1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 #pragma ident "%Z%%M% %I% %E% SMI" 28 29 /* 30 * This file contains the audit event table used to control the production 31 * of audit records for each system call. 32 */ 33 34 #include <sys/policy.h> 35 #include <sys/cred.h> 36 #include <sys/types.h> 37 #include <sys/systm.h> 38 #include <sys/systeminfo.h> /* for sysinfo auditing */ 39 #include <sys/utsname.h> /* for sysinfo auditing */ 40 #include <sys/proc.h> 41 #include <sys/vnode.h> 42 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 43 #include <sys/fcntl.h> 44 #include <sys/modctl.h> /* for modctl auditing */ 45 #include <sys/vnode.h> 46 #include <sys/user.h> 47 #include <sys/types.h> 48 #include <sys/processor.h> 49 #include <sys/procset.h> 50 #include <sys/acl.h> 51 #include <sys/ipc.h> 52 #include <sys/door.h> 53 #include <sys/sem.h> 54 #include <sys/msg.h> 55 #include <sys/shm.h> 56 #include <sys/kmem.h> 57 #include <sys/file.h> /* for accept */ 58 #include <sys/utssys.h> /* for fuser */ 59 #include <sys/tsol/label.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <netinet/in.h> 76 #include <sys/ddi.h> 77 78 extern token_t *au_to_sock_inet(struct sockaddr_in *); 79 80 int au_naevent; 81 char _depends_on[] = "fs/sockfs"; 82 83 static au_event_t aui_null(au_event_t); 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_auditsys(au_event_t); 96 static au_event_t aui_modctl(au_event_t); 97 static au_event_t aui_acl(au_event_t); 98 static au_event_t aui_doorfs(au_event_t); 99 static au_event_t aui_privsys(au_event_t); 100 static au_event_t aui_forksys(au_event_t); 101 102 static void aus_null(struct t_audit_data *); 103 static void aus_open(struct t_audit_data *); 104 static void aus_acl(struct t_audit_data *); 105 static void aus_acct(struct t_audit_data *); 106 static void aus_chown(struct t_audit_data *); 107 static void aus_fchown(struct t_audit_data *); 108 static void aus_lchown(struct t_audit_data *); 109 static void aus_chmod(struct t_audit_data *); 110 static void aus_facl(struct t_audit_data *); 111 static void aus_fchmod(struct t_audit_data *); 112 static void aus_fcntl(struct t_audit_data *); 113 static void aus_fsat(struct t_audit_data *); 114 static void aus_mkdir(struct t_audit_data *); 115 static void aus_mknod(struct t_audit_data *); 116 static void aus_mount(struct t_audit_data *); 117 static void aus_umount(struct t_audit_data *); 118 static void aus_umount2(struct t_audit_data *); 119 static void aus_msgsys(struct t_audit_data *); 120 static void aus_semsys(struct t_audit_data *); 121 static void aus_close(struct t_audit_data *); 122 static void aus_fstatfs(struct t_audit_data *); 123 static void aus_setgid(struct t_audit_data *); 124 static void aus_setuid(struct t_audit_data *); 125 static void aus_shmsys(struct t_audit_data *); 126 static void aus_doorfs(struct t_audit_data *); 127 static void aus_ioctl(struct t_audit_data *); 128 static void aus_memcntl(struct t_audit_data *); 129 static void aus_mmap(struct t_audit_data *); 130 static void aus_munmap(struct t_audit_data *); 131 static void aus_priocntlsys(struct t_audit_data *); 132 static void aus_setegid(struct t_audit_data *); 133 static void aus_setgroups(struct t_audit_data *); 134 static void aus_seteuid(struct t_audit_data *); 135 static void aus_putmsg(struct t_audit_data *); 136 static void aus_putpmsg(struct t_audit_data *); 137 static void aus_getmsg(struct t_audit_data *); 138 static void aus_getpmsg(struct t_audit_data *); 139 static void aus_auditsys(struct t_audit_data *); 140 static void aus_sysinfo(struct t_audit_data *); 141 static void aus_modctl(struct t_audit_data *); 142 static void aus_kill(struct t_audit_data *); 143 static void aus_xmknod(struct t_audit_data *); 144 static void aus_setregid(struct t_audit_data *); 145 static void aus_setreuid(struct t_audit_data *); 146 147 static void auf_null(struct t_audit_data *, int, rval_t *); 148 static void auf_mknod(struct t_audit_data *, int, rval_t *); 149 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 150 static void auf_semsys(struct t_audit_data *, int, rval_t *); 151 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 152 #if 0 153 static void auf_open(struct t_audit_data *, int, rval_t *); 154 #endif 155 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 156 static void auf_read(struct t_audit_data *, int, rval_t *); 157 static void auf_write(struct t_audit_data *, int, rval_t *); 158 159 static void aus_sigqueue(struct t_audit_data *); 160 static void aus_p_online(struct t_audit_data *); 161 static void aus_processor_bind(struct t_audit_data *); 162 static void aus_inst_sync(struct t_audit_data *); 163 static void aus_brandsys(struct t_audit_data *); 164 165 static void auf_accept(struct t_audit_data *, int, rval_t *); 166 167 static void auf_bind(struct t_audit_data *, int, rval_t *); 168 static void auf_connect(struct t_audit_data *, int, rval_t *); 169 static void aus_shutdown(struct t_audit_data *); 170 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 171 static void aus_sockconfig(struct t_audit_data *); 172 static void auf_recv(struct t_audit_data *, int, rval_t *); 173 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 174 static void auf_send(struct t_audit_data *, int, rval_t *); 175 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 176 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 177 static void auf_sendto(struct t_audit_data *, int, rval_t *); 178 static void aus_socket(struct t_audit_data *); 179 /* 180 * This table contains mapping information for converting system call numbers 181 * to audit event IDs. In several cases it is necessary to map a single system 182 * call to several events. 183 */ 184 185 struct audit_s2e audit_s2e[] = 186 { 187 /* 188 * ---------- ---------- ---------- ---------- 189 * INITIAL AUDIT START SYSTEM 190 * PROCESSING EVENT PROCESSING CALL 191 * ---------- ---------- ---------- ----------- 192 * FINISH EVENT 193 * PROCESSING CONTROL 194 * ---------------------------------------------------------- 195 */ 196 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 197 auf_null, 0, 198 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 199 auf_null, S2E_NPT, 200 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 201 auf_null, 0, 202 aui_null, AUE_READ, aus_null, /* 3 read */ 203 auf_read, S2E_PUB, 204 aui_null, AUE_WRITE, aus_null, /* 4 write */ 205 auf_write, 0, 206 aui_open, AUE_OPEN, aus_open, /* 5 open */ 207 auf_null, S2E_SP, 208 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 209 auf_null, 0, 210 aui_null, AUE_NULL, aus_null, /* 7 wait */ 211 auf_null, 0, 212 aui_null, AUE_CREAT, aus_null, /* 8 create */ 213 auf_null, S2E_SP, 214 aui_null, AUE_LINK, aus_null, /* 9 link */ 215 auf_null, 0, 216 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 217 auf_null, 0, 218 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 219 auf_null, S2E_MLD, 220 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 221 auf_null, S2E_SP, 222 aui_null, AUE_NULL, aus_null, /* 13 time */ 223 auf_null, 0, 224 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 225 auf_mknod, 0, 226 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 227 auf_null, 0, 228 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 229 auf_null, 0, 230 aui_null, AUE_NULL, aus_null, /* 17 brk */ 231 auf_null, 0, 232 aui_null, AUE_STAT, aus_null, /* 18 stat */ 233 auf_null, S2E_PUB, 234 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 235 auf_null, 0, 236 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 237 auf_null, 0, 238 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 239 auf_null, S2E_MLD, 240 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 241 auf_null, 0, 242 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 243 auf_null, 0, 244 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 245 auf_null, 0, 246 aui_null, AUE_STIME, aus_null, /* 25 stime */ 247 auf_null, 0, 248 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 249 auf_null, 0, 250 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 29 pause */ 255 auf_null, 0, 256 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 257 auf_null, 0, 258 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 259 auf_null, 0, 260 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 261 auf_null, 0, 262 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 263 auf_null, S2E_PUB, 264 aui_null, AUE_NICE, aus_null, /* 34 nice */ 265 auf_null, 0, 266 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 267 auf_null, S2E_PUB, 268 aui_null, AUE_NULL, aus_null, /* 36 sync */ 269 auf_null, 0, 270 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 271 auf_null, 0, 272 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 273 auf_null, S2E_PUB, 274 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 275 auf_null, 0, 276 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 277 auf_null, 0, 278 aui_null, AUE_NULL, aus_null, /* 41 dup */ 279 auf_null, 0, 280 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 281 auf_null, 0, 282 aui_null, AUE_NULL, aus_null, /* 43 times */ 283 auf_null, 0, 284 aui_null, AUE_NULL, aus_null, /* 44 profil */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 287 /* was proc lock */ 288 auf_null, 0, 289 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 290 auf_null, 0, 291 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 48 sig */ 294 auf_null, 0, 295 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 296 auf_msgsys, 0, 297 #if defined(__x86) 298 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 299 auf_null, 0, 300 #else 301 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 302 auf_null, 0, 303 #endif /* __x86 */ 304 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 305 auf_null, 0, 306 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 307 auf_shmsys, 0, 308 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 309 auf_semsys, 0, 310 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 311 auf_null, 0, 312 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 313 auf_null, 0, 314 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 315 auf_null, 0, 316 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 317 auf_null, 0, 318 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 319 auf_null, 0, 320 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 321 auf_null, S2E_MLD, 322 aui_null, AUE_NULL, aus_null, /* 60 umask */ 323 auf_null, 0, 324 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 325 auf_null, S2E_SP, 326 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 327 auf_null, 0, 328 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 329 auf_null, 0, 330 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 337 /* file locking call */ 338 auf_null, 0, 339 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 340 /* local system calls */ 341 auf_null, 0, 342 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 343 auf_null, 0, 344 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 355 /* was sigret (SunOS) */ 356 auf_null, 0, 357 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 358 auf_null, 0, 359 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 360 auf_null, 0, 361 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 362 auf_null, 0, 363 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 364 auf_null, 0, 365 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 366 auf_null, 0, 367 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 368 auf_null, 0, 369 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 370 /* was libattach */ 371 auf_null, 0, 372 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 373 /* was libdetach */ 374 auf_null, 0, 375 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 376 auf_null, 0, 377 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 378 auf_null, 0, 379 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 380 auf_null, 0, 381 aui_null, AUE_NULL, aus_null, /* 87 poll */ 382 auf_null, 0, 383 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 384 auf_null, S2E_PUB, 385 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 386 auf_null, 0, 387 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 388 auf_null, S2E_PUB, 389 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 390 auf_null, 0, 391 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 392 auf_null, 0, 393 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 394 auf_null, 0, 395 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 396 auf_null, 0, 397 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 398 auf_null, 0, 399 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 410 auf_null, 0, 411 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 412 /* was evtrapret */ 413 auf_null, 0, 414 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 415 auf_null, S2E_PUB, 416 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 417 auf_null, 0, 418 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 425 auf_null, 0, 426 #if defined(__x86) 427 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 428 auf_null, 0, 429 #else 430 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 431 auf_null, 0, 432 #endif /* __x86 */ 433 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 434 auf_null, 0, 435 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 436 auf_null, 0, 437 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 438 auf_null, 0, /* 112 priocntlsys */ 439 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 440 auf_null, S2E_PUB, 441 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 442 auf_null, 0, 443 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 444 auf_null, 0, 445 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 446 auf_null, 0, 447 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 448 auf_null, 0, 449 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 450 auf_null, 0, 451 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 452 auf_null, 0, 453 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 454 auf_null, 0, 455 aui_null, AUE_READ, aus_null, /* 121 readv */ 456 auf_read, S2E_PUB, 457 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 458 auf_write, 0, 459 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 460 auf_null, S2E_PUB, 461 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 462 auf_null, S2E_PUB, 463 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 464 auf_null, 0, 465 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 466 auf_xmknod, 0, 467 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 468 auf_null, 0, 469 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 470 auf_null, 0, 471 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 472 auf_null, 0, 473 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 474 auf_null, 0, 475 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 476 auf_null, 0, 477 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 478 auf_null, 0, 479 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 480 auf_null, 0, 481 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 482 auf_null, 0, 483 aui_null, AUE_NULL, aus_null, /* 135 uname */ 484 auf_null, 0, 485 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 486 auf_null, 0, 487 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 488 auf_null, 0, 489 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 490 auf_null, 0, 491 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 492 auf_null, 0, 493 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 494 auf_null, 0, 495 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 496 auf_null, 0, 497 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 498 auf_null, 0, 499 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 500 auf_null, 0, 501 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 146 yield */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 514 auf_null, 0, 515 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 516 auf_null, 0, 517 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 518 auf_null, 0, 519 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 520 auf_null, 0, 521 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 522 auf_null, 0, 523 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 524 auf_null, 0, 525 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 544 /* was lwp_setprivate */ 545 auf_null, 0, 546 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 547 /* was lwp_getprivate */ 548 auf_null, 0, 549 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 550 auf_null, 0, 551 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_unlock */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 560 auf_null, 0, 561 aui_null, AUE_READ, aus_null, /* 173 pread */ 562 auf_read, S2E_PUB, 563 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 564 auf_write, 0, 565 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 566 auf_null, 0, 567 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 568 /* aus_inst_sync */ 569 auf_null, 0, 570 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 571 auf_null, 0, 572 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 573 auf_null, 0, 574 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 579 auf_null, 0, 580 aui_null, AUE_NULL, aus_null, /* 182 (loadable) */ 581 auf_null, 0, 582 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 583 auf_null, 0, 584 aui_null, AUE_NULL, aus_null, /* 184 (loadable) tsolsys */ 585 auf_null, 0, 586 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 587 auf_null, 0, 588 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 589 auf_null, 0, 590 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 591 auf_null, 0, /* 187 processor_bind */ 592 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 593 auf_null, 0, 594 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 595 auf_null, 0, 596 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 597 auf_null, 0, 598 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 599 auf_null, 0, 600 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 601 auf_null, 0, 602 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 603 auf_null, 0, 604 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 613 auf_null, 0, 614 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 615 auf_null, 0, 616 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 617 auf_null, 0, 618 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 619 auf_null, 0, 620 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 621 auf_null, 0, 622 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 623 auf_null, 0, 624 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 625 auf_null, 0, 626 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 641 auf_null, 0, 642 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 643 auf_null, 0, 644 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 645 auf_null, 0, 646 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 647 auf_null, S2E_PUB, 648 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 649 auf_null, S2E_PUB, 650 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 651 auf_null, 0, 652 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 653 auf_null, S2E_PUB, 654 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 655 auf_null, 0, 656 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 657 auf_null, 0, 658 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 659 auf_null, 0, 660 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 661 auf_read, S2E_PUB, 662 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 663 auf_write, 0, 664 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 665 auf_null, S2E_SP, 666 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 667 auf_null, S2E_SP, 668 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 669 auf_null, 0, 670 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 671 auf_null, 0, 672 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 675 auf_null, 0, 676 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 677 auf_null, 0, 678 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 679 auf_null, 0, 680 aui_null, AUE_BIND, aus_null, /* 232 bind */ 681 auf_bind, 0, 682 aui_null, AUE_NULL, aus_null, /* 233 listen */ 683 auf_null, 0, 684 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 685 auf_accept, 0, 686 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 687 auf_connect, 0, 688 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 689 auf_null, 0, 690 aui_null, AUE_READ, aus_null, /* 237 recv */ 691 auf_recv, 0, 692 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 693 auf_recvfrom, 0, 694 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 695 auf_recvmsg, 0, 696 aui_null, AUE_WRITE, aus_null, /* 240 send */ 697 auf_send, 0, 698 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 699 auf_sendmsg, 0, 700 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 701 auf_sendto, 0, 702 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 703 auf_null, 0, 704 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 705 auf_null, 0, 706 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 707 auf_null, 0, 708 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 709 auf_setsockopt, 0, 710 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 711 auf_null, 0, 712 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 713 auf_null, 0, 714 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 715 auf_null, 0, 716 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 717 auf_null, 0, 718 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_init */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 723 auf_null, 0, 724 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 725 auf_null, 0, 726 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 727 auf_null, 0 728 }; 729 730 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 731 732 char *so_not_bound = "socket not bound"; 733 char *so_not_conn = "socket not connected"; 734 char *so_bad_addr = "bad socket address"; 735 char *so_bad_peer_addr = "bad peer address"; 736 737 /* null start function */ 738 /*ARGSUSED*/ 739 static void 740 aus_null(struct t_audit_data *tad) 741 { 742 } 743 744 /* acct start function */ 745 /*ARGSUSED*/ 746 static void 747 aus_acct(struct t_audit_data *tad) 748 { 749 klwp_t *clwp = ttolwp(curthread); 750 uintptr_t fname; 751 752 struct a { 753 long fname; /* char * */ 754 } *uap = (struct a *)clwp->lwp_ap; 755 756 fname = (uintptr_t)uap->fname; 757 758 if (fname == 0) 759 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 760 } 761 762 /* chown start function */ 763 /*ARGSUSED*/ 764 static void 765 aus_chown(struct t_audit_data *tad) 766 { 767 klwp_t *clwp = ttolwp(curthread); 768 uint32_t uid, gid; 769 770 struct a { 771 long fname; /* char * */ 772 long uid; 773 long gid; 774 } *uap = (struct a *)clwp->lwp_ap; 775 776 uid = (uint32_t)uap->uid; 777 gid = (uint32_t)uap->gid; 778 779 au_uwrite(au_to_arg32(2, "new file uid", uid)); 780 au_uwrite(au_to_arg32(3, "new file gid", gid)); 781 } 782 783 /* fchown start function */ 784 /*ARGSUSED*/ 785 static void 786 aus_fchown(struct t_audit_data *tad) 787 { 788 klwp_t *clwp = ttolwp(curthread); 789 uint32_t uid, gid, fd; 790 struct file *fp; 791 struct vnode *vp; 792 struct f_audit_data *fad; 793 794 struct a { 795 long fd; 796 long uid; 797 long gid; 798 } *uap = (struct a *)clwp->lwp_ap; 799 800 fd = (uint32_t)uap->fd; 801 uid = (uint32_t)uap->uid; 802 gid = (uint32_t)uap->gid; 803 804 au_uwrite(au_to_arg32(2, "new file uid", uid)); 805 au_uwrite(au_to_arg32(3, "new file gid", gid)); 806 807 /* 808 * convert file pointer to file descriptor 809 * Note: fd ref count incremented here. 810 */ 811 if ((fp = getf(fd)) == NULL) 812 return; 813 814 /* get path from file struct here */ 815 fad = F2A(fp); 816 if (fad->fad_aupath != NULL) { 817 au_uwrite(au_to_path(fad->fad_aupath)); 818 } else { 819 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 820 } 821 822 vp = fp->f_vnode; 823 audit_attributes(vp); 824 825 /* decrement file descriptor reference count */ 826 releasef(fd); 827 } 828 829 /*ARGSUSED*/ 830 static void 831 aus_lchown(struct t_audit_data *tad) 832 { 833 klwp_t *clwp = ttolwp(curthread); 834 uint32_t uid, gid; 835 836 837 struct a { 838 long fname; /* char * */ 839 long uid; 840 long gid; 841 } *uap = (struct a *)clwp->lwp_ap; 842 843 uid = (uint32_t)uap->uid; 844 gid = (uint32_t)uap->gid; 845 846 au_uwrite(au_to_arg32(2, "new file uid", uid)); 847 au_uwrite(au_to_arg32(3, "new file gid", gid)); 848 } 849 850 /* chmod start function */ 851 /*ARGSUSED*/ 852 static void 853 aus_chmod(struct t_audit_data *tad) 854 { 855 klwp_t *clwp = ttolwp(curthread); 856 uint32_t fmode; 857 858 struct a { 859 long fname; /* char * */ 860 long fmode; 861 } *uap = (struct a *)clwp->lwp_ap; 862 863 fmode = (uint32_t)uap->fmode; 864 865 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 866 } 867 868 /* chmod start function */ 869 /*ARGSUSED*/ 870 static void 871 aus_fchmod(struct t_audit_data *tad) 872 { 873 klwp_t *clwp = ttolwp(curthread); 874 uint32_t fmode, fd; 875 struct file *fp; 876 struct vnode *vp; 877 struct f_audit_data *fad; 878 879 struct a { 880 long fd; 881 long fmode; 882 } *uap = (struct a *)clwp->lwp_ap; 883 884 fd = (uint32_t)uap->fd; 885 fmode = (uint32_t)uap->fmode; 886 887 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 888 889 /* 890 * convert file pointer to file descriptor 891 * Note: fd ref count incremented here. 892 */ 893 if ((fp = getf(fd)) == NULL) 894 return; 895 896 /* get path from file struct here */ 897 fad = F2A(fp); 898 if (fad->fad_aupath != NULL) { 899 au_uwrite(au_to_path(fad->fad_aupath)); 900 } else { 901 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 902 } 903 904 vp = fp->f_vnode; 905 audit_attributes(vp); 906 907 /* decrement file descriptor reference count */ 908 releasef(fd); 909 } 910 911 /* null function */ 912 /*ARGSUSED*/ 913 static void 914 auf_null(struct t_audit_data *tad, int error, rval_t *rval) 915 { 916 } 917 918 /* null function */ 919 static au_event_t 920 aui_null(au_event_t e) 921 { 922 return (e); 923 } 924 925 /* convert open to appropriate event */ 926 static au_event_t 927 aui_open(au_event_t e) 928 { 929 klwp_t *clwp = ttolwp(curthread); 930 uint_t fm; 931 932 struct a { 933 long fnamep; /* char * */ 934 long fmode; 935 long cmode; 936 } *uap = (struct a *)clwp->lwp_ap; 937 938 fm = (uint_t)uap->fmode; 939 940 if (fm & O_WRONLY) 941 e = AUE_OPEN_W; 942 else if (fm & O_RDWR) 943 e = AUE_OPEN_RW; 944 else 945 e = AUE_OPEN_R; 946 947 if (fm & O_CREAT) 948 e += 1; 949 if (fm & O_TRUNC) 950 e += 2; 951 952 return (e); 953 } 954 955 /*ARGSUSED*/ 956 static void 957 aus_open(struct t_audit_data *tad) 958 { 959 klwp_t *clwp = ttolwp(curthread); 960 uint_t fm; 961 962 struct a { 963 long fnamep; /* char * */ 964 long fmode; 965 long cmode; 966 } *uap = (struct a *)clwp->lwp_ap; 967 968 fm = (uint_t)uap->fmode; 969 970 /* If no write, create, or trunc modes, mark as a public op */ 971 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 972 tad->tad_ctrl |= PAD_PUBLIC_EV; 973 } 974 975 /* convert openat(2) to appropriate event */ 976 static au_event_t 977 aui_fsat(au_event_t e) 978 { 979 t_audit_data_t *tad = U2A(u); 980 klwp_t *clwp = ttolwp(curthread); 981 uint_t fmcode, fm; 982 struct a { 983 long id; 984 long arg1; 985 long arg2; 986 long arg3; 987 long arg4; 988 long arg5; 989 } *uap = (struct a *)clwp->lwp_ap; 990 991 fmcode = (uint_t)uap->id; 992 993 switch (fmcode) { 994 995 case 0: /* openat */ 996 case 1: /* openat64 */ 997 fm = (uint_t)uap->arg3; 998 if (fm & O_WRONLY) 999 e = AUE_OPENAT_W; 1000 else if (fm & O_RDWR) 1001 e = AUE_OPENAT_RW; 1002 else 1003 e = AUE_OPENAT_R; 1004 1005 /* 1006 * openat modes are defined in the following order: 1007 * Read only 1008 * Read|Create 1009 * Read|Trunc 1010 * Read|Create|Trunc 1011 * Write Only 1012 * Write|Create 1013 * Write|Trunc 1014 * Write|Create|Trunc * RW Only 1015 * RW|Create 1016 * RW|Trunc 1017 * RW|Create|Trunc 1018 */ 1019 if (fm & O_CREAT) 1020 e += 1; /* increment to include CREAT in mode */ 1021 if (fm & O_TRUNC) 1022 e += 2; /* increment to include TRUNC in mode */ 1023 1024 /* convert to appropriate au_ctrl */ 1025 tad->tad_ctrl |= PAD_SAVPATH; 1026 if (fm & FXATTR) 1027 tad->tad_ctrl |= PAD_ATPATH; 1028 1029 1030 break; 1031 case 2: /* fstatat64 */ 1032 case 3: /* fstatat */ 1033 e = AUE_FSTATAT; 1034 break; 1035 case 4: /* fchownat */ 1036 e = AUE_FCHOWNAT; 1037 break; 1038 case 5: /* unlinkat */ 1039 e = AUE_UNLINKAT; 1040 break; 1041 case 6: /* futimesat */ 1042 e = AUE_FUTIMESAT; 1043 break; 1044 case 7: /* renameat */ 1045 e = AUE_RENAMEAT; 1046 break; 1047 default: 1048 e = AUE_NULL; 1049 break; 1050 } 1051 1052 return (e); 1053 } 1054 1055 /*ARGSUSED*/ 1056 static void 1057 aus_fsat(struct t_audit_data *tad) 1058 { 1059 klwp_t *clwp = ttolwp(curthread); 1060 uint_t fmcode, fm; 1061 struct a { 1062 long id; 1063 long arg1; 1064 long arg2; 1065 long arg3; 1066 long arg4; 1067 long arg5; 1068 } *uap = (struct a *)clwp->lwp_ap; 1069 1070 fmcode = (uint_t)uap->id; 1071 1072 switch (fmcode) { 1073 1074 case 0: /* openat */ 1075 case 1: /* openat64 */ 1076 fm = (uint_t)uap->arg3; 1077 /* If no write, create, or trunc modes, mark as a public op */ 1078 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1079 tad->tad_ctrl |= PAD_PUBLIC_EV; 1080 1081 break; 1082 case 2: /* fstatat64 */ 1083 case 3: /* fstatat */ 1084 tad->tad_ctrl |= PAD_PUBLIC_EV; 1085 break; 1086 default: 1087 break; 1088 } 1089 } 1090 1091 /* msgsys */ 1092 static au_event_t 1093 aui_msgsys(au_event_t e) 1094 { 1095 klwp_t *clwp = ttolwp(curthread); 1096 uint_t fm; 1097 1098 struct a { 1099 long id; /* function code id */ 1100 long ap; /* arg pointer for recvmsg */ 1101 } *uap = (struct a *)clwp->lwp_ap; 1102 1103 struct b { 1104 long msgid; 1105 long cmd; 1106 long buf; /* struct msqid_ds * */ 1107 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1108 1109 fm = (uint_t)uap->id; 1110 1111 switch (fm) { 1112 case 0: /* msgget */ 1113 e = AUE_MSGGET; 1114 break; 1115 case 1: /* msgctl */ 1116 switch ((uint_t)uap1->cmd) { 1117 case IPC_RMID: 1118 e = AUE_MSGCTL_RMID; 1119 break; 1120 case IPC_SET: 1121 e = AUE_MSGCTL_SET; 1122 break; 1123 case IPC_STAT: 1124 e = AUE_MSGCTL_STAT; 1125 break; 1126 default: 1127 e = AUE_MSGCTL; 1128 break; 1129 } 1130 break; 1131 case 2: /* msgrcv */ 1132 e = AUE_MSGRCV; 1133 break; 1134 case 3: /* msgsnd */ 1135 e = AUE_MSGSND; 1136 break; 1137 default: /* illegal system call */ 1138 e = AUE_NULL; 1139 break; 1140 } 1141 1142 return (e); 1143 } 1144 1145 1146 /* shmsys */ 1147 static au_event_t 1148 aui_shmsys(au_event_t e) 1149 { 1150 klwp_t *clwp = ttolwp(curthread); 1151 int fm; 1152 1153 struct a { /* shmsys */ 1154 long id; /* function code id */ 1155 } *uap = (struct a *)clwp->lwp_ap; 1156 1157 struct b { /* ctrl */ 1158 long shmid; 1159 long cmd; 1160 long arg; /* struct shmid_ds * */ 1161 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1162 fm = (uint_t)uap->id; 1163 1164 switch (fm) { 1165 case 0: /* shmat */ 1166 e = AUE_SHMAT; 1167 break; 1168 case 1: /* shmctl */ 1169 switch ((uint_t)uap1->cmd) { 1170 case IPC_RMID: 1171 e = AUE_SHMCTL_RMID; 1172 break; 1173 case IPC_SET: 1174 e = AUE_SHMCTL_SET; 1175 break; 1176 case IPC_STAT: 1177 e = AUE_SHMCTL_STAT; 1178 break; 1179 default: 1180 e = AUE_SHMCTL; 1181 break; 1182 } 1183 break; 1184 case 2: /* shmdt */ 1185 e = AUE_SHMDT; 1186 break; 1187 case 3: /* shmget */ 1188 e = AUE_SHMGET; 1189 break; 1190 default: /* illegal system call */ 1191 e = AUE_NULL; 1192 break; 1193 } 1194 1195 return (e); 1196 } 1197 1198 1199 /* semsys */ 1200 static au_event_t 1201 aui_semsys(au_event_t e) 1202 { 1203 klwp_t *clwp = ttolwp(curthread); 1204 uint_t fm; 1205 1206 struct a { /* semsys */ 1207 long id; 1208 } *uap = (struct a *)clwp->lwp_ap; 1209 1210 struct b { /* ctrl */ 1211 long semid; 1212 long semnum; 1213 long cmd; 1214 long arg; 1215 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1216 1217 fm = (uint_t)uap->id; 1218 1219 switch (fm) { 1220 case 0: /* semctl */ 1221 switch ((uint_t)uap1->cmd) { 1222 case IPC_RMID: 1223 e = AUE_SEMCTL_RMID; 1224 break; 1225 case IPC_SET: 1226 e = AUE_SEMCTL_SET; 1227 break; 1228 case IPC_STAT: 1229 e = AUE_SEMCTL_STAT; 1230 break; 1231 case GETNCNT: 1232 e = AUE_SEMCTL_GETNCNT; 1233 break; 1234 case GETPID: 1235 e = AUE_SEMCTL_GETPID; 1236 break; 1237 case GETVAL: 1238 e = AUE_SEMCTL_GETVAL; 1239 break; 1240 case GETALL: 1241 e = AUE_SEMCTL_GETALL; 1242 break; 1243 case GETZCNT: 1244 e = AUE_SEMCTL_GETZCNT; 1245 break; 1246 case SETVAL: 1247 e = AUE_SEMCTL_SETVAL; 1248 break; 1249 case SETALL: 1250 e = AUE_SEMCTL_SETALL; 1251 break; 1252 default: 1253 e = AUE_SEMCTL; 1254 break; 1255 } 1256 break; 1257 case 1: /* semget */ 1258 e = AUE_SEMGET; 1259 break; 1260 case 2: /* semop */ 1261 e = AUE_SEMOP; 1262 break; 1263 default: /* illegal system call */ 1264 e = AUE_NULL; 1265 break; 1266 } 1267 1268 return (e); 1269 } 1270 1271 /* utssys - uname(2), ustat(2), fusers(2) */ 1272 static au_event_t 1273 aui_utssys(au_event_t e) 1274 { 1275 klwp_t *clwp = ttolwp(curthread); 1276 uint_t type; 1277 1278 struct a { 1279 union { 1280 long cbuf; /* char * */ 1281 long ubuf; /* struct stat * */ 1282 } ub; 1283 union { 1284 long mv; /* for USTAT */ 1285 long flags; /* for FUSERS */ 1286 } un; 1287 long type; 1288 long outbp; /* char * for FUSERS */ 1289 } *uap = (struct a *)clwp->lwp_ap; 1290 1291 type = (uint_t)uap->type; 1292 1293 if (type == UTS_FUSERS) 1294 return (e); 1295 else 1296 return ((au_event_t)AUE_NULL); 1297 } 1298 1299 static au_event_t 1300 aui_fcntl(au_event_t e) 1301 { 1302 klwp_t *clwp = ttolwp(curthread); 1303 uint_t cmd; 1304 1305 struct a { 1306 long fdes; 1307 long cmd; 1308 long arg; 1309 } *uap = (struct a *)clwp->lwp_ap; 1310 1311 cmd = (uint_t)uap->cmd; 1312 1313 switch (cmd) { 1314 case F_GETLK: 1315 case F_SETLK: 1316 case F_SETLKW: 1317 break; 1318 case F_SETFL: 1319 case F_GETFL: 1320 case F_GETFD: 1321 break; 1322 default: 1323 e = (au_event_t)AUE_NULL; 1324 break; 1325 } 1326 return ((au_event_t)e); 1327 } 1328 1329 /* null function for now */ 1330 static au_event_t 1331 aui_execv(au_event_t e) 1332 { 1333 return (e); 1334 } 1335 1336 /* null function for now */ 1337 static au_event_t 1338 aui_execve(au_event_t e) 1339 { 1340 return (e); 1341 } 1342 1343 /*ARGSUSED*/ 1344 static void 1345 aus_fcntl(struct t_audit_data *tad) 1346 { 1347 klwp_t *clwp = ttolwp(curthread); 1348 uint32_t cmd, fd; 1349 struct file *fp; 1350 struct vnode *vp; 1351 struct f_audit_data *fad; 1352 1353 struct a { 1354 long fd; 1355 long cmd; 1356 long arg; 1357 } *uap = (struct a *)clwp->lwp_ap; 1358 1359 cmd = (uint32_t)uap->cmd; 1360 fd = (uint32_t)uap->fd; 1361 1362 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1363 1364 /* 1365 * convert file pointer to file descriptor 1366 * Note: fd ref count incremented here. 1367 */ 1368 if ((fp = getf(fd)) == NULL) 1369 return; 1370 1371 /* get path from file struct here */ 1372 fad = F2A(fp); 1373 if (fad->fad_aupath != NULL) { 1374 au_uwrite(au_to_path(fad->fad_aupath)); 1375 } else { 1376 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1377 } 1378 1379 vp = fp->f_vnode; 1380 audit_attributes(vp); 1381 1382 /* decrement file descriptor reference count */ 1383 releasef(fd); 1384 } 1385 1386 /*ARGSUSED*/ 1387 static void 1388 aus_kill(struct t_audit_data *tad) 1389 { 1390 klwp_t *clwp = ttolwp(curthread); 1391 struct proc *p; 1392 uint32_t signo; 1393 uid_t uid, ruid; 1394 gid_t gid, rgid; 1395 pid_t pid; 1396 const auditinfo_addr_t *ainfo; 1397 cred_t *cr; 1398 1399 struct a { 1400 long pid; 1401 long signo; 1402 } *uap = (struct a *)clwp->lwp_ap; 1403 1404 pid = (pid_t)uap->pid; 1405 signo = (uint32_t)uap->signo; 1406 1407 au_uwrite(au_to_arg32(2, "signal", signo)); 1408 if (pid > 0) { 1409 mutex_enter(&pidlock); 1410 if (((p = prfind(pid)) == (struct proc *)0) || 1411 (p->p_stat == SIDL)) { 1412 mutex_exit(&pidlock); 1413 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1414 return; 1415 } 1416 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1417 mutex_exit(&pidlock); 1418 1419 mutex_enter(&p->p_crlock); 1420 crhold(cr = p->p_cred); 1421 mutex_exit(&p->p_crlock); 1422 mutex_exit(&p->p_lock); 1423 1424 ainfo = crgetauinfo(cr); 1425 if (ainfo == NULL) { 1426 crfree(cr); 1427 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1428 return; 1429 } 1430 1431 uid = crgetuid(cr); 1432 gid = crgetgid(cr); 1433 ruid = crgetruid(cr); 1434 rgid = crgetrgid(cr); 1435 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1436 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1437 1438 if (is_system_labeled()) 1439 au_uwrite(au_to_label(CR_SL(cr))); 1440 1441 crfree(cr); 1442 } 1443 else 1444 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1445 } 1446 1447 /*ARGSUSED*/ 1448 static void 1449 aus_mkdir(struct t_audit_data *tad) 1450 { 1451 klwp_t *clwp = ttolwp(curthread); 1452 uint32_t dmode; 1453 1454 struct a { 1455 long dirnamep; /* char * */ 1456 long dmode; 1457 } *uap = (struct a *)clwp->lwp_ap; 1458 1459 dmode = (uint32_t)uap->dmode; 1460 1461 au_uwrite(au_to_arg32(2, "mode", dmode)); 1462 } 1463 1464 /*ARGSUSED*/ 1465 static void 1466 aus_mknod(struct t_audit_data *tad) 1467 { 1468 klwp_t *clwp = ttolwp(curthread); 1469 uint32_t fmode; 1470 dev_t dev; 1471 1472 struct a { 1473 long pnamep; /* char * */ 1474 long fmode; 1475 long dev; 1476 } *uap = (struct a *)clwp->lwp_ap; 1477 1478 fmode = (uint32_t)uap->fmode; 1479 dev = (dev_t)uap->dev; 1480 1481 au_uwrite(au_to_arg32(2, "mode", fmode)); 1482 #ifdef _LP64 1483 au_uwrite(au_to_arg64(3, "dev", dev)); 1484 #else 1485 au_uwrite(au_to_arg32(3, "dev", dev)); 1486 #endif 1487 } 1488 1489 /*ARGSUSED*/ 1490 static void 1491 aus_xmknod(struct t_audit_data *tad) 1492 { 1493 klwp_t *clwp = ttolwp(curthread); 1494 uint32_t fmode; 1495 dev_t dev; 1496 1497 struct a { 1498 long version; /* version */ 1499 long pnamep; /* char * */ 1500 long fmode; 1501 long dev; 1502 } *uap = (struct a *)clwp->lwp_ap; 1503 1504 fmode = (uint32_t)uap->fmode; 1505 dev = (dev_t)uap->dev; 1506 1507 au_uwrite(au_to_arg32(2, "mode", fmode)); 1508 #ifdef _LP64 1509 au_uwrite(au_to_arg64(3, "dev", dev)); 1510 #else 1511 au_uwrite(au_to_arg32(3, "dev", dev)); 1512 #endif 1513 } 1514 1515 /*ARGSUSED*/ 1516 static void 1517 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1518 { 1519 klwp_t *clwp = ttolwp(curthread); 1520 vnode_t *dvp; 1521 caddr_t pnamep; 1522 1523 struct a { 1524 long pnamep; /* char * */ 1525 long fmode; 1526 long dev; 1527 } *uap = (struct a *)clwp->lwp_ap; 1528 1529 /* no error, then already path token in audit record */ 1530 if (error != EPERM) 1531 return; 1532 1533 /* not auditing this event, nothing then to do */ 1534 if (tad->tad_flag == 0) 1535 return; 1536 1537 /* do the lookup to force generation of path token */ 1538 pnamep = (caddr_t)uap->pnamep; 1539 tad->tad_ctrl |= PAD_NOATTRB; 1540 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1541 if (error == 0) 1542 VN_RELE(dvp); 1543 } 1544 1545 /*ARGSUSED*/ 1546 static void 1547 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1548 { 1549 klwp_t *clwp = ttolwp(curthread); 1550 vnode_t *dvp; 1551 caddr_t pnamep; 1552 1553 struct a { 1554 long version; /* version */ 1555 long pnamep; /* char * */ 1556 long fmode; 1557 long dev; 1558 } *uap = (struct a *)clwp->lwp_arg; 1559 1560 1561 /* no error, then already path token in audit record */ 1562 if (error != EPERM) 1563 return; 1564 1565 /* not auditing this event, nothing then to do */ 1566 if (tad->tad_flag == 0) 1567 return; 1568 1569 /* do the lookup to force generation of path token */ 1570 pnamep = (caddr_t)uap->pnamep; 1571 tad->tad_ctrl |= PAD_NOATTRB; 1572 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1573 if (error == 0) 1574 VN_RELE(dvp); 1575 } 1576 1577 /*ARGSUSED*/ 1578 static void 1579 aus_mount(struct t_audit_data *tad) 1580 { /* AUS_START */ 1581 klwp_t *clwp = ttolwp(curthread); 1582 uint32_t flags; 1583 uintptr_t u_fstype, dataptr; 1584 STRUCT_DECL(nfs_args, nfsargs); 1585 size_t len; 1586 char *fstype, *hostname; 1587 1588 struct a { 1589 long spec; /* char * */ 1590 long dir; /* char * */ 1591 long flags; 1592 long fstype; /* char * */ 1593 long dataptr; /* char * */ 1594 long datalen; 1595 } *uap = (struct a *)clwp->lwp_ap; 1596 1597 u_fstype = (uintptr_t)uap->fstype; 1598 flags = (uint32_t)uap->flags; 1599 dataptr = (uintptr_t)uap->dataptr; 1600 1601 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1602 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1603 goto mount_free_fstype; 1604 1605 au_uwrite(au_to_arg32(3, "flags", flags)); 1606 au_uwrite(au_to_text(fstype)); 1607 1608 if (strncmp(fstype, "nfs", 3) == 0) { 1609 1610 STRUCT_INIT(nfsargs, get_udatamodel()); 1611 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1612 1613 if (copyin((caddr_t)dataptr, 1614 STRUCT_BUF(nfsargs), 1615 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1616 /* DEBUG debug_enter((char *)NULL); */ 1617 goto mount_free_fstype; 1618 } 1619 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1620 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1621 (caddr_t)hostname, 1622 MAXNAMELEN, &len)) { 1623 goto mount_free_hostname; 1624 } 1625 au_uwrite(au_to_text(hostname)); 1626 au_uwrite(au_to_arg32(3, "internal flags", 1627 (uint_t)STRUCT_FGET(nfsargs, flags))); 1628 1629 mount_free_hostname: 1630 kmem_free(hostname, MAXNAMELEN); 1631 } 1632 1633 mount_free_fstype: 1634 kmem_free(fstype, MAXNAMELEN); 1635 } /* AUS_MOUNT */ 1636 1637 static void 1638 aus_umount_path(caddr_t umount_dir) 1639 { 1640 char *dir_path; 1641 struct audit_path *path; 1642 size_t path_len, dir_len; 1643 1644 /* length alloc'd for two string pointers */ 1645 path_len = sizeof (struct audit_path) + sizeof (char *); 1646 path = kmem_alloc(path_len, KM_SLEEP); 1647 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1648 1649 if (copyinstr(umount_dir, (caddr_t)dir_path, 1650 MAXPATHLEN, &dir_len)) 1651 goto umount2_free_dir; 1652 1653 /* 1654 * the audit_path struct assumes that the buffer pointed to 1655 * by audp_sect[n] contains string 0 immediatedly followed 1656 * by string 1. 1657 */ 1658 path->audp_sect[0] = dir_path; 1659 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1660 path->audp_size = path_len; 1661 path->audp_ref = 1; /* not used */ 1662 path->audp_cnt = 1; /* one path string */ 1663 1664 au_uwrite(au_to_path(path)); 1665 1666 umount2_free_dir: 1667 kmem_free(dir_path, MAXPATHLEN); 1668 kmem_free(path, path_len); 1669 } 1670 1671 /* 1672 * the umount syscall is implemented as a call to umount2, but the args 1673 * are different... 1674 */ 1675 1676 /*ARGSUSED*/ 1677 static void 1678 aus_umount(struct t_audit_data *tad) 1679 { 1680 klwp_t *clwp = ttolwp(curthread); 1681 struct a { 1682 long dir; /* char * */ 1683 } *uap = (struct a *)clwp->lwp_ap; 1684 1685 aus_umount_path((caddr_t)uap->dir); 1686 } 1687 1688 /*ARGSUSED*/ 1689 static void 1690 aus_umount2(struct t_audit_data *tad) 1691 { 1692 klwp_t *clwp = ttolwp(curthread); 1693 struct a { 1694 long dir; /* char * */ 1695 long flags; 1696 } *uap = (struct a *)clwp->lwp_ap; 1697 1698 aus_umount_path((caddr_t)uap->dir); 1699 1700 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1701 } 1702 1703 static void 1704 aus_msgsys(struct t_audit_data *tad) 1705 { 1706 klwp_t *clwp = ttolwp(curthread); 1707 uint32_t msgid; 1708 1709 struct b { 1710 long msgid; 1711 long cmd; 1712 long buf; /* struct msqid_ds * */ 1713 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1714 1715 msgid = (uint32_t)uap1->msgid; 1716 1717 1718 switch (tad->tad_event) { 1719 case AUE_MSGGET: /* msgget */ 1720 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1721 break; 1722 case AUE_MSGCTL: /* msgctl */ 1723 case AUE_MSGCTL_RMID: /* msgctl */ 1724 case AUE_MSGCTL_STAT: /* msgctl */ 1725 case AUE_MSGRCV: /* msgrcv */ 1726 case AUE_MSGSND: /* msgsnd */ 1727 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1728 break; 1729 case AUE_MSGCTL_SET: /* msgctl */ 1730 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1731 break; 1732 } 1733 } 1734 1735 /*ARGSUSED*/ 1736 static void 1737 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1738 { 1739 int id; 1740 1741 if (error != 0) 1742 return; 1743 if (tad->tad_event == AUE_MSGGET) { 1744 uint32_t scid; 1745 uint32_t sy_flags; 1746 1747 /* need to determine type of executing binary */ 1748 scid = tad->tad_scid; 1749 #ifdef _SYSCALL32_IMPL 1750 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1751 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1752 else 1753 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1754 #else 1755 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1756 #endif 1757 if (sy_flags == SE_32RVAL1) 1758 id = rval->r_val1; 1759 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1760 id = rval->r_val1; 1761 if (sy_flags == SE_64RVAL) 1762 id = (int)rval->r_vals; 1763 1764 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1765 } 1766 } 1767 1768 static void 1769 aus_semsys(struct t_audit_data *tad) 1770 { 1771 klwp_t *clwp = ttolwp(curthread); 1772 uint32_t semid; 1773 1774 struct b { /* ctrl */ 1775 long semid; 1776 long semnum; 1777 long cmd; 1778 long arg; 1779 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1780 1781 semid = (uint32_t)uap1->semid; 1782 1783 switch (tad->tad_event) { 1784 case AUE_SEMCTL_RMID: 1785 case AUE_SEMCTL_STAT: 1786 case AUE_SEMCTL_GETNCNT: 1787 case AUE_SEMCTL_GETPID: 1788 case AUE_SEMCTL_GETVAL: 1789 case AUE_SEMCTL_GETALL: 1790 case AUE_SEMCTL_GETZCNT: 1791 case AUE_SEMCTL_SETVAL: 1792 case AUE_SEMCTL_SETALL: 1793 case AUE_SEMCTL: 1794 case AUE_SEMOP: 1795 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1796 break; 1797 case AUE_SEMCTL_SET: 1798 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1799 break; 1800 case AUE_SEMGET: 1801 au_uwrite(au_to_arg32(1, "sem key", semid)); 1802 break; 1803 } 1804 } 1805 1806 /*ARGSUSED*/ 1807 static void 1808 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1809 { 1810 int id; 1811 1812 if (error != 0) 1813 return; 1814 if (tad->tad_event == AUE_SEMGET) { 1815 uint32_t scid; 1816 uint32_t sy_flags; 1817 1818 /* need to determine type of executing binary */ 1819 scid = tad->tad_scid; 1820 #ifdef _SYSCALL32_IMPL 1821 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1822 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1823 else 1824 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1825 #else 1826 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1827 #endif 1828 if (sy_flags == SE_32RVAL1) 1829 id = rval->r_val1; 1830 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1831 id = rval->r_val1; 1832 if (sy_flags == SE_64RVAL) 1833 id = (int)rval->r_vals; 1834 1835 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1836 } 1837 } 1838 1839 /*ARGSUSED*/ 1840 static void 1841 aus_close(struct t_audit_data *tad) 1842 { 1843 klwp_t *clwp = ttolwp(curthread); 1844 uint32_t fd; 1845 struct file *fp; 1846 struct f_audit_data *fad; 1847 struct vnode *vp; 1848 struct vattr attr; 1849 au_kcontext_t *kctx = GET_KCTX_PZ; 1850 1851 struct a { 1852 long i; 1853 } *uap = (struct a *)clwp->lwp_ap; 1854 1855 fd = (uint32_t)uap->i; 1856 1857 attr.va_mask = 0; 1858 au_uwrite(au_to_arg32(1, "fd", fd)); 1859 1860 /* 1861 * convert file pointer to file descriptor 1862 * Note: fd ref count incremented here. 1863 */ 1864 if ((fp = getf(fd)) == NULL) 1865 return; 1866 1867 fad = F2A(fp); 1868 tad->tad_evmod = (short)fad->fad_flags; 1869 if (fad->fad_aupath != NULL) { 1870 au_uwrite(au_to_path(fad->fad_aupath)); 1871 if ((vp = fp->f_vnode) != NULL) { 1872 attr.va_mask = AT_ALL; 1873 if (VOP_GETATTR(vp, &attr, 0, CRED()) == 0) { 1874 /* 1875 * When write was not used and the file can be 1876 * considered public, skip the audit. 1877 */ 1878 if (((fp->f_flag & FWRITE) == 0) && 1879 file_is_public(&attr)) { 1880 tad->tad_flag = 0; 1881 tad->tad_evmod = 0; 1882 /* free any residual audit data */ 1883 au_close(kctx, &(u_ad), 0, 0, 0); 1884 releasef(fd); 1885 return; 1886 } 1887 au_uwrite(au_to_attr(&attr)); 1888 audit_sec_attributes(&(u_ad), vp); 1889 } 1890 } 1891 } 1892 1893 /* decrement file descriptor reference count */ 1894 releasef(fd); 1895 } 1896 1897 /*ARGSUSED*/ 1898 static void 1899 aus_fstatfs(struct t_audit_data *tad) 1900 { 1901 klwp_t *clwp = ttolwp(curthread); 1902 uint32_t fd; 1903 struct file *fp; 1904 struct vnode *vp; 1905 struct f_audit_data *fad; 1906 1907 struct a { 1908 long fd; 1909 long buf; /* struct statfs * */ 1910 } *uap = (struct a *)clwp->lwp_ap; 1911 1912 fd = (uint_t)uap->fd; 1913 1914 /* 1915 * convert file pointer to file descriptor 1916 * Note: fd ref count incremented here. 1917 */ 1918 if ((fp = getf(fd)) == NULL) 1919 return; 1920 1921 /* get path from file struct here */ 1922 fad = F2A(fp); 1923 if (fad->fad_aupath != NULL) { 1924 au_uwrite(au_to_path(fad->fad_aupath)); 1925 } else { 1926 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1927 } 1928 1929 vp = fp->f_vnode; 1930 audit_attributes(vp); 1931 1932 /* decrement file descriptor reference count */ 1933 releasef(fd); 1934 } 1935 1936 #ifdef NOTYET 1937 /*ARGSUSED*/ 1938 static void 1939 aus_setpgrp(struct t_audit_data *tad) 1940 { 1941 klwp_t *clwp = ttolwp(curthread); 1942 uint32_t pgrp; 1943 struct proc *p; 1944 uid_t uid, ruid; 1945 gid_t gid, rgid; 1946 pid_t pid; 1947 const auditinfo_addr_t *ainfo; 1948 cred_t *cr; 1949 1950 struct a { 1951 long pid; 1952 long pgrp; 1953 } *uap = (struct a *)clwp->lwp_ap; 1954 1955 pid = (pid_t)uap->pid; 1956 pgrp = (uint32_t)uap->pgrp; 1957 1958 /* current process? */ 1959 if (pid == 0) 1960 (return); 1961 1962 mutex_enter(&pidlock); 1963 p = prfind(pid); 1964 if (p == NULL || p->p_as == &kas) { 1965 mutex_exit(&pidlock); 1966 return; 1967 } 1968 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1969 mutex_exit(&pidlock); 1970 1971 mutex_enter(&p->p_crlock); 1972 crhold(cr = p->p_cred); 1973 mutex_exit(&p->p_crlock); 1974 mutex_exit(&p->p_lock); 1975 1976 ainfo = crgetauinfo(cr); 1977 if (ainfo == NULL) { 1978 crfree(cr); 1979 return; 1980 } 1981 1982 uid = crgetuid(cr); 1983 gid = crgetgid(cr); 1984 ruid = crgetruid(cr); 1985 rgid = crgetrgid(cr); 1986 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1987 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1988 crfree(cr); 1989 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1990 } 1991 #endif 1992 1993 /*ARGSUSED*/ 1994 static void 1995 aus_setregid(struct t_audit_data *tad) 1996 { 1997 klwp_t *clwp = ttolwp(curthread); 1998 uint32_t rgid, egid; 1999 2000 struct a { 2001 long rgid; 2002 long egid; 2003 } *uap = (struct a *)clwp->lwp_ap; 2004 2005 rgid = (uint32_t)uap->rgid; 2006 egid = (uint32_t)uap->egid; 2007 2008 au_uwrite(au_to_arg32(1, "rgid", rgid)); 2009 au_uwrite(au_to_arg32(2, "egid", egid)); 2010 } 2011 2012 /*ARGSUSED*/ 2013 static void 2014 aus_setgid(struct t_audit_data *tad) 2015 { 2016 klwp_t *clwp = ttolwp(curthread); 2017 uint32_t gid; 2018 2019 struct a { 2020 long gid; 2021 } *uap = (struct a *)clwp->lwp_ap; 2022 2023 gid = (uint32_t)uap->gid; 2024 2025 au_uwrite(au_to_arg32(1, "gid", gid)); 2026 } 2027 2028 2029 /*ARGSUSED*/ 2030 static void 2031 aus_setreuid(struct t_audit_data *tad) 2032 { 2033 klwp_t *clwp = ttolwp(curthread); 2034 uint32_t ruid, euid; 2035 2036 struct a { 2037 long ruid; 2038 long euid; 2039 } *uap = (struct a *)clwp->lwp_ap; 2040 2041 ruid = (uint32_t)uap->ruid; 2042 euid = (uint32_t)uap->euid; 2043 2044 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2045 au_uwrite(au_to_arg32(2, "euid", euid)); 2046 } 2047 2048 2049 /*ARGSUSED*/ 2050 static void 2051 aus_setuid(struct t_audit_data *tad) 2052 { 2053 klwp_t *clwp = ttolwp(curthread); 2054 uint32_t uid; 2055 2056 struct a { 2057 long uid; 2058 } *uap = (struct a *)clwp->lwp_ap; 2059 2060 uid = (uint32_t)uap->uid; 2061 2062 au_uwrite(au_to_arg32(1, "uid", uid)); 2063 } 2064 2065 /*ARGSUSED*/ 2066 static void 2067 aus_shmsys(struct t_audit_data *tad) 2068 { 2069 klwp_t *clwp = ttolwp(curthread); 2070 uint32_t id, cmd; 2071 2072 struct b { 2073 long id; 2074 long cmd; 2075 long buf; /* struct shmid_ds * */ 2076 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2077 2078 id = (uint32_t)uap1->id; 2079 cmd = (uint32_t)uap1->cmd; 2080 2081 switch (tad->tad_event) { 2082 case AUE_SHMGET: /* shmget */ 2083 au_uwrite(au_to_arg32(1, "shm key", id)); 2084 break; 2085 case AUE_SHMCTL: /* shmctl */ 2086 case AUE_SHMCTL_RMID: /* shmctl */ 2087 case AUE_SHMCTL_STAT: /* shmctl */ 2088 case AUE_SHMCTL_SET: /* shmctl */ 2089 au_uwrite(au_to_arg32(1, "shm ID", id)); 2090 break; 2091 case AUE_SHMDT: /* shmdt */ 2092 au_uwrite(au_to_arg32(1, "shm adr", id)); 2093 break; 2094 case AUE_SHMAT: /* shmat */ 2095 au_uwrite(au_to_arg32(1, "shm ID", id)); 2096 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2097 break; 2098 } 2099 } 2100 2101 /*ARGSUSED*/ 2102 static void 2103 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2104 { 2105 int id; 2106 2107 if (error != 0) 2108 return; 2109 if (tad->tad_event == AUE_SHMGET) { 2110 uint32_t scid; 2111 uint32_t sy_flags; 2112 2113 /* need to determine type of executing binary */ 2114 scid = tad->tad_scid; 2115 #ifdef _SYSCALL32_IMPL 2116 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2117 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2118 else 2119 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2120 #else 2121 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2122 #endif 2123 if (sy_flags == SE_32RVAL1) 2124 id = rval->r_val1; 2125 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2126 id = rval->r_val1; 2127 if (sy_flags == SE_64RVAL) 2128 id = (int)rval->r_vals; 2129 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2130 } 2131 } 2132 2133 2134 /*ARGSUSED*/ 2135 static void 2136 aus_ioctl(struct t_audit_data *tad) 2137 { 2138 klwp_t *clwp = ttolwp(curthread); 2139 struct file *fp; 2140 struct vnode *vp; 2141 struct f_audit_data *fad; 2142 uint32_t fd, cmd; 2143 uintptr_t cmarg; 2144 2145 /* XX64 */ 2146 struct a { 2147 long fd; 2148 long cmd; 2149 long cmarg; /* caddr_t */ 2150 } *uap = (struct a *)clwp->lwp_ap; 2151 2152 fd = (uint32_t)uap->fd; 2153 cmd = (uint32_t)uap->cmd; 2154 cmarg = (uintptr_t)uap->cmarg; 2155 2156 /* 2157 * convert file pointer to file descriptor 2158 * Note: fd ref count incremented here. 2159 */ 2160 if ((fp = getf(fd)) == NULL) { 2161 au_uwrite(au_to_arg32(1, "fd", fd)); 2162 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2163 #ifndef _LP64 2164 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2165 #else 2166 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2167 #endif 2168 return; 2169 } 2170 2171 /* get path from file struct here */ 2172 fad = F2A(fp); 2173 if (fad->fad_aupath != NULL) { 2174 au_uwrite(au_to_path(fad->fad_aupath)); 2175 } else { 2176 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2177 } 2178 2179 vp = fp->f_vnode; 2180 audit_attributes(vp); 2181 2182 /* decrement file descriptor reference count */ 2183 releasef(fd); 2184 2185 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2186 #ifndef _LP64 2187 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2188 #else 2189 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2190 #endif 2191 } 2192 2193 /* 2194 * null function for memcntl for now. We might want to limit memcntl() 2195 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2196 * require privileges. 2197 */ 2198 static au_event_t 2199 aui_memcntl(au_event_t e) 2200 { 2201 return (e); 2202 } 2203 2204 /*ARGSUSED*/ 2205 static au_event_t 2206 aui_privsys(au_event_t e) 2207 { 2208 klwp_t *clwp = ttolwp(curthread); 2209 2210 struct a { 2211 long opcode; 2212 } *uap = (struct a *)clwp->lwp_ap; 2213 2214 switch (uap->opcode) { 2215 case PRIVSYS_SETPPRIV: 2216 return (AUE_SETPPRIV); 2217 default: 2218 return (AUE_NULL); 2219 } 2220 } 2221 2222 /*ARGSUSED*/ 2223 static void 2224 aus_memcntl(struct t_audit_data *tad) 2225 { 2226 klwp_t *clwp = ttolwp(curthread); 2227 2228 struct a { 2229 long addr; 2230 long len; 2231 long cmd; 2232 long arg; 2233 long attr; 2234 long mask; 2235 } *uap = (struct a *)clwp->lwp_ap; 2236 2237 #ifdef _LP64 2238 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2239 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2240 #else 2241 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2242 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2243 #endif 2244 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2245 #ifdef _LP64 2246 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2247 #else 2248 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2249 #endif 2250 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2251 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2252 } 2253 2254 /*ARGSUSED*/ 2255 static void 2256 aus_mmap(struct t_audit_data *tad) 2257 { 2258 klwp_t *clwp = ttolwp(curthread); 2259 struct file *fp; 2260 struct f_audit_data *fad; 2261 struct vnode *vp; 2262 uint32_t fd; 2263 2264 struct a { 2265 long addr; 2266 long len; 2267 long prot; 2268 long flags; 2269 long fd; 2270 long pos; 2271 } *uap = (struct a *)clwp->lwp_ap; 2272 2273 fd = (uint32_t)uap->fd; 2274 2275 #ifdef _LP64 2276 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2277 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2278 #else 2279 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2280 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2281 #endif 2282 2283 if ((fp = getf(fd)) == NULL) { 2284 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2285 return; 2286 } 2287 2288 /* 2289 * Mark in the tad if write access is NOT requested... if 2290 * this is later detected (in audit_attributes) to be a 2291 * public object, the mmap event may be discarded. 2292 */ 2293 if (((uap->prot) & PROT_WRITE) == 0) { 2294 tad->tad_ctrl |= PAD_PUBLIC_EV; 2295 } 2296 2297 fad = F2A(fp); 2298 if (fad->fad_aupath != NULL) { 2299 au_uwrite(au_to_path(fad->fad_aupath)); 2300 } else { 2301 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2302 } 2303 2304 vp = (struct vnode *)fp->f_vnode; 2305 audit_attributes(vp); 2306 2307 /* mark READ/WRITE since we can't predict access */ 2308 if (uap->prot & PROT_READ) 2309 fad->fad_flags |= FAD_READ; 2310 if (uap->prot & PROT_WRITE) 2311 fad->fad_flags |= FAD_WRITE; 2312 2313 /* decrement file descriptor reference count */ 2314 releasef(fd); 2315 2316 } /* AUS_MMAP */ 2317 2318 2319 2320 2321 /*ARGSUSED*/ 2322 static void 2323 aus_munmap(struct t_audit_data *tad) 2324 { 2325 klwp_t *clwp = ttolwp(curthread); 2326 2327 struct a { 2328 long addr; 2329 long len; 2330 } *uap = (struct a *)clwp->lwp_ap; 2331 2332 #ifdef _LP64 2333 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2334 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2335 #else 2336 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2337 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2338 #endif 2339 2340 } /* AUS_MUNMAP */ 2341 2342 2343 2344 2345 2346 2347 2348 /*ARGSUSED*/ 2349 static void 2350 aus_priocntlsys(struct t_audit_data *tad) 2351 { 2352 klwp_t *clwp = ttolwp(curthread); 2353 2354 struct a { 2355 long pc_version; 2356 long psp; /* procset_t */ 2357 long cmd; 2358 long arg; 2359 } *uap = (struct a *)clwp->lwp_ap; 2360 2361 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2362 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2363 2364 } /* AUS_PRIOCNTLSYS */ 2365 2366 2367 /*ARGSUSED*/ 2368 static void 2369 aus_setegid(struct t_audit_data *tad) 2370 { 2371 klwp_t *clwp = ttolwp(curthread); 2372 uint32_t gid; 2373 2374 struct a { 2375 long gid; 2376 } *uap = (struct a *)clwp->lwp_ap; 2377 2378 gid = (uint32_t)uap->gid; 2379 2380 au_uwrite(au_to_arg32(1, "gid", gid)); 2381 } /* AUS_SETEGID */ 2382 2383 2384 2385 2386 /*ARGSUSED*/ 2387 static void 2388 aus_setgroups(struct t_audit_data *tad) 2389 { 2390 klwp_t *clwp = ttolwp(curthread); 2391 int i; 2392 int gidsetsize; 2393 uintptr_t gidset; 2394 gid_t *gidlist; 2395 2396 struct a { 2397 long gidsetsize; 2398 long gidset; 2399 } *uap = (struct a *)clwp->lwp_ap; 2400 2401 gidsetsize = (uint_t)uap->gidsetsize; 2402 gidset = (uintptr_t)uap->gidset; 2403 2404 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2405 return; 2406 if (gidsetsize != 0) { 2407 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2408 KM_SLEEP); 2409 if (copyin((caddr_t)gidset, gidlist, 2410 gidsetsize * sizeof (gid_t)) == 0) 2411 for (i = 0; i < gidsetsize; i++) 2412 au_uwrite(au_to_arg32(1, "setgroups", 2413 (uint32_t)gidlist[i])); 2414 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2415 } else 2416 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2417 2418 } /* AUS_SETGROUPS */ 2419 2420 2421 2422 2423 2424 /*ARGSUSED*/ 2425 static void 2426 aus_seteuid(struct t_audit_data *tad) 2427 { 2428 klwp_t *clwp = ttolwp(curthread); 2429 uint32_t uid; 2430 2431 struct a { 2432 long uid; 2433 } *uap = (struct a *)clwp->lwp_ap; 2434 2435 uid = (uint32_t)uap->uid; 2436 2437 au_uwrite(au_to_arg32(1, "euid", uid)); 2438 2439 } /* AUS_SETEUID */ 2440 2441 /*ARGSUSED*/ 2442 static void 2443 aus_putmsg(struct t_audit_data *tad) 2444 { 2445 klwp_t *clwp = ttolwp(curthread); 2446 uint32_t fd, pri; 2447 struct file *fp; 2448 struct f_audit_data *fad; 2449 2450 struct a { 2451 long fdes; 2452 long ctl; /* struct strbuf * */ 2453 long data; /* struct strbuf * */ 2454 long pri; 2455 } *uap = (struct a *)clwp->lwp_ap; 2456 2457 fd = (uint32_t)uap->fdes; 2458 pri = (uint32_t)uap->pri; 2459 2460 au_uwrite(au_to_arg32(1, "fd", fd)); 2461 2462 if ((fp = getf(fd)) != NULL) { 2463 fad = F2A(fp); 2464 2465 fad->fad_flags |= FAD_WRITE; 2466 2467 /* add path name to audit record */ 2468 if (fad->fad_aupath != NULL) { 2469 au_uwrite(au_to_path(fad->fad_aupath)); 2470 } 2471 audit_attributes(fp->f_vnode); 2472 2473 releasef(fd); 2474 } 2475 2476 au_uwrite(au_to_arg32(4, "pri", pri)); 2477 } 2478 2479 /*ARGSUSED*/ 2480 static void 2481 aus_putpmsg(struct t_audit_data *tad) 2482 { 2483 klwp_t *clwp = ttolwp(curthread); 2484 uint32_t fd, pri, flags; 2485 struct file *fp; 2486 struct f_audit_data *fad; 2487 2488 struct a { 2489 long fdes; 2490 long ctl; /* struct strbuf * */ 2491 long data; /* struct strbuf * */ 2492 long pri; 2493 long flags; 2494 } *uap = (struct a *)clwp->lwp_ap; 2495 2496 fd = (uint32_t)uap->fdes; 2497 pri = (uint32_t)uap->pri; 2498 flags = (uint32_t)uap->flags; 2499 2500 au_uwrite(au_to_arg32(1, "fd", fd)); 2501 2502 if ((fp = getf(fd)) != NULL) { 2503 fad = F2A(fp); 2504 2505 fad->fad_flags |= FAD_WRITE; 2506 2507 /* add path name to audit record */ 2508 if (fad->fad_aupath != NULL) { 2509 au_uwrite(au_to_path(fad->fad_aupath)); 2510 } 2511 audit_attributes(fp->f_vnode); 2512 2513 releasef(fd); 2514 } 2515 2516 2517 au_uwrite(au_to_arg32(4, "pri", pri)); 2518 au_uwrite(au_to_arg32(5, "flags", flags)); 2519 } 2520 2521 /*ARGSUSED*/ 2522 static void 2523 aus_getmsg(struct t_audit_data *tad) 2524 { 2525 klwp_t *clwp = ttolwp(curthread); 2526 uint32_t fd, pri; 2527 struct file *fp; 2528 struct f_audit_data *fad; 2529 2530 struct a { 2531 long fdes; 2532 long ctl; /* struct strbuf * */ 2533 long data; /* struct strbuf * */ 2534 long pri; 2535 } *uap = (struct a *)clwp->lwp_ap; 2536 2537 fd = (uint32_t)uap->fdes; 2538 pri = (uint32_t)uap->pri; 2539 2540 au_uwrite(au_to_arg32(1, "fd", fd)); 2541 2542 if ((fp = getf(fd)) != NULL) { 2543 fad = F2A(fp); 2544 2545 /* 2546 * read operation on this object 2547 */ 2548 fad->fad_flags |= FAD_READ; 2549 2550 /* add path name to audit record */ 2551 if (fad->fad_aupath != NULL) { 2552 au_uwrite(au_to_path(fad->fad_aupath)); 2553 } 2554 audit_attributes(fp->f_vnode); 2555 2556 releasef(fd); 2557 } 2558 2559 au_uwrite(au_to_arg32(4, "pri", pri)); 2560 } 2561 2562 /*ARGSUSED*/ 2563 static void 2564 aus_getpmsg(struct t_audit_data *tad) 2565 { 2566 klwp_t *clwp = ttolwp(curthread); 2567 uint32_t fd; 2568 struct file *fp; 2569 struct f_audit_data *fad; 2570 2571 struct a { 2572 long fdes; 2573 long ctl; /* struct strbuf * */ 2574 long data; /* struct strbuf * */ 2575 long pri; 2576 long flags; 2577 } *uap = (struct a *)clwp->lwp_ap; 2578 2579 fd = (uint32_t)uap->fdes; 2580 2581 au_uwrite(au_to_arg32(1, "fd", fd)); 2582 2583 if ((fp = getf(fd)) != NULL) { 2584 fad = F2A(fp); 2585 2586 /* 2587 * read operation on this object 2588 */ 2589 fad->fad_flags |= FAD_READ; 2590 2591 /* add path name to audit record */ 2592 if (fad->fad_aupath != NULL) { 2593 au_uwrite(au_to_path(fad->fad_aupath)); 2594 } 2595 audit_attributes(fp->f_vnode); 2596 2597 releasef(fd); 2598 } 2599 } 2600 2601 static au_event_t 2602 aui_auditsys(au_event_t e) 2603 { 2604 klwp_t *clwp = ttolwp(curthread); 2605 uint32_t code; 2606 2607 struct a { 2608 long code; 2609 long a1; 2610 long a2; 2611 long a3; 2612 long a4; 2613 long a5; 2614 long a6; 2615 long a7; 2616 } *uap = (struct a *)clwp->lwp_ap; 2617 2618 code = (uint32_t)uap->code; 2619 2620 switch (code) { 2621 2622 case BSM_GETAUID: 2623 e = AUE_GETAUID; 2624 break; 2625 case BSM_SETAUID: 2626 e = AUE_SETAUID; 2627 break; 2628 case BSM_GETAUDIT: 2629 e = AUE_GETAUDIT; 2630 break; 2631 case BSM_GETAUDIT_ADDR: 2632 e = AUE_GETAUDIT_ADDR; 2633 break; 2634 case BSM_SETAUDIT: 2635 e = AUE_SETAUDIT; 2636 break; 2637 case BSM_SETAUDIT_ADDR: 2638 e = AUE_SETAUDIT_ADDR; 2639 break; 2640 case BSM_AUDIT: 2641 e = AUE_AUDIT; 2642 break; 2643 case BSM_AUDITSVC: 2644 e = AUE_AUDITSVC; 2645 break; 2646 case BSM_GETPORTAUDIT: 2647 e = AUE_GETPORTAUDIT; 2648 break; 2649 case BSM_AUDITON: 2650 case BSM_AUDITCTL: 2651 2652 switch ((uint_t)uap->a1) { 2653 2654 case A_GETPOLICY: 2655 e = AUE_AUDITON_GPOLICY; 2656 break; 2657 case A_SETPOLICY: 2658 e = AUE_AUDITON_SPOLICY; 2659 break; 2660 case A_GETKMASK: 2661 e = AUE_AUDITON_GETKMASK; 2662 break; 2663 case A_SETKMASK: 2664 e = AUE_AUDITON_SETKMASK; 2665 break; 2666 case A_GETQCTRL: 2667 e = AUE_AUDITON_GQCTRL; 2668 break; 2669 case A_SETQCTRL: 2670 e = AUE_AUDITON_SQCTRL; 2671 break; 2672 case A_GETCWD: 2673 e = AUE_AUDITON_GETCWD; 2674 break; 2675 case A_GETCAR: 2676 e = AUE_AUDITON_GETCAR; 2677 break; 2678 case A_GETSTAT: 2679 e = AUE_AUDITON_GETSTAT; 2680 break; 2681 case A_SETSTAT: 2682 e = AUE_AUDITON_SETSTAT; 2683 break; 2684 case A_SETUMASK: 2685 e = AUE_AUDITON_SETUMASK; 2686 break; 2687 case A_SETSMASK: 2688 e = AUE_AUDITON_SETSMASK; 2689 break; 2690 case A_GETCOND: 2691 e = AUE_AUDITON_GETCOND; 2692 break; 2693 case A_SETCOND: 2694 e = AUE_AUDITON_SETCOND; 2695 break; 2696 case A_GETCLASS: 2697 e = AUE_AUDITON_GETCLASS; 2698 break; 2699 case A_SETCLASS: 2700 e = AUE_AUDITON_SETCLASS; 2701 break; 2702 default: 2703 e = AUE_NULL; 2704 break; 2705 } 2706 break; 2707 default: 2708 e = AUE_NULL; 2709 break; 2710 } 2711 2712 return (e); 2713 2714 2715 2716 2717 } /* AUI_AUDITSYS */ 2718 2719 2720 2721 2722 2723 2724 2725 static void 2726 aus_auditsys(struct t_audit_data *tad) 2727 { 2728 klwp_t *clwp = ttolwp(curthread); 2729 uintptr_t a1, a2; 2730 struct file *fp; 2731 struct f_audit_data *fad; 2732 struct vnode *vp; 2733 STRUCT_DECL(auditinfo, ainfo); 2734 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2735 au_evclass_map_t event; 2736 au_mask_t mask; 2737 int auditstate, policy; 2738 au_id_t auid; 2739 2740 2741 struct a { 2742 long code; 2743 long a1; 2744 long a2; 2745 long a3; 2746 long a4; 2747 long a5; 2748 long a6; 2749 long a7; 2750 } *uap = (struct a *)clwp->lwp_ap; 2751 2752 a1 = (uintptr_t)uap->a1; 2753 a2 = (uintptr_t)uap->a2; 2754 2755 switch (tad->tad_event) { 2756 case AUE_SETAUID: 2757 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2758 return; 2759 au_uwrite(au_to_arg32(2, "setauid", auid)); 2760 break; 2761 case AUE_SETAUDIT: 2762 STRUCT_INIT(ainfo, get_udatamodel()); 2763 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2764 STRUCT_SIZE(ainfo))) { 2765 return; 2766 } 2767 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2768 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2769 #ifdef _LP64 2770 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2771 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2772 #else 2773 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2774 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2775 #endif 2776 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2777 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2778 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2779 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2780 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2781 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2782 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2783 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2784 break; 2785 case AUE_SETAUDIT_ADDR: 2786 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2787 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2788 STRUCT_SIZE(ainfo_addr))) { 2789 return; 2790 } 2791 au_uwrite(au_to_arg32((char)1, "auid", 2792 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2793 #ifdef _LP64 2794 au_uwrite(au_to_arg64((char)1, "port", 2795 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2796 #else 2797 au_uwrite(au_to_arg32((char)1, "port", 2798 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2799 #endif 2800 au_uwrite(au_to_arg32((char)1, "type", 2801 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2802 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2803 AU_IPv4) { 2804 au_uwrite(au_to_in_addr( 2805 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2806 ai_termid.at_addr))); 2807 } else { 2808 au_uwrite(au_to_in_addr_ex( 2809 (int32_t *)STRUCT_FGETP(ainfo_addr, 2810 ai_termid.at_addr))); 2811 } 2812 au_uwrite(au_to_arg32((char)1, "as_success", 2813 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2814 au_uwrite(au_to_arg32((char)1, "as_failure", 2815 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2816 au_uwrite(au_to_arg32((char)1, "asid", 2817 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2818 break; 2819 case AUE_AUDITSVC: 2820 /* 2821 * convert file pointer to file descriptor 2822 * Note: fd ref count incremented here 2823 */ 2824 if ((fp = getf((uint_t)a1)) == NULL) 2825 return; 2826 fad = F2A(fp); 2827 if (fad->fad_aupath != NULL) { 2828 au_uwrite(au_to_path(fad->fad_aupath)); 2829 } else { 2830 au_uwrite(au_to_arg32(2, "no path: fd", (uint32_t)a1)); 2831 } 2832 2833 vp = fp->f_vnode; /* include vnode attributes */ 2834 audit_attributes(vp); 2835 2836 /* decrement file descriptor ref count */ 2837 releasef((uint_t)a1); 2838 2839 au_uwrite(au_to_arg32(3, "limit", (uint32_t)a2)); 2840 break; 2841 case AUE_AUDITON_SETKMASK: 2842 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2843 return; 2844 au_uwrite(au_to_arg32( 2845 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2846 au_uwrite(au_to_arg32( 2847 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2848 break; 2849 case AUE_AUDITON_SPOLICY: 2850 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2851 return; 2852 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2853 break; 2854 case AUE_AUDITON_SQCTRL: { 2855 STRUCT_DECL(au_qctrl, qctrl); 2856 model_t model; 2857 2858 model = get_udatamodel(); 2859 STRUCT_INIT(qctrl, model); 2860 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2861 return; 2862 if (model == DATAMODEL_ILP32) { 2863 au_uwrite(au_to_arg32( 2864 3, "setqctrl:aq_hiwater", 2865 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2866 au_uwrite(au_to_arg32( 2867 3, "setqctrl:aq_lowater", 2868 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2869 au_uwrite(au_to_arg32( 2870 3, "setqctrl:aq_bufsz", 2871 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2872 au_uwrite(au_to_arg32( 2873 3, "setqctrl:aq_delay", 2874 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2875 } else { 2876 au_uwrite(au_to_arg64( 2877 3, "setqctrl:aq_hiwater", 2878 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2879 au_uwrite(au_to_arg64( 2880 3, "setqctrl:aq_lowater", 2881 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2882 au_uwrite(au_to_arg64( 2883 3, "setqctrl:aq_bufsz", 2884 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2885 au_uwrite(au_to_arg64( 2886 3, "setqctrl:aq_delay", 2887 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2888 } 2889 break; 2890 } 2891 case AUE_AUDITON_SETUMASK: 2892 STRUCT_INIT(ainfo, get_udatamodel()); 2893 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2894 STRUCT_SIZE(ainfo))) { 2895 return; 2896 } 2897 au_uwrite(au_to_arg32(3, "setumask:as_success", 2898 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2899 au_uwrite(au_to_arg32(3, "setumask:as_failure", 2900 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2901 break; 2902 case AUE_AUDITON_SETSMASK: 2903 STRUCT_INIT(ainfo, get_udatamodel()); 2904 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2905 STRUCT_SIZE(ainfo))) { 2906 return; 2907 } 2908 au_uwrite(au_to_arg32(3, "setsmask:as_success", 2909 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2910 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 2911 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2912 break; 2913 case AUE_AUDITON_SETCOND: 2914 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 2915 return; 2916 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 2917 break; 2918 case AUE_AUDITON_SETCLASS: 2919 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 2920 return; 2921 au_uwrite(au_to_arg32( 2922 2, "setclass:ec_event", (uint32_t)event.ec_number)); 2923 au_uwrite(au_to_arg32( 2924 3, "setclass:ec_class", (uint32_t)event.ec_class)); 2925 break; 2926 case AUE_GETAUID: 2927 case AUE_GETAUDIT: 2928 case AUE_GETAUDIT_ADDR: 2929 case AUE_AUDIT: 2930 case AUE_GETPORTAUDIT: 2931 case AUE_AUDITON_GPOLICY: 2932 case AUE_AUDITON_GQCTRL: 2933 case AUE_AUDITON_GETKMASK: 2934 case AUE_AUDITON_GETCWD: 2935 case AUE_AUDITON_GETCAR: 2936 case AUE_AUDITON_GETSTAT: 2937 case AUE_AUDITON_SETSTAT: 2938 case AUE_AUDITON_GETCOND: 2939 case AUE_AUDITON_GETCLASS: 2940 break; 2941 default: 2942 break; 2943 } 2944 2945 } /* AUS_AUDITSYS */ 2946 2947 2948 /* only audit privileged operations for systeminfo(2) system call */ 2949 static au_event_t 2950 aui_sysinfo(au_event_t e) 2951 { 2952 klwp_t *clwp = ttolwp(curthread); 2953 uint32_t command; 2954 2955 struct a { 2956 long command; 2957 long buf; /* char * */ 2958 long count; 2959 } *uap = (struct a *)clwp->lwp_ap; 2960 2961 command = (uint32_t)uap->command; 2962 2963 switch (command) { 2964 case SI_SET_HOSTNAME: 2965 case SI_SET_SRPC_DOMAIN: 2966 e = (au_event_t)AUE_SYSINFO; 2967 break; 2968 default: 2969 e = (au_event_t)AUE_NULL; 2970 break; 2971 } 2972 return (e); 2973 } 2974 2975 /*ARGSUSED*/ 2976 static void 2977 aus_sysinfo(struct t_audit_data *tad) 2978 { 2979 klwp_t *clwp = ttolwp(curthread); 2980 uint32_t command; 2981 size_t len, maxlen; 2982 char *name; 2983 uintptr_t buf; 2984 2985 struct a { 2986 long command; 2987 long buf; /* char * */ 2988 long count; 2989 } *uap = (struct a *)clwp->lwp_ap; 2990 2991 command = (uint32_t)uap->command; 2992 buf = (uintptr_t)uap->buf; 2993 2994 au_uwrite(au_to_arg32(1, "cmd", command)); 2995 2996 switch (command) { 2997 case SI_SET_HOSTNAME: 2998 { 2999 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3000 return; 3001 3002 maxlen = SYS_NMLN; 3003 name = kmem_alloc(maxlen, KM_SLEEP); 3004 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3005 break; 3006 3007 /* 3008 * Must be non-NULL string and string 3009 * must be less than SYS_NMLN chars. 3010 */ 3011 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3012 break; 3013 3014 au_uwrite(au_to_text(name)); 3015 break; 3016 } 3017 3018 case SI_SET_SRPC_DOMAIN: 3019 { 3020 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3021 return; 3022 3023 maxlen = SYS_NMLN; 3024 name = kmem_alloc(maxlen, KM_SLEEP); 3025 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3026 break; 3027 3028 /* 3029 * If string passed in is longer than length 3030 * allowed for domain name, fail. 3031 */ 3032 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3033 break; 3034 3035 au_uwrite(au_to_text(name)); 3036 break; 3037 } 3038 3039 default: 3040 return; 3041 } 3042 3043 kmem_free(name, maxlen); 3044 } 3045 3046 static au_event_t 3047 aui_modctl(au_event_t e) 3048 { 3049 klwp_t *clwp = ttolwp(curthread); 3050 uint_t cmd; 3051 3052 struct a { 3053 long cmd; 3054 } *uap = (struct a *)clwp->lwp_ap; 3055 3056 cmd = (uint_t)uap->cmd; 3057 3058 switch (cmd) { 3059 case MODLOAD: 3060 e = AUE_MODLOAD; 3061 break; 3062 case MODUNLOAD: 3063 e = AUE_MODUNLOAD; 3064 break; 3065 case MODADDMAJBIND: 3066 e = AUE_MODADDMAJ; 3067 break; 3068 case MODSETDEVPOLICY: 3069 e = AUE_MODDEVPLCY; 3070 break; 3071 case MODALLOCPRIV: 3072 e = AUE_MODADDPRIV; 3073 break; 3074 default: 3075 e = AUE_NULL; 3076 break; 3077 } 3078 return (e); 3079 } 3080 3081 3082 /*ARGSUSED*/ 3083 static void 3084 aus_modctl(struct t_audit_data *tad) 3085 { 3086 klwp_t *clwp = ttolwp(curthread); 3087 void *a = clwp->lwp_ap; 3088 uint_t use_path; 3089 3090 switch (tad->tad_event) { 3091 case AUE_MODLOAD: { 3092 typedef struct { 3093 long cmd; 3094 long use_path; 3095 long filename; /* char * */ 3096 } modloada_t; 3097 3098 char *filenamep; 3099 uintptr_t fname; 3100 extern char *default_path; 3101 3102 fname = (uintptr_t)((modloada_t *)a)->filename; 3103 use_path = (uint_t)((modloada_t *)a)->use_path; 3104 3105 /* space to hold path */ 3106 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3107 /* get string */ 3108 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3109 /* free allocated path */ 3110 kmem_free(filenamep, MOD_MAXPATH); 3111 return; 3112 } 3113 /* ensure it's null terminated */ 3114 filenamep[MOD_MAXPATH - 1] = 0; 3115 3116 if (use_path) 3117 au_uwrite(au_to_text(default_path)); 3118 au_uwrite(au_to_text(filenamep)); 3119 3120 /* release temporary memory */ 3121 kmem_free(filenamep, MOD_MAXPATH); 3122 break; 3123 } 3124 case AUE_MODUNLOAD: { 3125 typedef struct { 3126 long cmd; 3127 long id; 3128 } modunloada_t; 3129 3130 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3131 3132 au_uwrite(au_to_arg32(1, "id", id)); 3133 break; 3134 } 3135 case AUE_MODADDMAJ: { 3136 STRUCT_DECL(modconfig, mc); 3137 typedef struct { 3138 long cmd; 3139 long subcmd; 3140 long data; /* int * */ 3141 } modconfiga_t; 3142 3143 STRUCT_DECL(aliases, alias); 3144 caddr_t ap; 3145 int i, num_aliases; 3146 char *drvname, *mc_drvname; 3147 char *name; 3148 extern char *ddi_major_to_name(major_t); 3149 model_t model; 3150 3151 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3152 3153 model = get_udatamodel(); 3154 STRUCT_INIT(mc, model); 3155 /* sanitize buffer */ 3156 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3157 /* get user arguments */ 3158 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3159 STRUCT_SIZE(mc)) != 0) 3160 return; 3161 3162 mc_drvname = STRUCT_FGET(mc, drvname); 3163 if ((drvname = ddi_major_to_name( 3164 (major_t)STRUCT_FGET(mc, major))) != NULL && 3165 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3166 /* safety */ 3167 if (mc_drvname[0] != '\0') { 3168 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3169 au_uwrite(au_to_text(mc_drvname)); 3170 } 3171 /* drvname != NULL from test above */ 3172 au_uwrite(au_to_text(drvname)); 3173 return; 3174 } 3175 3176 if (mc_drvname[0] != '\0') { 3177 /* safety */ 3178 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3179 au_uwrite(au_to_text(mc_drvname)); 3180 } else 3181 au_uwrite(au_to_text("no drvname")); 3182 3183 num_aliases = STRUCT_FGET(mc, num_aliases); 3184 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3185 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3186 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3187 STRUCT_INIT(alias, model); 3188 for (i = 0; i < num_aliases; i++) { 3189 bzero((caddr_t)STRUCT_BUF(alias), 3190 STRUCT_SIZE(alias)); 3191 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3192 STRUCT_SIZE(alias)) != 0) 3193 break; 3194 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3195 MAXMODCONFNAME, NULL) != 0) { 3196 break; 3197 } 3198 3199 au_uwrite(au_to_text(name)); 3200 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3201 } 3202 kmem_free(name, MAXMODCONFNAME); 3203 break; 3204 } 3205 default: 3206 break; 3207 } 3208 } 3209 3210 /* 3211 * private version of getsonode that does not do eprintsoline() 3212 */ 3213 static struct sonode * 3214 au_getsonode(int sock, int *errorp, file_t **fpp) 3215 { 3216 file_t *fp; 3217 register vnode_t *vp; 3218 struct sonode *so; 3219 3220 if ((fp = getf(sock)) == NULL) { 3221 *errorp = EBADF; 3222 return (NULL); 3223 } 3224 vp = fp->f_vnode; 3225 /* Check if it is a socket */ 3226 if (vp->v_type != VSOCK) { 3227 releasef(sock); 3228 *errorp = ENOTSOCK; 3229 return (NULL); 3230 } 3231 /* 3232 * Use the stream head to find the real socket vnode. 3233 * This is needed when namefs sits above sockfs. 3234 */ 3235 ASSERT(vp->v_stream); 3236 ASSERT(vp->v_stream->sd_vnode); 3237 vp = vp->v_stream->sd_vnode; 3238 so = VTOSO(vp); 3239 if (so->so_version == SOV_STREAM) { 3240 releasef(sock); 3241 *errorp = ENOTSOCK; 3242 return (NULL); 3243 } 3244 if (fpp) 3245 *fpp = fp; 3246 return (so); 3247 } 3248 3249 /*ARGSUSED*/ 3250 static void 3251 auf_accept( 3252 struct t_audit_data *tad, 3253 int error, 3254 rval_t *rval) 3255 { 3256 uint32_t scid; 3257 uint32_t sy_flags; 3258 int fd; 3259 struct sonode *so; 3260 char so_laddr[sizeof (struct sockaddr_in6)]; 3261 char so_faddr[sizeof (struct sockaddr_in6)]; 3262 int err; 3263 int len; 3264 short so_family, so_type; 3265 int add_sock_token = 0; 3266 3267 /* need to determine type of executing binary */ 3268 scid = tad->tad_scid; 3269 #ifdef _SYSCALL32_IMPL 3270 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3271 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3272 else 3273 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3274 #else 3275 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3276 #endif 3277 if (sy_flags == SE_32RVAL1) 3278 fd = rval->r_val1; 3279 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3280 fd = rval->r_val1; 3281 if (sy_flags == SE_64RVAL) 3282 fd = (int)rval->r_vals; 3283 3284 if (error) { 3285 /* can't trust socket contents. Just return */ 3286 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3287 return; 3288 } 3289 3290 if ((so = au_getsonode((int)fd, &err, NULL)) == NULL) { 3291 /* 3292 * not security relevant if doing a accept from non socket 3293 * so no extra tokens. Should probably turn off audit record 3294 * generation here. 3295 */ 3296 return; 3297 } 3298 3299 so_family = so->so_family; 3300 so_type = so->so_type; 3301 3302 switch (so_family) { 3303 case AF_INET: 3304 case AF_INET6: 3305 /* 3306 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3307 */ 3308 if (so->so_type == SOCK_STREAM) { 3309 3310 bzero((void *)so_laddr, sizeof (so_laddr)); 3311 bzero((void *)so_faddr, sizeof (so_faddr)); 3312 3313 /* 3314 * no local address then need to get it from lower 3315 * levels. only put out record on first read ala 3316 * AUE_WRITE. 3317 */ 3318 if (so->so_state & SS_ISBOUND) { 3319 /* only done once on a connection */ 3320 (void) SOP_GETSOCKNAME(so); 3321 (void) SOP_GETPEERNAME(so); 3322 3323 /* get local and foreign addresses */ 3324 mutex_enter(&so->so_lock); 3325 len = min(so->so_laddr_len, sizeof (so_laddr)); 3326 bcopy(so->so_laddr_sa, so_laddr, len); 3327 len = min(so->so_faddr_len, sizeof (so_faddr)); 3328 bcopy(so->so_faddr_sa, so_faddr, len); 3329 mutex_exit(&so->so_lock); 3330 } 3331 3332 add_sock_token = 1; 3333 } 3334 break; 3335 3336 default: 3337 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3338 break; 3339 } 3340 3341 releasef(fd); 3342 3343 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3344 3345 if (add_sock_token == 0) { 3346 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3347 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3348 return; 3349 } 3350 3351 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3352 3353 } 3354 3355 /*ARGSUSED*/ 3356 static void 3357 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3358 { 3359 struct a { 3360 long fd; 3361 long addr; 3362 long len; 3363 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3364 3365 struct sonode *so; 3366 char so_laddr[sizeof (struct sockaddr_in6)]; 3367 char so_faddr[sizeof (struct sockaddr_in6)]; 3368 int err, fd; 3369 int len; 3370 short so_family, so_type; 3371 int add_sock_token = 0; 3372 3373 fd = (int)uap->fd; 3374 3375 /* 3376 * bind failed, then nothing extra to add to audit record. 3377 */ 3378 if (error) { 3379 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3380 /* XXX may want to add failed address some day */ 3381 return; 3382 } 3383 3384 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3385 /* 3386 * not security relevant if doing a bind from non socket 3387 * so no extra tokens. Should probably turn off audit record 3388 * generation here. 3389 */ 3390 return; 3391 } 3392 3393 so_family = so->so_family; 3394 so_type = so->so_type; 3395 3396 switch (so_family) { 3397 case AF_INET: 3398 case AF_INET6: 3399 3400 bzero(so_faddr, sizeof (so_faddr)); 3401 3402 if (so->so_state & SS_ISBOUND) { 3403 /* only done once on a connection */ 3404 (void) SOP_GETSOCKNAME(so); 3405 } 3406 3407 mutex_enter(&so->so_lock); 3408 len = min(so->so_laddr_len, sizeof (so_laddr)); 3409 bcopy(so->so_laddr_sa, so_laddr, len); 3410 mutex_exit(&so->so_lock); 3411 3412 add_sock_token = 1; 3413 3414 break; 3415 3416 case AF_UNIX: 3417 /* token added by lookup */ 3418 break; 3419 default: 3420 /* AF_ROUTE, AF_KEY do not support accept */ 3421 break; 3422 } 3423 3424 releasef(fd); 3425 3426 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3427 3428 if (add_sock_token == 0) { 3429 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3430 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3431 return; 3432 } 3433 3434 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3435 3436 } 3437 3438 /*ARGSUSED*/ 3439 static void 3440 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3441 { 3442 struct a { 3443 long fd; 3444 long addr; 3445 long len; 3446 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3447 3448 struct sonode *so; 3449 char so_laddr[sizeof (struct sockaddr_in6)]; 3450 char so_faddr[sizeof (struct sockaddr_in6)]; 3451 int err, fd; 3452 int len; 3453 short so_family, so_type; 3454 int add_sock_token = 0; 3455 3456 fd = (int)uap->fd; 3457 3458 3459 if ((so = au_getsonode(fd, &err, NULL)) == NULL) { 3460 /* 3461 * not security relevant if doing a connect from non socket 3462 * so no extra tokens. Should probably turn off audit record 3463 * generation here. 3464 */ 3465 return; 3466 } 3467 3468 so_family = so->so_family; 3469 so_type = so->so_type; 3470 3471 switch (so_family) { 3472 case AF_INET: 3473 case AF_INET6: 3474 /* 3475 * no local address then need to get it from lower 3476 * levels. 3477 */ 3478 if (so->so_state & SS_ISBOUND) { 3479 /* only done once on a connection */ 3480 (void) SOP_GETSOCKNAME(so); 3481 (void) SOP_GETPEERNAME(so); 3482 } 3483 3484 bzero(so_laddr, sizeof (so_laddr)); 3485 bzero(so_faddr, sizeof (so_faddr)); 3486 3487 mutex_enter(&so->so_lock); 3488 len = min(so->so_laddr_len, sizeof (so_laddr)); 3489 bcopy(so->so_laddr_sa, so_laddr, len); 3490 if (error) { 3491 mutex_exit(&so->so_lock); 3492 if (uap->addr == NULL) 3493 break; 3494 if (uap->len <= 0) 3495 break; 3496 len = min(uap->len, sizeof (so_faddr)); 3497 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3498 break; 3499 #ifdef NOTYET 3500 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3501 #endif 3502 } else { 3503 /* sanity check on length */ 3504 len = min(so->so_faddr_len, sizeof (so_faddr)); 3505 bcopy(so->so_faddr_sa, so_faddr, len); 3506 mutex_exit(&so->so_lock); 3507 } 3508 3509 add_sock_token = 1; 3510 3511 break; 3512 3513 case AF_UNIX: 3514 /* does a lookup on name */ 3515 break; 3516 3517 default: 3518 /* AF_ROUTE, AF_KEY do not support accept */ 3519 break; 3520 } 3521 3522 releasef(fd); 3523 3524 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3525 3526 if (add_sock_token == 0) { 3527 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3528 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3529 return; 3530 } 3531 3532 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3533 3534 } 3535 3536 /*ARGSUSED*/ 3537 static void 3538 aus_shutdown(struct t_audit_data *tad) 3539 { 3540 struct a { 3541 long fd; 3542 long how; 3543 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3544 3545 struct sonode *so; 3546 char so_laddr[sizeof (struct sockaddr_in6)]; 3547 char so_faddr[sizeof (struct sockaddr_in6)]; 3548 int err, fd; 3549 int len; 3550 short so_family, so_type; 3551 int add_sock_token = 0; 3552 file_t *fp; /* unix domain sockets */ 3553 struct f_audit_data *fad; /* unix domain sockets */ 3554 3555 fd = (int)uap->fd; 3556 3557 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3558 /* 3559 * not security relevant if doing a shutdown using non socket 3560 * so no extra tokens. Should probably turn off audit record 3561 * generation here. 3562 */ 3563 return; 3564 } 3565 3566 so_family = so->so_family; 3567 so_type = so->so_type; 3568 3569 switch (so_family) { 3570 case AF_INET: 3571 case AF_INET6: 3572 3573 bzero(so_laddr, sizeof (so_laddr)); 3574 bzero(so_faddr, sizeof (so_faddr)); 3575 3576 if (so->so_state & SS_ISBOUND) { 3577 /* 3578 * no local address then need to get it from lower 3579 * levels. 3580 */ 3581 if (so->so_laddr_len == 0) 3582 (void) SOP_GETSOCKNAME(so); 3583 if (so->so_faddr_len == 0) 3584 (void) SOP_GETPEERNAME(so); 3585 } 3586 3587 mutex_enter(&so->so_lock); 3588 len = min(so->so_laddr_len, sizeof (so_laddr)); 3589 bcopy(so->so_laddr_sa, so_laddr, len); 3590 len = min(so->so_faddr_len, sizeof (so_faddr)); 3591 bcopy(so->so_faddr_sa, so_faddr, len); 3592 mutex_exit(&so->so_lock); 3593 3594 add_sock_token = 1; 3595 3596 break; 3597 3598 case AF_UNIX: 3599 3600 /* get path from file struct here */ 3601 fad = F2A(fp); 3602 ASSERT(fad); 3603 3604 if (fad->fad_aupath != NULL) { 3605 au_uwrite(au_to_path(fad->fad_aupath)); 3606 } else { 3607 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3608 } 3609 3610 audit_attributes(fp->f_vnode); 3611 3612 break; 3613 3614 default: 3615 /* 3616 * AF_KEY and AF_ROUTE support shutdown. No socket token 3617 * added. 3618 */ 3619 break; 3620 } 3621 3622 releasef(fd); 3623 3624 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3625 3626 if (add_sock_token == 0) { 3627 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3628 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3629 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3630 return; 3631 } 3632 3633 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3634 3635 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3636 3637 } 3638 3639 /*ARGSUSED*/ 3640 static void 3641 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3642 { 3643 struct a { 3644 long fd; 3645 long level; 3646 long optname; 3647 long *optval; 3648 long optlen; 3649 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3650 3651 struct sonode *so; 3652 char so_laddr[sizeof (struct sockaddr_in6)]; 3653 char so_faddr[sizeof (struct sockaddr_in6)]; 3654 char val[AU_BUFSIZE]; 3655 int err, fd; 3656 int len; 3657 short so_family, so_type; 3658 int add_sock_token = 0; 3659 file_t *fp; /* unix domain sockets */ 3660 struct f_audit_data *fad; /* unix domain sockets */ 3661 3662 fd = (int)uap->fd; 3663 3664 if (error) { 3665 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3666 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3667 /* XXX may want to include other arguments */ 3668 return; 3669 } 3670 3671 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3672 /* 3673 * not security relevant if doing a setsockopt from non socket 3674 * so no extra tokens. Should probably turn off audit record 3675 * generation here. 3676 */ 3677 return; 3678 } 3679 3680 so_family = so->so_family; 3681 so_type = so->so_type; 3682 3683 switch (so_family) { 3684 case AF_INET: 3685 case AF_INET6: 3686 3687 bzero((void *)so_laddr, sizeof (so_laddr)); 3688 bzero((void *)so_faddr, sizeof (so_faddr)); 3689 3690 if (so->so_state & SS_ISBOUND) { 3691 if (so->so_laddr_len == 0) 3692 (void) SOP_GETSOCKNAME(so); 3693 if (so->so_faddr_len == 0) 3694 (void) SOP_GETPEERNAME(so); 3695 } 3696 3697 /* get local and foreign addresses */ 3698 mutex_enter(&so->so_lock); 3699 len = min(so->so_laddr_len, sizeof (so_laddr)); 3700 bcopy(so->so_laddr_sa, so_laddr, len); 3701 len = min(so->so_faddr_len, sizeof (so_faddr)); 3702 bcopy(so->so_faddr_sa, so_faddr, len); 3703 mutex_exit(&so->so_lock); 3704 3705 add_sock_token = 1; 3706 3707 break; 3708 3709 case AF_UNIX: 3710 3711 /* get path from file struct here */ 3712 fad = F2A(fp); 3713 ASSERT(fad); 3714 3715 if (fad->fad_aupath != NULL) { 3716 au_uwrite(au_to_path(fad->fad_aupath)); 3717 } else { 3718 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3719 } 3720 3721 audit_attributes(fp->f_vnode); 3722 3723 break; 3724 3725 default: 3726 /* 3727 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3728 * added. 3729 */ 3730 break; 3731 } 3732 3733 releasef(fd); 3734 3735 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3736 3737 if (add_sock_token == 0) { 3738 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3739 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3740 } 3741 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3742 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3743 3744 bzero(val, sizeof (val)); 3745 len = min(uap->optlen, sizeof (val)); 3746 if ((len > 0) && 3747 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3748 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3749 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3750 } 3751 3752 if (add_sock_token == 0) 3753 return; 3754 3755 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3756 3757 } 3758 3759 /*ARGSUSED*/ 3760 static void 3761 aus_sockconfig(tad) 3762 struct t_audit_data *tad; 3763 { 3764 struct a { 3765 long domain; 3766 long type; 3767 long protocol; 3768 long devpath; 3769 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3770 3771 char *kdevpath; 3772 int kdevpathlen = MAXPATHLEN + 1; 3773 size_t size; 3774 3775 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3776 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3777 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3778 3779 if (uap->devpath == 0) { 3780 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3781 } else { 3782 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3783 3784 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3785 &size)) { 3786 kmem_free(kdevpath, kdevpathlen); 3787 return; 3788 } 3789 3790 if (size > MAXPATHLEN) { 3791 kmem_free(kdevpath, kdevpathlen); 3792 return; 3793 } 3794 3795 au_uwrite(au_to_text(kdevpath)); 3796 kmem_free(kdevpath, kdevpathlen); 3797 } 3798 } 3799 3800 /* 3801 * only audit recvmsg when the system call represents the creation of a new 3802 * circuit. This effectively occurs for all UDP packets and may occur for 3803 * special TCP situations where the local host has not set a local address 3804 * in the socket structure. 3805 */ 3806 /*ARGSUSED*/ 3807 static void 3808 auf_recvmsg( 3809 struct t_audit_data *tad, 3810 int error, 3811 rval_t *rvp) 3812 { 3813 struct a { 3814 long fd; 3815 long msg; /* struct msghdr */ 3816 long flags; 3817 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3818 3819 struct sonode *so; 3820 STRUCT_DECL(msghdr, msg); 3821 caddr_t msg_name; 3822 socklen_t msg_namelen; 3823 int fd; 3824 int err; 3825 char so_laddr[sizeof (struct sockaddr_in6)]; 3826 char so_faddr[sizeof (struct sockaddr_in6)]; 3827 int len; 3828 file_t *fp; /* unix domain sockets */ 3829 struct f_audit_data *fad; /* unix domain sockets */ 3830 short so_family, so_type; 3831 int add_sock_token = 0; 3832 au_kcontext_t *kctx = GET_KCTX_PZ; 3833 3834 fd = (int)uap->fd; 3835 3836 /* bail if an error */ 3837 if (error) { 3838 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3839 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3840 return; 3841 } 3842 3843 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 3844 /* 3845 * not security relevant if doing a recvmsg from non socket 3846 * so no extra tokens. Should probably turn off audit record 3847 * generation here. 3848 */ 3849 return; 3850 } 3851 3852 so_family = so->so_family; 3853 so_type = so->so_type; 3854 3855 /* 3856 * only putout SOCKET_EX token if INET/INET6 family. 3857 * XXX - what do we do about other families? 3858 */ 3859 3860 switch (so_family) { 3861 case AF_INET: 3862 case AF_INET6: 3863 3864 /* 3865 * if datagram type socket, then just use what is in 3866 * socket structure for local address. 3867 * XXX - what do we do for other types? 3868 */ 3869 if ((so->so_type == SOCK_DGRAM) || 3870 (so->so_type == SOCK_RAW)) { 3871 add_sock_token = 1; 3872 3873 bzero((void *)so_laddr, sizeof (so_laddr)); 3874 bzero((void *)so_faddr, sizeof (so_faddr)); 3875 3876 /* get local address */ 3877 mutex_enter(&so->so_lock); 3878 len = min(so->so_laddr_len, sizeof (so_laddr)); 3879 bcopy(so->so_laddr_sa, so_laddr, len); 3880 mutex_exit(&so->so_lock); 3881 3882 /* get peer address */ 3883 STRUCT_INIT(msg, get_udatamodel()); 3884 3885 if (copyin((caddr_t)(uap->msg), 3886 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3887 break; 3888 } 3889 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3890 if (msg_name == NULL) { 3891 break; 3892 } 3893 3894 /* length is value from recvmsg - sanity check */ 3895 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3896 if (msg_namelen == 0) { 3897 break; 3898 } 3899 if (copyin(msg_name, so_faddr, 3900 sizeof (so_faddr)) != 0) { 3901 break; 3902 } 3903 3904 } else if (so->so_type == SOCK_STREAM) { 3905 3906 /* get path from file struct here */ 3907 fad = F2A(fp); 3908 ASSERT(fad); 3909 3910 /* 3911 * already processed this file for read attempt 3912 */ 3913 if (fad->fad_flags & FAD_READ) { 3914 /* don't want to audit every recvmsg attempt */ 3915 tad->tad_flag = 0; 3916 /* free any residual audit data */ 3917 au_close(kctx, &(u_ad), 0, 0, 0); 3918 releasef(fd); 3919 return; 3920 } 3921 /* 3922 * mark things so we know what happened and don't 3923 * repeat things 3924 */ 3925 fad->fad_flags |= FAD_READ; 3926 3927 bzero((void *)so_laddr, sizeof (so_laddr)); 3928 bzero((void *)so_faddr, sizeof (so_faddr)); 3929 3930 if (so->so_state & SS_ISBOUND) { 3931 3932 if (so->so_laddr_len == 0) 3933 (void) SOP_GETSOCKNAME(so); 3934 if (so->so_faddr_len == 0) 3935 (void) SOP_GETPEERNAME(so); 3936 3937 /* get local and foreign addresses */ 3938 mutex_enter(&so->so_lock); 3939 len = min(so->so_laddr_len, sizeof (so_laddr)); 3940 bcopy(so->so_laddr_sa, so_laddr, len); 3941 len = min(so->so_faddr_len, sizeof (so_faddr)); 3942 bcopy(so->so_faddr_sa, so_faddr, len); 3943 mutex_exit(&so->so_lock); 3944 } 3945 3946 add_sock_token = 1; 3947 } 3948 3949 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3950 3951 break; 3952 3953 case AF_UNIX: 3954 /* 3955 * first check if this is first time through. Too much 3956 * duplicate code to put this in an aui_ routine. 3957 */ 3958 3959 /* get path from file struct here */ 3960 fad = F2A(fp); 3961 ASSERT(fad); 3962 3963 /* 3964 * already processed this file for read attempt 3965 */ 3966 if (fad->fad_flags & FAD_READ) { 3967 releasef(fd); 3968 /* don't want to audit every recvmsg attempt */ 3969 tad->tad_flag = 0; 3970 /* free any residual audit data */ 3971 au_close(kctx, &(u_ad), 0, 0, 0); 3972 return; 3973 } 3974 /* 3975 * mark things so we know what happened and don't 3976 * repeat things 3977 */ 3978 fad->fad_flags |= FAD_READ; 3979 3980 if (fad->fad_aupath != NULL) { 3981 au_uwrite(au_to_path(fad->fad_aupath)); 3982 } else { 3983 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3984 } 3985 3986 audit_attributes(fp->f_vnode); 3987 3988 releasef(fd); 3989 3990 return; 3991 3992 default: 3993 break; 3994 3995 } 3996 3997 releasef(fd); 3998 3999 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4000 4001 if (add_sock_token == 0) { 4002 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4003 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4004 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4005 return; 4006 } 4007 4008 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4009 4010 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4011 4012 } 4013 4014 /*ARGSUSED*/ 4015 static void 4016 auf_recvfrom( 4017 struct t_audit_data *tad, 4018 int error, 4019 rval_t *rvp) 4020 { 4021 4022 struct a { 4023 long fd; 4024 long msg; /* char */ 4025 long len; 4026 long flags; 4027 long from; /* struct sockaddr */ 4028 long fromlen; 4029 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4030 4031 socklen_t fromlen; 4032 struct sonode *so; 4033 char so_laddr[sizeof (struct sockaddr_in6)]; 4034 char so_faddr[sizeof (struct sockaddr_in6)]; 4035 int fd; 4036 short so_family, so_type; 4037 int add_sock_token = 0; 4038 int len; 4039 int err; 4040 struct file *fp; 4041 struct f_audit_data *fad; /* unix domain sockets */ 4042 au_kcontext_t *kctx = GET_KCTX_PZ; 4043 4044 fd = (int)uap->fd; 4045 4046 /* bail if an error */ 4047 if (error) { 4048 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4049 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4050 return; 4051 } 4052 4053 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4054 /* 4055 * not security relevant if doing a recvmsg from non socket 4056 * so no extra tokens. Should probably turn off audit record 4057 * generation here. 4058 */ 4059 return; 4060 } 4061 4062 so_family = so->so_family; 4063 so_type = so->so_type; 4064 4065 /* 4066 * only putout SOCKET_EX token if INET/INET6 family. 4067 * XXX - what do we do about other families? 4068 */ 4069 4070 switch (so_family) { 4071 case AF_INET: 4072 case AF_INET6: 4073 4074 /* 4075 * if datagram type socket, then just use what is in 4076 * socket structure for local address. 4077 * XXX - what do we do for other types? 4078 */ 4079 if ((so->so_type == SOCK_DGRAM) || 4080 (so->so_type == SOCK_RAW)) { 4081 add_sock_token = 1; 4082 4083 /* get local address */ 4084 mutex_enter(&so->so_lock); 4085 len = min(so->so_laddr_len, sizeof (so_laddr)); 4086 bcopy(so->so_laddr_sa, so_laddr, len); 4087 mutex_exit(&so->so_lock); 4088 4089 /* get peer address */ 4090 bzero((void *)so_faddr, sizeof (so_faddr)); 4091 4092 /* sanity check */ 4093 if (uap->from == NULL) 4094 break; 4095 4096 /* sanity checks */ 4097 if (uap->fromlen == 0) 4098 break; 4099 4100 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4101 sizeof (fromlen)) != 0) 4102 break; 4103 4104 if (fromlen == 0) 4105 break; 4106 4107 /* enforce maximum size */ 4108 if (fromlen > sizeof (so_faddr)) 4109 fromlen = sizeof (so_faddr); 4110 4111 if (copyin((caddr_t)(uap->from), so_faddr, 4112 fromlen) != 0) 4113 break; 4114 4115 } else if (so->so_type == SOCK_STREAM) { 4116 4117 /* get path from file struct here */ 4118 fad = F2A(fp); 4119 ASSERT(fad); 4120 4121 /* 4122 * already processed this file for read attempt 4123 */ 4124 if (fad->fad_flags & FAD_READ) { 4125 /* don't want to audit every recvfrom attempt */ 4126 tad->tad_flag = 0; 4127 /* free any residual audit data */ 4128 au_close(kctx, &(u_ad), 0, 0, 0); 4129 releasef(fd); 4130 return; 4131 } 4132 /* 4133 * mark things so we know what happened and don't 4134 * repeat things 4135 */ 4136 fad->fad_flags |= FAD_READ; 4137 4138 bzero((void *)so_laddr, sizeof (so_laddr)); 4139 bzero((void *)so_faddr, sizeof (so_faddr)); 4140 4141 if (so->so_state & SS_ISBOUND) { 4142 4143 if (so->so_laddr_len == 0) 4144 (void) SOP_GETSOCKNAME(so); 4145 if (so->so_faddr_len == 0) 4146 (void) SOP_GETPEERNAME(so); 4147 4148 /* get local and foreign addresses */ 4149 mutex_enter(&so->so_lock); 4150 len = min(so->so_laddr_len, sizeof (so_laddr)); 4151 bcopy(so->so_laddr_sa, so_laddr, len); 4152 len = min(so->so_faddr_len, sizeof (so_faddr)); 4153 bcopy(so->so_faddr_sa, so_faddr, len); 4154 mutex_exit(&so->so_lock); 4155 } 4156 4157 add_sock_token = 1; 4158 } 4159 4160 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4161 4162 break; 4163 4164 case AF_UNIX: 4165 /* 4166 * first check if this is first time through. Too much 4167 * duplicate code to put this in an aui_ routine. 4168 */ 4169 4170 /* get path from file struct here */ 4171 fad = F2A(fp); 4172 ASSERT(fad); 4173 4174 /* 4175 * already processed this file for read attempt 4176 */ 4177 if (fad->fad_flags & FAD_READ) { 4178 /* don't want to audit every recvfrom attempt */ 4179 tad->tad_flag = 0; 4180 /* free any residual audit data */ 4181 au_close(kctx, &(u_ad), 0, 0, 0); 4182 releasef(fd); 4183 return; 4184 } 4185 /* 4186 * mark things so we know what happened and don't 4187 * repeat things 4188 */ 4189 fad->fad_flags |= FAD_READ; 4190 4191 if (fad->fad_aupath != NULL) { 4192 au_uwrite(au_to_path(fad->fad_aupath)); 4193 } else { 4194 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4195 } 4196 4197 audit_attributes(fp->f_vnode); 4198 4199 releasef(fd); 4200 4201 return; 4202 4203 default: 4204 break; 4205 4206 } 4207 4208 releasef(fd); 4209 4210 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4211 4212 if (add_sock_token == 0) { 4213 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4214 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4215 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4216 return; 4217 } 4218 4219 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4220 4221 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4222 } 4223 4224 /*ARGSUSED*/ 4225 static void 4226 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4227 { 4228 struct a { 4229 long fd; 4230 long msg; /* struct msghdr */ 4231 long flags; 4232 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4233 4234 struct sonode *so; 4235 char so_laddr[sizeof (struct sockaddr_in6)]; 4236 char so_faddr[sizeof (struct sockaddr_in6)]; 4237 int err; 4238 int fd; 4239 short so_family, so_type; 4240 int add_sock_token = 0; 4241 int len; 4242 struct file *fp; 4243 struct f_audit_data *fad; 4244 caddr_t msg_name; 4245 socklen_t msg_namelen; 4246 STRUCT_DECL(msghdr, msg); 4247 au_kcontext_t *kctx = GET_KCTX_PZ; 4248 4249 fd = (int)uap->fd; 4250 4251 /* bail if an error */ 4252 if (error) { 4253 /* XXX include destination address from system call arguments */ 4254 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4255 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4256 return; 4257 } 4258 4259 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4260 /* 4261 * not security relevant if doing a sendmsg from non socket 4262 * so no extra tokens. Should probably turn off audit record 4263 * generation here. 4264 */ 4265 return; 4266 } 4267 4268 so_family = so->so_family; 4269 so_type = so->so_type; 4270 4271 switch (so_family) { 4272 case AF_INET: 4273 case AF_INET6: 4274 /* 4275 * if datagram type socket, then just use what is in 4276 * socket structure for local address. 4277 * XXX - what do we do for other types? 4278 */ 4279 if ((so->so_type == SOCK_DGRAM) || 4280 (so->so_type == SOCK_RAW)) { 4281 4282 bzero((void *)so_laddr, sizeof (so_laddr)); 4283 bzero((void *)so_faddr, sizeof (so_faddr)); 4284 4285 /* get local address */ 4286 mutex_enter(&so->so_lock); 4287 len = min(so->so_laddr_len, sizeof (so_laddr)); 4288 bcopy(so->so_laddr_sa, so_laddr, len); 4289 mutex_exit(&so->so_lock); 4290 4291 /* get peer address */ 4292 STRUCT_INIT(msg, get_udatamodel()); 4293 4294 if (copyin((caddr_t)(uap->msg), 4295 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4296 break; 4297 } 4298 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4299 if (msg_name == NULL) 4300 break; 4301 4302 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4303 /* length is value from recvmsg - sanity check */ 4304 if (msg_namelen == 0) 4305 break; 4306 4307 if (copyin(msg_name, so_faddr, 4308 sizeof (so_faddr)) != 0) 4309 break; 4310 4311 add_sock_token = 1; 4312 4313 } else if (so->so_type == SOCK_STREAM) { 4314 4315 /* get path from file struct here */ 4316 fad = F2A(fp); 4317 ASSERT(fad); 4318 4319 /* 4320 * already processed this file for write attempt 4321 */ 4322 if (fad->fad_flags & FAD_WRITE) { 4323 releasef(fd); 4324 /* don't want to audit every sendmsg attempt */ 4325 tad->tad_flag = 0; 4326 /* free any residual audit data */ 4327 au_close(kctx, &(u_ad), 0, 0, 0); 4328 return; 4329 } 4330 4331 /* 4332 * mark things so we know what happened and don't 4333 * repeat things 4334 */ 4335 fad->fad_flags |= FAD_WRITE; 4336 4337 bzero((void *)so_laddr, sizeof (so_laddr)); 4338 bzero((void *)so_faddr, sizeof (so_faddr)); 4339 4340 if (so->so_state & SS_ISBOUND) { 4341 4342 if (so->so_laddr_len == 0) 4343 (void) SOP_GETSOCKNAME(so); 4344 if (so->so_faddr_len == 0) 4345 (void) SOP_GETPEERNAME(so); 4346 4347 /* get local and foreign addresses */ 4348 mutex_enter(&so->so_lock); 4349 len = min(so->so_laddr_len, sizeof (so_laddr)); 4350 bcopy(so->so_laddr_sa, so_laddr, len); 4351 len = min(so->so_faddr_len, sizeof (so_faddr)); 4352 bcopy(so->so_faddr_sa, so_faddr, len); 4353 mutex_exit(&so->so_lock); 4354 } 4355 4356 add_sock_token = 1; 4357 } 4358 4359 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4360 4361 break; 4362 4363 case AF_UNIX: 4364 /* 4365 * first check if this is first time through. Too much 4366 * duplicate code to put this in an aui_ routine. 4367 */ 4368 4369 /* get path from file struct here */ 4370 fad = F2A(fp); 4371 ASSERT(fad); 4372 4373 /* 4374 * already processed this file for write attempt 4375 */ 4376 if (fad->fad_flags & FAD_WRITE) { 4377 releasef(fd); 4378 /* don't want to audit every sendmsg attempt */ 4379 tad->tad_flag = 0; 4380 /* free any residual audit data */ 4381 au_close(kctx, &(u_ad), 0, 0, 0); 4382 return; 4383 } 4384 /* 4385 * mark things so we know what happened and don't 4386 * repeat things 4387 */ 4388 fad->fad_flags |= FAD_WRITE; 4389 4390 if (fad->fad_aupath != NULL) { 4391 au_uwrite(au_to_path(fad->fad_aupath)); 4392 } else { 4393 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4394 } 4395 4396 audit_attributes(fp->f_vnode); 4397 4398 releasef(fd); 4399 4400 return; 4401 4402 default: 4403 break; 4404 } 4405 4406 releasef(fd); 4407 4408 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4409 4410 if (add_sock_token == 0) { 4411 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4412 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4413 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4414 return; 4415 } 4416 4417 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4418 4419 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4420 } 4421 4422 /*ARGSUSED*/ 4423 static void 4424 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4425 { 4426 struct a { 4427 long fd; 4428 long msg; /* char */ 4429 long len; 4430 long flags; 4431 long to; /* struct sockaddr */ 4432 long tolen; 4433 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4434 4435 struct sonode *so; 4436 char so_laddr[sizeof (struct sockaddr_in6)]; 4437 char so_faddr[sizeof (struct sockaddr_in6)]; 4438 socklen_t tolen; 4439 int err; 4440 int fd; 4441 int len; 4442 short so_family, so_type; 4443 int add_sock_token = 0; 4444 struct file *fp; 4445 struct f_audit_data *fad; 4446 au_kcontext_t *kctx = GET_KCTX_PZ; 4447 4448 fd = (int)uap->fd; 4449 4450 /* bail if an error */ 4451 if (error) { 4452 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4453 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4454 /* XXX include destination address from system call arguments */ 4455 return; 4456 } 4457 4458 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 4459 /* 4460 * not security relevant if doing a sendto using non socket 4461 * so no extra tokens. Should probably turn off audit record 4462 * generation here. 4463 */ 4464 return; 4465 } 4466 4467 so_family = so->so_family; 4468 so_type = so->so_type; 4469 4470 /* 4471 * only putout SOCKET_EX token if INET/INET6 family. 4472 * XXX - what do we do about other families? 4473 */ 4474 4475 switch (so_family) { 4476 case AF_INET: 4477 case AF_INET6: 4478 4479 /* 4480 * if datagram type socket, then just use what is in 4481 * socket structure for local address. 4482 * XXX - what do we do for other types? 4483 */ 4484 if ((so->so_type == SOCK_DGRAM) || 4485 (so->so_type == SOCK_RAW)) { 4486 4487 bzero((void *)so_laddr, sizeof (so_laddr)); 4488 bzero((void *)so_faddr, sizeof (so_faddr)); 4489 4490 /* get local address */ 4491 mutex_enter(&so->so_lock); 4492 len = min(so->so_laddr_len, sizeof (so_laddr)); 4493 bcopy(so->so_laddr_sa, so_laddr, len); 4494 mutex_exit(&so->so_lock); 4495 4496 /* get peer address */ 4497 4498 /* sanity check */ 4499 if (uap->to == NULL) 4500 break; 4501 4502 /* sanity checks */ 4503 if (uap->tolen == 0) 4504 break; 4505 4506 tolen = (socklen_t)uap->tolen; 4507 4508 /* enforce maximum size */ 4509 if (tolen > sizeof (so_faddr)) 4510 tolen = sizeof (so_faddr); 4511 4512 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4513 break; 4514 4515 add_sock_token = 1; 4516 } else { 4517 /* 4518 * check if this is first time through. 4519 */ 4520 4521 /* get path from file struct here */ 4522 fad = F2A(fp); 4523 ASSERT(fad); 4524 4525 /* 4526 * already processed this file for write attempt 4527 */ 4528 if (fad->fad_flags & FAD_WRITE) { 4529 /* don't want to audit every sendto attempt */ 4530 tad->tad_flag = 0; 4531 /* free any residual audit data */ 4532 au_close(kctx, &(u_ad), 0, 0, 0); 4533 releasef(fd); 4534 return; 4535 } 4536 /* 4537 * mark things so we know what happened and don't 4538 * repeat things 4539 */ 4540 fad->fad_flags |= FAD_WRITE; 4541 4542 bzero((void *)so_laddr, sizeof (so_laddr)); 4543 bzero((void *)so_faddr, sizeof (so_faddr)); 4544 4545 if (so->so_state & SS_ISBOUND) { 4546 4547 if (so->so_laddr_len == 0) 4548 (void) SOP_GETSOCKNAME(so); 4549 if (so->so_faddr_len == 0) 4550 (void) SOP_GETPEERNAME(so); 4551 4552 /* get local and foreign addresses */ 4553 mutex_enter(&so->so_lock); 4554 len = min(so->so_laddr_len, sizeof (so_laddr)); 4555 bcopy(so->so_laddr_sa, so_laddr, len); 4556 len = min(so->so_faddr_len, sizeof (so_faddr)); 4557 bcopy(so->so_faddr_sa, so_faddr, len); 4558 mutex_exit(&so->so_lock); 4559 } 4560 4561 add_sock_token = 1; 4562 } 4563 4564 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4565 4566 break; 4567 4568 case AF_UNIX: 4569 /* 4570 * first check if this is first time through. Too much 4571 * duplicate code to put this in an aui_ routine. 4572 */ 4573 4574 /* get path from file struct here */ 4575 fad = F2A(fp); 4576 ASSERT(fad); 4577 4578 /* 4579 * already processed this file for write attempt 4580 */ 4581 if (fad->fad_flags & FAD_WRITE) { 4582 /* don't want to audit every sendto attempt */ 4583 tad->tad_flag = 0; 4584 /* free any residual audit data */ 4585 au_close(kctx, &(u_ad), 0, 0, 0); 4586 releasef(fd); 4587 return; 4588 } 4589 /* 4590 * mark things so we know what happened and don't 4591 * repeat things 4592 */ 4593 fad->fad_flags |= FAD_WRITE; 4594 4595 if (fad->fad_aupath != NULL) { 4596 au_uwrite(au_to_path(fad->fad_aupath)); 4597 } else { 4598 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4599 } 4600 4601 audit_attributes(fp->f_vnode); 4602 4603 releasef(fd); 4604 4605 return; 4606 4607 default: 4608 break; 4609 4610 } 4611 4612 releasef(fd); 4613 4614 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4615 4616 if (add_sock_token == 0) { 4617 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4618 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4619 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4620 return; 4621 } 4622 4623 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4624 4625 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4626 4627 } 4628 4629 /* 4630 * XXX socket(2) may be equivilent to open(2) on a unix domain 4631 * socket. This needs investigation. 4632 */ 4633 4634 /*ARGSUSED*/ 4635 static void 4636 aus_socket(struct t_audit_data *tad) 4637 { 4638 struct a { 4639 long domain; 4640 long type; 4641 long protocol; 4642 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4643 4644 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4645 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4646 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4647 } 4648 4649 /*ARGSUSED*/ 4650 static void 4651 aus_sigqueue(struct t_audit_data *tad) 4652 { 4653 struct a { 4654 long pid; 4655 long signo; 4656 long *val; 4657 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4658 struct proc *p; 4659 uid_t uid, ruid; 4660 gid_t gid, rgid; 4661 pid_t pid; 4662 const auditinfo_addr_t *ainfo; 4663 cred_t *cr; 4664 4665 pid = (pid_t)uap->pid; 4666 4667 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4668 if (pid > 0) { 4669 mutex_enter(&pidlock); 4670 if ((p = prfind(pid)) == (struct proc *)0) { 4671 mutex_exit(&pidlock); 4672 return; 4673 } 4674 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4675 mutex_exit(&pidlock); 4676 4677 mutex_enter(&p->p_crlock); 4678 crhold(cr = p->p_cred); 4679 mutex_exit(&p->p_crlock); 4680 mutex_exit(&p->p_lock); 4681 4682 ainfo = crgetauinfo(cr); 4683 if (ainfo == NULL) { 4684 crfree(cr); 4685 return; 4686 } 4687 4688 uid = crgetuid(cr); 4689 gid = crgetgid(cr); 4690 ruid = crgetruid(cr); 4691 rgid = crgetrgid(cr); 4692 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4693 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4694 crfree(cr); 4695 } 4696 else 4697 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4698 } 4699 4700 /*ARGSUSED*/ 4701 static void 4702 aus_inst_sync(struct t_audit_data *tad) 4703 { 4704 struct a { 4705 long name; /* char */ 4706 long flags; 4707 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4708 4709 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4710 } 4711 4712 /*ARGSUSED*/ 4713 static void 4714 aus_brandsys(struct t_audit_data *tad) 4715 { 4716 klwp_t *clwp = ttolwp(curthread); 4717 4718 struct a { 4719 long cmd; 4720 long arg1; 4721 long arg2; 4722 long arg3; 4723 long arg4; 4724 long arg5; 4725 long arg6; 4726 } *uap = (struct a *)clwp->lwp_ap; 4727 4728 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4729 #ifdef _LP64 4730 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4731 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4732 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4733 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4734 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4735 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4736 #else 4737 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4738 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4739 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4740 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4741 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4742 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4743 #endif 4744 } 4745 4746 /*ARGSUSED*/ 4747 static void 4748 aus_p_online(struct t_audit_data *tad) 4749 { 4750 struct a { 4751 long processor_id; 4752 long flag; 4753 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4754 4755 struct flags { 4756 int flag; 4757 char *cflag; 4758 } aflags[6] = { 4759 { P_ONLINE, "P_ONLINE"}, 4760 { P_OFFLINE, "P_OFFLINE"}, 4761 { P_NOINTR, "P_NOINTR"}, 4762 { P_SPARE, "P_SPARE"}, 4763 { P_FAULTED, "P_FAULTED"}, 4764 { P_STATUS, "P_STATUS"} 4765 }; 4766 int i; 4767 char *cflag; 4768 4769 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4770 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4771 4772 for (i = 0; i < 6; i++) { 4773 if (aflags[i].flag == uap->flag) 4774 break; 4775 } 4776 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4777 4778 au_uwrite(au_to_text(cflag)); 4779 } 4780 4781 /*ARGSUSED*/ 4782 static void 4783 aus_processor_bind(struct t_audit_data *tad) 4784 { 4785 struct a { 4786 long id_type; 4787 long id; 4788 long processor_id; 4789 long obind; 4790 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4791 4792 struct proc *p; 4793 int lwpcnt; 4794 uid_t uid, ruid; 4795 gid_t gid, rgid; 4796 pid_t pid; 4797 const auditinfo_addr_t *ainfo; 4798 cred_t *cr; 4799 4800 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4801 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4802 if (uap->processor_id == PBIND_NONE) 4803 au_uwrite(au_to_text("PBIND_NONE")); 4804 else 4805 au_uwrite(au_to_arg32(3, "processor_id", 4806 (uint32_t)uap->processor_id)); 4807 4808 switch (uap->id_type) { 4809 case P_MYID: 4810 case P_LWPID: 4811 mutex_enter(&pidlock); 4812 p = ttoproc(curthread); 4813 if (p == NULL || p->p_as == &kas) { 4814 mutex_exit(&pidlock); 4815 return; 4816 } 4817 mutex_enter(&p->p_lock); 4818 mutex_exit(&pidlock); 4819 lwpcnt = p->p_lwpcnt; 4820 pid = p->p_pid; 4821 4822 mutex_enter(&p->p_crlock); 4823 crhold(cr = p->p_cred); 4824 mutex_exit(&p->p_crlock); 4825 mutex_exit(&p->p_lock); 4826 4827 ainfo = crgetauinfo(cr); 4828 if (ainfo == NULL) { 4829 crfree(cr); 4830 return; 4831 } 4832 4833 uid = crgetuid(cr); 4834 gid = crgetgid(cr); 4835 ruid = crgetruid(cr); 4836 rgid = crgetrgid(cr); 4837 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4838 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4839 crfree(cr); 4840 break; 4841 case P_PID: 4842 mutex_enter(&pidlock); 4843 p = prfind(uap->id); 4844 if (p == NULL || p->p_as == &kas) { 4845 mutex_exit(&pidlock); 4846 return; 4847 } 4848 mutex_enter(&p->p_lock); 4849 mutex_exit(&pidlock); 4850 lwpcnt = p->p_lwpcnt; 4851 pid = p->p_pid; 4852 4853 mutex_enter(&p->p_crlock); 4854 crhold(cr = p->p_cred); 4855 mutex_exit(&p->p_crlock); 4856 mutex_exit(&p->p_lock); 4857 4858 ainfo = crgetauinfo(cr); 4859 if (ainfo == NULL) { 4860 crfree(cr); 4861 return; 4862 } 4863 4864 uid = crgetuid(cr); 4865 gid = crgetgid(cr); 4866 ruid = crgetruid(cr); 4867 rgid = crgetrgid(cr); 4868 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4869 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4870 crfree(cr); 4871 4872 break; 4873 default: 4874 return; 4875 } 4876 4877 if (uap->processor_id == PBIND_NONE && 4878 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4879 au_uwrite(au_to_text("PBIND_NONE for process")); 4880 else 4881 au_uwrite(au_to_arg32(3, "processor_id", 4882 (uint32_t)uap->processor_id)); 4883 } 4884 4885 /*ARGSUSED*/ 4886 static au_event_t 4887 aui_doorfs(au_event_t e) 4888 { 4889 uint32_t code; 4890 4891 struct a { /* doorfs */ 4892 long a1; 4893 long a2; 4894 long a3; 4895 long a4; 4896 long a5; 4897 long code; 4898 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4899 4900 /* 4901 * audit formats for several of the 4902 * door calls have not yet been determined 4903 */ 4904 code = (uint32_t)uap->code; 4905 switch (code) { 4906 case DOOR_CALL: 4907 e = AUE_DOORFS_DOOR_CALL; 4908 break; 4909 case DOOR_RETURN: 4910 e = AUE_NULL; 4911 break; 4912 case DOOR_CREATE: 4913 e = AUE_DOORFS_DOOR_CREATE; 4914 break; 4915 case DOOR_REVOKE: 4916 e = AUE_DOORFS_DOOR_REVOKE; 4917 break; 4918 case DOOR_INFO: 4919 e = AUE_NULL; 4920 break; 4921 case DOOR_UCRED: 4922 e = AUE_NULL; 4923 break; 4924 case DOOR_BIND: 4925 e = AUE_NULL; 4926 break; 4927 case DOOR_UNBIND: 4928 e = AUE_NULL; 4929 break; 4930 case DOOR_GETPARAM: 4931 e = AUE_NULL; 4932 break; 4933 case DOOR_SETPARAM: 4934 e = AUE_NULL; 4935 break; 4936 default: /* illegal system call */ 4937 e = AUE_NULL; 4938 break; 4939 } 4940 4941 return (e); 4942 } 4943 4944 static door_node_t * 4945 au_door_lookup(int did) 4946 { 4947 vnode_t *vp; 4948 file_t *fp; 4949 4950 if ((fp = getf(did)) == NULL) 4951 return (NULL); 4952 /* 4953 * Use the underlying vnode (we may be namefs mounted) 4954 */ 4955 if (VOP_REALVP(fp->f_vnode, &vp)) 4956 vp = fp->f_vnode; 4957 4958 if (vp == NULL || vp->v_type != VDOOR) { 4959 releasef(did); 4960 return (NULL); 4961 } 4962 4963 return (VTOD(vp)); 4964 } 4965 4966 /*ARGSUSED*/ 4967 static void 4968 aus_doorfs(struct t_audit_data *tad) 4969 { 4970 4971 struct a { /* doorfs */ 4972 long a1; 4973 long a2; 4974 long a3; 4975 long a4; 4976 long a5; 4977 long code; 4978 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4979 4980 door_node_t *dp; 4981 struct proc *p; 4982 uint32_t did; 4983 uid_t uid, ruid; 4984 gid_t gid, rgid; 4985 pid_t pid; 4986 const auditinfo_addr_t *ainfo; 4987 cred_t *cr; 4988 4989 did = (uint32_t)uap->a1; 4990 4991 switch (tad->tad_event) { 4992 case AUE_DOORFS_DOOR_CALL: 4993 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4994 if ((dp = au_door_lookup(did)) == NULL) 4995 break; 4996 4997 if (DOOR_INVALID(dp)) { 4998 releasef(did); 4999 break; 5000 } 5001 5002 if ((p = dp->door_target) == NULL) { 5003 releasef(did); 5004 break; 5005 } 5006 mutex_enter(&p->p_lock); 5007 releasef(did); 5008 5009 pid = p->p_pid; 5010 5011 mutex_enter(&p->p_crlock); 5012 crhold(cr = p->p_cred); 5013 mutex_exit(&p->p_crlock); 5014 mutex_exit(&p->p_lock); 5015 5016 ainfo = crgetauinfo(cr); 5017 if (ainfo == NULL) { 5018 crfree(cr); 5019 return; 5020 } 5021 uid = crgetuid(cr); 5022 gid = crgetgid(cr); 5023 ruid = crgetruid(cr); 5024 rgid = crgetrgid(cr); 5025 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5026 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5027 crfree(cr); 5028 break; 5029 case AUE_DOORFS_DOOR_RETURN: 5030 /* 5031 * We may want to write information about 5032 * all doors (if any) which will be copied 5033 * by this call to the user space 5034 */ 5035 break; 5036 case AUE_DOORFS_DOOR_CREATE: 5037 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5038 break; 5039 case AUE_DOORFS_DOOR_REVOKE: 5040 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5041 break; 5042 case AUE_DOORFS_DOOR_INFO: 5043 break; 5044 case AUE_DOORFS_DOOR_CRED: 5045 break; 5046 case AUE_DOORFS_DOOR_BIND: 5047 break; 5048 case AUE_DOORFS_DOOR_UNBIND: { 5049 break; 5050 } 5051 default: /* illegal system call */ 5052 break; 5053 } 5054 } 5055 5056 /*ARGSUSED*/ 5057 static au_event_t 5058 aui_acl(au_event_t e) 5059 { 5060 struct a { 5061 union { 5062 long name; /* char */ 5063 long fd; 5064 } obj; 5065 5066 long cmd; 5067 long nentries; 5068 long arg; /* aclent_t */ 5069 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5070 5071 switch (uap->cmd) { 5072 case SETACL: 5073 /* ok, acl(SETACL, ...) and facl(SETACL, ...) are expected. */ 5074 break; 5075 case GETACL: 5076 case GETACLCNT: 5077 /* do nothing for these two values. */ 5078 e = AUE_NULL; 5079 break; 5080 default: 5081 /* illegal system call */ 5082 break; 5083 } 5084 5085 return (e); 5086 } 5087 5088 5089 /*ARGSUSED*/ 5090 static void 5091 aus_acl(struct t_audit_data *tad) 5092 { 5093 struct a { 5094 long fname; 5095 long cmd; 5096 long nentries; 5097 long aclbufp; 5098 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5099 struct acl *aclbufp; 5100 5101 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5102 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5103 5104 switch (uap->cmd) { 5105 case GETACL: 5106 case GETACLCNT: 5107 break; 5108 case SETACL: 5109 if (uap->nentries < 3) 5110 break; 5111 else { 5112 size_t a_size = uap->nentries * sizeof (struct acl); 5113 int i; 5114 5115 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5116 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5117 kmem_free(aclbufp, a_size); 5118 break; 5119 } 5120 for (i = 0; i < uap->nentries; i++) { 5121 au_uwrite(au_to_acl(aclbufp + i)); 5122 } 5123 kmem_free(aclbufp, a_size); 5124 break; 5125 } 5126 default: 5127 break; 5128 } 5129 } 5130 5131 /*ARGSUSED*/ 5132 static void 5133 aus_facl(struct t_audit_data *tad) 5134 { 5135 struct a { 5136 long fd; 5137 long cmd; 5138 long nentries; 5139 long aclbufp; 5140 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5141 struct file *fp; 5142 struct vnode *vp; 5143 struct f_audit_data *fad; 5144 struct acl *aclbufp; 5145 int fd; 5146 5147 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5148 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5149 5150 fd = (int)uap->fd; 5151 5152 if ((fp = getf(fd)) == NULL) 5153 return; 5154 5155 /* get path from file struct here */ 5156 fad = F2A(fp); 5157 if (fad->fad_aupath != NULL) { 5158 au_uwrite(au_to_path(fad->fad_aupath)); 5159 } else { 5160 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5161 } 5162 5163 vp = fp->f_vnode; 5164 audit_attributes(vp); 5165 5166 /* decrement file descriptor reference count */ 5167 releasef(fd); 5168 5169 switch (uap->cmd) { 5170 case GETACL: 5171 case GETACLCNT: 5172 break; 5173 case SETACL: 5174 if (uap->nentries < 3) 5175 break; 5176 else { 5177 size_t a_size = uap->nentries * sizeof (struct acl); 5178 int i; 5179 5180 aclbufp = kmem_alloc(a_size, KM_SLEEP); 5181 if (copyin((caddr_t)(uap->aclbufp), aclbufp, a_size)) { 5182 kmem_free(aclbufp, a_size); 5183 break; 5184 } 5185 for (i = 0; i < uap->nentries; i++) { 5186 au_uwrite(au_to_acl(aclbufp + i)); 5187 } 5188 kmem_free(aclbufp, a_size); 5189 break; 5190 } 5191 default: 5192 break; 5193 } 5194 } 5195 5196 /*ARGSUSED*/ 5197 static void 5198 auf_read(tad, error, rval) 5199 struct t_audit_data *tad; 5200 int error; 5201 rval_t *rval; 5202 { 5203 struct file *fp; 5204 struct f_audit_data *fad; 5205 int fd; 5206 register struct a { 5207 long fd; 5208 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5209 au_kcontext_t *kctx = GET_KCTX_PZ; 5210 5211 fd = (int)uap->fd; 5212 5213 /* 5214 * convert file pointer to file descriptor 5215 * Note: fd ref count incremented here. 5216 */ 5217 if ((fp = getf(fd)) == NULL) 5218 return; 5219 5220 /* get path from file struct here */ 5221 fad = F2A(fp); 5222 ASSERT(fad); 5223 5224 /* 5225 * already processed this file for read attempt 5226 * 5227 * XXX might be better to turn off auditing in a aui_read() routine. 5228 */ 5229 if (fad->fad_flags & FAD_READ) { 5230 /* don't really want to audit every read attempt */ 5231 tad->tad_flag = 0; 5232 /* free any residual audit data */ 5233 au_close(kctx, &(u_ad), 0, 0, 0); 5234 releasef(fd); 5235 return; 5236 } 5237 /* mark things so we know what happened and don't repeat things */ 5238 fad->fad_flags |= FAD_READ; 5239 5240 if (fad->fad_aupath != NULL) { 5241 au_uwrite(au_to_path(fad->fad_aupath)); 5242 } else { 5243 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5244 } 5245 5246 /* include attributes */ 5247 audit_attributes(fp->f_vnode); 5248 5249 /* decrement file descriptor reference count */ 5250 releasef(fd); 5251 } 5252 5253 /*ARGSUSED*/ 5254 static void 5255 auf_write(tad, error, rval) 5256 struct t_audit_data *tad; 5257 int error; 5258 rval_t *rval; 5259 { 5260 struct file *fp; 5261 struct f_audit_data *fad; 5262 int fd; 5263 register struct a { 5264 long fd; 5265 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5266 au_kcontext_t *kctx = GET_KCTX_PZ; 5267 5268 fd = (int)uap->fd; 5269 5270 /* 5271 * convert file pointer to file descriptor 5272 * Note: fd ref count incremented here. 5273 */ 5274 if ((fp = getf(fd)) == NULL) 5275 return; 5276 5277 /* get path from file struct here */ 5278 fad = F2A(fp); 5279 ASSERT(fad); 5280 5281 /* 5282 * already processed this file for write attempt 5283 * 5284 * XXX might be better to turn off auditing in a aus_write() routine. 5285 */ 5286 if (fad->fad_flags & FAD_WRITE) { 5287 /* don't really want to audit every write attempt */ 5288 tad->tad_flag = 0; 5289 /* free any residual audit data */ 5290 au_close(kctx, &(u_ad), 0, 0, 0); 5291 releasef(fd); 5292 return; 5293 } 5294 /* mark things so we know what happened and don't repeat things */ 5295 fad->fad_flags |= FAD_WRITE; 5296 5297 if (fad->fad_aupath != NULL) { 5298 au_uwrite(au_to_path(fad->fad_aupath)); 5299 } else { 5300 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5301 } 5302 5303 /* include attributes */ 5304 audit_attributes(fp->f_vnode); 5305 5306 /* decrement file descriptor reference count */ 5307 releasef(fd); 5308 } 5309 5310 /*ARGSUSED*/ 5311 static void 5312 auf_recv(tad, error, rval) 5313 struct t_audit_data *tad; 5314 int error; 5315 rval_t *rval; 5316 { 5317 struct sonode *so; 5318 char so_laddr[sizeof (struct sockaddr_in6)]; 5319 char so_faddr[sizeof (struct sockaddr_in6)]; 5320 struct file *fp; 5321 struct f_audit_data *fad; 5322 int fd; 5323 int err; 5324 int len; 5325 short so_family, so_type; 5326 register struct a { 5327 long fd; 5328 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5329 au_kcontext_t *kctx = GET_KCTX_PZ; 5330 5331 /* 5332 * If there was an error, then nothing to do. Only generate 5333 * audit record on first successful recv. 5334 */ 5335 if (error) { 5336 /* Turn off audit record generation here. */ 5337 tad->tad_flag = 0; 5338 /* free any residual audit data */ 5339 au_close(kctx, &(u_ad), 0, 0, 0); 5340 return; 5341 } 5342 5343 fd = (int)uap->fd; 5344 5345 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5346 /* Turn off audit record generation here. */ 5347 tad->tad_flag = 0; 5348 /* free any residual audit data */ 5349 au_close(kctx, &(u_ad), 0, 0, 0); 5350 return; 5351 } 5352 5353 /* get path from file struct here */ 5354 fad = F2A(fp); 5355 ASSERT(fad); 5356 5357 /* 5358 * already processed this file for read attempt 5359 */ 5360 if (fad->fad_flags & FAD_READ) { 5361 releasef(fd); 5362 /* don't really want to audit every recv call */ 5363 tad->tad_flag = 0; 5364 /* free any residual audit data */ 5365 au_close(kctx, &(u_ad), 0, 0, 0); 5366 return; 5367 } 5368 5369 /* mark things so we know what happened and don't repeat things */ 5370 fad->fad_flags |= FAD_READ; 5371 5372 so_family = so->so_family; 5373 so_type = so->so_type; 5374 5375 switch (so_family) { 5376 case AF_INET: 5377 case AF_INET6: 5378 /* 5379 * Only for connections. 5380 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5381 */ 5382 if (so->so_state & SS_ISBOUND) { 5383 5384 bzero((void *)so_laddr, sizeof (so_laddr)); 5385 bzero((void *)so_faddr, sizeof (so_faddr)); 5386 5387 /* only done once on a connection */ 5388 (void) SOP_GETSOCKNAME(so); 5389 (void) SOP_GETPEERNAME(so); 5390 5391 /* get local and foreign addresses */ 5392 mutex_enter(&so->so_lock); 5393 len = min(so->so_laddr_len, sizeof (so_laddr)); 5394 bcopy(so->so_laddr_sa, so_laddr, len); 5395 len = min(so->so_faddr_len, sizeof (so_faddr)); 5396 bcopy(so->so_faddr_sa, so_faddr, len); 5397 mutex_exit(&so->so_lock); 5398 5399 /* 5400 * only way to drop out of switch. Note that we 5401 * we release fd below. 5402 */ 5403 5404 break; 5405 } 5406 5407 releasef(fd); 5408 5409 /* don't really want to audit every recv call */ 5410 tad->tad_flag = 0; 5411 /* free any residual audit data */ 5412 au_close(kctx, &(u_ad), 0, 0, 0); 5413 5414 return; 5415 5416 case AF_UNIX: 5417 5418 if (fad->fad_aupath != NULL) { 5419 au_uwrite(au_to_path(fad->fad_aupath)); 5420 } else { 5421 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5422 } 5423 5424 audit_attributes(fp->f_vnode); 5425 5426 releasef(fd); 5427 5428 return; 5429 5430 default: 5431 releasef(fd); 5432 5433 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5434 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5435 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5436 5437 return; 5438 } 5439 5440 releasef(fd); 5441 5442 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5443 5444 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5445 5446 } 5447 5448 /*ARGSUSED*/ 5449 static void 5450 auf_send(tad, error, rval) 5451 struct t_audit_data *tad; 5452 int error; 5453 rval_t *rval; 5454 { 5455 struct sonode *so; 5456 char so_laddr[sizeof (struct sockaddr_in6)]; 5457 char so_faddr[sizeof (struct sockaddr_in6)]; 5458 struct file *fp; 5459 struct f_audit_data *fad; 5460 int fd; 5461 int err; 5462 int len; 5463 short so_family, so_type; 5464 register struct a { 5465 long fd; 5466 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5467 au_kcontext_t *kctx = GET_KCTX_PZ; 5468 5469 fd = (int)uap->fd; 5470 5471 /* 5472 * If there was an error, then nothing to do. Only generate 5473 * audit record on first successful send. 5474 */ 5475 if (error != 0) { 5476 /* Turn off audit record generation here. */ 5477 tad->tad_flag = 0; 5478 /* free any residual audit data */ 5479 au_close(kctx, &(u_ad), 0, 0, 0); 5480 return; 5481 } 5482 5483 fd = (int)uap->fd; 5484 5485 if ((so = au_getsonode(fd, &err, &fp)) == NULL) { 5486 /* Turn off audit record generation here. */ 5487 tad->tad_flag = 0; 5488 /* free any residual audit data */ 5489 au_close(kctx, &(u_ad), 0, 0, 0); 5490 return; 5491 } 5492 5493 /* get path from file struct here */ 5494 fad = F2A(fp); 5495 ASSERT(fad); 5496 5497 /* 5498 * already processed this file for write attempt 5499 */ 5500 if (fad->fad_flags & FAD_WRITE) { 5501 releasef(fd); 5502 /* don't really want to audit every send call */ 5503 tad->tad_flag = 0; 5504 /* free any residual audit data */ 5505 au_close(kctx, &(u_ad), 0, 0, 0); 5506 return; 5507 } 5508 5509 /* mark things so we know what happened and don't repeat things */ 5510 fad->fad_flags |= FAD_WRITE; 5511 5512 so_family = so->so_family; 5513 so_type = so->so_type; 5514 5515 switch (so_family) { 5516 case AF_INET: 5517 case AF_INET6: 5518 /* 5519 * Only for connections. 5520 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5521 */ 5522 if (so->so_state & SS_ISBOUND) { 5523 5524 bzero((void *)so_laddr, sizeof (so_laddr)); 5525 bzero((void *)so_faddr, sizeof (so_faddr)); 5526 5527 /* only done once on a connection */ 5528 (void) SOP_GETSOCKNAME(so); 5529 (void) SOP_GETPEERNAME(so); 5530 5531 /* get local and foreign addresses */ 5532 mutex_enter(&so->so_lock); 5533 len = min(so->so_laddr_len, sizeof (so_laddr)); 5534 bcopy(so->so_laddr_sa, so_laddr, len); 5535 len = min(so->so_faddr_len, sizeof (so_faddr)); 5536 bcopy(so->so_faddr_sa, so_faddr, len); 5537 mutex_exit(&so->so_lock); 5538 5539 /* 5540 * only way to drop out of switch. Note that we 5541 * we release fd below. 5542 */ 5543 5544 break; 5545 } 5546 5547 releasef(fd); 5548 /* don't really want to audit every send call */ 5549 tad->tad_flag = 0; 5550 /* free any residual audit data */ 5551 au_close(kctx, &(u_ad), 0, 0, 0); 5552 5553 return; 5554 5555 case AF_UNIX: 5556 5557 if (fad->fad_aupath != NULL) { 5558 au_uwrite(au_to_path(fad->fad_aupath)); 5559 } else { 5560 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5561 } 5562 5563 audit_attributes(fp->f_vnode); 5564 5565 releasef(fd); 5566 5567 return; 5568 5569 default: 5570 releasef(fd); 5571 5572 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5573 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5574 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5575 5576 return; 5577 } 5578 5579 releasef(fd); 5580 5581 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5582 5583 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5584 } 5585 5586 static au_event_t 5587 aui_forksys(au_event_t e) 5588 { 5589 struct a { 5590 long subcode; 5591 long flags; 5592 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5593 5594 switch ((uint_t)uap->subcode) { 5595 case 0: 5596 e = AUE_FORK1; 5597 break; 5598 case 1: 5599 e = AUE_FORKALL; 5600 break; 5601 case 2: 5602 e = AUE_VFORK; 5603 break; 5604 default: 5605 e = AUE_NULL; 5606 break; 5607 } 5608 5609 return (e); 5610 } 5611