xref: /titanic_50/usr/src/uts/common/c2/audit_event.c (revision 56dd2b4519ecc7832e0656be6ddafdd86c164b25)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * This file contains the audit event table used to control the production
31  * of audit records for each system call.
32  */
33 
34 #include <sys/policy.h>
35 #include <sys/cred.h>
36 #include <sys/types.h>
37 #include <sys/systm.h>
38 #include <sys/systeminfo.h>	/* for sysinfo auditing */
39 #include <sys/utsname.h>	/* for sysinfo auditing */
40 #include <sys/proc.h>
41 #include <sys/vnode.h>
42 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
43 #include <sys/fcntl.h>
44 #include <sys/modctl.h>		/* for modctl auditing */
45 #include <sys/vnode.h>
46 #include <sys/user.h>
47 #include <sys/types.h>
48 #include <sys/processor.h>
49 #include <sys/procset.h>
50 #include <sys/acl.h>
51 #include <sys/ipc.h>
52 #include <sys/door.h>
53 #include <sys/sem.h>
54 #include <sys/msg.h>
55 #include <sys/shm.h>
56 #include <sys/kmem.h>
57 #include <sys/file.h>		/* for accept */
58 #include <sys/utssys.h>		/* for fuser */
59 #include <sys/tsol/label.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <netinet/in.h>
76 #include <sys/ddi.h>
77 #include <sys/port_impl.h>
78 
79 
80 int	au_naevent;
81 char	_depends_on[] = "fs/sockfs";
82 
83 static au_event_t	aui_null(au_event_t);
84 static au_event_t	aui_open(au_event_t);
85 static au_event_t	aui_fsat(au_event_t);
86 static au_event_t	aui_msgsys(au_event_t);
87 static au_event_t	aui_shmsys(au_event_t);
88 static au_event_t	aui_semsys(au_event_t);
89 static au_event_t	aui_utssys(au_event_t);
90 static au_event_t	aui_fcntl(au_event_t);
91 static au_event_t	aui_execv(au_event_t);
92 static au_event_t	aui_execve(au_event_t);
93 static au_event_t	aui_memcntl(au_event_t);
94 static au_event_t	aui_sysinfo(au_event_t);
95 static au_event_t	aui_portfs(au_event_t);
96 static au_event_t	aui_auditsys(au_event_t);
97 static au_event_t	aui_modctl(au_event_t);
98 static au_event_t	aui_acl(au_event_t);
99 static au_event_t	aui_doorfs(au_event_t);
100 static au_event_t	aui_privsys(au_event_t);
101 static au_event_t	aui_forksys(au_event_t);
102 
103 static void	aus_null(struct t_audit_data *);
104 static void	aus_open(struct t_audit_data *);
105 static void	aus_acl(struct t_audit_data *);
106 static void	aus_acct(struct t_audit_data *);
107 static void	aus_chown(struct t_audit_data *);
108 static void	aus_fchown(struct t_audit_data *);
109 static void	aus_lchown(struct t_audit_data *);
110 static void	aus_chmod(struct t_audit_data *);
111 static void	aus_facl(struct t_audit_data *);
112 static void	aus_fchmod(struct t_audit_data *);
113 static void	aus_fcntl(struct t_audit_data *);
114 static void	aus_fsat(struct t_audit_data *);
115 static void	aus_mkdir(struct t_audit_data *);
116 static void	aus_mknod(struct t_audit_data *);
117 static void	aus_mount(struct t_audit_data *);
118 static void	aus_umount(struct t_audit_data *);
119 static void	aus_umount2(struct t_audit_data *);
120 static void	aus_msgsys(struct t_audit_data *);
121 static void	aus_semsys(struct t_audit_data *);
122 static void	aus_close(struct t_audit_data *);
123 static void	aus_fstatfs(struct t_audit_data *);
124 static void	aus_setgid(struct t_audit_data *);
125 static void	aus_setuid(struct t_audit_data *);
126 static void	aus_shmsys(struct t_audit_data *);
127 static void	aus_doorfs(struct t_audit_data *);
128 static void	aus_ioctl(struct t_audit_data *);
129 static void	aus_memcntl(struct t_audit_data *);
130 static void	aus_mmap(struct t_audit_data *);
131 static void	aus_munmap(struct t_audit_data *);
132 static void	aus_priocntlsys(struct t_audit_data *);
133 static void	aus_setegid(struct t_audit_data *);
134 static void	aus_setgroups(struct t_audit_data *);
135 static void	aus_seteuid(struct t_audit_data *);
136 static void	aus_putmsg(struct t_audit_data *);
137 static void	aus_putpmsg(struct t_audit_data *);
138 static void	aus_getmsg(struct t_audit_data *);
139 static void	aus_getpmsg(struct t_audit_data *);
140 static void	aus_auditsys(struct t_audit_data *);
141 static void	aus_sysinfo(struct t_audit_data *);
142 static void	aus_modctl(struct t_audit_data *);
143 static void	aus_kill(struct t_audit_data *);
144 static void	aus_xmknod(struct t_audit_data *);
145 static void	aus_setregid(struct t_audit_data *);
146 static void	aus_setreuid(struct t_audit_data *);
147 
148 static void	auf_null(struct t_audit_data *, int, rval_t *);
149 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
150 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
151 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
152 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
153 #if 0
154 static void	auf_open(struct t_audit_data *, int, rval_t *);
155 #endif
156 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
157 static void	auf_read(struct t_audit_data *, int, rval_t *);
158 static void	auf_write(struct t_audit_data *, int, rval_t *);
159 
160 static void	aus_sigqueue(struct t_audit_data *);
161 static void	aus_p_online(struct t_audit_data *);
162 static void	aus_processor_bind(struct t_audit_data *);
163 static void	aus_inst_sync(struct t_audit_data *);
164 static void	aus_brandsys(struct t_audit_data *);
165 
166 static void	auf_accept(struct t_audit_data *, int, rval_t *);
167 
168 static void	auf_bind(struct t_audit_data *, int, rval_t *);
169 static void	auf_connect(struct t_audit_data *, int, rval_t *);
170 static void	aus_shutdown(struct t_audit_data *);
171 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
172 static void	aus_sockconfig(struct t_audit_data *);
173 static void	auf_recv(struct t_audit_data *, int, rval_t *);
174 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
175 static void	auf_send(struct t_audit_data *, int, rval_t *);
176 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
177 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
178 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
179 static void	aus_socket(struct t_audit_data *);
180 /*
181  * This table contains mapping information for converting system call numbers
182  * to audit event IDs. In several cases it is necessary to map a single system
183  * call to several events.
184  */
185 
186 struct audit_s2e audit_s2e[] =
187 {
188 /*
189  * ----------	---------- 	----------	----------
190  * INITIAL	AUDIT		START		SYSTEM
191  * PROCESSING	EVENT		PROCESSING	CALL
192  * ----------	----------	----------	-----------
193  *		FINISH		EVENT
194  *		PROCESSING	CONTROL
195  * ----------------------------------------------------------
196  */
197 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
198 		auf_null,	0,
199 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
200 		auf_null,	S2E_NPT,
201 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
202 		auf_null,	0,
203 aui_null,	AUE_READ,	aus_null,	/* 3 read */
204 		auf_read,	S2E_PUB,
205 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
206 		auf_write,	0,
207 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
208 		auf_null,	S2E_SP,
209 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
210 		auf_null,	0,
211 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
212 		auf_null,	0,
213 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
214 		auf_null,	S2E_SP,
215 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
216 		auf_null,	0,
217 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
218 		auf_null,	0,
219 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
220 		auf_null,	S2E_MLD,
221 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
222 		auf_null,	S2E_SP,
223 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
224 		auf_null,	0,
225 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
226 		auf_mknod,	0,
227 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
228 		auf_null,	0,
229 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
230 		auf_null,	0,
231 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
232 		auf_null,	0,
233 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
234 		auf_null,	S2E_PUB,
235 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
236 		auf_null,	0,
237 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
238 		auf_null,	0,
239 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
240 		auf_null,	S2E_MLD,
241 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
242 		auf_null,	0,
243 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
244 		auf_null,	0,
245 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
246 		auf_null,	0,
247 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
248 		auf_null,	0,
249 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
250 		auf_null,	0,
251 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
254 		auf_null,	0,
255 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
256 		auf_null,	0,
257 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
262 		auf_null,	0,
263 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
264 		auf_null,	S2E_PUB,
265 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
266 		auf_null,	0,
267 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
268 		auf_null,	S2E_PUB,
269 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
270 		auf_null,	0,
271 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
272 		auf_null,	0,
273 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
274 		auf_null,	S2E_PUB,
275 aui_null,	AUE_SETPGRP,	aus_null,	/* 39 setpgrp */
276 		auf_null,	0,
277 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
278 		auf_null,	0,
279 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
280 		auf_null,	0,
281 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
282 		auf_null,	0,
283 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
288 						/*	was proc lock */
289 		auf_null,	0,
290 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
291 		auf_null,	0,
292 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
293 		auf_null,	0,
294 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
295 		auf_null,	0,
296 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
297 		auf_msgsys,	0,
298 #if defined(__x86)
299 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
300 		auf_null,	0,
301 #else
302 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
303 		auf_null,	0,
304 #endif /* __x86 */
305 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
306 		auf_null,	0,
307 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
308 		auf_shmsys,	0,
309 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
310 		auf_semsys,	0,
311 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
312 		auf_null,	0,
313 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
314 		auf_null,	0,
315 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
316 		auf_null,	0,
317 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
318 		auf_null,	0,
319 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
320 		auf_null,	0,
321 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
322 		auf_null,	S2E_MLD,
323 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
324 		auf_null,	0,
325 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
326 		auf_null,	S2E_SP,
327 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
328 		auf_null,	0,
329 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
330 		auf_null,	0,
331 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
332 		auf_null,	0,
333 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
334 		auf_null,	0,
335 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
336 		auf_null,	0,
337 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
338 						/*	file locking call */
339 		auf_null,	0,
340 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
341 						/*	local system calls */
342 		auf_null,	0,
343 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
344 		auf_null,	0,
345 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
346 		auf_null,	0,
347 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
348 		auf_null,	0,
349 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
350 		auf_null,	0,
351 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
352 		auf_null,	0,
353 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
354 		auf_null,	0,
355 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
356 						/*	was sigret (SunOS) */
357 		auf_null,	0,
358 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
361 		auf_null,	0,
362 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
363 		auf_null,	0,
364 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
365 		auf_null,	0,
366 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
367 		auf_null,	0,
368 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
369 		auf_null,	0,
370 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
371 						/*	was libattach */
372 		auf_null,	0,
373 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
374 						/*	was libdetach */
375 		auf_null,	0,
376 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
377 		auf_null,	0,
378 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
379 		auf_null,	0,
380 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
381 		auf_null,	0,
382 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
383 		auf_null,	0,
384 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
385 		auf_null,	S2E_PUB,
386 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
387 		auf_null,	0,
388 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
389 		auf_null,	S2E_PUB,
390 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
391 		auf_null,	0,
392 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
393 		auf_null,	0,
394 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
395 		auf_null,	0,
396 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
397 		auf_null,	0,
398 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
409 		auf_null,	0,
410 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
411 		auf_null,	0,
412 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
413 						/*	was evtrapret */
414 		auf_null,	0,
415 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
416 		auf_null,	S2E_PUB,
417 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
418 		auf_null,	0,
419 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
420 		auf_null,	0,
421 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
422 		auf_null,	0,
423 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
424 		auf_null,	0,
425 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
426 		auf_null,	0,
427 #if defined(__x86)
428 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
429 		auf_null,	0,
430 #else
431 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
432 		auf_null,	0,
433 #endif /* __x86 */
434 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
435 		auf_null,	0,
436 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
437 		auf_null,	0,
438 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
439 		auf_null,	0,		/* 112 priocntlsys */
440 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
441 		auf_null,	S2E_PUB,
442 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
443 		auf_null,	0,
444 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
445 		auf_null,	0,
446 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
447 		auf_null,	0,
448 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
449 		auf_null,	0,
450 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
451 		auf_null,	0,
452 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
453 		auf_null,	0,
454 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
455 		auf_null,	0,
456 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
457 		auf_read,	S2E_PUB,
458 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
459 		auf_write,	0,
460 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
461 		auf_null,	S2E_PUB,
462 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
463 		auf_null,	S2E_PUB,
464 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
465 		auf_null,	0,
466 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
467 		auf_xmknod,	0,
468 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
469 		auf_null,	0,
470 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
471 		auf_null,	0,
472 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
473 		auf_null,	0,
474 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
475 		auf_null,	0,
476 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
477 		auf_null,	0,
478 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
479 		auf_null,	0,
480 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
481 		auf_null,	0,
482 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
483 		auf_null,	0,
484 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
485 		auf_null,	0,
486 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
487 		auf_null,	0,
488 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
489 		auf_null,	0,
490 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
491 		auf_null,	0,
492 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
493 		auf_null,	0,
494 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
495 		auf_null,	0,
496 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
497 		auf_null,	0,
498 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
499 		auf_null,	0,
500 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
501 		auf_null,	0,
502 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
503 		auf_null,	0,
504 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
505 		auf_null,	0,
506 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
515 		auf_null,	0,
516 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
517 		auf_null,	0,
518 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
519 		auf_null,	0,
520 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
521 		auf_null,	0,
522 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
545 						/*	was lwp_setprivate */
546 		auf_null,	0,
547 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
548 						/*	was lwp_getprivate */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
551 		auf_null,	0,
552 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
553 		auf_null,	0,
554 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
555 		auf_null,	0,
556 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
557 		auf_null,	0,
558 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
559 		auf_null,	0,
560 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
561 		auf_null,	0,
562 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
563 		auf_read,	S2E_PUB,
564 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
565 		auf_write,	0,
566 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
567 		auf_null,	0,
568 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
569 						/* aus_inst_sync */
570 		auf_null,	0,
571 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
576 		auf_null,	0,
577 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
578 		auf_null,	0,
579 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
580 		auf_null,	0,
581 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
582 		auf_null,	0,
583 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
584 		auf_null,	0,
585 aui_null,	AUE_NULL,	aus_null,	/* 184 (loadable) tsolsys */
586 		auf_null,	0,
587 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
588 		auf_null,	0,
589 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
590 		auf_null,	0,
591 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
592 		auf_null,	0,		/* 187 processor_bind */
593 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
594 		auf_null,	0,
595 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
596 		auf_null,	0,
597 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
600 		auf_null,	0,
601 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
612 		auf_null,	0,
613 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
614 		auf_null,	0,
615 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
616 		auf_null,	0,
617 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
618 		auf_null,	0,
619 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
620 		auf_null,	0,
621 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
622 		auf_null,	0,
623 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
640 		auf_null,	0,
641 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
642 		auf_null,	0,
643 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
644 		auf_null,	0,
645 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
646 		auf_null,	0,
647 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
648 		auf_null,	S2E_PUB,
649 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
650 		auf_null,	S2E_PUB,
651 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
652 		auf_null,	0,
653 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
654 		auf_null,	S2E_PUB,
655 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
656 		auf_null,	0,
657 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
658 		auf_null,	0,
659 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
660 		auf_null,	0,
661 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
662 		auf_read,	S2E_PUB,
663 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
664 		auf_write,	0,
665 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
666 		auf_null,	S2E_SP,
667 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
668 		auf_null,	S2E_SP,
669 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
670 		auf_null,	0,
671 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
674 		auf_null,	0,
675 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
676 		auf_null,	0,
677 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
678 		auf_null,	0,
679 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
680 		auf_null,	0,
681 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
682 		auf_bind,	0,
683 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
684 		auf_null,	0,
685 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
686 		auf_accept,	0,
687 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
688 		auf_connect,	0,
689 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
690 		auf_null,	0,
691 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
692 		auf_recv,	0,
693 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
694 		auf_recvfrom,	0,
695 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
696 		auf_recvmsg,	0,
697 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
698 		auf_send,	0,
699 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
700 		auf_sendmsg,	0,
701 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
702 		auf_sendto,	0,
703 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
704 		auf_null,	0,
705 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
706 		auf_null,	0,
707 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
708 		auf_null,	0,
709 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
710 		auf_setsockopt,	0,
711 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
712 		auf_null,	0,
713 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
714 		auf_null,	0,
715 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
722 		auf_null,	0,
723 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
724 		auf_null,	0,
725 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
726 		auf_null,	0,
727 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
728 		auf_null,	0
729 };
730 
731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
732 
733 /* null start function */
734 /*ARGSUSED*/
735 static void
736 aus_null(struct t_audit_data *tad)
737 {
738 }
739 
740 /* acct start function */
741 /*ARGSUSED*/
742 static void
743 aus_acct(struct t_audit_data *tad)
744 {
745 	klwp_t *clwp = ttolwp(curthread);
746 	uintptr_t fname;
747 
748 	struct a {
749 		long	fname;		/* char * */
750 	} *uap = (struct a *)clwp->lwp_ap;
751 
752 	fname = (uintptr_t)uap->fname;
753 
754 	if (fname == 0)
755 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
756 }
757 
758 /* chown start function */
759 /*ARGSUSED*/
760 static void
761 aus_chown(struct t_audit_data *tad)
762 {
763 	klwp_t *clwp = ttolwp(curthread);
764 	uint32_t uid, gid;
765 
766 	struct a {
767 		long	fname;		/* char * */
768 		long	uid;
769 		long	gid;
770 	} *uap = (struct a *)clwp->lwp_ap;
771 
772 	uid = (uint32_t)uap->uid;
773 	gid = (uint32_t)uap->gid;
774 
775 	au_uwrite(au_to_arg32(2, "new file uid", uid));
776 	au_uwrite(au_to_arg32(3, "new file gid", gid));
777 }
778 
779 /* fchown start function */
780 /*ARGSUSED*/
781 static void
782 aus_fchown(struct t_audit_data *tad)
783 {
784 	klwp_t *clwp = ttolwp(curthread);
785 	uint32_t uid, gid, fd;
786 	struct file  *fp;
787 	struct vnode *vp;
788 	struct f_audit_data *fad;
789 
790 	struct a {
791 		long fd;
792 		long uid;
793 		long gid;
794 	} *uap = (struct a *)clwp->lwp_ap;
795 
796 	fd  = (uint32_t)uap->fd;
797 	uid = (uint32_t)uap->uid;
798 	gid = (uint32_t)uap->gid;
799 
800 	au_uwrite(au_to_arg32(2, "new file uid", uid));
801 	au_uwrite(au_to_arg32(3, "new file gid", gid));
802 
803 		/*
804 		 * convert file pointer to file descriptor
805 		 *   Note: fd ref count incremented here.
806 		 */
807 	if ((fp = getf(fd)) == NULL)
808 		return;
809 
810 	/* get path from file struct here */
811 	fad = F2A(fp);
812 	if (fad->fad_aupath != NULL) {
813 		au_uwrite(au_to_path(fad->fad_aupath));
814 	} else {
815 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
816 	}
817 
818 	vp = fp->f_vnode;
819 	audit_attributes(vp);
820 
821 	/* decrement file descriptor reference count */
822 	releasef(fd);
823 }
824 
825 /*ARGSUSED*/
826 static void
827 aus_lchown(struct t_audit_data *tad)
828 {
829 	klwp_t *clwp = ttolwp(curthread);
830 	uint32_t uid, gid;
831 
832 
833 	struct a {
834 		long	fname;		/* char	* */
835 		long	uid;
836 		long	gid;
837 	} *uap = (struct a *)clwp->lwp_ap;
838 
839 	uid = (uint32_t)uap->uid;
840 	gid = (uint32_t)uap->gid;
841 
842 	au_uwrite(au_to_arg32(2, "new file uid", uid));
843 	au_uwrite(au_to_arg32(3, "new file gid", gid));
844 }
845 
846 /* chmod start function */
847 /*ARGSUSED*/
848 static void
849 aus_chmod(struct t_audit_data *tad)
850 {
851 	klwp_t *clwp = ttolwp(curthread);
852 	uint32_t fmode;
853 
854 	struct a {
855 		long	fname;		/* char	* */
856 		long	fmode;
857 	} *uap = (struct a *)clwp->lwp_ap;
858 
859 	fmode = (uint32_t)uap->fmode;
860 
861 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
862 }
863 
864 /* chmod start function */
865 /*ARGSUSED*/
866 static void
867 aus_fchmod(struct t_audit_data *tad)
868 {
869 	klwp_t *clwp = ttolwp(curthread);
870 	uint32_t fmode, fd;
871 	struct file  *fp;
872 	struct vnode *vp;
873 	struct f_audit_data *fad;
874 
875 	struct a {
876 		long	fd;
877 		long	fmode;
878 	} *uap = (struct a *)clwp->lwp_ap;
879 
880 	fd = (uint32_t)uap->fd;
881 	fmode = (uint32_t)uap->fmode;
882 
883 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
884 
885 		/*
886 		 * convert file pointer to file descriptor
887 		 *   Note: fd ref count incremented here.
888 		 */
889 	if ((fp = getf(fd)) == NULL)
890 		return;
891 
892 		/* get path from file struct here */
893 	fad = F2A(fp);
894 	if (fad->fad_aupath != NULL) {
895 		au_uwrite(au_to_path(fad->fad_aupath));
896 	} else {
897 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
898 	}
899 
900 	vp = fp->f_vnode;
901 	audit_attributes(vp);
902 
903 	/* decrement file descriptor reference count */
904 	releasef(fd);
905 }
906 
907 /* null function */
908 /*ARGSUSED*/
909 static void
910 auf_null(struct t_audit_data *tad, int error, rval_t *rval)
911 {
912 }
913 
914 /* null function */
915 static au_event_t
916 aui_null(au_event_t e)
917 {
918 	return (e);
919 }
920 
921 /* convert open to appropriate event */
922 static au_event_t
923 aui_open(au_event_t e)
924 {
925 	klwp_t *clwp = ttolwp(curthread);
926 	uint_t fm;
927 
928 	struct a {
929 		long	fnamep;		/* char	* */
930 		long	fmode;
931 		long	cmode;
932 	} *uap = (struct a *)clwp->lwp_ap;
933 
934 	fm = (uint_t)uap->fmode;
935 
936 	if (fm & O_WRONLY)
937 		e = AUE_OPEN_W;
938 	else if (fm & O_RDWR)
939 		e = AUE_OPEN_RW;
940 	else
941 		e = AUE_OPEN_R;
942 
943 	if (fm & O_CREAT)
944 		e += 1;
945 	if (fm & O_TRUNC)
946 		e += 2;
947 
948 	return (e);
949 }
950 
951 /*ARGSUSED*/
952 static void
953 aus_open(struct t_audit_data *tad)
954 {
955 	klwp_t *clwp = ttolwp(curthread);
956 	uint_t fm;
957 
958 	struct a {
959 		long	fnamep;		/* char	* */
960 		long	fmode;
961 		long	cmode;
962 	} *uap = (struct a *)clwp->lwp_ap;
963 
964 	fm = (uint_t)uap->fmode;
965 
966 	/* If no write, create, or trunc modes, mark as a public op */
967 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
968 		tad->tad_ctrl |= PAD_PUBLIC_EV;
969 }
970 
971 /* convert openat(2) to appropriate event */
972 static au_event_t
973 aui_fsat(au_event_t e)
974 {
975 	t_audit_data_t	*tad = U2A(u);
976 	klwp_t *clwp = ttolwp(curthread);
977 	uint_t fmcode, fm;
978 	struct a {
979 		long id;
980 		long arg1;
981 		long arg2;
982 		long arg3;
983 		long arg4;
984 		long arg5;
985 	} *uap = (struct a *)clwp->lwp_ap;
986 
987 	fmcode  = (uint_t)uap->id;
988 
989 	switch (fmcode) {
990 
991 	case 0: /* openat */
992 	case 1: /* openat64 */
993 		fm = (uint_t)uap->arg3;
994 		if (fm & O_WRONLY)
995 			e = AUE_OPENAT_W;
996 		else if (fm & O_RDWR)
997 			e = AUE_OPENAT_RW;
998 		else
999 			e = AUE_OPENAT_R;
1000 
1001 		/*
1002 		 * openat modes are defined in the following order:
1003 		 * Read only
1004 		 * Read|Create
1005 		 * Read|Trunc
1006 		 * Read|Create|Trunc
1007 		 * Write Only
1008 		 * Write|Create
1009 		 * Write|Trunc
1010 		 * Write|Create|Trunc * RW Only
1011 		 * RW|Create
1012 		 * RW|Trunc
1013 		 * RW|Create|Trunc
1014 		 */
1015 		if (fm & O_CREAT)
1016 			e += 1;		/* increment to include CREAT in mode */
1017 		if (fm & O_TRUNC)
1018 			e += 2;		/* increment to include TRUNC in mode */
1019 
1020 		/* convert to appropriate au_ctrl */
1021 		tad->tad_ctrl |= PAD_SAVPATH;
1022 		if (fm & FXATTR)
1023 			tad->tad_ctrl |= PAD_ATPATH;
1024 
1025 
1026 		break;
1027 	case 2: /* fstatat64 */
1028 	case 3: /* fstatat */
1029 		e = AUE_FSTATAT;
1030 		break;
1031 	case 4: /* fchownat */
1032 		e = AUE_FCHOWNAT;
1033 		break;
1034 	case 5: /* unlinkat */
1035 		e = AUE_UNLINKAT;
1036 		break;
1037 	case 6: /* futimesat */
1038 		e = AUE_FUTIMESAT;
1039 		break;
1040 	case 7: /* renameat */
1041 		e = AUE_RENAMEAT;
1042 		break;
1043 	case 9: /* __openattrdirat */
1044 		tad->tad_ctrl |= PAD_SAVPATH;
1045 		/*FALLTHROUGH*/
1046 	default:
1047 		e = AUE_NULL;
1048 		break;
1049 	}
1050 
1051 	return (e);
1052 }
1053 
1054 /*ARGSUSED*/
1055 static void
1056 aus_fsat(struct t_audit_data *tad)
1057 {
1058 	klwp_t *clwp = ttolwp(curthread);
1059 	uint_t fmcode, fm;
1060 	struct a {
1061 		long id;
1062 		long arg1;
1063 		long arg2;
1064 		long arg3;
1065 		long arg4;
1066 		long arg5;
1067 	} *uap = (struct a *)clwp->lwp_ap;
1068 
1069 	fmcode  = (uint_t)uap->id;
1070 
1071 	switch (fmcode) {
1072 
1073 	case 0: /* openat */
1074 	case 1: /* openat64 */
1075 		fm = (uint_t)uap->arg3;
1076 		/* If no write, create, or trunc modes, mark as a public op */
1077 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1078 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1079 
1080 		break;
1081 	case 2: /* fstatat64 */
1082 	case 3: /* fstatat */
1083 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1084 		break;
1085 	default:
1086 		break;
1087 	}
1088 }
1089 
1090 /* msgsys */
1091 static au_event_t
1092 aui_msgsys(au_event_t e)
1093 {
1094 	klwp_t *clwp = ttolwp(curthread);
1095 	uint_t fm;
1096 
1097 	struct a {
1098 		long	id;	/* function code id */
1099 		long	ap;	/* arg pointer for recvmsg */
1100 	} *uap = (struct a *)clwp->lwp_ap;
1101 
1102 	struct b {
1103 		long	msgid;
1104 		long	cmd;
1105 		long	buf;	/* struct msqid_ds * */
1106 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1107 
1108 	fm  = (uint_t)uap->id;
1109 
1110 	switch (fm) {
1111 	case 0:		/* msgget */
1112 		e = AUE_MSGGET;
1113 		break;
1114 	case 1:		/* msgctl */
1115 		switch ((uint_t)uap1->cmd) {
1116 		case IPC_RMID:
1117 			e = AUE_MSGCTL_RMID;
1118 			break;
1119 		case IPC_SET:
1120 			e = AUE_MSGCTL_SET;
1121 			break;
1122 		case IPC_STAT:
1123 			e = AUE_MSGCTL_STAT;
1124 			break;
1125 		default:
1126 			e = AUE_MSGCTL;
1127 			break;
1128 		}
1129 		break;
1130 	case 2:		/* msgrcv */
1131 		e = AUE_MSGRCV;
1132 		break;
1133 	case 3:		/* msgsnd */
1134 		e = AUE_MSGSND;
1135 		break;
1136 	default:	/* illegal system call */
1137 		e = AUE_NULL;
1138 		break;
1139 	}
1140 
1141 	return (e);
1142 }
1143 
1144 
1145 /* shmsys */
1146 static au_event_t
1147 aui_shmsys(au_event_t e)
1148 {
1149 	klwp_t *clwp = ttolwp(curthread);
1150 	int fm;
1151 
1152 	struct a {		/* shmsys */
1153 		long	id;	/* function code id */
1154 	} *uap = (struct a *)clwp->lwp_ap;
1155 
1156 	struct b {		/* ctrl */
1157 		long	shmid;
1158 		long	cmd;
1159 		long	arg;		/* struct shmid_ds * */
1160 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1161 	fm  = (uint_t)uap->id;
1162 
1163 	switch (fm) {
1164 	case 0:		/* shmat */
1165 		e = AUE_SHMAT;
1166 		break;
1167 	case 1:		/* shmctl */
1168 		switch ((uint_t)uap1->cmd) {
1169 		case IPC_RMID:
1170 			e = AUE_SHMCTL_RMID;
1171 			break;
1172 		case IPC_SET:
1173 			e = AUE_SHMCTL_SET;
1174 			break;
1175 		case IPC_STAT:
1176 			e = AUE_SHMCTL_STAT;
1177 			break;
1178 		default:
1179 			e = AUE_SHMCTL;
1180 			break;
1181 		}
1182 		break;
1183 	case 2:		/* shmdt */
1184 		e = AUE_SHMDT;
1185 		break;
1186 	case 3:		/* shmget */
1187 		e = AUE_SHMGET;
1188 		break;
1189 	default:	/* illegal system call */
1190 		e = AUE_NULL;
1191 		break;
1192 	}
1193 
1194 	return (e);
1195 }
1196 
1197 
1198 /* semsys */
1199 static au_event_t
1200 aui_semsys(au_event_t e)
1201 {
1202 	klwp_t *clwp = ttolwp(curthread);
1203 	uint_t fm;
1204 
1205 	struct a {		/* semsys */
1206 		long	id;
1207 	} *uap = (struct a *)clwp->lwp_ap;
1208 
1209 	struct b {		/* ctrl */
1210 		long	semid;
1211 		long	semnum;
1212 		long	cmd;
1213 		long	arg;
1214 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1215 
1216 	fm = (uint_t)uap->id;
1217 
1218 	switch (fm) {
1219 	case 0:		/* semctl */
1220 		switch ((uint_t)uap1->cmd) {
1221 		case IPC_RMID:
1222 			e = AUE_SEMCTL_RMID;
1223 			break;
1224 		case IPC_SET:
1225 			e = AUE_SEMCTL_SET;
1226 			break;
1227 		case IPC_STAT:
1228 			e = AUE_SEMCTL_STAT;
1229 			break;
1230 		case GETNCNT:
1231 			e = AUE_SEMCTL_GETNCNT;
1232 			break;
1233 		case GETPID:
1234 			e = AUE_SEMCTL_GETPID;
1235 			break;
1236 		case GETVAL:
1237 			e = AUE_SEMCTL_GETVAL;
1238 			break;
1239 		case GETALL:
1240 			e = AUE_SEMCTL_GETALL;
1241 			break;
1242 		case GETZCNT:
1243 			e = AUE_SEMCTL_GETZCNT;
1244 			break;
1245 		case SETVAL:
1246 			e = AUE_SEMCTL_SETVAL;
1247 			break;
1248 		case SETALL:
1249 			e = AUE_SEMCTL_SETALL;
1250 			break;
1251 		default:
1252 			e = AUE_SEMCTL;
1253 			break;
1254 		}
1255 		break;
1256 	case 1:		/* semget */
1257 		e = AUE_SEMGET;
1258 		break;
1259 	case 2:		/* semop */
1260 		e = AUE_SEMOP;
1261 		break;
1262 	default:	/* illegal system call */
1263 		e = AUE_NULL;
1264 		break;
1265 	}
1266 
1267 	return (e);
1268 }
1269 
1270 /* utssys - uname(2), ustat(2), fusers(2) */
1271 static au_event_t
1272 aui_utssys(au_event_t e)
1273 {
1274 	klwp_t *clwp = ttolwp(curthread);
1275 	uint_t type;
1276 
1277 	struct a {
1278 		union {
1279 			long	cbuf;		/* char * */
1280 			long	ubuf;		/* struct stat * */
1281 		} ub;
1282 		union {
1283 			long	mv;	/* for USTAT */
1284 			long	flags;	/* for FUSERS */
1285 		} un;
1286 		long	type;
1287 		long	outbp;		/* char * for FUSERS */
1288 	} *uap = (struct a *)clwp->lwp_ap;
1289 
1290 	type = (uint_t)uap->type;
1291 
1292 	if (type == UTS_FUSERS)
1293 		return (e);
1294 	else
1295 		return ((au_event_t)AUE_NULL);
1296 }
1297 
1298 static au_event_t
1299 aui_fcntl(au_event_t e)
1300 {
1301 	klwp_t *clwp = ttolwp(curthread);
1302 	uint_t cmd;
1303 
1304 	struct a {
1305 		long	fdes;
1306 		long	cmd;
1307 		long	arg;
1308 	} *uap = (struct a *)clwp->lwp_ap;
1309 
1310 	cmd = (uint_t)uap->cmd;
1311 
1312 	switch (cmd) {
1313 	case F_GETLK:
1314 	case F_SETLK:
1315 	case F_SETLKW:
1316 		break;
1317 	case F_SETFL:
1318 	case F_GETFL:
1319 	case F_GETFD:
1320 		break;
1321 	default:
1322 		e = (au_event_t)AUE_NULL;
1323 		break;
1324 	}
1325 	return ((au_event_t)e);
1326 }
1327 
1328 /* null function for now */
1329 static au_event_t
1330 aui_execv(au_event_t e)
1331 {
1332 	return (e);
1333 }
1334 
1335 /* null function for now */
1336 static au_event_t
1337 aui_execve(au_event_t e)
1338 {
1339 	return (e);
1340 }
1341 
1342 /*ARGSUSED*/
1343 static void
1344 aus_fcntl(struct t_audit_data *tad)
1345 {
1346 	klwp_t *clwp = ttolwp(curthread);
1347 	uint32_t cmd, fd;
1348 	struct file  *fp;
1349 	struct vnode *vp;
1350 	struct f_audit_data *fad;
1351 
1352 	struct a {
1353 		long	fd;
1354 		long	cmd;
1355 		long	arg;
1356 	} *uap = (struct a *)clwp->lwp_ap;
1357 
1358 	cmd = (uint32_t)uap->cmd;
1359 	fd  = (uint32_t)uap->fd;
1360 
1361 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1362 
1363 		/*
1364 		 * convert file pointer to file descriptor
1365 		 *   Note: fd ref count incremented here.
1366 		 */
1367 	if ((fp = getf(fd)) == NULL)
1368 		return;
1369 
1370 	/* get path from file struct here */
1371 	fad = F2A(fp);
1372 	if (fad->fad_aupath != NULL) {
1373 		au_uwrite(au_to_path(fad->fad_aupath));
1374 	} else {
1375 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1376 	}
1377 
1378 	vp = fp->f_vnode;
1379 	audit_attributes(vp);
1380 
1381 	/* decrement file descriptor reference count */
1382 	releasef(fd);
1383 }
1384 
1385 /*ARGSUSED*/
1386 static void
1387 aus_kill(struct t_audit_data *tad)
1388 {
1389 	klwp_t *clwp = ttolwp(curthread);
1390 	struct proc *p;
1391 	uint32_t signo;
1392 	uid_t uid, ruid;
1393 	gid_t gid, rgid;
1394 	pid_t pid;
1395 	const auditinfo_addr_t *ainfo;
1396 	cred_t *cr;
1397 
1398 	struct a {
1399 		long	pid;
1400 		long	signo;
1401 	} *uap = (struct a *)clwp->lwp_ap;
1402 
1403 	pid   = (pid_t)uap->pid;
1404 	signo = (uint32_t)uap->signo;
1405 
1406 	au_uwrite(au_to_arg32(2, "signal", signo));
1407 	if (pid > 0) {
1408 		mutex_enter(&pidlock);
1409 		if (((p = prfind(pid)) == (struct proc *)0) ||
1410 		    (p->p_stat == SIDL)) {
1411 			mutex_exit(&pidlock);
1412 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1413 			return;
1414 		}
1415 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1416 		mutex_exit(&pidlock);
1417 
1418 		mutex_enter(&p->p_crlock);
1419 		crhold(cr = p->p_cred);
1420 		mutex_exit(&p->p_crlock);
1421 		mutex_exit(&p->p_lock);
1422 
1423 		ainfo = crgetauinfo(cr);
1424 		if (ainfo == NULL) {
1425 			crfree(cr);
1426 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1427 			return;
1428 		}
1429 
1430 		uid  = crgetuid(cr);
1431 		gid  = crgetgid(cr);
1432 		ruid = crgetruid(cr);
1433 		rgid = crgetrgid(cr);
1434 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1435 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1436 
1437 		if (is_system_labeled())
1438 			au_uwrite(au_to_label(CR_SL(cr)));
1439 
1440 		crfree(cr);
1441 	}
1442 	else
1443 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1444 }
1445 
1446 /*ARGSUSED*/
1447 static void
1448 aus_mkdir(struct t_audit_data *tad)
1449 {
1450 	klwp_t *clwp = ttolwp(curthread);
1451 	uint32_t dmode;
1452 
1453 	struct a {
1454 		long	dirnamep;		/* char * */
1455 		long	dmode;
1456 	} *uap = (struct a *)clwp->lwp_ap;
1457 
1458 	dmode = (uint32_t)uap->dmode;
1459 
1460 	au_uwrite(au_to_arg32(2, "mode", dmode));
1461 }
1462 
1463 /*ARGSUSED*/
1464 static void
1465 aus_mknod(struct t_audit_data *tad)
1466 {
1467 	klwp_t *clwp = ttolwp(curthread);
1468 	uint32_t fmode;
1469 	dev_t dev;
1470 
1471 	struct a {
1472 		long	pnamep;		/* char * */
1473 		long	fmode;
1474 		long	dev;
1475 	} *uap = (struct a *)clwp->lwp_ap;
1476 
1477 	fmode = (uint32_t)uap->fmode;
1478 	dev   = (dev_t)uap->dev;
1479 
1480 	au_uwrite(au_to_arg32(2, "mode", fmode));
1481 #ifdef _LP64
1482 	au_uwrite(au_to_arg64(3, "dev", dev));
1483 #else
1484 	au_uwrite(au_to_arg32(3, "dev", dev));
1485 #endif
1486 }
1487 
1488 /*ARGSUSED*/
1489 static void
1490 aus_xmknod(struct t_audit_data *tad)
1491 {
1492 	klwp_t *clwp = ttolwp(curthread);
1493 	uint32_t fmode;
1494 	dev_t dev;
1495 
1496 	struct a {
1497 		long	version;	/* version */
1498 		long	pnamep;		/* char * */
1499 		long	fmode;
1500 		long	dev;
1501 	} *uap = (struct a *)clwp->lwp_ap;
1502 
1503 	fmode = (uint32_t)uap->fmode;
1504 	dev   = (dev_t)uap->dev;
1505 
1506 	au_uwrite(au_to_arg32(2, "mode", fmode));
1507 #ifdef _LP64
1508 	au_uwrite(au_to_arg64(3, "dev", dev));
1509 #else
1510 	au_uwrite(au_to_arg32(3, "dev", dev));
1511 #endif
1512 }
1513 
1514 /*ARGSUSED*/
1515 static void
1516 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1517 {
1518 	klwp_t *clwp = ttolwp(curthread);
1519 	vnode_t	*dvp;
1520 	caddr_t pnamep;
1521 
1522 	struct a {
1523 		long	pnamep;		/* char * */
1524 		long	fmode;
1525 		long	dev;
1526 	} *uap = (struct a *)clwp->lwp_ap;
1527 
1528 	/* no error, then already path token in audit record */
1529 	if (error != EPERM)
1530 		return;
1531 
1532 	/* not auditing this event, nothing then to do */
1533 	if (tad->tad_flag == 0)
1534 		return;
1535 
1536 	/* do the lookup to force generation of path token */
1537 	pnamep = (caddr_t)uap->pnamep;
1538 	tad->tad_ctrl |= PAD_NOATTRB;
1539 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1540 	if (error == 0)
1541 		VN_RELE(dvp);
1542 }
1543 
1544 /*ARGSUSED*/
1545 static void
1546 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1547 {
1548 	klwp_t *clwp = ttolwp(curthread);
1549 	vnode_t	*dvp;
1550 	caddr_t pnamep;
1551 
1552 	struct a {
1553 		long	version;	/* version */
1554 		long	pnamep;		/* char * */
1555 		long	fmode;
1556 		long	dev;
1557 	} *uap = (struct a *)clwp->lwp_arg;
1558 
1559 
1560 	/* no error, then already path token in audit record */
1561 	if (error != EPERM)
1562 		return;
1563 
1564 	/* not auditing this event, nothing then to do */
1565 	if (tad->tad_flag == 0)
1566 		return;
1567 
1568 	/* do the lookup to force generation of path token */
1569 	pnamep = (caddr_t)uap->pnamep;
1570 	tad->tad_ctrl |= PAD_NOATTRB;
1571 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1572 	if (error == 0)
1573 		VN_RELE(dvp);
1574 }
1575 
1576 /*ARGSUSED*/
1577 static void
1578 aus_mount(struct t_audit_data *tad)
1579 {	/* AUS_START */
1580 	klwp_t *clwp = ttolwp(curthread);
1581 	uint32_t flags;
1582 	uintptr_t u_fstype, dataptr;
1583 	STRUCT_DECL(nfs_args, nfsargs);
1584 	size_t len;
1585 	char *fstype, *hostname;
1586 
1587 	struct a {
1588 		long	spec;		/* char    * */
1589 		long	dir;		/* char    * */
1590 		long	flags;
1591 		long	fstype;		/* char    * */
1592 		long	dataptr;	/* char    * */
1593 		long	datalen;
1594 	} *uap = (struct a *)clwp->lwp_ap;
1595 
1596 	u_fstype = (uintptr_t)uap->fstype;
1597 	flags    = (uint32_t)uap->flags;
1598 	dataptr  = (uintptr_t)uap->dataptr;
1599 
1600 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1601 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1602 		goto mount_free_fstype;
1603 
1604 	au_uwrite(au_to_arg32(3, "flags", flags));
1605 	au_uwrite(au_to_text(fstype));
1606 
1607 	if (strncmp(fstype, "nfs", 3) == 0) {
1608 
1609 		STRUCT_INIT(nfsargs, get_udatamodel());
1610 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1611 
1612 		if (copyin((caddr_t)dataptr,
1613 				STRUCT_BUF(nfsargs),
1614 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1615 			/* DEBUG debug_enter((char *)NULL); */
1616 			goto mount_free_fstype;
1617 		}
1618 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1619 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1620 				(caddr_t)hostname,
1621 				MAXNAMELEN, &len)) {
1622 			goto mount_free_hostname;
1623 		}
1624 		au_uwrite(au_to_text(hostname));
1625 		au_uwrite(au_to_arg32(3, "internal flags",
1626 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1627 
1628 mount_free_hostname:
1629 		kmem_free(hostname, MAXNAMELEN);
1630 	}
1631 
1632 mount_free_fstype:
1633 	kmem_free(fstype, MAXNAMELEN);
1634 }	/* AUS_MOUNT */
1635 
1636 static void
1637 aus_umount_path(caddr_t umount_dir)
1638 {
1639 	char			*dir_path;
1640 	struct audit_path	*path;
1641 	size_t			path_len, dir_len;
1642 
1643 	/* length alloc'd for two string pointers */
1644 	path_len = sizeof (struct audit_path) + sizeof (char *);
1645 	path = kmem_alloc(path_len, KM_SLEEP);
1646 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1647 
1648 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1649 	    MAXPATHLEN, &dir_len))
1650 		goto umount2_free_dir;
1651 
1652 	/*
1653 	 * the audit_path struct assumes that the buffer pointed to
1654 	 * by audp_sect[n] contains string 0 immediatedly followed
1655 	 * by string 1.
1656 	 */
1657 	path->audp_sect[0] = dir_path;
1658 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1659 	path->audp_size = path_len;
1660 	path->audp_ref = 1;		/* not used */
1661 	path->audp_cnt = 1;		/* one path string */
1662 
1663 	au_uwrite(au_to_path(path));
1664 
1665 umount2_free_dir:
1666 	kmem_free(dir_path, MAXPATHLEN);
1667 	kmem_free(path, path_len);
1668 }
1669 
1670 /*
1671  * the umount syscall is implemented as a call to umount2, but the args
1672  * are different...
1673  */
1674 
1675 /*ARGSUSED*/
1676 static void
1677 aus_umount(struct t_audit_data *tad)
1678 {
1679 	klwp_t			*clwp = ttolwp(curthread);
1680 	struct a {
1681 		long	dir;		/* char    * */
1682 	} *uap = (struct a *)clwp->lwp_ap;
1683 
1684 	aus_umount_path((caddr_t)uap->dir);
1685 }
1686 
1687 /*ARGSUSED*/
1688 static void
1689 aus_umount2(struct t_audit_data *tad)
1690 {
1691 	klwp_t			*clwp = ttolwp(curthread);
1692 	struct a {
1693 		long	dir;		/* char    * */
1694 		long	flags;
1695 	} *uap = (struct a *)clwp->lwp_ap;
1696 
1697 	aus_umount_path((caddr_t)uap->dir);
1698 
1699 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1700 }
1701 
1702 static void
1703 aus_msgsys(struct t_audit_data *tad)
1704 {
1705 	klwp_t *clwp = ttolwp(curthread);
1706 	uint32_t msgid;
1707 
1708 	struct b {
1709 		long	msgid;
1710 		long	cmd;
1711 		long	buf;		/* struct msqid_ds * */
1712 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1713 
1714 	msgid = (uint32_t)uap1->msgid;
1715 
1716 
1717 	switch (tad->tad_event) {
1718 	case AUE_MSGGET:		/* msgget */
1719 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1720 		break;
1721 	case AUE_MSGCTL:		/* msgctl */
1722 	case AUE_MSGCTL_RMID:		/* msgctl */
1723 	case AUE_MSGCTL_STAT:		/* msgctl */
1724 	case AUE_MSGRCV:		/* msgrcv */
1725 	case AUE_MSGSND:		/* msgsnd */
1726 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1727 		break;
1728 	case AUE_MSGCTL_SET:		/* msgctl */
1729 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1730 		break;
1731 	}
1732 }
1733 
1734 /*ARGSUSED*/
1735 static void
1736 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1737 {
1738 	int id;
1739 
1740 	if (error != 0)
1741 		return;
1742 	if (tad->tad_event == AUE_MSGGET) {
1743 		uint32_t scid;
1744 		uint32_t sy_flags;
1745 
1746 		/* need to determine type of executing binary */
1747 		scid = tad->tad_scid;
1748 #ifdef _SYSCALL32_IMPL
1749 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1750 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1751 		else
1752 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1753 #else
1754 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1755 #endif
1756 		if (sy_flags == SE_32RVAL1)
1757 			id = rval->r_val1;
1758 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1759 			id = rval->r_val1;
1760 		if (sy_flags == SE_64RVAL)
1761 			id = (int)rval->r_vals;
1762 
1763 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1764 	}
1765 }
1766 
1767 static void
1768 aus_semsys(struct t_audit_data *tad)
1769 {
1770 	klwp_t *clwp = ttolwp(curthread);
1771 	uint32_t semid;
1772 
1773 	struct b {		/* ctrl */
1774 		long	semid;
1775 		long	semnum;
1776 		long	cmd;
1777 		long	arg;
1778 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1779 
1780 	semid = (uint32_t)uap1->semid;
1781 
1782 	switch (tad->tad_event) {
1783 	case AUE_SEMCTL_RMID:
1784 	case AUE_SEMCTL_STAT:
1785 	case AUE_SEMCTL_GETNCNT:
1786 	case AUE_SEMCTL_GETPID:
1787 	case AUE_SEMCTL_GETVAL:
1788 	case AUE_SEMCTL_GETALL:
1789 	case AUE_SEMCTL_GETZCNT:
1790 	case AUE_SEMCTL_SETVAL:
1791 	case AUE_SEMCTL_SETALL:
1792 	case AUE_SEMCTL:
1793 	case AUE_SEMOP:
1794 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1795 		break;
1796 	case AUE_SEMCTL_SET:
1797 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1798 		break;
1799 	case AUE_SEMGET:
1800 		au_uwrite(au_to_arg32(1, "sem key", semid));
1801 		break;
1802 	}
1803 }
1804 
1805 /*ARGSUSED*/
1806 static void
1807 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1808 {
1809 	int id;
1810 
1811 	if (error != 0)
1812 		return;
1813 	if (tad->tad_event == AUE_SEMGET) {
1814 		uint32_t scid;
1815 		uint32_t sy_flags;
1816 
1817 		/* need to determine type of executing binary */
1818 		scid = tad->tad_scid;
1819 #ifdef _SYSCALL32_IMPL
1820 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1821 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1822 		else
1823 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1824 #else
1825 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1826 #endif
1827 		if (sy_flags == SE_32RVAL1)
1828 			id = rval->r_val1;
1829 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1830 			id = rval->r_val1;
1831 		if (sy_flags == SE_64RVAL)
1832 			id = (int)rval->r_vals;
1833 
1834 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1835 	}
1836 }
1837 
1838 /*ARGSUSED*/
1839 static void
1840 aus_close(struct t_audit_data *tad)
1841 {
1842 	klwp_t *clwp = ttolwp(curthread);
1843 	uint32_t fd;
1844 	struct file *fp;
1845 	struct f_audit_data *fad;
1846 	struct vnode *vp;
1847 	struct vattr attr;
1848 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1849 
1850 	struct a {
1851 		long	i;
1852 	} *uap = (struct a *)clwp->lwp_ap;
1853 
1854 	fd = (uint32_t)uap->i;
1855 
1856 	attr.va_mask = 0;
1857 	au_uwrite(au_to_arg32(1, "fd", fd));
1858 
1859 		/*
1860 		 * convert file pointer to file descriptor
1861 		 *   Note: fd ref count incremented here.
1862 		 */
1863 	if ((fp = getf(fd)) == NULL)
1864 		return;
1865 
1866 	fad = F2A(fp);
1867 	tad->tad_evmod = (short)fad->fad_flags;
1868 	if (fad->fad_aupath != NULL) {
1869 		au_uwrite(au_to_path(fad->fad_aupath));
1870 		if ((vp = fp->f_vnode) != NULL) {
1871 			attr.va_mask = AT_ALL;
1872 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1873 				/*
1874 				 * When write was not used and the file can be
1875 				 * considered public, skip the audit.
1876 				 */
1877 				if (((fp->f_flag & FWRITE) == 0) &&
1878 				    file_is_public(&attr)) {
1879 					tad->tad_flag = 0;
1880 					tad->tad_evmod = 0;
1881 					/* free any residual audit data */
1882 					au_close(kctx, &(u_ad), 0, 0, 0);
1883 					releasef(fd);
1884 					return;
1885 				}
1886 				au_uwrite(au_to_attr(&attr));
1887 				audit_sec_attributes(&(u_ad), vp);
1888 			}
1889 		}
1890 	}
1891 
1892 	/* decrement file descriptor reference count */
1893 	releasef(fd);
1894 }
1895 
1896 /*ARGSUSED*/
1897 static void
1898 aus_fstatfs(struct t_audit_data *tad)
1899 {
1900 	klwp_t *clwp = ttolwp(curthread);
1901 	uint32_t fd;
1902 	struct file  *fp;
1903 	struct vnode *vp;
1904 	struct f_audit_data *fad;
1905 
1906 	struct a {
1907 		long	fd;
1908 		long	buf;		/* struct statfs * */
1909 	} *uap = (struct a *)clwp->lwp_ap;
1910 
1911 	fd = (uint_t)uap->fd;
1912 
1913 		/*
1914 		 * convert file pointer to file descriptor
1915 		 *   Note: fd ref count incremented here.
1916 		 */
1917 	if ((fp = getf(fd)) == NULL)
1918 		return;
1919 
1920 		/* get path from file struct here */
1921 	fad = F2A(fp);
1922 	if (fad->fad_aupath != NULL) {
1923 		au_uwrite(au_to_path(fad->fad_aupath));
1924 	} else {
1925 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1926 	}
1927 
1928 	vp = fp->f_vnode;
1929 	audit_attributes(vp);
1930 
1931 	/* decrement file descriptor reference count */
1932 	releasef(fd);
1933 }
1934 
1935 #ifdef NOTYET
1936 /*ARGSUSED*/
1937 static void
1938 aus_setpgrp(struct t_audit_data *tad)
1939 {
1940 	klwp_t *clwp = ttolwp(curthread);
1941 	uint32_t pgrp;
1942 	struct proc *p;
1943 	uid_t uid, ruid;
1944 	gid_t gid, rgid;
1945 	pid_t pid;
1946 	const auditinfo_addr_t *ainfo;
1947 	cred_t *cr;
1948 
1949 	struct a {
1950 		long	pid;
1951 		long	pgrp;
1952 	} *uap = (struct a *)clwp->lwp_ap;
1953 
1954 	pid  = (pid_t)uap->pid;
1955 	pgrp = (uint32_t)uap->pgrp;
1956 
1957 		/* current process? */
1958 	if (pid == 0)
1959 		(return);
1960 
1961 	mutex_enter(&pidlock);
1962 	p = prfind(pid);
1963 	if (p == NULL || p->p_as == &kas) {
1964 		mutex_exit(&pidlock);
1965 		return;
1966 	}
1967 	mutex_enter(&p->p_lock);	/* so process doesn't go away */
1968 	mutex_exit(&pidlock);
1969 
1970 	mutex_enter(&p->p_crlock);
1971 	crhold(cr = p->p_cred);
1972 	mutex_exit(&p->p_crlock);
1973 	mutex_exit(&p->p_lock);
1974 
1975 	ainfo = crgetauinfo(cr);
1976 	if (ainfo == NULL) {
1977 		crfree(cr);
1978 		return;
1979 	}
1980 
1981 	uid  = crgetuid(cr);
1982 	gid  = crgetgid(cr);
1983 	ruid = crgetruid(cr);
1984 	rgid = crgetrgid(cr);
1985 	au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1986 	    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1987 	crfree(cr);
1988 	au_uwrite(au_to_arg32(2, "pgrp", pgrp));
1989 }
1990 #endif
1991 
1992 /*ARGSUSED*/
1993 static void
1994 aus_setregid(struct t_audit_data *tad)
1995 {
1996 	klwp_t *clwp = ttolwp(curthread);
1997 	uint32_t rgid, egid;
1998 
1999 	struct a {
2000 		long	 rgid;
2001 		long	 egid;
2002 	} *uap = (struct a *)clwp->lwp_ap;
2003 
2004 	rgid  = (uint32_t)uap->rgid;
2005 	egid  = (uint32_t)uap->egid;
2006 
2007 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2008 	au_uwrite(au_to_arg32(2, "egid", egid));
2009 }
2010 
2011 /*ARGSUSED*/
2012 static void
2013 aus_setgid(struct t_audit_data *tad)
2014 {
2015 	klwp_t *clwp = ttolwp(curthread);
2016 	uint32_t gid;
2017 
2018 	struct a {
2019 		long	gid;
2020 	} *uap = (struct a *)clwp->lwp_ap;
2021 
2022 	gid = (uint32_t)uap->gid;
2023 
2024 	au_uwrite(au_to_arg32(1, "gid", gid));
2025 }
2026 
2027 
2028 /*ARGSUSED*/
2029 static void
2030 aus_setreuid(struct t_audit_data *tad)
2031 {
2032 	klwp_t *clwp = ttolwp(curthread);
2033 	uint32_t ruid, euid;
2034 
2035 	struct a {
2036 		long	ruid;
2037 		long	euid;
2038 	} *uap = (struct a *)clwp->lwp_ap;
2039 
2040 	ruid = (uint32_t)uap->ruid;
2041 	euid  = (uint32_t)uap->euid;
2042 
2043 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2044 	au_uwrite(au_to_arg32(2, "euid", euid));
2045 }
2046 
2047 
2048 /*ARGSUSED*/
2049 static void
2050 aus_setuid(struct t_audit_data *tad)
2051 {
2052 	klwp_t *clwp = ttolwp(curthread);
2053 	uint32_t uid;
2054 
2055 	struct a {
2056 		long	uid;
2057 	} *uap = (struct a *)clwp->lwp_ap;
2058 
2059 	uid = (uint32_t)uap->uid;
2060 
2061 	au_uwrite(au_to_arg32(1, "uid", uid));
2062 }
2063 
2064 /*ARGSUSED*/
2065 static void
2066 aus_shmsys(struct t_audit_data *tad)
2067 {
2068 	klwp_t *clwp = ttolwp(curthread);
2069 	uint32_t id, cmd;
2070 
2071 	struct b {
2072 		long	id;
2073 		long	cmd;
2074 		long	buf;		/* struct shmid_ds * */
2075 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2076 
2077 	id  = (uint32_t)uap1->id;
2078 	cmd = (uint32_t)uap1->cmd;
2079 
2080 	switch (tad->tad_event) {
2081 	case AUE_SHMGET:			/* shmget */
2082 		au_uwrite(au_to_arg32(1, "shm key", id));
2083 		break;
2084 	case AUE_SHMCTL:			/* shmctl */
2085 	case AUE_SHMCTL_RMID:			/* shmctl */
2086 	case AUE_SHMCTL_STAT:			/* shmctl */
2087 	case AUE_SHMCTL_SET:			/* shmctl */
2088 		au_uwrite(au_to_arg32(1, "shm ID", id));
2089 		break;
2090 	case AUE_SHMDT:				/* shmdt */
2091 		au_uwrite(au_to_arg32(1, "shm adr", id));
2092 		break;
2093 	case AUE_SHMAT:				/* shmat */
2094 		au_uwrite(au_to_arg32(1, "shm ID", id));
2095 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2096 		break;
2097 	}
2098 }
2099 
2100 /*ARGSUSED*/
2101 static void
2102 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2103 {
2104 	int id;
2105 
2106 	if (error != 0)
2107 		return;
2108 	if (tad->tad_event == AUE_SHMGET) {
2109 		uint32_t scid;
2110 		uint32_t sy_flags;
2111 
2112 		/* need to determine type of executing binary */
2113 		scid = tad->tad_scid;
2114 #ifdef _SYSCALL32_IMPL
2115 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2116 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2117 		else
2118 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2119 #else
2120 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2121 #endif
2122 		if (sy_flags == SE_32RVAL1)
2123 			id = rval->r_val1;
2124 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2125 			id = rval->r_val1;
2126 		if (sy_flags == SE_64RVAL)
2127 			id = (int)rval->r_vals;
2128 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2129 	}
2130 }
2131 
2132 
2133 /*ARGSUSED*/
2134 static void
2135 aus_ioctl(struct t_audit_data *tad)
2136 {
2137 	klwp_t *clwp = ttolwp(curthread);
2138 	struct file *fp;
2139 	struct vnode *vp;
2140 	struct f_audit_data *fad;
2141 	uint32_t fd, cmd;
2142 	uintptr_t cmarg;
2143 
2144 	/* XX64 */
2145 	struct a {
2146 		long	fd;
2147 		long	cmd;
2148 		long	cmarg;		/* caddr_t */
2149 	} *uap = (struct a *)clwp->lwp_ap;
2150 
2151 	fd    = (uint32_t)uap->fd;
2152 	cmd   = (uint32_t)uap->cmd;
2153 	cmarg = (uintptr_t)uap->cmarg;
2154 
2155 		/*
2156 		 * convert file pointer to file descriptor
2157 		 *   Note: fd ref count incremented here.
2158 		 */
2159 	if ((fp = getf(fd)) == NULL) {
2160 		au_uwrite(au_to_arg32(1, "fd", fd));
2161 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2162 #ifndef _LP64
2163 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2164 #else
2165 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2166 #endif
2167 		return;
2168 	}
2169 
2170 	/* get path from file struct here */
2171 	fad = F2A(fp);
2172 	if (fad->fad_aupath != NULL) {
2173 		au_uwrite(au_to_path(fad->fad_aupath));
2174 	} else {
2175 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2176 	}
2177 
2178 	vp = fp->f_vnode;
2179 	audit_attributes(vp);
2180 
2181 	/* decrement file descriptor reference count */
2182 	releasef(fd);
2183 
2184 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2185 #ifndef _LP64
2186 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2187 #else
2188 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2189 #endif
2190 }
2191 
2192 /*
2193  * null function for memcntl for now. We might want to limit memcntl()
2194  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2195  * require privileges.
2196  */
2197 static au_event_t
2198 aui_memcntl(au_event_t e)
2199 {
2200 	return (e);
2201 }
2202 
2203 /*ARGSUSED*/
2204 static au_event_t
2205 aui_privsys(au_event_t e)
2206 {
2207 	klwp_t *clwp = ttolwp(curthread);
2208 
2209 	struct a {
2210 		long	opcode;
2211 	} *uap = (struct a *)clwp->lwp_ap;
2212 
2213 	switch (uap->opcode) {
2214 	case PRIVSYS_SETPPRIV:
2215 		return (AUE_SETPPRIV);
2216 	default:
2217 		return (AUE_NULL);
2218 	}
2219 }
2220 
2221 /*ARGSUSED*/
2222 static void
2223 aus_memcntl(struct t_audit_data *tad)
2224 {
2225 	klwp_t *clwp = ttolwp(curthread);
2226 
2227 	struct a {
2228 		long	addr;
2229 		long	len;
2230 		long	cmd;
2231 		long	arg;
2232 		long	attr;
2233 		long	mask;
2234 	} *uap = (struct a *)clwp->lwp_ap;
2235 
2236 #ifdef _LP64
2237 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2238 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2239 #else
2240 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2241 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2242 #endif
2243 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2244 #ifdef _LP64
2245 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2246 #else
2247 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2248 #endif
2249 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2250 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2251 }
2252 
2253 /*ARGSUSED*/
2254 static void
2255 aus_mmap(struct t_audit_data *tad)
2256 {
2257 	klwp_t *clwp = ttolwp(curthread);
2258 	struct file *fp;
2259 	struct f_audit_data *fad;
2260 	struct vnode *vp;
2261 	uint32_t fd;
2262 
2263 	struct a {
2264 		long	addr;
2265 		long	len;
2266 		long	prot;
2267 		long	flags;
2268 		long	fd;
2269 		long	pos;
2270 	} *uap = (struct a *)clwp->lwp_ap;
2271 
2272 	fd = (uint32_t)uap->fd;
2273 
2274 #ifdef _LP64
2275 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2276 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2277 #else
2278 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2279 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2280 #endif
2281 
2282 	if ((fp = getf(fd)) == NULL) {
2283 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2284 		return;
2285 	}
2286 
2287 	/*
2288 	 * Mark in the tad if write access is NOT requested... if
2289 	 * this is later detected (in audit_attributes) to be a
2290 	 * public object, the mmap event may be discarded.
2291 	 */
2292 	if (((uap->prot) & PROT_WRITE) == 0) {
2293 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2294 	}
2295 
2296 	fad = F2A(fp);
2297 	if (fad->fad_aupath != NULL) {
2298 		au_uwrite(au_to_path(fad->fad_aupath));
2299 	} else {
2300 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2301 	}
2302 
2303 	vp = (struct vnode *)fp->f_vnode;
2304 	audit_attributes(vp);
2305 
2306 	/* mark READ/WRITE since we can't predict access */
2307 	if (uap->prot & PROT_READ)
2308 		fad->fad_flags |= FAD_READ;
2309 	if (uap->prot & PROT_WRITE)
2310 		fad->fad_flags |= FAD_WRITE;
2311 
2312 	/* decrement file descriptor reference count */
2313 	releasef(fd);
2314 
2315 }	/* AUS_MMAP */
2316 
2317 
2318 
2319 
2320 /*ARGSUSED*/
2321 static void
2322 aus_munmap(struct t_audit_data *tad)
2323 {
2324 	klwp_t *clwp = ttolwp(curthread);
2325 
2326 	struct a {
2327 		long	addr;
2328 		long	len;
2329 	} *uap = (struct a *)clwp->lwp_ap;
2330 
2331 #ifdef _LP64
2332 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2333 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2334 #else
2335 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2336 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2337 #endif
2338 
2339 }	/* AUS_MUNMAP */
2340 
2341 
2342 
2343 
2344 
2345 
2346 
2347 /*ARGSUSED*/
2348 static void
2349 aus_priocntlsys(struct t_audit_data *tad)
2350 {
2351 	klwp_t *clwp = ttolwp(curthread);
2352 
2353 	struct a {
2354 		long	pc_version;
2355 		long	psp;		/* procset_t */
2356 		long	cmd;
2357 		long	arg;
2358 	} *uap = (struct a *)clwp->lwp_ap;
2359 
2360 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2361 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2362 
2363 }	/* AUS_PRIOCNTLSYS */
2364 
2365 
2366 /*ARGSUSED*/
2367 static void
2368 aus_setegid(struct t_audit_data *tad)
2369 {
2370 	klwp_t *clwp = ttolwp(curthread);
2371 	uint32_t gid;
2372 
2373 	struct a {
2374 		long	gid;
2375 	} *uap = (struct a *)clwp->lwp_ap;
2376 
2377 	gid = (uint32_t)uap->gid;
2378 
2379 	au_uwrite(au_to_arg32(1, "gid", gid));
2380 }	/* AUS_SETEGID */
2381 
2382 
2383 
2384 
2385 /*ARGSUSED*/
2386 static void
2387 aus_setgroups(struct t_audit_data *tad)
2388 {
2389 	klwp_t *clwp = ttolwp(curthread);
2390 	int i;
2391 	int gidsetsize;
2392 	uintptr_t gidset;
2393 	gid_t *gidlist;
2394 
2395 	struct a {
2396 		long	gidsetsize;
2397 		long	gidset;
2398 	} *uap = (struct a *)clwp->lwp_ap;
2399 
2400 	gidsetsize = (uint_t)uap->gidsetsize;
2401 	gidset = (uintptr_t)uap->gidset;
2402 
2403 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2404 		return;
2405 	if (gidsetsize != 0) {
2406 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2407 		    KM_SLEEP);
2408 		if (copyin((caddr_t)gidset, gidlist,
2409 		    gidsetsize * sizeof (gid_t)) == 0)
2410 			for (i = 0; i < gidsetsize; i++)
2411 				au_uwrite(au_to_arg32(1, "setgroups",
2412 				    (uint32_t)gidlist[i]));
2413 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2414 	} else
2415 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2416 
2417 }	/* AUS_SETGROUPS */
2418 
2419 
2420 
2421 
2422 
2423 /*ARGSUSED*/
2424 static void
2425 aus_seteuid(struct t_audit_data *tad)
2426 {
2427 	klwp_t *clwp = ttolwp(curthread);
2428 	uint32_t uid;
2429 
2430 	struct a {
2431 		long	uid;
2432 	} *uap = (struct a *)clwp->lwp_ap;
2433 
2434 	uid = (uint32_t)uap->uid;
2435 
2436 	au_uwrite(au_to_arg32(1, "euid", uid));
2437 
2438 }	/* AUS_SETEUID */
2439 
2440 /*ARGSUSED*/
2441 static void
2442 aus_putmsg(struct t_audit_data *tad)
2443 {
2444 	klwp_t *clwp = ttolwp(curthread);
2445 	uint32_t fd, pri;
2446 	struct file *fp;
2447 	struct f_audit_data *fad;
2448 
2449 	struct a {
2450 		long	fdes;
2451 		long	ctl;		/* struct strbuf * */
2452 		long	data;		/* struct strbuf * */
2453 		long	pri;
2454 	} *uap = (struct a *)clwp->lwp_ap;
2455 
2456 	fd  = (uint32_t)uap->fdes;
2457 	pri = (uint32_t)uap->pri;
2458 
2459 	au_uwrite(au_to_arg32(1, "fd", fd));
2460 
2461 	if ((fp = getf(fd)) != NULL) {
2462 		fad = F2A(fp);
2463 
2464 		fad->fad_flags |= FAD_WRITE;
2465 
2466 		/* add path name to audit record */
2467 		if (fad->fad_aupath != NULL) {
2468 			au_uwrite(au_to_path(fad->fad_aupath));
2469 		}
2470 		audit_attributes(fp->f_vnode);
2471 
2472 		releasef(fd);
2473 	}
2474 
2475 	au_uwrite(au_to_arg32(4, "pri", pri));
2476 }
2477 
2478 /*ARGSUSED*/
2479 static void
2480 aus_putpmsg(struct t_audit_data *tad)
2481 {
2482 	klwp_t *clwp = ttolwp(curthread);
2483 	uint32_t fd, pri, flags;
2484 	struct file *fp;
2485 	struct f_audit_data *fad;
2486 
2487 	struct a {
2488 		long	fdes;
2489 		long	ctl;		/* struct strbuf * */
2490 		long	data;		/* struct strbuf * */
2491 		long	pri;
2492 		long	flags;
2493 	} *uap = (struct a *)clwp->lwp_ap;
2494 
2495 	fd = (uint32_t)uap->fdes;
2496 	pri  = (uint32_t)uap->pri;
2497 	flags  = (uint32_t)uap->flags;
2498 
2499 	au_uwrite(au_to_arg32(1, "fd", fd));
2500 
2501 	if ((fp = getf(fd)) != NULL) {
2502 		fad = F2A(fp);
2503 
2504 		fad->fad_flags |= FAD_WRITE;
2505 
2506 		/* add path name to audit record */
2507 		if (fad->fad_aupath != NULL) {
2508 			au_uwrite(au_to_path(fad->fad_aupath));
2509 		}
2510 		audit_attributes(fp->f_vnode);
2511 
2512 		releasef(fd);
2513 	}
2514 
2515 
2516 	au_uwrite(au_to_arg32(4, "pri", pri));
2517 	au_uwrite(au_to_arg32(5, "flags", flags));
2518 }
2519 
2520 /*ARGSUSED*/
2521 static void
2522 aus_getmsg(struct t_audit_data *tad)
2523 {
2524 	klwp_t *clwp = ttolwp(curthread);
2525 	uint32_t fd, pri;
2526 	struct file *fp;
2527 	struct f_audit_data *fad;
2528 
2529 	struct a {
2530 		long	fdes;
2531 		long	ctl;		/* struct strbuf * */
2532 		long	data;		/* struct strbuf * */
2533 		long	pri;
2534 	} *uap = (struct a *)clwp->lwp_ap;
2535 
2536 	fd  = (uint32_t)uap->fdes;
2537 	pri = (uint32_t)uap->pri;
2538 
2539 	au_uwrite(au_to_arg32(1, "fd", fd));
2540 
2541 	if ((fp = getf(fd)) != NULL) {
2542 		fad = F2A(fp);
2543 
2544 		/*
2545 		 * read operation on this object
2546 		 */
2547 		fad->fad_flags |= FAD_READ;
2548 
2549 		/* add path name to audit record */
2550 		if (fad->fad_aupath != NULL) {
2551 			au_uwrite(au_to_path(fad->fad_aupath));
2552 		}
2553 		audit_attributes(fp->f_vnode);
2554 
2555 		releasef(fd);
2556 	}
2557 
2558 	au_uwrite(au_to_arg32(4, "pri", pri));
2559 }
2560 
2561 /*ARGSUSED*/
2562 static void
2563 aus_getpmsg(struct t_audit_data *tad)
2564 {
2565 	klwp_t *clwp = ttolwp(curthread);
2566 	uint32_t fd;
2567 	struct file *fp;
2568 	struct f_audit_data *fad;
2569 
2570 	struct a {
2571 		long	fdes;
2572 		long	ctl;		/* struct strbuf * */
2573 		long	data;		/* struct strbuf * */
2574 		long	pri;
2575 		long	flags;
2576 	} *uap = (struct a *)clwp->lwp_ap;
2577 
2578 	fd = (uint32_t)uap->fdes;
2579 
2580 	au_uwrite(au_to_arg32(1, "fd", fd));
2581 
2582 	if ((fp = getf(fd)) != NULL) {
2583 		fad = F2A(fp);
2584 
2585 		/*
2586 		 * read operation on this object
2587 		 */
2588 		fad->fad_flags |= FAD_READ;
2589 
2590 		/* add path name to audit record */
2591 		if (fad->fad_aupath != NULL) {
2592 			au_uwrite(au_to_path(fad->fad_aupath));
2593 		}
2594 		audit_attributes(fp->f_vnode);
2595 
2596 		releasef(fd);
2597 	}
2598 }
2599 
2600 static au_event_t
2601 aui_auditsys(au_event_t e)
2602 {
2603 	klwp_t *clwp = ttolwp(curthread);
2604 	uint32_t code;
2605 
2606 	struct a {
2607 		long	code;
2608 		long	a1;
2609 		long	a2;
2610 		long	a3;
2611 		long	a4;
2612 		long	a5;
2613 		long	a6;
2614 		long	a7;
2615 	} *uap = (struct a *)clwp->lwp_ap;
2616 
2617 	code = (uint32_t)uap->code;
2618 
2619 	switch (code) {
2620 
2621 	case BSM_GETAUID:
2622 		e = AUE_GETAUID;
2623 		break;
2624 	case BSM_SETAUID:
2625 		e = AUE_SETAUID;
2626 		break;
2627 	case BSM_GETAUDIT:
2628 		e = AUE_GETAUDIT;
2629 		break;
2630 	case BSM_GETAUDIT_ADDR:
2631 		e = AUE_GETAUDIT_ADDR;
2632 		break;
2633 	case BSM_SETAUDIT:
2634 		e = AUE_SETAUDIT;
2635 		break;
2636 	case BSM_SETAUDIT_ADDR:
2637 		e = AUE_SETAUDIT_ADDR;
2638 		break;
2639 	case BSM_AUDIT:
2640 		e = AUE_AUDIT;
2641 		break;
2642 	case BSM_AUDITSVC:
2643 		e = AUE_AUDITSVC;
2644 		break;
2645 	case BSM_GETPORTAUDIT:
2646 		e = AUE_GETPORTAUDIT;
2647 		break;
2648 	case BSM_AUDITON:
2649 	case BSM_AUDITCTL:
2650 
2651 		switch ((uint_t)uap->a1) {
2652 
2653 		case A_GETPOLICY:
2654 			e = AUE_AUDITON_GPOLICY;
2655 			break;
2656 		case A_SETPOLICY:
2657 			e = AUE_AUDITON_SPOLICY;
2658 			break;
2659 		case A_GETKMASK:
2660 			e = AUE_AUDITON_GETKMASK;
2661 			break;
2662 		case A_SETKMASK:
2663 			e = AUE_AUDITON_SETKMASK;
2664 			break;
2665 		case A_GETQCTRL:
2666 			e = AUE_AUDITON_GQCTRL;
2667 			break;
2668 		case A_SETQCTRL:
2669 			e = AUE_AUDITON_SQCTRL;
2670 			break;
2671 		case A_GETCWD:
2672 			e = AUE_AUDITON_GETCWD;
2673 			break;
2674 		case A_GETCAR:
2675 			e = AUE_AUDITON_GETCAR;
2676 			break;
2677 		case A_GETSTAT:
2678 			e = AUE_AUDITON_GETSTAT;
2679 			break;
2680 		case A_SETSTAT:
2681 			e = AUE_AUDITON_SETSTAT;
2682 			break;
2683 		case A_SETUMASK:
2684 			e = AUE_AUDITON_SETUMASK;
2685 			break;
2686 		case A_SETSMASK:
2687 			e = AUE_AUDITON_SETSMASK;
2688 			break;
2689 		case A_GETCOND:
2690 			e = AUE_AUDITON_GETCOND;
2691 			break;
2692 		case A_SETCOND:
2693 			e = AUE_AUDITON_SETCOND;
2694 			break;
2695 		case A_GETCLASS:
2696 			e = AUE_AUDITON_GETCLASS;
2697 			break;
2698 		case A_SETCLASS:
2699 			e = AUE_AUDITON_SETCLASS;
2700 			break;
2701 		default:
2702 			e = AUE_NULL;
2703 			break;
2704 		}
2705 		break;
2706 	default:
2707 		e = AUE_NULL;
2708 		break;
2709 	}
2710 
2711 	return (e);
2712 
2713 
2714 
2715 
2716 }	/* AUI_AUDITSYS */
2717 
2718 
2719 
2720 
2721 
2722 
2723 
2724 static void
2725 aus_auditsys(struct t_audit_data *tad)
2726 {
2727 	klwp_t *clwp = ttolwp(curthread);
2728 	uintptr_t a1, a2;
2729 	struct file *fp;
2730 	struct f_audit_data *fad;
2731 	struct vnode *vp;
2732 	STRUCT_DECL(auditinfo, ainfo);
2733 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2734 	au_evclass_map_t event;
2735 	au_mask_t mask;
2736 	int auditstate, policy;
2737 	au_id_t auid;
2738 
2739 
2740 	struct a {
2741 		long	code;
2742 		long	a1;
2743 		long	a2;
2744 		long	a3;
2745 		long	a4;
2746 		long	a5;
2747 		long	a6;
2748 		long	a7;
2749 	} *uap = (struct a *)clwp->lwp_ap;
2750 
2751 	a1   = (uintptr_t)uap->a1;
2752 	a2   = (uintptr_t)uap->a2;
2753 
2754 	switch (tad->tad_event) {
2755 	case AUE_SETAUID:
2756 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2757 				return;
2758 		au_uwrite(au_to_arg32(2, "setauid", auid));
2759 		break;
2760 	case AUE_SETAUDIT:
2761 		STRUCT_INIT(ainfo, get_udatamodel());
2762 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2763 		    STRUCT_SIZE(ainfo))) {
2764 				return;
2765 		}
2766 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2767 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2768 #ifdef _LP64
2769 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2770 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2771 #else
2772 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2773 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2774 #endif
2775 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2776 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2777 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2778 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2779 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2780 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2781 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2782 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2783 		break;
2784 	case AUE_SETAUDIT_ADDR:
2785 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2786 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2787 		    STRUCT_SIZE(ainfo_addr))) {
2788 				return;
2789 		}
2790 		au_uwrite(au_to_arg32((char)1, "auid",
2791 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2792 #ifdef _LP64
2793 		au_uwrite(au_to_arg64((char)1, "port",
2794 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2795 #else
2796 		au_uwrite(au_to_arg32((char)1, "port",
2797 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2798 #endif
2799 		au_uwrite(au_to_arg32((char)1, "type",
2800 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2801 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2802 		    AU_IPv4) {
2803 			au_uwrite(au_to_in_addr(
2804 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2805 			    ai_termid.at_addr)));
2806 		} else {
2807 			au_uwrite(au_to_in_addr_ex(
2808 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
2809 			    ai_termid.at_addr)));
2810 		}
2811 		au_uwrite(au_to_arg32((char)1, "as_success",
2812 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2813 		au_uwrite(au_to_arg32((char)1, "as_failure",
2814 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2815 		au_uwrite(au_to_arg32((char)1, "asid",
2816 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2817 		break;
2818 	case AUE_AUDITSVC:
2819 		/*
2820 		 * convert file pointer to file descriptor
2821 		 * Note: fd ref count incremented here
2822 		 */
2823 		if ((fp = getf((uint_t)a1)) == NULL)
2824 			return;
2825 		fad = F2A(fp);
2826 		if (fad->fad_aupath != NULL) {
2827 			au_uwrite(au_to_path(fad->fad_aupath));
2828 		} else {
2829 			au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1));
2830 		}
2831 
2832 		vp = fp->f_vnode;	/* include vnode attributes */
2833 		audit_attributes(vp);
2834 
2835 		/* decrement file descriptor ref count */
2836 		releasef((uint_t)a1);
2837 
2838 		au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2));
2839 		break;
2840 	case AUE_AUDITON_SETKMASK:
2841 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2842 				return;
2843 		au_uwrite(au_to_arg32(
2844 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
2845 		au_uwrite(au_to_arg32(
2846 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2847 		break;
2848 	case AUE_AUDITON_SPOLICY:
2849 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2850 			return;
2851 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2852 		break;
2853 	case AUE_AUDITON_SQCTRL: {
2854 		STRUCT_DECL(au_qctrl, qctrl);
2855 		model_t model;
2856 
2857 		model = get_udatamodel();
2858 		STRUCT_INIT(qctrl, model);
2859 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
2860 				return;
2861 		if (model == DATAMODEL_ILP32) {
2862 			au_uwrite(au_to_arg32(
2863 			    3, "setqctrl:aq_hiwater",
2864 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
2865 			au_uwrite(au_to_arg32(
2866 			    3, "setqctrl:aq_lowater",
2867 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
2868 			au_uwrite(au_to_arg32(
2869 			    3, "setqctrl:aq_bufsz",
2870 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
2871 			au_uwrite(au_to_arg32(
2872 			    3, "setqctrl:aq_delay",
2873 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
2874 		} else {
2875 			au_uwrite(au_to_arg64(
2876 			    3, "setqctrl:aq_hiwater",
2877 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
2878 			au_uwrite(au_to_arg64(
2879 			    3, "setqctrl:aq_lowater",
2880 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
2881 			au_uwrite(au_to_arg64(
2882 			    3, "setqctrl:aq_bufsz",
2883 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
2884 			au_uwrite(au_to_arg64(
2885 			    3, "setqctrl:aq_delay",
2886 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
2887 		}
2888 		break;
2889 	}
2890 	case AUE_AUDITON_SETUMASK:
2891 		STRUCT_INIT(ainfo, get_udatamodel());
2892 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2893 		    STRUCT_SIZE(ainfo))) {
2894 			return;
2895 		}
2896 		au_uwrite(au_to_arg32(3, "setumask:as_success",
2897 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2898 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
2899 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2900 		break;
2901 	case AUE_AUDITON_SETSMASK:
2902 		STRUCT_INIT(ainfo, get_udatamodel());
2903 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2904 		    STRUCT_SIZE(ainfo))) {
2905 			return;
2906 		}
2907 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
2908 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2909 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
2910 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2911 		break;
2912 	case AUE_AUDITON_SETCOND:
2913 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
2914 			return;
2915 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
2916 		break;
2917 	case AUE_AUDITON_SETCLASS:
2918 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
2919 			return;
2920 		au_uwrite(au_to_arg32(
2921 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
2922 		au_uwrite(au_to_arg32(
2923 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
2924 		break;
2925 	case AUE_GETAUID:
2926 	case AUE_GETAUDIT:
2927 	case AUE_GETAUDIT_ADDR:
2928 	case AUE_AUDIT:
2929 	case AUE_GETPORTAUDIT:
2930 	case AUE_AUDITON_GPOLICY:
2931 	case AUE_AUDITON_GQCTRL:
2932 	case AUE_AUDITON_GETKMASK:
2933 	case AUE_AUDITON_GETCWD:
2934 	case AUE_AUDITON_GETCAR:
2935 	case AUE_AUDITON_GETSTAT:
2936 	case AUE_AUDITON_SETSTAT:
2937 	case AUE_AUDITON_GETCOND:
2938 	case AUE_AUDITON_GETCLASS:
2939 		break;
2940 	default:
2941 		break;
2942 	}
2943 
2944 }	/* AUS_AUDITSYS */
2945 
2946 
2947 /* only audit privileged operations for systeminfo(2) system call */
2948 static au_event_t
2949 aui_sysinfo(au_event_t e)
2950 {
2951 	klwp_t *clwp = ttolwp(curthread);
2952 	uint32_t command;
2953 
2954 	struct a {
2955 		long	command;
2956 		long	buf;		/* char * */
2957 		long	count;
2958 	} *uap = (struct a *)clwp->lwp_ap;
2959 
2960 	command = (uint32_t)uap->command;
2961 
2962 	switch (command) {
2963 	case SI_SET_HOSTNAME:
2964 	case SI_SET_SRPC_DOMAIN:
2965 		e = (au_event_t)AUE_SYSINFO;
2966 		break;
2967 	default:
2968 		e = (au_event_t)AUE_NULL;
2969 		break;
2970 	}
2971 	return (e);
2972 }
2973 
2974 /*ARGSUSED*/
2975 static void
2976 aus_sysinfo(struct t_audit_data *tad)
2977 {
2978 	klwp_t *clwp = ttolwp(curthread);
2979 	uint32_t command;
2980 	size_t len, maxlen;
2981 	char *name;
2982 	uintptr_t buf;
2983 
2984 	struct a {
2985 		long	command;
2986 		long	buf;		/* char * */
2987 		long	count;
2988 	} *uap = (struct a *)clwp->lwp_ap;
2989 
2990 	command = (uint32_t)uap->command;
2991 	buf = (uintptr_t)uap->buf;
2992 
2993 	au_uwrite(au_to_arg32(1, "cmd", command));
2994 
2995 	switch (command) {
2996 	case SI_SET_HOSTNAME:
2997 	{
2998 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
2999 			return;
3000 
3001 		maxlen = SYS_NMLN;
3002 		name = kmem_alloc(maxlen, KM_SLEEP);
3003 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3004 			break;
3005 
3006 		/*
3007 		 * Must be non-NULL string and string
3008 		 * must be less than SYS_NMLN chars.
3009 		 */
3010 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3011 			break;
3012 
3013 		au_uwrite(au_to_text(name));
3014 		break;
3015 	}
3016 
3017 	case SI_SET_SRPC_DOMAIN:
3018 	{
3019 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3020 			return;
3021 
3022 		maxlen = SYS_NMLN;
3023 		name = kmem_alloc(maxlen, KM_SLEEP);
3024 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3025 			break;
3026 
3027 		/*
3028 		 * If string passed in is longer than length
3029 		 * allowed for domain name, fail.
3030 		 */
3031 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3032 			break;
3033 
3034 		au_uwrite(au_to_text(name));
3035 		break;
3036 	}
3037 
3038 	default:
3039 		return;
3040 	}
3041 
3042 	kmem_free(name, maxlen);
3043 }
3044 
3045 static au_event_t
3046 aui_modctl(au_event_t e)
3047 {
3048 	klwp_t *clwp = ttolwp(curthread);
3049 	uint_t cmd;
3050 
3051 	struct a {
3052 		long	cmd;
3053 	} *uap = (struct a *)clwp->lwp_ap;
3054 
3055 	cmd = (uint_t)uap->cmd;
3056 
3057 	switch (cmd) {
3058 	case MODLOAD:
3059 		e = AUE_MODLOAD;
3060 		break;
3061 	case MODUNLOAD:
3062 		e = AUE_MODUNLOAD;
3063 		break;
3064 	case MODADDMAJBIND:
3065 		e = AUE_MODADDMAJ;
3066 		break;
3067 	case MODSETDEVPOLICY:
3068 		e = AUE_MODDEVPLCY;
3069 		break;
3070 	case MODALLOCPRIV:
3071 		e = AUE_MODADDPRIV;
3072 		break;
3073 	default:
3074 		e = AUE_NULL;
3075 		break;
3076 	}
3077 	return (e);
3078 }
3079 
3080 
3081 /*ARGSUSED*/
3082 static void
3083 aus_modctl(struct t_audit_data *tad)
3084 {
3085 	klwp_t *clwp = ttolwp(curthread);
3086 	void *a	= clwp->lwp_ap;
3087 	uint_t use_path;
3088 
3089 	switch (tad->tad_event) {
3090 	case AUE_MODLOAD: {
3091 		typedef struct {
3092 			long	cmd;
3093 			long	use_path;
3094 			long	filename;		/* char * */
3095 		} modloada_t;
3096 
3097 		char *filenamep;
3098 		uintptr_t fname;
3099 		extern char *default_path;
3100 
3101 		fname = (uintptr_t)((modloada_t *)a)->filename;
3102 		use_path = (uint_t)((modloada_t *)a)->use_path;
3103 
3104 			/* space to hold path */
3105 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3106 			/* get string */
3107 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3108 				/* free allocated path */
3109 			kmem_free(filenamep, MOD_MAXPATH);
3110 			return;
3111 		}
3112 			/* ensure it's null terminated */
3113 		filenamep[MOD_MAXPATH - 1] = 0;
3114 
3115 		if (use_path)
3116 			au_uwrite(au_to_text(default_path));
3117 		au_uwrite(au_to_text(filenamep));
3118 
3119 			/* release temporary memory */
3120 		kmem_free(filenamep, MOD_MAXPATH);
3121 		break;
3122 	}
3123 	case AUE_MODUNLOAD: {
3124 		typedef struct {
3125 			long	cmd;
3126 			long	id;
3127 		} modunloada_t;
3128 
3129 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3130 
3131 		au_uwrite(au_to_arg32(1, "id", id));
3132 		break;
3133 	}
3134 	case AUE_MODADDMAJ: {
3135 		STRUCT_DECL(modconfig, mc);
3136 		typedef struct {
3137 			long	cmd;
3138 			long	subcmd;
3139 			long	data;		/* int * */
3140 		} modconfiga_t;
3141 
3142 		STRUCT_DECL(aliases, alias);
3143 		caddr_t ap;
3144 		int i, num_aliases;
3145 		char *drvname, *mc_drvname;
3146 		char *name;
3147 		extern char *ddi_major_to_name(major_t);
3148 		model_t model;
3149 
3150 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3151 
3152 		model = get_udatamodel();
3153 		STRUCT_INIT(mc, model);
3154 			/* sanitize buffer */
3155 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3156 			/* get user arguments */
3157 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3158 		    STRUCT_SIZE(mc)) != 0)
3159 			return;
3160 
3161 		mc_drvname = STRUCT_FGET(mc, drvname);
3162 		if ((drvname = ddi_major_to_name(
3163 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3164 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3165 				/* safety */
3166 			if (mc_drvname[0] != '\0') {
3167 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3168 				au_uwrite(au_to_text(mc_drvname));
3169 			}
3170 				/* drvname != NULL from test above */
3171 			au_uwrite(au_to_text(drvname));
3172 			return;
3173 		}
3174 
3175 		if (mc_drvname[0] != '\0') {
3176 				/* safety */
3177 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3178 			au_uwrite(au_to_text(mc_drvname));
3179 		} else
3180 			au_uwrite(au_to_text("no drvname"));
3181 
3182 		num_aliases = STRUCT_FGET(mc, num_aliases);
3183 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3184 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3185 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3186 		STRUCT_INIT(alias, model);
3187 		for (i = 0; i < num_aliases; i++) {
3188 			bzero((caddr_t)STRUCT_BUF(alias),
3189 			    STRUCT_SIZE(alias));
3190 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3191 			    STRUCT_SIZE(alias)) != 0)
3192 				break;
3193 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3194 			    MAXMODCONFNAME, NULL) != 0) {
3195 				break;
3196 			}
3197 
3198 			au_uwrite(au_to_text(name));
3199 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3200 		}
3201 		kmem_free(name, MAXMODCONFNAME);
3202 		break;
3203 	}
3204 	default:
3205 		break;
3206 	}
3207 }
3208 
3209 
3210 /*ARGSUSED*/
3211 static void
3212 auf_accept(
3213 	struct t_audit_data *tad,
3214 	int	error,
3215 	rval_t	*rval)
3216 {
3217 	uint32_t scid;
3218 	uint32_t sy_flags;
3219 	int fd;
3220 	struct sonode *so;
3221 	char so_laddr[sizeof (struct sockaddr_in6)];
3222 	char so_faddr[sizeof (struct sockaddr_in6)];
3223 	int err;
3224 	int len;
3225 	short so_family, so_type;
3226 	int add_sock_token = 0;
3227 
3228 	/* need to determine type of executing binary */
3229 	scid = tad->tad_scid;
3230 #ifdef _SYSCALL32_IMPL
3231 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3232 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3233 	else
3234 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3235 #else
3236 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3237 #endif
3238 	if (sy_flags == SE_32RVAL1)
3239 		fd = rval->r_val1;
3240 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3241 		fd = rval->r_val1;
3242 	if (sy_flags == SE_64RVAL)
3243 		fd = (int)rval->r_vals;
3244 
3245 	if (error) {
3246 		/* can't trust socket contents. Just return */
3247 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3248 		return;
3249 	}
3250 
3251 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3252 		/*
3253 		 * not security relevant if doing a accept from non socket
3254 		 * so no extra tokens. Should probably turn off audit record
3255 		 * generation here.
3256 		 */
3257 		return;
3258 	}
3259 
3260 	so_family = so->so_family;
3261 	so_type   = so->so_type;
3262 
3263 	switch (so_family) {
3264 	case AF_INET:
3265 	case AF_INET6:
3266 		/*
3267 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3268 		 */
3269 		if (so->so_type == SOCK_STREAM) {
3270 
3271 			bzero((void *)so_laddr, sizeof (so_laddr));
3272 			bzero((void *)so_faddr, sizeof (so_faddr));
3273 
3274 			/*
3275 			 * no local address then need to get it from lower
3276 			 * levels. only put out record on first read ala
3277 			 * AUE_WRITE.
3278 			 */
3279 			if (so->so_state & SS_ISBOUND) {
3280 				/* only done once on a connection */
3281 				(void) SOP_GETSOCKNAME(so);
3282 				(void) SOP_GETPEERNAME(so);
3283 
3284 				/* get local and foreign addresses */
3285 				mutex_enter(&so->so_lock);
3286 				len = min(so->so_laddr_len, sizeof (so_laddr));
3287 				bcopy(so->so_laddr_sa, so_laddr, len);
3288 				len = min(so->so_faddr_len, sizeof (so_faddr));
3289 				bcopy(so->so_faddr_sa, so_faddr, len);
3290 				mutex_exit(&so->so_lock);
3291 			}
3292 
3293 			add_sock_token = 1;
3294 		}
3295 		break;
3296 
3297 	default:
3298 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3299 		break;
3300 	}
3301 
3302 	releasef(fd);
3303 
3304 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3305 
3306 	if (add_sock_token == 0) {
3307 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3308 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3309 		return;
3310 	}
3311 
3312 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3313 
3314 }
3315 
3316 /*ARGSUSED*/
3317 static void
3318 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3319 {
3320 	struct a {
3321 		long	fd;
3322 		long	addr;
3323 		long	len;
3324 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3325 
3326 	struct sonode *so;
3327 	char so_laddr[sizeof (struct sockaddr_in6)];
3328 	char so_faddr[sizeof (struct sockaddr_in6)];
3329 	int err, fd;
3330 	int len;
3331 	short so_family, so_type;
3332 	int add_sock_token = 0;
3333 
3334 	fd = (int)uap->fd;
3335 
3336 	/*
3337 	 * bind failed, then nothing extra to add to audit record.
3338 	 */
3339 	if (error) {
3340 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3341 		/* XXX may want to add failed address some day */
3342 		return;
3343 	}
3344 
3345 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3346 		/*
3347 		 * not security relevant if doing a bind from non socket
3348 		 * so no extra tokens. Should probably turn off audit record
3349 		 * generation here.
3350 		 */
3351 		return;
3352 	}
3353 
3354 	so_family = so->so_family;
3355 	so_type   = so->so_type;
3356 
3357 	switch (so_family) {
3358 	case AF_INET:
3359 	case AF_INET6:
3360 
3361 		bzero(so_faddr, sizeof (so_faddr));
3362 
3363 		if (so->so_state & SS_ISBOUND) {
3364 			/* only done once on a connection */
3365 			(void) SOP_GETSOCKNAME(so);
3366 		}
3367 
3368 		mutex_enter(&so->so_lock);
3369 		len = min(so->so_laddr_len, sizeof (so_laddr));
3370 		bcopy(so->so_laddr_sa, so_laddr, len);
3371 		mutex_exit(&so->so_lock);
3372 
3373 		add_sock_token = 1;
3374 
3375 		break;
3376 
3377 	case AF_UNIX:
3378 		/* token added by lookup */
3379 		break;
3380 	default:
3381 		/* AF_ROUTE, AF_KEY do not support accept */
3382 		break;
3383 	}
3384 
3385 	releasef(fd);
3386 
3387 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3388 
3389 	if (add_sock_token == 0) {
3390 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3391 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3392 		return;
3393 	}
3394 
3395 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3396 
3397 }
3398 
3399 /*ARGSUSED*/
3400 static void
3401 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3402 {
3403 	struct a {
3404 		long	fd;
3405 		long	addr;
3406 		long	len;
3407 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3408 
3409 	struct sonode *so;
3410 	char so_laddr[sizeof (struct sockaddr_in6)];
3411 	char so_faddr[sizeof (struct sockaddr_in6)];
3412 	int err, fd;
3413 	int len;
3414 	short so_family, so_type;
3415 	int add_sock_token = 0;
3416 
3417 	fd = (int)uap->fd;
3418 
3419 
3420 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3421 		/*
3422 		 * not security relevant if doing a connect from non socket
3423 		 * so no extra tokens. Should probably turn off audit record
3424 		 * generation here.
3425 		 */
3426 		return;
3427 	}
3428 
3429 	so_family = so->so_family;
3430 	so_type   = so->so_type;
3431 
3432 	switch (so_family) {
3433 	case AF_INET:
3434 	case AF_INET6:
3435 		/*
3436 		 * no local address then need to get it from lower
3437 		 * levels.
3438 		 */
3439 		if (so->so_state & SS_ISBOUND) {
3440 			/* only done once on a connection */
3441 			(void) SOP_GETSOCKNAME(so);
3442 			(void) SOP_GETPEERNAME(so);
3443 		}
3444 
3445 		bzero(so_laddr, sizeof (so_laddr));
3446 		bzero(so_faddr, sizeof (so_faddr));
3447 
3448 		mutex_enter(&so->so_lock);
3449 		len = min(so->so_laddr_len, sizeof (so_laddr));
3450 		bcopy(so->so_laddr_sa, so_laddr, len);
3451 		if (error) {
3452 			mutex_exit(&so->so_lock);
3453 			if (uap->addr == NULL)
3454 				break;
3455 			if (uap->len <= 0)
3456 				break;
3457 			len = min(uap->len, sizeof (so_faddr));
3458 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3459 				break;
3460 #ifdef NOTYET
3461 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3462 #endif
3463 		} else {
3464 			/* sanity check on length */
3465 			len = min(so->so_faddr_len, sizeof (so_faddr));
3466 			bcopy(so->so_faddr_sa, so_faddr, len);
3467 			mutex_exit(&so->so_lock);
3468 		}
3469 
3470 		add_sock_token = 1;
3471 
3472 		break;
3473 
3474 	case AF_UNIX:
3475 		/* does a lookup on name */
3476 		break;
3477 
3478 	default:
3479 		/* AF_ROUTE, AF_KEY do not support accept */
3480 		break;
3481 	}
3482 
3483 	releasef(fd);
3484 
3485 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3486 
3487 	if (add_sock_token == 0) {
3488 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3489 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3490 		return;
3491 	}
3492 
3493 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3494 
3495 }
3496 
3497 /*ARGSUSED*/
3498 static void
3499 aus_shutdown(struct t_audit_data *tad)
3500 {
3501 	struct a {
3502 		long	fd;
3503 		long	how;
3504 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3505 
3506 	struct sonode *so;
3507 	char so_laddr[sizeof (struct sockaddr_in6)];
3508 	char so_faddr[sizeof (struct sockaddr_in6)];
3509 	int err, fd;
3510 	int len;
3511 	short so_family, so_type;
3512 	int add_sock_token = 0;
3513 	file_t *fp;				/* unix domain sockets */
3514 	struct f_audit_data *fad;		/* unix domain sockets */
3515 
3516 	fd = (int)uap->fd;
3517 
3518 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3519 		/*
3520 		 * not security relevant if doing a shutdown using non socket
3521 		 * so no extra tokens. Should probably turn off audit record
3522 		 * generation here.
3523 		 */
3524 		return;
3525 	}
3526 
3527 	so_family = so->so_family;
3528 	so_type   = so->so_type;
3529 
3530 	switch (so_family) {
3531 	case AF_INET:
3532 	case AF_INET6:
3533 
3534 		bzero(so_laddr, sizeof (so_laddr));
3535 		bzero(so_faddr, sizeof (so_faddr));
3536 
3537 		if (so->so_state & SS_ISBOUND) {
3538 			/*
3539 			 * no local address then need to get it from lower
3540 			 * levels.
3541 			 */
3542 			if (so->so_laddr_len == 0)
3543 				(void) SOP_GETSOCKNAME(so);
3544 			if (so->so_faddr_len == 0)
3545 				(void) SOP_GETPEERNAME(so);
3546 		}
3547 
3548 		mutex_enter(&so->so_lock);
3549 		len = min(so->so_laddr_len, sizeof (so_laddr));
3550 		bcopy(so->so_laddr_sa, so_laddr, len);
3551 		len = min(so->so_faddr_len, sizeof (so_faddr));
3552 		bcopy(so->so_faddr_sa, so_faddr, len);
3553 		mutex_exit(&so->so_lock);
3554 
3555 		add_sock_token = 1;
3556 
3557 		break;
3558 
3559 	case AF_UNIX:
3560 
3561 		/* get path from file struct here */
3562 		fad = F2A(fp);
3563 		ASSERT(fad);
3564 
3565 		if (fad->fad_aupath != NULL) {
3566 			au_uwrite(au_to_path(fad->fad_aupath));
3567 		} else {
3568 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3569 		}
3570 
3571 		audit_attributes(fp->f_vnode);
3572 
3573 		break;
3574 
3575 	default:
3576 		/*
3577 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3578 		 * added.
3579 		 */
3580 		break;
3581 	}
3582 
3583 	releasef(fd);
3584 
3585 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3586 
3587 	if (add_sock_token == 0) {
3588 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3589 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3590 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3591 		return;
3592 	}
3593 
3594 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3595 
3596 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3597 
3598 }
3599 
3600 /*ARGSUSED*/
3601 static void
3602 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3603 {
3604 	struct a {
3605 		long	fd;
3606 		long	level;
3607 		long	optname;
3608 		long	*optval;
3609 		long	optlen;
3610 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3611 
3612 	struct sonode	*so;
3613 	char so_laddr[sizeof (struct sockaddr_in6)];
3614 	char so_faddr[sizeof (struct sockaddr_in6)];
3615 	char		val[AU_BUFSIZE];
3616 	int		err, fd;
3617 	int		len;
3618 	short so_family, so_type;
3619 	int		add_sock_token = 0;
3620 	file_t *fp;				/* unix domain sockets */
3621 	struct f_audit_data *fad;		/* unix domain sockets */
3622 
3623 	fd = (int)uap->fd;
3624 
3625 	if (error) {
3626 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3627 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3628 		/* XXX may want to include other arguments */
3629 		return;
3630 	}
3631 
3632 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3633 		/*
3634 		 * not security relevant if doing a setsockopt from non socket
3635 		 * so no extra tokens. Should probably turn off audit record
3636 		 * generation here.
3637 		 */
3638 		return;
3639 	}
3640 
3641 	so_family = so->so_family;
3642 	so_type   = so->so_type;
3643 
3644 	switch (so_family) {
3645 	case AF_INET:
3646 	case AF_INET6:
3647 
3648 		bzero((void *)so_laddr, sizeof (so_laddr));
3649 		bzero((void *)so_faddr, sizeof (so_faddr));
3650 
3651 		if (so->so_state & SS_ISBOUND) {
3652 			if (so->so_laddr_len == 0)
3653 				(void) SOP_GETSOCKNAME(so);
3654 			if (so->so_faddr_len == 0)
3655 				(void) SOP_GETPEERNAME(so);
3656 		}
3657 
3658 		/* get local and foreign addresses */
3659 		mutex_enter(&so->so_lock);
3660 		len = min(so->so_laddr_len, sizeof (so_laddr));
3661 		bcopy(so->so_laddr_sa, so_laddr, len);
3662 		len = min(so->so_faddr_len, sizeof (so_faddr));
3663 		bcopy(so->so_faddr_sa, so_faddr, len);
3664 		mutex_exit(&so->so_lock);
3665 
3666 		add_sock_token = 1;
3667 
3668 		break;
3669 
3670 	case AF_UNIX:
3671 
3672 		/* get path from file struct here */
3673 		fad = F2A(fp);
3674 		ASSERT(fad);
3675 
3676 		if (fad->fad_aupath != NULL) {
3677 			au_uwrite(au_to_path(fad->fad_aupath));
3678 		} else {
3679 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3680 		}
3681 
3682 		audit_attributes(fp->f_vnode);
3683 
3684 		break;
3685 
3686 	default:
3687 		/*
3688 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3689 		 * added.
3690 		 */
3691 		break;
3692 	}
3693 
3694 	releasef(fd);
3695 
3696 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3697 
3698 	if (add_sock_token == 0) {
3699 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3700 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3701 	}
3702 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3703 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3704 
3705 	bzero(val, sizeof (val));
3706 	len = min(uap->optlen, sizeof (val));
3707 	if ((len > 0) &&
3708 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3709 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3710 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3711 	}
3712 
3713 	if (add_sock_token == 0)
3714 		return;
3715 
3716 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3717 
3718 }
3719 
3720 /*ARGSUSED*/
3721 static void
3722 aus_sockconfig(tad)
3723 	struct t_audit_data *tad;
3724 {
3725 	struct a {
3726 		long	domain;
3727 		long	type;
3728 		long	protocol;
3729 		long	devpath;
3730 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3731 
3732 	char	*kdevpath;
3733 	int	kdevpathlen = MAXPATHLEN + 1;
3734 	size_t	size;
3735 
3736 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3737 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3738 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3739 
3740 	if (uap->devpath == 0) {
3741 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3742 	} else {
3743 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3744 
3745 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3746 			&size)) {
3747 			kmem_free(kdevpath, kdevpathlen);
3748 			return;
3749 		}
3750 
3751 		if (size > MAXPATHLEN) {
3752 			kmem_free(kdevpath, kdevpathlen);
3753 			return;
3754 		}
3755 
3756 		au_uwrite(au_to_text(kdevpath));
3757 		kmem_free(kdevpath, kdevpathlen);
3758 	}
3759 }
3760 
3761 /*
3762  * only audit recvmsg when the system call represents the creation of a new
3763  * circuit. This effectively occurs for all UDP packets and may occur for
3764  * special TCP situations where the local host has not set a local address
3765  * in the socket structure.
3766  */
3767 /*ARGSUSED*/
3768 static void
3769 auf_recvmsg(
3770 	struct t_audit_data *tad,
3771 	int error,
3772 	rval_t *rvp)
3773 {
3774 	struct a {
3775 		long	fd;
3776 		long	msg;	/* struct msghdr */
3777 		long	flags;
3778 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3779 
3780 	struct sonode	*so;
3781 	STRUCT_DECL(msghdr, msg);
3782 	caddr_t msg_name;
3783 	socklen_t msg_namelen;
3784 	int fd;
3785 	int err;
3786 	char so_laddr[sizeof (struct sockaddr_in6)];
3787 	char so_faddr[sizeof (struct sockaddr_in6)];
3788 	int len;
3789 	file_t *fp;				/* unix domain sockets */
3790 	struct f_audit_data *fad;		/* unix domain sockets */
3791 	short so_family, so_type;
3792 	int add_sock_token = 0;
3793 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3794 
3795 	fd = (int)uap->fd;
3796 
3797 	/* bail if an error */
3798 	if (error) {
3799 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3800 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3801 		return;
3802 	}
3803 
3804 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3805 		/*
3806 		 * not security relevant if doing a recvmsg from non socket
3807 		 * so no extra tokens. Should probably turn off audit record
3808 		 * generation here.
3809 		 */
3810 		return;
3811 	}
3812 
3813 	so_family = so->so_family;
3814 	so_type   = so->so_type;
3815 
3816 	/*
3817 	 * only putout SOCKET_EX token if INET/INET6 family.
3818 	 * XXX - what do we do about other families?
3819 	 */
3820 
3821 	switch (so_family) {
3822 	case AF_INET:
3823 	case AF_INET6:
3824 
3825 		/*
3826 		 * if datagram type socket, then just use what is in
3827 		 * socket structure for local address.
3828 		 * XXX - what do we do for other types?
3829 		 */
3830 		if ((so->so_type == SOCK_DGRAM) ||
3831 		    (so->so_type == SOCK_RAW)) {
3832 			add_sock_token = 1;
3833 
3834 			bzero((void *)so_laddr, sizeof (so_laddr));
3835 			bzero((void *)so_faddr, sizeof (so_faddr));
3836 
3837 			/* get local address */
3838 			mutex_enter(&so->so_lock);
3839 			len = min(so->so_laddr_len, sizeof (so_laddr));
3840 			bcopy(so->so_laddr_sa, so_laddr, len);
3841 			mutex_exit(&so->so_lock);
3842 
3843 			/* get peer address */
3844 			STRUCT_INIT(msg, get_udatamodel());
3845 
3846 			if (copyin((caddr_t)(uap->msg),
3847 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3848 				break;
3849 			}
3850 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3851 			if (msg_name == NULL) {
3852 				break;
3853 			}
3854 
3855 			/* length is value from recvmsg - sanity check */
3856 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3857 			if (msg_namelen == 0) {
3858 				break;
3859 			}
3860 			if (copyin(msg_name, so_faddr,
3861 			    sizeof (so_faddr)) != 0) {
3862 				break;
3863 			}
3864 
3865 		} else if (so->so_type == SOCK_STREAM) {
3866 
3867 			/* get path from file struct here */
3868 			fad = F2A(fp);
3869 			ASSERT(fad);
3870 
3871 			/*
3872 			 * already processed this file for read attempt
3873 			 */
3874 			if (fad->fad_flags & FAD_READ) {
3875 				/* don't want to audit every recvmsg attempt */
3876 				tad->tad_flag = 0;
3877 				/* free any residual audit data */
3878 				au_close(kctx, &(u_ad), 0, 0, 0);
3879 				releasef(fd);
3880 				return;
3881 			}
3882 			/*
3883 			 * mark things so we know what happened and don't
3884 			 * repeat things
3885 			 */
3886 			fad->fad_flags |= FAD_READ;
3887 
3888 			bzero((void *)so_laddr, sizeof (so_laddr));
3889 			bzero((void *)so_faddr, sizeof (so_faddr));
3890 
3891 			if (so->so_state & SS_ISBOUND) {
3892 
3893 				if (so->so_laddr_len == 0)
3894 					(void) SOP_GETSOCKNAME(so);
3895 				if (so->so_faddr_len == 0)
3896 					(void) SOP_GETPEERNAME(so);
3897 
3898 				/* get local and foreign addresses */
3899 				mutex_enter(&so->so_lock);
3900 				len = min(so->so_laddr_len, sizeof (so_laddr));
3901 				bcopy(so->so_laddr_sa, so_laddr, len);
3902 				len = min(so->so_faddr_len, sizeof (so_faddr));
3903 				bcopy(so->so_faddr_sa, so_faddr, len);
3904 				mutex_exit(&so->so_lock);
3905 			}
3906 
3907 			add_sock_token = 1;
3908 		}
3909 
3910 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
3911 
3912 		break;
3913 
3914 	case AF_UNIX:
3915 		/*
3916 		 * first check if this is first time through. Too much
3917 		 * duplicate code to put this in an aui_ routine.
3918 		 */
3919 
3920 		/* get path from file struct here */
3921 		fad = F2A(fp);
3922 		ASSERT(fad);
3923 
3924 		/*
3925 		 * already processed this file for read attempt
3926 		 */
3927 		if (fad->fad_flags & FAD_READ) {
3928 			releasef(fd);
3929 			/* don't want to audit every recvmsg attempt */
3930 			tad->tad_flag = 0;
3931 			/* free any residual audit data */
3932 			au_close(kctx, &(u_ad), 0, 0, 0);
3933 			return;
3934 		}
3935 		/*
3936 		 * mark things so we know what happened and don't
3937 		 * repeat things
3938 		 */
3939 		fad->fad_flags |= FAD_READ;
3940 
3941 		if (fad->fad_aupath != NULL) {
3942 			au_uwrite(au_to_path(fad->fad_aupath));
3943 		} else {
3944 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3945 		}
3946 
3947 		audit_attributes(fp->f_vnode);
3948 
3949 		releasef(fd);
3950 
3951 		return;
3952 
3953 	default:
3954 		break;
3955 
3956 	}
3957 
3958 	releasef(fd);
3959 
3960 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3961 
3962 	if (add_sock_token == 0) {
3963 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
3964 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
3965 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3966 		return;
3967 	}
3968 
3969 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3970 
3971 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3972 
3973 }
3974 
3975 /*ARGSUSED*/
3976 static void
3977 auf_recvfrom(
3978 	struct t_audit_data *tad,
3979 	int error,
3980 	rval_t *rvp)
3981 {
3982 
3983 	struct a {
3984 		long	fd;
3985 		long	msg;	/* char */
3986 		long	len;
3987 		long	flags;
3988 		long	from;	/* struct sockaddr */
3989 		long	fromlen;
3990 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3991 
3992 	socklen_t	fromlen;
3993 	struct sonode	*so;
3994 	char so_laddr[sizeof (struct sockaddr_in6)];
3995 	char so_faddr[sizeof (struct sockaddr_in6)];
3996 	int		fd;
3997 	short so_family, so_type;
3998 	int add_sock_token = 0;
3999 	int len;
4000 	int err;
4001 	struct file *fp;
4002 	struct f_audit_data *fad;		/* unix domain sockets */
4003 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4004 
4005 	fd = (int)uap->fd;
4006 
4007 	/* bail if an error */
4008 	if (error) {
4009 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4010 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4011 		return;
4012 	}
4013 
4014 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4015 		/*
4016 		 * not security relevant if doing a recvmsg from non socket
4017 		 * so no extra tokens. Should probably turn off audit record
4018 		 * generation here.
4019 		 */
4020 		return;
4021 	}
4022 
4023 	so_family = so->so_family;
4024 	so_type   = so->so_type;
4025 
4026 	/*
4027 	 * only putout SOCKET_EX token if INET/INET6 family.
4028 	 * XXX - what do we do about other families?
4029 	 */
4030 
4031 	switch (so_family) {
4032 	case AF_INET:
4033 	case AF_INET6:
4034 
4035 		/*
4036 		 * if datagram type socket, then just use what is in
4037 		 * socket structure for local address.
4038 		 * XXX - what do we do for other types?
4039 		 */
4040 		if ((so->so_type == SOCK_DGRAM) ||
4041 		    (so->so_type == SOCK_RAW)) {
4042 			add_sock_token = 1;
4043 
4044 			/* get local address */
4045 			mutex_enter(&so->so_lock);
4046 			len = min(so->so_laddr_len, sizeof (so_laddr));
4047 			bcopy(so->so_laddr_sa, so_laddr, len);
4048 			mutex_exit(&so->so_lock);
4049 
4050 			/* get peer address */
4051 			bzero((void *)so_faddr, sizeof (so_faddr));
4052 
4053 			/* sanity check */
4054 			if (uap->from == NULL)
4055 				break;
4056 
4057 			/* sanity checks */
4058 			if (uap->fromlen == 0)
4059 				break;
4060 
4061 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4062 			    sizeof (fromlen)) != 0)
4063 				break;
4064 
4065 			if (fromlen == 0)
4066 				break;
4067 
4068 			/* enforce maximum size */
4069 			if (fromlen > sizeof (so_faddr))
4070 				fromlen = sizeof (so_faddr);
4071 
4072 			if (copyin((caddr_t)(uap->from), so_faddr,
4073 			    fromlen) != 0)
4074 				break;
4075 
4076 		} else if (so->so_type == SOCK_STREAM) {
4077 
4078 			/* get path from file struct here */
4079 			fad = F2A(fp);
4080 			ASSERT(fad);
4081 
4082 			/*
4083 			 * already processed this file for read attempt
4084 			 */
4085 			if (fad->fad_flags & FAD_READ) {
4086 				/* don't want to audit every recvfrom attempt */
4087 				tad->tad_flag = 0;
4088 				/* free any residual audit data */
4089 				au_close(kctx, &(u_ad), 0, 0, 0);
4090 				releasef(fd);
4091 				return;
4092 			}
4093 			/*
4094 			 * mark things so we know what happened and don't
4095 			 * repeat things
4096 			 */
4097 			fad->fad_flags |= FAD_READ;
4098 
4099 			bzero((void *)so_laddr, sizeof (so_laddr));
4100 			bzero((void *)so_faddr, sizeof (so_faddr));
4101 
4102 			if (so->so_state & SS_ISBOUND) {
4103 
4104 				if (so->so_laddr_len == 0)
4105 					(void) SOP_GETSOCKNAME(so);
4106 				if (so->so_faddr_len == 0)
4107 					(void) SOP_GETPEERNAME(so);
4108 
4109 				/* get local and foreign addresses */
4110 				mutex_enter(&so->so_lock);
4111 				len = min(so->so_laddr_len, sizeof (so_laddr));
4112 				bcopy(so->so_laddr_sa, so_laddr, len);
4113 				len = min(so->so_faddr_len, sizeof (so_faddr));
4114 				bcopy(so->so_faddr_sa, so_faddr, len);
4115 				mutex_exit(&so->so_lock);
4116 			}
4117 
4118 			add_sock_token = 1;
4119 		}
4120 
4121 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4122 
4123 		break;
4124 
4125 	case AF_UNIX:
4126 		/*
4127 		 * first check if this is first time through. Too much
4128 		 * duplicate code to put this in an aui_ routine.
4129 		 */
4130 
4131 		/* get path from file struct here */
4132 		fad = F2A(fp);
4133 		ASSERT(fad);
4134 
4135 		/*
4136 		 * already processed this file for read attempt
4137 		 */
4138 		if (fad->fad_flags & FAD_READ) {
4139 			/* don't want to audit every recvfrom attempt */
4140 			tad->tad_flag = 0;
4141 			/* free any residual audit data */
4142 			au_close(kctx, &(u_ad), 0, 0, 0);
4143 			releasef(fd);
4144 			return;
4145 		}
4146 		/*
4147 		 * mark things so we know what happened and don't
4148 		 * repeat things
4149 		 */
4150 		fad->fad_flags |= FAD_READ;
4151 
4152 		if (fad->fad_aupath != NULL) {
4153 			au_uwrite(au_to_path(fad->fad_aupath));
4154 		} else {
4155 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4156 		}
4157 
4158 		audit_attributes(fp->f_vnode);
4159 
4160 		releasef(fd);
4161 
4162 		return;
4163 
4164 	default:
4165 		break;
4166 
4167 	}
4168 
4169 	releasef(fd);
4170 
4171 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4172 
4173 	if (add_sock_token == 0) {
4174 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4175 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4176 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4177 		return;
4178 	}
4179 
4180 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4181 
4182 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4183 }
4184 
4185 /*ARGSUSED*/
4186 static void
4187 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4188 {
4189 	struct a {
4190 		long	fd;
4191 		long	msg;	/* struct msghdr */
4192 		long	flags;
4193 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4194 
4195 	struct sonode	*so;
4196 	char so_laddr[sizeof (struct sockaddr_in6)];
4197 	char so_faddr[sizeof (struct sockaddr_in6)];
4198 	int		err;
4199 	int		fd;
4200 	short so_family, so_type;
4201 	int		add_sock_token = 0;
4202 	int		len;
4203 	struct file	*fp;
4204 	struct f_audit_data *fad;
4205 	caddr_t		msg_name;
4206 	socklen_t	msg_namelen;
4207 	STRUCT_DECL(msghdr, msg);
4208 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4209 
4210 	fd = (int)uap->fd;
4211 
4212 	/* bail if an error */
4213 	if (error) {
4214 		/* XXX include destination address from system call arguments */
4215 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4216 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4217 		return;
4218 	}
4219 
4220 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4221 		/*
4222 		 * not security relevant if doing a sendmsg from non socket
4223 		 * so no extra tokens. Should probably turn off audit record
4224 		 * generation here.
4225 		 */
4226 		return;
4227 	}
4228 
4229 	so_family = so->so_family;
4230 	so_type   = so->so_type;
4231 
4232 	switch (so_family) {
4233 	case AF_INET:
4234 	case AF_INET6:
4235 		/*
4236 		 * if datagram type socket, then just use what is in
4237 		 * socket structure for local address.
4238 		 * XXX - what do we do for other types?
4239 		 */
4240 		if ((so->so_type == SOCK_DGRAM) ||
4241 		    (so->so_type == SOCK_RAW)) {
4242 
4243 			bzero((void *)so_laddr, sizeof (so_laddr));
4244 			bzero((void *)so_faddr, sizeof (so_faddr));
4245 
4246 			/* get local address */
4247 			mutex_enter(&so->so_lock);
4248 			len = min(so->so_laddr_len, sizeof (so_laddr));
4249 			bcopy(so->so_laddr_sa, so_laddr, len);
4250 			mutex_exit(&so->so_lock);
4251 
4252 			/* get peer address */
4253 			STRUCT_INIT(msg, get_udatamodel());
4254 
4255 			if (copyin((caddr_t)(uap->msg),
4256 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4257 				break;
4258 			}
4259 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4260 			if (msg_name == NULL)
4261 				break;
4262 
4263 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4264 			/* length is value from recvmsg - sanity check */
4265 			if (msg_namelen == 0)
4266 				break;
4267 
4268 			if (copyin(msg_name, so_faddr,
4269 			    sizeof (so_faddr)) != 0)
4270 				break;
4271 
4272 			add_sock_token = 1;
4273 
4274 		} else if (so->so_type == SOCK_STREAM) {
4275 
4276 			/* get path from file struct here */
4277 			fad = F2A(fp);
4278 			ASSERT(fad);
4279 
4280 			/*
4281 			 * already processed this file for write attempt
4282 			 */
4283 			if (fad->fad_flags & FAD_WRITE) {
4284 				releasef(fd);
4285 				/* don't want to audit every sendmsg attempt */
4286 				tad->tad_flag = 0;
4287 				/* free any residual audit data */
4288 				au_close(kctx, &(u_ad), 0, 0, 0);
4289 				return;
4290 			}
4291 
4292 			/*
4293 			 * mark things so we know what happened and don't
4294 			 * repeat things
4295 			 */
4296 			fad->fad_flags |= FAD_WRITE;
4297 
4298 			bzero((void *)so_laddr, sizeof (so_laddr));
4299 			bzero((void *)so_faddr, sizeof (so_faddr));
4300 
4301 			if (so->so_state & SS_ISBOUND) {
4302 
4303 				if (so->so_laddr_len == 0)
4304 					(void) SOP_GETSOCKNAME(so);
4305 				if (so->so_faddr_len == 0)
4306 					(void) SOP_GETPEERNAME(so);
4307 
4308 				/* get local and foreign addresses */
4309 				mutex_enter(&so->so_lock);
4310 				len = min(so->so_laddr_len, sizeof (so_laddr));
4311 				bcopy(so->so_laddr_sa, so_laddr, len);
4312 				len = min(so->so_faddr_len, sizeof (so_faddr));
4313 				bcopy(so->so_faddr_sa, so_faddr, len);
4314 				mutex_exit(&so->so_lock);
4315 			}
4316 
4317 			add_sock_token = 1;
4318 		}
4319 
4320 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4321 
4322 		break;
4323 
4324 	case AF_UNIX:
4325 		/*
4326 		 * first check if this is first time through. Too much
4327 		 * duplicate code to put this in an aui_ routine.
4328 		 */
4329 
4330 		/* get path from file struct here */
4331 		fad = F2A(fp);
4332 		ASSERT(fad);
4333 
4334 		/*
4335 		 * already processed this file for write attempt
4336 		 */
4337 		if (fad->fad_flags & FAD_WRITE) {
4338 			releasef(fd);
4339 			/* don't want to audit every sendmsg attempt */
4340 			tad->tad_flag = 0;
4341 			/* free any residual audit data */
4342 			au_close(kctx, &(u_ad), 0, 0, 0);
4343 			return;
4344 		}
4345 		/*
4346 		 * mark things so we know what happened and don't
4347 		 * repeat things
4348 		 */
4349 		fad->fad_flags |= FAD_WRITE;
4350 
4351 		if (fad->fad_aupath != NULL) {
4352 			au_uwrite(au_to_path(fad->fad_aupath));
4353 		} else {
4354 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4355 		}
4356 
4357 		audit_attributes(fp->f_vnode);
4358 
4359 		releasef(fd);
4360 
4361 		return;
4362 
4363 	default:
4364 		break;
4365 	}
4366 
4367 	releasef(fd);
4368 
4369 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4370 
4371 	if (add_sock_token == 0) {
4372 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4373 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4374 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4375 		return;
4376 	}
4377 
4378 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4379 
4380 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4381 }
4382 
4383 /*ARGSUSED*/
4384 static void
4385 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4386 {
4387 	struct a {
4388 		long	fd;
4389 		long	msg;	/* char */
4390 		long	len;
4391 		long	flags;
4392 		long	to;	/* struct sockaddr */
4393 		long	tolen;
4394 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4395 
4396 	struct sonode	*so;
4397 	char so_laddr[sizeof (struct sockaddr_in6)];
4398 	char so_faddr[sizeof (struct sockaddr_in6)];
4399 	socklen_t	tolen;
4400 	int		err;
4401 	int		fd;
4402 	int		len;
4403 	short so_family, so_type;
4404 	int		add_sock_token = 0;
4405 	struct file	*fp;
4406 	struct f_audit_data *fad;
4407 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4408 
4409 	fd = (int)uap->fd;
4410 
4411 	/* bail if an error */
4412 	if (error) {
4413 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4414 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4415 		/* XXX include destination address from system call arguments */
4416 		return;
4417 	}
4418 
4419 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4420 		/*
4421 		 * not security relevant if doing a sendto using non socket
4422 		 * so no extra tokens. Should probably turn off audit record
4423 		 * generation here.
4424 		 */
4425 		return;
4426 	}
4427 
4428 	so_family = so->so_family;
4429 	so_type   = so->so_type;
4430 
4431 	/*
4432 	 * only putout SOCKET_EX token if INET/INET6 family.
4433 	 * XXX - what do we do about other families?
4434 	 */
4435 
4436 	switch (so_family) {
4437 	case AF_INET:
4438 	case AF_INET6:
4439 
4440 		/*
4441 		 * if datagram type socket, then just use what is in
4442 		 * socket structure for local address.
4443 		 * XXX - what do we do for other types?
4444 		 */
4445 		if ((so->so_type == SOCK_DGRAM) ||
4446 		    (so->so_type == SOCK_RAW)) {
4447 
4448 			bzero((void *)so_laddr, sizeof (so_laddr));
4449 			bzero((void *)so_faddr, sizeof (so_faddr));
4450 
4451 			/* get local address */
4452 			mutex_enter(&so->so_lock);
4453 			len = min(so->so_laddr_len, sizeof (so_laddr));
4454 			bcopy(so->so_laddr_sa, so_laddr, len);
4455 			mutex_exit(&so->so_lock);
4456 
4457 			/* get peer address */
4458 
4459 			/* sanity check */
4460 			if (uap->to == NULL)
4461 				break;
4462 
4463 			/* sanity checks */
4464 			if (uap->tolen == 0)
4465 				break;
4466 
4467 			tolen = (socklen_t)uap->tolen;
4468 
4469 			/* enforce maximum size */
4470 			if (tolen > sizeof (so_faddr))
4471 				tolen = sizeof (so_faddr);
4472 
4473 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4474 				break;
4475 
4476 			add_sock_token = 1;
4477 		} else {
4478 			/*
4479 			 * check if this is first time through.
4480 			 */
4481 
4482 			/* get path from file struct here */
4483 			fad = F2A(fp);
4484 			ASSERT(fad);
4485 
4486 			/*
4487 			 * already processed this file for write attempt
4488 			 */
4489 			if (fad->fad_flags & FAD_WRITE) {
4490 				/* don't want to audit every sendto attempt */
4491 				tad->tad_flag = 0;
4492 				/* free any residual audit data */
4493 				au_close(kctx, &(u_ad), 0, 0, 0);
4494 				releasef(fd);
4495 				return;
4496 			}
4497 			/*
4498 			 * mark things so we know what happened and don't
4499 			 * repeat things
4500 			 */
4501 			fad->fad_flags |= FAD_WRITE;
4502 
4503 			bzero((void *)so_laddr, sizeof (so_laddr));
4504 			bzero((void *)so_faddr, sizeof (so_faddr));
4505 
4506 			if (so->so_state & SS_ISBOUND) {
4507 
4508 				if (so->so_laddr_len == 0)
4509 					(void) SOP_GETSOCKNAME(so);
4510 				if (so->so_faddr_len == 0)
4511 					(void) SOP_GETPEERNAME(so);
4512 
4513 				/* get local and foreign addresses */
4514 				mutex_enter(&so->so_lock);
4515 				len = min(so->so_laddr_len, sizeof (so_laddr));
4516 				bcopy(so->so_laddr_sa, so_laddr, len);
4517 				len = min(so->so_faddr_len, sizeof (so_faddr));
4518 				bcopy(so->so_faddr_sa, so_faddr, len);
4519 				mutex_exit(&so->so_lock);
4520 			}
4521 
4522 			add_sock_token = 1;
4523 		}
4524 
4525 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4526 
4527 		break;
4528 
4529 	case AF_UNIX:
4530 		/*
4531 		 * first check if this is first time through. Too much
4532 		 * duplicate code to put this in an aui_ routine.
4533 		 */
4534 
4535 		/* get path from file struct here */
4536 		fad = F2A(fp);
4537 		ASSERT(fad);
4538 
4539 		/*
4540 		 * already processed this file for write attempt
4541 		 */
4542 		if (fad->fad_flags & FAD_WRITE) {
4543 			/* don't want to audit every sendto attempt */
4544 			tad->tad_flag = 0;
4545 			/* free any residual audit data */
4546 			au_close(kctx, &(u_ad), 0, 0, 0);
4547 			releasef(fd);
4548 			return;
4549 		}
4550 		/*
4551 		 * mark things so we know what happened and don't
4552 		 * repeat things
4553 		 */
4554 		fad->fad_flags |= FAD_WRITE;
4555 
4556 		if (fad->fad_aupath != NULL) {
4557 			au_uwrite(au_to_path(fad->fad_aupath));
4558 		} else {
4559 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4560 		}
4561 
4562 		audit_attributes(fp->f_vnode);
4563 
4564 		releasef(fd);
4565 
4566 		return;
4567 
4568 	default:
4569 		break;
4570 
4571 	}
4572 
4573 	releasef(fd);
4574 
4575 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4576 
4577 	if (add_sock_token == 0) {
4578 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4579 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4580 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4581 		return;
4582 	}
4583 
4584 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4585 
4586 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4587 
4588 }
4589 
4590 /*
4591  * XXX socket(2) may be equivalent to open(2) on a unix domain
4592  * socket. This needs investigation.
4593  */
4594 
4595 /*ARGSUSED*/
4596 static void
4597 aus_socket(struct t_audit_data *tad)
4598 {
4599 	struct a {
4600 		long	domain;
4601 		long	type;
4602 		long	protocol;
4603 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4604 
4605 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4606 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4607 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4608 }
4609 
4610 /*ARGSUSED*/
4611 static void
4612 aus_sigqueue(struct t_audit_data *tad)
4613 {
4614 	struct a {
4615 		long	pid;
4616 		long	signo;
4617 		long	*val;
4618 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4619 	struct proc *p;
4620 	uid_t uid, ruid;
4621 	gid_t gid, rgid;
4622 	pid_t pid;
4623 	const auditinfo_addr_t *ainfo;
4624 	cred_t *cr;
4625 
4626 	pid = (pid_t)uap->pid;
4627 
4628 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4629 	if (pid > 0) {
4630 		mutex_enter(&pidlock);
4631 		if ((p = prfind(pid)) == (struct proc *)0) {
4632 			mutex_exit(&pidlock);
4633 			return;
4634 		}
4635 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4636 		mutex_exit(&pidlock);
4637 
4638 		mutex_enter(&p->p_crlock);
4639 		crhold(cr = p->p_cred);
4640 		mutex_exit(&p->p_crlock);
4641 		mutex_exit(&p->p_lock);
4642 
4643 		ainfo = crgetauinfo(cr);
4644 		if (ainfo == NULL) {
4645 			crfree(cr);
4646 			return;
4647 		}
4648 
4649 		uid  = crgetuid(cr);
4650 		gid  = crgetgid(cr);
4651 		ruid = crgetruid(cr);
4652 		rgid = crgetrgid(cr);
4653 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4654 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4655 		crfree(cr);
4656 	}
4657 	else
4658 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4659 }
4660 
4661 /*ARGSUSED*/
4662 static void
4663 aus_inst_sync(struct t_audit_data *tad)
4664 {
4665 	struct a {
4666 		long	name;	/* char */
4667 		long	flags;
4668 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4669 
4670 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4671 }
4672 
4673 /*ARGSUSED*/
4674 static void
4675 aus_brandsys(struct t_audit_data *tad)
4676 {
4677 	klwp_t *clwp = ttolwp(curthread);
4678 
4679 	struct a {
4680 		long	cmd;
4681 		long	arg1;
4682 		long	arg2;
4683 		long	arg3;
4684 		long	arg4;
4685 		long	arg5;
4686 		long	arg6;
4687 	} *uap = (struct a *)clwp->lwp_ap;
4688 
4689 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4690 #ifdef _LP64
4691 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4692 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4693 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4694 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4695 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4696 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4697 #else
4698 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4699 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4700 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4701 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4702 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4703 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4704 #endif
4705 }
4706 
4707 /*ARGSUSED*/
4708 static void
4709 aus_p_online(struct t_audit_data *tad)
4710 {
4711 	struct a {
4712 		long	processor_id;
4713 		long	flag;
4714 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4715 
4716 	struct flags {
4717 			int	flag;
4718 			char	*cflag;
4719 	} aflags[6] = {
4720 			{ P_ONLINE, "P_ONLINE"},
4721 			{ P_OFFLINE, "P_OFFLINE"},
4722 			{ P_NOINTR, "P_NOINTR"},
4723 			{ P_SPARE, "P_SPARE"},
4724 			{ P_FAULTED, "P_FAULTED"},
4725 			{ P_STATUS, "P_STATUS"}
4726 	};
4727 	int i;
4728 	char *cflag;
4729 
4730 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4731 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4732 
4733 	for (i = 0; i < 6; i++) {
4734 		if (aflags[i].flag == uap->flag)
4735 			break;
4736 	}
4737 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4738 
4739 	au_uwrite(au_to_text(cflag));
4740 }
4741 
4742 /*ARGSUSED*/
4743 static void
4744 aus_processor_bind(struct t_audit_data *tad)
4745 {
4746 	struct a {
4747 		long	id_type;
4748 		long	id;
4749 		long	processor_id;
4750 		long	obind;
4751 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4752 
4753 	struct proc *p;
4754 	int lwpcnt;
4755 	uid_t uid, ruid;
4756 	gid_t gid, rgid;
4757 	pid_t pid;
4758 	const auditinfo_addr_t *ainfo;
4759 	cred_t *cr;
4760 
4761 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4762 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4763 	if (uap->processor_id == PBIND_NONE)
4764 		au_uwrite(au_to_text("PBIND_NONE"));
4765 	else
4766 		au_uwrite(au_to_arg32(3, "processor_id",
4767 		    (uint32_t)uap->processor_id));
4768 
4769 	switch (uap->id_type) {
4770 	case P_MYID:
4771 	case P_LWPID:
4772 		mutex_enter(&pidlock);
4773 		p = ttoproc(curthread);
4774 		if (p == NULL || p->p_as == &kas) {
4775 			mutex_exit(&pidlock);
4776 			return;
4777 		}
4778 		mutex_enter(&p->p_lock);
4779 		mutex_exit(&pidlock);
4780 		lwpcnt = p->p_lwpcnt;
4781 		pid  = p->p_pid;
4782 
4783 		mutex_enter(&p->p_crlock);
4784 		crhold(cr = p->p_cred);
4785 		mutex_exit(&p->p_crlock);
4786 		mutex_exit(&p->p_lock);
4787 
4788 		ainfo = crgetauinfo(cr);
4789 		if (ainfo == NULL) {
4790 			crfree(cr);
4791 			return;
4792 		}
4793 
4794 		uid  = crgetuid(cr);
4795 		gid  = crgetgid(cr);
4796 		ruid = crgetruid(cr);
4797 		rgid = crgetrgid(cr);
4798 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4799 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4800 		crfree(cr);
4801 		break;
4802 	case P_PID:
4803 		mutex_enter(&pidlock);
4804 		p = prfind(uap->id);
4805 		if (p == NULL || p->p_as == &kas) {
4806 			mutex_exit(&pidlock);
4807 			return;
4808 		}
4809 		mutex_enter(&p->p_lock);
4810 		mutex_exit(&pidlock);
4811 		lwpcnt = p->p_lwpcnt;
4812 		pid  = p->p_pid;
4813 
4814 		mutex_enter(&p->p_crlock);
4815 		crhold(cr = p->p_cred);
4816 		mutex_exit(&p->p_crlock);
4817 		mutex_exit(&p->p_lock);
4818 
4819 		ainfo = crgetauinfo(cr);
4820 		if (ainfo == NULL) {
4821 			crfree(cr);
4822 			return;
4823 		}
4824 
4825 		uid  = crgetuid(cr);
4826 		gid  = crgetgid(cr);
4827 		ruid = crgetruid(cr);
4828 		rgid = crgetrgid(cr);
4829 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4830 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4831 		crfree(cr);
4832 
4833 		break;
4834 	default:
4835 		return;
4836 	}
4837 
4838 	if (uap->processor_id == PBIND_NONE &&
4839 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4840 		au_uwrite(au_to_text("PBIND_NONE for process"));
4841 	else
4842 		au_uwrite(au_to_arg32(3, "processor_id",
4843 		    (uint32_t)uap->processor_id));
4844 }
4845 
4846 /*ARGSUSED*/
4847 static au_event_t
4848 aui_doorfs(au_event_t e)
4849 {
4850 	uint32_t code;
4851 
4852 	struct a {		/* doorfs */
4853 		long	a1;
4854 		long	a2;
4855 		long	a3;
4856 		long	a4;
4857 		long	a5;
4858 		long	code;
4859 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4860 
4861 	/*
4862 	 *	audit formats for several of the
4863 	 *	door calls have not yet been determined
4864 	 */
4865 	code = (uint32_t)uap->code;
4866 	switch (code) {
4867 	case DOOR_CALL:
4868 		e = AUE_DOORFS_DOOR_CALL;
4869 		break;
4870 	case DOOR_RETURN:
4871 		e = AUE_NULL;
4872 		break;
4873 	case DOOR_CREATE:
4874 		e = AUE_DOORFS_DOOR_CREATE;
4875 		break;
4876 	case DOOR_REVOKE:
4877 		e = AUE_DOORFS_DOOR_REVOKE;
4878 		break;
4879 	case DOOR_INFO:
4880 		e = AUE_NULL;
4881 		break;
4882 	case DOOR_UCRED:
4883 		e = AUE_NULL;
4884 		break;
4885 	case DOOR_BIND:
4886 		e = AUE_NULL;
4887 		break;
4888 	case DOOR_UNBIND:
4889 		e = AUE_NULL;
4890 		break;
4891 	case DOOR_GETPARAM:
4892 		e = AUE_NULL;
4893 		break;
4894 	case DOOR_SETPARAM:
4895 		e = AUE_NULL;
4896 		break;
4897 	default:	/* illegal system call */
4898 		e = AUE_NULL;
4899 		break;
4900 	}
4901 
4902 	return (e);
4903 }
4904 
4905 static door_node_t *
4906 au_door_lookup(int did)
4907 {
4908 	vnode_t	*vp;
4909 	file_t *fp;
4910 
4911 	if ((fp = getf(did)) == NULL)
4912 		return (NULL);
4913 	/*
4914 	 * Use the underlying vnode (we may be namefs mounted)
4915 	 */
4916 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
4917 		vp = fp->f_vnode;
4918 
4919 	if (vp == NULL || vp->v_type != VDOOR) {
4920 		releasef(did);
4921 		return (NULL);
4922 	}
4923 
4924 	return (VTOD(vp));
4925 }
4926 
4927 /*ARGSUSED*/
4928 static void
4929 aus_doorfs(struct t_audit_data *tad)
4930 {
4931 
4932 	struct a {		/* doorfs */
4933 		long	a1;
4934 		long	a2;
4935 		long	a3;
4936 		long	a4;
4937 		long	a5;
4938 		long	code;
4939 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4940 
4941 	door_node_t	*dp;
4942 	struct proc	*p;
4943 	uint32_t	did;
4944 	uid_t uid, ruid;
4945 	gid_t gid, rgid;
4946 	pid_t pid;
4947 	const auditinfo_addr_t *ainfo;
4948 	cred_t *cr;
4949 
4950 	did = (uint32_t)uap->a1;
4951 
4952 	switch (tad->tad_event) {
4953 	case AUE_DOORFS_DOOR_CALL:
4954 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
4955 		if ((dp = au_door_lookup(did)) == NULL)
4956 			break;
4957 
4958 		if (DOOR_INVALID(dp)) {
4959 			releasef(did);
4960 			break;
4961 		}
4962 
4963 		if ((p = dp->door_target) == NULL) {
4964 			releasef(did);
4965 			break;
4966 		}
4967 		mutex_enter(&p->p_lock);
4968 		releasef(did);
4969 
4970 		pid  = p->p_pid;
4971 
4972 		mutex_enter(&p->p_crlock);
4973 		crhold(cr = p->p_cred);
4974 		mutex_exit(&p->p_crlock);
4975 		mutex_exit(&p->p_lock);
4976 
4977 		ainfo = crgetauinfo(cr);
4978 		if (ainfo == NULL) {
4979 			crfree(cr);
4980 			return;
4981 		}
4982 		uid  = crgetuid(cr);
4983 		gid  = crgetgid(cr);
4984 		ruid = crgetruid(cr);
4985 		rgid = crgetrgid(cr);
4986 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4987 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4988 		crfree(cr);
4989 		break;
4990 	case AUE_DOORFS_DOOR_RETURN:
4991 		/*
4992 		 * We may want to write information about
4993 		 * all doors (if any) which will be copied
4994 		 * by this call to the user space
4995 		 */
4996 		break;
4997 	case AUE_DOORFS_DOOR_CREATE:
4998 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
4999 		break;
5000 	case AUE_DOORFS_DOOR_REVOKE:
5001 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5002 		break;
5003 	case AUE_DOORFS_DOOR_INFO:
5004 		break;
5005 	case AUE_DOORFS_DOOR_CRED:
5006 		break;
5007 	case AUE_DOORFS_DOOR_BIND:
5008 		break;
5009 	case AUE_DOORFS_DOOR_UNBIND: {
5010 		break;
5011 	}
5012 	default:	/* illegal system call */
5013 		break;
5014 	}
5015 }
5016 
5017 /*ARGSUSED*/
5018 static au_event_t
5019 aui_acl(au_event_t e)
5020 {
5021 	struct a {
5022 		union {
5023 			long	name;	/* char */
5024 			long	fd;
5025 		}		obj;
5026 
5027 		long		cmd;
5028 		long		nentries;
5029 		long		arg;	/* aclent_t */
5030 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5031 
5032 	switch (uap->cmd) {
5033 	case SETACL:
5034 		/* ok, acl(SETACL, ...) and facl(SETACL, ...)  are expected. */
5035 		break;
5036 	case GETACL:
5037 	case GETACLCNT:
5038 		/* do nothing for these two values. */
5039 		e = AUE_NULL;
5040 		break;
5041 	default:
5042 		/* illegal system call */
5043 		break;
5044 	}
5045 
5046 	return (e);
5047 }
5048 
5049 
5050 /*ARGSUSED*/
5051 static void
5052 aus_acl(struct t_audit_data *tad)
5053 {
5054 	struct a {
5055 		long	fname;
5056 		long	cmd;
5057 		long	nentries;
5058 		long	aclbufp;
5059 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5060 	struct acl *aclbufp;
5061 
5062 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5063 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5064 
5065 	switch (uap->cmd) {
5066 	case GETACL:
5067 	case GETACLCNT:
5068 		break;
5069 	case SETACL:
5070 		if (uap->nentries < 3)
5071 			break;
5072 		else {
5073 			size_t a_size = uap->nentries * sizeof (struct acl);
5074 			int i;
5075 
5076 			aclbufp = kmem_alloc(a_size, KM_SLEEP);
5077 			if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
5078 				kmem_free(aclbufp, a_size);
5079 				break;
5080 			}
5081 			for (i = 0; i < uap->nentries; i++) {
5082 				au_uwrite(au_to_acl(aclbufp + i));
5083 			}
5084 			kmem_free(aclbufp, a_size);
5085 			break;
5086 		}
5087 	default:
5088 		break;
5089 	}
5090 }
5091 
5092 /*ARGSUSED*/
5093 static void
5094 aus_facl(struct t_audit_data *tad)
5095 {
5096 	struct a {
5097 		long	fd;
5098 		long	cmd;
5099 		long	nentries;
5100 		long	aclbufp;
5101 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5102 	struct file  *fp;
5103 	struct vnode *vp;
5104 	struct f_audit_data *fad;
5105 	struct acl *aclbufp;
5106 	int fd;
5107 
5108 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5109 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5110 
5111 	fd = (int)uap->fd;
5112 
5113 	if ((fp = getf(fd)) == NULL)
5114 		return;
5115 
5116 	/* get path from file struct here */
5117 	fad = F2A(fp);
5118 	if (fad->fad_aupath != NULL) {
5119 		au_uwrite(au_to_path(fad->fad_aupath));
5120 	} else {
5121 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5122 	}
5123 
5124 	vp = fp->f_vnode;
5125 	audit_attributes(vp);
5126 
5127 	/* decrement file descriptor reference count */
5128 	releasef(fd);
5129 
5130 	switch (uap->cmd) {
5131 	case GETACL:
5132 	case GETACLCNT:
5133 		break;
5134 	case SETACL:
5135 		if (uap->nentries < 3)
5136 			break;
5137 		else {
5138 			size_t a_size = uap->nentries * sizeof (struct acl);
5139 			int i;
5140 
5141 			aclbufp = kmem_alloc(a_size, KM_SLEEP);
5142 			if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
5143 				kmem_free(aclbufp, a_size);
5144 				break;
5145 			}
5146 			for (i = 0; i < uap->nentries; i++) {
5147 				au_uwrite(au_to_acl(aclbufp + i));
5148 			}
5149 			kmem_free(aclbufp, a_size);
5150 			break;
5151 		}
5152 	default:
5153 		break;
5154 	}
5155 }
5156 
5157 /*ARGSUSED*/
5158 static void
5159 auf_read(tad, error, rval)
5160 	struct t_audit_data *tad;
5161 	int error;
5162 	rval_t *rval;
5163 {
5164 	struct file *fp;
5165 	struct f_audit_data *fad;
5166 	int fd;
5167 	register struct a {
5168 		long	fd;
5169 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5170 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5171 
5172 	fd = (int)uap->fd;
5173 
5174 	/*
5175 	 * convert file pointer to file descriptor
5176 	 *   Note: fd ref count incremented here.
5177 	 */
5178 	if ((fp = getf(fd)) == NULL)
5179 		return;
5180 
5181 	/* get path from file struct here */
5182 	fad = F2A(fp);
5183 	ASSERT(fad);
5184 
5185 	/*
5186 	 * already processed this file for read attempt
5187 	 *
5188 	 * XXX might be better to turn off auditing in a aui_read() routine.
5189 	 */
5190 	if (fad->fad_flags & FAD_READ) {
5191 		/* don't really want to audit every read attempt */
5192 		tad->tad_flag = 0;
5193 		/* free any residual audit data */
5194 		au_close(kctx, &(u_ad), 0, 0, 0);
5195 		releasef(fd);
5196 		return;
5197 	}
5198 	/* mark things so we know what happened and don't repeat things */
5199 	fad->fad_flags |= FAD_READ;
5200 
5201 	if (fad->fad_aupath != NULL) {
5202 		au_uwrite(au_to_path(fad->fad_aupath));
5203 	} else {
5204 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5205 	}
5206 
5207 	/* include attributes */
5208 	audit_attributes(fp->f_vnode);
5209 
5210 	/* decrement file descriptor reference count */
5211 	releasef(fd);
5212 }
5213 
5214 /*ARGSUSED*/
5215 static void
5216 auf_write(tad, error, rval)
5217 	struct t_audit_data *tad;
5218 	int error;
5219 	rval_t *rval;
5220 {
5221 	struct file *fp;
5222 	struct f_audit_data *fad;
5223 	int fd;
5224 	register struct a {
5225 		long	fd;
5226 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5227 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5228 
5229 	fd = (int)uap->fd;
5230 
5231 	/*
5232 	 * convert file pointer to file descriptor
5233 	 *   Note: fd ref count incremented here.
5234 	 */
5235 	if ((fp = getf(fd)) == NULL)
5236 		return;
5237 
5238 	/* get path from file struct here */
5239 	fad = F2A(fp);
5240 	ASSERT(fad);
5241 
5242 	/*
5243 	 * already processed this file for write attempt
5244 	 *
5245 	 * XXX might be better to turn off auditing in a aus_write() routine.
5246 	 */
5247 	if (fad->fad_flags & FAD_WRITE) {
5248 		/* don't really want to audit every write attempt */
5249 		tad->tad_flag = 0;
5250 		/* free any residual audit data */
5251 		au_close(kctx, &(u_ad), 0, 0, 0);
5252 		releasef(fd);
5253 		return;
5254 	}
5255 	/* mark things so we know what happened and don't repeat things */
5256 	fad->fad_flags |= FAD_WRITE;
5257 
5258 	if (fad->fad_aupath != NULL) {
5259 		au_uwrite(au_to_path(fad->fad_aupath));
5260 	} else {
5261 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5262 	}
5263 
5264 	/* include attributes */
5265 	audit_attributes(fp->f_vnode);
5266 
5267 	/* decrement file descriptor reference count */
5268 	releasef(fd);
5269 }
5270 
5271 /*ARGSUSED*/
5272 static void
5273 auf_recv(tad, error, rval)
5274 	struct t_audit_data *tad;
5275 	int error;
5276 	rval_t *rval;
5277 {
5278 	struct sonode *so;
5279 	char so_laddr[sizeof (struct sockaddr_in6)];
5280 	char so_faddr[sizeof (struct sockaddr_in6)];
5281 	struct file *fp;
5282 	struct f_audit_data *fad;
5283 	int fd;
5284 	int err;
5285 	int len;
5286 	short so_family, so_type;
5287 	register struct a {
5288 		long	fd;
5289 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5290 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5291 
5292 	/*
5293 	 * If there was an error, then nothing to do. Only generate
5294 	 * audit record on first successful recv.
5295 	 */
5296 	if (error) {
5297 		/* Turn off audit record generation here. */
5298 		tad->tad_flag = 0;
5299 		/* free any residual audit data */
5300 		au_close(kctx, &(u_ad), 0, 0, 0);
5301 		return;
5302 	}
5303 
5304 	fd = (int)uap->fd;
5305 
5306 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5307 		/* Turn off audit record generation here. */
5308 		tad->tad_flag = 0;
5309 		/* free any residual audit data */
5310 		au_close(kctx, &(u_ad), 0, 0, 0);
5311 		return;
5312 	}
5313 
5314 	/* get path from file struct here */
5315 	fad = F2A(fp);
5316 	ASSERT(fad);
5317 
5318 	/*
5319 	 * already processed this file for read attempt
5320 	 */
5321 	if (fad->fad_flags & FAD_READ) {
5322 		releasef(fd);
5323 		/* don't really want to audit every recv call */
5324 		tad->tad_flag = 0;
5325 		/* free any residual audit data */
5326 		au_close(kctx, &(u_ad), 0, 0, 0);
5327 		return;
5328 	}
5329 
5330 	/* mark things so we know what happened and don't repeat things */
5331 	fad->fad_flags |= FAD_READ;
5332 
5333 	so_family = so->so_family;
5334 	so_type   = so->so_type;
5335 
5336 	switch (so_family) {
5337 	case AF_INET:
5338 	case AF_INET6:
5339 		/*
5340 		 * Only for connections.
5341 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5342 		 */
5343 		if (so->so_state & SS_ISBOUND) {
5344 
5345 			bzero((void *)so_laddr, sizeof (so_laddr));
5346 			bzero((void *)so_faddr, sizeof (so_faddr));
5347 
5348 			/* only done once on a connection */
5349 			(void) SOP_GETSOCKNAME(so);
5350 			(void) SOP_GETPEERNAME(so);
5351 
5352 			/* get local and foreign addresses */
5353 			mutex_enter(&so->so_lock);
5354 			len = min(so->so_laddr_len, sizeof (so_laddr));
5355 			bcopy(so->so_laddr_sa, so_laddr, len);
5356 			len = min(so->so_faddr_len, sizeof (so_faddr));
5357 			bcopy(so->so_faddr_sa, so_faddr, len);
5358 			mutex_exit(&so->so_lock);
5359 
5360 			/*
5361 			 * only way to drop out of switch. Note that we
5362 			 * we release fd below.
5363 			 */
5364 
5365 			break;
5366 		}
5367 
5368 		releasef(fd);
5369 
5370 		/* don't really want to audit every recv call */
5371 		tad->tad_flag = 0;
5372 		/* free any residual audit data */
5373 		au_close(kctx, &(u_ad), 0, 0, 0);
5374 
5375 		return;
5376 
5377 	case AF_UNIX:
5378 
5379 		if (fad->fad_aupath != NULL) {
5380 			au_uwrite(au_to_path(fad->fad_aupath));
5381 		} else {
5382 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5383 		}
5384 
5385 		audit_attributes(fp->f_vnode);
5386 
5387 		releasef(fd);
5388 
5389 		return;
5390 
5391 	default:
5392 		releasef(fd);
5393 
5394 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5395 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5396 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5397 
5398 		return;
5399 	}
5400 
5401 	releasef(fd);
5402 
5403 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5404 
5405 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5406 
5407 }
5408 
5409 /*ARGSUSED*/
5410 static void
5411 auf_send(tad, error, rval)
5412 	struct t_audit_data *tad;
5413 	int error;
5414 	rval_t *rval;
5415 {
5416 	struct sonode *so;
5417 	char so_laddr[sizeof (struct sockaddr_in6)];
5418 	char so_faddr[sizeof (struct sockaddr_in6)];
5419 	struct file *fp;
5420 	struct f_audit_data *fad;
5421 	int fd;
5422 	int err;
5423 	int len;
5424 	short so_family, so_type;
5425 	register struct a {
5426 		long	fd;
5427 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5428 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5429 
5430 	fd = (int)uap->fd;
5431 
5432 	/*
5433 	 * If there was an error, then nothing to do. Only generate
5434 	 * audit record on first successful send.
5435 	 */
5436 	if (error != 0) {
5437 		/* Turn off audit record generation here. */
5438 		tad->tad_flag = 0;
5439 		/* free any residual audit data */
5440 		au_close(kctx, &(u_ad), 0, 0, 0);
5441 		return;
5442 	}
5443 
5444 	fd = (int)uap->fd;
5445 
5446 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5447 		/* Turn off audit record generation here. */
5448 		tad->tad_flag = 0;
5449 		/* free any residual audit data */
5450 		au_close(kctx, &(u_ad), 0, 0, 0);
5451 		return;
5452 	}
5453 
5454 	/* get path from file struct here */
5455 	fad = F2A(fp);
5456 	ASSERT(fad);
5457 
5458 	/*
5459 	 * already processed this file for write attempt
5460 	 */
5461 	if (fad->fad_flags & FAD_WRITE) {
5462 		releasef(fd);
5463 		/* don't really want to audit every send call */
5464 		tad->tad_flag = 0;
5465 		/* free any residual audit data */
5466 		au_close(kctx, &(u_ad), 0, 0, 0);
5467 		return;
5468 	}
5469 
5470 	/* mark things so we know what happened and don't repeat things */
5471 	fad->fad_flags |= FAD_WRITE;
5472 
5473 	so_family = so->so_family;
5474 	so_type   = so->so_type;
5475 
5476 	switch (so_family) {
5477 	case AF_INET:
5478 	case AF_INET6:
5479 		/*
5480 		 * Only for connections.
5481 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5482 		 */
5483 		if (so->so_state & SS_ISBOUND) {
5484 
5485 			bzero((void *)so_laddr, sizeof (so_laddr));
5486 			bzero((void *)so_faddr, sizeof (so_faddr));
5487 
5488 			/* only done once on a connection */
5489 			(void) SOP_GETSOCKNAME(so);
5490 			(void) SOP_GETPEERNAME(so);
5491 
5492 			/* get local and foreign addresses */
5493 			mutex_enter(&so->so_lock);
5494 			len = min(so->so_laddr_len, sizeof (so_laddr));
5495 			bcopy(so->so_laddr_sa, so_laddr, len);
5496 			len = min(so->so_faddr_len, sizeof (so_faddr));
5497 			bcopy(so->so_faddr_sa, so_faddr, len);
5498 			mutex_exit(&so->so_lock);
5499 
5500 			/*
5501 			 * only way to drop out of switch. Note that we
5502 			 * we release fd below.
5503 			 */
5504 
5505 			break;
5506 		}
5507 
5508 		releasef(fd);
5509 		/* don't really want to audit every send call */
5510 		tad->tad_flag = 0;
5511 		/* free any residual audit data */
5512 		au_close(kctx, &(u_ad), 0, 0, 0);
5513 
5514 		return;
5515 
5516 	case AF_UNIX:
5517 
5518 		if (fad->fad_aupath != NULL) {
5519 			au_uwrite(au_to_path(fad->fad_aupath));
5520 		} else {
5521 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5522 		}
5523 
5524 		audit_attributes(fp->f_vnode);
5525 
5526 		releasef(fd);
5527 
5528 		return;
5529 
5530 	default:
5531 		releasef(fd);
5532 
5533 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5534 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5535 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5536 
5537 		return;
5538 	}
5539 
5540 	releasef(fd);
5541 
5542 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5543 
5544 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5545 }
5546 
5547 static au_event_t
5548 aui_forksys(au_event_t e)
5549 {
5550 	struct a {
5551 		long	subcode;
5552 		long	flags;
5553 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5554 
5555 	switch ((uint_t)uap->subcode) {
5556 	case 0:
5557 		e = AUE_FORK1;
5558 		break;
5559 	case 1:
5560 		e = AUE_FORKALL;
5561 		break;
5562 	case 2:
5563 		e = AUE_VFORK;
5564 		break;
5565 	default:
5566 		e = AUE_NULL;
5567 		break;
5568 	}
5569 
5570 	return (e);
5571 }
5572 
5573 /*ARGSUSED*/
5574 static au_event_t
5575 aui_portfs(au_event_t e)
5576 {
5577 	struct a {		/* portfs */
5578 		long	a1;
5579 		long	a2;
5580 		long	a3;
5581 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5582 
5583 	/*
5584 	 * check opcode
5585 	 */
5586 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5587 	case PORT_ASSOCIATE:
5588 	case PORT_DISSOCIATE:
5589 		/*
5590 		 * check source
5591 		 */
5592 		if ((uint_t)uap->a3 == PORT_SOURCE_FILE) {
5593 			e = AUE_PORTFS;
5594 		} else {
5595 			e = AUE_NULL;
5596 		}
5597 		break;
5598 	default:
5599 		e = AUE_NULL;
5600 	}
5601 	return (e);
5602 }
5603