1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
  25  * Copyright (c) 2018, Joyent, Inc.
  26  */
  27 
  28 /*
  29  * This file contains the audit event table used to control the production
  30  * of audit records for each system call.
  31  */
  32 
  33 #include <sys/policy.h>
  34 #include <sys/cred.h>
  35 #include <sys/types.h>
  36 #include <sys/systm.h>
  37 #include <sys/systeminfo.h>       /* for sysinfo auditing */
  38 #include <sys/utsname.h>  /* for sysinfo auditing */
  39 #include <sys/proc.h>
  40 #include <sys/vnode.h>
  41 #include <sys/mman.h>             /* for mmap(2) auditing etc. */
  42 #include <sys/fcntl.h>
  43 #include <sys/modctl.h>           /* for modctl auditing */
  44 #include <sys/vnode.h>
  45 #include <sys/user.h>
  46 #include <sys/types.h>
  47 #include <sys/processor.h>
  48 #include <sys/procset.h>
  49 #include <sys/acl.h>
  50 #include <sys/ipc.h>
  51 #include <sys/door.h>
  52 #include <sys/sem.h>
  53 #include <sys/msg.h>
  54 #include <sys/shm.h>
  55 #include <sys/kmem.h>
  56 #include <sys/file.h>             /* for accept */
  57 #include <sys/utssys.h>           /* for fuser */
  58 #include <sys/tsol/label.h>
  59 #include <sys/tsol/tndb.h>
  60 #include <sys/tsol/tsyscall.h>
  61 #include <c2/audit.h>
  62 #include <c2/audit_kernel.h>
  63 #include <c2/audit_kevents.h>
  64 #include <c2/audit_record.h>
  65 #include <sys/procset.h>
  66 #include <nfs/mount.h>
  67 #include <sys/param.h>
  68 #include <sys/debug.h>
  69 #include <sys/sysmacros.h>
  70 #include <sys/stream.h>
  71 #include <sys/strsubr.h>
  72 #include <sys/stropts.h>
  73 #include <sys/tihdr.h>
  74 #include <sys/socket.h>
  75 #include <sys/socketvar.h>
  76 #include <sys/vfs_opreg.h>
  77 #include <fs/sockfs/sockcommon.h>
  78 #include <netinet/in.h>
  79 #include <sys/ddi.h>
  80 #include <sys/port_impl.h>
  81 #include <sys/secflags.h>
  82 
  83 static au_event_t       aui_fchownat(au_event_t);
  84 static au_event_t       aui_fchmodat(au_event_t);
  85 static au_event_t       aui_open(au_event_t);
  86 static au_event_t       aui_openat(au_event_t);
  87 static au_event_t       aui_unlinkat(au_event_t);
  88 static au_event_t       aui_fstatat(au_event_t);
  89 static au_event_t       aui_msgsys(au_event_t);
  90 static au_event_t       aui_shmsys(au_event_t);
  91 static au_event_t       aui_semsys(au_event_t);
  92 static au_event_t       aui_utssys(au_event_t);
  93 static au_event_t       aui_fcntl(au_event_t);
  94 static au_event_t       aui_execve(au_event_t);
  95 static au_event_t       aui_memcntl(au_event_t);
  96 static au_event_t       aui_sysinfo(au_event_t);
  97 static au_event_t       aui_portfs(au_event_t);
  98 static au_event_t       aui_auditsys(au_event_t);
  99 static au_event_t       aui_modctl(au_event_t);
 100 static au_event_t       aui_acl(au_event_t);
 101 static au_event_t       aui_doorfs(au_event_t);
 102 static au_event_t       aui_privsys(au_event_t);
 103 static au_event_t       aui_forksys(au_event_t);
 104 static au_event_t       aui_labelsys(au_event_t);
 105 static au_event_t       aui_setpgrp(au_event_t);
 106 
 107 
 108 static void     aus_exit(struct t_audit_data *);
 109 static void     aus_open(struct t_audit_data *);
 110 static void     aus_openat(struct t_audit_data *);
 111 static void     aus_acl(struct t_audit_data *);
 112 static void     aus_acct(struct t_audit_data *);
 113 static void     aus_chown(struct t_audit_data *);
 114 static void     aus_fchown(struct t_audit_data *);
 115 static void     aus_lchown(struct t_audit_data *);
 116 static void     aus_fchownat(struct t_audit_data *);
 117 static void     aus_chmod(struct t_audit_data *);
 118 static void     aus_facl(struct t_audit_data *);
 119 static void     aus_fchmod(struct t_audit_data *);
 120 static void     aus_fchmodat(struct t_audit_data *);
 121 static void     aus_fcntl(struct t_audit_data *);
 122 static void     aus_mkdir(struct t_audit_data *);
 123 static void     aus_mkdirat(struct t_audit_data *);
 124 static void     aus_mknod(struct t_audit_data *);
 125 static void     aus_mknodat(struct t_audit_data *);
 126 static void     aus_mount(struct t_audit_data *);
 127 static void     aus_umount2(struct t_audit_data *);
 128 static void     aus_msgsys(struct t_audit_data *);
 129 static void     aus_semsys(struct t_audit_data *);
 130 static void     aus_close(struct t_audit_data *);
 131 static void     aus_fstatfs(struct t_audit_data *);
 132 static void     aus_setgid(struct t_audit_data *);
 133 static void     aus_setpgrp(struct t_audit_data *);
 134 static void     aus_setuid(struct t_audit_data *);
 135 static void     aus_shmsys(struct t_audit_data *);
 136 static void     aus_doorfs(struct t_audit_data *);
 137 static void     aus_ioctl(struct t_audit_data *);
 138 static void     aus_memcntl(struct t_audit_data *);
 139 static void     aus_mmap(struct t_audit_data *);
 140 static void     aus_munmap(struct t_audit_data *);
 141 static void     aus_priocntlsys(struct t_audit_data *);
 142 static void     aus_setegid(struct t_audit_data *);
 143 static void     aus_setgroups(struct t_audit_data *);
 144 static void     aus_seteuid(struct t_audit_data *);
 145 static void     aus_putmsg(struct t_audit_data *);
 146 static void     aus_putpmsg(struct t_audit_data *);
 147 static void     aus_getmsg(struct t_audit_data *);
 148 static void     aus_getpmsg(struct t_audit_data *);
 149 static void     aus_auditsys(struct t_audit_data *);
 150 static void     aus_sysinfo(struct t_audit_data *);
 151 static void     aus_modctl(struct t_audit_data *);
 152 static void     aus_kill(struct t_audit_data *);
 153 static void     aus_setregid(struct t_audit_data *);
 154 static void     aus_setreuid(struct t_audit_data *);
 155 static void     aus_labelsys(struct t_audit_data *);
 156 
 157 static void     auf_mknod(struct t_audit_data *, int, rval_t *);
 158 static void     auf_mknodat(struct t_audit_data *, int, rval_t *);
 159 static void     auf_msgsys(struct t_audit_data *, int, rval_t *);
 160 static void     auf_semsys(struct t_audit_data *, int, rval_t *);
 161 static void     auf_shmsys(struct t_audit_data *, int, rval_t *);
 162 static void     auf_read(struct t_audit_data *, int, rval_t *);
 163 static void     auf_write(struct t_audit_data *, int, rval_t *);
 164 
 165 static void     aus_sigqueue(struct t_audit_data *);
 166 static void     aus_p_online(struct t_audit_data *);
 167 static void     aus_processor_bind(struct t_audit_data *);
 168 static void     aus_inst_sync(struct t_audit_data *);
 169 static void     aus_brandsys(struct t_audit_data *);
 170 
 171 static void     auf_accept(struct t_audit_data *, int, rval_t *);
 172 
 173 static void     auf_bind(struct t_audit_data *, int, rval_t *);
 174 static void     auf_connect(struct t_audit_data *, int, rval_t *);
 175 static void     aus_shutdown(struct t_audit_data *);
 176 static void     auf_setsockopt(struct t_audit_data *, int, rval_t *);
 177 static void     aus_sockconfig(struct t_audit_data *);
 178 static void     auf_recv(struct t_audit_data *, int, rval_t *);
 179 static void     auf_recvmsg(struct t_audit_data *, int, rval_t *);
 180 static void     auf_send(struct t_audit_data *, int, rval_t *);
 181 static void     auf_sendmsg(struct t_audit_data *, int, rval_t *);
 182 static void     auf_recvfrom(struct t_audit_data *, int, rval_t *);
 183 static void     auf_sendto(struct t_audit_data *, int, rval_t *);
 184 static void     aus_socket(struct t_audit_data *);
 185 /*
 186  * This table contains mapping information for converting system call numbers
 187  * to audit event IDs. In several cases it is necessary to map a single system
 188  * call to several events.
 189  */
 190 
 191 #define aui_null        NULL    /* NULL initialize function */
 192 #define aus_null        NULL    /* NULL start function */
 193 #define auf_null        NULL    /* NULL finish function */
 194 
 195 struct audit_s2e audit_s2e[] =
 196 {
 197 /*
 198  * ----------   ----------      ----------      ----------
 199  * INITIAL      AUDIT           START           SYSTEM
 200  * PROCESSING   EVENT           PROCESSING      CALL
 201  * ----------   ----------      ----------      -----------
 202  *              FINISH          EVENT
 203  *              PROCESSING      CONTROL
 204  * ----------------------------------------------------------
 205  */
 206 aui_null,       AUE_NULL,       aus_null,       /* 0 unused (indirect) */
 207                 auf_null,       0,
 208 aui_null,       AUE_EXIT,       aus_exit,       /* 1 exit */
 209                 auf_null,       S2E_NPT,
 210 aui_null,       AUE_PSECFLAGS,  aus_null,       /* 2 psecflags */
 211                 auf_null,       0,
 212 aui_null,       AUE_READ,       aus_null,       /* 3 read */
 213                 auf_read,       S2E_PUB,
 214 aui_null,       AUE_WRITE,      aus_null,       /* 4 write */
 215                 auf_write,      0,
 216 aui_open,       AUE_OPEN,       aus_open,       /* 5 open */
 217                 auf_null,       S2E_SP,
 218 aui_null,       AUE_CLOSE,      aus_close,      /* 6 close */
 219                 auf_null,       0,
 220 aui_null,       AUE_LINK,       aus_null,       /* 7 linkat */
 221                 auf_null,       0,
 222 aui_null,       AUE_NULL,       aus_null,       /* 8 (loadable) was creat */
 223                 auf_null,       0,
 224 aui_null,       AUE_LINK,       aus_null,       /* 9 link */
 225                 auf_null,       0,
 226 aui_null,       AUE_UNLINK,     aus_null,       /* 10 unlink */
 227                 auf_null,       0,
 228 aui_null,       AUE_SYMLINK,    aus_null,       /* 11 symlinkat */
 229                 auf_null,       0,
 230 aui_null,       AUE_CHDIR,      aus_null,       /* 12 chdir */
 231                 auf_null,       S2E_SP,
 232 aui_null,       AUE_NULL,       aus_null,       /* 13 time */
 233                 auf_null,       0,
 234 aui_null,       AUE_MKNOD,      aus_mknod,      /* 14 mknod */
 235                 auf_mknod,      S2E_MLD,
 236 aui_null,       AUE_CHMOD,      aus_chmod,      /* 15 chmod */
 237                 auf_null,       0,
 238 aui_null,       AUE_CHOWN,      aus_chown,      /* 16 chown */
 239                 auf_null,       0,
 240 aui_null,       AUE_NULL,       aus_null,       /* 17 brk */
 241                 auf_null,       0,
 242 aui_null,       AUE_STAT,       aus_null,       /* 18 stat */
 243                 auf_null,       S2E_PUB,
 244 aui_null,       AUE_NULL,       aus_null,       /* 19 lseek */
 245                 auf_null,       0,
 246 aui_null,       AUE_NULL,       aus_null,       /* 20 getpid */
 247                 auf_null,       0,
 248 aui_null,       AUE_MOUNT,      aus_mount,      /* 21 mount */
 249                 auf_null,       S2E_MLD,
 250 aui_null,       AUE_READLINK,   aus_null,       /* 22 readlinkat */
 251                 auf_null,       S2E_PUB,
 252 aui_null,       AUE_SETUID,     aus_setuid,     /* 23 setuid */
 253                 auf_null,       0,
 254 aui_null,       AUE_NULL,       aus_null,       /* 24 getuid */
 255                 auf_null,       0,
 256 aui_null,       AUE_STIME,      aus_null,       /* 25 stime */
 257                 auf_null,       0,
 258 aui_null,       AUE_NULL,       aus_null,       /* 26 pcsample */
 259                 auf_null,       0,
 260 aui_null,       AUE_NULL,       aus_null,       /* 27 alarm */
 261                 auf_null,       0,
 262 aui_null,       AUE_NULL,       aus_null,       /* 28 fstat */
 263                 auf_null,       0,
 264 aui_null,       AUE_NULL,       aus_null,       /* 29 pause */
 265                 auf_null,       0,
 266 aui_null,       AUE_NULL,       aus_null,       /* 30 (loadable) was utime */
 267                 auf_null,       0,
 268 aui_null,       AUE_NULL,       aus_null,       /* 31 stty (TIOCSETP-audit?) */
 269                 auf_null,       0,
 270 aui_null,       AUE_NULL,       aus_null,       /* 32 gtty */
 271                 auf_null,       0,
 272 aui_null,       AUE_ACCESS,     aus_null,       /* 33 access */
 273                 auf_null,       S2E_PUB,
 274 aui_null,       AUE_NICE,       aus_null,       /* 34 nice */
 275                 auf_null,       0,
 276 aui_null,       AUE_STATFS,     aus_null,       /* 35 statfs */
 277                 auf_null,       S2E_PUB,
 278 aui_null,       AUE_NULL,       aus_null,       /* 36 sync */
 279                 auf_null,       0,
 280 aui_null,       AUE_KILL,       aus_kill,       /* 37 kill */
 281                 auf_null,       0,
 282 aui_null,       AUE_FSTATFS,    aus_fstatfs,    /* 38 fstatfs */
 283                 auf_null,       S2E_PUB,
 284 aui_setpgrp,    AUE_SETPGRP,    aus_setpgrp,    /* 39 setpgrp */
 285                 auf_null,       0,
 286 aui_null,       AUE_NULL,       aus_null,       /* 40 uucopystr */
 287                 auf_null,       0,
 288 aui_null,       AUE_NULL,       aus_null,       /* 41 (loadable) was dup */
 289                 auf_null,       0,
 290 aui_null,       AUE_PIPE,       aus_null,       /* 42 (loadable) pipe */
 291                 auf_null,       0,
 292 aui_null,       AUE_NULL,       aus_null,       /* 43 times */
 293                 auf_null,       0,
 294 aui_null,       AUE_NULL,       aus_null,       /* 44 profil */
 295                 auf_null,       0,
 296 aui_null,       AUE_ACCESS,     aus_null,       /* 45 faccessat */
 297                 auf_null,       S2E_PUB,
 298 aui_null,       AUE_SETGID,     aus_setgid,     /* 46 setgid */
 299                 auf_null,       0,
 300 aui_null,       AUE_NULL,       aus_null,       /* 47 getgid */
 301                 auf_null,       0,
 302 aui_null,       AUE_MKNOD,      aus_mknodat,    /* 48 mknodat */
 303                 auf_mknodat,    S2E_MLD,
 304 aui_msgsys,     AUE_MSGSYS,     aus_msgsys,     /* 49 (loadable) msgsys */
 305                 auf_msgsys,     0,
 306 #if defined(__x86)
 307 aui_null,       AUE_NULL,       aus_null,       /* 50 sysi86 */
 308                 auf_null,       0,
 309 #else
 310 aui_null,       AUE_NULL,       aus_null,       /* 50 (loadable) was sys3b */
 311                 auf_null,       0,
 312 #endif /* __x86 */
 313 aui_null,       AUE_ACCT,       aus_acct,       /* 51 (loadable) sysacct */
 314                 auf_null,       0,
 315 aui_shmsys,     AUE_SHMSYS,     aus_shmsys,     /* 52 (loadable) shmsys */
 316                 auf_shmsys,     0,
 317 aui_semsys,     AUE_SEMSYS,     aus_semsys,     /* 53 (loadable) semsys */
 318                 auf_semsys,     0,
 319 aui_null,       AUE_IOCTL,      aus_ioctl,      /* 54 ioctl */
 320                 auf_null,       0,
 321 aui_null,       AUE_NULL,       aus_null,       /* 55 uadmin */
 322                 auf_null,       0,
 323 aui_fchownat,   AUE_NULL,       aus_fchownat,   /* 56 fchownat */
 324                 auf_null,       0,
 325 aui_utssys,     AUE_FUSERS,     aus_null,       /* 57 utssys */
 326                 auf_null,       0,
 327 aui_null,       AUE_NULL,       aus_null,       /* 58 fsync */
 328                 auf_null,       0,
 329 aui_execve,     AUE_EXECVE,     aus_null,       /* 59 exece */
 330                 auf_null,       S2E_MLD,
 331 aui_null,       AUE_NULL,       aus_null,       /* 60 umask */
 332                 auf_null,       0,
 333 aui_null,       AUE_CHROOT,     aus_null,       /* 61 chroot */
 334                 auf_null,       S2E_SP,
 335 aui_fcntl,      AUE_FCNTL,      aus_fcntl,      /* 62 fcntl */
 336                 auf_null,       0,
 337 aui_null,       AUE_NULL,       aus_null,       /* 63 ulimit */
 338                 auf_null,       0,
 339 aui_null,       AUE_RENAME,     aus_null,       /* 64 renameat */
 340                 auf_null,       0,
 341 aui_unlinkat,   AUE_NULL,       aus_null,       /* 65 unlinkat */
 342                 auf_null,       0,
 343 aui_fstatat,    AUE_NULL,       aus_null,       /* 66 fstatat */
 344                 auf_null,       S2E_PUB,
 345 aui_fstatat,    AUE_NULL,       aus_null,       /* 67 fstatat64 */
 346                 auf_null,       S2E_PUB,
 347 aui_openat,     AUE_OPEN,       aus_openat,     /* 68 openat */
 348                 auf_null,       S2E_SP,
 349 aui_openat,     AUE_OPEN,       aus_openat,     /* 69 openat64 */
 350                 auf_null,       S2E_SP,
 351 aui_null,       AUE_NULL,       aus_null,       /* 70 tasksys */
 352                 auf_null,       0,
 353 aui_null,       AUE_NULL,       aus_null,       /* 71 (loadable) acctctl */
 354                 auf_null,       0,
 355 aui_null,       AUE_NULL,       aus_null,       /* 72 (loadable) exacct */
 356                 auf_null,       0,
 357 aui_null,       AUE_NULL,       aus_null,       /* 73 getpagesizes */
 358                 auf_null,       0,
 359 aui_null,       AUE_NULL,       aus_null,       /* 74 rctlsys */
 360                 auf_null,       0,
 361 aui_null,       AUE_NULL,       aus_null,       /* 75 sidsys */
 362                 auf_null,       0,
 363 aui_null,       AUE_NULL,       aus_null,       /* 76 (loadable) was fsat */
 364                 auf_null,       0,
 365 aui_null,       AUE_NULL,       aus_null,       /* 77 syslwp_park */
 366                 auf_null,       0,
 367 aui_null,       AUE_NULL,       aus_null,       /* 78 sendfilev */
 368                 auf_null,       0,
 369 aui_null,       AUE_RMDIR,      aus_null,       /* 79 rmdir */
 370                 auf_null,       0,
 371 aui_null,       AUE_MKDIR,      aus_mkdir,      /* 80 mkdir */
 372                 auf_null,       0,
 373 aui_null,       AUE_NULL,       aus_null,       /* 81 getdents */
 374                 auf_null,       0,
 375 aui_privsys,    AUE_NULL,       aus_null,       /* 82 privsys */
 376                 auf_null,       0,
 377 aui_null,       AUE_NULL,       aus_null,       /* 83 ucredsys */
 378                 auf_null,       0,
 379 aui_null,       AUE_NULL,       aus_null,       /* 84 sysfs */
 380                 auf_null,       0,
 381 aui_null,       AUE_GETMSG,     aus_getmsg,     /* 85 getmsg */
 382                 auf_null,       0,
 383 aui_null,       AUE_PUTMSG,     aus_putmsg,     /* 86 putmsg */
 384                 auf_null,       0,
 385 aui_null,       AUE_NULL,       aus_null,       /* 87 (loadable) was poll */
 386                 auf_null,       0,
 387 aui_null,       AUE_LSTAT,      aus_null,       /* 88 lstat */
 388                 auf_null,       S2E_PUB,
 389 aui_null,       AUE_SYMLINK,    aus_null,       /* 89 symlink */
 390                 auf_null,       0,
 391 aui_null,       AUE_READLINK,   aus_null,       /* 90 readlink */
 392                 auf_null,       S2E_PUB,
 393 aui_null,       AUE_SETGROUPS,  aus_setgroups,  /* 91 setgroups */
 394                 auf_null,       0,
 395 aui_null,       AUE_NULL,       aus_null,       /* 92 getgroups */
 396                 auf_null,       0,
 397 aui_null,       AUE_FCHMOD,     aus_fchmod,     /* 93 fchmod */
 398                 auf_null,       0,
 399 aui_null,       AUE_FCHOWN,     aus_fchown,     /* 94 fchown */
 400                 auf_null,       0,
 401 aui_null,       AUE_NULL,       aus_null,       /* 95 sigprocmask */
 402                 auf_null,       0,
 403 aui_null,       AUE_NULL,       aus_null,       /* 96 sigsuspend */
 404                 auf_null,       0,
 405 aui_null,       AUE_NULL,       aus_null,       /* 97 sigaltstack */
 406                 auf_null,       0,
 407 aui_null,       AUE_NULL,       aus_null,       /* 98 sigaction */
 408                 auf_null,       0,
 409 aui_null,       AUE_NULL,       aus_null,       /* 99 sigpending */
 410                 auf_null,       0,
 411 aui_null,       AUE_NULL,       aus_null,       /* 100 setcontext */
 412                 auf_null,       0,
 413 aui_fchmodat,   AUE_NULL,       aus_fchmodat,   /* 101 fchmodat */
 414                 auf_null,       0,
 415 aui_null,       AUE_MKDIR,      aus_mkdirat,    /* 102 mkdirat */
 416                 auf_null,       0,
 417 aui_null,       AUE_STATVFS,    aus_null,       /* 103 statvfs */
 418                 auf_null,       S2E_PUB,
 419 aui_null,       AUE_NULL,       aus_null,       /* 104 fstatvfs */
 420                 auf_null,       0,
 421 aui_null,       AUE_NULL,       aus_null,       /* 105 getloadavg */
 422                 auf_null,       0,
 423 aui_null,       AUE_NULL,       aus_null,       /* 106 nfssys */
 424                 auf_null,       0,
 425 aui_null,       AUE_NULL,       aus_null,       /* 107 waitsys */
 426                 auf_null,       0,
 427 aui_null,       AUE_NULL,       aus_null,       /* 108 sigsendsys */
 428                 auf_null,       0,
 429 #if defined(__x86)
 430 aui_null,       AUE_NULL,       aus_null,       /* 109 hrtsys */
 431                 auf_null,       0,
 432 #else
 433 aui_null,       AUE_NULL,       aus_null,       /* 109 (loadable) */
 434                 auf_null,       0,
 435 #endif /* __x86 */
 436 aui_null,       AUE_UTIMES,     aus_null,       /* 110 utimesys */
 437                 auf_null,       0,
 438 aui_null,       AUE_NULL,       aus_null,       /* 111 sigresend */
 439                 auf_null,       0,
 440 aui_null,       AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
 441                 auf_null,       0,
 442 aui_null,       AUE_PATHCONF,   aus_null,       /* 113 pathconf */
 443                 auf_null,       S2E_PUB,
 444 aui_null,       AUE_NULL,       aus_null,       /* 114 mincore */
 445                 auf_null,       0,
 446 aui_null,       AUE_MMAP,       aus_mmap,       /* 115 mmap */
 447                 auf_null,       0,
 448 aui_null,       AUE_NULL,       aus_null,       /* 116 mprotect */
 449                 auf_null,       0,
 450 aui_null,       AUE_MUNMAP,     aus_munmap,     /* 117 munmap */
 451                 auf_null,       0,
 452 aui_null,       AUE_NULL,       aus_null,       /* 118 fpathconf */
 453                 auf_null,       0,
 454 aui_null,       AUE_VFORK,      aus_null,       /* 119 vfork */
 455                 auf_null,       0,
 456 aui_null,       AUE_FCHDIR,     aus_null,       /* 120 fchdir */
 457                 auf_null,       0,
 458 aui_null,       AUE_READ,       aus_null,       /* 121 readv */
 459                 auf_read,       S2E_PUB,
 460 aui_null,       AUE_WRITE,      aus_null,       /* 122 writev */
 461                 auf_write,      0,
 462 aui_null,       AUE_NULL,       aus_null,       /* 123 (loadable) was xstat */
 463                 auf_null,       0,
 464 aui_null,       AUE_NULL,       aus_null,       /* 124 (loadable) was lxstat */
 465                 auf_null,       0,
 466 aui_null,       AUE_NULL,       aus_null,       /* 125 (loadable) was fxstat */
 467                 auf_null,       0,
 468 aui_null,       AUE_NULL,       aus_null,       /* 126 (loadable) was xmknod */
 469                 auf_null,       0,
 470 aui_null,       AUE_NULL,       aus_null,       /* 127 mmapobj */
 471                 auf_null,       0,
 472 aui_null,       AUE_SETRLIMIT,  aus_null,       /* 128 setrlimit */
 473                 auf_null,       0,
 474 aui_null,       AUE_NULL,       aus_null,       /* 129 getrlimit */
 475                 auf_null,       0,
 476 aui_null,       AUE_LCHOWN,     aus_lchown,     /* 130 lchown */
 477                 auf_null,       0,
 478 aui_memcntl,    AUE_MEMCNTL,    aus_memcntl,    /* 131 memcntl */
 479                 auf_null,       0,
 480 aui_null,       AUE_GETPMSG,    aus_getpmsg,    /* 132 getpmsg */
 481                 auf_null,       0,
 482 aui_null,       AUE_PUTPMSG,    aus_putpmsg,    /* 133 putpmsg */
 483                 auf_null,       0,
 484 aui_null,       AUE_RENAME,     aus_null,       /* 134 rename */
 485                 auf_null,       0,
 486 aui_null,       AUE_NULL,       aus_null,       /* 135 uname */
 487                 auf_null,       0,
 488 aui_null,       AUE_SETEGID,    aus_setegid,    /* 136 setegid */
 489                 auf_null,       0,
 490 aui_null,       AUE_NULL,       aus_null,       /* 137 sysconfig */
 491                 auf_null,       0,
 492 aui_null,       AUE_ADJTIME,    aus_null,       /* 138 adjtime */
 493                 auf_null,       0,
 494 aui_sysinfo,    AUE_SYSINFO,    aus_sysinfo,    /* 139 systeminfo */
 495                 auf_null,       0,
 496 aui_null,       AUE_NULL,       aus_null,       /* 140 (loadable) sharefs */
 497                 auf_null,       0,
 498 aui_null,       AUE_SETEUID,    aus_seteuid,    /* 141 seteuid */
 499                 auf_null,       0,
 500 aui_forksys,    AUE_NULL,       aus_null,       /* 142 forksys */
 501                 auf_null,       0,
 502 aui_null,       AUE_NULL,       aus_null,       /* 143 (loadable) was fork1 */
 503                 auf_null,       0,
 504 aui_null,       AUE_NULL,       aus_null,       /* 144 sigwait */
 505                 auf_null,       0,
 506 aui_null,       AUE_NULL,       aus_null,       /* 145 lwp_info */
 507                 auf_null,       0,
 508 aui_null,       AUE_NULL,       aus_null,       /* 146 yield */
 509                 auf_null,       0,
 510 aui_null,       AUE_NULL,       aus_null,       /* 147 (loadable) */
 511                                                 /*      was lwp_sema_wait */
 512                 auf_null,       0,
 513 aui_null,       AUE_NULL,       aus_null,       /* 148 lwp_sema_post */
 514                 auf_null,       0,
 515 aui_null,       AUE_NULL,       aus_null,       /* 149 lwp_sema_trywait */
 516                 auf_null,       0,
 517 aui_null,       AUE_NULL,       aus_null,       /* 150 lwp_detach */
 518                 auf_null,       0,
 519 aui_null,       AUE_NULL,       aus_null,       /* 151 corectl */
 520                 auf_null,       0,
 521 aui_modctl,     AUE_MODCTL,     aus_modctl,     /* 152 modctl */
 522                 auf_null,       0,
 523 aui_null,       AUE_FCHROOT,    aus_null,       /* 153 fchroot */
 524                 auf_null,       0,
 525 aui_null,       AUE_NULL,       aus_null,       /* 154 (loadable) was utimes */
 526                 auf_null,       0,
 527 aui_null,       AUE_NULL,       aus_null,       /* 155 vhangup */
 528                 auf_null,       0,
 529 aui_null,       AUE_NULL,       aus_null,       /* 156 gettimeofday */
 530                 auf_null,       0,
 531 aui_null,       AUE_NULL,       aus_null,       /* 157 getitimer */
 532                 auf_null,       0,
 533 aui_null,       AUE_NULL,       aus_null,       /* 158 setitimer */
 534                 auf_null,       0,
 535 aui_null,       AUE_NULL,       aus_null,       /* 159 lwp_create */
 536                 auf_null,       0,
 537 aui_null,       AUE_NULL,       aus_null,       /* 160 lwp_exit */
 538                 auf_null,       0,
 539 aui_null,       AUE_NULL,       aus_null,       /* 161 lwp_suspend */
 540                 auf_null,       0,
 541 aui_null,       AUE_NULL,       aus_null,       /* 162 lwp_continue */
 542                 auf_null,       0,
 543 aui_null,       AUE_NULL,       aus_null,       /* 163 lwp_kill */
 544                 auf_null,       0,
 545 aui_null,       AUE_NULL,       aus_null,       /* 164 lwp_self */
 546                 auf_null,       0,
 547 aui_null,       AUE_NULL,       aus_null,       /* 165 lwp_sigmask */
 548                 auf_null,       0,
 549 aui_null,       AUE_NULL,       aus_null,       /* 166 lwp_private */
 550                 auf_null,       0,
 551 aui_null,       AUE_NULL,       aus_null,       /* 167 lwp_wait */
 552                 auf_null,       0,
 553 aui_null,       AUE_NULL,       aus_null,       /* 168 lwp_mutex_wakeup  */
 554                 auf_null,       0,
 555 aui_null,       AUE_NULL,       aus_null,       /* 169 (loadable) */
 556                                                 /*      was lwp_mutex_lock */
 557                 auf_null,       0,
 558 aui_null,       AUE_NULL,       aus_null,       /* 170 lwp_cond_wait */
 559                 auf_null,       0,
 560 aui_null,       AUE_NULL,       aus_null,       /* 171 lwp_cond_signal */
 561                 auf_null,       0,
 562 aui_null,       AUE_NULL,       aus_null,       /* 172 lwp_cond_broadcast */
 563                 auf_null,       0,
 564 aui_null,       AUE_READ,       aus_null,       /* 173 pread */
 565                 auf_read,       S2E_PUB,
 566 aui_null,       AUE_WRITE,      aus_null,       /* 174 pwrite */
 567                 auf_write,      0,
 568 aui_null,       AUE_NULL,       aus_null,       /* 175 llseek */
 569                 auf_null,       0,
 570 aui_null,       AUE_INST_SYNC,  aus_inst_sync,  /* 176 (loadable) inst_sync */
 571                 auf_null,       0,
 572 aui_null,       AUE_BRANDSYS,   aus_brandsys,   /* 177 brandsys */
 573                 auf_null,       0,
 574 aui_null,       AUE_NULL,       aus_null,       /* 178 (loadable) kaio */
 575                 auf_null,       0,
 576 aui_null,       AUE_NULL,       aus_null,       /* 179 (loadable) cpc */
 577                 auf_null,       0,
 578 aui_null,       AUE_NULL,       aus_null,       /* 180 lgrpsys */
 579                 auf_null,       0,
 580 aui_null,       AUE_NULL,       aus_null,       /* 181 rusagesys */
 581                 auf_null,       0,
 582 aui_portfs,     AUE_PORTFS,     aus_null,       /* 182 (loadable) portfs */
 583                 auf_null,       S2E_MLD,
 584 aui_null,       AUE_NULL,       aus_null,       /* 183 pollsys */
 585                 auf_null,       0,
 586 aui_labelsys,   AUE_NULL,       aus_labelsys,   /* 184 labelsys */
 587                 auf_null,       0,
 588 aui_acl,        AUE_ACLSET,     aus_acl,        /* 185 acl */
 589                 auf_null,       0,
 590 aui_auditsys,   AUE_AUDITSYS,   aus_auditsys,   /* 186 auditsys  */
 591                 auf_null,       0,
 592 aui_null,       AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
 593                 auf_null,       0,
 594 aui_null,       AUE_NULL,       aus_null,       /* 188 processor_info */
 595                 auf_null,       0,
 596 aui_null,       AUE_P_ONLINE,   aus_p_online,   /* 189 p_online */
 597                 auf_null,       0,
 598 aui_null,       AUE_NULL,       aus_sigqueue,   /* 190 sigqueue */
 599                 auf_null,       0,
 600 aui_null,       AUE_NULL,       aus_null,       /* 191 clock_gettime */
 601                 auf_null,       0,
 602 aui_null,       AUE_CLOCK_SETTIME,      aus_null,       /* 192 clock_settime */
 603                 auf_null,       0,
 604 aui_null,       AUE_NULL,       aus_null,       /* 193 clock_getres */
 605                 auf_null,       0,
 606 aui_null,       AUE_NULL,       aus_null,       /* 194 timer_create */
 607                 auf_null,       0,
 608 aui_null,       AUE_NULL,       aus_null,       /* 195 timer_delete */
 609                 auf_null,       0,
 610 aui_null,       AUE_NULL,       aus_null,       /* 196 timer_settime */
 611                 auf_null,       0,
 612 aui_null,       AUE_NULL,       aus_null,       /* 197 timer_gettime */
 613                 auf_null,       0,
 614 aui_null,       AUE_NULL,       aus_null,       /* 198 timer_getoverrun */
 615                 auf_null,       0,
 616 aui_null,       AUE_NULL,       aus_null,       /* 199 nanosleep */
 617                 auf_null,       0,
 618 aui_acl,        AUE_FACLSET,    aus_facl,       /* 200 facl */
 619                 auf_null,       0,
 620 aui_doorfs,     AUE_DOORFS,     aus_doorfs,     /* 201 (loadable) doorfs */
 621                 auf_null,       0,
 622 aui_null,       AUE_SETREUID,   aus_setreuid,   /* 202 setreuid */
 623                 auf_null,       0,
 624 aui_null,       AUE_SETREGID,   aus_setregid,   /* 203 setregid */
 625                 auf_null,       0,
 626 aui_null,       AUE_NULL,       aus_null,       /* 204 install_utrap */
 627                 auf_null,       0,
 628 aui_null,       AUE_NULL,       aus_null,       /* 205 signotify */
 629                 auf_null,       0,
 630 aui_null,       AUE_NULL,       aus_null,       /* 206 schedctl */
 631                 auf_null,       0,
 632 aui_null,       AUE_NULL,       aus_null,       /* 207 (loadable) pset */
 633                 auf_null,       0,
 634 aui_null,       AUE_NULL,       aus_null,       /* 208 sparc_utrap_install */
 635                 auf_null,       0,
 636 aui_null,       AUE_NULL,       aus_null,       /* 209 resolvepath */
 637                 auf_null,       0,
 638 aui_null,       AUE_NULL,       aus_null,       /* 210 lwp_mutex_timedlock */
 639                 auf_null,       0,
 640 aui_null,       AUE_NULL,       aus_null,       /* 211 lwp_sema_timedwait */
 641                 auf_null,       0,
 642 aui_null,       AUE_NULL,       aus_null,       /* 212 lwp_rwlock_sys */
 643                 auf_null,       0,
 644 aui_null,       AUE_NULL,       aus_null,       /* 213 getdents64 */
 645                 auf_null,       0,
 646 aui_null,       AUE_MMAP,       aus_mmap,       /* 214 mmap64 */
 647                 auf_null,       0,
 648 aui_null,       AUE_STAT,       aus_null,       /* 215 stat64 */
 649                 auf_null,       S2E_PUB,
 650 aui_null,       AUE_LSTAT,      aus_null,       /* 216 lstat64 */
 651                 auf_null,       S2E_PUB,
 652 aui_null,       AUE_NULL,       aus_null,       /* 217 fstat64 */
 653                 auf_null,       0,
 654 aui_null,       AUE_STATVFS,    aus_null,       /* 218 statvfs64 */
 655                 auf_null,       S2E_PUB,
 656 aui_null,       AUE_NULL,       aus_null,       /* 219 fstatvfs64 */
 657                 auf_null,       0,
 658 aui_null,       AUE_SETRLIMIT,  aus_null,       /* 220 setrlimit64 */
 659                 auf_null,       0,
 660 aui_null,       AUE_NULL,       aus_null,       /* 221 getrlimit64 */
 661                 auf_null,       0,
 662 aui_null,       AUE_READ,       aus_null,       /* 222 pread64  */
 663                 auf_read,       S2E_PUB,
 664 aui_null,       AUE_WRITE,      aus_null,       /* 223 pwrite64 */
 665                 auf_write,      0,
 666 aui_null,       AUE_NULL,       aus_null,       /* 224 (loadable) was creat64 */
 667                 auf_null,       0,
 668 aui_open,       AUE_OPEN,       aus_open,       /* 225 open64 */
 669                 auf_null,       S2E_SP,
 670 aui_null,       AUE_NULL,       aus_null,       /* 226 (loadable) rpcsys */
 671                 auf_null,       0,
 672 aui_null,       AUE_NULL,       aus_null,       /* 227 zone */
 673                 auf_null,       0,
 674 aui_null,       AUE_NULL,       aus_null,       /* 228 (loadable) autofssys */
 675                 auf_null,       0,
 676 aui_null,       AUE_NULL,       aus_null,       /* 229 getcwd */
 677                 auf_null,       0,
 678 aui_null,       AUE_SOCKET,     aus_socket,     /* 230 so_socket */
 679                 auf_null,       0,
 680 aui_null,       AUE_NULL,       aus_null,       /* 231 so_socketpair */
 681                 auf_null,       0,
 682 aui_null,       AUE_BIND,       aus_null,       /* 232 bind */
 683                 auf_bind,       0,
 684 aui_null,       AUE_NULL,       aus_null,       /* 233 listen */
 685                 auf_null,       0,
 686 aui_null,       AUE_ACCEPT,     aus_null,       /* 234 accept */
 687                 auf_accept,     0,
 688 aui_null,       AUE_CONNECT,    aus_null,       /* 235 connect */
 689                 auf_connect,    0,
 690 aui_null,       AUE_SHUTDOWN,   aus_shutdown,   /* 236 shutdown */
 691                 auf_null,       0,
 692 aui_null,       AUE_READ,       aus_null,       /* 237 recv */
 693                 auf_recv,       0,
 694 aui_null,       AUE_RECVFROM,   aus_null,       /* 238 recvfrom */
 695                 auf_recvfrom,   0,
 696 aui_null,       AUE_RECVMSG,    aus_null,       /* 239 recvmsg */
 697                 auf_recvmsg,    0,
 698 aui_null,       AUE_WRITE,      aus_null,       /* 240 send */
 699                 auf_send,       0,
 700 aui_null,       AUE_SENDMSG,    aus_null,       /* 241 sendmsg */
 701                 auf_sendmsg,    0,
 702 aui_null,       AUE_SENDTO,     aus_null,       /* 242 sendto */
 703                 auf_sendto,     0,
 704 aui_null,       AUE_NULL,       aus_null,       /* 243 getpeername */
 705                 auf_null,       0,
 706 aui_null,       AUE_NULL,       aus_null,       /* 244 getsockname */
 707                 auf_null,       0,
 708 aui_null,       AUE_NULL,       aus_null,       /* 245 getsockopt */
 709                 auf_null,       0,
 710 aui_null,       AUE_SETSOCKOPT, aus_null,       /* 246 setsockopt */
 711                 auf_setsockopt, 0,
 712 aui_null,       AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
 713                 auf_null,       0,
 714 aui_null,       AUE_NULL,       aus_null,       /* 248 ntp_gettime */
 715                 auf_null,       0,
 716 aui_null,       AUE_NTP_ADJTIME, aus_null,      /* 249 ntp_adjtime */
 717                 auf_null,       0,
 718 aui_null,       AUE_NULL,       aus_null,       /* 250 lwp_mutex_unlock */
 719                 auf_null,       0,
 720 aui_null,       AUE_NULL,       aus_null,       /* 251 lwp_mutex_trylock */
 721                 auf_null,       0,
 722 aui_null,       AUE_NULL,       aus_null,       /* 252 lwp_mutex_register */
 723                 auf_null,       0,
 724 aui_null,       AUE_NULL,       aus_null,       /* 253 cladm */
 725                 auf_null,       0,
 726 aui_null,       AUE_NULL,       aus_null,       /* 254 uucopy */
 727                 auf_null,       0,
 728 aui_null,       AUE_UMOUNT2,    aus_umount2,    /* 255 umount2 */
 729                 auf_null,       0
 730 };
 731 
 732 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
 733 
 734 
 735 /* exit start function */
 736 /*ARGSUSED*/
 737 static void
 738 aus_exit(struct t_audit_data *tad)
 739 {
 740         uint32_t rval;
 741         struct a {
 742                 long rval;
 743         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
 744 
 745         rval = (uint32_t)uap->rval;
 746         au_uwrite(au_to_arg32(1, "exit status", rval));
 747 }
 748 
 749 
 750 /* acct start function */
 751 /*ARGSUSED*/
 752 static void
 753 aus_acct(struct t_audit_data *tad)
 754 {
 755         klwp_t *clwp = ttolwp(curthread);
 756         uintptr_t fname;
 757 
 758         struct a {
 759                 long    fname;          /* char * */
 760         } *uap = (struct a *)clwp->lwp_ap;
 761 
 762         fname = (uintptr_t)uap->fname;
 763 
 764         if (fname == 0)
 765                 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
 766 }
 767 
 768 /* chown start function */
 769 /*ARGSUSED*/
 770 static void
 771 aus_chown(struct t_audit_data *tad)
 772 {
 773         klwp_t *clwp = ttolwp(curthread);
 774         uint32_t uid, gid;
 775 
 776         struct a {
 777                 long    fname;          /* char * */
 778                 long    uid;
 779                 long    gid;
 780         } *uap = (struct a *)clwp->lwp_ap;
 781 
 782         uid = (uint32_t)uap->uid;
 783         gid = (uint32_t)uap->gid;
 784 
 785         au_uwrite(au_to_arg32(2, "new file uid", uid));
 786         au_uwrite(au_to_arg32(3, "new file gid", gid));
 787 }
 788 
 789 /* fchown start function */
 790 /*ARGSUSED*/
 791 static void
 792 aus_fchown(struct t_audit_data *tad)
 793 {
 794         klwp_t *clwp = ttolwp(curthread);
 795         uint32_t uid, gid, fd;
 796         struct file  *fp;
 797         struct vnode *vp;
 798         struct f_audit_data *fad;
 799 
 800         struct a {
 801                 long fd;
 802                 long uid;
 803                 long gid;
 804         } *uap = (struct a *)clwp->lwp_ap;
 805 
 806         fd  = (uint32_t)uap->fd;
 807         uid = (uint32_t)uap->uid;
 808         gid = (uint32_t)uap->gid;
 809 
 810         au_uwrite(au_to_arg32(2, "new file uid", uid));
 811         au_uwrite(au_to_arg32(3, "new file gid", gid));
 812 
 813                 /*
 814                  * convert file pointer to file descriptor
 815                  *   Note: fd ref count incremented here.
 816                  */
 817         if ((fp = getf(fd)) == NULL)
 818                 return;
 819 
 820         /* get path from file struct here */
 821         fad = F2A(fp);
 822         if (fad->fad_aupath != NULL) {
 823                 au_uwrite(au_to_path(fad->fad_aupath));
 824         } else {
 825                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
 826         }
 827 
 828         vp = fp->f_vnode;
 829         audit_attributes(vp);
 830 
 831         /* decrement file descriptor reference count */
 832         releasef(fd);
 833 }
 834 
 835 /*ARGSUSED*/
 836 static void
 837 aus_lchown(struct t_audit_data *tad)
 838 {
 839         klwp_t *clwp = ttolwp(curthread);
 840         uint32_t uid, gid;
 841 
 842 
 843         struct a {
 844                 long    fname;          /* char * */
 845                 long    uid;
 846                 long    gid;
 847         } *uap = (struct a *)clwp->lwp_ap;
 848 
 849         uid = (uint32_t)uap->uid;
 850         gid = (uint32_t)uap->gid;
 851 
 852         au_uwrite(au_to_arg32(2, "new file uid", uid));
 853         au_uwrite(au_to_arg32(3, "new file gid", gid));
 854 }
 855 
 856 static au_event_t
 857 aui_fchownat(au_event_t e)
 858 {
 859         klwp_t *clwp = ttolwp(curthread);
 860 
 861         struct a {
 862                 long    fd;
 863                 long    fname;          /* char * */
 864                 long    uid;
 865                 long    gid;
 866                 long    flags;
 867         } *uap = (struct a *)clwp->lwp_ap;
 868 
 869         if (uap->fname == 0)
 870                 e = AUE_FCHOWN;
 871         else if (uap->flags & AT_SYMLINK_NOFOLLOW)
 872                 e = AUE_LCHOWN;
 873         else
 874                 e = AUE_CHOWN;
 875 
 876         return (e);
 877 }
 878 
 879 /*ARGSUSED*/
 880 static void
 881 aus_fchownat(struct t_audit_data *tad)
 882 {
 883         klwp_t *clwp = ttolwp(curthread);
 884         uint32_t uid, gid;
 885 
 886         struct a {
 887                 long    fd;
 888                 long    fname;          /* char * */
 889                 long    uid;
 890                 long    gid;
 891                 long    flags;
 892         } *uap = (struct a *)clwp->lwp_ap;
 893 
 894         uid = (uint32_t)uap->uid;
 895         gid = (uint32_t)uap->gid;
 896 
 897         au_uwrite(au_to_arg32(3, "new file uid", uid));
 898         au_uwrite(au_to_arg32(4, "new file gid", gid));
 899 }
 900 
 901 /*ARGSUSED*/
 902 static void
 903 aus_chmod(struct t_audit_data *tad)
 904 {
 905         klwp_t *clwp = ttolwp(curthread);
 906         uint32_t fmode;
 907 
 908         struct a {
 909                 long    fname;          /* char * */
 910                 long    fmode;
 911         } *uap = (struct a *)clwp->lwp_ap;
 912 
 913         fmode = (uint32_t)uap->fmode;
 914 
 915         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
 916 }
 917 
 918 /*ARGSUSED*/
 919 static void
 920 aus_fchmod(struct t_audit_data *tad)
 921 {
 922         klwp_t *clwp = ttolwp(curthread);
 923         uint32_t fmode, fd;
 924         struct file  *fp;
 925         struct vnode *vp;
 926         struct f_audit_data *fad;
 927 
 928         struct a {
 929                 long    fd;
 930                 long    fmode;
 931         } *uap = (struct a *)clwp->lwp_ap;
 932 
 933         fd = (uint32_t)uap->fd;
 934         fmode = (uint32_t)uap->fmode;
 935 
 936         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
 937 
 938         /*
 939          * convert file pointer to file descriptor
 940          *   Note: fd ref count incremented here.
 941          */
 942         if ((fp = getf(fd)) == NULL)
 943                 return;
 944 
 945         /* get path from file struct here */
 946         fad = F2A(fp);
 947         if (fad->fad_aupath != NULL) {
 948                 au_uwrite(au_to_path(fad->fad_aupath));
 949         } else {
 950                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
 951         }
 952 
 953         vp = fp->f_vnode;
 954         audit_attributes(vp);
 955 
 956         /* decrement file descriptor reference count */
 957         releasef(fd);
 958 }
 959 
 960 static au_event_t
 961 aui_fchmodat(au_event_t e)
 962 {
 963         klwp_t *clwp = ttolwp(curthread);
 964 
 965         struct a {
 966                 long    fd;
 967                 long    fname;          /* char * */
 968                 long    fmode;
 969                 long    flag;
 970         } *uap = (struct a *)clwp->lwp_ap;
 971 
 972         if (uap->fname == 0)
 973                 e = AUE_FCHMOD;
 974         else
 975                 e = AUE_CHMOD;
 976 
 977         return (e);
 978 }
 979 
 980 /*ARGSUSED*/
 981 static void
 982 aus_fchmodat(struct t_audit_data *tad)
 983 {
 984         klwp_t *clwp = ttolwp(curthread);
 985         uint32_t fmode;
 986         uint32_t fd;
 987         struct file  *fp;
 988         struct vnode *vp;
 989         struct f_audit_data *fad;
 990 
 991         struct a {
 992                 long    fd;
 993                 long    fname;          /* char * */
 994                 long    fmode;
 995                 long    flag;
 996         } *uap = (struct a *)clwp->lwp_ap;
 997 
 998         fd = (uint32_t)uap->fd;
 999         fmode = (uint32_t)uap->fmode;
1000 
1001         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1002 
1003         if (fd == AT_FDCWD || uap->fname != 0)       /* same as chmod() */
1004                 return;
1005 
1006         /*
1007          * convert file pointer to file descriptor
1008          *   Note: fd ref count incremented here.
1009          */
1010         if ((fp = getf(fd)) == NULL)
1011                 return;
1012 
1013         /* get path from file struct here */
1014         fad = F2A(fp);
1015         if (fad->fad_aupath != NULL) {
1016                 au_uwrite(au_to_path(fad->fad_aupath));
1017         } else {
1018                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1019         }
1020 
1021         vp = fp->f_vnode;
1022         audit_attributes(vp);
1023 
1024         /* decrement file descriptor reference count */
1025         releasef(fd);
1026 }
1027 
1028 /*
1029  * convert open mode to appropriate open event
1030  */
1031 au_event_t
1032 open_event(uint_t fm)
1033 {
1034         au_event_t e;
1035 
1036         switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1037         case O_RDONLY:
1038                 e = AUE_OPEN_R;
1039                 break;
1040         case O_RDONLY | O_CREAT:
1041                 e = AUE_OPEN_RC;
1042                 break;
1043         case O_RDONLY | O_TRUNC:
1044                 e = AUE_OPEN_RT;
1045                 break;
1046         case O_RDONLY | O_TRUNC | O_CREAT:
1047                 e = AUE_OPEN_RTC;
1048                 break;
1049         case O_WRONLY:
1050                 e = AUE_OPEN_W;
1051                 break;
1052         case O_WRONLY | O_CREAT:
1053                 e = AUE_OPEN_WC;
1054                 break;
1055         case O_WRONLY | O_TRUNC:
1056                 e = AUE_OPEN_WT;
1057                 break;
1058         case O_WRONLY | O_TRUNC | O_CREAT:
1059                 e = AUE_OPEN_WTC;
1060                 break;
1061         case O_RDWR:
1062                 e = AUE_OPEN_RW;
1063                 break;
1064         case O_RDWR | O_CREAT:
1065                 e = AUE_OPEN_RWC;
1066                 break;
1067         case O_RDWR | O_TRUNC:
1068                 e = AUE_OPEN_RWT;
1069                 break;
1070         case O_RDWR | O_TRUNC | O_CREAT:
1071                 e = AUE_OPEN_RWTC;
1072                 break;
1073         case O_SEARCH:
1074                 e = AUE_OPEN_S;
1075                 break;
1076         case O_EXEC:
1077                 e = AUE_OPEN_E;
1078                 break;
1079         default:
1080                 e = AUE_NULL;
1081                 break;
1082         }
1083 
1084         return (e);
1085 }
1086 
1087 /* ARGSUSED */
1088 static au_event_t
1089 aui_open(au_event_t e)
1090 {
1091         klwp_t *clwp = ttolwp(curthread);
1092         uint_t fm;
1093 
1094         struct a {
1095                 long    fnamep;         /* char * */
1096                 long    fmode;
1097                 long    cmode;
1098         } *uap = (struct a *)clwp->lwp_ap;
1099 
1100         fm = (uint_t)uap->fmode;
1101 
1102         return (open_event(fm));
1103 }
1104 
1105 static void
1106 aus_open(struct t_audit_data *tad)
1107 {
1108         klwp_t *clwp = ttolwp(curthread);
1109         uint_t fm;
1110 
1111         struct a {
1112                 long    fnamep;         /* char * */
1113                 long    fmode;
1114                 long    cmode;
1115         } *uap = (struct a *)clwp->lwp_ap;
1116 
1117         fm = (uint_t)uap->fmode;
1118 
1119         /* If no write, create, or trunc modes, mark as a public op */
1120         if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1121                 tad->tad_ctrl |= TAD_PUBLIC_EV;
1122 }
1123 
1124 /* ARGSUSED */
1125 static au_event_t
1126 aui_openat(au_event_t e)
1127 {
1128         t_audit_data_t *tad = T2A(curthread);
1129         klwp_t *clwp = ttolwp(curthread);
1130         uint_t fm;
1131 
1132         struct a {
1133                 long    filedes;
1134                 long    fnamep;         /* char * */
1135                 long    fmode;
1136                 long    cmode;
1137         } *uap = (struct a *)clwp->lwp_ap;
1138 
1139         fm = (uint_t)uap->fmode;
1140 
1141         /*
1142          * __openattrdirat() does an extra pathname lookup in order to
1143          * enter the extended system attribute namespace of the referenced
1144          * extended attribute filename.
1145          */
1146         if (fm & FXATTRDIROPEN)
1147                 tad->tad_ctrl |= TAD_MLD;
1148 
1149         return (open_event(fm));
1150 }
1151 
1152 static void
1153 aus_openat(struct t_audit_data *tad)
1154 {
1155         klwp_t *clwp = ttolwp(curthread);
1156         uint_t fm;
1157 
1158         struct a {
1159                 long    filedes;
1160                 long    fnamep;         /* char * */
1161                 long    fmode;
1162                 long    cmode;
1163         } *uap = (struct a *)clwp->lwp_ap;
1164 
1165         fm = (uint_t)uap->fmode;
1166 
1167         /* If no write, create, or trunc modes, mark as a public op */
1168         if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1169                 tad->tad_ctrl |= TAD_PUBLIC_EV;
1170 }
1171 
1172 static au_event_t
1173 aui_unlinkat(au_event_t e)
1174 {
1175         klwp_t *clwp = ttolwp(curthread);
1176 
1177         struct a {
1178                 long    filedes;
1179                 long    fnamep;         /* char * */
1180                 long    flags;
1181         } *uap = (struct a *)clwp->lwp_ap;
1182 
1183         if (uap->flags & AT_REMOVEDIR)
1184                 e = AUE_RMDIR;
1185         else
1186                 e = AUE_UNLINK;
1187 
1188         return (e);
1189 }
1190 
1191 static au_event_t
1192 aui_fstatat(au_event_t e)
1193 {
1194         klwp_t *clwp = ttolwp(curthread);
1195 
1196         struct a {
1197                 long    filedes;
1198                 long    fnamep;         /* char * */
1199                 long    statb;
1200                 long    flags;
1201         } *uap = (struct a *)clwp->lwp_ap;
1202 
1203         if (uap->fnamep == 0)
1204                 e = AUE_FSTAT;
1205         else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1206                 e = AUE_LSTAT;
1207         else
1208                 e = AUE_STAT;
1209 
1210         return (e);
1211 }
1212 
1213 /* msgsys */
1214 static au_event_t
1215 aui_msgsys(au_event_t e)
1216 {
1217         klwp_t *clwp = ttolwp(curthread);
1218         uint_t fm;
1219 
1220         struct a {
1221                 long    id;     /* function code id */
1222                 long    ap;     /* arg pointer for recvmsg */
1223         } *uap = (struct a *)clwp->lwp_ap;
1224 
1225         struct b {
1226                 long    msgid;
1227                 long    cmd;
1228                 long    buf;    /* struct msqid_ds * */
1229         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1230 
1231         fm  = (uint_t)uap->id;
1232 
1233         switch (fm) {
1234         case 0:         /* msgget */
1235                 e = AUE_MSGGET;
1236                 break;
1237         case 1:         /* msgctl */
1238                 switch ((uint_t)uap1->cmd) {
1239                 case IPC_RMID:
1240                         e = AUE_MSGCTL_RMID;
1241                         break;
1242                 case IPC_SET:
1243                         e = AUE_MSGCTL_SET;
1244                         break;
1245                 case IPC_STAT:
1246                         e = AUE_MSGCTL_STAT;
1247                         break;
1248                 default:
1249                         e = AUE_MSGCTL;
1250                         break;
1251                 }
1252                 break;
1253         case 2:         /* msgrcv */
1254                 e = AUE_MSGRCV;
1255                 break;
1256         case 3:         /* msgsnd */
1257                 e = AUE_MSGSND;
1258                 break;
1259         default:        /* illegal system call */
1260                 e = AUE_NULL;
1261                 break;
1262         }
1263 
1264         return (e);
1265 }
1266 
1267 
1268 /* shmsys */
1269 static au_event_t
1270 aui_shmsys(au_event_t e)
1271 {
1272         klwp_t *clwp = ttolwp(curthread);
1273         int fm;
1274 
1275         struct a {              /* shmsys */
1276                 long    id;     /* function code id */
1277         } *uap = (struct a *)clwp->lwp_ap;
1278 
1279         struct b {              /* ctrl */
1280                 long    shmid;
1281                 long    cmd;
1282                 long    arg;            /* struct shmid_ds * */
1283         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1284         fm  = (uint_t)uap->id;
1285 
1286         switch (fm) {
1287         case 0:         /* shmat */
1288                 e = AUE_SHMAT;
1289                 break;
1290         case 1:         /* shmctl */
1291                 switch ((uint_t)uap1->cmd) {
1292                 case IPC_RMID:
1293                         e = AUE_SHMCTL_RMID;
1294                         break;
1295                 case IPC_SET:
1296                         e = AUE_SHMCTL_SET;
1297                         break;
1298                 case IPC_STAT:
1299                         e = AUE_SHMCTL_STAT;
1300                         break;
1301                 default:
1302                         e = AUE_SHMCTL;
1303                         break;
1304                 }
1305                 break;
1306         case 2:         /* shmdt */
1307                 e = AUE_SHMDT;
1308                 break;
1309         case 3:         /* shmget */
1310                 e = AUE_SHMGET;
1311                 break;
1312         default:        /* illegal system call */
1313                 e = AUE_NULL;
1314                 break;
1315         }
1316 
1317         return (e);
1318 }
1319 
1320 
1321 /* semsys */
1322 static au_event_t
1323 aui_semsys(au_event_t e)
1324 {
1325         klwp_t *clwp = ttolwp(curthread);
1326         uint_t fm;
1327 
1328         struct a {              /* semsys */
1329                 long    id;
1330         } *uap = (struct a *)clwp->lwp_ap;
1331 
1332         struct b {              /* ctrl */
1333                 long    semid;
1334                 long    semnum;
1335                 long    cmd;
1336                 long    arg;
1337         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1338 
1339         fm = (uint_t)uap->id;
1340 
1341         switch (fm) {
1342         case 0:         /* semctl */
1343                 switch ((uint_t)uap1->cmd) {
1344                 case IPC_RMID:
1345                         e = AUE_SEMCTL_RMID;
1346                         break;
1347                 case IPC_SET:
1348                         e = AUE_SEMCTL_SET;
1349                         break;
1350                 case IPC_STAT:
1351                         e = AUE_SEMCTL_STAT;
1352                         break;
1353                 case GETNCNT:
1354                         e = AUE_SEMCTL_GETNCNT;
1355                         break;
1356                 case GETPID:
1357                         e = AUE_SEMCTL_GETPID;
1358                         break;
1359                 case GETVAL:
1360                         e = AUE_SEMCTL_GETVAL;
1361                         break;
1362                 case GETALL:
1363                         e = AUE_SEMCTL_GETALL;
1364                         break;
1365                 case GETZCNT:
1366                         e = AUE_SEMCTL_GETZCNT;
1367                         break;
1368                 case SETVAL:
1369                         e = AUE_SEMCTL_SETVAL;
1370                         break;
1371                 case SETALL:
1372                         e = AUE_SEMCTL_SETALL;
1373                         break;
1374                 default:
1375                         e = AUE_SEMCTL;
1376                         break;
1377                 }
1378                 break;
1379         case 1:         /* semget */
1380                 e = AUE_SEMGET;
1381                 break;
1382         case 2:         /* semop */
1383                 e = AUE_SEMOP;
1384                 break;
1385         default:        /* illegal system call */
1386                 e = AUE_NULL;
1387                 break;
1388         }
1389 
1390         return (e);
1391 }
1392 
1393 /* utssys - uname(2), ustat(2), fusers(2) */
1394 static au_event_t
1395 aui_utssys(au_event_t e)
1396 {
1397         klwp_t *clwp = ttolwp(curthread);
1398         uint_t type;
1399 
1400         struct a {
1401                 union {
1402                         long    cbuf;           /* char * */
1403                         long    ubuf;           /* struct stat * */
1404                 } ub;
1405                 union {
1406                         long    mv;     /* for USTAT */
1407                         long    flags;  /* for FUSERS */
1408                 } un;
1409                 long    type;
1410                 long    outbp;          /* char * for FUSERS */
1411         } *uap = (struct a *)clwp->lwp_ap;
1412 
1413         type = (uint_t)uap->type;
1414 
1415         if (type == UTS_FUSERS)
1416                 return (e);
1417         else
1418                 return ((au_event_t)AUE_NULL);
1419 }
1420 
1421 static au_event_t
1422 aui_fcntl(au_event_t e)
1423 {
1424         klwp_t *clwp = ttolwp(curthread);
1425         uint_t cmd;
1426 
1427         struct a {
1428                 long    fdes;
1429                 long    cmd;
1430                 long    arg;
1431         } *uap = (struct a *)clwp->lwp_ap;
1432 
1433         cmd = (uint_t)uap->cmd;
1434 
1435         switch (cmd) {
1436         case F_GETLK:
1437         case F_SETLK:
1438         case F_SETLKW:
1439                 break;
1440         case F_SETFL:
1441         case F_GETFL:
1442         case F_GETFD:
1443                 break;
1444         default:
1445                 e = (au_event_t)AUE_NULL;
1446                 break;
1447         }
1448         return ((au_event_t)e);
1449 }
1450 
1451 /* null function for now */
1452 static au_event_t
1453 aui_execve(au_event_t e)
1454 {
1455         return (e);
1456 }
1457 
1458 /*ARGSUSED*/
1459 static void
1460 aus_fcntl(struct t_audit_data *tad)
1461 {
1462         klwp_t *clwp = ttolwp(curthread);
1463         uint32_t cmd, fd, flags;
1464         struct file  *fp;
1465         struct vnode *vp;
1466         struct f_audit_data *fad;
1467 
1468         struct a {
1469                 long    fd;
1470                 long    cmd;
1471                 long    arg;
1472         } *uap = (struct a *)clwp->lwp_ap;
1473 
1474         cmd     = (uint32_t)uap->cmd;
1475         fd      = (uint32_t)uap->fd;
1476         flags   = (uint32_t)uap->arg;
1477 
1478         au_uwrite(au_to_arg32(2, "cmd", cmd));
1479 
1480         if (cmd == F_SETFL)
1481                 au_uwrite(au_to_arg32(3, "flags", flags));
1482 
1483                 /*
1484                  * convert file pointer to file descriptor
1485                  *   Note: fd ref count incremented here.
1486                  */
1487         if ((fp = getf(fd)) == NULL)
1488                 return;
1489 
1490         /* get path from file struct here */
1491         fad = F2A(fp);
1492         if (fad->fad_aupath != NULL) {
1493                 au_uwrite(au_to_path(fad->fad_aupath));
1494         } else {
1495                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1496         }
1497 
1498         vp = fp->f_vnode;
1499         audit_attributes(vp);
1500 
1501         /* decrement file descriptor reference count */
1502         releasef(fd);
1503 }
1504 
1505 /*ARGSUSED*/
1506 static void
1507 aus_kill(struct t_audit_data *tad)
1508 {
1509         klwp_t *clwp = ttolwp(curthread);
1510         struct proc *p;
1511         uint32_t signo;
1512         uid_t uid, ruid;
1513         gid_t gid, rgid;
1514         pid_t pid;
1515         const auditinfo_addr_t *ainfo;
1516         cred_t *cr;
1517 
1518         struct a {
1519                 long    pid;
1520                 long    signo;
1521         } *uap = (struct a *)clwp->lwp_ap;
1522 
1523         pid   = (pid_t)uap->pid;
1524         signo = (uint32_t)uap->signo;
1525 
1526         au_uwrite(au_to_arg32(2, "signal", signo));
1527         if (pid > 0) {
1528                 mutex_enter(&pidlock);
1529                 if (((p = prfind(pid)) == (struct proc *)0) ||
1530                     (p->p_stat == SIDL)) {
1531                         mutex_exit(&pidlock);
1532                         au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1533                         return;
1534                 }
1535                 mutex_enter(&p->p_lock); /* so process doesn't go away */
1536                 mutex_exit(&pidlock);
1537 
1538                 mutex_enter(&p->p_crlock);
1539                 crhold(cr = p->p_cred);
1540                 mutex_exit(&p->p_crlock);
1541                 mutex_exit(&p->p_lock);
1542 
1543                 ainfo = crgetauinfo(cr);
1544                 if (ainfo == NULL) {
1545                         crfree(cr);
1546                         au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1547                         return;
1548                 }
1549 
1550                 uid  = crgetuid(cr);
1551                 gid  = crgetgid(cr);
1552                 ruid = crgetruid(cr);
1553                 rgid = crgetrgid(cr);
1554                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1555                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1556 
1557                 if (is_system_labeled())
1558                         au_uwrite(au_to_label(CR_SL(cr)));
1559 
1560                 crfree(cr);
1561         }
1562         else
1563                 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1564 }
1565 
1566 /*ARGSUSED*/
1567 static void
1568 aus_mkdir(struct t_audit_data *tad)
1569 {
1570         klwp_t *clwp = ttolwp(curthread);
1571         uint32_t dmode;
1572 
1573         struct a {
1574                 long    dirnamep;               /* char * */
1575                 long    dmode;
1576         } *uap = (struct a *)clwp->lwp_ap;
1577 
1578         dmode = (uint32_t)uap->dmode;
1579 
1580         au_uwrite(au_to_arg32(2, "mode", dmode));
1581 }
1582 
1583 /*ARGSUSED*/
1584 static void
1585 aus_mkdirat(struct t_audit_data *tad)
1586 {
1587         klwp_t *clwp = ttolwp(curthread);
1588         uint32_t dmode;
1589 
1590         struct a {
1591                 long    fd;
1592                 long    dirnamep;               /* char * */
1593                 long    dmode;
1594         } *uap = (struct a *)clwp->lwp_ap;
1595 
1596         dmode = (uint32_t)uap->dmode;
1597 
1598         au_uwrite(au_to_arg32(2, "mode", dmode));
1599 }
1600 
1601 /*ARGSUSED*/
1602 static void
1603 aus_mknod(struct t_audit_data *tad)
1604 {
1605         klwp_t *clwp = ttolwp(curthread);
1606         uint32_t fmode;
1607         dev_t dev;
1608 
1609         struct a {
1610                 long    pnamep;         /* char * */
1611                 long    fmode;
1612                 long    dev;
1613         } *uap = (struct a *)clwp->lwp_ap;
1614 
1615         fmode = (uint32_t)uap->fmode;
1616         dev   = (dev_t)uap->dev;
1617 
1618         au_uwrite(au_to_arg32(2, "mode", fmode));
1619 #ifdef _LP64
1620         au_uwrite(au_to_arg64(3, "dev", dev));
1621 #else
1622         au_uwrite(au_to_arg32(3, "dev", dev));
1623 #endif
1624 }
1625 
1626 /*ARGSUSED*/
1627 static void
1628 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1629 {
1630         klwp_t *clwp = ttolwp(curthread);
1631         vnode_t *dvp;
1632         caddr_t pnamep;
1633 
1634         struct a {
1635                 long    pnamep;         /* char * */
1636                 long    fmode;
1637                 long    dev;
1638         } *uap = (struct a *)clwp->lwp_ap;
1639 
1640         /* no error, then already path token in audit record */
1641         if (error != EPERM && error != EINVAL)
1642                 return;
1643 
1644         /* do the lookup to force generation of path token */
1645         pnamep = (caddr_t)uap->pnamep;
1646         tad->tad_ctrl |= TAD_NOATTRB;
1647         error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1648         if (error == 0)
1649                 VN_RELE(dvp);
1650 }
1651 
1652 /*ARGSUSED*/
1653 static void
1654 aus_mknodat(struct t_audit_data *tad)
1655 {
1656         klwp_t *clwp = ttolwp(curthread);
1657         uint32_t fmode;
1658         dev_t dev;
1659 
1660         struct a {
1661                 long    fd;
1662                 long    pnamep;         /* char * */
1663                 long    fmode;
1664                 long    dev;
1665         } *uap = (struct a *)clwp->lwp_ap;
1666 
1667         fmode = (uint32_t)uap->fmode;
1668         dev   = (dev_t)uap->dev;
1669 
1670         au_uwrite(au_to_arg32(2, "mode", fmode));
1671 #ifdef _LP64
1672         au_uwrite(au_to_arg64(3, "dev", dev));
1673 #else
1674         au_uwrite(au_to_arg32(3, "dev", dev));
1675 #endif
1676 }
1677 
1678 /*ARGSUSED*/
1679 static void
1680 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1681 {
1682         klwp_t *clwp = ttolwp(curthread);
1683         vnode_t *startvp;
1684         vnode_t *dvp;
1685         caddr_t pnamep;
1686         int fd;
1687 
1688         struct a {
1689                 long    fd;
1690                 long    pnamep;         /* char * */
1691                 long    fmode;
1692                 long    dev;
1693         } *uap = (struct a *)clwp->lwp_ap;
1694 
1695         /* no error, then already path token in audit record */
1696         if (error != EPERM && error != EINVAL)
1697                 return;
1698 
1699         /* do the lookup to force generation of path token */
1700         fd = (int)uap->fd;
1701         pnamep = (caddr_t)uap->pnamep;
1702         if (pnamep == NULL ||
1703             fgetstartvp(fd, pnamep, &startvp) != 0)
1704                 return;
1705         tad->tad_ctrl |= TAD_NOATTRB;
1706         error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1707             startvp);
1708         if (error == 0)
1709                 VN_RELE(dvp);
1710         if (startvp != NULL)
1711                 VN_RELE(startvp);
1712 }
1713 
1714 /*ARGSUSED*/
1715 static void
1716 aus_mount(struct t_audit_data *tad)
1717 {
1718         /* AUS_START */
1719         klwp_t *clwp = ttolwp(curthread);
1720         uint32_t flags;
1721         uintptr_t u_fstype, dataptr;
1722         STRUCT_DECL(nfs_args, nfsargs);
1723         size_t len;
1724         char *fstype, *hostname;
1725 
1726         struct a {
1727                 long    spec;           /* char    * */
1728                 long    dir;            /* char    * */
1729                 long    flags;
1730                 long    fstype;         /* char    * */
1731                 long    dataptr;        /* char    * */
1732                 long    datalen;
1733         } *uap = (struct a *)clwp->lwp_ap;
1734 
1735         u_fstype = (uintptr_t)uap->fstype;
1736         flags    = (uint32_t)uap->flags;
1737         dataptr  = (uintptr_t)uap->dataptr;
1738 
1739         fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1740         if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1741                 goto mount_free_fstype;
1742 
1743         au_uwrite(au_to_arg32(3, "flags", flags));
1744         au_uwrite(au_to_text(fstype));
1745 
1746         if (strncmp(fstype, "nfs", 3) == 0) {
1747 
1748                 STRUCT_INIT(nfsargs, get_udatamodel());
1749                 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1750 
1751                 if (copyin((caddr_t)dataptr, STRUCT_BUF(nfsargs),
1752                     MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1753                         /* DEBUG debug_enter((char *)NULL); */
1754                         goto mount_free_fstype;
1755                 }
1756                 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1757                 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1758                     (caddr_t)hostname, MAXNAMELEN, &len)) {
1759                         goto mount_free_hostname;
1760                 }
1761                 au_uwrite(au_to_text(hostname));
1762                 au_uwrite(au_to_arg32(3, "internal flags",
1763                     (uint_t)STRUCT_FGET(nfsargs, flags)));
1764 
1765 mount_free_hostname:
1766                 kmem_free(hostname, MAXNAMELEN);
1767         }
1768 
1769 mount_free_fstype:
1770         kmem_free(fstype, MAXNAMELEN);
1771 }       /* AUS_MOUNT */
1772 
1773 static void
1774 aus_umount_path(caddr_t umount_dir)
1775 {
1776         char                    *dir_path;
1777         struct audit_path       *path;
1778         size_t                  path_len, dir_len;
1779 
1780         /* length alloc'd for two string pointers */
1781         path_len = sizeof (struct audit_path) + sizeof (char *);
1782         path = kmem_alloc(path_len, KM_SLEEP);
1783         dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1784 
1785         if (copyinstr(umount_dir, (caddr_t)dir_path,
1786             MAXPATHLEN, &dir_len))
1787                 goto umount2_free_dir;
1788 
1789         /*
1790          * the audit_path struct assumes that the buffer pointed to
1791          * by audp_sect[n] contains string 0 immediatedly followed
1792          * by string 1.
1793          */
1794         path->audp_sect[0] = dir_path;
1795         path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1796         path->audp_size = path_len;
1797         path->audp_ref = 1;          /* not used */
1798         path->audp_cnt = 1;          /* one path string */
1799 
1800         au_uwrite(au_to_path(path));
1801 
1802 umount2_free_dir:
1803         kmem_free(dir_path, MAXPATHLEN);
1804         kmem_free(path, path_len);
1805 }
1806 
1807 /*ARGSUSED*/
1808 static void
1809 aus_umount2(struct t_audit_data *tad)
1810 {
1811         klwp_t                  *clwp = ttolwp(curthread);
1812         struct a {
1813                 long    dir;            /* char    * */
1814                 long    flags;
1815         } *uap = (struct a *)clwp->lwp_ap;
1816 
1817         aus_umount_path((caddr_t)uap->dir);
1818 
1819         au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1820 }
1821 
1822 static void
1823 aus_msgsys(struct t_audit_data *tad)
1824 {
1825         klwp_t *clwp = ttolwp(curthread);
1826         uint32_t msgid;
1827 
1828         struct b {
1829                 long    msgid;
1830                 long    cmd;
1831                 long    buf;            /* struct msqid_ds * */
1832         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1833 
1834         msgid = (uint32_t)uap1->msgid;
1835 
1836 
1837         switch (tad->tad_event) {
1838         case AUE_MSGGET:                /* msgget */
1839                 au_uwrite(au_to_arg32(1, "msg key", msgid));
1840                 break;
1841         case AUE_MSGCTL:                /* msgctl */
1842         case AUE_MSGCTL_RMID:           /* msgctl */
1843         case AUE_MSGCTL_SET:            /* msgctl */
1844         case AUE_MSGCTL_STAT:           /* msgctl */
1845         case AUE_MSGRCV:                /* msgrcv */
1846         case AUE_MSGSND:                /* msgsnd */
1847                 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1848                 break;
1849         }
1850 }
1851 
1852 /*ARGSUSED*/
1853 static void
1854 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1855 {
1856         int id;
1857 
1858         if (error != 0)
1859                 return;
1860         if (tad->tad_event == AUE_MSGGET) {
1861                 uint32_t scid;
1862                 uint32_t sy_flags;
1863 
1864                 /* need to determine type of executing binary */
1865                 scid = tad->tad_scid;
1866 #ifdef _SYSCALL32_IMPL
1867                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1868                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1869                 else
1870                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1871 #else
1872                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1873 #endif
1874                 if (sy_flags == SE_32RVAL1)
1875                         id = rval->r_val1;
1876                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1877                         id = rval->r_val1;
1878                 if (sy_flags == SE_64RVAL)
1879                         id = (int)rval->r_vals;
1880 
1881                 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1882         }
1883 }
1884 
1885 static void
1886 aus_semsys(struct t_audit_data *tad)
1887 {
1888         klwp_t *clwp = ttolwp(curthread);
1889         uint32_t semid;
1890 
1891         struct b {              /* ctrl */
1892                 long    semid;
1893                 long    semnum;
1894                 long    cmd;
1895                 long    arg;
1896         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1897 
1898         semid = (uint32_t)uap1->semid;
1899 
1900         switch (tad->tad_event) {
1901         case AUE_SEMCTL_RMID:
1902         case AUE_SEMCTL_STAT:
1903         case AUE_SEMCTL_GETNCNT:
1904         case AUE_SEMCTL_GETPID:
1905         case AUE_SEMCTL_GETVAL:
1906         case AUE_SEMCTL_GETALL:
1907         case AUE_SEMCTL_GETZCNT:
1908         case AUE_SEMCTL_SET:
1909         case AUE_SEMCTL_SETVAL:
1910         case AUE_SEMCTL_SETALL:
1911         case AUE_SEMCTL:
1912         case AUE_SEMOP:
1913                 au_uwrite(au_to_arg32(1, "sem ID", semid));
1914                 break;
1915         case AUE_SEMGET:
1916                 au_uwrite(au_to_arg32(1, "sem key", semid));
1917                 break;
1918         }
1919 }
1920 
1921 /*ARGSUSED*/
1922 static void
1923 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1924 {
1925         int id;
1926 
1927         if (error != 0)
1928                 return;
1929         if (tad->tad_event == AUE_SEMGET) {
1930                 uint32_t scid;
1931                 uint32_t sy_flags;
1932 
1933                 /* need to determine type of executing binary */
1934                 scid = tad->tad_scid;
1935 #ifdef _SYSCALL32_IMPL
1936                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1937                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1938                 else
1939                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1940 #else
1941                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1942 #endif
1943                 if (sy_flags == SE_32RVAL1)
1944                         id = rval->r_val1;
1945                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1946                         id = rval->r_val1;
1947                 if (sy_flags == SE_64RVAL)
1948                         id = (int)rval->r_vals;
1949 
1950                 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1951         }
1952 }
1953 
1954 /*ARGSUSED*/
1955 static void
1956 aus_close(struct t_audit_data *tad)
1957 {
1958         klwp_t *clwp = ttolwp(curthread);
1959         uint32_t fd;
1960         struct file *fp;
1961         struct f_audit_data *fad;
1962         struct vnode *vp;
1963         struct vattr attr;
1964         au_kcontext_t   *kctx = GET_KCTX_PZ;
1965 
1966         struct a {
1967                 long    i;
1968         } *uap = (struct a *)clwp->lwp_ap;
1969 
1970         fd = (uint32_t)uap->i;
1971 
1972         attr.va_mask = 0;
1973         au_uwrite(au_to_arg32(1, "fd", fd));
1974 
1975                 /*
1976                  * convert file pointer to file descriptor
1977                  *   Note: fd ref count incremented here.
1978                  */
1979         if ((fp = getf(fd)) == NULL)
1980                 return;
1981 
1982         fad = F2A(fp);
1983         tad->tad_evmod = (au_emod_t)fad->fad_flags;
1984         if (fad->fad_aupath != NULL) {
1985                 au_uwrite(au_to_path(fad->fad_aupath));
1986                 if ((vp = fp->f_vnode) != NULL) {
1987                         attr.va_mask = AT_ALL;
1988                         if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1989                                 /*
1990                                  * When write was not used and the file can be
1991                                  * considered public, skip the audit.
1992                                  */
1993                                 if (((fp->f_flag & FWRITE) == 0) &&
1994                                     object_is_public(&attr)) {
1995                                         tad->tad_flag = 0;
1996                                         tad->tad_evmod = 0;
1997                                         /* free any residual audit data */
1998                                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1999                                         releasef(fd);
2000                                         return;
2001                                 }
2002                                 au_uwrite(au_to_attr(&attr));
2003                                 audit_sec_attributes(&(u_ad), vp);
2004                         }
2005                 }
2006         }
2007 
2008         /* decrement file descriptor reference count */
2009         releasef(fd);
2010 }
2011 
2012 /*ARGSUSED*/
2013 static void
2014 aus_fstatfs(struct t_audit_data *tad)
2015 {
2016         klwp_t *clwp = ttolwp(curthread);
2017         uint32_t fd;
2018         struct file  *fp;
2019         struct vnode *vp;
2020         struct f_audit_data *fad;
2021 
2022         struct a {
2023                 long    fd;
2024                 long    buf;            /* struct statfs * */
2025         } *uap = (struct a *)clwp->lwp_ap;
2026 
2027         fd = (uint_t)uap->fd;
2028 
2029                 /*
2030                  * convert file pointer to file descriptor
2031                  *   Note: fd ref count incremented here.
2032                  */
2033         if ((fp = getf(fd)) == NULL)
2034                 return;
2035 
2036                 /* get path from file struct here */
2037         fad = F2A(fp);
2038         if (fad->fad_aupath != NULL) {
2039                 au_uwrite(au_to_path(fad->fad_aupath));
2040         } else {
2041                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2042         }
2043 
2044         vp = fp->f_vnode;
2045         audit_attributes(vp);
2046 
2047         /* decrement file descriptor reference count */
2048         releasef(fd);
2049 }
2050 
2051 static au_event_t
2052 aui_setpgrp(au_event_t e)
2053 {
2054         klwp_t *clwp = ttolwp(curthread);
2055         int flag;
2056 
2057         struct a {
2058                 long    flag;
2059                 long    pid;
2060                 long    pgid;
2061         } *uap = (struct a *)clwp->lwp_ap;
2062 
2063         flag = (int)uap->flag;
2064 
2065 
2066         switch (flag) {
2067 
2068         case 1: /* setpgrp() */
2069                 e = AUE_SETPGRP;
2070                 break;
2071 
2072         case 3: /* setsid() */
2073                 e = AUE_SETSID;
2074                 break;
2075 
2076         case 5: /* setpgid() */
2077                 e = AUE_SETPGID;
2078                 break;
2079 
2080         case 0: /* getpgrp()    - not security relevant */
2081         case 2: /* getsid()     - not security relevant */
2082         case 4: /* getpgid()    - not security relevant */
2083                 e = AUE_NULL;
2084                 break;
2085 
2086         default:
2087                 e = AUE_NULL;
2088                 break;
2089         }
2090 
2091         return (e);
2092 }
2093 
2094 /*ARGSUSED*/
2095 static void
2096 aus_setpgrp(struct t_audit_data *tad)
2097 {
2098         klwp_t          *clwp = ttolwp(curthread);
2099         pid_t           pgid;
2100         struct proc     *p;
2101         uid_t           uid, ruid;
2102         gid_t           gid, rgid;
2103         pid_t           pid;
2104         cred_t          *cr;
2105         int             flag;
2106         const auditinfo_addr_t  *ainfo;
2107 
2108         struct a {
2109                 long    flag;
2110                 long    pid;
2111                 long    pgid;
2112         } *uap = (struct a *)clwp->lwp_ap;
2113 
2114         flag = (int)uap->flag;
2115         pid  = (pid_t)uap->pid;
2116         pgid = (pid_t)uap->pgid;
2117 
2118 
2119         switch (flag) {
2120 
2121         case 0: /* getpgrp() */
2122         case 1: /* setpgrp() */
2123         case 2: /* getsid() */
2124         case 3: /* setsid() */
2125         case 4: /* getpgid() */
2126                 break;
2127 
2128         case 5: /* setpgid() */
2129 
2130                 /* current process? */
2131                 if (pid == 0) {
2132                         return;
2133                 }
2134 
2135                 mutex_enter(&pidlock);
2136                 p = prfind(pid);
2137                 if (p == NULL || p->p_as == &kas ||
2138                     p->p_stat == SIDL || p->p_stat == SZOMB) {
2139                         mutex_exit(&pidlock);
2140                         return;
2141                 }
2142                 mutex_enter(&p->p_lock); /* so process doesn't go away */
2143                 mutex_exit(&pidlock);
2144 
2145                 mutex_enter(&p->p_crlock);
2146                 crhold(cr = p->p_cred);
2147                 mutex_exit(&p->p_crlock);
2148                 mutex_exit(&p->p_lock);
2149 
2150                 ainfo = crgetauinfo(cr);
2151                 if (ainfo == NULL) {
2152                         crfree(cr);
2153                         return;
2154                 }
2155 
2156                 uid  = crgetuid(cr);
2157                 gid  = crgetgid(cr);
2158                 ruid = crgetruid(cr);
2159                 rgid = crgetrgid(cr);
2160                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2161                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2162                 crfree(cr);
2163                 au_uwrite(au_to_arg32(2, "pgid", pgid));
2164                 break;
2165 
2166         default:
2167                 break;
2168         }
2169 }
2170 
2171 
2172 /*ARGSUSED*/
2173 static void
2174 aus_setregid(struct t_audit_data *tad)
2175 {
2176         klwp_t *clwp = ttolwp(curthread);
2177         uint32_t rgid, egid;
2178 
2179         struct a {
2180                 long     rgid;
2181                 long     egid;
2182         } *uap = (struct a *)clwp->lwp_ap;
2183 
2184         rgid  = (uint32_t)uap->rgid;
2185         egid  = (uint32_t)uap->egid;
2186 
2187         au_uwrite(au_to_arg32(1, "rgid", rgid));
2188         au_uwrite(au_to_arg32(2, "egid", egid));
2189 }
2190 
2191 /*ARGSUSED*/
2192 static void
2193 aus_setgid(struct t_audit_data *tad)
2194 {
2195         klwp_t *clwp = ttolwp(curthread);
2196         uint32_t gid;
2197 
2198         struct a {
2199                 long    gid;
2200         } *uap = (struct a *)clwp->lwp_ap;
2201 
2202         gid = (uint32_t)uap->gid;
2203 
2204         au_uwrite(au_to_arg32(1, "gid", gid));
2205 }
2206 
2207 
2208 /*ARGSUSED*/
2209 static void
2210 aus_setreuid(struct t_audit_data *tad)
2211 {
2212         klwp_t *clwp = ttolwp(curthread);
2213         uint32_t ruid, euid;
2214 
2215         struct a {
2216                 long    ruid;
2217                 long    euid;
2218         } *uap = (struct a *)clwp->lwp_ap;
2219 
2220         ruid = (uint32_t)uap->ruid;
2221         euid  = (uint32_t)uap->euid;
2222 
2223         au_uwrite(au_to_arg32(1, "ruid", ruid));
2224         au_uwrite(au_to_arg32(2, "euid", euid));
2225 }
2226 
2227 
2228 /*ARGSUSED*/
2229 static void
2230 aus_setuid(struct t_audit_data *tad)
2231 {
2232         klwp_t *clwp = ttolwp(curthread);
2233         uint32_t uid;
2234 
2235         struct a {
2236                 long    uid;
2237         } *uap = (struct a *)clwp->lwp_ap;
2238 
2239         uid = (uint32_t)uap->uid;
2240 
2241         au_uwrite(au_to_arg32(1, "uid", uid));
2242 }
2243 
2244 /*ARGSUSED*/
2245 static void
2246 aus_shmsys(struct t_audit_data *tad)
2247 {
2248         klwp_t *clwp = ttolwp(curthread);
2249         uint32_t id, cmd;
2250 
2251         struct b {
2252                 long    id;
2253                 long    cmd;
2254                 long    buf;            /* struct shmid_ds * */
2255         } *uap1 = (struct b *)&clwp->lwp_ap[1];
2256 
2257         id  = (uint32_t)uap1->id;
2258         cmd = (uint32_t)uap1->cmd;
2259 
2260         switch (tad->tad_event) {
2261         case AUE_SHMGET:                        /* shmget */
2262                 au_uwrite(au_to_arg32(1, "shm key", id));
2263                 break;
2264         case AUE_SHMCTL:                        /* shmctl */
2265         case AUE_SHMCTL_RMID:                   /* shmctl */
2266         case AUE_SHMCTL_STAT:                   /* shmctl */
2267         case AUE_SHMCTL_SET:                    /* shmctl */
2268                 au_uwrite(au_to_arg32(1, "shm ID", id));
2269                 break;
2270         case AUE_SHMDT:                         /* shmdt */
2271                 au_uwrite(au_to_arg32(1, "shm adr", id));
2272                 break;
2273         case AUE_SHMAT:                         /* shmat */
2274                 au_uwrite(au_to_arg32(1, "shm ID", id));
2275                 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2276                 break;
2277         }
2278 }
2279 
2280 /*ARGSUSED*/
2281 static void
2282 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2283 {
2284         int id;
2285 
2286         if (error != 0)
2287                 return;
2288         if (tad->tad_event == AUE_SHMGET) {
2289                 uint32_t scid;
2290                 uint32_t sy_flags;
2291 
2292                 /* need to determine type of executing binary */
2293                 scid = tad->tad_scid;
2294 #ifdef _SYSCALL32_IMPL
2295                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2296                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2297                 else
2298                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2299 #else
2300                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2301 #endif
2302                 if (sy_flags == SE_32RVAL1)
2303                         id = rval->r_val1;
2304                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2305                         id = rval->r_val1;
2306                 if (sy_flags == SE_64RVAL)
2307                         id = (int)rval->r_vals;
2308                 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2309         }
2310 }
2311 
2312 
2313 /*ARGSUSED*/
2314 static void
2315 aus_ioctl(struct t_audit_data *tad)
2316 {
2317         klwp_t *clwp = ttolwp(curthread);
2318         struct file *fp;
2319         struct vnode *vp;
2320         struct f_audit_data *fad;
2321         uint32_t fd, cmd;
2322         uintptr_t cmarg;
2323 
2324         /* XX64 */
2325         struct a {
2326                 long    fd;
2327                 long    cmd;
2328                 long    cmarg;          /* caddr_t */
2329         } *uap = (struct a *)clwp->lwp_ap;
2330 
2331         fd    = (uint32_t)uap->fd;
2332         cmd   = (uint32_t)uap->cmd;
2333         cmarg = (uintptr_t)uap->cmarg;
2334 
2335                 /*
2336                  * convert file pointer to file descriptor
2337                  *   Note: fd ref count incremented here.
2338                  */
2339         if ((fp = getf(fd)) == NULL) {
2340                 au_uwrite(au_to_arg32(1, "fd", fd));
2341                 au_uwrite(au_to_arg32(2, "cmd", cmd));
2342 #ifndef _LP64
2343                 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2344 #else
2345                 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2346 #endif
2347                 return;
2348         }
2349 
2350         /* get path from file struct here */
2351         fad = F2A(fp);
2352         if (fad->fad_aupath != NULL) {
2353                 au_uwrite(au_to_path(fad->fad_aupath));
2354         } else {
2355                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2356         }
2357 
2358         vp = fp->f_vnode;
2359         audit_attributes(vp);
2360 
2361         /* decrement file descriptor reference count */
2362         releasef(fd);
2363 
2364         au_uwrite(au_to_arg32(2, "cmd", cmd));
2365 #ifndef _LP64
2366         au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2367 #else
2368         au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2369 #endif
2370 }
2371 
2372 /*
2373  * null function for memcntl for now. We might want to limit memcntl()
2374  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2375  * require privileges.
2376  */
2377 static au_event_t
2378 aui_memcntl(au_event_t e)
2379 {
2380         return (e);
2381 }
2382 
2383 /*ARGSUSED*/
2384 static au_event_t
2385 aui_privsys(au_event_t e)
2386 {
2387         klwp_t *clwp = ttolwp(curthread);
2388 
2389         struct a {
2390                 long    opcode;
2391         } *uap = (struct a *)clwp->lwp_ap;
2392 
2393         switch (uap->opcode) {
2394         case PRIVSYS_SETPPRIV:
2395                 return (AUE_SETPPRIV);
2396         default:
2397                 return (AUE_NULL);
2398         }
2399 }
2400 
2401 /*ARGSUSED*/
2402 static void
2403 aus_memcntl(struct t_audit_data *tad)
2404 {
2405         klwp_t *clwp = ttolwp(curthread);
2406 
2407         struct a {
2408                 long    addr;
2409                 long    len;
2410                 long    cmd;
2411                 long    arg;
2412                 long    attr;
2413                 long    mask;
2414         } *uap = (struct a *)clwp->lwp_ap;
2415 
2416 #ifdef _LP64
2417         au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2418         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2419 #else
2420         au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2421         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2422 #endif
2423         au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2424 #ifdef _LP64
2425         au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2426 #else
2427         au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2428 #endif
2429         au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2430         au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2431 }
2432 
2433 /*ARGSUSED*/
2434 static void
2435 aus_mmap(struct t_audit_data *tad)
2436 {
2437         klwp_t *clwp = ttolwp(curthread);
2438         struct file *fp;
2439         struct f_audit_data *fad;
2440         struct vnode *vp;
2441         uint32_t fd;
2442 
2443         struct a {
2444                 long    addr;
2445                 long    len;
2446                 long    prot;
2447                 long    flags;
2448                 long    fd;
2449                 long    pos;
2450         } *uap = (struct a *)clwp->lwp_ap;
2451 
2452         fd = (uint32_t)uap->fd;
2453 
2454 #ifdef _LP64
2455         au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2456         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2457 #else
2458         au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2459         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2460 #endif
2461 
2462         if ((fp = getf(fd)) == NULL) {
2463                 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2464                 return;
2465         }
2466 
2467         /*
2468          * Mark in the tad if write access is NOT requested... if
2469          * this is later detected (in audit_attributes) to be a
2470          * public object, the mmap event may be discarded.
2471          */
2472         if (((uap->prot) & PROT_WRITE) == 0) {
2473                 tad->tad_ctrl |= TAD_PUBLIC_EV;
2474         }
2475 
2476         fad = F2A(fp);
2477         if (fad->fad_aupath != NULL) {
2478                 au_uwrite(au_to_path(fad->fad_aupath));
2479         } else {
2480                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2481         }
2482 
2483         vp = (struct vnode *)fp->f_vnode;
2484         audit_attributes(vp);
2485 
2486         /* mark READ/WRITE since we can't predict access */
2487         if (uap->prot & PROT_READ)
2488                 fad->fad_flags |= FAD_READ;
2489         if (uap->prot & PROT_WRITE)
2490                 fad->fad_flags |= FAD_WRITE;
2491 
2492         /* decrement file descriptor reference count */
2493         releasef(fd);
2494 
2495 }       /* AUS_MMAP */
2496 
2497 
2498 
2499 
2500 /*ARGSUSED*/
2501 static void
2502 aus_munmap(struct t_audit_data *tad)
2503 {
2504         klwp_t *clwp = ttolwp(curthread);
2505 
2506         struct a {
2507                 long    addr;
2508                 long    len;
2509         } *uap = (struct a *)clwp->lwp_ap;
2510 
2511 #ifdef _LP64
2512         au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2513         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2514 #else
2515         au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2516         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2517 #endif
2518 
2519 }       /* AUS_MUNMAP */
2520 
2521 
2522 
2523 
2524 
2525 
2526 
2527 /*ARGSUSED*/
2528 static void
2529 aus_priocntlsys(struct t_audit_data *tad)
2530 {
2531         klwp_t *clwp = ttolwp(curthread);
2532 
2533         struct a {
2534                 long    pc_version;
2535                 long    psp;            /* procset_t */
2536                 long    cmd;
2537                 long    arg;
2538         } *uap = (struct a *)clwp->lwp_ap;
2539 
2540         au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2541         au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2542 
2543 }       /* AUS_PRIOCNTLSYS */
2544 
2545 
2546 /*ARGSUSED*/
2547 static void
2548 aus_setegid(struct t_audit_data *tad)
2549 {
2550         klwp_t *clwp = ttolwp(curthread);
2551         uint32_t gid;
2552 
2553         struct a {
2554                 long    gid;
2555         } *uap = (struct a *)clwp->lwp_ap;
2556 
2557         gid = (uint32_t)uap->gid;
2558 
2559         au_uwrite(au_to_arg32(1, "gid", gid));
2560 }       /* AUS_SETEGID */
2561 
2562 
2563 
2564 
2565 /*ARGSUSED*/
2566 static void
2567 aus_setgroups(struct t_audit_data *tad)
2568 {
2569         klwp_t *clwp = ttolwp(curthread);
2570         int i;
2571         int gidsetsize;
2572         uintptr_t gidset;
2573         gid_t *gidlist;
2574 
2575         struct a {
2576                 long    gidsetsize;
2577                 long    gidset;
2578         } *uap = (struct a *)clwp->lwp_ap;
2579 
2580         gidsetsize = (uint_t)uap->gidsetsize;
2581         gidset = (uintptr_t)uap->gidset;
2582 
2583         if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2584                 return;
2585         if (gidsetsize != 0) {
2586                 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2587                     KM_SLEEP);
2588                 if (copyin((caddr_t)gidset, gidlist,
2589                     gidsetsize * sizeof (gid_t)) == 0)
2590                         for (i = 0; i < gidsetsize; i++)
2591                                 au_uwrite(au_to_arg32(1, "setgroups",
2592                                     (uint32_t)gidlist[i]));
2593                 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2594         } else
2595                 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2596 
2597 }       /* AUS_SETGROUPS */
2598 
2599 
2600 
2601 
2602 
2603 /*ARGSUSED*/
2604 static void
2605 aus_seteuid(struct t_audit_data *tad)
2606 {
2607         klwp_t *clwp = ttolwp(curthread);
2608         uint32_t uid;
2609 
2610         struct a {
2611                 long    uid;
2612         } *uap = (struct a *)clwp->lwp_ap;
2613 
2614         uid = (uint32_t)uap->uid;
2615 
2616         au_uwrite(au_to_arg32(1, "euid", uid));
2617 
2618 }       /* AUS_SETEUID */
2619 
2620 /*ARGSUSED*/
2621 static void
2622 aus_putmsg(struct t_audit_data *tad)
2623 {
2624         klwp_t *clwp = ttolwp(curthread);
2625         uint32_t fd, pri;
2626         struct file *fp;
2627         struct f_audit_data *fad;
2628 
2629         struct a {
2630                 long    fdes;
2631                 long    ctl;            /* struct strbuf * */
2632                 long    data;           /* struct strbuf * */
2633                 long    pri;
2634         } *uap = (struct a *)clwp->lwp_ap;
2635 
2636         fd  = (uint32_t)uap->fdes;
2637         pri = (uint32_t)uap->pri;
2638 
2639         au_uwrite(au_to_arg32(1, "fd", fd));
2640 
2641         if ((fp = getf(fd)) != NULL) {
2642                 fad = F2A(fp);
2643 
2644                 fad->fad_flags |= FAD_WRITE;
2645 
2646                 /* add path name to audit record */
2647                 if (fad->fad_aupath != NULL) {
2648                         au_uwrite(au_to_path(fad->fad_aupath));
2649                 }
2650                 audit_attributes(fp->f_vnode);
2651 
2652                 releasef(fd);
2653         }
2654 
2655         au_uwrite(au_to_arg32(4, "pri", pri));
2656 }
2657 
2658 /*ARGSUSED*/
2659 static void
2660 aus_putpmsg(struct t_audit_data *tad)
2661 {
2662         klwp_t *clwp = ttolwp(curthread);
2663         uint32_t fd, pri, flags;
2664         struct file *fp;
2665         struct f_audit_data *fad;
2666 
2667         struct a {
2668                 long    fdes;
2669                 long    ctl;            /* struct strbuf * */
2670                 long    data;           /* struct strbuf * */
2671                 long    pri;
2672                 long    flags;
2673         } *uap = (struct a *)clwp->lwp_ap;
2674 
2675         fd = (uint32_t)uap->fdes;
2676         pri  = (uint32_t)uap->pri;
2677         flags  = (uint32_t)uap->flags;
2678 
2679         au_uwrite(au_to_arg32(1, "fd", fd));
2680 
2681         if ((fp = getf(fd)) != NULL) {
2682                 fad = F2A(fp);
2683 
2684                 fad->fad_flags |= FAD_WRITE;
2685 
2686                 /* add path name to audit record */
2687                 if (fad->fad_aupath != NULL) {
2688                         au_uwrite(au_to_path(fad->fad_aupath));
2689                 }
2690                 audit_attributes(fp->f_vnode);
2691 
2692                 releasef(fd);
2693         }
2694 
2695 
2696         au_uwrite(au_to_arg32(4, "pri", pri));
2697         au_uwrite(au_to_arg32(5, "flags", flags));
2698 }
2699 
2700 /*ARGSUSED*/
2701 static void
2702 aus_getmsg(struct t_audit_data *tad)
2703 {
2704         klwp_t *clwp = ttolwp(curthread);
2705         uint32_t fd, pri;
2706         struct file *fp;
2707         struct f_audit_data *fad;
2708 
2709         struct a {
2710                 long    fdes;
2711                 long    ctl;            /* struct strbuf * */
2712                 long    data;           /* struct strbuf * */
2713                 long    pri;
2714         } *uap = (struct a *)clwp->lwp_ap;
2715 
2716         fd  = (uint32_t)uap->fdes;
2717         pri = (uint32_t)uap->pri;
2718 
2719         au_uwrite(au_to_arg32(1, "fd", fd));
2720 
2721         if ((fp = getf(fd)) != NULL) {
2722                 fad = F2A(fp);
2723 
2724                 /*
2725                  * read operation on this object
2726                  */
2727                 fad->fad_flags |= FAD_READ;
2728 
2729                 /* add path name to audit record */
2730                 if (fad->fad_aupath != NULL) {
2731                         au_uwrite(au_to_path(fad->fad_aupath));
2732                 }
2733                 audit_attributes(fp->f_vnode);
2734 
2735                 releasef(fd);
2736         }
2737 
2738         au_uwrite(au_to_arg32(4, "pri", pri));
2739 }
2740 
2741 /*ARGSUSED*/
2742 static void
2743 aus_getpmsg(struct t_audit_data *tad)
2744 {
2745         klwp_t *clwp = ttolwp(curthread);
2746         uint32_t fd;
2747         struct file *fp;
2748         struct f_audit_data *fad;
2749 
2750         struct a {
2751                 long    fdes;
2752                 long    ctl;            /* struct strbuf * */
2753                 long    data;           /* struct strbuf * */
2754                 long    pri;
2755                 long    flags;
2756         } *uap = (struct a *)clwp->lwp_ap;
2757 
2758         fd = (uint32_t)uap->fdes;
2759 
2760         au_uwrite(au_to_arg32(1, "fd", fd));
2761 
2762         if ((fp = getf(fd)) != NULL) {
2763                 fad = F2A(fp);
2764 
2765                 /*
2766                  * read operation on this object
2767                  */
2768                 fad->fad_flags |= FAD_READ;
2769 
2770                 /* add path name to audit record */
2771                 if (fad->fad_aupath != NULL) {
2772                         au_uwrite(au_to_path(fad->fad_aupath));
2773                 }
2774                 audit_attributes(fp->f_vnode);
2775 
2776                 releasef(fd);
2777         }
2778 }
2779 
2780 static au_event_t
2781 aui_labelsys(au_event_t e)
2782 {
2783         klwp_t *clwp = ttolwp(curthread);
2784         uint32_t code;
2785         uint32_t cmd;
2786 
2787         struct a {
2788                 long    code;
2789                 long    cmd;
2790         } *uap = (struct a *)clwp->lwp_ap;
2791 
2792         code = (uint32_t)uap->code;
2793         cmd = (uint32_t)uap->cmd;
2794 
2795         /* not security relevant if not changing kernel cache */
2796         if (cmd == TNDB_GET)
2797                 return (AUE_NULL);
2798 
2799         switch (code) {
2800         case TSOL_TNRH:
2801                 e = AUE_LABELSYS_TNRH;
2802                 break;
2803         case TSOL_TNRHTP:
2804                 e = AUE_LABELSYS_TNRHTP;
2805                 break;
2806         case TSOL_TNMLP:
2807                 e = AUE_LABELSYS_TNMLP;
2808                 break;
2809         default:
2810                 e = AUE_NULL;
2811                 break;
2812         }
2813 
2814         return (e);
2815 
2816 }
2817 
2818 static void
2819 aus_labelsys(struct t_audit_data *tad)
2820 {
2821         klwp_t *clwp = ttolwp(curthread);
2822         uint32_t cmd;
2823         uintptr_t a2;
2824 
2825         struct a {
2826                 long    code;
2827                 long    cmd;
2828                 long    a2;
2829         } *uap = (struct a *)clwp->lwp_ap;
2830 
2831         cmd = (uint32_t)uap->cmd;
2832         a2 = (uintptr_t)uap->a2;
2833 
2834         switch (tad->tad_event) {
2835         case AUE_LABELSYS_TNRH:
2836         {
2837                 tsol_rhent_t    *rhent;
2838                 tnaddr_t        *rh_addr;
2839 
2840                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2841 
2842                 /* Remaining args don't apply for FLUSH, so skip */
2843                 if (cmd == TNDB_FLUSH)
2844                         break;
2845 
2846                 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2847                 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2848                         kmem_free(rhent, sizeof (tsol_rhent_t));
2849                         return;
2850                 }
2851 
2852                 rh_addr = &rhent->rh_address;
2853                 if (rh_addr->ta_family == AF_INET) {
2854                         struct in_addr  *ipaddr;
2855 
2856                         ipaddr = &(rh_addr->ta_addr_v4);
2857                         au_uwrite(au_to_in_addr(ipaddr));
2858                 } else if (rh_addr->ta_family == AF_INET6) {
2859                         int32_t         *ipaddr;
2860 
2861                         ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2862                         au_uwrite(au_to_in_addr_ex(ipaddr));
2863                 }
2864                 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2865 
2866                 kmem_free(rhent, sizeof (tsol_rhent_t));
2867 
2868                 break;
2869         }
2870         case AUE_LABELSYS_TNRHTP:
2871         {
2872                 tsol_tpent_t    *tpent;
2873 
2874                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2875 
2876                 /* Remaining args don't apply for FLUSH, so skip */
2877                 if (cmd == TNDB_FLUSH)
2878                         break;
2879 
2880                 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2881                 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2882                         kmem_free(tpent, sizeof (tsol_tpent_t));
2883                         return;
2884                 }
2885 
2886                 /* Make sure that the template name is null-terminated. */
2887                 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2888 
2889                 au_uwrite(au_to_text(tpent->name));
2890                 kmem_free(tpent, sizeof (tsol_tpent_t));
2891 
2892                 break;
2893         }
2894         case AUE_LABELSYS_TNMLP:
2895         {
2896                 tsol_mlpent_t   *mlpent;
2897 
2898                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2899 
2900                 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2901                 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2902                         kmem_free(mlpent, sizeof (tsol_mlpent_t));
2903                         return;
2904                 }
2905 
2906                 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2907                         au_uwrite(au_to_text("shared"));
2908                 } else {
2909                         zone_t  *zone;
2910 
2911                         zone = zone_find_by_id(mlpent->tsme_zoneid);
2912                         if (zone != NULL) {
2913                                 au_uwrite(au_to_text(zone->zone_name));
2914                                 zone_rele(zone);
2915                         }
2916                 }
2917 
2918                 /* Remaining args don't apply for FLUSH, so skip */
2919                 if (cmd == TNDB_FLUSH) {
2920                         kmem_free(mlpent, sizeof (tsol_mlpent_t));
2921                         break;
2922                 }
2923 
2924                 au_uwrite(au_to_arg32(2, "proto num",
2925                     (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2926                 au_uwrite(au_to_arg32(2, "mlp_port",
2927                     (uint32_t)mlpent->tsme_mlp.mlp_port));
2928 
2929                 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2930                         au_uwrite(au_to_arg32(2, "mlp_port_upper",
2931                             (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2932 
2933                 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2934 
2935                 break;
2936         }
2937         default:
2938                 break;
2939         }
2940 }
2941 
2942 
2943 static au_event_t
2944 aui_auditsys(au_event_t e)
2945 {
2946         klwp_t *clwp = ttolwp(curthread);
2947         uint32_t code;
2948 
2949         struct a {
2950                 long    code;
2951                 long    a1;
2952                 long    a2;
2953                 long    a3;
2954                 long    a4;
2955                 long    a5;
2956                 long    a6;
2957                 long    a7;
2958         } *uap = (struct a *)clwp->lwp_ap;
2959 
2960         code = (uint32_t)uap->code;
2961 
2962         switch (code) {
2963 
2964         case BSM_GETAUID:
2965                 e = AUE_GETAUID;
2966                 break;
2967         case BSM_SETAUID:
2968                 e = AUE_SETAUID;
2969                 break;
2970         case BSM_GETAUDIT:
2971                 e = AUE_GETAUDIT;
2972                 break;
2973         case BSM_GETAUDIT_ADDR:
2974                 e = AUE_GETAUDIT_ADDR;
2975                 break;
2976         case BSM_SETAUDIT:
2977                 e = AUE_SETAUDIT;
2978                 break;
2979         case BSM_SETAUDIT_ADDR:
2980                 e = AUE_SETAUDIT_ADDR;
2981                 break;
2982         case BSM_AUDIT:
2983                 e = AUE_AUDIT;
2984                 break;
2985         case BSM_AUDITCTL:
2986                 switch ((uint_t)uap->a1) {
2987 
2988                 case A_GETPOLICY:
2989                         e = AUE_AUDITON_GPOLICY;
2990                         break;
2991                 case A_SETPOLICY:
2992                         e = AUE_AUDITON_SPOLICY;
2993                         break;
2994                 case A_GETAMASK:
2995                         e = AUE_AUDITON_GETAMASK;
2996                         break;
2997                 case A_SETAMASK:
2998                         e = AUE_AUDITON_SETAMASK;
2999                         break;
3000                 case A_GETKMASK:
3001                         e = AUE_AUDITON_GETKMASK;
3002                         break;
3003                 case A_SETKMASK:
3004                         e = AUE_AUDITON_SETKMASK;
3005                         break;
3006                 case A_GETQCTRL:
3007                         e = AUE_AUDITON_GQCTRL;
3008                         break;
3009                 case A_SETQCTRL:
3010                         e = AUE_AUDITON_SQCTRL;
3011                         break;
3012                 case A_GETCWD:
3013                         e = AUE_AUDITON_GETCWD;
3014                         break;
3015                 case A_GETCAR:
3016                         e = AUE_AUDITON_GETCAR;
3017                         break;
3018                 case A_GETSTAT:
3019                         e = AUE_AUDITON_GETSTAT;
3020                         break;
3021                 case A_SETSTAT:
3022                         e = AUE_AUDITON_SETSTAT;
3023                         break;
3024                 case A_SETUMASK:
3025                         e = AUE_AUDITON_SETUMASK;
3026                         break;
3027                 case A_SETSMASK:
3028                         e = AUE_AUDITON_SETSMASK;
3029                         break;
3030                 case A_GETCOND:
3031                         e = AUE_AUDITON_GETCOND;
3032                         break;
3033                 case A_SETCOND:
3034                         e = AUE_AUDITON_SETCOND;
3035                         break;
3036                 case A_GETCLASS:
3037                         e = AUE_AUDITON_GETCLASS;
3038                         break;
3039                 case A_SETCLASS:
3040                         e = AUE_AUDITON_SETCLASS;
3041                         break;
3042                 default:
3043                         e = AUE_NULL;
3044                         break;
3045                 }
3046                 break;
3047         default:
3048                 e = AUE_NULL;
3049                 break;
3050         }
3051 
3052         return (e);
3053 
3054 }       /* AUI_AUDITSYS */
3055 
3056 
3057 static void
3058 aus_auditsys(struct t_audit_data *tad)
3059 {
3060         klwp_t *clwp = ttolwp(curthread);
3061         uintptr_t a1, a2;
3062         STRUCT_DECL(auditinfo, ainfo);
3063         STRUCT_DECL(auditinfo_addr, ainfo_addr);
3064         au_evclass_map_t event;
3065         au_mask_t mask;
3066         int auditstate, policy;
3067         au_id_t auid;
3068 
3069 
3070         struct a {
3071                 long    code;
3072                 long    a1;
3073                 long    a2;
3074                 long    a3;
3075                 long    a4;
3076                 long    a5;
3077                 long    a6;
3078                 long    a7;
3079         } *uap = (struct a *)clwp->lwp_ap;
3080 
3081         a1   = (uintptr_t)uap->a1;
3082         a2   = (uintptr_t)uap->a2;
3083 
3084         switch (tad->tad_event) {
3085         case AUE_SETAUID:
3086                 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3087                                 return;
3088                 au_uwrite(au_to_arg32(2, "setauid", auid));
3089                 break;
3090         case AUE_SETAUDIT:
3091                 STRUCT_INIT(ainfo, get_udatamodel());
3092                 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3093                     STRUCT_SIZE(ainfo))) {
3094                                 return;
3095                 }
3096                 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3097                     (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3098 #ifdef _LP64
3099                 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3100                     (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3101 #else
3102                 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3103                     (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3104 #endif
3105                 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3106                     (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3107                 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3108                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3109                 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3110                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3111                 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3112                     (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3113                 break;
3114         case AUE_SETAUDIT_ADDR:
3115                 STRUCT_INIT(ainfo_addr, get_udatamodel());
3116                 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3117                     STRUCT_SIZE(ainfo_addr))) {
3118                                 return;
3119                 }
3120                 au_uwrite(au_to_arg32((char)1, "auid",
3121                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3122 #ifdef _LP64
3123                 au_uwrite(au_to_arg64((char)1, "port",
3124                     (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3125 #else
3126                 au_uwrite(au_to_arg32((char)1, "port",
3127                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3128 #endif
3129                 au_uwrite(au_to_arg32((char)1, "type",
3130                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3131                 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3132                     AU_IPv4) {
3133                         au_uwrite(au_to_in_addr(
3134                             (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3135                             ai_termid.at_addr)));
3136                 } else {
3137                         au_uwrite(au_to_in_addr_ex(
3138                             (int32_t *)STRUCT_FGETP(ainfo_addr,
3139                             ai_termid.at_addr)));
3140                 }
3141                 au_uwrite(au_to_arg32((char)1, "as_success",
3142                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3143                 au_uwrite(au_to_arg32((char)1, "as_failure",
3144                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3145                 au_uwrite(au_to_arg32((char)1, "asid",
3146                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3147                 break;
3148         case AUE_AUDITON_SETAMASK:
3149                 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3150                                 return;
3151                 au_uwrite(au_to_arg32(
3152                     2, "setamask:as_success", (uint32_t)mask.as_success));
3153                 au_uwrite(au_to_arg32(
3154                     2, "setamask:as_failure", (uint32_t)mask.as_failure));
3155                 break;
3156         case AUE_AUDITON_SETKMASK:
3157                 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3158                                 return;
3159                 au_uwrite(au_to_arg32(
3160                     2, "setkmask:as_success", (uint32_t)mask.as_success));
3161                 au_uwrite(au_to_arg32(
3162                     2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3163                 break;
3164         case AUE_AUDITON_SPOLICY:
3165                 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3166                         return;
3167                 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3168                 break;
3169         case AUE_AUDITON_SQCTRL: {
3170                 STRUCT_DECL(au_qctrl, qctrl);
3171                 model_t model;
3172 
3173                 model = get_udatamodel();
3174                 STRUCT_INIT(qctrl, model);
3175                 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3176                                 return;
3177                 if (model == DATAMODEL_ILP32) {
3178                         au_uwrite(au_to_arg32(
3179                             3, "setqctrl:aq_hiwater",
3180                             (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3181                         au_uwrite(au_to_arg32(
3182                             3, "setqctrl:aq_lowater",
3183                             (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3184                         au_uwrite(au_to_arg32(
3185                             3, "setqctrl:aq_bufsz",
3186                             (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3187                         au_uwrite(au_to_arg32(
3188                             3, "setqctrl:aq_delay",
3189                             (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3190                 } else {
3191                         au_uwrite(au_to_arg64(
3192                             3, "setqctrl:aq_hiwater",
3193                             (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3194                         au_uwrite(au_to_arg64(
3195                             3, "setqctrl:aq_lowater",
3196                             (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3197                         au_uwrite(au_to_arg64(
3198                             3, "setqctrl:aq_bufsz",
3199                             (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3200                         au_uwrite(au_to_arg64(
3201                             3, "setqctrl:aq_delay",
3202                             (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3203                 }
3204                 break;
3205         }
3206         case AUE_AUDITON_SETUMASK:
3207                 STRUCT_INIT(ainfo, get_udatamodel());
3208                 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3209                     STRUCT_SIZE(ainfo))) {
3210                         return;
3211                 }
3212                 au_uwrite(au_to_arg32(3, "setumask:as_success",
3213                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3214                 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3215                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3216                 break;
3217         case AUE_AUDITON_SETSMASK:
3218                 STRUCT_INIT(ainfo, get_udatamodel());
3219                 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3220                     STRUCT_SIZE(ainfo))) {
3221                         return;
3222                 }
3223                 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3224                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3225                 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3226                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3227                 break;
3228         case AUE_AUDITON_SETCOND:
3229                 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3230                         return;
3231                 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3232                 break;
3233         case AUE_AUDITON_SETCLASS:
3234                 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3235                         return;
3236                 au_uwrite(au_to_arg32(
3237                     2, "setclass:ec_event", (uint32_t)event.ec_number));
3238                 au_uwrite(au_to_arg32(
3239                     3, "setclass:ec_class", (uint32_t)event.ec_class));
3240                 break;
3241         case AUE_GETAUID:
3242         case AUE_GETAUDIT:
3243         case AUE_GETAUDIT_ADDR:
3244         case AUE_AUDIT:
3245         case AUE_AUDITON_GPOLICY:
3246         case AUE_AUDITON_GQCTRL:
3247         case AUE_AUDITON_GETAMASK:
3248         case AUE_AUDITON_GETKMASK:
3249         case AUE_AUDITON_GETCWD:
3250         case AUE_AUDITON_GETCAR:
3251         case AUE_AUDITON_GETSTAT:
3252         case AUE_AUDITON_SETSTAT:
3253         case AUE_AUDITON_GETCOND:
3254         case AUE_AUDITON_GETCLASS:
3255                 break;
3256         default:
3257                 break;
3258         }
3259 
3260 }       /* AUS_AUDITSYS */
3261 
3262 
3263 /* only audit privileged operations for systeminfo(2) system call */
3264 static au_event_t
3265 aui_sysinfo(au_event_t e)
3266 {
3267         klwp_t *clwp = ttolwp(curthread);
3268         uint32_t command;
3269 
3270         struct a {
3271                 long    command;
3272                 long    buf;            /* char * */
3273                 long    count;
3274         } *uap = (struct a *)clwp->lwp_ap;
3275 
3276         command = (uint32_t)uap->command;
3277 
3278         switch (command) {
3279         case SI_SET_HOSTNAME:
3280         case SI_SET_SRPC_DOMAIN:
3281                 e = (au_event_t)AUE_SYSINFO;
3282                 break;
3283         default:
3284                 e = (au_event_t)AUE_NULL;
3285                 break;
3286         }
3287         return (e);
3288 }
3289 
3290 /*ARGSUSED*/
3291 static void
3292 aus_sysinfo(struct t_audit_data *tad)
3293 {
3294         klwp_t *clwp = ttolwp(curthread);
3295         uint32_t command;
3296         size_t len, maxlen;
3297         char *name;
3298         uintptr_t buf;
3299 
3300         struct a {
3301                 long    command;
3302                 long    buf;            /* char * */
3303                 long    count;
3304         } *uap = (struct a *)clwp->lwp_ap;
3305 
3306         command = (uint32_t)uap->command;
3307         buf = (uintptr_t)uap->buf;
3308 
3309         au_uwrite(au_to_arg32(1, "cmd", command));
3310 
3311         switch (command) {
3312         case SI_SET_HOSTNAME:
3313         {
3314                 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3315                         return;
3316 
3317                 maxlen = SYS_NMLN;
3318                 name = kmem_alloc(maxlen, KM_SLEEP);
3319                 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3320                         break;
3321 
3322                 /*
3323                  * Must be non-NULL string and string
3324                  * must be less than SYS_NMLN chars.
3325                  */
3326                 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3327                         break;
3328 
3329                 au_uwrite(au_to_text(name));
3330                 break;
3331         }
3332 
3333         case SI_SET_SRPC_DOMAIN:
3334         {
3335                 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3336                         return;
3337 
3338                 maxlen = SYS_NMLN;
3339                 name = kmem_alloc(maxlen, KM_SLEEP);
3340                 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3341                         break;
3342 
3343                 /*
3344                  * If string passed in is longer than length
3345                  * allowed for domain name, fail.
3346                  */
3347                 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3348                         break;
3349 
3350                 au_uwrite(au_to_text(name));
3351                 break;
3352         }
3353 
3354         default:
3355                 return;
3356         }
3357 
3358         kmem_free(name, maxlen);
3359 }
3360 
3361 static au_event_t
3362 aui_modctl(au_event_t e)
3363 {
3364         klwp_t *clwp = ttolwp(curthread);
3365         uint_t cmd;
3366 
3367         struct a {
3368                 long    cmd;
3369         } *uap = (struct a *)clwp->lwp_ap;
3370 
3371         cmd = (uint_t)uap->cmd;
3372 
3373         switch (cmd) {
3374         case MODLOAD:
3375                 e = AUE_MODLOAD;
3376                 break;
3377         case MODUNLOAD:
3378                 e = AUE_MODUNLOAD;
3379                 break;
3380         case MODADDMAJBIND:
3381                 e = AUE_MODADDMAJ;
3382                 break;
3383         case MODSETDEVPOLICY:
3384                 e = AUE_MODDEVPLCY;
3385                 break;
3386         case MODALLOCPRIV:
3387                 e = AUE_MODADDPRIV;
3388                 break;
3389         default:
3390                 e = AUE_NULL;
3391                 break;
3392         }
3393         return (e);
3394 }
3395 
3396 
3397 /*ARGSUSED*/
3398 static void
3399 aus_modctl(struct t_audit_data *tad)
3400 {
3401         klwp_t *clwp = ttolwp(curthread);
3402         void *a = clwp->lwp_ap;
3403         uint_t use_path;
3404 
3405         switch (tad->tad_event) {
3406         case AUE_MODLOAD: {
3407                 typedef struct {
3408                         long    cmd;
3409                         long    use_path;
3410                         long    filename;               /* char * */
3411                 } modloada_t;
3412 
3413                 char *filenamep;
3414                 uintptr_t fname;
3415                 extern char *default_path;
3416 
3417                 fname = (uintptr_t)((modloada_t *)a)->filename;
3418                 use_path = (uint_t)((modloada_t *)a)->use_path;
3419 
3420                         /* space to hold path */
3421                 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3422                         /* get string */
3423                 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3424                                 /* free allocated path */
3425                         kmem_free(filenamep, MOD_MAXPATH);
3426                         return;
3427                 }
3428                         /* ensure it's null terminated */
3429                 filenamep[MOD_MAXPATH - 1] = 0;
3430 
3431                 if (use_path)
3432                         au_uwrite(au_to_text(default_path));
3433                 au_uwrite(au_to_text(filenamep));
3434 
3435                         /* release temporary memory */
3436                 kmem_free(filenamep, MOD_MAXPATH);
3437                 break;
3438         }
3439         case AUE_MODUNLOAD: {
3440                 typedef struct {
3441                         long    cmd;
3442                         long    id;
3443                 } modunloada_t;
3444 
3445                 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3446 
3447                 au_uwrite(au_to_arg32(1, "id", id));
3448                 break;
3449         }
3450         case AUE_MODADDMAJ: {
3451                 STRUCT_DECL(modconfig, mc);
3452                 typedef struct {
3453                         long    cmd;
3454                         long    subcmd;
3455                         long    data;           /* int * */
3456                 } modconfiga_t;
3457 
3458                 STRUCT_DECL(aliases, alias);
3459                 caddr_t ap;
3460                 int i, num_aliases;
3461                 char *drvname, *mc_drvname;
3462                 char *name;
3463                 extern char *ddi_major_to_name(major_t);
3464                 model_t model;
3465 
3466                 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3467 
3468                 model = get_udatamodel();
3469                 STRUCT_INIT(mc, model);
3470                         /* sanitize buffer */
3471                 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3472                         /* get user arguments */
3473                 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3474                     STRUCT_SIZE(mc)) != 0)
3475                         return;
3476 
3477                 mc_drvname = STRUCT_FGET(mc, drvname);
3478                 if ((drvname = ddi_major_to_name(
3479                     (major_t)STRUCT_FGET(mc, major))) != NULL &&
3480                     strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3481                                 /* safety */
3482                         if (mc_drvname[0] != '\0') {
3483                                 mc_drvname[MAXMODCONFNAME-1] = '\0';
3484                                 au_uwrite(au_to_text(mc_drvname));
3485                         }
3486                                 /* drvname != NULL from test above */
3487                         au_uwrite(au_to_text(drvname));
3488                         return;
3489                 }
3490 
3491                 if (mc_drvname[0] != '\0') {
3492                                 /* safety */
3493                         mc_drvname[MAXMODCONFNAME-1] = '\0';
3494                         au_uwrite(au_to_text(mc_drvname));
3495                 } else
3496                         au_uwrite(au_to_text("no drvname"));
3497 
3498                 num_aliases = STRUCT_FGET(mc, num_aliases);
3499                 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3500                 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3501                 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3502                 STRUCT_INIT(alias, model);
3503                 for (i = 0; i < num_aliases; i++) {
3504                         bzero((caddr_t)STRUCT_BUF(alias),
3505                             STRUCT_SIZE(alias));
3506                         if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3507                             STRUCT_SIZE(alias)) != 0)
3508                                 break;
3509                         if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3510                             MAXMODCONFNAME, NULL) != 0) {
3511                                 break;
3512                         }
3513 
3514                         au_uwrite(au_to_text(name));
3515                         ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3516                 }
3517                 kmem_free(name, MAXMODCONFNAME);
3518                 break;
3519         }
3520         default:
3521                 break;
3522         }
3523 }
3524 
3525 
3526 /*ARGSUSED*/
3527 static void
3528 auf_accept(
3529         struct t_audit_data *tad,
3530         int     error,
3531         rval_t  *rval)
3532 {
3533         uint32_t scid;
3534         uint32_t sy_flags;
3535         int fd;
3536         struct sonode *so;
3537         char so_laddr[sizeof (struct sockaddr_in6)];
3538         char so_faddr[sizeof (struct sockaddr_in6)];
3539         int err;
3540         short so_family, so_type;
3541         int add_sock_token = 0;
3542 
3543         /* need to determine type of executing binary */
3544         scid = tad->tad_scid;
3545 #ifdef _SYSCALL32_IMPL
3546         if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3547                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3548         else
3549                 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3550 #else
3551         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3552 #endif
3553         switch (sy_flags) {
3554         case SE_32RVAL1:
3555                 /* FALLTHRU */
3556         case SE_32RVAL2|SE_32RVAL1:
3557                 fd = rval->r_val1;
3558                 break;
3559         case SE_64RVAL:
3560                 fd = (int)rval->r_vals;
3561                 break;
3562         default:
3563                 /*
3564                  * should never happen, seems to be an internal error
3565                  * in sysent => no fd, nothing to audit here, returning
3566                  */
3567                 return;
3568         }
3569 
3570         if (error) {
3571                 /* can't trust socket contents. Just return */
3572                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3573                 return;
3574         }
3575 
3576         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3577                 /*
3578                  * not security relevant if doing a accept from non socket
3579                  * so no extra tokens. Should probably turn off audit record
3580                  * generation here.
3581                  */
3582                 return;
3583         }
3584 
3585         so_family = so->so_family;
3586         so_type   = so->so_type;
3587 
3588         switch (so_family) {
3589         case AF_INET:
3590         case AF_INET6:
3591                 /*
3592                  * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3593                  */
3594                 if (so->so_type == SOCK_STREAM) {
3595                         socklen_t len;
3596 
3597                         bzero((void *)so_laddr, sizeof (so_laddr));
3598                         bzero((void *)so_faddr, sizeof (so_faddr));
3599 
3600                         len = sizeof (so_laddr);
3601                         (void) socket_getsockname(so,
3602                             (struct sockaddr *)so_laddr, &len, CRED());
3603                         len = sizeof (so_faddr);
3604                         (void) socket_getpeername(so,
3605                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3606 
3607                         add_sock_token = 1;
3608                 }
3609                 break;
3610 
3611         default:
3612                 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3613                 break;
3614         }
3615 
3616         releasef(fd);
3617 
3618         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3619 
3620         if (add_sock_token == 0) {
3621                 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3622                 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3623                 return;
3624         }
3625 
3626         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3627 
3628 }
3629 
3630 /*ARGSUSED*/
3631 static void
3632 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3633 {
3634         struct a {
3635                 long    fd;
3636                 long    addr;
3637                 long    len;
3638         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3639 
3640         struct sonode *so;
3641         char so_laddr[sizeof (struct sockaddr_in6)];
3642         char so_faddr[sizeof (struct sockaddr_in6)];
3643         int err, fd;
3644         socklen_t len;
3645         short so_family, so_type;
3646         int add_sock_token = 0;
3647 
3648         fd = (int)uap->fd;
3649 
3650         /*
3651          * bind failed, then nothing extra to add to audit record.
3652          */
3653         if (error) {
3654                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3655                 /* XXX may want to add failed address some day */
3656                 return;
3657         }
3658 
3659         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3660                 /*
3661                  * not security relevant if doing a bind from non socket
3662                  * so no extra tokens. Should probably turn off audit record
3663                  * generation here.
3664                  */
3665                 return;
3666         }
3667 
3668         so_family = so->so_family;
3669         so_type   = so->so_type;
3670 
3671         switch (so_family) {
3672         case AF_INET:
3673         case AF_INET6:
3674 
3675                 bzero(so_faddr, sizeof (so_faddr));
3676                 len = sizeof (so_faddr);
3677 
3678                 (void) socket_getpeername(so,
3679                     (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3680                 add_sock_token = 1;
3681 
3682                 break;
3683 
3684         case AF_UNIX:
3685                 /* token added by lookup */
3686                 break;
3687         default:
3688                 /* AF_ROUTE, AF_KEY do not support accept */
3689                 break;
3690         }
3691 
3692         releasef(fd);
3693 
3694         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3695 
3696         if (add_sock_token == 0) {
3697                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3698                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3699                 return;
3700         }
3701 
3702         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3703 
3704 }
3705 
3706 /*ARGSUSED*/
3707 static void
3708 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3709 {
3710         struct a {
3711                 long    fd;
3712                 long    addr;
3713                 long    len;
3714         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3715 
3716         struct sonode *so;
3717         char so_laddr[sizeof (struct sockaddr_in6)];
3718         char so_faddr[sizeof (struct sockaddr_in6)];
3719         int err, fd;
3720         socklen_t len;
3721         short so_family, so_type;
3722         int add_sock_token = 0;
3723 
3724         fd = (int)uap->fd;
3725 
3726 
3727         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3728                 /*
3729                  * not security relevant if doing a connect from non socket
3730                  * so no extra tokens. Should probably turn off audit record
3731                  * generation here.
3732                  */
3733                 return;
3734         }
3735 
3736         so_family = so->so_family;
3737         so_type   = so->so_type;
3738 
3739         switch (so_family) {
3740         case AF_INET:
3741         case AF_INET6:
3742 
3743                 bzero(so_laddr, sizeof (so_laddr));
3744                 bzero(so_faddr, sizeof (so_faddr));
3745 
3746                 len = sizeof (so_laddr);
3747                 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3748                     &len, CRED());
3749                 if (error) {
3750                         if (uap->addr == 0)
3751                                 break;
3752                         if (uap->len <= 0)
3753                                 break;
3754                         len = min(uap->len, sizeof (so_faddr));
3755                         if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3756                                 break;
3757 #ifdef NOTYET
3758                         au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3759 #endif
3760                 } else {
3761                         /* sanity check on length */
3762                         len = sizeof (so_faddr);
3763                         (void) socket_getpeername(so,
3764                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3765                 }
3766 
3767                 add_sock_token = 1;
3768 
3769                 break;
3770 
3771         case AF_UNIX:
3772                 /* does a lookup on name */
3773                 break;
3774 
3775         default:
3776                 /* AF_ROUTE, AF_KEY do not support accept */
3777                 break;
3778         }
3779 
3780         releasef(fd);
3781 
3782         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3783 
3784         if (add_sock_token == 0) {
3785                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3786                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3787                 return;
3788         }
3789 
3790         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3791 
3792 }
3793 
3794 /*ARGSUSED*/
3795 static void
3796 aus_shutdown(struct t_audit_data *tad)
3797 {
3798         struct a {
3799                 long    fd;
3800                 long    how;
3801         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3802 
3803         struct sonode *so;
3804         char so_laddr[sizeof (struct sockaddr_in6)];
3805         char so_faddr[sizeof (struct sockaddr_in6)];
3806         int err, fd;
3807         socklen_t len;
3808         short so_family, so_type;
3809         int add_sock_token = 0;
3810         file_t *fp;                             /* unix domain sockets */
3811         struct f_audit_data *fad;               /* unix domain sockets */
3812 
3813         fd = (int)uap->fd;
3814 
3815         if ((so = getsonode(fd, &err, &fp)) == NULL) {
3816                 /*
3817                  * not security relevant if doing a shutdown using non socket
3818                  * so no extra tokens. Should probably turn off audit record
3819                  * generation here.
3820                  */
3821                 return;
3822         }
3823 
3824         so_family = so->so_family;
3825         so_type   = so->so_type;
3826 
3827         switch (so_family) {
3828         case AF_INET:
3829         case AF_INET6:
3830 
3831                 bzero(so_laddr, sizeof (so_laddr));
3832                 bzero(so_faddr, sizeof (so_faddr));
3833 
3834                 len = sizeof (so_laddr);
3835                 (void) socket_getsockname(so,
3836                     (struct sockaddr *)so_laddr, &len, CRED());
3837                 len = sizeof (so_faddr);
3838                 (void) socket_getpeername(so,
3839                     (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3840 
3841                 add_sock_token = 1;
3842 
3843                 break;
3844 
3845         case AF_UNIX:
3846 
3847                 /* get path from file struct here */
3848                 fad = F2A(fp);
3849                 ASSERT(fad);
3850 
3851                 if (fad->fad_aupath != NULL) {
3852                         au_uwrite(au_to_path(fad->fad_aupath));
3853                 } else {
3854                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
3855                 }
3856 
3857                 audit_attributes(fp->f_vnode);
3858 
3859                 break;
3860 
3861         default:
3862                 /*
3863                  * AF_KEY and AF_ROUTE support shutdown. No socket token
3864                  * added.
3865                  */
3866                 break;
3867         }
3868 
3869         releasef(fd);
3870 
3871         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3872 
3873         if (add_sock_token == 0) {
3874                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3875                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3876                 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3877                 return;
3878         }
3879 
3880         au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3881 
3882         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3883 
3884 }
3885 
3886 /*ARGSUSED*/
3887 static void
3888 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3889 {
3890         struct a {
3891                 long    fd;
3892                 long    level;
3893                 long    optname;
3894                 long    *optval;
3895                 long    optlen;
3896         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3897 
3898         struct sonode   *so;
3899         char so_laddr[sizeof (struct sockaddr_in6)];
3900         char so_faddr[sizeof (struct sockaddr_in6)];
3901         char            val[AU_BUFSIZE];
3902         int             err, fd;
3903         socklen_t       len;
3904         short so_family, so_type;
3905         int             add_sock_token = 0;
3906         file_t *fp;                             /* unix domain sockets */
3907         struct f_audit_data *fad;               /* unix domain sockets */
3908 
3909         fd = (int)uap->fd;
3910 
3911         if (error) {
3912                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3913                 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3914                 /* XXX may want to include other arguments */
3915                 return;
3916         }
3917 
3918         if ((so = getsonode(fd, &err, &fp)) == NULL) {
3919                 /*
3920                  * not security relevant if doing a setsockopt from non socket
3921                  * so no extra tokens. Should probably turn off audit record
3922                  * generation here.
3923                  */
3924                 return;
3925         }
3926 
3927         so_family = so->so_family;
3928         so_type   = so->so_type;
3929 
3930         switch (so_family) {
3931         case AF_INET:
3932         case AF_INET6:
3933                 bzero((void *)so_laddr, sizeof (so_laddr));
3934                 bzero((void *)so_faddr, sizeof (so_faddr));
3935 
3936                 /* get local and foreign addresses */
3937                 len = sizeof (so_laddr);
3938                 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3939                     &len, CRED());
3940                 len = sizeof (so_faddr);
3941                 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3942                     &len, B_FALSE, CRED());
3943 
3944                 add_sock_token = 1;
3945 
3946                 break;
3947 
3948         case AF_UNIX:
3949 
3950                 /* get path from file struct here */
3951                 fad = F2A(fp);
3952                 ASSERT(fad);
3953 
3954                 if (fad->fad_aupath != NULL) {
3955                         au_uwrite(au_to_path(fad->fad_aupath));
3956                 } else {
3957                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
3958                 }
3959 
3960                 audit_attributes(fp->f_vnode);
3961 
3962                 break;
3963 
3964         default:
3965                 /*
3966                  * AF_KEY and AF_ROUTE support setsockopt. No socket token
3967                  * added.
3968                  */
3969                 break;
3970         }
3971 
3972         releasef(fd);
3973 
3974         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3975 
3976         if (add_sock_token == 0) {
3977                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3978                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3979         }
3980         au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3981         au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3982 
3983         bzero(val, sizeof (val));
3984         len = min(uap->optlen, sizeof (val));
3985         if ((len > 0) &&
3986             (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3987                 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3988                 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3989         }
3990 
3991         if (add_sock_token == 0)
3992                 return;
3993 
3994         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3995 
3996 }
3997 
3998 /*ARGSUSED*/
3999 static void
4000 aus_sockconfig(struct t_audit_data *tad)
4001 {
4002         struct a {
4003                 long    cmd;
4004                 long    arg1;
4005                 long    arg2;
4006                 long    arg3;
4007                 long    arg4;
4008         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4009 
4010         char    *buf;
4011         int     buflen;
4012         size_t  size;
4013 
4014         au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4015         switch (uap->cmd) {
4016         case SOCKCONFIG_ADD_SOCK:
4017         case SOCKCONFIG_REMOVE_SOCK:
4018                 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4019                 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4020                 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4021 
4022                 if (uap->arg4 == 0) {
4023                         au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4024                 } else {
4025                         buflen = MAXPATHLEN + 1;
4026                         buf = kmem_alloc(buflen, KM_SLEEP);
4027                         if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4028                             &size)) {
4029                                 kmem_free(buf, buflen);
4030                                 return;
4031                         }
4032 
4033                         if (size > MAXPATHLEN) {
4034                                 kmem_free(buf, buflen);
4035                                 return;
4036                         }
4037 
4038                         au_uwrite(au_to_text(buf));
4039                         kmem_free(buf, buflen);
4040                 }
4041                 break;
4042         case SOCKCONFIG_ADD_FILTER:
4043         case SOCKCONFIG_REMOVE_FILTER:
4044                 buflen = FILNAME_MAX;
4045                 buf = kmem_alloc(buflen, KM_SLEEP);
4046 
4047                 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4048                         kmem_free(buf, buflen);
4049                         return;
4050                 }
4051 
4052                 au_uwrite(au_to_text(buf));
4053                 kmem_free(buf, buflen);
4054                 break;
4055         default:
4056                 break;
4057         }
4058 }
4059 
4060 /*
4061  * only audit recvmsg when the system call represents the creation of a new
4062  * circuit. This effectively occurs for all UDP packets and may occur for
4063  * special TCP situations where the local host has not set a local address
4064  * in the socket structure.
4065  */
4066 /*ARGSUSED*/
4067 static void
4068 auf_recvmsg(
4069         struct t_audit_data *tad,
4070         int error,
4071         rval_t *rvp)
4072 {
4073         struct a {
4074                 long    fd;
4075                 long    msg;    /* struct msghdr */
4076                 long    flags;
4077         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4078 
4079         struct sonode   *so;
4080         STRUCT_DECL(msghdr, msg);
4081         caddr_t msg_name;
4082         socklen_t msg_namelen;
4083         int fd;
4084         int err;
4085         char so_laddr[sizeof (struct sockaddr_in6)];
4086         char so_faddr[sizeof (struct sockaddr_in6)];
4087         socklen_t len;
4088         file_t *fp;                             /* unix domain sockets */
4089         struct f_audit_data *fad;               /* unix domain sockets */
4090         short so_family, so_type;
4091         int add_sock_token = 0;
4092         au_kcontext_t   *kctx = GET_KCTX_PZ;
4093 
4094         fd = (int)uap->fd;
4095 
4096         /* bail if an error */
4097         if (error) {
4098                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4099                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4100                 return;
4101         }
4102 
4103         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4104                 /*
4105                  * not security relevant if doing a recvmsg from non socket
4106                  * so no extra tokens. Should probably turn off audit record
4107                  * generation here.
4108                  */
4109                 return;
4110         }
4111 
4112         so_family = so->so_family;
4113         so_type   = so->so_type;
4114 
4115         /*
4116          * only putout SOCKET_EX token if INET/INET6 family.
4117          * XXX - what do we do about other families?
4118          */
4119 
4120         switch (so_family) {
4121         case AF_INET:
4122         case AF_INET6:
4123 
4124                 /*
4125                  * if datagram type socket, then just use what is in
4126                  * socket structure for local address.
4127                  * XXX - what do we do for other types?
4128                  */
4129                 if ((so->so_type == SOCK_DGRAM) ||
4130                     (so->so_type == SOCK_RAW)) {
4131                         add_sock_token = 1;
4132 
4133                         bzero((void *)so_laddr, sizeof (so_laddr));
4134                         bzero((void *)so_faddr, sizeof (so_faddr));
4135 
4136                         /* get local address */
4137                         len = sizeof (so_laddr);
4138                         (void) socket_getsockname(so,
4139                             (struct sockaddr *)so_laddr, &len, CRED());
4140 
4141                         /* get peer address */
4142                         STRUCT_INIT(msg, get_udatamodel());
4143 
4144                         if (copyin((caddr_t)(uap->msg),
4145                             (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4146                                 break;
4147                         }
4148                         msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4149                         if (msg_name == NULL) {
4150                                 break;
4151                         }
4152 
4153                         /* length is value from recvmsg - sanity check */
4154                         msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4155                         if (msg_namelen == 0) {
4156                                 break;
4157                         }
4158                         if (copyin(msg_name, so_faddr,
4159                             sizeof (so_faddr)) != 0) {
4160                                 break;
4161                         }
4162 
4163                 } else if (so->so_type == SOCK_STREAM) {
4164 
4165                         /* get path from file struct here */
4166                         fad = F2A(fp);
4167                         ASSERT(fad);
4168 
4169                         /*
4170                          * already processed this file for read attempt
4171                          */
4172                         if (fad->fad_flags & FAD_READ) {
4173                                 /* don't want to audit every recvmsg attempt */
4174                                 tad->tad_flag = 0;
4175                                 /* free any residual audit data */
4176                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4177                                 releasef(fd);
4178                                 return;
4179                         }
4180                         /*
4181                          * mark things so we know what happened and don't
4182                          * repeat things
4183                          */
4184                         fad->fad_flags |= FAD_READ;
4185 
4186                         bzero((void *)so_laddr, sizeof (so_laddr));
4187                         bzero((void *)so_faddr, sizeof (so_faddr));
4188 
4189                         /* get local and foreign addresses */
4190                         len = sizeof (so_laddr);
4191                         (void) socket_getsockname(so,
4192                             (struct sockaddr *)so_laddr, &len, CRED());
4193                         len = sizeof (so_faddr);
4194                         (void) socket_getpeername(so,
4195                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4196 
4197                         add_sock_token = 1;
4198                 }
4199 
4200                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4201 
4202                 break;
4203 
4204         case AF_UNIX:
4205                 /*
4206                  * first check if this is first time through. Too much
4207                  * duplicate code to put this in an aui_ routine.
4208                  */
4209 
4210                 /* get path from file struct here */
4211                 fad = F2A(fp);
4212                 ASSERT(fad);
4213 
4214                 /*
4215                  * already processed this file for read attempt
4216                  */
4217                 if (fad->fad_flags & FAD_READ) {
4218                         releasef(fd);
4219                         /* don't want to audit every recvmsg attempt */
4220                         tad->tad_flag = 0;
4221                         /* free any residual audit data */
4222                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4223                         return;
4224                 }
4225                 /*
4226                  * mark things so we know what happened and don't
4227                  * repeat things
4228                  */
4229                 fad->fad_flags |= FAD_READ;
4230 
4231                 if (fad->fad_aupath != NULL) {
4232                         au_uwrite(au_to_path(fad->fad_aupath));
4233                 } else {
4234                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4235                 }
4236 
4237                 audit_attributes(fp->f_vnode);
4238 
4239                 releasef(fd);
4240 
4241                 return;
4242 
4243         default:
4244                 break;
4245 
4246         }
4247 
4248         releasef(fd);
4249 
4250         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4251 
4252         if (add_sock_token == 0) {
4253                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4254                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4255                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4256                 return;
4257         }
4258 
4259         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4260 
4261         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4262 
4263 }
4264 
4265 /*ARGSUSED*/
4266 static void
4267 auf_recvfrom(
4268         struct t_audit_data *tad,
4269         int error,
4270         rval_t *rvp)
4271 {
4272 
4273         struct a {
4274                 long    fd;
4275                 long    msg;    /* char */
4276                 long    len;
4277                 long    flags;
4278                 long    from;   /* struct sockaddr */
4279                 long    fromlen;
4280         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4281 
4282         socklen_t       fromlen;
4283         struct sonode   *so;
4284         char so_laddr[sizeof (struct sockaddr_in6)];
4285         char so_faddr[sizeof (struct sockaddr_in6)];
4286         int             fd;
4287         short so_family, so_type;
4288         int add_sock_token = 0;
4289         socklen_t len;
4290         int err;
4291         struct file *fp;
4292         struct f_audit_data *fad;               /* unix domain sockets */
4293         au_kcontext_t   *kctx = GET_KCTX_PZ;
4294 
4295         fd = (int)uap->fd;
4296 
4297         /* bail if an error */
4298         if (error) {
4299                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4300                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4301                 return;
4302         }
4303 
4304         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4305                 /*
4306                  * not security relevant if doing a recvmsg from non socket
4307                  * so no extra tokens. Should probably turn off audit record
4308                  * generation here.
4309                  */
4310                 return;
4311         }
4312 
4313         so_family = so->so_family;
4314         so_type   = so->so_type;
4315 
4316         /*
4317          * only putout SOCKET_EX token if INET/INET6 family.
4318          * XXX - what do we do about other families?
4319          */
4320 
4321         switch (so_family) {
4322         case AF_INET:
4323         case AF_INET6:
4324 
4325                 /*
4326                  * if datagram type socket, then just use what is in
4327                  * socket structure for local address.
4328                  * XXX - what do we do for other types?
4329                  */
4330                 if ((so->so_type == SOCK_DGRAM) ||
4331                     (so->so_type == SOCK_RAW)) {
4332                         add_sock_token = 1;
4333 
4334                         /* get local address */
4335                         len = sizeof (so_laddr);
4336                         (void) socket_getsockname(so,
4337                             (struct sockaddr *)so_laddr, &len, CRED());
4338 
4339                         /* get peer address */
4340                         bzero((void *)so_faddr, sizeof (so_faddr));
4341 
4342                         /* sanity check */
4343                         if (uap->from == 0)
4344                                 break;
4345 
4346                         /* sanity checks */
4347                         if (uap->fromlen == 0)
4348                                 break;
4349 
4350                         if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4351                             sizeof (fromlen)) != 0)
4352                                 break;
4353 
4354                         if (fromlen == 0)
4355                                 break;
4356 
4357                         /* enforce maximum size */
4358                         if (fromlen > sizeof (so_faddr))
4359                                 fromlen = sizeof (so_faddr);
4360 
4361                         if (copyin((caddr_t)(uap->from), so_faddr,
4362                             fromlen) != 0)
4363                                 break;
4364 
4365                 } else if (so->so_type == SOCK_STREAM) {
4366 
4367                         /* get path from file struct here */
4368                         fad = F2A(fp);
4369                         ASSERT(fad);
4370 
4371                         /*
4372                          * already processed this file for read attempt
4373                          */
4374                         if (fad->fad_flags & FAD_READ) {
4375                                 /* don't want to audit every recvfrom attempt */
4376                                 tad->tad_flag = 0;
4377                                 /* free any residual audit data */
4378                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4379                                 releasef(fd);
4380                                 return;
4381                         }
4382                         /*
4383                          * mark things so we know what happened and don't
4384                          * repeat things
4385                          */
4386                         fad->fad_flags |= FAD_READ;
4387 
4388                         bzero((void *)so_laddr, sizeof (so_laddr));
4389                         bzero((void *)so_faddr, sizeof (so_faddr));
4390 
4391                         /* get local and foreign addresses */
4392                         len = sizeof (so_laddr);
4393                         (void) socket_getsockname(so,
4394                             (struct sockaddr *)so_laddr, &len, CRED());
4395                         len = sizeof (so_faddr);
4396                         (void) socket_getpeername(so,
4397                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4398 
4399                         add_sock_token = 1;
4400                 }
4401 
4402                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4403 
4404                 break;
4405 
4406         case AF_UNIX:
4407                 /*
4408                  * first check if this is first time through. Too much
4409                  * duplicate code to put this in an aui_ routine.
4410                  */
4411 
4412                 /* get path from file struct here */
4413                 fad = F2A(fp);
4414                 ASSERT(fad);
4415 
4416                 /*
4417                  * already processed this file for read attempt
4418                  */
4419                 if (fad->fad_flags & FAD_READ) {
4420                         /* don't want to audit every recvfrom attempt */
4421                         tad->tad_flag = 0;
4422                         /* free any residual audit data */
4423                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4424                         releasef(fd);
4425                         return;
4426                 }
4427                 /*
4428                  * mark things so we know what happened and don't
4429                  * repeat things
4430                  */
4431                 fad->fad_flags |= FAD_READ;
4432 
4433                 if (fad->fad_aupath != NULL) {
4434                         au_uwrite(au_to_path(fad->fad_aupath));
4435                 } else {
4436                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4437                 }
4438 
4439                 audit_attributes(fp->f_vnode);
4440 
4441                 releasef(fd);
4442 
4443                 return;
4444 
4445         default:
4446                 break;
4447 
4448         }
4449 
4450         releasef(fd);
4451 
4452         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4453 
4454         if (add_sock_token == 0) {
4455                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4456                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4457                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4458                 return;
4459         }
4460 
4461         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4462 
4463         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4464 }
4465 
4466 /*ARGSUSED*/
4467 static void
4468 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4469 {
4470         struct a {
4471                 long    fd;
4472                 long    msg;    /* struct msghdr */
4473                 long    flags;
4474         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4475 
4476         struct sonode   *so;
4477         char so_laddr[sizeof (struct sockaddr_in6)];
4478         char so_faddr[sizeof (struct sockaddr_in6)];
4479         int             err;
4480         int             fd;
4481         short so_family, so_type;
4482         int             add_sock_token = 0;
4483         socklen_t       len;
4484         struct file     *fp;
4485         struct f_audit_data *fad;
4486         caddr_t         msg_name;
4487         socklen_t       msg_namelen;
4488         STRUCT_DECL(msghdr, msg);
4489         au_kcontext_t   *kctx = GET_KCTX_PZ;
4490 
4491         fd = (int)uap->fd;
4492 
4493         /* bail if an error */
4494         if (error) {
4495                 /* XXX include destination address from system call arguments */
4496                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4497                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4498                 return;
4499         }
4500 
4501         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4502                 /*
4503                  * not security relevant if doing a sendmsg from non socket
4504                  * so no extra tokens. Should probably turn off audit record
4505                  * generation here.
4506                  */
4507                 return;
4508         }
4509 
4510         so_family = so->so_family;
4511         so_type   = so->so_type;
4512 
4513         switch (so_family) {
4514         case AF_INET:
4515         case AF_INET6:
4516                 /*
4517                  * if datagram type socket, then just use what is in
4518                  * socket structure for local address.
4519                  * XXX - what do we do for other types?
4520                  */
4521                 if ((so->so_type == SOCK_DGRAM) ||
4522                     (so->so_type == SOCK_RAW)) {
4523 
4524                         bzero((void *)so_laddr, sizeof (so_laddr));
4525                         bzero((void *)so_faddr, sizeof (so_faddr));
4526 
4527                         /* get local address */
4528                         len = sizeof (so_laddr);
4529                         (void) socket_getsockname(so,
4530                             (struct sockaddr *)so_laddr, &len, CRED());
4531 
4532                         /* get peer address */
4533                         STRUCT_INIT(msg, get_udatamodel());
4534 
4535                         if (copyin((caddr_t)(uap->msg),
4536                             (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4537                                 break;
4538                         }
4539                         msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4540                         if (msg_name == NULL)
4541                                 break;
4542 
4543                         msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4544                         /* length is value from recvmsg - sanity check */
4545                         if (msg_namelen == 0)
4546                                 break;
4547 
4548                         if (copyin(msg_name, so_faddr,
4549                             sizeof (so_faddr)) != 0)
4550                                 break;
4551 
4552                         add_sock_token = 1;
4553 
4554                 } else if (so->so_type == SOCK_STREAM) {
4555 
4556                         /* get path from file struct here */
4557                         fad = F2A(fp);
4558                         ASSERT(fad);
4559 
4560                         /*
4561                          * already processed this file for write attempt
4562                          */
4563                         if (fad->fad_flags & FAD_WRITE) {
4564                                 releasef(fd);
4565                                 /* don't want to audit every sendmsg attempt */
4566                                 tad->tad_flag = 0;
4567                                 /* free any residual audit data */
4568                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4569                                 return;
4570                         }
4571 
4572                         /*
4573                          * mark things so we know what happened and don't
4574                          * repeat things
4575                          */
4576                         fad->fad_flags |= FAD_WRITE;
4577 
4578                         bzero((void *)so_laddr, sizeof (so_laddr));
4579                         bzero((void *)so_faddr, sizeof (so_faddr));
4580 
4581                         /* get local and foreign addresses */
4582                         len = sizeof (so_laddr);
4583                         (void) socket_getsockname(so,
4584                             (struct sockaddr *)so_laddr, &len, CRED());
4585                         len = sizeof (so_faddr);
4586                         (void) socket_getpeername(so,
4587                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4588 
4589                         add_sock_token = 1;
4590                 }
4591 
4592                 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4593 
4594                 break;
4595 
4596         case AF_UNIX:
4597                 /*
4598                  * first check if this is first time through. Too much
4599                  * duplicate code to put this in an aui_ routine.
4600                  */
4601 
4602                 /* get path from file struct here */
4603                 fad = F2A(fp);
4604                 ASSERT(fad);
4605 
4606                 /*
4607                  * already processed this file for write attempt
4608                  */
4609                 if (fad->fad_flags & FAD_WRITE) {
4610                         releasef(fd);
4611                         /* don't want to audit every sendmsg attempt */
4612                         tad->tad_flag = 0;
4613                         /* free any residual audit data */
4614                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4615                         return;
4616                 }
4617                 /*
4618                  * mark things so we know what happened and don't
4619                  * repeat things
4620                  */
4621                 fad->fad_flags |= FAD_WRITE;
4622 
4623                 if (fad->fad_aupath != NULL) {
4624                         au_uwrite(au_to_path(fad->fad_aupath));
4625                 } else {
4626                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4627                 }
4628 
4629                 audit_attributes(fp->f_vnode);
4630 
4631                 releasef(fd);
4632 
4633                 return;
4634 
4635         default:
4636                 break;
4637         }
4638 
4639         releasef(fd);
4640 
4641         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4642 
4643         if (add_sock_token == 0) {
4644                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4645                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4646                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4647                 return;
4648         }
4649 
4650         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4651 
4652         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4653 }
4654 
4655 /*ARGSUSED*/
4656 static void
4657 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4658 {
4659         struct a {
4660                 long    fd;
4661                 long    msg;    /* char */
4662                 long    len;
4663                 long    flags;
4664                 long    to;     /* struct sockaddr */
4665                 long    tolen;
4666         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4667 
4668         struct sonode   *so;
4669         char so_laddr[sizeof (struct sockaddr_in6)];
4670         char so_faddr[sizeof (struct sockaddr_in6)];
4671         socklen_t       tolen;
4672         int             err;
4673         int             fd;
4674         socklen_t       len;
4675         short so_family, so_type;
4676         int             add_sock_token = 0;
4677         struct file     *fp;
4678         struct f_audit_data *fad;
4679         au_kcontext_t   *kctx = GET_KCTX_PZ;
4680 
4681         fd = (int)uap->fd;
4682 
4683         /* bail if an error */
4684         if (error) {
4685                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4686                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4687                 /* XXX include destination address from system call arguments */
4688                 return;
4689         }
4690 
4691         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4692                 /*
4693                  * not security relevant if doing a sendto using non socket
4694                  * so no extra tokens. Should probably turn off audit record
4695                  * generation here.
4696                  */
4697                 return;
4698         }
4699 
4700         so_family = so->so_family;
4701         so_type   = so->so_type;
4702 
4703         /*
4704          * only putout SOCKET_EX token if INET/INET6 family.
4705          * XXX - what do we do about other families?
4706          */
4707 
4708         switch (so_family) {
4709         case AF_INET:
4710         case AF_INET6:
4711 
4712                 /*
4713                  * if datagram type socket, then just use what is in
4714                  * socket structure for local address.
4715                  * XXX - what do we do for other types?
4716                  */
4717                 if ((so->so_type == SOCK_DGRAM) ||
4718                     (so->so_type == SOCK_RAW)) {
4719 
4720                         bzero((void *)so_laddr, sizeof (so_laddr));
4721                         bzero((void *)so_faddr, sizeof (so_faddr));
4722 
4723                         /* get local address */
4724                         len = sizeof (so_laddr);
4725                         (void) socket_getsockname(so,
4726                             (struct sockaddr *)so_laddr, &len, CRED());
4727 
4728                         /* get peer address */
4729 
4730                         /* sanity check */
4731                         if (uap->to == 0)
4732                                 break;
4733 
4734                         /* sanity checks */
4735                         if (uap->tolen == 0)
4736                                 break;
4737 
4738                         tolen = (socklen_t)uap->tolen;
4739 
4740                         /* enforce maximum size */
4741                         if (tolen > sizeof (so_faddr))
4742                                 tolen = sizeof (so_faddr);
4743 
4744                         if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4745                                 break;
4746 
4747                         add_sock_token = 1;
4748                 } else {
4749                         /*
4750                          * check if this is first time through.
4751                          */
4752 
4753                         /* get path from file struct here */
4754                         fad = F2A(fp);
4755                         ASSERT(fad);
4756 
4757                         /*
4758                          * already processed this file for write attempt
4759                          */
4760                         if (fad->fad_flags & FAD_WRITE) {
4761                                 /* don't want to audit every sendto attempt */
4762                                 tad->tad_flag = 0;
4763                                 /* free any residual audit data */
4764                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4765                                 releasef(fd);
4766                                 return;
4767                         }
4768                         /*
4769                          * mark things so we know what happened and don't
4770                          * repeat things
4771                          */
4772                         fad->fad_flags |= FAD_WRITE;
4773 
4774                         bzero((void *)so_laddr, sizeof (so_laddr));
4775                         bzero((void *)so_faddr, sizeof (so_faddr));
4776 
4777                         /* get local and foreign addresses */
4778                         len = sizeof (so_laddr);
4779                         (void) socket_getsockname(so,
4780                             (struct sockaddr *)so_laddr, &len, CRED());
4781                         len = sizeof (so_faddr);
4782                         (void) socket_getpeername(so,
4783                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4784 
4785                         add_sock_token = 1;
4786                 }
4787 
4788                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4789 
4790                 break;
4791 
4792         case AF_UNIX:
4793                 /*
4794                  * first check if this is first time through. Too much
4795                  * duplicate code to put this in an aui_ routine.
4796                  */
4797 
4798                 /* get path from file struct here */
4799                 fad = F2A(fp);
4800                 ASSERT(fad);
4801 
4802                 /*
4803                  * already processed this file for write attempt
4804                  */
4805                 if (fad->fad_flags & FAD_WRITE) {
4806                         /* don't want to audit every sendto attempt */
4807                         tad->tad_flag = 0;
4808                         /* free any residual audit data */
4809                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4810                         releasef(fd);
4811                         return;
4812                 }
4813                 /*
4814                  * mark things so we know what happened and don't
4815                  * repeat things
4816                  */
4817                 fad->fad_flags |= FAD_WRITE;
4818 
4819                 if (fad->fad_aupath != NULL) {
4820                         au_uwrite(au_to_path(fad->fad_aupath));
4821                 } else {
4822                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4823                 }
4824 
4825                 audit_attributes(fp->f_vnode);
4826 
4827                 releasef(fd);
4828 
4829                 return;
4830 
4831         default:
4832                 break;
4833 
4834         }
4835 
4836         releasef(fd);
4837 
4838         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4839 
4840         if (add_sock_token == 0) {
4841                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4842                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4843                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4844                 return;
4845         }
4846 
4847         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4848 
4849         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4850 
4851 }
4852 
4853 /*
4854  * XXX socket(2) may be equivalent to open(2) on a unix domain
4855  * socket. This needs investigation.
4856  */
4857 
4858 /*ARGSUSED*/
4859 static void
4860 aus_socket(struct t_audit_data *tad)
4861 {
4862         struct a {
4863                 long    domain;
4864                 long    type;
4865                 long    protocol;
4866         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4867 
4868         au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4869         au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4870         au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4871 }
4872 
4873 /*ARGSUSED*/
4874 static void
4875 aus_sigqueue(struct t_audit_data *tad)
4876 {
4877         struct a {
4878                 long    pid;
4879                 long    signo;
4880                 long    *val;
4881         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4882         struct proc *p;
4883         uid_t uid, ruid;
4884         gid_t gid, rgid;
4885         pid_t pid;
4886         const auditinfo_addr_t *ainfo;
4887         cred_t *cr;
4888 
4889         pid = (pid_t)uap->pid;
4890 
4891         au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4892         if (pid > 0) {
4893                 mutex_enter(&pidlock);
4894                 if ((p = prfind(pid)) == (struct proc *)0) {
4895                         mutex_exit(&pidlock);
4896                         return;
4897                 }
4898                 mutex_enter(&p->p_lock); /* so process doesn't go away */
4899                 mutex_exit(&pidlock);
4900 
4901                 mutex_enter(&p->p_crlock);
4902                 crhold(cr = p->p_cred);
4903                 mutex_exit(&p->p_crlock);
4904                 mutex_exit(&p->p_lock);
4905 
4906                 ainfo = crgetauinfo(cr);
4907                 if (ainfo == NULL) {
4908                         crfree(cr);
4909                         return;
4910                 }
4911 
4912                 uid  = crgetuid(cr);
4913                 gid  = crgetgid(cr);
4914                 ruid = crgetruid(cr);
4915                 rgid = crgetrgid(cr);
4916                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4917                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4918                 crfree(cr);
4919         }
4920         else
4921                 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4922 }
4923 
4924 /*ARGSUSED*/
4925 static void
4926 aus_inst_sync(struct t_audit_data *tad)
4927 {
4928         struct a {
4929                 long    name;   /* char */
4930                 long    flags;
4931         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4932 
4933         au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4934 }
4935 
4936 /*ARGSUSED*/
4937 static void
4938 aus_brandsys(struct t_audit_data *tad)
4939 {
4940         klwp_t *clwp = ttolwp(curthread);
4941 
4942         struct a {
4943                 long    cmd;
4944                 long    arg1;
4945                 long    arg2;
4946                 long    arg3;
4947                 long    arg4;
4948                 long    arg5;
4949                 long    arg6;
4950         } *uap = (struct a *)clwp->lwp_ap;
4951 
4952         au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4953 #ifdef _LP64
4954         au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4955         au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4956         au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4957         au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4958         au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4959         au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4960 #else
4961         au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4962         au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4963         au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4964         au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4965         au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4966         au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4967 #endif
4968 }
4969 
4970 /*ARGSUSED*/
4971 static void
4972 aus_p_online(struct t_audit_data *tad)
4973 {
4974         struct a {
4975                 long    processor_id;
4976                 long    flag;
4977         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4978 
4979         struct flags {
4980                         int     flag;
4981                         char    *cflag;
4982         } aflags[6] = {
4983                         { P_ONLINE, "P_ONLINE"},
4984                         { P_OFFLINE, "P_OFFLINE"},
4985                         { P_NOINTR, "P_NOINTR"},
4986                         { P_SPARE, "P_SPARE"},
4987                         { P_FAULTED, "P_FAULTED"},
4988                         { P_STATUS, "P_STATUS"}
4989         };
4990         int i;
4991         char *cflag;
4992 
4993         au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4994         au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4995 
4996         for (i = 0; i < 6; i++) {
4997                 if (aflags[i].flag == uap->flag)
4998                         break;
4999         }
5000         cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5001 
5002         au_uwrite(au_to_text(cflag));
5003 }
5004 
5005 /*ARGSUSED*/
5006 static void
5007 aus_processor_bind(struct t_audit_data *tad)
5008 {
5009         struct a {
5010                 long    id_type;
5011                 long    id;
5012                 long    processor_id;
5013                 long    obind;
5014         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5015 
5016         struct proc *p;
5017         int lwpcnt;
5018         uid_t uid, ruid;
5019         gid_t gid, rgid;
5020         pid_t pid;
5021         const auditinfo_addr_t *ainfo;
5022         cred_t *cr;
5023 
5024         au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5025         au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5026         if (uap->processor_id == PBIND_NONE)
5027                 au_uwrite(au_to_text("PBIND_NONE"));
5028         else
5029                 au_uwrite(au_to_arg32(3, "processor_id",
5030                     (uint32_t)uap->processor_id));
5031 
5032         switch (uap->id_type) {
5033         case P_MYID:
5034         case P_LWPID:
5035                 mutex_enter(&pidlock);
5036                 p = ttoproc(curthread);
5037                 if (p == NULL || p->p_as == &kas) {
5038                         mutex_exit(&pidlock);
5039                         return;
5040                 }
5041                 mutex_enter(&p->p_lock);
5042                 mutex_exit(&pidlock);
5043                 lwpcnt = p->p_lwpcnt;
5044                 pid  = p->p_pid;
5045 
5046                 mutex_enter(&p->p_crlock);
5047                 crhold(cr = p->p_cred);
5048                 mutex_exit(&p->p_crlock);
5049                 mutex_exit(&p->p_lock);
5050 
5051                 ainfo = crgetauinfo(cr);
5052                 if (ainfo == NULL) {
5053                         crfree(cr);
5054                         return;
5055                 }
5056 
5057                 uid  = crgetuid(cr);
5058                 gid  = crgetgid(cr);
5059                 ruid = crgetruid(cr);
5060                 rgid = crgetrgid(cr);
5061                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5062                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5063                 crfree(cr);
5064                 break;
5065         case P_PID:
5066                 mutex_enter(&pidlock);
5067                 p = prfind(uap->id);
5068                 if (p == NULL || p->p_as == &kas) {
5069                         mutex_exit(&pidlock);
5070                         return;
5071                 }
5072                 mutex_enter(&p->p_lock);
5073                 mutex_exit(&pidlock);
5074                 lwpcnt = p->p_lwpcnt;
5075                 pid  = p->p_pid;
5076 
5077                 mutex_enter(&p->p_crlock);
5078                 crhold(cr = p->p_cred);
5079                 mutex_exit(&p->p_crlock);
5080                 mutex_exit(&p->p_lock);
5081 
5082                 ainfo = crgetauinfo(cr);
5083                 if (ainfo == NULL) {
5084                         crfree(cr);
5085                         return;
5086                 }
5087 
5088                 uid  = crgetuid(cr);
5089                 gid  = crgetgid(cr);
5090                 ruid = crgetruid(cr);
5091                 rgid = crgetrgid(cr);
5092                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5093                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5094                 crfree(cr);
5095 
5096                 break;
5097         default:
5098                 return;
5099         }
5100 
5101         if (uap->processor_id == PBIND_NONE &&
5102             (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5103                 au_uwrite(au_to_text("PBIND_NONE for process"));
5104         else
5105                 au_uwrite(au_to_arg32(3, "processor_id",
5106                     (uint32_t)uap->processor_id));
5107 }
5108 
5109 /*ARGSUSED*/
5110 static au_event_t
5111 aui_doorfs(au_event_t e)
5112 {
5113         uint32_t code;
5114 
5115         struct a {              /* doorfs */
5116                 long    a1;
5117                 long    a2;
5118                 long    a3;
5119                 long    a4;
5120                 long    a5;
5121                 long    code;
5122         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5123 
5124         /*
5125          *      audit formats for several of the
5126          *      door calls have not yet been determined
5127          */
5128         code = (uint32_t)uap->code;
5129         switch (code) {
5130         case DOOR_CALL:
5131                 e = AUE_DOORFS_DOOR_CALL;
5132                 break;
5133         case DOOR_RETURN:
5134                 e = AUE_NULL;
5135                 break;
5136         case DOOR_CREATE:
5137                 e = AUE_DOORFS_DOOR_CREATE;
5138                 break;
5139         case DOOR_REVOKE:
5140                 e = AUE_DOORFS_DOOR_REVOKE;
5141                 break;
5142         case DOOR_INFO:
5143                 e = AUE_NULL;
5144                 break;
5145         case DOOR_UCRED:
5146                 e = AUE_NULL;
5147                 break;
5148         case DOOR_BIND:
5149                 e = AUE_NULL;
5150                 break;
5151         case DOOR_UNBIND:
5152                 e = AUE_NULL;
5153                 break;
5154         case DOOR_GETPARAM:
5155                 e = AUE_NULL;
5156                 break;
5157         case DOOR_SETPARAM:
5158                 e = AUE_NULL;
5159                 break;
5160         default:        /* illegal system call */
5161                 e = AUE_NULL;
5162                 break;
5163         }
5164 
5165         return (e);
5166 }
5167 
5168 static door_node_t *
5169 au_door_lookup(int did)
5170 {
5171         vnode_t *vp;
5172         file_t *fp;
5173 
5174         if ((fp = getf(did)) == NULL)
5175                 return (NULL);
5176         /*
5177          * Use the underlying vnode (we may be namefs mounted)
5178          */
5179         if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5180                 vp = fp->f_vnode;
5181 
5182         if (vp == NULL || vp->v_type != VDOOR) {
5183                 releasef(did);
5184                 return (NULL);
5185         }
5186 
5187         return (VTOD(vp));
5188 }
5189 
5190 /*ARGSUSED*/
5191 static void
5192 aus_doorfs(struct t_audit_data *tad)
5193 {
5194 
5195         struct a {              /* doorfs */
5196                 long    a1;
5197                 long    a2;
5198                 long    a3;
5199                 long    a4;
5200                 long    a5;
5201                 long    code;
5202         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5203 
5204         door_node_t     *dp;
5205         struct proc     *p;
5206         uint32_t        did;
5207         uid_t uid, ruid;
5208         gid_t gid, rgid;
5209         pid_t pid;
5210         const auditinfo_addr_t *ainfo;
5211         cred_t *cr;
5212 
5213         did = (uint32_t)uap->a1;
5214 
5215         switch (tad->tad_event) {
5216         case AUE_DOORFS_DOOR_CALL:
5217                 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5218                 if ((dp = au_door_lookup(did)) == NULL)
5219                         break;
5220 
5221                 if (DOOR_INVALID(dp)) {
5222                         releasef(did);
5223                         break;
5224                 }
5225 
5226                 if ((p = dp->door_target) == NULL) {
5227                         releasef(did);
5228                         break;
5229                 }
5230                 mutex_enter(&p->p_lock);
5231                 releasef(did);
5232 
5233                 pid  = p->p_pid;
5234 
5235                 mutex_enter(&p->p_crlock);
5236                 crhold(cr = p->p_cred);
5237                 mutex_exit(&p->p_crlock);
5238                 mutex_exit(&p->p_lock);
5239 
5240                 ainfo = crgetauinfo(cr);
5241                 if (ainfo == NULL) {
5242                         crfree(cr);
5243                         return;
5244                 }
5245                 uid  = crgetuid(cr);
5246                 gid  = crgetgid(cr);
5247                 ruid = crgetruid(cr);
5248                 rgid = crgetrgid(cr);
5249                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5250                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5251                 crfree(cr);
5252                 break;
5253         case AUE_DOORFS_DOOR_RETURN:
5254                 /*
5255                  * We may want to write information about
5256                  * all doors (if any) which will be copied
5257                  * by this call to the user space
5258                  */
5259                 break;
5260         case AUE_DOORFS_DOOR_CREATE:
5261                 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5262                 break;
5263         case AUE_DOORFS_DOOR_REVOKE:
5264                 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5265                 break;
5266         case AUE_DOORFS_DOOR_INFO:
5267                 break;
5268         case AUE_DOORFS_DOOR_CRED:
5269                 break;
5270         case AUE_DOORFS_DOOR_BIND:
5271                 break;
5272         case AUE_DOORFS_DOOR_UNBIND: {
5273                 break;
5274         }
5275         default:        /* illegal system call */
5276                 break;
5277         }
5278 }
5279 
5280 /*ARGSUSED*/
5281 static au_event_t
5282 aui_acl(au_event_t e)
5283 {
5284         struct a {
5285                 union {
5286                         long    name;   /* char */
5287                         long    fd;
5288                 }               obj;
5289 
5290                 long            cmd;
5291                 long            nentries;
5292                 long            arg;    /* aclent_t */
5293         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5294 
5295         switch (uap->cmd) {
5296         case SETACL:
5297         case ACE_SETACL:
5298                 /*
5299                  * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5300                  * are expected.
5301                  */
5302                 break;
5303         case GETACL:
5304         case GETACLCNT:
5305         case ACE_GETACL:
5306         case ACE_GETACLCNT:
5307                 /* do nothing for these four values. */
5308                 e = AUE_NULL;
5309                 break;
5310         default:
5311                 /* illegal system call */
5312                 break;
5313         }
5314 
5315         return (e);
5316 }
5317 
5318 static void
5319 au_acl(int cmd, int nentries, caddr_t bufp)
5320 {
5321         size_t          a_size;
5322         aclent_t        *aclbufp;
5323         ace_t           *acebufp;
5324         int             i;
5325 
5326         switch (cmd) {
5327         case GETACL:
5328         case GETACLCNT:
5329                 break;
5330         case SETACL:
5331                 if (nentries < 3)
5332                         break;
5333 
5334                 a_size = nentries * sizeof (aclent_t);
5335 
5336                 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5337                         break;
5338                 if (copyin(bufp, aclbufp, a_size)) {
5339                         kmem_free(aclbufp, a_size);
5340                         break;
5341                 }
5342                 for (i = 0; i < nentries; i++) {
5343                         au_uwrite(au_to_acl(aclbufp + i));
5344                 }
5345                 kmem_free(aclbufp, a_size);
5346                 break;
5347 
5348         case ACE_SETACL:
5349                 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5350                         break;
5351 
5352                 a_size = nentries * sizeof (ace_t);
5353                 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5354                         break;
5355                 if (copyin(bufp, acebufp, a_size)) {
5356                         kmem_free(acebufp, a_size);
5357                         break;
5358                 }
5359                 for (i = 0; i < nentries; i++) {
5360                         au_uwrite(au_to_ace(acebufp + i));
5361                 }
5362                 kmem_free(acebufp, a_size);
5363                 break;
5364         default:
5365                 break;
5366         }
5367 }
5368 
5369 /*ARGSUSED*/
5370 static void
5371 aus_acl(struct t_audit_data *tad)
5372 {
5373         struct a {
5374                 long    fname;
5375                 long    cmd;
5376                 long    nentries;
5377                 long    aclbufp;
5378         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5379 
5380         au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5381         au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5382 
5383         au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5384 }
5385 
5386 /*ARGSUSED*/
5387 static void
5388 aus_facl(struct t_audit_data *tad)
5389 {
5390         struct a {
5391                 long    fd;
5392                 long    cmd;
5393                 long    nentries;
5394                 long    aclbufp;
5395         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5396         struct file  *fp;
5397         struct vnode *vp;
5398         struct f_audit_data *fad;
5399         int fd;
5400 
5401         au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5402         au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5403 
5404         fd = (int)uap->fd;
5405 
5406         if ((fp = getf(fd)) == NULL)
5407                 return;
5408 
5409         /* get path from file struct here */
5410         fad = F2A(fp);
5411         if (fad->fad_aupath != NULL) {
5412                 au_uwrite(au_to_path(fad->fad_aupath));
5413         } else {
5414                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5415         }
5416 
5417         vp = fp->f_vnode;
5418         audit_attributes(vp);
5419 
5420         /* decrement file descriptor reference count */
5421         releasef(fd);
5422 
5423         au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5424 }
5425 
5426 /*ARGSUSED*/
5427 static void
5428 auf_read(struct t_audit_data *tad, int error, rval_t *rval)
5429 {
5430         struct file *fp;
5431         struct f_audit_data *fad;
5432         int fd;
5433         register struct a {
5434                 long    fd;
5435         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5436         au_kcontext_t   *kctx = GET_KCTX_PZ;
5437 
5438         fd = (int)uap->fd;
5439 
5440         /*
5441          * convert file pointer to file descriptor
5442          *   Note: fd ref count incremented here.
5443          */
5444         if ((fp = getf(fd)) == NULL)
5445                 return;
5446 
5447         /* get path from file struct here */
5448         fad = F2A(fp);
5449         ASSERT(fad);
5450 
5451         /*
5452          * already processed this file for read attempt
5453          *
5454          * XXX might be better to turn off auditing in a aui_read() routine.
5455          */
5456         if (fad->fad_flags & FAD_READ) {
5457                 /* don't really want to audit every read attempt */
5458                 tad->tad_flag = 0;
5459                 /* free any residual audit data */
5460                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5461                 releasef(fd);
5462                 return;
5463         }
5464         /* mark things so we know what happened and don't repeat things */
5465         fad->fad_flags |= FAD_READ;
5466 
5467         if (fad->fad_aupath != NULL) {
5468                 au_uwrite(au_to_path(fad->fad_aupath));
5469         } else {
5470                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5471         }
5472 
5473         /* include attributes */
5474         audit_attributes(fp->f_vnode);
5475 
5476         /* decrement file descriptor reference count */
5477         releasef(fd);
5478 }
5479 
5480 /*ARGSUSED*/
5481 static void
5482 auf_write(struct t_audit_data *tad, int error, rval_t *rval)
5483 {
5484         struct file *fp;
5485         struct f_audit_data *fad;
5486         int fd;
5487         register struct a {
5488                 long    fd;
5489         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5490         au_kcontext_t   *kctx = GET_KCTX_PZ;
5491 
5492         fd = (int)uap->fd;
5493 
5494         /*
5495          * convert file pointer to file descriptor
5496          *   Note: fd ref count incremented here.
5497          */
5498         if ((fp = getf(fd)) == NULL)
5499                 return;
5500 
5501         /* get path from file struct here */
5502         fad = F2A(fp);
5503         ASSERT(fad);
5504 
5505         /*
5506          * already processed this file for write attempt
5507          *
5508          * XXX might be better to turn off auditing in a aus_write() routine.
5509          */
5510         if (fad->fad_flags & FAD_WRITE) {
5511                 /* don't really want to audit every write attempt */
5512                 tad->tad_flag = 0;
5513                 /* free any residual audit data */
5514                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5515                 releasef(fd);
5516                 return;
5517         }
5518         /* mark things so we know what happened and don't repeat things */
5519         fad->fad_flags |= FAD_WRITE;
5520 
5521         if (fad->fad_aupath != NULL) {
5522                 au_uwrite(au_to_path(fad->fad_aupath));
5523         } else {
5524                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5525         }
5526 
5527         /* include attributes */
5528         audit_attributes(fp->f_vnode);
5529 
5530         /* decrement file descriptor reference count */
5531         releasef(fd);
5532 }
5533 
5534 /*ARGSUSED*/
5535 static void
5536 auf_recv(struct t_audit_data *tad, int error, rval_t *rval)
5537 {
5538         struct sonode *so;
5539         char so_laddr[sizeof (struct sockaddr_in6)];
5540         char so_faddr[sizeof (struct sockaddr_in6)];
5541         struct file *fp;
5542         struct f_audit_data *fad;
5543         int fd;
5544         int err;
5545         socklen_t len;
5546         short so_family, so_type;
5547         register struct a {
5548                 long    fd;
5549         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5550         au_kcontext_t   *kctx = GET_KCTX_PZ;
5551 
5552         /*
5553          * If there was an error, then nothing to do. Only generate
5554          * audit record on first successful recv.
5555          */
5556         if (error) {
5557                 /* Turn off audit record generation here. */
5558                 tad->tad_flag = 0;
5559                 /* free any residual audit data */
5560                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5561                 return;
5562         }
5563 
5564         fd = (int)uap->fd;
5565 
5566         if ((so = getsonode(fd, &err, &fp)) == NULL) {
5567                 /* Turn off audit record generation here. */
5568                 tad->tad_flag = 0;
5569                 /* free any residual audit data */
5570                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5571                 return;
5572         }
5573 
5574         /* get path from file struct here */
5575         fad = F2A(fp);
5576         ASSERT(fad);
5577 
5578         /*
5579          * already processed this file for read attempt
5580          */
5581         if (fad->fad_flags & FAD_READ) {
5582                 releasef(fd);
5583                 /* don't really want to audit every recv call */
5584                 tad->tad_flag = 0;
5585                 /* free any residual audit data */
5586                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5587                 return;
5588         }
5589 
5590         /* mark things so we know what happened and don't repeat things */
5591         fad->fad_flags |= FAD_READ;
5592 
5593         so_family = so->so_family;
5594         so_type   = so->so_type;
5595 
5596         switch (so_family) {
5597         case AF_INET:
5598         case AF_INET6:
5599                 /*
5600                  * Only for connections.
5601                  * XXX - do we need to worry about SOCK_DGRAM or other types???
5602                  */
5603                 if (so->so_state & SS_ISBOUND) {
5604 
5605                         bzero((void *)so_laddr, sizeof (so_laddr));
5606                         bzero((void *)so_faddr, sizeof (so_faddr));
5607 
5608                         /* get local and foreign addresses */
5609                         len = sizeof (so_laddr);
5610                         (void) socket_getsockname(so,
5611                             (struct sockaddr *)so_laddr, &len, CRED());
5612                         len = sizeof (so_faddr);
5613                         (void) socket_getpeername(so,
5614                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5615 
5616                         /*
5617                          * only way to drop out of switch. Note that we
5618                          * we release fd below.
5619                          */
5620 
5621                         break;
5622                 }
5623 
5624                 releasef(fd);
5625 
5626                 /* don't really want to audit every recv call */
5627                 tad->tad_flag = 0;
5628                 /* free any residual audit data */
5629                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5630 
5631                 return;
5632 
5633         case AF_UNIX:
5634 
5635                 if (fad->fad_aupath != NULL) {
5636                         au_uwrite(au_to_path(fad->fad_aupath));
5637                 } else {
5638                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
5639                 }
5640 
5641                 audit_attributes(fp->f_vnode);
5642 
5643                 releasef(fd);
5644 
5645                 return;
5646 
5647         default:
5648                 releasef(fd);
5649 
5650                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5651                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5652                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5653 
5654                 return;
5655         }
5656 
5657         releasef(fd);
5658 
5659         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5660 
5661         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5662 
5663 }
5664 
5665 /*ARGSUSED*/
5666 static void
5667 auf_send(struct t_audit_data *tad, int error, rval_t *rval)
5668 {
5669         struct sonode *so;
5670         char so_laddr[sizeof (struct sockaddr_in6)];
5671         char so_faddr[sizeof (struct sockaddr_in6)];
5672         struct file *fp;
5673         struct f_audit_data *fad;
5674         int fd;
5675         int err;
5676         socklen_t len;
5677         short so_family, so_type;
5678         register struct a {
5679                 long    fd;
5680         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5681         au_kcontext_t   *kctx = GET_KCTX_PZ;
5682 
5683         fd = (int)uap->fd;
5684 
5685         /*
5686          * If there was an error, then nothing to do. Only generate
5687          * audit record on first successful send.
5688          */
5689         if (error != 0) {
5690                 /* Turn off audit record generation here. */
5691                 tad->tad_flag = 0;
5692                 /* free any residual audit data */
5693                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5694                 return;
5695         }
5696 
5697         fd = (int)uap->fd;
5698 
5699         if ((so = getsonode(fd, &err, &fp)) == NULL) {
5700                 /* Turn off audit record generation here. */
5701                 tad->tad_flag = 0;
5702                 /* free any residual audit data */
5703                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5704                 return;
5705         }
5706 
5707         /* get path from file struct here */
5708         fad = F2A(fp);
5709         ASSERT(fad);
5710 
5711         /*
5712          * already processed this file for write attempt
5713          */
5714         if (fad->fad_flags & FAD_WRITE) {
5715                 releasef(fd);
5716                 /* don't really want to audit every send call */
5717                 tad->tad_flag = 0;
5718                 /* free any residual audit data */
5719                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5720                 return;
5721         }
5722 
5723         /* mark things so we know what happened and don't repeat things */
5724         fad->fad_flags |= FAD_WRITE;
5725 
5726         so_family = so->so_family;
5727         so_type   = so->so_type;
5728 
5729         switch (so_family) {
5730         case AF_INET:
5731         case AF_INET6:
5732                 /*
5733                  * Only for connections.
5734                  * XXX - do we need to worry about SOCK_DGRAM or other types???
5735                  */
5736                 if (so->so_state & SS_ISBOUND) {
5737 
5738                         bzero((void *)so_laddr, sizeof (so_laddr));
5739                         bzero((void *)so_faddr, sizeof (so_faddr));
5740 
5741                         /* get local and foreign addresses */
5742                         len = sizeof (so_laddr);
5743                         (void) socket_getsockname(so,
5744                             (struct sockaddr *)so_laddr, &len, CRED());
5745                         len = sizeof (so_faddr);
5746                         (void) socket_getpeername(so,
5747                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5748 
5749                         /*
5750                          * only way to drop out of switch. Note that we
5751                          * we release fd below.
5752                          */
5753 
5754                         break;
5755                 }
5756 
5757                 releasef(fd);
5758                 /* don't really want to audit every send call */
5759                 tad->tad_flag = 0;
5760                 /* free any residual audit data */
5761                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5762 
5763                 return;
5764 
5765         case AF_UNIX:
5766 
5767                 if (fad->fad_aupath != NULL) {
5768                         au_uwrite(au_to_path(fad->fad_aupath));
5769                 } else {
5770                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
5771                 }
5772 
5773                 audit_attributes(fp->f_vnode);
5774 
5775                 releasef(fd);
5776 
5777                 return;
5778 
5779         default:
5780                 releasef(fd);
5781 
5782                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5783                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5784                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5785 
5786                 return;
5787         }
5788 
5789         releasef(fd);
5790 
5791         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5792 
5793         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5794 }
5795 
5796 static au_event_t
5797 aui_forksys(au_event_t e)
5798 {
5799         struct a {
5800                 long    subcode;
5801                 long    flags;
5802         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5803 
5804         switch ((uint_t)uap->subcode) {
5805         case 0:
5806                 e = AUE_FORK1;
5807                 break;
5808         case 1:
5809                 e = AUE_FORKALL;
5810                 break;
5811         case 2:
5812                 e = AUE_VFORK;
5813                 break;
5814         default:
5815                 e = AUE_NULL;
5816                 break;
5817         }
5818 
5819         return (e);
5820 }
5821 
5822 /*ARGSUSED*/
5823 static au_event_t
5824 aui_portfs(au_event_t e)
5825 {
5826         struct a {              /* portfs */
5827                 long    a1;
5828                 long    a2;
5829                 long    a3;
5830         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5831 
5832         /*
5833          * check opcode
5834          */
5835         switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5836         case PORT_ASSOCIATE:
5837                 /* check source */
5838                 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5839                     ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5840                         e = AUE_PORTFS_ASSOCIATE;
5841                 } else {
5842                         e = AUE_NULL;
5843                 }
5844                 break;
5845         case PORT_DISSOCIATE:
5846                 /* check source */
5847                 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5848                     ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5849                         e = AUE_PORTFS_DISSOCIATE;
5850                 } else {
5851                         e = AUE_NULL;
5852                 }
5853                 break;
5854         default:
5855                 e = AUE_NULL;
5856         }
5857         return (e);
5858 }