xref: /titanic_52/usr/src/uts/common/c2/audit_event.c (revision 3f7d54a6b84904c8f4d8daa4c7b577bede7df8b9)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * This file contains the audit event table used to control the production
29  * of audit records for each system call.
30  */
31 
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h>	/* for sysinfo auditing */
37 #include <sys/utsname.h>	/* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h>		/* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h>		/* for accept */
56 #include <sys/utssys.h>		/* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/vfs_opreg.h>
76 #include <fs/sockfs/sockcommon.h>
77 #include <netinet/in.h>
78 #include <sys/ddi.h>
79 #include <sys/port_impl.h>
80 
81 
82 char	_depends_on[] = "fs/sockfs";
83 
84 static au_event_t	aui_fchownat(au_event_t);
85 static au_event_t	aui_open(au_event_t);
86 static au_event_t	aui_openat(au_event_t);
87 static au_event_t	aui_unlinkat(au_event_t);
88 static au_event_t	aui_fstatat(au_event_t);
89 static au_event_t	aui_msgsys(au_event_t);
90 static au_event_t	aui_shmsys(au_event_t);
91 static au_event_t	aui_semsys(au_event_t);
92 static au_event_t	aui_utssys(au_event_t);
93 static au_event_t	aui_fcntl(au_event_t);
94 static au_event_t	aui_execve(au_event_t);
95 static au_event_t	aui_memcntl(au_event_t);
96 static au_event_t	aui_sysinfo(au_event_t);
97 static au_event_t	aui_portfs(au_event_t);
98 static au_event_t	aui_auditsys(au_event_t);
99 static au_event_t	aui_modctl(au_event_t);
100 static au_event_t	aui_acl(au_event_t);
101 static au_event_t	aui_doorfs(au_event_t);
102 static au_event_t	aui_privsys(au_event_t);
103 static au_event_t	aui_forksys(au_event_t);
104 static au_event_t	aui_labelsys(au_event_t);
105 static au_event_t	aui_setpgrp(au_event_t);
106 
107 static void	aus_exit(struct t_audit_data *);
108 static void	aus_open(struct t_audit_data *);
109 static void	aus_openat(struct t_audit_data *);
110 static void	aus_acl(struct t_audit_data *);
111 static void	aus_acct(struct t_audit_data *);
112 static void	aus_chown(struct t_audit_data *);
113 static void	aus_fchown(struct t_audit_data *);
114 static void	aus_lchown(struct t_audit_data *);
115 static void	aus_fchownat(struct t_audit_data *);
116 static void	aus_chmod(struct t_audit_data *);
117 static void	aus_facl(struct t_audit_data *);
118 static void	aus_fchmod(struct t_audit_data *);
119 static void	aus_fcntl(struct t_audit_data *);
120 static void	aus_mkdir(struct t_audit_data *);
121 static void	aus_mknod(struct t_audit_data *);
122 static void	aus_mount(struct t_audit_data *);
123 static void	aus_umount2(struct t_audit_data *);
124 static void	aus_msgsys(struct t_audit_data *);
125 static void	aus_semsys(struct t_audit_data *);
126 static void	aus_close(struct t_audit_data *);
127 static void	aus_fstatfs(struct t_audit_data *);
128 static void	aus_setgid(struct t_audit_data *);
129 static void	aus_setpgrp(struct t_audit_data *);
130 static void	aus_setuid(struct t_audit_data *);
131 static void	aus_shmsys(struct t_audit_data *);
132 static void	aus_doorfs(struct t_audit_data *);
133 static void	aus_ioctl(struct t_audit_data *);
134 static void	aus_memcntl(struct t_audit_data *);
135 static void	aus_mmap(struct t_audit_data *);
136 static void	aus_munmap(struct t_audit_data *);
137 static void	aus_priocntlsys(struct t_audit_data *);
138 static void	aus_setegid(struct t_audit_data *);
139 static void	aus_setgroups(struct t_audit_data *);
140 static void	aus_seteuid(struct t_audit_data *);
141 static void	aus_putmsg(struct t_audit_data *);
142 static void	aus_putpmsg(struct t_audit_data *);
143 static void	aus_getmsg(struct t_audit_data *);
144 static void	aus_getpmsg(struct t_audit_data *);
145 static void	aus_auditsys(struct t_audit_data *);
146 static void	aus_sysinfo(struct t_audit_data *);
147 static void	aus_modctl(struct t_audit_data *);
148 static void	aus_kill(struct t_audit_data *);
149 static void	aus_setregid(struct t_audit_data *);
150 static void	aus_setreuid(struct t_audit_data *);
151 static void	aus_labelsys(struct t_audit_data *);
152 
153 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
154 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
155 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
156 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
157 static void	auf_read(struct t_audit_data *, int, rval_t *);
158 static void	auf_write(struct t_audit_data *, int, rval_t *);
159 
160 static void	aus_sigqueue(struct t_audit_data *);
161 static void	aus_p_online(struct t_audit_data *);
162 static void	aus_processor_bind(struct t_audit_data *);
163 static void	aus_inst_sync(struct t_audit_data *);
164 static void	aus_brandsys(struct t_audit_data *);
165 
166 static void	auf_accept(struct t_audit_data *, int, rval_t *);
167 
168 static void	auf_bind(struct t_audit_data *, int, rval_t *);
169 static void	auf_connect(struct t_audit_data *, int, rval_t *);
170 static void	aus_shutdown(struct t_audit_data *);
171 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
172 static void	aus_sockconfig(struct t_audit_data *);
173 static void	auf_recv(struct t_audit_data *, int, rval_t *);
174 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
175 static void	auf_send(struct t_audit_data *, int, rval_t *);
176 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
177 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
178 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
179 static void	aus_socket(struct t_audit_data *);
180 /*
181  * This table contains mapping information for converting system call numbers
182  * to audit event IDs. In several cases it is necessary to map a single system
183  * call to several events.
184  */
185 
186 #define	aui_null	NULL	/* NULL initialize function */
187 #define	aus_null	NULL	/* NULL start function */
188 #define	auf_null	NULL	/* NULL finish function */
189 
190 struct audit_s2e audit_s2e[] =
191 {
192 /*
193  * ----------	---------- 	----------	----------
194  * INITIAL	AUDIT		START		SYSTEM
195  * PROCESSING	EVENT		PROCESSING	CALL
196  * ----------	----------	----------	-----------
197  *		FINISH		EVENT
198  *		PROCESSING	CONTROL
199  * ----------------------------------------------------------
200  */
201 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
202 		auf_null,	0,
203 aui_null,	AUE_EXIT,	aus_exit,	/* 1 exit */
204 		auf_null,	S2E_NPT,
205 aui_null,	AUE_NULL,	aus_null,	/* 2 (loadable) was forkall */
206 		auf_null,	0,
207 aui_null,	AUE_READ,	aus_null,	/* 3 read */
208 		auf_read,	S2E_PUB,
209 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
210 		auf_write,	0,
211 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
212 		auf_null,	S2E_SP,
213 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
214 		auf_null,	0,
215 aui_null,	AUE_NULL,	aus_null,	/* 7 (loadable) was wait */
216 		auf_null,	0,
217 aui_null,	AUE_NULL,	aus_null,	/* 8 (loadable) was creat */
218 		auf_null,	0,
219 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
220 		auf_null,	0,
221 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
222 		auf_null,	0,
223 aui_null,	AUE_NULL,	aus_null,	/* 11 (loadable) was exec */
224 		auf_null,	0,
225 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
226 		auf_null,	S2E_SP,
227 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
228 		auf_null,	0,
229 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
230 		auf_mknod,	0,
231 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
232 		auf_null,	0,
233 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
234 		auf_null,	0,
235 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
236 		auf_null,	0,
237 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
238 		auf_null,	S2E_PUB,
239 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
240 		auf_null,	0,
241 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
242 		auf_null,	0,
243 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
244 		auf_null,	S2E_MLD,
245 aui_null,	AUE_NULL,	aus_null,	/* 22 (loadable) was umount */
246 		auf_null,	0,
247 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
248 		auf_null,	0,
249 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
250 		auf_null,	0,
251 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 26 pcsample */
254 		auf_null,	0,
255 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 30 (loadable) was utime */
262 		auf_null,	0,
263 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
264 		auf_null,	0,
265 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
266 		auf_null,	0,
267 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
268 		auf_null,	S2E_PUB,
269 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
270 		auf_null,	0,
271 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
272 		auf_null,	S2E_PUB,
273 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
274 		auf_null,	0,
275 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
276 		auf_null,	0,
277 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
278 		auf_null,	S2E_PUB,
279 aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
280 		auf_null,	0,
281 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
282 		auf_null,	0,
283 aui_null,	AUE_NULL,	aus_null,	/* 41 (loadable) was dup */
284 		auf_null,	0,
285 aui_null,	AUE_PIPE,	aus_null,	/* 42 (loadable) pipe */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
288 		auf_null,	0,
289 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
290 		auf_null,	0,
291 aui_null,	AUE_ACCESS,	aus_null,	/* 45 faccessat */
292 		auf_null,	S2E_PUB | S2E_ATC,
293 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
294 		auf_null,	0,
295 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
296 		auf_null,	0,
297 aui_null,	AUE_NULL,	aus_null,	/* 48 (loadable) was ssig */
298 		auf_null,	0,
299 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) msgsys */
300 		auf_msgsys,	0,
301 #if defined(__x86)
302 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
303 		auf_null,	0,
304 #else
305 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
306 		auf_null,	0,
307 #endif /* __x86 */
308 aui_null,	AUE_ACCT,	aus_acct,	/* 51 (loadable) sysacct */
309 		auf_null,	0,
310 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 (loadable) shmsys */
311 		auf_shmsys,	0,
312 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 (loadable) semsys */
313 		auf_semsys,	0,
314 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
315 		auf_null,	0,
316 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
317 		auf_null,	0,
318 aui_fchownat,	AUE_NULL,	aus_fchownat,	/* 56 fchownat */
319 		auf_null,	S2E_ATC,
320 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
321 		auf_null,	0,
322 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
323 		auf_null,	0,
324 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
325 		auf_null,	S2E_MLD,
326 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
327 		auf_null,	0,
328 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
329 		auf_null,	S2E_SP,
330 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
331 		auf_null,	0,
332 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
333 		auf_null,	0,
334 aui_null,	AUE_RENAME,	aus_null,	/* 64 renameat */
335 		auf_null,	S2E_ATC,
336 aui_unlinkat,	AUE_NULL,	aus_null,	/* 65 unlinkat */
337 		auf_null,	S2E_ATC,
338 aui_fstatat,	AUE_NULL,	aus_null,	/* 66 fstatat */
339 		auf_null,	S2E_PUB | S2E_ATC,
340 aui_fstatat,	AUE_NULL,	aus_null,	/* 67 fstatat64 */
341 		auf_null,	S2E_PUB | S2E_ATC,
342 aui_openat,	AUE_OPEN,	aus_openat,	/* 68 openat */
343 		auf_null,	S2E_SP | S2E_ATC,
344 aui_openat,	AUE_OPEN,	aus_openat,	/* 69 openat64 */
345 		auf_null,	S2E_SP | S2E_ATC,
346 aui_null,	AUE_NULL,	aus_null,	/* 70 tasksys */
347 		auf_null,	0,
348 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) acctctl */
349 		auf_null,	0,
350 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) exacct */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 73 getpagesizes */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 74 rctlsys */
355 		auf_null,	0,
356 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 76 (loadable) was fsat */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 77 syslwp_park */
361 		auf_null,	0,
362 aui_null,	AUE_NULL,	aus_null,	/* 78 sendfilev */
363 		auf_null,	0,
364 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
365 		auf_null,	0,
366 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
367 		auf_null,	0,
368 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
369 		auf_null,	0,
370 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
371 		auf_null,	0,
372 aui_null,	AUE_NULL,	aus_null,	/* 83 ucredsys */
373 		auf_null,	0,
374 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
375 		auf_null,	0,
376 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
377 		auf_null,	0,
378 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
379 		auf_null,	0,
380 aui_null,	AUE_NULL,	aus_null,	/* 87 (loadable) was poll */
381 		auf_null,	0,
382 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
383 		auf_null,	S2E_PUB,
384 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
385 		auf_null,	0,
386 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
387 		auf_null,	S2E_PUB,
388 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
389 		auf_null,	0,
390 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
391 		auf_null,	0,
392 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
393 		auf_null,	0,
394 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
395 		auf_null,	0,
396 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
397 		auf_null,	0,
398 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) */
409 		auf_null,	0,
410 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
411 		auf_null,	0,
412 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
413 		auf_null,	S2E_PUB,
414 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
415 		auf_null,	0,
416 aui_null,	AUE_NULL,	aus_null,	/* 105 getloadavg */
417 		auf_null,	0,
418 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
419 		auf_null,	0,
420 aui_null,	AUE_NULL,	aus_null,	/* 107 waitsys */
421 		auf_null,	0,
422 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendsys */
423 		auf_null,	0,
424 #if defined(__x86)
425 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
426 		auf_null,	0,
427 #else
428 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
429 		auf_null,	0,
430 #endif /* __x86 */
431 aui_null,	AUE_UTIMES,	aus_null,	/* 110 utimesys */
432 		auf_null,	S2E_ATC,
433 aui_null,	AUE_NULL,	aus_null,	/* 111 sigresend */
434 		auf_null,	0,
435 aui_null,	AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
436 		auf_null,	0,
437 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
438 		auf_null,	S2E_PUB,
439 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
440 		auf_null,	0,
441 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
442 		auf_null,	0,
443 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
444 		auf_null,	0,
445 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
446 		auf_null,	0,
447 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
448 		auf_null,	0,
449 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
450 		auf_null,	0,
451 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
452 		auf_null,	0,
453 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
454 		auf_read,	S2E_PUB,
455 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
456 		auf_write,	0,
457 aui_null,	AUE_NULL,	aus_null,	/* 123 (loadable) was xstat */
458 		auf_null,	0,
459 aui_null,	AUE_NULL,	aus_null,	/* 124 (loadable) was lxstat */
460 		auf_null,	0,
461 aui_null,	AUE_NULL,	aus_null,	/* 125 (loadable) was fxstat */
462 		auf_null,	0,
463 aui_null,	AUE_NULL,	aus_null,	/* 126 (loadable) was xmknod */
464 		auf_null,	0,
465 aui_null,	AUE_NULL,	aus_null,	/* 127 mmapobj */
466 		auf_null,	0,
467 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
468 		auf_null,	0,
469 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
470 		auf_null,	0,
471 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
472 		auf_null,	0,
473 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
474 		auf_null,	0,
475 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
476 		auf_null,	0,
477 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
478 		auf_null,	0,
479 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
480 		auf_null,	0,
481 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
482 		auf_null,	0,
483 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
484 		auf_null,	0,
485 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
486 		auf_null,	0,
487 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
488 		auf_null,	0,
489 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
490 		auf_null,	0,
491 aui_null,	AUE_NULL,	aus_null,	/* 140 (loadable) sharefs */
492 		auf_null,	0,
493 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
494 		auf_null,	0,
495 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
496 		auf_null,	0,
497 aui_null,	AUE_NULL,	aus_null,	/* 143 (loadable) was fork1 */
498 		auf_null,	0,
499 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
500 		auf_null,	0,
501 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
502 		auf_null,	0,
503 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
504 		auf_null,	0,
505 aui_null,	AUE_NULL,	aus_null,	/* 147 (loadable) */
506 						/*	was lwp_sema_wait */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 150 lwp_detach */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 151 corectl */
515 		auf_null,	0,
516 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
517 		auf_null,	0,
518 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
519 		auf_null,	0,
520 aui_null,	AUE_NULL,	aus_null,	/* 154 (loadable) was utimes */
521 		auf_null,	0,
522 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 165 lwp_sigmask */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 166 lwp_private */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
547 		auf_null,	0,
548 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 169 (loadable) */
551 						/*	was lwp_mutex_lock */
552 		auf_null,	0,
553 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
554 		auf_null,	0,
555 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
556 		auf_null,	0,
557 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
558 		auf_null,	0,
559 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
560 		auf_read,	S2E_PUB,
561 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
562 		auf_write,	0,
563 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
564 		auf_null,	0,
565 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) inst_sync */
566 		auf_null,	0,
567 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
568 		auf_null,	0,
569 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) kaio */
570 		auf_null,	0,
571 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) cpc */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 180 lgrpsys */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 181 rusagesys */
576 		auf_null,	0,
577 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
578 		auf_null,	S2E_MLD,
579 aui_null,	AUE_NULL,	aus_null,	/* 183 pollsys */
580 		auf_null,	0,
581 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
582 		auf_null,	0,
583 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
584 		auf_null,	0,
585 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
586 		auf_null,	0,
587 aui_null,	AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
588 		auf_null,	0,
589 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
590 		auf_null,	0,
591 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
592 		auf_null,	0,
593 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
594 		auf_null,	0,
595 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
596 		auf_null,	0,
597 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
600 		auf_null,	0,
601 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
612 		auf_null,	0,
613 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
614 		auf_null,	0,
615 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
616 		auf_null,	0,
617 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
618 		auf_null,	0,
619 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
620 		auf_null,	0,
621 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
622 		auf_null,	0,
623 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 208 sparc_utrap_install */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 */
640 		auf_null,	0,
641 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
642 		auf_null,	0,
643 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
644 		auf_null,	S2E_PUB,
645 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
646 		auf_null,	S2E_PUB,
647 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
648 		auf_null,	0,
649 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
650 		auf_null,	S2E_PUB,
651 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
652 		auf_null,	0,
653 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
654 		auf_null,	0,
655 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
656 		auf_null,	0,
657 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
658 		auf_read,	S2E_PUB,
659 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
660 		auf_write,	0,
661 aui_null,	AUE_NULL,	aus_null,	/* 224 (loadable) was creat64 */
662 		auf_null,	0,
663 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
664 		auf_null,	S2E_SP,
665 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
666 		auf_null,	0,
667 aui_null,	AUE_NULL,	aus_null,	/* 227 zone */
668 		auf_null,	0,
669 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) autofssys */
670 		auf_null,	0,
671 aui_null,	AUE_NULL,	aus_null,	/* 229 getcwd */
672 		auf_null,	0,
673 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
674 		auf_null,	0,
675 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
676 		auf_null,	0,
677 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
678 		auf_bind,	0,
679 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
680 		auf_null,	0,
681 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
682 		auf_accept,	0,
683 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
684 		auf_connect,	0,
685 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
686 		auf_null,	0,
687 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
688 		auf_recv,	0,
689 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
690 		auf_recvfrom,	0,
691 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
692 		auf_recvmsg,	0,
693 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
694 		auf_send,	0,
695 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
696 		auf_sendmsg,	0,
697 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
698 		auf_sendto,	0,
699 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
700 		auf_null,	0,
701 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
702 		auf_null,	0,
703 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
704 		auf_null,	0,
705 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
706 		auf_setsockopt,	0,
707 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
708 		auf_null,	0,
709 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
710 		auf_null,	0,
711 aui_null,	AUE_NTP_ADJTIME, aus_null,	/* 249 ntp_adjtime */
712 		auf_null,	0,
713 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
714 		auf_null,	0,
715 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
722 		auf_null,	0,
723 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
724 		auf_null,	0
725 };
726 
727 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
728 
729 
730 /* exit start function */
731 /*ARGSUSED*/
732 static void
733 aus_exit(struct t_audit_data *tad)
734 {
735 	uint32_t rval;
736 	struct a {
737 		long rval;
738 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
739 
740 	rval = (uint32_t)uap->rval;
741 	au_uwrite(au_to_arg32(1, "exit status", rval));
742 }
743 
744 /* acct start function */
745 /*ARGSUSED*/
746 static void
747 aus_acct(struct t_audit_data *tad)
748 {
749 	klwp_t *clwp = ttolwp(curthread);
750 	uintptr_t fname;
751 
752 	struct a {
753 		long	fname;		/* char * */
754 	} *uap = (struct a *)clwp->lwp_ap;
755 
756 	fname = (uintptr_t)uap->fname;
757 
758 	if (fname == 0)
759 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
760 }
761 
762 /* chown start function */
763 /*ARGSUSED*/
764 static void
765 aus_chown(struct t_audit_data *tad)
766 {
767 	klwp_t *clwp = ttolwp(curthread);
768 	uint32_t uid, gid;
769 
770 	struct a {
771 		long	fname;		/* char * */
772 		long	uid;
773 		long	gid;
774 	} *uap = (struct a *)clwp->lwp_ap;
775 
776 	uid = (uint32_t)uap->uid;
777 	gid = (uint32_t)uap->gid;
778 
779 	au_uwrite(au_to_arg32(2, "new file uid", uid));
780 	au_uwrite(au_to_arg32(3, "new file gid", gid));
781 }
782 
783 /* fchown start function */
784 /*ARGSUSED*/
785 static void
786 aus_fchown(struct t_audit_data *tad)
787 {
788 	klwp_t *clwp = ttolwp(curthread);
789 	uint32_t uid, gid, fd;
790 	struct file  *fp;
791 	struct vnode *vp;
792 	struct f_audit_data *fad;
793 
794 	struct a {
795 		long fd;
796 		long uid;
797 		long gid;
798 	} *uap = (struct a *)clwp->lwp_ap;
799 
800 	fd  = (uint32_t)uap->fd;
801 	uid = (uint32_t)uap->uid;
802 	gid = (uint32_t)uap->gid;
803 
804 	au_uwrite(au_to_arg32(2, "new file uid", uid));
805 	au_uwrite(au_to_arg32(3, "new file gid", gid));
806 
807 		/*
808 		 * convert file pointer to file descriptor
809 		 *   Note: fd ref count incremented here.
810 		 */
811 	if ((fp = getf(fd)) == NULL)
812 		return;
813 
814 	/* get path from file struct here */
815 	fad = F2A(fp);
816 	if (fad->fad_aupath != NULL) {
817 		au_uwrite(au_to_path(fad->fad_aupath));
818 	} else {
819 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
820 	}
821 
822 	vp = fp->f_vnode;
823 	audit_attributes(vp);
824 
825 	/* decrement file descriptor reference count */
826 	releasef(fd);
827 }
828 
829 /*ARGSUSED*/
830 static void
831 aus_lchown(struct t_audit_data *tad)
832 {
833 	klwp_t *clwp = ttolwp(curthread);
834 	uint32_t uid, gid;
835 
836 
837 	struct a {
838 		long	fname;		/* char	* */
839 		long	uid;
840 		long	gid;
841 	} *uap = (struct a *)clwp->lwp_ap;
842 
843 	uid = (uint32_t)uap->uid;
844 	gid = (uint32_t)uap->gid;
845 
846 	au_uwrite(au_to_arg32(2, "new file uid", uid));
847 	au_uwrite(au_to_arg32(3, "new file gid", gid));
848 }
849 
850 static au_event_t
851 aui_fchownat(au_event_t e)
852 {
853 	klwp_t *clwp = ttolwp(curthread);
854 
855 	struct a {
856 		long	fd;
857 		long	fname;		/* char * */
858 		long	uid;
859 		long	gid;
860 		long	flags;
861 	} *uap = (struct a *)clwp->lwp_ap;
862 
863 	if (uap->fname == NULL)
864 		e = AUE_FCHOWN;
865 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
866 		e = AUE_LCHOWN;
867 	else
868 		e = AUE_CHOWN;
869 
870 	return (e);
871 }
872 
873 /*ARGSUSED*/
874 static void
875 aus_fchownat(struct t_audit_data *tad)
876 {
877 	klwp_t *clwp = ttolwp(curthread);
878 	uint32_t uid, gid;
879 
880 	struct a {
881 		long	fd;
882 		long	fname;		/* char * */
883 		long	uid;
884 		long	gid;
885 		long	flags;
886 	} *uap = (struct a *)clwp->lwp_ap;
887 
888 	uid = (uint32_t)uap->uid;
889 	gid = (uint32_t)uap->gid;
890 
891 	au_uwrite(au_to_arg32(3, "new file uid", uid));
892 	au_uwrite(au_to_arg32(4, "new file gid", gid));
893 }
894 
895 /* chmod start function */
896 /*ARGSUSED*/
897 static void
898 aus_chmod(struct t_audit_data *tad)
899 {
900 	klwp_t *clwp = ttolwp(curthread);
901 	uint32_t fmode;
902 
903 	struct a {
904 		long	fname;		/* char	* */
905 		long	fmode;
906 	} *uap = (struct a *)clwp->lwp_ap;
907 
908 	fmode = (uint32_t)uap->fmode;
909 
910 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
911 }
912 
913 /* chmod start function */
914 /*ARGSUSED*/
915 static void
916 aus_fchmod(struct t_audit_data *tad)
917 {
918 	klwp_t *clwp = ttolwp(curthread);
919 	uint32_t fmode, fd;
920 	struct file  *fp;
921 	struct vnode *vp;
922 	struct f_audit_data *fad;
923 
924 	struct a {
925 		long	fd;
926 		long	fmode;
927 	} *uap = (struct a *)clwp->lwp_ap;
928 
929 	fd = (uint32_t)uap->fd;
930 	fmode = (uint32_t)uap->fmode;
931 
932 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
933 
934 		/*
935 		 * convert file pointer to file descriptor
936 		 *   Note: fd ref count incremented here.
937 		 */
938 	if ((fp = getf(fd)) == NULL)
939 		return;
940 
941 		/* get path from file struct here */
942 	fad = F2A(fp);
943 	if (fad->fad_aupath != NULL) {
944 		au_uwrite(au_to_path(fad->fad_aupath));
945 	} else {
946 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
947 	}
948 
949 	vp = fp->f_vnode;
950 	audit_attributes(vp);
951 
952 	/* decrement file descriptor reference count */
953 	releasef(fd);
954 }
955 
956 /*
957  * convert open mode to appropriate open event
958  */
959 au_event_t
960 open_event(uint_t fm)
961 {
962 	au_event_t e;
963 
964 	switch (fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) {
965 	case O_RDONLY:
966 		e = AUE_OPEN_R;
967 		break;
968 	case O_RDONLY | O_CREAT:
969 		e = AUE_OPEN_RC;
970 		break;
971 	case O_RDONLY | O_TRUNC:
972 		e = AUE_OPEN_RT;
973 		break;
974 	case O_RDONLY | O_TRUNC | O_CREAT:
975 		e = AUE_OPEN_RTC;
976 		break;
977 	case O_WRONLY:
978 		e = AUE_OPEN_W;
979 		break;
980 	case O_WRONLY | O_CREAT:
981 		e = AUE_OPEN_WC;
982 		break;
983 	case O_WRONLY | O_TRUNC:
984 		e = AUE_OPEN_WT;
985 		break;
986 	case O_WRONLY | O_TRUNC | O_CREAT:
987 		e = AUE_OPEN_WTC;
988 		break;
989 	case O_RDWR:
990 		e = AUE_OPEN_RW;
991 		break;
992 	case O_RDWR | O_CREAT:
993 		e = AUE_OPEN_RWC;
994 		break;
995 	case O_RDWR | O_TRUNC:
996 		e = AUE_OPEN_RWT;
997 		break;
998 	case O_RDWR | O_TRUNC | O_CREAT:
999 		e = AUE_OPEN_RWTC;
1000 		break;
1001 	default:
1002 		e = AUE_NULL;
1003 		break;
1004 	}
1005 
1006 	return (e);
1007 }
1008 
1009 /* ARGSUSED */
1010 static au_event_t
1011 aui_open(au_event_t e)
1012 {
1013 	t_audit_data_t *tad = T2A(curthread);
1014 	klwp_t *clwp = ttolwp(curthread);
1015 	uint_t fm;
1016 
1017 	struct a {
1018 		long	fnamep;		/* char	* */
1019 		long	fmode;
1020 		long	cmode;
1021 	} *uap = (struct a *)clwp->lwp_ap;
1022 
1023 	fm = (uint_t)uap->fmode;
1024 
1025 	/* convert to appropriate au_ctrl */
1026 	if (fm & (FXATTR | FXATTRDIROPEN))
1027 		tad->tad_ctrl |= PAD_ATTPATH;
1028 
1029 	return (open_event(fm));
1030 }
1031 
1032 static void
1033 aus_open(struct t_audit_data *tad)
1034 {
1035 	klwp_t *clwp = ttolwp(curthread);
1036 	uint_t fm;
1037 
1038 	struct a {
1039 		long	fnamep;		/* char	* */
1040 		long	fmode;
1041 		long	cmode;
1042 	} *uap = (struct a *)clwp->lwp_ap;
1043 
1044 	fm = (uint_t)uap->fmode;
1045 
1046 	/* If no write, create, or trunc modes, mark as a public op */
1047 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1048 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1049 }
1050 
1051 /* ARGSUSED */
1052 static au_event_t
1053 aui_openat(au_event_t e)
1054 {
1055 	t_audit_data_t *tad = T2A(curthread);
1056 	klwp_t *clwp = ttolwp(curthread);
1057 	uint_t fm;
1058 
1059 	struct a {
1060 		long	filedes;
1061 		long	fnamep;		/* char	* */
1062 		long	fmode;
1063 		long	cmode;
1064 	} *uap = (struct a *)clwp->lwp_ap;
1065 
1066 	fm = (uint_t)uap->fmode;
1067 
1068 	/* convert to appropriate au_ctrl */
1069 	if (fm & (FXATTR | FXATTRDIROPEN))
1070 		tad->tad_ctrl |= PAD_ATTPATH;
1071 
1072 	return (open_event(fm));
1073 }
1074 
1075 static void
1076 aus_openat(struct t_audit_data *tad)
1077 {
1078 	klwp_t *clwp = ttolwp(curthread);
1079 	uint_t fm;
1080 
1081 	struct a {
1082 		long	filedes;
1083 		long	fnamep;		/* char	* */
1084 		long	fmode;
1085 		long	cmode;
1086 	} *uap = (struct a *)clwp->lwp_ap;
1087 
1088 	fm = (uint_t)uap->fmode;
1089 
1090 	/* If no write, create, or trunc modes, mark as a public op */
1091 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1092 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1093 }
1094 
1095 static au_event_t
1096 aui_unlinkat(au_event_t e)
1097 {
1098 	klwp_t *clwp = ttolwp(curthread);
1099 
1100 	struct a {
1101 		long	filedes;
1102 		long	fnamep;		/* char	* */
1103 		long	flags;
1104 	} *uap = (struct a *)clwp->lwp_ap;
1105 
1106 	if (uap->flags & AT_REMOVEDIR)
1107 		e = AUE_RMDIR;
1108 	else
1109 		e = AUE_UNLINK;
1110 
1111 	return (e);
1112 }
1113 
1114 static au_event_t
1115 aui_fstatat(au_event_t e)
1116 {
1117 	klwp_t *clwp = ttolwp(curthread);
1118 
1119 	struct a {
1120 		long	filedes;
1121 		long	fnamep;		/* char	* */
1122 		long	statb;
1123 		long	flags;
1124 	} *uap = (struct a *)clwp->lwp_ap;
1125 
1126 	if (uap->fnamep == NULL)
1127 		e = AUE_FSTAT;
1128 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1129 		e = AUE_LSTAT;
1130 	else
1131 		e = AUE_STAT;
1132 
1133 	return (e);
1134 }
1135 
1136 /* msgsys */
1137 static au_event_t
1138 aui_msgsys(au_event_t e)
1139 {
1140 	klwp_t *clwp = ttolwp(curthread);
1141 	uint_t fm;
1142 
1143 	struct a {
1144 		long	id;	/* function code id */
1145 		long	ap;	/* arg pointer for recvmsg */
1146 	} *uap = (struct a *)clwp->lwp_ap;
1147 
1148 	struct b {
1149 		long	msgid;
1150 		long	cmd;
1151 		long	buf;	/* struct msqid_ds * */
1152 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1153 
1154 	fm  = (uint_t)uap->id;
1155 
1156 	switch (fm) {
1157 	case 0:		/* msgget */
1158 		e = AUE_MSGGET;
1159 		break;
1160 	case 1:		/* msgctl */
1161 		switch ((uint_t)uap1->cmd) {
1162 		case IPC_RMID:
1163 			e = AUE_MSGCTL_RMID;
1164 			break;
1165 		case IPC_SET:
1166 			e = AUE_MSGCTL_SET;
1167 			break;
1168 		case IPC_STAT:
1169 			e = AUE_MSGCTL_STAT;
1170 			break;
1171 		default:
1172 			e = AUE_MSGCTL;
1173 			break;
1174 		}
1175 		break;
1176 	case 2:		/* msgrcv */
1177 		e = AUE_MSGRCV;
1178 		break;
1179 	case 3:		/* msgsnd */
1180 		e = AUE_MSGSND;
1181 		break;
1182 	default:	/* illegal system call */
1183 		e = AUE_NULL;
1184 		break;
1185 	}
1186 
1187 	return (e);
1188 }
1189 
1190 
1191 /* shmsys */
1192 static au_event_t
1193 aui_shmsys(au_event_t e)
1194 {
1195 	klwp_t *clwp = ttolwp(curthread);
1196 	int fm;
1197 
1198 	struct a {		/* shmsys */
1199 		long	id;	/* function code id */
1200 	} *uap = (struct a *)clwp->lwp_ap;
1201 
1202 	struct b {		/* ctrl */
1203 		long	shmid;
1204 		long	cmd;
1205 		long	arg;		/* struct shmid_ds * */
1206 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1207 	fm  = (uint_t)uap->id;
1208 
1209 	switch (fm) {
1210 	case 0:		/* shmat */
1211 		e = AUE_SHMAT;
1212 		break;
1213 	case 1:		/* shmctl */
1214 		switch ((uint_t)uap1->cmd) {
1215 		case IPC_RMID:
1216 			e = AUE_SHMCTL_RMID;
1217 			break;
1218 		case IPC_SET:
1219 			e = AUE_SHMCTL_SET;
1220 			break;
1221 		case IPC_STAT:
1222 			e = AUE_SHMCTL_STAT;
1223 			break;
1224 		default:
1225 			e = AUE_SHMCTL;
1226 			break;
1227 		}
1228 		break;
1229 	case 2:		/* shmdt */
1230 		e = AUE_SHMDT;
1231 		break;
1232 	case 3:		/* shmget */
1233 		e = AUE_SHMGET;
1234 		break;
1235 	default:	/* illegal system call */
1236 		e = AUE_NULL;
1237 		break;
1238 	}
1239 
1240 	return (e);
1241 }
1242 
1243 
1244 /* semsys */
1245 static au_event_t
1246 aui_semsys(au_event_t e)
1247 {
1248 	klwp_t *clwp = ttolwp(curthread);
1249 	uint_t fm;
1250 
1251 	struct a {		/* semsys */
1252 		long	id;
1253 	} *uap = (struct a *)clwp->lwp_ap;
1254 
1255 	struct b {		/* ctrl */
1256 		long	semid;
1257 		long	semnum;
1258 		long	cmd;
1259 		long	arg;
1260 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1261 
1262 	fm = (uint_t)uap->id;
1263 
1264 	switch (fm) {
1265 	case 0:		/* semctl */
1266 		switch ((uint_t)uap1->cmd) {
1267 		case IPC_RMID:
1268 			e = AUE_SEMCTL_RMID;
1269 			break;
1270 		case IPC_SET:
1271 			e = AUE_SEMCTL_SET;
1272 			break;
1273 		case IPC_STAT:
1274 			e = AUE_SEMCTL_STAT;
1275 			break;
1276 		case GETNCNT:
1277 			e = AUE_SEMCTL_GETNCNT;
1278 			break;
1279 		case GETPID:
1280 			e = AUE_SEMCTL_GETPID;
1281 			break;
1282 		case GETVAL:
1283 			e = AUE_SEMCTL_GETVAL;
1284 			break;
1285 		case GETALL:
1286 			e = AUE_SEMCTL_GETALL;
1287 			break;
1288 		case GETZCNT:
1289 			e = AUE_SEMCTL_GETZCNT;
1290 			break;
1291 		case SETVAL:
1292 			e = AUE_SEMCTL_SETVAL;
1293 			break;
1294 		case SETALL:
1295 			e = AUE_SEMCTL_SETALL;
1296 			break;
1297 		default:
1298 			e = AUE_SEMCTL;
1299 			break;
1300 		}
1301 		break;
1302 	case 1:		/* semget */
1303 		e = AUE_SEMGET;
1304 		break;
1305 	case 2:		/* semop */
1306 		e = AUE_SEMOP;
1307 		break;
1308 	default:	/* illegal system call */
1309 		e = AUE_NULL;
1310 		break;
1311 	}
1312 
1313 	return (e);
1314 }
1315 
1316 /* utssys - uname(2), ustat(2), fusers(2) */
1317 static au_event_t
1318 aui_utssys(au_event_t e)
1319 {
1320 	klwp_t *clwp = ttolwp(curthread);
1321 	uint_t type;
1322 
1323 	struct a {
1324 		union {
1325 			long	cbuf;		/* char * */
1326 			long	ubuf;		/* struct stat * */
1327 		} ub;
1328 		union {
1329 			long	mv;	/* for USTAT */
1330 			long	flags;	/* for FUSERS */
1331 		} un;
1332 		long	type;
1333 		long	outbp;		/* char * for FUSERS */
1334 	} *uap = (struct a *)clwp->lwp_ap;
1335 
1336 	type = (uint_t)uap->type;
1337 
1338 	if (type == UTS_FUSERS)
1339 		return (e);
1340 	else
1341 		return ((au_event_t)AUE_NULL);
1342 }
1343 
1344 static au_event_t
1345 aui_fcntl(au_event_t e)
1346 {
1347 	klwp_t *clwp = ttolwp(curthread);
1348 	uint_t cmd;
1349 
1350 	struct a {
1351 		long	fdes;
1352 		long	cmd;
1353 		long	arg;
1354 	} *uap = (struct a *)clwp->lwp_ap;
1355 
1356 	cmd = (uint_t)uap->cmd;
1357 
1358 	switch (cmd) {
1359 	case F_GETLK:
1360 	case F_SETLK:
1361 	case F_SETLKW:
1362 		break;
1363 	case F_SETFL:
1364 	case F_GETFL:
1365 	case F_GETFD:
1366 		break;
1367 	default:
1368 		e = (au_event_t)AUE_NULL;
1369 		break;
1370 	}
1371 	return ((au_event_t)e);
1372 }
1373 
1374 /* null function for now */
1375 static au_event_t
1376 aui_execve(au_event_t e)
1377 {
1378 	return (e);
1379 }
1380 
1381 /*ARGSUSED*/
1382 static void
1383 aus_fcntl(struct t_audit_data *tad)
1384 {
1385 	klwp_t *clwp = ttolwp(curthread);
1386 	uint32_t cmd, fd, flags;
1387 	struct file  *fp;
1388 	struct vnode *vp;
1389 	struct f_audit_data *fad;
1390 
1391 	struct a {
1392 		long	fd;
1393 		long	cmd;
1394 		long	arg;
1395 	} *uap = (struct a *)clwp->lwp_ap;
1396 
1397 	cmd	= (uint32_t)uap->cmd;
1398 	fd	= (uint32_t)uap->fd;
1399 	flags	= (uint32_t)uap->arg;
1400 
1401 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1402 
1403 	if (cmd == F_SETFL)
1404 		au_uwrite(au_to_arg32(3, "flags", flags));
1405 
1406 		/*
1407 		 * convert file pointer to file descriptor
1408 		 *   Note: fd ref count incremented here.
1409 		 */
1410 	if ((fp = getf(fd)) == NULL)
1411 		return;
1412 
1413 	/* get path from file struct here */
1414 	fad = F2A(fp);
1415 	if (fad->fad_aupath != NULL) {
1416 		au_uwrite(au_to_path(fad->fad_aupath));
1417 	} else {
1418 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1419 	}
1420 
1421 	vp = fp->f_vnode;
1422 	audit_attributes(vp);
1423 
1424 	/* decrement file descriptor reference count */
1425 	releasef(fd);
1426 }
1427 
1428 /*ARGSUSED*/
1429 static void
1430 aus_kill(struct t_audit_data *tad)
1431 {
1432 	klwp_t *clwp = ttolwp(curthread);
1433 	struct proc *p;
1434 	uint32_t signo;
1435 	uid_t uid, ruid;
1436 	gid_t gid, rgid;
1437 	pid_t pid;
1438 	const auditinfo_addr_t *ainfo;
1439 	cred_t *cr;
1440 
1441 	struct a {
1442 		long	pid;
1443 		long	signo;
1444 	} *uap = (struct a *)clwp->lwp_ap;
1445 
1446 	pid   = (pid_t)uap->pid;
1447 	signo = (uint32_t)uap->signo;
1448 
1449 	au_uwrite(au_to_arg32(2, "signal", signo));
1450 	if (pid > 0) {
1451 		mutex_enter(&pidlock);
1452 		if (((p = prfind(pid)) == (struct proc *)0) ||
1453 		    (p->p_stat == SIDL)) {
1454 			mutex_exit(&pidlock);
1455 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1456 			return;
1457 		}
1458 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1459 		mutex_exit(&pidlock);
1460 
1461 		mutex_enter(&p->p_crlock);
1462 		crhold(cr = p->p_cred);
1463 		mutex_exit(&p->p_crlock);
1464 		mutex_exit(&p->p_lock);
1465 
1466 		ainfo = crgetauinfo(cr);
1467 		if (ainfo == NULL) {
1468 			crfree(cr);
1469 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1470 			return;
1471 		}
1472 
1473 		uid  = crgetuid(cr);
1474 		gid  = crgetgid(cr);
1475 		ruid = crgetruid(cr);
1476 		rgid = crgetrgid(cr);
1477 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1478 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1479 
1480 		if (is_system_labeled())
1481 			au_uwrite(au_to_label(CR_SL(cr)));
1482 
1483 		crfree(cr);
1484 	}
1485 	else
1486 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1487 }
1488 
1489 /*ARGSUSED*/
1490 static void
1491 aus_mkdir(struct t_audit_data *tad)
1492 {
1493 	klwp_t *clwp = ttolwp(curthread);
1494 	uint32_t dmode;
1495 
1496 	struct a {
1497 		long	dirnamep;		/* char * */
1498 		long	dmode;
1499 	} *uap = (struct a *)clwp->lwp_ap;
1500 
1501 	dmode = (uint32_t)uap->dmode;
1502 
1503 	au_uwrite(au_to_arg32(2, "mode", dmode));
1504 }
1505 
1506 /*ARGSUSED*/
1507 static void
1508 aus_mknod(struct t_audit_data *tad)
1509 {
1510 	klwp_t *clwp = ttolwp(curthread);
1511 	uint32_t fmode;
1512 	dev_t dev;
1513 
1514 	struct a {
1515 		long	pnamep;		/* char * */
1516 		long	fmode;
1517 		long	dev;
1518 	} *uap = (struct a *)clwp->lwp_ap;
1519 
1520 	fmode = (uint32_t)uap->fmode;
1521 	dev   = (dev_t)uap->dev;
1522 
1523 	au_uwrite(au_to_arg32(2, "mode", fmode));
1524 #ifdef _LP64
1525 	au_uwrite(au_to_arg64(3, "dev", dev));
1526 #else
1527 	au_uwrite(au_to_arg32(3, "dev", dev));
1528 #endif
1529 }
1530 
1531 /*ARGSUSED*/
1532 static void
1533 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1534 {
1535 	klwp_t *clwp = ttolwp(curthread);
1536 	vnode_t	*dvp;
1537 	caddr_t pnamep;
1538 
1539 	struct a {
1540 		long	pnamep;		/* char * */
1541 		long	fmode;
1542 		long	dev;
1543 	} *uap = (struct a *)clwp->lwp_ap;
1544 
1545 	/* no error, then already path token in audit record */
1546 	if (error != EPERM)
1547 		return;
1548 
1549 	/* not auditing this event, nothing then to do */
1550 	if (tad->tad_flag == 0)
1551 		return;
1552 
1553 	/* do the lookup to force generation of path token */
1554 	pnamep = (caddr_t)uap->pnamep;
1555 	tad->tad_ctrl |= PAD_NOATTRB;
1556 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1557 	if (error == 0)
1558 		VN_RELE(dvp);
1559 }
1560 
1561 /*ARGSUSED*/
1562 static void
1563 aus_mount(struct t_audit_data *tad)
1564 {	/* AUS_START */
1565 	klwp_t *clwp = ttolwp(curthread);
1566 	uint32_t flags;
1567 	uintptr_t u_fstype, dataptr;
1568 	STRUCT_DECL(nfs_args, nfsargs);
1569 	size_t len;
1570 	char *fstype, *hostname;
1571 
1572 	struct a {
1573 		long	spec;		/* char    * */
1574 		long	dir;		/* char    * */
1575 		long	flags;
1576 		long	fstype;		/* char    * */
1577 		long	dataptr;	/* char    * */
1578 		long	datalen;
1579 	} *uap = (struct a *)clwp->lwp_ap;
1580 
1581 	u_fstype = (uintptr_t)uap->fstype;
1582 	flags    = (uint32_t)uap->flags;
1583 	dataptr  = (uintptr_t)uap->dataptr;
1584 
1585 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1586 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1587 		goto mount_free_fstype;
1588 
1589 	au_uwrite(au_to_arg32(3, "flags", flags));
1590 	au_uwrite(au_to_text(fstype));
1591 
1592 	if (strncmp(fstype, "nfs", 3) == 0) {
1593 
1594 		STRUCT_INIT(nfsargs, get_udatamodel());
1595 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1596 
1597 		if (copyin((caddr_t)dataptr,
1598 				STRUCT_BUF(nfsargs),
1599 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1600 			/* DEBUG debug_enter((char *)NULL); */
1601 			goto mount_free_fstype;
1602 		}
1603 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1604 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1605 				(caddr_t)hostname,
1606 				MAXNAMELEN, &len)) {
1607 			goto mount_free_hostname;
1608 		}
1609 		au_uwrite(au_to_text(hostname));
1610 		au_uwrite(au_to_arg32(3, "internal flags",
1611 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1612 
1613 mount_free_hostname:
1614 		kmem_free(hostname, MAXNAMELEN);
1615 	}
1616 
1617 mount_free_fstype:
1618 	kmem_free(fstype, MAXNAMELEN);
1619 }	/* AUS_MOUNT */
1620 
1621 static void
1622 aus_umount_path(caddr_t umount_dir)
1623 {
1624 	char			*dir_path;
1625 	struct audit_path	*path;
1626 	size_t			path_len, dir_len;
1627 
1628 	/* length alloc'd for two string pointers */
1629 	path_len = sizeof (struct audit_path) + sizeof (char *);
1630 	path = kmem_alloc(path_len, KM_SLEEP);
1631 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1632 
1633 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1634 	    MAXPATHLEN, &dir_len))
1635 		goto umount2_free_dir;
1636 
1637 	/*
1638 	 * the audit_path struct assumes that the buffer pointed to
1639 	 * by audp_sect[n] contains string 0 immediatedly followed
1640 	 * by string 1.
1641 	 */
1642 	path->audp_sect[0] = dir_path;
1643 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1644 	path->audp_size = path_len;
1645 	path->audp_ref = 1;		/* not used */
1646 	path->audp_cnt = 1;		/* one path string */
1647 
1648 	au_uwrite(au_to_path(path));
1649 
1650 umount2_free_dir:
1651 	kmem_free(dir_path, MAXPATHLEN);
1652 	kmem_free(path, path_len);
1653 }
1654 
1655 /*ARGSUSED*/
1656 static void
1657 aus_umount2(struct t_audit_data *tad)
1658 {
1659 	klwp_t			*clwp = ttolwp(curthread);
1660 	struct a {
1661 		long	dir;		/* char    * */
1662 		long	flags;
1663 	} *uap = (struct a *)clwp->lwp_ap;
1664 
1665 	aus_umount_path((caddr_t)uap->dir);
1666 
1667 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1668 }
1669 
1670 static void
1671 aus_msgsys(struct t_audit_data *tad)
1672 {
1673 	klwp_t *clwp = ttolwp(curthread);
1674 	uint32_t msgid;
1675 
1676 	struct b {
1677 		long	msgid;
1678 		long	cmd;
1679 		long	buf;		/* struct msqid_ds * */
1680 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1681 
1682 	msgid = (uint32_t)uap1->msgid;
1683 
1684 
1685 	switch (tad->tad_event) {
1686 	case AUE_MSGGET:		/* msgget */
1687 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1688 		break;
1689 	case AUE_MSGCTL:		/* msgctl */
1690 	case AUE_MSGCTL_RMID:		/* msgctl */
1691 	case AUE_MSGCTL_SET:		/* msgctl */
1692 	case AUE_MSGCTL_STAT:		/* msgctl */
1693 	case AUE_MSGRCV:		/* msgrcv */
1694 	case AUE_MSGSND:		/* msgsnd */
1695 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1696 		break;
1697 	}
1698 }
1699 
1700 /*ARGSUSED*/
1701 static void
1702 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1703 {
1704 	int id;
1705 
1706 	if (error != 0)
1707 		return;
1708 	if (tad->tad_event == AUE_MSGGET) {
1709 		uint32_t scid;
1710 		uint32_t sy_flags;
1711 
1712 		/* need to determine type of executing binary */
1713 		scid = tad->tad_scid;
1714 #ifdef _SYSCALL32_IMPL
1715 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1716 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1717 		else
1718 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1719 #else
1720 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1721 #endif
1722 		if (sy_flags == SE_32RVAL1)
1723 			id = rval->r_val1;
1724 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1725 			id = rval->r_val1;
1726 		if (sy_flags == SE_64RVAL)
1727 			id = (int)rval->r_vals;
1728 
1729 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1730 	}
1731 }
1732 
1733 static void
1734 aus_semsys(struct t_audit_data *tad)
1735 {
1736 	klwp_t *clwp = ttolwp(curthread);
1737 	uint32_t semid;
1738 
1739 	struct b {		/* ctrl */
1740 		long	semid;
1741 		long	semnum;
1742 		long	cmd;
1743 		long	arg;
1744 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1745 
1746 	semid = (uint32_t)uap1->semid;
1747 
1748 	switch (tad->tad_event) {
1749 	case AUE_SEMCTL_RMID:
1750 	case AUE_SEMCTL_STAT:
1751 	case AUE_SEMCTL_GETNCNT:
1752 	case AUE_SEMCTL_GETPID:
1753 	case AUE_SEMCTL_GETVAL:
1754 	case AUE_SEMCTL_GETALL:
1755 	case AUE_SEMCTL_GETZCNT:
1756 	case AUE_SEMCTL_SET:
1757 	case AUE_SEMCTL_SETVAL:
1758 	case AUE_SEMCTL_SETALL:
1759 	case AUE_SEMCTL:
1760 	case AUE_SEMOP:
1761 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1762 		break;
1763 	case AUE_SEMGET:
1764 		au_uwrite(au_to_arg32(1, "sem key", semid));
1765 		break;
1766 	}
1767 }
1768 
1769 /*ARGSUSED*/
1770 static void
1771 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1772 {
1773 	int id;
1774 
1775 	if (error != 0)
1776 		return;
1777 	if (tad->tad_event == AUE_SEMGET) {
1778 		uint32_t scid;
1779 		uint32_t sy_flags;
1780 
1781 		/* need to determine type of executing binary */
1782 		scid = tad->tad_scid;
1783 #ifdef _SYSCALL32_IMPL
1784 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1785 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1786 		else
1787 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1788 #else
1789 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1790 #endif
1791 		if (sy_flags == SE_32RVAL1)
1792 			id = rval->r_val1;
1793 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1794 			id = rval->r_val1;
1795 		if (sy_flags == SE_64RVAL)
1796 			id = (int)rval->r_vals;
1797 
1798 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1799 	}
1800 }
1801 
1802 /*ARGSUSED*/
1803 static void
1804 aus_close(struct t_audit_data *tad)
1805 {
1806 	klwp_t *clwp = ttolwp(curthread);
1807 	uint32_t fd;
1808 	struct file *fp;
1809 	struct f_audit_data *fad;
1810 	struct vnode *vp;
1811 	struct vattr attr;
1812 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1813 
1814 	struct a {
1815 		long	i;
1816 	} *uap = (struct a *)clwp->lwp_ap;
1817 
1818 	fd = (uint32_t)uap->i;
1819 
1820 	attr.va_mask = 0;
1821 	au_uwrite(au_to_arg32(1, "fd", fd));
1822 
1823 		/*
1824 		 * convert file pointer to file descriptor
1825 		 *   Note: fd ref count incremented here.
1826 		 */
1827 	if ((fp = getf(fd)) == NULL)
1828 		return;
1829 
1830 	fad = F2A(fp);
1831 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1832 	if (fad->fad_aupath != NULL) {
1833 		au_uwrite(au_to_path(fad->fad_aupath));
1834 		if ((vp = fp->f_vnode) != NULL) {
1835 			attr.va_mask = AT_ALL;
1836 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1837 				/*
1838 				 * When write was not used and the file can be
1839 				 * considered public, skip the audit.
1840 				 */
1841 				if (((fp->f_flag & FWRITE) == 0) &&
1842 				    file_is_public(&attr)) {
1843 					tad->tad_flag = 0;
1844 					tad->tad_evmod = 0;
1845 					/* free any residual audit data */
1846 					au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1847 					releasef(fd);
1848 					return;
1849 				}
1850 				au_uwrite(au_to_attr(&attr));
1851 				audit_sec_attributes(&(u_ad), vp);
1852 			}
1853 		}
1854 	}
1855 
1856 	/* decrement file descriptor reference count */
1857 	releasef(fd);
1858 }
1859 
1860 /*ARGSUSED*/
1861 static void
1862 aus_fstatfs(struct t_audit_data *tad)
1863 {
1864 	klwp_t *clwp = ttolwp(curthread);
1865 	uint32_t fd;
1866 	struct file  *fp;
1867 	struct vnode *vp;
1868 	struct f_audit_data *fad;
1869 
1870 	struct a {
1871 		long	fd;
1872 		long	buf;		/* struct statfs * */
1873 	} *uap = (struct a *)clwp->lwp_ap;
1874 
1875 	fd = (uint_t)uap->fd;
1876 
1877 		/*
1878 		 * convert file pointer to file descriptor
1879 		 *   Note: fd ref count incremented here.
1880 		 */
1881 	if ((fp = getf(fd)) == NULL)
1882 		return;
1883 
1884 		/* get path from file struct here */
1885 	fad = F2A(fp);
1886 	if (fad->fad_aupath != NULL) {
1887 		au_uwrite(au_to_path(fad->fad_aupath));
1888 	} else {
1889 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1890 	}
1891 
1892 	vp = fp->f_vnode;
1893 	audit_attributes(vp);
1894 
1895 	/* decrement file descriptor reference count */
1896 	releasef(fd);
1897 }
1898 
1899 static au_event_t
1900 aui_setpgrp(au_event_t e)
1901 {
1902 	klwp_t *clwp = ttolwp(curthread);
1903 	int flag;
1904 
1905 	struct a {
1906 		long	flag;
1907 		long	pid;
1908 		long	pgid;
1909 	} *uap = (struct a *)clwp->lwp_ap;
1910 
1911 	flag = (int)uap->flag;
1912 
1913 
1914 	switch (flag) {
1915 
1916 	case 1:	/* setpgrp() */
1917 		e = AUE_SETPGRP;
1918 		break;
1919 
1920 	case 3: /* setsid() */
1921 		e = AUE_SETSID;
1922 		break;
1923 
1924 	case 5: /* setpgid() */
1925 		e = AUE_SETPGID;
1926 		break;
1927 
1928 	case 0: /* getpgrp()	- not security relevant */
1929 	case 2: /* getsid()	- not security relevant */
1930 	case 4: /* getpgid() 	- not security relevant */
1931 		e = AUE_NULL;
1932 		break;
1933 
1934 	default:
1935 		e = AUE_NULL;
1936 		break;
1937 	}
1938 
1939 	return (e);
1940 }
1941 
1942 /*ARGSUSED*/
1943 static void
1944 aus_setpgrp(struct t_audit_data *tad)
1945 {
1946 	klwp_t		*clwp = ttolwp(curthread);
1947 	pid_t		pgid;
1948 	struct proc	*p;
1949 	uid_t		uid, ruid;
1950 	gid_t		gid, rgid;
1951 	pid_t		pid;
1952 	cred_t		*cr;
1953 	int		flag;
1954 	const auditinfo_addr_t	*ainfo;
1955 
1956 	struct a {
1957 		long	flag;
1958 		long	pid;
1959 		long	pgid;
1960 	} *uap = (struct a *)clwp->lwp_ap;
1961 
1962 	flag = (int)uap->flag;
1963 	pid  = (pid_t)uap->pid;
1964 	pgid = (pid_t)uap->pgid;
1965 
1966 
1967 	switch (flag) {
1968 
1969 	case 0: /* getpgrp() */
1970 	case 1: /* setpgrp() */
1971 	case 2: /* getsid() */
1972 	case 3: /* setsid() */
1973 	case 4: /* getpgid() */
1974 		break;
1975 
1976 	case 5: /* setpgid() */
1977 
1978 		/* current process? */
1979 		if (pid == 0) {
1980 			return;
1981 		}
1982 
1983 		mutex_enter(&pidlock);
1984 		p = prfind(pid);
1985 		if (p == NULL || p->p_as == &kas ||
1986 		    p->p_stat == SIDL || p->p_stat == SZOMB) {
1987 			mutex_exit(&pidlock);
1988 			return;
1989 		}
1990 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
1991 		mutex_exit(&pidlock);
1992 
1993 		mutex_enter(&p->p_crlock);
1994 		crhold(cr = p->p_cred);
1995 		mutex_exit(&p->p_crlock);
1996 		mutex_exit(&p->p_lock);
1997 
1998 		ainfo = crgetauinfo(cr);
1999 		if (ainfo == NULL) {
2000 			crfree(cr);
2001 			return;
2002 		}
2003 
2004 		uid  = crgetuid(cr);
2005 		gid  = crgetgid(cr);
2006 		ruid = crgetruid(cr);
2007 		rgid = crgetrgid(cr);
2008 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2009 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2010 		crfree(cr);
2011 		au_uwrite(au_to_arg32(2, "pgid", pgid));
2012 		break;
2013 
2014 	default:
2015 		break;
2016 	}
2017 }
2018 
2019 
2020 /*ARGSUSED*/
2021 static void
2022 aus_setregid(struct t_audit_data *tad)
2023 {
2024 	klwp_t *clwp = ttolwp(curthread);
2025 	uint32_t rgid, egid;
2026 
2027 	struct a {
2028 		long	 rgid;
2029 		long	 egid;
2030 	} *uap = (struct a *)clwp->lwp_ap;
2031 
2032 	rgid  = (uint32_t)uap->rgid;
2033 	egid  = (uint32_t)uap->egid;
2034 
2035 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2036 	au_uwrite(au_to_arg32(2, "egid", egid));
2037 }
2038 
2039 /*ARGSUSED*/
2040 static void
2041 aus_setgid(struct t_audit_data *tad)
2042 {
2043 	klwp_t *clwp = ttolwp(curthread);
2044 	uint32_t gid;
2045 
2046 	struct a {
2047 		long	gid;
2048 	} *uap = (struct a *)clwp->lwp_ap;
2049 
2050 	gid = (uint32_t)uap->gid;
2051 
2052 	au_uwrite(au_to_arg32(1, "gid", gid));
2053 }
2054 
2055 
2056 /*ARGSUSED*/
2057 static void
2058 aus_setreuid(struct t_audit_data *tad)
2059 {
2060 	klwp_t *clwp = ttolwp(curthread);
2061 	uint32_t ruid, euid;
2062 
2063 	struct a {
2064 		long	ruid;
2065 		long	euid;
2066 	} *uap = (struct a *)clwp->lwp_ap;
2067 
2068 	ruid = (uint32_t)uap->ruid;
2069 	euid  = (uint32_t)uap->euid;
2070 
2071 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2072 	au_uwrite(au_to_arg32(2, "euid", euid));
2073 }
2074 
2075 
2076 /*ARGSUSED*/
2077 static void
2078 aus_setuid(struct t_audit_data *tad)
2079 {
2080 	klwp_t *clwp = ttolwp(curthread);
2081 	uint32_t uid;
2082 
2083 	struct a {
2084 		long	uid;
2085 	} *uap = (struct a *)clwp->lwp_ap;
2086 
2087 	uid = (uint32_t)uap->uid;
2088 
2089 	au_uwrite(au_to_arg32(1, "uid", uid));
2090 }
2091 
2092 /*ARGSUSED*/
2093 static void
2094 aus_shmsys(struct t_audit_data *tad)
2095 {
2096 	klwp_t *clwp = ttolwp(curthread);
2097 	uint32_t id, cmd;
2098 
2099 	struct b {
2100 		long	id;
2101 		long	cmd;
2102 		long	buf;		/* struct shmid_ds * */
2103 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2104 
2105 	id  = (uint32_t)uap1->id;
2106 	cmd = (uint32_t)uap1->cmd;
2107 
2108 	switch (tad->tad_event) {
2109 	case AUE_SHMGET:			/* shmget */
2110 		au_uwrite(au_to_arg32(1, "shm key", id));
2111 		break;
2112 	case AUE_SHMCTL:			/* shmctl */
2113 	case AUE_SHMCTL_RMID:			/* shmctl */
2114 	case AUE_SHMCTL_STAT:			/* shmctl */
2115 	case AUE_SHMCTL_SET:			/* shmctl */
2116 		au_uwrite(au_to_arg32(1, "shm ID", id));
2117 		break;
2118 	case AUE_SHMDT:				/* shmdt */
2119 		au_uwrite(au_to_arg32(1, "shm adr", id));
2120 		break;
2121 	case AUE_SHMAT:				/* shmat */
2122 		au_uwrite(au_to_arg32(1, "shm ID", id));
2123 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2124 		break;
2125 	}
2126 }
2127 
2128 /*ARGSUSED*/
2129 static void
2130 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2131 {
2132 	int id;
2133 
2134 	if (error != 0)
2135 		return;
2136 	if (tad->tad_event == AUE_SHMGET) {
2137 		uint32_t scid;
2138 		uint32_t sy_flags;
2139 
2140 		/* need to determine type of executing binary */
2141 		scid = tad->tad_scid;
2142 #ifdef _SYSCALL32_IMPL
2143 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2144 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2145 		else
2146 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2147 #else
2148 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2149 #endif
2150 		if (sy_flags == SE_32RVAL1)
2151 			id = rval->r_val1;
2152 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2153 			id = rval->r_val1;
2154 		if (sy_flags == SE_64RVAL)
2155 			id = (int)rval->r_vals;
2156 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2157 	}
2158 }
2159 
2160 
2161 /*ARGSUSED*/
2162 static void
2163 aus_ioctl(struct t_audit_data *tad)
2164 {
2165 	klwp_t *clwp = ttolwp(curthread);
2166 	struct file *fp;
2167 	struct vnode *vp;
2168 	struct f_audit_data *fad;
2169 	uint32_t fd, cmd;
2170 	uintptr_t cmarg;
2171 
2172 	/* XX64 */
2173 	struct a {
2174 		long	fd;
2175 		long	cmd;
2176 		long	cmarg;		/* caddr_t */
2177 	} *uap = (struct a *)clwp->lwp_ap;
2178 
2179 	fd    = (uint32_t)uap->fd;
2180 	cmd   = (uint32_t)uap->cmd;
2181 	cmarg = (uintptr_t)uap->cmarg;
2182 
2183 		/*
2184 		 * convert file pointer to file descriptor
2185 		 *   Note: fd ref count incremented here.
2186 		 */
2187 	if ((fp = getf(fd)) == NULL) {
2188 		au_uwrite(au_to_arg32(1, "fd", fd));
2189 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2190 #ifndef _LP64
2191 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2192 #else
2193 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2194 #endif
2195 		return;
2196 	}
2197 
2198 	/* get path from file struct here */
2199 	fad = F2A(fp);
2200 	if (fad->fad_aupath != NULL) {
2201 		au_uwrite(au_to_path(fad->fad_aupath));
2202 	} else {
2203 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2204 	}
2205 
2206 	vp = fp->f_vnode;
2207 	audit_attributes(vp);
2208 
2209 	/* decrement file descriptor reference count */
2210 	releasef(fd);
2211 
2212 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2213 #ifndef _LP64
2214 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2215 #else
2216 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2217 #endif
2218 }
2219 
2220 /*
2221  * null function for memcntl for now. We might want to limit memcntl()
2222  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2223  * require privileges.
2224  */
2225 static au_event_t
2226 aui_memcntl(au_event_t e)
2227 {
2228 	return (e);
2229 }
2230 
2231 /*ARGSUSED*/
2232 static au_event_t
2233 aui_privsys(au_event_t e)
2234 {
2235 	klwp_t *clwp = ttolwp(curthread);
2236 
2237 	struct a {
2238 		long	opcode;
2239 	} *uap = (struct a *)clwp->lwp_ap;
2240 
2241 	switch (uap->opcode) {
2242 	case PRIVSYS_SETPPRIV:
2243 		return (AUE_SETPPRIV);
2244 	default:
2245 		return (AUE_NULL);
2246 	}
2247 }
2248 
2249 /*ARGSUSED*/
2250 static void
2251 aus_memcntl(struct t_audit_data *tad)
2252 {
2253 	klwp_t *clwp = ttolwp(curthread);
2254 
2255 	struct a {
2256 		long	addr;
2257 		long	len;
2258 		long	cmd;
2259 		long	arg;
2260 		long	attr;
2261 		long	mask;
2262 	} *uap = (struct a *)clwp->lwp_ap;
2263 
2264 #ifdef _LP64
2265 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2266 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2267 #else
2268 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2269 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2270 #endif
2271 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2272 #ifdef _LP64
2273 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2274 #else
2275 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2276 #endif
2277 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2278 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2279 }
2280 
2281 /*ARGSUSED*/
2282 static void
2283 aus_mmap(struct t_audit_data *tad)
2284 {
2285 	klwp_t *clwp = ttolwp(curthread);
2286 	struct file *fp;
2287 	struct f_audit_data *fad;
2288 	struct vnode *vp;
2289 	uint32_t fd;
2290 
2291 	struct a {
2292 		long	addr;
2293 		long	len;
2294 		long	prot;
2295 		long	flags;
2296 		long	fd;
2297 		long	pos;
2298 	} *uap = (struct a *)clwp->lwp_ap;
2299 
2300 	fd = (uint32_t)uap->fd;
2301 
2302 #ifdef _LP64
2303 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2304 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2305 #else
2306 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2307 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2308 #endif
2309 
2310 	if ((fp = getf(fd)) == NULL) {
2311 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2312 		return;
2313 	}
2314 
2315 	/*
2316 	 * Mark in the tad if write access is NOT requested... if
2317 	 * this is later detected (in audit_attributes) to be a
2318 	 * public object, the mmap event may be discarded.
2319 	 */
2320 	if (((uap->prot) & PROT_WRITE) == 0) {
2321 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2322 	}
2323 
2324 	fad = F2A(fp);
2325 	if (fad->fad_aupath != NULL) {
2326 		au_uwrite(au_to_path(fad->fad_aupath));
2327 	} else {
2328 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2329 	}
2330 
2331 	vp = (struct vnode *)fp->f_vnode;
2332 	audit_attributes(vp);
2333 
2334 	/* mark READ/WRITE since we can't predict access */
2335 	if (uap->prot & PROT_READ)
2336 		fad->fad_flags |= FAD_READ;
2337 	if (uap->prot & PROT_WRITE)
2338 		fad->fad_flags |= FAD_WRITE;
2339 
2340 	/* decrement file descriptor reference count */
2341 	releasef(fd);
2342 
2343 }	/* AUS_MMAP */
2344 
2345 
2346 
2347 
2348 /*ARGSUSED*/
2349 static void
2350 aus_munmap(struct t_audit_data *tad)
2351 {
2352 	klwp_t *clwp = ttolwp(curthread);
2353 
2354 	struct a {
2355 		long	addr;
2356 		long	len;
2357 	} *uap = (struct a *)clwp->lwp_ap;
2358 
2359 #ifdef _LP64
2360 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2361 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2362 #else
2363 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2364 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2365 #endif
2366 
2367 }	/* AUS_MUNMAP */
2368 
2369 
2370 
2371 
2372 
2373 
2374 
2375 /*ARGSUSED*/
2376 static void
2377 aus_priocntlsys(struct t_audit_data *tad)
2378 {
2379 	klwp_t *clwp = ttolwp(curthread);
2380 
2381 	struct a {
2382 		long	pc_version;
2383 		long	psp;		/* procset_t */
2384 		long	cmd;
2385 		long	arg;
2386 	} *uap = (struct a *)clwp->lwp_ap;
2387 
2388 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2389 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2390 
2391 }	/* AUS_PRIOCNTLSYS */
2392 
2393 
2394 /*ARGSUSED*/
2395 static void
2396 aus_setegid(struct t_audit_data *tad)
2397 {
2398 	klwp_t *clwp = ttolwp(curthread);
2399 	uint32_t gid;
2400 
2401 	struct a {
2402 		long	gid;
2403 	} *uap = (struct a *)clwp->lwp_ap;
2404 
2405 	gid = (uint32_t)uap->gid;
2406 
2407 	au_uwrite(au_to_arg32(1, "gid", gid));
2408 }	/* AUS_SETEGID */
2409 
2410 
2411 
2412 
2413 /*ARGSUSED*/
2414 static void
2415 aus_setgroups(struct t_audit_data *tad)
2416 {
2417 	klwp_t *clwp = ttolwp(curthread);
2418 	int i;
2419 	int gidsetsize;
2420 	uintptr_t gidset;
2421 	gid_t *gidlist;
2422 
2423 	struct a {
2424 		long	gidsetsize;
2425 		long	gidset;
2426 	} *uap = (struct a *)clwp->lwp_ap;
2427 
2428 	gidsetsize = (uint_t)uap->gidsetsize;
2429 	gidset = (uintptr_t)uap->gidset;
2430 
2431 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2432 		return;
2433 	if (gidsetsize != 0) {
2434 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2435 		    KM_SLEEP);
2436 		if (copyin((caddr_t)gidset, gidlist,
2437 		    gidsetsize * sizeof (gid_t)) == 0)
2438 			for (i = 0; i < gidsetsize; i++)
2439 				au_uwrite(au_to_arg32(1, "setgroups",
2440 				    (uint32_t)gidlist[i]));
2441 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2442 	} else
2443 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2444 
2445 }	/* AUS_SETGROUPS */
2446 
2447 
2448 
2449 
2450 
2451 /*ARGSUSED*/
2452 static void
2453 aus_seteuid(struct t_audit_data *tad)
2454 {
2455 	klwp_t *clwp = ttolwp(curthread);
2456 	uint32_t uid;
2457 
2458 	struct a {
2459 		long	uid;
2460 	} *uap = (struct a *)clwp->lwp_ap;
2461 
2462 	uid = (uint32_t)uap->uid;
2463 
2464 	au_uwrite(au_to_arg32(1, "euid", uid));
2465 
2466 }	/* AUS_SETEUID */
2467 
2468 /*ARGSUSED*/
2469 static void
2470 aus_putmsg(struct t_audit_data *tad)
2471 {
2472 	klwp_t *clwp = ttolwp(curthread);
2473 	uint32_t fd, pri;
2474 	struct file *fp;
2475 	struct f_audit_data *fad;
2476 
2477 	struct a {
2478 		long	fdes;
2479 		long	ctl;		/* struct strbuf * */
2480 		long	data;		/* struct strbuf * */
2481 		long	pri;
2482 	} *uap = (struct a *)clwp->lwp_ap;
2483 
2484 	fd  = (uint32_t)uap->fdes;
2485 	pri = (uint32_t)uap->pri;
2486 
2487 	au_uwrite(au_to_arg32(1, "fd", fd));
2488 
2489 	if ((fp = getf(fd)) != NULL) {
2490 		fad = F2A(fp);
2491 
2492 		fad->fad_flags |= FAD_WRITE;
2493 
2494 		/* add path name to audit record */
2495 		if (fad->fad_aupath != NULL) {
2496 			au_uwrite(au_to_path(fad->fad_aupath));
2497 		}
2498 		audit_attributes(fp->f_vnode);
2499 
2500 		releasef(fd);
2501 	}
2502 
2503 	au_uwrite(au_to_arg32(4, "pri", pri));
2504 }
2505 
2506 /*ARGSUSED*/
2507 static void
2508 aus_putpmsg(struct t_audit_data *tad)
2509 {
2510 	klwp_t *clwp = ttolwp(curthread);
2511 	uint32_t fd, pri, flags;
2512 	struct file *fp;
2513 	struct f_audit_data *fad;
2514 
2515 	struct a {
2516 		long	fdes;
2517 		long	ctl;		/* struct strbuf * */
2518 		long	data;		/* struct strbuf * */
2519 		long	pri;
2520 		long	flags;
2521 	} *uap = (struct a *)clwp->lwp_ap;
2522 
2523 	fd = (uint32_t)uap->fdes;
2524 	pri  = (uint32_t)uap->pri;
2525 	flags  = (uint32_t)uap->flags;
2526 
2527 	au_uwrite(au_to_arg32(1, "fd", fd));
2528 
2529 	if ((fp = getf(fd)) != NULL) {
2530 		fad = F2A(fp);
2531 
2532 		fad->fad_flags |= FAD_WRITE;
2533 
2534 		/* add path name to audit record */
2535 		if (fad->fad_aupath != NULL) {
2536 			au_uwrite(au_to_path(fad->fad_aupath));
2537 		}
2538 		audit_attributes(fp->f_vnode);
2539 
2540 		releasef(fd);
2541 	}
2542 
2543 
2544 	au_uwrite(au_to_arg32(4, "pri", pri));
2545 	au_uwrite(au_to_arg32(5, "flags", flags));
2546 }
2547 
2548 /*ARGSUSED*/
2549 static void
2550 aus_getmsg(struct t_audit_data *tad)
2551 {
2552 	klwp_t *clwp = ttolwp(curthread);
2553 	uint32_t fd, pri;
2554 	struct file *fp;
2555 	struct f_audit_data *fad;
2556 
2557 	struct a {
2558 		long	fdes;
2559 		long	ctl;		/* struct strbuf * */
2560 		long	data;		/* struct strbuf * */
2561 		long	pri;
2562 	} *uap = (struct a *)clwp->lwp_ap;
2563 
2564 	fd  = (uint32_t)uap->fdes;
2565 	pri = (uint32_t)uap->pri;
2566 
2567 	au_uwrite(au_to_arg32(1, "fd", fd));
2568 
2569 	if ((fp = getf(fd)) != NULL) {
2570 		fad = F2A(fp);
2571 
2572 		/*
2573 		 * read operation on this object
2574 		 */
2575 		fad->fad_flags |= FAD_READ;
2576 
2577 		/* add path name to audit record */
2578 		if (fad->fad_aupath != NULL) {
2579 			au_uwrite(au_to_path(fad->fad_aupath));
2580 		}
2581 		audit_attributes(fp->f_vnode);
2582 
2583 		releasef(fd);
2584 	}
2585 
2586 	au_uwrite(au_to_arg32(4, "pri", pri));
2587 }
2588 
2589 /*ARGSUSED*/
2590 static void
2591 aus_getpmsg(struct t_audit_data *tad)
2592 {
2593 	klwp_t *clwp = ttolwp(curthread);
2594 	uint32_t fd;
2595 	struct file *fp;
2596 	struct f_audit_data *fad;
2597 
2598 	struct a {
2599 		long	fdes;
2600 		long	ctl;		/* struct strbuf * */
2601 		long	data;		/* struct strbuf * */
2602 		long	pri;
2603 		long	flags;
2604 	} *uap = (struct a *)clwp->lwp_ap;
2605 
2606 	fd = (uint32_t)uap->fdes;
2607 
2608 	au_uwrite(au_to_arg32(1, "fd", fd));
2609 
2610 	if ((fp = getf(fd)) != NULL) {
2611 		fad = F2A(fp);
2612 
2613 		/*
2614 		 * read operation on this object
2615 		 */
2616 		fad->fad_flags |= FAD_READ;
2617 
2618 		/* add path name to audit record */
2619 		if (fad->fad_aupath != NULL) {
2620 			au_uwrite(au_to_path(fad->fad_aupath));
2621 		}
2622 		audit_attributes(fp->f_vnode);
2623 
2624 		releasef(fd);
2625 	}
2626 }
2627 
2628 static au_event_t
2629 aui_labelsys(au_event_t e)
2630 {
2631 	klwp_t *clwp = ttolwp(curthread);
2632 	uint32_t code;
2633 	uint32_t cmd;
2634 
2635 	struct a {
2636 		long	code;
2637 		long	cmd;
2638 	} *uap = (struct a *)clwp->lwp_ap;
2639 
2640 	code = (uint32_t)uap->code;
2641 	cmd = (uint32_t)uap->cmd;
2642 
2643 	/* not security relevant if not changing kernel cache */
2644 	if (cmd == TNDB_GET)
2645 		return (AUE_NULL);
2646 
2647 	switch (code) {
2648 	case TSOL_TNRH:
2649 		e = AUE_LABELSYS_TNRH;
2650 		break;
2651 	case TSOL_TNRHTP:
2652 		e = AUE_LABELSYS_TNRHTP;
2653 		break;
2654 	case TSOL_TNMLP:
2655 		e = AUE_LABELSYS_TNMLP;
2656 		break;
2657 	default:
2658 		e = AUE_NULL;
2659 		break;
2660 	}
2661 
2662 	return (e);
2663 
2664 }
2665 
2666 static void
2667 aus_labelsys(struct t_audit_data *tad)
2668 {
2669 	klwp_t *clwp = ttolwp(curthread);
2670 	uint32_t cmd;
2671 	uintptr_t a2;
2672 
2673 	struct a {
2674 		long	code;
2675 		long	cmd;
2676 		long	a2;
2677 	} *uap = (struct a *)clwp->lwp_ap;
2678 
2679 	cmd = (uint32_t)uap->cmd;
2680 	a2 = (uintptr_t)uap->a2;
2681 
2682 	switch (tad->tad_event) {
2683 	case AUE_LABELSYS_TNRH:
2684 	{
2685 		tsol_rhent_t	*rhent;
2686 		tnaddr_t	*rh_addr;
2687 
2688 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2689 
2690 		/* Remaining args don't apply for FLUSH, so skip */
2691 		if (cmd == TNDB_FLUSH)
2692 			break;
2693 
2694 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2695 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2696 			kmem_free(rhent, sizeof (tsol_rhent_t));
2697 			return;
2698 		}
2699 
2700 		rh_addr = &rhent->rh_address;
2701 		if (rh_addr->ta_family == AF_INET) {
2702 			struct in_addr	*ipaddr;
2703 
2704 			ipaddr = &(rh_addr->ta_addr_v4);
2705 			au_uwrite(au_to_in_addr(ipaddr));
2706 		} else if (rh_addr->ta_family == AF_INET6) {
2707 			int32_t		*ipaddr;
2708 
2709 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2710 			au_uwrite(au_to_in_addr_ex(ipaddr));
2711 		}
2712 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2713 
2714 		kmem_free(rhent, sizeof (tsol_rhent_t));
2715 
2716 		break;
2717 	}
2718 	case AUE_LABELSYS_TNRHTP:
2719 	{
2720 		tsol_tpent_t	*tpent;
2721 
2722 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2723 
2724 		/* Remaining args don't apply for FLUSH, so skip */
2725 		if (cmd == TNDB_FLUSH)
2726 			break;
2727 
2728 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2729 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2730 			kmem_free(tpent, sizeof (tsol_tpent_t));
2731 			return;
2732 		}
2733 
2734 		/* Make sure that the template name is null-terminated. */
2735 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2736 
2737 		au_uwrite(au_to_text(tpent->name));
2738 		kmem_free(tpent, sizeof (tsol_tpent_t));
2739 
2740 		break;
2741 	}
2742 	case AUE_LABELSYS_TNMLP:
2743 	{
2744 		tsol_mlpent_t	*mlpent;
2745 
2746 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2747 
2748 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2749 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2750 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2751 			return;
2752 		}
2753 
2754 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2755 			au_uwrite(au_to_text("shared"));
2756 		} else {
2757 			zone_t	*zone;
2758 
2759 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2760 			if (zone != NULL) {
2761 				au_uwrite(au_to_text(zone->zone_name));
2762 				zone_rele(zone);
2763 			}
2764 		}
2765 
2766 		/* Remaining args don't apply for FLUSH, so skip */
2767 		if (cmd == TNDB_FLUSH) {
2768 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2769 			break;
2770 		}
2771 
2772 		au_uwrite(au_to_arg32(2, "proto num",
2773 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2774 		au_uwrite(au_to_arg32(2, "mlp_port",
2775 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2776 
2777 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2778 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2779 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2780 
2781 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2782 
2783 		break;
2784 	}
2785 	default:
2786 		break;
2787 	}
2788 }
2789 
2790 
2791 static au_event_t
2792 aui_auditsys(au_event_t e)
2793 {
2794 	klwp_t *clwp = ttolwp(curthread);
2795 	uint32_t code;
2796 
2797 	struct a {
2798 		long	code;
2799 		long	a1;
2800 		long	a2;
2801 		long	a3;
2802 		long	a4;
2803 		long	a5;
2804 		long	a6;
2805 		long	a7;
2806 	} *uap = (struct a *)clwp->lwp_ap;
2807 
2808 	code = (uint32_t)uap->code;
2809 
2810 	switch (code) {
2811 
2812 	case BSM_GETAUID:
2813 		e = AUE_GETAUID;
2814 		break;
2815 	case BSM_SETAUID:
2816 		e = AUE_SETAUID;
2817 		break;
2818 	case BSM_GETAUDIT:
2819 		e = AUE_GETAUDIT;
2820 		break;
2821 	case BSM_GETAUDIT_ADDR:
2822 		e = AUE_GETAUDIT_ADDR;
2823 		break;
2824 	case BSM_SETAUDIT:
2825 		e = AUE_SETAUDIT;
2826 		break;
2827 	case BSM_SETAUDIT_ADDR:
2828 		e = AUE_SETAUDIT_ADDR;
2829 		break;
2830 	case BSM_AUDIT:
2831 		e = AUE_AUDIT;
2832 		break;
2833 	case BSM_AUDITCTL:
2834 		switch ((uint_t)uap->a1) {
2835 
2836 		case A_GETPOLICY:
2837 			e = AUE_AUDITON_GPOLICY;
2838 			break;
2839 		case A_SETPOLICY:
2840 			e = AUE_AUDITON_SPOLICY;
2841 			break;
2842 		case A_GETKMASK:
2843 			e = AUE_AUDITON_GETKMASK;
2844 			break;
2845 		case A_SETKMASK:
2846 			e = AUE_AUDITON_SETKMASK;
2847 			break;
2848 		case A_GETQCTRL:
2849 			e = AUE_AUDITON_GQCTRL;
2850 			break;
2851 		case A_SETQCTRL:
2852 			e = AUE_AUDITON_SQCTRL;
2853 			break;
2854 		case A_GETCWD:
2855 			e = AUE_AUDITON_GETCWD;
2856 			break;
2857 		case A_GETCAR:
2858 			e = AUE_AUDITON_GETCAR;
2859 			break;
2860 		case A_GETSTAT:
2861 			e = AUE_AUDITON_GETSTAT;
2862 			break;
2863 		case A_SETSTAT:
2864 			e = AUE_AUDITON_SETSTAT;
2865 			break;
2866 		case A_SETUMASK:
2867 			e = AUE_AUDITON_SETUMASK;
2868 			break;
2869 		case A_SETSMASK:
2870 			e = AUE_AUDITON_SETSMASK;
2871 			break;
2872 		case A_GETCOND:
2873 			e = AUE_AUDITON_GETCOND;
2874 			break;
2875 		case A_SETCOND:
2876 			e = AUE_AUDITON_SETCOND;
2877 			break;
2878 		case A_GETCLASS:
2879 			e = AUE_AUDITON_GETCLASS;
2880 			break;
2881 		case A_SETCLASS:
2882 			e = AUE_AUDITON_SETCLASS;
2883 			break;
2884 		default:
2885 			e = AUE_NULL;
2886 			break;
2887 		}
2888 		break;
2889 	default:
2890 		e = AUE_NULL;
2891 		break;
2892 	}
2893 
2894 	return (e);
2895 
2896 }	/* AUI_AUDITSYS */
2897 
2898 
2899 static void
2900 aus_auditsys(struct t_audit_data *tad)
2901 {
2902 	klwp_t *clwp = ttolwp(curthread);
2903 	uintptr_t a1, a2;
2904 	STRUCT_DECL(auditinfo, ainfo);
2905 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2906 	au_evclass_map_t event;
2907 	au_mask_t mask;
2908 	int auditstate, policy;
2909 	au_id_t auid;
2910 
2911 
2912 	struct a {
2913 		long	code;
2914 		long	a1;
2915 		long	a2;
2916 		long	a3;
2917 		long	a4;
2918 		long	a5;
2919 		long	a6;
2920 		long	a7;
2921 	} *uap = (struct a *)clwp->lwp_ap;
2922 
2923 	a1   = (uintptr_t)uap->a1;
2924 	a2   = (uintptr_t)uap->a2;
2925 
2926 	switch (tad->tad_event) {
2927 	case AUE_SETAUID:
2928 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2929 				return;
2930 		au_uwrite(au_to_arg32(2, "setauid", auid));
2931 		break;
2932 	case AUE_SETAUDIT:
2933 		STRUCT_INIT(ainfo, get_udatamodel());
2934 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2935 		    STRUCT_SIZE(ainfo))) {
2936 				return;
2937 		}
2938 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2939 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2940 #ifdef _LP64
2941 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2942 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2943 #else
2944 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2945 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2946 #endif
2947 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2948 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2949 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2950 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2951 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2952 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2953 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2954 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2955 		break;
2956 	case AUE_SETAUDIT_ADDR:
2957 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2958 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2959 		    STRUCT_SIZE(ainfo_addr))) {
2960 				return;
2961 		}
2962 		au_uwrite(au_to_arg32((char)1, "auid",
2963 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2964 #ifdef _LP64
2965 		au_uwrite(au_to_arg64((char)1, "port",
2966 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2967 #else
2968 		au_uwrite(au_to_arg32((char)1, "port",
2969 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2970 #endif
2971 		au_uwrite(au_to_arg32((char)1, "type",
2972 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2973 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2974 		    AU_IPv4) {
2975 			au_uwrite(au_to_in_addr(
2976 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2977 			    ai_termid.at_addr)));
2978 		} else {
2979 			au_uwrite(au_to_in_addr_ex(
2980 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
2981 			    ai_termid.at_addr)));
2982 		}
2983 		au_uwrite(au_to_arg32((char)1, "as_success",
2984 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2985 		au_uwrite(au_to_arg32((char)1, "as_failure",
2986 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2987 		au_uwrite(au_to_arg32((char)1, "asid",
2988 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2989 		break;
2990 	case AUE_AUDITON_SETKMASK:
2991 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2992 				return;
2993 		au_uwrite(au_to_arg32(
2994 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
2995 		au_uwrite(au_to_arg32(
2996 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2997 		break;
2998 	case AUE_AUDITON_SPOLICY:
2999 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
3000 			return;
3001 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3002 		break;
3003 	case AUE_AUDITON_SQCTRL: {
3004 		STRUCT_DECL(au_qctrl, qctrl);
3005 		model_t model;
3006 
3007 		model = get_udatamodel();
3008 		STRUCT_INIT(qctrl, model);
3009 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3010 				return;
3011 		if (model == DATAMODEL_ILP32) {
3012 			au_uwrite(au_to_arg32(
3013 			    3, "setqctrl:aq_hiwater",
3014 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3015 			au_uwrite(au_to_arg32(
3016 			    3, "setqctrl:aq_lowater",
3017 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3018 			au_uwrite(au_to_arg32(
3019 			    3, "setqctrl:aq_bufsz",
3020 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3021 			au_uwrite(au_to_arg32(
3022 			    3, "setqctrl:aq_delay",
3023 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3024 		} else {
3025 			au_uwrite(au_to_arg64(
3026 			    3, "setqctrl:aq_hiwater",
3027 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3028 			au_uwrite(au_to_arg64(
3029 			    3, "setqctrl:aq_lowater",
3030 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3031 			au_uwrite(au_to_arg64(
3032 			    3, "setqctrl:aq_bufsz",
3033 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3034 			au_uwrite(au_to_arg64(
3035 			    3, "setqctrl:aq_delay",
3036 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3037 		}
3038 		break;
3039 	}
3040 	case AUE_AUDITON_SETUMASK:
3041 		STRUCT_INIT(ainfo, get_udatamodel());
3042 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3043 		    STRUCT_SIZE(ainfo))) {
3044 			return;
3045 		}
3046 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3047 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3048 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3049 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3050 		break;
3051 	case AUE_AUDITON_SETSMASK:
3052 		STRUCT_INIT(ainfo, get_udatamodel());
3053 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3054 		    STRUCT_SIZE(ainfo))) {
3055 			return;
3056 		}
3057 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3058 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3059 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3060 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3061 		break;
3062 	case AUE_AUDITON_SETCOND:
3063 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3064 			return;
3065 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3066 		break;
3067 	case AUE_AUDITON_SETCLASS:
3068 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3069 			return;
3070 		au_uwrite(au_to_arg32(
3071 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3072 		au_uwrite(au_to_arg32(
3073 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3074 		break;
3075 	case AUE_GETAUID:
3076 	case AUE_GETAUDIT:
3077 	case AUE_GETAUDIT_ADDR:
3078 	case AUE_AUDIT:
3079 	case AUE_AUDITON_GPOLICY:
3080 	case AUE_AUDITON_GQCTRL:
3081 	case AUE_AUDITON_GETKMASK:
3082 	case AUE_AUDITON_GETCWD:
3083 	case AUE_AUDITON_GETCAR:
3084 	case AUE_AUDITON_GETSTAT:
3085 	case AUE_AUDITON_SETSTAT:
3086 	case AUE_AUDITON_GETCOND:
3087 	case AUE_AUDITON_GETCLASS:
3088 		break;
3089 	default:
3090 		break;
3091 	}
3092 
3093 }	/* AUS_AUDITSYS */
3094 
3095 
3096 /* only audit privileged operations for systeminfo(2) system call */
3097 static au_event_t
3098 aui_sysinfo(au_event_t e)
3099 {
3100 	klwp_t *clwp = ttolwp(curthread);
3101 	uint32_t command;
3102 
3103 	struct a {
3104 		long	command;
3105 		long	buf;		/* char * */
3106 		long	count;
3107 	} *uap = (struct a *)clwp->lwp_ap;
3108 
3109 	command = (uint32_t)uap->command;
3110 
3111 	switch (command) {
3112 	case SI_SET_HOSTNAME:
3113 	case SI_SET_SRPC_DOMAIN:
3114 		e = (au_event_t)AUE_SYSINFO;
3115 		break;
3116 	default:
3117 		e = (au_event_t)AUE_NULL;
3118 		break;
3119 	}
3120 	return (e);
3121 }
3122 
3123 /*ARGSUSED*/
3124 static void
3125 aus_sysinfo(struct t_audit_data *tad)
3126 {
3127 	klwp_t *clwp = ttolwp(curthread);
3128 	uint32_t command;
3129 	size_t len, maxlen;
3130 	char *name;
3131 	uintptr_t buf;
3132 
3133 	struct a {
3134 		long	command;
3135 		long	buf;		/* char * */
3136 		long	count;
3137 	} *uap = (struct a *)clwp->lwp_ap;
3138 
3139 	command = (uint32_t)uap->command;
3140 	buf = (uintptr_t)uap->buf;
3141 
3142 	au_uwrite(au_to_arg32(1, "cmd", command));
3143 
3144 	switch (command) {
3145 	case SI_SET_HOSTNAME:
3146 	{
3147 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3148 			return;
3149 
3150 		maxlen = SYS_NMLN;
3151 		name = kmem_alloc(maxlen, KM_SLEEP);
3152 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3153 			break;
3154 
3155 		/*
3156 		 * Must be non-NULL string and string
3157 		 * must be less than SYS_NMLN chars.
3158 		 */
3159 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3160 			break;
3161 
3162 		au_uwrite(au_to_text(name));
3163 		break;
3164 	}
3165 
3166 	case SI_SET_SRPC_DOMAIN:
3167 	{
3168 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3169 			return;
3170 
3171 		maxlen = SYS_NMLN;
3172 		name = kmem_alloc(maxlen, KM_SLEEP);
3173 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3174 			break;
3175 
3176 		/*
3177 		 * If string passed in is longer than length
3178 		 * allowed for domain name, fail.
3179 		 */
3180 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3181 			break;
3182 
3183 		au_uwrite(au_to_text(name));
3184 		break;
3185 	}
3186 
3187 	default:
3188 		return;
3189 	}
3190 
3191 	kmem_free(name, maxlen);
3192 }
3193 
3194 static au_event_t
3195 aui_modctl(au_event_t e)
3196 {
3197 	klwp_t *clwp = ttolwp(curthread);
3198 	uint_t cmd;
3199 
3200 	struct a {
3201 		long	cmd;
3202 	} *uap = (struct a *)clwp->lwp_ap;
3203 
3204 	cmd = (uint_t)uap->cmd;
3205 
3206 	switch (cmd) {
3207 	case MODLOAD:
3208 		e = AUE_MODLOAD;
3209 		break;
3210 	case MODUNLOAD:
3211 		e = AUE_MODUNLOAD;
3212 		break;
3213 	case MODADDMAJBIND:
3214 		e = AUE_MODADDMAJ;
3215 		break;
3216 	case MODSETDEVPOLICY:
3217 		e = AUE_MODDEVPLCY;
3218 		break;
3219 	case MODALLOCPRIV:
3220 		e = AUE_MODADDPRIV;
3221 		break;
3222 	default:
3223 		e = AUE_NULL;
3224 		break;
3225 	}
3226 	return (e);
3227 }
3228 
3229 
3230 /*ARGSUSED*/
3231 static void
3232 aus_modctl(struct t_audit_data *tad)
3233 {
3234 	klwp_t *clwp = ttolwp(curthread);
3235 	void *a	= clwp->lwp_ap;
3236 	uint_t use_path;
3237 
3238 	switch (tad->tad_event) {
3239 	case AUE_MODLOAD: {
3240 		typedef struct {
3241 			long	cmd;
3242 			long	use_path;
3243 			long	filename;		/* char * */
3244 		} modloada_t;
3245 
3246 		char *filenamep;
3247 		uintptr_t fname;
3248 		extern char *default_path;
3249 
3250 		fname = (uintptr_t)((modloada_t *)a)->filename;
3251 		use_path = (uint_t)((modloada_t *)a)->use_path;
3252 
3253 			/* space to hold path */
3254 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3255 			/* get string */
3256 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3257 				/* free allocated path */
3258 			kmem_free(filenamep, MOD_MAXPATH);
3259 			return;
3260 		}
3261 			/* ensure it's null terminated */
3262 		filenamep[MOD_MAXPATH - 1] = 0;
3263 
3264 		if (use_path)
3265 			au_uwrite(au_to_text(default_path));
3266 		au_uwrite(au_to_text(filenamep));
3267 
3268 			/* release temporary memory */
3269 		kmem_free(filenamep, MOD_MAXPATH);
3270 		break;
3271 	}
3272 	case AUE_MODUNLOAD: {
3273 		typedef struct {
3274 			long	cmd;
3275 			long	id;
3276 		} modunloada_t;
3277 
3278 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3279 
3280 		au_uwrite(au_to_arg32(1, "id", id));
3281 		break;
3282 	}
3283 	case AUE_MODADDMAJ: {
3284 		STRUCT_DECL(modconfig, mc);
3285 		typedef struct {
3286 			long	cmd;
3287 			long	subcmd;
3288 			long	data;		/* int * */
3289 		} modconfiga_t;
3290 
3291 		STRUCT_DECL(aliases, alias);
3292 		caddr_t ap;
3293 		int i, num_aliases;
3294 		char *drvname, *mc_drvname;
3295 		char *name;
3296 		extern char *ddi_major_to_name(major_t);
3297 		model_t model;
3298 
3299 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3300 
3301 		model = get_udatamodel();
3302 		STRUCT_INIT(mc, model);
3303 			/* sanitize buffer */
3304 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3305 			/* get user arguments */
3306 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3307 		    STRUCT_SIZE(mc)) != 0)
3308 			return;
3309 
3310 		mc_drvname = STRUCT_FGET(mc, drvname);
3311 		if ((drvname = ddi_major_to_name(
3312 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3313 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3314 				/* safety */
3315 			if (mc_drvname[0] != '\0') {
3316 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3317 				au_uwrite(au_to_text(mc_drvname));
3318 			}
3319 				/* drvname != NULL from test above */
3320 			au_uwrite(au_to_text(drvname));
3321 			return;
3322 		}
3323 
3324 		if (mc_drvname[0] != '\0') {
3325 				/* safety */
3326 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3327 			au_uwrite(au_to_text(mc_drvname));
3328 		} else
3329 			au_uwrite(au_to_text("no drvname"));
3330 
3331 		num_aliases = STRUCT_FGET(mc, num_aliases);
3332 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3333 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3334 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3335 		STRUCT_INIT(alias, model);
3336 		for (i = 0; i < num_aliases; i++) {
3337 			bzero((caddr_t)STRUCT_BUF(alias),
3338 			    STRUCT_SIZE(alias));
3339 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3340 			    STRUCT_SIZE(alias)) != 0)
3341 				break;
3342 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3343 			    MAXMODCONFNAME, NULL) != 0) {
3344 				break;
3345 			}
3346 
3347 			au_uwrite(au_to_text(name));
3348 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3349 		}
3350 		kmem_free(name, MAXMODCONFNAME);
3351 		break;
3352 	}
3353 	default:
3354 		break;
3355 	}
3356 }
3357 
3358 
3359 /*ARGSUSED*/
3360 static void
3361 auf_accept(
3362 	struct t_audit_data *tad,
3363 	int	error,
3364 	rval_t	*rval)
3365 {
3366 	uint32_t scid;
3367 	uint32_t sy_flags;
3368 	int fd;
3369 	struct sonode *so;
3370 	char so_laddr[sizeof (struct sockaddr_in6)];
3371 	char so_faddr[sizeof (struct sockaddr_in6)];
3372 	int err;
3373 	short so_family, so_type;
3374 	int add_sock_token = 0;
3375 
3376 	/* need to determine type of executing binary */
3377 	scid = tad->tad_scid;
3378 #ifdef _SYSCALL32_IMPL
3379 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3380 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3381 	else
3382 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3383 #else
3384 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3385 #endif
3386 	if (sy_flags == SE_32RVAL1)
3387 		fd = rval->r_val1;
3388 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3389 		fd = rval->r_val1;
3390 	if (sy_flags == SE_64RVAL)
3391 		fd = (int)rval->r_vals;
3392 
3393 	if (error) {
3394 		/* can't trust socket contents. Just return */
3395 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3396 		return;
3397 	}
3398 
3399 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3400 		/*
3401 		 * not security relevant if doing a accept from non socket
3402 		 * so no extra tokens. Should probably turn off audit record
3403 		 * generation here.
3404 		 */
3405 		return;
3406 	}
3407 
3408 	so_family = so->so_family;
3409 	so_type   = so->so_type;
3410 
3411 	switch (so_family) {
3412 	case AF_INET:
3413 	case AF_INET6:
3414 		/*
3415 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3416 		 */
3417 		if (so->so_type == SOCK_STREAM) {
3418 			socklen_t len;
3419 
3420 			bzero((void *)so_laddr, sizeof (so_laddr));
3421 			bzero((void *)so_faddr, sizeof (so_faddr));
3422 
3423 			len = sizeof (so_laddr);
3424 			(void) socket_getsockname(so,
3425 			    (struct sockaddr *)so_laddr, &len, CRED());
3426 			len = sizeof (so_faddr);
3427 			(void) socket_getpeername(so,
3428 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3429 
3430 			add_sock_token = 1;
3431 		}
3432 		break;
3433 
3434 	default:
3435 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3436 		break;
3437 	}
3438 
3439 	releasef(fd);
3440 
3441 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3442 
3443 	if (add_sock_token == 0) {
3444 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3445 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3446 		return;
3447 	}
3448 
3449 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3450 
3451 }
3452 
3453 /*ARGSUSED*/
3454 static void
3455 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3456 {
3457 	struct a {
3458 		long	fd;
3459 		long	addr;
3460 		long	len;
3461 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3462 
3463 	struct sonode *so;
3464 	char so_laddr[sizeof (struct sockaddr_in6)];
3465 	char so_faddr[sizeof (struct sockaddr_in6)];
3466 	int err, fd;
3467 	socklen_t len;
3468 	short so_family, so_type;
3469 	int add_sock_token = 0;
3470 
3471 	fd = (int)uap->fd;
3472 
3473 	/*
3474 	 * bind failed, then nothing extra to add to audit record.
3475 	 */
3476 	if (error) {
3477 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3478 		/* XXX may want to add failed address some day */
3479 		return;
3480 	}
3481 
3482 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3483 		/*
3484 		 * not security relevant if doing a bind from non socket
3485 		 * so no extra tokens. Should probably turn off audit record
3486 		 * generation here.
3487 		 */
3488 		return;
3489 	}
3490 
3491 	so_family = so->so_family;
3492 	so_type   = so->so_type;
3493 
3494 	switch (so_family) {
3495 	case AF_INET:
3496 	case AF_INET6:
3497 
3498 		bzero(so_faddr, sizeof (so_faddr));
3499 		len = sizeof (so_faddr);
3500 
3501 		(void) socket_getpeername(so,
3502 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3503 		add_sock_token = 1;
3504 
3505 		break;
3506 
3507 	case AF_UNIX:
3508 		/* token added by lookup */
3509 		break;
3510 	default:
3511 		/* AF_ROUTE, AF_KEY do not support accept */
3512 		break;
3513 	}
3514 
3515 	releasef(fd);
3516 
3517 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3518 
3519 	if (add_sock_token == 0) {
3520 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3521 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3522 		return;
3523 	}
3524 
3525 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3526 
3527 }
3528 
3529 /*ARGSUSED*/
3530 static void
3531 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3532 {
3533 	struct a {
3534 		long	fd;
3535 		long	addr;
3536 		long	len;
3537 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3538 
3539 	struct sonode *so;
3540 	char so_laddr[sizeof (struct sockaddr_in6)];
3541 	char so_faddr[sizeof (struct sockaddr_in6)];
3542 	int err, fd;
3543 	socklen_t len;
3544 	short so_family, so_type;
3545 	int add_sock_token = 0;
3546 
3547 	fd = (int)uap->fd;
3548 
3549 
3550 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3551 		/*
3552 		 * not security relevant if doing a connect from non socket
3553 		 * so no extra tokens. Should probably turn off audit record
3554 		 * generation here.
3555 		 */
3556 		return;
3557 	}
3558 
3559 	so_family = so->so_family;
3560 	so_type   = so->so_type;
3561 
3562 	switch (so_family) {
3563 	case AF_INET:
3564 	case AF_INET6:
3565 
3566 		bzero(so_laddr, sizeof (so_laddr));
3567 		bzero(so_faddr, sizeof (so_faddr));
3568 
3569 		len = sizeof (so_laddr);
3570 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3571 		    &len, CRED());
3572 		if (error) {
3573 			if (uap->addr == NULL)
3574 				break;
3575 			if (uap->len <= 0)
3576 				break;
3577 			len = min(uap->len, sizeof (so_faddr));
3578 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3579 				break;
3580 #ifdef NOTYET
3581 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3582 #endif
3583 		} else {
3584 			/* sanity check on length */
3585 			len = sizeof (so_faddr);
3586 			(void) socket_getpeername(so,
3587 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3588 		}
3589 
3590 		add_sock_token = 1;
3591 
3592 		break;
3593 
3594 	case AF_UNIX:
3595 		/* does a lookup on name */
3596 		break;
3597 
3598 	default:
3599 		/* AF_ROUTE, AF_KEY do not support accept */
3600 		break;
3601 	}
3602 
3603 	releasef(fd);
3604 
3605 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3606 
3607 	if (add_sock_token == 0) {
3608 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3609 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3610 		return;
3611 	}
3612 
3613 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3614 
3615 }
3616 
3617 /*ARGSUSED*/
3618 static void
3619 aus_shutdown(struct t_audit_data *tad)
3620 {
3621 	struct a {
3622 		long	fd;
3623 		long	how;
3624 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3625 
3626 	struct sonode *so;
3627 	char so_laddr[sizeof (struct sockaddr_in6)];
3628 	char so_faddr[sizeof (struct sockaddr_in6)];
3629 	int err, fd;
3630 	socklen_t len;
3631 	short so_family, so_type;
3632 	int add_sock_token = 0;
3633 	file_t *fp;				/* unix domain sockets */
3634 	struct f_audit_data *fad;		/* unix domain sockets */
3635 
3636 	fd = (int)uap->fd;
3637 
3638 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3639 		/*
3640 		 * not security relevant if doing a shutdown using non socket
3641 		 * so no extra tokens. Should probably turn off audit record
3642 		 * generation here.
3643 		 */
3644 		return;
3645 	}
3646 
3647 	so_family = so->so_family;
3648 	so_type   = so->so_type;
3649 
3650 	switch (so_family) {
3651 	case AF_INET:
3652 	case AF_INET6:
3653 
3654 		bzero(so_laddr, sizeof (so_laddr));
3655 		bzero(so_faddr, sizeof (so_faddr));
3656 
3657 		len = sizeof (so_laddr);
3658 		(void) socket_getsockname(so,
3659 		    (struct sockaddr *)so_laddr, &len, CRED());
3660 		len = sizeof (so_faddr);
3661 		(void) socket_getpeername(so,
3662 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3663 
3664 		add_sock_token = 1;
3665 
3666 		break;
3667 
3668 	case AF_UNIX:
3669 
3670 		/* get path from file struct here */
3671 		fad = F2A(fp);
3672 		ASSERT(fad);
3673 
3674 		if (fad->fad_aupath != NULL) {
3675 			au_uwrite(au_to_path(fad->fad_aupath));
3676 		} else {
3677 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3678 		}
3679 
3680 		audit_attributes(fp->f_vnode);
3681 
3682 		break;
3683 
3684 	default:
3685 		/*
3686 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3687 		 * added.
3688 		 */
3689 		break;
3690 	}
3691 
3692 	releasef(fd);
3693 
3694 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3695 
3696 	if (add_sock_token == 0) {
3697 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3698 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3699 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3700 		return;
3701 	}
3702 
3703 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3704 
3705 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3706 
3707 }
3708 
3709 /*ARGSUSED*/
3710 static void
3711 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3712 {
3713 	struct a {
3714 		long	fd;
3715 		long	level;
3716 		long	optname;
3717 		long	*optval;
3718 		long	optlen;
3719 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3720 
3721 	struct sonode	*so;
3722 	char so_laddr[sizeof (struct sockaddr_in6)];
3723 	char so_faddr[sizeof (struct sockaddr_in6)];
3724 	char		val[AU_BUFSIZE];
3725 	int		err, fd;
3726 	socklen_t	len;
3727 	short so_family, so_type;
3728 	int		add_sock_token = 0;
3729 	file_t *fp;				/* unix domain sockets */
3730 	struct f_audit_data *fad;		/* unix domain sockets */
3731 
3732 	fd = (int)uap->fd;
3733 
3734 	if (error) {
3735 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3736 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3737 		/* XXX may want to include other arguments */
3738 		return;
3739 	}
3740 
3741 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3742 		/*
3743 		 * not security relevant if doing a setsockopt from non socket
3744 		 * so no extra tokens. Should probably turn off audit record
3745 		 * generation here.
3746 		 */
3747 		return;
3748 	}
3749 
3750 	so_family = so->so_family;
3751 	so_type   = so->so_type;
3752 
3753 	switch (so_family) {
3754 	case AF_INET:
3755 	case AF_INET6:
3756 		bzero((void *)so_laddr, sizeof (so_laddr));
3757 		bzero((void *)so_faddr, sizeof (so_faddr));
3758 
3759 		/* get local and foreign addresses */
3760 		len = sizeof (so_laddr);
3761 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3762 		    &len, CRED());
3763 		len = sizeof (so_faddr);
3764 		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3765 		    &len, B_FALSE, CRED());
3766 
3767 		add_sock_token = 1;
3768 
3769 		break;
3770 
3771 	case AF_UNIX:
3772 
3773 		/* get path from file struct here */
3774 		fad = F2A(fp);
3775 		ASSERT(fad);
3776 
3777 		if (fad->fad_aupath != NULL) {
3778 			au_uwrite(au_to_path(fad->fad_aupath));
3779 		} else {
3780 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3781 		}
3782 
3783 		audit_attributes(fp->f_vnode);
3784 
3785 		break;
3786 
3787 	default:
3788 		/*
3789 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3790 		 * added.
3791 		 */
3792 		break;
3793 	}
3794 
3795 	releasef(fd);
3796 
3797 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3798 
3799 	if (add_sock_token == 0) {
3800 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3801 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3802 	}
3803 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3804 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3805 
3806 	bzero(val, sizeof (val));
3807 	len = min(uap->optlen, sizeof (val));
3808 	if ((len > 0) &&
3809 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3810 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3811 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3812 	}
3813 
3814 	if (add_sock_token == 0)
3815 		return;
3816 
3817 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3818 
3819 }
3820 
3821 /*ARGSUSED*/
3822 static void
3823 aus_sockconfig(tad)
3824 	struct t_audit_data *tad;
3825 {
3826 	struct a {
3827 		long	domain;
3828 		long	type;
3829 		long	protocol;
3830 		long	devpath;
3831 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3832 
3833 	char	*kdevpath;
3834 	int	kdevpathlen = MAXPATHLEN + 1;
3835 	size_t	size;
3836 
3837 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3838 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3839 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3840 
3841 	if (uap->devpath == 0) {
3842 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3843 	} else {
3844 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3845 
3846 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3847 			&size)) {
3848 			kmem_free(kdevpath, kdevpathlen);
3849 			return;
3850 		}
3851 
3852 		if (size > MAXPATHLEN) {
3853 			kmem_free(kdevpath, kdevpathlen);
3854 			return;
3855 		}
3856 
3857 		au_uwrite(au_to_text(kdevpath));
3858 		kmem_free(kdevpath, kdevpathlen);
3859 	}
3860 }
3861 
3862 /*
3863  * only audit recvmsg when the system call represents the creation of a new
3864  * circuit. This effectively occurs for all UDP packets and may occur for
3865  * special TCP situations where the local host has not set a local address
3866  * in the socket structure.
3867  */
3868 /*ARGSUSED*/
3869 static void
3870 auf_recvmsg(
3871 	struct t_audit_data *tad,
3872 	int error,
3873 	rval_t *rvp)
3874 {
3875 	struct a {
3876 		long	fd;
3877 		long	msg;	/* struct msghdr */
3878 		long	flags;
3879 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3880 
3881 	struct sonode	*so;
3882 	STRUCT_DECL(msghdr, msg);
3883 	caddr_t msg_name;
3884 	socklen_t msg_namelen;
3885 	int fd;
3886 	int err;
3887 	char so_laddr[sizeof (struct sockaddr_in6)];
3888 	char so_faddr[sizeof (struct sockaddr_in6)];
3889 	socklen_t len;
3890 	file_t *fp;				/* unix domain sockets */
3891 	struct f_audit_data *fad;		/* unix domain sockets */
3892 	short so_family, so_type;
3893 	int add_sock_token = 0;
3894 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3895 
3896 	fd = (int)uap->fd;
3897 
3898 	/* bail if an error */
3899 	if (error) {
3900 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3901 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3902 		return;
3903 	}
3904 
3905 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3906 		/*
3907 		 * not security relevant if doing a recvmsg from non socket
3908 		 * so no extra tokens. Should probably turn off audit record
3909 		 * generation here.
3910 		 */
3911 		return;
3912 	}
3913 
3914 	so_family = so->so_family;
3915 	so_type   = so->so_type;
3916 
3917 	/*
3918 	 * only putout SOCKET_EX token if INET/INET6 family.
3919 	 * XXX - what do we do about other families?
3920 	 */
3921 
3922 	switch (so_family) {
3923 	case AF_INET:
3924 	case AF_INET6:
3925 
3926 		/*
3927 		 * if datagram type socket, then just use what is in
3928 		 * socket structure for local address.
3929 		 * XXX - what do we do for other types?
3930 		 */
3931 		if ((so->so_type == SOCK_DGRAM) ||
3932 		    (so->so_type == SOCK_RAW)) {
3933 			add_sock_token = 1;
3934 
3935 			bzero((void *)so_laddr, sizeof (so_laddr));
3936 			bzero((void *)so_faddr, sizeof (so_faddr));
3937 
3938 			/* get local address */
3939 			len = sizeof (so_laddr);
3940 			(void) socket_getsockname(so,
3941 			    (struct sockaddr *)so_laddr, &len, CRED());
3942 
3943 			/* get peer address */
3944 			STRUCT_INIT(msg, get_udatamodel());
3945 
3946 			if (copyin((caddr_t)(uap->msg),
3947 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3948 				break;
3949 			}
3950 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3951 			if (msg_name == NULL) {
3952 				break;
3953 			}
3954 
3955 			/* length is value from recvmsg - sanity check */
3956 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3957 			if (msg_namelen == 0) {
3958 				break;
3959 			}
3960 			if (copyin(msg_name, so_faddr,
3961 			    sizeof (so_faddr)) != 0) {
3962 				break;
3963 			}
3964 
3965 		} else if (so->so_type == SOCK_STREAM) {
3966 
3967 			/* get path from file struct here */
3968 			fad = F2A(fp);
3969 			ASSERT(fad);
3970 
3971 			/*
3972 			 * already processed this file for read attempt
3973 			 */
3974 			if (fad->fad_flags & FAD_READ) {
3975 				/* don't want to audit every recvmsg attempt */
3976 				tad->tad_flag = 0;
3977 				/* free any residual audit data */
3978 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
3979 				releasef(fd);
3980 				return;
3981 			}
3982 			/*
3983 			 * mark things so we know what happened and don't
3984 			 * repeat things
3985 			 */
3986 			fad->fad_flags |= FAD_READ;
3987 
3988 			bzero((void *)so_laddr, sizeof (so_laddr));
3989 			bzero((void *)so_faddr, sizeof (so_faddr));
3990 
3991 			/* get local and foreign addresses */
3992 			len = sizeof (so_laddr);
3993 			(void) socket_getsockname(so,
3994 			    (struct sockaddr *)so_laddr, &len, CRED());
3995 			len = sizeof (so_faddr);
3996 			(void) socket_getpeername(so,
3997 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3998 
3999 			add_sock_token = 1;
4000 		}
4001 
4002 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4003 
4004 		break;
4005 
4006 	case AF_UNIX:
4007 		/*
4008 		 * first check if this is first time through. Too much
4009 		 * duplicate code to put this in an aui_ routine.
4010 		 */
4011 
4012 		/* get path from file struct here */
4013 		fad = F2A(fp);
4014 		ASSERT(fad);
4015 
4016 		/*
4017 		 * already processed this file for read attempt
4018 		 */
4019 		if (fad->fad_flags & FAD_READ) {
4020 			releasef(fd);
4021 			/* don't want to audit every recvmsg attempt */
4022 			tad->tad_flag = 0;
4023 			/* free any residual audit data */
4024 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4025 			return;
4026 		}
4027 		/*
4028 		 * mark things so we know what happened and don't
4029 		 * repeat things
4030 		 */
4031 		fad->fad_flags |= FAD_READ;
4032 
4033 		if (fad->fad_aupath != NULL) {
4034 			au_uwrite(au_to_path(fad->fad_aupath));
4035 		} else {
4036 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4037 		}
4038 
4039 		audit_attributes(fp->f_vnode);
4040 
4041 		releasef(fd);
4042 
4043 		return;
4044 
4045 	default:
4046 		break;
4047 
4048 	}
4049 
4050 	releasef(fd);
4051 
4052 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4053 
4054 	if (add_sock_token == 0) {
4055 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4056 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4057 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4058 		return;
4059 	}
4060 
4061 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4062 
4063 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4064 
4065 }
4066 
4067 /*ARGSUSED*/
4068 static void
4069 auf_recvfrom(
4070 	struct t_audit_data *tad,
4071 	int error,
4072 	rval_t *rvp)
4073 {
4074 
4075 	struct a {
4076 		long	fd;
4077 		long	msg;	/* char */
4078 		long	len;
4079 		long	flags;
4080 		long	from;	/* struct sockaddr */
4081 		long	fromlen;
4082 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4083 
4084 	socklen_t	fromlen;
4085 	struct sonode	*so;
4086 	char so_laddr[sizeof (struct sockaddr_in6)];
4087 	char so_faddr[sizeof (struct sockaddr_in6)];
4088 	int		fd;
4089 	short so_family, so_type;
4090 	int add_sock_token = 0;
4091 	socklen_t len;
4092 	int err;
4093 	struct file *fp;
4094 	struct f_audit_data *fad;		/* unix domain sockets */
4095 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4096 
4097 	fd = (int)uap->fd;
4098 
4099 	/* bail if an error */
4100 	if (error) {
4101 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4102 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4103 		return;
4104 	}
4105 
4106 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4107 		/*
4108 		 * not security relevant if doing a recvmsg from non socket
4109 		 * so no extra tokens. Should probably turn off audit record
4110 		 * generation here.
4111 		 */
4112 		return;
4113 	}
4114 
4115 	so_family = so->so_family;
4116 	so_type   = so->so_type;
4117 
4118 	/*
4119 	 * only putout SOCKET_EX token if INET/INET6 family.
4120 	 * XXX - what do we do about other families?
4121 	 */
4122 
4123 	switch (so_family) {
4124 	case AF_INET:
4125 	case AF_INET6:
4126 
4127 		/*
4128 		 * if datagram type socket, then just use what is in
4129 		 * socket structure for local address.
4130 		 * XXX - what do we do for other types?
4131 		 */
4132 		if ((so->so_type == SOCK_DGRAM) ||
4133 		    (so->so_type == SOCK_RAW)) {
4134 			add_sock_token = 1;
4135 
4136 			/* get local address */
4137 			len = sizeof (so_laddr);
4138 			(void) socket_getsockname(so,
4139 			    (struct sockaddr *)so_laddr, &len, CRED());
4140 
4141 			/* get peer address */
4142 			bzero((void *)so_faddr, sizeof (so_faddr));
4143 
4144 			/* sanity check */
4145 			if (uap->from == NULL)
4146 				break;
4147 
4148 			/* sanity checks */
4149 			if (uap->fromlen == 0)
4150 				break;
4151 
4152 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4153 			    sizeof (fromlen)) != 0)
4154 				break;
4155 
4156 			if (fromlen == 0)
4157 				break;
4158 
4159 			/* enforce maximum size */
4160 			if (fromlen > sizeof (so_faddr))
4161 				fromlen = sizeof (so_faddr);
4162 
4163 			if (copyin((caddr_t)(uap->from), so_faddr,
4164 			    fromlen) != 0)
4165 				break;
4166 
4167 		} else if (so->so_type == SOCK_STREAM) {
4168 
4169 			/* get path from file struct here */
4170 			fad = F2A(fp);
4171 			ASSERT(fad);
4172 
4173 			/*
4174 			 * already processed this file for read attempt
4175 			 */
4176 			if (fad->fad_flags & FAD_READ) {
4177 				/* don't want to audit every recvfrom attempt */
4178 				tad->tad_flag = 0;
4179 				/* free any residual audit data */
4180 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4181 				releasef(fd);
4182 				return;
4183 			}
4184 			/*
4185 			 * mark things so we know what happened and don't
4186 			 * repeat things
4187 			 */
4188 			fad->fad_flags |= FAD_READ;
4189 
4190 			bzero((void *)so_laddr, sizeof (so_laddr));
4191 			bzero((void *)so_faddr, sizeof (so_faddr));
4192 
4193 			/* get local and foreign addresses */
4194 			len = sizeof (so_laddr);
4195 			(void) socket_getsockname(so,
4196 			    (struct sockaddr *)so_laddr, &len, CRED());
4197 			len = sizeof (so_faddr);
4198 			(void) socket_getpeername(so,
4199 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4200 
4201 			add_sock_token = 1;
4202 		}
4203 
4204 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4205 
4206 		break;
4207 
4208 	case AF_UNIX:
4209 		/*
4210 		 * first check if this is first time through. Too much
4211 		 * duplicate code to put this in an aui_ routine.
4212 		 */
4213 
4214 		/* get path from file struct here */
4215 		fad = F2A(fp);
4216 		ASSERT(fad);
4217 
4218 		/*
4219 		 * already processed this file for read attempt
4220 		 */
4221 		if (fad->fad_flags & FAD_READ) {
4222 			/* don't want to audit every recvfrom attempt */
4223 			tad->tad_flag = 0;
4224 			/* free any residual audit data */
4225 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4226 			releasef(fd);
4227 			return;
4228 		}
4229 		/*
4230 		 * mark things so we know what happened and don't
4231 		 * repeat things
4232 		 */
4233 		fad->fad_flags |= FAD_READ;
4234 
4235 		if (fad->fad_aupath != NULL) {
4236 			au_uwrite(au_to_path(fad->fad_aupath));
4237 		} else {
4238 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4239 		}
4240 
4241 		audit_attributes(fp->f_vnode);
4242 
4243 		releasef(fd);
4244 
4245 		return;
4246 
4247 	default:
4248 		break;
4249 
4250 	}
4251 
4252 	releasef(fd);
4253 
4254 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4255 
4256 	if (add_sock_token == 0) {
4257 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4258 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4259 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4260 		return;
4261 	}
4262 
4263 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4264 
4265 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4266 }
4267 
4268 /*ARGSUSED*/
4269 static void
4270 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4271 {
4272 	struct a {
4273 		long	fd;
4274 		long	msg;	/* struct msghdr */
4275 		long	flags;
4276 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4277 
4278 	struct sonode	*so;
4279 	char so_laddr[sizeof (struct sockaddr_in6)];
4280 	char so_faddr[sizeof (struct sockaddr_in6)];
4281 	int		err;
4282 	int		fd;
4283 	short so_family, so_type;
4284 	int		add_sock_token = 0;
4285 	socklen_t	len;
4286 	struct file	*fp;
4287 	struct f_audit_data *fad;
4288 	caddr_t		msg_name;
4289 	socklen_t	msg_namelen;
4290 	STRUCT_DECL(msghdr, msg);
4291 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4292 
4293 	fd = (int)uap->fd;
4294 
4295 	/* bail if an error */
4296 	if (error) {
4297 		/* XXX include destination address from system call arguments */
4298 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4299 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4300 		return;
4301 	}
4302 
4303 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4304 		/*
4305 		 * not security relevant if doing a sendmsg from non socket
4306 		 * so no extra tokens. Should probably turn off audit record
4307 		 * generation here.
4308 		 */
4309 		return;
4310 	}
4311 
4312 	so_family = so->so_family;
4313 	so_type   = so->so_type;
4314 
4315 	switch (so_family) {
4316 	case AF_INET:
4317 	case AF_INET6:
4318 		/*
4319 		 * if datagram type socket, then just use what is in
4320 		 * socket structure for local address.
4321 		 * XXX - what do we do for other types?
4322 		 */
4323 		if ((so->so_type == SOCK_DGRAM) ||
4324 		    (so->so_type == SOCK_RAW)) {
4325 
4326 			bzero((void *)so_laddr, sizeof (so_laddr));
4327 			bzero((void *)so_faddr, sizeof (so_faddr));
4328 
4329 			/* get local address */
4330 			len = sizeof (so_laddr);
4331 			(void) socket_getsockname(so,
4332 			    (struct sockaddr *)so_laddr, &len, CRED());
4333 
4334 			/* get peer address */
4335 			STRUCT_INIT(msg, get_udatamodel());
4336 
4337 			if (copyin((caddr_t)(uap->msg),
4338 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4339 				break;
4340 			}
4341 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4342 			if (msg_name == NULL)
4343 				break;
4344 
4345 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4346 			/* length is value from recvmsg - sanity check */
4347 			if (msg_namelen == 0)
4348 				break;
4349 
4350 			if (copyin(msg_name, so_faddr,
4351 			    sizeof (so_faddr)) != 0)
4352 				break;
4353 
4354 			add_sock_token = 1;
4355 
4356 		} else if (so->so_type == SOCK_STREAM) {
4357 
4358 			/* get path from file struct here */
4359 			fad = F2A(fp);
4360 			ASSERT(fad);
4361 
4362 			/*
4363 			 * already processed this file for write attempt
4364 			 */
4365 			if (fad->fad_flags & FAD_WRITE) {
4366 				releasef(fd);
4367 				/* don't want to audit every sendmsg attempt */
4368 				tad->tad_flag = 0;
4369 				/* free any residual audit data */
4370 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4371 				return;
4372 			}
4373 
4374 			/*
4375 			 * mark things so we know what happened and don't
4376 			 * repeat things
4377 			 */
4378 			fad->fad_flags |= FAD_WRITE;
4379 
4380 			bzero((void *)so_laddr, sizeof (so_laddr));
4381 			bzero((void *)so_faddr, sizeof (so_faddr));
4382 
4383 			/* get local and foreign addresses */
4384 			len = sizeof (so_laddr);
4385 			(void) socket_getsockname(so,
4386 			    (struct sockaddr *)so_laddr, &len, CRED());
4387 			len = sizeof (so_faddr);
4388 			(void) socket_getpeername(so,
4389 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4390 
4391 			add_sock_token = 1;
4392 		}
4393 
4394 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4395 
4396 		break;
4397 
4398 	case AF_UNIX:
4399 		/*
4400 		 * first check if this is first time through. Too much
4401 		 * duplicate code to put this in an aui_ routine.
4402 		 */
4403 
4404 		/* get path from file struct here */
4405 		fad = F2A(fp);
4406 		ASSERT(fad);
4407 
4408 		/*
4409 		 * already processed this file for write attempt
4410 		 */
4411 		if (fad->fad_flags & FAD_WRITE) {
4412 			releasef(fd);
4413 			/* don't want to audit every sendmsg attempt */
4414 			tad->tad_flag = 0;
4415 			/* free any residual audit data */
4416 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4417 			return;
4418 		}
4419 		/*
4420 		 * mark things so we know what happened and don't
4421 		 * repeat things
4422 		 */
4423 		fad->fad_flags |= FAD_WRITE;
4424 
4425 		if (fad->fad_aupath != NULL) {
4426 			au_uwrite(au_to_path(fad->fad_aupath));
4427 		} else {
4428 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4429 		}
4430 
4431 		audit_attributes(fp->f_vnode);
4432 
4433 		releasef(fd);
4434 
4435 		return;
4436 
4437 	default:
4438 		break;
4439 	}
4440 
4441 	releasef(fd);
4442 
4443 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4444 
4445 	if (add_sock_token == 0) {
4446 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4447 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4448 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4449 		return;
4450 	}
4451 
4452 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4453 
4454 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4455 }
4456 
4457 /*ARGSUSED*/
4458 static void
4459 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4460 {
4461 	struct a {
4462 		long	fd;
4463 		long	msg;	/* char */
4464 		long	len;
4465 		long	flags;
4466 		long	to;	/* struct sockaddr */
4467 		long	tolen;
4468 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4469 
4470 	struct sonode	*so;
4471 	char so_laddr[sizeof (struct sockaddr_in6)];
4472 	char so_faddr[sizeof (struct sockaddr_in6)];
4473 	socklen_t	tolen;
4474 	int		err;
4475 	int		fd;
4476 	socklen_t	len;
4477 	short so_family, so_type;
4478 	int		add_sock_token = 0;
4479 	struct file	*fp;
4480 	struct f_audit_data *fad;
4481 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4482 
4483 	fd = (int)uap->fd;
4484 
4485 	/* bail if an error */
4486 	if (error) {
4487 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4488 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4489 		/* XXX include destination address from system call arguments */
4490 		return;
4491 	}
4492 
4493 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4494 		/*
4495 		 * not security relevant if doing a sendto using non socket
4496 		 * so no extra tokens. Should probably turn off audit record
4497 		 * generation here.
4498 		 */
4499 		return;
4500 	}
4501 
4502 	so_family = so->so_family;
4503 	so_type   = so->so_type;
4504 
4505 	/*
4506 	 * only putout SOCKET_EX token if INET/INET6 family.
4507 	 * XXX - what do we do about other families?
4508 	 */
4509 
4510 	switch (so_family) {
4511 	case AF_INET:
4512 	case AF_INET6:
4513 
4514 		/*
4515 		 * if datagram type socket, then just use what is in
4516 		 * socket structure for local address.
4517 		 * XXX - what do we do for other types?
4518 		 */
4519 		if ((so->so_type == SOCK_DGRAM) ||
4520 		    (so->so_type == SOCK_RAW)) {
4521 
4522 			bzero((void *)so_laddr, sizeof (so_laddr));
4523 			bzero((void *)so_faddr, sizeof (so_faddr));
4524 
4525 			/* get local address */
4526 			len = sizeof (so_laddr);
4527 			(void) socket_getsockname(so,
4528 			    (struct sockaddr *)so_laddr, &len, CRED());
4529 
4530 			/* get peer address */
4531 
4532 			/* sanity check */
4533 			if (uap->to == NULL)
4534 				break;
4535 
4536 			/* sanity checks */
4537 			if (uap->tolen == 0)
4538 				break;
4539 
4540 			tolen = (socklen_t)uap->tolen;
4541 
4542 			/* enforce maximum size */
4543 			if (tolen > sizeof (so_faddr))
4544 				tolen = sizeof (so_faddr);
4545 
4546 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4547 				break;
4548 
4549 			add_sock_token = 1;
4550 		} else {
4551 			/*
4552 			 * check if this is first time through.
4553 			 */
4554 
4555 			/* get path from file struct here */
4556 			fad = F2A(fp);
4557 			ASSERT(fad);
4558 
4559 			/*
4560 			 * already processed this file for write attempt
4561 			 */
4562 			if (fad->fad_flags & FAD_WRITE) {
4563 				/* don't want to audit every sendto attempt */
4564 				tad->tad_flag = 0;
4565 				/* free any residual audit data */
4566 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4567 				releasef(fd);
4568 				return;
4569 			}
4570 			/*
4571 			 * mark things so we know what happened and don't
4572 			 * repeat things
4573 			 */
4574 			fad->fad_flags |= FAD_WRITE;
4575 
4576 			bzero((void *)so_laddr, sizeof (so_laddr));
4577 			bzero((void *)so_faddr, sizeof (so_faddr));
4578 
4579 			/* get local and foreign addresses */
4580 			len = sizeof (so_laddr);
4581 			(void) socket_getsockname(so,
4582 			    (struct sockaddr *)so_laddr, &len, CRED());
4583 			len = sizeof (so_faddr);
4584 			(void) socket_getpeername(so,
4585 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4586 
4587 			add_sock_token = 1;
4588 		}
4589 
4590 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4591 
4592 		break;
4593 
4594 	case AF_UNIX:
4595 		/*
4596 		 * first check if this is first time through. Too much
4597 		 * duplicate code to put this in an aui_ routine.
4598 		 */
4599 
4600 		/* get path from file struct here */
4601 		fad = F2A(fp);
4602 		ASSERT(fad);
4603 
4604 		/*
4605 		 * already processed this file for write attempt
4606 		 */
4607 		if (fad->fad_flags & FAD_WRITE) {
4608 			/* don't want to audit every sendto attempt */
4609 			tad->tad_flag = 0;
4610 			/* free any residual audit data */
4611 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4612 			releasef(fd);
4613 			return;
4614 		}
4615 		/*
4616 		 * mark things so we know what happened and don't
4617 		 * repeat things
4618 		 */
4619 		fad->fad_flags |= FAD_WRITE;
4620 
4621 		if (fad->fad_aupath != NULL) {
4622 			au_uwrite(au_to_path(fad->fad_aupath));
4623 		} else {
4624 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4625 		}
4626 
4627 		audit_attributes(fp->f_vnode);
4628 
4629 		releasef(fd);
4630 
4631 		return;
4632 
4633 	default:
4634 		break;
4635 
4636 	}
4637 
4638 	releasef(fd);
4639 
4640 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4641 
4642 	if (add_sock_token == 0) {
4643 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4644 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4645 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4646 		return;
4647 	}
4648 
4649 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4650 
4651 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4652 
4653 }
4654 
4655 /*
4656  * XXX socket(2) may be equivalent to open(2) on a unix domain
4657  * socket. This needs investigation.
4658  */
4659 
4660 /*ARGSUSED*/
4661 static void
4662 aus_socket(struct t_audit_data *tad)
4663 {
4664 	struct a {
4665 		long	domain;
4666 		long	type;
4667 		long	protocol;
4668 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4669 
4670 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4671 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4672 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4673 }
4674 
4675 /*ARGSUSED*/
4676 static void
4677 aus_sigqueue(struct t_audit_data *tad)
4678 {
4679 	struct a {
4680 		long	pid;
4681 		long	signo;
4682 		long	*val;
4683 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4684 	struct proc *p;
4685 	uid_t uid, ruid;
4686 	gid_t gid, rgid;
4687 	pid_t pid;
4688 	const auditinfo_addr_t *ainfo;
4689 	cred_t *cr;
4690 
4691 	pid = (pid_t)uap->pid;
4692 
4693 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4694 	if (pid > 0) {
4695 		mutex_enter(&pidlock);
4696 		if ((p = prfind(pid)) == (struct proc *)0) {
4697 			mutex_exit(&pidlock);
4698 			return;
4699 		}
4700 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4701 		mutex_exit(&pidlock);
4702 
4703 		mutex_enter(&p->p_crlock);
4704 		crhold(cr = p->p_cred);
4705 		mutex_exit(&p->p_crlock);
4706 		mutex_exit(&p->p_lock);
4707 
4708 		ainfo = crgetauinfo(cr);
4709 		if (ainfo == NULL) {
4710 			crfree(cr);
4711 			return;
4712 		}
4713 
4714 		uid  = crgetuid(cr);
4715 		gid  = crgetgid(cr);
4716 		ruid = crgetruid(cr);
4717 		rgid = crgetrgid(cr);
4718 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4719 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4720 		crfree(cr);
4721 	}
4722 	else
4723 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4724 }
4725 
4726 /*ARGSUSED*/
4727 static void
4728 aus_inst_sync(struct t_audit_data *tad)
4729 {
4730 	struct a {
4731 		long	name;	/* char */
4732 		long	flags;
4733 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4734 
4735 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4736 }
4737 
4738 /*ARGSUSED*/
4739 static void
4740 aus_brandsys(struct t_audit_data *tad)
4741 {
4742 	klwp_t *clwp = ttolwp(curthread);
4743 
4744 	struct a {
4745 		long	cmd;
4746 		long	arg1;
4747 		long	arg2;
4748 		long	arg3;
4749 		long	arg4;
4750 		long	arg5;
4751 		long	arg6;
4752 	} *uap = (struct a *)clwp->lwp_ap;
4753 
4754 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4755 #ifdef _LP64
4756 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4757 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4758 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4759 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4760 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4761 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4762 #else
4763 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4764 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4765 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4766 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4767 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4768 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4769 #endif
4770 }
4771 
4772 /*ARGSUSED*/
4773 static void
4774 aus_p_online(struct t_audit_data *tad)
4775 {
4776 	struct a {
4777 		long	processor_id;
4778 		long	flag;
4779 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4780 
4781 	struct flags {
4782 			int	flag;
4783 			char	*cflag;
4784 	} aflags[6] = {
4785 			{ P_ONLINE, "P_ONLINE"},
4786 			{ P_OFFLINE, "P_OFFLINE"},
4787 			{ P_NOINTR, "P_NOINTR"},
4788 			{ P_SPARE, "P_SPARE"},
4789 			{ P_FAULTED, "P_FAULTED"},
4790 			{ P_STATUS, "P_STATUS"}
4791 	};
4792 	int i;
4793 	char *cflag;
4794 
4795 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4796 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4797 
4798 	for (i = 0; i < 6; i++) {
4799 		if (aflags[i].flag == uap->flag)
4800 			break;
4801 	}
4802 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4803 
4804 	au_uwrite(au_to_text(cflag));
4805 }
4806 
4807 /*ARGSUSED*/
4808 static void
4809 aus_processor_bind(struct t_audit_data *tad)
4810 {
4811 	struct a {
4812 		long	id_type;
4813 		long	id;
4814 		long	processor_id;
4815 		long	obind;
4816 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4817 
4818 	struct proc *p;
4819 	int lwpcnt;
4820 	uid_t uid, ruid;
4821 	gid_t gid, rgid;
4822 	pid_t pid;
4823 	const auditinfo_addr_t *ainfo;
4824 	cred_t *cr;
4825 
4826 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4827 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4828 	if (uap->processor_id == PBIND_NONE)
4829 		au_uwrite(au_to_text("PBIND_NONE"));
4830 	else
4831 		au_uwrite(au_to_arg32(3, "processor_id",
4832 		    (uint32_t)uap->processor_id));
4833 
4834 	switch (uap->id_type) {
4835 	case P_MYID:
4836 	case P_LWPID:
4837 		mutex_enter(&pidlock);
4838 		p = ttoproc(curthread);
4839 		if (p == NULL || p->p_as == &kas) {
4840 			mutex_exit(&pidlock);
4841 			return;
4842 		}
4843 		mutex_enter(&p->p_lock);
4844 		mutex_exit(&pidlock);
4845 		lwpcnt = p->p_lwpcnt;
4846 		pid  = p->p_pid;
4847 
4848 		mutex_enter(&p->p_crlock);
4849 		crhold(cr = p->p_cred);
4850 		mutex_exit(&p->p_crlock);
4851 		mutex_exit(&p->p_lock);
4852 
4853 		ainfo = crgetauinfo(cr);
4854 		if (ainfo == NULL) {
4855 			crfree(cr);
4856 			return;
4857 		}
4858 
4859 		uid  = crgetuid(cr);
4860 		gid  = crgetgid(cr);
4861 		ruid = crgetruid(cr);
4862 		rgid = crgetrgid(cr);
4863 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4864 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4865 		crfree(cr);
4866 		break;
4867 	case P_PID:
4868 		mutex_enter(&pidlock);
4869 		p = prfind(uap->id);
4870 		if (p == NULL || p->p_as == &kas) {
4871 			mutex_exit(&pidlock);
4872 			return;
4873 		}
4874 		mutex_enter(&p->p_lock);
4875 		mutex_exit(&pidlock);
4876 		lwpcnt = p->p_lwpcnt;
4877 		pid  = p->p_pid;
4878 
4879 		mutex_enter(&p->p_crlock);
4880 		crhold(cr = p->p_cred);
4881 		mutex_exit(&p->p_crlock);
4882 		mutex_exit(&p->p_lock);
4883 
4884 		ainfo = crgetauinfo(cr);
4885 		if (ainfo == NULL) {
4886 			crfree(cr);
4887 			return;
4888 		}
4889 
4890 		uid  = crgetuid(cr);
4891 		gid  = crgetgid(cr);
4892 		ruid = crgetruid(cr);
4893 		rgid = crgetrgid(cr);
4894 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4895 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4896 		crfree(cr);
4897 
4898 		break;
4899 	default:
4900 		return;
4901 	}
4902 
4903 	if (uap->processor_id == PBIND_NONE &&
4904 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4905 		au_uwrite(au_to_text("PBIND_NONE for process"));
4906 	else
4907 		au_uwrite(au_to_arg32(3, "processor_id",
4908 		    (uint32_t)uap->processor_id));
4909 }
4910 
4911 /*ARGSUSED*/
4912 static au_event_t
4913 aui_doorfs(au_event_t e)
4914 {
4915 	uint32_t code;
4916 
4917 	struct a {		/* doorfs */
4918 		long	a1;
4919 		long	a2;
4920 		long	a3;
4921 		long	a4;
4922 		long	a5;
4923 		long	code;
4924 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4925 
4926 	/*
4927 	 *	audit formats for several of the
4928 	 *	door calls have not yet been determined
4929 	 */
4930 	code = (uint32_t)uap->code;
4931 	switch (code) {
4932 	case DOOR_CALL:
4933 		e = AUE_DOORFS_DOOR_CALL;
4934 		break;
4935 	case DOOR_RETURN:
4936 		e = AUE_NULL;
4937 		break;
4938 	case DOOR_CREATE:
4939 		e = AUE_DOORFS_DOOR_CREATE;
4940 		break;
4941 	case DOOR_REVOKE:
4942 		e = AUE_DOORFS_DOOR_REVOKE;
4943 		break;
4944 	case DOOR_INFO:
4945 		e = AUE_NULL;
4946 		break;
4947 	case DOOR_UCRED:
4948 		e = AUE_NULL;
4949 		break;
4950 	case DOOR_BIND:
4951 		e = AUE_NULL;
4952 		break;
4953 	case DOOR_UNBIND:
4954 		e = AUE_NULL;
4955 		break;
4956 	case DOOR_GETPARAM:
4957 		e = AUE_NULL;
4958 		break;
4959 	case DOOR_SETPARAM:
4960 		e = AUE_NULL;
4961 		break;
4962 	default:	/* illegal system call */
4963 		e = AUE_NULL;
4964 		break;
4965 	}
4966 
4967 	return (e);
4968 }
4969 
4970 static door_node_t *
4971 au_door_lookup(int did)
4972 {
4973 	vnode_t	*vp;
4974 	file_t *fp;
4975 
4976 	if ((fp = getf(did)) == NULL)
4977 		return (NULL);
4978 	/*
4979 	 * Use the underlying vnode (we may be namefs mounted)
4980 	 */
4981 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
4982 		vp = fp->f_vnode;
4983 
4984 	if (vp == NULL || vp->v_type != VDOOR) {
4985 		releasef(did);
4986 		return (NULL);
4987 	}
4988 
4989 	return (VTOD(vp));
4990 }
4991 
4992 /*ARGSUSED*/
4993 static void
4994 aus_doorfs(struct t_audit_data *tad)
4995 {
4996 
4997 	struct a {		/* doorfs */
4998 		long	a1;
4999 		long	a2;
5000 		long	a3;
5001 		long	a4;
5002 		long	a5;
5003 		long	code;
5004 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5005 
5006 	door_node_t	*dp;
5007 	struct proc	*p;
5008 	uint32_t	did;
5009 	uid_t uid, ruid;
5010 	gid_t gid, rgid;
5011 	pid_t pid;
5012 	const auditinfo_addr_t *ainfo;
5013 	cred_t *cr;
5014 
5015 	did = (uint32_t)uap->a1;
5016 
5017 	switch (tad->tad_event) {
5018 	case AUE_DOORFS_DOOR_CALL:
5019 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5020 		if ((dp = au_door_lookup(did)) == NULL)
5021 			break;
5022 
5023 		if (DOOR_INVALID(dp)) {
5024 			releasef(did);
5025 			break;
5026 		}
5027 
5028 		if ((p = dp->door_target) == NULL) {
5029 			releasef(did);
5030 			break;
5031 		}
5032 		mutex_enter(&p->p_lock);
5033 		releasef(did);
5034 
5035 		pid  = p->p_pid;
5036 
5037 		mutex_enter(&p->p_crlock);
5038 		crhold(cr = p->p_cred);
5039 		mutex_exit(&p->p_crlock);
5040 		mutex_exit(&p->p_lock);
5041 
5042 		ainfo = crgetauinfo(cr);
5043 		if (ainfo == NULL) {
5044 			crfree(cr);
5045 			return;
5046 		}
5047 		uid  = crgetuid(cr);
5048 		gid  = crgetgid(cr);
5049 		ruid = crgetruid(cr);
5050 		rgid = crgetrgid(cr);
5051 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5052 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5053 		crfree(cr);
5054 		break;
5055 	case AUE_DOORFS_DOOR_RETURN:
5056 		/*
5057 		 * We may want to write information about
5058 		 * all doors (if any) which will be copied
5059 		 * by this call to the user space
5060 		 */
5061 		break;
5062 	case AUE_DOORFS_DOOR_CREATE:
5063 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5064 		break;
5065 	case AUE_DOORFS_DOOR_REVOKE:
5066 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5067 		break;
5068 	case AUE_DOORFS_DOOR_INFO:
5069 		break;
5070 	case AUE_DOORFS_DOOR_CRED:
5071 		break;
5072 	case AUE_DOORFS_DOOR_BIND:
5073 		break;
5074 	case AUE_DOORFS_DOOR_UNBIND: {
5075 		break;
5076 	}
5077 	default:	/* illegal system call */
5078 		break;
5079 	}
5080 }
5081 
5082 /*ARGSUSED*/
5083 static au_event_t
5084 aui_acl(au_event_t e)
5085 {
5086 	struct a {
5087 		union {
5088 			long	name;	/* char */
5089 			long	fd;
5090 		}		obj;
5091 
5092 		long		cmd;
5093 		long		nentries;
5094 		long		arg;	/* aclent_t */
5095 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5096 
5097 	switch (uap->cmd) {
5098 	case SETACL:
5099 	case ACE_SETACL:
5100 		/*
5101 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5102 		 * are expected.
5103 		 */
5104 		break;
5105 	case GETACL:
5106 	case GETACLCNT:
5107 	case ACE_GETACL:
5108 	case ACE_GETACLCNT:
5109 		/* do nothing for these four values. */
5110 		e = AUE_NULL;
5111 		break;
5112 	default:
5113 		/* illegal system call */
5114 		break;
5115 	}
5116 
5117 	return (e);
5118 }
5119 
5120 static void
5121 au_acl(int cmd, int nentries, caddr_t bufp)
5122 {
5123 	size_t		a_size;
5124 	aclent_t	*aclbufp;
5125 	ace_t		*acebufp;
5126 	int		i;
5127 
5128 	switch (cmd) {
5129 	case GETACL:
5130 	case GETACLCNT:
5131 		break;
5132 	case SETACL:
5133 		if (nentries < 3)
5134 			break;
5135 
5136 		a_size = nentries * sizeof (aclent_t);
5137 
5138 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5139 			break;
5140 		if (copyin(bufp, aclbufp, a_size)) {
5141 			kmem_free(aclbufp, a_size);
5142 			break;
5143 		}
5144 		for (i = 0; i < nentries; i++) {
5145 			au_uwrite(au_to_acl(aclbufp + i));
5146 		}
5147 		kmem_free(aclbufp, a_size);
5148 		break;
5149 
5150 	case ACE_SETACL:
5151 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5152 			break;
5153 
5154 		a_size = nentries * sizeof (ace_t);
5155 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5156 			break;
5157 		if (copyin(bufp, acebufp, a_size)) {
5158 			kmem_free(acebufp, a_size);
5159 			break;
5160 		}
5161 		for (i = 0; i < nentries; i++) {
5162 			au_uwrite(au_to_ace(acebufp + i));
5163 		}
5164 		kmem_free(acebufp, a_size);
5165 		break;
5166 	default:
5167 		break;
5168 	}
5169 }
5170 
5171 /*ARGSUSED*/
5172 static void
5173 aus_acl(struct t_audit_data *tad)
5174 {
5175 	struct a {
5176 		long	fname;
5177 		long	cmd;
5178 		long	nentries;
5179 		long	aclbufp;
5180 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5181 
5182 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5183 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5184 
5185 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5186 }
5187 
5188 /*ARGSUSED*/
5189 static void
5190 aus_facl(struct t_audit_data *tad)
5191 {
5192 	struct a {
5193 		long	fd;
5194 		long	cmd;
5195 		long	nentries;
5196 		long	aclbufp;
5197 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5198 	struct file  *fp;
5199 	struct vnode *vp;
5200 	struct f_audit_data *fad;
5201 	int fd;
5202 
5203 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5204 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5205 
5206 	fd = (int)uap->fd;
5207 
5208 	if ((fp = getf(fd)) == NULL)
5209 		return;
5210 
5211 	/* get path from file struct here */
5212 	fad = F2A(fp);
5213 	if (fad->fad_aupath != NULL) {
5214 		au_uwrite(au_to_path(fad->fad_aupath));
5215 	} else {
5216 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5217 	}
5218 
5219 	vp = fp->f_vnode;
5220 	audit_attributes(vp);
5221 
5222 	/* decrement file descriptor reference count */
5223 	releasef(fd);
5224 
5225 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5226 }
5227 
5228 /*ARGSUSED*/
5229 static void
5230 auf_read(tad, error, rval)
5231 	struct t_audit_data *tad;
5232 	int error;
5233 	rval_t *rval;
5234 {
5235 	struct file *fp;
5236 	struct f_audit_data *fad;
5237 	int fd;
5238 	register struct a {
5239 		long	fd;
5240 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5241 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5242 
5243 	fd = (int)uap->fd;
5244 
5245 	/*
5246 	 * convert file pointer to file descriptor
5247 	 *   Note: fd ref count incremented here.
5248 	 */
5249 	if ((fp = getf(fd)) == NULL)
5250 		return;
5251 
5252 	/* get path from file struct here */
5253 	fad = F2A(fp);
5254 	ASSERT(fad);
5255 
5256 	/*
5257 	 * already processed this file for read attempt
5258 	 *
5259 	 * XXX might be better to turn off auditing in a aui_read() routine.
5260 	 */
5261 	if (fad->fad_flags & FAD_READ) {
5262 		/* don't really want to audit every read attempt */
5263 		tad->tad_flag = 0;
5264 		/* free any residual audit data */
5265 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5266 		releasef(fd);
5267 		return;
5268 	}
5269 	/* mark things so we know what happened and don't repeat things */
5270 	fad->fad_flags |= FAD_READ;
5271 
5272 	if (fad->fad_aupath != NULL) {
5273 		au_uwrite(au_to_path(fad->fad_aupath));
5274 	} else {
5275 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5276 	}
5277 
5278 	/* include attributes */
5279 	audit_attributes(fp->f_vnode);
5280 
5281 	/* decrement file descriptor reference count */
5282 	releasef(fd);
5283 }
5284 
5285 /*ARGSUSED*/
5286 static void
5287 auf_write(tad, error, rval)
5288 	struct t_audit_data *tad;
5289 	int error;
5290 	rval_t *rval;
5291 {
5292 	struct file *fp;
5293 	struct f_audit_data *fad;
5294 	int fd;
5295 	register struct a {
5296 		long	fd;
5297 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5298 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5299 
5300 	fd = (int)uap->fd;
5301 
5302 	/*
5303 	 * convert file pointer to file descriptor
5304 	 *   Note: fd ref count incremented here.
5305 	 */
5306 	if ((fp = getf(fd)) == NULL)
5307 		return;
5308 
5309 	/* get path from file struct here */
5310 	fad = F2A(fp);
5311 	ASSERT(fad);
5312 
5313 	/*
5314 	 * already processed this file for write attempt
5315 	 *
5316 	 * XXX might be better to turn off auditing in a aus_write() routine.
5317 	 */
5318 	if (fad->fad_flags & FAD_WRITE) {
5319 		/* don't really want to audit every write attempt */
5320 		tad->tad_flag = 0;
5321 		/* free any residual audit data */
5322 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5323 		releasef(fd);
5324 		return;
5325 	}
5326 	/* mark things so we know what happened and don't repeat things */
5327 	fad->fad_flags |= FAD_WRITE;
5328 
5329 	if (fad->fad_aupath != NULL) {
5330 		au_uwrite(au_to_path(fad->fad_aupath));
5331 	} else {
5332 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5333 	}
5334 
5335 	/* include attributes */
5336 	audit_attributes(fp->f_vnode);
5337 
5338 	/* decrement file descriptor reference count */
5339 	releasef(fd);
5340 }
5341 
5342 /*ARGSUSED*/
5343 static void
5344 auf_recv(tad, error, rval)
5345 	struct t_audit_data *tad;
5346 	int error;
5347 	rval_t *rval;
5348 {
5349 	struct sonode *so;
5350 	char so_laddr[sizeof (struct sockaddr_in6)];
5351 	char so_faddr[sizeof (struct sockaddr_in6)];
5352 	struct file *fp;
5353 	struct f_audit_data *fad;
5354 	int fd;
5355 	int err;
5356 	socklen_t len;
5357 	short so_family, so_type;
5358 	register struct a {
5359 		long	fd;
5360 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5361 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5362 
5363 	/*
5364 	 * If there was an error, then nothing to do. Only generate
5365 	 * audit record on first successful recv.
5366 	 */
5367 	if (error) {
5368 		/* Turn off audit record generation here. */
5369 		tad->tad_flag = 0;
5370 		/* free any residual audit data */
5371 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5372 		return;
5373 	}
5374 
5375 	fd = (int)uap->fd;
5376 
5377 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5378 		/* Turn off audit record generation here. */
5379 		tad->tad_flag = 0;
5380 		/* free any residual audit data */
5381 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5382 		return;
5383 	}
5384 
5385 	/* get path from file struct here */
5386 	fad = F2A(fp);
5387 	ASSERT(fad);
5388 
5389 	/*
5390 	 * already processed this file for read attempt
5391 	 */
5392 	if (fad->fad_flags & FAD_READ) {
5393 		releasef(fd);
5394 		/* don't really want to audit every recv call */
5395 		tad->tad_flag = 0;
5396 		/* free any residual audit data */
5397 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5398 		return;
5399 	}
5400 
5401 	/* mark things so we know what happened and don't repeat things */
5402 	fad->fad_flags |= FAD_READ;
5403 
5404 	so_family = so->so_family;
5405 	so_type   = so->so_type;
5406 
5407 	switch (so_family) {
5408 	case AF_INET:
5409 	case AF_INET6:
5410 		/*
5411 		 * Only for connections.
5412 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5413 		 */
5414 		if (so->so_state & SS_ISBOUND) {
5415 
5416 			bzero((void *)so_laddr, sizeof (so_laddr));
5417 			bzero((void *)so_faddr, sizeof (so_faddr));
5418 
5419 			/* get local and foreign addresses */
5420 			len = sizeof (so_laddr);
5421 			(void) socket_getsockname(so,
5422 			    (struct sockaddr *)so_laddr, &len, CRED());
5423 			len = sizeof (so_faddr);
5424 			(void) socket_getpeername(so,
5425 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5426 
5427 			/*
5428 			 * only way to drop out of switch. Note that we
5429 			 * we release fd below.
5430 			 */
5431 
5432 			break;
5433 		}
5434 
5435 		releasef(fd);
5436 
5437 		/* don't really want to audit every recv call */
5438 		tad->tad_flag = 0;
5439 		/* free any residual audit data */
5440 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5441 
5442 		return;
5443 
5444 	case AF_UNIX:
5445 
5446 		if (fad->fad_aupath != NULL) {
5447 			au_uwrite(au_to_path(fad->fad_aupath));
5448 		} else {
5449 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5450 		}
5451 
5452 		audit_attributes(fp->f_vnode);
5453 
5454 		releasef(fd);
5455 
5456 		return;
5457 
5458 	default:
5459 		releasef(fd);
5460 
5461 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5462 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5463 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5464 
5465 		return;
5466 	}
5467 
5468 	releasef(fd);
5469 
5470 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5471 
5472 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5473 
5474 }
5475 
5476 /*ARGSUSED*/
5477 static void
5478 auf_send(tad, error, rval)
5479 	struct t_audit_data *tad;
5480 	int error;
5481 	rval_t *rval;
5482 {
5483 	struct sonode *so;
5484 	char so_laddr[sizeof (struct sockaddr_in6)];
5485 	char so_faddr[sizeof (struct sockaddr_in6)];
5486 	struct file *fp;
5487 	struct f_audit_data *fad;
5488 	int fd;
5489 	int err;
5490 	socklen_t len;
5491 	short so_family, so_type;
5492 	register struct a {
5493 		long	fd;
5494 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5495 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5496 
5497 	fd = (int)uap->fd;
5498 
5499 	/*
5500 	 * If there was an error, then nothing to do. Only generate
5501 	 * audit record on first successful send.
5502 	 */
5503 	if (error != 0) {
5504 		/* Turn off audit record generation here. */
5505 		tad->tad_flag = 0;
5506 		/* free any residual audit data */
5507 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5508 		return;
5509 	}
5510 
5511 	fd = (int)uap->fd;
5512 
5513 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5514 		/* Turn off audit record generation here. */
5515 		tad->tad_flag = 0;
5516 		/* free any residual audit data */
5517 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5518 		return;
5519 	}
5520 
5521 	/* get path from file struct here */
5522 	fad = F2A(fp);
5523 	ASSERT(fad);
5524 
5525 	/*
5526 	 * already processed this file for write attempt
5527 	 */
5528 	if (fad->fad_flags & FAD_WRITE) {
5529 		releasef(fd);
5530 		/* don't really want to audit every send call */
5531 		tad->tad_flag = 0;
5532 		/* free any residual audit data */
5533 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5534 		return;
5535 	}
5536 
5537 	/* mark things so we know what happened and don't repeat things */
5538 	fad->fad_flags |= FAD_WRITE;
5539 
5540 	so_family = so->so_family;
5541 	so_type   = so->so_type;
5542 
5543 	switch (so_family) {
5544 	case AF_INET:
5545 	case AF_INET6:
5546 		/*
5547 		 * Only for connections.
5548 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5549 		 */
5550 		if (so->so_state & SS_ISBOUND) {
5551 
5552 			bzero((void *)so_laddr, sizeof (so_laddr));
5553 			bzero((void *)so_faddr, sizeof (so_faddr));
5554 
5555 			/* get local and foreign addresses */
5556 			len = sizeof (so_laddr);
5557 			(void) socket_getsockname(so,
5558 			    (struct sockaddr *)so_laddr, &len, CRED());
5559 			len = sizeof (so_faddr);
5560 			(void) socket_getpeername(so,
5561 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5562 
5563 			/*
5564 			 * only way to drop out of switch. Note that we
5565 			 * we release fd below.
5566 			 */
5567 
5568 			break;
5569 		}
5570 
5571 		releasef(fd);
5572 		/* don't really want to audit every send call */
5573 		tad->tad_flag = 0;
5574 		/* free any residual audit data */
5575 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5576 
5577 		return;
5578 
5579 	case AF_UNIX:
5580 
5581 		if (fad->fad_aupath != NULL) {
5582 			au_uwrite(au_to_path(fad->fad_aupath));
5583 		} else {
5584 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5585 		}
5586 
5587 		audit_attributes(fp->f_vnode);
5588 
5589 		releasef(fd);
5590 
5591 		return;
5592 
5593 	default:
5594 		releasef(fd);
5595 
5596 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5597 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5598 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5599 
5600 		return;
5601 	}
5602 
5603 	releasef(fd);
5604 
5605 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5606 
5607 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5608 }
5609 
5610 static au_event_t
5611 aui_forksys(au_event_t e)
5612 {
5613 	struct a {
5614 		long	subcode;
5615 		long	flags;
5616 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5617 
5618 	switch ((uint_t)uap->subcode) {
5619 	case 0:
5620 		e = AUE_FORK1;
5621 		break;
5622 	case 1:
5623 		e = AUE_FORKALL;
5624 		break;
5625 	case 2:
5626 		e = AUE_VFORK;
5627 		break;
5628 	default:
5629 		e = AUE_NULL;
5630 		break;
5631 	}
5632 
5633 	return (e);
5634 }
5635 
5636 /*ARGSUSED*/
5637 static au_event_t
5638 aui_portfs(au_event_t e)
5639 {
5640 	struct a {		/* portfs */
5641 		long	a1;
5642 		long	a2;
5643 		long	a3;
5644 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5645 
5646 	/*
5647 	 * check opcode
5648 	 */
5649 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5650 	case PORT_ASSOCIATE:
5651 		/* check source */
5652 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5653 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5654 			e = AUE_PORTFS_ASSOCIATE;
5655 		} else {
5656 			e = AUE_NULL;
5657 		}
5658 		break;
5659 	case PORT_DISSOCIATE:
5660 		/* check source */
5661 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5662 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5663 			e = AUE_PORTFS_DISSOCIATE;
5664 		} else {
5665 			e = AUE_NULL;
5666 		}
5667 		break;
5668 	default:
5669 		e = AUE_NULL;
5670 	}
5671 	return (e);
5672 }
5673