xref: /titanic_50/usr/src/uts/common/c2/audit_event.c (revision f48205be61a214698b763ff550ab9e657525104c)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * This file contains the audit event table used to control the production
31  * of audit records for each system call.
32  */
33 
34 #include <sys/policy.h>
35 #include <sys/cred.h>
36 #include <sys/types.h>
37 #include <sys/systm.h>
38 #include <sys/systeminfo.h>	/* for sysinfo auditing */
39 #include <sys/utsname.h>	/* for sysinfo auditing */
40 #include <sys/proc.h>
41 #include <sys/vnode.h>
42 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
43 #include <sys/fcntl.h>
44 #include <sys/modctl.h>		/* for modctl auditing */
45 #include <sys/vnode.h>
46 #include <sys/user.h>
47 #include <sys/types.h>
48 #include <sys/processor.h>
49 #include <sys/procset.h>
50 #include <sys/acl.h>
51 #include <sys/ipc.h>
52 #include <sys/door.h>
53 #include <sys/sem.h>
54 #include <sys/msg.h>
55 #include <sys/shm.h>
56 #include <sys/kmem.h>
57 #include <sys/file.h>		/* for accept */
58 #include <sys/utssys.h>		/* for fuser */
59 #include <sys/tsol/label.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <netinet/in.h>
76 #include <sys/ddi.h>
77 
78 extern token_t	*au_to_sock_inet(struct sockaddr_in *);
79 
80 int	au_naevent;
81 char	_depends_on[] = "fs/sockfs";
82 
83 static au_event_t	aui_null(au_event_t);
84 static au_event_t	aui_open(au_event_t);
85 static au_event_t	aui_fsat(au_event_t);
86 static au_event_t	aui_msgsys(au_event_t);
87 static au_event_t	aui_shmsys(au_event_t);
88 static au_event_t	aui_semsys(au_event_t);
89 static au_event_t	aui_utssys(au_event_t);
90 static au_event_t	aui_fcntl(au_event_t);
91 static au_event_t	aui_execv(au_event_t);
92 static au_event_t	aui_execve(au_event_t);
93 static au_event_t	aui_memcntl(au_event_t);
94 static au_event_t	aui_sysinfo(au_event_t);
95 static au_event_t	aui_auditsys(au_event_t);
96 static au_event_t	aui_modctl(au_event_t);
97 static au_event_t	aui_acl(au_event_t);
98 static au_event_t	aui_doorfs(au_event_t);
99 static au_event_t	aui_privsys(au_event_t);
100 static au_event_t	aui_forksys(au_event_t);
101 
102 static void	aus_null(struct t_audit_data *);
103 static void	aus_open(struct t_audit_data *);
104 static void	aus_acl(struct t_audit_data *);
105 static void	aus_acct(struct t_audit_data *);
106 static void	aus_chown(struct t_audit_data *);
107 static void	aus_fchown(struct t_audit_data *);
108 static void	aus_lchown(struct t_audit_data *);
109 static void	aus_chmod(struct t_audit_data *);
110 static void	aus_facl(struct t_audit_data *);
111 static void	aus_fchmod(struct t_audit_data *);
112 static void	aus_fcntl(struct t_audit_data *);
113 static void	aus_fsat(struct t_audit_data *);
114 static void	aus_mkdir(struct t_audit_data *);
115 static void	aus_mknod(struct t_audit_data *);
116 static void	aus_mount(struct t_audit_data *);
117 static void	aus_umount(struct t_audit_data *);
118 static void	aus_umount2(struct t_audit_data *);
119 static void	aus_msgsys(struct t_audit_data *);
120 static void	aus_semsys(struct t_audit_data *);
121 static void	aus_close(struct t_audit_data *);
122 static void	aus_fstatfs(struct t_audit_data *);
123 static void	aus_setgid(struct t_audit_data *);
124 static void	aus_setuid(struct t_audit_data *);
125 static void	aus_shmsys(struct t_audit_data *);
126 static void	aus_doorfs(struct t_audit_data *);
127 static void	aus_ioctl(struct t_audit_data *);
128 static void	aus_memcntl(struct t_audit_data *);
129 static void	aus_mmap(struct t_audit_data *);
130 static void	aus_munmap(struct t_audit_data *);
131 static void	aus_priocntlsys(struct t_audit_data *);
132 static void	aus_setegid(struct t_audit_data *);
133 static void	aus_setgroups(struct t_audit_data *);
134 static void	aus_seteuid(struct t_audit_data *);
135 static void	aus_putmsg(struct t_audit_data *);
136 static void	aus_putpmsg(struct t_audit_data *);
137 static void	aus_getmsg(struct t_audit_data *);
138 static void	aus_getpmsg(struct t_audit_data *);
139 static void	aus_auditsys(struct t_audit_data *);
140 static void	aus_sysinfo(struct t_audit_data *);
141 static void	aus_modctl(struct t_audit_data *);
142 static void	aus_kill(struct t_audit_data *);
143 static void	aus_xmknod(struct t_audit_data *);
144 static void	aus_setregid(struct t_audit_data *);
145 static void	aus_setreuid(struct t_audit_data *);
146 
147 static void	auf_null(struct t_audit_data *, int, rval_t *);
148 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
149 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
150 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
151 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
152 #if 0
153 static void	auf_open(struct t_audit_data *, int, rval_t *);
154 #endif
155 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
156 static void	auf_read(struct t_audit_data *, int, rval_t *);
157 static void	auf_write(struct t_audit_data *, int, rval_t *);
158 
159 static void	aus_sigqueue(struct t_audit_data *);
160 static void	aus_p_online(struct t_audit_data *);
161 static void	aus_processor_bind(struct t_audit_data *);
162 static void	aus_inst_sync(struct t_audit_data *);
163 static void	aus_brandsys(struct t_audit_data *);
164 
165 static void	auf_accept(struct t_audit_data *, int, rval_t *);
166 
167 static void	auf_bind(struct t_audit_data *, int, rval_t *);
168 static void	auf_connect(struct t_audit_data *, int, rval_t *);
169 static void	aus_shutdown(struct t_audit_data *);
170 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
171 static void	aus_sockconfig(struct t_audit_data *);
172 static void	auf_recv(struct t_audit_data *, int, rval_t *);
173 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
174 static void	auf_send(struct t_audit_data *, int, rval_t *);
175 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
176 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
177 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
178 static void	aus_socket(struct t_audit_data *);
179 /*
180  * This table contains mapping information for converting system call numbers
181  * to audit event IDs. In several cases it is necessary to map a single system
182  * call to several events.
183  */
184 
185 struct audit_s2e audit_s2e[] =
186 {
187 /*
188  * ----------	---------- 	----------	----------
189  * INITIAL	AUDIT		START		SYSTEM
190  * PROCESSING	EVENT		PROCESSING	CALL
191  * ----------	----------	----------	-----------
192  *		FINISH		EVENT
193  *		PROCESSING	CONTROL
194  * ----------------------------------------------------------
195  */
196 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
197 		auf_null,	0,
198 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
199 		auf_null,	S2E_NPT,
200 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
201 		auf_null,	0,
202 aui_null,	AUE_READ,	aus_null,	/* 3 read */
203 		auf_read,	S2E_PUB,
204 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
205 		auf_write,	0,
206 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
207 		auf_null,	S2E_SP,
208 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
209 		auf_null,	0,
210 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
211 		auf_null,	0,
212 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
213 		auf_null,	S2E_SP,
214 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
215 		auf_null,	0,
216 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
217 		auf_null,	0,
218 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
219 		auf_null,	S2E_MLD,
220 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
221 		auf_null,	S2E_SP,
222 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
223 		auf_null,	0,
224 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
225 		auf_mknod,	0,
226 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
227 		auf_null,	0,
228 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
229 		auf_null,	0,
230 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
231 		auf_null,	0,
232 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
233 		auf_null,	S2E_PUB,
234 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
235 		auf_null,	0,
236 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
237 		auf_null,	0,
238 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
239 		auf_null,	S2E_MLD,
240 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
241 		auf_null,	0,
242 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
243 		auf_null,	0,
244 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
245 		auf_null,	0,
246 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
247 		auf_null,	0,
248 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
249 		auf_null,	0,
250 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
251 		auf_null,	0,
252 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
253 		auf_null,	0,
254 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
255 		auf_null,	0,
256 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
257 		auf_null,	0,
258 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
259 		auf_null,	0,
260 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
261 		auf_null,	0,
262 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
263 		auf_null,	S2E_PUB,
264 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
265 		auf_null,	0,
266 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
267 		auf_null,	S2E_PUB,
268 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
269 		auf_null,	0,
270 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
271 		auf_null,	0,
272 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
273 		auf_null,	S2E_PUB,
274 aui_null,	AUE_SETPGRP,	aus_null,	/* 39 setpgrp */
275 		auf_null,	0,
276 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
277 		auf_null,	0,
278 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
279 		auf_null,	0,
280 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
281 		auf_null,	0,
282 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
283 		auf_null,	0,
284 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
285 		auf_null,	0,
286 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
287 						/*	was proc lock */
288 		auf_null,	0,
289 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
290 		auf_null,	0,
291 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
292 		auf_null,	0,
293 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
294 		auf_null,	0,
295 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
296 		auf_msgsys,	0,
297 #if defined(__x86)
298 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
299 		auf_null,	0,
300 #else
301 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
302 		auf_null,	0,
303 #endif /* __x86 */
304 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
305 		auf_null,	0,
306 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
307 		auf_shmsys,	0,
308 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
309 		auf_semsys,	0,
310 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
311 		auf_null,	0,
312 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
313 		auf_null,	0,
314 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
315 		auf_null,	0,
316 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
317 		auf_null,	0,
318 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
319 		auf_null,	0,
320 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
321 		auf_null,	S2E_MLD,
322 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
323 		auf_null,	0,
324 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
325 		auf_null,	S2E_SP,
326 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
327 		auf_null,	0,
328 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
329 		auf_null,	0,
330 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
331 		auf_null,	0,
332 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
333 		auf_null,	0,
334 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
335 		auf_null,	0,
336 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
337 						/*	file locking call */
338 		auf_null,	0,
339 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
340 						/*	local system calls */
341 		auf_null,	0,
342 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
343 		auf_null,	0,
344 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
345 		auf_null,	0,
346 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
347 		auf_null,	0,
348 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
349 		auf_null,	0,
350 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
355 						/*	was sigret (SunOS) */
356 		auf_null,	0,
357 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
358 		auf_null,	0,
359 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
360 		auf_null,	0,
361 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
362 		auf_null,	0,
363 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
364 		auf_null,	0,
365 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
366 		auf_null,	0,
367 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
368 		auf_null,	0,
369 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
370 						/*	was libattach */
371 		auf_null,	0,
372 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
373 						/*	was libdetach */
374 		auf_null,	0,
375 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
376 		auf_null,	0,
377 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
378 		auf_null,	0,
379 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
380 		auf_null,	0,
381 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
382 		auf_null,	0,
383 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
384 		auf_null,	S2E_PUB,
385 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
386 		auf_null,	0,
387 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
388 		auf_null,	S2E_PUB,
389 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
390 		auf_null,	0,
391 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
392 		auf_null,	0,
393 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
394 		auf_null,	0,
395 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
396 		auf_null,	0,
397 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
398 		auf_null,	0,
399 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
400 		auf_null,	0,
401 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
402 		auf_null,	0,
403 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
404 		auf_null,	0,
405 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
406 		auf_null,	0,
407 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
408 		auf_null,	0,
409 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
410 		auf_null,	0,
411 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
412 						/*	was evtrapret */
413 		auf_null,	0,
414 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
415 		auf_null,	S2E_PUB,
416 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
417 		auf_null,	0,
418 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
419 		auf_null,	0,
420 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
421 		auf_null,	0,
422 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
423 		auf_null,	0,
424 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
425 		auf_null,	0,
426 #if defined(__x86)
427 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
428 		auf_null,	0,
429 #else
430 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
431 		auf_null,	0,
432 #endif /* __x86 */
433 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
434 		auf_null,	0,
435 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
436 		auf_null,	0,
437 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
438 		auf_null,	0,		/* 112 priocntlsys */
439 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
440 		auf_null,	S2E_PUB,
441 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
442 		auf_null,	0,
443 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
444 		auf_null,	0,
445 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
446 		auf_null,	0,
447 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
448 		auf_null,	0,
449 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
450 		auf_null,	0,
451 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
452 		auf_null,	0,
453 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
454 		auf_null,	0,
455 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
456 		auf_read,	S2E_PUB,
457 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
458 		auf_write,	0,
459 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
460 		auf_null,	S2E_PUB,
461 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
462 		auf_null,	S2E_PUB,
463 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
464 		auf_null,	0,
465 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
466 		auf_xmknod,	0,
467 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
468 		auf_null,	0,
469 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
470 		auf_null,	0,
471 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
472 		auf_null,	0,
473 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
474 		auf_null,	0,
475 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
476 		auf_null,	0,
477 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
478 		auf_null,	0,
479 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
480 		auf_null,	0,
481 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
482 		auf_null,	0,
483 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
484 		auf_null,	0,
485 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
486 		auf_null,	0,
487 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
488 		auf_null,	0,
489 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
490 		auf_null,	0,
491 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
492 		auf_null,	0,
493 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
494 		auf_null,	0,
495 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
496 		auf_null,	0,
497 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
498 		auf_null,	0,
499 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
500 		auf_null,	0,
501 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
502 		auf_null,	0,
503 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
504 		auf_null,	0,
505 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
506 		auf_null,	0,
507 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
508 		auf_null,	0,
509 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
510 		auf_null,	0,
511 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
512 		auf_null,	0,
513 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
514 		auf_null,	0,
515 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
516 		auf_null,	0,
517 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
518 		auf_null,	0,
519 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
520 		auf_null,	0,
521 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
522 		auf_null,	0,
523 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
524 		auf_null,	0,
525 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
526 		auf_null,	0,
527 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
528 		auf_null,	0,
529 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
530 		auf_null,	0,
531 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
532 		auf_null,	0,
533 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
534 		auf_null,	0,
535 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
536 		auf_null,	0,
537 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
538 		auf_null,	0,
539 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
540 		auf_null,	0,
541 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
542 		auf_null,	0,
543 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
544 						/*	was lwp_setprivate */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
547 						/*	was lwp_getprivate */
548 		auf_null,	0,
549 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
550 		auf_null,	0,
551 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_unlock  */
552 		auf_null,	0,
553 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
554 		auf_null,	0,
555 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
556 		auf_null,	0,
557 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
558 		auf_null,	0,
559 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
560 		auf_null,	0,
561 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
562 		auf_read,	S2E_PUB,
563 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
564 		auf_write,	0,
565 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
566 		auf_null,	0,
567 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
568 						/* aus_inst_sync */
569 		auf_null,	0,
570 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
571 		auf_null,	0,
572 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
573 		auf_null,	0,
574 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
575 		auf_null,	0,
576 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
577 		auf_null,	0,
578 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
579 		auf_null,	0,
580 aui_null,	AUE_NULL,	aus_null,	/* 182 (loadable) */
581 		auf_null,	0,
582 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
583 		auf_null,	0,
584 aui_null,	AUE_NULL,	aus_null,	/* 184 (loadable) tsolsys */
585 		auf_null,	0,
586 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
587 		auf_null,	0,
588 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
589 		auf_null,	0,
590 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
591 		auf_null,	0,		/* 187 processor_bind */
592 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
593 		auf_null,	0,
594 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
595 		auf_null,	0,
596 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
597 		auf_null,	0,
598 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
599 		auf_null,	0,
600 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
601 		auf_null,	0,
602 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
603 		auf_null,	0,
604 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
605 		auf_null,	0,
606 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
607 		auf_null,	0,
608 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
609 		auf_null,	0,
610 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
611 		auf_null,	0,
612 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
613 		auf_null,	0,
614 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
615 		auf_null,	0,
616 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
617 		auf_null,	0,
618 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
619 		auf_null,	0,
620 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
621 		auf_null,	0,
622 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
623 		auf_null,	0,
624 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
625 		auf_null,	0,
626 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
627 		auf_null,	0,
628 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
629 		auf_null,	0,
630 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
631 		auf_null,	0,
632 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
633 		auf_null,	0,
634 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
635 		auf_null,	0,
636 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
637 		auf_null,	0,
638 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
639 		auf_null,	0,
640 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
641 		auf_null,	0,
642 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
643 		auf_null,	0,
644 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
645 		auf_null,	0,
646 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
647 		auf_null,	S2E_PUB,
648 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
649 		auf_null,	S2E_PUB,
650 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
651 		auf_null,	0,
652 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
653 		auf_null,	S2E_PUB,
654 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
655 		auf_null,	0,
656 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
657 		auf_null,	0,
658 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
659 		auf_null,	0,
660 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
661 		auf_read,	S2E_PUB,
662 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
663 		auf_write,	0,
664 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
665 		auf_null,	S2E_SP,
666 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
667 		auf_null,	S2E_SP,
668 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
669 		auf_null,	0,
670 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
671 		auf_null,	0,
672 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
673 		auf_null,	0,
674 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
675 		auf_null,	0,
676 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
677 		auf_null,	0,
678 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
679 		auf_null,	0,
680 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
681 		auf_bind,	0,
682 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
683 		auf_null,	0,
684 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
685 		auf_accept,	0,
686 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
687 		auf_connect,	0,
688 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
689 		auf_null,	0,
690 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
691 		auf_recv,	0,
692 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
693 		auf_recvfrom,	0,
694 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
695 		auf_recvmsg,	0,
696 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
697 		auf_send,	0,
698 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
699 		auf_sendmsg,	0,
700 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
701 		auf_sendto,	0,
702 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
703 		auf_null,	0,
704 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
705 		auf_null,	0,
706 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
707 		auf_null,	0,
708 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
709 		auf_setsockopt,	0,
710 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
711 		auf_null,	0,
712 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
713 		auf_null,	0,
714 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
715 		auf_null,	0,
716 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
717 		auf_null,	0,
718 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
719 		auf_null,	0,
720 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_init */
721 		auf_null,	0,
722 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
723 		auf_null,	0,
724 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
725 		auf_null,	0,
726 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
727 		auf_null,	0
728 };
729 
730 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
731 
732 char *so_not_bound = "socket not bound";
733 char *so_not_conn  = "socket not connected";
734 char *so_bad_addr  = "bad socket address";
735 char *so_bad_peer_addr  = "bad peer address";
736 
737 /* null start function */
738 /*ARGSUSED*/
739 static void
740 aus_null(struct t_audit_data *tad)
741 {
742 }
743 
744 /* acct start function */
745 /*ARGSUSED*/
746 static void
747 aus_acct(struct t_audit_data *tad)
748 {
749 	klwp_t *clwp = ttolwp(curthread);
750 	uintptr_t fname;
751 
752 	struct a {
753 		long	fname;		/* char * */
754 	} *uap = (struct a *)clwp->lwp_ap;
755 
756 	fname = (uintptr_t)uap->fname;
757 
758 	if (fname == 0)
759 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
760 }
761 
762 /* chown start function */
763 /*ARGSUSED*/
764 static void
765 aus_chown(struct t_audit_data *tad)
766 {
767 	klwp_t *clwp = ttolwp(curthread);
768 	uint32_t uid, gid;
769 
770 	struct a {
771 		long	fname;		/* char * */
772 		long	uid;
773 		long	gid;
774 	} *uap = (struct a *)clwp->lwp_ap;
775 
776 	uid = (uint32_t)uap->uid;
777 	gid = (uint32_t)uap->gid;
778 
779 	au_uwrite(au_to_arg32(2, "new file uid", uid));
780 	au_uwrite(au_to_arg32(3, "new file gid", gid));
781 }
782 
783 /* fchown start function */
784 /*ARGSUSED*/
785 static void
786 aus_fchown(struct t_audit_data *tad)
787 {
788 	klwp_t *clwp = ttolwp(curthread);
789 	uint32_t uid, gid, fd;
790 	struct file  *fp;
791 	struct vnode *vp;
792 	struct f_audit_data *fad;
793 
794 	struct a {
795 		long fd;
796 		long uid;
797 		long gid;
798 	} *uap = (struct a *)clwp->lwp_ap;
799 
800 	fd  = (uint32_t)uap->fd;
801 	uid = (uint32_t)uap->uid;
802 	gid = (uint32_t)uap->gid;
803 
804 	au_uwrite(au_to_arg32(2, "new file uid", uid));
805 	au_uwrite(au_to_arg32(3, "new file gid", gid));
806 
807 		/*
808 		 * convert file pointer to file descriptor
809 		 *   Note: fd ref count incremented here.
810 		 */
811 	if ((fp = getf(fd)) == NULL)
812 		return;
813 
814 	/* get path from file struct here */
815 	fad = F2A(fp);
816 	if (fad->fad_aupath != NULL) {
817 		au_uwrite(au_to_path(fad->fad_aupath));
818 	} else {
819 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
820 	}
821 
822 	vp = fp->f_vnode;
823 	audit_attributes(vp);
824 
825 	/* decrement file descriptor reference count */
826 	releasef(fd);
827 }
828 
829 /*ARGSUSED*/
830 static void
831 aus_lchown(struct t_audit_data *tad)
832 {
833 	klwp_t *clwp = ttolwp(curthread);
834 	uint32_t uid, gid;
835 
836 
837 	struct a {
838 		long	fname;		/* char	* */
839 		long	uid;
840 		long	gid;
841 	} *uap = (struct a *)clwp->lwp_ap;
842 
843 	uid = (uint32_t)uap->uid;
844 	gid = (uint32_t)uap->gid;
845 
846 	au_uwrite(au_to_arg32(2, "new file uid", uid));
847 	au_uwrite(au_to_arg32(3, "new file gid", gid));
848 }
849 
850 /* chmod start function */
851 /*ARGSUSED*/
852 static void
853 aus_chmod(struct t_audit_data *tad)
854 {
855 	klwp_t *clwp = ttolwp(curthread);
856 	uint32_t fmode;
857 
858 	struct a {
859 		long	fname;		/* char	* */
860 		long	fmode;
861 	} *uap = (struct a *)clwp->lwp_ap;
862 
863 	fmode = (uint32_t)uap->fmode;
864 
865 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
866 }
867 
868 /* chmod start function */
869 /*ARGSUSED*/
870 static void
871 aus_fchmod(struct t_audit_data *tad)
872 {
873 	klwp_t *clwp = ttolwp(curthread);
874 	uint32_t fmode, fd;
875 	struct file  *fp;
876 	struct vnode *vp;
877 	struct f_audit_data *fad;
878 
879 	struct a {
880 		long	fd;
881 		long	fmode;
882 	} *uap = (struct a *)clwp->lwp_ap;
883 
884 	fd = (uint32_t)uap->fd;
885 	fmode = (uint32_t)uap->fmode;
886 
887 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
888 
889 		/*
890 		 * convert file pointer to file descriptor
891 		 *   Note: fd ref count incremented here.
892 		 */
893 	if ((fp = getf(fd)) == NULL)
894 		return;
895 
896 		/* get path from file struct here */
897 	fad = F2A(fp);
898 	if (fad->fad_aupath != NULL) {
899 		au_uwrite(au_to_path(fad->fad_aupath));
900 	} else {
901 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
902 	}
903 
904 	vp = fp->f_vnode;
905 	audit_attributes(vp);
906 
907 	/* decrement file descriptor reference count */
908 	releasef(fd);
909 }
910 
911 /* null function */
912 /*ARGSUSED*/
913 static void
914 auf_null(struct t_audit_data *tad, int error, rval_t *rval)
915 {
916 }
917 
918 /* null function */
919 static au_event_t
920 aui_null(au_event_t e)
921 {
922 	return (e);
923 }
924 
925 /* convert open to appropriate event */
926 static au_event_t
927 aui_open(au_event_t e)
928 {
929 	klwp_t *clwp = ttolwp(curthread);
930 	uint_t fm;
931 
932 	struct a {
933 		long	fnamep;		/* char	* */
934 		long	fmode;
935 		long	cmode;
936 	} *uap = (struct a *)clwp->lwp_ap;
937 
938 	fm = (uint_t)uap->fmode;
939 
940 	if (fm & O_WRONLY)
941 		e = AUE_OPEN_W;
942 	else if (fm & O_RDWR)
943 		e = AUE_OPEN_RW;
944 	else
945 		e = AUE_OPEN_R;
946 
947 	if (fm & O_CREAT)
948 		e += 1;
949 	if (fm & O_TRUNC)
950 		e += 2;
951 
952 	return (e);
953 }
954 
955 /*ARGSUSED*/
956 static void
957 aus_open(struct t_audit_data *tad)
958 {
959 	klwp_t *clwp = ttolwp(curthread);
960 	uint_t fm;
961 
962 	struct a {
963 		long	fnamep;		/* char	* */
964 		long	fmode;
965 		long	cmode;
966 	} *uap = (struct a *)clwp->lwp_ap;
967 
968 	fm = (uint_t)uap->fmode;
969 
970 	/* If no write, create, or trunc modes, mark as a public op */
971 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
972 		tad->tad_ctrl |= PAD_PUBLIC_EV;
973 }
974 
975 /* convert openat(2) to appropriate event */
976 static au_event_t
977 aui_fsat(au_event_t e)
978 {
979 	t_audit_data_t	*tad = U2A(u);
980 	klwp_t *clwp = ttolwp(curthread);
981 	uint_t fmcode, fm;
982 	struct a {
983 		long id;
984 		long arg1;
985 		long arg2;
986 		long arg3;
987 		long arg4;
988 		long arg5;
989 	} *uap = (struct a *)clwp->lwp_ap;
990 
991 	fmcode  = (uint_t)uap->id;
992 
993 	switch (fmcode) {
994 
995 	case 0: /* openat */
996 	case 1: /* openat64 */
997 		fm = (uint_t)uap->arg3;
998 		if (fm & O_WRONLY)
999 			e = AUE_OPENAT_W;
1000 		else if (fm & O_RDWR)
1001 			e = AUE_OPENAT_RW;
1002 		else
1003 			e = AUE_OPENAT_R;
1004 
1005 		/*
1006 		 * openat modes are defined in the following order:
1007 		 * Read only
1008 		 * Read|Create
1009 		 * Read|Trunc
1010 		 * Read|Create|Trunc
1011 		 * Write Only
1012 		 * Write|Create
1013 		 * Write|Trunc
1014 		 * Write|Create|Trunc * RW Only
1015 		 * RW|Create
1016 		 * RW|Trunc
1017 		 * RW|Create|Trunc
1018 		 */
1019 		if (fm & O_CREAT)
1020 			e += 1;		/* increment to include CREAT in mode */
1021 		if (fm & O_TRUNC)
1022 			e += 2;		/* increment to include TRUNC in mode */
1023 
1024 		/* convert to appropriate au_ctrl */
1025 		tad->tad_ctrl |= PAD_SAVPATH;
1026 		if (fm & FXATTR)
1027 			tad->tad_ctrl |= PAD_ATPATH;
1028 
1029 
1030 		break;
1031 	case 2: /* fstatat64 */
1032 	case 3: /* fstatat */
1033 		e = AUE_FSTATAT;
1034 		break;
1035 	case 4: /* fchownat */
1036 		e = AUE_FCHOWNAT;
1037 		break;
1038 	case 5: /* unlinkat */
1039 		e = AUE_UNLINKAT;
1040 		break;
1041 	case 6: /* futimesat */
1042 		e = AUE_FUTIMESAT;
1043 		break;
1044 	case 7: /* renameat */
1045 		e = AUE_RENAMEAT;
1046 		break;
1047 	default:
1048 		e = AUE_NULL;
1049 		break;
1050 	}
1051 
1052 	return (e);
1053 }
1054 
1055 /*ARGSUSED*/
1056 static void
1057 aus_fsat(struct t_audit_data *tad)
1058 {
1059 	klwp_t *clwp = ttolwp(curthread);
1060 	uint_t fmcode, fm;
1061 	struct a {
1062 		long id;
1063 		long arg1;
1064 		long arg2;
1065 		long arg3;
1066 		long arg4;
1067 		long arg5;
1068 	} *uap = (struct a *)clwp->lwp_ap;
1069 
1070 	fmcode  = (uint_t)uap->id;
1071 
1072 	switch (fmcode) {
1073 
1074 	case 0: /* openat */
1075 	case 1: /* openat64 */
1076 		fm = (uint_t)uap->arg3;
1077 		/* If no write, create, or trunc modes, mark as a public op */
1078 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1079 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1080 
1081 		break;
1082 	case 2: /* fstatat64 */
1083 	case 3: /* fstatat */
1084 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1085 		break;
1086 	default:
1087 		break;
1088 	}
1089 }
1090 
1091 /* msgsys */
1092 static au_event_t
1093 aui_msgsys(au_event_t e)
1094 {
1095 	klwp_t *clwp = ttolwp(curthread);
1096 	uint_t fm;
1097 
1098 	struct a {
1099 		long	id;	/* function code id */
1100 		long	ap;	/* arg pointer for recvmsg */
1101 	} *uap = (struct a *)clwp->lwp_ap;
1102 
1103 	struct b {
1104 		long	msgid;
1105 		long	cmd;
1106 		long	buf;	/* struct msqid_ds * */
1107 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1108 
1109 	fm  = (uint_t)uap->id;
1110 
1111 	switch (fm) {
1112 	case 0:		/* msgget */
1113 		e = AUE_MSGGET;
1114 		break;
1115 	case 1:		/* msgctl */
1116 		switch ((uint_t)uap1->cmd) {
1117 		case IPC_RMID:
1118 			e = AUE_MSGCTL_RMID;
1119 			break;
1120 		case IPC_SET:
1121 			e = AUE_MSGCTL_SET;
1122 			break;
1123 		case IPC_STAT:
1124 			e = AUE_MSGCTL_STAT;
1125 			break;
1126 		default:
1127 			e = AUE_MSGCTL;
1128 			break;
1129 		}
1130 		break;
1131 	case 2:		/* msgrcv */
1132 		e = AUE_MSGRCV;
1133 		break;
1134 	case 3:		/* msgsnd */
1135 		e = AUE_MSGSND;
1136 		break;
1137 	default:	/* illegal system call */
1138 		e = AUE_NULL;
1139 		break;
1140 	}
1141 
1142 	return (e);
1143 }
1144 
1145 
1146 /* shmsys */
1147 static au_event_t
1148 aui_shmsys(au_event_t e)
1149 {
1150 	klwp_t *clwp = ttolwp(curthread);
1151 	int fm;
1152 
1153 	struct a {		/* shmsys */
1154 		long	id;	/* function code id */
1155 	} *uap = (struct a *)clwp->lwp_ap;
1156 
1157 	struct b {		/* ctrl */
1158 		long	shmid;
1159 		long	cmd;
1160 		long	arg;		/* struct shmid_ds * */
1161 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1162 	fm  = (uint_t)uap->id;
1163 
1164 	switch (fm) {
1165 	case 0:		/* shmat */
1166 		e = AUE_SHMAT;
1167 		break;
1168 	case 1:		/* shmctl */
1169 		switch ((uint_t)uap1->cmd) {
1170 		case IPC_RMID:
1171 			e = AUE_SHMCTL_RMID;
1172 			break;
1173 		case IPC_SET:
1174 			e = AUE_SHMCTL_SET;
1175 			break;
1176 		case IPC_STAT:
1177 			e = AUE_SHMCTL_STAT;
1178 			break;
1179 		default:
1180 			e = AUE_SHMCTL;
1181 			break;
1182 		}
1183 		break;
1184 	case 2:		/* shmdt */
1185 		e = AUE_SHMDT;
1186 		break;
1187 	case 3:		/* shmget */
1188 		e = AUE_SHMGET;
1189 		break;
1190 	default:	/* illegal system call */
1191 		e = AUE_NULL;
1192 		break;
1193 	}
1194 
1195 	return (e);
1196 }
1197 
1198 
1199 /* semsys */
1200 static au_event_t
1201 aui_semsys(au_event_t e)
1202 {
1203 	klwp_t *clwp = ttolwp(curthread);
1204 	uint_t fm;
1205 
1206 	struct a {		/* semsys */
1207 		long	id;
1208 	} *uap = (struct a *)clwp->lwp_ap;
1209 
1210 	struct b {		/* ctrl */
1211 		long	semid;
1212 		long	semnum;
1213 		long	cmd;
1214 		long	arg;
1215 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1216 
1217 	fm = (uint_t)uap->id;
1218 
1219 	switch (fm) {
1220 	case 0:		/* semctl */
1221 		switch ((uint_t)uap1->cmd) {
1222 		case IPC_RMID:
1223 			e = AUE_SEMCTL_RMID;
1224 			break;
1225 		case IPC_SET:
1226 			e = AUE_SEMCTL_SET;
1227 			break;
1228 		case IPC_STAT:
1229 			e = AUE_SEMCTL_STAT;
1230 			break;
1231 		case GETNCNT:
1232 			e = AUE_SEMCTL_GETNCNT;
1233 			break;
1234 		case GETPID:
1235 			e = AUE_SEMCTL_GETPID;
1236 			break;
1237 		case GETVAL:
1238 			e = AUE_SEMCTL_GETVAL;
1239 			break;
1240 		case GETALL:
1241 			e = AUE_SEMCTL_GETALL;
1242 			break;
1243 		case GETZCNT:
1244 			e = AUE_SEMCTL_GETZCNT;
1245 			break;
1246 		case SETVAL:
1247 			e = AUE_SEMCTL_SETVAL;
1248 			break;
1249 		case SETALL:
1250 			e = AUE_SEMCTL_SETALL;
1251 			break;
1252 		default:
1253 			e = AUE_SEMCTL;
1254 			break;
1255 		}
1256 		break;
1257 	case 1:		/* semget */
1258 		e = AUE_SEMGET;
1259 		break;
1260 	case 2:		/* semop */
1261 		e = AUE_SEMOP;
1262 		break;
1263 	default:	/* illegal system call */
1264 		e = AUE_NULL;
1265 		break;
1266 	}
1267 
1268 	return (e);
1269 }
1270 
1271 /* utssys - uname(2), ustat(2), fusers(2) */
1272 static au_event_t
1273 aui_utssys(au_event_t e)
1274 {
1275 	klwp_t *clwp = ttolwp(curthread);
1276 	uint_t type;
1277 
1278 	struct a {
1279 		union {
1280 			long	cbuf;		/* char * */
1281 			long	ubuf;		/* struct stat * */
1282 		} ub;
1283 		union {
1284 			long	mv;	/* for USTAT */
1285 			long	flags;	/* for FUSERS */
1286 		} un;
1287 		long	type;
1288 		long	outbp;		/* char * for FUSERS */
1289 	} *uap = (struct a *)clwp->lwp_ap;
1290 
1291 	type = (uint_t)uap->type;
1292 
1293 	if (type == UTS_FUSERS)
1294 		return (e);
1295 	else
1296 		return ((au_event_t)AUE_NULL);
1297 }
1298 
1299 static au_event_t
1300 aui_fcntl(au_event_t e)
1301 {
1302 	klwp_t *clwp = ttolwp(curthread);
1303 	uint_t cmd;
1304 
1305 	struct a {
1306 		long	fdes;
1307 		long	cmd;
1308 		long	arg;
1309 	} *uap = (struct a *)clwp->lwp_ap;
1310 
1311 	cmd = (uint_t)uap->cmd;
1312 
1313 	switch (cmd) {
1314 	case F_GETLK:
1315 	case F_SETLK:
1316 	case F_SETLKW:
1317 		break;
1318 	case F_SETFL:
1319 	case F_GETFL:
1320 	case F_GETFD:
1321 		break;
1322 	default:
1323 		e = (au_event_t)AUE_NULL;
1324 		break;
1325 	}
1326 	return ((au_event_t)e);
1327 }
1328 
1329 /* null function for now */
1330 static au_event_t
1331 aui_execv(au_event_t e)
1332 {
1333 	return (e);
1334 }
1335 
1336 /* null function for now */
1337 static au_event_t
1338 aui_execve(au_event_t e)
1339 {
1340 	return (e);
1341 }
1342 
1343 /*ARGSUSED*/
1344 static void
1345 aus_fcntl(struct t_audit_data *tad)
1346 {
1347 	klwp_t *clwp = ttolwp(curthread);
1348 	uint32_t cmd, fd;
1349 	struct file  *fp;
1350 	struct vnode *vp;
1351 	struct f_audit_data *fad;
1352 
1353 	struct a {
1354 		long	fd;
1355 		long	cmd;
1356 		long	arg;
1357 	} *uap = (struct a *)clwp->lwp_ap;
1358 
1359 	cmd = (uint32_t)uap->cmd;
1360 	fd  = (uint32_t)uap->fd;
1361 
1362 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1363 
1364 		/*
1365 		 * convert file pointer to file descriptor
1366 		 *   Note: fd ref count incremented here.
1367 		 */
1368 	if ((fp = getf(fd)) == NULL)
1369 		return;
1370 
1371 	/* get path from file struct here */
1372 	fad = F2A(fp);
1373 	if (fad->fad_aupath != NULL) {
1374 		au_uwrite(au_to_path(fad->fad_aupath));
1375 	} else {
1376 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1377 	}
1378 
1379 	vp = fp->f_vnode;
1380 	audit_attributes(vp);
1381 
1382 	/* decrement file descriptor reference count */
1383 	releasef(fd);
1384 }
1385 
1386 /*ARGSUSED*/
1387 static void
1388 aus_kill(struct t_audit_data *tad)
1389 {
1390 	klwp_t *clwp = ttolwp(curthread);
1391 	struct proc *p;
1392 	uint32_t signo;
1393 	uid_t uid, ruid;
1394 	gid_t gid, rgid;
1395 	pid_t pid;
1396 	const auditinfo_addr_t *ainfo;
1397 	cred_t *cr;
1398 
1399 	struct a {
1400 		long	pid;
1401 		long	signo;
1402 	} *uap = (struct a *)clwp->lwp_ap;
1403 
1404 	pid   = (pid_t)uap->pid;
1405 	signo = (uint32_t)uap->signo;
1406 
1407 	au_uwrite(au_to_arg32(2, "signal", signo));
1408 	if (pid > 0) {
1409 		mutex_enter(&pidlock);
1410 		if (((p = prfind(pid)) == (struct proc *)0) ||
1411 		    (p->p_stat == SIDL)) {
1412 			mutex_exit(&pidlock);
1413 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1414 			return;
1415 		}
1416 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1417 		mutex_exit(&pidlock);
1418 
1419 		mutex_enter(&p->p_crlock);
1420 		crhold(cr = p->p_cred);
1421 		mutex_exit(&p->p_crlock);
1422 		mutex_exit(&p->p_lock);
1423 
1424 		ainfo = crgetauinfo(cr);
1425 		if (ainfo == NULL) {
1426 			crfree(cr);
1427 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1428 			return;
1429 		}
1430 
1431 		uid  = crgetuid(cr);
1432 		gid  = crgetgid(cr);
1433 		ruid = crgetruid(cr);
1434 		rgid = crgetrgid(cr);
1435 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1436 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1437 
1438 		if (is_system_labeled())
1439 			au_uwrite(au_to_label(CR_SL(cr)));
1440 
1441 		crfree(cr);
1442 	}
1443 	else
1444 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1445 }
1446 
1447 /*ARGSUSED*/
1448 static void
1449 aus_mkdir(struct t_audit_data *tad)
1450 {
1451 	klwp_t *clwp = ttolwp(curthread);
1452 	uint32_t dmode;
1453 
1454 	struct a {
1455 		long	dirnamep;		/* char * */
1456 		long	dmode;
1457 	} *uap = (struct a *)clwp->lwp_ap;
1458 
1459 	dmode = (uint32_t)uap->dmode;
1460 
1461 	au_uwrite(au_to_arg32(2, "mode", dmode));
1462 }
1463 
1464 /*ARGSUSED*/
1465 static void
1466 aus_mknod(struct t_audit_data *tad)
1467 {
1468 	klwp_t *clwp = ttolwp(curthread);
1469 	uint32_t fmode;
1470 	dev_t dev;
1471 
1472 	struct a {
1473 		long	pnamep;		/* char * */
1474 		long	fmode;
1475 		long	dev;
1476 	} *uap = (struct a *)clwp->lwp_ap;
1477 
1478 	fmode = (uint32_t)uap->fmode;
1479 	dev   = (dev_t)uap->dev;
1480 
1481 	au_uwrite(au_to_arg32(2, "mode", fmode));
1482 #ifdef _LP64
1483 	au_uwrite(au_to_arg64(3, "dev", dev));
1484 #else
1485 	au_uwrite(au_to_arg32(3, "dev", dev));
1486 #endif
1487 }
1488 
1489 /*ARGSUSED*/
1490 static void
1491 aus_xmknod(struct t_audit_data *tad)
1492 {
1493 	klwp_t *clwp = ttolwp(curthread);
1494 	uint32_t fmode;
1495 	dev_t dev;
1496 
1497 	struct a {
1498 		long	version;	/* version */
1499 		long	pnamep;		/* char * */
1500 		long	fmode;
1501 		long	dev;
1502 	} *uap = (struct a *)clwp->lwp_ap;
1503 
1504 	fmode = (uint32_t)uap->fmode;
1505 	dev   = (dev_t)uap->dev;
1506 
1507 	au_uwrite(au_to_arg32(2, "mode", fmode));
1508 #ifdef _LP64
1509 	au_uwrite(au_to_arg64(3, "dev", dev));
1510 #else
1511 	au_uwrite(au_to_arg32(3, "dev", dev));
1512 #endif
1513 }
1514 
1515 /*ARGSUSED*/
1516 static void
1517 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1518 {
1519 	klwp_t *clwp = ttolwp(curthread);
1520 	vnode_t	*dvp;
1521 	caddr_t pnamep;
1522 
1523 	struct a {
1524 		long	pnamep;		/* char * */
1525 		long	fmode;
1526 		long	dev;
1527 	} *uap = (struct a *)clwp->lwp_ap;
1528 
1529 	/* no error, then already path token in audit record */
1530 	if (error != EPERM)
1531 		return;
1532 
1533 	/* not auditing this event, nothing then to do */
1534 	if (tad->tad_flag == 0)
1535 		return;
1536 
1537 	/* do the lookup to force generation of path token */
1538 	pnamep = (caddr_t)uap->pnamep;
1539 	tad->tad_ctrl |= PAD_NOATTRB;
1540 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1541 	if (error == 0)
1542 		VN_RELE(dvp);
1543 }
1544 
1545 /*ARGSUSED*/
1546 static void
1547 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1548 {
1549 	klwp_t *clwp = ttolwp(curthread);
1550 	vnode_t	*dvp;
1551 	caddr_t pnamep;
1552 
1553 	struct a {
1554 		long	version;	/* version */
1555 		long	pnamep;		/* char * */
1556 		long	fmode;
1557 		long	dev;
1558 	} *uap = (struct a *)clwp->lwp_arg;
1559 
1560 
1561 	/* no error, then already path token in audit record */
1562 	if (error != EPERM)
1563 		return;
1564 
1565 	/* not auditing this event, nothing then to do */
1566 	if (tad->tad_flag == 0)
1567 		return;
1568 
1569 	/* do the lookup to force generation of path token */
1570 	pnamep = (caddr_t)uap->pnamep;
1571 	tad->tad_ctrl |= PAD_NOATTRB;
1572 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1573 	if (error == 0)
1574 		VN_RELE(dvp);
1575 }
1576 
1577 /*ARGSUSED*/
1578 static void
1579 aus_mount(struct t_audit_data *tad)
1580 {	/* AUS_START */
1581 	klwp_t *clwp = ttolwp(curthread);
1582 	uint32_t flags;
1583 	uintptr_t u_fstype, dataptr;
1584 	STRUCT_DECL(nfs_args, nfsargs);
1585 	size_t len;
1586 	char *fstype, *hostname;
1587 
1588 	struct a {
1589 		long	spec;		/* char    * */
1590 		long	dir;		/* char    * */
1591 		long	flags;
1592 		long	fstype;		/* char    * */
1593 		long	dataptr;	/* char    * */
1594 		long	datalen;
1595 	} *uap = (struct a *)clwp->lwp_ap;
1596 
1597 	u_fstype = (uintptr_t)uap->fstype;
1598 	flags    = (uint32_t)uap->flags;
1599 	dataptr  = (uintptr_t)uap->dataptr;
1600 
1601 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1602 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1603 		goto mount_free_fstype;
1604 
1605 	au_uwrite(au_to_arg32(3, "flags", flags));
1606 	au_uwrite(au_to_text(fstype));
1607 
1608 	if (strncmp(fstype, "nfs", 3) == 0) {
1609 
1610 		STRUCT_INIT(nfsargs, get_udatamodel());
1611 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1612 
1613 		if (copyin((caddr_t)dataptr,
1614 				STRUCT_BUF(nfsargs),
1615 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1616 			/* DEBUG debug_enter((char *)NULL); */
1617 			goto mount_free_fstype;
1618 		}
1619 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1620 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1621 				(caddr_t)hostname,
1622 				MAXNAMELEN, &len)) {
1623 			goto mount_free_hostname;
1624 		}
1625 		au_uwrite(au_to_text(hostname));
1626 		au_uwrite(au_to_arg32(3, "internal flags",
1627 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1628 
1629 mount_free_hostname:
1630 		kmem_free(hostname, MAXNAMELEN);
1631 	}
1632 
1633 mount_free_fstype:
1634 	kmem_free(fstype, MAXNAMELEN);
1635 }	/* AUS_MOUNT */
1636 
1637 static void
1638 aus_umount_path(caddr_t umount_dir)
1639 {
1640 	char			*dir_path;
1641 	struct audit_path	*path;
1642 	size_t			path_len, dir_len;
1643 
1644 	/* length alloc'd for two string pointers */
1645 	path_len = sizeof (struct audit_path) + sizeof (char *);
1646 	path = kmem_alloc(path_len, KM_SLEEP);
1647 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1648 
1649 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1650 	    MAXPATHLEN, &dir_len))
1651 		goto umount2_free_dir;
1652 
1653 	/*
1654 	 * the audit_path struct assumes that the buffer pointed to
1655 	 * by audp_sect[n] contains string 0 immediatedly followed
1656 	 * by string 1.
1657 	 */
1658 	path->audp_sect[0] = dir_path;
1659 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1660 	path->audp_size = path_len;
1661 	path->audp_ref = 1;		/* not used */
1662 	path->audp_cnt = 1;		/* one path string */
1663 
1664 	au_uwrite(au_to_path(path));
1665 
1666 umount2_free_dir:
1667 	kmem_free(dir_path, MAXPATHLEN);
1668 	kmem_free(path, path_len);
1669 }
1670 
1671 /*
1672  * the umount syscall is implemented as a call to umount2, but the args
1673  * are different...
1674  */
1675 
1676 /*ARGSUSED*/
1677 static void
1678 aus_umount(struct t_audit_data *tad)
1679 {
1680 	klwp_t			*clwp = ttolwp(curthread);
1681 	struct a {
1682 		long	dir;		/* char    * */
1683 	} *uap = (struct a *)clwp->lwp_ap;
1684 
1685 	aus_umount_path((caddr_t)uap->dir);
1686 }
1687 
1688 /*ARGSUSED*/
1689 static void
1690 aus_umount2(struct t_audit_data *tad)
1691 {
1692 	klwp_t			*clwp = ttolwp(curthread);
1693 	struct a {
1694 		long	dir;		/* char    * */
1695 		long	flags;
1696 	} *uap = (struct a *)clwp->lwp_ap;
1697 
1698 	aus_umount_path((caddr_t)uap->dir);
1699 
1700 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1701 }
1702 
1703 static void
1704 aus_msgsys(struct t_audit_data *tad)
1705 {
1706 	klwp_t *clwp = ttolwp(curthread);
1707 	uint32_t msgid;
1708 
1709 	struct b {
1710 		long	msgid;
1711 		long	cmd;
1712 		long	buf;		/* struct msqid_ds * */
1713 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1714 
1715 	msgid = (uint32_t)uap1->msgid;
1716 
1717 
1718 	switch (tad->tad_event) {
1719 	case AUE_MSGGET:		/* msgget */
1720 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1721 		break;
1722 	case AUE_MSGCTL:		/* msgctl */
1723 	case AUE_MSGCTL_RMID:		/* msgctl */
1724 	case AUE_MSGCTL_STAT:		/* msgctl */
1725 	case AUE_MSGRCV:		/* msgrcv */
1726 	case AUE_MSGSND:		/* msgsnd */
1727 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1728 		break;
1729 	case AUE_MSGCTL_SET:		/* msgctl */
1730 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1731 		break;
1732 	}
1733 }
1734 
1735 /*ARGSUSED*/
1736 static void
1737 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1738 {
1739 	int id;
1740 
1741 	if (error != 0)
1742 		return;
1743 	if (tad->tad_event == AUE_MSGGET) {
1744 		uint32_t scid;
1745 		uint32_t sy_flags;
1746 
1747 		/* need to determine type of executing binary */
1748 		scid = tad->tad_scid;
1749 #ifdef _SYSCALL32_IMPL
1750 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1751 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1752 		else
1753 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1754 #else
1755 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1756 #endif
1757 		if (sy_flags == SE_32RVAL1)
1758 			id = rval->r_val1;
1759 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1760 			id = rval->r_val1;
1761 		if (sy_flags == SE_64RVAL)
1762 			id = (int)rval->r_vals;
1763 
1764 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1765 	}
1766 }
1767 
1768 static void
1769 aus_semsys(struct t_audit_data *tad)
1770 {
1771 	klwp_t *clwp = ttolwp(curthread);
1772 	uint32_t semid;
1773 
1774 	struct b {		/* ctrl */
1775 		long	semid;
1776 		long	semnum;
1777 		long	cmd;
1778 		long	arg;
1779 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1780 
1781 	semid = (uint32_t)uap1->semid;
1782 
1783 	switch (tad->tad_event) {
1784 	case AUE_SEMCTL_RMID:
1785 	case AUE_SEMCTL_STAT:
1786 	case AUE_SEMCTL_GETNCNT:
1787 	case AUE_SEMCTL_GETPID:
1788 	case AUE_SEMCTL_GETVAL:
1789 	case AUE_SEMCTL_GETALL:
1790 	case AUE_SEMCTL_GETZCNT:
1791 	case AUE_SEMCTL_SETVAL:
1792 	case AUE_SEMCTL_SETALL:
1793 	case AUE_SEMCTL:
1794 	case AUE_SEMOP:
1795 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1796 		break;
1797 	case AUE_SEMCTL_SET:
1798 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1799 		break;
1800 	case AUE_SEMGET:
1801 		au_uwrite(au_to_arg32(1, "sem key", semid));
1802 		break;
1803 	}
1804 }
1805 
1806 /*ARGSUSED*/
1807 static void
1808 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1809 {
1810 	int id;
1811 
1812 	if (error != 0)
1813 		return;
1814 	if (tad->tad_event == AUE_SEMGET) {
1815 		uint32_t scid;
1816 		uint32_t sy_flags;
1817 
1818 		/* need to determine type of executing binary */
1819 		scid = tad->tad_scid;
1820 #ifdef _SYSCALL32_IMPL
1821 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1822 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1823 		else
1824 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1825 #else
1826 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1827 #endif
1828 		if (sy_flags == SE_32RVAL1)
1829 			id = rval->r_val1;
1830 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1831 			id = rval->r_val1;
1832 		if (sy_flags == SE_64RVAL)
1833 			id = (int)rval->r_vals;
1834 
1835 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1836 	}
1837 }
1838 
1839 /*ARGSUSED*/
1840 static void
1841 aus_close(struct t_audit_data *tad)
1842 {
1843 	klwp_t *clwp = ttolwp(curthread);
1844 	uint32_t fd;
1845 	struct file *fp;
1846 	struct f_audit_data *fad;
1847 	struct vnode *vp;
1848 	struct vattr attr;
1849 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1850 
1851 	struct a {
1852 		long	i;
1853 	} *uap = (struct a *)clwp->lwp_ap;
1854 
1855 	fd = (uint32_t)uap->i;
1856 
1857 	attr.va_mask = 0;
1858 	au_uwrite(au_to_arg32(1, "fd", fd));
1859 
1860 		/*
1861 		 * convert file pointer to file descriptor
1862 		 *   Note: fd ref count incremented here.
1863 		 */
1864 	if ((fp = getf(fd)) == NULL)
1865 		return;
1866 
1867 	fad = F2A(fp);
1868 	tad->tad_evmod = (short)fad->fad_flags;
1869 	if (fad->fad_aupath != NULL) {
1870 		au_uwrite(au_to_path(fad->fad_aupath));
1871 		if ((vp = fp->f_vnode) != NULL) {
1872 			attr.va_mask = AT_ALL;
1873 			if (VOP_GETATTR(vp, &attr, 0, CRED()) == 0) {
1874 				/*
1875 				 * When write was not used and the file can be
1876 				 * considered public, skip the audit.
1877 				 */
1878 				if (((fp->f_flag & FWRITE) == 0) &&
1879 				    file_is_public(&attr)) {
1880 					tad->tad_flag = 0;
1881 					tad->tad_evmod = 0;
1882 					/* free any residual audit data */
1883 					au_close(kctx, &(u_ad), 0, 0, 0);
1884 					releasef(fd);
1885 					return;
1886 				}
1887 				au_uwrite(au_to_attr(&attr));
1888 				audit_sec_attributes(&(u_ad), vp);
1889 			}
1890 		}
1891 	}
1892 
1893 	/* decrement file descriptor reference count */
1894 	releasef(fd);
1895 }
1896 
1897 /*ARGSUSED*/
1898 static void
1899 aus_fstatfs(struct t_audit_data *tad)
1900 {
1901 	klwp_t *clwp = ttolwp(curthread);
1902 	uint32_t fd;
1903 	struct file  *fp;
1904 	struct vnode *vp;
1905 	struct f_audit_data *fad;
1906 
1907 	struct a {
1908 		long	fd;
1909 		long	buf;		/* struct statfs * */
1910 	} *uap = (struct a *)clwp->lwp_ap;
1911 
1912 	fd = (uint_t)uap->fd;
1913 
1914 		/*
1915 		 * convert file pointer to file descriptor
1916 		 *   Note: fd ref count incremented here.
1917 		 */
1918 	if ((fp = getf(fd)) == NULL)
1919 		return;
1920 
1921 		/* get path from file struct here */
1922 	fad = F2A(fp);
1923 	if (fad->fad_aupath != NULL) {
1924 		au_uwrite(au_to_path(fad->fad_aupath));
1925 	} else {
1926 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1927 	}
1928 
1929 	vp = fp->f_vnode;
1930 	audit_attributes(vp);
1931 
1932 	/* decrement file descriptor reference count */
1933 	releasef(fd);
1934 }
1935 
1936 #ifdef NOTYET
1937 /*ARGSUSED*/
1938 static void
1939 aus_setpgrp(struct t_audit_data *tad)
1940 {
1941 	klwp_t *clwp = ttolwp(curthread);
1942 	uint32_t pgrp;
1943 	struct proc *p;
1944 	uid_t uid, ruid;
1945 	gid_t gid, rgid;
1946 	pid_t pid;
1947 	const auditinfo_addr_t *ainfo;
1948 	cred_t *cr;
1949 
1950 	struct a {
1951 		long	pid;
1952 		long	pgrp;
1953 	} *uap = (struct a *)clwp->lwp_ap;
1954 
1955 	pid  = (pid_t)uap->pid;
1956 	pgrp = (uint32_t)uap->pgrp;
1957 
1958 		/* current process? */
1959 	if (pid == 0)
1960 		(return);
1961 
1962 	mutex_enter(&pidlock);
1963 	p = prfind(pid);
1964 	if (p == NULL || p->p_as == &kas) {
1965 		mutex_exit(&pidlock);
1966 		return;
1967 	}
1968 	mutex_enter(&p->p_lock);	/* so process doesn't go away */
1969 	mutex_exit(&pidlock);
1970 
1971 	mutex_enter(&p->p_crlock);
1972 	crhold(cr = p->p_cred);
1973 	mutex_exit(&p->p_crlock);
1974 	mutex_exit(&p->p_lock);
1975 
1976 	ainfo = crgetauinfo(cr);
1977 	if (ainfo == NULL) {
1978 		crfree(cr);
1979 		return;
1980 	}
1981 
1982 	uid  = crgetuid(cr);
1983 	gid  = crgetgid(cr);
1984 	ruid = crgetruid(cr);
1985 	rgid = crgetrgid(cr);
1986 	au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1987 	    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1988 	crfree(cr);
1989 	au_uwrite(au_to_arg32(2, "pgrp", pgrp));
1990 }
1991 #endif
1992 
1993 /*ARGSUSED*/
1994 static void
1995 aus_setregid(struct t_audit_data *tad)
1996 {
1997 	klwp_t *clwp = ttolwp(curthread);
1998 	uint32_t rgid, egid;
1999 
2000 	struct a {
2001 		long	 rgid;
2002 		long	 egid;
2003 	} *uap = (struct a *)clwp->lwp_ap;
2004 
2005 	rgid  = (uint32_t)uap->rgid;
2006 	egid  = (uint32_t)uap->egid;
2007 
2008 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2009 	au_uwrite(au_to_arg32(2, "egid", egid));
2010 }
2011 
2012 /*ARGSUSED*/
2013 static void
2014 aus_setgid(struct t_audit_data *tad)
2015 {
2016 	klwp_t *clwp = ttolwp(curthread);
2017 	uint32_t gid;
2018 
2019 	struct a {
2020 		long	gid;
2021 	} *uap = (struct a *)clwp->lwp_ap;
2022 
2023 	gid = (uint32_t)uap->gid;
2024 
2025 	au_uwrite(au_to_arg32(1, "gid", gid));
2026 }
2027 
2028 
2029 /*ARGSUSED*/
2030 static void
2031 aus_setreuid(struct t_audit_data *tad)
2032 {
2033 	klwp_t *clwp = ttolwp(curthread);
2034 	uint32_t ruid, euid;
2035 
2036 	struct a {
2037 		long	ruid;
2038 		long	euid;
2039 	} *uap = (struct a *)clwp->lwp_ap;
2040 
2041 	ruid = (uint32_t)uap->ruid;
2042 	euid  = (uint32_t)uap->euid;
2043 
2044 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2045 	au_uwrite(au_to_arg32(2, "euid", euid));
2046 }
2047 
2048 
2049 /*ARGSUSED*/
2050 static void
2051 aus_setuid(struct t_audit_data *tad)
2052 {
2053 	klwp_t *clwp = ttolwp(curthread);
2054 	uint32_t uid;
2055 
2056 	struct a {
2057 		long	uid;
2058 	} *uap = (struct a *)clwp->lwp_ap;
2059 
2060 	uid = (uint32_t)uap->uid;
2061 
2062 	au_uwrite(au_to_arg32(1, "uid", uid));
2063 }
2064 
2065 /*ARGSUSED*/
2066 static void
2067 aus_shmsys(struct t_audit_data *tad)
2068 {
2069 	klwp_t *clwp = ttolwp(curthread);
2070 	uint32_t id, cmd;
2071 
2072 	struct b {
2073 		long	id;
2074 		long	cmd;
2075 		long	buf;		/* struct shmid_ds * */
2076 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2077 
2078 	id  = (uint32_t)uap1->id;
2079 	cmd = (uint32_t)uap1->cmd;
2080 
2081 	switch (tad->tad_event) {
2082 	case AUE_SHMGET:			/* shmget */
2083 		au_uwrite(au_to_arg32(1, "shm key", id));
2084 		break;
2085 	case AUE_SHMCTL:			/* shmctl */
2086 	case AUE_SHMCTL_RMID:			/* shmctl */
2087 	case AUE_SHMCTL_STAT:			/* shmctl */
2088 	case AUE_SHMCTL_SET:			/* shmctl */
2089 		au_uwrite(au_to_arg32(1, "shm ID", id));
2090 		break;
2091 	case AUE_SHMDT:				/* shmdt */
2092 		au_uwrite(au_to_arg32(1, "shm adr", id));
2093 		break;
2094 	case AUE_SHMAT:				/* shmat */
2095 		au_uwrite(au_to_arg32(1, "shm ID", id));
2096 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2097 		break;
2098 	}
2099 }
2100 
2101 /*ARGSUSED*/
2102 static void
2103 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2104 {
2105 	int id;
2106 
2107 	if (error != 0)
2108 		return;
2109 	if (tad->tad_event == AUE_SHMGET) {
2110 		uint32_t scid;
2111 		uint32_t sy_flags;
2112 
2113 		/* need to determine type of executing binary */
2114 		scid = tad->tad_scid;
2115 #ifdef _SYSCALL32_IMPL
2116 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2117 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2118 		else
2119 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2120 #else
2121 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2122 #endif
2123 		if (sy_flags == SE_32RVAL1)
2124 			id = rval->r_val1;
2125 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2126 			id = rval->r_val1;
2127 		if (sy_flags == SE_64RVAL)
2128 			id = (int)rval->r_vals;
2129 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2130 	}
2131 }
2132 
2133 
2134 /*ARGSUSED*/
2135 static void
2136 aus_ioctl(struct t_audit_data *tad)
2137 {
2138 	klwp_t *clwp = ttolwp(curthread);
2139 	struct file *fp;
2140 	struct vnode *vp;
2141 	struct f_audit_data *fad;
2142 	uint32_t fd, cmd;
2143 	uintptr_t cmarg;
2144 
2145 	/* XX64 */
2146 	struct a {
2147 		long	fd;
2148 		long	cmd;
2149 		long	cmarg;		/* caddr_t */
2150 	} *uap = (struct a *)clwp->lwp_ap;
2151 
2152 	fd    = (uint32_t)uap->fd;
2153 	cmd   = (uint32_t)uap->cmd;
2154 	cmarg = (uintptr_t)uap->cmarg;
2155 
2156 		/*
2157 		 * convert file pointer to file descriptor
2158 		 *   Note: fd ref count incremented here.
2159 		 */
2160 	if ((fp = getf(fd)) == NULL) {
2161 		au_uwrite(au_to_arg32(1, "fd", fd));
2162 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2163 #ifndef _LP64
2164 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2165 #else
2166 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2167 #endif
2168 		return;
2169 	}
2170 
2171 	/* get path from file struct here */
2172 	fad = F2A(fp);
2173 	if (fad->fad_aupath != NULL) {
2174 		au_uwrite(au_to_path(fad->fad_aupath));
2175 	} else {
2176 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2177 	}
2178 
2179 	vp = fp->f_vnode;
2180 	audit_attributes(vp);
2181 
2182 	/* decrement file descriptor reference count */
2183 	releasef(fd);
2184 
2185 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2186 #ifndef _LP64
2187 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2188 #else
2189 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2190 #endif
2191 }
2192 
2193 /*
2194  * null function for memcntl for now. We might want to limit memcntl()
2195  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2196  * require privileges.
2197  */
2198 static au_event_t
2199 aui_memcntl(au_event_t e)
2200 {
2201 	return (e);
2202 }
2203 
2204 /*ARGSUSED*/
2205 static au_event_t
2206 aui_privsys(au_event_t e)
2207 {
2208 	klwp_t *clwp = ttolwp(curthread);
2209 
2210 	struct a {
2211 		long	opcode;
2212 	} *uap = (struct a *)clwp->lwp_ap;
2213 
2214 	switch (uap->opcode) {
2215 	case PRIVSYS_SETPPRIV:
2216 		return (AUE_SETPPRIV);
2217 	default:
2218 		return (AUE_NULL);
2219 	}
2220 }
2221 
2222 /*ARGSUSED*/
2223 static void
2224 aus_memcntl(struct t_audit_data *tad)
2225 {
2226 	klwp_t *clwp = ttolwp(curthread);
2227 
2228 	struct a {
2229 		long	addr;
2230 		long	len;
2231 		long	cmd;
2232 		long	arg;
2233 		long	attr;
2234 		long	mask;
2235 	} *uap = (struct a *)clwp->lwp_ap;
2236 
2237 #ifdef _LP64
2238 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2239 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2240 #else
2241 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2242 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2243 #endif
2244 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2245 #ifdef _LP64
2246 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2247 #else
2248 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2249 #endif
2250 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2251 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2252 }
2253 
2254 /*ARGSUSED*/
2255 static void
2256 aus_mmap(struct t_audit_data *tad)
2257 {
2258 	klwp_t *clwp = ttolwp(curthread);
2259 	struct file *fp;
2260 	struct f_audit_data *fad;
2261 	struct vnode *vp;
2262 	uint32_t fd;
2263 
2264 	struct a {
2265 		long	addr;
2266 		long	len;
2267 		long	prot;
2268 		long	flags;
2269 		long	fd;
2270 		long	pos;
2271 	} *uap = (struct a *)clwp->lwp_ap;
2272 
2273 	fd = (uint32_t)uap->fd;
2274 
2275 #ifdef _LP64
2276 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2277 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2278 #else
2279 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2280 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2281 #endif
2282 
2283 	if ((fp = getf(fd)) == NULL) {
2284 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2285 		return;
2286 	}
2287 
2288 	/*
2289 	 * Mark in the tad if write access is NOT requested... if
2290 	 * this is later detected (in audit_attributes) to be a
2291 	 * public object, the mmap event may be discarded.
2292 	 */
2293 	if (((uap->prot) & PROT_WRITE) == 0) {
2294 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2295 	}
2296 
2297 	fad = F2A(fp);
2298 	if (fad->fad_aupath != NULL) {
2299 		au_uwrite(au_to_path(fad->fad_aupath));
2300 	} else {
2301 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2302 	}
2303 
2304 	vp = (struct vnode *)fp->f_vnode;
2305 	audit_attributes(vp);
2306 
2307 	/* mark READ/WRITE since we can't predict access */
2308 	if (uap->prot & PROT_READ)
2309 		fad->fad_flags |= FAD_READ;
2310 	if (uap->prot & PROT_WRITE)
2311 		fad->fad_flags |= FAD_WRITE;
2312 
2313 	/* decrement file descriptor reference count */
2314 	releasef(fd);
2315 
2316 }	/* AUS_MMAP */
2317 
2318 
2319 
2320 
2321 /*ARGSUSED*/
2322 static void
2323 aus_munmap(struct t_audit_data *tad)
2324 {
2325 	klwp_t *clwp = ttolwp(curthread);
2326 
2327 	struct a {
2328 		long	addr;
2329 		long	len;
2330 	} *uap = (struct a *)clwp->lwp_ap;
2331 
2332 #ifdef _LP64
2333 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2334 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2335 #else
2336 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2337 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2338 #endif
2339 
2340 }	/* AUS_MUNMAP */
2341 
2342 
2343 
2344 
2345 
2346 
2347 
2348 /*ARGSUSED*/
2349 static void
2350 aus_priocntlsys(struct t_audit_data *tad)
2351 {
2352 	klwp_t *clwp = ttolwp(curthread);
2353 
2354 	struct a {
2355 		long	pc_version;
2356 		long	psp;		/* procset_t */
2357 		long	cmd;
2358 		long	arg;
2359 	} *uap = (struct a *)clwp->lwp_ap;
2360 
2361 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2362 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2363 
2364 }	/* AUS_PRIOCNTLSYS */
2365 
2366 
2367 /*ARGSUSED*/
2368 static void
2369 aus_setegid(struct t_audit_data *tad)
2370 {
2371 	klwp_t *clwp = ttolwp(curthread);
2372 	uint32_t gid;
2373 
2374 	struct a {
2375 		long	gid;
2376 	} *uap = (struct a *)clwp->lwp_ap;
2377 
2378 	gid = (uint32_t)uap->gid;
2379 
2380 	au_uwrite(au_to_arg32(1, "gid", gid));
2381 }	/* AUS_SETEGID */
2382 
2383 
2384 
2385 
2386 /*ARGSUSED*/
2387 static void
2388 aus_setgroups(struct t_audit_data *tad)
2389 {
2390 	klwp_t *clwp = ttolwp(curthread);
2391 	int i;
2392 	int gidsetsize;
2393 	uintptr_t gidset;
2394 	gid_t *gidlist;
2395 
2396 	struct a {
2397 		long	gidsetsize;
2398 		long	gidset;
2399 	} *uap = (struct a *)clwp->lwp_ap;
2400 
2401 	gidsetsize = (uint_t)uap->gidsetsize;
2402 	gidset = (uintptr_t)uap->gidset;
2403 
2404 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2405 		return;
2406 	if (gidsetsize != 0) {
2407 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2408 						KM_SLEEP);
2409 		if (copyin((caddr_t)gidset, gidlist,
2410 			gidsetsize * sizeof (gid_t)) == 0)
2411 			for (i = 0; i < gidsetsize; i++)
2412 				au_uwrite(au_to_arg32(1, "setgroups",
2413 						(uint32_t)gidlist[i]));
2414 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2415 	} else
2416 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2417 
2418 }	/* AUS_SETGROUPS */
2419 
2420 
2421 
2422 
2423 
2424 /*ARGSUSED*/
2425 static void
2426 aus_seteuid(struct t_audit_data *tad)
2427 {
2428 	klwp_t *clwp = ttolwp(curthread);
2429 	uint32_t uid;
2430 
2431 	struct a {
2432 		long	uid;
2433 	} *uap = (struct a *)clwp->lwp_ap;
2434 
2435 	uid = (uint32_t)uap->uid;
2436 
2437 	au_uwrite(au_to_arg32(1, "euid", uid));
2438 
2439 }	/* AUS_SETEUID */
2440 
2441 /*ARGSUSED*/
2442 static void
2443 aus_putmsg(struct t_audit_data *tad)
2444 {
2445 	klwp_t *clwp = ttolwp(curthread);
2446 	uint32_t fd, pri;
2447 	struct file *fp;
2448 	struct f_audit_data *fad;
2449 
2450 	struct a {
2451 		long	fdes;
2452 		long	ctl;		/* struct strbuf * */
2453 		long	data;		/* struct strbuf * */
2454 		long	pri;
2455 	} *uap = (struct a *)clwp->lwp_ap;
2456 
2457 	fd  = (uint32_t)uap->fdes;
2458 	pri = (uint32_t)uap->pri;
2459 
2460 	au_uwrite(au_to_arg32(1, "fd", fd));
2461 
2462 	if ((fp = getf(fd)) != NULL) {
2463 		fad = F2A(fp);
2464 
2465 		fad->fad_flags |= FAD_WRITE;
2466 
2467 		/* add path name to audit record */
2468 		if (fad->fad_aupath != NULL) {
2469 			au_uwrite(au_to_path(fad->fad_aupath));
2470 		}
2471 		audit_attributes(fp->f_vnode);
2472 
2473 		releasef(fd);
2474 	}
2475 
2476 	au_uwrite(au_to_arg32(4, "pri", pri));
2477 }
2478 
2479 /*ARGSUSED*/
2480 static void
2481 aus_putpmsg(struct t_audit_data *tad)
2482 {
2483 	klwp_t *clwp = ttolwp(curthread);
2484 	uint32_t fd, pri, flags;
2485 	struct file *fp;
2486 	struct f_audit_data *fad;
2487 
2488 	struct a {
2489 		long	fdes;
2490 		long	ctl;		/* struct strbuf * */
2491 		long	data;		/* struct strbuf * */
2492 		long	pri;
2493 		long	flags;
2494 	} *uap = (struct a *)clwp->lwp_ap;
2495 
2496 	fd = (uint32_t)uap->fdes;
2497 	pri  = (uint32_t)uap->pri;
2498 	flags  = (uint32_t)uap->flags;
2499 
2500 	au_uwrite(au_to_arg32(1, "fd", fd));
2501 
2502 	if ((fp = getf(fd)) != NULL) {
2503 		fad = F2A(fp);
2504 
2505 		fad->fad_flags |= FAD_WRITE;
2506 
2507 		/* add path name to audit record */
2508 		if (fad->fad_aupath != NULL) {
2509 			au_uwrite(au_to_path(fad->fad_aupath));
2510 		}
2511 		audit_attributes(fp->f_vnode);
2512 
2513 		releasef(fd);
2514 	}
2515 
2516 
2517 	au_uwrite(au_to_arg32(4, "pri", pri));
2518 	au_uwrite(au_to_arg32(5, "flags", flags));
2519 }
2520 
2521 /*ARGSUSED*/
2522 static void
2523 aus_getmsg(struct t_audit_data *tad)
2524 {
2525 	klwp_t *clwp = ttolwp(curthread);
2526 	uint32_t fd, pri;
2527 	struct file *fp;
2528 	struct f_audit_data *fad;
2529 
2530 	struct a {
2531 		long	fdes;
2532 		long	ctl;		/* struct strbuf * */
2533 		long	data;		/* struct strbuf * */
2534 		long	pri;
2535 	} *uap = (struct a *)clwp->lwp_ap;
2536 
2537 	fd  = (uint32_t)uap->fdes;
2538 	pri = (uint32_t)uap->pri;
2539 
2540 	au_uwrite(au_to_arg32(1, "fd", fd));
2541 
2542 	if ((fp = getf(fd)) != NULL) {
2543 		fad = F2A(fp);
2544 
2545 		/*
2546 		 * read operation on this object
2547 		 */
2548 		fad->fad_flags |= FAD_READ;
2549 
2550 		/* add path name to audit record */
2551 		if (fad->fad_aupath != NULL) {
2552 			au_uwrite(au_to_path(fad->fad_aupath));
2553 		}
2554 		audit_attributes(fp->f_vnode);
2555 
2556 		releasef(fd);
2557 	}
2558 
2559 	au_uwrite(au_to_arg32(4, "pri", pri));
2560 }
2561 
2562 /*ARGSUSED*/
2563 static void
2564 aus_getpmsg(struct t_audit_data *tad)
2565 {
2566 	klwp_t *clwp = ttolwp(curthread);
2567 	uint32_t fd;
2568 	struct file *fp;
2569 	struct f_audit_data *fad;
2570 
2571 	struct a {
2572 		long	fdes;
2573 		long	ctl;		/* struct strbuf * */
2574 		long	data;		/* struct strbuf * */
2575 		long	pri;
2576 		long	flags;
2577 	} *uap = (struct a *)clwp->lwp_ap;
2578 
2579 	fd = (uint32_t)uap->fdes;
2580 
2581 	au_uwrite(au_to_arg32(1, "fd", fd));
2582 
2583 	if ((fp = getf(fd)) != NULL) {
2584 		fad = F2A(fp);
2585 
2586 		/*
2587 		 * read operation on this object
2588 		 */
2589 		fad->fad_flags |= FAD_READ;
2590 
2591 		/* add path name to audit record */
2592 		if (fad->fad_aupath != NULL) {
2593 			au_uwrite(au_to_path(fad->fad_aupath));
2594 		}
2595 		audit_attributes(fp->f_vnode);
2596 
2597 		releasef(fd);
2598 	}
2599 }
2600 
2601 static au_event_t
2602 aui_auditsys(au_event_t e)
2603 {
2604 	klwp_t *clwp = ttolwp(curthread);
2605 	uint32_t code;
2606 
2607 	struct a {
2608 		long	code;
2609 		long	a1;
2610 		long	a2;
2611 		long	a3;
2612 		long	a4;
2613 		long	a5;
2614 		long	a6;
2615 		long	a7;
2616 	} *uap = (struct a *)clwp->lwp_ap;
2617 
2618 	code = (uint32_t)uap->code;
2619 
2620 	switch (code) {
2621 
2622 	case BSM_GETAUID:
2623 		e = AUE_GETAUID;
2624 		break;
2625 	case BSM_SETAUID:
2626 		e = AUE_SETAUID;
2627 		break;
2628 	case BSM_GETAUDIT:
2629 		e = AUE_GETAUDIT;
2630 		break;
2631 	case BSM_GETAUDIT_ADDR:
2632 		e = AUE_GETAUDIT_ADDR;
2633 		break;
2634 	case BSM_SETAUDIT:
2635 		e = AUE_SETAUDIT;
2636 		break;
2637 	case BSM_SETAUDIT_ADDR:
2638 		e = AUE_SETAUDIT_ADDR;
2639 		break;
2640 	case BSM_AUDIT:
2641 		e = AUE_AUDIT;
2642 		break;
2643 	case BSM_AUDITSVC:
2644 		e = AUE_AUDITSVC;
2645 		break;
2646 	case BSM_GETPORTAUDIT:
2647 		e = AUE_GETPORTAUDIT;
2648 		break;
2649 	case BSM_AUDITON:
2650 	case BSM_AUDITCTL:
2651 
2652 		switch ((uint_t)uap->a1) {
2653 
2654 		case A_GETPOLICY:
2655 			e = AUE_AUDITON_GPOLICY;
2656 			break;
2657 		case A_SETPOLICY:
2658 			e = AUE_AUDITON_SPOLICY;
2659 			break;
2660 		case A_GETKMASK:
2661 			e = AUE_AUDITON_GETKMASK;
2662 			break;
2663 		case A_SETKMASK:
2664 			e = AUE_AUDITON_SETKMASK;
2665 			break;
2666 		case A_GETQCTRL:
2667 			e = AUE_AUDITON_GQCTRL;
2668 			break;
2669 		case A_SETQCTRL:
2670 			e = AUE_AUDITON_SQCTRL;
2671 			break;
2672 		case A_GETCWD:
2673 			e = AUE_AUDITON_GETCWD;
2674 			break;
2675 		case A_GETCAR:
2676 			e = AUE_AUDITON_GETCAR;
2677 			break;
2678 		case A_GETSTAT:
2679 			e = AUE_AUDITON_GETSTAT;
2680 			break;
2681 		case A_SETSTAT:
2682 			e = AUE_AUDITON_SETSTAT;
2683 			break;
2684 		case A_SETUMASK:
2685 			e = AUE_AUDITON_SETUMASK;
2686 			break;
2687 		case A_SETSMASK:
2688 			e = AUE_AUDITON_SETSMASK;
2689 			break;
2690 		case A_GETCOND:
2691 			e = AUE_AUDITON_GETCOND;
2692 			break;
2693 		case A_SETCOND:
2694 			e = AUE_AUDITON_SETCOND;
2695 			break;
2696 		case A_GETCLASS:
2697 			e = AUE_AUDITON_GETCLASS;
2698 			break;
2699 		case A_SETCLASS:
2700 			e = AUE_AUDITON_SETCLASS;
2701 			break;
2702 		default:
2703 			e = AUE_NULL;
2704 			break;
2705 		}
2706 		break;
2707 	default:
2708 		e = AUE_NULL;
2709 		break;
2710 	}
2711 
2712 	return (e);
2713 
2714 
2715 
2716 
2717 }	/* AUI_AUDITSYS */
2718 
2719 
2720 
2721 
2722 
2723 
2724 
2725 static void
2726 aus_auditsys(struct t_audit_data *tad)
2727 {
2728 	klwp_t *clwp = ttolwp(curthread);
2729 	uintptr_t a1, a2;
2730 	struct file *fp;
2731 	struct f_audit_data *fad;
2732 	struct vnode *vp;
2733 	STRUCT_DECL(auditinfo, ainfo);
2734 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2735 	au_evclass_map_t event;
2736 	au_mask_t mask;
2737 	int auditstate, policy;
2738 
2739 
2740 	struct a {
2741 		long	code;
2742 		long	a1;
2743 		long	a2;
2744 		long	a3;
2745 		long	a4;
2746 		long	a5;
2747 		long	a6;
2748 		long	a7;
2749 	} *uap = (struct a *)clwp->lwp_ap;
2750 
2751 	a1   = (uintptr_t)uap->a1;
2752 	a2   = (uintptr_t)uap->a2;
2753 
2754 	switch (tad->tad_event) {
2755 	case AUE_SETAUID:
2756 		au_uwrite(au_to_arg32(2, "setauid", (uint32_t)a1));
2757 		break;
2758 	case AUE_SETAUDIT:
2759 		STRUCT_INIT(ainfo, get_udatamodel());
2760 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2761 				STRUCT_SIZE(ainfo))) {
2762 				return;
2763 		}
2764 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2765 			(uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2766 #ifdef _LP64
2767 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2768 			(uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2769 #else
2770 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2771 			(uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2772 #endif
2773 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2774 			(uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2775 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2776 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2777 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2778 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2779 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2780 			(uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2781 		break;
2782 	case AUE_SETAUDIT_ADDR:
2783 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2784 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2785 				STRUCT_SIZE(ainfo_addr))) {
2786 				return;
2787 		}
2788 		au_uwrite(au_to_arg32((char)1, "auid",
2789 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2790 #ifdef _LP64
2791 		au_uwrite(au_to_arg64((char)1, "port",
2792 			(uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2793 #else
2794 		au_uwrite(au_to_arg32((char)1, "port",
2795 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2796 #endif
2797 		au_uwrite(au_to_arg32((char)1, "type",
2798 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2799 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2800 		    AU_IPv4) {
2801 			au_uwrite(au_to_in_addr(
2802 				(struct in_addr *)STRUCT_FGETP(ainfo_addr,
2803 					ai_termid.at_addr)));
2804 		} else {
2805 			au_uwrite(au_to_in_addr_ex(
2806 				(int32_t *)STRUCT_FGETP(ainfo_addr,
2807 					ai_termid.at_addr)));
2808 		}
2809 		au_uwrite(au_to_arg32((char)1, "as_success",
2810 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2811 		au_uwrite(au_to_arg32((char)1, "as_failure",
2812 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2813 		au_uwrite(au_to_arg32((char)1, "asid",
2814 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2815 		break;
2816 	case AUE_AUDITSVC:
2817 		/*
2818 		 * convert file pointer to file descriptor
2819 		 * Note: fd ref count incremented here
2820 		 */
2821 		if ((fp = getf((uint_t)a1)) == NULL)
2822 			return;
2823 		fad = F2A(fp);
2824 		if (fad->fad_aupath != NULL) {
2825 			au_uwrite(au_to_path(fad->fad_aupath));
2826 		} else {
2827 			au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1));
2828 		}
2829 
2830 		vp = fp->f_vnode;	/* include vnode attributes */
2831 		audit_attributes(vp);
2832 
2833 		/* decrement file descriptor ref count */
2834 		releasef((uint_t)a1);
2835 
2836 		au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2));
2837 		break;
2838 	case AUE_AUDITON_SETKMASK:
2839 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2840 				return;
2841 		au_uwrite(au_to_arg32(
2842 			2, "setkmask:as_success", (uint32_t)mask.as_success));
2843 		au_uwrite(au_to_arg32(
2844 			2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2845 		break;
2846 	case AUE_AUDITON_SPOLICY:
2847 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2848 			return;
2849 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2850 		break;
2851 	case AUE_AUDITON_SQCTRL: {
2852 		STRUCT_DECL(au_qctrl, qctrl);
2853 		model_t model;
2854 
2855 		model = get_udatamodel();
2856 		STRUCT_INIT(qctrl, model);
2857 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
2858 				return;
2859 		if (model == DATAMODEL_ILP32) {
2860 			au_uwrite(au_to_arg32(
2861 				3, "setqctrl:aq_hiwater",
2862 				(uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
2863 			au_uwrite(au_to_arg32(
2864 				3, "setqctrl:aq_lowater",
2865 				(uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
2866 			au_uwrite(au_to_arg32(
2867 				3, "setqctrl:aq_bufsz",
2868 				(uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
2869 			au_uwrite(au_to_arg32(
2870 				3, "setqctrl:aq_delay",
2871 				(uint32_t)STRUCT_FGET(qctrl, aq_delay)));
2872 		} else {
2873 			au_uwrite(au_to_arg64(
2874 				3, "setqctrl:aq_hiwater",
2875 				(uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
2876 			au_uwrite(au_to_arg64(
2877 				3, "setqctrl:aq_lowater",
2878 				(uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
2879 			au_uwrite(au_to_arg64(
2880 				3, "setqctrl:aq_bufsz",
2881 				(uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
2882 			au_uwrite(au_to_arg64(
2883 				3, "setqctrl:aq_delay",
2884 				(uint64_t)STRUCT_FGET(qctrl, aq_delay)));
2885 		}
2886 		break;
2887 	}
2888 	case AUE_AUDITON_SETUMASK:
2889 		STRUCT_INIT(ainfo, get_udatamodel());
2890 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2891 				STRUCT_SIZE(ainfo))) {
2892 				return;
2893 		}
2894 		au_uwrite(au_to_arg32(3, "setumask:as_success",
2895 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2896 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
2897 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2898 		break;
2899 	case AUE_AUDITON_SETSMASK:
2900 		STRUCT_INIT(ainfo, get_udatamodel());
2901 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2902 				STRUCT_SIZE(ainfo))) {
2903 				return;
2904 		}
2905 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
2906 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2907 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
2908 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2909 		break;
2910 	case AUE_AUDITON_SETCOND:
2911 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
2912 			return;
2913 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
2914 		break;
2915 	case AUE_AUDITON_SETCLASS:
2916 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
2917 			return;
2918 		au_uwrite(au_to_arg32(
2919 			2, "setclass:ec_event", (uint32_t)event.ec_number));
2920 		au_uwrite(au_to_arg32(
2921 			3, "setclass:ec_class", (uint32_t)event.ec_class));
2922 		break;
2923 	case AUE_GETAUID:
2924 	case AUE_GETAUDIT:
2925 	case AUE_GETAUDIT_ADDR:
2926 	case AUE_AUDIT:
2927 	case AUE_GETPORTAUDIT:
2928 	case AUE_AUDITON_GPOLICY:
2929 	case AUE_AUDITON_GQCTRL:
2930 	case AUE_AUDITON_GETKMASK:
2931 	case AUE_AUDITON_GETCWD:
2932 	case AUE_AUDITON_GETCAR:
2933 	case AUE_AUDITON_GETSTAT:
2934 	case AUE_AUDITON_SETSTAT:
2935 	case AUE_AUDITON_GETCOND:
2936 	case AUE_AUDITON_GETCLASS:
2937 		break;
2938 	default:
2939 		break;
2940 	}
2941 
2942 }	/* AUS_AUDITSYS */
2943 
2944 
2945 /* only audit privileged operations for systeminfo(2) system call */
2946 static au_event_t
2947 aui_sysinfo(au_event_t e)
2948 {
2949 	klwp_t *clwp = ttolwp(curthread);
2950 	uint32_t command;
2951 
2952 	struct a {
2953 		long	command;
2954 		long	buf;		/* char * */
2955 		long	count;
2956 	} *uap = (struct a *)clwp->lwp_ap;
2957 
2958 	command = (uint32_t)uap->command;
2959 
2960 	switch (command) {
2961 	case SI_SET_HOSTNAME:
2962 	case SI_SET_SRPC_DOMAIN:
2963 		e = (au_event_t)AUE_SYSINFO;
2964 		break;
2965 	default:
2966 		e = (au_event_t)AUE_NULL;
2967 		break;
2968 	}
2969 	return (e);
2970 }
2971 
2972 /*ARGSUSED*/
2973 static void
2974 aus_sysinfo(struct t_audit_data *tad)
2975 {
2976 	klwp_t *clwp = ttolwp(curthread);
2977 	uint32_t command;
2978 	size_t len, maxlen;
2979 	char *name;
2980 	uintptr_t buf;
2981 
2982 	struct a {
2983 		long	command;
2984 		long	buf;		/* char * */
2985 		long	count;
2986 	} *uap = (struct a *)clwp->lwp_ap;
2987 
2988 	command = (uint32_t)uap->command;
2989 	buf = (uintptr_t)uap->buf;
2990 
2991 	au_uwrite(au_to_arg32(1, "cmd", command));
2992 
2993 	switch (command) {
2994 	case SI_SET_HOSTNAME:
2995 	{
2996 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
2997 			return;
2998 
2999 		maxlen = SYS_NMLN;
3000 		name = kmem_alloc(maxlen, KM_SLEEP);
3001 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3002 			break;
3003 
3004 		/*
3005 		 * Must be non-NULL string and string
3006 		 * must be less than SYS_NMLN chars.
3007 		 */
3008 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3009 			break;
3010 
3011 		au_uwrite(au_to_text(name));
3012 		break;
3013 	}
3014 
3015 	case SI_SET_SRPC_DOMAIN:
3016 	{
3017 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3018 			return;
3019 
3020 		maxlen = SYS_NMLN;
3021 		name = kmem_alloc(maxlen, KM_SLEEP);
3022 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3023 			break;
3024 
3025 		/*
3026 		 * If string passed in is longer than length
3027 		 * allowed for domain name, fail.
3028 		 */
3029 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3030 			break;
3031 
3032 		au_uwrite(au_to_text(name));
3033 		break;
3034 	}
3035 
3036 	default:
3037 		return;
3038 	}
3039 
3040 	kmem_free(name, maxlen);
3041 }
3042 
3043 static au_event_t
3044 aui_modctl(au_event_t e)
3045 {
3046 	klwp_t *clwp = ttolwp(curthread);
3047 	uint_t cmd;
3048 
3049 	struct a {
3050 		long	cmd;
3051 	} *uap = (struct a *)clwp->lwp_ap;
3052 
3053 	cmd = (uint_t)uap->cmd;
3054 
3055 	switch (cmd) {
3056 	case MODLOAD:
3057 		e = AUE_MODLOAD;
3058 		break;
3059 	case MODUNLOAD:
3060 		e = AUE_MODUNLOAD;
3061 		break;
3062 	case MODADDMAJBIND:
3063 		e = AUE_MODADDMAJ;
3064 		break;
3065 	case MODSETDEVPOLICY:
3066 		e = AUE_MODDEVPLCY;
3067 		break;
3068 	case MODALLOCPRIV:
3069 		e = AUE_MODADDPRIV;
3070 		break;
3071 	default:
3072 		e = AUE_NULL;
3073 		break;
3074 	}
3075 	return (e);
3076 }
3077 
3078 
3079 /*ARGSUSED*/
3080 static void
3081 aus_modctl(struct t_audit_data *tad)
3082 {
3083 	klwp_t *clwp = ttolwp(curthread);
3084 	void *a	= clwp->lwp_ap;
3085 	uint_t use_path;
3086 
3087 	switch (tad->tad_event) {
3088 	case AUE_MODLOAD: {
3089 		typedef struct {
3090 			long	cmd;
3091 			long	use_path;
3092 			long	filename;		/* char * */
3093 		} modloada_t;
3094 
3095 		char *filenamep;
3096 		uintptr_t fname;
3097 		extern char *default_path;
3098 
3099 		fname = (uintptr_t)((modloada_t *)a)->filename;
3100 		use_path = (uint_t)((modloada_t *)a)->use_path;
3101 
3102 			/* space to hold path */
3103 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3104 			/* get string */
3105 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3106 				/* free allocated path */
3107 			kmem_free(filenamep, MOD_MAXPATH);
3108 			return;
3109 		}
3110 			/* ensure it's null terminated */
3111 		filenamep[MOD_MAXPATH - 1] = 0;
3112 
3113 		if (use_path)
3114 			au_uwrite(au_to_text(default_path));
3115 		au_uwrite(au_to_text(filenamep));
3116 
3117 			/* release temporary memory */
3118 		kmem_free(filenamep, MOD_MAXPATH);
3119 		break;
3120 	}
3121 	case AUE_MODUNLOAD: {
3122 		typedef struct {
3123 			long	cmd;
3124 			long	id;
3125 		} modunloada_t;
3126 
3127 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3128 
3129 		au_uwrite(au_to_arg32(1, "id", id));
3130 		break;
3131 	}
3132 	case AUE_MODADDMAJ: {
3133 		STRUCT_DECL(modconfig, mc);
3134 		typedef struct {
3135 			long	cmd;
3136 			long	subcmd;
3137 			long	data;		/* int * */
3138 		} modconfiga_t;
3139 
3140 		STRUCT_DECL(aliases, alias);
3141 		caddr_t ap;
3142 		int i, num_aliases;
3143 		char *drvname, *mc_drvname;
3144 		char *name;
3145 		extern char *ddi_major_to_name(major_t);
3146 		model_t model;
3147 
3148 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3149 
3150 		model = get_udatamodel();
3151 		STRUCT_INIT(mc, model);
3152 			/* sanitize buffer */
3153 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3154 			/* get user arguments */
3155 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3156 				STRUCT_SIZE(mc)) != 0)
3157 			return;
3158 
3159 		mc_drvname = STRUCT_FGET(mc, drvname);
3160 		if ((drvname = ddi_major_to_name(
3161 			(major_t)STRUCT_FGET(mc, major))) != NULL &&
3162 			strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3163 				/* safety */
3164 			if (mc_drvname[0] != '\0') {
3165 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3166 				au_uwrite(au_to_text(mc_drvname));
3167 			}
3168 				/* drvname != NULL from test above */
3169 			au_uwrite(au_to_text(drvname));
3170 			return;
3171 		}
3172 
3173 		if (mc_drvname[0] != '\0') {
3174 				/* safety */
3175 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3176 			au_uwrite(au_to_text(mc_drvname));
3177 		} else
3178 			au_uwrite(au_to_text("no drvname"));
3179 
3180 		num_aliases = STRUCT_FGET(mc, num_aliases);
3181 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3182 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3183 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3184 		STRUCT_INIT(alias, model);
3185 		for (i = 0; i < num_aliases; i++) {
3186 			bzero((caddr_t)STRUCT_BUF(alias),
3187 					STRUCT_SIZE(alias));
3188 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3189 					STRUCT_SIZE(alias)) != 0)
3190 				break;
3191 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3192 			    MAXMODCONFNAME, NULL) != 0) {
3193 				break;
3194 			}
3195 
3196 			au_uwrite(au_to_text(name));
3197 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3198 		}
3199 		kmem_free(name, MAXMODCONFNAME);
3200 		break;
3201 	}
3202 	default:
3203 		break;
3204 	}
3205 }
3206 
3207 /*
3208  * private version of getsonode that does not do eprintsoline()
3209  */
3210 static struct sonode *
3211 au_getsonode(int sock, int *errorp, file_t **fpp)
3212 {
3213 	file_t *fp;
3214 	register vnode_t *vp;
3215 	struct sonode *so;
3216 
3217 	if ((fp = getf(sock)) == NULL) {
3218 		*errorp = EBADF;
3219 		return (NULL);
3220 	}
3221 	vp = fp->f_vnode;
3222 	/* Check if it is a socket */
3223 	if (vp->v_type != VSOCK) {
3224 		releasef(sock);
3225 		*errorp = ENOTSOCK;
3226 		return (NULL);
3227 	}
3228 	/*
3229 	 * Use the stream head to find the real socket vnode.
3230 	 * This is needed when namefs sits above sockfs.
3231 	 */
3232 	ASSERT(vp->v_stream);
3233 	ASSERT(vp->v_stream->sd_vnode);
3234 	vp = vp->v_stream->sd_vnode;
3235 	so = VTOSO(vp);
3236 	if (so->so_version == SOV_STREAM) {
3237 		releasef(sock);
3238 		*errorp = ENOTSOCK;
3239 		return (NULL);
3240 	}
3241 	if (fpp)
3242 		*fpp = fp;
3243 	return (so);
3244 }
3245 
3246 /*ARGSUSED*/
3247 static void
3248 auf_accept(
3249 	struct t_audit_data *tad,
3250 	int	error,
3251 	rval_t	*rval)
3252 {
3253 	uint32_t scid;
3254 	uint32_t sy_flags;
3255 	int fd;
3256 	struct sonode *so;
3257 	char so_laddr[sizeof (struct sockaddr_in6)];
3258 	char so_faddr[sizeof (struct sockaddr_in6)];
3259 	int err;
3260 	int len;
3261 	short so_family, so_type;
3262 	int add_sock_token = 0;
3263 
3264 	/* need to determine type of executing binary */
3265 	scid = tad->tad_scid;
3266 #ifdef _SYSCALL32_IMPL
3267 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3268 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3269 	else
3270 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3271 #else
3272 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3273 #endif
3274 	if (sy_flags == SE_32RVAL1)
3275 		fd = rval->r_val1;
3276 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3277 		fd = rval->r_val1;
3278 	if (sy_flags == SE_64RVAL)
3279 		fd = (int)rval->r_vals;
3280 
3281 	if (error) {
3282 		/* can't trust socket contents. Just return */
3283 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3284 		return;
3285 	}
3286 
3287 	if ((so = au_getsonode((int)fd, &err, NULL)) == NULL) {
3288 		/*
3289 		 * not security relevant if doing a accept from non socket
3290 		 * so no extra tokens. Should probably turn off audit record
3291 		 * generation here.
3292 		 */
3293 		return;
3294 	}
3295 
3296 	so_family = so->so_family;
3297 	so_type   = so->so_type;
3298 
3299 	switch (so_family) {
3300 	case AF_INET:
3301 	case AF_INET6:
3302 		/*
3303 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3304 		 */
3305 		if (so->so_type == SOCK_STREAM) {
3306 
3307 			bzero((void *)so_laddr, sizeof (so_laddr));
3308 			bzero((void *)so_faddr, sizeof (so_faddr));
3309 
3310 			/*
3311 			 * no local address then need to get it from lower
3312 			 * levels. only put out record on first read ala
3313 			 * AUE_WRITE.
3314 			 */
3315 			if (so->so_state & SS_ISBOUND) {
3316 				/* only done once on a connection */
3317 				(void) SOP_GETSOCKNAME(so);
3318 				(void) SOP_GETPEERNAME(so);
3319 
3320 				/* get local and foreign addresses */
3321 				mutex_enter(&so->so_lock);
3322 				len = min(so->so_laddr_len, sizeof (so_laddr));
3323 				bcopy(so->so_laddr_sa, so_laddr, len);
3324 				len = min(so->so_faddr_len, sizeof (so_faddr));
3325 				bcopy(so->so_faddr_sa, so_faddr, len);
3326 				mutex_exit(&so->so_lock);
3327 			}
3328 
3329 			add_sock_token = 1;
3330 		}
3331 		break;
3332 
3333 	default:
3334 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3335 		break;
3336 	}
3337 
3338 	releasef(fd);
3339 
3340 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3341 
3342 	if (add_sock_token == 0) {
3343 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3344 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3345 		return;
3346 	}
3347 
3348 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3349 
3350 }
3351 
3352 /*ARGSUSED*/
3353 static void
3354 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3355 {
3356 	struct a {
3357 		long	fd;
3358 		long	addr;
3359 		long	len;
3360 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3361 
3362 	struct sonode *so;
3363 	char so_laddr[sizeof (struct sockaddr_in6)];
3364 	char so_faddr[sizeof (struct sockaddr_in6)];
3365 	int err, fd;
3366 	int len;
3367 	short so_family, so_type;
3368 	int add_sock_token = 0;
3369 
3370 	fd = (int)uap->fd;
3371 
3372 	/*
3373 	 * bind failed, then nothing extra to add to audit record.
3374 	 */
3375 	if (error) {
3376 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3377 		/* XXX may want to add failed address some day */
3378 		return;
3379 	}
3380 
3381 	if ((so = au_getsonode(fd, &err, NULL)) == NULL) {
3382 		/*
3383 		 * not security relevant if doing a bind from non socket
3384 		 * so no extra tokens. Should probably turn off audit record
3385 		 * generation here.
3386 		 */
3387 		return;
3388 	}
3389 
3390 	so_family = so->so_family;
3391 	so_type   = so->so_type;
3392 
3393 	switch (so_family) {
3394 	case AF_INET:
3395 	case AF_INET6:
3396 
3397 		bzero(so_faddr, sizeof (so_faddr));
3398 
3399 		if (so->so_state & SS_ISBOUND) {
3400 			/* only done once on a connection */
3401 			(void) SOP_GETSOCKNAME(so);
3402 		}
3403 
3404 		mutex_enter(&so->so_lock);
3405 		len = min(so->so_laddr_len, sizeof (so_laddr));
3406 		bcopy(so->so_laddr_sa, so_laddr, len);
3407 		mutex_exit(&so->so_lock);
3408 
3409 		add_sock_token = 1;
3410 
3411 		break;
3412 
3413 	case AF_UNIX:
3414 		/* token added by lookup */
3415 		break;
3416 	default:
3417 		/* AF_ROUTE, AF_KEY do not support accept */
3418 		break;
3419 	}
3420 
3421 	releasef(fd);
3422 
3423 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3424 
3425 	if (add_sock_token == 0) {
3426 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3427 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3428 		return;
3429 	}
3430 
3431 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3432 
3433 }
3434 
3435 /*ARGSUSED*/
3436 static void
3437 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3438 {
3439 	struct a {
3440 		long	fd;
3441 		long	addr;
3442 		long	len;
3443 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3444 
3445 	struct sonode *so;
3446 	char so_laddr[sizeof (struct sockaddr_in6)];
3447 	char so_faddr[sizeof (struct sockaddr_in6)];
3448 	int err, fd;
3449 	int len;
3450 	short so_family, so_type;
3451 	int add_sock_token = 0;
3452 
3453 	fd = (int)uap->fd;
3454 
3455 
3456 	if ((so = au_getsonode(fd, &err, NULL)) == NULL) {
3457 		/*
3458 		 * not security relevant if doing a connect from non socket
3459 		 * so no extra tokens. Should probably turn off audit record
3460 		 * generation here.
3461 		 */
3462 		return;
3463 	}
3464 
3465 	so_family = so->so_family;
3466 	so_type   = so->so_type;
3467 
3468 	switch (so_family) {
3469 	case AF_INET:
3470 	case AF_INET6:
3471 		/*
3472 		 * no local address then need to get it from lower
3473 		 * levels.
3474 		 */
3475 		if (so->so_state & SS_ISBOUND) {
3476 			/* only done once on a connection */
3477 			(void) SOP_GETSOCKNAME(so);
3478 			(void) SOP_GETPEERNAME(so);
3479 		}
3480 
3481 		bzero(so_laddr, sizeof (so_laddr));
3482 		bzero(so_faddr, sizeof (so_faddr));
3483 
3484 		mutex_enter(&so->so_lock);
3485 		len = min(so->so_laddr_len, sizeof (so_laddr));
3486 		bcopy(so->so_laddr_sa, so_laddr, len);
3487 		if (error) {
3488 			mutex_exit(&so->so_lock);
3489 			if (uap->addr == NULL)
3490 				break;
3491 			if (uap->len <= 0)
3492 				break;
3493 			len = min(uap->len, sizeof (so_faddr));
3494 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3495 				break;
3496 #ifdef NOTYET
3497 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3498 #endif
3499 		} else {
3500 			/* sanity check on length */
3501 			len = min(so->so_faddr_len, sizeof (so_faddr));
3502 			bcopy(so->so_faddr_sa, so_faddr, len);
3503 			mutex_exit(&so->so_lock);
3504 		}
3505 
3506 		add_sock_token = 1;
3507 
3508 		break;
3509 
3510 	case AF_UNIX:
3511 		/* does a lookup on name */
3512 		break;
3513 
3514 	default:
3515 		/* AF_ROUTE, AF_KEY do not support accept */
3516 		break;
3517 	}
3518 
3519 	releasef(fd);
3520 
3521 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3522 
3523 	if (add_sock_token == 0) {
3524 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3525 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3526 		return;
3527 	}
3528 
3529 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3530 
3531 }
3532 
3533 /*ARGSUSED*/
3534 static void
3535 aus_shutdown(struct t_audit_data *tad)
3536 {
3537 	struct a {
3538 		long	fd;
3539 		long	how;
3540 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3541 
3542 	struct sonode *so;
3543 	char so_laddr[sizeof (struct sockaddr_in6)];
3544 	char so_faddr[sizeof (struct sockaddr_in6)];
3545 	int err, fd;
3546 	int len;
3547 	short so_family, so_type;
3548 	int add_sock_token = 0;
3549 	file_t *fp;				/* unix domain sockets */
3550 	struct f_audit_data *fad;		/* unix domain sockets */
3551 
3552 	fd = (int)uap->fd;
3553 
3554 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3555 		/*
3556 		 * not security relevant if doing a shutdown using non socket
3557 		 * so no extra tokens. Should probably turn off audit record
3558 		 * generation here.
3559 		 */
3560 		return;
3561 	}
3562 
3563 	so_family = so->so_family;
3564 	so_type   = so->so_type;
3565 
3566 	switch (so_family) {
3567 	case AF_INET:
3568 	case AF_INET6:
3569 
3570 		bzero(so_laddr, sizeof (so_laddr));
3571 		bzero(so_faddr, sizeof (so_faddr));
3572 
3573 		if (so->so_state & SS_ISBOUND) {
3574 			/*
3575 			 * no local address then need to get it from lower
3576 			 * levels.
3577 			 */
3578 			if (so->so_laddr_len == 0)
3579 				(void) SOP_GETSOCKNAME(so);
3580 			if (so->so_faddr_len == 0)
3581 				(void) SOP_GETPEERNAME(so);
3582 		}
3583 
3584 		mutex_enter(&so->so_lock);
3585 		len = min(so->so_laddr_len, sizeof (so_laddr));
3586 		bcopy(so->so_laddr_sa, so_laddr, len);
3587 		len = min(so->so_faddr_len, sizeof (so_faddr));
3588 		bcopy(so->so_faddr_sa, so_faddr, len);
3589 		mutex_exit(&so->so_lock);
3590 
3591 		add_sock_token = 1;
3592 
3593 		break;
3594 
3595 	case AF_UNIX:
3596 
3597 		/* get path from file struct here */
3598 		fad = F2A(fp);
3599 		ASSERT(fad);
3600 
3601 		if (fad->fad_aupath != NULL) {
3602 			au_uwrite(au_to_path(fad->fad_aupath));
3603 		} else {
3604 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3605 		}
3606 
3607 		audit_attributes(fp->f_vnode);
3608 
3609 		break;
3610 
3611 	default:
3612 		/*
3613 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3614 		 * added.
3615 		 */
3616 		break;
3617 	}
3618 
3619 	releasef(fd);
3620 
3621 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3622 
3623 	if (add_sock_token == 0) {
3624 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3625 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3626 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3627 		return;
3628 	}
3629 
3630 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3631 
3632 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3633 
3634 }
3635 
3636 /*ARGSUSED*/
3637 static void
3638 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3639 {
3640 	struct a {
3641 		long	fd;
3642 		long	level;
3643 		long	optname;
3644 		long	*optval;
3645 		long	optlen;
3646 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3647 
3648 	struct sonode	*so;
3649 	char so_laddr[sizeof (struct sockaddr_in6)];
3650 	char so_faddr[sizeof (struct sockaddr_in6)];
3651 	char		val[AU_BUFSIZE];
3652 	int		err, fd;
3653 	int		len;
3654 	short so_family, so_type;
3655 	int		add_sock_token = 0;
3656 	file_t *fp;				/* unix domain sockets */
3657 	struct f_audit_data *fad;		/* unix domain sockets */
3658 
3659 	fd = (int)uap->fd;
3660 
3661 	if (error) {
3662 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3663 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3664 		/* XXX may want to include other arguments */
3665 		return;
3666 	}
3667 
3668 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3669 		/*
3670 		 * not security relevant if doing a setsockopt from non socket
3671 		 * so no extra tokens. Should probably turn off audit record
3672 		 * generation here.
3673 		 */
3674 		return;
3675 	}
3676 
3677 	so_family = so->so_family;
3678 	so_type   = so->so_type;
3679 
3680 	switch (so_family) {
3681 	case AF_INET:
3682 	case AF_INET6:
3683 
3684 		bzero((void *)so_laddr, sizeof (so_laddr));
3685 		bzero((void *)so_faddr, sizeof (so_faddr));
3686 
3687 		if (so->so_state & SS_ISBOUND) {
3688 			if (so->so_laddr_len == 0)
3689 				(void) SOP_GETSOCKNAME(so);
3690 			if (so->so_faddr_len == 0)
3691 				(void) SOP_GETPEERNAME(so);
3692 		}
3693 
3694 		/* get local and foreign addresses */
3695 		mutex_enter(&so->so_lock);
3696 		len = min(so->so_laddr_len, sizeof (so_laddr));
3697 		bcopy(so->so_laddr_sa, so_laddr, len);
3698 		len = min(so->so_faddr_len, sizeof (so_faddr));
3699 		bcopy(so->so_faddr_sa, so_faddr, len);
3700 		mutex_exit(&so->so_lock);
3701 
3702 		add_sock_token = 1;
3703 
3704 		break;
3705 
3706 	case AF_UNIX:
3707 
3708 		/* get path from file struct here */
3709 		fad = F2A(fp);
3710 		ASSERT(fad);
3711 
3712 		if (fad->fad_aupath != NULL) {
3713 			au_uwrite(au_to_path(fad->fad_aupath));
3714 		} else {
3715 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3716 		}
3717 
3718 		audit_attributes(fp->f_vnode);
3719 
3720 		break;
3721 
3722 	default:
3723 		/*
3724 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3725 		 * added.
3726 		 */
3727 		break;
3728 	}
3729 
3730 	releasef(fd);
3731 
3732 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3733 
3734 	if (add_sock_token == 0) {
3735 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3736 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3737 	}
3738 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3739 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3740 
3741 	bzero(val, sizeof (val));
3742 	len = min(uap->optlen, sizeof (val));
3743 	if ((len > 0) &&
3744 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3745 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3746 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3747 	}
3748 
3749 	if (add_sock_token == 0)
3750 		return;
3751 
3752 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3753 
3754 }
3755 
3756 /*ARGSUSED*/
3757 static void
3758 aus_sockconfig(tad)
3759 	struct t_audit_data *tad;
3760 {
3761 	struct a {
3762 		long	domain;
3763 		long	type;
3764 		long	protocol;
3765 		long	devpath;
3766 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3767 
3768 	char	*kdevpath;
3769 	int	kdevpathlen = MAXPATHLEN + 1;
3770 	size_t	size;
3771 
3772 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3773 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3774 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3775 
3776 	if (uap->devpath == 0) {
3777 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3778 	} else {
3779 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3780 
3781 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3782 			&size)) {
3783 			kmem_free(kdevpath, kdevpathlen);
3784 			return;
3785 		}
3786 
3787 		if (size > MAXPATHLEN) {
3788 			kmem_free(kdevpath, kdevpathlen);
3789 			return;
3790 		}
3791 
3792 		au_uwrite(au_to_text(kdevpath));
3793 		kmem_free(kdevpath, kdevpathlen);
3794 	}
3795 }
3796 
3797 /*
3798  * only audit recvmsg when the system call represents the creation of a new
3799  * circuit. This effectively occurs for all UDP packets and may occur for
3800  * special TCP situations where the local host has not set a local address
3801  * in the socket structure.
3802  */
3803 /*ARGSUSED*/
3804 static void
3805 auf_recvmsg(
3806 	struct t_audit_data *tad,
3807 	int error,
3808 	rval_t *rvp)
3809 {
3810 	struct a {
3811 		long	fd;
3812 		long	msg;	/* struct msghdr */
3813 		long	flags;
3814 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3815 
3816 	struct sonode	*so;
3817 	STRUCT_DECL(msghdr, msg);
3818 	caddr_t msg_name;
3819 	socklen_t msg_namelen;
3820 	int fd;
3821 	int err;
3822 	char so_laddr[sizeof (struct sockaddr_in6)];
3823 	char so_faddr[sizeof (struct sockaddr_in6)];
3824 	int len;
3825 	file_t *fp;				/* unix domain sockets */
3826 	struct f_audit_data *fad;		/* unix domain sockets */
3827 	short so_family, so_type;
3828 	int add_sock_token = 0;
3829 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3830 
3831 	fd = (int)uap->fd;
3832 
3833 	/* bail if an error */
3834 	if (error) {
3835 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3836 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3837 		return;
3838 	}
3839 
3840 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3841 		/*
3842 		 * not security relevant if doing a recvmsg from non socket
3843 		 * so no extra tokens. Should probably turn off audit record
3844 		 * generation here.
3845 		 */
3846 		return;
3847 	}
3848 
3849 	so_family = so->so_family;
3850 	so_type   = so->so_type;
3851 
3852 	/*
3853 	 * only putout SOCKET_EX token if INET/INET6 family.
3854 	 * XXX - what do we do about other families?
3855 	 */
3856 
3857 	switch (so_family) {
3858 	case AF_INET:
3859 	case AF_INET6:
3860 
3861 		/*
3862 		 * if datagram type socket, then just use what is in
3863 		 * socket structure for local address.
3864 		 * XXX - what do we do for other types?
3865 		 */
3866 		if ((so->so_type == SOCK_DGRAM) ||
3867 		    (so->so_type == SOCK_RAW)) {
3868 			add_sock_token = 1;
3869 
3870 			bzero((void *)so_laddr, sizeof (so_laddr));
3871 			bzero((void *)so_faddr, sizeof (so_faddr));
3872 
3873 			/* get local address */
3874 			mutex_enter(&so->so_lock);
3875 			len = min(so->so_laddr_len, sizeof (so_laddr));
3876 			bcopy(so->so_laddr_sa, so_laddr, len);
3877 			mutex_exit(&so->so_lock);
3878 
3879 			/* get peer address */
3880 			STRUCT_INIT(msg, get_udatamodel());
3881 
3882 			if (copyin((caddr_t)(uap->msg),
3883 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3884 				break;
3885 			}
3886 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3887 			if (msg_name == NULL) {
3888 				break;
3889 			}
3890 
3891 			/* length is value from recvmsg - sanity check */
3892 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3893 			if (msg_namelen == 0) {
3894 				break;
3895 			}
3896 			if (copyin(msg_name, so_faddr,
3897 			    sizeof (so_faddr)) != 0) {
3898 				break;
3899 			}
3900 
3901 		} else if (so->so_type == SOCK_STREAM) {
3902 
3903 			/* get path from file struct here */
3904 			fad = F2A(fp);
3905 			ASSERT(fad);
3906 
3907 			/*
3908 			 * already processed this file for read attempt
3909 			 */
3910 			if (fad->fad_flags & FAD_READ) {
3911 				/* don't want to audit every recvmsg attempt */
3912 				tad->tad_flag = 0;
3913 				/* free any residual audit data */
3914 				au_close(kctx, &(u_ad), 0, 0, 0);
3915 				releasef(fd);
3916 				return;
3917 			}
3918 			/*
3919 			 * mark things so we know what happened and don't
3920 			 * repeat things
3921 			 */
3922 			fad->fad_flags |= FAD_READ;
3923 
3924 			bzero((void *)so_laddr, sizeof (so_laddr));
3925 			bzero((void *)so_faddr, sizeof (so_faddr));
3926 
3927 			if (so->so_state & SS_ISBOUND) {
3928 
3929 				if (so->so_laddr_len == 0)
3930 					(void) SOP_GETSOCKNAME(so);
3931 				if (so->so_faddr_len == 0)
3932 					(void) SOP_GETPEERNAME(so);
3933 
3934 				/* get local and foreign addresses */
3935 				mutex_enter(&so->so_lock);
3936 				len = min(so->so_laddr_len, sizeof (so_laddr));
3937 				bcopy(so->so_laddr_sa, so_laddr, len);
3938 				len = min(so->so_faddr_len, sizeof (so_faddr));
3939 				bcopy(so->so_faddr_sa, so_faddr, len);
3940 				mutex_exit(&so->so_lock);
3941 			}
3942 
3943 			add_sock_token = 1;
3944 		}
3945 
3946 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
3947 
3948 		break;
3949 
3950 	case AF_UNIX:
3951 		/*
3952 		 * first check if this is first time through. Too much
3953 		 * duplicate code to put this in an aui_ routine.
3954 		 */
3955 
3956 		/* get path from file struct here */
3957 		fad = F2A(fp);
3958 		ASSERT(fad);
3959 
3960 		/*
3961 		 * already processed this file for read attempt
3962 		 */
3963 		if (fad->fad_flags & FAD_READ) {
3964 			releasef(fd);
3965 			/* don't want to audit every recvmsg attempt */
3966 			tad->tad_flag = 0;
3967 			/* free any residual audit data */
3968 			au_close(kctx, &(u_ad), 0, 0, 0);
3969 			return;
3970 		}
3971 		/*
3972 		 * mark things so we know what happened and don't
3973 		 * repeat things
3974 		 */
3975 		fad->fad_flags |= FAD_READ;
3976 
3977 		if (fad->fad_aupath != NULL) {
3978 			au_uwrite(au_to_path(fad->fad_aupath));
3979 		} else {
3980 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3981 		}
3982 
3983 		audit_attributes(fp->f_vnode);
3984 
3985 		releasef(fd);
3986 
3987 		return;
3988 
3989 	default:
3990 		break;
3991 
3992 	}
3993 
3994 	releasef(fd);
3995 
3996 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3997 
3998 	if (add_sock_token == 0) {
3999 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4000 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4001 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4002 		return;
4003 	}
4004 
4005 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4006 
4007 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4008 
4009 }
4010 
4011 /*ARGSUSED*/
4012 static void
4013 auf_recvfrom(
4014 	struct t_audit_data *tad,
4015 	int error,
4016 	rval_t *rvp)
4017 {
4018 
4019 	struct a {
4020 		long	fd;
4021 		long	msg;	/* char */
4022 		long	len;
4023 		long	flags;
4024 		long	from;	/* struct sockaddr */
4025 		long	fromlen;
4026 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4027 
4028 	socklen_t	fromlen;
4029 	struct sonode	*so;
4030 	char so_laddr[sizeof (struct sockaddr_in6)];
4031 	char so_faddr[sizeof (struct sockaddr_in6)];
4032 	int		fd;
4033 	short so_family, so_type;
4034 	int add_sock_token = 0;
4035 	int len;
4036 	int err;
4037 	struct file *fp;
4038 	struct f_audit_data *fad;		/* unix domain sockets */
4039 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4040 
4041 	fd = (int)uap->fd;
4042 
4043 	/* bail if an error */
4044 	if (error) {
4045 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4046 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4047 		return;
4048 	}
4049 
4050 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4051 		/*
4052 		 * not security relevant if doing a recvmsg from non socket
4053 		 * so no extra tokens. Should probably turn off audit record
4054 		 * generation here.
4055 		 */
4056 		return;
4057 	}
4058 
4059 	so_family = so->so_family;
4060 	so_type   = so->so_type;
4061 
4062 	/*
4063 	 * only putout SOCKET_EX token if INET/INET6 family.
4064 	 * XXX - what do we do about other families?
4065 	 */
4066 
4067 	switch (so_family) {
4068 	case AF_INET:
4069 	case AF_INET6:
4070 
4071 		/*
4072 		 * if datagram type socket, then just use what is in
4073 		 * socket structure for local address.
4074 		 * XXX - what do we do for other types?
4075 		 */
4076 		if ((so->so_type == SOCK_DGRAM) ||
4077 		    (so->so_type == SOCK_RAW)) {
4078 			add_sock_token = 1;
4079 
4080 			/* get local address */
4081 			mutex_enter(&so->so_lock);
4082 			len = min(so->so_laddr_len, sizeof (so_laddr));
4083 			bcopy(so->so_laddr_sa, so_laddr, len);
4084 			mutex_exit(&so->so_lock);
4085 
4086 			/* get peer address */
4087 			bzero((void *)so_faddr, sizeof (so_faddr));
4088 
4089 			/* sanity check */
4090 			if (uap->from == NULL)
4091 				break;
4092 
4093 			/* sanity checks */
4094 			if (uap->fromlen == 0)
4095 				break;
4096 
4097 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4098 			    sizeof (fromlen)) != 0)
4099 				break;
4100 
4101 			if (fromlen == 0)
4102 				break;
4103 
4104 			/* enforce maximum size */
4105 			if (fromlen > sizeof (so_faddr))
4106 				fromlen = sizeof (so_faddr);
4107 
4108 			if (copyin((caddr_t)(uap->from), so_faddr,
4109 			    fromlen) != 0)
4110 				break;
4111 
4112 		} else if (so->so_type == SOCK_STREAM) {
4113 
4114 			/* get path from file struct here */
4115 			fad = F2A(fp);
4116 			ASSERT(fad);
4117 
4118 			/*
4119 			 * already processed this file for read attempt
4120 			 */
4121 			if (fad->fad_flags & FAD_READ) {
4122 				/* don't want to audit every recvfrom attempt */
4123 				tad->tad_flag = 0;
4124 				/* free any residual audit data */
4125 				au_close(kctx, &(u_ad), 0, 0, 0);
4126 				releasef(fd);
4127 				return;
4128 			}
4129 			/*
4130 			 * mark things so we know what happened and don't
4131 			 * repeat things
4132 			 */
4133 			fad->fad_flags |= FAD_READ;
4134 
4135 			bzero((void *)so_laddr, sizeof (so_laddr));
4136 			bzero((void *)so_faddr, sizeof (so_faddr));
4137 
4138 			if (so->so_state & SS_ISBOUND) {
4139 
4140 				if (so->so_laddr_len == 0)
4141 					(void) SOP_GETSOCKNAME(so);
4142 				if (so->so_faddr_len == 0)
4143 					(void) SOP_GETPEERNAME(so);
4144 
4145 				/* get local and foreign addresses */
4146 				mutex_enter(&so->so_lock);
4147 				len = min(so->so_laddr_len, sizeof (so_laddr));
4148 				bcopy(so->so_laddr_sa, so_laddr, len);
4149 				len = min(so->so_faddr_len, sizeof (so_faddr));
4150 				bcopy(so->so_faddr_sa, so_faddr, len);
4151 				mutex_exit(&so->so_lock);
4152 			}
4153 
4154 			add_sock_token = 1;
4155 		}
4156 
4157 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4158 
4159 		break;
4160 
4161 	case AF_UNIX:
4162 		/*
4163 		 * first check if this is first time through. Too much
4164 		 * duplicate code to put this in an aui_ routine.
4165 		 */
4166 
4167 		/* get path from file struct here */
4168 		fad = F2A(fp);
4169 		ASSERT(fad);
4170 
4171 		/*
4172 		 * already processed this file for read attempt
4173 		 */
4174 		if (fad->fad_flags & FAD_READ) {
4175 			/* don't want to audit every recvfrom attempt */
4176 			tad->tad_flag = 0;
4177 			/* free any residual audit data */
4178 			au_close(kctx, &(u_ad), 0, 0, 0);
4179 			releasef(fd);
4180 			return;
4181 		}
4182 		/*
4183 		 * mark things so we know what happened and don't
4184 		 * repeat things
4185 		 */
4186 		fad->fad_flags |= FAD_READ;
4187 
4188 		if (fad->fad_aupath != NULL) {
4189 			au_uwrite(au_to_path(fad->fad_aupath));
4190 		} else {
4191 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4192 		}
4193 
4194 		audit_attributes(fp->f_vnode);
4195 
4196 		releasef(fd);
4197 
4198 		return;
4199 
4200 	default:
4201 		break;
4202 
4203 	}
4204 
4205 	releasef(fd);
4206 
4207 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4208 
4209 	if (add_sock_token == 0) {
4210 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4211 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4212 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4213 		return;
4214 	}
4215 
4216 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4217 
4218 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4219 }
4220 
4221 /*ARGSUSED*/
4222 static void
4223 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4224 {
4225 	struct a {
4226 		long	fd;
4227 		long	msg;	/* struct msghdr */
4228 		long	flags;
4229 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4230 
4231 	struct sonode	*so;
4232 	char so_laddr[sizeof (struct sockaddr_in6)];
4233 	char so_faddr[sizeof (struct sockaddr_in6)];
4234 	int		err;
4235 	int		fd;
4236 	short so_family, so_type;
4237 	int		add_sock_token = 0;
4238 	int		len;
4239 	struct file	*fp;
4240 	struct f_audit_data *fad;
4241 	caddr_t		msg_name;
4242 	socklen_t	msg_namelen;
4243 	STRUCT_DECL(msghdr, msg);
4244 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4245 
4246 	fd = (int)uap->fd;
4247 
4248 	/* bail if an error */
4249 	if (error) {
4250 		/* XXX include destination address from system call arguments */
4251 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4252 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4253 		return;
4254 	}
4255 
4256 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4257 		/*
4258 		 * not security relevant if doing a sendmsg from non socket
4259 		 * so no extra tokens. Should probably turn off audit record
4260 		 * generation here.
4261 		 */
4262 		return;
4263 	}
4264 
4265 	so_family = so->so_family;
4266 	so_type   = so->so_type;
4267 
4268 	switch (so_family) {
4269 	case AF_INET:
4270 	case AF_INET6:
4271 		/*
4272 		 * if datagram type socket, then just use what is in
4273 		 * socket structure for local address.
4274 		 * XXX - what do we do for other types?
4275 		 */
4276 		if ((so->so_type == SOCK_DGRAM) ||
4277 		    (so->so_type == SOCK_RAW)) {
4278 
4279 			bzero((void *)so_laddr, sizeof (so_laddr));
4280 			bzero((void *)so_faddr, sizeof (so_faddr));
4281 
4282 			/* get local address */
4283 			mutex_enter(&so->so_lock);
4284 			len = min(so->so_laddr_len, sizeof (so_laddr));
4285 			bcopy(so->so_laddr_sa, so_laddr, len);
4286 			mutex_exit(&so->so_lock);
4287 
4288 			/* get peer address */
4289 			STRUCT_INIT(msg, get_udatamodel());
4290 
4291 			if (copyin((caddr_t)(uap->msg),
4292 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4293 				break;
4294 			}
4295 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4296 			if (msg_name == NULL)
4297 				break;
4298 
4299 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4300 			/* length is value from recvmsg - sanity check */
4301 			if (msg_namelen == 0)
4302 				break;
4303 
4304 			if (copyin(msg_name, so_faddr,
4305 			    sizeof (so_faddr)) != 0)
4306 				break;
4307 
4308 			add_sock_token = 1;
4309 
4310 		} else if (so->so_type == SOCK_STREAM) {
4311 
4312 			/* get path from file struct here */
4313 			fad = F2A(fp);
4314 			ASSERT(fad);
4315 
4316 			/*
4317 			 * already processed this file for write attempt
4318 			 */
4319 			if (fad->fad_flags & FAD_WRITE) {
4320 				releasef(fd);
4321 				/* don't want to audit every sendmsg attempt */
4322 				tad->tad_flag = 0;
4323 				/* free any residual audit data */
4324 				au_close(kctx, &(u_ad), 0, 0, 0);
4325 				return;
4326 			}
4327 
4328 			/*
4329 			 * mark things so we know what happened and don't
4330 			 * repeat things
4331 			 */
4332 			fad->fad_flags |= FAD_WRITE;
4333 
4334 			bzero((void *)so_laddr, sizeof (so_laddr));
4335 			bzero((void *)so_faddr, sizeof (so_faddr));
4336 
4337 			if (so->so_state & SS_ISBOUND) {
4338 
4339 				if (so->so_laddr_len == 0)
4340 					(void) SOP_GETSOCKNAME(so);
4341 				if (so->so_faddr_len == 0)
4342 					(void) SOP_GETPEERNAME(so);
4343 
4344 				/* get local and foreign addresses */
4345 				mutex_enter(&so->so_lock);
4346 				len = min(so->so_laddr_len, sizeof (so_laddr));
4347 				bcopy(so->so_laddr_sa, so_laddr, len);
4348 				len = min(so->so_faddr_len, sizeof (so_faddr));
4349 				bcopy(so->so_faddr_sa, so_faddr, len);
4350 				mutex_exit(&so->so_lock);
4351 			}
4352 
4353 			add_sock_token = 1;
4354 		}
4355 
4356 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4357 
4358 		break;
4359 
4360 	case AF_UNIX:
4361 		/*
4362 		 * first check if this is first time through. Too much
4363 		 * duplicate code to put this in an aui_ routine.
4364 		 */
4365 
4366 		/* get path from file struct here */
4367 		fad = F2A(fp);
4368 		ASSERT(fad);
4369 
4370 		/*
4371 		 * already processed this file for write attempt
4372 		 */
4373 		if (fad->fad_flags & FAD_WRITE) {
4374 			releasef(fd);
4375 			/* don't want to audit every sendmsg attempt */
4376 			tad->tad_flag = 0;
4377 			/* free any residual audit data */
4378 			au_close(kctx, &(u_ad), 0, 0, 0);
4379 			return;
4380 		}
4381 		/*
4382 		 * mark things so we know what happened and don't
4383 		 * repeat things
4384 		 */
4385 		fad->fad_flags |= FAD_WRITE;
4386 
4387 		if (fad->fad_aupath != NULL) {
4388 			au_uwrite(au_to_path(fad->fad_aupath));
4389 		} else {
4390 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4391 		}
4392 
4393 		audit_attributes(fp->f_vnode);
4394 
4395 		releasef(fd);
4396 
4397 		return;
4398 
4399 	default:
4400 		break;
4401 	}
4402 
4403 	releasef(fd);
4404 
4405 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4406 
4407 	if (add_sock_token == 0) {
4408 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4409 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4410 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4411 		return;
4412 	}
4413 
4414 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4415 
4416 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4417 }
4418 
4419 /*ARGSUSED*/
4420 static void
4421 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4422 {
4423 	struct a {
4424 		long	fd;
4425 		long	msg;	/* char */
4426 		long	len;
4427 		long	flags;
4428 		long	to;	/* struct sockaddr */
4429 		long	tolen;
4430 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4431 
4432 	struct sonode	*so;
4433 	char so_laddr[sizeof (struct sockaddr_in6)];
4434 	char so_faddr[sizeof (struct sockaddr_in6)];
4435 	socklen_t	tolen;
4436 	int		err;
4437 	int		fd;
4438 	int		len;
4439 	short so_family, so_type;
4440 	int		add_sock_token = 0;
4441 	struct file	*fp;
4442 	struct f_audit_data *fad;
4443 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4444 
4445 	fd = (int)uap->fd;
4446 
4447 	/* bail if an error */
4448 	if (error) {
4449 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4450 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4451 		/* XXX include destination address from system call arguments */
4452 		return;
4453 	}
4454 
4455 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4456 		/*
4457 		 * not security relevant if doing a sendto using non socket
4458 		 * so no extra tokens. Should probably turn off audit record
4459 		 * generation here.
4460 		 */
4461 		return;
4462 	}
4463 
4464 	so_family = so->so_family;
4465 	so_type   = so->so_type;
4466 
4467 	/*
4468 	 * only putout SOCKET_EX token if INET/INET6 family.
4469 	 * XXX - what do we do about other families?
4470 	 */
4471 
4472 	switch (so_family) {
4473 	case AF_INET:
4474 	case AF_INET6:
4475 
4476 		/*
4477 		 * if datagram type socket, then just use what is in
4478 		 * socket structure for local address.
4479 		 * XXX - what do we do for other types?
4480 		 */
4481 		if ((so->so_type == SOCK_DGRAM) ||
4482 		    (so->so_type == SOCK_RAW)) {
4483 
4484 			bzero((void *)so_laddr, sizeof (so_laddr));
4485 			bzero((void *)so_faddr, sizeof (so_faddr));
4486 
4487 			/* get local address */
4488 			mutex_enter(&so->so_lock);
4489 			len = min(so->so_laddr_len, sizeof (so_laddr));
4490 			bcopy(so->so_laddr_sa, so_laddr, len);
4491 			mutex_exit(&so->so_lock);
4492 
4493 			/* get peer address */
4494 
4495 			/* sanity check */
4496 			if (uap->to == NULL)
4497 				break;
4498 
4499 			/* sanity checks */
4500 			if (uap->tolen == 0)
4501 				break;
4502 
4503 			tolen = (socklen_t)uap->tolen;
4504 
4505 			/* enforce maximum size */
4506 			if (tolen > sizeof (so_faddr))
4507 				tolen = sizeof (so_faddr);
4508 
4509 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4510 				break;
4511 
4512 			add_sock_token = 1;
4513 		} else {
4514 			/*
4515 			 * check if this is first time through.
4516 			 */
4517 
4518 			/* get path from file struct here */
4519 			fad = F2A(fp);
4520 			ASSERT(fad);
4521 
4522 			/*
4523 			 * already processed this file for write attempt
4524 			 */
4525 			if (fad->fad_flags & FAD_WRITE) {
4526 				/* don't want to audit every sendto attempt */
4527 				tad->tad_flag = 0;
4528 				/* free any residual audit data */
4529 				au_close(kctx, &(u_ad), 0, 0, 0);
4530 				releasef(fd);
4531 				return;
4532 			}
4533 			/*
4534 			 * mark things so we know what happened and don't
4535 			 * repeat things
4536 			 */
4537 			fad->fad_flags |= FAD_WRITE;
4538 
4539 			bzero((void *)so_laddr, sizeof (so_laddr));
4540 			bzero((void *)so_faddr, sizeof (so_faddr));
4541 
4542 			if (so->so_state & SS_ISBOUND) {
4543 
4544 				if (so->so_laddr_len == 0)
4545 					(void) SOP_GETSOCKNAME(so);
4546 				if (so->so_faddr_len == 0)
4547 					(void) SOP_GETPEERNAME(so);
4548 
4549 				/* get local and foreign addresses */
4550 				mutex_enter(&so->so_lock);
4551 				len = min(so->so_laddr_len, sizeof (so_laddr));
4552 				bcopy(so->so_laddr_sa, so_laddr, len);
4553 				len = min(so->so_faddr_len, sizeof (so_faddr));
4554 				bcopy(so->so_faddr_sa, so_faddr, len);
4555 				mutex_exit(&so->so_lock);
4556 			}
4557 
4558 			add_sock_token = 1;
4559 		}
4560 
4561 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4562 
4563 		break;
4564 
4565 	case AF_UNIX:
4566 		/*
4567 		 * first check if this is first time through. Too much
4568 		 * duplicate code to put this in an aui_ routine.
4569 		 */
4570 
4571 		/* get path from file struct here */
4572 		fad = F2A(fp);
4573 		ASSERT(fad);
4574 
4575 		/*
4576 		 * already processed this file for write attempt
4577 		 */
4578 		if (fad->fad_flags & FAD_WRITE) {
4579 			/* don't want to audit every sendto attempt */
4580 			tad->tad_flag = 0;
4581 			/* free any residual audit data */
4582 			au_close(kctx, &(u_ad), 0, 0, 0);
4583 			releasef(fd);
4584 			return;
4585 		}
4586 		/*
4587 		 * mark things so we know what happened and don't
4588 		 * repeat things
4589 		 */
4590 		fad->fad_flags |= FAD_WRITE;
4591 
4592 		if (fad->fad_aupath != NULL) {
4593 			au_uwrite(au_to_path(fad->fad_aupath));
4594 		} else {
4595 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4596 		}
4597 
4598 		audit_attributes(fp->f_vnode);
4599 
4600 		releasef(fd);
4601 
4602 		return;
4603 
4604 	default:
4605 		break;
4606 
4607 	}
4608 
4609 	releasef(fd);
4610 
4611 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4612 
4613 	if (add_sock_token == 0) {
4614 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4615 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4616 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4617 		return;
4618 	}
4619 
4620 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4621 
4622 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4623 
4624 }
4625 
4626 /*
4627  * XXX socket(2) may be equivilent to open(2) on a unix domain
4628  * socket. This needs investigation.
4629  */
4630 
4631 /*ARGSUSED*/
4632 static void
4633 aus_socket(struct t_audit_data *tad)
4634 {
4635 	struct a {
4636 		long	domain;
4637 		long	type;
4638 		long	protocol;
4639 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4640 
4641 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4642 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4643 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4644 }
4645 
4646 /*ARGSUSED*/
4647 static void
4648 aus_sigqueue(struct t_audit_data *tad)
4649 {
4650 	struct a {
4651 		long	pid;
4652 		long	signo;
4653 		long	*val;
4654 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4655 	struct proc *p;
4656 	uid_t uid, ruid;
4657 	gid_t gid, rgid;
4658 	pid_t pid;
4659 	const auditinfo_addr_t *ainfo;
4660 	cred_t *cr;
4661 
4662 	pid = (pid_t)uap->pid;
4663 
4664 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4665 	if (pid > 0) {
4666 		mutex_enter(&pidlock);
4667 		if ((p = prfind(pid)) == (struct proc *)0) {
4668 			mutex_exit(&pidlock);
4669 			return;
4670 		}
4671 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4672 		mutex_exit(&pidlock);
4673 
4674 		mutex_enter(&p->p_crlock);
4675 		crhold(cr = p->p_cred);
4676 		mutex_exit(&p->p_crlock);
4677 		mutex_exit(&p->p_lock);
4678 
4679 		ainfo = crgetauinfo(cr);
4680 		if (ainfo == NULL) {
4681 			crfree(cr);
4682 			return;
4683 		}
4684 
4685 		uid  = crgetuid(cr);
4686 		gid  = crgetgid(cr);
4687 		ruid = crgetruid(cr);
4688 		rgid = crgetrgid(cr);
4689 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4690 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4691 		crfree(cr);
4692 	}
4693 	else
4694 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4695 }
4696 
4697 /*ARGSUSED*/
4698 static void
4699 aus_inst_sync(struct t_audit_data *tad)
4700 {
4701 	struct a {
4702 		long	name;	/* char */
4703 		long	flags;
4704 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4705 
4706 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4707 }
4708 
4709 /*ARGSUSED*/
4710 static void
4711 aus_brandsys(struct t_audit_data *tad)
4712 {
4713 	klwp_t *clwp = ttolwp(curthread);
4714 
4715 	struct a {
4716 		long	cmd;
4717 		long	arg1;
4718 		long	arg2;
4719 		long	arg3;
4720 		long	arg4;
4721 		long	arg5;
4722 		long	arg6;
4723 	} *uap = (struct a *)clwp->lwp_ap;
4724 
4725 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4726 #ifdef _LP64
4727 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4728 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4729 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4730 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4731 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4732 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4733 #else
4734 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4735 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4736 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4737 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4738 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4739 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4740 #endif
4741 }
4742 
4743 /*ARGSUSED*/
4744 static void
4745 aus_p_online(struct t_audit_data *tad)
4746 {
4747 	struct a {
4748 		long	processor_id;
4749 		long	flag;
4750 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4751 
4752 	struct flags {
4753 			int	flag;
4754 			char	*cflag;
4755 	} aflags[6] = {
4756 			{ P_ONLINE, "P_ONLINE"},
4757 			{ P_OFFLINE, "P_OFFLINE"},
4758 			{ P_NOINTR, "P_NOINTR"},
4759 			{ P_SPARE, "P_SPARE"},
4760 			{ P_FAULTED, "P_FAULTED"},
4761 			{ P_STATUS, "P_STATUS"}
4762 	};
4763 	int i;
4764 	char *cflag;
4765 
4766 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4767 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4768 
4769 	for (i = 0; i < 6; i++) {
4770 		if (aflags[i].flag == uap->flag)
4771 			break;
4772 	}
4773 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4774 
4775 	au_uwrite(au_to_text(cflag));
4776 }
4777 
4778 /*ARGSUSED*/
4779 static void
4780 aus_processor_bind(struct t_audit_data *tad)
4781 {
4782 	struct a {
4783 		long	id_type;
4784 		long	id;
4785 		long	processor_id;
4786 		long	obind;
4787 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4788 
4789 	struct proc *p;
4790 	int lwpcnt;
4791 	uid_t uid, ruid;
4792 	gid_t gid, rgid;
4793 	pid_t pid;
4794 	const auditinfo_addr_t *ainfo;
4795 	cred_t *cr;
4796 
4797 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4798 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4799 	if (uap->processor_id == PBIND_NONE)
4800 		au_uwrite(au_to_text("PBIND_NONE"));
4801 	else
4802 		au_uwrite(au_to_arg32(3, "processor_id",
4803 					(uint32_t)uap->processor_id));
4804 
4805 	switch (uap->id_type) {
4806 	case P_MYID:
4807 	case P_LWPID:
4808 		mutex_enter(&pidlock);
4809 		p = ttoproc(curthread);
4810 		if (p == NULL || p->p_as == &kas) {
4811 			mutex_exit(&pidlock);
4812 			return;
4813 		}
4814 		mutex_enter(&p->p_lock);
4815 		mutex_exit(&pidlock);
4816 		lwpcnt = p->p_lwpcnt;
4817 		pid  = p->p_pid;
4818 
4819 		mutex_enter(&p->p_crlock);
4820 		crhold(cr = p->p_cred);
4821 		mutex_exit(&p->p_crlock);
4822 		mutex_exit(&p->p_lock);
4823 
4824 		ainfo = crgetauinfo(cr);
4825 		if (ainfo == NULL) {
4826 			crfree(cr);
4827 			return;
4828 		}
4829 
4830 		uid  = crgetuid(cr);
4831 		gid  = crgetgid(cr);
4832 		ruid = crgetruid(cr);
4833 		rgid = crgetrgid(cr);
4834 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4835 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4836 		crfree(cr);
4837 		break;
4838 	case P_PID:
4839 		mutex_enter(&pidlock);
4840 		p = prfind(uap->id);
4841 		if (p == NULL || p->p_as == &kas) {
4842 			mutex_exit(&pidlock);
4843 			return;
4844 		}
4845 		mutex_enter(&p->p_lock);
4846 		mutex_exit(&pidlock);
4847 		lwpcnt = p->p_lwpcnt;
4848 		pid  = p->p_pid;
4849 
4850 		mutex_enter(&p->p_crlock);
4851 		crhold(cr = p->p_cred);
4852 		mutex_exit(&p->p_crlock);
4853 		mutex_exit(&p->p_lock);
4854 
4855 		ainfo = crgetauinfo(cr);
4856 		if (ainfo == NULL) {
4857 			crfree(cr);
4858 			return;
4859 		}
4860 
4861 		uid  = crgetuid(cr);
4862 		gid  = crgetgid(cr);
4863 		ruid = crgetruid(cr);
4864 		rgid = crgetrgid(cr);
4865 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4866 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4867 		crfree(cr);
4868 
4869 		break;
4870 	default:
4871 		return;
4872 	}
4873 
4874 	if (uap->processor_id == PBIND_NONE &&
4875 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4876 		au_uwrite(au_to_text("PBIND_NONE for process"));
4877 	else
4878 		au_uwrite(au_to_arg32(3, "processor_id",
4879 					(uint32_t)uap->processor_id));
4880 }
4881 
4882 /*ARGSUSED*/
4883 static au_event_t
4884 aui_doorfs(au_event_t e)
4885 {
4886 	uint32_t code;
4887 
4888 	struct a {		/* doorfs */
4889 		long	a1;
4890 		long	a2;
4891 		long	a3;
4892 		long	a4;
4893 		long	a5;
4894 		long	code;
4895 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4896 
4897 	/*
4898 	 *	audit formats for several of the
4899 	 *	door calls have not yet been determined
4900 	 */
4901 	code = (uint32_t)uap->code;
4902 	switch (code) {
4903 	case DOOR_CALL:
4904 		e = AUE_DOORFS_DOOR_CALL;
4905 		break;
4906 	case DOOR_RETURN:
4907 		e = AUE_NULL;
4908 		break;
4909 	case DOOR_CREATE:
4910 		e = AUE_DOORFS_DOOR_CREATE;
4911 		break;
4912 	case DOOR_REVOKE:
4913 		e = AUE_DOORFS_DOOR_REVOKE;
4914 		break;
4915 	case DOOR_INFO:
4916 		e = AUE_NULL;
4917 		break;
4918 	case DOOR_UCRED:
4919 		e = AUE_NULL;
4920 		break;
4921 	case DOOR_BIND:
4922 		e = AUE_NULL;
4923 		break;
4924 	case DOOR_UNBIND:
4925 		e = AUE_NULL;
4926 		break;
4927 	case DOOR_GETPARAM:
4928 		e = AUE_NULL;
4929 		break;
4930 	case DOOR_SETPARAM:
4931 		e = AUE_NULL;
4932 		break;
4933 	default:	/* illegal system call */
4934 		e = AUE_NULL;
4935 		break;
4936 	}
4937 
4938 	return (e);
4939 }
4940 
4941 static door_node_t *
4942 au_door_lookup(int did)
4943 {
4944 	vnode_t	*vp;
4945 	file_t *fp;
4946 
4947 	if ((fp = getf(did)) == NULL)
4948 		return (NULL);
4949 	/*
4950 	 * Use the underlying vnode (we may be namefs mounted)
4951 	 */
4952 	if (VOP_REALVP(fp->f_vnode, &vp))
4953 		vp = fp->f_vnode;
4954 
4955 	if (vp == NULL || vp->v_type != VDOOR) {
4956 		releasef(did);
4957 		return (NULL);
4958 	}
4959 
4960 	return (VTOD(vp));
4961 }
4962 
4963 /*ARGSUSED*/
4964 static void
4965 aus_doorfs(struct t_audit_data *tad)
4966 {
4967 
4968 	struct a {		/* doorfs */
4969 		long	a1;
4970 		long	a2;
4971 		long	a3;
4972 		long	a4;
4973 		long	a5;
4974 		long	code;
4975 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4976 
4977 	door_node_t	*dp;
4978 	struct proc	*p;
4979 	uint32_t	did;
4980 	uid_t uid, ruid;
4981 	gid_t gid, rgid;
4982 	pid_t pid;
4983 	const auditinfo_addr_t *ainfo;
4984 	cred_t *cr;
4985 
4986 	did = (uint32_t)uap->a1;
4987 
4988 	switch (tad->tad_event) {
4989 	case AUE_DOORFS_DOOR_CALL:
4990 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
4991 		if ((dp = au_door_lookup(did)) == NULL)
4992 			break;
4993 
4994 		if (DOOR_INVALID(dp)) {
4995 			releasef(did);
4996 			break;
4997 		}
4998 
4999 		if ((p = dp->door_target) == NULL) {
5000 			releasef(did);
5001 			break;
5002 		}
5003 		mutex_enter(&p->p_lock);
5004 		releasef(did);
5005 
5006 		pid  = p->p_pid;
5007 
5008 		mutex_enter(&p->p_crlock);
5009 		crhold(cr = p->p_cred);
5010 		mutex_exit(&p->p_crlock);
5011 		mutex_exit(&p->p_lock);
5012 
5013 		ainfo = crgetauinfo(cr);
5014 		if (ainfo == NULL) {
5015 			crfree(cr);
5016 			return;
5017 		}
5018 		uid  = crgetuid(cr);
5019 		gid  = crgetgid(cr);
5020 		ruid = crgetruid(cr);
5021 		rgid = crgetrgid(cr);
5022 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5023 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5024 		crfree(cr);
5025 		break;
5026 	case AUE_DOORFS_DOOR_RETURN:
5027 		/*
5028 		 * We may want to write information about
5029 		 * all doors (if any) which will be copied
5030 		 * by this call to the user space
5031 		 */
5032 		break;
5033 	case AUE_DOORFS_DOOR_CREATE:
5034 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5035 		break;
5036 	case AUE_DOORFS_DOOR_REVOKE:
5037 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5038 		break;
5039 	case AUE_DOORFS_DOOR_INFO:
5040 		break;
5041 	case AUE_DOORFS_DOOR_CRED:
5042 		break;
5043 	case AUE_DOORFS_DOOR_BIND:
5044 		break;
5045 	case AUE_DOORFS_DOOR_UNBIND: {
5046 		break;
5047 	}
5048 	default:	/* illegal system call */
5049 		break;
5050 	}
5051 }
5052 
5053 /*ARGSUSED*/
5054 static au_event_t
5055 aui_acl(au_event_t e)
5056 {
5057 	struct a {
5058 		union {
5059 			long	name;	/* char */
5060 			long	fd;
5061 		}		obj;
5062 
5063 		long		cmd;
5064 		long		nentries;
5065 		long		arg;	/* aclent_t */
5066 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5067 
5068 	switch (uap->cmd) {
5069 	case SETACL:
5070 		/* ok, acl(SETACL, ...) and facl(SETACL, ...)  are expected. */
5071 		break;
5072 	case GETACL:
5073 	case GETACLCNT:
5074 		/* do nothing for these two values. */
5075 		e = AUE_NULL;
5076 		break;
5077 	default:
5078 		/* illegal system call */
5079 		break;
5080 	}
5081 
5082 	return (e);
5083 }
5084 
5085 
5086 /*ARGSUSED*/
5087 static void
5088 aus_acl(struct t_audit_data *tad)
5089 {
5090 	struct a {
5091 		long	fname;
5092 		long	cmd;
5093 		long	nentries;
5094 		long	aclbufp;
5095 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5096 	struct acl *aclbufp;
5097 
5098 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5099 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5100 
5101 	switch (uap->cmd) {
5102 	case GETACL:
5103 	case GETACLCNT:
5104 		break;
5105 	case SETACL:
5106 	    if (uap->nentries < 3)
5107 		break;
5108 	    else {
5109 		size_t a_size = uap->nentries * sizeof (struct acl);
5110 		int i;
5111 
5112 		aclbufp = kmem_alloc(a_size, KM_SLEEP);
5113 		if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
5114 			kmem_free(aclbufp, a_size);
5115 			break;
5116 		}
5117 		for (i = 0; i < uap->nentries; i++) {
5118 			au_uwrite(au_to_acl(aclbufp + i));
5119 		}
5120 		kmem_free(aclbufp, a_size);
5121 		break;
5122 	}
5123 	default:
5124 		break;
5125 	}
5126 }
5127 
5128 /*ARGSUSED*/
5129 static void
5130 aus_facl(struct t_audit_data *tad)
5131 {
5132 	struct a {
5133 		long	fd;
5134 		long	cmd;
5135 		long	nentries;
5136 		long	aclbufp;
5137 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5138 	struct file  *fp;
5139 	struct vnode *vp;
5140 	struct f_audit_data *fad;
5141 	struct acl *aclbufp;
5142 	int fd;
5143 
5144 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5145 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5146 
5147 	fd = (int)uap->fd;
5148 
5149 	if ((fp = getf(fd)) == NULL)
5150 		return;
5151 
5152 	/* get path from file struct here */
5153 	fad = F2A(fp);
5154 	if (fad->fad_aupath != NULL) {
5155 		au_uwrite(au_to_path(fad->fad_aupath));
5156 	} else {
5157 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5158 	}
5159 
5160 	vp = fp->f_vnode;
5161 	audit_attributes(vp);
5162 
5163 	/* decrement file descriptor reference count */
5164 	releasef(fd);
5165 
5166 	switch (uap->cmd) {
5167 	case GETACL:
5168 	case GETACLCNT:
5169 		break;
5170 	case SETACL:
5171 	    if (uap->nentries < 3)
5172 		break;
5173 	    else {
5174 		size_t a_size = uap->nentries * sizeof (struct acl);
5175 		int i;
5176 
5177 		aclbufp = kmem_alloc(a_size, KM_SLEEP);
5178 		if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
5179 			kmem_free(aclbufp, a_size);
5180 			break;
5181 		}
5182 		for (i = 0; i < uap->nentries; i++) {
5183 			au_uwrite(au_to_acl(aclbufp + i));
5184 		}
5185 		kmem_free(aclbufp, a_size);
5186 		break;
5187 	}
5188 	default:
5189 		break;
5190 	}
5191 }
5192 
5193 /*ARGSUSED*/
5194 static void
5195 auf_read(tad, error, rval)
5196 	struct t_audit_data *tad;
5197 	int error;
5198 	rval_t *rval;
5199 {
5200 	struct file *fp;
5201 	struct f_audit_data *fad;
5202 	int fd;
5203 	register struct a {
5204 		long	fd;
5205 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5206 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5207 
5208 	fd = (int)uap->fd;
5209 
5210 	/*
5211 	 * convert file pointer to file descriptor
5212 	 *   Note: fd ref count incremented here.
5213 	 */
5214 	if ((fp = getf(fd)) == NULL)
5215 		return;
5216 
5217 	/* get path from file struct here */
5218 	fad = F2A(fp);
5219 	ASSERT(fad);
5220 
5221 	/*
5222 	 * already processed this file for read attempt
5223 	 *
5224 	 * XXX might be better to turn off auditing in a aui_read() routine.
5225 	 */
5226 	if (fad->fad_flags & FAD_READ) {
5227 		/* don't really want to audit every read attempt */
5228 		tad->tad_flag = 0;
5229 		/* free any residual audit data */
5230 		au_close(kctx, &(u_ad), 0, 0, 0);
5231 		releasef(fd);
5232 		return;
5233 	}
5234 	/* mark things so we know what happened and don't repeat things */
5235 	fad->fad_flags |= FAD_READ;
5236 
5237 	if (fad->fad_aupath != NULL) {
5238 		au_uwrite(au_to_path(fad->fad_aupath));
5239 	} else {
5240 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5241 	}
5242 
5243 	/* include attributes */
5244 	audit_attributes(fp->f_vnode);
5245 
5246 	/* decrement file descriptor reference count */
5247 	releasef(fd);
5248 }
5249 
5250 /*ARGSUSED*/
5251 static void
5252 auf_write(tad, error, rval)
5253 	struct t_audit_data *tad;
5254 	int error;
5255 	rval_t *rval;
5256 {
5257 	struct file *fp;
5258 	struct f_audit_data *fad;
5259 	int fd;
5260 	register struct a {
5261 		long	fd;
5262 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5263 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5264 
5265 	fd = (int)uap->fd;
5266 
5267 	/*
5268 	 * convert file pointer to file descriptor
5269 	 *   Note: fd ref count incremented here.
5270 	 */
5271 	if ((fp = getf(fd)) == NULL)
5272 		return;
5273 
5274 	/* get path from file struct here */
5275 	fad = F2A(fp);
5276 	ASSERT(fad);
5277 
5278 	/*
5279 	 * already processed this file for write attempt
5280 	 *
5281 	 * XXX might be better to turn off auditing in a aus_write() routine.
5282 	 */
5283 	if (fad->fad_flags & FAD_WRITE) {
5284 		/* don't really want to audit every write attempt */
5285 		tad->tad_flag = 0;
5286 		/* free any residual audit data */
5287 		au_close(kctx, &(u_ad), 0, 0, 0);
5288 		releasef(fd);
5289 		return;
5290 	}
5291 	/* mark things so we know what happened and don't repeat things */
5292 	fad->fad_flags |= FAD_WRITE;
5293 
5294 	if (fad->fad_aupath != NULL) {
5295 		au_uwrite(au_to_path(fad->fad_aupath));
5296 	} else {
5297 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5298 	}
5299 
5300 	/* include attributes */
5301 	audit_attributes(fp->f_vnode);
5302 
5303 	/* decrement file descriptor reference count */
5304 	releasef(fd);
5305 }
5306 
5307 /*ARGSUSED*/
5308 static void
5309 auf_recv(tad, error, rval)
5310 	struct t_audit_data *tad;
5311 	int error;
5312 	rval_t *rval;
5313 {
5314 	struct sonode *so;
5315 	char so_laddr[sizeof (struct sockaddr_in6)];
5316 	char so_faddr[sizeof (struct sockaddr_in6)];
5317 	struct file *fp;
5318 	struct f_audit_data *fad;
5319 	int fd;
5320 	int err;
5321 	int len;
5322 	short so_family, so_type;
5323 	register struct a {
5324 		long	fd;
5325 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5326 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5327 
5328 	/*
5329 	 * If there was an error, then nothing to do. Only generate
5330 	 * audit record on first successful recv.
5331 	 */
5332 	if (error) {
5333 		/* Turn off audit record generation here. */
5334 		tad->tad_flag = 0;
5335 		/* free any residual audit data */
5336 		au_close(kctx, &(u_ad), 0, 0, 0);
5337 		return;
5338 	}
5339 
5340 	fd = (int)uap->fd;
5341 
5342 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
5343 		/* Turn off audit record generation here. */
5344 		tad->tad_flag = 0;
5345 		/* free any residual audit data */
5346 		au_close(kctx, &(u_ad), 0, 0, 0);
5347 		return;
5348 	}
5349 
5350 	/* get path from file struct here */
5351 	fad = F2A(fp);
5352 	ASSERT(fad);
5353 
5354 	/*
5355 	 * already processed this file for read attempt
5356 	 */
5357 	if (fad->fad_flags & FAD_READ) {
5358 		releasef(fd);
5359 		/* don't really want to audit every recv call */
5360 		tad->tad_flag = 0;
5361 		/* free any residual audit data */
5362 		au_close(kctx, &(u_ad), 0, 0, 0);
5363 		return;
5364 	}
5365 
5366 	/* mark things so we know what happened and don't repeat things */
5367 	fad->fad_flags |= FAD_READ;
5368 
5369 	so_family = so->so_family;
5370 	so_type   = so->so_type;
5371 
5372 	switch (so_family) {
5373 	case AF_INET:
5374 	case AF_INET6:
5375 		/*
5376 		 * Only for connections.
5377 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5378 		 */
5379 		if (so->so_state & SS_ISBOUND) {
5380 
5381 			bzero((void *)so_laddr, sizeof (so_laddr));
5382 			bzero((void *)so_faddr, sizeof (so_faddr));
5383 
5384 			/* only done once on a connection */
5385 			(void) SOP_GETSOCKNAME(so);
5386 			(void) SOP_GETPEERNAME(so);
5387 
5388 			/* get local and foreign addresses */
5389 			mutex_enter(&so->so_lock);
5390 			len = min(so->so_laddr_len, sizeof (so_laddr));
5391 			bcopy(so->so_laddr_sa, so_laddr, len);
5392 			len = min(so->so_faddr_len, sizeof (so_faddr));
5393 			bcopy(so->so_faddr_sa, so_faddr, len);
5394 			mutex_exit(&so->so_lock);
5395 
5396 			/*
5397 			 * only way to drop out of switch. Note that we
5398 			 * we release fd below.
5399 			 */
5400 
5401 			break;
5402 		}
5403 
5404 		releasef(fd);
5405 
5406 		/* don't really want to audit every recv call */
5407 		tad->tad_flag = 0;
5408 		/* free any residual audit data */
5409 		au_close(kctx, &(u_ad), 0, 0, 0);
5410 
5411 		return;
5412 
5413 	case AF_UNIX:
5414 
5415 		if (fad->fad_aupath != NULL) {
5416 			au_uwrite(au_to_path(fad->fad_aupath));
5417 		} else {
5418 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5419 		}
5420 
5421 		audit_attributes(fp->f_vnode);
5422 
5423 		releasef(fd);
5424 
5425 		return;
5426 
5427 	default:
5428 		releasef(fd);
5429 
5430 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5431 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5432 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5433 
5434 		return;
5435 	}
5436 
5437 	releasef(fd);
5438 
5439 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5440 
5441 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5442 
5443 }
5444 
5445 /*ARGSUSED*/
5446 static void
5447 auf_send(tad, error, rval)
5448 	struct t_audit_data *tad;
5449 	int error;
5450 	rval_t *rval;
5451 {
5452 	struct sonode *so;
5453 	char so_laddr[sizeof (struct sockaddr_in6)];
5454 	char so_faddr[sizeof (struct sockaddr_in6)];
5455 	struct file *fp;
5456 	struct f_audit_data *fad;
5457 	int fd;
5458 	int err;
5459 	int len;
5460 	short so_family, so_type;
5461 	register struct a {
5462 		long	fd;
5463 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5464 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5465 
5466 	fd = (int)uap->fd;
5467 
5468 	/*
5469 	 * If there was an error, then nothing to do. Only generate
5470 	 * audit record on first successful send.
5471 	 */
5472 	if (error != 0) {
5473 		/* Turn off audit record generation here. */
5474 		tad->tad_flag = 0;
5475 		/* free any residual audit data */
5476 		au_close(kctx, &(u_ad), 0, 0, 0);
5477 		return;
5478 	}
5479 
5480 	fd = (int)uap->fd;
5481 
5482 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
5483 		/* Turn off audit record generation here. */
5484 		tad->tad_flag = 0;
5485 		/* free any residual audit data */
5486 		au_close(kctx, &(u_ad), 0, 0, 0);
5487 		return;
5488 	}
5489 
5490 	/* get path from file struct here */
5491 	fad = F2A(fp);
5492 	ASSERT(fad);
5493 
5494 	/*
5495 	 * already processed this file for write attempt
5496 	 */
5497 	if (fad->fad_flags & FAD_WRITE) {
5498 		releasef(fd);
5499 		/* don't really want to audit every send call */
5500 		tad->tad_flag = 0;
5501 		/* free any residual audit data */
5502 		au_close(kctx, &(u_ad), 0, 0, 0);
5503 		return;
5504 	}
5505 
5506 	/* mark things so we know what happened and don't repeat things */
5507 	fad->fad_flags |= FAD_WRITE;
5508 
5509 	so_family = so->so_family;
5510 	so_type   = so->so_type;
5511 
5512 	switch (so_family) {
5513 	case AF_INET:
5514 	case AF_INET6:
5515 		/*
5516 		 * Only for connections.
5517 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5518 		 */
5519 		if (so->so_state & SS_ISBOUND) {
5520 
5521 			bzero((void *)so_laddr, sizeof (so_laddr));
5522 			bzero((void *)so_faddr, sizeof (so_faddr));
5523 
5524 			/* only done once on a connection */
5525 			(void) SOP_GETSOCKNAME(so);
5526 			(void) SOP_GETPEERNAME(so);
5527 
5528 			/* get local and foreign addresses */
5529 			mutex_enter(&so->so_lock);
5530 			len = min(so->so_laddr_len, sizeof (so_laddr));
5531 			bcopy(so->so_laddr_sa, so_laddr, len);
5532 			len = min(so->so_faddr_len, sizeof (so_faddr));
5533 			bcopy(so->so_faddr_sa, so_faddr, len);
5534 			mutex_exit(&so->so_lock);
5535 
5536 			/*
5537 			 * only way to drop out of switch. Note that we
5538 			 * we release fd below.
5539 			 */
5540 
5541 			break;
5542 		}
5543 
5544 		releasef(fd);
5545 		/* don't really want to audit every send call */
5546 		tad->tad_flag = 0;
5547 		/* free any residual audit data */
5548 		au_close(kctx, &(u_ad), 0, 0, 0);
5549 
5550 		return;
5551 
5552 	case AF_UNIX:
5553 
5554 		if (fad->fad_aupath != NULL) {
5555 			au_uwrite(au_to_path(fad->fad_aupath));
5556 		} else {
5557 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5558 		}
5559 
5560 		audit_attributes(fp->f_vnode);
5561 
5562 		releasef(fd);
5563 
5564 		return;
5565 
5566 	default:
5567 		releasef(fd);
5568 
5569 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5570 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5571 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5572 
5573 		return;
5574 	}
5575 
5576 	releasef(fd);
5577 
5578 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5579 
5580 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5581 }
5582 
5583 static au_event_t
5584 aui_forksys(au_event_t e)
5585 {
5586 	struct a {
5587 		long	subcode;
5588 		long	flags;
5589 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5590 
5591 	switch ((uint_t)uap->subcode) {
5592 	case 0:
5593 		e = AUE_FORK1;
5594 		break;
5595 	case 1:
5596 		e = AUE_FORKALL;
5597 		break;
5598 	case 2:
5599 		e = AUE_VFORK;
5600 		break;
5601 	default:
5602 		e = AUE_NULL;
5603 		break;
5604 	}
5605 
5606 	return (e);
5607 }
5608