1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * This file contains the audit event table used to control the production 31 * of audit records for each system call. 32 */ 33 34 #include <sys/policy.h> 35 #include <sys/cred.h> 36 #include <sys/types.h> 37 #include <sys/systm.h> 38 #include <sys/systeminfo.h> /* for sysinfo auditing */ 39 #include <sys/utsname.h> /* for sysinfo auditing */ 40 #include <sys/proc.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 43 #include <sys/fcntl.h> 44 #include <sys/modctl.h> /* for modctl auditing */ 45 #include <sys/vnode.h> 46 #include <sys/user.h> 47 #include <sys/types.h> 48 #include <sys/processor.h> 49 #include <sys/procset.h> 50 #include <sys/acl.h> 51 #include <sys/ipc.h> 52 #include <sys/door.h> 53 #include <sys/sem.h> 54 #include <sys/msg.h> 55 #include <sys/shm.h> 56 #include <sys/kmem.h> 57 #include <sys/file.h> /* for accept */ 58 #include <sys/utssys.h> /* for fuser */ 59 #include <sys/tsol/label.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 78 extern token_t *au_to_sock_inet(struct sockaddr_in *); 79 80 int au_naevent; 81 char _depends_on[] = "fs/sockfs"; 82 83 static au_event_t aui_null(au_event_t); 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_auditsys(au_event_t); 96 static au_event_t aui_modctl(au_event_t); 97 static au_event_t aui_acl(au_event_t); 98 static au_event_t aui_doorfs(au_event_t); 99 static au_event_t aui_privsys(au_event_t); 100 static au_event_t aui_forksys(au_event_t); 101 102 static void aus_null(struct t_audit_data *); 103 static void aus_open(struct t_audit_data *); 104 static void aus_acl(struct t_audit_data *); 105 static void aus_acct(struct t_audit_data *); 106 static void aus_chown(struct t_audit_data *); 107 static void aus_fchown(struct t_audit_data *); 108 static void aus_lchown(struct t_audit_data *); 109 static void aus_chmod(struct t_audit_data *); 110 static void aus_facl(struct t_audit_data *); 111 static void aus_fchmod(struct t_audit_data *); 112 static void aus_fcntl(struct t_audit_data *); 113 static void aus_fsat(struct t_audit_data *); 114 static void aus_mkdir(struct t_audit_data *); 115 static void aus_mknod(struct t_audit_data *); 116 static void aus_mount(struct t_audit_data *); 117 static void aus_umount(struct t_audit_data *); 118 static void aus_umount2(struct t_audit_data *); 119 static void aus_msgsys(struct t_audit_data *); 120 static void aus_semsys(struct t_audit_data *); 121 static void aus_close(struct t_audit_data *); 122 static void aus_fstatfs(struct t_audit_data *); 123 static void aus_setgid(struct t_audit_data *); 124 static void aus_setuid(struct t_audit_data *); 125 static void aus_shmsys(struct t_audit_data *); 126 static void aus_doorfs(struct t_audit_data *); 127 static void aus_ioctl(struct t_audit_data *); 128 static void aus_memcntl(struct t_audit_data *); 129 static void aus_mmap(struct t_audit_data *); 130 static void aus_munmap(struct t_audit_data *); 131 static void aus_priocntlsys(struct t_audit_data *); 132 static void aus_setegid(struct t_audit_data *); 133 static void aus_setgroups(struct t_audit_data *); 134 static void aus_seteuid(struct t_audit_data *); 135 static void aus_putmsg(struct t_audit_data *); 136 static void aus_putpmsg(struct t_audit_data *); 137 static void aus_getmsg(struct t_audit_data *); 138 static void aus_getpmsg(struct t_audit_data *); 139 static void aus_auditsys(struct t_audit_data *); 140 static void aus_sysinfo(struct t_audit_data *); 141 static void aus_modctl(struct t_audit_data *); 142 static void aus_kill(struct t_audit_data *); 143 static void aus_xmknod(struct t_audit_data *); 144 static void aus_setregid(struct t_audit_data *); 145 static void aus_setreuid(struct t_audit_data *); 146 147 static void auf_null(struct t_audit_data *, int, rval_t *); 148 static void auf_mknod(struct t_audit_data *, int, rval_t *); 149 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 150 static void auf_semsys(struct t_audit_data *, int, rval_t *); 151 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 152 #if 0 153 static void auf_open(struct t_audit_data *, int, rval_t *); 154 #endif 155 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 156 static void auf_read(struct t_audit_data *, int, rval_t *); 157 static void auf_write(struct t_audit_data *, int, rval_t *); 158 159 static void aus_sigqueue(struct t_audit_data *); 160 static void aus_p_online(struct t_audit_data *); 161 static void aus_processor_bind(struct t_audit_data *); 162 static void aus_inst_sync(struct t_audit_data *); 163 static void aus_brandsys(struct t_audit_data *); 164 165 static void auf_accept(struct t_audit_data *, int, rval_t *); 166 167 static void auf_bind(struct t_audit_data *, int, rval_t *); 168 static void auf_connect(struct t_audit_data *, int, rval_t *); 169 static void aus_shutdown(struct t_audit_data *); 170 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 171 static void aus_sockconfig(struct t_audit_data *); 172 static void auf_recv(struct t_audit_data *, int, rval_t *); 173 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 174 static void auf_send(struct t_audit_data *, int, rval_t *); 175 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 176 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 177 static void auf_sendto(struct t_audit_data *, int, rval_t *); 178 static void aus_socket(struct t_audit_data *); 179 /* 180 * This table contains mapping information for converting system call numbers 181 * to audit event IDs. In several cases it is necessary to map a single system 182 * call to several events. 183 */ 184 185 struct audit_s2e audit_s2e[] = 186 { 187 /* 188 * ---------- ---------- ---------- ---------- 189 * INITIAL AUDIT START SYSTEM 190 * PROCESSING EVENT PROCESSING CALL 191 * ---------- ---------- ---------- ----------- 192 * FINISH EVENT 193 * PROCESSING CONTROL 194 * ---------------------------------------------------------- 195 */ 196 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 197 auf_null, 0, 198 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 199 auf_null, S2E_NPT, 200 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 201 auf_null, 0, 202 aui_null, AUE_READ, aus_null, /* 3 read */ 203 auf_read, S2E_PUB, 204 aui_null, AUE_WRITE, aus_null, /* 4 write */ 205 auf_write, 0, 206 aui_open, AUE_OPEN, aus_open, /* 5 open */ 207 auf_null, S2E_SP, 208 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 209 auf_null, 0, 210 aui_null, AUE_NULL, aus_null, /* 7 wait */ 211 auf_null, 0, 212 aui_null, AUE_CREAT, aus_null, /* 8 create */ 213 auf_null, S2E_SP, 214 aui_null, AUE_LINK, aus_null, /* 9 link */ 215 auf_null, 0, 216 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 217 auf_null, 0, 218 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 219 auf_null, S2E_MLD, 220 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 221 auf_null, S2E_SP, 222 aui_null, AUE_NULL, aus_null, /* 13 time */ 223 auf_null, 0, 224 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 225 auf_mknod, 0, 226 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 227 auf_null, 0, 228 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 229 auf_null, 0, 230 aui_null, AUE_NULL, aus_null, /* 17 brk */ 231 auf_null, 0, 232 aui_null, AUE_STAT, aus_null, /* 18 stat */ 233 auf_null, S2E_PUB, 234 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 235 auf_null, 0, 236 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 237 auf_null, 0, 238 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 239 auf_null, S2E_MLD, 240 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 241 auf_null, 0, 242 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 243 auf_null, 0, 244 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 245 auf_null, 0, 246 aui_null, AUE_STIME, aus_null, /* 25 stime */ 247 auf_null, 0, 248 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 249 auf_null, 0, 250 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 29 pause */ 255 auf_null, 0, 256 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 257 auf_null, 0, 258 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 259 auf_null, 0, 260 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 261 auf_null, 0, 262 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 263 auf_null, S2E_PUB, 264 aui_null, AUE_NICE, aus_null, /* 34 nice */ 265 auf_null, 0, 266 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 267 auf_null, S2E_PUB, 268 aui_null, AUE_NULL, aus_null, /* 36 sync */ 269 auf_null, 0, 270 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 271 auf_null, 0, 272 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 273 auf_null, S2E_PUB, 274 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 275 auf_null, 0, 276 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 277 auf_null, 0, 278 aui_null, AUE_NULL, aus_null, /* 41 dup */ 279 auf_null, 0, 280 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 281 auf_null, 0, 282 aui_null, AUE_NULL, aus_null, /* 43 times */ 283 auf_null, 0, 284 aui_null, AUE_NULL, aus_null, /* 44 profil */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 287 /* was proc lock */ 288 auf_null, 0, 289 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 290 auf_null, 0, 291 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 48 sig */ 294 auf_null, 0, 295 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 296 auf_msgsys, 0, 297 #if defined(__x86) 298 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 299 auf_null, 0, 300 #else 301 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 302 auf_null, 0, 303 #endif /* __x86 */ 304 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 305 auf_null, 0, 306 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 307 auf_shmsys, 0, 308 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 309 auf_semsys, 0, 310 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 311 auf_null, 0, 312 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 313 auf_null, 0, 314 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 315 auf_null, 0, 316 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 317 auf_null, 0, 318 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 319 auf_null, 0, 320 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 321 auf_null, S2E_MLD, 322 aui_null, AUE_NULL, aus_null, /* 60 umask */ 323 auf_null, 0, 324 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 325 auf_null, S2E_SP, 326 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 327 auf_null, 0, 328 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 329 auf_null, 0, 330 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 337 /* file locking call */ 338 auf_null, 0, 339 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 340 /* local system calls */ 341 auf_null, 0, 342 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 343 auf_null, 0, 344 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 355 /* was sigret (SunOS) */ 356 auf_null, 0, 357 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 358 auf_null, 0, 359 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 360 auf_null, 0, 361 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 362 auf_null, 0, 363 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 364 auf_null, 0, 365 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 366 auf_null, 0, 367 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 368 auf_null, 0, 369 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 370 /* was libattach */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 373 /* was libdetach */ 374 auf_null, 0, 375 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 376 auf_null, 0, 377 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 378 auf_null, 0, 379 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 380 auf_null, 0, 381 aui_null, AUE_NULL, aus_null, /* 87 poll */ 382 auf_null, 0, 383 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 384 auf_null, S2E_PUB, 385 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 386 auf_null, 0, 387 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 388 auf_null, S2E_PUB, 389 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 390 auf_null, 0, 391 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 392 auf_null, 0, 393 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 394 auf_null, 0, 395 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 396 auf_null, 0, 397 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 398 auf_null, 0, 399 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 410 auf_null, 0, 411 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 412 /* was evtrapret */ 413 auf_null, 0, 414 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 415 auf_null, S2E_PUB, 416 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 417 auf_null, 0, 418 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 425 auf_null, 0, 426 #if defined(__x86) 427 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 428 auf_null, 0, 429 #else 430 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 431 auf_null, 0, 432 #endif /* __x86 */ 433 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 434 auf_null, 0, 435 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 436 auf_null, 0, 437 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 438 auf_null, 0, /* 112 priocntlsys */ 439 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 440 auf_null, S2E_PUB, 441 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 442 auf_null, 0, 443 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 444 auf_null, 0, 445 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 446 auf_null, 0, 447 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 448 auf_null, 0, 449 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 450 auf_null, 0, 451 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 452 auf_null, 0, 453 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 454 auf_null, 0, 455 aui_null, AUE_READ, aus_null, /* 121 readv */ 456 auf_read, S2E_PUB, 457 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 458 auf_write, 0, 459 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 460 auf_null, S2E_PUB, 461 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 462 auf_null, S2E_PUB, 463 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 464 auf_null, 0, 465 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 466 auf_xmknod, 0, 467 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 468 auf_null, 0, 469 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 470 auf_null, 0, 471 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 472 auf_null, 0, 473 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 474 auf_null, 0, 475 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 476 auf_null, 0, 477 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 478 auf_null, 0, 479 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 480 auf_null, 0, 481 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 482 auf_null, 0, 483 aui_null, AUE_NULL, aus_null, /* 135 uname */ 484 auf_null, 0, 485 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 486 auf_null, 0, 487 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 488 auf_null, 0, 489 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 490 auf_null, 0, 491 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 492 auf_null, 0, 493 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 494 auf_null, 0, 495 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 496 auf_null, 0, 497 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 498 auf_null, 0, 499 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 146 yield */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 514 auf_null, 0, 515 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 516 auf_null, 0, 517 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 518 auf_null, 0, 519 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 520 auf_null, 0, 521 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 522 auf_null, 0, 523 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 524 auf_null, 0, 525 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 544 /* was lwp_setprivate */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 547 /* was lwp_getprivate */ 548 auf_null, 0, 549 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 550 auf_null, 0, 551 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_unlock */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 560 auf_null, 0, 561 aui_null, AUE_READ, aus_null, /* 173 pread */ 562 auf_read, S2E_PUB, 563 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 564 auf_write, 0, 565 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 566 auf_null, 0, 567 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 568 /* aus_inst_sync */ 569 auf_null, 0, 570 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 571 auf_null, 0, 572 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 573 auf_null, 0, 574 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 579 auf_null, 0, 580 aui_null, AUE_NULL, aus_null, /* 182 (loadable) */ 581 auf_null, 0, 582 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 583 auf_null, 0, 584 aui_null, AUE_NULL, aus_null, /* 184 (loadable) tsolsys */ 585 auf_null, 0, 586 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 587 auf_null, 0, 588 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 589 auf_null, 0, 590 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 591 auf_null, 0, /* 187 processor_bind */ 592 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 593 auf_null, 0, 594 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 595 auf_null, 0, 596 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 597 auf_null, 0, 598 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 599 auf_null, 0, 600 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 601 auf_null, 0, 602 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 603 auf_null, 0, 604 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 613 auf_null, 0, 614 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 615 auf_null, 0, 616 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 617 auf_null, 0, 618 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 619 auf_null, 0, 620 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 621 auf_null, 0, 622 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 623 auf_null, 0, 624 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 625 auf_null, 0, 626 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 641 auf_null, 0, 642 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 643 auf_null, 0, 644 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 645 auf_null, 0, 646 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 647 auf_null, S2E_PUB, 648 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 649 auf_null, S2E_PUB, 650 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 651 auf_null, 0, 652 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 653 auf_null, S2E_PUB, 654 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 655 auf_null, 0, 656 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 657 auf_null, 0, 658 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 659 auf_null, 0, 660 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 661 auf_read, S2E_PUB, 662 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 663 auf_write, 0, 664 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 665 auf_null, S2E_SP, 666 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 667 auf_null, S2E_SP, 668 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 669 auf_null, 0, 670 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 671 auf_null, 0, 672 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 675 auf_null, 0, 676 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 677 auf_null, 0, 678 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 679 auf_null, 0, 680 aui_null, AUE_BIND, aus_null, /* 232 bind */ 681 auf_bind, 0, 682 aui_null, AUE_NULL, aus_null, /* 233 listen */ 683 auf_null, 0, 684 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 685 auf_accept, 0, 686 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 687 auf_connect, 0, 688 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 689 auf_null, 0, 690 aui_null, AUE_READ, aus_null, /* 237 recv */ 691 auf_recv, 0, 692 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 693 auf_recvfrom, 0, 694 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 695 auf_recvmsg, 0, 696 aui_null, AUE_WRITE, aus_null, /* 240 send */ 697 auf_send, 0, 698 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 699 auf_sendmsg, 0, 700 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 701 auf_sendto, 0, 702 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 703 auf_null, 0, 704 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 705 auf_null, 0, 706 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 707 auf_null, 0, 708 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 709 auf_setsockopt, 0, 710 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 711 auf_null, 0, 712 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 713 auf_null, 0, 714 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 715 auf_null, 0, 716 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 717 auf_null, 0, 718 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_init */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 723 auf_null, 0, 724 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 725 auf_null, 0, 726 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 727 auf_null, 0 728 }; 729 730 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 731 732 char *so_not_bound = "socket not bound"; 733 char *so_not_conn = "socket not connected"; 734 char *so_bad_addr = "bad socket address"; 735 char *so_bad_peer_addr = "bad peer address"; 736 737 /* null start function */ 738 /*ARGSUSED*/ 739 static void 740 aus_null(struct t_audit_data *tad) 741 { 742 } 743 744 /* acct start function */ 745 /*ARGSUSED*/ 746 static void 747 aus_acct(struct t_audit_data *tad) 748 { 749 klwp_t *clwp = ttolwp(curthread); 750 uintptr_t fname; 751 752 struct a { 753 long fname; /* char * */ 754 } *uap = (struct a *)clwp->lwp_ap; 755 756 fname = (uintptr_t)uap->fname; 757 758 if (fname == 0) 759 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 760 } 761 762 /* chown start function */ 763 /*ARGSUSED*/ 764 static void 765 aus_chown(struct t_audit_data *tad) 766 { 767 klwp_t *clwp = ttolwp(curthread); 768 uint32_t uid, gid; 769 770 struct a { 771 long fname; /* char * */ 772 long uid; 773 long gid; 774 } *uap = (struct a *)clwp->lwp_ap; 775 776 uid = (uint32_t)uap->uid; 777 gid = (uint32_t)uap->gid; 778 779 au_uwrite(au_to_arg32(2, "new file uid", uid)); 780 au_uwrite(au_to_arg32(3, "new file gid", gid)); 781 } 782 783 /* fchown start function */ 784 /*ARGSUSED*/ 785 static void 786 aus_fchown(struct t_audit_data *tad) 787 { 788 klwp_t *clwp = ttolwp(curthread); 789 uint32_t uid, gid, fd; 790 struct file *fp; 791 struct vnode *vp; 792 struct f_audit_data *fad; 793 794 struct a { 795 long fd; 796 long uid; 797 long gid; 798 } *uap = (struct a *)clwp->lwp_ap; 799 800 fd = (uint32_t)uap->fd; 801 uid = (uint32_t)uap->uid; 802 gid = (uint32_t)uap->gid; 803 804 au_uwrite(au_to_arg32(2, "new file uid", uid)); 805 au_uwrite(au_to_arg32(3, "new file gid", gid)); 806 807 /* 808 * convert file pointer to file descriptor 809 * Note: fd ref count incremented here. 810 */ 811 if ((fp = getf(fd)) == NULL) 812 return; 813 814 /* get path from file struct here */ 815 fad = F2A(fp); 816 if (fad->fad_aupath != NULL) { 817 au_uwrite(au_to_path(fad->fad_aupath)); 818 } else { 819 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 820 } 821 822 vp = fp->f_vnode; 823 audit_attributes(vp); 824 825 /* decrement file descriptor reference count */ 826 releasef(fd); 827 } 828 829 /*ARGSUSED*/ 830 static void 831 aus_lchown(struct t_audit_data *tad) 832 { 833 klwp_t *clwp = ttolwp(curthread); 834 uint32_t uid, gid; 835 836 837 struct a { 838 long fname; /* char * */ 839 long uid; 840 long gid; 841 } *uap = (struct a *)clwp->lwp_ap; 842 843 uid = (uint32_t)uap->uid; 844 gid = (uint32_t)uap->gid; 845 846 au_uwrite(au_to_arg32(2, "new file uid", uid)); 847 au_uwrite(au_to_arg32(3, "new file gid", gid)); 848 } 849 850 /* chmod start function */ 851 /*ARGSUSED*/ 852 static void 853 aus_chmod(struct t_audit_data *tad) 854 { 855 klwp_t *clwp = ttolwp(curthread); 856 uint32_t fmode; 857 858 struct a { 859 long fname; /* char * */ 860 long fmode; 861 } *uap = (struct a *)clwp->lwp_ap; 862 863 fmode = (uint32_t)uap->fmode; 864 865 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 866 } 867 868 /* chmod start function */ 869 /*ARGSUSED*/ 870 static void 871 aus_fchmod(struct t_audit_data *tad) 872 { 873 klwp_t *clwp = ttolwp(curthread); 874 uint32_t fmode, fd; 875 struct file *fp; 876 struct vnode *vp; 877 struct f_audit_data *fad; 878 879 struct a { 880 long fd; 881 long fmode; 882 } *uap = (struct a *)clwp->lwp_ap; 883 884 fd = (uint32_t)uap->fd; 885 fmode = (uint32_t)uap->fmode; 886 887 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 888 889 /* 890 * convert file pointer to file descriptor 891 * Note: fd ref count incremented here. 892 */ 893 if ((fp = getf(fd)) == NULL) 894 return; 895 896 /* get path from file struct here */ 897 fad = F2A(fp); 898 if (fad->fad_aupath != NULL) { 899 au_uwrite(au_to_path(fad->fad_aupath)); 900 } else { 901 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 902 } 903 904 vp = fp->f_vnode; 905 audit_attributes(vp); 906 907 /* decrement file descriptor reference count */ 908 releasef(fd); 909 } 910 911 /* null function */ 912 /*ARGSUSED*/ 913 static void 914 auf_null(struct t_audit_data *tad, int error, rval_t *rval) 915 { 916 } 917 918 /* null function */ 919 static au_event_t 920 aui_null(au_event_t e) 921 { 922 return (e); 923 } 924 925 /* convert open to appropriate event */ 926 static au_event_t 927 aui_open(au_event_t e) 928 { 929 klwp_t *clwp = ttolwp(curthread); 930 uint_t fm; 931 932 struct a { 933 long fnamep; /* char * */ 934 long fmode; 935 long cmode; 936 } *uap = (struct a *)clwp->lwp_ap; 937 938 fm = (uint_t)uap->fmode; 939 940 if (fm & O_WRONLY) 941 e = AUE_OPEN_W; 942 else if (fm & O_RDWR) 943 e = AUE_OPEN_RW; 944 else 945 e = AUE_OPEN_R; 946 947 if (fm & O_CREAT) 948 e += 1; 949 if (fm & O_TRUNC) 950 e += 2; 951 952 return (e); 953 } 954 955 /*ARGSUSED*/ 956 static void 957 aus_open(struct t_audit_data *tad) 958 { 959 klwp_t *clwp = ttolwp(curthread); 960 uint_t fm; 961 962 struct a { 963 long fnamep; /* char * */ 964 long fmode; 965 long cmode; 966 } *uap = (struct a *)clwp->lwp_ap; 967 968 fm = (uint_t)uap->fmode; 969 970 /* If no write, create, or trunc modes, mark as a public op */ 971 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 972 tad->tad_ctrl |= PAD_PUBLIC_EV; 973 } 974 975 /* convert openat(2) to appropriate event */ 976 static au_event_t 977 aui_fsat(au_event_t e) 978 { 979 t_audit_data_t *tad = U2A(u); 980 klwp_t *clwp = ttolwp(curthread); 981 uint_t fmcode, fm; 982 struct a { 983 long id; 984 long arg1; 985 long arg2; 986 long arg3; 987 long arg4; 988 long arg5; 989 } *uap = (struct a *)clwp->lwp_ap; 990 991 fmcode = (uint_t)uap->id; 992 993 switch (fmcode) { 994 995 case 0: /* openat */ 996 case 1: /* openat64 */ 997 fm = (uint_t)uap->arg3; 998 if (fm & O_WRONLY) 999 e = AUE_OPENAT_W; 1000 else if (fm & O_RDWR) 1001 e = AUE_OPENAT_RW; 1002 else 1003 e = AUE_OPENAT_R; 1004 1005 /* 1006 * openat modes are defined in the following order: 1007 * Read only 1008 * Read|Create 1009 * Read|Trunc 1010 * Read|Create|Trunc 1011 * Write Only 1012 * Write|Create 1013 * Write|Trunc 1014 * Write|Create|Trunc * RW Only 1015 * RW|Create 1016 * RW|Trunc 1017 * RW|Create|Trunc 1018 */ 1019 if (fm & O_CREAT) 1020 e += 1; /* increment to include CREAT in mode */ 1021 if (fm & O_TRUNC) 1022 e += 2; /* increment to include TRUNC in mode */ 1023 1024 /* convert to appropriate au_ctrl */ 1025 tad->tad_ctrl |= PAD_SAVPATH; 1026 if (fm & FXATTR) 1027 tad->tad_ctrl |= PAD_ATPATH; 1028 1029 1030 break; 1031 case 2: /* fstatat64 */ 1032 case 3: /* fstatat */ 1033 e = AUE_FSTATAT; 1034 break; 1035 case 4: /* fchownat */ 1036 e = AUE_FCHOWNAT; 1037 break; 1038 case 5: /* unlinkat */ 1039 e = AUE_UNLINKAT; 1040 break; 1041 case 6: /* futimesat */ 1042 e = AUE_FUTIMESAT; 1043 break; 1044 case 7: /* renameat */ 1045 e = AUE_RENAMEAT; 1046 break; 1047 default: 1048 e = AUE_NULL; 1049 break; 1050 } 1051 1052 return (e); 1053 } 1054 1055 /*ARGSUSED*/ 1056 static void 1057 aus_fsat(struct t_audit_data *tad) 1058 { 1059 klwp_t *clwp = ttolwp(curthread); 1060 uint_t fmcode, fm; 1061 struct a { 1062 long id; 1063 long arg1; 1064 long arg2; 1065 long arg3; 1066 long arg4; 1067 long arg5; 1068 } *uap = (struct a *)clwp->lwp_ap; 1069 1070 fmcode = (uint_t)uap->id; 1071 1072 switch (fmcode) { 1073 1074 case 0: /* openat */ 1075 case 1: /* openat64 */ 1076 fm = (uint_t)uap->arg3; 1077 /* If no write, create, or trunc modes, mark as a public op */ 1078 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1079 tad->tad_ctrl |= PAD_PUBLIC_EV; 1080 1081 break; 1082 case 2: /* fstatat64 */ 1083 case 3: /* fstatat */ 1084 tad->tad_ctrl |= PAD_PUBLIC_EV; 1085 break; 1086 default: 1087 break; 1088 } 1089 } 1090 1091 /* msgsys */ 1092 static au_event_t 1093 aui_msgsys(au_event_t e) 1094 { 1095 klwp_t *clwp = ttolwp(curthread); 1096 uint_t fm; 1097 1098 struct a { 1099 long id; /* function code id */ 1100 long ap; /* arg pointer for recvmsg */ 1101 } *uap = (struct a *)clwp->lwp_ap; 1102 1103 struct b { 1104 long msgid; 1105 long cmd; 1106 long buf; /* struct msqid_ds * */ 1107 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1108 1109 fm = (uint_t)uap->id; 1110 1111 switch (fm) { 1112 case 0: /* msgget */ 1113 e = AUE_MSGGET; 1114 break; 1115 case 1: /* msgctl */ 1116 switch ((uint_t)uap1->cmd) { 1117 case IPC_RMID: 1118 e = AUE_MSGCTL_RMID; 1119 break; 1120 case IPC_SET: 1121 e = AUE_MSGCTL_SET; 1122 break; 1123 case IPC_STAT: 1124 e = AUE_MSGCTL_STAT; 1125 break; 1126 default: 1127 e = AUE_MSGCTL; 1128 break; 1129 } 1130 break; 1131 case 2: /* msgrcv */ 1132 e = AUE_MSGRCV; 1133 break; 1134 case 3: /* msgsnd */ 1135 e = AUE_MSGSND; 1136 break; 1137 default: /* illegal system call */ 1138 e = AUE_NULL; 1139 break; 1140 } 1141 1142 return (e); 1143 } 1144 1145 1146 /* shmsys */ 1147 static au_event_t 1148 aui_shmsys(au_event_t e) 1149 { 1150 klwp_t *clwp = ttolwp(curthread); 1151 int fm; 1152 1153 struct a { /* shmsys */ 1154 long id; /* function code id */ 1155 } *uap = (struct a *)clwp->lwp_ap; 1156 1157 struct b { /* ctrl */ 1158 long shmid; 1159 long cmd; 1160 long arg; /* struct shmid_ds * */ 1161 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1162 fm = (uint_t)uap->id; 1163 1164 switch (fm) { 1165 case 0: /* shmat */ 1166 e = AUE_SHMAT; 1167 break; 1168 case 1: /* shmctl */ 1169 switch ((uint_t)uap1->cmd) { 1170 case IPC_RMID: 1171 e = AUE_SHMCTL_RMID; 1172 break; 1173 case IPC_SET: 1174 e = AUE_SHMCTL_SET; 1175 break; 1176 case IPC_STAT: 1177 e = AUE_SHMCTL_STAT; 1178 break; 1179 default: 1180 e = AUE_SHMCTL; 1181 break; 1182 } 1183 break; 1184 case 2: /* shmdt */ 1185 e = AUE_SHMDT; 1186 break; 1187 case 3: /* shmget */ 1188 e = AUE_SHMGET; 1189 break; 1190 default: /* illegal system call */ 1191 e = AUE_NULL; 1192 break; 1193 } 1194 1195 return (e); 1196 } 1197 1198 1199 /* semsys */ 1200 static au_event_t 1201 aui_semsys(au_event_t e) 1202 { 1203 klwp_t *clwp = ttolwp(curthread); 1204 uint_t fm; 1205 1206 struct a { /* semsys */ 1207 long id; 1208 } *uap = (struct a *)clwp->lwp_ap; 1209 1210 struct b { /* ctrl */ 1211 long semid; 1212 long semnum; 1213 long cmd; 1214 long arg; 1215 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1216 1217 fm = (uint_t)uap->id; 1218 1219 switch (fm) { 1220 case 0: /* semctl */ 1221 switch ((uint_t)uap1->cmd) { 1222 case IPC_RMID: 1223 e = AUE_SEMCTL_RMID; 1224 break; 1225 case IPC_SET: 1226 e = AUE_SEMCTL_SET; 1227 break; 1228 case IPC_STAT: 1229 e = AUE_SEMCTL_STAT; 1230 break; 1231 case GETNCNT: 1232 e = AUE_SEMCTL_GETNCNT; 1233 break; 1234 case GETPID: 1235 e = AUE_SEMCTL_GETPID; 1236 break; 1237 case GETVAL: 1238 e = AUE_SEMCTL_GETVAL; 1239 break; 1240 case GETALL: 1241 e = AUE_SEMCTL_GETALL; 1242 break; 1243 case GETZCNT: 1244 e = AUE_SEMCTL_GETZCNT; 1245 break; 1246 case SETVAL: 1247 e = AUE_SEMCTL_SETVAL; 1248 break; 1249 case SETALL: 1250 e = AUE_SEMCTL_SETALL; 1251 break; 1252 default: 1253 e = AUE_SEMCTL; 1254 break; 1255 } 1256 break; 1257 case 1: /* semget */ 1258 e = AUE_SEMGET; 1259 break; 1260 case 2: /* semop */ 1261 e = AUE_SEMOP; 1262 break; 1263 default: /* illegal system call */ 1264 e = AUE_NULL; 1265 break; 1266 } 1267 1268 return (e); 1269 } 1270 1271 /* utssys - uname(2), ustat(2), fusers(2) */ 1272 static au_event_t 1273 aui_utssys(au_event_t e) 1274 { 1275 klwp_t *clwp = ttolwp(curthread); 1276 uint_t type; 1277 1278 struct a { 1279 union { 1280 long cbuf; /* char * */ 1281 long ubuf; /* struct stat * */ 1282 } ub; 1283 union { 1284 long mv; /* for USTAT */ 1285 long flags; /* for FUSERS */ 1286 } un; 1287 long type; 1288 long outbp; /* char * for FUSERS */ 1289 } *uap = (struct a *)clwp->lwp_ap; 1290 1291 type = (uint_t)uap->type; 1292 1293 if (type == UTS_FUSERS) 1294 return (e); 1295 else 1296 return ((au_event_t)AUE_NULL); 1297 } 1298 1299 static au_event_t 1300 aui_fcntl(au_event_t e) 1301 { 1302 klwp_t *clwp = ttolwp(curthread); 1303 uint_t cmd; 1304 1305 struct a { 1306 long fdes; 1307 long cmd; 1308 long arg; 1309 } *uap = (struct a *)clwp->lwp_ap; 1310 1311 cmd = (uint_t)uap->cmd; 1312 1313 switch (cmd) { 1314 case F_GETLK: 1315 case F_SETLK: 1316 case F_SETLKW: 1317 break; 1318 case F_SETFL: 1319 case F_GETFL: 1320 case F_GETFD: 1321 break; 1322 default: 1323 e = (au_event_t)AUE_NULL; 1324 break; 1325 } 1326 return ((au_event_t)e); 1327 } 1328 1329 /* null function for now */ 1330 static au_event_t 1331 aui_execv(au_event_t e) 1332 { 1333 return (e); 1334 } 1335 1336 /* null function for now */ 1337 static au_event_t 1338 aui_execve(au_event_t e) 1339 { 1340 return (e); 1341 } 1342 1343 /*ARGSUSED*/ 1344 static void 1345 aus_fcntl(struct t_audit_data *tad) 1346 { 1347 klwp_t *clwp = ttolwp(curthread); 1348 uint32_t cmd, fd; 1349 struct file *fp; 1350 struct vnode *vp; 1351 struct f_audit_data *fad; 1352 1353 struct a { 1354 long fd; 1355 long cmd; 1356 long arg; 1357 } *uap = (struct a *)clwp->lwp_ap; 1358 1359 cmd = (uint32_t)uap->cmd; 1360 fd = (uint32_t)uap->fd; 1361 1362 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1363 1364 /* 1365 * convert file pointer to file descriptor 1366 * Note: fd ref count incremented here. 1367 */ 1368 if ((fp = getf(fd)) == NULL) 1369 return; 1370 1371 /* get path from file struct here */ 1372 fad = F2A(fp); 1373 if (fad->fad_aupath != NULL) { 1374 au_uwrite(au_to_path(fad->fad_aupath)); 1375 } else { 1376 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1377 } 1378 1379 vp = fp->f_vnode; 1380 audit_attributes(vp); 1381 1382 /* decrement file descriptor reference count */ 1383 releasef(fd); 1384 } 1385 1386 /*ARGSUSED*/ 1387 static void 1388 aus_kill(struct t_audit_data *tad) 1389 { 1390 klwp_t *clwp = ttolwp(curthread); 1391 struct proc *p; 1392 uint32_t signo; 1393 uid_t uid, ruid; 1394 gid_t gid, rgid; 1395 pid_t pid; 1396 const auditinfo_addr_t *ainfo; 1397 cred_t *cr; 1398 1399 struct a { 1400 long pid; 1401 long signo; 1402 } *uap = (struct a *)clwp->lwp_ap; 1403 1404 pid = (pid_t)uap->pid; 1405 signo = (uint32_t)uap->signo; 1406 1407 au_uwrite(au_to_arg32(2, "signal", signo)); 1408 if (pid > 0) { 1409 mutex_enter(&pidlock); 1410 if (((p = prfind(pid)) == (struct proc *)0) || 1411 (p->p_stat == SIDL)) { 1412 mutex_exit(&pidlock); 1413 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1414 return; 1415 } 1416 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1417 mutex_exit(&pidlock); 1418 1419 mutex_enter(&p->p_crlock); 1420 crhold(cr = p->p_cred); 1421 mutex_exit(&p->p_crlock); 1422 mutex_exit(&p->p_lock); 1423 1424 ainfo = crgetauinfo(cr); 1425 if (ainfo == NULL) { 1426 crfree(cr); 1427 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1428 return; 1429 } 1430 1431 uid = crgetuid(cr); 1432 gid = crgetgid(cr); 1433 ruid = crgetruid(cr); 1434 rgid = crgetrgid(cr); 1435 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1436 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1437 1438 if (is_system_labeled()) 1439 au_uwrite(au_to_label(CR_SL(cr))); 1440 1441 crfree(cr); 1442 } 1443 else 1444 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1445 } 1446 1447 /*ARGSUSED*/ 1448 static void 1449 aus_mkdir(struct t_audit_data *tad) 1450 { 1451 klwp_t *clwp = ttolwp(curthread); 1452 uint32_t dmode; 1453 1454 struct a { 1455 long dirnamep; /* char * */ 1456 long dmode; 1457 } *uap = (struct a *)clwp->lwp_ap; 1458 1459 dmode = (uint32_t)uap->dmode; 1460 1461 au_uwrite(au_to_arg32(2, "mode", dmode)); 1462 } 1463 1464 /*ARGSUSED*/ 1465 static void 1466 aus_mknod(struct t_audit_data *tad) 1467 { 1468 klwp_t *clwp = ttolwp(curthread); 1469 uint32_t fmode; 1470 dev_t dev; 1471 1472 struct a { 1473 long pnamep; /* char * */ 1474 long fmode; 1475 long dev; 1476 } *uap = (struct a *)clwp->lwp_ap; 1477 1478 fmode = (uint32_t)uap->fmode; 1479 dev = (dev_t)uap->dev; 1480 1481 au_uwrite(au_to_arg32(2, "mode", fmode)); 1482 #ifdef _LP64 1483 au_uwrite(au_to_arg64(3, "dev", dev)); 1484 #else 1485 au_uwrite(au_to_arg32(3, "dev", dev)); 1486 #endif 1487 } 1488 1489 /*ARGSUSED*/ 1490 static void 1491 aus_xmknod(struct t_audit_data *tad) 1492 { 1493 klwp_t *clwp = ttolwp(curthread); 1494 uint32_t fmode; 1495 dev_t dev; 1496 1497 struct a { 1498 long version; /* version */ 1499 long pnamep; /* char * */ 1500 long fmode; 1501 long dev; 1502 } *uap = (struct a *)clwp->lwp_ap; 1503 1504 fmode = (uint32_t)uap->fmode; 1505 dev = (dev_t)uap->dev; 1506 1507 au_uwrite(au_to_arg32(2, "mode", fmode)); 1508 #ifdef _LP64 1509 au_uwrite(au_to_arg64(3, "dev", dev)); 1510 #else 1511 au_uwrite(au_to_arg32(3, "dev", dev)); 1512 #endif 1513 } 1514 1515 /*ARGSUSED*/ 1516 static void 1517 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1518 { 1519 klwp_t *clwp = ttolwp(curthread); 1520 vnode_t *dvp; 1521 caddr_t pnamep; 1522 1523 struct a { 1524 long pnamep; /* char * */ 1525 long fmode; 1526 long dev; 1527 } *uap = (struct a *)clwp->lwp_ap; 1528 1529 /* no error, then already path token in audit record */ 1530 if (error != EPERM) 1531 return; 1532 1533 /* not auditing this event, nothing then to do */ 1534 if (tad->tad_flag == 0) 1535 return; 1536 1537 /* do the lookup to force generation of path token */ 1538 pnamep = (caddr_t)uap->pnamep; 1539 tad->tad_ctrl |= PAD_NOATTRB; 1540 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1541 if (error == 0) 1542 VN_RELE(dvp); 1543 } 1544 1545 /*ARGSUSED*/ 1546 static void 1547 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1548 { 1549 klwp_t *clwp = ttolwp(curthread); 1550 vnode_t *dvp; 1551 caddr_t pnamep; 1552 1553 struct a { 1554 long version; /* version */ 1555 long pnamep; /* char * */ 1556 long fmode; 1557 long dev; 1558 } *uap = (struct a *)clwp->lwp_arg; 1559 1560 1561 /* no error, then already path token in audit record */ 1562 if (error != EPERM) 1563 return; 1564 1565 /* not auditing this event, nothing then to do */ 1566 if (tad->tad_flag == 0) 1567 return; 1568 1569 /* do the lookup to force generation of path token */ 1570 pnamep = (caddr_t)uap->pnamep; 1571 tad->tad_ctrl |= PAD_NOATTRB; 1572 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1573 if (error == 0) 1574 VN_RELE(dvp); 1575 } 1576 1577 /*ARGSUSED*/ 1578 static void 1579 aus_mount(struct t_audit_data *tad) 1580 { /* AUS_START */ 1581 klwp_t *clwp = ttolwp(curthread); 1582 uint32_t flags; 1583 uintptr_t u_fstype, dataptr; 1584 STRUCT_DECL(nfs_args, nfsargs); 1585 size_t len; 1586 char *fstype, *hostname; 1587 1588 struct a { 1589 long spec; /* char * */ 1590 long dir; /* char * */ 1591 long flags; 1592 long fstype; /* char * */ 1593 long dataptr; /* char * */ 1594 long datalen; 1595 } *uap = (struct a *)clwp->lwp_ap; 1596 1597 u_fstype = (uintptr_t)uap->fstype; 1598 flags = (uint32_t)uap->flags; 1599 dataptr = (uintptr_t)uap->dataptr; 1600 1601 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1602 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1603 goto mount_free_fstype; 1604 1605 au_uwrite(au_to_arg32(3, "flags", flags)); 1606 au_uwrite(au_to_text(fstype)); 1607 1608 if (strncmp(fstype, "nfs", 3) == 0) { 1609 1610 STRUCT_INIT(nfsargs, get_udatamodel()); 1611 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1612 1613 if (copyin((caddr_t)dataptr, 1614 STRUCT_BUF(nfsargs), 1615 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1616 /* DEBUG debug_enter((char *)NULL); */ 1617 goto mount_free_fstype; 1618 } 1619 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1620 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1621 (caddr_t)hostname, 1622 MAXNAMELEN, &len)) { 1623 goto mount_free_hostname; 1624 } 1625 au_uwrite(au_to_text(hostname)); 1626 au_uwrite(au_to_arg32(3, "internal flags", 1627 (uint_t)STRUCT_FGET(nfsargs, flags))); 1628 1629 mount_free_hostname: 1630 kmem_free(hostname, MAXNAMELEN); 1631 } 1632 1633 mount_free_fstype: 1634 kmem_free(fstype, MAXNAMELEN); 1635 } /* AUS_MOUNT */ 1636 1637 static void 1638 aus_umount_path(caddr_t umount_dir) 1639 { 1640 char *dir_path; 1641 struct audit_path *path; 1642 size_t path_len, dir_len; 1643 1644 /* length alloc'd for two string pointers */ 1645 path_len = sizeof (struct audit_path) + sizeof (char *); 1646 path = kmem_alloc(path_len, KM_SLEEP); 1647 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1648 1649 if (copyinstr(umount_dir, (caddr_t)dir_path, 1650 MAXPATHLEN, &dir_len)) 1651 goto umount2_free_dir; 1652 1653 /* 1654 * the audit_path struct assumes that the buffer pointed to 1655 * by audp_sect[n] contains string 0 immediatedly followed 1656 * by string 1. 1657 */ 1658 path->audp_sect[0] = dir_path; 1659 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1660 path->audp_size = path_len; 1661 path->audp_ref = 1; /* not used */ 1662 path->audp_cnt = 1; /* one path string */ 1663 1664 au_uwrite(au_to_path(path)); 1665 1666 umount2_free_dir: 1667 kmem_free(dir_path, MAXPATHLEN); 1668 kmem_free(path, path_len); 1669 } 1670 1671 /* 1672 * the umount syscall is implemented as a call to umount2, but the args 1673 * are different... 1674 */ 1675 1676 /*ARGSUSED*/ 1677 static void 1678 aus_umount(struct t_audit_data *tad) 1679 { 1680 klwp_t *clwp = ttolwp(curthread); 1681 struct a { 1682 long dir; /* char * */ 1683 } *uap = (struct a *)clwp->lwp_ap; 1684 1685 aus_umount_path((caddr_t)uap->dir); 1686 } 1687 1688 /*ARGSUSED*/ 1689 static void 1690 aus_umount2(struct t_audit_data *tad) 1691 { 1692 klwp_t *clwp = ttolwp(curthread); 1693 struct a { 1694 long dir; /* char * */ 1695 long flags; 1696 } *uap = (struct a *)clwp->lwp_ap; 1697 1698 aus_umount_path((caddr_t)uap->dir); 1699 1700 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1701 } 1702 1703 static void 1704 aus_msgsys(struct t_audit_data *tad) 1705 { 1706 klwp_t *clwp = ttolwp(curthread); 1707 uint32_t msgid; 1708 1709 struct b { 1710 long msgid; 1711 long cmd; 1712 long buf; /* struct msqid_ds * */ 1713 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1714 1715 msgid = (uint32_t)uap1->msgid; 1716 1717 1718 switch (tad->tad_event) { 1719 case AUE_MSGGET: /* msgget */ 1720 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1721 break; 1722 case AUE_MSGCTL: /* msgctl */ 1723 case AUE_MSGCTL_RMID: /* msgctl */ 1724 case AUE_MSGCTL_STAT: /* msgctl */ 1725 case AUE_MSGRCV: /* msgrcv */ 1726 case AUE_MSGSND: /* msgsnd */ 1727 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1728 break; 1729 case AUE_MSGCTL_SET: /* msgctl */ 1730 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1731 break; 1732 } 1733 } 1734 1735 /*ARGSUSED*/ 1736 static void 1737 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1738 { 1739 int id; 1740 1741 if (error != 0) 1742 return; 1743 if (tad->tad_event == AUE_MSGGET) { 1744 uint32_t scid; 1745 uint32_t sy_flags; 1746 1747 /* need to determine type of executing binary */ 1748 scid = tad->tad_scid; 1749 #ifdef _SYSCALL32_IMPL 1750 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1751 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1752 else 1753 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1754 #else 1755 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1756 #endif 1757 if (sy_flags == SE_32RVAL1) 1758 id = rval->r_val1; 1759 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1760 id = rval->r_val1; 1761 if (sy_flags == SE_64RVAL) 1762 id = (int)rval->r_vals; 1763 1764 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1765 } 1766 } 1767 1768 static void 1769 aus_semsys(struct t_audit_data *tad) 1770 { 1771 klwp_t *clwp = ttolwp(curthread); 1772 uint32_t semid; 1773 1774 struct b { /* ctrl */ 1775 long semid; 1776 long semnum; 1777 long cmd; 1778 long arg; 1779 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1780 1781 semid = (uint32_t)uap1->semid; 1782 1783 switch (tad->tad_event) { 1784 case AUE_SEMCTL_RMID: 1785 case AUE_SEMCTL_STAT: 1786 case AUE_SEMCTL_GETNCNT: 1787 case AUE_SEMCTL_GETPID: 1788 case AUE_SEMCTL_GETVAL: 1789 case AUE_SEMCTL_GETALL: 1790 case AUE_SEMCTL_GETZCNT: 1791 case AUE_SEMCTL_SETVAL: 1792 case AUE_SEMCTL_SETALL: 1793 case AUE_SEMCTL: 1794 case AUE_SEMOP: 1795 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1796 break; 1797 case AUE_SEMCTL_SET: 1798 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1799 break; 1800 case AUE_SEMGET: 1801 au_uwrite(au_to_arg32(1, "sem key", semid)); 1802 break; 1803 } 1804 } 1805 1806 /*ARGSUSED*/ 1807 static void 1808 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1809 { 1810 int id; 1811 1812 if (error != 0) 1813 return; 1814 if (tad->tad_event == AUE_SEMGET) { 1815 uint32_t scid; 1816 uint32_t sy_flags; 1817 1818 /* need to determine type of executing binary */ 1819 scid = tad->tad_scid; 1820 #ifdef _SYSCALL32_IMPL 1821 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1822 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1823 else 1824 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1825 #else 1826 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1827 #endif 1828 if (sy_flags == SE_32RVAL1) 1829 id = rval->r_val1; 1830 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1831 id = rval->r_val1; 1832 if (sy_flags == SE_64RVAL) 1833 id = (int)rval->r_vals; 1834 1835 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1836 } 1837 } 1838 1839 /*ARGSUSED*/ 1840 static void 1841 aus_close(struct t_audit_data *tad) 1842 { 1843 klwp_t *clwp = ttolwp(curthread); 1844 uint32_t fd; 1845 struct file *fp; 1846 struct f_audit_data *fad; 1847 struct vnode *vp; 1848 struct vattr attr; 1849 au_kcontext_t *kctx = GET_KCTX_PZ; 1850 1851 struct a { 1852 long i; 1853 } *uap = (struct a *)clwp->lwp_ap; 1854 1855 fd = (uint32_t)uap->i; 1856 1857 attr.va_mask = 0; 1858 au_uwrite(au_to_arg32(1, "fd", fd)); 1859 1860 /* 1861 * convert file pointer to file descriptor 1862 * Note: fd ref count incremented here. 1863 */ 1864 if ((fp = getf(fd)) == NULL) 1865 return; 1866 1867 fad = F2A(fp); 1868 tad->tad_evmod = (short)fad->fad_flags; 1869 if (fad->fad_aupath != NULL) { 1870 au_uwrite(au_to_path(fad->fad_aupath)); 1871 if ((vp = fp->f_vnode) != NULL) { 1872 attr.va_mask = AT_ALL; 1873 if (VOP_GETATTR(vp, &attr, 0, CRED()) == 0) { 1874 /* 1875 * When write was not used and the file can be 1876 * considered public, skip the audit. 1877 */ 1878 if (((fp->f_flag & FWRITE) == 0) && 1879 file_is_public(&attr)) { 1880 tad->tad_flag = 0; 1881 tad->tad_evmod = 0; 1882 /* free any residual audit data */ 1883 au_close(kctx, &(u_ad), 0, 0, 0); 1884 releasef(fd); 1885 return; 1886 } 1887 au_uwrite(au_to_attr(&attr)); 1888 audit_sec_attributes(&(u_ad), vp); 1889 } 1890 } 1891 } 1892 1893 /* decrement file descriptor reference count */ 1894 releasef(fd); 1895 } 1896 1897 /*ARGSUSED*/ 1898 static void 1899 aus_fstatfs(struct t_audit_data *tad) 1900 { 1901 klwp_t *clwp = ttolwp(curthread); 1902 uint32_t fd; 1903 struct file *fp; 1904 struct vnode *vp; 1905 struct f_audit_data *fad; 1906 1907 struct a { 1908 long fd; 1909 long buf; /* struct statfs * */ 1910 } *uap = (struct a *)clwp->lwp_ap; 1911 1912 fd = (uint_t)uap->fd; 1913 1914 /* 1915 * convert file pointer to file descriptor 1916 * Note: fd ref count incremented here. 1917 */ 1918 if ((fp = getf(fd)) == NULL) 1919 return; 1920 1921 /* get path from file struct here */ 1922 fad = F2A(fp); 1923 if (fad->fad_aupath != NULL) { 1924 au_uwrite(au_to_path(fad->fad_aupath)); 1925 } else { 1926 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1927 } 1928 1929 vp = fp->f_vnode; 1930 audit_attributes(vp); 1931 1932 /* decrement file descriptor reference count */ 1933 releasef(fd); 1934 } 1935 1936 #ifdef NOTYET 1937 /*ARGSUSED*/ 1938 static void 1939 aus_setpgrp(struct t_audit_data *tad) 1940 { 1941 klwp_t *clwp = ttolwp(curthread); 1942 uint32_t pgrp; 1943 struct proc *p; 1944 uid_t uid, ruid; 1945 gid_t gid, rgid; 1946 pid_t pid; 1947 const auditinfo_addr_t *ainfo; 1948 cred_t *cr; 1949 1950 struct a { 1951 long pid; 1952 long pgrp; 1953 } *uap = (struct a *)clwp->lwp_ap; 1954 1955 pid = (pid_t)uap->pid; 1956 pgrp = (uint32_t)uap->pgrp; 1957 1958 /* current process? */ 1959 if (pid == 0) 1960 (return); 1961 1962 mutex_enter(&pidlock); 1963 p = prfind(pid); 1964 if (p == NULL || p->p_as == &kas) { 1965 mutex_exit(&pidlock); 1966 return; 1967 } 1968 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1969 mutex_exit(&pidlock); 1970 1971 mutex_enter(&p->p_crlock); 1972 crhold(cr = p->p_cred); 1973 mutex_exit(&p->p_crlock); 1974 mutex_exit(&p->p_lock); 1975 1976 ainfo = crgetauinfo(cr); 1977 if (ainfo == NULL) { 1978 crfree(cr); 1979 return; 1980 } 1981 1982 uid = crgetuid(cr); 1983 gid = crgetgid(cr); 1984 ruid = crgetruid(cr); 1985 rgid = crgetrgid(cr); 1986 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1987 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1988 crfree(cr); 1989 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1990 } 1991 #endif 1992 1993 /*ARGSUSED*/ 1994 static void 1995 aus_setregid(struct t_audit_data *tad) 1996 { 1997 klwp_t *clwp = ttolwp(curthread); 1998 uint32_t rgid, egid; 1999 2000 struct a { 2001 long rgid; 2002 long egid; 2003 } *uap = (struct a *)clwp->lwp_ap; 2004 2005 rgid = (uint32_t)uap->rgid; 2006 egid = (uint32_t)uap->egid; 2007 2008 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2009 au_uwrite(au_to_arg32(2, "egid", egid)); 2010 } 2011 2012 /*ARGSUSED*/ 2013 static void 2014 aus_setgid(struct t_audit_data *tad) 2015 { 2016 klwp_t *clwp = ttolwp(curthread); 2017 uint32_t gid; 2018 2019 struct a { 2020 long gid; 2021 } *uap = (struct a *)clwp->lwp_ap; 2022 2023 gid = (uint32_t)uap->gid; 2024 2025 au_uwrite(au_to_arg32(1, "gid", gid)); 2026 } 2027 2028 2029 /*ARGSUSED*/ 2030 static void 2031 aus_setreuid(struct t_audit_data *tad) 2032 { 2033 klwp_t *clwp = ttolwp(curthread); 2034 uint32_t ruid, euid; 2035 2036 struct a { 2037 long ruid; 2038 long euid; 2039 } *uap = (struct a *)clwp->lwp_ap; 2040 2041 ruid = (uint32_t)uap->ruid; 2042 euid = (uint32_t)uap->euid; 2043 2044 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2045 au_uwrite(au_to_arg32(2, "euid", euid)); 2046 } 2047 2048 2049 /*ARGSUSED*/ 2050 static void 2051 aus_setuid(struct t_audit_data *tad) 2052 { 2053 klwp_t *clwp = ttolwp(curthread); 2054 uint32_t uid; 2055 2056 struct a { 2057 long uid; 2058 } *uap = (struct a *)clwp->lwp_ap; 2059 2060 uid = (uint32_t)uap->uid; 2061 2062 au_uwrite(au_to_arg32(1, "uid", uid)); 2063 } 2064 2065 /*ARGSUSED*/ 2066 static void 2067 aus_shmsys(struct t_audit_data *tad) 2068 { 2069 klwp_t *clwp = ttolwp(curthread); 2070 uint32_t id, cmd; 2071 2072 struct b { 2073 long id; 2074 long cmd; 2075 long buf; /* struct shmid_ds * */ 2076 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2077 2078 id = (uint32_t)uap1->id; 2079 cmd = (uint32_t)uap1->cmd; 2080 2081 switch (tad->tad_event) { 2082 case AUE_SHMGET: /* shmget */ 2083 au_uwrite(au_to_arg32(1, "shm key", id)); 2084 break; 2085 case AUE_SHMCTL: /* shmctl */ 2086 case AUE_SHMCTL_RMID: /* shmctl */ 2087 case AUE_SHMCTL_STAT: /* shmctl */ 2088 case AUE_SHMCTL_SET: /* shmctl */ 2089 au_uwrite(au_to_arg32(1, "shm ID", id)); 2090 break; 2091 case AUE_SHMDT: /* shmdt */ 2092 au_uwrite(au_to_arg32(1, "shm adr", id)); 2093 break; 2094 case AUE_SHMAT: /* shmat */ 2095 au_uwrite(au_to_arg32(1, "shm ID", id)); 2096 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2097 break; 2098 } 2099 } 2100 2101 /*ARGSUSED*/ 2102 static void 2103 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2104 { 2105 int id; 2106 2107 if (error != 0) 2108 return; 2109 if (tad->tad_event == AUE_SHMGET) { 2110 uint32_t scid; 2111 uint32_t sy_flags; 2112 2113 /* need to determine type of executing binary */ 2114 scid = tad->tad_scid; 2115 #ifdef _SYSCALL32_IMPL 2116 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2117 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2118 else 2119 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2120 #else 2121 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2122 #endif 2123 if (sy_flags == SE_32RVAL1) 2124 id = rval->r_val1; 2125 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2126 id = rval->r_val1; 2127 if (sy_flags == SE_64RVAL) 2128 id = (int)rval->r_vals; 2129 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2130 } 2131 } 2132 2133 2134 /*ARGSUSED*/ 2135 static void 2136 aus_ioctl(struct t_audit_data *tad) 2137 { 2138 klwp_t *clwp = ttolwp(curthread); 2139 struct file *fp; 2140 struct vnode *vp; 2141 struct f_audit_data *fad; 2142 uint32_t fd, cmd; 2143 uintptr_t cmarg; 2144 2145 /* XX64 */ 2146 struct a { 2147 long fd; 2148 long cmd; 2149 long cmarg; /* caddr_t */ 2150 } *uap = (struct a *)clwp->lwp_ap; 2151 2152 fd = (uint32_t)uap->fd; 2153 cmd = (uint32_t)uap->cmd; 2154 cmarg = (uintptr_t)uap->cmarg; 2155 2156 /* 2157 * convert file pointer to file descriptor 2158 * Note: fd ref count incremented here. 2159 */ 2160 if ((fp = getf(fd)) == NULL) { 2161 au_uwrite(au_to_arg32(1, "fd", fd)); 2162 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2163 #ifndef _LP64 2164 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2165 #else 2166 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2167 #endif 2168 return; 2169 } 2170 2171 /* get path from file struct here */ 2172 fad = F2A(fp); 2173 if (fad->fad_aupath != NULL) { 2174 au_uwrite(au_to_path(fad->fad_aupath)); 2175 } else { 2176 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2177 } 2178 2179 vp = fp->f_vnode; 2180 audit_attributes(vp); 2181 2182 /* decrement file descriptor reference count */ 2183 releasef(fd); 2184 2185 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2186 #ifndef _LP64 2187 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2188 #else 2189 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2190 #endif 2191 } 2192 2193 /* 2194 * null function for memcntl for now. We might want to limit memcntl() 2195 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2196 * require privileges. 2197 */ 2198 static au_event_t 2199 aui_memcntl(au_event_t e) 2200 { 2201 return (e); 2202 } 2203 2204 /*ARGSUSED*/ 2205 static au_event_t 2206 aui_privsys(au_event_t e) 2207 { 2208 klwp_t *clwp = ttolwp(curthread); 2209 2210 struct a { 2211 long opcode; 2212 } *uap = (struct a *)clwp->lwp_ap; 2213 2214 switch (uap->opcode) { 2215 case PRIVSYS_SETPPRIV: 2216 return (AUE_SETPPRIV); 2217 default: 2218 return (AUE_NULL); 2219 } 2220 } 2221 2222 /*ARGSUSED*/ 2223 static void 2224 aus_memcntl(struct t_audit_data *tad) 2225 { 2226 klwp_t *clwp = ttolwp(curthread); 2227 2228 struct a { 2229 long addr; 2230 long len; 2231 long cmd; 2232 long arg; 2233 long attr; 2234 long mask; 2235 } *uap = (struct a *)clwp->lwp_ap; 2236 2237 #ifdef _LP64 2238 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2239 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2240 #else 2241 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2242 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2243 #endif 2244 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2245 #ifdef _LP64 2246 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2247 #else 2248 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2249 #endif 2250 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2251 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2252 } 2253 2254 /*ARGSUSED*/ 2255 static void 2256 aus_mmap(struct t_audit_data *tad) 2257 { 2258 klwp_t *clwp = ttolwp(curthread); 2259 struct file *fp; 2260 struct f_audit_data *fad; 2261 struct vnode *vp; 2262 uint32_t fd; 2263 2264 struct a { 2265 long addr; 2266 long len; 2267 long prot; 2268 long flags; 2269 long fd; 2270 long pos; 2271 } *uap = (struct a *)clwp->lwp_ap; 2272 2273 fd = (uint32_t)uap->fd; 2274 2275 #ifdef _LP64 2276 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2277 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2278 #else 2279 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2280 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2281 #endif 2282 2283 if ((fp = getf(fd)) == NULL) { 2284 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2285 return; 2286 } 2287 2288 /* 2289 * Mark in the tad if write access is NOT requested... if 2290 * this is later detected (in audit_attributes) to be a 2291 * public object, the mmap event may be discarded. 2292 */ 2293 if (((uap->prot) & PROT_WRITE) == 0) { 2294 tad->tad_ctrl |= PAD_PUBLIC_EV; 2295 } 2296 2297 fad = F2A(fp); 2298 if (fad->fad_aupath != NULL) { 2299 au_uwrite(au_to_path(fad->fad_aupath)); 2300 } else { 2301 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2302 } 2303 2304 vp = (struct vnode *)fp->f_vnode; 2305 audit_attributes(vp); 2306 2307 /* mark READ/WRITE since we can't predict access */ 2308 if (uap->prot & PROT_READ) 2309 fad->fad_flags |= FAD_READ; 2310 if (uap->prot & PROT_WRITE) 2311 fad->fad_flags |= FAD_WRITE; 2312 2313 /* decrement file descriptor reference count */ 2314 releasef(fd); 2315 2316 } /* AUS_MMAP */ 2317 2318 2319 2320 2321 /*ARGSUSED*/ 2322 static void 2323 aus_munmap(struct t_audit_data *tad) 2324 { 2325 klwp_t *clwp = ttolwp(curthread); 2326 2327 struct a { 2328 long addr; 2329 long len; 2330 } *uap = (struct a *)clwp->lwp_ap; 2331 2332 #ifdef _LP64 2333 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2334 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2335 #else 2336 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2337 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2338 #endif 2339 2340 } /* AUS_MUNMAP */ 2341 2342 2343 2344 2345 2346 2347 2348 /*ARGSUSED*/ 2349 static void 2350 aus_priocntlsys(struct t_audit_data *tad) 2351 { 2352 klwp_t *clwp = ttolwp(curthread); 2353 2354 struct a { 2355 long pc_version; 2356 long psp; /* procset_t */ 2357 long cmd; 2358 long arg; 2359 } *uap = (struct a *)clwp->lwp_ap; 2360 2361 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2362 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2363 2364 } /* AUS_PRIOCNTLSYS */ 2365 2366 2367 /*ARGSUSED*/ 2368 static void 2369 aus_setegid(struct t_audit_data *tad) 2370 { 2371 klwp_t *clwp = ttolwp(curthread); 2372 uint32_t gid; 2373 2374 struct a { 2375 long gid; 2376 } *uap = (struct a *)clwp->lwp_ap; 2377 2378 gid = (uint32_t)uap->gid; 2379 2380 au_uwrite(au_to_arg32(1, "gid", gid)); 2381 } /* AUS_SETEGID */ 2382 2383 2384 2385 2386 /*ARGSUSED*/ 2387 static void 2388 aus_setgroups(struct t_audit_data *tad) 2389 { 2390 klwp_t *clwp = ttolwp(curthread); 2391 int i; 2392 int gidsetsize; 2393 uintptr_t gidset; 2394 gid_t *gidlist; 2395 2396 struct a { 2397 long gidsetsize; 2398 long gidset; 2399 } *uap = (struct a *)clwp->lwp_ap; 2400 2401 gidsetsize = (uint_t)uap->gidsetsize; 2402 gidset = (uintptr_t)uap->gidset; 2403 2404 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2405 return; 2406 if (gidsetsize != 0) { 2407 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2408 KM_SLEEP); 2409 if (copyin((caddr_t)gidset, gidlist, 2410 gidsetsize * sizeof (gid_t)) == 0) 2411 for (i = 0; i < gidsetsize; i++) 2412 au_uwrite(au_to_arg32(1, "setgroups", 2413 (uint32_t)gidlist[i])); 2414 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2415 } else 2416 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2417 2418 } /* AUS_SETGROUPS */ 2419 2420 2421 2422 2423 2424 /*ARGSUSED*/ 2425 static void 2426 aus_seteuid(struct t_audit_data *tad) 2427 { 2428 klwp_t *clwp = ttolwp(curthread); 2429 uint32_t uid; 2430 2431 struct a { 2432 long uid; 2433 } *uap = (struct a *)clwp->lwp_ap; 2434 2435 uid = (uint32_t)uap->uid; 2436 2437 au_uwrite(au_to_arg32(1, "euid", uid)); 2438 2439 } /* AUS_SETEUID */ 2440 2441 /*ARGSUSED*/ 2442 static void 2443 aus_putmsg(struct t_audit_data *tad) 2444 { 2445 klwp_t *clwp = ttolwp(curthread); 2446 uint32_t fd, pri; 2447 struct file *fp; 2448 struct f_audit_data *fad; 2449 2450 struct a { 2451 long fdes; 2452 long ctl; /* struct strbuf * */ 2453 long data; /* struct strbuf * */ 2454 long pri; 2455 } *uap = (struct a *)clwp->lwp_ap; 2456 2457 fd = (uint32_t)uap->fdes; 2458 pri = (uint32_t)uap->pri; 2459 2460 au_uwrite(au_to_arg32(1, "fd", fd)); 2461 2462 if ((fp = getf(fd)) != NULL) { 2463 fad = F2A(fp); 2464 2465 fad->fad_flags |= FAD_WRITE; 2466 2467 /* add path name to audit record */ 2468 if (fad->fad_aupath != NULL) { 2469 au_uwrite(au_to_path(fad->fad_aupath)); 2470 } 2471 audit_attributes(fp->f_vnode); 2472 2473 releasef(fd); 2474 } 2475 2476 au_uwrite(au_to_arg32(4, "pri", pri)); 2477 } 2478 2479 /*ARGSUSED*/ 2480 static void 2481 aus_putpmsg(struct t_audit_data *tad) 2482 { 2483 klwp_t *clwp = ttolwp(curthread); 2484 uint32_t fd, pri, flags; 2485 struct file *fp; 2486 struct f_audit_data *fad; 2487 2488 struct a { 2489 long fdes; 2490 long ctl; /* struct strbuf * */ 2491 long data; /* struct strbuf * */ 2492 long pri; 2493 long flags; 2494 } *uap = (struct a *)clwp->lwp_ap; 2495 2496 fd = (uint32_t)uap->fdes; 2497 pri = (uint32_t)uap->pri; 2498 flags = (uint32_t)uap->flags; 2499 2500 au_uwrite(au_to_arg32(1, "fd", fd)); 2501 2502 if ((fp = getf(fd)) != NULL) { 2503 fad = F2A(fp); 2504 2505 fad->fad_flags |= FAD_WRITE; 2506 2507 /* add path name to audit record */ 2508 if (fad->fad_aupath != NULL) { 2509 au_uwrite(au_to_path(fad->fad_aupath)); 2510 } 2511 audit_attributes(fp->f_vnode); 2512 2513 releasef(fd); 2514 } 2515 2516 2517 au_uwrite(au_to_arg32(4, "pri", pri)); 2518 au_uwrite(au_to_arg32(5, "flags", flags)); 2519 } 2520 2521 /*ARGSUSED*/ 2522 static void 2523 aus_getmsg(struct t_audit_data *tad) 2524 { 2525 klwp_t *clwp = ttolwp(curthread); 2526 uint32_t fd, pri; 2527 struct file *fp; 2528 struct f_audit_data *fad; 2529 2530 struct a { 2531 long fdes; 2532 long ctl; /* struct strbuf * */ 2533 long data; /* struct strbuf * */ 2534 long pri; 2535 } *uap = (struct a *)clwp->lwp_ap; 2536 2537 fd = (uint32_t)uap->fdes; 2538 pri = (uint32_t)uap->pri; 2539 2540 au_uwrite(au_to_arg32(1, "fd", fd)); 2541 2542 if ((fp = getf(fd)) != NULL) { 2543 fad = F2A(fp); 2544 2545 /* 2546 * read operation on this object 2547 */ 2548 fad->fad_flags |= FAD_READ; 2549 2550 /* add path name to audit record */ 2551 if (fad->fad_aupath != NULL) { 2552 au_uwrite(au_to_path(fad->fad_aupath)); 2553 } 2554 audit_attributes(fp->f_vnode); 2555 2556 releasef(fd); 2557 } 2558 2559 au_uwrite(au_to_arg32(4, "pri", pri)); 2560 } 2561 2562 /*ARGSUSED*/ 2563 static void 2564 aus_getpmsg(struct t_audit_data *tad) 2565 { 2566 klwp_t *clwp = ttolwp(curthread); 2567 uint32_t fd; 2568 struct file *fp; 2569 struct f_audit_data *fad; 2570 2571 struct a { 2572 long fdes; 2573 long ctl; /* struct strbuf * */ 2574 long data; /* struct strbuf * */ 2575 long pri; 2576 long flags; 2577 } *uap = (struct a *)clwp->lwp_ap; 2578 2579 fd = (uint32_t)uap->fdes; 2580 2581 au_uwrite(au_to_arg32(1, "fd", fd)); 2582 2583 if ((fp = getf(fd)) != NULL) { 2584 fad = F2A(fp); 2585 2586 /* 2587 * read operation on this object 2588 */ 2589 fad->fad_flags |= FAD_READ; 2590 2591 /* add path name to audit record */ 2592 if (fad->fad_aupath != NULL) { 2593 au_uwrite(au_to_path(fad->fad_aupath)); 2594 } 2595 audit_attributes(fp->f_vnode); 2596 2597 releasef(fd); 2598 } 2599 } 2600 2601 static au_event_t 2602 aui_auditsys(au_event_t e) 2603 { 2604 klwp_t *clwp = ttolwp(curthread); 2605 uint32_t code; 2606 2607 struct a { 2608 long code; 2609 long a1; 2610 long a2; 2611 long a3; 2612 long a4; 2613 long a5; 2614 long a6; 2615 long a7; 2616 } *uap = (struct a *)clwp->lwp_ap; 2617 2618 code = (uint32_t)uap->code; 2619 2620 switch (code) { 2621 2622 case BSM_GETAUID: 2623 e = AUE_GETAUID; 2624 break; 2625 case BSM_SETAUID: 2626 e = AUE_SETAUID; 2627 break; 2628 case BSM_GETAUDIT: 2629 e = AUE_GETAUDIT; 2630 break; 2631 case BSM_GETAUDIT_ADDR: 2632 e = AUE_GETAUDIT_ADDR; 2633 break; 2634 case BSM_SETAUDIT: 2635 e = AUE_SETAUDIT; 2636 break; 2637 case BSM_SETAUDIT_ADDR: 2638 e = AUE_SETAUDIT_ADDR; 2639 break; 2640 case BSM_AUDIT: 2641 e = AUE_AUDIT; 2642 break; 2643 case BSM_AUDITSVC: 2644 e = AUE_AUDITSVC; 2645 break; 2646 case BSM_GETPORTAUDIT: 2647 e = AUE_GETPORTAUDIT; 2648 break; 2649 case BSM_AUDITON: 2650 case BSM_AUDITCTL: 2651 2652 switch ((uint_t)uap->a1) { 2653 2654 case A_GETPOLICY: 2655 e = AUE_AUDITON_GPOLICY; 2656 break; 2657 case A_SETPOLICY: 2658 e = AUE_AUDITON_SPOLICY; 2659 break; 2660 case A_GETKMASK: 2661 e = AUE_AUDITON_GETKMASK; 2662 break; 2663 case A_SETKMASK: 2664 e = AUE_AUDITON_SETKMASK; 2665 break; 2666 case A_GETQCTRL: 2667 e = AUE_AUDITON_GQCTRL; 2668 break; 2669 case A_SETQCTRL: 2670 e = AUE_AUDITON_SQCTRL; 2671 break; 2672 case A_GETCWD: 2673 e = AUE_AUDITON_GETCWD; 2674 break; 2675 case A_GETCAR: 2676 e = AUE_AUDITON_GETCAR; 2677 break; 2678 case A_GETSTAT: 2679 e = AUE_AUDITON_GETSTAT; 2680 break; 2681 case A_SETSTAT: 2682 e = AUE_AUDITON_SETSTAT; 2683 break; 2684 case A_SETUMASK: 2685 e = AUE_AUDITON_SETUMASK; 2686 break; 2687 case A_SETSMASK: 2688 e = AUE_AUDITON_SETSMASK; 2689 break; 2690 case A_GETCOND: 2691 e = AUE_AUDITON_GETCOND; 2692 break; 2693 case A_SETCOND: 2694 e = AUE_AUDITON_SETCOND; 2695 break; 2696 case A_GETCLASS: 2697 e = AUE_AUDITON_GETCLASS; 2698 break; 2699 case A_SETCLASS: 2700 e = AUE_AUDITON_SETCLASS; 2701 break; 2702 default: 2703 e = AUE_NULL; 2704 break; 2705 } 2706 break; 2707 default: 2708 e = AUE_NULL; 2709 break; 2710 } 2711 2712 return (e); 2713 2714 2715 2716 2717 } /* AUI_AUDITSYS */ 2718 2719 2720 2721 2722 2723 2724 2725 static void 2726 aus_auditsys(struct t_audit_data *tad) 2727 { 2728 klwp_t *clwp = ttolwp(curthread); 2729 uintptr_t a1, a2; 2730 struct file *fp; 2731 struct f_audit_data *fad; 2732 struct vnode *vp; 2733 STRUCT_DECL(auditinfo, ainfo); 2734 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2735 au_evclass_map_t event; 2736 au_mask_t mask; 2737 int auditstate, policy; 2738 2739 2740 struct a { 2741 long code; 2742 long a1; 2743 long a2; 2744 long a3; 2745 long a4; 2746 long a5; 2747 long a6; 2748 long a7; 2749 } *uap = (struct a *)clwp->lwp_ap; 2750 2751 a1 = (uintptr_t)uap->a1; 2752 a2 = (uintptr_t)uap->a2; 2753 2754 switch (tad->tad_event) { 2755 case AUE_SETAUID: 2756 au_uwrite(au_to_arg32(2, "setauid", (uint32_t)a1)); 2757 break; 2758 case AUE_SETAUDIT: 2759 STRUCT_INIT(ainfo, get_udatamodel()); 2760 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2761 STRUCT_SIZE(ainfo))) { 2762 return; 2763 } 2764 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2765 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2766 #ifdef _LP64 2767 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2768 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2769 #else 2770 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2771 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2772 #endif 2773 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2774 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2775 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2776 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2777 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2778 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2779 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2780 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2781 break; 2782 case AUE_SETAUDIT_ADDR: 2783 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2784 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2785 STRUCT_SIZE(ainfo_addr))) { 2786 return; 2787 } 2788 au_uwrite(au_to_arg32((char)1, "auid", 2789 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2790 #ifdef _LP64 2791 au_uwrite(au_to_arg64((char)1, "port", 2792 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2793 #else 2794 au_uwrite(au_to_arg32((char)1, "port", 2795 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2796 #endif 2797 au_uwrite(au_to_arg32((char)1, "type", 2798 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2799 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2800 AU_IPv4) { 2801 au_uwrite(au_to_in_addr( 2802 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2803 ai_termid.at_addr))); 2804 } else { 2805 au_uwrite(au_to_in_addr_ex( 2806 (int32_t *)STRUCT_FGETP(ainfo_addr, 2807 ai_termid.at_addr))); 2808 } 2809 au_uwrite(au_to_arg32((char)1, "as_success", 2810 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2811 au_uwrite(au_to_arg32((char)1, "as_failure", 2812 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2813 au_uwrite(au_to_arg32((char)1, "asid", 2814 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2815 break; 2816 case AUE_AUDITSVC: 2817 /* 2818 * convert file pointer to file descriptor 2819 * Note: fd ref count incremented here 2820 */ 2821 if ((fp = getf((uint_t)a1)) == NULL) 2822 return; 2823 fad = F2A(fp); 2824 if (fad->fad_aupath != NULL) { 2825 au_uwrite(au_to_path(fad->fad_aupath)); 2826 } else { 2827 au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1)); 2828 } 2829 2830 vp = fp->f_vnode; /* include vnode attributes */ 2831 audit_attributes(vp); 2832 2833 /* decrement file descriptor ref count */ 2834 releasef((uint_t)a1); 2835 2836 au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2)); 2837 break; 2838 case AUE_AUDITON_SETKMASK: 2839 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2840 return; 2841 au_uwrite(au_to_arg32( 2842 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2843 au_uwrite(au_to_arg32( 2844 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2845 break; 2846 case AUE_AUDITON_SPOLICY: 2847 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2848 return; 2849 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2850 break; 2851 case AUE_AUDITON_SQCTRL: { 2852 STRUCT_DECL(au_qctrl, qctrl); 2853 model_t model; 2854 2855 model = get_udatamodel(); 2856 STRUCT_INIT(qctrl, model); 2857 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2858 return; 2859 if (model == DATAMODEL_ILP32) { 2860 au_uwrite(au_to_arg32( 2861 3, "setqctrl:aq_hiwater", 2862 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2863 au_uwrite(au_to_arg32( 2864 3, "setqctrl:aq_lowater", 2865 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2866 au_uwrite(au_to_arg32( 2867 3, "setqctrl:aq_bufsz", 2868 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2869 au_uwrite(au_to_arg32( 2870 3, "setqctrl:aq_delay", 2871 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2872 } else { 2873 au_uwrite(au_to_arg64( 2874 3, "setqctrl:aq_hiwater", 2875 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2876 au_uwrite(au_to_arg64( 2877 3, "setqctrl:aq_lowater", 2878 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2879 au_uwrite(au_to_arg64( 2880 3, "setqctrl:aq_bufsz", 2881 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2882 au_uwrite(au_to_arg64( 2883 3, "setqctrl:aq_delay", 2884 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2885 } 2886 break; 2887 } 2888 case AUE_AUDITON_SETUMASK: 2889 STRUCT_INIT(ainfo, get_udatamodel()); 2890 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2891 STRUCT_SIZE(ainfo))) { 2892 return; 2893 } 2894 au_uwrite(au_to_arg32(3, "setumask:as_success", 2895 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2896 au_uwrite(au_to_arg32(3, "setumask:as_failure", 2897 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2898 break; 2899 case AUE_AUDITON_SETSMASK: 2900 STRUCT_INIT(ainfo, get_udatamodel()); 2901 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2902 STRUCT_SIZE(ainfo))) { 2903 return; 2904 } 2905 au_uwrite(au_to_arg32(3, "setsmask:as_success", 2906 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2907 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 2908 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2909 break; 2910 case AUE_AUDITON_SETCOND: 2911 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 2912 return; 2913 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 2914 break; 2915 case AUE_AUDITON_SETCLASS: 2916 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 2917 return; 2918 au_uwrite(au_to_arg32( 2919 2, "setclass:ec_event", (uint32_t)event.ec_number)); 2920 au_uwrite(au_to_arg32( 2921 3, "setclass:ec_class", (uint32_t)event.ec_class)); 2922 break; 2923 case AUE_GETAUID: 2924 case AUE_GETAUDIT: 2925 case AUE_GETAUDIT_ADDR: 2926 case AUE_AUDIT: 2927 case AUE_GETPORTAUDIT: 2928 case AUE_AUDITON_GPOLICY: 2929 case AUE_AUDITON_GQCTRL: 2930 case AUE_AUDITON_GETKMASK: 2931 case AUE_AUDITON_GETCWD: 2932 case AUE_AUDITON_GETCAR: 2933 case AUE_AUDITON_GETSTAT: 2934 case AUE_AUDITON_SETSTAT: 2935 case AUE_AUDITON_GETCOND: 2936 case AUE_AUDITON_GETCLASS: 2937 break; 2938 default: 2939 break; 2940 } 2941 2942 } /* AUS_AUDITSYS */ 2943 2944 2945 /* only audit privileged operations for systeminfo(2) system call */ 2946 static au_event_t 2947 aui_sysinfo(au_event_t e) 2948 { 2949 klwp_t *clwp = ttolwp(curthread); 2950 uint32_t command; 2951 2952 struct a { 2953 long command; 2954 long buf; /* char * */ 2955 long count; 2956 } *uap = (struct a *)clwp->lwp_ap; 2957 2958 command = (uint32_t)uap->command; 2959 2960 switch (command) { 2961 case SI_SET_HOSTNAME: 2962 case SI_SET_SRPC_DOMAIN: 2963 e = (au_event_t)AUE_SYSINFO; 2964 break; 2965 default: 2966 e = (au_event_t)AUE_NULL; 2967 break; 2968 } 2969 return (e); 2970 } 2971 2972 /*ARGSUSED*/ 2973 static void 2974 aus_sysinfo(struct t_audit_data *tad) 2975 { 2976 klwp_t *clwp = ttolwp(curthread); 2977 uint32_t command; 2978 size_t len, maxlen; 2979 char *name; 2980 uintptr_t buf; 2981 2982 struct a { 2983 long command; 2984 long buf; /* char * */ 2985 long count; 2986 } *uap = (struct a *)clwp->lwp_ap; 2987 2988 command = (uint32_t)uap->command; 2989 buf = (uintptr_t)uap->buf; 2990 2991 au_uwrite(au_to_arg32(1, "cmd", command)); 2992 2993 switch (command) { 2994 case SI_SET_HOSTNAME: 2995 { 2996 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 2997 return; 2998 2999 maxlen = SYS_NMLN; 3000 name = kmem_alloc(maxlen, KM_SLEEP); 3001 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3002 break; 3003 3004 /* 3005 * Must be non-NULL string and string 3006 * must be less than SYS_NMLN chars. 3007 */ 3008 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3009 break; 3010 3011 au_uwrite(au_to_text(name)); 3012 break; 3013 } 3014 3015 case SI_SET_SRPC_DOMAIN: 3016 { 3017 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3018 return; 3019 3020 maxlen = SYS_NMLN; 3021 name = kmem_alloc(maxlen, KM_SLEEP); 3022 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3023 break; 3024 3025 /* 3026 * If string passed in is longer than length 3027 * allowed for domain name, fail. 3028 */ 3029 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3030 break; 3031 3032 au_uwrite(au_to_text(name)); 3033 break; 3034 } 3035 3036 default: 3037 return; 3038 } 3039 3040 kmem_free(name, maxlen); 3041 } 3042 3043 static au_event_t 3044 aui_modctl(au_event_t e) 3045 { 3046 klwp_t *clwp = ttolwp(curthread); 3047 uint_t cmd; 3048 3049 struct a { 3050 long cmd; 3051 } *uap = (struct a *)clwp->lwp_ap; 3052 3053 cmd = (uint_t)uap->cmd; 3054 3055 switch (cmd) { 3056 case MODLOAD: 3057 e = AUE_MODLOAD; 3058 break; 3059 case MODUNLOAD: 3060 e = AUE_MODUNLOAD; 3061 break; 3062 case MODADDMAJBIND: 3063 e = AUE_MODADDMAJ; 3064 break; 3065 case MODSETDEVPOLICY: 3066 e = AUE_MODDEVPLCY; 3067 break; 3068 case MODALLOCPRIV: 3069 e = AUE_MODADDPRIV; 3070 break; 3071 default: 3072 e = AUE_NULL; 3073 break; 3074 } 3075 return (e); 3076 } 3077 3078 3079 /*ARGSUSED*/ 3080 static void 3081 aus_modctl(struct t_audit_data *tad) 3082 { 3083 klwp_t *clwp = ttolwp(curthread); 3084 void *a = clwp->lwp_ap; 3085 uint_t use_path; 3086 3087 switch (tad->tad_event) { 3088 case AUE_MODLOAD: { 3089 typedef struct { 3090 long cmd; 3091 long use_path; 3092 long filename; /* char * */ 3093 } modloada_t; 3094 3095 char *filenamep; 3096 uintptr_t fname; 3097 extern char *default_path; 3098 3099 fname = (uintptr_t)((modloada_t *)a)->filename; 3100 use_path = (uint_t)((modloada_t *)a)->use_path; 3101 3102 /* space to hold path */ 3103 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3104 /* get string */ 3105 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3106 /* free allocated path */ 3107 kmem_free(filenamep, MOD_MAXPATH); 3108 return; 3109 } 3110 /* ensure it's null terminated */ 3111 filenamep[MOD_MAXPATH - 1] = 0; 3112 3113 if (use_path) 3114 au_uwrite(au_to_text(default_path)); 3115 au_uwrite(au_to_text(filenamep)); 3116 3117 /* release temporary memory */ 3118 kmem_free(filenamep, MOD_MAXPATH); 3119 break; 3120 } 3121 case AUE_MODUNLOAD: { 3122 typedef struct { 3123 long cmd; 3124 long id; 3125 } modunloada_t; 3126 3127 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3128 3129 au_uwrite(au_to_arg32(1, "id", id)); 3130 break; 3131 } 3132 case AUE_MODADDMAJ: { 3133 STRUCT_DECL(modconfig, mc); 3134 typedef struct { 3135 long cmd; 3136 long subcmd; 3137 long data; /* int * */ 3138 } modconfiga_t; 3139 3140 STRUCT_DECL(aliases, alias); 3141 caddr_t ap; 3142 int i, num_aliases; 3143 char *drvname, *mc_drvname; 3144 char *name; 3145 extern char *ddi_major_to_name(major_t); 3146 model_t model; 3147 3148 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3149 3150 model = get_udatamodel(); 3151 STRUCT_INIT(mc, model); 3152 /* sanitize buffer */ 3153 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3154 /* get user arguments */ 3155 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3156 STRUCT_SIZE(mc)) != 0) 3157 return; 3158 3159 mc_drvname = STRUCT_FGET(mc, drvname); 3160 if ((drvname = ddi_major_to_name( 3161 (major_t)STRUCT_FGET(mc, major))) != NULL && 3162 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3163 /* safety */ 3164 if (mc_drvname[0] != '\0') { 3165 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3166 au_uwrite(au_to_text(mc_drvname)); 3167 } 3168 /* drvname != NULL from test above */ 3169 au_uwrite(au_to_text(drvname)); 3170 return; 3171 } 3172 3173 if (mc_drvname[0] != '\0') { 3174 /* safety */ 3175 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3176 au_uwrite(au_to_text(mc_drvname)); 3177 } else 3178 au_uwrite(au_to_text("no drvname")); 3179 3180 num_aliases = STRUCT_FGET(mc, num_aliases); 3181 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3182 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3183 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3184 STRUCT_INIT(alias, model); 3185 for (i = 0; i < num_aliases; i++) { 3186 bzero((caddr_t)STRUCT_BUF(alias), 3187 STRUCT_SIZE(alias)); 3188 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3189 STRUCT_SIZE(alias)) != 0) 3190 break; 3191 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3192 MAXMODCONFNAME, NULL) != 0) { 3193 break; 3194 } 3195 3196 au_uwrite(au_to_text(name)); 3197 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3198 } 3199 kmem_free(name, MAXMODCONFNAME); 3200 break; 3201 } 3202 default: 3203 break; 3204 } 3205 } 3206 3207 /* 3208 * private version of getsonode that does not do eprintsoline() 3209 */ 3210 static struct sonode * 3211 au_getsonode(int sock, int *errorp, file_t **fpp) 3212 { 3213 file_t *fp; 3214 register vnode_t *vp; 3215 struct sonode *so; 3216 3217 if ((fp = getf(sock)) == NULL) { 3218 *errorp = EBADF; 3219 return (NULL); 3220 } 3221 vp = fp->f_vnode; 3222 /* Check if it is a socket */ 3223 if (vp->v_type != VSOCK) { 3224 releasef(sock); 3225 *errorp = ENOTSOCK; 3226 return (NULL); 3227 } 3228 /* 3229 * Use the stream head to find the real socket vnode. 3230 * This is needed when namefs sits above sockfs. 3231 */ 3232 ASSERT(vp->v_stream); 3233 ASSERT(vp->v_stream->sd_vnode); 3234 vp = vp->v_stream->sd_vnode; 3235 so = VTOSO(vp); 3236 if (so->so_version == SOV_STREAM) { 3237 releasef(sock); 3238 *errorp = ENOTSOCK; 3239 return (NULL); 3240 } 3241 if (fpp) 3242 *fpp = fp; 3243 return (so); 3244 } 3245 3246 /*ARGSUSED*/ 3247 static void 3248 auf_accept( 3249 struct t_audit_data *tad, 3250 int error, 3251 rval_t *rval) 3252 { 3253 uint32_t scid; 3254 uint32_t sy_flags; 3255 int fd; 3256 struct sonode *so; 3257 char so_laddr[sizeof (struct sockaddr_in6)]; 3258 char so_faddr[sizeof (struct sockaddr_in6)]; 3259 int err; 3260 int len; 3261 short so_family, so_type; 3262 int add_sock_token = 0; 3263 3264 /* need to determine type of executing binary */ 3265 scid = tad->tad_scid; 3266 #ifdef _SYSCALL32_IMPL 3267 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3268 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3269 else 3270 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3271 #else 3272 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3273 #endif 3274 if (sy_flags == SE_32RVAL1) 3275 fd = rval->r_val1; 3276 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3277 fd = rval->r_val1; 3278 if (sy_flags == SE_64RVAL) 3279 fd = (int)rval->r_vals; 3280 3281 if (error) { 3282 /* can't trust socket contents. Just return */ 3283 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3284 return; 3285 } 3286 3287 if ((so = au_getsonode((int)fd, &err, NULL)) == NULL) { 3288 /* 3289 * not security relevant if doing a accept from non socket 3290 * so no extra tokens. Should probably turn off audit record 3291 * generation here. 3292 */ 3293 return; 3294 } 3295 3296 so_family = so->so_family; 3297 so_type = so->so_type; 3298 3299 switch (so_family) { 3300 case AF_INET: 3301 case AF_INET6: 3302 /* 3303 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3304 */ 3305 if (so->so_type == SOCK_STREAM) { 3306 3307 bzero((void *)so_laddr, sizeof (so_laddr)); 3308 bzero((void *)so_faddr, sizeof (so_faddr)); 3309 3310 /* 3311 * no local address then need to get it from lower 3312 * levels. only put out record on first read ala 3313 * AUE_WRITE. 3314 */ 3315 if (so->so_state & SS_ISBOUND) { 3316 /* only done once on a connection */ 3317 (void) SOP_GETSOCKNAME(so); 3318 (void) SOP_GETPEERNAME(so); 3319 3320 /* get local and foreign addresses */ 3321 mutex_enter(&so->so_lock); 3322 len = min(so->so_laddr_len, sizeof (so_laddr)); 3323 bcopy(so->so_laddr_sa, so_laddr, len); 3324 len = min(so->so_faddr_len, sizeof (so_faddr)); 3325 bcopy(so->so_faddr_sa, so_faddr, len); 3326 mutex_exit(&so->so_lock); 3327 } 3328 3329 add_sock_token = 1; 3330 } 3331 break; 3332 3333 default: 3334 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3335 break; 3336 } 3337 3338 releasef(fd); 3339 3340 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3341 3342 if (add_sock_token == 0) { 3343 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3344 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3345 return; 3346 } 3347 3348 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3349 3350 } 3351 3352 /*ARGSUSED*/ 3353 static void 3354 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3355 { 3356 struct a { 3357 long fd; 3358 long addr; 3359 long len; 3360 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3361 3362 struct sonode *so; 3363 char so_laddr[sizeof (struct sockaddr_in6)]; 3364 char so_faddr[sizeof (struct sockaddr_in6)]; 3365 int err, fd; 3366 int len; 3367 short so_family, so_type; 3368 int add_sock_token = 0; 3369 3370 fd = (int)uap->fd; 3371 3372 /* 3373 * bind failed, then nothing extra to add to audit record. 3374 */ 3375 if (error) { 3376 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3377 /* XXX may want to add failed address some day */ 3378 return; 3379 } 3380 3381 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3382 /* 3383 * not security relevant if doing a bind from non socket 3384 * so no extra tokens. Should probably turn off audit record 3385 * generation here. 3386 */ 3387 return; 3388 } 3389 3390 so_family = so->so_family; 3391 so_type = so->so_type; 3392 3393 switch (so_family) { 3394 case AF_INET: 3395 case AF_INET6: 3396 3397 bzero(so_faddr, sizeof (so_faddr)); 3398 3399 if (so->so_state & SS_ISBOUND) { 3400 /* only done once on a connection */ 3401 (void) SOP_GETSOCKNAME(so); 3402 } 3403 3404 mutex_enter(&so->so_lock); 3405 len = min(so->so_laddr_len, sizeof (so_laddr)); 3406 bcopy(so->so_laddr_sa, so_laddr, len); 3407 mutex_exit(&so->so_lock); 3408 3409 add_sock_token = 1; 3410 3411 break; 3412 3413 case AF_UNIX: 3414 /* token added by lookup */ 3415 break; 3416 default: 3417 /* AF_ROUTE, AF_KEY do not support accept */ 3418 break; 3419 } 3420 3421 releasef(fd); 3422 3423 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3424 3425 if (add_sock_token == 0) { 3426 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3427 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3428 return; 3429 } 3430 3431 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3432 3433 } 3434 3435 /*ARGSUSED*/ 3436 static void 3437 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3438 { 3439 struct a { 3440 long fd; 3441 long addr; 3442 long len; 3443 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3444 3445 struct sonode *so; 3446 char so_laddr[sizeof (struct sockaddr_in6)]; 3447 char so_faddr[sizeof (struct sockaddr_in6)]; 3448 int err, fd; 3449 int len; 3450 short so_family, so_type; 3451 int add_sock_token = 0; 3452 3453 fd = (int)uap->fd; 3454 3455 3456 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3457 /* 3458 * not security relevant if doing a connect from non socket 3459 * so no extra tokens. Should probably turn off audit record 3460 * generation here. 3461 */ 3462 return; 3463 } 3464 3465 so_family = so->so_family; 3466 so_type = so->so_type; 3467 3468 switch (so_family) { 3469 case AF_INET: 3470 case AF_INET6: 3471 /* 3472 * no local address then need to get it from lower 3473 * levels. 3474 */ 3475 if (so->so_state & SS_ISBOUND) { 3476 /* only done once on a connection */ 3477 (void) SOP_GETSOCKNAME(so); 3478 (void) SOP_GETPEERNAME(so); 3479 } 3480 3481 bzero(so_laddr, sizeof (so_laddr)); 3482 bzero(so_faddr, sizeof (so_faddr)); 3483 3484 mutex_enter(&so->so_lock); 3485 len = min(so->so_laddr_len, sizeof (so_laddr)); 3486 bcopy(so->so_laddr_sa, so_laddr, len); 3487 if (error) { 3488 mutex_exit(&so->so_lock); 3489 if (uap->addr == NULL) 3490 break; 3491 if (uap->len <= 0) 3492 break; 3493 len = min(uap->len, sizeof (so_faddr)); 3494 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3495 break; 3496 #ifdef NOTYET 3497 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3498 #endif 3499 } else { 3500 /* sanity check on length */ 3501 len = min(so->so_faddr_len, sizeof (so_faddr)); 3502 bcopy(so->so_faddr_sa, so_faddr, len); 3503 mutex_exit(&so->so_lock); 3504 } 3505 3506 add_sock_token = 1; 3507 3508 break; 3509 3510 case AF_UNIX: 3511 /* does a lookup on name */ 3512 break; 3513 3514 default: 3515 /* AF_ROUTE, AF_KEY do not support accept */ 3516 break; 3517 } 3518 3519 releasef(fd); 3520 3521 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3522 3523 if (add_sock_token == 0) { 3524 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3525 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3526 return; 3527 } 3528 3529 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3530 3531 } 3532 3533 /*ARGSUSED*/ 3534 static void 3535 aus_shutdown(struct t_audit_data *tad) 3536 { 3537 struct a { 3538 long fd; 3539 long how; 3540 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3541 3542 struct sonode *so; 3543 char so_laddr[sizeof (struct sockaddr_in6)]; 3544 char so_faddr[sizeof (struct sockaddr_in6)]; 3545 int err, fd; 3546 int len; 3547 short so_family, so_type; 3548 int add_sock_token = 0; 3549 file_t *fp; /* unix domain sockets */ 3550 struct f_audit_data *fad; /* unix domain sockets */ 3551 3552 fd = (int)uap->fd; 3553 3554 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3555 /* 3556 * not security relevant if doing a shutdown using non socket 3557 * so no extra tokens. Should probably turn off audit record 3558 * generation here. 3559 */ 3560 return; 3561 } 3562 3563 so_family = so->so_family; 3564 so_type = so->so_type; 3565 3566 switch (so_family) { 3567 case AF_INET: 3568 case AF_INET6: 3569 3570 bzero(so_laddr, sizeof (so_laddr)); 3571 bzero(so_faddr, sizeof (so_faddr)); 3572 3573 if (so->so_state & SS_ISBOUND) { 3574 /* 3575 * no local address then need to get it from lower 3576 * levels. 3577 */ 3578 if (so->so_laddr_len == 0) 3579 (void) SOP_GETSOCKNAME(so); 3580 if (so->so_faddr_len == 0) 3581 (void) SOP_GETPEERNAME(so); 3582 } 3583 3584 mutex_enter(&so->so_lock); 3585 len = min(so->so_laddr_len, sizeof (so_laddr)); 3586 bcopy(so->so_laddr_sa, so_laddr, len); 3587 len = min(so->so_faddr_len, sizeof (so_faddr)); 3588 bcopy(so->so_faddr_sa, so_faddr, len); 3589 mutex_exit(&so->so_lock); 3590 3591 add_sock_token = 1; 3592 3593 break; 3594 3595 case AF_UNIX: 3596 3597 /* get path from file struct here */ 3598 fad = F2A(fp); 3599 ASSERT(fad); 3600 3601 if (fad->fad_aupath != NULL) { 3602 au_uwrite(au_to_path(fad->fad_aupath)); 3603 } else { 3604 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3605 } 3606 3607 audit_attributes(fp->f_vnode); 3608 3609 break; 3610 3611 default: 3612 /* 3613 * AF_KEY and AF_ROUTE support shutdown. No socket token 3614 * added. 3615 */ 3616 break; 3617 } 3618 3619 releasef(fd); 3620 3621 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3622 3623 if (add_sock_token == 0) { 3624 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3625 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3626 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3627 return; 3628 } 3629 3630 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3631 3632 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3633 3634 } 3635 3636 /*ARGSUSED*/ 3637 static void 3638 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3639 { 3640 struct a { 3641 long fd; 3642 long level; 3643 long optname; 3644 long *optval; 3645 long optlen; 3646 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3647 3648 struct sonode *so; 3649 char so_laddr[sizeof (struct sockaddr_in6)]; 3650 char so_faddr[sizeof (struct sockaddr_in6)]; 3651 char val[AU_BUFSIZE]; 3652 int err, fd; 3653 int len; 3654 short so_family, so_type; 3655 int add_sock_token = 0; 3656 file_t *fp; /* unix domain sockets */ 3657 struct f_audit_data *fad; /* unix domain sockets */ 3658 3659 fd = (int)uap->fd; 3660 3661 if (error) { 3662 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3663 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3664 /* XXX may want to include other arguments */ 3665 return; 3666 } 3667 3668 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3669 /* 3670 * not security relevant if doing a setsockopt from non socket 3671 * so no extra tokens. Should probably turn off audit record 3672 * generation here. 3673 */ 3674 return; 3675 } 3676 3677 so_family = so->so_family; 3678 so_type = so->so_type; 3679 3680 switch (so_family) { 3681 case AF_INET: 3682 case AF_INET6: 3683 3684 bzero((void *)so_laddr, sizeof (so_laddr)); 3685 bzero((void *)so_faddr, sizeof (so_faddr)); 3686 3687 if (so->so_state & SS_ISBOUND) { 3688 if (so->so_laddr_len == 0) 3689 (void) SOP_GETSOCKNAME(so); 3690 if (so->so_faddr_len == 0) 3691 (void) SOP_GETPEERNAME(so); 3692 } 3693 3694 /* get local and foreign addresses */ 3695 mutex_enter(&so->so_lock); 3696 len = min(so->so_laddr_len, sizeof (so_laddr)); 3697 bcopy(so->so_laddr_sa, so_laddr, len); 3698 len = min(so->so_faddr_len, sizeof (so_faddr)); 3699 bcopy(so->so_faddr_sa, so_faddr, len); 3700 mutex_exit(&so->so_lock); 3701 3702 add_sock_token = 1; 3703 3704 break; 3705 3706 case AF_UNIX: 3707 3708 /* get path from file struct here */ 3709 fad = F2A(fp); 3710 ASSERT(fad); 3711 3712 if (fad->fad_aupath != NULL) { 3713 au_uwrite(au_to_path(fad->fad_aupath)); 3714 } else { 3715 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3716 } 3717 3718 audit_attributes(fp->f_vnode); 3719 3720 break; 3721 3722 default: 3723 /* 3724 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3725 * added. 3726 */ 3727 break; 3728 } 3729 3730 releasef(fd); 3731 3732 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3733 3734 if (add_sock_token == 0) { 3735 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3736 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3737 } 3738 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3739 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3740 3741 bzero(val, sizeof (val)); 3742 len = min(uap->optlen, sizeof (val)); 3743 if ((len > 0) && 3744 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3745 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3746 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3747 } 3748 3749 if (add_sock_token == 0) 3750 return; 3751 3752 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3753 3754 } 3755 3756 /*ARGSUSED*/ 3757 static void 3758 aus_sockconfig(tad) 3759 struct t_audit_data *tad; 3760 { 3761 struct a { 3762 long domain; 3763 long type; 3764 long protocol; 3765 long devpath; 3766 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3767 3768 char *kdevpath; 3769 int kdevpathlen = MAXPATHLEN + 1; 3770 size_t size; 3771 3772 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3773 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3774 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3775 3776 if (uap->devpath == 0) { 3777 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3778 } else { 3779 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3780 3781 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3782 &size)) { 3783 kmem_free(kdevpath, kdevpathlen); 3784 return; 3785 } 3786 3787 if (size > MAXPATHLEN) { 3788 kmem_free(kdevpath, kdevpathlen); 3789 return; 3790 } 3791 3792 au_uwrite(au_to_text(kdevpath)); 3793 kmem_free(kdevpath, kdevpathlen); 3794 } 3795 } 3796 3797 /* 3798 * only audit recvmsg when the system call represents the creation of a new 3799 * circuit. This effectively occurs for all UDP packets and may occur for 3800 * special TCP situations where the local host has not set a local address 3801 * in the socket structure. 3802 */ 3803 /*ARGSUSED*/ 3804 static void 3805 auf_recvmsg( 3806 struct t_audit_data *tad, 3807 int error, 3808 rval_t *rvp) 3809 { 3810 struct a { 3811 long fd; 3812 long msg; /* struct msghdr */ 3813 long flags; 3814 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3815 3816 struct sonode *so; 3817 STRUCT_DECL(msghdr, msg); 3818 caddr_t msg_name; 3819 socklen_t msg_namelen; 3820 int fd; 3821 int err; 3822 char so_laddr[sizeof (struct sockaddr_in6)]; 3823 char so_faddr[sizeof (struct sockaddr_in6)]; 3824 int len; 3825 file_t *fp; /* unix domain sockets */ 3826 struct f_audit_data *fad; /* unix domain sockets */ 3827 short so_family, so_type; 3828 int add_sock_token = 0; 3829 au_kcontext_t *kctx = GET_KCTX_PZ; 3830 3831 fd = (int)uap->fd; 3832 3833 /* bail if an error */ 3834 if (error) { 3835 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3836 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3837 return; 3838 } 3839 3840 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3841 /* 3842 * not security relevant if doing a recvmsg from non socket 3843 * so no extra tokens. Should probably turn off audit record 3844 * generation here. 3845 */ 3846 return; 3847 } 3848 3849 so_family = so->so_family; 3850 so_type = so->so_type; 3851 3852 /* 3853 * only putout SOCKET_EX token if INET/INET6 family. 3854 * XXX - what do we do about other families? 3855 */ 3856 3857 switch (so_family) { 3858 case AF_INET: 3859 case AF_INET6: 3860 3861 /* 3862 * if datagram type socket, then just use what is in 3863 * socket structure for local address. 3864 * XXX - what do we do for other types? 3865 */ 3866 if ((so->so_type == SOCK_DGRAM) || 3867 (so->so_type == SOCK_RAW)) { 3868 add_sock_token = 1; 3869 3870 bzero((void *)so_laddr, sizeof (so_laddr)); 3871 bzero((void *)so_faddr, sizeof (so_faddr)); 3872 3873 /* get local address */ 3874 mutex_enter(&so->so_lock); 3875 len = min(so->so_laddr_len, sizeof (so_laddr)); 3876 bcopy(so->so_laddr_sa, so_laddr, len); 3877 mutex_exit(&so->so_lock); 3878 3879 /* get peer address */ 3880 STRUCT_INIT(msg, get_udatamodel()); 3881 3882 if (copyin((caddr_t)(uap->msg), 3883 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3884 break; 3885 } 3886 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3887 if (msg_name == NULL) { 3888 break; 3889 } 3890 3891 /* length is value from recvmsg - sanity check */ 3892 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3893 if (msg_namelen == 0) { 3894 break; 3895 } 3896 if (copyin(msg_name, so_faddr, 3897 sizeof (so_faddr)) != 0) { 3898 break; 3899 } 3900 3901 } else if (so->so_type == SOCK_STREAM) { 3902 3903 /* get path from file struct here */ 3904 fad = F2A(fp); 3905 ASSERT(fad); 3906 3907 /* 3908 * already processed this file for read attempt 3909 */ 3910 if (fad->fad_flags & FAD_READ) { 3911 /* don't want to audit every recvmsg attempt */ 3912 tad->tad_flag = 0; 3913 /* free any residual audit data */ 3914 au_close(kctx, &(u_ad), 0, 0, 0); 3915 releasef(fd); 3916 return; 3917 } 3918 /* 3919 * mark things so we know what happened and don't 3920 * repeat things 3921 */ 3922 fad->fad_flags |= FAD_READ; 3923 3924 bzero((void *)so_laddr, sizeof (so_laddr)); 3925 bzero((void *)so_faddr, sizeof (so_faddr)); 3926 3927 if (so->so_state & SS_ISBOUND) { 3928 3929 if (so->so_laddr_len == 0) 3930 (void) SOP_GETSOCKNAME(so); 3931 if (so->so_faddr_len == 0) 3932 (void) SOP_GETPEERNAME(so); 3933 3934 /* get local and foreign addresses */ 3935 mutex_enter(&so->so_lock); 3936 len = min(so->so_laddr_len, sizeof (so_laddr)); 3937 bcopy(so->so_laddr_sa, so_laddr, len); 3938 len = min(so->so_faddr_len, sizeof (so_faddr)); 3939 bcopy(so->so_faddr_sa, so_faddr, len); 3940 mutex_exit(&so->so_lock); 3941 } 3942 3943 add_sock_token = 1; 3944 } 3945 3946 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3947 3948 break; 3949 3950 case AF_UNIX: 3951 /* 3952 * first check if this is first time through. Too much 3953 * duplicate code to put this in an aui_ routine. 3954 */ 3955 3956 /* get path from file struct here */ 3957 fad = F2A(fp); 3958 ASSERT(fad); 3959 3960 /* 3961 * already processed this file for read attempt 3962 */ 3963 if (fad->fad_flags & FAD_READ) { 3964 releasef(fd); 3965 /* don't want to audit every recvmsg attempt */ 3966 tad->tad_flag = 0; 3967 /* free any residual audit data */ 3968 au_close(kctx, &(u_ad), 0, 0, 0); 3969 return; 3970 } 3971 /* 3972 * mark things so we know what happened and don't 3973 * repeat things 3974 */ 3975 fad->fad_flags |= FAD_READ; 3976 3977 if (fad->fad_aupath != NULL) { 3978 au_uwrite(au_to_path(fad->fad_aupath)); 3979 } else { 3980 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3981 } 3982 3983 audit_attributes(fp->f_vnode); 3984 3985 releasef(fd); 3986 3987 return; 3988 3989 default: 3990 break; 3991 3992 } 3993 3994 releasef(fd); 3995 3996 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3997 3998 if (add_sock_token == 0) { 3999 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4000 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4001 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4002 return; 4003 } 4004 4005 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4006 4007 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4008 4009 } 4010 4011 /*ARGSUSED*/ 4012 static void 4013 auf_recvfrom( 4014 struct t_audit_data *tad, 4015 int error, 4016 rval_t *rvp) 4017 { 4018 4019 struct a { 4020 long fd; 4021 long msg; /* char */ 4022 long len; 4023 long flags; 4024 long from; /* struct sockaddr */ 4025 long fromlen; 4026 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4027 4028 socklen_t fromlen; 4029 struct sonode *so; 4030 char so_laddr[sizeof (struct sockaddr_in6)]; 4031 char so_faddr[sizeof (struct sockaddr_in6)]; 4032 int fd; 4033 short so_family, so_type; 4034 int add_sock_token = 0; 4035 int len; 4036 int err; 4037 struct file *fp; 4038 struct f_audit_data *fad; /* unix domain sockets */ 4039 au_kcontext_t *kctx = GET_KCTX_PZ; 4040 4041 fd = (int)uap->fd; 4042 4043 /* bail if an error */ 4044 if (error) { 4045 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4046 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4047 return; 4048 } 4049 4050 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4051 /* 4052 * not security relevant if doing a recvmsg from non socket 4053 * so no extra tokens. Should probably turn off audit record 4054 * generation here. 4055 */ 4056 return; 4057 } 4058 4059 so_family = so->so_family; 4060 so_type = so->so_type; 4061 4062 /* 4063 * only putout SOCKET_EX token if INET/INET6 family. 4064 * XXX - what do we do about other families? 4065 */ 4066 4067 switch (so_family) { 4068 case AF_INET: 4069 case AF_INET6: 4070 4071 /* 4072 * if datagram type socket, then just use what is in 4073 * socket structure for local address. 4074 * XXX - what do we do for other types? 4075 */ 4076 if ((so->so_type == SOCK_DGRAM) || 4077 (so->so_type == SOCK_RAW)) { 4078 add_sock_token = 1; 4079 4080 /* get local address */ 4081 mutex_enter(&so->so_lock); 4082 len = min(so->so_laddr_len, sizeof (so_laddr)); 4083 bcopy(so->so_laddr_sa, so_laddr, len); 4084 mutex_exit(&so->so_lock); 4085 4086 /* get peer address */ 4087 bzero((void *)so_faddr, sizeof (so_faddr)); 4088 4089 /* sanity check */ 4090 if (uap->from == NULL) 4091 break; 4092 4093 /* sanity checks */ 4094 if (uap->fromlen == 0) 4095 break; 4096 4097 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4098 sizeof (fromlen)) != 0) 4099 break; 4100 4101 if (fromlen == 0) 4102 break; 4103 4104 /* enforce maximum size */ 4105 if (fromlen > sizeof (so_faddr)) 4106 fromlen = sizeof (so_faddr); 4107 4108 if (copyin((caddr_t)(uap->from), so_faddr, 4109 fromlen) != 0) 4110 break; 4111 4112 } else if (so->so_type == SOCK_STREAM) { 4113 4114 /* get path from file struct here */ 4115 fad = F2A(fp); 4116 ASSERT(fad); 4117 4118 /* 4119 * already processed this file for read attempt 4120 */ 4121 if (fad->fad_flags & FAD_READ) { 4122 /* don't want to audit every recvfrom attempt */ 4123 tad->tad_flag = 0; 4124 /* free any residual audit data */ 4125 au_close(kctx, &(u_ad), 0, 0, 0); 4126 releasef(fd); 4127 return; 4128 } 4129 /* 4130 * mark things so we know what happened and don't 4131 * repeat things 4132 */ 4133 fad->fad_flags |= FAD_READ; 4134 4135 bzero((void *)so_laddr, sizeof (so_laddr)); 4136 bzero((void *)so_faddr, sizeof (so_faddr)); 4137 4138 if (so->so_state & SS_ISBOUND) { 4139 4140 if (so->so_laddr_len == 0) 4141 (void) SOP_GETSOCKNAME(so); 4142 if (so->so_faddr_len == 0) 4143 (void) SOP_GETPEERNAME(so); 4144 4145 /* get local and foreign addresses */ 4146 mutex_enter(&so->so_lock); 4147 len = min(so->so_laddr_len, sizeof (so_laddr)); 4148 bcopy(so->so_laddr_sa, so_laddr, len); 4149 len = min(so->so_faddr_len, sizeof (so_faddr)); 4150 bcopy(so->so_faddr_sa, so_faddr, len); 4151 mutex_exit(&so->so_lock); 4152 } 4153 4154 add_sock_token = 1; 4155 } 4156 4157 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4158 4159 break; 4160 4161 case AF_UNIX: 4162 /* 4163 * first check if this is first time through. Too much 4164 * duplicate code to put this in an aui_ routine. 4165 */ 4166 4167 /* get path from file struct here */ 4168 fad = F2A(fp); 4169 ASSERT(fad); 4170 4171 /* 4172 * already processed this file for read attempt 4173 */ 4174 if (fad->fad_flags & FAD_READ) { 4175 /* don't want to audit every recvfrom attempt */ 4176 tad->tad_flag = 0; 4177 /* free any residual audit data */ 4178 au_close(kctx, &(u_ad), 0, 0, 0); 4179 releasef(fd); 4180 return; 4181 } 4182 /* 4183 * mark things so we know what happened and don't 4184 * repeat things 4185 */ 4186 fad->fad_flags |= FAD_READ; 4187 4188 if (fad->fad_aupath != NULL) { 4189 au_uwrite(au_to_path(fad->fad_aupath)); 4190 } else { 4191 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4192 } 4193 4194 audit_attributes(fp->f_vnode); 4195 4196 releasef(fd); 4197 4198 return; 4199 4200 default: 4201 break; 4202 4203 } 4204 4205 releasef(fd); 4206 4207 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4208 4209 if (add_sock_token == 0) { 4210 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4211 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4212 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4213 return; 4214 } 4215 4216 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4217 4218 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4219 } 4220 4221 /*ARGSUSED*/ 4222 static void 4223 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4224 { 4225 struct a { 4226 long fd; 4227 long msg; /* struct msghdr */ 4228 long flags; 4229 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4230 4231 struct sonode *so; 4232 char so_laddr[sizeof (struct sockaddr_in6)]; 4233 char so_faddr[sizeof (struct sockaddr_in6)]; 4234 int err; 4235 int fd; 4236 short so_family, so_type; 4237 int add_sock_token = 0; 4238 int len; 4239 struct file *fp; 4240 struct f_audit_data *fad; 4241 caddr_t msg_name; 4242 socklen_t msg_namelen; 4243 STRUCT_DECL(msghdr, msg); 4244 au_kcontext_t *kctx = GET_KCTX_PZ; 4245 4246 fd = (int)uap->fd; 4247 4248 /* bail if an error */ 4249 if (error) { 4250 /* XXX include destination address from system call arguments */ 4251 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4252 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4253 return; 4254 } 4255 4256 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4257 /* 4258 * not security relevant if doing a sendmsg from non socket 4259 * so no extra tokens. Should probably turn off audit record 4260 * generation here. 4261 */ 4262 return; 4263 } 4264 4265 so_family = so->so_family; 4266 so_type = so->so_type; 4267 4268 switch (so_family) { 4269 case AF_INET: 4270 case AF_INET6: 4271 /* 4272 * if datagram type socket, then just use what is in 4273 * socket structure for local address. 4274 * XXX - what do we do for other types? 4275 */ 4276 if ((so->so_type == SOCK_DGRAM) || 4277 (so->so_type == SOCK_RAW)) { 4278 4279 bzero((void *)so_laddr, sizeof (so_laddr)); 4280 bzero((void *)so_faddr, sizeof (so_faddr)); 4281 4282 /* get local address */ 4283 mutex_enter(&so->so_lock); 4284 len = min(so->so_laddr_len, sizeof (so_laddr)); 4285 bcopy(so->so_laddr_sa, so_laddr, len); 4286 mutex_exit(&so->so_lock); 4287 4288 /* get peer address */ 4289 STRUCT_INIT(msg, get_udatamodel()); 4290 4291 if (copyin((caddr_t)(uap->msg), 4292 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4293 break; 4294 } 4295 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4296 if (msg_name == NULL) 4297 break; 4298 4299 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4300 /* length is value from recvmsg - sanity check */ 4301 if (msg_namelen == 0) 4302 break; 4303 4304 if (copyin(msg_name, so_faddr, 4305 sizeof (so_faddr)) != 0) 4306 break; 4307 4308 add_sock_token = 1; 4309 4310 } else if (so->so_type == SOCK_STREAM) { 4311 4312 /* get path from file struct here */ 4313 fad = F2A(fp); 4314 ASSERT(fad); 4315 4316 /* 4317 * already processed this file for write attempt 4318 */ 4319 if (fad->fad_flags & FAD_WRITE) { 4320 releasef(fd); 4321 /* don't want to audit every sendmsg attempt */ 4322 tad->tad_flag = 0; 4323 /* free any residual audit data */ 4324 au_close(kctx, &(u_ad), 0, 0, 0); 4325 return; 4326 } 4327 4328 /* 4329 * mark things so we know what happened and don't 4330 * repeat things 4331 */ 4332 fad->fad_flags |= FAD_WRITE; 4333 4334 bzero((void *)so_laddr, sizeof (so_laddr)); 4335 bzero((void *)so_faddr, sizeof (so_faddr)); 4336 4337 if (so->so_state & SS_ISBOUND) { 4338 4339 if (so->so_laddr_len == 0) 4340 (void) SOP_GETSOCKNAME(so); 4341 if (so->so_faddr_len == 0) 4342 (void) SOP_GETPEERNAME(so); 4343 4344 /* get local and foreign addresses */ 4345 mutex_enter(&so->so_lock); 4346 len = min(so->so_laddr_len, sizeof (so_laddr)); 4347 bcopy(so->so_laddr_sa, so_laddr, len); 4348 len = min(so->so_faddr_len, sizeof (so_faddr)); 4349 bcopy(so->so_faddr_sa, so_faddr, len); 4350 mutex_exit(&so->so_lock); 4351 } 4352 4353 add_sock_token = 1; 4354 } 4355 4356 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4357 4358 break; 4359 4360 case AF_UNIX: 4361 /* 4362 * first check if this is first time through. Too much 4363 * duplicate code to put this in an aui_ routine. 4364 */ 4365 4366 /* get path from file struct here */ 4367 fad = F2A(fp); 4368 ASSERT(fad); 4369 4370 /* 4371 * already processed this file for write attempt 4372 */ 4373 if (fad->fad_flags & FAD_WRITE) { 4374 releasef(fd); 4375 /* don't want to audit every sendmsg attempt */ 4376 tad->tad_flag = 0; 4377 /* free any residual audit data */ 4378 au_close(kctx, &(u_ad), 0, 0, 0); 4379 return; 4380 } 4381 /* 4382 * mark things so we know what happened and don't 4383 * repeat things 4384 */ 4385 fad->fad_flags |= FAD_WRITE; 4386 4387 if (fad->fad_aupath != NULL) { 4388 au_uwrite(au_to_path(fad->fad_aupath)); 4389 } else { 4390 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4391 } 4392 4393 audit_attributes(fp->f_vnode); 4394 4395 releasef(fd); 4396 4397 return; 4398 4399 default: 4400 break; 4401 } 4402 4403 releasef(fd); 4404 4405 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4406 4407 if (add_sock_token == 0) { 4408 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4409 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4410 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4411 return; 4412 } 4413 4414 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4415 4416 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4417 } 4418 4419 /*ARGSUSED*/ 4420 static void 4421 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4422 { 4423 struct a { 4424 long fd; 4425 long msg; /* char */ 4426 long len; 4427 long flags; 4428 long to; /* struct sockaddr */ 4429 long tolen; 4430 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4431 4432 struct sonode *so; 4433 char so_laddr[sizeof (struct sockaddr_in6)]; 4434 char so_faddr[sizeof (struct sockaddr_in6)]; 4435 socklen_t tolen; 4436 int err; 4437 int fd; 4438 int len; 4439 short so_family, so_type; 4440 int add_sock_token = 0; 4441 struct file *fp; 4442 struct f_audit_data *fad; 4443 au_kcontext_t *kctx = GET_KCTX_PZ; 4444 4445 fd = (int)uap->fd; 4446 4447 /* bail if an error */ 4448 if (error) { 4449 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4450 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4451 /* XXX include destination address from system call arguments */ 4452 return; 4453 } 4454 4455 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4456 /* 4457 * not security relevant if doing a sendto using non socket 4458 * so no extra tokens. Should probably turn off audit record 4459 * generation here. 4460 */ 4461 return; 4462 } 4463 4464 so_family = so->so_family; 4465 so_type = so->so_type; 4466 4467 /* 4468 * only putout SOCKET_EX token if INET/INET6 family. 4469 * XXX - what do we do about other families? 4470 */ 4471 4472 switch (so_family) { 4473 case AF_INET: 4474 case AF_INET6: 4475 4476 /* 4477 * if datagram type socket, then just use what is in 4478 * socket structure for local address. 4479 * XXX - what do we do for other types? 4480 */ 4481 if ((so->so_type == SOCK_DGRAM) || 4482 (so->so_type == SOCK_RAW)) { 4483 4484 bzero((void *)so_laddr, sizeof (so_laddr)); 4485 bzero((void *)so_faddr, sizeof (so_faddr)); 4486 4487 /* get local address */ 4488 mutex_enter(&so->so_lock); 4489 len = min(so->so_laddr_len, sizeof (so_laddr)); 4490 bcopy(so->so_laddr_sa, so_laddr, len); 4491 mutex_exit(&so->so_lock); 4492 4493 /* get peer address */ 4494 4495 /* sanity check */ 4496 if (uap->to == NULL) 4497 break; 4498 4499 /* sanity checks */ 4500 if (uap->tolen == 0) 4501 break; 4502 4503 tolen = (socklen_t)uap->tolen; 4504 4505 /* enforce maximum size */ 4506 if (tolen > sizeof (so_faddr)) 4507 tolen = sizeof (so_faddr); 4508 4509 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4510 break; 4511 4512 add_sock_token = 1; 4513 } else { 4514 /* 4515 * check if this is first time through. 4516 */ 4517 4518 /* get path from file struct here */ 4519 fad = F2A(fp); 4520 ASSERT(fad); 4521 4522 /* 4523 * already processed this file for write attempt 4524 */ 4525 if (fad->fad_flags & FAD_WRITE) { 4526 /* don't want to audit every sendto attempt */ 4527 tad->tad_flag = 0; 4528 /* free any residual audit data */ 4529 au_close(kctx, &(u_ad), 0, 0, 0); 4530 releasef(fd); 4531 return; 4532 } 4533 /* 4534 * mark things so we know what happened and don't 4535 * repeat things 4536 */ 4537 fad->fad_flags |= FAD_WRITE; 4538 4539 bzero((void *)so_laddr, sizeof (so_laddr)); 4540 bzero((void *)so_faddr, sizeof (so_faddr)); 4541 4542 if (so->so_state & SS_ISBOUND) { 4543 4544 if (so->so_laddr_len == 0) 4545 (void) SOP_GETSOCKNAME(so); 4546 if (so->so_faddr_len == 0) 4547 (void) SOP_GETPEERNAME(so); 4548 4549 /* get local and foreign addresses */ 4550 mutex_enter(&so->so_lock); 4551 len = min(so->so_laddr_len, sizeof (so_laddr)); 4552 bcopy(so->so_laddr_sa, so_laddr, len); 4553 len = min(so->so_faddr_len, sizeof (so_faddr)); 4554 bcopy(so->so_faddr_sa, so_faddr, len); 4555 mutex_exit(&so->so_lock); 4556 } 4557 4558 add_sock_token = 1; 4559 } 4560 4561 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4562 4563 break; 4564 4565 case AF_UNIX: 4566 /* 4567 * first check if this is first time through. Too much 4568 * duplicate code to put this in an aui_ routine. 4569 */ 4570 4571 /* get path from file struct here */ 4572 fad = F2A(fp); 4573 ASSERT(fad); 4574 4575 /* 4576 * already processed this file for write attempt 4577 */ 4578 if (fad->fad_flags & FAD_WRITE) { 4579 /* don't want to audit every sendto attempt */ 4580 tad->tad_flag = 0; 4581 /* free any residual audit data */ 4582 au_close(kctx, &(u_ad), 0, 0, 0); 4583 releasef(fd); 4584 return; 4585 } 4586 /* 4587 * mark things so we know what happened and don't 4588 * repeat things 4589 */ 4590 fad->fad_flags |= FAD_WRITE; 4591 4592 if (fad->fad_aupath != NULL) { 4593 au_uwrite(au_to_path(fad->fad_aupath)); 4594 } else { 4595 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4596 } 4597 4598 audit_attributes(fp->f_vnode); 4599 4600 releasef(fd); 4601 4602 return; 4603 4604 default: 4605 break; 4606 4607 } 4608 4609 releasef(fd); 4610 4611 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4612 4613 if (add_sock_token == 0) { 4614 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4615 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4616 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4617 return; 4618 } 4619 4620 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4621 4622 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4623 4624 } 4625 4626 /* 4627 * XXX socket(2) may be equivilent to open(2) on a unix domain 4628 * socket. This needs investigation. 4629 */ 4630 4631 /*ARGSUSED*/ 4632 static void 4633 aus_socket(struct t_audit_data *tad) 4634 { 4635 struct a { 4636 long domain; 4637 long type; 4638 long protocol; 4639 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4640 4641 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4642 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4643 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4644 } 4645 4646 /*ARGSUSED*/ 4647 static void 4648 aus_sigqueue(struct t_audit_data *tad) 4649 { 4650 struct a { 4651 long pid; 4652 long signo; 4653 long *val; 4654 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4655 struct proc *p; 4656 uid_t uid, ruid; 4657 gid_t gid, rgid; 4658 pid_t pid; 4659 const auditinfo_addr_t *ainfo; 4660 cred_t *cr; 4661 4662 pid = (pid_t)uap->pid; 4663 4664 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4665 if (pid > 0) { 4666 mutex_enter(&pidlock); 4667 if ((p = prfind(pid)) == (struct proc *)0) { 4668 mutex_exit(&pidlock); 4669 return; 4670 } 4671 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4672 mutex_exit(&pidlock); 4673 4674 mutex_enter(&p->p_crlock); 4675 crhold(cr = p->p_cred); 4676 mutex_exit(&p->p_crlock); 4677 mutex_exit(&p->p_lock); 4678 4679 ainfo = crgetauinfo(cr); 4680 if (ainfo == NULL) { 4681 crfree(cr); 4682 return; 4683 } 4684 4685 uid = crgetuid(cr); 4686 gid = crgetgid(cr); 4687 ruid = crgetruid(cr); 4688 rgid = crgetrgid(cr); 4689 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4690 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4691 crfree(cr); 4692 } 4693 else 4694 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4695 } 4696 4697 /*ARGSUSED*/ 4698 static void 4699 aus_inst_sync(struct t_audit_data *tad) 4700 { 4701 struct a { 4702 long name; /* char */ 4703 long flags; 4704 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4705 4706 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4707 } 4708 4709 /*ARGSUSED*/ 4710 static void 4711 aus_brandsys(struct t_audit_data *tad) 4712 { 4713 klwp_t *clwp = ttolwp(curthread); 4714 4715 struct a { 4716 long cmd; 4717 long arg1; 4718 long arg2; 4719 long arg3; 4720 long arg4; 4721 long arg5; 4722 long arg6; 4723 } *uap = (struct a *)clwp->lwp_ap; 4724 4725 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4726 #ifdef _LP64 4727 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4728 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4729 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4730 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4731 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4732 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4733 #else 4734 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4735 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4736 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4737 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4738 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4739 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4740 #endif 4741 } 4742 4743 /*ARGSUSED*/ 4744 static void 4745 aus_p_online(struct t_audit_data *tad) 4746 { 4747 struct a { 4748 long processor_id; 4749 long flag; 4750 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4751 4752 struct flags { 4753 int flag; 4754 char *cflag; 4755 } aflags[6] = { 4756 { P_ONLINE, "P_ONLINE"}, 4757 { P_OFFLINE, "P_OFFLINE"}, 4758 { P_NOINTR, "P_NOINTR"}, 4759 { P_SPARE, "P_SPARE"}, 4760 { P_FAULTED, "P_FAULTED"}, 4761 { P_STATUS, "P_STATUS"} 4762 }; 4763 int i; 4764 char *cflag; 4765 4766 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4767 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4768 4769 for (i = 0; i < 6; i++) { 4770 if (aflags[i].flag == uap->flag) 4771 break; 4772 } 4773 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4774 4775 au_uwrite(au_to_text(cflag)); 4776 } 4777 4778 /*ARGSUSED*/ 4779 static void 4780 aus_processor_bind(struct t_audit_data *tad) 4781 { 4782 struct a { 4783 long id_type; 4784 long id; 4785 long processor_id; 4786 long obind; 4787 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4788 4789 struct proc *p; 4790 int lwpcnt; 4791 uid_t uid, ruid; 4792 gid_t gid, rgid; 4793 pid_t pid; 4794 const auditinfo_addr_t *ainfo; 4795 cred_t *cr; 4796 4797 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4798 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4799 if (uap->processor_id == PBIND_NONE) 4800 au_uwrite(au_to_text("PBIND_NONE")); 4801 else 4802 au_uwrite(au_to_arg32(3, "processor_id", 4803 (uint32_t)uap->processor_id)); 4804 4805 switch (uap->id_type) { 4806 case P_MYID: 4807 case P_LWPID: 4808 mutex_enter(&pidlock); 4809 p = ttoproc(curthread); 4810 if (p == NULL || p->p_as == &kas) { 4811 mutex_exit(&pidlock); 4812 return; 4813 } 4814 mutex_enter(&p->p_lock); 4815 mutex_exit(&pidlock); 4816 lwpcnt = p->p_lwpcnt; 4817 pid = p->p_pid; 4818 4819 mutex_enter(&p->p_crlock); 4820 crhold(cr = p->p_cred); 4821 mutex_exit(&p->p_crlock); 4822 mutex_exit(&p->p_lock); 4823 4824 ainfo = crgetauinfo(cr); 4825 if (ainfo == NULL) { 4826 crfree(cr); 4827 return; 4828 } 4829 4830 uid = crgetuid(cr); 4831 gid = crgetgid(cr); 4832 ruid = crgetruid(cr); 4833 rgid = crgetrgid(cr); 4834 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4835 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4836 crfree(cr); 4837 break; 4838 case P_PID: 4839 mutex_enter(&pidlock); 4840 p = prfind(uap->id); 4841 if (p == NULL || p->p_as == &kas) { 4842 mutex_exit(&pidlock); 4843 return; 4844 } 4845 mutex_enter(&p->p_lock); 4846 mutex_exit(&pidlock); 4847 lwpcnt = p->p_lwpcnt; 4848 pid = p->p_pid; 4849 4850 mutex_enter(&p->p_crlock); 4851 crhold(cr = p->p_cred); 4852 mutex_exit(&p->p_crlock); 4853 mutex_exit(&p->p_lock); 4854 4855 ainfo = crgetauinfo(cr); 4856 if (ainfo == NULL) { 4857 crfree(cr); 4858 return; 4859 } 4860 4861 uid = crgetuid(cr); 4862 gid = crgetgid(cr); 4863 ruid = crgetruid(cr); 4864 rgid = crgetrgid(cr); 4865 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4866 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4867 crfree(cr); 4868 4869 break; 4870 default: 4871 return; 4872 } 4873 4874 if (uap->processor_id == PBIND_NONE && 4875 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4876 au_uwrite(au_to_text("PBIND_NONE for process")); 4877 else 4878 au_uwrite(au_to_arg32(3, "processor_id", 4879 (uint32_t)uap->processor_id)); 4880 } 4881 4882 /*ARGSUSED*/ 4883 static au_event_t 4884 aui_doorfs(au_event_t e) 4885 { 4886 uint32_t code; 4887 4888 struct a { /* doorfs */ 4889 long a1; 4890 long a2; 4891 long a3; 4892 long a4; 4893 long a5; 4894 long code; 4895 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4896 4897 /* 4898 * audit formats for several of the 4899 * door calls have not yet been determined 4900 */ 4901 code = (uint32_t)uap->code; 4902 switch (code) { 4903 case DOOR_CALL: 4904 e = AUE_DOORFS_DOOR_CALL; 4905 break; 4906 case DOOR_RETURN: 4907 e = AUE_NULL; 4908 break; 4909 case DOOR_CREATE: 4910 e = AUE_DOORFS_DOOR_CREATE; 4911 break; 4912 case DOOR_REVOKE: 4913 e = AUE_DOORFS_DOOR_REVOKE; 4914 break; 4915 case DOOR_INFO: 4916 e = AUE_NULL; 4917 break; 4918 case DOOR_UCRED: 4919 e = AUE_NULL; 4920 break; 4921 case DOOR_BIND: 4922 e = AUE_NULL; 4923 break; 4924 case DOOR_UNBIND: 4925 e = AUE_NULL; 4926 break; 4927 case DOOR_GETPARAM: 4928 e = AUE_NULL; 4929 break; 4930 case DOOR_SETPARAM: 4931 e = AUE_NULL; 4932 break; 4933 default: /* illegal system call */ 4934 e = AUE_NULL; 4935 break; 4936 } 4937 4938 return (e); 4939 } 4940 4941 static door_node_t * 4942 au_door_lookup(int did) 4943 { 4944 vnode_t *vp; 4945 file_t *fp; 4946 4947 if ((fp = getf(did)) == NULL) 4948 return (NULL); 4949 /* 4950 * Use the underlying vnode (we may be namefs mounted) 4951 */ 4952 if (VOP_REALVP(fp->f_vnode, &vp)) 4953 vp = fp->f_vnode; 4954 4955 if (vp == NULL || vp->v_type != VDOOR) { 4956 releasef(did); 4957 return (NULL); 4958 } 4959 4960 return (VTOD(vp)); 4961 } 4962 4963 /*ARGSUSED*/ 4964 static void 4965 aus_doorfs(struct t_audit_data *tad) 4966 { 4967 4968 struct a { /* doorfs */ 4969 long a1; 4970 long a2; 4971 long a3; 4972 long a4; 4973 long a5; 4974 long code; 4975 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4976 4977 door_node_t *dp; 4978 struct proc *p; 4979 uint32_t did; 4980 uid_t uid, ruid; 4981 gid_t gid, rgid; 4982 pid_t pid; 4983 const auditinfo_addr_t *ainfo; 4984 cred_t *cr; 4985 4986 did = (uint32_t)uap->a1; 4987 4988 switch (tad->tad_event) { 4989 case AUE_DOORFS_DOOR_CALL: 4990 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4991 if ((dp = au_door_lookup(did)) == NULL) 4992 break; 4993 4994 if (DOOR_INVALID(dp)) { 4995 releasef(did); 4996 break; 4997 } 4998 4999 if ((p = dp->door_target) == NULL) { 5000 releasef(did); 5001 break; 5002 } 5003 mutex_enter(&p->p_lock); 5004 releasef(did); 5005 5006 pid = p->p_pid; 5007 5008 mutex_enter(&p->p_crlock); 5009 crhold(cr = p->p_cred); 5010 mutex_exit(&p->p_crlock); 5011 mutex_exit(&p->p_lock); 5012 5013 ainfo = crgetauinfo(cr); 5014 if (ainfo == NULL) { 5015 crfree(cr); 5016 return; 5017 } 5018 uid = crgetuid(cr); 5019 gid = crgetgid(cr); 5020 ruid = crgetruid(cr); 5021 rgid = crgetrgid(cr); 5022 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5023 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5024 crfree(cr); 5025 break; 5026 case AUE_DOORFS_DOOR_RETURN: 5027 /* 5028 * We may want to write information about 5029 * all doors (if any) which will be copied 5030 * by this call to the user space 5031 */ 5032 break; 5033 case AUE_DOORFS_DOOR_CREATE: 5034 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5035 break; 5036 case AUE_DOORFS_DOOR_REVOKE: 5037 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5038 break; 5039 case AUE_DOORFS_DOOR_INFO: 5040 break; 5041 case AUE_DOORFS_DOOR_CRED: 5042 break; 5043 case AUE_DOORFS_DOOR_BIND: 5044 break; 5045 case AUE_DOORFS_DOOR_UNBIND: { 5046 break; 5047 } 5048 default: /* illegal system call */ 5049 break; 5050 } 5051 } 5052 5053 /*ARGSUSED*/ 5054 static au_event_t 5055 aui_acl(au_event_t e) 5056 { 5057 struct a { 5058 union { 5059 long name; /* char */ 5060 long fd; 5061 } obj; 5062 5063 long cmd; 5064 long nentries; 5065 long arg; /* aclent_t */ 5066 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5067 5068 switch (uap->cmd) { 5069 case SETACL: 5070 /* ok, acl(SETACL, ...) and facl(SETACL, ...) are expected. */ 5071 break; 5072 case GETACL: 5073 case GETACLCNT: 5074 /* do nothing for these two values. */ 5075 e = AUE_NULL; 5076 break; 5077 default: 5078 /* illegal system call */ 5079 break; 5080 } 5081 5082 return (e); 5083 } 5084 5085 5086 /*ARGSUSED*/ 5087 static void 5088 aus_acl(struct t_audit_data *tad) 5089 { 5090 struct a { 5091 long fname; 5092 long cmd; 5093 long nentries; 5094 long aclbufp; 5095 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5096 struct acl *aclbufp; 5097 5098 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5099 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5100 5101 switch (uap->cmd) { 5102 case GETACL: 5103 case GETACLCNT: 5104 break; 5105 case SETACL: 5106 if (uap->nentries < 3) 5107 break; 5108 else { 5109 size_t a_size = uap->nentries * sizeof (struct acl); 5110 int i; 5111 5112 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5113 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5114 kmem_free(aclbufp, a_size); 5115 break; 5116 } 5117 for (i = 0; i < uap->nentries; i++) { 5118 au_uwrite(au_to_acl(aclbufp + i)); 5119 } 5120 kmem_free(aclbufp, a_size); 5121 break; 5122 } 5123 default: 5124 break; 5125 } 5126 } 5127 5128 /*ARGSUSED*/ 5129 static void 5130 aus_facl(struct t_audit_data *tad) 5131 { 5132 struct a { 5133 long fd; 5134 long cmd; 5135 long nentries; 5136 long aclbufp; 5137 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5138 struct file *fp; 5139 struct vnode *vp; 5140 struct f_audit_data *fad; 5141 struct acl *aclbufp; 5142 int fd; 5143 5144 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5145 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5146 5147 fd = (int)uap->fd; 5148 5149 if ((fp = getf(fd)) == NULL) 5150 return; 5151 5152 /* get path from file struct here */ 5153 fad = F2A(fp); 5154 if (fad->fad_aupath != NULL) { 5155 au_uwrite(au_to_path(fad->fad_aupath)); 5156 } else { 5157 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5158 } 5159 5160 vp = fp->f_vnode; 5161 audit_attributes(vp); 5162 5163 /* decrement file descriptor reference count */ 5164 releasef(fd); 5165 5166 switch (uap->cmd) { 5167 case GETACL: 5168 case GETACLCNT: 5169 break; 5170 case SETACL: 5171 if (uap->nentries < 3) 5172 break; 5173 else { 5174 size_t a_size = uap->nentries * sizeof (struct acl); 5175 int i; 5176 5177 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5178 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5179 kmem_free(aclbufp, a_size); 5180 break; 5181 } 5182 for (i = 0; i < uap->nentries; i++) { 5183 au_uwrite(au_to_acl(aclbufp + i)); 5184 } 5185 kmem_free(aclbufp, a_size); 5186 break; 5187 } 5188 default: 5189 break; 5190 } 5191 } 5192 5193 /*ARGSUSED*/ 5194 static void 5195 auf_read(tad, error, rval) 5196 struct t_audit_data *tad; 5197 int error; 5198 rval_t *rval; 5199 { 5200 struct file *fp; 5201 struct f_audit_data *fad; 5202 int fd; 5203 register struct a { 5204 long fd; 5205 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5206 au_kcontext_t *kctx = GET_KCTX_PZ; 5207 5208 fd = (int)uap->fd; 5209 5210 /* 5211 * convert file pointer to file descriptor 5212 * Note: fd ref count incremented here. 5213 */ 5214 if ((fp = getf(fd)) == NULL) 5215 return; 5216 5217 /* get path from file struct here */ 5218 fad = F2A(fp); 5219 ASSERT(fad); 5220 5221 /* 5222 * already processed this file for read attempt 5223 * 5224 * XXX might be better to turn off auditing in a aui_read() routine. 5225 */ 5226 if (fad->fad_flags & FAD_READ) { 5227 /* don't really want to audit every read attempt */ 5228 tad->tad_flag = 0; 5229 /* free any residual audit data */ 5230 au_close(kctx, &(u_ad), 0, 0, 0); 5231 releasef(fd); 5232 return; 5233 } 5234 /* mark things so we know what happened and don't repeat things */ 5235 fad->fad_flags |= FAD_READ; 5236 5237 if (fad->fad_aupath != NULL) { 5238 au_uwrite(au_to_path(fad->fad_aupath)); 5239 } else { 5240 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5241 } 5242 5243 /* include attributes */ 5244 audit_attributes(fp->f_vnode); 5245 5246 /* decrement file descriptor reference count */ 5247 releasef(fd); 5248 } 5249 5250 /*ARGSUSED*/ 5251 static void 5252 auf_write(tad, error, rval) 5253 struct t_audit_data *tad; 5254 int error; 5255 rval_t *rval; 5256 { 5257 struct file *fp; 5258 struct f_audit_data *fad; 5259 int fd; 5260 register struct a { 5261 long fd; 5262 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5263 au_kcontext_t *kctx = GET_KCTX_PZ; 5264 5265 fd = (int)uap->fd; 5266 5267 /* 5268 * convert file pointer to file descriptor 5269 * Note: fd ref count incremented here. 5270 */ 5271 if ((fp = getf(fd)) == NULL) 5272 return; 5273 5274 /* get path from file struct here */ 5275 fad = F2A(fp); 5276 ASSERT(fad); 5277 5278 /* 5279 * already processed this file for write attempt 5280 * 5281 * XXX might be better to turn off auditing in a aus_write() routine. 5282 */ 5283 if (fad->fad_flags & FAD_WRITE) { 5284 /* don't really want to audit every write attempt */ 5285 tad->tad_flag = 0; 5286 /* free any residual audit data */ 5287 au_close(kctx, &(u_ad), 0, 0, 0); 5288 releasef(fd); 5289 return; 5290 } 5291 /* mark things so we know what happened and don't repeat things */ 5292 fad->fad_flags |= FAD_WRITE; 5293 5294 if (fad->fad_aupath != NULL) { 5295 au_uwrite(au_to_path(fad->fad_aupath)); 5296 } else { 5297 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5298 } 5299 5300 /* include attributes */ 5301 audit_attributes(fp->f_vnode); 5302 5303 /* decrement file descriptor reference count */ 5304 releasef(fd); 5305 } 5306 5307 /*ARGSUSED*/ 5308 static void 5309 auf_recv(tad, error, rval) 5310 struct t_audit_data *tad; 5311 int error; 5312 rval_t *rval; 5313 { 5314 struct sonode *so; 5315 char so_laddr[sizeof (struct sockaddr_in6)]; 5316 char so_faddr[sizeof (struct sockaddr_in6)]; 5317 struct file *fp; 5318 struct f_audit_data *fad; 5319 int fd; 5320 int err; 5321 int len; 5322 short so_family, so_type; 5323 register struct a { 5324 long fd; 5325 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5326 au_kcontext_t *kctx = GET_KCTX_PZ; 5327 5328 /* 5329 * If there was an error, then nothing to do. Only generate 5330 * audit record on first successful recv. 5331 */ 5332 if (error) { 5333 /* Turn off audit record generation here. */ 5334 tad->tad_flag = 0; 5335 /* free any residual audit data */ 5336 au_close(kctx, &(u_ad), 0, 0, 0); 5337 return; 5338 } 5339 5340 fd = (int)uap->fd; 5341 5342 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5343 /* Turn off audit record generation here. */ 5344 tad->tad_flag = 0; 5345 /* free any residual audit data */ 5346 au_close(kctx, &(u_ad), 0, 0, 0); 5347 return; 5348 } 5349 5350 /* get path from file struct here */ 5351 fad = F2A(fp); 5352 ASSERT(fad); 5353 5354 /* 5355 * already processed this file for read attempt 5356 */ 5357 if (fad->fad_flags & FAD_READ) { 5358 releasef(fd); 5359 /* don't really want to audit every recv call */ 5360 tad->tad_flag = 0; 5361 /* free any residual audit data */ 5362 au_close(kctx, &(u_ad), 0, 0, 0); 5363 return; 5364 } 5365 5366 /* mark things so we know what happened and don't repeat things */ 5367 fad->fad_flags |= FAD_READ; 5368 5369 so_family = so->so_family; 5370 so_type = so->so_type; 5371 5372 switch (so_family) { 5373 case AF_INET: 5374 case AF_INET6: 5375 /* 5376 * Only for connections. 5377 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5378 */ 5379 if (so->so_state & SS_ISBOUND) { 5380 5381 bzero((void *)so_laddr, sizeof (so_laddr)); 5382 bzero((void *)so_faddr, sizeof (so_faddr)); 5383 5384 /* only done once on a connection */ 5385 (void) SOP_GETSOCKNAME(so); 5386 (void) SOP_GETPEERNAME(so); 5387 5388 /* get local and foreign addresses */ 5389 mutex_enter(&so->so_lock); 5390 len = min(so->so_laddr_len, sizeof (so_laddr)); 5391 bcopy(so->so_laddr_sa, so_laddr, len); 5392 len = min(so->so_faddr_len, sizeof (so_faddr)); 5393 bcopy(so->so_faddr_sa, so_faddr, len); 5394 mutex_exit(&so->so_lock); 5395 5396 /* 5397 * only way to drop out of switch. Note that we 5398 * we release fd below. 5399 */ 5400 5401 break; 5402 } 5403 5404 releasef(fd); 5405 5406 /* don't really want to audit every recv call */ 5407 tad->tad_flag = 0; 5408 /* free any residual audit data */ 5409 au_close(kctx, &(u_ad), 0, 0, 0); 5410 5411 return; 5412 5413 case AF_UNIX: 5414 5415 if (fad->fad_aupath != NULL) { 5416 au_uwrite(au_to_path(fad->fad_aupath)); 5417 } else { 5418 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5419 } 5420 5421 audit_attributes(fp->f_vnode); 5422 5423 releasef(fd); 5424 5425 return; 5426 5427 default: 5428 releasef(fd); 5429 5430 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5431 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5432 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5433 5434 return; 5435 } 5436 5437 releasef(fd); 5438 5439 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5440 5441 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5442 5443 } 5444 5445 /*ARGSUSED*/ 5446 static void 5447 auf_send(tad, error, rval) 5448 struct t_audit_data *tad; 5449 int error; 5450 rval_t *rval; 5451 { 5452 struct sonode *so; 5453 char so_laddr[sizeof (struct sockaddr_in6)]; 5454 char so_faddr[sizeof (struct sockaddr_in6)]; 5455 struct file *fp; 5456 struct f_audit_data *fad; 5457 int fd; 5458 int err; 5459 int len; 5460 short so_family, so_type; 5461 register struct a { 5462 long fd; 5463 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5464 au_kcontext_t *kctx = GET_KCTX_PZ; 5465 5466 fd = (int)uap->fd; 5467 5468 /* 5469 * If there was an error, then nothing to do. Only generate 5470 * audit record on first successful send. 5471 */ 5472 if (error != 0) { 5473 /* Turn off audit record generation here. */ 5474 tad->tad_flag = 0; 5475 /* free any residual audit data */ 5476 au_close(kctx, &(u_ad), 0, 0, 0); 5477 return; 5478 } 5479 5480 fd = (int)uap->fd; 5481 5482 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5483 /* Turn off audit record generation here. */ 5484 tad->tad_flag = 0; 5485 /* free any residual audit data */ 5486 au_close(kctx, &(u_ad), 0, 0, 0); 5487 return; 5488 } 5489 5490 /* get path from file struct here */ 5491 fad = F2A(fp); 5492 ASSERT(fad); 5493 5494 /* 5495 * already processed this file for write attempt 5496 */ 5497 if (fad->fad_flags & FAD_WRITE) { 5498 releasef(fd); 5499 /* don't really want to audit every send call */ 5500 tad->tad_flag = 0; 5501 /* free any residual audit data */ 5502 au_close(kctx, &(u_ad), 0, 0, 0); 5503 return; 5504 } 5505 5506 /* mark things so we know what happened and don't repeat things */ 5507 fad->fad_flags |= FAD_WRITE; 5508 5509 so_family = so->so_family; 5510 so_type = so->so_type; 5511 5512 switch (so_family) { 5513 case AF_INET: 5514 case AF_INET6: 5515 /* 5516 * Only for connections. 5517 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5518 */ 5519 if (so->so_state & SS_ISBOUND) { 5520 5521 bzero((void *)so_laddr, sizeof (so_laddr)); 5522 bzero((void *)so_faddr, sizeof (so_faddr)); 5523 5524 /* only done once on a connection */ 5525 (void) SOP_GETSOCKNAME(so); 5526 (void) SOP_GETPEERNAME(so); 5527 5528 /* get local and foreign addresses */ 5529 mutex_enter(&so->so_lock); 5530 len = min(so->so_laddr_len, sizeof (so_laddr)); 5531 bcopy(so->so_laddr_sa, so_laddr, len); 5532 len = min(so->so_faddr_len, sizeof (so_faddr)); 5533 bcopy(so->so_faddr_sa, so_faddr, len); 5534 mutex_exit(&so->so_lock); 5535 5536 /* 5537 * only way to drop out of switch. Note that we 5538 * we release fd below. 5539 */ 5540 5541 break; 5542 } 5543 5544 releasef(fd); 5545 /* don't really want to audit every send call */ 5546 tad->tad_flag = 0; 5547 /* free any residual audit data */ 5548 au_close(kctx, &(u_ad), 0, 0, 0); 5549 5550 return; 5551 5552 case AF_UNIX: 5553 5554 if (fad->fad_aupath != NULL) { 5555 au_uwrite(au_to_path(fad->fad_aupath)); 5556 } else { 5557 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5558 } 5559 5560 audit_attributes(fp->f_vnode); 5561 5562 releasef(fd); 5563 5564 return; 5565 5566 default: 5567 releasef(fd); 5568 5569 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5570 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5571 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5572 5573 return; 5574 } 5575 5576 releasef(fd); 5577 5578 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5579 5580 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5581 } 5582 5583 static au_event_t 5584 aui_forksys(au_event_t e) 5585 { 5586 struct a { 5587 long subcode; 5588 long flags; 5589 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5590 5591 switch ((uint_t)uap->subcode) { 5592 case 0: 5593 e = AUE_FORK1; 5594 break; 5595 case 1: 5596 e = AUE_FORKALL; 5597 break; 5598 case 2: 5599 e = AUE_VFORK; 5600 break; 5601 default: 5602 e = AUE_NULL; 5603 break; 5604 } 5605 5606 return (e); 5607 } 5608