xref: /titanic_52/usr/src/uts/common/c2/audit_event.c (revision 80feccabd0bc0fca1df2b60bfa50449d9a6e3e09)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * This file contains the audit event table used to control the production
31  * of audit records for each system call.
32  */
33 
34 #include <sys/policy.h>
35 #include <sys/cred.h>
36 #include <sys/types.h>
37 #include <sys/systm.h>
38 #include <sys/systeminfo.h>	/* for sysinfo auditing */
39 #include <sys/utsname.h>	/* for sysinfo auditing */
40 #include <sys/proc.h>
41 #include <sys/vnode.h>
42 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
43 #include <sys/fcntl.h>
44 #include <sys/modctl.h>		/* for modctl auditing */
45 #include <sys/vnode.h>
46 #include <sys/user.h>
47 #include <sys/types.h>
48 #include <sys/processor.h>
49 #include <sys/procset.h>
50 #include <sys/acl.h>
51 #include <sys/ipc.h>
52 #include <sys/door.h>
53 #include <sys/sem.h>
54 #include <sys/msg.h>
55 #include <sys/shm.h>
56 #include <sys/kmem.h>
57 #include <sys/file.h>		/* for accept */
58 #include <sys/utssys.h>		/* for fuser */
59 #include <sys/tsol/label.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <netinet/in.h>
76 #include <sys/ddi.h>
77 #include <sys/port_impl.h>
78 
79 
80 int	au_naevent;
81 char	_depends_on[] = "fs/sockfs";
82 
83 static au_event_t	aui_null(au_event_t);
84 static au_event_t	aui_open(au_event_t);
85 static au_event_t	aui_fsat(au_event_t);
86 static au_event_t	aui_msgsys(au_event_t);
87 static au_event_t	aui_shmsys(au_event_t);
88 static au_event_t	aui_semsys(au_event_t);
89 static au_event_t	aui_utssys(au_event_t);
90 static au_event_t	aui_fcntl(au_event_t);
91 static au_event_t	aui_execv(au_event_t);
92 static au_event_t	aui_execve(au_event_t);
93 static au_event_t	aui_memcntl(au_event_t);
94 static au_event_t	aui_sysinfo(au_event_t);
95 static au_event_t	aui_portfs(au_event_t);
96 static au_event_t	aui_auditsys(au_event_t);
97 static au_event_t	aui_modctl(au_event_t);
98 static au_event_t	aui_acl(au_event_t);
99 static au_event_t	aui_doorfs(au_event_t);
100 static au_event_t	aui_privsys(au_event_t);
101 static au_event_t	aui_forksys(au_event_t);
102 
103 static void	aus_null(struct t_audit_data *);
104 static void	aus_open(struct t_audit_data *);
105 static void	aus_acl(struct t_audit_data *);
106 static void	aus_acct(struct t_audit_data *);
107 static void	aus_chown(struct t_audit_data *);
108 static void	aus_fchown(struct t_audit_data *);
109 static void	aus_lchown(struct t_audit_data *);
110 static void	aus_chmod(struct t_audit_data *);
111 static void	aus_facl(struct t_audit_data *);
112 static void	aus_fchmod(struct t_audit_data *);
113 static void	aus_fcntl(struct t_audit_data *);
114 static void	aus_fsat(struct t_audit_data *);
115 static void	aus_mkdir(struct t_audit_data *);
116 static void	aus_mknod(struct t_audit_data *);
117 static void	aus_mount(struct t_audit_data *);
118 static void	aus_umount(struct t_audit_data *);
119 static void	aus_umount2(struct t_audit_data *);
120 static void	aus_msgsys(struct t_audit_data *);
121 static void	aus_semsys(struct t_audit_data *);
122 static void	aus_close(struct t_audit_data *);
123 static void	aus_fstatfs(struct t_audit_data *);
124 static void	aus_setgid(struct t_audit_data *);
125 static void	aus_setuid(struct t_audit_data *);
126 static void	aus_shmsys(struct t_audit_data *);
127 static void	aus_doorfs(struct t_audit_data *);
128 static void	aus_ioctl(struct t_audit_data *);
129 static void	aus_memcntl(struct t_audit_data *);
130 static void	aus_mmap(struct t_audit_data *);
131 static void	aus_munmap(struct t_audit_data *);
132 static void	aus_priocntlsys(struct t_audit_data *);
133 static void	aus_setegid(struct t_audit_data *);
134 static void	aus_setgroups(struct t_audit_data *);
135 static void	aus_seteuid(struct t_audit_data *);
136 static void	aus_putmsg(struct t_audit_data *);
137 static void	aus_putpmsg(struct t_audit_data *);
138 static void	aus_getmsg(struct t_audit_data *);
139 static void	aus_getpmsg(struct t_audit_data *);
140 static void	aus_auditsys(struct t_audit_data *);
141 static void	aus_sysinfo(struct t_audit_data *);
142 static void	aus_modctl(struct t_audit_data *);
143 static void	aus_kill(struct t_audit_data *);
144 static void	aus_xmknod(struct t_audit_data *);
145 static void	aus_setregid(struct t_audit_data *);
146 static void	aus_setreuid(struct t_audit_data *);
147 
148 static void	auf_null(struct t_audit_data *, int, rval_t *);
149 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
150 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
151 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
152 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
153 #if 0
154 static void	auf_open(struct t_audit_data *, int, rval_t *);
155 #endif
156 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
157 static void	auf_read(struct t_audit_data *, int, rval_t *);
158 static void	auf_write(struct t_audit_data *, int, rval_t *);
159 
160 static void	aus_sigqueue(struct t_audit_data *);
161 static void	aus_p_online(struct t_audit_data *);
162 static void	aus_processor_bind(struct t_audit_data *);
163 static void	aus_inst_sync(struct t_audit_data *);
164 static void	aus_brandsys(struct t_audit_data *);
165 
166 static void	auf_accept(struct t_audit_data *, int, rval_t *);
167 
168 static void	auf_bind(struct t_audit_data *, int, rval_t *);
169 static void	auf_connect(struct t_audit_data *, int, rval_t *);
170 static void	aus_shutdown(struct t_audit_data *);
171 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
172 static void	aus_sockconfig(struct t_audit_data *);
173 static void	auf_recv(struct t_audit_data *, int, rval_t *);
174 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
175 static void	auf_send(struct t_audit_data *, int, rval_t *);
176 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
177 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
178 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
179 static void	aus_socket(struct t_audit_data *);
180 /*
181  * This table contains mapping information for converting system call numbers
182  * to audit event IDs. In several cases it is necessary to map a single system
183  * call to several events.
184  */
185 
186 struct audit_s2e audit_s2e[] =
187 {
188 /*
189  * ----------	---------- 	----------	----------
190  * INITIAL	AUDIT		START		SYSTEM
191  * PROCESSING	EVENT		PROCESSING	CALL
192  * ----------	----------	----------	-----------
193  *		FINISH		EVENT
194  *		PROCESSING	CONTROL
195  * ----------------------------------------------------------
196  */
197 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
198 		auf_null,	0,
199 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
200 		auf_null,	S2E_NPT,
201 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
202 		auf_null,	0,
203 aui_null,	AUE_READ,	aus_null,	/* 3 read */
204 		auf_read,	S2E_PUB,
205 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
206 		auf_write,	0,
207 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
208 		auf_null,	S2E_SP,
209 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
210 		auf_null,	0,
211 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
212 		auf_null,	0,
213 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
214 		auf_null,	S2E_SP,
215 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
216 		auf_null,	0,
217 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
218 		auf_null,	0,
219 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
220 		auf_null,	S2E_MLD,
221 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
222 		auf_null,	S2E_SP,
223 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
224 		auf_null,	0,
225 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
226 		auf_mknod,	0,
227 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
228 		auf_null,	0,
229 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
230 		auf_null,	0,
231 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
232 		auf_null,	0,
233 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
234 		auf_null,	S2E_PUB,
235 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
236 		auf_null,	0,
237 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
238 		auf_null,	0,
239 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
240 		auf_null,	S2E_MLD,
241 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
242 		auf_null,	0,
243 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
244 		auf_null,	0,
245 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
246 		auf_null,	0,
247 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
248 		auf_null,	0,
249 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
250 		auf_null,	0,
251 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
254 		auf_null,	0,
255 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
256 		auf_null,	0,
257 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
262 		auf_null,	0,
263 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
264 		auf_null,	S2E_PUB,
265 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
266 		auf_null,	0,
267 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
268 		auf_null,	S2E_PUB,
269 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
270 		auf_null,	0,
271 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
272 		auf_null,	0,
273 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
274 		auf_null,	S2E_PUB,
275 aui_null,	AUE_SETPGRP,	aus_null,	/* 39 setpgrp */
276 		auf_null,	0,
277 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
278 		auf_null,	0,
279 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
280 		auf_null,	0,
281 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
282 		auf_null,	0,
283 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
288 						/*	was proc lock */
289 		auf_null,	0,
290 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
291 		auf_null,	0,
292 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
293 		auf_null,	0,
294 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
295 		auf_null,	0,
296 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
297 		auf_msgsys,	0,
298 #if defined(__x86)
299 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
300 		auf_null,	0,
301 #else
302 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
303 		auf_null,	0,
304 #endif /* __x86 */
305 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
306 		auf_null,	0,
307 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
308 		auf_shmsys,	0,
309 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
310 		auf_semsys,	0,
311 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
312 		auf_null,	0,
313 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
314 		auf_null,	0,
315 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
316 		auf_null,	0,
317 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
318 		auf_null,	0,
319 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
320 		auf_null,	0,
321 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
322 		auf_null,	S2E_MLD,
323 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
324 		auf_null,	0,
325 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
326 		auf_null,	S2E_SP,
327 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
328 		auf_null,	0,
329 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
330 		auf_null,	0,
331 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
332 		auf_null,	0,
333 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
334 		auf_null,	0,
335 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
336 		auf_null,	0,
337 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
338 						/*	file locking call */
339 		auf_null,	0,
340 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
341 						/*	local system calls */
342 		auf_null,	0,
343 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
344 		auf_null,	0,
345 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
346 		auf_null,	0,
347 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
348 		auf_null,	0,
349 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
350 		auf_null,	0,
351 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
352 		auf_null,	0,
353 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
354 		auf_null,	0,
355 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
356 						/*	was sigret (SunOS) */
357 		auf_null,	0,
358 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
361 		auf_null,	0,
362 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
363 		auf_null,	0,
364 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
365 		auf_null,	0,
366 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
367 		auf_null,	0,
368 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
369 		auf_null,	0,
370 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
371 						/*	was libattach */
372 		auf_null,	0,
373 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
374 						/*	was libdetach */
375 		auf_null,	0,
376 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
377 		auf_null,	0,
378 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
379 		auf_null,	0,
380 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
381 		auf_null,	0,
382 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
383 		auf_null,	0,
384 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
385 		auf_null,	S2E_PUB,
386 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
387 		auf_null,	0,
388 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
389 		auf_null,	S2E_PUB,
390 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
391 		auf_null,	0,
392 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
393 		auf_null,	0,
394 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
395 		auf_null,	0,
396 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
397 		auf_null,	0,
398 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
409 		auf_null,	0,
410 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
411 		auf_null,	0,
412 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
413 						/*	was evtrapret */
414 		auf_null,	0,
415 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
416 		auf_null,	S2E_PUB,
417 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
418 		auf_null,	0,
419 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
420 		auf_null,	0,
421 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
422 		auf_null,	0,
423 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
424 		auf_null,	0,
425 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
426 		auf_null,	0,
427 #if defined(__x86)
428 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
429 		auf_null,	0,
430 #else
431 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
432 		auf_null,	0,
433 #endif /* __x86 */
434 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
435 		auf_null,	0,
436 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
437 		auf_null,	0,
438 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
439 		auf_null,	0,		/* 112 priocntlsys */
440 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
441 		auf_null,	S2E_PUB,
442 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
443 		auf_null,	0,
444 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
445 		auf_null,	0,
446 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
447 		auf_null,	0,
448 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
449 		auf_null,	0,
450 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
451 		auf_null,	0,
452 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
453 		auf_null,	0,
454 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
455 		auf_null,	0,
456 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
457 		auf_read,	S2E_PUB,
458 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
459 		auf_write,	0,
460 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
461 		auf_null,	S2E_PUB,
462 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
463 		auf_null,	S2E_PUB,
464 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
465 		auf_null,	0,
466 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
467 		auf_xmknod,	0,
468 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
469 		auf_null,	0,
470 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
471 		auf_null,	0,
472 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
473 		auf_null,	0,
474 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
475 		auf_null,	0,
476 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
477 		auf_null,	0,
478 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
479 		auf_null,	0,
480 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
481 		auf_null,	0,
482 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
483 		auf_null,	0,
484 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
485 		auf_null,	0,
486 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
487 		auf_null,	0,
488 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
489 		auf_null,	0,
490 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
491 		auf_null,	0,
492 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
493 		auf_null,	0,
494 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
495 		auf_null,	0,
496 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
497 		auf_null,	0,
498 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
499 		auf_null,	0,
500 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
501 		auf_null,	0,
502 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
503 		auf_null,	0,
504 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
505 		auf_null,	0,
506 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
515 		auf_null,	0,
516 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
517 		auf_null,	0,
518 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
519 		auf_null,	0,
520 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
521 		auf_null,	0,
522 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
545 						/*	was lwp_setprivate */
546 		auf_null,	0,
547 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
548 						/*	was lwp_getprivate */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
551 		auf_null,	0,
552 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
553 		auf_null,	0,
554 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
555 		auf_null,	0,
556 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
557 		auf_null,	0,
558 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
559 		auf_null,	0,
560 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
561 		auf_null,	0,
562 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
563 		auf_read,	S2E_PUB,
564 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
565 		auf_write,	0,
566 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
567 		auf_null,	0,
568 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
569 						/* aus_inst_sync */
570 		auf_null,	0,
571 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
576 		auf_null,	0,
577 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
578 		auf_null,	0,
579 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
580 		auf_null,	0,
581 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
582 		auf_null,	0,
583 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
584 		auf_null,	0,
585 aui_null,	AUE_NULL,	aus_null,	/* 184 (loadable) tsolsys */
586 		auf_null,	0,
587 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
588 		auf_null,	0,
589 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
590 		auf_null,	0,
591 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
592 		auf_null,	0,		/* 187 processor_bind */
593 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
594 		auf_null,	0,
595 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
596 		auf_null,	0,
597 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
600 		auf_null,	0,
601 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
612 		auf_null,	0,
613 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
614 		auf_null,	0,
615 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
616 		auf_null,	0,
617 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
618 		auf_null,	0,
619 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
620 		auf_null,	0,
621 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
622 		auf_null,	0,
623 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
640 		auf_null,	0,
641 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
642 		auf_null,	0,
643 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
644 		auf_null,	0,
645 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
646 		auf_null,	0,
647 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
648 		auf_null,	S2E_PUB,
649 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
650 		auf_null,	S2E_PUB,
651 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
652 		auf_null,	0,
653 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
654 		auf_null,	S2E_PUB,
655 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
656 		auf_null,	0,
657 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
658 		auf_null,	0,
659 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
660 		auf_null,	0,
661 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
662 		auf_read,	S2E_PUB,
663 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
664 		auf_write,	0,
665 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
666 		auf_null,	S2E_SP,
667 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
668 		auf_null,	S2E_SP,
669 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
670 		auf_null,	0,
671 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
674 		auf_null,	0,
675 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
676 		auf_null,	0,
677 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
678 		auf_null,	0,
679 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
680 		auf_null,	0,
681 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
682 		auf_bind,	0,
683 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
684 		auf_null,	0,
685 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
686 		auf_accept,	0,
687 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
688 		auf_connect,	0,
689 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
690 		auf_null,	0,
691 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
692 		auf_recv,	0,
693 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
694 		auf_recvfrom,	0,
695 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
696 		auf_recvmsg,	0,
697 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
698 		auf_send,	0,
699 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
700 		auf_sendmsg,	0,
701 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
702 		auf_sendto,	0,
703 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
704 		auf_null,	0,
705 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
706 		auf_null,	0,
707 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
708 		auf_null,	0,
709 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
710 		auf_setsockopt,	0,
711 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
712 		auf_null,	0,
713 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
714 		auf_null,	0,
715 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
722 		auf_null,	0,
723 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
724 		auf_null,	0,
725 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
726 		auf_null,	0,
727 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
728 		auf_null,	0
729 };
730 
731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
732 
733 /* null start function */
734 /*ARGSUSED*/
735 static void
736 aus_null(struct t_audit_data *tad)
737 {
738 }
739 
740 /* acct start function */
741 /*ARGSUSED*/
742 static void
743 aus_acct(struct t_audit_data *tad)
744 {
745 	klwp_t *clwp = ttolwp(curthread);
746 	uintptr_t fname;
747 
748 	struct a {
749 		long	fname;		/* char * */
750 	} *uap = (struct a *)clwp->lwp_ap;
751 
752 	fname = (uintptr_t)uap->fname;
753 
754 	if (fname == 0)
755 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
756 }
757 
758 /* chown start function */
759 /*ARGSUSED*/
760 static void
761 aus_chown(struct t_audit_data *tad)
762 {
763 	klwp_t *clwp = ttolwp(curthread);
764 	uint32_t uid, gid;
765 
766 	struct a {
767 		long	fname;		/* char * */
768 		long	uid;
769 		long	gid;
770 	} *uap = (struct a *)clwp->lwp_ap;
771 
772 	uid = (uint32_t)uap->uid;
773 	gid = (uint32_t)uap->gid;
774 
775 	au_uwrite(au_to_arg32(2, "new file uid", uid));
776 	au_uwrite(au_to_arg32(3, "new file gid", gid));
777 }
778 
779 /* fchown start function */
780 /*ARGSUSED*/
781 static void
782 aus_fchown(struct t_audit_data *tad)
783 {
784 	klwp_t *clwp = ttolwp(curthread);
785 	uint32_t uid, gid, fd;
786 	struct file  *fp;
787 	struct vnode *vp;
788 	struct f_audit_data *fad;
789 
790 	struct a {
791 		long fd;
792 		long uid;
793 		long gid;
794 	} *uap = (struct a *)clwp->lwp_ap;
795 
796 	fd  = (uint32_t)uap->fd;
797 	uid = (uint32_t)uap->uid;
798 	gid = (uint32_t)uap->gid;
799 
800 	au_uwrite(au_to_arg32(2, "new file uid", uid));
801 	au_uwrite(au_to_arg32(3, "new file gid", gid));
802 
803 		/*
804 		 * convert file pointer to file descriptor
805 		 *   Note: fd ref count incremented here.
806 		 */
807 	if ((fp = getf(fd)) == NULL)
808 		return;
809 
810 	/* get path from file struct here */
811 	fad = F2A(fp);
812 	if (fad->fad_aupath != NULL) {
813 		au_uwrite(au_to_path(fad->fad_aupath));
814 	} else {
815 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
816 	}
817 
818 	vp = fp->f_vnode;
819 	audit_attributes(vp);
820 
821 	/* decrement file descriptor reference count */
822 	releasef(fd);
823 }
824 
825 /*ARGSUSED*/
826 static void
827 aus_lchown(struct t_audit_data *tad)
828 {
829 	klwp_t *clwp = ttolwp(curthread);
830 	uint32_t uid, gid;
831 
832 
833 	struct a {
834 		long	fname;		/* char	* */
835 		long	uid;
836 		long	gid;
837 	} *uap = (struct a *)clwp->lwp_ap;
838 
839 	uid = (uint32_t)uap->uid;
840 	gid = (uint32_t)uap->gid;
841 
842 	au_uwrite(au_to_arg32(2, "new file uid", uid));
843 	au_uwrite(au_to_arg32(3, "new file gid", gid));
844 }
845 
846 /* chmod start function */
847 /*ARGSUSED*/
848 static void
849 aus_chmod(struct t_audit_data *tad)
850 {
851 	klwp_t *clwp = ttolwp(curthread);
852 	uint32_t fmode;
853 
854 	struct a {
855 		long	fname;		/* char	* */
856 		long	fmode;
857 	} *uap = (struct a *)clwp->lwp_ap;
858 
859 	fmode = (uint32_t)uap->fmode;
860 
861 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
862 }
863 
864 /* chmod start function */
865 /*ARGSUSED*/
866 static void
867 aus_fchmod(struct t_audit_data *tad)
868 {
869 	klwp_t *clwp = ttolwp(curthread);
870 	uint32_t fmode, fd;
871 	struct file  *fp;
872 	struct vnode *vp;
873 	struct f_audit_data *fad;
874 
875 	struct a {
876 		long	fd;
877 		long	fmode;
878 	} *uap = (struct a *)clwp->lwp_ap;
879 
880 	fd = (uint32_t)uap->fd;
881 	fmode = (uint32_t)uap->fmode;
882 
883 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
884 
885 		/*
886 		 * convert file pointer to file descriptor
887 		 *   Note: fd ref count incremented here.
888 		 */
889 	if ((fp = getf(fd)) == NULL)
890 		return;
891 
892 		/* get path from file struct here */
893 	fad = F2A(fp);
894 	if (fad->fad_aupath != NULL) {
895 		au_uwrite(au_to_path(fad->fad_aupath));
896 	} else {
897 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
898 	}
899 
900 	vp = fp->f_vnode;
901 	audit_attributes(vp);
902 
903 	/* decrement file descriptor reference count */
904 	releasef(fd);
905 }
906 
907 /* null function */
908 /*ARGSUSED*/
909 static void
910 auf_null(struct t_audit_data *tad, int error, rval_t *rval)
911 {
912 }
913 
914 /* null function */
915 static au_event_t
916 aui_null(au_event_t e)
917 {
918 	return (e);
919 }
920 
921 /* convert open to appropriate event */
922 static au_event_t
923 aui_open(au_event_t e)
924 {
925 	klwp_t *clwp = ttolwp(curthread);
926 	uint_t fm;
927 
928 	struct a {
929 		long	fnamep;		/* char	* */
930 		long	fmode;
931 		long	cmode;
932 	} *uap = (struct a *)clwp->lwp_ap;
933 
934 	fm = (uint_t)uap->fmode;
935 
936 	if (fm & O_WRONLY)
937 		e = AUE_OPEN_W;
938 	else if (fm & O_RDWR)
939 		e = AUE_OPEN_RW;
940 	else
941 		e = AUE_OPEN_R;
942 
943 	if (fm & O_CREAT)
944 		e += 1;
945 	if (fm & O_TRUNC)
946 		e += 2;
947 
948 	return (e);
949 }
950 
951 /*ARGSUSED*/
952 static void
953 aus_open(struct t_audit_data *tad)
954 {
955 	klwp_t *clwp = ttolwp(curthread);
956 	uint_t fm;
957 
958 	struct a {
959 		long	fnamep;		/* char	* */
960 		long	fmode;
961 		long	cmode;
962 	} *uap = (struct a *)clwp->lwp_ap;
963 
964 	fm = (uint_t)uap->fmode;
965 
966 	/* If no write, create, or trunc modes, mark as a public op */
967 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
968 		tad->tad_ctrl |= PAD_PUBLIC_EV;
969 }
970 
971 /* convert openat(2) to appropriate event */
972 static au_event_t
973 aui_fsat(au_event_t e)
974 {
975 	t_audit_data_t	*tad = U2A(u);
976 	klwp_t *clwp = ttolwp(curthread);
977 	uint_t fmcode, fm;
978 	struct a {
979 		long id;
980 		long arg1;
981 		long arg2;
982 		long arg3;
983 		long arg4;
984 		long arg5;
985 	} *uap = (struct a *)clwp->lwp_ap;
986 
987 	fmcode  = (uint_t)uap->id;
988 
989 	switch (fmcode) {
990 
991 	case 0: /* openat */
992 	case 1: /* openat64 */
993 		fm = (uint_t)uap->arg3;
994 		if (fm & O_WRONLY)
995 			e = AUE_OPENAT_W;
996 		else if (fm & O_RDWR)
997 			e = AUE_OPENAT_RW;
998 		else
999 			e = AUE_OPENAT_R;
1000 
1001 		/*
1002 		 * openat modes are defined in the following order:
1003 		 * Read only
1004 		 * Read|Create
1005 		 * Read|Trunc
1006 		 * Read|Create|Trunc
1007 		 * Write Only
1008 		 * Write|Create
1009 		 * Write|Trunc
1010 		 * Write|Create|Trunc * RW Only
1011 		 * RW|Create
1012 		 * RW|Trunc
1013 		 * RW|Create|Trunc
1014 		 */
1015 		if (fm & O_CREAT)
1016 			e += 1;		/* increment to include CREAT in mode */
1017 		if (fm & O_TRUNC)
1018 			e += 2;		/* increment to include TRUNC in mode */
1019 
1020 		/* convert to appropriate au_ctrl */
1021 		tad->tad_ctrl |= PAD_SAVPATH;
1022 		if (fm & FXATTR)
1023 			tad->tad_ctrl |= PAD_ATPATH;
1024 
1025 
1026 		break;
1027 	case 2: /* fstatat64 */
1028 	case 3: /* fstatat */
1029 		e = AUE_FSTATAT;
1030 		break;
1031 	case 4: /* fchownat */
1032 		e = AUE_FCHOWNAT;
1033 		break;
1034 	case 5: /* unlinkat */
1035 		e = AUE_UNLINKAT;
1036 		break;
1037 	case 6: /* futimesat */
1038 		e = AUE_FUTIMESAT;
1039 		break;
1040 	case 7: /* renameat */
1041 		e = AUE_RENAMEAT;
1042 		break;
1043 	case 9: /* __openattrdirat */
1044 		tad->tad_ctrl |= PAD_SAVPATH;
1045 		/*FALLTHROUGH*/
1046 	default:
1047 		e = AUE_NULL;
1048 		break;
1049 	}
1050 
1051 	return (e);
1052 }
1053 
1054 /*ARGSUSED*/
1055 static void
1056 aus_fsat(struct t_audit_data *tad)
1057 {
1058 	klwp_t *clwp = ttolwp(curthread);
1059 	uint_t fmcode, fm;
1060 	struct a {
1061 		long id;
1062 		long arg1;
1063 		long arg2;
1064 		long arg3;
1065 		long arg4;
1066 		long arg5;
1067 	} *uap = (struct a *)clwp->lwp_ap;
1068 
1069 	fmcode  = (uint_t)uap->id;
1070 
1071 	switch (fmcode) {
1072 
1073 	case 0: /* openat */
1074 	case 1: /* openat64 */
1075 		fm = (uint_t)uap->arg3;
1076 		/* If no write, create, or trunc modes, mark as a public op */
1077 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1078 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1079 
1080 		break;
1081 	case 2: /* fstatat64 */
1082 	case 3: /* fstatat */
1083 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1084 		break;
1085 	default:
1086 		break;
1087 	}
1088 }
1089 
1090 /* msgsys */
1091 static au_event_t
1092 aui_msgsys(au_event_t e)
1093 {
1094 	klwp_t *clwp = ttolwp(curthread);
1095 	uint_t fm;
1096 
1097 	struct a {
1098 		long	id;	/* function code id */
1099 		long	ap;	/* arg pointer for recvmsg */
1100 	} *uap = (struct a *)clwp->lwp_ap;
1101 
1102 	struct b {
1103 		long	msgid;
1104 		long	cmd;
1105 		long	buf;	/* struct msqid_ds * */
1106 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1107 
1108 	fm  = (uint_t)uap->id;
1109 
1110 	switch (fm) {
1111 	case 0:		/* msgget */
1112 		e = AUE_MSGGET;
1113 		break;
1114 	case 1:		/* msgctl */
1115 		switch ((uint_t)uap1->cmd) {
1116 		case IPC_RMID:
1117 			e = AUE_MSGCTL_RMID;
1118 			break;
1119 		case IPC_SET:
1120 			e = AUE_MSGCTL_SET;
1121 			break;
1122 		case IPC_STAT:
1123 			e = AUE_MSGCTL_STAT;
1124 			break;
1125 		default:
1126 			e = AUE_MSGCTL;
1127 			break;
1128 		}
1129 		break;
1130 	case 2:		/* msgrcv */
1131 		e = AUE_MSGRCV;
1132 		break;
1133 	case 3:		/* msgsnd */
1134 		e = AUE_MSGSND;
1135 		break;
1136 	default:	/* illegal system call */
1137 		e = AUE_NULL;
1138 		break;
1139 	}
1140 
1141 	return (e);
1142 }
1143 
1144 
1145 /* shmsys */
1146 static au_event_t
1147 aui_shmsys(au_event_t e)
1148 {
1149 	klwp_t *clwp = ttolwp(curthread);
1150 	int fm;
1151 
1152 	struct a {		/* shmsys */
1153 		long	id;	/* function code id */
1154 	} *uap = (struct a *)clwp->lwp_ap;
1155 
1156 	struct b {		/* ctrl */
1157 		long	shmid;
1158 		long	cmd;
1159 		long	arg;		/* struct shmid_ds * */
1160 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1161 	fm  = (uint_t)uap->id;
1162 
1163 	switch (fm) {
1164 	case 0:		/* shmat */
1165 		e = AUE_SHMAT;
1166 		break;
1167 	case 1:		/* shmctl */
1168 		switch ((uint_t)uap1->cmd) {
1169 		case IPC_RMID:
1170 			e = AUE_SHMCTL_RMID;
1171 			break;
1172 		case IPC_SET:
1173 			e = AUE_SHMCTL_SET;
1174 			break;
1175 		case IPC_STAT:
1176 			e = AUE_SHMCTL_STAT;
1177 			break;
1178 		default:
1179 			e = AUE_SHMCTL;
1180 			break;
1181 		}
1182 		break;
1183 	case 2:		/* shmdt */
1184 		e = AUE_SHMDT;
1185 		break;
1186 	case 3:		/* shmget */
1187 		e = AUE_SHMGET;
1188 		break;
1189 	default:	/* illegal system call */
1190 		e = AUE_NULL;
1191 		break;
1192 	}
1193 
1194 	return (e);
1195 }
1196 
1197 
1198 /* semsys */
1199 static au_event_t
1200 aui_semsys(au_event_t e)
1201 {
1202 	klwp_t *clwp = ttolwp(curthread);
1203 	uint_t fm;
1204 
1205 	struct a {		/* semsys */
1206 		long	id;
1207 	} *uap = (struct a *)clwp->lwp_ap;
1208 
1209 	struct b {		/* ctrl */
1210 		long	semid;
1211 		long	semnum;
1212 		long	cmd;
1213 		long	arg;
1214 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1215 
1216 	fm = (uint_t)uap->id;
1217 
1218 	switch (fm) {
1219 	case 0:		/* semctl */
1220 		switch ((uint_t)uap1->cmd) {
1221 		case IPC_RMID:
1222 			e = AUE_SEMCTL_RMID;
1223 			break;
1224 		case IPC_SET:
1225 			e = AUE_SEMCTL_SET;
1226 			break;
1227 		case IPC_STAT:
1228 			e = AUE_SEMCTL_STAT;
1229 			break;
1230 		case GETNCNT:
1231 			e = AUE_SEMCTL_GETNCNT;
1232 			break;
1233 		case GETPID:
1234 			e = AUE_SEMCTL_GETPID;
1235 			break;
1236 		case GETVAL:
1237 			e = AUE_SEMCTL_GETVAL;
1238 			break;
1239 		case GETALL:
1240 			e = AUE_SEMCTL_GETALL;
1241 			break;
1242 		case GETZCNT:
1243 			e = AUE_SEMCTL_GETZCNT;
1244 			break;
1245 		case SETVAL:
1246 			e = AUE_SEMCTL_SETVAL;
1247 			break;
1248 		case SETALL:
1249 			e = AUE_SEMCTL_SETALL;
1250 			break;
1251 		default:
1252 			e = AUE_SEMCTL;
1253 			break;
1254 		}
1255 		break;
1256 	case 1:		/* semget */
1257 		e = AUE_SEMGET;
1258 		break;
1259 	case 2:		/* semop */
1260 		e = AUE_SEMOP;
1261 		break;
1262 	default:	/* illegal system call */
1263 		e = AUE_NULL;
1264 		break;
1265 	}
1266 
1267 	return (e);
1268 }
1269 
1270 /* utssys - uname(2), ustat(2), fusers(2) */
1271 static au_event_t
1272 aui_utssys(au_event_t e)
1273 {
1274 	klwp_t *clwp = ttolwp(curthread);
1275 	uint_t type;
1276 
1277 	struct a {
1278 		union {
1279 			long	cbuf;		/* char * */
1280 			long	ubuf;		/* struct stat * */
1281 		} ub;
1282 		union {
1283 			long	mv;	/* for USTAT */
1284 			long	flags;	/* for FUSERS */
1285 		} un;
1286 		long	type;
1287 		long	outbp;		/* char * for FUSERS */
1288 	} *uap = (struct a *)clwp->lwp_ap;
1289 
1290 	type = (uint_t)uap->type;
1291 
1292 	if (type == UTS_FUSERS)
1293 		return (e);
1294 	else
1295 		return ((au_event_t)AUE_NULL);
1296 }
1297 
1298 static au_event_t
1299 aui_fcntl(au_event_t e)
1300 {
1301 	klwp_t *clwp = ttolwp(curthread);
1302 	uint_t cmd;
1303 
1304 	struct a {
1305 		long	fdes;
1306 		long	cmd;
1307 		long	arg;
1308 	} *uap = (struct a *)clwp->lwp_ap;
1309 
1310 	cmd = (uint_t)uap->cmd;
1311 
1312 	switch (cmd) {
1313 	case F_GETLK:
1314 	case F_SETLK:
1315 	case F_SETLKW:
1316 		break;
1317 	case F_SETFL:
1318 	case F_GETFL:
1319 	case F_GETFD:
1320 		break;
1321 	default:
1322 		e = (au_event_t)AUE_NULL;
1323 		break;
1324 	}
1325 	return ((au_event_t)e);
1326 }
1327 
1328 /* null function for now */
1329 static au_event_t
1330 aui_execv(au_event_t e)
1331 {
1332 	return (e);
1333 }
1334 
1335 /* null function for now */
1336 static au_event_t
1337 aui_execve(au_event_t e)
1338 {
1339 	return (e);
1340 }
1341 
1342 /*ARGSUSED*/
1343 static void
1344 aus_fcntl(struct t_audit_data *tad)
1345 {
1346 	klwp_t *clwp = ttolwp(curthread);
1347 	uint32_t cmd, fd;
1348 	struct file  *fp;
1349 	struct vnode *vp;
1350 	struct f_audit_data *fad;
1351 
1352 	struct a {
1353 		long	fd;
1354 		long	cmd;
1355 		long	arg;
1356 	} *uap = (struct a *)clwp->lwp_ap;
1357 
1358 	cmd = (uint32_t)uap->cmd;
1359 	fd  = (uint32_t)uap->fd;
1360 
1361 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1362 
1363 		/*
1364 		 * convert file pointer to file descriptor
1365 		 *   Note: fd ref count incremented here.
1366 		 */
1367 	if ((fp = getf(fd)) == NULL)
1368 		return;
1369 
1370 	/* get path from file struct here */
1371 	fad = F2A(fp);
1372 	if (fad->fad_aupath != NULL) {
1373 		au_uwrite(au_to_path(fad->fad_aupath));
1374 	} else {
1375 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1376 	}
1377 
1378 	vp = fp->f_vnode;
1379 	audit_attributes(vp);
1380 
1381 	/* decrement file descriptor reference count */
1382 	releasef(fd);
1383 }
1384 
1385 /*ARGSUSED*/
1386 static void
1387 aus_kill(struct t_audit_data *tad)
1388 {
1389 	klwp_t *clwp = ttolwp(curthread);
1390 	struct proc *p;
1391 	uint32_t signo;
1392 	uid_t uid, ruid;
1393 	gid_t gid, rgid;
1394 	pid_t pid;
1395 	const auditinfo_addr_t *ainfo;
1396 	cred_t *cr;
1397 
1398 	struct a {
1399 		long	pid;
1400 		long	signo;
1401 	} *uap = (struct a *)clwp->lwp_ap;
1402 
1403 	pid   = (pid_t)uap->pid;
1404 	signo = (uint32_t)uap->signo;
1405 
1406 	au_uwrite(au_to_arg32(2, "signal", signo));
1407 	if (pid > 0) {
1408 		mutex_enter(&pidlock);
1409 		if (((p = prfind(pid)) == (struct proc *)0) ||
1410 		    (p->p_stat == SIDL)) {
1411 			mutex_exit(&pidlock);
1412 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1413 			return;
1414 		}
1415 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1416 		mutex_exit(&pidlock);
1417 
1418 		mutex_enter(&p->p_crlock);
1419 		crhold(cr = p->p_cred);
1420 		mutex_exit(&p->p_crlock);
1421 		mutex_exit(&p->p_lock);
1422 
1423 		ainfo = crgetauinfo(cr);
1424 		if (ainfo == NULL) {
1425 			crfree(cr);
1426 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1427 			return;
1428 		}
1429 
1430 		uid  = crgetuid(cr);
1431 		gid  = crgetgid(cr);
1432 		ruid = crgetruid(cr);
1433 		rgid = crgetrgid(cr);
1434 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1435 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1436 
1437 		if (is_system_labeled())
1438 			au_uwrite(au_to_label(CR_SL(cr)));
1439 
1440 		crfree(cr);
1441 	}
1442 	else
1443 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1444 }
1445 
1446 /*ARGSUSED*/
1447 static void
1448 aus_mkdir(struct t_audit_data *tad)
1449 {
1450 	klwp_t *clwp = ttolwp(curthread);
1451 	uint32_t dmode;
1452 
1453 	struct a {
1454 		long	dirnamep;		/* char * */
1455 		long	dmode;
1456 	} *uap = (struct a *)clwp->lwp_ap;
1457 
1458 	dmode = (uint32_t)uap->dmode;
1459 
1460 	au_uwrite(au_to_arg32(2, "mode", dmode));
1461 }
1462 
1463 /*ARGSUSED*/
1464 static void
1465 aus_mknod(struct t_audit_data *tad)
1466 {
1467 	klwp_t *clwp = ttolwp(curthread);
1468 	uint32_t fmode;
1469 	dev_t dev;
1470 
1471 	struct a {
1472 		long	pnamep;		/* char * */
1473 		long	fmode;
1474 		long	dev;
1475 	} *uap = (struct a *)clwp->lwp_ap;
1476 
1477 	fmode = (uint32_t)uap->fmode;
1478 	dev   = (dev_t)uap->dev;
1479 
1480 	au_uwrite(au_to_arg32(2, "mode", fmode));
1481 #ifdef _LP64
1482 	au_uwrite(au_to_arg64(3, "dev", dev));
1483 #else
1484 	au_uwrite(au_to_arg32(3, "dev", dev));
1485 #endif
1486 }
1487 
1488 /*ARGSUSED*/
1489 static void
1490 aus_xmknod(struct t_audit_data *tad)
1491 {
1492 	klwp_t *clwp = ttolwp(curthread);
1493 	uint32_t fmode;
1494 	dev_t dev;
1495 
1496 	struct a {
1497 		long	version;	/* version */
1498 		long	pnamep;		/* char * */
1499 		long	fmode;
1500 		long	dev;
1501 	} *uap = (struct a *)clwp->lwp_ap;
1502 
1503 	fmode = (uint32_t)uap->fmode;
1504 	dev   = (dev_t)uap->dev;
1505 
1506 	au_uwrite(au_to_arg32(2, "mode", fmode));
1507 #ifdef _LP64
1508 	au_uwrite(au_to_arg64(3, "dev", dev));
1509 #else
1510 	au_uwrite(au_to_arg32(3, "dev", dev));
1511 #endif
1512 }
1513 
1514 /*ARGSUSED*/
1515 static void
1516 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1517 {
1518 	klwp_t *clwp = ttolwp(curthread);
1519 	vnode_t	*dvp;
1520 	caddr_t pnamep;
1521 
1522 	struct a {
1523 		long	pnamep;		/* char * */
1524 		long	fmode;
1525 		long	dev;
1526 	} *uap = (struct a *)clwp->lwp_ap;
1527 
1528 	/* no error, then already path token in audit record */
1529 	if (error != EPERM)
1530 		return;
1531 
1532 	/* not auditing this event, nothing then to do */
1533 	if (tad->tad_flag == 0)
1534 		return;
1535 
1536 	/* do the lookup to force generation of path token */
1537 	pnamep = (caddr_t)uap->pnamep;
1538 	tad->tad_ctrl |= PAD_NOATTRB;
1539 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1540 	if (error == 0)
1541 		VN_RELE(dvp);
1542 }
1543 
1544 /*ARGSUSED*/
1545 static void
1546 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1547 {
1548 	klwp_t *clwp = ttolwp(curthread);
1549 	vnode_t	*dvp;
1550 	caddr_t pnamep;
1551 
1552 	struct a {
1553 		long	version;	/* version */
1554 		long	pnamep;		/* char * */
1555 		long	fmode;
1556 		long	dev;
1557 	} *uap = (struct a *)clwp->lwp_arg;
1558 
1559 
1560 	/* no error, then already path token in audit record */
1561 	if (error != EPERM)
1562 		return;
1563 
1564 	/* not auditing this event, nothing then to do */
1565 	if (tad->tad_flag == 0)
1566 		return;
1567 
1568 	/* do the lookup to force generation of path token */
1569 	pnamep = (caddr_t)uap->pnamep;
1570 	tad->tad_ctrl |= PAD_NOATTRB;
1571 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1572 	if (error == 0)
1573 		VN_RELE(dvp);
1574 }
1575 
1576 /*ARGSUSED*/
1577 static void
1578 aus_mount(struct t_audit_data *tad)
1579 {	/* AUS_START */
1580 	klwp_t *clwp = ttolwp(curthread);
1581 	uint32_t flags;
1582 	uintptr_t u_fstype, dataptr;
1583 	STRUCT_DECL(nfs_args, nfsargs);
1584 	size_t len;
1585 	char *fstype, *hostname;
1586 
1587 	struct a {
1588 		long	spec;		/* char    * */
1589 		long	dir;		/* char    * */
1590 		long	flags;
1591 		long	fstype;		/* char    * */
1592 		long	dataptr;	/* char    * */
1593 		long	datalen;
1594 	} *uap = (struct a *)clwp->lwp_ap;
1595 
1596 	u_fstype = (uintptr_t)uap->fstype;
1597 	flags    = (uint32_t)uap->flags;
1598 	dataptr  = (uintptr_t)uap->dataptr;
1599 
1600 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1601 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1602 		goto mount_free_fstype;
1603 
1604 	au_uwrite(au_to_arg32(3, "flags", flags));
1605 	au_uwrite(au_to_text(fstype));
1606 
1607 	if (strncmp(fstype, "nfs", 3) == 0) {
1608 
1609 		STRUCT_INIT(nfsargs, get_udatamodel());
1610 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1611 
1612 		if (copyin((caddr_t)dataptr,
1613 				STRUCT_BUF(nfsargs),
1614 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1615 			/* DEBUG debug_enter((char *)NULL); */
1616 			goto mount_free_fstype;
1617 		}
1618 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1619 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1620 				(caddr_t)hostname,
1621 				MAXNAMELEN, &len)) {
1622 			goto mount_free_hostname;
1623 		}
1624 		au_uwrite(au_to_text(hostname));
1625 		au_uwrite(au_to_arg32(3, "internal flags",
1626 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1627 
1628 mount_free_hostname:
1629 		kmem_free(hostname, MAXNAMELEN);
1630 	}
1631 
1632 mount_free_fstype:
1633 	kmem_free(fstype, MAXNAMELEN);
1634 }	/* AUS_MOUNT */
1635 
1636 static void
1637 aus_umount_path(caddr_t umount_dir)
1638 {
1639 	char			*dir_path;
1640 	struct audit_path	*path;
1641 	size_t			path_len, dir_len;
1642 
1643 	/* length alloc'd for two string pointers */
1644 	path_len = sizeof (struct audit_path) + sizeof (char *);
1645 	path = kmem_alloc(path_len, KM_SLEEP);
1646 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1647 
1648 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1649 	    MAXPATHLEN, &dir_len))
1650 		goto umount2_free_dir;
1651 
1652 	/*
1653 	 * the audit_path struct assumes that the buffer pointed to
1654 	 * by audp_sect[n] contains string 0 immediatedly followed
1655 	 * by string 1.
1656 	 */
1657 	path->audp_sect[0] = dir_path;
1658 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1659 	path->audp_size = path_len;
1660 	path->audp_ref = 1;		/* not used */
1661 	path->audp_cnt = 1;		/* one path string */
1662 
1663 	au_uwrite(au_to_path(path));
1664 
1665 umount2_free_dir:
1666 	kmem_free(dir_path, MAXPATHLEN);
1667 	kmem_free(path, path_len);
1668 }
1669 
1670 /*
1671  * the umount syscall is implemented as a call to umount2, but the args
1672  * are different...
1673  */
1674 
1675 /*ARGSUSED*/
1676 static void
1677 aus_umount(struct t_audit_data *tad)
1678 {
1679 	klwp_t			*clwp = ttolwp(curthread);
1680 	struct a {
1681 		long	dir;		/* char    * */
1682 	} *uap = (struct a *)clwp->lwp_ap;
1683 
1684 	aus_umount_path((caddr_t)uap->dir);
1685 }
1686 
1687 /*ARGSUSED*/
1688 static void
1689 aus_umount2(struct t_audit_data *tad)
1690 {
1691 	klwp_t			*clwp = ttolwp(curthread);
1692 	struct a {
1693 		long	dir;		/* char    * */
1694 		long	flags;
1695 	} *uap = (struct a *)clwp->lwp_ap;
1696 
1697 	aus_umount_path((caddr_t)uap->dir);
1698 
1699 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1700 }
1701 
1702 static void
1703 aus_msgsys(struct t_audit_data *tad)
1704 {
1705 	klwp_t *clwp = ttolwp(curthread);
1706 	uint32_t msgid;
1707 
1708 	struct b {
1709 		long	msgid;
1710 		long	cmd;
1711 		long	buf;		/* struct msqid_ds * */
1712 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1713 
1714 	msgid = (uint32_t)uap1->msgid;
1715 
1716 
1717 	switch (tad->tad_event) {
1718 	case AUE_MSGGET:		/* msgget */
1719 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1720 		break;
1721 	case AUE_MSGCTL:		/* msgctl */
1722 	case AUE_MSGCTL_RMID:		/* msgctl */
1723 	case AUE_MSGCTL_STAT:		/* msgctl */
1724 	case AUE_MSGRCV:		/* msgrcv */
1725 	case AUE_MSGSND:		/* msgsnd */
1726 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1727 		break;
1728 	case AUE_MSGCTL_SET:		/* msgctl */
1729 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1730 		break;
1731 	}
1732 }
1733 
1734 /*ARGSUSED*/
1735 static void
1736 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1737 {
1738 	int id;
1739 
1740 	if (error != 0)
1741 		return;
1742 	if (tad->tad_event == AUE_MSGGET) {
1743 		uint32_t scid;
1744 		uint32_t sy_flags;
1745 
1746 		/* need to determine type of executing binary */
1747 		scid = tad->tad_scid;
1748 #ifdef _SYSCALL32_IMPL
1749 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1750 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1751 		else
1752 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1753 #else
1754 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1755 #endif
1756 		if (sy_flags == SE_32RVAL1)
1757 			id = rval->r_val1;
1758 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1759 			id = rval->r_val1;
1760 		if (sy_flags == SE_64RVAL)
1761 			id = (int)rval->r_vals;
1762 
1763 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1764 	}
1765 }
1766 
1767 static void
1768 aus_semsys(struct t_audit_data *tad)
1769 {
1770 	klwp_t *clwp = ttolwp(curthread);
1771 	uint32_t semid;
1772 
1773 	struct b {		/* ctrl */
1774 		long	semid;
1775 		long	semnum;
1776 		long	cmd;
1777 		long	arg;
1778 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1779 
1780 	semid = (uint32_t)uap1->semid;
1781 
1782 	switch (tad->tad_event) {
1783 	case AUE_SEMCTL_RMID:
1784 	case AUE_SEMCTL_STAT:
1785 	case AUE_SEMCTL_GETNCNT:
1786 	case AUE_SEMCTL_GETPID:
1787 	case AUE_SEMCTL_GETVAL:
1788 	case AUE_SEMCTL_GETALL:
1789 	case AUE_SEMCTL_GETZCNT:
1790 	case AUE_SEMCTL_SETVAL:
1791 	case AUE_SEMCTL_SETALL:
1792 	case AUE_SEMCTL:
1793 	case AUE_SEMOP:
1794 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1795 		break;
1796 	case AUE_SEMCTL_SET:
1797 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1798 		break;
1799 	case AUE_SEMGET:
1800 		au_uwrite(au_to_arg32(1, "sem key", semid));
1801 		break;
1802 	}
1803 }
1804 
1805 /*ARGSUSED*/
1806 static void
1807 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1808 {
1809 	int id;
1810 
1811 	if (error != 0)
1812 		return;
1813 	if (tad->tad_event == AUE_SEMGET) {
1814 		uint32_t scid;
1815 		uint32_t sy_flags;
1816 
1817 		/* need to determine type of executing binary */
1818 		scid = tad->tad_scid;
1819 #ifdef _SYSCALL32_IMPL
1820 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1821 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1822 		else
1823 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1824 #else
1825 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1826 #endif
1827 		if (sy_flags == SE_32RVAL1)
1828 			id = rval->r_val1;
1829 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1830 			id = rval->r_val1;
1831 		if (sy_flags == SE_64RVAL)
1832 			id = (int)rval->r_vals;
1833 
1834 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1835 	}
1836 }
1837 
1838 /*ARGSUSED*/
1839 static void
1840 aus_close(struct t_audit_data *tad)
1841 {
1842 	klwp_t *clwp = ttolwp(curthread);
1843 	uint32_t fd;
1844 	struct file *fp;
1845 	struct f_audit_data *fad;
1846 	struct vnode *vp;
1847 	struct vattr attr;
1848 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1849 
1850 	struct a {
1851 		long	i;
1852 	} *uap = (struct a *)clwp->lwp_ap;
1853 
1854 	fd = (uint32_t)uap->i;
1855 
1856 	attr.va_mask = 0;
1857 	au_uwrite(au_to_arg32(1, "fd", fd));
1858 
1859 		/*
1860 		 * convert file pointer to file descriptor
1861 		 *   Note: fd ref count incremented here.
1862 		 */
1863 	if ((fp = getf(fd)) == NULL)
1864 		return;
1865 
1866 	fad = F2A(fp);
1867 	tad->tad_evmod = (short)fad->fad_flags;
1868 	if (fad->fad_aupath != NULL) {
1869 		au_uwrite(au_to_path(fad->fad_aupath));
1870 		if ((vp = fp->f_vnode) != NULL) {
1871 			attr.va_mask = AT_ALL;
1872 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1873 				/*
1874 				 * When write was not used and the file can be
1875 				 * considered public, skip the audit.
1876 				 */
1877 				if (((fp->f_flag & FWRITE) == 0) &&
1878 				    file_is_public(&attr)) {
1879 					tad->tad_flag = 0;
1880 					tad->tad_evmod = 0;
1881 					/* free any residual audit data */
1882 					au_close(kctx, &(u_ad), 0, 0, 0);
1883 					releasef(fd);
1884 					return;
1885 				}
1886 				au_uwrite(au_to_attr(&attr));
1887 				audit_sec_attributes(&(u_ad), vp);
1888 			}
1889 		}
1890 	}
1891 
1892 	/* decrement file descriptor reference count */
1893 	releasef(fd);
1894 }
1895 
1896 /*ARGSUSED*/
1897 static void
1898 aus_fstatfs(struct t_audit_data *tad)
1899 {
1900 	klwp_t *clwp = ttolwp(curthread);
1901 	uint32_t fd;
1902 	struct file  *fp;
1903 	struct vnode *vp;
1904 	struct f_audit_data *fad;
1905 
1906 	struct a {
1907 		long	fd;
1908 		long	buf;		/* struct statfs * */
1909 	} *uap = (struct a *)clwp->lwp_ap;
1910 
1911 	fd = (uint_t)uap->fd;
1912 
1913 		/*
1914 		 * convert file pointer to file descriptor
1915 		 *   Note: fd ref count incremented here.
1916 		 */
1917 	if ((fp = getf(fd)) == NULL)
1918 		return;
1919 
1920 		/* get path from file struct here */
1921 	fad = F2A(fp);
1922 	if (fad->fad_aupath != NULL) {
1923 		au_uwrite(au_to_path(fad->fad_aupath));
1924 	} else {
1925 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1926 	}
1927 
1928 	vp = fp->f_vnode;
1929 	audit_attributes(vp);
1930 
1931 	/* decrement file descriptor reference count */
1932 	releasef(fd);
1933 }
1934 
1935 #ifdef NOTYET
1936 /*ARGSUSED*/
1937 static void
1938 aus_setpgrp(struct t_audit_data *tad)
1939 {
1940 	klwp_t *clwp = ttolwp(curthread);
1941 	uint32_t pgrp;
1942 	struct proc *p;
1943 	uid_t uid, ruid;
1944 	gid_t gid, rgid;
1945 	pid_t pid;
1946 	const auditinfo_addr_t *ainfo;
1947 	cred_t *cr;
1948 
1949 	struct a {
1950 		long	pid;
1951 		long	pgrp;
1952 	} *uap = (struct a *)clwp->lwp_ap;
1953 
1954 	pid  = (pid_t)uap->pid;
1955 	pgrp = (uint32_t)uap->pgrp;
1956 
1957 		/* current process? */
1958 	if (pid == 0)
1959 		(return);
1960 
1961 	mutex_enter(&pidlock);
1962 	p = prfind(pid);
1963 	if (p == NULL || p->p_as == &kas) {
1964 		mutex_exit(&pidlock);
1965 		return;
1966 	}
1967 	mutex_enter(&p->p_lock);	/* so process doesn't go away */
1968 	mutex_exit(&pidlock);
1969 
1970 	mutex_enter(&p->p_crlock);
1971 	crhold(cr = p->p_cred);
1972 	mutex_exit(&p->p_crlock);
1973 	mutex_exit(&p->p_lock);
1974 
1975 	ainfo = crgetauinfo(cr);
1976 	if (ainfo == NULL) {
1977 		crfree(cr);
1978 		return;
1979 	}
1980 
1981 	uid  = crgetuid(cr);
1982 	gid  = crgetgid(cr);
1983 	ruid = crgetruid(cr);
1984 	rgid = crgetrgid(cr);
1985 	au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1986 	    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1987 	crfree(cr);
1988 	au_uwrite(au_to_arg32(2, "pgrp", pgrp));
1989 }
1990 #endif
1991 
1992 /*ARGSUSED*/
1993 static void
1994 aus_setregid(struct t_audit_data *tad)
1995 {
1996 	klwp_t *clwp = ttolwp(curthread);
1997 	uint32_t rgid, egid;
1998 
1999 	struct a {
2000 		long	 rgid;
2001 		long	 egid;
2002 	} *uap = (struct a *)clwp->lwp_ap;
2003 
2004 	rgid  = (uint32_t)uap->rgid;
2005 	egid  = (uint32_t)uap->egid;
2006 
2007 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2008 	au_uwrite(au_to_arg32(2, "egid", egid));
2009 }
2010 
2011 /*ARGSUSED*/
2012 static void
2013 aus_setgid(struct t_audit_data *tad)
2014 {
2015 	klwp_t *clwp = ttolwp(curthread);
2016 	uint32_t gid;
2017 
2018 	struct a {
2019 		long	gid;
2020 	} *uap = (struct a *)clwp->lwp_ap;
2021 
2022 	gid = (uint32_t)uap->gid;
2023 
2024 	au_uwrite(au_to_arg32(1, "gid", gid));
2025 }
2026 
2027 
2028 /*ARGSUSED*/
2029 static void
2030 aus_setreuid(struct t_audit_data *tad)
2031 {
2032 	klwp_t *clwp = ttolwp(curthread);
2033 	uint32_t ruid, euid;
2034 
2035 	struct a {
2036 		long	ruid;
2037 		long	euid;
2038 	} *uap = (struct a *)clwp->lwp_ap;
2039 
2040 	ruid = (uint32_t)uap->ruid;
2041 	euid  = (uint32_t)uap->euid;
2042 
2043 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2044 	au_uwrite(au_to_arg32(2, "euid", euid));
2045 }
2046 
2047 
2048 /*ARGSUSED*/
2049 static void
2050 aus_setuid(struct t_audit_data *tad)
2051 {
2052 	klwp_t *clwp = ttolwp(curthread);
2053 	uint32_t uid;
2054 
2055 	struct a {
2056 		long	uid;
2057 	} *uap = (struct a *)clwp->lwp_ap;
2058 
2059 	uid = (uint32_t)uap->uid;
2060 
2061 	au_uwrite(au_to_arg32(1, "uid", uid));
2062 }
2063 
2064 /*ARGSUSED*/
2065 static void
2066 aus_shmsys(struct t_audit_data *tad)
2067 {
2068 	klwp_t *clwp = ttolwp(curthread);
2069 	uint32_t id, cmd;
2070 
2071 	struct b {
2072 		long	id;
2073 		long	cmd;
2074 		long	buf;		/* struct shmid_ds * */
2075 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2076 
2077 	id  = (uint32_t)uap1->id;
2078 	cmd = (uint32_t)uap1->cmd;
2079 
2080 	switch (tad->tad_event) {
2081 	case AUE_SHMGET:			/* shmget */
2082 		au_uwrite(au_to_arg32(1, "shm key", id));
2083 		break;
2084 	case AUE_SHMCTL:			/* shmctl */
2085 	case AUE_SHMCTL_RMID:			/* shmctl */
2086 	case AUE_SHMCTL_STAT:			/* shmctl */
2087 	case AUE_SHMCTL_SET:			/* shmctl */
2088 		au_uwrite(au_to_arg32(1, "shm ID", id));
2089 		break;
2090 	case AUE_SHMDT:				/* shmdt */
2091 		au_uwrite(au_to_arg32(1, "shm adr", id));
2092 		break;
2093 	case AUE_SHMAT:				/* shmat */
2094 		au_uwrite(au_to_arg32(1, "shm ID", id));
2095 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2096 		break;
2097 	}
2098 }
2099 
2100 /*ARGSUSED*/
2101 static void
2102 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2103 {
2104 	int id;
2105 
2106 	if (error != 0)
2107 		return;
2108 	if (tad->tad_event == AUE_SHMGET) {
2109 		uint32_t scid;
2110 		uint32_t sy_flags;
2111 
2112 		/* need to determine type of executing binary */
2113 		scid = tad->tad_scid;
2114 #ifdef _SYSCALL32_IMPL
2115 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2116 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2117 		else
2118 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2119 #else
2120 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2121 #endif
2122 		if (sy_flags == SE_32RVAL1)
2123 			id = rval->r_val1;
2124 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2125 			id = rval->r_val1;
2126 		if (sy_flags == SE_64RVAL)
2127 			id = (int)rval->r_vals;
2128 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2129 	}
2130 }
2131 
2132 
2133 /*ARGSUSED*/
2134 static void
2135 aus_ioctl(struct t_audit_data *tad)
2136 {
2137 	klwp_t *clwp = ttolwp(curthread);
2138 	struct file *fp;
2139 	struct vnode *vp;
2140 	struct f_audit_data *fad;
2141 	uint32_t fd, cmd;
2142 	uintptr_t cmarg;
2143 
2144 	/* XX64 */
2145 	struct a {
2146 		long	fd;
2147 		long	cmd;
2148 		long	cmarg;		/* caddr_t */
2149 	} *uap = (struct a *)clwp->lwp_ap;
2150 
2151 	fd    = (uint32_t)uap->fd;
2152 	cmd   = (uint32_t)uap->cmd;
2153 	cmarg = (uintptr_t)uap->cmarg;
2154 
2155 		/*
2156 		 * convert file pointer to file descriptor
2157 		 *   Note: fd ref count incremented here.
2158 		 */
2159 	if ((fp = getf(fd)) == NULL) {
2160 		au_uwrite(au_to_arg32(1, "fd", fd));
2161 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2162 #ifndef _LP64
2163 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2164 #else
2165 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2166 #endif
2167 		return;
2168 	}
2169 
2170 	/* get path from file struct here */
2171 	fad = F2A(fp);
2172 	if (fad->fad_aupath != NULL) {
2173 		au_uwrite(au_to_path(fad->fad_aupath));
2174 	} else {
2175 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2176 	}
2177 
2178 	vp = fp->f_vnode;
2179 	audit_attributes(vp);
2180 
2181 	/* decrement file descriptor reference count */
2182 	releasef(fd);
2183 
2184 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2185 #ifndef _LP64
2186 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2187 #else
2188 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2189 #endif
2190 }
2191 
2192 /*
2193  * null function for memcntl for now. We might want to limit memcntl()
2194  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2195  * require privileges.
2196  */
2197 static au_event_t
2198 aui_memcntl(au_event_t e)
2199 {
2200 	return (e);
2201 }
2202 
2203 /*ARGSUSED*/
2204 static au_event_t
2205 aui_privsys(au_event_t e)
2206 {
2207 	klwp_t *clwp = ttolwp(curthread);
2208 
2209 	struct a {
2210 		long	opcode;
2211 	} *uap = (struct a *)clwp->lwp_ap;
2212 
2213 	switch (uap->opcode) {
2214 	case PRIVSYS_SETPPRIV:
2215 		return (AUE_SETPPRIV);
2216 	default:
2217 		return (AUE_NULL);
2218 	}
2219 }
2220 
2221 /*ARGSUSED*/
2222 static void
2223 aus_memcntl(struct t_audit_data *tad)
2224 {
2225 	klwp_t *clwp = ttolwp(curthread);
2226 
2227 	struct a {
2228 		long	addr;
2229 		long	len;
2230 		long	cmd;
2231 		long	arg;
2232 		long	attr;
2233 		long	mask;
2234 	} *uap = (struct a *)clwp->lwp_ap;
2235 
2236 #ifdef _LP64
2237 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2238 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2239 #else
2240 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2241 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2242 #endif
2243 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2244 #ifdef _LP64
2245 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2246 #else
2247 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2248 #endif
2249 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2250 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2251 }
2252 
2253 /*ARGSUSED*/
2254 static void
2255 aus_mmap(struct t_audit_data *tad)
2256 {
2257 	klwp_t *clwp = ttolwp(curthread);
2258 	struct file *fp;
2259 	struct f_audit_data *fad;
2260 	struct vnode *vp;
2261 	uint32_t fd;
2262 
2263 	struct a {
2264 		long	addr;
2265 		long	len;
2266 		long	prot;
2267 		long	flags;
2268 		long	fd;
2269 		long	pos;
2270 	} *uap = (struct a *)clwp->lwp_ap;
2271 
2272 	fd = (uint32_t)uap->fd;
2273 
2274 #ifdef _LP64
2275 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2276 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2277 #else
2278 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2279 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2280 #endif
2281 
2282 	if ((fp = getf(fd)) == NULL) {
2283 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2284 		return;
2285 	}
2286 
2287 	/*
2288 	 * Mark in the tad if write access is NOT requested... if
2289 	 * this is later detected (in audit_attributes) to be a
2290 	 * public object, the mmap event may be discarded.
2291 	 */
2292 	if (((uap->prot) & PROT_WRITE) == 0) {
2293 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2294 	}
2295 
2296 	fad = F2A(fp);
2297 	if (fad->fad_aupath != NULL) {
2298 		au_uwrite(au_to_path(fad->fad_aupath));
2299 	} else {
2300 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2301 	}
2302 
2303 	vp = (struct vnode *)fp->f_vnode;
2304 	audit_attributes(vp);
2305 
2306 	/* mark READ/WRITE since we can't predict access */
2307 	if (uap->prot & PROT_READ)
2308 		fad->fad_flags |= FAD_READ;
2309 	if (uap->prot & PROT_WRITE)
2310 		fad->fad_flags |= FAD_WRITE;
2311 
2312 	/* decrement file descriptor reference count */
2313 	releasef(fd);
2314 
2315 }	/* AUS_MMAP */
2316 
2317 
2318 
2319 
2320 /*ARGSUSED*/
2321 static void
2322 aus_munmap(struct t_audit_data *tad)
2323 {
2324 	klwp_t *clwp = ttolwp(curthread);
2325 
2326 	struct a {
2327 		long	addr;
2328 		long	len;
2329 	} *uap = (struct a *)clwp->lwp_ap;
2330 
2331 #ifdef _LP64
2332 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2333 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2334 #else
2335 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2336 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2337 #endif
2338 
2339 }	/* AUS_MUNMAP */
2340 
2341 
2342 
2343 
2344 
2345 
2346 
2347 /*ARGSUSED*/
2348 static void
2349 aus_priocntlsys(struct t_audit_data *tad)
2350 {
2351 	klwp_t *clwp = ttolwp(curthread);
2352 
2353 	struct a {
2354 		long	pc_version;
2355 		long	psp;		/* procset_t */
2356 		long	cmd;
2357 		long	arg;
2358 	} *uap = (struct a *)clwp->lwp_ap;
2359 
2360 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2361 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2362 
2363 }	/* AUS_PRIOCNTLSYS */
2364 
2365 
2366 /*ARGSUSED*/
2367 static void
2368 aus_setegid(struct t_audit_data *tad)
2369 {
2370 	klwp_t *clwp = ttolwp(curthread);
2371 	uint32_t gid;
2372 
2373 	struct a {
2374 		long	gid;
2375 	} *uap = (struct a *)clwp->lwp_ap;
2376 
2377 	gid = (uint32_t)uap->gid;
2378 
2379 	au_uwrite(au_to_arg32(1, "gid", gid));
2380 }	/* AUS_SETEGID */
2381 
2382 
2383 
2384 
2385 /*ARGSUSED*/
2386 static void
2387 aus_setgroups(struct t_audit_data *tad)
2388 {
2389 	klwp_t *clwp = ttolwp(curthread);
2390 	int i;
2391 	int gidsetsize;
2392 	uintptr_t gidset;
2393 	gid_t *gidlist;
2394 
2395 	struct a {
2396 		long	gidsetsize;
2397 		long	gidset;
2398 	} *uap = (struct a *)clwp->lwp_ap;
2399 
2400 	gidsetsize = (uint_t)uap->gidsetsize;
2401 	gidset = (uintptr_t)uap->gidset;
2402 
2403 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2404 		return;
2405 	if (gidsetsize != 0) {
2406 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2407 		    KM_SLEEP);
2408 		if (copyin((caddr_t)gidset, gidlist,
2409 		    gidsetsize * sizeof (gid_t)) == 0)
2410 			for (i = 0; i < gidsetsize; i++)
2411 				au_uwrite(au_to_arg32(1, "setgroups",
2412 				    (uint32_t)gidlist[i]));
2413 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2414 	} else
2415 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2416 
2417 }	/* AUS_SETGROUPS */
2418 
2419 
2420 
2421 
2422 
2423 /*ARGSUSED*/
2424 static void
2425 aus_seteuid(struct t_audit_data *tad)
2426 {
2427 	klwp_t *clwp = ttolwp(curthread);
2428 	uint32_t uid;
2429 
2430 	struct a {
2431 		long	uid;
2432 	} *uap = (struct a *)clwp->lwp_ap;
2433 
2434 	uid = (uint32_t)uap->uid;
2435 
2436 	au_uwrite(au_to_arg32(1, "euid", uid));
2437 
2438 }	/* AUS_SETEUID */
2439 
2440 /*ARGSUSED*/
2441 static void
2442 aus_putmsg(struct t_audit_data *tad)
2443 {
2444 	klwp_t *clwp = ttolwp(curthread);
2445 	uint32_t fd, pri;
2446 	struct file *fp;
2447 	struct f_audit_data *fad;
2448 
2449 	struct a {
2450 		long	fdes;
2451 		long	ctl;		/* struct strbuf * */
2452 		long	data;		/* struct strbuf * */
2453 		long	pri;
2454 	} *uap = (struct a *)clwp->lwp_ap;
2455 
2456 	fd  = (uint32_t)uap->fdes;
2457 	pri = (uint32_t)uap->pri;
2458 
2459 	au_uwrite(au_to_arg32(1, "fd", fd));
2460 
2461 	if ((fp = getf(fd)) != NULL) {
2462 		fad = F2A(fp);
2463 
2464 		fad->fad_flags |= FAD_WRITE;
2465 
2466 		/* add path name to audit record */
2467 		if (fad->fad_aupath != NULL) {
2468 			au_uwrite(au_to_path(fad->fad_aupath));
2469 		}
2470 		audit_attributes(fp->f_vnode);
2471 
2472 		releasef(fd);
2473 	}
2474 
2475 	au_uwrite(au_to_arg32(4, "pri", pri));
2476 }
2477 
2478 /*ARGSUSED*/
2479 static void
2480 aus_putpmsg(struct t_audit_data *tad)
2481 {
2482 	klwp_t *clwp = ttolwp(curthread);
2483 	uint32_t fd, pri, flags;
2484 	struct file *fp;
2485 	struct f_audit_data *fad;
2486 
2487 	struct a {
2488 		long	fdes;
2489 		long	ctl;		/* struct strbuf * */
2490 		long	data;		/* struct strbuf * */
2491 		long	pri;
2492 		long	flags;
2493 	} *uap = (struct a *)clwp->lwp_ap;
2494 
2495 	fd = (uint32_t)uap->fdes;
2496 	pri  = (uint32_t)uap->pri;
2497 	flags  = (uint32_t)uap->flags;
2498 
2499 	au_uwrite(au_to_arg32(1, "fd", fd));
2500 
2501 	if ((fp = getf(fd)) != NULL) {
2502 		fad = F2A(fp);
2503 
2504 		fad->fad_flags |= FAD_WRITE;
2505 
2506 		/* add path name to audit record */
2507 		if (fad->fad_aupath != NULL) {
2508 			au_uwrite(au_to_path(fad->fad_aupath));
2509 		}
2510 		audit_attributes(fp->f_vnode);
2511 
2512 		releasef(fd);
2513 	}
2514 
2515 
2516 	au_uwrite(au_to_arg32(4, "pri", pri));
2517 	au_uwrite(au_to_arg32(5, "flags", flags));
2518 }
2519 
2520 /*ARGSUSED*/
2521 static void
2522 aus_getmsg(struct t_audit_data *tad)
2523 {
2524 	klwp_t *clwp = ttolwp(curthread);
2525 	uint32_t fd, pri;
2526 	struct file *fp;
2527 	struct f_audit_data *fad;
2528 
2529 	struct a {
2530 		long	fdes;
2531 		long	ctl;		/* struct strbuf * */
2532 		long	data;		/* struct strbuf * */
2533 		long	pri;
2534 	} *uap = (struct a *)clwp->lwp_ap;
2535 
2536 	fd  = (uint32_t)uap->fdes;
2537 	pri = (uint32_t)uap->pri;
2538 
2539 	au_uwrite(au_to_arg32(1, "fd", fd));
2540 
2541 	if ((fp = getf(fd)) != NULL) {
2542 		fad = F2A(fp);
2543 
2544 		/*
2545 		 * read operation on this object
2546 		 */
2547 		fad->fad_flags |= FAD_READ;
2548 
2549 		/* add path name to audit record */
2550 		if (fad->fad_aupath != NULL) {
2551 			au_uwrite(au_to_path(fad->fad_aupath));
2552 		}
2553 		audit_attributes(fp->f_vnode);
2554 
2555 		releasef(fd);
2556 	}
2557 
2558 	au_uwrite(au_to_arg32(4, "pri", pri));
2559 }
2560 
2561 /*ARGSUSED*/
2562 static void
2563 aus_getpmsg(struct t_audit_data *tad)
2564 {
2565 	klwp_t *clwp = ttolwp(curthread);
2566 	uint32_t fd;
2567 	struct file *fp;
2568 	struct f_audit_data *fad;
2569 
2570 	struct a {
2571 		long	fdes;
2572 		long	ctl;		/* struct strbuf * */
2573 		long	data;		/* struct strbuf * */
2574 		long	pri;
2575 		long	flags;
2576 	} *uap = (struct a *)clwp->lwp_ap;
2577 
2578 	fd = (uint32_t)uap->fdes;
2579 
2580 	au_uwrite(au_to_arg32(1, "fd", fd));
2581 
2582 	if ((fp = getf(fd)) != NULL) {
2583 		fad = F2A(fp);
2584 
2585 		/*
2586 		 * read operation on this object
2587 		 */
2588 		fad->fad_flags |= FAD_READ;
2589 
2590 		/* add path name to audit record */
2591 		if (fad->fad_aupath != NULL) {
2592 			au_uwrite(au_to_path(fad->fad_aupath));
2593 		}
2594 		audit_attributes(fp->f_vnode);
2595 
2596 		releasef(fd);
2597 	}
2598 }
2599 
2600 static au_event_t
2601 aui_auditsys(au_event_t e)
2602 {
2603 	klwp_t *clwp = ttolwp(curthread);
2604 	uint32_t code;
2605 
2606 	struct a {
2607 		long	code;
2608 		long	a1;
2609 		long	a2;
2610 		long	a3;
2611 		long	a4;
2612 		long	a5;
2613 		long	a6;
2614 		long	a7;
2615 	} *uap = (struct a *)clwp->lwp_ap;
2616 
2617 	code = (uint32_t)uap->code;
2618 
2619 	switch (code) {
2620 
2621 	case BSM_GETAUID:
2622 		e = AUE_GETAUID;
2623 		break;
2624 	case BSM_SETAUID:
2625 		e = AUE_SETAUID;
2626 		break;
2627 	case BSM_GETAUDIT:
2628 		e = AUE_GETAUDIT;
2629 		break;
2630 	case BSM_GETAUDIT_ADDR:
2631 		e = AUE_GETAUDIT_ADDR;
2632 		break;
2633 	case BSM_SETAUDIT:
2634 		e = AUE_SETAUDIT;
2635 		break;
2636 	case BSM_SETAUDIT_ADDR:
2637 		e = AUE_SETAUDIT_ADDR;
2638 		break;
2639 	case BSM_AUDIT:
2640 		e = AUE_AUDIT;
2641 		break;
2642 	case BSM_GETPORTAUDIT:
2643 		e = AUE_GETPORTAUDIT;
2644 		break;
2645 	case BSM_AUDITON:
2646 	case BSM_AUDITCTL:
2647 
2648 		switch ((uint_t)uap->a1) {
2649 
2650 		case A_GETPOLICY:
2651 			e = AUE_AUDITON_GPOLICY;
2652 			break;
2653 		case A_SETPOLICY:
2654 			e = AUE_AUDITON_SPOLICY;
2655 			break;
2656 		case A_GETKMASK:
2657 			e = AUE_AUDITON_GETKMASK;
2658 			break;
2659 		case A_SETKMASK:
2660 			e = AUE_AUDITON_SETKMASK;
2661 			break;
2662 		case A_GETQCTRL:
2663 			e = AUE_AUDITON_GQCTRL;
2664 			break;
2665 		case A_SETQCTRL:
2666 			e = AUE_AUDITON_SQCTRL;
2667 			break;
2668 		case A_GETCWD:
2669 			e = AUE_AUDITON_GETCWD;
2670 			break;
2671 		case A_GETCAR:
2672 			e = AUE_AUDITON_GETCAR;
2673 			break;
2674 		case A_GETSTAT:
2675 			e = AUE_AUDITON_GETSTAT;
2676 			break;
2677 		case A_SETSTAT:
2678 			e = AUE_AUDITON_SETSTAT;
2679 			break;
2680 		case A_SETUMASK:
2681 			e = AUE_AUDITON_SETUMASK;
2682 			break;
2683 		case A_SETSMASK:
2684 			e = AUE_AUDITON_SETSMASK;
2685 			break;
2686 		case A_GETCOND:
2687 			e = AUE_AUDITON_GETCOND;
2688 			break;
2689 		case A_SETCOND:
2690 			e = AUE_AUDITON_SETCOND;
2691 			break;
2692 		case A_GETCLASS:
2693 			e = AUE_AUDITON_GETCLASS;
2694 			break;
2695 		case A_SETCLASS:
2696 			e = AUE_AUDITON_SETCLASS;
2697 			break;
2698 		default:
2699 			e = AUE_NULL;
2700 			break;
2701 		}
2702 		break;
2703 	default:
2704 		e = AUE_NULL;
2705 		break;
2706 	}
2707 
2708 	return (e);
2709 
2710 
2711 
2712 
2713 }	/* AUI_AUDITSYS */
2714 
2715 
2716 
2717 
2718 
2719 
2720 
2721 static void
2722 aus_auditsys(struct t_audit_data *tad)
2723 {
2724 	klwp_t *clwp = ttolwp(curthread);
2725 	uintptr_t a1, a2;
2726 	STRUCT_DECL(auditinfo, ainfo);
2727 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2728 	au_evclass_map_t event;
2729 	au_mask_t mask;
2730 	int auditstate, policy;
2731 	au_id_t auid;
2732 
2733 
2734 	struct a {
2735 		long	code;
2736 		long	a1;
2737 		long	a2;
2738 		long	a3;
2739 		long	a4;
2740 		long	a5;
2741 		long	a6;
2742 		long	a7;
2743 	} *uap = (struct a *)clwp->lwp_ap;
2744 
2745 	a1   = (uintptr_t)uap->a1;
2746 	a2   = (uintptr_t)uap->a2;
2747 
2748 	switch (tad->tad_event) {
2749 	case AUE_SETAUID:
2750 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2751 				return;
2752 		au_uwrite(au_to_arg32(2, "setauid", auid));
2753 		break;
2754 	case AUE_SETAUDIT:
2755 		STRUCT_INIT(ainfo, get_udatamodel());
2756 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2757 		    STRUCT_SIZE(ainfo))) {
2758 				return;
2759 		}
2760 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2761 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2762 #ifdef _LP64
2763 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2764 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2765 #else
2766 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2767 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2768 #endif
2769 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2770 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2771 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2772 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2773 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2774 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2775 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2776 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2777 		break;
2778 	case AUE_SETAUDIT_ADDR:
2779 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2780 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2781 		    STRUCT_SIZE(ainfo_addr))) {
2782 				return;
2783 		}
2784 		au_uwrite(au_to_arg32((char)1, "auid",
2785 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2786 #ifdef _LP64
2787 		au_uwrite(au_to_arg64((char)1, "port",
2788 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2789 #else
2790 		au_uwrite(au_to_arg32((char)1, "port",
2791 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2792 #endif
2793 		au_uwrite(au_to_arg32((char)1, "type",
2794 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2795 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2796 		    AU_IPv4) {
2797 			au_uwrite(au_to_in_addr(
2798 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2799 			    ai_termid.at_addr)));
2800 		} else {
2801 			au_uwrite(au_to_in_addr_ex(
2802 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
2803 			    ai_termid.at_addr)));
2804 		}
2805 		au_uwrite(au_to_arg32((char)1, "as_success",
2806 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2807 		au_uwrite(au_to_arg32((char)1, "as_failure",
2808 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2809 		au_uwrite(au_to_arg32((char)1, "asid",
2810 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2811 		break;
2812 	case AUE_AUDITON_SETKMASK:
2813 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2814 				return;
2815 		au_uwrite(au_to_arg32(
2816 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
2817 		au_uwrite(au_to_arg32(
2818 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2819 		break;
2820 	case AUE_AUDITON_SPOLICY:
2821 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2822 			return;
2823 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2824 		break;
2825 	case AUE_AUDITON_SQCTRL: {
2826 		STRUCT_DECL(au_qctrl, qctrl);
2827 		model_t model;
2828 
2829 		model = get_udatamodel();
2830 		STRUCT_INIT(qctrl, model);
2831 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
2832 				return;
2833 		if (model == DATAMODEL_ILP32) {
2834 			au_uwrite(au_to_arg32(
2835 			    3, "setqctrl:aq_hiwater",
2836 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
2837 			au_uwrite(au_to_arg32(
2838 			    3, "setqctrl:aq_lowater",
2839 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
2840 			au_uwrite(au_to_arg32(
2841 			    3, "setqctrl:aq_bufsz",
2842 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
2843 			au_uwrite(au_to_arg32(
2844 			    3, "setqctrl:aq_delay",
2845 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
2846 		} else {
2847 			au_uwrite(au_to_arg64(
2848 			    3, "setqctrl:aq_hiwater",
2849 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
2850 			au_uwrite(au_to_arg64(
2851 			    3, "setqctrl:aq_lowater",
2852 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
2853 			au_uwrite(au_to_arg64(
2854 			    3, "setqctrl:aq_bufsz",
2855 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
2856 			au_uwrite(au_to_arg64(
2857 			    3, "setqctrl:aq_delay",
2858 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
2859 		}
2860 		break;
2861 	}
2862 	case AUE_AUDITON_SETUMASK:
2863 		STRUCT_INIT(ainfo, get_udatamodel());
2864 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2865 		    STRUCT_SIZE(ainfo))) {
2866 			return;
2867 		}
2868 		au_uwrite(au_to_arg32(3, "setumask:as_success",
2869 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2870 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
2871 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2872 		break;
2873 	case AUE_AUDITON_SETSMASK:
2874 		STRUCT_INIT(ainfo, get_udatamodel());
2875 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
2876 		    STRUCT_SIZE(ainfo))) {
2877 			return;
2878 		}
2879 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
2880 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2881 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
2882 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2883 		break;
2884 	case AUE_AUDITON_SETCOND:
2885 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
2886 			return;
2887 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
2888 		break;
2889 	case AUE_AUDITON_SETCLASS:
2890 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
2891 			return;
2892 		au_uwrite(au_to_arg32(
2893 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
2894 		au_uwrite(au_to_arg32(
2895 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
2896 		break;
2897 	case AUE_GETAUID:
2898 	case AUE_GETAUDIT:
2899 	case AUE_GETAUDIT_ADDR:
2900 	case AUE_AUDIT:
2901 	case AUE_GETPORTAUDIT:
2902 	case AUE_AUDITON_GPOLICY:
2903 	case AUE_AUDITON_GQCTRL:
2904 	case AUE_AUDITON_GETKMASK:
2905 	case AUE_AUDITON_GETCWD:
2906 	case AUE_AUDITON_GETCAR:
2907 	case AUE_AUDITON_GETSTAT:
2908 	case AUE_AUDITON_SETSTAT:
2909 	case AUE_AUDITON_GETCOND:
2910 	case AUE_AUDITON_GETCLASS:
2911 		break;
2912 	default:
2913 		break;
2914 	}
2915 
2916 }	/* AUS_AUDITSYS */
2917 
2918 
2919 /* only audit privileged operations for systeminfo(2) system call */
2920 static au_event_t
2921 aui_sysinfo(au_event_t e)
2922 {
2923 	klwp_t *clwp = ttolwp(curthread);
2924 	uint32_t command;
2925 
2926 	struct a {
2927 		long	command;
2928 		long	buf;		/* char * */
2929 		long	count;
2930 	} *uap = (struct a *)clwp->lwp_ap;
2931 
2932 	command = (uint32_t)uap->command;
2933 
2934 	switch (command) {
2935 	case SI_SET_HOSTNAME:
2936 	case SI_SET_SRPC_DOMAIN:
2937 		e = (au_event_t)AUE_SYSINFO;
2938 		break;
2939 	default:
2940 		e = (au_event_t)AUE_NULL;
2941 		break;
2942 	}
2943 	return (e);
2944 }
2945 
2946 /*ARGSUSED*/
2947 static void
2948 aus_sysinfo(struct t_audit_data *tad)
2949 {
2950 	klwp_t *clwp = ttolwp(curthread);
2951 	uint32_t command;
2952 	size_t len, maxlen;
2953 	char *name;
2954 	uintptr_t buf;
2955 
2956 	struct a {
2957 		long	command;
2958 		long	buf;		/* char * */
2959 		long	count;
2960 	} *uap = (struct a *)clwp->lwp_ap;
2961 
2962 	command = (uint32_t)uap->command;
2963 	buf = (uintptr_t)uap->buf;
2964 
2965 	au_uwrite(au_to_arg32(1, "cmd", command));
2966 
2967 	switch (command) {
2968 	case SI_SET_HOSTNAME:
2969 	{
2970 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
2971 			return;
2972 
2973 		maxlen = SYS_NMLN;
2974 		name = kmem_alloc(maxlen, KM_SLEEP);
2975 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
2976 			break;
2977 
2978 		/*
2979 		 * Must be non-NULL string and string
2980 		 * must be less than SYS_NMLN chars.
2981 		 */
2982 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
2983 			break;
2984 
2985 		au_uwrite(au_to_text(name));
2986 		break;
2987 	}
2988 
2989 	case SI_SET_SRPC_DOMAIN:
2990 	{
2991 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
2992 			return;
2993 
2994 		maxlen = SYS_NMLN;
2995 		name = kmem_alloc(maxlen, KM_SLEEP);
2996 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
2997 			break;
2998 
2999 		/*
3000 		 * If string passed in is longer than length
3001 		 * allowed for domain name, fail.
3002 		 */
3003 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3004 			break;
3005 
3006 		au_uwrite(au_to_text(name));
3007 		break;
3008 	}
3009 
3010 	default:
3011 		return;
3012 	}
3013 
3014 	kmem_free(name, maxlen);
3015 }
3016 
3017 static au_event_t
3018 aui_modctl(au_event_t e)
3019 {
3020 	klwp_t *clwp = ttolwp(curthread);
3021 	uint_t cmd;
3022 
3023 	struct a {
3024 		long	cmd;
3025 	} *uap = (struct a *)clwp->lwp_ap;
3026 
3027 	cmd = (uint_t)uap->cmd;
3028 
3029 	switch (cmd) {
3030 	case MODLOAD:
3031 		e = AUE_MODLOAD;
3032 		break;
3033 	case MODUNLOAD:
3034 		e = AUE_MODUNLOAD;
3035 		break;
3036 	case MODADDMAJBIND:
3037 		e = AUE_MODADDMAJ;
3038 		break;
3039 	case MODSETDEVPOLICY:
3040 		e = AUE_MODDEVPLCY;
3041 		break;
3042 	case MODALLOCPRIV:
3043 		e = AUE_MODADDPRIV;
3044 		break;
3045 	default:
3046 		e = AUE_NULL;
3047 		break;
3048 	}
3049 	return (e);
3050 }
3051 
3052 
3053 /*ARGSUSED*/
3054 static void
3055 aus_modctl(struct t_audit_data *tad)
3056 {
3057 	klwp_t *clwp = ttolwp(curthread);
3058 	void *a	= clwp->lwp_ap;
3059 	uint_t use_path;
3060 
3061 	switch (tad->tad_event) {
3062 	case AUE_MODLOAD: {
3063 		typedef struct {
3064 			long	cmd;
3065 			long	use_path;
3066 			long	filename;		/* char * */
3067 		} modloada_t;
3068 
3069 		char *filenamep;
3070 		uintptr_t fname;
3071 		extern char *default_path;
3072 
3073 		fname = (uintptr_t)((modloada_t *)a)->filename;
3074 		use_path = (uint_t)((modloada_t *)a)->use_path;
3075 
3076 			/* space to hold path */
3077 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3078 			/* get string */
3079 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3080 				/* free allocated path */
3081 			kmem_free(filenamep, MOD_MAXPATH);
3082 			return;
3083 		}
3084 			/* ensure it's null terminated */
3085 		filenamep[MOD_MAXPATH - 1] = 0;
3086 
3087 		if (use_path)
3088 			au_uwrite(au_to_text(default_path));
3089 		au_uwrite(au_to_text(filenamep));
3090 
3091 			/* release temporary memory */
3092 		kmem_free(filenamep, MOD_MAXPATH);
3093 		break;
3094 	}
3095 	case AUE_MODUNLOAD: {
3096 		typedef struct {
3097 			long	cmd;
3098 			long	id;
3099 		} modunloada_t;
3100 
3101 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3102 
3103 		au_uwrite(au_to_arg32(1, "id", id));
3104 		break;
3105 	}
3106 	case AUE_MODADDMAJ: {
3107 		STRUCT_DECL(modconfig, mc);
3108 		typedef struct {
3109 			long	cmd;
3110 			long	subcmd;
3111 			long	data;		/* int * */
3112 		} modconfiga_t;
3113 
3114 		STRUCT_DECL(aliases, alias);
3115 		caddr_t ap;
3116 		int i, num_aliases;
3117 		char *drvname, *mc_drvname;
3118 		char *name;
3119 		extern char *ddi_major_to_name(major_t);
3120 		model_t model;
3121 
3122 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3123 
3124 		model = get_udatamodel();
3125 		STRUCT_INIT(mc, model);
3126 			/* sanitize buffer */
3127 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3128 			/* get user arguments */
3129 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3130 		    STRUCT_SIZE(mc)) != 0)
3131 			return;
3132 
3133 		mc_drvname = STRUCT_FGET(mc, drvname);
3134 		if ((drvname = ddi_major_to_name(
3135 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3136 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3137 				/* safety */
3138 			if (mc_drvname[0] != '\0') {
3139 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3140 				au_uwrite(au_to_text(mc_drvname));
3141 			}
3142 				/* drvname != NULL from test above */
3143 			au_uwrite(au_to_text(drvname));
3144 			return;
3145 		}
3146 
3147 		if (mc_drvname[0] != '\0') {
3148 				/* safety */
3149 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3150 			au_uwrite(au_to_text(mc_drvname));
3151 		} else
3152 			au_uwrite(au_to_text("no drvname"));
3153 
3154 		num_aliases = STRUCT_FGET(mc, num_aliases);
3155 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3156 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3157 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3158 		STRUCT_INIT(alias, model);
3159 		for (i = 0; i < num_aliases; i++) {
3160 			bzero((caddr_t)STRUCT_BUF(alias),
3161 			    STRUCT_SIZE(alias));
3162 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3163 			    STRUCT_SIZE(alias)) != 0)
3164 				break;
3165 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3166 			    MAXMODCONFNAME, NULL) != 0) {
3167 				break;
3168 			}
3169 
3170 			au_uwrite(au_to_text(name));
3171 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3172 		}
3173 		kmem_free(name, MAXMODCONFNAME);
3174 		break;
3175 	}
3176 	default:
3177 		break;
3178 	}
3179 }
3180 
3181 
3182 /*ARGSUSED*/
3183 static void
3184 auf_accept(
3185 	struct t_audit_data *tad,
3186 	int	error,
3187 	rval_t	*rval)
3188 {
3189 	uint32_t scid;
3190 	uint32_t sy_flags;
3191 	int fd;
3192 	struct sonode *so;
3193 	char so_laddr[sizeof (struct sockaddr_in6)];
3194 	char so_faddr[sizeof (struct sockaddr_in6)];
3195 	int err;
3196 	int len;
3197 	short so_family, so_type;
3198 	int add_sock_token = 0;
3199 
3200 	/* need to determine type of executing binary */
3201 	scid = tad->tad_scid;
3202 #ifdef _SYSCALL32_IMPL
3203 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3204 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3205 	else
3206 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3207 #else
3208 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3209 #endif
3210 	if (sy_flags == SE_32RVAL1)
3211 		fd = rval->r_val1;
3212 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3213 		fd = rval->r_val1;
3214 	if (sy_flags == SE_64RVAL)
3215 		fd = (int)rval->r_vals;
3216 
3217 	if (error) {
3218 		/* can't trust socket contents. Just return */
3219 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3220 		return;
3221 	}
3222 
3223 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3224 		/*
3225 		 * not security relevant if doing a accept from non socket
3226 		 * so no extra tokens. Should probably turn off audit record
3227 		 * generation here.
3228 		 */
3229 		return;
3230 	}
3231 
3232 	so_family = so->so_family;
3233 	so_type   = so->so_type;
3234 
3235 	switch (so_family) {
3236 	case AF_INET:
3237 	case AF_INET6:
3238 		/*
3239 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3240 		 */
3241 		if (so->so_type == SOCK_STREAM) {
3242 
3243 			bzero((void *)so_laddr, sizeof (so_laddr));
3244 			bzero((void *)so_faddr, sizeof (so_faddr));
3245 
3246 			/*
3247 			 * no local address then need to get it from lower
3248 			 * levels. only put out record on first read ala
3249 			 * AUE_WRITE.
3250 			 */
3251 			if (so->so_state & SS_ISBOUND) {
3252 				/* only done once on a connection */
3253 				(void) SOP_GETSOCKNAME(so);
3254 				(void) SOP_GETPEERNAME(so);
3255 
3256 				/* get local and foreign addresses */
3257 				mutex_enter(&so->so_lock);
3258 				len = min(so->so_laddr_len, sizeof (so_laddr));
3259 				bcopy(so->so_laddr_sa, so_laddr, len);
3260 				len = min(so->so_faddr_len, sizeof (so_faddr));
3261 				bcopy(so->so_faddr_sa, so_faddr, len);
3262 				mutex_exit(&so->so_lock);
3263 			}
3264 
3265 			add_sock_token = 1;
3266 		}
3267 		break;
3268 
3269 	default:
3270 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3271 		break;
3272 	}
3273 
3274 	releasef(fd);
3275 
3276 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3277 
3278 	if (add_sock_token == 0) {
3279 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3280 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3281 		return;
3282 	}
3283 
3284 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3285 
3286 }
3287 
3288 /*ARGSUSED*/
3289 static void
3290 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3291 {
3292 	struct a {
3293 		long	fd;
3294 		long	addr;
3295 		long	len;
3296 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3297 
3298 	struct sonode *so;
3299 	char so_laddr[sizeof (struct sockaddr_in6)];
3300 	char so_faddr[sizeof (struct sockaddr_in6)];
3301 	int err, fd;
3302 	int len;
3303 	short so_family, so_type;
3304 	int add_sock_token = 0;
3305 
3306 	fd = (int)uap->fd;
3307 
3308 	/*
3309 	 * bind failed, then nothing extra to add to audit record.
3310 	 */
3311 	if (error) {
3312 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3313 		/* XXX may want to add failed address some day */
3314 		return;
3315 	}
3316 
3317 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3318 		/*
3319 		 * not security relevant if doing a bind from non socket
3320 		 * so no extra tokens. Should probably turn off audit record
3321 		 * generation here.
3322 		 */
3323 		return;
3324 	}
3325 
3326 	so_family = so->so_family;
3327 	so_type   = so->so_type;
3328 
3329 	switch (so_family) {
3330 	case AF_INET:
3331 	case AF_INET6:
3332 
3333 		bzero(so_faddr, sizeof (so_faddr));
3334 
3335 		if (so->so_state & SS_ISBOUND) {
3336 			/* only done once on a connection */
3337 			(void) SOP_GETSOCKNAME(so);
3338 		}
3339 
3340 		mutex_enter(&so->so_lock);
3341 		len = min(so->so_laddr_len, sizeof (so_laddr));
3342 		bcopy(so->so_laddr_sa, so_laddr, len);
3343 		mutex_exit(&so->so_lock);
3344 
3345 		add_sock_token = 1;
3346 
3347 		break;
3348 
3349 	case AF_UNIX:
3350 		/* token added by lookup */
3351 		break;
3352 	default:
3353 		/* AF_ROUTE, AF_KEY do not support accept */
3354 		break;
3355 	}
3356 
3357 	releasef(fd);
3358 
3359 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3360 
3361 	if (add_sock_token == 0) {
3362 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3363 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3364 		return;
3365 	}
3366 
3367 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3368 
3369 }
3370 
3371 /*ARGSUSED*/
3372 static void
3373 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3374 {
3375 	struct a {
3376 		long	fd;
3377 		long	addr;
3378 		long	len;
3379 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3380 
3381 	struct sonode *so;
3382 	char so_laddr[sizeof (struct sockaddr_in6)];
3383 	char so_faddr[sizeof (struct sockaddr_in6)];
3384 	int err, fd;
3385 	int len;
3386 	short so_family, so_type;
3387 	int add_sock_token = 0;
3388 
3389 	fd = (int)uap->fd;
3390 
3391 
3392 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3393 		/*
3394 		 * not security relevant if doing a connect from non socket
3395 		 * so no extra tokens. Should probably turn off audit record
3396 		 * generation here.
3397 		 */
3398 		return;
3399 	}
3400 
3401 	so_family = so->so_family;
3402 	so_type   = so->so_type;
3403 
3404 	switch (so_family) {
3405 	case AF_INET:
3406 	case AF_INET6:
3407 		/*
3408 		 * no local address then need to get it from lower
3409 		 * levels.
3410 		 */
3411 		if (so->so_state & SS_ISBOUND) {
3412 			/* only done once on a connection */
3413 			(void) SOP_GETSOCKNAME(so);
3414 			(void) SOP_GETPEERNAME(so);
3415 		}
3416 
3417 		bzero(so_laddr, sizeof (so_laddr));
3418 		bzero(so_faddr, sizeof (so_faddr));
3419 
3420 		mutex_enter(&so->so_lock);
3421 		len = min(so->so_laddr_len, sizeof (so_laddr));
3422 		bcopy(so->so_laddr_sa, so_laddr, len);
3423 		if (error) {
3424 			mutex_exit(&so->so_lock);
3425 			if (uap->addr == NULL)
3426 				break;
3427 			if (uap->len <= 0)
3428 				break;
3429 			len = min(uap->len, sizeof (so_faddr));
3430 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3431 				break;
3432 #ifdef NOTYET
3433 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3434 #endif
3435 		} else {
3436 			/* sanity check on length */
3437 			len = min(so->so_faddr_len, sizeof (so_faddr));
3438 			bcopy(so->so_faddr_sa, so_faddr, len);
3439 			mutex_exit(&so->so_lock);
3440 		}
3441 
3442 		add_sock_token = 1;
3443 
3444 		break;
3445 
3446 	case AF_UNIX:
3447 		/* does a lookup on name */
3448 		break;
3449 
3450 	default:
3451 		/* AF_ROUTE, AF_KEY do not support accept */
3452 		break;
3453 	}
3454 
3455 	releasef(fd);
3456 
3457 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3458 
3459 	if (add_sock_token == 0) {
3460 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3461 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3462 		return;
3463 	}
3464 
3465 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3466 
3467 }
3468 
3469 /*ARGSUSED*/
3470 static void
3471 aus_shutdown(struct t_audit_data *tad)
3472 {
3473 	struct a {
3474 		long	fd;
3475 		long	how;
3476 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3477 
3478 	struct sonode *so;
3479 	char so_laddr[sizeof (struct sockaddr_in6)];
3480 	char so_faddr[sizeof (struct sockaddr_in6)];
3481 	int err, fd;
3482 	int len;
3483 	short so_family, so_type;
3484 	int add_sock_token = 0;
3485 	file_t *fp;				/* unix domain sockets */
3486 	struct f_audit_data *fad;		/* unix domain sockets */
3487 
3488 	fd = (int)uap->fd;
3489 
3490 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3491 		/*
3492 		 * not security relevant if doing a shutdown using non socket
3493 		 * so no extra tokens. Should probably turn off audit record
3494 		 * generation here.
3495 		 */
3496 		return;
3497 	}
3498 
3499 	so_family = so->so_family;
3500 	so_type   = so->so_type;
3501 
3502 	switch (so_family) {
3503 	case AF_INET:
3504 	case AF_INET6:
3505 
3506 		bzero(so_laddr, sizeof (so_laddr));
3507 		bzero(so_faddr, sizeof (so_faddr));
3508 
3509 		if (so->so_state & SS_ISBOUND) {
3510 			/*
3511 			 * no local address then need to get it from lower
3512 			 * levels.
3513 			 */
3514 			if (so->so_laddr_len == 0)
3515 				(void) SOP_GETSOCKNAME(so);
3516 			if (so->so_faddr_len == 0)
3517 				(void) SOP_GETPEERNAME(so);
3518 		}
3519 
3520 		mutex_enter(&so->so_lock);
3521 		len = min(so->so_laddr_len, sizeof (so_laddr));
3522 		bcopy(so->so_laddr_sa, so_laddr, len);
3523 		len = min(so->so_faddr_len, sizeof (so_faddr));
3524 		bcopy(so->so_faddr_sa, so_faddr, len);
3525 		mutex_exit(&so->so_lock);
3526 
3527 		add_sock_token = 1;
3528 
3529 		break;
3530 
3531 	case AF_UNIX:
3532 
3533 		/* get path from file struct here */
3534 		fad = F2A(fp);
3535 		ASSERT(fad);
3536 
3537 		if (fad->fad_aupath != NULL) {
3538 			au_uwrite(au_to_path(fad->fad_aupath));
3539 		} else {
3540 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3541 		}
3542 
3543 		audit_attributes(fp->f_vnode);
3544 
3545 		break;
3546 
3547 	default:
3548 		/*
3549 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3550 		 * added.
3551 		 */
3552 		break;
3553 	}
3554 
3555 	releasef(fd);
3556 
3557 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3558 
3559 	if (add_sock_token == 0) {
3560 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3561 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3562 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3563 		return;
3564 	}
3565 
3566 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3567 
3568 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3569 
3570 }
3571 
3572 /*ARGSUSED*/
3573 static void
3574 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3575 {
3576 	struct a {
3577 		long	fd;
3578 		long	level;
3579 		long	optname;
3580 		long	*optval;
3581 		long	optlen;
3582 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3583 
3584 	struct sonode	*so;
3585 	char so_laddr[sizeof (struct sockaddr_in6)];
3586 	char so_faddr[sizeof (struct sockaddr_in6)];
3587 	char		val[AU_BUFSIZE];
3588 	int		err, fd;
3589 	int		len;
3590 	short so_family, so_type;
3591 	int		add_sock_token = 0;
3592 	file_t *fp;				/* unix domain sockets */
3593 	struct f_audit_data *fad;		/* unix domain sockets */
3594 
3595 	fd = (int)uap->fd;
3596 
3597 	if (error) {
3598 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3599 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3600 		/* XXX may want to include other arguments */
3601 		return;
3602 	}
3603 
3604 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3605 		/*
3606 		 * not security relevant if doing a setsockopt from non socket
3607 		 * so no extra tokens. Should probably turn off audit record
3608 		 * generation here.
3609 		 */
3610 		return;
3611 	}
3612 
3613 	so_family = so->so_family;
3614 	so_type   = so->so_type;
3615 
3616 	switch (so_family) {
3617 	case AF_INET:
3618 	case AF_INET6:
3619 
3620 		bzero((void *)so_laddr, sizeof (so_laddr));
3621 		bzero((void *)so_faddr, sizeof (so_faddr));
3622 
3623 		if (so->so_state & SS_ISBOUND) {
3624 			if (so->so_laddr_len == 0)
3625 				(void) SOP_GETSOCKNAME(so);
3626 			if (so->so_faddr_len == 0)
3627 				(void) SOP_GETPEERNAME(so);
3628 		}
3629 
3630 		/* get local and foreign addresses */
3631 		mutex_enter(&so->so_lock);
3632 		len = min(so->so_laddr_len, sizeof (so_laddr));
3633 		bcopy(so->so_laddr_sa, so_laddr, len);
3634 		len = min(so->so_faddr_len, sizeof (so_faddr));
3635 		bcopy(so->so_faddr_sa, so_faddr, len);
3636 		mutex_exit(&so->so_lock);
3637 
3638 		add_sock_token = 1;
3639 
3640 		break;
3641 
3642 	case AF_UNIX:
3643 
3644 		/* get path from file struct here */
3645 		fad = F2A(fp);
3646 		ASSERT(fad);
3647 
3648 		if (fad->fad_aupath != NULL) {
3649 			au_uwrite(au_to_path(fad->fad_aupath));
3650 		} else {
3651 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3652 		}
3653 
3654 		audit_attributes(fp->f_vnode);
3655 
3656 		break;
3657 
3658 	default:
3659 		/*
3660 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3661 		 * added.
3662 		 */
3663 		break;
3664 	}
3665 
3666 	releasef(fd);
3667 
3668 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3669 
3670 	if (add_sock_token == 0) {
3671 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3672 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3673 	}
3674 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3675 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3676 
3677 	bzero(val, sizeof (val));
3678 	len = min(uap->optlen, sizeof (val));
3679 	if ((len > 0) &&
3680 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3681 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3682 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3683 	}
3684 
3685 	if (add_sock_token == 0)
3686 		return;
3687 
3688 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3689 
3690 }
3691 
3692 /*ARGSUSED*/
3693 static void
3694 aus_sockconfig(tad)
3695 	struct t_audit_data *tad;
3696 {
3697 	struct a {
3698 		long	domain;
3699 		long	type;
3700 		long	protocol;
3701 		long	devpath;
3702 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3703 
3704 	char	*kdevpath;
3705 	int	kdevpathlen = MAXPATHLEN + 1;
3706 	size_t	size;
3707 
3708 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3709 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3710 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3711 
3712 	if (uap->devpath == 0) {
3713 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3714 	} else {
3715 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3716 
3717 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3718 			&size)) {
3719 			kmem_free(kdevpath, kdevpathlen);
3720 			return;
3721 		}
3722 
3723 		if (size > MAXPATHLEN) {
3724 			kmem_free(kdevpath, kdevpathlen);
3725 			return;
3726 		}
3727 
3728 		au_uwrite(au_to_text(kdevpath));
3729 		kmem_free(kdevpath, kdevpathlen);
3730 	}
3731 }
3732 
3733 /*
3734  * only audit recvmsg when the system call represents the creation of a new
3735  * circuit. This effectively occurs for all UDP packets and may occur for
3736  * special TCP situations where the local host has not set a local address
3737  * in the socket structure.
3738  */
3739 /*ARGSUSED*/
3740 static void
3741 auf_recvmsg(
3742 	struct t_audit_data *tad,
3743 	int error,
3744 	rval_t *rvp)
3745 {
3746 	struct a {
3747 		long	fd;
3748 		long	msg;	/* struct msghdr */
3749 		long	flags;
3750 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3751 
3752 	struct sonode	*so;
3753 	STRUCT_DECL(msghdr, msg);
3754 	caddr_t msg_name;
3755 	socklen_t msg_namelen;
3756 	int fd;
3757 	int err;
3758 	char so_laddr[sizeof (struct sockaddr_in6)];
3759 	char so_faddr[sizeof (struct sockaddr_in6)];
3760 	int len;
3761 	file_t *fp;				/* unix domain sockets */
3762 	struct f_audit_data *fad;		/* unix domain sockets */
3763 	short so_family, so_type;
3764 	int add_sock_token = 0;
3765 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3766 
3767 	fd = (int)uap->fd;
3768 
3769 	/* bail if an error */
3770 	if (error) {
3771 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3772 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3773 		return;
3774 	}
3775 
3776 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3777 		/*
3778 		 * not security relevant if doing a recvmsg from non socket
3779 		 * so no extra tokens. Should probably turn off audit record
3780 		 * generation here.
3781 		 */
3782 		return;
3783 	}
3784 
3785 	so_family = so->so_family;
3786 	so_type   = so->so_type;
3787 
3788 	/*
3789 	 * only putout SOCKET_EX token if INET/INET6 family.
3790 	 * XXX - what do we do about other families?
3791 	 */
3792 
3793 	switch (so_family) {
3794 	case AF_INET:
3795 	case AF_INET6:
3796 
3797 		/*
3798 		 * if datagram type socket, then just use what is in
3799 		 * socket structure for local address.
3800 		 * XXX - what do we do for other types?
3801 		 */
3802 		if ((so->so_type == SOCK_DGRAM) ||
3803 		    (so->so_type == SOCK_RAW)) {
3804 			add_sock_token = 1;
3805 
3806 			bzero((void *)so_laddr, sizeof (so_laddr));
3807 			bzero((void *)so_faddr, sizeof (so_faddr));
3808 
3809 			/* get local address */
3810 			mutex_enter(&so->so_lock);
3811 			len = min(so->so_laddr_len, sizeof (so_laddr));
3812 			bcopy(so->so_laddr_sa, so_laddr, len);
3813 			mutex_exit(&so->so_lock);
3814 
3815 			/* get peer address */
3816 			STRUCT_INIT(msg, get_udatamodel());
3817 
3818 			if (copyin((caddr_t)(uap->msg),
3819 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3820 				break;
3821 			}
3822 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3823 			if (msg_name == NULL) {
3824 				break;
3825 			}
3826 
3827 			/* length is value from recvmsg - sanity check */
3828 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3829 			if (msg_namelen == 0) {
3830 				break;
3831 			}
3832 			if (copyin(msg_name, so_faddr,
3833 			    sizeof (so_faddr)) != 0) {
3834 				break;
3835 			}
3836 
3837 		} else if (so->so_type == SOCK_STREAM) {
3838 
3839 			/* get path from file struct here */
3840 			fad = F2A(fp);
3841 			ASSERT(fad);
3842 
3843 			/*
3844 			 * already processed this file for read attempt
3845 			 */
3846 			if (fad->fad_flags & FAD_READ) {
3847 				/* don't want to audit every recvmsg attempt */
3848 				tad->tad_flag = 0;
3849 				/* free any residual audit data */
3850 				au_close(kctx, &(u_ad), 0, 0, 0);
3851 				releasef(fd);
3852 				return;
3853 			}
3854 			/*
3855 			 * mark things so we know what happened and don't
3856 			 * repeat things
3857 			 */
3858 			fad->fad_flags |= FAD_READ;
3859 
3860 			bzero((void *)so_laddr, sizeof (so_laddr));
3861 			bzero((void *)so_faddr, sizeof (so_faddr));
3862 
3863 			if (so->so_state & SS_ISBOUND) {
3864 
3865 				if (so->so_laddr_len == 0)
3866 					(void) SOP_GETSOCKNAME(so);
3867 				if (so->so_faddr_len == 0)
3868 					(void) SOP_GETPEERNAME(so);
3869 
3870 				/* get local and foreign addresses */
3871 				mutex_enter(&so->so_lock);
3872 				len = min(so->so_laddr_len, sizeof (so_laddr));
3873 				bcopy(so->so_laddr_sa, so_laddr, len);
3874 				len = min(so->so_faddr_len, sizeof (so_faddr));
3875 				bcopy(so->so_faddr_sa, so_faddr, len);
3876 				mutex_exit(&so->so_lock);
3877 			}
3878 
3879 			add_sock_token = 1;
3880 		}
3881 
3882 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
3883 
3884 		break;
3885 
3886 	case AF_UNIX:
3887 		/*
3888 		 * first check if this is first time through. Too much
3889 		 * duplicate code to put this in an aui_ routine.
3890 		 */
3891 
3892 		/* get path from file struct here */
3893 		fad = F2A(fp);
3894 		ASSERT(fad);
3895 
3896 		/*
3897 		 * already processed this file for read attempt
3898 		 */
3899 		if (fad->fad_flags & FAD_READ) {
3900 			releasef(fd);
3901 			/* don't want to audit every recvmsg attempt */
3902 			tad->tad_flag = 0;
3903 			/* free any residual audit data */
3904 			au_close(kctx, &(u_ad), 0, 0, 0);
3905 			return;
3906 		}
3907 		/*
3908 		 * mark things so we know what happened and don't
3909 		 * repeat things
3910 		 */
3911 		fad->fad_flags |= FAD_READ;
3912 
3913 		if (fad->fad_aupath != NULL) {
3914 			au_uwrite(au_to_path(fad->fad_aupath));
3915 		} else {
3916 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3917 		}
3918 
3919 		audit_attributes(fp->f_vnode);
3920 
3921 		releasef(fd);
3922 
3923 		return;
3924 
3925 	default:
3926 		break;
3927 
3928 	}
3929 
3930 	releasef(fd);
3931 
3932 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3933 
3934 	if (add_sock_token == 0) {
3935 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
3936 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
3937 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3938 		return;
3939 	}
3940 
3941 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3942 
3943 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3944 
3945 }
3946 
3947 /*ARGSUSED*/
3948 static void
3949 auf_recvfrom(
3950 	struct t_audit_data *tad,
3951 	int error,
3952 	rval_t *rvp)
3953 {
3954 
3955 	struct a {
3956 		long	fd;
3957 		long	msg;	/* char */
3958 		long	len;
3959 		long	flags;
3960 		long	from;	/* struct sockaddr */
3961 		long	fromlen;
3962 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3963 
3964 	socklen_t	fromlen;
3965 	struct sonode	*so;
3966 	char so_laddr[sizeof (struct sockaddr_in6)];
3967 	char so_faddr[sizeof (struct sockaddr_in6)];
3968 	int		fd;
3969 	short so_family, so_type;
3970 	int add_sock_token = 0;
3971 	int len;
3972 	int err;
3973 	struct file *fp;
3974 	struct f_audit_data *fad;		/* unix domain sockets */
3975 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3976 
3977 	fd = (int)uap->fd;
3978 
3979 	/* bail if an error */
3980 	if (error) {
3981 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3982 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3983 		return;
3984 	}
3985 
3986 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3987 		/*
3988 		 * not security relevant if doing a recvmsg from non socket
3989 		 * so no extra tokens. Should probably turn off audit record
3990 		 * generation here.
3991 		 */
3992 		return;
3993 	}
3994 
3995 	so_family = so->so_family;
3996 	so_type   = so->so_type;
3997 
3998 	/*
3999 	 * only putout SOCKET_EX token if INET/INET6 family.
4000 	 * XXX - what do we do about other families?
4001 	 */
4002 
4003 	switch (so_family) {
4004 	case AF_INET:
4005 	case AF_INET6:
4006 
4007 		/*
4008 		 * if datagram type socket, then just use what is in
4009 		 * socket structure for local address.
4010 		 * XXX - what do we do for other types?
4011 		 */
4012 		if ((so->so_type == SOCK_DGRAM) ||
4013 		    (so->so_type == SOCK_RAW)) {
4014 			add_sock_token = 1;
4015 
4016 			/* get local address */
4017 			mutex_enter(&so->so_lock);
4018 			len = min(so->so_laddr_len, sizeof (so_laddr));
4019 			bcopy(so->so_laddr_sa, so_laddr, len);
4020 			mutex_exit(&so->so_lock);
4021 
4022 			/* get peer address */
4023 			bzero((void *)so_faddr, sizeof (so_faddr));
4024 
4025 			/* sanity check */
4026 			if (uap->from == NULL)
4027 				break;
4028 
4029 			/* sanity checks */
4030 			if (uap->fromlen == 0)
4031 				break;
4032 
4033 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4034 			    sizeof (fromlen)) != 0)
4035 				break;
4036 
4037 			if (fromlen == 0)
4038 				break;
4039 
4040 			/* enforce maximum size */
4041 			if (fromlen > sizeof (so_faddr))
4042 				fromlen = sizeof (so_faddr);
4043 
4044 			if (copyin((caddr_t)(uap->from), so_faddr,
4045 			    fromlen) != 0)
4046 				break;
4047 
4048 		} else if (so->so_type == SOCK_STREAM) {
4049 
4050 			/* get path from file struct here */
4051 			fad = F2A(fp);
4052 			ASSERT(fad);
4053 
4054 			/*
4055 			 * already processed this file for read attempt
4056 			 */
4057 			if (fad->fad_flags & FAD_READ) {
4058 				/* don't want to audit every recvfrom attempt */
4059 				tad->tad_flag = 0;
4060 				/* free any residual audit data */
4061 				au_close(kctx, &(u_ad), 0, 0, 0);
4062 				releasef(fd);
4063 				return;
4064 			}
4065 			/*
4066 			 * mark things so we know what happened and don't
4067 			 * repeat things
4068 			 */
4069 			fad->fad_flags |= FAD_READ;
4070 
4071 			bzero((void *)so_laddr, sizeof (so_laddr));
4072 			bzero((void *)so_faddr, sizeof (so_faddr));
4073 
4074 			if (so->so_state & SS_ISBOUND) {
4075 
4076 				if (so->so_laddr_len == 0)
4077 					(void) SOP_GETSOCKNAME(so);
4078 				if (so->so_faddr_len == 0)
4079 					(void) SOP_GETPEERNAME(so);
4080 
4081 				/* get local and foreign addresses */
4082 				mutex_enter(&so->so_lock);
4083 				len = min(so->so_laddr_len, sizeof (so_laddr));
4084 				bcopy(so->so_laddr_sa, so_laddr, len);
4085 				len = min(so->so_faddr_len, sizeof (so_faddr));
4086 				bcopy(so->so_faddr_sa, so_faddr, len);
4087 				mutex_exit(&so->so_lock);
4088 			}
4089 
4090 			add_sock_token = 1;
4091 		}
4092 
4093 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4094 
4095 		break;
4096 
4097 	case AF_UNIX:
4098 		/*
4099 		 * first check if this is first time through. Too much
4100 		 * duplicate code to put this in an aui_ routine.
4101 		 */
4102 
4103 		/* get path from file struct here */
4104 		fad = F2A(fp);
4105 		ASSERT(fad);
4106 
4107 		/*
4108 		 * already processed this file for read attempt
4109 		 */
4110 		if (fad->fad_flags & FAD_READ) {
4111 			/* don't want to audit every recvfrom attempt */
4112 			tad->tad_flag = 0;
4113 			/* free any residual audit data */
4114 			au_close(kctx, &(u_ad), 0, 0, 0);
4115 			releasef(fd);
4116 			return;
4117 		}
4118 		/*
4119 		 * mark things so we know what happened and don't
4120 		 * repeat things
4121 		 */
4122 		fad->fad_flags |= FAD_READ;
4123 
4124 		if (fad->fad_aupath != NULL) {
4125 			au_uwrite(au_to_path(fad->fad_aupath));
4126 		} else {
4127 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4128 		}
4129 
4130 		audit_attributes(fp->f_vnode);
4131 
4132 		releasef(fd);
4133 
4134 		return;
4135 
4136 	default:
4137 		break;
4138 
4139 	}
4140 
4141 	releasef(fd);
4142 
4143 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4144 
4145 	if (add_sock_token == 0) {
4146 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4147 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4148 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4149 		return;
4150 	}
4151 
4152 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4153 
4154 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4155 }
4156 
4157 /*ARGSUSED*/
4158 static void
4159 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4160 {
4161 	struct a {
4162 		long	fd;
4163 		long	msg;	/* struct msghdr */
4164 		long	flags;
4165 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4166 
4167 	struct sonode	*so;
4168 	char so_laddr[sizeof (struct sockaddr_in6)];
4169 	char so_faddr[sizeof (struct sockaddr_in6)];
4170 	int		err;
4171 	int		fd;
4172 	short so_family, so_type;
4173 	int		add_sock_token = 0;
4174 	int		len;
4175 	struct file	*fp;
4176 	struct f_audit_data *fad;
4177 	caddr_t		msg_name;
4178 	socklen_t	msg_namelen;
4179 	STRUCT_DECL(msghdr, msg);
4180 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4181 
4182 	fd = (int)uap->fd;
4183 
4184 	/* bail if an error */
4185 	if (error) {
4186 		/* XXX include destination address from system call arguments */
4187 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4188 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4189 		return;
4190 	}
4191 
4192 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4193 		/*
4194 		 * not security relevant if doing a sendmsg from non socket
4195 		 * so no extra tokens. Should probably turn off audit record
4196 		 * generation here.
4197 		 */
4198 		return;
4199 	}
4200 
4201 	so_family = so->so_family;
4202 	so_type   = so->so_type;
4203 
4204 	switch (so_family) {
4205 	case AF_INET:
4206 	case AF_INET6:
4207 		/*
4208 		 * if datagram type socket, then just use what is in
4209 		 * socket structure for local address.
4210 		 * XXX - what do we do for other types?
4211 		 */
4212 		if ((so->so_type == SOCK_DGRAM) ||
4213 		    (so->so_type == SOCK_RAW)) {
4214 
4215 			bzero((void *)so_laddr, sizeof (so_laddr));
4216 			bzero((void *)so_faddr, sizeof (so_faddr));
4217 
4218 			/* get local address */
4219 			mutex_enter(&so->so_lock);
4220 			len = min(so->so_laddr_len, sizeof (so_laddr));
4221 			bcopy(so->so_laddr_sa, so_laddr, len);
4222 			mutex_exit(&so->so_lock);
4223 
4224 			/* get peer address */
4225 			STRUCT_INIT(msg, get_udatamodel());
4226 
4227 			if (copyin((caddr_t)(uap->msg),
4228 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4229 				break;
4230 			}
4231 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4232 			if (msg_name == NULL)
4233 				break;
4234 
4235 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4236 			/* length is value from recvmsg - sanity check */
4237 			if (msg_namelen == 0)
4238 				break;
4239 
4240 			if (copyin(msg_name, so_faddr,
4241 			    sizeof (so_faddr)) != 0)
4242 				break;
4243 
4244 			add_sock_token = 1;
4245 
4246 		} else if (so->so_type == SOCK_STREAM) {
4247 
4248 			/* get path from file struct here */
4249 			fad = F2A(fp);
4250 			ASSERT(fad);
4251 
4252 			/*
4253 			 * already processed this file for write attempt
4254 			 */
4255 			if (fad->fad_flags & FAD_WRITE) {
4256 				releasef(fd);
4257 				/* don't want to audit every sendmsg attempt */
4258 				tad->tad_flag = 0;
4259 				/* free any residual audit data */
4260 				au_close(kctx, &(u_ad), 0, 0, 0);
4261 				return;
4262 			}
4263 
4264 			/*
4265 			 * mark things so we know what happened and don't
4266 			 * repeat things
4267 			 */
4268 			fad->fad_flags |= FAD_WRITE;
4269 
4270 			bzero((void *)so_laddr, sizeof (so_laddr));
4271 			bzero((void *)so_faddr, sizeof (so_faddr));
4272 
4273 			if (so->so_state & SS_ISBOUND) {
4274 
4275 				if (so->so_laddr_len == 0)
4276 					(void) SOP_GETSOCKNAME(so);
4277 				if (so->so_faddr_len == 0)
4278 					(void) SOP_GETPEERNAME(so);
4279 
4280 				/* get local and foreign addresses */
4281 				mutex_enter(&so->so_lock);
4282 				len = min(so->so_laddr_len, sizeof (so_laddr));
4283 				bcopy(so->so_laddr_sa, so_laddr, len);
4284 				len = min(so->so_faddr_len, sizeof (so_faddr));
4285 				bcopy(so->so_faddr_sa, so_faddr, len);
4286 				mutex_exit(&so->so_lock);
4287 			}
4288 
4289 			add_sock_token = 1;
4290 		}
4291 
4292 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4293 
4294 		break;
4295 
4296 	case AF_UNIX:
4297 		/*
4298 		 * first check if this is first time through. Too much
4299 		 * duplicate code to put this in an aui_ routine.
4300 		 */
4301 
4302 		/* get path from file struct here */
4303 		fad = F2A(fp);
4304 		ASSERT(fad);
4305 
4306 		/*
4307 		 * already processed this file for write attempt
4308 		 */
4309 		if (fad->fad_flags & FAD_WRITE) {
4310 			releasef(fd);
4311 			/* don't want to audit every sendmsg attempt */
4312 			tad->tad_flag = 0;
4313 			/* free any residual audit data */
4314 			au_close(kctx, &(u_ad), 0, 0, 0);
4315 			return;
4316 		}
4317 		/*
4318 		 * mark things so we know what happened and don't
4319 		 * repeat things
4320 		 */
4321 		fad->fad_flags |= FAD_WRITE;
4322 
4323 		if (fad->fad_aupath != NULL) {
4324 			au_uwrite(au_to_path(fad->fad_aupath));
4325 		} else {
4326 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4327 		}
4328 
4329 		audit_attributes(fp->f_vnode);
4330 
4331 		releasef(fd);
4332 
4333 		return;
4334 
4335 	default:
4336 		break;
4337 	}
4338 
4339 	releasef(fd);
4340 
4341 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4342 
4343 	if (add_sock_token == 0) {
4344 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4345 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4346 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4347 		return;
4348 	}
4349 
4350 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4351 
4352 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4353 }
4354 
4355 /*ARGSUSED*/
4356 static void
4357 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4358 {
4359 	struct a {
4360 		long	fd;
4361 		long	msg;	/* char */
4362 		long	len;
4363 		long	flags;
4364 		long	to;	/* struct sockaddr */
4365 		long	tolen;
4366 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4367 
4368 	struct sonode	*so;
4369 	char so_laddr[sizeof (struct sockaddr_in6)];
4370 	char so_faddr[sizeof (struct sockaddr_in6)];
4371 	socklen_t	tolen;
4372 	int		err;
4373 	int		fd;
4374 	int		len;
4375 	short so_family, so_type;
4376 	int		add_sock_token = 0;
4377 	struct file	*fp;
4378 	struct f_audit_data *fad;
4379 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4380 
4381 	fd = (int)uap->fd;
4382 
4383 	/* bail if an error */
4384 	if (error) {
4385 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4386 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4387 		/* XXX include destination address from system call arguments */
4388 		return;
4389 	}
4390 
4391 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4392 		/*
4393 		 * not security relevant if doing a sendto using non socket
4394 		 * so no extra tokens. Should probably turn off audit record
4395 		 * generation here.
4396 		 */
4397 		return;
4398 	}
4399 
4400 	so_family = so->so_family;
4401 	so_type   = so->so_type;
4402 
4403 	/*
4404 	 * only putout SOCKET_EX token if INET/INET6 family.
4405 	 * XXX - what do we do about other families?
4406 	 */
4407 
4408 	switch (so_family) {
4409 	case AF_INET:
4410 	case AF_INET6:
4411 
4412 		/*
4413 		 * if datagram type socket, then just use what is in
4414 		 * socket structure for local address.
4415 		 * XXX - what do we do for other types?
4416 		 */
4417 		if ((so->so_type == SOCK_DGRAM) ||
4418 		    (so->so_type == SOCK_RAW)) {
4419 
4420 			bzero((void *)so_laddr, sizeof (so_laddr));
4421 			bzero((void *)so_faddr, sizeof (so_faddr));
4422 
4423 			/* get local address */
4424 			mutex_enter(&so->so_lock);
4425 			len = min(so->so_laddr_len, sizeof (so_laddr));
4426 			bcopy(so->so_laddr_sa, so_laddr, len);
4427 			mutex_exit(&so->so_lock);
4428 
4429 			/* get peer address */
4430 
4431 			/* sanity check */
4432 			if (uap->to == NULL)
4433 				break;
4434 
4435 			/* sanity checks */
4436 			if (uap->tolen == 0)
4437 				break;
4438 
4439 			tolen = (socklen_t)uap->tolen;
4440 
4441 			/* enforce maximum size */
4442 			if (tolen > sizeof (so_faddr))
4443 				tolen = sizeof (so_faddr);
4444 
4445 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4446 				break;
4447 
4448 			add_sock_token = 1;
4449 		} else {
4450 			/*
4451 			 * check if this is first time through.
4452 			 */
4453 
4454 			/* get path from file struct here */
4455 			fad = F2A(fp);
4456 			ASSERT(fad);
4457 
4458 			/*
4459 			 * already processed this file for write attempt
4460 			 */
4461 			if (fad->fad_flags & FAD_WRITE) {
4462 				/* don't want to audit every sendto attempt */
4463 				tad->tad_flag = 0;
4464 				/* free any residual audit data */
4465 				au_close(kctx, &(u_ad), 0, 0, 0);
4466 				releasef(fd);
4467 				return;
4468 			}
4469 			/*
4470 			 * mark things so we know what happened and don't
4471 			 * repeat things
4472 			 */
4473 			fad->fad_flags |= FAD_WRITE;
4474 
4475 			bzero((void *)so_laddr, sizeof (so_laddr));
4476 			bzero((void *)so_faddr, sizeof (so_faddr));
4477 
4478 			if (so->so_state & SS_ISBOUND) {
4479 
4480 				if (so->so_laddr_len == 0)
4481 					(void) SOP_GETSOCKNAME(so);
4482 				if (so->so_faddr_len == 0)
4483 					(void) SOP_GETPEERNAME(so);
4484 
4485 				/* get local and foreign addresses */
4486 				mutex_enter(&so->so_lock);
4487 				len = min(so->so_laddr_len, sizeof (so_laddr));
4488 				bcopy(so->so_laddr_sa, so_laddr, len);
4489 				len = min(so->so_faddr_len, sizeof (so_faddr));
4490 				bcopy(so->so_faddr_sa, so_faddr, len);
4491 				mutex_exit(&so->so_lock);
4492 			}
4493 
4494 			add_sock_token = 1;
4495 		}
4496 
4497 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4498 
4499 		break;
4500 
4501 	case AF_UNIX:
4502 		/*
4503 		 * first check if this is first time through. Too much
4504 		 * duplicate code to put this in an aui_ routine.
4505 		 */
4506 
4507 		/* get path from file struct here */
4508 		fad = F2A(fp);
4509 		ASSERT(fad);
4510 
4511 		/*
4512 		 * already processed this file for write attempt
4513 		 */
4514 		if (fad->fad_flags & FAD_WRITE) {
4515 			/* don't want to audit every sendto attempt */
4516 			tad->tad_flag = 0;
4517 			/* free any residual audit data */
4518 			au_close(kctx, &(u_ad), 0, 0, 0);
4519 			releasef(fd);
4520 			return;
4521 		}
4522 		/*
4523 		 * mark things so we know what happened and don't
4524 		 * repeat things
4525 		 */
4526 		fad->fad_flags |= FAD_WRITE;
4527 
4528 		if (fad->fad_aupath != NULL) {
4529 			au_uwrite(au_to_path(fad->fad_aupath));
4530 		} else {
4531 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4532 		}
4533 
4534 		audit_attributes(fp->f_vnode);
4535 
4536 		releasef(fd);
4537 
4538 		return;
4539 
4540 	default:
4541 		break;
4542 
4543 	}
4544 
4545 	releasef(fd);
4546 
4547 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4548 
4549 	if (add_sock_token == 0) {
4550 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4551 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4552 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4553 		return;
4554 	}
4555 
4556 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4557 
4558 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4559 
4560 }
4561 
4562 /*
4563  * XXX socket(2) may be equivalent to open(2) on a unix domain
4564  * socket. This needs investigation.
4565  */
4566 
4567 /*ARGSUSED*/
4568 static void
4569 aus_socket(struct t_audit_data *tad)
4570 {
4571 	struct a {
4572 		long	domain;
4573 		long	type;
4574 		long	protocol;
4575 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4576 
4577 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4578 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4579 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4580 }
4581 
4582 /*ARGSUSED*/
4583 static void
4584 aus_sigqueue(struct t_audit_data *tad)
4585 {
4586 	struct a {
4587 		long	pid;
4588 		long	signo;
4589 		long	*val;
4590 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4591 	struct proc *p;
4592 	uid_t uid, ruid;
4593 	gid_t gid, rgid;
4594 	pid_t pid;
4595 	const auditinfo_addr_t *ainfo;
4596 	cred_t *cr;
4597 
4598 	pid = (pid_t)uap->pid;
4599 
4600 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4601 	if (pid > 0) {
4602 		mutex_enter(&pidlock);
4603 		if ((p = prfind(pid)) == (struct proc *)0) {
4604 			mutex_exit(&pidlock);
4605 			return;
4606 		}
4607 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4608 		mutex_exit(&pidlock);
4609 
4610 		mutex_enter(&p->p_crlock);
4611 		crhold(cr = p->p_cred);
4612 		mutex_exit(&p->p_crlock);
4613 		mutex_exit(&p->p_lock);
4614 
4615 		ainfo = crgetauinfo(cr);
4616 		if (ainfo == NULL) {
4617 			crfree(cr);
4618 			return;
4619 		}
4620 
4621 		uid  = crgetuid(cr);
4622 		gid  = crgetgid(cr);
4623 		ruid = crgetruid(cr);
4624 		rgid = crgetrgid(cr);
4625 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4626 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4627 		crfree(cr);
4628 	}
4629 	else
4630 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4631 }
4632 
4633 /*ARGSUSED*/
4634 static void
4635 aus_inst_sync(struct t_audit_data *tad)
4636 {
4637 	struct a {
4638 		long	name;	/* char */
4639 		long	flags;
4640 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4641 
4642 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4643 }
4644 
4645 /*ARGSUSED*/
4646 static void
4647 aus_brandsys(struct t_audit_data *tad)
4648 {
4649 	klwp_t *clwp = ttolwp(curthread);
4650 
4651 	struct a {
4652 		long	cmd;
4653 		long	arg1;
4654 		long	arg2;
4655 		long	arg3;
4656 		long	arg4;
4657 		long	arg5;
4658 		long	arg6;
4659 	} *uap = (struct a *)clwp->lwp_ap;
4660 
4661 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4662 #ifdef _LP64
4663 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4664 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4665 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4666 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4667 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4668 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4669 #else
4670 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4671 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4672 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4673 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4674 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4675 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4676 #endif
4677 }
4678 
4679 /*ARGSUSED*/
4680 static void
4681 aus_p_online(struct t_audit_data *tad)
4682 {
4683 	struct a {
4684 		long	processor_id;
4685 		long	flag;
4686 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4687 
4688 	struct flags {
4689 			int	flag;
4690 			char	*cflag;
4691 	} aflags[6] = {
4692 			{ P_ONLINE, "P_ONLINE"},
4693 			{ P_OFFLINE, "P_OFFLINE"},
4694 			{ P_NOINTR, "P_NOINTR"},
4695 			{ P_SPARE, "P_SPARE"},
4696 			{ P_FAULTED, "P_FAULTED"},
4697 			{ P_STATUS, "P_STATUS"}
4698 	};
4699 	int i;
4700 	char *cflag;
4701 
4702 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4703 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4704 
4705 	for (i = 0; i < 6; i++) {
4706 		if (aflags[i].flag == uap->flag)
4707 			break;
4708 	}
4709 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4710 
4711 	au_uwrite(au_to_text(cflag));
4712 }
4713 
4714 /*ARGSUSED*/
4715 static void
4716 aus_processor_bind(struct t_audit_data *tad)
4717 {
4718 	struct a {
4719 		long	id_type;
4720 		long	id;
4721 		long	processor_id;
4722 		long	obind;
4723 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4724 
4725 	struct proc *p;
4726 	int lwpcnt;
4727 	uid_t uid, ruid;
4728 	gid_t gid, rgid;
4729 	pid_t pid;
4730 	const auditinfo_addr_t *ainfo;
4731 	cred_t *cr;
4732 
4733 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4734 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4735 	if (uap->processor_id == PBIND_NONE)
4736 		au_uwrite(au_to_text("PBIND_NONE"));
4737 	else
4738 		au_uwrite(au_to_arg32(3, "processor_id",
4739 		    (uint32_t)uap->processor_id));
4740 
4741 	switch (uap->id_type) {
4742 	case P_MYID:
4743 	case P_LWPID:
4744 		mutex_enter(&pidlock);
4745 		p = ttoproc(curthread);
4746 		if (p == NULL || p->p_as == &kas) {
4747 			mutex_exit(&pidlock);
4748 			return;
4749 		}
4750 		mutex_enter(&p->p_lock);
4751 		mutex_exit(&pidlock);
4752 		lwpcnt = p->p_lwpcnt;
4753 		pid  = p->p_pid;
4754 
4755 		mutex_enter(&p->p_crlock);
4756 		crhold(cr = p->p_cred);
4757 		mutex_exit(&p->p_crlock);
4758 		mutex_exit(&p->p_lock);
4759 
4760 		ainfo = crgetauinfo(cr);
4761 		if (ainfo == NULL) {
4762 			crfree(cr);
4763 			return;
4764 		}
4765 
4766 		uid  = crgetuid(cr);
4767 		gid  = crgetgid(cr);
4768 		ruid = crgetruid(cr);
4769 		rgid = crgetrgid(cr);
4770 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4771 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4772 		crfree(cr);
4773 		break;
4774 	case P_PID:
4775 		mutex_enter(&pidlock);
4776 		p = prfind(uap->id);
4777 		if (p == NULL || p->p_as == &kas) {
4778 			mutex_exit(&pidlock);
4779 			return;
4780 		}
4781 		mutex_enter(&p->p_lock);
4782 		mutex_exit(&pidlock);
4783 		lwpcnt = p->p_lwpcnt;
4784 		pid  = p->p_pid;
4785 
4786 		mutex_enter(&p->p_crlock);
4787 		crhold(cr = p->p_cred);
4788 		mutex_exit(&p->p_crlock);
4789 		mutex_exit(&p->p_lock);
4790 
4791 		ainfo = crgetauinfo(cr);
4792 		if (ainfo == NULL) {
4793 			crfree(cr);
4794 			return;
4795 		}
4796 
4797 		uid  = crgetuid(cr);
4798 		gid  = crgetgid(cr);
4799 		ruid = crgetruid(cr);
4800 		rgid = crgetrgid(cr);
4801 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4802 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4803 		crfree(cr);
4804 
4805 		break;
4806 	default:
4807 		return;
4808 	}
4809 
4810 	if (uap->processor_id == PBIND_NONE &&
4811 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4812 		au_uwrite(au_to_text("PBIND_NONE for process"));
4813 	else
4814 		au_uwrite(au_to_arg32(3, "processor_id",
4815 		    (uint32_t)uap->processor_id));
4816 }
4817 
4818 /*ARGSUSED*/
4819 static au_event_t
4820 aui_doorfs(au_event_t e)
4821 {
4822 	uint32_t code;
4823 
4824 	struct a {		/* doorfs */
4825 		long	a1;
4826 		long	a2;
4827 		long	a3;
4828 		long	a4;
4829 		long	a5;
4830 		long	code;
4831 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4832 
4833 	/*
4834 	 *	audit formats for several of the
4835 	 *	door calls have not yet been determined
4836 	 */
4837 	code = (uint32_t)uap->code;
4838 	switch (code) {
4839 	case DOOR_CALL:
4840 		e = AUE_DOORFS_DOOR_CALL;
4841 		break;
4842 	case DOOR_RETURN:
4843 		e = AUE_NULL;
4844 		break;
4845 	case DOOR_CREATE:
4846 		e = AUE_DOORFS_DOOR_CREATE;
4847 		break;
4848 	case DOOR_REVOKE:
4849 		e = AUE_DOORFS_DOOR_REVOKE;
4850 		break;
4851 	case DOOR_INFO:
4852 		e = AUE_NULL;
4853 		break;
4854 	case DOOR_UCRED:
4855 		e = AUE_NULL;
4856 		break;
4857 	case DOOR_BIND:
4858 		e = AUE_NULL;
4859 		break;
4860 	case DOOR_UNBIND:
4861 		e = AUE_NULL;
4862 		break;
4863 	case DOOR_GETPARAM:
4864 		e = AUE_NULL;
4865 		break;
4866 	case DOOR_SETPARAM:
4867 		e = AUE_NULL;
4868 		break;
4869 	default:	/* illegal system call */
4870 		e = AUE_NULL;
4871 		break;
4872 	}
4873 
4874 	return (e);
4875 }
4876 
4877 static door_node_t *
4878 au_door_lookup(int did)
4879 {
4880 	vnode_t	*vp;
4881 	file_t *fp;
4882 
4883 	if ((fp = getf(did)) == NULL)
4884 		return (NULL);
4885 	/*
4886 	 * Use the underlying vnode (we may be namefs mounted)
4887 	 */
4888 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
4889 		vp = fp->f_vnode;
4890 
4891 	if (vp == NULL || vp->v_type != VDOOR) {
4892 		releasef(did);
4893 		return (NULL);
4894 	}
4895 
4896 	return (VTOD(vp));
4897 }
4898 
4899 /*ARGSUSED*/
4900 static void
4901 aus_doorfs(struct t_audit_data *tad)
4902 {
4903 
4904 	struct a {		/* doorfs */
4905 		long	a1;
4906 		long	a2;
4907 		long	a3;
4908 		long	a4;
4909 		long	a5;
4910 		long	code;
4911 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4912 
4913 	door_node_t	*dp;
4914 	struct proc	*p;
4915 	uint32_t	did;
4916 	uid_t uid, ruid;
4917 	gid_t gid, rgid;
4918 	pid_t pid;
4919 	const auditinfo_addr_t *ainfo;
4920 	cred_t *cr;
4921 
4922 	did = (uint32_t)uap->a1;
4923 
4924 	switch (tad->tad_event) {
4925 	case AUE_DOORFS_DOOR_CALL:
4926 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
4927 		if ((dp = au_door_lookup(did)) == NULL)
4928 			break;
4929 
4930 		if (DOOR_INVALID(dp)) {
4931 			releasef(did);
4932 			break;
4933 		}
4934 
4935 		if ((p = dp->door_target) == NULL) {
4936 			releasef(did);
4937 			break;
4938 		}
4939 		mutex_enter(&p->p_lock);
4940 		releasef(did);
4941 
4942 		pid  = p->p_pid;
4943 
4944 		mutex_enter(&p->p_crlock);
4945 		crhold(cr = p->p_cred);
4946 		mutex_exit(&p->p_crlock);
4947 		mutex_exit(&p->p_lock);
4948 
4949 		ainfo = crgetauinfo(cr);
4950 		if (ainfo == NULL) {
4951 			crfree(cr);
4952 			return;
4953 		}
4954 		uid  = crgetuid(cr);
4955 		gid  = crgetgid(cr);
4956 		ruid = crgetruid(cr);
4957 		rgid = crgetrgid(cr);
4958 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4959 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4960 		crfree(cr);
4961 		break;
4962 	case AUE_DOORFS_DOOR_RETURN:
4963 		/*
4964 		 * We may want to write information about
4965 		 * all doors (if any) which will be copied
4966 		 * by this call to the user space
4967 		 */
4968 		break;
4969 	case AUE_DOORFS_DOOR_CREATE:
4970 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
4971 		break;
4972 	case AUE_DOORFS_DOOR_REVOKE:
4973 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
4974 		break;
4975 	case AUE_DOORFS_DOOR_INFO:
4976 		break;
4977 	case AUE_DOORFS_DOOR_CRED:
4978 		break;
4979 	case AUE_DOORFS_DOOR_BIND:
4980 		break;
4981 	case AUE_DOORFS_DOOR_UNBIND: {
4982 		break;
4983 	}
4984 	default:	/* illegal system call */
4985 		break;
4986 	}
4987 }
4988 
4989 /*ARGSUSED*/
4990 static au_event_t
4991 aui_acl(au_event_t e)
4992 {
4993 	struct a {
4994 		union {
4995 			long	name;	/* char */
4996 			long	fd;
4997 		}		obj;
4998 
4999 		long		cmd;
5000 		long		nentries;
5001 		long		arg;	/* aclent_t */
5002 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5003 
5004 	switch (uap->cmd) {
5005 	case SETACL:
5006 	case ACE_SETACL:
5007 		/*
5008 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5009 		 * are expected.
5010 		 */
5011 		break;
5012 	case GETACL:
5013 	case GETACLCNT:
5014 	case ACE_GETACLCNT:
5015 		/* do nothing for these two values. */
5016 		e = AUE_NULL;
5017 		break;
5018 	default:
5019 		/* illegal system call */
5020 		break;
5021 	}
5022 
5023 	return (e);
5024 }
5025 
5026 static void
5027 au_acl(int cmd, int nentries, caddr_t bufp)
5028 {
5029 	size_t		a_size;
5030 	aclent_t	*aclbufp;
5031 	ace_t		*acebufp;
5032 	int		i;
5033 
5034 	switch (cmd) {
5035 	case GETACL:
5036 	case GETACLCNT:
5037 		break;
5038 	case SETACL:
5039 		if (nentries < 3)
5040 			break;
5041 
5042 		a_size = nentries * sizeof (aclent_t);
5043 
5044 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5045 			break;
5046 		if (copyin(bufp, aclbufp, a_size)) {
5047 			kmem_free(aclbufp, a_size);
5048 			break;
5049 		}
5050 		for (i = 0; i < nentries; i++) {
5051 			au_uwrite(au_to_acl(aclbufp + i));
5052 		}
5053 		kmem_free(aclbufp, a_size);
5054 		break;
5055 
5056 	case ACE_SETACL:
5057 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5058 			break;
5059 
5060 		a_size = nentries * sizeof (ace_t);
5061 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5062 			break;
5063 		if (copyin(bufp, acebufp, a_size)) {
5064 			kmem_free(acebufp, a_size);
5065 			break;
5066 		}
5067 		for (i = 0; i < nentries; i++) {
5068 			au_uwrite(au_to_ace(acebufp + i));
5069 		}
5070 		kmem_free(acebufp, a_size);
5071 		break;
5072 	default:
5073 		break;
5074 	}
5075 }
5076 
5077 /*ARGSUSED*/
5078 static void
5079 aus_acl(struct t_audit_data *tad)
5080 {
5081 	struct a {
5082 		long	fname;
5083 		long	cmd;
5084 		long	nentries;
5085 		long	aclbufp;
5086 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5087 
5088 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5089 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5090 
5091 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5092 }
5093 
5094 /*ARGSUSED*/
5095 static void
5096 aus_facl(struct t_audit_data *tad)
5097 {
5098 	struct a {
5099 		long	fd;
5100 		long	cmd;
5101 		long	nentries;
5102 		long	aclbufp;
5103 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5104 	struct file  *fp;
5105 	struct vnode *vp;
5106 	struct f_audit_data *fad;
5107 	int fd;
5108 
5109 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5110 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5111 
5112 	fd = (int)uap->fd;
5113 
5114 	if ((fp = getf(fd)) == NULL)
5115 		return;
5116 
5117 	/* get path from file struct here */
5118 	fad = F2A(fp);
5119 	if (fad->fad_aupath != NULL) {
5120 		au_uwrite(au_to_path(fad->fad_aupath));
5121 	} else {
5122 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5123 	}
5124 
5125 	vp = fp->f_vnode;
5126 	audit_attributes(vp);
5127 
5128 	/* decrement file descriptor reference count */
5129 	releasef(fd);
5130 
5131 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5132 }
5133 
5134 /*ARGSUSED*/
5135 static void
5136 auf_read(tad, error, rval)
5137 	struct t_audit_data *tad;
5138 	int error;
5139 	rval_t *rval;
5140 {
5141 	struct file *fp;
5142 	struct f_audit_data *fad;
5143 	int fd;
5144 	register struct a {
5145 		long	fd;
5146 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5147 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5148 
5149 	fd = (int)uap->fd;
5150 
5151 	/*
5152 	 * convert file pointer to file descriptor
5153 	 *   Note: fd ref count incremented here.
5154 	 */
5155 	if ((fp = getf(fd)) == NULL)
5156 		return;
5157 
5158 	/* get path from file struct here */
5159 	fad = F2A(fp);
5160 	ASSERT(fad);
5161 
5162 	/*
5163 	 * already processed this file for read attempt
5164 	 *
5165 	 * XXX might be better to turn off auditing in a aui_read() routine.
5166 	 */
5167 	if (fad->fad_flags & FAD_READ) {
5168 		/* don't really want to audit every read attempt */
5169 		tad->tad_flag = 0;
5170 		/* free any residual audit data */
5171 		au_close(kctx, &(u_ad), 0, 0, 0);
5172 		releasef(fd);
5173 		return;
5174 	}
5175 	/* mark things so we know what happened and don't repeat things */
5176 	fad->fad_flags |= FAD_READ;
5177 
5178 	if (fad->fad_aupath != NULL) {
5179 		au_uwrite(au_to_path(fad->fad_aupath));
5180 	} else {
5181 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5182 	}
5183 
5184 	/* include attributes */
5185 	audit_attributes(fp->f_vnode);
5186 
5187 	/* decrement file descriptor reference count */
5188 	releasef(fd);
5189 }
5190 
5191 /*ARGSUSED*/
5192 static void
5193 auf_write(tad, error, rval)
5194 	struct t_audit_data *tad;
5195 	int error;
5196 	rval_t *rval;
5197 {
5198 	struct file *fp;
5199 	struct f_audit_data *fad;
5200 	int fd;
5201 	register struct a {
5202 		long	fd;
5203 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5204 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5205 
5206 	fd = (int)uap->fd;
5207 
5208 	/*
5209 	 * convert file pointer to file descriptor
5210 	 *   Note: fd ref count incremented here.
5211 	 */
5212 	if ((fp = getf(fd)) == NULL)
5213 		return;
5214 
5215 	/* get path from file struct here */
5216 	fad = F2A(fp);
5217 	ASSERT(fad);
5218 
5219 	/*
5220 	 * already processed this file for write attempt
5221 	 *
5222 	 * XXX might be better to turn off auditing in a aus_write() routine.
5223 	 */
5224 	if (fad->fad_flags & FAD_WRITE) {
5225 		/* don't really want to audit every write attempt */
5226 		tad->tad_flag = 0;
5227 		/* free any residual audit data */
5228 		au_close(kctx, &(u_ad), 0, 0, 0);
5229 		releasef(fd);
5230 		return;
5231 	}
5232 	/* mark things so we know what happened and don't repeat things */
5233 	fad->fad_flags |= FAD_WRITE;
5234 
5235 	if (fad->fad_aupath != NULL) {
5236 		au_uwrite(au_to_path(fad->fad_aupath));
5237 	} else {
5238 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5239 	}
5240 
5241 	/* include attributes */
5242 	audit_attributes(fp->f_vnode);
5243 
5244 	/* decrement file descriptor reference count */
5245 	releasef(fd);
5246 }
5247 
5248 /*ARGSUSED*/
5249 static void
5250 auf_recv(tad, error, rval)
5251 	struct t_audit_data *tad;
5252 	int error;
5253 	rval_t *rval;
5254 {
5255 	struct sonode *so;
5256 	char so_laddr[sizeof (struct sockaddr_in6)];
5257 	char so_faddr[sizeof (struct sockaddr_in6)];
5258 	struct file *fp;
5259 	struct f_audit_data *fad;
5260 	int fd;
5261 	int err;
5262 	int len;
5263 	short so_family, so_type;
5264 	register struct a {
5265 		long	fd;
5266 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5267 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5268 
5269 	/*
5270 	 * If there was an error, then nothing to do. Only generate
5271 	 * audit record on first successful recv.
5272 	 */
5273 	if (error) {
5274 		/* Turn off audit record generation here. */
5275 		tad->tad_flag = 0;
5276 		/* free any residual audit data */
5277 		au_close(kctx, &(u_ad), 0, 0, 0);
5278 		return;
5279 	}
5280 
5281 	fd = (int)uap->fd;
5282 
5283 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5284 		/* Turn off audit record generation here. */
5285 		tad->tad_flag = 0;
5286 		/* free any residual audit data */
5287 		au_close(kctx, &(u_ad), 0, 0, 0);
5288 		return;
5289 	}
5290 
5291 	/* get path from file struct here */
5292 	fad = F2A(fp);
5293 	ASSERT(fad);
5294 
5295 	/*
5296 	 * already processed this file for read attempt
5297 	 */
5298 	if (fad->fad_flags & FAD_READ) {
5299 		releasef(fd);
5300 		/* don't really want to audit every recv call */
5301 		tad->tad_flag = 0;
5302 		/* free any residual audit data */
5303 		au_close(kctx, &(u_ad), 0, 0, 0);
5304 		return;
5305 	}
5306 
5307 	/* mark things so we know what happened and don't repeat things */
5308 	fad->fad_flags |= FAD_READ;
5309 
5310 	so_family = so->so_family;
5311 	so_type   = so->so_type;
5312 
5313 	switch (so_family) {
5314 	case AF_INET:
5315 	case AF_INET6:
5316 		/*
5317 		 * Only for connections.
5318 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5319 		 */
5320 		if (so->so_state & SS_ISBOUND) {
5321 
5322 			bzero((void *)so_laddr, sizeof (so_laddr));
5323 			bzero((void *)so_faddr, sizeof (so_faddr));
5324 
5325 			/* only done once on a connection */
5326 			(void) SOP_GETSOCKNAME(so);
5327 			(void) SOP_GETPEERNAME(so);
5328 
5329 			/* get local and foreign addresses */
5330 			mutex_enter(&so->so_lock);
5331 			len = min(so->so_laddr_len, sizeof (so_laddr));
5332 			bcopy(so->so_laddr_sa, so_laddr, len);
5333 			len = min(so->so_faddr_len, sizeof (so_faddr));
5334 			bcopy(so->so_faddr_sa, so_faddr, len);
5335 			mutex_exit(&so->so_lock);
5336 
5337 			/*
5338 			 * only way to drop out of switch. Note that we
5339 			 * we release fd below.
5340 			 */
5341 
5342 			break;
5343 		}
5344 
5345 		releasef(fd);
5346 
5347 		/* don't really want to audit every recv call */
5348 		tad->tad_flag = 0;
5349 		/* free any residual audit data */
5350 		au_close(kctx, &(u_ad), 0, 0, 0);
5351 
5352 		return;
5353 
5354 	case AF_UNIX:
5355 
5356 		if (fad->fad_aupath != NULL) {
5357 			au_uwrite(au_to_path(fad->fad_aupath));
5358 		} else {
5359 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5360 		}
5361 
5362 		audit_attributes(fp->f_vnode);
5363 
5364 		releasef(fd);
5365 
5366 		return;
5367 
5368 	default:
5369 		releasef(fd);
5370 
5371 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5372 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5373 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5374 
5375 		return;
5376 	}
5377 
5378 	releasef(fd);
5379 
5380 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5381 
5382 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5383 
5384 }
5385 
5386 /*ARGSUSED*/
5387 static void
5388 auf_send(tad, error, rval)
5389 	struct t_audit_data *tad;
5390 	int error;
5391 	rval_t *rval;
5392 {
5393 	struct sonode *so;
5394 	char so_laddr[sizeof (struct sockaddr_in6)];
5395 	char so_faddr[sizeof (struct sockaddr_in6)];
5396 	struct file *fp;
5397 	struct f_audit_data *fad;
5398 	int fd;
5399 	int err;
5400 	int len;
5401 	short so_family, so_type;
5402 	register struct a {
5403 		long	fd;
5404 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5405 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5406 
5407 	fd = (int)uap->fd;
5408 
5409 	/*
5410 	 * If there was an error, then nothing to do. Only generate
5411 	 * audit record on first successful send.
5412 	 */
5413 	if (error != 0) {
5414 		/* Turn off audit record generation here. */
5415 		tad->tad_flag = 0;
5416 		/* free any residual audit data */
5417 		au_close(kctx, &(u_ad), 0, 0, 0);
5418 		return;
5419 	}
5420 
5421 	fd = (int)uap->fd;
5422 
5423 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5424 		/* Turn off audit record generation here. */
5425 		tad->tad_flag = 0;
5426 		/* free any residual audit data */
5427 		au_close(kctx, &(u_ad), 0, 0, 0);
5428 		return;
5429 	}
5430 
5431 	/* get path from file struct here */
5432 	fad = F2A(fp);
5433 	ASSERT(fad);
5434 
5435 	/*
5436 	 * already processed this file for write attempt
5437 	 */
5438 	if (fad->fad_flags & FAD_WRITE) {
5439 		releasef(fd);
5440 		/* don't really want to audit every send call */
5441 		tad->tad_flag = 0;
5442 		/* free any residual audit data */
5443 		au_close(kctx, &(u_ad), 0, 0, 0);
5444 		return;
5445 	}
5446 
5447 	/* mark things so we know what happened and don't repeat things */
5448 	fad->fad_flags |= FAD_WRITE;
5449 
5450 	so_family = so->so_family;
5451 	so_type   = so->so_type;
5452 
5453 	switch (so_family) {
5454 	case AF_INET:
5455 	case AF_INET6:
5456 		/*
5457 		 * Only for connections.
5458 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5459 		 */
5460 		if (so->so_state & SS_ISBOUND) {
5461 
5462 			bzero((void *)so_laddr, sizeof (so_laddr));
5463 			bzero((void *)so_faddr, sizeof (so_faddr));
5464 
5465 			/* only done once on a connection */
5466 			(void) SOP_GETSOCKNAME(so);
5467 			(void) SOP_GETPEERNAME(so);
5468 
5469 			/* get local and foreign addresses */
5470 			mutex_enter(&so->so_lock);
5471 			len = min(so->so_laddr_len, sizeof (so_laddr));
5472 			bcopy(so->so_laddr_sa, so_laddr, len);
5473 			len = min(so->so_faddr_len, sizeof (so_faddr));
5474 			bcopy(so->so_faddr_sa, so_faddr, len);
5475 			mutex_exit(&so->so_lock);
5476 
5477 			/*
5478 			 * only way to drop out of switch. Note that we
5479 			 * we release fd below.
5480 			 */
5481 
5482 			break;
5483 		}
5484 
5485 		releasef(fd);
5486 		/* don't really want to audit every send call */
5487 		tad->tad_flag = 0;
5488 		/* free any residual audit data */
5489 		au_close(kctx, &(u_ad), 0, 0, 0);
5490 
5491 		return;
5492 
5493 	case AF_UNIX:
5494 
5495 		if (fad->fad_aupath != NULL) {
5496 			au_uwrite(au_to_path(fad->fad_aupath));
5497 		} else {
5498 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5499 		}
5500 
5501 		audit_attributes(fp->f_vnode);
5502 
5503 		releasef(fd);
5504 
5505 		return;
5506 
5507 	default:
5508 		releasef(fd);
5509 
5510 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5511 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5512 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5513 
5514 		return;
5515 	}
5516 
5517 	releasef(fd);
5518 
5519 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5520 
5521 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5522 }
5523 
5524 static au_event_t
5525 aui_forksys(au_event_t e)
5526 {
5527 	struct a {
5528 		long	subcode;
5529 		long	flags;
5530 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5531 
5532 	switch ((uint_t)uap->subcode) {
5533 	case 0:
5534 		e = AUE_FORK1;
5535 		break;
5536 	case 1:
5537 		e = AUE_FORKALL;
5538 		break;
5539 	case 2:
5540 		e = AUE_VFORK;
5541 		break;
5542 	default:
5543 		e = AUE_NULL;
5544 		break;
5545 	}
5546 
5547 	return (e);
5548 }
5549 
5550 /*ARGSUSED*/
5551 static au_event_t
5552 aui_portfs(au_event_t e)
5553 {
5554 	struct a {		/* portfs */
5555 		long	a1;
5556 		long	a2;
5557 		long	a3;
5558 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5559 
5560 	/*
5561 	 * check opcode
5562 	 */
5563 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5564 	case PORT_ASSOCIATE:
5565 	case PORT_DISSOCIATE:
5566 		/*
5567 		 * check source
5568 		 */
5569 		if ((uint_t)uap->a3 == PORT_SOURCE_FILE) {
5570 			e = AUE_PORTFS;
5571 		} else {
5572 			e = AUE_NULL;
5573 		}
5574 		break;
5575 	default:
5576 		e = AUE_NULL;
5577 	}
5578 	return (e);
5579 }
5580