1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
  25  */
  26 
  27 /*
  28  * This file contains the audit event table used to control the production
  29  * of audit records for each system call.
  30  */
  31 
  32 #include <sys/policy.h>
  33 #include <sys/cred.h>
  34 #include <sys/types.h>
  35 #include <sys/systm.h>
  36 #include <sys/systeminfo.h>       /* for sysinfo auditing */
  37 #include <sys/utsname.h>  /* for sysinfo auditing */
  38 #include <sys/proc.h>
  39 #include <sys/vnode.h>
  40 #include <sys/mman.h>             /* for mmap(2) auditing etc. */
  41 #include <sys/fcntl.h>
  42 #include <sys/modctl.h>           /* for modctl auditing */
  43 #include <sys/vnode.h>
  44 #include <sys/user.h>
  45 #include <sys/types.h>
  46 #include <sys/processor.h>
  47 #include <sys/procset.h>
  48 #include <sys/acl.h>
  49 #include <sys/ipc.h>
  50 #include <sys/door.h>
  51 #include <sys/sem.h>
  52 #include <sys/msg.h>
  53 #include <sys/shm.h>
  54 #include <sys/kmem.h>
  55 #include <sys/file.h>             /* for accept */
  56 #include <sys/utssys.h>           /* for fuser */
  57 #include <sys/tsol/label.h>
  58 #include <sys/tsol/tndb.h>
  59 #include <sys/tsol/tsyscall.h>
  60 #include <c2/audit.h>
  61 #include <c2/audit_kernel.h>
  62 #include <c2/audit_kevents.h>
  63 #include <c2/audit_record.h>
  64 #include <sys/procset.h>
  65 #include <nfs/mount.h>
  66 #include <sys/param.h>
  67 #include <sys/debug.h>
  68 #include <sys/sysmacros.h>
  69 #include <sys/stream.h>
  70 #include <sys/strsubr.h>
  71 #include <sys/stropts.h>
  72 #include <sys/tihdr.h>
  73 #include <sys/socket.h>
  74 #include <sys/socketvar.h>
  75 #include <sys/vfs_opreg.h>
  76 #include <fs/sockfs/sockcommon.h>
  77 #include <netinet/in.h>
  78 #include <sys/ddi.h>
  79 #include <sys/port_impl.h>
  80 #include <sys/secflags.h>
  81 
  82 static au_event_t       aui_fchownat(au_event_t);
  83 static au_event_t       aui_fchmodat(au_event_t);
  84 static au_event_t       aui_open(au_event_t);
  85 static au_event_t       aui_openat(au_event_t);
  86 static au_event_t       aui_unlinkat(au_event_t);
  87 static au_event_t       aui_fstatat(au_event_t);
  88 static au_event_t       aui_msgsys(au_event_t);
  89 static au_event_t       aui_shmsys(au_event_t);
  90 static au_event_t       aui_semsys(au_event_t);
  91 static au_event_t       aui_utssys(au_event_t);
  92 static au_event_t       aui_fcntl(au_event_t);
  93 static au_event_t       aui_execve(au_event_t);
  94 static au_event_t       aui_memcntl(au_event_t);
  95 static au_event_t       aui_sysinfo(au_event_t);
  96 static au_event_t       aui_portfs(au_event_t);
  97 static au_event_t       aui_auditsys(au_event_t);
  98 static au_event_t       aui_modctl(au_event_t);
  99 static au_event_t       aui_acl(au_event_t);
 100 static au_event_t       aui_doorfs(au_event_t);
 101 static au_event_t       aui_privsys(au_event_t);
 102 static au_event_t       aui_forksys(au_event_t);
 103 static au_event_t       aui_labelsys(au_event_t);
 104 static au_event_t       aui_setpgrp(au_event_t);
 105 
 106 
 107 static void     aus_exit(struct t_audit_data *);
 108 static void     aus_open(struct t_audit_data *);
 109 static void     aus_openat(struct t_audit_data *);
 110 static void     aus_acl(struct t_audit_data *);
 111 static void     aus_acct(struct t_audit_data *);
 112 static void     aus_chown(struct t_audit_data *);
 113 static void     aus_fchown(struct t_audit_data *);
 114 static void     aus_lchown(struct t_audit_data *);
 115 static void     aus_fchownat(struct t_audit_data *);
 116 static void     aus_chmod(struct t_audit_data *);
 117 static void     aus_facl(struct t_audit_data *);
 118 static void     aus_fchmod(struct t_audit_data *);
 119 static void     aus_fchmodat(struct t_audit_data *);
 120 static void     aus_fcntl(struct t_audit_data *);
 121 static void     aus_mkdir(struct t_audit_data *);
 122 static void     aus_mkdirat(struct t_audit_data *);
 123 static void     aus_mknod(struct t_audit_data *);
 124 static void     aus_mknodat(struct t_audit_data *);
 125 static void     aus_mount(struct t_audit_data *);
 126 static void     aus_umount2(struct t_audit_data *);
 127 static void     aus_msgsys(struct t_audit_data *);
 128 static void     aus_semsys(struct t_audit_data *);
 129 static void     aus_close(struct t_audit_data *);
 130 static void     aus_fstatfs(struct t_audit_data *);
 131 static void     aus_setgid(struct t_audit_data *);
 132 static void     aus_setpgrp(struct t_audit_data *);
 133 static void     aus_setuid(struct t_audit_data *);
 134 static void     aus_shmsys(struct t_audit_data *);
 135 static void     aus_doorfs(struct t_audit_data *);
 136 static void     aus_ioctl(struct t_audit_data *);
 137 static void     aus_memcntl(struct t_audit_data *);
 138 static void     aus_mmap(struct t_audit_data *);
 139 static void     aus_munmap(struct t_audit_data *);
 140 static void     aus_priocntlsys(struct t_audit_data *);
 141 static void     aus_setegid(struct t_audit_data *);
 142 static void     aus_setgroups(struct t_audit_data *);
 143 static void     aus_seteuid(struct t_audit_data *);
 144 static void     aus_putmsg(struct t_audit_data *);
 145 static void     aus_putpmsg(struct t_audit_data *);
 146 static void     aus_getmsg(struct t_audit_data *);
 147 static void     aus_getpmsg(struct t_audit_data *);
 148 static void     aus_auditsys(struct t_audit_data *);
 149 static void     aus_sysinfo(struct t_audit_data *);
 150 static void     aus_modctl(struct t_audit_data *);
 151 static void     aus_kill(struct t_audit_data *);
 152 static void     aus_setregid(struct t_audit_data *);
 153 static void     aus_setreuid(struct t_audit_data *);
 154 static void     aus_labelsys(struct t_audit_data *);
 155 
 156 static void     auf_mknod(struct t_audit_data *, int, rval_t *);
 157 static void     auf_mknodat(struct t_audit_data *, int, rval_t *);
 158 static void     auf_msgsys(struct t_audit_data *, int, rval_t *);
 159 static void     auf_semsys(struct t_audit_data *, int, rval_t *);
 160 static void     auf_shmsys(struct t_audit_data *, int, rval_t *);
 161 static void     auf_read(struct t_audit_data *, int, rval_t *);
 162 static void     auf_write(struct t_audit_data *, int, rval_t *);
 163 
 164 static void     aus_sigqueue(struct t_audit_data *);
 165 static void     aus_p_online(struct t_audit_data *);
 166 static void     aus_processor_bind(struct t_audit_data *);
 167 static void     aus_inst_sync(struct t_audit_data *);
 168 static void     aus_brandsys(struct t_audit_data *);
 169 
 170 static void     auf_accept(struct t_audit_data *, int, rval_t *);
 171 
 172 static void     auf_bind(struct t_audit_data *, int, rval_t *);
 173 static void     auf_connect(struct t_audit_data *, int, rval_t *);
 174 static void     aus_shutdown(struct t_audit_data *);
 175 static void     auf_setsockopt(struct t_audit_data *, int, rval_t *);
 176 static void     aus_sockconfig(struct t_audit_data *);
 177 static void     auf_recv(struct t_audit_data *, int, rval_t *);
 178 static void     auf_recvmsg(struct t_audit_data *, int, rval_t *);
 179 static void     auf_send(struct t_audit_data *, int, rval_t *);
 180 static void     auf_sendmsg(struct t_audit_data *, int, rval_t *);
 181 static void     auf_recvfrom(struct t_audit_data *, int, rval_t *);
 182 static void     auf_sendto(struct t_audit_data *, int, rval_t *);
 183 static void     aus_socket(struct t_audit_data *);
 184 /*
 185  * This table contains mapping information for converting system call numbers
 186  * to audit event IDs. In several cases it is necessary to map a single system
 187  * call to several events.
 188  */
 189 
 190 #define aui_null        NULL    /* NULL initialize function */
 191 #define aus_null        NULL    /* NULL start function */
 192 #define auf_null        NULL    /* NULL finish function */
 193 
 194 struct audit_s2e audit_s2e[] =
 195 {
 196 /*
 197  * ----------   ----------      ----------      ----------
 198  * INITIAL      AUDIT           START           SYSTEM
 199  * PROCESSING   EVENT           PROCESSING      CALL
 200  * ----------   ----------      ----------      -----------
 201  *              FINISH          EVENT
 202  *              PROCESSING      CONTROL
 203  * ----------------------------------------------------------
 204  */
 205 aui_null,       AUE_NULL,       aus_null,       /* 0 unused (indirect) */
 206                 auf_null,       0,
 207 aui_null,       AUE_EXIT,       aus_exit,       /* 1 exit */
 208                 auf_null,       S2E_NPT,
 209 aui_null,       AUE_PSECFLAGS,  aus_null,       /* 2 psecflags */
 210                 auf_null,       0,
 211 aui_null,       AUE_READ,       aus_null,       /* 3 read */
 212                 auf_read,       S2E_PUB,
 213 aui_null,       AUE_WRITE,      aus_null,       /* 4 write */
 214                 auf_write,      0,
 215 aui_open,       AUE_OPEN,       aus_open,       /* 5 open */
 216                 auf_null,       S2E_SP,
 217 aui_null,       AUE_CLOSE,      aus_close,      /* 6 close */
 218                 auf_null,       0,
 219 aui_null,       AUE_LINK,       aus_null,       /* 7 linkat */
 220                 auf_null,       0,
 221 aui_null,       AUE_NULL,       aus_null,       /* 8 (loadable) was creat */
 222                 auf_null,       0,
 223 aui_null,       AUE_LINK,       aus_null,       /* 9 link */
 224                 auf_null,       0,
 225 aui_null,       AUE_UNLINK,     aus_null,       /* 10 unlink */
 226                 auf_null,       0,
 227 aui_null,       AUE_SYMLINK,    aus_null,       /* 11 symlinkat */
 228                 auf_null,       0,
 229 aui_null,       AUE_CHDIR,      aus_null,       /* 12 chdir */
 230                 auf_null,       S2E_SP,
 231 aui_null,       AUE_NULL,       aus_null,       /* 13 time */
 232                 auf_null,       0,
 233 aui_null,       AUE_MKNOD,      aus_mknod,      /* 14 mknod */
 234                 auf_mknod,      S2E_MLD,
 235 aui_null,       AUE_CHMOD,      aus_chmod,      /* 15 chmod */
 236                 auf_null,       0,
 237 aui_null,       AUE_CHOWN,      aus_chown,      /* 16 chown */
 238                 auf_null,       0,
 239 aui_null,       AUE_NULL,       aus_null,       /* 17 brk */
 240                 auf_null,       0,
 241 aui_null,       AUE_STAT,       aus_null,       /* 18 stat */
 242                 auf_null,       S2E_PUB,
 243 aui_null,       AUE_NULL,       aus_null,       /* 19 lseek */
 244                 auf_null,       0,
 245 aui_null,       AUE_NULL,       aus_null,       /* 20 getpid */
 246                 auf_null,       0,
 247 aui_null,       AUE_MOUNT,      aus_mount,      /* 21 mount */
 248                 auf_null,       S2E_MLD,
 249 aui_null,       AUE_READLINK,   aus_null,       /* 22 readlinkat */
 250                 auf_null,       S2E_PUB,
 251 aui_null,       AUE_SETUID,     aus_setuid,     /* 23 setuid */
 252                 auf_null,       0,
 253 aui_null,       AUE_NULL,       aus_null,       /* 24 getuid */
 254                 auf_null,       0,
 255 aui_null,       AUE_STIME,      aus_null,       /* 25 stime */
 256                 auf_null,       0,
 257 aui_null,       AUE_NULL,       aus_null,       /* 26 pcsample */
 258                 auf_null,       0,
 259 aui_null,       AUE_NULL,       aus_null,       /* 27 alarm */
 260                 auf_null,       0,
 261 aui_null,       AUE_NULL,       aus_null,       /* 28 fstat */
 262                 auf_null,       0,
 263 aui_null,       AUE_NULL,       aus_null,       /* 29 pause */
 264                 auf_null,       0,
 265 aui_null,       AUE_NULL,       aus_null,       /* 30 (loadable) was utime */
 266                 auf_null,       0,
 267 aui_null,       AUE_NULL,       aus_null,       /* 31 stty (TIOCSETP-audit?) */
 268                 auf_null,       0,
 269 aui_null,       AUE_NULL,       aus_null,       /* 32 gtty */
 270                 auf_null,       0,
 271 aui_null,       AUE_ACCESS,     aus_null,       /* 33 access */
 272                 auf_null,       S2E_PUB,
 273 aui_null,       AUE_NICE,       aus_null,       /* 34 nice */
 274                 auf_null,       0,
 275 aui_null,       AUE_STATFS,     aus_null,       /* 35 statfs */
 276                 auf_null,       S2E_PUB,
 277 aui_null,       AUE_NULL,       aus_null,       /* 36 sync */
 278                 auf_null,       0,
 279 aui_null,       AUE_KILL,       aus_kill,       /* 37 kill */
 280                 auf_null,       0,
 281 aui_null,       AUE_FSTATFS,    aus_fstatfs,    /* 38 fstatfs */
 282                 auf_null,       S2E_PUB,
 283 aui_setpgrp,    AUE_SETPGRP,    aus_setpgrp,    /* 39 setpgrp */
 284                 auf_null,       0,
 285 aui_null,       AUE_NULL,       aus_null,       /* 40 uucopystr */
 286                 auf_null,       0,
 287 aui_null,       AUE_NULL,       aus_null,       /* 41 (loadable) was dup */
 288                 auf_null,       0,
 289 aui_null,       AUE_PIPE,       aus_null,       /* 42 (loadable) pipe */
 290                 auf_null,       0,
 291 aui_null,       AUE_NULL,       aus_null,       /* 43 times */
 292                 auf_null,       0,
 293 aui_null,       AUE_NULL,       aus_null,       /* 44 profil */
 294                 auf_null,       0,
 295 aui_null,       AUE_ACCESS,     aus_null,       /* 45 faccessat */
 296                 auf_null,       S2E_PUB,
 297 aui_null,       AUE_SETGID,     aus_setgid,     /* 46 setgid */
 298                 auf_null,       0,
 299 aui_null,       AUE_NULL,       aus_null,       /* 47 getgid */
 300                 auf_null,       0,
 301 aui_null,       AUE_MKNOD,      aus_mknodat,    /* 48 mknodat */
 302                 auf_mknodat,    S2E_MLD,
 303 aui_msgsys,     AUE_MSGSYS,     aus_msgsys,     /* 49 (loadable) msgsys */
 304                 auf_msgsys,     0,
 305 #if defined(__x86)
 306 aui_null,       AUE_NULL,       aus_null,       /* 50 sysi86 */
 307                 auf_null,       0,
 308 #else
 309 aui_null,       AUE_NULL,       aus_null,       /* 50 (loadable) was sys3b */
 310                 auf_null,       0,
 311 #endif /* __x86 */
 312 aui_null,       AUE_ACCT,       aus_acct,       /* 51 (loadable) sysacct */
 313                 auf_null,       0,
 314 aui_shmsys,     AUE_SHMSYS,     aus_shmsys,     /* 52 (loadable) shmsys */
 315                 auf_shmsys,     0,
 316 aui_semsys,     AUE_SEMSYS,     aus_semsys,     /* 53 (loadable) semsys */
 317                 auf_semsys,     0,
 318 aui_null,       AUE_IOCTL,      aus_ioctl,      /* 54 ioctl */
 319                 auf_null,       0,
 320 aui_null,       AUE_NULL,       aus_null,       /* 55 uadmin */
 321                 auf_null,       0,
 322 aui_fchownat,   AUE_NULL,       aus_fchownat,   /* 56 fchownat */
 323                 auf_null,       0,
 324 aui_utssys,     AUE_FUSERS,     aus_null,       /* 57 utssys */
 325                 auf_null,       0,
 326 aui_null,       AUE_NULL,       aus_null,       /* 58 fsync */
 327                 auf_null,       0,
 328 aui_execve,     AUE_EXECVE,     aus_null,       /* 59 exece */
 329                 auf_null,       S2E_MLD,
 330 aui_null,       AUE_NULL,       aus_null,       /* 60 umask */
 331                 auf_null,       0,
 332 aui_null,       AUE_CHROOT,     aus_null,       /* 61 chroot */
 333                 auf_null,       S2E_SP,
 334 aui_fcntl,      AUE_FCNTL,      aus_fcntl,      /* 62 fcntl */
 335                 auf_null,       0,
 336 aui_null,       AUE_NULL,       aus_null,       /* 63 ulimit */
 337                 auf_null,       0,
 338 aui_null,       AUE_RENAME,     aus_null,       /* 64 renameat */
 339                 auf_null,       0,
 340 aui_unlinkat,   AUE_NULL,       aus_null,       /* 65 unlinkat */
 341                 auf_null,       0,
 342 aui_fstatat,    AUE_NULL,       aus_null,       /* 66 fstatat */
 343                 auf_null,       S2E_PUB,
 344 aui_fstatat,    AUE_NULL,       aus_null,       /* 67 fstatat64 */
 345                 auf_null,       S2E_PUB,
 346 aui_openat,     AUE_OPEN,       aus_openat,     /* 68 openat */
 347                 auf_null,       S2E_SP,
 348 aui_openat,     AUE_OPEN,       aus_openat,     /* 69 openat64 */
 349                 auf_null,       S2E_SP,
 350 aui_null,       AUE_NULL,       aus_null,       /* 70 tasksys */
 351                 auf_null,       0,
 352 aui_null,       AUE_NULL,       aus_null,       /* 71 (loadable) acctctl */
 353                 auf_null,       0,
 354 aui_null,       AUE_NULL,       aus_null,       /* 72 (loadable) exacct */
 355                 auf_null,       0,
 356 aui_null,       AUE_NULL,       aus_null,       /* 73 getpagesizes */
 357                 auf_null,       0,
 358 aui_null,       AUE_NULL,       aus_null,       /* 74 rctlsys */
 359                 auf_null,       0,
 360 aui_null,       AUE_NULL,       aus_null,       /* 75 sidsys */
 361                 auf_null,       0,
 362 aui_null,       AUE_NULL,       aus_null,       /* 76 (loadable) was fsat */
 363                 auf_null,       0,
 364 aui_null,       AUE_NULL,       aus_null,       /* 77 syslwp_park */
 365                 auf_null,       0,
 366 aui_null,       AUE_NULL,       aus_null,       /* 78 sendfilev */
 367                 auf_null,       0,
 368 aui_null,       AUE_RMDIR,      aus_null,       /* 79 rmdir */
 369                 auf_null,       0,
 370 aui_null,       AUE_MKDIR,      aus_mkdir,      /* 80 mkdir */
 371                 auf_null,       0,
 372 aui_null,       AUE_NULL,       aus_null,       /* 81 getdents */
 373                 auf_null,       0,
 374 aui_privsys,    AUE_NULL,       aus_null,       /* 82 privsys */
 375                 auf_null,       0,
 376 aui_null,       AUE_NULL,       aus_null,       /* 83 ucredsys */
 377                 auf_null,       0,
 378 aui_null,       AUE_NULL,       aus_null,       /* 84 sysfs */
 379                 auf_null,       0,
 380 aui_null,       AUE_GETMSG,     aus_getmsg,     /* 85 getmsg */
 381                 auf_null,       0,
 382 aui_null,       AUE_PUTMSG,     aus_putmsg,     /* 86 putmsg */
 383                 auf_null,       0,
 384 aui_null,       AUE_NULL,       aus_null,       /* 87 (loadable) was poll */
 385                 auf_null,       0,
 386 aui_null,       AUE_LSTAT,      aus_null,       /* 88 lstat */
 387                 auf_null,       S2E_PUB,
 388 aui_null,       AUE_SYMLINK,    aus_null,       /* 89 symlink */
 389                 auf_null,       0,
 390 aui_null,       AUE_READLINK,   aus_null,       /* 90 readlink */
 391                 auf_null,       S2E_PUB,
 392 aui_null,       AUE_SETGROUPS,  aus_setgroups,  /* 91 setgroups */
 393                 auf_null,       0,
 394 aui_null,       AUE_NULL,       aus_null,       /* 92 getgroups */
 395                 auf_null,       0,
 396 aui_null,       AUE_FCHMOD,     aus_fchmod,     /* 93 fchmod */
 397                 auf_null,       0,
 398 aui_null,       AUE_FCHOWN,     aus_fchown,     /* 94 fchown */
 399                 auf_null,       0,
 400 aui_null,       AUE_NULL,       aus_null,       /* 95 sigprocmask */
 401                 auf_null,       0,
 402 aui_null,       AUE_NULL,       aus_null,       /* 96 sigsuspend */
 403                 auf_null,       0,
 404 aui_null,       AUE_NULL,       aus_null,       /* 97 sigaltstack */
 405                 auf_null,       0,
 406 aui_null,       AUE_NULL,       aus_null,       /* 98 sigaction */
 407                 auf_null,       0,
 408 aui_null,       AUE_NULL,       aus_null,       /* 99 sigpending */
 409                 auf_null,       0,
 410 aui_null,       AUE_NULL,       aus_null,       /* 100 setcontext */
 411                 auf_null,       0,
 412 aui_fchmodat,   AUE_NULL,       aus_fchmodat,   /* 101 fchmodat */
 413                 auf_null,       0,
 414 aui_null,       AUE_MKDIR,      aus_mkdirat,    /* 102 mkdirat */
 415                 auf_null,       0,
 416 aui_null,       AUE_STATVFS,    aus_null,       /* 103 statvfs */
 417                 auf_null,       S2E_PUB,
 418 aui_null,       AUE_NULL,       aus_null,       /* 104 fstatvfs */
 419                 auf_null,       0,
 420 aui_null,       AUE_NULL,       aus_null,       /* 105 getloadavg */
 421                 auf_null,       0,
 422 aui_null,       AUE_NULL,       aus_null,       /* 106 nfssys */
 423                 auf_null,       0,
 424 aui_null,       AUE_NULL,       aus_null,       /* 107 waitsys */
 425                 auf_null,       0,
 426 aui_null,       AUE_NULL,       aus_null,       /* 108 sigsendsys */
 427                 auf_null,       0,
 428 #if defined(__x86)
 429 aui_null,       AUE_NULL,       aus_null,       /* 109 hrtsys */
 430                 auf_null,       0,
 431 #else
 432 aui_null,       AUE_NULL,       aus_null,       /* 109 (loadable) */
 433                 auf_null,       0,
 434 #endif /* __x86 */
 435 aui_null,       AUE_UTIMES,     aus_null,       /* 110 utimesys */
 436                 auf_null,       0,
 437 aui_null,       AUE_NULL,       aus_null,       /* 111 sigresend */
 438                 auf_null,       0,
 439 aui_null,       AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
 440                 auf_null,       0,
 441 aui_null,       AUE_PATHCONF,   aus_null,       /* 113 pathconf */
 442                 auf_null,       S2E_PUB,
 443 aui_null,       AUE_NULL,       aus_null,       /* 114 mincore */
 444                 auf_null,       0,
 445 aui_null,       AUE_MMAP,       aus_mmap,       /* 115 mmap */
 446                 auf_null,       0,
 447 aui_null,       AUE_NULL,       aus_null,       /* 116 mprotect */
 448                 auf_null,       0,
 449 aui_null,       AUE_MUNMAP,     aus_munmap,     /* 117 munmap */
 450                 auf_null,       0,
 451 aui_null,       AUE_NULL,       aus_null,       /* 118 fpathconf */
 452                 auf_null,       0,
 453 aui_null,       AUE_VFORK,      aus_null,       /* 119 vfork */
 454                 auf_null,       0,
 455 aui_null,       AUE_FCHDIR,     aus_null,       /* 120 fchdir */
 456                 auf_null,       0,
 457 aui_null,       AUE_READ,       aus_null,       /* 121 readv */
 458                 auf_read,       S2E_PUB,
 459 aui_null,       AUE_WRITE,      aus_null,       /* 122 writev */
 460                 auf_write,      0,
 461 aui_null,       AUE_NULL,       aus_null,       /* 123 (loadable) was xstat */
 462                 auf_null,       0,
 463 aui_null,       AUE_NULL,       aus_null,       /* 124 (loadable) was lxstat */
 464                 auf_null,       0,
 465 aui_null,       AUE_NULL,       aus_null,       /* 125 (loadable) was fxstat */
 466                 auf_null,       0,
 467 aui_null,       AUE_NULL,       aus_null,       /* 126 (loadable) was xmknod */
 468                 auf_null,       0,
 469 aui_null,       AUE_NULL,       aus_null,       /* 127 mmapobj */
 470                 auf_null,       0,
 471 aui_null,       AUE_SETRLIMIT,  aus_null,       /* 128 setrlimit */
 472                 auf_null,       0,
 473 aui_null,       AUE_NULL,       aus_null,       /* 129 getrlimit */
 474                 auf_null,       0,
 475 aui_null,       AUE_LCHOWN,     aus_lchown,     /* 130 lchown */
 476                 auf_null,       0,
 477 aui_memcntl,    AUE_MEMCNTL,    aus_memcntl,    /* 131 memcntl */
 478                 auf_null,       0,
 479 aui_null,       AUE_GETPMSG,    aus_getpmsg,    /* 132 getpmsg */
 480                 auf_null,       0,
 481 aui_null,       AUE_PUTPMSG,    aus_putpmsg,    /* 133 putpmsg */
 482                 auf_null,       0,
 483 aui_null,       AUE_RENAME,     aus_null,       /* 134 rename */
 484                 auf_null,       0,
 485 aui_null,       AUE_NULL,       aus_null,       /* 135 uname */
 486                 auf_null,       0,
 487 aui_null,       AUE_SETEGID,    aus_setegid,    /* 136 setegid */
 488                 auf_null,       0,
 489 aui_null,       AUE_NULL,       aus_null,       /* 137 sysconfig */
 490                 auf_null,       0,
 491 aui_null,       AUE_ADJTIME,    aus_null,       /* 138 adjtime */
 492                 auf_null,       0,
 493 aui_sysinfo,    AUE_SYSINFO,    aus_sysinfo,    /* 139 systeminfo */
 494                 auf_null,       0,
 495 aui_null,       AUE_NULL,       aus_null,       /* 140 (loadable) sharefs */
 496                 auf_null,       0,
 497 aui_null,       AUE_SETEUID,    aus_seteuid,    /* 141 seteuid */
 498                 auf_null,       0,
 499 aui_forksys,    AUE_NULL,       aus_null,       /* 142 forksys */
 500                 auf_null,       0,
 501 aui_null,       AUE_NULL,       aus_null,       /* 143 (loadable) was fork1 */
 502                 auf_null,       0,
 503 aui_null,       AUE_NULL,       aus_null,       /* 144 sigwait */
 504                 auf_null,       0,
 505 aui_null,       AUE_NULL,       aus_null,       /* 145 lwp_info */
 506                 auf_null,       0,
 507 aui_null,       AUE_NULL,       aus_null,       /* 146 yield */
 508                 auf_null,       0,
 509 aui_null,       AUE_NULL,       aus_null,       /* 147 (loadable) */
 510                                                 /*      was lwp_sema_wait */
 511                 auf_null,       0,
 512 aui_null,       AUE_NULL,       aus_null,       /* 148 lwp_sema_post */
 513                 auf_null,       0,
 514 aui_null,       AUE_NULL,       aus_null,       /* 149 lwp_sema_trywait */
 515                 auf_null,       0,
 516 aui_null,       AUE_NULL,       aus_null,       /* 150 lwp_detach */
 517                 auf_null,       0,
 518 aui_null,       AUE_NULL,       aus_null,       /* 151 corectl */
 519                 auf_null,       0,
 520 aui_modctl,     AUE_MODCTL,     aus_modctl,     /* 152 modctl */
 521                 auf_null,       0,
 522 aui_null,       AUE_FCHROOT,    aus_null,       /* 153 fchroot */
 523                 auf_null,       0,
 524 aui_null,       AUE_NULL,       aus_null,       /* 154 (loadable) was utimes */
 525                 auf_null,       0,
 526 aui_null,       AUE_NULL,       aus_null,       /* 155 vhangup */
 527                 auf_null,       0,
 528 aui_null,       AUE_NULL,       aus_null,       /* 156 gettimeofday */
 529                 auf_null,       0,
 530 aui_null,       AUE_NULL,       aus_null,       /* 157 getitimer */
 531                 auf_null,       0,
 532 aui_null,       AUE_NULL,       aus_null,       /* 158 setitimer */
 533                 auf_null,       0,
 534 aui_null,       AUE_NULL,       aus_null,       /* 159 lwp_create */
 535                 auf_null,       0,
 536 aui_null,       AUE_NULL,       aus_null,       /* 160 lwp_exit */
 537                 auf_null,       0,
 538 aui_null,       AUE_NULL,       aus_null,       /* 161 lwp_suspend */
 539                 auf_null,       0,
 540 aui_null,       AUE_NULL,       aus_null,       /* 162 lwp_continue */
 541                 auf_null,       0,
 542 aui_null,       AUE_NULL,       aus_null,       /* 163 lwp_kill */
 543                 auf_null,       0,
 544 aui_null,       AUE_NULL,       aus_null,       /* 164 lwp_self */
 545                 auf_null,       0,
 546 aui_null,       AUE_NULL,       aus_null,       /* 165 lwp_sigmask */
 547                 auf_null,       0,
 548 aui_null,       AUE_NULL,       aus_null,       /* 166 lwp_private */
 549                 auf_null,       0,
 550 aui_null,       AUE_NULL,       aus_null,       /* 167 lwp_wait */
 551                 auf_null,       0,
 552 aui_null,       AUE_NULL,       aus_null,       /* 168 lwp_mutex_wakeup  */
 553                 auf_null,       0,
 554 aui_null,       AUE_NULL,       aus_null,       /* 169 (loadable) */
 555                                                 /*      was lwp_mutex_lock */
 556                 auf_null,       0,
 557 aui_null,       AUE_NULL,       aus_null,       /* 170 lwp_cond_wait */
 558                 auf_null,       0,
 559 aui_null,       AUE_NULL,       aus_null,       /* 171 lwp_cond_signal */
 560                 auf_null,       0,
 561 aui_null,       AUE_NULL,       aus_null,       /* 172 lwp_cond_broadcast */
 562                 auf_null,       0,
 563 aui_null,       AUE_READ,       aus_null,       /* 173 pread */
 564                 auf_read,       S2E_PUB,
 565 aui_null,       AUE_WRITE,      aus_null,       /* 174 pwrite */
 566                 auf_write,      0,
 567 aui_null,       AUE_NULL,       aus_null,       /* 175 llseek */
 568                 auf_null,       0,
 569 aui_null,       AUE_INST_SYNC,  aus_inst_sync,  /* 176 (loadable) inst_sync */
 570                 auf_null,       0,
 571 aui_null,       AUE_BRANDSYS,   aus_brandsys,   /* 177 brandsys */
 572                 auf_null,       0,
 573 aui_null,       AUE_NULL,       aus_null,       /* 178 (loadable) kaio */
 574                 auf_null,       0,
 575 aui_null,       AUE_NULL,       aus_null,       /* 179 (loadable) cpc */
 576                 auf_null,       0,
 577 aui_null,       AUE_NULL,       aus_null,       /* 180 lgrpsys */
 578                 auf_null,       0,
 579 aui_null,       AUE_NULL,       aus_null,       /* 181 rusagesys */
 580                 auf_null,       0,
 581 aui_portfs,     AUE_PORTFS,     aus_null,       /* 182 (loadable) portfs */
 582                 auf_null,       S2E_MLD,
 583 aui_null,       AUE_NULL,       aus_null,       /* 183 pollsys */
 584                 auf_null,       0,
 585 aui_labelsys,   AUE_NULL,       aus_labelsys,   /* 184 labelsys */
 586                 auf_null,       0,
 587 aui_acl,        AUE_ACLSET,     aus_acl,        /* 185 acl */
 588                 auf_null,       0,
 589 aui_auditsys,   AUE_AUDITSYS,   aus_auditsys,   /* 186 auditsys  */
 590                 auf_null,       0,
 591 aui_null,       AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
 592                 auf_null,       0,
 593 aui_null,       AUE_NULL,       aus_null,       /* 188 processor_info */
 594                 auf_null,       0,
 595 aui_null,       AUE_P_ONLINE,   aus_p_online,   /* 189 p_online */
 596                 auf_null,       0,
 597 aui_null,       AUE_NULL,       aus_sigqueue,   /* 190 sigqueue */
 598                 auf_null,       0,
 599 aui_null,       AUE_NULL,       aus_null,       /* 191 clock_gettime */
 600                 auf_null,       0,
 601 aui_null,       AUE_CLOCK_SETTIME,      aus_null,       /* 192 clock_settime */
 602                 auf_null,       0,
 603 aui_null,       AUE_NULL,       aus_null,       /* 193 clock_getres */
 604                 auf_null,       0,
 605 aui_null,       AUE_NULL,       aus_null,       /* 194 timer_create */
 606                 auf_null,       0,
 607 aui_null,       AUE_NULL,       aus_null,       /* 195 timer_delete */
 608                 auf_null,       0,
 609 aui_null,       AUE_NULL,       aus_null,       /* 196 timer_settime */
 610                 auf_null,       0,
 611 aui_null,       AUE_NULL,       aus_null,       /* 197 timer_gettime */
 612                 auf_null,       0,
 613 aui_null,       AUE_NULL,       aus_null,       /* 198 timer_getoverrun */
 614                 auf_null,       0,
 615 aui_null,       AUE_NULL,       aus_null,       /* 199 nanosleep */
 616                 auf_null,       0,
 617 aui_acl,        AUE_FACLSET,    aus_facl,       /* 200 facl */
 618                 auf_null,       0,
 619 aui_doorfs,     AUE_DOORFS,     aus_doorfs,     /* 201 (loadable) doorfs */
 620                 auf_null,       0,
 621 aui_null,       AUE_SETREUID,   aus_setreuid,   /* 202 setreuid */
 622                 auf_null,       0,
 623 aui_null,       AUE_SETREGID,   aus_setregid,   /* 203 setregid */
 624                 auf_null,       0,
 625 aui_null,       AUE_NULL,       aus_null,       /* 204 install_utrap */
 626                 auf_null,       0,
 627 aui_null,       AUE_NULL,       aus_null,       /* 205 signotify */
 628                 auf_null,       0,
 629 aui_null,       AUE_NULL,       aus_null,       /* 206 schedctl */
 630                 auf_null,       0,
 631 aui_null,       AUE_NULL,       aus_null,       /* 207 (loadable) pset */
 632                 auf_null,       0,
 633 aui_null,       AUE_NULL,       aus_null,       /* 208 sparc_utrap_install */
 634                 auf_null,       0,
 635 aui_null,       AUE_NULL,       aus_null,       /* 209 resolvepath */
 636                 auf_null,       0,
 637 aui_null,       AUE_NULL,       aus_null,       /* 210 lwp_mutex_timedlock */
 638                 auf_null,       0,
 639 aui_null,       AUE_NULL,       aus_null,       /* 211 lwp_sema_timedwait */
 640                 auf_null,       0,
 641 aui_null,       AUE_NULL,       aus_null,       /* 212 lwp_rwlock_sys */
 642                 auf_null,       0,
 643 aui_null,       AUE_NULL,       aus_null,       /* 213 getdents64 */
 644                 auf_null,       0,
 645 aui_null,       AUE_MMAP,       aus_mmap,       /* 214 mmap64 */
 646                 auf_null,       0,
 647 aui_null,       AUE_STAT,       aus_null,       /* 215 stat64 */
 648                 auf_null,       S2E_PUB,
 649 aui_null,       AUE_LSTAT,      aus_null,       /* 216 lstat64 */
 650                 auf_null,       S2E_PUB,
 651 aui_null,       AUE_NULL,       aus_null,       /* 217 fstat64 */
 652                 auf_null,       0,
 653 aui_null,       AUE_STATVFS,    aus_null,       /* 218 statvfs64 */
 654                 auf_null,       S2E_PUB,
 655 aui_null,       AUE_NULL,       aus_null,       /* 219 fstatvfs64 */
 656                 auf_null,       0,
 657 aui_null,       AUE_SETRLIMIT,  aus_null,       /* 220 setrlimit64 */
 658                 auf_null,       0,
 659 aui_null,       AUE_NULL,       aus_null,       /* 221 getrlimit64 */
 660                 auf_null,       0,
 661 aui_null,       AUE_READ,       aus_null,       /* 222 pread64  */
 662                 auf_read,       S2E_PUB,
 663 aui_null,       AUE_WRITE,      aus_null,       /* 223 pwrite64 */
 664                 auf_write,      0,
 665 aui_null,       AUE_NULL,       aus_null,       /* 224 (loadable) was creat64 */
 666                 auf_null,       0,
 667 aui_open,       AUE_OPEN,       aus_open,       /* 225 open64 */
 668                 auf_null,       S2E_SP,
 669 aui_null,       AUE_NULL,       aus_null,       /* 226 (loadable) rpcsys */
 670                 auf_null,       0,
 671 aui_null,       AUE_NULL,       aus_null,       /* 227 zone */
 672                 auf_null,       0,
 673 aui_null,       AUE_NULL,       aus_null,       /* 228 (loadable) autofssys */
 674                 auf_null,       0,
 675 aui_null,       AUE_NULL,       aus_null,       /* 229 getcwd */
 676                 auf_null,       0,
 677 aui_null,       AUE_SOCKET,     aus_socket,     /* 230 so_socket */
 678                 auf_null,       0,
 679 aui_null,       AUE_NULL,       aus_null,       /* 231 so_socketpair */
 680                 auf_null,       0,
 681 aui_null,       AUE_BIND,       aus_null,       /* 232 bind */
 682                 auf_bind,       0,
 683 aui_null,       AUE_NULL,       aus_null,       /* 233 listen */
 684                 auf_null,       0,
 685 aui_null,       AUE_ACCEPT,     aus_null,       /* 234 accept */
 686                 auf_accept,     0,
 687 aui_null,       AUE_CONNECT,    aus_null,       /* 235 connect */
 688                 auf_connect,    0,
 689 aui_null,       AUE_SHUTDOWN,   aus_shutdown,   /* 236 shutdown */
 690                 auf_null,       0,
 691 aui_null,       AUE_READ,       aus_null,       /* 237 recv */
 692                 auf_recv,       0,
 693 aui_null,       AUE_RECVFROM,   aus_null,       /* 238 recvfrom */
 694                 auf_recvfrom,   0,
 695 aui_null,       AUE_RECVMSG,    aus_null,       /* 239 recvmsg */
 696                 auf_recvmsg,    0,
 697 aui_null,       AUE_WRITE,      aus_null,       /* 240 send */
 698                 auf_send,       0,
 699 aui_null,       AUE_SENDMSG,    aus_null,       /* 241 sendmsg */
 700                 auf_sendmsg,    0,
 701 aui_null,       AUE_SENDTO,     aus_null,       /* 242 sendto */
 702                 auf_sendto,     0,
 703 aui_null,       AUE_NULL,       aus_null,       /* 243 getpeername */
 704                 auf_null,       0,
 705 aui_null,       AUE_NULL,       aus_null,       /* 244 getsockname */
 706                 auf_null,       0,
 707 aui_null,       AUE_NULL,       aus_null,       /* 245 getsockopt */
 708                 auf_null,       0,
 709 aui_null,       AUE_SETSOCKOPT, aus_null,       /* 246 setsockopt */
 710                 auf_setsockopt, 0,
 711 aui_null,       AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
 712                 auf_null,       0,
 713 aui_null,       AUE_NULL,       aus_null,       /* 248 ntp_gettime */
 714                 auf_null,       0,
 715 aui_null,       AUE_NTP_ADJTIME, aus_null,      /* 249 ntp_adjtime */
 716                 auf_null,       0,
 717 aui_null,       AUE_NULL,       aus_null,       /* 250 lwp_mutex_unlock */
 718                 auf_null,       0,
 719 aui_null,       AUE_NULL,       aus_null,       /* 251 lwp_mutex_trylock */
 720                 auf_null,       0,
 721 aui_null,       AUE_NULL,       aus_null,       /* 252 lwp_mutex_register */
 722                 auf_null,       0,
 723 aui_null,       AUE_NULL,       aus_null,       /* 253 cladm */
 724                 auf_null,       0,
 725 aui_null,       AUE_NULL,       aus_null,       /* 254 uucopy */
 726                 auf_null,       0,
 727 aui_null,       AUE_UMOUNT2,    aus_umount2,    /* 255 umount2 */
 728                 auf_null,       0
 729 };
 730 
 731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
 732 
 733 
 734 /* exit start function */
 735 /*ARGSUSED*/
 736 static void
 737 aus_exit(struct t_audit_data *tad)
 738 {
 739         uint32_t rval;
 740         struct a {
 741                 long rval;
 742         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
 743 
 744         rval = (uint32_t)uap->rval;
 745         au_uwrite(au_to_arg32(1, "exit status", rval));
 746 }
 747 
 748 
 749 /* acct start function */
 750 /*ARGSUSED*/
 751 static void
 752 aus_acct(struct t_audit_data *tad)
 753 {
 754         klwp_t *clwp = ttolwp(curthread);
 755         uintptr_t fname;
 756 
 757         struct a {
 758                 long    fname;          /* char * */
 759         } *uap = (struct a *)clwp->lwp_ap;
 760 
 761         fname = (uintptr_t)uap->fname;
 762 
 763         if (fname == 0)
 764                 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
 765 }
 766 
 767 /* chown start function */
 768 /*ARGSUSED*/
 769 static void
 770 aus_chown(struct t_audit_data *tad)
 771 {
 772         klwp_t *clwp = ttolwp(curthread);
 773         uint32_t uid, gid;
 774 
 775         struct a {
 776                 long    fname;          /* char * */
 777                 long    uid;
 778                 long    gid;
 779         } *uap = (struct a *)clwp->lwp_ap;
 780 
 781         uid = (uint32_t)uap->uid;
 782         gid = (uint32_t)uap->gid;
 783 
 784         au_uwrite(au_to_arg32(2, "new file uid", uid));
 785         au_uwrite(au_to_arg32(3, "new file gid", gid));
 786 }
 787 
 788 /* fchown start function */
 789 /*ARGSUSED*/
 790 static void
 791 aus_fchown(struct t_audit_data *tad)
 792 {
 793         klwp_t *clwp = ttolwp(curthread);
 794         uint32_t uid, gid, fd;
 795         struct file  *fp;
 796         struct vnode *vp;
 797         struct f_audit_data *fad;
 798 
 799         struct a {
 800                 long fd;
 801                 long uid;
 802                 long gid;
 803         } *uap = (struct a *)clwp->lwp_ap;
 804 
 805         fd  = (uint32_t)uap->fd;
 806         uid = (uint32_t)uap->uid;
 807         gid = (uint32_t)uap->gid;
 808 
 809         au_uwrite(au_to_arg32(2, "new file uid", uid));
 810         au_uwrite(au_to_arg32(3, "new file gid", gid));
 811 
 812                 /*
 813                  * convert file pointer to file descriptor
 814                  *   Note: fd ref count incremented here.
 815                  */
 816         if ((fp = getf(fd)) == NULL)
 817                 return;
 818 
 819         /* get path from file struct here */
 820         fad = F2A(fp);
 821         if (fad->fad_aupath != NULL) {
 822                 au_uwrite(au_to_path(fad->fad_aupath));
 823         } else {
 824                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
 825         }
 826 
 827         vp = fp->f_vnode;
 828         audit_attributes(vp);
 829 
 830         /* decrement file descriptor reference count */
 831         releasef(fd);
 832 }
 833 
 834 /*ARGSUSED*/
 835 static void
 836 aus_lchown(struct t_audit_data *tad)
 837 {
 838         klwp_t *clwp = ttolwp(curthread);
 839         uint32_t uid, gid;
 840 
 841 
 842         struct a {
 843                 long    fname;          /* char * */
 844                 long    uid;
 845                 long    gid;
 846         } *uap = (struct a *)clwp->lwp_ap;
 847 
 848         uid = (uint32_t)uap->uid;
 849         gid = (uint32_t)uap->gid;
 850 
 851         au_uwrite(au_to_arg32(2, "new file uid", uid));
 852         au_uwrite(au_to_arg32(3, "new file gid", gid));
 853 }
 854 
 855 static au_event_t
 856 aui_fchownat(au_event_t e)
 857 {
 858         klwp_t *clwp = ttolwp(curthread);
 859 
 860         struct a {
 861                 long    fd;
 862                 long    fname;          /* char * */
 863                 long    uid;
 864                 long    gid;
 865                 long    flags;
 866         } *uap = (struct a *)clwp->lwp_ap;
 867 
 868         if (uap->fname == NULL)
 869                 e = AUE_FCHOWN;
 870         else if (uap->flags & AT_SYMLINK_NOFOLLOW)
 871                 e = AUE_LCHOWN;
 872         else
 873                 e = AUE_CHOWN;
 874 
 875         return (e);
 876 }
 877 
 878 /*ARGSUSED*/
 879 static void
 880 aus_fchownat(struct t_audit_data *tad)
 881 {
 882         klwp_t *clwp = ttolwp(curthread);
 883         uint32_t uid, gid;
 884 
 885         struct a {
 886                 long    fd;
 887                 long    fname;          /* char * */
 888                 long    uid;
 889                 long    gid;
 890                 long    flags;
 891         } *uap = (struct a *)clwp->lwp_ap;
 892 
 893         uid = (uint32_t)uap->uid;
 894         gid = (uint32_t)uap->gid;
 895 
 896         au_uwrite(au_to_arg32(3, "new file uid", uid));
 897         au_uwrite(au_to_arg32(4, "new file gid", gid));
 898 }
 899 
 900 /*ARGSUSED*/
 901 static void
 902 aus_chmod(struct t_audit_data *tad)
 903 {
 904         klwp_t *clwp = ttolwp(curthread);
 905         uint32_t fmode;
 906 
 907         struct a {
 908                 long    fname;          /* char * */
 909                 long    fmode;
 910         } *uap = (struct a *)clwp->lwp_ap;
 911 
 912         fmode = (uint32_t)uap->fmode;
 913 
 914         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
 915 }
 916 
 917 /*ARGSUSED*/
 918 static void
 919 aus_fchmod(struct t_audit_data *tad)
 920 {
 921         klwp_t *clwp = ttolwp(curthread);
 922         uint32_t fmode, fd;
 923         struct file  *fp;
 924         struct vnode *vp;
 925         struct f_audit_data *fad;
 926 
 927         struct a {
 928                 long    fd;
 929                 long    fmode;
 930         } *uap = (struct a *)clwp->lwp_ap;
 931 
 932         fd = (uint32_t)uap->fd;
 933         fmode = (uint32_t)uap->fmode;
 934 
 935         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
 936 
 937         /*
 938          * convert file pointer to file descriptor
 939          *   Note: fd ref count incremented here.
 940          */
 941         if ((fp = getf(fd)) == NULL)
 942                 return;
 943 
 944         /* get path from file struct here */
 945         fad = F2A(fp);
 946         if (fad->fad_aupath != NULL) {
 947                 au_uwrite(au_to_path(fad->fad_aupath));
 948         } else {
 949                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
 950         }
 951 
 952         vp = fp->f_vnode;
 953         audit_attributes(vp);
 954 
 955         /* decrement file descriptor reference count */
 956         releasef(fd);
 957 }
 958 
 959 static au_event_t
 960 aui_fchmodat(au_event_t e)
 961 {
 962         klwp_t *clwp = ttolwp(curthread);
 963 
 964         struct a {
 965                 long    fd;
 966                 long    fname;          /* char * */
 967                 long    fmode;
 968                 long    flag;
 969         } *uap = (struct a *)clwp->lwp_ap;
 970 
 971         if (uap->fname == NULL)
 972                 e = AUE_FCHMOD;
 973         else
 974                 e = AUE_CHMOD;
 975 
 976         return (e);
 977 }
 978 
 979 /*ARGSUSED*/
 980 static void
 981 aus_fchmodat(struct t_audit_data *tad)
 982 {
 983         klwp_t *clwp = ttolwp(curthread);
 984         uint32_t fmode;
 985         uint32_t fd;
 986         struct file  *fp;
 987         struct vnode *vp;
 988         struct f_audit_data *fad;
 989 
 990         struct a {
 991                 long    fd;
 992                 long    fname;          /* char * */
 993                 long    fmode;
 994                 long    flag;
 995         } *uap = (struct a *)clwp->lwp_ap;
 996 
 997         fd = (uint32_t)uap->fd;
 998         fmode = (uint32_t)uap->fmode;
 999 
1000         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1001 
1002         if (fd == AT_FDCWD || uap->fname != NULL)    /* same as chmod() */
1003                 return;
1004 
1005         /*
1006          * convert file pointer to file descriptor
1007          *   Note: fd ref count incremented here.
1008          */
1009         if ((fp = getf(fd)) == NULL)
1010                 return;
1011 
1012         /* get path from file struct here */
1013         fad = F2A(fp);
1014         if (fad->fad_aupath != NULL) {
1015                 au_uwrite(au_to_path(fad->fad_aupath));
1016         } else {
1017                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1018         }
1019 
1020         vp = fp->f_vnode;
1021         audit_attributes(vp);
1022 
1023         /* decrement file descriptor reference count */
1024         releasef(fd);
1025 }
1026 
1027 /*
1028  * convert open mode to appropriate open event
1029  */
1030 au_event_t
1031 open_event(uint_t fm)
1032 {
1033         au_event_t e;
1034 
1035         switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1036         case O_RDONLY:
1037                 e = AUE_OPEN_R;
1038                 break;
1039         case O_RDONLY | O_CREAT:
1040                 e = AUE_OPEN_RC;
1041                 break;
1042         case O_RDONLY | O_TRUNC:
1043                 e = AUE_OPEN_RT;
1044                 break;
1045         case O_RDONLY | O_TRUNC | O_CREAT:
1046                 e = AUE_OPEN_RTC;
1047                 break;
1048         case O_WRONLY:
1049                 e = AUE_OPEN_W;
1050                 break;
1051         case O_WRONLY | O_CREAT:
1052                 e = AUE_OPEN_WC;
1053                 break;
1054         case O_WRONLY | O_TRUNC:
1055                 e = AUE_OPEN_WT;
1056                 break;
1057         case O_WRONLY | O_TRUNC | O_CREAT:
1058                 e = AUE_OPEN_WTC;
1059                 break;
1060         case O_RDWR:
1061                 e = AUE_OPEN_RW;
1062                 break;
1063         case O_RDWR | O_CREAT:
1064                 e = AUE_OPEN_RWC;
1065                 break;
1066         case O_RDWR | O_TRUNC:
1067                 e = AUE_OPEN_RWT;
1068                 break;
1069         case O_RDWR | O_TRUNC | O_CREAT:
1070                 e = AUE_OPEN_RWTC;
1071                 break;
1072         case O_SEARCH:
1073                 e = AUE_OPEN_S;
1074                 break;
1075         case O_EXEC:
1076                 e = AUE_OPEN_E;
1077                 break;
1078         default:
1079                 e = AUE_NULL;
1080                 break;
1081         }
1082 
1083         return (e);
1084 }
1085 
1086 /* ARGSUSED */
1087 static au_event_t
1088 aui_open(au_event_t e)
1089 {
1090         klwp_t *clwp = ttolwp(curthread);
1091         uint_t fm;
1092 
1093         struct a {
1094                 long    fnamep;         /* char * */
1095                 long    fmode;
1096                 long    cmode;
1097         } *uap = (struct a *)clwp->lwp_ap;
1098 
1099         fm = (uint_t)uap->fmode;
1100 
1101         return (open_event(fm));
1102 }
1103 
1104 static void
1105 aus_open(struct t_audit_data *tad)
1106 {
1107         klwp_t *clwp = ttolwp(curthread);
1108         uint_t fm;
1109 
1110         struct a {
1111                 long    fnamep;         /* char * */
1112                 long    fmode;
1113                 long    cmode;
1114         } *uap = (struct a *)clwp->lwp_ap;
1115 
1116         fm = (uint_t)uap->fmode;
1117 
1118         /* If no write, create, or trunc modes, mark as a public op */
1119         if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1120                 tad->tad_ctrl |= TAD_PUBLIC_EV;
1121 }
1122 
1123 /* ARGSUSED */
1124 static au_event_t
1125 aui_openat(au_event_t e)
1126 {
1127         t_audit_data_t *tad = T2A(curthread);
1128         klwp_t *clwp = ttolwp(curthread);
1129         uint_t fm;
1130 
1131         struct a {
1132                 long    filedes;
1133                 long    fnamep;         /* char * */
1134                 long    fmode;
1135                 long    cmode;
1136         } *uap = (struct a *)clwp->lwp_ap;
1137 
1138         fm = (uint_t)uap->fmode;
1139 
1140         /*
1141          * __openattrdirat() does an extra pathname lookup in order to
1142          * enter the extended system attribute namespace of the referenced
1143          * extended attribute filename.
1144          */
1145         if (fm & FXATTRDIROPEN)
1146                 tad->tad_ctrl |= TAD_MLD;
1147 
1148         return (open_event(fm));
1149 }
1150 
1151 static void
1152 aus_openat(struct t_audit_data *tad)
1153 {
1154         klwp_t *clwp = ttolwp(curthread);
1155         uint_t fm;
1156 
1157         struct a {
1158                 long    filedes;
1159                 long    fnamep;         /* char * */
1160                 long    fmode;
1161                 long    cmode;
1162         } *uap = (struct a *)clwp->lwp_ap;
1163 
1164         fm = (uint_t)uap->fmode;
1165 
1166         /* If no write, create, or trunc modes, mark as a public op */
1167         if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1168                 tad->tad_ctrl |= TAD_PUBLIC_EV;
1169 }
1170 
1171 static au_event_t
1172 aui_unlinkat(au_event_t e)
1173 {
1174         klwp_t *clwp = ttolwp(curthread);
1175 
1176         struct a {
1177                 long    filedes;
1178                 long    fnamep;         /* char * */
1179                 long    flags;
1180         } *uap = (struct a *)clwp->lwp_ap;
1181 
1182         if (uap->flags & AT_REMOVEDIR)
1183                 e = AUE_RMDIR;
1184         else
1185                 e = AUE_UNLINK;
1186 
1187         return (e);
1188 }
1189 
1190 static au_event_t
1191 aui_fstatat(au_event_t e)
1192 {
1193         klwp_t *clwp = ttolwp(curthread);
1194 
1195         struct a {
1196                 long    filedes;
1197                 long    fnamep;         /* char * */
1198                 long    statb;
1199                 long    flags;
1200         } *uap = (struct a *)clwp->lwp_ap;
1201 
1202         if (uap->fnamep == NULL)
1203                 e = AUE_FSTAT;
1204         else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1205                 e = AUE_LSTAT;
1206         else
1207                 e = AUE_STAT;
1208 
1209         return (e);
1210 }
1211 
1212 /* msgsys */
1213 static au_event_t
1214 aui_msgsys(au_event_t e)
1215 {
1216         klwp_t *clwp = ttolwp(curthread);
1217         uint_t fm;
1218 
1219         struct a {
1220                 long    id;     /* function code id */
1221                 long    ap;     /* arg pointer for recvmsg */
1222         } *uap = (struct a *)clwp->lwp_ap;
1223 
1224         struct b {
1225                 long    msgid;
1226                 long    cmd;
1227                 long    buf;    /* struct msqid_ds * */
1228         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1229 
1230         fm  = (uint_t)uap->id;
1231 
1232         switch (fm) {
1233         case 0:         /* msgget */
1234                 e = AUE_MSGGET;
1235                 break;
1236         case 1:         /* msgctl */
1237                 switch ((uint_t)uap1->cmd) {
1238                 case IPC_RMID:
1239                         e = AUE_MSGCTL_RMID;
1240                         break;
1241                 case IPC_SET:
1242                         e = AUE_MSGCTL_SET;
1243                         break;
1244                 case IPC_STAT:
1245                         e = AUE_MSGCTL_STAT;
1246                         break;
1247                 default:
1248                         e = AUE_MSGCTL;
1249                         break;
1250                 }
1251                 break;
1252         case 2:         /* msgrcv */
1253                 e = AUE_MSGRCV;
1254                 break;
1255         case 3:         /* msgsnd */
1256                 e = AUE_MSGSND;
1257                 break;
1258         default:        /* illegal system call */
1259                 e = AUE_NULL;
1260                 break;
1261         }
1262 
1263         return (e);
1264 }
1265 
1266 
1267 /* shmsys */
1268 static au_event_t
1269 aui_shmsys(au_event_t e)
1270 {
1271         klwp_t *clwp = ttolwp(curthread);
1272         int fm;
1273 
1274         struct a {              /* shmsys */
1275                 long    id;     /* function code id */
1276         } *uap = (struct a *)clwp->lwp_ap;
1277 
1278         struct b {              /* ctrl */
1279                 long    shmid;
1280                 long    cmd;
1281                 long    arg;            /* struct shmid_ds * */
1282         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1283         fm  = (uint_t)uap->id;
1284 
1285         switch (fm) {
1286         case 0:         /* shmat */
1287                 e = AUE_SHMAT;
1288                 break;
1289         case 1:         /* shmctl */
1290                 switch ((uint_t)uap1->cmd) {
1291                 case IPC_RMID:
1292                         e = AUE_SHMCTL_RMID;
1293                         break;
1294                 case IPC_SET:
1295                         e = AUE_SHMCTL_SET;
1296                         break;
1297                 case IPC_STAT:
1298                         e = AUE_SHMCTL_STAT;
1299                         break;
1300                 default:
1301                         e = AUE_SHMCTL;
1302                         break;
1303                 }
1304                 break;
1305         case 2:         /* shmdt */
1306                 e = AUE_SHMDT;
1307                 break;
1308         case 3:         /* shmget */
1309                 e = AUE_SHMGET;
1310                 break;
1311         default:        /* illegal system call */
1312                 e = AUE_NULL;
1313                 break;
1314         }
1315 
1316         return (e);
1317 }
1318 
1319 
1320 /* semsys */
1321 static au_event_t
1322 aui_semsys(au_event_t e)
1323 {
1324         klwp_t *clwp = ttolwp(curthread);
1325         uint_t fm;
1326 
1327         struct a {              /* semsys */
1328                 long    id;
1329         } *uap = (struct a *)clwp->lwp_ap;
1330 
1331         struct b {              /* ctrl */
1332                 long    semid;
1333                 long    semnum;
1334                 long    cmd;
1335                 long    arg;
1336         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1337 
1338         fm = (uint_t)uap->id;
1339 
1340         switch (fm) {
1341         case 0:         /* semctl */
1342                 switch ((uint_t)uap1->cmd) {
1343                 case IPC_RMID:
1344                         e = AUE_SEMCTL_RMID;
1345                         break;
1346                 case IPC_SET:
1347                         e = AUE_SEMCTL_SET;
1348                         break;
1349                 case IPC_STAT:
1350                         e = AUE_SEMCTL_STAT;
1351                         break;
1352                 case GETNCNT:
1353                         e = AUE_SEMCTL_GETNCNT;
1354                         break;
1355                 case GETPID:
1356                         e = AUE_SEMCTL_GETPID;
1357                         break;
1358                 case GETVAL:
1359                         e = AUE_SEMCTL_GETVAL;
1360                         break;
1361                 case GETALL:
1362                         e = AUE_SEMCTL_GETALL;
1363                         break;
1364                 case GETZCNT:
1365                         e = AUE_SEMCTL_GETZCNT;
1366                         break;
1367                 case SETVAL:
1368                         e = AUE_SEMCTL_SETVAL;
1369                         break;
1370                 case SETALL:
1371                         e = AUE_SEMCTL_SETALL;
1372                         break;
1373                 default:
1374                         e = AUE_SEMCTL;
1375                         break;
1376                 }
1377                 break;
1378         case 1:         /* semget */
1379                 e = AUE_SEMGET;
1380                 break;
1381         case 2:         /* semop */
1382                 e = AUE_SEMOP;
1383                 break;
1384         default:        /* illegal system call */
1385                 e = AUE_NULL;
1386                 break;
1387         }
1388 
1389         return (e);
1390 }
1391 
1392 /* utssys - uname(2), ustat(2), fusers(2) */
1393 static au_event_t
1394 aui_utssys(au_event_t e)
1395 {
1396         klwp_t *clwp = ttolwp(curthread);
1397         uint_t type;
1398 
1399         struct a {
1400                 union {
1401                         long    cbuf;           /* char * */
1402                         long    ubuf;           /* struct stat * */
1403                 } ub;
1404                 union {
1405                         long    mv;     /* for USTAT */
1406                         long    flags;  /* for FUSERS */
1407                 } un;
1408                 long    type;
1409                 long    outbp;          /* char * for FUSERS */
1410         } *uap = (struct a *)clwp->lwp_ap;
1411 
1412         type = (uint_t)uap->type;
1413 
1414         if (type == UTS_FUSERS)
1415                 return (e);
1416         else
1417                 return ((au_event_t)AUE_NULL);
1418 }
1419 
1420 static au_event_t
1421 aui_fcntl(au_event_t e)
1422 {
1423         klwp_t *clwp = ttolwp(curthread);
1424         uint_t cmd;
1425 
1426         struct a {
1427                 long    fdes;
1428                 long    cmd;
1429                 long    arg;
1430         } *uap = (struct a *)clwp->lwp_ap;
1431 
1432         cmd = (uint_t)uap->cmd;
1433 
1434         switch (cmd) {
1435         case F_GETLK:
1436         case F_SETLK:
1437         case F_SETLKW:
1438                 break;
1439         case F_SETFL:
1440         case F_GETFL:
1441         case F_GETFD:
1442                 break;
1443         default:
1444                 e = (au_event_t)AUE_NULL;
1445                 break;
1446         }
1447         return ((au_event_t)e);
1448 }
1449 
1450 /* null function for now */
1451 static au_event_t
1452 aui_execve(au_event_t e)
1453 {
1454         return (e);
1455 }
1456 
1457 /*ARGSUSED*/
1458 static void
1459 aus_fcntl(struct t_audit_data *tad)
1460 {
1461         klwp_t *clwp = ttolwp(curthread);
1462         uint32_t cmd, fd, flags;
1463         struct file  *fp;
1464         struct vnode *vp;
1465         struct f_audit_data *fad;
1466 
1467         struct a {
1468                 long    fd;
1469                 long    cmd;
1470                 long    arg;
1471         } *uap = (struct a *)clwp->lwp_ap;
1472 
1473         cmd     = (uint32_t)uap->cmd;
1474         fd      = (uint32_t)uap->fd;
1475         flags   = (uint32_t)uap->arg;
1476 
1477         au_uwrite(au_to_arg32(2, "cmd", cmd));
1478 
1479         if (cmd == F_SETFL)
1480                 au_uwrite(au_to_arg32(3, "flags", flags));
1481 
1482                 /*
1483                  * convert file pointer to file descriptor
1484                  *   Note: fd ref count incremented here.
1485                  */
1486         if ((fp = getf(fd)) == NULL)
1487                 return;
1488 
1489         /* get path from file struct here */
1490         fad = F2A(fp);
1491         if (fad->fad_aupath != NULL) {
1492                 au_uwrite(au_to_path(fad->fad_aupath));
1493         } else {
1494                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1495         }
1496 
1497         vp = fp->f_vnode;
1498         audit_attributes(vp);
1499 
1500         /* decrement file descriptor reference count */
1501         releasef(fd);
1502 }
1503 
1504 /*ARGSUSED*/
1505 static void
1506 aus_kill(struct t_audit_data *tad)
1507 {
1508         klwp_t *clwp = ttolwp(curthread);
1509         struct proc *p;
1510         uint32_t signo;
1511         uid_t uid, ruid;
1512         gid_t gid, rgid;
1513         pid_t pid;
1514         const auditinfo_addr_t *ainfo;
1515         cred_t *cr;
1516 
1517         struct a {
1518                 long    pid;
1519                 long    signo;
1520         } *uap = (struct a *)clwp->lwp_ap;
1521 
1522         pid   = (pid_t)uap->pid;
1523         signo = (uint32_t)uap->signo;
1524 
1525         au_uwrite(au_to_arg32(2, "signal", signo));
1526         if (pid > 0) {
1527                 mutex_enter(&pidlock);
1528                 if (((p = prfind(pid)) == (struct proc *)0) ||
1529                     (p->p_stat == SIDL)) {
1530                         mutex_exit(&pidlock);
1531                         au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1532                         return;
1533                 }
1534                 mutex_enter(&p->p_lock); /* so process doesn't go away */
1535                 mutex_exit(&pidlock);
1536 
1537                 mutex_enter(&p->p_crlock);
1538                 crhold(cr = p->p_cred);
1539                 mutex_exit(&p->p_crlock);
1540                 mutex_exit(&p->p_lock);
1541 
1542                 ainfo = crgetauinfo(cr);
1543                 if (ainfo == NULL) {
1544                         crfree(cr);
1545                         au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1546                         return;
1547                 }
1548 
1549                 uid  = crgetuid(cr);
1550                 gid  = crgetgid(cr);
1551                 ruid = crgetruid(cr);
1552                 rgid = crgetrgid(cr);
1553                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1554                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1555 
1556                 if (is_system_labeled())
1557                         au_uwrite(au_to_label(CR_SL(cr)));
1558 
1559                 crfree(cr);
1560         }
1561         else
1562                 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1563 }
1564 
1565 /*ARGSUSED*/
1566 static void
1567 aus_mkdir(struct t_audit_data *tad)
1568 {
1569         klwp_t *clwp = ttolwp(curthread);
1570         uint32_t dmode;
1571 
1572         struct a {
1573                 long    dirnamep;               /* char * */
1574                 long    dmode;
1575         } *uap = (struct a *)clwp->lwp_ap;
1576 
1577         dmode = (uint32_t)uap->dmode;
1578 
1579         au_uwrite(au_to_arg32(2, "mode", dmode));
1580 }
1581 
1582 /*ARGSUSED*/
1583 static void
1584 aus_mkdirat(struct t_audit_data *tad)
1585 {
1586         klwp_t *clwp = ttolwp(curthread);
1587         uint32_t dmode;
1588 
1589         struct a {
1590                 long    fd;
1591                 long    dirnamep;               /* char * */
1592                 long    dmode;
1593         } *uap = (struct a *)clwp->lwp_ap;
1594 
1595         dmode = (uint32_t)uap->dmode;
1596 
1597         au_uwrite(au_to_arg32(2, "mode", dmode));
1598 }
1599 
1600 /*ARGSUSED*/
1601 static void
1602 aus_mknod(struct t_audit_data *tad)
1603 {
1604         klwp_t *clwp = ttolwp(curthread);
1605         uint32_t fmode;
1606         dev_t dev;
1607 
1608         struct a {
1609                 long    pnamep;         /* char * */
1610                 long    fmode;
1611                 long    dev;
1612         } *uap = (struct a *)clwp->lwp_ap;
1613 
1614         fmode = (uint32_t)uap->fmode;
1615         dev   = (dev_t)uap->dev;
1616 
1617         au_uwrite(au_to_arg32(2, "mode", fmode));
1618 #ifdef _LP64
1619         au_uwrite(au_to_arg64(3, "dev", dev));
1620 #else
1621         au_uwrite(au_to_arg32(3, "dev", dev));
1622 #endif
1623 }
1624 
1625 /*ARGSUSED*/
1626 static void
1627 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1628 {
1629         klwp_t *clwp = ttolwp(curthread);
1630         vnode_t *dvp;
1631         caddr_t pnamep;
1632 
1633         struct a {
1634                 long    pnamep;         /* char * */
1635                 long    fmode;
1636                 long    dev;
1637         } *uap = (struct a *)clwp->lwp_ap;
1638 
1639         /* no error, then already path token in audit record */
1640         if (error != EPERM && error != EINVAL)
1641                 return;
1642 
1643         /* do the lookup to force generation of path token */
1644         pnamep = (caddr_t)uap->pnamep;
1645         tad->tad_ctrl |= TAD_NOATTRB;
1646         error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1647         if (error == 0)
1648                 VN_RELE(dvp);
1649 }
1650 
1651 /*ARGSUSED*/
1652 static void
1653 aus_mknodat(struct t_audit_data *tad)
1654 {
1655         klwp_t *clwp = ttolwp(curthread);
1656         uint32_t fmode;
1657         dev_t dev;
1658 
1659         struct a {
1660                 long    fd;
1661                 long    pnamep;         /* char * */
1662                 long    fmode;
1663                 long    dev;
1664         } *uap = (struct a *)clwp->lwp_ap;
1665 
1666         fmode = (uint32_t)uap->fmode;
1667         dev   = (dev_t)uap->dev;
1668 
1669         au_uwrite(au_to_arg32(2, "mode", fmode));
1670 #ifdef _LP64
1671         au_uwrite(au_to_arg64(3, "dev", dev));
1672 #else
1673         au_uwrite(au_to_arg32(3, "dev", dev));
1674 #endif
1675 }
1676 
1677 /*ARGSUSED*/
1678 static void
1679 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1680 {
1681         klwp_t *clwp = ttolwp(curthread);
1682         vnode_t *startvp;
1683         vnode_t *dvp;
1684         caddr_t pnamep;
1685         int fd;
1686 
1687         struct a {
1688                 long    fd;
1689                 long    pnamep;         /* char * */
1690                 long    fmode;
1691                 long    dev;
1692         } *uap = (struct a *)clwp->lwp_ap;
1693 
1694         /* no error, then already path token in audit record */
1695         if (error != EPERM && error != EINVAL)
1696                 return;
1697 
1698         /* do the lookup to force generation of path token */
1699         fd = (int)uap->fd;
1700         pnamep = (caddr_t)uap->pnamep;
1701         if (pnamep == NULL ||
1702             fgetstartvp(fd, pnamep, &startvp) != 0)
1703                 return;
1704         tad->tad_ctrl |= TAD_NOATTRB;
1705         error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1706             startvp);
1707         if (error == 0)
1708                 VN_RELE(dvp);
1709         if (startvp != NULL)
1710                 VN_RELE(startvp);
1711 }
1712 
1713 /*ARGSUSED*/
1714 static void
1715 aus_mount(struct t_audit_data *tad)
1716 {       /* AUS_START */
1717         klwp_t *clwp = ttolwp(curthread);
1718         uint32_t flags;
1719         uintptr_t u_fstype, dataptr;
1720         STRUCT_DECL(nfs_args, nfsargs);
1721         size_t len;
1722         char *fstype, *hostname;
1723 
1724         struct a {
1725                 long    spec;           /* char    * */
1726                 long    dir;            /* char    * */
1727                 long    flags;
1728                 long    fstype;         /* char    * */
1729                 long    dataptr;        /* char    * */
1730                 long    datalen;
1731         } *uap = (struct a *)clwp->lwp_ap;
1732 
1733         u_fstype = (uintptr_t)uap->fstype;
1734         flags    = (uint32_t)uap->flags;
1735         dataptr  = (uintptr_t)uap->dataptr;
1736 
1737         fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1738         if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1739                 goto mount_free_fstype;
1740 
1741         au_uwrite(au_to_arg32(3, "flags", flags));
1742         au_uwrite(au_to_text(fstype));
1743 
1744         if (strncmp(fstype, "nfs", 3) == 0) {
1745 
1746                 STRUCT_INIT(nfsargs, get_udatamodel());
1747                 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1748 
1749                 if (copyin((caddr_t)dataptr,
1750                                 STRUCT_BUF(nfsargs),
1751                                 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1752                         /* DEBUG debug_enter((char *)NULL); */
1753                         goto mount_free_fstype;
1754                 }
1755                 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1756                 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1757                                 (caddr_t)hostname,
1758                                 MAXNAMELEN, &len)) {
1759                         goto mount_free_hostname;
1760                 }
1761                 au_uwrite(au_to_text(hostname));
1762                 au_uwrite(au_to_arg32(3, "internal flags",
1763                         (uint_t)STRUCT_FGET(nfsargs, flags)));
1764 
1765 mount_free_hostname:
1766                 kmem_free(hostname, MAXNAMELEN);
1767         }
1768 
1769 mount_free_fstype:
1770         kmem_free(fstype, MAXNAMELEN);
1771 }       /* AUS_MOUNT */
1772 
1773 static void
1774 aus_umount_path(caddr_t umount_dir)
1775 {
1776         char                    *dir_path;
1777         struct audit_path       *path;
1778         size_t                  path_len, dir_len;
1779 
1780         /* length alloc'd for two string pointers */
1781         path_len = sizeof (struct audit_path) + sizeof (char *);
1782         path = kmem_alloc(path_len, KM_SLEEP);
1783         dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1784 
1785         if (copyinstr(umount_dir, (caddr_t)dir_path,
1786             MAXPATHLEN, &dir_len))
1787                 goto umount2_free_dir;
1788 
1789         /*
1790          * the audit_path struct assumes that the buffer pointed to
1791          * by audp_sect[n] contains string 0 immediatedly followed
1792          * by string 1.
1793          */
1794         path->audp_sect[0] = dir_path;
1795         path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1796         path->audp_size = path_len;
1797         path->audp_ref = 1;          /* not used */
1798         path->audp_cnt = 1;          /* one path string */
1799 
1800         au_uwrite(au_to_path(path));
1801 
1802 umount2_free_dir:
1803         kmem_free(dir_path, MAXPATHLEN);
1804         kmem_free(path, path_len);
1805 }
1806 
1807 /*ARGSUSED*/
1808 static void
1809 aus_umount2(struct t_audit_data *tad)
1810 {
1811         klwp_t                  *clwp = ttolwp(curthread);
1812         struct a {
1813                 long    dir;            /* char    * */
1814                 long    flags;
1815         } *uap = (struct a *)clwp->lwp_ap;
1816 
1817         aus_umount_path((caddr_t)uap->dir);
1818 
1819         au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1820 }
1821 
1822 static void
1823 aus_msgsys(struct t_audit_data *tad)
1824 {
1825         klwp_t *clwp = ttolwp(curthread);
1826         uint32_t msgid;
1827 
1828         struct b {
1829                 long    msgid;
1830                 long    cmd;
1831                 long    buf;            /* struct msqid_ds * */
1832         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1833 
1834         msgid = (uint32_t)uap1->msgid;
1835 
1836 
1837         switch (tad->tad_event) {
1838         case AUE_MSGGET:                /* msgget */
1839                 au_uwrite(au_to_arg32(1, "msg key", msgid));
1840                 break;
1841         case AUE_MSGCTL:                /* msgctl */
1842         case AUE_MSGCTL_RMID:           /* msgctl */
1843         case AUE_MSGCTL_SET:            /* msgctl */
1844         case AUE_MSGCTL_STAT:           /* msgctl */
1845         case AUE_MSGRCV:                /* msgrcv */
1846         case AUE_MSGSND:                /* msgsnd */
1847                 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1848                 break;
1849         }
1850 }
1851 
1852 /*ARGSUSED*/
1853 static void
1854 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1855 {
1856         int id;
1857 
1858         if (error != 0)
1859                 return;
1860         if (tad->tad_event == AUE_MSGGET) {
1861                 uint32_t scid;
1862                 uint32_t sy_flags;
1863 
1864                 /* need to determine type of executing binary */
1865                 scid = tad->tad_scid;
1866 #ifdef _SYSCALL32_IMPL
1867                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1868                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1869                 else
1870                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1871 #else
1872                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1873 #endif
1874                 if (sy_flags == SE_32RVAL1)
1875                         id = rval->r_val1;
1876                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1877                         id = rval->r_val1;
1878                 if (sy_flags == SE_64RVAL)
1879                         id = (int)rval->r_vals;
1880 
1881                 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1882         }
1883 }
1884 
1885 static void
1886 aus_semsys(struct t_audit_data *tad)
1887 {
1888         klwp_t *clwp = ttolwp(curthread);
1889         uint32_t semid;
1890 
1891         struct b {              /* ctrl */
1892                 long    semid;
1893                 long    semnum;
1894                 long    cmd;
1895                 long    arg;
1896         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1897 
1898         semid = (uint32_t)uap1->semid;
1899 
1900         switch (tad->tad_event) {
1901         case AUE_SEMCTL_RMID:
1902         case AUE_SEMCTL_STAT:
1903         case AUE_SEMCTL_GETNCNT:
1904         case AUE_SEMCTL_GETPID:
1905         case AUE_SEMCTL_GETVAL:
1906         case AUE_SEMCTL_GETALL:
1907         case AUE_SEMCTL_GETZCNT:
1908         case AUE_SEMCTL_SET:
1909         case AUE_SEMCTL_SETVAL:
1910         case AUE_SEMCTL_SETALL:
1911         case AUE_SEMCTL:
1912         case AUE_SEMOP:
1913                 au_uwrite(au_to_arg32(1, "sem ID", semid));
1914                 break;
1915         case AUE_SEMGET:
1916                 au_uwrite(au_to_arg32(1, "sem key", semid));
1917                 break;
1918         }
1919 }
1920 
1921 /*ARGSUSED*/
1922 static void
1923 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1924 {
1925         int id;
1926 
1927         if (error != 0)
1928                 return;
1929         if (tad->tad_event == AUE_SEMGET) {
1930                 uint32_t scid;
1931                 uint32_t sy_flags;
1932 
1933                 /* need to determine type of executing binary */
1934                 scid = tad->tad_scid;
1935 #ifdef _SYSCALL32_IMPL
1936                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1937                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1938                 else
1939                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1940 #else
1941                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1942 #endif
1943                 if (sy_flags == SE_32RVAL1)
1944                         id = rval->r_val1;
1945                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1946                         id = rval->r_val1;
1947                 if (sy_flags == SE_64RVAL)
1948                         id = (int)rval->r_vals;
1949 
1950                 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1951         }
1952 }
1953 
1954 /*ARGSUSED*/
1955 static void
1956 aus_close(struct t_audit_data *tad)
1957 {
1958         klwp_t *clwp = ttolwp(curthread);
1959         uint32_t fd;
1960         struct file *fp;
1961         struct f_audit_data *fad;
1962         struct vnode *vp;
1963         struct vattr attr;
1964         au_kcontext_t   *kctx = GET_KCTX_PZ;
1965 
1966         struct a {
1967                 long    i;
1968         } *uap = (struct a *)clwp->lwp_ap;
1969 
1970         fd = (uint32_t)uap->i;
1971 
1972         attr.va_mask = 0;
1973         au_uwrite(au_to_arg32(1, "fd", fd));
1974 
1975                 /*
1976                  * convert file pointer to file descriptor
1977                  *   Note: fd ref count incremented here.
1978                  */
1979         if ((fp = getf(fd)) == NULL)
1980                 return;
1981 
1982         fad = F2A(fp);
1983         tad->tad_evmod = (au_emod_t)fad->fad_flags;
1984         if (fad->fad_aupath != NULL) {
1985                 au_uwrite(au_to_path(fad->fad_aupath));
1986                 if ((vp = fp->f_vnode) != NULL) {
1987                         attr.va_mask = AT_ALL;
1988                         if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1989                                 /*
1990                                  * When write was not used and the file can be
1991                                  * considered public, skip the audit.
1992                                  */
1993                                 if (((fp->f_flag & FWRITE) == 0) &&
1994                                     object_is_public(&attr)) {
1995                                         tad->tad_flag = 0;
1996                                         tad->tad_evmod = 0;
1997                                         /* free any residual audit data */
1998                                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1999                                         releasef(fd);
2000                                         return;
2001                                 }
2002                                 au_uwrite(au_to_attr(&attr));
2003                                 audit_sec_attributes(&(u_ad), vp);
2004                         }
2005                 }
2006         }
2007 
2008         /* decrement file descriptor reference count */
2009         releasef(fd);
2010 }
2011 
2012 /*ARGSUSED*/
2013 static void
2014 aus_fstatfs(struct t_audit_data *tad)
2015 {
2016         klwp_t *clwp = ttolwp(curthread);
2017         uint32_t fd;
2018         struct file  *fp;
2019         struct vnode *vp;
2020         struct f_audit_data *fad;
2021 
2022         struct a {
2023                 long    fd;
2024                 long    buf;            /* struct statfs * */
2025         } *uap = (struct a *)clwp->lwp_ap;
2026 
2027         fd = (uint_t)uap->fd;
2028 
2029                 /*
2030                  * convert file pointer to file descriptor
2031                  *   Note: fd ref count incremented here.
2032                  */
2033         if ((fp = getf(fd)) == NULL)
2034                 return;
2035 
2036                 /* get path from file struct here */
2037         fad = F2A(fp);
2038         if (fad->fad_aupath != NULL) {
2039                 au_uwrite(au_to_path(fad->fad_aupath));
2040         } else {
2041                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2042         }
2043 
2044         vp = fp->f_vnode;
2045         audit_attributes(vp);
2046 
2047         /* decrement file descriptor reference count */
2048         releasef(fd);
2049 }
2050 
2051 static au_event_t
2052 aui_setpgrp(au_event_t e)
2053 {
2054         klwp_t *clwp = ttolwp(curthread);
2055         int flag;
2056 
2057         struct a {
2058                 long    flag;
2059                 long    pid;
2060                 long    pgid;
2061         } *uap = (struct a *)clwp->lwp_ap;
2062 
2063         flag = (int)uap->flag;
2064 
2065 
2066         switch (flag) {
2067 
2068         case 1: /* setpgrp() */
2069                 e = AUE_SETPGRP;
2070                 break;
2071 
2072         case 3: /* setsid() */
2073                 e = AUE_SETSID;
2074                 break;
2075 
2076         case 5: /* setpgid() */
2077                 e = AUE_SETPGID;
2078                 break;
2079 
2080         case 0: /* getpgrp()    - not security relevant */
2081         case 2: /* getsid()     - not security relevant */
2082         case 4: /* getpgid()    - not security relevant */
2083                 e = AUE_NULL;
2084                 break;
2085 
2086         default:
2087                 e = AUE_NULL;
2088                 break;
2089         }
2090 
2091         return (e);
2092 }
2093 
2094 /*ARGSUSED*/
2095 static void
2096 aus_setpgrp(struct t_audit_data *tad)
2097 {
2098         klwp_t          *clwp = ttolwp(curthread);
2099         pid_t           pgid;
2100         struct proc     *p;
2101         uid_t           uid, ruid;
2102         gid_t           gid, rgid;
2103         pid_t           pid;
2104         cred_t          *cr;
2105         int             flag;
2106         const auditinfo_addr_t  *ainfo;
2107 
2108         struct a {
2109                 long    flag;
2110                 long    pid;
2111                 long    pgid;
2112         } *uap = (struct a *)clwp->lwp_ap;
2113 
2114         flag = (int)uap->flag;
2115         pid  = (pid_t)uap->pid;
2116         pgid = (pid_t)uap->pgid;
2117 
2118 
2119         switch (flag) {
2120 
2121         case 0: /* getpgrp() */
2122         case 1: /* setpgrp() */
2123         case 2: /* getsid() */
2124         case 3: /* setsid() */
2125         case 4: /* getpgid() */
2126                 break;
2127 
2128         case 5: /* setpgid() */
2129 
2130                 /* current process? */
2131                 if (pid == 0) {
2132                         return;
2133                 }
2134 
2135                 mutex_enter(&pidlock);
2136                 p = prfind(pid);
2137                 if (p == NULL || p->p_as == &kas ||
2138                     p->p_stat == SIDL || p->p_stat == SZOMB) {
2139                         mutex_exit(&pidlock);
2140                         return;
2141                 }
2142                 mutex_enter(&p->p_lock); /* so process doesn't go away */
2143                 mutex_exit(&pidlock);
2144 
2145                 mutex_enter(&p->p_crlock);
2146                 crhold(cr = p->p_cred);
2147                 mutex_exit(&p->p_crlock);
2148                 mutex_exit(&p->p_lock);
2149 
2150                 ainfo = crgetauinfo(cr);
2151                 if (ainfo == NULL) {
2152                         crfree(cr);
2153                         return;
2154                 }
2155 
2156                 uid  = crgetuid(cr);
2157                 gid  = crgetgid(cr);
2158                 ruid = crgetruid(cr);
2159                 rgid = crgetrgid(cr);
2160                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2161                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2162                 crfree(cr);
2163                 au_uwrite(au_to_arg32(2, "pgid", pgid));
2164                 break;
2165 
2166         default:
2167                 break;
2168         }
2169 }
2170 
2171 
2172 /*ARGSUSED*/
2173 static void
2174 aus_setregid(struct t_audit_data *tad)
2175 {
2176         klwp_t *clwp = ttolwp(curthread);
2177         uint32_t rgid, egid;
2178 
2179         struct a {
2180                 long     rgid;
2181                 long     egid;
2182         } *uap = (struct a *)clwp->lwp_ap;
2183 
2184         rgid  = (uint32_t)uap->rgid;
2185         egid  = (uint32_t)uap->egid;
2186 
2187         au_uwrite(au_to_arg32(1, "rgid", rgid));
2188         au_uwrite(au_to_arg32(2, "egid", egid));
2189 }
2190 
2191 /*ARGSUSED*/
2192 static void
2193 aus_setgid(struct t_audit_data *tad)
2194 {
2195         klwp_t *clwp = ttolwp(curthread);
2196         uint32_t gid;
2197 
2198         struct a {
2199                 long    gid;
2200         } *uap = (struct a *)clwp->lwp_ap;
2201 
2202         gid = (uint32_t)uap->gid;
2203 
2204         au_uwrite(au_to_arg32(1, "gid", gid));
2205 }
2206 
2207 
2208 /*ARGSUSED*/
2209 static void
2210 aus_setreuid(struct t_audit_data *tad)
2211 {
2212         klwp_t *clwp = ttolwp(curthread);
2213         uint32_t ruid, euid;
2214 
2215         struct a {
2216                 long    ruid;
2217                 long    euid;
2218         } *uap = (struct a *)clwp->lwp_ap;
2219 
2220         ruid = (uint32_t)uap->ruid;
2221         euid  = (uint32_t)uap->euid;
2222 
2223         au_uwrite(au_to_arg32(1, "ruid", ruid));
2224         au_uwrite(au_to_arg32(2, "euid", euid));
2225 }
2226 
2227 
2228 /*ARGSUSED*/
2229 static void
2230 aus_setuid(struct t_audit_data *tad)
2231 {
2232         klwp_t *clwp = ttolwp(curthread);
2233         uint32_t uid;
2234 
2235         struct a {
2236                 long    uid;
2237         } *uap = (struct a *)clwp->lwp_ap;
2238 
2239         uid = (uint32_t)uap->uid;
2240 
2241         au_uwrite(au_to_arg32(1, "uid", uid));
2242 }
2243 
2244 /*ARGSUSED*/
2245 static void
2246 aus_shmsys(struct t_audit_data *tad)
2247 {
2248         klwp_t *clwp = ttolwp(curthread);
2249         uint32_t id, cmd;
2250 
2251         struct b {
2252                 long    id;
2253                 long    cmd;
2254                 long    buf;            /* struct shmid_ds * */
2255         } *uap1 = (struct b *)&clwp->lwp_ap[1];
2256 
2257         id  = (uint32_t)uap1->id;
2258         cmd = (uint32_t)uap1->cmd;
2259 
2260         switch (tad->tad_event) {
2261         case AUE_SHMGET:                        /* shmget */
2262                 au_uwrite(au_to_arg32(1, "shm key", id));
2263                 break;
2264         case AUE_SHMCTL:                        /* shmctl */
2265         case AUE_SHMCTL_RMID:                   /* shmctl */
2266         case AUE_SHMCTL_STAT:                   /* shmctl */
2267         case AUE_SHMCTL_SET:                    /* shmctl */
2268                 au_uwrite(au_to_arg32(1, "shm ID", id));
2269                 break;
2270         case AUE_SHMDT:                         /* shmdt */
2271                 au_uwrite(au_to_arg32(1, "shm adr", id));
2272                 break;
2273         case AUE_SHMAT:                         /* shmat */
2274                 au_uwrite(au_to_arg32(1, "shm ID", id));
2275                 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2276                 break;
2277         }
2278 }
2279 
2280 /*ARGSUSED*/
2281 static void
2282 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2283 {
2284         int id;
2285 
2286         if (error != 0)
2287                 return;
2288         if (tad->tad_event == AUE_SHMGET) {
2289                 uint32_t scid;
2290                 uint32_t sy_flags;
2291 
2292                 /* need to determine type of executing binary */
2293                 scid = tad->tad_scid;
2294 #ifdef _SYSCALL32_IMPL
2295                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2296                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2297                 else
2298                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2299 #else
2300                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2301 #endif
2302                 if (sy_flags == SE_32RVAL1)
2303                         id = rval->r_val1;
2304                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2305                         id = rval->r_val1;
2306                 if (sy_flags == SE_64RVAL)
2307                         id = (int)rval->r_vals;
2308                 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2309         }
2310 }
2311 
2312 
2313 /*ARGSUSED*/
2314 static void
2315 aus_ioctl(struct t_audit_data *tad)
2316 {
2317         klwp_t *clwp = ttolwp(curthread);
2318         struct file *fp;
2319         struct vnode *vp;
2320         struct f_audit_data *fad;
2321         uint32_t fd, cmd;
2322         uintptr_t cmarg;
2323 
2324         /* XX64 */
2325         struct a {
2326                 long    fd;
2327                 long    cmd;
2328                 long    cmarg;          /* caddr_t */
2329         } *uap = (struct a *)clwp->lwp_ap;
2330 
2331         fd    = (uint32_t)uap->fd;
2332         cmd   = (uint32_t)uap->cmd;
2333         cmarg = (uintptr_t)uap->cmarg;
2334 
2335                 /*
2336                  * convert file pointer to file descriptor
2337                  *   Note: fd ref count incremented here.
2338                  */
2339         if ((fp = getf(fd)) == NULL) {
2340                 au_uwrite(au_to_arg32(1, "fd", fd));
2341                 au_uwrite(au_to_arg32(2, "cmd", cmd));
2342 #ifndef _LP64
2343                         au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2344 #else
2345                         au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2346 #endif
2347                 return;
2348         }
2349 
2350         /* get path from file struct here */
2351         fad = F2A(fp);
2352         if (fad->fad_aupath != NULL) {
2353                 au_uwrite(au_to_path(fad->fad_aupath));
2354         } else {
2355                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2356         }
2357 
2358         vp = fp->f_vnode;
2359         audit_attributes(vp);
2360 
2361         /* decrement file descriptor reference count */
2362         releasef(fd);
2363 
2364         au_uwrite(au_to_arg32(2, "cmd", cmd));
2365 #ifndef _LP64
2366                 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2367 #else
2368                 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2369 #endif
2370 }
2371 
2372 /*
2373  * null function for memcntl for now. We might want to limit memcntl()
2374  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2375  * require privileges.
2376  */
2377 static au_event_t
2378 aui_memcntl(au_event_t e)
2379 {
2380         return (e);
2381 }
2382 
2383 /*ARGSUSED*/
2384 static au_event_t
2385 aui_privsys(au_event_t e)
2386 {
2387         klwp_t *clwp = ttolwp(curthread);
2388 
2389         struct a {
2390                 long    opcode;
2391         } *uap = (struct a *)clwp->lwp_ap;
2392 
2393         switch (uap->opcode) {
2394         case PRIVSYS_SETPPRIV:
2395                 return (AUE_SETPPRIV);
2396         default:
2397                 return (AUE_NULL);
2398         }
2399 }
2400 
2401 /*ARGSUSED*/
2402 static void
2403 aus_memcntl(struct t_audit_data *tad)
2404 {
2405         klwp_t *clwp = ttolwp(curthread);
2406 
2407         struct a {
2408                 long    addr;
2409                 long    len;
2410                 long    cmd;
2411                 long    arg;
2412                 long    attr;
2413                 long    mask;
2414         } *uap = (struct a *)clwp->lwp_ap;
2415 
2416 #ifdef _LP64
2417         au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2418         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2419 #else
2420         au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2421         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2422 #endif
2423         au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2424 #ifdef _LP64
2425         au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2426 #else
2427         au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2428 #endif
2429         au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2430         au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2431 }
2432 
2433 /*ARGSUSED*/
2434 static void
2435 aus_mmap(struct t_audit_data *tad)
2436 {
2437         klwp_t *clwp = ttolwp(curthread);
2438         struct file *fp;
2439         struct f_audit_data *fad;
2440         struct vnode *vp;
2441         uint32_t fd;
2442 
2443         struct a {
2444                 long    addr;
2445                 long    len;
2446                 long    prot;
2447                 long    flags;
2448                 long    fd;
2449                 long    pos;
2450         } *uap = (struct a *)clwp->lwp_ap;
2451 
2452         fd = (uint32_t)uap->fd;
2453 
2454 #ifdef _LP64
2455         au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2456         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2457 #else
2458         au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2459         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2460 #endif
2461 
2462         if ((fp = getf(fd)) == NULL) {
2463                 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2464                 return;
2465         }
2466 
2467         /*
2468          * Mark in the tad if write access is NOT requested... if
2469          * this is later detected (in audit_attributes) to be a
2470          * public object, the mmap event may be discarded.
2471          */
2472         if (((uap->prot) & PROT_WRITE) == 0) {
2473                 tad->tad_ctrl |= TAD_PUBLIC_EV;
2474         }
2475 
2476         fad = F2A(fp);
2477         if (fad->fad_aupath != NULL) {
2478                 au_uwrite(au_to_path(fad->fad_aupath));
2479         } else {
2480                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2481         }
2482 
2483         vp = (struct vnode *)fp->f_vnode;
2484         audit_attributes(vp);
2485 
2486         /* mark READ/WRITE since we can't predict access */
2487         if (uap->prot & PROT_READ)
2488                 fad->fad_flags |= FAD_READ;
2489         if (uap->prot & PROT_WRITE)
2490                 fad->fad_flags |= FAD_WRITE;
2491 
2492         /* decrement file descriptor reference count */
2493         releasef(fd);
2494 
2495 }       /* AUS_MMAP */
2496 
2497 
2498 
2499 
2500 /*ARGSUSED*/
2501 static void
2502 aus_munmap(struct t_audit_data *tad)
2503 {
2504         klwp_t *clwp = ttolwp(curthread);
2505 
2506         struct a {
2507                 long    addr;
2508                 long    len;
2509         } *uap = (struct a *)clwp->lwp_ap;
2510 
2511 #ifdef _LP64
2512         au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2513         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2514 #else
2515         au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2516         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2517 #endif
2518 
2519 }       /* AUS_MUNMAP */
2520 
2521 
2522 
2523 
2524 
2525 
2526 
2527 /*ARGSUSED*/
2528 static void
2529 aus_priocntlsys(struct t_audit_data *tad)
2530 {
2531         klwp_t *clwp = ttolwp(curthread);
2532 
2533         struct a {
2534                 long    pc_version;
2535                 long    psp;            /* procset_t */
2536                 long    cmd;
2537                 long    arg;
2538         } *uap = (struct a *)clwp->lwp_ap;
2539 
2540         au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2541         au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2542 
2543 }       /* AUS_PRIOCNTLSYS */
2544 
2545 
2546 /*ARGSUSED*/
2547 static void
2548 aus_setegid(struct t_audit_data *tad)
2549 {
2550         klwp_t *clwp = ttolwp(curthread);
2551         uint32_t gid;
2552 
2553         struct a {
2554                 long    gid;
2555         } *uap = (struct a *)clwp->lwp_ap;
2556 
2557         gid = (uint32_t)uap->gid;
2558 
2559         au_uwrite(au_to_arg32(1, "gid", gid));
2560 }       /* AUS_SETEGID */
2561 
2562 
2563 
2564 
2565 /*ARGSUSED*/
2566 static void
2567 aus_setgroups(struct t_audit_data *tad)
2568 {
2569         klwp_t *clwp = ttolwp(curthread);
2570         int i;
2571         int gidsetsize;
2572         uintptr_t gidset;
2573         gid_t *gidlist;
2574 
2575         struct a {
2576                 long    gidsetsize;
2577                 long    gidset;
2578         } *uap = (struct a *)clwp->lwp_ap;
2579 
2580         gidsetsize = (uint_t)uap->gidsetsize;
2581         gidset = (uintptr_t)uap->gidset;
2582 
2583         if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2584                 return;
2585         if (gidsetsize != 0) {
2586                 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2587                     KM_SLEEP);
2588                 if (copyin((caddr_t)gidset, gidlist,
2589                     gidsetsize * sizeof (gid_t)) == 0)
2590                         for (i = 0; i < gidsetsize; i++)
2591                                 au_uwrite(au_to_arg32(1, "setgroups",
2592                                     (uint32_t)gidlist[i]));
2593                 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2594         } else
2595                 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2596 
2597 }       /* AUS_SETGROUPS */
2598 
2599 
2600 
2601 
2602 
2603 /*ARGSUSED*/
2604 static void
2605 aus_seteuid(struct t_audit_data *tad)
2606 {
2607         klwp_t *clwp = ttolwp(curthread);
2608         uint32_t uid;
2609 
2610         struct a {
2611                 long    uid;
2612         } *uap = (struct a *)clwp->lwp_ap;
2613 
2614         uid = (uint32_t)uap->uid;
2615 
2616         au_uwrite(au_to_arg32(1, "euid", uid));
2617 
2618 }       /* AUS_SETEUID */
2619 
2620 /*ARGSUSED*/
2621 static void
2622 aus_putmsg(struct t_audit_data *tad)
2623 {
2624         klwp_t *clwp = ttolwp(curthread);
2625         uint32_t fd, pri;
2626         struct file *fp;
2627         struct f_audit_data *fad;
2628 
2629         struct a {
2630                 long    fdes;
2631                 long    ctl;            /* struct strbuf * */
2632                 long    data;           /* struct strbuf * */
2633                 long    pri;
2634         } *uap = (struct a *)clwp->lwp_ap;
2635 
2636         fd  = (uint32_t)uap->fdes;
2637         pri = (uint32_t)uap->pri;
2638 
2639         au_uwrite(au_to_arg32(1, "fd", fd));
2640 
2641         if ((fp = getf(fd)) != NULL) {
2642                 fad = F2A(fp);
2643 
2644                 fad->fad_flags |= FAD_WRITE;
2645 
2646                 /* add path name to audit record */
2647                 if (fad->fad_aupath != NULL) {
2648                         au_uwrite(au_to_path(fad->fad_aupath));
2649                 }
2650                 audit_attributes(fp->f_vnode);
2651 
2652                 releasef(fd);
2653         }
2654 
2655         au_uwrite(au_to_arg32(4, "pri", pri));
2656 }
2657 
2658 /*ARGSUSED*/
2659 static void
2660 aus_putpmsg(struct t_audit_data *tad)
2661 {
2662         klwp_t *clwp = ttolwp(curthread);
2663         uint32_t fd, pri, flags;
2664         struct file *fp;
2665         struct f_audit_data *fad;
2666 
2667         struct a {
2668                 long    fdes;
2669                 long    ctl;            /* struct strbuf * */
2670                 long    data;           /* struct strbuf * */
2671                 long    pri;
2672                 long    flags;
2673         } *uap = (struct a *)clwp->lwp_ap;
2674 
2675         fd = (uint32_t)uap->fdes;
2676         pri  = (uint32_t)uap->pri;
2677         flags  = (uint32_t)uap->flags;
2678 
2679         au_uwrite(au_to_arg32(1, "fd", fd));
2680 
2681         if ((fp = getf(fd)) != NULL) {
2682                 fad = F2A(fp);
2683 
2684                 fad->fad_flags |= FAD_WRITE;
2685 
2686                 /* add path name to audit record */
2687                 if (fad->fad_aupath != NULL) {
2688                         au_uwrite(au_to_path(fad->fad_aupath));
2689                 }
2690                 audit_attributes(fp->f_vnode);
2691 
2692                 releasef(fd);
2693         }
2694 
2695 
2696         au_uwrite(au_to_arg32(4, "pri", pri));
2697         au_uwrite(au_to_arg32(5, "flags", flags));
2698 }
2699 
2700 /*ARGSUSED*/
2701 static void
2702 aus_getmsg(struct t_audit_data *tad)
2703 {
2704         klwp_t *clwp = ttolwp(curthread);
2705         uint32_t fd, pri;
2706         struct file *fp;
2707         struct f_audit_data *fad;
2708 
2709         struct a {
2710                 long    fdes;
2711                 long    ctl;            /* struct strbuf * */
2712                 long    data;           /* struct strbuf * */
2713                 long    pri;
2714         } *uap = (struct a *)clwp->lwp_ap;
2715 
2716         fd  = (uint32_t)uap->fdes;
2717         pri = (uint32_t)uap->pri;
2718 
2719         au_uwrite(au_to_arg32(1, "fd", fd));
2720 
2721         if ((fp = getf(fd)) != NULL) {
2722                 fad = F2A(fp);
2723 
2724                 /*
2725                  * read operation on this object
2726                  */
2727                 fad->fad_flags |= FAD_READ;
2728 
2729                 /* add path name to audit record */
2730                 if (fad->fad_aupath != NULL) {
2731                         au_uwrite(au_to_path(fad->fad_aupath));
2732                 }
2733                 audit_attributes(fp->f_vnode);
2734 
2735                 releasef(fd);
2736         }
2737 
2738         au_uwrite(au_to_arg32(4, "pri", pri));
2739 }
2740 
2741 /*ARGSUSED*/
2742 static void
2743 aus_getpmsg(struct t_audit_data *tad)
2744 {
2745         klwp_t *clwp = ttolwp(curthread);
2746         uint32_t fd;
2747         struct file *fp;
2748         struct f_audit_data *fad;
2749 
2750         struct a {
2751                 long    fdes;
2752                 long    ctl;            /* struct strbuf * */
2753                 long    data;           /* struct strbuf * */
2754                 long    pri;
2755                 long    flags;
2756         } *uap = (struct a *)clwp->lwp_ap;
2757 
2758         fd = (uint32_t)uap->fdes;
2759 
2760         au_uwrite(au_to_arg32(1, "fd", fd));
2761 
2762         if ((fp = getf(fd)) != NULL) {
2763                 fad = F2A(fp);
2764 
2765                 /*
2766                  * read operation on this object
2767                  */
2768                 fad->fad_flags |= FAD_READ;
2769 
2770                 /* add path name to audit record */
2771                 if (fad->fad_aupath != NULL) {
2772                         au_uwrite(au_to_path(fad->fad_aupath));
2773                 }
2774                 audit_attributes(fp->f_vnode);
2775 
2776                 releasef(fd);
2777         }
2778 }
2779 
2780 static au_event_t
2781 aui_labelsys(au_event_t e)
2782 {
2783         klwp_t *clwp = ttolwp(curthread);
2784         uint32_t code;
2785         uint32_t cmd;
2786 
2787         struct a {
2788                 long    code;
2789                 long    cmd;
2790         } *uap = (struct a *)clwp->lwp_ap;
2791 
2792         code = (uint32_t)uap->code;
2793         cmd = (uint32_t)uap->cmd;
2794 
2795         /* not security relevant if not changing kernel cache */
2796         if (cmd == TNDB_GET)
2797                 return (AUE_NULL);
2798 
2799         switch (code) {
2800         case TSOL_TNRH:
2801                 e = AUE_LABELSYS_TNRH;
2802                 break;
2803         case TSOL_TNRHTP:
2804                 e = AUE_LABELSYS_TNRHTP;
2805                 break;
2806         case TSOL_TNMLP:
2807                 e = AUE_LABELSYS_TNMLP;
2808                 break;
2809         default:
2810                 e = AUE_NULL;
2811                 break;
2812         }
2813 
2814         return (e);
2815 
2816 }
2817 
2818 static void
2819 aus_labelsys(struct t_audit_data *tad)
2820 {
2821         klwp_t *clwp = ttolwp(curthread);
2822         uint32_t cmd;
2823         uintptr_t a2;
2824 
2825         struct a {
2826                 long    code;
2827                 long    cmd;
2828                 long    a2;
2829         } *uap = (struct a *)clwp->lwp_ap;
2830 
2831         cmd = (uint32_t)uap->cmd;
2832         a2 = (uintptr_t)uap->a2;
2833 
2834         switch (tad->tad_event) {
2835         case AUE_LABELSYS_TNRH:
2836         {
2837                 tsol_rhent_t    *rhent;
2838                 tnaddr_t        *rh_addr;
2839 
2840                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2841 
2842                 /* Remaining args don't apply for FLUSH, so skip */
2843                 if (cmd == TNDB_FLUSH)
2844                         break;
2845 
2846                 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2847                 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2848                         kmem_free(rhent, sizeof (tsol_rhent_t));
2849                         return;
2850                 }
2851 
2852                 rh_addr = &rhent->rh_address;
2853                 if (rh_addr->ta_family == AF_INET) {
2854                         struct in_addr  *ipaddr;
2855 
2856                         ipaddr = &(rh_addr->ta_addr_v4);
2857                         au_uwrite(au_to_in_addr(ipaddr));
2858                 } else if (rh_addr->ta_family == AF_INET6) {
2859                         int32_t         *ipaddr;
2860 
2861                         ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2862                         au_uwrite(au_to_in_addr_ex(ipaddr));
2863                 }
2864                 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2865 
2866                 kmem_free(rhent, sizeof (tsol_rhent_t));
2867 
2868                 break;
2869         }
2870         case AUE_LABELSYS_TNRHTP:
2871         {
2872                 tsol_tpent_t    *tpent;
2873 
2874                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2875 
2876                 /* Remaining args don't apply for FLUSH, so skip */
2877                 if (cmd == TNDB_FLUSH)
2878                         break;
2879 
2880                 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2881                 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2882                         kmem_free(tpent, sizeof (tsol_tpent_t));
2883                         return;
2884                 }
2885 
2886                 /* Make sure that the template name is null-terminated. */
2887                 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2888 
2889                 au_uwrite(au_to_text(tpent->name));
2890                 kmem_free(tpent, sizeof (tsol_tpent_t));
2891 
2892                 break;
2893         }
2894         case AUE_LABELSYS_TNMLP:
2895         {
2896                 tsol_mlpent_t   *mlpent;
2897 
2898                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2899 
2900                 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2901                 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2902                         kmem_free(mlpent, sizeof (tsol_mlpent_t));
2903                         return;
2904                 }
2905 
2906                 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2907                         au_uwrite(au_to_text("shared"));
2908                 } else {
2909                         zone_t  *zone;
2910 
2911                         zone = zone_find_by_id(mlpent->tsme_zoneid);
2912                         if (zone != NULL) {
2913                                 au_uwrite(au_to_text(zone->zone_name));
2914                                 zone_rele(zone);
2915                         }
2916                 }
2917 
2918                 /* Remaining args don't apply for FLUSH, so skip */
2919                 if (cmd == TNDB_FLUSH) {
2920                         kmem_free(mlpent, sizeof (tsol_mlpent_t));
2921                         break;
2922                 }
2923 
2924                 au_uwrite(au_to_arg32(2, "proto num",
2925                     (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2926                 au_uwrite(au_to_arg32(2, "mlp_port",
2927                     (uint32_t)mlpent->tsme_mlp.mlp_port));
2928 
2929                 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2930                         au_uwrite(au_to_arg32(2, "mlp_port_upper",
2931                             (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2932 
2933                 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2934 
2935                 break;
2936         }
2937         default:
2938                 break;
2939         }
2940 }
2941 
2942 
2943 static au_event_t
2944 aui_auditsys(au_event_t e)
2945 {
2946         klwp_t *clwp = ttolwp(curthread);
2947         uint32_t code;
2948 
2949         struct a {
2950                 long    code;
2951                 long    a1;
2952                 long    a2;
2953                 long    a3;
2954                 long    a4;
2955                 long    a5;
2956                 long    a6;
2957                 long    a7;
2958         } *uap = (struct a *)clwp->lwp_ap;
2959 
2960         code = (uint32_t)uap->code;
2961 
2962         switch (code) {
2963 
2964         case BSM_GETAUID:
2965                 e = AUE_GETAUID;
2966                 break;
2967         case BSM_SETAUID:
2968                 e = AUE_SETAUID;
2969                 break;
2970         case BSM_GETAUDIT:
2971                 e = AUE_GETAUDIT;
2972                 break;
2973         case BSM_GETAUDIT_ADDR:
2974                 e = AUE_GETAUDIT_ADDR;
2975                 break;
2976         case BSM_SETAUDIT:
2977                 e = AUE_SETAUDIT;
2978                 break;
2979         case BSM_SETAUDIT_ADDR:
2980                 e = AUE_SETAUDIT_ADDR;
2981                 break;
2982         case BSM_AUDIT:
2983                 e = AUE_AUDIT;
2984                 break;
2985         case BSM_AUDITCTL:
2986                 switch ((uint_t)uap->a1) {
2987 
2988                 case A_GETPOLICY:
2989                         e = AUE_AUDITON_GPOLICY;
2990                         break;
2991                 case A_SETPOLICY:
2992                         e = AUE_AUDITON_SPOLICY;
2993                         break;
2994                 case A_GETAMASK:
2995                         e = AUE_AUDITON_GETAMASK;
2996                         break;
2997                 case A_SETAMASK:
2998                         e = AUE_AUDITON_SETAMASK;
2999                         break;
3000                 case A_GETKMASK:
3001                         e = AUE_AUDITON_GETKMASK;
3002                         break;
3003                 case A_SETKMASK:
3004                         e = AUE_AUDITON_SETKMASK;
3005                         break;
3006                 case A_GETQCTRL:
3007                         e = AUE_AUDITON_GQCTRL;
3008                         break;
3009                 case A_SETQCTRL:
3010                         e = AUE_AUDITON_SQCTRL;
3011                         break;
3012                 case A_GETCWD:
3013                         e = AUE_AUDITON_GETCWD;
3014                         break;
3015                 case A_GETCAR:
3016                         e = AUE_AUDITON_GETCAR;
3017                         break;
3018                 case A_GETSTAT:
3019                         e = AUE_AUDITON_GETSTAT;
3020                         break;
3021                 case A_SETSTAT:
3022                         e = AUE_AUDITON_SETSTAT;
3023                         break;
3024                 case A_SETUMASK:
3025                         e = AUE_AUDITON_SETUMASK;
3026                         break;
3027                 case A_SETSMASK:
3028                         e = AUE_AUDITON_SETSMASK;
3029                         break;
3030                 case A_GETCOND:
3031                         e = AUE_AUDITON_GETCOND;
3032                         break;
3033                 case A_SETCOND:
3034                         e = AUE_AUDITON_SETCOND;
3035                         break;
3036                 case A_GETCLASS:
3037                         e = AUE_AUDITON_GETCLASS;
3038                         break;
3039                 case A_SETCLASS:
3040                         e = AUE_AUDITON_SETCLASS;
3041                         break;
3042                 default:
3043                         e = AUE_NULL;
3044                         break;
3045                 }
3046                 break;
3047         default:
3048                 e = AUE_NULL;
3049                 break;
3050         }
3051 
3052         return (e);
3053 
3054 }       /* AUI_AUDITSYS */
3055 
3056 
3057 static void
3058 aus_auditsys(struct t_audit_data *tad)
3059 {
3060         klwp_t *clwp = ttolwp(curthread);
3061         uintptr_t a1, a2;
3062         STRUCT_DECL(auditinfo, ainfo);
3063         STRUCT_DECL(auditinfo_addr, ainfo_addr);
3064         au_evclass_map_t event;
3065         au_mask_t mask;
3066         int auditstate, policy;
3067         au_id_t auid;
3068 
3069 
3070         struct a {
3071                 long    code;
3072                 long    a1;
3073                 long    a2;
3074                 long    a3;
3075                 long    a4;
3076                 long    a5;
3077                 long    a6;
3078                 long    a7;
3079         } *uap = (struct a *)clwp->lwp_ap;
3080 
3081         a1   = (uintptr_t)uap->a1;
3082         a2   = (uintptr_t)uap->a2;
3083 
3084         switch (tad->tad_event) {
3085         case AUE_SETAUID:
3086                 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3087                                 return;
3088                 au_uwrite(au_to_arg32(2, "setauid", auid));
3089                 break;
3090         case AUE_SETAUDIT:
3091                 STRUCT_INIT(ainfo, get_udatamodel());
3092                 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3093                     STRUCT_SIZE(ainfo))) {
3094                                 return;
3095                 }
3096                 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3097                     (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3098 #ifdef _LP64
3099                 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3100                     (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3101 #else
3102                 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3103                     (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3104 #endif
3105                 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3106                     (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3107                 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3108                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3109                 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3110                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3111                 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3112                     (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3113                 break;
3114         case AUE_SETAUDIT_ADDR:
3115                 STRUCT_INIT(ainfo_addr, get_udatamodel());
3116                 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3117                     STRUCT_SIZE(ainfo_addr))) {
3118                                 return;
3119                 }
3120                 au_uwrite(au_to_arg32((char)1, "auid",
3121                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3122 #ifdef _LP64
3123                 au_uwrite(au_to_arg64((char)1, "port",
3124                     (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3125 #else
3126                 au_uwrite(au_to_arg32((char)1, "port",
3127                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3128 #endif
3129                 au_uwrite(au_to_arg32((char)1, "type",
3130                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3131                 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3132                     AU_IPv4) {
3133                         au_uwrite(au_to_in_addr(
3134                             (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3135                             ai_termid.at_addr)));
3136                 } else {
3137                         au_uwrite(au_to_in_addr_ex(
3138                             (int32_t *)STRUCT_FGETP(ainfo_addr,
3139                             ai_termid.at_addr)));
3140                 }
3141                 au_uwrite(au_to_arg32((char)1, "as_success",
3142                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3143                 au_uwrite(au_to_arg32((char)1, "as_failure",
3144                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3145                 au_uwrite(au_to_arg32((char)1, "asid",
3146                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3147                 break;
3148         case AUE_AUDITON_SETAMASK:
3149                 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3150                                 return;
3151                 au_uwrite(au_to_arg32(
3152                     2, "setamask:as_success", (uint32_t)mask.as_success));
3153                 au_uwrite(au_to_arg32(
3154                     2, "setamask:as_failure", (uint32_t)mask.as_failure));
3155                 break;
3156         case AUE_AUDITON_SETKMASK:
3157                 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3158                                 return;
3159                 au_uwrite(au_to_arg32(
3160                     2, "setkmask:as_success", (uint32_t)mask.as_success));
3161                 au_uwrite(au_to_arg32(
3162                     2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3163                 break;
3164         case AUE_AUDITON_SPOLICY:
3165                 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3166                         return;
3167                 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3168                 break;
3169         case AUE_AUDITON_SQCTRL: {
3170                 STRUCT_DECL(au_qctrl, qctrl);
3171                 model_t model;
3172 
3173                 model = get_udatamodel();
3174                 STRUCT_INIT(qctrl, model);
3175                 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3176                                 return;
3177                 if (model == DATAMODEL_ILP32) {
3178                         au_uwrite(au_to_arg32(
3179                             3, "setqctrl:aq_hiwater",
3180                             (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3181                         au_uwrite(au_to_arg32(
3182                             3, "setqctrl:aq_lowater",
3183                             (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3184                         au_uwrite(au_to_arg32(
3185                             3, "setqctrl:aq_bufsz",
3186                             (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3187                         au_uwrite(au_to_arg32(
3188                             3, "setqctrl:aq_delay",
3189                             (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3190                 } else {
3191                         au_uwrite(au_to_arg64(
3192                             3, "setqctrl:aq_hiwater",
3193                             (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3194                         au_uwrite(au_to_arg64(
3195                             3, "setqctrl:aq_lowater",
3196                             (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3197                         au_uwrite(au_to_arg64(
3198                             3, "setqctrl:aq_bufsz",
3199                             (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3200                         au_uwrite(au_to_arg64(
3201                             3, "setqctrl:aq_delay",
3202                             (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3203                 }
3204                 break;
3205         }
3206         case AUE_AUDITON_SETUMASK:
3207                 STRUCT_INIT(ainfo, get_udatamodel());
3208                 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3209                     STRUCT_SIZE(ainfo))) {
3210                         return;
3211                 }
3212                 au_uwrite(au_to_arg32(3, "setumask:as_success",
3213                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3214                 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3215                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3216                 break;
3217         case AUE_AUDITON_SETSMASK:
3218                 STRUCT_INIT(ainfo, get_udatamodel());
3219                 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3220                     STRUCT_SIZE(ainfo))) {
3221                         return;
3222                 }
3223                 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3224                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3225                 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3226                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3227                 break;
3228         case AUE_AUDITON_SETCOND:
3229                 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3230                         return;
3231                 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3232                 break;
3233         case AUE_AUDITON_SETCLASS:
3234                 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3235                         return;
3236                 au_uwrite(au_to_arg32(
3237                     2, "setclass:ec_event", (uint32_t)event.ec_number));
3238                 au_uwrite(au_to_arg32(
3239                     3, "setclass:ec_class", (uint32_t)event.ec_class));
3240                 break;
3241         case AUE_GETAUID:
3242         case AUE_GETAUDIT:
3243         case AUE_GETAUDIT_ADDR:
3244         case AUE_AUDIT:
3245         case AUE_AUDITON_GPOLICY:
3246         case AUE_AUDITON_GQCTRL:
3247         case AUE_AUDITON_GETAMASK:
3248         case AUE_AUDITON_GETKMASK:
3249         case AUE_AUDITON_GETCWD:
3250         case AUE_AUDITON_GETCAR:
3251         case AUE_AUDITON_GETSTAT:
3252         case AUE_AUDITON_SETSTAT:
3253         case AUE_AUDITON_GETCOND:
3254         case AUE_AUDITON_GETCLASS:
3255                 break;
3256         default:
3257                 break;
3258         }
3259 
3260 }       /* AUS_AUDITSYS */
3261 
3262 
3263 /* only audit privileged operations for systeminfo(2) system call */
3264 static au_event_t
3265 aui_sysinfo(au_event_t e)
3266 {
3267         klwp_t *clwp = ttolwp(curthread);
3268         uint32_t command;
3269 
3270         struct a {
3271                 long    command;
3272                 long    buf;            /* char * */
3273                 long    count;
3274         } *uap = (struct a *)clwp->lwp_ap;
3275 
3276         command = (uint32_t)uap->command;
3277 
3278         switch (command) {
3279         case SI_SET_HOSTNAME:
3280         case SI_SET_SRPC_DOMAIN:
3281                 e = (au_event_t)AUE_SYSINFO;
3282                 break;
3283         default:
3284                 e = (au_event_t)AUE_NULL;
3285                 break;
3286         }
3287         return (e);
3288 }
3289 
3290 /*ARGSUSED*/
3291 static void
3292 aus_sysinfo(struct t_audit_data *tad)
3293 {
3294         klwp_t *clwp = ttolwp(curthread);
3295         uint32_t command;
3296         size_t len, maxlen;
3297         char *name;
3298         uintptr_t buf;
3299 
3300         struct a {
3301                 long    command;
3302                 long    buf;            /* char * */
3303                 long    count;
3304         } *uap = (struct a *)clwp->lwp_ap;
3305 
3306         command = (uint32_t)uap->command;
3307         buf = (uintptr_t)uap->buf;
3308 
3309         au_uwrite(au_to_arg32(1, "cmd", command));
3310 
3311         switch (command) {
3312         case SI_SET_HOSTNAME:
3313         {
3314                 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3315                         return;
3316 
3317                 maxlen = SYS_NMLN;
3318                 name = kmem_alloc(maxlen, KM_SLEEP);
3319                 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3320                         break;
3321 
3322                 /*
3323                  * Must be non-NULL string and string
3324                  * must be less than SYS_NMLN chars.
3325                  */
3326                 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3327                         break;
3328 
3329                 au_uwrite(au_to_text(name));
3330                 break;
3331         }
3332 
3333         case SI_SET_SRPC_DOMAIN:
3334         {
3335                 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3336                         return;
3337 
3338                 maxlen = SYS_NMLN;
3339                 name = kmem_alloc(maxlen, KM_SLEEP);
3340                 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3341                         break;
3342 
3343                 /*
3344                  * If string passed in is longer than length
3345                  * allowed for domain name, fail.
3346                  */
3347                 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3348                         break;
3349 
3350                 au_uwrite(au_to_text(name));
3351                 break;
3352         }
3353 
3354         default:
3355                 return;
3356         }
3357 
3358         kmem_free(name, maxlen);
3359 }
3360 
3361 static au_event_t
3362 aui_modctl(au_event_t e)
3363 {
3364         klwp_t *clwp = ttolwp(curthread);
3365         uint_t cmd;
3366 
3367         struct a {
3368                 long    cmd;
3369         } *uap = (struct a *)clwp->lwp_ap;
3370 
3371         cmd = (uint_t)uap->cmd;
3372 
3373         switch (cmd) {
3374         case MODLOAD:
3375                 e = AUE_MODLOAD;
3376                 break;
3377         case MODUNLOAD:
3378                 e = AUE_MODUNLOAD;
3379                 break;
3380         case MODADDMAJBIND:
3381                 e = AUE_MODADDMAJ;
3382                 break;
3383         case MODSETDEVPOLICY:
3384                 e = AUE_MODDEVPLCY;
3385                 break;
3386         case MODALLOCPRIV:
3387                 e = AUE_MODADDPRIV;
3388                 break;
3389         default:
3390                 e = AUE_NULL;
3391                 break;
3392         }
3393         return (e);
3394 }
3395 
3396 
3397 /*ARGSUSED*/
3398 static void
3399 aus_modctl(struct t_audit_data *tad)
3400 {
3401         klwp_t *clwp = ttolwp(curthread);
3402         void *a = clwp->lwp_ap;
3403         uint_t use_path;
3404 
3405         switch (tad->tad_event) {
3406         case AUE_MODLOAD: {
3407                 typedef struct {
3408                         long    cmd;
3409                         long    use_path;
3410                         long    filename;               /* char * */
3411                 } modloada_t;
3412 
3413                 char *filenamep;
3414                 uintptr_t fname;
3415                 extern char *default_path;
3416 
3417                 fname = (uintptr_t)((modloada_t *)a)->filename;
3418                 use_path = (uint_t)((modloada_t *)a)->use_path;
3419 
3420                         /* space to hold path */
3421                 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3422                         /* get string */
3423                 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3424                                 /* free allocated path */
3425                         kmem_free(filenamep, MOD_MAXPATH);
3426                         return;
3427                 }
3428                         /* ensure it's null terminated */
3429                 filenamep[MOD_MAXPATH - 1] = 0;
3430 
3431                 if (use_path)
3432                         au_uwrite(au_to_text(default_path));
3433                 au_uwrite(au_to_text(filenamep));
3434 
3435                         /* release temporary memory */
3436                 kmem_free(filenamep, MOD_MAXPATH);
3437                 break;
3438         }
3439         case AUE_MODUNLOAD: {
3440                 typedef struct {
3441                         long    cmd;
3442                         long    id;
3443                 } modunloada_t;
3444 
3445                 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3446 
3447                 au_uwrite(au_to_arg32(1, "id", id));
3448                 break;
3449         }
3450         case AUE_MODADDMAJ: {
3451                 STRUCT_DECL(modconfig, mc);
3452                 typedef struct {
3453                         long    cmd;
3454                         long    subcmd;
3455                         long    data;           /* int * */
3456                 } modconfiga_t;
3457 
3458                 STRUCT_DECL(aliases, alias);
3459                 caddr_t ap;
3460                 int i, num_aliases;
3461                 char *drvname, *mc_drvname;
3462                 char *name;
3463                 extern char *ddi_major_to_name(major_t);
3464                 model_t model;
3465 
3466                 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3467 
3468                 model = get_udatamodel();
3469                 STRUCT_INIT(mc, model);
3470                         /* sanitize buffer */
3471                 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3472                         /* get user arguments */
3473                 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3474                     STRUCT_SIZE(mc)) != 0)
3475                         return;
3476 
3477                 mc_drvname = STRUCT_FGET(mc, drvname);
3478                 if ((drvname = ddi_major_to_name(
3479                     (major_t)STRUCT_FGET(mc, major))) != NULL &&
3480                     strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3481                                 /* safety */
3482                         if (mc_drvname[0] != '\0') {
3483                                 mc_drvname[MAXMODCONFNAME-1] = '\0';
3484                                 au_uwrite(au_to_text(mc_drvname));
3485                         }
3486                                 /* drvname != NULL from test above */
3487                         au_uwrite(au_to_text(drvname));
3488                         return;
3489                 }
3490 
3491                 if (mc_drvname[0] != '\0') {
3492                                 /* safety */
3493                         mc_drvname[MAXMODCONFNAME-1] = '\0';
3494                         au_uwrite(au_to_text(mc_drvname));
3495                 } else
3496                         au_uwrite(au_to_text("no drvname"));
3497 
3498                 num_aliases = STRUCT_FGET(mc, num_aliases);
3499                 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3500                 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3501                 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3502                 STRUCT_INIT(alias, model);
3503                 for (i = 0; i < num_aliases; i++) {
3504                         bzero((caddr_t)STRUCT_BUF(alias),
3505                             STRUCT_SIZE(alias));
3506                         if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3507                             STRUCT_SIZE(alias)) != 0)
3508                                 break;
3509                         if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3510                             MAXMODCONFNAME, NULL) != 0) {
3511                                 break;
3512                         }
3513 
3514                         au_uwrite(au_to_text(name));
3515                         ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3516                 }
3517                 kmem_free(name, MAXMODCONFNAME);
3518                 break;
3519         }
3520         default:
3521                 break;
3522         }
3523 }
3524 
3525 
3526 /*ARGSUSED*/
3527 static void
3528 auf_accept(
3529         struct t_audit_data *tad,
3530         int     error,
3531         rval_t  *rval)
3532 {
3533         uint32_t scid;
3534         uint32_t sy_flags;
3535         int fd;
3536         struct sonode *so;
3537         char so_laddr[sizeof (struct sockaddr_in6)];
3538         char so_faddr[sizeof (struct sockaddr_in6)];
3539         int err;
3540         short so_family, so_type;
3541         int add_sock_token = 0;
3542 
3543         /* need to determine type of executing binary */
3544         scid = tad->tad_scid;
3545 #ifdef _SYSCALL32_IMPL
3546         if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3547                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3548         else
3549                 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3550 #else
3551         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3552 #endif
3553         switch (sy_flags) {
3554         case SE_32RVAL1:
3555                 /* FALLTHRU */
3556         case SE_32RVAL2|SE_32RVAL1:
3557                 fd = rval->r_val1;
3558                 break;
3559         case SE_64RVAL:
3560                 fd = (int)rval->r_vals;
3561                 break;
3562         default:
3563                 /*
3564                  * should never happen, seems to be an internal error
3565                  * in sysent => no fd, nothing to audit here, returning
3566                  */
3567                 return;
3568         }
3569 
3570         if (error) {
3571                 /* can't trust socket contents. Just return */
3572                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3573                 return;
3574         }
3575 
3576         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3577                 /*
3578                  * not security relevant if doing a accept from non socket
3579                  * so no extra tokens. Should probably turn off audit record
3580                  * generation here.
3581                  */
3582                 return;
3583         }
3584 
3585         so_family = so->so_family;
3586         so_type   = so->so_type;
3587 
3588         switch (so_family) {
3589         case AF_INET:
3590         case AF_INET6:
3591                 /*
3592                  * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3593                  */
3594                 if (so->so_type == SOCK_STREAM) {
3595                         socklen_t len;
3596 
3597                         bzero((void *)so_laddr, sizeof (so_laddr));
3598                         bzero((void *)so_faddr, sizeof (so_faddr));
3599 
3600                         len = sizeof (so_laddr);
3601                         (void) socket_getsockname(so,
3602                             (struct sockaddr *)so_laddr, &len, CRED());
3603                         len = sizeof (so_faddr);
3604                         (void) socket_getpeername(so,
3605                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3606 
3607                         add_sock_token = 1;
3608                 }
3609                 break;
3610 
3611         default:
3612                 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3613                 break;
3614         }
3615 
3616         releasef(fd);
3617 
3618         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3619 
3620         if (add_sock_token == 0) {
3621                 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3622                 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3623                 return;
3624         }
3625 
3626         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3627 
3628 }
3629 
3630 /*ARGSUSED*/
3631 static void
3632 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3633 {
3634         struct a {
3635                 long    fd;
3636                 long    addr;
3637                 long    len;
3638         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3639 
3640         struct sonode *so;
3641         char so_laddr[sizeof (struct sockaddr_in6)];
3642         char so_faddr[sizeof (struct sockaddr_in6)];
3643         int err, fd;
3644         socklen_t len;
3645         short so_family, so_type;
3646         int add_sock_token = 0;
3647 
3648         fd = (int)uap->fd;
3649 
3650         /*
3651          * bind failed, then nothing extra to add to audit record.
3652          */
3653         if (error) {
3654                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3655                 /* XXX may want to add failed address some day */
3656                 return;
3657         }
3658 
3659         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3660                 /*
3661                  * not security relevant if doing a bind from non socket
3662                  * so no extra tokens. Should probably turn off audit record
3663                  * generation here.
3664                  */
3665                 return;
3666         }
3667 
3668         so_family = so->so_family;
3669         so_type   = so->so_type;
3670 
3671         switch (so_family) {
3672         case AF_INET:
3673         case AF_INET6:
3674 
3675                 bzero(so_faddr, sizeof (so_faddr));
3676                 len = sizeof (so_faddr);
3677 
3678                 (void) socket_getpeername(so,
3679                     (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3680                 add_sock_token = 1;
3681 
3682                 break;
3683 
3684         case AF_UNIX:
3685                 /* token added by lookup */
3686                 break;
3687         default:
3688                 /* AF_ROUTE, AF_KEY do not support accept */
3689                 break;
3690         }
3691 
3692         releasef(fd);
3693 
3694         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3695 
3696         if (add_sock_token == 0) {
3697                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3698                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3699                 return;
3700         }
3701 
3702         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3703 
3704 }
3705 
3706 /*ARGSUSED*/
3707 static void
3708 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3709 {
3710         struct a {
3711                 long    fd;
3712                 long    addr;
3713                 long    len;
3714         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3715 
3716         struct sonode *so;
3717         char so_laddr[sizeof (struct sockaddr_in6)];
3718         char so_faddr[sizeof (struct sockaddr_in6)];
3719         int err, fd;
3720         socklen_t len;
3721         short so_family, so_type;
3722         int add_sock_token = 0;
3723 
3724         fd = (int)uap->fd;
3725 
3726 
3727         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3728                 /*
3729                  * not security relevant if doing a connect from non socket
3730                  * so no extra tokens. Should probably turn off audit record
3731                  * generation here.
3732                  */
3733                 return;
3734         }
3735 
3736         so_family = so->so_family;
3737         so_type   = so->so_type;
3738 
3739         switch (so_family) {
3740         case AF_INET:
3741         case AF_INET6:
3742 
3743                 bzero(so_laddr, sizeof (so_laddr));
3744                 bzero(so_faddr, sizeof (so_faddr));
3745 
3746                 len = sizeof (so_laddr);
3747                 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3748                     &len, CRED());
3749                 if (error) {
3750                         if (uap->addr == NULL)
3751                                 break;
3752                         if (uap->len <= 0)
3753                                 break;
3754                         len = min(uap->len, sizeof (so_faddr));
3755                         if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3756                                 break;
3757 #ifdef NOTYET
3758                         au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3759 #endif
3760                 } else {
3761                         /* sanity check on length */
3762                         len = sizeof (so_faddr);
3763                         (void) socket_getpeername(so,
3764                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3765                 }
3766 
3767                 add_sock_token = 1;
3768 
3769                 break;
3770 
3771         case AF_UNIX:
3772                 /* does a lookup on name */
3773                 break;
3774 
3775         default:
3776                 /* AF_ROUTE, AF_KEY do not support accept */
3777                 break;
3778         }
3779 
3780         releasef(fd);
3781 
3782         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3783 
3784         if (add_sock_token == 0) {
3785                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3786                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3787                 return;
3788         }
3789 
3790         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3791 
3792 }
3793 
3794 /*ARGSUSED*/
3795 static void
3796 aus_shutdown(struct t_audit_data *tad)
3797 {
3798         struct a {
3799                 long    fd;
3800                 long    how;
3801         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3802 
3803         struct sonode *so;
3804         char so_laddr[sizeof (struct sockaddr_in6)];
3805         char so_faddr[sizeof (struct sockaddr_in6)];
3806         int err, fd;
3807         socklen_t len;
3808         short so_family, so_type;
3809         int add_sock_token = 0;
3810         file_t *fp;                             /* unix domain sockets */
3811         struct f_audit_data *fad;               /* unix domain sockets */
3812 
3813         fd = (int)uap->fd;
3814 
3815         if ((so = getsonode(fd, &err, &fp)) == NULL) {
3816                 /*
3817                  * not security relevant if doing a shutdown using non socket
3818                  * so no extra tokens. Should probably turn off audit record
3819                  * generation here.
3820                  */
3821                 return;
3822         }
3823 
3824         so_family = so->so_family;
3825         so_type   = so->so_type;
3826 
3827         switch (so_family) {
3828         case AF_INET:
3829         case AF_INET6:
3830 
3831                 bzero(so_laddr, sizeof (so_laddr));
3832                 bzero(so_faddr, sizeof (so_faddr));
3833 
3834                 len = sizeof (so_laddr);
3835                 (void) socket_getsockname(so,
3836                     (struct sockaddr *)so_laddr, &len, CRED());
3837                 len = sizeof (so_faddr);
3838                 (void) socket_getpeername(so,
3839                     (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3840 
3841                 add_sock_token = 1;
3842 
3843                 break;
3844 
3845         case AF_UNIX:
3846 
3847                 /* get path from file struct here */
3848                 fad = F2A(fp);
3849                 ASSERT(fad);
3850 
3851                 if (fad->fad_aupath != NULL) {
3852                         au_uwrite(au_to_path(fad->fad_aupath));
3853                 } else {
3854                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
3855                 }
3856 
3857                 audit_attributes(fp->f_vnode);
3858 
3859                 break;
3860 
3861         default:
3862                 /*
3863                  * AF_KEY and AF_ROUTE support shutdown. No socket token
3864                  * added.
3865                  */
3866                 break;
3867         }
3868 
3869         releasef(fd);
3870 
3871         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3872 
3873         if (add_sock_token == 0) {
3874                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3875                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3876                 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3877                 return;
3878         }
3879 
3880         au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3881 
3882         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3883 
3884 }
3885 
3886 /*ARGSUSED*/
3887 static void
3888 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3889 {
3890         struct a {
3891                 long    fd;
3892                 long    level;
3893                 long    optname;
3894                 long    *optval;
3895                 long    optlen;
3896         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3897 
3898         struct sonode   *so;
3899         char so_laddr[sizeof (struct sockaddr_in6)];
3900         char so_faddr[sizeof (struct sockaddr_in6)];
3901         char            val[AU_BUFSIZE];
3902         int             err, fd;
3903         socklen_t       len;
3904         short so_family, so_type;
3905         int             add_sock_token = 0;
3906         file_t *fp;                             /* unix domain sockets */
3907         struct f_audit_data *fad;               /* unix domain sockets */
3908 
3909         fd = (int)uap->fd;
3910 
3911         if (error) {
3912                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3913                 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3914                 /* XXX may want to include other arguments */
3915                 return;
3916         }
3917 
3918         if ((so = getsonode(fd, &err, &fp)) == NULL) {
3919                 /*
3920                  * not security relevant if doing a setsockopt from non socket
3921                  * so no extra tokens. Should probably turn off audit record
3922                  * generation here.
3923                  */
3924                 return;
3925         }
3926 
3927         so_family = so->so_family;
3928         so_type   = so->so_type;
3929 
3930         switch (so_family) {
3931         case AF_INET:
3932         case AF_INET6:
3933                 bzero((void *)so_laddr, sizeof (so_laddr));
3934                 bzero((void *)so_faddr, sizeof (so_faddr));
3935 
3936                 /* get local and foreign addresses */
3937                 len = sizeof (so_laddr);
3938                 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3939                     &len, CRED());
3940                 len = sizeof (so_faddr);
3941                 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3942                     &len, B_FALSE, CRED());
3943 
3944                 add_sock_token = 1;
3945 
3946                 break;
3947 
3948         case AF_UNIX:
3949 
3950                 /* get path from file struct here */
3951                 fad = F2A(fp);
3952                 ASSERT(fad);
3953 
3954                 if (fad->fad_aupath != NULL) {
3955                         au_uwrite(au_to_path(fad->fad_aupath));
3956                 } else {
3957                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
3958                 }
3959 
3960                 audit_attributes(fp->f_vnode);
3961 
3962                 break;
3963 
3964         default:
3965                 /*
3966                  * AF_KEY and AF_ROUTE support setsockopt. No socket token
3967                  * added.
3968                  */
3969                 break;
3970         }
3971 
3972         releasef(fd);
3973 
3974         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3975 
3976         if (add_sock_token == 0) {
3977                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3978                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3979         }
3980         au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3981         au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3982 
3983         bzero(val, sizeof (val));
3984         len = min(uap->optlen, sizeof (val));
3985         if ((len > 0) &&
3986             (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3987                 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3988                 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3989         }
3990 
3991         if (add_sock_token == 0)
3992                 return;
3993 
3994         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3995 
3996 }
3997 
3998 /*ARGSUSED*/
3999 static void
4000 aus_sockconfig(tad)
4001         struct t_audit_data *tad;
4002 {
4003         struct a {
4004                 long    cmd;
4005                 long    arg1;
4006                 long    arg2;
4007                 long    arg3;
4008                 long    arg4;
4009         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4010 
4011         char    *buf;
4012         int     buflen;
4013         size_t  size;
4014 
4015         au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4016         switch (uap->cmd) {
4017         case SOCKCONFIG_ADD_SOCK:
4018         case SOCKCONFIG_REMOVE_SOCK:
4019                 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4020                 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4021                 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4022 
4023                 if (uap->arg4 == 0) {
4024                         au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4025                 } else {
4026                         buflen = MAXPATHLEN + 1;
4027                         buf = kmem_alloc(buflen, KM_SLEEP);
4028                         if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4029                             &size)) {
4030                                 kmem_free(buf, buflen);
4031                                 return;
4032                         }
4033 
4034                         if (size > MAXPATHLEN) {
4035                                 kmem_free(buf, buflen);
4036                                 return;
4037                         }
4038 
4039                         au_uwrite(au_to_text(buf));
4040                         kmem_free(buf, buflen);
4041                 }
4042                 break;
4043         case SOCKCONFIG_ADD_FILTER:
4044         case SOCKCONFIG_REMOVE_FILTER:
4045                 buflen = FILNAME_MAX;
4046                 buf = kmem_alloc(buflen, KM_SLEEP);
4047 
4048                 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4049                         kmem_free(buf, buflen);
4050                         return;
4051                 }
4052 
4053                 au_uwrite(au_to_text(buf));
4054                 kmem_free(buf, buflen);
4055                 break;
4056         default:
4057                 break;
4058         }
4059 }
4060 
4061 /*
4062  * only audit recvmsg when the system call represents the creation of a new
4063  * circuit. This effectively occurs for all UDP packets and may occur for
4064  * special TCP situations where the local host has not set a local address
4065  * in the socket structure.
4066  */
4067 /*ARGSUSED*/
4068 static void
4069 auf_recvmsg(
4070         struct t_audit_data *tad,
4071         int error,
4072         rval_t *rvp)
4073 {
4074         struct a {
4075                 long    fd;
4076                 long    msg;    /* struct msghdr */
4077                 long    flags;
4078         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4079 
4080         struct sonode   *so;
4081         STRUCT_DECL(msghdr, msg);
4082         caddr_t msg_name;
4083         socklen_t msg_namelen;
4084         int fd;
4085         int err;
4086         char so_laddr[sizeof (struct sockaddr_in6)];
4087         char so_faddr[sizeof (struct sockaddr_in6)];
4088         socklen_t len;
4089         file_t *fp;                             /* unix domain sockets */
4090         struct f_audit_data *fad;               /* unix domain sockets */
4091         short so_family, so_type;
4092         int add_sock_token = 0;
4093         au_kcontext_t   *kctx = GET_KCTX_PZ;
4094 
4095         fd = (int)uap->fd;
4096 
4097         /* bail if an error */
4098         if (error) {
4099                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4100                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4101                 return;
4102         }
4103 
4104         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4105                 /*
4106                  * not security relevant if doing a recvmsg from non socket
4107                  * so no extra tokens. Should probably turn off audit record
4108                  * generation here.
4109                  */
4110                 return;
4111         }
4112 
4113         so_family = so->so_family;
4114         so_type   = so->so_type;
4115 
4116         /*
4117          * only putout SOCKET_EX token if INET/INET6 family.
4118          * XXX - what do we do about other families?
4119          */
4120 
4121         switch (so_family) {
4122         case AF_INET:
4123         case AF_INET6:
4124 
4125                 /*
4126                  * if datagram type socket, then just use what is in
4127                  * socket structure for local address.
4128                  * XXX - what do we do for other types?
4129                  */
4130                 if ((so->so_type == SOCK_DGRAM) ||
4131                     (so->so_type == SOCK_RAW)) {
4132                         add_sock_token = 1;
4133 
4134                         bzero((void *)so_laddr, sizeof (so_laddr));
4135                         bzero((void *)so_faddr, sizeof (so_faddr));
4136 
4137                         /* get local address */
4138                         len = sizeof (so_laddr);
4139                         (void) socket_getsockname(so,
4140                             (struct sockaddr *)so_laddr, &len, CRED());
4141 
4142                         /* get peer address */
4143                         STRUCT_INIT(msg, get_udatamodel());
4144 
4145                         if (copyin((caddr_t)(uap->msg),
4146                             (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4147                                 break;
4148                         }
4149                         msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4150                         if (msg_name == NULL) {
4151                                 break;
4152                         }
4153 
4154                         /* length is value from recvmsg - sanity check */
4155                         msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4156                         if (msg_namelen == 0) {
4157                                 break;
4158                         }
4159                         if (copyin(msg_name, so_faddr,
4160                             sizeof (so_faddr)) != 0) {
4161                                 break;
4162                         }
4163 
4164                 } else if (so->so_type == SOCK_STREAM) {
4165 
4166                         /* get path from file struct here */
4167                         fad = F2A(fp);
4168                         ASSERT(fad);
4169 
4170                         /*
4171                          * already processed this file for read attempt
4172                          */
4173                         if (fad->fad_flags & FAD_READ) {
4174                                 /* don't want to audit every recvmsg attempt */
4175                                 tad->tad_flag = 0;
4176                                 /* free any residual audit data */
4177                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4178                                 releasef(fd);
4179                                 return;
4180                         }
4181                         /*
4182                          * mark things so we know what happened and don't
4183                          * repeat things
4184                          */
4185                         fad->fad_flags |= FAD_READ;
4186 
4187                         bzero((void *)so_laddr, sizeof (so_laddr));
4188                         bzero((void *)so_faddr, sizeof (so_faddr));
4189 
4190                         /* get local and foreign addresses */
4191                         len = sizeof (so_laddr);
4192                         (void) socket_getsockname(so,
4193                             (struct sockaddr *)so_laddr, &len, CRED());
4194                         len = sizeof (so_faddr);
4195                         (void) socket_getpeername(so,
4196                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4197 
4198                         add_sock_token = 1;
4199                 }
4200 
4201                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4202 
4203                 break;
4204 
4205         case AF_UNIX:
4206                 /*
4207                  * first check if this is first time through. Too much
4208                  * duplicate code to put this in an aui_ routine.
4209                  */
4210 
4211                 /* get path from file struct here */
4212                 fad = F2A(fp);
4213                 ASSERT(fad);
4214 
4215                 /*
4216                  * already processed this file for read attempt
4217                  */
4218                 if (fad->fad_flags & FAD_READ) {
4219                         releasef(fd);
4220                         /* don't want to audit every recvmsg attempt */
4221                         tad->tad_flag = 0;
4222                         /* free any residual audit data */
4223                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4224                         return;
4225                 }
4226                 /*
4227                  * mark things so we know what happened and don't
4228                  * repeat things
4229                  */
4230                 fad->fad_flags |= FAD_READ;
4231 
4232                 if (fad->fad_aupath != NULL) {
4233                         au_uwrite(au_to_path(fad->fad_aupath));
4234                 } else {
4235                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4236                 }
4237 
4238                 audit_attributes(fp->f_vnode);
4239 
4240                 releasef(fd);
4241 
4242                 return;
4243 
4244         default:
4245                 break;
4246 
4247         }
4248 
4249         releasef(fd);
4250 
4251         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4252 
4253         if (add_sock_token == 0) {
4254                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4255                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4256                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4257                 return;
4258         }
4259 
4260         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4261 
4262         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4263 
4264 }
4265 
4266 /*ARGSUSED*/
4267 static void
4268 auf_recvfrom(
4269         struct t_audit_data *tad,
4270         int error,
4271         rval_t *rvp)
4272 {
4273 
4274         struct a {
4275                 long    fd;
4276                 long    msg;    /* char */
4277                 long    len;
4278                 long    flags;
4279                 long    from;   /* struct sockaddr */
4280                 long    fromlen;
4281         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4282 
4283         socklen_t       fromlen;
4284         struct sonode   *so;
4285         char so_laddr[sizeof (struct sockaddr_in6)];
4286         char so_faddr[sizeof (struct sockaddr_in6)];
4287         int             fd;
4288         short so_family, so_type;
4289         int add_sock_token = 0;
4290         socklen_t len;
4291         int err;
4292         struct file *fp;
4293         struct f_audit_data *fad;               /* unix domain sockets */
4294         au_kcontext_t   *kctx = GET_KCTX_PZ;
4295 
4296         fd = (int)uap->fd;
4297 
4298         /* bail if an error */
4299         if (error) {
4300                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4301                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4302                 return;
4303         }
4304 
4305         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4306                 /*
4307                  * not security relevant if doing a recvmsg from non socket
4308                  * so no extra tokens. Should probably turn off audit record
4309                  * generation here.
4310                  */
4311                 return;
4312         }
4313 
4314         so_family = so->so_family;
4315         so_type   = so->so_type;
4316 
4317         /*
4318          * only putout SOCKET_EX token if INET/INET6 family.
4319          * XXX - what do we do about other families?
4320          */
4321 
4322         switch (so_family) {
4323         case AF_INET:
4324         case AF_INET6:
4325 
4326                 /*
4327                  * if datagram type socket, then just use what is in
4328                  * socket structure for local address.
4329                  * XXX - what do we do for other types?
4330                  */
4331                 if ((so->so_type == SOCK_DGRAM) ||
4332                     (so->so_type == SOCK_RAW)) {
4333                         add_sock_token = 1;
4334 
4335                         /* get local address */
4336                         len = sizeof (so_laddr);
4337                         (void) socket_getsockname(so,
4338                             (struct sockaddr *)so_laddr, &len, CRED());
4339 
4340                         /* get peer address */
4341                         bzero((void *)so_faddr, sizeof (so_faddr));
4342 
4343                         /* sanity check */
4344                         if (uap->from == NULL)
4345                                 break;
4346 
4347                         /* sanity checks */
4348                         if (uap->fromlen == 0)
4349                                 break;
4350 
4351                         if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4352                             sizeof (fromlen)) != 0)
4353                                 break;
4354 
4355                         if (fromlen == 0)
4356                                 break;
4357 
4358                         /* enforce maximum size */
4359                         if (fromlen > sizeof (so_faddr))
4360                                 fromlen = sizeof (so_faddr);
4361 
4362                         if (copyin((caddr_t)(uap->from), so_faddr,
4363                             fromlen) != 0)
4364                                 break;
4365 
4366                 } else if (so->so_type == SOCK_STREAM) {
4367 
4368                         /* get path from file struct here */
4369                         fad = F2A(fp);
4370                         ASSERT(fad);
4371 
4372                         /*
4373                          * already processed this file for read attempt
4374                          */
4375                         if (fad->fad_flags & FAD_READ) {
4376                                 /* don't want to audit every recvfrom attempt */
4377                                 tad->tad_flag = 0;
4378                                 /* free any residual audit data */
4379                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4380                                 releasef(fd);
4381                                 return;
4382                         }
4383                         /*
4384                          * mark things so we know what happened and don't
4385                          * repeat things
4386                          */
4387                         fad->fad_flags |= FAD_READ;
4388 
4389                         bzero((void *)so_laddr, sizeof (so_laddr));
4390                         bzero((void *)so_faddr, sizeof (so_faddr));
4391 
4392                         /* get local and foreign addresses */
4393                         len = sizeof (so_laddr);
4394                         (void) socket_getsockname(so,
4395                             (struct sockaddr *)so_laddr, &len, CRED());
4396                         len = sizeof (so_faddr);
4397                         (void) socket_getpeername(so,
4398                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4399 
4400                         add_sock_token = 1;
4401                 }
4402 
4403                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4404 
4405                 break;
4406 
4407         case AF_UNIX:
4408                 /*
4409                  * first check if this is first time through. Too much
4410                  * duplicate code to put this in an aui_ routine.
4411                  */
4412 
4413                 /* get path from file struct here */
4414                 fad = F2A(fp);
4415                 ASSERT(fad);
4416 
4417                 /*
4418                  * already processed this file for read attempt
4419                  */
4420                 if (fad->fad_flags & FAD_READ) {
4421                         /* don't want to audit every recvfrom attempt */
4422                         tad->tad_flag = 0;
4423                         /* free any residual audit data */
4424                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4425                         releasef(fd);
4426                         return;
4427                 }
4428                 /*
4429                  * mark things so we know what happened and don't
4430                  * repeat things
4431                  */
4432                 fad->fad_flags |= FAD_READ;
4433 
4434                 if (fad->fad_aupath != NULL) {
4435                         au_uwrite(au_to_path(fad->fad_aupath));
4436                 } else {
4437                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4438                 }
4439 
4440                 audit_attributes(fp->f_vnode);
4441 
4442                 releasef(fd);
4443 
4444                 return;
4445 
4446         default:
4447                 break;
4448 
4449         }
4450 
4451         releasef(fd);
4452 
4453         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4454 
4455         if (add_sock_token == 0) {
4456                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4457                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4458                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4459                 return;
4460         }
4461 
4462         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4463 
4464         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4465 }
4466 
4467 /*ARGSUSED*/
4468 static void
4469 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4470 {
4471         struct a {
4472                 long    fd;
4473                 long    msg;    /* struct msghdr */
4474                 long    flags;
4475         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4476 
4477         struct sonode   *so;
4478         char so_laddr[sizeof (struct sockaddr_in6)];
4479         char so_faddr[sizeof (struct sockaddr_in6)];
4480         int             err;
4481         int             fd;
4482         short so_family, so_type;
4483         int             add_sock_token = 0;
4484         socklen_t       len;
4485         struct file     *fp;
4486         struct f_audit_data *fad;
4487         caddr_t         msg_name;
4488         socklen_t       msg_namelen;
4489         STRUCT_DECL(msghdr, msg);
4490         au_kcontext_t   *kctx = GET_KCTX_PZ;
4491 
4492         fd = (int)uap->fd;
4493 
4494         /* bail if an error */
4495         if (error) {
4496                 /* XXX include destination address from system call arguments */
4497                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4498                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4499                 return;
4500         }
4501 
4502         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4503                 /*
4504                  * not security relevant if doing a sendmsg from non socket
4505                  * so no extra tokens. Should probably turn off audit record
4506                  * generation here.
4507                  */
4508                 return;
4509         }
4510 
4511         so_family = so->so_family;
4512         so_type   = so->so_type;
4513 
4514         switch (so_family) {
4515         case AF_INET:
4516         case AF_INET6:
4517                 /*
4518                  * if datagram type socket, then just use what is in
4519                  * socket structure for local address.
4520                  * XXX - what do we do for other types?
4521                  */
4522                 if ((so->so_type == SOCK_DGRAM) ||
4523                     (so->so_type == SOCK_RAW)) {
4524 
4525                         bzero((void *)so_laddr, sizeof (so_laddr));
4526                         bzero((void *)so_faddr, sizeof (so_faddr));
4527 
4528                         /* get local address */
4529                         len = sizeof (so_laddr);
4530                         (void) socket_getsockname(so,
4531                             (struct sockaddr *)so_laddr, &len, CRED());
4532 
4533                         /* get peer address */
4534                         STRUCT_INIT(msg, get_udatamodel());
4535 
4536                         if (copyin((caddr_t)(uap->msg),
4537                             (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4538                                 break;
4539                         }
4540                         msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4541                         if (msg_name == NULL)
4542                                 break;
4543 
4544                         msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4545                         /* length is value from recvmsg - sanity check */
4546                         if (msg_namelen == 0)
4547                                 break;
4548 
4549                         if (copyin(msg_name, so_faddr,
4550                             sizeof (so_faddr)) != 0)
4551                                 break;
4552 
4553                         add_sock_token = 1;
4554 
4555                 } else if (so->so_type == SOCK_STREAM) {
4556 
4557                         /* get path from file struct here */
4558                         fad = F2A(fp);
4559                         ASSERT(fad);
4560 
4561                         /*
4562                          * already processed this file for write attempt
4563                          */
4564                         if (fad->fad_flags & FAD_WRITE) {
4565                                 releasef(fd);
4566                                 /* don't want to audit every sendmsg attempt */
4567                                 tad->tad_flag = 0;
4568                                 /* free any residual audit data */
4569                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4570                                 return;
4571                         }
4572 
4573                         /*
4574                          * mark things so we know what happened and don't
4575                          * repeat things
4576                          */
4577                         fad->fad_flags |= FAD_WRITE;
4578 
4579                         bzero((void *)so_laddr, sizeof (so_laddr));
4580                         bzero((void *)so_faddr, sizeof (so_faddr));
4581 
4582                         /* get local and foreign addresses */
4583                         len = sizeof (so_laddr);
4584                         (void) socket_getsockname(so,
4585                             (struct sockaddr *)so_laddr, &len, CRED());
4586                         len = sizeof (so_faddr);
4587                         (void) socket_getpeername(so,
4588                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4589 
4590                         add_sock_token = 1;
4591                 }
4592 
4593                 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4594 
4595                 break;
4596 
4597         case AF_UNIX:
4598                 /*
4599                  * first check if this is first time through. Too much
4600                  * duplicate code to put this in an aui_ routine.
4601                  */
4602 
4603                 /* get path from file struct here */
4604                 fad = F2A(fp);
4605                 ASSERT(fad);
4606 
4607                 /*
4608                  * already processed this file for write attempt
4609                  */
4610                 if (fad->fad_flags & FAD_WRITE) {
4611                         releasef(fd);
4612                         /* don't want to audit every sendmsg attempt */
4613                         tad->tad_flag = 0;
4614                         /* free any residual audit data */
4615                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4616                         return;
4617                 }
4618                 /*
4619                  * mark things so we know what happened and don't
4620                  * repeat things
4621                  */
4622                 fad->fad_flags |= FAD_WRITE;
4623 
4624                 if (fad->fad_aupath != NULL) {
4625                         au_uwrite(au_to_path(fad->fad_aupath));
4626                 } else {
4627                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4628                 }
4629 
4630                 audit_attributes(fp->f_vnode);
4631 
4632                 releasef(fd);
4633 
4634                 return;
4635 
4636         default:
4637                 break;
4638         }
4639 
4640         releasef(fd);
4641 
4642         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4643 
4644         if (add_sock_token == 0) {
4645                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4646                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4647                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4648                 return;
4649         }
4650 
4651         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4652 
4653         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4654 }
4655 
4656 /*ARGSUSED*/
4657 static void
4658 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4659 {
4660         struct a {
4661                 long    fd;
4662                 long    msg;    /* char */
4663                 long    len;
4664                 long    flags;
4665                 long    to;     /* struct sockaddr */
4666                 long    tolen;
4667         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4668 
4669         struct sonode   *so;
4670         char so_laddr[sizeof (struct sockaddr_in6)];
4671         char so_faddr[sizeof (struct sockaddr_in6)];
4672         socklen_t       tolen;
4673         int             err;
4674         int             fd;
4675         socklen_t       len;
4676         short so_family, so_type;
4677         int             add_sock_token = 0;
4678         struct file     *fp;
4679         struct f_audit_data *fad;
4680         au_kcontext_t   *kctx = GET_KCTX_PZ;
4681 
4682         fd = (int)uap->fd;
4683 
4684         /* bail if an error */
4685         if (error) {
4686                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4687                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4688                 /* XXX include destination address from system call arguments */
4689                 return;
4690         }
4691 
4692         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4693                 /*
4694                  * not security relevant if doing a sendto using non socket
4695                  * so no extra tokens. Should probably turn off audit record
4696                  * generation here.
4697                  */
4698                 return;
4699         }
4700 
4701         so_family = so->so_family;
4702         so_type   = so->so_type;
4703 
4704         /*
4705          * only putout SOCKET_EX token if INET/INET6 family.
4706          * XXX - what do we do about other families?
4707          */
4708 
4709         switch (so_family) {
4710         case AF_INET:
4711         case AF_INET6:
4712 
4713                 /*
4714                  * if datagram type socket, then just use what is in
4715                  * socket structure for local address.
4716                  * XXX - what do we do for other types?
4717                  */
4718                 if ((so->so_type == SOCK_DGRAM) ||
4719                     (so->so_type == SOCK_RAW)) {
4720 
4721                         bzero((void *)so_laddr, sizeof (so_laddr));
4722                         bzero((void *)so_faddr, sizeof (so_faddr));
4723 
4724                         /* get local address */
4725                         len = sizeof (so_laddr);
4726                         (void) socket_getsockname(so,
4727                             (struct sockaddr *)so_laddr, &len, CRED());
4728 
4729                         /* get peer address */
4730 
4731                         /* sanity check */
4732                         if (uap->to == NULL)
4733                                 break;
4734 
4735                         /* sanity checks */
4736                         if (uap->tolen == 0)
4737                                 break;
4738 
4739                         tolen = (socklen_t)uap->tolen;
4740 
4741                         /* enforce maximum size */
4742                         if (tolen > sizeof (so_faddr))
4743                                 tolen = sizeof (so_faddr);
4744 
4745                         if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4746                                 break;
4747 
4748                         add_sock_token = 1;
4749                 } else {
4750                         /*
4751                          * check if this is first time through.
4752                          */
4753 
4754                         /* get path from file struct here */
4755                         fad = F2A(fp);
4756                         ASSERT(fad);
4757 
4758                         /*
4759                          * already processed this file for write attempt
4760                          */
4761                         if (fad->fad_flags & FAD_WRITE) {
4762                                 /* don't want to audit every sendto attempt */
4763                                 tad->tad_flag = 0;
4764                                 /* free any residual audit data */
4765                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4766                                 releasef(fd);
4767                                 return;
4768                         }
4769                         /*
4770                          * mark things so we know what happened and don't
4771                          * repeat things
4772                          */
4773                         fad->fad_flags |= FAD_WRITE;
4774 
4775                         bzero((void *)so_laddr, sizeof (so_laddr));
4776                         bzero((void *)so_faddr, sizeof (so_faddr));
4777 
4778                         /* get local and foreign addresses */
4779                         len = sizeof (so_laddr);
4780                         (void) socket_getsockname(so,
4781                             (struct sockaddr *)so_laddr, &len, CRED());
4782                         len = sizeof (so_faddr);
4783                         (void) socket_getpeername(so,
4784                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4785 
4786                         add_sock_token = 1;
4787                 }
4788 
4789                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4790 
4791                 break;
4792 
4793         case AF_UNIX:
4794                 /*
4795                  * first check if this is first time through. Too much
4796                  * duplicate code to put this in an aui_ routine.
4797                  */
4798 
4799                 /* get path from file struct here */
4800                 fad = F2A(fp);
4801                 ASSERT(fad);
4802 
4803                 /*
4804                  * already processed this file for write attempt
4805                  */
4806                 if (fad->fad_flags & FAD_WRITE) {
4807                         /* don't want to audit every sendto attempt */
4808                         tad->tad_flag = 0;
4809                         /* free any residual audit data */
4810                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4811                         releasef(fd);
4812                         return;
4813                 }
4814                 /*
4815                  * mark things so we know what happened and don't
4816                  * repeat things
4817                  */
4818                 fad->fad_flags |= FAD_WRITE;
4819 
4820                 if (fad->fad_aupath != NULL) {
4821                         au_uwrite(au_to_path(fad->fad_aupath));
4822                 } else {
4823                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4824                 }
4825 
4826                 audit_attributes(fp->f_vnode);
4827 
4828                 releasef(fd);
4829 
4830                 return;
4831 
4832         default:
4833                 break;
4834 
4835         }
4836 
4837         releasef(fd);
4838 
4839         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4840 
4841         if (add_sock_token == 0) {
4842                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4843                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4844                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4845                 return;
4846         }
4847 
4848         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4849 
4850         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4851 
4852 }
4853 
4854 /*
4855  * XXX socket(2) may be equivalent to open(2) on a unix domain
4856  * socket. This needs investigation.
4857  */
4858 
4859 /*ARGSUSED*/
4860 static void
4861 aus_socket(struct t_audit_data *tad)
4862 {
4863         struct a {
4864                 long    domain;
4865                 long    type;
4866                 long    protocol;
4867         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4868 
4869         au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4870         au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4871         au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4872 }
4873 
4874 /*ARGSUSED*/
4875 static void
4876 aus_sigqueue(struct t_audit_data *tad)
4877 {
4878         struct a {
4879                 long    pid;
4880                 long    signo;
4881                 long    *val;
4882         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4883         struct proc *p;
4884         uid_t uid, ruid;
4885         gid_t gid, rgid;
4886         pid_t pid;
4887         const auditinfo_addr_t *ainfo;
4888         cred_t *cr;
4889 
4890         pid = (pid_t)uap->pid;
4891 
4892         au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4893         if (pid > 0) {
4894                 mutex_enter(&pidlock);
4895                 if ((p = prfind(pid)) == (struct proc *)0) {
4896                         mutex_exit(&pidlock);
4897                         return;
4898                 }
4899                 mutex_enter(&p->p_lock); /* so process doesn't go away */
4900                 mutex_exit(&pidlock);
4901 
4902                 mutex_enter(&p->p_crlock);
4903                 crhold(cr = p->p_cred);
4904                 mutex_exit(&p->p_crlock);
4905                 mutex_exit(&p->p_lock);
4906 
4907                 ainfo = crgetauinfo(cr);
4908                 if (ainfo == NULL) {
4909                         crfree(cr);
4910                         return;
4911                 }
4912 
4913                 uid  = crgetuid(cr);
4914                 gid  = crgetgid(cr);
4915                 ruid = crgetruid(cr);
4916                 rgid = crgetrgid(cr);
4917                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4918                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4919                 crfree(cr);
4920         }
4921         else
4922                 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4923 }
4924 
4925 /*ARGSUSED*/
4926 static void
4927 aus_inst_sync(struct t_audit_data *tad)
4928 {
4929         struct a {
4930                 long    name;   /* char */
4931                 long    flags;
4932         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4933 
4934         au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4935 }
4936 
4937 /*ARGSUSED*/
4938 static void
4939 aus_brandsys(struct t_audit_data *tad)
4940 {
4941         klwp_t *clwp = ttolwp(curthread);
4942 
4943         struct a {
4944                 long    cmd;
4945                 long    arg1;
4946                 long    arg2;
4947                 long    arg3;
4948                 long    arg4;
4949                 long    arg5;
4950                 long    arg6;
4951         } *uap = (struct a *)clwp->lwp_ap;
4952 
4953         au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4954 #ifdef _LP64
4955         au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4956         au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4957         au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4958         au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4959         au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4960         au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4961 #else
4962         au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4963         au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4964         au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4965         au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4966         au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4967         au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4968 #endif
4969 }
4970 
4971 /*ARGSUSED*/
4972 static void
4973 aus_p_online(struct t_audit_data *tad)
4974 {
4975         struct a {
4976                 long    processor_id;
4977                 long    flag;
4978         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4979 
4980         struct flags {
4981                         int     flag;
4982                         char    *cflag;
4983         } aflags[6] = {
4984                         { P_ONLINE, "P_ONLINE"},
4985                         { P_OFFLINE, "P_OFFLINE"},
4986                         { P_NOINTR, "P_NOINTR"},
4987                         { P_SPARE, "P_SPARE"},
4988                         { P_FAULTED, "P_FAULTED"},
4989                         { P_STATUS, "P_STATUS"}
4990         };
4991         int i;
4992         char *cflag;
4993 
4994         au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4995         au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4996 
4997         for (i = 0; i < 6; i++) {
4998                 if (aflags[i].flag == uap->flag)
4999                         break;
5000         }
5001         cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5002 
5003         au_uwrite(au_to_text(cflag));
5004 }
5005 
5006 /*ARGSUSED*/
5007 static void
5008 aus_processor_bind(struct t_audit_data *tad)
5009 {
5010         struct a {
5011                 long    id_type;
5012                 long    id;
5013                 long    processor_id;
5014                 long    obind;
5015         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5016 
5017         struct proc *p;
5018         int lwpcnt;
5019         uid_t uid, ruid;
5020         gid_t gid, rgid;
5021         pid_t pid;
5022         const auditinfo_addr_t *ainfo;
5023         cred_t *cr;
5024 
5025         au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5026         au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5027         if (uap->processor_id == PBIND_NONE)
5028                 au_uwrite(au_to_text("PBIND_NONE"));
5029         else
5030                 au_uwrite(au_to_arg32(3, "processor_id",
5031                     (uint32_t)uap->processor_id));
5032 
5033         switch (uap->id_type) {
5034         case P_MYID:
5035         case P_LWPID:
5036                 mutex_enter(&pidlock);
5037                 p = ttoproc(curthread);
5038                 if (p == NULL || p->p_as == &kas) {
5039                         mutex_exit(&pidlock);
5040                         return;
5041                 }
5042                 mutex_enter(&p->p_lock);
5043                 mutex_exit(&pidlock);
5044                 lwpcnt = p->p_lwpcnt;
5045                 pid  = p->p_pid;
5046 
5047                 mutex_enter(&p->p_crlock);
5048                 crhold(cr = p->p_cred);
5049                 mutex_exit(&p->p_crlock);
5050                 mutex_exit(&p->p_lock);
5051 
5052                 ainfo = crgetauinfo(cr);
5053                 if (ainfo == NULL) {
5054                         crfree(cr);
5055                         return;
5056                 }
5057 
5058                 uid  = crgetuid(cr);
5059                 gid  = crgetgid(cr);
5060                 ruid = crgetruid(cr);
5061                 rgid = crgetrgid(cr);
5062                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5063                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5064                 crfree(cr);
5065                 break;
5066         case P_PID:
5067                 mutex_enter(&pidlock);
5068                 p = prfind(uap->id);
5069                 if (p == NULL || p->p_as == &kas) {
5070                         mutex_exit(&pidlock);
5071                         return;
5072                 }
5073                 mutex_enter(&p->p_lock);
5074                 mutex_exit(&pidlock);
5075                 lwpcnt = p->p_lwpcnt;
5076                 pid  = p->p_pid;
5077 
5078                 mutex_enter(&p->p_crlock);
5079                 crhold(cr = p->p_cred);
5080                 mutex_exit(&p->p_crlock);
5081                 mutex_exit(&p->p_lock);
5082 
5083                 ainfo = crgetauinfo(cr);
5084                 if (ainfo == NULL) {
5085                         crfree(cr);
5086                         return;
5087                 }
5088 
5089                 uid  = crgetuid(cr);
5090                 gid  = crgetgid(cr);
5091                 ruid = crgetruid(cr);
5092                 rgid = crgetrgid(cr);
5093                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5094                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5095                 crfree(cr);
5096 
5097                 break;
5098         default:
5099                 return;
5100         }
5101 
5102         if (uap->processor_id == PBIND_NONE &&
5103             (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5104                 au_uwrite(au_to_text("PBIND_NONE for process"));
5105         else
5106                 au_uwrite(au_to_arg32(3, "processor_id",
5107                     (uint32_t)uap->processor_id));
5108 }
5109 
5110 /*ARGSUSED*/
5111 static au_event_t
5112 aui_doorfs(au_event_t e)
5113 {
5114         uint32_t code;
5115 
5116         struct a {              /* doorfs */
5117                 long    a1;
5118                 long    a2;
5119                 long    a3;
5120                 long    a4;
5121                 long    a5;
5122                 long    code;
5123         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5124 
5125         /*
5126          *      audit formats for several of the
5127          *      door calls have not yet been determined
5128          */
5129         code = (uint32_t)uap->code;
5130         switch (code) {
5131         case DOOR_CALL:
5132                 e = AUE_DOORFS_DOOR_CALL;
5133                 break;
5134         case DOOR_RETURN:
5135                 e = AUE_NULL;
5136                 break;
5137         case DOOR_CREATE:
5138                 e = AUE_DOORFS_DOOR_CREATE;
5139                 break;
5140         case DOOR_REVOKE:
5141                 e = AUE_DOORFS_DOOR_REVOKE;
5142                 break;
5143         case DOOR_INFO:
5144                 e = AUE_NULL;
5145                 break;
5146         case DOOR_UCRED:
5147                 e = AUE_NULL;
5148                 break;
5149         case DOOR_BIND:
5150                 e = AUE_NULL;
5151                 break;
5152         case DOOR_UNBIND:
5153                 e = AUE_NULL;
5154                 break;
5155         case DOOR_GETPARAM:
5156                 e = AUE_NULL;
5157                 break;
5158         case DOOR_SETPARAM:
5159                 e = AUE_NULL;
5160                 break;
5161         default:        /* illegal system call */
5162                 e = AUE_NULL;
5163                 break;
5164         }
5165 
5166         return (e);
5167 }
5168 
5169 static door_node_t *
5170 au_door_lookup(int did)
5171 {
5172         vnode_t *vp;
5173         file_t *fp;
5174 
5175         if ((fp = getf(did)) == NULL)
5176                 return (NULL);
5177         /*
5178          * Use the underlying vnode (we may be namefs mounted)
5179          */
5180         if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5181                 vp = fp->f_vnode;
5182 
5183         if (vp == NULL || vp->v_type != VDOOR) {
5184                 releasef(did);
5185                 return (NULL);
5186         }
5187 
5188         return (VTOD(vp));
5189 }
5190 
5191 /*ARGSUSED*/
5192 static void
5193 aus_doorfs(struct t_audit_data *tad)
5194 {
5195 
5196         struct a {              /* doorfs */
5197                 long    a1;
5198                 long    a2;
5199                 long    a3;
5200                 long    a4;
5201                 long    a5;
5202                 long    code;
5203         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5204 
5205         door_node_t     *dp;
5206         struct proc     *p;
5207         uint32_t        did;
5208         uid_t uid, ruid;
5209         gid_t gid, rgid;
5210         pid_t pid;
5211         const auditinfo_addr_t *ainfo;
5212         cred_t *cr;
5213 
5214         did = (uint32_t)uap->a1;
5215 
5216         switch (tad->tad_event) {
5217         case AUE_DOORFS_DOOR_CALL:
5218                 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5219                 if ((dp = au_door_lookup(did)) == NULL)
5220                         break;
5221 
5222                 if (DOOR_INVALID(dp)) {
5223                         releasef(did);
5224                         break;
5225                 }
5226 
5227                 if ((p = dp->door_target) == NULL) {
5228                         releasef(did);
5229                         break;
5230                 }
5231                 mutex_enter(&p->p_lock);
5232                 releasef(did);
5233 
5234                 pid  = p->p_pid;
5235 
5236                 mutex_enter(&p->p_crlock);
5237                 crhold(cr = p->p_cred);
5238                 mutex_exit(&p->p_crlock);
5239                 mutex_exit(&p->p_lock);
5240 
5241                 ainfo = crgetauinfo(cr);
5242                 if (ainfo == NULL) {
5243                         crfree(cr);
5244                         return;
5245                 }
5246                 uid  = crgetuid(cr);
5247                 gid  = crgetgid(cr);
5248                 ruid = crgetruid(cr);
5249                 rgid = crgetrgid(cr);
5250                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5251                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5252                 crfree(cr);
5253                 break;
5254         case AUE_DOORFS_DOOR_RETURN:
5255                 /*
5256                  * We may want to write information about
5257                  * all doors (if any) which will be copied
5258                  * by this call to the user space
5259                  */
5260                 break;
5261         case AUE_DOORFS_DOOR_CREATE:
5262                 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5263                 break;
5264         case AUE_DOORFS_DOOR_REVOKE:
5265                 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5266                 break;
5267         case AUE_DOORFS_DOOR_INFO:
5268                 break;
5269         case AUE_DOORFS_DOOR_CRED:
5270                 break;
5271         case AUE_DOORFS_DOOR_BIND:
5272                 break;
5273         case AUE_DOORFS_DOOR_UNBIND: {
5274                 break;
5275         }
5276         default:        /* illegal system call */
5277                 break;
5278         }
5279 }
5280 
5281 /*ARGSUSED*/
5282 static au_event_t
5283 aui_acl(au_event_t e)
5284 {
5285         struct a {
5286                 union {
5287                         long    name;   /* char */
5288                         long    fd;
5289                 }               obj;
5290 
5291                 long            cmd;
5292                 long            nentries;
5293                 long            arg;    /* aclent_t */
5294         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5295 
5296         switch (uap->cmd) {
5297         case SETACL:
5298         case ACE_SETACL:
5299                 /*
5300                  * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5301                  * are expected.
5302                  */
5303                 break;
5304         case GETACL:
5305         case GETACLCNT:
5306         case ACE_GETACL:
5307         case ACE_GETACLCNT:
5308                 /* do nothing for these four values. */
5309                 e = AUE_NULL;
5310                 break;
5311         default:
5312                 /* illegal system call */
5313                 break;
5314         }
5315 
5316         return (e);
5317 }
5318 
5319 static void
5320 au_acl(int cmd, int nentries, caddr_t bufp)
5321 {
5322         size_t          a_size;
5323         aclent_t        *aclbufp;
5324         ace_t           *acebufp;
5325         int             i;
5326 
5327         switch (cmd) {
5328         case GETACL:
5329         case GETACLCNT:
5330                 break;
5331         case SETACL:
5332                 if (nentries < 3)
5333                         break;
5334 
5335                 a_size = nentries * sizeof (aclent_t);
5336 
5337                 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5338                         break;
5339                 if (copyin(bufp, aclbufp, a_size)) {
5340                         kmem_free(aclbufp, a_size);
5341                         break;
5342                 }
5343                 for (i = 0; i < nentries; i++) {
5344                         au_uwrite(au_to_acl(aclbufp + i));
5345                 }
5346                 kmem_free(aclbufp, a_size);
5347                 break;
5348 
5349         case ACE_SETACL:
5350                 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5351                         break;
5352 
5353                 a_size = nentries * sizeof (ace_t);
5354                 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5355                         break;
5356                 if (copyin(bufp, acebufp, a_size)) {
5357                         kmem_free(acebufp, a_size);
5358                         break;
5359                 }
5360                 for (i = 0; i < nentries; i++) {
5361                         au_uwrite(au_to_ace(acebufp + i));
5362                 }
5363                 kmem_free(acebufp, a_size);
5364                 break;
5365         default:
5366                 break;
5367         }
5368 }
5369 
5370 /*ARGSUSED*/
5371 static void
5372 aus_acl(struct t_audit_data *tad)
5373 {
5374         struct a {
5375                 long    fname;
5376                 long    cmd;
5377                 long    nentries;
5378                 long    aclbufp;
5379         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5380 
5381         au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5382         au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5383 
5384         au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5385 }
5386 
5387 /*ARGSUSED*/
5388 static void
5389 aus_facl(struct t_audit_data *tad)
5390 {
5391         struct a {
5392                 long    fd;
5393                 long    cmd;
5394                 long    nentries;
5395                 long    aclbufp;
5396         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5397         struct file  *fp;
5398         struct vnode *vp;
5399         struct f_audit_data *fad;
5400         int fd;
5401 
5402         au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5403         au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5404 
5405         fd = (int)uap->fd;
5406 
5407         if ((fp = getf(fd)) == NULL)
5408                 return;
5409 
5410         /* get path from file struct here */
5411         fad = F2A(fp);
5412         if (fad->fad_aupath != NULL) {
5413                 au_uwrite(au_to_path(fad->fad_aupath));
5414         } else {
5415                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5416         }
5417 
5418         vp = fp->f_vnode;
5419         audit_attributes(vp);
5420 
5421         /* decrement file descriptor reference count */
5422         releasef(fd);
5423 
5424         au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5425 }
5426 
5427 /*ARGSUSED*/
5428 static void
5429 auf_read(tad, error, rval)
5430         struct t_audit_data *tad;
5431         int error;
5432         rval_t *rval;
5433 {
5434         struct file *fp;
5435         struct f_audit_data *fad;
5436         int fd;
5437         register struct a {
5438                 long    fd;
5439         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5440         au_kcontext_t   *kctx = GET_KCTX_PZ;
5441 
5442         fd = (int)uap->fd;
5443 
5444         /*
5445          * convert file pointer to file descriptor
5446          *   Note: fd ref count incremented here.
5447          */
5448         if ((fp = getf(fd)) == NULL)
5449                 return;
5450 
5451         /* get path from file struct here */
5452         fad = F2A(fp);
5453         ASSERT(fad);
5454 
5455         /*
5456          * already processed this file for read attempt
5457          *
5458          * XXX might be better to turn off auditing in a aui_read() routine.
5459          */
5460         if (fad->fad_flags & FAD_READ) {
5461                 /* don't really want to audit every read attempt */
5462                 tad->tad_flag = 0;
5463                 /* free any residual audit data */
5464                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5465                 releasef(fd);
5466                 return;
5467         }
5468         /* mark things so we know what happened and don't repeat things */
5469         fad->fad_flags |= FAD_READ;
5470 
5471         if (fad->fad_aupath != NULL) {
5472                 au_uwrite(au_to_path(fad->fad_aupath));
5473         } else {
5474                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5475         }
5476 
5477         /* include attributes */
5478         audit_attributes(fp->f_vnode);
5479 
5480         /* decrement file descriptor reference count */
5481         releasef(fd);
5482 }
5483 
5484 /*ARGSUSED*/
5485 static void
5486 auf_write(tad, error, rval)
5487         struct t_audit_data *tad;
5488         int error;
5489         rval_t *rval;
5490 {
5491         struct file *fp;
5492         struct f_audit_data *fad;
5493         int fd;
5494         register struct a {
5495                 long    fd;
5496         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5497         au_kcontext_t   *kctx = GET_KCTX_PZ;
5498 
5499         fd = (int)uap->fd;
5500 
5501         /*
5502          * convert file pointer to file descriptor
5503          *   Note: fd ref count incremented here.
5504          */
5505         if ((fp = getf(fd)) == NULL)
5506                 return;
5507 
5508         /* get path from file struct here */
5509         fad = F2A(fp);
5510         ASSERT(fad);
5511 
5512         /*
5513          * already processed this file for write attempt
5514          *
5515          * XXX might be better to turn off auditing in a aus_write() routine.
5516          */
5517         if (fad->fad_flags & FAD_WRITE) {
5518                 /* don't really want to audit every write attempt */
5519                 tad->tad_flag = 0;
5520                 /* free any residual audit data */
5521                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5522                 releasef(fd);
5523                 return;
5524         }
5525         /* mark things so we know what happened and don't repeat things */
5526         fad->fad_flags |= FAD_WRITE;
5527 
5528         if (fad->fad_aupath != NULL) {
5529                 au_uwrite(au_to_path(fad->fad_aupath));
5530         } else {
5531                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5532         }
5533 
5534         /* include attributes */
5535         audit_attributes(fp->f_vnode);
5536 
5537         /* decrement file descriptor reference count */
5538         releasef(fd);
5539 }
5540 
5541 /*ARGSUSED*/
5542 static void
5543 auf_recv(tad, error, rval)
5544         struct t_audit_data *tad;
5545         int error;
5546         rval_t *rval;
5547 {
5548         struct sonode *so;
5549         char so_laddr[sizeof (struct sockaddr_in6)];
5550         char so_faddr[sizeof (struct sockaddr_in6)];
5551         struct file *fp;
5552         struct f_audit_data *fad;
5553         int fd;
5554         int err;
5555         socklen_t len;
5556         short so_family, so_type;
5557         register struct a {
5558                 long    fd;
5559         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5560         au_kcontext_t   *kctx = GET_KCTX_PZ;
5561 
5562         /*
5563          * If there was an error, then nothing to do. Only generate
5564          * audit record on first successful recv.
5565          */
5566         if (error) {
5567                 /* Turn off audit record generation here. */
5568                 tad->tad_flag = 0;
5569                 /* free any residual audit data */
5570                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5571                 return;
5572         }
5573 
5574         fd = (int)uap->fd;
5575 
5576         if ((so = getsonode(fd, &err, &fp)) == NULL) {
5577                 /* Turn off audit record generation here. */
5578                 tad->tad_flag = 0;
5579                 /* free any residual audit data */
5580                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5581                 return;
5582         }
5583 
5584         /* get path from file struct here */
5585         fad = F2A(fp);
5586         ASSERT(fad);
5587 
5588         /*
5589          * already processed this file for read attempt
5590          */
5591         if (fad->fad_flags & FAD_READ) {
5592                 releasef(fd);
5593                 /* don't really want to audit every recv call */
5594                 tad->tad_flag = 0;
5595                 /* free any residual audit data */
5596                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5597                 return;
5598         }
5599 
5600         /* mark things so we know what happened and don't repeat things */
5601         fad->fad_flags |= FAD_READ;
5602 
5603         so_family = so->so_family;
5604         so_type   = so->so_type;
5605 
5606         switch (so_family) {
5607         case AF_INET:
5608         case AF_INET6:
5609                 /*
5610                  * Only for connections.
5611                  * XXX - do we need to worry about SOCK_DGRAM or other types???
5612                  */
5613                 if (so->so_state & SS_ISBOUND) {
5614 
5615                         bzero((void *)so_laddr, sizeof (so_laddr));
5616                         bzero((void *)so_faddr, sizeof (so_faddr));
5617 
5618                         /* get local and foreign addresses */
5619                         len = sizeof (so_laddr);
5620                         (void) socket_getsockname(so,
5621                             (struct sockaddr *)so_laddr, &len, CRED());
5622                         len = sizeof (so_faddr);
5623                         (void) socket_getpeername(so,
5624                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5625 
5626                         /*
5627                          * only way to drop out of switch. Note that we
5628                          * we release fd below.
5629                          */
5630 
5631                         break;
5632                 }
5633 
5634                 releasef(fd);
5635 
5636                 /* don't really want to audit every recv call */
5637                 tad->tad_flag = 0;
5638                 /* free any residual audit data */
5639                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5640 
5641                 return;
5642 
5643         case AF_UNIX:
5644 
5645                 if (fad->fad_aupath != NULL) {
5646                         au_uwrite(au_to_path(fad->fad_aupath));
5647                 } else {
5648                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
5649                 }
5650 
5651                 audit_attributes(fp->f_vnode);
5652 
5653                 releasef(fd);
5654 
5655                 return;
5656 
5657         default:
5658                 releasef(fd);
5659 
5660                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5661                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5662                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5663 
5664                 return;
5665         }
5666 
5667         releasef(fd);
5668 
5669         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5670 
5671         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5672 
5673 }
5674 
5675 /*ARGSUSED*/
5676 static void
5677 auf_send(tad, error, rval)
5678         struct t_audit_data *tad;
5679         int error;
5680         rval_t *rval;
5681 {
5682         struct sonode *so;
5683         char so_laddr[sizeof (struct sockaddr_in6)];
5684         char so_faddr[sizeof (struct sockaddr_in6)];
5685         struct file *fp;
5686         struct f_audit_data *fad;
5687         int fd;
5688         int err;
5689         socklen_t len;
5690         short so_family, so_type;
5691         register struct a {
5692                 long    fd;
5693         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5694         au_kcontext_t   *kctx = GET_KCTX_PZ;
5695 
5696         fd = (int)uap->fd;
5697 
5698         /*
5699          * If there was an error, then nothing to do. Only generate
5700          * audit record on first successful send.
5701          */
5702         if (error != 0) {
5703                 /* Turn off audit record generation here. */
5704                 tad->tad_flag = 0;
5705                 /* free any residual audit data */
5706                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5707                 return;
5708         }
5709 
5710         fd = (int)uap->fd;
5711 
5712         if ((so = getsonode(fd, &err, &fp)) == NULL) {
5713                 /* Turn off audit record generation here. */
5714                 tad->tad_flag = 0;
5715                 /* free any residual audit data */
5716                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5717                 return;
5718         }
5719 
5720         /* get path from file struct here */
5721         fad = F2A(fp);
5722         ASSERT(fad);
5723 
5724         /*
5725          * already processed this file for write attempt
5726          */
5727         if (fad->fad_flags & FAD_WRITE) {
5728                 releasef(fd);
5729                 /* don't really want to audit every send call */
5730                 tad->tad_flag = 0;
5731                 /* free any residual audit data */
5732                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5733                 return;
5734         }
5735 
5736         /* mark things so we know what happened and don't repeat things */
5737         fad->fad_flags |= FAD_WRITE;
5738 
5739         so_family = so->so_family;
5740         so_type   = so->so_type;
5741 
5742         switch (so_family) {
5743         case AF_INET:
5744         case AF_INET6:
5745                 /*
5746                  * Only for connections.
5747                  * XXX - do we need to worry about SOCK_DGRAM or other types???
5748                  */
5749                 if (so->so_state & SS_ISBOUND) {
5750 
5751                         bzero((void *)so_laddr, sizeof (so_laddr));
5752                         bzero((void *)so_faddr, sizeof (so_faddr));
5753 
5754                         /* get local and foreign addresses */
5755                         len = sizeof (so_laddr);
5756                         (void) socket_getsockname(so,
5757                             (struct sockaddr *)so_laddr, &len, CRED());
5758                         len = sizeof (so_faddr);
5759                         (void) socket_getpeername(so,
5760                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5761 
5762                         /*
5763                          * only way to drop out of switch. Note that we
5764                          * we release fd below.
5765                          */
5766 
5767                         break;
5768                 }
5769 
5770                 releasef(fd);
5771                 /* don't really want to audit every send call */
5772                 tad->tad_flag = 0;
5773                 /* free any residual audit data */
5774                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5775 
5776                 return;
5777 
5778         case AF_UNIX:
5779 
5780                 if (fad->fad_aupath != NULL) {
5781                         au_uwrite(au_to_path(fad->fad_aupath));
5782                 } else {
5783                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
5784                 }
5785 
5786                 audit_attributes(fp->f_vnode);
5787 
5788                 releasef(fd);
5789 
5790                 return;
5791 
5792         default:
5793                 releasef(fd);
5794 
5795                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5796                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5797                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5798 
5799                 return;
5800         }
5801 
5802         releasef(fd);
5803 
5804         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5805 
5806         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5807 }
5808 
5809 static au_event_t
5810 aui_forksys(au_event_t e)
5811 {
5812         struct a {
5813                 long    subcode;
5814                 long    flags;
5815         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5816 
5817         switch ((uint_t)uap->subcode) {
5818         case 0:
5819                 e = AUE_FORK1;
5820                 break;
5821         case 1:
5822                 e = AUE_FORKALL;
5823                 break;
5824         case 2:
5825                 e = AUE_VFORK;
5826                 break;
5827         default:
5828                 e = AUE_NULL;
5829                 break;
5830         }
5831 
5832         return (e);
5833 }
5834 
5835 /*ARGSUSED*/
5836 static au_event_t
5837 aui_portfs(au_event_t e)
5838 {
5839         struct a {              /* portfs */
5840                 long    a1;
5841                 long    a2;
5842                 long    a3;
5843         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5844 
5845         /*
5846          * check opcode
5847          */
5848         switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5849         case PORT_ASSOCIATE:
5850                 /* check source */
5851                 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5852                     ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5853                         e = AUE_PORTFS_ASSOCIATE;
5854                 } else {
5855                         e = AUE_NULL;
5856                 }
5857                 break;
5858         case PORT_DISSOCIATE:
5859                 /* check source */
5860                 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5861                     ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5862                         e = AUE_PORTFS_DISSOCIATE;
5863                 } else {
5864                         e = AUE_NULL;
5865                 }
5866                 break;
5867         default:
5868                 e = AUE_NULL;
5869         }
5870         return (e);
5871 }