1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/vfs_opreg.h> 76 #include <fs/sockfs/sockcommon.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 82 char _depends_on[] = "fs/sockfs"; 83 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 static au_event_t aui_labelsys(au_event_t); 103 static au_event_t aui_setpgrp(au_event_t); 104 105 static void aus_open(struct t_audit_data *); 106 static void aus_acl(struct t_audit_data *); 107 static void aus_acct(struct t_audit_data *); 108 static void aus_chown(struct t_audit_data *); 109 static void aus_fchown(struct t_audit_data *); 110 static void aus_lchown(struct t_audit_data *); 111 static void aus_chmod(struct t_audit_data *); 112 static void aus_facl(struct t_audit_data *); 113 static void aus_fchmod(struct t_audit_data *); 114 static void aus_fcntl(struct t_audit_data *); 115 static void aus_fsat(struct t_audit_data *); 116 static void aus_mkdir(struct t_audit_data *); 117 static void aus_mknod(struct t_audit_data *); 118 static void aus_mount(struct t_audit_data *); 119 static void aus_umount(struct t_audit_data *); 120 static void aus_umount2(struct t_audit_data *); 121 static void aus_msgsys(struct t_audit_data *); 122 static void aus_semsys(struct t_audit_data *); 123 static void aus_close(struct t_audit_data *); 124 static void aus_fstatfs(struct t_audit_data *); 125 static void aus_setgid(struct t_audit_data *); 126 static void aus_setpgrp(struct t_audit_data *); 127 static void aus_setuid(struct t_audit_data *); 128 static void aus_shmsys(struct t_audit_data *); 129 static void aus_doorfs(struct t_audit_data *); 130 static void aus_ioctl(struct t_audit_data *); 131 static void aus_memcntl(struct t_audit_data *); 132 static void aus_mmap(struct t_audit_data *); 133 static void aus_munmap(struct t_audit_data *); 134 static void aus_priocntlsys(struct t_audit_data *); 135 static void aus_setegid(struct t_audit_data *); 136 static void aus_setgroups(struct t_audit_data *); 137 static void aus_seteuid(struct t_audit_data *); 138 static void aus_putmsg(struct t_audit_data *); 139 static void aus_putpmsg(struct t_audit_data *); 140 static void aus_getmsg(struct t_audit_data *); 141 static void aus_getpmsg(struct t_audit_data *); 142 static void aus_auditsys(struct t_audit_data *); 143 static void aus_sysinfo(struct t_audit_data *); 144 static void aus_modctl(struct t_audit_data *); 145 static void aus_kill(struct t_audit_data *); 146 static void aus_xmknod(struct t_audit_data *); 147 static void aus_setregid(struct t_audit_data *); 148 static void aus_setreuid(struct t_audit_data *); 149 static void aus_labelsys(struct t_audit_data *); 150 151 static void auf_mknod(struct t_audit_data *, int, rval_t *); 152 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 153 static void auf_semsys(struct t_audit_data *, int, rval_t *); 154 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 155 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 156 static void auf_read(struct t_audit_data *, int, rval_t *); 157 static void auf_write(struct t_audit_data *, int, rval_t *); 158 159 static void aus_sigqueue(struct t_audit_data *); 160 static void aus_p_online(struct t_audit_data *); 161 static void aus_processor_bind(struct t_audit_data *); 162 static void aus_inst_sync(struct t_audit_data *); 163 static void aus_brandsys(struct t_audit_data *); 164 165 static void auf_accept(struct t_audit_data *, int, rval_t *); 166 167 static void auf_bind(struct t_audit_data *, int, rval_t *); 168 static void auf_connect(struct t_audit_data *, int, rval_t *); 169 static void aus_shutdown(struct t_audit_data *); 170 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 171 static void aus_sockconfig(struct t_audit_data *); 172 static void auf_recv(struct t_audit_data *, int, rval_t *); 173 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 174 static void auf_send(struct t_audit_data *, int, rval_t *); 175 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 176 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 177 static void auf_sendto(struct t_audit_data *, int, rval_t *); 178 static void aus_socket(struct t_audit_data *); 179 /* 180 * This table contains mapping information for converting system call numbers 181 * to audit event IDs. In several cases it is necessary to map a single system 182 * call to several events. 183 */ 184 185 #define aui_null NULL /* NULL initialize function */ 186 #define aus_null NULL /* NULL start function */ 187 #define auf_null NULL /* NULL finish function */ 188 189 struct audit_s2e audit_s2e[] = 190 { 191 /* 192 * ---------- ---------- ---------- ---------- 193 * INITIAL AUDIT START SYSTEM 194 * PROCESSING EVENT PROCESSING CALL 195 * ---------- ---------- ---------- ----------- 196 * FINISH EVENT 197 * PROCESSING CONTROL 198 * ---------------------------------------------------------- 199 */ 200 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 201 auf_null, 0, 202 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 203 auf_null, S2E_NPT, 204 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 205 auf_null, 0, 206 aui_null, AUE_READ, aus_null, /* 3 read */ 207 auf_read, S2E_PUB, 208 aui_null, AUE_WRITE, aus_null, /* 4 write */ 209 auf_write, 0, 210 aui_open, AUE_OPEN, aus_open, /* 5 open */ 211 auf_null, S2E_SP, 212 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 213 auf_null, 0, 214 aui_null, AUE_NULL, aus_null, /* 7 wait */ 215 auf_null, 0, 216 aui_null, AUE_CREAT, aus_null, /* 8 create */ 217 auf_null, S2E_SP, 218 aui_null, AUE_LINK, aus_null, /* 9 link */ 219 auf_null, 0, 220 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 221 auf_null, 0, 222 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 223 auf_null, S2E_MLD, 224 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 225 auf_null, S2E_SP, 226 aui_null, AUE_NULL, aus_null, /* 13 time */ 227 auf_null, 0, 228 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 229 auf_mknod, 0, 230 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 231 auf_null, 0, 232 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 233 auf_null, 0, 234 aui_null, AUE_NULL, aus_null, /* 17 brk */ 235 auf_null, 0, 236 aui_null, AUE_STAT, aus_null, /* 18 stat */ 237 auf_null, S2E_PUB, 238 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 239 auf_null, 0, 240 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 241 auf_null, 0, 242 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 243 auf_null, S2E_MLD, 244 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 245 auf_null, 0, 246 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 247 auf_null, 0, 248 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 249 auf_null, 0, 250 aui_null, AUE_STIME, aus_null, /* 25 stime */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 255 auf_null, 0, 256 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 257 auf_null, 0, 258 aui_null, AUE_NULL, aus_null, /* 29 pause */ 259 auf_null, 0, 260 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 261 auf_null, 0, 262 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 263 auf_null, 0, 264 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 265 auf_null, 0, 266 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 267 auf_null, S2E_PUB, 268 aui_null, AUE_NICE, aus_null, /* 34 nice */ 269 auf_null, 0, 270 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 271 auf_null, S2E_PUB, 272 aui_null, AUE_NULL, aus_null, /* 36 sync */ 273 auf_null, 0, 274 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 275 auf_null, 0, 276 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 277 auf_null, S2E_PUB, 278 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */ 279 auf_null, 0, 280 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 281 auf_null, 0, 282 aui_null, AUE_NULL, aus_null, /* 41 dup */ 283 auf_null, 0, 284 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 43 times */ 287 auf_null, 0, 288 aui_null, AUE_NULL, aus_null, /* 44 profil */ 289 auf_null, 0, 290 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 291 /* was proc lock */ 292 auf_null, 0, 293 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 296 auf_null, 0, 297 aui_null, AUE_NULL, aus_null, /* 48 sig */ 298 auf_null, 0, 299 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 300 auf_msgsys, 0, 301 #if defined(__x86) 302 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 303 auf_null, 0, 304 #else 305 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 306 auf_null, 0, 307 #endif /* __x86 */ 308 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 309 auf_null, 0, 310 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 311 auf_shmsys, 0, 312 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 313 auf_semsys, 0, 314 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 315 auf_null, 0, 316 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 317 auf_null, 0, 318 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 319 auf_null, 0, 320 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 321 auf_null, 0, 322 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 323 auf_null, 0, 324 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 325 auf_null, S2E_MLD, 326 aui_null, AUE_NULL, aus_null, /* 60 umask */ 327 auf_null, 0, 328 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 329 auf_null, S2E_SP, 330 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 337 auf_null, 0, 338 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 339 auf_null, 0, 340 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 341 /* file locking call */ 342 auf_null, 0, 343 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 344 /* local system calls */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 357 auf_null, 0, 358 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 359 /* was sigret (SunOS) */ 360 auf_null, 0, 361 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 362 auf_null, 0, 363 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 364 auf_null, 0, 365 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 366 auf_null, 0, 367 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 368 auf_null, 0, 369 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 370 auf_null, 0, 371 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 372 auf_null, 0, 373 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 374 /* was libattach */ 375 auf_null, 0, 376 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 377 /* was libdetach */ 378 auf_null, 0, 379 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 380 auf_null, 0, 381 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 382 auf_null, 0, 383 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 384 auf_null, 0, 385 aui_null, AUE_NULL, aus_null, /* 87 poll */ 386 auf_null, 0, 387 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 388 auf_null, S2E_PUB, 389 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 390 auf_null, 0, 391 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 392 auf_null, S2E_PUB, 393 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 394 auf_null, 0, 395 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 396 auf_null, 0, 397 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 398 auf_null, 0, 399 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 410 auf_null, 0, 411 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 412 auf_null, 0, 413 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 414 auf_null, 0, 415 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 416 /* was evtrapret */ 417 auf_null, 0, 418 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 419 auf_null, S2E_PUB, 420 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 425 auf_null, 0, 426 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 427 auf_null, 0, 428 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 429 auf_null, 0, 430 #if defined(__x86) 431 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 432 auf_null, 0, 433 #else 434 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 435 auf_null, 0, 436 #endif /* __x86 */ 437 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 438 auf_null, 0, 439 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 440 auf_null, 0, 441 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 442 auf_null, 0, /* 112 priocntlsys */ 443 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 444 auf_null, S2E_PUB, 445 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 446 auf_null, 0, 447 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 448 auf_null, 0, 449 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 450 auf_null, 0, 451 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 452 auf_null, 0, 453 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 454 auf_null, 0, 455 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 456 auf_null, 0, 457 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 458 auf_null, 0, 459 aui_null, AUE_READ, aus_null, /* 121 readv */ 460 auf_read, S2E_PUB, 461 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 462 auf_write, 0, 463 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 464 auf_null, S2E_PUB, 465 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 466 auf_null, S2E_PUB, 467 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 468 auf_null, 0, 469 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 470 auf_xmknod, 0, 471 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 472 auf_null, 0, 473 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 474 auf_null, 0, 475 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 476 auf_null, 0, 477 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 478 auf_null, 0, 479 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 480 auf_null, 0, 481 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 482 auf_null, 0, 483 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 484 auf_null, 0, 485 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 486 auf_null, 0, 487 aui_null, AUE_NULL, aus_null, /* 135 uname */ 488 auf_null, 0, 489 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 490 auf_null, 0, 491 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 492 auf_null, 0, 493 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 494 auf_null, 0, 495 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 496 auf_null, 0, 497 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 498 auf_null, 0, 499 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 500 auf_null, 0, 501 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 502 auf_null, 0, 503 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 146 yield */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 514 auf_null, 0, 515 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 516 auf_null, 0, 517 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 518 auf_null, 0, 519 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 520 auf_null, 0, 521 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 522 auf_null, 0, 523 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 524 auf_null, 0, 525 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 544 auf_null, 0, 545 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 546 auf_null, 0, 547 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 548 /* was lwp_setprivate */ 549 auf_null, 0, 550 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 551 /* was lwp_getprivate */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 560 auf_null, 0, 561 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 562 auf_null, 0, 563 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 564 auf_null, 0, 565 aui_null, AUE_READ, aus_null, /* 173 pread */ 566 auf_read, S2E_PUB, 567 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 568 auf_write, 0, 569 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 570 auf_null, 0, 571 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 572 /* aus_inst_sync */ 573 auf_null, 0, 574 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 579 auf_null, 0, 580 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 581 auf_null, 0, 582 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 583 auf_null, 0, 584 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 585 auf_null, S2E_MLD, 586 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 587 auf_null, 0, 588 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 589 auf_null, 0, 590 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 591 auf_null, 0, 592 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 593 auf_null, 0, 594 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 595 auf_null, 0, /* 187 processor_bind */ 596 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 597 auf_null, 0, 598 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 599 auf_null, 0, 600 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 601 auf_null, 0, 602 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 603 auf_null, 0, 604 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 613 auf_null, 0, 614 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 615 auf_null, 0, 616 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 617 auf_null, 0, 618 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 619 auf_null, 0, 620 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 621 auf_null, 0, 622 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 623 auf_null, 0, 624 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 625 auf_null, 0, 626 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 641 auf_null, 0, 642 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 643 auf_null, 0, 644 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 645 auf_null, 0, 646 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 647 auf_null, 0, 648 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 649 auf_null, 0, 650 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 651 auf_null, S2E_PUB, 652 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 653 auf_null, S2E_PUB, 654 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 655 auf_null, 0, 656 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 657 auf_null, S2E_PUB, 658 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 659 auf_null, 0, 660 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 661 auf_null, 0, 662 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 663 auf_null, 0, 664 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 665 auf_read, S2E_PUB, 666 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 667 auf_write, 0, 668 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 669 auf_null, S2E_SP, 670 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 671 auf_null, S2E_SP, 672 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 675 auf_null, 0, 676 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 677 auf_null, 0, 678 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 679 auf_null, 0, 680 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 681 auf_null, 0, 682 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 683 auf_null, 0, 684 aui_null, AUE_BIND, aus_null, /* 232 bind */ 685 auf_bind, 0, 686 aui_null, AUE_NULL, aus_null, /* 233 listen */ 687 auf_null, 0, 688 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 689 auf_accept, 0, 690 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 691 auf_connect, 0, 692 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 693 auf_null, 0, 694 aui_null, AUE_READ, aus_null, /* 237 recv */ 695 auf_recv, 0, 696 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 697 auf_recvfrom, 0, 698 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 699 auf_recvmsg, 0, 700 aui_null, AUE_WRITE, aus_null, /* 240 send */ 701 auf_send, 0, 702 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 703 auf_sendmsg, 0, 704 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 705 auf_sendto, 0, 706 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 707 auf_null, 0, 708 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 709 auf_null, 0, 710 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 711 auf_null, 0, 712 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 713 auf_setsockopt, 0, 714 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 715 auf_null, 0, 716 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 717 auf_null, 0, 718 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 723 auf_null, 0, 724 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 725 auf_null, 0, 726 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 727 auf_null, 0, 728 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 729 auf_null, 0, 730 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 731 auf_null, 0 732 }; 733 734 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 735 736 737 /* acct start function */ 738 /*ARGSUSED*/ 739 static void 740 aus_acct(struct t_audit_data *tad) 741 { 742 klwp_t *clwp = ttolwp(curthread); 743 uintptr_t fname; 744 745 struct a { 746 long fname; /* char * */ 747 } *uap = (struct a *)clwp->lwp_ap; 748 749 fname = (uintptr_t)uap->fname; 750 751 if (fname == 0) 752 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 753 } 754 755 /* chown start function */ 756 /*ARGSUSED*/ 757 static void 758 aus_chown(struct t_audit_data *tad) 759 { 760 klwp_t *clwp = ttolwp(curthread); 761 uint32_t uid, gid; 762 763 struct a { 764 long fname; /* char * */ 765 long uid; 766 long gid; 767 } *uap = (struct a *)clwp->lwp_ap; 768 769 uid = (uint32_t)uap->uid; 770 gid = (uint32_t)uap->gid; 771 772 au_uwrite(au_to_arg32(2, "new file uid", uid)); 773 au_uwrite(au_to_arg32(3, "new file gid", gid)); 774 } 775 776 /* fchown start function */ 777 /*ARGSUSED*/ 778 static void 779 aus_fchown(struct t_audit_data *tad) 780 { 781 klwp_t *clwp = ttolwp(curthread); 782 uint32_t uid, gid, fd; 783 struct file *fp; 784 struct vnode *vp; 785 struct f_audit_data *fad; 786 787 struct a { 788 long fd; 789 long uid; 790 long gid; 791 } *uap = (struct a *)clwp->lwp_ap; 792 793 fd = (uint32_t)uap->fd; 794 uid = (uint32_t)uap->uid; 795 gid = (uint32_t)uap->gid; 796 797 au_uwrite(au_to_arg32(2, "new file uid", uid)); 798 au_uwrite(au_to_arg32(3, "new file gid", gid)); 799 800 /* 801 * convert file pointer to file descriptor 802 * Note: fd ref count incremented here. 803 */ 804 if ((fp = getf(fd)) == NULL) 805 return; 806 807 /* get path from file struct here */ 808 fad = F2A(fp); 809 if (fad->fad_aupath != NULL) { 810 au_uwrite(au_to_path(fad->fad_aupath)); 811 } else { 812 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 813 } 814 815 vp = fp->f_vnode; 816 audit_attributes(vp); 817 818 /* decrement file descriptor reference count */ 819 releasef(fd); 820 } 821 822 /*ARGSUSED*/ 823 static void 824 aus_lchown(struct t_audit_data *tad) 825 { 826 klwp_t *clwp = ttolwp(curthread); 827 uint32_t uid, gid; 828 829 830 struct a { 831 long fname; /* char * */ 832 long uid; 833 long gid; 834 } *uap = (struct a *)clwp->lwp_ap; 835 836 uid = (uint32_t)uap->uid; 837 gid = (uint32_t)uap->gid; 838 839 au_uwrite(au_to_arg32(2, "new file uid", uid)); 840 au_uwrite(au_to_arg32(3, "new file gid", gid)); 841 } 842 843 /* chmod start function */ 844 /*ARGSUSED*/ 845 static void 846 aus_chmod(struct t_audit_data *tad) 847 { 848 klwp_t *clwp = ttolwp(curthread); 849 uint32_t fmode; 850 851 struct a { 852 long fname; /* char * */ 853 long fmode; 854 } *uap = (struct a *)clwp->lwp_ap; 855 856 fmode = (uint32_t)uap->fmode; 857 858 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 859 } 860 861 /* chmod start function */ 862 /*ARGSUSED*/ 863 static void 864 aus_fchmod(struct t_audit_data *tad) 865 { 866 klwp_t *clwp = ttolwp(curthread); 867 uint32_t fmode, fd; 868 struct file *fp; 869 struct vnode *vp; 870 struct f_audit_data *fad; 871 872 struct a { 873 long fd; 874 long fmode; 875 } *uap = (struct a *)clwp->lwp_ap; 876 877 fd = (uint32_t)uap->fd; 878 fmode = (uint32_t)uap->fmode; 879 880 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 881 882 /* 883 * convert file pointer to file descriptor 884 * Note: fd ref count incremented here. 885 */ 886 if ((fp = getf(fd)) == NULL) 887 return; 888 889 /* get path from file struct here */ 890 fad = F2A(fp); 891 if (fad->fad_aupath != NULL) { 892 au_uwrite(au_to_path(fad->fad_aupath)); 893 } else { 894 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 895 } 896 897 vp = fp->f_vnode; 898 audit_attributes(vp); 899 900 /* decrement file descriptor reference count */ 901 releasef(fd); 902 } 903 904 905 /* convert open to appropriate event */ 906 static au_event_t 907 aui_open(au_event_t e) 908 { 909 klwp_t *clwp = ttolwp(curthread); 910 uint_t fm; 911 912 struct a { 913 long fnamep; /* char * */ 914 long fmode; 915 long cmode; 916 } *uap = (struct a *)clwp->lwp_ap; 917 918 fm = (uint_t)uap->fmode; 919 920 if (fm & O_WRONLY) 921 e = AUE_OPEN_W; 922 else if (fm & O_RDWR) 923 e = AUE_OPEN_RW; 924 else 925 e = AUE_OPEN_R; 926 927 if (fm & O_CREAT) 928 e += 1; 929 if (fm & O_TRUNC) 930 e += 2; 931 932 return (e); 933 } 934 935 /*ARGSUSED*/ 936 static void 937 aus_open(struct t_audit_data *tad) 938 { 939 klwp_t *clwp = ttolwp(curthread); 940 uint_t fm; 941 942 struct a { 943 long fnamep; /* char * */ 944 long fmode; 945 long cmode; 946 } *uap = (struct a *)clwp->lwp_ap; 947 948 fm = (uint_t)uap->fmode; 949 950 /* If no write, create, or trunc modes, mark as a public op */ 951 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 952 tad->tad_ctrl |= PAD_PUBLIC_EV; 953 } 954 955 /* convert openat(2) to appropriate event */ 956 static au_event_t 957 aui_fsat(au_event_t e) 958 { 959 t_audit_data_t *tad = U2A(u); 960 klwp_t *clwp = ttolwp(curthread); 961 uint_t fmcode, fm; 962 struct a { 963 long id; 964 long arg1; 965 long arg2; 966 long arg3; 967 long arg4; 968 long arg5; 969 } *uap = (struct a *)clwp->lwp_ap; 970 971 fmcode = (uint_t)uap->id; 972 973 switch (fmcode) { 974 975 case 0: /* openat */ 976 case 1: /* openat64 */ 977 fm = (uint_t)uap->arg3; 978 if (fm & O_WRONLY) 979 e = AUE_OPENAT_W; 980 else if (fm & O_RDWR) 981 e = AUE_OPENAT_RW; 982 else 983 e = AUE_OPENAT_R; 984 985 /* 986 * openat modes are defined in the following order: 987 * Read only 988 * Read|Create 989 * Read|Trunc 990 * Read|Create|Trunc 991 * Write Only 992 * Write|Create 993 * Write|Trunc 994 * Write|Create|Trunc * RW Only 995 * RW|Create 996 * RW|Trunc 997 * RW|Create|Trunc 998 */ 999 if (fm & O_CREAT) 1000 e += 1; /* increment to include CREAT in mode */ 1001 if (fm & O_TRUNC) 1002 e += 2; /* increment to include TRUNC in mode */ 1003 1004 /* convert to appropriate au_ctrl */ 1005 tad->tad_ctrl |= PAD_SAVPATH; 1006 if (fm & FXATTR) 1007 tad->tad_ctrl |= PAD_ATPATH; 1008 1009 1010 break; 1011 case 2: /* fstatat64 */ 1012 case 3: /* fstatat */ 1013 e = AUE_FSTATAT; 1014 break; 1015 case 4: /* fchownat */ 1016 e = AUE_FCHOWNAT; 1017 break; 1018 case 5: /* unlinkat */ 1019 e = AUE_UNLINKAT; 1020 break; 1021 case 6: /* futimesat */ 1022 e = AUE_FUTIMESAT; 1023 break; 1024 case 7: /* renameat */ 1025 e = AUE_RENAMEAT; 1026 break; 1027 case 9: /* __openattrdirat */ 1028 tad->tad_ctrl |= PAD_SAVPATH; 1029 /*FALLTHROUGH*/ 1030 default: 1031 e = AUE_NULL; 1032 break; 1033 } 1034 1035 return (e); 1036 } 1037 1038 /*ARGSUSED*/ 1039 static void 1040 aus_fsat(struct t_audit_data *tad) 1041 { 1042 klwp_t *clwp = ttolwp(curthread); 1043 uint_t fmcode, fm; 1044 struct a { 1045 long id; 1046 long arg1; 1047 long arg2; 1048 long arg3; 1049 long arg4; 1050 long arg5; 1051 } *uap = (struct a *)clwp->lwp_ap; 1052 1053 fmcode = (uint_t)uap->id; 1054 1055 switch (fmcode) { 1056 1057 case 0: /* openat */ 1058 case 1: /* openat64 */ 1059 fm = (uint_t)uap->arg3; 1060 /* If no write, create, or trunc modes, mark as a public op */ 1061 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1062 tad->tad_ctrl |= PAD_PUBLIC_EV; 1063 1064 break; 1065 case 2: /* fstatat64 */ 1066 case 3: /* fstatat */ 1067 tad->tad_ctrl |= PAD_PUBLIC_EV; 1068 break; 1069 default: 1070 break; 1071 } 1072 } 1073 1074 /* msgsys */ 1075 static au_event_t 1076 aui_msgsys(au_event_t e) 1077 { 1078 klwp_t *clwp = ttolwp(curthread); 1079 uint_t fm; 1080 1081 struct a { 1082 long id; /* function code id */ 1083 long ap; /* arg pointer for recvmsg */ 1084 } *uap = (struct a *)clwp->lwp_ap; 1085 1086 struct b { 1087 long msgid; 1088 long cmd; 1089 long buf; /* struct msqid_ds * */ 1090 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1091 1092 fm = (uint_t)uap->id; 1093 1094 switch (fm) { 1095 case 0: /* msgget */ 1096 e = AUE_MSGGET; 1097 break; 1098 case 1: /* msgctl */ 1099 switch ((uint_t)uap1->cmd) { 1100 case IPC_RMID: 1101 e = AUE_MSGCTL_RMID; 1102 break; 1103 case IPC_SET: 1104 e = AUE_MSGCTL_SET; 1105 break; 1106 case IPC_STAT: 1107 e = AUE_MSGCTL_STAT; 1108 break; 1109 default: 1110 e = AUE_MSGCTL; 1111 break; 1112 } 1113 break; 1114 case 2: /* msgrcv */ 1115 e = AUE_MSGRCV; 1116 break; 1117 case 3: /* msgsnd */ 1118 e = AUE_MSGSND; 1119 break; 1120 default: /* illegal system call */ 1121 e = AUE_NULL; 1122 break; 1123 } 1124 1125 return (e); 1126 } 1127 1128 1129 /* shmsys */ 1130 static au_event_t 1131 aui_shmsys(au_event_t e) 1132 { 1133 klwp_t *clwp = ttolwp(curthread); 1134 int fm; 1135 1136 struct a { /* shmsys */ 1137 long id; /* function code id */ 1138 } *uap = (struct a *)clwp->lwp_ap; 1139 1140 struct b { /* ctrl */ 1141 long shmid; 1142 long cmd; 1143 long arg; /* struct shmid_ds * */ 1144 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1145 fm = (uint_t)uap->id; 1146 1147 switch (fm) { 1148 case 0: /* shmat */ 1149 e = AUE_SHMAT; 1150 break; 1151 case 1: /* shmctl */ 1152 switch ((uint_t)uap1->cmd) { 1153 case IPC_RMID: 1154 e = AUE_SHMCTL_RMID; 1155 break; 1156 case IPC_SET: 1157 e = AUE_SHMCTL_SET; 1158 break; 1159 case IPC_STAT: 1160 e = AUE_SHMCTL_STAT; 1161 break; 1162 default: 1163 e = AUE_SHMCTL; 1164 break; 1165 } 1166 break; 1167 case 2: /* shmdt */ 1168 e = AUE_SHMDT; 1169 break; 1170 case 3: /* shmget */ 1171 e = AUE_SHMGET; 1172 break; 1173 default: /* illegal system call */ 1174 e = AUE_NULL; 1175 break; 1176 } 1177 1178 return (e); 1179 } 1180 1181 1182 /* semsys */ 1183 static au_event_t 1184 aui_semsys(au_event_t e) 1185 { 1186 klwp_t *clwp = ttolwp(curthread); 1187 uint_t fm; 1188 1189 struct a { /* semsys */ 1190 long id; 1191 } *uap = (struct a *)clwp->lwp_ap; 1192 1193 struct b { /* ctrl */ 1194 long semid; 1195 long semnum; 1196 long cmd; 1197 long arg; 1198 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1199 1200 fm = (uint_t)uap->id; 1201 1202 switch (fm) { 1203 case 0: /* semctl */ 1204 switch ((uint_t)uap1->cmd) { 1205 case IPC_RMID: 1206 e = AUE_SEMCTL_RMID; 1207 break; 1208 case IPC_SET: 1209 e = AUE_SEMCTL_SET; 1210 break; 1211 case IPC_STAT: 1212 e = AUE_SEMCTL_STAT; 1213 break; 1214 case GETNCNT: 1215 e = AUE_SEMCTL_GETNCNT; 1216 break; 1217 case GETPID: 1218 e = AUE_SEMCTL_GETPID; 1219 break; 1220 case GETVAL: 1221 e = AUE_SEMCTL_GETVAL; 1222 break; 1223 case GETALL: 1224 e = AUE_SEMCTL_GETALL; 1225 break; 1226 case GETZCNT: 1227 e = AUE_SEMCTL_GETZCNT; 1228 break; 1229 case SETVAL: 1230 e = AUE_SEMCTL_SETVAL; 1231 break; 1232 case SETALL: 1233 e = AUE_SEMCTL_SETALL; 1234 break; 1235 default: 1236 e = AUE_SEMCTL; 1237 break; 1238 } 1239 break; 1240 case 1: /* semget */ 1241 e = AUE_SEMGET; 1242 break; 1243 case 2: /* semop */ 1244 e = AUE_SEMOP; 1245 break; 1246 default: /* illegal system call */ 1247 e = AUE_NULL; 1248 break; 1249 } 1250 1251 return (e); 1252 } 1253 1254 /* utssys - uname(2), ustat(2), fusers(2) */ 1255 static au_event_t 1256 aui_utssys(au_event_t e) 1257 { 1258 klwp_t *clwp = ttolwp(curthread); 1259 uint_t type; 1260 1261 struct a { 1262 union { 1263 long cbuf; /* char * */ 1264 long ubuf; /* struct stat * */ 1265 } ub; 1266 union { 1267 long mv; /* for USTAT */ 1268 long flags; /* for FUSERS */ 1269 } un; 1270 long type; 1271 long outbp; /* char * for FUSERS */ 1272 } *uap = (struct a *)clwp->lwp_ap; 1273 1274 type = (uint_t)uap->type; 1275 1276 if (type == UTS_FUSERS) 1277 return (e); 1278 else 1279 return ((au_event_t)AUE_NULL); 1280 } 1281 1282 static au_event_t 1283 aui_fcntl(au_event_t e) 1284 { 1285 klwp_t *clwp = ttolwp(curthread); 1286 uint_t cmd; 1287 1288 struct a { 1289 long fdes; 1290 long cmd; 1291 long arg; 1292 } *uap = (struct a *)clwp->lwp_ap; 1293 1294 cmd = (uint_t)uap->cmd; 1295 1296 switch (cmd) { 1297 case F_GETLK: 1298 case F_SETLK: 1299 case F_SETLKW: 1300 break; 1301 case F_SETFL: 1302 case F_GETFL: 1303 case F_GETFD: 1304 break; 1305 default: 1306 e = (au_event_t)AUE_NULL; 1307 break; 1308 } 1309 return ((au_event_t)e); 1310 } 1311 1312 /* null function for now */ 1313 static au_event_t 1314 aui_execv(au_event_t e) 1315 { 1316 return (e); 1317 } 1318 1319 /* null function for now */ 1320 static au_event_t 1321 aui_execve(au_event_t e) 1322 { 1323 return (e); 1324 } 1325 1326 /*ARGSUSED*/ 1327 static void 1328 aus_fcntl(struct t_audit_data *tad) 1329 { 1330 klwp_t *clwp = ttolwp(curthread); 1331 uint32_t cmd, fd; 1332 struct file *fp; 1333 struct vnode *vp; 1334 struct f_audit_data *fad; 1335 1336 struct a { 1337 long fd; 1338 long cmd; 1339 long arg; 1340 } *uap = (struct a *)clwp->lwp_ap; 1341 1342 cmd = (uint32_t)uap->cmd; 1343 fd = (uint32_t)uap->fd; 1344 1345 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1346 1347 /* 1348 * convert file pointer to file descriptor 1349 * Note: fd ref count incremented here. 1350 */ 1351 if ((fp = getf(fd)) == NULL) 1352 return; 1353 1354 /* get path from file struct here */ 1355 fad = F2A(fp); 1356 if (fad->fad_aupath != NULL) { 1357 au_uwrite(au_to_path(fad->fad_aupath)); 1358 } else { 1359 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1360 } 1361 1362 vp = fp->f_vnode; 1363 audit_attributes(vp); 1364 1365 /* decrement file descriptor reference count */ 1366 releasef(fd); 1367 } 1368 1369 /*ARGSUSED*/ 1370 static void 1371 aus_kill(struct t_audit_data *tad) 1372 { 1373 klwp_t *clwp = ttolwp(curthread); 1374 struct proc *p; 1375 uint32_t signo; 1376 uid_t uid, ruid; 1377 gid_t gid, rgid; 1378 pid_t pid; 1379 const auditinfo_addr_t *ainfo; 1380 cred_t *cr; 1381 1382 struct a { 1383 long pid; 1384 long signo; 1385 } *uap = (struct a *)clwp->lwp_ap; 1386 1387 pid = (pid_t)uap->pid; 1388 signo = (uint32_t)uap->signo; 1389 1390 au_uwrite(au_to_arg32(2, "signal", signo)); 1391 if (pid > 0) { 1392 mutex_enter(&pidlock); 1393 if (((p = prfind(pid)) == (struct proc *)0) || 1394 (p->p_stat == SIDL)) { 1395 mutex_exit(&pidlock); 1396 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1397 return; 1398 } 1399 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1400 mutex_exit(&pidlock); 1401 1402 mutex_enter(&p->p_crlock); 1403 crhold(cr = p->p_cred); 1404 mutex_exit(&p->p_crlock); 1405 mutex_exit(&p->p_lock); 1406 1407 ainfo = crgetauinfo(cr); 1408 if (ainfo == NULL) { 1409 crfree(cr); 1410 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1411 return; 1412 } 1413 1414 uid = crgetuid(cr); 1415 gid = crgetgid(cr); 1416 ruid = crgetruid(cr); 1417 rgid = crgetrgid(cr); 1418 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1419 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1420 1421 if (is_system_labeled()) 1422 au_uwrite(au_to_label(CR_SL(cr))); 1423 1424 crfree(cr); 1425 } 1426 else 1427 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1428 } 1429 1430 /*ARGSUSED*/ 1431 static void 1432 aus_mkdir(struct t_audit_data *tad) 1433 { 1434 klwp_t *clwp = ttolwp(curthread); 1435 uint32_t dmode; 1436 1437 struct a { 1438 long dirnamep; /* char * */ 1439 long dmode; 1440 } *uap = (struct a *)clwp->lwp_ap; 1441 1442 dmode = (uint32_t)uap->dmode; 1443 1444 au_uwrite(au_to_arg32(2, "mode", dmode)); 1445 } 1446 1447 /*ARGSUSED*/ 1448 static void 1449 aus_mknod(struct t_audit_data *tad) 1450 { 1451 klwp_t *clwp = ttolwp(curthread); 1452 uint32_t fmode; 1453 dev_t dev; 1454 1455 struct a { 1456 long pnamep; /* char * */ 1457 long fmode; 1458 long dev; 1459 } *uap = (struct a *)clwp->lwp_ap; 1460 1461 fmode = (uint32_t)uap->fmode; 1462 dev = (dev_t)uap->dev; 1463 1464 au_uwrite(au_to_arg32(2, "mode", fmode)); 1465 #ifdef _LP64 1466 au_uwrite(au_to_arg64(3, "dev", dev)); 1467 #else 1468 au_uwrite(au_to_arg32(3, "dev", dev)); 1469 #endif 1470 } 1471 1472 /*ARGSUSED*/ 1473 static void 1474 aus_xmknod(struct t_audit_data *tad) 1475 { 1476 klwp_t *clwp = ttolwp(curthread); 1477 uint32_t fmode; 1478 dev_t dev; 1479 1480 struct a { 1481 long version; /* version */ 1482 long pnamep; /* char * */ 1483 long fmode; 1484 long dev; 1485 } *uap = (struct a *)clwp->lwp_ap; 1486 1487 fmode = (uint32_t)uap->fmode; 1488 dev = (dev_t)uap->dev; 1489 1490 au_uwrite(au_to_arg32(2, "mode", fmode)); 1491 #ifdef _LP64 1492 au_uwrite(au_to_arg64(3, "dev", dev)); 1493 #else 1494 au_uwrite(au_to_arg32(3, "dev", dev)); 1495 #endif 1496 } 1497 1498 /*ARGSUSED*/ 1499 static void 1500 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1501 { 1502 klwp_t *clwp = ttolwp(curthread); 1503 vnode_t *dvp; 1504 caddr_t pnamep; 1505 1506 struct a { 1507 long pnamep; /* char * */ 1508 long fmode; 1509 long dev; 1510 } *uap = (struct a *)clwp->lwp_ap; 1511 1512 /* no error, then already path token in audit record */ 1513 if (error != EPERM) 1514 return; 1515 1516 /* not auditing this event, nothing then to do */ 1517 if (tad->tad_flag == 0) 1518 return; 1519 1520 /* do the lookup to force generation of path token */ 1521 pnamep = (caddr_t)uap->pnamep; 1522 tad->tad_ctrl |= PAD_NOATTRB; 1523 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1524 if (error == 0) 1525 VN_RELE(dvp); 1526 } 1527 1528 /*ARGSUSED*/ 1529 static void 1530 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1531 { 1532 klwp_t *clwp = ttolwp(curthread); 1533 vnode_t *dvp; 1534 caddr_t pnamep; 1535 1536 struct a { 1537 long version; /* version */ 1538 long pnamep; /* char * */ 1539 long fmode; 1540 long dev; 1541 } *uap = (struct a *)clwp->lwp_arg; 1542 1543 1544 /* no error, then already path token in audit record */ 1545 if (error != EPERM) 1546 return; 1547 1548 /* not auditing this event, nothing then to do */ 1549 if (tad->tad_flag == 0) 1550 return; 1551 1552 /* do the lookup to force generation of path token */ 1553 pnamep = (caddr_t)uap->pnamep; 1554 tad->tad_ctrl |= PAD_NOATTRB; 1555 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1556 if (error == 0) 1557 VN_RELE(dvp); 1558 } 1559 1560 /*ARGSUSED*/ 1561 static void 1562 aus_mount(struct t_audit_data *tad) 1563 { /* AUS_START */ 1564 klwp_t *clwp = ttolwp(curthread); 1565 uint32_t flags; 1566 uintptr_t u_fstype, dataptr; 1567 STRUCT_DECL(nfs_args, nfsargs); 1568 size_t len; 1569 char *fstype, *hostname; 1570 1571 struct a { 1572 long spec; /* char * */ 1573 long dir; /* char * */ 1574 long flags; 1575 long fstype; /* char * */ 1576 long dataptr; /* char * */ 1577 long datalen; 1578 } *uap = (struct a *)clwp->lwp_ap; 1579 1580 u_fstype = (uintptr_t)uap->fstype; 1581 flags = (uint32_t)uap->flags; 1582 dataptr = (uintptr_t)uap->dataptr; 1583 1584 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1585 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1586 goto mount_free_fstype; 1587 1588 au_uwrite(au_to_arg32(3, "flags", flags)); 1589 au_uwrite(au_to_text(fstype)); 1590 1591 if (strncmp(fstype, "nfs", 3) == 0) { 1592 1593 STRUCT_INIT(nfsargs, get_udatamodel()); 1594 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1595 1596 if (copyin((caddr_t)dataptr, 1597 STRUCT_BUF(nfsargs), 1598 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1599 /* DEBUG debug_enter((char *)NULL); */ 1600 goto mount_free_fstype; 1601 } 1602 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1603 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1604 (caddr_t)hostname, 1605 MAXNAMELEN, &len)) { 1606 goto mount_free_hostname; 1607 } 1608 au_uwrite(au_to_text(hostname)); 1609 au_uwrite(au_to_arg32(3, "internal flags", 1610 (uint_t)STRUCT_FGET(nfsargs, flags))); 1611 1612 mount_free_hostname: 1613 kmem_free(hostname, MAXNAMELEN); 1614 } 1615 1616 mount_free_fstype: 1617 kmem_free(fstype, MAXNAMELEN); 1618 } /* AUS_MOUNT */ 1619 1620 static void 1621 aus_umount_path(caddr_t umount_dir) 1622 { 1623 char *dir_path; 1624 struct audit_path *path; 1625 size_t path_len, dir_len; 1626 1627 /* length alloc'd for two string pointers */ 1628 path_len = sizeof (struct audit_path) + sizeof (char *); 1629 path = kmem_alloc(path_len, KM_SLEEP); 1630 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1631 1632 if (copyinstr(umount_dir, (caddr_t)dir_path, 1633 MAXPATHLEN, &dir_len)) 1634 goto umount2_free_dir; 1635 1636 /* 1637 * the audit_path struct assumes that the buffer pointed to 1638 * by audp_sect[n] contains string 0 immediatedly followed 1639 * by string 1. 1640 */ 1641 path->audp_sect[0] = dir_path; 1642 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1643 path->audp_size = path_len; 1644 path->audp_ref = 1; /* not used */ 1645 path->audp_cnt = 1; /* one path string */ 1646 1647 au_uwrite(au_to_path(path)); 1648 1649 umount2_free_dir: 1650 kmem_free(dir_path, MAXPATHLEN); 1651 kmem_free(path, path_len); 1652 } 1653 1654 /* 1655 * the umount syscall is implemented as a call to umount2, but the args 1656 * are different... 1657 */ 1658 1659 /*ARGSUSED*/ 1660 static void 1661 aus_umount(struct t_audit_data *tad) 1662 { 1663 klwp_t *clwp = ttolwp(curthread); 1664 struct a { 1665 long dir; /* char * */ 1666 } *uap = (struct a *)clwp->lwp_ap; 1667 1668 aus_umount_path((caddr_t)uap->dir); 1669 } 1670 1671 /*ARGSUSED*/ 1672 static void 1673 aus_umount2(struct t_audit_data *tad) 1674 { 1675 klwp_t *clwp = ttolwp(curthread); 1676 struct a { 1677 long dir; /* char * */ 1678 long flags; 1679 } *uap = (struct a *)clwp->lwp_ap; 1680 1681 aus_umount_path((caddr_t)uap->dir); 1682 1683 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1684 } 1685 1686 static void 1687 aus_msgsys(struct t_audit_data *tad) 1688 { 1689 klwp_t *clwp = ttolwp(curthread); 1690 uint32_t msgid; 1691 1692 struct b { 1693 long msgid; 1694 long cmd; 1695 long buf; /* struct msqid_ds * */ 1696 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1697 1698 msgid = (uint32_t)uap1->msgid; 1699 1700 1701 switch (tad->tad_event) { 1702 case AUE_MSGGET: /* msgget */ 1703 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1704 break; 1705 case AUE_MSGCTL: /* msgctl */ 1706 case AUE_MSGCTL_RMID: /* msgctl */ 1707 case AUE_MSGCTL_SET: /* msgctl */ 1708 case AUE_MSGCTL_STAT: /* msgctl */ 1709 case AUE_MSGRCV: /* msgrcv */ 1710 case AUE_MSGSND: /* msgsnd */ 1711 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1712 break; 1713 } 1714 } 1715 1716 /*ARGSUSED*/ 1717 static void 1718 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1719 { 1720 int id; 1721 1722 if (error != 0) 1723 return; 1724 if (tad->tad_event == AUE_MSGGET) { 1725 uint32_t scid; 1726 uint32_t sy_flags; 1727 1728 /* need to determine type of executing binary */ 1729 scid = tad->tad_scid; 1730 #ifdef _SYSCALL32_IMPL 1731 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1732 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1733 else 1734 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1735 #else 1736 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1737 #endif 1738 if (sy_flags == SE_32RVAL1) 1739 id = rval->r_val1; 1740 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1741 id = rval->r_val1; 1742 if (sy_flags == SE_64RVAL) 1743 id = (int)rval->r_vals; 1744 1745 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1746 } 1747 } 1748 1749 static void 1750 aus_semsys(struct t_audit_data *tad) 1751 { 1752 klwp_t *clwp = ttolwp(curthread); 1753 uint32_t semid; 1754 1755 struct b { /* ctrl */ 1756 long semid; 1757 long semnum; 1758 long cmd; 1759 long arg; 1760 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1761 1762 semid = (uint32_t)uap1->semid; 1763 1764 switch (tad->tad_event) { 1765 case AUE_SEMCTL_RMID: 1766 case AUE_SEMCTL_STAT: 1767 case AUE_SEMCTL_GETNCNT: 1768 case AUE_SEMCTL_GETPID: 1769 case AUE_SEMCTL_GETVAL: 1770 case AUE_SEMCTL_GETALL: 1771 case AUE_SEMCTL_GETZCNT: 1772 case AUE_SEMCTL_SET: 1773 case AUE_SEMCTL_SETVAL: 1774 case AUE_SEMCTL_SETALL: 1775 case AUE_SEMCTL: 1776 case AUE_SEMOP: 1777 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1778 break; 1779 case AUE_SEMGET: 1780 au_uwrite(au_to_arg32(1, "sem key", semid)); 1781 break; 1782 } 1783 } 1784 1785 /*ARGSUSED*/ 1786 static void 1787 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1788 { 1789 int id; 1790 1791 if (error != 0) 1792 return; 1793 if (tad->tad_event == AUE_SEMGET) { 1794 uint32_t scid; 1795 uint32_t sy_flags; 1796 1797 /* need to determine type of executing binary */ 1798 scid = tad->tad_scid; 1799 #ifdef _SYSCALL32_IMPL 1800 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1801 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1802 else 1803 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1804 #else 1805 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1806 #endif 1807 if (sy_flags == SE_32RVAL1) 1808 id = rval->r_val1; 1809 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1810 id = rval->r_val1; 1811 if (sy_flags == SE_64RVAL) 1812 id = (int)rval->r_vals; 1813 1814 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1815 } 1816 } 1817 1818 /*ARGSUSED*/ 1819 static void 1820 aus_close(struct t_audit_data *tad) 1821 { 1822 klwp_t *clwp = ttolwp(curthread); 1823 uint32_t fd; 1824 struct file *fp; 1825 struct f_audit_data *fad; 1826 struct vnode *vp; 1827 struct vattr attr; 1828 au_kcontext_t *kctx = GET_KCTX_PZ; 1829 1830 struct a { 1831 long i; 1832 } *uap = (struct a *)clwp->lwp_ap; 1833 1834 fd = (uint32_t)uap->i; 1835 1836 attr.va_mask = 0; 1837 au_uwrite(au_to_arg32(1, "fd", fd)); 1838 1839 /* 1840 * convert file pointer to file descriptor 1841 * Note: fd ref count incremented here. 1842 */ 1843 if ((fp = getf(fd)) == NULL) 1844 return; 1845 1846 fad = F2A(fp); 1847 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1848 if (fad->fad_aupath != NULL) { 1849 au_uwrite(au_to_path(fad->fad_aupath)); 1850 if ((vp = fp->f_vnode) != NULL) { 1851 attr.va_mask = AT_ALL; 1852 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1853 /* 1854 * When write was not used and the file can be 1855 * considered public, skip the audit. 1856 */ 1857 if (((fp->f_flag & FWRITE) == 0) && 1858 file_is_public(&attr)) { 1859 tad->tad_flag = 0; 1860 tad->tad_evmod = 0; 1861 /* free any residual audit data */ 1862 au_close(kctx, &(u_ad), 0, 0, 0); 1863 releasef(fd); 1864 return; 1865 } 1866 au_uwrite(au_to_attr(&attr)); 1867 audit_sec_attributes(&(u_ad), vp); 1868 } 1869 } 1870 } 1871 1872 /* decrement file descriptor reference count */ 1873 releasef(fd); 1874 } 1875 1876 /*ARGSUSED*/ 1877 static void 1878 aus_fstatfs(struct t_audit_data *tad) 1879 { 1880 klwp_t *clwp = ttolwp(curthread); 1881 uint32_t fd; 1882 struct file *fp; 1883 struct vnode *vp; 1884 struct f_audit_data *fad; 1885 1886 struct a { 1887 long fd; 1888 long buf; /* struct statfs * */ 1889 } *uap = (struct a *)clwp->lwp_ap; 1890 1891 fd = (uint_t)uap->fd; 1892 1893 /* 1894 * convert file pointer to file descriptor 1895 * Note: fd ref count incremented here. 1896 */ 1897 if ((fp = getf(fd)) == NULL) 1898 return; 1899 1900 /* get path from file struct here */ 1901 fad = F2A(fp); 1902 if (fad->fad_aupath != NULL) { 1903 au_uwrite(au_to_path(fad->fad_aupath)); 1904 } else { 1905 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1906 } 1907 1908 vp = fp->f_vnode; 1909 audit_attributes(vp); 1910 1911 /* decrement file descriptor reference count */ 1912 releasef(fd); 1913 } 1914 1915 static au_event_t 1916 aui_setpgrp(au_event_t e) 1917 { 1918 klwp_t *clwp = ttolwp(curthread); 1919 int flag; 1920 1921 struct a { 1922 long flag; 1923 long pid; 1924 long pgid; 1925 } *uap = (struct a *)clwp->lwp_ap; 1926 1927 flag = (int)uap->flag; 1928 1929 1930 switch (flag) { 1931 1932 case 1: /* setpgrp() */ 1933 e = AUE_SETPGRP; 1934 break; 1935 1936 case 3: /* setsid() */ 1937 e = AUE_SETSID; 1938 break; 1939 1940 case 5: /* setpgid() */ 1941 e = AUE_SETPGID; 1942 break; 1943 1944 case 0: /* getpgrp() - not security relevant */ 1945 case 2: /* getsid() - not security relevant */ 1946 case 4: /* getpgid() - not security relevant */ 1947 e = AUE_NULL; 1948 break; 1949 1950 default: 1951 e = AUE_NULL; 1952 break; 1953 } 1954 1955 return (e); 1956 } 1957 1958 static void 1959 aus_setpgrp(struct t_audit_data *tad) 1960 { 1961 klwp_t *clwp = ttolwp(curthread); 1962 pid_t pgid; 1963 struct proc *p; 1964 uid_t uid, ruid; 1965 gid_t gid, rgid; 1966 pid_t pid; 1967 cred_t *cr; 1968 int flag; 1969 const auditinfo_addr_t *ainfo; 1970 1971 struct a { 1972 long flag; 1973 long pid; 1974 long pgid; 1975 } *uap = (struct a *)clwp->lwp_ap; 1976 1977 flag = (int)uap->flag; 1978 pid = (pid_t)uap->pid; 1979 pgid = (pid_t)uap->pgid; 1980 1981 1982 switch (flag) { 1983 1984 case 0: /* getpgrp() */ 1985 case 1: /* setpgrp() */ 1986 case 2: /* getsid() */ 1987 case 3: /* setsid() */ 1988 case 4: /* getpgid() */ 1989 break; 1990 1991 case 5: /* setpgid() */ 1992 1993 /* current process? */ 1994 if (pid == 0) { 1995 return; 1996 } 1997 1998 mutex_enter(&pidlock); 1999 p = prfind(pid); 2000 if (p == NULL || p->p_as == &kas || 2001 p->p_stat == SIDL || p->p_stat == SZOMB) { 2002 mutex_exit(&pidlock); 2003 return; 2004 } 2005 mutex_enter(&p->p_lock); /* so process doesn't go away */ 2006 mutex_exit(&pidlock); 2007 2008 mutex_enter(&p->p_crlock); 2009 crhold(cr = p->p_cred); 2010 mutex_exit(&p->p_crlock); 2011 mutex_exit(&p->p_lock); 2012 2013 ainfo = crgetauinfo(cr); 2014 if (ainfo == NULL) { 2015 crfree(cr); 2016 return; 2017 } 2018 2019 uid = crgetuid(cr); 2020 gid = crgetgid(cr); 2021 ruid = crgetruid(cr); 2022 rgid = crgetrgid(cr); 2023 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 2024 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 2025 crfree(cr); 2026 au_uwrite(au_to_arg32(2, "pgid", pgid)); 2027 break; 2028 2029 default: 2030 break; 2031 } 2032 } 2033 2034 2035 /*ARGSUSED*/ 2036 static void 2037 aus_setregid(struct t_audit_data *tad) 2038 { 2039 klwp_t *clwp = ttolwp(curthread); 2040 uint32_t rgid, egid; 2041 2042 struct a { 2043 long rgid; 2044 long egid; 2045 } *uap = (struct a *)clwp->lwp_ap; 2046 2047 rgid = (uint32_t)uap->rgid; 2048 egid = (uint32_t)uap->egid; 2049 2050 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2051 au_uwrite(au_to_arg32(2, "egid", egid)); 2052 } 2053 2054 /*ARGSUSED*/ 2055 static void 2056 aus_setgid(struct t_audit_data *tad) 2057 { 2058 klwp_t *clwp = ttolwp(curthread); 2059 uint32_t gid; 2060 2061 struct a { 2062 long gid; 2063 } *uap = (struct a *)clwp->lwp_ap; 2064 2065 gid = (uint32_t)uap->gid; 2066 2067 au_uwrite(au_to_arg32(1, "gid", gid)); 2068 } 2069 2070 2071 /*ARGSUSED*/ 2072 static void 2073 aus_setreuid(struct t_audit_data *tad) 2074 { 2075 klwp_t *clwp = ttolwp(curthread); 2076 uint32_t ruid, euid; 2077 2078 struct a { 2079 long ruid; 2080 long euid; 2081 } *uap = (struct a *)clwp->lwp_ap; 2082 2083 ruid = (uint32_t)uap->ruid; 2084 euid = (uint32_t)uap->euid; 2085 2086 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2087 au_uwrite(au_to_arg32(2, "euid", euid)); 2088 } 2089 2090 2091 /*ARGSUSED*/ 2092 static void 2093 aus_setuid(struct t_audit_data *tad) 2094 { 2095 klwp_t *clwp = ttolwp(curthread); 2096 uint32_t uid; 2097 2098 struct a { 2099 long uid; 2100 } *uap = (struct a *)clwp->lwp_ap; 2101 2102 uid = (uint32_t)uap->uid; 2103 2104 au_uwrite(au_to_arg32(1, "uid", uid)); 2105 } 2106 2107 /*ARGSUSED*/ 2108 static void 2109 aus_shmsys(struct t_audit_data *tad) 2110 { 2111 klwp_t *clwp = ttolwp(curthread); 2112 uint32_t id, cmd; 2113 2114 struct b { 2115 long id; 2116 long cmd; 2117 long buf; /* struct shmid_ds * */ 2118 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2119 2120 id = (uint32_t)uap1->id; 2121 cmd = (uint32_t)uap1->cmd; 2122 2123 switch (tad->tad_event) { 2124 case AUE_SHMGET: /* shmget */ 2125 au_uwrite(au_to_arg32(1, "shm key", id)); 2126 break; 2127 case AUE_SHMCTL: /* shmctl */ 2128 case AUE_SHMCTL_RMID: /* shmctl */ 2129 case AUE_SHMCTL_STAT: /* shmctl */ 2130 case AUE_SHMCTL_SET: /* shmctl */ 2131 au_uwrite(au_to_arg32(1, "shm ID", id)); 2132 break; 2133 case AUE_SHMDT: /* shmdt */ 2134 au_uwrite(au_to_arg32(1, "shm adr", id)); 2135 break; 2136 case AUE_SHMAT: /* shmat */ 2137 au_uwrite(au_to_arg32(1, "shm ID", id)); 2138 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2139 break; 2140 } 2141 } 2142 2143 /*ARGSUSED*/ 2144 static void 2145 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2146 { 2147 int id; 2148 2149 if (error != 0) 2150 return; 2151 if (tad->tad_event == AUE_SHMGET) { 2152 uint32_t scid; 2153 uint32_t sy_flags; 2154 2155 /* need to determine type of executing binary */ 2156 scid = tad->tad_scid; 2157 #ifdef _SYSCALL32_IMPL 2158 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2159 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2160 else 2161 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2162 #else 2163 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2164 #endif 2165 if (sy_flags == SE_32RVAL1) 2166 id = rval->r_val1; 2167 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2168 id = rval->r_val1; 2169 if (sy_flags == SE_64RVAL) 2170 id = (int)rval->r_vals; 2171 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2172 } 2173 } 2174 2175 2176 /*ARGSUSED*/ 2177 static void 2178 aus_ioctl(struct t_audit_data *tad) 2179 { 2180 klwp_t *clwp = ttolwp(curthread); 2181 struct file *fp; 2182 struct vnode *vp; 2183 struct f_audit_data *fad; 2184 uint32_t fd, cmd; 2185 uintptr_t cmarg; 2186 2187 /* XX64 */ 2188 struct a { 2189 long fd; 2190 long cmd; 2191 long cmarg; /* caddr_t */ 2192 } *uap = (struct a *)clwp->lwp_ap; 2193 2194 fd = (uint32_t)uap->fd; 2195 cmd = (uint32_t)uap->cmd; 2196 cmarg = (uintptr_t)uap->cmarg; 2197 2198 /* 2199 * convert file pointer to file descriptor 2200 * Note: fd ref count incremented here. 2201 */ 2202 if ((fp = getf(fd)) == NULL) { 2203 au_uwrite(au_to_arg32(1, "fd", fd)); 2204 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2205 #ifndef _LP64 2206 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2207 #else 2208 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2209 #endif 2210 return; 2211 } 2212 2213 /* get path from file struct here */ 2214 fad = F2A(fp); 2215 if (fad->fad_aupath != NULL) { 2216 au_uwrite(au_to_path(fad->fad_aupath)); 2217 } else { 2218 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2219 } 2220 2221 vp = fp->f_vnode; 2222 audit_attributes(vp); 2223 2224 /* decrement file descriptor reference count */ 2225 releasef(fd); 2226 2227 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2228 #ifndef _LP64 2229 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2230 #else 2231 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2232 #endif 2233 } 2234 2235 /* 2236 * null function for memcntl for now. We might want to limit memcntl() 2237 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2238 * require privileges. 2239 */ 2240 static au_event_t 2241 aui_memcntl(au_event_t e) 2242 { 2243 return (e); 2244 } 2245 2246 /*ARGSUSED*/ 2247 static au_event_t 2248 aui_privsys(au_event_t e) 2249 { 2250 klwp_t *clwp = ttolwp(curthread); 2251 2252 struct a { 2253 long opcode; 2254 } *uap = (struct a *)clwp->lwp_ap; 2255 2256 switch (uap->opcode) { 2257 case PRIVSYS_SETPPRIV: 2258 return (AUE_SETPPRIV); 2259 default: 2260 return (AUE_NULL); 2261 } 2262 } 2263 2264 /*ARGSUSED*/ 2265 static void 2266 aus_memcntl(struct t_audit_data *tad) 2267 { 2268 klwp_t *clwp = ttolwp(curthread); 2269 2270 struct a { 2271 long addr; 2272 long len; 2273 long cmd; 2274 long arg; 2275 long attr; 2276 long mask; 2277 } *uap = (struct a *)clwp->lwp_ap; 2278 2279 #ifdef _LP64 2280 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2281 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2282 #else 2283 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2284 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2285 #endif 2286 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2287 #ifdef _LP64 2288 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2289 #else 2290 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2291 #endif 2292 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2293 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2294 } 2295 2296 /*ARGSUSED*/ 2297 static void 2298 aus_mmap(struct t_audit_data *tad) 2299 { 2300 klwp_t *clwp = ttolwp(curthread); 2301 struct file *fp; 2302 struct f_audit_data *fad; 2303 struct vnode *vp; 2304 uint32_t fd; 2305 2306 struct a { 2307 long addr; 2308 long len; 2309 long prot; 2310 long flags; 2311 long fd; 2312 long pos; 2313 } *uap = (struct a *)clwp->lwp_ap; 2314 2315 fd = (uint32_t)uap->fd; 2316 2317 #ifdef _LP64 2318 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2319 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2320 #else 2321 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2322 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2323 #endif 2324 2325 if ((fp = getf(fd)) == NULL) { 2326 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2327 return; 2328 } 2329 2330 /* 2331 * Mark in the tad if write access is NOT requested... if 2332 * this is later detected (in audit_attributes) to be a 2333 * public object, the mmap event may be discarded. 2334 */ 2335 if (((uap->prot) & PROT_WRITE) == 0) { 2336 tad->tad_ctrl |= PAD_PUBLIC_EV; 2337 } 2338 2339 fad = F2A(fp); 2340 if (fad->fad_aupath != NULL) { 2341 au_uwrite(au_to_path(fad->fad_aupath)); 2342 } else { 2343 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2344 } 2345 2346 vp = (struct vnode *)fp->f_vnode; 2347 audit_attributes(vp); 2348 2349 /* mark READ/WRITE since we can't predict access */ 2350 if (uap->prot & PROT_READ) 2351 fad->fad_flags |= FAD_READ; 2352 if (uap->prot & PROT_WRITE) 2353 fad->fad_flags |= FAD_WRITE; 2354 2355 /* decrement file descriptor reference count */ 2356 releasef(fd); 2357 2358 } /* AUS_MMAP */ 2359 2360 2361 2362 2363 /*ARGSUSED*/ 2364 static void 2365 aus_munmap(struct t_audit_data *tad) 2366 { 2367 klwp_t *clwp = ttolwp(curthread); 2368 2369 struct a { 2370 long addr; 2371 long len; 2372 } *uap = (struct a *)clwp->lwp_ap; 2373 2374 #ifdef _LP64 2375 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2376 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2377 #else 2378 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2379 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2380 #endif 2381 2382 } /* AUS_MUNMAP */ 2383 2384 2385 2386 2387 2388 2389 2390 /*ARGSUSED*/ 2391 static void 2392 aus_priocntlsys(struct t_audit_data *tad) 2393 { 2394 klwp_t *clwp = ttolwp(curthread); 2395 2396 struct a { 2397 long pc_version; 2398 long psp; /* procset_t */ 2399 long cmd; 2400 long arg; 2401 } *uap = (struct a *)clwp->lwp_ap; 2402 2403 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2404 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2405 2406 } /* AUS_PRIOCNTLSYS */ 2407 2408 2409 /*ARGSUSED*/ 2410 static void 2411 aus_setegid(struct t_audit_data *tad) 2412 { 2413 klwp_t *clwp = ttolwp(curthread); 2414 uint32_t gid; 2415 2416 struct a { 2417 long gid; 2418 } *uap = (struct a *)clwp->lwp_ap; 2419 2420 gid = (uint32_t)uap->gid; 2421 2422 au_uwrite(au_to_arg32(1, "gid", gid)); 2423 } /* AUS_SETEGID */ 2424 2425 2426 2427 2428 /*ARGSUSED*/ 2429 static void 2430 aus_setgroups(struct t_audit_data *tad) 2431 { 2432 klwp_t *clwp = ttolwp(curthread); 2433 int i; 2434 int gidsetsize; 2435 uintptr_t gidset; 2436 gid_t *gidlist; 2437 2438 struct a { 2439 long gidsetsize; 2440 long gidset; 2441 } *uap = (struct a *)clwp->lwp_ap; 2442 2443 gidsetsize = (uint_t)uap->gidsetsize; 2444 gidset = (uintptr_t)uap->gidset; 2445 2446 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2447 return; 2448 if (gidsetsize != 0) { 2449 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2450 KM_SLEEP); 2451 if (copyin((caddr_t)gidset, gidlist, 2452 gidsetsize * sizeof (gid_t)) == 0) 2453 for (i = 0; i < gidsetsize; i++) 2454 au_uwrite(au_to_arg32(1, "setgroups", 2455 (uint32_t)gidlist[i])); 2456 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2457 } else 2458 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2459 2460 } /* AUS_SETGROUPS */ 2461 2462 2463 2464 2465 2466 /*ARGSUSED*/ 2467 static void 2468 aus_seteuid(struct t_audit_data *tad) 2469 { 2470 klwp_t *clwp = ttolwp(curthread); 2471 uint32_t uid; 2472 2473 struct a { 2474 long uid; 2475 } *uap = (struct a *)clwp->lwp_ap; 2476 2477 uid = (uint32_t)uap->uid; 2478 2479 au_uwrite(au_to_arg32(1, "euid", uid)); 2480 2481 } /* AUS_SETEUID */ 2482 2483 /*ARGSUSED*/ 2484 static void 2485 aus_putmsg(struct t_audit_data *tad) 2486 { 2487 klwp_t *clwp = ttolwp(curthread); 2488 uint32_t fd, pri; 2489 struct file *fp; 2490 struct f_audit_data *fad; 2491 2492 struct a { 2493 long fdes; 2494 long ctl; /* struct strbuf * */ 2495 long data; /* struct strbuf * */ 2496 long pri; 2497 } *uap = (struct a *)clwp->lwp_ap; 2498 2499 fd = (uint32_t)uap->fdes; 2500 pri = (uint32_t)uap->pri; 2501 2502 au_uwrite(au_to_arg32(1, "fd", fd)); 2503 2504 if ((fp = getf(fd)) != NULL) { 2505 fad = F2A(fp); 2506 2507 fad->fad_flags |= FAD_WRITE; 2508 2509 /* add path name to audit record */ 2510 if (fad->fad_aupath != NULL) { 2511 au_uwrite(au_to_path(fad->fad_aupath)); 2512 } 2513 audit_attributes(fp->f_vnode); 2514 2515 releasef(fd); 2516 } 2517 2518 au_uwrite(au_to_arg32(4, "pri", pri)); 2519 } 2520 2521 /*ARGSUSED*/ 2522 static void 2523 aus_putpmsg(struct t_audit_data *tad) 2524 { 2525 klwp_t *clwp = ttolwp(curthread); 2526 uint32_t fd, pri, flags; 2527 struct file *fp; 2528 struct f_audit_data *fad; 2529 2530 struct a { 2531 long fdes; 2532 long ctl; /* struct strbuf * */ 2533 long data; /* struct strbuf * */ 2534 long pri; 2535 long flags; 2536 } *uap = (struct a *)clwp->lwp_ap; 2537 2538 fd = (uint32_t)uap->fdes; 2539 pri = (uint32_t)uap->pri; 2540 flags = (uint32_t)uap->flags; 2541 2542 au_uwrite(au_to_arg32(1, "fd", fd)); 2543 2544 if ((fp = getf(fd)) != NULL) { 2545 fad = F2A(fp); 2546 2547 fad->fad_flags |= FAD_WRITE; 2548 2549 /* add path name to audit record */ 2550 if (fad->fad_aupath != NULL) { 2551 au_uwrite(au_to_path(fad->fad_aupath)); 2552 } 2553 audit_attributes(fp->f_vnode); 2554 2555 releasef(fd); 2556 } 2557 2558 2559 au_uwrite(au_to_arg32(4, "pri", pri)); 2560 au_uwrite(au_to_arg32(5, "flags", flags)); 2561 } 2562 2563 /*ARGSUSED*/ 2564 static void 2565 aus_getmsg(struct t_audit_data *tad) 2566 { 2567 klwp_t *clwp = ttolwp(curthread); 2568 uint32_t fd, pri; 2569 struct file *fp; 2570 struct f_audit_data *fad; 2571 2572 struct a { 2573 long fdes; 2574 long ctl; /* struct strbuf * */ 2575 long data; /* struct strbuf * */ 2576 long pri; 2577 } *uap = (struct a *)clwp->lwp_ap; 2578 2579 fd = (uint32_t)uap->fdes; 2580 pri = (uint32_t)uap->pri; 2581 2582 au_uwrite(au_to_arg32(1, "fd", fd)); 2583 2584 if ((fp = getf(fd)) != NULL) { 2585 fad = F2A(fp); 2586 2587 /* 2588 * read operation on this object 2589 */ 2590 fad->fad_flags |= FAD_READ; 2591 2592 /* add path name to audit record */ 2593 if (fad->fad_aupath != NULL) { 2594 au_uwrite(au_to_path(fad->fad_aupath)); 2595 } 2596 audit_attributes(fp->f_vnode); 2597 2598 releasef(fd); 2599 } 2600 2601 au_uwrite(au_to_arg32(4, "pri", pri)); 2602 } 2603 2604 /*ARGSUSED*/ 2605 static void 2606 aus_getpmsg(struct t_audit_data *tad) 2607 { 2608 klwp_t *clwp = ttolwp(curthread); 2609 uint32_t fd; 2610 struct file *fp; 2611 struct f_audit_data *fad; 2612 2613 struct a { 2614 long fdes; 2615 long ctl; /* struct strbuf * */ 2616 long data; /* struct strbuf * */ 2617 long pri; 2618 long flags; 2619 } *uap = (struct a *)clwp->lwp_ap; 2620 2621 fd = (uint32_t)uap->fdes; 2622 2623 au_uwrite(au_to_arg32(1, "fd", fd)); 2624 2625 if ((fp = getf(fd)) != NULL) { 2626 fad = F2A(fp); 2627 2628 /* 2629 * read operation on this object 2630 */ 2631 fad->fad_flags |= FAD_READ; 2632 2633 /* add path name to audit record */ 2634 if (fad->fad_aupath != NULL) { 2635 au_uwrite(au_to_path(fad->fad_aupath)); 2636 } 2637 audit_attributes(fp->f_vnode); 2638 2639 releasef(fd); 2640 } 2641 } 2642 2643 static au_event_t 2644 aui_labelsys(au_event_t e) 2645 { 2646 klwp_t *clwp = ttolwp(curthread); 2647 uint32_t code; 2648 uint32_t cmd; 2649 2650 struct a { 2651 long code; 2652 long cmd; 2653 } *uap = (struct a *)clwp->lwp_ap; 2654 2655 code = (uint32_t)uap->code; 2656 cmd = (uint32_t)uap->cmd; 2657 2658 /* not security relevant if not changing kernel cache */ 2659 if (cmd == TNDB_GET) 2660 return (AUE_NULL); 2661 2662 switch (code) { 2663 case TSOL_TNRH: 2664 e = AUE_LABELSYS_TNRH; 2665 break; 2666 case TSOL_TNRHTP: 2667 e = AUE_LABELSYS_TNRHTP; 2668 break; 2669 case TSOL_TNMLP: 2670 e = AUE_LABELSYS_TNMLP; 2671 break; 2672 default: 2673 e = AUE_NULL; 2674 break; 2675 } 2676 2677 return (e); 2678 2679 } 2680 2681 static void 2682 aus_labelsys(struct t_audit_data *tad) 2683 { 2684 klwp_t *clwp = ttolwp(curthread); 2685 uint32_t cmd; 2686 uintptr_t a2; 2687 2688 struct a { 2689 long code; 2690 long cmd; 2691 long a2; 2692 } *uap = (struct a *)clwp->lwp_ap; 2693 2694 cmd = (uint32_t)uap->cmd; 2695 a2 = (uintptr_t)uap->a2; 2696 2697 switch (tad->tad_event) { 2698 case AUE_LABELSYS_TNRH: 2699 { 2700 tsol_rhent_t *rhent; 2701 tnaddr_t *rh_addr; 2702 2703 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2704 2705 /* Remaining args don't apply for FLUSH, so skip */ 2706 if (cmd == TNDB_FLUSH) 2707 break; 2708 2709 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2710 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2711 kmem_free(rhent, sizeof (tsol_rhent_t)); 2712 return; 2713 } 2714 2715 rh_addr = &rhent->rh_address; 2716 if (rh_addr->ta_family == AF_INET) { 2717 struct in_addr *ipaddr; 2718 2719 ipaddr = &(rh_addr->ta_addr_v4); 2720 au_uwrite(au_to_in_addr(ipaddr)); 2721 } else if (rh_addr->ta_family == AF_INET6) { 2722 int32_t *ipaddr; 2723 2724 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2725 au_uwrite(au_to_in_addr_ex(ipaddr)); 2726 } 2727 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2728 2729 kmem_free(rhent, sizeof (tsol_rhent_t)); 2730 2731 break; 2732 } 2733 case AUE_LABELSYS_TNRHTP: 2734 { 2735 tsol_tpent_t *tpent; 2736 2737 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2738 2739 /* Remaining args don't apply for FLUSH, so skip */ 2740 if (cmd == TNDB_FLUSH) 2741 break; 2742 2743 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2744 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2745 kmem_free(tpent, sizeof (tsol_tpent_t)); 2746 return; 2747 } 2748 2749 /* Make sure that the template name is null-terminated. */ 2750 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2751 2752 au_uwrite(au_to_text(tpent->name)); 2753 kmem_free(tpent, sizeof (tsol_tpent_t)); 2754 2755 break; 2756 } 2757 case AUE_LABELSYS_TNMLP: 2758 { 2759 tsol_mlpent_t *mlpent; 2760 2761 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2762 2763 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2764 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2765 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2766 return; 2767 } 2768 2769 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2770 au_uwrite(au_to_text("shared")); 2771 } else { 2772 zone_t *zone; 2773 2774 zone = zone_find_by_id(mlpent->tsme_zoneid); 2775 if (zone != NULL) { 2776 au_uwrite(au_to_text(zone->zone_name)); 2777 zone_rele(zone); 2778 } 2779 } 2780 2781 /* Remaining args don't apply for FLUSH, so skip */ 2782 if (cmd == TNDB_FLUSH) { 2783 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2784 break; 2785 } 2786 2787 au_uwrite(au_to_arg32(2, "proto num", 2788 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2789 au_uwrite(au_to_arg32(2, "mlp_port", 2790 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2791 2792 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2793 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2794 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2795 2796 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2797 2798 break; 2799 } 2800 default: 2801 break; 2802 } 2803 } 2804 2805 2806 static au_event_t 2807 aui_auditsys(au_event_t e) 2808 { 2809 klwp_t *clwp = ttolwp(curthread); 2810 uint32_t code; 2811 2812 struct a { 2813 long code; 2814 long a1; 2815 long a2; 2816 long a3; 2817 long a4; 2818 long a5; 2819 long a6; 2820 long a7; 2821 } *uap = (struct a *)clwp->lwp_ap; 2822 2823 code = (uint32_t)uap->code; 2824 2825 switch (code) { 2826 2827 case BSM_GETAUID: 2828 e = AUE_GETAUID; 2829 break; 2830 case BSM_SETAUID: 2831 e = AUE_SETAUID; 2832 break; 2833 case BSM_GETAUDIT: 2834 e = AUE_GETAUDIT; 2835 break; 2836 case BSM_GETAUDIT_ADDR: 2837 e = AUE_GETAUDIT_ADDR; 2838 break; 2839 case BSM_SETAUDIT: 2840 e = AUE_SETAUDIT; 2841 break; 2842 case BSM_SETAUDIT_ADDR: 2843 e = AUE_SETAUDIT_ADDR; 2844 break; 2845 case BSM_AUDIT: 2846 e = AUE_AUDIT; 2847 break; 2848 case BSM_AUDITON: 2849 case BSM_AUDITCTL: 2850 2851 switch ((uint_t)uap->a1) { 2852 2853 case A_GETPOLICY: 2854 e = AUE_AUDITON_GPOLICY; 2855 break; 2856 case A_SETPOLICY: 2857 e = AUE_AUDITON_SPOLICY; 2858 break; 2859 case A_GETKMASK: 2860 e = AUE_AUDITON_GETKMASK; 2861 break; 2862 case A_SETKMASK: 2863 e = AUE_AUDITON_SETKMASK; 2864 break; 2865 case A_GETQCTRL: 2866 e = AUE_AUDITON_GQCTRL; 2867 break; 2868 case A_SETQCTRL: 2869 e = AUE_AUDITON_SQCTRL; 2870 break; 2871 case A_GETCWD: 2872 e = AUE_AUDITON_GETCWD; 2873 break; 2874 case A_GETCAR: 2875 e = AUE_AUDITON_GETCAR; 2876 break; 2877 case A_GETSTAT: 2878 e = AUE_AUDITON_GETSTAT; 2879 break; 2880 case A_SETSTAT: 2881 e = AUE_AUDITON_SETSTAT; 2882 break; 2883 case A_SETUMASK: 2884 e = AUE_AUDITON_SETUMASK; 2885 break; 2886 case A_SETSMASK: 2887 e = AUE_AUDITON_SETSMASK; 2888 break; 2889 case A_GETCOND: 2890 e = AUE_AUDITON_GETCOND; 2891 break; 2892 case A_SETCOND: 2893 e = AUE_AUDITON_SETCOND; 2894 break; 2895 case A_GETCLASS: 2896 e = AUE_AUDITON_GETCLASS; 2897 break; 2898 case A_SETCLASS: 2899 e = AUE_AUDITON_SETCLASS; 2900 break; 2901 default: 2902 e = AUE_NULL; 2903 break; 2904 } 2905 break; 2906 default: 2907 e = AUE_NULL; 2908 break; 2909 } 2910 2911 return (e); 2912 2913 } /* AUI_AUDITSYS */ 2914 2915 2916 static void 2917 aus_auditsys(struct t_audit_data *tad) 2918 { 2919 klwp_t *clwp = ttolwp(curthread); 2920 uintptr_t a1, a2; 2921 STRUCT_DECL(auditinfo, ainfo); 2922 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2923 au_evclass_map_t event; 2924 au_mask_t mask; 2925 int auditstate, policy; 2926 au_id_t auid; 2927 2928 2929 struct a { 2930 long code; 2931 long a1; 2932 long a2; 2933 long a3; 2934 long a4; 2935 long a5; 2936 long a6; 2937 long a7; 2938 } *uap = (struct a *)clwp->lwp_ap; 2939 2940 a1 = (uintptr_t)uap->a1; 2941 a2 = (uintptr_t)uap->a2; 2942 2943 switch (tad->tad_event) { 2944 case AUE_SETAUID: 2945 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2946 return; 2947 au_uwrite(au_to_arg32(2, "setauid", auid)); 2948 break; 2949 case AUE_SETAUDIT: 2950 STRUCT_INIT(ainfo, get_udatamodel()); 2951 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2952 STRUCT_SIZE(ainfo))) { 2953 return; 2954 } 2955 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2956 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2957 #ifdef _LP64 2958 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2959 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2960 #else 2961 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2962 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2963 #endif 2964 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2965 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2966 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2967 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2968 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2969 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2970 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2971 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2972 break; 2973 case AUE_SETAUDIT_ADDR: 2974 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2975 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2976 STRUCT_SIZE(ainfo_addr))) { 2977 return; 2978 } 2979 au_uwrite(au_to_arg32((char)1, "auid", 2980 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2981 #ifdef _LP64 2982 au_uwrite(au_to_arg64((char)1, "port", 2983 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2984 #else 2985 au_uwrite(au_to_arg32((char)1, "port", 2986 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2987 #endif 2988 au_uwrite(au_to_arg32((char)1, "type", 2989 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2990 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2991 AU_IPv4) { 2992 au_uwrite(au_to_in_addr( 2993 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2994 ai_termid.at_addr))); 2995 } else { 2996 au_uwrite(au_to_in_addr_ex( 2997 (int32_t *)STRUCT_FGETP(ainfo_addr, 2998 ai_termid.at_addr))); 2999 } 3000 au_uwrite(au_to_arg32((char)1, "as_success", 3001 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 3002 au_uwrite(au_to_arg32((char)1, "as_failure", 3003 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 3004 au_uwrite(au_to_arg32((char)1, "asid", 3005 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 3006 break; 3007 case AUE_AUDITON_SETKMASK: 3008 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 3009 return; 3010 au_uwrite(au_to_arg32( 3011 2, "setkmask:as_success", (uint32_t)mask.as_success)); 3012 au_uwrite(au_to_arg32( 3013 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 3014 break; 3015 case AUE_AUDITON_SPOLICY: 3016 if (copyin((caddr_t)a2, &policy, sizeof (int))) 3017 return; 3018 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 3019 break; 3020 case AUE_AUDITON_SQCTRL: { 3021 STRUCT_DECL(au_qctrl, qctrl); 3022 model_t model; 3023 3024 model = get_udatamodel(); 3025 STRUCT_INIT(qctrl, model); 3026 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 3027 return; 3028 if (model == DATAMODEL_ILP32) { 3029 au_uwrite(au_to_arg32( 3030 3, "setqctrl:aq_hiwater", 3031 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 3032 au_uwrite(au_to_arg32( 3033 3, "setqctrl:aq_lowater", 3034 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 3035 au_uwrite(au_to_arg32( 3036 3, "setqctrl:aq_bufsz", 3037 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 3038 au_uwrite(au_to_arg32( 3039 3, "setqctrl:aq_delay", 3040 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 3041 } else { 3042 au_uwrite(au_to_arg64( 3043 3, "setqctrl:aq_hiwater", 3044 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 3045 au_uwrite(au_to_arg64( 3046 3, "setqctrl:aq_lowater", 3047 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 3048 au_uwrite(au_to_arg64( 3049 3, "setqctrl:aq_bufsz", 3050 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 3051 au_uwrite(au_to_arg64( 3052 3, "setqctrl:aq_delay", 3053 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 3054 } 3055 break; 3056 } 3057 case AUE_AUDITON_SETUMASK: 3058 STRUCT_INIT(ainfo, get_udatamodel()); 3059 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3060 STRUCT_SIZE(ainfo))) { 3061 return; 3062 } 3063 au_uwrite(au_to_arg32(3, "setumask:as_success", 3064 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3065 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3066 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3067 break; 3068 case AUE_AUDITON_SETSMASK: 3069 STRUCT_INIT(ainfo, get_udatamodel()); 3070 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3071 STRUCT_SIZE(ainfo))) { 3072 return; 3073 } 3074 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3075 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3076 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3077 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3078 break; 3079 case AUE_AUDITON_SETCOND: 3080 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3081 return; 3082 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3083 break; 3084 case AUE_AUDITON_SETCLASS: 3085 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3086 return; 3087 au_uwrite(au_to_arg32( 3088 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3089 au_uwrite(au_to_arg32( 3090 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3091 break; 3092 case AUE_GETAUID: 3093 case AUE_GETAUDIT: 3094 case AUE_GETAUDIT_ADDR: 3095 case AUE_AUDIT: 3096 case AUE_AUDITON_GPOLICY: 3097 case AUE_AUDITON_GQCTRL: 3098 case AUE_AUDITON_GETKMASK: 3099 case AUE_AUDITON_GETCWD: 3100 case AUE_AUDITON_GETCAR: 3101 case AUE_AUDITON_GETSTAT: 3102 case AUE_AUDITON_SETSTAT: 3103 case AUE_AUDITON_GETCOND: 3104 case AUE_AUDITON_GETCLASS: 3105 break; 3106 default: 3107 break; 3108 } 3109 3110 } /* AUS_AUDITSYS */ 3111 3112 3113 /* only audit privileged operations for systeminfo(2) system call */ 3114 static au_event_t 3115 aui_sysinfo(au_event_t e) 3116 { 3117 klwp_t *clwp = ttolwp(curthread); 3118 uint32_t command; 3119 3120 struct a { 3121 long command; 3122 long buf; /* char * */ 3123 long count; 3124 } *uap = (struct a *)clwp->lwp_ap; 3125 3126 command = (uint32_t)uap->command; 3127 3128 switch (command) { 3129 case SI_SET_HOSTNAME: 3130 case SI_SET_SRPC_DOMAIN: 3131 e = (au_event_t)AUE_SYSINFO; 3132 break; 3133 default: 3134 e = (au_event_t)AUE_NULL; 3135 break; 3136 } 3137 return (e); 3138 } 3139 3140 /*ARGSUSED*/ 3141 static void 3142 aus_sysinfo(struct t_audit_data *tad) 3143 { 3144 klwp_t *clwp = ttolwp(curthread); 3145 uint32_t command; 3146 size_t len, maxlen; 3147 char *name; 3148 uintptr_t buf; 3149 3150 struct a { 3151 long command; 3152 long buf; /* char * */ 3153 long count; 3154 } *uap = (struct a *)clwp->lwp_ap; 3155 3156 command = (uint32_t)uap->command; 3157 buf = (uintptr_t)uap->buf; 3158 3159 au_uwrite(au_to_arg32(1, "cmd", command)); 3160 3161 switch (command) { 3162 case SI_SET_HOSTNAME: 3163 { 3164 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3165 return; 3166 3167 maxlen = SYS_NMLN; 3168 name = kmem_alloc(maxlen, KM_SLEEP); 3169 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3170 break; 3171 3172 /* 3173 * Must be non-NULL string and string 3174 * must be less than SYS_NMLN chars. 3175 */ 3176 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3177 break; 3178 3179 au_uwrite(au_to_text(name)); 3180 break; 3181 } 3182 3183 case SI_SET_SRPC_DOMAIN: 3184 { 3185 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3186 return; 3187 3188 maxlen = SYS_NMLN; 3189 name = kmem_alloc(maxlen, KM_SLEEP); 3190 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3191 break; 3192 3193 /* 3194 * If string passed in is longer than length 3195 * allowed for domain name, fail. 3196 */ 3197 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3198 break; 3199 3200 au_uwrite(au_to_text(name)); 3201 break; 3202 } 3203 3204 default: 3205 return; 3206 } 3207 3208 kmem_free(name, maxlen); 3209 } 3210 3211 static au_event_t 3212 aui_modctl(au_event_t e) 3213 { 3214 klwp_t *clwp = ttolwp(curthread); 3215 uint_t cmd; 3216 3217 struct a { 3218 long cmd; 3219 } *uap = (struct a *)clwp->lwp_ap; 3220 3221 cmd = (uint_t)uap->cmd; 3222 3223 switch (cmd) { 3224 case MODLOAD: 3225 e = AUE_MODLOAD; 3226 break; 3227 case MODUNLOAD: 3228 e = AUE_MODUNLOAD; 3229 break; 3230 case MODADDMAJBIND: 3231 e = AUE_MODADDMAJ; 3232 break; 3233 case MODSETDEVPOLICY: 3234 e = AUE_MODDEVPLCY; 3235 break; 3236 case MODALLOCPRIV: 3237 e = AUE_MODADDPRIV; 3238 break; 3239 default: 3240 e = AUE_NULL; 3241 break; 3242 } 3243 return (e); 3244 } 3245 3246 3247 /*ARGSUSED*/ 3248 static void 3249 aus_modctl(struct t_audit_data *tad) 3250 { 3251 klwp_t *clwp = ttolwp(curthread); 3252 void *a = clwp->lwp_ap; 3253 uint_t use_path; 3254 3255 switch (tad->tad_event) { 3256 case AUE_MODLOAD: { 3257 typedef struct { 3258 long cmd; 3259 long use_path; 3260 long filename; /* char * */ 3261 } modloada_t; 3262 3263 char *filenamep; 3264 uintptr_t fname; 3265 extern char *default_path; 3266 3267 fname = (uintptr_t)((modloada_t *)a)->filename; 3268 use_path = (uint_t)((modloada_t *)a)->use_path; 3269 3270 /* space to hold path */ 3271 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3272 /* get string */ 3273 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3274 /* free allocated path */ 3275 kmem_free(filenamep, MOD_MAXPATH); 3276 return; 3277 } 3278 /* ensure it's null terminated */ 3279 filenamep[MOD_MAXPATH - 1] = 0; 3280 3281 if (use_path) 3282 au_uwrite(au_to_text(default_path)); 3283 au_uwrite(au_to_text(filenamep)); 3284 3285 /* release temporary memory */ 3286 kmem_free(filenamep, MOD_MAXPATH); 3287 break; 3288 } 3289 case AUE_MODUNLOAD: { 3290 typedef struct { 3291 long cmd; 3292 long id; 3293 } modunloada_t; 3294 3295 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3296 3297 au_uwrite(au_to_arg32(1, "id", id)); 3298 break; 3299 } 3300 case AUE_MODADDMAJ: { 3301 STRUCT_DECL(modconfig, mc); 3302 typedef struct { 3303 long cmd; 3304 long subcmd; 3305 long data; /* int * */ 3306 } modconfiga_t; 3307 3308 STRUCT_DECL(aliases, alias); 3309 caddr_t ap; 3310 int i, num_aliases; 3311 char *drvname, *mc_drvname; 3312 char *name; 3313 extern char *ddi_major_to_name(major_t); 3314 model_t model; 3315 3316 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3317 3318 model = get_udatamodel(); 3319 STRUCT_INIT(mc, model); 3320 /* sanitize buffer */ 3321 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3322 /* get user arguments */ 3323 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3324 STRUCT_SIZE(mc)) != 0) 3325 return; 3326 3327 mc_drvname = STRUCT_FGET(mc, drvname); 3328 if ((drvname = ddi_major_to_name( 3329 (major_t)STRUCT_FGET(mc, major))) != NULL && 3330 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3331 /* safety */ 3332 if (mc_drvname[0] != '\0') { 3333 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3334 au_uwrite(au_to_text(mc_drvname)); 3335 } 3336 /* drvname != NULL from test above */ 3337 au_uwrite(au_to_text(drvname)); 3338 return; 3339 } 3340 3341 if (mc_drvname[0] != '\0') { 3342 /* safety */ 3343 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3344 au_uwrite(au_to_text(mc_drvname)); 3345 } else 3346 au_uwrite(au_to_text("no drvname")); 3347 3348 num_aliases = STRUCT_FGET(mc, num_aliases); 3349 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3350 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3351 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3352 STRUCT_INIT(alias, model); 3353 for (i = 0; i < num_aliases; i++) { 3354 bzero((caddr_t)STRUCT_BUF(alias), 3355 STRUCT_SIZE(alias)); 3356 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3357 STRUCT_SIZE(alias)) != 0) 3358 break; 3359 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3360 MAXMODCONFNAME, NULL) != 0) { 3361 break; 3362 } 3363 3364 au_uwrite(au_to_text(name)); 3365 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3366 } 3367 kmem_free(name, MAXMODCONFNAME); 3368 break; 3369 } 3370 default: 3371 break; 3372 } 3373 } 3374 3375 3376 /*ARGSUSED*/ 3377 static void 3378 auf_accept( 3379 struct t_audit_data *tad, 3380 int error, 3381 rval_t *rval) 3382 { 3383 uint32_t scid; 3384 uint32_t sy_flags; 3385 int fd; 3386 struct sonode *so; 3387 char so_laddr[sizeof (struct sockaddr_in6)]; 3388 char so_faddr[sizeof (struct sockaddr_in6)]; 3389 int err; 3390 short so_family, so_type; 3391 int add_sock_token = 0; 3392 3393 /* need to determine type of executing binary */ 3394 scid = tad->tad_scid; 3395 #ifdef _SYSCALL32_IMPL 3396 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3397 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3398 else 3399 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3400 #else 3401 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3402 #endif 3403 if (sy_flags == SE_32RVAL1) 3404 fd = rval->r_val1; 3405 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3406 fd = rval->r_val1; 3407 if (sy_flags == SE_64RVAL) 3408 fd = (int)rval->r_vals; 3409 3410 if (error) { 3411 /* can't trust socket contents. Just return */ 3412 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3413 return; 3414 } 3415 3416 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3417 /* 3418 * not security relevant if doing a accept from non socket 3419 * so no extra tokens. Should probably turn off audit record 3420 * generation here. 3421 */ 3422 return; 3423 } 3424 3425 so_family = so->so_family; 3426 so_type = so->so_type; 3427 3428 switch (so_family) { 3429 case AF_INET: 3430 case AF_INET6: 3431 /* 3432 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3433 */ 3434 if (so->so_type == SOCK_STREAM) { 3435 socklen_t len; 3436 3437 bzero((void *)so_laddr, sizeof (so_laddr)); 3438 bzero((void *)so_faddr, sizeof (so_faddr)); 3439 3440 len = sizeof (so_laddr); 3441 (void) socket_getsockname(so, 3442 (struct sockaddr *)so_laddr, &len, CRED()); 3443 len = sizeof (so_faddr); 3444 (void) socket_getpeername(so, 3445 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3446 3447 add_sock_token = 1; 3448 } 3449 break; 3450 3451 default: 3452 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3453 break; 3454 } 3455 3456 releasef(fd); 3457 3458 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3459 3460 if (add_sock_token == 0) { 3461 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3462 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3463 return; 3464 } 3465 3466 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3467 3468 } 3469 3470 /*ARGSUSED*/ 3471 static void 3472 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3473 { 3474 struct a { 3475 long fd; 3476 long addr; 3477 long len; 3478 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3479 3480 struct sonode *so; 3481 char so_laddr[sizeof (struct sockaddr_in6)]; 3482 char so_faddr[sizeof (struct sockaddr_in6)]; 3483 int err, fd; 3484 socklen_t len; 3485 short so_family, so_type; 3486 int add_sock_token = 0; 3487 3488 fd = (int)uap->fd; 3489 3490 /* 3491 * bind failed, then nothing extra to add to audit record. 3492 */ 3493 if (error) { 3494 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3495 /* XXX may want to add failed address some day */ 3496 return; 3497 } 3498 3499 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3500 /* 3501 * not security relevant if doing a bind from non socket 3502 * so no extra tokens. Should probably turn off audit record 3503 * generation here. 3504 */ 3505 return; 3506 } 3507 3508 so_family = so->so_family; 3509 so_type = so->so_type; 3510 3511 switch (so_family) { 3512 case AF_INET: 3513 case AF_INET6: 3514 3515 bzero(so_faddr, sizeof (so_faddr)); 3516 len = sizeof (so_faddr); 3517 3518 (void) socket_getpeername(so, 3519 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3520 add_sock_token = 1; 3521 3522 break; 3523 3524 case AF_UNIX: 3525 /* token added by lookup */ 3526 break; 3527 default: 3528 /* AF_ROUTE, AF_KEY do not support accept */ 3529 break; 3530 } 3531 3532 releasef(fd); 3533 3534 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3535 3536 if (add_sock_token == 0) { 3537 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3538 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3539 return; 3540 } 3541 3542 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3543 3544 } 3545 3546 /*ARGSUSED*/ 3547 static void 3548 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3549 { 3550 struct a { 3551 long fd; 3552 long addr; 3553 long len; 3554 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3555 3556 struct sonode *so; 3557 char so_laddr[sizeof (struct sockaddr_in6)]; 3558 char so_faddr[sizeof (struct sockaddr_in6)]; 3559 int err, fd; 3560 socklen_t len; 3561 short so_family, so_type; 3562 int add_sock_token = 0; 3563 3564 fd = (int)uap->fd; 3565 3566 3567 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3568 /* 3569 * not security relevant if doing a connect from non socket 3570 * so no extra tokens. Should probably turn off audit record 3571 * generation here. 3572 */ 3573 return; 3574 } 3575 3576 so_family = so->so_family; 3577 so_type = so->so_type; 3578 3579 switch (so_family) { 3580 case AF_INET: 3581 case AF_INET6: 3582 3583 bzero(so_laddr, sizeof (so_laddr)); 3584 bzero(so_faddr, sizeof (so_faddr)); 3585 3586 len = sizeof (so_laddr); 3587 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3588 &len, CRED()); 3589 if (error) { 3590 if (uap->addr == NULL) 3591 break; 3592 if (uap->len <= 0) 3593 break; 3594 len = min(uap->len, sizeof (so_faddr)); 3595 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3596 break; 3597 #ifdef NOTYET 3598 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3599 #endif 3600 } else { 3601 /* sanity check on length */ 3602 len = sizeof (so_faddr); 3603 (void) socket_getpeername(so, 3604 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3605 } 3606 3607 add_sock_token = 1; 3608 3609 break; 3610 3611 case AF_UNIX: 3612 /* does a lookup on name */ 3613 break; 3614 3615 default: 3616 /* AF_ROUTE, AF_KEY do not support accept */ 3617 break; 3618 } 3619 3620 releasef(fd); 3621 3622 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3623 3624 if (add_sock_token == 0) { 3625 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3626 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3627 return; 3628 } 3629 3630 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3631 3632 } 3633 3634 /*ARGSUSED*/ 3635 static void 3636 aus_shutdown(struct t_audit_data *tad) 3637 { 3638 struct a { 3639 long fd; 3640 long how; 3641 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3642 3643 struct sonode *so; 3644 char so_laddr[sizeof (struct sockaddr_in6)]; 3645 char so_faddr[sizeof (struct sockaddr_in6)]; 3646 int err, fd; 3647 socklen_t len; 3648 short so_family, so_type; 3649 int add_sock_token = 0; 3650 file_t *fp; /* unix domain sockets */ 3651 struct f_audit_data *fad; /* unix domain sockets */ 3652 3653 fd = (int)uap->fd; 3654 3655 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3656 /* 3657 * not security relevant if doing a shutdown using non socket 3658 * so no extra tokens. Should probably turn off audit record 3659 * generation here. 3660 */ 3661 return; 3662 } 3663 3664 so_family = so->so_family; 3665 so_type = so->so_type; 3666 3667 switch (so_family) { 3668 case AF_INET: 3669 case AF_INET6: 3670 3671 bzero(so_laddr, sizeof (so_laddr)); 3672 bzero(so_faddr, sizeof (so_faddr)); 3673 3674 len = sizeof (so_laddr); 3675 (void) socket_getsockname(so, 3676 (struct sockaddr *)so_laddr, &len, CRED()); 3677 len = sizeof (so_faddr); 3678 (void) socket_getpeername(so, 3679 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3680 3681 add_sock_token = 1; 3682 3683 break; 3684 3685 case AF_UNIX: 3686 3687 /* get path from file struct here */ 3688 fad = F2A(fp); 3689 ASSERT(fad); 3690 3691 if (fad->fad_aupath != NULL) { 3692 au_uwrite(au_to_path(fad->fad_aupath)); 3693 } else { 3694 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3695 } 3696 3697 audit_attributes(fp->f_vnode); 3698 3699 break; 3700 3701 default: 3702 /* 3703 * AF_KEY and AF_ROUTE support shutdown. No socket token 3704 * added. 3705 */ 3706 break; 3707 } 3708 3709 releasef(fd); 3710 3711 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3712 3713 if (add_sock_token == 0) { 3714 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3715 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3716 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3717 return; 3718 } 3719 3720 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3721 3722 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3723 3724 } 3725 3726 /*ARGSUSED*/ 3727 static void 3728 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3729 { 3730 struct a { 3731 long fd; 3732 long level; 3733 long optname; 3734 long *optval; 3735 long optlen; 3736 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3737 3738 struct sonode *so; 3739 char so_laddr[sizeof (struct sockaddr_in6)]; 3740 char so_faddr[sizeof (struct sockaddr_in6)]; 3741 char val[AU_BUFSIZE]; 3742 int err, fd; 3743 socklen_t len; 3744 short so_family, so_type; 3745 int add_sock_token = 0; 3746 file_t *fp; /* unix domain sockets */ 3747 struct f_audit_data *fad; /* unix domain sockets */ 3748 3749 fd = (int)uap->fd; 3750 3751 if (error) { 3752 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3753 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3754 /* XXX may want to include other arguments */ 3755 return; 3756 } 3757 3758 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3759 /* 3760 * not security relevant if doing a setsockopt from non socket 3761 * so no extra tokens. Should probably turn off audit record 3762 * generation here. 3763 */ 3764 return; 3765 } 3766 3767 so_family = so->so_family; 3768 so_type = so->so_type; 3769 3770 switch (so_family) { 3771 case AF_INET: 3772 case AF_INET6: 3773 bzero((void *)so_laddr, sizeof (so_laddr)); 3774 bzero((void *)so_faddr, sizeof (so_faddr)); 3775 3776 /* get local and foreign addresses */ 3777 len = sizeof (so_laddr); 3778 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3779 &len, CRED()); 3780 len = sizeof (so_faddr); 3781 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3782 &len, B_FALSE, CRED()); 3783 3784 add_sock_token = 1; 3785 3786 break; 3787 3788 case AF_UNIX: 3789 3790 /* get path from file struct here */ 3791 fad = F2A(fp); 3792 ASSERT(fad); 3793 3794 if (fad->fad_aupath != NULL) { 3795 au_uwrite(au_to_path(fad->fad_aupath)); 3796 } else { 3797 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3798 } 3799 3800 audit_attributes(fp->f_vnode); 3801 3802 break; 3803 3804 default: 3805 /* 3806 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3807 * added. 3808 */ 3809 break; 3810 } 3811 3812 releasef(fd); 3813 3814 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3815 3816 if (add_sock_token == 0) { 3817 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3818 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3819 } 3820 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3821 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3822 3823 bzero(val, sizeof (val)); 3824 len = min(uap->optlen, sizeof (val)); 3825 if ((len > 0) && 3826 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3827 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3828 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3829 } 3830 3831 if (add_sock_token == 0) 3832 return; 3833 3834 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3835 3836 } 3837 3838 /*ARGSUSED*/ 3839 static void 3840 aus_sockconfig(tad) 3841 struct t_audit_data *tad; 3842 { 3843 struct a { 3844 long domain; 3845 long type; 3846 long protocol; 3847 long devpath; 3848 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3849 3850 char *kdevpath; 3851 int kdevpathlen = MAXPATHLEN + 1; 3852 size_t size; 3853 3854 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3855 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3856 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3857 3858 if (uap->devpath == 0) { 3859 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3860 } else { 3861 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3862 3863 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3864 &size)) { 3865 kmem_free(kdevpath, kdevpathlen); 3866 return; 3867 } 3868 3869 if (size > MAXPATHLEN) { 3870 kmem_free(kdevpath, kdevpathlen); 3871 return; 3872 } 3873 3874 au_uwrite(au_to_text(kdevpath)); 3875 kmem_free(kdevpath, kdevpathlen); 3876 } 3877 } 3878 3879 /* 3880 * only audit recvmsg when the system call represents the creation of a new 3881 * circuit. This effectively occurs for all UDP packets and may occur for 3882 * special TCP situations where the local host has not set a local address 3883 * in the socket structure. 3884 */ 3885 /*ARGSUSED*/ 3886 static void 3887 auf_recvmsg( 3888 struct t_audit_data *tad, 3889 int error, 3890 rval_t *rvp) 3891 { 3892 struct a { 3893 long fd; 3894 long msg; /* struct msghdr */ 3895 long flags; 3896 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3897 3898 struct sonode *so; 3899 STRUCT_DECL(msghdr, msg); 3900 caddr_t msg_name; 3901 socklen_t msg_namelen; 3902 int fd; 3903 int err; 3904 char so_laddr[sizeof (struct sockaddr_in6)]; 3905 char so_faddr[sizeof (struct sockaddr_in6)]; 3906 socklen_t len; 3907 file_t *fp; /* unix domain sockets */ 3908 struct f_audit_data *fad; /* unix domain sockets */ 3909 short so_family, so_type; 3910 int add_sock_token = 0; 3911 au_kcontext_t *kctx = GET_KCTX_PZ; 3912 3913 fd = (int)uap->fd; 3914 3915 /* bail if an error */ 3916 if (error) { 3917 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3918 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3919 return; 3920 } 3921 3922 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3923 /* 3924 * not security relevant if doing a recvmsg from non socket 3925 * so no extra tokens. Should probably turn off audit record 3926 * generation here. 3927 */ 3928 return; 3929 } 3930 3931 so_family = so->so_family; 3932 so_type = so->so_type; 3933 3934 /* 3935 * only putout SOCKET_EX token if INET/INET6 family. 3936 * XXX - what do we do about other families? 3937 */ 3938 3939 switch (so_family) { 3940 case AF_INET: 3941 case AF_INET6: 3942 3943 /* 3944 * if datagram type socket, then just use what is in 3945 * socket structure for local address. 3946 * XXX - what do we do for other types? 3947 */ 3948 if ((so->so_type == SOCK_DGRAM) || 3949 (so->so_type == SOCK_RAW)) { 3950 add_sock_token = 1; 3951 3952 bzero((void *)so_laddr, sizeof (so_laddr)); 3953 bzero((void *)so_faddr, sizeof (so_faddr)); 3954 3955 /* get local address */ 3956 len = sizeof (so_laddr); 3957 (void) socket_getsockname(so, 3958 (struct sockaddr *)so_laddr, &len, CRED()); 3959 3960 /* get peer address */ 3961 STRUCT_INIT(msg, get_udatamodel()); 3962 3963 if (copyin((caddr_t)(uap->msg), 3964 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3965 break; 3966 } 3967 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3968 if (msg_name == NULL) { 3969 break; 3970 } 3971 3972 /* length is value from recvmsg - sanity check */ 3973 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3974 if (msg_namelen == 0) { 3975 break; 3976 } 3977 if (copyin(msg_name, so_faddr, 3978 sizeof (so_faddr)) != 0) { 3979 break; 3980 } 3981 3982 } else if (so->so_type == SOCK_STREAM) { 3983 3984 /* get path from file struct here */ 3985 fad = F2A(fp); 3986 ASSERT(fad); 3987 3988 /* 3989 * already processed this file for read attempt 3990 */ 3991 if (fad->fad_flags & FAD_READ) { 3992 /* don't want to audit every recvmsg attempt */ 3993 tad->tad_flag = 0; 3994 /* free any residual audit data */ 3995 au_close(kctx, &(u_ad), 0, 0, 0); 3996 releasef(fd); 3997 return; 3998 } 3999 /* 4000 * mark things so we know what happened and don't 4001 * repeat things 4002 */ 4003 fad->fad_flags |= FAD_READ; 4004 4005 bzero((void *)so_laddr, sizeof (so_laddr)); 4006 bzero((void *)so_faddr, sizeof (so_faddr)); 4007 4008 /* get local and foreign addresses */ 4009 len = sizeof (so_laddr); 4010 (void) socket_getsockname(so, 4011 (struct sockaddr *)so_laddr, &len, CRED()); 4012 len = sizeof (so_faddr); 4013 (void) socket_getpeername(so, 4014 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4015 4016 add_sock_token = 1; 4017 } 4018 4019 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4020 4021 break; 4022 4023 case AF_UNIX: 4024 /* 4025 * first check if this is first time through. Too much 4026 * duplicate code to put this in an aui_ routine. 4027 */ 4028 4029 /* get path from file struct here */ 4030 fad = F2A(fp); 4031 ASSERT(fad); 4032 4033 /* 4034 * already processed this file for read attempt 4035 */ 4036 if (fad->fad_flags & FAD_READ) { 4037 releasef(fd); 4038 /* don't want to audit every recvmsg attempt */ 4039 tad->tad_flag = 0; 4040 /* free any residual audit data */ 4041 au_close(kctx, &(u_ad), 0, 0, 0); 4042 return; 4043 } 4044 /* 4045 * mark things so we know what happened and don't 4046 * repeat things 4047 */ 4048 fad->fad_flags |= FAD_READ; 4049 4050 if (fad->fad_aupath != NULL) { 4051 au_uwrite(au_to_path(fad->fad_aupath)); 4052 } else { 4053 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4054 } 4055 4056 audit_attributes(fp->f_vnode); 4057 4058 releasef(fd); 4059 4060 return; 4061 4062 default: 4063 break; 4064 4065 } 4066 4067 releasef(fd); 4068 4069 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4070 4071 if (add_sock_token == 0) { 4072 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4073 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4074 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4075 return; 4076 } 4077 4078 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4079 4080 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4081 4082 } 4083 4084 /*ARGSUSED*/ 4085 static void 4086 auf_recvfrom( 4087 struct t_audit_data *tad, 4088 int error, 4089 rval_t *rvp) 4090 { 4091 4092 struct a { 4093 long fd; 4094 long msg; /* char */ 4095 long len; 4096 long flags; 4097 long from; /* struct sockaddr */ 4098 long fromlen; 4099 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4100 4101 socklen_t fromlen; 4102 struct sonode *so; 4103 char so_laddr[sizeof (struct sockaddr_in6)]; 4104 char so_faddr[sizeof (struct sockaddr_in6)]; 4105 int fd; 4106 short so_family, so_type; 4107 int add_sock_token = 0; 4108 socklen_t len; 4109 int err; 4110 struct file *fp; 4111 struct f_audit_data *fad; /* unix domain sockets */ 4112 au_kcontext_t *kctx = GET_KCTX_PZ; 4113 4114 fd = (int)uap->fd; 4115 4116 /* bail if an error */ 4117 if (error) { 4118 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4119 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4120 return; 4121 } 4122 4123 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4124 /* 4125 * not security relevant if doing a recvmsg from non socket 4126 * so no extra tokens. Should probably turn off audit record 4127 * generation here. 4128 */ 4129 return; 4130 } 4131 4132 so_family = so->so_family; 4133 so_type = so->so_type; 4134 4135 /* 4136 * only putout SOCKET_EX token if INET/INET6 family. 4137 * XXX - what do we do about other families? 4138 */ 4139 4140 switch (so_family) { 4141 case AF_INET: 4142 case AF_INET6: 4143 4144 /* 4145 * if datagram type socket, then just use what is in 4146 * socket structure for local address. 4147 * XXX - what do we do for other types? 4148 */ 4149 if ((so->so_type == SOCK_DGRAM) || 4150 (so->so_type == SOCK_RAW)) { 4151 add_sock_token = 1; 4152 4153 /* get local address */ 4154 len = sizeof (so_laddr); 4155 (void) socket_getsockname(so, 4156 (struct sockaddr *)so_laddr, &len, CRED()); 4157 4158 /* get peer address */ 4159 bzero((void *)so_faddr, sizeof (so_faddr)); 4160 4161 /* sanity check */ 4162 if (uap->from == NULL) 4163 break; 4164 4165 /* sanity checks */ 4166 if (uap->fromlen == 0) 4167 break; 4168 4169 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4170 sizeof (fromlen)) != 0) 4171 break; 4172 4173 if (fromlen == 0) 4174 break; 4175 4176 /* enforce maximum size */ 4177 if (fromlen > sizeof (so_faddr)) 4178 fromlen = sizeof (so_faddr); 4179 4180 if (copyin((caddr_t)(uap->from), so_faddr, 4181 fromlen) != 0) 4182 break; 4183 4184 } else if (so->so_type == SOCK_STREAM) { 4185 4186 /* get path from file struct here */ 4187 fad = F2A(fp); 4188 ASSERT(fad); 4189 4190 /* 4191 * already processed this file for read attempt 4192 */ 4193 if (fad->fad_flags & FAD_READ) { 4194 /* don't want to audit every recvfrom attempt */ 4195 tad->tad_flag = 0; 4196 /* free any residual audit data */ 4197 au_close(kctx, &(u_ad), 0, 0, 0); 4198 releasef(fd); 4199 return; 4200 } 4201 /* 4202 * mark things so we know what happened and don't 4203 * repeat things 4204 */ 4205 fad->fad_flags |= FAD_READ; 4206 4207 bzero((void *)so_laddr, sizeof (so_laddr)); 4208 bzero((void *)so_faddr, sizeof (so_faddr)); 4209 4210 /* get local and foreign addresses */ 4211 len = sizeof (so_laddr); 4212 (void) socket_getsockname(so, 4213 (struct sockaddr *)so_laddr, &len, CRED()); 4214 len = sizeof (so_faddr); 4215 (void) socket_getpeername(so, 4216 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4217 4218 add_sock_token = 1; 4219 } 4220 4221 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4222 4223 break; 4224 4225 case AF_UNIX: 4226 /* 4227 * first check if this is first time through. Too much 4228 * duplicate code to put this in an aui_ routine. 4229 */ 4230 4231 /* get path from file struct here */ 4232 fad = F2A(fp); 4233 ASSERT(fad); 4234 4235 /* 4236 * already processed this file for read attempt 4237 */ 4238 if (fad->fad_flags & FAD_READ) { 4239 /* don't want to audit every recvfrom attempt */ 4240 tad->tad_flag = 0; 4241 /* free any residual audit data */ 4242 au_close(kctx, &(u_ad), 0, 0, 0); 4243 releasef(fd); 4244 return; 4245 } 4246 /* 4247 * mark things so we know what happened and don't 4248 * repeat things 4249 */ 4250 fad->fad_flags |= FAD_READ; 4251 4252 if (fad->fad_aupath != NULL) { 4253 au_uwrite(au_to_path(fad->fad_aupath)); 4254 } else { 4255 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4256 } 4257 4258 audit_attributes(fp->f_vnode); 4259 4260 releasef(fd); 4261 4262 return; 4263 4264 default: 4265 break; 4266 4267 } 4268 4269 releasef(fd); 4270 4271 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4272 4273 if (add_sock_token == 0) { 4274 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4275 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4276 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4277 return; 4278 } 4279 4280 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4281 4282 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4283 } 4284 4285 /*ARGSUSED*/ 4286 static void 4287 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4288 { 4289 struct a { 4290 long fd; 4291 long msg; /* struct msghdr */ 4292 long flags; 4293 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4294 4295 struct sonode *so; 4296 char so_laddr[sizeof (struct sockaddr_in6)]; 4297 char so_faddr[sizeof (struct sockaddr_in6)]; 4298 int err; 4299 int fd; 4300 short so_family, so_type; 4301 int add_sock_token = 0; 4302 socklen_t len; 4303 struct file *fp; 4304 struct f_audit_data *fad; 4305 caddr_t msg_name; 4306 socklen_t msg_namelen; 4307 STRUCT_DECL(msghdr, msg); 4308 au_kcontext_t *kctx = GET_KCTX_PZ; 4309 4310 fd = (int)uap->fd; 4311 4312 /* bail if an error */ 4313 if (error) { 4314 /* XXX include destination address from system call arguments */ 4315 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4316 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4317 return; 4318 } 4319 4320 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4321 /* 4322 * not security relevant if doing a sendmsg from non socket 4323 * so no extra tokens. Should probably turn off audit record 4324 * generation here. 4325 */ 4326 return; 4327 } 4328 4329 so_family = so->so_family; 4330 so_type = so->so_type; 4331 4332 switch (so_family) { 4333 case AF_INET: 4334 case AF_INET6: 4335 /* 4336 * if datagram type socket, then just use what is in 4337 * socket structure for local address. 4338 * XXX - what do we do for other types? 4339 */ 4340 if ((so->so_type == SOCK_DGRAM) || 4341 (so->so_type == SOCK_RAW)) { 4342 4343 bzero((void *)so_laddr, sizeof (so_laddr)); 4344 bzero((void *)so_faddr, sizeof (so_faddr)); 4345 4346 /* get local address */ 4347 len = sizeof (so_laddr); 4348 (void) socket_getsockname(so, 4349 (struct sockaddr *)so_laddr, &len, CRED()); 4350 4351 /* get peer address */ 4352 STRUCT_INIT(msg, get_udatamodel()); 4353 4354 if (copyin((caddr_t)(uap->msg), 4355 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4356 break; 4357 } 4358 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4359 if (msg_name == NULL) 4360 break; 4361 4362 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4363 /* length is value from recvmsg - sanity check */ 4364 if (msg_namelen == 0) 4365 break; 4366 4367 if (copyin(msg_name, so_faddr, 4368 sizeof (so_faddr)) != 0) 4369 break; 4370 4371 add_sock_token = 1; 4372 4373 } else if (so->so_type == SOCK_STREAM) { 4374 4375 /* get path from file struct here */ 4376 fad = F2A(fp); 4377 ASSERT(fad); 4378 4379 /* 4380 * already processed this file for write attempt 4381 */ 4382 if (fad->fad_flags & FAD_WRITE) { 4383 releasef(fd); 4384 /* don't want to audit every sendmsg attempt */ 4385 tad->tad_flag = 0; 4386 /* free any residual audit data */ 4387 au_close(kctx, &(u_ad), 0, 0, 0); 4388 return; 4389 } 4390 4391 /* 4392 * mark things so we know what happened and don't 4393 * repeat things 4394 */ 4395 fad->fad_flags |= FAD_WRITE; 4396 4397 bzero((void *)so_laddr, sizeof (so_laddr)); 4398 bzero((void *)so_faddr, sizeof (so_faddr)); 4399 4400 /* get local and foreign addresses */ 4401 len = sizeof (so_laddr); 4402 (void) socket_getsockname(so, 4403 (struct sockaddr *)so_laddr, &len, CRED()); 4404 len = sizeof (so_faddr); 4405 (void) socket_getpeername(so, 4406 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4407 4408 add_sock_token = 1; 4409 } 4410 4411 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4412 4413 break; 4414 4415 case AF_UNIX: 4416 /* 4417 * first check if this is first time through. Too much 4418 * duplicate code to put this in an aui_ routine. 4419 */ 4420 4421 /* get path from file struct here */ 4422 fad = F2A(fp); 4423 ASSERT(fad); 4424 4425 /* 4426 * already processed this file for write attempt 4427 */ 4428 if (fad->fad_flags & FAD_WRITE) { 4429 releasef(fd); 4430 /* don't want to audit every sendmsg attempt */ 4431 tad->tad_flag = 0; 4432 /* free any residual audit data */ 4433 au_close(kctx, &(u_ad), 0, 0, 0); 4434 return; 4435 } 4436 /* 4437 * mark things so we know what happened and don't 4438 * repeat things 4439 */ 4440 fad->fad_flags |= FAD_WRITE; 4441 4442 if (fad->fad_aupath != NULL) { 4443 au_uwrite(au_to_path(fad->fad_aupath)); 4444 } else { 4445 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4446 } 4447 4448 audit_attributes(fp->f_vnode); 4449 4450 releasef(fd); 4451 4452 return; 4453 4454 default: 4455 break; 4456 } 4457 4458 releasef(fd); 4459 4460 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4461 4462 if (add_sock_token == 0) { 4463 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4464 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4465 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4466 return; 4467 } 4468 4469 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4470 4471 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4472 } 4473 4474 /*ARGSUSED*/ 4475 static void 4476 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4477 { 4478 struct a { 4479 long fd; 4480 long msg; /* char */ 4481 long len; 4482 long flags; 4483 long to; /* struct sockaddr */ 4484 long tolen; 4485 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4486 4487 struct sonode *so; 4488 char so_laddr[sizeof (struct sockaddr_in6)]; 4489 char so_faddr[sizeof (struct sockaddr_in6)]; 4490 socklen_t tolen; 4491 int err; 4492 int fd; 4493 socklen_t len; 4494 short so_family, so_type; 4495 int add_sock_token = 0; 4496 struct file *fp; 4497 struct f_audit_data *fad; 4498 au_kcontext_t *kctx = GET_KCTX_PZ; 4499 4500 fd = (int)uap->fd; 4501 4502 /* bail if an error */ 4503 if (error) { 4504 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4505 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4506 /* XXX include destination address from system call arguments */ 4507 return; 4508 } 4509 4510 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4511 /* 4512 * not security relevant if doing a sendto using non socket 4513 * so no extra tokens. Should probably turn off audit record 4514 * generation here. 4515 */ 4516 return; 4517 } 4518 4519 so_family = so->so_family; 4520 so_type = so->so_type; 4521 4522 /* 4523 * only putout SOCKET_EX token if INET/INET6 family. 4524 * XXX - what do we do about other families? 4525 */ 4526 4527 switch (so_family) { 4528 case AF_INET: 4529 case AF_INET6: 4530 4531 /* 4532 * if datagram type socket, then just use what is in 4533 * socket structure for local address. 4534 * XXX - what do we do for other types? 4535 */ 4536 if ((so->so_type == SOCK_DGRAM) || 4537 (so->so_type == SOCK_RAW)) { 4538 4539 bzero((void *)so_laddr, sizeof (so_laddr)); 4540 bzero((void *)so_faddr, sizeof (so_faddr)); 4541 4542 /* get local address */ 4543 len = sizeof (so_laddr); 4544 (void) socket_getsockname(so, 4545 (struct sockaddr *)so_laddr, &len, CRED()); 4546 4547 /* get peer address */ 4548 4549 /* sanity check */ 4550 if (uap->to == NULL) 4551 break; 4552 4553 /* sanity checks */ 4554 if (uap->tolen == 0) 4555 break; 4556 4557 tolen = (socklen_t)uap->tolen; 4558 4559 /* enforce maximum size */ 4560 if (tolen > sizeof (so_faddr)) 4561 tolen = sizeof (so_faddr); 4562 4563 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4564 break; 4565 4566 add_sock_token = 1; 4567 } else { 4568 /* 4569 * check if this is first time through. 4570 */ 4571 4572 /* get path from file struct here */ 4573 fad = F2A(fp); 4574 ASSERT(fad); 4575 4576 /* 4577 * already processed this file for write attempt 4578 */ 4579 if (fad->fad_flags & FAD_WRITE) { 4580 /* don't want to audit every sendto attempt */ 4581 tad->tad_flag = 0; 4582 /* free any residual audit data */ 4583 au_close(kctx, &(u_ad), 0, 0, 0); 4584 releasef(fd); 4585 return; 4586 } 4587 /* 4588 * mark things so we know what happened and don't 4589 * repeat things 4590 */ 4591 fad->fad_flags |= FAD_WRITE; 4592 4593 bzero((void *)so_laddr, sizeof (so_laddr)); 4594 bzero((void *)so_faddr, sizeof (so_faddr)); 4595 4596 /* get local and foreign addresses */ 4597 len = sizeof (so_laddr); 4598 (void) socket_getsockname(so, 4599 (struct sockaddr *)so_laddr, &len, CRED()); 4600 len = sizeof (so_faddr); 4601 (void) socket_getpeername(so, 4602 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4603 4604 add_sock_token = 1; 4605 } 4606 4607 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4608 4609 break; 4610 4611 case AF_UNIX: 4612 /* 4613 * first check if this is first time through. Too much 4614 * duplicate code to put this in an aui_ routine. 4615 */ 4616 4617 /* get path from file struct here */ 4618 fad = F2A(fp); 4619 ASSERT(fad); 4620 4621 /* 4622 * already processed this file for write attempt 4623 */ 4624 if (fad->fad_flags & FAD_WRITE) { 4625 /* don't want to audit every sendto attempt */ 4626 tad->tad_flag = 0; 4627 /* free any residual audit data */ 4628 au_close(kctx, &(u_ad), 0, 0, 0); 4629 releasef(fd); 4630 return; 4631 } 4632 /* 4633 * mark things so we know what happened and don't 4634 * repeat things 4635 */ 4636 fad->fad_flags |= FAD_WRITE; 4637 4638 if (fad->fad_aupath != NULL) { 4639 au_uwrite(au_to_path(fad->fad_aupath)); 4640 } else { 4641 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4642 } 4643 4644 audit_attributes(fp->f_vnode); 4645 4646 releasef(fd); 4647 4648 return; 4649 4650 default: 4651 break; 4652 4653 } 4654 4655 releasef(fd); 4656 4657 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4658 4659 if (add_sock_token == 0) { 4660 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4661 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4662 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4663 return; 4664 } 4665 4666 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4667 4668 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4669 4670 } 4671 4672 /* 4673 * XXX socket(2) may be equivalent to open(2) on a unix domain 4674 * socket. This needs investigation. 4675 */ 4676 4677 /*ARGSUSED*/ 4678 static void 4679 aus_socket(struct t_audit_data *tad) 4680 { 4681 struct a { 4682 long domain; 4683 long type; 4684 long protocol; 4685 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4686 4687 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4688 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4689 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4690 } 4691 4692 /*ARGSUSED*/ 4693 static void 4694 aus_sigqueue(struct t_audit_data *tad) 4695 { 4696 struct a { 4697 long pid; 4698 long signo; 4699 long *val; 4700 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4701 struct proc *p; 4702 uid_t uid, ruid; 4703 gid_t gid, rgid; 4704 pid_t pid; 4705 const auditinfo_addr_t *ainfo; 4706 cred_t *cr; 4707 4708 pid = (pid_t)uap->pid; 4709 4710 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4711 if (pid > 0) { 4712 mutex_enter(&pidlock); 4713 if ((p = prfind(pid)) == (struct proc *)0) { 4714 mutex_exit(&pidlock); 4715 return; 4716 } 4717 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4718 mutex_exit(&pidlock); 4719 4720 mutex_enter(&p->p_crlock); 4721 crhold(cr = p->p_cred); 4722 mutex_exit(&p->p_crlock); 4723 mutex_exit(&p->p_lock); 4724 4725 ainfo = crgetauinfo(cr); 4726 if (ainfo == NULL) { 4727 crfree(cr); 4728 return; 4729 } 4730 4731 uid = crgetuid(cr); 4732 gid = crgetgid(cr); 4733 ruid = crgetruid(cr); 4734 rgid = crgetrgid(cr); 4735 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4736 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4737 crfree(cr); 4738 } 4739 else 4740 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4741 } 4742 4743 /*ARGSUSED*/ 4744 static void 4745 aus_inst_sync(struct t_audit_data *tad) 4746 { 4747 struct a { 4748 long name; /* char */ 4749 long flags; 4750 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4751 4752 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4753 } 4754 4755 /*ARGSUSED*/ 4756 static void 4757 aus_brandsys(struct t_audit_data *tad) 4758 { 4759 klwp_t *clwp = ttolwp(curthread); 4760 4761 struct a { 4762 long cmd; 4763 long arg1; 4764 long arg2; 4765 long arg3; 4766 long arg4; 4767 long arg5; 4768 long arg6; 4769 } *uap = (struct a *)clwp->lwp_ap; 4770 4771 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4772 #ifdef _LP64 4773 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4774 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4775 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4776 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4777 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4778 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4779 #else 4780 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4781 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4782 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4783 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4784 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4785 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4786 #endif 4787 } 4788 4789 /*ARGSUSED*/ 4790 static void 4791 aus_p_online(struct t_audit_data *tad) 4792 { 4793 struct a { 4794 long processor_id; 4795 long flag; 4796 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4797 4798 struct flags { 4799 int flag; 4800 char *cflag; 4801 } aflags[6] = { 4802 { P_ONLINE, "P_ONLINE"}, 4803 { P_OFFLINE, "P_OFFLINE"}, 4804 { P_NOINTR, "P_NOINTR"}, 4805 { P_SPARE, "P_SPARE"}, 4806 { P_FAULTED, "P_FAULTED"}, 4807 { P_STATUS, "P_STATUS"} 4808 }; 4809 int i; 4810 char *cflag; 4811 4812 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4813 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4814 4815 for (i = 0; i < 6; i++) { 4816 if (aflags[i].flag == uap->flag) 4817 break; 4818 } 4819 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4820 4821 au_uwrite(au_to_text(cflag)); 4822 } 4823 4824 /*ARGSUSED*/ 4825 static void 4826 aus_processor_bind(struct t_audit_data *tad) 4827 { 4828 struct a { 4829 long id_type; 4830 long id; 4831 long processor_id; 4832 long obind; 4833 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4834 4835 struct proc *p; 4836 int lwpcnt; 4837 uid_t uid, ruid; 4838 gid_t gid, rgid; 4839 pid_t pid; 4840 const auditinfo_addr_t *ainfo; 4841 cred_t *cr; 4842 4843 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4844 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4845 if (uap->processor_id == PBIND_NONE) 4846 au_uwrite(au_to_text("PBIND_NONE")); 4847 else 4848 au_uwrite(au_to_arg32(3, "processor_id", 4849 (uint32_t)uap->processor_id)); 4850 4851 switch (uap->id_type) { 4852 case P_MYID: 4853 case P_LWPID: 4854 mutex_enter(&pidlock); 4855 p = ttoproc(curthread); 4856 if (p == NULL || p->p_as == &kas) { 4857 mutex_exit(&pidlock); 4858 return; 4859 } 4860 mutex_enter(&p->p_lock); 4861 mutex_exit(&pidlock); 4862 lwpcnt = p->p_lwpcnt; 4863 pid = p->p_pid; 4864 4865 mutex_enter(&p->p_crlock); 4866 crhold(cr = p->p_cred); 4867 mutex_exit(&p->p_crlock); 4868 mutex_exit(&p->p_lock); 4869 4870 ainfo = crgetauinfo(cr); 4871 if (ainfo == NULL) { 4872 crfree(cr); 4873 return; 4874 } 4875 4876 uid = crgetuid(cr); 4877 gid = crgetgid(cr); 4878 ruid = crgetruid(cr); 4879 rgid = crgetrgid(cr); 4880 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4881 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4882 crfree(cr); 4883 break; 4884 case P_PID: 4885 mutex_enter(&pidlock); 4886 p = prfind(uap->id); 4887 if (p == NULL || p->p_as == &kas) { 4888 mutex_exit(&pidlock); 4889 return; 4890 } 4891 mutex_enter(&p->p_lock); 4892 mutex_exit(&pidlock); 4893 lwpcnt = p->p_lwpcnt; 4894 pid = p->p_pid; 4895 4896 mutex_enter(&p->p_crlock); 4897 crhold(cr = p->p_cred); 4898 mutex_exit(&p->p_crlock); 4899 mutex_exit(&p->p_lock); 4900 4901 ainfo = crgetauinfo(cr); 4902 if (ainfo == NULL) { 4903 crfree(cr); 4904 return; 4905 } 4906 4907 uid = crgetuid(cr); 4908 gid = crgetgid(cr); 4909 ruid = crgetruid(cr); 4910 rgid = crgetrgid(cr); 4911 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4912 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4913 crfree(cr); 4914 4915 break; 4916 default: 4917 return; 4918 } 4919 4920 if (uap->processor_id == PBIND_NONE && 4921 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4922 au_uwrite(au_to_text("PBIND_NONE for process")); 4923 else 4924 au_uwrite(au_to_arg32(3, "processor_id", 4925 (uint32_t)uap->processor_id)); 4926 } 4927 4928 /*ARGSUSED*/ 4929 static au_event_t 4930 aui_doorfs(au_event_t e) 4931 { 4932 uint32_t code; 4933 4934 struct a { /* doorfs */ 4935 long a1; 4936 long a2; 4937 long a3; 4938 long a4; 4939 long a5; 4940 long code; 4941 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4942 4943 /* 4944 * audit formats for several of the 4945 * door calls have not yet been determined 4946 */ 4947 code = (uint32_t)uap->code; 4948 switch (code) { 4949 case DOOR_CALL: 4950 e = AUE_DOORFS_DOOR_CALL; 4951 break; 4952 case DOOR_RETURN: 4953 e = AUE_NULL; 4954 break; 4955 case DOOR_CREATE: 4956 e = AUE_DOORFS_DOOR_CREATE; 4957 break; 4958 case DOOR_REVOKE: 4959 e = AUE_DOORFS_DOOR_REVOKE; 4960 break; 4961 case DOOR_INFO: 4962 e = AUE_NULL; 4963 break; 4964 case DOOR_UCRED: 4965 e = AUE_NULL; 4966 break; 4967 case DOOR_BIND: 4968 e = AUE_NULL; 4969 break; 4970 case DOOR_UNBIND: 4971 e = AUE_NULL; 4972 break; 4973 case DOOR_GETPARAM: 4974 e = AUE_NULL; 4975 break; 4976 case DOOR_SETPARAM: 4977 e = AUE_NULL; 4978 break; 4979 default: /* illegal system call */ 4980 e = AUE_NULL; 4981 break; 4982 } 4983 4984 return (e); 4985 } 4986 4987 static door_node_t * 4988 au_door_lookup(int did) 4989 { 4990 vnode_t *vp; 4991 file_t *fp; 4992 4993 if ((fp = getf(did)) == NULL) 4994 return (NULL); 4995 /* 4996 * Use the underlying vnode (we may be namefs mounted) 4997 */ 4998 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 4999 vp = fp->f_vnode; 5000 5001 if (vp == NULL || vp->v_type != VDOOR) { 5002 releasef(did); 5003 return (NULL); 5004 } 5005 5006 return (VTOD(vp)); 5007 } 5008 5009 /*ARGSUSED*/ 5010 static void 5011 aus_doorfs(struct t_audit_data *tad) 5012 { 5013 5014 struct a { /* doorfs */ 5015 long a1; 5016 long a2; 5017 long a3; 5018 long a4; 5019 long a5; 5020 long code; 5021 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5022 5023 door_node_t *dp; 5024 struct proc *p; 5025 uint32_t did; 5026 uid_t uid, ruid; 5027 gid_t gid, rgid; 5028 pid_t pid; 5029 const auditinfo_addr_t *ainfo; 5030 cred_t *cr; 5031 5032 did = (uint32_t)uap->a1; 5033 5034 switch (tad->tad_event) { 5035 case AUE_DOORFS_DOOR_CALL: 5036 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5037 if ((dp = au_door_lookup(did)) == NULL) 5038 break; 5039 5040 if (DOOR_INVALID(dp)) { 5041 releasef(did); 5042 break; 5043 } 5044 5045 if ((p = dp->door_target) == NULL) { 5046 releasef(did); 5047 break; 5048 } 5049 mutex_enter(&p->p_lock); 5050 releasef(did); 5051 5052 pid = p->p_pid; 5053 5054 mutex_enter(&p->p_crlock); 5055 crhold(cr = p->p_cred); 5056 mutex_exit(&p->p_crlock); 5057 mutex_exit(&p->p_lock); 5058 5059 ainfo = crgetauinfo(cr); 5060 if (ainfo == NULL) { 5061 crfree(cr); 5062 return; 5063 } 5064 uid = crgetuid(cr); 5065 gid = crgetgid(cr); 5066 ruid = crgetruid(cr); 5067 rgid = crgetrgid(cr); 5068 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5069 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5070 crfree(cr); 5071 break; 5072 case AUE_DOORFS_DOOR_RETURN: 5073 /* 5074 * We may want to write information about 5075 * all doors (if any) which will be copied 5076 * by this call to the user space 5077 */ 5078 break; 5079 case AUE_DOORFS_DOOR_CREATE: 5080 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5081 break; 5082 case AUE_DOORFS_DOOR_REVOKE: 5083 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5084 break; 5085 case AUE_DOORFS_DOOR_INFO: 5086 break; 5087 case AUE_DOORFS_DOOR_CRED: 5088 break; 5089 case AUE_DOORFS_DOOR_BIND: 5090 break; 5091 case AUE_DOORFS_DOOR_UNBIND: { 5092 break; 5093 } 5094 default: /* illegal system call */ 5095 break; 5096 } 5097 } 5098 5099 /*ARGSUSED*/ 5100 static au_event_t 5101 aui_acl(au_event_t e) 5102 { 5103 struct a { 5104 union { 5105 long name; /* char */ 5106 long fd; 5107 } obj; 5108 5109 long cmd; 5110 long nentries; 5111 long arg; /* aclent_t */ 5112 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5113 5114 switch (uap->cmd) { 5115 case SETACL: 5116 case ACE_SETACL: 5117 /* 5118 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5119 * are expected. 5120 */ 5121 break; 5122 case GETACL: 5123 case GETACLCNT: 5124 case ACE_GETACL: 5125 case ACE_GETACLCNT: 5126 /* do nothing for these four values. */ 5127 e = AUE_NULL; 5128 break; 5129 default: 5130 /* illegal system call */ 5131 break; 5132 } 5133 5134 return (e); 5135 } 5136 5137 static void 5138 au_acl(int cmd, int nentries, caddr_t bufp) 5139 { 5140 size_t a_size; 5141 aclent_t *aclbufp; 5142 ace_t *acebufp; 5143 int i; 5144 5145 switch (cmd) { 5146 case GETACL: 5147 case GETACLCNT: 5148 break; 5149 case SETACL: 5150 if (nentries < 3) 5151 break; 5152 5153 a_size = nentries * sizeof (aclent_t); 5154 5155 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5156 break; 5157 if (copyin(bufp, aclbufp, a_size)) { 5158 kmem_free(aclbufp, a_size); 5159 break; 5160 } 5161 for (i = 0; i < nentries; i++) { 5162 au_uwrite(au_to_acl(aclbufp + i)); 5163 } 5164 kmem_free(aclbufp, a_size); 5165 break; 5166 5167 case ACE_SETACL: 5168 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5169 break; 5170 5171 a_size = nentries * sizeof (ace_t); 5172 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5173 break; 5174 if (copyin(bufp, acebufp, a_size)) { 5175 kmem_free(acebufp, a_size); 5176 break; 5177 } 5178 for (i = 0; i < nentries; i++) { 5179 au_uwrite(au_to_ace(acebufp + i)); 5180 } 5181 kmem_free(acebufp, a_size); 5182 break; 5183 default: 5184 break; 5185 } 5186 } 5187 5188 /*ARGSUSED*/ 5189 static void 5190 aus_acl(struct t_audit_data *tad) 5191 { 5192 struct a { 5193 long fname; 5194 long cmd; 5195 long nentries; 5196 long aclbufp; 5197 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5198 5199 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5200 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5201 5202 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5203 } 5204 5205 /*ARGSUSED*/ 5206 static void 5207 aus_facl(struct t_audit_data *tad) 5208 { 5209 struct a { 5210 long fd; 5211 long cmd; 5212 long nentries; 5213 long aclbufp; 5214 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5215 struct file *fp; 5216 struct vnode *vp; 5217 struct f_audit_data *fad; 5218 int fd; 5219 5220 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5221 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5222 5223 fd = (int)uap->fd; 5224 5225 if ((fp = getf(fd)) == NULL) 5226 return; 5227 5228 /* get path from file struct here */ 5229 fad = F2A(fp); 5230 if (fad->fad_aupath != NULL) { 5231 au_uwrite(au_to_path(fad->fad_aupath)); 5232 } else { 5233 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5234 } 5235 5236 vp = fp->f_vnode; 5237 audit_attributes(vp); 5238 5239 /* decrement file descriptor reference count */ 5240 releasef(fd); 5241 5242 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5243 } 5244 5245 /*ARGSUSED*/ 5246 static void 5247 auf_read(tad, error, rval) 5248 struct t_audit_data *tad; 5249 int error; 5250 rval_t *rval; 5251 { 5252 struct file *fp; 5253 struct f_audit_data *fad; 5254 int fd; 5255 register struct a { 5256 long fd; 5257 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5258 au_kcontext_t *kctx = GET_KCTX_PZ; 5259 5260 fd = (int)uap->fd; 5261 5262 /* 5263 * convert file pointer to file descriptor 5264 * Note: fd ref count incremented here. 5265 */ 5266 if ((fp = getf(fd)) == NULL) 5267 return; 5268 5269 /* get path from file struct here */ 5270 fad = F2A(fp); 5271 ASSERT(fad); 5272 5273 /* 5274 * already processed this file for read attempt 5275 * 5276 * XXX might be better to turn off auditing in a aui_read() routine. 5277 */ 5278 if (fad->fad_flags & FAD_READ) { 5279 /* don't really want to audit every read attempt */ 5280 tad->tad_flag = 0; 5281 /* free any residual audit data */ 5282 au_close(kctx, &(u_ad), 0, 0, 0); 5283 releasef(fd); 5284 return; 5285 } 5286 /* mark things so we know what happened and don't repeat things */ 5287 fad->fad_flags |= FAD_READ; 5288 5289 if (fad->fad_aupath != NULL) { 5290 au_uwrite(au_to_path(fad->fad_aupath)); 5291 } else { 5292 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5293 } 5294 5295 /* include attributes */ 5296 audit_attributes(fp->f_vnode); 5297 5298 /* decrement file descriptor reference count */ 5299 releasef(fd); 5300 } 5301 5302 /*ARGSUSED*/ 5303 static void 5304 auf_write(tad, error, rval) 5305 struct t_audit_data *tad; 5306 int error; 5307 rval_t *rval; 5308 { 5309 struct file *fp; 5310 struct f_audit_data *fad; 5311 int fd; 5312 register struct a { 5313 long fd; 5314 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5315 au_kcontext_t *kctx = GET_KCTX_PZ; 5316 5317 fd = (int)uap->fd; 5318 5319 /* 5320 * convert file pointer to file descriptor 5321 * Note: fd ref count incremented here. 5322 */ 5323 if ((fp = getf(fd)) == NULL) 5324 return; 5325 5326 /* get path from file struct here */ 5327 fad = F2A(fp); 5328 ASSERT(fad); 5329 5330 /* 5331 * already processed this file for write attempt 5332 * 5333 * XXX might be better to turn off auditing in a aus_write() routine. 5334 */ 5335 if (fad->fad_flags & FAD_WRITE) { 5336 /* don't really want to audit every write attempt */ 5337 tad->tad_flag = 0; 5338 /* free any residual audit data */ 5339 au_close(kctx, &(u_ad), 0, 0, 0); 5340 releasef(fd); 5341 return; 5342 } 5343 /* mark things so we know what happened and don't repeat things */ 5344 fad->fad_flags |= FAD_WRITE; 5345 5346 if (fad->fad_aupath != NULL) { 5347 au_uwrite(au_to_path(fad->fad_aupath)); 5348 } else { 5349 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5350 } 5351 5352 /* include attributes */ 5353 audit_attributes(fp->f_vnode); 5354 5355 /* decrement file descriptor reference count */ 5356 releasef(fd); 5357 } 5358 5359 /*ARGSUSED*/ 5360 static void 5361 auf_recv(tad, error, rval) 5362 struct t_audit_data *tad; 5363 int error; 5364 rval_t *rval; 5365 { 5366 struct sonode *so; 5367 char so_laddr[sizeof (struct sockaddr_in6)]; 5368 char so_faddr[sizeof (struct sockaddr_in6)]; 5369 struct file *fp; 5370 struct f_audit_data *fad; 5371 int fd; 5372 int err; 5373 socklen_t len; 5374 short so_family, so_type; 5375 register struct a { 5376 long fd; 5377 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5378 au_kcontext_t *kctx = GET_KCTX_PZ; 5379 5380 /* 5381 * If there was an error, then nothing to do. Only generate 5382 * audit record on first successful recv. 5383 */ 5384 if (error) { 5385 /* Turn off audit record generation here. */ 5386 tad->tad_flag = 0; 5387 /* free any residual audit data */ 5388 au_close(kctx, &(u_ad), 0, 0, 0); 5389 return; 5390 } 5391 5392 fd = (int)uap->fd; 5393 5394 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5395 /* Turn off audit record generation here. */ 5396 tad->tad_flag = 0; 5397 /* free any residual audit data */ 5398 au_close(kctx, &(u_ad), 0, 0, 0); 5399 return; 5400 } 5401 5402 /* get path from file struct here */ 5403 fad = F2A(fp); 5404 ASSERT(fad); 5405 5406 /* 5407 * already processed this file for read attempt 5408 */ 5409 if (fad->fad_flags & FAD_READ) { 5410 releasef(fd); 5411 /* don't really want to audit every recv call */ 5412 tad->tad_flag = 0; 5413 /* free any residual audit data */ 5414 au_close(kctx, &(u_ad), 0, 0, 0); 5415 return; 5416 } 5417 5418 /* mark things so we know what happened and don't repeat things */ 5419 fad->fad_flags |= FAD_READ; 5420 5421 so_family = so->so_family; 5422 so_type = so->so_type; 5423 5424 switch (so_family) { 5425 case AF_INET: 5426 case AF_INET6: 5427 /* 5428 * Only for connections. 5429 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5430 */ 5431 if (so->so_state & SS_ISBOUND) { 5432 5433 bzero((void *)so_laddr, sizeof (so_laddr)); 5434 bzero((void *)so_faddr, sizeof (so_faddr)); 5435 5436 /* get local and foreign addresses */ 5437 len = sizeof (so_laddr); 5438 (void) socket_getsockname(so, 5439 (struct sockaddr *)so_laddr, &len, CRED()); 5440 len = sizeof (so_faddr); 5441 (void) socket_getpeername(so, 5442 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5443 5444 /* 5445 * only way to drop out of switch. Note that we 5446 * we release fd below. 5447 */ 5448 5449 break; 5450 } 5451 5452 releasef(fd); 5453 5454 /* don't really want to audit every recv call */ 5455 tad->tad_flag = 0; 5456 /* free any residual audit data */ 5457 au_close(kctx, &(u_ad), 0, 0, 0); 5458 5459 return; 5460 5461 case AF_UNIX: 5462 5463 if (fad->fad_aupath != NULL) { 5464 au_uwrite(au_to_path(fad->fad_aupath)); 5465 } else { 5466 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5467 } 5468 5469 audit_attributes(fp->f_vnode); 5470 5471 releasef(fd); 5472 5473 return; 5474 5475 default: 5476 releasef(fd); 5477 5478 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5479 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5480 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5481 5482 return; 5483 } 5484 5485 releasef(fd); 5486 5487 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5488 5489 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5490 5491 } 5492 5493 /*ARGSUSED*/ 5494 static void 5495 auf_send(tad, error, rval) 5496 struct t_audit_data *tad; 5497 int error; 5498 rval_t *rval; 5499 { 5500 struct sonode *so; 5501 char so_laddr[sizeof (struct sockaddr_in6)]; 5502 char so_faddr[sizeof (struct sockaddr_in6)]; 5503 struct file *fp; 5504 struct f_audit_data *fad; 5505 int fd; 5506 int err; 5507 socklen_t len; 5508 short so_family, so_type; 5509 register struct a { 5510 long fd; 5511 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5512 au_kcontext_t *kctx = GET_KCTX_PZ; 5513 5514 fd = (int)uap->fd; 5515 5516 /* 5517 * If there was an error, then nothing to do. Only generate 5518 * audit record on first successful send. 5519 */ 5520 if (error != 0) { 5521 /* Turn off audit record generation here. */ 5522 tad->tad_flag = 0; 5523 /* free any residual audit data */ 5524 au_close(kctx, &(u_ad), 0, 0, 0); 5525 return; 5526 } 5527 5528 fd = (int)uap->fd; 5529 5530 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5531 /* Turn off audit record generation here. */ 5532 tad->tad_flag = 0; 5533 /* free any residual audit data */ 5534 au_close(kctx, &(u_ad), 0, 0, 0); 5535 return; 5536 } 5537 5538 /* get path from file struct here */ 5539 fad = F2A(fp); 5540 ASSERT(fad); 5541 5542 /* 5543 * already processed this file for write attempt 5544 */ 5545 if (fad->fad_flags & FAD_WRITE) { 5546 releasef(fd); 5547 /* don't really want to audit every send call */ 5548 tad->tad_flag = 0; 5549 /* free any residual audit data */ 5550 au_close(kctx, &(u_ad), 0, 0, 0); 5551 return; 5552 } 5553 5554 /* mark things so we know what happened and don't repeat things */ 5555 fad->fad_flags |= FAD_WRITE; 5556 5557 so_family = so->so_family; 5558 so_type = so->so_type; 5559 5560 switch (so_family) { 5561 case AF_INET: 5562 case AF_INET6: 5563 /* 5564 * Only for connections. 5565 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5566 */ 5567 if (so->so_state & SS_ISBOUND) { 5568 5569 bzero((void *)so_laddr, sizeof (so_laddr)); 5570 bzero((void *)so_faddr, sizeof (so_faddr)); 5571 5572 /* get local and foreign addresses */ 5573 len = sizeof (so_laddr); 5574 (void) socket_getsockname(so, 5575 (struct sockaddr *)so_laddr, &len, CRED()); 5576 len = sizeof (so_faddr); 5577 (void) socket_getpeername(so, 5578 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5579 5580 /* 5581 * only way to drop out of switch. Note that we 5582 * we release fd below. 5583 */ 5584 5585 break; 5586 } 5587 5588 releasef(fd); 5589 /* don't really want to audit every send call */ 5590 tad->tad_flag = 0; 5591 /* free any residual audit data */ 5592 au_close(kctx, &(u_ad), 0, 0, 0); 5593 5594 return; 5595 5596 case AF_UNIX: 5597 5598 if (fad->fad_aupath != NULL) { 5599 au_uwrite(au_to_path(fad->fad_aupath)); 5600 } else { 5601 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5602 } 5603 5604 audit_attributes(fp->f_vnode); 5605 5606 releasef(fd); 5607 5608 return; 5609 5610 default: 5611 releasef(fd); 5612 5613 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5614 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5615 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5616 5617 return; 5618 } 5619 5620 releasef(fd); 5621 5622 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5623 5624 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5625 } 5626 5627 static au_event_t 5628 aui_forksys(au_event_t e) 5629 { 5630 struct a { 5631 long subcode; 5632 long flags; 5633 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5634 5635 switch ((uint_t)uap->subcode) { 5636 case 0: 5637 e = AUE_FORK1; 5638 break; 5639 case 1: 5640 e = AUE_FORKALL; 5641 break; 5642 case 2: 5643 e = AUE_VFORK; 5644 break; 5645 default: 5646 e = AUE_NULL; 5647 break; 5648 } 5649 5650 return (e); 5651 } 5652 5653 /*ARGSUSED*/ 5654 static au_event_t 5655 aui_portfs(au_event_t e) 5656 { 5657 struct a { /* portfs */ 5658 long a1; 5659 long a2; 5660 long a3; 5661 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5662 5663 /* 5664 * check opcode 5665 */ 5666 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5667 case PORT_ASSOCIATE: 5668 /* check source */ 5669 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5670 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5671 e = AUE_PORTFS_ASSOCIATE; 5672 } else { 5673 e = AUE_NULL; 5674 } 5675 break; 5676 case PORT_DISSOCIATE: 5677 /* check source */ 5678 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5679 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5680 e = AUE_PORTFS_DISSOCIATE; 5681 } else { 5682 e = AUE_NULL; 5683 } 5684 break; 5685 default: 5686 e = AUE_NULL; 5687 } 5688 return (e); 5689 } 5690