xref: /titanic_51/usr/src/uts/common/c2/audit.c (revision 8eea8e29cc4374d1ee24c25a07f45af132db3499)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * This file contains the audit hook support code for auditing.
29  */
30 
31 #pragma ident	"%Z%%M%	%I%	%E% SMI"
32 
33 #include <sys/types.h>
34 #include <sys/proc.h>
35 #include <sys/vnode.h>
36 #include <sys/vfs.h>
37 #include <sys/file.h>
38 #include <sys/user.h>
39 #include <sys/stropts.h>
40 #include <sys/systm.h>
41 #include <sys/pathname.h>
42 #include <sys/syscall.h>
43 #include <sys/fcntl.h>
44 #include <sys/ipc_impl.h>
45 #include <sys/msg_impl.h>
46 #include <sys/sem_impl.h>
47 #include <sys/shm_impl.h>
48 #include <sys/kmem.h>		/* for KM_SLEEP */
49 #include <sys/socket.h>
50 #include <sys/cmn_err.h>	/* snprintf... */
51 #include <sys/debug.h>
52 #include <sys/thread.h>
53 #include <netinet/in.h>
54 #include <c2/audit.h>		/* needs to be included before user.h */
55 #include <c2/audit_kernel.h>	/* for M_DONTWAIT */
56 #include <c2/audit_kevents.h>
57 #include <c2/audit_record.h>
58 #include <sys/strsubr.h>
59 #include <sys/tihdr.h>
60 #include <sys/tiuser.h>
61 #include <sys/timod.h>
62 #include <sys/model.h>		/* for model_t */
63 #include <sys/disp.h>		/* for servicing_interrupt() */
64 #include <sys/devpolicy.h>
65 #include <sys/crypto/ioctladmin.h>
66 
67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
68 
69 static void audit_pathbuild(struct pathname *pnp);
70 
71 /*
72  * ROUTINE:	AUDIT_NEWPROC
73  * PURPOSE:	initialize the child p_audit_data structure
74  * CALLBY:	GETPROC
75  * NOTE:	All threads for the parent process are locked at this point.
76  *		We are essentially running singled threaded for this reason.
77  *		GETPROC is called when system creates a new process.
78  *		By the time AUDIT_NEWPROC is called, the child proc
79  *		structure has already been initialized. What we need
80  *		to do is to allocate the child p_audit_data and
81  *		initialize it with the content of current parent process.
82  */
83 
84 void
85 audit_newproc(struct proc *cp)	/* initialized child proc structure */
86 {
87 	p_audit_data_t *pad;	/* child process audit data */
88 	p_audit_data_t *opad;	/* parent process audit data */
89 
90 	pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
91 
92 	P2A(cp) = pad;
93 
94 	opad = P2A(curproc);
95 
96 	/*
97 	 * copy the audit data. Note that all threads of current
98 	 *   process have been "held". Thus there is no race condition
99 	 *   here with mutiple threads trying to alter the cwrd
100 	 *   structure (such as releasing it).
101 	 *
102 	 *   The audit context in the cred is "duplicated" for the new
103 	 *   proc by elsewhere crhold'ing the parent's cred which it shares.
104 	 *
105 	 *   We still want to hold things since auditon() [A_SETUMASK,
106 	 *   A_SETSMASK] could be walking through the processes to
107 	 *   update things.
108 	 */
109 	mutex_enter(&opad->pad_lock);	/* lock opad structure during copy */
110 	pad->pad_data = opad->pad_data;	/* copy parent's process audit data */
111 	au_pathhold(pad->pad_root);
112 	au_pathhold(pad->pad_cwd);
113 	mutex_exit(&opad->pad_lock);	/* current proc will keep cwrd open */
114 
115 	/*
116 	 * finish auditing of parent here so that it will be done
117 	 * before child has a chance to run. We include the child
118 	 * pid since the return value in the return token is a dummy
119 	 * one and contains no useful information (it is included to
120 	 * make the audit record structure consistant).
121 	 *
122 	 * tad_flag is set if auditing is on
123 	 */
124 	if (((t_audit_data_t *)T2A(curthread))->tad_flag)
125 		au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid));
126 
127 	/*
128 	 * finish up audit record generation here because child process
129 	 * is set to run before parent process. We distinguish here
130 	 * between FORK, FORK1, or VFORK by the saved system call ID.
131 	 */
132 	audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0);
133 }
134 
135 /*
136  * ROUTINE:	AUDIT_PFREE
137  * PURPOSE:	deallocate the per-process udit data structure
138  * CALLBY:	EXIT
139  *		FORK_FAIL
140  * NOTE:	all lwp except current one have stopped in SEXITLWPS
141  * 		why we are single threaded?
142  *		. all lwp except current one have stopped in SEXITLWPS.
143  */
144 void
145 audit_pfree(struct proc *p)		/* proc structure to be freed */
146 
147 {	/* AUDIT_PFREE */
148 
149 	p_audit_data_t *pad;
150 
151 	pad = P2A(p);
152 
153 	/* better be a per process audit data structure */
154 	ASSERT(pad != (p_audit_data_t *)0);
155 
156 	if (pad == pad0) {
157 		return;
158 	}
159 
160 	/* deallocate all auditing resources for this process */
161 	au_pathrele(pad->pad_root);
162 	au_pathrele(pad->pad_cwd);
163 
164 	/*
165 	 * Since the pad structure is completely overwritten after alloc,
166 	 * we don't bother to clear it.
167 	 */
168 
169 	kmem_cache_free(au_pad_cache, pad);
170 }
171 
172 /*
173  * ROUTINE:	AUDIT_THREAD_CREATE
174  * PURPOSE:	allocate per-process thread audit data structure
175  * CALLBY:	THREAD_CREATE
176  * NOTE:	This is called just after *t was bzero'd.
177  *		We are single threaded in this routine.
178  * TODO:
179  * QUESTION:
180  */
181 
182 void
183 audit_thread_create(kthread_id_t t)
184 {
185 	t_audit_data_t *tad;	/* per-thread audit data */
186 
187 	tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
188 
189 	T2A(t) = tad;		/* set up thread audit data ptr */
190 	tad->tad_thread = t;	/* back ptr to thread: DEBUG */
191 }
192 
193 /*
194  * ROUTINE:	AUDIT_THREAD_FREE
195  * PURPOSE:	free the per-thread audit data structure
196  * CALLBY:	THREAD_FREE
197  * NOTE:	most thread data is clear after return
198  */
199 void
200 audit_thread_free(kthread_t *t)
201 {
202 	t_audit_data_t *tad;
203 	au_defer_info_t	*attr;
204 
205 	tad = T2A(t);
206 
207 	/* thread audit data must still be set */
208 
209 	if (tad == tad0) {
210 		return;
211 	}
212 
213 	if (tad == NULL) {
214 		return;
215 	}
216 
217 	t->t_audit_data = 0;
218 
219 	/* must not have any audit record residual */
220 	ASSERT(tad->tad_ad == NULL);
221 
222 	/* saved path must be empty */
223 	ASSERT(tad->tad_aupath == NULL);
224 
225 	if (tad->tad_atpath)
226 		au_pathrele(tad->tad_atpath);
227 
228 	attr = tad->tad_defer_head;
229 	while (attr != NULL) {
230 		au_defer_info_t	*tmp_attr = attr;
231 
232 		au_free_rec(attr->audi_ad);
233 
234 		attr = attr->audi_next;
235 		kmem_free(tmp_attr, sizeof (au_defer_info_t));
236 	}
237 
238 	kmem_free(tad, sizeof (*tad));
239 }
240 
241 /*
242  * ROUTINE:	AUDIT_SAVEPATH
243  * PURPOSE:
244  * CALLBY:	LOOKUPPN
245  *
246  * NOTE:	We have reached the end of a path in fs/lookup.c.
247  *		We get two pieces of information here:
248  *		the vnode of the last component (vp) and
249  *		the status of the last access (flag).
250  * TODO:
251  * QUESTION:
252  */
253 
254 /*ARGSUSED*/
255 int
256 audit_savepath(
257 	struct pathname *pnp,		/* pathname to lookup */
258 	struct vnode *vp,		/* vnode of the last component */
259 	int    flag,			/* status of the last access */
260 	cred_t *cr)			/* cred of requestor */
261 {
262 
263 	t_audit_data_t *tad;	/* current thread */
264 	p_audit_data_t *pad;	/* current process */
265 	au_kcontext_t	*kctx = SET_KCTX_PZ;
266 
267 	if (kctx == NULL) {
268 		zone_status_t zstate = zone_status_get(curproc->p_zone);
269 		ASSERT(zstate != ZONE_IS_READY);
270 		return (0);
271 	}
272 
273 	tad = U2A(u);
274 	ASSERT(tad != (t_audit_data_t *)0);
275 	pad = P2A(curproc);
276 	ASSERT(pad != (p_audit_data_t *)0);
277 
278 	/*
279 	 * this event being audited or do we need path information
280 	 * later? This might be for a chdir/chroot or open (add path
281 	 * to file pointer. If the path has already been found for an
282 	 * open/creat then we don't need to process the path.
283 	 *
284 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
285 	 *	chroot, chdir, open, creat system call processing. It determines
286 	 *	if audit_savepath() will discard the path or we need it later.
287 	 * PAD_PATHFND means path already included in this audit record. It
288 	 *	is used in cases where multiple path lookups are done per
289 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
290 	 *	paths are allowed.
291 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
292 	 *	exit processing to inhibit any paths that may be added due to
293 	 *	closes.
294 	 */
295 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
296 		((tad->tad_ctrl & PAD_PATHFND) &&
297 		!(kctx->auk_policy & AUDIT_PATH)) ||
298 		(tad->tad_ctrl & PAD_NOPATH)) {
299 			return (0);
300 	}
301 
302 	audit_pathbuild(pnp);
303 	tad->tad_vn = vp;
304 
305 	/*
306 	 * are we auditing only if error, or if it is not open or create
307 	 * otherwise audit_setf will do it
308 	 */
309 
310 	if (tad->tad_flag) {
311 		if (flag && (tad->tad_scid == SYS_open ||
312 		    tad->tad_scid == SYS_open64 ||
313 		    tad->tad_scid == SYS_creat ||
314 		    tad->tad_scid == SYS_creat64 ||
315 		    tad->tad_scid == SYS_fsat)) {
316 			tad->tad_ctrl |= PAD_TRUE_CREATE;
317 		}
318 
319 		/* add token to audit record for this name */
320 		au_uwrite(au_to_path(tad->tad_aupath));
321 
322 		/* add the attributes of the object */
323 		if (vp) {
324 			/*
325 			 * only capture attributes when there is no error
326 			 * lookup will not return the vnode of the failing
327 			 * component.
328 			 *
329 			 * if there was a lookup error, then don't add
330 			 * attribute. if lookup in vn_create(),
331 			 * then don't add attribute,
332 			 * it will be added at end of vn_create().
333 			 */
334 			if (!flag && !(tad->tad_ctrl & PAD_NOATTRB))
335 				audit_attributes(vp);
336 		}
337 	}
338 
339 	/* free up space if we're not going to save path (open, crate) */
340 	if ((tad->tad_ctrl & PAD_SAVPATH) == 0) {
341 		if (tad->tad_aupath != NULL) {
342 			au_pathrele(tad->tad_aupath);
343 			tad->tad_aupath = NULL;
344 			tad->tad_vn = NULL;
345 		}
346 	}
347 	if (tad->tad_ctrl & PAD_MLD)
348 		tad->tad_ctrl |= PAD_PATHFND;
349 
350 	return (0);
351 }
352 
353 static void
354 audit_pathbuild(struct pathname *pnp)
355 {
356 	char *pp;	/* pointer to path */
357 	int len;	/* length of incoming segment */
358 	int newsect;	/* path requires a new section */
359 	struct audit_path	*pfxapp;	/* prefix for path */
360 	struct audit_path	*newapp;	/* new audit_path */
361 	t_audit_data_t *tad;	/* current thread */
362 	p_audit_data_t *pad;	/* current process */
363 
364 	tad = U2A(u);
365 	ASSERT(tad != NULL);
366 	pad = P2A(curproc);
367 	ASSERT(pad != NULL);
368 
369 	len = (pnp->pn_path - pnp->pn_buf) + 1;		/* +1 for terminator */
370 	ASSERT(len > 0);
371 
372 	/* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
373 	mutex_enter(&pad->pad_lock);
374 	if (tad->tad_aupath != NULL) {
375 		pfxapp = tad->tad_aupath;
376 	} else if (tad->tad_scid == SYS_fsat && pnp->pn_buf[0] != '/') {
377 		ASSERT(tad->tad_atpath != NULL);
378 		pfxapp = tad->tad_atpath;
379 	} else if (tad->tad_ctrl & PAD_ABSPATH) {
380 		pfxapp = pad->pad_root;
381 	} else {
382 		pfxapp = pad->pad_cwd;
383 	}
384 	au_pathhold(pfxapp);
385 	mutex_exit(&pad->pad_lock);
386 
387 	/* get an expanded buffer to hold the anchored path */
388 	newsect = tad->tad_ctrl & PAD_ATPATH;
389 	newapp = au_pathdup(pfxapp, newsect, len);
390 	au_pathrele(pfxapp);
391 
392 	pp = newapp->audp_sect[newapp->audp_cnt] - len;
393 	if (!newsect) {
394 		/* overlay previous NUL terminator */
395 		*(pp - 1) = '/';
396 	}
397 
398 	/* now add string of processed path */
399 	bcopy(pnp->pn_buf, pp, len);
400 	pp[len - 1] = '\0';
401 
402 	/* perform path simplification as necessary */
403 	audit_fixpath(newapp, len);
404 
405 	if (tad->tad_aupath)
406 		au_pathrele(tad->tad_aupath);
407 	tad->tad_aupath = newapp;
408 
409 	/* for case where multiple lookups in one syscall (rename) */
410 	tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATPATH);
411 }
412 
413 
414 
415 /*ARGSUSED*/
416 
417 /*
418  * ROUTINE:	AUDIT_ADDCOMPONENT
419  * PURPOSE:	extend the path by the component accepted
420  * CALLBY:	LOOKUPPN
421  * NOTE:	This function is called only when there is an error in
422  *		parsing a path component
423  * TODO:	Add the error component to audit record
424  * QUESTION:	what is this for
425  */
426 
427 void
428 audit_addcomponent(struct pathname *pnp)
429 {
430 	au_kcontext_t	*kctx = SET_KCTX_PZ;
431 	t_audit_data_t *tad;
432 
433 	if (kctx == NULL) {
434 		zone_status_t zstate = zone_status_get(curproc->p_zone);
435 		ASSERT(zstate != ZONE_IS_READY);
436 		return;
437 	}
438 
439 	tad = U2A(u);
440 	/*
441 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
442 	 *	chroot, chdir, open, creat system call processing. It determines
443 	 *	if audit_savepath() will discard the path or we need it later.
444 	 * PAD_PATHFND means path already included in this audit record. It
445 	 *	is used in cases where multiple path lookups are done per
446 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
447 	 *	paths are allowed.
448 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
449 	 *	exit processing to inhibit any paths that may be added due to
450 	 *	closes.
451 	 */
452 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
453 		((tad->tad_ctrl & PAD_PATHFND) &&
454 		!(kctx->auk_policy & AUDIT_PATH)) ||
455 		(tad->tad_ctrl & PAD_NOPATH)) {
456 			return;
457 	}
458 
459 	return;
460 
461 }	/* AUDIT_ADDCOMPONENT */
462 
463 
464 
465 
466 
467 
468 
469 
470 /*
471  * ROUTINE:	AUDIT_ANCHORPATH
472  * PURPOSE:
473  * CALLBY:	LOOKUPPN
474  * NOTE:
475  * anchor path at "/". We have seen a symbolic link or entering for the
476  * first time we will throw away any saved path if path is anchored.
477  *
478  * flag = 0, path is relative.
479  * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH.
480  *
481  * If the (new) path is absolute, then we have to throw away whatever we have
482  * already accumulated since it is being superceeded by new path which is
483  * anchored at the root.
484  *		Note that if the path is relative, this function does nothing
485  * TODO:
486  * QUESTION:
487  */
488 /*ARGSUSED*/
489 void
490 audit_anchorpath(struct pathname *pnp, int flag)
491 {
492 	au_kcontext_t	*kctx = SET_KCTX_PZ;
493 	t_audit_data_t *tad;
494 
495 	if (kctx == NULL) {
496 		zone_status_t zstate = zone_status_get(curproc->p_zone);
497 		ASSERT(zstate != ZONE_IS_READY);
498 		return;
499 	}
500 
501 	tad = U2A(u);
502 
503 	/*
504 	 * this event being audited or do we need path information
505 	 * later? This might be for a chdir/chroot or open (add path
506 	 * to file pointer. If the path has already been found for an
507 	 * open/creat then we don't need to process the path.
508 	 *
509 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
510 	 *	chroot, chdir, open, creat system call processing. It determines
511 	 *	if audit_savepath() will discard the path or we need it later.
512 	 * PAD_PATHFND means path already included in this audit record. It
513 	 *	is used in cases where multiple path lookups are done per
514 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
515 	 *	paths are allowed.
516 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
517 	 *	exit processing to inhibit any paths that may be added due to
518 	 *	closes.
519 	 */
520 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
521 		((tad->tad_ctrl & PAD_PATHFND) &&
522 		!(kctx->auk_policy & AUDIT_PATH)) ||
523 		(tad->tad_ctrl & PAD_NOPATH)) {
524 			return;
525 	}
526 
527 	if (flag) {
528 		tad->tad_ctrl |= PAD_ABSPATH;
529 		if (tad->tad_aupath != NULL) {
530 			au_pathrele(tad->tad_aupath);
531 			tad->tad_aupath = NULL;
532 			tad->tad_vn = NULL;
533 		}
534 	}
535 }
536 
537 
538 /*
539  * symbolic link. Save previous components.
540  *
541  * the path seen so far looks like this
542  *
543  *  +-----------------------+----------------+
544  *  | path processed so far | remaining path |
545  *  +-----------------------+----------------+
546  *  \-----------------------/
547  *	save this string if
548  *	symbolic link relative
549  *	(but don't include  symlink component)
550  */
551 
552 /*ARGSUSED*/
553 
554 
555 /*
556  * ROUTINE:	AUDIT_SYMLINK
557  * PURPOSE:
558  * CALLBY:	LOOKUPPN
559  * NOTE:
560  * TODO:
561  * QUESTION:
562  */
563 void
564 audit_symlink(struct pathname *pnp, struct pathname *sympath)
565 {
566 	char *sp;	/* saved initial pp */
567 	char *cp;	/* start of symlink path */
568 	uint_t len_path;	/* processed path before symlink */
569 	t_audit_data_t *tad;
570 	au_kcontext_t	*kctx = SET_KCTX_PZ;
571 
572 	if (kctx == NULL) {
573 		zone_status_t zstate = zone_status_get(curproc->p_zone);
574 		ASSERT(zstate != ZONE_IS_READY);
575 		return;
576 	}
577 
578 	tad = U2A(u);
579 
580 	/*
581 	 * this event being audited or do we need path information
582 	 * later? This might be for a chdir/chroot or open (add path
583 	 * to file pointer. If the path has already been found for an
584 	 * open/creat then we don't need to process the path.
585 	 *
586 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
587 	 *	chroot, chdir, open, creat system call processing. It determines
588 	 *	if audit_savepath() will discard the path or we need it later.
589 	 * PAD_PATHFND means path already included in this audit record. It
590 	 *	is used in cases where multiple path lookups are done per
591 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
592 	 *	paths are allowed.
593 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
594 	 *	exit processing to inhibit any paths that may be added due to
595 	 *	closes.
596 	 */
597 	if ((tad->tad_flag == 0 &&
598 		!(tad->tad_ctrl & PAD_SAVPATH)) ||
599 		((tad->tad_ctrl & PAD_PATHFND) &&
600 		!(kctx->auk_policy & AUDIT_PATH)) ||
601 		(tad->tad_ctrl & PAD_NOPATH)) {
602 			return;
603 	}
604 
605 	/*
606 	 * if symbolic link is anchored at / then do nothing.
607 	 * When we cycle back to begin: in lookuppn() we will
608 	 * call audit_anchorpath() with a flag indicating if the
609 	 * path is anchored at / or is relative. We will release
610 	 * any saved path at that point.
611 	 *
612 	 * Note In the event that an error occurs in pn_combine then
613 	 * we want to remain pointing at the component that caused the
614 	 * path to overflow the pnp structure.
615 	 */
616 	if (sympath->pn_buf[0] == '/')
617 		return;
618 
619 	/* backup over last component */
620 	sp = cp = pnp->pn_path;
621 	while (*--cp != '/' && cp > pnp->pn_buf)
622 		;
623 
624 	len_path = cp - pnp->pn_buf;
625 
626 	/* is there anything to save? */
627 	if (len_path) {
628 		pnp->pn_path = cp;
629 		audit_pathbuild(pnp);
630 		pnp->pn_path = sp;
631 	}
632 }
633 
634 /*
635  * file_is_public : determine whether events for the file (corresponding to
636  * 			the specified file attr) should be audited or ignored.
637  *
638  * returns: 	1 - if audit policy and file attributes indicate that
639  *			file is effectively public. read events for
640  *			the file should not be audited.
641  *		0 - otherwise
642  *
643  * The required attributes to be considered a public object are:
644  * - owned by root, AND
645  * - world-readable (permissions for other include read), AND
646  * - NOT world-writeable (permissions for other don't
647  *	include write)
648  *   (mode doesn't need to be checked for symlinks)
649  */
650 int
651 file_is_public(struct vattr *attr)
652 {
653 	au_kcontext_t	*kctx = SET_KCTX_PZ;
654 
655 	if (kctx == NULL) {
656 		zone_status_t zstate = zone_status_get(curproc->p_zone);
657 		ASSERT(zstate != ZONE_IS_READY);
658 		return (0);
659 	}
660 
661 	if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
662 	    ((attr->va_type == VLNK) ||
663 	    ((attr->va_mode & (VREAD>>6)) != 0) &&
664 	    ((attr->va_mode & (VWRITE>>6)) == 0))) {
665 		return (1);
666 	}
667 	return (0);
668 }
669 
670 
671 /*
672  * ROUTINE:	AUDIT_ATTRIBUTES
673  * PURPOSE:	Audit the attributes so we can tell why the error occured
674  * CALLBY:	AUDIT_SAVEPATH
675  *		AUDIT_VNCREATE_FINISH
676  *		AUS_FCHOWN...audit_event.c...audit_path.c
677  * NOTE:
678  * TODO:
679  * QUESTION:
680  */
681 void
682 audit_attributes(struct vnode *vp)
683 {
684 	struct vattr attr;
685 	struct t_audit_data *tad;
686 
687 	tad = U2A(u);
688 
689 	if (vp) {
690 		attr.va_mask = AT_ALL;
691 		if (VOP_GETATTR(vp, &attr, 0, CRED()) != 0)
692 			return;
693 
694 		if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) {
695 			/*
696 			 * This is a public object and a "public" event
697 			 * (i.e., read only) -- either by definition
698 			 * (e.g., stat, access...) or by virtue of write access
699 			 * not being requested (e.g. mmap).
700 			 * Flag it in the tad to prevent this audit at the end.
701 			 */
702 			tad->tad_ctrl |= PAD_NOAUDIT;
703 		} else {
704 			au_uwrite(au_to_attr(&attr));
705 		}
706 	}
707 }
708 
709 
710 /*
711  * ROUTINE:	AUDIT_FALLOC
712  * PURPOSE:	allocating a new file structure
713  * CALLBY:	FALLOC
714  * NOTE:	file structure already initialized
715  * TODO:
716  * QUESTION:
717  */
718 
719 void
720 audit_falloc(struct file *fp)
721 {	/* AUDIT_FALLOC */
722 
723 	f_audit_data_t *fad;
724 
725 	/* allocate per file audit structure if there a'int any */
726 	ASSERT(F2A(fp) == NULL);
727 
728 	fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP);
729 
730 	F2A(fp) = fad;
731 
732 	fad->fad_thread = curthread; 	/* file audit data back ptr; DEBUG */
733 }
734 
735 /*
736  * ROUTINE:	AUDIT_UNFALLOC
737  * PURPOSE:	deallocate file audit data structure
738  * CALLBY:	CLOSEF
739  *		UNFALLOC
740  * NOTE:
741  * TODO:
742  * QUESTION:
743  */
744 
745 void
746 audit_unfalloc(struct file *fp)
747 {
748 	f_audit_data_t *fad;
749 
750 	fad = F2A(fp);
751 
752 	if (!fad) {
753 		return;
754 	}
755 	if (fad->fad_aupath != NULL) {
756 		au_pathrele(fad->fad_aupath);
757 	}
758 	fp->f_audit_data = 0;
759 	kmem_free(fad, sizeof (struct f_audit_data));
760 }
761 
762 /*
763  * ROUTINE:	AUDIT_EXIT
764  * PURPOSE:
765  * CALLBY:	EXIT
766  * NOTE:
767  * TODO:
768  * QUESTION:	why cmw code as offset by 2 but not here
769  */
770 /* ARGSUSED */
771 void
772 audit_exit(int code, int what)
773 {
774 	struct t_audit_data *tad;
775 	tad = U2A(u);
776 
777 	/*
778 	 * tad_scid will be set by audit_start even if we are not auditing
779 	 * the event.
780 	 */
781 	if (tad->tad_scid == SYS_exit) {
782 		/*
783 		 * if we are auditing the exit system call, then complete
784 		 * audit record generation (no return from system call).
785 		 */
786 		if (tad->tad_flag && tad->tad_event == AUE_EXIT)
787 			audit_finish(0, SYS_exit, 0, 0);
788 		return;
789 	}
790 
791 	/*
792 	 * Anyone auditing the system call that was aborted?
793 	 */
794 	if (tad->tad_flag) {
795 		au_uwrite(au_to_text("event aborted"));
796 		audit_finish(0, tad->tad_scid, 0, 0);
797 	}
798 
799 	/*
800 	 * Generate an audit record for process exit if preselected.
801 	 */
802 	(void) audit_start(0, SYS_exit, 0, 0);
803 	audit_finish(0, SYS_exit, 0, 0);
804 }
805 
806 /*
807  * ROUTINE:	AUDIT_CORE_START
808  * PURPOSE:
809  * CALLBY: 	PSIG
810  * NOTE:
811  * TODO:
812  */
813 void
814 audit_core_start(int sig)
815 {
816 	au_event_t event;
817 	au_state_t estate;
818 	t_audit_data_t *tad;
819 	au_kcontext_t	*kctx;
820 
821 	tad = U2A(u);
822 
823 	ASSERT(tad != (t_audit_data_t *)0);
824 
825 	ASSERT(tad->tad_scid == 0);
826 	ASSERT(tad->tad_event == 0);
827 	ASSERT(tad->tad_evmod == 0);
828 	ASSERT(tad->tad_ctrl == 0);
829 	ASSERT(tad->tad_flag == 0);
830 	ASSERT(tad->tad_aupath == NULL);
831 
832 	kctx = SET_KCTX_PZ;
833 
834 	if (kctx == NULL) {
835 		zone_status_t zstate = zone_status_get(curproc->p_zone);
836 		ASSERT(zstate != ZONE_IS_READY);
837 		return;
838 	}
839 
840 	/* get basic event for system call */
841 	event = AUE_CORE;
842 	estate = kctx->auk_ets[event];
843 
844 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
845 		return;
846 
847 	/* reset the flags for non-user attributable events */
848 	tad->tad_ctrl   = PAD_CORE;
849 	tad->tad_scid   = 0;
850 
851 	/* if auditing not enabled, then don't generate an audit record */
852 
853 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
854 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
855 	    kctx->auk_auditstate == AUC_NOSPACE)) {
856 		tad->tad_flag = 0;
857 		tad->tad_ctrl = 0;
858 		return;
859 	}
860 
861 	tad->tad_event  = event;
862 	tad->tad_evmod  = 0;
863 
864 	ASSERT(tad->tad_ad == NULL);
865 
866 	au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
867 }
868 
869 /*
870  * ROUTINE:	AUDIT_CORE_FINISH
871  * PURPOSE:
872  * CALLBY:	PSIG
873  * NOTE:
874  * TODO:
875  * QUESTION:
876  */
877 
878 /*ARGSUSED*/
879 void
880 audit_core_finish(int code)
881 {
882 	int flag;
883 	t_audit_data_t *tad;
884 	au_kcontext_t	*kctx;
885 
886 	tad = U2A(u);
887 
888 	ASSERT(tad != (t_audit_data_t *)0);
889 
890 	if ((flag = tad->tad_flag) == 0) {
891 		tad->tad_event = 0;
892 		tad->tad_evmod = 0;
893 		tad->tad_ctrl  = 0;
894 		ASSERT(tad->tad_aupath == NULL);
895 		return;
896 	}
897 	tad->tad_flag = 0;
898 
899 	kctx = SET_KCTX_PZ;
900 	if (kctx == NULL) {
901 		zone_status_t zstate = zone_status_get(curproc->p_zone);
902 		ASSERT(zstate != ZONE_IS_READY);
903 		return;
904 	}
905 
906 	/* kludge for error 0, should use `code==CLD_DUMPED' instead */
907 	if (flag = audit_success(kctx, tad, 0)) {
908 		cred_t *cr = CRED();
909 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
910 
911 		ASSERT(ainfo != NULL);
912 
913 		/*
914 		 * Add a subject token (no locks since our private copy of
915 		 * credential
916 		 */
917 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo);
918 
919 		/* Add an optional group token */
920 		AUDIT_SETGROUP(&(u_ad), cr, kctx);
921 
922 		/* Add a return token (should use f argument) */
923 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
924 
925 		AS_INC(as_generated, 1, kctx);
926 		AS_INC(as_kernel, 1, kctx);
927 	}
928 
929 	/* Close up everything */
930 	au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod);
931 
932 	/* free up any space remaining with the path's */
933 	if (tad->tad_aupath != NULL) {
934 		au_pathrele(tad->tad_aupath);
935 		tad->tad_aupath = NULL;
936 		tad->tad_vn = NULL;
937 	}
938 	tad->tad_event = 0;
939 	tad->tad_evmod = 0;
940 	tad->tad_ctrl  = 0;
941 }
942 
943 /*ARGSUSED*/
944 void
945 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp)
946 {
947 }
948 
949 /*ARGSUSED*/
950 void
951 audit_strclose(struct vnode *vp, int flag, cred_t *crp)
952 {
953 }
954 
955 /*ARGSUSED*/
956 void
957 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag,
958     int copyflag, cred_t *crp, int *rvalp)
959 {
960 }
961 
962 
963 /*ARGSUSED*/
964 void
965 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
966     unsigned char *pri, int *flag, int fmode)
967 {
968 	struct stdata *stp;
969 	t_audit_data_t *tad = U2A(u);
970 
971 	ASSERT(tad != (t_audit_data_t *)0);
972 
973 	stp = vp->v_stream;
974 
975 	/* lock stdata from audit_sock */
976 	mutex_enter(&stp->sd_lock);
977 
978 	/* proceed ONLY if user is being audited */
979 	if (!tad->tad_flag) {
980 		/*
981 		 * this is so we will not add audit data onto
982 		 * a thread that is not being audited.
983 		 */
984 		stp->sd_t_audit_data = NULL;
985 		mutex_exit(&stp->sd_lock);
986 		return;
987 	}
988 
989 	stp->sd_t_audit_data = (caddr_t)curthread;
990 	mutex_exit(&stp->sd_lock);
991 }
992 
993 /*ARGSUSED*/
994 void
995 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
996     unsigned char pri, int flag, int fmode)
997 {
998 	struct stdata *stp;
999 	t_audit_data_t *tad = U2A(u);
1000 
1001 	ASSERT(tad != (t_audit_data_t *)0);
1002 
1003 	stp = vp->v_stream;
1004 
1005 	/* lock stdata from audit_sock */
1006 	mutex_enter(&stp->sd_lock);
1007 
1008 	/* proceed ONLY if user is being audited */
1009 	if (!tad->tad_flag) {
1010 		/*
1011 		 * this is so we will not add audit data onto
1012 		 * a thread that is not being audited.
1013 		 */
1014 		stp->sd_t_audit_data = NULL;
1015 		mutex_exit(&stp->sd_lock);
1016 		return;
1017 	}
1018 
1019 	stp->sd_t_audit_data = (caddr_t)curthread;
1020 	mutex_exit(&stp->sd_lock);
1021 }
1022 
1023 /*
1024  * ROUTINE:	AUDIT_CLOSEF
1025  * PURPOSE:
1026  * CALLBY:	CLOSEF
1027  * NOTE:
1028  * release per file audit resources when file structure is being released.
1029  *
1030  * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
1031  *	on the audit queue if it becomes full. This means
1032  *	audit_closef can not be called when f_count == 0. Since
1033  *	f_count == 0 indicates the file structure is free, another
1034  *	process could attempt to use the file while we were still
1035  *	asleep waiting on the audit queue. This would cause the
1036  *	per file audit data to be corrupted when we finally do
1037  *	wakeup.
1038  * TODO:
1039  * QUESTION:
1040  */
1041 
1042 void
1043 audit_closef(struct file *fp)
1044 {	/* AUDIT_CLOSEF */
1045 	f_audit_data_t *fad;
1046 	t_audit_data_t *tad;
1047 	int success;
1048 	au_state_t estate;
1049 	struct vnode *vp;
1050 	token_t *ad = NULL;
1051 	struct vattr attr;
1052 	short evmod = 0;
1053 	const auditinfo_addr_t *ainfo;
1054 	int getattr_ret;
1055 	cred_t *cr;
1056 	au_kcontext_t	*kctx = SET_KCTX_PZ;
1057 
1058 	if (kctx == NULL) {
1059 		zone_status_t zstate = zone_status_get(curproc->p_zone);
1060 		ASSERT(zstate != ZONE_IS_READY);
1061 		return;
1062 	}
1063 
1064 	fad = F2A(fp);
1065 	estate = kctx->auk_ets[AUE_CLOSE];
1066 	tad = U2A(u);
1067 	cr = CRED();
1068 
1069 	/* audit record already generated by system call envelope */
1070 	if (tad->tad_event == AUE_CLOSE) {
1071 		/* so close audit event will have bits set */
1072 		tad->tad_evmod |= (short)fad->fad_flags;
1073 		return;
1074 	}
1075 
1076 	/* if auditing not enabled, then don't generate an audit record */
1077 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
1078 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
1079 	    kctx->auk_auditstate == AUC_NOSPACE))
1080 		return;
1081 
1082 	ainfo = crgetauinfo(cr);
1083 	if (ainfo == NULL)
1084 		return;
1085 
1086 	success = ainfo->ai_mask.as_success & estate;
1087 
1088 	/* not selected for this event */
1089 	if (success == 0)
1090 		return;
1091 
1092 	/*
1093 	 * can't use audit_attributes here since we use a private audit area
1094 	 * to build the audit record instead of the one off the thread.
1095 	 */
1096 	if ((vp = fp->f_vnode) != NULL) {
1097 		attr.va_mask = AT_ALL;
1098 		getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED());
1099 	}
1100 
1101 	/*
1102 	 * When write was not used and the file can be considered public,
1103 	 * then skip the audit.
1104 	 */
1105 	if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) {
1106 		if (file_is_public(&attr)) {
1107 			return;
1108 		}
1109 	}
1110 
1111 	evmod = (short)fad->fad_flags;
1112 	if (fad->fad_aupath != NULL) {
1113 		au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
1114 	} else {
1115 #ifdef _LP64
1116 		au_write((caddr_t *)&(ad), au_to_arg64(
1117 			1, "no path: fp", (uint64_t)fp));
1118 #else
1119 		au_write((caddr_t *)&(ad), au_to_arg32(
1120 			1, "no path: fp", (uint32_t)fp));
1121 #endif
1122 	}
1123 
1124 	if (getattr_ret == 0) {
1125 		au_write((caddr_t *)&(ad), au_to_attr(&attr));
1126 	}
1127 
1128 	/* Add a subject token */
1129 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo);
1130 
1131 	/* add an optional group token */
1132 	AUDIT_SETGROUP((caddr_t *)&(ad), cr, kctx);
1133 
1134 	/* add a return token */
1135 	add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
1136 
1137 	AS_INC(as_generated, 1, kctx);
1138 	AS_INC(as_kernel, 1, kctx);
1139 
1140 	/*
1141 	 * Close up everything
1142 	 * Note: path space recovery handled by normal system
1143 	 * call envelope if not at last close.
1144 	 * Note there is no failure at this point since
1145 	 *   this represents closes due to exit of process,
1146 	 *   thus we always indicate successful closes.
1147 	 */
1148 	au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
1149 	    AUE_CLOSE, evmod);
1150 }
1151 
1152 /*
1153  * ROUTINE:	AUDIT_SET
1154  * PURPOSE:	Audit the file path and file attributes.
1155  * CALLBY:	SETF
1156  * NOTE:	SETF associate a file pointer with user area's open files.
1157  * TODO:
1158  * call audit_finish directly ???
1159  * QUESTION:
1160  */
1161 
1162 /*ARGSUSED*/
1163 void
1164 audit_setf(file_t *fp, int fd)
1165 {
1166 	f_audit_data_t *fad;
1167 	t_audit_data_t *tad;
1168 
1169 	if (fp == NULL)
1170 		return;
1171 
1172 	tad = T2A(curthread);
1173 	fad = F2A(fp);
1174 
1175 	if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat ||
1176 	    tad->tad_scid == SYS_open64 || tad->tad_scid == SYS_creat64 ||
1177 	    tad->tad_scid == SYS_fsat))
1178 		return;
1179 
1180 	/* no path */
1181 	if (tad->tad_aupath == 0)
1182 		return;
1183 
1184 	/*
1185 	 * assign path information associated with file audit data
1186 	 * use tad hold
1187 	 */
1188 	fad->fad_aupath = tad->tad_aupath;
1189 	tad->tad_aupath = NULL;
1190 	tad->tad_vn = NULL;
1191 
1192 	if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) {
1193 	/* adjust event type */
1194 		switch (tad->tad_event) {
1195 		case AUE_OPEN_RC:
1196 			tad->tad_event = AUE_OPEN_R;
1197 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1198 			break;
1199 		case AUE_OPEN_RTC:
1200 			tad->tad_event = AUE_OPEN_RT;
1201 			break;
1202 		case AUE_OPEN_WC:
1203 			tad->tad_event = AUE_OPEN_W;
1204 			break;
1205 		case AUE_OPEN_WTC:
1206 			tad->tad_event = AUE_OPEN_WT;
1207 			break;
1208 		case AUE_OPEN_RWC:
1209 			tad->tad_event = AUE_OPEN_RW;
1210 			break;
1211 		case AUE_OPEN_RWTC:
1212 			tad->tad_event = AUE_OPEN_RWT;
1213 			break;
1214 		default:
1215 			break;
1216 		}
1217 	}
1218 }
1219 
1220 
1221 /*
1222  * ROUTINE:	AUDIT_COPEN
1223  * PURPOSE:
1224  * CALLBY:	COPEN
1225  * NOTE:
1226  * TODO:
1227  * QUESTION:
1228  */
1229 /*ARGSUSED*/
1230 void
1231 audit_copen(int fd, file_t *fp, vnode_t *vp)
1232 {
1233 }
1234 
1235 void
1236 audit_ipc(int type, int id, void *vp)
1237 {
1238 	/* if not auditing this event, then do nothing */
1239 	if (ad_flag == 0)
1240 		return;
1241 
1242 	switch (type) {
1243 	case AT_IPC_MSG:
1244 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1245 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
1246 		break;
1247 	case AT_IPC_SEM:
1248 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1249 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
1250 		break;
1251 	case AT_IPC_SHM:
1252 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
1253 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
1254 		break;
1255 	}
1256 }
1257 
1258 void
1259 audit_ipcget(int type, void *vp)
1260 {
1261 	/* if not auditing this event, then do nothing */
1262 	if (ad_flag == 0)
1263 		return;
1264 
1265 	switch (type) {
1266 	case NULL:
1267 		au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
1268 		break;
1269 	case AT_IPC_MSG:
1270 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
1271 		break;
1272 	case AT_IPC_SEM:
1273 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
1274 		break;
1275 	case AT_IPC_SHM:
1276 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
1277 		break;
1278 	}
1279 }
1280 
1281 /*
1282  * ROUTINE:	AUDIT_REBOOT
1283  * PURPOSE:
1284  * CALLBY:
1285  * NOTE:
1286  * At this point we know that the system call reboot will not return. We thus
1287  * have to complete the audit record generation and put it onto the queue.
1288  * This might be fairly useless if the auditing daemon is already dead....
1289  * TODO:
1290  * QUESTION:	who calls audit_reboot
1291  */
1292 
1293 void
1294 audit_reboot(void)
1295 {
1296 	int flag;
1297 	t_audit_data_t *tad;
1298 	au_kcontext_t	*kctx = SET_KCTX_PZ;
1299 
1300 	if (kctx == NULL) {
1301 		zone_status_t zstate = zone_status_get(curproc->p_zone);
1302 		ASSERT(zstate != ZONE_IS_READY);
1303 		return;
1304 	}
1305 
1306 	tad = U2A(u);
1307 
1308 	/* if not auditing this event, then do nothing */
1309 	if (tad->tad_flag == 0)
1310 		return;
1311 
1312 	/* do preselection on success/failure */
1313 	if (flag = audit_success(kctx, tad, 0)) {
1314 		/* add a process token */
1315 
1316 		cred_t *cr = CRED();
1317 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1318 
1319 		if (ainfo == NULL)
1320 			return;
1321 
1322 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo);
1323 
1324 		/* add an optional group token */
1325 		AUDIT_SETGROUP(&(u_ad), cr, kctx);
1326 
1327 		/* add a return token */
1328 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
1329 
1330 		AS_INC(as_generated, 1, kctx);
1331 		AS_INC(as_kernel, 1, kctx);
1332 	}
1333 
1334 	/*
1335 	 * Flow control useless here since we're going
1336 	 * to drop everything in the queue anyway. Why
1337 	 * block and wait. There aint anyone left alive to
1338 	 * read the records remaining anyway.
1339 	 */
1340 
1341 	/* Close up everything */
1342 	au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1343 	    tad->tad_event, tad->tad_evmod);
1344 }
1345 
1346 void
1347 audit_setfsat_path(int argnum)
1348 {
1349 	klwp_id_t clwp = ttolwp(curthread);
1350 	struct file  *fp;
1351 	uint32_t fd;
1352 	t_audit_data_t *tad;
1353 	struct f_audit_data *fad;
1354 	p_audit_data_t *pad;	/* current process */
1355 
1356 	struct b {
1357 		long arg1;
1358 		long arg2;
1359 		long arg3;
1360 		long arg4;
1361 		long arg5;
1362 	} *uap1;
1363 
1364 	if (clwp == NULL)
1365 		return;
1366 	uap1 = (struct b *)&clwp->lwp_ap[1];
1367 
1368 	tad = U2A(u);
1369 
1370 	ASSERT(tad != NULL);
1371 
1372 	if (tad->tad_scid != SYS_fsat)
1373 		return;
1374 
1375 	switch (argnum) {
1376 	case 1:
1377 		fd = (uint32_t)uap1->arg1;
1378 		break;
1379 	case 2:
1380 		fd = (uint32_t)uap1->arg2;
1381 		break;
1382 	case 3:
1383 		fd = (uint32_t)uap1->arg3;
1384 		break;
1385 	case 4:
1386 		fd = (uint32_t)uap1->arg4;
1387 		break;
1388 	case 5:
1389 		fd = (uint32_t)uap1->arg5;
1390 		break;
1391 	default:
1392 		return;
1393 	}
1394 
1395 	if (tad->tad_atpath != NULL) {
1396 		au_pathrele(tad->tad_atpath);
1397 		tad->tad_atpath = NULL;
1398 	}
1399 	if (fd != AT_FDCWD) {
1400 		if ((fp = getf(fd)) == NULL)
1401 			return;
1402 
1403 		fad = F2A(fp);
1404 		ASSERT(fad);
1405 		au_pathhold(fad->fad_aupath);
1406 		tad->tad_atpath = fad->fad_aupath;
1407 		releasef(fd);
1408 	} else {
1409 		pad = P2A(curproc);
1410 		mutex_enter(&pad->pad_lock);
1411 		au_pathhold(pad->pad_cwd);
1412 		tad->tad_atpath = pad->pad_cwd;
1413 		mutex_exit(&pad->pad_lock);
1414 	}
1415 }
1416 
1417 void
1418 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1419 {
1420 	t_audit_data_t *tad;
1421 	vnode_t	*vp;
1422 
1423 	tad = U2A(u);
1424 
1425 	/* if not auditing this event, then do nothing */
1426 	if (tad->tad_flag == 0)
1427 		return;
1428 
1429 	au_uwrite(au_to_text(target));
1430 
1431 	if (error)
1432 		return;
1433 
1434 	error = VOP_LOOKUP(dvp, sname, &vp, NULL, NO_FOLLOW, NULL, CRED());
1435 	if (error == 0) {
1436 		audit_attributes(vp);
1437 		VN_RELE(vp);
1438 	}
1439 }
1440 
1441 /*
1442  * ROUTINE:	AUDIT_VNCREATE_START
1443  * PURPOSE:	set flag so path name lookup in create will not add attribute
1444  * CALLBY:	VN_CREATE
1445  * NOTE:
1446  * TODO:
1447  * QUESTION:
1448  */
1449 
1450 void
1451 audit_vncreate_start()
1452 {
1453 	t_audit_data_t *tad;
1454 
1455 	tad = U2A(u);
1456 	tad->tad_ctrl |= PAD_NOATTRB;
1457 }
1458 
1459 /*
1460  * ROUTINE:	AUDIT_VNCREATE_FINISH
1461  * PURPOSE:
1462  * CALLBY:	VN_CREATE
1463  * NOTE:
1464  * TODO:
1465  * QUESTION:
1466  */
1467 void
1468 audit_vncreate_finish(struct vnode *vp, int error)
1469 {
1470 	t_audit_data_t *tad;
1471 
1472 	if (error)
1473 		return;
1474 
1475 	tad = U2A(u);
1476 
1477 	/* if not auditing this event, then do nothing */
1478 	if (tad->tad_flag == 0)
1479 		return;
1480 
1481 	if (tad->tad_ctrl & PAD_TRUE_CREATE) {
1482 		audit_attributes(vp);
1483 	}
1484 
1485 	if (tad->tad_ctrl & PAD_CORE) {
1486 		audit_attributes(vp);
1487 		tad->tad_ctrl &= ~PAD_CORE;
1488 	}
1489 
1490 	if (!error && ((tad->tad_event == AUE_MKNOD) ||
1491 			(tad->tad_event == AUE_MKDIR))) {
1492 		audit_attributes(vp);
1493 	}
1494 
1495 	/* for case where multiple lookups in one syscall (rename) */
1496 	tad->tad_ctrl &= ~PAD_NOATTRB;
1497 }
1498 
1499 
1500 
1501 
1502 
1503 
1504 
1505 
1506 /*
1507  * ROUTINE:	AUDIT_EXEC
1508  * PURPOSE:	Records the function arguments and environment variables
1509  * CALLBY:	EXEC_ARGS
1510  * NOTE:
1511  * TODO:
1512  * QUESTION:
1513  */
1514 
1515 /*ARGSUSED*/
1516 void
1517 audit_exec(
1518 	const char *argstr,	/* argument strings */
1519 	const char *envstr,	/* environment strings */
1520 	ssize_t argc,		/* total # arguments */
1521 	ssize_t envc)		/* total # environment variables */
1522 {
1523 	t_audit_data_t *tad;
1524 	au_kcontext_t	*kctx = SET_KCTX_PZ;
1525 
1526 	ASSERT(kctx != NULL);
1527 
1528 	tad = U2A(u);
1529 
1530 	/* if not auditing this event, then do nothing */
1531 	if (!tad->tad_flag)
1532 		return;
1533 
1534 	/* return if not interested in argv or environment variables */
1535 	if (!(kctx->auk_policy & (AUDIT_ARGV|AUDIT_ARGE)))
1536 		return;
1537 
1538 	if (kctx->auk_policy & AUDIT_ARGV) {
1539 		au_uwrite(au_to_exec_args(argstr, argc));
1540 	}
1541 
1542 	if (kctx->auk_policy & AUDIT_ARGE) {
1543 		au_uwrite(au_to_exec_env(envstr, envc));
1544 	}
1545 }
1546 
1547 /*
1548  * ROUTINE:	AUDIT_ENTERPROM
1549  * PURPOSE:
1550  * CALLBY:	KBDINPUT
1551  *		ZSA_XSINT
1552  * NOTE:
1553  * TODO:
1554  * QUESTION:
1555  */
1556 void
1557 audit_enterprom(int flg)
1558 {
1559 	token_t *rp = NULL;
1560 	int sorf;
1561 
1562 	if (flg)
1563 		sorf = AUM_SUCC;
1564 	else
1565 		sorf = AUM_FAIL;
1566 
1567 	AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1568 
1569 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1570 
1571 	if (flg)
1572 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1573 	else
1574 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1575 
1576 	AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL);
1577 }
1578 
1579 
1580 /*
1581  * ROUTINE:	AUDIT_EXITPROM
1582  * PURPOSE:
1583  * CALLBY:	KBDINPUT
1584  *		ZSA_XSINT
1585  * NOTE:
1586  * TODO:
1587  * QUESTION:
1588  */
1589 void
1590 audit_exitprom(int flg)
1591 {
1592 	int sorf;
1593 	token_t *rp = NULL;
1594 
1595 	if (flg)
1596 		sorf = AUM_SUCC;
1597 	else
1598 		sorf = AUM_FAIL;
1599 
1600 	AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1601 
1602 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1603 
1604 	if (flg)
1605 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1606 	else
1607 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1608 
1609 	AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL);
1610 }
1611 
1612 struct fcntla {
1613 	int fdes;
1614 	int cmd;
1615 	intptr_t arg;
1616 };
1617 
1618 /*
1619  * ROUTINE:	AUDIT_C2_REVOKE
1620  * PURPOSE:
1621  * CALLBY:	FCNTL
1622  * NOTE:
1623  * TODO:
1624  * QUESTION:	are we keeping this func
1625  */
1626 
1627 /*ARGSUSED*/
1628 int
1629 audit_c2_revoke(struct fcntla *uap, rval_t *rvp)
1630 {
1631 	return (0);
1632 }
1633 
1634 
1635 /*
1636  * ROUTINE:	AUDIT_CHDIREC
1637  * PURPOSE:
1638  * CALLBY:	CHDIREC
1639  * NOTE:	The main function of CHDIREC
1640  * TODO:	Move the audit_chdirec hook above the VN_RELE in vncalls.c
1641  * QUESTION:
1642  */
1643 
1644 /*ARGSUSED*/
1645 void
1646 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1647 {
1648 	int		chdir;
1649 	int		fchdir;
1650 	struct audit_path	**appp;
1651 	struct file	*fp;
1652 	f_audit_data_t *fad;
1653 	p_audit_data_t *pad = P2A(curproc);
1654 	t_audit_data_t *tad = T2A(curthread);
1655 
1656 	struct a {
1657 		long fd;
1658 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1659 
1660 	if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1661 		chdir = tad->tad_scid == SYS_chdir;
1662 		if (tad->tad_aupath) {
1663 			mutex_enter(&pad->pad_lock);
1664 			if (chdir)
1665 				appp = &(pad->pad_cwd);
1666 			else
1667 				appp = &(pad->pad_root);
1668 			au_pathrele(*appp);
1669 			/* use tad hold */
1670 			*appp = tad->tad_aupath;
1671 			tad->tad_aupath = NULL;
1672 			mutex_exit(&pad->pad_lock);
1673 		}
1674 	} else if ((tad->tad_scid == SYS_fchdir) ||
1675 	    (tad->tad_scid == SYS_fchroot)) {
1676 		fchdir = tad->tad_scid == SYS_fchdir;
1677 		if ((fp = getf(uap->fd)) == NULL)
1678 			return;
1679 		fad = F2A(fp);
1680 		if (fad->fad_aupath) {
1681 			au_pathhold(fad->fad_aupath);
1682 			mutex_enter(&pad->pad_lock);
1683 			if (fchdir)
1684 				appp = &(pad->pad_cwd);
1685 			else
1686 				appp = &(pad->pad_root);
1687 			au_pathrele(*appp);
1688 			*appp = fad->fad_aupath;
1689 			mutex_exit(&pad->pad_lock);
1690 			if (tad->tad_flag) {
1691 				au_uwrite(au_to_path(fad->fad_aupath));
1692 				audit_attributes(fp->f_vnode);
1693 			}
1694 		}
1695 		releasef(uap->fd);
1696 	}
1697 }
1698 
1699 /*
1700  * ROUTINE:	AUDIT_GETF
1701  * PURPOSE:
1702  * CALLBY:	GETF_INTERNAL
1703  * NOTE:	The main function of GETF_INTERNAL is to associate a given
1704  *		file descriptor with a file structure and increment the
1705  *		file pointer reference count.
1706  * TODO:	remove pass in of fpp.
1707  * increment a reference count so that even if a thread with same process delete
1708  * the same object, it will not panic our system
1709  * QUESTION:
1710  * where to decrement the f_count?????????????????
1711  * seems like I need to set a flag if f_count incrmented through audit_getf
1712  */
1713 
1714 /*ARGSUSED*/
1715 int
1716 audit_getf(int fd)
1717 {
1718 #ifdef NOTYET
1719 	t_audit_data_t *tad;
1720 
1721 	tad = T2A(curthread);
1722 
1723 	if (!(tad->tad_scid == SYS_open || tad->tad_scid == SYS_creat))
1724 		return;
1725 #endif
1726 	return (0);
1727 }
1728 
1729 /*
1730  *	Audit hook for stream based socket and tli request.
1731  *	Note that we do not have user context while executing
1732  *	this code so we had to record them earlier during the
1733  *	putmsg/getmsg to figure out which user we are dealing with.
1734  */
1735 
1736 /*ARGSUSED*/
1737 void
1738 audit_sock(
1739 	int type,	/* type of tihdr.h header requests */
1740 	queue_t *q,	/* contains the process and thread audit data */
1741 	mblk_t *mp,	/* contains the tihdr.h header structures */
1742 	int from)	/* timod or sockmod request */
1743 {
1744 	int32_t    len;
1745 	int32_t    offset;
1746 	struct sockaddr_in *sock_data;
1747 	struct T_conn_req *conn_req;
1748 	struct T_conn_ind *conn_ind;
1749 	struct T_unitdata_req *unitdata_req;
1750 	struct T_unitdata_ind *unitdata_ind;
1751 	au_state_t estate;
1752 	t_audit_data_t *tad;
1753 	caddr_t saved_thread_ptr;
1754 	au_mask_t amask;
1755 	const auditinfo_addr_t *ainfo;
1756 	au_kcontext_t	*kctx;
1757 	zone_status_t	zstate;
1758 
1759 	if (q->q_stream == NULL)
1760 		return;
1761 	mutex_enter(&q->q_stream->sd_lock);
1762 	/* are we being audited */
1763 	saved_thread_ptr = q->q_stream->sd_t_audit_data;
1764 	/* no pointer to thread, nothing to do */
1765 	if (saved_thread_ptr == NULL) {
1766 		mutex_exit(&q->q_stream->sd_lock);
1767 		return;
1768 	}
1769 	/* only allow one addition of a record token */
1770 	q->q_stream->sd_t_audit_data = NULL;
1771 	/*
1772 	 * thread is not the one being audited, then nothing to do
1773 	 * This could be the stream thread handling the module
1774 	 * service routine. In this case, the context for the audit
1775 	 * record can no longer be assumed. Simplest to just drop
1776 	 * the operation.
1777 	 */
1778 	if (curthread != (kthread_id_t)saved_thread_ptr) {
1779 		mutex_exit(&q->q_stream->sd_lock);
1780 		return;
1781 	}
1782 	if (curthread->t_sysnum >= SYS_so_socket &&
1783 	    curthread->t_sysnum <= SYS_sockconfig) {
1784 		mutex_exit(&q->q_stream->sd_lock);
1785 		return;
1786 	}
1787 	mutex_exit(&q->q_stream->sd_lock);
1788 	/*
1789 	 * we know that the thread that did the put/getmsg is the
1790 	 * one running. Now we can get the TAD and see if we should
1791 	 * add an audit token.
1792 	 */
1793 	tad = U2A(u);
1794 
1795 	kctx = SET_KCTX_PZ;
1796 	if (kctx == NULL) {
1797 		zstate = zone_status_get(curproc->p_zone);
1798 		ASSERT(zstate != ZONE_IS_READY);
1799 		return;
1800 	}
1801 
1802 	/* proceed ONLY if user is being audited */
1803 	if (!tad->tad_flag)
1804 		return;
1805 
1806 	ainfo = crgetauinfo(CRED());
1807 	if (ainfo == NULL)
1808 		return;
1809 	amask = ainfo->ai_mask;
1810 
1811 	/*
1812 	 * Figure out the type of stream networking request here.
1813 	 * Note that getmsg and putmsg are always preselected
1814 	 * because during the beginning of the system call we have
1815 	 * not yet figure out which of the socket or tli request
1816 	 * we are looking at until we are here. So we need to check
1817 	 * against that specific request and reset the type of event.
1818 	 */
1819 	switch (type) {
1820 	case T_CONN_REQ:	/* connection request */
1821 		conn_req = (struct T_conn_req *)mp->b_rptr;
1822 		if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1823 			return;
1824 		offset = conn_req->DEST_offset;
1825 		len = conn_req->DEST_length;
1826 		estate = kctx->auk_ets[AUE_SOCKCONNECT];
1827 		if (amask.as_success & estate || amask.as_failure & estate) {
1828 			tad->tad_event = AUE_SOCKCONNECT;
1829 			break;
1830 		} else {
1831 			return;
1832 		}
1833 	case T_CONN_IND:	 /* connectionless receive request */
1834 		conn_ind = (struct T_conn_ind *)mp->b_rptr;
1835 		if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1836 			return;
1837 		offset = conn_ind->SRC_offset;
1838 		len = conn_ind->SRC_length;
1839 		estate = kctx->auk_ets[AUE_SOCKACCEPT];
1840 		if (amask.as_success & estate || amask.as_failure & estate) {
1841 			tad->tad_event = AUE_SOCKACCEPT;
1842 			break;
1843 		} else {
1844 			return;
1845 		}
1846 	case T_UNITDATA_REQ:	 /* connectionless send request */
1847 		unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1848 		if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1849 			return;
1850 		offset = unitdata_req->DEST_offset;
1851 		len = unitdata_req->DEST_length;
1852 		estate = kctx->auk_ets[AUE_SOCKSEND];
1853 		if (amask.as_success & estate || amask.as_failure & estate) {
1854 			tad->tad_event = AUE_SOCKSEND;
1855 			break;
1856 		} else {
1857 			return;
1858 		}
1859 	case T_UNITDATA_IND:	 /* connectionless receive request */
1860 		unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1861 		if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1862 			return;
1863 		offset = unitdata_ind->SRC_offset;
1864 		len = unitdata_ind->SRC_length;
1865 		estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1866 		if (amask.as_success & estate || amask.as_failure & estate) {
1867 			tad->tad_event = AUE_SOCKRECEIVE;
1868 			break;
1869 		} else {
1870 			return;
1871 		}
1872 	default:
1873 		return;
1874 	}
1875 
1876 	/*
1877 	 * we are only interested in tcp stream connections,
1878 	 * not unix domain stuff
1879 	 */
1880 	if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1881 		tad->tad_event = AUE_GETMSG;
1882 		return;
1883 	}
1884 	/* skip over TPI header and point to the ip address */
1885 	sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1886 
1887 	switch (sock_data->sin_family) {
1888 	case AF_INET:
1889 		au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1890 		break;
1891 	default:	/* reset to AUE_PUTMSG if not a inet request */
1892 		tad->tad_event = AUE_GETMSG;
1893 		break;
1894 	}
1895 }
1896 
1897 void
1898 audit_lookupname()
1899 {
1900 }
1901 
1902 /*ARGSUSED*/
1903 int
1904 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr)
1905 {
1906 	return (0);
1907 }
1908 
1909 static void
1910 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1911 {
1912 	unsigned int sy_flags;
1913 
1914 #ifdef _SYSCALL32_IMPL
1915 	if (lwp_getdatamodel(
1916 		ttolwp(curthread)) == DATAMODEL_NATIVE)
1917 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1918 	else
1919 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1920 #else
1921 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1922 #endif
1923 
1924 	if (sy_flags == SE_64RVAL)
1925 		au_write(ad, au_to_return64(err, rval));
1926 	else
1927 		au_write(ad, au_to_return32(err, rval));
1928 
1929 }
1930 
1931 /*ARGSUSED*/
1932 void
1933 audit_fdsend(fd, fp, error)
1934 	int fd;
1935 	struct file *fp;
1936 	int error;		/* ignore for now */
1937 {
1938 	t_audit_data_t *tad;	/* current thread */
1939 	f_audit_data_t *fad;	/* per file audit structure */
1940 	struct vnode *vp;	/* for file attributes */
1941 
1942 	/* is this system call being audited */
1943 	tad = U2A(u);
1944 	ASSERT(tad != (t_audit_data_t *)0);
1945 	if (!tad->tad_flag)
1946 		return;
1947 
1948 	fad = F2A(fp);
1949 
1950 	/* add path and file attributes */
1951 	if (fad != NULL && fad->fad_aupath != NULL) {
1952 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1953 		au_uwrite(au_to_path(fad->fad_aupath));
1954 	} else {
1955 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1956 #ifdef _LP64
1957 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1958 #else
1959 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1960 #endif
1961 	}
1962 	vp = fp->f_vnode;	/* include vnode attributes */
1963 	audit_attributes(vp);
1964 }
1965 
1966 /*
1967  * Record privileges sucessfully used and we attempted to use but
1968  * didn't have.
1969  */
1970 void
1971 audit_priv(int priv, const priv_set_t *set, int flag)
1972 {
1973 	t_audit_data_t *tad;
1974 	int sbit;
1975 	priv_set_t *target;
1976 
1977 	/* Make sure this isn't being called in an interrupt context */
1978 	ASSERT(servicing_interrupt() == 0);
1979 
1980 	tad = U2A(u);
1981 
1982 	if (tad->tad_flag == 0)
1983 		return;
1984 
1985 	target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1986 	sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1987 
1988 	/* Tell audit_success() and audit_finish() that we saw this case */
1989 	if (!(tad->tad_evmod & sbit)) {
1990 		/* Clear set first time around */
1991 		priv_emptyset(target);
1992 		tad->tad_evmod |= sbit;
1993 	}
1994 
1995 	/* Save the privileges in the tad */
1996 	if (priv == PRIV_ALL) {
1997 		priv_fillset(target);
1998 	} else {
1999 		ASSERT(set != NULL || priv != PRIV_NONE);
2000 		if (set != NULL)
2001 			priv_union(set, target);
2002 		if (priv != PRIV_NONE)
2003 			priv_addset(target, priv);
2004 	}
2005 }
2006 
2007 /*
2008  * Audit the setpriv() system call; the operation, the set name and
2009  * the current value as well as the set argument are put in the
2010  * audit trail.
2011  */
2012 void
2013 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
2014 {
2015 	t_audit_data_t *tad;
2016 	const priv_set_t *oldpriv;
2017 	priv_set_t report;
2018 	const char *setname;
2019 
2020 	tad = U2A(u);
2021 
2022 	if (tad->tad_flag == 0)
2023 		return;
2024 
2025 	oldpriv = priv_getset(ocr, set);
2026 
2027 	/* Generate the actual record, include the before and after */
2028 	au_uwrite(au_to_arg32(2, "op", op));
2029 	setname = priv_getsetbynum(set);
2030 
2031 	switch (op) {
2032 	case PRIV_OFF:
2033 		/* Report privileges actually switched off */
2034 		report = *oldpriv;
2035 		priv_intersect(newpriv, &report);
2036 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
2037 		break;
2038 	case PRIV_ON:
2039 		/* Report privileges actually switched on */
2040 		report = *oldpriv;
2041 		priv_inverse(&report);
2042 		priv_intersect(newpriv, &report);
2043 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
2044 		break;
2045 	case PRIV_SET:
2046 		/* Report before and after */
2047 		au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
2048 		au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
2049 		break;
2050 	}
2051 }
2052 
2053 /*
2054  * Dump the full device policy setting in the audit trail.
2055  */
2056 void
2057 audit_devpolicy(int nitems, const devplcysys_t *items)
2058 {
2059 	t_audit_data_t *tad;
2060 	int i;
2061 
2062 	tad = U2A(u);
2063 
2064 	if (tad->tad_flag == 0)
2065 		return;
2066 
2067 	for (i = 0; i < nitems; i++) {
2068 		au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
2069 		if (items[i].dps_minornm[0] == '\0') {
2070 			au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
2071 			au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
2072 		} else
2073 			au_uwrite(au_to_text(items[i].dps_minornm));
2074 
2075 		au_uwrite(au_to_privset("read", &items[i].dps_rdp,
2076 		    AUT_PRIV, 0));
2077 		au_uwrite(au_to_privset("write", &items[i].dps_wrp,
2078 		    AUT_PRIV, 0));
2079 	}
2080 }
2081 
2082 /*ARGSUSED*/
2083 void
2084 audit_fdrecv(fd, fp)
2085 	int fd;
2086 	struct file *fp;
2087 {
2088 	t_audit_data_t *tad;	/* current thread */
2089 	f_audit_data_t *fad;	/* per file audit structure */
2090 	struct vnode *vp;	/* for file attributes */
2091 
2092 	/* is this system call being audited */
2093 	tad = U2A(u);
2094 	ASSERT(tad != (t_audit_data_t *)0);
2095 	if (!tad->tad_flag)
2096 		return;
2097 
2098 	fad = F2A(fp);
2099 
2100 	/* add path and file attributes */
2101 	if (fad != NULL && fad->fad_aupath != NULL) {
2102 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
2103 		au_uwrite(au_to_path(fad->fad_aupath));
2104 	} else {
2105 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
2106 #ifdef _LP64
2107 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
2108 #else
2109 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
2110 #endif
2111 	}
2112 	vp = fp->f_vnode;	/* include vnode attributes */
2113 	audit_attributes(vp);
2114 }
2115 
2116 /*
2117  * ROUTINE:	AUDIT_CRYPTOADM
2118  * PURPOSE:	Records arguments to administrative ioctls on /dev/cryptoadm
2119  * CALLBY:	CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
2120  *		CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
2121  *		CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
2122  *		CRYPTO_LOAD_DOOR
2123  * NOTE:
2124  * TODO:
2125  * QUESTION:
2126  */
2127 
2128 void
2129 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
2130     uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
2131 {
2132 	boolean_t		mech_list_required = B_FALSE;
2133 	cred_t			*cr = CRED();
2134 	t_audit_data_t		*tad;
2135 	token_t			*ad = NULL;
2136 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2137 	char			buffer[MAXNAMELEN * 2];
2138 	au_kcontext_t		*kctx = SET_KCTX_PZ;
2139 
2140 	ASSERT(kctx != NULL);
2141 
2142 	tad = U2A(u);
2143 	if (tad == NULL)
2144 		return;
2145 
2146 	if (ainfo == NULL)
2147 		return;
2148 
2149 	tad->tad_event = AUE_CRYPTOADM;
2150 
2151 	if (audit_success(kctx, tad, error) != AU_OK)
2152 		return;
2153 
2154 	/* Add a subject token */
2155 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo);
2156 
2157 	/* add an optional group token */
2158 	AUDIT_SETGROUP((caddr_t *)&(ad), cr, kctx);
2159 
2160 	switch (cmd) {
2161 	case CRYPTO_LOAD_DEV_DISABLED:
2162 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2163 			(void) snprintf(buffer, sizeof (buffer),
2164 			    "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
2165 			    " dev_instance=%d",
2166 			    module_name, device_instance);
2167 			mech_list_required = B_TRUE;
2168 		} else {
2169 			(void) snprintf(buffer, sizeof (buffer),
2170 			    "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
2171 		}
2172 		break;
2173 
2174 	case CRYPTO_LOAD_SOFT_DISABLED:
2175 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2176 			(void) snprintf(buffer, sizeof (buffer),
2177 			    "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
2178 			    module_name);
2179 			mech_list_required = B_TRUE;
2180 		} else {
2181 			(void) snprintf(buffer, sizeof (buffer),
2182 			    "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
2183 		}
2184 		break;
2185 
2186 	case CRYPTO_UNLOAD_SOFT_MODULE:
2187 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2188 			(void) snprintf(buffer, sizeof (buffer),
2189 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
2190 			    module_name);
2191 		} else {
2192 			(void) snprintf(buffer, sizeof (buffer),
2193 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
2194 		}
2195 		break;
2196 
2197 	case CRYPTO_LOAD_SOFT_CONFIG:
2198 		if (error == 0 && rv == CRYPTO_SUCCESS) {
2199 			(void) snprintf(buffer, sizeof (buffer),
2200 			    "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
2201 			    module_name);
2202 			mech_list_required = B_TRUE;
2203 		} else {
2204 			(void) snprintf(buffer, sizeof (buffer),
2205 			    "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
2206 		}
2207 		break;
2208 
2209 	case CRYPTO_POOL_CREATE:
2210 		(void) snprintf(buffer, sizeof (buffer),
2211 		    "op=CRYPTO_POOL_CREATE");
2212 		break;
2213 
2214 	case CRYPTO_POOL_WAIT:
2215 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
2216 		break;
2217 
2218 	case CRYPTO_POOL_RUN:
2219 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
2220 		break;
2221 
2222 	case CRYPTO_LOAD_DOOR:
2223 		if (error == 0 && rv == CRYPTO_SUCCESS)
2224 			(void) snprintf(buffer, sizeof (buffer),
2225 			    "op=CRYPTO_LOAD_DOOR");
2226 		else
2227 			(void) snprintf(buffer, sizeof (buffer),
2228 			    "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
2229 		break;
2230 
2231 	default:
2232 		return;
2233 	}
2234 
2235 	au_write((caddr_t *)&ad, au_to_text(buffer));
2236 
2237 	if (mech_list_required) {
2238 		int i;
2239 
2240 		if (mech_count == 0) {
2241 			au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
2242 		} else {
2243 			char	*pb = buffer;
2244 			size_t	l = sizeof (buffer);
2245 			size_t	n;
2246 			char	space[2] = ":";
2247 
2248 			n = snprintf(pb, l, "mech=");
2249 
2250 			for (i = 0; i < mech_count; i++) {
2251 				pb += n;
2252 				l -= n;
2253 				if (l < 0)
2254 					l = 0;
2255 
2256 				if (i == mech_count - 1)
2257 					(void) strcpy(space, "");
2258 
2259 				n = snprintf(pb, l, "%s%s", mech_names[i],
2260 				    space);
2261 			}
2262 			au_write((caddr_t *)&ad, au_to_text(buffer));
2263 		}
2264 	}
2265 
2266 	/* add a return token */
2267 	if (error || (rv != CRYPTO_SUCCESS))
2268 		add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
2269 	else
2270 		add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
2271 
2272 	AS_INC(as_generated, 1, kctx);
2273 	AS_INC(as_kernel, 1, kctx);
2274 
2275 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, 0);
2276 }
2277