xref: /titanic_51/usr/src/uts/common/c2/audit_event.c (revision 821da340f9590922ba8761a64fadda18843a0e88)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * This file contains the audit event table used to control the production
31  * of audit records for each system call.
32  */
33 
34 #include <sys/policy.h>
35 #include <sys/cred.h>
36 #include <sys/types.h>
37 #include <sys/systm.h>
38 #include <sys/systeminfo.h>	/* for sysinfo auditing */
39 #include <sys/utsname.h>	/* for sysinfo auditing */
40 #include <sys/proc.h>
41 #include <sys/vnode.h>
42 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
43 #include <sys/fcntl.h>
44 #include <sys/modctl.h>		/* for modctl auditing */
45 #include <sys/vnode.h>
46 #include <sys/user.h>
47 #include <sys/types.h>
48 #include <sys/processor.h>
49 #include <sys/procset.h>
50 #include <sys/acl.h>
51 #include <sys/ipc.h>
52 #include <sys/door.h>
53 #include <sys/sem.h>
54 #include <sys/msg.h>
55 #include <sys/shm.h>
56 #include <sys/kmem.h>
57 #include <sys/file.h>		/* for accept */
58 #include <sys/utssys.h>		/* for fuser */
59 #include <sys/tsol/label.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <netinet/in.h>
76 #include <sys/ddi.h>
77 #include <sys/port_impl.h>
78 
79 
80 extern token_t	*au_to_sock_inet(struct sockaddr_in *);
81 
82 int	au_naevent;
83 char	_depends_on[] = "fs/sockfs";
84 
85 static au_event_t	aui_null(au_event_t);
86 static au_event_t	aui_open(au_event_t);
87 static au_event_t	aui_fsat(au_event_t);
88 static au_event_t	aui_msgsys(au_event_t);
89 static au_event_t	aui_shmsys(au_event_t);
90 static au_event_t	aui_semsys(au_event_t);
91 static au_event_t	aui_utssys(au_event_t);
92 static au_event_t	aui_fcntl(au_event_t);
93 static au_event_t	aui_execv(au_event_t);
94 static au_event_t	aui_execve(au_event_t);
95 static au_event_t	aui_memcntl(au_event_t);
96 static au_event_t	aui_sysinfo(au_event_t);
97 static au_event_t	aui_portfs(au_event_t);
98 static au_event_t	aui_auditsys(au_event_t);
99 static au_event_t	aui_modctl(au_event_t);
100 static au_event_t	aui_acl(au_event_t);
101 static au_event_t	aui_doorfs(au_event_t);
102 static au_event_t	aui_privsys(au_event_t);
103 static au_event_t	aui_forksys(au_event_t);
104 
105 static void	aus_null(struct t_audit_data *);
106 static void	aus_open(struct t_audit_data *);
107 static void	aus_acl(struct t_audit_data *);
108 static void	aus_acct(struct t_audit_data *);
109 static void	aus_chown(struct t_audit_data *);
110 static void	aus_fchown(struct t_audit_data *);
111 static void	aus_lchown(struct t_audit_data *);
112 static void	aus_chmod(struct t_audit_data *);
113 static void	aus_facl(struct t_audit_data *);
114 static void	aus_fchmod(struct t_audit_data *);
115 static void	aus_fcntl(struct t_audit_data *);
116 static void	aus_fsat(struct t_audit_data *);
117 static void	aus_mkdir(struct t_audit_data *);
118 static void	aus_mknod(struct t_audit_data *);
119 static void	aus_mount(struct t_audit_data *);
120 static void	aus_umount(struct t_audit_data *);
121 static void	aus_umount2(struct t_audit_data *);
122 static void	aus_msgsys(struct t_audit_data *);
123 static void	aus_semsys(struct t_audit_data *);
124 static void	aus_close(struct t_audit_data *);
125 static void	aus_fstatfs(struct t_audit_data *);
126 static void	aus_setgid(struct t_audit_data *);
127 static void	aus_setuid(struct t_audit_data *);
128 static void	aus_shmsys(struct t_audit_data *);
129 static void	aus_doorfs(struct t_audit_data *);
130 static void	aus_ioctl(struct t_audit_data *);
131 static void	aus_memcntl(struct t_audit_data *);
132 static void	aus_mmap(struct t_audit_data *);
133 static void	aus_munmap(struct t_audit_data *);
134 static void	aus_priocntlsys(struct t_audit_data *);
135 static void	aus_setegid(struct t_audit_data *);
136 static void	aus_setgroups(struct t_audit_data *);
137 static void	aus_seteuid(struct t_audit_data *);
138 static void	aus_putmsg(struct t_audit_data *);
139 static void	aus_putpmsg(struct t_audit_data *);
140 static void	aus_getmsg(struct t_audit_data *);
141 static void	aus_getpmsg(struct t_audit_data *);
142 static void	aus_auditsys(struct t_audit_data *);
143 static void	aus_sysinfo(struct t_audit_data *);
144 static void	aus_modctl(struct t_audit_data *);
145 static void	aus_kill(struct t_audit_data *);
146 static void	aus_xmknod(struct t_audit_data *);
147 static void	aus_setregid(struct t_audit_data *);
148 static void	aus_setreuid(struct t_audit_data *);
149 
150 static void	auf_null(struct t_audit_data *, int, rval_t *);
151 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
152 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
153 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
154 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
155 #if 0
156 static void	auf_open(struct t_audit_data *, int, rval_t *);
157 #endif
158 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
159 static void	auf_read(struct t_audit_data *, int, rval_t *);
160 static void	auf_write(struct t_audit_data *, int, rval_t *);
161 
162 static void	aus_sigqueue(struct t_audit_data *);
163 static void	aus_p_online(struct t_audit_data *);
164 static void	aus_processor_bind(struct t_audit_data *);
165 static void	aus_inst_sync(struct t_audit_data *);
166 static void	aus_brandsys(struct t_audit_data *);
167 
168 static void	auf_accept(struct t_audit_data *, int, rval_t *);
169 
170 static void	auf_bind(struct t_audit_data *, int, rval_t *);
171 static void	auf_connect(struct t_audit_data *, int, rval_t *);
172 static void	aus_shutdown(struct t_audit_data *);
173 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
174 static void	aus_sockconfig(struct t_audit_data *);
175 static void	auf_recv(struct t_audit_data *, int, rval_t *);
176 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
177 static void	auf_send(struct t_audit_data *, int, rval_t *);
178 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
179 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
180 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
181 static void	aus_socket(struct t_audit_data *);
182 /*
183  * This table contains mapping information for converting system call numbers
184  * to audit event IDs. In several cases it is necessary to map a single system
185  * call to several events.
186  */
187 
188 struct audit_s2e audit_s2e[] =
189 {
190 /*
191  * ----------	---------- 	----------	----------
192  * INITIAL	AUDIT		START		SYSTEM
193  * PROCESSING	EVENT		PROCESSING	CALL
194  * ----------	----------	----------	-----------
195  *		FINISH		EVENT
196  *		PROCESSING	CONTROL
197  * ----------------------------------------------------------
198  */
199 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
200 		auf_null,	0,
201 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
202 		auf_null,	S2E_NPT,
203 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
204 		auf_null,	0,
205 aui_null,	AUE_READ,	aus_null,	/* 3 read */
206 		auf_read,	S2E_PUB,
207 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
208 		auf_write,	0,
209 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
210 		auf_null,	S2E_SP,
211 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
212 		auf_null,	0,
213 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
214 		auf_null,	0,
215 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
216 		auf_null,	S2E_SP,
217 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
218 		auf_null,	0,
219 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
220 		auf_null,	0,
221 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
222 		auf_null,	S2E_MLD,
223 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
224 		auf_null,	S2E_SP,
225 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
226 		auf_null,	0,
227 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
228 		auf_mknod,	0,
229 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
230 		auf_null,	0,
231 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
232 		auf_null,	0,
233 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
234 		auf_null,	0,
235 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
236 		auf_null,	S2E_PUB,
237 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
238 		auf_null,	0,
239 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
240 		auf_null,	0,
241 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
242 		auf_null,	S2E_MLD,
243 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
244 		auf_null,	0,
245 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
246 		auf_null,	0,
247 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
248 		auf_null,	0,
249 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
250 		auf_null,	0,
251 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
254 		auf_null,	0,
255 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
258 		auf_null,	0,
259 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
262 		auf_null,	0,
263 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
264 		auf_null,	0,
265 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
266 		auf_null,	S2E_PUB,
267 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
268 		auf_null,	0,
269 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
270 		auf_null,	S2E_PUB,
271 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
272 		auf_null,	0,
273 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
274 		auf_null,	0,
275 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
276 		auf_null,	S2E_PUB,
277 aui_null,	AUE_SETPGRP,	aus_null,	/* 39 setpgrp */
278 		auf_null,	0,
279 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
280 		auf_null,	0,
281 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
282 		auf_null,	0,
283 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
288 		auf_null,	0,
289 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
290 						/*	was proc lock */
291 		auf_null,	0,
292 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
293 		auf_null,	0,
294 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
295 		auf_null,	0,
296 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
297 		auf_null,	0,
298 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
299 		auf_msgsys,	0,
300 #if defined(__x86)
301 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
302 		auf_null,	0,
303 #else
304 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
305 		auf_null,	0,
306 #endif /* __x86 */
307 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
308 		auf_null,	0,
309 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
310 		auf_shmsys,	0,
311 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
312 		auf_semsys,	0,
313 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
314 		auf_null,	0,
315 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
316 		auf_null,	0,
317 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
318 		auf_null,	0,
319 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
320 		auf_null,	0,
321 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
322 		auf_null,	0,
323 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
324 		auf_null,	S2E_MLD,
325 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
326 		auf_null,	0,
327 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
328 		auf_null,	S2E_SP,
329 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
330 		auf_null,	0,
331 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
332 		auf_null,	0,
333 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
334 		auf_null,	0,
335 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
336 		auf_null,	0,
337 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
338 		auf_null,	0,
339 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
340 						/*	file locking call */
341 		auf_null,	0,
342 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
343 						/*	local system calls */
344 		auf_null,	0,
345 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
346 		auf_null,	0,
347 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
348 		auf_null,	0,
349 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
350 		auf_null,	0,
351 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
352 		auf_null,	0,
353 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
354 		auf_null,	0,
355 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
356 		auf_null,	0,
357 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
358 						/*	was sigret (SunOS) */
359 		auf_null,	0,
360 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
361 		auf_null,	0,
362 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
363 		auf_null,	0,
364 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
365 		auf_null,	0,
366 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
367 		auf_null,	0,
368 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
369 		auf_null,	0,
370 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
371 		auf_null,	0,
372 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
373 						/*	was libattach */
374 		auf_null,	0,
375 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
376 						/*	was libdetach */
377 		auf_null,	0,
378 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
379 		auf_null,	0,
380 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
381 		auf_null,	0,
382 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
383 		auf_null,	0,
384 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
385 		auf_null,	0,
386 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
387 		auf_null,	S2E_PUB,
388 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
389 		auf_null,	0,
390 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
391 		auf_null,	S2E_PUB,
392 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
393 		auf_null,	0,
394 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
395 		auf_null,	0,
396 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
397 		auf_null,	0,
398 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
409 		auf_null,	0,
410 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
411 		auf_null,	0,
412 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
413 		auf_null,	0,
414 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
415 						/*	was evtrapret */
416 		auf_null,	0,
417 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
418 		auf_null,	S2E_PUB,
419 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
420 		auf_null,	0,
421 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
422 		auf_null,	0,
423 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
424 		auf_null,	0,
425 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
426 		auf_null,	0,
427 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
428 		auf_null,	0,
429 #if defined(__x86)
430 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
431 		auf_null,	0,
432 #else
433 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
434 		auf_null,	0,
435 #endif /* __x86 */
436 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
437 		auf_null,	0,
438 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
439 		auf_null,	0,
440 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
441 		auf_null,	0,		/* 112 priocntlsys */
442 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
443 		auf_null,	S2E_PUB,
444 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
445 		auf_null,	0,
446 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
447 		auf_null,	0,
448 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
449 		auf_null,	0,
450 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
451 		auf_null,	0,
452 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
453 		auf_null,	0,
454 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
455 		auf_null,	0,
456 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
457 		auf_null,	0,
458 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
459 		auf_read,	S2E_PUB,
460 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
461 		auf_write,	0,
462 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
463 		auf_null,	S2E_PUB,
464 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
465 		auf_null,	S2E_PUB,
466 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
467 		auf_null,	0,
468 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
469 		auf_xmknod,	0,
470 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
471 		auf_null,	0,
472 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
473 		auf_null,	0,
474 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
475 		auf_null,	0,
476 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
477 		auf_null,	0,
478 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
479 		auf_null,	0,
480 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
481 		auf_null,	0,
482 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
483 		auf_null,	0,
484 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
485 		auf_null,	0,
486 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
487 		auf_null,	0,
488 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
489 		auf_null,	0,
490 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
491 		auf_null,	0,
492 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
493 		auf_null,	0,
494 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
495 		auf_null,	0,
496 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
497 		auf_null,	0,
498 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
499 		auf_null,	0,
500 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
501 		auf_null,	0,
502 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
503 		auf_null,	0,
504 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
505 		auf_null,	0,
506 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
515 		auf_null,	0,
516 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
517 		auf_null,	0,
518 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
519 		auf_null,	0,
520 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
521 		auf_null,	0,
522 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
523 		auf_null,	0,
524 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
547 						/*	was lwp_setprivate */
548 		auf_null,	0,
549 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
550 						/*	was lwp_getprivate */
551 		auf_null,	0,
552 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
553 		auf_null,	0,
554 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
555 		auf_null,	0,
556 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
557 		auf_null,	0,
558 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
559 		auf_null,	0,
560 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
561 		auf_null,	0,
562 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
563 		auf_null,	0,
564 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
565 		auf_read,	S2E_PUB,
566 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
567 		auf_write,	0,
568 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
569 		auf_null,	0,
570 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
571 						/* aus_inst_sync */
572 		auf_null,	0,
573 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
576 		auf_null,	0,
577 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
578 		auf_null,	0,
579 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
580 		auf_null,	0,
581 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
582 		auf_null,	0,
583 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
584 		auf_null,	0,
585 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
586 		auf_null,	0,
587 aui_null,	AUE_NULL,	aus_null,	/* 184 (loadable) tsolsys */
588 		auf_null,	0,
589 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
590 		auf_null,	0,
591 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
592 		auf_null,	0,
593 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
594 		auf_null,	0,		/* 187 processor_bind */
595 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
596 		auf_null,	0,
597 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
600 		auf_null,	0,
601 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
602 		auf_null,	0,
603 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
612 		auf_null,	0,
613 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
614 		auf_null,	0,
615 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
616 		auf_null,	0,
617 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
618 		auf_null,	0,
619 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
620 		auf_null,	0,
621 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
622 		auf_null,	0,
623 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
624 		auf_null,	0,
625 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
640 		auf_null,	0,
641 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
642 		auf_null,	0,
643 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
644 		auf_null,	0,
645 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
646 		auf_null,	0,
647 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
648 		auf_null,	0,
649 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
650 		auf_null,	S2E_PUB,
651 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
652 		auf_null,	S2E_PUB,
653 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
654 		auf_null,	0,
655 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
656 		auf_null,	S2E_PUB,
657 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
658 		auf_null,	0,
659 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
660 		auf_null,	0,
661 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
662 		auf_null,	0,
663 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
664 		auf_read,	S2E_PUB,
665 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
666 		auf_write,	0,
667 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
668 		auf_null,	S2E_SP,
669 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
670 		auf_null,	S2E_SP,
671 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
674 		auf_null,	0,
675 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
676 		auf_null,	0,
677 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
678 		auf_null,	0,
679 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
680 		auf_null,	0,
681 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
682 		auf_null,	0,
683 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
684 		auf_bind,	0,
685 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
686 		auf_null,	0,
687 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
688 		auf_accept,	0,
689 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
690 		auf_connect,	0,
691 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
692 		auf_null,	0,
693 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
694 		auf_recv,	0,
695 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
696 		auf_recvfrom,	0,
697 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
698 		auf_recvmsg,	0,
699 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
700 		auf_send,	0,
701 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
702 		auf_sendmsg,	0,
703 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
704 		auf_sendto,	0,
705 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
706 		auf_null,	0,
707 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
708 		auf_null,	0,
709 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
710 		auf_null,	0,
711 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
712 		auf_setsockopt,	0,
713 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
714 		auf_null,	0,
715 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
716 		auf_null,	0,
717 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
722 		auf_null,	0,
723 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
724 		auf_null,	0,
725 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
726 		auf_null,	0,
727 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
728 		auf_null,	0,
729 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
730 		auf_null,	0
731 };
732 
733 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
734 
735 char *so_not_bound = "socket not bound";
736 char *so_not_conn  = "socket not connected";
737 char *so_bad_addr  = "bad socket address";
738 char *so_bad_peer_addr  = "bad peer address";
739 
740 /* null start function */
741 /*ARGSUSED*/
742 static void
743 aus_null(struct t_audit_data *tad)
744 {
745 }
746 
747 /* acct start function */
748 /*ARGSUSED*/
749 static void
750 aus_acct(struct t_audit_data *tad)
751 {
752 	klwp_t *clwp = ttolwp(curthread);
753 	uintptr_t fname;
754 
755 	struct a {
756 		long	fname;		/* char * */
757 	} *uap = (struct a *)clwp->lwp_ap;
758 
759 	fname = (uintptr_t)uap->fname;
760 
761 	if (fname == 0)
762 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
763 }
764 
765 /* chown start function */
766 /*ARGSUSED*/
767 static void
768 aus_chown(struct t_audit_data *tad)
769 {
770 	klwp_t *clwp = ttolwp(curthread);
771 	uint32_t uid, gid;
772 
773 	struct a {
774 		long	fname;		/* char * */
775 		long	uid;
776 		long	gid;
777 	} *uap = (struct a *)clwp->lwp_ap;
778 
779 	uid = (uint32_t)uap->uid;
780 	gid = (uint32_t)uap->gid;
781 
782 	au_uwrite(au_to_arg32(2, "new file uid", uid));
783 	au_uwrite(au_to_arg32(3, "new file gid", gid));
784 }
785 
786 /* fchown start function */
787 /*ARGSUSED*/
788 static void
789 aus_fchown(struct t_audit_data *tad)
790 {
791 	klwp_t *clwp = ttolwp(curthread);
792 	uint32_t uid, gid, fd;
793 	struct file  *fp;
794 	struct vnode *vp;
795 	struct f_audit_data *fad;
796 
797 	struct a {
798 		long fd;
799 		long uid;
800 		long gid;
801 	} *uap = (struct a *)clwp->lwp_ap;
802 
803 	fd  = (uint32_t)uap->fd;
804 	uid = (uint32_t)uap->uid;
805 	gid = (uint32_t)uap->gid;
806 
807 	au_uwrite(au_to_arg32(2, "new file uid", uid));
808 	au_uwrite(au_to_arg32(3, "new file gid", gid));
809 
810 		/*
811 		 * convert file pointer to file descriptor
812 		 *   Note: fd ref count incremented here.
813 		 */
814 	if ((fp = getf(fd)) == NULL)
815 		return;
816 
817 	/* get path from file struct here */
818 	fad = F2A(fp);
819 	if (fad->fad_aupath != NULL) {
820 		au_uwrite(au_to_path(fad->fad_aupath));
821 	} else {
822 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
823 	}
824 
825 	vp = fp->f_vnode;
826 	audit_attributes(vp);
827 
828 	/* decrement file descriptor reference count */
829 	releasef(fd);
830 }
831 
832 /*ARGSUSED*/
833 static void
834 aus_lchown(struct t_audit_data *tad)
835 {
836 	klwp_t *clwp = ttolwp(curthread);
837 	uint32_t uid, gid;
838 
839 
840 	struct a {
841 		long	fname;		/* char	* */
842 		long	uid;
843 		long	gid;
844 	} *uap = (struct a *)clwp->lwp_ap;
845 
846 	uid = (uint32_t)uap->uid;
847 	gid = (uint32_t)uap->gid;
848 
849 	au_uwrite(au_to_arg32(2, "new file uid", uid));
850 	au_uwrite(au_to_arg32(3, "new file gid", gid));
851 }
852 
853 /* chmod start function */
854 /*ARGSUSED*/
855 static void
856 aus_chmod(struct t_audit_data *tad)
857 {
858 	klwp_t *clwp = ttolwp(curthread);
859 	uint32_t fmode;
860 
861 	struct a {
862 		long	fname;		/* char	* */
863 		long	fmode;
864 	} *uap = (struct a *)clwp->lwp_ap;
865 
866 	fmode = (uint32_t)uap->fmode;
867 
868 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
869 }
870 
871 /* chmod start function */
872 /*ARGSUSED*/
873 static void
874 aus_fchmod(struct t_audit_data *tad)
875 {
876 	klwp_t *clwp = ttolwp(curthread);
877 	uint32_t fmode, fd;
878 	struct file  *fp;
879 	struct vnode *vp;
880 	struct f_audit_data *fad;
881 
882 	struct a {
883 		long	fd;
884 		long	fmode;
885 	} *uap = (struct a *)clwp->lwp_ap;
886 
887 	fd = (uint32_t)uap->fd;
888 	fmode = (uint32_t)uap->fmode;
889 
890 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
891 
892 		/*
893 		 * convert file pointer to file descriptor
894 		 *   Note: fd ref count incremented here.
895 		 */
896 	if ((fp = getf(fd)) == NULL)
897 		return;
898 
899 		/* get path from file struct here */
900 	fad = F2A(fp);
901 	if (fad->fad_aupath != NULL) {
902 		au_uwrite(au_to_path(fad->fad_aupath));
903 	} else {
904 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
905 	}
906 
907 	vp = fp->f_vnode;
908 	audit_attributes(vp);
909 
910 	/* decrement file descriptor reference count */
911 	releasef(fd);
912 }
913 
914 /* null function */
915 /*ARGSUSED*/
916 static void
917 auf_null(struct t_audit_data *tad, int error, rval_t *rval)
918 {
919 }
920 
921 /* null function */
922 static au_event_t
923 aui_null(au_event_t e)
924 {
925 	return (e);
926 }
927 
928 /* convert open to appropriate event */
929 static au_event_t
930 aui_open(au_event_t e)
931 {
932 	klwp_t *clwp = ttolwp(curthread);
933 	uint_t fm;
934 
935 	struct a {
936 		long	fnamep;		/* char	* */
937 		long	fmode;
938 		long	cmode;
939 	} *uap = (struct a *)clwp->lwp_ap;
940 
941 	fm = (uint_t)uap->fmode;
942 
943 	if (fm & O_WRONLY)
944 		e = AUE_OPEN_W;
945 	else if (fm & O_RDWR)
946 		e = AUE_OPEN_RW;
947 	else
948 		e = AUE_OPEN_R;
949 
950 	if (fm & O_CREAT)
951 		e += 1;
952 	if (fm & O_TRUNC)
953 		e += 2;
954 
955 	return (e);
956 }
957 
958 /*ARGSUSED*/
959 static void
960 aus_open(struct t_audit_data *tad)
961 {
962 	klwp_t *clwp = ttolwp(curthread);
963 	uint_t fm;
964 
965 	struct a {
966 		long	fnamep;		/* char	* */
967 		long	fmode;
968 		long	cmode;
969 	} *uap = (struct a *)clwp->lwp_ap;
970 
971 	fm = (uint_t)uap->fmode;
972 
973 	/* If no write, create, or trunc modes, mark as a public op */
974 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
975 		tad->tad_ctrl |= PAD_PUBLIC_EV;
976 }
977 
978 /* convert openat(2) to appropriate event */
979 static au_event_t
980 aui_fsat(au_event_t e)
981 {
982 	t_audit_data_t	*tad = U2A(u);
983 	klwp_t *clwp = ttolwp(curthread);
984 	uint_t fmcode, fm;
985 	struct a {
986 		long id;
987 		long arg1;
988 		long arg2;
989 		long arg3;
990 		long arg4;
991 		long arg5;
992 	} *uap = (struct a *)clwp->lwp_ap;
993 
994 	fmcode  = (uint_t)uap->id;
995 
996 	switch (fmcode) {
997 
998 	case 0: /* openat */
999 	case 1: /* openat64 */
1000 		fm = (uint_t)uap->arg3;
1001 		if (fm & O_WRONLY)
1002 			e = AUE_OPENAT_W;
1003 		else if (fm & O_RDWR)
1004 			e = AUE_OPENAT_RW;
1005 		else
1006 			e = AUE_OPENAT_R;
1007 
1008 		/*
1009 		 * openat modes are defined in the following order:
1010 		 * Read only
1011 		 * Read|Create
1012 		 * Read|Trunc
1013 		 * Read|Create|Trunc
1014 		 * Write Only
1015 		 * Write|Create
1016 		 * Write|Trunc
1017 		 * Write|Create|Trunc * RW Only
1018 		 * RW|Create
1019 		 * RW|Trunc
1020 		 * RW|Create|Trunc
1021 		 */
1022 		if (fm & O_CREAT)
1023 			e += 1;		/* increment to include CREAT in mode */
1024 		if (fm & O_TRUNC)
1025 			e += 2;		/* increment to include TRUNC in mode */
1026 
1027 		/* convert to appropriate au_ctrl */
1028 		tad->tad_ctrl |= PAD_SAVPATH;
1029 		if (fm & FXATTR)
1030 			tad->tad_ctrl |= PAD_ATPATH;
1031 
1032 
1033 		break;
1034 	case 2: /* fstatat64 */
1035 	case 3: /* fstatat */
1036 		e = AUE_FSTATAT;
1037 		break;
1038 	case 4: /* fchownat */
1039 		e = AUE_FCHOWNAT;
1040 		break;
1041 	case 5: /* unlinkat */
1042 		e = AUE_UNLINKAT;
1043 		break;
1044 	case 6: /* futimesat */
1045 		e = AUE_FUTIMESAT;
1046 		break;
1047 	case 7: /* renameat */
1048 		e = AUE_RENAMEAT;
1049 		break;
1050 	default:
1051 		e = AUE_NULL;
1052 		break;
1053 	}
1054 
1055 	return (e);
1056 }
1057 
1058 /*ARGSUSED*/
1059 static void
1060 aus_fsat(struct t_audit_data *tad)
1061 {
1062 	klwp_t *clwp = ttolwp(curthread);
1063 	uint_t fmcode, fm;
1064 	struct a {
1065 		long id;
1066 		long arg1;
1067 		long arg2;
1068 		long arg3;
1069 		long arg4;
1070 		long arg5;
1071 	} *uap = (struct a *)clwp->lwp_ap;
1072 
1073 	fmcode  = (uint_t)uap->id;
1074 
1075 	switch (fmcode) {
1076 
1077 	case 0: /* openat */
1078 	case 1: /* openat64 */
1079 		fm = (uint_t)uap->arg3;
1080 		/* If no write, create, or trunc modes, mark as a public op */
1081 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1082 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1083 
1084 		break;
1085 	case 2: /* fstatat64 */
1086 	case 3: /* fstatat */
1087 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1088 		break;
1089 	default:
1090 		break;
1091 	}
1092 }
1093 
1094 /* msgsys */
1095 static au_event_t
1096 aui_msgsys(au_event_t e)
1097 {
1098 	klwp_t *clwp = ttolwp(curthread);
1099 	uint_t fm;
1100 
1101 	struct a {
1102 		long	id;	/* function code id */
1103 		long	ap;	/* arg pointer for recvmsg */
1104 	} *uap = (struct a *)clwp->lwp_ap;
1105 
1106 	struct b {
1107 		long	msgid;
1108 		long	cmd;
1109 		long	buf;	/* struct msqid_ds * */
1110 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1111 
1112 	fm  = (uint_t)uap->id;
1113 
1114 	switch (fm) {
1115 	case 0:		/* msgget */
1116 		e = AUE_MSGGET;
1117 		break;
1118 	case 1:		/* msgctl */
1119 		switch ((uint_t)uap1->cmd) {
1120 		case IPC_RMID:
1121 			e = AUE_MSGCTL_RMID;
1122 			break;
1123 		case IPC_SET:
1124 			e = AUE_MSGCTL_SET;
1125 			break;
1126 		case IPC_STAT:
1127 			e = AUE_MSGCTL_STAT;
1128 			break;
1129 		default:
1130 			e = AUE_MSGCTL;
1131 			break;
1132 		}
1133 		break;
1134 	case 2:		/* msgrcv */
1135 		e = AUE_MSGRCV;
1136 		break;
1137 	case 3:		/* msgsnd */
1138 		e = AUE_MSGSND;
1139 		break;
1140 	default:	/* illegal system call */
1141 		e = AUE_NULL;
1142 		break;
1143 	}
1144 
1145 	return (e);
1146 }
1147 
1148 
1149 /* shmsys */
1150 static au_event_t
1151 aui_shmsys(au_event_t e)
1152 {
1153 	klwp_t *clwp = ttolwp(curthread);
1154 	int fm;
1155 
1156 	struct a {		/* shmsys */
1157 		long	id;	/* function code id */
1158 	} *uap = (struct a *)clwp->lwp_ap;
1159 
1160 	struct b {		/* ctrl */
1161 		long	shmid;
1162 		long	cmd;
1163 		long	arg;		/* struct shmid_ds * */
1164 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1165 	fm  = (uint_t)uap->id;
1166 
1167 	switch (fm) {
1168 	case 0:		/* shmat */
1169 		e = AUE_SHMAT;
1170 		break;
1171 	case 1:		/* shmctl */
1172 		switch ((uint_t)uap1->cmd) {
1173 		case IPC_RMID:
1174 			e = AUE_SHMCTL_RMID;
1175 			break;
1176 		case IPC_SET:
1177 			e = AUE_SHMCTL_SET;
1178 			break;
1179 		case IPC_STAT:
1180 			e = AUE_SHMCTL_STAT;
1181 			break;
1182 		default:
1183 			e = AUE_SHMCTL;
1184 			break;
1185 		}
1186 		break;
1187 	case 2:		/* shmdt */
1188 		e = AUE_SHMDT;
1189 		break;
1190 	case 3:		/* shmget */
1191 		e = AUE_SHMGET;
1192 		break;
1193 	default:	/* illegal system call */
1194 		e = AUE_NULL;
1195 		break;
1196 	}
1197 
1198 	return (e);
1199 }
1200 
1201 
1202 /* semsys */
1203 static au_event_t
1204 aui_semsys(au_event_t e)
1205 {
1206 	klwp_t *clwp = ttolwp(curthread);
1207 	uint_t fm;
1208 
1209 	struct a {		/* semsys */
1210 		long	id;
1211 	} *uap = (struct a *)clwp->lwp_ap;
1212 
1213 	struct b {		/* ctrl */
1214 		long	semid;
1215 		long	semnum;
1216 		long	cmd;
1217 		long	arg;
1218 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1219 
1220 	fm = (uint_t)uap->id;
1221 
1222 	switch (fm) {
1223 	case 0:		/* semctl */
1224 		switch ((uint_t)uap1->cmd) {
1225 		case IPC_RMID:
1226 			e = AUE_SEMCTL_RMID;
1227 			break;
1228 		case IPC_SET:
1229 			e = AUE_SEMCTL_SET;
1230 			break;
1231 		case IPC_STAT:
1232 			e = AUE_SEMCTL_STAT;
1233 			break;
1234 		case GETNCNT:
1235 			e = AUE_SEMCTL_GETNCNT;
1236 			break;
1237 		case GETPID:
1238 			e = AUE_SEMCTL_GETPID;
1239 			break;
1240 		case GETVAL:
1241 			e = AUE_SEMCTL_GETVAL;
1242 			break;
1243 		case GETALL:
1244 			e = AUE_SEMCTL_GETALL;
1245 			break;
1246 		case GETZCNT:
1247 			e = AUE_SEMCTL_GETZCNT;
1248 			break;
1249 		case SETVAL:
1250 			e = AUE_SEMCTL_SETVAL;
1251 			break;
1252 		case SETALL:
1253 			e = AUE_SEMCTL_SETALL;
1254 			break;
1255 		default:
1256 			e = AUE_SEMCTL;
1257 			break;
1258 		}
1259 		break;
1260 	case 1:		/* semget */
1261 		e = AUE_SEMGET;
1262 		break;
1263 	case 2:		/* semop */
1264 		e = AUE_SEMOP;
1265 		break;
1266 	default:	/* illegal system call */
1267 		e = AUE_NULL;
1268 		break;
1269 	}
1270 
1271 	return (e);
1272 }
1273 
1274 /* utssys - uname(2), ustat(2), fusers(2) */
1275 static au_event_t
1276 aui_utssys(au_event_t e)
1277 {
1278 	klwp_t *clwp = ttolwp(curthread);
1279 	uint_t type;
1280 
1281 	struct a {
1282 		union {
1283 			long	cbuf;		/* char * */
1284 			long	ubuf;		/* struct stat * */
1285 		} ub;
1286 		union {
1287 			long	mv;	/* for USTAT */
1288 			long	flags;	/* for FUSERS */
1289 		} un;
1290 		long	type;
1291 		long	outbp;		/* char * for FUSERS */
1292 	} *uap = (struct a *)clwp->lwp_ap;
1293 
1294 	type = (uint_t)uap->type;
1295 
1296 	if (type == UTS_FUSERS)
1297 		return (e);
1298 	else
1299 		return ((au_event_t)AUE_NULL);
1300 }
1301 
1302 static au_event_t
1303 aui_fcntl(au_event_t e)
1304 {
1305 	klwp_t *clwp = ttolwp(curthread);
1306 	uint_t cmd;
1307 
1308 	struct a {
1309 		long	fdes;
1310 		long	cmd;
1311 		long	arg;
1312 	} *uap = (struct a *)clwp->lwp_ap;
1313 
1314 	cmd = (uint_t)uap->cmd;
1315 
1316 	switch (cmd) {
1317 	case F_GETLK:
1318 	case F_SETLK:
1319 	case F_SETLKW:
1320 		break;
1321 	case F_SETFL:
1322 	case F_GETFL:
1323 	case F_GETFD:
1324 		break;
1325 	default:
1326 		e = (au_event_t)AUE_NULL;
1327 		break;
1328 	}
1329 	return ((au_event_t)e);
1330 }
1331 
1332 /* null function for now */
1333 static au_event_t
1334 aui_execv(au_event_t e)
1335 {
1336 	return (e);
1337 }
1338 
1339 /* null function for now */
1340 static au_event_t
1341 aui_execve(au_event_t e)
1342 {
1343 	return (e);
1344 }
1345 
1346 /*ARGSUSED*/
1347 static void
1348 aus_fcntl(struct t_audit_data *tad)
1349 {
1350 	klwp_t *clwp = ttolwp(curthread);
1351 	uint32_t cmd, fd;
1352 	struct file  *fp;
1353 	struct vnode *vp;
1354 	struct f_audit_data *fad;
1355 
1356 	struct a {
1357 		long	fd;
1358 		long	cmd;
1359 		long	arg;
1360 	} *uap = (struct a *)clwp->lwp_ap;
1361 
1362 	cmd = (uint32_t)uap->cmd;
1363 	fd  = (uint32_t)uap->fd;
1364 
1365 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1366 
1367 		/*
1368 		 * convert file pointer to file descriptor
1369 		 *   Note: fd ref count incremented here.
1370 		 */
1371 	if ((fp = getf(fd)) == NULL)
1372 		return;
1373 
1374 	/* get path from file struct here */
1375 	fad = F2A(fp);
1376 	if (fad->fad_aupath != NULL) {
1377 		au_uwrite(au_to_path(fad->fad_aupath));
1378 	} else {
1379 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1380 	}
1381 
1382 	vp = fp->f_vnode;
1383 	audit_attributes(vp);
1384 
1385 	/* decrement file descriptor reference count */
1386 	releasef(fd);
1387 }
1388 
1389 /*ARGSUSED*/
1390 static void
1391 aus_kill(struct t_audit_data *tad)
1392 {
1393 	klwp_t *clwp = ttolwp(curthread);
1394 	struct proc *p;
1395 	uint32_t signo;
1396 	uid_t uid, ruid;
1397 	gid_t gid, rgid;
1398 	pid_t pid;
1399 	const auditinfo_addr_t *ainfo;
1400 	cred_t *cr;
1401 
1402 	struct a {
1403 		long	pid;
1404 		long	signo;
1405 	} *uap = (struct a *)clwp->lwp_ap;
1406 
1407 	pid   = (pid_t)uap->pid;
1408 	signo = (uint32_t)uap->signo;
1409 
1410 	au_uwrite(au_to_arg32(2, "signal", signo));
1411 	if (pid > 0) {
1412 		mutex_enter(&pidlock);
1413 		if (((p = prfind(pid)) == (struct proc *)0) ||
1414 		    (p->p_stat == SIDL)) {
1415 			mutex_exit(&pidlock);
1416 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1417 			return;
1418 		}
1419 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1420 		mutex_exit(&pidlock);
1421 
1422 		mutex_enter(&p->p_crlock);
1423 		crhold(cr = p->p_cred);
1424 		mutex_exit(&p->p_crlock);
1425 		mutex_exit(&p->p_lock);
1426 
1427 		ainfo = crgetauinfo(cr);
1428 		if (ainfo == NULL) {
1429 			crfree(cr);
1430 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1431 			return;
1432 		}
1433 
1434 		uid  = crgetuid(cr);
1435 		gid  = crgetgid(cr);
1436 		ruid = crgetruid(cr);
1437 		rgid = crgetrgid(cr);
1438 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1439 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1440 
1441 		if (is_system_labeled())
1442 			au_uwrite(au_to_label(CR_SL(cr)));
1443 
1444 		crfree(cr);
1445 	}
1446 	else
1447 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1448 }
1449 
1450 /*ARGSUSED*/
1451 static void
1452 aus_mkdir(struct t_audit_data *tad)
1453 {
1454 	klwp_t *clwp = ttolwp(curthread);
1455 	uint32_t dmode;
1456 
1457 	struct a {
1458 		long	dirnamep;		/* char * */
1459 		long	dmode;
1460 	} *uap = (struct a *)clwp->lwp_ap;
1461 
1462 	dmode = (uint32_t)uap->dmode;
1463 
1464 	au_uwrite(au_to_arg32(2, "mode", dmode));
1465 }
1466 
1467 /*ARGSUSED*/
1468 static void
1469 aus_mknod(struct t_audit_data *tad)
1470 {
1471 	klwp_t *clwp = ttolwp(curthread);
1472 	uint32_t fmode;
1473 	dev_t dev;
1474 
1475 	struct a {
1476 		long	pnamep;		/* char * */
1477 		long	fmode;
1478 		long	dev;
1479 	} *uap = (struct a *)clwp->lwp_ap;
1480 
1481 	fmode = (uint32_t)uap->fmode;
1482 	dev   = (dev_t)uap->dev;
1483 
1484 	au_uwrite(au_to_arg32(2, "mode", fmode));
1485 #ifdef _LP64
1486 	au_uwrite(au_to_arg64(3, "dev", dev));
1487 #else
1488 	au_uwrite(au_to_arg32(3, "dev", dev));
1489 #endif
1490 }
1491 
1492 /*ARGSUSED*/
1493 static void
1494 aus_xmknod(struct t_audit_data *tad)
1495 {
1496 	klwp_t *clwp = ttolwp(curthread);
1497 	uint32_t fmode;
1498 	dev_t dev;
1499 
1500 	struct a {
1501 		long	version;	/* version */
1502 		long	pnamep;		/* char * */
1503 		long	fmode;
1504 		long	dev;
1505 	} *uap = (struct a *)clwp->lwp_ap;
1506 
1507 	fmode = (uint32_t)uap->fmode;
1508 	dev   = (dev_t)uap->dev;
1509 
1510 	au_uwrite(au_to_arg32(2, "mode", fmode));
1511 #ifdef _LP64
1512 	au_uwrite(au_to_arg64(3, "dev", dev));
1513 #else
1514 	au_uwrite(au_to_arg32(3, "dev", dev));
1515 #endif
1516 }
1517 
1518 /*ARGSUSED*/
1519 static void
1520 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1521 {
1522 	klwp_t *clwp = ttolwp(curthread);
1523 	vnode_t	*dvp;
1524 	caddr_t pnamep;
1525 
1526 	struct a {
1527 		long	pnamep;		/* char * */
1528 		long	fmode;
1529 		long	dev;
1530 	} *uap = (struct a *)clwp->lwp_ap;
1531 
1532 	/* no error, then already path token in audit record */
1533 	if (error != EPERM)
1534 		return;
1535 
1536 	/* not auditing this event, nothing then to do */
1537 	if (tad->tad_flag == 0)
1538 		return;
1539 
1540 	/* do the lookup to force generation of path token */
1541 	pnamep = (caddr_t)uap->pnamep;
1542 	tad->tad_ctrl |= PAD_NOATTRB;
1543 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1544 	if (error == 0)
1545 		VN_RELE(dvp);
1546 }
1547 
1548 /*ARGSUSED*/
1549 static void
1550 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1551 {
1552 	klwp_t *clwp = ttolwp(curthread);
1553 	vnode_t	*dvp;
1554 	caddr_t pnamep;
1555 
1556 	struct a {
1557 		long	version;	/* version */
1558 		long	pnamep;		/* char * */
1559 		long	fmode;
1560 		long	dev;
1561 	} *uap = (struct a *)clwp->lwp_arg;
1562 
1563 
1564 	/* no error, then already path token in audit record */
1565 	if (error != EPERM)
1566 		return;
1567 
1568 	/* not auditing this event, nothing then to do */
1569 	if (tad->tad_flag == 0)
1570 		return;
1571 
1572 	/* do the lookup to force generation of path token */
1573 	pnamep = (caddr_t)uap->pnamep;
1574 	tad->tad_ctrl |= PAD_NOATTRB;
1575 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1576 	if (error == 0)
1577 		VN_RELE(dvp);
1578 }
1579 
1580 /*ARGSUSED*/
1581 static void
1582 aus_mount(struct t_audit_data *tad)
1583 {	/* AUS_START */
1584 	klwp_t *clwp = ttolwp(curthread);
1585 	uint32_t flags;
1586 	uintptr_t u_fstype, dataptr;
1587 	STRUCT_DECL(nfs_args, nfsargs);
1588 	size_t len;
1589 	char *fstype, *hostname;
1590 
1591 	struct a {
1592 		long	spec;		/* char    * */
1593 		long	dir;		/* char    * */
1594 		long	flags;
1595 		long	fstype;		/* char    * */
1596 		long	dataptr;	/* char    * */
1597 		long	datalen;
1598 	} *uap = (struct a *)clwp->lwp_ap;
1599 
1600 	u_fstype = (uintptr_t)uap->fstype;
1601 	flags    = (uint32_t)uap->flags;
1602 	dataptr  = (uintptr_t)uap->dataptr;
1603 
1604 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1605 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1606 		goto mount_free_fstype;
1607 
1608 	au_uwrite(au_to_arg32(3, "flags", flags));
1609 	au_uwrite(au_to_text(fstype));
1610 
1611 	if (strncmp(fstype, "nfs", 3) == 0) {
1612 
1613 		STRUCT_INIT(nfsargs, get_udatamodel());
1614 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1615 
1616 		if (copyin((caddr_t)dataptr,
1617 				STRUCT_BUF(nfsargs),
1618 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1619 			/* DEBUG debug_enter((char *)NULL); */
1620 			goto mount_free_fstype;
1621 		}
1622 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1623 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1624 				(caddr_t)hostname,
1625 				MAXNAMELEN, &len)) {
1626 			goto mount_free_hostname;
1627 		}
1628 		au_uwrite(au_to_text(hostname));
1629 		au_uwrite(au_to_arg32(3, "internal flags",
1630 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1631 
1632 mount_free_hostname:
1633 		kmem_free(hostname, MAXNAMELEN);
1634 	}
1635 
1636 mount_free_fstype:
1637 	kmem_free(fstype, MAXNAMELEN);
1638 }	/* AUS_MOUNT */
1639 
1640 static void
1641 aus_umount_path(caddr_t umount_dir)
1642 {
1643 	char			*dir_path;
1644 	struct audit_path	*path;
1645 	size_t			path_len, dir_len;
1646 
1647 	/* length alloc'd for two string pointers */
1648 	path_len = sizeof (struct audit_path) + sizeof (char *);
1649 	path = kmem_alloc(path_len, KM_SLEEP);
1650 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1651 
1652 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1653 	    MAXPATHLEN, &dir_len))
1654 		goto umount2_free_dir;
1655 
1656 	/*
1657 	 * the audit_path struct assumes that the buffer pointed to
1658 	 * by audp_sect[n] contains string 0 immediatedly followed
1659 	 * by string 1.
1660 	 */
1661 	path->audp_sect[0] = dir_path;
1662 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1663 	path->audp_size = path_len;
1664 	path->audp_ref = 1;		/* not used */
1665 	path->audp_cnt = 1;		/* one path string */
1666 
1667 	au_uwrite(au_to_path(path));
1668 
1669 umount2_free_dir:
1670 	kmem_free(dir_path, MAXPATHLEN);
1671 	kmem_free(path, path_len);
1672 }
1673 
1674 /*
1675  * the umount syscall is implemented as a call to umount2, but the args
1676  * are different...
1677  */
1678 
1679 /*ARGSUSED*/
1680 static void
1681 aus_umount(struct t_audit_data *tad)
1682 {
1683 	klwp_t			*clwp = ttolwp(curthread);
1684 	struct a {
1685 		long	dir;		/* char    * */
1686 	} *uap = (struct a *)clwp->lwp_ap;
1687 
1688 	aus_umount_path((caddr_t)uap->dir);
1689 }
1690 
1691 /*ARGSUSED*/
1692 static void
1693 aus_umount2(struct t_audit_data *tad)
1694 {
1695 	klwp_t			*clwp = ttolwp(curthread);
1696 	struct a {
1697 		long	dir;		/* char    * */
1698 		long	flags;
1699 	} *uap = (struct a *)clwp->lwp_ap;
1700 
1701 	aus_umount_path((caddr_t)uap->dir);
1702 
1703 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1704 }
1705 
1706 static void
1707 aus_msgsys(struct t_audit_data *tad)
1708 {
1709 	klwp_t *clwp = ttolwp(curthread);
1710 	uint32_t msgid;
1711 
1712 	struct b {
1713 		long	msgid;
1714 		long	cmd;
1715 		long	buf;		/* struct msqid_ds * */
1716 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1717 
1718 	msgid = (uint32_t)uap1->msgid;
1719 
1720 
1721 	switch (tad->tad_event) {
1722 	case AUE_MSGGET:		/* msgget */
1723 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1724 		break;
1725 	case AUE_MSGCTL:		/* msgctl */
1726 	case AUE_MSGCTL_RMID:		/* msgctl */
1727 	case AUE_MSGCTL_STAT:		/* msgctl */
1728 	case AUE_MSGRCV:		/* msgrcv */
1729 	case AUE_MSGSND:		/* msgsnd */
1730 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1731 		break;
1732 	case AUE_MSGCTL_SET:		/* msgctl */
1733 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1734 		break;
1735 	}
1736 }
1737 
1738 /*ARGSUSED*/
1739 static void
1740 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1741 {
1742 	int id;
1743 
1744 	if (error != 0)
1745 		return;
1746 	if (tad->tad_event == AUE_MSGGET) {
1747 		uint32_t scid;
1748 		uint32_t sy_flags;
1749 
1750 		/* need to determine type of executing binary */
1751 		scid = tad->tad_scid;
1752 #ifdef _SYSCALL32_IMPL
1753 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1754 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1755 		else
1756 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1757 #else
1758 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1759 #endif
1760 		if (sy_flags == SE_32RVAL1)
1761 			id = rval->r_val1;
1762 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1763 			id = rval->r_val1;
1764 		if (sy_flags == SE_64RVAL)
1765 			id = (int)rval->r_vals;
1766 
1767 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1768 	}
1769 }
1770 
1771 static void
1772 aus_semsys(struct t_audit_data *tad)
1773 {
1774 	klwp_t *clwp = ttolwp(curthread);
1775 	uint32_t semid;
1776 
1777 	struct b {		/* ctrl */
1778 		long	semid;
1779 		long	semnum;
1780 		long	cmd;
1781 		long	arg;
1782 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1783 
1784 	semid = (uint32_t)uap1->semid;
1785 
1786 	switch (tad->tad_event) {
1787 	case AUE_SEMCTL_RMID:
1788 	case AUE_SEMCTL_STAT:
1789 	case AUE_SEMCTL_GETNCNT:
1790 	case AUE_SEMCTL_GETPID:
1791 	case AUE_SEMCTL_GETVAL:
1792 	case AUE_SEMCTL_GETALL:
1793 	case AUE_SEMCTL_GETZCNT:
1794 	case AUE_SEMCTL_SETVAL:
1795 	case AUE_SEMCTL_SETALL:
1796 	case AUE_SEMCTL:
1797 	case AUE_SEMOP:
1798 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1799 		break;
1800 	case AUE_SEMCTL_SET:
1801 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1802 		break;
1803 	case AUE_SEMGET:
1804 		au_uwrite(au_to_arg32(1, "sem key", semid));
1805 		break;
1806 	}
1807 }
1808 
1809 /*ARGSUSED*/
1810 static void
1811 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1812 {
1813 	int id;
1814 
1815 	if (error != 0)
1816 		return;
1817 	if (tad->tad_event == AUE_SEMGET) {
1818 		uint32_t scid;
1819 		uint32_t sy_flags;
1820 
1821 		/* need to determine type of executing binary */
1822 		scid = tad->tad_scid;
1823 #ifdef _SYSCALL32_IMPL
1824 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1825 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1826 		else
1827 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1828 #else
1829 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1830 #endif
1831 		if (sy_flags == SE_32RVAL1)
1832 			id = rval->r_val1;
1833 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1834 			id = rval->r_val1;
1835 		if (sy_flags == SE_64RVAL)
1836 			id = (int)rval->r_vals;
1837 
1838 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1839 	}
1840 }
1841 
1842 /*ARGSUSED*/
1843 static void
1844 aus_close(struct t_audit_data *tad)
1845 {
1846 	klwp_t *clwp = ttolwp(curthread);
1847 	uint32_t fd;
1848 	struct file *fp;
1849 	struct f_audit_data *fad;
1850 	struct vnode *vp;
1851 	struct vattr attr;
1852 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1853 
1854 	struct a {
1855 		long	i;
1856 	} *uap = (struct a *)clwp->lwp_ap;
1857 
1858 	fd = (uint32_t)uap->i;
1859 
1860 	attr.va_mask = 0;
1861 	au_uwrite(au_to_arg32(1, "fd", fd));
1862 
1863 		/*
1864 		 * convert file pointer to file descriptor
1865 		 *   Note: fd ref count incremented here.
1866 		 */
1867 	if ((fp = getf(fd)) == NULL)
1868 		return;
1869 
1870 	fad = F2A(fp);
1871 	tad->tad_evmod = (short)fad->fad_flags;
1872 	if (fad->fad_aupath != NULL) {
1873 		au_uwrite(au_to_path(fad->fad_aupath));
1874 		if ((vp = fp->f_vnode) != NULL) {
1875 			attr.va_mask = AT_ALL;
1876 			if (VOP_GETATTR(vp, &attr, 0, CRED()) == 0) {
1877 				/*
1878 				 * When write was not used and the file can be
1879 				 * considered public, skip the audit.
1880 				 */
1881 				if (((fp->f_flag & FWRITE) == 0) &&
1882 				    file_is_public(&attr)) {
1883 					tad->tad_flag = 0;
1884 					tad->tad_evmod = 0;
1885 					/* free any residual audit data */
1886 					au_close(kctx, &(u_ad), 0, 0, 0);
1887 					releasef(fd);
1888 					return;
1889 				}
1890 				au_uwrite(au_to_attr(&attr));
1891 				audit_sec_attributes(&(u_ad), vp);
1892 			}
1893 		}
1894 	}
1895 
1896 	/* decrement file descriptor reference count */
1897 	releasef(fd);
1898 }
1899 
1900 /*ARGSUSED*/
1901 static void
1902 aus_fstatfs(struct t_audit_data *tad)
1903 {
1904 	klwp_t *clwp = ttolwp(curthread);
1905 	uint32_t fd;
1906 	struct file  *fp;
1907 	struct vnode *vp;
1908 	struct f_audit_data *fad;
1909 
1910 	struct a {
1911 		long	fd;
1912 		long	buf;		/* struct statfs * */
1913 	} *uap = (struct a *)clwp->lwp_ap;
1914 
1915 	fd = (uint_t)uap->fd;
1916 
1917 		/*
1918 		 * convert file pointer to file descriptor
1919 		 *   Note: fd ref count incremented here.
1920 		 */
1921 	if ((fp = getf(fd)) == NULL)
1922 		return;
1923 
1924 		/* get path from file struct here */
1925 	fad = F2A(fp);
1926 	if (fad->fad_aupath != NULL) {
1927 		au_uwrite(au_to_path(fad->fad_aupath));
1928 	} else {
1929 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1930 	}
1931 
1932 	vp = fp->f_vnode;
1933 	audit_attributes(vp);
1934 
1935 	/* decrement file descriptor reference count */
1936 	releasef(fd);
1937 }
1938 
1939 #ifdef NOTYET
1940 /*ARGSUSED*/
1941 static void
1942 aus_setpgrp(struct t_audit_data *tad)
1943 {
1944 	klwp_t *clwp = ttolwp(curthread);
1945 	uint32_t pgrp;
1946 	struct proc *p;
1947 	uid_t uid, ruid;
1948 	gid_t gid, rgid;
1949 	pid_t pid;
1950 	const auditinfo_addr_t *ainfo;
1951 	cred_t *cr;
1952 
1953 	struct a {
1954 		long	pid;
1955 		long	pgrp;
1956 	} *uap = (struct a *)clwp->lwp_ap;
1957 
1958 	pid  = (pid_t)uap->pid;
1959 	pgrp = (uint32_t)uap->pgrp;
1960 
1961 		/* current process? */
1962 	if (pid == 0)
1963 		(return);
1964 
1965 	mutex_enter(&pidlock);
1966 	p = prfind(pid);
1967 	if (p == NULL || p->p_as == &kas) {
1968 		mutex_exit(&pidlock);
1969 		return;
1970 	}
1971 	mutex_enter(&p->p_lock);	/* so process doesn't go away */
1972 	mutex_exit(&pidlock);
1973 
1974 	mutex_enter(&p->p_crlock);
1975 	crhold(cr = p->p_cred);
1976 	mutex_exit(&p->p_crlock);
1977 	mutex_exit(&p->p_lock);
1978 
1979 	ainfo = crgetauinfo(cr);
1980 	if (ainfo == NULL) {
1981 		crfree(cr);
1982 		return;
1983 	}
1984 
1985 	uid  = crgetuid(cr);
1986 	gid  = crgetgid(cr);
1987 	ruid = crgetruid(cr);
1988 	rgid = crgetrgid(cr);
1989 	au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1990 	    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1991 	crfree(cr);
1992 	au_uwrite(au_to_arg32(2, "pgrp", pgrp));
1993 }
1994 #endif
1995 
1996 /*ARGSUSED*/
1997 static void
1998 aus_setregid(struct t_audit_data *tad)
1999 {
2000 	klwp_t *clwp = ttolwp(curthread);
2001 	uint32_t rgid, egid;
2002 
2003 	struct a {
2004 		long	 rgid;
2005 		long	 egid;
2006 	} *uap = (struct a *)clwp->lwp_ap;
2007 
2008 	rgid  = (uint32_t)uap->rgid;
2009 	egid  = (uint32_t)uap->egid;
2010 
2011 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2012 	au_uwrite(au_to_arg32(2, "egid", egid));
2013 }
2014 
2015 /*ARGSUSED*/
2016 static void
2017 aus_setgid(struct t_audit_data *tad)
2018 {
2019 	klwp_t *clwp = ttolwp(curthread);
2020 	uint32_t gid;
2021 
2022 	struct a {
2023 		long	gid;
2024 	} *uap = (struct a *)clwp->lwp_ap;
2025 
2026 	gid = (uint32_t)uap->gid;
2027 
2028 	au_uwrite(au_to_arg32(1, "gid", gid));
2029 }
2030 
2031 
2032 /*ARGSUSED*/
2033 static void
2034 aus_setreuid(struct t_audit_data *tad)
2035 {
2036 	klwp_t *clwp = ttolwp(curthread);
2037 	uint32_t ruid, euid;
2038 
2039 	struct a {
2040 		long	ruid;
2041 		long	euid;
2042 	} *uap = (struct a *)clwp->lwp_ap;
2043 
2044 	ruid = (uint32_t)uap->ruid;
2045 	euid  = (uint32_t)uap->euid;
2046 
2047 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2048 	au_uwrite(au_to_arg32(2, "euid", euid));
2049 }
2050 
2051 
2052 /*ARGSUSED*/
2053 static void
2054 aus_setuid(struct t_audit_data *tad)
2055 {
2056 	klwp_t *clwp = ttolwp(curthread);
2057 	uint32_t uid;
2058 
2059 	struct a {
2060 		long	uid;
2061 	} *uap = (struct a *)clwp->lwp_ap;
2062 
2063 	uid = (uint32_t)uap->uid;
2064 
2065 	au_uwrite(au_to_arg32(1, "uid", uid));
2066 }
2067 
2068 /*ARGSUSED*/
2069 static void
2070 aus_shmsys(struct t_audit_data *tad)
2071 {
2072 	klwp_t *clwp = ttolwp(curthread);
2073 	uint32_t id, cmd;
2074 
2075 	struct b {
2076 		long	id;
2077 		long	cmd;
2078 		long	buf;		/* struct shmid_ds * */
2079 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2080 
2081 	id  = (uint32_t)uap1->id;
2082 	cmd = (uint32_t)uap1->cmd;
2083 
2084 	switch (tad->tad_event) {
2085 	case AUE_SHMGET:			/* shmget */
2086 		au_uwrite(au_to_arg32(1, "shm key", id));
2087 		break;
2088 	case AUE_SHMCTL:			/* shmctl */
2089 	case AUE_SHMCTL_RMID:			/* shmctl */
2090 	case AUE_SHMCTL_STAT:			/* shmctl */
2091 	case AUE_SHMCTL_SET:			/* shmctl */
2092 		au_uwrite(au_to_arg32(1, "shm ID", id));
2093 		break;
2094 	case AUE_SHMDT:				/* shmdt */
2095 		au_uwrite(au_to_arg32(1, "shm adr", id));
2096 		break;
2097 	case AUE_SHMAT:				/* shmat */
2098 		au_uwrite(au_to_arg32(1, "shm ID", id));
2099 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2100 		break;
2101 	}
2102 }
2103 
2104 /*ARGSUSED*/
2105 static void
2106 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2107 {
2108 	int id;
2109 
2110 	if (error != 0)
2111 		return;
2112 	if (tad->tad_event == AUE_SHMGET) {
2113 		uint32_t scid;
2114 		uint32_t sy_flags;
2115 
2116 		/* need to determine type of executing binary */
2117 		scid = tad->tad_scid;
2118 #ifdef _SYSCALL32_IMPL
2119 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2120 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2121 		else
2122 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2123 #else
2124 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2125 #endif
2126 		if (sy_flags == SE_32RVAL1)
2127 			id = rval->r_val1;
2128 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2129 			id = rval->r_val1;
2130 		if (sy_flags == SE_64RVAL)
2131 			id = (int)rval->r_vals;
2132 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2133 	}
2134 }
2135 
2136 
2137 /*ARGSUSED*/
2138 static void
2139 aus_ioctl(struct t_audit_data *tad)
2140 {
2141 	klwp_t *clwp = ttolwp(curthread);
2142 	struct file *fp;
2143 	struct vnode *vp;
2144 	struct f_audit_data *fad;
2145 	uint32_t fd, cmd;
2146 	uintptr_t cmarg;
2147 
2148 	/* XX64 */
2149 	struct a {
2150 		long	fd;
2151 		long	cmd;
2152 		long	cmarg;		/* caddr_t */
2153 	} *uap = (struct a *)clwp->lwp_ap;
2154 
2155 	fd    = (uint32_t)uap->fd;
2156 	cmd   = (uint32_t)uap->cmd;
2157 	cmarg = (uintptr_t)uap->cmarg;
2158 
2159 		/*
2160 		 * convert file pointer to file descriptor
2161 		 *   Note: fd ref count incremented here.
2162 		 */
2163 	if ((fp = getf(fd)) == NULL) {
2164 		au_uwrite(au_to_arg32(1, "fd", fd));
2165 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2166 #ifndef _LP64
2167 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2168 #else
2169 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2170 #endif
2171 		return;
2172 	}
2173 
2174 	/* get path from file struct here */
2175 	fad = F2A(fp);
2176 	if (fad->fad_aupath != NULL) {
2177 		au_uwrite(au_to_path(fad->fad_aupath));
2178 	} else {
2179 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2180 	}
2181 
2182 	vp = fp->f_vnode;
2183 	audit_attributes(vp);
2184 
2185 	/* decrement file descriptor reference count */
2186 	releasef(fd);
2187 
2188 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2189 #ifndef _LP64
2190 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2191 #else
2192 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2193 #endif
2194 }
2195 
2196 /*
2197  * null function for memcntl for now. We might want to limit memcntl()
2198  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2199  * require privileges.
2200  */
2201 static au_event_t
2202 aui_memcntl(au_event_t e)
2203 {
2204 	return (e);
2205 }
2206 
2207 /*ARGSUSED*/
2208 static au_event_t
2209 aui_privsys(au_event_t e)
2210 {
2211 	klwp_t *clwp = ttolwp(curthread);
2212 
2213 	struct a {
2214 		long	opcode;
2215 	} *uap = (struct a *)clwp->lwp_ap;
2216 
2217 	switch (uap->opcode) {
2218 	case PRIVSYS_SETPPRIV:
2219 		return (AUE_SETPPRIV);
2220 	default:
2221 		return (AUE_NULL);
2222 	}
2223 }
2224 
2225 /*ARGSUSED*/
2226 static void
2227 aus_memcntl(struct t_audit_data *tad)
2228 {
2229 	klwp_t *clwp = ttolwp(curthread);
2230 
2231 	struct a {
2232 		long	addr;
2233 		long	len;
2234 		long	cmd;
2235 		long	arg;
2236 		long	attr;
2237 		long	mask;
2238 	} *uap = (struct a *)clwp->lwp_ap;
2239 
2240 #ifdef _LP64
2241 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2242 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2243 #else
2244 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2245 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2246 #endif
2247 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2248 #ifdef _LP64
2249 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2250 #else
2251 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2252 #endif
2253 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2254 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2255 }
2256 
2257 /*ARGSUSED*/
2258 static void
2259 aus_mmap(struct t_audit_data *tad)
2260 {
2261 	klwp_t *clwp = ttolwp(curthread);
2262 	struct file *fp;
2263 	struct f_audit_data *fad;
2264 	struct vnode *vp;
2265 	uint32_t fd;
2266 
2267 	struct a {
2268 		long	addr;
2269 		long	len;
2270 		long	prot;
2271 		long	flags;
2272 		long	fd;
2273 		long	pos;
2274 	} *uap = (struct a *)clwp->lwp_ap;
2275 
2276 	fd = (uint32_t)uap->fd;
2277 
2278 #ifdef _LP64
2279 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2280 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2281 #else
2282 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2283 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2284 #endif
2285 
2286 	if ((fp = getf(fd)) == NULL) {
2287 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2288 		return;
2289 	}
2290 
2291 	/*
2292 	 * Mark in the tad if write access is NOT requested... if
2293 	 * this is later detected (in audit_attributes) to be a
2294 	 * public object, the mmap event may be discarded.
2295 	 */
2296 	if (((uap->prot) & PROT_WRITE) == 0) {
2297 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2298 	}
2299 
2300 	fad = F2A(fp);
2301 	if (fad->fad_aupath != NULL) {
2302 		au_uwrite(au_to_path(fad->fad_aupath));
2303 	} else {
2304 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2305 	}
2306 
2307 	vp = (struct vnode *)fp->f_vnode;
2308 	audit_attributes(vp);
2309 
2310 	/* mark READ/WRITE since we can't predict access */
2311 	if (uap->prot & PROT_READ)
2312 		fad->fad_flags |= FAD_READ;
2313 	if (uap->prot & PROT_WRITE)
2314 		fad->fad_flags |= FAD_WRITE;
2315 
2316 	/* decrement file descriptor reference count */
2317 	releasef(fd);
2318 
2319 }	/* AUS_MMAP */
2320 
2321 
2322 
2323 
2324 /*ARGSUSED*/
2325 static void
2326 aus_munmap(struct t_audit_data *tad)
2327 {
2328 	klwp_t *clwp = ttolwp(curthread);
2329 
2330 	struct a {
2331 		long	addr;
2332 		long	len;
2333 	} *uap = (struct a *)clwp->lwp_ap;
2334 
2335 #ifdef _LP64
2336 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2337 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2338 #else
2339 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2340 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2341 #endif
2342 
2343 }	/* AUS_MUNMAP */
2344 
2345 
2346 
2347 
2348 
2349 
2350 
2351 /*ARGSUSED*/
2352 static void
2353 aus_priocntlsys(struct t_audit_data *tad)
2354 {
2355 	klwp_t *clwp = ttolwp(curthread);
2356 
2357 	struct a {
2358 		long	pc_version;
2359 		long	psp;		/* procset_t */
2360 		long	cmd;
2361 		long	arg;
2362 	} *uap = (struct a *)clwp->lwp_ap;
2363 
2364 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2365 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2366 
2367 }	/* AUS_PRIOCNTLSYS */
2368 
2369 
2370 /*ARGSUSED*/
2371 static void
2372 aus_setegid(struct t_audit_data *tad)
2373 {
2374 	klwp_t *clwp = ttolwp(curthread);
2375 	uint32_t gid;
2376 
2377 	struct a {
2378 		long	gid;
2379 	} *uap = (struct a *)clwp->lwp_ap;
2380 
2381 	gid = (uint32_t)uap->gid;
2382 
2383 	au_uwrite(au_to_arg32(1, "gid", gid));
2384 }	/* AUS_SETEGID */
2385 
2386 
2387 
2388 
2389 /*ARGSUSED*/
2390 static void
2391 aus_setgroups(struct t_audit_data *tad)
2392 {
2393 	klwp_t *clwp = ttolwp(curthread);
2394 	int i;
2395 	int gidsetsize;
2396 	uintptr_t gidset;
2397 	gid_t *gidlist;
2398 
2399 	struct a {
2400 		long	gidsetsize;
2401 		long	gidset;
2402 	} *uap = (struct a *)clwp->lwp_ap;
2403 
2404 	gidsetsize = (uint_t)uap->gidsetsize;
2405 	gidset = (uintptr_t)uap->gidset;
2406 
2407 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2408 		return;
2409 	if (gidsetsize != 0) {
2410 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2411 						KM_SLEEP);
2412 		if (copyin((caddr_t)gidset, gidlist,
2413 			gidsetsize * sizeof (gid_t)) == 0)
2414 			for (i = 0; i < gidsetsize; i++)
2415 				au_uwrite(au_to_arg32(1, "setgroups",
2416 						(uint32_t)gidlist[i]));
2417 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2418 	} else
2419 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2420 
2421 }	/* AUS_SETGROUPS */
2422 
2423 
2424 
2425 
2426 
2427 /*ARGSUSED*/
2428 static void
2429 aus_seteuid(struct t_audit_data *tad)
2430 {
2431 	klwp_t *clwp = ttolwp(curthread);
2432 	uint32_t uid;
2433 
2434 	struct a {
2435 		long	uid;
2436 	} *uap = (struct a *)clwp->lwp_ap;
2437 
2438 	uid = (uint32_t)uap->uid;
2439 
2440 	au_uwrite(au_to_arg32(1, "euid", uid));
2441 
2442 }	/* AUS_SETEUID */
2443 
2444 /*ARGSUSED*/
2445 static void
2446 aus_putmsg(struct t_audit_data *tad)
2447 {
2448 	klwp_t *clwp = ttolwp(curthread);
2449 	uint32_t fd, pri;
2450 	struct file *fp;
2451 	struct f_audit_data *fad;
2452 
2453 	struct a {
2454 		long	fdes;
2455 		long	ctl;		/* struct strbuf * */
2456 		long	data;		/* struct strbuf * */
2457 		long	pri;
2458 	} *uap = (struct a *)clwp->lwp_ap;
2459 
2460 	fd  = (uint32_t)uap->fdes;
2461 	pri = (uint32_t)uap->pri;
2462 
2463 	au_uwrite(au_to_arg32(1, "fd", fd));
2464 
2465 	if ((fp = getf(fd)) != NULL) {
2466 		fad = F2A(fp);
2467 
2468 		fad->fad_flags |= FAD_WRITE;
2469 
2470 		/* add path name to audit record */
2471 		if (fad->fad_aupath != NULL) {
2472 			au_uwrite(au_to_path(fad->fad_aupath));
2473 		}
2474 		audit_attributes(fp->f_vnode);
2475 
2476 		releasef(fd);
2477 	}
2478 
2479 	au_uwrite(au_to_arg32(4, "pri", pri));
2480 }
2481 
2482 /*ARGSUSED*/
2483 static void
2484 aus_putpmsg(struct t_audit_data *tad)
2485 {
2486 	klwp_t *clwp = ttolwp(curthread);
2487 	uint32_t fd, pri, flags;
2488 	struct file *fp;
2489 	struct f_audit_data *fad;
2490 
2491 	struct a {
2492 		long	fdes;
2493 		long	ctl;		/* struct strbuf * */
2494 		long	data;		/* struct strbuf * */
2495 		long	pri;
2496 		long	flags;
2497 	} *uap = (struct a *)clwp->lwp_ap;
2498 
2499 	fd = (uint32_t)uap->fdes;
2500 	pri  = (uint32_t)uap->pri;
2501 	flags  = (uint32_t)uap->flags;
2502 
2503 	au_uwrite(au_to_arg32(1, "fd", fd));
2504 
2505 	if ((fp = getf(fd)) != NULL) {
2506 		fad = F2A(fp);
2507 
2508 		fad->fad_flags |= FAD_WRITE;
2509 
2510 		/* add path name to audit record */
2511 		if (fad->fad_aupath != NULL) {
2512 			au_uwrite(au_to_path(fad->fad_aupath));
2513 		}
2514 		audit_attributes(fp->f_vnode);
2515 
2516 		releasef(fd);
2517 	}
2518 
2519 
2520 	au_uwrite(au_to_arg32(4, "pri", pri));
2521 	au_uwrite(au_to_arg32(5, "flags", flags));
2522 }
2523 
2524 /*ARGSUSED*/
2525 static void
2526 aus_getmsg(struct t_audit_data *tad)
2527 {
2528 	klwp_t *clwp = ttolwp(curthread);
2529 	uint32_t fd, pri;
2530 	struct file *fp;
2531 	struct f_audit_data *fad;
2532 
2533 	struct a {
2534 		long	fdes;
2535 		long	ctl;		/* struct strbuf * */
2536 		long	data;		/* struct strbuf * */
2537 		long	pri;
2538 	} *uap = (struct a *)clwp->lwp_ap;
2539 
2540 	fd  = (uint32_t)uap->fdes;
2541 	pri = (uint32_t)uap->pri;
2542 
2543 	au_uwrite(au_to_arg32(1, "fd", fd));
2544 
2545 	if ((fp = getf(fd)) != NULL) {
2546 		fad = F2A(fp);
2547 
2548 		/*
2549 		 * read operation on this object
2550 		 */
2551 		fad->fad_flags |= FAD_READ;
2552 
2553 		/* add path name to audit record */
2554 		if (fad->fad_aupath != NULL) {
2555 			au_uwrite(au_to_path(fad->fad_aupath));
2556 		}
2557 		audit_attributes(fp->f_vnode);
2558 
2559 		releasef(fd);
2560 	}
2561 
2562 	au_uwrite(au_to_arg32(4, "pri", pri));
2563 }
2564 
2565 /*ARGSUSED*/
2566 static void
2567 aus_getpmsg(struct t_audit_data *tad)
2568 {
2569 	klwp_t *clwp = ttolwp(curthread);
2570 	uint32_t fd;
2571 	struct file *fp;
2572 	struct f_audit_data *fad;
2573 
2574 	struct a {
2575 		long	fdes;
2576 		long	ctl;		/* struct strbuf * */
2577 		long	data;		/* struct strbuf * */
2578 		long	pri;
2579 		long	flags;
2580 	} *uap = (struct a *)clwp->lwp_ap;
2581 
2582 	fd = (uint32_t)uap->fdes;
2583 
2584 	au_uwrite(au_to_arg32(1, "fd", fd));
2585 
2586 	if ((fp = getf(fd)) != NULL) {
2587 		fad = F2A(fp);
2588 
2589 		/*
2590 		 * read operation on this object
2591 		 */
2592 		fad->fad_flags |= FAD_READ;
2593 
2594 		/* add path name to audit record */
2595 		if (fad->fad_aupath != NULL) {
2596 			au_uwrite(au_to_path(fad->fad_aupath));
2597 		}
2598 		audit_attributes(fp->f_vnode);
2599 
2600 		releasef(fd);
2601 	}
2602 }
2603 
2604 static au_event_t
2605 aui_auditsys(au_event_t e)
2606 {
2607 	klwp_t *clwp = ttolwp(curthread);
2608 	uint32_t code;
2609 
2610 	struct a {
2611 		long	code;
2612 		long	a1;
2613 		long	a2;
2614 		long	a3;
2615 		long	a4;
2616 		long	a5;
2617 		long	a6;
2618 		long	a7;
2619 	} *uap = (struct a *)clwp->lwp_ap;
2620 
2621 	code = (uint32_t)uap->code;
2622 
2623 	switch (code) {
2624 
2625 	case BSM_GETAUID:
2626 		e = AUE_GETAUID;
2627 		break;
2628 	case BSM_SETAUID:
2629 		e = AUE_SETAUID;
2630 		break;
2631 	case BSM_GETAUDIT:
2632 		e = AUE_GETAUDIT;
2633 		break;
2634 	case BSM_GETAUDIT_ADDR:
2635 		e = AUE_GETAUDIT_ADDR;
2636 		break;
2637 	case BSM_SETAUDIT:
2638 		e = AUE_SETAUDIT;
2639 		break;
2640 	case BSM_SETAUDIT_ADDR:
2641 		e = AUE_SETAUDIT_ADDR;
2642 		break;
2643 	case BSM_AUDIT:
2644 		e = AUE_AUDIT;
2645 		break;
2646 	case BSM_AUDITSVC:
2647 		e = AUE_AUDITSVC;
2648 		break;
2649 	case BSM_GETPORTAUDIT:
2650 		e = AUE_GETPORTAUDIT;
2651 		break;
2652 	case BSM_AUDITON:
2653 	case BSM_AUDITCTL:
2654 
2655 		switch ((uint_t)uap->a1) {
2656 
2657 		case A_GETPOLICY:
2658 			e = AUE_AUDITON_GPOLICY;
2659 			break;
2660 		case A_SETPOLICY:
2661 			e = AUE_AUDITON_SPOLICY;
2662 			break;
2663 		case A_GETKMASK:
2664 			e = AUE_AUDITON_GETKMASK;
2665 			break;
2666 		case A_SETKMASK:
2667 			e = AUE_AUDITON_SETKMASK;
2668 			break;
2669 		case A_GETQCTRL:
2670 			e = AUE_AUDITON_GQCTRL;
2671 			break;
2672 		case A_SETQCTRL:
2673 			e = AUE_AUDITON_SQCTRL;
2674 			break;
2675 		case A_GETCWD:
2676 			e = AUE_AUDITON_GETCWD;
2677 			break;
2678 		case A_GETCAR:
2679 			e = AUE_AUDITON_GETCAR;
2680 			break;
2681 		case A_GETSTAT:
2682 			e = AUE_AUDITON_GETSTAT;
2683 			break;
2684 		case A_SETSTAT:
2685 			e = AUE_AUDITON_SETSTAT;
2686 			break;
2687 		case A_SETUMASK:
2688 			e = AUE_AUDITON_SETUMASK;
2689 			break;
2690 		case A_SETSMASK:
2691 			e = AUE_AUDITON_SETSMASK;
2692 			break;
2693 		case A_GETCOND:
2694 			e = AUE_AUDITON_GETCOND;
2695 			break;
2696 		case A_SETCOND:
2697 			e = AUE_AUDITON_SETCOND;
2698 			break;
2699 		case A_GETCLASS:
2700 			e = AUE_AUDITON_GETCLASS;
2701 			break;
2702 		case A_SETCLASS:
2703 			e = AUE_AUDITON_SETCLASS;
2704 			break;
2705 		default:
2706 			e = AUE_NULL;
2707 			break;
2708 		}
2709 		break;
2710 	default:
2711 		e = AUE_NULL;
2712 		break;
2713 	}
2714 
2715 	return (e);
2716 
2717 
2718 
2719 
2720 }	/* AUI_AUDITSYS */
2721 
2722 
2723 
2724 
2725 
2726 
2727 
2728 static void
2729 aus_auditsys(struct t_audit_data *tad)
2730 {
2731 	klwp_t *clwp = ttolwp(curthread);
2732 	uintptr_t a1, a2;
2733 	struct file *fp;
2734 	struct f_audit_data *fad;
2735 	struct vnode *vp;
2736 	STRUCT_DECL(auditinfo, ainfo);
2737 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2738 	au_evclass_map_t event;
2739 	au_mask_t mask;
2740 	int auditstate, policy;
2741 	au_id_t auid;
2742 
2743 
2744 	struct a {
2745 		long	code;
2746 		long	a1;
2747 		long	a2;
2748 		long	a3;
2749 		long	a4;
2750 		long	a5;
2751 		long	a6;
2752 		long	a7;
2753 	} *uap = (struct a *)clwp->lwp_ap;
2754 
2755 	a1   = (uintptr_t)uap->a1;
2756 	a2   = (uintptr_t)uap->a2;
2757 
2758 	switch (tad->tad_event) {
2759 	case AUE_SETAUID:
2760 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2761 				return;
2762 		au_uwrite(au_to_arg32(2, "setauid", auid));
2763 		break;
2764 	case AUE_SETAUDIT:
2765 		STRUCT_INIT(ainfo, get_udatamodel());
2766 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2767 				STRUCT_SIZE(ainfo))) {
2768 				return;
2769 		}
2770 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2771 			(uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2772 #ifdef _LP64
2773 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2774 			(uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2775 #else
2776 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2777 			(uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2778 #endif
2779 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2780 			(uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2781 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2782 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2783 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2784 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2785 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2786 			(uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2787 		break;
2788 	case AUE_SETAUDIT_ADDR:
2789 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2790 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2791 				STRUCT_SIZE(ainfo_addr))) {
2792 				return;
2793 		}
2794 		au_uwrite(au_to_arg32((char)1, "auid",
2795 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2796 #ifdef _LP64
2797 		au_uwrite(au_to_arg64((char)1, "port",
2798 			(uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2799 #else
2800 		au_uwrite(au_to_arg32((char)1, "port",
2801 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2802 #endif
2803 		au_uwrite(au_to_arg32((char)1, "type",
2804 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2805 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2806 		    AU_IPv4) {
2807 			au_uwrite(au_to_in_addr(
2808 				(struct in_addr *)STRUCT_FGETP(ainfo_addr,
2809 					ai_termid.at_addr)));
2810 		} else {
2811 			au_uwrite(au_to_in_addr_ex(
2812 				(int32_t *)STRUCT_FGETP(ainfo_addr,
2813 					ai_termid.at_addr)));
2814 		}
2815 		au_uwrite(au_to_arg32((char)1, "as_success",
2816 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2817 		au_uwrite(au_to_arg32((char)1, "as_failure",
2818 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2819 		au_uwrite(au_to_arg32((char)1, "asid",
2820 			(uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2821 		break;
2822 	case AUE_AUDITSVC:
2823 		/*
2824 		 * convert file pointer to file descriptor
2825 		 * Note: fd ref count incremented here
2826 		 */
2827 		if ((fp = getf((uint_t)a1)) == NULL)
2828 			return;
2829 		fad = F2A(fp);
2830 		if (fad->fad_aupath != NULL) {
2831 			au_uwrite(au_to_path(fad->fad_aupath));
2832 		} else {
2833 			au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1));
2834 		}
2835 
2836 		vp = fp->f_vnode;	/* include vnode attributes */
2837 		audit_attributes(vp);
2838 
2839 		/* decrement file descriptor ref count */
2840 		releasef((uint_t)a1);
2841 
2842 		au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2));
2843 		break;
2844 	case AUE_AUDITON_SETKMASK:
2845 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2846 				return;
2847 		au_uwrite(au_to_arg32(
2848 			2, "setkmask:as_success", (uint32_t)mask.as_success));
2849 		au_uwrite(au_to_arg32(
2850 			2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2851 		break;
2852 	case AUE_AUDITON_SPOLICY:
2853 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2854 			return;
2855 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2856 		break;
2857 	case AUE_AUDITON_SQCTRL: {
2858 		STRUCT_DECL(au_qctrl, qctrl);
2859 		model_t model;
2860 
2861 		model = get_udatamodel();
2862 		STRUCT_INIT(qctrl, model);
2863 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
2864 				return;
2865 		if (model == DATAMODEL_ILP32) {
2866 			au_uwrite(au_to_arg32(
2867 				3, "setqctrl:aq_hiwater",
2868 				(uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
2869 			au_uwrite(au_to_arg32(
2870 				3, "setqctrl:aq_lowater",
2871 				(uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
2872 			au_uwrite(au_to_arg32(
2873 				3, "setqctrl:aq_bufsz",
2874 				(uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
2875 			au_uwrite(au_to_arg32(
2876 				3, "setqctrl:aq_delay",
2877 				(uint32_t)STRUCT_FGET(qctrl, aq_delay)));
2878 		} else {
2879 			au_uwrite(au_to_arg64(
2880 				3, "setqctrl:aq_hiwater",
2881 				(uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
2882 			au_uwrite(au_to_arg64(
2883 				3, "setqctrl:aq_lowater",
2884 				(uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
2885 			au_uwrite(au_to_arg64(
2886 				3, "setqctrl:aq_bufsz",
2887 				(uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
2888 			au_uwrite(au_to_arg64(
2889 				3, "setqctrl:aq_delay",
2890 				(uint64_t)STRUCT_FGET(qctrl, aq_delay)));
2891 		}
2892 		break;
2893 	}
2894 	case AUE_AUDITON_SETUMASK:
2895 		STRUCT_INIT(ainfo, get_udatamodel());
2896 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2897 				STRUCT_SIZE(ainfo))) {
2898 				return;
2899 		}
2900 		au_uwrite(au_to_arg32(3, "setumask:as_success",
2901 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2902 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
2903 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2904 		break;
2905 	case AUE_AUDITON_SETSMASK:
2906 		STRUCT_INIT(ainfo, get_udatamodel());
2907 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2908 				STRUCT_SIZE(ainfo))) {
2909 				return;
2910 		}
2911 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
2912 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2913 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
2914 			(uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2915 		break;
2916 	case AUE_AUDITON_SETCOND:
2917 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
2918 			return;
2919 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
2920 		break;
2921 	case AUE_AUDITON_SETCLASS:
2922 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
2923 			return;
2924 		au_uwrite(au_to_arg32(
2925 			2, "setclass:ec_event", (uint32_t)event.ec_number));
2926 		au_uwrite(au_to_arg32(
2927 			3, "setclass:ec_class", (uint32_t)event.ec_class));
2928 		break;
2929 	case AUE_GETAUID:
2930 	case AUE_GETAUDIT:
2931 	case AUE_GETAUDIT_ADDR:
2932 	case AUE_AUDIT:
2933 	case AUE_GETPORTAUDIT:
2934 	case AUE_AUDITON_GPOLICY:
2935 	case AUE_AUDITON_GQCTRL:
2936 	case AUE_AUDITON_GETKMASK:
2937 	case AUE_AUDITON_GETCWD:
2938 	case AUE_AUDITON_GETCAR:
2939 	case AUE_AUDITON_GETSTAT:
2940 	case AUE_AUDITON_SETSTAT:
2941 	case AUE_AUDITON_GETCOND:
2942 	case AUE_AUDITON_GETCLASS:
2943 		break;
2944 	default:
2945 		break;
2946 	}
2947 
2948 }	/* AUS_AUDITSYS */
2949 
2950 
2951 /* only audit privileged operations for systeminfo(2) system call */
2952 static au_event_t
2953 aui_sysinfo(au_event_t e)
2954 {
2955 	klwp_t *clwp = ttolwp(curthread);
2956 	uint32_t command;
2957 
2958 	struct a {
2959 		long	command;
2960 		long	buf;		/* char * */
2961 		long	count;
2962 	} *uap = (struct a *)clwp->lwp_ap;
2963 
2964 	command = (uint32_t)uap->command;
2965 
2966 	switch (command) {
2967 	case SI_SET_HOSTNAME:
2968 	case SI_SET_SRPC_DOMAIN:
2969 		e = (au_event_t)AUE_SYSINFO;
2970 		break;
2971 	default:
2972 		e = (au_event_t)AUE_NULL;
2973 		break;
2974 	}
2975 	return (e);
2976 }
2977 
2978 /*ARGSUSED*/
2979 static void
2980 aus_sysinfo(struct t_audit_data *tad)
2981 {
2982 	klwp_t *clwp = ttolwp(curthread);
2983 	uint32_t command;
2984 	size_t len, maxlen;
2985 	char *name;
2986 	uintptr_t buf;
2987 
2988 	struct a {
2989 		long	command;
2990 		long	buf;		/* char * */
2991 		long	count;
2992 	} *uap = (struct a *)clwp->lwp_ap;
2993 
2994 	command = (uint32_t)uap->command;
2995 	buf = (uintptr_t)uap->buf;
2996 
2997 	au_uwrite(au_to_arg32(1, "cmd", command));
2998 
2999 	switch (command) {
3000 	case SI_SET_HOSTNAME:
3001 	{
3002 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3003 			return;
3004 
3005 		maxlen = SYS_NMLN;
3006 		name = kmem_alloc(maxlen, KM_SLEEP);
3007 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3008 			break;
3009 
3010 		/*
3011 		 * Must be non-NULL string and string
3012 		 * must be less than SYS_NMLN chars.
3013 		 */
3014 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3015 			break;
3016 
3017 		au_uwrite(au_to_text(name));
3018 		break;
3019 	}
3020 
3021 	case SI_SET_SRPC_DOMAIN:
3022 	{
3023 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3024 			return;
3025 
3026 		maxlen = SYS_NMLN;
3027 		name = kmem_alloc(maxlen, KM_SLEEP);
3028 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3029 			break;
3030 
3031 		/*
3032 		 * If string passed in is longer than length
3033 		 * allowed for domain name, fail.
3034 		 */
3035 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3036 			break;
3037 
3038 		au_uwrite(au_to_text(name));
3039 		break;
3040 	}
3041 
3042 	default:
3043 		return;
3044 	}
3045 
3046 	kmem_free(name, maxlen);
3047 }
3048 
3049 static au_event_t
3050 aui_modctl(au_event_t e)
3051 {
3052 	klwp_t *clwp = ttolwp(curthread);
3053 	uint_t cmd;
3054 
3055 	struct a {
3056 		long	cmd;
3057 	} *uap = (struct a *)clwp->lwp_ap;
3058 
3059 	cmd = (uint_t)uap->cmd;
3060 
3061 	switch (cmd) {
3062 	case MODLOAD:
3063 		e = AUE_MODLOAD;
3064 		break;
3065 	case MODUNLOAD:
3066 		e = AUE_MODUNLOAD;
3067 		break;
3068 	case MODADDMAJBIND:
3069 		e = AUE_MODADDMAJ;
3070 		break;
3071 	case MODSETDEVPOLICY:
3072 		e = AUE_MODDEVPLCY;
3073 		break;
3074 	case MODALLOCPRIV:
3075 		e = AUE_MODADDPRIV;
3076 		break;
3077 	default:
3078 		e = AUE_NULL;
3079 		break;
3080 	}
3081 	return (e);
3082 }
3083 
3084 
3085 /*ARGSUSED*/
3086 static void
3087 aus_modctl(struct t_audit_data *tad)
3088 {
3089 	klwp_t *clwp = ttolwp(curthread);
3090 	void *a	= clwp->lwp_ap;
3091 	uint_t use_path;
3092 
3093 	switch (tad->tad_event) {
3094 	case AUE_MODLOAD: {
3095 		typedef struct {
3096 			long	cmd;
3097 			long	use_path;
3098 			long	filename;		/* char * */
3099 		} modloada_t;
3100 
3101 		char *filenamep;
3102 		uintptr_t fname;
3103 		extern char *default_path;
3104 
3105 		fname = (uintptr_t)((modloada_t *)a)->filename;
3106 		use_path = (uint_t)((modloada_t *)a)->use_path;
3107 
3108 			/* space to hold path */
3109 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3110 			/* get string */
3111 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3112 				/* free allocated path */
3113 			kmem_free(filenamep, MOD_MAXPATH);
3114 			return;
3115 		}
3116 			/* ensure it's null terminated */
3117 		filenamep[MOD_MAXPATH - 1] = 0;
3118 
3119 		if (use_path)
3120 			au_uwrite(au_to_text(default_path));
3121 		au_uwrite(au_to_text(filenamep));
3122 
3123 			/* release temporary memory */
3124 		kmem_free(filenamep, MOD_MAXPATH);
3125 		break;
3126 	}
3127 	case AUE_MODUNLOAD: {
3128 		typedef struct {
3129 			long	cmd;
3130 			long	id;
3131 		} modunloada_t;
3132 
3133 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3134 
3135 		au_uwrite(au_to_arg32(1, "id", id));
3136 		break;
3137 	}
3138 	case AUE_MODADDMAJ: {
3139 		STRUCT_DECL(modconfig, mc);
3140 		typedef struct {
3141 			long	cmd;
3142 			long	subcmd;
3143 			long	data;		/* int * */
3144 		} modconfiga_t;
3145 
3146 		STRUCT_DECL(aliases, alias);
3147 		caddr_t ap;
3148 		int i, num_aliases;
3149 		char *drvname, *mc_drvname;
3150 		char *name;
3151 		extern char *ddi_major_to_name(major_t);
3152 		model_t model;
3153 
3154 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3155 
3156 		model = get_udatamodel();
3157 		STRUCT_INIT(mc, model);
3158 			/* sanitize buffer */
3159 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3160 			/* get user arguments */
3161 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3162 				STRUCT_SIZE(mc)) != 0)
3163 			return;
3164 
3165 		mc_drvname = STRUCT_FGET(mc, drvname);
3166 		if ((drvname = ddi_major_to_name(
3167 			(major_t)STRUCT_FGET(mc, major))) != NULL &&
3168 			strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3169 				/* safety */
3170 			if (mc_drvname[0] != '\0') {
3171 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3172 				au_uwrite(au_to_text(mc_drvname));
3173 			}
3174 				/* drvname != NULL from test above */
3175 			au_uwrite(au_to_text(drvname));
3176 			return;
3177 		}
3178 
3179 		if (mc_drvname[0] != '\0') {
3180 				/* safety */
3181 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3182 			au_uwrite(au_to_text(mc_drvname));
3183 		} else
3184 			au_uwrite(au_to_text("no drvname"));
3185 
3186 		num_aliases = STRUCT_FGET(mc, num_aliases);
3187 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3188 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3189 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3190 		STRUCT_INIT(alias, model);
3191 		for (i = 0; i < num_aliases; i++) {
3192 			bzero((caddr_t)STRUCT_BUF(alias),
3193 					STRUCT_SIZE(alias));
3194 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3195 					STRUCT_SIZE(alias)) != 0)
3196 				break;
3197 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3198 			    MAXMODCONFNAME, NULL) != 0) {
3199 				break;
3200 			}
3201 
3202 			au_uwrite(au_to_text(name));
3203 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3204 		}
3205 		kmem_free(name, MAXMODCONFNAME);
3206 		break;
3207 	}
3208 	default:
3209 		break;
3210 	}
3211 }
3212 
3213 /*
3214  * private version of getsonode that does not do eprintsoline()
3215  */
3216 static struct sonode *
3217 au_getsonode(int sock, int *errorp, file_t **fpp)
3218 {
3219 	file_t *fp;
3220 	register vnode_t *vp;
3221 	struct sonode *so;
3222 
3223 	if ((fp = getf(sock)) == NULL) {
3224 		*errorp = EBADF;
3225 		return (NULL);
3226 	}
3227 	vp = fp->f_vnode;
3228 	/* Check if it is a socket */
3229 	if (vp->v_type != VSOCK) {
3230 		releasef(sock);
3231 		*errorp = ENOTSOCK;
3232 		return (NULL);
3233 	}
3234 	/*
3235 	 * Use the stream head to find the real socket vnode.
3236 	 * This is needed when namefs sits above sockfs.
3237 	 */
3238 	ASSERT(vp->v_stream);
3239 	ASSERT(vp->v_stream->sd_vnode);
3240 	vp = vp->v_stream->sd_vnode;
3241 	so = VTOSO(vp);
3242 	if (so->so_version == SOV_STREAM) {
3243 		releasef(sock);
3244 		*errorp = ENOTSOCK;
3245 		return (NULL);
3246 	}
3247 	if (fpp)
3248 		*fpp = fp;
3249 	return (so);
3250 }
3251 
3252 /*ARGSUSED*/
3253 static void
3254 auf_accept(
3255 	struct t_audit_data *tad,
3256 	int	error,
3257 	rval_t	*rval)
3258 {
3259 	uint32_t scid;
3260 	uint32_t sy_flags;
3261 	int fd;
3262 	struct sonode *so;
3263 	char so_laddr[sizeof (struct sockaddr_in6)];
3264 	char so_faddr[sizeof (struct sockaddr_in6)];
3265 	int err;
3266 	int len;
3267 	short so_family, so_type;
3268 	int add_sock_token = 0;
3269 
3270 	/* need to determine type of executing binary */
3271 	scid = tad->tad_scid;
3272 #ifdef _SYSCALL32_IMPL
3273 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3274 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3275 	else
3276 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3277 #else
3278 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3279 #endif
3280 	if (sy_flags == SE_32RVAL1)
3281 		fd = rval->r_val1;
3282 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3283 		fd = rval->r_val1;
3284 	if (sy_flags == SE_64RVAL)
3285 		fd = (int)rval->r_vals;
3286 
3287 	if (error) {
3288 		/* can't trust socket contents. Just return */
3289 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3290 		return;
3291 	}
3292 
3293 	if ((so = au_getsonode((int)fd, &err, NULL)) == NULL) {
3294 		/*
3295 		 * not security relevant if doing a accept from non socket
3296 		 * so no extra tokens. Should probably turn off audit record
3297 		 * generation here.
3298 		 */
3299 		return;
3300 	}
3301 
3302 	so_family = so->so_family;
3303 	so_type   = so->so_type;
3304 
3305 	switch (so_family) {
3306 	case AF_INET:
3307 	case AF_INET6:
3308 		/*
3309 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3310 		 */
3311 		if (so->so_type == SOCK_STREAM) {
3312 
3313 			bzero((void *)so_laddr, sizeof (so_laddr));
3314 			bzero((void *)so_faddr, sizeof (so_faddr));
3315 
3316 			/*
3317 			 * no local address then need to get it from lower
3318 			 * levels. only put out record on first read ala
3319 			 * AUE_WRITE.
3320 			 */
3321 			if (so->so_state & SS_ISBOUND) {
3322 				/* only done once on a connection */
3323 				(void) SOP_GETSOCKNAME(so);
3324 				(void) SOP_GETPEERNAME(so);
3325 
3326 				/* get local and foreign addresses */
3327 				mutex_enter(&so->so_lock);
3328 				len = min(so->so_laddr_len, sizeof (so_laddr));
3329 				bcopy(so->so_laddr_sa, so_laddr, len);
3330 				len = min(so->so_faddr_len, sizeof (so_faddr));
3331 				bcopy(so->so_faddr_sa, so_faddr, len);
3332 				mutex_exit(&so->so_lock);
3333 			}
3334 
3335 			add_sock_token = 1;
3336 		}
3337 		break;
3338 
3339 	default:
3340 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3341 		break;
3342 	}
3343 
3344 	releasef(fd);
3345 
3346 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3347 
3348 	if (add_sock_token == 0) {
3349 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3350 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3351 		return;
3352 	}
3353 
3354 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3355 
3356 }
3357 
3358 /*ARGSUSED*/
3359 static void
3360 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3361 {
3362 	struct a {
3363 		long	fd;
3364 		long	addr;
3365 		long	len;
3366 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3367 
3368 	struct sonode *so;
3369 	char so_laddr[sizeof (struct sockaddr_in6)];
3370 	char so_faddr[sizeof (struct sockaddr_in6)];
3371 	int err, fd;
3372 	int len;
3373 	short so_family, so_type;
3374 	int add_sock_token = 0;
3375 
3376 	fd = (int)uap->fd;
3377 
3378 	/*
3379 	 * bind failed, then nothing extra to add to audit record.
3380 	 */
3381 	if (error) {
3382 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3383 		/* XXX may want to add failed address some day */
3384 		return;
3385 	}
3386 
3387 	if ((so = au_getsonode(fd, &err, NULL)) == NULL) {
3388 		/*
3389 		 * not security relevant if doing a bind from non socket
3390 		 * so no extra tokens. Should probably turn off audit record
3391 		 * generation here.
3392 		 */
3393 		return;
3394 	}
3395 
3396 	so_family = so->so_family;
3397 	so_type   = so->so_type;
3398 
3399 	switch (so_family) {
3400 	case AF_INET:
3401 	case AF_INET6:
3402 
3403 		bzero(so_faddr, sizeof (so_faddr));
3404 
3405 		if (so->so_state & SS_ISBOUND) {
3406 			/* only done once on a connection */
3407 			(void) SOP_GETSOCKNAME(so);
3408 		}
3409 
3410 		mutex_enter(&so->so_lock);
3411 		len = min(so->so_laddr_len, sizeof (so_laddr));
3412 		bcopy(so->so_laddr_sa, so_laddr, len);
3413 		mutex_exit(&so->so_lock);
3414 
3415 		add_sock_token = 1;
3416 
3417 		break;
3418 
3419 	case AF_UNIX:
3420 		/* token added by lookup */
3421 		break;
3422 	default:
3423 		/* AF_ROUTE, AF_KEY do not support accept */
3424 		break;
3425 	}
3426 
3427 	releasef(fd);
3428 
3429 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3430 
3431 	if (add_sock_token == 0) {
3432 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3433 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3434 		return;
3435 	}
3436 
3437 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3438 
3439 }
3440 
3441 /*ARGSUSED*/
3442 static void
3443 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3444 {
3445 	struct a {
3446 		long	fd;
3447 		long	addr;
3448 		long	len;
3449 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3450 
3451 	struct sonode *so;
3452 	char so_laddr[sizeof (struct sockaddr_in6)];
3453 	char so_faddr[sizeof (struct sockaddr_in6)];
3454 	int err, fd;
3455 	int len;
3456 	short so_family, so_type;
3457 	int add_sock_token = 0;
3458 
3459 	fd = (int)uap->fd;
3460 
3461 
3462 	if ((so = au_getsonode(fd, &err, NULL)) == NULL) {
3463 		/*
3464 		 * not security relevant if doing a connect from non socket
3465 		 * so no extra tokens. Should probably turn off audit record
3466 		 * generation here.
3467 		 */
3468 		return;
3469 	}
3470 
3471 	so_family = so->so_family;
3472 	so_type   = so->so_type;
3473 
3474 	switch (so_family) {
3475 	case AF_INET:
3476 	case AF_INET6:
3477 		/*
3478 		 * no local address then need to get it from lower
3479 		 * levels.
3480 		 */
3481 		if (so->so_state & SS_ISBOUND) {
3482 			/* only done once on a connection */
3483 			(void) SOP_GETSOCKNAME(so);
3484 			(void) SOP_GETPEERNAME(so);
3485 		}
3486 
3487 		bzero(so_laddr, sizeof (so_laddr));
3488 		bzero(so_faddr, sizeof (so_faddr));
3489 
3490 		mutex_enter(&so->so_lock);
3491 		len = min(so->so_laddr_len, sizeof (so_laddr));
3492 		bcopy(so->so_laddr_sa, so_laddr, len);
3493 		if (error) {
3494 			mutex_exit(&so->so_lock);
3495 			if (uap->addr == NULL)
3496 				break;
3497 			if (uap->len <= 0)
3498 				break;
3499 			len = min(uap->len, sizeof (so_faddr));
3500 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3501 				break;
3502 #ifdef NOTYET
3503 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3504 #endif
3505 		} else {
3506 			/* sanity check on length */
3507 			len = min(so->so_faddr_len, sizeof (so_faddr));
3508 			bcopy(so->so_faddr_sa, so_faddr, len);
3509 			mutex_exit(&so->so_lock);
3510 		}
3511 
3512 		add_sock_token = 1;
3513 
3514 		break;
3515 
3516 	case AF_UNIX:
3517 		/* does a lookup on name */
3518 		break;
3519 
3520 	default:
3521 		/* AF_ROUTE, AF_KEY do not support accept */
3522 		break;
3523 	}
3524 
3525 	releasef(fd);
3526 
3527 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3528 
3529 	if (add_sock_token == 0) {
3530 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3531 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3532 		return;
3533 	}
3534 
3535 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3536 
3537 }
3538 
3539 /*ARGSUSED*/
3540 static void
3541 aus_shutdown(struct t_audit_data *tad)
3542 {
3543 	struct a {
3544 		long	fd;
3545 		long	how;
3546 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3547 
3548 	struct sonode *so;
3549 	char so_laddr[sizeof (struct sockaddr_in6)];
3550 	char so_faddr[sizeof (struct sockaddr_in6)];
3551 	int err, fd;
3552 	int len;
3553 	short so_family, so_type;
3554 	int add_sock_token = 0;
3555 	file_t *fp;				/* unix domain sockets */
3556 	struct f_audit_data *fad;		/* unix domain sockets */
3557 
3558 	fd = (int)uap->fd;
3559 
3560 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3561 		/*
3562 		 * not security relevant if doing a shutdown using non socket
3563 		 * so no extra tokens. Should probably turn off audit record
3564 		 * generation here.
3565 		 */
3566 		return;
3567 	}
3568 
3569 	so_family = so->so_family;
3570 	so_type   = so->so_type;
3571 
3572 	switch (so_family) {
3573 	case AF_INET:
3574 	case AF_INET6:
3575 
3576 		bzero(so_laddr, sizeof (so_laddr));
3577 		bzero(so_faddr, sizeof (so_faddr));
3578 
3579 		if (so->so_state & SS_ISBOUND) {
3580 			/*
3581 			 * no local address then need to get it from lower
3582 			 * levels.
3583 			 */
3584 			if (so->so_laddr_len == 0)
3585 				(void) SOP_GETSOCKNAME(so);
3586 			if (so->so_faddr_len == 0)
3587 				(void) SOP_GETPEERNAME(so);
3588 		}
3589 
3590 		mutex_enter(&so->so_lock);
3591 		len = min(so->so_laddr_len, sizeof (so_laddr));
3592 		bcopy(so->so_laddr_sa, so_laddr, len);
3593 		len = min(so->so_faddr_len, sizeof (so_faddr));
3594 		bcopy(so->so_faddr_sa, so_faddr, len);
3595 		mutex_exit(&so->so_lock);
3596 
3597 		add_sock_token = 1;
3598 
3599 		break;
3600 
3601 	case AF_UNIX:
3602 
3603 		/* get path from file struct here */
3604 		fad = F2A(fp);
3605 		ASSERT(fad);
3606 
3607 		if (fad->fad_aupath != NULL) {
3608 			au_uwrite(au_to_path(fad->fad_aupath));
3609 		} else {
3610 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3611 		}
3612 
3613 		audit_attributes(fp->f_vnode);
3614 
3615 		break;
3616 
3617 	default:
3618 		/*
3619 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3620 		 * added.
3621 		 */
3622 		break;
3623 	}
3624 
3625 	releasef(fd);
3626 
3627 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3628 
3629 	if (add_sock_token == 0) {
3630 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3631 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3632 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3633 		return;
3634 	}
3635 
3636 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3637 
3638 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3639 
3640 }
3641 
3642 /*ARGSUSED*/
3643 static void
3644 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3645 {
3646 	struct a {
3647 		long	fd;
3648 		long	level;
3649 		long	optname;
3650 		long	*optval;
3651 		long	optlen;
3652 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3653 
3654 	struct sonode	*so;
3655 	char so_laddr[sizeof (struct sockaddr_in6)];
3656 	char so_faddr[sizeof (struct sockaddr_in6)];
3657 	char		val[AU_BUFSIZE];
3658 	int		err, fd;
3659 	int		len;
3660 	short so_family, so_type;
3661 	int		add_sock_token = 0;
3662 	file_t *fp;				/* unix domain sockets */
3663 	struct f_audit_data *fad;		/* unix domain sockets */
3664 
3665 	fd = (int)uap->fd;
3666 
3667 	if (error) {
3668 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3669 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3670 		/* XXX may want to include other arguments */
3671 		return;
3672 	}
3673 
3674 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3675 		/*
3676 		 * not security relevant if doing a setsockopt from non socket
3677 		 * so no extra tokens. Should probably turn off audit record
3678 		 * generation here.
3679 		 */
3680 		return;
3681 	}
3682 
3683 	so_family = so->so_family;
3684 	so_type   = so->so_type;
3685 
3686 	switch (so_family) {
3687 	case AF_INET:
3688 	case AF_INET6:
3689 
3690 		bzero((void *)so_laddr, sizeof (so_laddr));
3691 		bzero((void *)so_faddr, sizeof (so_faddr));
3692 
3693 		if (so->so_state & SS_ISBOUND) {
3694 			if (so->so_laddr_len == 0)
3695 				(void) SOP_GETSOCKNAME(so);
3696 			if (so->so_faddr_len == 0)
3697 				(void) SOP_GETPEERNAME(so);
3698 		}
3699 
3700 		/* get local and foreign addresses */
3701 		mutex_enter(&so->so_lock);
3702 		len = min(so->so_laddr_len, sizeof (so_laddr));
3703 		bcopy(so->so_laddr_sa, so_laddr, len);
3704 		len = min(so->so_faddr_len, sizeof (so_faddr));
3705 		bcopy(so->so_faddr_sa, so_faddr, len);
3706 		mutex_exit(&so->so_lock);
3707 
3708 		add_sock_token = 1;
3709 
3710 		break;
3711 
3712 	case AF_UNIX:
3713 
3714 		/* get path from file struct here */
3715 		fad = F2A(fp);
3716 		ASSERT(fad);
3717 
3718 		if (fad->fad_aupath != NULL) {
3719 			au_uwrite(au_to_path(fad->fad_aupath));
3720 		} else {
3721 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3722 		}
3723 
3724 		audit_attributes(fp->f_vnode);
3725 
3726 		break;
3727 
3728 	default:
3729 		/*
3730 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3731 		 * added.
3732 		 */
3733 		break;
3734 	}
3735 
3736 	releasef(fd);
3737 
3738 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3739 
3740 	if (add_sock_token == 0) {
3741 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3742 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3743 	}
3744 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3745 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3746 
3747 	bzero(val, sizeof (val));
3748 	len = min(uap->optlen, sizeof (val));
3749 	if ((len > 0) &&
3750 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3751 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3752 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3753 	}
3754 
3755 	if (add_sock_token == 0)
3756 		return;
3757 
3758 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3759 
3760 }
3761 
3762 /*ARGSUSED*/
3763 static void
3764 aus_sockconfig(tad)
3765 	struct t_audit_data *tad;
3766 {
3767 	struct a {
3768 		long	domain;
3769 		long	type;
3770 		long	protocol;
3771 		long	devpath;
3772 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3773 
3774 	char	*kdevpath;
3775 	int	kdevpathlen = MAXPATHLEN + 1;
3776 	size_t	size;
3777 
3778 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3779 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3780 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3781 
3782 	if (uap->devpath == 0) {
3783 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3784 	} else {
3785 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3786 
3787 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3788 			&size)) {
3789 			kmem_free(kdevpath, kdevpathlen);
3790 			return;
3791 		}
3792 
3793 		if (size > MAXPATHLEN) {
3794 			kmem_free(kdevpath, kdevpathlen);
3795 			return;
3796 		}
3797 
3798 		au_uwrite(au_to_text(kdevpath));
3799 		kmem_free(kdevpath, kdevpathlen);
3800 	}
3801 }
3802 
3803 /*
3804  * only audit recvmsg when the system call represents the creation of a new
3805  * circuit. This effectively occurs for all UDP packets and may occur for
3806  * special TCP situations where the local host has not set a local address
3807  * in the socket structure.
3808  */
3809 /*ARGSUSED*/
3810 static void
3811 auf_recvmsg(
3812 	struct t_audit_data *tad,
3813 	int error,
3814 	rval_t *rvp)
3815 {
3816 	struct a {
3817 		long	fd;
3818 		long	msg;	/* struct msghdr */
3819 		long	flags;
3820 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3821 
3822 	struct sonode	*so;
3823 	STRUCT_DECL(msghdr, msg);
3824 	caddr_t msg_name;
3825 	socklen_t msg_namelen;
3826 	int fd;
3827 	int err;
3828 	char so_laddr[sizeof (struct sockaddr_in6)];
3829 	char so_faddr[sizeof (struct sockaddr_in6)];
3830 	int len;
3831 	file_t *fp;				/* unix domain sockets */
3832 	struct f_audit_data *fad;		/* unix domain sockets */
3833 	short so_family, so_type;
3834 	int add_sock_token = 0;
3835 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3836 
3837 	fd = (int)uap->fd;
3838 
3839 	/* bail if an error */
3840 	if (error) {
3841 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3842 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3843 		return;
3844 	}
3845 
3846 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
3847 		/*
3848 		 * not security relevant if doing a recvmsg from non socket
3849 		 * so no extra tokens. Should probably turn off audit record
3850 		 * generation here.
3851 		 */
3852 		return;
3853 	}
3854 
3855 	so_family = so->so_family;
3856 	so_type   = so->so_type;
3857 
3858 	/*
3859 	 * only putout SOCKET_EX token if INET/INET6 family.
3860 	 * XXX - what do we do about other families?
3861 	 */
3862 
3863 	switch (so_family) {
3864 	case AF_INET:
3865 	case AF_INET6:
3866 
3867 		/*
3868 		 * if datagram type socket, then just use what is in
3869 		 * socket structure for local address.
3870 		 * XXX - what do we do for other types?
3871 		 */
3872 		if ((so->so_type == SOCK_DGRAM) ||
3873 		    (so->so_type == SOCK_RAW)) {
3874 			add_sock_token = 1;
3875 
3876 			bzero((void *)so_laddr, sizeof (so_laddr));
3877 			bzero((void *)so_faddr, sizeof (so_faddr));
3878 
3879 			/* get local address */
3880 			mutex_enter(&so->so_lock);
3881 			len = min(so->so_laddr_len, sizeof (so_laddr));
3882 			bcopy(so->so_laddr_sa, so_laddr, len);
3883 			mutex_exit(&so->so_lock);
3884 
3885 			/* get peer address */
3886 			STRUCT_INIT(msg, get_udatamodel());
3887 
3888 			if (copyin((caddr_t)(uap->msg),
3889 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3890 				break;
3891 			}
3892 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3893 			if (msg_name == NULL) {
3894 				break;
3895 			}
3896 
3897 			/* length is value from recvmsg - sanity check */
3898 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3899 			if (msg_namelen == 0) {
3900 				break;
3901 			}
3902 			if (copyin(msg_name, so_faddr,
3903 			    sizeof (so_faddr)) != 0) {
3904 				break;
3905 			}
3906 
3907 		} else if (so->so_type == SOCK_STREAM) {
3908 
3909 			/* get path from file struct here */
3910 			fad = F2A(fp);
3911 			ASSERT(fad);
3912 
3913 			/*
3914 			 * already processed this file for read attempt
3915 			 */
3916 			if (fad->fad_flags & FAD_READ) {
3917 				/* don't want to audit every recvmsg attempt */
3918 				tad->tad_flag = 0;
3919 				/* free any residual audit data */
3920 				au_close(kctx, &(u_ad), 0, 0, 0);
3921 				releasef(fd);
3922 				return;
3923 			}
3924 			/*
3925 			 * mark things so we know what happened and don't
3926 			 * repeat things
3927 			 */
3928 			fad->fad_flags |= FAD_READ;
3929 
3930 			bzero((void *)so_laddr, sizeof (so_laddr));
3931 			bzero((void *)so_faddr, sizeof (so_faddr));
3932 
3933 			if (so->so_state & SS_ISBOUND) {
3934 
3935 				if (so->so_laddr_len == 0)
3936 					(void) SOP_GETSOCKNAME(so);
3937 				if (so->so_faddr_len == 0)
3938 					(void) SOP_GETPEERNAME(so);
3939 
3940 				/* get local and foreign addresses */
3941 				mutex_enter(&so->so_lock);
3942 				len = min(so->so_laddr_len, sizeof (so_laddr));
3943 				bcopy(so->so_laddr_sa, so_laddr, len);
3944 				len = min(so->so_faddr_len, sizeof (so_faddr));
3945 				bcopy(so->so_faddr_sa, so_faddr, len);
3946 				mutex_exit(&so->so_lock);
3947 			}
3948 
3949 			add_sock_token = 1;
3950 		}
3951 
3952 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
3953 
3954 		break;
3955 
3956 	case AF_UNIX:
3957 		/*
3958 		 * first check if this is first time through. Too much
3959 		 * duplicate code to put this in an aui_ routine.
3960 		 */
3961 
3962 		/* get path from file struct here */
3963 		fad = F2A(fp);
3964 		ASSERT(fad);
3965 
3966 		/*
3967 		 * already processed this file for read attempt
3968 		 */
3969 		if (fad->fad_flags & FAD_READ) {
3970 			releasef(fd);
3971 			/* don't want to audit every recvmsg attempt */
3972 			tad->tad_flag = 0;
3973 			/* free any residual audit data */
3974 			au_close(kctx, &(u_ad), 0, 0, 0);
3975 			return;
3976 		}
3977 		/*
3978 		 * mark things so we know what happened and don't
3979 		 * repeat things
3980 		 */
3981 		fad->fad_flags |= FAD_READ;
3982 
3983 		if (fad->fad_aupath != NULL) {
3984 			au_uwrite(au_to_path(fad->fad_aupath));
3985 		} else {
3986 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3987 		}
3988 
3989 		audit_attributes(fp->f_vnode);
3990 
3991 		releasef(fd);
3992 
3993 		return;
3994 
3995 	default:
3996 		break;
3997 
3998 	}
3999 
4000 	releasef(fd);
4001 
4002 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4003 
4004 	if (add_sock_token == 0) {
4005 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4006 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4007 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4008 		return;
4009 	}
4010 
4011 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4012 
4013 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4014 
4015 }
4016 
4017 /*ARGSUSED*/
4018 static void
4019 auf_recvfrom(
4020 	struct t_audit_data *tad,
4021 	int error,
4022 	rval_t *rvp)
4023 {
4024 
4025 	struct a {
4026 		long	fd;
4027 		long	msg;	/* char */
4028 		long	len;
4029 		long	flags;
4030 		long	from;	/* struct sockaddr */
4031 		long	fromlen;
4032 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4033 
4034 	socklen_t	fromlen;
4035 	struct sonode	*so;
4036 	char so_laddr[sizeof (struct sockaddr_in6)];
4037 	char so_faddr[sizeof (struct sockaddr_in6)];
4038 	int		fd;
4039 	short so_family, so_type;
4040 	int add_sock_token = 0;
4041 	int len;
4042 	int err;
4043 	struct file *fp;
4044 	struct f_audit_data *fad;		/* unix domain sockets */
4045 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4046 
4047 	fd = (int)uap->fd;
4048 
4049 	/* bail if an error */
4050 	if (error) {
4051 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4052 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4053 		return;
4054 	}
4055 
4056 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4057 		/*
4058 		 * not security relevant if doing a recvmsg from non socket
4059 		 * so no extra tokens. Should probably turn off audit record
4060 		 * generation here.
4061 		 */
4062 		return;
4063 	}
4064 
4065 	so_family = so->so_family;
4066 	so_type   = so->so_type;
4067 
4068 	/*
4069 	 * only putout SOCKET_EX token if INET/INET6 family.
4070 	 * XXX - what do we do about other families?
4071 	 */
4072 
4073 	switch (so_family) {
4074 	case AF_INET:
4075 	case AF_INET6:
4076 
4077 		/*
4078 		 * if datagram type socket, then just use what is in
4079 		 * socket structure for local address.
4080 		 * XXX - what do we do for other types?
4081 		 */
4082 		if ((so->so_type == SOCK_DGRAM) ||
4083 		    (so->so_type == SOCK_RAW)) {
4084 			add_sock_token = 1;
4085 
4086 			/* get local address */
4087 			mutex_enter(&so->so_lock);
4088 			len = min(so->so_laddr_len, sizeof (so_laddr));
4089 			bcopy(so->so_laddr_sa, so_laddr, len);
4090 			mutex_exit(&so->so_lock);
4091 
4092 			/* get peer address */
4093 			bzero((void *)so_faddr, sizeof (so_faddr));
4094 
4095 			/* sanity check */
4096 			if (uap->from == NULL)
4097 				break;
4098 
4099 			/* sanity checks */
4100 			if (uap->fromlen == 0)
4101 				break;
4102 
4103 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4104 			    sizeof (fromlen)) != 0)
4105 				break;
4106 
4107 			if (fromlen == 0)
4108 				break;
4109 
4110 			/* enforce maximum size */
4111 			if (fromlen > sizeof (so_faddr))
4112 				fromlen = sizeof (so_faddr);
4113 
4114 			if (copyin((caddr_t)(uap->from), so_faddr,
4115 			    fromlen) != 0)
4116 				break;
4117 
4118 		} else if (so->so_type == SOCK_STREAM) {
4119 
4120 			/* get path from file struct here */
4121 			fad = F2A(fp);
4122 			ASSERT(fad);
4123 
4124 			/*
4125 			 * already processed this file for read attempt
4126 			 */
4127 			if (fad->fad_flags & FAD_READ) {
4128 				/* don't want to audit every recvfrom attempt */
4129 				tad->tad_flag = 0;
4130 				/* free any residual audit data */
4131 				au_close(kctx, &(u_ad), 0, 0, 0);
4132 				releasef(fd);
4133 				return;
4134 			}
4135 			/*
4136 			 * mark things so we know what happened and don't
4137 			 * repeat things
4138 			 */
4139 			fad->fad_flags |= FAD_READ;
4140 
4141 			bzero((void *)so_laddr, sizeof (so_laddr));
4142 			bzero((void *)so_faddr, sizeof (so_faddr));
4143 
4144 			if (so->so_state & SS_ISBOUND) {
4145 
4146 				if (so->so_laddr_len == 0)
4147 					(void) SOP_GETSOCKNAME(so);
4148 				if (so->so_faddr_len == 0)
4149 					(void) SOP_GETPEERNAME(so);
4150 
4151 				/* get local and foreign addresses */
4152 				mutex_enter(&so->so_lock);
4153 				len = min(so->so_laddr_len, sizeof (so_laddr));
4154 				bcopy(so->so_laddr_sa, so_laddr, len);
4155 				len = min(so->so_faddr_len, sizeof (so_faddr));
4156 				bcopy(so->so_faddr_sa, so_faddr, len);
4157 				mutex_exit(&so->so_lock);
4158 			}
4159 
4160 			add_sock_token = 1;
4161 		}
4162 
4163 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4164 
4165 		break;
4166 
4167 	case AF_UNIX:
4168 		/*
4169 		 * first check if this is first time through. Too much
4170 		 * duplicate code to put this in an aui_ routine.
4171 		 */
4172 
4173 		/* get path from file struct here */
4174 		fad = F2A(fp);
4175 		ASSERT(fad);
4176 
4177 		/*
4178 		 * already processed this file for read attempt
4179 		 */
4180 		if (fad->fad_flags & FAD_READ) {
4181 			/* don't want to audit every recvfrom attempt */
4182 			tad->tad_flag = 0;
4183 			/* free any residual audit data */
4184 			au_close(kctx, &(u_ad), 0, 0, 0);
4185 			releasef(fd);
4186 			return;
4187 		}
4188 		/*
4189 		 * mark things so we know what happened and don't
4190 		 * repeat things
4191 		 */
4192 		fad->fad_flags |= FAD_READ;
4193 
4194 		if (fad->fad_aupath != NULL) {
4195 			au_uwrite(au_to_path(fad->fad_aupath));
4196 		} else {
4197 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4198 		}
4199 
4200 		audit_attributes(fp->f_vnode);
4201 
4202 		releasef(fd);
4203 
4204 		return;
4205 
4206 	default:
4207 		break;
4208 
4209 	}
4210 
4211 	releasef(fd);
4212 
4213 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4214 
4215 	if (add_sock_token == 0) {
4216 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4217 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4218 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4219 		return;
4220 	}
4221 
4222 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4223 
4224 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4225 }
4226 
4227 /*ARGSUSED*/
4228 static void
4229 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4230 {
4231 	struct a {
4232 		long	fd;
4233 		long	msg;	/* struct msghdr */
4234 		long	flags;
4235 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4236 
4237 	struct sonode	*so;
4238 	char so_laddr[sizeof (struct sockaddr_in6)];
4239 	char so_faddr[sizeof (struct sockaddr_in6)];
4240 	int		err;
4241 	int		fd;
4242 	short so_family, so_type;
4243 	int		add_sock_token = 0;
4244 	int		len;
4245 	struct file	*fp;
4246 	struct f_audit_data *fad;
4247 	caddr_t		msg_name;
4248 	socklen_t	msg_namelen;
4249 	STRUCT_DECL(msghdr, msg);
4250 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4251 
4252 	fd = (int)uap->fd;
4253 
4254 	/* bail if an error */
4255 	if (error) {
4256 		/* XXX include destination address from system call arguments */
4257 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4258 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4259 		return;
4260 	}
4261 
4262 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4263 		/*
4264 		 * not security relevant if doing a sendmsg from non socket
4265 		 * so no extra tokens. Should probably turn off audit record
4266 		 * generation here.
4267 		 */
4268 		return;
4269 	}
4270 
4271 	so_family = so->so_family;
4272 	so_type   = so->so_type;
4273 
4274 	switch (so_family) {
4275 	case AF_INET:
4276 	case AF_INET6:
4277 		/*
4278 		 * if datagram type socket, then just use what is in
4279 		 * socket structure for local address.
4280 		 * XXX - what do we do for other types?
4281 		 */
4282 		if ((so->so_type == SOCK_DGRAM) ||
4283 		    (so->so_type == SOCK_RAW)) {
4284 
4285 			bzero((void *)so_laddr, sizeof (so_laddr));
4286 			bzero((void *)so_faddr, sizeof (so_faddr));
4287 
4288 			/* get local address */
4289 			mutex_enter(&so->so_lock);
4290 			len = min(so->so_laddr_len, sizeof (so_laddr));
4291 			bcopy(so->so_laddr_sa, so_laddr, len);
4292 			mutex_exit(&so->so_lock);
4293 
4294 			/* get peer address */
4295 			STRUCT_INIT(msg, get_udatamodel());
4296 
4297 			if (copyin((caddr_t)(uap->msg),
4298 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4299 				break;
4300 			}
4301 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4302 			if (msg_name == NULL)
4303 				break;
4304 
4305 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4306 			/* length is value from recvmsg - sanity check */
4307 			if (msg_namelen == 0)
4308 				break;
4309 
4310 			if (copyin(msg_name, so_faddr,
4311 			    sizeof (so_faddr)) != 0)
4312 				break;
4313 
4314 			add_sock_token = 1;
4315 
4316 		} else if (so->so_type == SOCK_STREAM) {
4317 
4318 			/* get path from file struct here */
4319 			fad = F2A(fp);
4320 			ASSERT(fad);
4321 
4322 			/*
4323 			 * already processed this file for write attempt
4324 			 */
4325 			if (fad->fad_flags & FAD_WRITE) {
4326 				releasef(fd);
4327 				/* don't want to audit every sendmsg attempt */
4328 				tad->tad_flag = 0;
4329 				/* free any residual audit data */
4330 				au_close(kctx, &(u_ad), 0, 0, 0);
4331 				return;
4332 			}
4333 
4334 			/*
4335 			 * mark things so we know what happened and don't
4336 			 * repeat things
4337 			 */
4338 			fad->fad_flags |= FAD_WRITE;
4339 
4340 			bzero((void *)so_laddr, sizeof (so_laddr));
4341 			bzero((void *)so_faddr, sizeof (so_faddr));
4342 
4343 			if (so->so_state & SS_ISBOUND) {
4344 
4345 				if (so->so_laddr_len == 0)
4346 					(void) SOP_GETSOCKNAME(so);
4347 				if (so->so_faddr_len == 0)
4348 					(void) SOP_GETPEERNAME(so);
4349 
4350 				/* get local and foreign addresses */
4351 				mutex_enter(&so->so_lock);
4352 				len = min(so->so_laddr_len, sizeof (so_laddr));
4353 				bcopy(so->so_laddr_sa, so_laddr, len);
4354 				len = min(so->so_faddr_len, sizeof (so_faddr));
4355 				bcopy(so->so_faddr_sa, so_faddr, len);
4356 				mutex_exit(&so->so_lock);
4357 			}
4358 
4359 			add_sock_token = 1;
4360 		}
4361 
4362 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4363 
4364 		break;
4365 
4366 	case AF_UNIX:
4367 		/*
4368 		 * first check if this is first time through. Too much
4369 		 * duplicate code to put this in an aui_ routine.
4370 		 */
4371 
4372 		/* get path from file struct here */
4373 		fad = F2A(fp);
4374 		ASSERT(fad);
4375 
4376 		/*
4377 		 * already processed this file for write attempt
4378 		 */
4379 		if (fad->fad_flags & FAD_WRITE) {
4380 			releasef(fd);
4381 			/* don't want to audit every sendmsg attempt */
4382 			tad->tad_flag = 0;
4383 			/* free any residual audit data */
4384 			au_close(kctx, &(u_ad), 0, 0, 0);
4385 			return;
4386 		}
4387 		/*
4388 		 * mark things so we know what happened and don't
4389 		 * repeat things
4390 		 */
4391 		fad->fad_flags |= FAD_WRITE;
4392 
4393 		if (fad->fad_aupath != NULL) {
4394 			au_uwrite(au_to_path(fad->fad_aupath));
4395 		} else {
4396 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4397 		}
4398 
4399 		audit_attributes(fp->f_vnode);
4400 
4401 		releasef(fd);
4402 
4403 		return;
4404 
4405 	default:
4406 		break;
4407 	}
4408 
4409 	releasef(fd);
4410 
4411 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4412 
4413 	if (add_sock_token == 0) {
4414 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4415 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4416 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4417 		return;
4418 	}
4419 
4420 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4421 
4422 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4423 }
4424 
4425 /*ARGSUSED*/
4426 static void
4427 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4428 {
4429 	struct a {
4430 		long	fd;
4431 		long	msg;	/* char */
4432 		long	len;
4433 		long	flags;
4434 		long	to;	/* struct sockaddr */
4435 		long	tolen;
4436 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4437 
4438 	struct sonode	*so;
4439 	char so_laddr[sizeof (struct sockaddr_in6)];
4440 	char so_faddr[sizeof (struct sockaddr_in6)];
4441 	socklen_t	tolen;
4442 	int		err;
4443 	int		fd;
4444 	int		len;
4445 	short so_family, so_type;
4446 	int		add_sock_token = 0;
4447 	struct file	*fp;
4448 	struct f_audit_data *fad;
4449 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4450 
4451 	fd = (int)uap->fd;
4452 
4453 	/* bail if an error */
4454 	if (error) {
4455 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4456 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4457 		/* XXX include destination address from system call arguments */
4458 		return;
4459 	}
4460 
4461 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
4462 		/*
4463 		 * not security relevant if doing a sendto using non socket
4464 		 * so no extra tokens. Should probably turn off audit record
4465 		 * generation here.
4466 		 */
4467 		return;
4468 	}
4469 
4470 	so_family = so->so_family;
4471 	so_type   = so->so_type;
4472 
4473 	/*
4474 	 * only putout SOCKET_EX token if INET/INET6 family.
4475 	 * XXX - what do we do about other families?
4476 	 */
4477 
4478 	switch (so_family) {
4479 	case AF_INET:
4480 	case AF_INET6:
4481 
4482 		/*
4483 		 * if datagram type socket, then just use what is in
4484 		 * socket structure for local address.
4485 		 * XXX - what do we do for other types?
4486 		 */
4487 		if ((so->so_type == SOCK_DGRAM) ||
4488 		    (so->so_type == SOCK_RAW)) {
4489 
4490 			bzero((void *)so_laddr, sizeof (so_laddr));
4491 			bzero((void *)so_faddr, sizeof (so_faddr));
4492 
4493 			/* get local address */
4494 			mutex_enter(&so->so_lock);
4495 			len = min(so->so_laddr_len, sizeof (so_laddr));
4496 			bcopy(so->so_laddr_sa, so_laddr, len);
4497 			mutex_exit(&so->so_lock);
4498 
4499 			/* get peer address */
4500 
4501 			/* sanity check */
4502 			if (uap->to == NULL)
4503 				break;
4504 
4505 			/* sanity checks */
4506 			if (uap->tolen == 0)
4507 				break;
4508 
4509 			tolen = (socklen_t)uap->tolen;
4510 
4511 			/* enforce maximum size */
4512 			if (tolen > sizeof (so_faddr))
4513 				tolen = sizeof (so_faddr);
4514 
4515 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4516 				break;
4517 
4518 			add_sock_token = 1;
4519 		} else {
4520 			/*
4521 			 * check if this is first time through.
4522 			 */
4523 
4524 			/* get path from file struct here */
4525 			fad = F2A(fp);
4526 			ASSERT(fad);
4527 
4528 			/*
4529 			 * already processed this file for write attempt
4530 			 */
4531 			if (fad->fad_flags & FAD_WRITE) {
4532 				/* don't want to audit every sendto attempt */
4533 				tad->tad_flag = 0;
4534 				/* free any residual audit data */
4535 				au_close(kctx, &(u_ad), 0, 0, 0);
4536 				releasef(fd);
4537 				return;
4538 			}
4539 			/*
4540 			 * mark things so we know what happened and don't
4541 			 * repeat things
4542 			 */
4543 			fad->fad_flags |= FAD_WRITE;
4544 
4545 			bzero((void *)so_laddr, sizeof (so_laddr));
4546 			bzero((void *)so_faddr, sizeof (so_faddr));
4547 
4548 			if (so->so_state & SS_ISBOUND) {
4549 
4550 				if (so->so_laddr_len == 0)
4551 					(void) SOP_GETSOCKNAME(so);
4552 				if (so->so_faddr_len == 0)
4553 					(void) SOP_GETPEERNAME(so);
4554 
4555 				/* get local and foreign addresses */
4556 				mutex_enter(&so->so_lock);
4557 				len = min(so->so_laddr_len, sizeof (so_laddr));
4558 				bcopy(so->so_laddr_sa, so_laddr, len);
4559 				len = min(so->so_faddr_len, sizeof (so_faddr));
4560 				bcopy(so->so_faddr_sa, so_faddr, len);
4561 				mutex_exit(&so->so_lock);
4562 			}
4563 
4564 			add_sock_token = 1;
4565 		}
4566 
4567 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4568 
4569 		break;
4570 
4571 	case AF_UNIX:
4572 		/*
4573 		 * first check if this is first time through. Too much
4574 		 * duplicate code to put this in an aui_ routine.
4575 		 */
4576 
4577 		/* get path from file struct here */
4578 		fad = F2A(fp);
4579 		ASSERT(fad);
4580 
4581 		/*
4582 		 * already processed this file for write attempt
4583 		 */
4584 		if (fad->fad_flags & FAD_WRITE) {
4585 			/* don't want to audit every sendto attempt */
4586 			tad->tad_flag = 0;
4587 			/* free any residual audit data */
4588 			au_close(kctx, &(u_ad), 0, 0, 0);
4589 			releasef(fd);
4590 			return;
4591 		}
4592 		/*
4593 		 * mark things so we know what happened and don't
4594 		 * repeat things
4595 		 */
4596 		fad->fad_flags |= FAD_WRITE;
4597 
4598 		if (fad->fad_aupath != NULL) {
4599 			au_uwrite(au_to_path(fad->fad_aupath));
4600 		} else {
4601 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4602 		}
4603 
4604 		audit_attributes(fp->f_vnode);
4605 
4606 		releasef(fd);
4607 
4608 		return;
4609 
4610 	default:
4611 		break;
4612 
4613 	}
4614 
4615 	releasef(fd);
4616 
4617 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4618 
4619 	if (add_sock_token == 0) {
4620 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4621 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4622 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4623 		return;
4624 	}
4625 
4626 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4627 
4628 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4629 
4630 }
4631 
4632 /*
4633  * XXX socket(2) may be equivilent to open(2) on a unix domain
4634  * socket. This needs investigation.
4635  */
4636 
4637 /*ARGSUSED*/
4638 static void
4639 aus_socket(struct t_audit_data *tad)
4640 {
4641 	struct a {
4642 		long	domain;
4643 		long	type;
4644 		long	protocol;
4645 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4646 
4647 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4648 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4649 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4650 }
4651 
4652 /*ARGSUSED*/
4653 static void
4654 aus_sigqueue(struct t_audit_data *tad)
4655 {
4656 	struct a {
4657 		long	pid;
4658 		long	signo;
4659 		long	*val;
4660 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4661 	struct proc *p;
4662 	uid_t uid, ruid;
4663 	gid_t gid, rgid;
4664 	pid_t pid;
4665 	const auditinfo_addr_t *ainfo;
4666 	cred_t *cr;
4667 
4668 	pid = (pid_t)uap->pid;
4669 
4670 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4671 	if (pid > 0) {
4672 		mutex_enter(&pidlock);
4673 		if ((p = prfind(pid)) == (struct proc *)0) {
4674 			mutex_exit(&pidlock);
4675 			return;
4676 		}
4677 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4678 		mutex_exit(&pidlock);
4679 
4680 		mutex_enter(&p->p_crlock);
4681 		crhold(cr = p->p_cred);
4682 		mutex_exit(&p->p_crlock);
4683 		mutex_exit(&p->p_lock);
4684 
4685 		ainfo = crgetauinfo(cr);
4686 		if (ainfo == NULL) {
4687 			crfree(cr);
4688 			return;
4689 		}
4690 
4691 		uid  = crgetuid(cr);
4692 		gid  = crgetgid(cr);
4693 		ruid = crgetruid(cr);
4694 		rgid = crgetrgid(cr);
4695 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4696 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4697 		crfree(cr);
4698 	}
4699 	else
4700 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4701 }
4702 
4703 /*ARGSUSED*/
4704 static void
4705 aus_inst_sync(struct t_audit_data *tad)
4706 {
4707 	struct a {
4708 		long	name;	/* char */
4709 		long	flags;
4710 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4711 
4712 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4713 }
4714 
4715 /*ARGSUSED*/
4716 static void
4717 aus_brandsys(struct t_audit_data *tad)
4718 {
4719 	klwp_t *clwp = ttolwp(curthread);
4720 
4721 	struct a {
4722 		long	cmd;
4723 		long	arg1;
4724 		long	arg2;
4725 		long	arg3;
4726 		long	arg4;
4727 		long	arg5;
4728 		long	arg6;
4729 	} *uap = (struct a *)clwp->lwp_ap;
4730 
4731 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4732 #ifdef _LP64
4733 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4734 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4735 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4736 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4737 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4738 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4739 #else
4740 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4741 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4742 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4743 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4744 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4745 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4746 #endif
4747 }
4748 
4749 /*ARGSUSED*/
4750 static void
4751 aus_p_online(struct t_audit_data *tad)
4752 {
4753 	struct a {
4754 		long	processor_id;
4755 		long	flag;
4756 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4757 
4758 	struct flags {
4759 			int	flag;
4760 			char	*cflag;
4761 	} aflags[6] = {
4762 			{ P_ONLINE, "P_ONLINE"},
4763 			{ P_OFFLINE, "P_OFFLINE"},
4764 			{ P_NOINTR, "P_NOINTR"},
4765 			{ P_SPARE, "P_SPARE"},
4766 			{ P_FAULTED, "P_FAULTED"},
4767 			{ P_STATUS, "P_STATUS"}
4768 	};
4769 	int i;
4770 	char *cflag;
4771 
4772 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4773 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4774 
4775 	for (i = 0; i < 6; i++) {
4776 		if (aflags[i].flag == uap->flag)
4777 			break;
4778 	}
4779 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4780 
4781 	au_uwrite(au_to_text(cflag));
4782 }
4783 
4784 /*ARGSUSED*/
4785 static void
4786 aus_processor_bind(struct t_audit_data *tad)
4787 {
4788 	struct a {
4789 		long	id_type;
4790 		long	id;
4791 		long	processor_id;
4792 		long	obind;
4793 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4794 
4795 	struct proc *p;
4796 	int lwpcnt;
4797 	uid_t uid, ruid;
4798 	gid_t gid, rgid;
4799 	pid_t pid;
4800 	const auditinfo_addr_t *ainfo;
4801 	cred_t *cr;
4802 
4803 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4804 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4805 	if (uap->processor_id == PBIND_NONE)
4806 		au_uwrite(au_to_text("PBIND_NONE"));
4807 	else
4808 		au_uwrite(au_to_arg32(3, "processor_id",
4809 					(uint32_t)uap->processor_id));
4810 
4811 	switch (uap->id_type) {
4812 	case P_MYID:
4813 	case P_LWPID:
4814 		mutex_enter(&pidlock);
4815 		p = ttoproc(curthread);
4816 		if (p == NULL || p->p_as == &kas) {
4817 			mutex_exit(&pidlock);
4818 			return;
4819 		}
4820 		mutex_enter(&p->p_lock);
4821 		mutex_exit(&pidlock);
4822 		lwpcnt = p->p_lwpcnt;
4823 		pid  = p->p_pid;
4824 
4825 		mutex_enter(&p->p_crlock);
4826 		crhold(cr = p->p_cred);
4827 		mutex_exit(&p->p_crlock);
4828 		mutex_exit(&p->p_lock);
4829 
4830 		ainfo = crgetauinfo(cr);
4831 		if (ainfo == NULL) {
4832 			crfree(cr);
4833 			return;
4834 		}
4835 
4836 		uid  = crgetuid(cr);
4837 		gid  = crgetgid(cr);
4838 		ruid = crgetruid(cr);
4839 		rgid = crgetrgid(cr);
4840 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4841 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4842 		crfree(cr);
4843 		break;
4844 	case P_PID:
4845 		mutex_enter(&pidlock);
4846 		p = prfind(uap->id);
4847 		if (p == NULL || p->p_as == &kas) {
4848 			mutex_exit(&pidlock);
4849 			return;
4850 		}
4851 		mutex_enter(&p->p_lock);
4852 		mutex_exit(&pidlock);
4853 		lwpcnt = p->p_lwpcnt;
4854 		pid  = p->p_pid;
4855 
4856 		mutex_enter(&p->p_crlock);
4857 		crhold(cr = p->p_cred);
4858 		mutex_exit(&p->p_crlock);
4859 		mutex_exit(&p->p_lock);
4860 
4861 		ainfo = crgetauinfo(cr);
4862 		if (ainfo == NULL) {
4863 			crfree(cr);
4864 			return;
4865 		}
4866 
4867 		uid  = crgetuid(cr);
4868 		gid  = crgetgid(cr);
4869 		ruid = crgetruid(cr);
4870 		rgid = crgetrgid(cr);
4871 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4872 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4873 		crfree(cr);
4874 
4875 		break;
4876 	default:
4877 		return;
4878 	}
4879 
4880 	if (uap->processor_id == PBIND_NONE &&
4881 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4882 		au_uwrite(au_to_text("PBIND_NONE for process"));
4883 	else
4884 		au_uwrite(au_to_arg32(3, "processor_id",
4885 					(uint32_t)uap->processor_id));
4886 }
4887 
4888 /*ARGSUSED*/
4889 static au_event_t
4890 aui_doorfs(au_event_t e)
4891 {
4892 	uint32_t code;
4893 
4894 	struct a {		/* doorfs */
4895 		long	a1;
4896 		long	a2;
4897 		long	a3;
4898 		long	a4;
4899 		long	a5;
4900 		long	code;
4901 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4902 
4903 	/*
4904 	 *	audit formats for several of the
4905 	 *	door calls have not yet been determined
4906 	 */
4907 	code = (uint32_t)uap->code;
4908 	switch (code) {
4909 	case DOOR_CALL:
4910 		e = AUE_DOORFS_DOOR_CALL;
4911 		break;
4912 	case DOOR_RETURN:
4913 		e = AUE_NULL;
4914 		break;
4915 	case DOOR_CREATE:
4916 		e = AUE_DOORFS_DOOR_CREATE;
4917 		break;
4918 	case DOOR_REVOKE:
4919 		e = AUE_DOORFS_DOOR_REVOKE;
4920 		break;
4921 	case DOOR_INFO:
4922 		e = AUE_NULL;
4923 		break;
4924 	case DOOR_UCRED:
4925 		e = AUE_NULL;
4926 		break;
4927 	case DOOR_BIND:
4928 		e = AUE_NULL;
4929 		break;
4930 	case DOOR_UNBIND:
4931 		e = AUE_NULL;
4932 		break;
4933 	case DOOR_GETPARAM:
4934 		e = AUE_NULL;
4935 		break;
4936 	case DOOR_SETPARAM:
4937 		e = AUE_NULL;
4938 		break;
4939 	default:	/* illegal system call */
4940 		e = AUE_NULL;
4941 		break;
4942 	}
4943 
4944 	return (e);
4945 }
4946 
4947 static door_node_t *
4948 au_door_lookup(int did)
4949 {
4950 	vnode_t	*vp;
4951 	file_t *fp;
4952 
4953 	if ((fp = getf(did)) == NULL)
4954 		return (NULL);
4955 	/*
4956 	 * Use the underlying vnode (we may be namefs mounted)
4957 	 */
4958 	if (VOP_REALVP(fp->f_vnode, &vp))
4959 		vp = fp->f_vnode;
4960 
4961 	if (vp == NULL || vp->v_type != VDOOR) {
4962 		releasef(did);
4963 		return (NULL);
4964 	}
4965 
4966 	return (VTOD(vp));
4967 }
4968 
4969 /*ARGSUSED*/
4970 static void
4971 aus_doorfs(struct t_audit_data *tad)
4972 {
4973 
4974 	struct a {		/* doorfs */
4975 		long	a1;
4976 		long	a2;
4977 		long	a3;
4978 		long	a4;
4979 		long	a5;
4980 		long	code;
4981 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4982 
4983 	door_node_t	*dp;
4984 	struct proc	*p;
4985 	uint32_t	did;
4986 	uid_t uid, ruid;
4987 	gid_t gid, rgid;
4988 	pid_t pid;
4989 	const auditinfo_addr_t *ainfo;
4990 	cred_t *cr;
4991 
4992 	did = (uint32_t)uap->a1;
4993 
4994 	switch (tad->tad_event) {
4995 	case AUE_DOORFS_DOOR_CALL:
4996 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
4997 		if ((dp = au_door_lookup(did)) == NULL)
4998 			break;
4999 
5000 		if (DOOR_INVALID(dp)) {
5001 			releasef(did);
5002 			break;
5003 		}
5004 
5005 		if ((p = dp->door_target) == NULL) {
5006 			releasef(did);
5007 			break;
5008 		}
5009 		mutex_enter(&p->p_lock);
5010 		releasef(did);
5011 
5012 		pid  = p->p_pid;
5013 
5014 		mutex_enter(&p->p_crlock);
5015 		crhold(cr = p->p_cred);
5016 		mutex_exit(&p->p_crlock);
5017 		mutex_exit(&p->p_lock);
5018 
5019 		ainfo = crgetauinfo(cr);
5020 		if (ainfo == NULL) {
5021 			crfree(cr);
5022 			return;
5023 		}
5024 		uid  = crgetuid(cr);
5025 		gid  = crgetgid(cr);
5026 		ruid = crgetruid(cr);
5027 		rgid = crgetrgid(cr);
5028 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5029 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5030 		crfree(cr);
5031 		break;
5032 	case AUE_DOORFS_DOOR_RETURN:
5033 		/*
5034 		 * We may want to write information about
5035 		 * all doors (if any) which will be copied
5036 		 * by this call to the user space
5037 		 */
5038 		break;
5039 	case AUE_DOORFS_DOOR_CREATE:
5040 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5041 		break;
5042 	case AUE_DOORFS_DOOR_REVOKE:
5043 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5044 		break;
5045 	case AUE_DOORFS_DOOR_INFO:
5046 		break;
5047 	case AUE_DOORFS_DOOR_CRED:
5048 		break;
5049 	case AUE_DOORFS_DOOR_BIND:
5050 		break;
5051 	case AUE_DOORFS_DOOR_UNBIND: {
5052 		break;
5053 	}
5054 	default:	/* illegal system call */
5055 		break;
5056 	}
5057 }
5058 
5059 /*ARGSUSED*/
5060 static au_event_t
5061 aui_acl(au_event_t e)
5062 {
5063 	struct a {
5064 		union {
5065 			long	name;	/* char */
5066 			long	fd;
5067 		}		obj;
5068 
5069 		long		cmd;
5070 		long		nentries;
5071 		long		arg;	/* aclent_t */
5072 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5073 
5074 	switch (uap->cmd) {
5075 	case SETACL:
5076 		/* ok, acl(SETACL, ...) and facl(SETACL, ...)  are expected. */
5077 		break;
5078 	case GETACL:
5079 	case GETACLCNT:
5080 		/* do nothing for these two values. */
5081 		e = AUE_NULL;
5082 		break;
5083 	default:
5084 		/* illegal system call */
5085 		break;
5086 	}
5087 
5088 	return (e);
5089 }
5090 
5091 
5092 /*ARGSUSED*/
5093 static void
5094 aus_acl(struct t_audit_data *tad)
5095 {
5096 	struct a {
5097 		long	fname;
5098 		long	cmd;
5099 		long	nentries;
5100 		long	aclbufp;
5101 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5102 	struct acl *aclbufp;
5103 
5104 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5105 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5106 
5107 	switch (uap->cmd) {
5108 	case GETACL:
5109 	case GETACLCNT:
5110 		break;
5111 	case SETACL:
5112 	    if (uap->nentries < 3)
5113 		break;
5114 	    else {
5115 		size_t a_size = uap->nentries * sizeof (struct acl);
5116 		int i;
5117 
5118 		aclbufp = kmem_alloc(a_size, KM_SLEEP);
5119 		if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
5120 			kmem_free(aclbufp, a_size);
5121 			break;
5122 		}
5123 		for (i = 0; i < uap->nentries; i++) {
5124 			au_uwrite(au_to_acl(aclbufp + i));
5125 		}
5126 		kmem_free(aclbufp, a_size);
5127 		break;
5128 	}
5129 	default:
5130 		break;
5131 	}
5132 }
5133 
5134 /*ARGSUSED*/
5135 static void
5136 aus_facl(struct t_audit_data *tad)
5137 {
5138 	struct a {
5139 		long	fd;
5140 		long	cmd;
5141 		long	nentries;
5142 		long	aclbufp;
5143 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5144 	struct file  *fp;
5145 	struct vnode *vp;
5146 	struct f_audit_data *fad;
5147 	struct acl *aclbufp;
5148 	int fd;
5149 
5150 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5151 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5152 
5153 	fd = (int)uap->fd;
5154 
5155 	if ((fp = getf(fd)) == NULL)
5156 		return;
5157 
5158 	/* get path from file struct here */
5159 	fad = F2A(fp);
5160 	if (fad->fad_aupath != NULL) {
5161 		au_uwrite(au_to_path(fad->fad_aupath));
5162 	} else {
5163 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5164 	}
5165 
5166 	vp = fp->f_vnode;
5167 	audit_attributes(vp);
5168 
5169 	/* decrement file descriptor reference count */
5170 	releasef(fd);
5171 
5172 	switch (uap->cmd) {
5173 	case GETACL:
5174 	case GETACLCNT:
5175 		break;
5176 	case SETACL:
5177 	    if (uap->nentries < 3)
5178 		break;
5179 	    else {
5180 		size_t a_size = uap->nentries * sizeof (struct acl);
5181 		int i;
5182 
5183 		aclbufp = kmem_alloc(a_size, KM_SLEEP);
5184 		if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) {
5185 			kmem_free(aclbufp, a_size);
5186 			break;
5187 		}
5188 		for (i = 0; i < uap->nentries; i++) {
5189 			au_uwrite(au_to_acl(aclbufp + i));
5190 		}
5191 		kmem_free(aclbufp, a_size);
5192 		break;
5193 	}
5194 	default:
5195 		break;
5196 	}
5197 }
5198 
5199 /*ARGSUSED*/
5200 static void
5201 auf_read(tad, error, rval)
5202 	struct t_audit_data *tad;
5203 	int error;
5204 	rval_t *rval;
5205 {
5206 	struct file *fp;
5207 	struct f_audit_data *fad;
5208 	int fd;
5209 	register struct a {
5210 		long	fd;
5211 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5212 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5213 
5214 	fd = (int)uap->fd;
5215 
5216 	/*
5217 	 * convert file pointer to file descriptor
5218 	 *   Note: fd ref count incremented here.
5219 	 */
5220 	if ((fp = getf(fd)) == NULL)
5221 		return;
5222 
5223 	/* get path from file struct here */
5224 	fad = F2A(fp);
5225 	ASSERT(fad);
5226 
5227 	/*
5228 	 * already processed this file for read attempt
5229 	 *
5230 	 * XXX might be better to turn off auditing in a aui_read() routine.
5231 	 */
5232 	if (fad->fad_flags & FAD_READ) {
5233 		/* don't really want to audit every read attempt */
5234 		tad->tad_flag = 0;
5235 		/* free any residual audit data */
5236 		au_close(kctx, &(u_ad), 0, 0, 0);
5237 		releasef(fd);
5238 		return;
5239 	}
5240 	/* mark things so we know what happened and don't repeat things */
5241 	fad->fad_flags |= FAD_READ;
5242 
5243 	if (fad->fad_aupath != NULL) {
5244 		au_uwrite(au_to_path(fad->fad_aupath));
5245 	} else {
5246 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5247 	}
5248 
5249 	/* include attributes */
5250 	audit_attributes(fp->f_vnode);
5251 
5252 	/* decrement file descriptor reference count */
5253 	releasef(fd);
5254 }
5255 
5256 /*ARGSUSED*/
5257 static void
5258 auf_write(tad, error, rval)
5259 	struct t_audit_data *tad;
5260 	int error;
5261 	rval_t *rval;
5262 {
5263 	struct file *fp;
5264 	struct f_audit_data *fad;
5265 	int fd;
5266 	register struct a {
5267 		long	fd;
5268 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5269 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5270 
5271 	fd = (int)uap->fd;
5272 
5273 	/*
5274 	 * convert file pointer to file descriptor
5275 	 *   Note: fd ref count incremented here.
5276 	 */
5277 	if ((fp = getf(fd)) == NULL)
5278 		return;
5279 
5280 	/* get path from file struct here */
5281 	fad = F2A(fp);
5282 	ASSERT(fad);
5283 
5284 	/*
5285 	 * already processed this file for write attempt
5286 	 *
5287 	 * XXX might be better to turn off auditing in a aus_write() routine.
5288 	 */
5289 	if (fad->fad_flags & FAD_WRITE) {
5290 		/* don't really want to audit every write attempt */
5291 		tad->tad_flag = 0;
5292 		/* free any residual audit data */
5293 		au_close(kctx, &(u_ad), 0, 0, 0);
5294 		releasef(fd);
5295 		return;
5296 	}
5297 	/* mark things so we know what happened and don't repeat things */
5298 	fad->fad_flags |= FAD_WRITE;
5299 
5300 	if (fad->fad_aupath != NULL) {
5301 		au_uwrite(au_to_path(fad->fad_aupath));
5302 	} else {
5303 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5304 	}
5305 
5306 	/* include attributes */
5307 	audit_attributes(fp->f_vnode);
5308 
5309 	/* decrement file descriptor reference count */
5310 	releasef(fd);
5311 }
5312 
5313 /*ARGSUSED*/
5314 static void
5315 auf_recv(tad, error, rval)
5316 	struct t_audit_data *tad;
5317 	int error;
5318 	rval_t *rval;
5319 {
5320 	struct sonode *so;
5321 	char so_laddr[sizeof (struct sockaddr_in6)];
5322 	char so_faddr[sizeof (struct sockaddr_in6)];
5323 	struct file *fp;
5324 	struct f_audit_data *fad;
5325 	int fd;
5326 	int err;
5327 	int len;
5328 	short so_family, so_type;
5329 	register struct a {
5330 		long	fd;
5331 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5332 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5333 
5334 	/*
5335 	 * If there was an error, then nothing to do. Only generate
5336 	 * audit record on first successful recv.
5337 	 */
5338 	if (error) {
5339 		/* Turn off audit record generation here. */
5340 		tad->tad_flag = 0;
5341 		/* free any residual audit data */
5342 		au_close(kctx, &(u_ad), 0, 0, 0);
5343 		return;
5344 	}
5345 
5346 	fd = (int)uap->fd;
5347 
5348 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
5349 		/* Turn off audit record generation here. */
5350 		tad->tad_flag = 0;
5351 		/* free any residual audit data */
5352 		au_close(kctx, &(u_ad), 0, 0, 0);
5353 		return;
5354 	}
5355 
5356 	/* get path from file struct here */
5357 	fad = F2A(fp);
5358 	ASSERT(fad);
5359 
5360 	/*
5361 	 * already processed this file for read attempt
5362 	 */
5363 	if (fad->fad_flags & FAD_READ) {
5364 		releasef(fd);
5365 		/* don't really want to audit every recv call */
5366 		tad->tad_flag = 0;
5367 		/* free any residual audit data */
5368 		au_close(kctx, &(u_ad), 0, 0, 0);
5369 		return;
5370 	}
5371 
5372 	/* mark things so we know what happened and don't repeat things */
5373 	fad->fad_flags |= FAD_READ;
5374 
5375 	so_family = so->so_family;
5376 	so_type   = so->so_type;
5377 
5378 	switch (so_family) {
5379 	case AF_INET:
5380 	case AF_INET6:
5381 		/*
5382 		 * Only for connections.
5383 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5384 		 */
5385 		if (so->so_state & SS_ISBOUND) {
5386 
5387 			bzero((void *)so_laddr, sizeof (so_laddr));
5388 			bzero((void *)so_faddr, sizeof (so_faddr));
5389 
5390 			/* only done once on a connection */
5391 			(void) SOP_GETSOCKNAME(so);
5392 			(void) SOP_GETPEERNAME(so);
5393 
5394 			/* get local and foreign addresses */
5395 			mutex_enter(&so->so_lock);
5396 			len = min(so->so_laddr_len, sizeof (so_laddr));
5397 			bcopy(so->so_laddr_sa, so_laddr, len);
5398 			len = min(so->so_faddr_len, sizeof (so_faddr));
5399 			bcopy(so->so_faddr_sa, so_faddr, len);
5400 			mutex_exit(&so->so_lock);
5401 
5402 			/*
5403 			 * only way to drop out of switch. Note that we
5404 			 * we release fd below.
5405 			 */
5406 
5407 			break;
5408 		}
5409 
5410 		releasef(fd);
5411 
5412 		/* don't really want to audit every recv call */
5413 		tad->tad_flag = 0;
5414 		/* free any residual audit data */
5415 		au_close(kctx, &(u_ad), 0, 0, 0);
5416 
5417 		return;
5418 
5419 	case AF_UNIX:
5420 
5421 		if (fad->fad_aupath != NULL) {
5422 			au_uwrite(au_to_path(fad->fad_aupath));
5423 		} else {
5424 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5425 		}
5426 
5427 		audit_attributes(fp->f_vnode);
5428 
5429 		releasef(fd);
5430 
5431 		return;
5432 
5433 	default:
5434 		releasef(fd);
5435 
5436 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5437 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5438 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5439 
5440 		return;
5441 	}
5442 
5443 	releasef(fd);
5444 
5445 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5446 
5447 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5448 
5449 }
5450 
5451 /*ARGSUSED*/
5452 static void
5453 auf_send(tad, error, rval)
5454 	struct t_audit_data *tad;
5455 	int error;
5456 	rval_t *rval;
5457 {
5458 	struct sonode *so;
5459 	char so_laddr[sizeof (struct sockaddr_in6)];
5460 	char so_faddr[sizeof (struct sockaddr_in6)];
5461 	struct file *fp;
5462 	struct f_audit_data *fad;
5463 	int fd;
5464 	int err;
5465 	int len;
5466 	short so_family, so_type;
5467 	register struct a {
5468 		long	fd;
5469 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5470 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5471 
5472 	fd = (int)uap->fd;
5473 
5474 	/*
5475 	 * If there was an error, then nothing to do. Only generate
5476 	 * audit record on first successful send.
5477 	 */
5478 	if (error != 0) {
5479 		/* Turn off audit record generation here. */
5480 		tad->tad_flag = 0;
5481 		/* free any residual audit data */
5482 		au_close(kctx, &(u_ad), 0, 0, 0);
5483 		return;
5484 	}
5485 
5486 	fd = (int)uap->fd;
5487 
5488 	if ((so = au_getsonode(fd, &err, &fp)) == NULL) {
5489 		/* Turn off audit record generation here. */
5490 		tad->tad_flag = 0;
5491 		/* free any residual audit data */
5492 		au_close(kctx, &(u_ad), 0, 0, 0);
5493 		return;
5494 	}
5495 
5496 	/* get path from file struct here */
5497 	fad = F2A(fp);
5498 	ASSERT(fad);
5499 
5500 	/*
5501 	 * already processed this file for write attempt
5502 	 */
5503 	if (fad->fad_flags & FAD_WRITE) {
5504 		releasef(fd);
5505 		/* don't really want to audit every send call */
5506 		tad->tad_flag = 0;
5507 		/* free any residual audit data */
5508 		au_close(kctx, &(u_ad), 0, 0, 0);
5509 		return;
5510 	}
5511 
5512 	/* mark things so we know what happened and don't repeat things */
5513 	fad->fad_flags |= FAD_WRITE;
5514 
5515 	so_family = so->so_family;
5516 	so_type   = so->so_type;
5517 
5518 	switch (so_family) {
5519 	case AF_INET:
5520 	case AF_INET6:
5521 		/*
5522 		 * Only for connections.
5523 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5524 		 */
5525 		if (so->so_state & SS_ISBOUND) {
5526 
5527 			bzero((void *)so_laddr, sizeof (so_laddr));
5528 			bzero((void *)so_faddr, sizeof (so_faddr));
5529 
5530 			/* only done once on a connection */
5531 			(void) SOP_GETSOCKNAME(so);
5532 			(void) SOP_GETPEERNAME(so);
5533 
5534 			/* get local and foreign addresses */
5535 			mutex_enter(&so->so_lock);
5536 			len = min(so->so_laddr_len, sizeof (so_laddr));
5537 			bcopy(so->so_laddr_sa, so_laddr, len);
5538 			len = min(so->so_faddr_len, sizeof (so_faddr));
5539 			bcopy(so->so_faddr_sa, so_faddr, len);
5540 			mutex_exit(&so->so_lock);
5541 
5542 			/*
5543 			 * only way to drop out of switch. Note that we
5544 			 * we release fd below.
5545 			 */
5546 
5547 			break;
5548 		}
5549 
5550 		releasef(fd);
5551 		/* don't really want to audit every send call */
5552 		tad->tad_flag = 0;
5553 		/* free any residual audit data */
5554 		au_close(kctx, &(u_ad), 0, 0, 0);
5555 
5556 		return;
5557 
5558 	case AF_UNIX:
5559 
5560 		if (fad->fad_aupath != NULL) {
5561 			au_uwrite(au_to_path(fad->fad_aupath));
5562 		} else {
5563 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5564 		}
5565 
5566 		audit_attributes(fp->f_vnode);
5567 
5568 		releasef(fd);
5569 
5570 		return;
5571 
5572 	default:
5573 		releasef(fd);
5574 
5575 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5576 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5577 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5578 
5579 		return;
5580 	}
5581 
5582 	releasef(fd);
5583 
5584 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5585 
5586 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5587 }
5588 
5589 static au_event_t
5590 aui_forksys(au_event_t e)
5591 {
5592 	struct a {
5593 		long	subcode;
5594 		long	flags;
5595 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5596 
5597 	switch ((uint_t)uap->subcode) {
5598 	case 0:
5599 		e = AUE_FORK1;
5600 		break;
5601 	case 1:
5602 		e = AUE_FORKALL;
5603 		break;
5604 	case 2:
5605 		e = AUE_VFORK;
5606 		break;
5607 	default:
5608 		e = AUE_NULL;
5609 		break;
5610 	}
5611 
5612 	return (e);
5613 }
5614 
5615 /*ARGSUSED*/
5616 static au_event_t
5617 aui_portfs(au_event_t e)
5618 {
5619 	struct a {		/* portfs */
5620 		long	a1;
5621 		long	a2;
5622 		long	a3;
5623 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5624 
5625 	/*
5626 	 * check opcode
5627 	 */
5628 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5629 	case PORT_ASSOCIATE:
5630 	case PORT_DISSOCIATE:
5631 		/*
5632 		 * check source
5633 		 */
5634 		if ((uint_t)uap->a3 == PORT_SOURCE_FILE) {
5635 			e = AUE_PORTFS;
5636 		} else {
5637 			e = AUE_NULL;
5638 		}
5639 		break;
5640 	default:
5641 		e = AUE_NULL;
5642 	}
5643 	return (e);
5644 }
5645