xref: /titanic_51/usr/src/uts/common/c2/audit_syscalls.c (revision f500b19684bd0346ac05bec02a50af07f369da1a)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 /*
27  * This file contains the auditing system call code.
28  *
29  */
30 
31 
32 #include <sys/param.h>
33 #include <sys/systm.h>
34 #include <sys/user.h>
35 #include <sys/vnode.h>
36 #include <sys/vfs.h>
37 #include <sys/session.h>	/* for session structure (auditctl(2) */
38 #include <sys/kmem.h>		/* for KM_SLEEP */
39 #include <sys/cred_impl.h>
40 #include <sys/types.h>
41 #include <sys/proc.h>
42 #include <sys/uio.h>
43 #include <sys/file.h>
44 #include <sys/stat.h>
45 #include <sys/pathname.h>
46 #include <sys/acct.h>
47 #include <sys/stropts.h>
48 #include <sys/exec.h>
49 #include <sys/thread.h>
50 #include <sys/cmn_err.h>
51 #include <sys/debug.h>
52 #include <sys/disp.h>
53 #include <sys/kobj.h>
54 #include <sys/sysmacros.h>
55 #include <sys/policy.h>
56 #include <sys/taskq.h>
57 #include <sys/zone.h>
58 
59 #include <c2/audit.h>
60 #include <c2/audit_kernel.h>
61 #include <c2/audit_record.h>
62 
63 #define	CLEAR_VAL	-1
64 
65 #define	HEADER_SIZE64	1;
66 #define	HEADER_SIZE32	0;
67 #define	AU_MIN_FILE_SZ	0x80000	/* minumum audit file size */
68 #define	AUDIT_REC_SIZE	0x8000	/* maximum user audit record size */
69 
70 extern kmutex_t pidlock;
71 
72 extern pri_t		minclsyspri;		/* priority for taskq */
73 
74 extern int audit_load;		/* defined in audit_start.c */
75 
76 int		au_auditstate = AUC_UNSET;	/* global audit state */
77 int		audit_policy;	/* global audit policies in force */
78 static clock_t	au_resid = 15;	/* wait .15 sec before droping a rec */
79 
80 static int	getauid(caddr_t);
81 static int	setauid(caddr_t);
82 static int	getaudit(caddr_t);
83 static int	getaudit_addr(caddr_t, int);
84 static int	setaudit(caddr_t);
85 static int	setaudit_addr(caddr_t, int);
86 static int	auditdoor(int);
87 static int	auditctl(int, caddr_t, int);
88 static int	audit_modsysent(char *, int, int (*)());
89 static void	au_output_thread();
90 /*
91  * This is the loadable module wrapper.
92  */
93 #include <sys/modctl.h>
94 #include "sys/syscall.h"
95 
96 static struct sysent auditsysent = {
97 	6,
98 	0,
99 	_auditsys
100 };
101 
102 /*
103  * Module linkage information for the kernel.
104  */
105 extern struct mod_ops mod_syscallops;
106 
107 static struct modlsys modlsys = {
108 	&mod_syscallops, "C2 system call", &auditsysent
109 };
110 
111 static struct modlinkage modlinkage = {
112 	MODREV_1, (void *)&modlsys, 0
113 };
114 
115 int
116 _init()
117 {
118 	int retval;
119 
120 	if (audit_load == 0)
121 		return (-1);
122 
123 	/*
124 	 * We are going to do an ugly thing here.
125 	 *  Because auditsys is already defined as a regular
126 	 *  syscall we have to change the definition for syscall
127 	 *  auditsys. Basically or in the SE_LOADABLE flag for
128 	 *  auditsys. We no have a static loadable syscall. Also
129 	 *  create an rw_lock.
130 	 */
131 
132 	if ((audit_modsysent("c2audit", SE_LOADABLE|SE_NOUNLOAD,
133 	    _auditsys)) == -1)
134 		return (-1);
135 
136 	if ((retval = mod_install(&modlinkage)) != 0)
137 		return (retval);
138 
139 	return (0);
140 }
141 
142 int
143 _fini()
144 {
145 	return (EBUSY);
146 }
147 
148 int
149 _info(struct modinfo *modinfop)
150 {
151 	return (mod_info(&modlinkage, modinfop));
152 }
153 
154 /*
155  * when auditing is updated to allow enable/disable without
156  * reboot (and when the audit stubs are removed) *most* of these
157  * calls should return an error when auditing is off -- some
158  * for local zones only.
159  */
160 
161 int
162 _auditsys(struct auditcalls *uap, rval_t *rvp)
163 {
164 	int result = 0;
165 
166 	switch (uap->code) {
167 	case BSM_GETAUID:
168 		result = getauid((caddr_t)uap->a1);
169 		break;
170 	case BSM_SETAUID:
171 		result = setauid((caddr_t)uap->a1);
172 		break;
173 	case BSM_GETAUDIT:
174 		result = getaudit((caddr_t)uap->a1);
175 		break;
176 	case BSM_GETAUDIT_ADDR:
177 
178 		result = getaudit_addr((caddr_t)uap->a1, (int)uap->a2);
179 		break;
180 	case BSM_SETAUDIT:
181 		result = setaudit((caddr_t)uap->a1);
182 		break;
183 	case BSM_SETAUDIT_ADDR:
184 		result = setaudit_addr((caddr_t)uap->a1, (int)uap->a2);
185 		break;
186 	case BSM_AUDIT:
187 		result = audit((caddr_t)uap->a1, (int)uap->a2);
188 		break;
189 	case BSM_AUDITDOOR:
190 		result = auditdoor((int)uap->a1);
191 		break;
192 	case BSM_AUDITON:
193 	case BSM_AUDITCTL:
194 		result = auditctl((int)uap->a1, (caddr_t)uap->a2, (int)uap->a3);
195 		break;
196 	default:
197 		result = EINVAL;
198 	}
199 	rvp->r_vals = result;
200 	return (result);
201 }
202 
203 /*
204  * Return the audit user ID for the current process.  Currently only
205  * the privileged processes may see the audit id.  That may change.
206  * If copyout is unsucessful return EFAULT.
207  */
208 static int
209 getauid(caddr_t auid_p)
210 {
211 	const auditinfo_addr_t	*ainfo;
212 
213 	if (secpolicy_audit_getattr(CRED()) != 0)
214 		return (EPERM);
215 
216 	ainfo = crgetauinfo(CRED());
217 	if (ainfo == NULL)
218 		return (EINVAL);
219 
220 	if (copyout(&ainfo->ai_auid, auid_p, sizeof (au_id_t)))
221 		return (EFAULT);
222 
223 	return (0);
224 }
225 
226 /*
227  * Set the audit userid, for a process.  This can only be changed by
228  * privileged processes.  The audit userid is inherited across forks & execs.
229  * Passed in is a pointer to the au_id_t; if copyin unsuccessful return EFAULT.
230  */
231 static int
232 setauid(caddr_t auid_p)
233 {
234 	proc_t *p;
235 	au_id_t	auid;
236 	cred_t *newcred;
237 	auditinfo_addr_t *auinfo;
238 
239 	if (secpolicy_audit_config(CRED()) != 0)
240 		return (EPERM);
241 
242 	if (copyin(auid_p, &auid, sizeof (au_id_t))) {
243 		return (EFAULT);
244 	}
245 
246 	newcred = cralloc();
247 	if ((auinfo = crgetauinfo_modifiable(newcred)) == NULL) {
248 		crfree(newcred);
249 		return (EINVAL);
250 	}
251 
252 	/* grab p_crlock and switch to new cred */
253 	p = curproc;
254 	mutex_enter(&p->p_crlock);
255 	crcopy_to(p->p_cred, newcred);
256 	p->p_cred = newcred;
257 
258 	auinfo->ai_auid = auid;			/* update the auid */
259 
260 	/* unlock and broadcast the cred changes */
261 	mutex_exit(&p->p_crlock);
262 	crset(p, newcred);
263 
264 	return (0);
265 }
266 
267 /*
268  * Get the audit state information from the current process.
269  * Return EFAULT if copyout fails.
270  */
271 static int
272 getaudit(caddr_t info_p)
273 {
274 	STRUCT_DECL(auditinfo, info);
275 	const auditinfo_addr_t	*ainfo;
276 	model_t	model;
277 
278 	if (secpolicy_audit_getattr(CRED()) != 0)
279 		return (EPERM);
280 
281 	model = get_udatamodel();
282 	STRUCT_INIT(info, model);
283 
284 	ainfo = crgetauinfo(CRED());
285 	if (ainfo == NULL)
286 		return (EINVAL);
287 
288 	/* trying to read a process with an IPv6 address? */
289 	if (ainfo->ai_termid.at_type == AU_IPv6)
290 		return (EOVERFLOW);
291 
292 	STRUCT_FSET(info, ai_auid, ainfo->ai_auid);
293 	STRUCT_FSET(info, ai_mask, ainfo->ai_mask);
294 #ifdef _LP64
295 	if (model == DATAMODEL_ILP32) {
296 		dev32_t dev;
297 		/* convert internal 64 bit form to 32 bit version */
298 		if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
299 			return (EOVERFLOW);
300 		}
301 		STRUCT_FSET(info, ai_termid.port, dev);
302 	} else
303 		STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port);
304 #else
305 	STRUCT_FSET(info, ai_termid.port, ainfo->ai_termid.at_port);
306 #endif
307 	STRUCT_FSET(info, ai_termid.machine, ainfo->ai_termid.at_addr[0]);
308 	STRUCT_FSET(info, ai_asid, ainfo->ai_asid);
309 
310 	if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
311 		return (EFAULT);
312 
313 	return (0);
314 }
315 
316 /*
317  * Get the audit state information from the current process.
318  * Return EFAULT if copyout fails.
319  */
320 static int
321 getaudit_addr(caddr_t info_p, int len)
322 {
323 	STRUCT_DECL(auditinfo_addr, info);
324 	const auditinfo_addr_t	*ainfo;
325 	model_t	model;
326 
327 	if (secpolicy_audit_getattr(CRED()) != 0)
328 		return (EPERM);
329 
330 	model = get_udatamodel();
331 	STRUCT_INIT(info, model);
332 
333 	if (len < STRUCT_SIZE(info))
334 		return (EOVERFLOW);
335 
336 	ainfo = crgetauinfo(CRED());
337 
338 	if (ainfo == NULL)
339 		return (EINVAL);
340 
341 	STRUCT_FSET(info, ai_auid, ainfo->ai_auid);
342 	STRUCT_FSET(info, ai_mask, ainfo->ai_mask);
343 #ifdef _LP64
344 	if (model == DATAMODEL_ILP32) {
345 		dev32_t dev;
346 		/* convert internal 64 bit form to 32 bit version */
347 		if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
348 			return (EOVERFLOW);
349 		}
350 		STRUCT_FSET(info, ai_termid.at_port, dev);
351 	} else
352 		STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port);
353 #else
354 	STRUCT_FSET(info, ai_termid.at_port, ainfo->ai_termid.at_port);
355 #endif
356 	STRUCT_FSET(info, ai_termid.at_type, ainfo->ai_termid.at_type);
357 	STRUCT_FSET(info, ai_termid.at_addr[0], ainfo->ai_termid.at_addr[0]);
358 	STRUCT_FSET(info, ai_termid.at_addr[1], ainfo->ai_termid.at_addr[1]);
359 	STRUCT_FSET(info, ai_termid.at_addr[2], ainfo->ai_termid.at_addr[2]);
360 	STRUCT_FSET(info, ai_termid.at_addr[3], ainfo->ai_termid.at_addr[3]);
361 	STRUCT_FSET(info, ai_asid, ainfo->ai_asid);
362 
363 	if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
364 		return (EFAULT);
365 
366 	return (0);
367 }
368 
369 /*
370  * Set the audit state information for the current process.
371  * Return EFAULT if copyout fails.
372  */
373 static int
374 setaudit(caddr_t info_p)
375 {
376 	STRUCT_DECL(auditinfo, info);
377 	proc_t *p;
378 	cred_t	*newcred;
379 	model_t	model;
380 	auditinfo_addr_t *ainfo;
381 
382 	if (secpolicy_audit_config(CRED()) != 0)
383 		return (EPERM);
384 
385 	model = get_udatamodel();
386 	STRUCT_INIT(info, model);
387 
388 	if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
389 		return (EFAULT);
390 
391 	newcred = cralloc();
392 	if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
393 		crfree(newcred);
394 		return (EINVAL);
395 	}
396 
397 	/* grab p_crlock and switch to new cred */
398 	p = curproc;
399 	mutex_enter(&p->p_crlock);
400 	crcopy_to(p->p_cred, newcred);
401 	p->p_cred = newcred;
402 
403 	/* Set audit mask, id, termid and session id as specified */
404 	ainfo->ai_auid = STRUCT_FGET(info, ai_auid);
405 #ifdef _LP64
406 	/* only convert to 64 bit if coming from a 32 bit binary */
407 	if (model == DATAMODEL_ILP32)
408 		ainfo->ai_termid.at_port =
409 		    DEVEXPL(STRUCT_FGET(info, ai_termid.port));
410 	else
411 		ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port);
412 #else
413 	ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port);
414 #endif
415 	ainfo->ai_termid.at_type = AU_IPv4;
416 	ainfo->ai_termid.at_addr[0] = STRUCT_FGET(info, ai_termid.machine);
417 	ainfo->ai_asid = STRUCT_FGET(info, ai_asid);
418 	ainfo->ai_mask = STRUCT_FGET(info, ai_mask);
419 
420 	/* unlock and broadcast the cred changes */
421 	mutex_exit(&p->p_crlock);
422 	crset(p, newcred);
423 
424 	return (0);
425 }
426 
427 /*
428  * Set the audit state information for the current process.
429  * Return EFAULT if copyin fails.
430  */
431 static int
432 setaudit_addr(caddr_t info_p, int len)
433 {
434 	STRUCT_DECL(auditinfo_addr, info);
435 	proc_t *p;
436 	cred_t	*newcred;
437 	model_t	model;
438 	int i;
439 	int type;
440 	auditinfo_addr_t *ainfo;
441 
442 	if (secpolicy_audit_config(CRED()) != 0)
443 		return (EPERM);
444 
445 	model = get_udatamodel();
446 	STRUCT_INIT(info, model);
447 
448 	if (len < STRUCT_SIZE(info))
449 		return (EOVERFLOW);
450 
451 	if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
452 		return (EFAULT);
453 
454 	type = STRUCT_FGET(info, ai_termid.at_type);
455 	if ((type != AU_IPv4) && (type != AU_IPv6))
456 		return (EINVAL);
457 
458 	newcred = cralloc();
459 	if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
460 		crfree(newcred);
461 		return (EINVAL);
462 	}
463 
464 	/* grab p_crlock and switch to new cred */
465 	p = curproc;
466 	mutex_enter(&p->p_crlock);
467 	crcopy_to(p->p_cred, newcred);
468 	p->p_cred = newcred;
469 
470 	/* Set audit mask, id, termid and session id as specified */
471 	ainfo->ai_auid = STRUCT_FGET(info, ai_auid);
472 	ainfo->ai_mask = STRUCT_FGET(info, ai_mask);
473 #ifdef _LP64
474 	/* only convert to 64 bit if coming from a 32 bit binary */
475 	if (model == DATAMODEL_ILP32)
476 		ainfo->ai_termid.at_port =
477 		    DEVEXPL(STRUCT_FGET(info, ai_termid.at_port));
478 	else
479 		ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
480 #else
481 	ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
482 #endif
483 	ainfo->ai_termid.at_type = type;
484 	bzero(&ainfo->ai_termid.at_addr[0], sizeof (ainfo->ai_termid.at_addr));
485 	for (i = 0; i < (type/sizeof (int)); i++)
486 		ainfo->ai_termid.at_addr[i] =
487 		    STRUCT_FGET(info, ai_termid.at_addr[i]);
488 
489 	if (ainfo->ai_termid.at_type == AU_IPv6 &&
490 	    IN6_IS_ADDR_V4MAPPED(((in6_addr_t *)ainfo->ai_termid.at_addr))) {
491 		ainfo->ai_termid.at_type = AU_IPv4;
492 		ainfo->ai_termid.at_addr[0] = ainfo->ai_termid.at_addr[3];
493 		ainfo->ai_termid.at_addr[1] = 0;
494 		ainfo->ai_termid.at_addr[2] = 0;
495 		ainfo->ai_termid.at_addr[3] = 0;
496 	}
497 
498 	ainfo->ai_asid = STRUCT_FGET(info, ai_asid);
499 
500 	/* unlock and broadcast the cred changes */
501 	mutex_exit(&p->p_crlock);
502 	crset(p, newcred);
503 
504 	return (0);
505 }
506 
507 /*
508  * The audit system call. Trust what the user has sent down and save it
509  * away in the audit file. User passes a complete audit record and its
510  * length.  We will fill in the time stamp, check the header and the length
511  * Put a trailer and a sequence token if policy requires.
512  * In the future length might become size_t instead of an int.
513  *
514  * The call is valid whether or not AUDIT_PERZONE is set (think of
515  * login to a zone).  When the local audit state (auk_auditstate) is
516  * AUC_INIT_AUDIT, records are accepted even though auditd isn't
517  * running.
518  */
519 int
520 audit(caddr_t record, int length)
521 {
522 	char	c;
523 	int	count, l;
524 	token_t	*m, *n, *s, *ad;
525 	int	hdrlen, delta;
526 	adr_t	hadr;
527 	adr_t	sadr;
528 	int	size;	/* 0: 32 bit utility  1: 64 bit utility */
529 	int	host_len;
530 	size_t	zlen;
531 	au_kcontext_t	*kctx = GET_KCTX_PZ;
532 
533 	/* if auditing not enabled, then don't generate an audit record */
534 	if (kctx->auk_auditstate != AUC_AUDITING &&
535 	    kctx->auk_auditstate != AUC_INIT_AUDIT)
536 		return (0);
537 
538 	/* Only privileged processes can audit */
539 	if (secpolicy_audit_modify(CRED()) != 0)
540 		return (EPERM);
541 
542 	/* Max user record size is 32K */
543 	if (length > AUDIT_REC_SIZE)
544 		return (E2BIG);
545 
546 	/*
547 	 * The specified length must be at least as big as the smallest
548 	 * possible header token. Later after beginning to scan the
549 	 * header we'll determine the true minimum length according to
550 	 * the header type and attributes.
551 	 */
552 #define	AU_MIN_HEADER_LEN	(sizeof (char) + sizeof (int32_t) + \
553 	sizeof (char) + sizeof (short) + sizeof (short) + \
554 	(sizeof (int32_t) * 2))
555 
556 	if (length < AU_MIN_HEADER_LEN)
557 		return (EINVAL);
558 
559 	/* Read in user's audit record */
560 	count = length;
561 	m = n = s = ad = NULL;
562 	while (count) {
563 		m = au_getclr();
564 		if (!s)
565 			s = n = m;
566 		else {
567 			n->next_buf = m;
568 			n = m;
569 		}
570 		l = MIN(count, AU_BUFSIZE);
571 		if (copyin(record, memtod(m, caddr_t), (size_t)l)) {
572 			/* copyin failed release au_membuf */
573 			au_free_rec(s);
574 			return (EFAULT);
575 		}
576 		record += l;
577 		count -= l;
578 		m->len = (uchar_t)l;
579 	}
580 
581 	/* Now attach the entire thing to ad */
582 	au_write((caddr_t *)&(ad), s);
583 
584 	/* validate header token type. trust everything following it */
585 	adr_start(&hadr, memtod(s, char *));
586 	(void) adr_getchar(&hadr, &c);
587 	switch (c) {
588 	case AUT_HEADER32:
589 		/* size vers+event_ID+event_modifier fields */
590 		delta = 1 + 2 + 2;
591 		hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
592 		size = HEADER_SIZE32;
593 		break;
594 
595 #ifdef _LP64
596 	case AUT_HEADER64:
597 		/* size vers+event_ID+event_modifier fields */
598 		delta = 1 + 2 + 2;
599 		hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
600 		size = HEADER_SIZE64;
601 		break;
602 #endif
603 
604 	case AUT_HEADER32_EX:
605 		/*
606 		 * Skip over the length/version/type/mod fields and
607 		 * grab the host address type (length), then rewind.
608 		 * This is safe per the previous minimum length check.
609 		 */
610 		hadr.adr_now += 9;
611 		(void) adr_getint32(&hadr, &host_len);
612 		hadr.adr_now -= 9 + sizeof (int32_t);
613 
614 		/* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
615 		delta = 1 + 2 + 2 + 4 + host_len;
616 		hdrlen = 1 + 4 + delta + (sizeof (int32_t) * 2);
617 		size = HEADER_SIZE32;
618 		break;
619 
620 #ifdef _LP64
621 	case AUT_HEADER64_EX:
622 		/*
623 		 * Skip over the length/version/type/mod fields and grab
624 		 * the host address type (length), then rewind.
625 		 * This is safe per the previous minimum length check.
626 		 */
627 		hadr.adr_now += 9;
628 		(void) adr_getint32(&hadr, &host_len);
629 		hadr.adr_now -= 9 + sizeof (int32_t);
630 
631 		/* size: vers+event_ID+event_modifier+IP_type+IP_addr_array */
632 		delta = 1 + 2 + 2 + 4 + host_len;
633 		hdrlen = 1 + 4 + delta + (sizeof (int64_t) * 2);
634 		size = HEADER_SIZE64;
635 		break;
636 #endif
637 
638 	default:
639 		/* Header is wrong, reject message */
640 		au_free_rec(s);
641 		return (EINVAL);
642 	}
643 
644 	if (length < hdrlen) {
645 		au_free_rec(s);
646 		return (0);
647 	}
648 
649 	/* advance over header token length field */
650 	hadr.adr_now += 4;
651 
652 	/* validate version */
653 	(void) adr_getchar(&hadr, &c);
654 	if (c != TOKEN_VERSION) {
655 		/* version is wrong, reject message */
656 		au_free_rec(s);
657 		return (EINVAL);
658 	}
659 
660 	/* backup to header length field (including version field) */
661 	hadr.adr_now -= 5;
662 
663 	/*
664 	 * add on the zonename token if policy AUDIT_ZONENAME is set
665 	 */
666 	if (kctx->auk_policy & AUDIT_ZONENAME) {
667 		zlen = au_zonename_length(NULL);
668 		if (zlen > 0) {
669 			length += zlen;
670 			m = au_to_zonename(zlen, NULL);
671 			(void) au_append_rec(ad, m, AU_PACK);
672 		}
673 	}
674 	/* Add an (optional) sequence token. NULL offset if none */
675 	if (kctx->auk_policy & AUDIT_SEQ) {
676 		/* get the sequnce token */
677 		m = au_to_seq();
678 
679 		/* sequence token 5 bytes long */
680 		length += 5;
681 
682 		/* link to audit record (i.e. don't pack the data) */
683 		(void) au_append_rec(ad, m, AU_LINK);
684 
685 		/* advance to count field of token */
686 		adr_start(&sadr, memtod(m, char *));
687 		sadr.adr_now += 1;
688 	} else
689 		sadr.adr_now = (char *)NULL;
690 
691 	/* add the (optional) trailer token */
692 	if (kctx->auk_policy & AUDIT_TRAIL) {
693 		/* trailer token is 7 bytes long */
694 		length += 7;
695 
696 		/* append to audit record */
697 		(void) au_append_rec(ad, au_to_trailer(length), AU_PACK);
698 	}
699 
700 	/* audit record completely assembled. set the length */
701 	adr_int32(&hadr, (int32_t *)&length, 1);
702 
703 	/* advance to date/time field of header */
704 	hadr.adr_now += delta;
705 
706 	/* We are done  put it on the queue */
707 	AS_INC(as_generated, 1, kctx);
708 	AS_INC(as_audit, 1, kctx);
709 
710 	au_enqueue(kctx, s, &hadr, &sadr, size, 0);
711 
712 	AS_INC(as_totalsize, length, kctx);
713 
714 	return (0);
715 }
716 
717 static void
718 audit_dont_stop(void *kctx)
719 {
720 
721 	if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
722 	    (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
723 		return;
724 
725 	mutex_enter(&(((au_kcontext_t *)kctx)->auk_queue.lock));
726 	cv_broadcast(&(((au_kcontext_t *)kctx)->auk_queue.write_cv));
727 	mutex_exit(&(((au_kcontext_t *)kctx)->auk_queue.lock));
728 }
729 
730 /*
731  * auditdoor starts a kernel thread to generate output from the audit
732  * queue.  The thread terminates when it detects auditing being turned
733  * off, such as when auditd exits with a SIGTERM.  If a subsequent
734  * auditdoor arrives while the thread is running, the door descriptor
735  * of the last auditdoor in will be used for output.  auditd is responsible
736  * for insuring that multiple copies are not running.
737  */
738 
739 static int
740 auditdoor(int fd)
741 {
742 	struct file	*fp;
743 	struct vnode	*vp;
744 	int		do_create = 0;
745 	au_kcontext_t	*kctx;
746 
747 	if (secpolicy_audit_config(CRED()) != 0)
748 		return (EPERM);
749 
750 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
751 		return (EINVAL);
752 
753 	kctx = GET_KCTX_NGZ;
754 
755 	/*
756 	 * convert file pointer to file descriptor
757 	 *   Note: fd ref count incremented here.
758 	 */
759 	if ((fp = (struct file *)getf(fd)) == NULL) {
760 		return (EBADF);
761 	}
762 	vp = fp->f_vnode;
763 	if (vp->v_type != VDOOR) {
764 		cmn_err(CE_WARN,
765 		    "auditdoor() did not get the expected door descriptor\n");
766 		releasef(fd);
767 		return (EINVAL);
768 	}
769 	/*
770 	 * If the output thread is already running, then replace the
771 	 * door descriptor with the new one and continue; otherwise
772 	 * create the thread too.  Since au_output_thread makes a call
773 	 * to au_doorio() which also does
774 	 * mutex_lock(&(kctx->auk_svc_lock)), the create/dispatch is
775 	 * done after the unlock...
776 	 */
777 	mutex_enter(&(kctx->auk_svc_lock));
778 
779 	if (kctx->auk_current_vp != NULL)
780 		VN_RELE(kctx->auk_current_vp);
781 
782 	kctx->auk_current_vp = vp;
783 	VN_HOLD(kctx->auk_current_vp);
784 	releasef(fd);
785 
786 	if (!kctx->auk_output_active) {
787 		kctx->auk_output_active = 1;
788 		do_create = 1;
789 	}
790 	mutex_exit(&(kctx->auk_svc_lock));
791 	if (do_create) {
792 		kctx->auk_taskq =
793 		    taskq_create("output_master", 1, minclsyspri, 1, 1, 0);
794 		(void) taskq_dispatch(kctx->auk_taskq,
795 		    (task_func_t *)au_output_thread,
796 		    kctx, TQ_SLEEP);
797 	}
798 	return (0);
799 }
800 
801 /*
802  * au_queue_kick -- wake up the output queue after delay ticks
803  */
804 static void
805 au_queue_kick(void *kctx)
806 {
807 	/*
808 	 * wakeup reader if its not running and there is something
809 	 * to do.  It also helps that kctx still be valid...
810 	 */
811 
812 	if ((((au_kcontext_t *)kctx)->auk_valid != AUK_VALID) ||
813 	    (((au_kcontext_t *)kctx)->auk_auditstate == AUC_NOAUDIT))
814 		return;
815 
816 	if (((au_kcontext_t *)kctx)->auk_queue.cnt &&
817 	    ((au_kcontext_t *)kctx)->auk_queue.rd_block)
818 		cv_broadcast(&((au_kcontext_t *)kctx)->auk_queue.read_cv);
819 
820 	/* fire off timeout event to kick audit queue awake */
821 	(void) timeout(au_queue_kick, kctx,
822 	    ((au_kcontext_t *)kctx)->auk_queue.delay);
823 }
824 
825 /*
826  * output thread
827  *
828  * this runs "forever" where "forever" means until either auk_auditstate
829  * changes from AUC_AUDITING or if the door descriptor becomes invalid.
830  *
831  * there is one thread per active zone if AUC_PERZONE is set.  Since
832  * there is the possibility that a zone may go down without auditd
833  * terminating properly, a zone shutdown kills its au_output_thread()
834  * via taskq_destroy().
835  */
836 
837 static void
838 au_output_thread(au_kcontext_t *kctx)
839 {
840 	int		error = 0;
841 
842 	(void) timeout(au_queue_kick, kctx, kctx->auk_queue.delay);
843 
844 	/*
845 	 * Wait for work, until a signal arrives,
846 	 * or until auditing is disabled.
847 	 */
848 
849 	while (!error) {
850 		if (kctx->auk_auditstate == AUC_AUDITING) {
851 			mutex_enter(&(kctx->auk_queue.lock));
852 			while (kctx->auk_queue.head == NULL) {
853 				/* safety check. kick writer awake */
854 				if (kctx->auk_queue.wt_block) {
855 					cv_broadcast(&(kctx->
856 					    auk_queue.write_cv));
857 				}
858 
859 				kctx->auk_queue.rd_block = 1;
860 				AS_INC(as_rblocked, 1, kctx);
861 
862 				cv_wait(&(kctx->auk_queue.read_cv),
863 				    &(kctx->auk_queue.lock));
864 				kctx->auk_queue.rd_block = 0;
865 
866 				if (kctx->auk_auditstate != AUC_AUDITING) {
867 					mutex_exit(&(kctx->auk_queue.lock));
868 					(void) timeout(audit_dont_stop, kctx,
869 					    au_resid);
870 					goto output_exit;
871 				}
872 				kctx->auk_queue.rd_block = 0;
873 			}
874 			mutex_exit(&(kctx->auk_queue.lock));
875 			/*
876 			 * au_doorio() calls au_door_upcall which holds
877 			 * auk_svc_lock; au_doorio empties the queue before
878 			 * returning.
879 			 */
880 
881 			error = au_doorio(kctx);
882 		} else {
883 			/* auditing turned off while we slept */
884 			break;
885 		}
886 	}
887 output_exit:
888 	mutex_enter(&(kctx->auk_svc_lock));
889 
890 	VN_RELE(kctx->auk_current_vp);
891 	kctx->auk_current_vp = NULL;
892 
893 	kctx->auk_output_active = 0;
894 
895 	mutex_exit(&(kctx->auk_svc_lock));
896 }
897 
898 
899 /*
900  * Get the global policy flag
901  */
902 
903 static int
904 getpolicy(caddr_t data)
905 {
906 	int	policy;
907 	au_kcontext_t	*kctx = GET_KCTX_PZ;
908 
909 	policy = audit_policy | kctx->auk_policy;
910 
911 	if (copyout(&policy, data, sizeof (int)))
912 		return (EFAULT);
913 	return (0);
914 }
915 
916 /*
917  * Set the global and local policy flags
918  *
919  * The global flags only make sense from the global zone;
920  * the local flags depend on the AUDIT_PERZONE policy:
921  * if the perzone policy is set, then policy is set separately
922  * per zone, else held only in the global zone.
923  *
924  * The initial value of a local zone's policy flag is determined
925  * by the value of the global zone's flags at the time the
926  * local zone is created.
927  *
928  * While auditconfig(1M) allows setting and unsetting policies one bit
929  * at a time, the mask passed in from auditconfig() is created by a
930  * syscall to getpolicy and then modified based on the auditconfig()
931  * cmd line, so the input policy value is used to replace the existing
932  * policy.
933  */
934 
935 
936 static int
937 setpolicy(caddr_t data)
938 {
939 	int	policy;
940 	au_kcontext_t	*kctx;
941 
942 	if (copyin(data, &policy, sizeof (int)))
943 		return (EFAULT);
944 
945 	kctx = GET_KCTX_NGZ;
946 
947 	if (INGLOBALZONE(curproc)) {
948 		if (policy & ~(AUDIT_GLOBAL | AUDIT_LOCAL))
949 			return (EINVAL);
950 
951 		audit_policy = policy & AUDIT_GLOBAL;
952 	} else {
953 		if (!(audit_policy & AUDIT_PERZONE))
954 			return (EINVAL);
955 
956 		if (policy & ~AUDIT_LOCAL)	/* global bits are a no-no */
957 			return (EINVAL);
958 	}
959 	kctx->auk_policy = policy & AUDIT_LOCAL;
960 
961 	/*
962 	 * auk_current_vp is NULL before auditd starts (or during early
963 	 * auditd starup) or if auditd is halted; in either case,
964 	 * notification of a policy change is not needed, since auditd
965 	 * reads policy as it comes up.  The error return from au_doormsg()
966 	 * is ignored to avoid a race condition -- for example if auditd
967 	 * segv's, the audit state may be "auditing" but the door may
968 	 * be closed.  Returning an error if the door is open makes it
969 	 * impossible for Greenline to restart auditd.
970 	 */
971 	if (kctx->auk_current_vp != NULL)
972 		(void) au_doormsg(kctx, AU_DBUF_POLICY, &policy);
973 
974 	/*
975 	 * Wake up anyone who might have blocked on full audit
976 	 * partitions. audit daemons need to set AUDIT_FULL when no
977 	 * space so we can tell if we should start dropping records.
978 	 */
979 	mutex_enter(&(kctx->auk_queue.lock));
980 
981 	if ((policy & (AUDIT_CNT | AUDIT_SCNT) &&
982 	    (kctx->auk_queue.cnt >= kctx->auk_queue.hiwater)))
983 		cv_broadcast(&(kctx->auk_queue.write_cv));
984 
985 	mutex_exit(&(kctx->auk_queue.lock));
986 
987 	return (0);
988 }
989 
990 static int
991 getkmask(caddr_t data)
992 {
993 	au_kcontext_t	*kctx;
994 
995 	kctx = GET_KCTX_PZ;
996 
997 	if (copyout(&kctx->auk_info.ai_mask, data, sizeof (au_mask_t)))
998 		return (EFAULT);
999 	return (0);
1000 }
1001 
1002 static int
1003 setkmask(caddr_t data)
1004 {
1005 	au_mask_t	mask;
1006 	au_kcontext_t	*kctx;
1007 
1008 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1009 		return (EINVAL);
1010 
1011 	kctx = GET_KCTX_NGZ;
1012 
1013 	if (copyin(data, &mask, sizeof (au_mask_t)))
1014 		return (EFAULT);
1015 
1016 	kctx->auk_info.ai_mask = mask;
1017 	return (0);
1018 }
1019 
1020 static int
1021 getkaudit(caddr_t info_p, int len)
1022 {
1023 	STRUCT_DECL(auditinfo_addr, info);
1024 	model_t model;
1025 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1026 
1027 	model = get_udatamodel();
1028 	STRUCT_INIT(info, model);
1029 
1030 	if (len < STRUCT_SIZE(info))
1031 		return (EOVERFLOW);
1032 
1033 	STRUCT_FSET(info, ai_auid, kctx->auk_info.ai_auid);
1034 	STRUCT_FSET(info, ai_mask, kctx->auk_info.ai_mask);
1035 #ifdef _LP64
1036 	if (model == DATAMODEL_ILP32) {
1037 		dev32_t dev;
1038 		/* convert internal 64 bit form to 32 bit version */
1039 		if (cmpldev(&dev, kctx->auk_info.ai_termid.at_port) == 0) {
1040 			return (EOVERFLOW);
1041 		}
1042 		STRUCT_FSET(info, ai_termid.at_port, dev);
1043 	} else {
1044 		STRUCT_FSET(info, ai_termid.at_port,
1045 		    kctx->auk_info.ai_termid.at_port);
1046 	}
1047 #else
1048 	STRUCT_FSET(info, ai_termid.at_port,
1049 	    kctx->auk_info.ai_termid.at_port);
1050 #endif
1051 	STRUCT_FSET(info, ai_termid.at_type,
1052 	    kctx->auk_info.ai_termid.at_type);
1053 	STRUCT_FSET(info, ai_termid.at_addr[0],
1054 	    kctx->auk_info.ai_termid.at_addr[0]);
1055 	STRUCT_FSET(info, ai_termid.at_addr[1],
1056 	    kctx->auk_info.ai_termid.at_addr[1]);
1057 	STRUCT_FSET(info, ai_termid.at_addr[2],
1058 	    kctx->auk_info.ai_termid.at_addr[2]);
1059 	STRUCT_FSET(info, ai_termid.at_addr[3],
1060 	    kctx->auk_info.ai_termid.at_addr[3]);
1061 	STRUCT_FSET(info, ai_asid, kctx->auk_info.ai_asid);
1062 
1063 	if (copyout(STRUCT_BUF(info), info_p, STRUCT_SIZE(info)))
1064 		return (EFAULT);
1065 
1066 	return (0);
1067 }
1068 
1069 /*
1070  * the host address for AUDIT_PERZONE == 0 is that of the global
1071  * zone and for local zones it is of the current zone.
1072  */
1073 
1074 static int
1075 setkaudit(caddr_t info_p, int len)
1076 {
1077 	STRUCT_DECL(auditinfo_addr, info);
1078 	model_t model;
1079 	au_kcontext_t	*kctx;
1080 
1081 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1082 		return (EINVAL);
1083 
1084 	kctx = GET_KCTX_NGZ;
1085 
1086 	model = get_udatamodel();
1087 	STRUCT_INIT(info, model);
1088 
1089 	if (len < STRUCT_SIZE(info))
1090 		return (EOVERFLOW);
1091 
1092 	if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
1093 		return (EFAULT);
1094 
1095 	if ((STRUCT_FGET(info, ai_termid.at_type) != AU_IPv4) &&
1096 	    (STRUCT_FGET(info, ai_termid.at_type) != AU_IPv6))
1097 		return (EINVAL);
1098 
1099 	/* Set audit mask, termid and session id as specified */
1100 	kctx->auk_info.ai_auid = STRUCT_FGET(info, ai_auid);
1101 	kctx->auk_info.ai_mask = STRUCT_FGET(info, ai_mask);
1102 #ifdef _LP64
1103 	/* only convert to 64 bit if coming from a 32 bit binary */
1104 	if (model == DATAMODEL_ILP32)
1105 		kctx->auk_info.ai_termid.at_port =
1106 		    DEVEXPL(STRUCT_FGET(info, ai_termid.at_port));
1107 	else
1108 		kctx->auk_info.ai_termid.at_port =
1109 		    STRUCT_FGET(info, ai_termid.at_port);
1110 #else
1111 	kctx->auk_info.ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
1112 #endif
1113 	kctx->auk_info.ai_termid.at_type = STRUCT_FGET(info, ai_termid.at_type);
1114 	bzero(&kctx->auk_info.ai_termid.at_addr[0],
1115 	    sizeof (kctx->auk_info.ai_termid.at_addr));
1116 	kctx->auk_info.ai_termid.at_addr[0] =
1117 	    STRUCT_FGET(info, ai_termid.at_addr[0]);
1118 	kctx->auk_info.ai_termid.at_addr[1] =
1119 	    STRUCT_FGET(info, ai_termid.at_addr[1]);
1120 	kctx->auk_info.ai_termid.at_addr[2] =
1121 	    STRUCT_FGET(info, ai_termid.at_addr[2]);
1122 	kctx->auk_info.ai_termid.at_addr[3] =
1123 	    STRUCT_FGET(info, ai_termid.at_addr[3]);
1124 	kctx->auk_info.ai_asid = STRUCT_FGET(info, ai_asid);
1125 
1126 	if (kctx->auk_info.ai_termid.at_type == AU_IPv6 &&
1127 	    IN6_IS_ADDR_V4MAPPED(
1128 	    ((in6_addr_t *)kctx->auk_info.ai_termid.at_addr))) {
1129 		kctx->auk_info.ai_termid.at_type = AU_IPv4;
1130 		kctx->auk_info.ai_termid.at_addr[0] =
1131 		    kctx->auk_info.ai_termid.at_addr[3];
1132 		kctx->auk_info.ai_termid.at_addr[1] = 0;
1133 		kctx->auk_info.ai_termid.at_addr[2] = 0;
1134 		kctx->auk_info.ai_termid.at_addr[3] = 0;
1135 	}
1136 	if (kctx->auk_info.ai_termid.at_type == AU_IPv6)
1137 		kctx->auk_hostaddr_valid = IN6_IS_ADDR_UNSPECIFIED(
1138 		    (in6_addr_t *)kctx->auk_info.ai_termid.at_addr) ? 0 : 1;
1139 	else
1140 		kctx->auk_hostaddr_valid =
1141 		    (kctx->auk_info.ai_termid.at_addr[0] ==
1142 		    htonl(INADDR_ANY)) ? 0 : 1;
1143 
1144 	return (0);
1145 }
1146 
1147 static int
1148 getqctrl(caddr_t data)
1149 {
1150 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1151 	STRUCT_DECL(au_qctrl, qctrl);
1152 	STRUCT_INIT(qctrl, get_udatamodel());
1153 
1154 	mutex_enter(&(kctx->auk_queue.lock));
1155 	STRUCT_FSET(qctrl, aq_hiwater, kctx->auk_queue.hiwater);
1156 	STRUCT_FSET(qctrl, aq_lowater, kctx->auk_queue.lowater);
1157 	STRUCT_FSET(qctrl, aq_bufsz, kctx->auk_queue.bufsz);
1158 	STRUCT_FSET(qctrl, aq_delay, kctx->auk_queue.delay);
1159 	mutex_exit(&(kctx->auk_queue.lock));
1160 
1161 	if (copyout(STRUCT_BUF(qctrl), data, STRUCT_SIZE(qctrl)))
1162 		return (EFAULT);
1163 
1164 	return (0);
1165 }
1166 
1167 static int
1168 setqctrl(caddr_t data)
1169 {
1170 	au_kcontext_t	*kctx;
1171 	struct au_qctrl qctrl_tmp;
1172 	STRUCT_DECL(au_qctrl, qctrl);
1173 	STRUCT_INIT(qctrl, get_udatamodel());
1174 
1175 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1176 		return (EINVAL);
1177 	kctx = GET_KCTX_NGZ;
1178 
1179 	if (copyin(data, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
1180 		return (EFAULT);
1181 
1182 	qctrl_tmp.aq_hiwater = (size_t)STRUCT_FGET(qctrl, aq_hiwater);
1183 	qctrl_tmp.aq_lowater = (size_t)STRUCT_FGET(qctrl, aq_lowater);
1184 	qctrl_tmp.aq_bufsz = (size_t)STRUCT_FGET(qctrl, aq_bufsz);
1185 	qctrl_tmp.aq_delay = (clock_t)STRUCT_FGET(qctrl, aq_delay);
1186 
1187 	/* enforce sane values */
1188 
1189 	if (qctrl_tmp.aq_hiwater <= qctrl_tmp.aq_lowater)
1190 		return (EINVAL);
1191 
1192 	if (qctrl_tmp.aq_hiwater < AQ_LOWATER)
1193 		return (EINVAL);
1194 
1195 	if (qctrl_tmp.aq_hiwater > AQ_MAXHIGH)
1196 		return (EINVAL);
1197 
1198 	if (qctrl_tmp.aq_bufsz < AQ_BUFSZ)
1199 		return (EINVAL);
1200 
1201 	if (qctrl_tmp.aq_bufsz > AQ_MAXBUFSZ)
1202 		return (EINVAL);
1203 
1204 	if (qctrl_tmp.aq_delay == 0)
1205 		return (EINVAL);
1206 
1207 	if (qctrl_tmp.aq_delay > AQ_MAXDELAY)
1208 		return (EINVAL);
1209 
1210 	/* update everything at once so things are consistant */
1211 	mutex_enter(&(kctx->auk_queue.lock));
1212 	kctx->auk_queue.hiwater = qctrl_tmp.aq_hiwater;
1213 	kctx->auk_queue.lowater = qctrl_tmp.aq_lowater;
1214 	kctx->auk_queue.bufsz = qctrl_tmp.aq_bufsz;
1215 	kctx->auk_queue.delay = qctrl_tmp.aq_delay;
1216 
1217 	if (kctx->auk_queue.rd_block &&
1218 	    kctx->auk_queue.cnt > kctx->auk_queue.lowater)
1219 		cv_broadcast(&(kctx->auk_queue.read_cv));
1220 
1221 	if (kctx->auk_queue.wt_block &&
1222 	    kctx->auk_queue.cnt < kctx->auk_queue.hiwater)
1223 		cv_broadcast(&(kctx->auk_queue.write_cv));
1224 
1225 	mutex_exit(&(kctx->auk_queue.lock));
1226 
1227 	return (0);
1228 }
1229 
1230 static int
1231 getcwd(caddr_t data, int length)
1232 {
1233 	struct p_audit_data	*pad;
1234 	struct audit_path	*app;
1235 	int	pathlen;
1236 
1237 	pad = P2A(curproc);
1238 	ASSERT(pad != NULL);
1239 
1240 	mutex_enter(&(pad->pad_lock));
1241 	app = pad->pad_cwd;
1242 	au_pathhold(app);
1243 	mutex_exit(&(pad->pad_lock));
1244 
1245 	pathlen = app->audp_sect[1] - app->audp_sect[0];
1246 	if (pathlen > length) {
1247 		au_pathrele(app);
1248 		return (E2BIG);
1249 	}
1250 
1251 	if (copyout(app->audp_sect[0], data, pathlen)) {
1252 		au_pathrele(app);
1253 		return (EFAULT);
1254 	}
1255 
1256 	au_pathrele(app);
1257 	return (0);
1258 }
1259 
1260 static int
1261 getcar(caddr_t data, int length)
1262 {
1263 	struct p_audit_data	*pad;
1264 	struct audit_path	*app;
1265 	int	pathlen;
1266 
1267 	pad = P2A(curproc);
1268 	ASSERT(pad != NULL);
1269 
1270 	mutex_enter(&(pad->pad_lock));
1271 	app = pad->pad_root;
1272 	au_pathhold(app);
1273 	mutex_exit(&(pad->pad_lock));
1274 
1275 	pathlen = app->audp_sect[1] - app->audp_sect[0];
1276 	if (pathlen > length) {
1277 		au_pathrele(app);
1278 		return (E2BIG);
1279 	}
1280 
1281 	if (copyout(app->audp_sect[0], data, pathlen)) {
1282 		au_pathrele(app);
1283 		return (EFAULT);
1284 	}
1285 
1286 	au_pathrele(app);
1287 	return (0);
1288 }
1289 
1290 static int
1291 getstat(caddr_t data)
1292 {
1293 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1294 
1295 	membar_consumer();
1296 
1297 	if (copyout((caddr_t)&(kctx->auk_statistics), data, sizeof (au_stat_t)))
1298 		return (EFAULT);
1299 	return (0);
1300 }
1301 
1302 
1303 static int
1304 setstat(caddr_t data)
1305 {
1306 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1307 	au_stat_t au_stat;
1308 
1309 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1310 		return (EINVAL);
1311 
1312 	if (copyin(data, &au_stat, sizeof (au_stat_t)))
1313 		return (EFAULT);
1314 
1315 	if (au_stat.as_generated == CLEAR_VAL)
1316 		kctx->auk_statistics.as_generated = 0;
1317 	if (au_stat.as_nonattrib == CLEAR_VAL)
1318 		kctx->auk_statistics.as_nonattrib = 0;
1319 	if (au_stat.as_kernel == CLEAR_VAL)
1320 		kctx->auk_statistics.as_kernel = 0;
1321 	if (au_stat.as_audit == CLEAR_VAL)
1322 		kctx->auk_statistics.as_audit = 0;
1323 	if (au_stat.as_auditctl == CLEAR_VAL)
1324 		kctx->auk_statistics.as_auditctl = 0;
1325 	if (au_stat.as_enqueue == CLEAR_VAL)
1326 		kctx->auk_statistics.as_enqueue = 0;
1327 	if (au_stat.as_written == CLEAR_VAL)
1328 		kctx->auk_statistics.as_written = 0;
1329 	if (au_stat.as_wblocked == CLEAR_VAL)
1330 		kctx->auk_statistics.as_wblocked = 0;
1331 	if (au_stat.as_rblocked == CLEAR_VAL)
1332 		kctx->auk_statistics.as_rblocked = 0;
1333 	if (au_stat.as_dropped == CLEAR_VAL)
1334 		kctx->auk_statistics.as_dropped = 0;
1335 	if (au_stat.as_totalsize == CLEAR_VAL)
1336 		kctx->auk_statistics.as_totalsize = 0;
1337 
1338 	membar_producer();
1339 
1340 	return (0);
1341 
1342 }
1343 
1344 static int
1345 setumask(caddr_t data)
1346 {
1347 	STRUCT_DECL(auditinfo, user_info);
1348 	struct proc *p;
1349 	const auditinfo_addr_t	*ainfo;
1350 	model_t	model;
1351 
1352 	model = get_udatamodel();
1353 	STRUCT_INIT(user_info, model);
1354 
1355 	if (copyin(data, STRUCT_BUF(user_info), STRUCT_SIZE(user_info)))
1356 		return (EFAULT);
1357 
1358 	mutex_enter(&pidlock);	/* lock the process queue against updates */
1359 	for (p = practive; p != NULL; p = p->p_next) {
1360 		cred_t	*cr;
1361 
1362 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
1363 		mutex_enter(&p->p_crlock);
1364 		crhold(cr = p->p_cred);
1365 		mutex_exit(&p->p_crlock);
1366 		ainfo = crgetauinfo(cr);
1367 		if (ainfo == NULL) {
1368 			mutex_exit(&p->p_lock);
1369 			crfree(cr);
1370 			continue;
1371 		}
1372 
1373 		if (ainfo->ai_auid == STRUCT_FGET(user_info, ai_auid)) {
1374 			au_mask_t	mask;
1375 			int		err;
1376 
1377 			/*
1378 			 * Here's a process which matches the specified auid.
1379 			 * If its mask doesn't already match the new mask,
1380 			 * save the new mask in the pad, to be picked up
1381 			 * next syscall.
1382 			 */
1383 			mask = STRUCT_FGET(user_info, ai_mask);
1384 			err = bcmp(&mask, &ainfo->ai_mask, sizeof (au_mask_t));
1385 			crfree(cr);
1386 			if (err != 0) {
1387 				struct p_audit_data *pad = P2A(p);
1388 				ASSERT(pad != NULL);
1389 
1390 				mutex_enter(&(pad->pad_lock));
1391 				pad->pad_flags |= PAD_SETMASK;
1392 				pad->pad_newmask = mask;
1393 				mutex_exit(&(pad->pad_lock));
1394 
1395 				/*
1396 				 * No need to call set_proc_pre_sys(), since
1397 				 * t_pre_sys is ALWAYS on when audit is
1398 				 * enabled...due to syscall auditing.
1399 				 */
1400 			}
1401 		} else {
1402 			crfree(cr);
1403 		}
1404 		mutex_exit(&p->p_lock);
1405 	}
1406 	mutex_exit(&pidlock);
1407 
1408 	return (0);
1409 }
1410 
1411 static int
1412 setsmask(caddr_t data)
1413 {
1414 	STRUCT_DECL(auditinfo, user_info);
1415 	struct proc *p;
1416 	const auditinfo_addr_t	*ainfo;
1417 	model_t	model;
1418 
1419 	model = get_udatamodel();
1420 	STRUCT_INIT(user_info, model);
1421 
1422 	if (copyin(data, STRUCT_BUF(user_info), STRUCT_SIZE(user_info)))
1423 		return (EFAULT);
1424 
1425 	mutex_enter(&pidlock);	/* lock the process queue against updates */
1426 	for (p = practive; p != NULL; p = p->p_next) {
1427 		cred_t	*cr;
1428 
1429 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
1430 		mutex_enter(&p->p_crlock);
1431 		crhold(cr = p->p_cred);
1432 		mutex_exit(&p->p_crlock);
1433 		ainfo = crgetauinfo(cr);
1434 		if (ainfo == NULL) {
1435 			mutex_exit(&p->p_lock);
1436 			crfree(cr);
1437 			continue;
1438 		}
1439 
1440 		if (ainfo->ai_asid == STRUCT_FGET(user_info, ai_asid)) {
1441 			au_mask_t	mask;
1442 			int		err;
1443 
1444 			/*
1445 			 * Here's a process which matches the specified asid.
1446 			 * If its mask doesn't already match the new mask,
1447 			 * save the new mask in the pad, to be picked up
1448 			 * next syscall.
1449 			 */
1450 			mask = STRUCT_FGET(user_info, ai_mask);
1451 			err = bcmp(&mask, &ainfo->ai_mask, sizeof (au_mask_t));
1452 			crfree(cr);
1453 			if (err != 0) {
1454 				struct p_audit_data *pad = P2A(p);
1455 				ASSERT(pad != NULL);
1456 
1457 				mutex_enter(&(pad->pad_lock));
1458 				pad->pad_flags |= PAD_SETMASK;
1459 				pad->pad_newmask = mask;
1460 				mutex_exit(&(pad->pad_lock));
1461 
1462 				/*
1463 				 * No need to call set_proc_pre_sys(), since
1464 				 * t_pre_sys is ALWAYS on when audit is
1465 				 * enabled...due to syscall auditing.
1466 				 */
1467 			}
1468 		} else {
1469 			crfree(cr);
1470 		}
1471 		mutex_exit(&p->p_lock);
1472 	}
1473 	mutex_exit(&pidlock);
1474 
1475 	return (0);
1476 }
1477 
1478 /*
1479  * Get the current audit state of the system
1480  */
1481 static int
1482 getcond(caddr_t data)
1483 {
1484 	au_kcontext_t	*kctx;
1485 
1486 	if (au_auditstate == AUC_DISABLED)
1487 		if (copyout(&au_auditstate, data, sizeof (int)))
1488 			return (EFAULT);
1489 
1490 	kctx = GET_KCTX_PZ;
1491 
1492 	if (copyout(&(kctx->auk_auditstate), data, sizeof (int)))
1493 		return (EFAULT);
1494 
1495 	return (0);
1496 }
1497 
1498 /*
1499  * Set the current audit state of the system to on (AUC_AUDITING) or
1500  * off (AUC_NOAUDIT).
1501  */
1502 /* ARGSUSED */
1503 static int
1504 setcond(caddr_t data)
1505 {
1506 	int	auditstate;
1507 	au_kcontext_t	*kctx;
1508 
1509 	if (!(audit_policy & AUDIT_PERZONE) && (!INGLOBALZONE(curproc)))
1510 		return (EINVAL);
1511 
1512 	kctx = GET_KCTX_NGZ;
1513 
1514 	if (copyin(data, &auditstate, sizeof (int)))
1515 		return (EFAULT);
1516 
1517 	switch (auditstate) {
1518 	case AUC_AUDITING:		/* Turn auditing on */
1519 		kctx->auk_auditstate = AUC_AUDITING;
1520 		au_auditstate = AUC_ENABLED;
1521 		break;
1522 
1523 	case AUC_NOAUDIT:		/* Turn auditing off */
1524 		if (kctx->auk_auditstate == AUC_NOAUDIT)
1525 			break;
1526 		kctx->auk_auditstate = AUC_NOAUDIT;
1527 
1528 		/* clear out the audit queue */
1529 
1530 		mutex_enter(&(kctx->auk_queue.lock));
1531 		if (kctx->auk_queue.wt_block)
1532 			cv_broadcast(&(kctx->auk_queue.write_cv));
1533 
1534 		/* unblock au_output_thread */
1535 		cv_broadcast(&(kctx->auk_queue.read_cv));
1536 
1537 		mutex_exit(&(kctx->auk_queue.lock));
1538 		break;
1539 
1540 	default:
1541 		return (EINVAL);
1542 	}
1543 
1544 	return (0);
1545 }
1546 
1547 static int
1548 getclass(caddr_t data)
1549 {
1550 	au_evclass_map_t event;
1551 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1552 
1553 	if (copyin(data, &event, sizeof (au_evclass_map_t)))
1554 		return (EFAULT);
1555 
1556 	if (event.ec_number > MAX_KEVENTS)
1557 		return (EINVAL);
1558 
1559 	event.ec_class = kctx->auk_ets[event.ec_number];
1560 
1561 	if (copyout(&event, data, sizeof (au_evclass_map_t)))
1562 		return (EFAULT);
1563 
1564 	return (0);
1565 }
1566 
1567 static int
1568 setclass(caddr_t data)
1569 {
1570 	au_evclass_map_t event;
1571 	au_kcontext_t	*kctx;
1572 
1573 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1574 		return (EINVAL);
1575 
1576 	kctx = GET_KCTX_NGZ;
1577 
1578 	if (copyin(data, &event, sizeof (au_evclass_map_t)))
1579 		return (EFAULT);
1580 
1581 	if (event.ec_number > MAX_KEVENTS)
1582 		return (EINVAL);
1583 
1584 	kctx->auk_ets[event.ec_number] = event.ec_class;
1585 
1586 	return (0);
1587 }
1588 
1589 static int
1590 getpinfo(caddr_t data)
1591 {
1592 	STRUCT_DECL(auditpinfo, apinfo);
1593 	proc_t *proc;
1594 	const auditinfo_addr_t	*ainfo;
1595 	model_t	model;
1596 	cred_t	*cr, *newcred;
1597 
1598 	model = get_udatamodel();
1599 	STRUCT_INIT(apinfo, model);
1600 
1601 	if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1602 		return (EFAULT);
1603 
1604 	newcred = cralloc();
1605 
1606 	mutex_enter(&pidlock);
1607 	if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1608 		mutex_exit(&pidlock);
1609 		crfree(newcred);
1610 		return (ESRCH);		/* no such process */
1611 	}
1612 	mutex_enter(&proc->p_lock);	/* so process doesn't go away */
1613 	mutex_exit(&pidlock);
1614 
1615 	audit_update_context(proc, newcred);	/* make sure it's up-to-date */
1616 
1617 	mutex_enter(&proc->p_crlock);
1618 	crhold(cr = proc->p_cred);
1619 	mutex_exit(&proc->p_crlock);
1620 	mutex_exit(&proc->p_lock);
1621 
1622 	ainfo = crgetauinfo(cr);
1623 	if (ainfo == NULL) {
1624 		crfree(cr);
1625 		return (EINVAL);
1626 	}
1627 
1628 	/* designated process has an ipv6 address? */
1629 	if (ainfo->ai_termid.at_type == AU_IPv6) {
1630 		crfree(cr);
1631 		return (EOVERFLOW);
1632 	}
1633 
1634 	STRUCT_FSET(apinfo, ap_auid, ainfo->ai_auid);
1635 	STRUCT_FSET(apinfo, ap_asid, ainfo->ai_asid);
1636 #ifdef _LP64
1637 	if (model == DATAMODEL_ILP32) {
1638 		dev32_t dev;
1639 		/* convert internal 64 bit form to 32 bit version */
1640 		if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
1641 			crfree(cr);
1642 			return (EOVERFLOW);
1643 		}
1644 		STRUCT_FSET(apinfo, ap_termid.port, dev);
1645 	} else
1646 		STRUCT_FSET(apinfo, ap_termid.port, ainfo->ai_termid.at_port);
1647 #else
1648 	STRUCT_FSET(apinfo, ap_termid.port, ainfo->ai_termid.at_port);
1649 #endif
1650 	STRUCT_FSET(apinfo, ap_termid.machine, ainfo->ai_termid.at_addr[0]);
1651 	STRUCT_FSET(apinfo, ap_mask, ainfo->ai_mask);
1652 
1653 	crfree(cr);
1654 
1655 	if (copyout(STRUCT_BUF(apinfo), data, STRUCT_SIZE(apinfo)))
1656 		return (EFAULT);
1657 
1658 	return (0);
1659 }
1660 
1661 static int
1662 getpinfo_addr(caddr_t data, int len)
1663 {
1664 	STRUCT_DECL(auditpinfo_addr, apinfo);
1665 	proc_t *proc;
1666 	const auditinfo_addr_t	*ainfo;
1667 	model_t	model;
1668 	cred_t	*cr, *newcred;
1669 
1670 	model = get_udatamodel();
1671 	STRUCT_INIT(apinfo, model);
1672 
1673 	if (len < STRUCT_SIZE(apinfo))
1674 		return (EOVERFLOW);
1675 
1676 	if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1677 		return (EFAULT);
1678 
1679 	newcred = cralloc();
1680 
1681 	mutex_enter(&pidlock);
1682 	if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1683 		mutex_exit(&pidlock);
1684 		crfree(newcred);
1685 		return (ESRCH);
1686 	}
1687 	mutex_enter(&proc->p_lock);	/* so process doesn't go away */
1688 	mutex_exit(&pidlock);
1689 
1690 	audit_update_context(proc, newcred);	/* make sure it's up-to-date */
1691 
1692 	mutex_enter(&proc->p_crlock);
1693 	crhold(cr = proc->p_cred);
1694 	mutex_exit(&proc->p_crlock);
1695 	mutex_exit(&proc->p_lock);
1696 
1697 	ainfo = crgetauinfo(cr);
1698 	if (ainfo == NULL) {
1699 		crfree(cr);
1700 		return (EINVAL);
1701 	}
1702 
1703 	STRUCT_FSET(apinfo, ap_auid, ainfo->ai_auid);
1704 	STRUCT_FSET(apinfo, ap_asid, ainfo->ai_asid);
1705 #ifdef _LP64
1706 	if (model == DATAMODEL_ILP32) {
1707 		dev32_t dev;
1708 		/* convert internal 64 bit form to 32 bit version */
1709 		if (cmpldev(&dev, ainfo->ai_termid.at_port) == 0) {
1710 			crfree(cr);
1711 			return (EOVERFLOW);
1712 		}
1713 		STRUCT_FSET(apinfo, ap_termid.at_port, dev);
1714 	} else
1715 		STRUCT_FSET(apinfo, ap_termid.at_port,
1716 		    ainfo->ai_termid.at_port);
1717 #else
1718 	STRUCT_FSET(apinfo, ap_termid.at_port, ainfo->ai_termid.at_port);
1719 #endif
1720 	STRUCT_FSET(apinfo, ap_termid.at_type, ainfo->ai_termid.at_type);
1721 	STRUCT_FSET(apinfo, ap_termid.at_addr[0], ainfo->ai_termid.at_addr[0]);
1722 	STRUCT_FSET(apinfo, ap_termid.at_addr[1], ainfo->ai_termid.at_addr[1]);
1723 	STRUCT_FSET(apinfo, ap_termid.at_addr[2], ainfo->ai_termid.at_addr[2]);
1724 	STRUCT_FSET(apinfo, ap_termid.at_addr[3], ainfo->ai_termid.at_addr[3]);
1725 	STRUCT_FSET(apinfo, ap_mask, ainfo->ai_mask);
1726 
1727 	crfree(cr);
1728 
1729 	if (copyout(STRUCT_BUF(apinfo), data, STRUCT_SIZE(apinfo)))
1730 		return (EFAULT);
1731 
1732 	return (0);
1733 }
1734 
1735 static int
1736 setpmask(caddr_t data)
1737 {
1738 	STRUCT_DECL(auditpinfo, apinfo);
1739 	proc_t *proc;
1740 	cred_t	*newcred;
1741 	auditinfo_addr_t	*ainfo;
1742 	struct p_audit_data	*pad;
1743 
1744 	model_t	model;
1745 
1746 	model = get_udatamodel();
1747 	STRUCT_INIT(apinfo, model);
1748 
1749 	if (copyin(data, STRUCT_BUF(apinfo), STRUCT_SIZE(apinfo)))
1750 		return (EFAULT);
1751 
1752 	mutex_enter(&pidlock);
1753 	if ((proc = prfind(STRUCT_FGET(apinfo, ap_pid))) == NULL) {
1754 		mutex_exit(&pidlock);
1755 		return (ESRCH);
1756 	}
1757 	mutex_enter(&proc->p_lock);	/* so process doesn't go away */
1758 	mutex_exit(&pidlock);
1759 
1760 	newcred = cralloc();
1761 	if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
1762 		mutex_exit(&proc->p_lock);
1763 		crfree(newcred);
1764 		return (EINVAL);
1765 	}
1766 
1767 	mutex_enter(&proc->p_crlock);
1768 	crcopy_to(proc->p_cred, newcred);
1769 	proc->p_cred = newcred;
1770 
1771 	ainfo->ai_mask = STRUCT_FGET(apinfo, ap_mask);
1772 
1773 	/*
1774 	 * Unlock. No need to broadcast changes via set_proc_pre_sys(),
1775 	 * since t_pre_sys is ALWAYS on when audit is enabled... due to
1776 	 * syscall auditing.
1777 	 */
1778 	crfree(newcred);
1779 	mutex_exit(&proc->p_crlock);
1780 
1781 	/* Reset flag for any previous pending mask change; this supercedes */
1782 	pad = P2A(proc);
1783 	ASSERT(pad != NULL);
1784 	mutex_enter(&(pad->pad_lock));
1785 	pad->pad_flags &= ~PAD_SETMASK;
1786 	mutex_exit(&(pad->pad_lock));
1787 
1788 	mutex_exit(&proc->p_lock);
1789 
1790 	return (0);
1791 }
1792 
1793 static int
1794 getfsize(caddr_t data)
1795 {
1796 	au_fstat_t fstat;
1797 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1798 
1799 	mutex_enter(&(kctx->auk_fstat_lock));
1800 	fstat.af_filesz = kctx->auk_file_stat.af_filesz;
1801 	fstat.af_currsz = kctx->auk_file_stat.af_currsz;
1802 	mutex_exit(&(kctx->auk_fstat_lock));
1803 
1804 	if (copyout(&fstat, data, sizeof (au_fstat_t)))
1805 		return (EFAULT);
1806 
1807 	return (0);
1808 }
1809 
1810 static int
1811 setfsize(caddr_t data)
1812 {
1813 	au_fstat_t fstat;
1814 	au_kcontext_t	*kctx;
1815 
1816 	if (!(audit_policy & AUDIT_PERZONE) && !INGLOBALZONE(curproc))
1817 		return (EINVAL);
1818 
1819 	kctx = GET_KCTX_NGZ;
1820 
1821 	if (copyin(data, &fstat, sizeof (au_fstat_t)))
1822 		return (EFAULT);
1823 
1824 	if ((fstat.af_filesz != 0) && (fstat.af_filesz < AU_MIN_FILE_SZ))
1825 		return (EINVAL);
1826 
1827 	mutex_enter(&(kctx->auk_fstat_lock));
1828 	kctx->auk_file_stat.af_filesz = fstat.af_filesz;
1829 	mutex_exit(&(kctx->auk_fstat_lock));
1830 
1831 	return (0);
1832 }
1833 /*
1834  * The out of control system call
1835  * This is audit kitchen sink aka auditadm, aka auditon
1836  */
1837 static int
1838 auditctl(
1839 	int	cmd,
1840 	caddr_t data,
1841 	int	length)
1842 {
1843 	int result;
1844 
1845 	if (!audit_active)
1846 		return (EINVAL);
1847 
1848 	switch (cmd) {
1849 	case A_GETCOND:
1850 	case A_GETCAR:
1851 	case A_GETCLASS:
1852 	case A_GETCWD:
1853 	case A_GETFSIZE:
1854 	case A_GETKAUDIT:
1855 	case A_GETKMASK:
1856 	case A_GETPINFO:
1857 	case A_GETPINFO_ADDR:
1858 	case A_GETPOLICY:
1859 	case A_GETQCTRL:
1860 	case A_GETSTAT:
1861 		if (secpolicy_audit_getattr(CRED()) != 0)
1862 			return (EPERM);
1863 		break;
1864 	default:
1865 		if (secpolicy_audit_config(CRED()) != 0)
1866 			return (EPERM);
1867 		break;
1868 	}
1869 
1870 	switch (cmd) {
1871 	case A_GETPOLICY:
1872 		result = getpolicy(data);
1873 		break;
1874 	case A_SETPOLICY:
1875 		result = setpolicy(data);
1876 		break;
1877 	case A_GETKMASK:
1878 		result = getkmask(data);
1879 		break;
1880 	case A_SETKMASK:
1881 		result = setkmask(data);
1882 		break;
1883 	case A_GETKAUDIT:
1884 		result = getkaudit(data, length);
1885 		break;
1886 	case A_SETKAUDIT:
1887 		result = setkaudit(data, length);
1888 		break;
1889 	case A_GETQCTRL:
1890 		result = getqctrl(data);
1891 		break;
1892 	case A_SETQCTRL:
1893 		result = setqctrl(data);
1894 		break;
1895 	case A_GETCWD:
1896 		result = getcwd(data, length);
1897 		break;
1898 	case A_GETCAR:
1899 		result = getcar(data, length);
1900 		break;
1901 	case A_GETSTAT:
1902 		result = getstat(data);
1903 		break;
1904 	case A_SETSTAT:
1905 		result = setstat(data);
1906 		break;
1907 	case A_SETUMASK:
1908 		result = setumask(data);
1909 		break;
1910 	case A_SETSMASK:
1911 		result = setsmask(data);
1912 		break;
1913 	case A_GETCOND:
1914 		result = getcond(data);
1915 		break;
1916 	case A_SETCOND:
1917 		result = setcond(data);
1918 		break;
1919 	case A_GETCLASS:
1920 		result = getclass(data);
1921 		break;
1922 	case A_SETCLASS:
1923 		result = setclass(data);
1924 		break;
1925 	case A_GETPINFO:
1926 		result = getpinfo(data);
1927 		break;
1928 	case A_GETPINFO_ADDR:
1929 		result = getpinfo_addr(data, length);
1930 		break;
1931 	case A_SETPMASK:
1932 		result = setpmask(data);
1933 		break;
1934 	case A_SETFSIZE:
1935 		result = setfsize(data);
1936 		break;
1937 	case A_GETFSIZE:
1938 		result = getfsize(data);
1939 		break;
1940 	default:
1941 		result = EINVAL;
1942 		break;
1943 	}
1944 	return (result);
1945 }
1946 
1947 static int
1948 audit_modsysent(char *modname, int flags, int (*func)())
1949 {
1950 	struct sysent *sysp;
1951 	int sysnum;
1952 	krwlock_t *kl;
1953 
1954 	if ((sysnum = mod_getsysnum(modname)) == -1) {
1955 		cmn_err(CE_WARN, "system call missing from bind file");
1956 		return (-1);
1957 	}
1958 
1959 	kl = (krwlock_t *)kobj_zalloc(sizeof (krwlock_t), KM_SLEEP);
1960 
1961 	sysp = &sysent[sysnum];
1962 	sysp->sy_narg = auditsysent.sy_narg;
1963 #ifdef _LP64
1964 	sysp->sy_flags = (unsigned short)flags;
1965 #else
1966 	sysp->sy_flags = (unsigned char)flags;
1967 #endif
1968 	sysp->sy_call = func;
1969 	sysp->sy_lock = kl;
1970 
1971 #ifdef _SYSCALL32_IMPL
1972 	sysp = &sysent32[sysnum];
1973 	sysp->sy_narg = auditsysent.sy_narg;
1974 	sysp->sy_flags = (unsigned short)flags;
1975 	sysp->sy_call = func;
1976 	sysp->sy_lock = kl;
1977 #endif
1978 
1979 	rw_init(sysp->sy_lock, NULL, RW_DEFAULT, NULL);
1980 
1981 	return (0);
1982 }
1983