (int)uap->fd; 4410 4411 /* bail if an error */ 4412 if (error) { 4413 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4414 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4415 /* XXX include destination address from system call arguments */ 4416 return; 4417 } 4418 4419 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4420 /* 4421 * not security relevant if doing a sendto using non socket 4422 * so no extra tokens. Should probably turn off audit record 4423 * generation here. 4424 */ 4425 return; 4426 } 4427 4428 so_family = so->so_family; 4429 so_type = so->so_type; 4430 4431 /* 4432 * only putout SOCKET_EX token if INET/INET6 family. 4433 * XXX - what do we do about other families? 4434 */ 4435 4436 switch (so_family) { 4437 case AF_INET: 4438 case AF_INET6: 4439 4440 /* 4441 * if datagram type socket, then just use what is in 4442 * socket structure for local address. 4443 * XXX - what do we do for other types? 4444 */ 4445 if ((so->so_type == SOCK_DGRAM) || 4446 (so->so_type == SOCK_RAW)) { 4447 4448 bzero((void *)so_laddr, sizeof (so_laddr)); 4449 bzero((void *)so_faddr, sizeof (so_faddr)); 4450 4451 /* get local address */ 4452 mutex_enter(&so->so_lock); 4453 len = min(so->so_laddr_len, sizeof (so_laddr)); 4454 bcopy(so->so_laddr_sa, so_laddr, len); 4455 mutex_exit(&so->so_lock); 4456 4457 /* get peer address */ 4458 4459 /* sanity check */ 4460 if (uap->to == NULL) 4461 break; 4462 4463 /* sanity checks */ 4464 if (uap->tolen == 0) 4465 break; 4466 4467 tolen = (socklen_t)uap->tolen; 4468 4469 /* enforce maximum size */ 4470 if (tolen > sizeof (so_faddr)) 4471 tolen = sizeof (so_faddr); 4472 4473 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4474 break; 4475 4476 add_sock_token = 1; 4477 } else { 4478 /* 4479 * check if this is first time through. 4480 */ 4481 4482 /* get path from file struct here */ 4483 fad = F2A(fp); 4484 ASSERT(fad); 4485 4486 /* 4487 * already processed this file for write attempt 4488 */ 4489 if (fad->fad_flags & FAD_WRITE) { 4490 /* don't want to audit every sendto attempt */ 4491 tad->tad_flag = 0; 4492 /* free any residual audit data */ 4493 au_close(kctx, &(u_ad), 0, 0, 0); 4494 releasef(fd); 4495 return; 4496 } 4497 /* 4498 * mark things so we know what happened and don't 4499 * repeat things 4500 */ 4501 fad->fad_flags |= FAD_WRITE; 4502 4503 bzero((void *)so_laddr, sizeof (so_laddr)); 4504 bzero((void *)so_faddr, sizeof (so_faddr)); 4505 4506 if (so->so_state & SS_ISBOUND) { 4507 4508 if (so->so_laddr_len == 0) 4509 (void) SOP_GETSOCKNAME(so); 4510 if (so->so_faddr_len == 0) 4511 (void) SOP_GETPEERNAME(so); 4512 4513 /* get local and foreign addresses */ 4514 mutex_enter(&so->so_lock); 4515 len = min(so->so_laddr_len, sizeof (so_laddr)); 4516 bcopy(so->so_laddr_sa, so_laddr, len); 4517 len = min(so->so_faddr_len, sizeof (so_faddr)); 4518 bcopy(so->so_faddr_sa, so_faddr, len); 4519 mutex_exit(&so->so_lock); 4520 } 4521 4522 add_sock_token = 1; 4523 } 4524 4525 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4526 4527 break; 4528 4529 case AF_UNIX: 4530 /* 4531 * first check if this is first time through. Too much 4532 * duplicate code to put this in an aui_ routine. 4533 */ 4534 4535 /* get path from file struct here */ 4536 fad = F2A(fp); 4537 ASSERT(fad); 4538 4539 /* 4540 * already processed this file for write attempt 4541 */ 4542 if (fad->fad_flags & FAD_WRITE) { 4543 /* don't want to audit every sendto attempt */ 4544 tad->tad_flag = 0; 4545 /* free any residual audit data */ 4546 au_close(kctx, &(u_ad), 0, 0, 0); 4547 releasef(fd); 4548 return; 4549 } 4550 /* 4551 * mark things so we know what happened and don't 4552 * repeat things 4553 */ 4554 fad->fad_flags |= FAD_WRITE; 4555 4556 if (fad->fad_aupath != NULL) { 4557 au_uwrite(au_to_path(fad->fad_aupath)); 4558 } else { 4559 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4560 } 4561 4562 audit_attributes(fp->f_vnode); 4563 4564 releasef(fd); 4565 4566 return; 4567 4568 default: 4569 break; 4570 4571 } 4572 4573 releasef(fd); 4574 4575 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4576 4577 if (add_sock_token == 0) { 4578 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4579 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4580 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4581 return; 4582 } 4583 4584 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4585 4586 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4587 4588 } 4589 4590 /* 4591 * XXX socket(2) may be equivalent to open(2) on a unix domain 4592 * socket. This needs investigation. 4593 */ 4594 4595 /*ARGSUSED*/ 4596 static void 4597 aus_socket(struct t_audit_data *tad) 4598 { 4599 struct a { 4600 long domain; 4601 long type; 4602 long protocol; 4603 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4604 4605 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4606 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4607 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4608 } 4609 4610 /*ARGSUSED*/ 4611 static void 4612 aus_sigqueue(struct t_audit_data *tad) 4613 { 4614 struct a { 4615 long pid; 4616 long signo; 4617 long *val; 4618 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4619 struct proc *p; 4620 uid_t uid, ruid; 4621 gid_t gid, rgid; 4622 pid_t pid; 4623 const auditinfo_addr_t *ainfo; 4624 cred_t *cr; 4625 4626 pid = (pid_t)uap->pid; 4627 4628 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4629 if (pid > 0) { 4630 mutex_enter(&pidlock); 4631 if ((p = prfind(pid)) == (struct proc *)0) { 4632 mutex_exit(&pidlock); 4633 return; 4634 } 4635 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4636 mutex_exit(&pidlock); 4637 4638 mutex_enter(&p->p_crlock); 4639 crhold(cr = p->p_cred); 4640 mutex_exit(&p->p_crlock); 4641 mutex_exit(&p->p_lock); 4642 4643 ainfo = crgetauinfo(cr); 4644 if (ainfo == NULL) { 4645 crfree(cr); 4646 return; 4647 } 4648 4649 uid = crgetuid(cr); 4650 gid = crgetgid(cr); 4651 ruid = crgetruid(cr); 4652 rgid = crgetrgid(cr); 4653 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4654 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4655 crfree(cr); 4656 } 4657 else 4658 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4659 } 4660 4661 /*ARGSUSED*/ 4662 static void 4663 aus_inst_sync(struct t_audit_data *tad) 4664 { 4665 struct a { 4666 long name; /* char */ 4667 long flags; 4668 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4669 4670 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4671 } 4672 4673 /*ARGSUSED*/ 4674 static void 4675 aus_brandsys(struct t_audit_data *tad) 4676 { 4677 klwp_t *clwp = ttolwp(curthread); 4678 4679 struct a { 4680 long cmd; 4681 long arg1; 4682 long arg2; 4683 long arg3; 4684 long arg4; 4685 long arg5; 4686 long arg6; 4687 } *uap = (struct a *)clwp->lwp_ap; 4688 4689 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4690 #ifdef _LP64 4691 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4692 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4693 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4694 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4695 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4696 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4697 #else 4698 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4699 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4700 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4701 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4702 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4703 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4704 #endif 4705 } 4706 4707 /*ARGSUSED*/ 4708 static void 4709 aus_p_online(struct t_audit_data *tad) 4710 { 4711 struct a { 4712 long processor_id; 4713 long flag; 4714 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4715 4716 struct flags { 4717 int flag; 4718 char *cflag; 4719 } aflags[6] = { 4720 { P_ONLINE, "P_ONLINE"}, 4721 { P_OFFLINE, "P_OFFLINE"}, 4722 { P_NOINTR, "P_NOINTR"}, 4723 { P_SPARE, "P_SPARE"}, 4724 { P_FAULTED, "P_FAULTED"}, 4725 { P_STATUS, "P_STATUS"} 4726 }; 4727 int i; 4728 char *cflag; 4729 4730 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4731 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4732 4733 for (i = 0; i < 6; i++) { 4734 if (aflags[i].flag == uap->flag) 4735 break; 4736 } 4737 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4738 4739 au_uwrite(au_to_text(cflag)); 4740 } 4741 4742 /*ARGSUSED*/ 4743 static void 4744 aus_processor_bind(struct t_audit_data *tad) 4745 { 4746 struct a { 4747 long id_type; 4748 long id; 4749 long processor_id; 4750 long obind; 4751 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4752 4753 struct proc *p; 4754 int lwpcnt; 4755 uid_t uid, ruid; 4756 gid_t gid, rgid; 4757 pid_t pid; 4758 const auditinfo_addr_t *ainfo; 4759 cred_t *cr; 4760 4761 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4762 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4763 if (uap->processor_id == PBIND_NONE) 4764 au_uwrite(au_to_text("PBIND_NONE")); 4765 else 4766 au_uwrite(au_to_arg32(3, "processor_id", 4767 (uint32_t)uap->processor_id)); 4768 4769 switch (uap->id_type) { 4770 case P_MYID: 4771 case P_LWPID: 4772 mutex_enter(&pidlock); 4773 p = ttoproc(curthread); 4774 if (p == NULL || p->p_as == &kas) { 4775 mutex_exit(&pidlock); 4776 return; 4777 } 4778 mutex_enter(&p->p_lock); 4779 mutex_exit(&pidlock); 4780 lwpcnt = p->p_lwpcnt; 4781 pid = p->p_pid; 4782 4783 mutex_enter(&p->p_crlock); 4784 crhold(cr = p->p_cred); 4785 mutex_exit(&p->p_crlock); 4786 mutex_exit(&p->p_lock); 4787 4788 ainfo = crgetauinfo(cr); 4789 if (ainfo == NULL) { 4790 crfree(cr); 4791 return; 4792 } 4793 4794 uid = crgetuid(cr); 4795 gid = crgetgid(cr); 4796 ruid = crgetruid(cr); 4797 rgid = crgetrgid(cr); 4798 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4799 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4800 crfree(cr); 4801 break; 4802 case P_PID: 4803 mutex_enter(&pidlock); 4804 p = prfind(uap->id); 4805 if (p == NULL || p->p_as == &kas) { 4806 mutex_exit(&pidlock); 4807 return; 4808 } 4809 mutex_enter(&p->p_lock); 4810 mutex_exit(&pidlock); 4811 lwpcnt = p->p_lwpcnt; 4812 pid = p->p_pid; 4813 4814 mutex_enter(&p->p_crlock); 4815 crhold(cr = p->p_cred); 4816 mutex_exit(&p->p_crlock); 4817 mutex_exit(&p->p_lock); 4818 4819 ainfo = crgetauinfo(cr); 4820 if (ainfo == NULL) { 4821 crfree(cr); 4822 return; 4823 } 4824 4825 uid = crgetuid(cr); 4826 gid = crgetgid(cr); 4827 ruid = crgetruid(cr); 4828 rgid = crgetrgid(cr); 4829 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4830 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4831 crfree(cr); 4832 4833 break; 4834 default: 4835 return; 4836 } 4837 4838 if (uap->processor_id == PBIND_NONE && 4839 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4840 au_uwrite(au_to_text("PBIND_NONE for process")); 4841 else 4842 au_uwrite(au_to_arg32(3, "processor_id", 4843 (uint32_t)uap->processor_id)); 4844 } 4845 4846 /*ARGSUSED*/ 4847 static au_event_t 4848 aui_doorfs(au_event_t e) 4849 { 4850 uint32_t code; 4851 4852 struct a { /* doorfs */ 4853 long a1; 4854 long a2; 4855 long a3; 4856 long a4; 4857 long a5; 4858 long code; 4859 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4860 4861 /* 4862 * audit formats for several of the 4863 * door calls have not yet been determined 4864 */ 4865 code = (uint32_t)uap->code; 4866 switch (code) { 4867 case DOOR_CALL: 4868 e = AUE_DOORFS_DOOR_CALL; 4869 break; 4870 case DOOR_RETURN: 4871 e = AUE_NULL; 4872 break; 4873 case DOOR_CREATE: 4874 e = AUE_DOORFS_DOOR_CREATE; 4875 break; 4876 case DOOR_REVOKE: 4877 e = AUE_DOORFS_DOOR_REVOKE; 4878 break; 4879 case DOOR_INFO: 4880 e = AUE_NULL; 4881 break; 4882 case DOOR_UCRED: 4883 e = AUE_NULL; 4884 break; 4885 case DOOR_BIND: 4886 e = AUE_NULL; 4887 break; 4888 case DOOR_UNBIND: 4889 e = AUE_NULL; 4890 break; 4891 case DOOR_GETPARAM: 4892 e = AUE_NULL; 4893 break; 4894 case DOOR_SETPARAM: 4895 e = AUE_NULL; 4896 break; 4897 default: /* illegal system call */ 4898 e = AUE_NULL; 4899 break; 4900 } 4901 4902 return (e); 4903 } 4904 4905 static door_node_t * 4906 au_door_lookup(int did) 4907 { 4908 vnode_t *vp; 4909 file_t *fp; 4910 4911 if ((fp = getf(did)) == NULL) 4912 return (NULL); 4913 /* 4914 * Use the underlying vnode (we may be namefs mounted) 4915 */ 4916 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 4917 vp = fp->f_vnode; 4918 4919 if (vp == NULL || vp->v_type != VDOOR) { 4920 releasef(did); 4921 return (NULL); 4922 } 4923 4924 return (VTOD(vp)); 4925 } 4926 4927 /*ARGSUSED*/ 4928 static void 4929 aus_doorfs(struct t_audit_data *tad) 4930 { 4931 4932 struct a { /* doorfs */ 4933 long a1; 4934 long a2; 4935 long a3; 4936 long a4; 4937 long a5; 4938 long code; 4939 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4940 4941 door_node_t *dp; 4942 struct proc *p; 4943 uint32_t did; 4944 uid_t uid, ruid; 4945 gid_t gid, rgid; 4946 pid_t pid; 4947 const auditinfo_addr_t *ainfo; 4948 cred_t *cr; 4949 4950 did = (uint32_t)uap->a1; 4951 4952 switch (tad->tad_event) { 4953 case AUE_DOORFS_DOOR_CALL: 4954 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4955 if ((dp = au_door_lookup(did)) == NULL) 4956 break; 4957 4958 if (DOOR_INVALID(dp)) { 4959 releasef(did); 4960 break; 4961 } 4962 4963 if ((p = dp->door_target) == NULL) { 4964 releasef(did); 4965 break; 4966 } 4967 mutex_enter(&p->p_lock); 4968 releasef(did); 4969 4970 pid = p->p_pid; 4971 4972 mutex_enter(&p->p_crlock); 4973 crhold(cr = p->p_cred); 4974 mutex_exit(&p->p_crlock); 4975 mutex_exit(&p->p_lock); 4976 4977 ainfo = crgetauinfo(cr); 4978 if (ainfo == NULL) { 4979 crfree(cr); 4980 return; 4981 } 4982 uid = crgetuid(cr); 4983 gid = crgetgid(cr); 4984 ruid = crgetruid(cr); 4985 rgid = crgetrgid(cr); 4986 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4987 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4988 crfree(cr); 4989 break; 4990 case AUE_DOORFS_DOOR_RETURN: 4991 /* 4992 * We may want to write information about 4993 * all doors (if any) which will be copied 4994 * by this call to the user space 4995 */ 4996 break; 4997 case AUE_DOORFS_DOOR_CREATE: 4998 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 4999 break; 5000 case AUE_DOORFS_DOOR_REVOKE: 5001 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5002 break; 5003 case AUE_DOORFS_DOOR_INFO: 5004 break; 5005 case AUE_DOORFS_DOOR_CRED: 5006 break; 5007 case AUE_DOORFS_DOOR_BIND: 5008 break; 5009 case AUE_DOORFS_DOOR_UNBIND: { 5010 break; 5011 } 5012 default: /* illegal system call */ 5013 break; 5014 } 5015 } 5016 5017 /*ARGSUSED*/ 5018 static au_event_t 5019 aui_acl(au_event_t e) 5020 { 5021 struct a { 5022 union { 5023 long name; /* char */ 5024 long fd; 5025 } obj; 5026 5027 long cmd; 5028 long nentries; 5029 long arg; /* aclent_t */ 5030 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5031 5032 switch (uap->cmd) { 5033 case SETACL: 5034 case ACE_SETACL: 5035 /* 5036 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5037 * are expected. 5038 */ 5039 break; 5040 case GETACL: 5041 case GETACLCNT: 5042 case ACE_GETACLCNT: 5043 /* do nothing for these two values. */ 5044 e = AUE_NULL; 5045 break; 5046 default: 5047 /* illegal system call */ 5048 break; 5049 } 5050 5051 return (e); 5052 } 5053 5054 static void 5055 au_acl(int cmd, int nentries, caddr_t bufp) 5056 { 5057 size_t a_size; 5058 aclent_t *aclbufp; 5059 ace_t *acebufp; 5060 int i; 5061 5062 switch (cmd) { 5063 case GETACL: 5064 case GETACLCNT: 5065 break; 5066 case SETACL: 5067 if (nentries < 3) 5068 break; 5069 5070 a_size = nentries * sizeof (aclent_t); 5071 5072 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5073 break; 5074 if (copyin(bufp, aclbufp, a_size)) { 5075 kmem_free(aclbufp, a_size); 5076 break; 5077 } 5078 for (i = 0; i < nentries; i++) { 5079 au_uwrite(au_to_acl(aclbufp + i)); 5080 } 5081 kmem_free(aclbufp, a_size); 5082 break; 5083 5084 case ACE_SETACL: 5085 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5086 break; 5087 5088 a_size = nentries * sizeof (ace_t); 5089 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5090 break; 5091 if (copyin(bufp, acebufp, a_size)) { 5092 kmem_free(acebufp, a_size); 5093 break; 5094 } 5095 for (i = 0; i < nentries; i++) { 5096 au_uwrite(au_to_ace(acebufp + i)); 5097 } 5098 kmem_free(acebufp, a_size); 5099 break; 5100 default: 5101 break; 5102 } 5103 } 5104 5105 /*ARGSUSED*/ 5106 static void 5107 aus_acl(struct t_audit_data *tad) 5108 { 5109 struct a { 5110 long fname; 5111 long cmd; 5112 long nentries; 5113 long aclbufp; 5114 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5115 5116 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5117 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5118 5119 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5120 } 5121 5122 /*ARGSUSED*/ 5123 static void 5124 aus_facl(struct t_audit_data *tad) 5125 { 5126 struct a { 5127 long fd; 5128 long cmd; 5129 long nentries; 5130 long aclbufp; 5131 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5132 struct file *fp; 5133 struct vnode *vp; 5134 struct f_audit_data *fad; 5135 int fd; 5136 5137 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5138 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5139 5140 fd = (int)uap->fd; 5141 5142 if ((fp = getf(fd)) == NULL) 5143 return; 5144 5145 /* get path from file struct here */ 5146 fad = F2A(fp); 5147 if (fad->fad_aupath != NULL) { 5148 au_uwrite(au_to_path(fad->fad_aupath)); 5149 } else { 5150 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5151 } 5152 5153 vp = fp->f_vnode; 5154 audit_attributes(vp); 5155 5156 /* decrement file descriptor reference count */ 5157 releasef(fd); 5158 5159 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5160 } 5161 5162 /*ARGSUSED*/ 5163 static void 5164 auf_read(tad, error, rval) 5165 struct t_audit_data *tad; 5166 int error; 5167 rval_t *rval; 5168 { 5169 struct file *fp; 5170 struct f_audit_data *fad; 5171 int fd; 5172 register struct a { 5173 long fd; 5174 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5175 au_kcontext_t *kctx = GET_KCTX_PZ; 5176 5177 fd = (int)uap->fd; 5178 5179 /* 5180 * convert file pointer to file descriptor 5181 * Note: fd ref count incremented here. 5182 */ 5183 if ((fp = getf(fd)) == NULL) 5184 return; 5185 5186 /* get path from file struct here */ 5187 fad = F2A(fp); 5188 ASSERT(fad); 5189 5190 /* 5191 * already processed this file for read attempt 5192 * 5193 * XXX might be better to turn off auditing in a aui_read() routine. 5194 */ 5195 if (fad->fad_flags & FAD_READ) { 5196 /* don't really want to audit every read attempt */ 5197 tad->tad_flag = 0; 5198 /* free any residual audit data */ 5199 au_close(kctx, &(u_ad), 0, 0, 0); 5200 releasef(fd); 5201 return; 5202 } 5203 /* mark things so we know what happened and don't repeat things */ 5204 fad->fad_flags |= FAD_READ; 5205 5206 if (fad->fad_aupath != NULL) { 5207 au_uwrite(au_to_path(fad->fad_aupath)); 5208 } else { 5209 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5210 } 5211 5212 /* include attributes */ 5213 audit_attributes(fp->f_vnode); 5214 5215 /* decrement file descriptor reference count */ 5216 releasef(fd); 5217 } 5218 5219 /*ARGSUSED*/ 5220 static void 5221 auf_write(tad, error, rval) 5222 struct t_audit_data *tad; 5223 int error; 5224 rval_t *rval; 5225 { 5226 struct file *fp; 5227 struct f_audit_data *fad; 5228 int fd; 5229 register struct a { 5230 long fd; 5231 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5232 au_kcontext_t *kctx = GET_KCTX_PZ; 5233 5234 fd = (int)uap->fd; 5235 5236 /* 5237 * convert file pointer to file descriptor 5238 * Note: fd ref count incremented here. 5239 */ 5240 if ((fp = getf(fd)) == NULL) 5241 return; 5242 5243 /* get path from file struct here */ 5244 fad = F2A(fp); 5245 ASSERT(fad); 5246 5247 /* 5248 * already processed this file for write attempt 5249 * 5250 * XXX might be better to turn off auditing in a aus_write() routine. 5251 */ 5252 if (fad->fad_flags & FAD_WRITE) { 5253 /* don't really want to audit every write attempt */ 5254 tad->tad_flag = 0; 5255 /* free any residual audit data */ 5256 au_close(kctx, &(u_ad), 0, 0, 0); 5257 releasef(fd); 5258 return; 5259 } 5260 /* mark things so we know what happened and don't repeat things */ 5261 fad->fad_flags |= FAD_WRITE; 5262 5263 if (fad->fad_aupath != NULL) { 5264 au_uwrite(au_to_path(fad->fad_aupath)); 5265 } else { 5266 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5267 } 5268 5269 /* include attributes */ 5270 audit_attributes(fp->f_vnode); 5271 5272 /* decrement file descriptor reference count */ 5273 releasef(fd); 5274 } 5275 5276 /*ARGSUSED*/ 5277 static void 5278 auf_recv(tad, error, rval) 5279 struct t_audit_data *tad; 5280 int error; 5281 rval_t *rval; 5282 { 5283 struct sonode *so; 5284 char so_laddr[sizeof (struct sockaddr_in6)]; 5285 char so_faddr[sizeof (struct sockaddr_in6)]; 5286 struct file *fp; 5287 struct f_audit_data *fad; 5288 int fd; 5289 int err; 5290 int len; 5291 short so_family, so_type; 5292 register struct a { 5293 long fd; 5294 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5295 au_kcontext_t *kctx = GET_KCTX_PZ; 5296 5297 /* 5298 * If there was an error, then nothing to do. Only generate 5299 * audit record on first successful recv. 5300 */ 5301 if (error) { 5302 /* Turn off audit record generation here. */ 5303 tad->tad_flag = 0; 5304 /* free any residual audit data */ 5305 au_close(kctx, &(u_ad), 0, 0, 0); 5306 return; 5307 } 5308 5309 fd = (int)uap->fd; 5310 5311 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5312 /* Turn off audit record generation here. */ 5313 tad->tad_flag = 0; 5314 /* free any residual audit data */ 5315 au_close(kctx, &(u_ad), 0, 0, 0); 5316 return; 5317 } 5318 5319 /* get path from file struct here */ 5320 fad = F2A(fp); 5321 ASSERT(fad); 5322 5323 /* 5324 * already processed this file for read attempt 5325 */ 5326 if (fad->fad_flags & FAD_READ) { 5327 releasef(fd); 5328 /* don't really want to audit every recv call */ 5329 tad->tad_flag = 0; 5330 /* free any residual audit data */ 5331 au_close(kctx, &(u_ad), 0, 0, 0); 5332 return; 5333 } 5334 5335 /* mark things so we know what happened and don't repeat things */ 5336 fad->fad_flags |= FAD_READ; 5337 5338 so_family = so->so_family; 5339 so_type = so->so_type; 5340 5341 switch (so_family) { 5342 case AF_INET: 5343 case AF_INET6: 5344 /* 5345 * Only for connections. 5346 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5347 */ 5348 if (so->so_state & SS_ISBOUND) { 5349 5350 bzero((void *)so_laddr, sizeof (so_laddr)); 5351 bzero((void *)so_faddr, sizeof (so_faddr)); 5352 5353 /* only done once on a connection */ 5354 (void) SOP_GETSOCKNAME(so); 5355 (void) SOP_GETPEERNAME(so); 5356 5357 /* get local and foreign addresses */ 5358 mutex_enter(&so->so_lock); 5359 len = min(so->so_laddr_len, sizeof (so_laddr)); 5360 bcopy(so->so_laddr_sa, so_laddr, len); 5361 len = min(so->so_faddr_len, sizeof (so_faddr)); 5362 bcopy(so->so_faddr_sa, so_faddr, len); 5363 mutex_exit(&so->so_lock); 5364 5365 /* 5366 * only way to drop out of switch. Note that we 5367 * we release fd below. 5368 */ 5369 5370 break; 5371 } 5372 5373 releasef(fd); 5374 5375 /* don't really want to audit every recv call */ 5376 tad->tad_flag = 0; 5377 /* free any residual audit data */ 5378 au_close(kctx, &(u_ad), 0, 0, 0); 5379 5380 return; 5381 5382 case AF_UNIX: 5383 5384 if (fad->fad_aupath != NULL) { 5385 au_uwrite(au_to_path(fad->fad_aupath)); 5386 } else { 5387 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5388 } 5389 5390 audit_attributes(fp->f_vnode); 5391 5392 releasef(fd); 5393 5394 return; 5395 5396 default: 5397 releasef(fd); 5398 5399 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5400 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5401 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5402 5403 return; 5404 } 5405 5406 releasef(fd); 5407 5408 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5409 5410 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5411 5412 } 5413 5414 /*ARGSUSED*/ 5415 static void 5416 auf_send(tad, error, rval) 5417 struct t_audit_data *tad; 5418 int error; 5419 rval_t *rval; 5420 { 5421 struct sonode *so; 5422 char so_laddr[sizeof (struct sockaddr_in6)]; 5423 char so_faddr[sizeof (struct sockaddr_in6)]; 5424 struct file *fp; 5425 struct f_audit_data *fad; 5426 int fd; 5427 int err; 5428 int len; 5429 short so_family, so_type; 5430 register struct a { 5431 long fd; 5432 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5433 au_kcontext_t *kctx = GET_KCTX_PZ; 5434 5435 fd = (int)uap->fd; 5436 5437 /* 5438 * If there was an error, then nothing to do. Only generate 5439 * audit record on first successful send. 5440 */ 5441 if (error != 0) { 5442 /* Turn off audit record generation here. */ 5443 tad->tad_flag = 0; 5444 /* free any residual audit data */ 5445 au_close(kctx, &(u_ad), 0, 0, 0); 5446 return; 5447 } 5448 5449 fd = (int)uap->fd; 5450 5451 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5452 /* Turn off audit record generation here. */ 5453 tad->tad_flag = 0; 5454 /* free any residual audit data */ 5455 au_close(kctx, &(u_ad), 0, 0, 0); 5456 return; 5457 } 5458 5459 /* get path from file struct here */ 5460 fad = F2A(fp); 5461 ASSERT(fad); 5462 5463 /* 5464 * already processed this file for write attempt 5465 */ 5466 if (fad->fad_flags & FAD_WRITE) { 5467 releasef(fd); 5468 /* don't really want to audit every send call */ 5469 tad->tad_flag = 0; 5470 /* free any residual audit data */ 5471 au_close(kctx, &(u_ad), 0, 0, 0); 5472 return; 5473 } 5474 5475 /* mark things so we know what happened and don't repeat things */ 5476 fad->fad_flags |= FAD_WRITE; 5477 5478 so_family = so->so_family; 5479 so_type = so->so_type; 5480 5481 switch (so_family) { 5482 case AF_INET: 5483 case AF_INET6: 5484 /* 5485 * Only for connections. 5486 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5487 */ 5488 if (so->so_state & SS_ISBOUND) { 5489 5490 bzero((void *)so_laddr, sizeof (so_laddr)); 5491 bzero((void *)so_faddr, sizeof (so_faddr)); 5492 5493 /* only done once on a connection */ 5494 (void) SOP_GETSOCKNAME(so); 5495 (void) SOP_GETPEERNAME(so); 5496 5497 /* get local and foreign addresses */ 5498 mutex_enter(&so->so_lock); 5499 len = min(so->so_laddr_len, sizeof (so_laddr)); 5500 bcopy(so->so_laddr_sa, so_laddr, len); 5501 len = min(so->so_faddr_len, sizeof (so_faddr)); 5502 bcopy(so->so_faddr_sa, so_faddr, len); 5503 mutex_exit(&so->so_lock); 5504 5505 /* 5506 * only way to drop out of switch. Note that we 5507 * we release fd below. 5508 */ 5509 5510 break; 5511 } 5512 5513 releasef(fd); 5514 /* don't really want to audit every send call */ 5515 tad->tad_flag = 0; 5516 /* free any residual audit data */ 5517 au_close(kctx, &(u_ad), 0, 0, 0); 5518 5519 return; 5520 5521 case AF_UNIX: 5522 5523 if (fad->fad_aupath != NULL) { 5524 au_uwrite(au_to_path(fad->fad_aupath)); 5525 } else { 5526 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5527 } 5528 5529 audit_attributes(fp->f_vnode); 5530 5531 releasef(fd); 5532 5533 return; 5534 5535 default: 5536 releasef(fd); 5537 5538 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5539 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5540 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5541 5542 return; 5543 } 5544 5545 releasef(fd); 5546 5547 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5548 5549 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5550 } 5551 5552 static au_event_t 5553 aui_forksys(au_event_t e) 5554 { 5555 struct a { 5556 long subcode; 5557 long flags; 5558 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5559 5560 switch ((uint_t)uap->subcode) { 5561 case 0: 5562 e = AUE_FORK1; 5563 break; 5564 case 1: 5565 e = AUE_FORKALL; 5566 break; 5567 case 2: 5568 e = AUE_VFORK; 5569 break; 5570 default: 5571 e = AUE_NULL; 5572 break; 5573 } 5574 5575 return (e); 5576 } 5577 5578 /*ARGSUSED*/ 5579 static au_event_t 5580 aui_portfs(au_event_t e) 5581 { 5582 struct a { /* portfs */ 5583 long a1; 5584 long a2; 5585 long a3; 5586 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5587 5588 /* 5589 * check opcode 5590 */ 5591 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5592 case PORT_ASSOCIATE: 5593 case PORT_DISSOCIATE: 5594 /* 5595 * check source 5596 */ 5597 if ((uint_t)uap->a3 == PORT_SOURCE_FILE) { 5598 e = AUE_PORTFS; 5599 } else { 5600 e = AUE_NULL; 5601 } 5602 break; 5603 default: 5604 e = AUE_NULL; 5605 } 5606 return (e); 5607 } 5608