xref: /titanic_50/usr/src/uts/common/c2/audit_syscalls.c (revision 70818f5837509317d1f5dac4d82d7b5a2d547c29)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file contains the auditing system call code.
28  *
29  */
30 
31 #pragma ident	"%Z%%M%	%I%	%E% SMI"
32 
33 #include <sys/param.h>
34 #include <sys/systm.h>
35 #include <sys/user.h>
36 #include <sys/vnode.h>
37 #include <sys/vfs.h>
38 #include <sys/session.h>	/* for session structure (auditctl(2) */
39 #include <sys/kmem.h>		/* for KM_SLEEP */
40 #include <sys/cred_impl.h>
41 #include <sys/types.h>
42 #include <sys/proc.h>
43 #include <sys/uio.h>
44 #include <sys/file.h>
45 #include <sys/stat.h>
46 #include <sys/pathname.h>
47 #include <sys/acct.h>
48 #include <sys/stropts.h>
49 #include <sys/exec.h>
50 #include <sys/thread.h>
51 #include <sys/cmn_err.h>
52 #include <sys/debug.h>
53 #include <sys/disp.h>
54 #include <sys/kobj.h>
55 #include <sys/sysmacros.h>
56 #include <sys/policy.h>
57 #include <sys/taskq.h>
58 #include <sys/zone.h>
59 
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_record.h>
63 
64 #define	CLEAR_VAL	-1
65 
66 #define	HEADER_SIZE64	1;
67 #define	HEADER_SIZE32	0;
68 #define	AU_MIN_FILE_SZ	0x80000	/* minumum audit file size */
69 #define	AUDIT_REC_SIZE	0x8000	/* maximum user audit record size */
70 
71 extern kmutex_t pidlock;
72 
73 extern pri_t		minclsyspri;		/* priority for taskq */
74 
75 extern int audit_load;		/* defined in audit_start.c */
76 
77 int		au_auditstate = AUC_UNSET;	/* global audit state */
78 int		audit_policy;	/* global audit policies in force */
79 static clock_t	au_resid = 15;	/* wait .15 sec before droping a rec */
80 
81 static int	getauid(caddr_t);
82 static int	setauid(caddr_t);
83 static int	getaudit(caddr_t);
84 static int	getaudit_addr(caddr_t, int);
85 static int	setaudit(caddr_t);
86 static int	setaudit_addr(caddr_t, int);
87 static int	auditdoor(int);
88 static int	auditctl(int, caddr_t, int);
89 static int	audit_modsysent(char *, int, int (*)());
90 static void	au_output_thread();
91 /*
92  * This is the loadable module wrapper.
93  */
94 #include <sys/modctl.h>
95 #include "sys/syscall.h"
96 
97 static struct sysent auditsysent = {
98 	6,
99 	0,
100 	_auditsys
101 };
102 
103 /*
104  * Module linkage information for the kernel.
105  */
106 extern struct mod_ops mod_syscallops;
107 
108 static struct modlsys modlsys = {
109 	&mod_syscallops, "C2 system call", &auditsysent
110 };
111 
112 static struct modlinkage modlinkage = {
113 	MODREV_1, (void *)&modlsys, 0
114 };
115 
116 int
117 _init()
118 {
119 	int retval;
120 
121 	if (audit_load == 0)
122 		return (-1);
123 
124 	/*
125 	 * We are going to do an ugly thing here.
126 	 *  Because auditsys is already defined as a regular
127 	 *  syscall we have to change the definition for syscall
128 	 *  auditsys. Basically or in the SE_LOADABLE flag for
129 	 *  auditsys. We no have a static loadable syscall. Also
130 	 *  create an rw_lock.
131 	 */
132 
133 	if ((audit_modsysent("c2audit", SE_LOADABLE|SE_NOUNLOAD,
134 	    _auditsys)) == -1)
135 		return (-1);
136 
137 	if ((retval = mod_install(&modlinkage)) != 0)
138 		return (retval);
139 
140 	return (0);
141 }
142 
143 int
144 _fini()
145 {
146 	return (EBUSY);
147 }
148 
149 int
150 _info(struct modinfo *modinfop)
151 {
152 	return (mod_info(&modlinkage, modinfop));
153 }
154 
155 /*
156  * when auditing is updated to allow enable/disable without
157  * reboot (and when the audit stubs are removed) *most* of these
158  * calls should return an error when auditing is off -- some
159  * for local zones only.
160  */
161 
162 int
163 _auditsys(struct auditcalls *uap, rval_t *rvp)
164 {
165 	int result = 0;
166 
167 	switch (uap->code) {
168 	case BSM_GETAUID:
169 		result = getauid((caddr_t)uap->a1);
170 		break;
171 	case BSM_SETAUID:
172 		result = setauid((caddr_t)uap->a1);
173 		break;
174 	case BSM_GETAUDIT:
175 		result = getaudit((caddr_t)uap->a1);
176 		break;
177 	case BSM_GETAUDIT_ADDR:
178 
179 		result = getaudit_addr((caddr_t)uap->a1, (int)uap->a2);
180 		break;
181 	case BSM_SETAUDIT:
182 		result = setaudit((caddr_t)uap->a1);
183 		break;
184 	case BSM_SETAUDIT_ADDR:
185 		result = setaudit_addr((caddr_t)uap->a1, (int)uap->a2);
186 		break;
187 	case BSM_AUDIT:
188 		result = audit((caddr_t)uap->a1, (int)uap->a2);
189 		break;
190 	case BSM_AUDITDOOR:
191 		result = auditdoor((int)uap->a1);
192 		break;
193 	case BSM_AUDITON:
194 	case BSM_AUDITCTL:
195 		result = auditctl((int)uap->a1, (caddr_t)uap->a2, (int)uap->a3);
196 		break;
197 	default:
198 		result = EINVAL;
199 	}
200 	rvp->r_vals = result;
201 	return (result);
202 }
203 
204 /*
205  * Return the audit user ID for the current process.  Currently only
206  * the privileged processes may see the audit id.  That may change.
207  * If copyout is unsucessful return EFAULT.
208  */
209 static int
210 getauid(caddr_t auid_p)
211 {
212 	const auditinfo_addr_t	*ainfo;
213 
214 	if (secpolicy_audit_getattr(CRED()) != 0)
215 		return (EPERM);
216 
217 	ainfo = crgetauinfo(CRED());
218 	if (ainfo == NULL)
219 		return (EINVAL);
220 
221 	if (copyout(&ainfo->ai_auid, auid_p, sizeof (au_id_t)))
222 		return (EFAULT);
223 
224 	return (0);
225 }
226 
227 /*
228  * Set the audit userid, for a process.  This can only be changed by
229  * privileged processes.  The audit userid is inherited across forks & execs.
230  * Passed in is a pointer to the au_id_t; if copyin unsuccessful return EFAULT.
231  */
232 static int
233 setauid(caddr_t auid_p)
234 {
235 	proc_t *p;
236 	au_id_t	auid;
237 	cred_t *newcred;
238 	auditinfo_addr_t *auinfo;
239 
240 	if (secpolicy_audit_config(CRED()) != 0)
241 		return (EPERM);
242 
243 	if (copyin(auid_p, &auid, sizeof (au_id_t))) {
244 		return (EFAULT);
245 	}
246 
247 	newcred = cralloc();
248 	if ((auinfo = crgetauinfo_modifiable(newcred)) == NULL) {
249 		crfree(newcred);
250 		return (EINVAL);
251 	}
252 
253 	/* grab p_crlock and switch to new cred */
254 	p = curproc;
255 	mutex_enter(&p->p_crlock);
256 	crcopy_to(p->p_cred, newcred);
257 	p->p_cred = newcred;
258 
259 	auinfo->ai_auid = auid;			/* update the auid */
260 
261 	/* unlock and broadcast the cred changes */
262 	mutex_exit(&p->p_crlock);
263 	crset(p, newcred);
264 
265 	return (0);
266 }
267 
268 /*
269  * Get the audit state information from the current process.
270  * Return EFAULT if copyout fails.
271  */
272 static int
273 getaudit(caddr_t info_p)
274 {
275 	STRUCT_DECL(auditinfo, info);
276 	const auditinfo_addr_t	*ainfo;
277 	model_t	model;
278 
279 	if (secpolicy_audit_getattr(CRED()) != 0)
280 		return (EPERM);
281 
282 	model = get_udatamodel();
283 	STRUCT_INIT(info, model);
284 
285 	ainfo = crgetauinfo(CRED());
286 	if (ainfo == NULL)
287 		return (EINVAL);
288 
289 	/* trying to read a process with an IPv6 address? */
290 	if (ainfo->ai_termid.at_type == AU_IPv6)
291 		return (EOVERFLOW);
292 
293 	STRUCT_FSET(info, ai_auid, ainfo->ai_auid);
294 	STRUCT_FSET(info, ai_mask, ainfo->ai_mask);
295 #ifdef _LP64
296 	if (model == DATAMODEL_ILP32) {
297 		dev32_t dev;
298 		/* convert internal 64 bit form to 32 bit version */
299 		if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
300 			return (EOVERFLOW);
301 		}
302 		STRUCT_FSET(info, ai_termid.port, dev);
303 	} else
304 		STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port);
305 #else
306 	STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port);
307 #endif
308 	STRUCT_FSET(info, ai_termid.machine, ainfo->ai_termid.at_addr[0]);
309 	STRUCT_FSET(info, ai_asid, ainfo->ai_asid);
310 
311 	if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
312 		return (EFAULT);
313 
314 	return (0);
315 }
316 
317 /*
318  * Get the audit state information from the current process.
319  * Return EFAULT if copyout fails.
320  */
321 static int
322 getaudit_addr(caddr_t info_p, int len)
323 {
324 	STRUCT_DECL(auditinfo_addr, info);
325 	const auditinfo_addr_t	*ainfo;
326 	model_t	model;
327 
328 	if (secpolicy_audit_getattr(CRED()) != 0)
329 		return (EPERM);
330 
331 	model = get_udatamodel();
332 	STRUCT_INIT(info, model);
333 
334 	if (len < STRUCT_SIZE(info))
335 		return (EOVERFLOW);
336 
337 	ainfo = crgetauinfo(CRED());
338 
339 	if (ainfo == NULL)
340 		return (EINVAL);
341 
342 	STRUCT_FSET(info, ai_auid, ainfo->ai_auid);
343 	STRUCT_FSET(info, ai_mask, ainfo->ai_mask);
344 #ifdef _LP64
345 	if (model == DATAMODEL_ILP32) {
346 		dev32_t dev;
347 		/* convert internal 64 bit form to 32 bit version */
348 		if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
349 			return (EOVERFLOW);
350 		}
351 		STRUCT_FSET(info, ai_termid.at_port, dev);
352 	} else
353 		STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port);
354 #else
355 	STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port);
356 #endif
357 	STRUCT_FSET(info, ai_termid.at_type, ainfo->ai_termid.at_type);
358 	STRUCT_FSET(info, ai_termid.at_addr[0], ainfo->ai_termid.at_addr[0]);
359 	STRUCT_FSET(info, ai_termid.at_addr[1], ainfo->ai_termid.at_addr[1]);
360 	STRUCT_FSET(info, ai_termid.at_addr[2], ainfo->ai_termid.at_addr[2]);
361 	STRUCT_FSET(info, ai_termid.at_addr[3], ainfo->ai_termid.at_addr[3]);
362 	STRUCT_FSET(info, ai_asid, ainfo->ai_asid);
363 
364 	if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
365 		return (EFAULT);
366 
367 	return (0);
368 }
369 
370 /*
371  * Set the audit state information for the current process.
372  * Return EFAULT if copyout fails.
373  */
374 static int
375 setaudit(caddr_t info_p)
376 {
377 	STRUCT_DECL(auditinfo, info);
378 	proc_t *p;
379 	cred_t	*newcred;
380 	model_t	model;
381 	auditinfo_addr_t *ainfo;
382 
383 	if (secpolicy_audit_config(CRED()) != 0)
384 		return (EPERM);
385 
386 	model = get_udatamodel();
387 	STRUCT_INIT(info, model);
388 
389 	if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
390 		return (EFAULT);
391 
392 	newcred = cralloc();
393 	if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
394 		crfree(newcred);
395 		return (EINVAL);
396 	}
397 
398 	/* grab p_crlock and switch to new cred */
399 	p = curproc;
400 	mutex_enter(&p->p_crlock);
401 	crcopy_to(p->p_cred, newcred);
402 	p->p_cred = newcred;
403 
404 	/* Set audit mask, id, termid and session id as specified */
405 	ainfo->ai_auid = STRUCT_FGET(info, ai_auid);
406 #ifdef _LP64
407 	/* only convert to 64 bit if coming from a 32 bit binary */
408 	if (model == DATAMODEL_ILP32)
409 		ainfo->ai_termid.at_port =
410 		    DEVEXPL(STRUCT_FGET(info, ai_termid.port));
411 	else
412 		ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port);
413 #else
414 	ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port);
415 #endif
416 	ainfo->ai_termid.at_type = AU_IPv4;
417 	ainfo->ai_termid.at_addr[0] = STRUCT_FGET(info, ai_termid.machine);
418 	ainfo->ai_asid = STRUCT_FGET(info, ai_asid);
419 	ainfo->ai_mask = STRUCT_FGET(info, ai_mask);
420 
421 	/* unlock and broadcast the cred changes */
422 	mutex_exit(&p->p_crlock);
423 	crset(p, newcred);
424 
425 	return (0);
426 }
427 
428 /*
429  * Set the audit state information for the current process.
430  * Return EFAULT if copyin fails.
431  */
432 static int
433 setaudit_addr(caddr_t info_p, int len)
434 {
435 	STRUCT_DECL(auditinfo_addr, info);
436 	proc_t *p;
437 	cred_t	*newcred;
438 	model_t	model;
439 	int i;
440 	int type;
441 	auditinfo_addr_t *ainfo;
442 
443 	if (secpolicy_audit_config(CRED()) != 0)
444 		return (EPERM);
445 
446 	model = get_udatamodel();
447 	STRUCT_INIT(info, model);
448 
449 	if (len < STRUCT_SIZE(info))
450 		return (EOVERFLOW);
451 
452 	if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
453 		return (EFAULT);
454 
455 	type = STRUCT_FGET(info, ai_termid.at_type);
456 	if ((type != AU_IPv4) && (type != AU_IPv6))
457 		return (EINVAL);
458 
459 	newcred = cralloc();
460 	if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
461 		crfree(newcred);
462 		return (EINVAL);
463 	}
464 
465 	/* grab p_crlock and switch to new cred */
466 	p = curproc;
467 	mutex_enter(&p->p_crlock);
468 	crcopy_to(p->p_cred, newcred);
469 	p->p_cred = newcred;
470 
471 	/* Set audit mask, id, termid and session id as specified */
472 	ainfo->ai_auid = STRUCT_FGET(info, ai_auid);
473 	ainfo->ai_mask = STRUCT_FGET(info, ai_mask);
474 #ifdef _LP64
475 	/* only convert to 64 bit if coming from a 32 bit binary */
476 	if (model == DATAMODEL_ILP32)
477 		ainfo->ai_termid.at_port =
478 		    DEVEXPL(STRUCT_FGET(info, ai_termid.at_port));
479 	else
480 		ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
481 #else
482 	ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
483 #endif
484 	ainfo->ai_termid.at_type = type;
485 	bzero(&ainfo->ai_termid.at_addr[0], sizeof (ainfo->ai_termid.at_addr));
486 	for (i = 0; i < (type/sizeof (int)); i++)
487 		ainfo->ai_termid.at_addr[i] =
488 		    STRUCT_FGET(info, ai_termid.at_addr[i]);
489 
490 	if (ainfo->ai_termid.at_type == AU_IPv6 &&
491 	    IN6_IS_ADDR_V4MAPPED(((in6_addr_t *)ainfo->ai_termid.at_addr))) {
492 		ainfo->ai_termid.at_type = AU_IPv4;
493 		ainfo->ai_termid.at_addr[0] = ainfo->ai_termid.at_addr[3];
494 		ainfo->ai_termid.at_addr[1] = 0;
495 		ainfo->ai_termid.at_addr[2] = 0;
496 		ainfo->ai_termid.at_addr[3] = 0;
497 	}
498 
499 	ainfo->ai_asid = STRUCT_FGET(info, ai_asid);
500 
501 	/* unlock and broadcast the cred changes */
502 	mutex_exit(&p->p_crlock);
503 	crset(p, newcred);
504 
505 	return (0);
506 }
507 
508 /*
509  * The audit system call. Trust what the user has sent down and save it
510  * away in the audit file. User passes a complete audit record and its
511  * length.  We will fill in the time stamp, check the header and the length
512  * Put a trailer and a sequence token if policy requires.
513  * In the future length might become size_t instead of an int.
514  *
515  * The call is valid whether or not AUDIT_PERZONE is set (think of
516  * login to a zone).  When the local audit state (auk_auditstate) is
517  * AUC_INIT_AUDIT, records are accepted even though auditd isn't
518  * running.
519  */
520 int
521 audit(caddr_t record, int length)
522 {
523 	char	c;
524 	int	count, l;
525 	token_t	*m, *n, *s, *ad;
526 	int	hdrlen, delta;
527 	adr_t	hadr;
528 	adr_t	sadr;
529 	int	size;	/* 0: 32 bit utility  1: 64 bit utility */
530 	int	host_len;
531 	size_t	zlen;
532 	au_kcontext_t	*kctx = GET_KCTX_PZ;
533 
534 	/* if auditing not enabled, then don't generate an audit record */
535 	if (kctx->auk_auditstate != AUC_AUDITING &&
536 	    kctx->auk_auditstate != AUC_INIT_AUDIT)
537 		return (0);
538 
539 	/* Only privileged processes can audit */
540 	if (secpolicy_audit_modify(CRED()) != 0)
541 		return (EPERM);
542 
543 	/* Max user record size is 32K */
544 	if (length > AUDIT_REC_SIZE)
545 		return (E2BIG);
546 
547 	/*
548 	 * The specified length must be at least as big as the smallest
549 	 * possible header token. Later after beginning to scan the
550 	 * header we'll determine the true minimum length according to
551 	 * the header type and attributes.
552 	 */
553 #define	AU_MIN_HEADER_LEN	(sizeof (char) + sizeof (int32_t) + \
554 	sizeof (char) + sizeof (short) + sizeof (short) + \
555 	(sizeof (int32_t) * 2))
556 
557 	if (length < AU_MIN_HEADER_LEN)
558 		return (EINVAL);
559 
560 	/* Read in user's audit record */
561 	count = length;
562 	m = n = s = ad = NULL;
563 	while (count) {
564 		m = au_getclr();
565 		if (!s)
566 			s = n = m;
567 		else {
568 			n->next_buf = m;
569 			n = m;
570 		}
571 		l = MIN(count, AU_BUFSIZE);
572 		if (copyin(record, memtod(m, caddr_t), (size_t)l)) {
573 			/* copyin failed release au_membuf */
574 			au_free_rec(s);
575 			return (EFAULT);
576 		}
577 		record += l;
578 		count -= l;
579 		m->len = (uchar_t)l;
580 	}
581 
582 	/* Now attach the entire thing to ad */
583 	au_write((caddr_t *)&(ad), s);
584 
585 	/* validate header token type. trust everything following it */
586 	adr_start(&hadr, memtod(s, char *));
587 	(void) adr_getchar(&hadr, &c);
588 	switch (c) {
589 	case AUT_HEADER32:
590 		/* size vers+event_ID+event_modifier fields */
591 		delta = 1 + 2 + 2;
592 		hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
593 		size = HEADER_SIZE32;
594 		break;
595 
596 #ifdef _LP64
597 	case AUT_HEADER64:
598 		/* size vers+event_ID+event_modifier fields */
599 		delta = 1 + 2 + 2;
600 		hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
601 		size = HEADER_SIZE64;
602 		break;
603 #endif
604 
605 	case AUT_HEADER32_EX:
606 		/*
607 		 * Skip over the length/version/type/mod fields and
608 		 * grab the host address type (length), then rewind.
609 		 * This is safe per the previous minimum length check.
610 		 */
611 		hadr.adr_now += 9;
612 		(void) adr_getint32(&hadr, &host_len);
613 		hadr.adr_now -= 9 + sizeof (int32_t);
614 
615 		/* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
616 		delta = 1 + 2 + 2 + 4 + host_len;
617 		hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
618 		size = HEADER_SIZE32;
619 		break;
620 
621 #ifdef _LP64
622 	case AUT_HEADER64_EX:
623 		/*
624 		 * Skip over the length/version/type/mod fields and grab
625 		 * the host address type (length), then rewind.
626 		 * This is safe per the previous minimum length check.
627 		 */
628 		hadr.adr_now += 9;
629 		(void) adr_getint32(&hadr, &host_len);
630 		hadr.adr_now -= 9 + sizeof (int32_t);
631 
632 		/* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
633 		delta = 1 + 2 + 2 + 4 + host_len;
634 		hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
635 		size = HEADER_SIZE64;
636 		break;
637 #endif
638 
639 	default:
640 		/* Header is wrong, reject message */
641 		au_free_rec(s);
642 		return (EINVAL);
643 	}
644 
645 	if (length < hdrlen) {
646 		au_free_rec(s);
647 		return (0);
648 	}
649 
650 	/* advance over header token length field */
651 	hadr.adr_now += 4;
652 
653 	/* validate version */
654 	(void) adr_getchar(&hadr, &c);
655 	if (c != TOKEN_VERSION) {
656 		/* version is wrong, reject message */
657 		au_free_rec(s);
658 		return (EINVAL);
659 	}
660 
661 	/* backup to header length field (including version field) */
662 	hadr.adr_now -= 5;
663 
664 	/*
665 	 * add on the zonename token if policy AUDIT_ZONENAME is set
666 	 */
667 	if (kctx->auk_policy & AUDIT_ZONENAME) {
668 		zlen = au_zonename_length(NULL);
669 		if (zlen > 0) {
670 			length += zlen;
671 			m = au_to_zonename(zlen, NULL);
672 			(void) au_append_rec(ad, m, AU_PACK);
673 		}
674 	}
675 	/* Add an (optional) sequence token. NULL offset if none */
676 	if (kctx->auk_policy & AUDIT_SEQ) {
677 		/* get the sequnce token */
678 		m = au_to_seq();
679 
680 		/* sequence token 5 bytes long */
681 		length += 5;
682 
683 		/* link to audit record (i.e. don't pack the data) */
684 		(void) au_append_rec(ad, m, AU_LINK);
685 
686 		/* advance to count field of token */
687 		adr_start(&sadr, memtod(m, char *));
688 		sadr.adr_now += 1;
689 	} else
690 		sadr.adr_now = (char *)NULL;
691 
692 	/* add the (optional) trailer token */
693 	if (kctx->auk_policy & AUDIT_TRAIL) {
694 		/* trailer token is 7 bytes long */
695 		length += 7;
696 
697 		/* append to audit record */
698 		(void) au_append_rec(ad, au_to_trailer(length), AU_PACK);
699 	}
700 
701 	/* audit record completely assembled. set the length */
702 	adr_int32(&hadr, (int32_t *)&length, 1);
703 
704 	/* advance to date/time field of header */
705 	hadr.adr_now += delta;
706 
707 	/* We are done  put it on the queue */
708 	AS_INC(as_generated, 1, kctx);
709 	AS_INC(as_audit, 1, kctx);
710 
711 	au_enqueue(kctx, s, &hadr, &sadr, size, 0);
712 
713 	AS_INC(as_totalsize, length, kctx);
714 
715 	return (0);
716 }
717 
718 static void
719 audit_dont_stop(void *kctx)
720 {
721 
722 	if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
723 	    (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
724 		return;
725 
726 	mutex_enter(&(((au_kcontext_t *)kctx)->auk_queue.lock));
727 	cv_broadcast(&(((au_kcontext_t *)kctx)->auk_queue.write_cv));
728 	mutex_exit(&(((au_kcontext_t *)kctx)->auk_queue.lock));
729 }
730 
731 /*
732  * auditdoor starts a kernel thread to generate output from the audit
733  * queue.  The thread terminates when it detects auditing being turned
734  * off, such as when auditd exits with a SIGTERM.  If a subsequent
735  * auditdoor arrives while the thread is running, the door descriptor
736  * of the last auditdoor in will be used for output.  auditd is responsible
737  * for insuring that multiple copies are not running.
738  */
739 
740 static int
741 auditdoor(int fd)
742 {
743 	struct file	*fp;
744 	struct vnode	*vp;
745 	int		do_create = 0;
746 	au_kcontext_t	*kctx;
747 
748 	if (secpolicy_audit_config(CRED()) != 0)
749 		return (EPERM);
750 
751 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
752 		return (EINVAL);
753 
754 	kctx = GET_KCTX_NGZ;
755 
756 	/*
757 	 * convert file pointer to file descriptor
758 	 *   Note: fd ref count incremented here.
759 	 */
760 	if ((fp = (struct file *)getf(fd)) == NULL) {
761 		return (EBADF);
762 	}
763 	vp = fp->f_vnode;
764 	if (vp->v_type != VDOOR) {
765 		cmn_err(CE_WARN,
766 		    "auditdoor() did not get the expected door descriptor\n");
767 		releasef(fd);
768 		return (EINVAL);
769 	}
770 	/*
771 	 * If the output thread is already running, then replace the
772 	 * door descriptor with the new one and continue; otherwise
773 	 * create the thread too.  Since au_output_thread makes a call
774 	 * to au_doorio() which also does
775 	 * mutex_lock(&(kctx->auk_svc_lock)), the create/dispatch is
776 	 * done after the unlock...
777 	 */
778 	mutex_enter(&(kctx->auk_svc_lock));
779 
780 	if (kctx->auk_current_vp != NULL)
781 		VN_RELE(kctx->auk_current_vp);
782 
783 	kctx->auk_current_vp = vp;
784 	VN_HOLD(kctx->auk_current_vp);
785 	releasef(fd);
786 
787 	if (!kctx->auk_output_active) {
788 		kctx->auk_output_active = 1;
789 		do_create = 1;
790 	}
791 	mutex_exit(&(kctx->auk_svc_lock));
792 	if (do_create) {
793 		kctx->auk_taskq =
794 		    taskq_create("output_master", 1, minclsyspri, 1, 1, 0);
795 		(void) taskq_dispatch(kctx->auk_taskq,
796 		    (task_func_t *)au_output_thread,
797 		    kctx, TQ_SLEEP);
798 	}
799 	return (0);
800 }
801 
802 /*
803  * au_queue_kick -- wake up the output queue after delay ticks
804  */
805 static void
806 au_queue_kick(void *kctx)
807 {
808 	/*
809 	 * wakeup reader if its not running and there is something
810 	 * to do.  It also helps that kctx still be valid...
811 	 */
812 
813 	if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
814 	    (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
815 		return;
816 
817 	if (((au_kcontext_t *)kctx)->auk_queue.cnt &&
818 	    ((au_kcontext_t *)kctx)->auk_queue.rd_block)
819 		cv_broadcast(&((au_kcontext_t *)kctx)->auk_queue.read_cv);
820 
821 	/* fire off timeout event to kick audit queue awake */
822 	(void) timeout(au_queue_kick, kctx,
823 	    ((au_kcontext_t *)kctx)->auk_queue.delay);
824 }
825 
826 /*
827  * output thread
828  *
829  * this runs "forever" where "forever" means until either auk_auditstate
830  * changes from AUC_AUDITING or if the door descriptor becomes invalid.
831  *
832  * there is one thread per active zone if AUC_PERZONE is set.  Since
833  * there is the possibility that a zone may go down without auditd
834  * terminating properly, a zone shutdown kills its au_output_thread()
835  * via taskq_destroy().
836  */
837 
838 static void
839 au_output_thread(au_kcontext_t *kctx)
840 {
841 	int		error = 0;
842 
843 	(void) timeout(au_queue_kick, kctx, kctx->auk_queue.delay);
844 
845 	/*
846 	 * Wait for work, until a signal arrives,
847 	 * or until auditing is disabled.
848 	 */
849 
850 	while (!error) {
851 		if (kctx->auk_auditstate == AUC_AUDITING) {
852 			mutex_enter(&(kctx->auk_queue.lock));
853 			while (kctx->auk_queue.head == NULL) {
854 				/* safety check. kick writer awake */
855 				if (kctx->auk_queue.wt_block) {
856 					cv_broadcast(&(kctx->
857 					    auk_queue.write_cv));
858 				}
859 
860 				kctx->auk_queue.rd_block = 1;
861 				AS_INC(as_rblocked, 1, kctx);
862 
863 				cv_wait(&(kctx->auk_queue.read_cv),
864 				    &(kctx->auk_queue.lock));
865 				kctx->auk_queue.rd_block = 0;
866 
867 				if (kctx->auk_auditstate != AUC_AUDITING) {
868 					mutex_exit(&(kctx->auk_queue.lock));
869 					(void) timeout(audit_dont_stop, kctx,
870 					    au_resid);
871 					goto output_exit;
872 				}
873 				kctx->auk_queue.rd_block = 0;
874 			}
875 			mutex_exit(&(kctx->auk_queue.lock));
876 			/*
877 			 * au_doorio() calls au_door_upcall which holds
878 			 * auk_svc_lock; au_doorio empties the queue before
879 			 * returning.
880 			 */
881 
882 			error = au_doorio(kctx);
883 		} else {
884 			/* auditing turned off while we slept */
885 			break;
886 		}
887 	}
888 output_exit:
889 	mutex_enter(&(kctx->auk_svc_lock));
890 
891 	VN_RELE(kctx->auk_current_vp);
892 	kctx->auk_current_vp = NULL;
893 
894 	kctx->auk_output_active = 0;
895 
896 	mutex_exit(&(kctx->auk_svc_lock));
897 }
898 
899 
900 /*
901  * Get the global policy flag
902  */
903 
904 static int
905 getpolicy(caddr_t data)
906 {
907 	int	policy;
908 	au_kcontext_t	*kctx = GET_KCTX_PZ;
909 
910 	policy = audit_policy | kctx->auk_policy;
911 
912 	if (copyout(&policy, data, sizeof (int)))
913 		return (EFAULT);
914 	return (0);
915 }
916 
917 /*
918  * Set the global and local policy flags
919  *
920  * The global flags only make sense from the global zone;
921  * the local flags depend on the AUDIT_PERZONE policy:
922  * if the perzone policy is set, then policy is set separately
923  * per zone, else held only in the global zone.
924  *
925  * The initial value of a local zone's policy flag is determined
926  * by the value of the global zone's flags at the time the
927  * local zone is created.
928  *
929  * While auditconfig(1M) allows setting and unsetting policies one bit
930  * at a time, the mask passed in from auditconfig() is created by a
931  * syscall to getpolicy and then modified based on the auditconfig()
932  * cmd line, so the input policy value is used to replace the existing
933  * policy.
934  */
935 
936 
937 static int
938 setpolicy(caddr_t data)
939 {
940 	int	policy;
941 	au_kcontext_t	*kctx;
942 
943 	if (copyin(data, &policy, sizeof (int)))
944 		return (EFAULT);
945 
946 	kctx = GET_KCTX_NGZ;
947 
948 	if (INGLOBALZONE(curproc)) {
949 		if (policy & ~(AUDIT_GLOBAL | AUDIT_LOCAL))
950 			return (EINVAL);
951 
952 		audit_policy = policy & AUDIT_GLOBAL;
953 	} else {
954 		if (!(audit_policy & AUDIT_PERZONE))
955 			return (EINVAL);
956 
957 		if (policy & ~AUDIT_LOCAL)	/* global bits are a no-no */
958 			return (EINVAL);
959 	}
960 	kctx->auk_policy = policy & AUDIT_LOCAL;
961 
962 	/*
963 	 * auk_current_vp is NULL before auditd starts (or during early
964 	 * auditd starup) or if auditd is halted; in either case,
965 	 * notification of a policy change is not needed, since auditd
966 	 * reads policy as it comes up.  The error return from au_doormsg()
967 	 * is ignored to avoid a race condition -- for example if auditd
968 	 * segv's, the audit state may be "auditing" but the door may
969 	 * be closed.  Returning an error if the door is open makes it
970 	 * impossible for Greenline to restart auditd.
971 	 */
972 	if (kctx->auk_current_vp != NULL)
973 		(void) au_doormsg(kctx, AU_DBUF_POLICY, &policy);
974 
975 	/*
976 	 * Wake up anyone who might have blocked on full audit
977 	 * partitions. audit daemons need to set AUDIT_FULL when no
978 	 * space so we can tell if we should start dropping records.
979 	 */
980 	mutex_enter(&(kctx->auk_queue.lock));
981 
982 	if ((policy & (AUDIT_CNT | AUDIT_SCNT) &&
983 	    (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater)))
984 		cv_broadcast(&(kctx->auk_queue.write_cv));
985 
986 	mutex_exit(&(kctx->auk_queue.lock));
987 
988 	return (0);
989 }
990 
991 static int
992 getkmask(caddr_t data)
993 {
994 	au_kcontext_t	*kctx;
995 
996 	kctx = GET_KCTX_PZ;
997 
998 	if (copyout(&kctx->auk_info.ai_mask, data, sizeof (au_mask_t)))
999 		return (EFAULT);
1000 	return (0);
1001 }
1002 
1003 static int
1004 setkmask(caddr_t data)
1005 {
1006 	au_mask_t	mask;
1007 	au_kcontext_t	*kctx;
1008 
1009 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1010 		return (EINVAL);
1011 
1012 	kctx = GET_KCTX_NGZ;
1013 
1014 	if (copyin(data, &mask, sizeof (au_mask_t)))
1015 		return (EFAULT);
1016 
1017 	kctx->auk_info.ai_mask = mask;
1018 	return (0);
1019 }
1020 
1021 static int
1022 getkaudit(caddr_t info_p, int len)
1023 {
1024 	STRUCT_DECL(auditinfo_addr, info);
1025 	model_t model;
1026 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1027 
1028 	model = get_udatamodel();
1029 	STRUCT_INIT(info, model);
1030 
1031 	if (len < STRUCT_SIZE(info))
1032 		return (EOVERFLOW);
1033 
1034 	STRUCT_FSET(info, ai_auid, kctx->auk_info.ai_auid);
1035 	STRUCT_FSET(info, ai_mask, kctx->auk_info.ai_mask);
1036 #ifdef _LP64
1037 	if (model == DATAMODEL_ILP32) {
1038 		dev32_t dev;
1039 		/* convert internal 64 bit form to 32 bit version */
1040 		if (cmpldev(&dev, kctx->auk_info.ai_termid.at_port) == 0) {
1041 			return (EOVERFLOW);
1042 		}
1043 		STRUCT_FSET(info, ai_termid.at_port, dev);
1044 	} else {
1045 		STRUCT_FSET(info, ai_termid.at_port,
1046 		    kctx->auk_info.ai_termid.at_port);
1047 	}
1048 #else
1049 	STRUCT_FSET(info, ai_termid.at_port,
1050 	    kctx->auk_info.ai_termid.at_port);
1051 #endif
1052 	STRUCT_FSET(info, ai_termid.at_type,
1053 	    kctx->auk_info.ai_termid.at_type);
1054 	STRUCT_FSET(info, ai_termid.at_addr[0],
1055 	    kctx->auk_info.ai_termid.at_addr[0]);
1056 	STRUCT_FSET(info, ai_termid.at_addr[1],
1057 	    kctx->auk_info.ai_termid.at_addr[1]);
1058 	STRUCT_FSET(info, ai_termid.at_addr[2],
1059 	    kctx->auk_info.ai_termid.at_addr[2]);
1060 	STRUCT_FSET(info, ai_termid.at_addr[3],
1061 	    kctx->auk_info.ai_termid.at_addr[3]);
1062 	STRUCT_FSET(info, ai_asid, kctx->auk_info.ai_asid);
1063 
1064 	if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
1065 		return (EFAULT);
1066 
1067 	return (0);
1068 }
1069 
1070 /*
1071  * the host address for AUDIT_PERZONE == 0 is that of the global
1072  * zone and for local zones it is of the current zone.
1073  */
1074 
1075 static int
1076 setkaudit(caddr_t info_p, int len)
1077 {
1078 	STRUCT_DECL(auditinfo_addr, info);
1079 	model_t model;
1080 	au_kcontext_t	*kctx;
1081 
1082 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1083 		return (EINVAL);
1084 
1085 	kctx = GET_KCTX_NGZ;
1086 
1087 	model = get_udatamodel();
1088 	STRUCT_INIT(info, model);
1089 
1090 	if (len < STRUCT_SIZE(info))
1091 		return (EOVERFLOW);
1092 
1093 	if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
1094 		return (EFAULT);
1095 
1096 	if ((STRUCT_FGET(info, ai_termid.at_type) != AU_IPv4) &&
1097 	    (STRUCT_FGET(info, ai_termid.at_type) != AU_IPv6))
1098 		return (EINVAL);
1099 
1100 	/* Set audit mask, termid and session id as specified */
1101 	kctx->auk_info.ai_auid = STRUCT_FGET(info, ai_auid);
1102 	kctx->auk_info.ai_mask = STRUCT_FGET(info, ai_mask);
1103 #ifdef _LP64
1104 	/* only convert to 64 bit if coming from a 32 bit binary */
1105 	if (model == DATAMODEL_ILP32)
1106 		kctx->auk_info.ai_termid.at_port =
1107 		    DEVEXPL(STRUCT_FGET(info, ai_termid.at_port));
1108 	else
1109 		kctx->auk_info.ai_termid.at_port =
1110 		    STRUCT_FGET(info, ai_termid.at_port);
1111 #else
1112 	kctx->auk_info.ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
1113 #endif
1114 	kctx->auk_info.ai_termid.at_type = STRUCT_FGET(info, ai_termid.at_type);
1115 	bzero(&kctx->auk_info.ai_termid.at_addr[0],
1116 	    sizeof (kctx->auk_info.ai_termid.at_addr));
1117 	kctx->auk_info.ai_termid.at_addr[0] =
1118 	    STRUCT_FGET(info, ai_termid.at_addr[0]);
1119 	kctx->auk_info.ai_termid.at_addr[1] =
1120 	    STRUCT_FGET(info, ai_termid.at_addr[1]);
1121 	kctx->auk_info.ai_termid.at_addr[2] =
1122 	    STRUCT_FGET(info, ai_termid.at_addr[2]);
1123 	kctx->auk_info.ai_termid.at_addr[3] =
1124 	    STRUCT_FGET(info, ai_termid.at_addr[3]);
1125 	kctx->auk_info.ai_asid = STRUCT_FGET(info, ai_asid);
1126 
1127 	if (kctx->auk_info.ai_termid.at_type == AU_IPv6 &&
1128 	    IN6_IS_ADDR_V4MAPPED(
1129 	    ((in6_addr_t *)kctx->auk_info.ai_termid.at_addr))) {
1130 		kctx->auk_info.ai_termid.at_type = AU_IPv4;
1131 		kctx->auk_info.ai_termid.at_addr[0] =
1132 		    kctx->auk_info.ai_termid.at_addr[3];
1133 		kctx->auk_info.ai_termid.at_addr[1] = 0;
1134 		kctx->auk_info.ai_termid.at_addr[2] = 0;
1135 		kctx->auk_info.ai_termid.at_addr[3] = 0;
1136 	}
1137 	if (kctx->auk_info.ai_termid.at_type == AU_IPv6)
1138 		kctx->auk_hostaddr_valid = IN6_IS_ADDR_UNSPECIFIED(
1139 		    (in6_addr_t *)kctx->auk_info.ai_termid.at_addr) ? 0 : 1;
1140 	else
1141 		kctx->auk_hostaddr_valid =
1142 		    (kctx->auk_info.ai_termid.at_addr[0] ==
1143 		    htonl(INADDR_ANY)) ? 0 : 1;
1144 
1145 	return (0);
1146 }
1147 
1148 static int
1149 getqctrl(caddr_t data)
1150 {
1151 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1152 	STRUCT_DECL(au_qctrl, qctrl);
1153 	STRUCT_INIT(qctrl, get_udatamodel());
1154 
1155 	mutex_enter(&(kctx->auk_queue.lock));
1156 	STRUCT_FSET(qctrl, aq_hiwater, kctx->auk_queue.hiwater);
1157 	STRUCT_FSET(qctrl, aq_lowater, kctx->auk_queue.lowater);
1158 	STRUCT_FSET(qctrl, aq_bufsz, kctx->auk_queue.bufsz);
1159 	STRUCT_FSET(qctrl, aq_delay, kctx->auk_queue.delay);
1160 	mutex_exit(&(kctx->auk_queue.lock));
1161 
1162 	if (copyout(STRUCT_BUF(qctrl), data, STRUCT_SIZE(qctrl)))
1163 		return (EFAULT);
1164 
1165 	return (0);
1166 }
1167 
1168 static int
1169 setqctrl(caddr_t data)
1170 {
1171 	au_kcontext_t	*kctx;
1172 	struct au_qctrl qctrl_tmp;
1173 	STRUCT_DECL(au_qctrl, qctrl);
1174 	STRUCT_INIT(qctrl, get_udatamodel());
1175 
1176 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1177 		return (EINVAL);
1178 	kctx = GET_KCTX_NGZ;
1179 
1180 	if (copyin(data, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
1181 		return (EFAULT);
1182 
1183 	qctrl_tmp.aq_hiwater = (size_t)STRUCT_FGET(qctrl, aq_hiwater);
1184 	qctrl_tmp.aq_lowater = (size_t)STRUCT_FGET(qctrl, aq_lowater);
1185 	qctrl_tmp.aq_bufsz = (size_t)STRUCT_FGET(qctrl, aq_bufsz);
1186 	qctrl_tmp.aq_delay = (clock_t)STRUCT_FGET(qctrl, aq_delay);
1187 
1188 	/* enforce sane values */
1189 
1190 	if (qctrl_tmp.aq_hiwater <= qctrl_tmp.aq_lowater)
1191 		return (EINVAL);
1192 
1193 	if (qctrl_tmp.aq_hiwater < AQ_LOWATER)
1194 		return (EINVAL);
1195 
1196 	if (qctrl_tmp.aq_hiwater > AQ_MAXHIGH)
1197 		return (EINVAL);
1198 
1199 	if (qctrl_tmp.aq_bufsz < AQ_BUFSZ)
1200 		return (EINVAL);
1201 
1202 	if (qctrl_tmp.aq_bufsz > AQ_MAXBUFSZ)
1203 		return (EINVAL);
1204 
1205 	if (qctrl_tmp.aq_delay == 0)
1206 		return (EINVAL);
1207 
1208 	if (qctrl_tmp.aq_delay > AQ_MAXDELAY)
1209 		return (EINVAL);
1210 
1211 	/* update everything at once so things are consistant */
1212 	mutex_enter(&(kctx->auk_queue.lock));
1213 	kctx->auk_queue.hiwater = qctrl_tmp.aq_hiwater;
1214 	kctx->auk_queue.lowater = qctrl_tmp.aq_lowater;
1215 	kctx->auk_queue.bufsz = qctrl_tmp.aq_bufsz;
1216 	kctx->auk_queue.delay = qctrl_tmp.aq_delay;
1217 
1218 	if (kctx->auk_queue.rd_block &&
1219 	    kctx->auk_queue.cnt > kctx->auk_queue.lowater)
1220 		cv_broadcast(&(kctx->auk_queue.read_cv));
1221 
1222 	if (kctx->auk_queue.wt_block &&
1223 	    kctx->auk_queue.cnt < kctx->auk_queue.hiwater)
1224 		cv_broadcast(&(kctx->auk_queue.write_cv));
1225 
1226 	mutex_exit(&(kctx->auk_queue.lock));
1227 
1228 	return (0);
1229 }
1230 
1231 static int
1232 getcwd(caddr_t data, int length)
1233 {
1234 	struct p_audit_data	*pad;
1235 	struct audit_path	*app;
1236 	int	pathlen;
1237 
1238 	pad = P2A(curproc);
1239 	ASSERT(pad != NULL);
1240 
1241 	mutex_enter(&(pad->pad_lock));
1242 	app = pad->pad_cwd;
1243 	au_pathhold(app);
1244 	mutex_exit(&(pad->pad_lock));
1245 
1246 	pathlen = app->audp_sect[1] - app->audp_sect[0];
1247 	if (pathlen > length) {
1248 		au_pathrele(app);
1249 		return (E2BIG);
1250 	}
1251 
1252 	if (copyout(app->audp_sect[0], data, pathlen)) {
1253 		au_pathrele(app);
1254 		return (EFAULT);
1255 	}
1256 
1257 	au_pathrele(app);
1258 	return (0);
1259 }
1260 
1261 static int
1262 getcar(caddr_t data, int length)
1263 {
1264 	struct p_audit_data	*pad;
1265 	struct audit_path	*app;
1266 	int	pathlen;
1267 
1268 	pad = P2A(curproc);
1269 	ASSERT(pad != NULL);
1270 
1271 	mutex_enter(&(pad->pad_lock));
1272 	app = pad->pad_root;
1273 	au_pathhold(app);
1274 	mutex_exit(&(pad->pad_lock));
1275 
1276 	pathlen = app->audp_sect[1] - app->audp_sect[0];
1277 	if (pathlen > length) {
1278 		au_pathrele(app);
1279 		return (E2BIG);
1280 	}
1281 
1282 	if (copyout(app->audp_sect[0], data, pathlen)) {
1283 		au_pathrele(app);
1284 		return (EFAULT);
1285 	}
1286 
1287 	au_pathrele(app);
1288 	return (0);
1289 }
1290 
1291 static int
1292 getstat(caddr_t data)
1293 {
1294 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1295 
1296 	membar_consumer();
1297 
1298 	if (copyout((caddr_t)&(kctx->auk_statistics), data, sizeof (au_stat_t)))
1299 		return (EFAULT);
1300 	return (0);
1301 }
1302 
1303 
1304 static int
1305 setstat(caddr_t data)
1306 {
1307 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1308 	au_stat_t au_stat;
1309 
1310 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1311 		return (EINVAL);
1312 
1313 	if (copyin(data, &au_stat, sizeof (au_stat_t)))
1314 		return (EFAULT);
1315 
1316 	if (au_stat.as_generated == CLEAR_VAL)
1317 		kctx->auk_statistics.as_generated = 0;
1318 	if (au_stat.as_nonattrib == CLEAR_VAL)
1319 		kctx->auk_statistics.as_nonattrib = 0;
1320 	if (au_stat.as_kernel == CLEAR_VAL)
1321 		kctx->auk_statistics.as_kernel = 0;
1322 	if (au_stat.as_audit == CLEAR_VAL)
1323 		kctx->auk_statistics.as_audit = 0;
1324 	if (au_stat.as_auditctl == CLEAR_VAL)
1325 		kctx->auk_statistics.as_auditctl = 0;
1326 	if (au_stat.as_enqueue == CLEAR_VAL)
1327 		kctx->auk_statistics.as_enqueue = 0;
1328 	if (au_stat.as_written == CLEAR_VAL)
1329 		kctx->auk_statistics.as_written = 0;
1330 	if (au_stat.as_wblocked == CLEAR_VAL)
1331 		kctx->auk_statistics.as_wblocked = 0;
1332 	if (au_stat.as_rblocked == CLEAR_VAL)
1333 		kctx->auk_statistics.as_rblocked = 0;
1334 	if (au_stat.as_dropped == CLEAR_VAL)
1335 		kctx->auk_statistics.as_dropped = 0;
1336 	if (au_stat.as_totalsize == CLEAR_VAL)
1337 		kctx->auk_statistics.as_totalsize = 0;
1338 
1339 	membar_producer();
1340 
1341 	return (0);
1342 
1343 }
1344 
1345 static int
1346 setumask(caddr_t data)
1347 {
1348 	STRUCT_DECL(auditinfo, user_info);
1349 	struct proc *p;
1350 	const auditinfo_addr_t	*ainfo;
1351 	model_t	model;
1352 
1353 	model = get_udatamodel();
1354 	STRUCT_INIT(user_info, model);
1355 
1356 	if (copyin(data, STRUCT_BUF(user_info), STRUCT_SIZE(user_info)))
1357 		return (EFAULT);
1358 
1359 	mutex_enter(&pidlock);	/* lock the process queue against updates */
1360 	for (p = practive; p != NULL; p = p->p_next) {
1361 		cred_t	*cr;
1362 
1363 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
1364 		mutex_enter(&p->p_crlock);
1365 		crhold(cr = p->p_cred);
1366 		mutex_exit(&p->p_crlock);
1367 		ainfo = crgetauinfo(cr);
1368 		if (ainfo == NULL) {
1369 			mutex_exit(&p->p_lock);
1370 			crfree(cr);
1371 			continue;
1372 		}
1373 
1374 		if (ainfo->ai_auid == STRUCT_FGET(user_info, ai_auid)) {
1375 			au_mask_t	mask;
1376 			int		err;
1377 
1378 			/*
1379 			 * Here's a process which matches the specified auid.
1380 			 * If its mask doesn't already match the new mask,
1381 			 * save the new mask in the pad, to be picked up
1382 			 * next syscall.
1383 			 */
1384 			mask = STRUCT_FGET(user_info, ai_mask);
1385 			err = bcmp(&mask, &ainfo->ai_mask, sizeof (au_mask_t));
1386 			crfree(cr);
1387 			if (err != 0) {
1388 				struct p_audit_data *pad = P2A(p);
1389 				ASSERT(pad != NULL);
1390 
1391 				mutex_enter(&(pad->pad_lock));
1392 				pad->pad_flags |= PAD_SETMASK;
1393 				pad->pad_newmask = mask;
1394 				mutex_exit(&(pad->pad_lock));
1395 
1396 				/*
1397 				 * No need to call set_proc_pre_sys(), since
1398 				 * t_pre_sys is ALWAYS on when audit is
1399 				 * enabled...due to syscall auditing.
1400 				 */
1401 			}
1402 		} else {
1403 			crfree(cr);
1404 		}
1405 		mutex_exit(&p->p_lock);
1406 	}
1407 	mutex_exit(&pidlock);
1408 
1409 	return (0);
1410 }
1411 
1412 static int
1413 setsmask(caddr_t data)
1414 {
1415 	STRUCT_DECL(auditinfo, user_info);
1416 	struct proc *p;
1417 	const auditinfo_addr_t	*ainfo;
1418 	model_t	model;
1419 
1420 	model = get_udatamodel();
1421 	STRUCT_INIT(user_info, model);
1422 
1423 	if (copyin(data, STRUCT_BUF(user_info), STRUCT_SIZE(user_info)))
1424 		return (EFAULT);
1425 
1426 	mutex_enter(&pidlock);	/* lock the process queue against updates */
1427 	for (p = practive; p != NULL; p = p->p_next) {
1428 		cred_t	*cr;
1429 
1430 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
1431 		mutex_enter(&p->p_crlock);
1432 		crhold(cr = p->p_cred);
1433 		mutex_exit(&p->p_crlock);
1434 		ainfo = crgetauinfo(cr);
1435 		if (ainfo == NULL) {
1436 			mutex_exit(&p->p_lock);
1437 			crfree(cr);
1438 			continue;
1439 		}
1440 
1441 		if (ainfo->ai_asid == STRUCT_FGET(user_info, ai_asid)) {
1442 			au_mask_t	mask;
1443 			int		err;
1444 
1445 			/*
1446 			 * Here's a process which matches the specified asid.
1447 			 * If its mask doesn't already match the new mask,
1448 			 * save the new mask in the pad, to be picked up
1449 			 * next syscall.
1450 			 */
1451 			mask = STRUCT_FGET(user_info, ai_mask);
1452 			err = bcmp(&mask, &ainfo->ai_mask, sizeof (au_mask_t));
1453 			crfree(cr);
1454 			if (err != 0) {
1455 				struct p_audit_data *pad = P2A(p);
1456 				ASSERT(pad != NULL);
1457 
1458 				mutex_enter(&(pad->pad_lock));
1459 				pad->pad_flags |= PAD_SETMASK;
1460 				pad->pad_newmask = mask;
1461 				mutex_exit(&(pad->pad_lock));
1462 
1463 				/*
1464 				 * No need to call set_proc_pre_sys(), since
1465 				 * t_pre_sys is ALWAYS on when audit is
1466 				 * enabled...due to syscall auditing.
1467 				 */
1468 			}
1469 		} else {
1470 			crfree(cr);
1471 		}
1472 		mutex_exit(&p->p_lock);
1473 	}
1474 	mutex_exit(&pidlock);
1475 
1476 	return (0);
1477 }
1478 
1479 /*
1480  * Get the current audit state of the system
1481  */
1482 static int
1483 getcond(caddr_t data)
1484 {
1485 	au_kcontext_t	*kctx;
1486 
1487 	if (au_auditstate == AUC_DISABLED)
1488 		if (copyout(&au_auditstate, data, sizeof (int)))
1489 			return (EFAULT);
1490 
1491 	kctx = GET_KCTX_PZ;
1492 
1493 	if (copyout(&(kctx->auk_auditstate), data, sizeof (int)))
1494 		return (EFAULT);
1495 
1496 	return (0);
1497 }
1498 
1499 /*
1500  * Set the current audit state of the system to on (AUC_AUDITING) or
1501  * off (AUC_NOAUDIT).
1502  */
1503 /* ARGSUSED */
1504 static int
1505 setcond(caddr_t data)
1506 {
1507 	int	auditstate;
1508 	au_kcontext_t	*kctx;
1509 
1510 	if (!(audit_policy & AUDIT_PERZONE) && (!INGLOBALZONE(curproc)))
1511 		return (EINVAL);
1512 
1513 	kctx = GET_KCTX_NGZ;
1514 
1515 	if (copyin(data, &auditstate, sizeof (int)))
1516 		return (EFAULT);
1517 
1518 	switch (auditstate) {
1519 	case AUC_AUDITING:		/* Turn auditing on */
1520 		kctx->auk_auditstate = AUC_AUDITING;
1521 		au_auditstate = AUC_ENABLED;
1522 		break;
1523 
1524 	case AUC_NOAUDIT:		/* Turn auditing off */
1525 		if (kctx->auk_auditstate == AUC_NOAUDIT)
1526 			break;
1527 		kctx->auk_auditstate = AUC_NOAUDIT;
1528 
1529 		/* clear out the audit queue */
1530 
1531 		mutex_enter(&(kctx->auk_queue.lock));
1532 		if (kctx->auk_queue.wt_block)
1533 			cv_broadcast(&(kctx->auk_queue.write_cv));
1534 
1535 		/* unblock au_output_thread */
1536 		cv_broadcast(&(kctx->auk_queue.read_cv));
1537 
1538 		mutex_exit(&(kctx->auk_queue.lock));
1539 		break;
1540 
1541 	default:
1542 		return (EINVAL);
1543 	}
1544 
1545 	return (0);
1546 }
1547 
1548 static int
1549 getclass(caddr_t data)
1550 {
1551 	au_evclass_map_t event;
1552 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1553 
1554 	if (copyin(data, &event, sizeof (au_evclass_map_t)))
1555 		return (EFAULT);
1556 
1557 	if (event.ec_number < 0 || event.ec_number > (au_naevent - 1))
1558 		return (EINVAL);
1559 
1560 	event.ec_class = kctx->auk_ets[event.ec_number];
1561 
1562 	if (copyout(&event, data, sizeof (au_evclass_map_t)))
1563 		return (EFAULT);
1564 
1565 	return (0);
1566 }
1567 
1568 static int
1569 setclass(caddr_t data)
1570 {
1571 	au_evclass_map_t event;
1572 	au_kcontext_t	*kctx;
1573 
1574 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1575 		return (EINVAL);
1576 
1577 	kctx = GET_KCTX_NGZ;
1578 
1579 	if (copyin(data, &event, sizeof (au_evclass_map_t)))
1580 		return (EFAULT);
1581 
1582 	if (event.ec_number < 0 || event.ec_number > (au_naevent - 1))
1583 		return (EINVAL);
1584 
1585 	kctx->auk_ets[event.ec_number] = event.ec_class;
1586 
1587 	return (0);
1588 }
1589 
1590 static int
1591 getpinfo(caddr_t data)
1592 {
1593 	STRUCT_DECL(auditpinfo, apinfo);
1594 	proc_t *proc;
1595 	const auditinfo_addr_t	*ainfo;
1596 	model_t	model;
1597 	cred_t	*cr, *newcred;
1598 
1599 	model = get_udatamodel();
1600 	STRUCT_INIT(apinfo, model);
1601 
1602 	if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1603 		return (EFAULT);
1604 
1605 	newcred = cralloc();
1606 
1607 	mutex_enter(&pidlock);
1608 	if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1609 		mutex_exit(&pidlock);
1610 		crfree(newcred);
1611 		return (ESRCH);		/* no such process */
1612 	}
1613 	mutex_enter(&proc->p_lock);	/* so process doesn't go away */
1614 	mutex_exit(&pidlock);
1615 
1616 	audit_update_context(proc, newcred);	/* make sure it's up-to-date */
1617 
1618 	mutex_enter(&proc->p_crlock);
1619 	crhold(cr = proc->p_cred);
1620 	mutex_exit(&proc->p_crlock);
1621 	mutex_exit(&proc->p_lock);
1622 
1623 	ainfo = crgetauinfo(cr);
1624 	if (ainfo == NULL) {
1625 		crfree(cr);
1626 		return (EINVAL);
1627 	}
1628 
1629 	/* designated process has an ipv6 address? */
1630 	if (ainfo->ai_termid.at_type == AU_IPv6) {
1631 		crfree(cr);
1632 		return (EOVERFLOW);
1633 	}
1634 
1635 	STRUCT_FSET(apinfo, ap_auid, ainfo->ai_auid);
1636 	STRUCT_FSET(apinfo, ap_asid, ainfo->ai_asid);
1637 #ifdef _LP64
1638 	if (model == DATAMODEL_ILP32) {
1639 		dev32_t dev;
1640 		/* convert internal 64 bit form to 32 bit version */
1641 		if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
1642 			crfree(cr);
1643 			return (EOVERFLOW);
1644 		}
1645 		STRUCT_FSET(apinfo, ap_termid.port, dev);
1646 	} else
1647 		STRUCT_FSET(apinfo, ap_termid.port, ainfo->ai_termid.at_port);
1648 #else
1649 	STRUCT_FSET(apinfo, ap_termid.port, ainfo->ai_termid.at_port);
1650 #endif
1651 	STRUCT_FSET(apinfo, ap_termid.machine, ainfo->ai_termid.at_addr[0]);
1652 	STRUCT_FSET(apinfo, ap_mask, ainfo->ai_mask);
1653 
1654 	crfree(cr);
1655 
1656 	if (copyout(STRUCT_BUF(apinfo), data, STRUCT_SIZE(apinfo)))
1657 		return (EFAULT);
1658 
1659 	return (0);
1660 }
1661 
1662 static int
1663 getpinfo_addr(caddr_t data, int len)
1664 {
1665 	STRUCT_DECL(auditpinfo_addr, apinfo);
1666 	proc_t *proc;
1667 	const auditinfo_addr_t	*ainfo;
1668 	model_t	model;
1669 	cred_t	*cr, *newcred;
1670 
1671 	model = get_udatamodel();
1672 	STRUCT_INIT(apinfo, model);
1673 
1674 	if (len < STRUCT_SIZE(apinfo))
1675 		return (EOVERFLOW);
1676 
1677 	if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1678 		return (EFAULT);
1679 
1680 	newcred = cralloc();
1681 
1682 	mutex_enter(&pidlock);
1683 	if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1684 		mutex_exit(&pidlock);
1685 		crfree(newcred);
1686 		return (ESRCH);
1687 	}
1688 	mutex_enter(&proc->p_lock);	/* so process doesn't go away */
1689 	mutex_exit(&pidlock);
1690 
1691 	audit_update_context(proc, newcred);	/* make sure it's up-to-date */
1692 
1693 	mutex_enter(&proc->p_crlock);
1694 	crhold(cr = proc->p_cred);
1695 	mutex_exit(&proc->p_crlock);
1696 	mutex_exit(&proc->p_lock);
1697 
1698 	ainfo = crgetauinfo(cr);
1699 	if (ainfo == NULL) {
1700 		crfree(cr);
1701 		return (EINVAL);
1702 	}
1703 
1704 	STRUCT_FSET(apinfo, ap_auid, ainfo->ai_auid);
1705 	STRUCT_FSET(apinfo, ap_asid, ainfo->ai_asid);
1706 #ifdef _LP64
1707 	if (model == DATAMODEL_ILP32) {
1708 		dev32_t dev;
1709 		/* convert internal 64 bit form to 32 bit version */
1710 		if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
1711 			crfree(cr);
1712 			return (EOVERFLOW);
1713 		}
1714 		STRUCT_FSET(apinfo, ap_termid.at_port, dev);
1715 	} else
1716 		STRUCT_FSET(apinfo, ap_termid.at_port,
1717 		    ainfo->ai_termid.at_port);
1718 #else
1719 	STRUCT_FSET(apinfo, ap_termid.at_port, ainfo->ai_termid.at_port);
1720 #endif
1721 	STRUCT_FSET(apinfo, ap_termid.at_type, ainfo->ai_termid.at_type);
1722 	STRUCT_FSET(apinfo, ap_termid.at_addr[0], ainfo->ai_termid.at_addr[0]);
1723 	STRUCT_FSET(apinfo, ap_termid.at_addr[1], ainfo->ai_termid.at_addr[1]);
1724 	STRUCT_FSET(apinfo, ap_termid.at_addr[2], ainfo->ai_termid.at_addr[2]);
1725 	STRUCT_FSET(apinfo, ap_termid.at_addr[3], ainfo->ai_termid.at_addr[3]);
1726 	STRUCT_FSET(apinfo, ap_mask, ainfo->ai_mask);
1727 
1728 	crfree(cr);
1729 
1730 	if (copyout(STRUCT_BUF(apinfo), data, STRUCT_SIZE(apinfo)))
1731 		return (EFAULT);
1732 
1733 	return (0);
1734 }
1735 
1736 static int
1737 setpmask(caddr_t data)
1738 {
1739 	STRUCT_DECL(auditpinfo, apinfo);
1740 	proc_t *proc;
1741 	cred_t	*newcred;
1742 	auditinfo_addr_t	*ainfo;
1743 	struct p_audit_data	*pad;
1744 
1745 	model_t	model;
1746 
1747 	model = get_udatamodel();
1748 	STRUCT_INIT(apinfo, model);
1749 
1750 	if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1751 		return (EFAULT);
1752 
1753 	mutex_enter(&pidlock);
1754 	if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1755 		mutex_exit(&pidlock);
1756 		return (ESRCH);
1757 	}
1758 	mutex_enter(&proc->p_lock);	/* so process doesn't go away */
1759 	mutex_exit(&pidlock);
1760 
1761 	newcred = cralloc();
1762 	if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
1763 		mutex_exit(&proc->p_lock);
1764 		crfree(newcred);
1765 		return (EINVAL);
1766 	}
1767 
1768 	mutex_enter(&proc->p_crlock);
1769 	crcopy_to(proc->p_cred, newcred);
1770 	proc->p_cred = newcred;
1771 
1772 	ainfo->ai_mask = STRUCT_FGET(apinfo, ap_mask);
1773 
1774 	/*
1775 	 * Unlock. No need to broadcast changes via set_proc_pre_sys(),
1776 	 * since t_pre_sys is ALWAYS on when audit is enabled... due to
1777 	 * syscall auditing.
1778 	 */
1779 	crfree(newcred);
1780 	mutex_exit(&proc->p_crlock);
1781 
1782 	/* Reset flag for any previous pending mask change; this supercedes */
1783 	pad = P2A(proc);
1784 	ASSERT(pad != NULL);
1785 	mutex_enter(&(pad->pad_lock));
1786 	pad->pad_flags &= ~PAD_SETMASK;
1787 	mutex_exit(&(pad->pad_lock));
1788 
1789 	mutex_exit(&proc->p_lock);
1790 
1791 	return (0);
1792 }
1793 
1794 static int
1795 getfsize(caddr_t data)
1796 {
1797 	au_fstat_t fstat;
1798 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1799 
1800 	mutex_enter(&(kctx->auk_fstat_lock));
1801 	fstat.af_filesz = kctx->auk_file_stat.af_filesz;
1802 	fstat.af_currsz = kctx->auk_file_stat.af_currsz;
1803 	mutex_exit(&(kctx->auk_fstat_lock));
1804 
1805 	if (copyout(&fstat, data, sizeof (au_fstat_t)))
1806 		return (EFAULT);
1807 
1808 	return (0);
1809 }
1810 
1811 static int
1812 setfsize(caddr_t data)
1813 {
1814 	au_fstat_t fstat;
1815 	au_kcontext_t	*kctx;
1816 
1817 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1818 		return (EINVAL);
1819 
1820 	kctx = GET_KCTX_NGZ;
1821 
1822 	if (copyin(data, &fstat, sizeof (au_fstat_t)))
1823 		return (EFAULT);
1824 
1825 	if ((fstat.af_filesz != 0) && (fstat.af_filesz < AU_MIN_FILE_SZ))
1826 		return (EINVAL);
1827 
1828 	mutex_enter(&(kctx->auk_fstat_lock));
1829 	kctx->auk_file_stat.af_filesz = fstat.af_filesz;
1830 	mutex_exit(&(kctx->auk_fstat_lock));
1831 
1832 	return (0);
1833 }
1834 /*
1835  * The out of control system call
1836  * This is audit kitchen sink aka auditadm, aka auditon
1837  */
1838 static int
1839 auditctl(
1840 	int	cmd,
1841 	caddr_t data,
1842 	int	length)
1843 {
1844 	int result;
1845 
1846 	if (!audit_active)
1847 		return (EINVAL);
1848 
1849 	switch (cmd) {
1850 	case A_GETCOND:
1851 	case A_GETCAR:
1852 	case A_GETCLASS:
1853 	case A_GETCWD:
1854 	case A_GETFSIZE:
1855 	case A_GETKAUDIT:
1856 	case A_GETKMASK:
1857 	case A_GETPINFO:
1858 	case A_GETPINFO_ADDR:
1859 	case A_GETPOLICY:
1860 	case A_GETQCTRL:
1861 	case A_GETSTAT:
1862 		if (secpolicy_audit_getattr(CRED()) != 0)
1863 			return (EPERM);
1864 		break;
1865 	default:
1866 		if (secpolicy_audit_config(CRED()) != 0)
1867 			return (EPERM);
1868 		break;
1869 	}
1870 
1871 	switch (cmd) {
1872 	case A_GETPOLICY:
1873 		result = getpolicy(data);
1874 		break;
1875 	case A_SETPOLICY:
1876 		result = setpolicy(data);
1877 		break;
1878 	case A_GETKMASK:
1879 		result = getkmask(data);
1880 		break;
1881 	case A_SETKMASK:
1882 		result = setkmask(data);
1883 		break;
1884 	case A_GETKAUDIT:
1885 		result = getkaudit(data, length);
1886 		break;
1887 	case A_SETKAUDIT:
1888 		result = setkaudit(data, length);
1889 		break;
1890 	case A_GETQCTRL:
1891 		result = getqctrl(data);
1892 		break;
1893 	case A_SETQCTRL:
1894 		result = setqctrl(data);
1895 		break;
1896 	case A_GETCWD:
1897 		result = getcwd(data, length);
1898 		break;
1899 	case A_GETCAR:
1900 		result = getcar(data, length);
1901 		break;
1902 	case A_GETSTAT:
1903 		result = getstat(data);
1904 		break;
1905 	case A_SETSTAT:
1906 		result = setstat(data);
1907 		break;
1908 	case A_SETUMASK:
1909 		result = setumask(data);
1910 		break;
1911 	case A_SETSMASK:
1912 		result = setsmask(data);
1913 		break;
1914 	case A_GETCOND:
1915 		result = getcond(data);
1916 		break;
1917 	case A_SETCOND:
1918 		result = setcond(data);
1919 		break;
1920 	case A_GETCLASS:
1921 		result = getclass(data);
1922 		break;
1923 	case A_SETCLASS:
1924 		result = setclass(data);
1925 		break;
1926 	case A_GETPINFO:
1927 		result = getpinfo(data);
1928 		break;
1929 	case A_GETPINFO_ADDR:
1930 		result = getpinfo_addr(data, length);
1931 		break;
1932 	case A_SETPMASK:
1933 		result = setpmask(data);
1934 		break;
1935 	case A_SETFSIZE:
1936 		result = setfsize(data);
1937 		break;
1938 	case A_GETFSIZE:
1939 		result = getfsize(data);
1940 		break;
1941 	default:
1942 		result = EINVAL;
1943 		break;
1944 	}
1945 	return (result);
1946 }
1947 
1948 static int
1949 audit_modsysent(char *modname, int flags, int (*func)())
1950 {
1951 	struct sysent *sysp;
1952 	int sysnum;
1953 	krwlock_t *kl;
1954 
1955 	if ((sysnum = mod_getsysnum(modname)) == -1) {
1956 		cmn_err(CE_WARN, "system call missing from bind file");
1957 		return (-1);
1958 	}
1959 
1960 	kl = (krwlock_t *)kobj_zalloc(sizeof (krwlock_t), KM_SLEEP);
1961 
1962 	sysp = &sysent[sysnum];
1963 	sysp->sy_narg = auditsysent.sy_narg;
1964 #ifdef _LP64
1965 	sysp->sy_flags = (unsigned short)flags;
1966 #else
1967 	sysp->sy_flags = (unsigned char)flags;
1968 #endif
1969 	sysp->sy_call = func;
1970 	sysp->sy_lock = kl;
1971 
1972 #ifdef _SYSCALL32_IMPL
1973 	sysp = &sysent32[sysnum];
1974 	sysp->sy_narg = auditsysent.sy_narg;
1975 	sysp->sy_flags = (unsigned short)flags;
1976 	sysp->sy_call = func;
1977 	sysp->sy_lock = kl;
1978 #endif
1979 
1980 	rw_init(sysp->sy_lock, NULL, RW_DEFAULT, NULL);
1981 
1982 	return (0);
1983 }
1984