xref: /titanic_51/usr/src/uts/common/c2/audit_event.c (revision 554ff184129088135ad2643c1c9832174a17be88)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * This file contains the audit event table used to control the production
31  * of audit records for each system call.
32  */
33 
34 #include <sys/policy.h>
35 #include <sys/cred.h>
36 #include <sys/types.h>
37 #include <sys/systm.h>
38 #include <sys/systeminfo.h>	/* for sysinfo auditing */
39 #include <sys/utsname.h>	/* for sysinfo auditing */
40 #include <sys/proc.h>
41 #include <sys/vnode.h>
42 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
43 #include <sys/fcntl.h>
44 #include <sys/modctl.h>		/* for modctl auditing */
45 #include <sys/vnode.h>
46 #include <sys/user.h>
47 #include <sys/types.h>
48 #include <sys/processor.h>
49 #include <sys/procset.h>
50 #include <sys/acl.h>
51 #include <sys/ipc.h>
52 #include <sys/door.h>
53 #include <sys/sem.h>
54 #include <sys/msg.h>
55 #include <sys/shm.h>
56 #include <sys/kmem.h>
57 #include <sys/file.h>		/* for accept */
58 #include <sys/utssys.h>		/* for fuser */
59 #include <c2/audit.h>
60 #include <c2/audit_kernel.h>
61 #include <c2/audit_kevents.h>
62 #include <c2/audit_record.h>
63 #include <sys/procset.h>
64 #include <nfs/mount.h>
65 #include <sys/param.h>
66 #include <sys/debug.h>
67 #include <sys/sysmacros.h>
68 #include <sys/stream.h>
69 #include <sys/strsubr.h>
70 #include <sys/stropts.h>
71 #include <sys/tihdr.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <netinet/in.h>
75 #include <sys/ddi.h>
76 
77 extern token_t	*au_to_sock_inet(struct sockaddr_in *);
78 
79 int	au_naevent;
80 char	_depends_on[] = "fs/sockfs";
81 
82 static au_event_t	aui_null(au_event_t);
83 static au_event_t	aui_open(au_event_t);
84 static au_event_t	aui_fsat(au_event_t);
85 static au_event_t	aui_msgsys(au_event_t);
86 static au_event_t	aui_shmsys(au_event_t);
87 static au_event_t	aui_semsys(au_event_t);
88 static au_event_t	aui_utssys(au_event_t);
89 static au_event_t	aui_fcntl(au_event_t);
90 static au_event_t	aui_execv(au_event_t);
91 static au_event_t	aui_execve(au_event_t);
92 static au_event_t	aui_memcntl(au_event_t);
93 static au_event_t	aui_sysinfo(au_event_t);
94 static au_event_t	aui_auditsys(au_event_t);
95 static au_event_t	aui_modctl(au_event_t);
96 static au_event_t	aui_acl(au_event_t);
97 static au_event_t	aui_doorfs(au_event_t);
98 static au_event_t	aui_privsys(au_event_t);
99 
100 static void	aus_null(struct t_audit_data *);
101 static void	aus_open(struct t_audit_data *);
102 static void	aus_acl(struct t_audit_data *);
103 static void	aus_acct(struct t_audit_data *);
104 static void	aus_chown(struct t_audit_data *);
105 static void	aus_fchown(struct t_audit_data *);
106 static void	aus_lchown(struct t_audit_data *);
107 static void	aus_chmod(struct t_audit_data *);
108 static void	aus_facl(struct t_audit_data *);
109 static void	aus_fchmod(struct t_audit_data *);
110 static void	aus_fcntl(struct t_audit_data *);
111 static void	aus_fsat(struct t_audit_data *);
112 static void	aus_mkdir(struct t_audit_data *);
113 static void	aus_mknod(struct t_audit_data *);
114 static void	aus_mount(struct t_audit_data *);
115 static void	aus_umount(struct t_audit_data *);
116 static void	aus_umount2(struct t_audit_data *);
117 static void	aus_msgsys(struct t_audit_data *);
118 static void	aus_semsys(struct t_audit_data *);
119 static void	aus_close(struct t_audit_data *);
120 static void	aus_fstatfs(struct t_audit_data *);
121 static void	aus_setgid(struct t_audit_data *);
122 static void	aus_setuid(struct t_audit_data *);
123 static void	aus_shmsys(struct t_audit_data *);
124 static void	aus_doorfs(struct t_audit_data *);
125 static void	aus_ioctl(struct t_audit_data *);
126 static void	aus_memcntl(struct t_audit_data *);
127 static void	aus_mmap(struct t_audit_data *);
128 static void	aus_munmap(struct t_audit_data *);
129 static void	aus_priocntlsys(struct t_audit_data *);
130 static void	aus_setegid(struct t_audit_data *);
131 static void	aus_setgroups(struct t_audit_data *);
132 static void	aus_seteuid(struct t_audit_data *);
133 static void	aus_putmsg(struct t_audit_data *);
134 static void	aus_putpmsg(struct t_audit_data *);
135 static void	aus_getmsg(struct t_audit_data *);
136 static void	aus_getpmsg(struct t_audit_data *);
137 static void	aus_auditsys(struct t_audit_data *);
138 static void	aus_sysinfo(struct t_audit_data *);
139 static void	aus_modctl(struct t_audit_data *);
140 static void	aus_kill(struct t_audit_data *);
141 static void	aus_xmknod(struct t_audit_data *);
142 static void	aus_setregid(struct t_audit_data *);
143 static void	aus_setreuid(struct t_audit_data *);
144 
145 static void	auf_null(struct t_audit_data *, int, rval_t *);
146 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
147 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
148 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
149 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
150 #if 0
151 static void	auf_open(struct t_audit_data *, int, rval_t *);
152 #endif
153 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
154 static void	auf_read(struct t_audit_data *, int, rval_t *);
155 static void	auf_write(struct t_audit_data *, int, rval_t *);
156 
157 static void	aus_sigqueue(struct t_audit_data *);
158 static void	aus_p_online(struct t_audit_data *);
159 static void	aus_processor_bind(struct t_audit_data *);
160 static void	aus_inst_sync(struct t_audit_data *);
161 
162 static void	auf_accept(struct t_audit_data *, int, rval_t *);
163 
164 static void	auf_bind(struct t_audit_data *, int, rval_t *);
165 static void	auf_connect(struct t_audit_data *, int, rval_t *);
166 static void	aus_shutdown(struct t_audit_data *);
167 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
168 static void	aus_sockconfig(struct t_audit_data *);
169 static void	auf_recv(struct t_audit_data *, int, rval_t *);
170 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
171 static void	auf_send(struct t_audit_data *, int, rval_t *);
172 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
173 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
174 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
175 static void	aus_socket(struct t_audit_data *);
176 /*
177  * This table contains mapping information for converting system call numbers
178  * to audit event IDs. In several cases it is necessary to map a single system
179  * call to several events.
180  */
181 
182 struct audit_s2e audit_s2e[] =
183 {
184 /*
185  * ----------	---------- 	----------	----------
186  * INITIAL	AUDIT		START		SYSTEM
187  * PROCESSING	EVENT		PROCESSING	CALL
188  * ----------	----------	----------	-----------
189  *		FINISH		EVENT
190  *		PROCESSING	CONTROL
191  * ----------------------------------------------------------
192  */
193 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
194 		auf_null,	0,
195 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
196 		auf_null,	S2E_NPT,
197 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
198 		auf_null,	0,
199 aui_null,	AUE_READ,	aus_null,	/* 3 read */
200 		auf_read,	S2E_PUB,
201 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
202 		auf_write,	0,
203 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
204 		auf_null,	S2E_SP,
205 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
206 		auf_null,	0,
207 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
208 		auf_null,	0,
209 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
210 		auf_null,	S2E_SP,
211 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
212 		auf_null,	0,
213 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
214 		auf_null,	0,
215 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
216 		auf_null,	S2E_MLD,
217 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
218 		auf_null,	S2E_SP,
219 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
220 		auf_null,	0,
221 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
222 		auf_mknod,	0,
223 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
224 		auf_null,	0,
225 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
226 		auf_null,	0,
227 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
228 		auf_null,	0,
229 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
230 		auf_null,	S2E_PUB,
231 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
232 		auf_null,	0,
233 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
234 		auf_null,	0,
235 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
236 		auf_null,	S2E_MLD,
237 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
238 		auf_null,	0,
239 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
240 		auf_null,	0,
241 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
242 		auf_null,	0,
243 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
244 		auf_null,	0,
245 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
246 		auf_null,	0,
247 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
248 		auf_null,	0,
249 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
250 		auf_null,	0,
251 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
252 		auf_null,	0,
253 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
254 		auf_null,	0,
255 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
258 		auf_null,	0,
259 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
260 		auf_null,	S2E_PUB,
261 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
262 		auf_null,	0,
263 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
264 		auf_null,	S2E_PUB,
265 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
266 		auf_null,	0,
267 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
268 		auf_null,	0,
269 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
270 		auf_null,	S2E_PUB,
271 aui_null,	AUE_SETPGRP,	aus_null,	/* 39 setpgrp */
272 		auf_null,	0,
273 aui_null,	AUE_NULL,	aus_null,	/* 40 (loadable) was cxenix */
274 		auf_null,	0,
275 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
276 		auf_null,	0,
277 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
278 		auf_null,	0,
279 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
280 		auf_null,	0,
281 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
282 		auf_null,	0,
283 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
284 						/*	was proc lock */
285 		auf_null,	0,
286 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
287 		auf_null,	0,
288 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
289 		auf_null,	0,
290 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
291 		auf_null,	0,
292 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
293 		auf_msgsys,	0,
294 #if defined(__x86)
295 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
296 		auf_null,	0,
297 #else
298 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
299 		auf_null,	0,
300 #endif /* __x86 */
301 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
302 		auf_null,	0,
303 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
304 		auf_shmsys,	0,
305 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
306 		auf_semsys,	0,
307 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
308 		auf_null,	0,
309 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
310 		auf_null,	0,
311 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
312 		auf_null,	0,
313 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
314 		auf_null,	0,
315 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
316 		auf_null,	0,
317 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
318 		auf_null,	S2E_MLD,
319 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
320 		auf_null,	0,
321 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
322 		auf_null,	S2E_SP,
323 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
324 		auf_null,	0,
325 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
326 		auf_null,	0,
327 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
328 		auf_null,	0,
329 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
330 		auf_null,	0,
331 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
332 		auf_null,	0,
333 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
334 						/*	file locking call */
335 		auf_null,	0,
336 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
337 						/*	local system calls */
338 		auf_null,	0,
339 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
340 		auf_null,	0,
341 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
342 		auf_null,	0,
343 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
344 		auf_null,	0,
345 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
346 		auf_null,	0,
347 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
348 		auf_null,	0,
349 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
350 		auf_null,	0,
351 aui_null,	AUE_NULL,	aus_null,	/* 75 issetugid */
352 						/*	was sigret (SunOS) */
353 		auf_null,	0,
354 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
355 		auf_null,	0,
356 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
359 		auf_null,	0,
360 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
361 		auf_null,	0,
362 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
363 		auf_null,	0,
364 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
365 		auf_null,	0,
366 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
367 						/*	was libattach */
368 		auf_null,	0,
369 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
370 						/*	was libdetach */
371 		auf_null,	0,
372 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
373 		auf_null,	0,
374 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
375 		auf_null,	0,
376 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
377 		auf_null,	0,
378 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
379 		auf_null,	0,
380 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
381 		auf_null,	S2E_PUB,
382 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
383 		auf_null,	0,
384 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
385 		auf_null,	S2E_PUB,
386 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
387 		auf_null,	0,
388 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
389 		auf_null,	0,
390 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
391 		auf_null,	0,
392 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
393 		auf_null,	0,
394 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
395 		auf_null,	0,
396 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
397 		auf_null,	0,
398 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
409 						/*	was evtrapret */
410 		auf_null,	0,
411 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
412 		auf_null,	S2E_PUB,
413 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
414 		auf_null,	0,
415 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
416 		auf_null,	0,
417 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
418 		auf_null,	0,
419 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
420 		auf_null,	0,
421 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
422 		auf_null,	0,
423 #if defined(__x86)
424 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
425 		auf_null,	0,
426 #else
427 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
428 		auf_null,	0,
429 #endif /* __x86 */
430 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
431 		auf_null,	0,
432 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
433 		auf_null,	0,
434 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
435 		auf_null,	0,		/* 112 priocntlsys */
436 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
437 		auf_null,	S2E_PUB,
438 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
439 		auf_null,	0,
440 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
441 		auf_null,	0,
442 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
443 		auf_null,	0,
444 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
445 		auf_null,	0,
446 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
447 		auf_null,	0,
448 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
449 		auf_null,	0,
450 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
451 		auf_null,	0,
452 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
453 		auf_read,	S2E_PUB,
454 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
455 		auf_write,	0,
456 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
457 		auf_null,	S2E_PUB,
458 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
459 		auf_null,	S2E_PUB,
460 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
461 		auf_null,	0,
462 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
463 		auf_xmknod,	0,
464 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
465 		auf_null,	0,
466 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
467 		auf_null,	0,
468 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
469 		auf_null,	0,
470 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
471 		auf_null,	0,
472 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
473 		auf_null,	0,
474 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
475 		auf_null,	0,
476 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
477 		auf_null,	0,
478 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
479 		auf_null,	0,
480 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
481 		auf_null,	0,
482 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
483 		auf_null,	0,
484 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
485 		auf_null,	0,
486 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
487 		auf_null,	0,
488 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
489 		auf_null,	0,
490 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
491 		auf_null,	0,
492 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
493 		auf_null,	0,
494 aui_null,	AUE_NULL,	aus_null,	/* 142 (loadable reserved) */
495 		auf_null,	0,
496 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
497 		auf_null,	0,
498 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
499 		auf_null,	0,
500 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
501 		auf_null,	0,
502 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
503 		auf_null,	0,
504 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
505 		auf_null,	0,
506 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
513 		auf_null,	0,
514 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
515 		auf_null,	0,
516 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
517 		auf_null,	0,
518 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
519 		auf_null,	0,
520 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
521 		auf_null,	0,
522 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
541 						/*	was lwp_setprivate */
542 		auf_null,	0,
543 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
544 						/*	was lwp_getprivate */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
547 		auf_null,	0,
548 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_unlock  */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
551 		auf_null,	0,
552 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
553 		auf_null,	0,
554 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
555 		auf_null,	0,
556 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
557 		auf_null,	0,
558 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
559 		auf_read,	S2E_PUB,
560 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
561 		auf_write,	0,
562 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
563 		auf_null,	0,
564 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
565 						/* aus_inst_sync */
566 		auf_null,	0,
567 aui_null,	AUE_NULL,	aus_null,	/* 177 (loadable) */
568 		auf_null,	0,
569 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
570 		auf_null,	0,
571 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
576 		auf_null,	0,
577 aui_null,	AUE_NULL,	aus_null,	/* 182 (loadable) */
578 		auf_null,	0,
579 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
580 		auf_null,	0,
581 aui_null,	AUE_NULL,	aus_null,	/* 184 (loadable) tsolsys */
582 		auf_null,	0,
583 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
584 		auf_null,	0,
585 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
586 		auf_null,	0,
587 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
588 		auf_null,	0,		/* 187 processor_bind */
589 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
590 		auf_null,	0,
591 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
592 		auf_null,	0,
593 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
594 		auf_null,	0,
595 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
596 		auf_null,	0,
597 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
600 		auf_null,	0,
601 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
612 		auf_null,	0,
613 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
614 		auf_null,	0,
615 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
616 		auf_null,	0,
617 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
618 		auf_null,	0,
619 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
620 		auf_null,	0,
621 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
622 		auf_null,	0,
623 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
640 		auf_null,	0,
641 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
642 		auf_null,	0,
643 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
644 		auf_null,	S2E_PUB,
645 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
646 		auf_null,	S2E_PUB,
647 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
648 		auf_null,	0,
649 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
650 		auf_null,	S2E_PUB,
651 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
652 		auf_null,	0,
653 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
654 		auf_null,	0,
655 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
656 		auf_null,	0,
657 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
658 		auf_read,	S2E_PUB,
659 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
660 		auf_write,	0,
661 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
662 		auf_null,	S2E_SP,
663 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
664 		auf_null,	S2E_SP,
665 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
666 		auf_null,	0,
667 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
668 		auf_null,	0,
669 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
670 		auf_null,	0,
671 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
672 		auf_null,	0,
673 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
674 		auf_null,	0,
675 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
676 		auf_null,	0,
677 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
678 		auf_bind,	0,
679 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
680 		auf_null,	0,
681 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
682 		auf_accept,	0,
683 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
684 		auf_connect,	0,
685 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
686 		auf_null,	0,
687 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
688 		auf_recv,	0,
689 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
690 		auf_recvfrom,	0,
691 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
692 		auf_recvmsg,	0,
693 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
694 		auf_send,	0,
695 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
696 		auf_sendmsg,	0,
697 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
698 		auf_sendto,	0,
699 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
700 		auf_null,	0,
701 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
702 		auf_null,	0,
703 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
704 		auf_null,	0,
705 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
706 		auf_setsockopt,	0,
707 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
708 		auf_null,	0,
709 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
710 		auf_null,	0,
711 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
712 		auf_null,	0,
713 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
714 		auf_null,	0,
715 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_init */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 254 (loadable) */
722 						/*	was lwp_sigtimedwait */
723 		auf_null,	0,
724 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
725 		auf_null,	0
726 };
727 
728 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
729 
730 char *so_not_bound = "socket not bound";
731 char *so_not_conn  = "socket not connected";
732 char *so_bad_addr  = "bad socket address";
733 char *so_bad_peer_addr  = "bad peer address";
734 
735 /* null start function */
736 /*ARGSUSED*/
737 static void
738 aus_null(struct t_audit_data *tad)
739 {
740 }
741 
742 /* acct start function */
743 /*ARGSUSED*/
744 static void
745 aus_acct(struct t_audit_data *tad)
746 {
747 	klwp_t *clwp = ttolwp(curthread);
748 	uintptr_t fname;
749 
750 	struct a {
751 		long	fname;		/* char * */
752 	} *uap = (struct a *)clwp->lwp_ap;
753 
754 	fname = (uintptr_t)uap->fname;
755 
756 	if (fname == 0)
757 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
758 }
759 
760 /* chown start function */
761 /*ARGSUSED*/
762 static void
763 aus_chown(struct t_audit_data *tad)
764 {
765 	klwp_t *clwp = ttolwp(curthread);
766 	uint32_t uid, gid;
767 
768 	struct a {
769 		long	fname;		/* char * */
770 		long	uid;
771 		long	gid;
772 	} *uap = (struct a *)clwp->lwp_ap;
773 
774 	uid = (uint32_t)uap->uid;
775 	gid = (uint32_t)uap->gid;
776 
777 	au_uwrite(au_to_arg32(2, "new file uid", uid));
778 	au_uwrite(au_to_arg32(3, "new file gid", gid));
779 }
780 
781 /* fchown start function */
782 /*ARGSUSED*/
783 static void
784 aus_fchown(struct t_audit_data *tad)
785 {
786 	klwp_t *clwp = ttolwp(curthread);
787 	uint32_t uid, gid, fd;
788 	struct file  *fp;
789 	struct vnode *vp;
790 	struct f_audit_data *fad;
791 
792 	struct a {
793 		long fd;
794 		long uid;
795 		long gid;
796 	} *uap = (struct a *)clwp->lwp_ap;
797 
798 	fd  = (uint32_t)uap->fd;
799 	uid = (uint32_t)uap->uid;
800 	gid = (uint32_t)uap->gid;
801 
802 	au_uwrite(au_to_arg32(2, "new file uid", uid));
803 	au_uwrite(au_to_arg32(3, "new file gid", gid));
804 
805 		/*
806 		 * convert file pointer to file descriptor
807 		 *   Note: fd ref count incremented here.
808 		 */
809 	if ((fp = getf(fd)) == NULL)
810 		return;
811 
812 	/* get path from file struct here */
813 	fad = F2A(fp);
814 	if (fad->fad_aupath != NULL) {
815 		au_uwrite(au_to_path(fad->fad_aupath));
816 	} else {
817 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
818 	}
819 
820 	vp = fp->f_vnode;
821 	audit_attributes(vp);
822 
823 	/* decrement file descriptor reference count */
824 	releasef(fd);
825 }
826 
827 /*ARGSUSED*/
828 static void
829 aus_lchown(struct t_audit_data *tad)
830 {
831 	klwp_t *clwp = ttolwp(curthread);
832 	uint32_t uid, gid;
833 
834 
835 	struct a {
836 		long	fname;		/* char	* */
837 		long	uid;
838 		long	gid;
839 	} *uap = (struct a *)clwp->lwp_ap;
840 
841 	uid = (uint32_t)uap->uid;
842 	gid = (uint32_t)uap->gid;
843 
844 	au_uwrite(au_to_arg32(2, "new file uid", uid));
845 	au_uwrite(au_to_arg32(3, "new file gid", gid));
846 }
847 
848 /* chmod start function */
849 /*ARGSUSED*/
850 static void
851 aus_chmod(struct t_audit_data *tad)
852 {
853 	klwp_t *clwp = ttolwp(curthread);
854 	uint32_t fmode;
855 
856 	struct a {
857 		long	fname;		/* char	* */
858 		long	fmode;
859 	} *uap = (struct a *)clwp->lwp_ap;
860 
861 	fmode = (uint32_t)uap->fmode;
862 
863 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
864 }
865 
866 /* chmod start function */
867 /*ARGSUSED*/
868 static void
869 aus_fchmod(struct t_audit_data *tad)
870 {
871 	klwp_t *clwp = ttolwp(curthread);
872 	uint32_t fmode, fd;
873 	struct file  *fp;
874 	struct vnode *vp;
875 	struct f_audit_data *fad;
876 
877 	struct a {
878 		long	fd;
879 		long	fmode;
880 	} *uap = (struct a *)clwp->lwp_ap;
881 
882 	fd = (uint32_t)uap->fd;
883 	fmode = (uint32_t)uap->fmode;
884 
885 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
886 
887 		/*
888 		 * convert file pointer to file descriptor
889 		 *   Note: fd ref count incremented here.
890 		 */
891 	if ((fp = getf(fd)) == NULL)
892 		return;
893 
894 		/* get path from file struct here */
895 	fad = F2A(fp);
896 	if (fad->fad_aupath != NULL) {
897 		au_uwrite(au_to_path(fad->fad_aupath));
898 	} else {
899 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
900 	}
901 
902 	vp = fp->f_vnode;
903 	audit_attributes(vp);
904 
905 	/* decrement file descriptor reference count */
906 	releasef(fd);
907 }
908 
909 /* null function */
910 /*ARGSUSED*/
911 static void
912 auf_null(struct t_audit_data *tad, int error, rval_t *rval)
913 {
914 }
915 
916 /* null function */
917 static au_event_t
918 aui_null(au_event_t e)
919 {
920 	return (e);
921 }
922 
923 /* convert open to appropriate event */
924 static au_event_t
925 aui_open(au_event_t e)
926 {
927 	klwp_t *clwp = ttolwp(curthread);
928 	uint_t fm;
929 
930 	struct a {
931 		long	fnamep;		/* char	* */
932 		long	fmode;
933 		long	cmode;
934 	} *uap = (struct a *)clwp->lwp_ap;
935 
936 	fm = (uint_t)uap->fmode;
937 
938 	if (fm & O_WRONLY)
939 		e = AUE_OPEN_W;
940 	else if (fm & O_RDWR)
941 		e = AUE_OPEN_RW;
942 	else
943 		e = AUE_OPEN_R;
944 
945 	if (fm & O_CREAT)
946 		e += 1;
947 	if (fm & O_TRUNC)
948 		e += 2;
949 
950 	return (e);
951 }
952 
953 /*ARGSUSED*/
954 static void
955 aus_open(struct t_audit_data *tad)
956 {
957 	klwp_t *clwp = ttolwp(curthread);
958 	uint_t fm;
959 
960 	struct a {
961 		long	fnamep;		/* char	* */
962 		long	fmode;
963 		long	cmode;
964 	} *uap = (struct a *)clwp->lwp_ap;
965 
966 	fm = (uint_t)uap->fmode;
967 
968 	/* If no write, create, or trunc modes, mark as a public op */
969 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
970 		tad->tad_ctrl |= PAD_PUBLIC_EV;
971 }
972 
973 /* convert openat(2) to appropriate event */
974 static au_event_t
975 aui_fsat(au_event_t e)
976 {
977 	t_audit_data_t	*tad = U2A(u);
978 	klwp_t *clwp = ttolwp(curthread);
979 	uint_t fmcode, fm;
980 	struct a {
981 		long id;
982 		long arg1;
983 		long arg2;
984 		long arg3;
985 		long arg4;
986 		long arg5;
987 	} *uap = (struct a *)clwp->lwp_ap;
988 
989 	fmcode  = (uint_t)uap->id;
990 
991 	switch (fmcode) {
992 
993 	case 0: /* openat */
994 	case 1: /* openat64 */
995 		fm = (uint_t)uap->arg3;
996 		if (fm & O_WRONLY)
997 			e = AUE_OPENAT_W;
998 		else if (fm & O_RDWR)
999 			e = AUE_OPENAT_RW;
1000 		else
1001 			e = AUE_OPENAT_R;
1002 
1003 		/*
1004 		 * openat modes are defined in the following order:
1005 		 * Read only
1006 		 * Read|Create
1007 		 * Read|Trunc
1008 		 * Read|Create|Trunc
1009 		 * Write Only
1010 		 * Write|Create
1011 		 * Write|Trunc
1012 		 * Write|Create|Trunc * RW Only
1013 		 * RW|Create
1014 		 * RW|Trunc
1015 		 * RW|Create|Trunc
1016 		 */
1017 		if (fm & O_CREAT)
1018 			e += 1;		/* increment to include CREAT in mode */
1019 		if (fm & O_TRUNC)
1020 			e += 2;		/* increment to include TRUNC in mode */
1021 
1022 		/* convert to appropriate au_ctrl */
1023 		tad->tad_ctrl |= PAD_SAVPATH;
1024 		if (fm & FXATTR)
1025 			tad->tad_ctrl |= PAD_ATPATH;
1026 
1027 
1028 		break;
1029 	case 2: /* fstatat64 */
1030 	case 3: /* fstatat */
1031 		e = AUE_FSTATAT;
1032 		break;
1033 	case 4: /* fchownat */
1034 		e = AUE_FCHOWNAT;
1035 		break;
1036 	case 5: /* unlinkat */
1037 		e = AUE_UNLINKAT;
1038 		break;
1039 	case 6: /* futimesat */
1040 		e = AUE_FUTIMESAT;
1041 		break;
1042 	case 7: /* renameat */
1043 		e = AUE_RENAMEAT;
1044 		break;
1045 	default:
1046 		e = AUE_NULL;
1047 		break;
1048 	}
1049 
1050 	return (e);
1051 }
1052 
1053 /*ARGSUSED*/
1054 static void
1055 aus_fsat(struct t_audit_data *tad)
1056 {
1057 	klwp_t *clwp = ttolwp(curthread);
1058 	uint_t fmcode, fm;
1059 	struct a {
1060 		long id;
1061 		long arg1;
1062 		long arg2;
1063 		long arg3;
1064 		long arg4;
1065 		long arg5;
1066 	} *uap = (struct a *)clwp->lwp_ap;
1067 
1068 	fmcode  = (uint_t)uap->id;
1069 
1070 	switch (fmcode) {
1071 
1072 	case 0: /* openat */
1073 	case 1: /* openat64 */
1074 		fm = (uint_t)uap->arg3;
1075 		/* If no write, create, or trunc modes, mark as a public op */
1076 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1077 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1078 
1079 		break;
1080 	case 2: /* fstatat64 */
1081 	case 3: /* fstatat */
1082 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1083 		break;
1084 	default:
1085 		break;
1086 	}
1087 }
1088 
1089 /* msgsys */
1090 static au_event_t
1091 aui_msgsys(au_event_t e)
1092 {
1093 	klwp_t *clwp = ttolwp(curthread);
1094 	uint_t fm;
1095 
1096 	struct a {
1097 		long	id;	/* function code id */
1098 		long	ap;	/* arg pointer for recvmsg */
1099 	} *uap = (struct a *)clwp->lwp_ap;
1100 
1101 	struct b {
1102 		long	msgid;
1103 		long	cmd;
1104 		long	buf;	/* struct msqid_ds * */
1105 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1106 
1107 	fm  = (uint_t)uap->id;
1108 
1109 	switch (fm) {
1110 	case 0:		/* msgget */
1111 		e = AUE_MSGGET;
1112 		break;
1113 	case 1:		/* msgctl */
1114 		switch ((uint_t)uap1->cmd) {
1115 		case IPC_RMID:
1116 			e = AUE_MSGCTL_RMID;
1117 			break;
1118 		case IPC_SET:
1119 			e = AUE_MSGCTL_SET;
1120 			break;
1121 		case IPC_STAT:
1122 			e = AUE_MSGCTL_STAT;
1123 			break;
1124 		default:
1125 			e = AUE_MSGCTL;
1126 			break;
1127 		}
1128 		break;
1129 	case 2:		/* msgrcv */
1130 		e = AUE_MSGRCV;
1131 		break;
1132 	case 3:		/* msgsnd */
1133 		e = AUE_MSGSND;
1134 		break;
1135 	default:	/* illegal system call */
1136 		e = AUE_NULL;
1137 		break;
1138 	}
1139 
1140 	return (e);
1141 }
1142 
1143 
1144 /* shmsys */
1145 static au_event_t
1146 aui_shmsys(au_event_t e)
1147 {
1148 	klwp_t *clwp = ttolwp(curthread);
1149 	int fm;
1150 
1151 	struct a {		/* shmsys */
1152 		long	id;	/* function code id */
1153 	} *uap = (struct a *)clwp->lwp_ap;
1154 
1155 	struct b {		/* ctrl */
1156 		long	shmid;
1157 		long	cmd;
1158 		long	arg;		/* struct shmid_ds * */
1159 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1160 	fm  = (uint_t)uap->id;
1161 
1162 	switch (fm) {
1163 	case 0:		/* shmat */
1164 		e = AUE_SHMAT;
1165 		break;
1166 	case 1:		/* shmctl */
1167 		switch ((uint_t)uap1->cmd) {
1168 		case IPC_RMID:
1169 			e = AUE_SHMCTL_RMID;
1170 			break;
1171 		case IPC_SET:
1172 			e = AUE_SHMCTL_SET;
1173 			break;
1174 		case IPC_STAT:
1175 			e = AUE_SHMCTL_STAT;
1176 			break;
1177 		default:
1178 			e = AUE_SHMCTL;
1179 			break;
1180 		}
1181 		break;
1182 	case 2:		/* shmdt */
1183 		e = AUE_SHMDT;
1184 		break;
1185 	case 3:		/* shmget */
1186 		e = AUE_SHMGET;
1187 		break;
1188 	default:	/* illegal system call */
1189 		e = AUE_NULL;
1190 		break;
1191 	}
1192 
1193 	return (e);
1194 }
1195 
1196 
1197 /* semsys */
1198 static au_event_t
1199 aui_semsys(au_event_t e)
1200 {
1201 	klwp_t *clwp = ttolwp(curthread);
1202 	uint_t fm;
1203 
1204 	struct a {		/* semsys */
1205 		long	id;
1206 	} *uap = (struct a *)clwp->lwp_ap;
1207 
1208 	struct b {		/* ctrl */
1209 		long	semid;
1210 		long	semnum;
1211 		long	cmd;
1212 		long	arg;
1213 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1214 
1215 	fm = (uint_t)uap->id;
1216 
1217 	switch (fm) {
1218 	case 0:		/* semctl */
1219 		switch ((uint_t)uap1->cmd) {
1220 		case IPC_RMID:
1221 			e = AUE_SEMCTL_RMID;
1222 			break;
1223 		case IPC_SET:
1224 			e = AUE_SEMCTL_SET;
1225 			break;
1226 		case IPC_STAT:
1227 			e = AUE_SEMCTL_STAT;
1228 			break;
1229 		case GETNCNT:
1230 			e = AUE_SEMCTL_GETNCNT;
1231 			break;
1232 		case GETPID:
1233 			e = AUE_SEMCTL_GETPID;
1234 			break;
1235 		case GETVAL:
1236 			e = AUE_SEMCTL_GETVAL;
1237 			break;
1238 		case GETALL:
1239 			e = AUE_SEMCTL_GETALL;
1240 			break;
1241 		case GETZCNT:
1242 			e = AUE_SEMCTL_GETZCNT;
1243 			break;
1244 		case SETVAL:
1245 			e = AUE_SEMCTL_SETVAL;
1246 			break;
1247 		case SETALL:
1248 			e = AUE_SEMCTL_SETALL;
1249 			break;
1250 		default:
1251 			e = AUE_SEMCTL;
1252 			break;
1253 		}
1254 		break;
1255 	case 1:		/* semget */
1256 		e = AUE_SEMGET;
1257 		break;
1258 	case 2:		/* semop */
1259 		e = AUE_SEMOP;
1260 		break;
1261 	default:	/* illegal system call */
1262 		e = AUE_NULL;
1263 		break;
1264 	}
1265 
1266 	return (e);
1267 }
1268 
1269 /* utssys - uname(2), ustat(2), fusers(2) */
1270 static au_event_t
1271 aui_utssys(au_event_t e)
1272 {
1273 	klwp_t *clwp = ttolwp(curthread);
1274 	uint_t type;
1275 
1276 	struct a {
1277 		union {
1278 			long	cbuf;		/* char * */
1279 			long	ubuf;		/* struct stat * */
1280 		} ub;
1281 		union {
1282 			long	mv;	/* for USTAT */
1283 			long	flags;	/* for FUSERS */
1284 		} un;
1285 		long	type;
1286 		long	outbp;		/* char * for FUSERS */
1287 	} *uap = (struct a *)clwp->lwp_ap;
1288 
1289 	type = (uint_t)uap->type;
1290 
1291 	if (type == UTS_FUSERS)
1292 		return (e);
1293 	else
1294 		return ((au_event_t)AUE_NULL);
1295 }
1296 
1297 static au_event_t
1298 aui_fcntl(au_event_t e)
1299 {
1300 	klwp_t *clwp = ttolwp(curthread);
1301 	uint_t cmd;
1302 
1303 	struct a {
1304 		long	fdes;
1305 		long	cmd;
1306 		long	arg;
1307 	} *uap = (struct a *)clwp->lwp_ap;
1308 
1309 	cmd = (uint_t)uap->cmd;
1310 
1311 	switch (cmd) {
1312 	case F_GETLK:
1313 	case F_SETLK:
1314 	case F_SETLKW:
1315 		break;
1316 	case F_SETFL:
1317 	case F_GETFL:
1318 	case F_GETFD:
1319 		break;
1320 	default:
1321 		e = (au_event_t)AUE_NULL;
1322 		break;
1323 	}
1324 	return ((au_event_t)e);
1325 }
1326 
1327 /* null function for now */
1328 static au_event_t
1329 aui_execv(au_event_t e)
1330 {
1331 	return (e);
1332 }
1333 
1334 /* null function for now */
1335 static au_event_t
1336 aui_execve(au_event_t e)
1337 {
1338 	return (e);
1339 }
1340 
1341 /*ARGSUSED*/
1342 static void
1343 aus_fcntl(struct t_audit_data *tad)
1344 {
1345 	klwp_t *clwp = ttolwp(curthread);
1346 	uint32_t cmd, fd;
1347 	struct file  *fp;
1348 	struct vnode *vp;
1349 	struct f_audit_data *fad;
1350 
1351 	struct a {
1352 		long	fd;
1353 		long	cmd;
1354 		long	arg;
1355 	} *uap = (struct a *)clwp->lwp_ap;
1356 
1357 	cmd = (uint32_t)uap->cmd;
1358 	fd  = (uint32_t)uap->fd;
1359 
1360 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1361 
1362 		/*
1363 		 * convert file pointer to file descriptor
1364 		 *   Note: fd ref count incremented here.
1365 		 */
1366 	if ((fp = getf(fd)) == NULL)
1367 		return;
1368 
1369 	/* get path from file struct here */
1370 	fad = F2A(fp);
1371 	if (fad->fad_aupath != NULL) {
1372 		au_uwrite(au_to_path(fad->fad_aupath));
1373 	} else {
1374 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1375 	}
1376 
1377 	vp = fp->f_vnode;
1378 	audit_attributes(vp);
1379 
1380 	/* decrement file descriptor reference count */
1381 	releasef(fd);
1382 }
1383 
1384 /*ARGSUSED*/
1385 static void
1386 aus_kill(struct t_audit_data *tad)
1387 {
1388 	klwp_t *clwp = ttolwp(curthread);
1389 	struct proc *p;
1390 	uint32_t signo;
1391 	uid_t uid, ruid;
1392 	gid_t gid, rgid;
1393 	pid_t pid;
1394 	const auditinfo_addr_t *ainfo;
1395 	cred_t *cr;
1396 
1397 	struct a {
1398 		long	pid;
1399 		long	signo;
1400 	} *uap = (struct a *)clwp->lwp_ap;
1401 
1402 	pid   = (pid_t)uap->pid;
1403 	signo = (uint32_t)uap->signo;
1404 
1405 	au_uwrite(au_to_arg32(2, "signal", signo));
1406 	if (pid > 0) {
1407 		mutex_enter(&pidlock);
1408 		if (((p = prfind(pid)) == (struct proc *)0) ||
1409 		    (p->p_stat == SIDL)) {
1410 			mutex_exit(&pidlock);
1411 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1412 			return;
1413 		}
1414 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1415 		mutex_exit(&pidlock);
1416 
1417 		mutex_enter(&p->p_crlock);
1418 		crhold(cr = p->p_cred);
1419 		mutex_exit(&p->p_crlock);
1420 		mutex_exit(&p->p_lock);
1421 
1422 		ainfo = crgetauinfo(cr);
1423 		if (ainfo == NULL) {
1424 			crfree(cr);
1425 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1426 			return;
1427 		}
1428 
1429 		uid  = crgetuid(cr);
1430 		gid  = crgetgid(cr);
1431 		ruid = crgetruid(cr);
1432 		rgid = crgetrgid(cr);
1433 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1434 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1435 		crfree(cr);
1436 	}
1437 	else
1438 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1439 }
1440 
1441 /*ARGSUSED*/
1442 static void
1443 aus_mkdir(struct t_audit_data *tad)
1444 {
1445 	klwp_t *clwp = ttolwp(curthread);
1446 	uint32_t dmode;
1447 
1448 	struct a {
1449 		long	dirnamep;		/* char * */
1450 		long	dmode;
1451 	} *uap = (struct a *)clwp->lwp_ap;
1452 
1453 	dmode = (uint32_t)uap->dmode;
1454 
1455 	au_uwrite(au_to_arg32(2, "mode", dmode));
1456 }
1457 
1458 /*ARGSUSED*/
1459 static void
1460 aus_mknod(struct t_audit_data *tad)
1461 {
1462 	klwp_t *clwp = ttolwp(curthread);
1463 	uint32_t fmode;
1464 	dev_t dev;
1465 
1466 	struct a {
1467 		long	pnamep;		/* char * */
1468 		long	fmode;
1469 		long	dev;
1470 	} *uap = (struct a *)clwp->lwp_ap;
1471 
1472 	fmode = (uint32_t)uap->fmode;
1473 	dev   = (dev_t)uap->dev;
1474 
1475 	au_uwrite(au_to_arg32(2, "mode", fmode));
1476 #ifdef _LP64
1477 	au_uwrite(au_to_arg64(3, "dev", dev));
1478 #else
1479 	au_uwrite(au_to_arg32(3, "dev", dev));
1480 #endif
1481 }
1482 
1483 /*ARGSUSED*/
1484 static void
1485 aus_xmknod(struct t_audit_data *tad)
1486 {
1487 	klwp_t *clwp = ttolwp(curthread);
1488 	uint32_t fmode;
1489 	dev_t dev;
1490 
1491 	struct a {
1492 		long	version;	/* version */
1493 		long	pnamep;		/* char * */
1494 		long	fmode;
1495 		long	dev;
1496 	} *uap = (struct a *)clwp->lwp_ap;
1497 
1498 	fmode = (uint32_t)uap->fmode;
1499 	dev   = (dev_t)uap->dev;
1500 
1501 	au_uwrite(au_to_arg32(2, "mode", fmode));
1502 #ifdef _LP64
1503 	au_uwrite(au_to_arg64(3, "dev", dev));
1504 #else
1505 	au_uwrite(au_to_arg32(3, "dev", dev));
1506 #endif
1507 }
1508 
1509 /*ARGSUSED*/
1510 static void
1511 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1512 {
1513 	klwp_t *clwp = ttolwp(curthread);
1514 	vnode_t	*dvp;
1515 	caddr_t pnamep;
1516 
1517 	struct a {
1518 		long	pnamep;		/* char * */
1519 		long	fmode;
1520 		long	dev;
1521 	} *uap = (struct a *)clwp->lwp_ap;
1522 
1523 	/* no error, then already path token in audit record */
1524 	if (error != EPERM)
1525 		return;
1526 
1527 	/* not auditing this event, nothing then to do */
1528 	if (tad->tad_flag == 0)
1529 		return;
1530 
1531 	/* do the lookup to force generation of path token */
1532 	pnamep = (caddr_t)uap->pnamep;
1533 	tad->tad_ctrl |= PAD_NOATTRB;
1534 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1535 	if (error == 0)
1536 		VN_RELE(dvp);
1537 }
1538 
1539 /*ARGSUSED*/
1540 static void
1541 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1542 {
1543 	klwp_t *clwp = ttolwp(curthread);
1544 	vnode_t	*dvp;
1545 	caddr_t pnamep;
1546 
1547 	struct a {
1548 		long	version;	/* version */
1549 		long	pnamep;		/* char * */
1550 		long	fmode;
1551 		long	dev;
1552 	} *uap = (struct a *)clwp->lwp_arg;
1553 
1554 
1555 	/* no error, then already path token in audit record */
1556 	if (error != EPERM)
1557 		return;
1558 
1559 	/* not auditing this event, nothing then to do */
1560 	if (tad->tad_flag == 0)
1561 		return;
1562 
1563 	/* do the lookup to force generation of path token */
1564 	pnamep = (caddr_t)uap->pnamep;
1565 	tad->tad_ctrl |= PAD_NOATTRB;
1566 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1567 	if (error == 0)
1568 		VN_RELE(dvp);
1569 }
1570 
1571 /*ARGSUSED*/
1572 static void
1573 aus_mount(struct t_audit_data *tad)
1574 {	/* AUS_START */
1575 	klwp_t *clwp = ttolwp(curthread);
1576 	uint32_t flags;
1577 	uintptr_t u_fstype, dataptr;
1578 	STRUCT_DECL(nfs_args, nfsargs);
1579 	size_t len;
1580 	char *fstype, *hostname;
1581 
1582 	struct a {
1583 		long	spec;		/* char    * */
1584 		long	dir;		/* char    * */
1585 		long	flags;
1586 		long	fstype;		/* char    * */
1587 		long	dataptr;	/* char    * */
1588 		long	datalen;
1589 	} *uap = (struct a *)clwp->lwp_ap;
1590 
1591 	u_fstype = (uintptr_t)uap->fstype;
1592 	flags    = (uint32_t)uap->flags;
1593 	dataptr  = (uintptr_t)uap->dataptr;
1594 
1595 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1596 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1597 		goto mount_free_fstype;
1598 
1599 	au_uwrite(au_to_arg32(3, "flags", flags));
1600 	au_uwrite(au_to_text(fstype));
1601 
1602 	if (strncmp(fstype, "nfs", 3) == 0) {
1603 
1604 		STRUCT_INIT(nfsargs, get_udatamodel());
1605 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1606 
1607 		if (copyin((caddr_t)dataptr,
1608 				STRUCT_BUF(nfsargs),
1609 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1610 			/* DEBUG debug_enter((char *)NULL); */
1611 			goto mount_free_fstype;
1612 		}
1613 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1614 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1615 				(caddr_t)hostname,
1616 				MAXNAMELEN, &len)) {
1617 			goto mount_free_hostname;
1618 		}
1619 		au_uwrite(au_to_text(hostname));
1620 		au_uwrite(au_to_arg32(3, "internal flags",
1621 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1622 
1623 mount_free_hostname:
1624 		kmem_free(hostname, MAXNAMELEN);
1625 	}
1626 
1627 mount_free_fstype:
1628 	kmem_free(fstype, MAXNAMELEN);
1629 }	/* AUS_MOUNT */
1630 
1631 static void
1632 aus_umount_path(caddr_t umount_dir)
1633 {
1634 	char			*dir_path;
1635 	struct audit_path	*path;
1636 	size_t			path_len, dir_len;
1637 
1638 	/* length alloc'd for two string pointers */
1639 	path_len = sizeof (struct audit_path) + sizeof (char *);
1640 	path = kmem_alloc(path_len, KM_SLEEP);
1641 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1642 
1643 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1644 	    MAXPATHLEN, &dir_len))
1645 		goto umount2_free_dir;
1646 
1647 	/*
1648 	 * the audit_path struct assumes that the buffer pointed to
1649 	 * by audp_sect[n] contains string 0 immediatedly followed
1650 	 * by string 1.
1651 	 */
1652 	path->audp_sect[0] = dir_path;
1653 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1654 	path->audp_size = path_len;
1655 	path->audp_ref = 1;		/* not used */
1656 	path->audp_cnt = 1;		/* one path string */
1657 
1658 	au_uwrite(au_to_path(path));
1659 
1660 umount2_free_dir:
1661 	kmem_free(dir_path, MAXPATHLEN);
1662 	kmem_free(path, path_len);
1663 }
1664 
1665 /*
1666  * the umount syscall is implemented as a call to umount2, but the args
1667  * are different...
1668  */
1669 
1670 /*ARGSUSED*/
1671 static void
1672 aus_umount(struct t_audit_data *tad)
1673 {
1674 	klwp_t			*clwp = ttolwp(curthread);
1675 	struct a {
1676 		long	dir;		/* char    * */
1677 	} *uap = (struct a *)clwp->lwp_ap;
1678 
1679 	aus_umount_path((caddr_t)uap->dir);
1680 }
1681 
1682 /*ARGSUSED*/
1683 static void
1684 aus_umount2(struct t_audit_data *tad)
1685 {
1686 	klwp_t			*clwp = ttolwp(curthread);
1687 	struct a {
1688 		long	dir;		/* char    * */
1689 		long	flags;
1690 	} *uap = (struct a *)clwp->lwp_ap;
1691 
1692 	aus_umount_path((caddr_t)uap->dir);
1693 
1694 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1695 }
1696 
1697 static void
1698 aus_msgsys(struct t_audit_data *tad)
1699 {
1700 	klwp_t *clwp = ttolwp(curthread);
1701 	uint32_t msgid;
1702 
1703 	struct b {
1704 		long	msgid;
1705 		long	cmd;
1706 		long	buf;		/* struct msqid_ds * */
1707 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1708 
1709 	msgid = (uint32_t)uap1->msgid;
1710 
1711 
1712 	switch (tad->tad_event) {
1713 	case AUE_MSGGET:		/* msgget */
1714 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1715 		break;
1716 	case AUE_MSGCTL:		/* msgctl */
1717 	case AUE_MSGCTL_RMID:		/* msgctl */
1718 	case AUE_MSGCTL_STAT:		/* msgctl */
1719 	case AUE_MSGRCV:		/* msgrcv */
1720 	case AUE_MSGSND:		/* msgsnd */
1721 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1722 		break;
1723 	case AUE_MSGCTL_SET:		/* msgctl */
1724 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1725 		break;
1726 	}
1727 }
1728 
1729 /*ARGSUSED*/
1730 static void
1731 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1732 {
1733 	int id;
1734 
1735 	if (error != 0)
1736 		return;
1737 	if (tad->tad_event == AUE_MSGGET) {
1738 		uint32_t scid;
1739 		uint32_t sy_flags;
1740 
1741 		/* need to determine type of executing binary */
1742 		scid = tad->tad_scid;
1743 #ifdef _SYSCALL32_IMPL
1744 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1745 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1746 		else
1747 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1748 #else
1749 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1750 #endif
1751 		if (sy_flags == SE_32RVAL1)
1752 			id = rval->r_val1;
1753 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1754 			id = rval->r_val1;
1755 		if (sy_flags == SE_64RVAL)
1756 			id = (int)rval->r_vals;
1757 
1758 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1759 	}
1760 }
1761 
1762 static void
1763 aus_semsys(struct t_audit_data *tad)
1764 {
1765 	klwp_t *clwp = ttolwp(curthread);
1766 	uint32_t semid;
1767 
1768 	struct b {		/* ctrl */
1769 		long	semid;
1770 		long	semnum;
1771 		long	cmd;
1772 		long	arg;
1773 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1774 
1775 	semid = (uint32_t)uap1->semid;
1776 
1777 	switch (tad->tad_event) {
1778 	case AUE_SEMCTL_RMID:
1779 	case AUE_SEMCTL_STAT:
1780 	case AUE_SEMCTL_GETNCNT:
1781 	case AUE_SEMCTL_GETPID:
1782 	case AUE_SEMCTL_GETVAL:
1783 	case AUE_SEMCTL_GETALL:
1784 	case AUE_SEMCTL_GETZCNT:
1785 	case AUE_SEMCTL_SETVAL:
1786 	case AUE_SEMCTL_SETALL:
1787 	case AUE_SEMCTL:
1788 	case AUE_SEMOP:
1789 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1790 		break;
1791 	case AUE_SEMCTL_SET:
1792 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1793 		break;
1794 	case AUE_SEMGET:
1795 		au_uwrite(au_to_arg32(1, "sem key", semid));
1796 		break;
1797 	}
1798 }
1799 
1800 /*ARGSUSED*/
1801 static void
1802 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1803 {
1804 	int id;
1805 
1806 	if (error != 0)
1807 		return;
1808 	if (tad->tad_event == AUE_SEMGET) {
1809 		uint32_t scid;
1810 		uint32_t sy_flags;
1811 
1812 		/* need to determine type of executing binary */
1813 		scid = tad->tad_scid;
1814 #ifdef _SYSCALL32_IMPL
1815 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1816 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1817 		else
1818 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1819 #else
1820 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1821 #endif
1822 		if (sy_flags == SE_32RVAL1)
1823 			id = rval->r_val1;
1824 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1825 			id = rval->r_val1;
1826 		if (sy_flags == SE_64RVAL)
1827 			id = (int)rval->r_vals;
1828 
1829 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1830 	}
1831 }
1832 
1833 /*ARGSUSED*/
1834 static void
1835 aus_close(struct t_audit_data *tad)
1836 {
1837 	klwp_t *clwp = ttolwp(curthread);
1838 	uint32_t fd;
1839 	struct file *fp;
1840 	struct f_audit_data *fad;
1841 	struct vnode *vp;
1842 	struct vattr attr;
1843 	au_kcontext_t	*kctx = SET_KCTX_PZ;
1844 
1845 	struct a {
1846 		long	i;
1847 	} *uap = (struct a *)clwp->lwp_ap;
1848 
1849 	fd = (uint32_t)uap->i;
1850 
1851 	attr.va_mask = 0;
1852 	au_uwrite(au_to_arg32(1, "fd", fd));
1853 
1854 		/*
1855 		 * convert file pointer to file descriptor
1856 		 *   Note: fd ref count incremented here.
1857 		 */
1858 	if ((fp = getf(fd)) == NULL)
1859 		return;
1860 
1861 	fad = F2A(fp);
1862 	tad->tad_evmod = (short)fad->fad_flags;
1863 	if (fad->fad_aupath != NULL) {
1864 		au_uwrite(au_to_path(fad->fad_aupath));
1865 		if ((vp = fp->f_vnode) != NULL) {
1866 			attr.va_mask = AT_ALL;
1867 			if (VOP_GETATTR(vp, &attr, 0, CRED()) == 0) {
1868 				au_uwrite(au_to_attr(&attr));
1869 				/*
1870 				 * When write was not used and the file can be
1871 				 * considered public, skip the audit.
1872 				 */
1873 				if (((fp->f_flag & FWRITE) == 0) &&
1874 				    file_is_public(&attr)) {
1875 					tad->tad_flag = 0;
1876 					tad->tad_evmod = 0;
1877 					/* free any residual audit data */
1878 					au_close(kctx, &(u_ad), 0, 0, 0);
1879 					releasef(fd);
1880 					return;
1881 				}
1882 			}
1883 		}
1884 	}
1885 
1886 	/* decrement file descriptor reference count */
1887 	releasef(fd);
1888 }
1889 
1890 /*ARGSUSED*/
1891 static void
1892 aus_fstatfs(struct t_audit_data *tad)
1893 {
1894 	klwp_t *clwp = ttolwp(curthread);
1895 	uint32_t fd;
1896 	struct file  *fp;
1897 	struct vnode *vp;
1898 	struct f_audit_data *fad;
1899 
1900 	struct a {
1901 		long	fd;
1902 		long	buf;		/* struct statfs * */
1903 	} *uap = (struct a *)clwp->lwp_ap;
1904 
1905 	fd = (uint_t)uap->fd;
1906 
1907 		/*
1908 		 * convert file pointer to file descriptor
1909 		 *   Note: fd ref count incremented here.
1910 		 */
1911 	if ((fp = getf(fd)) == NULL)
1912 		return;
1913 
1914 		/* get path from file struct here */
1915 	fad = F2A(fp);
1916 	if (fad->fad_aupath != NULL) {
1917 		au_uwrite(au_to_path(fad->fad_aupath));
1918 	} else {
1919 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1920 	}
1921 
1922 	vp = fp->f_vnode;
1923 	audit_attributes(vp);
1924 
1925 	/* decrement file descriptor reference count */
1926 	releasef(fd);
1927 }
1928 
1929 #ifdef NOTYET
1930 /*ARGSUSED*/
1931 static void
1932 aus_setpgrp(struct t_audit_data *tad)
1933 {
1934 	klwp_t *clwp = ttolwp(curthread);
1935 	uint32_t pgrp;
1936 	struct proc *p;
1937 	uid_t uid, ruid;
1938 	gid_t gid, rgid;
1939 	pid_t pid;
1940 	const auditinfo_addr_t *ainfo;
1941 	cred_t *cr;
1942 
1943 	struct a {
1944 		long	pid;
1945 		long	pgrp;
1946 	} *uap = (struct a *)clwp->lwp_ap;
1947 
1948 	pid  = (pid_t)uap->pid;
1949 	pgrp = (uint32_t)uap->pgrp;
1950 
1951 		/* current process? */
1952 	if (pid == 0)
1953 		(return);
1954 
1955 	mutex_enter(&pidlock);
1956 	p = prfind(pid);
1957 	if (p == NULL || p->p_as == &kas) {
1958 		mutex_exit(&pidlock);
1959 		return;
1960 	}
1961 	mutex_enter(&p->p_lock);	/* so process doesn't go away */
1962 	mutex_exit(&pidlock);
1963 
1964 	mutex_enter(&p->p_crlock);
1965 	crhold(cr = p->p_cred);
1966 	mutex_exit(&p->p_crlock);
1967 	mutex_exit(&p->p_lock);
1968 
1969 	ainfo = crgetauinfo(cr);
1970 	if (ainfo == NULL) {
1971 		crfree(cr);
1972 		return;
1973 	}
1974 
1975 	uid  = crgetuid(cr);
1976 	gid  = crgetgid(cr);
1977 	ruid = crgetruid(cr);
1978 	rgid = crgetrgid(cr);
1979 	au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1980 	    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1981 	crfree(cr);
1982 	au_uwrite(au_to_arg32(2, "pgrp", pgrp));
1983 }
1984 #endif
1985 
1986 /*ARGSUSED*/
1987 static void
1988 aus_setregid(struct t_audit_data *tad)
1989 {
1990 	klwp_t *clwp = ttolwp(curthread);
1991 	uint32_t rgid, egid;
1992 
1993 	struct a {
1994 		long	 rgid;
1995 		long	 egid;
1996 	} *uap = (struct a *)clwp->lwp_ap;
1997 
1998 	rgid  = (uint32_t)uap->rgid;
1999 	egid  = (uint32_t)uap->egid;
2000 
2001 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2002 	au_uwrite(au_to_arg32(2, "egid", egid));
2003 }
2004 
2005 /*ARGSUSED*/
2006 static void
2007 aus_setgid(struct t_audit_data *tad)
2008 {
2009 	klwp_t *clwp = ttolwp(curthread);
2010 	uint32_t gid;
2011 
2012 	struct a {
2013 		long	gid;
2014 	} *uap = (struct a *)clwp->lwp_ap;
2015 
2016 	gid = (uint32_t)uap->gid;
2017 
2018 	au_uwrite(au_to_arg32(1, "gid", gid));
2019 }
2020 
2021 
2022 /*ARGSUSED*/
2023 static void
2024 aus_setreuid(struct t_audit_data *tad)
2025 {
2026 	klwp_t *clwp = ttolwp(curthread);
2027 	uint32_t ruid, euid;
2028 
2029 	struct a {
2030 		long	ruid;
2031 		long	euid;
2032 	} *uap = (struct a *)clwp->lwp_ap;
2033 
2034 	ruid = (uint32_t)uap->ruid;
2035 	euid  = (uint32_t)uap->euid;
2036 
2037 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2038 	au_uwrite(au_to_arg32(2, "euid", euid));
2039 }
2040 
2041 
2042 /*ARGSUSED*/
2043 static void
2044 aus_setuid(struct t_audit_data *tad)
2045 {
2046 	klwp_t *clwp = ttolwp(curthread);
2047 	uint32_t uid;
2048 
2049 	struct a {
2050 		long	uid;
2051 	} *uap = (struct a *)clwp->lwp_ap;
2052 
2053 	uid = (uint32_t)uap->uid;
2054 
2055 	au_uwrite(au_to_arg32(1, "uid", uid));
2056 }
2057 
2058 /*ARGSUSED*/
2059 static void
2060 aus_shmsys(struct t_audit_data *tad)
2061 {
2062 	klwp_t *clwp = ttolwp(curthread);
2063 	uint32_t id, cmd;
2064 
2065 	struct b {
2066 		long	id;
2067 		long	cmd;
2068 		long	buf;		/* struct shmid_ds * */
2069 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2070 
2071 	id  = (uint32_t)uap1->id;
2072 	cmd = (uint32_t)uap1->cmd;
2073 
2074 	switch (tad->tad_event) {
2075 	case AUE_SHMGET:			/* shmget */
2076 		au_uwrite(au_to_arg32(1, "shm key", id));
2077 		break;
2078 	case AUE_SHMCTL:			/* shmctl */
2079 	case AUE_SHMCTL_RMID:			/* shmctl */
2080 	case AUE_SHMCTL_STAT:			/* shmctl */
2081 	case AUE_SHMCTL_SET:			/* shmctl */
2082 		au_uwrite(au_to_arg32(1, "shm ID", id));
2083 		break;
2084 	case AUE_SHMDT:				/* shmdt */
2085 		au_uwrite(au_to_arg32(1, "shm adr", id));
2086 		break;
2087 	case AUE_SHMAT:				/* shmat */
2088 		au_uwrite(au_to_arg32(1, "shm ID", id));
2089 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2090 		break;
2091 	}
2092 }
2093 
2094 /*ARGSUSED*/
2095 static void
2096 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2097 {
2098 	int id;
2099 
2100 	if (error != 0)
2101 		return;
2102 	if (tad->tad_event == AUE_SHMGET) {
2103 		uint32_t scid;
2104 		uint32_t sy_flags;
2105 
2106 		/* need to determine type of executing binary */
2107 		scid = tad->tad_scid;
2108 #ifdef _SYSCALL32_IMPL
2109 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2110 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2111 		else
2112 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2113 #else
2114 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2115 #endif
2116 		if (sy_flags == SE_32RVAL1)
2117 			id = rval->r_val1;
2118 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2119 			id = rval->r_val1;
2120 		if (sy_flags == SE_64RVAL)
2121 			id = (int)rval->r_vals;
2122 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2123 	}
2124 }
2125 
2126 
2127 /*ARGSUSED*/
2128 static void
2129 aus_ioctl(struct t_audit_data *tad)
2130 {
2131 	klwp_t *clwp = ttolwp(curthread);
2132 	struct file *fp;
2133 	struct vnode *vp;
2134 	struct f_audit_data *fad;
2135 	uint32_t fd, cmd;
2136 	uintptr_t cmarg;
2137 
2138 	/* XX64 */
2139 	struct a {
2140 		long	fd;
2141 		long	cmd;
2142 		long	cmarg;		/* caddr_t */
2143 	} *uap = (struct a *)clwp->lwp_ap;
2144 
2145 	fd    = (uint32_t)uap->fd;
2146 	cmd   = (uint32_t)uap->cmd;
2147 	cmarg = (uintptr_t)uap->cmarg;
2148 
2149 		/*
2150 		 * convert file pointer to file descriptor
2151 		 *   Note: fd ref count incremented here.
2152 		 */
2153 	if ((fp = getf(fd)) == NULL) {
2154 		au_uwrite(au_to_arg32(1, "fd", fd));
2155 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2156 #ifndef _LP64
2157 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2158 #else
2159 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2160 #endif
2161 		return;
2162 	}
2163 
2164 	/* get path from file struct here */
2165 	fad = F2A(fp);
2166 	if (fad->fad_aupath != NULL) {
2167 		au_uwrite(au_to_path(fad->fad_aupath));
2168 	} else {
2169 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2170 	}
2171 
2172 	vp = fp->f_vnode;
2173 	audit_attributes(vp);
2174 
2175 	/* decrement file descriptor reference count */
2176 	releasef(fd);
2177 
2178 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2179 #ifndef _LP64
2180 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2181 #else
2182 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2183 #endif
2184 }
2185 
2186 /*
2187  * null function for memcntl for now. We might want to limit memcntl()
2188  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2189  * require privileges.
2190  */
2191 static au_event_t
2192 aui_memcntl(au_event_t e)
2193 {
2194 	return (e);
2195 }
2196 
2197 /*ARGSUSED*/
2198 static au_event_t
2199 aui_privsys(au_event_t e)
2200 {
2201 	klwp_t *clwp = ttolwp(curthread);
2202 
2203 	struct a {
2204 		long	opcode;
2205 	} *uap = (struct a *)clwp->lwp_ap;
2206 
2207 	switch (uap->opcode) {
2208 	case PRIVSYS_SETPPRIV:
2209 		return (AUE_SETPPRIV);
2210 	default:
2211 		return (AUE_NULL);
2212 	}
2213 }
2214 
2215 /*ARGSUSED*/
2216 static void
2217 aus_memcntl(struct t_audit_data *tad)
2218 {
2219 	klwp_t *clwp = ttolwp(curthread);
2220 
2221 	struct a {
2222 		long	addr;
2223 		long	len;
2224 		long	cmd;
2225 		long	arg;
2226 		long	attr;
2227 		long	mask;
2228 	} *uap = (struct a *)clwp->lwp_ap;
2229 
2230 #ifdef _LP64
2231 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2232 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2233 #else
2234 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2235 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2236 #endif
2237 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2238 #ifdef _LP64
2239 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2240 #else
2241 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2242 #endif
2243 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2244 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2245 }
2246 
2247 /*ARGSUSED*/
2248 static void
2249 aus_mmap(struct t_audit_data *tad)
2250 {
2251 	klwp_t *clwp = ttolwp(curthread);
2252 	struct file *fp;
2253 	struct f_audit_data *fad;
2254 	struct vnode *vp;
2255 	uint32_t fd;
2256 
2257 	struct a {
2258 		long	addr;
2259 		long	len;
2260 		long	prot;
2261 		long	flags;
2262 		long	fd;
2263 		long	pos;
2264 	} *uap = (struct a *)clwp->lwp_ap;
2265 
2266 	fd = (uint32_t)uap->fd;
2267 
2268 #ifdef _LP64
2269 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2270 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2271 #else
2272 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2273 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2274 #endif
2275 
2276 	if ((fp = getf(fd)) == NULL) {
2277 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2278 		return;
2279 	}
2280 
2281 	/*
2282 	 * Mark in the tad if write access is NOT requested... if
2283 	 * this is later detected (in audit_attributes) to be a
2284 	 * public object, the mmap event may be discarded.
2285 	 */
2286 	if (((uap->prot) & PROT_WRITE) == 0) {
2287 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2288 	}
2289 
2290 	fad = F2A(fp);
2291 	if (fad->fad_aupath != NULL) {
2292 		au_uwrite(au_to_path(fad->fad_aupath));
2293 	} else {
2294 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2295 	}
2296 
2297 	vp = (struct vnode *)fp->f_vnode;
2298 	audit_attributes(vp);
2299 
2300 	/* mark READ/WRITE since we can't predict access */
2301 	if (uap->prot & PROT_READ)
2302 		fad->fad_flags |= FAD_READ;
2303 	if (uap->prot & PROT_WRITE)
2304 		fad->fad_flags |= FAD_WRITE;
2305 
2306 	/* decrement file descriptor reference count */
2307 	releasef(fd);
2308 
2309 }	/* AUS_MMAP */
2310 
2311 
2312 
2313 
2314 /*ARGSUSED*/
2315 static void
2316 aus_munmap(struct t_audit_data *tad)
2317 {
2318 	klwp_t *clwp = ttolwp(curthread);
2319 
2320 	struct a {
2321 		long	addr;
2322 		long	len;
2323 	} *uap = (struct a *)clwp->lwp_ap;
2324 
2325 #ifdef _LP64
2326 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2327 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2328 #else
2329 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2330 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2331 #endif
2332 
2333 }	/* AUS_MUNMAP */
2334 
2335 
2336 
2337 
2338 
2339 
2340 
2341 /*ARGSUSED*/
2342 static void
2343 aus_priocntlsys(struct t_audit_data *tad)
2344 {
2345 	klwp_t *clwp = ttolwp(curthread);
2346 
2347 	struct a {
2348 		long	pc_version;
2349 		long	psp;		/* procset_t */
2350 		long	cmd;
2351 		long	arg;
2352 	} *uap = (struct a *)clwp->lwp_ap;
2353 
2354 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2355 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2356 
2357 }	/* AUS_PRIOCNTLSYS */
2358 
2359 
2360 /*ARGSUSED*/
2361 static void
2362 aus_setegid(struct t_audit_data *tad)
2363 {
2364 	klwp_t *clwp = ttolwp(curthread);
2365 	uint32_t gid;
2366 
2367 	struct a {
2368 		long	gid;
2369 	} *uap = (struct a *)clwp->lwp_ap;
2370 
2371 	gid = (uint32_t)uap->gid;
2372 
2373 	au_uwrite(au_to_arg32(1, "gid", gid));
2374 }	/* AUS_SETEGID */
2375 
2376 
2377 
2378 
2379 /*ARGSUSED*/
2380 static void
2381 aus_setgroups(struct t_audit_data *tad)
2382 {
2383 	klwp_t *clwp = ttolwp(curthread);
2384 	int i;
2385 	int gidsetsize;
2386 	uintptr_t gidset;
2387 	gid_t *gidlist;
2388 
2389 	struct a {
2390 		long	gidsetsize;
2391 		long	gidset;
2392 	} *uap = (struct a *)clwp->lwp_ap;
2393 
2394 	gidsetsize = (uint_t)uap->gidsetsize;
2395 	gidset = (uintptr_t)uap->gidset;
2396 
2397 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2398 		return;
2399 	if (gidsetsize != 0) {
2400 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2401 						KM_SLEEP);
2402 		if (copyin((caddr_t)gidset, gidlist,
2403 			gidsetsize * sizeof (gid_t)) == 0)
2404 			for (i = 0; i < gidsetsize; i++)
2405 				au_uwrite(au_to_arg32(1, "setgroups",
2406 						(uint32_t)gidlist[i]));
2407 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2408 	} else
2409 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2410 
2411 }	/* AUS_SETGROUPS */
2412 
2413 
2414 
2415 
2416 
2417 /*ARGSUSED*/
2418 static void
2419 aus_seteuid(struct t_audit_data *tad)
2420 {
2421 	klwp_t *clwp = ttolwp(curthread);
2422 	uint32_t uid;
2423 
2424 	struct a {
2425 		long	uid;
2426 	} *uap = (struct a *)clwp->lwp_ap;
2427 
2428 	uid = (uint32_t)uap->uid;
2429 
2430 	au_uwrite(au_to_arg32(1, "euid", uid));
2431 
2432 }	/* AUS_SETEUID */
2433 
2434 /*ARGSUSED*/
2435 static void
2436 aus_putmsg(struct t_audit_data *tad)
2437 {
2438 	klwp_t *clwp = ttolwp(curthread);
2439 	uint32_t fd, pri;
2440 	struct file *fp;
2441 	struct f_audit_data *fad;
2442 
2443 	struct a {
2444 		long	fdes;
2445 		long	ctl;		/* struct strbuf * */
2446 		long	data;		/* struct strbuf * */
2447 		long	pri;
2448 	} *uap = (struct a *)clwp->lwp_ap;
2449 
2450 	fd  = (uint32_t)uap->fdes;
2451 	pri = (uint32_t)uap->pri;
2452 
2453 	au_uwrite(au_to_arg32(1, "fd", fd));
2454 
2455 	if ((fp = getf(fd)) != NULL) {
2456 		fad = F2A(fp);
2457 
2458 		fad->fad_flags |= FAD_WRITE;
2459 
2460 		/* add path name to audit record */
2461 		if (fad->fad_aupath != NULL) {
2462 			au_uwrite(au_to_path(fad->fad_aupath));
2463 		}
2464 		audit_attributes(fp->f_vnode);
2465 
2466 		releasef(fd);
2467 	}
2468 
2469 	au_uwrite(au_to_arg32(4, "pri", pri));
2470 }
2471 
2472 /*ARGSUSED*/
2473 static void
2474 aus_putpmsg(struct t_audit_data *tad)
2475 {
2476 	klwp_t *clwp = ttolwp(curthread);
2477 	uint32_t fd, pri, flags;
2478 	struct file *fp;
2479 	struct f_audit_data *fad;
2480 
2481 	struct a {
2482 		long	fdes;
2483 		long	ctl;		/* struct strbuf * */
2484 		long	data;		/* struct strbuf * */
2485 		long	pri;
2486 		long	flags;
2487 	} *uap = (struct a *)clwp->lwp_ap;
2488 
2489 	fd = (uint32_t)uap->fdes;
2490 	pri  = (uint32_t)uap->pri;
2491 	flags  = (uint32_t)uap->flags;
2492 
2493 	au_uwrite(au_to_arg32(1, "fd", fd));
2494 
2495 	if ((fp = getf(fd)) != NULL) {
2496 		fad = F2A(fp);
2497 
2498 		fad->fad_flags |= FAD_WRITE;
2499 
2500 		/* add path name to audit record */
2501 		if (fad->fad_aupath != NULL) {
2502 			au_uwrite(au_to_path(fad->fad_aupath));
2503 		}
2504 		audit_attributes(fp->f_vnode);
2505 
2506 		releasef(fd);
2507 	}
2508 
2509 
2510 	au_uwrite(au_to_arg32(4, "pri", pri));
2511 	au_uwrite(au_to_arg32(5, "flags", flags));
2512 }
2513 
2514 /*ARGSUSED*/
2515 static void
2516 aus_getmsg(struct t_audit_data *tad)
2517 {
2518 	klwp_t *clwp = ttolwp(curthread);
2519 	uint32_t fd, pri;
2520 	struct file *fp;
2521 	struct f_audit_data *fad;
2522 
2523 	struct a {
2524 		long	fdes;
2525 		long	ctl;		/* struct strbuf * */
2526 		long	data;		/* struct strbuf * */
2527 		long	pri;
2528 	} *uap = (struct a *)clwp->lwp_ap;
2529 
2530 	fd  = (uint32_t)uap->fdes;
2531 	pri = (uint32_t)uap->pri;
2532 
2533 	au_uwrite(au_to_arg32(1, "fd", fd));
2534 
2535 	if ((fp = getf(fd)) != NULL) {
2536 		fad = F2A(fp);
2537 
2538 		/*
2539 		 * read operation on this object
2540 		 */
2541 		fad->fad_flags |= FAD_READ;
2542 
2543 		/* add path name to audit record */
2544 		if (fad->fad_aupath != NULL) {
2545 			au_uwrite(au_to_path(fad->fad_aupath));
2546 		}
2547 		audit_attributes(fp->f_vnode);
2548 
2549 		releasef(fd);
2550 	}
2551 
2552 	au_uwrite(au_to_arg32(4, "pri", pri));
2553 }
2554 
2555 /*ARGSUSED*/
2556 static void
2557 aus_getpmsg(struct t_audit_data *tad)
2558 {
2559 	klwp_t *clwp = ttolwp(curthread);
2560 	uint32_t fd;
2561 	struct file *fp;
2562 	struct f_audit_data *fad;
2563 
2564 	struct a {
2565 		long	fdes;
2566 		long	ctl;		/* struct strbuf * */
2567 		long	data;		/* struct strbuf * */
2568 		long	pri;
2569 		long	flags;
2570 	} *uap = (struct a *)clwp->lwp_ap;
2571 
2572 	fd = (uint32_t)uap->fdes;
2573 
2574 	au_uwrite(au_to_arg32(1, "fd", fd));
2575 
2576 	if ((fp = getf(fd)) != NULL) {
2577 		fad = F2A(fp);
2578 
2579 		/*
2580 		 * read operation on this object
2581 		 */
2582 		fad->fad_flags |= FAD_READ;
2583 
2584 		/* add path name to audit record */
2585 		if (fad->fad_aupath != NULL) {
2586 			au_uwrite(au_to_path(fad->fad_aupath));
2587 		}
2588 		audit_attributes(fp->f_vnode);
2589 
2590 		releasef(fd);
2591 	}
2592 }
2593 
2594 static au_event_t
2595 aui_auditsys(au_event_t e)
2596 {
2597 	klwp_t *clwp = ttolwp(curthread);
2598 	uint32_t code;
2599 
2600 	struct a {
2601 		long	code;
2602 		long	a1;
2603 		long	a2;
2604 		long	a3;
2605 		long	a4;
2606 		long	a5;
2607 		long	a6;
2608 		long	a7;
2609 	} *uap = (struct a *)clwp->lwp_ap;
2610 
2611 	code = (uint32_t)uap->code;
2612 
2613 	switch (code) {
2614 
2615 	case BSM_GETAUID:
2616 		e = AUE_GETAUID;
2617 		break;
2618 	case BSM_SETAUID:
2619 		e = AUE_SETAUID;
2620 		break;
2621 	case BSM_GETAUDIT:
2622 		e = AUE_GETAUDIT;
2623 		break;
2624 	case BSM_GETAUDIT_ADDR:
2625 		e = AUE_GETAUDIT_ADDR;
2626 		break;
2627 	case BSM_SETAUDIT:
2628 		e = AUE_SETAUDIT;
2629 		break;
2630 	case BSM_SETAUDIT_ADDR:
2631 		e = AUE_SETAUDIT_ADDR;
2632 		break;
2633 	case BSM_AUDIT:
2634 		e = AUE_AUDIT;
2635 		break;
2636 	case BSM_AUDITSVC:
2637 		e = AUE_AUDITSVC;
2638 		break;
2639 	case BSM_GETPORTAUDIT:
2640 		e = AUE_GETPORTAUDIT;
2641 		break;
2642 	case BSM_AUDITON:
2643 	case BSM_AUDITCTL:
2644 
2645 		switch ((uint_t)uap->a1) {
2646 
2647 		case A_GETPOLICY:
2648 			e = AUE_AUDITON_GPOLICY;
2649 			break;
2650 		case A_SETPOLICY:
2651 			e = AUE_AUDITON_SPOLICY;
2652 			break;
2653 		case A_GETKMASK:
2654 			e = AUE_AUDITON_GETKMASK;
2655 			break;
2656 		case A_SETKMASK:
2657 			e = AUE_AUDITON_SETKMASK;
2658 			break;
2659 		case A_GETQCTRL:
2660 			e = AUE_AUDITON_GQCTRL;
2661 			break;
2662 		case A_SETQCTRL:
2663 			e = AUE_AUDITON_SQCTRL;
2664 			break;
2665 		case A_GETCWD:
2666 			e = AUE_AUDITON_GETCWD;
2667 			break;
2668 		case A_GETCAR:
2669 			e = AUE_AUDITON_GETCAR;
2670 			break;
2671 		case A_GETSTAT:
2672 			e = AUE_AUDITON_GETSTAT;
2673 			break;
2674 		case A_SETSTAT:
2675 			e = AUE_AUDITON_SETSTAT;
2676 			break;
2677 		case A_SETUMASK:
2678 			e = AUE_AUDITON_SETUMASK;
2679 			break;
2680 		case A_SETSMASK:
2681 			e = AUE_AUDITON_SETSMASK;
2682 			break;
2683 		case A_GETCOND:
2684 			e = AUE_AUDITON_GETCOND;
2685 			break;
2686 		case A_SETCOND:
2687 			e = AUE_AUDITON_SETCOND;
2688 			break;
2689 		case A_GETCLASS:
2690 			e = AUE_AUDITON_GETCLASS;
2691 			break;
2692 		case A_SETCLASS:
2693 			e = AUE_AUDITON_SETCLASS;
2694 			break;
2695 		default:
2696 			e = AUE_NULL;
2697 			break;
2698 		}
2699 		break;
2700 	default:
2701 		e = AUE_NULL;
2702 		break;
2703 	}
2704 
2705 	return (e);
2706 
2707 
2708 
2709 
2710 }	/* AUI_AUDITSYS */
2711 
2712 
2713 
2714 
2715 
2716 
2717 
2718 static void
2719 aus_auditsys(struct t_audit_data *tad)
2720 {
2721 	klwp_t *clwp = ttolwp(curthread);
2722 	uintptr_t a1, a2;
2723 	struct file *fp;
2724 	struct f_audit_data *fad;
2725 	struct vnode *vp;
2726 	STRUCT_DECL(auditinfo, ainfo);
2727 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2728 	au_evclass_map_t event;
2729 	au_mask_t mask;
2730 	int auditstate, policy;
2731 
2732 
2733 	struct a {
2734 		long	code;
2735 		long	a1;
2736 		long	a2;
2737 		long	a3;
2738 		long	a4;
2739 		long	a5;
2740 		long	a6;
2741 		long	a7;
2742 	} *uap = (struct a *)clwp->lwp_ap;
2743 
2744 	a1   = (uintptr_t)uap->a1;
2745 	a2   = (uintptr_t)uap->a2;
2746 
2747 	switch (tad->tad_event) {
2748 	case AUE_SETAUID:
2749 		au_uwrite(au_to_arg32(2, "setauid", (uint32_t)a1));
2750 		break;
2751 	case AUE_SETAUDIT:
2752 		STRUCT_INIT(ainfo, get_udatamodel());
2753 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2754 				STRUCT_SIZE(ainfo))) {
2755 				return;
2756 		}
2757 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2758 			(uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2759 #ifdef _LP64
2760 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2761 			(uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2762 #else
2763 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2764 			(uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2765 #endif
2766 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2767 			(uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2768 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2769 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2770 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2771 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2772 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2773 			(uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2774 		break;
2775 	case AUE_SETAUDIT_ADDR:
2776 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2777 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2778 				STRUCT_SIZE(ainfo_addr))) {
2779 				return;
2780 		}
2781 		au_uwrite(au_to_arg32((char)1, "auid",
2782 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2783 #ifdef _LP64
2784 		au_uwrite(au_to_arg64((char)1, "port",
2785 			(uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2786 #else
2787 		au_uwrite(au_to_arg32((char)1, "port",
2788 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2789 #endif
2790 		au_uwrite(au_to_arg32((char)1, "type",
2791 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2792 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2793 		    AU_IPv4) {
2794 			au_uwrite(au_to_in_addr(
2795 				(struct in_addr *)STRUCT_FGETP(ainfo_addr,
2796 					ai_termid.at_addr)));
2797 		} else {
2798 			au_uwrite(au_to_in_addr_ex(
2799 				(int32_t *)STRUCT_FGETP(ainfo_addr,
2800 					ai_termid.at_addr)));
2801 		}
2802 		au_uwrite(au_to_arg32((char)1, "as_success",
2803 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2804 		au_uwrite(au_to_arg32((char)1, "as_failure",
2805 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2806 		au_uwrite(au_to_arg32((char)1, "asid",
2807 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2808 		break;
2809 	case AUE_AUDITSVC:
2810 		/*
2811 		 * convert file pointer to file descriptor
2812 		 * Note: fd ref count incremented here
2813 		 */
2814 		if ((fp = getf((uint_t)a1)) == NULL)
2815 			return;
2816 		fad = F2A(fp);
2817 		if (fad->fad_aupath != NULL) {
2818 			au_uwrite(au_to_path(fad->fad_aupath));
2819 		} else {
2820 			au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1));
2821 		}
2822 
2823 		vp = fp->f_vnode;	/* include vnode attributes */
2824 		audit_attributes(vp);
2825 
2826 		/* decrement file descriptor ref count */
2827 		releasef((uint_t)a1);
2828 
2829 		au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2));
2830 		break;
2831 	case AUE_AUDITON_SETKMASK:
2832 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2833 				return;
2834 		au_uwrite(au_to_arg32(
2835 			2, "setkmask:as_success", (uint32_t)mask.as_success));
2836 		au_uwrite(au_to_arg32(
2837 			2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2838 		break;
2839 	case AUE_AUDITON_SPOLICY:
2840 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2841 			return;
2842 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2843 		break;
2844 	case AUE_AUDITON_SQCTRL: {
2845 		STRUCT_DECL(au_qctrl, qctrl);
2846 		model_t model;
2847 
2848 		model = get_udatamodel();
2849 		STRUCT_INIT(qctrl, model);
2850 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
2851 				return;
2852 		if (model == DATAMODEL_ILP32) {
2853 			au_uwrite(au_to_arg32(
2854 				3, "setqctrl:aq_hiwater",
2855 				(uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
2856 			au_uwrite(au_to_arg32(
2857 				3, "setqctrl:aq_lowater",
2858 				(uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
2859 			au_uwrite(au_to_arg32(
2860 				3, "setqctrl:aq_bufsz",
2861 				(uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
2862 			au_uwrite(au_to_arg32(
2863 				3, "setqctrl:aq_delay",
2864 				(uint32_t)STRUCT_FGET(qctrl, aq_delay)));
2865 		} else {
2866 			au_uwrite(au_to_arg64(
2867 				3, "setqctrl:aq_hiwater",
2868 				(uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
2869 			au_uwrite(au_to_arg64(
2870 				3, "setqctrl:aq_lowater",
2871 				(uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
2872 			au_uwrite(au_to_arg64(
2873 				3, "setqctrl:aq_bufsz",
2874 				(uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
2875 			au_uwrite(au_to_arg64(
2876 				3, "setqctrl:aq_delay",
2877 				(uint64_t)STRUCT_FGET(qctrl, aq_delay)));
2878 		}
2879 		break;
2880 	}
2881 	case AUE_AUDITON_SETUMASK:
2882 		STRUCT_INIT(ainfo, get_udatamodel());
2883 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2884 				STRUCT_SIZE(ainfo))) {
2885 				return;
2886 		}
2887 		au_uwrite(au_to_arg32(3, "setumask:as_success",
2888 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2889 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
2890 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2891 		break;
2892 	case AUE_AUDITON_SETSMASK:
2893 		STRUCT_INIT(ainfo, get_udatamodel());
2894 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2895 				STRUCT_SIZE(ainfo))) {
2896 				return;
2897 		}
2898 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
2899 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2900 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
2901 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2902 		break;
2903 	case AUE_AUDITON_SETCOND:
2904 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
2905 			return;
2906 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
2907 		break;
2908 	case AUE_AUDITON_SETCLASS:
2909 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
2910 			return;
2911 		au_uwrite(au_to_arg32(
2912 			2, "setclass:ec_event", (uint32_t)event.ec_number));
2913 		au_uwrite(au_to_arg32(
2914 			3, "setclass:ec_class", (uint32_t)event.ec_class));
2915 		break;
2916 	case AUE_GETAUID:
2917 	case AUE_GETAUDIT:
2918 	case AUE_GETAUDIT_ADDR:
2919 	case AUE_AUDIT:
2920 	case AUE_GETPORTAUDIT:
2921 	case AUE_AUDITON_GPOLICY:
2922 	case AUE_AUDITON_GQCTRL:
2923 	case AUE_AUDITON_GETKMASK:
2924 	case AUE_AUDITON_GETCWD:
2925 	case AUE_AUDITON_GETCAR:
2926 	case AUE_AUDITON_GETSTAT:
2927 	case AUE_AUDITON_SETSTAT:
2928 	case AUE_AUDITON_GETCOND:
2929 	case AUE_AUDITON_GETCLASS:
2930 		break;
2931 	default:
2932 		break;
2933 	}
2934 
2935 }	/* AUS_AUDITSYS */
2936 
2937 
2938 /* only audit privileged operations for systeminfo(2) system call */
2939 static au_event_t
2940 aui_sysinfo(au_event_t e)
2941 {
2942 	klwp_t *clwp = ttolwp(curthread);
2943 	uint32_t command;
2944 
2945 	struct a {
2946 		long	command;
2947 		long	buf;		/* char * */
2948 		long	count;
2949 	} *uap = (struct a *)clwp->lwp_ap;
2950 
2951 	command = (uint32_t)uap->command;
2952 
2953 	switch (command) {
2954 	case SI_SET_HOSTNAME:
2955 	case SI_SET_SRPC_DOMAIN:
2956 		e = (au_event_t)AUE_SYSINFO;
2957 		break;
2958 	default:
2959 		e = (au_event_t)AUE_NULL;
2960 		break;
2961 	}
2962 	return (e);
2963 }
2964 
2965 /*ARGSUSED*/
2966 static void
2967 aus_sysinfo(struct t_audit_data *tad)
2968 {
2969 	klwp_t *clwp = ttolwp(curthread);
2970 	uint32_t command;
2971 	size_t len, maxlen;
2972 	char *name;
2973 	uintptr_t buf;
2974 
2975 	struct a {
2976 		long	command;
2977 		long	buf;		/* char * */
2978 		long	count;
2979 	} *uap = (struct a *)clwp->lwp_ap;
2980 
2981 	command = (uint32_t)uap->command;
2982 	buf = (uintptr_t)uap->buf;
2983 
2984 	au_uwrite(au_to_arg32(1, "cmd", command));
2985 
2986 	switch (command) {
2987 	case SI_SET_HOSTNAME:
2988 	{
2989 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
2990 			return;
2991 
2992 		maxlen = SYS_NMLN;
2993 		name = kmem_alloc(maxlen, KM_SLEEP);
2994 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
2995 			break;
2996 
2997 		/*
2998 		 * Must be non-NULL string and string
2999 		 * must be less than SYS_NMLN chars.
3000 		 */
3001 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3002 			break;
3003 
3004 		au_uwrite(au_to_text(name));
3005 		break;
3006 	}
3007 
3008 	case SI_SET_SRPC_DOMAIN:
3009 	{
3010 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3011 			return;
3012 
3013 		maxlen = SYS_NMLN;
3014 		name = kmem_alloc(maxlen, KM_SLEEP);
3015 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3016 			break;
3017 
3018 		/*
3019 		 * If string passed in is longer than length
3020 		 * allowed for domain name, fail.
3021 		 */
3022 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3023 			break;
3024 
3025 		au_uwrite(au_to_text(name));
3026 		break;
3027 	}
3028 
3029 	default:
3030 		return;
3031 	}
3032 
3033 	kmem_free(name, maxlen);
3034 }
3035 
3036 static au_event_t
3037 aui_modctl(au_event_t e)
3038 {
3039 	klwp_t *clwp = ttolwp(curthread);
3040 	uint_t cmd;
3041 
3042 	struct a {
3043 		long	cmd;
3044 	} *uap = (struct a *)clwp->lwp_ap;
3045 
3046 	cmd = (uint_t)uap->cmd;
3047 
3048 	switch (cmd) {
3049 	case MODLOAD:
3050 		e = AUE_MODLOAD;
3051 		break;
3052 	case MODUNLOAD:
3053 		e = AUE_MODUNLOAD;
3054 		break;
3055 	case MODADDMAJBIND:
3056 		e = AUE_MODADDMAJ;
3057 		break;
3058 	case MODSETDEVPOLICY:
3059 		e = AUE_MODDEVPLCY;
3060 		break;
3061 	case MODALLOCPRIV:
3062 		e = AUE_MODADDPRIV;
3063 		break;
3064 	default:
3065 		e = AUE_NULL;
3066 		break;
3067 	}
3068 	return (e);
3069 }
3070 
3071 
3072 /*ARGSUSED*/
3073 static void
3074 aus_modctl(struct t_audit_data *tad)
3075 {
3076 	klwp_t *clwp = ttolwp(curthread);
3077 	void *a	= clwp->lwp_ap;
3078 	uint_t use_path;
3079 
3080 	switch (tad->tad_event) {
3081 	case AUE_MODLOAD: {
3082 		typedef struct {
3083 			long	cmd;
3084 			long	use_path;
3085 			long	filename;		/* char * */
3086 		} modloada_t;
3087 
3088 		char *filenamep;
3089 		uintptr_t fname;
3090 		extern char *default_path;
3091 
3092 		fname = (uintptr_t)((modloada_t *)a)->filename;
3093 		use_path = (uint_t)((modloada_t *)a)->use_path;
3094 
3095 			/* space to hold path */
3096 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3097 			/* get string */
3098 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3099 				/* free allocated path */
3100 			kmem_free(filenamep, MOD_MAXPATH);
3101 			return;
3102 		}
3103 			/* ensure it's null terminated */
3104 		filenamep[MOD_MAXPATH - 1] = 0;
3105 
3106 		if (use_path)
3107 			au_uwrite(au_to_text(default_path));
3108 		au_uwrite(au_to_text(filenamep));
3109 
3110 			/* release temporary memory */
3111 		kmem_free(filenamep, MOD_MAXPATH);
3112 		break;
3113 	}
3114 	case AUE_MODUNLOAD: {
3115 		typedef struct {
3116 			long	cmd;
3117 			long	id;
3118 		} modunloada_t;
3119 
3120 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3121 
3122 		au_uwrite(au_to_arg32(1, "id", id));
3123 		break;
3124 	}
3125 	case AUE_MODADDMAJ: {
3126 		STRUCT_DECL(modconfig, mc);
3127 		typedef struct {
3128 			long	cmd;
3129 			long	subcmd;
3130 			long	data;		/* int * */
3131 		} modconfiga_t;
3132 
3133 		STRUCT_DECL(aliases, alias);
3134 		caddr_t ap;
3135 		int i, num_aliases;
3136 		char *drvname, *mc_drvname;
3137 		char *name;
3138 		extern char *ddi_major_to_name(major_t);
3139 		model_t model;
3140 
3141 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3142 
3143 		model = get_udatamodel();
3144 		STRUCT_INIT(mc, model);
3145 			/* sanitize buffer */
3146 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3147 			/* get user arguments */
3148 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3149 				STRUCT_SIZE(mc)) != 0)
3150 			return;
3151 
3152 		mc_drvname = STRUCT_FGET(mc, drvname);
3153 		if ((drvname = ddi_major_to_name(
3154 			(major_t)STRUCT_FGET(mc, major))) != NULL &&
3155 			strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3156 				/* safety */
3157 			if (mc_drvname[0] != '\0') {
3158 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3159 				au_uwrite(au_to_text(mc_drvname));
3160 			}
3161 				/* drvname != NULL from test above */
3162 			au_uwrite(au_to_text(drvname));
3163 			return;
3164 		}
3165 
3166 		if (mc_drvname[0] != '\0') {
3167 				/* safety */
3168 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3169 			au_uwrite(au_to_text(mc_drvname));
3170 		} else
3171 			au_uwrite(au_to_text("no drvname"));
3172 
3173 		num_aliases = STRUCT_FGET(mc, num_aliases);
3174 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3175 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3176 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3177 		STRUCT_INIT(alias, model);
3178 		for (i = 0; i < num_aliases; i++) {
3179 			bzero((caddr_t)STRUCT_BUF(alias),
3180 					STRUCT_SIZE(alias));
3181 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3182 					STRUCT_SIZE(alias)) != 0)
3183 				break;
3184 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3185 			    MAXMODCONFNAME, NULL) != 0) {
3186 				break;
3187 			}
3188 
3189 			au_uwrite(au_to_text(name));
3190 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3191 		}
3192 		kmem_free(name, MAXMODCONFNAME);
3193 		break;
3194 	}
3195 	default:
3196 		break;
3197 	}
3198 }
3199 
3200 /*
3201  * private version of getsonode that does not do eprintsoline()
3202  */
3203 static struct sonode *
3204 au_getsonode(int sock, int *errorp, file_t **fpp)
3205 {
3206 	file_t *fp;
3207 	register vnode_t *vp;
3208 	struct sonode *so;
3209 
3210 	if ((fp = getf(sock)) == NULL) {
3211 		*errorp = EBADF;
3212 		return (NULL);
3213 	}
3214 	vp = fp->f_vnode;
3215 	/* Check if it is a socket */
3216 	if (vp->v_type != VSOCK) {
3217 		releasef(sock);
3218 		*errorp = ENOTSOCK;
3219 		return (NULL);
3220 	}
3221 	/*
3222 	 * Use the stream head to find the real socket vnode.
3223 	 * This is needed when namefs sits above sockfs.
3224 	 */
3225 	ASSERT(vp->v_stream);
3226 	ASSERT(vp->v_stream->sd_vnode);
3227 	vp = vp->v_stream->sd_vnode;
3228 	so = VTOSO(vp);
3229 	if (so->so_version == SOV_STREAM) {
3230 		releasef(sock);
3231 		*errorp = ENOTSOCK;
3232 		return (NULL);
3233 	}
3234 	if (fpp)
3235 		*fpp = fp;
3236 	return (so);
3237 }
3238 
3239 /*ARGSUSED*/
3240 static void
3241 auf_accept(
3242 	struct t_audit_data *tad,
3243 	int	error,
3244 	rval_t	*rval)
3245 {
3246 	uint32_t scid;
3247 	uint32_t sy_flags;
3248 	int fd;
3249 	struct sonode *so;
3250 	char so_laddr[sizeof (struct sockaddr_in6)];
3251 	char so_faddr[sizeof (struct sockaddr_in6)];
3252 	int err;
3253 	int len;
3254 	short so_family, so_type;
3255 	int add_sock_token = 0;
3256 
3257 	/* need to determine type of executing binary */
3258 	scid = tad->tad_scid;
3259 #ifdef _SYSCALL32_IMPL
3260 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3261 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3262 	else
3263 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3264 #else
3265 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3266 #endif
3267 	if (sy_flags == SE_32RVAL1)
3268 		fd = rval->r_val1;
3269 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3270 		fd = rval->r_val1;
3271 	if (sy_flags == SE_64RVAL)
3272 		fd = (int)rval->r_vals;
3273 
3274 	if (error) {
3275 		/* can't trust socket contents. Just return */
3276 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3277 		return;
3278 	}
3279 
3280 	if ((so = au_getsonode((int)fd, &err, NULL)) == NULL) {
3281 		/*
3282 		 * not security relevant if doing a accept from non socket
3283 		 * so no extra tokens. Should probably turn off audit record
3284 		 * generation here.
3285 		 */
3286 		return;
3287 	}
3288 
3289 	so_family = so->so_family;
3290 	so_type   = so->so_type;
3291 
3292 	switch (so_family) {
3293 	case AF_INET:
3294 	case AF_INET6:
3295 		/*
3296 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3297 		 */
3298 		if (so->so_type == SOCK_STREAM) {
3299 
3300 			bzero((void *)so_laddr, sizeof (so_laddr));
3301 			bzero((void *)so_faddr, sizeof (so_faddr));
3302 
3303 			/*
3304 			 * no local address then need to get it from lower
3305 			 * levels. only put out record on first read ala
3306 			 * AUE_WRITE.
3307 			 */
3308 			if (so->so_state & SS_ISBOUND) {
3309 				/* only done once on a connection */
3310 				(void) SOP_GETSOCKNAME(so);
3311 				(void) SOP_GETPEERNAME(so);
3312 
3313 				/* get local and foreign addresses */
3314 				mutex_enter(&so->so_lock);
3315 				len = min(so->so_laddr_len, sizeof (so_laddr));
3316 				bcopy(so->so_laddr_sa, so_laddr, len);
3317 				len = min(so->so_faddr_len, sizeof (so_faddr));
3318 				bcopy(so->so_faddr_sa, so_faddr, len);
3319 				mutex_exit(&so->so_lock);
3320 			}
3321 
3322 			add_sock_token = 1;
3323 		}
3324 		break;
3325 
3326 	default:
3327 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3328 		break;
3329 	}
3330 
3331 	releasef(fd);
3332 
3333 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3334 
3335 	if (add_sock_token == 0) {
3336 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3337 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3338 		return;
3339 	}
3340 
3341 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3342 
3343 }
3344 
3345 /*ARGSUSED*/
3346 static void
3347 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3348 {
3349 	struct a {
3350 		long	fd;
3351 		long	addr;
3352 		long	len;
3353 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3354 
3355 	struct sonode *so;
3356 	char so_laddr[sizeof (struct sockaddr_in6)];
3357 	char so_faddr[sizeof (struct sockaddr_in6)];
3358 	int err, fd;
3359 	int len;
3360 	short so_family, so_type;
3361 	int add_sock_token = 0;
3362 
3363 	fd = (int)uap->fd;
3364 
3365 	/*
3366 	 * bind failed, then nothing extra to add to audit record.
3367 	 */
3368 	if (error) {
3369 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3370 		/* XXX may want to add failed address some day */
3371 		return;
3372 	}
3373 
3374 	if ((so = au_getsonode(fd, &err, NULL)) == NULL) {
3375 		/*
3376 		 * not security relevant if doing a bind from non socket
3377 		 * so no extra tokens. Should probably turn off audit record
3378 		 * generation here.
3379 		 */
3380 		return;
3381 	}
3382 
3383 	so_family = so->so_family;
3384 	so_type   = so->so_type;
3385 
3386 	switch (so_family) {
3387 	case AF_INET:
3388 	case AF_INET6:
3389 
3390 		bzero(so_faddr, sizeof (so_faddr));
3391 
3392 		if (so->so_state & SS_ISBOUND) {
3393 			/* only done once on a connection */
3394 			(void) SOP_GETSOCKNAME(so);
3395 		}
3396 
3397 		mutex_enter(&so->so_lock);
3398 		len = min(so->so_laddr_len, sizeof (so_laddr));
3399 		bcopy(so->so_laddr_sa, so_laddr, len);
3400 		mutex_exit(&so->so_lock);
3401 
3402 		add_sock_token = 1;
3403 
3404 		break;
3405 
3406 	case AF_UNIX:
3407 		/* token added by lookup */
3408 		break;
3409 	default:
3410 		/* AF_ROUTE, AF_KEY do not support accept */
3411 		break;
3412 	}
3413 
3414 	releasef(fd);
3415 
3416 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3417 
3418 	if (add_sock_token == 0) {
3419 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3420 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3421 		return;
3422 	}
3423 
3424 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3425 
3426 }
3427 
3428 /*ARGSUSED*/
3429 static void
3430 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3431 {
3432 	struct a {
3433 		long	fd;
3434 		long	addr;
3435 		long	len;
3436 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3437 
3438 	struct sonode *so;
3439 	char so_laddr[sizeof (struct sockaddr_in6)];
3440 	char so_faddr[sizeof (struct sockaddr_in6)];
3441 	int err, fd;
3442 	int len;
3443 	short so_family, so_type;
3444 	int add_sock_token = 0;
3445 
3446 	fd = (int)uap->fd;
3447 
3448 
3449 	if ((so = au_getsonode(fd, &err, NULL)) == NULL) {
3450 		/*
3451 		 * not security relevant if doing a connect from non socket
3452 		 * so no extra tokens. Should probably turn off audit record
3453 		 * generation here.
3454 		 */
3455 		return;
3456 	}
3457 
3458 	so_family = so->so_family;
3459 	so_type   = so->so_type;
3460 
3461 	switch (so_family) {
3462 	case AF_INET:
3463 	case AF_INET6:
3464 		/*
3465 		 * no local address then need to get it from lower
3466 		 * levels.
3467 		 */
3468 		if (so->so_state & SS_ISBOUND) {
3469 			/* only done once on a connection */
3470 			(void) SOP_GETSOCKNAME(so);
3471 			(void) SOP_GETPEERNAME(so);
3472 		}
3473 
3474 		bzero(so_laddr, sizeof (so_laddr));
3475 		bzero(so_faddr, sizeof (so_faddr));
3476 
3477 		mutex_enter(&so->so_lock);
3478 		len = min(so->so_laddr_len, sizeof (so_laddr));
3479 		bcopy(so->so_laddr_sa, so_laddr, len);
3480 		if (error) {
3481 			mutex_exit(&so->so_lock);
3482 			if (uap->addr == NULL)
3483 				break;
3484 			if (uap->len <= 0)
3485 				break;
3486 			len = min(uap->len, sizeof (so_faddr));
3487 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3488 				break;
3489 #ifdef NOTYET
3490 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3491 #endif
3492 		} else {
3493 			/* sanity check on length */
3494 			len = min(so->so_faddr_len, sizeof (so_faddr));
3495 			bcopy(so->so_faddr_sa, so_faddr, len);
3496 			mutex_exit(&so->so_lock);
3497 		}
3498 
3499 		add_sock_token = 1;
3500 
3501 		break;
3502 
3503 	case AF_UNIX:
3504 		/* does a lookup on name */
3505 		break;
3506 
3507 	default:
3508 		/* AF_ROUTE, AF_KEY do not support accept */
3509 		break;
3510 	}
3511 
3512 	releasef(fd);
3513 
3514 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3515 
3516 	if (add_sock_token == 0) {
3517 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3518 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3519 		return;
3520 	}
3521 
3522 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3523 
3524 }
3525 
3526 /*ARGSUSED*/
3527 static void
3528 aus_shutdown(struct t_audit_data *tad)
3529 {
3530 	struct a {
3531 		long	fd;
3532 		long	how;
3533 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3534 
3535 	struct sonode *so;
3536 	char so_laddr[sizeof (struct sockaddr_in6)];
3537 	char so_faddr[sizeof (struct sockaddr_in6)];
3538 	int err, fd;
3539 	int len;
3540 	short so_family, so_type;
3541 	int add_sock_token = 0;
3542 	file_t *fp;				/* unix domain sockets */
3543 	struct f_audit_data *fad;		/* unix domain sockets */
3544 
3545 	fd = (int)uap->fd;
3546 
3547 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3548 		/*
3549 		 * not security relevant if doing a shutdown using non socket
3550 		 * so no extra tokens. Should probably turn off audit record
3551 		 * generation here.
3552 		 */
3553 		return;
3554 	}
3555 
3556 	so_family = so->so_family;
3557 	so_type   = so->so_type;
3558 
3559 	switch (so_family) {
3560 	case AF_INET:
3561 	case AF_INET6:
3562 
3563 		bzero(so_laddr, sizeof (so_laddr));
3564 		bzero(so_faddr, sizeof (so_faddr));
3565 
3566 		if (so->so_state & SS_ISBOUND) {
3567 			/*
3568 			 * no local address then need to get it from lower
3569 			 * levels.
3570 			 */
3571 			if (so->so_laddr_len == 0)
3572 				(void) SOP_GETSOCKNAME(so);
3573 			if (so->so_faddr_len == 0)
3574 				(void) SOP_GETPEERNAME(so);
3575 		}
3576 
3577 		mutex_enter(&so->so_lock);
3578 		len = min(so->so_laddr_len, sizeof (so_laddr));
3579 		bcopy(so->so_laddr_sa, so_laddr, len);
3580 		len = min(so->so_faddr_len, sizeof (so_faddr));
3581 		bcopy(so->so_faddr_sa, so_faddr, len);
3582 		mutex_exit(&so->so_lock);
3583 
3584 		add_sock_token = 1;
3585 
3586 		break;
3587 
3588 	case AF_UNIX:
3589 
3590 		/* get path from file struct here */
3591 		fad = F2A(fp);
3592 		ASSERT(fad);
3593 
3594 		if (fad->fad_aupath != NULL) {
3595 			au_uwrite(au_to_path(fad->fad_aupath));
3596 		} else {
3597 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3598 		}
3599 
3600 		audit_attributes(fp->f_vnode);
3601 
3602 		break;
3603 
3604 	default:
3605 		/*
3606 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3607 		 * added.
3608 		 */
3609 		break;
3610 	}
3611 
3612 	releasef(fd);
3613 
3614 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3615 
3616 	if (add_sock_token == 0) {
3617 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3618 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3619 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3620 		return;
3621 	}
3622 
3623 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3624 
3625 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3626 
3627 }
3628 
3629 /*ARGSUSED*/
3630 static void
3631 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3632 {
3633 	struct a {
3634 		long	fd;
3635 		long	level;
3636 		long	optname;
3637 		long	*optval;
3638 		long	optlen;
3639 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3640 
3641 	struct sonode	*so;
3642 	char so_laddr[sizeof (struct sockaddr_in6)];
3643 	char so_faddr[sizeof (struct sockaddr_in6)];
3644 	char		val[AU_BUFSIZE];
3645 	int		err, fd;
3646 	int		len;
3647 	short so_family, so_type;
3648 	int		add_sock_token = 0;
3649 	file_t *fp;				/* unix domain sockets */
3650 	struct f_audit_data *fad;		/* unix domain sockets */
3651 
3652 	fd = (int)uap->fd;
3653 
3654 	if (error) {
3655 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3656 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3657 		/* XXX may want to include other arguments */
3658 		return;
3659 	}
3660 
3661 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3662 		/*
3663 		 * not security relevant if doing a setsockopt from non socket
3664 		 * so no extra tokens. Should probably turn off audit record
3665 		 * generation here.
3666 		 */
3667 		return;
3668 	}
3669 
3670 	so_family = so->so_family;
3671 	so_type   = so->so_type;
3672 
3673 	switch (so_family) {
3674 	case AF_INET:
3675 	case AF_INET6:
3676 
3677 		bzero((void *)so_laddr, sizeof (so_laddr));
3678 		bzero((void *)so_faddr, sizeof (so_faddr));
3679 
3680 		if (so->so_state & SS_ISBOUND) {
3681 			if (so->so_laddr_len == 0)
3682 				(void) SOP_GETSOCKNAME(so);
3683 			if (so->so_faddr_len == 0)
3684 				(void) SOP_GETPEERNAME(so);
3685 		}
3686 
3687 		/* get local and foreign addresses */
3688 		mutex_enter(&so->so_lock);
3689 		len = min(so->so_laddr_len, sizeof (so_laddr));
3690 		bcopy(so->so_laddr_sa, so_laddr, len);
3691 		len = min(so->so_faddr_len, sizeof (so_faddr));
3692 		bcopy(so->so_faddr_sa, so_faddr, len);
3693 		mutex_exit(&so->so_lock);
3694 
3695 		add_sock_token = 1;
3696 
3697 		break;
3698 
3699 	case AF_UNIX:
3700 
3701 		/* get path from file struct here */
3702 		fad = F2A(fp);
3703 		ASSERT(fad);
3704 
3705 		if (fad->fad_aupath != NULL) {
3706 			au_uwrite(au_to_path(fad->fad_aupath));
3707 		} else {
3708 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3709 		}
3710 
3711 		audit_attributes(fp->f_vnode);
3712 
3713 		break;
3714 
3715 	default:
3716 		/*
3717 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3718 		 * added.
3719 		 */
3720 		break;
3721 	}
3722 
3723 	releasef(fd);
3724 
3725 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3726 
3727 	if (add_sock_token == 0) {
3728 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3729 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3730 	}
3731 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3732 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3733 
3734 	bzero(val, sizeof (val));
3735 	len = min(uap->optlen, sizeof (val));
3736 	if ((len > 0) &&
3737 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3738 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3739 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3740 	}
3741 
3742 	if (add_sock_token == 0)
3743 		return;
3744 
3745 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3746 
3747 }
3748 
3749 /*ARGSUSED*/
3750 static void
3751 aus_sockconfig(tad)
3752 	struct t_audit_data *tad;
3753 {
3754 	struct a {
3755 		long	domain;
3756 		long	type;
3757 		long	protocol;
3758 		long	devpath;
3759 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3760 
3761 	char	*kdevpath;
3762 	int	kdevpathlen = MAXPATHLEN + 1;
3763 	size_t	size;
3764 
3765 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3766 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3767 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3768 
3769 	if (uap->devpath == 0) {
3770 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3771 	} else {
3772 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3773 
3774 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3775 			&size)) {
3776 			kmem_free(kdevpath, kdevpathlen);
3777 			return;
3778 		}
3779 
3780 		if (size > MAXPATHLEN) {
3781 			kmem_free(kdevpath, kdevpathlen);
3782 			return;
3783 		}
3784 
3785 		au_uwrite(au_to_text(kdevpath));
3786 		kmem_free(kdevpath, kdevpathlen);
3787 	}
3788 }
3789 
3790 /*
3791  * only audit recvmsg when the system call represents the creation of a new
3792  * circuit. This effectively occurs for all UDP packets and may occur for
3793  * special TCP situations where the local host has not set a local address
3794  * in the socket structure.
3795  */
3796 /*ARGSUSED*/
3797 static void
3798 auf_recvmsg(
3799 	struct t_audit_data *tad,
3800 	int error,
3801 	rval_t *rvp)
3802 {
3803 	struct a {
3804 		long	fd;
3805 		long	msg;	/* struct msghdr */
3806 		long	flags;
3807 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3808 
3809 	struct sonode	*so;
3810 	STRUCT_DECL(msghdr, msg);
3811 	caddr_t msg_name;
3812 	socklen_t msg_namelen;
3813 	int fd;
3814 	int err;
3815 	char so_laddr[sizeof (struct sockaddr_in6)];
3816 	char so_faddr[sizeof (struct sockaddr_in6)];
3817 	int len;
3818 	file_t *fp;				/* unix domain sockets */
3819 	struct f_audit_data *fad;		/* unix domain sockets */
3820 	short so_family, so_type;
3821 	int add_sock_token = 0;
3822 	au_kcontext_t	*kctx = SET_KCTX_PZ;
3823 
3824 	fd = (int)uap->fd;
3825 
3826 	/* bail if an error */
3827 	if (error) {
3828 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3829 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3830 		return;
3831 	}
3832 
3833 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3834 		/*
3835 		 * not security relevant if doing a recvmsg from non socket
3836 		 * so no extra tokens. Should probably turn off audit record
3837 		 * generation here.
3838 		 */
3839 		return;
3840 	}
3841 
3842 	so_family = so->so_family;
3843 	so_type   = so->so_type;
3844 
3845 	/*
3846 	 * only putout SOCKET_EX token if INET/INET6 family.
3847 	 * XXX - what do we do about other families?
3848 	 */
3849 
3850 	switch (so_family) {
3851 	case AF_INET:
3852 	case AF_INET6:
3853 
3854 		/*
3855 		 * if datagram type socket, then just use what is in
3856 		 * socket structure for local address.
3857 		 * XXX - what do we do for other types?
3858 		 */
3859 		if ((so->so_type == SOCK_DGRAM) ||
3860 		    (so->so_type == SOCK_RAW)) {
3861 			add_sock_token = 1;
3862 
3863 			bzero((void *)so_laddr, sizeof (so_laddr));
3864 			bzero((void *)so_faddr, sizeof (so_faddr));
3865 
3866 			/* get local address */
3867 			mutex_enter(&so->so_lock);
3868 			len = min(so->so_laddr_len, sizeof (so_laddr));
3869 			bcopy(so->so_laddr_sa, so_laddr, len);
3870 			mutex_exit(&so->so_lock);
3871 
3872 			/* get peer address */
3873 			STRUCT_INIT(msg, get_udatamodel());
3874 
3875 			if (copyin((caddr_t)(uap->msg),
3876 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3877 				break;
3878 			}
3879 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3880 			if (msg_name == NULL) {
3881 				break;
3882 			}
3883 
3884 			/* length is value from recvmsg - sanity check */
3885 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3886 			if (msg_namelen == 0) {
3887 				break;
3888 			}
3889 			if (copyin(msg_name, so_faddr,
3890 			    sizeof (so_faddr)) != 0) {
3891 				break;
3892 			}
3893 
3894 		} else if (so->so_type == SOCK_STREAM) {
3895 
3896 			/* get path from file struct here */
3897 			fad = F2A(fp);
3898 			ASSERT(fad);
3899 
3900 			/*
3901 			 * already processed this file for read attempt
3902 			 */
3903 			if (fad->fad_flags & FAD_READ) {
3904 				/* don't want to audit every recvmsg attempt */
3905 				tad->tad_flag = 0;
3906 				/* free any residual audit data */
3907 				au_close(kctx, &(u_ad), 0, 0, 0);
3908 				releasef(fd);
3909 				return;
3910 			}
3911 			/*
3912 			 * mark things so we know what happened and don't
3913 			 * repeat things
3914 			 */
3915 			fad->fad_flags |= FAD_READ;
3916 
3917 			bzero((void *)so_laddr, sizeof (so_laddr));
3918 			bzero((void *)so_faddr, sizeof (so_faddr));
3919 
3920 			if (so->so_state & SS_ISBOUND) {
3921 
3922 				if (so->so_laddr_len == 0)
3923 					(void) SOP_GETSOCKNAME(so);
3924 				if (so->so_faddr_len == 0)
3925 					(void) SOP_GETPEERNAME(so);
3926 
3927 				/* get local and foreign addresses */
3928 				mutex_enter(&so->so_lock);
3929 				len = min(so->so_laddr_len, sizeof (so_laddr));
3930 				bcopy(so->so_laddr_sa, so_laddr, len);
3931 				len = min(so->so_faddr_len, sizeof (so_faddr));
3932 				bcopy(so->so_faddr_sa, so_faddr, len);
3933 				mutex_exit(&so->so_lock);
3934 			}
3935 
3936 			add_sock_token = 1;
3937 		}
3938 
3939 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
3940 
3941 		break;
3942 
3943 	case AF_UNIX:
3944 		/*
3945 		 * first check if this is first time through. Too much
3946 		 * duplicate code to put this in an aui_ routine.
3947 		 */
3948 
3949 		/* get path from file struct here */
3950 		fad = F2A(fp);
3951 		ASSERT(fad);
3952 
3953 		/*
3954 		 * already processed this file for read attempt
3955 		 */
3956 		if (fad->fad_flags & FAD_READ) {
3957 			releasef(fd);
3958 			/* don't want to audit every recvmsg attempt */
3959 			tad->tad_flag = 0;
3960 			/* free any residual audit data */
3961 			au_close(kctx, &(u_ad), 0, 0, 0);
3962 			return;
3963 		}
3964 		/*
3965 		 * mark things so we know what happened and don't
3966 		 * repeat things
3967 		 */
3968 		fad->fad_flags |= FAD_READ;
3969 
3970 		if (fad->fad_aupath != NULL) {
3971 			au_uwrite(au_to_path(fad->fad_aupath));
3972 		} else {
3973 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3974 		}
3975 
3976 		audit_attributes(fp->f_vnode);
3977 
3978 		releasef(fd);
3979 
3980 		return;
3981 
3982 	default:
3983 		break;
3984 
3985 	}
3986 
3987 	releasef(fd);
3988 
3989 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3990 
3991 	if (add_sock_token == 0) {
3992 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
3993 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
3994 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3995 		return;
3996 	}
3997 
3998 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3999 
4000 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4001 
4002 }
4003 
4004 /*ARGSUSED*/
4005 static void
4006 auf_recvfrom(
4007 	struct t_audit_data *tad,
4008 	int error,
4009 	rval_t *rvp)
4010 {
4011 
4012 	struct a {
4013 		long	fd;
4014 		long	msg;	/* char */
4015 		long	len;
4016 		long	flags;
4017 		long	from;	/* struct sockaddr */
4018 		long	fromlen;
4019 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4020 
4021 	socklen_t	fromlen;
4022 	struct sonode	*so;
4023 	char so_laddr[sizeof (struct sockaddr_in6)];
4024 	char so_faddr[sizeof (struct sockaddr_in6)];
4025 	int		fd;
4026 	short so_family, so_type;
4027 	int add_sock_token = 0;
4028 	int len;
4029 	int err;
4030 	struct file *fp;
4031 	struct f_audit_data *fad;		/* unix domain sockets */
4032 	au_kcontext_t	*kctx = SET_KCTX_PZ;
4033 
4034 	fd = (int)uap->fd;
4035 
4036 	/* bail if an error */
4037 	if (error) {
4038 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4039 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4040 		return;
4041 	}
4042 
4043 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4044 		/*
4045 		 * not security relevant if doing a recvmsg from non socket
4046 		 * so no extra tokens. Should probably turn off audit record
4047 		 * generation here.
4048 		 */
4049 		return;
4050 	}
4051 
4052 	so_family = so->so_family;
4053 	so_type   = so->so_type;
4054 
4055 	/*
4056 	 * only putout SOCKET_EX token if INET/INET6 family.
4057 	 * XXX - what do we do about other families?
4058 	 */
4059 
4060 	switch (so_family) {
4061 	case AF_INET:
4062 	case AF_INET6:
4063 
4064 		/*
4065 		 * if datagram type socket, then just use what is in
4066 		 * socket structure for local address.
4067 		 * XXX - what do we do for other types?
4068 		 */
4069 		if ((so->so_type == SOCK_DGRAM) ||
4070 		    (so->so_type == SOCK_RAW)) {
4071 			add_sock_token = 1;
4072 
4073 			/* get local address */
4074 			mutex_enter(&so->so_lock);
4075 			len = min(so->so_laddr_len, sizeof (so_laddr));
4076 			bcopy(so->so_laddr_sa, so_laddr, len);
4077 			mutex_exit(&so->so_lock);
4078 
4079 			/* get peer address */
4080 			bzero((void *)so_faddr, sizeof (so_faddr));
4081 
4082 			/* sanity check */
4083 			if (uap->from == NULL)
4084 				break;
4085 
4086 			/* sanity checks */
4087 			if (uap->fromlen == 0)
4088 				break;
4089 
4090 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4091 			    sizeof (fromlen)) != 0)
4092 				break;
4093 
4094 			if (fromlen == 0)
4095 				break;
4096 
4097 			/* enforce maximum size */
4098 			if (fromlen > sizeof (so_faddr))
4099 				fromlen = sizeof (so_faddr);
4100 
4101 			if (copyin((caddr_t)(uap->from), so_faddr,
4102 			    fromlen) != 0)
4103 				break;
4104 
4105 		} else if (so->so_type == SOCK_STREAM) {
4106 
4107 			/* get path from file struct here */
4108 			fad = F2A(fp);
4109 			ASSERT(fad);
4110 
4111 			/*
4112 			 * already processed this file for read attempt
4113 			 */
4114 			if (fad->fad_flags & FAD_READ) {
4115 				/* don't want to audit every recvfrom attempt */
4116 				tad->tad_flag = 0;
4117 				/* free any residual audit data */
4118 				au_close(kctx, &(u_ad), 0, 0, 0);
4119 				releasef(fd);
4120 				return;
4121 			}
4122 			/*
4123 			 * mark things so we know what happened and don't
4124 			 * repeat things
4125 			 */
4126 			fad->fad_flags |= FAD_READ;
4127 
4128 			bzero((void *)so_laddr, sizeof (so_laddr));
4129 			bzero((void *)so_faddr, sizeof (so_faddr));
4130 
4131 			if (so->so_state & SS_ISBOUND) {
4132 
4133 				if (so->so_laddr_len == 0)
4134 					(void) SOP_GETSOCKNAME(so);
4135 				if (so->so_faddr_len == 0)
4136 					(void) SOP_GETPEERNAME(so);
4137 
4138 				/* get local and foreign addresses */
4139 				mutex_enter(&so->so_lock);
4140 				len = min(so->so_laddr_len, sizeof (so_laddr));
4141 				bcopy(so->so_laddr_sa, so_laddr, len);
4142 				len = min(so->so_faddr_len, sizeof (so_faddr));
4143 				bcopy(so->so_faddr_sa, so_faddr, len);
4144 				mutex_exit(&so->so_lock);
4145 			}
4146 
4147 			add_sock_token = 1;
4148 		}
4149 
4150 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4151 
4152 		break;
4153 
4154 	case AF_UNIX:
4155 		/*
4156 		 * first check if this is first time through. Too much
4157 		 * duplicate code to put this in an aui_ routine.
4158 		 */
4159 
4160 		/* get path from file struct here */
4161 		fad = F2A(fp);
4162 		ASSERT(fad);
4163 
4164 		/*
4165 		 * already processed this file for read attempt
4166 		 */
4167 		if (fad->fad_flags & FAD_READ) {
4168 			/* don't want to audit every recvfrom attempt */
4169 			tad->tad_flag = 0;
4170 			/* free any residual audit data */
4171 			au_close(kctx, &(u_ad), 0, 0, 0);
4172 			releasef(fd);
4173 			return;
4174 		}
4175 		/*
4176 		 * mark things so we know what happened and don't
4177 		 * repeat things
4178 		 */
4179 		fad->fad_flags |= FAD_READ;
4180 
4181 		if (fad->fad_aupath != NULL) {
4182 			au_uwrite(au_to_path(fad->fad_aupath));
4183 		} else {
4184 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4185 		}
4186 
4187 		audit_attributes(fp->f_vnode);
4188 
4189 		releasef(fd);
4190 
4191 		return;
4192 
4193 	default:
4194 		break;
4195 
4196 	}
4197 
4198 	releasef(fd);
4199 
4200 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4201 
4202 	if (add_sock_token == 0) {
4203 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4204 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4205 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4206 		return;
4207 	}
4208 
4209 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4210 
4211 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4212 }
4213 
4214 /*ARGSUSED*/
4215 static void
4216 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4217 {
4218 	struct a {
4219 		long	fd;
4220 		long	msg;	/* struct msghdr */
4221 		long	flags;
4222 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4223 
4224 	struct sonode	*so;
4225 	char so_laddr[sizeof (struct sockaddr_in6)];
4226 	char so_faddr[sizeof (struct sockaddr_in6)];
4227 	int		err;
4228 	int		fd;
4229 	short so_family, so_type;
4230 	int		add_sock_token = 0;
4231 	int		len;
4232 	struct file	*fp;
4233 	struct f_audit_data *fad;
4234 	caddr_t		msg_name;
4235 	socklen_t	msg_namelen;
4236 	STRUCT_DECL(msghdr, msg);
4237 	au_kcontext_t	*kctx = SET_KCTX_PZ;
4238 
4239 	fd = (int)uap->fd;
4240 
4241 	/* bail if an error */
4242 	if (error) {
4243 		/* XXX include destination address from system call arguments */
4244 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4245 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4246 		return;
4247 	}
4248 
4249 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4250 		/*
4251 		 * not security relevant if doing a sendmsg from non socket
4252 		 * so no extra tokens. Should probably turn off audit record
4253 		 * generation here.
4254 		 */
4255 		return;
4256 	}
4257 
4258 	so_family = so->so_family;
4259 	so_type   = so->so_type;
4260 
4261 	switch (so_family) {
4262 	case AF_INET:
4263 	case AF_INET6:
4264 		/*
4265 		 * if datagram type socket, then just use what is in
4266 		 * socket structure for local address.
4267 		 * XXX - what do we do for other types?
4268 		 */
4269 		if ((so->so_type == SOCK_DGRAM) ||
4270 		    (so->so_type == SOCK_RAW)) {
4271 
4272 			bzero((void *)so_laddr, sizeof (so_laddr));
4273 			bzero((void *)so_faddr, sizeof (so_faddr));
4274 
4275 			/* get local address */
4276 			mutex_enter(&so->so_lock);
4277 			len = min(so->so_laddr_len, sizeof (so_laddr));
4278 			bcopy(so->so_laddr_sa, so_laddr, len);
4279 			mutex_exit(&so->so_lock);
4280 
4281 			/* get peer address */
4282 			STRUCT_INIT(msg, get_udatamodel());
4283 
4284 			if (copyin((caddr_t)(uap->msg),
4285 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4286 				break;
4287 			}
4288 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4289 			if (msg_name == NULL)
4290 				break;
4291 
4292 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4293 			/* length is value from recvmsg - sanity check */
4294 			if (msg_namelen == 0)
4295 				break;
4296 
4297 			if (copyin(msg_name, so_faddr,
4298 			    sizeof (so_faddr)) != 0)
4299 				break;
4300 
4301 			add_sock_token = 1;
4302 
4303 		} else if (so->so_type == SOCK_STREAM) {
4304 
4305 			/* get path from file struct here */
4306 			fad = F2A(fp);
4307 			ASSERT(fad);
4308 
4309 			/*
4310 			 * already processed this file for write attempt
4311 			 */
4312 			if (fad->fad_flags & FAD_WRITE) {
4313 				releasef(fd);
4314 				/* don't want to audit every sendmsg attempt */
4315 				tad->tad_flag = 0;
4316 				/* free any residual audit data */
4317 				au_close(kctx, &(u_ad), 0, 0, 0);
4318 				return;
4319 			}
4320 
4321 			/*
4322 			 * mark things so we know what happened and don't
4323 			 * repeat things
4324 			 */
4325 			fad->fad_flags |= FAD_WRITE;
4326 
4327 			bzero((void *)so_laddr, sizeof (so_laddr));
4328 			bzero((void *)so_faddr, sizeof (so_faddr));
4329 
4330 			if (so->so_state & SS_ISBOUND) {
4331 
4332 				if (so->so_laddr_len == 0)
4333 					(void) SOP_GETSOCKNAME(so);
4334 				if (so->so_faddr_len == 0)
4335 					(void) SOP_GETPEERNAME(so);
4336 
4337 				/* get local and foreign addresses */
4338 				mutex_enter(&so->so_lock);
4339 				len = min(so->so_laddr_len, sizeof (so_laddr));
4340 				bcopy(so->so_laddr_sa, so_laddr, len);
4341 				len = min(so->so_faddr_len, sizeof (so_faddr));
4342 				bcopy(so->so_faddr_sa, so_faddr, len);
4343 				mutex_exit(&so->so_lock);
4344 			}
4345 
4346 			add_sock_token = 1;
4347 		}
4348 
4349 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4350 
4351 		break;
4352 
4353 	case AF_UNIX:
4354 		/*
4355 		 * first check if this is first time through. Too much
4356 		 * duplicate code to put this in an aui_ routine.
4357 		 */
4358 
4359 		/* get path from file struct here */
4360 		fad = F2A(fp);
4361 		ASSERT(fad);
4362 
4363 		/*
4364 		 * already processed this file for write attempt
4365 		 */
4366 		if (fad->fad_flags & FAD_WRITE) {
4367 			releasef(fd);
4368 			/* don't want to audit every sendmsg attempt */
4369 			tad->tad_flag = 0;
4370 			/* free any residual audit data */
4371 			au_close(kctx, &(u_ad), 0, 0, 0);
4372 			return;
4373 		}
4374 		/*
4375 		 * mark things so we know what happened and don't
4376 		 * repeat things
4377 		 */
4378 		fad->fad_flags |= FAD_WRITE;
4379 
4380 		if (fad->fad_aupath != NULL) {
4381 			au_uwrite(au_to_path(fad->fad_aupath));
4382 		} else {
4383 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4384 		}
4385 
4386 		audit_attributes(fp->f_vnode);
4387 
4388 		releasef(fd);
4389 
4390 		return;
4391 
4392 	default:
4393 		break;
4394 	}
4395 
4396 	releasef(fd);
4397 
4398 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4399 
4400 	if (add_sock_token == 0) {
4401 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4402 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4403 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4404 		return;
4405 	}
4406 
4407 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4408 
4409 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4410 }
4411 
4412 /*ARGSUSED*/
4413 static void
4414 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4415 {
4416 	struct a {
4417 		long	fd;
4418 		long	msg;	/* char */
4419 		long	len;
4420 		long	flags;
4421 		long	to;	/* struct sockaddr */
4422 		long	tolen;
4423 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4424 
4425 	struct sonode	*so;
4426 	char so_laddr[sizeof (struct sockaddr_in6)];
4427 	char so_faddr[sizeof (struct sockaddr_in6)];
4428 	socklen_t	tolen;
4429 	int		err;
4430 	int		fd;
4431 	int		len;
4432 	short so_family, so_type;
4433 	int		add_sock_token = 0;
4434 	struct file	*fp;
4435 	struct f_audit_data *fad;
4436 	au_kcontext_t	*kctx = SET_KCTX_PZ;
4437 
4438 	fd = (int)uap->fd;
4439 
4440 	/* bail if an error */
4441 	if (error) {
4442 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4443 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4444 		/* XXX include destination address from system call arguments */
4445 		return;
4446 	}
4447 
4448 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4449 		/*
4450 		 * not security relevant if doing a sendto using non socket
4451 		 * so no extra tokens. Should probably turn off audit record
4452 		 * generation here.
4453 		 */
4454 		return;
4455 	}
4456 
4457 	so_family = so->so_family;
4458 	so_type   = so->so_type;
4459 
4460 	/*
4461 	 * only putout SOCKET_EX token if INET/INET6 family.
4462 	 * XXX - what do we do about other families?
4463 	 */
4464 
4465 	switch (so_family) {
4466 	case AF_INET:
4467 	case AF_INET6:
4468 
4469 		/*
4470 		 * if datagram type socket, then just use what is in
4471 		 * socket structure for local address.
4472 		 * XXX - what do we do for other types?
4473 		 */
4474 		if ((so->so_type == SOCK_DGRAM) ||
4475 		    (so->so_type == SOCK_RAW)) {
4476 
4477 			bzero((void *)so_laddr, sizeof (so_laddr));
4478 			bzero((void *)so_faddr, sizeof (so_faddr));
4479 
4480 			/* get local address */
4481 			mutex_enter(&so->so_lock);
4482 			len = min(so->so_laddr_len, sizeof (so_laddr));
4483 			bcopy(so->so_laddr_sa, so_laddr, len);
4484 			mutex_exit(&so->so_lock);
4485 
4486 			/* get peer address */
4487 
4488 			/* sanity check */
4489 			if (uap->to == NULL)
4490 				break;
4491 
4492 			/* sanity checks */
4493 			if (uap->tolen == 0)
4494 				break;
4495 
4496 			tolen = (socklen_t)uap->tolen;
4497 
4498 			/* enforce maximum size */
4499 			if (tolen > sizeof (so_faddr))
4500 				tolen = sizeof (so_faddr);
4501 
4502 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4503 				break;
4504 
4505 			add_sock_token = 1;
4506 		} else {
4507 			/*
4508 			 * check if this is first time through.
4509 			 */
4510 
4511 			/* get path from file struct here */
4512 			fad = F2A(fp);
4513 			ASSERT(fad);
4514 
4515 			/*
4516 			 * already processed this file for write attempt
4517 			 */
4518 			if (fad->fad_flags & FAD_WRITE) {
4519 				/* don't want to audit every sendto attempt */
4520 				tad->tad_flag = 0;
4521 				/* free any residual audit data */
4522 				au_close(kctx, &(u_ad), 0, 0, 0);
4523 				releasef(fd);
4524 				return;
4525 			}
4526 			/*
4527 			 * mark things so we know what happened and don't
4528 			 * repeat things
4529 			 */
4530 			fad->fad_flags |= FAD_WRITE;
4531 
4532 			bzero((void *)so_laddr, sizeof (so_laddr));
4533 			bzero((void *)so_faddr, sizeof (so_faddr));
4534 
4535 			if (so->so_state & SS_ISBOUND) {
4536 
4537 				if (so->so_laddr_len == 0)
4538 					(void) SOP_GETSOCKNAME(so);
4539 				if (so->so_faddr_len == 0)
4540 					(void) SOP_GETPEERNAME(so);
4541 
4542 				/* get local and foreign addresses */
4543 				mutex_enter(&so->so_lock);
4544 				len = min(so->so_laddr_len, sizeof (so_laddr));
4545 				bcopy(so->so_laddr_sa, so_laddr, len);
4546 				len = min(so->so_faddr_len, sizeof (so_faddr));
4547 				bcopy(so->so_faddr_sa, so_faddr, len);
4548 				mutex_exit(&so->so_lock);
4549 			}
4550 
4551 			add_sock_token = 1;
4552 		}
4553 
4554 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4555 
4556 		break;
4557 
4558 	case AF_UNIX:
4559 		/*
4560 		 * first check if this is first time through. Too much
4561 		 * duplicate code to put this in an aui_ routine.
4562 		 */
4563 
4564 		/* get path from file struct here */
4565 		fad = F2A(fp);
4566 		ASSERT(fad);
4567 
4568 		/*
4569 		 * already processed this file for write attempt
4570 		 */
4571 		if (fad->fad_flags & FAD_WRITE) {
4572 			/* don't want to audit every sendto attempt */
4573 			tad->tad_flag = 0;
4574 			/* free any residual audit data */
4575 			au_close(kctx, &(u_ad), 0, 0, 0);
4576 			releasef(fd);
4577 			return;
4578 		}
4579 		/*
4580 		 * mark things so we know what happened and don't
4581 		 * repeat things
4582 		 */
4583 		fad->fad_flags |= FAD_WRITE;
4584 
4585 		if (fad->fad_aupath != NULL) {
4586 			au_uwrite(au_to_path(fad->fad_aupath));
4587 		} else {
4588 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4589 		}
4590 
4591 		audit_attributes(fp->f_vnode);
4592 
4593 		releasef(fd);
4594 
4595 		return;
4596 
4597 	default:
4598 		break;
4599 
4600 	}
4601 
4602 	releasef(fd);
4603 
4604 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4605 
4606 	if (add_sock_token == 0) {
4607 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4608 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4609 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4610 		return;
4611 	}
4612 
4613 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4614 
4615 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4616 
4617 }
4618 
4619 /*
4620  * XXX socket(2) may be equivilent to open(2) on a unix domain
4621  * socket. This needs investigation.
4622  */
4623 
4624 /*ARGSUSED*/
4625 static void
4626 aus_socket(struct t_audit_data *tad)
4627 {
4628 	struct a {
4629 		long	domain;
4630 		long	type;
4631 		long	protocol;
4632 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4633 
4634 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4635 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4636 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4637 }
4638 
4639 /*ARGSUSED*/
4640 static void
4641 aus_sigqueue(struct t_audit_data *tad)
4642 {
4643 	struct a {
4644 		long	pid;
4645 		long	signo;
4646 		long	*val;
4647 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4648 	struct proc *p;
4649 	uid_t uid, ruid;
4650 	gid_t gid, rgid;
4651 	pid_t pid;
4652 	const auditinfo_addr_t *ainfo;
4653 	cred_t *cr;
4654 
4655 	pid = (pid_t)uap->pid;
4656 
4657 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4658 	if (pid > 0) {
4659 		mutex_enter(&pidlock);
4660 		if ((p = prfind(pid)) == (struct proc *)0) {
4661 			mutex_exit(&pidlock);
4662 			return;
4663 		}
4664 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4665 		mutex_exit(&pidlock);
4666 
4667 		mutex_enter(&p->p_crlock);
4668 		crhold(cr = p->p_cred);
4669 		mutex_exit(&p->p_crlock);
4670 		mutex_exit(&p->p_lock);
4671 
4672 		ainfo = crgetauinfo(cr);
4673 		if (ainfo == NULL) {
4674 			crfree(cr);
4675 			return;
4676 		}
4677 
4678 		uid  = crgetuid(cr);
4679 		gid  = crgetgid(cr);
4680 		ruid = crgetruid(cr);
4681 		rgid = crgetrgid(cr);
4682 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4683 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4684 		crfree(cr);
4685 	}
4686 	else
4687 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4688 }
4689 
4690 /*ARGSUSED*/
4691 static void
4692 aus_inst_sync(struct t_audit_data *tad)
4693 {
4694 	struct a {
4695 		long	name;	/* char */
4696 		long	flags;
4697 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4698 
4699 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4700 }
4701 
4702 /*ARGSUSED*/
4703 static void
4704 aus_p_online(struct t_audit_data *tad)
4705 {
4706 	struct a {
4707 		long	processor_id;
4708 		long	flag;
4709 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4710 
4711 	struct flags {
4712 			int	flag;
4713 			char	*cflag;
4714 	} aflags[6] = {
4715 			{ P_ONLINE, "P_ONLINE"},
4716 			{ P_OFFLINE, "P_OFFLINE"},
4717 			{ P_NOINTR, "P_NOINTR"},
4718 			{ P_SPARE, "P_SPARE"},
4719 			{ P_FAULTED, "P_FAULTED"},
4720 			{ P_STATUS, "P_STATUS"}
4721 	};
4722 	int i;
4723 	char *cflag;
4724 
4725 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4726 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4727 
4728 	for (i = 0; i < 6; i++) {
4729 		if (aflags[i].flag == uap->flag)
4730 			break;
4731 	}
4732 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4733 
4734 	au_uwrite(au_to_text(cflag));
4735 }
4736 
4737 /*ARGSUSED*/
4738 static void
4739 aus_processor_bind(struct t_audit_data *tad)
4740 {
4741 	struct a {
4742 		long	id_type;
4743 		long	id;
4744 		long	processor_id;
4745 		long	obind;
4746 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4747 
4748 	struct proc *p;
4749 	int lwpcnt;
4750 	uid_t uid, ruid;
4751 	gid_t gid, rgid;
4752 	pid_t pid;
4753 	const auditinfo_addr_t *ainfo;
4754 	cred_t *cr;
4755 
4756 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4757 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4758 	if (uap->processor_id == PBIND_NONE)
4759 		au_uwrite(au_to_text("PBIND_NONE"));
4760 	else
4761 		au_uwrite(au_to_arg32(3, "processor_id",
4762 					(uint32_t)uap->processor_id));
4763 
4764 	switch (uap->id_type) {
4765 	case P_MYID:
4766 	case P_LWPID:
4767 		mutex_enter(&pidlock);
4768 		p = ttoproc(curthread);
4769 		if (p == NULL || p->p_as == &kas) {
4770 			mutex_exit(&pidlock);
4771 			return;
4772 		}
4773 		mutex_enter(&p->p_lock);
4774 		mutex_exit(&pidlock);
4775 		lwpcnt = p->p_lwpcnt;
4776 		pid  = p->p_pid;
4777 
4778 		mutex_enter(&p->p_crlock);
4779 		crhold(cr = p->p_cred);
4780 		mutex_exit(&p->p_crlock);
4781 		mutex_exit(&p->p_lock);
4782 
4783 		ainfo = crgetauinfo(cr);
4784 		if (ainfo == NULL) {
4785 			crfree(cr);
4786 			return;
4787 		}
4788 
4789 		uid  = crgetuid(cr);
4790 		gid  = crgetgid(cr);
4791 		ruid = crgetruid(cr);
4792 		rgid = crgetrgid(cr);
4793 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4794 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4795 		crfree(cr);
4796 		break;
4797 	case P_PID:
4798 		mutex_enter(&pidlock);
4799 		p = prfind(uap->id);
4800 		if (p == NULL || p->p_as == &kas) {
4801 			mutex_exit(&pidlock);
4802 			return;
4803 		}
4804 		mutex_enter(&p->p_lock);
4805 		mutex_exit(&pidlock);
4806 		lwpcnt = p->p_lwpcnt;
4807 		pid  = p->p_pid;
4808 
4809 		mutex_enter(&p->p_crlock);
4810 		crhold(cr = p->p_cred);
4811 		mutex_exit(&p->p_crlock);
4812 		mutex_exit(&p->p_lock);
4813 
4814 		ainfo = crgetauinfo(cr);
4815 		if (ainfo == NULL) {
4816 			crfree(cr);
4817 			return;
4818 		}
4819 
4820 		uid  = crgetuid(cr);
4821 		gid  = crgetgid(cr);
4822 		ruid = crgetruid(cr);
4823 		rgid = crgetrgid(cr);
4824 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4825 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4826 		crfree(cr);
4827 
4828 		break;
4829 	default:
4830 		return;
4831 	}
4832 
4833 	if (uap->processor_id == PBIND_NONE &&
4834 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4835 		au_uwrite(au_to_text("PBIND_NONE for process"));
4836 	else
4837 		au_uwrite(au_to_arg32(3, "processor_id",
4838 					(uint32_t)uap->processor_id));
4839 }
4840 
4841 /*ARGSUSED*/
4842 static au_event_t
4843 aui_doorfs(au_event_t e)
4844 {
4845 	uint32_t code;
4846 
4847 	struct a {		/* doorfs */
4848 		long	a1;
4849 		long	a2;
4850 		long	a3;
4851 		long	a4;
4852 		long	a5;
4853 		long	code;
4854 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4855 
4856 	/*
4857 	 *	audit formats for several of the
4858 	 *	door calls have not yet been determined
4859 	 */
4860 	code = (uint32_t)uap->code;
4861 	switch (code) {
4862 	case DOOR_CALL:
4863 		e = AUE_DOORFS_DOOR_CALL;
4864 		break;
4865 	case DOOR_RETURN:
4866 		e = AUE_NULL;
4867 		break;
4868 	case DOOR_CREATE:
4869 		e = AUE_DOORFS_DOOR_CREATE;
4870 		break;
4871 	case DOOR_REVOKE:
4872 		e = AUE_DOORFS_DOOR_REVOKE;
4873 		break;
4874 	case DOOR_INFO:
4875 		e = AUE_NULL;
4876 		break;
4877 	case DOOR_UCRED:
4878 		e = AUE_NULL;
4879 		break;
4880 	case DOOR_BIND:
4881 		e = AUE_NULL;
4882 		break;
4883 	case DOOR_UNBIND:
4884 		e = AUE_NULL;
4885 		break;
4886 	case DOOR_GETPARAM:
4887 		e = AUE_NULL;
4888 		break;
4889 	case DOOR_SETPARAM:
4890 		e = AUE_NULL;
4891 		break;
4892 	default:	/* illegal system call */
4893 		e = AUE_NULL;
4894 		break;
4895 	}
4896 
4897 	return (e);
4898 }
4899 
4900 static door_node_t *
4901 au_door_lookup(int did)
4902 {
4903 	vnode_t	*vp;
4904 	file_t *fp;
4905 
4906 	if ((fp = getf(did)) == NULL)
4907 		return (NULL);
4908 	/*
4909 	 * Use the underlying vnode (we may be namefs mounted)
4910 	 */
4911 	if (VOP_REALVP(fp->f_vnode, &vp))
4912 		vp = fp->f_vnode;
4913 
4914 	if (vp == NULL || vp->v_type != VDOOR) {
4915 		releasef(did);
4916 		return (NULL);
4917 	}
4918 
4919 	return (VTOD(vp));
4920 }
4921 
4922 /*ARGSUSED*/
4923 static void
4924 aus_doorfs(struct t_audit_data *tad)
4925 {
4926 
4927 	struct a {		/* doorfs */
4928 		long	a1;
4929 		long	a2;
4930 		long	a3;
4931 		long	a4;
4932 		long	a5;
4933 		long	code;
4934 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4935 
4936 	door_node_t	*dp;
4937 	struct proc	*p;
4938 	uint32_t	did;
4939 	uid_t uid, ruid;
4940 	gid_t gid, rgid;
4941 	pid_t pid;
4942 	const auditinfo_addr_t *ainfo;
4943 	cred_t *cr;
4944 
4945 	did = (uint32_t)uap->a1;
4946 
4947 	switch (tad->tad_event) {
4948 	case AUE_DOORFS_DOOR_CALL:
4949 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
4950 		if ((dp = au_door_lookup(did)) == NULL)
4951 			break;
4952 
4953 		if (DOOR_INVALID(dp)) {
4954 			releasef(did);
4955 			break;
4956 		}
4957 
4958 		if ((p = dp->door_target) == NULL) {
4959 			releasef(did);
4960 			break;
4961 		}
4962 		mutex_enter(&p->p_lock);
4963 		releasef(did);
4964 
4965 		pid  = p->p_pid;
4966 
4967 		mutex_enter(&p->p_crlock);
4968 		crhold(cr = p->p_cred);
4969 		mutex_exit(&p->p_crlock);
4970 		mutex_exit(&p->p_lock);
4971 
4972 		ainfo = crgetauinfo(cr);
4973 		if (ainfo == NULL) {
4974 			crfree(cr);
4975 			return;
4976 		}
4977 		uid  = crgetuid(cr);
4978 		gid  = crgetgid(cr);
4979 		ruid = crgetruid(cr);
4980 		rgid = crgetrgid(cr);
4981 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4982 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4983 		crfree(cr);
4984 		break;
4985 	case AUE_DOORFS_DOOR_RETURN:
4986 		/*
4987 		 * We may want to write information about
4988 		 * all doors (if any) which will be copied
4989 		 * by this call to the user space
4990 		 */
4991 		break;
4992 	case AUE_DOORFS_DOOR_CREATE:
4993 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
4994 		break;
4995 	case AUE_DOORFS_DOOR_REVOKE:
4996 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
4997 		break;
4998 	case AUE_DOORFS_DOOR_INFO:
4999 		break;
5000 	case AUE_DOORFS_DOOR_CRED:
5001 		break;
5002 	case AUE_DOORFS_DOOR_BIND:
5003 		break;
5004 	case AUE_DOORFS_DOOR_UNBIND: {
5005 		break;
5006 	}
5007 	default:	/* illegal system call */
5008 		break;
5009 	}
5010 }
5011 
5012 /*ARGSUSED*/
5013 static au_event_t
5014 aui_acl(au_event_t e)
5015 {
5016 	struct a {
5017 		union {
5018 			long	name;	/* char */
5019 			long	fd;
5020 		}		obj;
5021 
5022 		long		cmd;
5023 		long		nentries;
5024 		long		arg;	/* aclent_t */
5025 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5026 
5027 	switch (uap->cmd) {
5028 	case SETACL:
5029 		/* ok, acl(SETACL, ...) and facl(SETACL, ...)  are expected. */
5030 		break;
5031 	case GETACL:
5032 	case GETACLCNT:
5033 		/* do nothing for these two values. */
5034 		e = AUE_NULL;
5035 		break;
5036 	default:
5037 		/* illegal system call */
5038 		break;
5039 	}
5040 
5041 	return (e);
5042 }
5043 
5044 
5045 /*ARGSUSED*/
5046 static void
5047 aus_acl(struct t_audit_data *tad)
5048 {
5049 	struct a {
5050 		long	fname;
5051 		long	cmd;
5052 		long	nentries;
5053 		long	aclbufp;
5054 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5055 	struct acl *aclbufp;
5056 
5057 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5058 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5059 
5060 	switch (uap->cmd) {
5061 	case GETACL:
5062 	case GETACLCNT:
5063 		break;
5064 	case SETACL:
5065 	    if (uap->nentries < 3)
5066 		break;
5067 	    else {
5068 		size_t a_size = uap->nentries * sizeof (struct acl);
5069 		int i;
5070 
5071 		aclbufp = kmem_alloc(a_size, KM_SLEEP);
5072 		if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
5073 			kmem_free(aclbufp, a_size);
5074 			break;
5075 		}
5076 		for (i = 0; i < uap->nentries; i++) {
5077 			au_uwrite(au_to_acl(aclbufp + i));
5078 		}
5079 		kmem_free(aclbufp, a_size);
5080 		break;
5081 	}
5082 	default:
5083 		break;
5084 	}
5085 }
5086 
5087 /*ARGSUSED*/
5088 static void
5089 aus_facl(struct t_audit_data *tad)
5090 {
5091 	struct a {
5092 		long	fd;
5093 		long	cmd;
5094 		long	nentries;
5095 		long	aclbufp;
5096 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5097 	struct file  *fp;
5098 	struct vnode *vp;
5099 	struct f_audit_data *fad;
5100 	struct acl *aclbufp;
5101 	int fd;
5102 
5103 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5104 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5105 
5106 	fd = (int)uap->fd;
5107 
5108 	if ((fp = getf(fd)) == NULL)
5109 		return;
5110 
5111 	/* get path from file struct here */
5112 	fad = F2A(fp);
5113 	if (fad->fad_aupath != NULL) {
5114 		au_uwrite(au_to_path(fad->fad_aupath));
5115 	} else {
5116 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5117 	}
5118 
5119 	vp = fp->f_vnode;
5120 	audit_attributes(vp);
5121 
5122 	/* decrement file descriptor reference count */
5123 	releasef(fd);
5124 
5125 	switch (uap->cmd) {
5126 	case GETACL:
5127 	case GETACLCNT:
5128 		break;
5129 	case SETACL:
5130 	    if (uap->nentries < 3)
5131 		break;
5132 	    else {
5133 		size_t a_size = uap->nentries * sizeof (struct acl);
5134 		int i;
5135 
5136 		aclbufp = kmem_alloc(a_size, KM_SLEEP);
5137 		if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
5138 			kmem_free(aclbufp, a_size);
5139 			break;
5140 		}
5141 		for (i = 0; i < uap->nentries; i++) {
5142 			au_uwrite(au_to_acl(aclbufp + i));
5143 		}
5144 		kmem_free(aclbufp, a_size);
5145 		break;
5146 	}
5147 	default:
5148 		break;
5149 	}
5150 }
5151 
5152 /*ARGSUSED*/
5153 static void
5154 auf_read(tad, error, rval)
5155 	struct t_audit_data *tad;
5156 	int error;
5157 	rval_t *rval;
5158 {
5159 	struct file *fp;
5160 	struct f_audit_data *fad;
5161 	int fd;
5162 	register struct a {
5163 		long	fd;
5164 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5165 	au_kcontext_t	*kctx = SET_KCTX_PZ;
5166 
5167 	fd = (int)uap->fd;
5168 
5169 	/*
5170 	 * convert file pointer to file descriptor
5171 	 *   Note: fd ref count incremented here.
5172 	 */
5173 	if ((fp = getf(fd)) == NULL)
5174 		return;
5175 
5176 	/* get path from file struct here */
5177 	fad = F2A(fp);
5178 	ASSERT(fad);
5179 
5180 	/*
5181 	 * already processed this file for read attempt
5182 	 *
5183 	 * XXX might be better to turn off auditing in a aui_read() routine.
5184 	 */
5185 	if (fad->fad_flags & FAD_READ) {
5186 		/* don't really want to audit every read attempt */
5187 		tad->tad_flag = 0;
5188 		/* free any residual audit data */
5189 		au_close(kctx, &(u_ad), 0, 0, 0);
5190 		releasef(fd);
5191 		return;
5192 	}
5193 	/* mark things so we know what happened and don't repeat things */
5194 	fad->fad_flags |= FAD_READ;
5195 
5196 	if (fad->fad_aupath != NULL) {
5197 		au_uwrite(au_to_path(fad->fad_aupath));
5198 	} else {
5199 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5200 	}
5201 
5202 	/* include attributes */
5203 	audit_attributes(fp->f_vnode);
5204 
5205 	/* decrement file descriptor reference count */
5206 	releasef(fd);
5207 }
5208 
5209 /*ARGSUSED*/
5210 static void
5211 auf_write(tad, error, rval)
5212 	struct t_audit_data *tad;
5213 	int error;
5214 	rval_t *rval;
5215 {
5216 	struct file *fp;
5217 	struct f_audit_data *fad;
5218 	int fd;
5219 	register struct a {
5220 		long	fd;
5221 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5222 	au_kcontext_t	*kctx = SET_KCTX_PZ;
5223 
5224 	fd = (int)uap->fd;
5225 
5226 	/*
5227 	 * convert file pointer to file descriptor
5228 	 *   Note: fd ref count incremented here.
5229 	 */
5230 	if ((fp = getf(fd)) == NULL)
5231 		return;
5232 
5233 	/* get path from file struct here */
5234 	fad = F2A(fp);
5235 	ASSERT(fad);
5236 
5237 	/*
5238 	 * already processed this file for write attempt
5239 	 *
5240 	 * XXX might be better to turn off auditing in a aus_write() routine.
5241 	 */
5242 	if (fad->fad_flags & FAD_WRITE) {
5243 		/* don't really want to audit every write attempt */
5244 		tad->tad_flag = 0;
5245 		/* free any residual audit data */
5246 		au_close(kctx, &(u_ad), 0, 0, 0);
5247 		releasef(fd);
5248 		return;
5249 	}
5250 	/* mark things so we know what happened and don't repeat things */
5251 	fad->fad_flags |= FAD_WRITE;
5252 
5253 	if (fad->fad_aupath != NULL) {
5254 		au_uwrite(au_to_path(fad->fad_aupath));
5255 	} else {
5256 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5257 	}
5258 
5259 	/* include attributes */
5260 	audit_attributes(fp->f_vnode);
5261 
5262 	/* decrement file descriptor reference count */
5263 	releasef(fd);
5264 }
5265 
5266 /*ARGSUSED*/
5267 static void
5268 auf_recv(tad, error, rval)
5269 	struct t_audit_data *tad;
5270 	int error;
5271 	rval_t *rval;
5272 {
5273 	struct sonode *so;
5274 	char so_laddr[sizeof (struct sockaddr_in6)];
5275 	char so_faddr[sizeof (struct sockaddr_in6)];
5276 	struct file *fp;
5277 	struct f_audit_data *fad;
5278 	int fd;
5279 	int err;
5280 	int len;
5281 	short so_family, so_type;
5282 	register struct a {
5283 		long	fd;
5284 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5285 	au_kcontext_t	*kctx = SET_KCTX_PZ;
5286 
5287 	/*
5288 	 * If there was an error, then nothing to do. Only generate
5289 	 * audit record on first successful recv.
5290 	 */
5291 	if (error) {
5292 		/* Turn off audit record generation here. */
5293 		tad->tad_flag = 0;
5294 		/* free any residual audit data */
5295 		au_close(kctx, &(u_ad), 0, 0, 0);
5296 		return;
5297 	}
5298 
5299 	fd = (int)uap->fd;
5300 
5301 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
5302 		/* Turn off audit record generation here. */
5303 		tad->tad_flag = 0;
5304 		/* free any residual audit data */
5305 		au_close(kctx, &(u_ad), 0, 0, 0);
5306 		return;
5307 	}
5308 
5309 	/* get path from file struct here */
5310 	fad = F2A(fp);
5311 	ASSERT(fad);
5312 
5313 	/*
5314 	 * already processed this file for read attempt
5315 	 */
5316 	if (fad->fad_flags & FAD_READ) {
5317 		releasef(fd);
5318 		/* don't really want to audit every recv call */
5319 		tad->tad_flag = 0;
5320 		/* free any residual audit data */
5321 		au_close(kctx, &(u_ad), 0, 0, 0);
5322 		return;
5323 	}
5324 
5325 	/* mark things so we know what happened and don't repeat things */
5326 	fad->fad_flags |= FAD_READ;
5327 
5328 	so_family = so->so_family;
5329 	so_type   = so->so_type;
5330 
5331 	switch (so_family) {
5332 	case AF_INET:
5333 	case AF_INET6:
5334 		/*
5335 		 * Only for connections.
5336 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5337 		 */
5338 		if (so->so_state & SS_ISBOUND) {
5339 
5340 			bzero((void *)so_laddr, sizeof (so_laddr));
5341 			bzero((void *)so_faddr, sizeof (so_faddr));
5342 
5343 			/* only done once on a connection */
5344 			(void) SOP_GETSOCKNAME(so);
5345 			(void) SOP_GETPEERNAME(so);
5346 
5347 			/* get local and foreign addresses */
5348 			mutex_enter(&so->so_lock);
5349 			len = min(so->so_laddr_len, sizeof (so_laddr));
5350 			bcopy(so->so_laddr_sa, so_laddr, len);
5351 			len = min(so->so_faddr_len, sizeof (so_faddr));
5352 			bcopy(so->so_faddr_sa, so_faddr, len);
5353 			mutex_exit(&so->so_lock);
5354 
5355 			/*
5356 			 * only way to drop out of switch. Note that we
5357 			 * we release fd below.
5358 			 */
5359 
5360 			break;
5361 		}
5362 
5363 		releasef(fd);
5364 
5365 		/* don't really want to audit every recv call */
5366 		tad->tad_flag = 0;
5367 		/* free any residual audit data */
5368 		au_close(kctx, &(u_ad), 0, 0, 0);
5369 
5370 		return;
5371 
5372 	case AF_UNIX:
5373 
5374 		if (fad->fad_aupath != NULL) {
5375 			au_uwrite(au_to_path(fad->fad_aupath));
5376 		} else {
5377 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5378 		}
5379 
5380 		audit_attributes(fp->f_vnode);
5381 
5382 		releasef(fd);
5383 
5384 		return;
5385 
5386 	default:
5387 		releasef(fd);
5388 
5389 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5390 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5391 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5392 
5393 		return;
5394 	}
5395 
5396 	releasef(fd);
5397 
5398 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5399 
5400 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5401 
5402 }
5403 
5404 /*ARGSUSED*/
5405 static void
5406 auf_send(tad, error, rval)
5407 	struct t_audit_data *tad;
5408 	int error;
5409 	rval_t *rval;
5410 {
5411 	struct sonode *so;
5412 	char so_laddr[sizeof (struct sockaddr_in6)];
5413 	char so_faddr[sizeof (struct sockaddr_in6)];
5414 	struct file *fp;
5415 	struct f_audit_data *fad;
5416 	int fd;
5417 	int err;
5418 	int len;
5419 	short so_family, so_type;
5420 	register struct a {
5421 		long	fd;
5422 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5423 	au_kcontext_t	*kctx = SET_KCTX_PZ;
5424 
5425 	fd = (int)uap->fd;
5426 
5427 	/*
5428 	 * If there was an error, then nothing to do. Only generate
5429 	 * audit record on first successful send.
5430 	 */
5431 	if (error != 0) {
5432 		/* Turn off audit record generation here. */
5433 		tad->tad_flag = 0;
5434 		/* free any residual audit data */
5435 		au_close(kctx, &(u_ad), 0, 0, 0);
5436 		return;
5437 	}
5438 
5439 	fd = (int)uap->fd;
5440 
5441 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
5442 		/* Turn off audit record generation here. */
5443 		tad->tad_flag = 0;
5444 		/* free any residual audit data */
5445 		au_close(kctx, &(u_ad), 0, 0, 0);
5446 		return;
5447 	}
5448 
5449 	/* get path from file struct here */
5450 	fad = F2A(fp);
5451 	ASSERT(fad);
5452 
5453 	/*
5454 	 * already processed this file for write attempt
5455 	 */
5456 	if (fad->fad_flags & FAD_WRITE) {
5457 		releasef(fd);
5458 		/* don't really want to audit every send call */
5459 		tad->tad_flag = 0;
5460 		/* free any residual audit data */
5461 		au_close(kctx, &(u_ad), 0, 0, 0);
5462 		return;
5463 	}
5464 
5465 	/* mark things so we know what happened and don't repeat things */
5466 	fad->fad_flags |= FAD_WRITE;
5467 
5468 	so_family = so->so_family;
5469 	so_type   = so->so_type;
5470 
5471 	switch (so_family) {
5472 	case AF_INET:
5473 	case AF_INET6:
5474 		/*
5475 		 * Only for connections.
5476 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5477 		 */
5478 		if (so->so_state & SS_ISBOUND) {
5479 
5480 			bzero((void *)so_laddr, sizeof (so_laddr));
5481 			bzero((void *)so_faddr, sizeof (so_faddr));
5482 
5483 			/* only done once on a connection */
5484 			(void) SOP_GETSOCKNAME(so);
5485 			(void) SOP_GETPEERNAME(so);
5486 
5487 			/* get local and foreign addresses */
5488 			mutex_enter(&so->so_lock);
5489 			len = min(so->so_laddr_len, sizeof (so_laddr));
5490 			bcopy(so->so_laddr_sa, so_laddr, len);
5491 			len = min(so->so_faddr_len, sizeof (so_faddr));
5492 			bcopy(so->so_faddr_sa, so_faddr, len);
5493 			mutex_exit(&so->so_lock);
5494 
5495 			/*
5496 			 * only way to drop out of switch. Note that we
5497 			 * we release fd below.
5498 			 */
5499 
5500 			break;
5501 		}
5502 
5503 		releasef(fd);
5504 		/* don't really want to audit every send call */
5505 		tad->tad_flag = 0;
5506 		/* free any residual audit data */
5507 		au_close(kctx, &(u_ad), 0, 0, 0);
5508 
5509 		return;
5510 
5511 	case AF_UNIX:
5512 
5513 		if (fad->fad_aupath != NULL) {
5514 			au_uwrite(au_to_path(fad->fad_aupath));
5515 		} else {
5516 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5517 		}
5518 
5519 		audit_attributes(fp->f_vnode);
5520 
5521 		releasef(fd);
5522 
5523 		return;
5524 
5525 	default:
5526 		releasef(fd);
5527 
5528 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5529 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5530 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5531 
5532 		return;
5533 	}
5534 
5535 	releasef(fd);
5536 
5537 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5538 
5539 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5540 }
5541