1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
  25  * Copyright (c) 2018, Joyent, Inc.
  26  */
  27 
  28 /*
  29  * This file contains the audit event table used to control the production
  30  * of audit records for each system call.
  31  */
  32 
  33 #include <sys/policy.h>
  34 #include <sys/cred.h>
  35 #include <sys/types.h>
  36 #include <sys/systm.h>
  37 #include <sys/systeminfo.h>       /* for sysinfo auditing */
  38 #include <sys/utsname.h>  /* for sysinfo auditing */
  39 #include <sys/proc.h>
  40 #include <sys/vnode.h>
  41 #include <sys/mman.h>             /* for mmap(2) auditing etc. */
  42 #include <sys/fcntl.h>
  43 #include <sys/modctl.h>           /* for modctl auditing */
  44 #include <sys/vnode.h>
  45 #include <sys/user.h>
  46 #include <sys/types.h>
  47 #include <sys/processor.h>
  48 #include <sys/procset.h>
  49 #include <sys/acl.h>
  50 #include <sys/ipc.h>
  51 #include <sys/door.h>
  52 #include <sys/sem.h>
  53 #include <sys/msg.h>
  54 #include <sys/shm.h>
  55 #include <sys/kmem.h>
  56 #include <sys/file.h>             /* for accept */
  57 #include <sys/utssys.h>           /* for fuser */
  58 #include <sys/tsol/label.h>
  59 #include <sys/tsol/tndb.h>
  60 #include <sys/tsol/tsyscall.h>
  61 #include <c2/audit.h>
  62 #include <c2/audit_kernel.h>
  63 #include <c2/audit_kevents.h>
  64 #include <c2/audit_record.h>
  65 #include <sys/procset.h>
  66 #include <nfs/mount.h>
  67 #include <sys/param.h>
  68 #include <sys/debug.h>
  69 #include <sys/sysmacros.h>
  70 #include <sys/stream.h>
  71 #include <sys/strsubr.h>
  72 #include <sys/stropts.h>
  73 #include <sys/tihdr.h>
  74 #include <sys/socket.h>
  75 #include <sys/socketvar.h>
  76 #include <sys/vfs_opreg.h>
  77 #include <fs/sockfs/sockcommon.h>
  78 #include <netinet/in.h>
  79 #include <sys/ddi.h>
  80 #include <sys/port_impl.h>
  81 #include <sys/secflags.h>
  82 
  83 static au_event_t       aui_fchownat(au_event_t);
  84 static au_event_t       aui_fchmodat(au_event_t);
  85 static au_event_t       aui_open(au_event_t);
  86 static au_event_t       aui_openat(au_event_t);
  87 static au_event_t       aui_unlinkat(au_event_t);
  88 static au_event_t       aui_fstatat(au_event_t);
  89 static au_event_t       aui_msgsys(au_event_t);
  90 static au_event_t       aui_shmsys(au_event_t);
  91 static au_event_t       aui_semsys(au_event_t);
  92 static au_event_t       aui_utssys(au_event_t);
  93 static au_event_t       aui_fcntl(au_event_t);
  94 static au_event_t       aui_execve(au_event_t);
  95 static au_event_t       aui_memcntl(au_event_t);
  96 static au_event_t       aui_sysinfo(au_event_t);
  97 static au_event_t       aui_portfs(au_event_t);
  98 static au_event_t       aui_auditsys(au_event_t);
  99 static au_event_t       aui_modctl(au_event_t);
 100 static au_event_t       aui_acl(au_event_t);
 101 static au_event_t       aui_doorfs(au_event_t);
 102 static au_event_t       aui_privsys(au_event_t);
 103 static au_event_t       aui_forksys(au_event_t);
 104 static au_event_t       aui_labelsys(au_event_t);
 105 static au_event_t       aui_setpgrp(au_event_t);
 106 
 107 
 108 static void     aus_exit(struct t_audit_data *);
 109 static void     aus_open(struct t_audit_data *);
 110 static void     aus_openat(struct t_audit_data *);
 111 static void     aus_acl(struct t_audit_data *);
 112 static void     aus_acct(struct t_audit_data *);
 113 static void     aus_chown(struct t_audit_data *);
 114 static void     aus_fchown(struct t_audit_data *);
 115 static void     aus_lchown(struct t_audit_data *);
 116 static void     aus_fchownat(struct t_audit_data *);
 117 static void     aus_chmod(struct t_audit_data *);
 118 static void     aus_facl(struct t_audit_data *);
 119 static void     aus_fchmod(struct t_audit_data *);
 120 static void     aus_fchmodat(struct t_audit_data *);
 121 static void     aus_fcntl(struct t_audit_data *);
 122 static void     aus_mkdir(struct t_audit_data *);
 123 static void     aus_mkdirat(struct t_audit_data *);
 124 static void     aus_mknod(struct t_audit_data *);
 125 static void     aus_mknodat(struct t_audit_data *);
 126 static void     aus_mount(struct t_audit_data *);
 127 static void     aus_umount2(struct t_audit_data *);
 128 static void     aus_msgsys(struct t_audit_data *);
 129 static void     aus_semsys(struct t_audit_data *);
 130 static void     aus_close(struct t_audit_data *);
 131 static void     aus_fstatfs(struct t_audit_data *);
 132 static void     aus_setgid(struct t_audit_data *);
 133 static void     aus_setpgrp(struct t_audit_data *);
 134 static void     aus_setuid(struct t_audit_data *);
 135 static void     aus_shmsys(struct t_audit_data *);
 136 static void     aus_doorfs(struct t_audit_data *);
 137 static void     aus_ioctl(struct t_audit_data *);
 138 static void     aus_memcntl(struct t_audit_data *);
 139 static void     aus_mmap(struct t_audit_data *);
 140 static void     aus_munmap(struct t_audit_data *);
 141 static void     aus_priocntlsys(struct t_audit_data *);
 142 static void     aus_setegid(struct t_audit_data *);
 143 static void     aus_setgroups(struct t_audit_data *);
 144 static void     aus_seteuid(struct t_audit_data *);
 145 static void     aus_putmsg(struct t_audit_data *);
 146 static void     aus_putpmsg(struct t_audit_data *);
 147 static void     aus_getmsg(struct t_audit_data *);
 148 static void     aus_getpmsg(struct t_audit_data *);
 149 static void     aus_auditsys(struct t_audit_data *);
 150 static void     aus_sysinfo(struct t_audit_data *);
 151 static void     aus_modctl(struct t_audit_data *);
 152 static void     aus_kill(struct t_audit_data *);
 153 static void     aus_setregid(struct t_audit_data *);
 154 static void     aus_setreuid(struct t_audit_data *);
 155 static void     aus_labelsys(struct t_audit_data *);
 156 
 157 static void     auf_mknod(struct t_audit_data *, int, rval_t *);
 158 static void     auf_mknodat(struct t_audit_data *, int, rval_t *);
 159 static void     auf_msgsys(struct t_audit_data *, int, rval_t *);
 160 static void     auf_semsys(struct t_audit_data *, int, rval_t *);
 161 static void     auf_shmsys(struct t_audit_data *, int, rval_t *);
 162 static void     auf_read(struct t_audit_data *, int, rval_t *);
 163 static void     auf_write(struct t_audit_data *, int, rval_t *);
 164 
 165 static void     aus_sigqueue(struct t_audit_data *);
 166 static void     aus_p_online(struct t_audit_data *);
 167 static void     aus_processor_bind(struct t_audit_data *);
 168 static void     aus_inst_sync(struct t_audit_data *);
 169 static void     aus_brandsys(struct t_audit_data *);
 170 
 171 static void     auf_accept(struct t_audit_data *, int, rval_t *);
 172 
 173 static void     auf_bind(struct t_audit_data *, int, rval_t *);
 174 static void     auf_connect(struct t_audit_data *, int, rval_t *);
 175 static void     aus_shutdown(struct t_audit_data *);
 176 static void     auf_setsockopt(struct t_audit_data *, int, rval_t *);
 177 static void     aus_sockconfig(struct t_audit_data *);
 178 static void     auf_recv(struct t_audit_data *, int, rval_t *);
 179 static void     auf_recvmsg(struct t_audit_data *, int, rval_t *);
 180 static void     auf_send(struct t_audit_data *, int, rval_t *);
 181 static void     auf_sendmsg(struct t_audit_data *, int, rval_t *);
 182 static void     auf_recvfrom(struct t_audit_data *, int, rval_t *);
 183 static void     auf_sendto(struct t_audit_data *, int, rval_t *);
 184 static void     aus_socket(struct t_audit_data *);
 185 /*
 186  * This table contains mapping information for converting system call numbers
 187  * to audit event IDs. In several cases it is necessary to map a single system
 188  * call to several events.
 189  */
 190 
 191 #define aui_null        NULL    /* NULL initialize function */
 192 #define aus_null        NULL    /* NULL start function */
 193 #define auf_null        NULL    /* NULL finish function */
 194 
 195 struct audit_s2e audit_s2e[] =
 196 {
 197 /*
 198  * ----------   ----------      ----------      ----------
 199  * INITIAL      AUDIT           START           SYSTEM
 200  * PROCESSING   EVENT           PROCESSING      CALL
 201  * ----------   ----------      ----------      -----------
 202  *              FINISH          EVENT
 203  *              PROCESSING      CONTROL
 204  * ----------------------------------------------------------
 205  */
 206 aui_null,       AUE_NULL,       aus_null,       /* 0 unused (indirect) */
 207                 auf_null,       0,
 208 aui_null,       AUE_EXIT,       aus_exit,       /* 1 exit */
 209                 auf_null,       S2E_NPT,
 210 aui_null,       AUE_PSECFLAGS,  aus_null,       /* 2 psecflags */
 211                 auf_null,       0,
 212 aui_null,       AUE_READ,       aus_null,       /* 3 read */
 213                 auf_read,       S2E_PUB,
 214 aui_null,       AUE_WRITE,      aus_null,       /* 4 write */
 215                 auf_write,      0,
 216 aui_open,       AUE_OPEN,       aus_open,       /* 5 open */
 217                 auf_null,       S2E_SP,
 218 aui_null,       AUE_CLOSE,      aus_close,      /* 6 close */
 219                 auf_null,       0,
 220 aui_null,       AUE_LINK,       aus_null,       /* 7 linkat */
 221                 auf_null,       0,
 222 aui_null,       AUE_NULL,       aus_null,       /* 8 (loadable) was creat */
 223                 auf_null,       0,
 224 aui_null,       AUE_LINK,       aus_null,       /* 9 link */
 225                 auf_null,       0,
 226 aui_null,       AUE_UNLINK,     aus_null,       /* 10 unlink */
 227                 auf_null,       0,
 228 aui_null,       AUE_SYMLINK,    aus_null,       /* 11 symlinkat */
 229                 auf_null,       0,
 230 aui_null,       AUE_CHDIR,      aus_null,       /* 12 chdir */
 231                 auf_null,       S2E_SP,
 232 aui_null,       AUE_NULL,       aus_null,       /* 13 time */
 233                 auf_null,       0,
 234 aui_null,       AUE_MKNOD,      aus_mknod,      /* 14 mknod */
 235                 auf_mknod,      S2E_MLD,
 236 aui_null,       AUE_CHMOD,      aus_chmod,      /* 15 chmod */
 237                 auf_null,       0,
 238 aui_null,       AUE_CHOWN,      aus_chown,      /* 16 chown */
 239                 auf_null,       0,
 240 aui_null,       AUE_NULL,       aus_null,       /* 17 brk */
 241                 auf_null,       0,
 242 aui_null,       AUE_STAT,       aus_null,       /* 18 stat */
 243                 auf_null,       S2E_PUB,
 244 aui_null,       AUE_NULL,       aus_null,       /* 19 lseek */
 245                 auf_null,       0,
 246 aui_null,       AUE_NULL,       aus_null,       /* 20 getpid */
 247                 auf_null,       0,
 248 aui_null,       AUE_MOUNT,      aus_mount,      /* 21 mount */
 249                 auf_null,       S2E_MLD,
 250 aui_null,       AUE_READLINK,   aus_null,       /* 22 readlinkat */
 251                 auf_null,       S2E_PUB,
 252 aui_null,       AUE_SETUID,     aus_setuid,     /* 23 setuid */
 253                 auf_null,       0,
 254 aui_null,       AUE_NULL,       aus_null,       /* 24 getuid */
 255                 auf_null,       0,
 256 aui_null,       AUE_STIME,      aus_null,       /* 25 stime */
 257                 auf_null,       0,
 258 aui_null,       AUE_NULL,       aus_null,       /* 26 pcsample */
 259                 auf_null,       0,
 260 aui_null,       AUE_NULL,       aus_null,       /* 27 alarm */
 261                 auf_null,       0,
 262 aui_null,       AUE_NULL,       aus_null,       /* 28 fstat */
 263                 auf_null,       0,
 264 aui_null,       AUE_NULL,       aus_null,       /* 29 pause */
 265                 auf_null,       0,
 266 aui_null,       AUE_NULL,       aus_null,       /* 30 (loadable) was utime */
 267                 auf_null,       0,
 268 aui_null,       AUE_NULL,       aus_null,       /* 31 stty (TIOCSETP-audit?) */
 269                 auf_null,       0,
 270 aui_null,       AUE_NULL,       aus_null,       /* 32 gtty */
 271                 auf_null,       0,
 272 aui_null,       AUE_ACCESS,     aus_null,       /* 33 access */
 273                 auf_null,       S2E_PUB,
 274 aui_null,       AUE_NICE,       aus_null,       /* 34 nice */
 275                 auf_null,       0,
 276 aui_null,       AUE_STATFS,     aus_null,       /* 35 statfs */
 277                 auf_null,       S2E_PUB,
 278 aui_null,       AUE_NULL,       aus_null,       /* 36 sync */
 279                 auf_null,       0,
 280 aui_null,       AUE_KILL,       aus_kill,       /* 37 kill */
 281                 auf_null,       0,
 282 aui_null,       AUE_FSTATFS,    aus_fstatfs,    /* 38 fstatfs */
 283                 auf_null,       S2E_PUB,
 284 aui_setpgrp,    AUE_SETPGRP,    aus_setpgrp,    /* 39 setpgrp */
 285                 auf_null,       0,
 286 aui_null,       AUE_NULL,       aus_null,       /* 40 uucopystr */
 287                 auf_null,       0,
 288 aui_null,       AUE_NULL,       aus_null,       /* 41 (loadable) was dup */
 289                 auf_null,       0,
 290 aui_null,       AUE_PIPE,       aus_null,       /* 42 (loadable) pipe */
 291                 auf_null,       0,
 292 aui_null,       AUE_NULL,       aus_null,       /* 43 times */
 293                 auf_null,       0,
 294 aui_null,       AUE_NULL,       aus_null,       /* 44 profil */
 295                 auf_null,       0,
 296 aui_null,       AUE_ACCESS,     aus_null,       /* 45 faccessat */
 297                 auf_null,       S2E_PUB,
 298 aui_null,       AUE_SETGID,     aus_setgid,     /* 46 setgid */
 299                 auf_null,       0,
 300 aui_null,       AUE_NULL,       aus_null,       /* 47 getgid */
 301                 auf_null,       0,
 302 aui_null,       AUE_MKNOD,      aus_mknodat,    /* 48 mknodat */
 303                 auf_mknodat,    S2E_MLD,
 304 aui_msgsys,     AUE_MSGSYS,     aus_msgsys,     /* 49 (loadable) msgsys */
 305                 auf_msgsys,     0,
 306 #if defined(__x86)
 307 aui_null,       AUE_NULL,       aus_null,       /* 50 sysi86 */
 308                 auf_null,       0,
 309 #else
 310 aui_null,       AUE_NULL,       aus_null,       /* 50 (loadable) was sys3b */
 311                 auf_null,       0,
 312 #endif /* __x86 */
 313 aui_null,       AUE_ACCT,       aus_acct,       /* 51 (loadable) sysacct */
 314                 auf_null,       0,
 315 aui_shmsys,     AUE_SHMSYS,     aus_shmsys,     /* 52 (loadable) shmsys */
 316                 auf_shmsys,     0,
 317 aui_semsys,     AUE_SEMSYS,     aus_semsys,     /* 53 (loadable) semsys */
 318                 auf_semsys,     0,
 319 aui_null,       AUE_IOCTL,      aus_ioctl,      /* 54 ioctl */
 320                 auf_null,       0,
 321 aui_null,       AUE_NULL,       aus_null,       /* 55 uadmin */
 322                 auf_null,       0,
 323 aui_fchownat,   AUE_NULL,       aus_fchownat,   /* 56 fchownat */
 324                 auf_null,       0,
 325 aui_utssys,     AUE_FUSERS,     aus_null,       /* 57 utssys */
 326                 auf_null,       0,
 327 aui_null,       AUE_NULL,       aus_null,       /* 58 fsync */
 328                 auf_null,       0,
 329 aui_execve,     AUE_EXECVE,     aus_null,       /* 59 exece */
 330                 auf_null,       S2E_MLD,
 331 aui_null,       AUE_NULL,       aus_null,       /* 60 umask */
 332                 auf_null,       0,
 333 aui_null,       AUE_CHROOT,     aus_null,       /* 61 chroot */
 334                 auf_null,       S2E_SP,
 335 aui_fcntl,      AUE_FCNTL,      aus_fcntl,      /* 62 fcntl */
 336                 auf_null,       0,
 337 aui_null,       AUE_NULL,       aus_null,       /* 63 ulimit */
 338                 auf_null,       0,
 339 aui_null,       AUE_RENAME,     aus_null,       /* 64 renameat */
 340                 auf_null,       0,
 341 aui_unlinkat,   AUE_NULL,       aus_null,       /* 65 unlinkat */
 342                 auf_null,       0,
 343 aui_fstatat,    AUE_NULL,       aus_null,       /* 66 fstatat */
 344                 auf_null,       S2E_PUB,
 345 aui_fstatat,    AUE_NULL,       aus_null,       /* 67 fstatat64 */
 346                 auf_null,       S2E_PUB,
 347 aui_openat,     AUE_OPEN,       aus_openat,     /* 68 openat */
 348                 auf_null,       S2E_SP,
 349 aui_openat,     AUE_OPEN,       aus_openat,     /* 69 openat64 */
 350                 auf_null,       S2E_SP,
 351 aui_null,       AUE_NULL,       aus_null,       /* 70 tasksys */
 352                 auf_null,       0,
 353 aui_null,       AUE_NULL,       aus_null,       /* 71 (loadable) acctctl */
 354                 auf_null,       0,
 355 aui_null,       AUE_NULL,       aus_null,       /* 72 (loadable) exacct */
 356                 auf_null,       0,
 357 aui_null,       AUE_NULL,       aus_null,       /* 73 getpagesizes */
 358                 auf_null,       0,
 359 aui_null,       AUE_NULL,       aus_null,       /* 74 rctlsys */
 360                 auf_null,       0,
 361 aui_null,       AUE_NULL,       aus_null,       /* 75 sidsys */
 362                 auf_null,       0,
 363 aui_null,       AUE_NULL,       aus_null,       /* 76 (loadable) was fsat */
 364                 auf_null,       0,
 365 aui_null,       AUE_NULL,       aus_null,       /* 77 syslwp_park */
 366                 auf_null,       0,
 367 aui_null,       AUE_NULL,       aus_null,       /* 78 sendfilev */
 368                 auf_null,       0,
 369 aui_null,       AUE_RMDIR,      aus_null,       /* 79 rmdir */
 370                 auf_null,       0,
 371 aui_null,       AUE_MKDIR,      aus_mkdir,      /* 80 mkdir */
 372                 auf_null,       0,
 373 aui_null,       AUE_NULL,       aus_null,       /* 81 getdents */
 374                 auf_null,       0,
 375 aui_privsys,    AUE_NULL,       aus_null,       /* 82 privsys */
 376                 auf_null,       0,
 377 aui_null,       AUE_NULL,       aus_null,       /* 83 ucredsys */
 378                 auf_null,       0,
 379 aui_null,       AUE_NULL,       aus_null,       /* 84 sysfs */
 380                 auf_null,       0,
 381 aui_null,       AUE_GETMSG,     aus_getmsg,     /* 85 getmsg */
 382                 auf_null,       0,
 383 aui_null,       AUE_PUTMSG,     aus_putmsg,     /* 86 putmsg */
 384                 auf_null,       0,
 385 aui_null,       AUE_NULL,       aus_null,       /* 87 (loadable) was poll */
 386                 auf_null,       0,
 387 aui_null,       AUE_LSTAT,      aus_null,       /* 88 lstat */
 388                 auf_null,       S2E_PUB,
 389 aui_null,       AUE_SYMLINK,    aus_null,       /* 89 symlink */
 390                 auf_null,       0,
 391 aui_null,       AUE_READLINK,   aus_null,       /* 90 readlink */
 392                 auf_null,       S2E_PUB,
 393 aui_null,       AUE_SETGROUPS,  aus_setgroups,  /* 91 setgroups */
 394                 auf_null,       0,
 395 aui_null,       AUE_NULL,       aus_null,       /* 92 getgroups */
 396                 auf_null,       0,
 397 aui_null,       AUE_FCHMOD,     aus_fchmod,     /* 93 fchmod */
 398                 auf_null,       0,
 399 aui_null,       AUE_FCHOWN,     aus_fchown,     /* 94 fchown */
 400                 auf_null,       0,
 401 aui_null,       AUE_NULL,       aus_null,       /* 95 sigprocmask */
 402                 auf_null,       0,
 403 aui_null,       AUE_NULL,       aus_null,       /* 96 sigsuspend */
 404                 auf_null,       0,
 405 aui_null,       AUE_NULL,       aus_null,       /* 97 sigaltstack */
 406                 auf_null,       0,
 407 aui_null,       AUE_NULL,       aus_null,       /* 98 sigaction */
 408                 auf_null,       0,
 409 aui_null,       AUE_NULL,       aus_null,       /* 99 sigpending */
 410                 auf_null,       0,
 411 aui_null,       AUE_NULL,       aus_null,       /* 100 setcontext */
 412                 auf_null,       0,
 413 aui_fchmodat,   AUE_NULL,       aus_fchmodat,   /* 101 fchmodat */
 414                 auf_null,       0,
 415 aui_null,       AUE_MKDIR,      aus_mkdirat,    /* 102 mkdirat */
 416                 auf_null,       0,
 417 aui_null,       AUE_STATVFS,    aus_null,       /* 103 statvfs */
 418                 auf_null,       S2E_PUB,
 419 aui_null,       AUE_NULL,       aus_null,       /* 104 fstatvfs */
 420                 auf_null,       0,
 421 aui_null,       AUE_NULL,       aus_null,       /* 105 getloadavg */
 422                 auf_null,       0,
 423 aui_null,       AUE_NULL,       aus_null,       /* 106 nfssys */
 424                 auf_null,       0,
 425 aui_null,       AUE_NULL,       aus_null,       /* 107 waitsys */
 426                 auf_null,       0,
 427 aui_null,       AUE_NULL,       aus_null,       /* 108 sigsendsys */
 428                 auf_null,       0,
 429 #if defined(__x86)
 430 aui_null,       AUE_NULL,       aus_null,       /* 109 hrtsys */
 431                 auf_null,       0,
 432 #else
 433 aui_null,       AUE_NULL,       aus_null,       /* 109 (loadable) */
 434                 auf_null,       0,
 435 #endif /* __x86 */
 436 aui_null,       AUE_UTIMES,     aus_null,       /* 110 utimesys */
 437                 auf_null,       0,
 438 aui_null,       AUE_NULL,       aus_null,       /* 111 sigresend */
 439                 auf_null,       0,
 440 aui_null,       AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
 441                 auf_null,       0,
 442 aui_null,       AUE_PATHCONF,   aus_null,       /* 113 pathconf */
 443                 auf_null,       S2E_PUB,
 444 aui_null,       AUE_NULL,       aus_null,       /* 114 mincore */
 445                 auf_null,       0,
 446 aui_null,       AUE_MMAP,       aus_mmap,       /* 115 mmap */
 447                 auf_null,       0,
 448 aui_null,       AUE_NULL,       aus_null,       /* 116 mprotect */
 449                 auf_null,       0,
 450 aui_null,       AUE_MUNMAP,     aus_munmap,     /* 117 munmap */
 451                 auf_null,       0,
 452 aui_null,       AUE_NULL,       aus_null,       /* 118 fpathconf */
 453                 auf_null,       0,
 454 aui_null,       AUE_VFORK,      aus_null,       /* 119 vfork */
 455                 auf_null,       0,
 456 aui_null,       AUE_FCHDIR,     aus_null,       /* 120 fchdir */
 457                 auf_null,       0,
 458 aui_null,       AUE_READ,       aus_null,       /* 121 readv */
 459                 auf_read,       S2E_PUB,
 460 aui_null,       AUE_WRITE,      aus_null,       /* 122 writev */
 461                 auf_write,      0,
 462 aui_null,       AUE_NULL,       aus_null,       /* 123 (loadable) was xstat */
 463                 auf_null,       0,
 464 aui_null,       AUE_NULL,       aus_null,       /* 124 (loadable) was lxstat */
 465                 auf_null,       0,
 466 aui_null,       AUE_NULL,       aus_null,       /* 125 (loadable) was fxstat */
 467                 auf_null,       0,
 468 aui_null,       AUE_NULL,       aus_null,       /* 126 (loadable) was xmknod */
 469                 auf_null,       0,
 470 aui_null,       AUE_NULL,       aus_null,       /* 127 mmapobj */
 471                 auf_null,       0,
 472 aui_null,       AUE_SETRLIMIT,  aus_null,       /* 128 setrlimit */
 473                 auf_null,       0,
 474 aui_null,       AUE_NULL,       aus_null,       /* 129 getrlimit */
 475                 auf_null,       0,
 476 aui_null,       AUE_LCHOWN,     aus_lchown,     /* 130 lchown */
 477                 auf_null,       0,
 478 aui_memcntl,    AUE_MEMCNTL,    aus_memcntl,    /* 131 memcntl */
 479                 auf_null,       0,
 480 aui_null,       AUE_GETPMSG,    aus_getpmsg,    /* 132 getpmsg */
 481                 auf_null,       0,
 482 aui_null,       AUE_PUTPMSG,    aus_putpmsg,    /* 133 putpmsg */
 483                 auf_null,       0,
 484 aui_null,       AUE_RENAME,     aus_null,       /* 134 rename */
 485                 auf_null,       0,
 486 aui_null,       AUE_NULL,       aus_null,       /* 135 uname */
 487                 auf_null,       0,
 488 aui_null,       AUE_SETEGID,    aus_setegid,    /* 136 setegid */
 489                 auf_null,       0,
 490 aui_null,       AUE_NULL,       aus_null,       /* 137 sysconfig */
 491                 auf_null,       0,
 492 aui_null,       AUE_ADJTIME,    aus_null,       /* 138 adjtime */
 493                 auf_null,       0,
 494 aui_sysinfo,    AUE_SYSINFO,    aus_sysinfo,    /* 139 systeminfo */
 495                 auf_null,       0,
 496 aui_null,       AUE_NULL,       aus_null,       /* 140 (loadable) sharefs */
 497                 auf_null,       0,
 498 aui_null,       AUE_SETEUID,    aus_seteuid,    /* 141 seteuid */
 499                 auf_null,       0,
 500 aui_forksys,    AUE_NULL,       aus_null,       /* 142 forksys */
 501                 auf_null,       0,
 502 aui_null,       AUE_NULL,       aus_null,       /* 143 (loadable) was fork1 */
 503                 auf_null,       0,
 504 aui_null,       AUE_NULL,       aus_null,       /* 144 sigwait */
 505                 auf_null,       0,
 506 aui_null,       AUE_NULL,       aus_null,       /* 145 lwp_info */
 507                 auf_null,       0,
 508 aui_null,       AUE_NULL,       aus_null,       /* 146 yield */
 509                 auf_null,       0,
 510 aui_null,       AUE_NULL,       aus_null,       /* 147 (loadable) */
 511                                                 /*      was lwp_sema_wait */
 512                 auf_null,       0,
 513 aui_null,       AUE_NULL,       aus_null,       /* 148 lwp_sema_post */
 514                 auf_null,       0,
 515 aui_null,       AUE_NULL,       aus_null,       /* 149 lwp_sema_trywait */
 516                 auf_null,       0,
 517 aui_null,       AUE_NULL,       aus_null,       /* 150 lwp_detach */
 518                 auf_null,       0,
 519 aui_null,       AUE_NULL,       aus_null,       /* 151 corectl */
 520                 auf_null,       0,
 521 aui_modctl,     AUE_MODCTL,     aus_modctl,     /* 152 modctl */
 522                 auf_null,       0,
 523 aui_null,       AUE_FCHROOT,    aus_null,       /* 153 fchroot */
 524                 auf_null,       0,
 525 aui_null,       AUE_NULL,       aus_null,       /* 154 (loadable) was utimes */
 526                 auf_null,       0,
 527 aui_null,       AUE_NULL,       aus_null,       /* 155 vhangup */
 528                 auf_null,       0,
 529 aui_null,       AUE_NULL,       aus_null,       /* 156 gettimeofday */
 530                 auf_null,       0,
 531 aui_null,       AUE_NULL,       aus_null,       /* 157 getitimer */
 532                 auf_null,       0,
 533 aui_null,       AUE_NULL,       aus_null,       /* 158 setitimer */
 534                 auf_null,       0,
 535 aui_null,       AUE_NULL,       aus_null,       /* 159 lwp_create */
 536                 auf_null,       0,
 537 aui_null,       AUE_NULL,       aus_null,       /* 160 lwp_exit */
 538                 auf_null,       0,
 539 aui_null,       AUE_NULL,       aus_null,       /* 161 lwp_suspend */
 540                 auf_null,       0,
 541 aui_null,       AUE_NULL,       aus_null,       /* 162 lwp_continue */
 542                 auf_null,       0,
 543 aui_null,       AUE_NULL,       aus_null,       /* 163 lwp_kill */
 544                 auf_null,       0,
 545 aui_null,       AUE_NULL,       aus_null,       /* 164 lwp_self */
 546                 auf_null,       0,
 547 aui_null,       AUE_NULL,       aus_null,       /* 165 lwp_sigmask */
 548                 auf_null,       0,
 549 aui_null,       AUE_NULL,       aus_null,       /* 166 lwp_private */
 550                 auf_null,       0,
 551 aui_null,       AUE_NULL,       aus_null,       /* 167 lwp_wait */
 552                 auf_null,       0,
 553 aui_null,       AUE_NULL,       aus_null,       /* 168 lwp_mutex_wakeup  */
 554                 auf_null,       0,
 555 aui_null,       AUE_NULL,       aus_null,       /* 169 (loadable) */
 556                                                 /*      was lwp_mutex_lock */
 557                 auf_null,       0,
 558 aui_null,       AUE_NULL,       aus_null,       /* 170 lwp_cond_wait */
 559                 auf_null,       0,
 560 aui_null,       AUE_NULL,       aus_null,       /* 171 lwp_cond_signal */
 561                 auf_null,       0,
 562 aui_null,       AUE_NULL,       aus_null,       /* 172 lwp_cond_broadcast */
 563                 auf_null,       0,
 564 aui_null,       AUE_READ,       aus_null,       /* 173 pread */
 565                 auf_read,       S2E_PUB,
 566 aui_null,       AUE_WRITE,      aus_null,       /* 174 pwrite */
 567                 auf_write,      0,
 568 aui_null,       AUE_NULL,       aus_null,       /* 175 llseek */
 569                 auf_null,       0,
 570 aui_null,       AUE_INST_SYNC,  aus_inst_sync,  /* 176 (loadable) inst_sync */
 571                 auf_null,       0,
 572 aui_null,       AUE_BRANDSYS,   aus_brandsys,   /* 177 brandsys */
 573                 auf_null,       0,
 574 aui_null,       AUE_NULL,       aus_null,       /* 178 (loadable) kaio */
 575                 auf_null,       0,
 576 aui_null,       AUE_NULL,       aus_null,       /* 179 (loadable) cpc */
 577                 auf_null,       0,
 578 aui_null,       AUE_NULL,       aus_null,       /* 180 lgrpsys */
 579                 auf_null,       0,
 580 aui_null,       AUE_NULL,       aus_null,       /* 181 rusagesys */
 581                 auf_null,       0,
 582 aui_portfs,     AUE_PORTFS,     aus_null,       /* 182 (loadable) portfs */
 583                 auf_null,       S2E_MLD,
 584 aui_null,       AUE_NULL,       aus_null,       /* 183 pollsys */
 585                 auf_null,       0,
 586 aui_labelsys,   AUE_NULL,       aus_labelsys,   /* 184 labelsys */
 587                 auf_null,       0,
 588 aui_acl,        AUE_ACLSET,     aus_acl,        /* 185 acl */
 589                 auf_null,       0,
 590 aui_auditsys,   AUE_AUDITSYS,   aus_auditsys,   /* 186 auditsys  */
 591                 auf_null,       0,
 592 aui_null,       AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
 593                 auf_null,       0,
 594 aui_null,       AUE_NULL,       aus_null,       /* 188 processor_info */
 595                 auf_null,       0,
 596 aui_null,       AUE_P_ONLINE,   aus_p_online,   /* 189 p_online */
 597                 auf_null,       0,
 598 aui_null,       AUE_NULL,       aus_sigqueue,   /* 190 sigqueue */
 599                 auf_null,       0,
 600 aui_null,       AUE_NULL,       aus_null,       /* 191 clock_gettime */
 601                 auf_null,       0,
 602 aui_null,       AUE_CLOCK_SETTIME,      aus_null,       /* 192 clock_settime */
 603                 auf_null,       0,
 604 aui_null,       AUE_NULL,       aus_null,       /* 193 clock_getres */
 605                 auf_null,       0,
 606 aui_null,       AUE_NULL,       aus_null,       /* 194 timer_create */
 607                 auf_null,       0,
 608 aui_null,       AUE_NULL,       aus_null,       /* 195 timer_delete */
 609                 auf_null,       0,
 610 aui_null,       AUE_NULL,       aus_null,       /* 196 timer_settime */
 611                 auf_null,       0,
 612 aui_null,       AUE_NULL,       aus_null,       /* 197 timer_gettime */
 613                 auf_null,       0,
 614 aui_null,       AUE_NULL,       aus_null,       /* 198 timer_getoverrun */
 615                 auf_null,       0,
 616 aui_null,       AUE_NULL,       aus_null,       /* 199 nanosleep */
 617                 auf_null,       0,
 618 aui_acl,        AUE_FACLSET,    aus_facl,       /* 200 facl */
 619                 auf_null,       0,
 620 aui_doorfs,     AUE_DOORFS,     aus_doorfs,     /* 201 (loadable) doorfs */
 621                 auf_null,       0,
 622 aui_null,       AUE_SETREUID,   aus_setreuid,   /* 202 setreuid */
 623                 auf_null,       0,
 624 aui_null,       AUE_SETREGID,   aus_setregid,   /* 203 setregid */
 625                 auf_null,       0,
 626 aui_null,       AUE_NULL,       aus_null,       /* 204 install_utrap */
 627                 auf_null,       0,
 628 aui_null,       AUE_NULL,       aus_null,       /* 205 signotify */
 629                 auf_null,       0,
 630 aui_null,       AUE_NULL,       aus_null,       /* 206 schedctl */
 631                 auf_null,       0,
 632 aui_null,       AUE_NULL,       aus_null,       /* 207 (loadable) pset */
 633                 auf_null,       0,
 634 aui_null,       AUE_NULL,       aus_null,       /* 208 sparc_utrap_install */
 635                 auf_null,       0,
 636 aui_null,       AUE_NULL,       aus_null,       /* 209 resolvepath */
 637                 auf_null,       0,
 638 aui_null,       AUE_NULL,       aus_null,       /* 210 lwp_mutex_timedlock */
 639                 auf_null,       0,
 640 aui_null,       AUE_NULL,       aus_null,       /* 211 lwp_sema_timedwait */
 641                 auf_null,       0,
 642 aui_null,       AUE_NULL,       aus_null,       /* 212 lwp_rwlock_sys */
 643                 auf_null,       0,
 644 aui_null,       AUE_NULL,       aus_null,       /* 213 getdents64 */
 645                 auf_null,       0,
 646 aui_null,       AUE_MMAP,       aus_mmap,       /* 214 mmap64 */
 647                 auf_null,       0,
 648 aui_null,       AUE_STAT,       aus_null,       /* 215 stat64 */
 649                 auf_null,       S2E_PUB,
 650 aui_null,       AUE_LSTAT,      aus_null,       /* 216 lstat64 */
 651                 auf_null,       S2E_PUB,
 652 aui_null,       AUE_NULL,       aus_null,       /* 217 fstat64 */
 653                 auf_null,       0,
 654 aui_null,       AUE_STATVFS,    aus_null,       /* 218 statvfs64 */
 655                 auf_null,       S2E_PUB,
 656 aui_null,       AUE_NULL,       aus_null,       /* 219 fstatvfs64 */
 657                 auf_null,       0,
 658 aui_null,       AUE_SETRLIMIT,  aus_null,       /* 220 setrlimit64 */
 659                 auf_null,       0,
 660 aui_null,       AUE_NULL,       aus_null,       /* 221 getrlimit64 */
 661                 auf_null,       0,
 662 aui_null,       AUE_READ,       aus_null,       /* 222 pread64  */
 663                 auf_read,       S2E_PUB,
 664 aui_null,       AUE_WRITE,      aus_null,       /* 223 pwrite64 */
 665                 auf_write,      0,
 666 aui_null,       AUE_NULL,       aus_null,       /* 224 (loadable) was creat64 */
 667                 auf_null,       0,
 668 aui_open,       AUE_OPEN,       aus_open,       /* 225 open64 */
 669                 auf_null,       S2E_SP,
 670 aui_null,       AUE_NULL,       aus_null,       /* 226 (loadable) rpcsys */
 671                 auf_null,       0,
 672 aui_null,       AUE_NULL,       aus_null,       /* 227 zone */
 673                 auf_null,       0,
 674 aui_null,       AUE_NULL,       aus_null,       /* 228 (loadable) autofssys */
 675                 auf_null,       0,
 676 aui_null,       AUE_NULL,       aus_null,       /* 229 getcwd */
 677                 auf_null,       0,
 678 aui_null,       AUE_SOCKET,     aus_socket,     /* 230 so_socket */
 679                 auf_null,       0,
 680 aui_null,       AUE_NULL,       aus_null,       /* 231 so_socketpair */
 681                 auf_null,       0,
 682 aui_null,       AUE_BIND,       aus_null,       /* 232 bind */
 683                 auf_bind,       0,
 684 aui_null,       AUE_NULL,       aus_null,       /* 233 listen */
 685                 auf_null,       0,
 686 aui_null,       AUE_ACCEPT,     aus_null,       /* 234 accept */
 687                 auf_accept,     0,
 688 aui_null,       AUE_CONNECT,    aus_null,       /* 235 connect */
 689                 auf_connect,    0,
 690 aui_null,       AUE_SHUTDOWN,   aus_shutdown,   /* 236 shutdown */
 691                 auf_null,       0,
 692 aui_null,       AUE_READ,       aus_null,       /* 237 recv */
 693                 auf_recv,       0,
 694 aui_null,       AUE_RECVFROM,   aus_null,       /* 238 recvfrom */
 695                 auf_recvfrom,   0,
 696 aui_null,       AUE_RECVMSG,    aus_null,       /* 239 recvmsg */
 697                 auf_recvmsg,    0,
 698 aui_null,       AUE_WRITE,      aus_null,       /* 240 send */
 699                 auf_send,       0,
 700 aui_null,       AUE_SENDMSG,    aus_null,       /* 241 sendmsg */
 701                 auf_sendmsg,    0,
 702 aui_null,       AUE_SENDTO,     aus_null,       /* 242 sendto */
 703                 auf_sendto,     0,
 704 aui_null,       AUE_NULL,       aus_null,       /* 243 getpeername */
 705                 auf_null,       0,
 706 aui_null,       AUE_NULL,       aus_null,       /* 244 getsockname */
 707                 auf_null,       0,
 708 aui_null,       AUE_NULL,       aus_null,       /* 245 getsockopt */
 709                 auf_null,       0,
 710 aui_null,       AUE_SETSOCKOPT, aus_null,       /* 246 setsockopt */
 711                 auf_setsockopt, 0,
 712 aui_null,       AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
 713                 auf_null,       0,
 714 aui_null,       AUE_NULL,       aus_null,       /* 248 ntp_gettime */
 715                 auf_null,       0,
 716 aui_null,       AUE_NTP_ADJTIME, aus_null,      /* 249 ntp_adjtime */
 717                 auf_null,       0,
 718 aui_null,       AUE_NULL,       aus_null,       /* 250 lwp_mutex_unlock */
 719                 auf_null,       0,
 720 aui_null,       AUE_NULL,       aus_null,       /* 251 lwp_mutex_trylock */
 721                 auf_null,       0,
 722 aui_null,       AUE_NULL,       aus_null,       /* 252 lwp_mutex_register */
 723                 auf_null,       0,
 724 aui_null,       AUE_NULL,       aus_null,       /* 253 cladm */
 725                 auf_null,       0,
 726 aui_null,       AUE_NULL,       aus_null,       /* 254 uucopy */
 727                 auf_null,       0,
 728 aui_null,       AUE_UMOUNT2,    aus_umount2,    /* 255 umount2 */
 729                 auf_null,       0
 730 };
 731 
 732 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
 733 
 734 
 735 /* exit start function */
 736 /*ARGSUSED*/
 737 static void
 738 aus_exit(struct t_audit_data *tad)
 739 {
 740         uint32_t rval;
 741         struct a {
 742                 long rval;
 743         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
 744 
 745         rval = (uint32_t)uap->rval;
 746         au_uwrite(au_to_arg32(1, "exit status", rval));
 747 }
 748 
 749 
 750 /* acct start function */
 751 /*ARGSUSED*/
 752 static void
 753 aus_acct(struct t_audit_data *tad)
 754 {
 755         klwp_t *clwp = ttolwp(curthread);
 756         uintptr_t fname;
 757 
 758         struct a {
 759                 long    fname;          /* char * */
 760         } *uap = (struct a *)clwp->lwp_ap;
 761 
 762         fname = (uintptr_t)uap->fname;
 763 
 764         if (fname == 0)
 765                 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
 766 }
 767 
 768 /* chown start function */
 769 /*ARGSUSED*/
 770 static void
 771 aus_chown(struct t_audit_data *tad)
 772 {
 773         klwp_t *clwp = ttolwp(curthread);
 774         uint32_t uid, gid;
 775 
 776         struct a {
 777                 long    fname;          /* char * */
 778                 long    uid;
 779                 long    gid;
 780         } *uap = (struct a *)clwp->lwp_ap;
 781 
 782         uid = (uint32_t)uap->uid;
 783         gid = (uint32_t)uap->gid;
 784 
 785         au_uwrite(au_to_arg32(2, "new file uid", uid));
 786         au_uwrite(au_to_arg32(3, "new file gid", gid));
 787 }
 788 
 789 /* fchown start function */
 790 /*ARGSUSED*/
 791 static void
 792 aus_fchown(struct t_audit_data *tad)
 793 {
 794         klwp_t *clwp = ttolwp(curthread);
 795         uint32_t uid, gid, fd;
 796         struct file  *fp;
 797         struct vnode *vp;
 798         struct f_audit_data *fad;
 799 
 800         struct a {
 801                 long fd;
 802                 long uid;
 803                 long gid;
 804         } *uap = (struct a *)clwp->lwp_ap;
 805 
 806         fd  = (uint32_t)uap->fd;
 807         uid = (uint32_t)uap->uid;
 808         gid = (uint32_t)uap->gid;
 809 
 810         au_uwrite(au_to_arg32(2, "new file uid", uid));
 811         au_uwrite(au_to_arg32(3, "new file gid", gid));
 812 
 813                 /*
 814                  * convert file pointer to file descriptor
 815                  *   Note: fd ref count incremented here.
 816                  */
 817         if ((fp = getf(fd)) == NULL)
 818                 return;
 819 
 820         /* get path from file struct here */
 821         fad = F2A(fp);
 822         if (fad->fad_aupath != NULL) {
 823                 au_uwrite(au_to_path(fad->fad_aupath));
 824         } else {
 825                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
 826         }
 827 
 828         vp = fp->f_vnode;
 829         audit_attributes(vp);
 830 
 831         /* decrement file descriptor reference count */
 832         releasef(fd);
 833 }
 834 
 835 /*ARGSUSED*/
 836 static void
 837 aus_lchown(struct t_audit_data *tad)
 838 {
 839         klwp_t *clwp = ttolwp(curthread);
 840         uint32_t uid, gid;
 841 
 842 
 843         struct a {
 844                 long    fname;          /* char * */
 845                 long    uid;
 846                 long    gid;
 847         } *uap = (struct a *)clwp->lwp_ap;
 848 
 849         uid = (uint32_t)uap->uid;
 850         gid = (uint32_t)uap->gid;
 851 
 852         au_uwrite(au_to_arg32(2, "new file uid", uid));
 853         au_uwrite(au_to_arg32(3, "new file gid", gid));
 854 }
 855 
 856 static au_event_t
 857 aui_fchownat(au_event_t e)
 858 {
 859         klwp_t *clwp = ttolwp(curthread);
 860 
 861         struct a {
 862                 long    fd;
 863                 long    fname;          /* char * */
 864                 long    uid;
 865                 long    gid;
 866                 long    flags;
 867         } *uap = (struct a *)clwp->lwp_ap;
 868 
 869         if (uap->fname == 0)
 870                 e = AUE_FCHOWN;
 871         else if (uap->flags & AT_SYMLINK_NOFOLLOW)
 872                 e = AUE_LCHOWN;
 873         else
 874                 e = AUE_CHOWN;
 875 
 876         return (e);
 877 }
 878 
 879 /*ARGSUSED*/
 880 static void
 881 aus_fchownat(struct t_audit_data *tad)
 882 {
 883         klwp_t *clwp = ttolwp(curthread);
 884         uint32_t uid, gid;
 885 
 886         struct a {
 887                 long    fd;
 888                 long    fname;          /* char * */
 889                 long    uid;
 890                 long    gid;
 891                 long    flags;
 892         } *uap = (struct a *)clwp->lwp_ap;
 893 
 894         uid = (uint32_t)uap->uid;
 895         gid = (uint32_t)uap->gid;
 896 
 897         au_uwrite(au_to_arg32(3, "new file uid", uid));
 898         au_uwrite(au_to_arg32(4, "new file gid", gid));
 899 }
 900 
 901 /*ARGSUSED*/
 902 static void
 903 aus_chmod(struct t_audit_data *tad)
 904 {
 905         klwp_t *clwp = ttolwp(curthread);
 906         uint32_t fmode;
 907 
 908         struct a {
 909                 long    fname;          /* char * */
 910                 long    fmode;
 911         } *uap = (struct a *)clwp->lwp_ap;
 912 
 913         fmode = (uint32_t)uap->fmode;
 914 
 915         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
 916 }
 917 
 918 /*ARGSUSED*/
 919 static void
 920 aus_fchmod(struct t_audit_data *tad)
 921 {
 922         klwp_t *clwp = ttolwp(curthread);
 923         uint32_t fmode, fd;
 924         struct file  *fp;
 925         struct vnode *vp;
 926         struct f_audit_data *fad;
 927 
 928         struct a {
 929                 long    fd;
 930                 long    fmode;
 931         } *uap = (struct a *)clwp->lwp_ap;
 932 
 933         fd = (uint32_t)uap->fd;
 934         fmode = (uint32_t)uap->fmode;
 935 
 936         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
 937 
 938         /*
 939          * convert file pointer to file descriptor
 940          *   Note: fd ref count incremented here.
 941          */
 942         if ((fp = getf(fd)) == NULL)
 943                 return;
 944 
 945         /* get path from file struct here */
 946         fad = F2A(fp);
 947         if (fad->fad_aupath != NULL) {
 948                 au_uwrite(au_to_path(fad->fad_aupath));
 949         } else {
 950                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
 951         }
 952 
 953         vp = fp->f_vnode;
 954         audit_attributes(vp);
 955 
 956         /* decrement file descriptor reference count */
 957         releasef(fd);
 958 }
 959 
 960 static au_event_t
 961 aui_fchmodat(au_event_t e)
 962 {
 963         klwp_t *clwp = ttolwp(curthread);
 964 
 965         struct a {
 966                 long    fd;
 967                 long    fname;          /* char * */
 968                 long    fmode;
 969                 long    flag;
 970         } *uap = (struct a *)clwp->lwp_ap;
 971 
 972         if (uap->fname == 0)
 973                 e = AUE_FCHMOD;
 974         else
 975                 e = AUE_CHMOD;
 976 
 977         return (e);
 978 }
 979 
 980 /*ARGSUSED*/
 981 static void
 982 aus_fchmodat(struct t_audit_data *tad)
 983 {
 984         klwp_t *clwp = ttolwp(curthread);
 985         uint32_t fmode;
 986         uint32_t fd;
 987         struct file  *fp;
 988         struct vnode *vp;
 989         struct f_audit_data *fad;
 990 
 991         struct a {
 992                 long    fd;
 993                 long    fname;          /* char * */
 994                 long    fmode;
 995                 long    flag;
 996         } *uap = (struct a *)clwp->lwp_ap;
 997 
 998         fd = (uint32_t)uap->fd;
 999         fmode = (uint32_t)uap->fmode;
1000 
1001         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1002 
1003         if (fd == AT_FDCWD || uap->fname != 0)       /* same as chmod() */
1004                 return;
1005 
1006         /*
1007          * convert file pointer to file descriptor
1008          *   Note: fd ref count incremented here.
1009          */
1010         if ((fp = getf(fd)) == NULL)
1011                 return;
1012 
1013         /* get path from file struct here */
1014         fad = F2A(fp);
1015         if (fad->fad_aupath != NULL) {
1016                 au_uwrite(au_to_path(fad->fad_aupath));
1017         } else {
1018                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1019         }
1020 
1021         vp = fp->f_vnode;
1022         audit_attributes(vp);
1023 
1024         /* decrement file descriptor reference count */
1025         releasef(fd);
1026 }
1027 
1028 /*
1029  * convert open mode to appropriate open event
1030  */
1031 au_event_t
1032 open_event(uint_t fm)
1033 {
1034         au_event_t e;
1035 
1036         switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1037         case O_RDONLY:
1038                 e = AUE_OPEN_R;
1039                 break;
1040         case O_RDONLY | O_CREAT:
1041                 e = AUE_OPEN_RC;
1042                 break;
1043         case O_RDONLY | O_TRUNC:
1044                 e = AUE_OPEN_RT;
1045                 break;
1046         case O_RDONLY | O_TRUNC | O_CREAT:
1047                 e = AUE_OPEN_RTC;
1048                 break;
1049         case O_WRONLY:
1050                 e = AUE_OPEN_W;
1051                 break;
1052         case O_WRONLY | O_CREAT:
1053                 e = AUE_OPEN_WC;
1054                 break;
1055         case O_WRONLY | O_TRUNC:
1056                 e = AUE_OPEN_WT;
1057                 break;
1058         case O_WRONLY | O_TRUNC | O_CREAT:
1059                 e = AUE_OPEN_WTC;
1060                 break;
1061         case O_RDWR:
1062                 e = AUE_OPEN_RW;
1063                 break;
1064         case O_RDWR | O_CREAT:
1065                 e = AUE_OPEN_RWC;
1066                 break;
1067         case O_RDWR | O_TRUNC:
1068                 e = AUE_OPEN_RWT;
1069                 break;
1070         case O_RDWR | O_TRUNC | O_CREAT:
1071                 e = AUE_OPEN_RWTC;
1072                 break;
1073         case O_SEARCH:
1074                 e = AUE_OPEN_S;
1075                 break;
1076         case O_EXEC:
1077                 e = AUE_OPEN_E;
1078                 break;
1079         default:
1080                 e = AUE_NULL;
1081                 break;
1082         }
1083 
1084         return (e);
1085 }
1086 
1087 /* ARGSUSED */
1088 static au_event_t
1089 aui_open(au_event_t e)
1090 {
1091         klwp_t *clwp = ttolwp(curthread);
1092         uint_t fm;
1093 
1094         struct a {
1095                 long    fnamep;         /* char * */
1096                 long    fmode;
1097                 long    cmode;
1098         } *uap = (struct a *)clwp->lwp_ap;
1099 
1100         fm = (uint_t)uap->fmode;
1101 
1102         return (open_event(fm));
1103 }
1104 
1105 static void
1106 aus_open(struct t_audit_data *tad)
1107 {
1108         klwp_t *clwp = ttolwp(curthread);
1109         uint_t fm;
1110 
1111         struct a {
1112                 long    fnamep;         /* char * */
1113                 long    fmode;
1114                 long    cmode;
1115         } *uap = (struct a *)clwp->lwp_ap;
1116 
1117         fm = (uint_t)uap->fmode;
1118 
1119         /* If no write, create, or trunc modes, mark as a public op */
1120         if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1121                 tad->tad_ctrl |= TAD_PUBLIC_EV;
1122 }
1123 
1124 /* ARGSUSED */
1125 static au_event_t
1126 aui_openat(au_event_t e)
1127 {
1128         t_audit_data_t *tad = T2A(curthread);
1129         klwp_t *clwp = ttolwp(curthread);
1130         uint_t fm;
1131 
1132         struct a {
1133                 long    filedes;
1134                 long    fnamep;         /* char * */
1135                 long    fmode;
1136                 long    cmode;
1137         } *uap = (struct a *)clwp->lwp_ap;
1138 
1139         fm = (uint_t)uap->fmode;
1140 
1141         /*
1142          * __openattrdirat() does an extra pathname lookup in order to
1143          * enter the extended system attribute namespace of the referenced
1144          * extended attribute filename.
1145          */
1146         if (fm & FXATTRDIROPEN)
1147                 tad->tad_ctrl |= TAD_MLD;
1148 
1149         return (open_event(fm));
1150 }
1151 
1152 static void
1153 aus_openat(struct t_audit_data *tad)
1154 {
1155         klwp_t *clwp = ttolwp(curthread);
1156         uint_t fm;
1157 
1158         struct a {
1159                 long    filedes;
1160                 long    fnamep;         /* char * */
1161                 long    fmode;
1162                 long    cmode;
1163         } *uap = (struct a *)clwp->lwp_ap;
1164 
1165         fm = (uint_t)uap->fmode;
1166 
1167         /* If no write, create, or trunc modes, mark as a public op */
1168         if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1169                 tad->tad_ctrl |= TAD_PUBLIC_EV;
1170 }
1171 
1172 static au_event_t
1173 aui_unlinkat(au_event_t e)
1174 {
1175         klwp_t *clwp = ttolwp(curthread);
1176 
1177         struct a {
1178                 long    filedes;
1179                 long    fnamep;         /* char * */
1180                 long    flags;
1181         } *uap = (struct a *)clwp->lwp_ap;
1182 
1183         if (uap->flags & AT_REMOVEDIR)
1184                 e = AUE_RMDIR;
1185         else
1186                 e = AUE_UNLINK;
1187 
1188         return (e);
1189 }
1190 
1191 static au_event_t
1192 aui_fstatat(au_event_t e)
1193 {
1194         klwp_t *clwp = ttolwp(curthread);
1195 
1196         struct a {
1197                 long    filedes;
1198                 long    fnamep;         /* char * */
1199                 long    statb;
1200                 long    flags;
1201         } *uap = (struct a *)clwp->lwp_ap;
1202 
1203         if (uap->fnamep == 0)
1204                 e = AUE_FSTAT;
1205         else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1206                 e = AUE_LSTAT;
1207         else
1208                 e = AUE_STAT;
1209 
1210         return (e);
1211 }
1212 
1213 /* msgsys */
1214 static au_event_t
1215 aui_msgsys(au_event_t e)
1216 {
1217         klwp_t *clwp = ttolwp(curthread);
1218         uint_t fm;
1219 
1220         struct a {
1221                 long    id;     /* function code id */
1222                 long    ap;     /* arg pointer for recvmsg */
1223         } *uap = (struct a *)clwp->lwp_ap;
1224 
1225         struct b {
1226                 long    msgid;
1227                 long    cmd;
1228                 long    buf;    /* struct msqid_ds * */
1229         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1230 
1231         fm  = (uint_t)uap->id;
1232 
1233         switch (fm) {
1234         case 0:         /* msgget */
1235                 e = AUE_MSGGET;
1236                 break;
1237         case 1:         /* msgctl */
1238                 switch ((uint_t)uap1->cmd) {
1239                 case IPC_RMID:
1240                         e = AUE_MSGCTL_RMID;
1241                         break;
1242                 case IPC_SET:
1243                         e = AUE_MSGCTL_SET;
1244                         break;
1245                 case IPC_STAT:
1246                         e = AUE_MSGCTL_STAT;
1247                         break;
1248                 default:
1249                         e = AUE_MSGCTL;
1250                         break;
1251                 }
1252                 break;
1253         case 2:         /* msgrcv */
1254                 e = AUE_MSGRCV;
1255                 break;
1256         case 3:         /* msgsnd */
1257                 e = AUE_MSGSND;
1258                 break;
1259         default:        /* illegal system call */
1260                 e = AUE_NULL;
1261                 break;
1262         }
1263 
1264         return (e);
1265 }
1266 
1267 
1268 /* shmsys */
1269 static au_event_t
1270 aui_shmsys(au_event_t e)
1271 {
1272         klwp_t *clwp = ttolwp(curthread);
1273         int fm;
1274 
1275         struct a {              /* shmsys */
1276                 long    id;     /* function code id */
1277         } *uap = (struct a *)clwp->lwp_ap;
1278 
1279         struct b {              /* ctrl */
1280                 long    shmid;
1281                 long    cmd;
1282                 long    arg;            /* struct shmid_ds * */
1283         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1284         fm  = (uint_t)uap->id;
1285 
1286         switch (fm) {
1287         case 0:         /* shmat */
1288                 e = AUE_SHMAT;
1289                 break;
1290         case 1:         /* shmctl */
1291                 switch ((uint_t)uap1->cmd) {
1292                 case IPC_RMID:
1293                         e = AUE_SHMCTL_RMID;
1294                         break;
1295                 case IPC_SET:
1296                         e = AUE_SHMCTL_SET;
1297                         break;
1298                 case IPC_STAT:
1299                         e = AUE_SHMCTL_STAT;
1300                         break;
1301                 default:
1302                         e = AUE_SHMCTL;
1303                         break;
1304                 }
1305                 break;
1306         case 2:         /* shmdt */
1307                 e = AUE_SHMDT;
1308                 break;
1309         case 3:         /* shmget */
1310                 e = AUE_SHMGET;
1311                 break;
1312         default:        /* illegal system call */
1313                 e = AUE_NULL;
1314                 break;
1315         }
1316 
1317         return (e);
1318 }
1319 
1320 
1321 /* semsys */
1322 static au_event_t
1323 aui_semsys(au_event_t e)
1324 {
1325         klwp_t *clwp = ttolwp(curthread);
1326         uint_t fm;
1327 
1328         struct a {              /* semsys */
1329                 long    id;
1330         } *uap = (struct a *)clwp->lwp_ap;
1331 
1332         struct b {              /* ctrl */
1333                 long    semid;
1334                 long    semnum;
1335                 long    cmd;
1336                 long    arg;
1337         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1338 
1339         fm = (uint_t)uap->id;
1340 
1341         switch (fm) {
1342         case 0:         /* semctl */
1343                 switch ((uint_t)uap1->cmd) {
1344                 case IPC_RMID:
1345                         e = AUE_SEMCTL_RMID;
1346                         break;
1347                 case IPC_SET:
1348                         e = AUE_SEMCTL_SET;
1349                         break;
1350                 case IPC_STAT:
1351                         e = AUE_SEMCTL_STAT;
1352                         break;
1353                 case GETNCNT:
1354                         e = AUE_SEMCTL_GETNCNT;
1355                         break;
1356                 case GETPID:
1357                         e = AUE_SEMCTL_GETPID;
1358                         break;
1359                 case GETVAL:
1360                         e = AUE_SEMCTL_GETVAL;
1361                         break;
1362                 case GETALL:
1363                         e = AUE_SEMCTL_GETALL;
1364                         break;
1365                 case GETZCNT:
1366                         e = AUE_SEMCTL_GETZCNT;
1367                         break;
1368                 case SETVAL:
1369                         e = AUE_SEMCTL_SETVAL;
1370                         break;
1371                 case SETALL:
1372                         e = AUE_SEMCTL_SETALL;
1373                         break;
1374                 default:
1375                         e = AUE_SEMCTL;
1376                         break;
1377                 }
1378                 break;
1379         case 1:         /* semget */
1380                 e = AUE_SEMGET;
1381                 break;
1382         case 2:         /* semop */
1383                 e = AUE_SEMOP;
1384                 break;
1385         default:        /* illegal system call */
1386                 e = AUE_NULL;
1387                 break;
1388         }
1389 
1390         return (e);
1391 }
1392 
1393 /* utssys - uname(2), ustat(2), fusers(2) */
1394 static au_event_t
1395 aui_utssys(au_event_t e)
1396 {
1397         klwp_t *clwp = ttolwp(curthread);
1398         uint_t type;
1399 
1400         struct a {
1401                 union {
1402                         long    cbuf;           /* char * */
1403                         long    ubuf;           /* struct stat * */
1404                 } ub;
1405                 union {
1406                         long    mv;     /* for USTAT */
1407                         long    flags;  /* for FUSERS */
1408                 } un;
1409                 long    type;
1410                 long    outbp;          /* char * for FUSERS */
1411         } *uap = (struct a *)clwp->lwp_ap;
1412 
1413         type = (uint_t)uap->type;
1414 
1415         if (type == UTS_FUSERS)
1416                 return (e);
1417         else
1418                 return ((au_event_t)AUE_NULL);
1419 }
1420 
1421 static au_event_t
1422 aui_fcntl(au_event_t e)
1423 {
1424         klwp_t *clwp = ttolwp(curthread);
1425         uint_t cmd;
1426 
1427         struct a {
1428                 long    fdes;
1429                 long    cmd;
1430                 long    arg;
1431         } *uap = (struct a *)clwp->lwp_ap;
1432 
1433         cmd = (uint_t)uap->cmd;
1434 
1435         switch (cmd) {
1436         case F_GETLK:
1437         case F_SETLK:
1438         case F_SETLKW:
1439                 break;
1440         case F_SETFL:
1441         case F_GETFL:
1442         case F_GETFD:
1443                 break;
1444         default:
1445                 e = (au_event_t)AUE_NULL;
1446                 break;
1447         }
1448         return ((au_event_t)e);
1449 }
1450 
1451 /* null function for now */
1452 static au_event_t
1453 aui_execve(au_event_t e)
1454 {
1455         return (e);
1456 }
1457 
1458 /*ARGSUSED*/
1459 static void
1460 aus_fcntl(struct t_audit_data *tad)
1461 {
1462         klwp_t *clwp = ttolwp(curthread);
1463         uint32_t cmd, fd, flags;
1464         struct file  *fp;
1465         struct vnode *vp;
1466         struct f_audit_data *fad;
1467 
1468         struct a {
1469                 long    fd;
1470                 long    cmd;
1471                 long    arg;
1472         } *uap = (struct a *)clwp->lwp_ap;
1473 
1474         cmd     = (uint32_t)uap->cmd;
1475         fd      = (uint32_t)uap->fd;
1476         flags   = (uint32_t)uap->arg;
1477 
1478         au_uwrite(au_to_arg32(2, "cmd", cmd));
1479 
1480         if (cmd == F_SETFL)
1481                 au_uwrite(au_to_arg32(3, "flags", flags));
1482 
1483                 /*
1484                  * convert file pointer to file descriptor
1485                  *   Note: fd ref count incremented here.
1486                  */
1487         if ((fp = getf(fd)) == NULL)
1488                 return;
1489 
1490         /* get path from file struct here */
1491         fad = F2A(fp);
1492         if (fad->fad_aupath != NULL) {
1493                 au_uwrite(au_to_path(fad->fad_aupath));
1494         } else {
1495                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1496         }
1497 
1498         vp = fp->f_vnode;
1499         audit_attributes(vp);
1500 
1501         /* decrement file descriptor reference count */
1502         releasef(fd);
1503 }
1504 
1505 /*ARGSUSED*/
1506 static void
1507 aus_kill(struct t_audit_data *tad)
1508 {
1509         klwp_t *clwp = ttolwp(curthread);
1510         struct proc *p;
1511         uint32_t signo;
1512         uid_t uid, ruid;
1513         gid_t gid, rgid;
1514         pid_t pid;
1515         const auditinfo_addr_t *ainfo;
1516         cred_t *cr;
1517 
1518         struct a {
1519                 long    pid;
1520                 long    signo;
1521         } *uap = (struct a *)clwp->lwp_ap;
1522 
1523         pid   = (pid_t)uap->pid;
1524         signo = (uint32_t)uap->signo;
1525 
1526         au_uwrite(au_to_arg32(2, "signal", signo));
1527         if (pid > 0) {
1528                 mutex_enter(&pidlock);
1529                 if (((p = prfind(pid)) == (struct proc *)0) ||
1530                     (p->p_stat == SIDL)) {
1531                         mutex_exit(&pidlock);
1532                         au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1533                         return;
1534                 }
1535                 mutex_enter(&p->p_lock); /* so process doesn't go away */
1536                 mutex_exit(&pidlock);
1537 
1538                 mutex_enter(&p->p_crlock);
1539                 crhold(cr = p->p_cred);
1540                 mutex_exit(&p->p_crlock);
1541                 mutex_exit(&p->p_lock);
1542 
1543                 ainfo = crgetauinfo(cr);
1544                 if (ainfo == NULL) {
1545                         crfree(cr);
1546                         au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1547                         return;
1548                 }
1549 
1550                 uid  = crgetuid(cr);
1551                 gid  = crgetgid(cr);
1552                 ruid = crgetruid(cr);
1553                 rgid = crgetrgid(cr);
1554                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1555                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1556 
1557                 if (is_system_labeled())
1558                         au_uwrite(au_to_label(CR_SL(cr)));
1559 
1560                 crfree(cr);
1561         }
1562         else
1563                 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1564 }
1565 
1566 /*ARGSUSED*/
1567 static void
1568 aus_mkdir(struct t_audit_data *tad)
1569 {
1570         klwp_t *clwp = ttolwp(curthread);
1571         uint32_t dmode;
1572 
1573         struct a {
1574                 long    dirnamep;               /* char * */
1575                 long    dmode;
1576         } *uap = (struct a *)clwp->lwp_ap;
1577 
1578         dmode = (uint32_t)uap->dmode;
1579 
1580         au_uwrite(au_to_arg32(2, "mode", dmode));
1581 }
1582 
1583 /*ARGSUSED*/
1584 static void
1585 aus_mkdirat(struct t_audit_data *tad)
1586 {
1587         klwp_t *clwp = ttolwp(curthread);
1588         uint32_t dmode;
1589 
1590         struct a {
1591                 long    fd;
1592                 long    dirnamep;               /* char * */
1593                 long    dmode;
1594         } *uap = (struct a *)clwp->lwp_ap;
1595 
1596         dmode = (uint32_t)uap->dmode;
1597 
1598         au_uwrite(au_to_arg32(2, "mode", dmode));
1599 }
1600 
1601 /*ARGSUSED*/
1602 static void
1603 aus_mknod(struct t_audit_data *tad)
1604 {
1605         klwp_t *clwp = ttolwp(curthread);
1606         uint32_t fmode;
1607         dev_t dev;
1608 
1609         struct a {
1610                 long    pnamep;         /* char * */
1611                 long    fmode;
1612                 long    dev;
1613         } *uap = (struct a *)clwp->lwp_ap;
1614 
1615         fmode = (uint32_t)uap->fmode;
1616         dev   = (dev_t)uap->dev;
1617 
1618         au_uwrite(au_to_arg32(2, "mode", fmode));
1619 #ifdef _LP64
1620         au_uwrite(au_to_arg64(3, "dev", dev));
1621 #else
1622         au_uwrite(au_to_arg32(3, "dev", dev));
1623 #endif
1624 }
1625 
1626 /*ARGSUSED*/
1627 static void
1628 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1629 {
1630         klwp_t *clwp = ttolwp(curthread);
1631         vnode_t *dvp;
1632         caddr_t pnamep;
1633 
1634         struct a {
1635                 long    pnamep;         /* char * */
1636                 long    fmode;
1637                 long    dev;
1638         } *uap = (struct a *)clwp->lwp_ap;
1639 
1640         /* no error, then already path token in audit record */
1641         if (error != EPERM && error != EINVAL)
1642                 return;
1643 
1644         /* do the lookup to force generation of path token */
1645         pnamep = (caddr_t)uap->pnamep;
1646         tad->tad_ctrl |= TAD_NOATTRB;
1647         error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1648         if (error == 0)
1649                 VN_RELE(dvp);
1650 }
1651 
1652 /*ARGSUSED*/
1653 static void
1654 aus_mknodat(struct t_audit_data *tad)
1655 {
1656         klwp_t *clwp = ttolwp(curthread);
1657         uint32_t fmode;
1658         dev_t dev;
1659 
1660         struct a {
1661                 long    fd;
1662                 long    pnamep;         /* char * */
1663                 long    fmode;
1664                 long    dev;
1665         } *uap = (struct a *)clwp->lwp_ap;
1666 
1667         fmode = (uint32_t)uap->fmode;
1668         dev   = (dev_t)uap->dev;
1669 
1670         au_uwrite(au_to_arg32(2, "mode", fmode));
1671 #ifdef _LP64
1672         au_uwrite(au_to_arg64(3, "dev", dev));
1673 #else
1674         au_uwrite(au_to_arg32(3, "dev", dev));
1675 #endif
1676 }
1677 
1678 /*ARGSUSED*/
1679 static void
1680 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1681 {
1682         klwp_t *clwp = ttolwp(curthread);
1683         vnode_t *startvp;
1684         vnode_t *dvp;
1685         caddr_t pnamep;
1686         int fd;
1687 
1688         struct a {
1689                 long    fd;
1690                 long    pnamep;         /* char * */
1691                 long    fmode;
1692                 long    dev;
1693         } *uap = (struct a *)clwp->lwp_ap;
1694 
1695         /* no error, then already path token in audit record */
1696         if (error != EPERM && error != EINVAL)
1697                 return;
1698 
1699         /* do the lookup to force generation of path token */
1700         fd = (int)uap->fd;
1701         pnamep = (caddr_t)uap->pnamep;
1702         if (pnamep == NULL ||
1703             fgetstartvp(fd, pnamep, &startvp) != 0)
1704                 return;
1705         tad->tad_ctrl |= TAD_NOATTRB;
1706         error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1707             startvp);
1708         if (error == 0)
1709                 VN_RELE(dvp);
1710         if (startvp != NULL)
1711                 VN_RELE(startvp);
1712 }
1713 
1714 /*ARGSUSED*/
1715 static void
1716 aus_mount(struct t_audit_data *tad)
1717 {
1718         /* AUS_START */
1719         klwp_t *clwp = ttolwp(curthread);
1720         uint32_t flags;
1721         uintptr_t u_fstype, dataptr;
1722         STRUCT_DECL(nfs_args, nfsargs);
1723         size_t len;
1724         char *fstype, *hostname;
1725 
1726         struct a {
1727                 long    spec;           /* char    * */
1728                 long    dir;            /* char    * */
1729                 long    flags;
1730                 long    fstype;         /* char    * */
1731                 long    dataptr;        /* char    * */
1732                 long    datalen;
1733         } *uap = (struct a *)clwp->lwp_ap;
1734 
1735         u_fstype = (uintptr_t)uap->fstype;
1736         flags    = (uint32_t)uap->flags;
1737         dataptr  = (uintptr_t)uap->dataptr;
1738 
1739         fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1740         if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1741                 goto mount_free_fstype;
1742 
1743         au_uwrite(au_to_arg32(3, "flags", flags));
1744         au_uwrite(au_to_text(fstype));
1745 
1746         if (strncmp(fstype, "nfs", 3) == 0) {
1747 
1748                 STRUCT_INIT(nfsargs, get_udatamodel());
1749                 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1750 
1751                 if (copyin((caddr_t)dataptr, STRUCT_BUF(nfsargs),
1752                     MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1753                         /* DEBUG debug_enter((char *)NULL); */
1754                         goto mount_free_fstype;
1755                 }
1756                 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1757                 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1758                     (caddr_t)hostname, MAXNAMELEN, &len)) {
1759                         goto mount_free_hostname;
1760                 }
1761                 au_uwrite(au_to_text(hostname));
1762                 au_uwrite(au_to_arg32(3, "internal flags",
1763                     (uint_t)STRUCT_FGET(nfsargs, flags)));
1764 
1765 mount_free_hostname:
1766                 kmem_free(hostname, MAXNAMELEN);
1767         }
1768 
1769 mount_free_fstype:
1770         kmem_free(fstype, MAXNAMELEN);
1771 }       /* AUS_MOUNT */
1772 
1773 static void
1774 aus_umount_path(caddr_t umount_dir)
1775 {
1776         char                    *dir_path;
1777         struct audit_path       *path;
1778         size_t                  path_len, dir_len;
1779 
1780         /* length alloc'd for two string pointers */
1781         path_len = sizeof (struct audit_path) + sizeof (char *);
1782         path = kmem_alloc(path_len, KM_SLEEP);
1783         dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1784 
1785         if (copyinstr(umount_dir, (caddr_t)dir_path,
1786             MAXPATHLEN, &dir_len))
1787                 goto umount2_free_dir;
1788 
1789         /*
1790          * the audit_path struct assumes that the buffer pointed to
1791          * by audp_sect[n] contains string 0 immediatedly followed
1792          * by string 1.
1793          */
1794         path->audp_sect[0] = dir_path;
1795         path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1796         path->audp_size = path_len;
1797         path->audp_ref = 1;          /* not used */
1798         path->audp_cnt = 1;          /* one path string */
1799 
1800         au_uwrite(au_to_path(path));
1801 
1802 umount2_free_dir:
1803         kmem_free(dir_path, MAXPATHLEN);
1804         kmem_free(path, path_len);
1805 }
1806 
1807 /*ARGSUSED*/
1808 static void
1809 aus_umount2(struct t_audit_data *tad)
1810 {
1811         klwp_t                  *clwp = ttolwp(curthread);
1812         struct a {
1813                 long    dir;            /* char    * */
1814                 long    flags;
1815         } *uap = (struct a *)clwp->lwp_ap;
1816 
1817         aus_umount_path((caddr_t)uap->dir);
1818 
1819         au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1820 }
1821 
1822 static void
1823 aus_msgsys(struct t_audit_data *tad)
1824 {
1825         klwp_t *clwp = ttolwp(curthread);
1826         uint32_t msgid;
1827 
1828         struct b {
1829                 long    msgid;
1830                 long    cmd;
1831                 long    buf;            /* struct msqid_ds * */
1832         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1833 
1834         msgid = (uint32_t)uap1->msgid;
1835 
1836 
1837         switch (tad->tad_event) {
1838         case AUE_MSGGET:                /* msgget */
1839                 au_uwrite(au_to_arg32(1, "msg key", msgid));
1840                 break;
1841         case AUE_MSGCTL:                /* msgctl */
1842         case AUE_MSGCTL_RMID:           /* msgctl */
1843         case AUE_MSGCTL_SET:            /* msgctl */
1844         case AUE_MSGCTL_STAT:           /* msgctl */
1845         case AUE_MSGRCV:                /* msgrcv */
1846         case AUE_MSGSND:                /* msgsnd */
1847                 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1848                 break;
1849         }
1850 }
1851 
1852 /*ARGSUSED*/
1853 static void
1854 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1855 {
1856         int id;
1857 
1858         if (error != 0)
1859                 return;
1860         if (tad->tad_event == AUE_MSGGET) {
1861                 uint32_t scid;
1862                 uint32_t sy_flags;
1863 
1864                 /* need to determine type of executing binary */
1865                 scid = tad->tad_scid;
1866 #ifdef _SYSCALL32_IMPL
1867                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1868                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1869                 else
1870                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1871 #else
1872                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1873 #endif
1874                 if (sy_flags == SE_32RVAL1)
1875                         id = rval->r_val1;
1876                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1877                         id = rval->r_val1;
1878                 if (sy_flags == SE_64RVAL)
1879                         id = (int)rval->r_vals;
1880 
1881                 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1882         }
1883 }
1884 
1885 static void
1886 aus_semsys(struct t_audit_data *tad)
1887 {
1888         klwp_t *clwp = ttolwp(curthread);
1889         uint32_t semid;
1890 
1891         struct b {              /* ctrl */
1892                 long    semid;
1893                 long    semnum;
1894                 long    cmd;
1895                 long    arg;
1896         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1897 
1898         semid = (uint32_t)uap1->semid;
1899 
1900         switch (tad->tad_event) {
1901         case AUE_SEMCTL_RMID:
1902         case AUE_SEMCTL_STAT:
1903         case AUE_SEMCTL_GETNCNT:
1904         case AUE_SEMCTL_GETPID:
1905         case AUE_SEMCTL_GETVAL:
1906         case AUE_SEMCTL_GETALL:
1907         case AUE_SEMCTL_GETZCNT:
1908         case AUE_SEMCTL_SET:
1909         case AUE_SEMCTL_SETVAL:
1910         case AUE_SEMCTL_SETALL:
1911         case AUE_SEMCTL:
1912         case AUE_SEMOP:
1913                 au_uwrite(au_to_arg32(1, "sem ID", semid));
1914                 break;
1915         case AUE_SEMGET:
1916                 au_uwrite(au_to_arg32(1, "sem key", semid));
1917                 break;
1918         }
1919 }
1920 
1921 /*ARGSUSED*/
1922 static void
1923 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1924 {
1925         int id;
1926 
1927         if (error != 0)
1928                 return;
1929         if (tad->tad_event == AUE_SEMGET) {
1930                 uint32_t scid;
1931                 uint32_t sy_flags;
1932 
1933                 /* need to determine type of executing binary */
1934                 scid = tad->tad_scid;
1935 #ifdef _SYSCALL32_IMPL
1936                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1937                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1938                 else
1939                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1940 #else
1941                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1942 #endif
1943                 if (sy_flags == SE_32RVAL1)
1944                         id = rval->r_val1;
1945                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1946                         id = rval->r_val1;
1947                 if (sy_flags == SE_64RVAL)
1948                         id = (int)rval->r_vals;
1949 
1950                 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1951         }
1952 }
1953 
1954 /*ARGSUSED*/
1955 static void
1956 aus_close(struct t_audit_data *tad)
1957 {
1958         klwp_t *clwp = ttolwp(curthread);
1959         uint32_t fd;
1960         struct file *fp;
1961         struct f_audit_data *fad;
1962         struct vnode *vp;
1963         struct vattr attr;
1964         au_kcontext_t   *kctx = GET_KCTX_PZ;
1965 
1966         struct a {
1967                 long    i;
1968         } *uap = (struct a *)clwp->lwp_ap;
1969 
1970         fd = (uint32_t)uap->i;
1971 
1972         attr.va_mask = 0;
1973         au_uwrite(au_to_arg32(1, "fd", fd));
1974 
1975                 /*
1976                  * convert file pointer to file descriptor
1977                  *   Note: fd ref count incremented here.
1978                  */
1979         if ((fp = getf(fd)) == NULL)
1980                 return;
1981 
1982         fad = F2A(fp);
1983         tad->tad_evmod = (au_emod_t)fad->fad_flags;
1984         if (fad->fad_aupath != NULL) {
1985                 au_uwrite(au_to_path(fad->fad_aupath));
1986                 if ((vp = fp->f_vnode) != NULL) {
1987                         attr.va_mask = AT_ALL;
1988                         if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1989                                 /*
1990                                  * When write was not used and the file can be
1991                                  * considered public, skip the audit.
1992                                  */
1993                                 if (((fp->f_flag & FWRITE) == 0) &&
1994                                     object_is_public(&attr)) {
1995                                         tad->tad_flag = 0;
1996                                         tad->tad_evmod = 0;
1997                                         /* free any residual audit data */
1998                                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1999                                         releasef(fd);
2000                                         return;
2001                                 }
2002                                 au_uwrite(au_to_attr(&attr));
2003                                 audit_sec_attributes(&(u_ad), vp);
2004                         }
2005                 }
2006         }
2007 
2008         /* decrement file descriptor reference count */
2009         releasef(fd);
2010 }
2011 
2012 /*ARGSUSED*/
2013 static void
2014 aus_fstatfs(struct t_audit_data *tad)
2015 {
2016         klwp_t *clwp = ttolwp(curthread);
2017         uint32_t fd;
2018         struct file  *fp;
2019         struct vnode *vp;
2020         struct f_audit_data *fad;
2021 
2022         struct a {
2023                 long    fd;
2024                 long    buf;            /* struct statfs * */
2025         } *uap = (struct a *)clwp->lwp_ap;
2026 
2027         fd = (uint_t)uap->fd;
2028 
2029                 /*
2030                  * convert file pointer to file descriptor
2031                  *   Note: fd ref count incremented here.
2032                  */
2033         if ((fp = getf(fd)) == NULL)
2034                 return;
2035 
2036                 /* get path from file struct here */
2037         fad = F2A(fp);
2038         if (fad->fad_aupath != NULL) {
2039                 au_uwrite(au_to_path(fad->fad_aupath));
2040         } else {
2041                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2042         }
2043 
2044         vp = fp->f_vnode;
2045         audit_attributes(vp);
2046 
2047         /* decrement file descriptor reference count */
2048         releasef(fd);
2049 }
2050 
2051 static au_event_t
2052 aui_setpgrp(au_event_t e)
2053 {
2054         klwp_t *clwp = ttolwp(curthread);
2055         int flag;
2056 
2057         struct a {
2058                 long    flag;
2059                 long    pid;
2060                 long    pgid;
2061         } *uap = (struct a *)clwp->lwp_ap;
2062 
2063         flag = (int)uap->flag;
2064 
2065 
2066         switch (flag) {
2067 
2068         case 1: /* setpgrp() */
2069                 e = AUE_SETPGRP;
2070                 break;
2071 
2072         case 3: /* setsid() */
2073                 e = AUE_SETSID;
2074                 break;
2075 
2076         case 5: /* setpgid() */
2077                 e = AUE_SETPGID;
2078                 break;
2079 
2080         case 0: /* getpgrp()    - not security relevant */
2081         case 2: /* getsid()     - not security relevant */
2082         case 4: /* getpgid()    - not security relevant */
2083                 e = AUE_NULL;
2084                 break;
2085 
2086         default:
2087                 e = AUE_NULL;
2088                 break;
2089         }
2090 
2091         return (e);
2092 }
2093 
2094 /*ARGSUSED*/
2095 static void
2096 aus_setpgrp(struct t_audit_data *tad)
2097 {
2098         klwp_t          *clwp = ttolwp(curthread);
2099         pid_t           pgid;
2100         struct proc     *p;
2101         uid_t           uid, ruid;
2102         gid_t           gid, rgid;
2103         pid_t           pid;
2104         cred_t          *cr;
2105         int             flag;
2106         const auditinfo_addr_t  *ainfo;
2107 
2108         struct a {
2109                 long    flag;
2110                 long    pid;
2111                 long    pgid;
2112         } *uap = (struct a *)clwp->lwp_ap;
2113 
2114         flag = (int)uap->flag;
2115         pid  = (pid_t)uap->pid;
2116         pgid = (pid_t)uap->pgid;
2117 
2118 
2119         switch (flag) {
2120 
2121         case 0: /* getpgrp() */
2122         case 1: /* setpgrp() */
2123         case 2: /* getsid() */
2124         case 3: /* setsid() */
2125         case 4: /* getpgid() */
2126                 break;
2127 
2128         case 5: /* setpgid() */
2129 
2130                 /* current process? */
2131                 if (pid == 0) {
2132                         return;
2133                 }
2134 
2135                 mutex_enter(&pidlock);
2136                 p = prfind(pid);
2137                 if (p == NULL || p->p_as == &kas ||
2138                     p->p_stat == SIDL || p->p_stat == SZOMB) {
2139                         mutex_exit(&pidlock);
2140                         return;
2141                 }
2142                 mutex_enter(&p->p_lock); /* so process doesn't go away */
2143                 mutex_exit(&pidlock);
2144 
2145                 mutex_enter(&p->p_crlock);
2146                 crhold(cr = p->p_cred);
2147                 mutex_exit(&p->p_crlock);
2148                 mutex_exit(&p->p_lock);
2149 
2150                 ainfo = crgetauinfo(cr);
2151                 if (ainfo == NULL) {
2152                         crfree(cr);
2153                         return;
2154                 }
2155 
2156                 uid  = crgetuid(cr);
2157                 gid  = crgetgid(cr);
2158                 ruid = crgetruid(cr);
2159                 rgid = crgetrgid(cr);
2160                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2161                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2162                 crfree(cr);
2163                 au_uwrite(au_to_arg32(2, "pgid", pgid));
2164                 break;
2165 
2166         default:
2167                 break;
2168         }
2169 }
2170 
2171 
2172 /*ARGSUSED*/
2173 static void
2174 aus_setregid(struct t_audit_data *tad)
2175 {
2176         klwp_t *clwp = ttolwp(curthread);
2177         uint32_t rgid, egid;
2178 
2179         struct a {
2180                 long     rgid;
2181                 long     egid;
2182         } *uap = (struct a *)clwp->lwp_ap;
2183 
2184         rgid  = (uint32_t)uap->rgid;
2185         egid  = (uint32_t)uap->egid;
2186 
2187         au_uwrite(au_to_arg32(1, "rgid", rgid));
2188         au_uwrite(au_to_arg32(2, "egid", egid));
2189 }
2190 
2191 /*ARGSUSED*/
2192 static void
2193 aus_setgid(struct t_audit_data *tad)
2194 {
2195         klwp_t *clwp = ttolwp(curthread);
2196         uint32_t gid;
2197 
2198         struct a {
2199                 long    gid;
2200         } *uap = (struct a *)clwp->lwp_ap;
2201 
2202         gid = (uint32_t)uap->gid;
2203 
2204         au_uwrite(au_to_arg32(1, "gid", gid));
2205 }
2206 
2207 
2208 /*ARGSUSED*/
2209 static void
2210 aus_setreuid(struct t_audit_data *tad)
2211 {
2212         klwp_t *clwp = ttolwp(curthread);
2213         uint32_t ruid, euid;
2214 
2215         struct a {
2216                 long    ruid;
2217                 long    euid;
2218         } *uap = (struct a *)clwp->lwp_ap;
2219 
2220         ruid = (uint32_t)uap->ruid;
2221         euid  = (uint32_t)uap->euid;
2222 
2223         au_uwrite(au_to_arg32(1, "ruid", ruid));
2224         au_uwrite(au_to_arg32(2, "euid", euid));
2225 }
2226 
2227 
2228 /*ARGSUSED*/
2229 static void
2230 aus_setuid(struct t_audit_data *tad)
2231 {
2232         klwp_t *clwp = ttolwp(curthread);
2233         uint32_t uid;
2234 
2235         struct a {
2236                 long    uid;
2237         } *uap = (struct a *)clwp->lwp_ap;
2238 
2239         uid = (uint32_t)uap->uid;
2240 
2241         au_uwrite(au_to_arg32(1, "uid", uid));
2242 }
2243 
2244 /*ARGSUSED*/
2245 static void
2246 aus_shmsys(struct t_audit_data *tad)
2247 {
2248         klwp_t *clwp = ttolwp(curthread);
2249         uint32_t id, cmd;
2250 
2251         struct b {
2252                 long    id;
2253                 long    cmd;
2254                 long    buf;            /* struct shmid_ds * */
2255         } *uap1 = (struct b *)&clwp->lwp_ap[1];
2256 
2257         id  = (uint32_t)uap1->id;
2258         cmd = (uint32_t)uap1->cmd;
2259 
2260         switch (tad->tad_event) {
2261         case AUE_SHMGET:                        /* shmget */
2262                 au_uwrite(au_to_arg32(1, "shm key", id));
2263                 break;
2264         case AUE_SHMCTL:                        /* shmctl */
2265         case AUE_SHMCTL_RMID:                   /* shmctl */
2266         case AUE_SHMCTL_STAT:                   /* shmctl */
2267         case AUE_SHMCTL_SET:                    /* shmctl */
2268                 au_uwrite(au_to_arg32(1, "shm ID", id));
2269                 break;
2270         case AUE_SHMDT:                         /* shmdt */
2271                 au_uwrite(au_to_arg32(1, "shm adr", id));
2272                 break;
2273         case AUE_SHMAT:                         /* shmat */
2274                 au_uwrite(au_to_arg32(1, "shm ID", id));
2275                 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2276                 break;
2277         }
2278 }
2279 
2280 /*ARGSUSED*/
2281 static void
2282 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2283 {
2284         int id;
2285 
2286         if (error != 0)
2287                 return;
2288         if (tad->tad_event == AUE_SHMGET) {
2289                 uint32_t scid;
2290                 uint32_t sy_flags;
2291 
2292                 /* need to determine type of executing binary */
2293                 scid = tad->tad_scid;
2294 #ifdef _SYSCALL32_IMPL
2295                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2296                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2297                 else
2298                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2299 #else
2300                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2301 #endif
2302                 if (sy_flags == SE_32RVAL1)
2303                         id = rval->r_val1;
2304                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2305                         id = rval->r_val1;
2306                 if (sy_flags == SE_64RVAL)
2307                         id = (int)rval->r_vals;
2308                 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2309         }
2310 }
2311 
2312 
2313 /*ARGSUSED*/
2314 static void
2315 aus_ioctl(struct t_audit_data *tad)
2316 {
2317         klwp_t *clwp = ttolwp(curthread);
2318         struct file *fp;
2319         struct vnode *vp;
2320         struct f_audit_data *fad;
2321         uint32_t fd, cmd;
2322         uintptr_t cmarg;
2323 
2324         /* XX64 */
2325         struct a {
2326                 long    fd;
2327                 long    cmd;
2328                 long    cmarg;          /* caddr_t */
2329         } *uap = (struct a *)clwp->lwp_ap;
2330 
2331         fd    = (uint32_t)uap->fd;
2332         cmd   = (uint32_t)uap->cmd;
2333         cmarg = (uintptr_t)uap->cmarg;
2334 
2335                 /*
2336                  * convert file pointer to file descriptor
2337                  *   Note: fd ref count incremented here.
2338                  */
2339         if ((fp = getf(fd)) == NULL) {
2340                 au_uwrite(au_to_arg32(1, "fd", fd));
2341                 au_uwrite(au_to_arg32(2, "cmd", cmd));
2342 #ifndef _LP64
2343                 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2344 #else
2345                 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2346 #endif
2347                 return;
2348         }
2349 
2350         /* get path from file struct here */
2351         fad = F2A(fp);
2352         if (fad->fad_aupath != NULL) {
2353                 au_uwrite(au_to_path(fad->fad_aupath));
2354         } else {
2355                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2356         }
2357 
2358         vp = fp->f_vnode;
2359         audit_attributes(vp);
2360 
2361         /* decrement file descriptor reference count */
2362         releasef(fd);
2363 
2364         au_uwrite(au_to_arg32(2, "cmd", cmd));
2365 #ifndef _LP64
2366         au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2367 #else
2368         au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2369 #endif
2370 }
2371 
2372 /*
2373  * null function for memcntl for now. We might want to limit memcntl()
2374  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2375  * require privileges.
2376  */
2377 static au_event_t
2378 aui_memcntl(au_event_t e)
2379 {
2380         return (e);
2381 }
2382 
2383 /*ARGSUSED*/
2384 static au_event_t
2385 aui_privsys(au_event_t e)
2386 {
2387         klwp_t *clwp = ttolwp(curthread);
2388 
2389         struct a {
2390                 long    opcode;
2391         } *uap = (struct a *)clwp->lwp_ap;
2392 
2393         switch (uap->opcode) {
2394         case PRIVSYS_SETPPRIV:
2395                 return (AUE_SETPPRIV);
2396         default:
2397                 return (AUE_NULL);
2398         }
2399 }
2400 
2401 /*ARGSUSED*/
2402 static void
2403 aus_memcntl(struct t_audit_data *tad)
2404 {
2405         klwp_t *clwp = ttolwp(curthread);
2406 
2407         struct a {
2408                 long    addr;
2409                 long    len;
2410                 long    cmd;
2411                 long    arg;
2412                 long    attr;
2413                 long    mask;
2414         } *uap = (struct a *)clwp->lwp_ap;
2415 
2416 #ifdef _LP64
2417         au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2418         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2419 #else
2420         au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2421         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2422 #endif
2423         au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2424 #ifdef _LP64
2425         au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2426 #else
2427         au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2428 #endif
2429         au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2430         au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2431 }
2432 
2433 /*ARGSUSED*/
2434 static void
2435 aus_mmap(struct t_audit_data *tad)
2436 {
2437         klwp_t *clwp = ttolwp(curthread);
2438         struct file *fp;
2439         struct f_audit_data *fad;
2440         struct vnode *vp;
2441         uint32_t fd;
2442 
2443         struct a {
2444                 long    addr;
2445                 long    len;
2446                 long    prot;
2447                 long    flags;
2448                 long    fd;
2449                 long    pos;
2450         } *uap = (struct a *)clwp->lwp_ap;
2451 
2452         fd = (uint32_t)uap->fd;
2453 
2454 #ifdef _LP64
2455         au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2456         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2457 #else
2458         au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2459         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2460 #endif
2461 
2462         if ((fp = getf(fd)) == NULL) {
2463                 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2464                 return;
2465         }
2466 
2467         /*
2468          * Mark in the tad if write access is NOT requested... if
2469          * this is later detected (in audit_attributes) to be a
2470          * public object, the mmap event may be discarded.
2471          */
2472         if (((uap->prot) & PROT_WRITE) == 0) {
2473                 tad->tad_ctrl |= TAD_PUBLIC_EV;
2474         }
2475 
2476         fad = F2A(fp);
2477         if (fad->fad_aupath != NULL) {
2478                 au_uwrite(au_to_path(fad->fad_aupath));
2479         } else {
2480                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2481         }
2482 
2483         vp = (struct vnode *)fp->f_vnode;
2484         audit_attributes(vp);
2485 
2486         /* mark READ/WRITE since we can't predict access */
2487         if (uap->prot & PROT_READ)
2488                 fad->fad_flags |= FAD_READ;
2489         if (uap->prot & PROT_WRITE)
2490                 fad->fad_flags |= FAD_WRITE;
2491 
2492         /* decrement file descriptor reference count */
2493         releasef(fd);
2494 
2495 }       /* AUS_MMAP */
2496 
2497 
2498 
2499 
2500 /*ARGSUSED*/
2501 static void
2502 aus_munmap(struct t_audit_data *tad)
2503 {
2504         klwp_t *clwp = ttolwp(curthread);
2505 
2506         struct a {
2507                 long    addr;
2508                 long    len;
2509         } *uap = (struct a *)clwp->lwp_ap;
2510 
2511 #ifdef _LP64
2512         au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2513         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2514 #else
2515         au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2516         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2517 #endif
2518 
2519 }       /* AUS_MUNMAP */
2520 
2521 
2522 
2523 
2524 
2525 
2526 
2527 /*ARGSUSED*/
2528 static void
2529 aus_priocntlsys(struct t_audit_data *tad)
2530 {
2531         klwp_t *clwp = ttolwp(curthread);
2532 
2533         struct a {
2534                 long    pc_version;
2535                 long    psp;            /* procset_t */
2536                 long    cmd;
2537                 long    arg;
2538         } *uap = (struct a *)clwp->lwp_ap;
2539 
2540         au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2541         au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2542 
2543 }       /* AUS_PRIOCNTLSYS */
2544 
2545 
2546 /*ARGSUSED*/
2547 static void
2548 aus_setegid(struct t_audit_data *tad)
2549 {
2550         klwp_t *clwp = ttolwp(curthread);
2551         uint32_t gid;
2552 
2553         struct a {
2554                 long    gid;
2555         } *uap = (struct a *)clwp->lwp_ap;
2556 
2557         gid = (uint32_t)uap->gid;
2558 
2559         au_uwrite(au_to_arg32(1, "gid", gid));
2560 }       /* AUS_SETEGID */
2561 
2562 
2563 
2564 
2565 /*ARGSUSED*/
2566 static void
2567 aus_setgroups(struct t_audit_data *tad)
2568 {
2569         klwp_t *clwp = ttolwp(curthread);
2570         int i;
2571         int gidsetsize;
2572         uintptr_t gidset;
2573         gid_t *gidlist;
2574 
2575         struct a {
2576                 long    gidsetsize;
2577                 long    gidset;
2578         } *uap = (struct a *)clwp->lwp_ap;
2579 
2580         gidsetsize = (uint_t)uap->gidsetsize;
2581         gidset = (uintptr_t)uap->gidset;
2582 
2583         if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2584                 return;
2585         if (gidsetsize != 0) {
2586                 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2587                     KM_SLEEP);
2588                 if (copyin((caddr_t)gidset, gidlist,
2589                     gidsetsize * sizeof (gid_t)) == 0)
2590                         for (i = 0; i < gidsetsize; i++)
2591                                 au_uwrite(au_to_arg32(1, "setgroups",
2592                                     (uint32_t)gidlist[i]));
2593                 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2594         } else
2595                 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2596 
2597 }       /* AUS_SETGROUPS */
2598 
2599 
2600 
2601 
2602 
2603 /*ARGSUSED*/
2604 static void
2605 aus_seteuid(struct t_audit_data *tad)
2606 {
2607         klwp_t *clwp = ttolwp(curthread);
2608         uint32_t uid;
2609 
2610         struct a {
2611                 long    uid;
2612         } *uap = (struct a *)clwp->lwp_ap;
2613 
2614         uid = (uint32_t)uap->uid;
2615 
2616         au_uwrite(au_to_arg32(1, "euid", uid));
2617 
2618 }       /* AUS_SETEUID */
2619 
2620 /*ARGSUSED*/
2621 static void
2622 aus_putmsg(struct t_audit_data *tad)
2623 {
2624         klwp_t *clwp = ttolwp(curthread);
2625         uint32_t fd, pri;
2626         struct file *fp;
2627         struct f_audit_data *fad;
2628 
2629         struct a {
2630                 long    fdes;
2631                 long    ctl;            /* struct strbuf * */
2632                 long    data;           /* struct strbuf * */
2633                 long    pri;
2634         } *uap = (struct a *)clwp->lwp_ap;
2635 
2636         fd  = (uint32_t)uap->fdes;
2637         pri = (uint32_t)uap->pri;
2638 
2639         au_uwrite(au_to_arg32(1, "fd", fd));
2640 
2641         if ((fp = getf(fd)) != NULL) {
2642                 fad = F2A(fp);
2643 
2644                 fad->fad_flags |= FAD_WRITE;
2645 
2646                 /* add path name to audit record */
2647                 if (fad->fad_aupath != NULL) {
2648                         au_uwrite(au_to_path(fad->fad_aupath));
2649                 }
2650                 audit_attributes(fp->f_vnode);
2651 
2652                 releasef(fd);
2653         }
2654 
2655         au_uwrite(au_to_arg32(4, "pri", pri));
2656 }
2657 
2658 /*ARGSUSED*/
2659 static void
2660 aus_putpmsg(struct t_audit_data *tad)
2661 {
2662         klwp_t *clwp = ttolwp(curthread);
2663         uint32_t fd, pri, flags;
2664         struct file *fp;
2665         struct f_audit_data *fad;
2666 
2667         struct a {
2668                 long    fdes;
2669                 long    ctl;            /* struct strbuf * */
2670                 long    data;           /* struct strbuf * */
2671                 long    pri;
2672                 long    flags;
2673         } *uap = (struct a *)clwp->lwp_ap;
2674 
2675         fd = (uint32_t)uap->fdes;
2676         pri  = (uint32_t)uap->pri;
2677         flags  = (uint32_t)uap->flags;
2678 
2679         au_uwrite(au_to_arg32(1, "fd", fd));
2680 
2681         if ((fp = getf(fd)) != NULL) {
2682                 fad = F2A(fp);
2683 
2684                 fad->fad_flags |= FAD_WRITE;
2685 
2686                 /* add path name to audit record */
2687                 if (fad->fad_aupath != NULL) {
2688                         au_uwrite(au_to_path(fad->fad_aupath));
2689                 }
2690                 audit_attributes(fp->f_vnode);
2691 
2692                 releasef(fd);
2693         }
2694 
2695 
2696         au_uwrite(au_to_arg32(4, "pri", pri));
2697         au_uwrite(au_to_arg32(5, "flags", flags));
2698 }
2699 
2700 /*ARGSUSED*/
2701 static void
2702 aus_getmsg(struct t_audit_data *tad)
2703 {
2704         klwp_t *clwp = ttolwp(curthread);
2705         uint32_t fd, pri;
2706         struct file *fp;
2707         struct f_audit_data *fad;
2708 
2709         struct a {
2710                 long    fdes;
2711                 long    ctl;            /* struct strbuf * */
2712                 long    data;           /* struct strbuf * */
2713                 long    pri;
2714         } *uap = (struct a *)clwp->lwp_ap;
2715 
2716         fd  = (uint32_t)uap->fdes;
2717         pri = (uint32_t)uap->pri;
2718 
2719         au_uwrite(au_to_arg32(1, "fd", fd));
2720 
2721         if ((fp = getf(fd)) != NULL) {
2722                 fad = F2A(fp);
2723 
2724                 /*
2725                  * read operation on this object
2726                  */
2727                 fad->fad_flags |= FAD_READ;
2728 
2729                 /* add path name to audit record */
2730                 if (fad->fad_aupath != NULL) {
2731                         au_uwrite(au_to_path(fad->fad_aupath));
2732                 }
2733                 audit_attributes(fp->f_vnode);
2734 
2735                 releasef(fd);
2736         }
2737 
2738         au_uwrite(au_to_arg32(4, "pri", pri));
2739 }
2740 
2741 /*ARGSUSED*/
2742 static void
2743 aus_getpmsg(struct t_audit_data *tad)
2744 {
2745         klwp_t *clwp = ttolwp(curthread);
2746         uint32_t fd;
2747         struct file *fp;
2748         struct f_audit_data *fad;
2749 
2750         struct a {
2751                 long    fdes;
2752                 long    ctl;            /* struct strbuf * */
2753                 long    data;           /* struct strbuf * */
2754                 long    pri;
2755                 long    flags;
2756         } *uap = (struct a *)clwp->lwp_ap;
2757 
2758         fd = (uint32_t)uap->fdes;
2759 
2760         au_uwrite(au_to_arg32(1, "fd", fd));
2761 
2762         if ((fp = getf(fd)) != NULL) {
2763                 fad = F2A(fp);
2764 
2765                 /*
2766                  * read operation on this object
2767                  */
2768                 fad->fad_flags |= FAD_READ;
2769 
2770                 /* add path name to audit record */
2771                 if (fad->fad_aupath != NULL) {
2772                         au_uwrite(au_to_path(fad->fad_aupath));
2773                 }
2774                 audit_attributes(fp->f_vnode);
2775 
2776                 releasef(fd);
2777         }
2778 }
2779 
2780 static au_event_t
2781 aui_labelsys(au_event_t e)
2782 {
2783         klwp_t *clwp = ttolwp(curthread);
2784         uint32_t code;
2785         uint32_t cmd;
2786 
2787         struct a {
2788                 long    code;
2789                 long    cmd;
2790         } *uap = (struct a *)clwp->lwp_ap;
2791 
2792         code = (uint32_t)uap->code;
2793         cmd = (uint32_t)uap->cmd;
2794 
2795         /* not security relevant if not changing kernel cache */
2796         if (cmd == TNDB_GET)
2797                 return (AUE_NULL);
2798 
2799         switch (code) {
2800         case TSOL_TNRH:
2801                 e = AUE_LABELSYS_TNRH;
2802                 break;
2803         case TSOL_TNRHTP:
2804                 e = AUE_LABELSYS_TNRHTP;
2805                 break;
2806         case TSOL_TNMLP:
2807                 e = AUE_LABELSYS_TNMLP;
2808                 break;
2809         default:
2810                 e = AUE_NULL;
2811                 break;
2812         }
2813 
2814         return (e);
2815 
2816 }
2817 
2818 static void
2819 aus_labelsys(struct t_audit_data *tad)
2820 {
2821         klwp_t *clwp = ttolwp(curthread);
2822         uint32_t cmd;
2823         uintptr_t a2;
2824 
2825         struct a {
2826                 long    code;
2827                 long    cmd;
2828                 long    a2;
2829         } *uap = (struct a *)clwp->lwp_ap;
2830 
2831         cmd = (uint32_t)uap->cmd;
2832         a2 = (uintptr_t)uap->a2;
2833 
2834         switch (tad->tad_event) {
2835         case AUE_LABELSYS_TNRH:
2836         {
2837                 tsol_rhent_t    *rhent;
2838                 tnaddr_t        *rh_addr;
2839 
2840                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2841 
2842                 /* Remaining args don't apply for FLUSH, so skip */
2843                 if (cmd == TNDB_FLUSH)
2844                         break;
2845 
2846                 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2847                 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2848                         kmem_free(rhent, sizeof (tsol_rhent_t));
2849                         return;
2850                 }
2851 
2852                 rh_addr = &rhent->rh_address;
2853                 if (rh_addr->ta_family == AF_INET) {
2854                         struct in_addr  *ipaddr;
2855 
2856                         ipaddr = &(rh_addr->ta_addr_v4);
2857                         au_uwrite(au_to_in_addr(ipaddr));
2858                 } else if (rh_addr->ta_family == AF_INET6) {
2859                         int32_t         *ipaddr;
2860 
2861                         ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2862                         au_uwrite(au_to_in_addr_ex(ipaddr));
2863                 }
2864                 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2865 
2866                 kmem_free(rhent, sizeof (tsol_rhent_t));
2867 
2868                 break;
2869         }
2870         case AUE_LABELSYS_TNRHTP:
2871         {
2872                 tsol_tpent_t    *tpent;
2873 
2874                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2875 
2876                 /* Remaining args don't apply for FLUSH, so skip */
2877                 if (cmd == TNDB_FLUSH)
2878                         break;
2879 
2880                 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2881                 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2882                         kmem_free(tpent, sizeof (tsol_tpent_t));
2883                         return;
2884                 }
2885 
2886                 /* Make sure that the template name is null-terminated. */
2887                 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2888 
2889                 au_uwrite(au_to_text(tpent->name));
2890                 kmem_free(tpent, sizeof (tsol_tpent_t));
2891 
2892                 break;
2893         }
2894         case AUE_LABELSYS_TNMLP:
2895         {
2896                 tsol_mlpent_t   *mlpent;
2897 
2898                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2899 
2900                 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2901                 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2902                         kmem_free(mlpent, sizeof (tsol_mlpent_t));
2903                         return;
2904                 }
2905 
2906                 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2907                         au_uwrite(au_to_text("shared"));
2908                 } else {
2909                         zone_t  *zone;
2910 
2911                         zone = zone_find_by_id(mlpent->tsme_zoneid);
2912                         if (zone != NULL) {
2913                                 au_uwrite(au_to_text(zone->zone_name));
2914                                 zone_rele(zone);
2915                         }
2916                 }
2917 
2918                 /* Remaining args don't apply for FLUSH, so skip */
2919                 if (cmd == TNDB_FLUSH) {
2920                         kmem_free(mlpent, sizeof (tsol_mlpent_t));
2921                         break;
2922                 }
2923 
2924                 au_uwrite(au_to_arg32(2, "proto num",
2925                     (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2926                 au_uwrite(au_to_arg32(2, "mlp_port",
2927                     (uint32_t)mlpent->tsme_mlp.mlp_port));
2928 
2929                 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2930                         au_uwrite(au_to_arg32(2, "mlp_port_upper",
2931                             (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2932 
2933                 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2934 
2935                 break;
2936         }
2937         default:
2938                 break;
2939         }
2940 }
2941 
2942 
2943 static au_event_t
2944 aui_auditsys(au_event_t e)
2945 {
2946         klwp_t *clwp = ttolwp(curthread);
2947         uint32_t code;
2948 
2949         struct a {
2950                 long    code;
2951                 long    a1;
2952                 long    a2;
2953                 long    a3;
2954                 long    a4;
2955                 long    a5;
2956                 long    a6;
2957                 long    a7;
2958         } *uap = (struct a *)clwp->lwp_ap;
2959 
2960         code = (uint32_t)uap->code;
2961 
2962         switch (code) {
2963 
2964         case BSM_GETAUID:
2965                 e = AUE_GETAUID;
2966                 break;
2967         case BSM_SETAUID:
2968                 e = AUE_SETAUID;
2969                 break;
2970         case BSM_GETAUDIT:
2971                 e = AUE_GETAUDIT;
2972                 break;
2973         case BSM_GETAUDIT_ADDR:
2974                 e = AUE_GETAUDIT_ADDR;
2975                 break;
2976         case BSM_SETAUDIT:
2977                 e = AUE_SETAUDIT;
2978                 break;
2979         case BSM_SETAUDIT_ADDR:
2980                 e = AUE_SETAUDIT_ADDR;
2981                 break;
2982         case BSM_AUDIT:
2983                 e = AUE_AUDIT;
2984                 break;
2985         case BSM_AUDITCTL:
2986                 switch ((uint_t)uap->a1) {
2987 
2988                 case A_GETPOLICY:
2989                         e = AUE_AUDITON_GPOLICY;
2990                         break;
2991                 case A_SETPOLICY:
2992                         e = AUE_AUDITON_SPOLICY;
2993                         break;
2994                 case A_GETAMASK:
2995                         e = AUE_AUDITON_GETAMASK;
2996                         break;
2997                 case A_SETAMASK:
2998                         e = AUE_AUDITON_SETAMASK;
2999                         break;
3000                 case A_GETKMASK:
3001                         e = AUE_AUDITON_GETKMASK;
3002                         break;
3003                 case A_SETKMASK:
3004                         e = AUE_AUDITON_SETKMASK;
3005                         break;
3006                 case A_GETQCTRL:
3007                         e = AUE_AUDITON_GQCTRL;
3008                         break;
3009                 case A_SETQCTRL:
3010                         e = AUE_AUDITON_SQCTRL;
3011                         break;
3012                 case A_GETCWD:
3013                         e = AUE_AUDITON_GETCWD;
3014                         break;
3015                 case A_GETCAR:
3016                         e = AUE_AUDITON_GETCAR;
3017                         break;
3018                 case A_GETSTAT:
3019                         e = AUE_AUDITON_GETSTAT;
3020                         break;
3021                 case A_SETSTAT:
3022                         e = AUE_AUDITON_SETSTAT;
3023                         break;
3024                 case A_SETUMASK:
3025                         e = AUE_AUDITON_SETUMASK;
3026                         break;
3027                 case A_SETSMASK:
3028                         e = AUE_AUDITON_SETSMASK;
3029                         break;
3030                 case A_GETCOND:
3031                         e = AUE_AUDITON_GETCOND;
3032                         break;
3033                 case A_SETCOND:
3034                         e = AUE_AUDITON_SETCOND;
3035                         break;
3036                 case A_GETCLASS:
3037                         e = AUE_AUDITON_GETCLASS;
3038                         break;
3039                 case A_SETCLASS:
3040                         e = AUE_AUDITON_SETCLASS;
3041                         break;
3042                 case A_GETPINFO:
3043                 case A_GETPINFO_ADDR:
3044                         e = AUE_AUDITON_GETPINFO;
3045                         break;
3046                 case A_SETPMASK:
3047                         e = AUE_AUDITON_SETPMASK;
3048                         break;
3049                 case A_GETKAUDIT:
3050                         e = AUE_AUDITON_GETKAUDIT;
3051                         break;
3052                 case A_SETKAUDIT:
3053                         e = AUE_AUDITON_SETKAUDIT;
3054                         break;
3055                 default:
3056                         e = AUE_AUDITON_OTHER;
3057                         break;
3058                 }
3059                 break;
3060         default:
3061                 e = AUE_NULL;
3062                 break;
3063         }
3064 
3065         return (e);
3066 
3067 }       /* AUI_AUDITSYS */
3068 
3069 
3070 static void
3071 aus_auditsys(struct t_audit_data *tad)
3072 {
3073         klwp_t *clwp = ttolwp(curthread);
3074         uintptr_t a1, a2;
3075         STRUCT_DECL(auditinfo, ainfo);
3076         STRUCT_DECL(auditinfo_addr, ainfo_addr);
3077         STRUCT_DECL(auditpinfo, apinfo);
3078         au_evclass_map_t event;
3079         au_mask_t mask;
3080         int auditstate, policy;
3081         au_id_t auid;
3082 
3083 
3084         struct a {
3085                 long    code;
3086                 long    a1;
3087                 long    a2;
3088                 long    a3;
3089                 long    a4;
3090                 long    a5;
3091                 long    a6;
3092                 long    a7;
3093         } *uap = (struct a *)clwp->lwp_ap;
3094 
3095         a1   = (uintptr_t)uap->a1;
3096         a2   = (uintptr_t)uap->a2;
3097 
3098         switch (tad->tad_event) {
3099         case AUE_SETAUID:
3100                 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3101                                 return;
3102                 au_uwrite(au_to_arg32(2, "setauid", auid));
3103                 break;
3104         case AUE_SETAUDIT:
3105                 STRUCT_INIT(ainfo, get_udatamodel());
3106                 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3107                     STRUCT_SIZE(ainfo))) {
3108                                 return;
3109                 }
3110                 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3111                     (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3112 #ifdef _LP64
3113                 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3114                     (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3115 #else
3116                 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3117                     (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3118 #endif
3119                 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3120                     (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3121                 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3122                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3123                 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3124                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3125                 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3126                     (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3127                 break;
3128         case AUE_SETAUDIT_ADDR:
3129                 STRUCT_INIT(ainfo_addr, get_udatamodel());
3130                 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3131                     STRUCT_SIZE(ainfo_addr))) {
3132                                 return;
3133                 }
3134                 au_uwrite(au_to_arg32((char)1, "auid",
3135                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3136 #ifdef _LP64
3137                 au_uwrite(au_to_arg64((char)1, "port",
3138                     (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3139 #else
3140                 au_uwrite(au_to_arg32((char)1, "port",
3141                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3142 #endif
3143                 au_uwrite(au_to_arg32((char)1, "type",
3144                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3145                 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3146                     AU_IPv4) {
3147                         au_uwrite(au_to_in_addr(
3148                             (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3149                             ai_termid.at_addr)));
3150                 } else {
3151                         au_uwrite(au_to_in_addr_ex(
3152                             (int32_t *)STRUCT_FGETP(ainfo_addr,
3153                             ai_termid.at_addr)));
3154                 }
3155                 au_uwrite(au_to_arg32((char)1, "as_success",
3156                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3157                 au_uwrite(au_to_arg32((char)1, "as_failure",
3158                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3159                 au_uwrite(au_to_arg32((char)1, "asid",
3160                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3161                 break;
3162         case AUE_AUDITON_SETAMASK:
3163                 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3164                                 return;
3165                 au_uwrite(au_to_arg32(
3166                     2, "setamask:as_success", (uint32_t)mask.as_success));
3167                 au_uwrite(au_to_arg32(
3168                     2, "setamask:as_failure", (uint32_t)mask.as_failure));
3169                 break;
3170         case AUE_AUDITON_SETKMASK:
3171                 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3172                                 return;
3173                 au_uwrite(au_to_arg32(
3174                     2, "setkmask:as_success", (uint32_t)mask.as_success));
3175                 au_uwrite(au_to_arg32(
3176                     2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3177                 break;
3178         case AUE_AUDITON_SPOLICY:
3179                 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3180                         return;
3181                 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3182                 break;
3183         case AUE_AUDITON_SQCTRL: {
3184                 STRUCT_DECL(au_qctrl, qctrl);
3185                 model_t model;
3186 
3187                 model = get_udatamodel();
3188                 STRUCT_INIT(qctrl, model);
3189                 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3190                                 return;
3191                 if (model == DATAMODEL_ILP32) {
3192                         au_uwrite(au_to_arg32(
3193                             3, "setqctrl:aq_hiwater",
3194                             (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3195                         au_uwrite(au_to_arg32(
3196                             3, "setqctrl:aq_lowater",
3197                             (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3198                         au_uwrite(au_to_arg32(
3199                             3, "setqctrl:aq_bufsz",
3200                             (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3201                         au_uwrite(au_to_arg32(
3202                             3, "setqctrl:aq_delay",
3203                             (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3204                 } else {
3205                         au_uwrite(au_to_arg64(
3206                             3, "setqctrl:aq_hiwater",
3207                             (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3208                         au_uwrite(au_to_arg64(
3209                             3, "setqctrl:aq_lowater",
3210                             (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3211                         au_uwrite(au_to_arg64(
3212                             3, "setqctrl:aq_bufsz",
3213                             (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3214                         au_uwrite(au_to_arg64(
3215                             3, "setqctrl:aq_delay",
3216                             (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3217                 }
3218                 break;
3219         }
3220         case AUE_AUDITON_SETUMASK:
3221                 STRUCT_INIT(ainfo, get_udatamodel());
3222                 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3223                     STRUCT_SIZE(ainfo))) {
3224                         return;
3225                 }
3226                 au_uwrite(au_to_arg32(3, "setumask:as_success",
3227                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3228                 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3229                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3230                 break;
3231         case AUE_AUDITON_SETSMASK:
3232                 STRUCT_INIT(ainfo, get_udatamodel());
3233                 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3234                     STRUCT_SIZE(ainfo))) {
3235                         return;
3236                 }
3237                 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3238                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3239                 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3240                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3241                 break;
3242         case AUE_AUDITON_SETCOND:
3243                 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3244                         return;
3245                 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3246                 break;
3247         case AUE_AUDITON_SETCLASS:
3248                 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3249                         return;
3250                 au_uwrite(au_to_arg32(
3251                     2, "setclass:ec_event", (uint32_t)event.ec_number));
3252                 au_uwrite(au_to_arg32(
3253                     3, "setclass:ec_class", (uint32_t)event.ec_class));
3254                 break;
3255         case AUE_AUDITON_SETPMASK:
3256                 STRUCT_INIT(apinfo, get_udatamodel());
3257                 if (copyin((caddr_t)uap->a2, STRUCT_BUF(apinfo),
3258                     STRUCT_SIZE(apinfo))) {
3259                         return;
3260                 }
3261                 au_uwrite(au_to_arg32(3, "setpmask:pid",
3262                     (uint32_t)STRUCT_FGET(apinfo, ap_pid)));
3263                 au_uwrite(au_to_arg32(3, "setpmask:as_success",
3264                     (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_success)));
3265                 au_uwrite(au_to_arg32(3, "setpmask:as_failure",
3266                     (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_failure)));
3267                 break;
3268         case AUE_AUDITON_SETKAUDIT:
3269                 STRUCT_INIT(ainfo_addr, get_udatamodel());
3270                 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3271                     STRUCT_SIZE(ainfo_addr))) {
3272                                 return;
3273                 }
3274                 au_uwrite(au_to_arg32((char)1, "auid",
3275                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3276 #ifdef _LP64
3277                 au_uwrite(au_to_arg64((char)1, "port",
3278                     (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3279 #else
3280                 au_uwrite(au_to_arg32((char)1, "port",
3281                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3282 #endif
3283                 au_uwrite(au_to_arg32((char)1, "type",
3284                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3285                 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3286                     AU_IPv4) {
3287                         au_uwrite(au_to_in_addr(
3288                             (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3289                             ai_termid.at_addr)));
3290                 } else {
3291                         au_uwrite(au_to_in_addr_ex(
3292                             (int32_t *)STRUCT_FGETP(ainfo_addr,
3293                             ai_termid.at_addr)));
3294                 }
3295                 au_uwrite(au_to_arg32((char)1, "as_success",
3296                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3297                 au_uwrite(au_to_arg32((char)1, "as_failure",
3298                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3299                 au_uwrite(au_to_arg32((char)1, "asid",
3300                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3301                 break;
3302         case AUE_GETAUID:
3303         case AUE_GETAUDIT:
3304         case AUE_GETAUDIT_ADDR:
3305         case AUE_AUDIT:
3306         case AUE_AUDITON_GPOLICY:
3307         case AUE_AUDITON_GQCTRL:
3308         case AUE_AUDITON_GETAMASK:
3309         case AUE_AUDITON_GETKMASK:
3310         case AUE_AUDITON_GETCWD:
3311         case AUE_AUDITON_GETCAR:
3312         case AUE_AUDITON_GETSTAT:
3313         case AUE_AUDITON_SETSTAT:
3314         case AUE_AUDITON_GETCOND:
3315         case AUE_AUDITON_GETCLASS:
3316         case AUE_AUDITON_GETPINFO:
3317         case AUE_AUDITON_GETKAUDIT:
3318         case AUE_AUDITON_OTHER:
3319                 break;
3320         default:
3321                 break;
3322         }
3323 
3324 }       /* AUS_AUDITSYS */
3325 
3326 
3327 /* only audit privileged operations for systeminfo(2) system call */
3328 static au_event_t
3329 aui_sysinfo(au_event_t e)
3330 {
3331         klwp_t *clwp = ttolwp(curthread);
3332         uint32_t command;
3333 
3334         struct a {
3335                 long    command;
3336                 long    buf;            /* char * */
3337                 long    count;
3338         } *uap = (struct a *)clwp->lwp_ap;
3339 
3340         command = (uint32_t)uap->command;
3341 
3342         switch (command) {
3343         case SI_SET_HOSTNAME:
3344         case SI_SET_SRPC_DOMAIN:
3345                 e = (au_event_t)AUE_SYSINFO;
3346                 break;
3347         default:
3348                 e = (au_event_t)AUE_NULL;
3349                 break;
3350         }
3351         return (e);
3352 }
3353 
3354 /*ARGSUSED*/
3355 static void
3356 aus_sysinfo(struct t_audit_data *tad)
3357 {
3358         klwp_t *clwp = ttolwp(curthread);
3359         uint32_t command;
3360         size_t len, maxlen;
3361         char *name;
3362         uintptr_t buf;
3363 
3364         struct a {
3365                 long    command;
3366                 long    buf;            /* char * */
3367                 long    count;
3368         } *uap = (struct a *)clwp->lwp_ap;
3369 
3370         command = (uint32_t)uap->command;
3371         buf = (uintptr_t)uap->buf;
3372 
3373         au_uwrite(au_to_arg32(1, "cmd", command));
3374 
3375         switch (command) {
3376         case SI_SET_HOSTNAME:
3377         {
3378                 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3379                         return;
3380 
3381                 maxlen = SYS_NMLN;
3382                 name = kmem_alloc(maxlen, KM_SLEEP);
3383                 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3384                         break;
3385 
3386                 /*
3387                  * Must be non-NULL string and string
3388                  * must be less than SYS_NMLN chars.
3389                  */
3390                 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3391                         break;
3392 
3393                 au_uwrite(au_to_text(name));
3394                 break;
3395         }
3396 
3397         case SI_SET_SRPC_DOMAIN:
3398         {
3399                 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3400                         return;
3401 
3402                 maxlen = SYS_NMLN;
3403                 name = kmem_alloc(maxlen, KM_SLEEP);
3404                 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3405                         break;
3406 
3407                 /*
3408                  * If string passed in is longer than length
3409                  * allowed for domain name, fail.
3410                  */
3411                 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3412                         break;
3413 
3414                 au_uwrite(au_to_text(name));
3415                 break;
3416         }
3417 
3418         default:
3419                 return;
3420         }
3421 
3422         kmem_free(name, maxlen);
3423 }
3424 
3425 static au_event_t
3426 aui_modctl(au_event_t e)
3427 {
3428         klwp_t *clwp = ttolwp(curthread);
3429         uint_t cmd;
3430 
3431         struct a {
3432                 long    cmd;
3433         } *uap = (struct a *)clwp->lwp_ap;
3434 
3435         cmd = (uint_t)uap->cmd;
3436 
3437         switch (cmd) {
3438         case MODLOAD:
3439                 e = AUE_MODLOAD;
3440                 break;
3441         case MODUNLOAD:
3442                 e = AUE_MODUNLOAD;
3443                 break;
3444         case MODADDMAJBIND:
3445                 e = AUE_MODADDMAJ;
3446                 break;
3447         case MODSETDEVPOLICY:
3448                 e = AUE_MODDEVPLCY;
3449                 break;
3450         case MODALLOCPRIV:
3451                 e = AUE_MODADDPRIV;
3452                 break;
3453         default:
3454                 e = AUE_NULL;
3455                 break;
3456         }
3457         return (e);
3458 }
3459 
3460 
3461 /*ARGSUSED*/
3462 static void
3463 aus_modctl(struct t_audit_data *tad)
3464 {
3465         klwp_t *clwp = ttolwp(curthread);
3466         void *a = clwp->lwp_ap;
3467         uint_t use_path;
3468 
3469         switch (tad->tad_event) {
3470         case AUE_MODLOAD: {
3471                 typedef struct {
3472                         long    cmd;
3473                         long    use_path;
3474                         long    filename;               /* char * */
3475                 } modloada_t;
3476 
3477                 char *filenamep;
3478                 uintptr_t fname;
3479                 extern char *default_path;
3480 
3481                 fname = (uintptr_t)((modloada_t *)a)->filename;
3482                 use_path = (uint_t)((modloada_t *)a)->use_path;
3483 
3484                         /* space to hold path */
3485                 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3486                         /* get string */
3487                 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3488                                 /* free allocated path */
3489                         kmem_free(filenamep, MOD_MAXPATH);
3490                         return;
3491                 }
3492                         /* ensure it's null terminated */
3493                 filenamep[MOD_MAXPATH - 1] = 0;
3494 
3495                 if (use_path)
3496                         au_uwrite(au_to_text(default_path));
3497                 au_uwrite(au_to_text(filenamep));
3498 
3499                         /* release temporary memory */
3500                 kmem_free(filenamep, MOD_MAXPATH);
3501                 break;
3502         }
3503         case AUE_MODUNLOAD: {
3504                 typedef struct {
3505                         long    cmd;
3506                         long    id;
3507                 } modunloada_t;
3508 
3509                 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3510 
3511                 au_uwrite(au_to_arg32(1, "id", id));
3512                 break;
3513         }
3514         case AUE_MODADDMAJ: {
3515                 STRUCT_DECL(modconfig, mc);
3516                 typedef struct {
3517                         long    cmd;
3518                         long    subcmd;
3519                         long    data;           /* int * */
3520                 } modconfiga_t;
3521 
3522                 STRUCT_DECL(aliases, alias);
3523                 caddr_t ap;
3524                 int i, num_aliases;
3525                 char *drvname, *mc_drvname;
3526                 char *name;
3527                 extern char *ddi_major_to_name(major_t);
3528                 model_t model;
3529 
3530                 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3531 
3532                 model = get_udatamodel();
3533                 STRUCT_INIT(mc, model);
3534                         /* sanitize buffer */
3535                 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3536                         /* get user arguments */
3537                 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3538                     STRUCT_SIZE(mc)) != 0)
3539                         return;
3540 
3541                 mc_drvname = STRUCT_FGET(mc, drvname);
3542                 if ((drvname = ddi_major_to_name(
3543                     (major_t)STRUCT_FGET(mc, major))) != NULL &&
3544                     strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3545                                 /* safety */
3546                         if (mc_drvname[0] != '\0') {
3547                                 mc_drvname[MAXMODCONFNAME-1] = '\0';
3548                                 au_uwrite(au_to_text(mc_drvname));
3549                         }
3550                                 /* drvname != NULL from test above */
3551                         au_uwrite(au_to_text(drvname));
3552                         return;
3553                 }
3554 
3555                 if (mc_drvname[0] != '\0') {
3556                                 /* safety */
3557                         mc_drvname[MAXMODCONFNAME-1] = '\0';
3558                         au_uwrite(au_to_text(mc_drvname));
3559                 } else
3560                         au_uwrite(au_to_text("no drvname"));
3561 
3562                 num_aliases = STRUCT_FGET(mc, num_aliases);
3563                 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3564                 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3565                 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3566                 STRUCT_INIT(alias, model);
3567                 for (i = 0; i < num_aliases; i++) {
3568                         bzero((caddr_t)STRUCT_BUF(alias),
3569                             STRUCT_SIZE(alias));
3570                         if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3571                             STRUCT_SIZE(alias)) != 0)
3572                                 break;
3573                         if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3574                             MAXMODCONFNAME, NULL) != 0) {
3575                                 break;
3576                         }
3577 
3578                         au_uwrite(au_to_text(name));
3579                         ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3580                 }
3581                 kmem_free(name, MAXMODCONFNAME);
3582                 break;
3583         }
3584         default:
3585                 break;
3586         }
3587 }
3588 
3589 
3590 /*ARGSUSED*/
3591 static void
3592 auf_accept(
3593         struct t_audit_data *tad,
3594         int     error,
3595         rval_t  *rval)
3596 {
3597         uint32_t scid;
3598         uint32_t sy_flags;
3599         int fd;
3600         struct sonode *so;
3601         char so_laddr[sizeof (struct sockaddr_in6)];
3602         char so_faddr[sizeof (struct sockaddr_in6)];
3603         int err;
3604         short so_family, so_type;
3605         int add_sock_token = 0;
3606 
3607         /* need to determine type of executing binary */
3608         scid = tad->tad_scid;
3609 #ifdef _SYSCALL32_IMPL
3610         if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3611                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3612         else
3613                 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3614 #else
3615         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3616 #endif
3617         switch (sy_flags) {
3618         case SE_32RVAL1:
3619                 /* FALLTHRU */
3620         case SE_32RVAL2|SE_32RVAL1:
3621                 fd = rval->r_val1;
3622                 break;
3623         case SE_64RVAL:
3624                 fd = (int)rval->r_vals;
3625                 break;
3626         default:
3627                 /*
3628                  * should never happen, seems to be an internal error
3629                  * in sysent => no fd, nothing to audit here, returning
3630                  */
3631                 return;
3632         }
3633 
3634         if (error) {
3635                 /* can't trust socket contents. Just return */
3636                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3637                 return;
3638         }
3639 
3640         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3641                 /*
3642                  * not security relevant if doing a accept from non socket
3643                  * so no extra tokens. Should probably turn off audit record
3644                  * generation here.
3645                  */
3646                 return;
3647         }
3648 
3649         so_family = so->so_family;
3650         so_type   = so->so_type;
3651 
3652         switch (so_family) {
3653         case AF_INET:
3654         case AF_INET6:
3655                 /*
3656                  * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3657                  */
3658                 if (so->so_type == SOCK_STREAM) {
3659                         socklen_t len;
3660 
3661                         bzero((void *)so_laddr, sizeof (so_laddr));
3662                         bzero((void *)so_faddr, sizeof (so_faddr));
3663 
3664                         len = sizeof (so_laddr);
3665                         (void) socket_getsockname(so,
3666                             (struct sockaddr *)so_laddr, &len, CRED());
3667                         len = sizeof (so_faddr);
3668                         (void) socket_getpeername(so,
3669                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3670 
3671                         add_sock_token = 1;
3672                 }
3673                 break;
3674 
3675         default:
3676                 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3677                 break;
3678         }
3679 
3680         releasef(fd);
3681 
3682         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3683 
3684         if (add_sock_token == 0) {
3685                 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3686                 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3687                 return;
3688         }
3689 
3690         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3691 
3692 }
3693 
3694 /*ARGSUSED*/
3695 static void
3696 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3697 {
3698         struct a {
3699                 long    fd;
3700                 long    addr;
3701                 long    len;
3702         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3703 
3704         struct sonode *so;
3705         char so_laddr[sizeof (struct sockaddr_in6)];
3706         char so_faddr[sizeof (struct sockaddr_in6)];
3707         int err, fd;
3708         socklen_t len;
3709         short so_family, so_type;
3710         int add_sock_token = 0;
3711 
3712         fd = (int)uap->fd;
3713 
3714         /*
3715          * bind failed, then nothing extra to add to audit record.
3716          */
3717         if (error) {
3718                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3719                 /* XXX may want to add failed address some day */
3720                 return;
3721         }
3722 
3723         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3724                 /*
3725                  * not security relevant if doing a bind from non socket
3726                  * so no extra tokens. Should probably turn off audit record
3727                  * generation here.
3728                  */
3729                 return;
3730         }
3731 
3732         so_family = so->so_family;
3733         so_type   = so->so_type;
3734 
3735         switch (so_family) {
3736         case AF_INET:
3737         case AF_INET6:
3738 
3739                 bzero(so_faddr, sizeof (so_faddr));
3740                 len = sizeof (so_faddr);
3741 
3742                 (void) socket_getpeername(so,
3743                     (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3744                 add_sock_token = 1;
3745 
3746                 break;
3747 
3748         case AF_UNIX:
3749                 /* token added by lookup */
3750                 break;
3751         default:
3752                 /* AF_ROUTE, AF_KEY do not support accept */
3753                 break;
3754         }
3755 
3756         releasef(fd);
3757 
3758         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3759 
3760         if (add_sock_token == 0) {
3761                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3762                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3763                 return;
3764         }
3765 
3766         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3767 
3768 }
3769 
3770 /*ARGSUSED*/
3771 static void
3772 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3773 {
3774         struct a {
3775                 long    fd;
3776                 long    addr;
3777                 long    len;
3778         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3779 
3780         struct sonode *so;
3781         char so_laddr[sizeof (struct sockaddr_in6)];
3782         char so_faddr[sizeof (struct sockaddr_in6)];
3783         int err, fd;
3784         socklen_t len;
3785         short so_family, so_type;
3786         int add_sock_token = 0;
3787 
3788         fd = (int)uap->fd;
3789 
3790 
3791         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3792                 /*
3793                  * not security relevant if doing a connect from non socket
3794                  * so no extra tokens. Should probably turn off audit record
3795                  * generation here.
3796                  */
3797                 return;
3798         }
3799 
3800         so_family = so->so_family;
3801         so_type   = so->so_type;
3802 
3803         switch (so_family) {
3804         case AF_INET:
3805         case AF_INET6:
3806 
3807                 bzero(so_laddr, sizeof (so_laddr));
3808                 bzero(so_faddr, sizeof (so_faddr));
3809 
3810                 len = sizeof (so_laddr);
3811                 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3812                     &len, CRED());
3813                 if (error) {
3814                         if (uap->addr == 0)
3815                                 break;
3816                         if (uap->len <= 0)
3817                                 break;
3818                         len = min(uap->len, sizeof (so_faddr));
3819                         if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3820                                 break;
3821 #ifdef NOTYET
3822                         au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3823 #endif
3824                 } else {
3825                         /* sanity check on length */
3826                         len = sizeof (so_faddr);
3827                         (void) socket_getpeername(so,
3828                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3829                 }
3830 
3831                 add_sock_token = 1;
3832 
3833                 break;
3834 
3835         case AF_UNIX:
3836                 /* does a lookup on name */
3837                 break;
3838 
3839         default:
3840                 /* AF_ROUTE, AF_KEY do not support accept */
3841                 break;
3842         }
3843 
3844         releasef(fd);
3845 
3846         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3847 
3848         if (add_sock_token == 0) {
3849                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3850                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3851                 return;
3852         }
3853 
3854         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3855 
3856 }
3857 
3858 /*ARGSUSED*/
3859 static void
3860 aus_shutdown(struct t_audit_data *tad)
3861 {
3862         struct a {
3863                 long    fd;
3864                 long    how;
3865         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3866 
3867         struct sonode *so;
3868         char so_laddr[sizeof (struct sockaddr_in6)];
3869         char so_faddr[sizeof (struct sockaddr_in6)];
3870         int err, fd;
3871         socklen_t len;
3872         short so_family, so_type;
3873         int add_sock_token = 0;
3874         file_t *fp;                             /* unix domain sockets */
3875         struct f_audit_data *fad;               /* unix domain sockets */
3876 
3877         fd = (int)uap->fd;
3878 
3879         if ((so = getsonode(fd, &err, &fp)) == NULL) {
3880                 /*
3881                  * not security relevant if doing a shutdown using non socket
3882                  * so no extra tokens. Should probably turn off audit record
3883                  * generation here.
3884                  */
3885                 return;
3886         }
3887 
3888         so_family = so->so_family;
3889         so_type   = so->so_type;
3890 
3891         switch (so_family) {
3892         case AF_INET:
3893         case AF_INET6:
3894 
3895                 bzero(so_laddr, sizeof (so_laddr));
3896                 bzero(so_faddr, sizeof (so_faddr));
3897 
3898                 len = sizeof (so_laddr);
3899                 (void) socket_getsockname(so,
3900                     (struct sockaddr *)so_laddr, &len, CRED());
3901                 len = sizeof (so_faddr);
3902                 (void) socket_getpeername(so,
3903                     (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3904 
3905                 add_sock_token = 1;
3906 
3907                 break;
3908 
3909         case AF_UNIX:
3910 
3911                 /* get path from file struct here */
3912                 fad = F2A(fp);
3913                 ASSERT(fad);
3914 
3915                 if (fad->fad_aupath != NULL) {
3916                         au_uwrite(au_to_path(fad->fad_aupath));
3917                 } else {
3918                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
3919                 }
3920 
3921                 audit_attributes(fp->f_vnode);
3922 
3923                 break;
3924 
3925         default:
3926                 /*
3927                  * AF_KEY and AF_ROUTE support shutdown. No socket token
3928                  * added.
3929                  */
3930                 break;
3931         }
3932 
3933         releasef(fd);
3934 
3935         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3936 
3937         if (add_sock_token == 0) {
3938                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3939                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3940                 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3941                 return;
3942         }
3943 
3944         au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3945 
3946         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3947 
3948 }
3949 
3950 /*ARGSUSED*/
3951 static void
3952 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3953 {
3954         struct a {
3955                 long    fd;
3956                 long    level;
3957                 long    optname;
3958                 long    *optval;
3959                 long    optlen;
3960         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3961 
3962         struct sonode   *so;
3963         char so_laddr[sizeof (struct sockaddr_in6)];
3964         char so_faddr[sizeof (struct sockaddr_in6)];
3965         char            val[AU_BUFSIZE];
3966         int             err, fd;
3967         socklen_t       len;
3968         short so_family, so_type;
3969         int             add_sock_token = 0;
3970         file_t *fp;                             /* unix domain sockets */
3971         struct f_audit_data *fad;               /* unix domain sockets */
3972 
3973         fd = (int)uap->fd;
3974 
3975         if (error) {
3976                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3977                 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3978                 /* XXX may want to include other arguments */
3979                 return;
3980         }
3981 
3982         if ((so = getsonode(fd, &err, &fp)) == NULL) {
3983                 /*
3984                  * not security relevant if doing a setsockopt from non socket
3985                  * so no extra tokens. Should probably turn off audit record
3986                  * generation here.
3987                  */
3988                 return;
3989         }
3990 
3991         so_family = so->so_family;
3992         so_type   = so->so_type;
3993 
3994         switch (so_family) {
3995         case AF_INET:
3996         case AF_INET6:
3997                 bzero((void *)so_laddr, sizeof (so_laddr));
3998                 bzero((void *)so_faddr, sizeof (so_faddr));
3999 
4000                 /* get local and foreign addresses */
4001                 len = sizeof (so_laddr);
4002                 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
4003                     &len, CRED());
4004                 len = sizeof (so_faddr);
4005                 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
4006                     &len, B_FALSE, CRED());
4007 
4008                 add_sock_token = 1;
4009 
4010                 break;
4011 
4012         case AF_UNIX:
4013 
4014                 /* get path from file struct here */
4015                 fad = F2A(fp);
4016                 ASSERT(fad);
4017 
4018                 if (fad->fad_aupath != NULL) {
4019                         au_uwrite(au_to_path(fad->fad_aupath));
4020                 } else {
4021                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4022                 }
4023 
4024                 audit_attributes(fp->f_vnode);
4025 
4026                 break;
4027 
4028         default:
4029                 /*
4030                  * AF_KEY and AF_ROUTE support setsockopt. No socket token
4031                  * added.
4032                  */
4033                 break;
4034         }
4035 
4036         releasef(fd);
4037 
4038         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4039 
4040         if (add_sock_token == 0) {
4041                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
4042                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
4043         }
4044         au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
4045         au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
4046 
4047         bzero(val, sizeof (val));
4048         len = min(uap->optlen, sizeof (val));
4049         if ((len > 0) &&
4050             (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
4051                 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
4052                 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
4053         }
4054 
4055         if (add_sock_token == 0)
4056                 return;
4057 
4058         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4059 
4060 }
4061 
4062 /*ARGSUSED*/
4063 static void
4064 aus_sockconfig(struct t_audit_data *tad)
4065 {
4066         struct a {
4067                 long    cmd;
4068                 long    arg1;
4069                 long    arg2;
4070                 long    arg3;
4071                 long    arg4;
4072         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4073 
4074         char    *buf;
4075         int     buflen;
4076         size_t  size;
4077 
4078         au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4079         switch (uap->cmd) {
4080         case SOCKCONFIG_ADD_SOCK:
4081         case SOCKCONFIG_REMOVE_SOCK:
4082                 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4083                 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4084                 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4085 
4086                 if (uap->arg4 == 0) {
4087                         au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4088                 } else {
4089                         buflen = MAXPATHLEN + 1;
4090                         buf = kmem_alloc(buflen, KM_SLEEP);
4091                         if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4092                             &size)) {
4093                                 kmem_free(buf, buflen);
4094                                 return;
4095                         }
4096 
4097                         if (size > MAXPATHLEN) {
4098                                 kmem_free(buf, buflen);
4099                                 return;
4100                         }
4101 
4102                         au_uwrite(au_to_text(buf));
4103                         kmem_free(buf, buflen);
4104                 }
4105                 break;
4106         case SOCKCONFIG_ADD_FILTER:
4107         case SOCKCONFIG_REMOVE_FILTER:
4108                 buflen = FILNAME_MAX;
4109                 buf = kmem_alloc(buflen, KM_SLEEP);
4110 
4111                 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4112                         kmem_free(buf, buflen);
4113                         return;
4114                 }
4115 
4116                 au_uwrite(au_to_text(buf));
4117                 kmem_free(buf, buflen);
4118                 break;
4119         default:
4120                 break;
4121         }
4122 }
4123 
4124 /*
4125  * only audit recvmsg when the system call represents the creation of a new
4126  * circuit. This effectively occurs for all UDP packets and may occur for
4127  * special TCP situations where the local host has not set a local address
4128  * in the socket structure.
4129  */
4130 /*ARGSUSED*/
4131 static void
4132 auf_recvmsg(
4133         struct t_audit_data *tad,
4134         int error,
4135         rval_t *rvp)
4136 {
4137         struct a {
4138                 long    fd;
4139                 long    msg;    /* struct msghdr */
4140                 long    flags;
4141         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4142 
4143         struct sonode   *so;
4144         STRUCT_DECL(msghdr, msg);
4145         caddr_t msg_name;
4146         socklen_t msg_namelen;
4147         int fd;
4148         int err;
4149         char so_laddr[sizeof (struct sockaddr_in6)];
4150         char so_faddr[sizeof (struct sockaddr_in6)];
4151         socklen_t len;
4152         file_t *fp;                             /* unix domain sockets */
4153         struct f_audit_data *fad;               /* unix domain sockets */
4154         short so_family, so_type;
4155         int add_sock_token = 0;
4156         au_kcontext_t   *kctx = GET_KCTX_PZ;
4157 
4158         fd = (int)uap->fd;
4159 
4160         /* bail if an error */
4161         if (error) {
4162                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4163                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4164                 return;
4165         }
4166 
4167         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4168                 /*
4169                  * not security relevant if doing a recvmsg from non socket
4170                  * so no extra tokens. Should probably turn off audit record
4171                  * generation here.
4172                  */
4173                 return;
4174         }
4175 
4176         so_family = so->so_family;
4177         so_type   = so->so_type;
4178 
4179         /*
4180          * only putout SOCKET_EX token if INET/INET6 family.
4181          * XXX - what do we do about other families?
4182          */
4183 
4184         switch (so_family) {
4185         case AF_INET:
4186         case AF_INET6:
4187 
4188                 /*
4189                  * if datagram type socket, then just use what is in
4190                  * socket structure for local address.
4191                  * XXX - what do we do for other types?
4192                  */
4193                 if ((so->so_type == SOCK_DGRAM) ||
4194                     (so->so_type == SOCK_RAW)) {
4195                         add_sock_token = 1;
4196 
4197                         bzero((void *)so_laddr, sizeof (so_laddr));
4198                         bzero((void *)so_faddr, sizeof (so_faddr));
4199 
4200                         /* get local address */
4201                         len = sizeof (so_laddr);
4202                         (void) socket_getsockname(so,
4203                             (struct sockaddr *)so_laddr, &len, CRED());
4204 
4205                         /* get peer address */
4206                         STRUCT_INIT(msg, get_udatamodel());
4207 
4208                         if (copyin((caddr_t)(uap->msg),
4209                             (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4210                                 break;
4211                         }
4212                         msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4213                         if (msg_name == NULL) {
4214                                 break;
4215                         }
4216 
4217                         /* length is value from recvmsg - sanity check */
4218                         msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4219                         if (msg_namelen == 0) {
4220                                 break;
4221                         }
4222                         if (copyin(msg_name, so_faddr,
4223                             sizeof (so_faddr)) != 0) {
4224                                 break;
4225                         }
4226 
4227                 } else if (so->so_type == SOCK_STREAM) {
4228 
4229                         /* get path from file struct here */
4230                         fad = F2A(fp);
4231                         ASSERT(fad);
4232 
4233                         /*
4234                          * already processed this file for read attempt
4235                          */
4236                         if (fad->fad_flags & FAD_READ) {
4237                                 /* don't want to audit every recvmsg attempt */
4238                                 tad->tad_flag = 0;
4239                                 /* free any residual audit data */
4240                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4241                                 releasef(fd);
4242                                 return;
4243                         }
4244                         /*
4245                          * mark things so we know what happened and don't
4246                          * repeat things
4247                          */
4248                         fad->fad_flags |= FAD_READ;
4249 
4250                         bzero((void *)so_laddr, sizeof (so_laddr));
4251                         bzero((void *)so_faddr, sizeof (so_faddr));
4252 
4253                         /* get local and foreign addresses */
4254                         len = sizeof (so_laddr);
4255                         (void) socket_getsockname(so,
4256                             (struct sockaddr *)so_laddr, &len, CRED());
4257                         len = sizeof (so_faddr);
4258                         (void) socket_getpeername(so,
4259                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4260 
4261                         add_sock_token = 1;
4262                 }
4263 
4264                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4265 
4266                 break;
4267 
4268         case AF_UNIX:
4269                 /*
4270                  * first check if this is first time through. Too much
4271                  * duplicate code to put this in an aui_ routine.
4272                  */
4273 
4274                 /* get path from file struct here */
4275                 fad = F2A(fp);
4276                 ASSERT(fad);
4277 
4278                 /*
4279                  * already processed this file for read attempt
4280                  */
4281                 if (fad->fad_flags & FAD_READ) {
4282                         releasef(fd);
4283                         /* don't want to audit every recvmsg attempt */
4284                         tad->tad_flag = 0;
4285                         /* free any residual audit data */
4286                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4287                         return;
4288                 }
4289                 /*
4290                  * mark things so we know what happened and don't
4291                  * repeat things
4292                  */
4293                 fad->fad_flags |= FAD_READ;
4294 
4295                 if (fad->fad_aupath != NULL) {
4296                         au_uwrite(au_to_path(fad->fad_aupath));
4297                 } else {
4298                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4299                 }
4300 
4301                 audit_attributes(fp->f_vnode);
4302 
4303                 releasef(fd);
4304 
4305                 return;
4306 
4307         default:
4308                 break;
4309 
4310         }
4311 
4312         releasef(fd);
4313 
4314         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4315 
4316         if (add_sock_token == 0) {
4317                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4318                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4319                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4320                 return;
4321         }
4322 
4323         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4324 
4325         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4326 
4327 }
4328 
4329 /*ARGSUSED*/
4330 static void
4331 auf_recvfrom(
4332         struct t_audit_data *tad,
4333         int error,
4334         rval_t *rvp)
4335 {
4336 
4337         struct a {
4338                 long    fd;
4339                 long    msg;    /* char */
4340                 long    len;
4341                 long    flags;
4342                 long    from;   /* struct sockaddr */
4343                 long    fromlen;
4344         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4345 
4346         socklen_t       fromlen;
4347         struct sonode   *so;
4348         char so_laddr[sizeof (struct sockaddr_in6)];
4349         char so_faddr[sizeof (struct sockaddr_in6)];
4350         int             fd;
4351         short so_family, so_type;
4352         int add_sock_token = 0;
4353         socklen_t len;
4354         int err;
4355         struct file *fp;
4356         struct f_audit_data *fad;               /* unix domain sockets */
4357         au_kcontext_t   *kctx = GET_KCTX_PZ;
4358 
4359         fd = (int)uap->fd;
4360 
4361         /* bail if an error */
4362         if (error) {
4363                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4364                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4365                 return;
4366         }
4367 
4368         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4369                 /*
4370                  * not security relevant if doing a recvmsg from non socket
4371                  * so no extra tokens. Should probably turn off audit record
4372                  * generation here.
4373                  */
4374                 return;
4375         }
4376 
4377         so_family = so->so_family;
4378         so_type   = so->so_type;
4379 
4380         /*
4381          * only putout SOCKET_EX token if INET/INET6 family.
4382          * XXX - what do we do about other families?
4383          */
4384 
4385         switch (so_family) {
4386         case AF_INET:
4387         case AF_INET6:
4388 
4389                 /*
4390                  * if datagram type socket, then just use what is in
4391                  * socket structure for local address.
4392                  * XXX - what do we do for other types?
4393                  */
4394                 if ((so->so_type == SOCK_DGRAM) ||
4395                     (so->so_type == SOCK_RAW)) {
4396                         add_sock_token = 1;
4397 
4398                         /* get local address */
4399                         len = sizeof (so_laddr);
4400                         (void) socket_getsockname(so,
4401                             (struct sockaddr *)so_laddr, &len, CRED());
4402 
4403                         /* get peer address */
4404                         bzero((void *)so_faddr, sizeof (so_faddr));
4405 
4406                         /* sanity check */
4407                         if (uap->from == 0)
4408                                 break;
4409 
4410                         /* sanity checks */
4411                         if (uap->fromlen == 0)
4412                                 break;
4413 
4414                         if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4415                             sizeof (fromlen)) != 0)
4416                                 break;
4417 
4418                         if (fromlen == 0)
4419                                 break;
4420 
4421                         /* enforce maximum size */
4422                         if (fromlen > sizeof (so_faddr))
4423                                 fromlen = sizeof (so_faddr);
4424 
4425                         if (copyin((caddr_t)(uap->from), so_faddr,
4426                             fromlen) != 0)
4427                                 break;
4428 
4429                 } else if (so->so_type == SOCK_STREAM) {
4430 
4431                         /* get path from file struct here */
4432                         fad = F2A(fp);
4433                         ASSERT(fad);
4434 
4435                         /*
4436                          * already processed this file for read attempt
4437                          */
4438                         if (fad->fad_flags & FAD_READ) {
4439                                 /* don't want to audit every recvfrom attempt */
4440                                 tad->tad_flag = 0;
4441                                 /* free any residual audit data */
4442                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4443                                 releasef(fd);
4444                                 return;
4445                         }
4446                         /*
4447                          * mark things so we know what happened and don't
4448                          * repeat things
4449                          */
4450                         fad->fad_flags |= FAD_READ;
4451 
4452                         bzero((void *)so_laddr, sizeof (so_laddr));
4453                         bzero((void *)so_faddr, sizeof (so_faddr));
4454 
4455                         /* get local and foreign addresses */
4456                         len = sizeof (so_laddr);
4457                         (void) socket_getsockname(so,
4458                             (struct sockaddr *)so_laddr, &len, CRED());
4459                         len = sizeof (so_faddr);
4460                         (void) socket_getpeername(so,
4461                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4462 
4463                         add_sock_token = 1;
4464                 }
4465 
4466                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4467 
4468                 break;
4469 
4470         case AF_UNIX:
4471                 /*
4472                  * first check if this is first time through. Too much
4473                  * duplicate code to put this in an aui_ routine.
4474                  */
4475 
4476                 /* get path from file struct here */
4477                 fad = F2A(fp);
4478                 ASSERT(fad);
4479 
4480                 /*
4481                  * already processed this file for read attempt
4482                  */
4483                 if (fad->fad_flags & FAD_READ) {
4484                         /* don't want to audit every recvfrom attempt */
4485                         tad->tad_flag = 0;
4486                         /* free any residual audit data */
4487                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4488                         releasef(fd);
4489                         return;
4490                 }
4491                 /*
4492                  * mark things so we know what happened and don't
4493                  * repeat things
4494                  */
4495                 fad->fad_flags |= FAD_READ;
4496 
4497                 if (fad->fad_aupath != NULL) {
4498                         au_uwrite(au_to_path(fad->fad_aupath));
4499                 } else {
4500                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4501                 }
4502 
4503                 audit_attributes(fp->f_vnode);
4504 
4505                 releasef(fd);
4506 
4507                 return;
4508 
4509         default:
4510                 break;
4511 
4512         }
4513 
4514         releasef(fd);
4515 
4516         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4517 
4518         if (add_sock_token == 0) {
4519                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4520                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4521                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4522                 return;
4523         }
4524 
4525         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4526 
4527         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4528 }
4529 
4530 /*ARGSUSED*/
4531 static void
4532 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4533 {
4534         struct a {
4535                 long    fd;
4536                 long    msg;    /* struct msghdr */
4537                 long    flags;
4538         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4539 
4540         struct sonode   *so;
4541         char so_laddr[sizeof (struct sockaddr_in6)];
4542         char so_faddr[sizeof (struct sockaddr_in6)];
4543         int             err;
4544         int             fd;
4545         short so_family, so_type;
4546         int             add_sock_token = 0;
4547         socklen_t       len;
4548         struct file     *fp;
4549         struct f_audit_data *fad;
4550         caddr_t         msg_name;
4551         socklen_t       msg_namelen;
4552         STRUCT_DECL(msghdr, msg);
4553         au_kcontext_t   *kctx = GET_KCTX_PZ;
4554 
4555         fd = (int)uap->fd;
4556 
4557         /* bail if an error */
4558         if (error) {
4559                 /* XXX include destination address from system call arguments */
4560                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4561                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4562                 return;
4563         }
4564 
4565         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4566                 /*
4567                  * not security relevant if doing a sendmsg from non socket
4568                  * so no extra tokens. Should probably turn off audit record
4569                  * generation here.
4570                  */
4571                 return;
4572         }
4573 
4574         so_family = so->so_family;
4575         so_type   = so->so_type;
4576 
4577         switch (so_family) {
4578         case AF_INET:
4579         case AF_INET6:
4580                 /*
4581                  * if datagram type socket, then just use what is in
4582                  * socket structure for local address.
4583                  * XXX - what do we do for other types?
4584                  */
4585                 if ((so->so_type == SOCK_DGRAM) ||
4586                     (so->so_type == SOCK_RAW)) {
4587 
4588                         bzero((void *)so_laddr, sizeof (so_laddr));
4589                         bzero((void *)so_faddr, sizeof (so_faddr));
4590 
4591                         /* get local address */
4592                         len = sizeof (so_laddr);
4593                         (void) socket_getsockname(so,
4594                             (struct sockaddr *)so_laddr, &len, CRED());
4595 
4596                         /* get peer address */
4597                         STRUCT_INIT(msg, get_udatamodel());
4598 
4599                         if (copyin((caddr_t)(uap->msg),
4600                             (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4601                                 break;
4602                         }
4603                         msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4604                         if (msg_name == NULL)
4605                                 break;
4606 
4607                         msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4608                         /* length is value from recvmsg - sanity check */
4609                         if (msg_namelen == 0)
4610                                 break;
4611 
4612                         if (copyin(msg_name, so_faddr,
4613                             sizeof (so_faddr)) != 0)
4614                                 break;
4615 
4616                         add_sock_token = 1;
4617 
4618                 } else if (so->so_type == SOCK_STREAM) {
4619 
4620                         /* get path from file struct here */
4621                         fad = F2A(fp);
4622                         ASSERT(fad);
4623 
4624                         /*
4625                          * already processed this file for write attempt
4626                          */
4627                         if (fad->fad_flags & FAD_WRITE) {
4628                                 releasef(fd);
4629                                 /* don't want to audit every sendmsg attempt */
4630                                 tad->tad_flag = 0;
4631                                 /* free any residual audit data */
4632                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4633                                 return;
4634                         }
4635 
4636                         /*
4637                          * mark things so we know what happened and don't
4638                          * repeat things
4639                          */
4640                         fad->fad_flags |= FAD_WRITE;
4641 
4642                         bzero((void *)so_laddr, sizeof (so_laddr));
4643                         bzero((void *)so_faddr, sizeof (so_faddr));
4644 
4645                         /* get local and foreign addresses */
4646                         len = sizeof (so_laddr);
4647                         (void) socket_getsockname(so,
4648                             (struct sockaddr *)so_laddr, &len, CRED());
4649                         len = sizeof (so_faddr);
4650                         (void) socket_getpeername(so,
4651                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4652 
4653                         add_sock_token = 1;
4654                 }
4655 
4656                 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4657 
4658                 break;
4659 
4660         case AF_UNIX:
4661                 /*
4662                  * first check if this is first time through. Too much
4663                  * duplicate code to put this in an aui_ routine.
4664                  */
4665 
4666                 /* get path from file struct here */
4667                 fad = F2A(fp);
4668                 ASSERT(fad);
4669 
4670                 /*
4671                  * already processed this file for write attempt
4672                  */
4673                 if (fad->fad_flags & FAD_WRITE) {
4674                         releasef(fd);
4675                         /* don't want to audit every sendmsg attempt */
4676                         tad->tad_flag = 0;
4677                         /* free any residual audit data */
4678                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4679                         return;
4680                 }
4681                 /*
4682                  * mark things so we know what happened and don't
4683                  * repeat things
4684                  */
4685                 fad->fad_flags |= FAD_WRITE;
4686 
4687                 if (fad->fad_aupath != NULL) {
4688                         au_uwrite(au_to_path(fad->fad_aupath));
4689                 } else {
4690                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4691                 }
4692 
4693                 audit_attributes(fp->f_vnode);
4694 
4695                 releasef(fd);
4696 
4697                 return;
4698 
4699         default:
4700                 break;
4701         }
4702 
4703         releasef(fd);
4704 
4705         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4706 
4707         if (add_sock_token == 0) {
4708                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4709                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4710                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4711                 return;
4712         }
4713 
4714         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4715 
4716         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4717 }
4718 
4719 /*ARGSUSED*/
4720 static void
4721 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4722 {
4723         struct a {
4724                 long    fd;
4725                 long    msg;    /* char */
4726                 long    len;
4727                 long    flags;
4728                 long    to;     /* struct sockaddr */
4729                 long    tolen;
4730         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4731 
4732         struct sonode   *so;
4733         char so_laddr[sizeof (struct sockaddr_in6)];
4734         char so_faddr[sizeof (struct sockaddr_in6)];
4735         socklen_t       tolen;
4736         int             err;
4737         int             fd;
4738         socklen_t       len;
4739         short so_family, so_type;
4740         int             add_sock_token = 0;
4741         struct file     *fp;
4742         struct f_audit_data *fad;
4743         au_kcontext_t   *kctx = GET_KCTX_PZ;
4744 
4745         fd = (int)uap->fd;
4746 
4747         /* bail if an error */
4748         if (error) {
4749                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4750                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4751                 /* XXX include destination address from system call arguments */
4752                 return;
4753         }
4754 
4755         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4756                 /*
4757                  * not security relevant if doing a sendto using non socket
4758                  * so no extra tokens. Should probably turn off audit record
4759                  * generation here.
4760                  */
4761                 return;
4762         }
4763 
4764         so_family = so->so_family;
4765         so_type   = so->so_type;
4766 
4767         /*
4768          * only putout SOCKET_EX token if INET/INET6 family.
4769          * XXX - what do we do about other families?
4770          */
4771 
4772         switch (so_family) {
4773         case AF_INET:
4774         case AF_INET6:
4775 
4776                 /*
4777                  * if datagram type socket, then just use what is in
4778                  * socket structure for local address.
4779                  * XXX - what do we do for other types?
4780                  */
4781                 if ((so->so_type == SOCK_DGRAM) ||
4782                     (so->so_type == SOCK_RAW)) {
4783 
4784                         bzero((void *)so_laddr, sizeof (so_laddr));
4785                         bzero((void *)so_faddr, sizeof (so_faddr));
4786 
4787                         /* get local address */
4788                         len = sizeof (so_laddr);
4789                         (void) socket_getsockname(so,
4790                             (struct sockaddr *)so_laddr, &len, CRED());
4791 
4792                         /* get peer address */
4793 
4794                         /* sanity check */
4795                         if (uap->to == 0)
4796                                 break;
4797 
4798                         /* sanity checks */
4799                         if (uap->tolen == 0)
4800                                 break;
4801 
4802                         tolen = (socklen_t)uap->tolen;
4803 
4804                         /* enforce maximum size */
4805                         if (tolen > sizeof (so_faddr))
4806                                 tolen = sizeof (so_faddr);
4807 
4808                         if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4809                                 break;
4810 
4811                         add_sock_token = 1;
4812                 } else {
4813                         /*
4814                          * check if this is first time through.
4815                          */
4816 
4817                         /* get path from file struct here */
4818                         fad = F2A(fp);
4819                         ASSERT(fad);
4820 
4821                         /*
4822                          * already processed this file for write attempt
4823                          */
4824                         if (fad->fad_flags & FAD_WRITE) {
4825                                 /* don't want to audit every sendto attempt */
4826                                 tad->tad_flag = 0;
4827                                 /* free any residual audit data */
4828                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4829                                 releasef(fd);
4830                                 return;
4831                         }
4832                         /*
4833                          * mark things so we know what happened and don't
4834                          * repeat things
4835                          */
4836                         fad->fad_flags |= FAD_WRITE;
4837 
4838                         bzero((void *)so_laddr, sizeof (so_laddr));
4839                         bzero((void *)so_faddr, sizeof (so_faddr));
4840 
4841                         /* get local and foreign addresses */
4842                         len = sizeof (so_laddr);
4843                         (void) socket_getsockname(so,
4844                             (struct sockaddr *)so_laddr, &len, CRED());
4845                         len = sizeof (so_faddr);
4846                         (void) socket_getpeername(so,
4847                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4848 
4849                         add_sock_token = 1;
4850                 }
4851 
4852                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4853 
4854                 break;
4855 
4856         case AF_UNIX:
4857                 /*
4858                  * first check if this is first time through. Too much
4859                  * duplicate code to put this in an aui_ routine.
4860                  */
4861 
4862                 /* get path from file struct here */
4863                 fad = F2A(fp);
4864                 ASSERT(fad);
4865 
4866                 /*
4867                  * already processed this file for write attempt
4868                  */
4869                 if (fad->fad_flags & FAD_WRITE) {
4870                         /* don't want to audit every sendto attempt */
4871                         tad->tad_flag = 0;
4872                         /* free any residual audit data */
4873                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4874                         releasef(fd);
4875                         return;
4876                 }
4877                 /*
4878                  * mark things so we know what happened and don't
4879                  * repeat things
4880                  */
4881                 fad->fad_flags |= FAD_WRITE;
4882 
4883                 if (fad->fad_aupath != NULL) {
4884                         au_uwrite(au_to_path(fad->fad_aupath));
4885                 } else {
4886                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4887                 }
4888 
4889                 audit_attributes(fp->f_vnode);
4890 
4891                 releasef(fd);
4892 
4893                 return;
4894 
4895         default:
4896                 break;
4897 
4898         }
4899 
4900         releasef(fd);
4901 
4902         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4903 
4904         if (add_sock_token == 0) {
4905                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4906                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4907                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4908                 return;
4909         }
4910 
4911         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4912 
4913         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4914 
4915 }
4916 
4917 /*
4918  * XXX socket(2) may be equivalent to open(2) on a unix domain
4919  * socket. This needs investigation.
4920  */
4921 
4922 /*ARGSUSED*/
4923 static void
4924 aus_socket(struct t_audit_data *tad)
4925 {
4926         struct a {
4927                 long    domain;
4928                 long    type;
4929                 long    protocol;
4930         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4931 
4932         au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4933         au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4934         au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4935 }
4936 
4937 /*ARGSUSED*/
4938 static void
4939 aus_sigqueue(struct t_audit_data *tad)
4940 {
4941         struct a {
4942                 long    pid;
4943                 long    signo;
4944                 long    *val;
4945         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4946         struct proc *p;
4947         uid_t uid, ruid;
4948         gid_t gid, rgid;
4949         pid_t pid;
4950         const auditinfo_addr_t *ainfo;
4951         cred_t *cr;
4952 
4953         pid = (pid_t)uap->pid;
4954 
4955         au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4956         if (pid > 0) {
4957                 mutex_enter(&pidlock);
4958                 if ((p = prfind(pid)) == (struct proc *)0) {
4959                         mutex_exit(&pidlock);
4960                         return;
4961                 }
4962                 mutex_enter(&p->p_lock); /* so process doesn't go away */
4963                 mutex_exit(&pidlock);
4964 
4965                 mutex_enter(&p->p_crlock);
4966                 crhold(cr = p->p_cred);
4967                 mutex_exit(&p->p_crlock);
4968                 mutex_exit(&p->p_lock);
4969 
4970                 ainfo = crgetauinfo(cr);
4971                 if (ainfo == NULL) {
4972                         crfree(cr);
4973                         return;
4974                 }
4975 
4976                 uid  = crgetuid(cr);
4977                 gid  = crgetgid(cr);
4978                 ruid = crgetruid(cr);
4979                 rgid = crgetrgid(cr);
4980                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4981                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4982                 crfree(cr);
4983         }
4984         else
4985                 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4986 }
4987 
4988 /*ARGSUSED*/
4989 static void
4990 aus_inst_sync(struct t_audit_data *tad)
4991 {
4992         struct a {
4993                 long    name;   /* char */
4994                 long    flags;
4995         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4996 
4997         au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4998 }
4999 
5000 /*ARGSUSED*/
5001 static void
5002 aus_brandsys(struct t_audit_data *tad)
5003 {
5004         klwp_t *clwp = ttolwp(curthread);
5005 
5006         struct a {
5007                 long    cmd;
5008                 long    arg1;
5009                 long    arg2;
5010                 long    arg3;
5011                 long    arg4;
5012                 long    arg5;
5013                 long    arg6;
5014         } *uap = (struct a *)clwp->lwp_ap;
5015 
5016         au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
5017 #ifdef _LP64
5018         au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
5019         au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
5020         au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
5021         au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
5022         au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
5023         au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
5024 #else
5025         au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
5026         au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
5027         au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
5028         au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
5029         au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
5030         au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
5031 #endif
5032 }
5033 
5034 /*ARGSUSED*/
5035 static void
5036 aus_p_online(struct t_audit_data *tad)
5037 {
5038         struct a {
5039                 long    processor_id;
5040                 long    flag;
5041         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5042 
5043         struct flags {
5044                         int     flag;
5045                         char    *cflag;
5046         } aflags[6] = {
5047                         { P_ONLINE, "P_ONLINE"},
5048                         { P_OFFLINE, "P_OFFLINE"},
5049                         { P_NOINTR, "P_NOINTR"},
5050                         { P_SPARE, "P_SPARE"},
5051                         { P_FAULTED, "P_FAULTED"},
5052                         { P_STATUS, "P_STATUS"}
5053         };
5054         int i;
5055         char *cflag;
5056 
5057         au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
5058         au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
5059 
5060         for (i = 0; i < 6; i++) {
5061                 if (aflags[i].flag == uap->flag)
5062                         break;
5063         }
5064         cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5065 
5066         au_uwrite(au_to_text(cflag));
5067 }
5068 
5069 /*ARGSUSED*/
5070 static void
5071 aus_processor_bind(struct t_audit_data *tad)
5072 {
5073         struct a {
5074                 long    id_type;
5075                 long    id;
5076                 long    processor_id;
5077                 long    obind;
5078         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5079 
5080         struct proc *p;
5081         int lwpcnt;
5082         uid_t uid, ruid;
5083         gid_t gid, rgid;
5084         pid_t pid;
5085         const auditinfo_addr_t *ainfo;
5086         cred_t *cr;
5087 
5088         au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5089         au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5090         if (uap->processor_id == PBIND_NONE)
5091                 au_uwrite(au_to_text("PBIND_NONE"));
5092         else
5093                 au_uwrite(au_to_arg32(3, "processor_id",
5094                     (uint32_t)uap->processor_id));
5095 
5096         switch (uap->id_type) {
5097         case P_MYID:
5098         case P_LWPID:
5099                 mutex_enter(&pidlock);
5100                 p = ttoproc(curthread);
5101                 if (p == NULL || p->p_as == &kas) {
5102                         mutex_exit(&pidlock);
5103                         return;
5104                 }
5105                 mutex_enter(&p->p_lock);
5106                 mutex_exit(&pidlock);
5107                 lwpcnt = p->p_lwpcnt;
5108                 pid  = p->p_pid;
5109 
5110                 mutex_enter(&p->p_crlock);
5111                 crhold(cr = p->p_cred);
5112                 mutex_exit(&p->p_crlock);
5113                 mutex_exit(&p->p_lock);
5114 
5115                 ainfo = crgetauinfo(cr);
5116                 if (ainfo == NULL) {
5117                         crfree(cr);
5118                         return;
5119                 }
5120 
5121                 uid  = crgetuid(cr);
5122                 gid  = crgetgid(cr);
5123                 ruid = crgetruid(cr);
5124                 rgid = crgetrgid(cr);
5125                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5126                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5127                 crfree(cr);
5128                 break;
5129         case P_PID:
5130                 mutex_enter(&pidlock);
5131                 p = prfind(uap->id);
5132                 if (p == NULL || p->p_as == &kas) {
5133                         mutex_exit(&pidlock);
5134                         return;
5135                 }
5136                 mutex_enter(&p->p_lock);
5137                 mutex_exit(&pidlock);
5138                 lwpcnt = p->p_lwpcnt;
5139                 pid  = p->p_pid;
5140 
5141                 mutex_enter(&p->p_crlock);
5142                 crhold(cr = p->p_cred);
5143                 mutex_exit(&p->p_crlock);
5144                 mutex_exit(&p->p_lock);
5145 
5146                 ainfo = crgetauinfo(cr);
5147                 if (ainfo == NULL) {
5148                         crfree(cr);
5149                         return;
5150                 }
5151 
5152                 uid  = crgetuid(cr);
5153                 gid  = crgetgid(cr);
5154                 ruid = crgetruid(cr);
5155                 rgid = crgetrgid(cr);
5156                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5157                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5158                 crfree(cr);
5159 
5160                 break;
5161         default:
5162                 return;
5163         }
5164 
5165         if (uap->processor_id == PBIND_NONE &&
5166             (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5167                 au_uwrite(au_to_text("PBIND_NONE for process"));
5168         else
5169                 au_uwrite(au_to_arg32(3, "processor_id",
5170                     (uint32_t)uap->processor_id));
5171 }
5172 
5173 /*ARGSUSED*/
5174 static au_event_t
5175 aui_doorfs(au_event_t e)
5176 {
5177         uint32_t code;
5178 
5179         struct a {              /* doorfs */
5180                 long    a1;
5181                 long    a2;
5182                 long    a3;
5183                 long    a4;
5184                 long    a5;
5185                 long    code;
5186         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5187 
5188         /*
5189          *      audit formats for several of the
5190          *      door calls have not yet been determined
5191          */
5192         code = (uint32_t)uap->code;
5193         switch (code) {
5194         case DOOR_CALL:
5195                 e = AUE_DOORFS_DOOR_CALL;
5196                 break;
5197         case DOOR_RETURN:
5198                 e = AUE_NULL;
5199                 break;
5200         case DOOR_CREATE:
5201                 e = AUE_DOORFS_DOOR_CREATE;
5202                 break;
5203         case DOOR_REVOKE:
5204                 e = AUE_DOORFS_DOOR_REVOKE;
5205                 break;
5206         case DOOR_INFO:
5207                 e = AUE_NULL;
5208                 break;
5209         case DOOR_UCRED:
5210                 e = AUE_NULL;
5211                 break;
5212         case DOOR_BIND:
5213                 e = AUE_NULL;
5214                 break;
5215         case DOOR_UNBIND:
5216                 e = AUE_NULL;
5217                 break;
5218         case DOOR_GETPARAM:
5219                 e = AUE_NULL;
5220                 break;
5221         case DOOR_SETPARAM:
5222                 e = AUE_NULL;
5223                 break;
5224         default:        /* illegal system call */
5225                 e = AUE_NULL;
5226                 break;
5227         }
5228 
5229         return (e);
5230 }
5231 
5232 static door_node_t *
5233 au_door_lookup(int did)
5234 {
5235         vnode_t *vp;
5236         file_t *fp;
5237 
5238         if ((fp = getf(did)) == NULL)
5239                 return (NULL);
5240         /*
5241          * Use the underlying vnode (we may be namefs mounted)
5242          */
5243         if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5244                 vp = fp->f_vnode;
5245 
5246         if (vp == NULL || vp->v_type != VDOOR) {
5247                 releasef(did);
5248                 return (NULL);
5249         }
5250 
5251         return (VTOD(vp));
5252 }
5253 
5254 /*ARGSUSED*/
5255 static void
5256 aus_doorfs(struct t_audit_data *tad)
5257 {
5258 
5259         struct a {              /* doorfs */
5260                 long    a1;
5261                 long    a2;
5262                 long    a3;
5263                 long    a4;
5264                 long    a5;
5265                 long    code;
5266         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5267 
5268         door_node_t     *dp;
5269         struct proc     *p;
5270         uint32_t        did;
5271         uid_t uid, ruid;
5272         gid_t gid, rgid;
5273         pid_t pid;
5274         const auditinfo_addr_t *ainfo;
5275         cred_t *cr;
5276 
5277         did = (uint32_t)uap->a1;
5278 
5279         switch (tad->tad_event) {
5280         case AUE_DOORFS_DOOR_CALL:
5281                 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5282                 if ((dp = au_door_lookup(did)) == NULL)
5283                         break;
5284 
5285                 if (DOOR_INVALID(dp)) {
5286                         releasef(did);
5287                         break;
5288                 }
5289 
5290                 if ((p = dp->door_target) == NULL) {
5291                         releasef(did);
5292                         break;
5293                 }
5294                 mutex_enter(&p->p_lock);
5295                 releasef(did);
5296 
5297                 pid  = p->p_pid;
5298 
5299                 mutex_enter(&p->p_crlock);
5300                 crhold(cr = p->p_cred);
5301                 mutex_exit(&p->p_crlock);
5302                 mutex_exit(&p->p_lock);
5303 
5304                 ainfo = crgetauinfo(cr);
5305                 if (ainfo == NULL) {
5306                         crfree(cr);
5307                         return;
5308                 }
5309                 uid  = crgetuid(cr);
5310                 gid  = crgetgid(cr);
5311                 ruid = crgetruid(cr);
5312                 rgid = crgetrgid(cr);
5313                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5314                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5315                 crfree(cr);
5316                 break;
5317         case AUE_DOORFS_DOOR_RETURN:
5318                 /*
5319                  * We may want to write information about
5320                  * all doors (if any) which will be copied
5321                  * by this call to the user space
5322                  */
5323                 break;
5324         case AUE_DOORFS_DOOR_CREATE:
5325                 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5326                 break;
5327         case AUE_DOORFS_DOOR_REVOKE:
5328                 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5329                 break;
5330         case AUE_DOORFS_DOOR_INFO:
5331                 break;
5332         case AUE_DOORFS_DOOR_CRED:
5333                 break;
5334         case AUE_DOORFS_DOOR_BIND:
5335                 break;
5336         case AUE_DOORFS_DOOR_UNBIND: {
5337                 break;
5338         }
5339         default:        /* illegal system call */
5340                 break;
5341         }
5342 }
5343 
5344 /*ARGSUSED*/
5345 static au_event_t
5346 aui_acl(au_event_t e)
5347 {
5348         struct a {
5349                 union {
5350                         long    name;   /* char */
5351                         long    fd;
5352                 }               obj;
5353 
5354                 long            cmd;
5355                 long            nentries;
5356                 long            arg;    /* aclent_t */
5357         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5358 
5359         switch (uap->cmd) {
5360         case SETACL:
5361         case ACE_SETACL:
5362                 /*
5363                  * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5364                  * are expected.
5365                  */
5366                 break;
5367         case GETACL:
5368         case GETACLCNT:
5369         case ACE_GETACL:
5370         case ACE_GETACLCNT:
5371                 /* do nothing for these four values. */
5372                 e = AUE_NULL;
5373                 break;
5374         default:
5375                 /* illegal system call */
5376                 break;
5377         }
5378 
5379         return (e);
5380 }
5381 
5382 static void
5383 au_acl(int cmd, int nentries, caddr_t bufp)
5384 {
5385         size_t          a_size;
5386         aclent_t        *aclbufp;
5387         ace_t           *acebufp;
5388         int             i;
5389 
5390         switch (cmd) {
5391         case GETACL:
5392         case GETACLCNT:
5393                 break;
5394         case SETACL:
5395                 if (nentries < 3)
5396                         break;
5397 
5398                 a_size = nentries * sizeof (aclent_t);
5399 
5400                 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5401                         break;
5402                 if (copyin(bufp, aclbufp, a_size)) {
5403                         kmem_free(aclbufp, a_size);
5404                         break;
5405                 }
5406                 for (i = 0; i < nentries; i++) {
5407                         au_uwrite(au_to_acl(aclbufp + i));
5408                 }
5409                 kmem_free(aclbufp, a_size);
5410                 break;
5411 
5412         case ACE_SETACL:
5413                 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5414                         break;
5415 
5416                 a_size = nentries * sizeof (ace_t);
5417                 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5418                         break;
5419                 if (copyin(bufp, acebufp, a_size)) {
5420                         kmem_free(acebufp, a_size);
5421                         break;
5422                 }
5423                 for (i = 0; i < nentries; i++) {
5424                         au_uwrite(au_to_ace(acebufp + i));
5425                 }
5426                 kmem_free(acebufp, a_size);
5427                 break;
5428         default:
5429                 break;
5430         }
5431 }
5432 
5433 /*ARGSUSED*/
5434 static void
5435 aus_acl(struct t_audit_data *tad)
5436 {
5437         struct a {
5438                 long    fname;
5439                 long    cmd;
5440                 long    nentries;
5441                 long    aclbufp;
5442         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5443 
5444         au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5445         au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5446 
5447         au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5448 }
5449 
5450 /*ARGSUSED*/
5451 static void
5452 aus_facl(struct t_audit_data *tad)
5453 {
5454         struct a {
5455                 long    fd;
5456                 long    cmd;
5457                 long    nentries;
5458                 long    aclbufp;
5459         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5460         struct file  *fp;
5461         struct vnode *vp;
5462         struct f_audit_data *fad;
5463         int fd;
5464 
5465         au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5466         au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5467 
5468         fd = (int)uap->fd;
5469 
5470         if ((fp = getf(fd)) == NULL)
5471                 return;
5472 
5473         /* get path from file struct here */
5474         fad = F2A(fp);
5475         if (fad->fad_aupath != NULL) {
5476                 au_uwrite(au_to_path(fad->fad_aupath));
5477         } else {
5478                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5479         }
5480 
5481         vp = fp->f_vnode;
5482         audit_attributes(vp);
5483 
5484         /* decrement file descriptor reference count */
5485         releasef(fd);
5486 
5487         au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5488 }
5489 
5490 /*ARGSUSED*/
5491 static void
5492 auf_read(struct t_audit_data *tad, int error, rval_t *rval)
5493 {
5494         struct file *fp;
5495         struct f_audit_data *fad;
5496         int fd;
5497         register struct a {
5498                 long    fd;
5499         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5500         au_kcontext_t   *kctx = GET_KCTX_PZ;
5501 
5502         fd = (int)uap->fd;
5503 
5504         /*
5505          * convert file pointer to file descriptor
5506          *   Note: fd ref count incremented here.
5507          */
5508         if ((fp = getf(fd)) == NULL)
5509                 return;
5510 
5511         /* get path from file struct here */
5512         fad = F2A(fp);
5513         ASSERT(fad);
5514 
5515         /*
5516          * already processed this file for read attempt
5517          *
5518          * XXX might be better to turn off auditing in a aui_read() routine.
5519          */
5520         if (fad->fad_flags & FAD_READ) {
5521                 /* don't really want to audit every read attempt */
5522                 tad->tad_flag = 0;
5523                 /* free any residual audit data */
5524                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5525                 releasef(fd);
5526                 return;
5527         }
5528         /* mark things so we know what happened and don't repeat things */
5529         fad->fad_flags |= FAD_READ;
5530 
5531         if (fad->fad_aupath != NULL) {
5532                 au_uwrite(au_to_path(fad->fad_aupath));
5533         } else {
5534                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5535         }
5536 
5537         /* include attributes */
5538         audit_attributes(fp->f_vnode);
5539 
5540         /* decrement file descriptor reference count */
5541         releasef(fd);
5542 }
5543 
5544 /*ARGSUSED*/
5545 static void
5546 auf_write(struct t_audit_data *tad, int error, rval_t *rval)
5547 {
5548         struct file *fp;
5549         struct f_audit_data *fad;
5550         int fd;
5551         register struct a {
5552                 long    fd;
5553         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5554         au_kcontext_t   *kctx = GET_KCTX_PZ;
5555 
5556         fd = (int)uap->fd;
5557 
5558         /*
5559          * convert file pointer to file descriptor
5560          *   Note: fd ref count incremented here.
5561          */
5562         if ((fp = getf(fd)) == NULL)
5563                 return;
5564 
5565         /* get path from file struct here */
5566         fad = F2A(fp);
5567         ASSERT(fad);
5568 
5569         /*
5570          * already processed this file for write attempt
5571          *
5572          * XXX might be better to turn off auditing in a aus_write() routine.
5573          */
5574         if (fad->fad_flags & FAD_WRITE) {
5575                 /* don't really want to audit every write attempt */
5576                 tad->tad_flag = 0;
5577                 /* free any residual audit data */
5578                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5579                 releasef(fd);
5580                 return;
5581         }
5582         /* mark things so we know what happened and don't repeat things */
5583         fad->fad_flags |= FAD_WRITE;
5584 
5585         if (fad->fad_aupath != NULL) {
5586                 au_uwrite(au_to_path(fad->fad_aupath));
5587         } else {
5588                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5589         }
5590 
5591         /* include attributes */
5592         audit_attributes(fp->f_vnode);
5593 
5594         /* decrement file descriptor reference count */
5595         releasef(fd);
5596 }
5597 
5598 /*ARGSUSED*/
5599 static void
5600 auf_recv(struct t_audit_data *tad, int error, rval_t *rval)
5601 {
5602         struct sonode *so;
5603         char so_laddr[sizeof (struct sockaddr_in6)];
5604         char so_faddr[sizeof (struct sockaddr_in6)];
5605         struct file *fp;
5606         struct f_audit_data *fad;
5607         int fd;
5608         int err;
5609         socklen_t len;
5610         short so_family, so_type;
5611         register struct a {
5612                 long    fd;
5613         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5614         au_kcontext_t   *kctx = GET_KCTX_PZ;
5615 
5616         /*
5617          * If there was an error, then nothing to do. Only generate
5618          * audit record on first successful recv.
5619          */
5620         if (error) {
5621                 /* Turn off audit record generation here. */
5622                 tad->tad_flag = 0;
5623                 /* free any residual audit data */
5624                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5625                 return;
5626         }
5627 
5628         fd = (int)uap->fd;
5629 
5630         if ((so = getsonode(fd, &err, &fp)) == NULL) {
5631                 /* Turn off audit record generation here. */
5632                 tad->tad_flag = 0;
5633                 /* free any residual audit data */
5634                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5635                 return;
5636         }
5637 
5638         /* get path from file struct here */
5639         fad = F2A(fp);
5640         ASSERT(fad);
5641 
5642         /*
5643          * already processed this file for read attempt
5644          */
5645         if (fad->fad_flags & FAD_READ) {
5646                 releasef(fd);
5647                 /* don't really want to audit every recv call */
5648                 tad->tad_flag = 0;
5649                 /* free any residual audit data */
5650                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5651                 return;
5652         }
5653 
5654         /* mark things so we know what happened and don't repeat things */
5655         fad->fad_flags |= FAD_READ;
5656 
5657         so_family = so->so_family;
5658         so_type   = so->so_type;
5659 
5660         switch (so_family) {
5661         case AF_INET:
5662         case AF_INET6:
5663                 /*
5664                  * Only for connections.
5665                  * XXX - do we need to worry about SOCK_DGRAM or other types???
5666                  */
5667                 if (so->so_state & SS_ISBOUND) {
5668 
5669                         bzero((void *)so_laddr, sizeof (so_laddr));
5670                         bzero((void *)so_faddr, sizeof (so_faddr));
5671 
5672                         /* get local and foreign addresses */
5673                         len = sizeof (so_laddr);
5674                         (void) socket_getsockname(so,
5675                             (struct sockaddr *)so_laddr, &len, CRED());
5676                         len = sizeof (so_faddr);
5677                         (void) socket_getpeername(so,
5678                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5679 
5680                         /*
5681                          * only way to drop out of switch. Note that we
5682                          * we release fd below.
5683                          */
5684 
5685                         break;
5686                 }
5687 
5688                 releasef(fd);
5689 
5690                 /* don't really want to audit every recv call */
5691                 tad->tad_flag = 0;
5692                 /* free any residual audit data */
5693                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5694 
5695                 return;
5696 
5697         case AF_UNIX:
5698 
5699                 if (fad->fad_aupath != NULL) {
5700                         au_uwrite(au_to_path(fad->fad_aupath));
5701                 } else {
5702                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
5703                 }
5704 
5705                 audit_attributes(fp->f_vnode);
5706 
5707                 releasef(fd);
5708 
5709                 return;
5710 
5711         default:
5712                 releasef(fd);
5713 
5714                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5715                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5716                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5717 
5718                 return;
5719         }
5720 
5721         releasef(fd);
5722 
5723         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5724 
5725         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5726 
5727 }
5728 
5729 /*ARGSUSED*/
5730 static void
5731 auf_send(struct t_audit_data *tad, int error, rval_t *rval)
5732 {
5733         struct sonode *so;
5734         char so_laddr[sizeof (struct sockaddr_in6)];
5735         char so_faddr[sizeof (struct sockaddr_in6)];
5736         struct file *fp;
5737         struct f_audit_data *fad;
5738         int fd;
5739         int err;
5740         socklen_t len;
5741         short so_family, so_type;
5742         register struct a {
5743                 long    fd;
5744         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5745         au_kcontext_t   *kctx = GET_KCTX_PZ;
5746 
5747         fd = (int)uap->fd;
5748 
5749         /*
5750          * If there was an error, then nothing to do. Only generate
5751          * audit record on first successful send.
5752          */
5753         if (error != 0) {
5754                 /* Turn off audit record generation here. */
5755                 tad->tad_flag = 0;
5756                 /* free any residual audit data */
5757                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5758                 return;
5759         }
5760 
5761         fd = (int)uap->fd;
5762 
5763         if ((so = getsonode(fd, &err, &fp)) == NULL) {
5764                 /* Turn off audit record generation here. */
5765                 tad->tad_flag = 0;
5766                 /* free any residual audit data */
5767                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5768                 return;
5769         }
5770 
5771         /* get path from file struct here */
5772         fad = F2A(fp);
5773         ASSERT(fad);
5774 
5775         /*
5776          * already processed this file for write attempt
5777          */
5778         if (fad->fad_flags & FAD_WRITE) {
5779                 releasef(fd);
5780                 /* don't really want to audit every send call */
5781                 tad->tad_flag = 0;
5782                 /* free any residual audit data */
5783                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5784                 return;
5785         }
5786 
5787         /* mark things so we know what happened and don't repeat things */
5788         fad->fad_flags |= FAD_WRITE;
5789 
5790         so_family = so->so_family;
5791         so_type   = so->so_type;
5792 
5793         switch (so_family) {
5794         case AF_INET:
5795         case AF_INET6:
5796                 /*
5797                  * Only for connections.
5798                  * XXX - do we need to worry about SOCK_DGRAM or other types???
5799                  */
5800                 if (so->so_state & SS_ISBOUND) {
5801 
5802                         bzero((void *)so_laddr, sizeof (so_laddr));
5803                         bzero((void *)so_faddr, sizeof (so_faddr));
5804 
5805                         /* get local and foreign addresses */
5806                         len = sizeof (so_laddr);
5807                         (void) socket_getsockname(so,
5808                             (struct sockaddr *)so_laddr, &len, CRED());
5809                         len = sizeof (so_faddr);
5810                         (void) socket_getpeername(so,
5811                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5812 
5813                         /*
5814                          * only way to drop out of switch. Note that we
5815                          * we release fd below.
5816                          */
5817 
5818                         break;
5819                 }
5820 
5821                 releasef(fd);
5822                 /* don't really want to audit every send call */
5823                 tad->tad_flag = 0;
5824                 /* free any residual audit data */
5825                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5826 
5827                 return;
5828 
5829         case AF_UNIX:
5830 
5831                 if (fad->fad_aupath != NULL) {
5832                         au_uwrite(au_to_path(fad->fad_aupath));
5833                 } else {
5834                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
5835                 }
5836 
5837                 audit_attributes(fp->f_vnode);
5838 
5839                 releasef(fd);
5840 
5841                 return;
5842 
5843         default:
5844                 releasef(fd);
5845 
5846                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5847                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5848                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5849 
5850                 return;
5851         }
5852 
5853         releasef(fd);
5854 
5855         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5856 
5857         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5858 }
5859 
5860 static au_event_t
5861 aui_forksys(au_event_t e)
5862 {
5863         struct a {
5864                 long    subcode;
5865                 long    flags;
5866         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5867 
5868         switch ((uint_t)uap->subcode) {
5869         case 0:
5870                 e = AUE_FORK1;
5871                 break;
5872         case 1:
5873                 e = AUE_FORKALL;
5874                 break;
5875         case 2:
5876                 e = AUE_VFORK;
5877                 break;
5878         default:
5879                 e = AUE_NULL;
5880                 break;
5881         }
5882 
5883         return (e);
5884 }
5885 
5886 /*ARGSUSED*/
5887 static au_event_t
5888 aui_portfs(au_event_t e)
5889 {
5890         struct a {              /* portfs */
5891                 long    a1;
5892                 long    a2;
5893                 long    a3;
5894         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5895 
5896         /*
5897          * check opcode
5898          */
5899         switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5900         case PORT_ASSOCIATE:
5901                 /* check source */
5902                 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5903                     ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5904                         e = AUE_PORTFS_ASSOCIATE;
5905                 } else {
5906                         e = AUE_NULL;
5907                 }
5908                 break;
5909         case PORT_DISSOCIATE:
5910                 /* check source */
5911                 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5912                     ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5913                         e = AUE_PORTFS_DISSOCIATE;
5914                 } else {
5915                         e = AUE_NULL;
5916                 }
5917                 break;
5918         default:
5919                 e = AUE_NULL;
5920         }
5921         return (e);
5922 }