1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
25 */
26
27 /*
28 * This file contains the audit event table used to control the production
29 * of audit records for each system call.
30 */
31
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h> /* for sysinfo auditing */
37 #include <sys/utsname.h> /* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h> /* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h> /* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h> /* for accept */
56 #include <sys/utssys.h> /* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/vfs_opreg.h>
76 #include <fs/sockfs/sockcommon.h>
77 #include <netinet/in.h>
78 #include <sys/ddi.h>
79 #include <sys/port_impl.h>
80
81 static au_event_t aui_fchownat(au_event_t);
82 static au_event_t aui_fchmodat(au_event_t);
83 static au_event_t aui_open(au_event_t);
84 static au_event_t aui_openat(au_event_t);
85 static au_event_t aui_unlinkat(au_event_t);
86 static au_event_t aui_fstatat(au_event_t);
87 static au_event_t aui_msgsys(au_event_t);
88 static au_event_t aui_shmsys(au_event_t);
89 static au_event_t aui_semsys(au_event_t);
90 static au_event_t aui_utssys(au_event_t);
91 static au_event_t aui_fcntl(au_event_t);
92 static au_event_t aui_execve(au_event_t);
93 static au_event_t aui_memcntl(au_event_t);
94 static au_event_t aui_sysinfo(au_event_t);
95 static au_event_t aui_portfs(au_event_t);
96 static au_event_t aui_auditsys(au_event_t);
97 static au_event_t aui_modctl(au_event_t);
98 static au_event_t aui_acl(au_event_t);
99 static au_event_t aui_doorfs(au_event_t);
100 static au_event_t aui_privsys(au_event_t);
101 static au_event_t aui_forksys(au_event_t);
102 static au_event_t aui_labelsys(au_event_t);
103 static au_event_t aui_setpgrp(au_event_t);
104
105 static void aus_exit(struct t_audit_data *);
106 static void aus_open(struct t_audit_data *);
107 static void aus_openat(struct t_audit_data *);
108 static void aus_acl(struct t_audit_data *);
109 static void aus_acct(struct t_audit_data *);
110 static void aus_chown(struct t_audit_data *);
111 static void aus_fchown(struct t_audit_data *);
112 static void aus_lchown(struct t_audit_data *);
113 static void aus_fchownat(struct t_audit_data *);
114 static void aus_chmod(struct t_audit_data *);
115 static void aus_facl(struct t_audit_data *);
116 static void aus_fchmod(struct t_audit_data *);
117 static void aus_fchmodat(struct t_audit_data *);
118 static void aus_fcntl(struct t_audit_data *);
119 static void aus_mkdir(struct t_audit_data *);
120 static void aus_mkdirat(struct t_audit_data *);
121 static void aus_mknod(struct t_audit_data *);
122 static void aus_mknodat(struct t_audit_data *);
123 static void aus_mount(struct t_audit_data *);
124 static void aus_umount2(struct t_audit_data *);
125 static void aus_msgsys(struct t_audit_data *);
126 static void aus_semsys(struct t_audit_data *);
127 static void aus_close(struct t_audit_data *);
128 static void aus_fstatfs(struct t_audit_data *);
129 static void aus_setgid(struct t_audit_data *);
130 static void aus_setpgrp(struct t_audit_data *);
131 static void aus_setuid(struct t_audit_data *);
132 static void aus_shmsys(struct t_audit_data *);
133 static void aus_doorfs(struct t_audit_data *);
134 static void aus_ioctl(struct t_audit_data *);
135 static void aus_memcntl(struct t_audit_data *);
136 static void aus_mmap(struct t_audit_data *);
137 static void aus_munmap(struct t_audit_data *);
138 static void aus_priocntlsys(struct t_audit_data *);
139 static void aus_setegid(struct t_audit_data *);
140 static void aus_setgroups(struct t_audit_data *);
141 static void aus_seteuid(struct t_audit_data *);
142 static void aus_putmsg(struct t_audit_data *);
143 static void aus_putpmsg(struct t_audit_data *);
144 static void aus_getmsg(struct t_audit_data *);
145 static void aus_getpmsg(struct t_audit_data *);
146 static void aus_auditsys(struct t_audit_data *);
147 static void aus_sysinfo(struct t_audit_data *);
148 static void aus_modctl(struct t_audit_data *);
149 static void aus_kill(struct t_audit_data *);
150 static void aus_setregid(struct t_audit_data *);
151 static void aus_setreuid(struct t_audit_data *);
152 static void aus_labelsys(struct t_audit_data *);
153
154 static void auf_mknod(struct t_audit_data *, int, rval_t *);
155 static void auf_mknodat(struct t_audit_data *, int, rval_t *);
156 static void auf_msgsys(struct t_audit_data *, int, rval_t *);
157 static void auf_semsys(struct t_audit_data *, int, rval_t *);
158 static void auf_shmsys(struct t_audit_data *, int, rval_t *);
159 static void auf_read(struct t_audit_data *, int, rval_t *);
160 static void auf_write(struct t_audit_data *, int, rval_t *);
161
162 static void aus_sigqueue(struct t_audit_data *);
163 static void aus_p_online(struct t_audit_data *);
164 static void aus_processor_bind(struct t_audit_data *);
165 static void aus_inst_sync(struct t_audit_data *);
166 static void aus_brandsys(struct t_audit_data *);
167
168 static void auf_accept(struct t_audit_data *, int, rval_t *);
169
170 static void auf_bind(struct t_audit_data *, int, rval_t *);
171 static void auf_connect(struct t_audit_data *, int, rval_t *);
172 static void aus_shutdown(struct t_audit_data *);
173 static void auf_setsockopt(struct t_audit_data *, int, rval_t *);
174 static void aus_sockconfig(struct t_audit_data *);
175 static void auf_recv(struct t_audit_data *, int, rval_t *);
176 static void auf_recvmsg(struct t_audit_data *, int, rval_t *);
177 static void auf_send(struct t_audit_data *, int, rval_t *);
178 static void auf_sendmsg(struct t_audit_data *, int, rval_t *);
179 static void auf_recvfrom(struct t_audit_data *, int, rval_t *);
180 static void auf_sendto(struct t_audit_data *, int, rval_t *);
181 static void aus_socket(struct t_audit_data *);
182 /*
183 * This table contains mapping information for converting system call numbers
184 * to audit event IDs. In several cases it is necessary to map a single system
185 * call to several events.
186 */
187
188 #define aui_null NULL /* NULL initialize function */
189 #define aus_null NULL /* NULL start function */
190 #define auf_null NULL /* NULL finish function */
191
192 struct audit_s2e audit_s2e[] =
193 {
194 /*
195 * ---------- ---------- ---------- ----------
196 * INITIAL AUDIT START SYSTEM
197 * PROCESSING EVENT PROCESSING CALL
198 * ---------- ---------- ---------- -----------
199 * FINISH EVENT
200 * PROCESSING CONTROL
201 * ----------------------------------------------------------
202 */
203 /* BEGIN CSTYLED */
204 { aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */
205 auf_null, 0 },
206 { aui_null, AUE_EXIT, aus_exit, /* 1 exit */
207 auf_null, S2E_NPT },
208 { aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */
209 auf_null, 0 },
210 { aui_null, AUE_READ, aus_null, /* 3 read */
211 auf_read, S2E_PUB },
212 { aui_null, AUE_WRITE, aus_null, /* 4 write */
213 auf_write, 0 },
214 { aui_open, AUE_OPEN, aus_open, /* 5 open */
215 auf_null, S2E_SP },
216 { aui_null, AUE_CLOSE, aus_close, /* 6 close */
217 auf_null, 0 },
218 { aui_null, AUE_LINK, aus_null, /* 7 linkat */
219 auf_null, 0 },
220 { aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */
221 auf_null, 0 },
222 { aui_null, AUE_LINK, aus_null, /* 9 link */
223 auf_null, 0 },
224 { aui_null, AUE_UNLINK, aus_null, /* 10 unlink */
225 auf_null, 0 },
226 { aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */
227 auf_null, 0 },
228 { aui_null, AUE_CHDIR, aus_null, /* 12 chdir */
229 auf_null, S2E_SP },
230 { aui_null, AUE_NULL, aus_null, /* 13 time */
231 auf_null, 0 },
232 { aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */
233 auf_mknod, S2E_MLD },
234 { aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */
235 auf_null, 0 },
236 { aui_null, AUE_CHOWN, aus_chown, /* 16 chown */
237 auf_null, 0 },
238 { aui_null, AUE_NULL, aus_null, /* 17 brk */
239 auf_null, 0 },
240 { aui_null, AUE_STAT, aus_null, /* 18 stat */
241 auf_null, S2E_PUB },
242 { aui_null, AUE_NULL, aus_null, /* 19 lseek */
243 auf_null, 0 },
244 { aui_null, AUE_NULL, aus_null, /* 20 getpid */
245 auf_null, 0 },
246 { aui_null, AUE_MOUNT, aus_mount, /* 21 mount */
247 auf_null, S2E_MLD },
248 { aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */
249 auf_null, S2E_PUB },
250 { aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */
251 auf_null, 0 },
252 { aui_null, AUE_NULL, aus_null, /* 24 getuid */
253 auf_null, 0 },
254 { aui_null, AUE_STIME, aus_null, /* 25 stime */
255 auf_null, 0 },
256 { aui_null, AUE_NULL, aus_null, /* 26 pcsample */
257 auf_null, 0 },
258 { aui_null, AUE_NULL, aus_null, /* 27 alarm */
259 auf_null, 0 },
260 { aui_null, AUE_NULL, aus_null, /* 28 fstat */
261 auf_null, 0 },
262 { aui_null, AUE_NULL, aus_null, /* 29 pause */
263 auf_null, 0 },
264 { aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */
265 auf_null, 0 },
266 { aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */
267 auf_null, 0 },
268 { aui_null, AUE_NULL, aus_null, /* 32 gtty */
269 auf_null, 0 },
270 { aui_null, AUE_ACCESS, aus_null, /* 33 access */
271 auf_null, S2E_PUB },
272 { aui_null, AUE_NICE, aus_null, /* 34 nice */
273 auf_null, 0 },
274 { aui_null, AUE_STATFS, aus_null, /* 35 statfs */
275 auf_null, S2E_PUB },
276 { aui_null, AUE_NULL, aus_null, /* 36 sync */
277 auf_null, 0 },
278 { aui_null, AUE_KILL, aus_kill, /* 37 kill */
279 auf_null, 0 },
280 { aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */
281 auf_null, S2E_PUB },
282 { aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */
283 auf_null, 0 },
284 { aui_null, AUE_NULL, aus_null, /* 40 uucopystr */
285 auf_null, 0 },
286 { aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */
287 auf_null, 0 },
288 { aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */
289 auf_null, 0 },
290 { aui_null, AUE_NULL, aus_null, /* 43 times */
291 auf_null, 0 },
292 { aui_null, AUE_NULL, aus_null, /* 44 profil */
293 auf_null, 0 },
294 { aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */
295 auf_null, S2E_PUB },
296 { aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */
297 auf_null, 0 },
298 { aui_null, AUE_NULL, aus_null, /* 47 getgid */
299 auf_null, 0 },
300 { aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */
301 auf_mknodat, S2E_MLD },
302 { aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */
303 auf_msgsys, 0 },
304 #if defined(__x86)
305 { aui_null, AUE_NULL, aus_null, /* 50 sysi86 */
306 auf_null, 0 },
307 #else
308 { aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */
309 auf_null, 0 },
310 #endif /* __x86 */
311 { aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */
312 auf_null, 0 },
313 { aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */
314 auf_shmsys, 0 },
315 { aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */
316 auf_semsys, 0 },
317 { aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */
318 auf_null, 0 },
319 { aui_null, AUE_NULL, aus_null, /* 55 uadmin */
320 auf_null, 0 },
321 { aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */
322 auf_null, 0 },
323 { aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */
324 auf_null, 0 },
325 { aui_null, AUE_NULL, aus_null, /* 58 fsync */
326 auf_null, 0 },
327 { aui_execve, AUE_EXECVE, aus_null, /* 59 exece */
328 auf_null, S2E_MLD },
329 { aui_null, AUE_NULL, aus_null, /* 60 umask */
330 auf_null, 0 },
331 { aui_null, AUE_CHROOT, aus_null, /* 61 chroot */
332 auf_null, S2E_SP },
333 { aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */
334 auf_null, 0 },
335 { aui_null, AUE_NULL, aus_null, /* 63 ulimit */
336 auf_null, 0 },
337 { aui_null, AUE_RENAME, aus_null, /* 64 renameat */
338 auf_null, 0 },
339 { aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */
340 auf_null, 0 },
341 { aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */
342 auf_null, S2E_PUB },
343 { aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */
344 auf_null, S2E_PUB },
345 { aui_openat, AUE_OPEN, aus_openat, /* 68 openat */
346 auf_null, S2E_SP },
347 { aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */
348 auf_null, S2E_SP },
349 { aui_null, AUE_NULL, aus_null, /* 70 tasksys */
350 auf_null, 0 },
351 { aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */
352 auf_null, 0 },
353 { aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */
354 auf_null, 0 },
355 { aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */
356 auf_null, 0 },
357 { aui_null, AUE_NULL, aus_null, /* 74 rctlsys */
358 auf_null, 0 },
359 { aui_null, AUE_NULL, aus_null, /* 75 sidsys */
360 auf_null, 0 },
361 { aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */
362 auf_null, 0 },
363 { aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */
364 auf_null, 0 },
365 { aui_null, AUE_NULL, aus_null, /* 78 sendfilev */
366 auf_null, 0 },
367 { aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */
368 auf_null, 0 },
369 { aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */
370 auf_null, 0 },
371 { aui_null, AUE_NULL, aus_null, /* 81 getdents */
372 auf_null, 0 },
373 { aui_privsys, AUE_NULL, aus_null, /* 82 privsys */
374 auf_null, 0 },
375 { aui_null, AUE_NULL, aus_null, /* 83 ucredsys */
376 auf_null, 0 },
377 { aui_null, AUE_NULL, aus_null, /* 84 sysfs */
378 auf_null, 0 },
379 { aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */
380 auf_null, 0 },
381 { aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */
382 auf_null, 0 },
383 { aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */
384 auf_null, 0 },
385 { aui_null, AUE_LSTAT, aus_null, /* 88 lstat */
386 auf_null, S2E_PUB },
387 { aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */
388 auf_null, 0 },
389 { aui_null, AUE_READLINK, aus_null, /* 90 readlink */
390 auf_null, S2E_PUB },
391 { aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */
392 auf_null, 0 },
393 { aui_null, AUE_NULL, aus_null, /* 92 getgroups */
394 auf_null, 0 },
395 { aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */
396 auf_null, 0 },
397 { aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */
398 auf_null, 0 },
399 { aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */
400 auf_null, 0 },
401 { aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */
402 auf_null, 0 },
403 { aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */
404 auf_null, 0 },
405 { aui_null, AUE_NULL, aus_null, /* 98 sigaction */
406 auf_null, 0 },
407 { aui_null, AUE_NULL, aus_null, /* 99 sigpending */
408 auf_null, 0 },
409 { aui_null, AUE_NULL, aus_null, /* 100 setcontext */
410 auf_null, 0 },
411 { aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */
412 auf_null, 0 },
413 { aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */
414 auf_null, 0 },
415 { aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */
416 auf_null, S2E_PUB },
417 { aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */
418 auf_null, 0 },
419 { aui_null, AUE_NULL, aus_null, /* 105 getloadavg */
420 auf_null, 0 },
421 { aui_null, AUE_NULL, aus_null, /* 106 nfssys */
422 auf_null, 0 },
423 { aui_null, AUE_NULL, aus_null, /* 107 waitsys */
424 auf_null, 0 },
425 { aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */
426 auf_null, 0 },
427 #if defined(__x86)
428 { aui_null, AUE_NULL, aus_null, /* 109 hrtsys */
429 auf_null, 0 },
430 #else
431 { aui_null, AUE_NULL, aus_null, /* 109 (loadable) */
432 auf_null, 0 },
433 #endif /* __x86 */
434 { aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */
435 auf_null, 0 },
436 { aui_null, AUE_NULL, aus_null, /* 111 sigresend */
437 auf_null, 0 },
438 { aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
439 auf_null, 0 },
440 { aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */
441 auf_null, S2E_PUB },
442 { aui_null, AUE_NULL, aus_null, /* 114 mincore */
443 auf_null, 0 },
444 { aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */
445 auf_null, 0 },
446 { aui_null, AUE_NULL, aus_null, /* 116 mprotect */
447 auf_null, 0 },
448 { aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */
449 auf_null, 0 },
450 { aui_null, AUE_NULL, aus_null, /* 118 fpathconf */
451 auf_null, 0 },
452 { aui_null, AUE_VFORK, aus_null, /* 119 vfork */
453 auf_null, 0 },
454 { aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */
455 auf_null, 0 },
456 { aui_null, AUE_READ, aus_null, /* 121 readv */
457 auf_read, S2E_PUB },
458 { aui_null, AUE_WRITE, aus_null, /* 122 writev */
459 auf_write, 0 },
460 { aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */
461 auf_null, 0 },
462 { aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */
463 auf_null, 0 },
464 { aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */
465 auf_null, 0 },
466 { aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */
467 auf_null, 0 },
468 { aui_null, AUE_NULL, aus_null, /* 127 mmapobj */
469 auf_null, 0 },
470 { aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */
471 auf_null, 0 },
472 { aui_null, AUE_NULL, aus_null, /* 129 getrlimit */
473 auf_null, 0 },
474 { aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */
475 auf_null, 0 },
476 { aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */
477 auf_null, 0 },
478 { aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */
479 auf_null, 0 },
480 { aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */
481 auf_null, 0 },
482 { aui_null, AUE_RENAME, aus_null, /* 134 rename */
483 auf_null, 0 },
484 { aui_null, AUE_NULL, aus_null, /* 135 uname */
485 auf_null, 0 },
486 { aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */
487 auf_null, 0 },
488 { aui_null, AUE_NULL, aus_null, /* 137 sysconfig */
489 auf_null, 0 },
490 { aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */
491 auf_null, 0 },
492 { aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */
493 auf_null, 0 },
494 { aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */
495 auf_null, 0 },
496 { aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */
497 auf_null, 0 },
498 { aui_forksys, AUE_NULL, aus_null, /* 142 forksys */
499 auf_null, 0 },
500 { aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */
501 auf_null, 0 },
502 { aui_null, AUE_NULL, aus_null, /* 144 sigwait */
503 auf_null, 0 },
504 { aui_null, AUE_NULL, aus_null, /* 145 lwp_info */
505 auf_null, 0 },
506 { aui_null, AUE_NULL, aus_null, /* 146 yield */
507 auf_null, 0 },
508 { aui_null, AUE_NULL, aus_null, /* 147 (loadable) */
509 /* was lwp_sema_wait */
510 auf_null, 0 },
511 { aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */
512 auf_null, 0 },
513 { aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */
514 auf_null, 0 },
515 { aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */
516 auf_null, 0 },
517 { aui_null, AUE_NULL, aus_null, /* 151 corectl */
518 auf_null, 0 },
519 { aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */
520 auf_null, 0 },
521 { aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */
522 auf_null, 0 },
523 { aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */
524 auf_null, 0 },
525 { aui_null, AUE_NULL, aus_null, /* 155 vhangup */
526 auf_null, 0 },
527 { aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */
528 auf_null, 0 },
529 { aui_null, AUE_NULL, aus_null, /* 157 getitimer */
530 auf_null, 0 },
531 { aui_null, AUE_NULL, aus_null, /* 158 setitimer */
532 auf_null, 0 },
533 { aui_null, AUE_NULL, aus_null, /* 159 lwp_create */
534 auf_null, 0 },
535 { aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */
536 auf_null, 0 },
537 { aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */
538 auf_null, 0 },
539 { aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */
540 auf_null, 0 },
541 { aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */
542 auf_null, 0 },
543 { aui_null, AUE_NULL, aus_null, /* 164 lwp_self */
544 auf_null, 0 },
545 { aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */
546 auf_null, 0 },
547 { aui_null, AUE_NULL, aus_null, /* 166 lwp_private */
548 auf_null, 0 },
549 { aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */
550 auf_null, 0 },
551 { aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */
552 auf_null, 0 },
553 { aui_null, AUE_NULL, aus_null, /* 169 (loadable) */
554 /* was lwp_mutex_lock */
555 auf_null, 0 },
556 { aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */
557 auf_null, 0 },
558 { aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */
559 auf_null, 0 },
560 { aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */
561 auf_null, 0 },
562 { aui_null, AUE_READ, aus_null, /* 173 pread */
563 auf_read, S2E_PUB },
564 { aui_null, AUE_WRITE, aus_null, /* 174 pwrite */
565 auf_write, 0 },
566 { aui_null, AUE_NULL, aus_null, /* 175 llseek */
567 auf_null, 0 },
568 { aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */
569 auf_null, 0 },
570 { aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */
571 auf_null, 0 },
572 { aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */
573 auf_null, 0 },
574 { aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */
575 auf_null, 0 },
576 { aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */
577 auf_null, 0 },
578 { aui_null, AUE_NULL, aus_null, /* 181 rusagesys */
579 auf_null, 0 },
580 { aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */
581 auf_null, S2E_MLD },
582 { aui_null, AUE_NULL, aus_null, /* 183 pollsys */
583 auf_null, 0 },
584 { aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */
585 auf_null, 0 },
586 { aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */
587 auf_null, 0 },
588 { aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */
589 auf_null, 0 },
590 { aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
591 auf_null, 0 },
592 { aui_null, AUE_NULL, aus_null, /* 188 processor_info */
593 auf_null, 0 },
594 { aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */
595 auf_null, 0 },
596 { aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */
597 auf_null, 0 },
598 { aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */
599 auf_null, 0 },
600 { aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */
601 auf_null, 0 },
602 { aui_null, AUE_NULL, aus_null, /* 193 clock_getres */
603 auf_null, 0 },
604 { aui_null, AUE_NULL, aus_null, /* 194 timer_create */
605 auf_null, 0 },
606 { aui_null, AUE_NULL, aus_null, /* 195 timer_delete */
607 auf_null, 0 },
608 { aui_null, AUE_NULL, aus_null, /* 196 timer_settime */
609 auf_null, 0 },
610 { aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */
611 auf_null, 0 },
612 { aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */
613 auf_null, 0 },
614 { aui_null, AUE_NULL, aus_null, /* 199 nanosleep */
615 auf_null, 0 },
616 { aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */
617 auf_null, 0 },
618 { aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */
619 auf_null, 0 },
620 { aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */
621 auf_null, 0 },
622 { aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */
623 auf_null, 0 },
624 { aui_null, AUE_NULL, aus_null, /* 204 install_utrap */
625 auf_null, 0 },
626 { aui_null, AUE_NULL, aus_null, /* 205 signotify */
627 auf_null, 0 },
628 { aui_null, AUE_NULL, aus_null, /* 206 schedctl */
629 auf_null, 0 },
630 { aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */
631 auf_null, 0 },
632 { aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */
633 auf_null, 0 },
634 { aui_null, AUE_NULL, aus_null, /* 209 resolvepath */
635 auf_null, 0 },
636 { aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */
637 auf_null, 0 },
638 { aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */
639 auf_null, 0 },
640 { aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */
641 auf_null, 0 },
642 { aui_null, AUE_NULL, aus_null, /* 213 getdents64 */
643 auf_null, 0 },
644 { aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */
645 auf_null, 0 },
646 { aui_null, AUE_STAT, aus_null, /* 215 stat64 */
647 auf_null, S2E_PUB },
648 { aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */
649 auf_null, S2E_PUB },
650 { aui_null, AUE_NULL, aus_null, /* 217 fstat64 */
651 auf_null, 0 },
652 { aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */
653 auf_null, S2E_PUB },
654 { aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */
655 auf_null, 0 },
656 { aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */
657 auf_null, 0 },
658 { aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */
659 auf_null, 0 },
660 { aui_null, AUE_READ, aus_null, /* 222 pread64 */
661 auf_read, S2E_PUB },
662 { aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */
663 auf_write, 0 },
664 { aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */
665 auf_null, 0 },
666 { aui_open, AUE_OPEN, aus_open, /* 225 open64 */
667 auf_null, S2E_SP },
668 { aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */
669 auf_null, 0 },
670 { aui_null, AUE_NULL, aus_null, /* 227 zone */
671 auf_null, 0 },
672 { aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */
673 auf_null, 0 },
674 { aui_null, AUE_NULL, aus_null, /* 229 getcwd */
675 auf_null, 0 },
676 { aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */
677 auf_null, 0 },
678 { aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */
679 auf_null, 0 },
680 { aui_null, AUE_BIND, aus_null, /* 232 bind */
681 auf_bind, 0 },
682 { aui_null, AUE_NULL, aus_null, /* 233 listen */
683 auf_null, 0 },
684 { aui_null, AUE_ACCEPT, aus_null, /* 234 accept */
685 auf_accept, 0 },
686 { aui_null, AUE_CONNECT, aus_null, /* 235 connect */
687 auf_connect, 0 },
688 { aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */
689 auf_null, 0 },
690 { aui_null, AUE_READ, aus_null, /* 237 recv */
691 auf_recv, 0 },
692 { aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */
693 auf_recvfrom, 0 },
694 { aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */
695 auf_recvmsg, 0 },
696 { aui_null, AUE_WRITE, aus_null, /* 240 send */
697 auf_send, 0 },
698 { aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */
699 auf_sendmsg, 0 },
700 { aui_null, AUE_SENDTO, aus_null, /* 242 sendto */
701 auf_sendto, 0 },
702 { aui_null, AUE_NULL, aus_null, /* 243 getpeername */
703 auf_null, 0 },
704 { aui_null, AUE_NULL, aus_null, /* 244 getsockname */
705 auf_null, 0 },
706 { aui_null, AUE_NULL, aus_null, /* 245 getsockopt */
707 auf_null, 0 },
708 { aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */
709 auf_setsockopt, 0 },
710 { aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
711 auf_null, 0 },
712 { aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */
713 auf_null, 0 },
714 { aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */
715 auf_null, 0 },
716 { aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */
717 auf_null, 0 },
718 { aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */
719 auf_null, 0 },
720 { aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */
721 auf_null, 0 },
722 { aui_null, AUE_NULL, aus_null, /* 253 cladm */
723 auf_null, 0 },
724 { aui_null, AUE_NULL, aus_null, /* 254 uucopy */
725 auf_null, 0 },
726 { aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */
727 auf_null, 0 } /* END CSTYLED */
728 };
729
730 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
731
732
733 /* exit start function */
734 /*ARGSUSED*/
735 static void
736 aus_exit(struct t_audit_data *tad)
737 {
738 uint32_t rval;
739 struct a {
740 long rval;
741 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
742
743 rval = (uint32_t)uap->rval;
744 au_uwrite(au_to_arg32(1, "exit status", rval));
745 }
746
747 /* acct start function */
748 /*ARGSUSED*/
749 static void
750 aus_acct(struct t_audit_data *tad)
751 {
752 klwp_t *clwp = ttolwp(curthread);
753 uintptr_t fname;
754
755 struct a {
756 long fname; /* char * */
757 } *uap = (struct a *)clwp->lwp_ap;
758
759 fname = (uintptr_t)uap->fname;
760
761 if (fname == 0)
762 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
763 }
764
765 /* chown start function */
766 /*ARGSUSED*/
767 static void
768 aus_chown(struct t_audit_data *tad)
769 {
770 klwp_t *clwp = ttolwp(curthread);
771 uint32_t uid, gid;
772
773 struct a {
774 long fname; /* char * */
775 long uid;
776 long gid;
777 } *uap = (struct a *)clwp->lwp_ap;
778
779 uid = (uint32_t)uap->uid;
780 gid = (uint32_t)uap->gid;
781
782 au_uwrite(au_to_arg32(2, "new file uid", uid));
783 au_uwrite(au_to_arg32(3, "new file gid", gid));
784 }
785
786 /* fchown start function */
787 /*ARGSUSED*/
788 static void
789 aus_fchown(struct t_audit_data *tad)
790 {
791 klwp_t *clwp = ttolwp(curthread);
792 uint32_t uid, gid, fd;
793 struct file *fp;
794 struct vnode *vp;
795 struct f_audit_data *fad;
796
797 struct a {
798 long fd;
799 long uid;
800 long gid;
801 } *uap = (struct a *)clwp->lwp_ap;
802
803 fd = (uint32_t)uap->fd;
804 uid = (uint32_t)uap->uid;
805 gid = (uint32_t)uap->gid;
806
807 au_uwrite(au_to_arg32(2, "new file uid", uid));
808 au_uwrite(au_to_arg32(3, "new file gid", gid));
809
810 /*
811 * convert file pointer to file descriptor
812 * Note: fd ref count incremented here.
813 */
814 if ((fp = getf(fd)) == NULL)
815 return;
816
817 /* get path from file struct here */
818 fad = F2A(fp);
819 if (fad->fad_aupath != NULL) {
820 au_uwrite(au_to_path(fad->fad_aupath));
821 } else {
822 au_uwrite(au_to_arg32(1, "no path: fd", fd));
823 }
824
825 vp = fp->f_vnode;
826 audit_attributes(vp);
827
828 /* decrement file descriptor reference count */
829 releasef(fd);
830 }
831
832 /*ARGSUSED*/
833 static void
834 aus_lchown(struct t_audit_data *tad)
835 {
836 klwp_t *clwp = ttolwp(curthread);
837 uint32_t uid, gid;
838
839
840 struct a {
841 long fname; /* char * */
842 long uid;
843 long gid;
844 } *uap = (struct a *)clwp->lwp_ap;
845
846 uid = (uint32_t)uap->uid;
847 gid = (uint32_t)uap->gid;
848
849 au_uwrite(au_to_arg32(2, "new file uid", uid));
850 au_uwrite(au_to_arg32(3, "new file gid", gid));
851 }
852
853 static au_event_t
854 aui_fchownat(au_event_t e)
855 {
856 klwp_t *clwp = ttolwp(curthread);
857
858 struct a {
859 long fd;
860 long fname; /* char * */
861 long uid;
862 long gid;
863 long flags;
864 } *uap = (struct a *)clwp->lwp_ap;
865
866 if (uap->fname == NULL)
867 e = AUE_FCHOWN;
868 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
869 e = AUE_LCHOWN;
870 else
871 e = AUE_CHOWN;
872
873 return (e);
874 }
875
876 /*ARGSUSED*/
877 static void
878 aus_fchownat(struct t_audit_data *tad)
879 {
880 klwp_t *clwp = ttolwp(curthread);
881 uint32_t uid, gid;
882
883 struct a {
884 long fd;
885 long fname; /* char * */
886 long uid;
887 long gid;
888 long flags;
889 } *uap = (struct a *)clwp->lwp_ap;
890
891 uid = (uint32_t)uap->uid;
892 gid = (uint32_t)uap->gid;
893
894 au_uwrite(au_to_arg32(3, "new file uid", uid));
895 au_uwrite(au_to_arg32(4, "new file gid", gid));
896 }
897
898 /*ARGSUSED*/
899 static void
900 aus_chmod(struct t_audit_data *tad)
901 {
902 klwp_t *clwp = ttolwp(curthread);
903 uint32_t fmode;
904
905 struct a {
906 long fname; /* char * */
907 long fmode;
908 } *uap = (struct a *)clwp->lwp_ap;
909
910 fmode = (uint32_t)uap->fmode;
911
912 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
913 }
914
915 /*ARGSUSED*/
916 static void
917 aus_fchmod(struct t_audit_data *tad)
918 {
919 klwp_t *clwp = ttolwp(curthread);
920 uint32_t fmode, fd;
921 struct file *fp;
922 struct vnode *vp;
923 struct f_audit_data *fad;
924
925 struct a {
926 long fd;
927 long fmode;
928 } *uap = (struct a *)clwp->lwp_ap;
929
930 fd = (uint32_t)uap->fd;
931 fmode = (uint32_t)uap->fmode;
932
933 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
934
935 /*
936 * convert file pointer to file descriptor
937 * Note: fd ref count incremented here.
938 */
939 if ((fp = getf(fd)) == NULL)
940 return;
941
942 /* get path from file struct here */
943 fad = F2A(fp);
944 if (fad->fad_aupath != NULL) {
945 au_uwrite(au_to_path(fad->fad_aupath));
946 } else {
947 au_uwrite(au_to_arg32(1, "no path: fd", fd));
948 }
949
950 vp = fp->f_vnode;
951 audit_attributes(vp);
952
953 /* decrement file descriptor reference count */
954 releasef(fd);
955 }
956
957 static au_event_t
958 aui_fchmodat(au_event_t e)
959 {
960 klwp_t *clwp = ttolwp(curthread);
961
962 struct a {
963 long fd;
964 long fname; /* char * */
965 long fmode;
966 long flag;
967 } *uap = (struct a *)clwp->lwp_ap;
968
969 if (uap->fname == NULL)
970 e = AUE_FCHMOD;
971 else
972 e = AUE_CHMOD;
973
974 return (e);
975 }
976
977 /*ARGSUSED*/
978 static void
979 aus_fchmodat(struct t_audit_data *tad)
980 {
981 klwp_t *clwp = ttolwp(curthread);
982 uint32_t fmode;
983 uint32_t fd;
984 struct file *fp;
985 struct vnode *vp;
986 struct f_audit_data *fad;
987
988 struct a {
989 long fd;
990 long fname; /* char * */
991 long fmode;
992 long flag;
993 } *uap = (struct a *)clwp->lwp_ap;
994
995 fd = (uint32_t)uap->fd;
996 fmode = (uint32_t)uap->fmode;
997
998 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
999
1000 if (fd == AT_FDCWD || uap->fname != NULL) /* same as chmod() */
1001 return;
1002
1003 /*
1004 * convert file pointer to file descriptor
1005 * Note: fd ref count incremented here.
1006 */
1007 if ((fp = getf(fd)) == NULL)
1008 return;
1009
1010 /* get path from file struct here */
1011 fad = F2A(fp);
1012 if (fad->fad_aupath != NULL) {
1013 au_uwrite(au_to_path(fad->fad_aupath));
1014 } else {
1015 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1016 }
1017
1018 vp = fp->f_vnode;
1019 audit_attributes(vp);
1020
1021 /* decrement file descriptor reference count */
1022 releasef(fd);
1023 }
1024
1025 /*
1026 * convert open mode to appropriate open event
1027 */
1028 au_event_t
1029 open_event(uint_t fm)
1030 {
1031 au_event_t e;
1032
1033 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1034 case O_RDONLY:
1035 e = AUE_OPEN_R;
1036 break;
1037 case O_RDONLY | O_CREAT:
1038 e = AUE_OPEN_RC;
1039 break;
1040 case O_RDONLY | O_TRUNC:
1041 e = AUE_OPEN_RT;
1042 break;
1043 case O_RDONLY | O_TRUNC | O_CREAT:
1044 e = AUE_OPEN_RTC;
1045 break;
1046 case O_WRONLY:
1047 e = AUE_OPEN_W;
1048 break;
1049 case O_WRONLY | O_CREAT:
1050 e = AUE_OPEN_WC;
1051 break;
1052 case O_WRONLY | O_TRUNC:
1053 e = AUE_OPEN_WT;
1054 break;
1055 case O_WRONLY | O_TRUNC | O_CREAT:
1056 e = AUE_OPEN_WTC;
1057 break;
1058 case O_RDWR:
1059 e = AUE_OPEN_RW;
1060 break;
1061 case O_RDWR | O_CREAT:
1062 e = AUE_OPEN_RWC;
1063 break;
1064 case O_RDWR | O_TRUNC:
1065 e = AUE_OPEN_RWT;
1066 break;
1067 case O_RDWR | O_TRUNC | O_CREAT:
1068 e = AUE_OPEN_RWTC;
1069 break;
1070 case O_SEARCH:
1071 e = AUE_OPEN_S;
1072 break;
1073 case O_EXEC:
1074 e = AUE_OPEN_E;
1075 break;
1076 default:
1077 e = AUE_NULL;
1078 break;
1079 }
1080
1081 return (e);
1082 }
1083
1084 /* ARGSUSED */
1085 static au_event_t
1086 aui_open(au_event_t e)
1087 {
1088 klwp_t *clwp = ttolwp(curthread);
1089 uint_t fm;
1090
1091 struct a {
1092 long fnamep; /* char * */
1093 long fmode;
1094 long cmode;
1095 } *uap = (struct a *)clwp->lwp_ap;
1096
1097 fm = (uint_t)uap->fmode;
1098
1099 return (open_event(fm));
1100 }
1101
1102 static void
1103 aus_open(struct t_audit_data *tad)
1104 {
1105 klwp_t *clwp = ttolwp(curthread);
1106 uint_t fm;
1107
1108 struct a {
1109 long fnamep; /* char * */
1110 long fmode;
1111 long cmode;
1112 } *uap = (struct a *)clwp->lwp_ap;
1113
1114 fm = (uint_t)uap->fmode;
1115
1116 /* If no write, create, or trunc modes, mark as a public op */
1117 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1118 tad->tad_ctrl |= TAD_PUBLIC_EV;
1119 }
1120
1121 /* ARGSUSED */
1122 static au_event_t
1123 aui_openat(au_event_t e)
1124 {
1125 t_audit_data_t *tad = T2A(curthread);
1126 klwp_t *clwp = ttolwp(curthread);
1127 uint_t fm;
1128
1129 struct a {
1130 long filedes;
1131 long fnamep; /* char * */
1132 long fmode;
1133 long cmode;
1134 } *uap = (struct a *)clwp->lwp_ap;
1135
1136 fm = (uint_t)uap->fmode;
1137
1138 /*
1139 * __openattrdirat() does an extra pathname lookup in order to
1140 * enter the extended system attribute namespace of the referenced
1141 * extended attribute filename.
1142 */
1143 if (fm & FXATTRDIROPEN)
1144 tad->tad_ctrl |= TAD_MLD;
1145
1146 return (open_event(fm));
1147 }
1148
1149 static void
1150 aus_openat(struct t_audit_data *tad)
1151 {
1152 klwp_t *clwp = ttolwp(curthread);
1153 uint_t fm;
1154
1155 struct a {
1156 long filedes;
1157 long fnamep; /* char * */
1158 long fmode;
1159 long cmode;
1160 } *uap = (struct a *)clwp->lwp_ap;
1161
1162 fm = (uint_t)uap->fmode;
1163
1164 /* If no write, create, or trunc modes, mark as a public op */
1165 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1166 tad->tad_ctrl |= TAD_PUBLIC_EV;
1167 }
1168
1169 static au_event_t
1170 aui_unlinkat(au_event_t e)
1171 {
1172 klwp_t *clwp = ttolwp(curthread);
1173
1174 struct a {
1175 long filedes;
1176 long fnamep; /* char * */
1177 long flags;
1178 } *uap = (struct a *)clwp->lwp_ap;
1179
1180 if (uap->flags & AT_REMOVEDIR)
1181 e = AUE_RMDIR;
1182 else
1183 e = AUE_UNLINK;
1184
1185 return (e);
1186 }
1187
1188 static au_event_t
1189 aui_fstatat(au_event_t e)
1190 {
1191 klwp_t *clwp = ttolwp(curthread);
1192
1193 struct a {
1194 long filedes;
1195 long fnamep; /* char * */
1196 long statb;
1197 long flags;
1198 } *uap = (struct a *)clwp->lwp_ap;
1199
1200 if (uap->fnamep == NULL)
1201 e = AUE_FSTAT;
1202 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1203 e = AUE_LSTAT;
1204 else
1205 e = AUE_STAT;
1206
1207 return (e);
1208 }
1209
1210 /* msgsys */
1211 static au_event_t
1212 aui_msgsys(au_event_t e)
1213 {
1214 klwp_t *clwp = ttolwp(curthread);
1215 uint_t fm;
1216
1217 struct a {
1218 long id; /* function code id */
1219 long ap; /* arg pointer for recvmsg */
1220 } *uap = (struct a *)clwp->lwp_ap;
1221
1222 struct b {
1223 long msgid;
1224 long cmd;
1225 long buf; /* struct msqid_ds * */
1226 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1227
1228 fm = (uint_t)uap->id;
1229
1230 switch (fm) {
1231 case 0: /* msgget */
1232 e = AUE_MSGGET;
1233 break;
1234 case 1: /* msgctl */
1235 switch ((uint_t)uap1->cmd) {
1236 case IPC_RMID:
1237 e = AUE_MSGCTL_RMID;
1238 break;
1239 case IPC_SET:
1240 e = AUE_MSGCTL_SET;
1241 break;
1242 case IPC_STAT:
1243 e = AUE_MSGCTL_STAT;
1244 break;
1245 default:
1246 e = AUE_MSGCTL;
1247 break;
1248 }
1249 break;
1250 case 2: /* msgrcv */
1251 e = AUE_MSGRCV;
1252 break;
1253 case 3: /* msgsnd */
1254 e = AUE_MSGSND;
1255 break;
1256 default: /* illegal system call */
1257 e = AUE_NULL;
1258 break;
1259 }
1260
1261 return (e);
1262 }
1263
1264
1265 /* shmsys */
1266 static au_event_t
1267 aui_shmsys(au_event_t e)
1268 {
1269 klwp_t *clwp = ttolwp(curthread);
1270 int fm;
1271
1272 struct a { /* shmsys */
1273 long id; /* function code id */
1274 } *uap = (struct a *)clwp->lwp_ap;
1275
1276 struct b { /* ctrl */
1277 long shmid;
1278 long cmd;
1279 long arg; /* struct shmid_ds * */
1280 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1281 fm = (uint_t)uap->id;
1282
1283 switch (fm) {
1284 case 0: /* shmat */
1285 e = AUE_SHMAT;
1286 break;
1287 case 1: /* shmctl */
1288 switch ((uint_t)uap1->cmd) {
1289 case IPC_RMID:
1290 e = AUE_SHMCTL_RMID;
1291 break;
1292 case IPC_SET:
1293 e = AUE_SHMCTL_SET;
1294 break;
1295 case IPC_STAT:
1296 e = AUE_SHMCTL_STAT;
1297 break;
1298 default:
1299 e = AUE_SHMCTL;
1300 break;
1301 }
1302 break;
1303 case 2: /* shmdt */
1304 e = AUE_SHMDT;
1305 break;
1306 case 3: /* shmget */
1307 e = AUE_SHMGET;
1308 break;
1309 default: /* illegal system call */
1310 e = AUE_NULL;
1311 break;
1312 }
1313
1314 return (e);
1315 }
1316
1317
1318 /* semsys */
1319 static au_event_t
1320 aui_semsys(au_event_t e)
1321 {
1322 klwp_t *clwp = ttolwp(curthread);
1323 uint_t fm;
1324
1325 struct a { /* semsys */
1326 long id;
1327 } *uap = (struct a *)clwp->lwp_ap;
1328
1329 struct b { /* ctrl */
1330 long semid;
1331 long semnum;
1332 long cmd;
1333 long arg;
1334 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1335
1336 fm = (uint_t)uap->id;
1337
1338 switch (fm) {
1339 case 0: /* semctl */
1340 switch ((uint_t)uap1->cmd) {
1341 case IPC_RMID:
1342 e = AUE_SEMCTL_RMID;
1343 break;
1344 case IPC_SET:
1345 e = AUE_SEMCTL_SET;
1346 break;
1347 case IPC_STAT:
1348 e = AUE_SEMCTL_STAT;
1349 break;
1350 case GETNCNT:
1351 e = AUE_SEMCTL_GETNCNT;
1352 break;
1353 case GETPID:
1354 e = AUE_SEMCTL_GETPID;
1355 break;
1356 case GETVAL:
1357 e = AUE_SEMCTL_GETVAL;
1358 break;
1359 case GETALL:
1360 e = AUE_SEMCTL_GETALL;
1361 break;
1362 case GETZCNT:
1363 e = AUE_SEMCTL_GETZCNT;
1364 break;
1365 case SETVAL:
1366 e = AUE_SEMCTL_SETVAL;
1367 break;
1368 case SETALL:
1369 e = AUE_SEMCTL_SETALL;
1370 break;
1371 default:
1372 e = AUE_SEMCTL;
1373 break;
1374 }
1375 break;
1376 case 1: /* semget */
1377 e = AUE_SEMGET;
1378 break;
1379 case 2: /* semop */
1380 e = AUE_SEMOP;
1381 break;
1382 default: /* illegal system call */
1383 e = AUE_NULL;
1384 break;
1385 }
1386
1387 return (e);
1388 }
1389
1390 /* utssys - uname(2), ustat(2), fusers(2) */
1391 static au_event_t
1392 aui_utssys(au_event_t e)
1393 {
1394 klwp_t *clwp = ttolwp(curthread);
1395 uint_t type;
1396
1397 struct a {
1398 union {
1399 long cbuf; /* char * */
1400 long ubuf; /* struct stat * */
1401 } ub;
1402 union {
1403 long mv; /* for USTAT */
1404 long flags; /* for FUSERS */
1405 } un;
1406 long type;
1407 long outbp; /* char * for FUSERS */
1408 } *uap = (struct a *)clwp->lwp_ap;
1409
1410 type = (uint_t)uap->type;
1411
1412 if (type == UTS_FUSERS)
1413 return (e);
1414 else
1415 return ((au_event_t)AUE_NULL);
1416 }
1417
1418 static au_event_t
1419 aui_fcntl(au_event_t e)
1420 {
1421 klwp_t *clwp = ttolwp(curthread);
1422 uint_t cmd;
1423
1424 struct a {
1425 long fdes;
1426 long cmd;
1427 long arg;
1428 } *uap = (struct a *)clwp->lwp_ap;
1429
1430 cmd = (uint_t)uap->cmd;
1431
1432 switch (cmd) {
1433 case F_GETLK:
1434 case F_SETLK:
1435 case F_SETLKW:
1436 break;
1437 case F_SETFL:
1438 case F_GETFL:
1439 case F_GETFD:
1440 break;
1441 default:
1442 e = (au_event_t)AUE_NULL;
1443 break;
1444 }
1445 return ((au_event_t)e);
1446 }
1447
1448 /* null function for now */
1449 static au_event_t
1450 aui_execve(au_event_t e)
1451 {
1452 return (e);
1453 }
1454
1455 /*ARGSUSED*/
1456 static void
1457 aus_fcntl(struct t_audit_data *tad)
1458 {
1459 klwp_t *clwp = ttolwp(curthread);
1460 uint32_t cmd, fd, flags;
1461 struct file *fp;
1462 struct vnode *vp;
1463 struct f_audit_data *fad;
1464
1465 struct a {
1466 long fd;
1467 long cmd;
1468 long arg;
1469 } *uap = (struct a *)clwp->lwp_ap;
1470
1471 cmd = (uint32_t)uap->cmd;
1472 fd = (uint32_t)uap->fd;
1473 flags = (uint32_t)uap->arg;
1474
1475 au_uwrite(au_to_arg32(2, "cmd", cmd));
1476
1477 if (cmd == F_SETFL)
1478 au_uwrite(au_to_arg32(3, "flags", flags));
1479
1480 /*
1481 * convert file pointer to file descriptor
1482 * Note: fd ref count incremented here.
1483 */
1484 if ((fp = getf(fd)) == NULL)
1485 return;
1486
1487 /* get path from file struct here */
1488 fad = F2A(fp);
1489 if (fad->fad_aupath != NULL) {
1490 au_uwrite(au_to_path(fad->fad_aupath));
1491 } else {
1492 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1493 }
1494
1495 vp = fp->f_vnode;
1496 audit_attributes(vp);
1497
1498 /* decrement file descriptor reference count */
1499 releasef(fd);
1500 }
1501
1502 /*ARGSUSED*/
1503 static void
1504 aus_kill(struct t_audit_data *tad)
1505 {
1506 klwp_t *clwp = ttolwp(curthread);
1507 struct proc *p;
1508 uint32_t signo;
1509 uid_t uid, ruid;
1510 gid_t gid, rgid;
1511 pid_t pid;
1512 const auditinfo_addr_t *ainfo;
1513 cred_t *cr;
1514
1515 struct a {
1516 long pid;
1517 long signo;
1518 } *uap = (struct a *)clwp->lwp_ap;
1519
1520 pid = (pid_t)uap->pid;
1521 signo = (uint32_t)uap->signo;
1522
1523 au_uwrite(au_to_arg32(2, "signal", signo));
1524 if (pid > 0) {
1525 mutex_enter(&pidlock);
1526 if (((p = prfind(pid)) == (struct proc *)0) ||
1527 (p->p_stat == SIDL)) {
1528 mutex_exit(&pidlock);
1529 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1530 return;
1531 }
1532 mutex_enter(&p->p_lock); /* so process doesn't go away */
1533 mutex_exit(&pidlock);
1534
1535 mutex_enter(&p->p_crlock);
1536 crhold(cr = p->p_cred);
1537 mutex_exit(&p->p_crlock);
1538 mutex_exit(&p->p_lock);
1539
1540 ainfo = crgetauinfo(cr);
1541 if (ainfo == NULL) {
1542 crfree(cr);
1543 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1544 return;
1545 }
1546
1547 uid = crgetuid(cr);
1548 gid = crgetgid(cr);
1549 ruid = crgetruid(cr);
1550 rgid = crgetrgid(cr);
1551 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1552 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1553
1554 if (is_system_labeled())
1555 au_uwrite(au_to_label(CR_SL(cr)));
1556
1557 crfree(cr);
1558 }
1559 else
1560 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1561 }
1562
1563 /*ARGSUSED*/
1564 static void
1565 aus_mkdir(struct t_audit_data *tad)
1566 {
1567 klwp_t *clwp = ttolwp(curthread);
1568 uint32_t dmode;
1569
1570 struct a {
1571 long dirnamep; /* char * */
1572 long dmode;
1573 } *uap = (struct a *)clwp->lwp_ap;
1574
1575 dmode = (uint32_t)uap->dmode;
1576
1577 au_uwrite(au_to_arg32(2, "mode", dmode));
1578 }
1579
1580 /*ARGSUSED*/
1581 static void
1582 aus_mkdirat(struct t_audit_data *tad)
1583 {
1584 klwp_t *clwp = ttolwp(curthread);
1585 uint32_t dmode;
1586
1587 struct a {
1588 long fd;
1589 long dirnamep; /* char * */
1590 long dmode;
1591 } *uap = (struct a *)clwp->lwp_ap;
1592
1593 dmode = (uint32_t)uap->dmode;
1594
1595 au_uwrite(au_to_arg32(2, "mode", dmode));
1596 }
1597
1598 /*ARGSUSED*/
1599 static void
1600 aus_mknod(struct t_audit_data *tad)
1601 {
1602 klwp_t *clwp = ttolwp(curthread);
1603 uint32_t fmode;
1604 dev_t dev;
1605
1606 struct a {
1607 long pnamep; /* char * */
1608 long fmode;
1609 long dev;
1610 } *uap = (struct a *)clwp->lwp_ap;
1611
1612 fmode = (uint32_t)uap->fmode;
1613 dev = (dev_t)uap->dev;
1614
1615 au_uwrite(au_to_arg32(2, "mode", fmode));
1616 #ifdef _LP64
1617 au_uwrite(au_to_arg64(3, "dev", dev));
1618 #else
1619 au_uwrite(au_to_arg32(3, "dev", dev));
1620 #endif
1621 }
1622
1623 /*ARGSUSED*/
1624 static void
1625 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1626 {
1627 klwp_t *clwp = ttolwp(curthread);
1628 vnode_t *dvp;
1629 caddr_t pnamep;
1630
1631 struct a {
1632 long pnamep; /* char * */
1633 long fmode;
1634 long dev;
1635 } *uap = (struct a *)clwp->lwp_ap;
1636
1637 /* no error, then already path token in audit record */
1638 if (error != EPERM && error != EINVAL)
1639 return;
1640
1641 /* do the lookup to force generation of path token */
1642 pnamep = (caddr_t)uap->pnamep;
1643 tad->tad_ctrl |= TAD_NOATTRB;
1644 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1645 if (error == 0)
1646 VN_RELE(dvp);
1647 }
1648
1649 /*ARGSUSED*/
1650 static void
1651 aus_mknodat(struct t_audit_data *tad)
1652 {
1653 klwp_t *clwp = ttolwp(curthread);
1654 uint32_t fmode;
1655 dev_t dev;
1656
1657 struct a {
1658 long fd;
1659 long pnamep; /* char * */
1660 long fmode;
1661 long dev;
1662 } *uap = (struct a *)clwp->lwp_ap;
1663
1664 fmode = (uint32_t)uap->fmode;
1665 dev = (dev_t)uap->dev;
1666
1667 au_uwrite(au_to_arg32(2, "mode", fmode));
1668 #ifdef _LP64
1669 au_uwrite(au_to_arg64(3, "dev", dev));
1670 #else
1671 au_uwrite(au_to_arg32(3, "dev", dev));
1672 #endif
1673 }
1674
1675 /*ARGSUSED*/
1676 static void
1677 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1678 {
1679 klwp_t *clwp = ttolwp(curthread);
1680 vnode_t *startvp;
1681 vnode_t *dvp;
1682 caddr_t pnamep;
1683 int fd;
1684
1685 struct a {
1686 long fd;
1687 long pnamep; /* char * */
1688 long fmode;
1689 long dev;
1690 } *uap = (struct a *)clwp->lwp_ap;
1691
1692 /* no error, then already path token in audit record */
1693 if (error != EPERM && error != EINVAL)
1694 return;
1695
1696 /* do the lookup to force generation of path token */
1697 fd = (int)uap->fd;
1698 pnamep = (caddr_t)uap->pnamep;
1699 if (pnamep == NULL ||
1700 fgetstartvp(fd, pnamep, &startvp) != 0)
1701 return;
1702 tad->tad_ctrl |= TAD_NOATTRB;
1703 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1704 startvp);
1705 if (error == 0)
1706 VN_RELE(dvp);
1707 if (startvp != NULL)
1708 VN_RELE(startvp);
1709 }
1710
1711 /*ARGSUSED*/
1712 static void
1713 aus_mount(struct t_audit_data *tad)
1714 { /* AUS_START */
1715 klwp_t *clwp = ttolwp(curthread);
1716 uint32_t flags;
1717 uintptr_t u_fstype, dataptr;
1718 STRUCT_DECL(nfs_args, nfsargs);
1719 size_t len;
1720 char *fstype, *hostname;
1721
1722 struct a {
1723 long spec; /* char * */
1724 long dir; /* char * */
1725 long flags;
1726 long fstype; /* char * */
1727 long dataptr; /* char * */
1728 long datalen;
1729 } *uap = (struct a *)clwp->lwp_ap;
1730
1731 u_fstype = (uintptr_t)uap->fstype;
1732 flags = (uint32_t)uap->flags;
1733 dataptr = (uintptr_t)uap->dataptr;
1734
1735 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1736 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1737 goto mount_free_fstype;
1738
1739 au_uwrite(au_to_arg32(3, "flags", flags));
1740 au_uwrite(au_to_text(fstype));
1741
1742 if (strncmp(fstype, "nfs", 3) == 0) {
1743
1744 STRUCT_INIT(nfsargs, get_udatamodel());
1745 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1746
1747 if (copyin((caddr_t)dataptr,
1748 STRUCT_BUF(nfsargs),
1749 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1750 /* DEBUG debug_enter((char *)NULL); */
1751 goto mount_free_fstype;
1752 }
1753 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1754 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1755 (caddr_t)hostname,
1756 MAXNAMELEN, &len)) {
1757 goto mount_free_hostname;
1758 }
1759 au_uwrite(au_to_text(hostname));
1760 au_uwrite(au_to_arg32(3, "internal flags",
1761 (uint_t)STRUCT_FGET(nfsargs, flags)));
1762
1763 mount_free_hostname:
1764 kmem_free(hostname, MAXNAMELEN);
1765 }
1766
1767 mount_free_fstype:
1768 kmem_free(fstype, MAXNAMELEN);
1769 } /* AUS_MOUNT */
1770
1771 static void
1772 aus_umount_path(caddr_t umount_dir)
1773 {
1774 char *dir_path;
1775 struct audit_path *path;
1776 size_t path_len, dir_len;
1777
1778 /* length alloc'd for two string pointers */
1779 path_len = sizeof (struct audit_path) + sizeof (char *);
1780 path = kmem_alloc(path_len, KM_SLEEP);
1781 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1782
1783 if (copyinstr(umount_dir, (caddr_t)dir_path,
1784 MAXPATHLEN, &dir_len))
1785 goto umount2_free_dir;
1786
1787 /*
1788 * the audit_path struct assumes that the buffer pointed to
1789 * by audp_sect[n] contains string 0 immediatedly followed
1790 * by string 1.
1791 */
1792 path->audp_sect[0] = dir_path;
1793 path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1794 path->audp_size = path_len;
1795 path->audp_ref = 1; /* not used */
1796 path->audp_cnt = 1; /* one path string */
1797
1798 au_uwrite(au_to_path(path));
1799
1800 umount2_free_dir:
1801 kmem_free(dir_path, MAXPATHLEN);
1802 kmem_free(path, path_len);
1803 }
1804
1805 /*ARGSUSED*/
1806 static void
1807 aus_umount2(struct t_audit_data *tad)
1808 {
1809 klwp_t *clwp = ttolwp(curthread);
1810 struct a {
1811 long dir; /* char * */
1812 long flags;
1813 } *uap = (struct a *)clwp->lwp_ap;
1814
1815 aus_umount_path((caddr_t)uap->dir);
1816
1817 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1818 }
1819
1820 static void
1821 aus_msgsys(struct t_audit_data *tad)
1822 {
1823 klwp_t *clwp = ttolwp(curthread);
1824 uint32_t msgid;
1825
1826 struct b {
1827 long msgid;
1828 long cmd;
1829 long buf; /* struct msqid_ds * */
1830 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1831
1832 msgid = (uint32_t)uap1->msgid;
1833
1834
1835 switch (tad->tad_event) {
1836 case AUE_MSGGET: /* msgget */
1837 au_uwrite(au_to_arg32(1, "msg key", msgid));
1838 break;
1839 case AUE_MSGCTL: /* msgctl */
1840 case AUE_MSGCTL_RMID: /* msgctl */
1841 case AUE_MSGCTL_SET: /* msgctl */
1842 case AUE_MSGCTL_STAT: /* msgctl */
1843 case AUE_MSGRCV: /* msgrcv */
1844 case AUE_MSGSND: /* msgsnd */
1845 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1846 break;
1847 }
1848 }
1849
1850 /*ARGSUSED*/
1851 static void
1852 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1853 {
1854 int id;
1855
1856 if (error != 0)
1857 return;
1858 if (tad->tad_event == AUE_MSGGET) {
1859 uint32_t scid;
1860 uint32_t sy_flags;
1861
1862 /* need to determine type of executing binary */
1863 scid = tad->tad_scid;
1864 #ifdef _SYSCALL32_IMPL
1865 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1866 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1867 else
1868 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1869 #else
1870 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1871 #endif
1872 if (sy_flags == SE_32RVAL1)
1873 id = rval->r_val1;
1874 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1875 id = rval->r_val1;
1876 if (sy_flags == SE_64RVAL)
1877 id = (int)rval->r_vals;
1878
1879 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1880 }
1881 }
1882
1883 static void
1884 aus_semsys(struct t_audit_data *tad)
1885 {
1886 klwp_t *clwp = ttolwp(curthread);
1887 uint32_t semid;
1888
1889 struct b { /* ctrl */
1890 long semid;
1891 long semnum;
1892 long cmd;
1893 long arg;
1894 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1895
1896 semid = (uint32_t)uap1->semid;
1897
1898 switch (tad->tad_event) {
1899 case AUE_SEMCTL_RMID:
1900 case AUE_SEMCTL_STAT:
1901 case AUE_SEMCTL_GETNCNT:
1902 case AUE_SEMCTL_GETPID:
1903 case AUE_SEMCTL_GETVAL:
1904 case AUE_SEMCTL_GETALL:
1905 case AUE_SEMCTL_GETZCNT:
1906 case AUE_SEMCTL_SET:
1907 case AUE_SEMCTL_SETVAL:
1908 case AUE_SEMCTL_SETALL:
1909 case AUE_SEMCTL:
1910 case AUE_SEMOP:
1911 au_uwrite(au_to_arg32(1, "sem ID", semid));
1912 break;
1913 case AUE_SEMGET:
1914 au_uwrite(au_to_arg32(1, "sem key", semid));
1915 break;
1916 }
1917 }
1918
1919 /*ARGSUSED*/
1920 static void
1921 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1922 {
1923 int id;
1924
1925 if (error != 0)
1926 return;
1927 if (tad->tad_event == AUE_SEMGET) {
1928 uint32_t scid;
1929 uint32_t sy_flags;
1930
1931 /* need to determine type of executing binary */
1932 scid = tad->tad_scid;
1933 #ifdef _SYSCALL32_IMPL
1934 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1935 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1936 else
1937 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1938 #else
1939 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1940 #endif
1941 if (sy_flags == SE_32RVAL1)
1942 id = rval->r_val1;
1943 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1944 id = rval->r_val1;
1945 if (sy_flags == SE_64RVAL)
1946 id = (int)rval->r_vals;
1947
1948 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1949 }
1950 }
1951
1952 /*ARGSUSED*/
1953 static void
1954 aus_close(struct t_audit_data *tad)
1955 {
1956 klwp_t *clwp = ttolwp(curthread);
1957 uint32_t fd;
1958 struct file *fp;
1959 struct f_audit_data *fad;
1960 struct vnode *vp;
1961 struct vattr attr;
1962 au_kcontext_t *kctx = GET_KCTX_PZ;
1963
1964 struct a {
1965 long i;
1966 } *uap = (struct a *)clwp->lwp_ap;
1967
1968 fd = (uint32_t)uap->i;
1969
1970 attr.va_mask = 0;
1971 au_uwrite(au_to_arg32(1, "fd", fd));
1972
1973 /*
1974 * convert file pointer to file descriptor
1975 * Note: fd ref count incremented here.
1976 */
1977 if ((fp = getf(fd)) == NULL)
1978 return;
1979
1980 fad = F2A(fp);
1981 tad->tad_evmod = (au_emod_t)fad->fad_flags;
1982 if (fad->fad_aupath != NULL) {
1983 au_uwrite(au_to_path(fad->fad_aupath));
1984 if ((vp = fp->f_vnode) != NULL) {
1985 attr.va_mask = AT_ALL;
1986 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1987 /*
1988 * When write was not used and the file can be
1989 * considered public, skip the audit.
1990 */
1991 if (((fp->f_flag & FWRITE) == 0) &&
1992 object_is_public(&attr)) {
1993 tad->tad_flag = 0;
1994 tad->tad_evmod = 0;
1995 /* free any residual audit data */
1996 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1997 releasef(fd);
1998 return;
1999 }
2000 au_uwrite(au_to_attr(&attr));
2001 audit_sec_attributes(&(u_ad), vp);
2002 }
2003 }
2004 }
2005
2006 /* decrement file descriptor reference count */
2007 releasef(fd);
2008 }
2009
2010 /*ARGSUSED*/
2011 static void
2012 aus_fstatfs(struct t_audit_data *tad)
2013 {
2014 klwp_t *clwp = ttolwp(curthread);
2015 uint32_t fd;
2016 struct file *fp;
2017 struct vnode *vp;
2018 struct f_audit_data *fad;
2019
2020 struct a {
2021 long fd;
2022 long buf; /* struct statfs * */
2023 } *uap = (struct a *)clwp->lwp_ap;
2024
2025 fd = (uint_t)uap->fd;
2026
2027 /*
2028 * convert file pointer to file descriptor
2029 * Note: fd ref count incremented here.
2030 */
2031 if ((fp = getf(fd)) == NULL)
2032 return;
2033
2034 /* get path from file struct here */
2035 fad = F2A(fp);
2036 if (fad->fad_aupath != NULL) {
2037 au_uwrite(au_to_path(fad->fad_aupath));
2038 } else {
2039 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2040 }
2041
2042 vp = fp->f_vnode;
2043 audit_attributes(vp);
2044
2045 /* decrement file descriptor reference count */
2046 releasef(fd);
2047 }
2048
2049 static au_event_t
2050 aui_setpgrp(au_event_t e)
2051 {
2052 klwp_t *clwp = ttolwp(curthread);
2053 int flag;
2054
2055 struct a {
2056 long flag;
2057 long pid;
2058 long pgid;
2059 } *uap = (struct a *)clwp->lwp_ap;
2060
2061 flag = (int)uap->flag;
2062
2063
2064 switch (flag) {
2065
2066 case 1: /* setpgrp() */
2067 e = AUE_SETPGRP;
2068 break;
2069
2070 case 3: /* setsid() */
2071 e = AUE_SETSID;
2072 break;
2073
2074 case 5: /* setpgid() */
2075 e = AUE_SETPGID;
2076 break;
2077
2078 case 0: /* getpgrp() - not security relevant */
2079 case 2: /* getsid() - not security relevant */
2080 case 4: /* getpgid() - not security relevant */
2081 e = AUE_NULL;
2082 break;
2083
2084 default:
2085 e = AUE_NULL;
2086 break;
2087 }
2088
2089 return (e);
2090 }
2091
2092 /*ARGSUSED*/
2093 static void
2094 aus_setpgrp(struct t_audit_data *tad)
2095 {
2096 klwp_t *clwp = ttolwp(curthread);
2097 pid_t pgid;
2098 struct proc *p;
2099 uid_t uid, ruid;
2100 gid_t gid, rgid;
2101 pid_t pid;
2102 cred_t *cr;
2103 int flag;
2104 const auditinfo_addr_t *ainfo;
2105
2106 struct a {
2107 long flag;
2108 long pid;
2109 long pgid;
2110 } *uap = (struct a *)clwp->lwp_ap;
2111
2112 flag = (int)uap->flag;
2113 pid = (pid_t)uap->pid;
2114 pgid = (pid_t)uap->pgid;
2115
2116
2117 switch (flag) {
2118
2119 case 0: /* getpgrp() */
2120 case 1: /* setpgrp() */
2121 case 2: /* getsid() */
2122 case 3: /* setsid() */
2123 case 4: /* getpgid() */
2124 break;
2125
2126 case 5: /* setpgid() */
2127
2128 /* current process? */
2129 if (pid == 0) {
2130 return;
2131 }
2132
2133 mutex_enter(&pidlock);
2134 p = prfind(pid);
2135 if (p == NULL || p->p_as == &kas ||
2136 p->p_stat == SIDL || p->p_stat == SZOMB) {
2137 mutex_exit(&pidlock);
2138 return;
2139 }
2140 mutex_enter(&p->p_lock); /* so process doesn't go away */
2141 mutex_exit(&pidlock);
2142
2143 mutex_enter(&p->p_crlock);
2144 crhold(cr = p->p_cred);
2145 mutex_exit(&p->p_crlock);
2146 mutex_exit(&p->p_lock);
2147
2148 ainfo = crgetauinfo(cr);
2149 if (ainfo == NULL) {
2150 crfree(cr);
2151 return;
2152 }
2153
2154 uid = crgetuid(cr);
2155 gid = crgetgid(cr);
2156 ruid = crgetruid(cr);
2157 rgid = crgetrgid(cr);
2158 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2159 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2160 crfree(cr);
2161 au_uwrite(au_to_arg32(2, "pgid", pgid));
2162 break;
2163
2164 default:
2165 break;
2166 }
2167 }
2168
2169
2170 /*ARGSUSED*/
2171 static void
2172 aus_setregid(struct t_audit_data *tad)
2173 {
2174 klwp_t *clwp = ttolwp(curthread);
2175 uint32_t rgid, egid;
2176
2177 struct a {
2178 long rgid;
2179 long egid;
2180 } *uap = (struct a *)clwp->lwp_ap;
2181
2182 rgid = (uint32_t)uap->rgid;
2183 egid = (uint32_t)uap->egid;
2184
2185 au_uwrite(au_to_arg32(1, "rgid", rgid));
2186 au_uwrite(au_to_arg32(2, "egid", egid));
2187 }
2188
2189 /*ARGSUSED*/
2190 static void
2191 aus_setgid(struct t_audit_data *tad)
2192 {
2193 klwp_t *clwp = ttolwp(curthread);
2194 uint32_t gid;
2195
2196 struct a {
2197 long gid;
2198 } *uap = (struct a *)clwp->lwp_ap;
2199
2200 gid = (uint32_t)uap->gid;
2201
2202 au_uwrite(au_to_arg32(1, "gid", gid));
2203 }
2204
2205
2206 /*ARGSUSED*/
2207 static void
2208 aus_setreuid(struct t_audit_data *tad)
2209 {
2210 klwp_t *clwp = ttolwp(curthread);
2211 uint32_t ruid, euid;
2212
2213 struct a {
2214 long ruid;
2215 long euid;
2216 } *uap = (struct a *)clwp->lwp_ap;
2217
2218 ruid = (uint32_t)uap->ruid;
2219 euid = (uint32_t)uap->euid;
2220
2221 au_uwrite(au_to_arg32(1, "ruid", ruid));
2222 au_uwrite(au_to_arg32(2, "euid", euid));
2223 }
2224
2225
2226 /*ARGSUSED*/
2227 static void
2228 aus_setuid(struct t_audit_data *tad)
2229 {
2230 klwp_t *clwp = ttolwp(curthread);
2231 uint32_t uid;
2232
2233 struct a {
2234 long uid;
2235 } *uap = (struct a *)clwp->lwp_ap;
2236
2237 uid = (uint32_t)uap->uid;
2238
2239 au_uwrite(au_to_arg32(1, "uid", uid));
2240 }
2241
2242 /*ARGSUSED*/
2243 static void
2244 aus_shmsys(struct t_audit_data *tad)
2245 {
2246 klwp_t *clwp = ttolwp(curthread);
2247 uint32_t id, cmd;
2248
2249 struct b {
2250 long id;
2251 long cmd;
2252 long buf; /* struct shmid_ds * */
2253 } *uap1 = (struct b *)&clwp->lwp_ap[1];
2254
2255 id = (uint32_t)uap1->id;
2256 cmd = (uint32_t)uap1->cmd;
2257
2258 switch (tad->tad_event) {
2259 case AUE_SHMGET: /* shmget */
2260 au_uwrite(au_to_arg32(1, "shm key", id));
2261 break;
2262 case AUE_SHMCTL: /* shmctl */
2263 case AUE_SHMCTL_RMID: /* shmctl */
2264 case AUE_SHMCTL_STAT: /* shmctl */
2265 case AUE_SHMCTL_SET: /* shmctl */
2266 au_uwrite(au_to_arg32(1, "shm ID", id));
2267 break;
2268 case AUE_SHMDT: /* shmdt */
2269 au_uwrite(au_to_arg32(1, "shm adr", id));
2270 break;
2271 case AUE_SHMAT: /* shmat */
2272 au_uwrite(au_to_arg32(1, "shm ID", id));
2273 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2274 break;
2275 }
2276 }
2277
2278 /*ARGSUSED*/
2279 static void
2280 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2281 {
2282 int id;
2283
2284 if (error != 0)
2285 return;
2286 if (tad->tad_event == AUE_SHMGET) {
2287 uint32_t scid;
2288 uint32_t sy_flags;
2289
2290 /* need to determine type of executing binary */
2291 scid = tad->tad_scid;
2292 #ifdef _SYSCALL32_IMPL
2293 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2294 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2295 else
2296 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2297 #else
2298 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2299 #endif
2300 if (sy_flags == SE_32RVAL1)
2301 id = rval->r_val1;
2302 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2303 id = rval->r_val1;
2304 if (sy_flags == SE_64RVAL)
2305 id = (int)rval->r_vals;
2306 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2307 }
2308 }
2309
2310
2311 /*ARGSUSED*/
2312 static void
2313 aus_ioctl(struct t_audit_data *tad)
2314 {
2315 klwp_t *clwp = ttolwp(curthread);
2316 struct file *fp;
2317 struct vnode *vp;
2318 struct f_audit_data *fad;
2319 uint32_t fd, cmd;
2320 uintptr_t cmarg;
2321
2322 /* XX64 */
2323 struct a {
2324 long fd;
2325 long cmd;
2326 long cmarg; /* caddr_t */
2327 } *uap = (struct a *)clwp->lwp_ap;
2328
2329 fd = (uint32_t)uap->fd;
2330 cmd = (uint32_t)uap->cmd;
2331 cmarg = (uintptr_t)uap->cmarg;
2332
2333 /*
2334 * convert file pointer to file descriptor
2335 * Note: fd ref count incremented here.
2336 */
2337 if ((fp = getf(fd)) == NULL) {
2338 au_uwrite(au_to_arg32(1, "fd", fd));
2339 au_uwrite(au_to_arg32(2, "cmd", cmd));
2340 #ifndef _LP64
2341 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2342 #else
2343 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2344 #endif
2345 return;
2346 }
2347
2348 /* get path from file struct here */
2349 fad = F2A(fp);
2350 if (fad->fad_aupath != NULL) {
2351 au_uwrite(au_to_path(fad->fad_aupath));
2352 } else {
2353 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2354 }
2355
2356 vp = fp->f_vnode;
2357 audit_attributes(vp);
2358
2359 /* decrement file descriptor reference count */
2360 releasef(fd);
2361
2362 au_uwrite(au_to_arg32(2, "cmd", cmd));
2363 #ifndef _LP64
2364 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2365 #else
2366 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2367 #endif
2368 }
2369
2370 /*
2371 * null function for memcntl for now. We might want to limit memcntl()
2372 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2373 * require privileges.
2374 */
2375 static au_event_t
2376 aui_memcntl(au_event_t e)
2377 {
2378 return (e);
2379 }
2380
2381 /*ARGSUSED*/
2382 static au_event_t
2383 aui_privsys(au_event_t e)
2384 {
2385 klwp_t *clwp = ttolwp(curthread);
2386
2387 struct a {
2388 long opcode;
2389 } *uap = (struct a *)clwp->lwp_ap;
2390
2391 switch (uap->opcode) {
2392 case PRIVSYS_SETPPRIV:
2393 return (AUE_SETPPRIV);
2394 default:
2395 return (AUE_NULL);
2396 }
2397 }
2398
2399 /*ARGSUSED*/
2400 static void
2401 aus_memcntl(struct t_audit_data *tad)
2402 {
2403 klwp_t *clwp = ttolwp(curthread);
2404
2405 struct a {
2406 long addr;
2407 long len;
2408 long cmd;
2409 long arg;
2410 long attr;
2411 long mask;
2412 } *uap = (struct a *)clwp->lwp_ap;
2413
2414 #ifdef _LP64
2415 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2416 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2417 #else
2418 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2419 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2420 #endif
2421 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2422 #ifdef _LP64
2423 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2424 #else
2425 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2426 #endif
2427 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2428 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2429 }
2430
2431 /*ARGSUSED*/
2432 static void
2433 aus_mmap(struct t_audit_data *tad)
2434 {
2435 klwp_t *clwp = ttolwp(curthread);
2436 struct file *fp;
2437 struct f_audit_data *fad;
2438 struct vnode *vp;
2439 uint32_t fd;
2440
2441 struct a {
2442 long addr;
2443 long len;
2444 long prot;
2445 long flags;
2446 long fd;
2447 long pos;
2448 } *uap = (struct a *)clwp->lwp_ap;
2449
2450 fd = (uint32_t)uap->fd;
2451
2452 #ifdef _LP64
2453 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2454 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2455 #else
2456 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2457 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2458 #endif
2459
2460 if ((fp = getf(fd)) == NULL) {
2461 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2462 return;
2463 }
2464
2465 /*
2466 * Mark in the tad if write access is NOT requested... if
2467 * this is later detected (in audit_attributes) to be a
2468 * public object, the mmap event may be discarded.
2469 */
2470 if (((uap->prot) & PROT_WRITE) == 0) {
2471 tad->tad_ctrl |= TAD_PUBLIC_EV;
2472 }
2473
2474 fad = F2A(fp);
2475 if (fad->fad_aupath != NULL) {
2476 au_uwrite(au_to_path(fad->fad_aupath));
2477 } else {
2478 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2479 }
2480
2481 vp = (struct vnode *)fp->f_vnode;
2482 audit_attributes(vp);
2483
2484 /* mark READ/WRITE since we can't predict access */
2485 if (uap->prot & PROT_READ)
2486 fad->fad_flags |= FAD_READ;
2487 if (uap->prot & PROT_WRITE)
2488 fad->fad_flags |= FAD_WRITE;
2489
2490 /* decrement file descriptor reference count */
2491 releasef(fd);
2492
2493 } /* AUS_MMAP */
2494
2495
2496
2497
2498 /*ARGSUSED*/
2499 static void
2500 aus_munmap(struct t_audit_data *tad)
2501 {
2502 klwp_t *clwp = ttolwp(curthread);
2503
2504 struct a {
2505 long addr;
2506 long len;
2507 } *uap = (struct a *)clwp->lwp_ap;
2508
2509 #ifdef _LP64
2510 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2511 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2512 #else
2513 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2514 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2515 #endif
2516
2517 } /* AUS_MUNMAP */
2518
2519
2520
2521
2522
2523
2524
2525 /*ARGSUSED*/
2526 static void
2527 aus_priocntlsys(struct t_audit_data *tad)
2528 {
2529 klwp_t *clwp = ttolwp(curthread);
2530
2531 struct a {
2532 long pc_version;
2533 long psp; /* procset_t */
2534 long cmd;
2535 long arg;
2536 } *uap = (struct a *)clwp->lwp_ap;
2537
2538 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2539 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2540
2541 } /* AUS_PRIOCNTLSYS */
2542
2543
2544 /*ARGSUSED*/
2545 static void
2546 aus_setegid(struct t_audit_data *tad)
2547 {
2548 klwp_t *clwp = ttolwp(curthread);
2549 uint32_t gid;
2550
2551 struct a {
2552 long gid;
2553 } *uap = (struct a *)clwp->lwp_ap;
2554
2555 gid = (uint32_t)uap->gid;
2556
2557 au_uwrite(au_to_arg32(1, "gid", gid));
2558 } /* AUS_SETEGID */
2559
2560
2561
2562
2563 /*ARGSUSED*/
2564 static void
2565 aus_setgroups(struct t_audit_data *tad)
2566 {
2567 klwp_t *clwp = ttolwp(curthread);
2568 int i;
2569 int gidsetsize;
2570 uintptr_t gidset;
2571 gid_t *gidlist;
2572
2573 struct a {
2574 long gidsetsize;
2575 long gidset;
2576 } *uap = (struct a *)clwp->lwp_ap;
2577
2578 gidsetsize = (uint_t)uap->gidsetsize;
2579 gidset = (uintptr_t)uap->gidset;
2580
2581 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2582 return;
2583 if (gidsetsize != 0) {
2584 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2585 KM_SLEEP);
2586 if (copyin((caddr_t)gidset, gidlist,
2587 gidsetsize * sizeof (gid_t)) == 0)
2588 for (i = 0; i < gidsetsize; i++)
2589 au_uwrite(au_to_arg32(1, "setgroups",
2590 (uint32_t)gidlist[i]));
2591 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2592 } else
2593 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2594
2595 } /* AUS_SETGROUPS */
2596
2597
2598
2599
2600
2601 /*ARGSUSED*/
2602 static void
2603 aus_seteuid(struct t_audit_data *tad)
2604 {
2605 klwp_t *clwp = ttolwp(curthread);
2606 uint32_t uid;
2607
2608 struct a {
2609 long uid;
2610 } *uap = (struct a *)clwp->lwp_ap;
2611
2612 uid = (uint32_t)uap->uid;
2613
2614 au_uwrite(au_to_arg32(1, "euid", uid));
2615
2616 } /* AUS_SETEUID */
2617
2618 /*ARGSUSED*/
2619 static void
2620 aus_putmsg(struct t_audit_data *tad)
2621 {
2622 klwp_t *clwp = ttolwp(curthread);
2623 uint32_t fd, pri;
2624 struct file *fp;
2625 struct f_audit_data *fad;
2626
2627 struct a {
2628 long fdes;
2629 long ctl; /* struct strbuf * */
2630 long data; /* struct strbuf * */
2631 long pri;
2632 } *uap = (struct a *)clwp->lwp_ap;
2633
2634 fd = (uint32_t)uap->fdes;
2635 pri = (uint32_t)uap->pri;
2636
2637 au_uwrite(au_to_arg32(1, "fd", fd));
2638
2639 if ((fp = getf(fd)) != NULL) {
2640 fad = F2A(fp);
2641
2642 fad->fad_flags |= FAD_WRITE;
2643
2644 /* add path name to audit record */
2645 if (fad->fad_aupath != NULL) {
2646 au_uwrite(au_to_path(fad->fad_aupath));
2647 }
2648 audit_attributes(fp->f_vnode);
2649
2650 releasef(fd);
2651 }
2652
2653 au_uwrite(au_to_arg32(4, "pri", pri));
2654 }
2655
2656 /*ARGSUSED*/
2657 static void
2658 aus_putpmsg(struct t_audit_data *tad)
2659 {
2660 klwp_t *clwp = ttolwp(curthread);
2661 uint32_t fd, pri, flags;
2662 struct file *fp;
2663 struct f_audit_data *fad;
2664
2665 struct a {
2666 long fdes;
2667 long ctl; /* struct strbuf * */
2668 long data; /* struct strbuf * */
2669 long pri;
2670 long flags;
2671 } *uap = (struct a *)clwp->lwp_ap;
2672
2673 fd = (uint32_t)uap->fdes;
2674 pri = (uint32_t)uap->pri;
2675 flags = (uint32_t)uap->flags;
2676
2677 au_uwrite(au_to_arg32(1, "fd", fd));
2678
2679 if ((fp = getf(fd)) != NULL) {
2680 fad = F2A(fp);
2681
2682 fad->fad_flags |= FAD_WRITE;
2683
2684 /* add path name to audit record */
2685 if (fad->fad_aupath != NULL) {
2686 au_uwrite(au_to_path(fad->fad_aupath));
2687 }
2688 audit_attributes(fp->f_vnode);
2689
2690 releasef(fd);
2691 }
2692
2693
2694 au_uwrite(au_to_arg32(4, "pri", pri));
2695 au_uwrite(au_to_arg32(5, "flags", flags));
2696 }
2697
2698 /*ARGSUSED*/
2699 static void
2700 aus_getmsg(struct t_audit_data *tad)
2701 {
2702 klwp_t *clwp = ttolwp(curthread);
2703 uint32_t fd, pri;
2704 struct file *fp;
2705 struct f_audit_data *fad;
2706
2707 struct a {
2708 long fdes;
2709 long ctl; /* struct strbuf * */
2710 long data; /* struct strbuf * */
2711 long pri;
2712 } *uap = (struct a *)clwp->lwp_ap;
2713
2714 fd = (uint32_t)uap->fdes;
2715 pri = (uint32_t)uap->pri;
2716
2717 au_uwrite(au_to_arg32(1, "fd", fd));
2718
2719 if ((fp = getf(fd)) != NULL) {
2720 fad = F2A(fp);
2721
2722 /*
2723 * read operation on this object
2724 */
2725 fad->fad_flags |= FAD_READ;
2726
2727 /* add path name to audit record */
2728 if (fad->fad_aupath != NULL) {
2729 au_uwrite(au_to_path(fad->fad_aupath));
2730 }
2731 audit_attributes(fp->f_vnode);
2732
2733 releasef(fd);
2734 }
2735
2736 au_uwrite(au_to_arg32(4, "pri", pri));
2737 }
2738
2739 /*ARGSUSED*/
2740 static void
2741 aus_getpmsg(struct t_audit_data *tad)
2742 {
2743 klwp_t *clwp = ttolwp(curthread);
2744 uint32_t fd;
2745 struct file *fp;
2746 struct f_audit_data *fad;
2747
2748 struct a {
2749 long fdes;
2750 long ctl; /* struct strbuf * */
2751 long data; /* struct strbuf * */
2752 long pri;
2753 long flags;
2754 } *uap = (struct a *)clwp->lwp_ap;
2755
2756 fd = (uint32_t)uap->fdes;
2757
2758 au_uwrite(au_to_arg32(1, "fd", fd));
2759
2760 if ((fp = getf(fd)) != NULL) {
2761 fad = F2A(fp);
2762
2763 /*
2764 * read operation on this object
2765 */
2766 fad->fad_flags |= FAD_READ;
2767
2768 /* add path name to audit record */
2769 if (fad->fad_aupath != NULL) {
2770 au_uwrite(au_to_path(fad->fad_aupath));
2771 }
2772 audit_attributes(fp->f_vnode);
2773
2774 releasef(fd);
2775 }
2776 }
2777
2778 static au_event_t
2779 aui_labelsys(au_event_t e)
2780 {
2781 klwp_t *clwp = ttolwp(curthread);
2782 uint32_t code;
2783 uint32_t cmd;
2784
2785 struct a {
2786 long code;
2787 long cmd;
2788 } *uap = (struct a *)clwp->lwp_ap;
2789
2790 code = (uint32_t)uap->code;
2791 cmd = (uint32_t)uap->cmd;
2792
2793 /* not security relevant if not changing kernel cache */
2794 if (cmd == TNDB_GET)
2795 return (AUE_NULL);
2796
2797 switch (code) {
2798 case TSOL_TNRH:
2799 e = AUE_LABELSYS_TNRH;
2800 break;
2801 case TSOL_TNRHTP:
2802 e = AUE_LABELSYS_TNRHTP;
2803 break;
2804 case TSOL_TNMLP:
2805 e = AUE_LABELSYS_TNMLP;
2806 break;
2807 default:
2808 e = AUE_NULL;
2809 break;
2810 }
2811
2812 return (e);
2813
2814 }
2815
2816 static void
2817 aus_labelsys(struct t_audit_data *tad)
2818 {
2819 klwp_t *clwp = ttolwp(curthread);
2820 uint32_t cmd;
2821 uintptr_t a2;
2822
2823 struct a {
2824 long code;
2825 long cmd;
2826 long a2;
2827 } *uap = (struct a *)clwp->lwp_ap;
2828
2829 cmd = (uint32_t)uap->cmd;
2830 a2 = (uintptr_t)uap->a2;
2831
2832 switch (tad->tad_event) {
2833 case AUE_LABELSYS_TNRH:
2834 {
2835 tsol_rhent_t *rhent;
2836 tnaddr_t *rh_addr;
2837
2838 au_uwrite(au_to_arg32(1, "cmd", cmd));
2839
2840 /* Remaining args don't apply for FLUSH, so skip */
2841 if (cmd == TNDB_FLUSH)
2842 break;
2843
2844 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2845 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2846 kmem_free(rhent, sizeof (tsol_rhent_t));
2847 return;
2848 }
2849
2850 rh_addr = &rhent->rh_address;
2851 if (rh_addr->ta_family == AF_INET) {
2852 struct in_addr *ipaddr;
2853
2854 ipaddr = &(rh_addr->ta_addr_v4);
2855 au_uwrite(au_to_in_addr(ipaddr));
2856 } else if (rh_addr->ta_family == AF_INET6) {
2857 int32_t *ipaddr;
2858
2859 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2860 au_uwrite(au_to_in_addr_ex(ipaddr));
2861 }
2862 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2863
2864 kmem_free(rhent, sizeof (tsol_rhent_t));
2865
2866 break;
2867 }
2868 case AUE_LABELSYS_TNRHTP:
2869 {
2870 tsol_tpent_t *tpent;
2871
2872 au_uwrite(au_to_arg32(1, "cmd", cmd));
2873
2874 /* Remaining args don't apply for FLUSH, so skip */
2875 if (cmd == TNDB_FLUSH)
2876 break;
2877
2878 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2879 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2880 kmem_free(tpent, sizeof (tsol_tpent_t));
2881 return;
2882 }
2883
2884 /* Make sure that the template name is null-terminated. */
2885 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2886
2887 au_uwrite(au_to_text(tpent->name));
2888 kmem_free(tpent, sizeof (tsol_tpent_t));
2889
2890 break;
2891 }
2892 case AUE_LABELSYS_TNMLP:
2893 {
2894 tsol_mlpent_t *mlpent;
2895
2896 au_uwrite(au_to_arg32(1, "cmd", cmd));
2897
2898 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2899 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2900 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2901 return;
2902 }
2903
2904 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2905 au_uwrite(au_to_text("shared"));
2906 } else {
2907 zone_t *zone;
2908
2909 zone = zone_find_by_id(mlpent->tsme_zoneid);
2910 if (zone != NULL) {
2911 au_uwrite(au_to_text(zone->zone_name));
2912 zone_rele(zone);
2913 }
2914 }
2915
2916 /* Remaining args don't apply for FLUSH, so skip */
2917 if (cmd == TNDB_FLUSH) {
2918 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2919 break;
2920 }
2921
2922 au_uwrite(au_to_arg32(2, "proto num",
2923 (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2924 au_uwrite(au_to_arg32(2, "mlp_port",
2925 (uint32_t)mlpent->tsme_mlp.mlp_port));
2926
2927 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2928 au_uwrite(au_to_arg32(2, "mlp_port_upper",
2929 (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2930
2931 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2932
2933 break;
2934 }
2935 default:
2936 break;
2937 }
2938 }
2939
2940
2941 static au_event_t
2942 aui_auditsys(au_event_t e)
2943 {
2944 klwp_t *clwp = ttolwp(curthread);
2945 uint32_t code;
2946
2947 struct a {
2948 long code;
2949 long a1;
2950 long a2;
2951 long a3;
2952 long a4;
2953 long a5;
2954 long a6;
2955 long a7;
2956 } *uap = (struct a *)clwp->lwp_ap;
2957
2958 code = (uint32_t)uap->code;
2959
2960 switch (code) {
2961
2962 case BSM_GETAUID:
2963 e = AUE_GETAUID;
2964 break;
2965 case BSM_SETAUID:
2966 e = AUE_SETAUID;
2967 break;
2968 case BSM_GETAUDIT:
2969 e = AUE_GETAUDIT;
2970 break;
2971 case BSM_GETAUDIT_ADDR:
2972 e = AUE_GETAUDIT_ADDR;
2973 break;
2974 case BSM_SETAUDIT:
2975 e = AUE_SETAUDIT;
2976 break;
2977 case BSM_SETAUDIT_ADDR:
2978 e = AUE_SETAUDIT_ADDR;
2979 break;
2980 case BSM_AUDIT:
2981 e = AUE_AUDIT;
2982 break;
2983 case BSM_AUDITCTL:
2984 switch ((uint_t)uap->a1) {
2985
2986 case A_GETPOLICY:
2987 e = AUE_AUDITON_GPOLICY;
2988 break;
2989 case A_SETPOLICY:
2990 e = AUE_AUDITON_SPOLICY;
2991 break;
2992 case A_GETAMASK:
2993 e = AUE_AUDITON_GETAMASK;
2994 break;
2995 case A_SETAMASK:
2996 e = AUE_AUDITON_SETAMASK;
2997 break;
2998 case A_GETKMASK:
2999 e = AUE_AUDITON_GETKMASK;
3000 break;
3001 case A_SETKMASK:
3002 e = AUE_AUDITON_SETKMASK;
3003 break;
3004 case A_GETQCTRL:
3005 e = AUE_AUDITON_GQCTRL;
3006 break;
3007 case A_SETQCTRL:
3008 e = AUE_AUDITON_SQCTRL;
3009 break;
3010 case A_GETCWD:
3011 e = AUE_AUDITON_GETCWD;
3012 break;
3013 case A_GETCAR:
3014 e = AUE_AUDITON_GETCAR;
3015 break;
3016 case A_GETSTAT:
3017 e = AUE_AUDITON_GETSTAT;
3018 break;
3019 case A_SETSTAT:
3020 e = AUE_AUDITON_SETSTAT;
3021 break;
3022 case A_SETUMASK:
3023 e = AUE_AUDITON_SETUMASK;
3024 break;
3025 case A_SETSMASK:
3026 e = AUE_AUDITON_SETSMASK;
3027 break;
3028 case A_GETCOND:
3029 e = AUE_AUDITON_GETCOND;
3030 break;
3031 case A_SETCOND:
3032 e = AUE_AUDITON_SETCOND;
3033 break;
3034 case A_GETCLASS:
3035 e = AUE_AUDITON_GETCLASS;
3036 break;
3037 case A_SETCLASS:
3038 e = AUE_AUDITON_SETCLASS;
3039 break;
3040 default:
3041 e = AUE_NULL;
3042 break;
3043 }
3044 break;
3045 default:
3046 e = AUE_NULL;
3047 break;
3048 }
3049
3050 return (e);
3051
3052 } /* AUI_AUDITSYS */
3053
3054
3055 static void
3056 aus_auditsys(struct t_audit_data *tad)
3057 {
3058 klwp_t *clwp = ttolwp(curthread);
3059 uintptr_t a1, a2;
3060 STRUCT_DECL(auditinfo, ainfo);
3061 STRUCT_DECL(auditinfo_addr, ainfo_addr);
3062 au_evclass_map_t event;
3063 au_mask_t mask;
3064 int auditstate, policy;
3065 au_id_t auid;
3066
3067
3068 struct a {
3069 long code;
3070 long a1;
3071 long a2;
3072 long a3;
3073 long a4;
3074 long a5;
3075 long a6;
3076 long a7;
3077 } *uap = (struct a *)clwp->lwp_ap;
3078
3079 a1 = (uintptr_t)uap->a1;
3080 a2 = (uintptr_t)uap->a2;
3081
3082 switch (tad->tad_event) {
3083 case AUE_SETAUID:
3084 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3085 return;
3086 au_uwrite(au_to_arg32(2, "setauid", auid));
3087 break;
3088 case AUE_SETAUDIT:
3089 STRUCT_INIT(ainfo, get_udatamodel());
3090 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3091 STRUCT_SIZE(ainfo))) {
3092 return;
3093 }
3094 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3095 (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3096 #ifdef _LP64
3097 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3098 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3099 #else
3100 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3101 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3102 #endif
3103 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3104 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3105 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3106 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3107 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3108 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3109 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3110 (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3111 break;
3112 case AUE_SETAUDIT_ADDR:
3113 STRUCT_INIT(ainfo_addr, get_udatamodel());
3114 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3115 STRUCT_SIZE(ainfo_addr))) {
3116 return;
3117 }
3118 au_uwrite(au_to_arg32((char)1, "auid",
3119 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3120 #ifdef _LP64
3121 au_uwrite(au_to_arg64((char)1, "port",
3122 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3123 #else
3124 au_uwrite(au_to_arg32((char)1, "port",
3125 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3126 #endif
3127 au_uwrite(au_to_arg32((char)1, "type",
3128 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3129 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3130 AU_IPv4) {
3131 au_uwrite(au_to_in_addr(
3132 (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3133 ai_termid.at_addr)));
3134 } else {
3135 au_uwrite(au_to_in_addr_ex(
3136 (int32_t *)STRUCT_FGETP(ainfo_addr,
3137 ai_termid.at_addr)));
3138 }
3139 au_uwrite(au_to_arg32((char)1, "as_success",
3140 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3141 au_uwrite(au_to_arg32((char)1, "as_failure",
3142 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3143 au_uwrite(au_to_arg32((char)1, "asid",
3144 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3145 break;
3146 case AUE_AUDITON_SETAMASK:
3147 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3148 return;
3149 au_uwrite(au_to_arg32(
3150 2, "setamask:as_success", (uint32_t)mask.as_success));
3151 au_uwrite(au_to_arg32(
3152 2, "setamask:as_failure", (uint32_t)mask.as_failure));
3153 break;
3154 case AUE_AUDITON_SETKMASK:
3155 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3156 return;
3157 au_uwrite(au_to_arg32(
3158 2, "setkmask:as_success", (uint32_t)mask.as_success));
3159 au_uwrite(au_to_arg32(
3160 2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3161 break;
3162 case AUE_AUDITON_SPOLICY:
3163 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3164 return;
3165 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3166 break;
3167 case AUE_AUDITON_SQCTRL: {
3168 STRUCT_DECL(au_qctrl, qctrl);
3169 model_t model;
3170
3171 model = get_udatamodel();
3172 STRUCT_INIT(qctrl, model);
3173 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3174 return;
3175 if (model == DATAMODEL_ILP32) {
3176 au_uwrite(au_to_arg32(
3177 3, "setqctrl:aq_hiwater",
3178 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3179 au_uwrite(au_to_arg32(
3180 3, "setqctrl:aq_lowater",
3181 (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3182 au_uwrite(au_to_arg32(
3183 3, "setqctrl:aq_bufsz",
3184 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3185 au_uwrite(au_to_arg32(
3186 3, "setqctrl:aq_delay",
3187 (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3188 } else {
3189 au_uwrite(au_to_arg64(
3190 3, "setqctrl:aq_hiwater",
3191 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3192 au_uwrite(au_to_arg64(
3193 3, "setqctrl:aq_lowater",
3194 (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3195 au_uwrite(au_to_arg64(
3196 3, "setqctrl:aq_bufsz",
3197 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3198 au_uwrite(au_to_arg64(
3199 3, "setqctrl:aq_delay",
3200 (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3201 }
3202 break;
3203 }
3204 case AUE_AUDITON_SETUMASK:
3205 STRUCT_INIT(ainfo, get_udatamodel());
3206 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3207 STRUCT_SIZE(ainfo))) {
3208 return;
3209 }
3210 au_uwrite(au_to_arg32(3, "setumask:as_success",
3211 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3212 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3213 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3214 break;
3215 case AUE_AUDITON_SETSMASK:
3216 STRUCT_INIT(ainfo, get_udatamodel());
3217 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3218 STRUCT_SIZE(ainfo))) {
3219 return;
3220 }
3221 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3222 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3223 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3224 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3225 break;
3226 case AUE_AUDITON_SETCOND:
3227 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3228 return;
3229 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3230 break;
3231 case AUE_AUDITON_SETCLASS:
3232 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3233 return;
3234 au_uwrite(au_to_arg32(
3235 2, "setclass:ec_event", (uint32_t)event.ec_number));
3236 au_uwrite(au_to_arg32(
3237 3, "setclass:ec_class", (uint32_t)event.ec_class));
3238 break;
3239 case AUE_GETAUID:
3240 case AUE_GETAUDIT:
3241 case AUE_GETAUDIT_ADDR:
3242 case AUE_AUDIT:
3243 case AUE_AUDITON_GPOLICY:
3244 case AUE_AUDITON_GQCTRL:
3245 case AUE_AUDITON_GETAMASK:
3246 case AUE_AUDITON_GETKMASK:
3247 case AUE_AUDITON_GETCWD:
3248 case AUE_AUDITON_GETCAR:
3249 case AUE_AUDITON_GETSTAT:
3250 case AUE_AUDITON_SETSTAT:
3251 case AUE_AUDITON_GETCOND:
3252 case AUE_AUDITON_GETCLASS:
3253 break;
3254 default:
3255 break;
3256 }
3257
3258 } /* AUS_AUDITSYS */
3259
3260
3261 /* only audit privileged operations for systeminfo(2) system call */
3262 static au_event_t
3263 aui_sysinfo(au_event_t e)
3264 {
3265 klwp_t *clwp = ttolwp(curthread);
3266 uint32_t command;
3267
3268 struct a {
3269 long command;
3270 long buf; /* char * */
3271 long count;
3272 } *uap = (struct a *)clwp->lwp_ap;
3273
3274 command = (uint32_t)uap->command;
3275
3276 switch (command) {
3277 case SI_SET_HOSTNAME:
3278 case SI_SET_SRPC_DOMAIN:
3279 e = (au_event_t)AUE_SYSINFO;
3280 break;
3281 default:
3282 e = (au_event_t)AUE_NULL;
3283 break;
3284 }
3285 return (e);
3286 }
3287
3288 /*ARGSUSED*/
3289 static void
3290 aus_sysinfo(struct t_audit_data *tad)
3291 {
3292 klwp_t *clwp = ttolwp(curthread);
3293 uint32_t command;
3294 size_t len, maxlen;
3295 char *name;
3296 uintptr_t buf;
3297
3298 struct a {
3299 long command;
3300 long buf; /* char * */
3301 long count;
3302 } *uap = (struct a *)clwp->lwp_ap;
3303
3304 command = (uint32_t)uap->command;
3305 buf = (uintptr_t)uap->buf;
3306
3307 au_uwrite(au_to_arg32(1, "cmd", command));
3308
3309 switch (command) {
3310 case SI_SET_HOSTNAME:
3311 {
3312 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3313 return;
3314
3315 maxlen = SYS_NMLN;
3316 name = kmem_alloc(maxlen, KM_SLEEP);
3317 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3318 break;
3319
3320 /*
3321 * Must be non-NULL string and string
3322 * must be less than SYS_NMLN chars.
3323 */
3324 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3325 break;
3326
3327 au_uwrite(au_to_text(name));
3328 break;
3329 }
3330
3331 case SI_SET_SRPC_DOMAIN:
3332 {
3333 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3334 return;
3335
3336 maxlen = SYS_NMLN;
3337 name = kmem_alloc(maxlen, KM_SLEEP);
3338 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3339 break;
3340
3341 /*
3342 * If string passed in is longer than length
3343 * allowed for domain name, fail.
3344 */
3345 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3346 break;
3347
3348 au_uwrite(au_to_text(name));
3349 break;
3350 }
3351
3352 default:
3353 return;
3354 }
3355
3356 kmem_free(name, maxlen);
3357 }
3358
3359 static au_event_t
3360 aui_modctl(au_event_t e)
3361 {
3362 klwp_t *clwp = ttolwp(curthread);
3363 uint_t cmd;
3364
3365 struct a {
3366 long cmd;
3367 } *uap = (struct a *)clwp->lwp_ap;
3368
3369 cmd = (uint_t)uap->cmd;
3370
3371 switch (cmd) {
3372 case MODLOAD:
3373 e = AUE_MODLOAD;
3374 break;
3375 case MODUNLOAD:
3376 e = AUE_MODUNLOAD;
3377 break;
3378 case MODADDMAJBIND:
3379 e = AUE_MODADDMAJ;
3380 break;
3381 case MODSETDEVPOLICY:
3382 e = AUE_MODDEVPLCY;
3383 break;
3384 case MODALLOCPRIV:
3385 e = AUE_MODADDPRIV;
3386 break;
3387 default:
3388 e = AUE_NULL;
3389 break;
3390 }
3391 return (e);
3392 }
3393
3394
3395 /*ARGSUSED*/
3396 static void
3397 aus_modctl(struct t_audit_data *tad)
3398 {
3399 klwp_t *clwp = ttolwp(curthread);
3400 void *a = clwp->lwp_ap;
3401 uint_t use_path;
3402
3403 switch (tad->tad_event) {
3404 case AUE_MODLOAD: {
3405 typedef struct {
3406 long cmd;
3407 long use_path;
3408 long filename; /* char * */
3409 } modloada_t;
3410
3411 char *filenamep;
3412 uintptr_t fname;
3413 extern char *default_path;
3414
3415 fname = (uintptr_t)((modloada_t *)a)->filename;
3416 use_path = (uint_t)((modloada_t *)a)->use_path;
3417
3418 /* space to hold path */
3419 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3420 /* get string */
3421 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3422 /* free allocated path */
3423 kmem_free(filenamep, MOD_MAXPATH);
3424 return;
3425 }
3426 /* ensure it's null terminated */
3427 filenamep[MOD_MAXPATH - 1] = 0;
3428
3429 if (use_path)
3430 au_uwrite(au_to_text(default_path));
3431 au_uwrite(au_to_text(filenamep));
3432
3433 /* release temporary memory */
3434 kmem_free(filenamep, MOD_MAXPATH);
3435 break;
3436 }
3437 case AUE_MODUNLOAD: {
3438 typedef struct {
3439 long cmd;
3440 long id;
3441 } modunloada_t;
3442
3443 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3444
3445 au_uwrite(au_to_arg32(1, "id", id));
3446 break;
3447 }
3448 case AUE_MODADDMAJ: {
3449 STRUCT_DECL(modconfig, mc);
3450 typedef struct {
3451 long cmd;
3452 long subcmd;
3453 long data; /* int * */
3454 } modconfiga_t;
3455
3456 STRUCT_DECL(aliases, alias);
3457 caddr_t ap;
3458 int i, num_aliases;
3459 char *drvname, *mc_drvname;
3460 char *name;
3461 extern char *ddi_major_to_name(major_t);
3462 model_t model;
3463
3464 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3465
3466 model = get_udatamodel();
3467 STRUCT_INIT(mc, model);
3468 /* sanitize buffer */
3469 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3470 /* get user arguments */
3471 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3472 STRUCT_SIZE(mc)) != 0)
3473 return;
3474
3475 mc_drvname = STRUCT_FGET(mc, drvname);
3476 if ((drvname = ddi_major_to_name(
3477 (major_t)STRUCT_FGET(mc, major))) != NULL &&
3478 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3479 /* safety */
3480 if (mc_drvname[0] != '\0') {
3481 mc_drvname[MAXMODCONFNAME-1] = '\0';
3482 au_uwrite(au_to_text(mc_drvname));
3483 }
3484 /* drvname != NULL from test above */
3485 au_uwrite(au_to_text(drvname));
3486 return;
3487 }
3488
3489 if (mc_drvname[0] != '\0') {
3490 /* safety */
3491 mc_drvname[MAXMODCONFNAME-1] = '\0';
3492 au_uwrite(au_to_text(mc_drvname));
3493 } else
3494 au_uwrite(au_to_text("no drvname"));
3495
3496 num_aliases = STRUCT_FGET(mc, num_aliases);
3497 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3498 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3499 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3500 STRUCT_INIT(alias, model);
3501 for (i = 0; i < num_aliases; i++) {
3502 bzero((caddr_t)STRUCT_BUF(alias),
3503 STRUCT_SIZE(alias));
3504 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3505 STRUCT_SIZE(alias)) != 0)
3506 break;
3507 if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3508 MAXMODCONFNAME, NULL) != 0) {
3509 break;
3510 }
3511
3512 au_uwrite(au_to_text(name));
3513 ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3514 }
3515 kmem_free(name, MAXMODCONFNAME);
3516 break;
3517 }
3518 default:
3519 break;
3520 }
3521 }
3522
3523
3524 /*ARGSUSED*/
3525 static void
3526 auf_accept(
3527 struct t_audit_data *tad,
3528 int error,
3529 rval_t *rval)
3530 {
3531 uint32_t scid;
3532 uint32_t sy_flags;
3533 int fd;
3534 struct sonode *so;
3535 char so_laddr[sizeof (struct sockaddr_in6)];
3536 char so_faddr[sizeof (struct sockaddr_in6)];
3537 int err;
3538 short so_family, so_type;
3539 int add_sock_token = 0;
3540
3541 /* need to determine type of executing binary */
3542 scid = tad->tad_scid;
3543 #ifdef _SYSCALL32_IMPL
3544 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3545 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3546 else
3547 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3548 #else
3549 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3550 #endif
3551 switch (sy_flags) {
3552 case SE_32RVAL1:
3553 /* FALLTHRU */
3554 case SE_32RVAL2|SE_32RVAL1:
3555 fd = rval->r_val1;
3556 break;
3557 case SE_64RVAL:
3558 fd = (int)rval->r_vals;
3559 break;
3560 default:
3561 /*
3562 * should never happen, seems to be an internal error
3563 * in sysent => no fd, nothing to audit here, returning
3564 */
3565 return;
3566 }
3567
3568 if (error) {
3569 /* can't trust socket contents. Just return */
3570 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3571 return;
3572 }
3573
3574 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3575 /*
3576 * not security relevant if doing a accept from non socket
3577 * so no extra tokens. Should probably turn off audit record
3578 * generation here.
3579 */
3580 return;
3581 }
3582
3583 so_family = so->so_family;
3584 so_type = so->so_type;
3585
3586 switch (so_family) {
3587 case AF_INET:
3588 case AF_INET6:
3589 /*
3590 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3591 */
3592 if (so->so_type == SOCK_STREAM) {
3593 socklen_t len;
3594
3595 bzero((void *)so_laddr, sizeof (so_laddr));
3596 bzero((void *)so_faddr, sizeof (so_faddr));
3597
3598 len = sizeof (so_laddr);
3599 (void) socket_getsockname(so,
3600 (struct sockaddr *)so_laddr, &len, CRED());
3601 len = sizeof (so_faddr);
3602 (void) socket_getpeername(so,
3603 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3604
3605 add_sock_token = 1;
3606 }
3607 break;
3608
3609 default:
3610 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3611 break;
3612 }
3613
3614 releasef(fd);
3615
3616 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3617
3618 if (add_sock_token == 0) {
3619 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3620 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3621 return;
3622 }
3623
3624 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3625
3626 }
3627
3628 /*ARGSUSED*/
3629 static void
3630 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3631 {
3632 struct a {
3633 long fd;
3634 long addr;
3635 long len;
3636 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3637
3638 struct sonode *so;
3639 char so_laddr[sizeof (struct sockaddr_in6)];
3640 char so_faddr[sizeof (struct sockaddr_in6)];
3641 int err, fd;
3642 socklen_t len;
3643 short so_family, so_type;
3644 int add_sock_token = 0;
3645
3646 fd = (int)uap->fd;
3647
3648 /*
3649 * bind failed, then nothing extra to add to audit record.
3650 */
3651 if (error) {
3652 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3653 /* XXX may want to add failed address some day */
3654 return;
3655 }
3656
3657 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3658 /*
3659 * not security relevant if doing a bind from non socket
3660 * so no extra tokens. Should probably turn off audit record
3661 * generation here.
3662 */
3663 return;
3664 }
3665
3666 so_family = so->so_family;
3667 so_type = so->so_type;
3668
3669 switch (so_family) {
3670 case AF_INET:
3671 case AF_INET6:
3672
3673 bzero(so_faddr, sizeof (so_faddr));
3674 len = sizeof (so_faddr);
3675
3676 (void) socket_getpeername(so,
3677 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3678 add_sock_token = 1;
3679
3680 break;
3681
3682 case AF_UNIX:
3683 /* token added by lookup */
3684 break;
3685 default:
3686 /* AF_ROUTE, AF_KEY do not support accept */
3687 break;
3688 }
3689
3690 releasef(fd);
3691
3692 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3693
3694 if (add_sock_token == 0) {
3695 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3696 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3697 return;
3698 }
3699
3700 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3701
3702 }
3703
3704 /*ARGSUSED*/
3705 static void
3706 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3707 {
3708 struct a {
3709 long fd;
3710 long addr;
3711 long len;
3712 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3713
3714 struct sonode *so;
3715 char so_laddr[sizeof (struct sockaddr_in6)];
3716 char so_faddr[sizeof (struct sockaddr_in6)];
3717 int err, fd;
3718 socklen_t len;
3719 short so_family, so_type;
3720 int add_sock_token = 0;
3721
3722 fd = (int)uap->fd;
3723
3724
3725 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3726 /*
3727 * not security relevant if doing a connect from non socket
3728 * so no extra tokens. Should probably turn off audit record
3729 * generation here.
3730 */
3731 return;
3732 }
3733
3734 so_family = so->so_family;
3735 so_type = so->so_type;
3736
3737 switch (so_family) {
3738 case AF_INET:
3739 case AF_INET6:
3740
3741 bzero(so_laddr, sizeof (so_laddr));
3742 bzero(so_faddr, sizeof (so_faddr));
3743
3744 len = sizeof (so_laddr);
3745 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3746 &len, CRED());
3747 if (error) {
3748 if (uap->addr == NULL)
3749 break;
3750 if (uap->len <= 0)
3751 break;
3752 len = min(uap->len, sizeof (so_faddr));
3753 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3754 break;
3755 #ifdef NOTYET
3756 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3757 #endif
3758 } else {
3759 /* sanity check on length */
3760 len = sizeof (so_faddr);
3761 (void) socket_getpeername(so,
3762 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3763 }
3764
3765 add_sock_token = 1;
3766
3767 break;
3768
3769 case AF_UNIX:
3770 /* does a lookup on name */
3771 break;
3772
3773 default:
3774 /* AF_ROUTE, AF_KEY do not support accept */
3775 break;
3776 }
3777
3778 releasef(fd);
3779
3780 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3781
3782 if (add_sock_token == 0) {
3783 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3784 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3785 return;
3786 }
3787
3788 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3789
3790 }
3791
3792 /*ARGSUSED*/
3793 static void
3794 aus_shutdown(struct t_audit_data *tad)
3795 {
3796 struct a {
3797 long fd;
3798 long how;
3799 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3800
3801 struct sonode *so;
3802 char so_laddr[sizeof (struct sockaddr_in6)];
3803 char so_faddr[sizeof (struct sockaddr_in6)];
3804 int err, fd;
3805 socklen_t len;
3806 short so_family, so_type;
3807 int add_sock_token = 0;
3808 file_t *fp; /* unix domain sockets */
3809 struct f_audit_data *fad; /* unix domain sockets */
3810
3811 fd = (int)uap->fd;
3812
3813 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3814 /*
3815 * not security relevant if doing a shutdown using non socket
3816 * so no extra tokens. Should probably turn off audit record
3817 * generation here.
3818 */
3819 return;
3820 }
3821
3822 so_family = so->so_family;
3823 so_type = so->so_type;
3824
3825 switch (so_family) {
3826 case AF_INET:
3827 case AF_INET6:
3828
3829 bzero(so_laddr, sizeof (so_laddr));
3830 bzero(so_faddr, sizeof (so_faddr));
3831
3832 len = sizeof (so_laddr);
3833 (void) socket_getsockname(so,
3834 (struct sockaddr *)so_laddr, &len, CRED());
3835 len = sizeof (so_faddr);
3836 (void) socket_getpeername(so,
3837 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3838
3839 add_sock_token = 1;
3840
3841 break;
3842
3843 case AF_UNIX:
3844
3845 /* get path from file struct here */
3846 fad = F2A(fp);
3847 ASSERT(fad);
3848
3849 if (fad->fad_aupath != NULL) {
3850 au_uwrite(au_to_path(fad->fad_aupath));
3851 } else {
3852 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3853 }
3854
3855 audit_attributes(fp->f_vnode);
3856
3857 break;
3858
3859 default:
3860 /*
3861 * AF_KEY and AF_ROUTE support shutdown. No socket token
3862 * added.
3863 */
3864 break;
3865 }
3866
3867 releasef(fd);
3868
3869 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3870
3871 if (add_sock_token == 0) {
3872 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3873 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3874 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3875 return;
3876 }
3877
3878 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3879
3880 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3881
3882 }
3883
3884 /*ARGSUSED*/
3885 static void
3886 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3887 {
3888 struct a {
3889 long fd;
3890 long level;
3891 long optname;
3892 long *optval;
3893 long optlen;
3894 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3895
3896 struct sonode *so;
3897 char so_laddr[sizeof (struct sockaddr_in6)];
3898 char so_faddr[sizeof (struct sockaddr_in6)];
3899 char val[AU_BUFSIZE];
3900 int err, fd;
3901 socklen_t len;
3902 short so_family, so_type;
3903 int add_sock_token = 0;
3904 file_t *fp; /* unix domain sockets */
3905 struct f_audit_data *fad; /* unix domain sockets */
3906
3907 fd = (int)uap->fd;
3908
3909 if (error) {
3910 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3911 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3912 /* XXX may want to include other arguments */
3913 return;
3914 }
3915
3916 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3917 /*
3918 * not security relevant if doing a setsockopt from non socket
3919 * so no extra tokens. Should probably turn off audit record
3920 * generation here.
3921 */
3922 return;
3923 }
3924
3925 so_family = so->so_family;
3926 so_type = so->so_type;
3927
3928 switch (so_family) {
3929 case AF_INET:
3930 case AF_INET6:
3931 bzero((void *)so_laddr, sizeof (so_laddr));
3932 bzero((void *)so_faddr, sizeof (so_faddr));
3933
3934 /* get local and foreign addresses */
3935 len = sizeof (so_laddr);
3936 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3937 &len, CRED());
3938 len = sizeof (so_faddr);
3939 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3940 &len, B_FALSE, CRED());
3941
3942 add_sock_token = 1;
3943
3944 break;
3945
3946 case AF_UNIX:
3947
3948 /* get path from file struct here */
3949 fad = F2A(fp);
3950 ASSERT(fad);
3951
3952 if (fad->fad_aupath != NULL) {
3953 au_uwrite(au_to_path(fad->fad_aupath));
3954 } else {
3955 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3956 }
3957
3958 audit_attributes(fp->f_vnode);
3959
3960 break;
3961
3962 default:
3963 /*
3964 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3965 * added.
3966 */
3967 break;
3968 }
3969
3970 releasef(fd);
3971
3972 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3973
3974 if (add_sock_token == 0) {
3975 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3976 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3977 }
3978 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3979 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3980
3981 bzero(val, sizeof (val));
3982 len = min(uap->optlen, sizeof (val));
3983 if ((len > 0) &&
3984 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3985 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3986 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3987 }
3988
3989 if (add_sock_token == 0)
3990 return;
3991
3992 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3993
3994 }
3995
3996 /*ARGSUSED*/
3997 static void
3998 aus_sockconfig(tad)
3999 struct t_audit_data *tad;
4000 {
4001 struct a {
4002 long cmd;
4003 long arg1;
4004 long arg2;
4005 long arg3;
4006 long arg4;
4007 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4008
4009 char *buf;
4010 int buflen;
4011 size_t size;
4012
4013 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4014 switch (uap->cmd) {
4015 case SOCKCONFIG_ADD_SOCK:
4016 case SOCKCONFIG_REMOVE_SOCK:
4017 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4018 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4019 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4020
4021 if (uap->arg4 == 0) {
4022 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4023 } else {
4024 buflen = MAXPATHLEN + 1;
4025 buf = kmem_alloc(buflen, KM_SLEEP);
4026 if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4027 &size)) {
4028 kmem_free(buf, buflen);
4029 return;
4030 }
4031
4032 if (size > MAXPATHLEN) {
4033 kmem_free(buf, buflen);
4034 return;
4035 }
4036
4037 au_uwrite(au_to_text(buf));
4038 kmem_free(buf, buflen);
4039 }
4040 break;
4041 case SOCKCONFIG_ADD_FILTER:
4042 case SOCKCONFIG_REMOVE_FILTER:
4043 buflen = FILNAME_MAX;
4044 buf = kmem_alloc(buflen, KM_SLEEP);
4045
4046 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4047 kmem_free(buf, buflen);
4048 return;
4049 }
4050
4051 au_uwrite(au_to_text(buf));
4052 kmem_free(buf, buflen);
4053 break;
4054 default:
4055 break;
4056 }
4057 }
4058
4059 /*
4060 * only audit recvmsg when the system call represents the creation of a new
4061 * circuit. This effectively occurs for all UDP packets and may occur for
4062 * special TCP situations where the local host has not set a local address
4063 * in the socket structure.
4064 */
4065 /*ARGSUSED*/
4066 static void
4067 auf_recvmsg(
4068 struct t_audit_data *tad,
4069 int error,
4070 rval_t *rvp)
4071 {
4072 struct a {
4073 long fd;
4074 long msg; /* struct msghdr */
4075 long flags;
4076 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4077
4078 struct sonode *so;
4079 STRUCT_DECL(msghdr, msg);
4080 caddr_t msg_name;
4081 socklen_t msg_namelen;
4082 int fd;
4083 int err;
4084 char so_laddr[sizeof (struct sockaddr_in6)];
4085 char so_faddr[sizeof (struct sockaddr_in6)];
4086 socklen_t len;
4087 file_t *fp; /* unix domain sockets */
4088 struct f_audit_data *fad; /* unix domain sockets */
4089 short so_family, so_type;
4090 int add_sock_token = 0;
4091 au_kcontext_t *kctx = GET_KCTX_PZ;
4092
4093 fd = (int)uap->fd;
4094
4095 /* bail if an error */
4096 if (error) {
4097 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4098 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4099 return;
4100 }
4101
4102 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4103 /*
4104 * not security relevant if doing a recvmsg from non socket
4105 * so no extra tokens. Should probably turn off audit record
4106 * generation here.
4107 */
4108 return;
4109 }
4110
4111 so_family = so->so_family;
4112 so_type = so->so_type;
4113
4114 /*
4115 * only putout SOCKET_EX token if INET/INET6 family.
4116 * XXX - what do we do about other families?
4117 */
4118
4119 switch (so_family) {
4120 case AF_INET:
4121 case AF_INET6:
4122
4123 /*
4124 * if datagram type socket, then just use what is in
4125 * socket structure for local address.
4126 * XXX - what do we do for other types?
4127 */
4128 if ((so->so_type == SOCK_DGRAM) ||
4129 (so->so_type == SOCK_RAW)) {
4130 add_sock_token = 1;
4131
4132 bzero((void *)so_laddr, sizeof (so_laddr));
4133 bzero((void *)so_faddr, sizeof (so_faddr));
4134
4135 /* get local address */
4136 len = sizeof (so_laddr);
4137 (void) socket_getsockname(so,
4138 (struct sockaddr *)so_laddr, &len, CRED());
4139
4140 /* get peer address */
4141 STRUCT_INIT(msg, get_udatamodel());
4142
4143 if (copyin((caddr_t)(uap->msg),
4144 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4145 break;
4146 }
4147 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4148 if (msg_name == NULL) {
4149 break;
4150 }
4151
4152 /* length is value from recvmsg - sanity check */
4153 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4154 if (msg_namelen == 0) {
4155 break;
4156 }
4157 if (copyin(msg_name, so_faddr,
4158 sizeof (so_faddr)) != 0) {
4159 break;
4160 }
4161
4162 } else if (so->so_type == SOCK_STREAM) {
4163
4164 /* get path from file struct here */
4165 fad = F2A(fp);
4166 ASSERT(fad);
4167
4168 /*
4169 * already processed this file for read attempt
4170 */
4171 if (fad->fad_flags & FAD_READ) {
4172 /* don't want to audit every recvmsg attempt */
4173 tad->tad_flag = 0;
4174 /* free any residual audit data */
4175 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4176 releasef(fd);
4177 return;
4178 }
4179 /*
4180 * mark things so we know what happened and don't
4181 * repeat things
4182 */
4183 fad->fad_flags |= FAD_READ;
4184
4185 bzero((void *)so_laddr, sizeof (so_laddr));
4186 bzero((void *)so_faddr, sizeof (so_faddr));
4187
4188 /* get local and foreign addresses */
4189 len = sizeof (so_laddr);
4190 (void) socket_getsockname(so,
4191 (struct sockaddr *)so_laddr, &len, CRED());
4192 len = sizeof (so_faddr);
4193 (void) socket_getpeername(so,
4194 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4195
4196 add_sock_token = 1;
4197 }
4198
4199 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4200
4201 break;
4202
4203 case AF_UNIX:
4204 /*
4205 * first check if this is first time through. Too much
4206 * duplicate code to put this in an aui_ routine.
4207 */
4208
4209 /* get path from file struct here */
4210 fad = F2A(fp);
4211 ASSERT(fad);
4212
4213 /*
4214 * already processed this file for read attempt
4215 */
4216 if (fad->fad_flags & FAD_READ) {
4217 releasef(fd);
4218 /* don't want to audit every recvmsg attempt */
4219 tad->tad_flag = 0;
4220 /* free any residual audit data */
4221 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4222 return;
4223 }
4224 /*
4225 * mark things so we know what happened and don't
4226 * repeat things
4227 */
4228 fad->fad_flags |= FAD_READ;
4229
4230 if (fad->fad_aupath != NULL) {
4231 au_uwrite(au_to_path(fad->fad_aupath));
4232 } else {
4233 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4234 }
4235
4236 audit_attributes(fp->f_vnode);
4237
4238 releasef(fd);
4239
4240 return;
4241
4242 default:
4243 break;
4244
4245 }
4246
4247 releasef(fd);
4248
4249 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4250
4251 if (add_sock_token == 0) {
4252 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4253 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4254 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4255 return;
4256 }
4257
4258 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4259
4260 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4261
4262 }
4263
4264 /*ARGSUSED*/
4265 static void
4266 auf_recvfrom(
4267 struct t_audit_data *tad,
4268 int error,
4269 rval_t *rvp)
4270 {
4271
4272 struct a {
4273 long fd;
4274 long msg; /* char */
4275 long len;
4276 long flags;
4277 long from; /* struct sockaddr */
4278 long fromlen;
4279 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4280
4281 socklen_t fromlen;
4282 struct sonode *so;
4283 char so_laddr[sizeof (struct sockaddr_in6)];
4284 char so_faddr[sizeof (struct sockaddr_in6)];
4285 int fd;
4286 short so_family, so_type;
4287 int add_sock_token = 0;
4288 socklen_t len;
4289 int err;
4290 struct file *fp;
4291 struct f_audit_data *fad; /* unix domain sockets */
4292 au_kcontext_t *kctx = GET_KCTX_PZ;
4293
4294 fd = (int)uap->fd;
4295
4296 /* bail if an error */
4297 if (error) {
4298 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4299 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4300 return;
4301 }
4302
4303 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4304 /*
4305 * not security relevant if doing a recvmsg from non socket
4306 * so no extra tokens. Should probably turn off audit record
4307 * generation here.
4308 */
4309 return;
4310 }
4311
4312 so_family = so->so_family;
4313 so_type = so->so_type;
4314
4315 /*
4316 * only putout SOCKET_EX token if INET/INET6 family.
4317 * XXX - what do we do about other families?
4318 */
4319
4320 switch (so_family) {
4321 case AF_INET:
4322 case AF_INET6:
4323
4324 /*
4325 * if datagram type socket, then just use what is in
4326 * socket structure for local address.
4327 * XXX - what do we do for other types?
4328 */
4329 if ((so->so_type == SOCK_DGRAM) ||
4330 (so->so_type == SOCK_RAW)) {
4331 add_sock_token = 1;
4332
4333 /* get local address */
4334 len = sizeof (so_laddr);
4335 (void) socket_getsockname(so,
4336 (struct sockaddr *)so_laddr, &len, CRED());
4337
4338 /* get peer address */
4339 bzero((void *)so_faddr, sizeof (so_faddr));
4340
4341 /* sanity check */
4342 if (uap->from == NULL)
4343 break;
4344
4345 /* sanity checks */
4346 if (uap->fromlen == 0)
4347 break;
4348
4349 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4350 sizeof (fromlen)) != 0)
4351 break;
4352
4353 if (fromlen == 0)
4354 break;
4355
4356 /* enforce maximum size */
4357 if (fromlen > sizeof (so_faddr))
4358 fromlen = sizeof (so_faddr);
4359
4360 if (copyin((caddr_t)(uap->from), so_faddr,
4361 fromlen) != 0)
4362 break;
4363
4364 } else if (so->so_type == SOCK_STREAM) {
4365
4366 /* get path from file struct here */
4367 fad = F2A(fp);
4368 ASSERT(fad);
4369
4370 /*
4371 * already processed this file for read attempt
4372 */
4373 if (fad->fad_flags & FAD_READ) {
4374 /* don't want to audit every recvfrom attempt */
4375 tad->tad_flag = 0;
4376 /* free any residual audit data */
4377 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4378 releasef(fd);
4379 return;
4380 }
4381 /*
4382 * mark things so we know what happened and don't
4383 * repeat things
4384 */
4385 fad->fad_flags |= FAD_READ;
4386
4387 bzero((void *)so_laddr, sizeof (so_laddr));
4388 bzero((void *)so_faddr, sizeof (so_faddr));
4389
4390 /* get local and foreign addresses */
4391 len = sizeof (so_laddr);
4392 (void) socket_getsockname(so,
4393 (struct sockaddr *)so_laddr, &len, CRED());
4394 len = sizeof (so_faddr);
4395 (void) socket_getpeername(so,
4396 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4397
4398 add_sock_token = 1;
4399 }
4400
4401 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4402
4403 break;
4404
4405 case AF_UNIX:
4406 /*
4407 * first check if this is first time through. Too much
4408 * duplicate code to put this in an aui_ routine.
4409 */
4410
4411 /* get path from file struct here */
4412 fad = F2A(fp);
4413 ASSERT(fad);
4414
4415 /*
4416 * already processed this file for read attempt
4417 */
4418 if (fad->fad_flags & FAD_READ) {
4419 /* don't want to audit every recvfrom attempt */
4420 tad->tad_flag = 0;
4421 /* free any residual audit data */
4422 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4423 releasef(fd);
4424 return;
4425 }
4426 /*
4427 * mark things so we know what happened and don't
4428 * repeat things
4429 */
4430 fad->fad_flags |= FAD_READ;
4431
4432 if (fad->fad_aupath != NULL) {
4433 au_uwrite(au_to_path(fad->fad_aupath));
4434 } else {
4435 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4436 }
4437
4438 audit_attributes(fp->f_vnode);
4439
4440 releasef(fd);
4441
4442 return;
4443
4444 default:
4445 break;
4446
4447 }
4448
4449 releasef(fd);
4450
4451 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4452
4453 if (add_sock_token == 0) {
4454 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4455 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4456 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4457 return;
4458 }
4459
4460 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4461
4462 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4463 }
4464
4465 /*ARGSUSED*/
4466 static void
4467 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4468 {
4469 struct a {
4470 long fd;
4471 long msg; /* struct msghdr */
4472 long flags;
4473 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4474
4475 struct sonode *so;
4476 char so_laddr[sizeof (struct sockaddr_in6)];
4477 char so_faddr[sizeof (struct sockaddr_in6)];
4478 int err;
4479 int fd;
4480 short so_family, so_type;
4481 int add_sock_token = 0;
4482 socklen_t len;
4483 struct file *fp;
4484 struct f_audit_data *fad;
4485 caddr_t msg_name;
4486 socklen_t msg_namelen;
4487 STRUCT_DECL(msghdr, msg);
4488 au_kcontext_t *kctx = GET_KCTX_PZ;
4489
4490 fd = (int)uap->fd;
4491
4492 /* bail if an error */
4493 if (error) {
4494 /* XXX include destination address from system call arguments */
4495 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4496 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4497 return;
4498 }
4499
4500 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4501 /*
4502 * not security relevant if doing a sendmsg from non socket
4503 * so no extra tokens. Should probably turn off audit record
4504 * generation here.
4505 */
4506 return;
4507 }
4508
4509 so_family = so->so_family;
4510 so_type = so->so_type;
4511
4512 switch (so_family) {
4513 case AF_INET:
4514 case AF_INET6:
4515 /*
4516 * if datagram type socket, then just use what is in
4517 * socket structure for local address.
4518 * XXX - what do we do for other types?
4519 */
4520 if ((so->so_type == SOCK_DGRAM) ||
4521 (so->so_type == SOCK_RAW)) {
4522
4523 bzero((void *)so_laddr, sizeof (so_laddr));
4524 bzero((void *)so_faddr, sizeof (so_faddr));
4525
4526 /* get local address */
4527 len = sizeof (so_laddr);
4528 (void) socket_getsockname(so,
4529 (struct sockaddr *)so_laddr, &len, CRED());
4530
4531 /* get peer address */
4532 STRUCT_INIT(msg, get_udatamodel());
4533
4534 if (copyin((caddr_t)(uap->msg),
4535 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4536 break;
4537 }
4538 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4539 if (msg_name == NULL)
4540 break;
4541
4542 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4543 /* length is value from recvmsg - sanity check */
4544 if (msg_namelen == 0)
4545 break;
4546
4547 if (copyin(msg_name, so_faddr,
4548 sizeof (so_faddr)) != 0)
4549 break;
4550
4551 add_sock_token = 1;
4552
4553 } else if (so->so_type == SOCK_STREAM) {
4554
4555 /* get path from file struct here */
4556 fad = F2A(fp);
4557 ASSERT(fad);
4558
4559 /*
4560 * already processed this file for write attempt
4561 */
4562 if (fad->fad_flags & FAD_WRITE) {
4563 releasef(fd);
4564 /* don't want to audit every sendmsg attempt */
4565 tad->tad_flag = 0;
4566 /* free any residual audit data */
4567 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4568 return;
4569 }
4570
4571 /*
4572 * mark things so we know what happened and don't
4573 * repeat things
4574 */
4575 fad->fad_flags |= FAD_WRITE;
4576
4577 bzero((void *)so_laddr, sizeof (so_laddr));
4578 bzero((void *)so_faddr, sizeof (so_faddr));
4579
4580 /* get local and foreign addresses */
4581 len = sizeof (so_laddr);
4582 (void) socket_getsockname(so,
4583 (struct sockaddr *)so_laddr, &len, CRED());
4584 len = sizeof (so_faddr);
4585 (void) socket_getpeername(so,
4586 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4587
4588 add_sock_token = 1;
4589 }
4590
4591 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4592
4593 break;
4594
4595 case AF_UNIX:
4596 /*
4597 * first check if this is first time through. Too much
4598 * duplicate code to put this in an aui_ routine.
4599 */
4600
4601 /* get path from file struct here */
4602 fad = F2A(fp);
4603 ASSERT(fad);
4604
4605 /*
4606 * already processed this file for write attempt
4607 */
4608 if (fad->fad_flags & FAD_WRITE) {
4609 releasef(fd);
4610 /* don't want to audit every sendmsg attempt */
4611 tad->tad_flag = 0;
4612 /* free any residual audit data */
4613 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4614 return;
4615 }
4616 /*
4617 * mark things so we know what happened and don't
4618 * repeat things
4619 */
4620 fad->fad_flags |= FAD_WRITE;
4621
4622 if (fad->fad_aupath != NULL) {
4623 au_uwrite(au_to_path(fad->fad_aupath));
4624 } else {
4625 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4626 }
4627
4628 audit_attributes(fp->f_vnode);
4629
4630 releasef(fd);
4631
4632 return;
4633
4634 default:
4635 break;
4636 }
4637
4638 releasef(fd);
4639
4640 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4641
4642 if (add_sock_token == 0) {
4643 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4644 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4645 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4646 return;
4647 }
4648
4649 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4650
4651 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4652 }
4653
4654 /*ARGSUSED*/
4655 static void
4656 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4657 {
4658 struct a {
4659 long fd;
4660 long msg; /* char */
4661 long len;
4662 long flags;
4663 long to; /* struct sockaddr */
4664 long tolen;
4665 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4666
4667 struct sonode *so;
4668 char so_laddr[sizeof (struct sockaddr_in6)];
4669 char so_faddr[sizeof (struct sockaddr_in6)];
4670 socklen_t tolen;
4671 int err;
4672 int fd;
4673 socklen_t len;
4674 short so_family, so_type;
4675 int add_sock_token = 0;
4676 struct file *fp;
4677 struct f_audit_data *fad;
4678 au_kcontext_t *kctx = GET_KCTX_PZ;
4679
4680 fd = (int)uap->fd;
4681
4682 /* bail if an error */
4683 if (error) {
4684 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4685 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4686 /* XXX include destination address from system call arguments */
4687 return;
4688 }
4689
4690 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4691 /*
4692 * not security relevant if doing a sendto using non socket
4693 * so no extra tokens. Should probably turn off audit record
4694 * generation here.
4695 */
4696 return;
4697 }
4698
4699 so_family = so->so_family;
4700 so_type = so->so_type;
4701
4702 /*
4703 * only putout SOCKET_EX token if INET/INET6 family.
4704 * XXX - what do we do about other families?
4705 */
4706
4707 switch (so_family) {
4708 case AF_INET:
4709 case AF_INET6:
4710
4711 /*
4712 * if datagram type socket, then just use what is in
4713 * socket structure for local address.
4714 * XXX - what do we do for other types?
4715 */
4716 if ((so->so_type == SOCK_DGRAM) ||
4717 (so->so_type == SOCK_RAW)) {
4718
4719 bzero((void *)so_laddr, sizeof (so_laddr));
4720 bzero((void *)so_faddr, sizeof (so_faddr));
4721
4722 /* get local address */
4723 len = sizeof (so_laddr);
4724 (void) socket_getsockname(so,
4725 (struct sockaddr *)so_laddr, &len, CRED());
4726
4727 /* get peer address */
4728
4729 /* sanity check */
4730 if (uap->to == NULL)
4731 break;
4732
4733 /* sanity checks */
4734 if (uap->tolen == 0)
4735 break;
4736
4737 tolen = (socklen_t)uap->tolen;
4738
4739 /* enforce maximum size */
4740 if (tolen > sizeof (so_faddr))
4741 tolen = sizeof (so_faddr);
4742
4743 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4744 break;
4745
4746 add_sock_token = 1;
4747 } else {
4748 /*
4749 * check if this is first time through.
4750 */
4751
4752 /* get path from file struct here */
4753 fad = F2A(fp);
4754 ASSERT(fad);
4755
4756 /*
4757 * already processed this file for write attempt
4758 */
4759 if (fad->fad_flags & FAD_WRITE) {
4760 /* don't want to audit every sendto attempt */
4761 tad->tad_flag = 0;
4762 /* free any residual audit data */
4763 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4764 releasef(fd);
4765 return;
4766 }
4767 /*
4768 * mark things so we know what happened and don't
4769 * repeat things
4770 */
4771 fad->fad_flags |= FAD_WRITE;
4772
4773 bzero((void *)so_laddr, sizeof (so_laddr));
4774 bzero((void *)so_faddr, sizeof (so_faddr));
4775
4776 /* get local and foreign addresses */
4777 len = sizeof (so_laddr);
4778 (void) socket_getsockname(so,
4779 (struct sockaddr *)so_laddr, &len, CRED());
4780 len = sizeof (so_faddr);
4781 (void) socket_getpeername(so,
4782 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4783
4784 add_sock_token = 1;
4785 }
4786
4787 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4788
4789 break;
4790
4791 case AF_UNIX:
4792 /*
4793 * first check if this is first time through. Too much
4794 * duplicate code to put this in an aui_ routine.
4795 */
4796
4797 /* get path from file struct here */
4798 fad = F2A(fp);
4799 ASSERT(fad);
4800
4801 /*
4802 * already processed this file for write attempt
4803 */
4804 if (fad->fad_flags & FAD_WRITE) {
4805 /* don't want to audit every sendto attempt */
4806 tad->tad_flag = 0;
4807 /* free any residual audit data */
4808 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4809 releasef(fd);
4810 return;
4811 }
4812 /*
4813 * mark things so we know what happened and don't
4814 * repeat things
4815 */
4816 fad->fad_flags |= FAD_WRITE;
4817
4818 if (fad->fad_aupath != NULL) {
4819 au_uwrite(au_to_path(fad->fad_aupath));
4820 } else {
4821 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4822 }
4823
4824 audit_attributes(fp->f_vnode);
4825
4826 releasef(fd);
4827
4828 return;
4829
4830 default:
4831 break;
4832
4833 }
4834
4835 releasef(fd);
4836
4837 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4838
4839 if (add_sock_token == 0) {
4840 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4841 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4842 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4843 return;
4844 }
4845
4846 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4847
4848 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4849
4850 }
4851
4852 /*
4853 * XXX socket(2) may be equivalent to open(2) on a unix domain
4854 * socket. This needs investigation.
4855 */
4856
4857 /*ARGSUSED*/
4858 static void
4859 aus_socket(struct t_audit_data *tad)
4860 {
4861 struct a {
4862 long domain;
4863 long type;
4864 long protocol;
4865 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4866
4867 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4868 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4869 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4870 }
4871
4872 /*ARGSUSED*/
4873 static void
4874 aus_sigqueue(struct t_audit_data *tad)
4875 {
4876 struct a {
4877 long pid;
4878 long signo;
4879 long *val;
4880 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4881 struct proc *p;
4882 uid_t uid, ruid;
4883 gid_t gid, rgid;
4884 pid_t pid;
4885 const auditinfo_addr_t *ainfo;
4886 cred_t *cr;
4887
4888 pid = (pid_t)uap->pid;
4889
4890 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4891 if (pid > 0) {
4892 mutex_enter(&pidlock);
4893 if ((p = prfind(pid)) == (struct proc *)0) {
4894 mutex_exit(&pidlock);
4895 return;
4896 }
4897 mutex_enter(&p->p_lock); /* so process doesn't go away */
4898 mutex_exit(&pidlock);
4899
4900 mutex_enter(&p->p_crlock);
4901 crhold(cr = p->p_cred);
4902 mutex_exit(&p->p_crlock);
4903 mutex_exit(&p->p_lock);
4904
4905 ainfo = crgetauinfo(cr);
4906 if (ainfo == NULL) {
4907 crfree(cr);
4908 return;
4909 }
4910
4911 uid = crgetuid(cr);
4912 gid = crgetgid(cr);
4913 ruid = crgetruid(cr);
4914 rgid = crgetrgid(cr);
4915 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4916 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4917 crfree(cr);
4918 }
4919 else
4920 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4921 }
4922
4923 /*ARGSUSED*/
4924 static void
4925 aus_inst_sync(struct t_audit_data *tad)
4926 {
4927 struct a {
4928 long name; /* char */
4929 long flags;
4930 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4931
4932 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4933 }
4934
4935 /*ARGSUSED*/
4936 static void
4937 aus_brandsys(struct t_audit_data *tad)
4938 {
4939 klwp_t *clwp = ttolwp(curthread);
4940
4941 struct a {
4942 long cmd;
4943 long arg1;
4944 long arg2;
4945 long arg3;
4946 long arg4;
4947 long arg5;
4948 long arg6;
4949 } *uap = (struct a *)clwp->lwp_ap;
4950
4951 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4952 #ifdef _LP64
4953 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4954 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4955 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4956 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4957 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4958 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4959 #else
4960 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4961 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4962 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4963 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4964 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4965 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4966 #endif
4967 }
4968
4969 /*ARGSUSED*/
4970 static void
4971 aus_p_online(struct t_audit_data *tad)
4972 {
4973 struct a {
4974 long processor_id;
4975 long flag;
4976 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4977
4978 struct flags {
4979 int flag;
4980 char *cflag;
4981 } aflags[6] = {
4982 { P_ONLINE, "P_ONLINE"},
4983 { P_OFFLINE, "P_OFFLINE"},
4984 { P_NOINTR, "P_NOINTR"},
4985 { P_SPARE, "P_SPARE"},
4986 { P_FAULTED, "P_FAULTED"},
4987 { P_STATUS, "P_STATUS"}
4988 };
4989 int i;
4990 char *cflag;
4991
4992 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4993 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4994
4995 for (i = 0; i < 6; i++) {
4996 if (aflags[i].flag == uap->flag)
4997 break;
4998 }
4999 cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5000
5001 au_uwrite(au_to_text(cflag));
5002 }
5003
5004 /*ARGSUSED*/
5005 static void
5006 aus_processor_bind(struct t_audit_data *tad)
5007 {
5008 struct a {
5009 long id_type;
5010 long id;
5011 long processor_id;
5012 long obind;
5013 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5014
5015 struct proc *p;
5016 int lwpcnt;
5017 uid_t uid, ruid;
5018 gid_t gid, rgid;
5019 pid_t pid;
5020 const auditinfo_addr_t *ainfo;
5021 cred_t *cr;
5022
5023 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5024 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5025 if (uap->processor_id == PBIND_NONE)
5026 au_uwrite(au_to_text("PBIND_NONE"));
5027 else
5028 au_uwrite(au_to_arg32(3, "processor_id",
5029 (uint32_t)uap->processor_id));
5030
5031 switch (uap->id_type) {
5032 case P_MYID:
5033 case P_LWPID:
5034 mutex_enter(&pidlock);
5035 p = ttoproc(curthread);
5036 if (p == NULL || p->p_as == &kas) {
5037 mutex_exit(&pidlock);
5038 return;
5039 }
5040 mutex_enter(&p->p_lock);
5041 mutex_exit(&pidlock);
5042 lwpcnt = p->p_lwpcnt;
5043 pid = p->p_pid;
5044
5045 mutex_enter(&p->p_crlock);
5046 crhold(cr = p->p_cred);
5047 mutex_exit(&p->p_crlock);
5048 mutex_exit(&p->p_lock);
5049
5050 ainfo = crgetauinfo(cr);
5051 if (ainfo == NULL) {
5052 crfree(cr);
5053 return;
5054 }
5055
5056 uid = crgetuid(cr);
5057 gid = crgetgid(cr);
5058 ruid = crgetruid(cr);
5059 rgid = crgetrgid(cr);
5060 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5061 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5062 crfree(cr);
5063 break;
5064 case P_PID:
5065 mutex_enter(&pidlock);
5066 p = prfind(uap->id);
5067 if (p == NULL || p->p_as == &kas) {
5068 mutex_exit(&pidlock);
5069 return;
5070 }
5071 mutex_enter(&p->p_lock);
5072 mutex_exit(&pidlock);
5073 lwpcnt = p->p_lwpcnt;
5074 pid = p->p_pid;
5075
5076 mutex_enter(&p->p_crlock);
5077 crhold(cr = p->p_cred);
5078 mutex_exit(&p->p_crlock);
5079 mutex_exit(&p->p_lock);
5080
5081 ainfo = crgetauinfo(cr);
5082 if (ainfo == NULL) {
5083 crfree(cr);
5084 return;
5085 }
5086
5087 uid = crgetuid(cr);
5088 gid = crgetgid(cr);
5089 ruid = crgetruid(cr);
5090 rgid = crgetrgid(cr);
5091 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5092 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5093 crfree(cr);
5094
5095 break;
5096 default:
5097 return;
5098 }
5099
5100 if (uap->processor_id == PBIND_NONE &&
5101 (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5102 au_uwrite(au_to_text("PBIND_NONE for process"));
5103 else
5104 au_uwrite(au_to_arg32(3, "processor_id",
5105 (uint32_t)uap->processor_id));
5106 }
5107
5108 /*ARGSUSED*/
5109 static au_event_t
5110 aui_doorfs(au_event_t e)
5111 {
5112 uint32_t code;
5113
5114 struct a { /* doorfs */
5115 long a1;
5116 long a2;
5117 long a3;
5118 long a4;
5119 long a5;
5120 long code;
5121 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5122
5123 /*
5124 * audit formats for several of the
5125 * door calls have not yet been determined
5126 */
5127 code = (uint32_t)uap->code;
5128 switch (code) {
5129 case DOOR_CALL:
5130 e = AUE_DOORFS_DOOR_CALL;
5131 break;
5132 case DOOR_RETURN:
5133 e = AUE_NULL;
5134 break;
5135 case DOOR_CREATE:
5136 e = AUE_DOORFS_DOOR_CREATE;
5137 break;
5138 case DOOR_REVOKE:
5139 e = AUE_DOORFS_DOOR_REVOKE;
5140 break;
5141 case DOOR_INFO:
5142 e = AUE_NULL;
5143 break;
5144 case DOOR_UCRED:
5145 e = AUE_NULL;
5146 break;
5147 case DOOR_BIND:
5148 e = AUE_NULL;
5149 break;
5150 case DOOR_UNBIND:
5151 e = AUE_NULL;
5152 break;
5153 case DOOR_GETPARAM:
5154 e = AUE_NULL;
5155 break;
5156 case DOOR_SETPARAM:
5157 e = AUE_NULL;
5158 break;
5159 default: /* illegal system call */
5160 e = AUE_NULL;
5161 break;
5162 }
5163
5164 return (e);
5165 }
5166
5167 static door_node_t *
5168 au_door_lookup(int did)
5169 {
5170 vnode_t *vp;
5171 file_t *fp;
5172
5173 if ((fp = getf(did)) == NULL)
5174 return (NULL);
5175 /*
5176 * Use the underlying vnode (we may be namefs mounted)
5177 */
5178 if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5179 vp = fp->f_vnode;
5180
5181 if (vp == NULL || vp->v_type != VDOOR) {
5182 releasef(did);
5183 return (NULL);
5184 }
5185
5186 return (VTOD(vp));
5187 }
5188
5189 /*ARGSUSED*/
5190 static void
5191 aus_doorfs(struct t_audit_data *tad)
5192 {
5193
5194 struct a { /* doorfs */
5195 long a1;
5196 long a2;
5197 long a3;
5198 long a4;
5199 long a5;
5200 long code;
5201 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5202
5203 door_node_t *dp;
5204 struct proc *p;
5205 uint32_t did;
5206 uid_t uid, ruid;
5207 gid_t gid, rgid;
5208 pid_t pid;
5209 const auditinfo_addr_t *ainfo;
5210 cred_t *cr;
5211
5212 did = (uint32_t)uap->a1;
5213
5214 switch (tad->tad_event) {
5215 case AUE_DOORFS_DOOR_CALL:
5216 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5217 if ((dp = au_door_lookup(did)) == NULL)
5218 break;
5219
5220 if (DOOR_INVALID(dp)) {
5221 releasef(did);
5222 break;
5223 }
5224
5225 if ((p = dp->door_target) == NULL) {
5226 releasef(did);
5227 break;
5228 }
5229 mutex_enter(&p->p_lock);
5230 releasef(did);
5231
5232 pid = p->p_pid;
5233
5234 mutex_enter(&p->p_crlock);
5235 crhold(cr = p->p_cred);
5236 mutex_exit(&p->p_crlock);
5237 mutex_exit(&p->p_lock);
5238
5239 ainfo = crgetauinfo(cr);
5240 if (ainfo == NULL) {
5241 crfree(cr);
5242 return;
5243 }
5244 uid = crgetuid(cr);
5245 gid = crgetgid(cr);
5246 ruid = crgetruid(cr);
5247 rgid = crgetrgid(cr);
5248 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5249 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5250 crfree(cr);
5251 break;
5252 case AUE_DOORFS_DOOR_RETURN:
5253 /*
5254 * We may want to write information about
5255 * all doors (if any) which will be copied
5256 * by this call to the user space
5257 */
5258 break;
5259 case AUE_DOORFS_DOOR_CREATE:
5260 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5261 break;
5262 case AUE_DOORFS_DOOR_REVOKE:
5263 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5264 break;
5265 case AUE_DOORFS_DOOR_INFO:
5266 break;
5267 case AUE_DOORFS_DOOR_CRED:
5268 break;
5269 case AUE_DOORFS_DOOR_BIND:
5270 break;
5271 case AUE_DOORFS_DOOR_UNBIND: {
5272 break;
5273 }
5274 default: /* illegal system call */
5275 break;
5276 }
5277 }
5278
5279 /*ARGSUSED*/
5280 static au_event_t
5281 aui_acl(au_event_t e)
5282 {
5283 struct a {
5284 union {
5285 long name; /* char */
5286 long fd;
5287 } obj;
5288
5289 long cmd;
5290 long nentries;
5291 long arg; /* aclent_t */
5292 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5293
5294 switch (uap->cmd) {
5295 case SETACL:
5296 case ACE_SETACL:
5297 /*
5298 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5299 * are expected.
5300 */
5301 break;
5302 case GETACL:
5303 case GETACLCNT:
5304 case ACE_GETACL:
5305 case ACE_GETACLCNT:
5306 /* do nothing for these four values. */
5307 e = AUE_NULL;
5308 break;
5309 default:
5310 /* illegal system call */
5311 break;
5312 }
5313
5314 return (e);
5315 }
5316
5317 static void
5318 au_acl(int cmd, int nentries, caddr_t bufp)
5319 {
5320 size_t a_size;
5321 aclent_t *aclbufp;
5322 ace_t *acebufp;
5323 int i;
5324
5325 switch (cmd) {
5326 case GETACL:
5327 case GETACLCNT:
5328 break;
5329 case SETACL:
5330 if (nentries < 3)
5331 break;
5332
5333 a_size = nentries * sizeof (aclent_t);
5334
5335 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5336 break;
5337 if (copyin(bufp, aclbufp, a_size)) {
5338 kmem_free(aclbufp, a_size);
5339 break;
5340 }
5341 for (i = 0; i < nentries; i++) {
5342 au_uwrite(au_to_acl(aclbufp + i));
5343 }
5344 kmem_free(aclbufp, a_size);
5345 break;
5346
5347 case ACE_SETACL:
5348 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5349 break;
5350
5351 a_size = nentries * sizeof (ace_t);
5352 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5353 break;
5354 if (copyin(bufp, acebufp, a_size)) {
5355 kmem_free(acebufp, a_size);
5356 break;
5357 }
5358 for (i = 0; i < nentries; i++) {
5359 au_uwrite(au_to_ace(acebufp + i));
5360 }
5361 kmem_free(acebufp, a_size);
5362 break;
5363 default:
5364 break;
5365 }
5366 }
5367
5368 /*ARGSUSED*/
5369 static void
5370 aus_acl(struct t_audit_data *tad)
5371 {
5372 struct a {
5373 long fname;
5374 long cmd;
5375 long nentries;
5376 long aclbufp;
5377 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5378
5379 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5380 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5381
5382 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5383 }
5384
5385 /*ARGSUSED*/
5386 static void
5387 aus_facl(struct t_audit_data *tad)
5388 {
5389 struct a {
5390 long fd;
5391 long cmd;
5392 long nentries;
5393 long aclbufp;
5394 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5395 struct file *fp;
5396 struct vnode *vp;
5397 struct f_audit_data *fad;
5398 int fd;
5399
5400 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5401 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5402
5403 fd = (int)uap->fd;
5404
5405 if ((fp = getf(fd)) == NULL)
5406 return;
5407
5408 /* get path from file struct here */
5409 fad = F2A(fp);
5410 if (fad->fad_aupath != NULL) {
5411 au_uwrite(au_to_path(fad->fad_aupath));
5412 } else {
5413 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5414 }
5415
5416 vp = fp->f_vnode;
5417 audit_attributes(vp);
5418
5419 /* decrement file descriptor reference count */
5420 releasef(fd);
5421
5422 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5423 }
5424
5425 /*ARGSUSED*/
5426 static void
5427 auf_read(tad, error, rval)
5428 struct t_audit_data *tad;
5429 int error;
5430 rval_t *rval;
5431 {
5432 struct file *fp;
5433 struct f_audit_data *fad;
5434 int fd;
5435 register struct a {
5436 long fd;
5437 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5438 au_kcontext_t *kctx = GET_KCTX_PZ;
5439
5440 fd = (int)uap->fd;
5441
5442 /*
5443 * convert file pointer to file descriptor
5444 * Note: fd ref count incremented here.
5445 */
5446 if ((fp = getf(fd)) == NULL)
5447 return;
5448
5449 /* get path from file struct here */
5450 fad = F2A(fp);
5451 ASSERT(fad);
5452
5453 /*
5454 * already processed this file for read attempt
5455 *
5456 * XXX might be better to turn off auditing in a aui_read() routine.
5457 */
5458 if (fad->fad_flags & FAD_READ) {
5459 /* don't really want to audit every read attempt */
5460 tad->tad_flag = 0;
5461 /* free any residual audit data */
5462 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5463 releasef(fd);
5464 return;
5465 }
5466 /* mark things so we know what happened and don't repeat things */
5467 fad->fad_flags |= FAD_READ;
5468
5469 if (fad->fad_aupath != NULL) {
5470 au_uwrite(au_to_path(fad->fad_aupath));
5471 } else {
5472 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5473 }
5474
5475 /* include attributes */
5476 audit_attributes(fp->f_vnode);
5477
5478 /* decrement file descriptor reference count */
5479 releasef(fd);
5480 }
5481
5482 /*ARGSUSED*/
5483 static void
5484 auf_write(tad, error, rval)
5485 struct t_audit_data *tad;
5486 int error;
5487 rval_t *rval;
5488 {
5489 struct file *fp;
5490 struct f_audit_data *fad;
5491 int fd;
5492 register struct a {
5493 long fd;
5494 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5495 au_kcontext_t *kctx = GET_KCTX_PZ;
5496
5497 fd = (int)uap->fd;
5498
5499 /*
5500 * convert file pointer to file descriptor
5501 * Note: fd ref count incremented here.
5502 */
5503 if ((fp = getf(fd)) == NULL)
5504 return;
5505
5506 /* get path from file struct here */
5507 fad = F2A(fp);
5508 ASSERT(fad);
5509
5510 /*
5511 * already processed this file for write attempt
5512 *
5513 * XXX might be better to turn off auditing in a aus_write() routine.
5514 */
5515 if (fad->fad_flags & FAD_WRITE) {
5516 /* don't really want to audit every write attempt */
5517 tad->tad_flag = 0;
5518 /* free any residual audit data */
5519 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5520 releasef(fd);
5521 return;
5522 }
5523 /* mark things so we know what happened and don't repeat things */
5524 fad->fad_flags |= FAD_WRITE;
5525
5526 if (fad->fad_aupath != NULL) {
5527 au_uwrite(au_to_path(fad->fad_aupath));
5528 } else {
5529 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5530 }
5531
5532 /* include attributes */
5533 audit_attributes(fp->f_vnode);
5534
5535 /* decrement file descriptor reference count */
5536 releasef(fd);
5537 }
5538
5539 /*ARGSUSED*/
5540 static void
5541 auf_recv(tad, error, rval)
5542 struct t_audit_data *tad;
5543 int error;
5544 rval_t *rval;
5545 {
5546 struct sonode *so;
5547 char so_laddr[sizeof (struct sockaddr_in6)];
5548 char so_faddr[sizeof (struct sockaddr_in6)];
5549 struct file *fp;
5550 struct f_audit_data *fad;
5551 int fd;
5552 int err;
5553 socklen_t len;
5554 short so_family, so_type;
5555 register struct a {
5556 long fd;
5557 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5558 au_kcontext_t *kctx = GET_KCTX_PZ;
5559
5560 /*
5561 * If there was an error, then nothing to do. Only generate
5562 * audit record on first successful recv.
5563 */
5564 if (error) {
5565 /* Turn off audit record generation here. */
5566 tad->tad_flag = 0;
5567 /* free any residual audit data */
5568 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5569 return;
5570 }
5571
5572 fd = (int)uap->fd;
5573
5574 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5575 /* Turn off audit record generation here. */
5576 tad->tad_flag = 0;
5577 /* free any residual audit data */
5578 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5579 return;
5580 }
5581
5582 /* get path from file struct here */
5583 fad = F2A(fp);
5584 ASSERT(fad);
5585
5586 /*
5587 * already processed this file for read attempt
5588 */
5589 if (fad->fad_flags & FAD_READ) {
5590 releasef(fd);
5591 /* don't really want to audit every recv call */
5592 tad->tad_flag = 0;
5593 /* free any residual audit data */
5594 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5595 return;
5596 }
5597
5598 /* mark things so we know what happened and don't repeat things */
5599 fad->fad_flags |= FAD_READ;
5600
5601 so_family = so->so_family;
5602 so_type = so->so_type;
5603
5604 switch (so_family) {
5605 case AF_INET:
5606 case AF_INET6:
5607 /*
5608 * Only for connections.
5609 * XXX - do we need to worry about SOCK_DGRAM or other types???
5610 */
5611 if (so->so_state & SS_ISBOUND) {
5612
5613 bzero((void *)so_laddr, sizeof (so_laddr));
5614 bzero((void *)so_faddr, sizeof (so_faddr));
5615
5616 /* get local and foreign addresses */
5617 len = sizeof (so_laddr);
5618 (void) socket_getsockname(so,
5619 (struct sockaddr *)so_laddr, &len, CRED());
5620 len = sizeof (so_faddr);
5621 (void) socket_getpeername(so,
5622 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5623
5624 /*
5625 * only way to drop out of switch. Note that we
5626 * we release fd below.
5627 */
5628
5629 break;
5630 }
5631
5632 releasef(fd);
5633
5634 /* don't really want to audit every recv call */
5635 tad->tad_flag = 0;
5636 /* free any residual audit data */
5637 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5638
5639 return;
5640
5641 case AF_UNIX:
5642
5643 if (fad->fad_aupath != NULL) {
5644 au_uwrite(au_to_path(fad->fad_aupath));
5645 } else {
5646 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5647 }
5648
5649 audit_attributes(fp->f_vnode);
5650
5651 releasef(fd);
5652
5653 return;
5654
5655 default:
5656 releasef(fd);
5657
5658 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5659 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5660 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5661
5662 return;
5663 }
5664
5665 releasef(fd);
5666
5667 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5668
5669 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5670
5671 }
5672
5673 /*ARGSUSED*/
5674 static void
5675 auf_send(tad, error, rval)
5676 struct t_audit_data *tad;
5677 int error;
5678 rval_t *rval;
5679 {
5680 struct sonode *so;
5681 char so_laddr[sizeof (struct sockaddr_in6)];
5682 char so_faddr[sizeof (struct sockaddr_in6)];
5683 struct file *fp;
5684 struct f_audit_data *fad;
5685 int fd;
5686 int err;
5687 socklen_t len;
5688 short so_family, so_type;
5689 register struct a {
5690 long fd;
5691 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5692 au_kcontext_t *kctx = GET_KCTX_PZ;
5693
5694 fd = (int)uap->fd;
5695
5696 /*
5697 * If there was an error, then nothing to do. Only generate
5698 * audit record on first successful send.
5699 */
5700 if (error != 0) {
5701 /* Turn off audit record generation here. */
5702 tad->tad_flag = 0;
5703 /* free any residual audit data */
5704 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5705 return;
5706 }
5707
5708 fd = (int)uap->fd;
5709
5710 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5711 /* Turn off audit record generation here. */
5712 tad->tad_flag = 0;
5713 /* free any residual audit data */
5714 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5715 return;
5716 }
5717
5718 /* get path from file struct here */
5719 fad = F2A(fp);
5720 ASSERT(fad);
5721
5722 /*
5723 * already processed this file for write attempt
5724 */
5725 if (fad->fad_flags & FAD_WRITE) {
5726 releasef(fd);
5727 /* don't really want to audit every send call */
5728 tad->tad_flag = 0;
5729 /* free any residual audit data */
5730 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5731 return;
5732 }
5733
5734 /* mark things so we know what happened and don't repeat things */
5735 fad->fad_flags |= FAD_WRITE;
5736
5737 so_family = so->so_family;
5738 so_type = so->so_type;
5739
5740 switch (so_family) {
5741 case AF_INET:
5742 case AF_INET6:
5743 /*
5744 * Only for connections.
5745 * XXX - do we need to worry about SOCK_DGRAM or other types???
5746 */
5747 if (so->so_state & SS_ISBOUND) {
5748
5749 bzero((void *)so_laddr, sizeof (so_laddr));
5750 bzero((void *)so_faddr, sizeof (so_faddr));
5751
5752 /* get local and foreign addresses */
5753 len = sizeof (so_laddr);
5754 (void) socket_getsockname(so,
5755 (struct sockaddr *)so_laddr, &len, CRED());
5756 len = sizeof (so_faddr);
5757 (void) socket_getpeername(so,
5758 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5759
5760 /*
5761 * only way to drop out of switch. Note that we
5762 * we release fd below.
5763 */
5764
5765 break;
5766 }
5767
5768 releasef(fd);
5769 /* don't really want to audit every send call */
5770 tad->tad_flag = 0;
5771 /* free any residual audit data */
5772 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5773
5774 return;
5775
5776 case AF_UNIX:
5777
5778 if (fad->fad_aupath != NULL) {
5779 au_uwrite(au_to_path(fad->fad_aupath));
5780 } else {
5781 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5782 }
5783
5784 audit_attributes(fp->f_vnode);
5785
5786 releasef(fd);
5787
5788 return;
5789
5790 default:
5791 releasef(fd);
5792
5793 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5794 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5795 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5796
5797 return;
5798 }
5799
5800 releasef(fd);
5801
5802 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5803
5804 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5805 }
5806
5807 static au_event_t
5808 aui_forksys(au_event_t e)
5809 {
5810 struct a {
5811 long subcode;
5812 long flags;
5813 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5814
5815 switch ((uint_t)uap->subcode) {
5816 case 0:
5817 e = AUE_FORK1;
5818 break;
5819 case 1:
5820 e = AUE_FORKALL;
5821 break;
5822 case 2:
5823 e = AUE_VFORK;
5824 break;
5825 default:
5826 e = AUE_NULL;
5827 break;
5828 }
5829
5830 return (e);
5831 }
5832
5833 /*ARGSUSED*/
5834 static au_event_t
5835 aui_portfs(au_event_t e)
5836 {
5837 struct a { /* portfs */
5838 long a1;
5839 long a2;
5840 long a3;
5841 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5842
5843 /*
5844 * check opcode
5845 */
5846 switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5847 case PORT_ASSOCIATE:
5848 /* check source */
5849 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5850 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5851 e = AUE_PORTFS_ASSOCIATE;
5852 } else {
5853 e = AUE_NULL;
5854 }
5855 break;
5856 case PORT_DISSOCIATE:
5857 /* check source */
5858 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5859 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5860 e = AUE_PORTFS_DISSOCIATE;
5861 } else {
5862 e = AUE_NULL;
5863 }
5864 break;
5865 default:
5866 e = AUE_NULL;
5867 }
5868 return (e);
5869 }