xref: /titanic_50/usr/src/uts/common/c2/audit_event.c (revision e38c922ef0e324c6fd8b205270fd97d564f88630)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 /*
26  * This file contains the audit event table used to control the production
27  * of audit records for each system call.
28  */
29 
30 #include <sys/policy.h>
31 #include <sys/cred.h>
32 #include <sys/types.h>
33 #include <sys/systm.h>
34 #include <sys/systeminfo.h>	/* for sysinfo auditing */
35 #include <sys/utsname.h>	/* for sysinfo auditing */
36 #include <sys/proc.h>
37 #include <sys/vnode.h>
38 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
39 #include <sys/fcntl.h>
40 #include <sys/modctl.h>		/* for modctl auditing */
41 #include <sys/vnode.h>
42 #include <sys/user.h>
43 #include <sys/types.h>
44 #include <sys/processor.h>
45 #include <sys/procset.h>
46 #include <sys/acl.h>
47 #include <sys/ipc.h>
48 #include <sys/door.h>
49 #include <sys/sem.h>
50 #include <sys/msg.h>
51 #include <sys/shm.h>
52 #include <sys/kmem.h>
53 #include <sys/file.h>		/* for accept */
54 #include <sys/utssys.h>		/* for fuser */
55 #include <sys/tsol/label.h>
56 #include <sys/tsol/tndb.h>
57 #include <sys/tsol/tsyscall.h>
58 #include <c2/audit.h>
59 #include <c2/audit_kernel.h>
60 #include <c2/audit_kevents.h>
61 #include <c2/audit_record.h>
62 #include <sys/procset.h>
63 #include <nfs/mount.h>
64 #include <sys/param.h>
65 #include <sys/debug.h>
66 #include <sys/sysmacros.h>
67 #include <sys/stream.h>
68 #include <sys/strsubr.h>
69 #include <sys/stropts.h>
70 #include <sys/tihdr.h>
71 #include <sys/socket.h>
72 #include <sys/socketvar.h>
73 #include <sys/vfs_opreg.h>
74 #include <fs/sockfs/sockcommon.h>
75 #include <netinet/in.h>
76 #include <sys/ddi.h>
77 #include <sys/port_impl.h>
78 
79 
80 char	_depends_on[] = "fs/sockfs";
81 
82 static au_event_t	aui_fchownat(au_event_t);
83 static au_event_t	aui_open(au_event_t);
84 static au_event_t	aui_openat(au_event_t);
85 static au_event_t	aui_unlinkat(au_event_t);
86 static au_event_t	aui_fstatat(au_event_t);
87 static au_event_t	aui_msgsys(au_event_t);
88 static au_event_t	aui_shmsys(au_event_t);
89 static au_event_t	aui_semsys(au_event_t);
90 static au_event_t	aui_utssys(au_event_t);
91 static au_event_t	aui_fcntl(au_event_t);
92 static au_event_t	aui_execve(au_event_t);
93 static au_event_t	aui_memcntl(au_event_t);
94 static au_event_t	aui_sysinfo(au_event_t);
95 static au_event_t	aui_portfs(au_event_t);
96 static au_event_t	aui_auditsys(au_event_t);
97 static au_event_t	aui_modctl(au_event_t);
98 static au_event_t	aui_acl(au_event_t);
99 static au_event_t	aui_doorfs(au_event_t);
100 static au_event_t	aui_privsys(au_event_t);
101 static au_event_t	aui_forksys(au_event_t);
102 static au_event_t	aui_labelsys(au_event_t);
103 static au_event_t	aui_setpgrp(au_event_t);
104 
105 static void	aus_exit(struct t_audit_data *);
106 static void	aus_open(struct t_audit_data *);
107 static void	aus_openat(struct t_audit_data *);
108 static void	aus_acl(struct t_audit_data *);
109 static void	aus_acct(struct t_audit_data *);
110 static void	aus_chown(struct t_audit_data *);
111 static void	aus_fchown(struct t_audit_data *);
112 static void	aus_lchown(struct t_audit_data *);
113 static void	aus_fchownat(struct t_audit_data *);
114 static void	aus_chmod(struct t_audit_data *);
115 static void	aus_facl(struct t_audit_data *);
116 static void	aus_fchmod(struct t_audit_data *);
117 static void	aus_fcntl(struct t_audit_data *);
118 static void	aus_mkdir(struct t_audit_data *);
119 static void	aus_mknod(struct t_audit_data *);
120 static void	aus_mount(struct t_audit_data *);
121 static void	aus_umount2(struct t_audit_data *);
122 static void	aus_msgsys(struct t_audit_data *);
123 static void	aus_semsys(struct t_audit_data *);
124 static void	aus_close(struct t_audit_data *);
125 static void	aus_fstatfs(struct t_audit_data *);
126 static void	aus_setgid(struct t_audit_data *);
127 static void	aus_setpgrp(struct t_audit_data *);
128 static void	aus_setuid(struct t_audit_data *);
129 static void	aus_shmsys(struct t_audit_data *);
130 static void	aus_doorfs(struct t_audit_data *);
131 static void	aus_ioctl(struct t_audit_data *);
132 static void	aus_memcntl(struct t_audit_data *);
133 static void	aus_mmap(struct t_audit_data *);
134 static void	aus_munmap(struct t_audit_data *);
135 static void	aus_priocntlsys(struct t_audit_data *);
136 static void	aus_setegid(struct t_audit_data *);
137 static void	aus_setgroups(struct t_audit_data *);
138 static void	aus_seteuid(struct t_audit_data *);
139 static void	aus_putmsg(struct t_audit_data *);
140 static void	aus_putpmsg(struct t_audit_data *);
141 static void	aus_getmsg(struct t_audit_data *);
142 static void	aus_getpmsg(struct t_audit_data *);
143 static void	aus_auditsys(struct t_audit_data *);
144 static void	aus_sysinfo(struct t_audit_data *);
145 static void	aus_modctl(struct t_audit_data *);
146 static void	aus_kill(struct t_audit_data *);
147 static void	aus_setregid(struct t_audit_data *);
148 static void	aus_setreuid(struct t_audit_data *);
149 static void	aus_labelsys(struct t_audit_data *);
150 
151 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
152 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
153 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
154 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
155 static void	auf_read(struct t_audit_data *, int, rval_t *);
156 static void	auf_write(struct t_audit_data *, int, rval_t *);
157 
158 static void	aus_sigqueue(struct t_audit_data *);
159 static void	aus_p_online(struct t_audit_data *);
160 static void	aus_processor_bind(struct t_audit_data *);
161 static void	aus_inst_sync(struct t_audit_data *);
162 static void	aus_brandsys(struct t_audit_data *);
163 
164 static void	auf_accept(struct t_audit_data *, int, rval_t *);
165 
166 static void	auf_bind(struct t_audit_data *, int, rval_t *);
167 static void	auf_connect(struct t_audit_data *, int, rval_t *);
168 static void	aus_shutdown(struct t_audit_data *);
169 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
170 static void	aus_sockconfig(struct t_audit_data *);
171 static void	auf_recv(struct t_audit_data *, int, rval_t *);
172 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
173 static void	auf_send(struct t_audit_data *, int, rval_t *);
174 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
175 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
176 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
177 static void	aus_socket(struct t_audit_data *);
178 /*
179  * This table contains mapping information for converting system call numbers
180  * to audit event IDs. In several cases it is necessary to map a single system
181  * call to several events.
182  */
183 
184 #define	aui_null	NULL	/* NULL initialize function */
185 #define	aus_null	NULL	/* NULL start function */
186 #define	auf_null	NULL	/* NULL finish function */
187 
188 struct audit_s2e audit_s2e[] =
189 {
190 /*
191  * ----------	---------- 	----------	----------
192  * INITIAL	AUDIT		START		SYSTEM
193  * PROCESSING	EVENT		PROCESSING	CALL
194  * ----------	----------	----------	-----------
195  *		FINISH		EVENT
196  *		PROCESSING	CONTROL
197  * ----------------------------------------------------------
198  */
199 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
200 		auf_null,	0,
201 aui_null,	AUE_EXIT,	aus_exit,	/* 1 exit */
202 		auf_null,	S2E_NPT,
203 aui_null,	AUE_NULL,	aus_null,	/* 2 (loadable) was forkall */
204 		auf_null,	0,
205 aui_null,	AUE_READ,	aus_null,	/* 3 read */
206 		auf_read,	S2E_PUB,
207 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
208 		auf_write,	0,
209 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
210 		auf_null,	S2E_SP,
211 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
212 		auf_null,	0,
213 aui_null,	AUE_NULL,	aus_null,	/* 7 (loadable) was wait */
214 		auf_null,	0,
215 aui_null,	AUE_NULL,	aus_null,	/* 8 (loadable) was creat */
216 		auf_null,	0,
217 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
218 		auf_null,	0,
219 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
220 		auf_null,	0,
221 aui_null,	AUE_NULL,	aus_null,	/* 11 (loadable) was exec */
222 		auf_null,	0,
223 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
224 		auf_null,	S2E_SP,
225 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
226 		auf_null,	0,
227 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
228 		auf_mknod,	0,
229 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
230 		auf_null,	0,
231 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
232 		auf_null,	0,
233 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
234 		auf_null,	0,
235 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
236 		auf_null,	S2E_PUB,
237 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
238 		auf_null,	0,
239 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
240 		auf_null,	0,
241 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
242 		auf_null,	S2E_MLD,
243 aui_null,	AUE_NULL,	aus_null,	/* 22 (loadable) was umount */
244 		auf_null,	0,
245 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
246 		auf_null,	0,
247 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
248 		auf_null,	0,
249 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
250 		auf_null,	0,
251 aui_null,	AUE_NULL,	aus_null,	/* 26 pcsample */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
254 		auf_null,	0,
255 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 30 (loadable) was utime */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
262 		auf_null,	0,
263 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
264 		auf_null,	0,
265 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
266 		auf_null,	S2E_PUB,
267 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
268 		auf_null,	0,
269 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
270 		auf_null,	S2E_PUB,
271 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
272 		auf_null,	0,
273 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
274 		auf_null,	0,
275 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
276 		auf_null,	S2E_PUB,
277 aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
278 		auf_null,	0,
279 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
280 		auf_null,	0,
281 aui_null,	AUE_NULL,	aus_null,	/* 41 (loadable) was dup */
282 		auf_null,	0,
283 aui_null,	AUE_PIPE,	aus_null,	/* 42 (loadable) pipe */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
288 		auf_null,	0,
289 aui_null,	AUE_ACCESS,	aus_null,	/* 45 faccessat */
290 		auf_null,	S2E_PUB,
291 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
292 		auf_null,	0,
293 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
294 		auf_null,	0,
295 aui_null,	AUE_NULL,	aus_null,	/* 48 (loadable) was ssig */
296 		auf_null,	0,
297 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) msgsys */
298 		auf_msgsys,	0,
299 #if defined(__x86)
300 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
301 		auf_null,	0,
302 #else
303 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
304 		auf_null,	0,
305 #endif /* __x86 */
306 aui_null,	AUE_ACCT,	aus_acct,	/* 51 (loadable) sysacct */
307 		auf_null,	0,
308 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 (loadable) shmsys */
309 		auf_shmsys,	0,
310 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 (loadable) semsys */
311 		auf_semsys,	0,
312 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
313 		auf_null,	0,
314 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
315 		auf_null,	0,
316 aui_fchownat,	AUE_NULL,	aus_fchownat,	/* 56 fchownat */
317 		auf_null,	0,
318 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
319 		auf_null,	0,
320 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
321 		auf_null,	0,
322 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
323 		auf_null,	S2E_MLD,
324 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
325 		auf_null,	0,
326 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
327 		auf_null,	S2E_SP,
328 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
329 		auf_null,	0,
330 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
331 		auf_null,	0,
332 aui_null,	AUE_RENAME,	aus_null,	/* 64 renameat */
333 		auf_null,	0,
334 aui_unlinkat,	AUE_NULL,	aus_null,	/* 65 unlinkat */
335 		auf_null,	0,
336 aui_fstatat,	AUE_NULL,	aus_null,	/* 66 fstatat */
337 		auf_null,	S2E_PUB,
338 aui_fstatat,	AUE_NULL,	aus_null,	/* 67 fstatat64 */
339 		auf_null,	S2E_PUB,
340 aui_openat,	AUE_OPEN,	aus_openat,	/* 68 openat */
341 		auf_null,	S2E_SP,
342 aui_openat,	AUE_OPEN,	aus_openat,	/* 69 openat64 */
343 		auf_null,	S2E_SP,
344 aui_null,	AUE_NULL,	aus_null,	/* 70 tasksys */
345 		auf_null,	0,
346 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) acctctl */
347 		auf_null,	0,
348 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) exacct */
349 		auf_null,	0,
350 aui_null,	AUE_NULL,	aus_null,	/* 73 getpagesizes */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 74 rctlsys */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
355 		auf_null,	0,
356 aui_null,	AUE_NULL,	aus_null,	/* 76 (loadable) was fsat */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 77 syslwp_park */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 78 sendfilev */
361 		auf_null,	0,
362 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
363 		auf_null,	0,
364 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
365 		auf_null,	0,
366 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
367 		auf_null,	0,
368 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
369 		auf_null,	0,
370 aui_null,	AUE_NULL,	aus_null,	/* 83 ucredsys */
371 		auf_null,	0,
372 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
373 		auf_null,	0,
374 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
375 		auf_null,	0,
376 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
377 		auf_null,	0,
378 aui_null,	AUE_NULL,	aus_null,	/* 87 (loadable) was poll */
379 		auf_null,	0,
380 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
381 		auf_null,	S2E_PUB,
382 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
383 		auf_null,	0,
384 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
385 		auf_null,	S2E_PUB,
386 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
387 		auf_null,	0,
388 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
389 		auf_null,	0,
390 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
391 		auf_null,	0,
392 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
393 		auf_null,	0,
394 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
395 		auf_null,	0,
396 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
397 		auf_null,	0,
398 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
409 		auf_null,	0,
410 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
411 		auf_null,	S2E_PUB,
412 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
413 		auf_null,	0,
414 aui_null,	AUE_NULL,	aus_null,	/* 105 getloadavg */
415 		auf_null,	0,
416 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
417 		auf_null,	0,
418 aui_null,	AUE_NULL,	aus_null,	/* 107 waitsys */
419 		auf_null,	0,
420 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendsys */
421 		auf_null,	0,
422 #if defined(__x86)
423 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
424 		auf_null,	0,
425 #else
426 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
427 		auf_null,	0,
428 #endif /* __x86 */
429 aui_null,	AUE_UTIMES,	aus_null,	/* 110 utimesys */
430 		auf_null,	0,
431 aui_null,	AUE_NULL,	aus_null,	/* 111 sigresend */
432 		auf_null,	0,
433 aui_null,	AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
434 		auf_null,	0,
435 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
436 		auf_null,	S2E_PUB,
437 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
438 		auf_null,	0,
439 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
440 		auf_null,	0,
441 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
442 		auf_null,	0,
443 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
444 		auf_null,	0,
445 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
446 		auf_null,	0,
447 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
448 		auf_null,	0,
449 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
450 		auf_null,	0,
451 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
452 		auf_read,	S2E_PUB,
453 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
454 		auf_write,	0,
455 aui_null,	AUE_NULL,	aus_null,	/* 123 (loadable) was xstat */
456 		auf_null,	0,
457 aui_null,	AUE_NULL,	aus_null,	/* 124 (loadable) was lxstat */
458 		auf_null,	0,
459 aui_null,	AUE_NULL,	aus_null,	/* 125 (loadable) was fxstat */
460 		auf_null,	0,
461 aui_null,	AUE_NULL,	aus_null,	/* 126 (loadable) was xmknod */
462 		auf_null,	0,
463 aui_null,	AUE_NULL,	aus_null,	/* 127 mmapobj */
464 		auf_null,	0,
465 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
466 		auf_null,	0,
467 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
468 		auf_null,	0,
469 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
470 		auf_null,	0,
471 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
472 		auf_null,	0,
473 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
474 		auf_null,	0,
475 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
476 		auf_null,	0,
477 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
478 		auf_null,	0,
479 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
480 		auf_null,	0,
481 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
482 		auf_null,	0,
483 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
484 		auf_null,	0,
485 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
486 		auf_null,	0,
487 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
488 		auf_null,	0,
489 aui_null,	AUE_NULL,	aus_null,	/* 140 (loadable) sharefs */
490 		auf_null,	0,
491 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
492 		auf_null,	0,
493 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
494 		auf_null,	0,
495 aui_null,	AUE_NULL,	aus_null,	/* 143 (loadable) was fork1 */
496 		auf_null,	0,
497 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
498 		auf_null,	0,
499 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
500 		auf_null,	0,
501 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
502 		auf_null,	0,
503 aui_null,	AUE_NULL,	aus_null,	/* 147 (loadable) */
504 						/*	was lwp_sema_wait */
505 		auf_null,	0,
506 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 150 lwp_detach */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 151 corectl */
513 		auf_null,	0,
514 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
515 		auf_null,	0,
516 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
517 		auf_null,	0,
518 aui_null,	AUE_NULL,	aus_null,	/* 154 (loadable) was utimes */
519 		auf_null,	0,
520 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
521 		auf_null,	0,
522 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 165 lwp_sigmask */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 166 lwp_private */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
547 		auf_null,	0,
548 aui_null,	AUE_NULL,	aus_null,	/* 169 (loadable) */
549 						/*	was lwp_mutex_lock */
550 		auf_null,	0,
551 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
552 		auf_null,	0,
553 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
554 		auf_null,	0,
555 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
556 		auf_null,	0,
557 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
558 		auf_read,	S2E_PUB,
559 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
560 		auf_write,	0,
561 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
562 		auf_null,	0,
563 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) inst_sync */
564 		auf_null,	0,
565 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
566 		auf_null,	0,
567 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) kaio */
568 		auf_null,	0,
569 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) cpc */
570 		auf_null,	0,
571 aui_null,	AUE_NULL,	aus_null,	/* 180 lgrpsys */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 181 rusagesys */
574 		auf_null,	0,
575 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
576 		auf_null,	S2E_MLD,
577 aui_null,	AUE_NULL,	aus_null,	/* 183 pollsys */
578 		auf_null,	0,
579 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
580 		auf_null,	0,
581 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
582 		auf_null,	0,
583 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
584 		auf_null,	0,
585 aui_null,	AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
586 		auf_null,	0,
587 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
588 		auf_null,	0,
589 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
590 		auf_null,	0,
591 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
592 		auf_null,	0,
593 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
594 		auf_null,	0,
595 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
596 		auf_null,	0,
597 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
600 		auf_null,	0,
601 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
610 		auf_null,	0,
611 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
612 		auf_null,	0,
613 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
614 		auf_null,	0,
615 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
616 		auf_null,	0,
617 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
618 		auf_null,	0,
619 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
620 		auf_null,	0,
621 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
622 		auf_null,	0,
623 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 208 sparc_utrap_install */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 */
638 		auf_null,	0,
639 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
640 		auf_null,	0,
641 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
642 		auf_null,	S2E_PUB,
643 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
644 		auf_null,	S2E_PUB,
645 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
646 		auf_null,	0,
647 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
648 		auf_null,	S2E_PUB,
649 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
650 		auf_null,	0,
651 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
652 		auf_null,	0,
653 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
654 		auf_null,	0,
655 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
656 		auf_read,	S2E_PUB,
657 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
658 		auf_write,	0,
659 aui_null,	AUE_NULL,	aus_null,	/* 224 (loadable) was creat64 */
660 		auf_null,	0,
661 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
662 		auf_null,	S2E_SP,
663 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
664 		auf_null,	0,
665 aui_null,	AUE_NULL,	aus_null,	/* 227 zone */
666 		auf_null,	0,
667 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) autofssys */
668 		auf_null,	0,
669 aui_null,	AUE_NULL,	aus_null,	/* 229 getcwd */
670 		auf_null,	0,
671 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
674 		auf_null,	0,
675 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
676 		auf_bind,	0,
677 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
678 		auf_null,	0,
679 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
680 		auf_accept,	0,
681 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
682 		auf_connect,	0,
683 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
684 		auf_null,	0,
685 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
686 		auf_recv,	0,
687 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
688 		auf_recvfrom,	0,
689 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
690 		auf_recvmsg,	0,
691 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
692 		auf_send,	0,
693 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
694 		auf_sendmsg,	0,
695 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
696 		auf_sendto,	0,
697 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
698 		auf_null,	0,
699 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
700 		auf_null,	0,
701 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
702 		auf_null,	0,
703 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
704 		auf_setsockopt,	0,
705 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
706 		auf_null,	0,
707 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
708 		auf_null,	0,
709 aui_null,	AUE_NTP_ADJTIME, aus_null,	/* 249 ntp_adjtime */
710 		auf_null,	0,
711 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
712 		auf_null,	0,
713 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
714 		auf_null,	0,
715 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
720 		auf_null,	0,
721 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
722 		auf_null,	0
723 };
724 
725 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
726 
727 
728 /* exit start function */
729 /*ARGSUSED*/
730 static void
731 aus_exit(struct t_audit_data *tad)
732 {
733 	uint32_t rval;
734 	struct a {
735 		long rval;
736 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
737 
738 	rval = (uint32_t)uap->rval;
739 	au_uwrite(au_to_arg32(1, "exit status", rval));
740 }
741 
742 /* acct start function */
743 /*ARGSUSED*/
744 static void
745 aus_acct(struct t_audit_data *tad)
746 {
747 	klwp_t *clwp = ttolwp(curthread);
748 	uintptr_t fname;
749 
750 	struct a {
751 		long	fname;		/* char * */
752 	} *uap = (struct a *)clwp->lwp_ap;
753 
754 	fname = (uintptr_t)uap->fname;
755 
756 	if (fname == 0)
757 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
758 }
759 
760 /* chown start function */
761 /*ARGSUSED*/
762 static void
763 aus_chown(struct t_audit_data *tad)
764 {
765 	klwp_t *clwp = ttolwp(curthread);
766 	uint32_t uid, gid;
767 
768 	struct a {
769 		long	fname;		/* char * */
770 		long	uid;
771 		long	gid;
772 	} *uap = (struct a *)clwp->lwp_ap;
773 
774 	uid = (uint32_t)uap->uid;
775 	gid = (uint32_t)uap->gid;
776 
777 	au_uwrite(au_to_arg32(2, "new file uid", uid));
778 	au_uwrite(au_to_arg32(3, "new file gid", gid));
779 }
780 
781 /* fchown start function */
782 /*ARGSUSED*/
783 static void
784 aus_fchown(struct t_audit_data *tad)
785 {
786 	klwp_t *clwp = ttolwp(curthread);
787 	uint32_t uid, gid, fd;
788 	struct file  *fp;
789 	struct vnode *vp;
790 	struct f_audit_data *fad;
791 
792 	struct a {
793 		long fd;
794 		long uid;
795 		long gid;
796 	} *uap = (struct a *)clwp->lwp_ap;
797 
798 	fd  = (uint32_t)uap->fd;
799 	uid = (uint32_t)uap->uid;
800 	gid = (uint32_t)uap->gid;
801 
802 	au_uwrite(au_to_arg32(2, "new file uid", uid));
803 	au_uwrite(au_to_arg32(3, "new file gid", gid));
804 
805 		/*
806 		 * convert file pointer to file descriptor
807 		 *   Note: fd ref count incremented here.
808 		 */
809 	if ((fp = getf(fd)) == NULL)
810 		return;
811 
812 	/* get path from file struct here */
813 	fad = F2A(fp);
814 	if (fad->fad_aupath != NULL) {
815 		au_uwrite(au_to_path(fad->fad_aupath));
816 	} else {
817 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
818 	}
819 
820 	vp = fp->f_vnode;
821 	audit_attributes(vp);
822 
823 	/* decrement file descriptor reference count */
824 	releasef(fd);
825 }
826 
827 /*ARGSUSED*/
828 static void
829 aus_lchown(struct t_audit_data *tad)
830 {
831 	klwp_t *clwp = ttolwp(curthread);
832 	uint32_t uid, gid;
833 
834 
835 	struct a {
836 		long	fname;		/* char	* */
837 		long	uid;
838 		long	gid;
839 	} *uap = (struct a *)clwp->lwp_ap;
840 
841 	uid = (uint32_t)uap->uid;
842 	gid = (uint32_t)uap->gid;
843 
844 	au_uwrite(au_to_arg32(2, "new file uid", uid));
845 	au_uwrite(au_to_arg32(3, "new file gid", gid));
846 }
847 
848 static au_event_t
849 aui_fchownat(au_event_t e)
850 {
851 	klwp_t *clwp = ttolwp(curthread);
852 
853 	struct a {
854 		long	fd;
855 		long	fname;		/* char * */
856 		long	uid;
857 		long	gid;
858 		long	flags;
859 	} *uap = (struct a *)clwp->lwp_ap;
860 
861 	if (uap->fname == NULL)
862 		e = AUE_FCHOWN;
863 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
864 		e = AUE_LCHOWN;
865 	else
866 		e = AUE_CHOWN;
867 
868 	return (e);
869 }
870 
871 /*ARGSUSED*/
872 static void
873 aus_fchownat(struct t_audit_data *tad)
874 {
875 	klwp_t *clwp = ttolwp(curthread);
876 	uint32_t uid, gid;
877 
878 	struct a {
879 		long	fd;
880 		long	fname;		/* char * */
881 		long	uid;
882 		long	gid;
883 		long	flags;
884 	} *uap = (struct a *)clwp->lwp_ap;
885 
886 	uid = (uint32_t)uap->uid;
887 	gid = (uint32_t)uap->gid;
888 
889 	au_uwrite(au_to_arg32(3, "new file uid", uid));
890 	au_uwrite(au_to_arg32(4, "new file gid", gid));
891 }
892 
893 /* chmod start function */
894 /*ARGSUSED*/
895 static void
896 aus_chmod(struct t_audit_data *tad)
897 {
898 	klwp_t *clwp = ttolwp(curthread);
899 	uint32_t fmode;
900 
901 	struct a {
902 		long	fname;		/* char	* */
903 		long	fmode;
904 	} *uap = (struct a *)clwp->lwp_ap;
905 
906 	fmode = (uint32_t)uap->fmode;
907 
908 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
909 }
910 
911 /* chmod start function */
912 /*ARGSUSED*/
913 static void
914 aus_fchmod(struct t_audit_data *tad)
915 {
916 	klwp_t *clwp = ttolwp(curthread);
917 	uint32_t fmode, fd;
918 	struct file  *fp;
919 	struct vnode *vp;
920 	struct f_audit_data *fad;
921 
922 	struct a {
923 		long	fd;
924 		long	fmode;
925 	} *uap = (struct a *)clwp->lwp_ap;
926 
927 	fd = (uint32_t)uap->fd;
928 	fmode = (uint32_t)uap->fmode;
929 
930 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
931 
932 		/*
933 		 * convert file pointer to file descriptor
934 		 *   Note: fd ref count incremented here.
935 		 */
936 	if ((fp = getf(fd)) == NULL)
937 		return;
938 
939 		/* get path from file struct here */
940 	fad = F2A(fp);
941 	if (fad->fad_aupath != NULL) {
942 		au_uwrite(au_to_path(fad->fad_aupath));
943 	} else {
944 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
945 	}
946 
947 	vp = fp->f_vnode;
948 	audit_attributes(vp);
949 
950 	/* decrement file descriptor reference count */
951 	releasef(fd);
952 }
953 
954 /*
955  * convert open mode to appropriate open event
956  */
957 au_event_t
958 open_event(uint_t fm)
959 {
960 	au_event_t e;
961 
962 	switch (fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) {
963 	case O_RDONLY:
964 		e = AUE_OPEN_R;
965 		break;
966 	case O_RDONLY | O_CREAT:
967 		e = AUE_OPEN_RC;
968 		break;
969 	case O_RDONLY | O_TRUNC:
970 		e = AUE_OPEN_RT;
971 		break;
972 	case O_RDONLY | O_TRUNC | O_CREAT:
973 		e = AUE_OPEN_RTC;
974 		break;
975 	case O_WRONLY:
976 		e = AUE_OPEN_W;
977 		break;
978 	case O_WRONLY | O_CREAT:
979 		e = AUE_OPEN_WC;
980 		break;
981 	case O_WRONLY | O_TRUNC:
982 		e = AUE_OPEN_WT;
983 		break;
984 	case O_WRONLY | O_TRUNC | O_CREAT:
985 		e = AUE_OPEN_WTC;
986 		break;
987 	case O_RDWR:
988 		e = AUE_OPEN_RW;
989 		break;
990 	case O_RDWR | O_CREAT:
991 		e = AUE_OPEN_RWC;
992 		break;
993 	case O_RDWR | O_TRUNC:
994 		e = AUE_OPEN_RWT;
995 		break;
996 	case O_RDWR | O_TRUNC | O_CREAT:
997 		e = AUE_OPEN_RWTC;
998 		break;
999 	default:
1000 		e = AUE_NULL;
1001 		break;
1002 	}
1003 
1004 	return (e);
1005 }
1006 
1007 /* ARGSUSED */
1008 static au_event_t
1009 aui_open(au_event_t e)
1010 {
1011 	klwp_t *clwp = ttolwp(curthread);
1012 	uint_t fm;
1013 
1014 	struct a {
1015 		long	fnamep;		/* char	* */
1016 		long	fmode;
1017 		long	cmode;
1018 	} *uap = (struct a *)clwp->lwp_ap;
1019 
1020 	fm = (uint_t)uap->fmode;
1021 
1022 	return (open_event(fm));
1023 }
1024 
1025 static void
1026 aus_open(struct t_audit_data *tad)
1027 {
1028 	klwp_t *clwp = ttolwp(curthread);
1029 	uint_t fm;
1030 
1031 	struct a {
1032 		long	fnamep;		/* char	* */
1033 		long	fmode;
1034 		long	cmode;
1035 	} *uap = (struct a *)clwp->lwp_ap;
1036 
1037 	fm = (uint_t)uap->fmode;
1038 
1039 	/* If no write, create, or trunc modes, mark as a public op */
1040 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1041 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1042 }
1043 
1044 /* ARGSUSED */
1045 static au_event_t
1046 aui_openat(au_event_t e)
1047 {
1048 	t_audit_data_t *tad = T2A(curthread);
1049 	klwp_t *clwp = ttolwp(curthread);
1050 	uint_t fm;
1051 
1052 	struct a {
1053 		long	filedes;
1054 		long	fnamep;		/* char	* */
1055 		long	fmode;
1056 		long	cmode;
1057 	} *uap = (struct a *)clwp->lwp_ap;
1058 
1059 	fm = (uint_t)uap->fmode;
1060 
1061 	/*
1062 	 * __openattrdirat() does an extra pathname lookup in order to
1063 	 * enter the extended system attribute namespace of the referenced
1064 	 * extended attribute filename.
1065 	 */
1066 	if (fm & FXATTRDIROPEN)
1067 		tad->tad_ctrl |= TAD_MLD;
1068 
1069 	return (open_event(fm));
1070 }
1071 
1072 static void
1073 aus_openat(struct t_audit_data *tad)
1074 {
1075 	klwp_t *clwp = ttolwp(curthread);
1076 	uint_t fm;
1077 
1078 	struct a {
1079 		long	filedes;
1080 		long	fnamep;		/* char	* */
1081 		long	fmode;
1082 		long	cmode;
1083 	} *uap = (struct a *)clwp->lwp_ap;
1084 
1085 	fm = (uint_t)uap->fmode;
1086 
1087 	/* If no write, create, or trunc modes, mark as a public op */
1088 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1089 		tad->tad_ctrl |= TAD_PUBLIC_EV;
1090 }
1091 
1092 static au_event_t
1093 aui_unlinkat(au_event_t e)
1094 {
1095 	klwp_t *clwp = ttolwp(curthread);
1096 
1097 	struct a {
1098 		long	filedes;
1099 		long	fnamep;		/* char	* */
1100 		long	flags;
1101 	} *uap = (struct a *)clwp->lwp_ap;
1102 
1103 	if (uap->flags & AT_REMOVEDIR)
1104 		e = AUE_RMDIR;
1105 	else
1106 		e = AUE_UNLINK;
1107 
1108 	return (e);
1109 }
1110 
1111 static au_event_t
1112 aui_fstatat(au_event_t e)
1113 {
1114 	klwp_t *clwp = ttolwp(curthread);
1115 
1116 	struct a {
1117 		long	filedes;
1118 		long	fnamep;		/* char	* */
1119 		long	statb;
1120 		long	flags;
1121 	} *uap = (struct a *)clwp->lwp_ap;
1122 
1123 	if (uap->fnamep == NULL)
1124 		e = AUE_FSTAT;
1125 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1126 		e = AUE_LSTAT;
1127 	else
1128 		e = AUE_STAT;
1129 
1130 	return (e);
1131 }
1132 
1133 /* msgsys */
1134 static au_event_t
1135 aui_msgsys(au_event_t e)
1136 {
1137 	klwp_t *clwp = ttolwp(curthread);
1138 	uint_t fm;
1139 
1140 	struct a {
1141 		long	id;	/* function code id */
1142 		long	ap;	/* arg pointer for recvmsg */
1143 	} *uap = (struct a *)clwp->lwp_ap;
1144 
1145 	struct b {
1146 		long	msgid;
1147 		long	cmd;
1148 		long	buf;	/* struct msqid_ds * */
1149 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1150 
1151 	fm  = (uint_t)uap->id;
1152 
1153 	switch (fm) {
1154 	case 0:		/* msgget */
1155 		e = AUE_MSGGET;
1156 		break;
1157 	case 1:		/* msgctl */
1158 		switch ((uint_t)uap1->cmd) {
1159 		case IPC_RMID:
1160 			e = AUE_MSGCTL_RMID;
1161 			break;
1162 		case IPC_SET:
1163 			e = AUE_MSGCTL_SET;
1164 			break;
1165 		case IPC_STAT:
1166 			e = AUE_MSGCTL_STAT;
1167 			break;
1168 		default:
1169 			e = AUE_MSGCTL;
1170 			break;
1171 		}
1172 		break;
1173 	case 2:		/* msgrcv */
1174 		e = AUE_MSGRCV;
1175 		break;
1176 	case 3:		/* msgsnd */
1177 		e = AUE_MSGSND;
1178 		break;
1179 	default:	/* illegal system call */
1180 		e = AUE_NULL;
1181 		break;
1182 	}
1183 
1184 	return (e);
1185 }
1186 
1187 
1188 /* shmsys */
1189 static au_event_t
1190 aui_shmsys(au_event_t e)
1191 {
1192 	klwp_t *clwp = ttolwp(curthread);
1193 	int fm;
1194 
1195 	struct a {		/* shmsys */
1196 		long	id;	/* function code id */
1197 	} *uap = (struct a *)clwp->lwp_ap;
1198 
1199 	struct b {		/* ctrl */
1200 		long	shmid;
1201 		long	cmd;
1202 		long	arg;		/* struct shmid_ds * */
1203 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1204 	fm  = (uint_t)uap->id;
1205 
1206 	switch (fm) {
1207 	case 0:		/* shmat */
1208 		e = AUE_SHMAT;
1209 		break;
1210 	case 1:		/* shmctl */
1211 		switch ((uint_t)uap1->cmd) {
1212 		case IPC_RMID:
1213 			e = AUE_SHMCTL_RMID;
1214 			break;
1215 		case IPC_SET:
1216 			e = AUE_SHMCTL_SET;
1217 			break;
1218 		case IPC_STAT:
1219 			e = AUE_SHMCTL_STAT;
1220 			break;
1221 		default:
1222 			e = AUE_SHMCTL;
1223 			break;
1224 		}
1225 		break;
1226 	case 2:		/* shmdt */
1227 		e = AUE_SHMDT;
1228 		break;
1229 	case 3:		/* shmget */
1230 		e = AUE_SHMGET;
1231 		break;
1232 	default:	/* illegal system call */
1233 		e = AUE_NULL;
1234 		break;
1235 	}
1236 
1237 	return (e);
1238 }
1239 
1240 
1241 /* semsys */
1242 static au_event_t
1243 aui_semsys(au_event_t e)
1244 {
1245 	klwp_t *clwp = ttolwp(curthread);
1246 	uint_t fm;
1247 
1248 	struct a {		/* semsys */
1249 		long	id;
1250 	} *uap = (struct a *)clwp->lwp_ap;
1251 
1252 	struct b {		/* ctrl */
1253 		long	semid;
1254 		long	semnum;
1255 		long	cmd;
1256 		long	arg;
1257 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1258 
1259 	fm = (uint_t)uap->id;
1260 
1261 	switch (fm) {
1262 	case 0:		/* semctl */
1263 		switch ((uint_t)uap1->cmd) {
1264 		case IPC_RMID:
1265 			e = AUE_SEMCTL_RMID;
1266 			break;
1267 		case IPC_SET:
1268 			e = AUE_SEMCTL_SET;
1269 			break;
1270 		case IPC_STAT:
1271 			e = AUE_SEMCTL_STAT;
1272 			break;
1273 		case GETNCNT:
1274 			e = AUE_SEMCTL_GETNCNT;
1275 			break;
1276 		case GETPID:
1277 			e = AUE_SEMCTL_GETPID;
1278 			break;
1279 		case GETVAL:
1280 			e = AUE_SEMCTL_GETVAL;
1281 			break;
1282 		case GETALL:
1283 			e = AUE_SEMCTL_GETALL;
1284 			break;
1285 		case GETZCNT:
1286 			e = AUE_SEMCTL_GETZCNT;
1287 			break;
1288 		case SETVAL:
1289 			e = AUE_SEMCTL_SETVAL;
1290 			break;
1291 		case SETALL:
1292 			e = AUE_SEMCTL_SETALL;
1293 			break;
1294 		default:
1295 			e = AUE_SEMCTL;
1296 			break;
1297 		}
1298 		break;
1299 	case 1:		/* semget */
1300 		e = AUE_SEMGET;
1301 		break;
1302 	case 2:		/* semop */
1303 		e = AUE_SEMOP;
1304 		break;
1305 	default:	/* illegal system call */
1306 		e = AUE_NULL;
1307 		break;
1308 	}
1309 
1310 	return (e);
1311 }
1312 
1313 /* utssys - uname(2), ustat(2), fusers(2) */
1314 static au_event_t
1315 aui_utssys(au_event_t e)
1316 {
1317 	klwp_t *clwp = ttolwp(curthread);
1318 	uint_t type;
1319 
1320 	struct a {
1321 		union {
1322 			long	cbuf;		/* char * */
1323 			long	ubuf;		/* struct stat * */
1324 		} ub;
1325 		union {
1326 			long	mv;	/* for USTAT */
1327 			long	flags;	/* for FUSERS */
1328 		} un;
1329 		long	type;
1330 		long	outbp;		/* char * for FUSERS */
1331 	} *uap = (struct a *)clwp->lwp_ap;
1332 
1333 	type = (uint_t)uap->type;
1334 
1335 	if (type == UTS_FUSERS)
1336 		return (e);
1337 	else
1338 		return ((au_event_t)AUE_NULL);
1339 }
1340 
1341 static au_event_t
1342 aui_fcntl(au_event_t e)
1343 {
1344 	klwp_t *clwp = ttolwp(curthread);
1345 	uint_t cmd;
1346 
1347 	struct a {
1348 		long	fdes;
1349 		long	cmd;
1350 		long	arg;
1351 	} *uap = (struct a *)clwp->lwp_ap;
1352 
1353 	cmd = (uint_t)uap->cmd;
1354 
1355 	switch (cmd) {
1356 	case F_GETLK:
1357 	case F_SETLK:
1358 	case F_SETLKW:
1359 		break;
1360 	case F_SETFL:
1361 	case F_GETFL:
1362 	case F_GETFD:
1363 		break;
1364 	default:
1365 		e = (au_event_t)AUE_NULL;
1366 		break;
1367 	}
1368 	return ((au_event_t)e);
1369 }
1370 
1371 /* null function for now */
1372 static au_event_t
1373 aui_execve(au_event_t e)
1374 {
1375 	return (e);
1376 }
1377 
1378 /*ARGSUSED*/
1379 static void
1380 aus_fcntl(struct t_audit_data *tad)
1381 {
1382 	klwp_t *clwp = ttolwp(curthread);
1383 	uint32_t cmd, fd, flags;
1384 	struct file  *fp;
1385 	struct vnode *vp;
1386 	struct f_audit_data *fad;
1387 
1388 	struct a {
1389 		long	fd;
1390 		long	cmd;
1391 		long	arg;
1392 	} *uap = (struct a *)clwp->lwp_ap;
1393 
1394 	cmd	= (uint32_t)uap->cmd;
1395 	fd	= (uint32_t)uap->fd;
1396 	flags	= (uint32_t)uap->arg;
1397 
1398 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1399 
1400 	if (cmd == F_SETFL)
1401 		au_uwrite(au_to_arg32(3, "flags", flags));
1402 
1403 		/*
1404 		 * convert file pointer to file descriptor
1405 		 *   Note: fd ref count incremented here.
1406 		 */
1407 	if ((fp = getf(fd)) == NULL)
1408 		return;
1409 
1410 	/* get path from file struct here */
1411 	fad = F2A(fp);
1412 	if (fad->fad_aupath != NULL) {
1413 		au_uwrite(au_to_path(fad->fad_aupath));
1414 	} else {
1415 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1416 	}
1417 
1418 	vp = fp->f_vnode;
1419 	audit_attributes(vp);
1420 
1421 	/* decrement file descriptor reference count */
1422 	releasef(fd);
1423 }
1424 
1425 /*ARGSUSED*/
1426 static void
1427 aus_kill(struct t_audit_data *tad)
1428 {
1429 	klwp_t *clwp = ttolwp(curthread);
1430 	struct proc *p;
1431 	uint32_t signo;
1432 	uid_t uid, ruid;
1433 	gid_t gid, rgid;
1434 	pid_t pid;
1435 	const auditinfo_addr_t *ainfo;
1436 	cred_t *cr;
1437 
1438 	struct a {
1439 		long	pid;
1440 		long	signo;
1441 	} *uap = (struct a *)clwp->lwp_ap;
1442 
1443 	pid   = (pid_t)uap->pid;
1444 	signo = (uint32_t)uap->signo;
1445 
1446 	au_uwrite(au_to_arg32(2, "signal", signo));
1447 	if (pid > 0) {
1448 		mutex_enter(&pidlock);
1449 		if (((p = prfind(pid)) == (struct proc *)0) ||
1450 		    (p->p_stat == SIDL)) {
1451 			mutex_exit(&pidlock);
1452 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1453 			return;
1454 		}
1455 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1456 		mutex_exit(&pidlock);
1457 
1458 		mutex_enter(&p->p_crlock);
1459 		crhold(cr = p->p_cred);
1460 		mutex_exit(&p->p_crlock);
1461 		mutex_exit(&p->p_lock);
1462 
1463 		ainfo = crgetauinfo(cr);
1464 		if (ainfo == NULL) {
1465 			crfree(cr);
1466 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1467 			return;
1468 		}
1469 
1470 		uid  = crgetuid(cr);
1471 		gid  = crgetgid(cr);
1472 		ruid = crgetruid(cr);
1473 		rgid = crgetrgid(cr);
1474 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1475 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1476 
1477 		if (is_system_labeled())
1478 			au_uwrite(au_to_label(CR_SL(cr)));
1479 
1480 		crfree(cr);
1481 	}
1482 	else
1483 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1484 }
1485 
1486 /*ARGSUSED*/
1487 static void
1488 aus_mkdir(struct t_audit_data *tad)
1489 {
1490 	klwp_t *clwp = ttolwp(curthread);
1491 	uint32_t dmode;
1492 
1493 	struct a {
1494 		long	dirnamep;		/* char * */
1495 		long	dmode;
1496 	} *uap = (struct a *)clwp->lwp_ap;
1497 
1498 	dmode = (uint32_t)uap->dmode;
1499 
1500 	au_uwrite(au_to_arg32(2, "mode", dmode));
1501 }
1502 
1503 /*ARGSUSED*/
1504 static void
1505 aus_mknod(struct t_audit_data *tad)
1506 {
1507 	klwp_t *clwp = ttolwp(curthread);
1508 	uint32_t fmode;
1509 	dev_t dev;
1510 
1511 	struct a {
1512 		long	pnamep;		/* char * */
1513 		long	fmode;
1514 		long	dev;
1515 	} *uap = (struct a *)clwp->lwp_ap;
1516 
1517 	fmode = (uint32_t)uap->fmode;
1518 	dev   = (dev_t)uap->dev;
1519 
1520 	au_uwrite(au_to_arg32(2, "mode", fmode));
1521 #ifdef _LP64
1522 	au_uwrite(au_to_arg64(3, "dev", dev));
1523 #else
1524 	au_uwrite(au_to_arg32(3, "dev", dev));
1525 #endif
1526 }
1527 
1528 /*ARGSUSED*/
1529 static void
1530 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1531 {
1532 	klwp_t *clwp = ttolwp(curthread);
1533 	vnode_t	*dvp;
1534 	caddr_t pnamep;
1535 
1536 	struct a {
1537 		long	pnamep;		/* char * */
1538 		long	fmode;
1539 		long	dev;
1540 	} *uap = (struct a *)clwp->lwp_ap;
1541 
1542 	/* no error, then already path token in audit record */
1543 	if (error != EPERM)
1544 		return;
1545 
1546 	/* not auditing this event, nothing then to do */
1547 	if (tad->tad_flag == 0)
1548 		return;
1549 
1550 	/* do the lookup to force generation of path token */
1551 	pnamep = (caddr_t)uap->pnamep;
1552 	tad->tad_ctrl |= TAD_NOATTRB;
1553 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1554 	if (error == 0)
1555 		VN_RELE(dvp);
1556 }
1557 
1558 /*ARGSUSED*/
1559 static void
1560 aus_mount(struct t_audit_data *tad)
1561 {	/* AUS_START */
1562 	klwp_t *clwp = ttolwp(curthread);
1563 	uint32_t flags;
1564 	uintptr_t u_fstype, dataptr;
1565 	STRUCT_DECL(nfs_args, nfsargs);
1566 	size_t len;
1567 	char *fstype, *hostname;
1568 
1569 	struct a {
1570 		long	spec;		/* char    * */
1571 		long	dir;		/* char    * */
1572 		long	flags;
1573 		long	fstype;		/* char    * */
1574 		long	dataptr;	/* char    * */
1575 		long	datalen;
1576 	} *uap = (struct a *)clwp->lwp_ap;
1577 
1578 	u_fstype = (uintptr_t)uap->fstype;
1579 	flags    = (uint32_t)uap->flags;
1580 	dataptr  = (uintptr_t)uap->dataptr;
1581 
1582 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1583 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1584 		goto mount_free_fstype;
1585 
1586 	au_uwrite(au_to_arg32(3, "flags", flags));
1587 	au_uwrite(au_to_text(fstype));
1588 
1589 	if (strncmp(fstype, "nfs", 3) == 0) {
1590 
1591 		STRUCT_INIT(nfsargs, get_udatamodel());
1592 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1593 
1594 		if (copyin((caddr_t)dataptr,
1595 				STRUCT_BUF(nfsargs),
1596 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1597 			/* DEBUG debug_enter((char *)NULL); */
1598 			goto mount_free_fstype;
1599 		}
1600 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1601 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1602 				(caddr_t)hostname,
1603 				MAXNAMELEN, &len)) {
1604 			goto mount_free_hostname;
1605 		}
1606 		au_uwrite(au_to_text(hostname));
1607 		au_uwrite(au_to_arg32(3, "internal flags",
1608 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1609 
1610 mount_free_hostname:
1611 		kmem_free(hostname, MAXNAMELEN);
1612 	}
1613 
1614 mount_free_fstype:
1615 	kmem_free(fstype, MAXNAMELEN);
1616 }	/* AUS_MOUNT */
1617 
1618 static void
1619 aus_umount_path(caddr_t umount_dir)
1620 {
1621 	char			*dir_path;
1622 	struct audit_path	*path;
1623 	size_t			path_len, dir_len;
1624 
1625 	/* length alloc'd for two string pointers */
1626 	path_len = sizeof (struct audit_path) + sizeof (char *);
1627 	path = kmem_alloc(path_len, KM_SLEEP);
1628 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1629 
1630 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1631 	    MAXPATHLEN, &dir_len))
1632 		goto umount2_free_dir;
1633 
1634 	/*
1635 	 * the audit_path struct assumes that the buffer pointed to
1636 	 * by audp_sect[n] contains string 0 immediatedly followed
1637 	 * by string 1.
1638 	 */
1639 	path->audp_sect[0] = dir_path;
1640 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1641 	path->audp_size = path_len;
1642 	path->audp_ref = 1;		/* not used */
1643 	path->audp_cnt = 1;		/* one path string */
1644 
1645 	au_uwrite(au_to_path(path));
1646 
1647 umount2_free_dir:
1648 	kmem_free(dir_path, MAXPATHLEN);
1649 	kmem_free(path, path_len);
1650 }
1651 
1652 /*ARGSUSED*/
1653 static void
1654 aus_umount2(struct t_audit_data *tad)
1655 {
1656 	klwp_t			*clwp = ttolwp(curthread);
1657 	struct a {
1658 		long	dir;		/* char    * */
1659 		long	flags;
1660 	} *uap = (struct a *)clwp->lwp_ap;
1661 
1662 	aus_umount_path((caddr_t)uap->dir);
1663 
1664 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1665 }
1666 
1667 static void
1668 aus_msgsys(struct t_audit_data *tad)
1669 {
1670 	klwp_t *clwp = ttolwp(curthread);
1671 	uint32_t msgid;
1672 
1673 	struct b {
1674 		long	msgid;
1675 		long	cmd;
1676 		long	buf;		/* struct msqid_ds * */
1677 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1678 
1679 	msgid = (uint32_t)uap1->msgid;
1680 
1681 
1682 	switch (tad->tad_event) {
1683 	case AUE_MSGGET:		/* msgget */
1684 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1685 		break;
1686 	case AUE_MSGCTL:		/* msgctl */
1687 	case AUE_MSGCTL_RMID:		/* msgctl */
1688 	case AUE_MSGCTL_SET:		/* msgctl */
1689 	case AUE_MSGCTL_STAT:		/* msgctl */
1690 	case AUE_MSGRCV:		/* msgrcv */
1691 	case AUE_MSGSND:		/* msgsnd */
1692 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1693 		break;
1694 	}
1695 }
1696 
1697 /*ARGSUSED*/
1698 static void
1699 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1700 {
1701 	int id;
1702 
1703 	if (error != 0)
1704 		return;
1705 	if (tad->tad_event == AUE_MSGGET) {
1706 		uint32_t scid;
1707 		uint32_t sy_flags;
1708 
1709 		/* need to determine type of executing binary */
1710 		scid = tad->tad_scid;
1711 #ifdef _SYSCALL32_IMPL
1712 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1713 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1714 		else
1715 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1716 #else
1717 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1718 #endif
1719 		if (sy_flags == SE_32RVAL1)
1720 			id = rval->r_val1;
1721 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1722 			id = rval->r_val1;
1723 		if (sy_flags == SE_64RVAL)
1724 			id = (int)rval->r_vals;
1725 
1726 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1727 	}
1728 }
1729 
1730 static void
1731 aus_semsys(struct t_audit_data *tad)
1732 {
1733 	klwp_t *clwp = ttolwp(curthread);
1734 	uint32_t semid;
1735 
1736 	struct b {		/* ctrl */
1737 		long	semid;
1738 		long	semnum;
1739 		long	cmd;
1740 		long	arg;
1741 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1742 
1743 	semid = (uint32_t)uap1->semid;
1744 
1745 	switch (tad->tad_event) {
1746 	case AUE_SEMCTL_RMID:
1747 	case AUE_SEMCTL_STAT:
1748 	case AUE_SEMCTL_GETNCNT:
1749 	case AUE_SEMCTL_GETPID:
1750 	case AUE_SEMCTL_GETVAL:
1751 	case AUE_SEMCTL_GETALL:
1752 	case AUE_SEMCTL_GETZCNT:
1753 	case AUE_SEMCTL_SET:
1754 	case AUE_SEMCTL_SETVAL:
1755 	case AUE_SEMCTL_SETALL:
1756 	case AUE_SEMCTL:
1757 	case AUE_SEMOP:
1758 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1759 		break;
1760 	case AUE_SEMGET:
1761 		au_uwrite(au_to_arg32(1, "sem key", semid));
1762 		break;
1763 	}
1764 }
1765 
1766 /*ARGSUSED*/
1767 static void
1768 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1769 {
1770 	int id;
1771 
1772 	if (error != 0)
1773 		return;
1774 	if (tad->tad_event == AUE_SEMGET) {
1775 		uint32_t scid;
1776 		uint32_t sy_flags;
1777 
1778 		/* need to determine type of executing binary */
1779 		scid = tad->tad_scid;
1780 #ifdef _SYSCALL32_IMPL
1781 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1782 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1783 		else
1784 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1785 #else
1786 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1787 #endif
1788 		if (sy_flags == SE_32RVAL1)
1789 			id = rval->r_val1;
1790 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1791 			id = rval->r_val1;
1792 		if (sy_flags == SE_64RVAL)
1793 			id = (int)rval->r_vals;
1794 
1795 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1796 	}
1797 }
1798 
1799 /*ARGSUSED*/
1800 static void
1801 aus_close(struct t_audit_data *tad)
1802 {
1803 	klwp_t *clwp = ttolwp(curthread);
1804 	uint32_t fd;
1805 	struct file *fp;
1806 	struct f_audit_data *fad;
1807 	struct vnode *vp;
1808 	struct vattr attr;
1809 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1810 
1811 	struct a {
1812 		long	i;
1813 	} *uap = (struct a *)clwp->lwp_ap;
1814 
1815 	fd = (uint32_t)uap->i;
1816 
1817 	attr.va_mask = 0;
1818 	au_uwrite(au_to_arg32(1, "fd", fd));
1819 
1820 		/*
1821 		 * convert file pointer to file descriptor
1822 		 *   Note: fd ref count incremented here.
1823 		 */
1824 	if ((fp = getf(fd)) == NULL)
1825 		return;
1826 
1827 	fad = F2A(fp);
1828 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1829 	if (fad->fad_aupath != NULL) {
1830 		au_uwrite(au_to_path(fad->fad_aupath));
1831 		if ((vp = fp->f_vnode) != NULL) {
1832 			attr.va_mask = AT_ALL;
1833 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1834 				/*
1835 				 * When write was not used and the file can be
1836 				 * considered public, skip the audit.
1837 				 */
1838 				if (((fp->f_flag & FWRITE) == 0) &&
1839 				    object_is_public(&attr)) {
1840 					tad->tad_flag = 0;
1841 					tad->tad_evmod = 0;
1842 					/* free any residual audit data */
1843 					au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1844 					releasef(fd);
1845 					return;
1846 				}
1847 				au_uwrite(au_to_attr(&attr));
1848 				audit_sec_attributes(&(u_ad), vp);
1849 			}
1850 		}
1851 	}
1852 
1853 	/* decrement file descriptor reference count */
1854 	releasef(fd);
1855 }
1856 
1857 /*ARGSUSED*/
1858 static void
1859 aus_fstatfs(struct t_audit_data *tad)
1860 {
1861 	klwp_t *clwp = ttolwp(curthread);
1862 	uint32_t fd;
1863 	struct file  *fp;
1864 	struct vnode *vp;
1865 	struct f_audit_data *fad;
1866 
1867 	struct a {
1868 		long	fd;
1869 		long	buf;		/* struct statfs * */
1870 	} *uap = (struct a *)clwp->lwp_ap;
1871 
1872 	fd = (uint_t)uap->fd;
1873 
1874 		/*
1875 		 * convert file pointer to file descriptor
1876 		 *   Note: fd ref count incremented here.
1877 		 */
1878 	if ((fp = getf(fd)) == NULL)
1879 		return;
1880 
1881 		/* get path from file struct here */
1882 	fad = F2A(fp);
1883 	if (fad->fad_aupath != NULL) {
1884 		au_uwrite(au_to_path(fad->fad_aupath));
1885 	} else {
1886 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1887 	}
1888 
1889 	vp = fp->f_vnode;
1890 	audit_attributes(vp);
1891 
1892 	/* decrement file descriptor reference count */
1893 	releasef(fd);
1894 }
1895 
1896 static au_event_t
1897 aui_setpgrp(au_event_t e)
1898 {
1899 	klwp_t *clwp = ttolwp(curthread);
1900 	int flag;
1901 
1902 	struct a {
1903 		long	flag;
1904 		long	pid;
1905 		long	pgid;
1906 	} *uap = (struct a *)clwp->lwp_ap;
1907 
1908 	flag = (int)uap->flag;
1909 
1910 
1911 	switch (flag) {
1912 
1913 	case 1:	/* setpgrp() */
1914 		e = AUE_SETPGRP;
1915 		break;
1916 
1917 	case 3: /* setsid() */
1918 		e = AUE_SETSID;
1919 		break;
1920 
1921 	case 5: /* setpgid() */
1922 		e = AUE_SETPGID;
1923 		break;
1924 
1925 	case 0: /* getpgrp()	- not security relevant */
1926 	case 2: /* getsid()	- not security relevant */
1927 	case 4: /* getpgid() 	- not security relevant */
1928 		e = AUE_NULL;
1929 		break;
1930 
1931 	default:
1932 		e = AUE_NULL;
1933 		break;
1934 	}
1935 
1936 	return (e);
1937 }
1938 
1939 /*ARGSUSED*/
1940 static void
1941 aus_setpgrp(struct t_audit_data *tad)
1942 {
1943 	klwp_t		*clwp = ttolwp(curthread);
1944 	pid_t		pgid;
1945 	struct proc	*p;
1946 	uid_t		uid, ruid;
1947 	gid_t		gid, rgid;
1948 	pid_t		pid;
1949 	cred_t		*cr;
1950 	int		flag;
1951 	const auditinfo_addr_t	*ainfo;
1952 
1953 	struct a {
1954 		long	flag;
1955 		long	pid;
1956 		long	pgid;
1957 	} *uap = (struct a *)clwp->lwp_ap;
1958 
1959 	flag = (int)uap->flag;
1960 	pid  = (pid_t)uap->pid;
1961 	pgid = (pid_t)uap->pgid;
1962 
1963 
1964 	switch (flag) {
1965 
1966 	case 0: /* getpgrp() */
1967 	case 1: /* setpgrp() */
1968 	case 2: /* getsid() */
1969 	case 3: /* setsid() */
1970 	case 4: /* getpgid() */
1971 		break;
1972 
1973 	case 5: /* setpgid() */
1974 
1975 		/* current process? */
1976 		if (pid == 0) {
1977 			return;
1978 		}
1979 
1980 		mutex_enter(&pidlock);
1981 		p = prfind(pid);
1982 		if (p == NULL || p->p_as == &kas ||
1983 		    p->p_stat == SIDL || p->p_stat == SZOMB) {
1984 			mutex_exit(&pidlock);
1985 			return;
1986 		}
1987 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
1988 		mutex_exit(&pidlock);
1989 
1990 		mutex_enter(&p->p_crlock);
1991 		crhold(cr = p->p_cred);
1992 		mutex_exit(&p->p_crlock);
1993 		mutex_exit(&p->p_lock);
1994 
1995 		ainfo = crgetauinfo(cr);
1996 		if (ainfo == NULL) {
1997 			crfree(cr);
1998 			return;
1999 		}
2000 
2001 		uid  = crgetuid(cr);
2002 		gid  = crgetgid(cr);
2003 		ruid = crgetruid(cr);
2004 		rgid = crgetrgid(cr);
2005 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2006 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2007 		crfree(cr);
2008 		au_uwrite(au_to_arg32(2, "pgid", pgid));
2009 		break;
2010 
2011 	default:
2012 		break;
2013 	}
2014 }
2015 
2016 
2017 /*ARGSUSED*/
2018 static void
2019 aus_setregid(struct t_audit_data *tad)
2020 {
2021 	klwp_t *clwp = ttolwp(curthread);
2022 	uint32_t rgid, egid;
2023 
2024 	struct a {
2025 		long	 rgid;
2026 		long	 egid;
2027 	} *uap = (struct a *)clwp->lwp_ap;
2028 
2029 	rgid  = (uint32_t)uap->rgid;
2030 	egid  = (uint32_t)uap->egid;
2031 
2032 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2033 	au_uwrite(au_to_arg32(2, "egid", egid));
2034 }
2035 
2036 /*ARGSUSED*/
2037 static void
2038 aus_setgid(struct t_audit_data *tad)
2039 {
2040 	klwp_t *clwp = ttolwp(curthread);
2041 	uint32_t gid;
2042 
2043 	struct a {
2044 		long	gid;
2045 	} *uap = (struct a *)clwp->lwp_ap;
2046 
2047 	gid = (uint32_t)uap->gid;
2048 
2049 	au_uwrite(au_to_arg32(1, "gid", gid));
2050 }
2051 
2052 
2053 /*ARGSUSED*/
2054 static void
2055 aus_setreuid(struct t_audit_data *tad)
2056 {
2057 	klwp_t *clwp = ttolwp(curthread);
2058 	uint32_t ruid, euid;
2059 
2060 	struct a {
2061 		long	ruid;
2062 		long	euid;
2063 	} *uap = (struct a *)clwp->lwp_ap;
2064 
2065 	ruid = (uint32_t)uap->ruid;
2066 	euid  = (uint32_t)uap->euid;
2067 
2068 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2069 	au_uwrite(au_to_arg32(2, "euid", euid));
2070 }
2071 
2072 
2073 /*ARGSUSED*/
2074 static void
2075 aus_setuid(struct t_audit_data *tad)
2076 {
2077 	klwp_t *clwp = ttolwp(curthread);
2078 	uint32_t uid;
2079 
2080 	struct a {
2081 		long	uid;
2082 	} *uap = (struct a *)clwp->lwp_ap;
2083 
2084 	uid = (uint32_t)uap->uid;
2085 
2086 	au_uwrite(au_to_arg32(1, "uid", uid));
2087 }
2088 
2089 /*ARGSUSED*/
2090 static void
2091 aus_shmsys(struct t_audit_data *tad)
2092 {
2093 	klwp_t *clwp = ttolwp(curthread);
2094 	uint32_t id, cmd;
2095 
2096 	struct b {
2097 		long	id;
2098 		long	cmd;
2099 		long	buf;		/* struct shmid_ds * */
2100 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2101 
2102 	id  = (uint32_t)uap1->id;
2103 	cmd = (uint32_t)uap1->cmd;
2104 
2105 	switch (tad->tad_event) {
2106 	case AUE_SHMGET:			/* shmget */
2107 		au_uwrite(au_to_arg32(1, "shm key", id));
2108 		break;
2109 	case AUE_SHMCTL:			/* shmctl */
2110 	case AUE_SHMCTL_RMID:			/* shmctl */
2111 	case AUE_SHMCTL_STAT:			/* shmctl */
2112 	case AUE_SHMCTL_SET:			/* shmctl */
2113 		au_uwrite(au_to_arg32(1, "shm ID", id));
2114 		break;
2115 	case AUE_SHMDT:				/* shmdt */
2116 		au_uwrite(au_to_arg32(1, "shm adr", id));
2117 		break;
2118 	case AUE_SHMAT:				/* shmat */
2119 		au_uwrite(au_to_arg32(1, "shm ID", id));
2120 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2121 		break;
2122 	}
2123 }
2124 
2125 /*ARGSUSED*/
2126 static void
2127 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2128 {
2129 	int id;
2130 
2131 	if (error != 0)
2132 		return;
2133 	if (tad->tad_event == AUE_SHMGET) {
2134 		uint32_t scid;
2135 		uint32_t sy_flags;
2136 
2137 		/* need to determine type of executing binary */
2138 		scid = tad->tad_scid;
2139 #ifdef _SYSCALL32_IMPL
2140 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2141 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2142 		else
2143 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2144 #else
2145 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2146 #endif
2147 		if (sy_flags == SE_32RVAL1)
2148 			id = rval->r_val1;
2149 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2150 			id = rval->r_val1;
2151 		if (sy_flags == SE_64RVAL)
2152 			id = (int)rval->r_vals;
2153 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2154 	}
2155 }
2156 
2157 
2158 /*ARGSUSED*/
2159 static void
2160 aus_ioctl(struct t_audit_data *tad)
2161 {
2162 	klwp_t *clwp = ttolwp(curthread);
2163 	struct file *fp;
2164 	struct vnode *vp;
2165 	struct f_audit_data *fad;
2166 	uint32_t fd, cmd;
2167 	uintptr_t cmarg;
2168 
2169 	/* XX64 */
2170 	struct a {
2171 		long	fd;
2172 		long	cmd;
2173 		long	cmarg;		/* caddr_t */
2174 	} *uap = (struct a *)clwp->lwp_ap;
2175 
2176 	fd    = (uint32_t)uap->fd;
2177 	cmd   = (uint32_t)uap->cmd;
2178 	cmarg = (uintptr_t)uap->cmarg;
2179 
2180 		/*
2181 		 * convert file pointer to file descriptor
2182 		 *   Note: fd ref count incremented here.
2183 		 */
2184 	if ((fp = getf(fd)) == NULL) {
2185 		au_uwrite(au_to_arg32(1, "fd", fd));
2186 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2187 #ifndef _LP64
2188 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2189 #else
2190 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2191 #endif
2192 		return;
2193 	}
2194 
2195 	/* get path from file struct here */
2196 	fad = F2A(fp);
2197 	if (fad->fad_aupath != NULL) {
2198 		au_uwrite(au_to_path(fad->fad_aupath));
2199 	} else {
2200 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2201 	}
2202 
2203 	vp = fp->f_vnode;
2204 	audit_attributes(vp);
2205 
2206 	/* decrement file descriptor reference count */
2207 	releasef(fd);
2208 
2209 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2210 #ifndef _LP64
2211 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2212 #else
2213 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2214 #endif
2215 }
2216 
2217 /*
2218  * null function for memcntl for now. We might want to limit memcntl()
2219  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2220  * require privileges.
2221  */
2222 static au_event_t
2223 aui_memcntl(au_event_t e)
2224 {
2225 	return (e);
2226 }
2227 
2228 /*ARGSUSED*/
2229 static au_event_t
2230 aui_privsys(au_event_t e)
2231 {
2232 	klwp_t *clwp = ttolwp(curthread);
2233 
2234 	struct a {
2235 		long	opcode;
2236 	} *uap = (struct a *)clwp->lwp_ap;
2237 
2238 	switch (uap->opcode) {
2239 	case PRIVSYS_SETPPRIV:
2240 		return (AUE_SETPPRIV);
2241 	default:
2242 		return (AUE_NULL);
2243 	}
2244 }
2245 
2246 /*ARGSUSED*/
2247 static void
2248 aus_memcntl(struct t_audit_data *tad)
2249 {
2250 	klwp_t *clwp = ttolwp(curthread);
2251 
2252 	struct a {
2253 		long	addr;
2254 		long	len;
2255 		long	cmd;
2256 		long	arg;
2257 		long	attr;
2258 		long	mask;
2259 	} *uap = (struct a *)clwp->lwp_ap;
2260 
2261 #ifdef _LP64
2262 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2263 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2264 #else
2265 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2266 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2267 #endif
2268 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2269 #ifdef _LP64
2270 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2271 #else
2272 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2273 #endif
2274 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2275 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2276 }
2277 
2278 /*ARGSUSED*/
2279 static void
2280 aus_mmap(struct t_audit_data *tad)
2281 {
2282 	klwp_t *clwp = ttolwp(curthread);
2283 	struct file *fp;
2284 	struct f_audit_data *fad;
2285 	struct vnode *vp;
2286 	uint32_t fd;
2287 
2288 	struct a {
2289 		long	addr;
2290 		long	len;
2291 		long	prot;
2292 		long	flags;
2293 		long	fd;
2294 		long	pos;
2295 	} *uap = (struct a *)clwp->lwp_ap;
2296 
2297 	fd = (uint32_t)uap->fd;
2298 
2299 #ifdef _LP64
2300 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2301 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2302 #else
2303 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2304 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2305 #endif
2306 
2307 	if ((fp = getf(fd)) == NULL) {
2308 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2309 		return;
2310 	}
2311 
2312 	/*
2313 	 * Mark in the tad if write access is NOT requested... if
2314 	 * this is later detected (in audit_attributes) to be a
2315 	 * public object, the mmap event may be discarded.
2316 	 */
2317 	if (((uap->prot) & PROT_WRITE) == 0) {
2318 		tad->tad_ctrl |= TAD_PUBLIC_EV;
2319 	}
2320 
2321 	fad = F2A(fp);
2322 	if (fad->fad_aupath != NULL) {
2323 		au_uwrite(au_to_path(fad->fad_aupath));
2324 	} else {
2325 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2326 	}
2327 
2328 	vp = (struct vnode *)fp->f_vnode;
2329 	audit_attributes(vp);
2330 
2331 	/* mark READ/WRITE since we can't predict access */
2332 	if (uap->prot & PROT_READ)
2333 		fad->fad_flags |= FAD_READ;
2334 	if (uap->prot & PROT_WRITE)
2335 		fad->fad_flags |= FAD_WRITE;
2336 
2337 	/* decrement file descriptor reference count */
2338 	releasef(fd);
2339 
2340 }	/* AUS_MMAP */
2341 
2342 
2343 
2344 
2345 /*ARGSUSED*/
2346 static void
2347 aus_munmap(struct t_audit_data *tad)
2348 {
2349 	klwp_t *clwp = ttolwp(curthread);
2350 
2351 	struct a {
2352 		long	addr;
2353 		long	len;
2354 	} *uap = (struct a *)clwp->lwp_ap;
2355 
2356 #ifdef _LP64
2357 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2358 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2359 #else
2360 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2361 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2362 #endif
2363 
2364 }	/* AUS_MUNMAP */
2365 
2366 
2367 
2368 
2369 
2370 
2371 
2372 /*ARGSUSED*/
2373 static void
2374 aus_priocntlsys(struct t_audit_data *tad)
2375 {
2376 	klwp_t *clwp = ttolwp(curthread);
2377 
2378 	struct a {
2379 		long	pc_version;
2380 		long	psp;		/* procset_t */
2381 		long	cmd;
2382 		long	arg;
2383 	} *uap = (struct a *)clwp->lwp_ap;
2384 
2385 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2386 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2387 
2388 }	/* AUS_PRIOCNTLSYS */
2389 
2390 
2391 /*ARGSUSED*/
2392 static void
2393 aus_setegid(struct t_audit_data *tad)
2394 {
2395 	klwp_t *clwp = ttolwp(curthread);
2396 	uint32_t gid;
2397 
2398 	struct a {
2399 		long	gid;
2400 	} *uap = (struct a *)clwp->lwp_ap;
2401 
2402 	gid = (uint32_t)uap->gid;
2403 
2404 	au_uwrite(au_to_arg32(1, "gid", gid));
2405 }	/* AUS_SETEGID */
2406 
2407 
2408 
2409 
2410 /*ARGSUSED*/
2411 static void
2412 aus_setgroups(struct t_audit_data *tad)
2413 {
2414 	klwp_t *clwp = ttolwp(curthread);
2415 	int i;
2416 	int gidsetsize;
2417 	uintptr_t gidset;
2418 	gid_t *gidlist;
2419 
2420 	struct a {
2421 		long	gidsetsize;
2422 		long	gidset;
2423 	} *uap = (struct a *)clwp->lwp_ap;
2424 
2425 	gidsetsize = (uint_t)uap->gidsetsize;
2426 	gidset = (uintptr_t)uap->gidset;
2427 
2428 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2429 		return;
2430 	if (gidsetsize != 0) {
2431 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2432 		    KM_SLEEP);
2433 		if (copyin((caddr_t)gidset, gidlist,
2434 		    gidsetsize * sizeof (gid_t)) == 0)
2435 			for (i = 0; i < gidsetsize; i++)
2436 				au_uwrite(au_to_arg32(1, "setgroups",
2437 				    (uint32_t)gidlist[i]));
2438 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2439 	} else
2440 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2441 
2442 }	/* AUS_SETGROUPS */
2443 
2444 
2445 
2446 
2447 
2448 /*ARGSUSED*/
2449 static void
2450 aus_seteuid(struct t_audit_data *tad)
2451 {
2452 	klwp_t *clwp = ttolwp(curthread);
2453 	uint32_t uid;
2454 
2455 	struct a {
2456 		long	uid;
2457 	} *uap = (struct a *)clwp->lwp_ap;
2458 
2459 	uid = (uint32_t)uap->uid;
2460 
2461 	au_uwrite(au_to_arg32(1, "euid", uid));
2462 
2463 }	/* AUS_SETEUID */
2464 
2465 /*ARGSUSED*/
2466 static void
2467 aus_putmsg(struct t_audit_data *tad)
2468 {
2469 	klwp_t *clwp = ttolwp(curthread);
2470 	uint32_t fd, pri;
2471 	struct file *fp;
2472 	struct f_audit_data *fad;
2473 
2474 	struct a {
2475 		long	fdes;
2476 		long	ctl;		/* struct strbuf * */
2477 		long	data;		/* struct strbuf * */
2478 		long	pri;
2479 	} *uap = (struct a *)clwp->lwp_ap;
2480 
2481 	fd  = (uint32_t)uap->fdes;
2482 	pri = (uint32_t)uap->pri;
2483 
2484 	au_uwrite(au_to_arg32(1, "fd", fd));
2485 
2486 	if ((fp = getf(fd)) != NULL) {
2487 		fad = F2A(fp);
2488 
2489 		fad->fad_flags |= FAD_WRITE;
2490 
2491 		/* add path name to audit record */
2492 		if (fad->fad_aupath != NULL) {
2493 			au_uwrite(au_to_path(fad->fad_aupath));
2494 		}
2495 		audit_attributes(fp->f_vnode);
2496 
2497 		releasef(fd);
2498 	}
2499 
2500 	au_uwrite(au_to_arg32(4, "pri", pri));
2501 }
2502 
2503 /*ARGSUSED*/
2504 static void
2505 aus_putpmsg(struct t_audit_data *tad)
2506 {
2507 	klwp_t *clwp = ttolwp(curthread);
2508 	uint32_t fd, pri, flags;
2509 	struct file *fp;
2510 	struct f_audit_data *fad;
2511 
2512 	struct a {
2513 		long	fdes;
2514 		long	ctl;		/* struct strbuf * */
2515 		long	data;		/* struct strbuf * */
2516 		long	pri;
2517 		long	flags;
2518 	} *uap = (struct a *)clwp->lwp_ap;
2519 
2520 	fd = (uint32_t)uap->fdes;
2521 	pri  = (uint32_t)uap->pri;
2522 	flags  = (uint32_t)uap->flags;
2523 
2524 	au_uwrite(au_to_arg32(1, "fd", fd));
2525 
2526 	if ((fp = getf(fd)) != NULL) {
2527 		fad = F2A(fp);
2528 
2529 		fad->fad_flags |= FAD_WRITE;
2530 
2531 		/* add path name to audit record */
2532 		if (fad->fad_aupath != NULL) {
2533 			au_uwrite(au_to_path(fad->fad_aupath));
2534 		}
2535 		audit_attributes(fp->f_vnode);
2536 
2537 		releasef(fd);
2538 	}
2539 
2540 
2541 	au_uwrite(au_to_arg32(4, "pri", pri));
2542 	au_uwrite(au_to_arg32(5, "flags", flags));
2543 }
2544 
2545 /*ARGSUSED*/
2546 static void
2547 aus_getmsg(struct t_audit_data *tad)
2548 {
2549 	klwp_t *clwp = ttolwp(curthread);
2550 	uint32_t fd, pri;
2551 	struct file *fp;
2552 	struct f_audit_data *fad;
2553 
2554 	struct a {
2555 		long	fdes;
2556 		long	ctl;		/* struct strbuf * */
2557 		long	data;		/* struct strbuf * */
2558 		long	pri;
2559 	} *uap = (struct a *)clwp->lwp_ap;
2560 
2561 	fd  = (uint32_t)uap->fdes;
2562 	pri = (uint32_t)uap->pri;
2563 
2564 	au_uwrite(au_to_arg32(1, "fd", fd));
2565 
2566 	if ((fp = getf(fd)) != NULL) {
2567 		fad = F2A(fp);
2568 
2569 		/*
2570 		 * read operation on this object
2571 		 */
2572 		fad->fad_flags |= FAD_READ;
2573 
2574 		/* add path name to audit record */
2575 		if (fad->fad_aupath != NULL) {
2576 			au_uwrite(au_to_path(fad->fad_aupath));
2577 		}
2578 		audit_attributes(fp->f_vnode);
2579 
2580 		releasef(fd);
2581 	}
2582 
2583 	au_uwrite(au_to_arg32(4, "pri", pri));
2584 }
2585 
2586 /*ARGSUSED*/
2587 static void
2588 aus_getpmsg(struct t_audit_data *tad)
2589 {
2590 	klwp_t *clwp = ttolwp(curthread);
2591 	uint32_t fd;
2592 	struct file *fp;
2593 	struct f_audit_data *fad;
2594 
2595 	struct a {
2596 		long	fdes;
2597 		long	ctl;		/* struct strbuf * */
2598 		long	data;		/* struct strbuf * */
2599 		long	pri;
2600 		long	flags;
2601 	} *uap = (struct a *)clwp->lwp_ap;
2602 
2603 	fd = (uint32_t)uap->fdes;
2604 
2605 	au_uwrite(au_to_arg32(1, "fd", fd));
2606 
2607 	if ((fp = getf(fd)) != NULL) {
2608 		fad = F2A(fp);
2609 
2610 		/*
2611 		 * read operation on this object
2612 		 */
2613 		fad->fad_flags |= FAD_READ;
2614 
2615 		/* add path name to audit record */
2616 		if (fad->fad_aupath != NULL) {
2617 			au_uwrite(au_to_path(fad->fad_aupath));
2618 		}
2619 		audit_attributes(fp->f_vnode);
2620 
2621 		releasef(fd);
2622 	}
2623 }
2624 
2625 static au_event_t
2626 aui_labelsys(au_event_t e)
2627 {
2628 	klwp_t *clwp = ttolwp(curthread);
2629 	uint32_t code;
2630 	uint32_t cmd;
2631 
2632 	struct a {
2633 		long	code;
2634 		long	cmd;
2635 	} *uap = (struct a *)clwp->lwp_ap;
2636 
2637 	code = (uint32_t)uap->code;
2638 	cmd = (uint32_t)uap->cmd;
2639 
2640 	/* not security relevant if not changing kernel cache */
2641 	if (cmd == TNDB_GET)
2642 		return (AUE_NULL);
2643 
2644 	switch (code) {
2645 	case TSOL_TNRH:
2646 		e = AUE_LABELSYS_TNRH;
2647 		break;
2648 	case TSOL_TNRHTP:
2649 		e = AUE_LABELSYS_TNRHTP;
2650 		break;
2651 	case TSOL_TNMLP:
2652 		e = AUE_LABELSYS_TNMLP;
2653 		break;
2654 	default:
2655 		e = AUE_NULL;
2656 		break;
2657 	}
2658 
2659 	return (e);
2660 
2661 }
2662 
2663 static void
2664 aus_labelsys(struct t_audit_data *tad)
2665 {
2666 	klwp_t *clwp = ttolwp(curthread);
2667 	uint32_t cmd;
2668 	uintptr_t a2;
2669 
2670 	struct a {
2671 		long	code;
2672 		long	cmd;
2673 		long	a2;
2674 	} *uap = (struct a *)clwp->lwp_ap;
2675 
2676 	cmd = (uint32_t)uap->cmd;
2677 	a2 = (uintptr_t)uap->a2;
2678 
2679 	switch (tad->tad_event) {
2680 	case AUE_LABELSYS_TNRH:
2681 	{
2682 		tsol_rhent_t	*rhent;
2683 		tnaddr_t	*rh_addr;
2684 
2685 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2686 
2687 		/* Remaining args don't apply for FLUSH, so skip */
2688 		if (cmd == TNDB_FLUSH)
2689 			break;
2690 
2691 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2692 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2693 			kmem_free(rhent, sizeof (tsol_rhent_t));
2694 			return;
2695 		}
2696 
2697 		rh_addr = &rhent->rh_address;
2698 		if (rh_addr->ta_family == AF_INET) {
2699 			struct in_addr	*ipaddr;
2700 
2701 			ipaddr = &(rh_addr->ta_addr_v4);
2702 			au_uwrite(au_to_in_addr(ipaddr));
2703 		} else if (rh_addr->ta_family == AF_INET6) {
2704 			int32_t		*ipaddr;
2705 
2706 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2707 			au_uwrite(au_to_in_addr_ex(ipaddr));
2708 		}
2709 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2710 
2711 		kmem_free(rhent, sizeof (tsol_rhent_t));
2712 
2713 		break;
2714 	}
2715 	case AUE_LABELSYS_TNRHTP:
2716 	{
2717 		tsol_tpent_t	*tpent;
2718 
2719 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2720 
2721 		/* Remaining args don't apply for FLUSH, so skip */
2722 		if (cmd == TNDB_FLUSH)
2723 			break;
2724 
2725 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2726 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2727 			kmem_free(tpent, sizeof (tsol_tpent_t));
2728 			return;
2729 		}
2730 
2731 		/* Make sure that the template name is null-terminated. */
2732 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2733 
2734 		au_uwrite(au_to_text(tpent->name));
2735 		kmem_free(tpent, sizeof (tsol_tpent_t));
2736 
2737 		break;
2738 	}
2739 	case AUE_LABELSYS_TNMLP:
2740 	{
2741 		tsol_mlpent_t	*mlpent;
2742 
2743 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2744 
2745 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2746 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2747 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2748 			return;
2749 		}
2750 
2751 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2752 			au_uwrite(au_to_text("shared"));
2753 		} else {
2754 			zone_t	*zone;
2755 
2756 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2757 			if (zone != NULL) {
2758 				au_uwrite(au_to_text(zone->zone_name));
2759 				zone_rele(zone);
2760 			}
2761 		}
2762 
2763 		/* Remaining args don't apply for FLUSH, so skip */
2764 		if (cmd == TNDB_FLUSH) {
2765 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2766 			break;
2767 		}
2768 
2769 		au_uwrite(au_to_arg32(2, "proto num",
2770 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2771 		au_uwrite(au_to_arg32(2, "mlp_port",
2772 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2773 
2774 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2775 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2776 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2777 
2778 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2779 
2780 		break;
2781 	}
2782 	default:
2783 		break;
2784 	}
2785 }
2786 
2787 
2788 static au_event_t
2789 aui_auditsys(au_event_t e)
2790 {
2791 	klwp_t *clwp = ttolwp(curthread);
2792 	uint32_t code;
2793 
2794 	struct a {
2795 		long	code;
2796 		long	a1;
2797 		long	a2;
2798 		long	a3;
2799 		long	a4;
2800 		long	a5;
2801 		long	a6;
2802 		long	a7;
2803 	} *uap = (struct a *)clwp->lwp_ap;
2804 
2805 	code = (uint32_t)uap->code;
2806 
2807 	switch (code) {
2808 
2809 	case BSM_GETAUID:
2810 		e = AUE_GETAUID;
2811 		break;
2812 	case BSM_SETAUID:
2813 		e = AUE_SETAUID;
2814 		break;
2815 	case BSM_GETAUDIT:
2816 		e = AUE_GETAUDIT;
2817 		break;
2818 	case BSM_GETAUDIT_ADDR:
2819 		e = AUE_GETAUDIT_ADDR;
2820 		break;
2821 	case BSM_SETAUDIT:
2822 		e = AUE_SETAUDIT;
2823 		break;
2824 	case BSM_SETAUDIT_ADDR:
2825 		e = AUE_SETAUDIT_ADDR;
2826 		break;
2827 	case BSM_AUDIT:
2828 		e = AUE_AUDIT;
2829 		break;
2830 	case BSM_AUDITCTL:
2831 		switch ((uint_t)uap->a1) {
2832 
2833 		case A_GETPOLICY:
2834 			e = AUE_AUDITON_GPOLICY;
2835 			break;
2836 		case A_SETPOLICY:
2837 			e = AUE_AUDITON_SPOLICY;
2838 			break;
2839 		case A_GETKMASK:
2840 			e = AUE_AUDITON_GETKMASK;
2841 			break;
2842 		case A_SETKMASK:
2843 			e = AUE_AUDITON_SETKMASK;
2844 			break;
2845 		case A_GETQCTRL:
2846 			e = AUE_AUDITON_GQCTRL;
2847 			break;
2848 		case A_SETQCTRL:
2849 			e = AUE_AUDITON_SQCTRL;
2850 			break;
2851 		case A_GETCWD:
2852 			e = AUE_AUDITON_GETCWD;
2853 			break;
2854 		case A_GETCAR:
2855 			e = AUE_AUDITON_GETCAR;
2856 			break;
2857 		case A_GETSTAT:
2858 			e = AUE_AUDITON_GETSTAT;
2859 			break;
2860 		case A_SETSTAT:
2861 			e = AUE_AUDITON_SETSTAT;
2862 			break;
2863 		case A_SETUMASK:
2864 			e = AUE_AUDITON_SETUMASK;
2865 			break;
2866 		case A_SETSMASK:
2867 			e = AUE_AUDITON_SETSMASK;
2868 			break;
2869 		case A_GETCOND:
2870 			e = AUE_AUDITON_GETCOND;
2871 			break;
2872 		case A_SETCOND:
2873 			e = AUE_AUDITON_SETCOND;
2874 			break;
2875 		case A_GETCLASS:
2876 			e = AUE_AUDITON_GETCLASS;
2877 			break;
2878 		case A_SETCLASS:
2879 			e = AUE_AUDITON_SETCLASS;
2880 			break;
2881 		default:
2882 			e = AUE_NULL;
2883 			break;
2884 		}
2885 		break;
2886 	default:
2887 		e = AUE_NULL;
2888 		break;
2889 	}
2890 
2891 	return (e);
2892 
2893 }	/* AUI_AUDITSYS */
2894 
2895 
2896 static void
2897 aus_auditsys(struct t_audit_data *tad)
2898 {
2899 	klwp_t *clwp = ttolwp(curthread);
2900 	uintptr_t a1, a2;
2901 	STRUCT_DECL(auditinfo, ainfo);
2902 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2903 	au_evclass_map_t event;
2904 	au_mask_t mask;
2905 	int auditstate, policy;
2906 	au_id_t auid;
2907 
2908 
2909 	struct a {
2910 		long	code;
2911 		long	a1;
2912 		long	a2;
2913 		long	a3;
2914 		long	a4;
2915 		long	a5;
2916 		long	a6;
2917 		long	a7;
2918 	} *uap = (struct a *)clwp->lwp_ap;
2919 
2920 	a1   = (uintptr_t)uap->a1;
2921 	a2   = (uintptr_t)uap->a2;
2922 
2923 	switch (tad->tad_event) {
2924 	case AUE_SETAUID:
2925 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2926 				return;
2927 		au_uwrite(au_to_arg32(2, "setauid", auid));
2928 		break;
2929 	case AUE_SETAUDIT:
2930 		STRUCT_INIT(ainfo, get_udatamodel());
2931 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2932 		    STRUCT_SIZE(ainfo))) {
2933 				return;
2934 		}
2935 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2936 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2937 #ifdef _LP64
2938 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2939 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2940 #else
2941 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2942 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2943 #endif
2944 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2945 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2946 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2947 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2948 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2949 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2950 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2951 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2952 		break;
2953 	case AUE_SETAUDIT_ADDR:
2954 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2955 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2956 		    STRUCT_SIZE(ainfo_addr))) {
2957 				return;
2958 		}
2959 		au_uwrite(au_to_arg32((char)1, "auid",
2960 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2961 #ifdef _LP64
2962 		au_uwrite(au_to_arg64((char)1, "port",
2963 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2964 #else
2965 		au_uwrite(au_to_arg32((char)1, "port",
2966 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2967 #endif
2968 		au_uwrite(au_to_arg32((char)1, "type",
2969 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2970 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2971 		    AU_IPv4) {
2972 			au_uwrite(au_to_in_addr(
2973 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2974 			    ai_termid.at_addr)));
2975 		} else {
2976 			au_uwrite(au_to_in_addr_ex(
2977 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
2978 			    ai_termid.at_addr)));
2979 		}
2980 		au_uwrite(au_to_arg32((char)1, "as_success",
2981 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2982 		au_uwrite(au_to_arg32((char)1, "as_failure",
2983 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2984 		au_uwrite(au_to_arg32((char)1, "asid",
2985 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2986 		break;
2987 	case AUE_AUDITON_SETKMASK:
2988 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2989 				return;
2990 		au_uwrite(au_to_arg32(
2991 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
2992 		au_uwrite(au_to_arg32(
2993 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2994 		break;
2995 	case AUE_AUDITON_SPOLICY:
2996 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2997 			return;
2998 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2999 		break;
3000 	case AUE_AUDITON_SQCTRL: {
3001 		STRUCT_DECL(au_qctrl, qctrl);
3002 		model_t model;
3003 
3004 		model = get_udatamodel();
3005 		STRUCT_INIT(qctrl, model);
3006 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3007 				return;
3008 		if (model == DATAMODEL_ILP32) {
3009 			au_uwrite(au_to_arg32(
3010 			    3, "setqctrl:aq_hiwater",
3011 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3012 			au_uwrite(au_to_arg32(
3013 			    3, "setqctrl:aq_lowater",
3014 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3015 			au_uwrite(au_to_arg32(
3016 			    3, "setqctrl:aq_bufsz",
3017 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3018 			au_uwrite(au_to_arg32(
3019 			    3, "setqctrl:aq_delay",
3020 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3021 		} else {
3022 			au_uwrite(au_to_arg64(
3023 			    3, "setqctrl:aq_hiwater",
3024 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3025 			au_uwrite(au_to_arg64(
3026 			    3, "setqctrl:aq_lowater",
3027 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3028 			au_uwrite(au_to_arg64(
3029 			    3, "setqctrl:aq_bufsz",
3030 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3031 			au_uwrite(au_to_arg64(
3032 			    3, "setqctrl:aq_delay",
3033 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3034 		}
3035 		break;
3036 	}
3037 	case AUE_AUDITON_SETUMASK:
3038 		STRUCT_INIT(ainfo, get_udatamodel());
3039 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3040 		    STRUCT_SIZE(ainfo))) {
3041 			return;
3042 		}
3043 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3044 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3045 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3046 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3047 		break;
3048 	case AUE_AUDITON_SETSMASK:
3049 		STRUCT_INIT(ainfo, get_udatamodel());
3050 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3051 		    STRUCT_SIZE(ainfo))) {
3052 			return;
3053 		}
3054 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3055 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3056 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3057 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3058 		break;
3059 	case AUE_AUDITON_SETCOND:
3060 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3061 			return;
3062 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3063 		break;
3064 	case AUE_AUDITON_SETCLASS:
3065 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3066 			return;
3067 		au_uwrite(au_to_arg32(
3068 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3069 		au_uwrite(au_to_arg32(
3070 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3071 		break;
3072 	case AUE_GETAUID:
3073 	case AUE_GETAUDIT:
3074 	case AUE_GETAUDIT_ADDR:
3075 	case AUE_AUDIT:
3076 	case AUE_AUDITON_GPOLICY:
3077 	case AUE_AUDITON_GQCTRL:
3078 	case AUE_AUDITON_GETKMASK:
3079 	case AUE_AUDITON_GETCWD:
3080 	case AUE_AUDITON_GETCAR:
3081 	case AUE_AUDITON_GETSTAT:
3082 	case AUE_AUDITON_SETSTAT:
3083 	case AUE_AUDITON_GETCOND:
3084 	case AUE_AUDITON_GETCLASS:
3085 		break;
3086 	default:
3087 		break;
3088 	}
3089 
3090 }	/* AUS_AUDITSYS */
3091 
3092 
3093 /* only audit privileged operations for systeminfo(2) system call */
3094 static au_event_t
3095 aui_sysinfo(au_event_t e)
3096 {
3097 	klwp_t *clwp = ttolwp(curthread);
3098 	uint32_t command;
3099 
3100 	struct a {
3101 		long	command;
3102 		long	buf;		/* char * */
3103 		long	count;
3104 	} *uap = (struct a *)clwp->lwp_ap;
3105 
3106 	command = (uint32_t)uap->command;
3107 
3108 	switch (command) {
3109 	case SI_SET_HOSTNAME:
3110 	case SI_SET_SRPC_DOMAIN:
3111 		e = (au_event_t)AUE_SYSINFO;
3112 		break;
3113 	default:
3114 		e = (au_event_t)AUE_NULL;
3115 		break;
3116 	}
3117 	return (e);
3118 }
3119 
3120 /*ARGSUSED*/
3121 static void
3122 aus_sysinfo(struct t_audit_data *tad)
3123 {
3124 	klwp_t *clwp = ttolwp(curthread);
3125 	uint32_t command;
3126 	size_t len, maxlen;
3127 	char *name;
3128 	uintptr_t buf;
3129 
3130 	struct a {
3131 		long	command;
3132 		long	buf;		/* char * */
3133 		long	count;
3134 	} *uap = (struct a *)clwp->lwp_ap;
3135 
3136 	command = (uint32_t)uap->command;
3137 	buf = (uintptr_t)uap->buf;
3138 
3139 	au_uwrite(au_to_arg32(1, "cmd", command));
3140 
3141 	switch (command) {
3142 	case SI_SET_HOSTNAME:
3143 	{
3144 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3145 			return;
3146 
3147 		maxlen = SYS_NMLN;
3148 		name = kmem_alloc(maxlen, KM_SLEEP);
3149 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3150 			break;
3151 
3152 		/*
3153 		 * Must be non-NULL string and string
3154 		 * must be less than SYS_NMLN chars.
3155 		 */
3156 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3157 			break;
3158 
3159 		au_uwrite(au_to_text(name));
3160 		break;
3161 	}
3162 
3163 	case SI_SET_SRPC_DOMAIN:
3164 	{
3165 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3166 			return;
3167 
3168 		maxlen = SYS_NMLN;
3169 		name = kmem_alloc(maxlen, KM_SLEEP);
3170 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3171 			break;
3172 
3173 		/*
3174 		 * If string passed in is longer than length
3175 		 * allowed for domain name, fail.
3176 		 */
3177 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3178 			break;
3179 
3180 		au_uwrite(au_to_text(name));
3181 		break;
3182 	}
3183 
3184 	default:
3185 		return;
3186 	}
3187 
3188 	kmem_free(name, maxlen);
3189 }
3190 
3191 static au_event_t
3192 aui_modctl(au_event_t e)
3193 {
3194 	klwp_t *clwp = ttolwp(curthread);
3195 	uint_t cmd;
3196 
3197 	struct a {
3198 		long	cmd;
3199 	} *uap = (struct a *)clwp->lwp_ap;
3200 
3201 	cmd = (uint_t)uap->cmd;
3202 
3203 	switch (cmd) {
3204 	case MODLOAD:
3205 		e = AUE_MODLOAD;
3206 		break;
3207 	case MODUNLOAD:
3208 		e = AUE_MODUNLOAD;
3209 		break;
3210 	case MODADDMAJBIND:
3211 		e = AUE_MODADDMAJ;
3212 		break;
3213 	case MODSETDEVPOLICY:
3214 		e = AUE_MODDEVPLCY;
3215 		break;
3216 	case MODALLOCPRIV:
3217 		e = AUE_MODADDPRIV;
3218 		break;
3219 	default:
3220 		e = AUE_NULL;
3221 		break;
3222 	}
3223 	return (e);
3224 }
3225 
3226 
3227 /*ARGSUSED*/
3228 static void
3229 aus_modctl(struct t_audit_data *tad)
3230 {
3231 	klwp_t *clwp = ttolwp(curthread);
3232 	void *a	= clwp->lwp_ap;
3233 	uint_t use_path;
3234 
3235 	switch (tad->tad_event) {
3236 	case AUE_MODLOAD: {
3237 		typedef struct {
3238 			long	cmd;
3239 			long	use_path;
3240 			long	filename;		/* char * */
3241 		} modloada_t;
3242 
3243 		char *filenamep;
3244 		uintptr_t fname;
3245 		extern char *default_path;
3246 
3247 		fname = (uintptr_t)((modloada_t *)a)->filename;
3248 		use_path = (uint_t)((modloada_t *)a)->use_path;
3249 
3250 			/* space to hold path */
3251 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3252 			/* get string */
3253 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3254 				/* free allocated path */
3255 			kmem_free(filenamep, MOD_MAXPATH);
3256 			return;
3257 		}
3258 			/* ensure it's null terminated */
3259 		filenamep[MOD_MAXPATH - 1] = 0;
3260 
3261 		if (use_path)
3262 			au_uwrite(au_to_text(default_path));
3263 		au_uwrite(au_to_text(filenamep));
3264 
3265 			/* release temporary memory */
3266 		kmem_free(filenamep, MOD_MAXPATH);
3267 		break;
3268 	}
3269 	case AUE_MODUNLOAD: {
3270 		typedef struct {
3271 			long	cmd;
3272 			long	id;
3273 		} modunloada_t;
3274 
3275 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3276 
3277 		au_uwrite(au_to_arg32(1, "id", id));
3278 		break;
3279 	}
3280 	case AUE_MODADDMAJ: {
3281 		STRUCT_DECL(modconfig, mc);
3282 		typedef struct {
3283 			long	cmd;
3284 			long	subcmd;
3285 			long	data;		/* int * */
3286 		} modconfiga_t;
3287 
3288 		STRUCT_DECL(aliases, alias);
3289 		caddr_t ap;
3290 		int i, num_aliases;
3291 		char *drvname, *mc_drvname;
3292 		char *name;
3293 		extern char *ddi_major_to_name(major_t);
3294 		model_t model;
3295 
3296 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3297 
3298 		model = get_udatamodel();
3299 		STRUCT_INIT(mc, model);
3300 			/* sanitize buffer */
3301 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3302 			/* get user arguments */
3303 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3304 		    STRUCT_SIZE(mc)) != 0)
3305 			return;
3306 
3307 		mc_drvname = STRUCT_FGET(mc, drvname);
3308 		if ((drvname = ddi_major_to_name(
3309 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3310 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3311 				/* safety */
3312 			if (mc_drvname[0] != '\0') {
3313 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3314 				au_uwrite(au_to_text(mc_drvname));
3315 			}
3316 				/* drvname != NULL from test above */
3317 			au_uwrite(au_to_text(drvname));
3318 			return;
3319 		}
3320 
3321 		if (mc_drvname[0] != '\0') {
3322 				/* safety */
3323 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3324 			au_uwrite(au_to_text(mc_drvname));
3325 		} else
3326 			au_uwrite(au_to_text("no drvname"));
3327 
3328 		num_aliases = STRUCT_FGET(mc, num_aliases);
3329 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3330 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3331 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3332 		STRUCT_INIT(alias, model);
3333 		for (i = 0; i < num_aliases; i++) {
3334 			bzero((caddr_t)STRUCT_BUF(alias),
3335 			    STRUCT_SIZE(alias));
3336 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3337 			    STRUCT_SIZE(alias)) != 0)
3338 				break;
3339 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3340 			    MAXMODCONFNAME, NULL) != 0) {
3341 				break;
3342 			}
3343 
3344 			au_uwrite(au_to_text(name));
3345 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3346 		}
3347 		kmem_free(name, MAXMODCONFNAME);
3348 		break;
3349 	}
3350 	default:
3351 		break;
3352 	}
3353 }
3354 
3355 
3356 /*ARGSUSED*/
3357 static void
3358 auf_accept(
3359 	struct t_audit_data *tad,
3360 	int	error,
3361 	rval_t	*rval)
3362 {
3363 	uint32_t scid;
3364 	uint32_t sy_flags;
3365 	int fd;
3366 	struct sonode *so;
3367 	char so_laddr[sizeof (struct sockaddr_in6)];
3368 	char so_faddr[sizeof (struct sockaddr_in6)];
3369 	int err;
3370 	short so_family, so_type;
3371 	int add_sock_token = 0;
3372 
3373 	/* need to determine type of executing binary */
3374 	scid = tad->tad_scid;
3375 #ifdef _SYSCALL32_IMPL
3376 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3377 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3378 	else
3379 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3380 #else
3381 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3382 #endif
3383 	if (sy_flags == SE_32RVAL1)
3384 		fd = rval->r_val1;
3385 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3386 		fd = rval->r_val1;
3387 	if (sy_flags == SE_64RVAL)
3388 		fd = (int)rval->r_vals;
3389 
3390 	if (error) {
3391 		/* can't trust socket contents. Just return */
3392 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3393 		return;
3394 	}
3395 
3396 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3397 		/*
3398 		 * not security relevant if doing a accept from non socket
3399 		 * so no extra tokens. Should probably turn off audit record
3400 		 * generation here.
3401 		 */
3402 		return;
3403 	}
3404 
3405 	so_family = so->so_family;
3406 	so_type   = so->so_type;
3407 
3408 	switch (so_family) {
3409 	case AF_INET:
3410 	case AF_INET6:
3411 		/*
3412 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3413 		 */
3414 		if (so->so_type == SOCK_STREAM) {
3415 			socklen_t len;
3416 
3417 			bzero((void *)so_laddr, sizeof (so_laddr));
3418 			bzero((void *)so_faddr, sizeof (so_faddr));
3419 
3420 			len = sizeof (so_laddr);
3421 			(void) socket_getsockname(so,
3422 			    (struct sockaddr *)so_laddr, &len, CRED());
3423 			len = sizeof (so_faddr);
3424 			(void) socket_getpeername(so,
3425 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3426 
3427 			add_sock_token = 1;
3428 		}
3429 		break;
3430 
3431 	default:
3432 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3433 		break;
3434 	}
3435 
3436 	releasef(fd);
3437 
3438 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3439 
3440 	if (add_sock_token == 0) {
3441 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3442 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3443 		return;
3444 	}
3445 
3446 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3447 
3448 }
3449 
3450 /*ARGSUSED*/
3451 static void
3452 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3453 {
3454 	struct a {
3455 		long	fd;
3456 		long	addr;
3457 		long	len;
3458 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3459 
3460 	struct sonode *so;
3461 	char so_laddr[sizeof (struct sockaddr_in6)];
3462 	char so_faddr[sizeof (struct sockaddr_in6)];
3463 	int err, fd;
3464 	socklen_t len;
3465 	short so_family, so_type;
3466 	int add_sock_token = 0;
3467 
3468 	fd = (int)uap->fd;
3469 
3470 	/*
3471 	 * bind failed, then nothing extra to add to audit record.
3472 	 */
3473 	if (error) {
3474 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3475 		/* XXX may want to add failed address some day */
3476 		return;
3477 	}
3478 
3479 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3480 		/*
3481 		 * not security relevant if doing a bind from non socket
3482 		 * so no extra tokens. Should probably turn off audit record
3483 		 * generation here.
3484 		 */
3485 		return;
3486 	}
3487 
3488 	so_family = so->so_family;
3489 	so_type   = so->so_type;
3490 
3491 	switch (so_family) {
3492 	case AF_INET:
3493 	case AF_INET6:
3494 
3495 		bzero(so_faddr, sizeof (so_faddr));
3496 		len = sizeof (so_faddr);
3497 
3498 		(void) socket_getpeername(so,
3499 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3500 		add_sock_token = 1;
3501 
3502 		break;
3503 
3504 	case AF_UNIX:
3505 		/* token added by lookup */
3506 		break;
3507 	default:
3508 		/* AF_ROUTE, AF_KEY do not support accept */
3509 		break;
3510 	}
3511 
3512 	releasef(fd);
3513 
3514 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3515 
3516 	if (add_sock_token == 0) {
3517 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3518 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3519 		return;
3520 	}
3521 
3522 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3523 
3524 }
3525 
3526 /*ARGSUSED*/
3527 static void
3528 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3529 {
3530 	struct a {
3531 		long	fd;
3532 		long	addr;
3533 		long	len;
3534 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3535 
3536 	struct sonode *so;
3537 	char so_laddr[sizeof (struct sockaddr_in6)];
3538 	char so_faddr[sizeof (struct sockaddr_in6)];
3539 	int err, fd;
3540 	socklen_t len;
3541 	short so_family, so_type;
3542 	int add_sock_token = 0;
3543 
3544 	fd = (int)uap->fd;
3545 
3546 
3547 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3548 		/*
3549 		 * not security relevant if doing a connect from non socket
3550 		 * so no extra tokens. Should probably turn off audit record
3551 		 * generation here.
3552 		 */
3553 		return;
3554 	}
3555 
3556 	so_family = so->so_family;
3557 	so_type   = so->so_type;
3558 
3559 	switch (so_family) {
3560 	case AF_INET:
3561 	case AF_INET6:
3562 
3563 		bzero(so_laddr, sizeof (so_laddr));
3564 		bzero(so_faddr, sizeof (so_faddr));
3565 
3566 		len = sizeof (so_laddr);
3567 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3568 		    &len, CRED());
3569 		if (error) {
3570 			if (uap->addr == NULL)
3571 				break;
3572 			if (uap->len <= 0)
3573 				break;
3574 			len = min(uap->len, sizeof (so_faddr));
3575 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3576 				break;
3577 #ifdef NOTYET
3578 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3579 #endif
3580 		} else {
3581 			/* sanity check on length */
3582 			len = sizeof (so_faddr);
3583 			(void) socket_getpeername(so,
3584 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3585 		}
3586 
3587 		add_sock_token = 1;
3588 
3589 		break;
3590 
3591 	case AF_UNIX:
3592 		/* does a lookup on name */
3593 		break;
3594 
3595 	default:
3596 		/* AF_ROUTE, AF_KEY do not support accept */
3597 		break;
3598 	}
3599 
3600 	releasef(fd);
3601 
3602 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3603 
3604 	if (add_sock_token == 0) {
3605 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3606 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3607 		return;
3608 	}
3609 
3610 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3611 
3612 }
3613 
3614 /*ARGSUSED*/
3615 static void
3616 aus_shutdown(struct t_audit_data *tad)
3617 {
3618 	struct a {
3619 		long	fd;
3620 		long	how;
3621 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3622 
3623 	struct sonode *so;
3624 	char so_laddr[sizeof (struct sockaddr_in6)];
3625 	char so_faddr[sizeof (struct sockaddr_in6)];
3626 	int err, fd;
3627 	socklen_t len;
3628 	short so_family, so_type;
3629 	int add_sock_token = 0;
3630 	file_t *fp;				/* unix domain sockets */
3631 	struct f_audit_data *fad;		/* unix domain sockets */
3632 
3633 	fd = (int)uap->fd;
3634 
3635 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3636 		/*
3637 		 * not security relevant if doing a shutdown using non socket
3638 		 * so no extra tokens. Should probably turn off audit record
3639 		 * generation here.
3640 		 */
3641 		return;
3642 	}
3643 
3644 	so_family = so->so_family;
3645 	so_type   = so->so_type;
3646 
3647 	switch (so_family) {
3648 	case AF_INET:
3649 	case AF_INET6:
3650 
3651 		bzero(so_laddr, sizeof (so_laddr));
3652 		bzero(so_faddr, sizeof (so_faddr));
3653 
3654 		len = sizeof (so_laddr);
3655 		(void) socket_getsockname(so,
3656 		    (struct sockaddr *)so_laddr, &len, CRED());
3657 		len = sizeof (so_faddr);
3658 		(void) socket_getpeername(so,
3659 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3660 
3661 		add_sock_token = 1;
3662 
3663 		break;
3664 
3665 	case AF_UNIX:
3666 
3667 		/* get path from file struct here */
3668 		fad = F2A(fp);
3669 		ASSERT(fad);
3670 
3671 		if (fad->fad_aupath != NULL) {
3672 			au_uwrite(au_to_path(fad->fad_aupath));
3673 		} else {
3674 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3675 		}
3676 
3677 		audit_attributes(fp->f_vnode);
3678 
3679 		break;
3680 
3681 	default:
3682 		/*
3683 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3684 		 * added.
3685 		 */
3686 		break;
3687 	}
3688 
3689 	releasef(fd);
3690 
3691 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3692 
3693 	if (add_sock_token == 0) {
3694 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3695 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3696 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3697 		return;
3698 	}
3699 
3700 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3701 
3702 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3703 
3704 }
3705 
3706 /*ARGSUSED*/
3707 static void
3708 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3709 {
3710 	struct a {
3711 		long	fd;
3712 		long	level;
3713 		long	optname;
3714 		long	*optval;
3715 		long	optlen;
3716 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3717 
3718 	struct sonode	*so;
3719 	char so_laddr[sizeof (struct sockaddr_in6)];
3720 	char so_faddr[sizeof (struct sockaddr_in6)];
3721 	char		val[AU_BUFSIZE];
3722 	int		err, fd;
3723 	socklen_t	len;
3724 	short so_family, so_type;
3725 	int		add_sock_token = 0;
3726 	file_t *fp;				/* unix domain sockets */
3727 	struct f_audit_data *fad;		/* unix domain sockets */
3728 
3729 	fd = (int)uap->fd;
3730 
3731 	if (error) {
3732 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3733 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3734 		/* XXX may want to include other arguments */
3735 		return;
3736 	}
3737 
3738 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3739 		/*
3740 		 * not security relevant if doing a setsockopt from non socket
3741 		 * so no extra tokens. Should probably turn off audit record
3742 		 * generation here.
3743 		 */
3744 		return;
3745 	}
3746 
3747 	so_family = so->so_family;
3748 	so_type   = so->so_type;
3749 
3750 	switch (so_family) {
3751 	case AF_INET:
3752 	case AF_INET6:
3753 		bzero((void *)so_laddr, sizeof (so_laddr));
3754 		bzero((void *)so_faddr, sizeof (so_faddr));
3755 
3756 		/* get local and foreign addresses */
3757 		len = sizeof (so_laddr);
3758 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3759 		    &len, CRED());
3760 		len = sizeof (so_faddr);
3761 		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3762 		    &len, B_FALSE, CRED());
3763 
3764 		add_sock_token = 1;
3765 
3766 		break;
3767 
3768 	case AF_UNIX:
3769 
3770 		/* get path from file struct here */
3771 		fad = F2A(fp);
3772 		ASSERT(fad);
3773 
3774 		if (fad->fad_aupath != NULL) {
3775 			au_uwrite(au_to_path(fad->fad_aupath));
3776 		} else {
3777 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3778 		}
3779 
3780 		audit_attributes(fp->f_vnode);
3781 
3782 		break;
3783 
3784 	default:
3785 		/*
3786 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3787 		 * added.
3788 		 */
3789 		break;
3790 	}
3791 
3792 	releasef(fd);
3793 
3794 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3795 
3796 	if (add_sock_token == 0) {
3797 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3798 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3799 	}
3800 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3801 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3802 
3803 	bzero(val, sizeof (val));
3804 	len = min(uap->optlen, sizeof (val));
3805 	if ((len > 0) &&
3806 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3807 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3808 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3809 	}
3810 
3811 	if (add_sock_token == 0)
3812 		return;
3813 
3814 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3815 
3816 }
3817 
3818 /*ARGSUSED*/
3819 static void
3820 aus_sockconfig(tad)
3821 	struct t_audit_data *tad;
3822 {
3823 	struct a {
3824 		long	cmd;
3825 		long	arg1;
3826 		long	arg2;
3827 		long	arg3;
3828 		long	arg4;
3829 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3830 
3831 	char	*buf;
3832 	int	buflen;
3833 	size_t	size;
3834 
3835 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
3836 	switch (uap->cmd) {
3837 	case SOCKCONFIG_ADD_SOCK:
3838 	case SOCKCONFIG_REMOVE_SOCK:
3839 		au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
3840 		au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
3841 		au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
3842 
3843 		if (uap->arg4 == 0) {
3844 			au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
3845 		} else {
3846 			buflen = MAXPATHLEN + 1;
3847 			buf = kmem_alloc(buflen, KM_SLEEP);
3848 			if (copyinstr((caddr_t)uap->arg4, buf, buflen,
3849 			    &size)) {
3850 				kmem_free(buf, buflen);
3851 				return;
3852 			}
3853 
3854 			if (size > MAXPATHLEN) {
3855 				kmem_free(buf, buflen);
3856 				return;
3857 			}
3858 
3859 			au_uwrite(au_to_text(buf));
3860 			kmem_free(buf, buflen);
3861 		}
3862 		break;
3863 	case SOCKCONFIG_ADD_FILTER:
3864 	case SOCKCONFIG_REMOVE_FILTER:
3865 		buflen = FILNAME_MAX;
3866 		buf = kmem_alloc(buflen, KM_SLEEP);
3867 
3868 		if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
3869 			kmem_free(buf, buflen);
3870 			return;
3871 		}
3872 
3873 		au_uwrite(au_to_text(buf));
3874 		kmem_free(buf, buflen);
3875 		break;
3876 	default:
3877 		break;
3878 	}
3879 }
3880 
3881 /*
3882  * only audit recvmsg when the system call represents the creation of a new
3883  * circuit. This effectively occurs for all UDP packets and may occur for
3884  * special TCP situations where the local host has not set a local address
3885  * in the socket structure.
3886  */
3887 /*ARGSUSED*/
3888 static void
3889 auf_recvmsg(
3890 	struct t_audit_data *tad,
3891 	int error,
3892 	rval_t *rvp)
3893 {
3894 	struct a {
3895 		long	fd;
3896 		long	msg;	/* struct msghdr */
3897 		long	flags;
3898 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3899 
3900 	struct sonode	*so;
3901 	STRUCT_DECL(msghdr, msg);
3902 	caddr_t msg_name;
3903 	socklen_t msg_namelen;
3904 	int fd;
3905 	int err;
3906 	char so_laddr[sizeof (struct sockaddr_in6)];
3907 	char so_faddr[sizeof (struct sockaddr_in6)];
3908 	socklen_t len;
3909 	file_t *fp;				/* unix domain sockets */
3910 	struct f_audit_data *fad;		/* unix domain sockets */
3911 	short so_family, so_type;
3912 	int add_sock_token = 0;
3913 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3914 
3915 	fd = (int)uap->fd;
3916 
3917 	/* bail if an error */
3918 	if (error) {
3919 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3920 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3921 		return;
3922 	}
3923 
3924 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3925 		/*
3926 		 * not security relevant if doing a recvmsg from non socket
3927 		 * so no extra tokens. Should probably turn off audit record
3928 		 * generation here.
3929 		 */
3930 		return;
3931 	}
3932 
3933 	so_family = so->so_family;
3934 	so_type   = so->so_type;
3935 
3936 	/*
3937 	 * only putout SOCKET_EX token if INET/INET6 family.
3938 	 * XXX - what do we do about other families?
3939 	 */
3940 
3941 	switch (so_family) {
3942 	case AF_INET:
3943 	case AF_INET6:
3944 
3945 		/*
3946 		 * if datagram type socket, then just use what is in
3947 		 * socket structure for local address.
3948 		 * XXX - what do we do for other types?
3949 		 */
3950 		if ((so->so_type == SOCK_DGRAM) ||
3951 		    (so->so_type == SOCK_RAW)) {
3952 			add_sock_token = 1;
3953 
3954 			bzero((void *)so_laddr, sizeof (so_laddr));
3955 			bzero((void *)so_faddr, sizeof (so_faddr));
3956 
3957 			/* get local address */
3958 			len = sizeof (so_laddr);
3959 			(void) socket_getsockname(so,
3960 			    (struct sockaddr *)so_laddr, &len, CRED());
3961 
3962 			/* get peer address */
3963 			STRUCT_INIT(msg, get_udatamodel());
3964 
3965 			if (copyin((caddr_t)(uap->msg),
3966 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3967 				break;
3968 			}
3969 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3970 			if (msg_name == NULL) {
3971 				break;
3972 			}
3973 
3974 			/* length is value from recvmsg - sanity check */
3975 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3976 			if (msg_namelen == 0) {
3977 				break;
3978 			}
3979 			if (copyin(msg_name, so_faddr,
3980 			    sizeof (so_faddr)) != 0) {
3981 				break;
3982 			}
3983 
3984 		} else if (so->so_type == SOCK_STREAM) {
3985 
3986 			/* get path from file struct here */
3987 			fad = F2A(fp);
3988 			ASSERT(fad);
3989 
3990 			/*
3991 			 * already processed this file for read attempt
3992 			 */
3993 			if (fad->fad_flags & FAD_READ) {
3994 				/* don't want to audit every recvmsg attempt */
3995 				tad->tad_flag = 0;
3996 				/* free any residual audit data */
3997 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
3998 				releasef(fd);
3999 				return;
4000 			}
4001 			/*
4002 			 * mark things so we know what happened and don't
4003 			 * repeat things
4004 			 */
4005 			fad->fad_flags |= FAD_READ;
4006 
4007 			bzero((void *)so_laddr, sizeof (so_laddr));
4008 			bzero((void *)so_faddr, sizeof (so_faddr));
4009 
4010 			/* get local and foreign addresses */
4011 			len = sizeof (so_laddr);
4012 			(void) socket_getsockname(so,
4013 			    (struct sockaddr *)so_laddr, &len, CRED());
4014 			len = sizeof (so_faddr);
4015 			(void) socket_getpeername(so,
4016 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4017 
4018 			add_sock_token = 1;
4019 		}
4020 
4021 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4022 
4023 		break;
4024 
4025 	case AF_UNIX:
4026 		/*
4027 		 * first check if this is first time through. Too much
4028 		 * duplicate code to put this in an aui_ routine.
4029 		 */
4030 
4031 		/* get path from file struct here */
4032 		fad = F2A(fp);
4033 		ASSERT(fad);
4034 
4035 		/*
4036 		 * already processed this file for read attempt
4037 		 */
4038 		if (fad->fad_flags & FAD_READ) {
4039 			releasef(fd);
4040 			/* don't want to audit every recvmsg attempt */
4041 			tad->tad_flag = 0;
4042 			/* free any residual audit data */
4043 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4044 			return;
4045 		}
4046 		/*
4047 		 * mark things so we know what happened and don't
4048 		 * repeat things
4049 		 */
4050 		fad->fad_flags |= FAD_READ;
4051 
4052 		if (fad->fad_aupath != NULL) {
4053 			au_uwrite(au_to_path(fad->fad_aupath));
4054 		} else {
4055 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4056 		}
4057 
4058 		audit_attributes(fp->f_vnode);
4059 
4060 		releasef(fd);
4061 
4062 		return;
4063 
4064 	default:
4065 		break;
4066 
4067 	}
4068 
4069 	releasef(fd);
4070 
4071 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4072 
4073 	if (add_sock_token == 0) {
4074 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4075 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4076 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4077 		return;
4078 	}
4079 
4080 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4081 
4082 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4083 
4084 }
4085 
4086 /*ARGSUSED*/
4087 static void
4088 auf_recvfrom(
4089 	struct t_audit_data *tad,
4090 	int error,
4091 	rval_t *rvp)
4092 {
4093 
4094 	struct a {
4095 		long	fd;
4096 		long	msg;	/* char */
4097 		long	len;
4098 		long	flags;
4099 		long	from;	/* struct sockaddr */
4100 		long	fromlen;
4101 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4102 
4103 	socklen_t	fromlen;
4104 	struct sonode	*so;
4105 	char so_laddr[sizeof (struct sockaddr_in6)];
4106 	char so_faddr[sizeof (struct sockaddr_in6)];
4107 	int		fd;
4108 	short so_family, so_type;
4109 	int add_sock_token = 0;
4110 	socklen_t len;
4111 	int err;
4112 	struct file *fp;
4113 	struct f_audit_data *fad;		/* unix domain sockets */
4114 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4115 
4116 	fd = (int)uap->fd;
4117 
4118 	/* bail if an error */
4119 	if (error) {
4120 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4121 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4122 		return;
4123 	}
4124 
4125 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4126 		/*
4127 		 * not security relevant if doing a recvmsg from non socket
4128 		 * so no extra tokens. Should probably turn off audit record
4129 		 * generation here.
4130 		 */
4131 		return;
4132 	}
4133 
4134 	so_family = so->so_family;
4135 	so_type   = so->so_type;
4136 
4137 	/*
4138 	 * only putout SOCKET_EX token if INET/INET6 family.
4139 	 * XXX - what do we do about other families?
4140 	 */
4141 
4142 	switch (so_family) {
4143 	case AF_INET:
4144 	case AF_INET6:
4145 
4146 		/*
4147 		 * if datagram type socket, then just use what is in
4148 		 * socket structure for local address.
4149 		 * XXX - what do we do for other types?
4150 		 */
4151 		if ((so->so_type == SOCK_DGRAM) ||
4152 		    (so->so_type == SOCK_RAW)) {
4153 			add_sock_token = 1;
4154 
4155 			/* get local address */
4156 			len = sizeof (so_laddr);
4157 			(void) socket_getsockname(so,
4158 			    (struct sockaddr *)so_laddr, &len, CRED());
4159 
4160 			/* get peer address */
4161 			bzero((void *)so_faddr, sizeof (so_faddr));
4162 
4163 			/* sanity check */
4164 			if (uap->from == NULL)
4165 				break;
4166 
4167 			/* sanity checks */
4168 			if (uap->fromlen == 0)
4169 				break;
4170 
4171 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4172 			    sizeof (fromlen)) != 0)
4173 				break;
4174 
4175 			if (fromlen == 0)
4176 				break;
4177 
4178 			/* enforce maximum size */
4179 			if (fromlen > sizeof (so_faddr))
4180 				fromlen = sizeof (so_faddr);
4181 
4182 			if (copyin((caddr_t)(uap->from), so_faddr,
4183 			    fromlen) != 0)
4184 				break;
4185 
4186 		} else if (so->so_type == SOCK_STREAM) {
4187 
4188 			/* get path from file struct here */
4189 			fad = F2A(fp);
4190 			ASSERT(fad);
4191 
4192 			/*
4193 			 * already processed this file for read attempt
4194 			 */
4195 			if (fad->fad_flags & FAD_READ) {
4196 				/* don't want to audit every recvfrom attempt */
4197 				tad->tad_flag = 0;
4198 				/* free any residual audit data */
4199 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4200 				releasef(fd);
4201 				return;
4202 			}
4203 			/*
4204 			 * mark things so we know what happened and don't
4205 			 * repeat things
4206 			 */
4207 			fad->fad_flags |= FAD_READ;
4208 
4209 			bzero((void *)so_laddr, sizeof (so_laddr));
4210 			bzero((void *)so_faddr, sizeof (so_faddr));
4211 
4212 			/* get local and foreign addresses */
4213 			len = sizeof (so_laddr);
4214 			(void) socket_getsockname(so,
4215 			    (struct sockaddr *)so_laddr, &len, CRED());
4216 			len = sizeof (so_faddr);
4217 			(void) socket_getpeername(so,
4218 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4219 
4220 			add_sock_token = 1;
4221 		}
4222 
4223 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4224 
4225 		break;
4226 
4227 	case AF_UNIX:
4228 		/*
4229 		 * first check if this is first time through. Too much
4230 		 * duplicate code to put this in an aui_ routine.
4231 		 */
4232 
4233 		/* get path from file struct here */
4234 		fad = F2A(fp);
4235 		ASSERT(fad);
4236 
4237 		/*
4238 		 * already processed this file for read attempt
4239 		 */
4240 		if (fad->fad_flags & FAD_READ) {
4241 			/* don't want to audit every recvfrom attempt */
4242 			tad->tad_flag = 0;
4243 			/* free any residual audit data */
4244 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4245 			releasef(fd);
4246 			return;
4247 		}
4248 		/*
4249 		 * mark things so we know what happened and don't
4250 		 * repeat things
4251 		 */
4252 		fad->fad_flags |= FAD_READ;
4253 
4254 		if (fad->fad_aupath != NULL) {
4255 			au_uwrite(au_to_path(fad->fad_aupath));
4256 		} else {
4257 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4258 		}
4259 
4260 		audit_attributes(fp->f_vnode);
4261 
4262 		releasef(fd);
4263 
4264 		return;
4265 
4266 	default:
4267 		break;
4268 
4269 	}
4270 
4271 	releasef(fd);
4272 
4273 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4274 
4275 	if (add_sock_token == 0) {
4276 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4277 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4278 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4279 		return;
4280 	}
4281 
4282 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4283 
4284 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4285 }
4286 
4287 /*ARGSUSED*/
4288 static void
4289 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4290 {
4291 	struct a {
4292 		long	fd;
4293 		long	msg;	/* struct msghdr */
4294 		long	flags;
4295 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4296 
4297 	struct sonode	*so;
4298 	char so_laddr[sizeof (struct sockaddr_in6)];
4299 	char so_faddr[sizeof (struct sockaddr_in6)];
4300 	int		err;
4301 	int		fd;
4302 	short so_family, so_type;
4303 	int		add_sock_token = 0;
4304 	socklen_t	len;
4305 	struct file	*fp;
4306 	struct f_audit_data *fad;
4307 	caddr_t		msg_name;
4308 	socklen_t	msg_namelen;
4309 	STRUCT_DECL(msghdr, msg);
4310 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4311 
4312 	fd = (int)uap->fd;
4313 
4314 	/* bail if an error */
4315 	if (error) {
4316 		/* XXX include destination address from system call arguments */
4317 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4318 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4319 		return;
4320 	}
4321 
4322 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4323 		/*
4324 		 * not security relevant if doing a sendmsg from non socket
4325 		 * so no extra tokens. Should probably turn off audit record
4326 		 * generation here.
4327 		 */
4328 		return;
4329 	}
4330 
4331 	so_family = so->so_family;
4332 	so_type   = so->so_type;
4333 
4334 	switch (so_family) {
4335 	case AF_INET:
4336 	case AF_INET6:
4337 		/*
4338 		 * if datagram type socket, then just use what is in
4339 		 * socket structure for local address.
4340 		 * XXX - what do we do for other types?
4341 		 */
4342 		if ((so->so_type == SOCK_DGRAM) ||
4343 		    (so->so_type == SOCK_RAW)) {
4344 
4345 			bzero((void *)so_laddr, sizeof (so_laddr));
4346 			bzero((void *)so_faddr, sizeof (so_faddr));
4347 
4348 			/* get local address */
4349 			len = sizeof (so_laddr);
4350 			(void) socket_getsockname(so,
4351 			    (struct sockaddr *)so_laddr, &len, CRED());
4352 
4353 			/* get peer address */
4354 			STRUCT_INIT(msg, get_udatamodel());
4355 
4356 			if (copyin((caddr_t)(uap->msg),
4357 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4358 				break;
4359 			}
4360 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4361 			if (msg_name == NULL)
4362 				break;
4363 
4364 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4365 			/* length is value from recvmsg - sanity check */
4366 			if (msg_namelen == 0)
4367 				break;
4368 
4369 			if (copyin(msg_name, so_faddr,
4370 			    sizeof (so_faddr)) != 0)
4371 				break;
4372 
4373 			add_sock_token = 1;
4374 
4375 		} else if (so->so_type == SOCK_STREAM) {
4376 
4377 			/* get path from file struct here */
4378 			fad = F2A(fp);
4379 			ASSERT(fad);
4380 
4381 			/*
4382 			 * already processed this file for write attempt
4383 			 */
4384 			if (fad->fad_flags & FAD_WRITE) {
4385 				releasef(fd);
4386 				/* don't want to audit every sendmsg attempt */
4387 				tad->tad_flag = 0;
4388 				/* free any residual audit data */
4389 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4390 				return;
4391 			}
4392 
4393 			/*
4394 			 * mark things so we know what happened and don't
4395 			 * repeat things
4396 			 */
4397 			fad->fad_flags |= FAD_WRITE;
4398 
4399 			bzero((void *)so_laddr, sizeof (so_laddr));
4400 			bzero((void *)so_faddr, sizeof (so_faddr));
4401 
4402 			/* get local and foreign addresses */
4403 			len = sizeof (so_laddr);
4404 			(void) socket_getsockname(so,
4405 			    (struct sockaddr *)so_laddr, &len, CRED());
4406 			len = sizeof (so_faddr);
4407 			(void) socket_getpeername(so,
4408 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4409 
4410 			add_sock_token = 1;
4411 		}
4412 
4413 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4414 
4415 		break;
4416 
4417 	case AF_UNIX:
4418 		/*
4419 		 * first check if this is first time through. Too much
4420 		 * duplicate code to put this in an aui_ routine.
4421 		 */
4422 
4423 		/* get path from file struct here */
4424 		fad = F2A(fp);
4425 		ASSERT(fad);
4426 
4427 		/*
4428 		 * already processed this file for write attempt
4429 		 */
4430 		if (fad->fad_flags & FAD_WRITE) {
4431 			releasef(fd);
4432 			/* don't want to audit every sendmsg attempt */
4433 			tad->tad_flag = 0;
4434 			/* free any residual audit data */
4435 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4436 			return;
4437 		}
4438 		/*
4439 		 * mark things so we know what happened and don't
4440 		 * repeat things
4441 		 */
4442 		fad->fad_flags |= FAD_WRITE;
4443 
4444 		if (fad->fad_aupath != NULL) {
4445 			au_uwrite(au_to_path(fad->fad_aupath));
4446 		} else {
4447 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4448 		}
4449 
4450 		audit_attributes(fp->f_vnode);
4451 
4452 		releasef(fd);
4453 
4454 		return;
4455 
4456 	default:
4457 		break;
4458 	}
4459 
4460 	releasef(fd);
4461 
4462 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4463 
4464 	if (add_sock_token == 0) {
4465 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4466 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4467 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4468 		return;
4469 	}
4470 
4471 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4472 
4473 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4474 }
4475 
4476 /*ARGSUSED*/
4477 static void
4478 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4479 {
4480 	struct a {
4481 		long	fd;
4482 		long	msg;	/* char */
4483 		long	len;
4484 		long	flags;
4485 		long	to;	/* struct sockaddr */
4486 		long	tolen;
4487 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4488 
4489 	struct sonode	*so;
4490 	char so_laddr[sizeof (struct sockaddr_in6)];
4491 	char so_faddr[sizeof (struct sockaddr_in6)];
4492 	socklen_t	tolen;
4493 	int		err;
4494 	int		fd;
4495 	socklen_t	len;
4496 	short so_family, so_type;
4497 	int		add_sock_token = 0;
4498 	struct file	*fp;
4499 	struct f_audit_data *fad;
4500 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4501 
4502 	fd = (int)uap->fd;
4503 
4504 	/* bail if an error */
4505 	if (error) {
4506 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4507 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4508 		/* XXX include destination address from system call arguments */
4509 		return;
4510 	}
4511 
4512 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4513 		/*
4514 		 * not security relevant if doing a sendto using non socket
4515 		 * so no extra tokens. Should probably turn off audit record
4516 		 * generation here.
4517 		 */
4518 		return;
4519 	}
4520 
4521 	so_family = so->so_family;
4522 	so_type   = so->so_type;
4523 
4524 	/*
4525 	 * only putout SOCKET_EX token if INET/INET6 family.
4526 	 * XXX - what do we do about other families?
4527 	 */
4528 
4529 	switch (so_family) {
4530 	case AF_INET:
4531 	case AF_INET6:
4532 
4533 		/*
4534 		 * if datagram type socket, then just use what is in
4535 		 * socket structure for local address.
4536 		 * XXX - what do we do for other types?
4537 		 */
4538 		if ((so->so_type == SOCK_DGRAM) ||
4539 		    (so->so_type == SOCK_RAW)) {
4540 
4541 			bzero((void *)so_laddr, sizeof (so_laddr));
4542 			bzero((void *)so_faddr, sizeof (so_faddr));
4543 
4544 			/* get local address */
4545 			len = sizeof (so_laddr);
4546 			(void) socket_getsockname(so,
4547 			    (struct sockaddr *)so_laddr, &len, CRED());
4548 
4549 			/* get peer address */
4550 
4551 			/* sanity check */
4552 			if (uap->to == NULL)
4553 				break;
4554 
4555 			/* sanity checks */
4556 			if (uap->tolen == 0)
4557 				break;
4558 
4559 			tolen = (socklen_t)uap->tolen;
4560 
4561 			/* enforce maximum size */
4562 			if (tolen > sizeof (so_faddr))
4563 				tolen = sizeof (so_faddr);
4564 
4565 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4566 				break;
4567 
4568 			add_sock_token = 1;
4569 		} else {
4570 			/*
4571 			 * check if this is first time through.
4572 			 */
4573 
4574 			/* get path from file struct here */
4575 			fad = F2A(fp);
4576 			ASSERT(fad);
4577 
4578 			/*
4579 			 * already processed this file for write attempt
4580 			 */
4581 			if (fad->fad_flags & FAD_WRITE) {
4582 				/* don't want to audit every sendto attempt */
4583 				tad->tad_flag = 0;
4584 				/* free any residual audit data */
4585 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4586 				releasef(fd);
4587 				return;
4588 			}
4589 			/*
4590 			 * mark things so we know what happened and don't
4591 			 * repeat things
4592 			 */
4593 			fad->fad_flags |= FAD_WRITE;
4594 
4595 			bzero((void *)so_laddr, sizeof (so_laddr));
4596 			bzero((void *)so_faddr, sizeof (so_faddr));
4597 
4598 			/* get local and foreign addresses */
4599 			len = sizeof (so_laddr);
4600 			(void) socket_getsockname(so,
4601 			    (struct sockaddr *)so_laddr, &len, CRED());
4602 			len = sizeof (so_faddr);
4603 			(void) socket_getpeername(so,
4604 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4605 
4606 			add_sock_token = 1;
4607 		}
4608 
4609 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4610 
4611 		break;
4612 
4613 	case AF_UNIX:
4614 		/*
4615 		 * first check if this is first time through. Too much
4616 		 * duplicate code to put this in an aui_ routine.
4617 		 */
4618 
4619 		/* get path from file struct here */
4620 		fad = F2A(fp);
4621 		ASSERT(fad);
4622 
4623 		/*
4624 		 * already processed this file for write attempt
4625 		 */
4626 		if (fad->fad_flags & FAD_WRITE) {
4627 			/* don't want to audit every sendto attempt */
4628 			tad->tad_flag = 0;
4629 			/* free any residual audit data */
4630 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4631 			releasef(fd);
4632 			return;
4633 		}
4634 		/*
4635 		 * mark things so we know what happened and don't
4636 		 * repeat things
4637 		 */
4638 		fad->fad_flags |= FAD_WRITE;
4639 
4640 		if (fad->fad_aupath != NULL) {
4641 			au_uwrite(au_to_path(fad->fad_aupath));
4642 		} else {
4643 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4644 		}
4645 
4646 		audit_attributes(fp->f_vnode);
4647 
4648 		releasef(fd);
4649 
4650 		return;
4651 
4652 	default:
4653 		break;
4654 
4655 	}
4656 
4657 	releasef(fd);
4658 
4659 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4660 
4661 	if (add_sock_token == 0) {
4662 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4663 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4664 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4665 		return;
4666 	}
4667 
4668 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4669 
4670 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4671 
4672 }
4673 
4674 /*
4675  * XXX socket(2) may be equivalent to open(2) on a unix domain
4676  * socket. This needs investigation.
4677  */
4678 
4679 /*ARGSUSED*/
4680 static void
4681 aus_socket(struct t_audit_data *tad)
4682 {
4683 	struct a {
4684 		long	domain;
4685 		long	type;
4686 		long	protocol;
4687 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4688 
4689 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4690 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4691 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4692 }
4693 
4694 /*ARGSUSED*/
4695 static void
4696 aus_sigqueue(struct t_audit_data *tad)
4697 {
4698 	struct a {
4699 		long	pid;
4700 		long	signo;
4701 		long	*val;
4702 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4703 	struct proc *p;
4704 	uid_t uid, ruid;
4705 	gid_t gid, rgid;
4706 	pid_t pid;
4707 	const auditinfo_addr_t *ainfo;
4708 	cred_t *cr;
4709 
4710 	pid = (pid_t)uap->pid;
4711 
4712 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4713 	if (pid > 0) {
4714 		mutex_enter(&pidlock);
4715 		if ((p = prfind(pid)) == (struct proc *)0) {
4716 			mutex_exit(&pidlock);
4717 			return;
4718 		}
4719 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4720 		mutex_exit(&pidlock);
4721 
4722 		mutex_enter(&p->p_crlock);
4723 		crhold(cr = p->p_cred);
4724 		mutex_exit(&p->p_crlock);
4725 		mutex_exit(&p->p_lock);
4726 
4727 		ainfo = crgetauinfo(cr);
4728 		if (ainfo == NULL) {
4729 			crfree(cr);
4730 			return;
4731 		}
4732 
4733 		uid  = crgetuid(cr);
4734 		gid  = crgetgid(cr);
4735 		ruid = crgetruid(cr);
4736 		rgid = crgetrgid(cr);
4737 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4738 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4739 		crfree(cr);
4740 	}
4741 	else
4742 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4743 }
4744 
4745 /*ARGSUSED*/
4746 static void
4747 aus_inst_sync(struct t_audit_data *tad)
4748 {
4749 	struct a {
4750 		long	name;	/* char */
4751 		long	flags;
4752 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4753 
4754 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4755 }
4756 
4757 /*ARGSUSED*/
4758 static void
4759 aus_brandsys(struct t_audit_data *tad)
4760 {
4761 	klwp_t *clwp = ttolwp(curthread);
4762 
4763 	struct a {
4764 		long	cmd;
4765 		long	arg1;
4766 		long	arg2;
4767 		long	arg3;
4768 		long	arg4;
4769 		long	arg5;
4770 		long	arg6;
4771 	} *uap = (struct a *)clwp->lwp_ap;
4772 
4773 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4774 #ifdef _LP64
4775 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4776 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4777 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4778 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4779 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4780 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4781 #else
4782 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4783 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4784 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4785 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4786 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4787 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4788 #endif
4789 }
4790 
4791 /*ARGSUSED*/
4792 static void
4793 aus_p_online(struct t_audit_data *tad)
4794 {
4795 	struct a {
4796 		long	processor_id;
4797 		long	flag;
4798 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4799 
4800 	struct flags {
4801 			int	flag;
4802 			char	*cflag;
4803 	} aflags[6] = {
4804 			{ P_ONLINE, "P_ONLINE"},
4805 			{ P_OFFLINE, "P_OFFLINE"},
4806 			{ P_NOINTR, "P_NOINTR"},
4807 			{ P_SPARE, "P_SPARE"},
4808 			{ P_FAULTED, "P_FAULTED"},
4809 			{ P_STATUS, "P_STATUS"}
4810 	};
4811 	int i;
4812 	char *cflag;
4813 
4814 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4815 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4816 
4817 	for (i = 0; i < 6; i++) {
4818 		if (aflags[i].flag == uap->flag)
4819 			break;
4820 	}
4821 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4822 
4823 	au_uwrite(au_to_text(cflag));
4824 }
4825 
4826 /*ARGSUSED*/
4827 static void
4828 aus_processor_bind(struct t_audit_data *tad)
4829 {
4830 	struct a {
4831 		long	id_type;
4832 		long	id;
4833 		long	processor_id;
4834 		long	obind;
4835 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4836 
4837 	struct proc *p;
4838 	int lwpcnt;
4839 	uid_t uid, ruid;
4840 	gid_t gid, rgid;
4841 	pid_t pid;
4842 	const auditinfo_addr_t *ainfo;
4843 	cred_t *cr;
4844 
4845 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4846 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4847 	if (uap->processor_id == PBIND_NONE)
4848 		au_uwrite(au_to_text("PBIND_NONE"));
4849 	else
4850 		au_uwrite(au_to_arg32(3, "processor_id",
4851 		    (uint32_t)uap->processor_id));
4852 
4853 	switch (uap->id_type) {
4854 	case P_MYID:
4855 	case P_LWPID:
4856 		mutex_enter(&pidlock);
4857 		p = ttoproc(curthread);
4858 		if (p == NULL || p->p_as == &kas) {
4859 			mutex_exit(&pidlock);
4860 			return;
4861 		}
4862 		mutex_enter(&p->p_lock);
4863 		mutex_exit(&pidlock);
4864 		lwpcnt = p->p_lwpcnt;
4865 		pid  = p->p_pid;
4866 
4867 		mutex_enter(&p->p_crlock);
4868 		crhold(cr = p->p_cred);
4869 		mutex_exit(&p->p_crlock);
4870 		mutex_exit(&p->p_lock);
4871 
4872 		ainfo = crgetauinfo(cr);
4873 		if (ainfo == NULL) {
4874 			crfree(cr);
4875 			return;
4876 		}
4877 
4878 		uid  = crgetuid(cr);
4879 		gid  = crgetgid(cr);
4880 		ruid = crgetruid(cr);
4881 		rgid = crgetrgid(cr);
4882 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4883 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4884 		crfree(cr);
4885 		break;
4886 	case P_PID:
4887 		mutex_enter(&pidlock);
4888 		p = prfind(uap->id);
4889 		if (p == NULL || p->p_as == &kas) {
4890 			mutex_exit(&pidlock);
4891 			return;
4892 		}
4893 		mutex_enter(&p->p_lock);
4894 		mutex_exit(&pidlock);
4895 		lwpcnt = p->p_lwpcnt;
4896 		pid  = p->p_pid;
4897 
4898 		mutex_enter(&p->p_crlock);
4899 		crhold(cr = p->p_cred);
4900 		mutex_exit(&p->p_crlock);
4901 		mutex_exit(&p->p_lock);
4902 
4903 		ainfo = crgetauinfo(cr);
4904 		if (ainfo == NULL) {
4905 			crfree(cr);
4906 			return;
4907 		}
4908 
4909 		uid  = crgetuid(cr);
4910 		gid  = crgetgid(cr);
4911 		ruid = crgetruid(cr);
4912 		rgid = crgetrgid(cr);
4913 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4914 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4915 		crfree(cr);
4916 
4917 		break;
4918 	default:
4919 		return;
4920 	}
4921 
4922 	if (uap->processor_id == PBIND_NONE &&
4923 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4924 		au_uwrite(au_to_text("PBIND_NONE for process"));
4925 	else
4926 		au_uwrite(au_to_arg32(3, "processor_id",
4927 		    (uint32_t)uap->processor_id));
4928 }
4929 
4930 /*ARGSUSED*/
4931 static au_event_t
4932 aui_doorfs(au_event_t e)
4933 {
4934 	uint32_t code;
4935 
4936 	struct a {		/* doorfs */
4937 		long	a1;
4938 		long	a2;
4939 		long	a3;
4940 		long	a4;
4941 		long	a5;
4942 		long	code;
4943 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4944 
4945 	/*
4946 	 *	audit formats for several of the
4947 	 *	door calls have not yet been determined
4948 	 */
4949 	code = (uint32_t)uap->code;
4950 	switch (code) {
4951 	case DOOR_CALL:
4952 		e = AUE_DOORFS_DOOR_CALL;
4953 		break;
4954 	case DOOR_RETURN:
4955 		e = AUE_NULL;
4956 		break;
4957 	case DOOR_CREATE:
4958 		e = AUE_DOORFS_DOOR_CREATE;
4959 		break;
4960 	case DOOR_REVOKE:
4961 		e = AUE_DOORFS_DOOR_REVOKE;
4962 		break;
4963 	case DOOR_INFO:
4964 		e = AUE_NULL;
4965 		break;
4966 	case DOOR_UCRED:
4967 		e = AUE_NULL;
4968 		break;
4969 	case DOOR_BIND:
4970 		e = AUE_NULL;
4971 		break;
4972 	case DOOR_UNBIND:
4973 		e = AUE_NULL;
4974 		break;
4975 	case DOOR_GETPARAM:
4976 		e = AUE_NULL;
4977 		break;
4978 	case DOOR_SETPARAM:
4979 		e = AUE_NULL;
4980 		break;
4981 	default:	/* illegal system call */
4982 		e = AUE_NULL;
4983 		break;
4984 	}
4985 
4986 	return (e);
4987 }
4988 
4989 static door_node_t *
4990 au_door_lookup(int did)
4991 {
4992 	vnode_t	*vp;
4993 	file_t *fp;
4994 
4995 	if ((fp = getf(did)) == NULL)
4996 		return (NULL);
4997 	/*
4998 	 * Use the underlying vnode (we may be namefs mounted)
4999 	 */
5000 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5001 		vp = fp->f_vnode;
5002 
5003 	if (vp == NULL || vp->v_type != VDOOR) {
5004 		releasef(did);
5005 		return (NULL);
5006 	}
5007 
5008 	return (VTOD(vp));
5009 }
5010 
5011 /*ARGSUSED*/
5012 static void
5013 aus_doorfs(struct t_audit_data *tad)
5014 {
5015 
5016 	struct a {		/* doorfs */
5017 		long	a1;
5018 		long	a2;
5019 		long	a3;
5020 		long	a4;
5021 		long	a5;
5022 		long	code;
5023 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5024 
5025 	door_node_t	*dp;
5026 	struct proc	*p;
5027 	uint32_t	did;
5028 	uid_t uid, ruid;
5029 	gid_t gid, rgid;
5030 	pid_t pid;
5031 	const auditinfo_addr_t *ainfo;
5032 	cred_t *cr;
5033 
5034 	did = (uint32_t)uap->a1;
5035 
5036 	switch (tad->tad_event) {
5037 	case AUE_DOORFS_DOOR_CALL:
5038 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5039 		if ((dp = au_door_lookup(did)) == NULL)
5040 			break;
5041 
5042 		if (DOOR_INVALID(dp)) {
5043 			releasef(did);
5044 			break;
5045 		}
5046 
5047 		if ((p = dp->door_target) == NULL) {
5048 			releasef(did);
5049 			break;
5050 		}
5051 		mutex_enter(&p->p_lock);
5052 		releasef(did);
5053 
5054 		pid  = p->p_pid;
5055 
5056 		mutex_enter(&p->p_crlock);
5057 		crhold(cr = p->p_cred);
5058 		mutex_exit(&p->p_crlock);
5059 		mutex_exit(&p->p_lock);
5060 
5061 		ainfo = crgetauinfo(cr);
5062 		if (ainfo == NULL) {
5063 			crfree(cr);
5064 			return;
5065 		}
5066 		uid  = crgetuid(cr);
5067 		gid  = crgetgid(cr);
5068 		ruid = crgetruid(cr);
5069 		rgid = crgetrgid(cr);
5070 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5071 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5072 		crfree(cr);
5073 		break;
5074 	case AUE_DOORFS_DOOR_RETURN:
5075 		/*
5076 		 * We may want to write information about
5077 		 * all doors (if any) which will be copied
5078 		 * by this call to the user space
5079 		 */
5080 		break;
5081 	case AUE_DOORFS_DOOR_CREATE:
5082 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5083 		break;
5084 	case AUE_DOORFS_DOOR_REVOKE:
5085 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5086 		break;
5087 	case AUE_DOORFS_DOOR_INFO:
5088 		break;
5089 	case AUE_DOORFS_DOOR_CRED:
5090 		break;
5091 	case AUE_DOORFS_DOOR_BIND:
5092 		break;
5093 	case AUE_DOORFS_DOOR_UNBIND: {
5094 		break;
5095 	}
5096 	default:	/* illegal system call */
5097 		break;
5098 	}
5099 }
5100 
5101 /*ARGSUSED*/
5102 static au_event_t
5103 aui_acl(au_event_t e)
5104 {
5105 	struct a {
5106 		union {
5107 			long	name;	/* char */
5108 			long	fd;
5109 		}		obj;
5110 
5111 		long		cmd;
5112 		long		nentries;
5113 		long		arg;	/* aclent_t */
5114 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5115 
5116 	switch (uap->cmd) {
5117 	case SETACL:
5118 	case ACE_SETACL:
5119 		/*
5120 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5121 		 * are expected.
5122 		 */
5123 		break;
5124 	case GETACL:
5125 	case GETACLCNT:
5126 	case ACE_GETACL:
5127 	case ACE_GETACLCNT:
5128 		/* do nothing for these four values. */
5129 		e = AUE_NULL;
5130 		break;
5131 	default:
5132 		/* illegal system call */
5133 		break;
5134 	}
5135 
5136 	return (e);
5137 }
5138 
5139 static void
5140 au_acl(int cmd, int nentries, caddr_t bufp)
5141 {
5142 	size_t		a_size;
5143 	aclent_t	*aclbufp;
5144 	ace_t		*acebufp;
5145 	int		i;
5146 
5147 	switch (cmd) {
5148 	case GETACL:
5149 	case GETACLCNT:
5150 		break;
5151 	case SETACL:
5152 		if (nentries < 3)
5153 			break;
5154 
5155 		a_size = nentries * sizeof (aclent_t);
5156 
5157 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5158 			break;
5159 		if (copyin(bufp, aclbufp, a_size)) {
5160 			kmem_free(aclbufp, a_size);
5161 			break;
5162 		}
5163 		for (i = 0; i < nentries; i++) {
5164 			au_uwrite(au_to_acl(aclbufp + i));
5165 		}
5166 		kmem_free(aclbufp, a_size);
5167 		break;
5168 
5169 	case ACE_SETACL:
5170 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5171 			break;
5172 
5173 		a_size = nentries * sizeof (ace_t);
5174 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5175 			break;
5176 		if (copyin(bufp, acebufp, a_size)) {
5177 			kmem_free(acebufp, a_size);
5178 			break;
5179 		}
5180 		for (i = 0; i < nentries; i++) {
5181 			au_uwrite(au_to_ace(acebufp + i));
5182 		}
5183 		kmem_free(acebufp, a_size);
5184 		break;
5185 	default:
5186 		break;
5187 	}
5188 }
5189 
5190 /*ARGSUSED*/
5191 static void
5192 aus_acl(struct t_audit_data *tad)
5193 {
5194 	struct a {
5195 		long	fname;
5196 		long	cmd;
5197 		long	nentries;
5198 		long	aclbufp;
5199 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5200 
5201 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5202 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5203 
5204 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5205 }
5206 
5207 /*ARGSUSED*/
5208 static void
5209 aus_facl(struct t_audit_data *tad)
5210 {
5211 	struct a {
5212 		long	fd;
5213 		long	cmd;
5214 		long	nentries;
5215 		long	aclbufp;
5216 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5217 	struct file  *fp;
5218 	struct vnode *vp;
5219 	struct f_audit_data *fad;
5220 	int fd;
5221 
5222 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5223 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5224 
5225 	fd = (int)uap->fd;
5226 
5227 	if ((fp = getf(fd)) == NULL)
5228 		return;
5229 
5230 	/* get path from file struct here */
5231 	fad = F2A(fp);
5232 	if (fad->fad_aupath != NULL) {
5233 		au_uwrite(au_to_path(fad->fad_aupath));
5234 	} else {
5235 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5236 	}
5237 
5238 	vp = fp->f_vnode;
5239 	audit_attributes(vp);
5240 
5241 	/* decrement file descriptor reference count */
5242 	releasef(fd);
5243 
5244 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5245 }
5246 
5247 /*ARGSUSED*/
5248 static void
5249 auf_read(tad, error, rval)
5250 	struct t_audit_data *tad;
5251 	int error;
5252 	rval_t *rval;
5253 {
5254 	struct file *fp;
5255 	struct f_audit_data *fad;
5256 	int fd;
5257 	register struct a {
5258 		long	fd;
5259 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5260 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5261 
5262 	fd = (int)uap->fd;
5263 
5264 	/*
5265 	 * convert file pointer to file descriptor
5266 	 *   Note: fd ref count incremented here.
5267 	 */
5268 	if ((fp = getf(fd)) == NULL)
5269 		return;
5270 
5271 	/* get path from file struct here */
5272 	fad = F2A(fp);
5273 	ASSERT(fad);
5274 
5275 	/*
5276 	 * already processed this file for read attempt
5277 	 *
5278 	 * XXX might be better to turn off auditing in a aui_read() routine.
5279 	 */
5280 	if (fad->fad_flags & FAD_READ) {
5281 		/* don't really want to audit every read attempt */
5282 		tad->tad_flag = 0;
5283 		/* free any residual audit data */
5284 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5285 		releasef(fd);
5286 		return;
5287 	}
5288 	/* mark things so we know what happened and don't repeat things */
5289 	fad->fad_flags |= FAD_READ;
5290 
5291 	if (fad->fad_aupath != NULL) {
5292 		au_uwrite(au_to_path(fad->fad_aupath));
5293 	} else {
5294 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5295 	}
5296 
5297 	/* include attributes */
5298 	audit_attributes(fp->f_vnode);
5299 
5300 	/* decrement file descriptor reference count */
5301 	releasef(fd);
5302 }
5303 
5304 /*ARGSUSED*/
5305 static void
5306 auf_write(tad, error, rval)
5307 	struct t_audit_data *tad;
5308 	int error;
5309 	rval_t *rval;
5310 {
5311 	struct file *fp;
5312 	struct f_audit_data *fad;
5313 	int fd;
5314 	register struct a {
5315 		long	fd;
5316 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5317 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5318 
5319 	fd = (int)uap->fd;
5320 
5321 	/*
5322 	 * convert file pointer to file descriptor
5323 	 *   Note: fd ref count incremented here.
5324 	 */
5325 	if ((fp = getf(fd)) == NULL)
5326 		return;
5327 
5328 	/* get path from file struct here */
5329 	fad = F2A(fp);
5330 	ASSERT(fad);
5331 
5332 	/*
5333 	 * already processed this file for write attempt
5334 	 *
5335 	 * XXX might be better to turn off auditing in a aus_write() routine.
5336 	 */
5337 	if (fad->fad_flags & FAD_WRITE) {
5338 		/* don't really want to audit every write attempt */
5339 		tad->tad_flag = 0;
5340 		/* free any residual audit data */
5341 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5342 		releasef(fd);
5343 		return;
5344 	}
5345 	/* mark things so we know what happened and don't repeat things */
5346 	fad->fad_flags |= FAD_WRITE;
5347 
5348 	if (fad->fad_aupath != NULL) {
5349 		au_uwrite(au_to_path(fad->fad_aupath));
5350 	} else {
5351 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5352 	}
5353 
5354 	/* include attributes */
5355 	audit_attributes(fp->f_vnode);
5356 
5357 	/* decrement file descriptor reference count */
5358 	releasef(fd);
5359 }
5360 
5361 /*ARGSUSED*/
5362 static void
5363 auf_recv(tad, error, rval)
5364 	struct t_audit_data *tad;
5365 	int error;
5366 	rval_t *rval;
5367 {
5368 	struct sonode *so;
5369 	char so_laddr[sizeof (struct sockaddr_in6)];
5370 	char so_faddr[sizeof (struct sockaddr_in6)];
5371 	struct file *fp;
5372 	struct f_audit_data *fad;
5373 	int fd;
5374 	int err;
5375 	socklen_t len;
5376 	short so_family, so_type;
5377 	register struct a {
5378 		long	fd;
5379 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5380 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5381 
5382 	/*
5383 	 * If there was an error, then nothing to do. Only generate
5384 	 * audit record on first successful recv.
5385 	 */
5386 	if (error) {
5387 		/* Turn off audit record generation here. */
5388 		tad->tad_flag = 0;
5389 		/* free any residual audit data */
5390 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5391 		return;
5392 	}
5393 
5394 	fd = (int)uap->fd;
5395 
5396 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5397 		/* Turn off audit record generation here. */
5398 		tad->tad_flag = 0;
5399 		/* free any residual audit data */
5400 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5401 		return;
5402 	}
5403 
5404 	/* get path from file struct here */
5405 	fad = F2A(fp);
5406 	ASSERT(fad);
5407 
5408 	/*
5409 	 * already processed this file for read attempt
5410 	 */
5411 	if (fad->fad_flags & FAD_READ) {
5412 		releasef(fd);
5413 		/* don't really want to audit every recv call */
5414 		tad->tad_flag = 0;
5415 		/* free any residual audit data */
5416 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5417 		return;
5418 	}
5419 
5420 	/* mark things so we know what happened and don't repeat things */
5421 	fad->fad_flags |= FAD_READ;
5422 
5423 	so_family = so->so_family;
5424 	so_type   = so->so_type;
5425 
5426 	switch (so_family) {
5427 	case AF_INET:
5428 	case AF_INET6:
5429 		/*
5430 		 * Only for connections.
5431 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5432 		 */
5433 		if (so->so_state & SS_ISBOUND) {
5434 
5435 			bzero((void *)so_laddr, sizeof (so_laddr));
5436 			bzero((void *)so_faddr, sizeof (so_faddr));
5437 
5438 			/* get local and foreign addresses */
5439 			len = sizeof (so_laddr);
5440 			(void) socket_getsockname(so,
5441 			    (struct sockaddr *)so_laddr, &len, CRED());
5442 			len = sizeof (so_faddr);
5443 			(void) socket_getpeername(so,
5444 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5445 
5446 			/*
5447 			 * only way to drop out of switch. Note that we
5448 			 * we release fd below.
5449 			 */
5450 
5451 			break;
5452 		}
5453 
5454 		releasef(fd);
5455 
5456 		/* don't really want to audit every recv call */
5457 		tad->tad_flag = 0;
5458 		/* free any residual audit data */
5459 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5460 
5461 		return;
5462 
5463 	case AF_UNIX:
5464 
5465 		if (fad->fad_aupath != NULL) {
5466 			au_uwrite(au_to_path(fad->fad_aupath));
5467 		} else {
5468 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5469 		}
5470 
5471 		audit_attributes(fp->f_vnode);
5472 
5473 		releasef(fd);
5474 
5475 		return;
5476 
5477 	default:
5478 		releasef(fd);
5479 
5480 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5481 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5482 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5483 
5484 		return;
5485 	}
5486 
5487 	releasef(fd);
5488 
5489 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5490 
5491 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5492 
5493 }
5494 
5495 /*ARGSUSED*/
5496 static void
5497 auf_send(tad, error, rval)
5498 	struct t_audit_data *tad;
5499 	int error;
5500 	rval_t *rval;
5501 {
5502 	struct sonode *so;
5503 	char so_laddr[sizeof (struct sockaddr_in6)];
5504 	char so_faddr[sizeof (struct sockaddr_in6)];
5505 	struct file *fp;
5506 	struct f_audit_data *fad;
5507 	int fd;
5508 	int err;
5509 	socklen_t len;
5510 	short so_family, so_type;
5511 	register struct a {
5512 		long	fd;
5513 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5514 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5515 
5516 	fd = (int)uap->fd;
5517 
5518 	/*
5519 	 * If there was an error, then nothing to do. Only generate
5520 	 * audit record on first successful send.
5521 	 */
5522 	if (error != 0) {
5523 		/* Turn off audit record generation here. */
5524 		tad->tad_flag = 0;
5525 		/* free any residual audit data */
5526 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5527 		return;
5528 	}
5529 
5530 	fd = (int)uap->fd;
5531 
5532 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5533 		/* Turn off audit record generation here. */
5534 		tad->tad_flag = 0;
5535 		/* free any residual audit data */
5536 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5537 		return;
5538 	}
5539 
5540 	/* get path from file struct here */
5541 	fad = F2A(fp);
5542 	ASSERT(fad);
5543 
5544 	/*
5545 	 * already processed this file for write attempt
5546 	 */
5547 	if (fad->fad_flags & FAD_WRITE) {
5548 		releasef(fd);
5549 		/* don't really want to audit every send call */
5550 		tad->tad_flag = 0;
5551 		/* free any residual audit data */
5552 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5553 		return;
5554 	}
5555 
5556 	/* mark things so we know what happened and don't repeat things */
5557 	fad->fad_flags |= FAD_WRITE;
5558 
5559 	so_family = so->so_family;
5560 	so_type   = so->so_type;
5561 
5562 	switch (so_family) {
5563 	case AF_INET:
5564 	case AF_INET6:
5565 		/*
5566 		 * Only for connections.
5567 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5568 		 */
5569 		if (so->so_state & SS_ISBOUND) {
5570 
5571 			bzero((void *)so_laddr, sizeof (so_laddr));
5572 			bzero((void *)so_faddr, sizeof (so_faddr));
5573 
5574 			/* get local and foreign addresses */
5575 			len = sizeof (so_laddr);
5576 			(void) socket_getsockname(so,
5577 			    (struct sockaddr *)so_laddr, &len, CRED());
5578 			len = sizeof (so_faddr);
5579 			(void) socket_getpeername(so,
5580 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5581 
5582 			/*
5583 			 * only way to drop out of switch. Note that we
5584 			 * we release fd below.
5585 			 */
5586 
5587 			break;
5588 		}
5589 
5590 		releasef(fd);
5591 		/* don't really want to audit every send call */
5592 		tad->tad_flag = 0;
5593 		/* free any residual audit data */
5594 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5595 
5596 		return;
5597 
5598 	case AF_UNIX:
5599 
5600 		if (fad->fad_aupath != NULL) {
5601 			au_uwrite(au_to_path(fad->fad_aupath));
5602 		} else {
5603 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5604 		}
5605 
5606 		audit_attributes(fp->f_vnode);
5607 
5608 		releasef(fd);
5609 
5610 		return;
5611 
5612 	default:
5613 		releasef(fd);
5614 
5615 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5616 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5617 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5618 
5619 		return;
5620 	}
5621 
5622 	releasef(fd);
5623 
5624 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5625 
5626 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5627 }
5628 
5629 static au_event_t
5630 aui_forksys(au_event_t e)
5631 {
5632 	struct a {
5633 		long	subcode;
5634 		long	flags;
5635 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5636 
5637 	switch ((uint_t)uap->subcode) {
5638 	case 0:
5639 		e = AUE_FORK1;
5640 		break;
5641 	case 1:
5642 		e = AUE_FORKALL;
5643 		break;
5644 	case 2:
5645 		e = AUE_VFORK;
5646 		break;
5647 	default:
5648 		e = AUE_NULL;
5649 		break;
5650 	}
5651 
5652 	return (e);
5653 }
5654 
5655 /*ARGSUSED*/
5656 static au_event_t
5657 aui_portfs(au_event_t e)
5658 {
5659 	struct a {		/* portfs */
5660 		long	a1;
5661 		long	a2;
5662 		long	a3;
5663 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5664 
5665 	/*
5666 	 * check opcode
5667 	 */
5668 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5669 	case PORT_ASSOCIATE:
5670 		/* check source */
5671 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5672 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5673 			e = AUE_PORTFS_ASSOCIATE;
5674 		} else {
5675 			e = AUE_NULL;
5676 		}
5677 		break;
5678 	case PORT_DISSOCIATE:
5679 		/* check source */
5680 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5681 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5682 			e = AUE_PORTFS_DISSOCIATE;
5683 		} else {
5684 			e = AUE_NULL;
5685 		}
5686 		break;
5687 	default:
5688 		e = AUE_NULL;
5689 	}
5690 	return (e);
5691 }
5692