xref: /titanic_52/usr/src/uts/common/c2/audit_event.c (revision 0b1b4412cfd6c4ac5467dbe6f4088dcec4f55fe8)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * This file contains the audit event table used to control the production
29  * of audit records for each system call.
30  */
31 
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h>	/* for sysinfo auditing */
37 #include <sys/utsname.h>	/* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h>		/* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h>		/* for accept */
56 #include <sys/utssys.h>		/* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <netinet/in.h>
76 #include <sys/ddi.h>
77 #include <sys/port_impl.h>
78 
79 
80 int	au_naevent;
81 char	_depends_on[] = "fs/sockfs";
82 
83 static au_event_t	aui_open(au_event_t);
84 static au_event_t	aui_fsat(au_event_t);
85 static au_event_t	aui_msgsys(au_event_t);
86 static au_event_t	aui_shmsys(au_event_t);
87 static au_event_t	aui_semsys(au_event_t);
88 static au_event_t	aui_utssys(au_event_t);
89 static au_event_t	aui_fcntl(au_event_t);
90 static au_event_t	aui_execv(au_event_t);
91 static au_event_t	aui_execve(au_event_t);
92 static au_event_t	aui_memcntl(au_event_t);
93 static au_event_t	aui_sysinfo(au_event_t);
94 static au_event_t	aui_portfs(au_event_t);
95 static au_event_t	aui_auditsys(au_event_t);
96 static au_event_t	aui_modctl(au_event_t);
97 static au_event_t	aui_acl(au_event_t);
98 static au_event_t	aui_doorfs(au_event_t);
99 static au_event_t	aui_privsys(au_event_t);
100 static au_event_t	aui_forksys(au_event_t);
101 static au_event_t	aui_labelsys(au_event_t);
102 
103 static void	aus_open(struct t_audit_data *);
104 static void	aus_acl(struct t_audit_data *);
105 static void	aus_acct(struct t_audit_data *);
106 static void	aus_chown(struct t_audit_data *);
107 static void	aus_fchown(struct t_audit_data *);
108 static void	aus_lchown(struct t_audit_data *);
109 static void	aus_chmod(struct t_audit_data *);
110 static void	aus_facl(struct t_audit_data *);
111 static void	aus_fchmod(struct t_audit_data *);
112 static void	aus_fcntl(struct t_audit_data *);
113 static void	aus_fsat(struct t_audit_data *);
114 static void	aus_mkdir(struct t_audit_data *);
115 static void	aus_mknod(struct t_audit_data *);
116 static void	aus_mount(struct t_audit_data *);
117 static void	aus_umount(struct t_audit_data *);
118 static void	aus_umount2(struct t_audit_data *);
119 static void	aus_msgsys(struct t_audit_data *);
120 static void	aus_semsys(struct t_audit_data *);
121 static void	aus_close(struct t_audit_data *);
122 static void	aus_fstatfs(struct t_audit_data *);
123 static void	aus_setgid(struct t_audit_data *);
124 static void	aus_setuid(struct t_audit_data *);
125 static void	aus_shmsys(struct t_audit_data *);
126 static void	aus_doorfs(struct t_audit_data *);
127 static void	aus_ioctl(struct t_audit_data *);
128 static void	aus_memcntl(struct t_audit_data *);
129 static void	aus_mmap(struct t_audit_data *);
130 static void	aus_munmap(struct t_audit_data *);
131 static void	aus_priocntlsys(struct t_audit_data *);
132 static void	aus_setegid(struct t_audit_data *);
133 static void	aus_setgroups(struct t_audit_data *);
134 static void	aus_seteuid(struct t_audit_data *);
135 static void	aus_putmsg(struct t_audit_data *);
136 static void	aus_putpmsg(struct t_audit_data *);
137 static void	aus_getmsg(struct t_audit_data *);
138 static void	aus_getpmsg(struct t_audit_data *);
139 static void	aus_auditsys(struct t_audit_data *);
140 static void	aus_sysinfo(struct t_audit_data *);
141 static void	aus_modctl(struct t_audit_data *);
142 static void	aus_kill(struct t_audit_data *);
143 static void	aus_xmknod(struct t_audit_data *);
144 static void	aus_setregid(struct t_audit_data *);
145 static void	aus_setreuid(struct t_audit_data *);
146 static void	aus_labelsys(struct t_audit_data *);
147 
148 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
149 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
150 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
151 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
152 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
153 static void	auf_read(struct t_audit_data *, int, rval_t *);
154 static void	auf_write(struct t_audit_data *, int, rval_t *);
155 
156 static void	aus_sigqueue(struct t_audit_data *);
157 static void	aus_p_online(struct t_audit_data *);
158 static void	aus_processor_bind(struct t_audit_data *);
159 static void	aus_inst_sync(struct t_audit_data *);
160 static void	aus_brandsys(struct t_audit_data *);
161 
162 static void	auf_accept(struct t_audit_data *, int, rval_t *);
163 
164 static void	auf_bind(struct t_audit_data *, int, rval_t *);
165 static void	auf_connect(struct t_audit_data *, int, rval_t *);
166 static void	aus_shutdown(struct t_audit_data *);
167 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
168 static void	aus_sockconfig(struct t_audit_data *);
169 static void	auf_recv(struct t_audit_data *, int, rval_t *);
170 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
171 static void	auf_send(struct t_audit_data *, int, rval_t *);
172 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
173 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
174 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
175 static void	aus_socket(struct t_audit_data *);
176 /*
177  * This table contains mapping information for converting system call numbers
178  * to audit event IDs. In several cases it is necessary to map a single system
179  * call to several events.
180  */
181 
182 #define	aui_null	NULL	/* NULL initialize function */
183 #define	aus_null	NULL	/* NULL start function */
184 #define	auf_null	NULL	/* NULL finish function */
185 
186 struct audit_s2e audit_s2e[] =
187 {
188 /*
189  * ----------	---------- 	----------	----------
190  * INITIAL	AUDIT		START		SYSTEM
191  * PROCESSING	EVENT		PROCESSING	CALL
192  * ----------	----------	----------	-----------
193  *		FINISH		EVENT
194  *		PROCESSING	CONTROL
195  * ----------------------------------------------------------
196  */
197 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
198 		auf_null,	0,
199 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
200 		auf_null,	S2E_NPT,
201 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
202 		auf_null,	0,
203 aui_null,	AUE_READ,	aus_null,	/* 3 read */
204 		auf_read,	S2E_PUB,
205 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
206 		auf_write,	0,
207 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
208 		auf_null,	S2E_SP,
209 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
210 		auf_null,	0,
211 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
212 		auf_null,	0,
213 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
214 		auf_null,	S2E_SP,
215 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
216 		auf_null,	0,
217 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
218 		auf_null,	0,
219 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
220 		auf_null,	S2E_MLD,
221 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
222 		auf_null,	S2E_SP,
223 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
224 		auf_null,	0,
225 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
226 		auf_mknod,	0,
227 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
228 		auf_null,	0,
229 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
230 		auf_null,	0,
231 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
232 		auf_null,	0,
233 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
234 		auf_null,	S2E_PUB,
235 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
236 		auf_null,	0,
237 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
238 		auf_null,	0,
239 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
240 		auf_null,	S2E_MLD,
241 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
242 		auf_null,	0,
243 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
244 		auf_null,	0,
245 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
246 		auf_null,	0,
247 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
248 		auf_null,	0,
249 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
250 		auf_null,	0,
251 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
254 		auf_null,	0,
255 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
256 		auf_null,	0,
257 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
262 		auf_null,	0,
263 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
264 		auf_null,	S2E_PUB,
265 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
266 		auf_null,	0,
267 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
268 		auf_null,	S2E_PUB,
269 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
270 		auf_null,	0,
271 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
272 		auf_null,	0,
273 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
274 		auf_null,	S2E_PUB,
275 aui_null,	AUE_SETPGRP,	aus_null,	/* 39 setpgrp */
276 		auf_null,	0,
277 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
278 		auf_null,	0,
279 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
280 		auf_null,	0,
281 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
282 		auf_null,	0,
283 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
288 						/*	was proc lock */
289 		auf_null,	0,
290 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
291 		auf_null,	0,
292 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
293 		auf_null,	0,
294 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
295 		auf_null,	0,
296 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
297 		auf_msgsys,	0,
298 #if defined(__x86)
299 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
300 		auf_null,	0,
301 #else
302 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
303 		auf_null,	0,
304 #endif /* __x86 */
305 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
306 		auf_null,	0,
307 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
308 		auf_shmsys,	0,
309 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
310 		auf_semsys,	0,
311 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
312 		auf_null,	0,
313 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
314 		auf_null,	0,
315 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
316 		auf_null,	0,
317 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
318 		auf_null,	0,
319 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
320 		auf_null,	0,
321 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
322 		auf_null,	S2E_MLD,
323 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
324 		auf_null,	0,
325 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
326 		auf_null,	S2E_SP,
327 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
328 		auf_null,	0,
329 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
330 		auf_null,	0,
331 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
332 		auf_null,	0,
333 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
334 		auf_null,	0,
335 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
336 		auf_null,	0,
337 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
338 						/*	file locking call */
339 		auf_null,	0,
340 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
341 						/*	local system calls */
342 		auf_null,	0,
343 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
344 		auf_null,	0,
345 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
346 		auf_null,	0,
347 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
348 		auf_null,	0,
349 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
350 		auf_null,	0,
351 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
352 		auf_null,	0,
353 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
354 		auf_null,	0,
355 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
356 						/*	was sigret (SunOS) */
357 		auf_null,	0,
358 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
361 		auf_null,	0,
362 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
363 		auf_null,	0,
364 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
365 		auf_null,	0,
366 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
367 		auf_null,	0,
368 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
369 		auf_null,	0,
370 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
371 						/*	was libattach */
372 		auf_null,	0,
373 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
374 						/*	was libdetach */
375 		auf_null,	0,
376 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
377 		auf_null,	0,
378 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
379 		auf_null,	0,
380 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
381 		auf_null,	0,
382 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
383 		auf_null,	0,
384 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
385 		auf_null,	S2E_PUB,
386 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
387 		auf_null,	0,
388 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
389 		auf_null,	S2E_PUB,
390 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
391 		auf_null,	0,
392 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
393 		auf_null,	0,
394 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
395 		auf_null,	0,
396 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
397 		auf_null,	0,
398 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
409 		auf_null,	0,
410 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
411 		auf_null,	0,
412 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
413 						/*	was evtrapret */
414 		auf_null,	0,
415 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
416 		auf_null,	S2E_PUB,
417 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
418 		auf_null,	0,
419 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
420 		auf_null,	0,
421 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
422 		auf_null,	0,
423 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
424 		auf_null,	0,
425 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
426 		auf_null,	0,
427 #if defined(__x86)
428 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
429 		auf_null,	0,
430 #else
431 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
432 		auf_null,	0,
433 #endif /* __x86 */
434 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
435 		auf_null,	0,
436 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
437 		auf_null,	0,
438 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
439 		auf_null,	0,		/* 112 priocntlsys */
440 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
441 		auf_null,	S2E_PUB,
442 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
443 		auf_null,	0,
444 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
445 		auf_null,	0,
446 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
447 		auf_null,	0,
448 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
449 		auf_null,	0,
450 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
451 		auf_null,	0,
452 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
453 		auf_null,	0,
454 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
455 		auf_null,	0,
456 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
457 		auf_read,	S2E_PUB,
458 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
459 		auf_write,	0,
460 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
461 		auf_null,	S2E_PUB,
462 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
463 		auf_null,	S2E_PUB,
464 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
465 		auf_null,	0,
466 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
467 		auf_xmknod,	0,
468 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
469 		auf_null,	0,
470 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
471 		auf_null,	0,
472 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
473 		auf_null,	0,
474 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
475 		auf_null,	0,
476 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
477 		auf_null,	0,
478 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
479 		auf_null,	0,
480 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
481 		auf_null,	0,
482 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
483 		auf_null,	0,
484 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
485 		auf_null,	0,
486 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
487 		auf_null,	0,
488 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
489 		auf_null,	0,
490 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
491 		auf_null,	0,
492 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
493 		auf_null,	0,
494 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
495 		auf_null,	0,
496 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
497 		auf_null,	0,
498 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
499 		auf_null,	0,
500 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
501 		auf_null,	0,
502 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
503 		auf_null,	0,
504 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
505 		auf_null,	0,
506 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
515 		auf_null,	0,
516 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
517 		auf_null,	0,
518 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
519 		auf_null,	0,
520 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
521 		auf_null,	0,
522 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
545 						/*	was lwp_setprivate */
546 		auf_null,	0,
547 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
548 						/*	was lwp_getprivate */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
551 		auf_null,	0,
552 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
553 		auf_null,	0,
554 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
555 		auf_null,	0,
556 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
557 		auf_null,	0,
558 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
559 		auf_null,	0,
560 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
561 		auf_null,	0,
562 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
563 		auf_read,	S2E_PUB,
564 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
565 		auf_write,	0,
566 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
567 		auf_null,	0,
568 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
569 						/* aus_inst_sync */
570 		auf_null,	0,
571 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
576 		auf_null,	0,
577 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
578 		auf_null,	0,
579 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
580 		auf_null,	0,
581 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
582 		auf_null,	0,
583 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
584 		auf_null,	0,
585 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
586 		auf_null,	0,
587 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
588 		auf_null,	0,
589 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
590 		auf_null,	0,
591 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
592 		auf_null,	0,		/* 187 processor_bind */
593 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
594 		auf_null,	0,
595 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
596 		auf_null,	0,
597 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
600 		auf_null,	0,
601 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
612 		auf_null,	0,
613 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
614 		auf_null,	0,
615 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
616 		auf_null,	0,
617 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
618 		auf_null,	0,
619 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
620 		auf_null,	0,
621 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
622 		auf_null,	0,
623 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
640 		auf_null,	0,
641 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
642 		auf_null,	0,
643 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
644 		auf_null,	0,
645 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
646 		auf_null,	0,
647 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
648 		auf_null,	S2E_PUB,
649 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
650 		auf_null,	S2E_PUB,
651 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
652 		auf_null,	0,
653 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
654 		auf_null,	S2E_PUB,
655 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
656 		auf_null,	0,
657 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
658 		auf_null,	0,
659 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
660 		auf_null,	0,
661 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
662 		auf_read,	S2E_PUB,
663 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
664 		auf_write,	0,
665 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
666 		auf_null,	S2E_SP,
667 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
668 		auf_null,	S2E_SP,
669 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
670 		auf_null,	0,
671 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
674 		auf_null,	0,
675 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
676 		auf_null,	0,
677 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
678 		auf_null,	0,
679 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
680 		auf_null,	0,
681 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
682 		auf_bind,	0,
683 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
684 		auf_null,	0,
685 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
686 		auf_accept,	0,
687 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
688 		auf_connect,	0,
689 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
690 		auf_null,	0,
691 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
692 		auf_recv,	0,
693 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
694 		auf_recvfrom,	0,
695 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
696 		auf_recvmsg,	0,
697 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
698 		auf_send,	0,
699 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
700 		auf_sendmsg,	0,
701 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
702 		auf_sendto,	0,
703 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
704 		auf_null,	0,
705 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
706 		auf_null,	0,
707 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
708 		auf_null,	0,
709 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
710 		auf_setsockopt,	0,
711 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
712 		auf_null,	0,
713 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
714 		auf_null,	0,
715 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
722 		auf_null,	0,
723 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
724 		auf_null,	0,
725 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
726 		auf_null,	0,
727 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
728 		auf_null,	0
729 };
730 
731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
732 
733 
734 /* acct start function */
735 /*ARGSUSED*/
736 static void
737 aus_acct(struct t_audit_data *tad)
738 {
739 	klwp_t *clwp = ttolwp(curthread);
740 	uintptr_t fname;
741 
742 	struct a {
743 		long	fname;		/* char * */
744 	} *uap = (struct a *)clwp->lwp_ap;
745 
746 	fname = (uintptr_t)uap->fname;
747 
748 	if (fname == 0)
749 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
750 }
751 
752 /* chown start function */
753 /*ARGSUSED*/
754 static void
755 aus_chown(struct t_audit_data *tad)
756 {
757 	klwp_t *clwp = ttolwp(curthread);
758 	uint32_t uid, gid;
759 
760 	struct a {
761 		long	fname;		/* char * */
762 		long	uid;
763 		long	gid;
764 	} *uap = (struct a *)clwp->lwp_ap;
765 
766 	uid = (uint32_t)uap->uid;
767 	gid = (uint32_t)uap->gid;
768 
769 	au_uwrite(au_to_arg32(2, "new file uid", uid));
770 	au_uwrite(au_to_arg32(3, "new file gid", gid));
771 }
772 
773 /* fchown start function */
774 /*ARGSUSED*/
775 static void
776 aus_fchown(struct t_audit_data *tad)
777 {
778 	klwp_t *clwp = ttolwp(curthread);
779 	uint32_t uid, gid, fd;
780 	struct file  *fp;
781 	struct vnode *vp;
782 	struct f_audit_data *fad;
783 
784 	struct a {
785 		long fd;
786 		long uid;
787 		long gid;
788 	} *uap = (struct a *)clwp->lwp_ap;
789 
790 	fd  = (uint32_t)uap->fd;
791 	uid = (uint32_t)uap->uid;
792 	gid = (uint32_t)uap->gid;
793 
794 	au_uwrite(au_to_arg32(2, "new file uid", uid));
795 	au_uwrite(au_to_arg32(3, "new file gid", gid));
796 
797 		/*
798 		 * convert file pointer to file descriptor
799 		 *   Note: fd ref count incremented here.
800 		 */
801 	if ((fp = getf(fd)) == NULL)
802 		return;
803 
804 	/* get path from file struct here */
805 	fad = F2A(fp);
806 	if (fad->fad_aupath != NULL) {
807 		au_uwrite(au_to_path(fad->fad_aupath));
808 	} else {
809 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
810 	}
811 
812 	vp = fp->f_vnode;
813 	audit_attributes(vp);
814 
815 	/* decrement file descriptor reference count */
816 	releasef(fd);
817 }
818 
819 /*ARGSUSED*/
820 static void
821 aus_lchown(struct t_audit_data *tad)
822 {
823 	klwp_t *clwp = ttolwp(curthread);
824 	uint32_t uid, gid;
825 
826 
827 	struct a {
828 		long	fname;		/* char	* */
829 		long	uid;
830 		long	gid;
831 	} *uap = (struct a *)clwp->lwp_ap;
832 
833 	uid = (uint32_t)uap->uid;
834 	gid = (uint32_t)uap->gid;
835 
836 	au_uwrite(au_to_arg32(2, "new file uid", uid));
837 	au_uwrite(au_to_arg32(3, "new file gid", gid));
838 }
839 
840 /* chmod start function */
841 /*ARGSUSED*/
842 static void
843 aus_chmod(struct t_audit_data *tad)
844 {
845 	klwp_t *clwp = ttolwp(curthread);
846 	uint32_t fmode;
847 
848 	struct a {
849 		long	fname;		/* char	* */
850 		long	fmode;
851 	} *uap = (struct a *)clwp->lwp_ap;
852 
853 	fmode = (uint32_t)uap->fmode;
854 
855 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
856 }
857 
858 /* chmod start function */
859 /*ARGSUSED*/
860 static void
861 aus_fchmod(struct t_audit_data *tad)
862 {
863 	klwp_t *clwp = ttolwp(curthread);
864 	uint32_t fmode, fd;
865 	struct file  *fp;
866 	struct vnode *vp;
867 	struct f_audit_data *fad;
868 
869 	struct a {
870 		long	fd;
871 		long	fmode;
872 	} *uap = (struct a *)clwp->lwp_ap;
873 
874 	fd = (uint32_t)uap->fd;
875 	fmode = (uint32_t)uap->fmode;
876 
877 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
878 
879 		/*
880 		 * convert file pointer to file descriptor
881 		 *   Note: fd ref count incremented here.
882 		 */
883 	if ((fp = getf(fd)) == NULL)
884 		return;
885 
886 		/* get path from file struct here */
887 	fad = F2A(fp);
888 	if (fad->fad_aupath != NULL) {
889 		au_uwrite(au_to_path(fad->fad_aupath));
890 	} else {
891 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
892 	}
893 
894 	vp = fp->f_vnode;
895 	audit_attributes(vp);
896 
897 	/* decrement file descriptor reference count */
898 	releasef(fd);
899 }
900 
901 
902 /* convert open to appropriate event */
903 static au_event_t
904 aui_open(au_event_t e)
905 {
906 	klwp_t *clwp = ttolwp(curthread);
907 	uint_t fm;
908 
909 	struct a {
910 		long	fnamep;		/* char	* */
911 		long	fmode;
912 		long	cmode;
913 	} *uap = (struct a *)clwp->lwp_ap;
914 
915 	fm = (uint_t)uap->fmode;
916 
917 	if (fm & O_WRONLY)
918 		e = AUE_OPEN_W;
919 	else if (fm & O_RDWR)
920 		e = AUE_OPEN_RW;
921 	else
922 		e = AUE_OPEN_R;
923 
924 	if (fm & O_CREAT)
925 		e += 1;
926 	if (fm & O_TRUNC)
927 		e += 2;
928 
929 	return (e);
930 }
931 
932 /*ARGSUSED*/
933 static void
934 aus_open(struct t_audit_data *tad)
935 {
936 	klwp_t *clwp = ttolwp(curthread);
937 	uint_t fm;
938 
939 	struct a {
940 		long	fnamep;		/* char	* */
941 		long	fmode;
942 		long	cmode;
943 	} *uap = (struct a *)clwp->lwp_ap;
944 
945 	fm = (uint_t)uap->fmode;
946 
947 	/* If no write, create, or trunc modes, mark as a public op */
948 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
949 		tad->tad_ctrl |= PAD_PUBLIC_EV;
950 }
951 
952 /* convert openat(2) to appropriate event */
953 static au_event_t
954 aui_fsat(au_event_t e)
955 {
956 	t_audit_data_t	*tad = U2A(u);
957 	klwp_t *clwp = ttolwp(curthread);
958 	uint_t fmcode, fm;
959 	struct a {
960 		long id;
961 		long arg1;
962 		long arg2;
963 		long arg3;
964 		long arg4;
965 		long arg5;
966 	} *uap = (struct a *)clwp->lwp_ap;
967 
968 	fmcode  = (uint_t)uap->id;
969 
970 	switch (fmcode) {
971 
972 	case 0: /* openat */
973 	case 1: /* openat64 */
974 		fm = (uint_t)uap->arg3;
975 		if (fm & O_WRONLY)
976 			e = AUE_OPENAT_W;
977 		else if (fm & O_RDWR)
978 			e = AUE_OPENAT_RW;
979 		else
980 			e = AUE_OPENAT_R;
981 
982 		/*
983 		 * openat modes are defined in the following order:
984 		 * Read only
985 		 * Read|Create
986 		 * Read|Trunc
987 		 * Read|Create|Trunc
988 		 * Write Only
989 		 * Write|Create
990 		 * Write|Trunc
991 		 * Write|Create|Trunc * RW Only
992 		 * RW|Create
993 		 * RW|Trunc
994 		 * RW|Create|Trunc
995 		 */
996 		if (fm & O_CREAT)
997 			e += 1;		/* increment to include CREAT in mode */
998 		if (fm & O_TRUNC)
999 			e += 2;		/* increment to include TRUNC in mode */
1000 
1001 		/* convert to appropriate au_ctrl */
1002 		tad->tad_ctrl |= PAD_SAVPATH;
1003 		if (fm & FXATTR)
1004 			tad->tad_ctrl |= PAD_ATPATH;
1005 
1006 
1007 		break;
1008 	case 2: /* fstatat64 */
1009 	case 3: /* fstatat */
1010 		e = AUE_FSTATAT;
1011 		break;
1012 	case 4: /* fchownat */
1013 		e = AUE_FCHOWNAT;
1014 		break;
1015 	case 5: /* unlinkat */
1016 		e = AUE_UNLINKAT;
1017 		break;
1018 	case 6: /* futimesat */
1019 		e = AUE_FUTIMESAT;
1020 		break;
1021 	case 7: /* renameat */
1022 		e = AUE_RENAMEAT;
1023 		break;
1024 	case 9: /* __openattrdirat */
1025 		tad->tad_ctrl |= PAD_SAVPATH;
1026 		/*FALLTHROUGH*/
1027 	default:
1028 		e = AUE_NULL;
1029 		break;
1030 	}
1031 
1032 	return (e);
1033 }
1034 
1035 /*ARGSUSED*/
1036 static void
1037 aus_fsat(struct t_audit_data *tad)
1038 {
1039 	klwp_t *clwp = ttolwp(curthread);
1040 	uint_t fmcode, fm;
1041 	struct a {
1042 		long id;
1043 		long arg1;
1044 		long arg2;
1045 		long arg3;
1046 		long arg4;
1047 		long arg5;
1048 	} *uap = (struct a *)clwp->lwp_ap;
1049 
1050 	fmcode  = (uint_t)uap->id;
1051 
1052 	switch (fmcode) {
1053 
1054 	case 0: /* openat */
1055 	case 1: /* openat64 */
1056 		fm = (uint_t)uap->arg3;
1057 		/* If no write, create, or trunc modes, mark as a public op */
1058 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1059 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1060 
1061 		break;
1062 	case 2: /* fstatat64 */
1063 	case 3: /* fstatat */
1064 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1065 		break;
1066 	default:
1067 		break;
1068 	}
1069 }
1070 
1071 /* msgsys */
1072 static au_event_t
1073 aui_msgsys(au_event_t e)
1074 {
1075 	klwp_t *clwp = ttolwp(curthread);
1076 	uint_t fm;
1077 
1078 	struct a {
1079 		long	id;	/* function code id */
1080 		long	ap;	/* arg pointer for recvmsg */
1081 	} *uap = (struct a *)clwp->lwp_ap;
1082 
1083 	struct b {
1084 		long	msgid;
1085 		long	cmd;
1086 		long	buf;	/* struct msqid_ds * */
1087 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1088 
1089 	fm  = (uint_t)uap->id;
1090 
1091 	switch (fm) {
1092 	case 0:		/* msgget */
1093 		e = AUE_MSGGET;
1094 		break;
1095 	case 1:		/* msgctl */
1096 		switch ((uint_t)uap1->cmd) {
1097 		case IPC_RMID:
1098 			e = AUE_MSGCTL_RMID;
1099 			break;
1100 		case IPC_SET:
1101 			e = AUE_MSGCTL_SET;
1102 			break;
1103 		case IPC_STAT:
1104 			e = AUE_MSGCTL_STAT;
1105 			break;
1106 		default:
1107 			e = AUE_MSGCTL;
1108 			break;
1109 		}
1110 		break;
1111 	case 2:		/* msgrcv */
1112 		e = AUE_MSGRCV;
1113 		break;
1114 	case 3:		/* msgsnd */
1115 		e = AUE_MSGSND;
1116 		break;
1117 	default:	/* illegal system call */
1118 		e = AUE_NULL;
1119 		break;
1120 	}
1121 
1122 	return (e);
1123 }
1124 
1125 
1126 /* shmsys */
1127 static au_event_t
1128 aui_shmsys(au_event_t e)
1129 {
1130 	klwp_t *clwp = ttolwp(curthread);
1131 	int fm;
1132 
1133 	struct a {		/* shmsys */
1134 		long	id;	/* function code id */
1135 	} *uap = (struct a *)clwp->lwp_ap;
1136 
1137 	struct b {		/* ctrl */
1138 		long	shmid;
1139 		long	cmd;
1140 		long	arg;		/* struct shmid_ds * */
1141 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1142 	fm  = (uint_t)uap->id;
1143 
1144 	switch (fm) {
1145 	case 0:		/* shmat */
1146 		e = AUE_SHMAT;
1147 		break;
1148 	case 1:		/* shmctl */
1149 		switch ((uint_t)uap1->cmd) {
1150 		case IPC_RMID:
1151 			e = AUE_SHMCTL_RMID;
1152 			break;
1153 		case IPC_SET:
1154 			e = AUE_SHMCTL_SET;
1155 			break;
1156 		case IPC_STAT:
1157 			e = AUE_SHMCTL_STAT;
1158 			break;
1159 		default:
1160 			e = AUE_SHMCTL;
1161 			break;
1162 		}
1163 		break;
1164 	case 2:		/* shmdt */
1165 		e = AUE_SHMDT;
1166 		break;
1167 	case 3:		/* shmget */
1168 		e = AUE_SHMGET;
1169 		break;
1170 	default:	/* illegal system call */
1171 		e = AUE_NULL;
1172 		break;
1173 	}
1174 
1175 	return (e);
1176 }
1177 
1178 
1179 /* semsys */
1180 static au_event_t
1181 aui_semsys(au_event_t e)
1182 {
1183 	klwp_t *clwp = ttolwp(curthread);
1184 	uint_t fm;
1185 
1186 	struct a {		/* semsys */
1187 		long	id;
1188 	} *uap = (struct a *)clwp->lwp_ap;
1189 
1190 	struct b {		/* ctrl */
1191 		long	semid;
1192 		long	semnum;
1193 		long	cmd;
1194 		long	arg;
1195 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1196 
1197 	fm = (uint_t)uap->id;
1198 
1199 	switch (fm) {
1200 	case 0:		/* semctl */
1201 		switch ((uint_t)uap1->cmd) {
1202 		case IPC_RMID:
1203 			e = AUE_SEMCTL_RMID;
1204 			break;
1205 		case IPC_SET:
1206 			e = AUE_SEMCTL_SET;
1207 			break;
1208 		case IPC_STAT:
1209 			e = AUE_SEMCTL_STAT;
1210 			break;
1211 		case GETNCNT:
1212 			e = AUE_SEMCTL_GETNCNT;
1213 			break;
1214 		case GETPID:
1215 			e = AUE_SEMCTL_GETPID;
1216 			break;
1217 		case GETVAL:
1218 			e = AUE_SEMCTL_GETVAL;
1219 			break;
1220 		case GETALL:
1221 			e = AUE_SEMCTL_GETALL;
1222 			break;
1223 		case GETZCNT:
1224 			e = AUE_SEMCTL_GETZCNT;
1225 			break;
1226 		case SETVAL:
1227 			e = AUE_SEMCTL_SETVAL;
1228 			break;
1229 		case SETALL:
1230 			e = AUE_SEMCTL_SETALL;
1231 			break;
1232 		default:
1233 			e = AUE_SEMCTL;
1234 			break;
1235 		}
1236 		break;
1237 	case 1:		/* semget */
1238 		e = AUE_SEMGET;
1239 		break;
1240 	case 2:		/* semop */
1241 		e = AUE_SEMOP;
1242 		break;
1243 	default:	/* illegal system call */
1244 		e = AUE_NULL;
1245 		break;
1246 	}
1247 
1248 	return (e);
1249 }
1250 
1251 /* utssys - uname(2), ustat(2), fusers(2) */
1252 static au_event_t
1253 aui_utssys(au_event_t e)
1254 {
1255 	klwp_t *clwp = ttolwp(curthread);
1256 	uint_t type;
1257 
1258 	struct a {
1259 		union {
1260 			long	cbuf;		/* char * */
1261 			long	ubuf;		/* struct stat * */
1262 		} ub;
1263 		union {
1264 			long	mv;	/* for USTAT */
1265 			long	flags;	/* for FUSERS */
1266 		} un;
1267 		long	type;
1268 		long	outbp;		/* char * for FUSERS */
1269 	} *uap = (struct a *)clwp->lwp_ap;
1270 
1271 	type = (uint_t)uap->type;
1272 
1273 	if (type == UTS_FUSERS)
1274 		return (e);
1275 	else
1276 		return ((au_event_t)AUE_NULL);
1277 }
1278 
1279 static au_event_t
1280 aui_fcntl(au_event_t e)
1281 {
1282 	klwp_t *clwp = ttolwp(curthread);
1283 	uint_t cmd;
1284 
1285 	struct a {
1286 		long	fdes;
1287 		long	cmd;
1288 		long	arg;
1289 	} *uap = (struct a *)clwp->lwp_ap;
1290 
1291 	cmd = (uint_t)uap->cmd;
1292 
1293 	switch (cmd) {
1294 	case F_GETLK:
1295 	case F_SETLK:
1296 	case F_SETLKW:
1297 		break;
1298 	case F_SETFL:
1299 	case F_GETFL:
1300 	case F_GETFD:
1301 		break;
1302 	default:
1303 		e = (au_event_t)AUE_NULL;
1304 		break;
1305 	}
1306 	return ((au_event_t)e);
1307 }
1308 
1309 /* null function for now */
1310 static au_event_t
1311 aui_execv(au_event_t e)
1312 {
1313 	return (e);
1314 }
1315 
1316 /* null function for now */
1317 static au_event_t
1318 aui_execve(au_event_t e)
1319 {
1320 	return (e);
1321 }
1322 
1323 /*ARGSUSED*/
1324 static void
1325 aus_fcntl(struct t_audit_data *tad)
1326 {
1327 	klwp_t *clwp = ttolwp(curthread);
1328 	uint32_t cmd, fd;
1329 	struct file  *fp;
1330 	struct vnode *vp;
1331 	struct f_audit_data *fad;
1332 
1333 	struct a {
1334 		long	fd;
1335 		long	cmd;
1336 		long	arg;
1337 	} *uap = (struct a *)clwp->lwp_ap;
1338 
1339 	cmd = (uint32_t)uap->cmd;
1340 	fd  = (uint32_t)uap->fd;
1341 
1342 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1343 
1344 		/*
1345 		 * convert file pointer to file descriptor
1346 		 *   Note: fd ref count incremented here.
1347 		 */
1348 	if ((fp = getf(fd)) == NULL)
1349 		return;
1350 
1351 	/* get path from file struct here */
1352 	fad = F2A(fp);
1353 	if (fad->fad_aupath != NULL) {
1354 		au_uwrite(au_to_path(fad->fad_aupath));
1355 	} else {
1356 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1357 	}
1358 
1359 	vp = fp->f_vnode;
1360 	audit_attributes(vp);
1361 
1362 	/* decrement file descriptor reference count */
1363 	releasef(fd);
1364 }
1365 
1366 /*ARGSUSED*/
1367 static void
1368 aus_kill(struct t_audit_data *tad)
1369 {
1370 	klwp_t *clwp = ttolwp(curthread);
1371 	struct proc *p;
1372 	uint32_t signo;
1373 	uid_t uid, ruid;
1374 	gid_t gid, rgid;
1375 	pid_t pid;
1376 	const auditinfo_addr_t *ainfo;
1377 	cred_t *cr;
1378 
1379 	struct a {
1380 		long	pid;
1381 		long	signo;
1382 	} *uap = (struct a *)clwp->lwp_ap;
1383 
1384 	pid   = (pid_t)uap->pid;
1385 	signo = (uint32_t)uap->signo;
1386 
1387 	au_uwrite(au_to_arg32(2, "signal", signo));
1388 	if (pid > 0) {
1389 		mutex_enter(&pidlock);
1390 		if (((p = prfind(pid)) == (struct proc *)0) ||
1391 		    (p->p_stat == SIDL)) {
1392 			mutex_exit(&pidlock);
1393 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1394 			return;
1395 		}
1396 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1397 		mutex_exit(&pidlock);
1398 
1399 		mutex_enter(&p->p_crlock);
1400 		crhold(cr = p->p_cred);
1401 		mutex_exit(&p->p_crlock);
1402 		mutex_exit(&p->p_lock);
1403 
1404 		ainfo = crgetauinfo(cr);
1405 		if (ainfo == NULL) {
1406 			crfree(cr);
1407 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1408 			return;
1409 		}
1410 
1411 		uid  = crgetuid(cr);
1412 		gid  = crgetgid(cr);
1413 		ruid = crgetruid(cr);
1414 		rgid = crgetrgid(cr);
1415 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1416 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1417 
1418 		if (is_system_labeled())
1419 			au_uwrite(au_to_label(CR_SL(cr)));
1420 
1421 		crfree(cr);
1422 	}
1423 	else
1424 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1425 }
1426 
1427 /*ARGSUSED*/
1428 static void
1429 aus_mkdir(struct t_audit_data *tad)
1430 {
1431 	klwp_t *clwp = ttolwp(curthread);
1432 	uint32_t dmode;
1433 
1434 	struct a {
1435 		long	dirnamep;		/* char * */
1436 		long	dmode;
1437 	} *uap = (struct a *)clwp->lwp_ap;
1438 
1439 	dmode = (uint32_t)uap->dmode;
1440 
1441 	au_uwrite(au_to_arg32(2, "mode", dmode));
1442 }
1443 
1444 /*ARGSUSED*/
1445 static void
1446 aus_mknod(struct t_audit_data *tad)
1447 {
1448 	klwp_t *clwp = ttolwp(curthread);
1449 	uint32_t fmode;
1450 	dev_t dev;
1451 
1452 	struct a {
1453 		long	pnamep;		/* char * */
1454 		long	fmode;
1455 		long	dev;
1456 	} *uap = (struct a *)clwp->lwp_ap;
1457 
1458 	fmode = (uint32_t)uap->fmode;
1459 	dev   = (dev_t)uap->dev;
1460 
1461 	au_uwrite(au_to_arg32(2, "mode", fmode));
1462 #ifdef _LP64
1463 	au_uwrite(au_to_arg64(3, "dev", dev));
1464 #else
1465 	au_uwrite(au_to_arg32(3, "dev", dev));
1466 #endif
1467 }
1468 
1469 /*ARGSUSED*/
1470 static void
1471 aus_xmknod(struct t_audit_data *tad)
1472 {
1473 	klwp_t *clwp = ttolwp(curthread);
1474 	uint32_t fmode;
1475 	dev_t dev;
1476 
1477 	struct a {
1478 		long	version;	/* version */
1479 		long	pnamep;		/* char * */
1480 		long	fmode;
1481 		long	dev;
1482 	} *uap = (struct a *)clwp->lwp_ap;
1483 
1484 	fmode = (uint32_t)uap->fmode;
1485 	dev   = (dev_t)uap->dev;
1486 
1487 	au_uwrite(au_to_arg32(2, "mode", fmode));
1488 #ifdef _LP64
1489 	au_uwrite(au_to_arg64(3, "dev", dev));
1490 #else
1491 	au_uwrite(au_to_arg32(3, "dev", dev));
1492 #endif
1493 }
1494 
1495 /*ARGSUSED*/
1496 static void
1497 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1498 {
1499 	klwp_t *clwp = ttolwp(curthread);
1500 	vnode_t	*dvp;
1501 	caddr_t pnamep;
1502 
1503 	struct a {
1504 		long	pnamep;		/* char * */
1505 		long	fmode;
1506 		long	dev;
1507 	} *uap = (struct a *)clwp->lwp_ap;
1508 
1509 	/* no error, then already path token in audit record */
1510 	if (error != EPERM)
1511 		return;
1512 
1513 	/* not auditing this event, nothing then to do */
1514 	if (tad->tad_flag == 0)
1515 		return;
1516 
1517 	/* do the lookup to force generation of path token */
1518 	pnamep = (caddr_t)uap->pnamep;
1519 	tad->tad_ctrl |= PAD_NOATTRB;
1520 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1521 	if (error == 0)
1522 		VN_RELE(dvp);
1523 }
1524 
1525 /*ARGSUSED*/
1526 static void
1527 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1528 {
1529 	klwp_t *clwp = ttolwp(curthread);
1530 	vnode_t	*dvp;
1531 	caddr_t pnamep;
1532 
1533 	struct a {
1534 		long	version;	/* version */
1535 		long	pnamep;		/* char * */
1536 		long	fmode;
1537 		long	dev;
1538 	} *uap = (struct a *)clwp->lwp_arg;
1539 
1540 
1541 	/* no error, then already path token in audit record */
1542 	if (error != EPERM)
1543 		return;
1544 
1545 	/* not auditing this event, nothing then to do */
1546 	if (tad->tad_flag == 0)
1547 		return;
1548 
1549 	/* do the lookup to force generation of path token */
1550 	pnamep = (caddr_t)uap->pnamep;
1551 	tad->tad_ctrl |= PAD_NOATTRB;
1552 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1553 	if (error == 0)
1554 		VN_RELE(dvp);
1555 }
1556 
1557 /*ARGSUSED*/
1558 static void
1559 aus_mount(struct t_audit_data *tad)
1560 {	/* AUS_START */
1561 	klwp_t *clwp = ttolwp(curthread);
1562 	uint32_t flags;
1563 	uintptr_t u_fstype, dataptr;
1564 	STRUCT_DECL(nfs_args, nfsargs);
1565 	size_t len;
1566 	char *fstype, *hostname;
1567 
1568 	struct a {
1569 		long	spec;		/* char    * */
1570 		long	dir;		/* char    * */
1571 		long	flags;
1572 		long	fstype;		/* char    * */
1573 		long	dataptr;	/* char    * */
1574 		long	datalen;
1575 	} *uap = (struct a *)clwp->lwp_ap;
1576 
1577 	u_fstype = (uintptr_t)uap->fstype;
1578 	flags    = (uint32_t)uap->flags;
1579 	dataptr  = (uintptr_t)uap->dataptr;
1580 
1581 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1582 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1583 		goto mount_free_fstype;
1584 
1585 	au_uwrite(au_to_arg32(3, "flags", flags));
1586 	au_uwrite(au_to_text(fstype));
1587 
1588 	if (strncmp(fstype, "nfs", 3) == 0) {
1589 
1590 		STRUCT_INIT(nfsargs, get_udatamodel());
1591 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1592 
1593 		if (copyin((caddr_t)dataptr,
1594 				STRUCT_BUF(nfsargs),
1595 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1596 			/* DEBUG debug_enter((char *)NULL); */
1597 			goto mount_free_fstype;
1598 		}
1599 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1600 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1601 				(caddr_t)hostname,
1602 				MAXNAMELEN, &len)) {
1603 			goto mount_free_hostname;
1604 		}
1605 		au_uwrite(au_to_text(hostname));
1606 		au_uwrite(au_to_arg32(3, "internal flags",
1607 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1608 
1609 mount_free_hostname:
1610 		kmem_free(hostname, MAXNAMELEN);
1611 	}
1612 
1613 mount_free_fstype:
1614 	kmem_free(fstype, MAXNAMELEN);
1615 }	/* AUS_MOUNT */
1616 
1617 static void
1618 aus_umount_path(caddr_t umount_dir)
1619 {
1620 	char			*dir_path;
1621 	struct audit_path	*path;
1622 	size_t			path_len, dir_len;
1623 
1624 	/* length alloc'd for two string pointers */
1625 	path_len = sizeof (struct audit_path) + sizeof (char *);
1626 	path = kmem_alloc(path_len, KM_SLEEP);
1627 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1628 
1629 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1630 	    MAXPATHLEN, &dir_len))
1631 		goto umount2_free_dir;
1632 
1633 	/*
1634 	 * the audit_path struct assumes that the buffer pointed to
1635 	 * by audp_sect[n] contains string 0 immediatedly followed
1636 	 * by string 1.
1637 	 */
1638 	path->audp_sect[0] = dir_path;
1639 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1640 	path->audp_size = path_len;
1641 	path->audp_ref = 1;		/* not used */
1642 	path->audp_cnt = 1;		/* one path string */
1643 
1644 	au_uwrite(au_to_path(path));
1645 
1646 umount2_free_dir:
1647 	kmem_free(dir_path, MAXPATHLEN);
1648 	kmem_free(path, path_len);
1649 }
1650 
1651 /*
1652  * the umount syscall is implemented as a call to umount2, but the args
1653  * are different...
1654  */
1655 
1656 /*ARGSUSED*/
1657 static void
1658 aus_umount(struct t_audit_data *tad)
1659 {
1660 	klwp_t			*clwp = ttolwp(curthread);
1661 	struct a {
1662 		long	dir;		/* char    * */
1663 	} *uap = (struct a *)clwp->lwp_ap;
1664 
1665 	aus_umount_path((caddr_t)uap->dir);
1666 }
1667 
1668 /*ARGSUSED*/
1669 static void
1670 aus_umount2(struct t_audit_data *tad)
1671 {
1672 	klwp_t			*clwp = ttolwp(curthread);
1673 	struct a {
1674 		long	dir;		/* char    * */
1675 		long	flags;
1676 	} *uap = (struct a *)clwp->lwp_ap;
1677 
1678 	aus_umount_path((caddr_t)uap->dir);
1679 
1680 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1681 }
1682 
1683 static void
1684 aus_msgsys(struct t_audit_data *tad)
1685 {
1686 	klwp_t *clwp = ttolwp(curthread);
1687 	uint32_t msgid;
1688 
1689 	struct b {
1690 		long	msgid;
1691 		long	cmd;
1692 		long	buf;		/* struct msqid_ds * */
1693 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1694 
1695 	msgid = (uint32_t)uap1->msgid;
1696 
1697 
1698 	switch (tad->tad_event) {
1699 	case AUE_MSGGET:		/* msgget */
1700 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1701 		break;
1702 	case AUE_MSGCTL:		/* msgctl */
1703 	case AUE_MSGCTL_RMID:		/* msgctl */
1704 	case AUE_MSGCTL_STAT:		/* msgctl */
1705 	case AUE_MSGRCV:		/* msgrcv */
1706 	case AUE_MSGSND:		/* msgsnd */
1707 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1708 		break;
1709 	case AUE_MSGCTL_SET:		/* msgctl */
1710 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1711 		break;
1712 	}
1713 }
1714 
1715 /*ARGSUSED*/
1716 static void
1717 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1718 {
1719 	int id;
1720 
1721 	if (error != 0)
1722 		return;
1723 	if (tad->tad_event == AUE_MSGGET) {
1724 		uint32_t scid;
1725 		uint32_t sy_flags;
1726 
1727 		/* need to determine type of executing binary */
1728 		scid = tad->tad_scid;
1729 #ifdef _SYSCALL32_IMPL
1730 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1731 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1732 		else
1733 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1734 #else
1735 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1736 #endif
1737 		if (sy_flags == SE_32RVAL1)
1738 			id = rval->r_val1;
1739 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1740 			id = rval->r_val1;
1741 		if (sy_flags == SE_64RVAL)
1742 			id = (int)rval->r_vals;
1743 
1744 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1745 	}
1746 }
1747 
1748 static void
1749 aus_semsys(struct t_audit_data *tad)
1750 {
1751 	klwp_t *clwp = ttolwp(curthread);
1752 	uint32_t semid;
1753 
1754 	struct b {		/* ctrl */
1755 		long	semid;
1756 		long	semnum;
1757 		long	cmd;
1758 		long	arg;
1759 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1760 
1761 	semid = (uint32_t)uap1->semid;
1762 
1763 	switch (tad->tad_event) {
1764 	case AUE_SEMCTL_RMID:
1765 	case AUE_SEMCTL_STAT:
1766 	case AUE_SEMCTL_GETNCNT:
1767 	case AUE_SEMCTL_GETPID:
1768 	case AUE_SEMCTL_GETVAL:
1769 	case AUE_SEMCTL_GETALL:
1770 	case AUE_SEMCTL_GETZCNT:
1771 	case AUE_SEMCTL_SETVAL:
1772 	case AUE_SEMCTL_SETALL:
1773 	case AUE_SEMCTL:
1774 	case AUE_SEMOP:
1775 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1776 		break;
1777 	case AUE_SEMCTL_SET:
1778 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1779 		break;
1780 	case AUE_SEMGET:
1781 		au_uwrite(au_to_arg32(1, "sem key", semid));
1782 		break;
1783 	}
1784 }
1785 
1786 /*ARGSUSED*/
1787 static void
1788 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1789 {
1790 	int id;
1791 
1792 	if (error != 0)
1793 		return;
1794 	if (tad->tad_event == AUE_SEMGET) {
1795 		uint32_t scid;
1796 		uint32_t sy_flags;
1797 
1798 		/* need to determine type of executing binary */
1799 		scid = tad->tad_scid;
1800 #ifdef _SYSCALL32_IMPL
1801 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1802 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1803 		else
1804 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1805 #else
1806 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1807 #endif
1808 		if (sy_flags == SE_32RVAL1)
1809 			id = rval->r_val1;
1810 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1811 			id = rval->r_val1;
1812 		if (sy_flags == SE_64RVAL)
1813 			id = (int)rval->r_vals;
1814 
1815 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1816 	}
1817 }
1818 
1819 /*ARGSUSED*/
1820 static void
1821 aus_close(struct t_audit_data *tad)
1822 {
1823 	klwp_t *clwp = ttolwp(curthread);
1824 	uint32_t fd;
1825 	struct file *fp;
1826 	struct f_audit_data *fad;
1827 	struct vnode *vp;
1828 	struct vattr attr;
1829 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1830 
1831 	struct a {
1832 		long	i;
1833 	} *uap = (struct a *)clwp->lwp_ap;
1834 
1835 	fd = (uint32_t)uap->i;
1836 
1837 	attr.va_mask = 0;
1838 	au_uwrite(au_to_arg32(1, "fd", fd));
1839 
1840 		/*
1841 		 * convert file pointer to file descriptor
1842 		 *   Note: fd ref count incremented here.
1843 		 */
1844 	if ((fp = getf(fd)) == NULL)
1845 		return;
1846 
1847 	fad = F2A(fp);
1848 	tad->tad_evmod = (short)fad->fad_flags;
1849 	if (fad->fad_aupath != NULL) {
1850 		au_uwrite(au_to_path(fad->fad_aupath));
1851 		if ((vp = fp->f_vnode) != NULL) {
1852 			attr.va_mask = AT_ALL;
1853 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1854 				/*
1855 				 * When write was not used and the file can be
1856 				 * considered public, skip the audit.
1857 				 */
1858 				if (((fp->f_flag & FWRITE) == 0) &&
1859 				    file_is_public(&attr)) {
1860 					tad->tad_flag = 0;
1861 					tad->tad_evmod = 0;
1862 					/* free any residual audit data */
1863 					au_close(kctx, &(u_ad), 0, 0, 0);
1864 					releasef(fd);
1865 					return;
1866 				}
1867 				au_uwrite(au_to_attr(&attr));
1868 				audit_sec_attributes(&(u_ad), vp);
1869 			}
1870 		}
1871 	}
1872 
1873 	/* decrement file descriptor reference count */
1874 	releasef(fd);
1875 }
1876 
1877 /*ARGSUSED*/
1878 static void
1879 aus_fstatfs(struct t_audit_data *tad)
1880 {
1881 	klwp_t *clwp = ttolwp(curthread);
1882 	uint32_t fd;
1883 	struct file  *fp;
1884 	struct vnode *vp;
1885 	struct f_audit_data *fad;
1886 
1887 	struct a {
1888 		long	fd;
1889 		long	buf;		/* struct statfs * */
1890 	} *uap = (struct a *)clwp->lwp_ap;
1891 
1892 	fd = (uint_t)uap->fd;
1893 
1894 		/*
1895 		 * convert file pointer to file descriptor
1896 		 *   Note: fd ref count incremented here.
1897 		 */
1898 	if ((fp = getf(fd)) == NULL)
1899 		return;
1900 
1901 		/* get path from file struct here */
1902 	fad = F2A(fp);
1903 	if (fad->fad_aupath != NULL) {
1904 		au_uwrite(au_to_path(fad->fad_aupath));
1905 	} else {
1906 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1907 	}
1908 
1909 	vp = fp->f_vnode;
1910 	audit_attributes(vp);
1911 
1912 	/* decrement file descriptor reference count */
1913 	releasef(fd);
1914 }
1915 
1916 #ifdef NOTYET
1917 /*ARGSUSED*/
1918 static void
1919 aus_setpgrp(struct t_audit_data *tad)
1920 {
1921 	klwp_t *clwp = ttolwp(curthread);
1922 	uint32_t pgrp;
1923 	struct proc *p;
1924 	uid_t uid, ruid;
1925 	gid_t gid, rgid;
1926 	pid_t pid;
1927 	const auditinfo_addr_t *ainfo;
1928 	cred_t *cr;
1929 
1930 	struct a {
1931 		long	pid;
1932 		long	pgrp;
1933 	} *uap = (struct a *)clwp->lwp_ap;
1934 
1935 	pid  = (pid_t)uap->pid;
1936 	pgrp = (uint32_t)uap->pgrp;
1937 
1938 		/* current process? */
1939 	if (pid == 0)
1940 		(return);
1941 
1942 	mutex_enter(&pidlock);
1943 	p = prfind(pid);
1944 	if (p == NULL || p->p_as == &kas) {
1945 		mutex_exit(&pidlock);
1946 		return;
1947 	}
1948 	mutex_enter(&p->p_lock);	/* so process doesn't go away */
1949 	mutex_exit(&pidlock);
1950 
1951 	mutex_enter(&p->p_crlock);
1952 	crhold(cr = p->p_cred);
1953 	mutex_exit(&p->p_crlock);
1954 	mutex_exit(&p->p_lock);
1955 
1956 	ainfo = crgetauinfo(cr);
1957 	if (ainfo == NULL) {
1958 		crfree(cr);
1959 		return;
1960 	}
1961 
1962 	uid  = crgetuid(cr);
1963 	gid  = crgetgid(cr);
1964 	ruid = crgetruid(cr);
1965 	rgid = crgetrgid(cr);
1966 	au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1967 	    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1968 	crfree(cr);
1969 	au_uwrite(au_to_arg32(2, "pgrp", pgrp));
1970 }
1971 #endif
1972 
1973 /*ARGSUSED*/
1974 static void
1975 aus_setregid(struct t_audit_data *tad)
1976 {
1977 	klwp_t *clwp = ttolwp(curthread);
1978 	uint32_t rgid, egid;
1979 
1980 	struct a {
1981 		long	 rgid;
1982 		long	 egid;
1983 	} *uap = (struct a *)clwp->lwp_ap;
1984 
1985 	rgid  = (uint32_t)uap->rgid;
1986 	egid  = (uint32_t)uap->egid;
1987 
1988 	au_uwrite(au_to_arg32(1, "rgid", rgid));
1989 	au_uwrite(au_to_arg32(2, "egid", egid));
1990 }
1991 
1992 /*ARGSUSED*/
1993 static void
1994 aus_setgid(struct t_audit_data *tad)
1995 {
1996 	klwp_t *clwp = ttolwp(curthread);
1997 	uint32_t gid;
1998 
1999 	struct a {
2000 		long	gid;
2001 	} *uap = (struct a *)clwp->lwp_ap;
2002 
2003 	gid = (uint32_t)uap->gid;
2004 
2005 	au_uwrite(au_to_arg32(1, "gid", gid));
2006 }
2007 
2008 
2009 /*ARGSUSED*/
2010 static void
2011 aus_setreuid(struct t_audit_data *tad)
2012 {
2013 	klwp_t *clwp = ttolwp(curthread);
2014 	uint32_t ruid, euid;
2015 
2016 	struct a {
2017 		long	ruid;
2018 		long	euid;
2019 	} *uap = (struct a *)clwp->lwp_ap;
2020 
2021 	ruid = (uint32_t)uap->ruid;
2022 	euid  = (uint32_t)uap->euid;
2023 
2024 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2025 	au_uwrite(au_to_arg32(2, "euid", euid));
2026 }
2027 
2028 
2029 /*ARGSUSED*/
2030 static void
2031 aus_setuid(struct t_audit_data *tad)
2032 {
2033 	klwp_t *clwp = ttolwp(curthread);
2034 	uint32_t uid;
2035 
2036 	struct a {
2037 		long	uid;
2038 	} *uap = (struct a *)clwp->lwp_ap;
2039 
2040 	uid = (uint32_t)uap->uid;
2041 
2042 	au_uwrite(au_to_arg32(1, "uid", uid));
2043 }
2044 
2045 /*ARGSUSED*/
2046 static void
2047 aus_shmsys(struct t_audit_data *tad)
2048 {
2049 	klwp_t *clwp = ttolwp(curthread);
2050 	uint32_t id, cmd;
2051 
2052 	struct b {
2053 		long	id;
2054 		long	cmd;
2055 		long	buf;		/* struct shmid_ds * */
2056 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2057 
2058 	id  = (uint32_t)uap1->id;
2059 	cmd = (uint32_t)uap1->cmd;
2060 
2061 	switch (tad->tad_event) {
2062 	case AUE_SHMGET:			/* shmget */
2063 		au_uwrite(au_to_arg32(1, "shm key", id));
2064 		break;
2065 	case AUE_SHMCTL:			/* shmctl */
2066 	case AUE_SHMCTL_RMID:			/* shmctl */
2067 	case AUE_SHMCTL_STAT:			/* shmctl */
2068 	case AUE_SHMCTL_SET:			/* shmctl */
2069 		au_uwrite(au_to_arg32(1, "shm ID", id));
2070 		break;
2071 	case AUE_SHMDT:				/* shmdt */
2072 		au_uwrite(au_to_arg32(1, "shm adr", id));
2073 		break;
2074 	case AUE_SHMAT:				/* shmat */
2075 		au_uwrite(au_to_arg32(1, "shm ID", id));
2076 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2077 		break;
2078 	}
2079 }
2080 
2081 /*ARGSUSED*/
2082 static void
2083 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2084 {
2085 	int id;
2086 
2087 	if (error != 0)
2088 		return;
2089 	if (tad->tad_event == AUE_SHMGET) {
2090 		uint32_t scid;
2091 		uint32_t sy_flags;
2092 
2093 		/* need to determine type of executing binary */
2094 		scid = tad->tad_scid;
2095 #ifdef _SYSCALL32_IMPL
2096 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2097 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2098 		else
2099 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2100 #else
2101 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2102 #endif
2103 		if (sy_flags == SE_32RVAL1)
2104 			id = rval->r_val1;
2105 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2106 			id = rval->r_val1;
2107 		if (sy_flags == SE_64RVAL)
2108 			id = (int)rval->r_vals;
2109 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2110 	}
2111 }
2112 
2113 
2114 /*ARGSUSED*/
2115 static void
2116 aus_ioctl(struct t_audit_data *tad)
2117 {
2118 	klwp_t *clwp = ttolwp(curthread);
2119 	struct file *fp;
2120 	struct vnode *vp;
2121 	struct f_audit_data *fad;
2122 	uint32_t fd, cmd;
2123 	uintptr_t cmarg;
2124 
2125 	/* XX64 */
2126 	struct a {
2127 		long	fd;
2128 		long	cmd;
2129 		long	cmarg;		/* caddr_t */
2130 	} *uap = (struct a *)clwp->lwp_ap;
2131 
2132 	fd    = (uint32_t)uap->fd;
2133 	cmd   = (uint32_t)uap->cmd;
2134 	cmarg = (uintptr_t)uap->cmarg;
2135 
2136 		/*
2137 		 * convert file pointer to file descriptor
2138 		 *   Note: fd ref count incremented here.
2139 		 */
2140 	if ((fp = getf(fd)) == NULL) {
2141 		au_uwrite(au_to_arg32(1, "fd", fd));
2142 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2143 #ifndef _LP64
2144 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2145 #else
2146 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2147 #endif
2148 		return;
2149 	}
2150 
2151 	/* get path from file struct here */
2152 	fad = F2A(fp);
2153 	if (fad->fad_aupath != NULL) {
2154 		au_uwrite(au_to_path(fad->fad_aupath));
2155 	} else {
2156 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2157 	}
2158 
2159 	vp = fp->f_vnode;
2160 	audit_attributes(vp);
2161 
2162 	/* decrement file descriptor reference count */
2163 	releasef(fd);
2164 
2165 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2166 #ifndef _LP64
2167 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2168 #else
2169 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2170 #endif
2171 }
2172 
2173 /*
2174  * null function for memcntl for now. We might want to limit memcntl()
2175  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2176  * require privileges.
2177  */
2178 static au_event_t
2179 aui_memcntl(au_event_t e)
2180 {
2181 	return (e);
2182 }
2183 
2184 /*ARGSUSED*/
2185 static au_event_t
2186 aui_privsys(au_event_t e)
2187 {
2188 	klwp_t *clwp = ttolwp(curthread);
2189 
2190 	struct a {
2191 		long	opcode;
2192 	} *uap = (struct a *)clwp->lwp_ap;
2193 
2194 	switch (uap->opcode) {
2195 	case PRIVSYS_SETPPRIV:
2196 		return (AUE_SETPPRIV);
2197 	default:
2198 		return (AUE_NULL);
2199 	}
2200 }
2201 
2202 /*ARGSUSED*/
2203 static void
2204 aus_memcntl(struct t_audit_data *tad)
2205 {
2206 	klwp_t *clwp = ttolwp(curthread);
2207 
2208 	struct a {
2209 		long	addr;
2210 		long	len;
2211 		long	cmd;
2212 		long	arg;
2213 		long	attr;
2214 		long	mask;
2215 	} *uap = (struct a *)clwp->lwp_ap;
2216 
2217 #ifdef _LP64
2218 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2219 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2220 #else
2221 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2222 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2223 #endif
2224 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2225 #ifdef _LP64
2226 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2227 #else
2228 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2229 #endif
2230 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2231 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2232 }
2233 
2234 /*ARGSUSED*/
2235 static void
2236 aus_mmap(struct t_audit_data *tad)
2237 {
2238 	klwp_t *clwp = ttolwp(curthread);
2239 	struct file *fp;
2240 	struct f_audit_data *fad;
2241 	struct vnode *vp;
2242 	uint32_t fd;
2243 
2244 	struct a {
2245 		long	addr;
2246 		long	len;
2247 		long	prot;
2248 		long	flags;
2249 		long	fd;
2250 		long	pos;
2251 	} *uap = (struct a *)clwp->lwp_ap;
2252 
2253 	fd = (uint32_t)uap->fd;
2254 
2255 #ifdef _LP64
2256 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2257 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2258 #else
2259 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2260 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2261 #endif
2262 
2263 	if ((fp = getf(fd)) == NULL) {
2264 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2265 		return;
2266 	}
2267 
2268 	/*
2269 	 * Mark in the tad if write access is NOT requested... if
2270 	 * this is later detected (in audit_attributes) to be a
2271 	 * public object, the mmap event may be discarded.
2272 	 */
2273 	if (((uap->prot) & PROT_WRITE) == 0) {
2274 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2275 	}
2276 
2277 	fad = F2A(fp);
2278 	if (fad->fad_aupath != NULL) {
2279 		au_uwrite(au_to_path(fad->fad_aupath));
2280 	} else {
2281 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2282 	}
2283 
2284 	vp = (struct vnode *)fp->f_vnode;
2285 	audit_attributes(vp);
2286 
2287 	/* mark READ/WRITE since we can't predict access */
2288 	if (uap->prot & PROT_READ)
2289 		fad->fad_flags |= FAD_READ;
2290 	if (uap->prot & PROT_WRITE)
2291 		fad->fad_flags |= FAD_WRITE;
2292 
2293 	/* decrement file descriptor reference count */
2294 	releasef(fd);
2295 
2296 }	/* AUS_MMAP */
2297 
2298 
2299 
2300 
2301 /*ARGSUSED*/
2302 static void
2303 aus_munmap(struct t_audit_data *tad)
2304 {
2305 	klwp_t *clwp = ttolwp(curthread);
2306 
2307 	struct a {
2308 		long	addr;
2309 		long	len;
2310 	} *uap = (struct a *)clwp->lwp_ap;
2311 
2312 #ifdef _LP64
2313 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2314 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2315 #else
2316 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2317 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2318 #endif
2319 
2320 }	/* AUS_MUNMAP */
2321 
2322 
2323 
2324 
2325 
2326 
2327 
2328 /*ARGSUSED*/
2329 static void
2330 aus_priocntlsys(struct t_audit_data *tad)
2331 {
2332 	klwp_t *clwp = ttolwp(curthread);
2333 
2334 	struct a {
2335 		long	pc_version;
2336 		long	psp;		/* procset_t */
2337 		long	cmd;
2338 		long	arg;
2339 	} *uap = (struct a *)clwp->lwp_ap;
2340 
2341 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2342 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2343 
2344 }	/* AUS_PRIOCNTLSYS */
2345 
2346 
2347 /*ARGSUSED*/
2348 static void
2349 aus_setegid(struct t_audit_data *tad)
2350 {
2351 	klwp_t *clwp = ttolwp(curthread);
2352 	uint32_t gid;
2353 
2354 	struct a {
2355 		long	gid;
2356 	} *uap = (struct a *)clwp->lwp_ap;
2357 
2358 	gid = (uint32_t)uap->gid;
2359 
2360 	au_uwrite(au_to_arg32(1, "gid", gid));
2361 }	/* AUS_SETEGID */
2362 
2363 
2364 
2365 
2366 /*ARGSUSED*/
2367 static void
2368 aus_setgroups(struct t_audit_data *tad)
2369 {
2370 	klwp_t *clwp = ttolwp(curthread);
2371 	int i;
2372 	int gidsetsize;
2373 	uintptr_t gidset;
2374 	gid_t *gidlist;
2375 
2376 	struct a {
2377 		long	gidsetsize;
2378 		long	gidset;
2379 	} *uap = (struct a *)clwp->lwp_ap;
2380 
2381 	gidsetsize = (uint_t)uap->gidsetsize;
2382 	gidset = (uintptr_t)uap->gidset;
2383 
2384 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2385 		return;
2386 	if (gidsetsize != 0) {
2387 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2388 		    KM_SLEEP);
2389 		if (copyin((caddr_t)gidset, gidlist,
2390 		    gidsetsize * sizeof (gid_t)) == 0)
2391 			for (i = 0; i < gidsetsize; i++)
2392 				au_uwrite(au_to_arg32(1, "setgroups",
2393 				    (uint32_t)gidlist[i]));
2394 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2395 	} else
2396 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2397 
2398 }	/* AUS_SETGROUPS */
2399 
2400 
2401 
2402 
2403 
2404 /*ARGSUSED*/
2405 static void
2406 aus_seteuid(struct t_audit_data *tad)
2407 {
2408 	klwp_t *clwp = ttolwp(curthread);
2409 	uint32_t uid;
2410 
2411 	struct a {
2412 		long	uid;
2413 	} *uap = (struct a *)clwp->lwp_ap;
2414 
2415 	uid = (uint32_t)uap->uid;
2416 
2417 	au_uwrite(au_to_arg32(1, "euid", uid));
2418 
2419 }	/* AUS_SETEUID */
2420 
2421 /*ARGSUSED*/
2422 static void
2423 aus_putmsg(struct t_audit_data *tad)
2424 {
2425 	klwp_t *clwp = ttolwp(curthread);
2426 	uint32_t fd, pri;
2427 	struct file *fp;
2428 	struct f_audit_data *fad;
2429 
2430 	struct a {
2431 		long	fdes;
2432 		long	ctl;		/* struct strbuf * */
2433 		long	data;		/* struct strbuf * */
2434 		long	pri;
2435 	} *uap = (struct a *)clwp->lwp_ap;
2436 
2437 	fd  = (uint32_t)uap->fdes;
2438 	pri = (uint32_t)uap->pri;
2439 
2440 	au_uwrite(au_to_arg32(1, "fd", fd));
2441 
2442 	if ((fp = getf(fd)) != NULL) {
2443 		fad = F2A(fp);
2444 
2445 		fad->fad_flags |= FAD_WRITE;
2446 
2447 		/* add path name to audit record */
2448 		if (fad->fad_aupath != NULL) {
2449 			au_uwrite(au_to_path(fad->fad_aupath));
2450 		}
2451 		audit_attributes(fp->f_vnode);
2452 
2453 		releasef(fd);
2454 	}
2455 
2456 	au_uwrite(au_to_arg32(4, "pri", pri));
2457 }
2458 
2459 /*ARGSUSED*/
2460 static void
2461 aus_putpmsg(struct t_audit_data *tad)
2462 {
2463 	klwp_t *clwp = ttolwp(curthread);
2464 	uint32_t fd, pri, flags;
2465 	struct file *fp;
2466 	struct f_audit_data *fad;
2467 
2468 	struct a {
2469 		long	fdes;
2470 		long	ctl;		/* struct strbuf * */
2471 		long	data;		/* struct strbuf * */
2472 		long	pri;
2473 		long	flags;
2474 	} *uap = (struct a *)clwp->lwp_ap;
2475 
2476 	fd = (uint32_t)uap->fdes;
2477 	pri  = (uint32_t)uap->pri;
2478 	flags  = (uint32_t)uap->flags;
2479 
2480 	au_uwrite(au_to_arg32(1, "fd", fd));
2481 
2482 	if ((fp = getf(fd)) != NULL) {
2483 		fad = F2A(fp);
2484 
2485 		fad->fad_flags |= FAD_WRITE;
2486 
2487 		/* add path name to audit record */
2488 		if (fad->fad_aupath != NULL) {
2489 			au_uwrite(au_to_path(fad->fad_aupath));
2490 		}
2491 		audit_attributes(fp->f_vnode);
2492 
2493 		releasef(fd);
2494 	}
2495 
2496 
2497 	au_uwrite(au_to_arg32(4, "pri", pri));
2498 	au_uwrite(au_to_arg32(5, "flags", flags));
2499 }
2500 
2501 /*ARGSUSED*/
2502 static void
2503 aus_getmsg(struct t_audit_data *tad)
2504 {
2505 	klwp_t *clwp = ttolwp(curthread);
2506 	uint32_t fd, pri;
2507 	struct file *fp;
2508 	struct f_audit_data *fad;
2509 
2510 	struct a {
2511 		long	fdes;
2512 		long	ctl;		/* struct strbuf * */
2513 		long	data;		/* struct strbuf * */
2514 		long	pri;
2515 	} *uap = (struct a *)clwp->lwp_ap;
2516 
2517 	fd  = (uint32_t)uap->fdes;
2518 	pri = (uint32_t)uap->pri;
2519 
2520 	au_uwrite(au_to_arg32(1, "fd", fd));
2521 
2522 	if ((fp = getf(fd)) != NULL) {
2523 		fad = F2A(fp);
2524 
2525 		/*
2526 		 * read operation on this object
2527 		 */
2528 		fad->fad_flags |= FAD_READ;
2529 
2530 		/* add path name to audit record */
2531 		if (fad->fad_aupath != NULL) {
2532 			au_uwrite(au_to_path(fad->fad_aupath));
2533 		}
2534 		audit_attributes(fp->f_vnode);
2535 
2536 		releasef(fd);
2537 	}
2538 
2539 	au_uwrite(au_to_arg32(4, "pri", pri));
2540 }
2541 
2542 /*ARGSUSED*/
2543 static void
2544 aus_getpmsg(struct t_audit_data *tad)
2545 {
2546 	klwp_t *clwp = ttolwp(curthread);
2547 	uint32_t fd;
2548 	struct file *fp;
2549 	struct f_audit_data *fad;
2550 
2551 	struct a {
2552 		long	fdes;
2553 		long	ctl;		/* struct strbuf * */
2554 		long	data;		/* struct strbuf * */
2555 		long	pri;
2556 		long	flags;
2557 	} *uap = (struct a *)clwp->lwp_ap;
2558 
2559 	fd = (uint32_t)uap->fdes;
2560 
2561 	au_uwrite(au_to_arg32(1, "fd", fd));
2562 
2563 	if ((fp = getf(fd)) != NULL) {
2564 		fad = F2A(fp);
2565 
2566 		/*
2567 		 * read operation on this object
2568 		 */
2569 		fad->fad_flags |= FAD_READ;
2570 
2571 		/* add path name to audit record */
2572 		if (fad->fad_aupath != NULL) {
2573 			au_uwrite(au_to_path(fad->fad_aupath));
2574 		}
2575 		audit_attributes(fp->f_vnode);
2576 
2577 		releasef(fd);
2578 	}
2579 }
2580 
2581 static au_event_t
2582 aui_labelsys(au_event_t e)
2583 {
2584 	klwp_t *clwp = ttolwp(curthread);
2585 	uint32_t code;
2586 	uint32_t cmd;
2587 
2588 	struct a {
2589 		long	code;
2590 		long	cmd;
2591 	} *uap = (struct a *)clwp->lwp_ap;
2592 
2593 	code = (uint32_t)uap->code;
2594 	cmd = (uint32_t)uap->cmd;
2595 
2596 	/* not security relevant if not changing kernel cache */
2597 	if (cmd == TNDB_GET)
2598 		return (AUE_NULL);
2599 
2600 	switch (code) {
2601 	case TSOL_TNRH:
2602 		e = AUE_LABELSYS_TNRH;
2603 		break;
2604 	case TSOL_TNRHTP:
2605 		e = AUE_LABELSYS_TNRHTP;
2606 		break;
2607 	case TSOL_TNMLP:
2608 		e = AUE_LABELSYS_TNMLP;
2609 		break;
2610 	default:
2611 		e = AUE_NULL;
2612 		break;
2613 	}
2614 
2615 	return (e);
2616 
2617 }
2618 
2619 static void
2620 aus_labelsys(struct t_audit_data *tad)
2621 {
2622 	klwp_t *clwp = ttolwp(curthread);
2623 	uint32_t cmd;
2624 	uintptr_t a2;
2625 
2626 	struct a {
2627 		long	code;
2628 		long	cmd;
2629 		long	a2;
2630 	} *uap = (struct a *)clwp->lwp_ap;
2631 
2632 	cmd = (uint32_t)uap->cmd;
2633 	a2 = (uintptr_t)uap->a2;
2634 
2635 	switch (tad->tad_event) {
2636 	case AUE_LABELSYS_TNRH:
2637 	{
2638 		tsol_rhent_t	*rhent;
2639 		tnaddr_t	*rh_addr;
2640 
2641 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2642 
2643 		/* Remaining args don't apply for FLUSH, so skip */
2644 		if (cmd == TNDB_FLUSH)
2645 			break;
2646 
2647 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2648 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2649 			kmem_free(rhent, sizeof (tsol_rhent_t));
2650 			return;
2651 		}
2652 
2653 		rh_addr = &rhent->rh_address;
2654 		if (rh_addr->ta_family == AF_INET) {
2655 			struct in_addr	*ipaddr;
2656 
2657 			ipaddr = &(rh_addr->ta_addr_v4);
2658 			au_uwrite(au_to_in_addr(ipaddr));
2659 		} else if (rh_addr->ta_family == AF_INET6) {
2660 			int32_t		*ipaddr;
2661 
2662 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2663 			au_uwrite(au_to_in_addr_ex(ipaddr));
2664 		}
2665 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2666 
2667 		kmem_free(rhent, sizeof (tsol_rhent_t));
2668 
2669 		break;
2670 	}
2671 	case AUE_LABELSYS_TNRHTP:
2672 	{
2673 		tsol_tpent_t	*tpent;
2674 
2675 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2676 
2677 		/* Remaining args don't apply for FLUSH, so skip */
2678 		if (cmd == TNDB_FLUSH)
2679 			break;
2680 
2681 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2682 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2683 			kmem_free(tpent, sizeof (tsol_tpent_t));
2684 			return;
2685 		}
2686 
2687 		/* Make sure that the template name is null-terminated. */
2688 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2689 
2690 		au_uwrite(au_to_text(tpent->name));
2691 		kmem_free(tpent, sizeof (tsol_tpent_t));
2692 
2693 		break;
2694 	}
2695 	case AUE_LABELSYS_TNMLP:
2696 	{
2697 		tsol_mlpent_t	*mlpent;
2698 
2699 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2700 
2701 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2702 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2703 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2704 			return;
2705 		}
2706 
2707 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2708 			au_uwrite(au_to_text("shared"));
2709 		} else {
2710 			zone_t	*zone;
2711 
2712 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2713 			if (zone != NULL) {
2714 				au_uwrite(au_to_text(zone->zone_name));
2715 				zone_rele(zone);
2716 			}
2717 		}
2718 
2719 		/* Remaining args don't apply for FLUSH, so skip */
2720 		if (cmd == TNDB_FLUSH) {
2721 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2722 			break;
2723 		}
2724 
2725 		au_uwrite(au_to_arg32(2, "proto num",
2726 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2727 		au_uwrite(au_to_arg32(2, "mlp_port",
2728 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2729 
2730 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2731 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2732 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2733 
2734 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2735 
2736 		break;
2737 	}
2738 	default:
2739 		break;
2740 	}
2741 }
2742 
2743 
2744 static au_event_t
2745 aui_auditsys(au_event_t e)
2746 {
2747 	klwp_t *clwp = ttolwp(curthread);
2748 	uint32_t code;
2749 
2750 	struct a {
2751 		long	code;
2752 		long	a1;
2753 		long	a2;
2754 		long	a3;
2755 		long	a4;
2756 		long	a5;
2757 		long	a6;
2758 		long	a7;
2759 	} *uap = (struct a *)clwp->lwp_ap;
2760 
2761 	code = (uint32_t)uap->code;
2762 
2763 	switch (code) {
2764 
2765 	case BSM_GETAUID:
2766 		e = AUE_GETAUID;
2767 		break;
2768 	case BSM_SETAUID:
2769 		e = AUE_SETAUID;
2770 		break;
2771 	case BSM_GETAUDIT:
2772 		e = AUE_GETAUDIT;
2773 		break;
2774 	case BSM_GETAUDIT_ADDR:
2775 		e = AUE_GETAUDIT_ADDR;
2776 		break;
2777 	case BSM_SETAUDIT:
2778 		e = AUE_SETAUDIT;
2779 		break;
2780 	case BSM_SETAUDIT_ADDR:
2781 		e = AUE_SETAUDIT_ADDR;
2782 		break;
2783 	case BSM_AUDIT:
2784 		e = AUE_AUDIT;
2785 		break;
2786 	case BSM_GETPORTAUDIT:
2787 		e = AUE_GETPORTAUDIT;
2788 		break;
2789 	case BSM_AUDITON:
2790 	case BSM_AUDITCTL:
2791 
2792 		switch ((uint_t)uap->a1) {
2793 
2794 		case A_GETPOLICY:
2795 			e = AUE_AUDITON_GPOLICY;
2796 			break;
2797 		case A_SETPOLICY:
2798 			e = AUE_AUDITON_SPOLICY;
2799 			break;
2800 		case A_GETKMASK:
2801 			e = AUE_AUDITON_GETKMASK;
2802 			break;
2803 		case A_SETKMASK:
2804 			e = AUE_AUDITON_SETKMASK;
2805 			break;
2806 		case A_GETQCTRL:
2807 			e = AUE_AUDITON_GQCTRL;
2808 			break;
2809 		case A_SETQCTRL:
2810 			e = AUE_AUDITON_SQCTRL;
2811 			break;
2812 		case A_GETCWD:
2813 			e = AUE_AUDITON_GETCWD;
2814 			break;
2815 		case A_GETCAR:
2816 			e = AUE_AUDITON_GETCAR;
2817 			break;
2818 		case A_GETSTAT:
2819 			e = AUE_AUDITON_GETSTAT;
2820 			break;
2821 		case A_SETSTAT:
2822 			e = AUE_AUDITON_SETSTAT;
2823 			break;
2824 		case A_SETUMASK:
2825 			e = AUE_AUDITON_SETUMASK;
2826 			break;
2827 		case A_SETSMASK:
2828 			e = AUE_AUDITON_SETSMASK;
2829 			break;
2830 		case A_GETCOND:
2831 			e = AUE_AUDITON_GETCOND;
2832 			break;
2833 		case A_SETCOND:
2834 			e = AUE_AUDITON_SETCOND;
2835 			break;
2836 		case A_GETCLASS:
2837 			e = AUE_AUDITON_GETCLASS;
2838 			break;
2839 		case A_SETCLASS:
2840 			e = AUE_AUDITON_SETCLASS;
2841 			break;
2842 		default:
2843 			e = AUE_NULL;
2844 			break;
2845 		}
2846 		break;
2847 	default:
2848 		e = AUE_NULL;
2849 		break;
2850 	}
2851 
2852 	return (e);
2853 
2854 }	/* AUI_AUDITSYS */
2855 
2856 
2857 static void
2858 aus_auditsys(struct t_audit_data *tad)
2859 {
2860 	klwp_t *clwp = ttolwp(curthread);
2861 	uintptr_t a1, a2;
2862 	STRUCT_DECL(auditinfo, ainfo);
2863 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2864 	au_evclass_map_t event;
2865 	au_mask_t mask;
2866 	int auditstate, policy;
2867 	au_id_t auid;
2868 
2869 
2870 	struct a {
2871 		long	code;
2872 		long	a1;
2873 		long	a2;
2874 		long	a3;
2875 		long	a4;
2876 		long	a5;
2877 		long	a6;
2878 		long	a7;
2879 	} *uap = (struct a *)clwp->lwp_ap;
2880 
2881 	a1   = (uintptr_t)uap->a1;
2882 	a2   = (uintptr_t)uap->a2;
2883 
2884 	switch (tad->tad_event) {
2885 	case AUE_SETAUID:
2886 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2887 				return;
2888 		au_uwrite(au_to_arg32(2, "setauid", auid));
2889 		break;
2890 	case AUE_SETAUDIT:
2891 		STRUCT_INIT(ainfo, get_udatamodel());
2892 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2893 		    STRUCT_SIZE(ainfo))) {
2894 				return;
2895 		}
2896 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2897 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2898 #ifdef _LP64
2899 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2900 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2901 #else
2902 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2903 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2904 #endif
2905 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2906 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2907 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2908 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2909 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2910 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2911 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2912 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2913 		break;
2914 	case AUE_SETAUDIT_ADDR:
2915 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2916 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2917 		    STRUCT_SIZE(ainfo_addr))) {
2918 				return;
2919 		}
2920 		au_uwrite(au_to_arg32((char)1, "auid",
2921 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2922 #ifdef _LP64
2923 		au_uwrite(au_to_arg64((char)1, "port",
2924 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2925 #else
2926 		au_uwrite(au_to_arg32((char)1, "port",
2927 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2928 #endif
2929 		au_uwrite(au_to_arg32((char)1, "type",
2930 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2931 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2932 		    AU_IPv4) {
2933 			au_uwrite(au_to_in_addr(
2934 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2935 			    ai_termid.at_addr)));
2936 		} else {
2937 			au_uwrite(au_to_in_addr_ex(
2938 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
2939 			    ai_termid.at_addr)));
2940 		}
2941 		au_uwrite(au_to_arg32((char)1, "as_success",
2942 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2943 		au_uwrite(au_to_arg32((char)1, "as_failure",
2944 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2945 		au_uwrite(au_to_arg32((char)1, "asid",
2946 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2947 		break;
2948 	case AUE_AUDITON_SETKMASK:
2949 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2950 				return;
2951 		au_uwrite(au_to_arg32(
2952 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
2953 		au_uwrite(au_to_arg32(
2954 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2955 		break;
2956 	case AUE_AUDITON_SPOLICY:
2957 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2958 			return;
2959 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2960 		break;
2961 	case AUE_AUDITON_SQCTRL: {
2962 		STRUCT_DECL(au_qctrl, qctrl);
2963 		model_t model;
2964 
2965 		model = get_udatamodel();
2966 		STRUCT_INIT(qctrl, model);
2967 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
2968 				return;
2969 		if (model == DATAMODEL_ILP32) {
2970 			au_uwrite(au_to_arg32(
2971 			    3, "setqctrl:aq_hiwater",
2972 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
2973 			au_uwrite(au_to_arg32(
2974 			    3, "setqctrl:aq_lowater",
2975 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
2976 			au_uwrite(au_to_arg32(
2977 			    3, "setqctrl:aq_bufsz",
2978 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
2979 			au_uwrite(au_to_arg32(
2980 			    3, "setqctrl:aq_delay",
2981 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
2982 		} else {
2983 			au_uwrite(au_to_arg64(
2984 			    3, "setqctrl:aq_hiwater",
2985 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
2986 			au_uwrite(au_to_arg64(
2987 			    3, "setqctrl:aq_lowater",
2988 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
2989 			au_uwrite(au_to_arg64(
2990 			    3, "setqctrl:aq_bufsz",
2991 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
2992 			au_uwrite(au_to_arg64(
2993 			    3, "setqctrl:aq_delay",
2994 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
2995 		}
2996 		break;
2997 	}
2998 	case AUE_AUDITON_SETUMASK:
2999 		STRUCT_INIT(ainfo, get_udatamodel());
3000 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3001 		    STRUCT_SIZE(ainfo))) {
3002 			return;
3003 		}
3004 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3005 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3006 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3007 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3008 		break;
3009 	case AUE_AUDITON_SETSMASK:
3010 		STRUCT_INIT(ainfo, get_udatamodel());
3011 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3012 		    STRUCT_SIZE(ainfo))) {
3013 			return;
3014 		}
3015 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3016 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3017 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3018 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3019 		break;
3020 	case AUE_AUDITON_SETCOND:
3021 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3022 			return;
3023 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3024 		break;
3025 	case AUE_AUDITON_SETCLASS:
3026 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3027 			return;
3028 		au_uwrite(au_to_arg32(
3029 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3030 		au_uwrite(au_to_arg32(
3031 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3032 		break;
3033 	case AUE_GETAUID:
3034 	case AUE_GETAUDIT:
3035 	case AUE_GETAUDIT_ADDR:
3036 	case AUE_AUDIT:
3037 	case AUE_GETPORTAUDIT:
3038 	case AUE_AUDITON_GPOLICY:
3039 	case AUE_AUDITON_GQCTRL:
3040 	case AUE_AUDITON_GETKMASK:
3041 	case AUE_AUDITON_GETCWD:
3042 	case AUE_AUDITON_GETCAR:
3043 	case AUE_AUDITON_GETSTAT:
3044 	case AUE_AUDITON_SETSTAT:
3045 	case AUE_AUDITON_GETCOND:
3046 	case AUE_AUDITON_GETCLASS:
3047 		break;
3048 	default:
3049 		break;
3050 	}
3051 
3052 }	/* AUS_AUDITSYS */
3053 
3054 
3055 /* only audit privileged operations for systeminfo(2) system call */
3056 static au_event_t
3057 aui_sysinfo(au_event_t e)
3058 {
3059 	klwp_t *clwp = ttolwp(curthread);
3060 	uint32_t command;
3061 
3062 	struct a {
3063 		long	command;
3064 		long	buf;		/* char * */
3065 		long	count;
3066 	} *uap = (struct a *)clwp->lwp_ap;
3067 
3068 	command = (uint32_t)uap->command;
3069 
3070 	switch (command) {
3071 	case SI_SET_HOSTNAME:
3072 	case SI_SET_SRPC_DOMAIN:
3073 		e = (au_event_t)AUE_SYSINFO;
3074 		break;
3075 	default:
3076 		e = (au_event_t)AUE_NULL;
3077 		break;
3078 	}
3079 	return (e);
3080 }
3081 
3082 /*ARGSUSED*/
3083 static void
3084 aus_sysinfo(struct t_audit_data *tad)
3085 {
3086 	klwp_t *clwp = ttolwp(curthread);
3087 	uint32_t command;
3088 	size_t len, maxlen;
3089 	char *name;
3090 	uintptr_t buf;
3091 
3092 	struct a {
3093 		long	command;
3094 		long	buf;		/* char * */
3095 		long	count;
3096 	} *uap = (struct a *)clwp->lwp_ap;
3097 
3098 	command = (uint32_t)uap->command;
3099 	buf = (uintptr_t)uap->buf;
3100 
3101 	au_uwrite(au_to_arg32(1, "cmd", command));
3102 
3103 	switch (command) {
3104 	case SI_SET_HOSTNAME:
3105 	{
3106 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3107 			return;
3108 
3109 		maxlen = SYS_NMLN;
3110 		name = kmem_alloc(maxlen, KM_SLEEP);
3111 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3112 			break;
3113 
3114 		/*
3115 		 * Must be non-NULL string and string
3116 		 * must be less than SYS_NMLN chars.
3117 		 */
3118 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3119 			break;
3120 
3121 		au_uwrite(au_to_text(name));
3122 		break;
3123 	}
3124 
3125 	case SI_SET_SRPC_DOMAIN:
3126 	{
3127 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3128 			return;
3129 
3130 		maxlen = SYS_NMLN;
3131 		name = kmem_alloc(maxlen, KM_SLEEP);
3132 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3133 			break;
3134 
3135 		/*
3136 		 * If string passed in is longer than length
3137 		 * allowed for domain name, fail.
3138 		 */
3139 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3140 			break;
3141 
3142 		au_uwrite(au_to_text(name));
3143 		break;
3144 	}
3145 
3146 	default:
3147 		return;
3148 	}
3149 
3150 	kmem_free(name, maxlen);
3151 }
3152 
3153 static au_event_t
3154 aui_modctl(au_event_t e)
3155 {
3156 	klwp_t *clwp = ttolwp(curthread);
3157 	uint_t cmd;
3158 
3159 	struct a {
3160 		long	cmd;
3161 	} *uap = (struct a *)clwp->lwp_ap;
3162 
3163 	cmd = (uint_t)uap->cmd;
3164 
3165 	switch (cmd) {
3166 	case MODLOAD:
3167 		e = AUE_MODLOAD;
3168 		break;
3169 	case MODUNLOAD:
3170 		e = AUE_MODUNLOAD;
3171 		break;
3172 	case MODADDMAJBIND:
3173 		e = AUE_MODADDMAJ;
3174 		break;
3175 	case MODSETDEVPOLICY:
3176 		e = AUE_MODDEVPLCY;
3177 		break;
3178 	case MODALLOCPRIV:
3179 		e = AUE_MODADDPRIV;
3180 		break;
3181 	default:
3182 		e = AUE_NULL;
3183 		break;
3184 	}
3185 	return (e);
3186 }
3187 
3188 
3189 /*ARGSUSED*/
3190 static void
3191 aus_modctl(struct t_audit_data *tad)
3192 {
3193 	klwp_t *clwp = ttolwp(curthread);
3194 	void *a	= clwp->lwp_ap;
3195 	uint_t use_path;
3196 
3197 	switch (tad->tad_event) {
3198 	case AUE_MODLOAD: {
3199 		typedef struct {
3200 			long	cmd;
3201 			long	use_path;
3202 			long	filename;		/* char * */
3203 		} modloada_t;
3204 
3205 		char *filenamep;
3206 		uintptr_t fname;
3207 		extern char *default_path;
3208 
3209 		fname = (uintptr_t)((modloada_t *)a)->filename;
3210 		use_path = (uint_t)((modloada_t *)a)->use_path;
3211 
3212 			/* space to hold path */
3213 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3214 			/* get string */
3215 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3216 				/* free allocated path */
3217 			kmem_free(filenamep, MOD_MAXPATH);
3218 			return;
3219 		}
3220 			/* ensure it's null terminated */
3221 		filenamep[MOD_MAXPATH - 1] = 0;
3222 
3223 		if (use_path)
3224 			au_uwrite(au_to_text(default_path));
3225 		au_uwrite(au_to_text(filenamep));
3226 
3227 			/* release temporary memory */
3228 		kmem_free(filenamep, MOD_MAXPATH);
3229 		break;
3230 	}
3231 	case AUE_MODUNLOAD: {
3232 		typedef struct {
3233 			long	cmd;
3234 			long	id;
3235 		} modunloada_t;
3236 
3237 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3238 
3239 		au_uwrite(au_to_arg32(1, "id", id));
3240 		break;
3241 	}
3242 	case AUE_MODADDMAJ: {
3243 		STRUCT_DECL(modconfig, mc);
3244 		typedef struct {
3245 			long	cmd;
3246 			long	subcmd;
3247 			long	data;		/* int * */
3248 		} modconfiga_t;
3249 
3250 		STRUCT_DECL(aliases, alias);
3251 		caddr_t ap;
3252 		int i, num_aliases;
3253 		char *drvname, *mc_drvname;
3254 		char *name;
3255 		extern char *ddi_major_to_name(major_t);
3256 		model_t model;
3257 
3258 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3259 
3260 		model = get_udatamodel();
3261 		STRUCT_INIT(mc, model);
3262 			/* sanitize buffer */
3263 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3264 			/* get user arguments */
3265 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3266 		    STRUCT_SIZE(mc)) != 0)
3267 			return;
3268 
3269 		mc_drvname = STRUCT_FGET(mc, drvname);
3270 		if ((drvname = ddi_major_to_name(
3271 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3272 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3273 				/* safety */
3274 			if (mc_drvname[0] != '\0') {
3275 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3276 				au_uwrite(au_to_text(mc_drvname));
3277 			}
3278 				/* drvname != NULL from test above */
3279 			au_uwrite(au_to_text(drvname));
3280 			return;
3281 		}
3282 
3283 		if (mc_drvname[0] != '\0') {
3284 				/* safety */
3285 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3286 			au_uwrite(au_to_text(mc_drvname));
3287 		} else
3288 			au_uwrite(au_to_text("no drvname"));
3289 
3290 		num_aliases = STRUCT_FGET(mc, num_aliases);
3291 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3292 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3293 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3294 		STRUCT_INIT(alias, model);
3295 		for (i = 0; i < num_aliases; i++) {
3296 			bzero((caddr_t)STRUCT_BUF(alias),
3297 			    STRUCT_SIZE(alias));
3298 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3299 			    STRUCT_SIZE(alias)) != 0)
3300 				break;
3301 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3302 			    MAXMODCONFNAME, NULL) != 0) {
3303 				break;
3304 			}
3305 
3306 			au_uwrite(au_to_text(name));
3307 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3308 		}
3309 		kmem_free(name, MAXMODCONFNAME);
3310 		break;
3311 	}
3312 	default:
3313 		break;
3314 	}
3315 }
3316 
3317 
3318 /*ARGSUSED*/
3319 static void
3320 auf_accept(
3321 	struct t_audit_data *tad,
3322 	int	error,
3323 	rval_t	*rval)
3324 {
3325 	uint32_t scid;
3326 	uint32_t sy_flags;
3327 	int fd;
3328 	struct sonode *so;
3329 	char so_laddr[sizeof (struct sockaddr_in6)];
3330 	char so_faddr[sizeof (struct sockaddr_in6)];
3331 	int err;
3332 	int len;
3333 	short so_family, so_type;
3334 	int add_sock_token = 0;
3335 
3336 	/* need to determine type of executing binary */
3337 	scid = tad->tad_scid;
3338 #ifdef _SYSCALL32_IMPL
3339 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3340 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3341 	else
3342 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3343 #else
3344 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3345 #endif
3346 	if (sy_flags == SE_32RVAL1)
3347 		fd = rval->r_val1;
3348 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3349 		fd = rval->r_val1;
3350 	if (sy_flags == SE_64RVAL)
3351 		fd = (int)rval->r_vals;
3352 
3353 	if (error) {
3354 		/* can't trust socket contents. Just return */
3355 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3356 		return;
3357 	}
3358 
3359 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3360 		/*
3361 		 * not security relevant if doing a accept from non socket
3362 		 * so no extra tokens. Should probably turn off audit record
3363 		 * generation here.
3364 		 */
3365 		return;
3366 	}
3367 
3368 	so_family = so->so_family;
3369 	so_type   = so->so_type;
3370 
3371 	switch (so_family) {
3372 	case AF_INET:
3373 	case AF_INET6:
3374 		/*
3375 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3376 		 */
3377 		if (so->so_type == SOCK_STREAM) {
3378 
3379 			bzero((void *)so_laddr, sizeof (so_laddr));
3380 			bzero((void *)so_faddr, sizeof (so_faddr));
3381 
3382 			/*
3383 			 * no local address then need to get it from lower
3384 			 * levels. only put out record on first read ala
3385 			 * AUE_WRITE.
3386 			 */
3387 			if (so->so_state & SS_ISBOUND) {
3388 				/* only done once on a connection */
3389 				(void) SOP_GETSOCKNAME(so);
3390 				(void) SOP_GETPEERNAME(so);
3391 
3392 				/* get local and foreign addresses */
3393 				mutex_enter(&so->so_lock);
3394 				len = min(so->so_laddr_len, sizeof (so_laddr));
3395 				bcopy(so->so_laddr_sa, so_laddr, len);
3396 				len = min(so->so_faddr_len, sizeof (so_faddr));
3397 				bcopy(so->so_faddr_sa, so_faddr, len);
3398 				mutex_exit(&so->so_lock);
3399 			}
3400 
3401 			add_sock_token = 1;
3402 		}
3403 		break;
3404 
3405 	default:
3406 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3407 		break;
3408 	}
3409 
3410 	releasef(fd);
3411 
3412 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3413 
3414 	if (add_sock_token == 0) {
3415 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3416 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3417 		return;
3418 	}
3419 
3420 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3421 
3422 }
3423 
3424 /*ARGSUSED*/
3425 static void
3426 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3427 {
3428 	struct a {
3429 		long	fd;
3430 		long	addr;
3431 		long	len;
3432 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3433 
3434 	struct sonode *so;
3435 	char so_laddr[sizeof (struct sockaddr_in6)];
3436 	char so_faddr[sizeof (struct sockaddr_in6)];
3437 	int err, fd;
3438 	int len;
3439 	short so_family, so_type;
3440 	int add_sock_token = 0;
3441 
3442 	fd = (int)uap->fd;
3443 
3444 	/*
3445 	 * bind failed, then nothing extra to add to audit record.
3446 	 */
3447 	if (error) {
3448 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3449 		/* XXX may want to add failed address some day */
3450 		return;
3451 	}
3452 
3453 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3454 		/*
3455 		 * not security relevant if doing a bind from non socket
3456 		 * so no extra tokens. Should probably turn off audit record
3457 		 * generation here.
3458 		 */
3459 		return;
3460 	}
3461 
3462 	so_family = so->so_family;
3463 	so_type   = so->so_type;
3464 
3465 	switch (so_family) {
3466 	case AF_INET:
3467 	case AF_INET6:
3468 
3469 		bzero(so_faddr, sizeof (so_faddr));
3470 
3471 		if (so->so_state & SS_ISBOUND) {
3472 			/* only done once on a connection */
3473 			(void) SOP_GETSOCKNAME(so);
3474 		}
3475 
3476 		mutex_enter(&so->so_lock);
3477 		len = min(so->so_laddr_len, sizeof (so_laddr));
3478 		bcopy(so->so_laddr_sa, so_laddr, len);
3479 		mutex_exit(&so->so_lock);
3480 
3481 		add_sock_token = 1;
3482 
3483 		break;
3484 
3485 	case AF_UNIX:
3486 		/* token added by lookup */
3487 		break;
3488 	default:
3489 		/* AF_ROUTE, AF_KEY do not support accept */
3490 		break;
3491 	}
3492 
3493 	releasef(fd);
3494 
3495 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3496 
3497 	if (add_sock_token == 0) {
3498 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3499 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3500 		return;
3501 	}
3502 
3503 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3504 
3505 }
3506 
3507 /*ARGSUSED*/
3508 static void
3509 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3510 {
3511 	struct a {
3512 		long	fd;
3513 		long	addr;
3514 		long	len;
3515 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3516 
3517 	struct sonode *so;
3518 	char so_laddr[sizeof (struct sockaddr_in6)];
3519 	char so_faddr[sizeof (struct sockaddr_in6)];
3520 	int err, fd;
3521 	int len;
3522 	short so_family, so_type;
3523 	int add_sock_token = 0;
3524 
3525 	fd = (int)uap->fd;
3526 
3527 
3528 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3529 		/*
3530 		 * not security relevant if doing a connect from non socket
3531 		 * so no extra tokens. Should probably turn off audit record
3532 		 * generation here.
3533 		 */
3534 		return;
3535 	}
3536 
3537 	so_family = so->so_family;
3538 	so_type   = so->so_type;
3539 
3540 	switch (so_family) {
3541 	case AF_INET:
3542 	case AF_INET6:
3543 		/*
3544 		 * no local address then need to get it from lower
3545 		 * levels.
3546 		 */
3547 		if (so->so_state & SS_ISBOUND) {
3548 			/* only done once on a connection */
3549 			(void) SOP_GETSOCKNAME(so);
3550 			(void) SOP_GETPEERNAME(so);
3551 		}
3552 
3553 		bzero(so_laddr, sizeof (so_laddr));
3554 		bzero(so_faddr, sizeof (so_faddr));
3555 
3556 		mutex_enter(&so->so_lock);
3557 		len = min(so->so_laddr_len, sizeof (so_laddr));
3558 		bcopy(so->so_laddr_sa, so_laddr, len);
3559 		if (error) {
3560 			mutex_exit(&so->so_lock);
3561 			if (uap->addr == NULL)
3562 				break;
3563 			if (uap->len <= 0)
3564 				break;
3565 			len = min(uap->len, sizeof (so_faddr));
3566 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3567 				break;
3568 #ifdef NOTYET
3569 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3570 #endif
3571 		} else {
3572 			/* sanity check on length */
3573 			len = min(so->so_faddr_len, sizeof (so_faddr));
3574 			bcopy(so->so_faddr_sa, so_faddr, len);
3575 			mutex_exit(&so->so_lock);
3576 		}
3577 
3578 		add_sock_token = 1;
3579 
3580 		break;
3581 
3582 	case AF_UNIX:
3583 		/* does a lookup on name */
3584 		break;
3585 
3586 	default:
3587 		/* AF_ROUTE, AF_KEY do not support accept */
3588 		break;
3589 	}
3590 
3591 	releasef(fd);
3592 
3593 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3594 
3595 	if (add_sock_token == 0) {
3596 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3597 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3598 		return;
3599 	}
3600 
3601 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3602 
3603 }
3604 
3605 /*ARGSUSED*/
3606 static void
3607 aus_shutdown(struct t_audit_data *tad)
3608 {
3609 	struct a {
3610 		long	fd;
3611 		long	how;
3612 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3613 
3614 	struct sonode *so;
3615 	char so_laddr[sizeof (struct sockaddr_in6)];
3616 	char so_faddr[sizeof (struct sockaddr_in6)];
3617 	int err, fd;
3618 	int len;
3619 	short so_family, so_type;
3620 	int add_sock_token = 0;
3621 	file_t *fp;				/* unix domain sockets */
3622 	struct f_audit_data *fad;		/* unix domain sockets */
3623 
3624 	fd = (int)uap->fd;
3625 
3626 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3627 		/*
3628 		 * not security relevant if doing a shutdown using non socket
3629 		 * so no extra tokens. Should probably turn off audit record
3630 		 * generation here.
3631 		 */
3632 		return;
3633 	}
3634 
3635 	so_family = so->so_family;
3636 	so_type   = so->so_type;
3637 
3638 	switch (so_family) {
3639 	case AF_INET:
3640 	case AF_INET6:
3641 
3642 		bzero(so_laddr, sizeof (so_laddr));
3643 		bzero(so_faddr, sizeof (so_faddr));
3644 
3645 		if (so->so_state & SS_ISBOUND) {
3646 			/*
3647 			 * no local address then need to get it from lower
3648 			 * levels.
3649 			 */
3650 			if (so->so_laddr_len == 0)
3651 				(void) SOP_GETSOCKNAME(so);
3652 			if (so->so_faddr_len == 0)
3653 				(void) SOP_GETPEERNAME(so);
3654 		}
3655 
3656 		mutex_enter(&so->so_lock);
3657 		len = min(so->so_laddr_len, sizeof (so_laddr));
3658 		bcopy(so->so_laddr_sa, so_laddr, len);
3659 		len = min(so->so_faddr_len, sizeof (so_faddr));
3660 		bcopy(so->so_faddr_sa, so_faddr, len);
3661 		mutex_exit(&so->so_lock);
3662 
3663 		add_sock_token = 1;
3664 
3665 		break;
3666 
3667 	case AF_UNIX:
3668 
3669 		/* get path from file struct here */
3670 		fad = F2A(fp);
3671 		ASSERT(fad);
3672 
3673 		if (fad->fad_aupath != NULL) {
3674 			au_uwrite(au_to_path(fad->fad_aupath));
3675 		} else {
3676 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3677 		}
3678 
3679 		audit_attributes(fp->f_vnode);
3680 
3681 		break;
3682 
3683 	default:
3684 		/*
3685 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3686 		 * added.
3687 		 */
3688 		break;
3689 	}
3690 
3691 	releasef(fd);
3692 
3693 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3694 
3695 	if (add_sock_token == 0) {
3696 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3697 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3698 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3699 		return;
3700 	}
3701 
3702 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3703 
3704 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3705 
3706 }
3707 
3708 /*ARGSUSED*/
3709 static void
3710 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3711 {
3712 	struct a {
3713 		long	fd;
3714 		long	level;
3715 		long	optname;
3716 		long	*optval;
3717 		long	optlen;
3718 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3719 
3720 	struct sonode	*so;
3721 	char so_laddr[sizeof (struct sockaddr_in6)];
3722 	char so_faddr[sizeof (struct sockaddr_in6)];
3723 	char		val[AU_BUFSIZE];
3724 	int		err, fd;
3725 	int		len;
3726 	short so_family, so_type;
3727 	int		add_sock_token = 0;
3728 	file_t *fp;				/* unix domain sockets */
3729 	struct f_audit_data *fad;		/* unix domain sockets */
3730 
3731 	fd = (int)uap->fd;
3732 
3733 	if (error) {
3734 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3735 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3736 		/* XXX may want to include other arguments */
3737 		return;
3738 	}
3739 
3740 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3741 		/*
3742 		 * not security relevant if doing a setsockopt from non socket
3743 		 * so no extra tokens. Should probably turn off audit record
3744 		 * generation here.
3745 		 */
3746 		return;
3747 	}
3748 
3749 	so_family = so->so_family;
3750 	so_type   = so->so_type;
3751 
3752 	switch (so_family) {
3753 	case AF_INET:
3754 	case AF_INET6:
3755 
3756 		bzero((void *)so_laddr, sizeof (so_laddr));
3757 		bzero((void *)so_faddr, sizeof (so_faddr));
3758 
3759 		if (so->so_state & SS_ISBOUND) {
3760 			if (so->so_laddr_len == 0)
3761 				(void) SOP_GETSOCKNAME(so);
3762 			if (so->so_faddr_len == 0)
3763 				(void) SOP_GETPEERNAME(so);
3764 		}
3765 
3766 		/* get local and foreign addresses */
3767 		mutex_enter(&so->so_lock);
3768 		len = min(so->so_laddr_len, sizeof (so_laddr));
3769 		bcopy(so->so_laddr_sa, so_laddr, len);
3770 		len = min(so->so_faddr_len, sizeof (so_faddr));
3771 		bcopy(so->so_faddr_sa, so_faddr, len);
3772 		mutex_exit(&so->so_lock);
3773 
3774 		add_sock_token = 1;
3775 
3776 		break;
3777 
3778 	case AF_UNIX:
3779 
3780 		/* get path from file struct here */
3781 		fad = F2A(fp);
3782 		ASSERT(fad);
3783 
3784 		if (fad->fad_aupath != NULL) {
3785 			au_uwrite(au_to_path(fad->fad_aupath));
3786 		} else {
3787 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3788 		}
3789 
3790 		audit_attributes(fp->f_vnode);
3791 
3792 		break;
3793 
3794 	default:
3795 		/*
3796 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3797 		 * added.
3798 		 */
3799 		break;
3800 	}
3801 
3802 	releasef(fd);
3803 
3804 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3805 
3806 	if (add_sock_token == 0) {
3807 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3808 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3809 	}
3810 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3811 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3812 
3813 	bzero(val, sizeof (val));
3814 	len = min(uap->optlen, sizeof (val));
3815 	if ((len > 0) &&
3816 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3817 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3818 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3819 	}
3820 
3821 	if (add_sock_token == 0)
3822 		return;
3823 
3824 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3825 
3826 }
3827 
3828 /*ARGSUSED*/
3829 static void
3830 aus_sockconfig(tad)
3831 	struct t_audit_data *tad;
3832 {
3833 	struct a {
3834 		long	domain;
3835 		long	type;
3836 		long	protocol;
3837 		long	devpath;
3838 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3839 
3840 	char	*kdevpath;
3841 	int	kdevpathlen = MAXPATHLEN + 1;
3842 	size_t	size;
3843 
3844 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3845 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3846 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3847 
3848 	if (uap->devpath == 0) {
3849 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3850 	} else {
3851 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3852 
3853 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3854 			&size)) {
3855 			kmem_free(kdevpath, kdevpathlen);
3856 			return;
3857 		}
3858 
3859 		if (size > MAXPATHLEN) {
3860 			kmem_free(kdevpath, kdevpathlen);
3861 			return;
3862 		}
3863 
3864 		au_uwrite(au_to_text(kdevpath));
3865 		kmem_free(kdevpath, kdevpathlen);
3866 	}
3867 }
3868 
3869 /*
3870  * only audit recvmsg when the system call represents the creation of a new
3871  * circuit. This effectively occurs for all UDP packets and may occur for
3872  * special TCP situations where the local host has not set a local address
3873  * in the socket structure.
3874  */
3875 /*ARGSUSED*/
3876 static void
3877 auf_recvmsg(
3878 	struct t_audit_data *tad,
3879 	int error,
3880 	rval_t *rvp)
3881 {
3882 	struct a {
3883 		long	fd;
3884 		long	msg;	/* struct msghdr */
3885 		long	flags;
3886 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3887 
3888 	struct sonode	*so;
3889 	STRUCT_DECL(msghdr, msg);
3890 	caddr_t msg_name;
3891 	socklen_t msg_namelen;
3892 	int fd;
3893 	int err;
3894 	char so_laddr[sizeof (struct sockaddr_in6)];
3895 	char so_faddr[sizeof (struct sockaddr_in6)];
3896 	int len;
3897 	file_t *fp;				/* unix domain sockets */
3898 	struct f_audit_data *fad;		/* unix domain sockets */
3899 	short so_family, so_type;
3900 	int add_sock_token = 0;
3901 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3902 
3903 	fd = (int)uap->fd;
3904 
3905 	/* bail if an error */
3906 	if (error) {
3907 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3908 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3909 		return;
3910 	}
3911 
3912 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3913 		/*
3914 		 * not security relevant if doing a recvmsg from non socket
3915 		 * so no extra tokens. Should probably turn off audit record
3916 		 * generation here.
3917 		 */
3918 		return;
3919 	}
3920 
3921 	so_family = so->so_family;
3922 	so_type   = so->so_type;
3923 
3924 	/*
3925 	 * only putout SOCKET_EX token if INET/INET6 family.
3926 	 * XXX - what do we do about other families?
3927 	 */
3928 
3929 	switch (so_family) {
3930 	case AF_INET:
3931 	case AF_INET6:
3932 
3933 		/*
3934 		 * if datagram type socket, then just use what is in
3935 		 * socket structure for local address.
3936 		 * XXX - what do we do for other types?
3937 		 */
3938 		if ((so->so_type == SOCK_DGRAM) ||
3939 		    (so->so_type == SOCK_RAW)) {
3940 			add_sock_token = 1;
3941 
3942 			bzero((void *)so_laddr, sizeof (so_laddr));
3943 			bzero((void *)so_faddr, sizeof (so_faddr));
3944 
3945 			/* get local address */
3946 			mutex_enter(&so->so_lock);
3947 			len = min(so->so_laddr_len, sizeof (so_laddr));
3948 			bcopy(so->so_laddr_sa, so_laddr, len);
3949 			mutex_exit(&so->so_lock);
3950 
3951 			/* get peer address */
3952 			STRUCT_INIT(msg, get_udatamodel());
3953 
3954 			if (copyin((caddr_t)(uap->msg),
3955 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3956 				break;
3957 			}
3958 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3959 			if (msg_name == NULL) {
3960 				break;
3961 			}
3962 
3963 			/* length is value from recvmsg - sanity check */
3964 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3965 			if (msg_namelen == 0) {
3966 				break;
3967 			}
3968 			if (copyin(msg_name, so_faddr,
3969 			    sizeof (so_faddr)) != 0) {
3970 				break;
3971 			}
3972 
3973 		} else if (so->so_type == SOCK_STREAM) {
3974 
3975 			/* get path from file struct here */
3976 			fad = F2A(fp);
3977 			ASSERT(fad);
3978 
3979 			/*
3980 			 * already processed this file for read attempt
3981 			 */
3982 			if (fad->fad_flags & FAD_READ) {
3983 				/* don't want to audit every recvmsg attempt */
3984 				tad->tad_flag = 0;
3985 				/* free any residual audit data */
3986 				au_close(kctx, &(u_ad), 0, 0, 0);
3987 				releasef(fd);
3988 				return;
3989 			}
3990 			/*
3991 			 * mark things so we know what happened and don't
3992 			 * repeat things
3993 			 */
3994 			fad->fad_flags |= FAD_READ;
3995 
3996 			bzero((void *)so_laddr, sizeof (so_laddr));
3997 			bzero((void *)so_faddr, sizeof (so_faddr));
3998 
3999 			if (so->so_state & SS_ISBOUND) {
4000 
4001 				if (so->so_laddr_len == 0)
4002 					(void) SOP_GETSOCKNAME(so);
4003 				if (so->so_faddr_len == 0)
4004 					(void) SOP_GETPEERNAME(so);
4005 
4006 				/* get local and foreign addresses */
4007 				mutex_enter(&so->so_lock);
4008 				len = min(so->so_laddr_len, sizeof (so_laddr));
4009 				bcopy(so->so_laddr_sa, so_laddr, len);
4010 				len = min(so->so_faddr_len, sizeof (so_faddr));
4011 				bcopy(so->so_faddr_sa, so_faddr, len);
4012 				mutex_exit(&so->so_lock);
4013 			}
4014 
4015 			add_sock_token = 1;
4016 		}
4017 
4018 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4019 
4020 		break;
4021 
4022 	case AF_UNIX:
4023 		/*
4024 		 * first check if this is first time through. Too much
4025 		 * duplicate code to put this in an aui_ routine.
4026 		 */
4027 
4028 		/* get path from file struct here */
4029 		fad = F2A(fp);
4030 		ASSERT(fad);
4031 
4032 		/*
4033 		 * already processed this file for read attempt
4034 		 */
4035 		if (fad->fad_flags & FAD_READ) {
4036 			releasef(fd);
4037 			/* don't want to audit every recvmsg attempt */
4038 			tad->tad_flag = 0;
4039 			/* free any residual audit data */
4040 			au_close(kctx, &(u_ad), 0, 0, 0);
4041 			return;
4042 		}
4043 		/*
4044 		 * mark things so we know what happened and don't
4045 		 * repeat things
4046 		 */
4047 		fad->fad_flags |= FAD_READ;
4048 
4049 		if (fad->fad_aupath != NULL) {
4050 			au_uwrite(au_to_path(fad->fad_aupath));
4051 		} else {
4052 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4053 		}
4054 
4055 		audit_attributes(fp->f_vnode);
4056 
4057 		releasef(fd);
4058 
4059 		return;
4060 
4061 	default:
4062 		break;
4063 
4064 	}
4065 
4066 	releasef(fd);
4067 
4068 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4069 
4070 	if (add_sock_token == 0) {
4071 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4072 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4073 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4074 		return;
4075 	}
4076 
4077 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4078 
4079 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4080 
4081 }
4082 
4083 /*ARGSUSED*/
4084 static void
4085 auf_recvfrom(
4086 	struct t_audit_data *tad,
4087 	int error,
4088 	rval_t *rvp)
4089 {
4090 
4091 	struct a {
4092 		long	fd;
4093 		long	msg;	/* char */
4094 		long	len;
4095 		long	flags;
4096 		long	from;	/* struct sockaddr */
4097 		long	fromlen;
4098 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4099 
4100 	socklen_t	fromlen;
4101 	struct sonode	*so;
4102 	char so_laddr[sizeof (struct sockaddr_in6)];
4103 	char so_faddr[sizeof (struct sockaddr_in6)];
4104 	int		fd;
4105 	short so_family, so_type;
4106 	int add_sock_token = 0;
4107 	int len;
4108 	int err;
4109 	struct file *fp;
4110 	struct f_audit_data *fad;		/* unix domain sockets */
4111 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4112 
4113 	fd = (int)uap->fd;
4114 
4115 	/* bail if an error */
4116 	if (error) {
4117 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4118 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4119 		return;
4120 	}
4121 
4122 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4123 		/*
4124 		 * not security relevant if doing a recvmsg from non socket
4125 		 * so no extra tokens. Should probably turn off audit record
4126 		 * generation here.
4127 		 */
4128 		return;
4129 	}
4130 
4131 	so_family = so->so_family;
4132 	so_type   = so->so_type;
4133 
4134 	/*
4135 	 * only putout SOCKET_EX token if INET/INET6 family.
4136 	 * XXX - what do we do about other families?
4137 	 */
4138 
4139 	switch (so_family) {
4140 	case AF_INET:
4141 	case AF_INET6:
4142 
4143 		/*
4144 		 * if datagram type socket, then just use what is in
4145 		 * socket structure for local address.
4146 		 * XXX - what do we do for other types?
4147 		 */
4148 		if ((so->so_type == SOCK_DGRAM) ||
4149 		    (so->so_type == SOCK_RAW)) {
4150 			add_sock_token = 1;
4151 
4152 			/* get local address */
4153 			mutex_enter(&so->so_lock);
4154 			len = min(so->so_laddr_len, sizeof (so_laddr));
4155 			bcopy(so->so_laddr_sa, so_laddr, len);
4156 			mutex_exit(&so->so_lock);
4157 
4158 			/* get peer address */
4159 			bzero((void *)so_faddr, sizeof (so_faddr));
4160 
4161 			/* sanity check */
4162 			if (uap->from == NULL)
4163 				break;
4164 
4165 			/* sanity checks */
4166 			if (uap->fromlen == 0)
4167 				break;
4168 
4169 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4170 			    sizeof (fromlen)) != 0)
4171 				break;
4172 
4173 			if (fromlen == 0)
4174 				break;
4175 
4176 			/* enforce maximum size */
4177 			if (fromlen > sizeof (so_faddr))
4178 				fromlen = sizeof (so_faddr);
4179 
4180 			if (copyin((caddr_t)(uap->from), so_faddr,
4181 			    fromlen) != 0)
4182 				break;
4183 
4184 		} else if (so->so_type == SOCK_STREAM) {
4185 
4186 			/* get path from file struct here */
4187 			fad = F2A(fp);
4188 			ASSERT(fad);
4189 
4190 			/*
4191 			 * already processed this file for read attempt
4192 			 */
4193 			if (fad->fad_flags & FAD_READ) {
4194 				/* don't want to audit every recvfrom attempt */
4195 				tad->tad_flag = 0;
4196 				/* free any residual audit data */
4197 				au_close(kctx, &(u_ad), 0, 0, 0);
4198 				releasef(fd);
4199 				return;
4200 			}
4201 			/*
4202 			 * mark things so we know what happened and don't
4203 			 * repeat things
4204 			 */
4205 			fad->fad_flags |= FAD_READ;
4206 
4207 			bzero((void *)so_laddr, sizeof (so_laddr));
4208 			bzero((void *)so_faddr, sizeof (so_faddr));
4209 
4210 			if (so->so_state & SS_ISBOUND) {
4211 
4212 				if (so->so_laddr_len == 0)
4213 					(void) SOP_GETSOCKNAME(so);
4214 				if (so->so_faddr_len == 0)
4215 					(void) SOP_GETPEERNAME(so);
4216 
4217 				/* get local and foreign addresses */
4218 				mutex_enter(&so->so_lock);
4219 				len = min(so->so_laddr_len, sizeof (so_laddr));
4220 				bcopy(so->so_laddr_sa, so_laddr, len);
4221 				len = min(so->so_faddr_len, sizeof (so_faddr));
4222 				bcopy(so->so_faddr_sa, so_faddr, len);
4223 				mutex_exit(&so->so_lock);
4224 			}
4225 
4226 			add_sock_token = 1;
4227 		}
4228 
4229 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4230 
4231 		break;
4232 
4233 	case AF_UNIX:
4234 		/*
4235 		 * first check if this is first time through. Too much
4236 		 * duplicate code to put this in an aui_ routine.
4237 		 */
4238 
4239 		/* get path from file struct here */
4240 		fad = F2A(fp);
4241 		ASSERT(fad);
4242 
4243 		/*
4244 		 * already processed this file for read attempt
4245 		 */
4246 		if (fad->fad_flags & FAD_READ) {
4247 			/* don't want to audit every recvfrom attempt */
4248 			tad->tad_flag = 0;
4249 			/* free any residual audit data */
4250 			au_close(kctx, &(u_ad), 0, 0, 0);
4251 			releasef(fd);
4252 			return;
4253 		}
4254 		/*
4255 		 * mark things so we know what happened and don't
4256 		 * repeat things
4257 		 */
4258 		fad->fad_flags |= FAD_READ;
4259 
4260 		if (fad->fad_aupath != NULL) {
4261 			au_uwrite(au_to_path(fad->fad_aupath));
4262 		} else {
4263 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4264 		}
4265 
4266 		audit_attributes(fp->f_vnode);
4267 
4268 		releasef(fd);
4269 
4270 		return;
4271 
4272 	default:
4273 		break;
4274 
4275 	}
4276 
4277 	releasef(fd);
4278 
4279 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4280 
4281 	if (add_sock_token == 0) {
4282 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4283 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4284 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4285 		return;
4286 	}
4287 
4288 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4289 
4290 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4291 }
4292 
4293 /*ARGSUSED*/
4294 static void
4295 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4296 {
4297 	struct a {
4298 		long	fd;
4299 		long	msg;	/* struct msghdr */
4300 		long	flags;
4301 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4302 
4303 	struct sonode	*so;
4304 	char so_laddr[sizeof (struct sockaddr_in6)];
4305 	char so_faddr[sizeof (struct sockaddr_in6)];
4306 	int		err;
4307 	int		fd;
4308 	short so_family, so_type;
4309 	int		add_sock_token = 0;
4310 	int		len;
4311 	struct file	*fp;
4312 	struct f_audit_data *fad;
4313 	caddr_t		msg_name;
4314 	socklen_t	msg_namelen;
4315 	STRUCT_DECL(msghdr, msg);
4316 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4317 
4318 	fd = (int)uap->fd;
4319 
4320 	/* bail if an error */
4321 	if (error) {
4322 		/* XXX include destination address from system call arguments */
4323 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4324 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4325 		return;
4326 	}
4327 
4328 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4329 		/*
4330 		 * not security relevant if doing a sendmsg from non socket
4331 		 * so no extra tokens. Should probably turn off audit record
4332 		 * generation here.
4333 		 */
4334 		return;
4335 	}
4336 
4337 	so_family = so->so_family;
4338 	so_type   = so->so_type;
4339 
4340 	switch (so_family) {
4341 	case AF_INET:
4342 	case AF_INET6:
4343 		/*
4344 		 * if datagram type socket, then just use what is in
4345 		 * socket structure for local address.
4346 		 * XXX - what do we do for other types?
4347 		 */
4348 		if ((so->so_type == SOCK_DGRAM) ||
4349 		    (so->so_type == SOCK_RAW)) {
4350 
4351 			bzero((void *)so_laddr, sizeof (so_laddr));
4352 			bzero((void *)so_faddr, sizeof (so_faddr));
4353 
4354 			/* get local address */
4355 			mutex_enter(&so->so_lock);
4356 			len = min(so->so_laddr_len, sizeof (so_laddr));
4357 			bcopy(so->so_laddr_sa, so_laddr, len);
4358 			mutex_exit(&so->so_lock);
4359 
4360 			/* get peer address */
4361 			STRUCT_INIT(msg, get_udatamodel());
4362 
4363 			if (copyin((caddr_t)(uap->msg),
4364 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4365 				break;
4366 			}
4367 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4368 			if (msg_name == NULL)
4369 				break;
4370 
4371 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4372 			/* length is value from recvmsg - sanity check */
4373 			if (msg_namelen == 0)
4374 				break;
4375 
4376 			if (copyin(msg_name, so_faddr,
4377 			    sizeof (so_faddr)) != 0)
4378 				break;
4379 
4380 			add_sock_token = 1;
4381 
4382 		} else if (so->so_type == SOCK_STREAM) {
4383 
4384 			/* get path from file struct here */
4385 			fad = F2A(fp);
4386 			ASSERT(fad);
4387 
4388 			/*
4389 			 * already processed this file for write attempt
4390 			 */
4391 			if (fad->fad_flags & FAD_WRITE) {
4392 				releasef(fd);
4393 				/* don't want to audit every sendmsg attempt */
4394 				tad->tad_flag = 0;
4395 				/* free any residual audit data */
4396 				au_close(kctx, &(u_ad), 0, 0, 0);
4397 				return;
4398 			}
4399 
4400 			/*
4401 			 * mark things so we know what happened and don't
4402 			 * repeat things
4403 			 */
4404 			fad->fad_flags |= FAD_WRITE;
4405 
4406 			bzero((void *)so_laddr, sizeof (so_laddr));
4407 			bzero((void *)so_faddr, sizeof (so_faddr));
4408 
4409 			if (so->so_state & SS_ISBOUND) {
4410 
4411 				if (so->so_laddr_len == 0)
4412 					(void) SOP_GETSOCKNAME(so);
4413 				if (so->so_faddr_len == 0)
4414 					(void) SOP_GETPEERNAME(so);
4415 
4416 				/* get local and foreign addresses */
4417 				mutex_enter(&so->so_lock);
4418 				len = min(so->so_laddr_len, sizeof (so_laddr));
4419 				bcopy(so->so_laddr_sa, so_laddr, len);
4420 				len = min(so->so_faddr_len, sizeof (so_faddr));
4421 				bcopy(so->so_faddr_sa, so_faddr, len);
4422 				mutex_exit(&so->so_lock);
4423 			}
4424 
4425 			add_sock_token = 1;
4426 		}
4427 
4428 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4429 
4430 		break;
4431 
4432 	case AF_UNIX:
4433 		/*
4434 		 * first check if this is first time through. Too much
4435 		 * duplicate code to put this in an aui_ routine.
4436 		 */
4437 
4438 		/* get path from file struct here */
4439 		fad = F2A(fp);
4440 		ASSERT(fad);
4441 
4442 		/*
4443 		 * already processed this file for write attempt
4444 		 */
4445 		if (fad->fad_flags & FAD_WRITE) {
4446 			releasef(fd);
4447 			/* don't want to audit every sendmsg attempt */
4448 			tad->tad_flag = 0;
4449 			/* free any residual audit data */
4450 			au_close(kctx, &(u_ad), 0, 0, 0);
4451 			return;
4452 		}
4453 		/*
4454 		 * mark things so we know what happened and don't
4455 		 * repeat things
4456 		 */
4457 		fad->fad_flags |= FAD_WRITE;
4458 
4459 		if (fad->fad_aupath != NULL) {
4460 			au_uwrite(au_to_path(fad->fad_aupath));
4461 		} else {
4462 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4463 		}
4464 
4465 		audit_attributes(fp->f_vnode);
4466 
4467 		releasef(fd);
4468 
4469 		return;
4470 
4471 	default:
4472 		break;
4473 	}
4474 
4475 	releasef(fd);
4476 
4477 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4478 
4479 	if (add_sock_token == 0) {
4480 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4481 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4482 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4483 		return;
4484 	}
4485 
4486 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4487 
4488 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4489 }
4490 
4491 /*ARGSUSED*/
4492 static void
4493 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4494 {
4495 	struct a {
4496 		long	fd;
4497 		long	msg;	/* char */
4498 		long	len;
4499 		long	flags;
4500 		long	to;	/* struct sockaddr */
4501 		long	tolen;
4502 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4503 
4504 	struct sonode	*so;
4505 	char so_laddr[sizeof (struct sockaddr_in6)];
4506 	char so_faddr[sizeof (struct sockaddr_in6)];
4507 	socklen_t	tolen;
4508 	int		err;
4509 	int		fd;
4510 	int		len;
4511 	short so_family, so_type;
4512 	int		add_sock_token = 0;
4513 	struct file	*fp;
4514 	struct f_audit_data *fad;
4515 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4516 
4517 	fd = (int)uap->fd;
4518 
4519 	/* bail if an error */
4520 	if (error) {
4521 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4522 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4523 		/* XXX include destination address from system call arguments */
4524 		return;
4525 	}
4526 
4527 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4528 		/*
4529 		 * not security relevant if doing a sendto using non socket
4530 		 * so no extra tokens. Should probably turn off audit record
4531 		 * generation here.
4532 		 */
4533 		return;
4534 	}
4535 
4536 	so_family = so->so_family;
4537 	so_type   = so->so_type;
4538 
4539 	/*
4540 	 * only putout SOCKET_EX token if INET/INET6 family.
4541 	 * XXX - what do we do about other families?
4542 	 */
4543 
4544 	switch (so_family) {
4545 	case AF_INET:
4546 	case AF_INET6:
4547 
4548 		/*
4549 		 * if datagram type socket, then just use what is in
4550 		 * socket structure for local address.
4551 		 * XXX - what do we do for other types?
4552 		 */
4553 		if ((so->so_type == SOCK_DGRAM) ||
4554 		    (so->so_type == SOCK_RAW)) {
4555 
4556 			bzero((void *)so_laddr, sizeof (so_laddr));
4557 			bzero((void *)so_faddr, sizeof (so_faddr));
4558 
4559 			/* get local address */
4560 			mutex_enter(&so->so_lock);
4561 			len = min(so->so_laddr_len, sizeof (so_laddr));
4562 			bcopy(so->so_laddr_sa, so_laddr, len);
4563 			mutex_exit(&so->so_lock);
4564 
4565 			/* get peer address */
4566 
4567 			/* sanity check */
4568 			if (uap->to == NULL)
4569 				break;
4570 
4571 			/* sanity checks */
4572 			if (uap->tolen == 0)
4573 				break;
4574 
4575 			tolen = (socklen_t)uap->tolen;
4576 
4577 			/* enforce maximum size */
4578 			if (tolen > sizeof (so_faddr))
4579 				tolen = sizeof (so_faddr);
4580 
4581 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4582 				break;
4583 
4584 			add_sock_token = 1;
4585 		} else {
4586 			/*
4587 			 * check if this is first time through.
4588 			 */
4589 
4590 			/* get path from file struct here */
4591 			fad = F2A(fp);
4592 			ASSERT(fad);
4593 
4594 			/*
4595 			 * already processed this file for write attempt
4596 			 */
4597 			if (fad->fad_flags & FAD_WRITE) {
4598 				/* don't want to audit every sendto attempt */
4599 				tad->tad_flag = 0;
4600 				/* free any residual audit data */
4601 				au_close(kctx, &(u_ad), 0, 0, 0);
4602 				releasef(fd);
4603 				return;
4604 			}
4605 			/*
4606 			 * mark things so we know what happened and don't
4607 			 * repeat things
4608 			 */
4609 			fad->fad_flags |= FAD_WRITE;
4610 
4611 			bzero((void *)so_laddr, sizeof (so_laddr));
4612 			bzero((void *)so_faddr, sizeof (so_faddr));
4613 
4614 			if (so->so_state & SS_ISBOUND) {
4615 
4616 				if (so->so_laddr_len == 0)
4617 					(void) SOP_GETSOCKNAME(so);
4618 				if (so->so_faddr_len == 0)
4619 					(void) SOP_GETPEERNAME(so);
4620 
4621 				/* get local and foreign addresses */
4622 				mutex_enter(&so->so_lock);
4623 				len = min(so->so_laddr_len, sizeof (so_laddr));
4624 				bcopy(so->so_laddr_sa, so_laddr, len);
4625 				len = min(so->so_faddr_len, sizeof (so_faddr));
4626 				bcopy(so->so_faddr_sa, so_faddr, len);
4627 				mutex_exit(&so->so_lock);
4628 			}
4629 
4630 			add_sock_token = 1;
4631 		}
4632 
4633 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4634 
4635 		break;
4636 
4637 	case AF_UNIX:
4638 		/*
4639 		 * first check if this is first time through. Too much
4640 		 * duplicate code to put this in an aui_ routine.
4641 		 */
4642 
4643 		/* get path from file struct here */
4644 		fad = F2A(fp);
4645 		ASSERT(fad);
4646 
4647 		/*
4648 		 * already processed this file for write attempt
4649 		 */
4650 		if (fad->fad_flags & FAD_WRITE) {
4651 			/* don't want to audit every sendto attempt */
4652 			tad->tad_flag = 0;
4653 			/* free any residual audit data */
4654 			au_close(kctx, &(u_ad), 0, 0, 0);
4655 			releasef(fd);
4656 			return;
4657 		}
4658 		/*
4659 		 * mark things so we know what happened and don't
4660 		 * repeat things
4661 		 */
4662 		fad->fad_flags |= FAD_WRITE;
4663 
4664 		if (fad->fad_aupath != NULL) {
4665 			au_uwrite(au_to_path(fad->fad_aupath));
4666 		} else {
4667 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4668 		}
4669 
4670 		audit_attributes(fp->f_vnode);
4671 
4672 		releasef(fd);
4673 
4674 		return;
4675 
4676 	default:
4677 		break;
4678 
4679 	}
4680 
4681 	releasef(fd);
4682 
4683 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4684 
4685 	if (add_sock_token == 0) {
4686 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4687 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4688 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4689 		return;
4690 	}
4691 
4692 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4693 
4694 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4695 
4696 }
4697 
4698 /*
4699  * XXX socket(2) may be equivalent to open(2) on a unix domain
4700  * socket. This needs investigation.
4701  */
4702 
4703 /*ARGSUSED*/
4704 static void
4705 aus_socket(struct t_audit_data *tad)
4706 {
4707 	struct a {
4708 		long	domain;
4709 		long	type;
4710 		long	protocol;
4711 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4712 
4713 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4714 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4715 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4716 }
4717 
4718 /*ARGSUSED*/
4719 static void
4720 aus_sigqueue(struct t_audit_data *tad)
4721 {
4722 	struct a {
4723 		long	pid;
4724 		long	signo;
4725 		long	*val;
4726 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4727 	struct proc *p;
4728 	uid_t uid, ruid;
4729 	gid_t gid, rgid;
4730 	pid_t pid;
4731 	const auditinfo_addr_t *ainfo;
4732 	cred_t *cr;
4733 
4734 	pid = (pid_t)uap->pid;
4735 
4736 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4737 	if (pid > 0) {
4738 		mutex_enter(&pidlock);
4739 		if ((p = prfind(pid)) == (struct proc *)0) {
4740 			mutex_exit(&pidlock);
4741 			return;
4742 		}
4743 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4744 		mutex_exit(&pidlock);
4745 
4746 		mutex_enter(&p->p_crlock);
4747 		crhold(cr = p->p_cred);
4748 		mutex_exit(&p->p_crlock);
4749 		mutex_exit(&p->p_lock);
4750 
4751 		ainfo = crgetauinfo(cr);
4752 		if (ainfo == NULL) {
4753 			crfree(cr);
4754 			return;
4755 		}
4756 
4757 		uid  = crgetuid(cr);
4758 		gid  = crgetgid(cr);
4759 		ruid = crgetruid(cr);
4760 		rgid = crgetrgid(cr);
4761 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4762 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4763 		crfree(cr);
4764 	}
4765 	else
4766 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4767 }
4768 
4769 /*ARGSUSED*/
4770 static void
4771 aus_inst_sync(struct t_audit_data *tad)
4772 {
4773 	struct a {
4774 		long	name;	/* char */
4775 		long	flags;
4776 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4777 
4778 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4779 }
4780 
4781 /*ARGSUSED*/
4782 static void
4783 aus_brandsys(struct t_audit_data *tad)
4784 {
4785 	klwp_t *clwp = ttolwp(curthread);
4786 
4787 	struct a {
4788 		long	cmd;
4789 		long	arg1;
4790 		long	arg2;
4791 		long	arg3;
4792 		long	arg4;
4793 		long	arg5;
4794 		long	arg6;
4795 	} *uap = (struct a *)clwp->lwp_ap;
4796 
4797 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4798 #ifdef _LP64
4799 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4800 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4801 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4802 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4803 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4804 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4805 #else
4806 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4807 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4808 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4809 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4810 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4811 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4812 #endif
4813 }
4814 
4815 /*ARGSUSED*/
4816 static void
4817 aus_p_online(struct t_audit_data *tad)
4818 {
4819 	struct a {
4820 		long	processor_id;
4821 		long	flag;
4822 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4823 
4824 	struct flags {
4825 			int	flag;
4826 			char	*cflag;
4827 	} aflags[6] = {
4828 			{ P_ONLINE, "P_ONLINE"},
4829 			{ P_OFFLINE, "P_OFFLINE"},
4830 			{ P_NOINTR, "P_NOINTR"},
4831 			{ P_SPARE, "P_SPARE"},
4832 			{ P_FAULTED, "P_FAULTED"},
4833 			{ P_STATUS, "P_STATUS"}
4834 	};
4835 	int i;
4836 	char *cflag;
4837 
4838 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4839 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4840 
4841 	for (i = 0; i < 6; i++) {
4842 		if (aflags[i].flag == uap->flag)
4843 			break;
4844 	}
4845 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4846 
4847 	au_uwrite(au_to_text(cflag));
4848 }
4849 
4850 /*ARGSUSED*/
4851 static void
4852 aus_processor_bind(struct t_audit_data *tad)
4853 {
4854 	struct a {
4855 		long	id_type;
4856 		long	id;
4857 		long	processor_id;
4858 		long	obind;
4859 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4860 
4861 	struct proc *p;
4862 	int lwpcnt;
4863 	uid_t uid, ruid;
4864 	gid_t gid, rgid;
4865 	pid_t pid;
4866 	const auditinfo_addr_t *ainfo;
4867 	cred_t *cr;
4868 
4869 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4870 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4871 	if (uap->processor_id == PBIND_NONE)
4872 		au_uwrite(au_to_text("PBIND_NONE"));
4873 	else
4874 		au_uwrite(au_to_arg32(3, "processor_id",
4875 		    (uint32_t)uap->processor_id));
4876 
4877 	switch (uap->id_type) {
4878 	case P_MYID:
4879 	case P_LWPID:
4880 		mutex_enter(&pidlock);
4881 		p = ttoproc(curthread);
4882 		if (p == NULL || p->p_as == &kas) {
4883 			mutex_exit(&pidlock);
4884 			return;
4885 		}
4886 		mutex_enter(&p->p_lock);
4887 		mutex_exit(&pidlock);
4888 		lwpcnt = p->p_lwpcnt;
4889 		pid  = p->p_pid;
4890 
4891 		mutex_enter(&p->p_crlock);
4892 		crhold(cr = p->p_cred);
4893 		mutex_exit(&p->p_crlock);
4894 		mutex_exit(&p->p_lock);
4895 
4896 		ainfo = crgetauinfo(cr);
4897 		if (ainfo == NULL) {
4898 			crfree(cr);
4899 			return;
4900 		}
4901 
4902 		uid  = crgetuid(cr);
4903 		gid  = crgetgid(cr);
4904 		ruid = crgetruid(cr);
4905 		rgid = crgetrgid(cr);
4906 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4907 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4908 		crfree(cr);
4909 		break;
4910 	case P_PID:
4911 		mutex_enter(&pidlock);
4912 		p = prfind(uap->id);
4913 		if (p == NULL || p->p_as == &kas) {
4914 			mutex_exit(&pidlock);
4915 			return;
4916 		}
4917 		mutex_enter(&p->p_lock);
4918 		mutex_exit(&pidlock);
4919 		lwpcnt = p->p_lwpcnt;
4920 		pid  = p->p_pid;
4921 
4922 		mutex_enter(&p->p_crlock);
4923 		crhold(cr = p->p_cred);
4924 		mutex_exit(&p->p_crlock);
4925 		mutex_exit(&p->p_lock);
4926 
4927 		ainfo = crgetauinfo(cr);
4928 		if (ainfo == NULL) {
4929 			crfree(cr);
4930 			return;
4931 		}
4932 
4933 		uid  = crgetuid(cr);
4934 		gid  = crgetgid(cr);
4935 		ruid = crgetruid(cr);
4936 		rgid = crgetrgid(cr);
4937 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4938 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4939 		crfree(cr);
4940 
4941 		break;
4942 	default:
4943 		return;
4944 	}
4945 
4946 	if (uap->processor_id == PBIND_NONE &&
4947 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4948 		au_uwrite(au_to_text("PBIND_NONE for process"));
4949 	else
4950 		au_uwrite(au_to_arg32(3, "processor_id",
4951 		    (uint32_t)uap->processor_id));
4952 }
4953 
4954 /*ARGSUSED*/
4955 static au_event_t
4956 aui_doorfs(au_event_t e)
4957 {
4958 	uint32_t code;
4959 
4960 	struct a {		/* doorfs */
4961 		long	a1;
4962 		long	a2;
4963 		long	a3;
4964 		long	a4;
4965 		long	a5;
4966 		long	code;
4967 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4968 
4969 	/*
4970 	 *	audit formats for several of the
4971 	 *	door calls have not yet been determined
4972 	 */
4973 	code = (uint32_t)uap->code;
4974 	switch (code) {
4975 	case DOOR_CALL:
4976 		e = AUE_DOORFS_DOOR_CALL;
4977 		break;
4978 	case DOOR_RETURN:
4979 		e = AUE_NULL;
4980 		break;
4981 	case DOOR_CREATE:
4982 		e = AUE_DOORFS_DOOR_CREATE;
4983 		break;
4984 	case DOOR_REVOKE:
4985 		e = AUE_DOORFS_DOOR_REVOKE;
4986 		break;
4987 	case DOOR_INFO:
4988 		e = AUE_NULL;
4989 		break;
4990 	case DOOR_UCRED:
4991 		e = AUE_NULL;
4992 		break;
4993 	case DOOR_BIND:
4994 		e = AUE_NULL;
4995 		break;
4996 	case DOOR_UNBIND:
4997 		e = AUE_NULL;
4998 		break;
4999 	case DOOR_GETPARAM:
5000 		e = AUE_NULL;
5001 		break;
5002 	case DOOR_SETPARAM:
5003 		e = AUE_NULL;
5004 		break;
5005 	default:	/* illegal system call */
5006 		e = AUE_NULL;
5007 		break;
5008 	}
5009 
5010 	return (e);
5011 }
5012 
5013 static door_node_t *
5014 au_door_lookup(int did)
5015 {
5016 	vnode_t	*vp;
5017 	file_t *fp;
5018 
5019 	if ((fp = getf(did)) == NULL)
5020 		return (NULL);
5021 	/*
5022 	 * Use the underlying vnode (we may be namefs mounted)
5023 	 */
5024 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5025 		vp = fp->f_vnode;
5026 
5027 	if (vp == NULL || vp->v_type != VDOOR) {
5028 		releasef(did);
5029 		return (NULL);
5030 	}
5031 
5032 	return (VTOD(vp));
5033 }
5034 
5035 /*ARGSUSED*/
5036 static void
5037 aus_doorfs(struct t_audit_data *tad)
5038 {
5039 
5040 	struct a {		/* doorfs */
5041 		long	a1;
5042 		long	a2;
5043 		long	a3;
5044 		long	a4;
5045 		long	a5;
5046 		long	code;
5047 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5048 
5049 	door_node_t	*dp;
5050 	struct proc	*p;
5051 	uint32_t	did;
5052 	uid_t uid, ruid;
5053 	gid_t gid, rgid;
5054 	pid_t pid;
5055 	const auditinfo_addr_t *ainfo;
5056 	cred_t *cr;
5057 
5058 	did = (uint32_t)uap->a1;
5059 
5060 	switch (tad->tad_event) {
5061 	case AUE_DOORFS_DOOR_CALL:
5062 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5063 		if ((dp = au_door_lookup(did)) == NULL)
5064 			break;
5065 
5066 		if (DOOR_INVALID(dp)) {
5067 			releasef(did);
5068 			break;
5069 		}
5070 
5071 		if ((p = dp->door_target) == NULL) {
5072 			releasef(did);
5073 			break;
5074 		}
5075 		mutex_enter(&p->p_lock);
5076 		releasef(did);
5077 
5078 		pid  = p->p_pid;
5079 
5080 		mutex_enter(&p->p_crlock);
5081 		crhold(cr = p->p_cred);
5082 		mutex_exit(&p->p_crlock);
5083 		mutex_exit(&p->p_lock);
5084 
5085 		ainfo = crgetauinfo(cr);
5086 		if (ainfo == NULL) {
5087 			crfree(cr);
5088 			return;
5089 		}
5090 		uid  = crgetuid(cr);
5091 		gid  = crgetgid(cr);
5092 		ruid = crgetruid(cr);
5093 		rgid = crgetrgid(cr);
5094 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5095 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5096 		crfree(cr);
5097 		break;
5098 	case AUE_DOORFS_DOOR_RETURN:
5099 		/*
5100 		 * We may want to write information about
5101 		 * all doors (if any) which will be copied
5102 		 * by this call to the user space
5103 		 */
5104 		break;
5105 	case AUE_DOORFS_DOOR_CREATE:
5106 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5107 		break;
5108 	case AUE_DOORFS_DOOR_REVOKE:
5109 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5110 		break;
5111 	case AUE_DOORFS_DOOR_INFO:
5112 		break;
5113 	case AUE_DOORFS_DOOR_CRED:
5114 		break;
5115 	case AUE_DOORFS_DOOR_BIND:
5116 		break;
5117 	case AUE_DOORFS_DOOR_UNBIND: {
5118 		break;
5119 	}
5120 	default:	/* illegal system call */
5121 		break;
5122 	}
5123 }
5124 
5125 /*ARGSUSED*/
5126 static au_event_t
5127 aui_acl(au_event_t e)
5128 {
5129 	struct a {
5130 		union {
5131 			long	name;	/* char */
5132 			long	fd;
5133 		}		obj;
5134 
5135 		long		cmd;
5136 		long		nentries;
5137 		long		arg;	/* aclent_t */
5138 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5139 
5140 	switch (uap->cmd) {
5141 	case SETACL:
5142 	case ACE_SETACL:
5143 		/*
5144 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5145 		 * are expected.
5146 		 */
5147 		break;
5148 	case GETACL:
5149 	case GETACLCNT:
5150 	case ACE_GETACLCNT:
5151 		/* do nothing for these two values. */
5152 		e = AUE_NULL;
5153 		break;
5154 	default:
5155 		/* illegal system call */
5156 		break;
5157 	}
5158 
5159 	return (e);
5160 }
5161 
5162 static void
5163 au_acl(int cmd, int nentries, caddr_t bufp)
5164 {
5165 	size_t		a_size;
5166 	aclent_t	*aclbufp;
5167 	ace_t		*acebufp;
5168 	int		i;
5169 
5170 	switch (cmd) {
5171 	case GETACL:
5172 	case GETACLCNT:
5173 		break;
5174 	case SETACL:
5175 		if (nentries < 3)
5176 			break;
5177 
5178 		a_size = nentries * sizeof (aclent_t);
5179 
5180 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5181 			break;
5182 		if (copyin(bufp, aclbufp, a_size)) {
5183 			kmem_free(aclbufp, a_size);
5184 			break;
5185 		}
5186 		for (i = 0; i < nentries; i++) {
5187 			au_uwrite(au_to_acl(aclbufp + i));
5188 		}
5189 		kmem_free(aclbufp, a_size);
5190 		break;
5191 
5192 	case ACE_SETACL:
5193 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5194 			break;
5195 
5196 		a_size = nentries * sizeof (ace_t);
5197 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5198 			break;
5199 		if (copyin(bufp, acebufp, a_size)) {
5200 			kmem_free(acebufp, a_size);
5201 			break;
5202 		}
5203 		for (i = 0; i < nentries; i++) {
5204 			au_uwrite(au_to_ace(acebufp + i));
5205 		}
5206 		kmem_free(acebufp, a_size);
5207 		break;
5208 	default:
5209 		break;
5210 	}
5211 }
5212 
5213 /*ARGSUSED*/
5214 static void
5215 aus_acl(struct t_audit_data *tad)
5216 {
5217 	struct a {
5218 		long	fname;
5219 		long	cmd;
5220 		long	nentries;
5221 		long	aclbufp;
5222 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5223 
5224 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5225 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5226 
5227 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5228 }
5229 
5230 /*ARGSUSED*/
5231 static void
5232 aus_facl(struct t_audit_data *tad)
5233 {
5234 	struct a {
5235 		long	fd;
5236 		long	cmd;
5237 		long	nentries;
5238 		long	aclbufp;
5239 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5240 	struct file  *fp;
5241 	struct vnode *vp;
5242 	struct f_audit_data *fad;
5243 	int fd;
5244 
5245 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5246 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5247 
5248 	fd = (int)uap->fd;
5249 
5250 	if ((fp = getf(fd)) == NULL)
5251 		return;
5252 
5253 	/* get path from file struct here */
5254 	fad = F2A(fp);
5255 	if (fad->fad_aupath != NULL) {
5256 		au_uwrite(au_to_path(fad->fad_aupath));
5257 	} else {
5258 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5259 	}
5260 
5261 	vp = fp->f_vnode;
5262 	audit_attributes(vp);
5263 
5264 	/* decrement file descriptor reference count */
5265 	releasef(fd);
5266 
5267 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5268 }
5269 
5270 /*ARGSUSED*/
5271 static void
5272 auf_read(tad, error, rval)
5273 	struct t_audit_data *tad;
5274 	int error;
5275 	rval_t *rval;
5276 {
5277 	struct file *fp;
5278 	struct f_audit_data *fad;
5279 	int fd;
5280 	register struct a {
5281 		long	fd;
5282 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5283 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5284 
5285 	fd = (int)uap->fd;
5286 
5287 	/*
5288 	 * convert file pointer to file descriptor
5289 	 *   Note: fd ref count incremented here.
5290 	 */
5291 	if ((fp = getf(fd)) == NULL)
5292 		return;
5293 
5294 	/* get path from file struct here */
5295 	fad = F2A(fp);
5296 	ASSERT(fad);
5297 
5298 	/*
5299 	 * already processed this file for read attempt
5300 	 *
5301 	 * XXX might be better to turn off auditing in a aui_read() routine.
5302 	 */
5303 	if (fad->fad_flags & FAD_READ) {
5304 		/* don't really want to audit every read attempt */
5305 		tad->tad_flag = 0;
5306 		/* free any residual audit data */
5307 		au_close(kctx, &(u_ad), 0, 0, 0);
5308 		releasef(fd);
5309 		return;
5310 	}
5311 	/* mark things so we know what happened and don't repeat things */
5312 	fad->fad_flags |= FAD_READ;
5313 
5314 	if (fad->fad_aupath != NULL) {
5315 		au_uwrite(au_to_path(fad->fad_aupath));
5316 	} else {
5317 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5318 	}
5319 
5320 	/* include attributes */
5321 	audit_attributes(fp->f_vnode);
5322 
5323 	/* decrement file descriptor reference count */
5324 	releasef(fd);
5325 }
5326 
5327 /*ARGSUSED*/
5328 static void
5329 auf_write(tad, error, rval)
5330 	struct t_audit_data *tad;
5331 	int error;
5332 	rval_t *rval;
5333 {
5334 	struct file *fp;
5335 	struct f_audit_data *fad;
5336 	int fd;
5337 	register struct a {
5338 		long	fd;
5339 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5340 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5341 
5342 	fd = (int)uap->fd;
5343 
5344 	/*
5345 	 * convert file pointer to file descriptor
5346 	 *   Note: fd ref count incremented here.
5347 	 */
5348 	if ((fp = getf(fd)) == NULL)
5349 		return;
5350 
5351 	/* get path from file struct here */
5352 	fad = F2A(fp);
5353 	ASSERT(fad);
5354 
5355 	/*
5356 	 * already processed this file for write attempt
5357 	 *
5358 	 * XXX might be better to turn off auditing in a aus_write() routine.
5359 	 */
5360 	if (fad->fad_flags & FAD_WRITE) {
5361 		/* don't really want to audit every write attempt */
5362 		tad->tad_flag = 0;
5363 		/* free any residual audit data */
5364 		au_close(kctx, &(u_ad), 0, 0, 0);
5365 		releasef(fd);
5366 		return;
5367 	}
5368 	/* mark things so we know what happened and don't repeat things */
5369 	fad->fad_flags |= FAD_WRITE;
5370 
5371 	if (fad->fad_aupath != NULL) {
5372 		au_uwrite(au_to_path(fad->fad_aupath));
5373 	} else {
5374 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5375 	}
5376 
5377 	/* include attributes */
5378 	audit_attributes(fp->f_vnode);
5379 
5380 	/* decrement file descriptor reference count */
5381 	releasef(fd);
5382 }
5383 
5384 /*ARGSUSED*/
5385 static void
5386 auf_recv(tad, error, rval)
5387 	struct t_audit_data *tad;
5388 	int error;
5389 	rval_t *rval;
5390 {
5391 	struct sonode *so;
5392 	char so_laddr[sizeof (struct sockaddr_in6)];
5393 	char so_faddr[sizeof (struct sockaddr_in6)];
5394 	struct file *fp;
5395 	struct f_audit_data *fad;
5396 	int fd;
5397 	int err;
5398 	int len;
5399 	short so_family, so_type;
5400 	register struct a {
5401 		long	fd;
5402 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5403 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5404 
5405 	/*
5406 	 * If there was an error, then nothing to do. Only generate
5407 	 * audit record on first successful recv.
5408 	 */
5409 	if (error) {
5410 		/* Turn off audit record generation here. */
5411 		tad->tad_flag = 0;
5412 		/* free any residual audit data */
5413 		au_close(kctx, &(u_ad), 0, 0, 0);
5414 		return;
5415 	}
5416 
5417 	fd = (int)uap->fd;
5418 
5419 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5420 		/* Turn off audit record generation here. */
5421 		tad->tad_flag = 0;
5422 		/* free any residual audit data */
5423 		au_close(kctx, &(u_ad), 0, 0, 0);
5424 		return;
5425 	}
5426 
5427 	/* get path from file struct here */
5428 	fad = F2A(fp);
5429 	ASSERT(fad);
5430 
5431 	/*
5432 	 * already processed this file for read attempt
5433 	 */
5434 	if (fad->fad_flags & FAD_READ) {
5435 		releasef(fd);
5436 		/* don't really want to audit every recv call */
5437 		tad->tad_flag = 0;
5438 		/* free any residual audit data */
5439 		au_close(kctx, &(u_ad), 0, 0, 0);
5440 		return;
5441 	}
5442 
5443 	/* mark things so we know what happened and don't repeat things */
5444 	fad->fad_flags |= FAD_READ;
5445 
5446 	so_family = so->so_family;
5447 	so_type   = so->so_type;
5448 
5449 	switch (so_family) {
5450 	case AF_INET:
5451 	case AF_INET6:
5452 		/*
5453 		 * Only for connections.
5454 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5455 		 */
5456 		if (so->so_state & SS_ISBOUND) {
5457 
5458 			bzero((void *)so_laddr, sizeof (so_laddr));
5459 			bzero((void *)so_faddr, sizeof (so_faddr));
5460 
5461 			/* only done once on a connection */
5462 			(void) SOP_GETSOCKNAME(so);
5463 			(void) SOP_GETPEERNAME(so);
5464 
5465 			/* get local and foreign addresses */
5466 			mutex_enter(&so->so_lock);
5467 			len = min(so->so_laddr_len, sizeof (so_laddr));
5468 			bcopy(so->so_laddr_sa, so_laddr, len);
5469 			len = min(so->so_faddr_len, sizeof (so_faddr));
5470 			bcopy(so->so_faddr_sa, so_faddr, len);
5471 			mutex_exit(&so->so_lock);
5472 
5473 			/*
5474 			 * only way to drop out of switch. Note that we
5475 			 * we release fd below.
5476 			 */
5477 
5478 			break;
5479 		}
5480 
5481 		releasef(fd);
5482 
5483 		/* don't really want to audit every recv call */
5484 		tad->tad_flag = 0;
5485 		/* free any residual audit data */
5486 		au_close(kctx, &(u_ad), 0, 0, 0);
5487 
5488 		return;
5489 
5490 	case AF_UNIX:
5491 
5492 		if (fad->fad_aupath != NULL) {
5493 			au_uwrite(au_to_path(fad->fad_aupath));
5494 		} else {
5495 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5496 		}
5497 
5498 		audit_attributes(fp->f_vnode);
5499 
5500 		releasef(fd);
5501 
5502 		return;
5503 
5504 	default:
5505 		releasef(fd);
5506 
5507 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5508 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5509 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5510 
5511 		return;
5512 	}
5513 
5514 	releasef(fd);
5515 
5516 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5517 
5518 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5519 
5520 }
5521 
5522 /*ARGSUSED*/
5523 static void
5524 auf_send(tad, error, rval)
5525 	struct t_audit_data *tad;
5526 	int error;
5527 	rval_t *rval;
5528 {
5529 	struct sonode *so;
5530 	char so_laddr[sizeof (struct sockaddr_in6)];
5531 	char so_faddr[sizeof (struct sockaddr_in6)];
5532 	struct file *fp;
5533 	struct f_audit_data *fad;
5534 	int fd;
5535 	int err;
5536 	int len;
5537 	short so_family, so_type;
5538 	register struct a {
5539 		long	fd;
5540 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5541 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5542 
5543 	fd = (int)uap->fd;
5544 
5545 	/*
5546 	 * If there was an error, then nothing to do. Only generate
5547 	 * audit record on first successful send.
5548 	 */
5549 	if (error != 0) {
5550 		/* Turn off audit record generation here. */
5551 		tad->tad_flag = 0;
5552 		/* free any residual audit data */
5553 		au_close(kctx, &(u_ad), 0, 0, 0);
5554 		return;
5555 	}
5556 
5557 	fd = (int)uap->fd;
5558 
5559 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5560 		/* Turn off audit record generation here. */
5561 		tad->tad_flag = 0;
5562 		/* free any residual audit data */
5563 		au_close(kctx, &(u_ad), 0, 0, 0);
5564 		return;
5565 	}
5566 
5567 	/* get path from file struct here */
5568 	fad = F2A(fp);
5569 	ASSERT(fad);
5570 
5571 	/*
5572 	 * already processed this file for write attempt
5573 	 */
5574 	if (fad->fad_flags & FAD_WRITE) {
5575 		releasef(fd);
5576 		/* don't really want to audit every send call */
5577 		tad->tad_flag = 0;
5578 		/* free any residual audit data */
5579 		au_close(kctx, &(u_ad), 0, 0, 0);
5580 		return;
5581 	}
5582 
5583 	/* mark things so we know what happened and don't repeat things */
5584 	fad->fad_flags |= FAD_WRITE;
5585 
5586 	so_family = so->so_family;
5587 	so_type   = so->so_type;
5588 
5589 	switch (so_family) {
5590 	case AF_INET:
5591 	case AF_INET6:
5592 		/*
5593 		 * Only for connections.
5594 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5595 		 */
5596 		if (so->so_state & SS_ISBOUND) {
5597 
5598 			bzero((void *)so_laddr, sizeof (so_laddr));
5599 			bzero((void *)so_faddr, sizeof (so_faddr));
5600 
5601 			/* only done once on a connection */
5602 			(void) SOP_GETSOCKNAME(so);
5603 			(void) SOP_GETPEERNAME(so);
5604 
5605 			/* get local and foreign addresses */
5606 			mutex_enter(&so->so_lock);
5607 			len = min(so->so_laddr_len, sizeof (so_laddr));
5608 			bcopy(so->so_laddr_sa, so_laddr, len);
5609 			len = min(so->so_faddr_len, sizeof (so_faddr));
5610 			bcopy(so->so_faddr_sa, so_faddr, len);
5611 			mutex_exit(&so->so_lock);
5612 
5613 			/*
5614 			 * only way to drop out of switch. Note that we
5615 			 * we release fd below.
5616 			 */
5617 
5618 			break;
5619 		}
5620 
5621 		releasef(fd);
5622 		/* don't really want to audit every send call */
5623 		tad->tad_flag = 0;
5624 		/* free any residual audit data */
5625 		au_close(kctx, &(u_ad), 0, 0, 0);
5626 
5627 		return;
5628 
5629 	case AF_UNIX:
5630 
5631 		if (fad->fad_aupath != NULL) {
5632 			au_uwrite(au_to_path(fad->fad_aupath));
5633 		} else {
5634 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5635 		}
5636 
5637 		audit_attributes(fp->f_vnode);
5638 
5639 		releasef(fd);
5640 
5641 		return;
5642 
5643 	default:
5644 		releasef(fd);
5645 
5646 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5647 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5648 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5649 
5650 		return;
5651 	}
5652 
5653 	releasef(fd);
5654 
5655 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5656 
5657 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5658 }
5659 
5660 static au_event_t
5661 aui_forksys(au_event_t e)
5662 {
5663 	struct a {
5664 		long	subcode;
5665 		long	flags;
5666 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5667 
5668 	switch ((uint_t)uap->subcode) {
5669 	case 0:
5670 		e = AUE_FORK1;
5671 		break;
5672 	case 1:
5673 		e = AUE_FORKALL;
5674 		break;
5675 	case 2:
5676 		e = AUE_VFORK;
5677 		break;
5678 	default:
5679 		e = AUE_NULL;
5680 		break;
5681 	}
5682 
5683 	return (e);
5684 }
5685 
5686 /*ARGSUSED*/
5687 static au_event_t
5688 aui_portfs(au_event_t e)
5689 {
5690 	struct a {		/* portfs */
5691 		long	a1;
5692 		long	a2;
5693 		long	a3;
5694 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5695 
5696 	/*
5697 	 * check opcode
5698 	 */
5699 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5700 	case PORT_ASSOCIATE:
5701 	case PORT_DISSOCIATE:
5702 		/*
5703 		 * check source
5704 		 */
5705 		if ((uint_t)uap->a3 == PORT_SOURCE_FILE) {
5706 			e = AUE_PORTFS;
5707 		} else {
5708 			e = AUE_NULL;
5709 		}
5710 		break;
5711 	default:
5712 		e = AUE_NULL;
5713 	}
5714 	return (e);
5715 }
5716