xref: /titanic_52/usr/src/uts/common/c2/audit_event.c (revision 922d2c76afbee21520ffa2088c4e60dcb80d3945)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 /*
30  * This file contains the audit event table used to control the production
31  * of audit records for each system call.
32  */
33 
34 #include <sys/policy.h>
35 #include <sys/cred.h>
36 #include <sys/types.h>
37 #include <sys/systm.h>
38 #include <sys/systeminfo.h>	/* for sysinfo auditing */
39 #include <sys/utsname.h>	/* for sysinfo auditing */
40 #include <sys/proc.h>
41 #include <sys/vnode.h>
42 #include <sys/mman.h>		/* for mmap(2) auditing etc. */
43 #include <sys/fcntl.h>
44 #include <sys/modctl.h>		/* for modctl auditing */
45 #include <sys/vnode.h>
46 #include <sys/user.h>
47 #include <sys/types.h>
48 #include <sys/processor.h>
49 #include <sys/procset.h>
50 #include <sys/acl.h>
51 #include <sys/ipc.h>
52 #include <sys/door.h>
53 #include <sys/sem.h>
54 #include <sys/msg.h>
55 #include <sys/shm.h>
56 #include <sys/kmem.h>
57 #include <sys/file.h>		/* for accept */
58 #include <sys/utssys.h>		/* for fuser */
59 #include <sys/tsol/label.h>
60 #include <sys/tsol/tndb.h>
61 #include <sys/tsol/tsyscall.h>
62 #include <c2/audit.h>
63 #include <c2/audit_kernel.h>
64 #include <c2/audit_kevents.h>
65 #include <c2/audit_record.h>
66 #include <sys/procset.h>
67 #include <nfs/mount.h>
68 #include <sys/param.h>
69 #include <sys/debug.h>
70 #include <sys/sysmacros.h>
71 #include <sys/stream.h>
72 #include <sys/strsubr.h>
73 #include <sys/stropts.h>
74 #include <sys/tihdr.h>
75 #include <sys/socket.h>
76 #include <sys/socketvar.h>
77 #include <netinet/in.h>
78 #include <sys/ddi.h>
79 #include <sys/port_impl.h>
80 
81 
82 int	au_naevent;
83 char	_depends_on[] = "fs/sockfs";
84 
85 static au_event_t	aui_open(au_event_t);
86 static au_event_t	aui_fsat(au_event_t);
87 static au_event_t	aui_msgsys(au_event_t);
88 static au_event_t	aui_shmsys(au_event_t);
89 static au_event_t	aui_semsys(au_event_t);
90 static au_event_t	aui_utssys(au_event_t);
91 static au_event_t	aui_fcntl(au_event_t);
92 static au_event_t	aui_execv(au_event_t);
93 static au_event_t	aui_execve(au_event_t);
94 static au_event_t	aui_memcntl(au_event_t);
95 static au_event_t	aui_sysinfo(au_event_t);
96 static au_event_t	aui_portfs(au_event_t);
97 static au_event_t	aui_auditsys(au_event_t);
98 static au_event_t	aui_modctl(au_event_t);
99 static au_event_t	aui_acl(au_event_t);
100 static au_event_t	aui_doorfs(au_event_t);
101 static au_event_t	aui_privsys(au_event_t);
102 static au_event_t	aui_forksys(au_event_t);
103 static au_event_t	aui_labelsys(au_event_t);
104 
105 static void	aus_open(struct t_audit_data *);
106 static void	aus_acl(struct t_audit_data *);
107 static void	aus_acct(struct t_audit_data *);
108 static void	aus_chown(struct t_audit_data *);
109 static void	aus_fchown(struct t_audit_data *);
110 static void	aus_lchown(struct t_audit_data *);
111 static void	aus_chmod(struct t_audit_data *);
112 static void	aus_facl(struct t_audit_data *);
113 static void	aus_fchmod(struct t_audit_data *);
114 static void	aus_fcntl(struct t_audit_data *);
115 static void	aus_fsat(struct t_audit_data *);
116 static void	aus_mkdir(struct t_audit_data *);
117 static void	aus_mknod(struct t_audit_data *);
118 static void	aus_mount(struct t_audit_data *);
119 static void	aus_umount(struct t_audit_data *);
120 static void	aus_umount2(struct t_audit_data *);
121 static void	aus_msgsys(struct t_audit_data *);
122 static void	aus_semsys(struct t_audit_data *);
123 static void	aus_close(struct t_audit_data *);
124 static void	aus_fstatfs(struct t_audit_data *);
125 static void	aus_setgid(struct t_audit_data *);
126 static void	aus_setuid(struct t_audit_data *);
127 static void	aus_shmsys(struct t_audit_data *);
128 static void	aus_doorfs(struct t_audit_data *);
129 static void	aus_ioctl(struct t_audit_data *);
130 static void	aus_memcntl(struct t_audit_data *);
131 static void	aus_mmap(struct t_audit_data *);
132 static void	aus_munmap(struct t_audit_data *);
133 static void	aus_priocntlsys(struct t_audit_data *);
134 static void	aus_setegid(struct t_audit_data *);
135 static void	aus_setgroups(struct t_audit_data *);
136 static void	aus_seteuid(struct t_audit_data *);
137 static void	aus_putmsg(struct t_audit_data *);
138 static void	aus_putpmsg(struct t_audit_data *);
139 static void	aus_getmsg(struct t_audit_data *);
140 static void	aus_getpmsg(struct t_audit_data *);
141 static void	aus_auditsys(struct t_audit_data *);
142 static void	aus_sysinfo(struct t_audit_data *);
143 static void	aus_modctl(struct t_audit_data *);
144 static void	aus_kill(struct t_audit_data *);
145 static void	aus_xmknod(struct t_audit_data *);
146 static void	aus_setregid(struct t_audit_data *);
147 static void	aus_setreuid(struct t_audit_data *);
148 static void	aus_labelsys(struct t_audit_data *);
149 
150 static void	auf_mknod(struct t_audit_data *, int, rval_t *);
151 static void	auf_msgsys(struct t_audit_data *, int, rval_t *);
152 static void	auf_semsys(struct t_audit_data *, int, rval_t *);
153 static void	auf_shmsys(struct t_audit_data *, int, rval_t *);
154 static void	auf_xmknod(struct t_audit_data *, int, rval_t *);
155 static void	auf_read(struct t_audit_data *, int, rval_t *);
156 static void	auf_write(struct t_audit_data *, int, rval_t *);
157 
158 static void	aus_sigqueue(struct t_audit_data *);
159 static void	aus_p_online(struct t_audit_data *);
160 static void	aus_processor_bind(struct t_audit_data *);
161 static void	aus_inst_sync(struct t_audit_data *);
162 static void	aus_brandsys(struct t_audit_data *);
163 
164 static void	auf_accept(struct t_audit_data *, int, rval_t *);
165 
166 static void	auf_bind(struct t_audit_data *, int, rval_t *);
167 static void	auf_connect(struct t_audit_data *, int, rval_t *);
168 static void	aus_shutdown(struct t_audit_data *);
169 static void	auf_setsockopt(struct t_audit_data *, int, rval_t *);
170 static void	aus_sockconfig(struct t_audit_data *);
171 static void	auf_recv(struct t_audit_data *, int, rval_t *);
172 static void	auf_recvmsg(struct t_audit_data *, int, rval_t *);
173 static void	auf_send(struct t_audit_data *, int, rval_t *);
174 static void	auf_sendmsg(struct t_audit_data *, int, rval_t *);
175 static void	auf_recvfrom(struct t_audit_data *, int, rval_t *);
176 static void	auf_sendto(struct t_audit_data *, int, rval_t *);
177 static void	aus_socket(struct t_audit_data *);
178 /*
179  * This table contains mapping information for converting system call numbers
180  * to audit event IDs. In several cases it is necessary to map a single system
181  * call to several events.
182  */
183 
184 #define	aui_null	NULL	/* NULL initialize function */
185 #define	aus_null	NULL	/* NULL start function */
186 #define	auf_null	NULL	/* NULL finish function */
187 
188 struct audit_s2e audit_s2e[] =
189 {
190 /*
191  * ----------	---------- 	----------	----------
192  * INITIAL	AUDIT		START		SYSTEM
193  * PROCESSING	EVENT		PROCESSING	CALL
194  * ----------	----------	----------	-----------
195  *		FINISH		EVENT
196  *		PROCESSING	CONTROL
197  * ----------------------------------------------------------
198  */
199 aui_null,	AUE_NULL,	aus_null,	/* 0 unused (indirect) */
200 		auf_null,	0,
201 aui_null,	AUE_EXIT,	aus_null,	/* 1 exit */
202 		auf_null,	S2E_NPT,
203 aui_null,	AUE_FORKALL,	aus_null,	/* 2 forkall */
204 		auf_null,	0,
205 aui_null,	AUE_READ,	aus_null,	/* 3 read */
206 		auf_read,	S2E_PUB,
207 aui_null,	AUE_WRITE,	aus_null,	/* 4 write */
208 		auf_write,	0,
209 aui_open,	AUE_OPEN,	aus_open,	/* 5 open */
210 		auf_null,	S2E_SP,
211 aui_null,	AUE_CLOSE,	aus_close,	/* 6 close */
212 		auf_null,	0,
213 aui_null,	AUE_NULL,	aus_null,	/* 7 wait */
214 		auf_null,	0,
215 aui_null,	AUE_CREAT,	aus_null,	/* 8 create */
216 		auf_null,	S2E_SP,
217 aui_null,	AUE_LINK,	aus_null,	/* 9 link */
218 		auf_null,	0,
219 aui_null,	AUE_UNLINK,	aus_null,	/* 10 unlink */
220 		auf_null,	0,
221 aui_execv,	AUE_EXEC,	aus_null,	/* 11 exec */
222 		auf_null,	S2E_MLD,
223 aui_null,	AUE_CHDIR,	aus_null,	/* 12 chdir */
224 		auf_null,	S2E_SP,
225 aui_null,	AUE_NULL,	aus_null,	/* 13 time */
226 		auf_null,	0,
227 aui_null,	AUE_MKNOD,	aus_mknod,	/* 14 mknod */
228 		auf_mknod,	0,
229 aui_null,	AUE_CHMOD,	aus_chmod,	/* 15 chmod */
230 		auf_null,	0,
231 aui_null,	AUE_CHOWN,	aus_chown,	/* 16 chown */
232 		auf_null,	0,
233 aui_null,	AUE_NULL,	aus_null,	/* 17 brk */
234 		auf_null,	0,
235 aui_null,	AUE_STAT,	aus_null,	/* 18 stat */
236 		auf_null,	S2E_PUB,
237 aui_null,	AUE_NULL,	aus_null,	/* 19 lseek */
238 		auf_null,	0,
239 aui_null,	AUE_NULL,	aus_null,	/* 20 getpid */
240 		auf_null,	0,
241 aui_null,	AUE_MOUNT,	aus_mount,	/* 21 mount */
242 		auf_null,	S2E_MLD,
243 aui_null,	AUE_UMOUNT,	aus_umount,	/* 22 umount */
244 		auf_null,	0,
245 aui_null,	AUE_SETUID,	aus_setuid,	/* 23 setuid */
246 		auf_null,	0,
247 aui_null,	AUE_NULL,	aus_null,	/* 24 getuid */
248 		auf_null,	0,
249 aui_null,	AUE_STIME,	aus_null,	/* 25 stime */
250 		auf_null,	0,
251 aui_null,	AUE_NULL,	aus_null,	/* 26 (loadable) was ptrace */
252 		auf_null,	0,
253 aui_null,	AUE_NULL,	aus_null,	/* 27 alarm */
254 		auf_null,	0,
255 aui_null,	AUE_NULL,	aus_null,	/* 28 fstat */
256 		auf_null,	0,
257 aui_null,	AUE_NULL,	aus_null,	/* 29 pause */
258 		auf_null,	0,
259 aui_null,	AUE_UTIME,	aus_null,	/* 30 utime */
260 		auf_null,	0,
261 aui_null,	AUE_NULL,	aus_null,	/* 31 stty (TIOCSETP-audit?) */
262 		auf_null,	0,
263 aui_null,	AUE_NULL,	aus_null,	/* 32 gtty */
264 		auf_null,	0,
265 aui_null,	AUE_ACCESS,	aus_null,	/* 33 access */
266 		auf_null,	S2E_PUB,
267 aui_null,	AUE_NICE,	aus_null,	/* 34 nice */
268 		auf_null,	0,
269 aui_null,	AUE_STATFS,	aus_null,	/* 35 statfs */
270 		auf_null,	S2E_PUB,
271 aui_null,	AUE_NULL,	aus_null,	/* 36 sync */
272 		auf_null,	0,
273 aui_null,	AUE_KILL,	aus_kill,	/* 37 kill */
274 		auf_null,	0,
275 aui_null,	AUE_FSTATFS,	aus_fstatfs,	/* 38 fstatfs */
276 		auf_null,	S2E_PUB,
277 aui_null,	AUE_SETPGRP,	aus_null,	/* 39 setpgrp */
278 		auf_null,	0,
279 aui_null,	AUE_NULL,	aus_null,	/* 40 uucopystr */
280 		auf_null,	0,
281 aui_null,	AUE_NULL,	aus_null,	/* 41 dup */
282 		auf_null,	0,
283 aui_null,	AUE_PIPE,	aus_null,	/* 42 pipe */
284 		auf_null,	0,
285 aui_null,	AUE_NULL,	aus_null,	/* 43 times */
286 		auf_null,	0,
287 aui_null,	AUE_NULL,	aus_null,	/* 44 profil */
288 		auf_null,	0,
289 aui_null,	AUE_NULL,	aus_null,	/* 45 (loadable) */
290 						/*	was proc lock */
291 		auf_null,	0,
292 aui_null,	AUE_SETGID,	aus_setgid,	/* 46 setgid */
293 		auf_null,	0,
294 aui_null,	AUE_NULL,	aus_null,	/* 47 getgid */
295 		auf_null,	0,
296 aui_null,	AUE_NULL,	aus_null,	/* 48 sig */
297 		auf_null,	0,
298 aui_msgsys,	AUE_MSGSYS,	aus_msgsys,	/* 49 (loadable) was msgsys */
299 		auf_msgsys,	0,
300 #if defined(__x86)
301 aui_null,	AUE_NULL,	aus_null,	/* 50 sysi86 */
302 		auf_null,	0,
303 #else
304 aui_null,	AUE_NULL,	aus_null,	/* 50 (loadable) was sys3b */
305 		auf_null,	0,
306 #endif /* __x86 */
307 aui_null,	AUE_ACCT,	aus_acct,	/* 51 acct */
308 		auf_null,	0,
309 aui_shmsys,	AUE_SHMSYS,	aus_shmsys,	/* 52 shared memory */
310 		auf_shmsys,	0,
311 aui_semsys,	AUE_SEMSYS,	aus_semsys,	/* 53 IPC semaphores */
312 		auf_semsys,	0,
313 aui_null,	AUE_IOCTL,	aus_ioctl,	/* 54 ioctl */
314 		auf_null,	0,
315 aui_null,	AUE_NULL,	aus_null,	/* 55 uadmin */
316 		auf_null,	0,
317 aui_null,	AUE_NULL,	aus_null,	/* 56 (loadable) was uexch */
318 		auf_null,	0,
319 aui_utssys,	AUE_FUSERS,	aus_null,	/* 57 utssys */
320 		auf_null,	0,
321 aui_null,	AUE_NULL,	aus_null,	/* 58 fsync */
322 		auf_null,	0,
323 aui_execve,	AUE_EXECVE,	aus_null,	/* 59 exece */
324 		auf_null,	S2E_MLD,
325 aui_null,	AUE_NULL,	aus_null,	/* 60 umask */
326 		auf_null,	0,
327 aui_null,	AUE_CHROOT,	aus_null,	/* 61 chroot */
328 		auf_null,	S2E_SP,
329 aui_fcntl,	AUE_FCNTL,	aus_fcntl,	/* 62 fcntl */
330 		auf_null,	0,
331 aui_null,	AUE_NULL,	aus_null,	/* 63 ulimit */
332 		auf_null,	0,
333 aui_null,	AUE_NULL,	aus_null,	/* 64 (loadable) */
334 		auf_null,	0,
335 aui_null,	AUE_NULL,	aus_null,	/* 65 (loadable) */
336 		auf_null,	0,
337 aui_null,	AUE_NULL,	aus_null,	/* 66 (loadable) */
338 		auf_null,	0,
339 aui_null,	AUE_NULL,	aus_null,	/* 67 (loadable) */
340 						/*	file locking call */
341 		auf_null,	0,
342 aui_null,	AUE_NULL,	aus_null,	/* 68 (loadable) */
343 						/*	local system calls */
344 		auf_null,	0,
345 aui_null,	AUE_NULL,	aus_null,	/* 69 (loadable) inode open */
346 		auf_null,	0,
347 aui_null,	AUE_NULL,	aus_null,	/* 70 (loadable) was advfs */
348 		auf_null,	0,
349 aui_null,	AUE_NULL,	aus_null,	/* 71 (loadable) was unadvfs */
350 		auf_null,	0,
351 aui_null,	AUE_NULL,	aus_null,	/* 72 (loadable) was notused */
352 		auf_null,	0,
353 aui_null,	AUE_NULL,	aus_null,	/* 73 (loadable) was notused */
354 		auf_null,	0,
355 aui_null,	AUE_NULL,	aus_null,	/* 74 (loadable) was notused */
356 		auf_null,	0,
357 aui_null,	AUE_NULL,	aus_null,	/* 75 sidsys */
358 						/*	was sigret (SunOS) */
359 		auf_null,	0,
360 aui_fsat,	AUE_FSAT,	aus_fsat,	/* 76 fsat */
361 		auf_null,	0,
362 aui_null,	AUE_NULL,	aus_null,	/* 77 (loadable) was rfstop */
363 		auf_null,	0,
364 aui_null,	AUE_NULL,	aus_null,	/* 78 (loadable) was rfssys */
365 		auf_null,	0,
366 aui_null,	AUE_RMDIR,	aus_null,	/* 79 rmdir */
367 		auf_null,	0,
368 aui_null,	AUE_MKDIR,	aus_mkdir,	/* 80 mkdir */
369 		auf_null,	0,
370 aui_null,	AUE_NULL,	aus_null,	/* 81 getdents */
371 		auf_null,	0,
372 aui_privsys,	AUE_NULL,	aus_null,	/* 82 privsys */
373 						/*	was libattach */
374 		auf_null,	0,
375 aui_null,	AUE_NULL,	aus_null,	/* 83 (loadable) */
376 						/*	was libdetach */
377 		auf_null,	0,
378 aui_null,	AUE_NULL,	aus_null,	/* 84 sysfs */
379 		auf_null,	0,
380 aui_null,	AUE_GETMSG,	aus_getmsg,	/* 85 getmsg */
381 		auf_null,	0,
382 aui_null,	AUE_PUTMSG,	aus_putmsg,	/* 86 putmsg */
383 		auf_null,	0,
384 aui_null,	AUE_NULL,	aus_null,	/* 87 poll */
385 		auf_null,	0,
386 aui_null,	AUE_LSTAT,	aus_null,	/* 88 lstat */
387 		auf_null,	S2E_PUB,
388 aui_null,	AUE_SYMLINK,	aus_null,	/* 89 symlink */
389 		auf_null,	0,
390 aui_null,	AUE_READLINK,	aus_null,	/* 90 readlink */
391 		auf_null,	S2E_PUB,
392 aui_null,	AUE_SETGROUPS,	aus_setgroups,	/* 91 setgroups */
393 		auf_null,	0,
394 aui_null,	AUE_NULL,	aus_null,	/* 92 getgroups */
395 		auf_null,	0,
396 aui_null,	AUE_FCHMOD,	aus_fchmod,	/* 93 fchmod */
397 		auf_null,	0,
398 aui_null,	AUE_FCHOWN,	aus_fchown,	/* 94 fchown */
399 		auf_null,	0,
400 aui_null,	AUE_NULL,	aus_null,	/* 95 sigprocmask */
401 		auf_null,	0,
402 aui_null,	AUE_NULL,	aus_null,	/* 96 sigsuspend */
403 		auf_null,	0,
404 aui_null,	AUE_NULL,	aus_null,	/* 97 sigaltstack */
405 		auf_null,	0,
406 aui_null,	AUE_NULL,	aus_null,	/* 98 sigaction */
407 		auf_null,	0,
408 aui_null,	AUE_NULL,	aus_null,	/* 99 sigpending */
409 		auf_null,	0,
410 aui_null,	AUE_NULL,	aus_null,	/* 100 setcontext */
411 		auf_null,	0,
412 aui_null,	AUE_NULL,	aus_null,	/* 101 (loadable) was evsys */
413 		auf_null,	0,
414 aui_null,	AUE_NULL,	aus_null,	/* 102 (loadable) */
415 						/*	was evtrapret */
416 		auf_null,	0,
417 aui_null,	AUE_STATVFS,	aus_null,	/* 103 statvfs */
418 		auf_null,	S2E_PUB,
419 aui_null,	AUE_NULL,	aus_null,	/* 104 fstatvfs */
420 		auf_null,	0,
421 aui_null,	AUE_NULL,	aus_null,	/* 105 (loadable) */
422 		auf_null,	0,
423 aui_null,	AUE_NULL,	aus_null,	/* 106 nfssys */
424 		auf_null,	0,
425 aui_null,	AUE_NULL,	aus_null,	/* 107 waitset */
426 		auf_null,	0,
427 aui_null,	AUE_NULL,	aus_null,	/* 108 sigsendset */
428 		auf_null,	0,
429 #if defined(__x86)
430 aui_null,	AUE_NULL,	aus_null,	/* 109 hrtsys */
431 		auf_null,	0,
432 #else
433 aui_null,	AUE_NULL,	aus_null,	/* 109 (loadable) */
434 		auf_null,	0,
435 #endif /* __x86 */
436 aui_null,	AUE_NULL,	aus_null,	/* 110 (loadable) was acancel */
437 		auf_null,	0,
438 aui_null,	AUE_NULL,	aus_null,	/* 111 (loadable) was async */
439 		auf_null,	0,
440 aui_null,	AUE_PRIOCNTLSYS,	aus_priocntlsys,
441 		auf_null,	0,		/* 112 priocntlsys */
442 aui_null,	AUE_PATHCONF,	aus_null,	/* 113 pathconf */
443 		auf_null,	S2E_PUB,
444 aui_null,	AUE_NULL,	aus_null,	/* 114 mincore */
445 		auf_null,	0,
446 aui_null,	AUE_MMAP,	aus_mmap,	/* 115 mmap */
447 		auf_null,	0,
448 aui_null,	AUE_NULL,	aus_null,	/* 116 mprotect */
449 		auf_null,	0,
450 aui_null,	AUE_MUNMAP,	aus_munmap,	/* 117 munmap */
451 		auf_null,	0,
452 aui_null,	AUE_NULL,	aus_null,	/* 118 fpathconf */
453 		auf_null,	0,
454 aui_null,	AUE_VFORK,	aus_null,	/* 119 vfork */
455 		auf_null,	0,
456 aui_null,	AUE_FCHDIR,	aus_null,	/* 120 fchdir */
457 		auf_null,	0,
458 aui_null,	AUE_READ,	aus_null,	/* 121 readv */
459 		auf_read,	S2E_PUB,
460 aui_null,	AUE_WRITE,	aus_null,	/* 122 writev */
461 		auf_write,	0,
462 aui_null,	AUE_STAT,	aus_null,	/* 123 xstat (x86) */
463 		auf_null,	S2E_PUB,
464 aui_null,	AUE_LSTAT,	aus_null,	/* 124 lxstat (x86) */
465 		auf_null,	S2E_PUB,
466 aui_null,	AUE_NULL,	aus_null,	/* 125 fxstat (x86) */
467 		auf_null,	0,
468 aui_null,	AUE_MKNOD,	aus_xmknod,	/* 126 xmknod (x86) */
469 		auf_xmknod,	0,
470 aui_null,	AUE_NULL,	aus_null,	/* 127 (loadable) was clocal */
471 		auf_null,	0,
472 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 128 setrlimit */
473 		auf_null,	0,
474 aui_null,	AUE_NULL,	aus_null,	/* 129 getrlimit */
475 		auf_null,	0,
476 aui_null,	AUE_LCHOWN,	aus_lchown,	/* 130 lchown */
477 		auf_null,	0,
478 aui_memcntl,	AUE_MEMCNTL,	aus_memcntl,	/* 131 memcntl */
479 		auf_null,	0,
480 aui_null,	AUE_GETPMSG,	aus_getpmsg,	/* 132 getpmsg */
481 		auf_null,	0,
482 aui_null,	AUE_PUTPMSG,	aus_putpmsg,	/* 133 putpmsg */
483 		auf_null,	0,
484 aui_null,	AUE_RENAME,	aus_null,	/* 134 rename */
485 		auf_null,	0,
486 aui_null,	AUE_NULL,	aus_null,	/* 135 uname */
487 		auf_null,	0,
488 aui_null,	AUE_SETEGID,	aus_setegid,	/* 136 setegid */
489 		auf_null,	0,
490 aui_null,	AUE_NULL,	aus_null,	/* 137 sysconfig */
491 		auf_null,	0,
492 aui_null,	AUE_ADJTIME,	aus_null,	/* 138 adjtime */
493 		auf_null,	0,
494 aui_sysinfo,	AUE_SYSINFO,	aus_sysinfo,	/* 139 systeminfo */
495 		auf_null,	0,
496 aui_null,	AUE_NULL,	aus_null,	/* 140 reserved */
497 		auf_null,	0,
498 aui_null,	AUE_SETEUID,	aus_seteuid,	/* 141 seteuid */
499 		auf_null,	0,
500 aui_forksys,	AUE_NULL,	aus_null,	/* 142 forksys */
501 		auf_null,	0,
502 aui_null,	AUE_FORK1,	aus_null,	/* 143 fork1 */
503 		auf_null,	0,
504 aui_null,	AUE_NULL,	aus_null,	/* 144 sigwait */
505 		auf_null,	0,
506 aui_null,	AUE_NULL,	aus_null,	/* 145 lwp_info */
507 		auf_null,	0,
508 aui_null,	AUE_NULL,	aus_null,	/* 146 yield */
509 		auf_null,	0,
510 aui_null,	AUE_NULL,	aus_null,	/* 147 lwp_sema_wait */
511 		auf_null,	0,
512 aui_null,	AUE_NULL,	aus_null,	/* 148 lwp_sema_post */
513 		auf_null,	0,
514 aui_null,	AUE_NULL,	aus_null,	/* 149 lwp_sema_trywait */
515 		auf_null,	0,
516 aui_null,	AUE_NULL,	aus_null,	/* 150 (loadable reserved) */
517 		auf_null,	0,
518 aui_null,	AUE_NULL,	aus_null,	/* 151 (loadable reserved) */
519 		auf_null,	0,
520 aui_modctl,	AUE_MODCTL,	aus_modctl,	/* 152 modctl */
521 		auf_null,	0,
522 aui_null,	AUE_FCHROOT,	aus_null,	/* 153 fchroot */
523 		auf_null,	0,
524 aui_null,	AUE_UTIMES,	aus_null,	/* 154 utimes */
525 		auf_null,	0,
526 aui_null,	AUE_NULL,	aus_null,	/* 155 vhangup */
527 		auf_null,	0,
528 aui_null,	AUE_NULL,	aus_null,	/* 156 gettimeofday */
529 		auf_null,	0,
530 aui_null,	AUE_NULL,	aus_null,	/* 157 getitimer */
531 		auf_null,	0,
532 aui_null,	AUE_NULL,	aus_null,	/* 158 setitimer */
533 		auf_null,	0,
534 aui_null,	AUE_NULL,	aus_null,	/* 159 lwp_create */
535 		auf_null,	0,
536 aui_null,	AUE_NULL,	aus_null,	/* 160 lwp_exit */
537 		auf_null,	0,
538 aui_null,	AUE_NULL,	aus_null,	/* 161 lwp_suspend */
539 		auf_null,	0,
540 aui_null,	AUE_NULL,	aus_null,	/* 162 lwp_continue */
541 		auf_null,	0,
542 aui_null,	AUE_NULL,	aus_null,	/* 163 lwp_kill */
543 		auf_null,	0,
544 aui_null,	AUE_NULL,	aus_null,	/* 164 lwp_self */
545 		auf_null,	0,
546 aui_null,	AUE_NULL,	aus_null,	/* 165 (loadable) */
547 						/*	was lwp_setprivate */
548 		auf_null,	0,
549 aui_null,	AUE_NULL,	aus_null,	/* 166 (loadable) */
550 						/*	was lwp_getprivate */
551 		auf_null,	0,
552 aui_null,	AUE_NULL,	aus_null,	/* 167 lwp_wait */
553 		auf_null,	0,
554 aui_null,	AUE_NULL,	aus_null,	/* 168 lwp_mutex_wakeup  */
555 		auf_null,	0,
556 aui_null,	AUE_NULL,	aus_null,	/* 169 lwp_mutex_lock */
557 		auf_null,	0,
558 aui_null,	AUE_NULL,	aus_null,	/* 170 lwp_cond_wait */
559 		auf_null,	0,
560 aui_null,	AUE_NULL,	aus_null,	/* 171 lwp_cond_signal */
561 		auf_null,	0,
562 aui_null,	AUE_NULL,	aus_null,	/* 172 lwp_cond_broadcast */
563 		auf_null,	0,
564 aui_null,	AUE_READ,	aus_null,	/* 173 pread */
565 		auf_read,	S2E_PUB,
566 aui_null,	AUE_WRITE,	aus_null,	/* 174 pwrite */
567 		auf_write,	0,
568 aui_null,	AUE_NULL,	aus_null,	/* 175 llseek */
569 		auf_null,	0,
570 aui_null,	AUE_INST_SYNC,	aus_inst_sync,  /* 176 (loadable) */
571 						/* aus_inst_sync */
572 		auf_null,	0,
573 aui_null,	AUE_BRANDSYS,	aus_brandsys,	/* 177 brandsys */
574 		auf_null,	0,
575 aui_null,	AUE_NULL,	aus_null,	/* 178 (loadable) */
576 		auf_null,	0,
577 aui_null,	AUE_NULL,	aus_null,	/* 179 (loadable) */
578 		auf_null,	0,
579 aui_null,	AUE_NULL,	aus_null,	/* 180 (loadable) kaio */
580 		auf_null,	0,
581 aui_null,	AUE_NULL,	aus_null,	/* 181 (loadable) */
582 		auf_null,	0,
583 aui_portfs,	AUE_PORTFS,	aus_null,	/* 182 (loadable) portfs */
584 		auf_null,	0,
585 aui_null,	AUE_NULL,	aus_null,	/* 183 (loadable) */
586 		auf_null,	0,
587 aui_labelsys,	AUE_NULL,	aus_labelsys,	/* 184 labelsys */
588 		auf_null,	0,
589 aui_acl,	AUE_ACLSET,	aus_acl,	/* 185 acl */
590 		auf_null,	0,
591 aui_auditsys,	AUE_AUDITSYS,	aus_auditsys,	/* 186 auditsys  */
592 		auf_null,	0,
593 aui_null,	AUE_PROCESSOR_BIND,	aus_processor_bind,
594 		auf_null,	0,		/* 187 processor_bind */
595 aui_null,	AUE_NULL,	aus_null,	/* 188 processor_info */
596 		auf_null,	0,
597 aui_null,	AUE_P_ONLINE,	aus_p_online,	/* 189 p_online */
598 		auf_null,	0,
599 aui_null,	AUE_NULL,	aus_sigqueue,	/* 190 sigqueue */
600 		auf_null,	0,
601 aui_null,	AUE_NULL,	aus_null,	/* 191 clock_gettime */
602 		auf_null,	0,
603 aui_null,	AUE_CLOCK_SETTIME,	aus_null,	/* 192 clock_settime */
604 		auf_null,	0,
605 aui_null,	AUE_NULL,	aus_null,	/* 193 clock_getres */
606 		auf_null,	0,
607 aui_null,	AUE_NULL,	aus_null,	/* 194 timer_create */
608 		auf_null,	0,
609 aui_null,	AUE_NULL,	aus_null,	/* 195 timer_delete */
610 		auf_null,	0,
611 aui_null,	AUE_NULL,	aus_null,	/* 196 timer_settime */
612 		auf_null,	0,
613 aui_null,	AUE_NULL,	aus_null,	/* 197 timer_gettime */
614 		auf_null,	0,
615 aui_null,	AUE_NULL,	aus_null,	/* 198 timer_getoverrun */
616 		auf_null,	0,
617 aui_null,	AUE_NULL,	aus_null,	/* 199 nanosleep */
618 		auf_null,	0,
619 aui_acl,	AUE_FACLSET,	aus_facl,	/* 200 facl */
620 		auf_null,	0,
621 aui_doorfs,	AUE_DOORFS,	aus_doorfs,	/* 201 (loadable) doorfs */
622 		auf_null,	0,
623 aui_null,	AUE_SETREUID,	aus_setreuid,	/* 202 setreuid */
624 		auf_null,	0,
625 aui_null,	AUE_SETREGID,	aus_setregid,	/* 203 setregid */
626 		auf_null,	0,
627 aui_null,	AUE_NULL,	aus_null,	/* 204 install_utrap */
628 		auf_null,	0,
629 aui_null,	AUE_NULL,	aus_null,	/* 205 signotify */
630 		auf_null,	0,
631 aui_null,	AUE_NULL,	aus_null,	/* 206 schedctl */
632 		auf_null,	0,
633 aui_null,	AUE_NULL,	aus_null,	/* 207 (loadable) pset */
634 		auf_null,	0,
635 aui_null,	AUE_NULL,	aus_null,	/* 208 (loadable) */
636 		auf_null,	0,
637 aui_null,	AUE_NULL,	aus_null,	/* 209 resolvepath */
638 		auf_null,	0,
639 aui_null,	AUE_NULL,	aus_null,	/* 210 lwp_mutex_timedlock */
640 		auf_null,	0,
641 aui_null,	AUE_NULL,	aus_null,	/* 211 lwp_sema_timedwait */
642 		auf_null,	0,
643 aui_null,	AUE_NULL,	aus_null,	/* 212 lwp_rwlock_sys */
644 		auf_null,	0,
645 aui_null,	AUE_NULL,	aus_null,	/* 213 getdents64 (__ppc) */
646 		auf_null,	0,
647 aui_null,	AUE_MMAP,	aus_mmap,	/* 214 mmap64 */
648 		auf_null,	0,
649 aui_null,	AUE_STAT,	aus_null,	/* 215 stat64 */
650 		auf_null,	S2E_PUB,
651 aui_null,	AUE_LSTAT,	aus_null,	/* 216 lstat64 */
652 		auf_null,	S2E_PUB,
653 aui_null,	AUE_NULL,	aus_null,	/* 217 fstat64 */
654 		auf_null,	0,
655 aui_null,	AUE_STATVFS,	aus_null,	/* 218 statvfs64 */
656 		auf_null,	S2E_PUB,
657 aui_null,	AUE_NULL,	aus_null,	/* 219 fstatvfs64 */
658 		auf_null,	0,
659 aui_null,	AUE_SETRLIMIT,	aus_null,	/* 220 setrlimit64 */
660 		auf_null,	0,
661 aui_null,	AUE_NULL,	aus_null,	/* 221 getrlimit64 */
662 		auf_null,	0,
663 aui_null,	AUE_READ,	aus_null,	/* 222 pread64  */
664 		auf_read,	S2E_PUB,
665 aui_null,	AUE_WRITE,	aus_null,	/* 223 pwrite64 */
666 		auf_write,	0,
667 aui_null,	AUE_CREAT,	aus_null,	/* 224 creat64 */
668 		auf_null,	S2E_SP,
669 aui_open,	AUE_OPEN,	aus_open,	/* 225 open64 */
670 		auf_null,	S2E_SP,
671 aui_null,	AUE_NULL,	aus_null,	/* 226 (loadable) rpcsys */
672 		auf_null,	0,
673 aui_null,	AUE_NULL,	aus_null,	/* 227 (loadable) */
674 		auf_null,	0,
675 aui_null,	AUE_NULL,	aus_null,	/* 228 (loadable) */
676 		auf_null,	0,
677 aui_null,	AUE_NULL,	aus_null,	/* 229 (loadable) */
678 		auf_null,	0,
679 aui_null,	AUE_SOCKET,	aus_socket,	/* 230 so_socket */
680 		auf_null,	0,
681 aui_null,	AUE_NULL,	aus_null,	/* 231 so_socketpair */
682 		auf_null,	0,
683 aui_null,	AUE_BIND,	aus_null,	/* 232 bind */
684 		auf_bind,	0,
685 aui_null,	AUE_NULL,	aus_null,	/* 233 listen */
686 		auf_null,	0,
687 aui_null,	AUE_ACCEPT,	aus_null,	/* 234 accept */
688 		auf_accept,	0,
689 aui_null,	AUE_CONNECT,	aus_null,	/* 235 connect */
690 		auf_connect,	0,
691 aui_null,	AUE_SHUTDOWN,	aus_shutdown,	/* 236 shutdown */
692 		auf_null,	0,
693 aui_null,	AUE_READ,	aus_null,	/* 237 recv */
694 		auf_recv,	0,
695 aui_null,	AUE_RECVFROM,	aus_null,	/* 238 recvfrom */
696 		auf_recvfrom,	0,
697 aui_null,	AUE_RECVMSG,	aus_null,	/* 239 recvmsg */
698 		auf_recvmsg,	0,
699 aui_null,	AUE_WRITE,	aus_null,	/* 240 send */
700 		auf_send,	0,
701 aui_null,	AUE_SENDMSG,	aus_null,	/* 241 sendmsg */
702 		auf_sendmsg,	0,
703 aui_null,	AUE_SENDTO,	aus_null,	/* 242 sendto */
704 		auf_sendto,	0,
705 aui_null,	AUE_NULL,	aus_null,	/* 243 getpeername */
706 		auf_null,	0,
707 aui_null,	AUE_NULL,	aus_null,	/* 244 getsockname */
708 		auf_null,	0,
709 aui_null,	AUE_NULL,	aus_null,	/* 245 getsockopt */
710 		auf_null,	0,
711 aui_null,	AUE_SETSOCKOPT,	aus_null,	/* 246 setsockopt */
712 		auf_setsockopt,	0,
713 aui_null,	AUE_SOCKCONFIG,	aus_sockconfig,	/* 247 sockconfig */
714 		auf_null,	0,
715 aui_null,	AUE_NULL,	aus_null,	/* 248 ntp_gettime */
716 		auf_null,	0,
717 aui_null,	AUE_NTP_ADJTIME,	aus_null,	/* 249 ntp_adjtime */
718 		auf_null,	0,
719 aui_null,	AUE_NULL,	aus_null,	/* 250 lwp_mutex_unlock */
720 		auf_null,	0,
721 aui_null,	AUE_NULL,	aus_null,	/* 251 lwp_mutex_trylock */
722 		auf_null,	0,
723 aui_null,	AUE_NULL,	aus_null,	/* 252 lwp_mutex_register */
724 		auf_null,	0,
725 aui_null,	AUE_NULL,	aus_null,	/* 253 cladm */
726 		auf_null,	0,
727 aui_null,	AUE_NULL,	aus_null,	/* 254 uucopy */
728 		auf_null,	0,
729 aui_null,	AUE_UMOUNT2,	aus_umount2,	/* 255 umount2 */
730 		auf_null,	0
731 };
732 
733 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
734 
735 
736 /* acct start function */
737 /*ARGSUSED*/
738 static void
739 aus_acct(struct t_audit_data *tad)
740 {
741 	klwp_t *clwp = ttolwp(curthread);
742 	uintptr_t fname;
743 
744 	struct a {
745 		long	fname;		/* char * */
746 	} *uap = (struct a *)clwp->lwp_ap;
747 
748 	fname = (uintptr_t)uap->fname;
749 
750 	if (fname == 0)
751 		au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
752 }
753 
754 /* chown start function */
755 /*ARGSUSED*/
756 static void
757 aus_chown(struct t_audit_data *tad)
758 {
759 	klwp_t *clwp = ttolwp(curthread);
760 	uint32_t uid, gid;
761 
762 	struct a {
763 		long	fname;		/* char * */
764 		long	uid;
765 		long	gid;
766 	} *uap = (struct a *)clwp->lwp_ap;
767 
768 	uid = (uint32_t)uap->uid;
769 	gid = (uint32_t)uap->gid;
770 
771 	au_uwrite(au_to_arg32(2, "new file uid", uid));
772 	au_uwrite(au_to_arg32(3, "new file gid", gid));
773 }
774 
775 /* fchown start function */
776 /*ARGSUSED*/
777 static void
778 aus_fchown(struct t_audit_data *tad)
779 {
780 	klwp_t *clwp = ttolwp(curthread);
781 	uint32_t uid, gid, fd;
782 	struct file  *fp;
783 	struct vnode *vp;
784 	struct f_audit_data *fad;
785 
786 	struct a {
787 		long fd;
788 		long uid;
789 		long gid;
790 	} *uap = (struct a *)clwp->lwp_ap;
791 
792 	fd  = (uint32_t)uap->fd;
793 	uid = (uint32_t)uap->uid;
794 	gid = (uint32_t)uap->gid;
795 
796 	au_uwrite(au_to_arg32(2, "new file uid", uid));
797 	au_uwrite(au_to_arg32(3, "new file gid", gid));
798 
799 		/*
800 		 * convert file pointer to file descriptor
801 		 *   Note: fd ref count incremented here.
802 		 */
803 	if ((fp = getf(fd)) == NULL)
804 		return;
805 
806 	/* get path from file struct here */
807 	fad = F2A(fp);
808 	if (fad->fad_aupath != NULL) {
809 		au_uwrite(au_to_path(fad->fad_aupath));
810 	} else {
811 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
812 	}
813 
814 	vp = fp->f_vnode;
815 	audit_attributes(vp);
816 
817 	/* decrement file descriptor reference count */
818 	releasef(fd);
819 }
820 
821 /*ARGSUSED*/
822 static void
823 aus_lchown(struct t_audit_data *tad)
824 {
825 	klwp_t *clwp = ttolwp(curthread);
826 	uint32_t uid, gid;
827 
828 
829 	struct a {
830 		long	fname;		/* char	* */
831 		long	uid;
832 		long	gid;
833 	} *uap = (struct a *)clwp->lwp_ap;
834 
835 	uid = (uint32_t)uap->uid;
836 	gid = (uint32_t)uap->gid;
837 
838 	au_uwrite(au_to_arg32(2, "new file uid", uid));
839 	au_uwrite(au_to_arg32(3, "new file gid", gid));
840 }
841 
842 /* chmod start function */
843 /*ARGSUSED*/
844 static void
845 aus_chmod(struct t_audit_data *tad)
846 {
847 	klwp_t *clwp = ttolwp(curthread);
848 	uint32_t fmode;
849 
850 	struct a {
851 		long	fname;		/* char	* */
852 		long	fmode;
853 	} *uap = (struct a *)clwp->lwp_ap;
854 
855 	fmode = (uint32_t)uap->fmode;
856 
857 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
858 }
859 
860 /* chmod start function */
861 /*ARGSUSED*/
862 static void
863 aus_fchmod(struct t_audit_data *tad)
864 {
865 	klwp_t *clwp = ttolwp(curthread);
866 	uint32_t fmode, fd;
867 	struct file  *fp;
868 	struct vnode *vp;
869 	struct f_audit_data *fad;
870 
871 	struct a {
872 		long	fd;
873 		long	fmode;
874 	} *uap = (struct a *)clwp->lwp_ap;
875 
876 	fd = (uint32_t)uap->fd;
877 	fmode = (uint32_t)uap->fmode;
878 
879 	au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
880 
881 		/*
882 		 * convert file pointer to file descriptor
883 		 *   Note: fd ref count incremented here.
884 		 */
885 	if ((fp = getf(fd)) == NULL)
886 		return;
887 
888 		/* get path from file struct here */
889 	fad = F2A(fp);
890 	if (fad->fad_aupath != NULL) {
891 		au_uwrite(au_to_path(fad->fad_aupath));
892 	} else {
893 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
894 	}
895 
896 	vp = fp->f_vnode;
897 	audit_attributes(vp);
898 
899 	/* decrement file descriptor reference count */
900 	releasef(fd);
901 }
902 
903 
904 /* convert open to appropriate event */
905 static au_event_t
906 aui_open(au_event_t e)
907 {
908 	klwp_t *clwp = ttolwp(curthread);
909 	uint_t fm;
910 
911 	struct a {
912 		long	fnamep;		/* char	* */
913 		long	fmode;
914 		long	cmode;
915 	} *uap = (struct a *)clwp->lwp_ap;
916 
917 	fm = (uint_t)uap->fmode;
918 
919 	if (fm & O_WRONLY)
920 		e = AUE_OPEN_W;
921 	else if (fm & O_RDWR)
922 		e = AUE_OPEN_RW;
923 	else
924 		e = AUE_OPEN_R;
925 
926 	if (fm & O_CREAT)
927 		e += 1;
928 	if (fm & O_TRUNC)
929 		e += 2;
930 
931 	return (e);
932 }
933 
934 /*ARGSUSED*/
935 static void
936 aus_open(struct t_audit_data *tad)
937 {
938 	klwp_t *clwp = ttolwp(curthread);
939 	uint_t fm;
940 
941 	struct a {
942 		long	fnamep;		/* char	* */
943 		long	fmode;
944 		long	cmode;
945 	} *uap = (struct a *)clwp->lwp_ap;
946 
947 	fm = (uint_t)uap->fmode;
948 
949 	/* If no write, create, or trunc modes, mark as a public op */
950 	if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
951 		tad->tad_ctrl |= PAD_PUBLIC_EV;
952 }
953 
954 /* convert openat(2) to appropriate event */
955 static au_event_t
956 aui_fsat(au_event_t e)
957 {
958 	t_audit_data_t	*tad = U2A(u);
959 	klwp_t *clwp = ttolwp(curthread);
960 	uint_t fmcode, fm;
961 	struct a {
962 		long id;
963 		long arg1;
964 		long arg2;
965 		long arg3;
966 		long arg4;
967 		long arg5;
968 	} *uap = (struct a *)clwp->lwp_ap;
969 
970 	fmcode  = (uint_t)uap->id;
971 
972 	switch (fmcode) {
973 
974 	case 0: /* openat */
975 	case 1: /* openat64 */
976 		fm = (uint_t)uap->arg3;
977 		if (fm & O_WRONLY)
978 			e = AUE_OPENAT_W;
979 		else if (fm & O_RDWR)
980 			e = AUE_OPENAT_RW;
981 		else
982 			e = AUE_OPENAT_R;
983 
984 		/*
985 		 * openat modes are defined in the following order:
986 		 * Read only
987 		 * Read|Create
988 		 * Read|Trunc
989 		 * Read|Create|Trunc
990 		 * Write Only
991 		 * Write|Create
992 		 * Write|Trunc
993 		 * Write|Create|Trunc * RW Only
994 		 * RW|Create
995 		 * RW|Trunc
996 		 * RW|Create|Trunc
997 		 */
998 		if (fm & O_CREAT)
999 			e += 1;		/* increment to include CREAT in mode */
1000 		if (fm & O_TRUNC)
1001 			e += 2;		/* increment to include TRUNC in mode */
1002 
1003 		/* convert to appropriate au_ctrl */
1004 		tad->tad_ctrl |= PAD_SAVPATH;
1005 		if (fm & FXATTR)
1006 			tad->tad_ctrl |= PAD_ATPATH;
1007 
1008 
1009 		break;
1010 	case 2: /* fstatat64 */
1011 	case 3: /* fstatat */
1012 		e = AUE_FSTATAT;
1013 		break;
1014 	case 4: /* fchownat */
1015 		e = AUE_FCHOWNAT;
1016 		break;
1017 	case 5: /* unlinkat */
1018 		e = AUE_UNLINKAT;
1019 		break;
1020 	case 6: /* futimesat */
1021 		e = AUE_FUTIMESAT;
1022 		break;
1023 	case 7: /* renameat */
1024 		e = AUE_RENAMEAT;
1025 		break;
1026 	case 9: /* __openattrdirat */
1027 		tad->tad_ctrl |= PAD_SAVPATH;
1028 		/*FALLTHROUGH*/
1029 	default:
1030 		e = AUE_NULL;
1031 		break;
1032 	}
1033 
1034 	return (e);
1035 }
1036 
1037 /*ARGSUSED*/
1038 static void
1039 aus_fsat(struct t_audit_data *tad)
1040 {
1041 	klwp_t *clwp = ttolwp(curthread);
1042 	uint_t fmcode, fm;
1043 	struct a {
1044 		long id;
1045 		long arg1;
1046 		long arg2;
1047 		long arg3;
1048 		long arg4;
1049 		long arg5;
1050 	} *uap = (struct a *)clwp->lwp_ap;
1051 
1052 	fmcode  = (uint_t)uap->id;
1053 
1054 	switch (fmcode) {
1055 
1056 	case 0: /* openat */
1057 	case 1: /* openat64 */
1058 		fm = (uint_t)uap->arg3;
1059 		/* If no write, create, or trunc modes, mark as a public op */
1060 		if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)))
1061 			tad->tad_ctrl |= PAD_PUBLIC_EV;
1062 
1063 		break;
1064 	case 2: /* fstatat64 */
1065 	case 3: /* fstatat */
1066 		tad->tad_ctrl |= PAD_PUBLIC_EV;
1067 		break;
1068 	default:
1069 		break;
1070 	}
1071 }
1072 
1073 /* msgsys */
1074 static au_event_t
1075 aui_msgsys(au_event_t e)
1076 {
1077 	klwp_t *clwp = ttolwp(curthread);
1078 	uint_t fm;
1079 
1080 	struct a {
1081 		long	id;	/* function code id */
1082 		long	ap;	/* arg pointer for recvmsg */
1083 	} *uap = (struct a *)clwp->lwp_ap;
1084 
1085 	struct b {
1086 		long	msgid;
1087 		long	cmd;
1088 		long	buf;	/* struct msqid_ds * */
1089 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1090 
1091 	fm  = (uint_t)uap->id;
1092 
1093 	switch (fm) {
1094 	case 0:		/* msgget */
1095 		e = AUE_MSGGET;
1096 		break;
1097 	case 1:		/* msgctl */
1098 		switch ((uint_t)uap1->cmd) {
1099 		case IPC_RMID:
1100 			e = AUE_MSGCTL_RMID;
1101 			break;
1102 		case IPC_SET:
1103 			e = AUE_MSGCTL_SET;
1104 			break;
1105 		case IPC_STAT:
1106 			e = AUE_MSGCTL_STAT;
1107 			break;
1108 		default:
1109 			e = AUE_MSGCTL;
1110 			break;
1111 		}
1112 		break;
1113 	case 2:		/* msgrcv */
1114 		e = AUE_MSGRCV;
1115 		break;
1116 	case 3:		/* msgsnd */
1117 		e = AUE_MSGSND;
1118 		break;
1119 	default:	/* illegal system call */
1120 		e = AUE_NULL;
1121 		break;
1122 	}
1123 
1124 	return (e);
1125 }
1126 
1127 
1128 /* shmsys */
1129 static au_event_t
1130 aui_shmsys(au_event_t e)
1131 {
1132 	klwp_t *clwp = ttolwp(curthread);
1133 	int fm;
1134 
1135 	struct a {		/* shmsys */
1136 		long	id;	/* function code id */
1137 	} *uap = (struct a *)clwp->lwp_ap;
1138 
1139 	struct b {		/* ctrl */
1140 		long	shmid;
1141 		long	cmd;
1142 		long	arg;		/* struct shmid_ds * */
1143 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1144 	fm  = (uint_t)uap->id;
1145 
1146 	switch (fm) {
1147 	case 0:		/* shmat */
1148 		e = AUE_SHMAT;
1149 		break;
1150 	case 1:		/* shmctl */
1151 		switch ((uint_t)uap1->cmd) {
1152 		case IPC_RMID:
1153 			e = AUE_SHMCTL_RMID;
1154 			break;
1155 		case IPC_SET:
1156 			e = AUE_SHMCTL_SET;
1157 			break;
1158 		case IPC_STAT:
1159 			e = AUE_SHMCTL_STAT;
1160 			break;
1161 		default:
1162 			e = AUE_SHMCTL;
1163 			break;
1164 		}
1165 		break;
1166 	case 2:		/* shmdt */
1167 		e = AUE_SHMDT;
1168 		break;
1169 	case 3:		/* shmget */
1170 		e = AUE_SHMGET;
1171 		break;
1172 	default:	/* illegal system call */
1173 		e = AUE_NULL;
1174 		break;
1175 	}
1176 
1177 	return (e);
1178 }
1179 
1180 
1181 /* semsys */
1182 static au_event_t
1183 aui_semsys(au_event_t e)
1184 {
1185 	klwp_t *clwp = ttolwp(curthread);
1186 	uint_t fm;
1187 
1188 	struct a {		/* semsys */
1189 		long	id;
1190 	} *uap = (struct a *)clwp->lwp_ap;
1191 
1192 	struct b {		/* ctrl */
1193 		long	semid;
1194 		long	semnum;
1195 		long	cmd;
1196 		long	arg;
1197 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1198 
1199 	fm = (uint_t)uap->id;
1200 
1201 	switch (fm) {
1202 	case 0:		/* semctl */
1203 		switch ((uint_t)uap1->cmd) {
1204 		case IPC_RMID:
1205 			e = AUE_SEMCTL_RMID;
1206 			break;
1207 		case IPC_SET:
1208 			e = AUE_SEMCTL_SET;
1209 			break;
1210 		case IPC_STAT:
1211 			e = AUE_SEMCTL_STAT;
1212 			break;
1213 		case GETNCNT:
1214 			e = AUE_SEMCTL_GETNCNT;
1215 			break;
1216 		case GETPID:
1217 			e = AUE_SEMCTL_GETPID;
1218 			break;
1219 		case GETVAL:
1220 			e = AUE_SEMCTL_GETVAL;
1221 			break;
1222 		case GETALL:
1223 			e = AUE_SEMCTL_GETALL;
1224 			break;
1225 		case GETZCNT:
1226 			e = AUE_SEMCTL_GETZCNT;
1227 			break;
1228 		case SETVAL:
1229 			e = AUE_SEMCTL_SETVAL;
1230 			break;
1231 		case SETALL:
1232 			e = AUE_SEMCTL_SETALL;
1233 			break;
1234 		default:
1235 			e = AUE_SEMCTL;
1236 			break;
1237 		}
1238 		break;
1239 	case 1:		/* semget */
1240 		e = AUE_SEMGET;
1241 		break;
1242 	case 2:		/* semop */
1243 		e = AUE_SEMOP;
1244 		break;
1245 	default:	/* illegal system call */
1246 		e = AUE_NULL;
1247 		break;
1248 	}
1249 
1250 	return (e);
1251 }
1252 
1253 /* utssys - uname(2), ustat(2), fusers(2) */
1254 static au_event_t
1255 aui_utssys(au_event_t e)
1256 {
1257 	klwp_t *clwp = ttolwp(curthread);
1258 	uint_t type;
1259 
1260 	struct a {
1261 		union {
1262 			long	cbuf;		/* char * */
1263 			long	ubuf;		/* struct stat * */
1264 		} ub;
1265 		union {
1266 			long	mv;	/* for USTAT */
1267 			long	flags;	/* for FUSERS */
1268 		} un;
1269 		long	type;
1270 		long	outbp;		/* char * for FUSERS */
1271 	} *uap = (struct a *)clwp->lwp_ap;
1272 
1273 	type = (uint_t)uap->type;
1274 
1275 	if (type == UTS_FUSERS)
1276 		return (e);
1277 	else
1278 		return ((au_event_t)AUE_NULL);
1279 }
1280 
1281 static au_event_t
1282 aui_fcntl(au_event_t e)
1283 {
1284 	klwp_t *clwp = ttolwp(curthread);
1285 	uint_t cmd;
1286 
1287 	struct a {
1288 		long	fdes;
1289 		long	cmd;
1290 		long	arg;
1291 	} *uap = (struct a *)clwp->lwp_ap;
1292 
1293 	cmd = (uint_t)uap->cmd;
1294 
1295 	switch (cmd) {
1296 	case F_GETLK:
1297 	case F_SETLK:
1298 	case F_SETLKW:
1299 		break;
1300 	case F_SETFL:
1301 	case F_GETFL:
1302 	case F_GETFD:
1303 		break;
1304 	default:
1305 		e = (au_event_t)AUE_NULL;
1306 		break;
1307 	}
1308 	return ((au_event_t)e);
1309 }
1310 
1311 /* null function for now */
1312 static au_event_t
1313 aui_execv(au_event_t e)
1314 {
1315 	return (e);
1316 }
1317 
1318 /* null function for now */
1319 static au_event_t
1320 aui_execve(au_event_t e)
1321 {
1322 	return (e);
1323 }
1324 
1325 /*ARGSUSED*/
1326 static void
1327 aus_fcntl(struct t_audit_data *tad)
1328 {
1329 	klwp_t *clwp = ttolwp(curthread);
1330 	uint32_t cmd, fd;
1331 	struct file  *fp;
1332 	struct vnode *vp;
1333 	struct f_audit_data *fad;
1334 
1335 	struct a {
1336 		long	fd;
1337 		long	cmd;
1338 		long	arg;
1339 	} *uap = (struct a *)clwp->lwp_ap;
1340 
1341 	cmd = (uint32_t)uap->cmd;
1342 	fd  = (uint32_t)uap->fd;
1343 
1344 	au_uwrite(au_to_arg32(2, "cmd", cmd));
1345 
1346 		/*
1347 		 * convert file pointer to file descriptor
1348 		 *   Note: fd ref count incremented here.
1349 		 */
1350 	if ((fp = getf(fd)) == NULL)
1351 		return;
1352 
1353 	/* get path from file struct here */
1354 	fad = F2A(fp);
1355 	if (fad->fad_aupath != NULL) {
1356 		au_uwrite(au_to_path(fad->fad_aupath));
1357 	} else {
1358 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1359 	}
1360 
1361 	vp = fp->f_vnode;
1362 	audit_attributes(vp);
1363 
1364 	/* decrement file descriptor reference count */
1365 	releasef(fd);
1366 }
1367 
1368 /*ARGSUSED*/
1369 static void
1370 aus_kill(struct t_audit_data *tad)
1371 {
1372 	klwp_t *clwp = ttolwp(curthread);
1373 	struct proc *p;
1374 	uint32_t signo;
1375 	uid_t uid, ruid;
1376 	gid_t gid, rgid;
1377 	pid_t pid;
1378 	const auditinfo_addr_t *ainfo;
1379 	cred_t *cr;
1380 
1381 	struct a {
1382 		long	pid;
1383 		long	signo;
1384 	} *uap = (struct a *)clwp->lwp_ap;
1385 
1386 	pid   = (pid_t)uap->pid;
1387 	signo = (uint32_t)uap->signo;
1388 
1389 	au_uwrite(au_to_arg32(2, "signal", signo));
1390 	if (pid > 0) {
1391 		mutex_enter(&pidlock);
1392 		if (((p = prfind(pid)) == (struct proc *)0) ||
1393 		    (p->p_stat == SIDL)) {
1394 			mutex_exit(&pidlock);
1395 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1396 			return;
1397 		}
1398 		mutex_enter(&p->p_lock); /* so process doesn't go away */
1399 		mutex_exit(&pidlock);
1400 
1401 		mutex_enter(&p->p_crlock);
1402 		crhold(cr = p->p_cred);
1403 		mutex_exit(&p->p_crlock);
1404 		mutex_exit(&p->p_lock);
1405 
1406 		ainfo = crgetauinfo(cr);
1407 		if (ainfo == NULL) {
1408 			crfree(cr);
1409 			au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1410 			return;
1411 		}
1412 
1413 		uid  = crgetuid(cr);
1414 		gid  = crgetgid(cr);
1415 		ruid = crgetruid(cr);
1416 		rgid = crgetrgid(cr);
1417 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1418 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1419 
1420 		if (is_system_labeled())
1421 			au_uwrite(au_to_label(CR_SL(cr)));
1422 
1423 		crfree(cr);
1424 	}
1425 	else
1426 		au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1427 }
1428 
1429 /*ARGSUSED*/
1430 static void
1431 aus_mkdir(struct t_audit_data *tad)
1432 {
1433 	klwp_t *clwp = ttolwp(curthread);
1434 	uint32_t dmode;
1435 
1436 	struct a {
1437 		long	dirnamep;		/* char * */
1438 		long	dmode;
1439 	} *uap = (struct a *)clwp->lwp_ap;
1440 
1441 	dmode = (uint32_t)uap->dmode;
1442 
1443 	au_uwrite(au_to_arg32(2, "mode", dmode));
1444 }
1445 
1446 /*ARGSUSED*/
1447 static void
1448 aus_mknod(struct t_audit_data *tad)
1449 {
1450 	klwp_t *clwp = ttolwp(curthread);
1451 	uint32_t fmode;
1452 	dev_t dev;
1453 
1454 	struct a {
1455 		long	pnamep;		/* char * */
1456 		long	fmode;
1457 		long	dev;
1458 	} *uap = (struct a *)clwp->lwp_ap;
1459 
1460 	fmode = (uint32_t)uap->fmode;
1461 	dev   = (dev_t)uap->dev;
1462 
1463 	au_uwrite(au_to_arg32(2, "mode", fmode));
1464 #ifdef _LP64
1465 	au_uwrite(au_to_arg64(3, "dev", dev));
1466 #else
1467 	au_uwrite(au_to_arg32(3, "dev", dev));
1468 #endif
1469 }
1470 
1471 /*ARGSUSED*/
1472 static void
1473 aus_xmknod(struct t_audit_data *tad)
1474 {
1475 	klwp_t *clwp = ttolwp(curthread);
1476 	uint32_t fmode;
1477 	dev_t dev;
1478 
1479 	struct a {
1480 		long	version;	/* version */
1481 		long	pnamep;		/* char * */
1482 		long	fmode;
1483 		long	dev;
1484 	} *uap = (struct a *)clwp->lwp_ap;
1485 
1486 	fmode = (uint32_t)uap->fmode;
1487 	dev   = (dev_t)uap->dev;
1488 
1489 	au_uwrite(au_to_arg32(2, "mode", fmode));
1490 #ifdef _LP64
1491 	au_uwrite(au_to_arg64(3, "dev", dev));
1492 #else
1493 	au_uwrite(au_to_arg32(3, "dev", dev));
1494 #endif
1495 }
1496 
1497 /*ARGSUSED*/
1498 static void
1499 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1500 {
1501 	klwp_t *clwp = ttolwp(curthread);
1502 	vnode_t	*dvp;
1503 	caddr_t pnamep;
1504 
1505 	struct a {
1506 		long	pnamep;		/* char * */
1507 		long	fmode;
1508 		long	dev;
1509 	} *uap = (struct a *)clwp->lwp_ap;
1510 
1511 	/* no error, then already path token in audit record */
1512 	if (error != EPERM)
1513 		return;
1514 
1515 	/* not auditing this event, nothing then to do */
1516 	if (tad->tad_flag == 0)
1517 		return;
1518 
1519 	/* do the lookup to force generation of path token */
1520 	pnamep = (caddr_t)uap->pnamep;
1521 	tad->tad_ctrl |= PAD_NOATTRB;
1522 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1523 	if (error == 0)
1524 		VN_RELE(dvp);
1525 }
1526 
1527 /*ARGSUSED*/
1528 static void
1529 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval)
1530 {
1531 	klwp_t *clwp = ttolwp(curthread);
1532 	vnode_t	*dvp;
1533 	caddr_t pnamep;
1534 
1535 	struct a {
1536 		long	version;	/* version */
1537 		long	pnamep;		/* char * */
1538 		long	fmode;
1539 		long	dev;
1540 	} *uap = (struct a *)clwp->lwp_arg;
1541 
1542 
1543 	/* no error, then already path token in audit record */
1544 	if (error != EPERM)
1545 		return;
1546 
1547 	/* not auditing this event, nothing then to do */
1548 	if (tad->tad_flag == 0)
1549 		return;
1550 
1551 	/* do the lookup to force generation of path token */
1552 	pnamep = (caddr_t)uap->pnamep;
1553 	tad->tad_ctrl |= PAD_NOATTRB;
1554 	error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1555 	if (error == 0)
1556 		VN_RELE(dvp);
1557 }
1558 
1559 /*ARGSUSED*/
1560 static void
1561 aus_mount(struct t_audit_data *tad)
1562 {	/* AUS_START */
1563 	klwp_t *clwp = ttolwp(curthread);
1564 	uint32_t flags;
1565 	uintptr_t u_fstype, dataptr;
1566 	STRUCT_DECL(nfs_args, nfsargs);
1567 	size_t len;
1568 	char *fstype, *hostname;
1569 
1570 	struct a {
1571 		long	spec;		/* char    * */
1572 		long	dir;		/* char    * */
1573 		long	flags;
1574 		long	fstype;		/* char    * */
1575 		long	dataptr;	/* char    * */
1576 		long	datalen;
1577 	} *uap = (struct a *)clwp->lwp_ap;
1578 
1579 	u_fstype = (uintptr_t)uap->fstype;
1580 	flags    = (uint32_t)uap->flags;
1581 	dataptr  = (uintptr_t)uap->dataptr;
1582 
1583 	fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1584 	if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1585 		goto mount_free_fstype;
1586 
1587 	au_uwrite(au_to_arg32(3, "flags", flags));
1588 	au_uwrite(au_to_text(fstype));
1589 
1590 	if (strncmp(fstype, "nfs", 3) == 0) {
1591 
1592 		STRUCT_INIT(nfsargs, get_udatamodel());
1593 		bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1594 
1595 		if (copyin((caddr_t)dataptr,
1596 				STRUCT_BUF(nfsargs),
1597 				MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1598 			/* DEBUG debug_enter((char *)NULL); */
1599 			goto mount_free_fstype;
1600 		}
1601 		hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1602 		if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1603 				(caddr_t)hostname,
1604 				MAXNAMELEN, &len)) {
1605 			goto mount_free_hostname;
1606 		}
1607 		au_uwrite(au_to_text(hostname));
1608 		au_uwrite(au_to_arg32(3, "internal flags",
1609 			(uint_t)STRUCT_FGET(nfsargs, flags)));
1610 
1611 mount_free_hostname:
1612 		kmem_free(hostname, MAXNAMELEN);
1613 	}
1614 
1615 mount_free_fstype:
1616 	kmem_free(fstype, MAXNAMELEN);
1617 }	/* AUS_MOUNT */
1618 
1619 static void
1620 aus_umount_path(caddr_t umount_dir)
1621 {
1622 	char			*dir_path;
1623 	struct audit_path	*path;
1624 	size_t			path_len, dir_len;
1625 
1626 	/* length alloc'd for two string pointers */
1627 	path_len = sizeof (struct audit_path) + sizeof (char *);
1628 	path = kmem_alloc(path_len, KM_SLEEP);
1629 	dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1630 
1631 	if (copyinstr(umount_dir, (caddr_t)dir_path,
1632 	    MAXPATHLEN, &dir_len))
1633 		goto umount2_free_dir;
1634 
1635 	/*
1636 	 * the audit_path struct assumes that the buffer pointed to
1637 	 * by audp_sect[n] contains string 0 immediatedly followed
1638 	 * by string 1.
1639 	 */
1640 	path->audp_sect[0] = dir_path;
1641 	path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1642 	path->audp_size = path_len;
1643 	path->audp_ref = 1;		/* not used */
1644 	path->audp_cnt = 1;		/* one path string */
1645 
1646 	au_uwrite(au_to_path(path));
1647 
1648 umount2_free_dir:
1649 	kmem_free(dir_path, MAXPATHLEN);
1650 	kmem_free(path, path_len);
1651 }
1652 
1653 /*
1654  * the umount syscall is implemented as a call to umount2, but the args
1655  * are different...
1656  */
1657 
1658 /*ARGSUSED*/
1659 static void
1660 aus_umount(struct t_audit_data *tad)
1661 {
1662 	klwp_t			*clwp = ttolwp(curthread);
1663 	struct a {
1664 		long	dir;		/* char    * */
1665 	} *uap = (struct a *)clwp->lwp_ap;
1666 
1667 	aus_umount_path((caddr_t)uap->dir);
1668 }
1669 
1670 /*ARGSUSED*/
1671 static void
1672 aus_umount2(struct t_audit_data *tad)
1673 {
1674 	klwp_t			*clwp = ttolwp(curthread);
1675 	struct a {
1676 		long	dir;		/* char    * */
1677 		long	flags;
1678 	} *uap = (struct a *)clwp->lwp_ap;
1679 
1680 	aus_umount_path((caddr_t)uap->dir);
1681 
1682 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1683 }
1684 
1685 static void
1686 aus_msgsys(struct t_audit_data *tad)
1687 {
1688 	klwp_t *clwp = ttolwp(curthread);
1689 	uint32_t msgid;
1690 
1691 	struct b {
1692 		long	msgid;
1693 		long	cmd;
1694 		long	buf;		/* struct msqid_ds * */
1695 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1696 
1697 	msgid = (uint32_t)uap1->msgid;
1698 
1699 
1700 	switch (tad->tad_event) {
1701 	case AUE_MSGGET:		/* msgget */
1702 		au_uwrite(au_to_arg32(1, "msg key", msgid));
1703 		break;
1704 	case AUE_MSGCTL:		/* msgctl */
1705 	case AUE_MSGCTL_RMID:		/* msgctl */
1706 	case AUE_MSGCTL_STAT:		/* msgctl */
1707 	case AUE_MSGRCV:		/* msgrcv */
1708 	case AUE_MSGSND:		/* msgsnd */
1709 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1710 		break;
1711 	case AUE_MSGCTL_SET:		/* msgctl */
1712 		au_uwrite(au_to_arg32(1, "msg ID", msgid));
1713 		break;
1714 	}
1715 }
1716 
1717 /*ARGSUSED*/
1718 static void
1719 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1720 {
1721 	int id;
1722 
1723 	if (error != 0)
1724 		return;
1725 	if (tad->tad_event == AUE_MSGGET) {
1726 		uint32_t scid;
1727 		uint32_t sy_flags;
1728 
1729 		/* need to determine type of executing binary */
1730 		scid = tad->tad_scid;
1731 #ifdef _SYSCALL32_IMPL
1732 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1733 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1734 		else
1735 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1736 #else
1737 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1738 #endif
1739 		if (sy_flags == SE_32RVAL1)
1740 			id = rval->r_val1;
1741 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1742 			id = rval->r_val1;
1743 		if (sy_flags == SE_64RVAL)
1744 			id = (int)rval->r_vals;
1745 
1746 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1747 	}
1748 }
1749 
1750 static void
1751 aus_semsys(struct t_audit_data *tad)
1752 {
1753 	klwp_t *clwp = ttolwp(curthread);
1754 	uint32_t semid;
1755 
1756 	struct b {		/* ctrl */
1757 		long	semid;
1758 		long	semnum;
1759 		long	cmd;
1760 		long	arg;
1761 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
1762 
1763 	semid = (uint32_t)uap1->semid;
1764 
1765 	switch (tad->tad_event) {
1766 	case AUE_SEMCTL_RMID:
1767 	case AUE_SEMCTL_STAT:
1768 	case AUE_SEMCTL_GETNCNT:
1769 	case AUE_SEMCTL_GETPID:
1770 	case AUE_SEMCTL_GETVAL:
1771 	case AUE_SEMCTL_GETALL:
1772 	case AUE_SEMCTL_GETZCNT:
1773 	case AUE_SEMCTL_SETVAL:
1774 	case AUE_SEMCTL_SETALL:
1775 	case AUE_SEMCTL:
1776 	case AUE_SEMOP:
1777 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1778 		break;
1779 	case AUE_SEMCTL_SET:
1780 		au_uwrite(au_to_arg32(1, "sem ID", semid));
1781 		break;
1782 	case AUE_SEMGET:
1783 		au_uwrite(au_to_arg32(1, "sem key", semid));
1784 		break;
1785 	}
1786 }
1787 
1788 /*ARGSUSED*/
1789 static void
1790 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1791 {
1792 	int id;
1793 
1794 	if (error != 0)
1795 		return;
1796 	if (tad->tad_event == AUE_SEMGET) {
1797 		uint32_t scid;
1798 		uint32_t sy_flags;
1799 
1800 		/* need to determine type of executing binary */
1801 		scid = tad->tad_scid;
1802 #ifdef _SYSCALL32_IMPL
1803 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1804 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1805 		else
1806 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1807 #else
1808 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1809 #endif
1810 		if (sy_flags == SE_32RVAL1)
1811 			id = rval->r_val1;
1812 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1813 			id = rval->r_val1;
1814 		if (sy_flags == SE_64RVAL)
1815 			id = (int)rval->r_vals;
1816 
1817 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1818 	}
1819 }
1820 
1821 /*ARGSUSED*/
1822 static void
1823 aus_close(struct t_audit_data *tad)
1824 {
1825 	klwp_t *clwp = ttolwp(curthread);
1826 	uint32_t fd;
1827 	struct file *fp;
1828 	struct f_audit_data *fad;
1829 	struct vnode *vp;
1830 	struct vattr attr;
1831 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1832 
1833 	struct a {
1834 		long	i;
1835 	} *uap = (struct a *)clwp->lwp_ap;
1836 
1837 	fd = (uint32_t)uap->i;
1838 
1839 	attr.va_mask = 0;
1840 	au_uwrite(au_to_arg32(1, "fd", fd));
1841 
1842 		/*
1843 		 * convert file pointer to file descriptor
1844 		 *   Note: fd ref count incremented here.
1845 		 */
1846 	if ((fp = getf(fd)) == NULL)
1847 		return;
1848 
1849 	fad = F2A(fp);
1850 	tad->tad_evmod = (short)fad->fad_flags;
1851 	if (fad->fad_aupath != NULL) {
1852 		au_uwrite(au_to_path(fad->fad_aupath));
1853 		if ((vp = fp->f_vnode) != NULL) {
1854 			attr.va_mask = AT_ALL;
1855 			if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1856 				/*
1857 				 * When write was not used and the file can be
1858 				 * considered public, skip the audit.
1859 				 */
1860 				if (((fp->f_flag & FWRITE) == 0) &&
1861 				    file_is_public(&attr)) {
1862 					tad->tad_flag = 0;
1863 					tad->tad_evmod = 0;
1864 					/* free any residual audit data */
1865 					au_close(kctx, &(u_ad), 0, 0, 0);
1866 					releasef(fd);
1867 					return;
1868 				}
1869 				au_uwrite(au_to_attr(&attr));
1870 				audit_sec_attributes(&(u_ad), vp);
1871 			}
1872 		}
1873 	}
1874 
1875 	/* decrement file descriptor reference count */
1876 	releasef(fd);
1877 }
1878 
1879 /*ARGSUSED*/
1880 static void
1881 aus_fstatfs(struct t_audit_data *tad)
1882 {
1883 	klwp_t *clwp = ttolwp(curthread);
1884 	uint32_t fd;
1885 	struct file  *fp;
1886 	struct vnode *vp;
1887 	struct f_audit_data *fad;
1888 
1889 	struct a {
1890 		long	fd;
1891 		long	buf;		/* struct statfs * */
1892 	} *uap = (struct a *)clwp->lwp_ap;
1893 
1894 	fd = (uint_t)uap->fd;
1895 
1896 		/*
1897 		 * convert file pointer to file descriptor
1898 		 *   Note: fd ref count incremented here.
1899 		 */
1900 	if ((fp = getf(fd)) == NULL)
1901 		return;
1902 
1903 		/* get path from file struct here */
1904 	fad = F2A(fp);
1905 	if (fad->fad_aupath != NULL) {
1906 		au_uwrite(au_to_path(fad->fad_aupath));
1907 	} else {
1908 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
1909 	}
1910 
1911 	vp = fp->f_vnode;
1912 	audit_attributes(vp);
1913 
1914 	/* decrement file descriptor reference count */
1915 	releasef(fd);
1916 }
1917 
1918 #ifdef NOTYET
1919 /*ARGSUSED*/
1920 static void
1921 aus_setpgrp(struct t_audit_data *tad)
1922 {
1923 	klwp_t *clwp = ttolwp(curthread);
1924 	uint32_t pgrp;
1925 	struct proc *p;
1926 	uid_t uid, ruid;
1927 	gid_t gid, rgid;
1928 	pid_t pid;
1929 	const auditinfo_addr_t *ainfo;
1930 	cred_t *cr;
1931 
1932 	struct a {
1933 		long	pid;
1934 		long	pgrp;
1935 	} *uap = (struct a *)clwp->lwp_ap;
1936 
1937 	pid  = (pid_t)uap->pid;
1938 	pgrp = (uint32_t)uap->pgrp;
1939 
1940 		/* current process? */
1941 	if (pid == 0)
1942 		(return);
1943 
1944 	mutex_enter(&pidlock);
1945 	p = prfind(pid);
1946 	if (p == NULL || p->p_as == &kas) {
1947 		mutex_exit(&pidlock);
1948 		return;
1949 	}
1950 	mutex_enter(&p->p_lock);	/* so process doesn't go away */
1951 	mutex_exit(&pidlock);
1952 
1953 	mutex_enter(&p->p_crlock);
1954 	crhold(cr = p->p_cred);
1955 	mutex_exit(&p->p_crlock);
1956 	mutex_exit(&p->p_lock);
1957 
1958 	ainfo = crgetauinfo(cr);
1959 	if (ainfo == NULL) {
1960 		crfree(cr);
1961 		return;
1962 	}
1963 
1964 	uid  = crgetuid(cr);
1965 	gid  = crgetgid(cr);
1966 	ruid = crgetruid(cr);
1967 	rgid = crgetrgid(cr);
1968 	au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1969 	    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1970 	crfree(cr);
1971 	au_uwrite(au_to_arg32(2, "pgrp", pgrp));
1972 }
1973 #endif
1974 
1975 /*ARGSUSED*/
1976 static void
1977 aus_setregid(struct t_audit_data *tad)
1978 {
1979 	klwp_t *clwp = ttolwp(curthread);
1980 	uint32_t rgid, egid;
1981 
1982 	struct a {
1983 		long	 rgid;
1984 		long	 egid;
1985 	} *uap = (struct a *)clwp->lwp_ap;
1986 
1987 	rgid  = (uint32_t)uap->rgid;
1988 	egid  = (uint32_t)uap->egid;
1989 
1990 	au_uwrite(au_to_arg32(1, "rgid", rgid));
1991 	au_uwrite(au_to_arg32(2, "egid", egid));
1992 }
1993 
1994 /*ARGSUSED*/
1995 static void
1996 aus_setgid(struct t_audit_data *tad)
1997 {
1998 	klwp_t *clwp = ttolwp(curthread);
1999 	uint32_t gid;
2000 
2001 	struct a {
2002 		long	gid;
2003 	} *uap = (struct a *)clwp->lwp_ap;
2004 
2005 	gid = (uint32_t)uap->gid;
2006 
2007 	au_uwrite(au_to_arg32(1, "gid", gid));
2008 }
2009 
2010 
2011 /*ARGSUSED*/
2012 static void
2013 aus_setreuid(struct t_audit_data *tad)
2014 {
2015 	klwp_t *clwp = ttolwp(curthread);
2016 	uint32_t ruid, euid;
2017 
2018 	struct a {
2019 		long	ruid;
2020 		long	euid;
2021 	} *uap = (struct a *)clwp->lwp_ap;
2022 
2023 	ruid = (uint32_t)uap->ruid;
2024 	euid  = (uint32_t)uap->euid;
2025 
2026 	au_uwrite(au_to_arg32(1, "ruid", ruid));
2027 	au_uwrite(au_to_arg32(2, "euid", euid));
2028 }
2029 
2030 
2031 /*ARGSUSED*/
2032 static void
2033 aus_setuid(struct t_audit_data *tad)
2034 {
2035 	klwp_t *clwp = ttolwp(curthread);
2036 	uint32_t uid;
2037 
2038 	struct a {
2039 		long	uid;
2040 	} *uap = (struct a *)clwp->lwp_ap;
2041 
2042 	uid = (uint32_t)uap->uid;
2043 
2044 	au_uwrite(au_to_arg32(1, "uid", uid));
2045 }
2046 
2047 /*ARGSUSED*/
2048 static void
2049 aus_shmsys(struct t_audit_data *tad)
2050 {
2051 	klwp_t *clwp = ttolwp(curthread);
2052 	uint32_t id, cmd;
2053 
2054 	struct b {
2055 		long	id;
2056 		long	cmd;
2057 		long	buf;		/* struct shmid_ds * */
2058 	} *uap1 = (struct b *)&clwp->lwp_ap[1];
2059 
2060 	id  = (uint32_t)uap1->id;
2061 	cmd = (uint32_t)uap1->cmd;
2062 
2063 	switch (tad->tad_event) {
2064 	case AUE_SHMGET:			/* shmget */
2065 		au_uwrite(au_to_arg32(1, "shm key", id));
2066 		break;
2067 	case AUE_SHMCTL:			/* shmctl */
2068 	case AUE_SHMCTL_RMID:			/* shmctl */
2069 	case AUE_SHMCTL_STAT:			/* shmctl */
2070 	case AUE_SHMCTL_SET:			/* shmctl */
2071 		au_uwrite(au_to_arg32(1, "shm ID", id));
2072 		break;
2073 	case AUE_SHMDT:				/* shmdt */
2074 		au_uwrite(au_to_arg32(1, "shm adr", id));
2075 		break;
2076 	case AUE_SHMAT:				/* shmat */
2077 		au_uwrite(au_to_arg32(1, "shm ID", id));
2078 		au_uwrite(au_to_arg32(2, "shm adr", cmd));
2079 		break;
2080 	}
2081 }
2082 
2083 /*ARGSUSED*/
2084 static void
2085 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2086 {
2087 	int id;
2088 
2089 	if (error != 0)
2090 		return;
2091 	if (tad->tad_event == AUE_SHMGET) {
2092 		uint32_t scid;
2093 		uint32_t sy_flags;
2094 
2095 		/* need to determine type of executing binary */
2096 		scid = tad->tad_scid;
2097 #ifdef _SYSCALL32_IMPL
2098 		if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2099 			sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2100 		else
2101 			sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2102 #else
2103 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2104 #endif
2105 		if (sy_flags == SE_32RVAL1)
2106 			id = rval->r_val1;
2107 		if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2108 			id = rval->r_val1;
2109 		if (sy_flags == SE_64RVAL)
2110 			id = (int)rval->r_vals;
2111 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2112 	}
2113 }
2114 
2115 
2116 /*ARGSUSED*/
2117 static void
2118 aus_ioctl(struct t_audit_data *tad)
2119 {
2120 	klwp_t *clwp = ttolwp(curthread);
2121 	struct file *fp;
2122 	struct vnode *vp;
2123 	struct f_audit_data *fad;
2124 	uint32_t fd, cmd;
2125 	uintptr_t cmarg;
2126 
2127 	/* XX64 */
2128 	struct a {
2129 		long	fd;
2130 		long	cmd;
2131 		long	cmarg;		/* caddr_t */
2132 	} *uap = (struct a *)clwp->lwp_ap;
2133 
2134 	fd    = (uint32_t)uap->fd;
2135 	cmd   = (uint32_t)uap->cmd;
2136 	cmarg = (uintptr_t)uap->cmarg;
2137 
2138 		/*
2139 		 * convert file pointer to file descriptor
2140 		 *   Note: fd ref count incremented here.
2141 		 */
2142 	if ((fp = getf(fd)) == NULL) {
2143 		au_uwrite(au_to_arg32(1, "fd", fd));
2144 		au_uwrite(au_to_arg32(2, "cmd", cmd));
2145 #ifndef _LP64
2146 			au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2147 #else
2148 			au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2149 #endif
2150 		return;
2151 	}
2152 
2153 	/* get path from file struct here */
2154 	fad = F2A(fp);
2155 	if (fad->fad_aupath != NULL) {
2156 		au_uwrite(au_to_path(fad->fad_aupath));
2157 	} else {
2158 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2159 	}
2160 
2161 	vp = fp->f_vnode;
2162 	audit_attributes(vp);
2163 
2164 	/* decrement file descriptor reference count */
2165 	releasef(fd);
2166 
2167 	au_uwrite(au_to_arg32(2, "cmd", cmd));
2168 #ifndef _LP64
2169 		au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2170 #else
2171 		au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2172 #endif
2173 }
2174 
2175 /*
2176  * null function for memcntl for now. We might want to limit memcntl()
2177  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2178  * require privileges.
2179  */
2180 static au_event_t
2181 aui_memcntl(au_event_t e)
2182 {
2183 	return (e);
2184 }
2185 
2186 /*ARGSUSED*/
2187 static au_event_t
2188 aui_privsys(au_event_t e)
2189 {
2190 	klwp_t *clwp = ttolwp(curthread);
2191 
2192 	struct a {
2193 		long	opcode;
2194 	} *uap = (struct a *)clwp->lwp_ap;
2195 
2196 	switch (uap->opcode) {
2197 	case PRIVSYS_SETPPRIV:
2198 		return (AUE_SETPPRIV);
2199 	default:
2200 		return (AUE_NULL);
2201 	}
2202 }
2203 
2204 /*ARGSUSED*/
2205 static void
2206 aus_memcntl(struct t_audit_data *tad)
2207 {
2208 	klwp_t *clwp = ttolwp(curthread);
2209 
2210 	struct a {
2211 		long	addr;
2212 		long	len;
2213 		long	cmd;
2214 		long	arg;
2215 		long	attr;
2216 		long	mask;
2217 	} *uap = (struct a *)clwp->lwp_ap;
2218 
2219 #ifdef _LP64
2220 	au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2221 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2222 #else
2223 	au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2224 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2225 #endif
2226 	au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2227 #ifdef _LP64
2228 	au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2229 #else
2230 	au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2231 #endif
2232 	au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2233 	au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2234 }
2235 
2236 /*ARGSUSED*/
2237 static void
2238 aus_mmap(struct t_audit_data *tad)
2239 {
2240 	klwp_t *clwp = ttolwp(curthread);
2241 	struct file *fp;
2242 	struct f_audit_data *fad;
2243 	struct vnode *vp;
2244 	uint32_t fd;
2245 
2246 	struct a {
2247 		long	addr;
2248 		long	len;
2249 		long	prot;
2250 		long	flags;
2251 		long	fd;
2252 		long	pos;
2253 	} *uap = (struct a *)clwp->lwp_ap;
2254 
2255 	fd = (uint32_t)uap->fd;
2256 
2257 #ifdef _LP64
2258 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2259 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2260 #else
2261 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2262 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2263 #endif
2264 
2265 	if ((fp = getf(fd)) == NULL) {
2266 		au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2267 		return;
2268 	}
2269 
2270 	/*
2271 	 * Mark in the tad if write access is NOT requested... if
2272 	 * this is later detected (in audit_attributes) to be a
2273 	 * public object, the mmap event may be discarded.
2274 	 */
2275 	if (((uap->prot) & PROT_WRITE) == 0) {
2276 		tad->tad_ctrl |= PAD_PUBLIC_EV;
2277 	}
2278 
2279 	fad = F2A(fp);
2280 	if (fad->fad_aupath != NULL) {
2281 		au_uwrite(au_to_path(fad->fad_aupath));
2282 	} else {
2283 		au_uwrite(au_to_arg32(1, "no path: fd", fd));
2284 	}
2285 
2286 	vp = (struct vnode *)fp->f_vnode;
2287 	audit_attributes(vp);
2288 
2289 	/* mark READ/WRITE since we can't predict access */
2290 	if (uap->prot & PROT_READ)
2291 		fad->fad_flags |= FAD_READ;
2292 	if (uap->prot & PROT_WRITE)
2293 		fad->fad_flags |= FAD_WRITE;
2294 
2295 	/* decrement file descriptor reference count */
2296 	releasef(fd);
2297 
2298 }	/* AUS_MMAP */
2299 
2300 
2301 
2302 
2303 /*ARGSUSED*/
2304 static void
2305 aus_munmap(struct t_audit_data *tad)
2306 {
2307 	klwp_t *clwp = ttolwp(curthread);
2308 
2309 	struct a {
2310 		long	addr;
2311 		long	len;
2312 	} *uap = (struct a *)clwp->lwp_ap;
2313 
2314 #ifdef _LP64
2315 	au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2316 	au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2317 #else
2318 	au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2319 	au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2320 #endif
2321 
2322 }	/* AUS_MUNMAP */
2323 
2324 
2325 
2326 
2327 
2328 
2329 
2330 /*ARGSUSED*/
2331 static void
2332 aus_priocntlsys(struct t_audit_data *tad)
2333 {
2334 	klwp_t *clwp = ttolwp(curthread);
2335 
2336 	struct a {
2337 		long	pc_version;
2338 		long	psp;		/* procset_t */
2339 		long	cmd;
2340 		long	arg;
2341 	} *uap = (struct a *)clwp->lwp_ap;
2342 
2343 	au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2344 	au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2345 
2346 }	/* AUS_PRIOCNTLSYS */
2347 
2348 
2349 /*ARGSUSED*/
2350 static void
2351 aus_setegid(struct t_audit_data *tad)
2352 {
2353 	klwp_t *clwp = ttolwp(curthread);
2354 	uint32_t gid;
2355 
2356 	struct a {
2357 		long	gid;
2358 	} *uap = (struct a *)clwp->lwp_ap;
2359 
2360 	gid = (uint32_t)uap->gid;
2361 
2362 	au_uwrite(au_to_arg32(1, "gid", gid));
2363 }	/* AUS_SETEGID */
2364 
2365 
2366 
2367 
2368 /*ARGSUSED*/
2369 static void
2370 aus_setgroups(struct t_audit_data *tad)
2371 {
2372 	klwp_t *clwp = ttolwp(curthread);
2373 	int i;
2374 	int gidsetsize;
2375 	uintptr_t gidset;
2376 	gid_t *gidlist;
2377 
2378 	struct a {
2379 		long	gidsetsize;
2380 		long	gidset;
2381 	} *uap = (struct a *)clwp->lwp_ap;
2382 
2383 	gidsetsize = (uint_t)uap->gidsetsize;
2384 	gidset = (uintptr_t)uap->gidset;
2385 
2386 	if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2387 		return;
2388 	if (gidsetsize != 0) {
2389 		gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2390 		    KM_SLEEP);
2391 		if (copyin((caddr_t)gidset, gidlist,
2392 		    gidsetsize * sizeof (gid_t)) == 0)
2393 			for (i = 0; i < gidsetsize; i++)
2394 				au_uwrite(au_to_arg32(1, "setgroups",
2395 				    (uint32_t)gidlist[i]));
2396 		kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2397 	} else
2398 		au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2399 
2400 }	/* AUS_SETGROUPS */
2401 
2402 
2403 
2404 
2405 
2406 /*ARGSUSED*/
2407 static void
2408 aus_seteuid(struct t_audit_data *tad)
2409 {
2410 	klwp_t *clwp = ttolwp(curthread);
2411 	uint32_t uid;
2412 
2413 	struct a {
2414 		long	uid;
2415 	} *uap = (struct a *)clwp->lwp_ap;
2416 
2417 	uid = (uint32_t)uap->uid;
2418 
2419 	au_uwrite(au_to_arg32(1, "euid", uid));
2420 
2421 }	/* AUS_SETEUID */
2422 
2423 /*ARGSUSED*/
2424 static void
2425 aus_putmsg(struct t_audit_data *tad)
2426 {
2427 	klwp_t *clwp = ttolwp(curthread);
2428 	uint32_t fd, pri;
2429 	struct file *fp;
2430 	struct f_audit_data *fad;
2431 
2432 	struct a {
2433 		long	fdes;
2434 		long	ctl;		/* struct strbuf * */
2435 		long	data;		/* struct strbuf * */
2436 		long	pri;
2437 	} *uap = (struct a *)clwp->lwp_ap;
2438 
2439 	fd  = (uint32_t)uap->fdes;
2440 	pri = (uint32_t)uap->pri;
2441 
2442 	au_uwrite(au_to_arg32(1, "fd", fd));
2443 
2444 	if ((fp = getf(fd)) != NULL) {
2445 		fad = F2A(fp);
2446 
2447 		fad->fad_flags |= FAD_WRITE;
2448 
2449 		/* add path name to audit record */
2450 		if (fad->fad_aupath != NULL) {
2451 			au_uwrite(au_to_path(fad->fad_aupath));
2452 		}
2453 		audit_attributes(fp->f_vnode);
2454 
2455 		releasef(fd);
2456 	}
2457 
2458 	au_uwrite(au_to_arg32(4, "pri", pri));
2459 }
2460 
2461 /*ARGSUSED*/
2462 static void
2463 aus_putpmsg(struct t_audit_data *tad)
2464 {
2465 	klwp_t *clwp = ttolwp(curthread);
2466 	uint32_t fd, pri, flags;
2467 	struct file *fp;
2468 	struct f_audit_data *fad;
2469 
2470 	struct a {
2471 		long	fdes;
2472 		long	ctl;		/* struct strbuf * */
2473 		long	data;		/* struct strbuf * */
2474 		long	pri;
2475 		long	flags;
2476 	} *uap = (struct a *)clwp->lwp_ap;
2477 
2478 	fd = (uint32_t)uap->fdes;
2479 	pri  = (uint32_t)uap->pri;
2480 	flags  = (uint32_t)uap->flags;
2481 
2482 	au_uwrite(au_to_arg32(1, "fd", fd));
2483 
2484 	if ((fp = getf(fd)) != NULL) {
2485 		fad = F2A(fp);
2486 
2487 		fad->fad_flags |= FAD_WRITE;
2488 
2489 		/* add path name to audit record */
2490 		if (fad->fad_aupath != NULL) {
2491 			au_uwrite(au_to_path(fad->fad_aupath));
2492 		}
2493 		audit_attributes(fp->f_vnode);
2494 
2495 		releasef(fd);
2496 	}
2497 
2498 
2499 	au_uwrite(au_to_arg32(4, "pri", pri));
2500 	au_uwrite(au_to_arg32(5, "flags", flags));
2501 }
2502 
2503 /*ARGSUSED*/
2504 static void
2505 aus_getmsg(struct t_audit_data *tad)
2506 {
2507 	klwp_t *clwp = ttolwp(curthread);
2508 	uint32_t fd, pri;
2509 	struct file *fp;
2510 	struct f_audit_data *fad;
2511 
2512 	struct a {
2513 		long	fdes;
2514 		long	ctl;		/* struct strbuf * */
2515 		long	data;		/* struct strbuf * */
2516 		long	pri;
2517 	} *uap = (struct a *)clwp->lwp_ap;
2518 
2519 	fd  = (uint32_t)uap->fdes;
2520 	pri = (uint32_t)uap->pri;
2521 
2522 	au_uwrite(au_to_arg32(1, "fd", fd));
2523 
2524 	if ((fp = getf(fd)) != NULL) {
2525 		fad = F2A(fp);
2526 
2527 		/*
2528 		 * read operation on this object
2529 		 */
2530 		fad->fad_flags |= FAD_READ;
2531 
2532 		/* add path name to audit record */
2533 		if (fad->fad_aupath != NULL) {
2534 			au_uwrite(au_to_path(fad->fad_aupath));
2535 		}
2536 		audit_attributes(fp->f_vnode);
2537 
2538 		releasef(fd);
2539 	}
2540 
2541 	au_uwrite(au_to_arg32(4, "pri", pri));
2542 }
2543 
2544 /*ARGSUSED*/
2545 static void
2546 aus_getpmsg(struct t_audit_data *tad)
2547 {
2548 	klwp_t *clwp = ttolwp(curthread);
2549 	uint32_t fd;
2550 	struct file *fp;
2551 	struct f_audit_data *fad;
2552 
2553 	struct a {
2554 		long	fdes;
2555 		long	ctl;		/* struct strbuf * */
2556 		long	data;		/* struct strbuf * */
2557 		long	pri;
2558 		long	flags;
2559 	} *uap = (struct a *)clwp->lwp_ap;
2560 
2561 	fd = (uint32_t)uap->fdes;
2562 
2563 	au_uwrite(au_to_arg32(1, "fd", fd));
2564 
2565 	if ((fp = getf(fd)) != NULL) {
2566 		fad = F2A(fp);
2567 
2568 		/*
2569 		 * read operation on this object
2570 		 */
2571 		fad->fad_flags |= FAD_READ;
2572 
2573 		/* add path name to audit record */
2574 		if (fad->fad_aupath != NULL) {
2575 			au_uwrite(au_to_path(fad->fad_aupath));
2576 		}
2577 		audit_attributes(fp->f_vnode);
2578 
2579 		releasef(fd);
2580 	}
2581 }
2582 
2583 static au_event_t
2584 aui_labelsys(au_event_t e)
2585 {
2586 	klwp_t *clwp = ttolwp(curthread);
2587 	uint32_t code;
2588 	uint32_t cmd;
2589 
2590 	struct a {
2591 		long	code;
2592 		long	cmd;
2593 	} *uap = (struct a *)clwp->lwp_ap;
2594 
2595 	code = (uint32_t)uap->code;
2596 	cmd = (uint32_t)uap->cmd;
2597 
2598 	/* not security relevant if not changing kernel cache */
2599 	if (cmd == TNDB_GET)
2600 		return (NULL);
2601 
2602 	switch (code) {
2603 	case TSOL_TNRH:
2604 		e = AUE_LABELSYS_TNRH;
2605 		break;
2606 	case TSOL_TNRHTP:
2607 		e = AUE_LABELSYS_TNRHTP;
2608 		break;
2609 	case TSOL_TNMLP:
2610 		e = AUE_LABELSYS_TNMLP;
2611 		break;
2612 	default:
2613 		e = AUE_NULL;
2614 		break;
2615 	}
2616 
2617 	return (e);
2618 
2619 }
2620 
2621 /*ARGSUSED*/
2622 static void
2623 aus_labelsys(struct t_audit_data *tad)
2624 {
2625 	klwp_t *clwp = ttolwp(curthread);
2626 	uint32_t cmd;
2627 	uintptr_t a2;
2628 
2629 	struct a {
2630 		long	code;
2631 		long	cmd;
2632 		long	a2;
2633 	} *uap = (struct a *)clwp->lwp_ap;
2634 
2635 	cmd = (uint32_t)uap->cmd;
2636 	a2 = (uintptr_t)uap->a2;
2637 
2638 	switch (tad->tad_event) {
2639 	case AUE_LABELSYS_TNRH:
2640 	{
2641 		tsol_rhent_t	*rhent;
2642 		tnaddr_t	*rh_addr;
2643 
2644 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2645 
2646 		/* Remaining args don't apply for FLUSH, so skip */
2647 		if (cmd == TNDB_FLUSH)
2648 			break;
2649 
2650 		rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2651 		if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2652 			kmem_free(rhent, sizeof (tsol_rhent_t));
2653 			return;
2654 		}
2655 
2656 		rh_addr = &rhent->rh_address;
2657 		if (rh_addr->ta_family == AF_INET) {
2658 			struct in_addr	*ipaddr;
2659 
2660 			ipaddr = &(rh_addr->ta_addr_v4);
2661 			au_uwrite(au_to_in_addr(ipaddr));
2662 		} else if (rh_addr->ta_family == AF_INET6) {
2663 			int32_t		*ipaddr;
2664 
2665 			ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2666 			au_uwrite(au_to_in_addr_ex(ipaddr));
2667 		}
2668 		au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2669 
2670 		kmem_free(rhent, sizeof (tsol_rhent_t));
2671 
2672 		break;
2673 	}
2674 	case AUE_LABELSYS_TNRHTP:
2675 	{
2676 		tsol_tpent_t	*tpent;
2677 
2678 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2679 
2680 		/* Remaining args don't apply for FLUSH, so skip */
2681 		if (cmd == TNDB_FLUSH)
2682 			break;
2683 
2684 		tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2685 		if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2686 			kmem_free(tpent, sizeof (tsol_tpent_t));
2687 			return;
2688 		}
2689 
2690 		au_uwrite(au_to_text(tpent->name));
2691 		kmem_free(tpent, sizeof (tsol_tpent_t));
2692 
2693 		break;
2694 	}
2695 	case AUE_LABELSYS_TNMLP:
2696 	{
2697 		tsol_mlpent_t	*mlpent;
2698 
2699 		au_uwrite(au_to_arg32(1, "cmd", cmd));
2700 
2701 		mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2702 		if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2703 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2704 			return;
2705 		}
2706 
2707 		if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2708 			au_uwrite(au_to_text("shared"));
2709 		} else {
2710 			zone_t	*zone;
2711 
2712 			zone = zone_find_by_id(mlpent->tsme_zoneid);
2713 			if (zone != NULL) {
2714 				au_uwrite(au_to_text(zone->zone_name));
2715 				zone_rele(zone);
2716 			}
2717 		}
2718 
2719 		/* Remaining args don't apply for FLUSH, so skip */
2720 		if (cmd == TNDB_FLUSH) {
2721 			kmem_free(mlpent, sizeof (tsol_mlpent_t));
2722 			break;
2723 		}
2724 
2725 		au_uwrite(au_to_arg32(2, "proto num",
2726 		    (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2727 		au_uwrite(au_to_arg32(2, "mlp_port",
2728 		    (uint32_t)mlpent->tsme_mlp.mlp_port));
2729 
2730 		if (mlpent->tsme_mlp.mlp_port_upper != 0)
2731 			au_uwrite(au_to_arg32(2, "mlp_port_upper",
2732 			    (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2733 
2734 		kmem_free(mlpent, sizeof (tsol_mlpent_t));
2735 
2736 		break;
2737 	}
2738 	default:
2739 		break;
2740 	}
2741 }
2742 
2743 
2744 static au_event_t
2745 aui_auditsys(au_event_t e)
2746 {
2747 	klwp_t *clwp = ttolwp(curthread);
2748 	uint32_t code;
2749 
2750 	struct a {
2751 		long	code;
2752 		long	a1;
2753 		long	a2;
2754 		long	a3;
2755 		long	a4;
2756 		long	a5;
2757 		long	a6;
2758 		long	a7;
2759 	} *uap = (struct a *)clwp->lwp_ap;
2760 
2761 	code = (uint32_t)uap->code;
2762 
2763 	switch (code) {
2764 
2765 	case BSM_GETAUID:
2766 		e = AUE_GETAUID;
2767 		break;
2768 	case BSM_SETAUID:
2769 		e = AUE_SETAUID;
2770 		break;
2771 	case BSM_GETAUDIT:
2772 		e = AUE_GETAUDIT;
2773 		break;
2774 	case BSM_GETAUDIT_ADDR:
2775 		e = AUE_GETAUDIT_ADDR;
2776 		break;
2777 	case BSM_SETAUDIT:
2778 		e = AUE_SETAUDIT;
2779 		break;
2780 	case BSM_SETAUDIT_ADDR:
2781 		e = AUE_SETAUDIT_ADDR;
2782 		break;
2783 	case BSM_AUDIT:
2784 		e = AUE_AUDIT;
2785 		break;
2786 	case BSM_GETPORTAUDIT:
2787 		e = AUE_GETPORTAUDIT;
2788 		break;
2789 	case BSM_AUDITON:
2790 	case BSM_AUDITCTL:
2791 
2792 		switch ((uint_t)uap->a1) {
2793 
2794 		case A_GETPOLICY:
2795 			e = AUE_AUDITON_GPOLICY;
2796 			break;
2797 		case A_SETPOLICY:
2798 			e = AUE_AUDITON_SPOLICY;
2799 			break;
2800 		case A_GETKMASK:
2801 			e = AUE_AUDITON_GETKMASK;
2802 			break;
2803 		case A_SETKMASK:
2804 			e = AUE_AUDITON_SETKMASK;
2805 			break;
2806 		case A_GETQCTRL:
2807 			e = AUE_AUDITON_GQCTRL;
2808 			break;
2809 		case A_SETQCTRL:
2810 			e = AUE_AUDITON_SQCTRL;
2811 			break;
2812 		case A_GETCWD:
2813 			e = AUE_AUDITON_GETCWD;
2814 			break;
2815 		case A_GETCAR:
2816 			e = AUE_AUDITON_GETCAR;
2817 			break;
2818 		case A_GETSTAT:
2819 			e = AUE_AUDITON_GETSTAT;
2820 			break;
2821 		case A_SETSTAT:
2822 			e = AUE_AUDITON_SETSTAT;
2823 			break;
2824 		case A_SETUMASK:
2825 			e = AUE_AUDITON_SETUMASK;
2826 			break;
2827 		case A_SETSMASK:
2828 			e = AUE_AUDITON_SETSMASK;
2829 			break;
2830 		case A_GETCOND:
2831 			e = AUE_AUDITON_GETCOND;
2832 			break;
2833 		case A_SETCOND:
2834 			e = AUE_AUDITON_SETCOND;
2835 			break;
2836 		case A_GETCLASS:
2837 			e = AUE_AUDITON_GETCLASS;
2838 			break;
2839 		case A_SETCLASS:
2840 			e = AUE_AUDITON_SETCLASS;
2841 			break;
2842 		default:
2843 			e = AUE_NULL;
2844 			break;
2845 		}
2846 		break;
2847 	default:
2848 		e = AUE_NULL;
2849 		break;
2850 	}
2851 
2852 	return (e);
2853 
2854 }	/* AUI_AUDITSYS */
2855 
2856 
2857 static void
2858 aus_auditsys(struct t_audit_data *tad)
2859 {
2860 	klwp_t *clwp = ttolwp(curthread);
2861 	uintptr_t a1, a2;
2862 	STRUCT_DECL(auditinfo, ainfo);
2863 	STRUCT_DECL(auditinfo_addr, ainfo_addr);
2864 	au_evclass_map_t event;
2865 	au_mask_t mask;
2866 	int auditstate, policy;
2867 	au_id_t auid;
2868 
2869 
2870 	struct a {
2871 		long	code;
2872 		long	a1;
2873 		long	a2;
2874 		long	a3;
2875 		long	a4;
2876 		long	a5;
2877 		long	a6;
2878 		long	a7;
2879 	} *uap = (struct a *)clwp->lwp_ap;
2880 
2881 	a1   = (uintptr_t)uap->a1;
2882 	a2   = (uintptr_t)uap->a2;
2883 
2884 	switch (tad->tad_event) {
2885 	case AUE_SETAUID:
2886 		if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
2887 				return;
2888 		au_uwrite(au_to_arg32(2, "setauid", auid));
2889 		break;
2890 	case AUE_SETAUDIT:
2891 		STRUCT_INIT(ainfo, get_udatamodel());
2892 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
2893 		    STRUCT_SIZE(ainfo))) {
2894 				return;
2895 		}
2896 		au_uwrite(au_to_arg32((char)1, "setaudit:auid",
2897 		    (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
2898 #ifdef _LP64
2899 		au_uwrite(au_to_arg64((char)1, "setaudit:port",
2900 		    (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
2901 #else
2902 		au_uwrite(au_to_arg32((char)1, "setaudit:port",
2903 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
2904 #endif
2905 		au_uwrite(au_to_arg32((char)1, "setaudit:machine",
2906 		    (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
2907 		au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
2908 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
2909 		au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
2910 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
2911 		au_uwrite(au_to_arg32((char)1, "setaudit:asid",
2912 		    (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
2913 		break;
2914 	case AUE_SETAUDIT_ADDR:
2915 		STRUCT_INIT(ainfo_addr, get_udatamodel());
2916 		if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
2917 		    STRUCT_SIZE(ainfo_addr))) {
2918 				return;
2919 		}
2920 		au_uwrite(au_to_arg32((char)1, "auid",
2921 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
2922 #ifdef _LP64
2923 		au_uwrite(au_to_arg64((char)1, "port",
2924 		    (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2925 #else
2926 		au_uwrite(au_to_arg32((char)1, "port",
2927 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
2928 #endif
2929 		au_uwrite(au_to_arg32((char)1, "type",
2930 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
2931 		if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
2932 		    AU_IPv4) {
2933 			au_uwrite(au_to_in_addr(
2934 			    (struct in_addr *)STRUCT_FGETP(ainfo_addr,
2935 			    ai_termid.at_addr)));
2936 		} else {
2937 			au_uwrite(au_to_in_addr_ex(
2938 			    (int32_t *)STRUCT_FGETP(ainfo_addr,
2939 			    ai_termid.at_addr)));
2940 		}
2941 		au_uwrite(au_to_arg32((char)1, "as_success",
2942 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
2943 		au_uwrite(au_to_arg32((char)1, "as_failure",
2944 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
2945 		au_uwrite(au_to_arg32((char)1, "asid",
2946 		    (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
2947 		break;
2948 	case AUE_AUDITON_SETKMASK:
2949 		if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
2950 				return;
2951 		au_uwrite(au_to_arg32(
2952 		    2, "setkmask:as_success", (uint32_t)mask.as_success));
2953 		au_uwrite(au_to_arg32(
2954 		    2, "setkmask:as_failure", (uint32_t)mask.as_failure));
2955 		break;
2956 	case AUE_AUDITON_SPOLICY:
2957 		if (copyin((caddr_t)a2, &policy, sizeof (int)))
2958 			return;
2959 		au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
2960 		break;
2961 	case AUE_AUDITON_SQCTRL: {
2962 		STRUCT_DECL(au_qctrl, qctrl);
2963 		model_t model;
2964 
2965 		model = get_udatamodel();
2966 		STRUCT_INIT(qctrl, model);
2967 		if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
2968 				return;
2969 		if (model == DATAMODEL_ILP32) {
2970 			au_uwrite(au_to_arg32(
2971 			    3, "setqctrl:aq_hiwater",
2972 			    (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
2973 			au_uwrite(au_to_arg32(
2974 			    3, "setqctrl:aq_lowater",
2975 			    (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
2976 			au_uwrite(au_to_arg32(
2977 			    3, "setqctrl:aq_bufsz",
2978 			    (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
2979 			au_uwrite(au_to_arg32(
2980 			    3, "setqctrl:aq_delay",
2981 			    (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
2982 		} else {
2983 			au_uwrite(au_to_arg64(
2984 			    3, "setqctrl:aq_hiwater",
2985 			    (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
2986 			au_uwrite(au_to_arg64(
2987 			    3, "setqctrl:aq_lowater",
2988 			    (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
2989 			au_uwrite(au_to_arg64(
2990 			    3, "setqctrl:aq_bufsz",
2991 			    (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
2992 			au_uwrite(au_to_arg64(
2993 			    3, "setqctrl:aq_delay",
2994 			    (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
2995 		}
2996 		break;
2997 	}
2998 	case AUE_AUDITON_SETUMASK:
2999 		STRUCT_INIT(ainfo, get_udatamodel());
3000 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3001 		    STRUCT_SIZE(ainfo))) {
3002 			return;
3003 		}
3004 		au_uwrite(au_to_arg32(3, "setumask:as_success",
3005 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3006 		au_uwrite(au_to_arg32(3, "setumask:as_failure",
3007 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3008 		break;
3009 	case AUE_AUDITON_SETSMASK:
3010 		STRUCT_INIT(ainfo, get_udatamodel());
3011 		if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3012 		    STRUCT_SIZE(ainfo))) {
3013 			return;
3014 		}
3015 		au_uwrite(au_to_arg32(3, "setsmask:as_success",
3016 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3017 		au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3018 		    (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3019 		break;
3020 	case AUE_AUDITON_SETCOND:
3021 		if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3022 			return;
3023 		au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3024 		break;
3025 	case AUE_AUDITON_SETCLASS:
3026 		if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3027 			return;
3028 		au_uwrite(au_to_arg32(
3029 		    2, "setclass:ec_event", (uint32_t)event.ec_number));
3030 		au_uwrite(au_to_arg32(
3031 		    3, "setclass:ec_class", (uint32_t)event.ec_class));
3032 		break;
3033 	case AUE_GETAUID:
3034 	case AUE_GETAUDIT:
3035 	case AUE_GETAUDIT_ADDR:
3036 	case AUE_AUDIT:
3037 	case AUE_GETPORTAUDIT:
3038 	case AUE_AUDITON_GPOLICY:
3039 	case AUE_AUDITON_GQCTRL:
3040 	case AUE_AUDITON_GETKMASK:
3041 	case AUE_AUDITON_GETCWD:
3042 	case AUE_AUDITON_GETCAR:
3043 	case AUE_AUDITON_GETSTAT:
3044 	case AUE_AUDITON_SETSTAT:
3045 	case AUE_AUDITON_GETCOND:
3046 	case AUE_AUDITON_GETCLASS:
3047 		break;
3048 	default:
3049 		break;
3050 	}
3051 
3052 }	/* AUS_AUDITSYS */
3053 
3054 
3055 /* only audit privileged operations for systeminfo(2) system call */
3056 static au_event_t
3057 aui_sysinfo(au_event_t e)
3058 {
3059 	klwp_t *clwp = ttolwp(curthread);
3060 	uint32_t command;
3061 
3062 	struct a {
3063 		long	command;
3064 		long	buf;		/* char * */
3065 		long	count;
3066 	} *uap = (struct a *)clwp->lwp_ap;
3067 
3068 	command = (uint32_t)uap->command;
3069 
3070 	switch (command) {
3071 	case SI_SET_HOSTNAME:
3072 	case SI_SET_SRPC_DOMAIN:
3073 		e = (au_event_t)AUE_SYSINFO;
3074 		break;
3075 	default:
3076 		e = (au_event_t)AUE_NULL;
3077 		break;
3078 	}
3079 	return (e);
3080 }
3081 
3082 /*ARGSUSED*/
3083 static void
3084 aus_sysinfo(struct t_audit_data *tad)
3085 {
3086 	klwp_t *clwp = ttolwp(curthread);
3087 	uint32_t command;
3088 	size_t len, maxlen;
3089 	char *name;
3090 	uintptr_t buf;
3091 
3092 	struct a {
3093 		long	command;
3094 		long	buf;		/* char * */
3095 		long	count;
3096 	} *uap = (struct a *)clwp->lwp_ap;
3097 
3098 	command = (uint32_t)uap->command;
3099 	buf = (uintptr_t)uap->buf;
3100 
3101 	au_uwrite(au_to_arg32(1, "cmd", command));
3102 
3103 	switch (command) {
3104 	case SI_SET_HOSTNAME:
3105 	{
3106 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3107 			return;
3108 
3109 		maxlen = SYS_NMLN;
3110 		name = kmem_alloc(maxlen, KM_SLEEP);
3111 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3112 			break;
3113 
3114 		/*
3115 		 * Must be non-NULL string and string
3116 		 * must be less than SYS_NMLN chars.
3117 		 */
3118 		if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3119 			break;
3120 
3121 		au_uwrite(au_to_text(name));
3122 		break;
3123 	}
3124 
3125 	case SI_SET_SRPC_DOMAIN:
3126 	{
3127 		if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3128 			return;
3129 
3130 		maxlen = SYS_NMLN;
3131 		name = kmem_alloc(maxlen, KM_SLEEP);
3132 		if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3133 			break;
3134 
3135 		/*
3136 		 * If string passed in is longer than length
3137 		 * allowed for domain name, fail.
3138 		 */
3139 		if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3140 			break;
3141 
3142 		au_uwrite(au_to_text(name));
3143 		break;
3144 	}
3145 
3146 	default:
3147 		return;
3148 	}
3149 
3150 	kmem_free(name, maxlen);
3151 }
3152 
3153 static au_event_t
3154 aui_modctl(au_event_t e)
3155 {
3156 	klwp_t *clwp = ttolwp(curthread);
3157 	uint_t cmd;
3158 
3159 	struct a {
3160 		long	cmd;
3161 	} *uap = (struct a *)clwp->lwp_ap;
3162 
3163 	cmd = (uint_t)uap->cmd;
3164 
3165 	switch (cmd) {
3166 	case MODLOAD:
3167 		e = AUE_MODLOAD;
3168 		break;
3169 	case MODUNLOAD:
3170 		e = AUE_MODUNLOAD;
3171 		break;
3172 	case MODADDMAJBIND:
3173 		e = AUE_MODADDMAJ;
3174 		break;
3175 	case MODSETDEVPOLICY:
3176 		e = AUE_MODDEVPLCY;
3177 		break;
3178 	case MODALLOCPRIV:
3179 		e = AUE_MODADDPRIV;
3180 		break;
3181 	default:
3182 		e = AUE_NULL;
3183 		break;
3184 	}
3185 	return (e);
3186 }
3187 
3188 
3189 /*ARGSUSED*/
3190 static void
3191 aus_modctl(struct t_audit_data *tad)
3192 {
3193 	klwp_t *clwp = ttolwp(curthread);
3194 	void *a	= clwp->lwp_ap;
3195 	uint_t use_path;
3196 
3197 	switch (tad->tad_event) {
3198 	case AUE_MODLOAD: {
3199 		typedef struct {
3200 			long	cmd;
3201 			long	use_path;
3202 			long	filename;		/* char * */
3203 		} modloada_t;
3204 
3205 		char *filenamep;
3206 		uintptr_t fname;
3207 		extern char *default_path;
3208 
3209 		fname = (uintptr_t)((modloada_t *)a)->filename;
3210 		use_path = (uint_t)((modloada_t *)a)->use_path;
3211 
3212 			/* space to hold path */
3213 		filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3214 			/* get string */
3215 		if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3216 				/* free allocated path */
3217 			kmem_free(filenamep, MOD_MAXPATH);
3218 			return;
3219 		}
3220 			/* ensure it's null terminated */
3221 		filenamep[MOD_MAXPATH - 1] = 0;
3222 
3223 		if (use_path)
3224 			au_uwrite(au_to_text(default_path));
3225 		au_uwrite(au_to_text(filenamep));
3226 
3227 			/* release temporary memory */
3228 		kmem_free(filenamep, MOD_MAXPATH);
3229 		break;
3230 	}
3231 	case AUE_MODUNLOAD: {
3232 		typedef struct {
3233 			long	cmd;
3234 			long	id;
3235 		} modunloada_t;
3236 
3237 		uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3238 
3239 		au_uwrite(au_to_arg32(1, "id", id));
3240 		break;
3241 	}
3242 	case AUE_MODADDMAJ: {
3243 		STRUCT_DECL(modconfig, mc);
3244 		typedef struct {
3245 			long	cmd;
3246 			long	subcmd;
3247 			long	data;		/* int * */
3248 		} modconfiga_t;
3249 
3250 		STRUCT_DECL(aliases, alias);
3251 		caddr_t ap;
3252 		int i, num_aliases;
3253 		char *drvname, *mc_drvname;
3254 		char *name;
3255 		extern char *ddi_major_to_name(major_t);
3256 		model_t model;
3257 
3258 		uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3259 
3260 		model = get_udatamodel();
3261 		STRUCT_INIT(mc, model);
3262 			/* sanitize buffer */
3263 		bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3264 			/* get user arguments */
3265 		if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3266 		    STRUCT_SIZE(mc)) != 0)
3267 			return;
3268 
3269 		mc_drvname = STRUCT_FGET(mc, drvname);
3270 		if ((drvname = ddi_major_to_name(
3271 		    (major_t)STRUCT_FGET(mc, major))) != NULL &&
3272 		    strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3273 				/* safety */
3274 			if (mc_drvname[0] != '\0') {
3275 				mc_drvname[MAXMODCONFNAME-1] = '\0';
3276 				au_uwrite(au_to_text(mc_drvname));
3277 			}
3278 				/* drvname != NULL from test above */
3279 			au_uwrite(au_to_text(drvname));
3280 			return;
3281 		}
3282 
3283 		if (mc_drvname[0] != '\0') {
3284 				/* safety */
3285 			mc_drvname[MAXMODCONFNAME-1] = '\0';
3286 			au_uwrite(au_to_text(mc_drvname));
3287 		} else
3288 			au_uwrite(au_to_text("no drvname"));
3289 
3290 		num_aliases = STRUCT_FGET(mc, num_aliases);
3291 		au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3292 		ap = (caddr_t)STRUCT_FGETP(mc, ap);
3293 		name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3294 		STRUCT_INIT(alias, model);
3295 		for (i = 0; i < num_aliases; i++) {
3296 			bzero((caddr_t)STRUCT_BUF(alias),
3297 			    STRUCT_SIZE(alias));
3298 			if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3299 			    STRUCT_SIZE(alias)) != 0)
3300 				break;
3301 			if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3302 			    MAXMODCONFNAME, NULL) != 0) {
3303 				break;
3304 			}
3305 
3306 			au_uwrite(au_to_text(name));
3307 			ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3308 		}
3309 		kmem_free(name, MAXMODCONFNAME);
3310 		break;
3311 	}
3312 	default:
3313 		break;
3314 	}
3315 }
3316 
3317 
3318 /*ARGSUSED*/
3319 static void
3320 auf_accept(
3321 	struct t_audit_data *tad,
3322 	int	error,
3323 	rval_t	*rval)
3324 {
3325 	uint32_t scid;
3326 	uint32_t sy_flags;
3327 	int fd;
3328 	struct sonode *so;
3329 	char so_laddr[sizeof (struct sockaddr_in6)];
3330 	char so_faddr[sizeof (struct sockaddr_in6)];
3331 	int err;
3332 	int len;
3333 	short so_family, so_type;
3334 	int add_sock_token = 0;
3335 
3336 	/* need to determine type of executing binary */
3337 	scid = tad->tad_scid;
3338 #ifdef _SYSCALL32_IMPL
3339 	if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3340 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3341 	else
3342 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3343 #else
3344 	sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3345 #endif
3346 	if (sy_flags == SE_32RVAL1)
3347 		fd = rval->r_val1;
3348 	if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
3349 		fd = rval->r_val1;
3350 	if (sy_flags == SE_64RVAL)
3351 		fd = (int)rval->r_vals;
3352 
3353 	if (error) {
3354 		/* can't trust socket contents. Just return */
3355 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3356 		return;
3357 	}
3358 
3359 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3360 		/*
3361 		 * not security relevant if doing a accept from non socket
3362 		 * so no extra tokens. Should probably turn off audit record
3363 		 * generation here.
3364 		 */
3365 		return;
3366 	}
3367 
3368 	so_family = so->so_family;
3369 	so_type   = so->so_type;
3370 
3371 	switch (so_family) {
3372 	case AF_INET:
3373 	case AF_INET6:
3374 		/*
3375 		 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3376 		 */
3377 		if (so->so_type == SOCK_STREAM) {
3378 
3379 			bzero((void *)so_laddr, sizeof (so_laddr));
3380 			bzero((void *)so_faddr, sizeof (so_faddr));
3381 
3382 			/*
3383 			 * no local address then need to get it from lower
3384 			 * levels. only put out record on first read ala
3385 			 * AUE_WRITE.
3386 			 */
3387 			if (so->so_state & SS_ISBOUND) {
3388 				/* only done once on a connection */
3389 				(void) SOP_GETSOCKNAME(so);
3390 				(void) SOP_GETPEERNAME(so);
3391 
3392 				/* get local and foreign addresses */
3393 				mutex_enter(&so->so_lock);
3394 				len = min(so->so_laddr_len, sizeof (so_laddr));
3395 				bcopy(so->so_laddr_sa, so_laddr, len);
3396 				len = min(so->so_faddr_len, sizeof (so_faddr));
3397 				bcopy(so->so_faddr_sa, so_faddr, len);
3398 				mutex_exit(&so->so_lock);
3399 			}
3400 
3401 			add_sock_token = 1;
3402 		}
3403 		break;
3404 
3405 	default:
3406 		/* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3407 		break;
3408 	}
3409 
3410 	releasef(fd);
3411 
3412 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3413 
3414 	if (add_sock_token == 0) {
3415 		au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3416 		au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3417 		return;
3418 	}
3419 
3420 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3421 
3422 }
3423 
3424 /*ARGSUSED*/
3425 static void
3426 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3427 {
3428 	struct a {
3429 		long	fd;
3430 		long	addr;
3431 		long	len;
3432 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3433 
3434 	struct sonode *so;
3435 	char so_laddr[sizeof (struct sockaddr_in6)];
3436 	char so_faddr[sizeof (struct sockaddr_in6)];
3437 	int err, fd;
3438 	int len;
3439 	short so_family, so_type;
3440 	int add_sock_token = 0;
3441 
3442 	fd = (int)uap->fd;
3443 
3444 	/*
3445 	 * bind failed, then nothing extra to add to audit record.
3446 	 */
3447 	if (error) {
3448 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3449 		/* XXX may want to add failed address some day */
3450 		return;
3451 	}
3452 
3453 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3454 		/*
3455 		 * not security relevant if doing a bind from non socket
3456 		 * so no extra tokens. Should probably turn off audit record
3457 		 * generation here.
3458 		 */
3459 		return;
3460 	}
3461 
3462 	so_family = so->so_family;
3463 	so_type   = so->so_type;
3464 
3465 	switch (so_family) {
3466 	case AF_INET:
3467 	case AF_INET6:
3468 
3469 		bzero(so_faddr, sizeof (so_faddr));
3470 
3471 		if (so->so_state & SS_ISBOUND) {
3472 			/* only done once on a connection */
3473 			(void) SOP_GETSOCKNAME(so);
3474 		}
3475 
3476 		mutex_enter(&so->so_lock);
3477 		len = min(so->so_laddr_len, sizeof (so_laddr));
3478 		bcopy(so->so_laddr_sa, so_laddr, len);
3479 		mutex_exit(&so->so_lock);
3480 
3481 		add_sock_token = 1;
3482 
3483 		break;
3484 
3485 	case AF_UNIX:
3486 		/* token added by lookup */
3487 		break;
3488 	default:
3489 		/* AF_ROUTE, AF_KEY do not support accept */
3490 		break;
3491 	}
3492 
3493 	releasef(fd);
3494 
3495 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3496 
3497 	if (add_sock_token == 0) {
3498 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3499 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3500 		return;
3501 	}
3502 
3503 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3504 
3505 }
3506 
3507 /*ARGSUSED*/
3508 static void
3509 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3510 {
3511 	struct a {
3512 		long	fd;
3513 		long	addr;
3514 		long	len;
3515 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3516 
3517 	struct sonode *so;
3518 	char so_laddr[sizeof (struct sockaddr_in6)];
3519 	char so_faddr[sizeof (struct sockaddr_in6)];
3520 	int err, fd;
3521 	int len;
3522 	short so_family, so_type;
3523 	int add_sock_token = 0;
3524 
3525 	fd = (int)uap->fd;
3526 
3527 
3528 	if ((so = getsonode(fd, &err, NULL)) == NULL) {
3529 		/*
3530 		 * not security relevant if doing a connect from non socket
3531 		 * so no extra tokens. Should probably turn off audit record
3532 		 * generation here.
3533 		 */
3534 		return;
3535 	}
3536 
3537 	so_family = so->so_family;
3538 	so_type   = so->so_type;
3539 
3540 	switch (so_family) {
3541 	case AF_INET:
3542 	case AF_INET6:
3543 		/*
3544 		 * no local address then need to get it from lower
3545 		 * levels.
3546 		 */
3547 		if (so->so_state & SS_ISBOUND) {
3548 			/* only done once on a connection */
3549 			(void) SOP_GETSOCKNAME(so);
3550 			(void) SOP_GETPEERNAME(so);
3551 		}
3552 
3553 		bzero(so_laddr, sizeof (so_laddr));
3554 		bzero(so_faddr, sizeof (so_faddr));
3555 
3556 		mutex_enter(&so->so_lock);
3557 		len = min(so->so_laddr_len, sizeof (so_laddr));
3558 		bcopy(so->so_laddr_sa, so_laddr, len);
3559 		if (error) {
3560 			mutex_exit(&so->so_lock);
3561 			if (uap->addr == NULL)
3562 				break;
3563 			if (uap->len <= 0)
3564 				break;
3565 			len = min(uap->len, sizeof (so_faddr));
3566 			if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3567 				break;
3568 #ifdef NOTYET
3569 			au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3570 #endif
3571 		} else {
3572 			/* sanity check on length */
3573 			len = min(so->so_faddr_len, sizeof (so_faddr));
3574 			bcopy(so->so_faddr_sa, so_faddr, len);
3575 			mutex_exit(&so->so_lock);
3576 		}
3577 
3578 		add_sock_token = 1;
3579 
3580 		break;
3581 
3582 	case AF_UNIX:
3583 		/* does a lookup on name */
3584 		break;
3585 
3586 	default:
3587 		/* AF_ROUTE, AF_KEY do not support accept */
3588 		break;
3589 	}
3590 
3591 	releasef(fd);
3592 
3593 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3594 
3595 	if (add_sock_token == 0) {
3596 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3597 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3598 		return;
3599 	}
3600 
3601 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3602 
3603 }
3604 
3605 /*ARGSUSED*/
3606 static void
3607 aus_shutdown(struct t_audit_data *tad)
3608 {
3609 	struct a {
3610 		long	fd;
3611 		long	how;
3612 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3613 
3614 	struct sonode *so;
3615 	char so_laddr[sizeof (struct sockaddr_in6)];
3616 	char so_faddr[sizeof (struct sockaddr_in6)];
3617 	int err, fd;
3618 	int len;
3619 	short so_family, so_type;
3620 	int add_sock_token = 0;
3621 	file_t *fp;				/* unix domain sockets */
3622 	struct f_audit_data *fad;		/* unix domain sockets */
3623 
3624 	fd = (int)uap->fd;
3625 
3626 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3627 		/*
3628 		 * not security relevant if doing a shutdown using non socket
3629 		 * so no extra tokens. Should probably turn off audit record
3630 		 * generation here.
3631 		 */
3632 		return;
3633 	}
3634 
3635 	so_family = so->so_family;
3636 	so_type   = so->so_type;
3637 
3638 	switch (so_family) {
3639 	case AF_INET:
3640 	case AF_INET6:
3641 
3642 		bzero(so_laddr, sizeof (so_laddr));
3643 		bzero(so_faddr, sizeof (so_faddr));
3644 
3645 		if (so->so_state & SS_ISBOUND) {
3646 			/*
3647 			 * no local address then need to get it from lower
3648 			 * levels.
3649 			 */
3650 			if (so->so_laddr_len == 0)
3651 				(void) SOP_GETSOCKNAME(so);
3652 			if (so->so_faddr_len == 0)
3653 				(void) SOP_GETPEERNAME(so);
3654 		}
3655 
3656 		mutex_enter(&so->so_lock);
3657 		len = min(so->so_laddr_len, sizeof (so_laddr));
3658 		bcopy(so->so_laddr_sa, so_laddr, len);
3659 		len = min(so->so_faddr_len, sizeof (so_faddr));
3660 		bcopy(so->so_faddr_sa, so_faddr, len);
3661 		mutex_exit(&so->so_lock);
3662 
3663 		add_sock_token = 1;
3664 
3665 		break;
3666 
3667 	case AF_UNIX:
3668 
3669 		/* get path from file struct here */
3670 		fad = F2A(fp);
3671 		ASSERT(fad);
3672 
3673 		if (fad->fad_aupath != NULL) {
3674 			au_uwrite(au_to_path(fad->fad_aupath));
3675 		} else {
3676 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3677 		}
3678 
3679 		audit_attributes(fp->f_vnode);
3680 
3681 		break;
3682 
3683 	default:
3684 		/*
3685 		 * AF_KEY and AF_ROUTE support shutdown. No socket token
3686 		 * added.
3687 		 */
3688 		break;
3689 	}
3690 
3691 	releasef(fd);
3692 
3693 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3694 
3695 	if (add_sock_token == 0) {
3696 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3697 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3698 		au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3699 		return;
3700 	}
3701 
3702 	au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3703 
3704 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3705 
3706 }
3707 
3708 /*ARGSUSED*/
3709 static void
3710 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3711 {
3712 	struct a {
3713 		long	fd;
3714 		long	level;
3715 		long	optname;
3716 		long	*optval;
3717 		long	optlen;
3718 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3719 
3720 	struct sonode	*so;
3721 	char so_laddr[sizeof (struct sockaddr_in6)];
3722 	char so_faddr[sizeof (struct sockaddr_in6)];
3723 	char		val[AU_BUFSIZE];
3724 	int		err, fd;
3725 	int		len;
3726 	short so_family, so_type;
3727 	int		add_sock_token = 0;
3728 	file_t *fp;				/* unix domain sockets */
3729 	struct f_audit_data *fad;		/* unix domain sockets */
3730 
3731 	fd = (int)uap->fd;
3732 
3733 	if (error) {
3734 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3735 		au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3736 		/* XXX may want to include other arguments */
3737 		return;
3738 	}
3739 
3740 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3741 		/*
3742 		 * not security relevant if doing a setsockopt from non socket
3743 		 * so no extra tokens. Should probably turn off audit record
3744 		 * generation here.
3745 		 */
3746 		return;
3747 	}
3748 
3749 	so_family = so->so_family;
3750 	so_type   = so->so_type;
3751 
3752 	switch (so_family) {
3753 	case AF_INET:
3754 	case AF_INET6:
3755 
3756 		bzero((void *)so_laddr, sizeof (so_laddr));
3757 		bzero((void *)so_faddr, sizeof (so_faddr));
3758 
3759 		if (so->so_state & SS_ISBOUND) {
3760 			if (so->so_laddr_len == 0)
3761 				(void) SOP_GETSOCKNAME(so);
3762 			if (so->so_faddr_len == 0)
3763 				(void) SOP_GETPEERNAME(so);
3764 		}
3765 
3766 		/* get local and foreign addresses */
3767 		mutex_enter(&so->so_lock);
3768 		len = min(so->so_laddr_len, sizeof (so_laddr));
3769 		bcopy(so->so_laddr_sa, so_laddr, len);
3770 		len = min(so->so_faddr_len, sizeof (so_faddr));
3771 		bcopy(so->so_faddr_sa, so_faddr, len);
3772 		mutex_exit(&so->so_lock);
3773 
3774 		add_sock_token = 1;
3775 
3776 		break;
3777 
3778 	case AF_UNIX:
3779 
3780 		/* get path from file struct here */
3781 		fad = F2A(fp);
3782 		ASSERT(fad);
3783 
3784 		if (fad->fad_aupath != NULL) {
3785 			au_uwrite(au_to_path(fad->fad_aupath));
3786 		} else {
3787 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
3788 		}
3789 
3790 		audit_attributes(fp->f_vnode);
3791 
3792 		break;
3793 
3794 	default:
3795 		/*
3796 		 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3797 		 * added.
3798 		 */
3799 		break;
3800 	}
3801 
3802 	releasef(fd);
3803 
3804 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3805 
3806 	if (add_sock_token == 0) {
3807 		au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3808 		au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3809 	}
3810 	au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3811 	au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3812 
3813 	bzero(val, sizeof (val));
3814 	len = min(uap->optlen, sizeof (val));
3815 	if ((len > 0) &&
3816 	    (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3817 		au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3818 		au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3819 	}
3820 
3821 	if (add_sock_token == 0)
3822 		return;
3823 
3824 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3825 
3826 }
3827 
3828 /*ARGSUSED*/
3829 static void
3830 aus_sockconfig(tad)
3831 	struct t_audit_data *tad;
3832 {
3833 	struct a {
3834 		long	domain;
3835 		long	type;
3836 		long	protocol;
3837 		long	devpath;
3838 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3839 
3840 	char	*kdevpath;
3841 	int	kdevpathlen = MAXPATHLEN + 1;
3842 	size_t	size;
3843 
3844 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
3845 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
3846 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
3847 
3848 	if (uap->devpath == 0) {
3849 		au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0));
3850 	} else {
3851 		kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP);
3852 
3853 		if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen,
3854 			&size)) {
3855 			kmem_free(kdevpath, kdevpathlen);
3856 			return;
3857 		}
3858 
3859 		if (size > MAXPATHLEN) {
3860 			kmem_free(kdevpath, kdevpathlen);
3861 			return;
3862 		}
3863 
3864 		au_uwrite(au_to_text(kdevpath));
3865 		kmem_free(kdevpath, kdevpathlen);
3866 	}
3867 }
3868 
3869 /*
3870  * only audit recvmsg when the system call represents the creation of a new
3871  * circuit. This effectively occurs for all UDP packets and may occur for
3872  * special TCP situations where the local host has not set a local address
3873  * in the socket structure.
3874  */
3875 /*ARGSUSED*/
3876 static void
3877 auf_recvmsg(
3878 	struct t_audit_data *tad,
3879 	int error,
3880 	rval_t *rvp)
3881 {
3882 	struct a {
3883 		long	fd;
3884 		long	msg;	/* struct msghdr */
3885 		long	flags;
3886 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3887 
3888 	struct sonode	*so;
3889 	STRUCT_DECL(msghdr, msg);
3890 	caddr_t msg_name;
3891 	socklen_t msg_namelen;
3892 	int fd;
3893 	int err;
3894 	char so_laddr[sizeof (struct sockaddr_in6)];
3895 	char so_faddr[sizeof (struct sockaddr_in6)];
3896 	int len;
3897 	file_t *fp;				/* unix domain sockets */
3898 	struct f_audit_data *fad;		/* unix domain sockets */
3899 	short so_family, so_type;
3900 	int add_sock_token = 0;
3901 	au_kcontext_t	*kctx = GET_KCTX_PZ;
3902 
3903 	fd = (int)uap->fd;
3904 
3905 	/* bail if an error */
3906 	if (error) {
3907 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3908 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
3909 		return;
3910 	}
3911 
3912 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
3913 		/*
3914 		 * not security relevant if doing a recvmsg from non socket
3915 		 * so no extra tokens. Should probably turn off audit record
3916 		 * generation here.
3917 		 */
3918 		return;
3919 	}
3920 
3921 	so_family = so->so_family;
3922 	so_type   = so->so_type;
3923 
3924 	/*
3925 	 * only putout SOCKET_EX token if INET/INET6 family.
3926 	 * XXX - what do we do about other families?
3927 	 */
3928 
3929 	switch (so_family) {
3930 	case AF_INET:
3931 	case AF_INET6:
3932 
3933 		/*
3934 		 * if datagram type socket, then just use what is in
3935 		 * socket structure for local address.
3936 		 * XXX - what do we do for other types?
3937 		 */
3938 		if ((so->so_type == SOCK_DGRAM) ||
3939 		    (so->so_type == SOCK_RAW)) {
3940 			add_sock_token = 1;
3941 
3942 			bzero((void *)so_laddr, sizeof (so_laddr));
3943 			bzero((void *)so_faddr, sizeof (so_faddr));
3944 
3945 			/* get local address */
3946 			mutex_enter(&so->so_lock);
3947 			len = min(so->so_laddr_len, sizeof (so_laddr));
3948 			bcopy(so->so_laddr_sa, so_laddr, len);
3949 			mutex_exit(&so->so_lock);
3950 
3951 			/* get peer address */
3952 			STRUCT_INIT(msg, get_udatamodel());
3953 
3954 			if (copyin((caddr_t)(uap->msg),
3955 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
3956 				break;
3957 			}
3958 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
3959 			if (msg_name == NULL) {
3960 				break;
3961 			}
3962 
3963 			/* length is value from recvmsg - sanity check */
3964 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
3965 			if (msg_namelen == 0) {
3966 				break;
3967 			}
3968 			if (copyin(msg_name, so_faddr,
3969 			    sizeof (so_faddr)) != 0) {
3970 				break;
3971 			}
3972 
3973 		} else if (so->so_type == SOCK_STREAM) {
3974 
3975 			/* get path from file struct here */
3976 			fad = F2A(fp);
3977 			ASSERT(fad);
3978 
3979 			/*
3980 			 * already processed this file for read attempt
3981 			 */
3982 			if (fad->fad_flags & FAD_READ) {
3983 				/* don't want to audit every recvmsg attempt */
3984 				tad->tad_flag = 0;
3985 				/* free any residual audit data */
3986 				au_close(kctx, &(u_ad), 0, 0, 0);
3987 				releasef(fd);
3988 				return;
3989 			}
3990 			/*
3991 			 * mark things so we know what happened and don't
3992 			 * repeat things
3993 			 */
3994 			fad->fad_flags |= FAD_READ;
3995 
3996 			bzero((void *)so_laddr, sizeof (so_laddr));
3997 			bzero((void *)so_faddr, sizeof (so_faddr));
3998 
3999 			if (so->so_state & SS_ISBOUND) {
4000 
4001 				if (so->so_laddr_len == 0)
4002 					(void) SOP_GETSOCKNAME(so);
4003 				if (so->so_faddr_len == 0)
4004 					(void) SOP_GETPEERNAME(so);
4005 
4006 				/* get local and foreign addresses */
4007 				mutex_enter(&so->so_lock);
4008 				len = min(so->so_laddr_len, sizeof (so_laddr));
4009 				bcopy(so->so_laddr_sa, so_laddr, len);
4010 				len = min(so->so_faddr_len, sizeof (so_faddr));
4011 				bcopy(so->so_faddr_sa, so_faddr, len);
4012 				mutex_exit(&so->so_lock);
4013 			}
4014 
4015 			add_sock_token = 1;
4016 		}
4017 
4018 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4019 
4020 		break;
4021 
4022 	case AF_UNIX:
4023 		/*
4024 		 * first check if this is first time through. Too much
4025 		 * duplicate code to put this in an aui_ routine.
4026 		 */
4027 
4028 		/* get path from file struct here */
4029 		fad = F2A(fp);
4030 		ASSERT(fad);
4031 
4032 		/*
4033 		 * already processed this file for read attempt
4034 		 */
4035 		if (fad->fad_flags & FAD_READ) {
4036 			releasef(fd);
4037 			/* don't want to audit every recvmsg attempt */
4038 			tad->tad_flag = 0;
4039 			/* free any residual audit data */
4040 			au_close(kctx, &(u_ad), 0, 0, 0);
4041 			return;
4042 		}
4043 		/*
4044 		 * mark things so we know what happened and don't
4045 		 * repeat things
4046 		 */
4047 		fad->fad_flags |= FAD_READ;
4048 
4049 		if (fad->fad_aupath != NULL) {
4050 			au_uwrite(au_to_path(fad->fad_aupath));
4051 		} else {
4052 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4053 		}
4054 
4055 		audit_attributes(fp->f_vnode);
4056 
4057 		releasef(fd);
4058 
4059 		return;
4060 
4061 	default:
4062 		break;
4063 
4064 	}
4065 
4066 	releasef(fd);
4067 
4068 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4069 
4070 	if (add_sock_token == 0) {
4071 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4072 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4073 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4074 		return;
4075 	}
4076 
4077 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4078 
4079 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4080 
4081 }
4082 
4083 /*ARGSUSED*/
4084 static void
4085 auf_recvfrom(
4086 	struct t_audit_data *tad,
4087 	int error,
4088 	rval_t *rvp)
4089 {
4090 
4091 	struct a {
4092 		long	fd;
4093 		long	msg;	/* char */
4094 		long	len;
4095 		long	flags;
4096 		long	from;	/* struct sockaddr */
4097 		long	fromlen;
4098 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4099 
4100 	socklen_t	fromlen;
4101 	struct sonode	*so;
4102 	char so_laddr[sizeof (struct sockaddr_in6)];
4103 	char so_faddr[sizeof (struct sockaddr_in6)];
4104 	int		fd;
4105 	short so_family, so_type;
4106 	int add_sock_token = 0;
4107 	int len;
4108 	int err;
4109 	struct file *fp;
4110 	struct f_audit_data *fad;		/* unix domain sockets */
4111 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4112 
4113 	fd = (int)uap->fd;
4114 
4115 	/* bail if an error */
4116 	if (error) {
4117 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4118 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4119 		return;
4120 	}
4121 
4122 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4123 		/*
4124 		 * not security relevant if doing a recvmsg from non socket
4125 		 * so no extra tokens. Should probably turn off audit record
4126 		 * generation here.
4127 		 */
4128 		return;
4129 	}
4130 
4131 	so_family = so->so_family;
4132 	so_type   = so->so_type;
4133 
4134 	/*
4135 	 * only putout SOCKET_EX token if INET/INET6 family.
4136 	 * XXX - what do we do about other families?
4137 	 */
4138 
4139 	switch (so_family) {
4140 	case AF_INET:
4141 	case AF_INET6:
4142 
4143 		/*
4144 		 * if datagram type socket, then just use what is in
4145 		 * socket structure for local address.
4146 		 * XXX - what do we do for other types?
4147 		 */
4148 		if ((so->so_type == SOCK_DGRAM) ||
4149 		    (so->so_type == SOCK_RAW)) {
4150 			add_sock_token = 1;
4151 
4152 			/* get local address */
4153 			mutex_enter(&so->so_lock);
4154 			len = min(so->so_laddr_len, sizeof (so_laddr));
4155 			bcopy(so->so_laddr_sa, so_laddr, len);
4156 			mutex_exit(&so->so_lock);
4157 
4158 			/* get peer address */
4159 			bzero((void *)so_faddr, sizeof (so_faddr));
4160 
4161 			/* sanity check */
4162 			if (uap->from == NULL)
4163 				break;
4164 
4165 			/* sanity checks */
4166 			if (uap->fromlen == 0)
4167 				break;
4168 
4169 			if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4170 			    sizeof (fromlen)) != 0)
4171 				break;
4172 
4173 			if (fromlen == 0)
4174 				break;
4175 
4176 			/* enforce maximum size */
4177 			if (fromlen > sizeof (so_faddr))
4178 				fromlen = sizeof (so_faddr);
4179 
4180 			if (copyin((caddr_t)(uap->from), so_faddr,
4181 			    fromlen) != 0)
4182 				break;
4183 
4184 		} else if (so->so_type == SOCK_STREAM) {
4185 
4186 			/* get path from file struct here */
4187 			fad = F2A(fp);
4188 			ASSERT(fad);
4189 
4190 			/*
4191 			 * already processed this file for read attempt
4192 			 */
4193 			if (fad->fad_flags & FAD_READ) {
4194 				/* don't want to audit every recvfrom attempt */
4195 				tad->tad_flag = 0;
4196 				/* free any residual audit data */
4197 				au_close(kctx, &(u_ad), 0, 0, 0);
4198 				releasef(fd);
4199 				return;
4200 			}
4201 			/*
4202 			 * mark things so we know what happened and don't
4203 			 * repeat things
4204 			 */
4205 			fad->fad_flags |= FAD_READ;
4206 
4207 			bzero((void *)so_laddr, sizeof (so_laddr));
4208 			bzero((void *)so_faddr, sizeof (so_faddr));
4209 
4210 			if (so->so_state & SS_ISBOUND) {
4211 
4212 				if (so->so_laddr_len == 0)
4213 					(void) SOP_GETSOCKNAME(so);
4214 				if (so->so_faddr_len == 0)
4215 					(void) SOP_GETPEERNAME(so);
4216 
4217 				/* get local and foreign addresses */
4218 				mutex_enter(&so->so_lock);
4219 				len = min(so->so_laddr_len, sizeof (so_laddr));
4220 				bcopy(so->so_laddr_sa, so_laddr, len);
4221 				len = min(so->so_faddr_len, sizeof (so_faddr));
4222 				bcopy(so->so_faddr_sa, so_faddr, len);
4223 				mutex_exit(&so->so_lock);
4224 			}
4225 
4226 			add_sock_token = 1;
4227 		}
4228 
4229 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4230 
4231 		break;
4232 
4233 	case AF_UNIX:
4234 		/*
4235 		 * first check if this is first time through. Too much
4236 		 * duplicate code to put this in an aui_ routine.
4237 		 */
4238 
4239 		/* get path from file struct here */
4240 		fad = F2A(fp);
4241 		ASSERT(fad);
4242 
4243 		/*
4244 		 * already processed this file for read attempt
4245 		 */
4246 		if (fad->fad_flags & FAD_READ) {
4247 			/* don't want to audit every recvfrom attempt */
4248 			tad->tad_flag = 0;
4249 			/* free any residual audit data */
4250 			au_close(kctx, &(u_ad), 0, 0, 0);
4251 			releasef(fd);
4252 			return;
4253 		}
4254 		/*
4255 		 * mark things so we know what happened and don't
4256 		 * repeat things
4257 		 */
4258 		fad->fad_flags |= FAD_READ;
4259 
4260 		if (fad->fad_aupath != NULL) {
4261 			au_uwrite(au_to_path(fad->fad_aupath));
4262 		} else {
4263 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4264 		}
4265 
4266 		audit_attributes(fp->f_vnode);
4267 
4268 		releasef(fd);
4269 
4270 		return;
4271 
4272 	default:
4273 		break;
4274 
4275 	}
4276 
4277 	releasef(fd);
4278 
4279 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4280 
4281 	if (add_sock_token == 0) {
4282 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4283 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4284 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4285 		return;
4286 	}
4287 
4288 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4289 
4290 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4291 }
4292 
4293 /*ARGSUSED*/
4294 static void
4295 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4296 {
4297 	struct a {
4298 		long	fd;
4299 		long	msg;	/* struct msghdr */
4300 		long	flags;
4301 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4302 
4303 	struct sonode	*so;
4304 	char so_laddr[sizeof (struct sockaddr_in6)];
4305 	char so_faddr[sizeof (struct sockaddr_in6)];
4306 	int		err;
4307 	int		fd;
4308 	short so_family, so_type;
4309 	int		add_sock_token = 0;
4310 	int		len;
4311 	struct file	*fp;
4312 	struct f_audit_data *fad;
4313 	caddr_t		msg_name;
4314 	socklen_t	msg_namelen;
4315 	STRUCT_DECL(msghdr, msg);
4316 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4317 
4318 	fd = (int)uap->fd;
4319 
4320 	/* bail if an error */
4321 	if (error) {
4322 		/* XXX include destination address from system call arguments */
4323 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4324 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4325 		return;
4326 	}
4327 
4328 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4329 		/*
4330 		 * not security relevant if doing a sendmsg from non socket
4331 		 * so no extra tokens. Should probably turn off audit record
4332 		 * generation here.
4333 		 */
4334 		return;
4335 	}
4336 
4337 	so_family = so->so_family;
4338 	so_type   = so->so_type;
4339 
4340 	switch (so_family) {
4341 	case AF_INET:
4342 	case AF_INET6:
4343 		/*
4344 		 * if datagram type socket, then just use what is in
4345 		 * socket structure for local address.
4346 		 * XXX - what do we do for other types?
4347 		 */
4348 		if ((so->so_type == SOCK_DGRAM) ||
4349 		    (so->so_type == SOCK_RAW)) {
4350 
4351 			bzero((void *)so_laddr, sizeof (so_laddr));
4352 			bzero((void *)so_faddr, sizeof (so_faddr));
4353 
4354 			/* get local address */
4355 			mutex_enter(&so->so_lock);
4356 			len = min(so->so_laddr_len, sizeof (so_laddr));
4357 			bcopy(so->so_laddr_sa, so_laddr, len);
4358 			mutex_exit(&so->so_lock);
4359 
4360 			/* get peer address */
4361 			STRUCT_INIT(msg, get_udatamodel());
4362 
4363 			if (copyin((caddr_t)(uap->msg),
4364 			    (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4365 				break;
4366 			}
4367 			msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4368 			if (msg_name == NULL)
4369 				break;
4370 
4371 			msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4372 			/* length is value from recvmsg - sanity check */
4373 			if (msg_namelen == 0)
4374 				break;
4375 
4376 			if (copyin(msg_name, so_faddr,
4377 			    sizeof (so_faddr)) != 0)
4378 				break;
4379 
4380 			add_sock_token = 1;
4381 
4382 		} else if (so->so_type == SOCK_STREAM) {
4383 
4384 			/* get path from file struct here */
4385 			fad = F2A(fp);
4386 			ASSERT(fad);
4387 
4388 			/*
4389 			 * already processed this file for write attempt
4390 			 */
4391 			if (fad->fad_flags & FAD_WRITE) {
4392 				releasef(fd);
4393 				/* don't want to audit every sendmsg attempt */
4394 				tad->tad_flag = 0;
4395 				/* free any residual audit data */
4396 				au_close(kctx, &(u_ad), 0, 0, 0);
4397 				return;
4398 			}
4399 
4400 			/*
4401 			 * mark things so we know what happened and don't
4402 			 * repeat things
4403 			 */
4404 			fad->fad_flags |= FAD_WRITE;
4405 
4406 			bzero((void *)so_laddr, sizeof (so_laddr));
4407 			bzero((void *)so_faddr, sizeof (so_faddr));
4408 
4409 			if (so->so_state & SS_ISBOUND) {
4410 
4411 				if (so->so_laddr_len == 0)
4412 					(void) SOP_GETSOCKNAME(so);
4413 				if (so->so_faddr_len == 0)
4414 					(void) SOP_GETPEERNAME(so);
4415 
4416 				/* get local and foreign addresses */
4417 				mutex_enter(&so->so_lock);
4418 				len = min(so->so_laddr_len, sizeof (so_laddr));
4419 				bcopy(so->so_laddr_sa, so_laddr, len);
4420 				len = min(so->so_faddr_len, sizeof (so_faddr));
4421 				bcopy(so->so_faddr_sa, so_faddr, len);
4422 				mutex_exit(&so->so_lock);
4423 			}
4424 
4425 			add_sock_token = 1;
4426 		}
4427 
4428 		/* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4429 
4430 		break;
4431 
4432 	case AF_UNIX:
4433 		/*
4434 		 * first check if this is first time through. Too much
4435 		 * duplicate code to put this in an aui_ routine.
4436 		 */
4437 
4438 		/* get path from file struct here */
4439 		fad = F2A(fp);
4440 		ASSERT(fad);
4441 
4442 		/*
4443 		 * already processed this file for write attempt
4444 		 */
4445 		if (fad->fad_flags & FAD_WRITE) {
4446 			releasef(fd);
4447 			/* don't want to audit every sendmsg attempt */
4448 			tad->tad_flag = 0;
4449 			/* free any residual audit data */
4450 			au_close(kctx, &(u_ad), 0, 0, 0);
4451 			return;
4452 		}
4453 		/*
4454 		 * mark things so we know what happened and don't
4455 		 * repeat things
4456 		 */
4457 		fad->fad_flags |= FAD_WRITE;
4458 
4459 		if (fad->fad_aupath != NULL) {
4460 			au_uwrite(au_to_path(fad->fad_aupath));
4461 		} else {
4462 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4463 		}
4464 
4465 		audit_attributes(fp->f_vnode);
4466 
4467 		releasef(fd);
4468 
4469 		return;
4470 
4471 	default:
4472 		break;
4473 	}
4474 
4475 	releasef(fd);
4476 
4477 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4478 
4479 	if (add_sock_token == 0) {
4480 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4481 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4482 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4483 		return;
4484 	}
4485 
4486 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4487 
4488 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4489 }
4490 
4491 /*ARGSUSED*/
4492 static void
4493 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4494 {
4495 	struct a {
4496 		long	fd;
4497 		long	msg;	/* char */
4498 		long	len;
4499 		long	flags;
4500 		long	to;	/* struct sockaddr */
4501 		long	tolen;
4502 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4503 
4504 	struct sonode	*so;
4505 	char so_laddr[sizeof (struct sockaddr_in6)];
4506 	char so_faddr[sizeof (struct sockaddr_in6)];
4507 	socklen_t	tolen;
4508 	int		err;
4509 	int		fd;
4510 	int		len;
4511 	short so_family, so_type;
4512 	int		add_sock_token = 0;
4513 	struct file	*fp;
4514 	struct f_audit_data *fad;
4515 	au_kcontext_t	*kctx = GET_KCTX_PZ;
4516 
4517 	fd = (int)uap->fd;
4518 
4519 	/* bail if an error */
4520 	if (error) {
4521 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4522 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4523 		/* XXX include destination address from system call arguments */
4524 		return;
4525 	}
4526 
4527 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
4528 		/*
4529 		 * not security relevant if doing a sendto using non socket
4530 		 * so no extra tokens. Should probably turn off audit record
4531 		 * generation here.
4532 		 */
4533 		return;
4534 	}
4535 
4536 	so_family = so->so_family;
4537 	so_type   = so->so_type;
4538 
4539 	/*
4540 	 * only putout SOCKET_EX token if INET/INET6 family.
4541 	 * XXX - what do we do about other families?
4542 	 */
4543 
4544 	switch (so_family) {
4545 	case AF_INET:
4546 	case AF_INET6:
4547 
4548 		/*
4549 		 * if datagram type socket, then just use what is in
4550 		 * socket structure for local address.
4551 		 * XXX - what do we do for other types?
4552 		 */
4553 		if ((so->so_type == SOCK_DGRAM) ||
4554 		    (so->so_type == SOCK_RAW)) {
4555 
4556 			bzero((void *)so_laddr, sizeof (so_laddr));
4557 			bzero((void *)so_faddr, sizeof (so_faddr));
4558 
4559 			/* get local address */
4560 			mutex_enter(&so->so_lock);
4561 			len = min(so->so_laddr_len, sizeof (so_laddr));
4562 			bcopy(so->so_laddr_sa, so_laddr, len);
4563 			mutex_exit(&so->so_lock);
4564 
4565 			/* get peer address */
4566 
4567 			/* sanity check */
4568 			if (uap->to == NULL)
4569 				break;
4570 
4571 			/* sanity checks */
4572 			if (uap->tolen == 0)
4573 				break;
4574 
4575 			tolen = (socklen_t)uap->tolen;
4576 
4577 			/* enforce maximum size */
4578 			if (tolen > sizeof (so_faddr))
4579 				tolen = sizeof (so_faddr);
4580 
4581 			if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4582 				break;
4583 
4584 			add_sock_token = 1;
4585 		} else {
4586 			/*
4587 			 * check if this is first time through.
4588 			 */
4589 
4590 			/* get path from file struct here */
4591 			fad = F2A(fp);
4592 			ASSERT(fad);
4593 
4594 			/*
4595 			 * already processed this file for write attempt
4596 			 */
4597 			if (fad->fad_flags & FAD_WRITE) {
4598 				/* don't want to audit every sendto attempt */
4599 				tad->tad_flag = 0;
4600 				/* free any residual audit data */
4601 				au_close(kctx, &(u_ad), 0, 0, 0);
4602 				releasef(fd);
4603 				return;
4604 			}
4605 			/*
4606 			 * mark things so we know what happened and don't
4607 			 * repeat things
4608 			 */
4609 			fad->fad_flags |= FAD_WRITE;
4610 
4611 			bzero((void *)so_laddr, sizeof (so_laddr));
4612 			bzero((void *)so_faddr, sizeof (so_faddr));
4613 
4614 			if (so->so_state & SS_ISBOUND) {
4615 
4616 				if (so->so_laddr_len == 0)
4617 					(void) SOP_GETSOCKNAME(so);
4618 				if (so->so_faddr_len == 0)
4619 					(void) SOP_GETPEERNAME(so);
4620 
4621 				/* get local and foreign addresses */
4622 				mutex_enter(&so->so_lock);
4623 				len = min(so->so_laddr_len, sizeof (so_laddr));
4624 				bcopy(so->so_laddr_sa, so_laddr, len);
4625 				len = min(so->so_faddr_len, sizeof (so_faddr));
4626 				bcopy(so->so_faddr_sa, so_faddr, len);
4627 				mutex_exit(&so->so_lock);
4628 			}
4629 
4630 			add_sock_token = 1;
4631 		}
4632 
4633 		/* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4634 
4635 		break;
4636 
4637 	case AF_UNIX:
4638 		/*
4639 		 * first check if this is first time through. Too much
4640 		 * duplicate code to put this in an aui_ routine.
4641 		 */
4642 
4643 		/* get path from file struct here */
4644 		fad = F2A(fp);
4645 		ASSERT(fad);
4646 
4647 		/*
4648 		 * already processed this file for write attempt
4649 		 */
4650 		if (fad->fad_flags & FAD_WRITE) {
4651 			/* don't want to audit every sendto attempt */
4652 			tad->tad_flag = 0;
4653 			/* free any residual audit data */
4654 			au_close(kctx, &(u_ad), 0, 0, 0);
4655 			releasef(fd);
4656 			return;
4657 		}
4658 		/*
4659 		 * mark things so we know what happened and don't
4660 		 * repeat things
4661 		 */
4662 		fad->fad_flags |= FAD_WRITE;
4663 
4664 		if (fad->fad_aupath != NULL) {
4665 			au_uwrite(au_to_path(fad->fad_aupath));
4666 		} else {
4667 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
4668 		}
4669 
4670 		audit_attributes(fp->f_vnode);
4671 
4672 		releasef(fd);
4673 
4674 		return;
4675 
4676 	default:
4677 		break;
4678 
4679 	}
4680 
4681 	releasef(fd);
4682 
4683 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4684 
4685 	if (add_sock_token == 0) {
4686 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4687 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4688 		au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4689 		return;
4690 	}
4691 
4692 	au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4693 
4694 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4695 
4696 }
4697 
4698 /*
4699  * XXX socket(2) may be equivalent to open(2) on a unix domain
4700  * socket. This needs investigation.
4701  */
4702 
4703 /*ARGSUSED*/
4704 static void
4705 aus_socket(struct t_audit_data *tad)
4706 {
4707 	struct a {
4708 		long	domain;
4709 		long	type;
4710 		long	protocol;
4711 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4712 
4713 	au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4714 	au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4715 	au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4716 }
4717 
4718 /*ARGSUSED*/
4719 static void
4720 aus_sigqueue(struct t_audit_data *tad)
4721 {
4722 	struct a {
4723 		long	pid;
4724 		long	signo;
4725 		long	*val;
4726 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4727 	struct proc *p;
4728 	uid_t uid, ruid;
4729 	gid_t gid, rgid;
4730 	pid_t pid;
4731 	const auditinfo_addr_t *ainfo;
4732 	cred_t *cr;
4733 
4734 	pid = (pid_t)uap->pid;
4735 
4736 	au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4737 	if (pid > 0) {
4738 		mutex_enter(&pidlock);
4739 		if ((p = prfind(pid)) == (struct proc *)0) {
4740 			mutex_exit(&pidlock);
4741 			return;
4742 		}
4743 		mutex_enter(&p->p_lock); /* so process doesn't go away */
4744 		mutex_exit(&pidlock);
4745 
4746 		mutex_enter(&p->p_crlock);
4747 		crhold(cr = p->p_cred);
4748 		mutex_exit(&p->p_crlock);
4749 		mutex_exit(&p->p_lock);
4750 
4751 		ainfo = crgetauinfo(cr);
4752 		if (ainfo == NULL) {
4753 			crfree(cr);
4754 			return;
4755 		}
4756 
4757 		uid  = crgetuid(cr);
4758 		gid  = crgetgid(cr);
4759 		ruid = crgetruid(cr);
4760 		rgid = crgetrgid(cr);
4761 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4762 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4763 		crfree(cr);
4764 	}
4765 	else
4766 		au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4767 }
4768 
4769 /*ARGSUSED*/
4770 static void
4771 aus_inst_sync(struct t_audit_data *tad)
4772 {
4773 	struct a {
4774 		long	name;	/* char */
4775 		long	flags;
4776 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4777 
4778 	au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4779 }
4780 
4781 /*ARGSUSED*/
4782 static void
4783 aus_brandsys(struct t_audit_data *tad)
4784 {
4785 	klwp_t *clwp = ttolwp(curthread);
4786 
4787 	struct a {
4788 		long	cmd;
4789 		long	arg1;
4790 		long	arg2;
4791 		long	arg3;
4792 		long	arg4;
4793 		long	arg5;
4794 		long	arg6;
4795 	} *uap = (struct a *)clwp->lwp_ap;
4796 
4797 	au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4798 #ifdef _LP64
4799 	au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4800 	au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4801 	au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4802 	au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4803 	au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4804 	au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4805 #else
4806 	au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4807 	au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4808 	au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4809 	au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4810 	au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4811 	au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4812 #endif
4813 }
4814 
4815 /*ARGSUSED*/
4816 static void
4817 aus_p_online(struct t_audit_data *tad)
4818 {
4819 	struct a {
4820 		long	processor_id;
4821 		long	flag;
4822 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4823 
4824 	struct flags {
4825 			int	flag;
4826 			char	*cflag;
4827 	} aflags[6] = {
4828 			{ P_ONLINE, "P_ONLINE"},
4829 			{ P_OFFLINE, "P_OFFLINE"},
4830 			{ P_NOINTR, "P_NOINTR"},
4831 			{ P_SPARE, "P_SPARE"},
4832 			{ P_FAULTED, "P_FAULTED"},
4833 			{ P_STATUS, "P_STATUS"}
4834 	};
4835 	int i;
4836 	char *cflag;
4837 
4838 	au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4839 	au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4840 
4841 	for (i = 0; i < 6; i++) {
4842 		if (aflags[i].flag == uap->flag)
4843 			break;
4844 	}
4845 	cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4846 
4847 	au_uwrite(au_to_text(cflag));
4848 }
4849 
4850 /*ARGSUSED*/
4851 static void
4852 aus_processor_bind(struct t_audit_data *tad)
4853 {
4854 	struct a {
4855 		long	id_type;
4856 		long	id;
4857 		long	processor_id;
4858 		long	obind;
4859 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4860 
4861 	struct proc *p;
4862 	int lwpcnt;
4863 	uid_t uid, ruid;
4864 	gid_t gid, rgid;
4865 	pid_t pid;
4866 	const auditinfo_addr_t *ainfo;
4867 	cred_t *cr;
4868 
4869 	au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
4870 	au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
4871 	if (uap->processor_id == PBIND_NONE)
4872 		au_uwrite(au_to_text("PBIND_NONE"));
4873 	else
4874 		au_uwrite(au_to_arg32(3, "processor_id",
4875 		    (uint32_t)uap->processor_id));
4876 
4877 	switch (uap->id_type) {
4878 	case P_MYID:
4879 	case P_LWPID:
4880 		mutex_enter(&pidlock);
4881 		p = ttoproc(curthread);
4882 		if (p == NULL || p->p_as == &kas) {
4883 			mutex_exit(&pidlock);
4884 			return;
4885 		}
4886 		mutex_enter(&p->p_lock);
4887 		mutex_exit(&pidlock);
4888 		lwpcnt = p->p_lwpcnt;
4889 		pid  = p->p_pid;
4890 
4891 		mutex_enter(&p->p_crlock);
4892 		crhold(cr = p->p_cred);
4893 		mutex_exit(&p->p_crlock);
4894 		mutex_exit(&p->p_lock);
4895 
4896 		ainfo = crgetauinfo(cr);
4897 		if (ainfo == NULL) {
4898 			crfree(cr);
4899 			return;
4900 		}
4901 
4902 		uid  = crgetuid(cr);
4903 		gid  = crgetgid(cr);
4904 		ruid = crgetruid(cr);
4905 		rgid = crgetrgid(cr);
4906 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4907 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4908 		crfree(cr);
4909 		break;
4910 	case P_PID:
4911 		mutex_enter(&pidlock);
4912 		p = prfind(uap->id);
4913 		if (p == NULL || p->p_as == &kas) {
4914 			mutex_exit(&pidlock);
4915 			return;
4916 		}
4917 		mutex_enter(&p->p_lock);
4918 		mutex_exit(&pidlock);
4919 		lwpcnt = p->p_lwpcnt;
4920 		pid  = p->p_pid;
4921 
4922 		mutex_enter(&p->p_crlock);
4923 		crhold(cr = p->p_cred);
4924 		mutex_exit(&p->p_crlock);
4925 		mutex_exit(&p->p_lock);
4926 
4927 		ainfo = crgetauinfo(cr);
4928 		if (ainfo == NULL) {
4929 			crfree(cr);
4930 			return;
4931 		}
4932 
4933 		uid  = crgetuid(cr);
4934 		gid  = crgetgid(cr);
4935 		ruid = crgetruid(cr);
4936 		rgid = crgetrgid(cr);
4937 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4938 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4939 		crfree(cr);
4940 
4941 		break;
4942 	default:
4943 		return;
4944 	}
4945 
4946 	if (uap->processor_id == PBIND_NONE &&
4947 	    (!(uap->id_type == P_LWPID && lwpcnt > 1)))
4948 		au_uwrite(au_to_text("PBIND_NONE for process"));
4949 	else
4950 		au_uwrite(au_to_arg32(3, "processor_id",
4951 		    (uint32_t)uap->processor_id));
4952 }
4953 
4954 /*ARGSUSED*/
4955 static au_event_t
4956 aui_doorfs(au_event_t e)
4957 {
4958 	uint32_t code;
4959 
4960 	struct a {		/* doorfs */
4961 		long	a1;
4962 		long	a2;
4963 		long	a3;
4964 		long	a4;
4965 		long	a5;
4966 		long	code;
4967 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4968 
4969 	/*
4970 	 *	audit formats for several of the
4971 	 *	door calls have not yet been determined
4972 	 */
4973 	code = (uint32_t)uap->code;
4974 	switch (code) {
4975 	case DOOR_CALL:
4976 		e = AUE_DOORFS_DOOR_CALL;
4977 		break;
4978 	case DOOR_RETURN:
4979 		e = AUE_NULL;
4980 		break;
4981 	case DOOR_CREATE:
4982 		e = AUE_DOORFS_DOOR_CREATE;
4983 		break;
4984 	case DOOR_REVOKE:
4985 		e = AUE_DOORFS_DOOR_REVOKE;
4986 		break;
4987 	case DOOR_INFO:
4988 		e = AUE_NULL;
4989 		break;
4990 	case DOOR_UCRED:
4991 		e = AUE_NULL;
4992 		break;
4993 	case DOOR_BIND:
4994 		e = AUE_NULL;
4995 		break;
4996 	case DOOR_UNBIND:
4997 		e = AUE_NULL;
4998 		break;
4999 	case DOOR_GETPARAM:
5000 		e = AUE_NULL;
5001 		break;
5002 	case DOOR_SETPARAM:
5003 		e = AUE_NULL;
5004 		break;
5005 	default:	/* illegal system call */
5006 		e = AUE_NULL;
5007 		break;
5008 	}
5009 
5010 	return (e);
5011 }
5012 
5013 static door_node_t *
5014 au_door_lookup(int did)
5015 {
5016 	vnode_t	*vp;
5017 	file_t *fp;
5018 
5019 	if ((fp = getf(did)) == NULL)
5020 		return (NULL);
5021 	/*
5022 	 * Use the underlying vnode (we may be namefs mounted)
5023 	 */
5024 	if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5025 		vp = fp->f_vnode;
5026 
5027 	if (vp == NULL || vp->v_type != VDOOR) {
5028 		releasef(did);
5029 		return (NULL);
5030 	}
5031 
5032 	return (VTOD(vp));
5033 }
5034 
5035 /*ARGSUSED*/
5036 static void
5037 aus_doorfs(struct t_audit_data *tad)
5038 {
5039 
5040 	struct a {		/* doorfs */
5041 		long	a1;
5042 		long	a2;
5043 		long	a3;
5044 		long	a4;
5045 		long	a5;
5046 		long	code;
5047 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5048 
5049 	door_node_t	*dp;
5050 	struct proc	*p;
5051 	uint32_t	did;
5052 	uid_t uid, ruid;
5053 	gid_t gid, rgid;
5054 	pid_t pid;
5055 	const auditinfo_addr_t *ainfo;
5056 	cred_t *cr;
5057 
5058 	did = (uint32_t)uap->a1;
5059 
5060 	switch (tad->tad_event) {
5061 	case AUE_DOORFS_DOOR_CALL:
5062 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5063 		if ((dp = au_door_lookup(did)) == NULL)
5064 			break;
5065 
5066 		if (DOOR_INVALID(dp)) {
5067 			releasef(did);
5068 			break;
5069 		}
5070 
5071 		if ((p = dp->door_target) == NULL) {
5072 			releasef(did);
5073 			break;
5074 		}
5075 		mutex_enter(&p->p_lock);
5076 		releasef(did);
5077 
5078 		pid  = p->p_pid;
5079 
5080 		mutex_enter(&p->p_crlock);
5081 		crhold(cr = p->p_cred);
5082 		mutex_exit(&p->p_crlock);
5083 		mutex_exit(&p->p_lock);
5084 
5085 		ainfo = crgetauinfo(cr);
5086 		if (ainfo == NULL) {
5087 			crfree(cr);
5088 			return;
5089 		}
5090 		uid  = crgetuid(cr);
5091 		gid  = crgetgid(cr);
5092 		ruid = crgetruid(cr);
5093 		rgid = crgetrgid(cr);
5094 		au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5095 		    ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5096 		crfree(cr);
5097 		break;
5098 	case AUE_DOORFS_DOOR_RETURN:
5099 		/*
5100 		 * We may want to write information about
5101 		 * all doors (if any) which will be copied
5102 		 * by this call to the user space
5103 		 */
5104 		break;
5105 	case AUE_DOORFS_DOOR_CREATE:
5106 		au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5107 		break;
5108 	case AUE_DOORFS_DOOR_REVOKE:
5109 		au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5110 		break;
5111 	case AUE_DOORFS_DOOR_INFO:
5112 		break;
5113 	case AUE_DOORFS_DOOR_CRED:
5114 		break;
5115 	case AUE_DOORFS_DOOR_BIND:
5116 		break;
5117 	case AUE_DOORFS_DOOR_UNBIND: {
5118 		break;
5119 	}
5120 	default:	/* illegal system call */
5121 		break;
5122 	}
5123 }
5124 
5125 /*ARGSUSED*/
5126 static au_event_t
5127 aui_acl(au_event_t e)
5128 {
5129 	struct a {
5130 		union {
5131 			long	name;	/* char */
5132 			long	fd;
5133 		}		obj;
5134 
5135 		long		cmd;
5136 		long		nentries;
5137 		long		arg;	/* aclent_t */
5138 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5139 
5140 	switch (uap->cmd) {
5141 	case SETACL:
5142 	case ACE_SETACL:
5143 		/*
5144 		 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5145 		 * are expected.
5146 		 */
5147 		break;
5148 	case GETACL:
5149 	case GETACLCNT:
5150 	case ACE_GETACLCNT:
5151 		/* do nothing for these two values. */
5152 		e = AUE_NULL;
5153 		break;
5154 	default:
5155 		/* illegal system call */
5156 		break;
5157 	}
5158 
5159 	return (e);
5160 }
5161 
5162 static void
5163 au_acl(int cmd, int nentries, caddr_t bufp)
5164 {
5165 	size_t		a_size;
5166 	aclent_t	*aclbufp;
5167 	ace_t		*acebufp;
5168 	int		i;
5169 
5170 	switch (cmd) {
5171 	case GETACL:
5172 	case GETACLCNT:
5173 		break;
5174 	case SETACL:
5175 		if (nentries < 3)
5176 			break;
5177 
5178 		a_size = nentries * sizeof (aclent_t);
5179 
5180 		if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5181 			break;
5182 		if (copyin(bufp, aclbufp, a_size)) {
5183 			kmem_free(aclbufp, a_size);
5184 			break;
5185 		}
5186 		for (i = 0; i < nentries; i++) {
5187 			au_uwrite(au_to_acl(aclbufp + i));
5188 		}
5189 		kmem_free(aclbufp, a_size);
5190 		break;
5191 
5192 	case ACE_SETACL:
5193 		if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5194 			break;
5195 
5196 		a_size = nentries * sizeof (ace_t);
5197 		if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5198 			break;
5199 		if (copyin(bufp, acebufp, a_size)) {
5200 			kmem_free(acebufp, a_size);
5201 			break;
5202 		}
5203 		for (i = 0; i < nentries; i++) {
5204 			au_uwrite(au_to_ace(acebufp + i));
5205 		}
5206 		kmem_free(acebufp, a_size);
5207 		break;
5208 	default:
5209 		break;
5210 	}
5211 }
5212 
5213 /*ARGSUSED*/
5214 static void
5215 aus_acl(struct t_audit_data *tad)
5216 {
5217 	struct a {
5218 		long	fname;
5219 		long	cmd;
5220 		long	nentries;
5221 		long	aclbufp;
5222 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5223 
5224 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5225 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5226 
5227 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5228 }
5229 
5230 /*ARGSUSED*/
5231 static void
5232 aus_facl(struct t_audit_data *tad)
5233 {
5234 	struct a {
5235 		long	fd;
5236 		long	cmd;
5237 		long	nentries;
5238 		long	aclbufp;
5239 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5240 	struct file  *fp;
5241 	struct vnode *vp;
5242 	struct f_audit_data *fad;
5243 	int fd;
5244 
5245 	au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5246 	au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5247 
5248 	fd = (int)uap->fd;
5249 
5250 	if ((fp = getf(fd)) == NULL)
5251 		return;
5252 
5253 	/* get path from file struct here */
5254 	fad = F2A(fp);
5255 	if (fad->fad_aupath != NULL) {
5256 		au_uwrite(au_to_path(fad->fad_aupath));
5257 	} else {
5258 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5259 	}
5260 
5261 	vp = fp->f_vnode;
5262 	audit_attributes(vp);
5263 
5264 	/* decrement file descriptor reference count */
5265 	releasef(fd);
5266 
5267 	au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5268 }
5269 
5270 /*ARGSUSED*/
5271 static void
5272 auf_read(tad, error, rval)
5273 	struct t_audit_data *tad;
5274 	int error;
5275 	rval_t *rval;
5276 {
5277 	struct file *fp;
5278 	struct f_audit_data *fad;
5279 	int fd;
5280 	register struct a {
5281 		long	fd;
5282 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5283 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5284 
5285 	fd = (int)uap->fd;
5286 
5287 	/*
5288 	 * convert file pointer to file descriptor
5289 	 *   Note: fd ref count incremented here.
5290 	 */
5291 	if ((fp = getf(fd)) == NULL)
5292 		return;
5293 
5294 	/* get path from file struct here */
5295 	fad = F2A(fp);
5296 	ASSERT(fad);
5297 
5298 	/*
5299 	 * already processed this file for read attempt
5300 	 *
5301 	 * XXX might be better to turn off auditing in a aui_read() routine.
5302 	 */
5303 	if (fad->fad_flags & FAD_READ) {
5304 		/* don't really want to audit every read attempt */
5305 		tad->tad_flag = 0;
5306 		/* free any residual audit data */
5307 		au_close(kctx, &(u_ad), 0, 0, 0);
5308 		releasef(fd);
5309 		return;
5310 	}
5311 	/* mark things so we know what happened and don't repeat things */
5312 	fad->fad_flags |= FAD_READ;
5313 
5314 	if (fad->fad_aupath != NULL) {
5315 		au_uwrite(au_to_path(fad->fad_aupath));
5316 	} else {
5317 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5318 	}
5319 
5320 	/* include attributes */
5321 	audit_attributes(fp->f_vnode);
5322 
5323 	/* decrement file descriptor reference count */
5324 	releasef(fd);
5325 }
5326 
5327 /*ARGSUSED*/
5328 static void
5329 auf_write(tad, error, rval)
5330 	struct t_audit_data *tad;
5331 	int error;
5332 	rval_t *rval;
5333 {
5334 	struct file *fp;
5335 	struct f_audit_data *fad;
5336 	int fd;
5337 	register struct a {
5338 		long	fd;
5339 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5340 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5341 
5342 	fd = (int)uap->fd;
5343 
5344 	/*
5345 	 * convert file pointer to file descriptor
5346 	 *   Note: fd ref count incremented here.
5347 	 */
5348 	if ((fp = getf(fd)) == NULL)
5349 		return;
5350 
5351 	/* get path from file struct here */
5352 	fad = F2A(fp);
5353 	ASSERT(fad);
5354 
5355 	/*
5356 	 * already processed this file for write attempt
5357 	 *
5358 	 * XXX might be better to turn off auditing in a aus_write() routine.
5359 	 */
5360 	if (fad->fad_flags & FAD_WRITE) {
5361 		/* don't really want to audit every write attempt */
5362 		tad->tad_flag = 0;
5363 		/* free any residual audit data */
5364 		au_close(kctx, &(u_ad), 0, 0, 0);
5365 		releasef(fd);
5366 		return;
5367 	}
5368 	/* mark things so we know what happened and don't repeat things */
5369 	fad->fad_flags |= FAD_WRITE;
5370 
5371 	if (fad->fad_aupath != NULL) {
5372 		au_uwrite(au_to_path(fad->fad_aupath));
5373 	} else {
5374 		au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5375 	}
5376 
5377 	/* include attributes */
5378 	audit_attributes(fp->f_vnode);
5379 
5380 	/* decrement file descriptor reference count */
5381 	releasef(fd);
5382 }
5383 
5384 /*ARGSUSED*/
5385 static void
5386 auf_recv(tad, error, rval)
5387 	struct t_audit_data *tad;
5388 	int error;
5389 	rval_t *rval;
5390 {
5391 	struct sonode *so;
5392 	char so_laddr[sizeof (struct sockaddr_in6)];
5393 	char so_faddr[sizeof (struct sockaddr_in6)];
5394 	struct file *fp;
5395 	struct f_audit_data *fad;
5396 	int fd;
5397 	int err;
5398 	int len;
5399 	short so_family, so_type;
5400 	register struct a {
5401 		long	fd;
5402 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5403 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5404 
5405 	/*
5406 	 * If there was an error, then nothing to do. Only generate
5407 	 * audit record on first successful recv.
5408 	 */
5409 	if (error) {
5410 		/* Turn off audit record generation here. */
5411 		tad->tad_flag = 0;
5412 		/* free any residual audit data */
5413 		au_close(kctx, &(u_ad), 0, 0, 0);
5414 		return;
5415 	}
5416 
5417 	fd = (int)uap->fd;
5418 
5419 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5420 		/* Turn off audit record generation here. */
5421 		tad->tad_flag = 0;
5422 		/* free any residual audit data */
5423 		au_close(kctx, &(u_ad), 0, 0, 0);
5424 		return;
5425 	}
5426 
5427 	/* get path from file struct here */
5428 	fad = F2A(fp);
5429 	ASSERT(fad);
5430 
5431 	/*
5432 	 * already processed this file for read attempt
5433 	 */
5434 	if (fad->fad_flags & FAD_READ) {
5435 		releasef(fd);
5436 		/* don't really want to audit every recv call */
5437 		tad->tad_flag = 0;
5438 		/* free any residual audit data */
5439 		au_close(kctx, &(u_ad), 0, 0, 0);
5440 		return;
5441 	}
5442 
5443 	/* mark things so we know what happened and don't repeat things */
5444 	fad->fad_flags |= FAD_READ;
5445 
5446 	so_family = so->so_family;
5447 	so_type   = so->so_type;
5448 
5449 	switch (so_family) {
5450 	case AF_INET:
5451 	case AF_INET6:
5452 		/*
5453 		 * Only for connections.
5454 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5455 		 */
5456 		if (so->so_state & SS_ISBOUND) {
5457 
5458 			bzero((void *)so_laddr, sizeof (so_laddr));
5459 			bzero((void *)so_faddr, sizeof (so_faddr));
5460 
5461 			/* only done once on a connection */
5462 			(void) SOP_GETSOCKNAME(so);
5463 			(void) SOP_GETPEERNAME(so);
5464 
5465 			/* get local and foreign addresses */
5466 			mutex_enter(&so->so_lock);
5467 			len = min(so->so_laddr_len, sizeof (so_laddr));
5468 			bcopy(so->so_laddr_sa, so_laddr, len);
5469 			len = min(so->so_faddr_len, sizeof (so_faddr));
5470 			bcopy(so->so_faddr_sa, so_faddr, len);
5471 			mutex_exit(&so->so_lock);
5472 
5473 			/*
5474 			 * only way to drop out of switch. Note that we
5475 			 * we release fd below.
5476 			 */
5477 
5478 			break;
5479 		}
5480 
5481 		releasef(fd);
5482 
5483 		/* don't really want to audit every recv call */
5484 		tad->tad_flag = 0;
5485 		/* free any residual audit data */
5486 		au_close(kctx, &(u_ad), 0, 0, 0);
5487 
5488 		return;
5489 
5490 	case AF_UNIX:
5491 
5492 		if (fad->fad_aupath != NULL) {
5493 			au_uwrite(au_to_path(fad->fad_aupath));
5494 		} else {
5495 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5496 		}
5497 
5498 		audit_attributes(fp->f_vnode);
5499 
5500 		releasef(fd);
5501 
5502 		return;
5503 
5504 	default:
5505 		releasef(fd);
5506 
5507 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5508 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5509 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5510 
5511 		return;
5512 	}
5513 
5514 	releasef(fd);
5515 
5516 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5517 
5518 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5519 
5520 }
5521 
5522 /*ARGSUSED*/
5523 static void
5524 auf_send(tad, error, rval)
5525 	struct t_audit_data *tad;
5526 	int error;
5527 	rval_t *rval;
5528 {
5529 	struct sonode *so;
5530 	char so_laddr[sizeof (struct sockaddr_in6)];
5531 	char so_faddr[sizeof (struct sockaddr_in6)];
5532 	struct file *fp;
5533 	struct f_audit_data *fad;
5534 	int fd;
5535 	int err;
5536 	int len;
5537 	short so_family, so_type;
5538 	register struct a {
5539 		long	fd;
5540 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5541 	au_kcontext_t	*kctx = GET_KCTX_PZ;
5542 
5543 	fd = (int)uap->fd;
5544 
5545 	/*
5546 	 * If there was an error, then nothing to do. Only generate
5547 	 * audit record on first successful send.
5548 	 */
5549 	if (error != 0) {
5550 		/* Turn off audit record generation here. */
5551 		tad->tad_flag = 0;
5552 		/* free any residual audit data */
5553 		au_close(kctx, &(u_ad), 0, 0, 0);
5554 		return;
5555 	}
5556 
5557 	fd = (int)uap->fd;
5558 
5559 	if ((so = getsonode(fd, &err, &fp)) == NULL) {
5560 		/* Turn off audit record generation here. */
5561 		tad->tad_flag = 0;
5562 		/* free any residual audit data */
5563 		au_close(kctx, &(u_ad), 0, 0, 0);
5564 		return;
5565 	}
5566 
5567 	/* get path from file struct here */
5568 	fad = F2A(fp);
5569 	ASSERT(fad);
5570 
5571 	/*
5572 	 * already processed this file for write attempt
5573 	 */
5574 	if (fad->fad_flags & FAD_WRITE) {
5575 		releasef(fd);
5576 		/* don't really want to audit every send call */
5577 		tad->tad_flag = 0;
5578 		/* free any residual audit data */
5579 		au_close(kctx, &(u_ad), 0, 0, 0);
5580 		return;
5581 	}
5582 
5583 	/* mark things so we know what happened and don't repeat things */
5584 	fad->fad_flags |= FAD_WRITE;
5585 
5586 	so_family = so->so_family;
5587 	so_type   = so->so_type;
5588 
5589 	switch (so_family) {
5590 	case AF_INET:
5591 	case AF_INET6:
5592 		/*
5593 		 * Only for connections.
5594 		 * XXX - do we need to worry about SOCK_DGRAM or other types???
5595 		 */
5596 		if (so->so_state & SS_ISBOUND) {
5597 
5598 			bzero((void *)so_laddr, sizeof (so_laddr));
5599 			bzero((void *)so_faddr, sizeof (so_faddr));
5600 
5601 			/* only done once on a connection */
5602 			(void) SOP_GETSOCKNAME(so);
5603 			(void) SOP_GETPEERNAME(so);
5604 
5605 			/* get local and foreign addresses */
5606 			mutex_enter(&so->so_lock);
5607 			len = min(so->so_laddr_len, sizeof (so_laddr));
5608 			bcopy(so->so_laddr_sa, so_laddr, len);
5609 			len = min(so->so_faddr_len, sizeof (so_faddr));
5610 			bcopy(so->so_faddr_sa, so_faddr, len);
5611 			mutex_exit(&so->so_lock);
5612 
5613 			/*
5614 			 * only way to drop out of switch. Note that we
5615 			 * we release fd below.
5616 			 */
5617 
5618 			break;
5619 		}
5620 
5621 		releasef(fd);
5622 		/* don't really want to audit every send call */
5623 		tad->tad_flag = 0;
5624 		/* free any residual audit data */
5625 		au_close(kctx, &(u_ad), 0, 0, 0);
5626 
5627 		return;
5628 
5629 	case AF_UNIX:
5630 
5631 		if (fad->fad_aupath != NULL) {
5632 			au_uwrite(au_to_path(fad->fad_aupath));
5633 		} else {
5634 			au_uwrite(au_to_arg32(1, "no path: fd", fd));
5635 		}
5636 
5637 		audit_attributes(fp->f_vnode);
5638 
5639 		releasef(fd);
5640 
5641 		return;
5642 
5643 	default:
5644 		releasef(fd);
5645 
5646 		au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5647 		au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5648 		au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5649 
5650 		return;
5651 	}
5652 
5653 	releasef(fd);
5654 
5655 	au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5656 
5657 	au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5658 }
5659 
5660 static au_event_t
5661 aui_forksys(au_event_t e)
5662 {
5663 	struct a {
5664 		long	subcode;
5665 		long	flags;
5666 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5667 
5668 	switch ((uint_t)uap->subcode) {
5669 	case 0:
5670 		e = AUE_FORK1;
5671 		break;
5672 	case 1:
5673 		e = AUE_FORKALL;
5674 		break;
5675 	case 2:
5676 		e = AUE_VFORK;
5677 		break;
5678 	default:
5679 		e = AUE_NULL;
5680 		break;
5681 	}
5682 
5683 	return (e);
5684 }
5685 
5686 /*ARGSUSED*/
5687 static au_event_t
5688 aui_portfs(au_event_t e)
5689 {
5690 	struct a {		/* portfs */
5691 		long	a1;
5692 		long	a2;
5693 		long	a3;
5694 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5695 
5696 	/*
5697 	 * check opcode
5698 	 */
5699 	switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5700 	case PORT_ASSOCIATE:
5701 	case PORT_DISSOCIATE:
5702 		/*
5703 		 * check source
5704 		 */
5705 		if ((uint_t)uap->a3 == PORT_SOURCE_FILE) {
5706 			e = AUE_PORTFS;
5707 		} else {
5708 			e = AUE_NULL;
5709 		}
5710 		break;
5711 	default:
5712 		e = AUE_NULL;
5713 	}
5714 	return (e);
5715 }
5716