xref: /titanic_51/usr/src/uts/common/c2/audit.c (revision 8a40a695ee676a322b094e9afe5375567bfb51e3)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file contains the audit hook support code for auditing.
28  */
29 
30 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31 
32 #include <sys/types.h>
33 #include <sys/proc.h>
34 #include <sys/vnode.h>
35 #include <sys/vfs.h>
36 #include <sys/file.h>
37 #include <sys/user.h>
38 #include <sys/stropts.h>
39 #include <sys/systm.h>
40 #include <sys/pathname.h>
41 #include <sys/syscall.h>
42 #include <sys/fcntl.h>
43 #include <sys/ipc_impl.h>
44 #include <sys/msg_impl.h>
45 #include <sys/sem_impl.h>
46 #include <sys/shm_impl.h>
47 #include <sys/kmem.h>		/* for KM_SLEEP */
48 #include <sys/socket.h>
49 #include <sys/cmn_err.h>	/* snprintf... */
50 #include <sys/debug.h>
51 #include <sys/thread.h>
52 #include <netinet/in.h>
53 #include <c2/audit.h>		/* needs to be included before user.h */
54 #include <c2/audit_kernel.h>	/* for M_DONTWAIT */
55 #include <c2/audit_kevents.h>
56 #include <c2/audit_record.h>
57 #include <sys/strsubr.h>
58 #include <sys/tihdr.h>
59 #include <sys/tiuser.h>
60 #include <sys/timod.h>
61 #include <sys/model.h>		/* for model_t */
62 #include <sys/disp.h>		/* for servicing_interrupt() */
63 #include <sys/devpolicy.h>
64 #include <sys/crypto/ioctladmin.h>
65 #include <inet/kssl/kssl.h>
66 
67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
68 
69 static void audit_pathbuild(struct pathname *pnp);
70 
71 /*
72  * ROUTINE:	AUDIT_NEWPROC
73  * PURPOSE:	initialize the child p_audit_data structure
74  * CALLBY:	GETPROC
75  * NOTE:	All threads for the parent process are locked at this point.
76  *		We are essentially running singled threaded for this reason.
77  *		GETPROC is called when system creates a new process.
78  *		By the time AUDIT_NEWPROC is called, the child proc
79  *		structure has already been initialized. What we need
80  *		to do is to allocate the child p_audit_data and
81  *		initialize it with the content of current parent process.
82  */
83 
84 void
85 audit_newproc(struct proc *cp)	/* initialized child proc structure */
86 {
87 	p_audit_data_t *pad;	/* child process audit data */
88 	p_audit_data_t *opad;	/* parent process audit data */
89 
90 	pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
91 
92 	P2A(cp) = pad;
93 
94 	opad = P2A(curproc);
95 
96 	/*
97 	 * copy the audit data. Note that all threads of current
98 	 *   process have been "held". Thus there is no race condition
99 	 *   here with mutiple threads trying to alter the cwrd
100 	 *   structure (such as releasing it).
101 	 *
102 	 *   The audit context in the cred is "duplicated" for the new
103 	 *   proc by elsewhere crhold'ing the parent's cred which it shares.
104 	 *
105 	 *   We still want to hold things since auditon() [A_SETUMASK,
106 	 *   A_SETSMASK] could be walking through the processes to
107 	 *   update things.
108 	 */
109 	mutex_enter(&opad->pad_lock);	/* lock opad structure during copy */
110 	pad->pad_data = opad->pad_data;	/* copy parent's process audit data */
111 	au_pathhold(pad->pad_root);
112 	au_pathhold(pad->pad_cwd);
113 	mutex_exit(&opad->pad_lock);	/* current proc will keep cwrd open */
114 
115 	/*
116 	 * finish auditing of parent here so that it will be done
117 	 * before child has a chance to run. We include the child
118 	 * pid since the return value in the return token is a dummy
119 	 * one and contains no useful information (it is included to
120 	 * make the audit record structure consistant).
121 	 *
122 	 * tad_flag is set if auditing is on
123 	 */
124 	if (((t_audit_data_t *)T2A(curthread))->tad_flag)
125 		au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid));
126 
127 	/*
128 	 * finish up audit record generation here because child process
129 	 * is set to run before parent process. We distinguish here
130 	 * between FORK, FORK1, or VFORK by the saved system call ID.
131 	 */
132 	audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0);
133 }
134 
135 /*
136  * ROUTINE:	AUDIT_PFREE
137  * PURPOSE:	deallocate the per-process udit data structure
138  * CALLBY:	EXIT
139  *		FORK_FAIL
140  * NOTE:	all lwp except current one have stopped in SEXITLWPS
141  * 		why we are single threaded?
142  *		. all lwp except current one have stopped in SEXITLWPS.
143  */
144 void
145 audit_pfree(struct proc *p)		/* proc structure to be freed */
146 
147 {	/* AUDIT_PFREE */
148 
149 	p_audit_data_t *pad;
150 
151 	pad = P2A(p);
152 
153 	/* better be a per process audit data structure */
154 	ASSERT(pad != (p_audit_data_t *)0);
155 
156 	if (pad == pad0) {
157 		return;
158 	}
159 
160 	/* deallocate all auditing resources for this process */
161 	au_pathrele(pad->pad_root);
162 	au_pathrele(pad->pad_cwd);
163 
164 	/*
165 	 * Since the pad structure is completely overwritten after alloc,
166 	 * we don't bother to clear it.
167 	 */
168 
169 	kmem_cache_free(au_pad_cache, pad);
170 }
171 
172 /*
173  * ROUTINE:	AUDIT_THREAD_CREATE
174  * PURPOSE:	allocate per-process thread audit data structure
175  * CALLBY:	THREAD_CREATE
176  * NOTE:	This is called just after *t was bzero'd.
177  *		We are single threaded in this routine.
178  * TODO:
179  * QUESTION:
180  */
181 
182 void
183 audit_thread_create(kthread_id_t t)
184 {
185 	t_audit_data_t *tad;	/* per-thread audit data */
186 
187 	tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
188 
189 	T2A(t) = tad;		/* set up thread audit data ptr */
190 	tad->tad_thread = t;	/* back ptr to thread: DEBUG */
191 }
192 
193 /*
194  * ROUTINE:	AUDIT_THREAD_FREE
195  * PURPOSE:	free the per-thread audit data structure
196  * CALLBY:	THREAD_FREE
197  * NOTE:	most thread data is clear after return
198  */
199 void
200 audit_thread_free(kthread_t *t)
201 {
202 	t_audit_data_t *tad;
203 	au_defer_info_t	*attr;
204 
205 	tad = T2A(t);
206 
207 	/* thread audit data must still be set */
208 
209 	if (tad == tad0) {
210 		return;
211 	}
212 
213 	if (tad == NULL) {
214 		return;
215 	}
216 
217 	t->t_audit_data = 0;
218 
219 	/* must not have any audit record residual */
220 	ASSERT(tad->tad_ad == NULL);
221 
222 	/* saved path must be empty */
223 	ASSERT(tad->tad_aupath == NULL);
224 
225 	if (tad->tad_atpath)
226 		au_pathrele(tad->tad_atpath);
227 
228 	attr = tad->tad_defer_head;
229 	while (attr != NULL) {
230 		au_defer_info_t	*tmp_attr = attr;
231 
232 		au_free_rec(attr->audi_ad);
233 
234 		attr = attr->audi_next;
235 		kmem_free(tmp_attr, sizeof (au_defer_info_t));
236 	}
237 
238 	kmem_free(tad, sizeof (*tad));
239 }
240 
241 /*
242  * ROUTINE:	AUDIT_SAVEPATH
243  * PURPOSE:
244  * CALLBY:	LOOKUPPN
245  *
246  * NOTE:	We have reached the end of a path in fs/lookup.c.
247  *		We get two pieces of information here:
248  *		the vnode of the last component (vp) and
249  *		the status of the last access (flag).
250  * TODO:
251  * QUESTION:
252  */
253 
254 /*ARGSUSED*/
255 int
256 audit_savepath(
257 	struct pathname *pnp,		/* pathname to lookup */
258 	struct vnode *vp,		/* vnode of the last component */
259 	int    flag,			/* status of the last access */
260 	cred_t *cr)			/* cred of requestor */
261 {
262 
263 	t_audit_data_t *tad;	/* current thread */
264 	p_audit_data_t *pad;	/* current process */
265 	au_kcontext_t	*kctx = SET_KCTX_PZ;
266 
267 	if (kctx == NULL) {
268 		zone_status_t zstate = zone_status_get(curproc->p_zone);
269 		ASSERT(zstate != ZONE_IS_READY);
270 		return (0);
271 	}
272 
273 	tad = U2A(u);
274 	ASSERT(tad != (t_audit_data_t *)0);
275 	pad = P2A(curproc);
276 	ASSERT(pad != (p_audit_data_t *)0);
277 
278 	/*
279 	 * this event being audited or do we need path information
280 	 * later? This might be for a chdir/chroot or open (add path
281 	 * to file pointer. If the path has already been found for an
282 	 * open/creat then we don't need to process the path.
283 	 *
284 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
285 	 *	chroot, chdir, open, creat system call processing. It determines
286 	 *	if audit_savepath() will discard the path or we need it later.
287 	 * PAD_PATHFND means path already included in this audit record. It
288 	 *	is used in cases where multiple path lookups are done per
289 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
290 	 *	paths are allowed.
291 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
292 	 *	exit processing to inhibit any paths that may be added due to
293 	 *	closes.
294 	 */
295 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
296 		((tad->tad_ctrl & PAD_PATHFND) &&
297 		!(kctx->auk_policy & AUDIT_PATH)) ||
298 		(tad->tad_ctrl & PAD_NOPATH)) {
299 			return (0);
300 	}
301 
302 	tad->tad_ctrl |= PAD_NOPATH;		/* prevent possible reentry */
303 
304 	audit_pathbuild(pnp);
305 	tad->tad_vn = vp;
306 
307 	/*
308 	 * are we auditing only if error, or if it is not open or create
309 	 * otherwise audit_setf will do it
310 	 */
311 
312 	if (tad->tad_flag) {
313 		if (flag && (tad->tad_scid == SYS_open ||
314 		    tad->tad_scid == SYS_open64 ||
315 		    tad->tad_scid == SYS_creat ||
316 		    tad->tad_scid == SYS_creat64 ||
317 		    tad->tad_scid == SYS_fsat)) {
318 			tad->tad_ctrl |= PAD_TRUE_CREATE;
319 		}
320 
321 		/* add token to audit record for this name */
322 		au_uwrite(au_to_path(tad->tad_aupath));
323 
324 		/* add the attributes of the object */
325 		if (vp) {
326 			/*
327 			 * only capture attributes when there is no error
328 			 * lookup will not return the vnode of the failing
329 			 * component.
330 			 *
331 			 * if there was a lookup error, then don't add
332 			 * attribute. if lookup in vn_create(),
333 			 * then don't add attribute,
334 			 * it will be added at end of vn_create().
335 			 */
336 			if (!flag && !(tad->tad_ctrl & PAD_NOATTRB))
337 				audit_attributes(vp);
338 		}
339 	}
340 
341 	/* free up space if we're not going to save path (open, crate) */
342 	if ((tad->tad_ctrl & PAD_SAVPATH) == 0) {
343 		if (tad->tad_aupath != NULL) {
344 			au_pathrele(tad->tad_aupath);
345 			tad->tad_aupath = NULL;
346 			tad->tad_vn = NULL;
347 		}
348 	}
349 	if (tad->tad_ctrl & PAD_MLD)
350 		tad->tad_ctrl |= PAD_PATHFND;
351 
352 	tad->tad_ctrl &= ~PAD_NOPATH;		/* restore */
353 	return (0);
354 }
355 
356 static void
357 audit_pathbuild(struct pathname *pnp)
358 {
359 	char *pp;	/* pointer to path */
360 	int len;	/* length of incoming segment */
361 	int newsect;	/* path requires a new section */
362 	struct audit_path	*pfxapp;	/* prefix for path */
363 	struct audit_path	*newapp;	/* new audit_path */
364 	t_audit_data_t *tad;	/* current thread */
365 	p_audit_data_t *pad;	/* current process */
366 
367 	tad = U2A(u);
368 	ASSERT(tad != NULL);
369 	pad = P2A(curproc);
370 	ASSERT(pad != NULL);
371 
372 	len = (pnp->pn_path - pnp->pn_buf) + 1;		/* +1 for terminator */
373 	ASSERT(len > 0);
374 
375 	/* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
376 	mutex_enter(&pad->pad_lock);
377 	if (tad->tad_aupath != NULL) {
378 		pfxapp = tad->tad_aupath;
379 	} else if (tad->tad_scid == SYS_fsat && pnp->pn_buf[0] != '/') {
380 		ASSERT(tad->tad_atpath != NULL);
381 		pfxapp = tad->tad_atpath;
382 	} else if (tad->tad_ctrl & PAD_ABSPATH) {
383 		pfxapp = pad->pad_root;
384 	} else {
385 		pfxapp = pad->pad_cwd;
386 	}
387 	au_pathhold(pfxapp);
388 	mutex_exit(&pad->pad_lock);
389 
390 	/* get an expanded buffer to hold the anchored path */
391 	newsect = tad->tad_ctrl & PAD_ATPATH;
392 	newapp = au_pathdup(pfxapp, newsect, len);
393 	au_pathrele(pfxapp);
394 
395 	pp = newapp->audp_sect[newapp->audp_cnt] - len;
396 	if (!newsect) {
397 		/* overlay previous NUL terminator */
398 		*(pp - 1) = '/';
399 	}
400 
401 	/* now add string of processed path */
402 	bcopy(pnp->pn_buf, pp, len);
403 	pp[len - 1] = '\0';
404 
405 	/* perform path simplification as necessary */
406 	audit_fixpath(newapp, len);
407 
408 	if (tad->tad_aupath)
409 		au_pathrele(tad->tad_aupath);
410 	tad->tad_aupath = newapp;
411 
412 	/* for case where multiple lookups in one syscall (rename) */
413 	tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATPATH);
414 }
415 
416 
417 
418 /*ARGSUSED*/
419 
420 /*
421  * ROUTINE:	AUDIT_ADDCOMPONENT
422  * PURPOSE:	extend the path by the component accepted
423  * CALLBY:	LOOKUPPN
424  * NOTE:	This function is called only when there is an error in
425  *		parsing a path component
426  * TODO:	Add the error component to audit record
427  * QUESTION:	what is this for
428  */
429 
430 void
431 audit_addcomponent(struct pathname *pnp)
432 {
433 	au_kcontext_t	*kctx = SET_KCTX_PZ;
434 	t_audit_data_t *tad;
435 
436 	if (kctx == NULL) {
437 		zone_status_t zstate = zone_status_get(curproc->p_zone);
438 		ASSERT(zstate != ZONE_IS_READY);
439 		return;
440 	}
441 
442 	tad = U2A(u);
443 	/*
444 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
445 	 *	chroot, chdir, open, creat system call processing. It determines
446 	 *	if audit_savepath() will discard the path or we need it later.
447 	 * PAD_PATHFND means path already included in this audit record. It
448 	 *	is used in cases where multiple path lookups are done per
449 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
450 	 *	paths are allowed.
451 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
452 	 *	exit processing to inhibit any paths that may be added due to
453 	 *	closes.
454 	 */
455 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
456 		((tad->tad_ctrl & PAD_PATHFND) &&
457 		!(kctx->auk_policy & AUDIT_PATH)) ||
458 		(tad->tad_ctrl & PAD_NOPATH)) {
459 			return;
460 	}
461 
462 	return;
463 
464 }	/* AUDIT_ADDCOMPONENT */
465 
466 
467 
468 
469 
470 
471 
472 
473 /*
474  * ROUTINE:	AUDIT_ANCHORPATH
475  * PURPOSE:
476  * CALLBY:	LOOKUPPN
477  * NOTE:
478  * anchor path at "/". We have seen a symbolic link or entering for the
479  * first time we will throw away any saved path if path is anchored.
480  *
481  * flag = 0, path is relative.
482  * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH.
483  *
484  * If the (new) path is absolute, then we have to throw away whatever we have
485  * already accumulated since it is being superceeded by new path which is
486  * anchored at the root.
487  *		Note that if the path is relative, this function does nothing
488  * TODO:
489  * QUESTION:
490  */
491 /*ARGSUSED*/
492 void
493 audit_anchorpath(struct pathname *pnp, int flag)
494 {
495 	au_kcontext_t	*kctx = SET_KCTX_PZ;
496 	t_audit_data_t *tad;
497 
498 	if (kctx == NULL) {
499 		zone_status_t zstate = zone_status_get(curproc->p_zone);
500 		ASSERT(zstate != ZONE_IS_READY);
501 		return;
502 	}
503 
504 	tad = U2A(u);
505 
506 	/*
507 	 * this event being audited or do we need path information
508 	 * later? This might be for a chdir/chroot or open (add path
509 	 * to file pointer. If the path has already been found for an
510 	 * open/creat then we don't need to process the path.
511 	 *
512 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
513 	 *	chroot, chdir, open, creat system call processing. It determines
514 	 *	if audit_savepath() will discard the path or we need it later.
515 	 * PAD_PATHFND means path already included in this audit record. It
516 	 *	is used in cases where multiple path lookups are done per
517 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
518 	 *	paths are allowed.
519 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
520 	 *	exit processing to inhibit any paths that may be added due to
521 	 *	closes.
522 	 */
523 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
524 		((tad->tad_ctrl & PAD_PATHFND) &&
525 		!(kctx->auk_policy & AUDIT_PATH)) ||
526 		(tad->tad_ctrl & PAD_NOPATH)) {
527 			return;
528 	}
529 
530 	if (flag) {
531 		tad->tad_ctrl |= PAD_ABSPATH;
532 		if (tad->tad_aupath != NULL) {
533 			au_pathrele(tad->tad_aupath);
534 			tad->tad_aupath = NULL;
535 			tad->tad_vn = NULL;
536 		}
537 	}
538 }
539 
540 
541 /*
542  * symbolic link. Save previous components.
543  *
544  * the path seen so far looks like this
545  *
546  *  +-----------------------+----------------+
547  *  | path processed so far | remaining path |
548  *  +-----------------------+----------------+
549  *  \-----------------------/
550  *	save this string if
551  *	symbolic link relative
552  *	(but don't include  symlink component)
553  */
554 
555 /*ARGSUSED*/
556 
557 
558 /*
559  * ROUTINE:	AUDIT_SYMLINK
560  * PURPOSE:
561  * CALLBY:	LOOKUPPN
562  * NOTE:
563  * TODO:
564  * QUESTION:
565  */
566 void
567 audit_symlink(struct pathname *pnp, struct pathname *sympath)
568 {
569 	char *sp;	/* saved initial pp */
570 	char *cp;	/* start of symlink path */
571 	uint_t len_path;	/* processed path before symlink */
572 	t_audit_data_t *tad;
573 	au_kcontext_t	*kctx = SET_KCTX_PZ;
574 
575 	if (kctx == NULL) {
576 		zone_status_t zstate = zone_status_get(curproc->p_zone);
577 		ASSERT(zstate != ZONE_IS_READY);
578 		return;
579 	}
580 
581 	tad = U2A(u);
582 
583 	/*
584 	 * this event being audited or do we need path information
585 	 * later? This might be for a chdir/chroot or open (add path
586 	 * to file pointer. If the path has already been found for an
587 	 * open/creat then we don't need to process the path.
588 	 *
589 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
590 	 *	chroot, chdir, open, creat system call processing. It determines
591 	 *	if audit_savepath() will discard the path or we need it later.
592 	 * PAD_PATHFND means path already included in this audit record. It
593 	 *	is used in cases where multiple path lookups are done per
594 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
595 	 *	paths are allowed.
596 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
597 	 *	exit processing to inhibit any paths that may be added due to
598 	 *	closes.
599 	 */
600 	if ((tad->tad_flag == 0 &&
601 		!(tad->tad_ctrl & PAD_SAVPATH)) ||
602 		((tad->tad_ctrl & PAD_PATHFND) &&
603 		!(kctx->auk_policy & AUDIT_PATH)) ||
604 		(tad->tad_ctrl & PAD_NOPATH)) {
605 			return;
606 	}
607 
608 	/*
609 	 * if symbolic link is anchored at / then do nothing.
610 	 * When we cycle back to begin: in lookuppn() we will
611 	 * call audit_anchorpath() with a flag indicating if the
612 	 * path is anchored at / or is relative. We will release
613 	 * any saved path at that point.
614 	 *
615 	 * Note In the event that an error occurs in pn_combine then
616 	 * we want to remain pointing at the component that caused the
617 	 * path to overflow the pnp structure.
618 	 */
619 	if (sympath->pn_buf[0] == '/')
620 		return;
621 
622 	/* backup over last component */
623 	sp = cp = pnp->pn_path;
624 	while (*--cp != '/' && cp > pnp->pn_buf)
625 		;
626 
627 	len_path = cp - pnp->pn_buf;
628 
629 	/* is there anything to save? */
630 	if (len_path) {
631 		pnp->pn_path = cp;
632 		audit_pathbuild(pnp);
633 		pnp->pn_path = sp;
634 	}
635 }
636 
637 /*
638  * file_is_public : determine whether events for the file (corresponding to
639  * 			the specified file attr) should be audited or ignored.
640  *
641  * returns: 	1 - if audit policy and file attributes indicate that
642  *			file is effectively public. read events for
643  *			the file should not be audited.
644  *		0 - otherwise
645  *
646  * The required attributes to be considered a public object are:
647  * - owned by root, AND
648  * - world-readable (permissions for other include read), AND
649  * - NOT world-writeable (permissions for other don't
650  *	include write)
651  *   (mode doesn't need to be checked for symlinks)
652  */
653 int
654 file_is_public(struct vattr *attr)
655 {
656 	au_kcontext_t	*kctx = SET_KCTX_PZ;
657 
658 	if (kctx == NULL) {
659 		zone_status_t zstate = zone_status_get(curproc->p_zone);
660 		ASSERT(zstate != ZONE_IS_READY);
661 		return (0);
662 	}
663 
664 	if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
665 	    ((attr->va_type == VLNK) ||
666 	    ((attr->va_mode & (VREAD>>6)) != 0) &&
667 	    ((attr->va_mode & (VWRITE>>6)) == 0))) {
668 		return (1);
669 	}
670 	return (0);
671 }
672 
673 
674 /*
675  * ROUTINE:	AUDIT_ATTRIBUTES
676  * PURPOSE:	Audit the attributes so we can tell why the error occured
677  * CALLBY:	AUDIT_SAVEPATH
678  *		AUDIT_VNCREATE_FINISH
679  *		AUS_FCHOWN...audit_event.c...audit_path.c
680  * NOTE:
681  * TODO:
682  * QUESTION:
683  */
684 void
685 audit_attributes(struct vnode *vp)
686 {
687 	struct vattr attr;
688 	struct t_audit_data *tad;
689 
690 	tad = U2A(u);
691 
692 	if (vp) {
693 		attr.va_mask = AT_ALL;
694 		if (VOP_GETATTR(vp, &attr, 0, CRED()) != 0)
695 			return;
696 
697 		if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) {
698 			/*
699 			 * This is a public object and a "public" event
700 			 * (i.e., read only) -- either by definition
701 			 * (e.g., stat, access...) or by virtue of write access
702 			 * not being requested (e.g. mmap).
703 			 * Flag it in the tad to prevent this audit at the end.
704 			 */
705 			tad->tad_ctrl |= PAD_NOAUDIT;
706 		} else {
707 			au_uwrite(au_to_attr(&attr));
708 			audit_sec_attributes(&(u_ad), vp);
709 		}
710 	}
711 }
712 
713 
714 /*
715  * ROUTINE:	AUDIT_FALLOC
716  * PURPOSE:	allocating a new file structure
717  * CALLBY:	FALLOC
718  * NOTE:	file structure already initialized
719  * TODO:
720  * QUESTION:
721  */
722 
723 void
724 audit_falloc(struct file *fp)
725 {	/* AUDIT_FALLOC */
726 
727 	f_audit_data_t *fad;
728 
729 	/* allocate per file audit structure if there a'int any */
730 	ASSERT(F2A(fp) == NULL);
731 
732 	fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP);
733 
734 	F2A(fp) = fad;
735 
736 	fad->fad_thread = curthread; 	/* file audit data back ptr; DEBUG */
737 }
738 
739 /*
740  * ROUTINE:	AUDIT_UNFALLOC
741  * PURPOSE:	deallocate file audit data structure
742  * CALLBY:	CLOSEF
743  *		UNFALLOC
744  * NOTE:
745  * TODO:
746  * QUESTION:
747  */
748 
749 void
750 audit_unfalloc(struct file *fp)
751 {
752 	f_audit_data_t *fad;
753 
754 	fad = F2A(fp);
755 
756 	if (!fad) {
757 		return;
758 	}
759 	if (fad->fad_aupath != NULL) {
760 		au_pathrele(fad->fad_aupath);
761 	}
762 	fp->f_audit_data = 0;
763 	kmem_free(fad, sizeof (struct f_audit_data));
764 }
765 
766 /*
767  * ROUTINE:	AUDIT_EXIT
768  * PURPOSE:
769  * CALLBY:	EXIT
770  * NOTE:
771  * TODO:
772  * QUESTION:	why cmw code as offset by 2 but not here
773  */
774 /* ARGSUSED */
775 void
776 audit_exit(int code, int what)
777 {
778 	struct t_audit_data *tad;
779 	tad = U2A(u);
780 
781 	/*
782 	 * tad_scid will be set by audit_start even if we are not auditing
783 	 * the event.
784 	 */
785 	if (tad->tad_scid == SYS_exit) {
786 		/*
787 		 * if we are auditing the exit system call, then complete
788 		 * audit record generation (no return from system call).
789 		 */
790 		if (tad->tad_flag && tad->tad_event == AUE_EXIT)
791 			audit_finish(0, SYS_exit, 0, 0);
792 		return;
793 	}
794 
795 	/*
796 	 * Anyone auditing the system call that was aborted?
797 	 */
798 	if (tad->tad_flag) {
799 		au_uwrite(au_to_text("event aborted"));
800 		audit_finish(0, tad->tad_scid, 0, 0);
801 	}
802 
803 	/*
804 	 * Generate an audit record for process exit if preselected.
805 	 */
806 	(void) audit_start(0, SYS_exit, 0, 0);
807 	audit_finish(0, SYS_exit, 0, 0);
808 }
809 
810 /*
811  * ROUTINE:	AUDIT_CORE_START
812  * PURPOSE:
813  * CALLBY: 	PSIG
814  * NOTE:
815  * TODO:
816  */
817 void
818 audit_core_start(int sig)
819 {
820 	au_event_t event;
821 	au_state_t estate;
822 	t_audit_data_t *tad;
823 	au_kcontext_t	*kctx;
824 
825 	tad = U2A(u);
826 
827 	ASSERT(tad != (t_audit_data_t *)0);
828 
829 	ASSERT(tad->tad_scid == 0);
830 	ASSERT(tad->tad_event == 0);
831 	ASSERT(tad->tad_evmod == 0);
832 	ASSERT(tad->tad_ctrl == 0);
833 	ASSERT(tad->tad_flag == 0);
834 	ASSERT(tad->tad_aupath == NULL);
835 
836 	kctx = SET_KCTX_PZ;
837 
838 	if (kctx == NULL) {
839 		zone_status_t zstate = zone_status_get(curproc->p_zone);
840 		ASSERT(zstate != ZONE_IS_READY);
841 		return;
842 	}
843 
844 	/* get basic event for system call */
845 	event = AUE_CORE;
846 	estate = kctx->auk_ets[event];
847 
848 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
849 		return;
850 
851 	/* reset the flags for non-user attributable events */
852 	tad->tad_ctrl   = PAD_CORE;
853 	tad->tad_scid   = 0;
854 
855 	/* if auditing not enabled, then don't generate an audit record */
856 
857 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
858 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
859 	    kctx->auk_auditstate == AUC_NOSPACE)) {
860 		tad->tad_flag = 0;
861 		tad->tad_ctrl = 0;
862 		return;
863 	}
864 
865 	tad->tad_event  = event;
866 	tad->tad_evmod  = 0;
867 
868 	ASSERT(tad->tad_ad == NULL);
869 
870 	au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
871 }
872 
873 /*
874  * ROUTINE:	AUDIT_CORE_FINISH
875  * PURPOSE:
876  * CALLBY:	PSIG
877  * NOTE:
878  * TODO:
879  * QUESTION:
880  */
881 
882 /*ARGSUSED*/
883 void
884 audit_core_finish(int code)
885 {
886 	int flag;
887 	t_audit_data_t *tad;
888 	au_kcontext_t	*kctx;
889 
890 	tad = U2A(u);
891 
892 	ASSERT(tad != (t_audit_data_t *)0);
893 
894 	if ((flag = tad->tad_flag) == 0) {
895 		tad->tad_event = 0;
896 		tad->tad_evmod = 0;
897 		tad->tad_ctrl  = 0;
898 		ASSERT(tad->tad_aupath == NULL);
899 		return;
900 	}
901 	tad->tad_flag = 0;
902 
903 	kctx = SET_KCTX_PZ;
904 	if (kctx == NULL) {
905 		zone_status_t zstate = zone_status_get(curproc->p_zone);
906 		ASSERT(zstate != ZONE_IS_READY);
907 		return;
908 	}
909 
910 	/* kludge for error 0, should use `code==CLD_DUMPED' instead */
911 	if (flag = audit_success(kctx, tad, 0)) {
912 		cred_t *cr = CRED();
913 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
914 
915 		ASSERT(ainfo != NULL);
916 
917 		/*
918 		 * Add subject information (no locks since our private copy of
919 		 * credential
920 		 */
921 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
922 
923 		/* Add a return token (should use f argument) */
924 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
925 
926 		AS_INC(as_generated, 1, kctx);
927 		AS_INC(as_kernel, 1, kctx);
928 	}
929 
930 	/* Close up everything */
931 	au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod);
932 
933 	/* free up any space remaining with the path's */
934 	if (tad->tad_aupath != NULL) {
935 		au_pathrele(tad->tad_aupath);
936 		tad->tad_aupath = NULL;
937 		tad->tad_vn = NULL;
938 	}
939 	tad->tad_event = 0;
940 	tad->tad_evmod = 0;
941 	tad->tad_ctrl  = 0;
942 }
943 
944 /*ARGSUSED*/
945 void
946 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp)
947 {
948 }
949 
950 /*ARGSUSED*/
951 void
952 audit_strclose(struct vnode *vp, int flag, cred_t *crp)
953 {
954 }
955 
956 /*ARGSUSED*/
957 void
958 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag,
959     int copyflag, cred_t *crp, int *rvalp)
960 {
961 }
962 
963 
964 /*ARGSUSED*/
965 void
966 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
967     unsigned char *pri, int *flag, int fmode)
968 {
969 	struct stdata *stp;
970 	t_audit_data_t *tad = U2A(u);
971 
972 	ASSERT(tad != (t_audit_data_t *)0);
973 
974 	stp = vp->v_stream;
975 
976 	/* lock stdata from audit_sock */
977 	mutex_enter(&stp->sd_lock);
978 
979 	/* proceed ONLY if user is being audited */
980 	if (!tad->tad_flag) {
981 		/*
982 		 * this is so we will not add audit data onto
983 		 * a thread that is not being audited.
984 		 */
985 		stp->sd_t_audit_data = NULL;
986 		mutex_exit(&stp->sd_lock);
987 		return;
988 	}
989 
990 	stp->sd_t_audit_data = (caddr_t)curthread;
991 	mutex_exit(&stp->sd_lock);
992 }
993 
994 /*ARGSUSED*/
995 void
996 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
997     unsigned char pri, int flag, int fmode)
998 {
999 	struct stdata *stp;
1000 	t_audit_data_t *tad = U2A(u);
1001 
1002 	ASSERT(tad != (t_audit_data_t *)0);
1003 
1004 	stp = vp->v_stream;
1005 
1006 	/* lock stdata from audit_sock */
1007 	mutex_enter(&stp->sd_lock);
1008 
1009 	/* proceed ONLY if user is being audited */
1010 	if (!tad->tad_flag) {
1011 		/*
1012 		 * this is so we will not add audit data onto
1013 		 * a thread that is not being audited.
1014 		 */
1015 		stp->sd_t_audit_data = NULL;
1016 		mutex_exit(&stp->sd_lock);
1017 		return;
1018 	}
1019 
1020 	stp->sd_t_audit_data = (caddr_t)curthread;
1021 	mutex_exit(&stp->sd_lock);
1022 }
1023 
1024 /*
1025  * ROUTINE:	AUDIT_CLOSEF
1026  * PURPOSE:
1027  * CALLBY:	CLOSEF
1028  * NOTE:
1029  * release per file audit resources when file structure is being released.
1030  *
1031  * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
1032  *	on the audit queue if it becomes full. This means
1033  *	audit_closef can not be called when f_count == 0. Since
1034  *	f_count == 0 indicates the file structure is free, another
1035  *	process could attempt to use the file while we were still
1036  *	asleep waiting on the audit queue. This would cause the
1037  *	per file audit data to be corrupted when we finally do
1038  *	wakeup.
1039  * TODO:
1040  * QUESTION:
1041  */
1042 
1043 void
1044 audit_closef(struct file *fp)
1045 {	/* AUDIT_CLOSEF */
1046 	f_audit_data_t *fad;
1047 	t_audit_data_t *tad;
1048 	int success;
1049 	au_state_t estate;
1050 	struct vnode *vp;
1051 	token_t *ad = NULL;
1052 	struct vattr attr;
1053 	short evmod = 0;
1054 	const auditinfo_addr_t *ainfo;
1055 	int getattr_ret;
1056 	cred_t *cr;
1057 	au_kcontext_t	*kctx = SET_KCTX_PZ;
1058 
1059 	if (kctx == NULL) {
1060 		zone_status_t zstate = zone_status_get(curproc->p_zone);
1061 		ASSERT(zstate != ZONE_IS_READY);
1062 		return;
1063 	}
1064 
1065 	fad = F2A(fp);
1066 	estate = kctx->auk_ets[AUE_CLOSE];
1067 	tad = U2A(u);
1068 	cr = CRED();
1069 
1070 	/* audit record already generated by system call envelope */
1071 	if (tad->tad_event == AUE_CLOSE) {
1072 		/* so close audit event will have bits set */
1073 		tad->tad_evmod |= (short)fad->fad_flags;
1074 		return;
1075 	}
1076 
1077 	/* if auditing not enabled, then don't generate an audit record */
1078 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
1079 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
1080 	    kctx->auk_auditstate == AUC_NOSPACE))
1081 		return;
1082 
1083 	ainfo = crgetauinfo(cr);
1084 	if (ainfo == NULL)
1085 		return;
1086 
1087 	success = ainfo->ai_mask.as_success & estate;
1088 
1089 	/* not selected for this event */
1090 	if (success == 0)
1091 		return;
1092 
1093 	/*
1094 	 * can't use audit_attributes here since we use a private audit area
1095 	 * to build the audit record instead of the one off the thread.
1096 	 */
1097 	if ((vp = fp->f_vnode) != NULL) {
1098 		attr.va_mask = AT_ALL;
1099 		getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED());
1100 	}
1101 
1102 	/*
1103 	 * When write was not used and the file can be considered public,
1104 	 * then skip the audit.
1105 	 */
1106 	if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) {
1107 		if (file_is_public(&attr)) {
1108 			return;
1109 		}
1110 	}
1111 
1112 	evmod = (short)fad->fad_flags;
1113 	if (fad->fad_aupath != NULL) {
1114 		au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
1115 	} else {
1116 #ifdef _LP64
1117 		au_write((caddr_t *)&(ad), au_to_arg64(
1118 			1, "no path: fp", (uint64_t)fp));
1119 #else
1120 		au_write((caddr_t *)&(ad), au_to_arg32(
1121 			1, "no path: fp", (uint32_t)fp));
1122 #endif
1123 	}
1124 
1125 	if (getattr_ret == 0) {
1126 		au_write((caddr_t *)&(ad), au_to_attr(&attr));
1127 		audit_sec_attributes((caddr_t *)&(ad), vp);
1128 	}
1129 
1130 	/* Add subject information */
1131 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1132 
1133 	/* add a return token */
1134 	add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
1135 
1136 	AS_INC(as_generated, 1, kctx);
1137 	AS_INC(as_kernel, 1, kctx);
1138 
1139 	/*
1140 	 * Close up everything
1141 	 * Note: path space recovery handled by normal system
1142 	 * call envelope if not at last close.
1143 	 * Note there is no failure at this point since
1144 	 *   this represents closes due to exit of process,
1145 	 *   thus we always indicate successful closes.
1146 	 */
1147 	au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
1148 	    AUE_CLOSE, evmod);
1149 }
1150 
1151 /*
1152  * ROUTINE:	AUDIT_SET
1153  * PURPOSE:	Audit the file path and file attributes.
1154  * CALLBY:	SETF
1155  * NOTE:	SETF associate a file pointer with user area's open files.
1156  * TODO:
1157  * call audit_finish directly ???
1158  * QUESTION:
1159  */
1160 
1161 /*ARGSUSED*/
1162 void
1163 audit_setf(file_t *fp, int fd)
1164 {
1165 	f_audit_data_t *fad;
1166 	t_audit_data_t *tad;
1167 
1168 	if (fp == NULL)
1169 		return;
1170 
1171 	tad = T2A(curthread);
1172 	fad = F2A(fp);
1173 
1174 	if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat ||
1175 	    tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_creat64 ||
1176 	    tad->tad_scid == SYS_fsat))
1177 		return;
1178 
1179 	/* no path */
1180 	if (tad->tad_aupath == 0)
1181 		return;
1182 
1183 	/*
1184 	 * assign path information associated with file audit data
1185 	 * use tad hold
1186 	 */
1187 	fad->fad_aupath = tad->tad_aupath;
1188 	tad->tad_aupath = NULL;
1189 	tad->tad_vn = NULL;
1190 
1191 	if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) {
1192 	/* adjust event type */
1193 		switch (tad->tad_event) {
1194 		case AUE_OPEN_RC:
1195 			tad->tad_event = AUE_OPEN_R;
1196 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1197 			break;
1198 		case AUE_OPEN_RTC:
1199 			tad->tad_event = AUE_OPEN_RT;
1200 			break;
1201 		case AUE_OPEN_WC:
1202 			tad->tad_event = AUE_OPEN_W;
1203 			break;
1204 		case AUE_OPEN_WTC:
1205 			tad->tad_event = AUE_OPEN_WT;
1206 			break;
1207 		case AUE_OPEN_RWC:
1208 			tad->tad_event = AUE_OPEN_RW;
1209 			break;
1210 		case AUE_OPEN_RWTC:
1211 			tad->tad_event = AUE_OPEN_RWT;
1212 			break;
1213 		default:
1214 			break;
1215 		}
1216 	}
1217 }
1218 
1219 
1220 /*
1221  * ROUTINE:	AUDIT_COPEN
1222  * PURPOSE:
1223  * CALLBY:	COPEN
1224  * NOTE:
1225  * TODO:
1226  * QUESTION:
1227  */
1228 /*ARGSUSED*/
1229 void
1230 audit_copen(int fd, file_t *fp, vnode_t *vp)
1231 {
1232 }
1233 
1234 void
1235 audit_ipc(int type, int id, void *vp)
1236 {
1237 	/* if not auditing this event, then do nothing */
1238 	if (ad_flag == 0)
1239 		return;
1240 
1241 	switch (type) {
1242 	case AT_IPC_MSG:
1243 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1244 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
1245 		break;
1246 	case AT_IPC_SEM:
1247 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1248 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
1249 		break;
1250 	case AT_IPC_SHM:
1251 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
1252 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
1253 		break;
1254 	}
1255 }
1256 
1257 void
1258 audit_ipcget(int type, void *vp)
1259 {
1260 	/* if not auditing this event, then do nothing */
1261 	if (ad_flag == 0)
1262 		return;
1263 
1264 	switch (type) {
1265 	case NULL:
1266 		au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
1267 		break;
1268 	case AT_IPC_MSG:
1269 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
1270 		break;
1271 	case AT_IPC_SEM:
1272 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
1273 		break;
1274 	case AT_IPC_SHM:
1275 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
1276 		break;
1277 	}
1278 }
1279 
1280 /*
1281  * ROUTINE:	AUDIT_REBOOT
1282  * PURPOSE:
1283  * CALLBY:
1284  * NOTE:
1285  * At this point we know that the system call reboot will not return. We thus
1286  * have to complete the audit record generation and put it onto the queue.
1287  * This might be fairly useless if the auditing daemon is already dead....
1288  * TODO:
1289  * QUESTION:	who calls audit_reboot
1290  */
1291 
1292 void
1293 audit_reboot(void)
1294 {
1295 	int flag;
1296 	t_audit_data_t *tad;
1297 	au_kcontext_t	*kctx = SET_KCTX_PZ;
1298 
1299 	if (kctx == NULL) {
1300 		zone_status_t zstate = zone_status_get(curproc->p_zone);
1301 		ASSERT(zstate != ZONE_IS_READY);
1302 		return;
1303 	}
1304 
1305 	tad = U2A(u);
1306 
1307 	/* if not auditing this event, then do nothing */
1308 	if (tad->tad_flag == 0)
1309 		return;
1310 
1311 	/* do preselection on success/failure */
1312 	if (flag = audit_success(kctx, tad, 0)) {
1313 		/* add a process token */
1314 
1315 		cred_t *cr = CRED();
1316 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1317 
1318 		if (ainfo == NULL)
1319 			return;
1320 
1321 		/* Add subject information */
1322 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
1323 
1324 		/* add a return token */
1325 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
1326 
1327 		AS_INC(as_generated, 1, kctx);
1328 		AS_INC(as_kernel, 1, kctx);
1329 	}
1330 
1331 	/*
1332 	 * Flow control useless here since we're going
1333 	 * to drop everything in the queue anyway. Why
1334 	 * block and wait. There aint anyone left alive to
1335 	 * read the records remaining anyway.
1336 	 */
1337 
1338 	/* Close up everything */
1339 	au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1340 	    tad->tad_event, tad->tad_evmod);
1341 }
1342 
1343 void
1344 audit_setfsat_path(int argnum)
1345 {
1346 	klwp_id_t clwp = ttolwp(curthread);
1347 	struct file  *fp;
1348 	uint32_t fd;
1349 	t_audit_data_t *tad;
1350 	struct f_audit_data *fad;
1351 	p_audit_data_t *pad;	/* current process */
1352 
1353 	struct b {
1354 		long arg1;
1355 		long arg2;
1356 		long arg3;
1357 		long arg4;
1358 		long arg5;
1359 	} *uap1;
1360 
1361 	if (clwp == NULL)
1362 		return;
1363 	uap1 = (struct b *)&clwp->lwp_ap[1];
1364 
1365 	tad = U2A(u);
1366 
1367 	ASSERT(tad != NULL);
1368 
1369 	if (tad->tad_scid != SYS_fsat)
1370 		return;
1371 
1372 	switch (argnum) {
1373 	case 1:
1374 		fd = (uint32_t)uap1->arg1;
1375 		break;
1376 	case 2:
1377 		fd = (uint32_t)uap1->arg2;
1378 		break;
1379 	case 3:
1380 		fd = (uint32_t)uap1->arg3;
1381 		break;
1382 	case 4:
1383 		fd = (uint32_t)uap1->arg4;
1384 		break;
1385 	case 5:
1386 		fd = (uint32_t)uap1->arg5;
1387 		break;
1388 	default:
1389 		return;
1390 	}
1391 
1392 	if (tad->tad_atpath != NULL) {
1393 		au_pathrele(tad->tad_atpath);
1394 		tad->tad_atpath = NULL;
1395 	}
1396 	if (fd != AT_FDCWD) {
1397 		if ((fp = getf(fd)) == NULL)
1398 			return;
1399 
1400 		fad = F2A(fp);
1401 		ASSERT(fad);
1402 		au_pathhold(fad->fad_aupath);
1403 		tad->tad_atpath = fad->fad_aupath;
1404 		releasef(fd);
1405 	} else {
1406 		pad = P2A(curproc);
1407 		mutex_enter(&pad->pad_lock);
1408 		au_pathhold(pad->pad_cwd);
1409 		tad->tad_atpath = pad->pad_cwd;
1410 		mutex_exit(&pad->pad_lock);
1411 	}
1412 }
1413 
1414 void
1415 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1416 {
1417 	t_audit_data_t *tad;
1418 	vnode_t	*vp;
1419 
1420 	tad = U2A(u);
1421 
1422 	/* if not auditing this event, then do nothing */
1423 	if (tad->tad_flag == 0)
1424 		return;
1425 
1426 	au_uwrite(au_to_text(target));
1427 
1428 	if (error)
1429 		return;
1430 
1431 	error = VOP_LOOKUP(dvp, sname, &vp, NULL, NO_FOLLOW, NULL, CRED());
1432 	if (error == 0) {
1433 		audit_attributes(vp);
1434 		VN_RELE(vp);
1435 	}
1436 }
1437 
1438 /*
1439  * ROUTINE:	AUDIT_VNCREATE_START
1440  * PURPOSE:	set flag so path name lookup in create will not add attribute
1441  * CALLBY:	VN_CREATE
1442  * NOTE:
1443  * TODO:
1444  * QUESTION:
1445  */
1446 
1447 void
1448 audit_vncreate_start()
1449 {
1450 	t_audit_data_t *tad;
1451 
1452 	tad = U2A(u);
1453 	tad->tad_ctrl |= PAD_NOATTRB;
1454 }
1455 
1456 /*
1457  * ROUTINE:	AUDIT_VNCREATE_FINISH
1458  * PURPOSE:
1459  * CALLBY:	VN_CREATE
1460  * NOTE:
1461  * TODO:
1462  * QUESTION:
1463  */
1464 void
1465 audit_vncreate_finish(struct vnode *vp, int error)
1466 {
1467 	t_audit_data_t *tad;
1468 
1469 	if (error)
1470 		return;
1471 
1472 	tad = U2A(u);
1473 
1474 	/* if not auditing this event, then do nothing */
1475 	if (tad->tad_flag == 0)
1476 		return;
1477 
1478 	if (tad->tad_ctrl & PAD_TRUE_CREATE) {
1479 		audit_attributes(vp);
1480 	}
1481 
1482 	if (tad->tad_ctrl & PAD_CORE) {
1483 		audit_attributes(vp);
1484 		tad->tad_ctrl &= ~PAD_CORE;
1485 	}
1486 
1487 	if (!error && ((tad->tad_event == AUE_MKNOD) ||
1488 			(tad->tad_event == AUE_MKDIR))) {
1489 		audit_attributes(vp);
1490 	}
1491 
1492 	/* for case where multiple lookups in one syscall (rename) */
1493 	tad->tad_ctrl &= ~PAD_NOATTRB;
1494 }
1495 
1496 
1497 
1498 
1499 
1500 
1501 
1502 
1503 /*
1504  * ROUTINE:	AUDIT_EXEC
1505  * PURPOSE:	Records the function arguments and environment variables
1506  * CALLBY:	EXEC_ARGS
1507  * NOTE:
1508  * TODO:
1509  * QUESTION:
1510  */
1511 
1512 /*ARGSUSED*/
1513 void
1514 audit_exec(
1515 	const char *argstr,	/* argument strings */
1516 	const char *envstr,	/* environment strings */
1517 	ssize_t argc,		/* total # arguments */
1518 	ssize_t envc)		/* total # environment variables */
1519 {
1520 	t_audit_data_t *tad;
1521 	au_kcontext_t	*kctx = SET_KCTX_PZ;
1522 
1523 	ASSERT(kctx != NULL);
1524 
1525 	tad = U2A(u);
1526 
1527 	/* if not auditing this event, then do nothing */
1528 	if (!tad->tad_flag)
1529 		return;
1530 
1531 	/* return if not interested in argv or environment variables */
1532 	if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE)))
1533 		return;
1534 
1535 	if (kctx->auk_policy & AUDIT_ARGV) {
1536 		au_uwrite(au_to_exec_args(argstr, argc));
1537 	}
1538 
1539 	if (kctx->auk_policy & AUDIT_ARGE) {
1540 		au_uwrite(au_to_exec_env(envstr, envc));
1541 	}
1542 }
1543 
1544 /*
1545  * ROUTINE:	AUDIT_ENTERPROM
1546  * PURPOSE:
1547  * CALLBY:	KBDINPUT
1548  *		ZSA_XSINT
1549  * NOTE:
1550  * TODO:
1551  * QUESTION:
1552  */
1553 void
1554 audit_enterprom(int flg)
1555 {
1556 	token_t *rp = NULL;
1557 	int sorf;
1558 
1559 	if (flg)
1560 		sorf = AUM_SUCC;
1561 	else
1562 		sorf = AUM_FAIL;
1563 
1564 	AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1565 
1566 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1567 
1568 	if (flg)
1569 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1570 	else
1571 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1572 
1573 	AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL);
1574 }
1575 
1576 
1577 /*
1578  * ROUTINE:	AUDIT_EXITPROM
1579  * PURPOSE:
1580  * CALLBY:	KBDINPUT
1581  *		ZSA_XSINT
1582  * NOTE:
1583  * TODO:
1584  * QUESTION:
1585  */
1586 void
1587 audit_exitprom(int flg)
1588 {
1589 	int sorf;
1590 	token_t *rp = NULL;
1591 
1592 	if (flg)
1593 		sorf = AUM_SUCC;
1594 	else
1595 		sorf = AUM_FAIL;
1596 
1597 	AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1598 
1599 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1600 
1601 	if (flg)
1602 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1603 	else
1604 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1605 
1606 	AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL);
1607 }
1608 
1609 struct fcntla {
1610 	int fdes;
1611 	int cmd;
1612 	intptr_t arg;
1613 };
1614 
1615 /*
1616  * ROUTINE:	AUDIT_C2_REVOKE
1617  * PURPOSE:
1618  * CALLBY:	FCNTL
1619  * NOTE:
1620  * TODO:
1621  * QUESTION:	are we keeping this func
1622  */
1623 
1624 /*ARGSUSED*/
1625 int
1626 audit_c2_revoke(struct fcntla *uap, rval_t *rvp)
1627 {
1628 	return (0);
1629 }
1630 
1631 
1632 /*
1633  * ROUTINE:	AUDIT_CHDIREC
1634  * PURPOSE:
1635  * CALLBY:	CHDIREC
1636  * NOTE:	The main function of CHDIREC
1637  * TODO:	Move the audit_chdirec hook above the VN_RELE in vncalls.c
1638  * QUESTION:
1639  */
1640 
1641 /*ARGSUSED*/
1642 void
1643 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1644 {
1645 	int		chdir;
1646 	int		fchdir;
1647 	struct audit_path	**appp;
1648 	struct file	*fp;
1649 	f_audit_data_t *fad;
1650 	p_audit_data_t *pad = P2A(curproc);
1651 	t_audit_data_t *tad = T2A(curthread);
1652 
1653 	struct a {
1654 		long fd;
1655 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1656 
1657 	if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1658 		chdir = tad->tad_scid == SYS_chdir;
1659 		if (tad->tad_aupath) {
1660 			mutex_enter(&pad->pad_lock);
1661 			if (chdir)
1662 				appp = &(pad->pad_cwd);
1663 			else
1664 				appp = &(pad->pad_root);
1665 			au_pathrele(*appp);
1666 			/* use tad hold */
1667 			*appp = tad->tad_aupath;
1668 			tad->tad_aupath = NULL;
1669 			mutex_exit(&pad->pad_lock);
1670 		}
1671 	} else if ((tad->tad_scid == SYS_fchdir) ||
1672 	    (tad->tad_scid == SYS_fchroot)) {
1673 		fchdir = tad->tad_scid == SYS_fchdir;
1674 		if ((fp = getf(uap->fd)) == NULL)
1675 			return;
1676 		fad = F2A(fp);
1677 		if (fad->fad_aupath) {
1678 			au_pathhold(fad->fad_aupath);
1679 			mutex_enter(&pad->pad_lock);
1680 			if (fchdir)
1681 				appp = &(pad->pad_cwd);
1682 			else
1683 				appp = &(pad->pad_root);
1684 			au_pathrele(*appp);
1685 			*appp = fad->fad_aupath;
1686 			mutex_exit(&pad->pad_lock);
1687 			if (tad->tad_flag) {
1688 				au_uwrite(au_to_path(fad->fad_aupath));
1689 				audit_attributes(fp->f_vnode);
1690 			}
1691 		}
1692 		releasef(uap->fd);
1693 	}
1694 }
1695 
1696 /*
1697  * ROUTINE:	AUDIT_GETF
1698  * PURPOSE:
1699  * CALLBY:	GETF_INTERNAL
1700  * NOTE:	The main function of GETF_INTERNAL is to associate a given
1701  *		file descriptor with a file structure and increment the
1702  *		file pointer reference count.
1703  * TODO:	remove pass in of fpp.
1704  * increment a reference count so that even if a thread with same process delete
1705  * the same object, it will not panic our system
1706  * QUESTION:
1707  * where to decrement the f_count?????????????????
1708  * seems like I need to set a flag if f_count incrmented through audit_getf
1709  */
1710 
1711 /*ARGSUSED*/
1712 int
1713 audit_getf(int fd)
1714 {
1715 #ifdef NOTYET
1716 	t_audit_data_t *tad;
1717 
1718 	tad = T2A(curthread);
1719 
1720 	if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat))
1721 		return;
1722 #endif
1723 	return (0);
1724 }
1725 
1726 /*
1727  *	Audit hook for stream based socket and tli request.
1728  *	Note that we do not have user context while executing
1729  *	this code so we had to record them earlier during the
1730  *	putmsg/getmsg to figure out which user we are dealing with.
1731  */
1732 
1733 /*ARGSUSED*/
1734 void
1735 audit_sock(
1736 	int type,	/* type of tihdr.h header requests */
1737 	queue_t *q,	/* contains the process and thread audit data */
1738 	mblk_t *mp,	/* contains the tihdr.h header structures */
1739 	int from)	/* timod or sockmod request */
1740 {
1741 	int32_t    len;
1742 	int32_t    offset;
1743 	struct sockaddr_in *sock_data;
1744 	struct T_conn_req *conn_req;
1745 	struct T_conn_ind *conn_ind;
1746 	struct T_unitdata_req *unitdata_req;
1747 	struct T_unitdata_ind *unitdata_ind;
1748 	au_state_t estate;
1749 	t_audit_data_t *tad;
1750 	caddr_t saved_thread_ptr;
1751 	au_mask_t amask;
1752 	const auditinfo_addr_t *ainfo;
1753 	au_kcontext_t	*kctx;
1754 	zone_status_t	zstate;
1755 
1756 	if (q->q_stream == NULL)
1757 		return;
1758 	mutex_enter(&q->q_stream->sd_lock);
1759 	/* are we being audited */
1760 	saved_thread_ptr = q->q_stream->sd_t_audit_data;
1761 	/* no pointer to thread, nothing to do */
1762 	if (saved_thread_ptr == NULL) {
1763 		mutex_exit(&q->q_stream->sd_lock);
1764 		return;
1765 	}
1766 	/* only allow one addition of a record token */
1767 	q->q_stream->sd_t_audit_data = NULL;
1768 	/*
1769 	 * thread is not the one being audited, then nothing to do
1770 	 * This could be the stream thread handling the module
1771 	 * service routine. In this case, the context for the audit
1772 	 * record can no longer be assumed. Simplest to just drop
1773 	 * the operation.
1774 	 */
1775 	if (curthread != (kthread_id_t)saved_thread_ptr) {
1776 		mutex_exit(&q->q_stream->sd_lock);
1777 		return;
1778 	}
1779 	if (curthread->t_sysnum >= SYS_so_socket &&
1780 	    curthread->t_sysnum <= SYS_sockconfig) {
1781 		mutex_exit(&q->q_stream->sd_lock);
1782 		return;
1783 	}
1784 	mutex_exit(&q->q_stream->sd_lock);
1785 	/*
1786 	 * we know that the thread that did the put/getmsg is the
1787 	 * one running. Now we can get the TAD and see if we should
1788 	 * add an audit token.
1789 	 */
1790 	tad = U2A(u);
1791 
1792 	kctx = SET_KCTX_PZ;
1793 	if (kctx == NULL) {
1794 		zstate = zone_status_get(curproc->p_zone);
1795 		ASSERT(zstate != ZONE_IS_READY);
1796 		return;
1797 	}
1798 
1799 	/* proceed ONLY if user is being audited */
1800 	if (!tad->tad_flag)
1801 		return;
1802 
1803 	ainfo = crgetauinfo(CRED());
1804 	if (ainfo == NULL)
1805 		return;
1806 	amask = ainfo->ai_mask;
1807 
1808 	/*
1809 	 * Figure out the type of stream networking request here.
1810 	 * Note that getmsg and putmsg are always preselected
1811 	 * because during the beginning of the system call we have
1812 	 * not yet figure out which of the socket or tli request
1813 	 * we are looking at until we are here. So we need to check
1814 	 * against that specific request and reset the type of event.
1815 	 */
1816 	switch (type) {
1817 	case T_CONN_REQ:	/* connection request */
1818 		conn_req = (struct T_conn_req *)mp->b_rptr;
1819 		if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1820 			return;
1821 		offset = conn_req->DEST_offset;
1822 		len = conn_req->DEST_length;
1823 		estate = kctx->auk_ets[AUE_SOCKCONNECT];
1824 		if (amask.as_success & estate || amask.as_failure & estate) {
1825 			tad->tad_event = AUE_SOCKCONNECT;
1826 			break;
1827 		} else {
1828 			return;
1829 		}
1830 	case T_CONN_IND:	 /* connectionless receive request */
1831 		conn_ind = (struct T_conn_ind *)mp->b_rptr;
1832 		if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1833 			return;
1834 		offset = conn_ind->SRC_offset;
1835 		len = conn_ind->SRC_length;
1836 		estate = kctx->auk_ets[AUE_SOCKACCEPT];
1837 		if (amask.as_success & estate || amask.as_failure & estate) {
1838 			tad->tad_event = AUE_SOCKACCEPT;
1839 			break;
1840 		} else {
1841 			return;
1842 		}
1843 	case T_UNITDATA_REQ:	 /* connectionless send request */
1844 		unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1845 		if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1846 			return;
1847 		offset = unitdata_req->DEST_offset;
1848 		len = unitdata_req->DEST_length;
1849 		estate = kctx->auk_ets[AUE_SOCKSEND];
1850 		if (amask.as_success & estate || amask.as_failure & estate) {
1851 			tad->tad_event = AUE_SOCKSEND;
1852 			break;
1853 		} else {
1854 			return;
1855 		}
1856 	case T_UNITDATA_IND:	 /* connectionless receive request */
1857 		unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1858 		if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1859 			return;
1860 		offset = unitdata_ind->SRC_offset;
1861 		len = unitdata_ind->SRC_length;
1862 		estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1863 		if (amask.as_success & estate || amask.as_failure & estate) {
1864 			tad->tad_event = AUE_SOCKRECEIVE;
1865 			break;
1866 		} else {
1867 			return;
1868 		}
1869 	default:
1870 		return;
1871 	}
1872 
1873 	/*
1874 	 * we are only interested in tcp stream connections,
1875 	 * not unix domain stuff
1876 	 */
1877 	if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1878 		tad->tad_event = AUE_GETMSG;
1879 		return;
1880 	}
1881 	/* skip over TPI header and point to the ip address */
1882 	sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1883 
1884 	switch (sock_data->sin_family) {
1885 	case AF_INET:
1886 		au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1887 		break;
1888 	default:	/* reset to AUE_PUTMSG if not a inet request */
1889 		tad->tad_event = AUE_GETMSG;
1890 		break;
1891 	}
1892 }
1893 
1894 void
1895 audit_lookupname()
1896 {
1897 }
1898 
1899 /*ARGSUSED*/
1900 int
1901 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr)
1902 {
1903 	return (0);
1904 }
1905 
1906 static void
1907 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1908 {
1909 	unsigned int sy_flags;
1910 
1911 #ifdef _SYSCALL32_IMPL
1912 	if (lwp_getdatamodel(
1913 		ttolwp(curthread)) == DATAMODEL_NATIVE)
1914 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1915 	else
1916 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1917 #else
1918 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1919 #endif
1920 
1921 	if (sy_flags == SE_64RVAL)
1922 		au_write(ad, au_to_return64(err, rval));
1923 	else
1924 		au_write(ad, au_to_return32(err, rval));
1925 
1926 }
1927 
1928 /*ARGSUSED*/
1929 void
1930 audit_fdsend(fd, fp, error)
1931 	int fd;
1932 	struct file *fp;
1933 	int error;		/* ignore for now */
1934 {
1935 	t_audit_data_t *tad;	/* current thread */
1936 	f_audit_data_t *fad;	/* per file audit structure */
1937 	struct vnode *vp;	/* for file attributes */
1938 
1939 	/* is this system call being audited */
1940 	tad = U2A(u);
1941 	ASSERT(tad != (t_audit_data_t *)0);
1942 	if (!tad->tad_flag)
1943 		return;
1944 
1945 	fad = F2A(fp);
1946 
1947 	/* add path and file attributes */
1948 	if (fad != NULL && fad->fad_aupath != NULL) {
1949 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1950 		au_uwrite(au_to_path(fad->fad_aupath));
1951 	} else {
1952 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1953 #ifdef _LP64
1954 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1955 #else
1956 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1957 #endif
1958 	}
1959 	vp = fp->f_vnode;	/* include vnode attributes */
1960 	audit_attributes(vp);
1961 }
1962 
1963 /*
1964  * Record privileges sucessfully used and we attempted to use but
1965  * didn't have.
1966  */
1967 void
1968 audit_priv(int priv, const priv_set_t *set, int flag)
1969 {
1970 	t_audit_data_t *tad;
1971 	int sbit;
1972 	priv_set_t *target;
1973 
1974 	/* Make sure this isn't being called in an interrupt context */
1975 	ASSERT(servicing_interrupt() == 0);
1976 
1977 	tad = U2A(u);
1978 
1979 	if (tad->tad_flag == 0)
1980 		return;
1981 
1982 	target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1983 	sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1984 
1985 	/* Tell audit_success() and audit_finish() that we saw this case */
1986 	if (!(tad->tad_evmod & sbit)) {
1987 		/* Clear set first time around */
1988 		priv_emptyset(target);
1989 		tad->tad_evmod |= sbit;
1990 	}
1991 
1992 	/* Save the privileges in the tad */
1993 	if (priv == PRIV_ALL) {
1994 		priv_fillset(target);
1995 	} else {
1996 		ASSERT(set != NULL || priv != PRIV_NONE);
1997 		if (set != NULL)
1998 			priv_union(set, target);
1999 		if (priv != PRIV_NONE)
2000 			priv_addset(target, priv);
2001 	}
2002 }
2003 
2004 /*
2005  * Audit the setpriv() system call; the operation, the set name and
2006  * the current value as well as the set argument are put in the
2007  * audit trail.
2008  */
2009 void
2010 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
2011 {
2012 	t_audit_data_t *tad;
2013 	const priv_set_t *oldpriv;
2014 	priv_set_t report;
2015 	const char *setname;
2016 
2017 	tad = U2A(u);
2018 
2019 	if (tad->tad_flag == 0)
2020 		return;
2021 
2022 	oldpriv = priv_getset(ocr, set);
2023 
2024 	/* Generate the actual record, include the before and after */
2025 	au_uwrite(au_to_arg32(2, "op", op));
2026 	setname = priv_getsetbynum(set);
2027 
2028 	switch (op) {
2029 	case PRIV_OFF:
2030 		/* Report privileges actually switched off */
2031 		report = *oldpriv;
2032 		priv_intersect(newpriv, &report);
2033 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
2034 		break;
2035 	case PRIV_ON:
2036 		/* Report privileges actually switched on */
2037 		report = *oldpriv;
2038 		priv_inverse(&report);
2039 		priv_intersect(newpriv, &report);
2040 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
2041 		break;
2042 	case PRIV_SET:
2043 		/* Report before and after */
2044 		au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
2045 		au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
2046 		break;
2047 	}
2048 }
2049 
2050 /*
2051  * Dump the full device policy setting in the audit trail.
2052  */
2053 void
2054 audit_devpolicy(int nitems, const devplcysys_t *items)
2055 {
2056 	t_audit_data_t *tad;
2057 	int i;
2058 
2059 	tad = U2A(u);
2060 
2061 	if (tad->tad_flag == 0)
2062 		return;
2063 
2064 	for (i = 0; i < nitems; i++) {
2065 		au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
2066 		if (items[i].dps_minornm[0] == '\0') {
2067 			au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
2068 			au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
2069 		} else
2070 			au_uwrite(au_to_text(items[i].dps_minornm));
2071 
2072 		au_uwrite(au_to_privset("read", &items[i].dps_rdp,
2073 		    AUT_PRIV, 0));
2074 		au_uwrite(au_to_privset("write", &items[i].dps_wrp,
2075 		    AUT_PRIV, 0));
2076 	}
2077 }
2078 
2079 /*ARGSUSED*/
2080 void
2081 audit_fdrecv(fd, fp)
2082 	int fd;
2083 	struct file *fp;
2084 {
2085 	t_audit_data_t *tad;	/* current thread */
2086 	f_audit_data_t *fad;	/* per file audit structure */
2087 	struct vnode *vp;	/* for file attributes */
2088 
2089 	/* is this system call being audited */
2090 	tad = U2A(u);
2091 	ASSERT(tad != (t_audit_data_t *)0);
2092 	if (!tad->tad_flag)
2093 		return;
2094 
2095 	fad = F2A(fp);
2096 
2097 	/* add path and file attributes */
2098 	if (fad != NULL && fad->fad_aupath != NULL) {
2099 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
2100 		au_uwrite(au_to_path(fad->fad_aupath));
2101 	} else {
2102 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
2103 #ifdef _LP64
2104 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
2105 #else
2106 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
2107 #endif
2108 	}
2109 	vp = fp->f_vnode;	/* include vnode attributes */
2110 	audit_attributes(vp);
2111 }
2112 
2113 /*
2114  * ROUTINE:	AUDIT_CRYPTOADM
2115  * PURPOSE:	Records arguments to administrative ioctls on /dev/cryptoadm
2116  * CALLBY:	CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
2117  *		CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
2118  *		CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
2119  *		CRYPTO_LOAD_DOOR
2120  * NOTE:
2121  * TODO:
2122  * QUESTION:
2123  */
2124 
2125 void
2126 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
2127     uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
2128 {
2129 	boolean_t		mech_list_required = B_FALSE;
2130 	cred_t			*cr = CRED();
2131 	t_audit_data_t		*tad;
2132 	token_t			*ad = NULL;
2133 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2134 	char			buffer[MAXNAMELEN * 2];
2135 	au_kcontext_t		*kctx = SET_KCTX_PZ;
2136 
2137 	ASSERT(kctx != NULL);
2138 
2139 	tad = U2A(u);
2140 	if (tad == NULL)
2141 		return;
2142 
2143 	if (ainfo == NULL)
2144 		return;
2145 
2146 	tad->tad_event = AUE_CRYPTOADM;
2147 
2148 	if (audit_success(kctx, tad, error) != AU_OK)
2149 		return;
2150 
2151 	/* Add subject information */
2152 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
2153 
2154 	switch (cmd) {
2155 	case CRYPTO_LOAD_DEV_DISABLED:
2156 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2157 			(void) snprintf(buffer, sizeof (buffer),
2158 			    "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
2159 			    " dev_instance=%d",
2160 			    module_name, device_instance);
2161 			mech_list_required = B_TRUE;
2162 		} else {
2163 			(void) snprintf(buffer, sizeof (buffer),
2164 			    "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
2165 		}
2166 		break;
2167 
2168 	case CRYPTO_LOAD_SOFT_DISABLED:
2169 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2170 			(void) snprintf(buffer, sizeof (buffer),
2171 			    "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
2172 			    module_name);
2173 			mech_list_required = B_TRUE;
2174 		} else {
2175 			(void) snprintf(buffer, sizeof (buffer),
2176 			    "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
2177 		}
2178 		break;
2179 
2180 	case CRYPTO_UNLOAD_SOFT_MODULE:
2181 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2182 			(void) snprintf(buffer, sizeof (buffer),
2183 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
2184 			    module_name);
2185 		} else {
2186 			(void) snprintf(buffer, sizeof (buffer),
2187 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
2188 		}
2189 		break;
2190 
2191 	case CRYPTO_LOAD_SOFT_CONFIG:
2192 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2193 			(void) snprintf(buffer, sizeof (buffer),
2194 			    "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
2195 			    module_name);
2196 			mech_list_required = B_TRUE;
2197 		} else {
2198 			(void) snprintf(buffer, sizeof (buffer),
2199 			    "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
2200 		}
2201 		break;
2202 
2203 	case CRYPTO_POOL_CREATE:
2204 		(void) snprintf(buffer, sizeof (buffer),
2205 		    "op=CRYPTO_POOL_CREATE");
2206 		break;
2207 
2208 	case CRYPTO_POOL_WAIT:
2209 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
2210 		break;
2211 
2212 	case CRYPTO_POOL_RUN:
2213 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
2214 		break;
2215 
2216 	case CRYPTO_LOAD_DOOR:
2217 		if (error == 0 && rv == CRYPTO_SUCCESS)
2218 			(void) snprintf(buffer, sizeof (buffer),
2219 			    "op=CRYPTO_LOAD_DOOR");
2220 		else
2221 			(void) snprintf(buffer, sizeof (buffer),
2222 			    "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
2223 		break;
2224 
2225 	default:
2226 		return;
2227 	}
2228 
2229 	au_write((caddr_t *)&ad, au_to_text(buffer));
2230 
2231 	if (mech_list_required) {
2232 		int i;
2233 
2234 		if (mech_count == 0) {
2235 			au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
2236 		} else {
2237 			char	*pb = buffer;
2238 			size_t	l = sizeof (buffer);
2239 			size_t	n;
2240 			char	space[2] = ":";
2241 
2242 			n = snprintf(pb, l, "mech=");
2243 
2244 			for (i = 0; i < mech_count; i++) {
2245 				pb += n;
2246 				l -= n;
2247 				if (l < 0)
2248 					l = 0;
2249 
2250 				if (i == mech_count - 1)
2251 					(void) strcpy(space, "");
2252 
2253 				n = snprintf(pb, l, "%s%s", mech_names[i],
2254 				    space);
2255 			}
2256 			au_write((caddr_t *)&ad, au_to_text(buffer));
2257 		}
2258 	}
2259 
2260 	/* add a return token */
2261 	if (error || (rv != CRYPTO_SUCCESS))
2262 		add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
2263 	else
2264 		add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
2265 
2266 	AS_INC(as_generated, 1, kctx);
2267 	AS_INC(as_kernel, 1, kctx);
2268 
2269 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, 0);
2270 }
2271 
2272 /*
2273  * Audit the kernel SSL administration command. The address and the
2274  * port number for the SSL instance, and the proxy port are put in the
2275  * audit trail.
2276  */
2277 void
2278 audit_kssl(int cmd, void *params, int error)
2279 {
2280 	cred_t			*cr = CRED();
2281 	t_audit_data_t		*tad;
2282 	token_t			*ad = NULL;
2283 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2284 	au_kcontext_t		*kctx = SET_KCTX_PZ;
2285 
2286 	ASSERT(kctx != NULL);
2287 	tad = U2A(u);
2288 
2289 	if (ainfo == NULL)
2290 		return;
2291 
2292 	tad->tad_event = AUE_CONFIGKSSL;
2293 
2294 	if (audit_success(kctx, tad, error) != AU_OK)
2295 		return;
2296 
2297 	/* Add subject information */
2298 	AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
2299 
2300 	switch (cmd) {
2301 	case KSSL_ADD_ENTRY: {
2302 		char buf[32];
2303 		kssl_params_t *kp = (kssl_params_t *)params;
2304 		struct sockaddr_in *saddr = &(kp->kssl_addr);
2305 
2306 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
2307 		au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr)));
2308 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2309 		    saddr->sin_port);
2310 		au_write((caddr_t *)&ad, au_to_text(buf));
2311 
2312 		(void) snprintf(buf, sizeof (buf), "proxy port=%d",
2313 		    kp->kssl_proxy_port);
2314 		au_write((caddr_t *)&ad, au_to_text(buf));
2315 		break;
2316 	}
2317 
2318 	case KSSL_DELETE_ENTRY: {
2319 		char buf[32];
2320 		struct sockaddr_in *saddr = (struct sockaddr_in *)params;
2321 
2322 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
2323 		au_write((caddr_t *)&ad, au_to_in_addr(&(saddr->sin_addr)));
2324 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2325 		    saddr->sin_port);
2326 		au_write((caddr_t *)&ad, au_to_text(buf));
2327 		break;
2328 	}
2329 
2330 	default:
2331 		return;
2332 	}
2333 
2334 	/* add a return token */
2335 	add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2336 
2337 	AS_INC(as_generated, 1, kctx);
2338 	AS_INC(as_kernel, 1, kctx);
2339 
2340 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, 0);
2341 }
2342 
2343 /*
2344  * ROUTINE:	AUDIT_SEC_ATTRIBUTES
2345  * PURPOSE:	Add security attributes
2346  * CALLBY:	AUDIT_ATTRIBUTES
2347  *		AUDIT_CLOSEF
2348  *		AUS_CLOSE
2349  * NOTE:
2350  * TODO:
2351  * QUESTION:
2352  */
2353 
2354 void
2355 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2356 {
2357 	/* Dump the SL */
2358 	if (is_system_labeled()) {
2359 		ts_label_t	*tsl;
2360 		bslabel_t	*bsl;
2361 
2362 		tsl = getflabel(vp);
2363 		if (tsl == NULL)
2364 			return;			/* nothing else to do */
2365 
2366 		bsl = label2bslabel(tsl);
2367 		if (bsl == NULL)
2368 			return;			/* nothing else to do */
2369 		au_write(ad, au_to_label(bsl));
2370 		label_rele(tsl);
2371 	}
2372 
2373 }	/* AUDIT_SEC_ATTRIBUTES */
2374