xref: /titanic_51/usr/src/uts/common/c2/audit_event.c (revision 3d09a4fec6be19a6f09e277d5d5d17942bb4abf4)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * This file contains the audit event table used to control the production
29  * of audit records for each system call.
30  */
31 
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h>	/* for sysinfo auditing */
37 #include <sys/utsname.h>	/* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h>		/* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h>		/* for accept */
56 #include <sys/utssys.h>		/* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/vfs_opreg.h>
76 #include <fs/sockfs/sockcommon.h>
77 #include <netinet/in.h>
78 #include <sys/ddi.h>
79 #include <sys/port_impl.h>
80 
81 
82 char	_depends_on[] = "fs/sockfs";
83 
84 static au_event_t	aui_open(au_event_t);
85 static au_event_t	aui_fsat(au_event_t);
86 static au_event_t	aui_msgsys(au_event_t);
87 static au_event_t	aui_shmsys(au_event_t);
88 static au_event_t	aui_semsys(au_event_t);
89 static au_event_t	aui_utssys(au_event_t);
90 static au_event_t	aui_fcntl(au_event_t);
91 static au_event_t	aui_execv(au_event_t);
92 static au_event_t	aui_execve(au_event_t);
93 static au_event_t	aui_memcntl(au_event_t);
94 static au_event_t	aui_sysinfo(au_event_t);
95 static au_event_t	aui_portfs(au_event_t);
96 static au_event_t	aui_auditsys(au_event_t);
97 static au_event_t	aui_modctl(au_event_t);
98 static au_event_t	aui_acl(au_event_t);
99 static au_event_t	aui_doorfs(au_event_t);
100 static au_event_t	aui_privsys(au_event_t);
101 static au_event_t	aui_forksys(au_event_t);
102 static au_event_t	aui_labelsys(au_event_t);
103 static au_event_t	aui_setpgrp(au_event_t);
104 
105 static void	aus_open(struct t_audit_data *);
106 static void	aus_acl(struct t_audit_data *);
107 static void	aus_acct(struct t_audit_data *);
108 static void	aus_chown(struct t_audit_data *);
109 static void	aus_fchown(struct t_audit_data *);
110 static void	aus_lchown(struct t_audit_data *);
111 static void	aus_chmod(struct t_audit_data *);
112 static void	aus_facl(struct t_audit_data *);
113 static void	aus_fchmod(struct t_audit_data *);
114 static void	aus_fcntl(struct t_audit_data *);
115 static void	aus_fsat(struct t_audit_data *);
116 static void	aus_mkdir(struct t_audit_data *);
117 static void	aus_mknod(struct t_audit_data *);
118 static void	aus_mount(struct t_audit_data *);
119 static void	aus_umount(struct t_audit_data *);
120 static void	aus_umount2(struct t_audit_data *);
121 static void	aus_msgsys(struct t_audit_data *);
122 static void	aus_semsys(struct t_audit_data *);
123 static void	aus_close(struct t_audit_data *);
124 static void	aus_fstatfs(struct t_audit_data *);
125 static void	aus_setgid(struct t_audit_data *);
126 static void	aus_setpgrp(struct t_audit_data *);
127 static void	aus_setuid(struct t_audit_data *);
128 static void	aus_shmsys(struct t_audit_data *);
129 static void	aus_doorfs(struct t_audit_data *);
130 static void	aus_ioctl(struct t_audit_data *);
131 static void	aus_memcntl(struct t_audit_data *);
132 static void	aus_mmap(struct t_audit_data *);
133 static void	aus_munmap(struct t_audit_data *);
134 static void	aus_priocntlsys(struct t_audit_data *);
135 static void	aus_setegid(struct t_audit_data *);
136 static void	aus_setgroups(struct t_audit_data *);
137 static void	aus_seteuid(struct t_audit_data *);
138 static void	aus_putmsg(struct t_audit_data *);
139 static void	aus_putpmsg(struct t_audit_data *);
140 static void	aus_getmsg(struct t_audit_data *);
141 static void	aus_getpmsg(struct t_audit_data *);
142 static void	aus_auditsys(struct t_audit_data *);
143 static void	aus_sysinfo(struct t_audit_data *);
144 static void	aus_modctl(struct t_audit_data *);
145 static void	aus_kill(struct t_audit_data *);
146 static void	aus_xmknod(struct t_audit_data *);
147 static void	aus_setregid(struct t_audit_data *);
148 static void	aus_setreuid(struct t_audit_data *);
149 static void	aus_labelsys(struct t_audit_data *);
150 
151 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
152 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
153 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
154 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
155 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
156 static void	auf_read(struct t_audit_data *, int, rval_t *);
157 static void	auf_write(struct t_audit_data *, int, rval_t *);
158 
159 static void	aus_sigqueue(struct t_audit_data *);
160 static void	aus_p_online(struct t_audit_data *);
161 static void	aus_processor_bind(struct t_audit_data *);
162 static void	aus_inst_sync(struct t_audit_data *);
163 static void	aus_brandsys(struct t_audit_data *);
164 
165 static void	auf_accept(struct t_audit_data *, int, rval_t *);
166 
167 static void	auf_bind(struct t_audit_data *, int, rval_t *);
168 static void	auf_connect(struct t_audit_data *, int, rval_t *);
169 static void	aus_shutdown(struct t_audit_data *);
170 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
171 static void	aus_sockconfig(struct t_audit_data *);
172 static void	auf_recv(struct t_audit_data *, int, rval_t *);
173 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
174 static void	auf_send(struct t_audit_data *, int, rval_t *);
175 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
176 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
177 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
178 static void	aus_socket(struct t_audit_data *);
179 /*
180  * This table contains mapping information for converting system call numbers
181  * to audit event IDs. In several cases it is necessary to map a single system
182  * call to several events.
183  */
184 
185 #define	aui_null	NULL	/* NULL initialize function */
186 #define	aus_null	NULL	/* NULL start function */
187 #define	auf_null	NULL	/* NULL finish function */
188 
189 struct audit_s2e audit_s2e[] =
190 {
191 /*
192  * ----------	---------- 	----------	----------
193  * INITIAL	AUDIT		START		SYSTEM
194  * PROCESSING	EVENT		PROCESSING	CALL
195  * ----------	----------	----------	-----------
196  *		FINISH		EVENT
197  *		PROCESSING	CONTROL
198  * ----------------------------------------------------------
199  */
200 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
201 		auf_null,	0,
202 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
203 		auf_null,	S2E_NPT,
204 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
205 		auf_null,	0,
206 aui_null,	AUE_READ,	aus_null,	/* 3 read */
207 		auf_read,	S2E_PUB,
208 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
209 		auf_write,	0,
210 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
211 		auf_null,	S2E_SP,
212 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
213 		auf_null,	0,
214 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
215 		auf_null,	0,
216 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
217 		auf_null,	S2E_SP,
218 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
219 		auf_null,	0,
220 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
221 		auf_null,	0,
222 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
223 		auf_null,	S2E_MLD,
224 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
225 		auf_null,	S2E_SP,
226 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
227 		auf_null,	0,
228 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
229 		auf_mknod,	0,
230 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
231 		auf_null,	0,
232 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
233 		auf_null,	0,
234 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
235 		auf_null,	0,
236 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
237 		auf_null,	S2E_PUB,
238 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
239 		auf_null,	0,
240 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
241 		auf_null,	0,
242 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
243 		auf_null,	S2E_MLD,
244 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
245 		auf_null,	0,
246 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
247 		auf_null,	0,
248 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
249 		auf_null,	0,
250 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
251 		auf_null,	0,
252 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
253 		auf_null,	0,
254 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
255 		auf_null,	0,
256 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
257 		auf_null,	0,
258 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
259 		auf_null,	0,
260 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
261 		auf_null,	0,
262 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
263 		auf_null,	0,
264 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
265 		auf_null,	0,
266 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
267 		auf_null,	S2E_PUB,
268 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
269 		auf_null,	0,
270 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
271 		auf_null,	S2E_PUB,
272 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
273 		auf_null,	0,
274 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
275 		auf_null,	0,
276 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
277 		auf_null,	S2E_PUB,
278 aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
279 		auf_null,	0,
280 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
281 		auf_null,	0,
282 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
283 		auf_null,	0,
284 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
285 		auf_null,	0,
286 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
287 		auf_null,	0,
288 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
289 		auf_null,	0,
290 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
291 						/*	was proc lock */
292 		auf_null,	0,
293 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
294 		auf_null,	0,
295 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
296 		auf_null,	0,
297 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
298 		auf_null,	0,
299 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
300 		auf_msgsys,	0,
301 #if defined(__x86)
302 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
303 		auf_null,	0,
304 #else
305 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
306 		auf_null,	0,
307 #endif /* __x86 */
308 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
309 		auf_null,	0,
310 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
311 		auf_shmsys,	0,
312 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
313 		auf_semsys,	0,
314 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
315 		auf_null,	0,
316 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
317 		auf_null,	0,
318 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
319 		auf_null,	0,
320 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
321 		auf_null,	0,
322 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
323 		auf_null,	0,
324 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
325 		auf_null,	S2E_MLD,
326 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
327 		auf_null,	0,
328 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
329 		auf_null,	S2E_SP,
330 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
331 		auf_null,	0,
332 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
333 		auf_null,	0,
334 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
335 		auf_null,	0,
336 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
337 		auf_null,	0,
338 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
339 		auf_null,	0,
340 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
341 						/*	file locking call */
342 		auf_null,	0,
343 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
344 						/*	local system calls */
345 		auf_null,	0,
346 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
347 		auf_null,	0,
348 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
349 		auf_null,	0,
350 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
355 		auf_null,	0,
356 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
359 						/*	was sigret (SunOS) */
360 		auf_null,	0,
361 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
362 		auf_null,	0,
363 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
364 		auf_null,	0,
365 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
366 		auf_null,	0,
367 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
368 		auf_null,	0,
369 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
370 		auf_null,	0,
371 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
372 		auf_null,	0,
373 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
374 						/*	was libattach */
375 		auf_null,	0,
376 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
377 						/*	was libdetach */
378 		auf_null,	0,
379 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
380 		auf_null,	0,
381 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
382 		auf_null,	0,
383 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
384 		auf_null,	0,
385 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
386 		auf_null,	0,
387 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
388 		auf_null,	S2E_PUB,
389 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
390 		auf_null,	0,
391 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
392 		auf_null,	S2E_PUB,
393 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
394 		auf_null,	0,
395 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
396 		auf_null,	0,
397 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
398 		auf_null,	0,
399 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
400 		auf_null,	0,
401 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
402 		auf_null,	0,
403 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
404 		auf_null,	0,
405 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
406 		auf_null,	0,
407 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
408 		auf_null,	0,
409 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
410 		auf_null,	0,
411 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
412 		auf_null,	0,
413 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
414 		auf_null,	0,
415 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
416 						/*	was evtrapret */
417 		auf_null,	0,
418 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
419 		auf_null,	S2E_PUB,
420 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
421 		auf_null,	0,
422 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
423 		auf_null,	0,
424 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
425 		auf_null,	0,
426 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
427 		auf_null,	0,
428 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
429 		auf_null,	0,
430 #if defined(__x86)
431 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
432 		auf_null,	0,
433 #else
434 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
435 		auf_null,	0,
436 #endif /* __x86 */
437 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
438 		auf_null,	0,
439 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
440 		auf_null,	0,
441 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
442 		auf_null,	0,		/* 112 priocntlsys */
443 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
444 		auf_null,	S2E_PUB,
445 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
446 		auf_null,	0,
447 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
448 		auf_null,	0,
449 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
450 		auf_null,	0,
451 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
452 		auf_null,	0,
453 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
454 		auf_null,	0,
455 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
456 		auf_null,	0,
457 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
458 		auf_null,	0,
459 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
460 		auf_read,	S2E_PUB,
461 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
462 		auf_write,	0,
463 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
464 		auf_null,	S2E_PUB,
465 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
466 		auf_null,	S2E_PUB,
467 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
468 		auf_null,	0,
469 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
470 		auf_xmknod,	0,
471 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
472 		auf_null,	0,
473 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
474 		auf_null,	0,
475 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
476 		auf_null,	0,
477 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
478 		auf_null,	0,
479 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
480 		auf_null,	0,
481 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
482 		auf_null,	0,
483 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
484 		auf_null,	0,
485 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
486 		auf_null,	0,
487 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
488 		auf_null,	0,
489 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
490 		auf_null,	0,
491 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
492 		auf_null,	0,
493 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
494 		auf_null,	0,
495 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
496 		auf_null,	0,
497 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
498 		auf_null,	0,
499 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
500 		auf_null,	0,
501 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
502 		auf_null,	0,
503 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
504 		auf_null,	0,
505 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
506 		auf_null,	0,
507 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
508 		auf_null,	0,
509 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
510 		auf_null,	0,
511 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
512 		auf_null,	0,
513 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
514 		auf_null,	0,
515 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
516 		auf_null,	0,
517 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
518 		auf_null,	0,
519 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
520 		auf_null,	0,
521 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
522 		auf_null,	0,
523 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
524 		auf_null,	0,
525 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
526 		auf_null,	0,
527 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
528 		auf_null,	0,
529 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
530 		auf_null,	0,
531 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
532 		auf_null,	0,
533 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
534 		auf_null,	0,
535 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
536 		auf_null,	0,
537 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
538 		auf_null,	0,
539 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
540 		auf_null,	0,
541 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
542 		auf_null,	0,
543 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
544 		auf_null,	0,
545 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
546 		auf_null,	0,
547 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
548 						/*	was lwp_setprivate */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
551 						/*	was lwp_getprivate */
552 		auf_null,	0,
553 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
554 		auf_null,	0,
555 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
556 		auf_null,	0,
557 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
558 		auf_null,	0,
559 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
560 		auf_null,	0,
561 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
562 		auf_null,	0,
563 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
564 		auf_null,	0,
565 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
566 		auf_read,	S2E_PUB,
567 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
568 		auf_write,	0,
569 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
570 		auf_null,	0,
571 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
572 						/* aus_inst_sync */
573 		auf_null,	0,
574 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
575 		auf_null,	0,
576 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
577 		auf_null,	0,
578 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
579 		auf_null,	0,
580 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
581 		auf_null,	0,
582 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
583 		auf_null,	0,
584 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
585 		auf_null,	S2E_MLD,
586 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
587 		auf_null,	0,
588 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
589 		auf_null,	0,
590 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
591 		auf_null,	0,
592 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
593 		auf_null,	0,
594 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
595 		auf_null,	0,		/* 187 processor_bind */
596 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
597 		auf_null,	0,
598 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
599 		auf_null,	0,
600 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
601 		auf_null,	0,
602 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
603 		auf_null,	0,
604 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
605 		auf_null,	0,
606 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
607 		auf_null,	0,
608 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
609 		auf_null,	0,
610 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
611 		auf_null,	0,
612 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
613 		auf_null,	0,
614 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
615 		auf_null,	0,
616 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
617 		auf_null,	0,
618 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
619 		auf_null,	0,
620 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
621 		auf_null,	0,
622 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
623 		auf_null,	0,
624 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
625 		auf_null,	0,
626 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
627 		auf_null,	0,
628 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
629 		auf_null,	0,
630 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
631 		auf_null,	0,
632 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
633 		auf_null,	0,
634 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
635 		auf_null,	0,
636 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
637 		auf_null,	0,
638 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
639 		auf_null,	0,
640 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
641 		auf_null,	0,
642 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
643 		auf_null,	0,
644 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
645 		auf_null,	0,
646 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
647 		auf_null,	0,
648 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
649 		auf_null,	0,
650 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
651 		auf_null,	S2E_PUB,
652 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
653 		auf_null,	S2E_PUB,
654 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
655 		auf_null,	0,
656 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
657 		auf_null,	S2E_PUB,
658 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
659 		auf_null,	0,
660 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
661 		auf_null,	0,
662 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
663 		auf_null,	0,
664 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
665 		auf_read,	S2E_PUB,
666 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
667 		auf_write,	0,
668 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
669 		auf_null,	S2E_SP,
670 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
671 		auf_null,	S2E_SP,
672 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
673 		auf_null,	0,
674 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
675 		auf_null,	0,
676 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
677 		auf_null,	0,
678 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
679 		auf_null,	0,
680 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
681 		auf_null,	0,
682 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
683 		auf_null,	0,
684 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
685 		auf_bind,	0,
686 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
687 		auf_null,	0,
688 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
689 		auf_accept,	0,
690 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
691 		auf_connect,	0,
692 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
693 		auf_null,	0,
694 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
695 		auf_recv,	0,
696 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
697 		auf_recvfrom,	0,
698 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
699 		auf_recvmsg,	0,
700 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
701 		auf_send,	0,
702 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
703 		auf_sendmsg,	0,
704 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
705 		auf_sendto,	0,
706 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
707 		auf_null,	0,
708 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
709 		auf_null,	0,
710 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
711 		auf_null,	0,
712 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
713 		auf_setsockopt,	0,
714 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
715 		auf_null,	0,
716 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
717 		auf_null,	0,
718 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
719 		auf_null,	0,
720 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
721 		auf_null,	0,
722 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
723 		auf_null,	0,
724 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
725 		auf_null,	0,
726 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
727 		auf_null,	0,
728 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
729 		auf_null,	0,
730 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
731 		auf_null,	0
732 };
733 
734 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
735 
736 
737 /* acct start function */
738 /*ARGSUSED*/
739 static void
740 aus_acct(struct t_audit_data *tad)
741 {
742 	klwp_t *clwp = ttolwp(curthread);
743 	uintptr_t fname;
744 
745 	struct a {
746 		long	fname;		/* char * */
747 	} *uap = (struct a *)clwp->lwp_ap;
748 
749 	fname = (uintptr_t)uap->fname;
750 
751 	if (fname == 0)
752 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
753 }
754 
755 /* chown start function */
756 /*ARGSUSED*/
757 static void
758 aus_chown(struct t_audit_data *tad)
759 {
760 	klwp_t *clwp = ttolwp(curthread);
761 	uint32_t uid, gid;
762 
763 	struct a {
764 		long	fname;		/* char * */
765 		long	uid;
766 		long	gid;
767 	} *uap = (struct a *)clwp->lwp_ap;
768 
769 	uid = (uint32_t)uap->uid;
770 	gid = (uint32_t)uap->gid;
771 
772 	au_uwrite(au_to_arg32(2, "new file uid", uid));
773 	au_uwrite(au_to_arg32(3, "new file gid", gid));
774 }
775 
776 /* fchown start function */
777 /*ARGSUSED*/
778 static void
779 aus_fchown(struct t_audit_data *tad)
780 {
781 	klwp_t *clwp = ttolwp(curthread);
782 	uint32_t uid, gid, fd;
783 	struct file  *fp;
784 	struct vnode *vp;
785 	struct f_audit_data *fad;
786 
787 	struct a {
788 		long fd;
789 		long uid;
790 		long gid;
791 	} *uap = (struct a *)clwp->lwp_ap;
792 
793 	fd  = (uint32_t)uap->fd;
794 	uid = (uint32_t)uap->uid;
795 	gid = (uint32_t)uap->gid;
796 
797 	au_uwrite(au_to_arg32(2, "new file uid", uid));
798 	au_uwrite(au_to_arg32(3, "new file gid", gid));
799 
800 		/*
801 		 * convert file pointer to file descriptor
802 		 *   Note: fd ref count incremented here.
803 		 */
804 	if ((fp = getf(fd)) == NULL)
805 		return;
806 
807 	/* get path from file struct here */
808 	fad = F2A(fp);
809 	if (fad->fad_aupath != NULL) {
810 		au_uwrite(au_to_path(fad->fad_aupath));
811 	} else {
812 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
813 	}
814 
815 	vp = fp->f_vnode;
816 	audit_attributes(vp);
817 
818 	/* decrement file descriptor reference count */
819 	releasef(fd);
820 }
821 
822 /*ARGSUSED*/
823 static void
824 aus_lchown(struct t_audit_data *tad)
825 {
826 	klwp_t *clwp = ttolwp(curthread);
827 	uint32_t uid, gid;
828 
829 
830 	struct a {
831 		long	fname;		/* char	* */
832 		long	uid;
833 		long	gid;
834 	} *uap = (struct a *)clwp->lwp_ap;
835 
836 	uid = (uint32_t)uap->uid;
837 	gid = (uint32_t)uap->gid;
838 
839 	au_uwrite(au_to_arg32(2, "new file uid", uid));
840 	au_uwrite(au_to_arg32(3, "new file gid", gid));
841 }
842 
843 /* chmod start function */
844 /*ARGSUSED*/
845 static void
846 aus_chmod(struct t_audit_data *tad)
847 {
848 	klwp_t *clwp = ttolwp(curthread);
849 	uint32_t fmode;
850 
851 	struct a {
852 		long	fname;		/* char	* */
853 		long	fmode;
854 	} *uap = (struct a *)clwp->lwp_ap;
855 
856 	fmode = (uint32_t)uap->fmode;
857 
858 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
859 }
860 
861 /* chmod start function */
862 /*ARGSUSED*/
863 static void
864 aus_fchmod(struct t_audit_data *tad)
865 {
866 	klwp_t *clwp = ttolwp(curthread);
867 	uint32_t fmode, fd;
868 	struct file  *fp;
869 	struct vnode *vp;
870 	struct f_audit_data *fad;
871 
872 	struct a {
873 		long	fd;
874 		long	fmode;
875 	} *uap = (struct a *)clwp->lwp_ap;
876 
877 	fd = (uint32_t)uap->fd;
878 	fmode = (uint32_t)uap->fmode;
879 
880 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
881 
882 		/*
883 		 * convert file pointer to file descriptor
884 		 *   Note: fd ref count incremented here.
885 		 */
886 	if ((fp = getf(fd)) == NULL)
887 		return;
888 
889 		/* get path from file struct here */
890 	fad = F2A(fp);
891 	if (fad->fad_aupath != NULL) {
892 		au_uwrite(au_to_path(fad->fad_aupath));
893 	} else {
894 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
895 	}
896 
897 	vp = fp->f_vnode;
898 	audit_attributes(vp);
899 
900 	/* decrement file descriptor reference count */
901 	releasef(fd);
902 }
903 
904 
905 /* convert open to appropriate event */
906 static au_event_t
907 aui_open(au_event_t e)
908 {
909 	klwp_t *clwp = ttolwp(curthread);
910 	uint_t fm;
911 
912 	struct a {
913 		long	fnamep;		/* char	* */
914 		long	fmode;
915 		long	cmode;
916 	} *uap = (struct a *)clwp->lwp_ap;
917 
918 	fm = (uint_t)uap->fmode;
919 
920 	if (fm & O_WRONLY)
921 		e = AUE_OPEN_W;
922 	else if (fm & O_RDWR)
923 		e = AUE_OPEN_RW;
924 	else
925 		e = AUE_OPEN_R;
926 
927 	if (fm & O_CREAT)
928 		e += 1;
929 	if (fm & O_TRUNC)
930 		e += 2;
931 
932 	return (e);
933 }
934 
935 /*ARGSUSED*/
936 static void
937 aus_open(struct t_audit_data *tad)
938 {
939 	klwp_t *clwp = ttolwp(curthread);
940 	uint_t fm;
941 
942 	struct a {
943 		long	fnamep;		/* char	* */
944 		long	fmode;
945 		long	cmode;
946 	} *uap = (struct a *)clwp->lwp_ap;
947 
948 	fm = (uint_t)uap->fmode;
949 
950 	/* If no write, create, or trunc modes, mark as a public op */
951 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
952 		tad->tad_ctrl |= PAD_PUBLIC_EV;
953 }
954 
955 /* convert openat(2) to appropriate event */
956 static au_event_t
957 aui_fsat(au_event_t e)
958 {
959 	t_audit_data_t	*tad = U2A(u);
960 	klwp_t *clwp = ttolwp(curthread);
961 	uint_t fmcode, fm;
962 	struct a {
963 		long id;
964 		long arg1;
965 		long arg2;
966 		long arg3;
967 		long arg4;
968 		long arg5;
969 	} *uap = (struct a *)clwp->lwp_ap;
970 
971 	fmcode  = (uint_t)uap->id;
972 
973 	switch (fmcode) {
974 
975 	case 0: /* openat */
976 	case 1: /* openat64 */
977 		fm = (uint_t)uap->arg3;
978 		if (fm & O_WRONLY)
979 			e = AUE_OPENAT_W;
980 		else if (fm & O_RDWR)
981 			e = AUE_OPENAT_RW;
982 		else
983 			e = AUE_OPENAT_R;
984 
985 		/*
986 		 * openat modes are defined in the following order:
987 		 * Read only
988 		 * Read|Create
989 		 * Read|Trunc
990 		 * Read|Create|Trunc
991 		 * Write Only
992 		 * Write|Create
993 		 * Write|Trunc
994 		 * Write|Create|Trunc * RW Only
995 		 * RW|Create
996 		 * RW|Trunc
997 		 * RW|Create|Trunc
998 		 */
999 		if (fm & O_CREAT)
1000 			e += 1;		/* increment to include CREAT in mode */
1001 		if (fm & O_TRUNC)
1002 			e += 2;		/* increment to include TRUNC in mode */
1003 
1004 		/* convert to appropriate au_ctrl */
1005 		tad->tad_ctrl |= PAD_SAVPATH;
1006 		if (fm & FXATTR)
1007 			tad->tad_ctrl |= PAD_ATPATH;
1008 
1009 
1010 		break;
1011 	case 2: /* fstatat64 */
1012 	case 3: /* fstatat */
1013 		e = AUE_FSTATAT;
1014 		break;
1015 	case 4: /* fchownat */
1016 		e = AUE_FCHOWNAT;
1017 		break;
1018 	case 5: /* unlinkat */
1019 		e = AUE_UNLINKAT;
1020 		break;
1021 	case 6: /* futimesat */
1022 		e = AUE_FUTIMESAT;
1023 		break;
1024 	case 7: /* renameat */
1025 		e = AUE_RENAMEAT;
1026 		break;
1027 	case 9: /* __openattrdirat */
1028 		tad->tad_ctrl |= PAD_SAVPATH;
1029 		/*FALLTHROUGH*/
1030 	default:
1031 		e = AUE_NULL;
1032 		break;
1033 	}
1034 
1035 	return (e);
1036 }
1037 
1038 /*ARGSUSED*/
1039 static void
1040 aus_fsat(struct t_audit_data *tad)
1041 {
1042 	klwp_t *clwp = ttolwp(curthread);
1043 	uint_t fmcode, fm;
1044 	struct a {
1045 		long id;
1046 		long arg1;
1047 		long arg2;
1048 		long arg3;
1049 		long arg4;
1050 		long arg5;
1051 	} *uap = (struct a *)clwp->lwp_ap;
1052 
1053 	fmcode  = (uint_t)uap->id;
1054 
1055 	switch (fmcode) {
1056 
1057 	case 0: /* openat */
1058 	case 1: /* openat64 */
1059 		fm = (uint_t)uap->arg3;
1060 		/* If no write, create, or trunc modes, mark as a public op */
1061 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1062 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1063 
1064 		break;
1065 	case 2: /* fstatat64 */
1066 	case 3: /* fstatat */
1067 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1068 		break;
1069 	default:
1070 		break;
1071 	}
1072 }
1073 
1074 /* msgsys */
1075 static au_event_t
1076 aui_msgsys(au_event_t e)
1077 {
1078 	klwp_t *clwp = ttolwp(curthread);
1079 	uint_t fm;
1080 
1081 	struct a {
1082 		long	id;	/* function code id */
1083 		long	ap;	/* arg pointer for recvmsg */
1084 	} *uap = (struct a *)clwp->lwp_ap;
1085 
1086 	struct b {
1087 		long	msgid;
1088 		long	cmd;
1089 		long	buf;	/* struct msqid_ds * */
1090 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1091 
1092 	fm  = (uint_t)uap->id;
1093 
1094 	switch (fm) {
1095 	case 0:		/* msgget */
1096 		e = AUE_MSGGET;
1097 		break;
1098 	case 1:		/* msgctl */
1099 		switch ((uint_t)uap1->cmd) {
1100 		case IPC_RMID:
1101 			e = AUE_MSGCTL_RMID;
1102 			break;
1103 		case IPC_SET:
1104 			e = AUE_MSGCTL_SET;
1105 			break;
1106 		case IPC_STAT:
1107 			e = AUE_MSGCTL_STAT;
1108 			break;
1109 		default:
1110 			e = AUE_MSGCTL;
1111 			break;
1112 		}
1113 		break;
1114 	case 2:		/* msgrcv */
1115 		e = AUE_MSGRCV;
1116 		break;
1117 	case 3:		/* msgsnd */
1118 		e = AUE_MSGSND;
1119 		break;
1120 	default:	/* illegal system call */
1121 		e = AUE_NULL;
1122 		break;
1123 	}
1124 
1125 	return (e);
1126 }
1127 
1128 
1129 /* shmsys */
1130 static au_event_t
1131 aui_shmsys(au_event_t e)
1132 {
1133 	klwp_t *clwp = ttolwp(curthread);
1134 	int fm;
1135 
1136 	struct a {		/* shmsys */
1137 		long	id;	/* function code id */
1138 	} *uap = (struct a *)clwp->lwp_ap;
1139 
1140 	struct b {		/* ctrl */
1141 		long	shmid;
1142 		long	cmd;
1143 		long	arg;		/* struct shmid_ds * */
1144 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1145 	fm  = (uint_t)uap->id;
1146 
1147 	switch (fm) {
1148 	case 0:		/* shmat */
1149 		e = AUE_SHMAT;
1150 		break;
1151 	case 1:		/* shmctl */
1152 		switch ((uint_t)uap1->cmd) {
1153 		case IPC_RMID:
1154 			e = AUE_SHMCTL_RMID;
1155 			break;
1156 		case IPC_SET:
1157 			e = AUE_SHMCTL_SET;
1158 			break;
1159 		case IPC_STAT:
1160 			e = AUE_SHMCTL_STAT;
1161 			break;
1162 		default:
1163 			e = AUE_SHMCTL;
1164 			break;
1165 		}
1166 		break;
1167 	case 2:		/* shmdt */
1168 		e = AUE_SHMDT;
1169 		break;
1170 	case 3:		/* shmget */
1171 		e = AUE_SHMGET;
1172 		break;
1173 	default:	/* illegal system call */
1174 		e = AUE_NULL;
1175 		break;
1176 	}
1177 
1178 	return (e);
1179 }
1180 
1181 
1182 /* semsys */
1183 static au_event_t
1184 aui_semsys(au_event_t e)
1185 {
1186 	klwp_t *clwp = ttolwp(curthread);
1187 	uint_t fm;
1188 
1189 	struct a {		/* semsys */
1190 		long	id;
1191 	} *uap = (struct a *)clwp->lwp_ap;
1192 
1193 	struct b {		/* ctrl */
1194 		long	semid;
1195 		long	semnum;
1196 		long	cmd;
1197 		long	arg;
1198 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1199 
1200 	fm = (uint_t)uap->id;
1201 
1202 	switch (fm) {
1203 	case 0:		/* semctl */
1204 		switch ((uint_t)uap1->cmd) {
1205 		case IPC_RMID:
1206 			e = AUE_SEMCTL_RMID;
1207 			break;
1208 		case IPC_SET:
1209 			e = AUE_SEMCTL_SET;
1210 			break;
1211 		case IPC_STAT:
1212 			e = AUE_SEMCTL_STAT;
1213 			break;
1214 		case GETNCNT:
1215 			e = AUE_SEMCTL_GETNCNT;
1216 			break;
1217 		case GETPID:
1218 			e = AUE_SEMCTL_GETPID;
1219 			break;
1220 		case GETVAL:
1221 			e = AUE_SEMCTL_GETVAL;
1222 			break;
1223 		case GETALL:
1224 			e = AUE_SEMCTL_GETALL;
1225 			break;
1226 		case GETZCNT:
1227 			e = AUE_SEMCTL_GETZCNT;
1228 			break;
1229 		case SETVAL:
1230 			e = AUE_SEMCTL_SETVAL;
1231 			break;
1232 		case SETALL:
1233 			e = AUE_SEMCTL_SETALL;
1234 			break;
1235 		default:
1236 			e = AUE_SEMCTL;
1237 			break;
1238 		}
1239 		break;
1240 	case 1:		/* semget */
1241 		e = AUE_SEMGET;
1242 		break;
1243 	case 2:		/* semop */
1244 		e = AUE_SEMOP;
1245 		break;
1246 	default:	/* illegal system call */
1247 		e = AUE_NULL;
1248 		break;
1249 	}
1250 
1251 	return (e);
1252 }
1253 
1254 /* utssys - uname(2), ustat(2), fusers(2) */
1255 static au_event_t
1256 aui_utssys(au_event_t e)
1257 {
1258 	klwp_t *clwp = ttolwp(curthread);
1259 	uint_t type;
1260 
1261 	struct a {
1262 		union {
1263 			long	cbuf;		/* char * */
1264 			long	ubuf;		/* struct stat * */
1265 		} ub;
1266 		union {
1267 			long	mv;	/* for USTAT */
1268 			long	flags;	/* for FUSERS */
1269 		} un;
1270 		long	type;
1271 		long	outbp;		/* char * for FUSERS */
1272 	} *uap = (struct a *)clwp->lwp_ap;
1273 
1274 	type = (uint_t)uap->type;
1275 
1276 	if (type == UTS_FUSERS)
1277 		return (e);
1278 	else
1279 		return ((au_event_t)AUE_NULL);
1280 }
1281 
1282 static au_event_t
1283 aui_fcntl(au_event_t e)
1284 {
1285 	klwp_t *clwp = ttolwp(curthread);
1286 	uint_t cmd;
1287 
1288 	struct a {
1289 		long	fdes;
1290 		long	cmd;
1291 		long	arg;
1292 	} *uap = (struct a *)clwp->lwp_ap;
1293 
1294 	cmd = (uint_t)uap->cmd;
1295 
1296 	switch (cmd) {
1297 	case F_GETLK:
1298 	case F_SETLK:
1299 	case F_SETLKW:
1300 		break;
1301 	case F_SETFL:
1302 	case F_GETFL:
1303 	case F_GETFD:
1304 		break;
1305 	default:
1306 		e = (au_event_t)AUE_NULL;
1307 		break;
1308 	}
1309 	return ((au_event_t)e);
1310 }
1311 
1312 /* null function for now */
1313 static au_event_t
1314 aui_execv(au_event_t e)
1315 {
1316 	return (e);
1317 }
1318 
1319 /* null function for now */
1320 static au_event_t
1321 aui_execve(au_event_t e)
1322 {
1323 	return (e);
1324 }
1325 
1326 /*ARGSUSED*/
1327 static void
1328 aus_fcntl(struct t_audit_data *tad)
1329 {
1330 	klwp_t *clwp = ttolwp(curthread);
1331 	uint32_t cmd, fd;
1332 	struct file  *fp;
1333 	struct vnode *vp;
1334 	struct f_audit_data *fad;
1335 
1336 	struct a {
1337 		long	fd;
1338 		long	cmd;
1339 		long	arg;
1340 	} *uap = (struct a *)clwp->lwp_ap;
1341 
1342 	cmd = (uint32_t)uap->cmd;
1343 	fd  = (uint32_t)uap->fd;
1344 
1345 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1346 
1347 		/*
1348 		 * convert file pointer to file descriptor
1349 		 *   Note: fd ref count incremented here.
1350 		 */
1351 	if ((fp = getf(fd)) == NULL)
1352 		return;
1353 
1354 	/* get path from file struct here */
1355 	fad = F2A(fp);
1356 	if (fad->fad_aupath != NULL) {
1357 		au_uwrite(au_to_path(fad->fad_aupath));
1358 	} else {
1359 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1360 	}
1361 
1362 	vp = fp->f_vnode;
1363 	audit_attributes(vp);
1364 
1365 	/* decrement file descriptor reference count */
1366 	releasef(fd);
1367 }
1368 
1369 /*ARGSUSED*/
1370 static void
1371 aus_kill(struct t_audit_data *tad)
1372 {
1373 	klwp_t *clwp = ttolwp(curthread);
1374 	struct proc *p;
1375 	uint32_t signo;
1376 	uid_t uid, ruid;
1377 	gid_t gid, rgid;
1378 	pid_t pid;
1379 	const auditinfo_addr_t *ainfo;
1380 	cred_t *cr;
1381 
1382 	struct a {
1383 		long	pid;
1384 		long	signo;
1385 	} *uap = (struct a *)clwp->lwp_ap;
1386 
1387 	pid   = (pid_t)uap->pid;
1388 	signo = (uint32_t)uap->signo;
1389 
1390 	au_uwrite(au_to_arg32(2, "signal", signo));
1391 	if (pid > 0) {
1392 		mutex_enter(&pidlock);
1393 		if (((p = prfind(pid)) == (struct proc *)0) ||
1394 		    (p->p_stat == SIDL)) {
1395 			mutex_exit(&pidlock);
1396 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1397 			return;
1398 		}
1399 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1400 		mutex_exit(&pidlock);
1401 
1402 		mutex_enter(&p->p_crlock);
1403 		crhold(cr = p->p_cred);
1404 		mutex_exit(&p->p_crlock);
1405 		mutex_exit(&p->p_lock);
1406 
1407 		ainfo = crgetauinfo(cr);
1408 		if (ainfo == NULL) {
1409 			crfree(cr);
1410 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1411 			return;
1412 		}
1413 
1414 		uid  = crgetuid(cr);
1415 		gid  = crgetgid(cr);
1416 		ruid = crgetruid(cr);
1417 		rgid = crgetrgid(cr);
1418 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1419 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1420 
1421 		if (is_system_labeled())
1422 			au_uwrite(au_to_label(CR_SL(cr)));
1423 
1424 		crfree(cr);
1425 	}
1426 	else
1427 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1428 }
1429 
1430 /*ARGSUSED*/
1431 static void
1432 aus_mkdir(struct t_audit_data *tad)
1433 {
1434 	klwp_t *clwp = ttolwp(curthread);
1435 	uint32_t dmode;
1436 
1437 	struct a {
1438 		long	dirnamep;		/* char * */
1439 		long	dmode;
1440 	} *uap = (struct a *)clwp->lwp_ap;
1441 
1442 	dmode = (uint32_t)uap->dmode;
1443 
1444 	au_uwrite(au_to_arg32(2, "mode", dmode));
1445 }
1446 
1447 /*ARGSUSED*/
1448 static void
1449 aus_mknod(struct t_audit_data *tad)
1450 {
1451 	klwp_t *clwp = ttolwp(curthread);
1452 	uint32_t fmode;
1453 	dev_t dev;
1454 
1455 	struct a {
1456 		long	pnamep;		/* char * */
1457 		long	fmode;
1458 		long	dev;
1459 	} *uap = (struct a *)clwp->lwp_ap;
1460 
1461 	fmode = (uint32_t)uap->fmode;
1462 	dev   = (dev_t)uap->dev;
1463 
1464 	au_uwrite(au_to_arg32(2, "mode", fmode));
1465 #ifdef _LP64
1466 	au_uwrite(au_to_arg64(3, "dev", dev));
1467 #else
1468 	au_uwrite(au_to_arg32(3, "dev", dev));
1469 #endif
1470 }
1471 
1472 /*ARGSUSED*/
1473 static void
1474 aus_xmknod(struct t_audit_data *tad)
1475 {
1476 	klwp_t *clwp = ttolwp(curthread);
1477 	uint32_t fmode;
1478 	dev_t dev;
1479 
1480 	struct a {
1481 		long	version;	/* version */
1482 		long	pnamep;		/* char * */
1483 		long	fmode;
1484 		long	dev;
1485 	} *uap = (struct a *)clwp->lwp_ap;
1486 
1487 	fmode = (uint32_t)uap->fmode;
1488 	dev   = (dev_t)uap->dev;
1489 
1490 	au_uwrite(au_to_arg32(2, "mode", fmode));
1491 #ifdef _LP64
1492 	au_uwrite(au_to_arg64(3, "dev", dev));
1493 #else
1494 	au_uwrite(au_to_arg32(3, "dev", dev));
1495 #endif
1496 }
1497 
1498 /*ARGSUSED*/
1499 static void
1500 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1501 {
1502 	klwp_t *clwp = ttolwp(curthread);
1503 	vnode_t	*dvp;
1504 	caddr_t pnamep;
1505 
1506 	struct a {
1507 		long	pnamep;		/* char * */
1508 		long	fmode;
1509 		long	dev;
1510 	} *uap = (struct a *)clwp->lwp_ap;
1511 
1512 	/* no error, then already path token in audit record */
1513 	if (error != EPERM)
1514 		return;
1515 
1516 	/* not auditing this event, nothing then to do */
1517 	if (tad->tad_flag == 0)
1518 		return;
1519 
1520 	/* do the lookup to force generation of path token */
1521 	pnamep = (caddr_t)uap->pnamep;
1522 	tad->tad_ctrl |= PAD_NOATTRB;
1523 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1524 	if (error == 0)
1525 		VN_RELE(dvp);
1526 }
1527 
1528 /*ARGSUSED*/
1529 static void
1530 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1531 {
1532 	klwp_t *clwp = ttolwp(curthread);
1533 	vnode_t	*dvp;
1534 	caddr_t pnamep;
1535 
1536 	struct a {
1537 		long	version;	/* version */
1538 		long	pnamep;		/* char * */
1539 		long	fmode;
1540 		long	dev;
1541 	} *uap = (struct a *)clwp->lwp_arg;
1542 
1543 
1544 	/* no error, then already path token in audit record */
1545 	if (error != EPERM)
1546 		return;
1547 
1548 	/* not auditing this event, nothing then to do */
1549 	if (tad->tad_flag == 0)
1550 		return;
1551 
1552 	/* do the lookup to force generation of path token */
1553 	pnamep = (caddr_t)uap->pnamep;
1554 	tad->tad_ctrl |= PAD_NOATTRB;
1555 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1556 	if (error == 0)
1557 		VN_RELE(dvp);
1558 }
1559 
1560 /*ARGSUSED*/
1561 static void
1562 aus_mount(struct t_audit_data *tad)
1563 {	/* AUS_START */
1564 	klwp_t *clwp = ttolwp(curthread);
1565 	uint32_t flags;
1566 	uintptr_t u_fstype, dataptr;
1567 	STRUCT_DECL(nfs_args, nfsargs);
1568 	size_t len;
1569 	char *fstype, *hostname;
1570 
1571 	struct a {
1572 		long	spec;		/* char    * */
1573 		long	dir;		/* char    * */
1574 		long	flags;
1575 		long	fstype;		/* char    * */
1576 		long	dataptr;	/* char    * */
1577 		long	datalen;
1578 	} *uap = (struct a *)clwp->lwp_ap;
1579 
1580 	u_fstype = (uintptr_t)uap->fstype;
1581 	flags    = (uint32_t)uap->flags;
1582 	dataptr  = (uintptr_t)uap->dataptr;
1583 
1584 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1585 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1586 		goto mount_free_fstype;
1587 
1588 	au_uwrite(au_to_arg32(3, "flags", flags));
1589 	au_uwrite(au_to_text(fstype));
1590 
1591 	if (strncmp(fstype, "nfs", 3) == 0) {
1592 
1593 		STRUCT_INIT(nfsargs, get_udatamodel());
1594 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1595 
1596 		if (copyin((caddr_t)dataptr,
1597 				STRUCT_BUF(nfsargs),
1598 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1599 			/* DEBUG debug_enter((char *)NULL); */
1600 			goto mount_free_fstype;
1601 		}
1602 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1603 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1604 				(caddr_t)hostname,
1605 				MAXNAMELEN, &len)) {
1606 			goto mount_free_hostname;
1607 		}
1608 		au_uwrite(au_to_text(hostname));
1609 		au_uwrite(au_to_arg32(3, "internal flags",
1610 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1611 
1612 mount_free_hostname:
1613 		kmem_free(hostname, MAXNAMELEN);
1614 	}
1615 
1616 mount_free_fstype:
1617 	kmem_free(fstype, MAXNAMELEN);
1618 }	/* AUS_MOUNT */
1619 
1620 static void
1621 aus_umount_path(caddr_t umount_dir)
1622 {
1623 	char			*dir_path;
1624 	struct audit_path	*path;
1625 	size_t			path_len, dir_len;
1626 
1627 	/* length alloc'd for two string pointers */
1628 	path_len = sizeof (struct audit_path) + sizeof (char *);
1629 	path = kmem_alloc(path_len, KM_SLEEP);
1630 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1631 
1632 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1633 	    MAXPATHLEN, &dir_len))
1634 		goto umount2_free_dir;
1635 
1636 	/*
1637 	 * the audit_path struct assumes that the buffer pointed to
1638 	 * by audp_sect[n] contains string 0 immediatedly followed
1639 	 * by string 1.
1640 	 */
1641 	path->audp_sect[0] = dir_path;
1642 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1643 	path->audp_size = path_len;
1644 	path->audp_ref = 1;		/* not used */
1645 	path->audp_cnt = 1;		/* one path string */
1646 
1647 	au_uwrite(au_to_path(path));
1648 
1649 umount2_free_dir:
1650 	kmem_free(dir_path, MAXPATHLEN);
1651 	kmem_free(path, path_len);
1652 }
1653 
1654 /*
1655  * the umount syscall is implemented as a call to umount2, but the args
1656  * are different...
1657  */
1658 
1659 /*ARGSUSED*/
1660 static void
1661 aus_umount(struct t_audit_data *tad)
1662 {
1663 	klwp_t			*clwp = ttolwp(curthread);
1664 	struct a {
1665 		long	dir;		/* char    * */
1666 	} *uap = (struct a *)clwp->lwp_ap;
1667 
1668 	aus_umount_path((caddr_t)uap->dir);
1669 }
1670 
1671 /*ARGSUSED*/
1672 static void
1673 aus_umount2(struct t_audit_data *tad)
1674 {
1675 	klwp_t			*clwp = ttolwp(curthread);
1676 	struct a {
1677 		long	dir;		/* char    * */
1678 		long	flags;
1679 	} *uap = (struct a *)clwp->lwp_ap;
1680 
1681 	aus_umount_path((caddr_t)uap->dir);
1682 
1683 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1684 }
1685 
1686 static void
1687 aus_msgsys(struct t_audit_data *tad)
1688 {
1689 	klwp_t *clwp = ttolwp(curthread);
1690 	uint32_t msgid;
1691 
1692 	struct b {
1693 		long	msgid;
1694 		long	cmd;
1695 		long	buf;		/* struct msqid_ds * */
1696 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1697 
1698 	msgid = (uint32_t)uap1->msgid;
1699 
1700 
1701 	switch (tad->tad_event) {
1702 	case AUE_MSGGET:		/* msgget */
1703 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1704 		break;
1705 	case AUE_MSGCTL:		/* msgctl */
1706 	case AUE_MSGCTL_RMID:		/* msgctl */
1707 	case AUE_MSGCTL_SET:		/* msgctl */
1708 	case AUE_MSGCTL_STAT:		/* msgctl */
1709 	case AUE_MSGRCV:		/* msgrcv */
1710 	case AUE_MSGSND:		/* msgsnd */
1711 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1712 		break;
1713 	}
1714 }
1715 
1716 /*ARGSUSED*/
1717 static void
1718 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1719 {
1720 	int id;
1721 
1722 	if (error != 0)
1723 		return;
1724 	if (tad->tad_event == AUE_MSGGET) {
1725 		uint32_t scid;
1726 		uint32_t sy_flags;
1727 
1728 		/* need to determine type of executing binary */
1729 		scid = tad->tad_scid;
1730 #ifdef _SYSCALL32_IMPL
1731 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1732 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1733 		else
1734 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1735 #else
1736 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1737 #endif
1738 		if (sy_flags == SE_32RVAL1)
1739 			id = rval->r_val1;
1740 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1741 			id = rval->r_val1;
1742 		if (sy_flags == SE_64RVAL)
1743 			id = (int)rval->r_vals;
1744 
1745 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1746 	}
1747 }
1748 
1749 static void
1750 aus_semsys(struct t_audit_data *tad)
1751 {
1752 	klwp_t *clwp = ttolwp(curthread);
1753 	uint32_t semid;
1754 
1755 	struct b {		/* ctrl */
1756 		long	semid;
1757 		long	semnum;
1758 		long	cmd;
1759 		long	arg;
1760 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1761 
1762 	semid = (uint32_t)uap1->semid;
1763 
1764 	switch (tad->tad_event) {
1765 	case AUE_SEMCTL_RMID:
1766 	case AUE_SEMCTL_STAT:
1767 	case AUE_SEMCTL_GETNCNT:
1768 	case AUE_SEMCTL_GETPID:
1769 	case AUE_SEMCTL_GETVAL:
1770 	case AUE_SEMCTL_GETALL:
1771 	case AUE_SEMCTL_GETZCNT:
1772 	case AUE_SEMCTL_SET:
1773 	case AUE_SEMCTL_SETVAL:
1774 	case AUE_SEMCTL_SETALL:
1775 	case AUE_SEMCTL:
1776 	case AUE_SEMOP:
1777 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1778 		break;
1779 	case AUE_SEMGET:
1780 		au_uwrite(au_to_arg32(1, "sem key", semid));
1781 		break;
1782 	}
1783 }
1784 
1785 /*ARGSUSED*/
1786 static void
1787 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1788 {
1789 	int id;
1790 
1791 	if (error != 0)
1792 		return;
1793 	if (tad->tad_event == AUE_SEMGET) {
1794 		uint32_t scid;
1795 		uint32_t sy_flags;
1796 
1797 		/* need to determine type of executing binary */
1798 		scid = tad->tad_scid;
1799 #ifdef _SYSCALL32_IMPL
1800 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1801 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1802 		else
1803 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1804 #else
1805 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1806 #endif
1807 		if (sy_flags == SE_32RVAL1)
1808 			id = rval->r_val1;
1809 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1810 			id = rval->r_val1;
1811 		if (sy_flags == SE_64RVAL)
1812 			id = (int)rval->r_vals;
1813 
1814 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1815 	}
1816 }
1817 
1818 /*ARGSUSED*/
1819 static void
1820 aus_close(struct t_audit_data *tad)
1821 {
1822 	klwp_t *clwp = ttolwp(curthread);
1823 	uint32_t fd;
1824 	struct file *fp;
1825 	struct f_audit_data *fad;
1826 	struct vnode *vp;
1827 	struct vattr attr;
1828 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1829 
1830 	struct a {
1831 		long	i;
1832 	} *uap = (struct a *)clwp->lwp_ap;
1833 
1834 	fd = (uint32_t)uap->i;
1835 
1836 	attr.va_mask = 0;
1837 	au_uwrite(au_to_arg32(1, "fd", fd));
1838 
1839 		/*
1840 		 * convert file pointer to file descriptor
1841 		 *   Note: fd ref count incremented here.
1842 		 */
1843 	if ((fp = getf(fd)) == NULL)
1844 		return;
1845 
1846 	fad = F2A(fp);
1847 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1848 	if (fad->fad_aupath != NULL) {
1849 		au_uwrite(au_to_path(fad->fad_aupath));
1850 		if ((vp = fp->f_vnode) != NULL) {
1851 			attr.va_mask = AT_ALL;
1852 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1853 				/*
1854 				 * When write was not used and the file can be
1855 				 * considered public, skip the audit.
1856 				 */
1857 				if (((fp->f_flag & FWRITE) == 0) &&
1858 				    file_is_public(&attr)) {
1859 					tad->tad_flag = 0;
1860 					tad->tad_evmod = 0;
1861 					/* free any residual audit data */
1862 					au_close(kctx, &(u_ad), 0, 0, 0);
1863 					releasef(fd);
1864 					return;
1865 				}
1866 				au_uwrite(au_to_attr(&attr));
1867 				audit_sec_attributes(&(u_ad), vp);
1868 			}
1869 		}
1870 	}
1871 
1872 	/* decrement file descriptor reference count */
1873 	releasef(fd);
1874 }
1875 
1876 /*ARGSUSED*/
1877 static void
1878 aus_fstatfs(struct t_audit_data *tad)
1879 {
1880 	klwp_t *clwp = ttolwp(curthread);
1881 	uint32_t fd;
1882 	struct file  *fp;
1883 	struct vnode *vp;
1884 	struct f_audit_data *fad;
1885 
1886 	struct a {
1887 		long	fd;
1888 		long	buf;		/* struct statfs * */
1889 	} *uap = (struct a *)clwp->lwp_ap;
1890 
1891 	fd = (uint_t)uap->fd;
1892 
1893 		/*
1894 		 * convert file pointer to file descriptor
1895 		 *   Note: fd ref count incremented here.
1896 		 */
1897 	if ((fp = getf(fd)) == NULL)
1898 		return;
1899 
1900 		/* get path from file struct here */
1901 	fad = F2A(fp);
1902 	if (fad->fad_aupath != NULL) {
1903 		au_uwrite(au_to_path(fad->fad_aupath));
1904 	} else {
1905 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1906 	}
1907 
1908 	vp = fp->f_vnode;
1909 	audit_attributes(vp);
1910 
1911 	/* decrement file descriptor reference count */
1912 	releasef(fd);
1913 }
1914 
1915 static au_event_t
1916 aui_setpgrp(au_event_t e)
1917 {
1918 	klwp_t *clwp = ttolwp(curthread);
1919 	int flag;
1920 
1921 	struct a {
1922 		long	flag;
1923 		long	pid;
1924 		long	pgid;
1925 	} *uap = (struct a *)clwp->lwp_ap;
1926 
1927 	flag = (int)uap->flag;
1928 
1929 
1930 	switch (flag) {
1931 
1932 	case 1:	/* setpgrp() */
1933 		e = AUE_SETPGRP;
1934 		break;
1935 
1936 	case 3: /* setsid() */
1937 		e = AUE_SETSID;
1938 		break;
1939 
1940 	case 5: /* setpgid() */
1941 		e = AUE_SETPGID;
1942 		break;
1943 
1944 	case 0: /* getpgrp()	- not security relevant */
1945 	case 2: /* getsid()	- not security relevant */
1946 	case 4: /* getpgid() 	- not security relevant */
1947 		e = AUE_NULL;
1948 		break;
1949 
1950 	default:
1951 		e = AUE_NULL;
1952 		break;
1953 	}
1954 
1955 	return (e);
1956 }
1957 
1958 /*ARGSUSED*/
1959 static void
1960 aus_setpgrp(struct t_audit_data *tad)
1961 {
1962 	klwp_t		*clwp = ttolwp(curthread);
1963 	pid_t		pgid;
1964 	struct proc	*p;
1965 	uid_t		uid, ruid;
1966 	gid_t		gid, rgid;
1967 	pid_t		pid;
1968 	cred_t		*cr;
1969 	int		flag;
1970 	const auditinfo_addr_t	*ainfo;
1971 
1972 	struct a {
1973 		long	flag;
1974 		long	pid;
1975 		long	pgid;
1976 	} *uap = (struct a *)clwp->lwp_ap;
1977 
1978 	flag = (int)uap->flag;
1979 	pid  = (pid_t)uap->pid;
1980 	pgid = (pid_t)uap->pgid;
1981 
1982 
1983 	switch (flag) {
1984 
1985 	case 0: /* getpgrp() */
1986 	case 1: /* setpgrp() */
1987 	case 2: /* getsid() */
1988 	case 3: /* setsid() */
1989 	case 4: /* getpgid() */
1990 		break;
1991 
1992 	case 5: /* setpgid() */
1993 
1994 		/* current process? */
1995 		if (pid == 0) {
1996 			return;
1997 		}
1998 
1999 		mutex_enter(&pidlock);
2000 		p = prfind(pid);
2001 		if (p == NULL || p->p_as == &kas ||
2002 		    p->p_stat == SIDL || p->p_stat == SZOMB) {
2003 			mutex_exit(&pidlock);
2004 			return;
2005 		}
2006 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
2007 		mutex_exit(&pidlock);
2008 
2009 		mutex_enter(&p->p_crlock);
2010 		crhold(cr = p->p_cred);
2011 		mutex_exit(&p->p_crlock);
2012 		mutex_exit(&p->p_lock);
2013 
2014 		ainfo = crgetauinfo(cr);
2015 		if (ainfo == NULL) {
2016 			crfree(cr);
2017 			return;
2018 		}
2019 
2020 		uid  = crgetuid(cr);
2021 		gid  = crgetgid(cr);
2022 		ruid = crgetruid(cr);
2023 		rgid = crgetrgid(cr);
2024 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2025 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2026 		crfree(cr);
2027 		au_uwrite(au_to_arg32(2, "pgid", pgid));
2028 		break;
2029 
2030 	default:
2031 		break;
2032 	}
2033 }
2034 
2035 
2036 /*ARGSUSED*/
2037 static void
2038 aus_setregid(struct t_audit_data *tad)
2039 {
2040 	klwp_t *clwp = ttolwp(curthread);
2041 	uint32_t rgid, egid;
2042 
2043 	struct a {
2044 		long	 rgid;
2045 		long	 egid;
2046 	} *uap = (struct a *)clwp->lwp_ap;
2047 
2048 	rgid  = (uint32_t)uap->rgid;
2049 	egid  = (uint32_t)uap->egid;
2050 
2051 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2052 	au_uwrite(au_to_arg32(2, "egid", egid));
2053 }
2054 
2055 /*ARGSUSED*/
2056 static void
2057 aus_setgid(struct t_audit_data *tad)
2058 {
2059 	klwp_t *clwp = ttolwp(curthread);
2060 	uint32_t gid;
2061 
2062 	struct a {
2063 		long	gid;
2064 	} *uap = (struct a *)clwp->lwp_ap;
2065 
2066 	gid = (uint32_t)uap->gid;
2067 
2068 	au_uwrite(au_to_arg32(1, "gid", gid));
2069 }
2070 
2071 
2072 /*ARGSUSED*/
2073 static void
2074 aus_setreuid(struct t_audit_data *tad)
2075 {
2076 	klwp_t *clwp = ttolwp(curthread);
2077 	uint32_t ruid, euid;
2078 
2079 	struct a {
2080 		long	ruid;
2081 		long	euid;
2082 	} *uap = (struct a *)clwp->lwp_ap;
2083 
2084 	ruid = (uint32_t)uap->ruid;
2085 	euid  = (uint32_t)uap->euid;
2086 
2087 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2088 	au_uwrite(au_to_arg32(2, "euid", euid));
2089 }
2090 
2091 
2092 /*ARGSUSED*/
2093 static void
2094 aus_setuid(struct t_audit_data *tad)
2095 {
2096 	klwp_t *clwp = ttolwp(curthread);
2097 	uint32_t uid;
2098 
2099 	struct a {
2100 		long	uid;
2101 	} *uap = (struct a *)clwp->lwp_ap;
2102 
2103 	uid = (uint32_t)uap->uid;
2104 
2105 	au_uwrite(au_to_arg32(1, "uid", uid));
2106 }
2107 
2108 /*ARGSUSED*/
2109 static void
2110 aus_shmsys(struct t_audit_data *tad)
2111 {
2112 	klwp_t *clwp = ttolwp(curthread);
2113 	uint32_t id, cmd;
2114 
2115 	struct b {
2116 		long	id;
2117 		long	cmd;
2118 		long	buf;		/* struct shmid_ds * */
2119 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2120 
2121 	id  = (uint32_t)uap1->id;
2122 	cmd = (uint32_t)uap1->cmd;
2123 
2124 	switch (tad->tad_event) {
2125 	case AUE_SHMGET:			/* shmget */
2126 		au_uwrite(au_to_arg32(1, "shm key", id));
2127 		break;
2128 	case AUE_SHMCTL:			/* shmctl */
2129 	case AUE_SHMCTL_RMID:			/* shmctl */
2130 	case AUE_SHMCTL_STAT:			/* shmctl */
2131 	case AUE_SHMCTL_SET:			/* shmctl */
2132 		au_uwrite(au_to_arg32(1, "shm ID", id));
2133 		break;
2134 	case AUE_SHMDT:				/* shmdt */
2135 		au_uwrite(au_to_arg32(1, "shm adr", id));
2136 		break;
2137 	case AUE_SHMAT:				/* shmat */
2138 		au_uwrite(au_to_arg32(1, "shm ID", id));
2139 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2140 		break;
2141 	}
2142 }
2143 
2144 /*ARGSUSED*/
2145 static void
2146 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2147 {
2148 	int id;
2149 
2150 	if (error != 0)
2151 		return;
2152 	if (tad->tad_event == AUE_SHMGET) {
2153 		uint32_t scid;
2154 		uint32_t sy_flags;
2155 
2156 		/* need to determine type of executing binary */
2157 		scid = tad->tad_scid;
2158 #ifdef _SYSCALL32_IMPL
2159 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2160 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2161 		else
2162 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2163 #else
2164 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2165 #endif
2166 		if (sy_flags == SE_32RVAL1)
2167 			id = rval->r_val1;
2168 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2169 			id = rval->r_val1;
2170 		if (sy_flags == SE_64RVAL)
2171 			id = (int)rval->r_vals;
2172 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2173 	}
2174 }
2175 
2176 
2177 /*ARGSUSED*/
2178 static void
2179 aus_ioctl(struct t_audit_data *tad)
2180 {
2181 	klwp_t *clwp = ttolwp(curthread);
2182 	struct file *fp;
2183 	struct vnode *vp;
2184 	struct f_audit_data *fad;
2185 	uint32_t fd, cmd;
2186 	uintptr_t cmarg;
2187 
2188 	/* XX64 */
2189 	struct a {
2190 		long	fd;
2191 		long	cmd;
2192 		long	cmarg;		/* caddr_t */
2193 	} *uap = (struct a *)clwp->lwp_ap;
2194 
2195 	fd    = (uint32_t)uap->fd;
2196 	cmd   = (uint32_t)uap->cmd;
2197 	cmarg = (uintptr_t)uap->cmarg;
2198 
2199 		/*
2200 		 * convert file pointer to file descriptor
2201 		 *   Note: fd ref count incremented here.
2202 		 */
2203 	if ((fp = getf(fd)) == NULL) {
2204 		au_uwrite(au_to_arg32(1, "fd", fd));
2205 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2206 #ifndef _LP64
2207 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2208 #else
2209 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2210 #endif
2211 		return;
2212 	}
2213 
2214 	/* get path from file struct here */
2215 	fad = F2A(fp);
2216 	if (fad->fad_aupath != NULL) {
2217 		au_uwrite(au_to_path(fad->fad_aupath));
2218 	} else {
2219 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2220 	}
2221 
2222 	vp = fp->f_vnode;
2223 	audit_attributes(vp);
2224 
2225 	/* decrement file descriptor reference count */
2226 	releasef(fd);
2227 
2228 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2229 #ifndef _LP64
2230 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2231 #else
2232 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2233 #endif
2234 }
2235 
2236 /*
2237  * null function for memcntl for now. We might want to limit memcntl()
2238  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2239  * require privileges.
2240  */
2241 static au_event_t
2242 aui_memcntl(au_event_t e)
2243 {
2244 	return (e);
2245 }
2246 
2247 /*ARGSUSED*/
2248 static au_event_t
2249 aui_privsys(au_event_t e)
2250 {
2251 	klwp_t *clwp = ttolwp(curthread);
2252 
2253 	struct a {
2254 		long	opcode;
2255 	} *uap = (struct a *)clwp->lwp_ap;
2256 
2257 	switch (uap->opcode) {
2258 	case PRIVSYS_SETPPRIV:
2259 		return (AUE_SETPPRIV);
2260 	default:
2261 		return (AUE_NULL);
2262 	}
2263 }
2264 
2265 /*ARGSUSED*/
2266 static void
2267 aus_memcntl(struct t_audit_data *tad)
2268 {
2269 	klwp_t *clwp = ttolwp(curthread);
2270 
2271 	struct a {
2272 		long	addr;
2273 		long	len;
2274 		long	cmd;
2275 		long	arg;
2276 		long	attr;
2277 		long	mask;
2278 	} *uap = (struct a *)clwp->lwp_ap;
2279 
2280 #ifdef _LP64
2281 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2282 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2283 #else
2284 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2285 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2286 #endif
2287 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2288 #ifdef _LP64
2289 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2290 #else
2291 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2292 #endif
2293 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2294 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2295 }
2296 
2297 /*ARGSUSED*/
2298 static void
2299 aus_mmap(struct t_audit_data *tad)
2300 {
2301 	klwp_t *clwp = ttolwp(curthread);
2302 	struct file *fp;
2303 	struct f_audit_data *fad;
2304 	struct vnode *vp;
2305 	uint32_t fd;
2306 
2307 	struct a {
2308 		long	addr;
2309 		long	len;
2310 		long	prot;
2311 		long	flags;
2312 		long	fd;
2313 		long	pos;
2314 	} *uap = (struct a *)clwp->lwp_ap;
2315 
2316 	fd = (uint32_t)uap->fd;
2317 
2318 #ifdef _LP64
2319 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2320 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2321 #else
2322 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2323 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2324 #endif
2325 
2326 	if ((fp = getf(fd)) == NULL) {
2327 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2328 		return;
2329 	}
2330 
2331 	/*
2332 	 * Mark in the tad if write access is NOT requested... if
2333 	 * this is later detected (in audit_attributes) to be a
2334 	 * public object, the mmap event may be discarded.
2335 	 */
2336 	if (((uap->prot) & PROT_WRITE) == 0) {
2337 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2338 	}
2339 
2340 	fad = F2A(fp);
2341 	if (fad->fad_aupath != NULL) {
2342 		au_uwrite(au_to_path(fad->fad_aupath));
2343 	} else {
2344 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2345 	}
2346 
2347 	vp = (struct vnode *)fp->f_vnode;
2348 	audit_attributes(vp);
2349 
2350 	/* mark READ/WRITE since we can't predict access */
2351 	if (uap->prot & PROT_READ)
2352 		fad->fad_flags |= FAD_READ;
2353 	if (uap->prot & PROT_WRITE)
2354 		fad->fad_flags |= FAD_WRITE;
2355 
2356 	/* decrement file descriptor reference count */
2357 	releasef(fd);
2358 
2359 }	/* AUS_MMAP */
2360 
2361 
2362 
2363 
2364 /*ARGSUSED*/
2365 static void
2366 aus_munmap(struct t_audit_data *tad)
2367 {
2368 	klwp_t *clwp = ttolwp(curthread);
2369 
2370 	struct a {
2371 		long	addr;
2372 		long	len;
2373 	} *uap = (struct a *)clwp->lwp_ap;
2374 
2375 #ifdef _LP64
2376 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2377 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2378 #else
2379 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2380 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2381 #endif
2382 
2383 }	/* AUS_MUNMAP */
2384 
2385 
2386 
2387 
2388 
2389 
2390 
2391 /*ARGSUSED*/
2392 static void
2393 aus_priocntlsys(struct t_audit_data *tad)
2394 {
2395 	klwp_t *clwp = ttolwp(curthread);
2396 
2397 	struct a {
2398 		long	pc_version;
2399 		long	psp;		/* procset_t */
2400 		long	cmd;
2401 		long	arg;
2402 	} *uap = (struct a *)clwp->lwp_ap;
2403 
2404 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2405 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2406 
2407 }	/* AUS_PRIOCNTLSYS */
2408 
2409 
2410 /*ARGSUSED*/
2411 static void
2412 aus_setegid(struct t_audit_data *tad)
2413 {
2414 	klwp_t *clwp = ttolwp(curthread);
2415 	uint32_t gid;
2416 
2417 	struct a {
2418 		long	gid;
2419 	} *uap = (struct a *)clwp->lwp_ap;
2420 
2421 	gid = (uint32_t)uap->gid;
2422 
2423 	au_uwrite(au_to_arg32(1, "gid", gid));
2424 }	/* AUS_SETEGID */
2425 
2426 
2427 
2428 
2429 /*ARGSUSED*/
2430 static void
2431 aus_setgroups(struct t_audit_data *tad)
2432 {
2433 	klwp_t *clwp = ttolwp(curthread);
2434 	int i;
2435 	int gidsetsize;
2436 	uintptr_t gidset;
2437 	gid_t *gidlist;
2438 
2439 	struct a {
2440 		long	gidsetsize;
2441 		long	gidset;
2442 	} *uap = (struct a *)clwp->lwp_ap;
2443 
2444 	gidsetsize = (uint_t)uap->gidsetsize;
2445 	gidset = (uintptr_t)uap->gidset;
2446 
2447 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2448 		return;
2449 	if (gidsetsize != 0) {
2450 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2451 		    KM_SLEEP);
2452 		if (copyin((caddr_t)gidset, gidlist,
2453 		    gidsetsize * sizeof (gid_t)) == 0)
2454 			for (i = 0; i < gidsetsize; i++)
2455 				au_uwrite(au_to_arg32(1, "setgroups",
2456 				    (uint32_t)gidlist[i]));
2457 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2458 	} else
2459 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2460 
2461 }	/* AUS_SETGROUPS */
2462 
2463 
2464 
2465 
2466 
2467 /*ARGSUSED*/
2468 static void
2469 aus_seteuid(struct t_audit_data *tad)
2470 {
2471 	klwp_t *clwp = ttolwp(curthread);
2472 	uint32_t uid;
2473 
2474 	struct a {
2475 		long	uid;
2476 	} *uap = (struct a *)clwp->lwp_ap;
2477 
2478 	uid = (uint32_t)uap->uid;
2479 
2480 	au_uwrite(au_to_arg32(1, "euid", uid));
2481 
2482 }	/* AUS_SETEUID */
2483 
2484 /*ARGSUSED*/
2485 static void
2486 aus_putmsg(struct t_audit_data *tad)
2487 {
2488 	klwp_t *clwp = ttolwp(curthread);
2489 	uint32_t fd, pri;
2490 	struct file *fp;
2491 	struct f_audit_data *fad;
2492 
2493 	struct a {
2494 		long	fdes;
2495 		long	ctl;		/* struct strbuf * */
2496 		long	data;		/* struct strbuf * */
2497 		long	pri;
2498 	} *uap = (struct a *)clwp->lwp_ap;
2499 
2500 	fd  = (uint32_t)uap->fdes;
2501 	pri = (uint32_t)uap->pri;
2502 
2503 	au_uwrite(au_to_arg32(1, "fd", fd));
2504 
2505 	if ((fp = getf(fd)) != NULL) {
2506 		fad = F2A(fp);
2507 
2508 		fad->fad_flags |= FAD_WRITE;
2509 
2510 		/* add path name to audit record */
2511 		if (fad->fad_aupath != NULL) {
2512 			au_uwrite(au_to_path(fad->fad_aupath));
2513 		}
2514 		audit_attributes(fp->f_vnode);
2515 
2516 		releasef(fd);
2517 	}
2518 
2519 	au_uwrite(au_to_arg32(4, "pri", pri));
2520 }
2521 
2522 /*ARGSUSED*/
2523 static void
2524 aus_putpmsg(struct t_audit_data *tad)
2525 {
2526 	klwp_t *clwp = ttolwp(curthread);
2527 	uint32_t fd, pri, flags;
2528 	struct file *fp;
2529 	struct f_audit_data *fad;
2530 
2531 	struct a {
2532 		long	fdes;
2533 		long	ctl;		/* struct strbuf * */
2534 		long	data;		/* struct strbuf * */
2535 		long	pri;
2536 		long	flags;
2537 	} *uap = (struct a *)clwp->lwp_ap;
2538 
2539 	fd = (uint32_t)uap->fdes;
2540 	pri  = (uint32_t)uap->pri;
2541 	flags  = (uint32_t)uap->flags;
2542 
2543 	au_uwrite(au_to_arg32(1, "fd", fd));
2544 
2545 	if ((fp = getf(fd)) != NULL) {
2546 		fad = F2A(fp);
2547 
2548 		fad->fad_flags |= FAD_WRITE;
2549 
2550 		/* add path name to audit record */
2551 		if (fad->fad_aupath != NULL) {
2552 			au_uwrite(au_to_path(fad->fad_aupath));
2553 		}
2554 		audit_attributes(fp->f_vnode);
2555 
2556 		releasef(fd);
2557 	}
2558 
2559 
2560 	au_uwrite(au_to_arg32(4, "pri", pri));
2561 	au_uwrite(au_to_arg32(5, "flags", flags));
2562 }
2563 
2564 /*ARGSUSED*/
2565 static void
2566 aus_getmsg(struct t_audit_data *tad)
2567 {
2568 	klwp_t *clwp = ttolwp(curthread);
2569 	uint32_t fd, pri;
2570 	struct file *fp;
2571 	struct f_audit_data *fad;
2572 
2573 	struct a {
2574 		long	fdes;
2575 		long	ctl;		/* struct strbuf * */
2576 		long	data;		/* struct strbuf * */
2577 		long	pri;
2578 	} *uap = (struct a *)clwp->lwp_ap;
2579 
2580 	fd  = (uint32_t)uap->fdes;
2581 	pri = (uint32_t)uap->pri;
2582 
2583 	au_uwrite(au_to_arg32(1, "fd", fd));
2584 
2585 	if ((fp = getf(fd)) != NULL) {
2586 		fad = F2A(fp);
2587 
2588 		/*
2589 		 * read operation on this object
2590 		 */
2591 		fad->fad_flags |= FAD_READ;
2592 
2593 		/* add path name to audit record */
2594 		if (fad->fad_aupath != NULL) {
2595 			au_uwrite(au_to_path(fad->fad_aupath));
2596 		}
2597 		audit_attributes(fp->f_vnode);
2598 
2599 		releasef(fd);
2600 	}
2601 
2602 	au_uwrite(au_to_arg32(4, "pri", pri));
2603 }
2604 
2605 /*ARGSUSED*/
2606 static void
2607 aus_getpmsg(struct t_audit_data *tad)
2608 {
2609 	klwp_t *clwp = ttolwp(curthread);
2610 	uint32_t fd;
2611 	struct file *fp;
2612 	struct f_audit_data *fad;
2613 
2614 	struct a {
2615 		long	fdes;
2616 		long	ctl;		/* struct strbuf * */
2617 		long	data;		/* struct strbuf * */
2618 		long	pri;
2619 		long	flags;
2620 	} *uap = (struct a *)clwp->lwp_ap;
2621 
2622 	fd = (uint32_t)uap->fdes;
2623 
2624 	au_uwrite(au_to_arg32(1, "fd", fd));
2625 
2626 	if ((fp = getf(fd)) != NULL) {
2627 		fad = F2A(fp);
2628 
2629 		/*
2630 		 * read operation on this object
2631 		 */
2632 		fad->fad_flags |= FAD_READ;
2633 
2634 		/* add path name to audit record */
2635 		if (fad->fad_aupath != NULL) {
2636 			au_uwrite(au_to_path(fad->fad_aupath));
2637 		}
2638 		audit_attributes(fp->f_vnode);
2639 
2640 		releasef(fd);
2641 	}
2642 }
2643 
2644 static au_event_t
2645 aui_labelsys(au_event_t e)
2646 {
2647 	klwp_t *clwp = ttolwp(curthread);
2648 	uint32_t code;
2649 	uint32_t cmd;
2650 
2651 	struct a {
2652 		long	code;
2653 		long	cmd;
2654 	} *uap = (struct a *)clwp->lwp_ap;
2655 
2656 	code = (uint32_t)uap->code;
2657 	cmd = (uint32_t)uap->cmd;
2658 
2659 	/* not security relevant if not changing kernel cache */
2660 	if (cmd == TNDB_GET)
2661 		return (AUE_NULL);
2662 
2663 	switch (code) {
2664 	case TSOL_TNRH:
2665 		e = AUE_LABELSYS_TNRH;
2666 		break;
2667 	case TSOL_TNRHTP:
2668 		e = AUE_LABELSYS_TNRHTP;
2669 		break;
2670 	case TSOL_TNMLP:
2671 		e = AUE_LABELSYS_TNMLP;
2672 		break;
2673 	default:
2674 		e = AUE_NULL;
2675 		break;
2676 	}
2677 
2678 	return (e);
2679 
2680 }
2681 
2682 static void
2683 aus_labelsys(struct t_audit_data *tad)
2684 {
2685 	klwp_t *clwp = ttolwp(curthread);
2686 	uint32_t cmd;
2687 	uintptr_t a2;
2688 
2689 	struct a {
2690 		long	code;
2691 		long	cmd;
2692 		long	a2;
2693 	} *uap = (struct a *)clwp->lwp_ap;
2694 
2695 	cmd = (uint32_t)uap->cmd;
2696 	a2 = (uintptr_t)uap->a2;
2697 
2698 	switch (tad->tad_event) {
2699 	case AUE_LABELSYS_TNRH:
2700 	{
2701 		tsol_rhent_t	*rhent;
2702 		tnaddr_t	*rh_addr;
2703 
2704 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2705 
2706 		/* Remaining args don't apply for FLUSH, so skip */
2707 		if (cmd == TNDB_FLUSH)
2708 			break;
2709 
2710 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2711 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2712 			kmem_free(rhent, sizeof (tsol_rhent_t));
2713 			return;
2714 		}
2715 
2716 		rh_addr = &rhent->rh_address;
2717 		if (rh_addr->ta_family == AF_INET) {
2718 			struct in_addr	*ipaddr;
2719 
2720 			ipaddr = &(rh_addr->ta_addr_v4);
2721 			au_uwrite(au_to_in_addr(ipaddr));
2722 		} else if (rh_addr->ta_family == AF_INET6) {
2723 			int32_t		*ipaddr;
2724 
2725 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2726 			au_uwrite(au_to_in_addr_ex(ipaddr));
2727 		}
2728 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2729 
2730 		kmem_free(rhent, sizeof (tsol_rhent_t));
2731 
2732 		break;
2733 	}
2734 	case AUE_LABELSYS_TNRHTP:
2735 	{
2736 		tsol_tpent_t	*tpent;
2737 
2738 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2739 
2740 		/* Remaining args don't apply for FLUSH, so skip */
2741 		if (cmd == TNDB_FLUSH)
2742 			break;
2743 
2744 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2745 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2746 			kmem_free(tpent, sizeof (tsol_tpent_t));
2747 			return;
2748 		}
2749 
2750 		/* Make sure that the template name is null-terminated. */
2751 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2752 
2753 		au_uwrite(au_to_text(tpent->name));
2754 		kmem_free(tpent, sizeof (tsol_tpent_t));
2755 
2756 		break;
2757 	}
2758 	case AUE_LABELSYS_TNMLP:
2759 	{
2760 		tsol_mlpent_t	*mlpent;
2761 
2762 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2763 
2764 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2765 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2766 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2767 			return;
2768 		}
2769 
2770 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2771 			au_uwrite(au_to_text("shared"));
2772 		} else {
2773 			zone_t	*zone;
2774 
2775 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2776 			if (zone != NULL) {
2777 				au_uwrite(au_to_text(zone->zone_name));
2778 				zone_rele(zone);
2779 			}
2780 		}
2781 
2782 		/* Remaining args don't apply for FLUSH, so skip */
2783 		if (cmd == TNDB_FLUSH) {
2784 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2785 			break;
2786 		}
2787 
2788 		au_uwrite(au_to_arg32(2, "proto num",
2789 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2790 		au_uwrite(au_to_arg32(2, "mlp_port",
2791 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2792 
2793 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2794 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2795 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2796 
2797 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2798 
2799 		break;
2800 	}
2801 	default:
2802 		break;
2803 	}
2804 }
2805 
2806 
2807 static au_event_t
2808 aui_auditsys(au_event_t e)
2809 {
2810 	klwp_t *clwp = ttolwp(curthread);
2811 	uint32_t code;
2812 
2813 	struct a {
2814 		long	code;
2815 		long	a1;
2816 		long	a2;
2817 		long	a3;
2818 		long	a4;
2819 		long	a5;
2820 		long	a6;
2821 		long	a7;
2822 	} *uap = (struct a *)clwp->lwp_ap;
2823 
2824 	code = (uint32_t)uap->code;
2825 
2826 	switch (code) {
2827 
2828 	case BSM_GETAUID:
2829 		e = AUE_GETAUID;
2830 		break;
2831 	case BSM_SETAUID:
2832 		e = AUE_SETAUID;
2833 		break;
2834 	case BSM_GETAUDIT:
2835 		e = AUE_GETAUDIT;
2836 		break;
2837 	case BSM_GETAUDIT_ADDR:
2838 		e = AUE_GETAUDIT_ADDR;
2839 		break;
2840 	case BSM_SETAUDIT:
2841 		e = AUE_SETAUDIT;
2842 		break;
2843 	case BSM_SETAUDIT_ADDR:
2844 		e = AUE_SETAUDIT_ADDR;
2845 		break;
2846 	case BSM_AUDIT:
2847 		e = AUE_AUDIT;
2848 		break;
2849 	case BSM_AUDITON:
2850 	case BSM_AUDITCTL:
2851 
2852 		switch ((uint_t)uap->a1) {
2853 
2854 		case A_GETPOLICY:
2855 			e = AUE_AUDITON_GPOLICY;
2856 			break;
2857 		case A_SETPOLICY:
2858 			e = AUE_AUDITON_SPOLICY;
2859 			break;
2860 		case A_GETKMASK:
2861 			e = AUE_AUDITON_GETKMASK;
2862 			break;
2863 		case A_SETKMASK:
2864 			e = AUE_AUDITON_SETKMASK;
2865 			break;
2866 		case A_GETQCTRL:
2867 			e = AUE_AUDITON_GQCTRL;
2868 			break;
2869 		case A_SETQCTRL:
2870 			e = AUE_AUDITON_SQCTRL;
2871 			break;
2872 		case A_GETCWD:
2873 			e = AUE_AUDITON_GETCWD;
2874 			break;
2875 		case A_GETCAR:
2876 			e = AUE_AUDITON_GETCAR;
2877 			break;
2878 		case A_GETSTAT:
2879 			e = AUE_AUDITON_GETSTAT;
2880 			break;
2881 		case A_SETSTAT:
2882 			e = AUE_AUDITON_SETSTAT;
2883 			break;
2884 		case A_SETUMASK:
2885 			e = AUE_AUDITON_SETUMASK;
2886 			break;
2887 		case A_SETSMASK:
2888 			e = AUE_AUDITON_SETSMASK;
2889 			break;
2890 		case A_GETCOND:
2891 			e = AUE_AUDITON_GETCOND;
2892 			break;
2893 		case A_SETCOND:
2894 			e = AUE_AUDITON_SETCOND;
2895 			break;
2896 		case A_GETCLASS:
2897 			e = AUE_AUDITON_GETCLASS;
2898 			break;
2899 		case A_SETCLASS:
2900 			e = AUE_AUDITON_SETCLASS;
2901 			break;
2902 		default:
2903 			e = AUE_NULL;
2904 			break;
2905 		}
2906 		break;
2907 	default:
2908 		e = AUE_NULL;
2909 		break;
2910 	}
2911 
2912 	return (e);
2913 
2914 }	/* AUI_AUDITSYS */
2915 
2916 
2917 static void
2918 aus_auditsys(struct t_audit_data *tad)
2919 {
2920 	klwp_t *clwp = ttolwp(curthread);
2921 	uintptr_t a1, a2;
2922 	STRUCT_DECL(auditinfo, ainfo);
2923 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2924 	au_evclass_map_t event;
2925 	au_mask_t mask;
2926 	int auditstate, policy;
2927 	au_id_t auid;
2928 
2929 
2930 	struct a {
2931 		long	code;
2932 		long	a1;
2933 		long	a2;
2934 		long	a3;
2935 		long	a4;
2936 		long	a5;
2937 		long	a6;
2938 		long	a7;
2939 	} *uap = (struct a *)clwp->lwp_ap;
2940 
2941 	a1   = (uintptr_t)uap->a1;
2942 	a2   = (uintptr_t)uap->a2;
2943 
2944 	switch (tad->tad_event) {
2945 	case AUE_SETAUID:
2946 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2947 				return;
2948 		au_uwrite(au_to_arg32(2, "setauid", auid));
2949 		break;
2950 	case AUE_SETAUDIT:
2951 		STRUCT_INIT(ainfo, get_udatamodel());
2952 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2953 		    STRUCT_SIZE(ainfo))) {
2954 				return;
2955 		}
2956 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2957 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2958 #ifdef _LP64
2959 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2960 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2961 #else
2962 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2963 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2964 #endif
2965 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2966 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2967 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2968 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2969 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2970 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2971 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2972 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2973 		break;
2974 	case AUE_SETAUDIT_ADDR:
2975 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2976 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2977 		    STRUCT_SIZE(ainfo_addr))) {
2978 				return;
2979 		}
2980 		au_uwrite(au_to_arg32((char)1, "auid",
2981 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2982 #ifdef _LP64
2983 		au_uwrite(au_to_arg64((char)1, "port",
2984 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2985 #else
2986 		au_uwrite(au_to_arg32((char)1, "port",
2987 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2988 #endif
2989 		au_uwrite(au_to_arg32((char)1, "type",
2990 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2991 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2992 		    AU_IPv4) {
2993 			au_uwrite(au_to_in_addr(
2994 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2995 			    ai_termid.at_addr)));
2996 		} else {
2997 			au_uwrite(au_to_in_addr_ex(
2998 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
2999 			    ai_termid.at_addr)));
3000 		}
3001 		au_uwrite(au_to_arg32((char)1, "as_success",
3002 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3003 		au_uwrite(au_to_arg32((char)1, "as_failure",
3004 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3005 		au_uwrite(au_to_arg32((char)1, "asid",
3006 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3007 		break;
3008 	case AUE_AUDITON_SETKMASK:
3009 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3010 				return;
3011 		au_uwrite(au_to_arg32(
3012 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
3013 		au_uwrite(au_to_arg32(
3014 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3015 		break;
3016 	case AUE_AUDITON_SPOLICY:
3017 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
3018 			return;
3019 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3020 		break;
3021 	case AUE_AUDITON_SQCTRL: {
3022 		STRUCT_DECL(au_qctrl, qctrl);
3023 		model_t model;
3024 
3025 		model = get_udatamodel();
3026 		STRUCT_INIT(qctrl, model);
3027 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3028 				return;
3029 		if (model == DATAMODEL_ILP32) {
3030 			au_uwrite(au_to_arg32(
3031 			    3, "setqctrl:aq_hiwater",
3032 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3033 			au_uwrite(au_to_arg32(
3034 			    3, "setqctrl:aq_lowater",
3035 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3036 			au_uwrite(au_to_arg32(
3037 			    3, "setqctrl:aq_bufsz",
3038 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3039 			au_uwrite(au_to_arg32(
3040 			    3, "setqctrl:aq_delay",
3041 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3042 		} else {
3043 			au_uwrite(au_to_arg64(
3044 			    3, "setqctrl:aq_hiwater",
3045 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3046 			au_uwrite(au_to_arg64(
3047 			    3, "setqctrl:aq_lowater",
3048 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3049 			au_uwrite(au_to_arg64(
3050 			    3, "setqctrl:aq_bufsz",
3051 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3052 			au_uwrite(au_to_arg64(
3053 			    3, "setqctrl:aq_delay",
3054 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3055 		}
3056 		break;
3057 	}
3058 	case AUE_AUDITON_SETUMASK:
3059 		STRUCT_INIT(ainfo, get_udatamodel());
3060 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3061 		    STRUCT_SIZE(ainfo))) {
3062 			return;
3063 		}
3064 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3065 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3066 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3067 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3068 		break;
3069 	case AUE_AUDITON_SETSMASK:
3070 		STRUCT_INIT(ainfo, get_udatamodel());
3071 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3072 		    STRUCT_SIZE(ainfo))) {
3073 			return;
3074 		}
3075 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3076 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3077 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3078 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3079 		break;
3080 	case AUE_AUDITON_SETCOND:
3081 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3082 			return;
3083 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3084 		break;
3085 	case AUE_AUDITON_SETCLASS:
3086 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3087 			return;
3088 		au_uwrite(au_to_arg32(
3089 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3090 		au_uwrite(au_to_arg32(
3091 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3092 		break;
3093 	case AUE_GETAUID:
3094 	case AUE_GETAUDIT:
3095 	case AUE_GETAUDIT_ADDR:
3096 	case AUE_AUDIT:
3097 	case AUE_AUDITON_GPOLICY:
3098 	case AUE_AUDITON_GQCTRL:
3099 	case AUE_AUDITON_GETKMASK:
3100 	case AUE_AUDITON_GETCWD:
3101 	case AUE_AUDITON_GETCAR:
3102 	case AUE_AUDITON_GETSTAT:
3103 	case AUE_AUDITON_SETSTAT:
3104 	case AUE_AUDITON_GETCOND:
3105 	case AUE_AUDITON_GETCLASS:
3106 		break;
3107 	default:
3108 		break;
3109 	}
3110 
3111 }	/* AUS_AUDITSYS */
3112 
3113 
3114 /* only audit privileged operations for systeminfo(2) system call */
3115 static au_event_t
3116 aui_sysinfo(au_event_t e)
3117 {
3118 	klwp_t *clwp = ttolwp(curthread);
3119 	uint32_t command;
3120 
3121 	struct a {
3122 		long	command;
3123 		long	buf;		/* char * */
3124 		long	count;
3125 	} *uap = (struct a *)clwp->lwp_ap;
3126 
3127 	command = (uint32_t)uap->command;
3128 
3129 	switch (command) {
3130 	case SI_SET_HOSTNAME:
3131 	case SI_SET_SRPC_DOMAIN:
3132 		e = (au_event_t)AUE_SYSINFO;
3133 		break;
3134 	default:
3135 		e = (au_event_t)AUE_NULL;
3136 		break;
3137 	}
3138 	return (e);
3139 }
3140 
3141 /*ARGSUSED*/
3142 static void
3143 aus_sysinfo(struct t_audit_data *tad)
3144 {
3145 	klwp_t *clwp = ttolwp(curthread);
3146 	uint32_t command;
3147 	size_t len, maxlen;
3148 	char *name;
3149 	uintptr_t buf;
3150 
3151 	struct a {
3152 		long	command;
3153 		long	buf;		/* char * */
3154 		long	count;
3155 	} *uap = (struct a *)clwp->lwp_ap;
3156 
3157 	command = (uint32_t)uap->command;
3158 	buf = (uintptr_t)uap->buf;
3159 
3160 	au_uwrite(au_to_arg32(1, "cmd", command));
3161 
3162 	switch (command) {
3163 	case SI_SET_HOSTNAME:
3164 	{
3165 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3166 			return;
3167 
3168 		maxlen = SYS_NMLN;
3169 		name = kmem_alloc(maxlen, KM_SLEEP);
3170 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3171 			break;
3172 
3173 		/*
3174 		 * Must be non-NULL string and string
3175 		 * must be less than SYS_NMLN chars.
3176 		 */
3177 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3178 			break;
3179 
3180 		au_uwrite(au_to_text(name));
3181 		break;
3182 	}
3183 
3184 	case SI_SET_SRPC_DOMAIN:
3185 	{
3186 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3187 			return;
3188 
3189 		maxlen = SYS_NMLN;
3190 		name = kmem_alloc(maxlen, KM_SLEEP);
3191 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3192 			break;
3193 
3194 		/*
3195 		 * If string passed in is longer than length
3196 		 * allowed for domain name, fail.
3197 		 */
3198 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3199 			break;
3200 
3201 		au_uwrite(au_to_text(name));
3202 		break;
3203 	}
3204 
3205 	default:
3206 		return;
3207 	}
3208 
3209 	kmem_free(name, maxlen);
3210 }
3211 
3212 static au_event_t
3213 aui_modctl(au_event_t e)
3214 {
3215 	klwp_t *clwp = ttolwp(curthread);
3216 	uint_t cmd;
3217 
3218 	struct a {
3219 		long	cmd;
3220 	} *uap = (struct a *)clwp->lwp_ap;
3221 
3222 	cmd = (uint_t)uap->cmd;
3223 
3224 	switch (cmd) {
3225 	case MODLOAD:
3226 		e = AUE_MODLOAD;
3227 		break;
3228 	case MODUNLOAD:
3229 		e = AUE_MODUNLOAD;
3230 		break;
3231 	case MODADDMAJBIND:
3232 		e = AUE_MODADDMAJ;
3233 		break;
3234 	case MODSETDEVPOLICY:
3235 		e = AUE_MODDEVPLCY;
3236 		break;
3237 	case MODALLOCPRIV:
3238 		e = AUE_MODADDPRIV;
3239 		break;
3240 	default:
3241 		e = AUE_NULL;
3242 		break;
3243 	}
3244 	return (e);
3245 }
3246 
3247 
3248 /*ARGSUSED*/
3249 static void
3250 aus_modctl(struct t_audit_data *tad)
3251 {
3252 	klwp_t *clwp = ttolwp(curthread);
3253 	void *a	= clwp->lwp_ap;
3254 	uint_t use_path;
3255 
3256 	switch (tad->tad_event) {
3257 	case AUE_MODLOAD: {
3258 		typedef struct {
3259 			long	cmd;
3260 			long	use_path;
3261 			long	filename;		/* char * */
3262 		} modloada_t;
3263 
3264 		char *filenamep;
3265 		uintptr_t fname;
3266 		extern char *default_path;
3267 
3268 		fname = (uintptr_t)((modloada_t *)a)->filename;
3269 		use_path = (uint_t)((modloada_t *)a)->use_path;
3270 
3271 			/* space to hold path */
3272 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3273 			/* get string */
3274 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3275 				/* free allocated path */
3276 			kmem_free(filenamep, MOD_MAXPATH);
3277 			return;
3278 		}
3279 			/* ensure it's null terminated */
3280 		filenamep[MOD_MAXPATH - 1] = 0;
3281 
3282 		if (use_path)
3283 			au_uwrite(au_to_text(default_path));
3284 		au_uwrite(au_to_text(filenamep));
3285 
3286 			/* release temporary memory */
3287 		kmem_free(filenamep, MOD_MAXPATH);
3288 		break;
3289 	}
3290 	case AUE_MODUNLOAD: {
3291 		typedef struct {
3292 			long	cmd;
3293 			long	id;
3294 		} modunloada_t;
3295 
3296 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3297 
3298 		au_uwrite(au_to_arg32(1, "id", id));
3299 		break;
3300 	}
3301 	case AUE_MODADDMAJ: {
3302 		STRUCT_DECL(modconfig, mc);
3303 		typedef struct {
3304 			long	cmd;
3305 			long	subcmd;
3306 			long	data;		/* int * */
3307 		} modconfiga_t;
3308 
3309 		STRUCT_DECL(aliases, alias);
3310 		caddr_t ap;
3311 		int i, num_aliases;
3312 		char *drvname, *mc_drvname;
3313 		char *name;
3314 		extern char *ddi_major_to_name(major_t);
3315 		model_t model;
3316 
3317 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3318 
3319 		model = get_udatamodel();
3320 		STRUCT_INIT(mc, model);
3321 			/* sanitize buffer */
3322 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3323 			/* get user arguments */
3324 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3325 		    STRUCT_SIZE(mc)) != 0)
3326 			return;
3327 
3328 		mc_drvname = STRUCT_FGET(mc, drvname);
3329 		if ((drvname = ddi_major_to_name(
3330 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3331 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3332 				/* safety */
3333 			if (mc_drvname[0] != '\0') {
3334 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3335 				au_uwrite(au_to_text(mc_drvname));
3336 			}
3337 				/* drvname != NULL from test above */
3338 			au_uwrite(au_to_text(drvname));
3339 			return;
3340 		}
3341 
3342 		if (mc_drvname[0] != '\0') {
3343 				/* safety */
3344 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3345 			au_uwrite(au_to_text(mc_drvname));
3346 		} else
3347 			au_uwrite(au_to_text("no drvname"));
3348 
3349 		num_aliases = STRUCT_FGET(mc, num_aliases);
3350 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3351 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3352 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3353 		STRUCT_INIT(alias, model);
3354 		for (i = 0; i < num_aliases; i++) {
3355 			bzero((caddr_t)STRUCT_BUF(alias),
3356 			    STRUCT_SIZE(alias));
3357 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3358 			    STRUCT_SIZE(alias)) != 0)
3359 				break;
3360 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3361 			    MAXMODCONFNAME, NULL) != 0) {
3362 				break;
3363 			}
3364 
3365 			au_uwrite(au_to_text(name));
3366 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3367 		}
3368 		kmem_free(name, MAXMODCONFNAME);
3369 		break;
3370 	}
3371 	default:
3372 		break;
3373 	}
3374 }
3375 
3376 
3377 /*ARGSUSED*/
3378 static void
3379 auf_accept(
3380 	struct t_audit_data *tad,
3381 	int	error,
3382 	rval_t	*rval)
3383 {
3384 	uint32_t scid;
3385 	uint32_t sy_flags;
3386 	int fd;
3387 	struct sonode *so;
3388 	char so_laddr[sizeof (struct sockaddr_in6)];
3389 	char so_faddr[sizeof (struct sockaddr_in6)];
3390 	int err;
3391 	short so_family, so_type;
3392 	int add_sock_token = 0;
3393 
3394 	/* need to determine type of executing binary */
3395 	scid = tad->tad_scid;
3396 #ifdef _SYSCALL32_IMPL
3397 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3398 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3399 	else
3400 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3401 #else
3402 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3403 #endif
3404 	if (sy_flags == SE_32RVAL1)
3405 		fd = rval->r_val1;
3406 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3407 		fd = rval->r_val1;
3408 	if (sy_flags == SE_64RVAL)
3409 		fd = (int)rval->r_vals;
3410 
3411 	if (error) {
3412 		/* can't trust socket contents. Just return */
3413 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3414 		return;
3415 	}
3416 
3417 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3418 		/*
3419 		 * not security relevant if doing a accept from non socket
3420 		 * so no extra tokens. Should probably turn off audit record
3421 		 * generation here.
3422 		 */
3423 		return;
3424 	}
3425 
3426 	so_family = so->so_family;
3427 	so_type   = so->so_type;
3428 
3429 	switch (so_family) {
3430 	case AF_INET:
3431 	case AF_INET6:
3432 		/*
3433 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3434 		 */
3435 		if (so->so_type == SOCK_STREAM) {
3436 			socklen_t len;
3437 
3438 			bzero((void *)so_laddr, sizeof (so_laddr));
3439 			bzero((void *)so_faddr, sizeof (so_faddr));
3440 
3441 			len = sizeof (so_laddr);
3442 			(void) socket_getsockname(so,
3443 			    (struct sockaddr *)so_laddr, &len, CRED());
3444 			len = sizeof (so_faddr);
3445 			(void) socket_getpeername(so,
3446 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3447 
3448 			add_sock_token = 1;
3449 		}
3450 		break;
3451 
3452 	default:
3453 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3454 		break;
3455 	}
3456 
3457 	releasef(fd);
3458 
3459 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3460 
3461 	if (add_sock_token == 0) {
3462 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3463 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3464 		return;
3465 	}
3466 
3467 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3468 
3469 }
3470 
3471 /*ARGSUSED*/
3472 static void
3473 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3474 {
3475 	struct a {
3476 		long	fd;
3477 		long	addr;
3478 		long	len;
3479 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3480 
3481 	struct sonode *so;
3482 	char so_laddr[sizeof (struct sockaddr_in6)];
3483 	char so_faddr[sizeof (struct sockaddr_in6)];
3484 	int err, fd;
3485 	socklen_t len;
3486 	short so_family, so_type;
3487 	int add_sock_token = 0;
3488 
3489 	fd = (int)uap->fd;
3490 
3491 	/*
3492 	 * bind failed, then nothing extra to add to audit record.
3493 	 */
3494 	if (error) {
3495 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3496 		/* XXX may want to add failed address some day */
3497 		return;
3498 	}
3499 
3500 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3501 		/*
3502 		 * not security relevant if doing a bind from non socket
3503 		 * so no extra tokens. Should probably turn off audit record
3504 		 * generation here.
3505 		 */
3506 		return;
3507 	}
3508 
3509 	so_family = so->so_family;
3510 	so_type   = so->so_type;
3511 
3512 	switch (so_family) {
3513 	case AF_INET:
3514 	case AF_INET6:
3515 
3516 		bzero(so_faddr, sizeof (so_faddr));
3517 		len = sizeof (so_faddr);
3518 
3519 		(void) socket_getpeername(so,
3520 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3521 		add_sock_token = 1;
3522 
3523 		break;
3524 
3525 	case AF_UNIX:
3526 		/* token added by lookup */
3527 		break;
3528 	default:
3529 		/* AF_ROUTE, AF_KEY do not support accept */
3530 		break;
3531 	}
3532 
3533 	releasef(fd);
3534 
3535 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3536 
3537 	if (add_sock_token == 0) {
3538 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3539 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3540 		return;
3541 	}
3542 
3543 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3544 
3545 }
3546 
3547 /*ARGSUSED*/
3548 static void
3549 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3550 {
3551 	struct a {
3552 		long	fd;
3553 		long	addr;
3554 		long	len;
3555 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3556 
3557 	struct sonode *so;
3558 	char so_laddr[sizeof (struct sockaddr_in6)];
3559 	char so_faddr[sizeof (struct sockaddr_in6)];
3560 	int err, fd;
3561 	socklen_t len;
3562 	short so_family, so_type;
3563 	int add_sock_token = 0;
3564 
3565 	fd = (int)uap->fd;
3566 
3567 
3568 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3569 		/*
3570 		 * not security relevant if doing a connect from non socket
3571 		 * so no extra tokens. Should probably turn off audit record
3572 		 * generation here.
3573 		 */
3574 		return;
3575 	}
3576 
3577 	so_family = so->so_family;
3578 	so_type   = so->so_type;
3579 
3580 	switch (so_family) {
3581 	case AF_INET:
3582 	case AF_INET6:
3583 
3584 		bzero(so_laddr, sizeof (so_laddr));
3585 		bzero(so_faddr, sizeof (so_faddr));
3586 
3587 		len = sizeof (so_laddr);
3588 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3589 		    &len, CRED());
3590 		if (error) {
3591 			if (uap->addr == NULL)
3592 				break;
3593 			if (uap->len <= 0)
3594 				break;
3595 			len = min(uap->len, sizeof (so_faddr));
3596 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3597 				break;
3598 #ifdef NOTYET
3599 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3600 #endif
3601 		} else {
3602 			/* sanity check on length */
3603 			len = sizeof (so_faddr);
3604 			(void) socket_getpeername(so,
3605 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3606 		}
3607 
3608 		add_sock_token = 1;
3609 
3610 		break;
3611 
3612 	case AF_UNIX:
3613 		/* does a lookup on name */
3614 		break;
3615 
3616 	default:
3617 		/* AF_ROUTE, AF_KEY do not support accept */
3618 		break;
3619 	}
3620 
3621 	releasef(fd);
3622 
3623 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3624 
3625 	if (add_sock_token == 0) {
3626 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3627 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3628 		return;
3629 	}
3630 
3631 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3632 
3633 }
3634 
3635 /*ARGSUSED*/
3636 static void
3637 aus_shutdown(struct t_audit_data *tad)
3638 {
3639 	struct a {
3640 		long	fd;
3641 		long	how;
3642 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3643 
3644 	struct sonode *so;
3645 	char so_laddr[sizeof (struct sockaddr_in6)];
3646 	char so_faddr[sizeof (struct sockaddr_in6)];
3647 	int err, fd;
3648 	socklen_t len;
3649 	short so_family, so_type;
3650 	int add_sock_token = 0;
3651 	file_t *fp;				/* unix domain sockets */
3652 	struct f_audit_data *fad;		/* unix domain sockets */
3653 
3654 	fd = (int)uap->fd;
3655 
3656 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3657 		/*
3658 		 * not security relevant if doing a shutdown using non socket
3659 		 * so no extra tokens. Should probably turn off audit record
3660 		 * generation here.
3661 		 */
3662 		return;
3663 	}
3664 
3665 	so_family = so->so_family;
3666 	so_type   = so->so_type;
3667 
3668 	switch (so_family) {
3669 	case AF_INET:
3670 	case AF_INET6:
3671 
3672 		bzero(so_laddr, sizeof (so_laddr));
3673 		bzero(so_faddr, sizeof (so_faddr));
3674 
3675 		len = sizeof (so_laddr);
3676 		(void) socket_getsockname(so,
3677 		    (struct sockaddr *)so_laddr, &len, CRED());
3678 		len = sizeof (so_faddr);
3679 		(void) socket_getpeername(so,
3680 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3681 
3682 		add_sock_token = 1;
3683 
3684 		break;
3685 
3686 	case AF_UNIX:
3687 
3688 		/* get path from file struct here */
3689 		fad = F2A(fp);
3690 		ASSERT(fad);
3691 
3692 		if (fad->fad_aupath != NULL) {
3693 			au_uwrite(au_to_path(fad->fad_aupath));
3694 		} else {
3695 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3696 		}
3697 
3698 		audit_attributes(fp->f_vnode);
3699 
3700 		break;
3701 
3702 	default:
3703 		/*
3704 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3705 		 * added.
3706 		 */
3707 		break;
3708 	}
3709 
3710 	releasef(fd);
3711 
3712 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3713 
3714 	if (add_sock_token == 0) {
3715 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3716 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3717 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3718 		return;
3719 	}
3720 
3721 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3722 
3723 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3724 
3725 }
3726 
3727 /*ARGSUSED*/
3728 static void
3729 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3730 {
3731 	struct a {
3732 		long	fd;
3733 		long	level;
3734 		long	optname;
3735 		long	*optval;
3736 		long	optlen;
3737 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3738 
3739 	struct sonode	*so;
3740 	char so_laddr[sizeof (struct sockaddr_in6)];
3741 	char so_faddr[sizeof (struct sockaddr_in6)];
3742 	char		val[AU_BUFSIZE];
3743 	int		err, fd;
3744 	socklen_t	len;
3745 	short so_family, so_type;
3746 	int		add_sock_token = 0;
3747 	file_t *fp;				/* unix domain sockets */
3748 	struct f_audit_data *fad;		/* unix domain sockets */
3749 
3750 	fd = (int)uap->fd;
3751 
3752 	if (error) {
3753 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3754 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3755 		/* XXX may want to include other arguments */
3756 		return;
3757 	}
3758 
3759 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3760 		/*
3761 		 * not security relevant if doing a setsockopt from non socket
3762 		 * so no extra tokens. Should probably turn off audit record
3763 		 * generation here.
3764 		 */
3765 		return;
3766 	}
3767 
3768 	so_family = so->so_family;
3769 	so_type   = so->so_type;
3770 
3771 	switch (so_family) {
3772 	case AF_INET:
3773 	case AF_INET6:
3774 		bzero((void *)so_laddr, sizeof (so_laddr));
3775 		bzero((void *)so_faddr, sizeof (so_faddr));
3776 
3777 		/* get local and foreign addresses */
3778 		len = sizeof (so_laddr);
3779 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3780 		    &len, CRED());
3781 		len = sizeof (so_faddr);
3782 		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3783 		    &len, B_FALSE, CRED());
3784 
3785 		add_sock_token = 1;
3786 
3787 		break;
3788 
3789 	case AF_UNIX:
3790 
3791 		/* get path from file struct here */
3792 		fad = F2A(fp);
3793 		ASSERT(fad);
3794 
3795 		if (fad->fad_aupath != NULL) {
3796 			au_uwrite(au_to_path(fad->fad_aupath));
3797 		} else {
3798 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3799 		}
3800 
3801 		audit_attributes(fp->f_vnode);
3802 
3803 		break;
3804 
3805 	default:
3806 		/*
3807 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3808 		 * added.
3809 		 */
3810 		break;
3811 	}
3812 
3813 	releasef(fd);
3814 
3815 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3816 
3817 	if (add_sock_token == 0) {
3818 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3819 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3820 	}
3821 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3822 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3823 
3824 	bzero(val, sizeof (val));
3825 	len = min(uap->optlen, sizeof (val));
3826 	if ((len > 0) &&
3827 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3828 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3829 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3830 	}
3831 
3832 	if (add_sock_token == 0)
3833 		return;
3834 
3835 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3836 
3837 }
3838 
3839 /*ARGSUSED*/
3840 static void
3841 aus_sockconfig(tad)
3842 	struct t_audit_data *tad;
3843 {
3844 	struct a {
3845 		long	domain;
3846 		long	type;
3847 		long	protocol;
3848 		long	devpath;
3849 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3850 
3851 	char	*kdevpath;
3852 	int	kdevpathlen = MAXPATHLEN + 1;
3853 	size_t	size;
3854 
3855 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3856 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3857 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3858 
3859 	if (uap->devpath == 0) {
3860 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3861 	} else {
3862 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3863 
3864 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3865 			&size)) {
3866 			kmem_free(kdevpath, kdevpathlen);
3867 			return;
3868 		}
3869 
3870 		if (size > MAXPATHLEN) {
3871 			kmem_free(kdevpath, kdevpathlen);
3872 			return;
3873 		}
3874 
3875 		au_uwrite(au_to_text(kdevpath));
3876 		kmem_free(kdevpath, kdevpathlen);
3877 	}
3878 }
3879 
3880 /*
3881  * only audit recvmsg when the system call represents the creation of a new
3882  * circuit. This effectively occurs for all UDP packets and may occur for
3883  * special TCP situations where the local host has not set a local address
3884  * in the socket structure.
3885  */
3886 /*ARGSUSED*/
3887 static void
3888 auf_recvmsg(
3889 	struct t_audit_data *tad,
3890 	int error,
3891 	rval_t *rvp)
3892 {
3893 	struct a {
3894 		long	fd;
3895 		long	msg;	/* struct msghdr */
3896 		long	flags;
3897 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3898 
3899 	struct sonode	*so;
3900 	STRUCT_DECL(msghdr, msg);
3901 	caddr_t msg_name;
3902 	socklen_t msg_namelen;
3903 	int fd;
3904 	int err;
3905 	char so_laddr[sizeof (struct sockaddr_in6)];
3906 	char so_faddr[sizeof (struct sockaddr_in6)];
3907 	socklen_t len;
3908 	file_t *fp;				/* unix domain sockets */
3909 	struct f_audit_data *fad;		/* unix domain sockets */
3910 	short so_family, so_type;
3911 	int add_sock_token = 0;
3912 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3913 
3914 	fd = (int)uap->fd;
3915 
3916 	/* bail if an error */
3917 	if (error) {
3918 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3919 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3920 		return;
3921 	}
3922 
3923 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3924 		/*
3925 		 * not security relevant if doing a recvmsg from non socket
3926 		 * so no extra tokens. Should probably turn off audit record
3927 		 * generation here.
3928 		 */
3929 		return;
3930 	}
3931 
3932 	so_family = so->so_family;
3933 	so_type   = so->so_type;
3934 
3935 	/*
3936 	 * only putout SOCKET_EX token if INET/INET6 family.
3937 	 * XXX - what do we do about other families?
3938 	 */
3939 
3940 	switch (so_family) {
3941 	case AF_INET:
3942 	case AF_INET6:
3943 
3944 		/*
3945 		 * if datagram type socket, then just use what is in
3946 		 * socket structure for local address.
3947 		 * XXX - what do we do for other types?
3948 		 */
3949 		if ((so->so_type == SOCK_DGRAM) ||
3950 		    (so->so_type == SOCK_RAW)) {
3951 			add_sock_token = 1;
3952 
3953 			bzero((void *)so_laddr, sizeof (so_laddr));
3954 			bzero((void *)so_faddr, sizeof (so_faddr));
3955 
3956 			/* get local address */
3957 			len = sizeof (so_laddr);
3958 			(void) socket_getsockname(so,
3959 			    (struct sockaddr *)so_laddr, &len, CRED());
3960 
3961 			/* get peer address */
3962 			STRUCT_INIT(msg, get_udatamodel());
3963 
3964 			if (copyin((caddr_t)(uap->msg),
3965 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3966 				break;
3967 			}
3968 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3969 			if (msg_name == NULL) {
3970 				break;
3971 			}
3972 
3973 			/* length is value from recvmsg - sanity check */
3974 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3975 			if (msg_namelen == 0) {
3976 				break;
3977 			}
3978 			if (copyin(msg_name, so_faddr,
3979 			    sizeof (so_faddr)) != 0) {
3980 				break;
3981 			}
3982 
3983 		} else if (so->so_type == SOCK_STREAM) {
3984 
3985 			/* get path from file struct here */
3986 			fad = F2A(fp);
3987 			ASSERT(fad);
3988 
3989 			/*
3990 			 * already processed this file for read attempt
3991 			 */
3992 			if (fad->fad_flags & FAD_READ) {
3993 				/* don't want to audit every recvmsg attempt */
3994 				tad->tad_flag = 0;
3995 				/* free any residual audit data */
3996 				au_close(kctx, &(u_ad), 0, 0, 0);
3997 				releasef(fd);
3998 				return;
3999 			}
4000 			/*
4001 			 * mark things so we know what happened and don't
4002 			 * repeat things
4003 			 */
4004 			fad->fad_flags |= FAD_READ;
4005 
4006 			bzero((void *)so_laddr, sizeof (so_laddr));
4007 			bzero((void *)so_faddr, sizeof (so_faddr));
4008 
4009 			/* get local and foreign addresses */
4010 			len = sizeof (so_laddr);
4011 			(void) socket_getsockname(so,
4012 			    (struct sockaddr *)so_laddr, &len, CRED());
4013 			len = sizeof (so_faddr);
4014 			(void) socket_getpeername(so,
4015 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4016 
4017 			add_sock_token = 1;
4018 		}
4019 
4020 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4021 
4022 		break;
4023 
4024 	case AF_UNIX:
4025 		/*
4026 		 * first check if this is first time through. Too much
4027 		 * duplicate code to put this in an aui_ routine.
4028 		 */
4029 
4030 		/* get path from file struct here */
4031 		fad = F2A(fp);
4032 		ASSERT(fad);
4033 
4034 		/*
4035 		 * already processed this file for read attempt
4036 		 */
4037 		if (fad->fad_flags & FAD_READ) {
4038 			releasef(fd);
4039 			/* don't want to audit every recvmsg attempt */
4040 			tad->tad_flag = 0;
4041 			/* free any residual audit data */
4042 			au_close(kctx, &(u_ad), 0, 0, 0);
4043 			return;
4044 		}
4045 		/*
4046 		 * mark things so we know what happened and don't
4047 		 * repeat things
4048 		 */
4049 		fad->fad_flags |= FAD_READ;
4050 
4051 		if (fad->fad_aupath != NULL) {
4052 			au_uwrite(au_to_path(fad->fad_aupath));
4053 		} else {
4054 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4055 		}
4056 
4057 		audit_attributes(fp->f_vnode);
4058 
4059 		releasef(fd);
4060 
4061 		return;
4062 
4063 	default:
4064 		break;
4065 
4066 	}
4067 
4068 	releasef(fd);
4069 
4070 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4071 
4072 	if (add_sock_token == 0) {
4073 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4074 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4075 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4076 		return;
4077 	}
4078 
4079 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4080 
4081 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4082 
4083 }
4084 
4085 /*ARGSUSED*/
4086 static void
4087 auf_recvfrom(
4088 	struct t_audit_data *tad,
4089 	int error,
4090 	rval_t *rvp)
4091 {
4092 
4093 	struct a {
4094 		long	fd;
4095 		long	msg;	/* char */
4096 		long	len;
4097 		long	flags;
4098 		long	from;	/* struct sockaddr */
4099 		long	fromlen;
4100 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4101 
4102 	socklen_t	fromlen;
4103 	struct sonode	*so;
4104 	char so_laddr[sizeof (struct sockaddr_in6)];
4105 	char so_faddr[sizeof (struct sockaddr_in6)];
4106 	int		fd;
4107 	short so_family, so_type;
4108 	int add_sock_token = 0;
4109 	socklen_t len;
4110 	int err;
4111 	struct file *fp;
4112 	struct f_audit_data *fad;		/* unix domain sockets */
4113 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4114 
4115 	fd = (int)uap->fd;
4116 
4117 	/* bail if an error */
4118 	if (error) {
4119 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4120 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4121 		return;
4122 	}
4123 
4124 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4125 		/*
4126 		 * not security relevant if doing a recvmsg from non socket
4127 		 * so no extra tokens. Should probably turn off audit record
4128 		 * generation here.
4129 		 */
4130 		return;
4131 	}
4132 
4133 	so_family = so->so_family;
4134 	so_type   = so->so_type;
4135 
4136 	/*
4137 	 * only putout SOCKET_EX token if INET/INET6 family.
4138 	 * XXX - what do we do about other families?
4139 	 */
4140 
4141 	switch (so_family) {
4142 	case AF_INET:
4143 	case AF_INET6:
4144 
4145 		/*
4146 		 * if datagram type socket, then just use what is in
4147 		 * socket structure for local address.
4148 		 * XXX - what do we do for other types?
4149 		 */
4150 		if ((so->so_type == SOCK_DGRAM) ||
4151 		    (so->so_type == SOCK_RAW)) {
4152 			add_sock_token = 1;
4153 
4154 			/* get local address */
4155 			len = sizeof (so_laddr);
4156 			(void) socket_getsockname(so,
4157 			    (struct sockaddr *)so_laddr, &len, CRED());
4158 
4159 			/* get peer address */
4160 			bzero((void *)so_faddr, sizeof (so_faddr));
4161 
4162 			/* sanity check */
4163 			if (uap->from == NULL)
4164 				break;
4165 
4166 			/* sanity checks */
4167 			if (uap->fromlen == 0)
4168 				break;
4169 
4170 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4171 			    sizeof (fromlen)) != 0)
4172 				break;
4173 
4174 			if (fromlen == 0)
4175 				break;
4176 
4177 			/* enforce maximum size */
4178 			if (fromlen > sizeof (so_faddr))
4179 				fromlen = sizeof (so_faddr);
4180 
4181 			if (copyin((caddr_t)(uap->from), so_faddr,
4182 			    fromlen) != 0)
4183 				break;
4184 
4185 		} else if (so->so_type == SOCK_STREAM) {
4186 
4187 			/* get path from file struct here */
4188 			fad = F2A(fp);
4189 			ASSERT(fad);
4190 
4191 			/*
4192 			 * already processed this file for read attempt
4193 			 */
4194 			if (fad->fad_flags & FAD_READ) {
4195 				/* don't want to audit every recvfrom attempt */
4196 				tad->tad_flag = 0;
4197 				/* free any residual audit data */
4198 				au_close(kctx, &(u_ad), 0, 0, 0);
4199 				releasef(fd);
4200 				return;
4201 			}
4202 			/*
4203 			 * mark things so we know what happened and don't
4204 			 * repeat things
4205 			 */
4206 			fad->fad_flags |= FAD_READ;
4207 
4208 			bzero((void *)so_laddr, sizeof (so_laddr));
4209 			bzero((void *)so_faddr, sizeof (so_faddr));
4210 
4211 			/* get local and foreign addresses */
4212 			len = sizeof (so_laddr);
4213 			(void) socket_getsockname(so,
4214 			    (struct sockaddr *)so_laddr, &len, CRED());
4215 			len = sizeof (so_faddr);
4216 			(void) socket_getpeername(so,
4217 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4218 
4219 			add_sock_token = 1;
4220 		}
4221 
4222 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4223 
4224 		break;
4225 
4226 	case AF_UNIX:
4227 		/*
4228 		 * first check if this is first time through. Too much
4229 		 * duplicate code to put this in an aui_ routine.
4230 		 */
4231 
4232 		/* get path from file struct here */
4233 		fad = F2A(fp);
4234 		ASSERT(fad);
4235 
4236 		/*
4237 		 * already processed this file for read attempt
4238 		 */
4239 		if (fad->fad_flags & FAD_READ) {
4240 			/* don't want to audit every recvfrom attempt */
4241 			tad->tad_flag = 0;
4242 			/* free any residual audit data */
4243 			au_close(kctx, &(u_ad), 0, 0, 0);
4244 			releasef(fd);
4245 			return;
4246 		}
4247 		/*
4248 		 * mark things so we know what happened and don't
4249 		 * repeat things
4250 		 */
4251 		fad->fad_flags |= FAD_READ;
4252 
4253 		if (fad->fad_aupath != NULL) {
4254 			au_uwrite(au_to_path(fad->fad_aupath));
4255 		} else {
4256 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4257 		}
4258 
4259 		audit_attributes(fp->f_vnode);
4260 
4261 		releasef(fd);
4262 
4263 		return;
4264 
4265 	default:
4266 		break;
4267 
4268 	}
4269 
4270 	releasef(fd);
4271 
4272 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4273 
4274 	if (add_sock_token == 0) {
4275 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4276 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4277 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4278 		return;
4279 	}
4280 
4281 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4282 
4283 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4284 }
4285 
4286 /*ARGSUSED*/
4287 static void
4288 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4289 {
4290 	struct a {
4291 		long	fd;
4292 		long	msg;	/* struct msghdr */
4293 		long	flags;
4294 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4295 
4296 	struct sonode	*so;
4297 	char so_laddr[sizeof (struct sockaddr_in6)];
4298 	char so_faddr[sizeof (struct sockaddr_in6)];
4299 	int		err;
4300 	int		fd;
4301 	short so_family, so_type;
4302 	int		add_sock_token = 0;
4303 	socklen_t	len;
4304 	struct file	*fp;
4305 	struct f_audit_data *fad;
4306 	caddr_t		msg_name;
4307 	socklen_t	msg_namelen;
4308 	STRUCT_DECL(msghdr, msg);
4309 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4310 
4311 	fd = (int)uap->fd;
4312 
4313 	/* bail if an error */
4314 	if (error) {
4315 		/* XXX include destination address from system call arguments */
4316 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4317 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4318 		return;
4319 	}
4320 
4321 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4322 		/*
4323 		 * not security relevant if doing a sendmsg from non socket
4324 		 * so no extra tokens. Should probably turn off audit record
4325 		 * generation here.
4326 		 */
4327 		return;
4328 	}
4329 
4330 	so_family = so->so_family;
4331 	so_type   = so->so_type;
4332 
4333 	switch (so_family) {
4334 	case AF_INET:
4335 	case AF_INET6:
4336 		/*
4337 		 * if datagram type socket, then just use what is in
4338 		 * socket structure for local address.
4339 		 * XXX - what do we do for other types?
4340 		 */
4341 		if ((so->so_type == SOCK_DGRAM) ||
4342 		    (so->so_type == SOCK_RAW)) {
4343 
4344 			bzero((void *)so_laddr, sizeof (so_laddr));
4345 			bzero((void *)so_faddr, sizeof (so_faddr));
4346 
4347 			/* get local address */
4348 			len = sizeof (so_laddr);
4349 			(void) socket_getsockname(so,
4350 			    (struct sockaddr *)so_laddr, &len, CRED());
4351 
4352 			/* get peer address */
4353 			STRUCT_INIT(msg, get_udatamodel());
4354 
4355 			if (copyin((caddr_t)(uap->msg),
4356 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4357 				break;
4358 			}
4359 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4360 			if (msg_name == NULL)
4361 				break;
4362 
4363 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4364 			/* length is value from recvmsg - sanity check */
4365 			if (msg_namelen == 0)
4366 				break;
4367 
4368 			if (copyin(msg_name, so_faddr,
4369 			    sizeof (so_faddr)) != 0)
4370 				break;
4371 
4372 			add_sock_token = 1;
4373 
4374 		} else if (so->so_type == SOCK_STREAM) {
4375 
4376 			/* get path from file struct here */
4377 			fad = F2A(fp);
4378 			ASSERT(fad);
4379 
4380 			/*
4381 			 * already processed this file for write attempt
4382 			 */
4383 			if (fad->fad_flags & FAD_WRITE) {
4384 				releasef(fd);
4385 				/* don't want to audit every sendmsg attempt */
4386 				tad->tad_flag = 0;
4387 				/* free any residual audit data */
4388 				au_close(kctx, &(u_ad), 0, 0, 0);
4389 				return;
4390 			}
4391 
4392 			/*
4393 			 * mark things so we know what happened and don't
4394 			 * repeat things
4395 			 */
4396 			fad->fad_flags |= FAD_WRITE;
4397 
4398 			bzero((void *)so_laddr, sizeof (so_laddr));
4399 			bzero((void *)so_faddr, sizeof (so_faddr));
4400 
4401 			/* get local and foreign addresses */
4402 			len = sizeof (so_laddr);
4403 			(void) socket_getsockname(so,
4404 			    (struct sockaddr *)so_laddr, &len, CRED());
4405 			len = sizeof (so_faddr);
4406 			(void) socket_getpeername(so,
4407 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4408 
4409 			add_sock_token = 1;
4410 		}
4411 
4412 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4413 
4414 		break;
4415 
4416 	case AF_UNIX:
4417 		/*
4418 		 * first check if this is first time through. Too much
4419 		 * duplicate code to put this in an aui_ routine.
4420 		 */
4421 
4422 		/* get path from file struct here */
4423 		fad = F2A(fp);
4424 		ASSERT(fad);
4425 
4426 		/*
4427 		 * already processed this file for write attempt
4428 		 */
4429 		if (fad->fad_flags & FAD_WRITE) {
4430 			releasef(fd);
4431 			/* don't want to audit every sendmsg attempt */
4432 			tad->tad_flag = 0;
4433 			/* free any residual audit data */
4434 			au_close(kctx, &(u_ad), 0, 0, 0);
4435 			return;
4436 		}
4437 		/*
4438 		 * mark things so we know what happened and don't
4439 		 * repeat things
4440 		 */
4441 		fad->fad_flags |= FAD_WRITE;
4442 
4443 		if (fad->fad_aupath != NULL) {
4444 			au_uwrite(au_to_path(fad->fad_aupath));
4445 		} else {
4446 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4447 		}
4448 
4449 		audit_attributes(fp->f_vnode);
4450 
4451 		releasef(fd);
4452 
4453 		return;
4454 
4455 	default:
4456 		break;
4457 	}
4458 
4459 	releasef(fd);
4460 
4461 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4462 
4463 	if (add_sock_token == 0) {
4464 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4465 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4466 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4467 		return;
4468 	}
4469 
4470 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4471 
4472 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4473 }
4474 
4475 /*ARGSUSED*/
4476 static void
4477 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4478 {
4479 	struct a {
4480 		long	fd;
4481 		long	msg;	/* char */
4482 		long	len;
4483 		long	flags;
4484 		long	to;	/* struct sockaddr */
4485 		long	tolen;
4486 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4487 
4488 	struct sonode	*so;
4489 	char so_laddr[sizeof (struct sockaddr_in6)];
4490 	char so_faddr[sizeof (struct sockaddr_in6)];
4491 	socklen_t	tolen;
4492 	int		err;
4493 	int		fd;
4494 	socklen_t	len;
4495 	short so_family, so_type;
4496 	int		add_sock_token = 0;
4497 	struct file	*fp;
4498 	struct f_audit_data *fad;
4499 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4500 
4501 	fd = (int)uap->fd;
4502 
4503 	/* bail if an error */
4504 	if (error) {
4505 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4506 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4507 		/* XXX include destination address from system call arguments */
4508 		return;
4509 	}
4510 
4511 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4512 		/*
4513 		 * not security relevant if doing a sendto using non socket
4514 		 * so no extra tokens. Should probably turn off audit record
4515 		 * generation here.
4516 		 */
4517 		return;
4518 	}
4519 
4520 	so_family = so->so_family;
4521 	so_type   = so->so_type;
4522 
4523 	/*
4524 	 * only putout SOCKET_EX token if INET/INET6 family.
4525 	 * XXX - what do we do about other families?
4526 	 */
4527 
4528 	switch (so_family) {
4529 	case AF_INET:
4530 	case AF_INET6:
4531 
4532 		/*
4533 		 * if datagram type socket, then just use what is in
4534 		 * socket structure for local address.
4535 		 * XXX - what do we do for other types?
4536 		 */
4537 		if ((so->so_type == SOCK_DGRAM) ||
4538 		    (so->so_type == SOCK_RAW)) {
4539 
4540 			bzero((void *)so_laddr, sizeof (so_laddr));
4541 			bzero((void *)so_faddr, sizeof (so_faddr));
4542 
4543 			/* get local address */
4544 			len = sizeof (so_laddr);
4545 			(void) socket_getsockname(so,
4546 			    (struct sockaddr *)so_laddr, &len, CRED());
4547 
4548 			/* get peer address */
4549 
4550 			/* sanity check */
4551 			if (uap->to == NULL)
4552 				break;
4553 
4554 			/* sanity checks */
4555 			if (uap->tolen == 0)
4556 				break;
4557 
4558 			tolen = (socklen_t)uap->tolen;
4559 
4560 			/* enforce maximum size */
4561 			if (tolen > sizeof (so_faddr))
4562 				tolen = sizeof (so_faddr);
4563 
4564 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4565 				break;
4566 
4567 			add_sock_token = 1;
4568 		} else {
4569 			/*
4570 			 * check if this is first time through.
4571 			 */
4572 
4573 			/* get path from file struct here */
4574 			fad = F2A(fp);
4575 			ASSERT(fad);
4576 
4577 			/*
4578 			 * already processed this file for write attempt
4579 			 */
4580 			if (fad->fad_flags & FAD_WRITE) {
4581 				/* don't want to audit every sendto attempt */
4582 				tad->tad_flag = 0;
4583 				/* free any residual audit data */
4584 				au_close(kctx, &(u_ad), 0, 0, 0);
4585 				releasef(fd);
4586 				return;
4587 			}
4588 			/*
4589 			 * mark things so we know what happened and don't
4590 			 * repeat things
4591 			 */
4592 			fad->fad_flags |= FAD_WRITE;
4593 
4594 			bzero((void *)so_laddr, sizeof (so_laddr));
4595 			bzero((void *)so_faddr, sizeof (so_faddr));
4596 
4597 			/* get local and foreign addresses */
4598 			len = sizeof (so_laddr);
4599 			(void) socket_getsockname(so,
4600 			    (struct sockaddr *)so_laddr, &len, CRED());
4601 			len = sizeof (so_faddr);
4602 			(void) socket_getpeername(so,
4603 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4604 
4605 			add_sock_token = 1;
4606 		}
4607 
4608 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4609 
4610 		break;
4611 
4612 	case AF_UNIX:
4613 		/*
4614 		 * first check if this is first time through. Too much
4615 		 * duplicate code to put this in an aui_ routine.
4616 		 */
4617 
4618 		/* get path from file struct here */
4619 		fad = F2A(fp);
4620 		ASSERT(fad);
4621 
4622 		/*
4623 		 * already processed this file for write attempt
4624 		 */
4625 		if (fad->fad_flags & FAD_WRITE) {
4626 			/* don't want to audit every sendto attempt */
4627 			tad->tad_flag = 0;
4628 			/* free any residual audit data */
4629 			au_close(kctx, &(u_ad), 0, 0, 0);
4630 			releasef(fd);
4631 			return;
4632 		}
4633 		/*
4634 		 * mark things so we know what happened and don't
4635 		 * repeat things
4636 		 */
4637 		fad->fad_flags |= FAD_WRITE;
4638 
4639 		if (fad->fad_aupath != NULL) {
4640 			au_uwrite(au_to_path(fad->fad_aupath));
4641 		} else {
4642 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4643 		}
4644 
4645 		audit_attributes(fp->f_vnode);
4646 
4647 		releasef(fd);
4648 
4649 		return;
4650 
4651 	default:
4652 		break;
4653 
4654 	}
4655 
4656 	releasef(fd);
4657 
4658 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4659 
4660 	if (add_sock_token == 0) {
4661 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4662 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4663 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4664 		return;
4665 	}
4666 
4667 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4668 
4669 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4670 
4671 }
4672 
4673 /*
4674  * XXX socket(2) may be equivalent to open(2) on a unix domain
4675  * socket. This needs investigation.
4676  */
4677 
4678 /*ARGSUSED*/
4679 static void
4680 aus_socket(struct t_audit_data *tad)
4681 {
4682 	struct a {
4683 		long	domain;
4684 		long	type;
4685 		long	protocol;
4686 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4687 
4688 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4689 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4690 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4691 }
4692 
4693 /*ARGSUSED*/
4694 static void
4695 aus_sigqueue(struct t_audit_data *tad)
4696 {
4697 	struct a {
4698 		long	pid;
4699 		long	signo;
4700 		long	*val;
4701 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4702 	struct proc *p;
4703 	uid_t uid, ruid;
4704 	gid_t gid, rgid;
4705 	pid_t pid;
4706 	const auditinfo_addr_t *ainfo;
4707 	cred_t *cr;
4708 
4709 	pid = (pid_t)uap->pid;
4710 
4711 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4712 	if (pid > 0) {
4713 		mutex_enter(&pidlock);
4714 		if ((p = prfind(pid)) == (struct proc *)0) {
4715 			mutex_exit(&pidlock);
4716 			return;
4717 		}
4718 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4719 		mutex_exit(&pidlock);
4720 
4721 		mutex_enter(&p->p_crlock);
4722 		crhold(cr = p->p_cred);
4723 		mutex_exit(&p->p_crlock);
4724 		mutex_exit(&p->p_lock);
4725 
4726 		ainfo = crgetauinfo(cr);
4727 		if (ainfo == NULL) {
4728 			crfree(cr);
4729 			return;
4730 		}
4731 
4732 		uid  = crgetuid(cr);
4733 		gid  = crgetgid(cr);
4734 		ruid = crgetruid(cr);
4735 		rgid = crgetrgid(cr);
4736 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4737 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4738 		crfree(cr);
4739 	}
4740 	else
4741 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4742 }
4743 
4744 /*ARGSUSED*/
4745 static void
4746 aus_inst_sync(struct t_audit_data *tad)
4747 {
4748 	struct a {
4749 		long	name;	/* char */
4750 		long	flags;
4751 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4752 
4753 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4754 }
4755 
4756 /*ARGSUSED*/
4757 static void
4758 aus_brandsys(struct t_audit_data *tad)
4759 {
4760 	klwp_t *clwp = ttolwp(curthread);
4761 
4762 	struct a {
4763 		long	cmd;
4764 		long	arg1;
4765 		long	arg2;
4766 		long	arg3;
4767 		long	arg4;
4768 		long	arg5;
4769 		long	arg6;
4770 	} *uap = (struct a *)clwp->lwp_ap;
4771 
4772 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4773 #ifdef _LP64
4774 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4775 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4776 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4777 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4778 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4779 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4780 #else
4781 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4782 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4783 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4784 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4785 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4786 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4787 #endif
4788 }
4789 
4790 /*ARGSUSED*/
4791 static void
4792 aus_p_online(struct t_audit_data *tad)
4793 {
4794 	struct a {
4795 		long	processor_id;
4796 		long	flag;
4797 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4798 
4799 	struct flags {
4800 			int	flag;
4801 			char	*cflag;
4802 	} aflags[6] = {
4803 			{ P_ONLINE, "P_ONLINE"},
4804 			{ P_OFFLINE, "P_OFFLINE"},
4805 			{ P_NOINTR, "P_NOINTR"},
4806 			{ P_SPARE, "P_SPARE"},
4807 			{ P_FAULTED, "P_FAULTED"},
4808 			{ P_STATUS, "P_STATUS"}
4809 	};
4810 	int i;
4811 	char *cflag;
4812 
4813 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4814 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4815 
4816 	for (i = 0; i < 6; i++) {
4817 		if (aflags[i].flag == uap->flag)
4818 			break;
4819 	}
4820 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4821 
4822 	au_uwrite(au_to_text(cflag));
4823 }
4824 
4825 /*ARGSUSED*/
4826 static void
4827 aus_processor_bind(struct t_audit_data *tad)
4828 {
4829 	struct a {
4830 		long	id_type;
4831 		long	id;
4832 		long	processor_id;
4833 		long	obind;
4834 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4835 
4836 	struct proc *p;
4837 	int lwpcnt;
4838 	uid_t uid, ruid;
4839 	gid_t gid, rgid;
4840 	pid_t pid;
4841 	const auditinfo_addr_t *ainfo;
4842 	cred_t *cr;
4843 
4844 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4845 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4846 	if (uap->processor_id == PBIND_NONE)
4847 		au_uwrite(au_to_text("PBIND_NONE"));
4848 	else
4849 		au_uwrite(au_to_arg32(3, "processor_id",
4850 		    (uint32_t)uap->processor_id));
4851 
4852 	switch (uap->id_type) {
4853 	case P_MYID:
4854 	case P_LWPID:
4855 		mutex_enter(&pidlock);
4856 		p = ttoproc(curthread);
4857 		if (p == NULL || p->p_as == &kas) {
4858 			mutex_exit(&pidlock);
4859 			return;
4860 		}
4861 		mutex_enter(&p->p_lock);
4862 		mutex_exit(&pidlock);
4863 		lwpcnt = p->p_lwpcnt;
4864 		pid  = p->p_pid;
4865 
4866 		mutex_enter(&p->p_crlock);
4867 		crhold(cr = p->p_cred);
4868 		mutex_exit(&p->p_crlock);
4869 		mutex_exit(&p->p_lock);
4870 
4871 		ainfo = crgetauinfo(cr);
4872 		if (ainfo == NULL) {
4873 			crfree(cr);
4874 			return;
4875 		}
4876 
4877 		uid  = crgetuid(cr);
4878 		gid  = crgetgid(cr);
4879 		ruid = crgetruid(cr);
4880 		rgid = crgetrgid(cr);
4881 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4882 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4883 		crfree(cr);
4884 		break;
4885 	case P_PID:
4886 		mutex_enter(&pidlock);
4887 		p = prfind(uap->id);
4888 		if (p == NULL || p->p_as == &kas) {
4889 			mutex_exit(&pidlock);
4890 			return;
4891 		}
4892 		mutex_enter(&p->p_lock);
4893 		mutex_exit(&pidlock);
4894 		lwpcnt = p->p_lwpcnt;
4895 		pid  = p->p_pid;
4896 
4897 		mutex_enter(&p->p_crlock);
4898 		crhold(cr = p->p_cred);
4899 		mutex_exit(&p->p_crlock);
4900 		mutex_exit(&p->p_lock);
4901 
4902 		ainfo = crgetauinfo(cr);
4903 		if (ainfo == NULL) {
4904 			crfree(cr);
4905 			return;
4906 		}
4907 
4908 		uid  = crgetuid(cr);
4909 		gid  = crgetgid(cr);
4910 		ruid = crgetruid(cr);
4911 		rgid = crgetrgid(cr);
4912 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4913 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4914 		crfree(cr);
4915 
4916 		break;
4917 	default:
4918 		return;
4919 	}
4920 
4921 	if (uap->processor_id == PBIND_NONE &&
4922 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4923 		au_uwrite(au_to_text("PBIND_NONE for process"));
4924 	else
4925 		au_uwrite(au_to_arg32(3, "processor_id",
4926 		    (uint32_t)uap->processor_id));
4927 }
4928 
4929 /*ARGSUSED*/
4930 static au_event_t
4931 aui_doorfs(au_event_t e)
4932 {
4933 	uint32_t code;
4934 
4935 	struct a {		/* doorfs */
4936 		long	a1;
4937 		long	a2;
4938 		long	a3;
4939 		long	a4;
4940 		long	a5;
4941 		long	code;
4942 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4943 
4944 	/*
4945 	 *	audit formats for several of the
4946 	 *	door calls have not yet been determined
4947 	 */
4948 	code = (uint32_t)uap->code;
4949 	switch (code) {
4950 	case DOOR_CALL:
4951 		e = AUE_DOORFS_DOOR_CALL;
4952 		break;
4953 	case DOOR_RETURN:
4954 		e = AUE_NULL;
4955 		break;
4956 	case DOOR_CREATE:
4957 		e = AUE_DOORFS_DOOR_CREATE;
4958 		break;
4959 	case DOOR_REVOKE:
4960 		e = AUE_DOORFS_DOOR_REVOKE;
4961 		break;
4962 	case DOOR_INFO:
4963 		e = AUE_NULL;
4964 		break;
4965 	case DOOR_UCRED:
4966 		e = AUE_NULL;
4967 		break;
4968 	case DOOR_BIND:
4969 		e = AUE_NULL;
4970 		break;
4971 	case DOOR_UNBIND:
4972 		e = AUE_NULL;
4973 		break;
4974 	case DOOR_GETPARAM:
4975 		e = AUE_NULL;
4976 		break;
4977 	case DOOR_SETPARAM:
4978 		e = AUE_NULL;
4979 		break;
4980 	default:	/* illegal system call */
4981 		e = AUE_NULL;
4982 		break;
4983 	}
4984 
4985 	return (e);
4986 }
4987 
4988 static door_node_t *
4989 au_door_lookup(int did)
4990 {
4991 	vnode_t	*vp;
4992 	file_t *fp;
4993 
4994 	if ((fp = getf(did)) == NULL)
4995 		return (NULL);
4996 	/*
4997 	 * Use the underlying vnode (we may be namefs mounted)
4998 	 */
4999 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5000 		vp = fp->f_vnode;
5001 
5002 	if (vp == NULL || vp->v_type != VDOOR) {
5003 		releasef(did);
5004 		return (NULL);
5005 	}
5006 
5007 	return (VTOD(vp));
5008 }
5009 
5010 /*ARGSUSED*/
5011 static void
5012 aus_doorfs(struct t_audit_data *tad)
5013 {
5014 
5015 	struct a {		/* doorfs */
5016 		long	a1;
5017 		long	a2;
5018 		long	a3;
5019 		long	a4;
5020 		long	a5;
5021 		long	code;
5022 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5023 
5024 	door_node_t	*dp;
5025 	struct proc	*p;
5026 	uint32_t	did;
5027 	uid_t uid, ruid;
5028 	gid_t gid, rgid;
5029 	pid_t pid;
5030 	const auditinfo_addr_t *ainfo;
5031 	cred_t *cr;
5032 
5033 	did = (uint32_t)uap->a1;
5034 
5035 	switch (tad->tad_event) {
5036 	case AUE_DOORFS_DOOR_CALL:
5037 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5038 		if ((dp = au_door_lookup(did)) == NULL)
5039 			break;
5040 
5041 		if (DOOR_INVALID(dp)) {
5042 			releasef(did);
5043 			break;
5044 		}
5045 
5046 		if ((p = dp->door_target) == NULL) {
5047 			releasef(did);
5048 			break;
5049 		}
5050 		mutex_enter(&p->p_lock);
5051 		releasef(did);
5052 
5053 		pid  = p->p_pid;
5054 
5055 		mutex_enter(&p->p_crlock);
5056 		crhold(cr = p->p_cred);
5057 		mutex_exit(&p->p_crlock);
5058 		mutex_exit(&p->p_lock);
5059 
5060 		ainfo = crgetauinfo(cr);
5061 		if (ainfo == NULL) {
5062 			crfree(cr);
5063 			return;
5064 		}
5065 		uid  = crgetuid(cr);
5066 		gid  = crgetgid(cr);
5067 		ruid = crgetruid(cr);
5068 		rgid = crgetrgid(cr);
5069 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5070 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5071 		crfree(cr);
5072 		break;
5073 	case AUE_DOORFS_DOOR_RETURN:
5074 		/*
5075 		 * We may want to write information about
5076 		 * all doors (if any) which will be copied
5077 		 * by this call to the user space
5078 		 */
5079 		break;
5080 	case AUE_DOORFS_DOOR_CREATE:
5081 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5082 		break;
5083 	case AUE_DOORFS_DOOR_REVOKE:
5084 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5085 		break;
5086 	case AUE_DOORFS_DOOR_INFO:
5087 		break;
5088 	case AUE_DOORFS_DOOR_CRED:
5089 		break;
5090 	case AUE_DOORFS_DOOR_BIND:
5091 		break;
5092 	case AUE_DOORFS_DOOR_UNBIND: {
5093 		break;
5094 	}
5095 	default:	/* illegal system call */
5096 		break;
5097 	}
5098 }
5099 
5100 /*ARGSUSED*/
5101 static au_event_t
5102 aui_acl(au_event_t e)
5103 {
5104 	struct a {
5105 		union {
5106 			long	name;	/* char */
5107 			long	fd;
5108 		}		obj;
5109 
5110 		long		cmd;
5111 		long		nentries;
5112 		long		arg;	/* aclent_t */
5113 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5114 
5115 	switch (uap->cmd) {
5116 	case SETACL:
5117 	case ACE_SETACL:
5118 		/*
5119 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5120 		 * are expected.
5121 		 */
5122 		break;
5123 	case GETACL:
5124 	case GETACLCNT:
5125 	case ACE_GETACL:
5126 	case ACE_GETACLCNT:
5127 		/* do nothing for these four values. */
5128 		e = AUE_NULL;
5129 		break;
5130 	default:
5131 		/* illegal system call */
5132 		break;
5133 	}
5134 
5135 	return (e);
5136 }
5137 
5138 static void
5139 au_acl(int cmd, int nentries, caddr_t bufp)
5140 {
5141 	size_t		a_size;
5142 	aclent_t	*aclbufp;
5143 	ace_t		*acebufp;
5144 	int		i;
5145 
5146 	switch (cmd) {
5147 	case GETACL:
5148 	case GETACLCNT:
5149 		break;
5150 	case SETACL:
5151 		if (nentries < 3)
5152 			break;
5153 
5154 		a_size = nentries * sizeof (aclent_t);
5155 
5156 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5157 			break;
5158 		if (copyin(bufp, aclbufp, a_size)) {
5159 			kmem_free(aclbufp, a_size);
5160 			break;
5161 		}
5162 		for (i = 0; i < nentries; i++) {
5163 			au_uwrite(au_to_acl(aclbufp + i));
5164 		}
5165 		kmem_free(aclbufp, a_size);
5166 		break;
5167 
5168 	case ACE_SETACL:
5169 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5170 			break;
5171 
5172 		a_size = nentries * sizeof (ace_t);
5173 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5174 			break;
5175 		if (copyin(bufp, acebufp, a_size)) {
5176 			kmem_free(acebufp, a_size);
5177 			break;
5178 		}
5179 		for (i = 0; i < nentries; i++) {
5180 			au_uwrite(au_to_ace(acebufp + i));
5181 		}
5182 		kmem_free(acebufp, a_size);
5183 		break;
5184 	default:
5185 		break;
5186 	}
5187 }
5188 
5189 /*ARGSUSED*/
5190 static void
5191 aus_acl(struct t_audit_data *tad)
5192 {
5193 	struct a {
5194 		long	fname;
5195 		long	cmd;
5196 		long	nentries;
5197 		long	aclbufp;
5198 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5199 
5200 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5201 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5202 
5203 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5204 }
5205 
5206 /*ARGSUSED*/
5207 static void
5208 aus_facl(struct t_audit_data *tad)
5209 {
5210 	struct a {
5211 		long	fd;
5212 		long	cmd;
5213 		long	nentries;
5214 		long	aclbufp;
5215 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5216 	struct file  *fp;
5217 	struct vnode *vp;
5218 	struct f_audit_data *fad;
5219 	int fd;
5220 
5221 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5222 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5223 
5224 	fd = (int)uap->fd;
5225 
5226 	if ((fp = getf(fd)) == NULL)
5227 		return;
5228 
5229 	/* get path from file struct here */
5230 	fad = F2A(fp);
5231 	if (fad->fad_aupath != NULL) {
5232 		au_uwrite(au_to_path(fad->fad_aupath));
5233 	} else {
5234 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5235 	}
5236 
5237 	vp = fp->f_vnode;
5238 	audit_attributes(vp);
5239 
5240 	/* decrement file descriptor reference count */
5241 	releasef(fd);
5242 
5243 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5244 }
5245 
5246 /*ARGSUSED*/
5247 static void
5248 auf_read(tad, error, rval)
5249 	struct t_audit_data *tad;
5250 	int error;
5251 	rval_t *rval;
5252 {
5253 	struct file *fp;
5254 	struct f_audit_data *fad;
5255 	int fd;
5256 	register struct a {
5257 		long	fd;
5258 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5259 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5260 
5261 	fd = (int)uap->fd;
5262 
5263 	/*
5264 	 * convert file pointer to file descriptor
5265 	 *   Note: fd ref count incremented here.
5266 	 */
5267 	if ((fp = getf(fd)) == NULL)
5268 		return;
5269 
5270 	/* get path from file struct here */
5271 	fad = F2A(fp);
5272 	ASSERT(fad);
5273 
5274 	/*
5275 	 * already processed this file for read attempt
5276 	 *
5277 	 * XXX might be better to turn off auditing in a aui_read() routine.
5278 	 */
5279 	if (fad->fad_flags & FAD_READ) {
5280 		/* don't really want to audit every read attempt */
5281 		tad->tad_flag = 0;
5282 		/* free any residual audit data */
5283 		au_close(kctx, &(u_ad), 0, 0, 0);
5284 		releasef(fd);
5285 		return;
5286 	}
5287 	/* mark things so we know what happened and don't repeat things */
5288 	fad->fad_flags |= FAD_READ;
5289 
5290 	if (fad->fad_aupath != NULL) {
5291 		au_uwrite(au_to_path(fad->fad_aupath));
5292 	} else {
5293 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5294 	}
5295 
5296 	/* include attributes */
5297 	audit_attributes(fp->f_vnode);
5298 
5299 	/* decrement file descriptor reference count */
5300 	releasef(fd);
5301 }
5302 
5303 /*ARGSUSED*/
5304 static void
5305 auf_write(tad, error, rval)
5306 	struct t_audit_data *tad;
5307 	int error;
5308 	rval_t *rval;
5309 {
5310 	struct file *fp;
5311 	struct f_audit_data *fad;
5312 	int fd;
5313 	register struct a {
5314 		long	fd;
5315 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5316 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5317 
5318 	fd = (int)uap->fd;
5319 
5320 	/*
5321 	 * convert file pointer to file descriptor
5322 	 *   Note: fd ref count incremented here.
5323 	 */
5324 	if ((fp = getf(fd)) == NULL)
5325 		return;
5326 
5327 	/* get path from file struct here */
5328 	fad = F2A(fp);
5329 	ASSERT(fad);
5330 
5331 	/*
5332 	 * already processed this file for write attempt
5333 	 *
5334 	 * XXX might be better to turn off auditing in a aus_write() routine.
5335 	 */
5336 	if (fad->fad_flags & FAD_WRITE) {
5337 		/* don't really want to audit every write attempt */
5338 		tad->tad_flag = 0;
5339 		/* free any residual audit data */
5340 		au_close(kctx, &(u_ad), 0, 0, 0);
5341 		releasef(fd);
5342 		return;
5343 	}
5344 	/* mark things so we know what happened and don't repeat things */
5345 	fad->fad_flags |= FAD_WRITE;
5346 
5347 	if (fad->fad_aupath != NULL) {
5348 		au_uwrite(au_to_path(fad->fad_aupath));
5349 	} else {
5350 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5351 	}
5352 
5353 	/* include attributes */
5354 	audit_attributes(fp->f_vnode);
5355 
5356 	/* decrement file descriptor reference count */
5357 	releasef(fd);
5358 }
5359 
5360 /*ARGSUSED*/
5361 static void
5362 auf_recv(tad, error, rval)
5363 	struct t_audit_data *tad;
5364 	int error;
5365 	rval_t *rval;
5366 {
5367 	struct sonode *so;
5368 	char so_laddr[sizeof (struct sockaddr_in6)];
5369 	char so_faddr[sizeof (struct sockaddr_in6)];
5370 	struct file *fp;
5371 	struct f_audit_data *fad;
5372 	int fd;
5373 	int err;
5374 	socklen_t len;
5375 	short so_family, so_type;
5376 	register struct a {
5377 		long	fd;
5378 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5379 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5380 
5381 	/*
5382 	 * If there was an error, then nothing to do. Only generate
5383 	 * audit record on first successful recv.
5384 	 */
5385 	if (error) {
5386 		/* Turn off audit record generation here. */
5387 		tad->tad_flag = 0;
5388 		/* free any residual audit data */
5389 		au_close(kctx, &(u_ad), 0, 0, 0);
5390 		return;
5391 	}
5392 
5393 	fd = (int)uap->fd;
5394 
5395 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5396 		/* Turn off audit record generation here. */
5397 		tad->tad_flag = 0;
5398 		/* free any residual audit data */
5399 		au_close(kctx, &(u_ad), 0, 0, 0);
5400 		return;
5401 	}
5402 
5403 	/* get path from file struct here */
5404 	fad = F2A(fp);
5405 	ASSERT(fad);
5406 
5407 	/*
5408 	 * already processed this file for read attempt
5409 	 */
5410 	if (fad->fad_flags & FAD_READ) {
5411 		releasef(fd);
5412 		/* don't really want to audit every recv call */
5413 		tad->tad_flag = 0;
5414 		/* free any residual audit data */
5415 		au_close(kctx, &(u_ad), 0, 0, 0);
5416 		return;
5417 	}
5418 
5419 	/* mark things so we know what happened and don't repeat things */
5420 	fad->fad_flags |= FAD_READ;
5421 
5422 	so_family = so->so_family;
5423 	so_type   = so->so_type;
5424 
5425 	switch (so_family) {
5426 	case AF_INET:
5427 	case AF_INET6:
5428 		/*
5429 		 * Only for connections.
5430 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5431 		 */
5432 		if (so->so_state & SS_ISBOUND) {
5433 
5434 			bzero((void *)so_laddr, sizeof (so_laddr));
5435 			bzero((void *)so_faddr, sizeof (so_faddr));
5436 
5437 			/* get local and foreign addresses */
5438 			len = sizeof (so_laddr);
5439 			(void) socket_getsockname(so,
5440 			    (struct sockaddr *)so_laddr, &len, CRED());
5441 			len = sizeof (so_faddr);
5442 			(void) socket_getpeername(so,
5443 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5444 
5445 			/*
5446 			 * only way to drop out of switch. Note that we
5447 			 * we release fd below.
5448 			 */
5449 
5450 			break;
5451 		}
5452 
5453 		releasef(fd);
5454 
5455 		/* don't really want to audit every recv call */
5456 		tad->tad_flag = 0;
5457 		/* free any residual audit data */
5458 		au_close(kctx, &(u_ad), 0, 0, 0);
5459 
5460 		return;
5461 
5462 	case AF_UNIX:
5463 
5464 		if (fad->fad_aupath != NULL) {
5465 			au_uwrite(au_to_path(fad->fad_aupath));
5466 		} else {
5467 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5468 		}
5469 
5470 		audit_attributes(fp->f_vnode);
5471 
5472 		releasef(fd);
5473 
5474 		return;
5475 
5476 	default:
5477 		releasef(fd);
5478 
5479 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5480 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5481 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5482 
5483 		return;
5484 	}
5485 
5486 	releasef(fd);
5487 
5488 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5489 
5490 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5491 
5492 }
5493 
5494 /*ARGSUSED*/
5495 static void
5496 auf_send(tad, error, rval)
5497 	struct t_audit_data *tad;
5498 	int error;
5499 	rval_t *rval;
5500 {
5501 	struct sonode *so;
5502 	char so_laddr[sizeof (struct sockaddr_in6)];
5503 	char so_faddr[sizeof (struct sockaddr_in6)];
5504 	struct file *fp;
5505 	struct f_audit_data *fad;
5506 	int fd;
5507 	int err;
5508 	socklen_t len;
5509 	short so_family, so_type;
5510 	register struct a {
5511 		long	fd;
5512 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5513 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5514 
5515 	fd = (int)uap->fd;
5516 
5517 	/*
5518 	 * If there was an error, then nothing to do. Only generate
5519 	 * audit record on first successful send.
5520 	 */
5521 	if (error != 0) {
5522 		/* Turn off audit record generation here. */
5523 		tad->tad_flag = 0;
5524 		/* free any residual audit data */
5525 		au_close(kctx, &(u_ad), 0, 0, 0);
5526 		return;
5527 	}
5528 
5529 	fd = (int)uap->fd;
5530 
5531 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5532 		/* Turn off audit record generation here. */
5533 		tad->tad_flag = 0;
5534 		/* free any residual audit data */
5535 		au_close(kctx, &(u_ad), 0, 0, 0);
5536 		return;
5537 	}
5538 
5539 	/* get path from file struct here */
5540 	fad = F2A(fp);
5541 	ASSERT(fad);
5542 
5543 	/*
5544 	 * already processed this file for write attempt
5545 	 */
5546 	if (fad->fad_flags & FAD_WRITE) {
5547 		releasef(fd);
5548 		/* don't really want to audit every send call */
5549 		tad->tad_flag = 0;
5550 		/* free any residual audit data */
5551 		au_close(kctx, &(u_ad), 0, 0, 0);
5552 		return;
5553 	}
5554 
5555 	/* mark things so we know what happened and don't repeat things */
5556 	fad->fad_flags |= FAD_WRITE;
5557 
5558 	so_family = so->so_family;
5559 	so_type   = so->so_type;
5560 
5561 	switch (so_family) {
5562 	case AF_INET:
5563 	case AF_INET6:
5564 		/*
5565 		 * Only for connections.
5566 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5567 		 */
5568 		if (so->so_state & SS_ISBOUND) {
5569 
5570 			bzero((void *)so_laddr, sizeof (so_laddr));
5571 			bzero((void *)so_faddr, sizeof (so_faddr));
5572 
5573 			/* get local and foreign addresses */
5574 			len = sizeof (so_laddr);
5575 			(void) socket_getsockname(so,
5576 			    (struct sockaddr *)so_laddr, &len, CRED());
5577 			len = sizeof (so_faddr);
5578 			(void) socket_getpeername(so,
5579 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5580 
5581 			/*
5582 			 * only way to drop out of switch. Note that we
5583 			 * we release fd below.
5584 			 */
5585 
5586 			break;
5587 		}
5588 
5589 		releasef(fd);
5590 		/* don't really want to audit every send call */
5591 		tad->tad_flag = 0;
5592 		/* free any residual audit data */
5593 		au_close(kctx, &(u_ad), 0, 0, 0);
5594 
5595 		return;
5596 
5597 	case AF_UNIX:
5598 
5599 		if (fad->fad_aupath != NULL) {
5600 			au_uwrite(au_to_path(fad->fad_aupath));
5601 		} else {
5602 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5603 		}
5604 
5605 		audit_attributes(fp->f_vnode);
5606 
5607 		releasef(fd);
5608 
5609 		return;
5610 
5611 	default:
5612 		releasef(fd);
5613 
5614 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5615 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5616 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5617 
5618 		return;
5619 	}
5620 
5621 	releasef(fd);
5622 
5623 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5624 
5625 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5626 }
5627 
5628 static au_event_t
5629 aui_forksys(au_event_t e)
5630 {
5631 	struct a {
5632 		long	subcode;
5633 		long	flags;
5634 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5635 
5636 	switch ((uint_t)uap->subcode) {
5637 	case 0:
5638 		e = AUE_FORK1;
5639 		break;
5640 	case 1:
5641 		e = AUE_FORKALL;
5642 		break;
5643 	case 2:
5644 		e = AUE_VFORK;
5645 		break;
5646 	default:
5647 		e = AUE_NULL;
5648 		break;
5649 	}
5650 
5651 	return (e);
5652 }
5653 
5654 /*ARGSUSED*/
5655 static au_event_t
5656 aui_portfs(au_event_t e)
5657 {
5658 	struct a {		/* portfs */
5659 		long	a1;
5660 		long	a2;
5661 		long	a3;
5662 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5663 
5664 	/*
5665 	 * check opcode
5666 	 */
5667 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5668 	case PORT_ASSOCIATE:
5669 		/* check source */
5670 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5671 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5672 			e = AUE_PORTFS_ASSOCIATE;
5673 		} else {
5674 			e = AUE_NULL;
5675 		}
5676 		break;
5677 	case PORT_DISSOCIATE:
5678 		/* check source */
5679 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5680 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5681 			e = AUE_PORTFS_DISSOCIATE;
5682 		} else {
5683 			e = AUE_NULL;
5684 		}
5685 		break;
5686 	default:
5687 		e = AUE_NULL;
5688 	}
5689 	return (e);
5690 }
5691