xref: /titanic_52/usr/src/uts/common/c2/audit_event.c (revision 88e8a7f2124e61277dc5f6bf9718881bfb8b724e)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * This file contains the audit event table used to control the production
29  * of audit records for each system call.
30  */
31 
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h>	/* for sysinfo auditing */
37 #include <sys/utsname.h>	/* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h>		/* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h>		/* for accept */
56 #include <sys/utssys.h>		/* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/vfs_opreg.h>
76 #include <fs/sockfs/sockcommon.h>
77 #include <netinet/in.h>
78 #include <sys/ddi.h>
79 #include <sys/port_impl.h>
80 
81 
82 char	_depends_on[] = "fs/sockfs";
83 
84 static au_event_t	aui_fchownat(au_event_t);
85 static au_event_t	aui_open(au_event_t);
86 static au_event_t	aui_openat(au_event_t);
87 static au_event_t	aui_unlinkat(au_event_t);
88 static au_event_t	aui_fstatat(au_event_t);
89 static au_event_t	aui_msgsys(au_event_t);
90 static au_event_t	aui_shmsys(au_event_t);
91 static au_event_t	aui_semsys(au_event_t);
92 static au_event_t	aui_utssys(au_event_t);
93 static au_event_t	aui_fcntl(au_event_t);
94 static au_event_t	aui_execve(au_event_t);
95 static au_event_t	aui_memcntl(au_event_t);
96 static au_event_t	aui_sysinfo(au_event_t);
97 static au_event_t	aui_portfs(au_event_t);
98 static au_event_t	aui_auditsys(au_event_t);
99 static au_event_t	aui_modctl(au_event_t);
100 static au_event_t	aui_acl(au_event_t);
101 static au_event_t	aui_doorfs(au_event_t);
102 static au_event_t	aui_privsys(au_event_t);
103 static au_event_t	aui_forksys(au_event_t);
104 static au_event_t	aui_labelsys(au_event_t);
105 static au_event_t	aui_setpgrp(au_event_t);
106 
107 static void	aus_exit(struct t_audit_data *);
108 static void	aus_open(struct t_audit_data *);
109 static void	aus_openat(struct t_audit_data *);
110 static void	aus_acl(struct t_audit_data *);
111 static void	aus_acct(struct t_audit_data *);
112 static void	aus_chown(struct t_audit_data *);
113 static void	aus_fchown(struct t_audit_data *);
114 static void	aus_lchown(struct t_audit_data *);
115 static void	aus_fchownat(struct t_audit_data *);
116 static void	aus_chmod(struct t_audit_data *);
117 static void	aus_facl(struct t_audit_data *);
118 static void	aus_fchmod(struct t_audit_data *);
119 static void	aus_fcntl(struct t_audit_data *);
120 static void	aus_mkdir(struct t_audit_data *);
121 static void	aus_mknod(struct t_audit_data *);
122 static void	aus_mount(struct t_audit_data *);
123 static void	aus_umount2(struct t_audit_data *);
124 static void	aus_msgsys(struct t_audit_data *);
125 static void	aus_semsys(struct t_audit_data *);
126 static void	aus_close(struct t_audit_data *);
127 static void	aus_fstatfs(struct t_audit_data *);
128 static void	aus_setgid(struct t_audit_data *);
129 static void	aus_setpgrp(struct t_audit_data *);
130 static void	aus_setuid(struct t_audit_data *);
131 static void	aus_shmsys(struct t_audit_data *);
132 static void	aus_doorfs(struct t_audit_data *);
133 static void	aus_ioctl(struct t_audit_data *);
134 static void	aus_memcntl(struct t_audit_data *);
135 static void	aus_mmap(struct t_audit_data *);
136 static void	aus_munmap(struct t_audit_data *);
137 static void	aus_priocntlsys(struct t_audit_data *);
138 static void	aus_setegid(struct t_audit_data *);
139 static void	aus_setgroups(struct t_audit_data *);
140 static void	aus_seteuid(struct t_audit_data *);
141 static void	aus_putmsg(struct t_audit_data *);
142 static void	aus_putpmsg(struct t_audit_data *);
143 static void	aus_getmsg(struct t_audit_data *);
144 static void	aus_getpmsg(struct t_audit_data *);
145 static void	aus_auditsys(struct t_audit_data *);
146 static void	aus_sysinfo(struct t_audit_data *);
147 static void	aus_modctl(struct t_audit_data *);
148 static void	aus_kill(struct t_audit_data *);
149 static void	aus_setregid(struct t_audit_data *);
150 static void	aus_setreuid(struct t_audit_data *);
151 static void	aus_labelsys(struct t_audit_data *);
152 
153 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
154 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
155 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
156 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
157 static void	auf_read(struct t_audit_data *, int, rval_t *);
158 static void	auf_write(struct t_audit_data *, int, rval_t *);
159 
160 static void	aus_sigqueue(struct t_audit_data *);
161 static void	aus_p_online(struct t_audit_data *);
162 static void	aus_processor_bind(struct t_audit_data *);
163 static void	aus_inst_sync(struct t_audit_data *);
164 static void	aus_brandsys(struct t_audit_data *);
165 
166 static void	auf_accept(struct t_audit_data *, int, rval_t *);
167 
168 static void	auf_bind(struct t_audit_data *, int, rval_t *);
169 static void	auf_connect(struct t_audit_data *, int, rval_t *);
170 static void	aus_shutdown(struct t_audit_data *);
171 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
172 static void	aus_sockconfig(struct t_audit_data *);
173 static void	auf_recv(struct t_audit_data *, int, rval_t *);
174 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
175 static void	auf_send(struct t_audit_data *, int, rval_t *);
176 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
177 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
178 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
179 static void	aus_socket(struct t_audit_data *);
180 /*
181  * This table contains mapping information for converting system call numbers
182  * to audit event IDs. In several cases it is necessary to map a single system
183  * call to several events.
184  */
185 
186 #define	aui_null	NULL	/* NULL initialize function */
187 #define	aus_null	NULL	/* NULL start function */
188 #define	auf_null	NULL	/* NULL finish function */
189 
190 struct audit_s2e audit_s2e[] =
191 {
192 /*
193  * ----------	---------- 	----------	----------
194  * INITIAL	AUDIT		START		SYSTEM
195  * PROCESSING	EVENT		PROCESSING	CALL
196  * ----------	----------	----------	-----------
197  *		FINISH		EVENT
198  *		PROCESSING	CONTROL
199  * ----------------------------------------------------------
200  */
201 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
202 		auf_null,	0,
203 aui_null,	AUE_EXIT,	aus_exit,	/* 1 exit */
204 		auf_null,	S2E_NPT,
205 aui_null,	AUE_NULL,	aus_null,	/* 2 (loadable) was forkall */
206 		auf_null,	0,
207 aui_null,	AUE_READ,	aus_null,	/* 3 read */
208 		auf_read,	S2E_PUB,
209 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
210 		auf_write,	0,
211 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
212 		auf_null,	S2E_SP,
213 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
214 		auf_null,	0,
215 aui_null,	AUE_NULL,	aus_null,	/* 7 (loadable) was wait */
216 		auf_null,	0,
217 aui_null,	AUE_NULL,	aus_null,	/* 8 (loadable) was creat */
218 		auf_null,	0,
219 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
220 		auf_null,	0,
221 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
222 		auf_null,	0,
223 aui_null,	AUE_NULL,	aus_null,	/* 11 (loadable) was exec */
224 		auf_null,	0,
225 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
226 		auf_null,	S2E_SP,
227 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
228 		auf_null,	0,
229 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
230 		auf_mknod,	0,
231 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
232 		auf_null,	0,
233 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
234 		auf_null,	0,
235 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
236 		auf_null,	0,
237 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
238 		auf_null,	S2E_PUB,
239 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
240 		auf_null,	0,
241 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
242 		auf_null,	0,
243 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
244 		auf_null,	S2E_MLD,
245 aui_null,	AUE_NULL,	aus_null,	/* 22 (loadable) was umount */
246 		auf_null,	0,
247 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
248 		auf_null,	0,
249 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
250 		auf_null,	0,
251 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 26 pcsample */
254 		auf_null,	0,
255 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
258 		auf_null,	0,
259 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 30 (loadable) was utime */
262 		auf_null,	0,
263 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
264 		auf_null,	0,
265 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
266 		auf_null,	0,
267 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
268 		auf_null,	S2E_PUB,
269 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
270 		auf_null,	0,
271 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
272 		auf_null,	S2E_PUB,
273 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
274 		auf_null,	0,
275 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
276 		auf_null,	0,
277 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
278 		auf_null,	S2E_PUB,
279 aui_setpgrp,	AUE_SETPGRP,	aus_setpgrp,	/* 39 setpgrp */
280 		auf_null,	0,
281 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
282 		auf_null,	0,
283 aui_null,	AUE_NULL,	aus_null,	/* 41 (loadable) was dup */
284 		auf_null,	0,
285 aui_null,	AUE_PIPE,	aus_null,	/* 42 (loadable) pipe */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
288 		auf_null,	0,
289 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
290 		auf_null,	0,
291 aui_null,	AUE_ACCESS,	aus_null,	/* 45 faccessat */
292 		auf_null,	S2E_PUB | S2E_ATC,
293 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
294 		auf_null,	0,
295 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
296 		auf_null,	0,
297 aui_null,	AUE_NULL,	aus_null,	/* 48 (loadable) was ssig */
298 		auf_null,	0,
299 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) msgsys */
300 		auf_msgsys,	0,
301 #if defined(__x86)
302 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
303 		auf_null,	0,
304 #else
305 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
306 		auf_null,	0,
307 #endif /* __x86 */
308 aui_null,	AUE_ACCT,	aus_acct,	/* 51 (loadable) sysacct */
309 		auf_null,	0,
310 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 (loadable) shmsys */
311 		auf_shmsys,	0,
312 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 (loadable) semsys */
313 		auf_semsys,	0,
314 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
315 		auf_null,	0,
316 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
317 		auf_null,	0,
318 aui_fchownat,	AUE_NULL,	aus_fchownat,	/* 56 fchownat */
319 		auf_null,	S2E_ATC,
320 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
321 		auf_null,	0,
322 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
323 		auf_null,	0,
324 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
325 		auf_null,	S2E_MLD,
326 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
327 		auf_null,	0,
328 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
329 		auf_null,	S2E_SP,
330 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
331 		auf_null,	0,
332 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
333 		auf_null,	0,
334 aui_null,	AUE_RENAME,	aus_null,	/* 64 renameat */
335 		auf_null,	S2E_ATC,
336 aui_unlinkat,	AUE_NULL,	aus_null,	/* 65 unlinkat */
337 		auf_null,	S2E_ATC,
338 aui_fstatat,	AUE_NULL,	aus_null,	/* 66 fstatat */
339 		auf_null,	S2E_PUB | S2E_ATC,
340 aui_fstatat,	AUE_NULL,	aus_null,	/* 67 fstatat64 */
341 		auf_null,	S2E_PUB | S2E_ATC,
342 aui_openat,	AUE_OPEN,	aus_openat,	/* 68 openat */
343 		auf_null,	S2E_SP | S2E_ATC,
344 aui_openat,	AUE_OPEN,	aus_openat,	/* 69 openat64 */
345 		auf_null,	S2E_SP | S2E_ATC,
346 aui_null,	AUE_NULL,	aus_null,	/* 70 tasksys */
347 		auf_null,	0,
348 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) acctctl */
349 		auf_null,	0,
350 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) exacct */
351 		auf_null,	0,
352 aui_null,	AUE_NULL,	aus_null,	/* 73 getpagesizes */
353 		auf_null,	0,
354 aui_null,	AUE_NULL,	aus_null,	/* 74 rctlsys */
355 		auf_null,	0,
356 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
357 		auf_null,	0,
358 aui_null,	AUE_NULL,	aus_null,	/* 76 (loadable) was fsat */
359 		auf_null,	0,
360 aui_null,	AUE_NULL,	aus_null,	/* 77 syslwp_park */
361 		auf_null,	0,
362 aui_null,	AUE_NULL,	aus_null,	/* 78 sendfilev */
363 		auf_null,	0,
364 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
365 		auf_null,	0,
366 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
367 		auf_null,	0,
368 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
369 		auf_null,	0,
370 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
371 		auf_null,	0,
372 aui_null,	AUE_NULL,	aus_null,	/* 83 ucredsys */
373 		auf_null,	0,
374 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
375 		auf_null,	0,
376 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
377 		auf_null,	0,
378 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
379 		auf_null,	0,
380 aui_null,	AUE_NULL,	aus_null,	/* 87 (loadable) was poll */
381 		auf_null,	0,
382 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
383 		auf_null,	S2E_PUB,
384 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
385 		auf_null,	0,
386 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
387 		auf_null,	S2E_PUB,
388 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
389 		auf_null,	0,
390 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
391 		auf_null,	0,
392 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
393 		auf_null,	0,
394 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
395 		auf_null,	0,
396 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
397 		auf_null,	0,
398 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) */
409 		auf_null,	0,
410 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
411 		auf_null,	0,
412 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
413 		auf_null,	S2E_PUB,
414 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
415 		auf_null,	0,
416 aui_null,	AUE_NULL,	aus_null,	/* 105 getloadavg */
417 		auf_null,	0,
418 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
419 		auf_null,	0,
420 aui_null,	AUE_NULL,	aus_null,	/* 107 waitsys */
421 		auf_null,	0,
422 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendsys */
423 		auf_null,	0,
424 #if defined(__x86)
425 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
426 		auf_null,	0,
427 #else
428 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
429 		auf_null,	0,
430 #endif /* __x86 */
431 aui_null,	AUE_UTIMES,	aus_null,	/* 110 utimesys */
432 		auf_null,	S2E_ATC,
433 aui_null,	AUE_NULL,	aus_null,	/* 111 sigresend */
434 		auf_null,	0,
435 aui_null,	AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
436 		auf_null,	0,
437 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
438 		auf_null,	S2E_PUB,
439 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
440 		auf_null,	0,
441 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
442 		auf_null,	0,
443 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
444 		auf_null,	0,
445 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
446 		auf_null,	0,
447 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
448 		auf_null,	0,
449 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
450 		auf_null,	0,
451 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
452 		auf_null,	0,
453 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
454 		auf_read,	S2E_PUB,
455 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
456 		auf_write,	0,
457 aui_null,	AUE_NULL,	aus_null,	/* 123 (loadable) was xstat */
458 		auf_null,	0,
459 aui_null,	AUE_NULL,	aus_null,	/* 124 (loadable) was lxstat */
460 		auf_null,	0,
461 aui_null,	AUE_NULL,	aus_null,	/* 125 (loadable) was fxstat */
462 		auf_null,	0,
463 aui_null,	AUE_NULL,	aus_null,	/* 126 (loadable) was xmknod */
464 		auf_null,	0,
465 aui_null,	AUE_NULL,	aus_null,	/* 127 mmapobj */
466 		auf_null,	0,
467 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
468 		auf_null,	0,
469 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
470 		auf_null,	0,
471 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
472 		auf_null,	0,
473 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
474 		auf_null,	0,
475 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
476 		auf_null,	0,
477 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
478 		auf_null,	0,
479 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
480 		auf_null,	0,
481 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
482 		auf_null,	0,
483 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
484 		auf_null,	0,
485 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
486 		auf_null,	0,
487 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
488 		auf_null,	0,
489 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
490 		auf_null,	0,
491 aui_null,	AUE_NULL,	aus_null,	/* 140 (loadable) sharefs */
492 		auf_null,	0,
493 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
494 		auf_null,	0,
495 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
496 		auf_null,	0,
497 aui_null,	AUE_NULL,	aus_null,	/* 143 (loadable) was fork1 */
498 		auf_null,	0,
499 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
500 		auf_null,	0,
501 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
502 		auf_null,	0,
503 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
504 		auf_null,	0,
505 aui_null,	AUE_NULL,	aus_null,	/* 147 (loadable) */
506 						/*	was lwp_sema_wait */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 150 lwp_detach */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 151 corectl */
515 		auf_null,	0,
516 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
517 		auf_null,	0,
518 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
519 		auf_null,	0,
520 aui_null,	AUE_NULL,	aus_null,	/* 154 (loadable) was utimes */
521 		auf_null,	0,
522 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
523 		auf_null,	0,
524 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 165 lwp_sigmask */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 166 lwp_private */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
547 		auf_null,	0,
548 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
549 		auf_null,	0,
550 aui_null,	AUE_NULL,	aus_null,	/* 169 (loadable) */
551 						/*	was lwp_mutex_lock */
552 		auf_null,	0,
553 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
554 		auf_null,	0,
555 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
556 		auf_null,	0,
557 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
558 		auf_null,	0,
559 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
560 		auf_read,	S2E_PUB,
561 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
562 		auf_write,	0,
563 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
564 		auf_null,	0,
565 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) inst_sync */
566 		auf_null,	0,
567 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
568 		auf_null,	0,
569 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) kaio */
570 		auf_null,	0,
571 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) cpc */
572 		auf_null,	0,
573 aui_null,	AUE_NULL,	aus_null,	/* 180 lgrpsys */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 181 rusagesys */
576 		auf_null,	0,
577 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
578 		auf_null,	S2E_MLD,
579 aui_null,	AUE_NULL,	aus_null,	/* 183 pollsys */
580 		auf_null,	0,
581 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
582 		auf_null,	0,
583 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
584 		auf_null,	0,
585 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
586 		auf_null,	0,
587 aui_null,	AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
588 		auf_null,	0,
589 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
590 		auf_null,	0,
591 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
592 		auf_null,	0,
593 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
594 		auf_null,	0,
595 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
596 		auf_null,	0,
597 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
600 		auf_null,	0,
601 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
602 		auf_null,	0,
603 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
612 		auf_null,	0,
613 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
614 		auf_null,	0,
615 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
616 		auf_null,	0,
617 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
618 		auf_null,	0,
619 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
620 		auf_null,	0,
621 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
622 		auf_null,	0,
623 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
624 		auf_null,	0,
625 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 208 sparc_utrap_install */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 */
640 		auf_null,	0,
641 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
642 		auf_null,	0,
643 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
644 		auf_null,	S2E_PUB,
645 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
646 		auf_null,	S2E_PUB,
647 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
648 		auf_null,	0,
649 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
650 		auf_null,	S2E_PUB,
651 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
652 		auf_null,	0,
653 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
654 		auf_null,	0,
655 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
656 		auf_null,	0,
657 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
658 		auf_read,	S2E_PUB,
659 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
660 		auf_write,	0,
661 aui_null,	AUE_NULL,	aus_null,	/* 224 (loadable) was creat64 */
662 		auf_null,	0,
663 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
664 		auf_null,	S2E_SP,
665 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
666 		auf_null,	0,
667 aui_null,	AUE_NULL,	aus_null,	/* 227 zone */
668 		auf_null,	0,
669 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) autofssys */
670 		auf_null,	0,
671 aui_null,	AUE_NULL,	aus_null,	/* 229 getcwd */
672 		auf_null,	0,
673 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
674 		auf_null,	0,
675 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
676 		auf_null,	0,
677 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
678 		auf_bind,	0,
679 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
680 		auf_null,	0,
681 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
682 		auf_accept,	0,
683 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
684 		auf_connect,	0,
685 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
686 		auf_null,	0,
687 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
688 		auf_recv,	0,
689 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
690 		auf_recvfrom,	0,
691 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
692 		auf_recvmsg,	0,
693 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
694 		auf_send,	0,
695 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
696 		auf_sendmsg,	0,
697 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
698 		auf_sendto,	0,
699 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
700 		auf_null,	0,
701 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
702 		auf_null,	0,
703 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
704 		auf_null,	0,
705 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
706 		auf_setsockopt,	0,
707 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
708 		auf_null,	0,
709 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
710 		auf_null,	0,
711 aui_null,	AUE_NTP_ADJTIME, aus_null,	/* 249 ntp_adjtime */
712 		auf_null,	0,
713 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
714 		auf_null,	0,
715 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
716 		auf_null,	0,
717 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
722 		auf_null,	0,
723 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
724 		auf_null,	0
725 };
726 
727 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
728 
729 
730 /* exit start function */
731 /*ARGSUSED*/
732 static void
733 aus_exit(struct t_audit_data *tad)
734 {
735 	uint32_t rval;
736 	struct a {
737 		long rval;
738 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
739 
740 	rval = (uint32_t)uap->rval;
741 	au_uwrite(au_to_arg32(1, "exit status", rval));
742 }
743 
744 /* acct start function */
745 /*ARGSUSED*/
746 static void
747 aus_acct(struct t_audit_data *tad)
748 {
749 	klwp_t *clwp = ttolwp(curthread);
750 	uintptr_t fname;
751 
752 	struct a {
753 		long	fname;		/* char * */
754 	} *uap = (struct a *)clwp->lwp_ap;
755 
756 	fname = (uintptr_t)uap->fname;
757 
758 	if (fname == 0)
759 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
760 }
761 
762 /* chown start function */
763 /*ARGSUSED*/
764 static void
765 aus_chown(struct t_audit_data *tad)
766 {
767 	klwp_t *clwp = ttolwp(curthread);
768 	uint32_t uid, gid;
769 
770 	struct a {
771 		long	fname;		/* char * */
772 		long	uid;
773 		long	gid;
774 	} *uap = (struct a *)clwp->lwp_ap;
775 
776 	uid = (uint32_t)uap->uid;
777 	gid = (uint32_t)uap->gid;
778 
779 	au_uwrite(au_to_arg32(2, "new file uid", uid));
780 	au_uwrite(au_to_arg32(3, "new file gid", gid));
781 }
782 
783 /* fchown start function */
784 /*ARGSUSED*/
785 static void
786 aus_fchown(struct t_audit_data *tad)
787 {
788 	klwp_t *clwp = ttolwp(curthread);
789 	uint32_t uid, gid, fd;
790 	struct file  *fp;
791 	struct vnode *vp;
792 	struct f_audit_data *fad;
793 
794 	struct a {
795 		long fd;
796 		long uid;
797 		long gid;
798 	} *uap = (struct a *)clwp->lwp_ap;
799 
800 	fd  = (uint32_t)uap->fd;
801 	uid = (uint32_t)uap->uid;
802 	gid = (uint32_t)uap->gid;
803 
804 	au_uwrite(au_to_arg32(2, "new file uid", uid));
805 	au_uwrite(au_to_arg32(3, "new file gid", gid));
806 
807 		/*
808 		 * convert file pointer to file descriptor
809 		 *   Note: fd ref count incremented here.
810 		 */
811 	if ((fp = getf(fd)) == NULL)
812 		return;
813 
814 	/* get path from file struct here */
815 	fad = F2A(fp);
816 	if (fad->fad_aupath != NULL) {
817 		au_uwrite(au_to_path(fad->fad_aupath));
818 	} else {
819 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
820 	}
821 
822 	vp = fp->f_vnode;
823 	audit_attributes(vp);
824 
825 	/* decrement file descriptor reference count */
826 	releasef(fd);
827 }
828 
829 /*ARGSUSED*/
830 static void
831 aus_lchown(struct t_audit_data *tad)
832 {
833 	klwp_t *clwp = ttolwp(curthread);
834 	uint32_t uid, gid;
835 
836 
837 	struct a {
838 		long	fname;		/* char	* */
839 		long	uid;
840 		long	gid;
841 	} *uap = (struct a *)clwp->lwp_ap;
842 
843 	uid = (uint32_t)uap->uid;
844 	gid = (uint32_t)uap->gid;
845 
846 	au_uwrite(au_to_arg32(2, "new file uid", uid));
847 	au_uwrite(au_to_arg32(3, "new file gid", gid));
848 }
849 
850 static au_event_t
851 aui_fchownat(au_event_t e)
852 {
853 	klwp_t *clwp = ttolwp(curthread);
854 
855 	struct a {
856 		long	fd;
857 		long	fname;		/* char * */
858 		long	uid;
859 		long	gid;
860 		long	flags;
861 	} *uap = (struct a *)clwp->lwp_ap;
862 
863 	if (uap->fname == NULL)
864 		e = AUE_FCHOWN;
865 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
866 		e = AUE_LCHOWN;
867 	else
868 		e = AUE_CHOWN;
869 
870 	return (e);
871 }
872 
873 /*ARGSUSED*/
874 static void
875 aus_fchownat(struct t_audit_data *tad)
876 {
877 	klwp_t *clwp = ttolwp(curthread);
878 	uint32_t uid, gid;
879 
880 	struct a {
881 		long	fd;
882 		long	fname;		/* char * */
883 		long	uid;
884 		long	gid;
885 		long	flags;
886 	} *uap = (struct a *)clwp->lwp_ap;
887 
888 	uid = (uint32_t)uap->uid;
889 	gid = (uint32_t)uap->gid;
890 
891 	au_uwrite(au_to_arg32(3, "new file uid", uid));
892 	au_uwrite(au_to_arg32(4, "new file gid", gid));
893 }
894 
895 /* chmod start function */
896 /*ARGSUSED*/
897 static void
898 aus_chmod(struct t_audit_data *tad)
899 {
900 	klwp_t *clwp = ttolwp(curthread);
901 	uint32_t fmode;
902 
903 	struct a {
904 		long	fname;		/* char	* */
905 		long	fmode;
906 	} *uap = (struct a *)clwp->lwp_ap;
907 
908 	fmode = (uint32_t)uap->fmode;
909 
910 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
911 }
912 
913 /* chmod start function */
914 /*ARGSUSED*/
915 static void
916 aus_fchmod(struct t_audit_data *tad)
917 {
918 	klwp_t *clwp = ttolwp(curthread);
919 	uint32_t fmode, fd;
920 	struct file  *fp;
921 	struct vnode *vp;
922 	struct f_audit_data *fad;
923 
924 	struct a {
925 		long	fd;
926 		long	fmode;
927 	} *uap = (struct a *)clwp->lwp_ap;
928 
929 	fd = (uint32_t)uap->fd;
930 	fmode = (uint32_t)uap->fmode;
931 
932 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
933 
934 		/*
935 		 * convert file pointer to file descriptor
936 		 *   Note: fd ref count incremented here.
937 		 */
938 	if ((fp = getf(fd)) == NULL)
939 		return;
940 
941 		/* get path from file struct here */
942 	fad = F2A(fp);
943 	if (fad->fad_aupath != NULL) {
944 		au_uwrite(au_to_path(fad->fad_aupath));
945 	} else {
946 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
947 	}
948 
949 	vp = fp->f_vnode;
950 	audit_attributes(vp);
951 
952 	/* decrement file descriptor reference count */
953 	releasef(fd);
954 }
955 
956 /*
957  * convert open mode to appropriate open event
958  */
959 au_event_t
960 open_event(uint_t fm)
961 {
962 	au_event_t e;
963 
964 	switch (fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) {
965 	case O_RDONLY:
966 		e = AUE_OPEN_R;
967 		break;
968 	case O_RDONLY | O_CREAT:
969 		e = AUE_OPEN_RC;
970 		break;
971 	case O_RDONLY | O_TRUNC:
972 		e = AUE_OPEN_RT;
973 		break;
974 	case O_RDONLY | O_TRUNC | O_CREAT:
975 		e = AUE_OPEN_RTC;
976 		break;
977 	case O_WRONLY:
978 		e = AUE_OPEN_W;
979 		break;
980 	case O_WRONLY | O_CREAT:
981 		e = AUE_OPEN_WC;
982 		break;
983 	case O_WRONLY | O_TRUNC:
984 		e = AUE_OPEN_WT;
985 		break;
986 	case O_WRONLY | O_TRUNC | O_CREAT:
987 		e = AUE_OPEN_WTC;
988 		break;
989 	case O_RDWR:
990 		e = AUE_OPEN_RW;
991 		break;
992 	case O_RDWR | O_CREAT:
993 		e = AUE_OPEN_RWC;
994 		break;
995 	case O_RDWR | O_TRUNC:
996 		e = AUE_OPEN_RWT;
997 		break;
998 	case O_RDWR | O_TRUNC | O_CREAT:
999 		e = AUE_OPEN_RWTC;
1000 		break;
1001 	default:
1002 		e = AUE_NULL;
1003 		break;
1004 	}
1005 
1006 	return (e);
1007 }
1008 
1009 /* ARGSUSED */
1010 static au_event_t
1011 aui_open(au_event_t e)
1012 {
1013 	t_audit_data_t *tad = T2A(curthread);
1014 	klwp_t *clwp = ttolwp(curthread);
1015 	uint_t fm;
1016 
1017 	struct a {
1018 		long	fnamep;		/* char	* */
1019 		long	fmode;
1020 		long	cmode;
1021 	} *uap = (struct a *)clwp->lwp_ap;
1022 
1023 	fm = (uint_t)uap->fmode;
1024 
1025 	/* convert to appropriate au_ctrl */
1026 	if (fm & (FXATTR | FXATTRDIROPEN))
1027 		tad->tad_ctrl |= PAD_ATTPATH;
1028 
1029 	return (open_event(fm));
1030 }
1031 
1032 static void
1033 aus_open(struct t_audit_data *tad)
1034 {
1035 	klwp_t *clwp = ttolwp(curthread);
1036 	uint_t fm;
1037 
1038 	struct a {
1039 		long	fnamep;		/* char	* */
1040 		long	fmode;
1041 		long	cmode;
1042 	} *uap = (struct a *)clwp->lwp_ap;
1043 
1044 	fm = (uint_t)uap->fmode;
1045 
1046 	/* If no write, create, or trunc modes, mark as a public op */
1047 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1048 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1049 }
1050 
1051 /* ARGSUSED */
1052 static au_event_t
1053 aui_openat(au_event_t e)
1054 {
1055 	t_audit_data_t *tad = T2A(curthread);
1056 	klwp_t *clwp = ttolwp(curthread);
1057 	uint_t fm;
1058 
1059 	struct a {
1060 		long	filedes;
1061 		long	fnamep;		/* char	* */
1062 		long	fmode;
1063 		long	cmode;
1064 	} *uap = (struct a *)clwp->lwp_ap;
1065 
1066 	fm = (uint_t)uap->fmode;
1067 
1068 	/* convert to appropriate au_ctrl */
1069 	if (fm & (FXATTR | FXATTRDIROPEN))
1070 		tad->tad_ctrl |= PAD_ATTPATH;
1071 
1072 	return (open_event(fm));
1073 }
1074 
1075 static void
1076 aus_openat(struct t_audit_data *tad)
1077 {
1078 	klwp_t *clwp = ttolwp(curthread);
1079 	uint_t fm;
1080 
1081 	struct a {
1082 		long	filedes;
1083 		long	fnamep;		/* char	* */
1084 		long	fmode;
1085 		long	cmode;
1086 	} *uap = (struct a *)clwp->lwp_ap;
1087 
1088 	fm = (uint_t)uap->fmode;
1089 
1090 	/* If no write, create, or trunc modes, mark as a public op */
1091 	if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1092 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1093 }
1094 
1095 static au_event_t
1096 aui_unlinkat(au_event_t e)
1097 {
1098 	klwp_t *clwp = ttolwp(curthread);
1099 
1100 	struct a {
1101 		long	filedes;
1102 		long	fnamep;		/* char	* */
1103 		long	flags;
1104 	} *uap = (struct a *)clwp->lwp_ap;
1105 
1106 	if (uap->flags & AT_REMOVEDIR)
1107 		e = AUE_RMDIR;
1108 	else
1109 		e = AUE_UNLINK;
1110 
1111 	return (e);
1112 }
1113 
1114 static au_event_t
1115 aui_fstatat(au_event_t e)
1116 {
1117 	klwp_t *clwp = ttolwp(curthread);
1118 
1119 	struct a {
1120 		long	filedes;
1121 		long	fnamep;		/* char	* */
1122 		long	statb;
1123 		long	flags;
1124 	} *uap = (struct a *)clwp->lwp_ap;
1125 
1126 	if (uap->fnamep == NULL)
1127 		e = AUE_FSTAT;
1128 	else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1129 		e = AUE_LSTAT;
1130 	else
1131 		e = AUE_STAT;
1132 
1133 	return (e);
1134 }
1135 
1136 /* msgsys */
1137 static au_event_t
1138 aui_msgsys(au_event_t e)
1139 {
1140 	klwp_t *clwp = ttolwp(curthread);
1141 	uint_t fm;
1142 
1143 	struct a {
1144 		long	id;	/* function code id */
1145 		long	ap;	/* arg pointer for recvmsg */
1146 	} *uap = (struct a *)clwp->lwp_ap;
1147 
1148 	struct b {
1149 		long	msgid;
1150 		long	cmd;
1151 		long	buf;	/* struct msqid_ds * */
1152 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1153 
1154 	fm  = (uint_t)uap->id;
1155 
1156 	switch (fm) {
1157 	case 0:		/* msgget */
1158 		e = AUE_MSGGET;
1159 		break;
1160 	case 1:		/* msgctl */
1161 		switch ((uint_t)uap1->cmd) {
1162 		case IPC_RMID:
1163 			e = AUE_MSGCTL_RMID;
1164 			break;
1165 		case IPC_SET:
1166 			e = AUE_MSGCTL_SET;
1167 			break;
1168 		case IPC_STAT:
1169 			e = AUE_MSGCTL_STAT;
1170 			break;
1171 		default:
1172 			e = AUE_MSGCTL;
1173 			break;
1174 		}
1175 		break;
1176 	case 2:		/* msgrcv */
1177 		e = AUE_MSGRCV;
1178 		break;
1179 	case 3:		/* msgsnd */
1180 		e = AUE_MSGSND;
1181 		break;
1182 	default:	/* illegal system call */
1183 		e = AUE_NULL;
1184 		break;
1185 	}
1186 
1187 	return (e);
1188 }
1189 
1190 
1191 /* shmsys */
1192 static au_event_t
1193 aui_shmsys(au_event_t e)
1194 {
1195 	klwp_t *clwp = ttolwp(curthread);
1196 	int fm;
1197 
1198 	struct a {		/* shmsys */
1199 		long	id;	/* function code id */
1200 	} *uap = (struct a *)clwp->lwp_ap;
1201 
1202 	struct b {		/* ctrl */
1203 		long	shmid;
1204 		long	cmd;
1205 		long	arg;		/* struct shmid_ds * */
1206 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1207 	fm  = (uint_t)uap->id;
1208 
1209 	switch (fm) {
1210 	case 0:		/* shmat */
1211 		e = AUE_SHMAT;
1212 		break;
1213 	case 1:		/* shmctl */
1214 		switch ((uint_t)uap1->cmd) {
1215 		case IPC_RMID:
1216 			e = AUE_SHMCTL_RMID;
1217 			break;
1218 		case IPC_SET:
1219 			e = AUE_SHMCTL_SET;
1220 			break;
1221 		case IPC_STAT:
1222 			e = AUE_SHMCTL_STAT;
1223 			break;
1224 		default:
1225 			e = AUE_SHMCTL;
1226 			break;
1227 		}
1228 		break;
1229 	case 2:		/* shmdt */
1230 		e = AUE_SHMDT;
1231 		break;
1232 	case 3:		/* shmget */
1233 		e = AUE_SHMGET;
1234 		break;
1235 	default:	/* illegal system call */
1236 		e = AUE_NULL;
1237 		break;
1238 	}
1239 
1240 	return (e);
1241 }
1242 
1243 
1244 /* semsys */
1245 static au_event_t
1246 aui_semsys(au_event_t e)
1247 {
1248 	klwp_t *clwp = ttolwp(curthread);
1249 	uint_t fm;
1250 
1251 	struct a {		/* semsys */
1252 		long	id;
1253 	} *uap = (struct a *)clwp->lwp_ap;
1254 
1255 	struct b {		/* ctrl */
1256 		long	semid;
1257 		long	semnum;
1258 		long	cmd;
1259 		long	arg;
1260 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1261 
1262 	fm = (uint_t)uap->id;
1263 
1264 	switch (fm) {
1265 	case 0:		/* semctl */
1266 		switch ((uint_t)uap1->cmd) {
1267 		case IPC_RMID:
1268 			e = AUE_SEMCTL_RMID;
1269 			break;
1270 		case IPC_SET:
1271 			e = AUE_SEMCTL_SET;
1272 			break;
1273 		case IPC_STAT:
1274 			e = AUE_SEMCTL_STAT;
1275 			break;
1276 		case GETNCNT:
1277 			e = AUE_SEMCTL_GETNCNT;
1278 			break;
1279 		case GETPID:
1280 			e = AUE_SEMCTL_GETPID;
1281 			break;
1282 		case GETVAL:
1283 			e = AUE_SEMCTL_GETVAL;
1284 			break;
1285 		case GETALL:
1286 			e = AUE_SEMCTL_GETALL;
1287 			break;
1288 		case GETZCNT:
1289 			e = AUE_SEMCTL_GETZCNT;
1290 			break;
1291 		case SETVAL:
1292 			e = AUE_SEMCTL_SETVAL;
1293 			break;
1294 		case SETALL:
1295 			e = AUE_SEMCTL_SETALL;
1296 			break;
1297 		default:
1298 			e = AUE_SEMCTL;
1299 			break;
1300 		}
1301 		break;
1302 	case 1:		/* semget */
1303 		e = AUE_SEMGET;
1304 		break;
1305 	case 2:		/* semop */
1306 		e = AUE_SEMOP;
1307 		break;
1308 	default:	/* illegal system call */
1309 		e = AUE_NULL;
1310 		break;
1311 	}
1312 
1313 	return (e);
1314 }
1315 
1316 /* utssys - uname(2), ustat(2), fusers(2) */
1317 static au_event_t
1318 aui_utssys(au_event_t e)
1319 {
1320 	klwp_t *clwp = ttolwp(curthread);
1321 	uint_t type;
1322 
1323 	struct a {
1324 		union {
1325 			long	cbuf;		/* char * */
1326 			long	ubuf;		/* struct stat * */
1327 		} ub;
1328 		union {
1329 			long	mv;	/* for USTAT */
1330 			long	flags;	/* for FUSERS */
1331 		} un;
1332 		long	type;
1333 		long	outbp;		/* char * for FUSERS */
1334 	} *uap = (struct a *)clwp->lwp_ap;
1335 
1336 	type = (uint_t)uap->type;
1337 
1338 	if (type == UTS_FUSERS)
1339 		return (e);
1340 	else
1341 		return ((au_event_t)AUE_NULL);
1342 }
1343 
1344 static au_event_t
1345 aui_fcntl(au_event_t e)
1346 {
1347 	klwp_t *clwp = ttolwp(curthread);
1348 	uint_t cmd;
1349 
1350 	struct a {
1351 		long	fdes;
1352 		long	cmd;
1353 		long	arg;
1354 	} *uap = (struct a *)clwp->lwp_ap;
1355 
1356 	cmd = (uint_t)uap->cmd;
1357 
1358 	switch (cmd) {
1359 	case F_GETLK:
1360 	case F_SETLK:
1361 	case F_SETLKW:
1362 		break;
1363 	case F_SETFL:
1364 	case F_GETFL:
1365 	case F_GETFD:
1366 		break;
1367 	default:
1368 		e = (au_event_t)AUE_NULL;
1369 		break;
1370 	}
1371 	return ((au_event_t)e);
1372 }
1373 
1374 /* null function for now */
1375 static au_event_t
1376 aui_execve(au_event_t e)
1377 {
1378 	return (e);
1379 }
1380 
1381 /*ARGSUSED*/
1382 static void
1383 aus_fcntl(struct t_audit_data *tad)
1384 {
1385 	klwp_t *clwp = ttolwp(curthread);
1386 	uint32_t cmd, fd;
1387 	struct file  *fp;
1388 	struct vnode *vp;
1389 	struct f_audit_data *fad;
1390 
1391 	struct a {
1392 		long	fd;
1393 		long	cmd;
1394 		long	arg;
1395 	} *uap = (struct a *)clwp->lwp_ap;
1396 
1397 	cmd = (uint32_t)uap->cmd;
1398 	fd  = (uint32_t)uap->fd;
1399 
1400 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1401 
1402 		/*
1403 		 * convert file pointer to file descriptor
1404 		 *   Note: fd ref count incremented here.
1405 		 */
1406 	if ((fp = getf(fd)) == NULL)
1407 		return;
1408 
1409 	/* get path from file struct here */
1410 	fad = F2A(fp);
1411 	if (fad->fad_aupath != NULL) {
1412 		au_uwrite(au_to_path(fad->fad_aupath));
1413 	} else {
1414 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1415 	}
1416 
1417 	vp = fp->f_vnode;
1418 	audit_attributes(vp);
1419 
1420 	/* decrement file descriptor reference count */
1421 	releasef(fd);
1422 }
1423 
1424 /*ARGSUSED*/
1425 static void
1426 aus_kill(struct t_audit_data *tad)
1427 {
1428 	klwp_t *clwp = ttolwp(curthread);
1429 	struct proc *p;
1430 	uint32_t signo;
1431 	uid_t uid, ruid;
1432 	gid_t gid, rgid;
1433 	pid_t pid;
1434 	const auditinfo_addr_t *ainfo;
1435 	cred_t *cr;
1436 
1437 	struct a {
1438 		long	pid;
1439 		long	signo;
1440 	} *uap = (struct a *)clwp->lwp_ap;
1441 
1442 	pid   = (pid_t)uap->pid;
1443 	signo = (uint32_t)uap->signo;
1444 
1445 	au_uwrite(au_to_arg32(2, "signal", signo));
1446 	if (pid > 0) {
1447 		mutex_enter(&pidlock);
1448 		if (((p = prfind(pid)) == (struct proc *)0) ||
1449 		    (p->p_stat == SIDL)) {
1450 			mutex_exit(&pidlock);
1451 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1452 			return;
1453 		}
1454 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1455 		mutex_exit(&pidlock);
1456 
1457 		mutex_enter(&p->p_crlock);
1458 		crhold(cr = p->p_cred);
1459 		mutex_exit(&p->p_crlock);
1460 		mutex_exit(&p->p_lock);
1461 
1462 		ainfo = crgetauinfo(cr);
1463 		if (ainfo == NULL) {
1464 			crfree(cr);
1465 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1466 			return;
1467 		}
1468 
1469 		uid  = crgetuid(cr);
1470 		gid  = crgetgid(cr);
1471 		ruid = crgetruid(cr);
1472 		rgid = crgetrgid(cr);
1473 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1474 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1475 
1476 		if (is_system_labeled())
1477 			au_uwrite(au_to_label(CR_SL(cr)));
1478 
1479 		crfree(cr);
1480 	}
1481 	else
1482 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1483 }
1484 
1485 /*ARGSUSED*/
1486 static void
1487 aus_mkdir(struct t_audit_data *tad)
1488 {
1489 	klwp_t *clwp = ttolwp(curthread);
1490 	uint32_t dmode;
1491 
1492 	struct a {
1493 		long	dirnamep;		/* char * */
1494 		long	dmode;
1495 	} *uap = (struct a *)clwp->lwp_ap;
1496 
1497 	dmode = (uint32_t)uap->dmode;
1498 
1499 	au_uwrite(au_to_arg32(2, "mode", dmode));
1500 }
1501 
1502 /*ARGSUSED*/
1503 static void
1504 aus_mknod(struct t_audit_data *tad)
1505 {
1506 	klwp_t *clwp = ttolwp(curthread);
1507 	uint32_t fmode;
1508 	dev_t dev;
1509 
1510 	struct a {
1511 		long	pnamep;		/* char * */
1512 		long	fmode;
1513 		long	dev;
1514 	} *uap = (struct a *)clwp->lwp_ap;
1515 
1516 	fmode = (uint32_t)uap->fmode;
1517 	dev   = (dev_t)uap->dev;
1518 
1519 	au_uwrite(au_to_arg32(2, "mode", fmode));
1520 #ifdef _LP64
1521 	au_uwrite(au_to_arg64(3, "dev", dev));
1522 #else
1523 	au_uwrite(au_to_arg32(3, "dev", dev));
1524 #endif
1525 }
1526 
1527 /*ARGSUSED*/
1528 static void
1529 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1530 {
1531 	klwp_t *clwp = ttolwp(curthread);
1532 	vnode_t	*dvp;
1533 	caddr_t pnamep;
1534 
1535 	struct a {
1536 		long	pnamep;		/* char * */
1537 		long	fmode;
1538 		long	dev;
1539 	} *uap = (struct a *)clwp->lwp_ap;
1540 
1541 	/* no error, then already path token in audit record */
1542 	if (error != EPERM)
1543 		return;
1544 
1545 	/* not auditing this event, nothing then to do */
1546 	if (tad->tad_flag == 0)
1547 		return;
1548 
1549 	/* do the lookup to force generation of path token */
1550 	pnamep = (caddr_t)uap->pnamep;
1551 	tad->tad_ctrl |= PAD_NOATTRB;
1552 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1553 	if (error == 0)
1554 		VN_RELE(dvp);
1555 }
1556 
1557 /*ARGSUSED*/
1558 static void
1559 aus_mount(struct t_audit_data *tad)
1560 {	/* AUS_START */
1561 	klwp_t *clwp = ttolwp(curthread);
1562 	uint32_t flags;
1563 	uintptr_t u_fstype, dataptr;
1564 	STRUCT_DECL(nfs_args, nfsargs);
1565 	size_t len;
1566 	char *fstype, *hostname;
1567 
1568 	struct a {
1569 		long	spec;		/* char    * */
1570 		long	dir;		/* char    * */
1571 		long	flags;
1572 		long	fstype;		/* char    * */
1573 		long	dataptr;	/* char    * */
1574 		long	datalen;
1575 	} *uap = (struct a *)clwp->lwp_ap;
1576 
1577 	u_fstype = (uintptr_t)uap->fstype;
1578 	flags    = (uint32_t)uap->flags;
1579 	dataptr  = (uintptr_t)uap->dataptr;
1580 
1581 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1582 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1583 		goto mount_free_fstype;
1584 
1585 	au_uwrite(au_to_arg32(3, "flags", flags));
1586 	au_uwrite(au_to_text(fstype));
1587 
1588 	if (strncmp(fstype, "nfs", 3) == 0) {
1589 
1590 		STRUCT_INIT(nfsargs, get_udatamodel());
1591 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1592 
1593 		if (copyin((caddr_t)dataptr,
1594 				STRUCT_BUF(nfsargs),
1595 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1596 			/* DEBUG debug_enter((char *)NULL); */
1597 			goto mount_free_fstype;
1598 		}
1599 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1600 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1601 				(caddr_t)hostname,
1602 				MAXNAMELEN, &len)) {
1603 			goto mount_free_hostname;
1604 		}
1605 		au_uwrite(au_to_text(hostname));
1606 		au_uwrite(au_to_arg32(3, "internal flags",
1607 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1608 
1609 mount_free_hostname:
1610 		kmem_free(hostname, MAXNAMELEN);
1611 	}
1612 
1613 mount_free_fstype:
1614 	kmem_free(fstype, MAXNAMELEN);
1615 }	/* AUS_MOUNT */
1616 
1617 static void
1618 aus_umount_path(caddr_t umount_dir)
1619 {
1620 	char			*dir_path;
1621 	struct audit_path	*path;
1622 	size_t			path_len, dir_len;
1623 
1624 	/* length alloc'd for two string pointers */
1625 	path_len = sizeof (struct audit_path) + sizeof (char *);
1626 	path = kmem_alloc(path_len, KM_SLEEP);
1627 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1628 
1629 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1630 	    MAXPATHLEN, &dir_len))
1631 		goto umount2_free_dir;
1632 
1633 	/*
1634 	 * the audit_path struct assumes that the buffer pointed to
1635 	 * by audp_sect[n] contains string 0 immediatedly followed
1636 	 * by string 1.
1637 	 */
1638 	path->audp_sect[0] = dir_path;
1639 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1640 	path->audp_size = path_len;
1641 	path->audp_ref = 1;		/* not used */
1642 	path->audp_cnt = 1;		/* one path string */
1643 
1644 	au_uwrite(au_to_path(path));
1645 
1646 umount2_free_dir:
1647 	kmem_free(dir_path, MAXPATHLEN);
1648 	kmem_free(path, path_len);
1649 }
1650 
1651 /*ARGSUSED*/
1652 static void
1653 aus_umount2(struct t_audit_data *tad)
1654 {
1655 	klwp_t			*clwp = ttolwp(curthread);
1656 	struct a {
1657 		long	dir;		/* char    * */
1658 		long	flags;
1659 	} *uap = (struct a *)clwp->lwp_ap;
1660 
1661 	aus_umount_path((caddr_t)uap->dir);
1662 
1663 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1664 }
1665 
1666 static void
1667 aus_msgsys(struct t_audit_data *tad)
1668 {
1669 	klwp_t *clwp = ttolwp(curthread);
1670 	uint32_t msgid;
1671 
1672 	struct b {
1673 		long	msgid;
1674 		long	cmd;
1675 		long	buf;		/* struct msqid_ds * */
1676 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1677 
1678 	msgid = (uint32_t)uap1->msgid;
1679 
1680 
1681 	switch (tad->tad_event) {
1682 	case AUE_MSGGET:		/* msgget */
1683 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1684 		break;
1685 	case AUE_MSGCTL:		/* msgctl */
1686 	case AUE_MSGCTL_RMID:		/* msgctl */
1687 	case AUE_MSGCTL_SET:		/* msgctl */
1688 	case AUE_MSGCTL_STAT:		/* msgctl */
1689 	case AUE_MSGRCV:		/* msgrcv */
1690 	case AUE_MSGSND:		/* msgsnd */
1691 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1692 		break;
1693 	}
1694 }
1695 
1696 /*ARGSUSED*/
1697 static void
1698 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1699 {
1700 	int id;
1701 
1702 	if (error != 0)
1703 		return;
1704 	if (tad->tad_event == AUE_MSGGET) {
1705 		uint32_t scid;
1706 		uint32_t sy_flags;
1707 
1708 		/* need to determine type of executing binary */
1709 		scid = tad->tad_scid;
1710 #ifdef _SYSCALL32_IMPL
1711 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1712 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1713 		else
1714 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1715 #else
1716 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1717 #endif
1718 		if (sy_flags == SE_32RVAL1)
1719 			id = rval->r_val1;
1720 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1721 			id = rval->r_val1;
1722 		if (sy_flags == SE_64RVAL)
1723 			id = (int)rval->r_vals;
1724 
1725 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1726 	}
1727 }
1728 
1729 static void
1730 aus_semsys(struct t_audit_data *tad)
1731 {
1732 	klwp_t *clwp = ttolwp(curthread);
1733 	uint32_t semid;
1734 
1735 	struct b {		/* ctrl */
1736 		long	semid;
1737 		long	semnum;
1738 		long	cmd;
1739 		long	arg;
1740 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1741 
1742 	semid = (uint32_t)uap1->semid;
1743 
1744 	switch (tad->tad_event) {
1745 	case AUE_SEMCTL_RMID:
1746 	case AUE_SEMCTL_STAT:
1747 	case AUE_SEMCTL_GETNCNT:
1748 	case AUE_SEMCTL_GETPID:
1749 	case AUE_SEMCTL_GETVAL:
1750 	case AUE_SEMCTL_GETALL:
1751 	case AUE_SEMCTL_GETZCNT:
1752 	case AUE_SEMCTL_SET:
1753 	case AUE_SEMCTL_SETVAL:
1754 	case AUE_SEMCTL_SETALL:
1755 	case AUE_SEMCTL:
1756 	case AUE_SEMOP:
1757 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1758 		break;
1759 	case AUE_SEMGET:
1760 		au_uwrite(au_to_arg32(1, "sem key", semid));
1761 		break;
1762 	}
1763 }
1764 
1765 /*ARGSUSED*/
1766 static void
1767 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1768 {
1769 	int id;
1770 
1771 	if (error != 0)
1772 		return;
1773 	if (tad->tad_event == AUE_SEMGET) {
1774 		uint32_t scid;
1775 		uint32_t sy_flags;
1776 
1777 		/* need to determine type of executing binary */
1778 		scid = tad->tad_scid;
1779 #ifdef _SYSCALL32_IMPL
1780 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1781 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1782 		else
1783 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1784 #else
1785 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1786 #endif
1787 		if (sy_flags == SE_32RVAL1)
1788 			id = rval->r_val1;
1789 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1790 			id = rval->r_val1;
1791 		if (sy_flags == SE_64RVAL)
1792 			id = (int)rval->r_vals;
1793 
1794 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1795 	}
1796 }
1797 
1798 /*ARGSUSED*/
1799 static void
1800 aus_close(struct t_audit_data *tad)
1801 {
1802 	klwp_t *clwp = ttolwp(curthread);
1803 	uint32_t fd;
1804 	struct file *fp;
1805 	struct f_audit_data *fad;
1806 	struct vnode *vp;
1807 	struct vattr attr;
1808 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1809 
1810 	struct a {
1811 		long	i;
1812 	} *uap = (struct a *)clwp->lwp_ap;
1813 
1814 	fd = (uint32_t)uap->i;
1815 
1816 	attr.va_mask = 0;
1817 	au_uwrite(au_to_arg32(1, "fd", fd));
1818 
1819 		/*
1820 		 * convert file pointer to file descriptor
1821 		 *   Note: fd ref count incremented here.
1822 		 */
1823 	if ((fp = getf(fd)) == NULL)
1824 		return;
1825 
1826 	fad = F2A(fp);
1827 	tad->tad_evmod = (au_emod_t)fad->fad_flags;
1828 	if (fad->fad_aupath != NULL) {
1829 		au_uwrite(au_to_path(fad->fad_aupath));
1830 		if ((vp = fp->f_vnode) != NULL) {
1831 			attr.va_mask = AT_ALL;
1832 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1833 				/*
1834 				 * When write was not used and the file can be
1835 				 * considered public, skip the audit.
1836 				 */
1837 				if (((fp->f_flag & FWRITE) == 0) &&
1838 				    file_is_public(&attr)) {
1839 					tad->tad_flag = 0;
1840 					tad->tad_evmod = 0;
1841 					/* free any residual audit data */
1842 					au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1843 					releasef(fd);
1844 					return;
1845 				}
1846 				au_uwrite(au_to_attr(&attr));
1847 				audit_sec_attributes(&(u_ad), vp);
1848 			}
1849 		}
1850 	}
1851 
1852 	/* decrement file descriptor reference count */
1853 	releasef(fd);
1854 }
1855 
1856 /*ARGSUSED*/
1857 static void
1858 aus_fstatfs(struct t_audit_data *tad)
1859 {
1860 	klwp_t *clwp = ttolwp(curthread);
1861 	uint32_t fd;
1862 	struct file  *fp;
1863 	struct vnode *vp;
1864 	struct f_audit_data *fad;
1865 
1866 	struct a {
1867 		long	fd;
1868 		long	buf;		/* struct statfs * */
1869 	} *uap = (struct a *)clwp->lwp_ap;
1870 
1871 	fd = (uint_t)uap->fd;
1872 
1873 		/*
1874 		 * convert file pointer to file descriptor
1875 		 *   Note: fd ref count incremented here.
1876 		 */
1877 	if ((fp = getf(fd)) == NULL)
1878 		return;
1879 
1880 		/* get path from file struct here */
1881 	fad = F2A(fp);
1882 	if (fad->fad_aupath != NULL) {
1883 		au_uwrite(au_to_path(fad->fad_aupath));
1884 	} else {
1885 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1886 	}
1887 
1888 	vp = fp->f_vnode;
1889 	audit_attributes(vp);
1890 
1891 	/* decrement file descriptor reference count */
1892 	releasef(fd);
1893 }
1894 
1895 static au_event_t
1896 aui_setpgrp(au_event_t e)
1897 {
1898 	klwp_t *clwp = ttolwp(curthread);
1899 	int flag;
1900 
1901 	struct a {
1902 		long	flag;
1903 		long	pid;
1904 		long	pgid;
1905 	} *uap = (struct a *)clwp->lwp_ap;
1906 
1907 	flag = (int)uap->flag;
1908 
1909 
1910 	switch (flag) {
1911 
1912 	case 1:	/* setpgrp() */
1913 		e = AUE_SETPGRP;
1914 		break;
1915 
1916 	case 3: /* setsid() */
1917 		e = AUE_SETSID;
1918 		break;
1919 
1920 	case 5: /* setpgid() */
1921 		e = AUE_SETPGID;
1922 		break;
1923 
1924 	case 0: /* getpgrp()	- not security relevant */
1925 	case 2: /* getsid()	- not security relevant */
1926 	case 4: /* getpgid() 	- not security relevant */
1927 		e = AUE_NULL;
1928 		break;
1929 
1930 	default:
1931 		e = AUE_NULL;
1932 		break;
1933 	}
1934 
1935 	return (e);
1936 }
1937 
1938 /*ARGSUSED*/
1939 static void
1940 aus_setpgrp(struct t_audit_data *tad)
1941 {
1942 	klwp_t		*clwp = ttolwp(curthread);
1943 	pid_t		pgid;
1944 	struct proc	*p;
1945 	uid_t		uid, ruid;
1946 	gid_t		gid, rgid;
1947 	pid_t		pid;
1948 	cred_t		*cr;
1949 	int		flag;
1950 	const auditinfo_addr_t	*ainfo;
1951 
1952 	struct a {
1953 		long	flag;
1954 		long	pid;
1955 		long	pgid;
1956 	} *uap = (struct a *)clwp->lwp_ap;
1957 
1958 	flag = (int)uap->flag;
1959 	pid  = (pid_t)uap->pid;
1960 	pgid = (pid_t)uap->pgid;
1961 
1962 
1963 	switch (flag) {
1964 
1965 	case 0: /* getpgrp() */
1966 	case 1: /* setpgrp() */
1967 	case 2: /* getsid() */
1968 	case 3: /* setsid() */
1969 	case 4: /* getpgid() */
1970 		break;
1971 
1972 	case 5: /* setpgid() */
1973 
1974 		/* current process? */
1975 		if (pid == 0) {
1976 			return;
1977 		}
1978 
1979 		mutex_enter(&pidlock);
1980 		p = prfind(pid);
1981 		if (p == NULL || p->p_as == &kas ||
1982 		    p->p_stat == SIDL || p->p_stat == SZOMB) {
1983 			mutex_exit(&pidlock);
1984 			return;
1985 		}
1986 		mutex_enter(&p->p_lock);	/* so process doesn't go away */
1987 		mutex_exit(&pidlock);
1988 
1989 		mutex_enter(&p->p_crlock);
1990 		crhold(cr = p->p_cred);
1991 		mutex_exit(&p->p_crlock);
1992 		mutex_exit(&p->p_lock);
1993 
1994 		ainfo = crgetauinfo(cr);
1995 		if (ainfo == NULL) {
1996 			crfree(cr);
1997 			return;
1998 		}
1999 
2000 		uid  = crgetuid(cr);
2001 		gid  = crgetgid(cr);
2002 		ruid = crgetruid(cr);
2003 		rgid = crgetrgid(cr);
2004 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2005 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2006 		crfree(cr);
2007 		au_uwrite(au_to_arg32(2, "pgid", pgid));
2008 		break;
2009 
2010 	default:
2011 		break;
2012 	}
2013 }
2014 
2015 
2016 /*ARGSUSED*/
2017 static void
2018 aus_setregid(struct t_audit_data *tad)
2019 {
2020 	klwp_t *clwp = ttolwp(curthread);
2021 	uint32_t rgid, egid;
2022 
2023 	struct a {
2024 		long	 rgid;
2025 		long	 egid;
2026 	} *uap = (struct a *)clwp->lwp_ap;
2027 
2028 	rgid  = (uint32_t)uap->rgid;
2029 	egid  = (uint32_t)uap->egid;
2030 
2031 	au_uwrite(au_to_arg32(1, "rgid", rgid));
2032 	au_uwrite(au_to_arg32(2, "egid", egid));
2033 }
2034 
2035 /*ARGSUSED*/
2036 static void
2037 aus_setgid(struct t_audit_data *tad)
2038 {
2039 	klwp_t *clwp = ttolwp(curthread);
2040 	uint32_t gid;
2041 
2042 	struct a {
2043 		long	gid;
2044 	} *uap = (struct a *)clwp->lwp_ap;
2045 
2046 	gid = (uint32_t)uap->gid;
2047 
2048 	au_uwrite(au_to_arg32(1, "gid", gid));
2049 }
2050 
2051 
2052 /*ARGSUSED*/
2053 static void
2054 aus_setreuid(struct t_audit_data *tad)
2055 {
2056 	klwp_t *clwp = ttolwp(curthread);
2057 	uint32_t ruid, euid;
2058 
2059 	struct a {
2060 		long	ruid;
2061 		long	euid;
2062 	} *uap = (struct a *)clwp->lwp_ap;
2063 
2064 	ruid = (uint32_t)uap->ruid;
2065 	euid  = (uint32_t)uap->euid;
2066 
2067 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2068 	au_uwrite(au_to_arg32(2, "euid", euid));
2069 }
2070 
2071 
2072 /*ARGSUSED*/
2073 static void
2074 aus_setuid(struct t_audit_data *tad)
2075 {
2076 	klwp_t *clwp = ttolwp(curthread);
2077 	uint32_t uid;
2078 
2079 	struct a {
2080 		long	uid;
2081 	} *uap = (struct a *)clwp->lwp_ap;
2082 
2083 	uid = (uint32_t)uap->uid;
2084 
2085 	au_uwrite(au_to_arg32(1, "uid", uid));
2086 }
2087 
2088 /*ARGSUSED*/
2089 static void
2090 aus_shmsys(struct t_audit_data *tad)
2091 {
2092 	klwp_t *clwp = ttolwp(curthread);
2093 	uint32_t id, cmd;
2094 
2095 	struct b {
2096 		long	id;
2097 		long	cmd;
2098 		long	buf;		/* struct shmid_ds * */
2099 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2100 
2101 	id  = (uint32_t)uap1->id;
2102 	cmd = (uint32_t)uap1->cmd;
2103 
2104 	switch (tad->tad_event) {
2105 	case AUE_SHMGET:			/* shmget */
2106 		au_uwrite(au_to_arg32(1, "shm key", id));
2107 		break;
2108 	case AUE_SHMCTL:			/* shmctl */
2109 	case AUE_SHMCTL_RMID:			/* shmctl */
2110 	case AUE_SHMCTL_STAT:			/* shmctl */
2111 	case AUE_SHMCTL_SET:			/* shmctl */
2112 		au_uwrite(au_to_arg32(1, "shm ID", id));
2113 		break;
2114 	case AUE_SHMDT:				/* shmdt */
2115 		au_uwrite(au_to_arg32(1, "shm adr", id));
2116 		break;
2117 	case AUE_SHMAT:				/* shmat */
2118 		au_uwrite(au_to_arg32(1, "shm ID", id));
2119 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2120 		break;
2121 	}
2122 }
2123 
2124 /*ARGSUSED*/
2125 static void
2126 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2127 {
2128 	int id;
2129 
2130 	if (error != 0)
2131 		return;
2132 	if (tad->tad_event == AUE_SHMGET) {
2133 		uint32_t scid;
2134 		uint32_t sy_flags;
2135 
2136 		/* need to determine type of executing binary */
2137 		scid = tad->tad_scid;
2138 #ifdef _SYSCALL32_IMPL
2139 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2140 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2141 		else
2142 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2143 #else
2144 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2145 #endif
2146 		if (sy_flags == SE_32RVAL1)
2147 			id = rval->r_val1;
2148 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2149 			id = rval->r_val1;
2150 		if (sy_flags == SE_64RVAL)
2151 			id = (int)rval->r_vals;
2152 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2153 	}
2154 }
2155 
2156 
2157 /*ARGSUSED*/
2158 static void
2159 aus_ioctl(struct t_audit_data *tad)
2160 {
2161 	klwp_t *clwp = ttolwp(curthread);
2162 	struct file *fp;
2163 	struct vnode *vp;
2164 	struct f_audit_data *fad;
2165 	uint32_t fd, cmd;
2166 	uintptr_t cmarg;
2167 
2168 	/* XX64 */
2169 	struct a {
2170 		long	fd;
2171 		long	cmd;
2172 		long	cmarg;		/* caddr_t */
2173 	} *uap = (struct a *)clwp->lwp_ap;
2174 
2175 	fd    = (uint32_t)uap->fd;
2176 	cmd   = (uint32_t)uap->cmd;
2177 	cmarg = (uintptr_t)uap->cmarg;
2178 
2179 		/*
2180 		 * convert file pointer to file descriptor
2181 		 *   Note: fd ref count incremented here.
2182 		 */
2183 	if ((fp = getf(fd)) == NULL) {
2184 		au_uwrite(au_to_arg32(1, "fd", fd));
2185 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2186 #ifndef _LP64
2187 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2188 #else
2189 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2190 #endif
2191 		return;
2192 	}
2193 
2194 	/* get path from file struct here */
2195 	fad = F2A(fp);
2196 	if (fad->fad_aupath != NULL) {
2197 		au_uwrite(au_to_path(fad->fad_aupath));
2198 	} else {
2199 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2200 	}
2201 
2202 	vp = fp->f_vnode;
2203 	audit_attributes(vp);
2204 
2205 	/* decrement file descriptor reference count */
2206 	releasef(fd);
2207 
2208 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2209 #ifndef _LP64
2210 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2211 #else
2212 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2213 #endif
2214 }
2215 
2216 /*
2217  * null function for memcntl for now. We might want to limit memcntl()
2218  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2219  * require privileges.
2220  */
2221 static au_event_t
2222 aui_memcntl(au_event_t e)
2223 {
2224 	return (e);
2225 }
2226 
2227 /*ARGSUSED*/
2228 static au_event_t
2229 aui_privsys(au_event_t e)
2230 {
2231 	klwp_t *clwp = ttolwp(curthread);
2232 
2233 	struct a {
2234 		long	opcode;
2235 	} *uap = (struct a *)clwp->lwp_ap;
2236 
2237 	switch (uap->opcode) {
2238 	case PRIVSYS_SETPPRIV:
2239 		return (AUE_SETPPRIV);
2240 	default:
2241 		return (AUE_NULL);
2242 	}
2243 }
2244 
2245 /*ARGSUSED*/
2246 static void
2247 aus_memcntl(struct t_audit_data *tad)
2248 {
2249 	klwp_t *clwp = ttolwp(curthread);
2250 
2251 	struct a {
2252 		long	addr;
2253 		long	len;
2254 		long	cmd;
2255 		long	arg;
2256 		long	attr;
2257 		long	mask;
2258 	} *uap = (struct a *)clwp->lwp_ap;
2259 
2260 #ifdef _LP64
2261 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2262 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2263 #else
2264 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2265 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2266 #endif
2267 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2268 #ifdef _LP64
2269 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2270 #else
2271 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2272 #endif
2273 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2274 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2275 }
2276 
2277 /*ARGSUSED*/
2278 static void
2279 aus_mmap(struct t_audit_data *tad)
2280 {
2281 	klwp_t *clwp = ttolwp(curthread);
2282 	struct file *fp;
2283 	struct f_audit_data *fad;
2284 	struct vnode *vp;
2285 	uint32_t fd;
2286 
2287 	struct a {
2288 		long	addr;
2289 		long	len;
2290 		long	prot;
2291 		long	flags;
2292 		long	fd;
2293 		long	pos;
2294 	} *uap = (struct a *)clwp->lwp_ap;
2295 
2296 	fd = (uint32_t)uap->fd;
2297 
2298 #ifdef _LP64
2299 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2300 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2301 #else
2302 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2303 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2304 #endif
2305 
2306 	if ((fp = getf(fd)) == NULL) {
2307 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2308 		return;
2309 	}
2310 
2311 	/*
2312 	 * Mark in the tad if write access is NOT requested... if
2313 	 * this is later detected (in audit_attributes) to be a
2314 	 * public object, the mmap event may be discarded.
2315 	 */
2316 	if (((uap->prot) & PROT_WRITE) == 0) {
2317 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2318 	}
2319 
2320 	fad = F2A(fp);
2321 	if (fad->fad_aupath != NULL) {
2322 		au_uwrite(au_to_path(fad->fad_aupath));
2323 	} else {
2324 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2325 	}
2326 
2327 	vp = (struct vnode *)fp->f_vnode;
2328 	audit_attributes(vp);
2329 
2330 	/* mark READ/WRITE since we can't predict access */
2331 	if (uap->prot & PROT_READ)
2332 		fad->fad_flags |= FAD_READ;
2333 	if (uap->prot & PROT_WRITE)
2334 		fad->fad_flags |= FAD_WRITE;
2335 
2336 	/* decrement file descriptor reference count */
2337 	releasef(fd);
2338 
2339 }	/* AUS_MMAP */
2340 
2341 
2342 
2343 
2344 /*ARGSUSED*/
2345 static void
2346 aus_munmap(struct t_audit_data *tad)
2347 {
2348 	klwp_t *clwp = ttolwp(curthread);
2349 
2350 	struct a {
2351 		long	addr;
2352 		long	len;
2353 	} *uap = (struct a *)clwp->lwp_ap;
2354 
2355 #ifdef _LP64
2356 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2357 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2358 #else
2359 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2360 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2361 #endif
2362 
2363 }	/* AUS_MUNMAP */
2364 
2365 
2366 
2367 
2368 
2369 
2370 
2371 /*ARGSUSED*/
2372 static void
2373 aus_priocntlsys(struct t_audit_data *tad)
2374 {
2375 	klwp_t *clwp = ttolwp(curthread);
2376 
2377 	struct a {
2378 		long	pc_version;
2379 		long	psp;		/* procset_t */
2380 		long	cmd;
2381 		long	arg;
2382 	} *uap = (struct a *)clwp->lwp_ap;
2383 
2384 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2385 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2386 
2387 }	/* AUS_PRIOCNTLSYS */
2388 
2389 
2390 /*ARGSUSED*/
2391 static void
2392 aus_setegid(struct t_audit_data *tad)
2393 {
2394 	klwp_t *clwp = ttolwp(curthread);
2395 	uint32_t gid;
2396 
2397 	struct a {
2398 		long	gid;
2399 	} *uap = (struct a *)clwp->lwp_ap;
2400 
2401 	gid = (uint32_t)uap->gid;
2402 
2403 	au_uwrite(au_to_arg32(1, "gid", gid));
2404 }	/* AUS_SETEGID */
2405 
2406 
2407 
2408 
2409 /*ARGSUSED*/
2410 static void
2411 aus_setgroups(struct t_audit_data *tad)
2412 {
2413 	klwp_t *clwp = ttolwp(curthread);
2414 	int i;
2415 	int gidsetsize;
2416 	uintptr_t gidset;
2417 	gid_t *gidlist;
2418 
2419 	struct a {
2420 		long	gidsetsize;
2421 		long	gidset;
2422 	} *uap = (struct a *)clwp->lwp_ap;
2423 
2424 	gidsetsize = (uint_t)uap->gidsetsize;
2425 	gidset = (uintptr_t)uap->gidset;
2426 
2427 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2428 		return;
2429 	if (gidsetsize != 0) {
2430 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2431 		    KM_SLEEP);
2432 		if (copyin((caddr_t)gidset, gidlist,
2433 		    gidsetsize * sizeof (gid_t)) == 0)
2434 			for (i = 0; i < gidsetsize; i++)
2435 				au_uwrite(au_to_arg32(1, "setgroups",
2436 				    (uint32_t)gidlist[i]));
2437 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2438 	} else
2439 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2440 
2441 }	/* AUS_SETGROUPS */
2442 
2443 
2444 
2445 
2446 
2447 /*ARGSUSED*/
2448 static void
2449 aus_seteuid(struct t_audit_data *tad)
2450 {
2451 	klwp_t *clwp = ttolwp(curthread);
2452 	uint32_t uid;
2453 
2454 	struct a {
2455 		long	uid;
2456 	} *uap = (struct a *)clwp->lwp_ap;
2457 
2458 	uid = (uint32_t)uap->uid;
2459 
2460 	au_uwrite(au_to_arg32(1, "euid", uid));
2461 
2462 }	/* AUS_SETEUID */
2463 
2464 /*ARGSUSED*/
2465 static void
2466 aus_putmsg(struct t_audit_data *tad)
2467 {
2468 	klwp_t *clwp = ttolwp(curthread);
2469 	uint32_t fd, pri;
2470 	struct file *fp;
2471 	struct f_audit_data *fad;
2472 
2473 	struct a {
2474 		long	fdes;
2475 		long	ctl;		/* struct strbuf * */
2476 		long	data;		/* struct strbuf * */
2477 		long	pri;
2478 	} *uap = (struct a *)clwp->lwp_ap;
2479 
2480 	fd  = (uint32_t)uap->fdes;
2481 	pri = (uint32_t)uap->pri;
2482 
2483 	au_uwrite(au_to_arg32(1, "fd", fd));
2484 
2485 	if ((fp = getf(fd)) != NULL) {
2486 		fad = F2A(fp);
2487 
2488 		fad->fad_flags |= FAD_WRITE;
2489 
2490 		/* add path name to audit record */
2491 		if (fad->fad_aupath != NULL) {
2492 			au_uwrite(au_to_path(fad->fad_aupath));
2493 		}
2494 		audit_attributes(fp->f_vnode);
2495 
2496 		releasef(fd);
2497 	}
2498 
2499 	au_uwrite(au_to_arg32(4, "pri", pri));
2500 }
2501 
2502 /*ARGSUSED*/
2503 static void
2504 aus_putpmsg(struct t_audit_data *tad)
2505 {
2506 	klwp_t *clwp = ttolwp(curthread);
2507 	uint32_t fd, pri, flags;
2508 	struct file *fp;
2509 	struct f_audit_data *fad;
2510 
2511 	struct a {
2512 		long	fdes;
2513 		long	ctl;		/* struct strbuf * */
2514 		long	data;		/* struct strbuf * */
2515 		long	pri;
2516 		long	flags;
2517 	} *uap = (struct a *)clwp->lwp_ap;
2518 
2519 	fd = (uint32_t)uap->fdes;
2520 	pri  = (uint32_t)uap->pri;
2521 	flags  = (uint32_t)uap->flags;
2522 
2523 	au_uwrite(au_to_arg32(1, "fd", fd));
2524 
2525 	if ((fp = getf(fd)) != NULL) {
2526 		fad = F2A(fp);
2527 
2528 		fad->fad_flags |= FAD_WRITE;
2529 
2530 		/* add path name to audit record */
2531 		if (fad->fad_aupath != NULL) {
2532 			au_uwrite(au_to_path(fad->fad_aupath));
2533 		}
2534 		audit_attributes(fp->f_vnode);
2535 
2536 		releasef(fd);
2537 	}
2538 
2539 
2540 	au_uwrite(au_to_arg32(4, "pri", pri));
2541 	au_uwrite(au_to_arg32(5, "flags", flags));
2542 }
2543 
2544 /*ARGSUSED*/
2545 static void
2546 aus_getmsg(struct t_audit_data *tad)
2547 {
2548 	klwp_t *clwp = ttolwp(curthread);
2549 	uint32_t fd, pri;
2550 	struct file *fp;
2551 	struct f_audit_data *fad;
2552 
2553 	struct a {
2554 		long	fdes;
2555 		long	ctl;		/* struct strbuf * */
2556 		long	data;		/* struct strbuf * */
2557 		long	pri;
2558 	} *uap = (struct a *)clwp->lwp_ap;
2559 
2560 	fd  = (uint32_t)uap->fdes;
2561 	pri = (uint32_t)uap->pri;
2562 
2563 	au_uwrite(au_to_arg32(1, "fd", fd));
2564 
2565 	if ((fp = getf(fd)) != NULL) {
2566 		fad = F2A(fp);
2567 
2568 		/*
2569 		 * read operation on this object
2570 		 */
2571 		fad->fad_flags |= FAD_READ;
2572 
2573 		/* add path name to audit record */
2574 		if (fad->fad_aupath != NULL) {
2575 			au_uwrite(au_to_path(fad->fad_aupath));
2576 		}
2577 		audit_attributes(fp->f_vnode);
2578 
2579 		releasef(fd);
2580 	}
2581 
2582 	au_uwrite(au_to_arg32(4, "pri", pri));
2583 }
2584 
2585 /*ARGSUSED*/
2586 static void
2587 aus_getpmsg(struct t_audit_data *tad)
2588 {
2589 	klwp_t *clwp = ttolwp(curthread);
2590 	uint32_t fd;
2591 	struct file *fp;
2592 	struct f_audit_data *fad;
2593 
2594 	struct a {
2595 		long	fdes;
2596 		long	ctl;		/* struct strbuf * */
2597 		long	data;		/* struct strbuf * */
2598 		long	pri;
2599 		long	flags;
2600 	} *uap = (struct a *)clwp->lwp_ap;
2601 
2602 	fd = (uint32_t)uap->fdes;
2603 
2604 	au_uwrite(au_to_arg32(1, "fd", fd));
2605 
2606 	if ((fp = getf(fd)) != NULL) {
2607 		fad = F2A(fp);
2608 
2609 		/*
2610 		 * read operation on this object
2611 		 */
2612 		fad->fad_flags |= FAD_READ;
2613 
2614 		/* add path name to audit record */
2615 		if (fad->fad_aupath != NULL) {
2616 			au_uwrite(au_to_path(fad->fad_aupath));
2617 		}
2618 		audit_attributes(fp->f_vnode);
2619 
2620 		releasef(fd);
2621 	}
2622 }
2623 
2624 static au_event_t
2625 aui_labelsys(au_event_t e)
2626 {
2627 	klwp_t *clwp = ttolwp(curthread);
2628 	uint32_t code;
2629 	uint32_t cmd;
2630 
2631 	struct a {
2632 		long	code;
2633 		long	cmd;
2634 	} *uap = (struct a *)clwp->lwp_ap;
2635 
2636 	code = (uint32_t)uap->code;
2637 	cmd = (uint32_t)uap->cmd;
2638 
2639 	/* not security relevant if not changing kernel cache */
2640 	if (cmd == TNDB_GET)
2641 		return (AUE_NULL);
2642 
2643 	switch (code) {
2644 	case TSOL_TNRH:
2645 		e = AUE_LABELSYS_TNRH;
2646 		break;
2647 	case TSOL_TNRHTP:
2648 		e = AUE_LABELSYS_TNRHTP;
2649 		break;
2650 	case TSOL_TNMLP:
2651 		e = AUE_LABELSYS_TNMLP;
2652 		break;
2653 	default:
2654 		e = AUE_NULL;
2655 		break;
2656 	}
2657 
2658 	return (e);
2659 
2660 }
2661 
2662 static void
2663 aus_labelsys(struct t_audit_data *tad)
2664 {
2665 	klwp_t *clwp = ttolwp(curthread);
2666 	uint32_t cmd;
2667 	uintptr_t a2;
2668 
2669 	struct a {
2670 		long	code;
2671 		long	cmd;
2672 		long	a2;
2673 	} *uap = (struct a *)clwp->lwp_ap;
2674 
2675 	cmd = (uint32_t)uap->cmd;
2676 	a2 = (uintptr_t)uap->a2;
2677 
2678 	switch (tad->tad_event) {
2679 	case AUE_LABELSYS_TNRH:
2680 	{
2681 		tsol_rhent_t	*rhent;
2682 		tnaddr_t	*rh_addr;
2683 
2684 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2685 
2686 		/* Remaining args don't apply for FLUSH, so skip */
2687 		if (cmd == TNDB_FLUSH)
2688 			break;
2689 
2690 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2691 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2692 			kmem_free(rhent, sizeof (tsol_rhent_t));
2693 			return;
2694 		}
2695 
2696 		rh_addr = &rhent->rh_address;
2697 		if (rh_addr->ta_family == AF_INET) {
2698 			struct in_addr	*ipaddr;
2699 
2700 			ipaddr = &(rh_addr->ta_addr_v4);
2701 			au_uwrite(au_to_in_addr(ipaddr));
2702 		} else if (rh_addr->ta_family == AF_INET6) {
2703 			int32_t		*ipaddr;
2704 
2705 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2706 			au_uwrite(au_to_in_addr_ex(ipaddr));
2707 		}
2708 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2709 
2710 		kmem_free(rhent, sizeof (tsol_rhent_t));
2711 
2712 		break;
2713 	}
2714 	case AUE_LABELSYS_TNRHTP:
2715 	{
2716 		tsol_tpent_t	*tpent;
2717 
2718 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2719 
2720 		/* Remaining args don't apply for FLUSH, so skip */
2721 		if (cmd == TNDB_FLUSH)
2722 			break;
2723 
2724 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2725 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2726 			kmem_free(tpent, sizeof (tsol_tpent_t));
2727 			return;
2728 		}
2729 
2730 		/* Make sure that the template name is null-terminated. */
2731 		*(tpent->name + TNTNAMSIZ - 1) = '\0';
2732 
2733 		au_uwrite(au_to_text(tpent->name));
2734 		kmem_free(tpent, sizeof (tsol_tpent_t));
2735 
2736 		break;
2737 	}
2738 	case AUE_LABELSYS_TNMLP:
2739 	{
2740 		tsol_mlpent_t	*mlpent;
2741 
2742 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2743 
2744 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2745 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2746 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2747 			return;
2748 		}
2749 
2750 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2751 			au_uwrite(au_to_text("shared"));
2752 		} else {
2753 			zone_t	*zone;
2754 
2755 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2756 			if (zone != NULL) {
2757 				au_uwrite(au_to_text(zone->zone_name));
2758 				zone_rele(zone);
2759 			}
2760 		}
2761 
2762 		/* Remaining args don't apply for FLUSH, so skip */
2763 		if (cmd == TNDB_FLUSH) {
2764 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2765 			break;
2766 		}
2767 
2768 		au_uwrite(au_to_arg32(2, "proto num",
2769 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2770 		au_uwrite(au_to_arg32(2, "mlp_port",
2771 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2772 
2773 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2774 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2775 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2776 
2777 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2778 
2779 		break;
2780 	}
2781 	default:
2782 		break;
2783 	}
2784 }
2785 
2786 
2787 static au_event_t
2788 aui_auditsys(au_event_t e)
2789 {
2790 	klwp_t *clwp = ttolwp(curthread);
2791 	uint32_t code;
2792 
2793 	struct a {
2794 		long	code;
2795 		long	a1;
2796 		long	a2;
2797 		long	a3;
2798 		long	a4;
2799 		long	a5;
2800 		long	a6;
2801 		long	a7;
2802 	} *uap = (struct a *)clwp->lwp_ap;
2803 
2804 	code = (uint32_t)uap->code;
2805 
2806 	switch (code) {
2807 
2808 	case BSM_GETAUID:
2809 		e = AUE_GETAUID;
2810 		break;
2811 	case BSM_SETAUID:
2812 		e = AUE_SETAUID;
2813 		break;
2814 	case BSM_GETAUDIT:
2815 		e = AUE_GETAUDIT;
2816 		break;
2817 	case BSM_GETAUDIT_ADDR:
2818 		e = AUE_GETAUDIT_ADDR;
2819 		break;
2820 	case BSM_SETAUDIT:
2821 		e = AUE_SETAUDIT;
2822 		break;
2823 	case BSM_SETAUDIT_ADDR:
2824 		e = AUE_SETAUDIT_ADDR;
2825 		break;
2826 	case BSM_AUDIT:
2827 		e = AUE_AUDIT;
2828 		break;
2829 	case BSM_AUDITCTL:
2830 		switch ((uint_t)uap->a1) {
2831 
2832 		case A_GETPOLICY:
2833 			e = AUE_AUDITON_GPOLICY;
2834 			break;
2835 		case A_SETPOLICY:
2836 			e = AUE_AUDITON_SPOLICY;
2837 			break;
2838 		case A_GETKMASK:
2839 			e = AUE_AUDITON_GETKMASK;
2840 			break;
2841 		case A_SETKMASK:
2842 			e = AUE_AUDITON_SETKMASK;
2843 			break;
2844 		case A_GETQCTRL:
2845 			e = AUE_AUDITON_GQCTRL;
2846 			break;
2847 		case A_SETQCTRL:
2848 			e = AUE_AUDITON_SQCTRL;
2849 			break;
2850 		case A_GETCWD:
2851 			e = AUE_AUDITON_GETCWD;
2852 			break;
2853 		case A_GETCAR:
2854 			e = AUE_AUDITON_GETCAR;
2855 			break;
2856 		case A_GETSTAT:
2857 			e = AUE_AUDITON_GETSTAT;
2858 			break;
2859 		case A_SETSTAT:
2860 			e = AUE_AUDITON_SETSTAT;
2861 			break;
2862 		case A_SETUMASK:
2863 			e = AUE_AUDITON_SETUMASK;
2864 			break;
2865 		case A_SETSMASK:
2866 			e = AUE_AUDITON_SETSMASK;
2867 			break;
2868 		case A_GETCOND:
2869 			e = AUE_AUDITON_GETCOND;
2870 			break;
2871 		case A_SETCOND:
2872 			e = AUE_AUDITON_SETCOND;
2873 			break;
2874 		case A_GETCLASS:
2875 			e = AUE_AUDITON_GETCLASS;
2876 			break;
2877 		case A_SETCLASS:
2878 			e = AUE_AUDITON_SETCLASS;
2879 			break;
2880 		default:
2881 			e = AUE_NULL;
2882 			break;
2883 		}
2884 		break;
2885 	default:
2886 		e = AUE_NULL;
2887 		break;
2888 	}
2889 
2890 	return (e);
2891 
2892 }	/* AUI_AUDITSYS */
2893 
2894 
2895 static void
2896 aus_auditsys(struct t_audit_data *tad)
2897 {
2898 	klwp_t *clwp = ttolwp(curthread);
2899 	uintptr_t a1, a2;
2900 	STRUCT_DECL(auditinfo, ainfo);
2901 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2902 	au_evclass_map_t event;
2903 	au_mask_t mask;
2904 	int auditstate, policy;
2905 	au_id_t auid;
2906 
2907 
2908 	struct a {
2909 		long	code;
2910 		long	a1;
2911 		long	a2;
2912 		long	a3;
2913 		long	a4;
2914 		long	a5;
2915 		long	a6;
2916 		long	a7;
2917 	} *uap = (struct a *)clwp->lwp_ap;
2918 
2919 	a1   = (uintptr_t)uap->a1;
2920 	a2   = (uintptr_t)uap->a2;
2921 
2922 	switch (tad->tad_event) {
2923 	case AUE_SETAUID:
2924 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2925 				return;
2926 		au_uwrite(au_to_arg32(2, "setauid", auid));
2927 		break;
2928 	case AUE_SETAUDIT:
2929 		STRUCT_INIT(ainfo, get_udatamodel());
2930 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2931 		    STRUCT_SIZE(ainfo))) {
2932 				return;
2933 		}
2934 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2935 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2936 #ifdef _LP64
2937 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2938 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2939 #else
2940 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2941 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2942 #endif
2943 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2944 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2945 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2946 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2947 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2948 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2949 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2950 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2951 		break;
2952 	case AUE_SETAUDIT_ADDR:
2953 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2954 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2955 		    STRUCT_SIZE(ainfo_addr))) {
2956 				return;
2957 		}
2958 		au_uwrite(au_to_arg32((char)1, "auid",
2959 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2960 #ifdef _LP64
2961 		au_uwrite(au_to_arg64((char)1, "port",
2962 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2963 #else
2964 		au_uwrite(au_to_arg32((char)1, "port",
2965 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2966 #endif
2967 		au_uwrite(au_to_arg32((char)1, "type",
2968 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2969 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2970 		    AU_IPv4) {
2971 			au_uwrite(au_to_in_addr(
2972 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2973 			    ai_termid.at_addr)));
2974 		} else {
2975 			au_uwrite(au_to_in_addr_ex(
2976 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
2977 			    ai_termid.at_addr)));
2978 		}
2979 		au_uwrite(au_to_arg32((char)1, "as_success",
2980 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2981 		au_uwrite(au_to_arg32((char)1, "as_failure",
2982 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2983 		au_uwrite(au_to_arg32((char)1, "asid",
2984 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2985 		break;
2986 	case AUE_AUDITON_SETKMASK:
2987 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2988 				return;
2989 		au_uwrite(au_to_arg32(
2990 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
2991 		au_uwrite(au_to_arg32(
2992 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2993 		break;
2994 	case AUE_AUDITON_SPOLICY:
2995 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2996 			return;
2997 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2998 		break;
2999 	case AUE_AUDITON_SQCTRL: {
3000 		STRUCT_DECL(au_qctrl, qctrl);
3001 		model_t model;
3002 
3003 		model = get_udatamodel();
3004 		STRUCT_INIT(qctrl, model);
3005 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3006 				return;
3007 		if (model == DATAMODEL_ILP32) {
3008 			au_uwrite(au_to_arg32(
3009 			    3, "setqctrl:aq_hiwater",
3010 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3011 			au_uwrite(au_to_arg32(
3012 			    3, "setqctrl:aq_lowater",
3013 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3014 			au_uwrite(au_to_arg32(
3015 			    3, "setqctrl:aq_bufsz",
3016 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3017 			au_uwrite(au_to_arg32(
3018 			    3, "setqctrl:aq_delay",
3019 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3020 		} else {
3021 			au_uwrite(au_to_arg64(
3022 			    3, "setqctrl:aq_hiwater",
3023 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3024 			au_uwrite(au_to_arg64(
3025 			    3, "setqctrl:aq_lowater",
3026 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3027 			au_uwrite(au_to_arg64(
3028 			    3, "setqctrl:aq_bufsz",
3029 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3030 			au_uwrite(au_to_arg64(
3031 			    3, "setqctrl:aq_delay",
3032 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3033 		}
3034 		break;
3035 	}
3036 	case AUE_AUDITON_SETUMASK:
3037 		STRUCT_INIT(ainfo, get_udatamodel());
3038 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3039 		    STRUCT_SIZE(ainfo))) {
3040 			return;
3041 		}
3042 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3043 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3044 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3045 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3046 		break;
3047 	case AUE_AUDITON_SETSMASK:
3048 		STRUCT_INIT(ainfo, get_udatamodel());
3049 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3050 		    STRUCT_SIZE(ainfo))) {
3051 			return;
3052 		}
3053 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3054 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3055 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3056 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3057 		break;
3058 	case AUE_AUDITON_SETCOND:
3059 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3060 			return;
3061 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3062 		break;
3063 	case AUE_AUDITON_SETCLASS:
3064 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3065 			return;
3066 		au_uwrite(au_to_arg32(
3067 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3068 		au_uwrite(au_to_arg32(
3069 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3070 		break;
3071 	case AUE_GETAUID:
3072 	case AUE_GETAUDIT:
3073 	case AUE_GETAUDIT_ADDR:
3074 	case AUE_AUDIT:
3075 	case AUE_AUDITON_GPOLICY:
3076 	case AUE_AUDITON_GQCTRL:
3077 	case AUE_AUDITON_GETKMASK:
3078 	case AUE_AUDITON_GETCWD:
3079 	case AUE_AUDITON_GETCAR:
3080 	case AUE_AUDITON_GETSTAT:
3081 	case AUE_AUDITON_SETSTAT:
3082 	case AUE_AUDITON_GETCOND:
3083 	case AUE_AUDITON_GETCLASS:
3084 		break;
3085 	default:
3086 		break;
3087 	}
3088 
3089 }	/* AUS_AUDITSYS */
3090 
3091 
3092 /* only audit privileged operations for systeminfo(2) system call */
3093 static au_event_t
3094 aui_sysinfo(au_event_t e)
3095 {
3096 	klwp_t *clwp = ttolwp(curthread);
3097 	uint32_t command;
3098 
3099 	struct a {
3100 		long	command;
3101 		long	buf;		/* char * */
3102 		long	count;
3103 	} *uap = (struct a *)clwp->lwp_ap;
3104 
3105 	command = (uint32_t)uap->command;
3106 
3107 	switch (command) {
3108 	case SI_SET_HOSTNAME:
3109 	case SI_SET_SRPC_DOMAIN:
3110 		e = (au_event_t)AUE_SYSINFO;
3111 		break;
3112 	default:
3113 		e = (au_event_t)AUE_NULL;
3114 		break;
3115 	}
3116 	return (e);
3117 }
3118 
3119 /*ARGSUSED*/
3120 static void
3121 aus_sysinfo(struct t_audit_data *tad)
3122 {
3123 	klwp_t *clwp = ttolwp(curthread);
3124 	uint32_t command;
3125 	size_t len, maxlen;
3126 	char *name;
3127 	uintptr_t buf;
3128 
3129 	struct a {
3130 		long	command;
3131 		long	buf;		/* char * */
3132 		long	count;
3133 	} *uap = (struct a *)clwp->lwp_ap;
3134 
3135 	command = (uint32_t)uap->command;
3136 	buf = (uintptr_t)uap->buf;
3137 
3138 	au_uwrite(au_to_arg32(1, "cmd", command));
3139 
3140 	switch (command) {
3141 	case SI_SET_HOSTNAME:
3142 	{
3143 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3144 			return;
3145 
3146 		maxlen = SYS_NMLN;
3147 		name = kmem_alloc(maxlen, KM_SLEEP);
3148 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3149 			break;
3150 
3151 		/*
3152 		 * Must be non-NULL string and string
3153 		 * must be less than SYS_NMLN chars.
3154 		 */
3155 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3156 			break;
3157 
3158 		au_uwrite(au_to_text(name));
3159 		break;
3160 	}
3161 
3162 	case SI_SET_SRPC_DOMAIN:
3163 	{
3164 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3165 			return;
3166 
3167 		maxlen = SYS_NMLN;
3168 		name = kmem_alloc(maxlen, KM_SLEEP);
3169 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3170 			break;
3171 
3172 		/*
3173 		 * If string passed in is longer than length
3174 		 * allowed for domain name, fail.
3175 		 */
3176 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3177 			break;
3178 
3179 		au_uwrite(au_to_text(name));
3180 		break;
3181 	}
3182 
3183 	default:
3184 		return;
3185 	}
3186 
3187 	kmem_free(name, maxlen);
3188 }
3189 
3190 static au_event_t
3191 aui_modctl(au_event_t e)
3192 {
3193 	klwp_t *clwp = ttolwp(curthread);
3194 	uint_t cmd;
3195 
3196 	struct a {
3197 		long	cmd;
3198 	} *uap = (struct a *)clwp->lwp_ap;
3199 
3200 	cmd = (uint_t)uap->cmd;
3201 
3202 	switch (cmd) {
3203 	case MODLOAD:
3204 		e = AUE_MODLOAD;
3205 		break;
3206 	case MODUNLOAD:
3207 		e = AUE_MODUNLOAD;
3208 		break;
3209 	case MODADDMAJBIND:
3210 		e = AUE_MODADDMAJ;
3211 		break;
3212 	case MODSETDEVPOLICY:
3213 		e = AUE_MODDEVPLCY;
3214 		break;
3215 	case MODALLOCPRIV:
3216 		e = AUE_MODADDPRIV;
3217 		break;
3218 	default:
3219 		e = AUE_NULL;
3220 		break;
3221 	}
3222 	return (e);
3223 }
3224 
3225 
3226 /*ARGSUSED*/
3227 static void
3228 aus_modctl(struct t_audit_data *tad)
3229 {
3230 	klwp_t *clwp = ttolwp(curthread);
3231 	void *a	= clwp->lwp_ap;
3232 	uint_t use_path;
3233 
3234 	switch (tad->tad_event) {
3235 	case AUE_MODLOAD: {
3236 		typedef struct {
3237 			long	cmd;
3238 			long	use_path;
3239 			long	filename;		/* char * */
3240 		} modloada_t;
3241 
3242 		char *filenamep;
3243 		uintptr_t fname;
3244 		extern char *default_path;
3245 
3246 		fname = (uintptr_t)((modloada_t *)a)->filename;
3247 		use_path = (uint_t)((modloada_t *)a)->use_path;
3248 
3249 			/* space to hold path */
3250 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3251 			/* get string */
3252 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3253 				/* free allocated path */
3254 			kmem_free(filenamep, MOD_MAXPATH);
3255 			return;
3256 		}
3257 			/* ensure it's null terminated */
3258 		filenamep[MOD_MAXPATH - 1] = 0;
3259 
3260 		if (use_path)
3261 			au_uwrite(au_to_text(default_path));
3262 		au_uwrite(au_to_text(filenamep));
3263 
3264 			/* release temporary memory */
3265 		kmem_free(filenamep, MOD_MAXPATH);
3266 		break;
3267 	}
3268 	case AUE_MODUNLOAD: {
3269 		typedef struct {
3270 			long	cmd;
3271 			long	id;
3272 		} modunloada_t;
3273 
3274 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3275 
3276 		au_uwrite(au_to_arg32(1, "id", id));
3277 		break;
3278 	}
3279 	case AUE_MODADDMAJ: {
3280 		STRUCT_DECL(modconfig, mc);
3281 		typedef struct {
3282 			long	cmd;
3283 			long	subcmd;
3284 			long	data;		/* int * */
3285 		} modconfiga_t;
3286 
3287 		STRUCT_DECL(aliases, alias);
3288 		caddr_t ap;
3289 		int i, num_aliases;
3290 		char *drvname, *mc_drvname;
3291 		char *name;
3292 		extern char *ddi_major_to_name(major_t);
3293 		model_t model;
3294 
3295 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3296 
3297 		model = get_udatamodel();
3298 		STRUCT_INIT(mc, model);
3299 			/* sanitize buffer */
3300 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3301 			/* get user arguments */
3302 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3303 		    STRUCT_SIZE(mc)) != 0)
3304 			return;
3305 
3306 		mc_drvname = STRUCT_FGET(mc, drvname);
3307 		if ((drvname = ddi_major_to_name(
3308 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3309 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3310 				/* safety */
3311 			if (mc_drvname[0] != '\0') {
3312 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3313 				au_uwrite(au_to_text(mc_drvname));
3314 			}
3315 				/* drvname != NULL from test above */
3316 			au_uwrite(au_to_text(drvname));
3317 			return;
3318 		}
3319 
3320 		if (mc_drvname[0] != '\0') {
3321 				/* safety */
3322 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3323 			au_uwrite(au_to_text(mc_drvname));
3324 		} else
3325 			au_uwrite(au_to_text("no drvname"));
3326 
3327 		num_aliases = STRUCT_FGET(mc, num_aliases);
3328 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3329 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3330 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3331 		STRUCT_INIT(alias, model);
3332 		for (i = 0; i < num_aliases; i++) {
3333 			bzero((caddr_t)STRUCT_BUF(alias),
3334 			    STRUCT_SIZE(alias));
3335 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3336 			    STRUCT_SIZE(alias)) != 0)
3337 				break;
3338 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3339 			    MAXMODCONFNAME, NULL) != 0) {
3340 				break;
3341 			}
3342 
3343 			au_uwrite(au_to_text(name));
3344 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3345 		}
3346 		kmem_free(name, MAXMODCONFNAME);
3347 		break;
3348 	}
3349 	default:
3350 		break;
3351 	}
3352 }
3353 
3354 
3355 /*ARGSUSED*/
3356 static void
3357 auf_accept(
3358 	struct t_audit_data *tad,
3359 	int	error,
3360 	rval_t	*rval)
3361 {
3362 	uint32_t scid;
3363 	uint32_t sy_flags;
3364 	int fd;
3365 	struct sonode *so;
3366 	char so_laddr[sizeof (struct sockaddr_in6)];
3367 	char so_faddr[sizeof (struct sockaddr_in6)];
3368 	int err;
3369 	short so_family, so_type;
3370 	int add_sock_token = 0;
3371 
3372 	/* need to determine type of executing binary */
3373 	scid = tad->tad_scid;
3374 #ifdef _SYSCALL32_IMPL
3375 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3376 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3377 	else
3378 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3379 #else
3380 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3381 #endif
3382 	if (sy_flags == SE_32RVAL1)
3383 		fd = rval->r_val1;
3384 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3385 		fd = rval->r_val1;
3386 	if (sy_flags == SE_64RVAL)
3387 		fd = (int)rval->r_vals;
3388 
3389 	if (error) {
3390 		/* can't trust socket contents. Just return */
3391 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3392 		return;
3393 	}
3394 
3395 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3396 		/*
3397 		 * not security relevant if doing a accept from non socket
3398 		 * so no extra tokens. Should probably turn off audit record
3399 		 * generation here.
3400 		 */
3401 		return;
3402 	}
3403 
3404 	so_family = so->so_family;
3405 	so_type   = so->so_type;
3406 
3407 	switch (so_family) {
3408 	case AF_INET:
3409 	case AF_INET6:
3410 		/*
3411 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3412 		 */
3413 		if (so->so_type == SOCK_STREAM) {
3414 			socklen_t len;
3415 
3416 			bzero((void *)so_laddr, sizeof (so_laddr));
3417 			bzero((void *)so_faddr, sizeof (so_faddr));
3418 
3419 			len = sizeof (so_laddr);
3420 			(void) socket_getsockname(so,
3421 			    (struct sockaddr *)so_laddr, &len, CRED());
3422 			len = sizeof (so_faddr);
3423 			(void) socket_getpeername(so,
3424 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3425 
3426 			add_sock_token = 1;
3427 		}
3428 		break;
3429 
3430 	default:
3431 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3432 		break;
3433 	}
3434 
3435 	releasef(fd);
3436 
3437 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3438 
3439 	if (add_sock_token == 0) {
3440 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3441 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3442 		return;
3443 	}
3444 
3445 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3446 
3447 }
3448 
3449 /*ARGSUSED*/
3450 static void
3451 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3452 {
3453 	struct a {
3454 		long	fd;
3455 		long	addr;
3456 		long	len;
3457 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3458 
3459 	struct sonode *so;
3460 	char so_laddr[sizeof (struct sockaddr_in6)];
3461 	char so_faddr[sizeof (struct sockaddr_in6)];
3462 	int err, fd;
3463 	socklen_t len;
3464 	short so_family, so_type;
3465 	int add_sock_token = 0;
3466 
3467 	fd = (int)uap->fd;
3468 
3469 	/*
3470 	 * bind failed, then nothing extra to add to audit record.
3471 	 */
3472 	if (error) {
3473 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3474 		/* XXX may want to add failed address some day */
3475 		return;
3476 	}
3477 
3478 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3479 		/*
3480 		 * not security relevant if doing a bind from non socket
3481 		 * so no extra tokens. Should probably turn off audit record
3482 		 * generation here.
3483 		 */
3484 		return;
3485 	}
3486 
3487 	so_family = so->so_family;
3488 	so_type   = so->so_type;
3489 
3490 	switch (so_family) {
3491 	case AF_INET:
3492 	case AF_INET6:
3493 
3494 		bzero(so_faddr, sizeof (so_faddr));
3495 		len = sizeof (so_faddr);
3496 
3497 		(void) socket_getpeername(so,
3498 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3499 		add_sock_token = 1;
3500 
3501 		break;
3502 
3503 	case AF_UNIX:
3504 		/* token added by lookup */
3505 		break;
3506 	default:
3507 		/* AF_ROUTE, AF_KEY do not support accept */
3508 		break;
3509 	}
3510 
3511 	releasef(fd);
3512 
3513 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3514 
3515 	if (add_sock_token == 0) {
3516 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3517 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3518 		return;
3519 	}
3520 
3521 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3522 
3523 }
3524 
3525 /*ARGSUSED*/
3526 static void
3527 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3528 {
3529 	struct a {
3530 		long	fd;
3531 		long	addr;
3532 		long	len;
3533 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3534 
3535 	struct sonode *so;
3536 	char so_laddr[sizeof (struct sockaddr_in6)];
3537 	char so_faddr[sizeof (struct sockaddr_in6)];
3538 	int err, fd;
3539 	socklen_t len;
3540 	short so_family, so_type;
3541 	int add_sock_token = 0;
3542 
3543 	fd = (int)uap->fd;
3544 
3545 
3546 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3547 		/*
3548 		 * not security relevant if doing a connect from non socket
3549 		 * so no extra tokens. Should probably turn off audit record
3550 		 * generation here.
3551 		 */
3552 		return;
3553 	}
3554 
3555 	so_family = so->so_family;
3556 	so_type   = so->so_type;
3557 
3558 	switch (so_family) {
3559 	case AF_INET:
3560 	case AF_INET6:
3561 
3562 		bzero(so_laddr, sizeof (so_laddr));
3563 		bzero(so_faddr, sizeof (so_faddr));
3564 
3565 		len = sizeof (so_laddr);
3566 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3567 		    &len, CRED());
3568 		if (error) {
3569 			if (uap->addr == NULL)
3570 				break;
3571 			if (uap->len <= 0)
3572 				break;
3573 			len = min(uap->len, sizeof (so_faddr));
3574 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3575 				break;
3576 #ifdef NOTYET
3577 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3578 #endif
3579 		} else {
3580 			/* sanity check on length */
3581 			len = sizeof (so_faddr);
3582 			(void) socket_getpeername(so,
3583 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3584 		}
3585 
3586 		add_sock_token = 1;
3587 
3588 		break;
3589 
3590 	case AF_UNIX:
3591 		/* does a lookup on name */
3592 		break;
3593 
3594 	default:
3595 		/* AF_ROUTE, AF_KEY do not support accept */
3596 		break;
3597 	}
3598 
3599 	releasef(fd);
3600 
3601 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3602 
3603 	if (add_sock_token == 0) {
3604 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3605 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3606 		return;
3607 	}
3608 
3609 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3610 
3611 }
3612 
3613 /*ARGSUSED*/
3614 static void
3615 aus_shutdown(struct t_audit_data *tad)
3616 {
3617 	struct a {
3618 		long	fd;
3619 		long	how;
3620 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3621 
3622 	struct sonode *so;
3623 	char so_laddr[sizeof (struct sockaddr_in6)];
3624 	char so_faddr[sizeof (struct sockaddr_in6)];
3625 	int err, fd;
3626 	socklen_t len;
3627 	short so_family, so_type;
3628 	int add_sock_token = 0;
3629 	file_t *fp;				/* unix domain sockets */
3630 	struct f_audit_data *fad;		/* unix domain sockets */
3631 
3632 	fd = (int)uap->fd;
3633 
3634 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3635 		/*
3636 		 * not security relevant if doing a shutdown using non socket
3637 		 * so no extra tokens. Should probably turn off audit record
3638 		 * generation here.
3639 		 */
3640 		return;
3641 	}
3642 
3643 	so_family = so->so_family;
3644 	so_type   = so->so_type;
3645 
3646 	switch (so_family) {
3647 	case AF_INET:
3648 	case AF_INET6:
3649 
3650 		bzero(so_laddr, sizeof (so_laddr));
3651 		bzero(so_faddr, sizeof (so_faddr));
3652 
3653 		len = sizeof (so_laddr);
3654 		(void) socket_getsockname(so,
3655 		    (struct sockaddr *)so_laddr, &len, CRED());
3656 		len = sizeof (so_faddr);
3657 		(void) socket_getpeername(so,
3658 		    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3659 
3660 		add_sock_token = 1;
3661 
3662 		break;
3663 
3664 	case AF_UNIX:
3665 
3666 		/* get path from file struct here */
3667 		fad = F2A(fp);
3668 		ASSERT(fad);
3669 
3670 		if (fad->fad_aupath != NULL) {
3671 			au_uwrite(au_to_path(fad->fad_aupath));
3672 		} else {
3673 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3674 		}
3675 
3676 		audit_attributes(fp->f_vnode);
3677 
3678 		break;
3679 
3680 	default:
3681 		/*
3682 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3683 		 * added.
3684 		 */
3685 		break;
3686 	}
3687 
3688 	releasef(fd);
3689 
3690 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3691 
3692 	if (add_sock_token == 0) {
3693 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3694 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3695 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3696 		return;
3697 	}
3698 
3699 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3700 
3701 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3702 
3703 }
3704 
3705 /*ARGSUSED*/
3706 static void
3707 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3708 {
3709 	struct a {
3710 		long	fd;
3711 		long	level;
3712 		long	optname;
3713 		long	*optval;
3714 		long	optlen;
3715 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3716 
3717 	struct sonode	*so;
3718 	char so_laddr[sizeof (struct sockaddr_in6)];
3719 	char so_faddr[sizeof (struct sockaddr_in6)];
3720 	char		val[AU_BUFSIZE];
3721 	int		err, fd;
3722 	socklen_t	len;
3723 	short so_family, so_type;
3724 	int		add_sock_token = 0;
3725 	file_t *fp;				/* unix domain sockets */
3726 	struct f_audit_data *fad;		/* unix domain sockets */
3727 
3728 	fd = (int)uap->fd;
3729 
3730 	if (error) {
3731 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3732 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3733 		/* XXX may want to include other arguments */
3734 		return;
3735 	}
3736 
3737 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3738 		/*
3739 		 * not security relevant if doing a setsockopt from non socket
3740 		 * so no extra tokens. Should probably turn off audit record
3741 		 * generation here.
3742 		 */
3743 		return;
3744 	}
3745 
3746 	so_family = so->so_family;
3747 	so_type   = so->so_type;
3748 
3749 	switch (so_family) {
3750 	case AF_INET:
3751 	case AF_INET6:
3752 		bzero((void *)so_laddr, sizeof (so_laddr));
3753 		bzero((void *)so_faddr, sizeof (so_faddr));
3754 
3755 		/* get local and foreign addresses */
3756 		len = sizeof (so_laddr);
3757 		(void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3758 		    &len, CRED());
3759 		len = sizeof (so_faddr);
3760 		(void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3761 		    &len, B_FALSE, CRED());
3762 
3763 		add_sock_token = 1;
3764 
3765 		break;
3766 
3767 	case AF_UNIX:
3768 
3769 		/* get path from file struct here */
3770 		fad = F2A(fp);
3771 		ASSERT(fad);
3772 
3773 		if (fad->fad_aupath != NULL) {
3774 			au_uwrite(au_to_path(fad->fad_aupath));
3775 		} else {
3776 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3777 		}
3778 
3779 		audit_attributes(fp->f_vnode);
3780 
3781 		break;
3782 
3783 	default:
3784 		/*
3785 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3786 		 * added.
3787 		 */
3788 		break;
3789 	}
3790 
3791 	releasef(fd);
3792 
3793 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3794 
3795 	if (add_sock_token == 0) {
3796 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3797 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3798 	}
3799 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3800 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3801 
3802 	bzero(val, sizeof (val));
3803 	len = min(uap->optlen, sizeof (val));
3804 	if ((len > 0) &&
3805 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3806 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3807 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3808 	}
3809 
3810 	if (add_sock_token == 0)
3811 		return;
3812 
3813 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3814 
3815 }
3816 
3817 /*ARGSUSED*/
3818 static void
3819 aus_sockconfig(tad)
3820 	struct t_audit_data *tad;
3821 {
3822 	struct a {
3823 		long	domain;
3824 		long	type;
3825 		long	protocol;
3826 		long	devpath;
3827 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3828 
3829 	char	*kdevpath;
3830 	int	kdevpathlen = MAXPATHLEN + 1;
3831 	size_t	size;
3832 
3833 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3834 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3835 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3836 
3837 	if (uap->devpath == 0) {
3838 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3839 	} else {
3840 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3841 
3842 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3843 			&size)) {
3844 			kmem_free(kdevpath, kdevpathlen);
3845 			return;
3846 		}
3847 
3848 		if (size > MAXPATHLEN) {
3849 			kmem_free(kdevpath, kdevpathlen);
3850 			return;
3851 		}
3852 
3853 		au_uwrite(au_to_text(kdevpath));
3854 		kmem_free(kdevpath, kdevpathlen);
3855 	}
3856 }
3857 
3858 /*
3859  * only audit recvmsg when the system call represents the creation of a new
3860  * circuit. This effectively occurs for all UDP packets and may occur for
3861  * special TCP situations where the local host has not set a local address
3862  * in the socket structure.
3863  */
3864 /*ARGSUSED*/
3865 static void
3866 auf_recvmsg(
3867 	struct t_audit_data *tad,
3868 	int error,
3869 	rval_t *rvp)
3870 {
3871 	struct a {
3872 		long	fd;
3873 		long	msg;	/* struct msghdr */
3874 		long	flags;
3875 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3876 
3877 	struct sonode	*so;
3878 	STRUCT_DECL(msghdr, msg);
3879 	caddr_t msg_name;
3880 	socklen_t msg_namelen;
3881 	int fd;
3882 	int err;
3883 	char so_laddr[sizeof (struct sockaddr_in6)];
3884 	char so_faddr[sizeof (struct sockaddr_in6)];
3885 	socklen_t len;
3886 	file_t *fp;				/* unix domain sockets */
3887 	struct f_audit_data *fad;		/* unix domain sockets */
3888 	short so_family, so_type;
3889 	int add_sock_token = 0;
3890 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3891 
3892 	fd = (int)uap->fd;
3893 
3894 	/* bail if an error */
3895 	if (error) {
3896 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3897 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3898 		return;
3899 	}
3900 
3901 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3902 		/*
3903 		 * not security relevant if doing a recvmsg from non socket
3904 		 * so no extra tokens. Should probably turn off audit record
3905 		 * generation here.
3906 		 */
3907 		return;
3908 	}
3909 
3910 	so_family = so->so_family;
3911 	so_type   = so->so_type;
3912 
3913 	/*
3914 	 * only putout SOCKET_EX token if INET/INET6 family.
3915 	 * XXX - what do we do about other families?
3916 	 */
3917 
3918 	switch (so_family) {
3919 	case AF_INET:
3920 	case AF_INET6:
3921 
3922 		/*
3923 		 * if datagram type socket, then just use what is in
3924 		 * socket structure for local address.
3925 		 * XXX - what do we do for other types?
3926 		 */
3927 		if ((so->so_type == SOCK_DGRAM) ||
3928 		    (so->so_type == SOCK_RAW)) {
3929 			add_sock_token = 1;
3930 
3931 			bzero((void *)so_laddr, sizeof (so_laddr));
3932 			bzero((void *)so_faddr, sizeof (so_faddr));
3933 
3934 			/* get local address */
3935 			len = sizeof (so_laddr);
3936 			(void) socket_getsockname(so,
3937 			    (struct sockaddr *)so_laddr, &len, CRED());
3938 
3939 			/* get peer address */
3940 			STRUCT_INIT(msg, get_udatamodel());
3941 
3942 			if (copyin((caddr_t)(uap->msg),
3943 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3944 				break;
3945 			}
3946 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3947 			if (msg_name == NULL) {
3948 				break;
3949 			}
3950 
3951 			/* length is value from recvmsg - sanity check */
3952 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3953 			if (msg_namelen == 0) {
3954 				break;
3955 			}
3956 			if (copyin(msg_name, so_faddr,
3957 			    sizeof (so_faddr)) != 0) {
3958 				break;
3959 			}
3960 
3961 		} else if (so->so_type == SOCK_STREAM) {
3962 
3963 			/* get path from file struct here */
3964 			fad = F2A(fp);
3965 			ASSERT(fad);
3966 
3967 			/*
3968 			 * already processed this file for read attempt
3969 			 */
3970 			if (fad->fad_flags & FAD_READ) {
3971 				/* don't want to audit every recvmsg attempt */
3972 				tad->tad_flag = 0;
3973 				/* free any residual audit data */
3974 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
3975 				releasef(fd);
3976 				return;
3977 			}
3978 			/*
3979 			 * mark things so we know what happened and don't
3980 			 * repeat things
3981 			 */
3982 			fad->fad_flags |= FAD_READ;
3983 
3984 			bzero((void *)so_laddr, sizeof (so_laddr));
3985 			bzero((void *)so_faddr, sizeof (so_faddr));
3986 
3987 			/* get local and foreign addresses */
3988 			len = sizeof (so_laddr);
3989 			(void) socket_getsockname(so,
3990 			    (struct sockaddr *)so_laddr, &len, CRED());
3991 			len = sizeof (so_faddr);
3992 			(void) socket_getpeername(so,
3993 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3994 
3995 			add_sock_token = 1;
3996 		}
3997 
3998 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
3999 
4000 		break;
4001 
4002 	case AF_UNIX:
4003 		/*
4004 		 * first check if this is first time through. Too much
4005 		 * duplicate code to put this in an aui_ routine.
4006 		 */
4007 
4008 		/* get path from file struct here */
4009 		fad = F2A(fp);
4010 		ASSERT(fad);
4011 
4012 		/*
4013 		 * already processed this file for read attempt
4014 		 */
4015 		if (fad->fad_flags & FAD_READ) {
4016 			releasef(fd);
4017 			/* don't want to audit every recvmsg attempt */
4018 			tad->tad_flag = 0;
4019 			/* free any residual audit data */
4020 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4021 			return;
4022 		}
4023 		/*
4024 		 * mark things so we know what happened and don't
4025 		 * repeat things
4026 		 */
4027 		fad->fad_flags |= FAD_READ;
4028 
4029 		if (fad->fad_aupath != NULL) {
4030 			au_uwrite(au_to_path(fad->fad_aupath));
4031 		} else {
4032 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4033 		}
4034 
4035 		audit_attributes(fp->f_vnode);
4036 
4037 		releasef(fd);
4038 
4039 		return;
4040 
4041 	default:
4042 		break;
4043 
4044 	}
4045 
4046 	releasef(fd);
4047 
4048 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4049 
4050 	if (add_sock_token == 0) {
4051 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4052 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4053 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4054 		return;
4055 	}
4056 
4057 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4058 
4059 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4060 
4061 }
4062 
4063 /*ARGSUSED*/
4064 static void
4065 auf_recvfrom(
4066 	struct t_audit_data *tad,
4067 	int error,
4068 	rval_t *rvp)
4069 {
4070 
4071 	struct a {
4072 		long	fd;
4073 		long	msg;	/* char */
4074 		long	len;
4075 		long	flags;
4076 		long	from;	/* struct sockaddr */
4077 		long	fromlen;
4078 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4079 
4080 	socklen_t	fromlen;
4081 	struct sonode	*so;
4082 	char so_laddr[sizeof (struct sockaddr_in6)];
4083 	char so_faddr[sizeof (struct sockaddr_in6)];
4084 	int		fd;
4085 	short so_family, so_type;
4086 	int add_sock_token = 0;
4087 	socklen_t len;
4088 	int err;
4089 	struct file *fp;
4090 	struct f_audit_data *fad;		/* unix domain sockets */
4091 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4092 
4093 	fd = (int)uap->fd;
4094 
4095 	/* bail if an error */
4096 	if (error) {
4097 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4098 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4099 		return;
4100 	}
4101 
4102 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4103 		/*
4104 		 * not security relevant if doing a recvmsg from non socket
4105 		 * so no extra tokens. Should probably turn off audit record
4106 		 * generation here.
4107 		 */
4108 		return;
4109 	}
4110 
4111 	so_family = so->so_family;
4112 	so_type   = so->so_type;
4113 
4114 	/*
4115 	 * only putout SOCKET_EX token if INET/INET6 family.
4116 	 * XXX - what do we do about other families?
4117 	 */
4118 
4119 	switch (so_family) {
4120 	case AF_INET:
4121 	case AF_INET6:
4122 
4123 		/*
4124 		 * if datagram type socket, then just use what is in
4125 		 * socket structure for local address.
4126 		 * XXX - what do we do for other types?
4127 		 */
4128 		if ((so->so_type == SOCK_DGRAM) ||
4129 		    (so->so_type == SOCK_RAW)) {
4130 			add_sock_token = 1;
4131 
4132 			/* get local address */
4133 			len = sizeof (so_laddr);
4134 			(void) socket_getsockname(so,
4135 			    (struct sockaddr *)so_laddr, &len, CRED());
4136 
4137 			/* get peer address */
4138 			bzero((void *)so_faddr, sizeof (so_faddr));
4139 
4140 			/* sanity check */
4141 			if (uap->from == NULL)
4142 				break;
4143 
4144 			/* sanity checks */
4145 			if (uap->fromlen == 0)
4146 				break;
4147 
4148 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4149 			    sizeof (fromlen)) != 0)
4150 				break;
4151 
4152 			if (fromlen == 0)
4153 				break;
4154 
4155 			/* enforce maximum size */
4156 			if (fromlen > sizeof (so_faddr))
4157 				fromlen = sizeof (so_faddr);
4158 
4159 			if (copyin((caddr_t)(uap->from), so_faddr,
4160 			    fromlen) != 0)
4161 				break;
4162 
4163 		} else if (so->so_type == SOCK_STREAM) {
4164 
4165 			/* get path from file struct here */
4166 			fad = F2A(fp);
4167 			ASSERT(fad);
4168 
4169 			/*
4170 			 * already processed this file for read attempt
4171 			 */
4172 			if (fad->fad_flags & FAD_READ) {
4173 				/* don't want to audit every recvfrom attempt */
4174 				tad->tad_flag = 0;
4175 				/* free any residual audit data */
4176 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4177 				releasef(fd);
4178 				return;
4179 			}
4180 			/*
4181 			 * mark things so we know what happened and don't
4182 			 * repeat things
4183 			 */
4184 			fad->fad_flags |= FAD_READ;
4185 
4186 			bzero((void *)so_laddr, sizeof (so_laddr));
4187 			bzero((void *)so_faddr, sizeof (so_faddr));
4188 
4189 			/* get local and foreign addresses */
4190 			len = sizeof (so_laddr);
4191 			(void) socket_getsockname(so,
4192 			    (struct sockaddr *)so_laddr, &len, CRED());
4193 			len = sizeof (so_faddr);
4194 			(void) socket_getpeername(so,
4195 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4196 
4197 			add_sock_token = 1;
4198 		}
4199 
4200 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4201 
4202 		break;
4203 
4204 	case AF_UNIX:
4205 		/*
4206 		 * first check if this is first time through. Too much
4207 		 * duplicate code to put this in an aui_ routine.
4208 		 */
4209 
4210 		/* get path from file struct here */
4211 		fad = F2A(fp);
4212 		ASSERT(fad);
4213 
4214 		/*
4215 		 * already processed this file for read attempt
4216 		 */
4217 		if (fad->fad_flags & FAD_READ) {
4218 			/* don't want to audit every recvfrom attempt */
4219 			tad->tad_flag = 0;
4220 			/* free any residual audit data */
4221 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4222 			releasef(fd);
4223 			return;
4224 		}
4225 		/*
4226 		 * mark things so we know what happened and don't
4227 		 * repeat things
4228 		 */
4229 		fad->fad_flags |= FAD_READ;
4230 
4231 		if (fad->fad_aupath != NULL) {
4232 			au_uwrite(au_to_path(fad->fad_aupath));
4233 		} else {
4234 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4235 		}
4236 
4237 		audit_attributes(fp->f_vnode);
4238 
4239 		releasef(fd);
4240 
4241 		return;
4242 
4243 	default:
4244 		break;
4245 
4246 	}
4247 
4248 	releasef(fd);
4249 
4250 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4251 
4252 	if (add_sock_token == 0) {
4253 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4254 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4255 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4256 		return;
4257 	}
4258 
4259 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4260 
4261 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4262 }
4263 
4264 /*ARGSUSED*/
4265 static void
4266 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4267 {
4268 	struct a {
4269 		long	fd;
4270 		long	msg;	/* struct msghdr */
4271 		long	flags;
4272 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4273 
4274 	struct sonode	*so;
4275 	char so_laddr[sizeof (struct sockaddr_in6)];
4276 	char so_faddr[sizeof (struct sockaddr_in6)];
4277 	int		err;
4278 	int		fd;
4279 	short so_family, so_type;
4280 	int		add_sock_token = 0;
4281 	socklen_t	len;
4282 	struct file	*fp;
4283 	struct f_audit_data *fad;
4284 	caddr_t		msg_name;
4285 	socklen_t	msg_namelen;
4286 	STRUCT_DECL(msghdr, msg);
4287 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4288 
4289 	fd = (int)uap->fd;
4290 
4291 	/* bail if an error */
4292 	if (error) {
4293 		/* XXX include destination address from system call arguments */
4294 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4295 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4296 		return;
4297 	}
4298 
4299 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4300 		/*
4301 		 * not security relevant if doing a sendmsg from non socket
4302 		 * so no extra tokens. Should probably turn off audit record
4303 		 * generation here.
4304 		 */
4305 		return;
4306 	}
4307 
4308 	so_family = so->so_family;
4309 	so_type   = so->so_type;
4310 
4311 	switch (so_family) {
4312 	case AF_INET:
4313 	case AF_INET6:
4314 		/*
4315 		 * if datagram type socket, then just use what is in
4316 		 * socket structure for local address.
4317 		 * XXX - what do we do for other types?
4318 		 */
4319 		if ((so->so_type == SOCK_DGRAM) ||
4320 		    (so->so_type == SOCK_RAW)) {
4321 
4322 			bzero((void *)so_laddr, sizeof (so_laddr));
4323 			bzero((void *)so_faddr, sizeof (so_faddr));
4324 
4325 			/* get local address */
4326 			len = sizeof (so_laddr);
4327 			(void) socket_getsockname(so,
4328 			    (struct sockaddr *)so_laddr, &len, CRED());
4329 
4330 			/* get peer address */
4331 			STRUCT_INIT(msg, get_udatamodel());
4332 
4333 			if (copyin((caddr_t)(uap->msg),
4334 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4335 				break;
4336 			}
4337 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4338 			if (msg_name == NULL)
4339 				break;
4340 
4341 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4342 			/* length is value from recvmsg - sanity check */
4343 			if (msg_namelen == 0)
4344 				break;
4345 
4346 			if (copyin(msg_name, so_faddr,
4347 			    sizeof (so_faddr)) != 0)
4348 				break;
4349 
4350 			add_sock_token = 1;
4351 
4352 		} else if (so->so_type == SOCK_STREAM) {
4353 
4354 			/* get path from file struct here */
4355 			fad = F2A(fp);
4356 			ASSERT(fad);
4357 
4358 			/*
4359 			 * already processed this file for write attempt
4360 			 */
4361 			if (fad->fad_flags & FAD_WRITE) {
4362 				releasef(fd);
4363 				/* don't want to audit every sendmsg attempt */
4364 				tad->tad_flag = 0;
4365 				/* free any residual audit data */
4366 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4367 				return;
4368 			}
4369 
4370 			/*
4371 			 * mark things so we know what happened and don't
4372 			 * repeat things
4373 			 */
4374 			fad->fad_flags |= FAD_WRITE;
4375 
4376 			bzero((void *)so_laddr, sizeof (so_laddr));
4377 			bzero((void *)so_faddr, sizeof (so_faddr));
4378 
4379 			/* get local and foreign addresses */
4380 			len = sizeof (so_laddr);
4381 			(void) socket_getsockname(so,
4382 			    (struct sockaddr *)so_laddr, &len, CRED());
4383 			len = sizeof (so_faddr);
4384 			(void) socket_getpeername(so,
4385 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4386 
4387 			add_sock_token = 1;
4388 		}
4389 
4390 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4391 
4392 		break;
4393 
4394 	case AF_UNIX:
4395 		/*
4396 		 * first check if this is first time through. Too much
4397 		 * duplicate code to put this in an aui_ routine.
4398 		 */
4399 
4400 		/* get path from file struct here */
4401 		fad = F2A(fp);
4402 		ASSERT(fad);
4403 
4404 		/*
4405 		 * already processed this file for write attempt
4406 		 */
4407 		if (fad->fad_flags & FAD_WRITE) {
4408 			releasef(fd);
4409 			/* don't want to audit every sendmsg attempt */
4410 			tad->tad_flag = 0;
4411 			/* free any residual audit data */
4412 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4413 			return;
4414 		}
4415 		/*
4416 		 * mark things so we know what happened and don't
4417 		 * repeat things
4418 		 */
4419 		fad->fad_flags |= FAD_WRITE;
4420 
4421 		if (fad->fad_aupath != NULL) {
4422 			au_uwrite(au_to_path(fad->fad_aupath));
4423 		} else {
4424 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4425 		}
4426 
4427 		audit_attributes(fp->f_vnode);
4428 
4429 		releasef(fd);
4430 
4431 		return;
4432 
4433 	default:
4434 		break;
4435 	}
4436 
4437 	releasef(fd);
4438 
4439 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4440 
4441 	if (add_sock_token == 0) {
4442 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4443 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4444 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4445 		return;
4446 	}
4447 
4448 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4449 
4450 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4451 }
4452 
4453 /*ARGSUSED*/
4454 static void
4455 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4456 {
4457 	struct a {
4458 		long	fd;
4459 		long	msg;	/* char */
4460 		long	len;
4461 		long	flags;
4462 		long	to;	/* struct sockaddr */
4463 		long	tolen;
4464 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4465 
4466 	struct sonode	*so;
4467 	char so_laddr[sizeof (struct sockaddr_in6)];
4468 	char so_faddr[sizeof (struct sockaddr_in6)];
4469 	socklen_t	tolen;
4470 	int		err;
4471 	int		fd;
4472 	socklen_t	len;
4473 	short so_family, so_type;
4474 	int		add_sock_token = 0;
4475 	struct file	*fp;
4476 	struct f_audit_data *fad;
4477 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4478 
4479 	fd = (int)uap->fd;
4480 
4481 	/* bail if an error */
4482 	if (error) {
4483 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4484 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4485 		/* XXX include destination address from system call arguments */
4486 		return;
4487 	}
4488 
4489 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4490 		/*
4491 		 * not security relevant if doing a sendto using non socket
4492 		 * so no extra tokens. Should probably turn off audit record
4493 		 * generation here.
4494 		 */
4495 		return;
4496 	}
4497 
4498 	so_family = so->so_family;
4499 	so_type   = so->so_type;
4500 
4501 	/*
4502 	 * only putout SOCKET_EX token if INET/INET6 family.
4503 	 * XXX - what do we do about other families?
4504 	 */
4505 
4506 	switch (so_family) {
4507 	case AF_INET:
4508 	case AF_INET6:
4509 
4510 		/*
4511 		 * if datagram type socket, then just use what is in
4512 		 * socket structure for local address.
4513 		 * XXX - what do we do for other types?
4514 		 */
4515 		if ((so->so_type == SOCK_DGRAM) ||
4516 		    (so->so_type == SOCK_RAW)) {
4517 
4518 			bzero((void *)so_laddr, sizeof (so_laddr));
4519 			bzero((void *)so_faddr, sizeof (so_faddr));
4520 
4521 			/* get local address */
4522 			len = sizeof (so_laddr);
4523 			(void) socket_getsockname(so,
4524 			    (struct sockaddr *)so_laddr, &len, CRED());
4525 
4526 			/* get peer address */
4527 
4528 			/* sanity check */
4529 			if (uap->to == NULL)
4530 				break;
4531 
4532 			/* sanity checks */
4533 			if (uap->tolen == 0)
4534 				break;
4535 
4536 			tolen = (socklen_t)uap->tolen;
4537 
4538 			/* enforce maximum size */
4539 			if (tolen > sizeof (so_faddr))
4540 				tolen = sizeof (so_faddr);
4541 
4542 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4543 				break;
4544 
4545 			add_sock_token = 1;
4546 		} else {
4547 			/*
4548 			 * check if this is first time through.
4549 			 */
4550 
4551 			/* get path from file struct here */
4552 			fad = F2A(fp);
4553 			ASSERT(fad);
4554 
4555 			/*
4556 			 * already processed this file for write attempt
4557 			 */
4558 			if (fad->fad_flags & FAD_WRITE) {
4559 				/* don't want to audit every sendto attempt */
4560 				tad->tad_flag = 0;
4561 				/* free any residual audit data */
4562 				au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4563 				releasef(fd);
4564 				return;
4565 			}
4566 			/*
4567 			 * mark things so we know what happened and don't
4568 			 * repeat things
4569 			 */
4570 			fad->fad_flags |= FAD_WRITE;
4571 
4572 			bzero((void *)so_laddr, sizeof (so_laddr));
4573 			bzero((void *)so_faddr, sizeof (so_faddr));
4574 
4575 			/* get local and foreign addresses */
4576 			len = sizeof (so_laddr);
4577 			(void) socket_getsockname(so,
4578 			    (struct sockaddr *)so_laddr, &len, CRED());
4579 			len = sizeof (so_faddr);
4580 			(void) socket_getpeername(so,
4581 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4582 
4583 			add_sock_token = 1;
4584 		}
4585 
4586 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4587 
4588 		break;
4589 
4590 	case AF_UNIX:
4591 		/*
4592 		 * first check if this is first time through. Too much
4593 		 * duplicate code to put this in an aui_ routine.
4594 		 */
4595 
4596 		/* get path from file struct here */
4597 		fad = F2A(fp);
4598 		ASSERT(fad);
4599 
4600 		/*
4601 		 * already processed this file for write attempt
4602 		 */
4603 		if (fad->fad_flags & FAD_WRITE) {
4604 			/* don't want to audit every sendto attempt */
4605 			tad->tad_flag = 0;
4606 			/* free any residual audit data */
4607 			au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4608 			releasef(fd);
4609 			return;
4610 		}
4611 		/*
4612 		 * mark things so we know what happened and don't
4613 		 * repeat things
4614 		 */
4615 		fad->fad_flags |= FAD_WRITE;
4616 
4617 		if (fad->fad_aupath != NULL) {
4618 			au_uwrite(au_to_path(fad->fad_aupath));
4619 		} else {
4620 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4621 		}
4622 
4623 		audit_attributes(fp->f_vnode);
4624 
4625 		releasef(fd);
4626 
4627 		return;
4628 
4629 	default:
4630 		break;
4631 
4632 	}
4633 
4634 	releasef(fd);
4635 
4636 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4637 
4638 	if (add_sock_token == 0) {
4639 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4640 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4641 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4642 		return;
4643 	}
4644 
4645 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4646 
4647 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4648 
4649 }
4650 
4651 /*
4652  * XXX socket(2) may be equivalent to open(2) on a unix domain
4653  * socket. This needs investigation.
4654  */
4655 
4656 /*ARGSUSED*/
4657 static void
4658 aus_socket(struct t_audit_data *tad)
4659 {
4660 	struct a {
4661 		long	domain;
4662 		long	type;
4663 		long	protocol;
4664 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4665 
4666 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4667 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4668 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4669 }
4670 
4671 /*ARGSUSED*/
4672 static void
4673 aus_sigqueue(struct t_audit_data *tad)
4674 {
4675 	struct a {
4676 		long	pid;
4677 		long	signo;
4678 		long	*val;
4679 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4680 	struct proc *p;
4681 	uid_t uid, ruid;
4682 	gid_t gid, rgid;
4683 	pid_t pid;
4684 	const auditinfo_addr_t *ainfo;
4685 	cred_t *cr;
4686 
4687 	pid = (pid_t)uap->pid;
4688 
4689 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4690 	if (pid > 0) {
4691 		mutex_enter(&pidlock);
4692 		if ((p = prfind(pid)) == (struct proc *)0) {
4693 			mutex_exit(&pidlock);
4694 			return;
4695 		}
4696 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4697 		mutex_exit(&pidlock);
4698 
4699 		mutex_enter(&p->p_crlock);
4700 		crhold(cr = p->p_cred);
4701 		mutex_exit(&p->p_crlock);
4702 		mutex_exit(&p->p_lock);
4703 
4704 		ainfo = crgetauinfo(cr);
4705 		if (ainfo == NULL) {
4706 			crfree(cr);
4707 			return;
4708 		}
4709 
4710 		uid  = crgetuid(cr);
4711 		gid  = crgetgid(cr);
4712 		ruid = crgetruid(cr);
4713 		rgid = crgetrgid(cr);
4714 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4715 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4716 		crfree(cr);
4717 	}
4718 	else
4719 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4720 }
4721 
4722 /*ARGSUSED*/
4723 static void
4724 aus_inst_sync(struct t_audit_data *tad)
4725 {
4726 	struct a {
4727 		long	name;	/* char */
4728 		long	flags;
4729 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4730 
4731 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4732 }
4733 
4734 /*ARGSUSED*/
4735 static void
4736 aus_brandsys(struct t_audit_data *tad)
4737 {
4738 	klwp_t *clwp = ttolwp(curthread);
4739 
4740 	struct a {
4741 		long	cmd;
4742 		long	arg1;
4743 		long	arg2;
4744 		long	arg3;
4745 		long	arg4;
4746 		long	arg5;
4747 		long	arg6;
4748 	} *uap = (struct a *)clwp->lwp_ap;
4749 
4750 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4751 #ifdef _LP64
4752 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4753 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4754 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4755 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4756 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4757 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4758 #else
4759 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4760 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4761 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4762 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4763 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4764 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4765 #endif
4766 }
4767 
4768 /*ARGSUSED*/
4769 static void
4770 aus_p_online(struct t_audit_data *tad)
4771 {
4772 	struct a {
4773 		long	processor_id;
4774 		long	flag;
4775 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4776 
4777 	struct flags {
4778 			int	flag;
4779 			char	*cflag;
4780 	} aflags[6] = {
4781 			{ P_ONLINE, "P_ONLINE"},
4782 			{ P_OFFLINE, "P_OFFLINE"},
4783 			{ P_NOINTR, "P_NOINTR"},
4784 			{ P_SPARE, "P_SPARE"},
4785 			{ P_FAULTED, "P_FAULTED"},
4786 			{ P_STATUS, "P_STATUS"}
4787 	};
4788 	int i;
4789 	char *cflag;
4790 
4791 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4792 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4793 
4794 	for (i = 0; i < 6; i++) {
4795 		if (aflags[i].flag == uap->flag)
4796 			break;
4797 	}
4798 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4799 
4800 	au_uwrite(au_to_text(cflag));
4801 }
4802 
4803 /*ARGSUSED*/
4804 static void
4805 aus_processor_bind(struct t_audit_data *tad)
4806 {
4807 	struct a {
4808 		long	id_type;
4809 		long	id;
4810 		long	processor_id;
4811 		long	obind;
4812 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4813 
4814 	struct proc *p;
4815 	int lwpcnt;
4816 	uid_t uid, ruid;
4817 	gid_t gid, rgid;
4818 	pid_t pid;
4819 	const auditinfo_addr_t *ainfo;
4820 	cred_t *cr;
4821 
4822 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4823 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4824 	if (uap->processor_id == PBIND_NONE)
4825 		au_uwrite(au_to_text("PBIND_NONE"));
4826 	else
4827 		au_uwrite(au_to_arg32(3, "processor_id",
4828 		    (uint32_t)uap->processor_id));
4829 
4830 	switch (uap->id_type) {
4831 	case P_MYID:
4832 	case P_LWPID:
4833 		mutex_enter(&pidlock);
4834 		p = ttoproc(curthread);
4835 		if (p == NULL || p->p_as == &kas) {
4836 			mutex_exit(&pidlock);
4837 			return;
4838 		}
4839 		mutex_enter(&p->p_lock);
4840 		mutex_exit(&pidlock);
4841 		lwpcnt = p->p_lwpcnt;
4842 		pid  = p->p_pid;
4843 
4844 		mutex_enter(&p->p_crlock);
4845 		crhold(cr = p->p_cred);
4846 		mutex_exit(&p->p_crlock);
4847 		mutex_exit(&p->p_lock);
4848 
4849 		ainfo = crgetauinfo(cr);
4850 		if (ainfo == NULL) {
4851 			crfree(cr);
4852 			return;
4853 		}
4854 
4855 		uid  = crgetuid(cr);
4856 		gid  = crgetgid(cr);
4857 		ruid = crgetruid(cr);
4858 		rgid = crgetrgid(cr);
4859 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4860 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4861 		crfree(cr);
4862 		break;
4863 	case P_PID:
4864 		mutex_enter(&pidlock);
4865 		p = prfind(uap->id);
4866 		if (p == NULL || p->p_as == &kas) {
4867 			mutex_exit(&pidlock);
4868 			return;
4869 		}
4870 		mutex_enter(&p->p_lock);
4871 		mutex_exit(&pidlock);
4872 		lwpcnt = p->p_lwpcnt;
4873 		pid  = p->p_pid;
4874 
4875 		mutex_enter(&p->p_crlock);
4876 		crhold(cr = p->p_cred);
4877 		mutex_exit(&p->p_crlock);
4878 		mutex_exit(&p->p_lock);
4879 
4880 		ainfo = crgetauinfo(cr);
4881 		if (ainfo == NULL) {
4882 			crfree(cr);
4883 			return;
4884 		}
4885 
4886 		uid  = crgetuid(cr);
4887 		gid  = crgetgid(cr);
4888 		ruid = crgetruid(cr);
4889 		rgid = crgetrgid(cr);
4890 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4891 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4892 		crfree(cr);
4893 
4894 		break;
4895 	default:
4896 		return;
4897 	}
4898 
4899 	if (uap->processor_id == PBIND_NONE &&
4900 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4901 		au_uwrite(au_to_text("PBIND_NONE for process"));
4902 	else
4903 		au_uwrite(au_to_arg32(3, "processor_id",
4904 		    (uint32_t)uap->processor_id));
4905 }
4906 
4907 /*ARGSUSED*/
4908 static au_event_t
4909 aui_doorfs(au_event_t e)
4910 {
4911 	uint32_t code;
4912 
4913 	struct a {		/* doorfs */
4914 		long	a1;
4915 		long	a2;
4916 		long	a3;
4917 		long	a4;
4918 		long	a5;
4919 		long	code;
4920 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4921 
4922 	/*
4923 	 *	audit formats for several of the
4924 	 *	door calls have not yet been determined
4925 	 */
4926 	code = (uint32_t)uap->code;
4927 	switch (code) {
4928 	case DOOR_CALL:
4929 		e = AUE_DOORFS_DOOR_CALL;
4930 		break;
4931 	case DOOR_RETURN:
4932 		e = AUE_NULL;
4933 		break;
4934 	case DOOR_CREATE:
4935 		e = AUE_DOORFS_DOOR_CREATE;
4936 		break;
4937 	case DOOR_REVOKE:
4938 		e = AUE_DOORFS_DOOR_REVOKE;
4939 		break;
4940 	case DOOR_INFO:
4941 		e = AUE_NULL;
4942 		break;
4943 	case DOOR_UCRED:
4944 		e = AUE_NULL;
4945 		break;
4946 	case DOOR_BIND:
4947 		e = AUE_NULL;
4948 		break;
4949 	case DOOR_UNBIND:
4950 		e = AUE_NULL;
4951 		break;
4952 	case DOOR_GETPARAM:
4953 		e = AUE_NULL;
4954 		break;
4955 	case DOOR_SETPARAM:
4956 		e = AUE_NULL;
4957 		break;
4958 	default:	/* illegal system call */
4959 		e = AUE_NULL;
4960 		break;
4961 	}
4962 
4963 	return (e);
4964 }
4965 
4966 static door_node_t *
4967 au_door_lookup(int did)
4968 {
4969 	vnode_t	*vp;
4970 	file_t *fp;
4971 
4972 	if ((fp = getf(did)) == NULL)
4973 		return (NULL);
4974 	/*
4975 	 * Use the underlying vnode (we may be namefs mounted)
4976 	 */
4977 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
4978 		vp = fp->f_vnode;
4979 
4980 	if (vp == NULL || vp->v_type != VDOOR) {
4981 		releasef(did);
4982 		return (NULL);
4983 	}
4984 
4985 	return (VTOD(vp));
4986 }
4987 
4988 /*ARGSUSED*/
4989 static void
4990 aus_doorfs(struct t_audit_data *tad)
4991 {
4992 
4993 	struct a {		/* doorfs */
4994 		long	a1;
4995 		long	a2;
4996 		long	a3;
4997 		long	a4;
4998 		long	a5;
4999 		long	code;
5000 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5001 
5002 	door_node_t	*dp;
5003 	struct proc	*p;
5004 	uint32_t	did;
5005 	uid_t uid, ruid;
5006 	gid_t gid, rgid;
5007 	pid_t pid;
5008 	const auditinfo_addr_t *ainfo;
5009 	cred_t *cr;
5010 
5011 	did = (uint32_t)uap->a1;
5012 
5013 	switch (tad->tad_event) {
5014 	case AUE_DOORFS_DOOR_CALL:
5015 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5016 		if ((dp = au_door_lookup(did)) == NULL)
5017 			break;
5018 
5019 		if (DOOR_INVALID(dp)) {
5020 			releasef(did);
5021 			break;
5022 		}
5023 
5024 		if ((p = dp->door_target) == NULL) {
5025 			releasef(did);
5026 			break;
5027 		}
5028 		mutex_enter(&p->p_lock);
5029 		releasef(did);
5030 
5031 		pid  = p->p_pid;
5032 
5033 		mutex_enter(&p->p_crlock);
5034 		crhold(cr = p->p_cred);
5035 		mutex_exit(&p->p_crlock);
5036 		mutex_exit(&p->p_lock);
5037 
5038 		ainfo = crgetauinfo(cr);
5039 		if (ainfo == NULL) {
5040 			crfree(cr);
5041 			return;
5042 		}
5043 		uid  = crgetuid(cr);
5044 		gid  = crgetgid(cr);
5045 		ruid = crgetruid(cr);
5046 		rgid = crgetrgid(cr);
5047 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5048 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5049 		crfree(cr);
5050 		break;
5051 	case AUE_DOORFS_DOOR_RETURN:
5052 		/*
5053 		 * We may want to write information about
5054 		 * all doors (if any) which will be copied
5055 		 * by this call to the user space
5056 		 */
5057 		break;
5058 	case AUE_DOORFS_DOOR_CREATE:
5059 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5060 		break;
5061 	case AUE_DOORFS_DOOR_REVOKE:
5062 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5063 		break;
5064 	case AUE_DOORFS_DOOR_INFO:
5065 		break;
5066 	case AUE_DOORFS_DOOR_CRED:
5067 		break;
5068 	case AUE_DOORFS_DOOR_BIND:
5069 		break;
5070 	case AUE_DOORFS_DOOR_UNBIND: {
5071 		break;
5072 	}
5073 	default:	/* illegal system call */
5074 		break;
5075 	}
5076 }
5077 
5078 /*ARGSUSED*/
5079 static au_event_t
5080 aui_acl(au_event_t e)
5081 {
5082 	struct a {
5083 		union {
5084 			long	name;	/* char */
5085 			long	fd;
5086 		}		obj;
5087 
5088 		long		cmd;
5089 		long		nentries;
5090 		long		arg;	/* aclent_t */
5091 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5092 
5093 	switch (uap->cmd) {
5094 	case SETACL:
5095 	case ACE_SETACL:
5096 		/*
5097 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5098 		 * are expected.
5099 		 */
5100 		break;
5101 	case GETACL:
5102 	case GETACLCNT:
5103 	case ACE_GETACL:
5104 	case ACE_GETACLCNT:
5105 		/* do nothing for these four values. */
5106 		e = AUE_NULL;
5107 		break;
5108 	default:
5109 		/* illegal system call */
5110 		break;
5111 	}
5112 
5113 	return (e);
5114 }
5115 
5116 static void
5117 au_acl(int cmd, int nentries, caddr_t bufp)
5118 {
5119 	size_t		a_size;
5120 	aclent_t	*aclbufp;
5121 	ace_t		*acebufp;
5122 	int		i;
5123 
5124 	switch (cmd) {
5125 	case GETACL:
5126 	case GETACLCNT:
5127 		break;
5128 	case SETACL:
5129 		if (nentries < 3)
5130 			break;
5131 
5132 		a_size = nentries * sizeof (aclent_t);
5133 
5134 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5135 			break;
5136 		if (copyin(bufp, aclbufp, a_size)) {
5137 			kmem_free(aclbufp, a_size);
5138 			break;
5139 		}
5140 		for (i = 0; i < nentries; i++) {
5141 			au_uwrite(au_to_acl(aclbufp + i));
5142 		}
5143 		kmem_free(aclbufp, a_size);
5144 		break;
5145 
5146 	case ACE_SETACL:
5147 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5148 			break;
5149 
5150 		a_size = nentries * sizeof (ace_t);
5151 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5152 			break;
5153 		if (copyin(bufp, acebufp, a_size)) {
5154 			kmem_free(acebufp, a_size);
5155 			break;
5156 		}
5157 		for (i = 0; i < nentries; i++) {
5158 			au_uwrite(au_to_ace(acebufp + i));
5159 		}
5160 		kmem_free(acebufp, a_size);
5161 		break;
5162 	default:
5163 		break;
5164 	}
5165 }
5166 
5167 /*ARGSUSED*/
5168 static void
5169 aus_acl(struct t_audit_data *tad)
5170 {
5171 	struct a {
5172 		long	fname;
5173 		long	cmd;
5174 		long	nentries;
5175 		long	aclbufp;
5176 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5177 
5178 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5179 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5180 
5181 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5182 }
5183 
5184 /*ARGSUSED*/
5185 static void
5186 aus_facl(struct t_audit_data *tad)
5187 {
5188 	struct a {
5189 		long	fd;
5190 		long	cmd;
5191 		long	nentries;
5192 		long	aclbufp;
5193 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5194 	struct file  *fp;
5195 	struct vnode *vp;
5196 	struct f_audit_data *fad;
5197 	int fd;
5198 
5199 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5200 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5201 
5202 	fd = (int)uap->fd;
5203 
5204 	if ((fp = getf(fd)) == NULL)
5205 		return;
5206 
5207 	/* get path from file struct here */
5208 	fad = F2A(fp);
5209 	if (fad->fad_aupath != NULL) {
5210 		au_uwrite(au_to_path(fad->fad_aupath));
5211 	} else {
5212 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5213 	}
5214 
5215 	vp = fp->f_vnode;
5216 	audit_attributes(vp);
5217 
5218 	/* decrement file descriptor reference count */
5219 	releasef(fd);
5220 
5221 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5222 }
5223 
5224 /*ARGSUSED*/
5225 static void
5226 auf_read(tad, error, rval)
5227 	struct t_audit_data *tad;
5228 	int error;
5229 	rval_t *rval;
5230 {
5231 	struct file *fp;
5232 	struct f_audit_data *fad;
5233 	int fd;
5234 	register struct a {
5235 		long	fd;
5236 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5237 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5238 
5239 	fd = (int)uap->fd;
5240 
5241 	/*
5242 	 * convert file pointer to file descriptor
5243 	 *   Note: fd ref count incremented here.
5244 	 */
5245 	if ((fp = getf(fd)) == NULL)
5246 		return;
5247 
5248 	/* get path from file struct here */
5249 	fad = F2A(fp);
5250 	ASSERT(fad);
5251 
5252 	/*
5253 	 * already processed this file for read attempt
5254 	 *
5255 	 * XXX might be better to turn off auditing in a aui_read() routine.
5256 	 */
5257 	if (fad->fad_flags & FAD_READ) {
5258 		/* don't really want to audit every read attempt */
5259 		tad->tad_flag = 0;
5260 		/* free any residual audit data */
5261 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5262 		releasef(fd);
5263 		return;
5264 	}
5265 	/* mark things so we know what happened and don't repeat things */
5266 	fad->fad_flags |= FAD_READ;
5267 
5268 	if (fad->fad_aupath != NULL) {
5269 		au_uwrite(au_to_path(fad->fad_aupath));
5270 	} else {
5271 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5272 	}
5273 
5274 	/* include attributes */
5275 	audit_attributes(fp->f_vnode);
5276 
5277 	/* decrement file descriptor reference count */
5278 	releasef(fd);
5279 }
5280 
5281 /*ARGSUSED*/
5282 static void
5283 auf_write(tad, error, rval)
5284 	struct t_audit_data *tad;
5285 	int error;
5286 	rval_t *rval;
5287 {
5288 	struct file *fp;
5289 	struct f_audit_data *fad;
5290 	int fd;
5291 	register struct a {
5292 		long	fd;
5293 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5294 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5295 
5296 	fd = (int)uap->fd;
5297 
5298 	/*
5299 	 * convert file pointer to file descriptor
5300 	 *   Note: fd ref count incremented here.
5301 	 */
5302 	if ((fp = getf(fd)) == NULL)
5303 		return;
5304 
5305 	/* get path from file struct here */
5306 	fad = F2A(fp);
5307 	ASSERT(fad);
5308 
5309 	/*
5310 	 * already processed this file for write attempt
5311 	 *
5312 	 * XXX might be better to turn off auditing in a aus_write() routine.
5313 	 */
5314 	if (fad->fad_flags & FAD_WRITE) {
5315 		/* don't really want to audit every write attempt */
5316 		tad->tad_flag = 0;
5317 		/* free any residual audit data */
5318 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5319 		releasef(fd);
5320 		return;
5321 	}
5322 	/* mark things so we know what happened and don't repeat things */
5323 	fad->fad_flags |= FAD_WRITE;
5324 
5325 	if (fad->fad_aupath != NULL) {
5326 		au_uwrite(au_to_path(fad->fad_aupath));
5327 	} else {
5328 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5329 	}
5330 
5331 	/* include attributes */
5332 	audit_attributes(fp->f_vnode);
5333 
5334 	/* decrement file descriptor reference count */
5335 	releasef(fd);
5336 }
5337 
5338 /*ARGSUSED*/
5339 static void
5340 auf_recv(tad, error, rval)
5341 	struct t_audit_data *tad;
5342 	int error;
5343 	rval_t *rval;
5344 {
5345 	struct sonode *so;
5346 	char so_laddr[sizeof (struct sockaddr_in6)];
5347 	char so_faddr[sizeof (struct sockaddr_in6)];
5348 	struct file *fp;
5349 	struct f_audit_data *fad;
5350 	int fd;
5351 	int err;
5352 	socklen_t len;
5353 	short so_family, so_type;
5354 	register struct a {
5355 		long	fd;
5356 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5357 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5358 
5359 	/*
5360 	 * If there was an error, then nothing to do. Only generate
5361 	 * audit record on first successful recv.
5362 	 */
5363 	if (error) {
5364 		/* Turn off audit record generation here. */
5365 		tad->tad_flag = 0;
5366 		/* free any residual audit data */
5367 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5368 		return;
5369 	}
5370 
5371 	fd = (int)uap->fd;
5372 
5373 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5374 		/* Turn off audit record generation here. */
5375 		tad->tad_flag = 0;
5376 		/* free any residual audit data */
5377 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5378 		return;
5379 	}
5380 
5381 	/* get path from file struct here */
5382 	fad = F2A(fp);
5383 	ASSERT(fad);
5384 
5385 	/*
5386 	 * already processed this file for read attempt
5387 	 */
5388 	if (fad->fad_flags & FAD_READ) {
5389 		releasef(fd);
5390 		/* don't really want to audit every recv call */
5391 		tad->tad_flag = 0;
5392 		/* free any residual audit data */
5393 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5394 		return;
5395 	}
5396 
5397 	/* mark things so we know what happened and don't repeat things */
5398 	fad->fad_flags |= FAD_READ;
5399 
5400 	so_family = so->so_family;
5401 	so_type   = so->so_type;
5402 
5403 	switch (so_family) {
5404 	case AF_INET:
5405 	case AF_INET6:
5406 		/*
5407 		 * Only for connections.
5408 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5409 		 */
5410 		if (so->so_state & SS_ISBOUND) {
5411 
5412 			bzero((void *)so_laddr, sizeof (so_laddr));
5413 			bzero((void *)so_faddr, sizeof (so_faddr));
5414 
5415 			/* get local and foreign addresses */
5416 			len = sizeof (so_laddr);
5417 			(void) socket_getsockname(so,
5418 			    (struct sockaddr *)so_laddr, &len, CRED());
5419 			len = sizeof (so_faddr);
5420 			(void) socket_getpeername(so,
5421 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5422 
5423 			/*
5424 			 * only way to drop out of switch. Note that we
5425 			 * we release fd below.
5426 			 */
5427 
5428 			break;
5429 		}
5430 
5431 		releasef(fd);
5432 
5433 		/* don't really want to audit every recv call */
5434 		tad->tad_flag = 0;
5435 		/* free any residual audit data */
5436 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5437 
5438 		return;
5439 
5440 	case AF_UNIX:
5441 
5442 		if (fad->fad_aupath != NULL) {
5443 			au_uwrite(au_to_path(fad->fad_aupath));
5444 		} else {
5445 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5446 		}
5447 
5448 		audit_attributes(fp->f_vnode);
5449 
5450 		releasef(fd);
5451 
5452 		return;
5453 
5454 	default:
5455 		releasef(fd);
5456 
5457 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5458 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5459 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5460 
5461 		return;
5462 	}
5463 
5464 	releasef(fd);
5465 
5466 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5467 
5468 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5469 
5470 }
5471 
5472 /*ARGSUSED*/
5473 static void
5474 auf_send(tad, error, rval)
5475 	struct t_audit_data *tad;
5476 	int error;
5477 	rval_t *rval;
5478 {
5479 	struct sonode *so;
5480 	char so_laddr[sizeof (struct sockaddr_in6)];
5481 	char so_faddr[sizeof (struct sockaddr_in6)];
5482 	struct file *fp;
5483 	struct f_audit_data *fad;
5484 	int fd;
5485 	int err;
5486 	socklen_t len;
5487 	short so_family, so_type;
5488 	register struct a {
5489 		long	fd;
5490 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5491 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5492 
5493 	fd = (int)uap->fd;
5494 
5495 	/*
5496 	 * If there was an error, then nothing to do. Only generate
5497 	 * audit record on first successful send.
5498 	 */
5499 	if (error != 0) {
5500 		/* Turn off audit record generation here. */
5501 		tad->tad_flag = 0;
5502 		/* free any residual audit data */
5503 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5504 		return;
5505 	}
5506 
5507 	fd = (int)uap->fd;
5508 
5509 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5510 		/* Turn off audit record generation here. */
5511 		tad->tad_flag = 0;
5512 		/* free any residual audit data */
5513 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5514 		return;
5515 	}
5516 
5517 	/* get path from file struct here */
5518 	fad = F2A(fp);
5519 	ASSERT(fad);
5520 
5521 	/*
5522 	 * already processed this file for write attempt
5523 	 */
5524 	if (fad->fad_flags & FAD_WRITE) {
5525 		releasef(fd);
5526 		/* don't really want to audit every send call */
5527 		tad->tad_flag = 0;
5528 		/* free any residual audit data */
5529 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5530 		return;
5531 	}
5532 
5533 	/* mark things so we know what happened and don't repeat things */
5534 	fad->fad_flags |= FAD_WRITE;
5535 
5536 	so_family = so->so_family;
5537 	so_type   = so->so_type;
5538 
5539 	switch (so_family) {
5540 	case AF_INET:
5541 	case AF_INET6:
5542 		/*
5543 		 * Only for connections.
5544 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5545 		 */
5546 		if (so->so_state & SS_ISBOUND) {
5547 
5548 			bzero((void *)so_laddr, sizeof (so_laddr));
5549 			bzero((void *)so_faddr, sizeof (so_faddr));
5550 
5551 			/* get local and foreign addresses */
5552 			len = sizeof (so_laddr);
5553 			(void) socket_getsockname(so,
5554 			    (struct sockaddr *)so_laddr, &len, CRED());
5555 			len = sizeof (so_faddr);
5556 			(void) socket_getpeername(so,
5557 			    (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5558 
5559 			/*
5560 			 * only way to drop out of switch. Note that we
5561 			 * we release fd below.
5562 			 */
5563 
5564 			break;
5565 		}
5566 
5567 		releasef(fd);
5568 		/* don't really want to audit every send call */
5569 		tad->tad_flag = 0;
5570 		/* free any residual audit data */
5571 		au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5572 
5573 		return;
5574 
5575 	case AF_UNIX:
5576 
5577 		if (fad->fad_aupath != NULL) {
5578 			au_uwrite(au_to_path(fad->fad_aupath));
5579 		} else {
5580 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5581 		}
5582 
5583 		audit_attributes(fp->f_vnode);
5584 
5585 		releasef(fd);
5586 
5587 		return;
5588 
5589 	default:
5590 		releasef(fd);
5591 
5592 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5593 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5594 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5595 
5596 		return;
5597 	}
5598 
5599 	releasef(fd);
5600 
5601 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5602 
5603 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5604 }
5605 
5606 static au_event_t
5607 aui_forksys(au_event_t e)
5608 {
5609 	struct a {
5610 		long	subcode;
5611 		long	flags;
5612 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5613 
5614 	switch ((uint_t)uap->subcode) {
5615 	case 0:
5616 		e = AUE_FORK1;
5617 		break;
5618 	case 1:
5619 		e = AUE_FORKALL;
5620 		break;
5621 	case 2:
5622 		e = AUE_VFORK;
5623 		break;
5624 	default:
5625 		e = AUE_NULL;
5626 		break;
5627 	}
5628 
5629 	return (e);
5630 }
5631 
5632 /*ARGSUSED*/
5633 static au_event_t
5634 aui_portfs(au_event_t e)
5635 {
5636 	struct a {		/* portfs */
5637 		long	a1;
5638 		long	a2;
5639 		long	a3;
5640 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5641 
5642 	/*
5643 	 * check opcode
5644 	 */
5645 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5646 	case PORT_ASSOCIATE:
5647 		/* check source */
5648 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5649 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5650 			e = AUE_PORTFS_ASSOCIATE;
5651 		} else {
5652 			e = AUE_NULL;
5653 		}
5654 		break;
5655 	case PORT_DISSOCIATE:
5656 		/* check source */
5657 		if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5658 		    ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5659 			e = AUE_PORTFS_DISSOCIATE;
5660 		} else {
5661 			e = AUE_NULL;
5662 		}
5663 		break;
5664 	default:
5665 		e = AUE_NULL;
5666 	}
5667 	return (e);
5668 }
5669