1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
25 * Copyright (c) 2018, Joyent, Inc.
26 */
27
28 /*
29 * This file contains the audit event table used to control the production
30 * of audit records for each system call.
31 */
32
33 #include <sys/policy.h>
34 #include <sys/cred.h>
35 #include <sys/types.h>
36 #include <sys/systm.h>
37 #include <sys/systeminfo.h> /* for sysinfo auditing */
38 #include <sys/utsname.h> /* for sysinfo auditing */
39 #include <sys/proc.h>
40 #include <sys/vnode.h>
41 #include <sys/mman.h> /* for mmap(2) auditing etc. */
42 #include <sys/fcntl.h>
43 #include <sys/modctl.h> /* for modctl auditing */
44 #include <sys/vnode.h>
45 #include <sys/user.h>
46 #include <sys/types.h>
47 #include <sys/processor.h>
48 #include <sys/procset.h>
49 #include <sys/acl.h>
50 #include <sys/ipc.h>
51 #include <sys/door.h>
52 #include <sys/sem.h>
53 #include <sys/msg.h>
54 #include <sys/shm.h>
55 #include <sys/kmem.h>
56 #include <sys/file.h> /* for accept */
57 #include <sys/utssys.h> /* for fuser */
58 #include <sys/tsol/label.h>
59 #include <sys/tsol/tndb.h>
60 #include <sys/tsol/tsyscall.h>
61 #include <c2/audit.h>
62 #include <c2/audit_kernel.h>
63 #include <c2/audit_kevents.h>
64 #include <c2/audit_record.h>
65 #include <sys/procset.h>
66 #include <nfs/mount.h>
67 #include <sys/param.h>
68 #include <sys/debug.h>
69 #include <sys/sysmacros.h>
70 #include <sys/stream.h>
71 #include <sys/strsubr.h>
72 #include <sys/stropts.h>
73 #include <sys/tihdr.h>
74 #include <sys/socket.h>
75 #include <sys/socketvar.h>
76 #include <sys/vfs_opreg.h>
77 #include <fs/sockfs/sockcommon.h>
78 #include <netinet/in.h>
79 #include <sys/ddi.h>
80 #include <sys/port_impl.h>
81 #include <sys/secflags.h>
82
83 static au_event_t aui_fchownat(au_event_t);
84 static au_event_t aui_fchmodat(au_event_t);
85 static au_event_t aui_open(au_event_t);
86 static au_event_t aui_openat(au_event_t);
87 static au_event_t aui_unlinkat(au_event_t);
88 static au_event_t aui_fstatat(au_event_t);
89 static au_event_t aui_msgsys(au_event_t);
90 static au_event_t aui_shmsys(au_event_t);
91 static au_event_t aui_semsys(au_event_t);
92 static au_event_t aui_utssys(au_event_t);
93 static au_event_t aui_fcntl(au_event_t);
94 static au_event_t aui_execve(au_event_t);
95 static au_event_t aui_memcntl(au_event_t);
96 static au_event_t aui_sysinfo(au_event_t);
97 static au_event_t aui_portfs(au_event_t);
98 static au_event_t aui_auditsys(au_event_t);
99 static au_event_t aui_modctl(au_event_t);
100 static au_event_t aui_acl(au_event_t);
101 static au_event_t aui_doorfs(au_event_t);
102 static au_event_t aui_privsys(au_event_t);
103 static au_event_t aui_forksys(au_event_t);
104 static au_event_t aui_labelsys(au_event_t);
105 static au_event_t aui_setpgrp(au_event_t);
106
107
108 static void aus_exit(struct t_audit_data *);
109 static void aus_open(struct t_audit_data *);
110 static void aus_openat(struct t_audit_data *);
111 static void aus_acl(struct t_audit_data *);
112 static void aus_acct(struct t_audit_data *);
113 static void aus_chown(struct t_audit_data *);
114 static void aus_fchown(struct t_audit_data *);
115 static void aus_lchown(struct t_audit_data *);
116 static void aus_fchownat(struct t_audit_data *);
117 static void aus_chmod(struct t_audit_data *);
118 static void aus_facl(struct t_audit_data *);
119 static void aus_fchmod(struct t_audit_data *);
120 static void aus_fchmodat(struct t_audit_data *);
121 static void aus_fcntl(struct t_audit_data *);
122 static void aus_mkdir(struct t_audit_data *);
123 static void aus_mkdirat(struct t_audit_data *);
124 static void aus_mknod(struct t_audit_data *);
125 static void aus_mknodat(struct t_audit_data *);
126 static void aus_mount(struct t_audit_data *);
127 static void aus_umount2(struct t_audit_data *);
128 static void aus_msgsys(struct t_audit_data *);
129 static void aus_semsys(struct t_audit_data *);
130 static void aus_close(struct t_audit_data *);
131 static void aus_fstatfs(struct t_audit_data *);
132 static void aus_setgid(struct t_audit_data *);
133 static void aus_setpgrp(struct t_audit_data *);
134 static void aus_setuid(struct t_audit_data *);
135 static void aus_shmsys(struct t_audit_data *);
136 static void aus_doorfs(struct t_audit_data *);
137 static void aus_ioctl(struct t_audit_data *);
138 static void aus_memcntl(struct t_audit_data *);
139 static void aus_mmap(struct t_audit_data *);
140 static void aus_munmap(struct t_audit_data *);
141 static void aus_priocntlsys(struct t_audit_data *);
142 static void aus_setegid(struct t_audit_data *);
143 static void aus_setgroups(struct t_audit_data *);
144 static void aus_seteuid(struct t_audit_data *);
145 static void aus_putmsg(struct t_audit_data *);
146 static void aus_putpmsg(struct t_audit_data *);
147 static void aus_getmsg(struct t_audit_data *);
148 static void aus_getpmsg(struct t_audit_data *);
149 static void aus_auditsys(struct t_audit_data *);
150 static void aus_sysinfo(struct t_audit_data *);
151 static void aus_modctl(struct t_audit_data *);
152 static void aus_kill(struct t_audit_data *);
153 static void aus_setregid(struct t_audit_data *);
154 static void aus_setreuid(struct t_audit_data *);
155 static void aus_labelsys(struct t_audit_data *);
156
157 static void auf_mknod(struct t_audit_data *, int, rval_t *);
158 static void auf_mknodat(struct t_audit_data *, int, rval_t *);
159 static void auf_msgsys(struct t_audit_data *, int, rval_t *);
160 static void auf_semsys(struct t_audit_data *, int, rval_t *);
161 static void auf_shmsys(struct t_audit_data *, int, rval_t *);
162 static void auf_read(struct t_audit_data *, int, rval_t *);
163 static void auf_write(struct t_audit_data *, int, rval_t *);
164
165 static void aus_sigqueue(struct t_audit_data *);
166 static void aus_p_online(struct t_audit_data *);
167 static void aus_processor_bind(struct t_audit_data *);
168 static void aus_inst_sync(struct t_audit_data *);
169 static void aus_brandsys(struct t_audit_data *);
170
171 static void auf_accept(struct t_audit_data *, int, rval_t *);
172
173 static void auf_bind(struct t_audit_data *, int, rval_t *);
174 static void auf_connect(struct t_audit_data *, int, rval_t *);
175 static void aus_shutdown(struct t_audit_data *);
176 static void auf_setsockopt(struct t_audit_data *, int, rval_t *);
177 static void aus_sockconfig(struct t_audit_data *);
178 static void auf_recv(struct t_audit_data *, int, rval_t *);
179 static void auf_recvmsg(struct t_audit_data *, int, rval_t *);
180 static void auf_send(struct t_audit_data *, int, rval_t *);
181 static void auf_sendmsg(struct t_audit_data *, int, rval_t *);
182 static void auf_recvfrom(struct t_audit_data *, int, rval_t *);
183 static void auf_sendto(struct t_audit_data *, int, rval_t *);
184 static void aus_socket(struct t_audit_data *);
185 /*
186 * This table contains mapping information for converting system call numbers
187 * to audit event IDs. In several cases it is necessary to map a single system
188 * call to several events.
189 */
190
191 #define aui_null NULL /* NULL initialize function */
192 #define aus_null NULL /* NULL start function */
193 #define auf_null NULL /* NULL finish function */
194
195 struct audit_s2e audit_s2e[] =
196 {
197 /*
198 * ---------- ---------- ---------- ----------
199 * INITIAL AUDIT START SYSTEM
200 * PROCESSING EVENT PROCESSING CALL
201 * ---------- ---------- ---------- -----------
202 * FINISH EVENT
203 * PROCESSING CONTROL
204 * ----------------------------------------------------------
205 */
206 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */
207 auf_null, 0,
208 aui_null, AUE_EXIT, aus_exit, /* 1 exit */
209 auf_null, S2E_NPT,
210 aui_null, AUE_PSECFLAGS, aus_null, /* 2 psecflags */
211 auf_null, 0,
212 aui_null, AUE_READ, aus_null, /* 3 read */
213 auf_read, S2E_PUB,
214 aui_null, AUE_WRITE, aus_null, /* 4 write */
215 auf_write, 0,
216 aui_open, AUE_OPEN, aus_open, /* 5 open */
217 auf_null, S2E_SP,
218 aui_null, AUE_CLOSE, aus_close, /* 6 close */
219 auf_null, 0,
220 aui_null, AUE_LINK, aus_null, /* 7 linkat */
221 auf_null, 0,
222 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */
223 auf_null, 0,
224 aui_null, AUE_LINK, aus_null, /* 9 link */
225 auf_null, 0,
226 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */
227 auf_null, 0,
228 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */
229 auf_null, 0,
230 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */
231 auf_null, S2E_SP,
232 aui_null, AUE_NULL, aus_null, /* 13 time */
233 auf_null, 0,
234 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */
235 auf_mknod, S2E_MLD,
236 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */
237 auf_null, 0,
238 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */
239 auf_null, 0,
240 aui_null, AUE_NULL, aus_null, /* 17 brk */
241 auf_null, 0,
242 aui_null, AUE_STAT, aus_null, /* 18 stat */
243 auf_null, S2E_PUB,
244 aui_null, AUE_NULL, aus_null, /* 19 lseek */
245 auf_null, 0,
246 aui_null, AUE_NULL, aus_null, /* 20 getpid */
247 auf_null, 0,
248 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */
249 auf_null, S2E_MLD,
250 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */
251 auf_null, S2E_PUB,
252 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */
253 auf_null, 0,
254 aui_null, AUE_NULL, aus_null, /* 24 getuid */
255 auf_null, 0,
256 aui_null, AUE_STIME, aus_null, /* 25 stime */
257 auf_null, 0,
258 aui_null, AUE_NULL, aus_null, /* 26 pcsample */
259 auf_null, 0,
260 aui_null, AUE_NULL, aus_null, /* 27 alarm */
261 auf_null, 0,
262 aui_null, AUE_NULL, aus_null, /* 28 fstat */
263 auf_null, 0,
264 aui_null, AUE_NULL, aus_null, /* 29 pause */
265 auf_null, 0,
266 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */
267 auf_null, 0,
268 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */
269 auf_null, 0,
270 aui_null, AUE_NULL, aus_null, /* 32 gtty */
271 auf_null, 0,
272 aui_null, AUE_ACCESS, aus_null, /* 33 access */
273 auf_null, S2E_PUB,
274 aui_null, AUE_NICE, aus_null, /* 34 nice */
275 auf_null, 0,
276 aui_null, AUE_STATFS, aus_null, /* 35 statfs */
277 auf_null, S2E_PUB,
278 aui_null, AUE_NULL, aus_null, /* 36 sync */
279 auf_null, 0,
280 aui_null, AUE_KILL, aus_kill, /* 37 kill */
281 auf_null, 0,
282 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */
283 auf_null, S2E_PUB,
284 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */
285 auf_null, 0,
286 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */
287 auf_null, 0,
288 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */
289 auf_null, 0,
290 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */
291 auf_null, 0,
292 aui_null, AUE_NULL, aus_null, /* 43 times */
293 auf_null, 0,
294 aui_null, AUE_NULL, aus_null, /* 44 profil */
295 auf_null, 0,
296 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */
297 auf_null, S2E_PUB,
298 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */
299 auf_null, 0,
300 aui_null, AUE_NULL, aus_null, /* 47 getgid */
301 auf_null, 0,
302 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */
303 auf_mknodat, S2E_MLD,
304 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */
305 auf_msgsys, 0,
306 #if defined(__x86)
307 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */
308 auf_null, 0,
309 #else
310 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */
311 auf_null, 0,
312 #endif /* __x86 */
313 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */
314 auf_null, 0,
315 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */
316 auf_shmsys, 0,
317 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */
318 auf_semsys, 0,
319 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */
320 auf_null, 0,
321 aui_null, AUE_NULL, aus_null, /* 55 uadmin */
322 auf_null, 0,
323 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */
324 auf_null, 0,
325 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */
326 auf_null, 0,
327 aui_null, AUE_NULL, aus_null, /* 58 fsync */
328 auf_null, 0,
329 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */
330 auf_null, S2E_MLD,
331 aui_null, AUE_NULL, aus_null, /* 60 umask */
332 auf_null, 0,
333 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */
334 auf_null, S2E_SP,
335 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */
336 auf_null, 0,
337 aui_null, AUE_NULL, aus_null, /* 63 ulimit */
338 auf_null, 0,
339 aui_null, AUE_RENAME, aus_null, /* 64 renameat */
340 auf_null, 0,
341 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */
342 auf_null, 0,
343 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */
344 auf_null, S2E_PUB,
345 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */
346 auf_null, S2E_PUB,
347 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */
348 auf_null, S2E_SP,
349 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */
350 auf_null, S2E_SP,
351 aui_null, AUE_NULL, aus_null, /* 70 tasksys */
352 auf_null, 0,
353 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */
354 auf_null, 0,
355 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */
356 auf_null, 0,
357 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */
358 auf_null, 0,
359 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */
360 auf_null, 0,
361 aui_null, AUE_NULL, aus_null, /* 75 sidsys */
362 auf_null, 0,
363 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */
364 auf_null, 0,
365 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */
366 auf_null, 0,
367 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */
368 auf_null, 0,
369 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */
370 auf_null, 0,
371 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */
372 auf_null, 0,
373 aui_null, AUE_NULL, aus_null, /* 81 getdents */
374 auf_null, 0,
375 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */
376 auf_null, 0,
377 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */
378 auf_null, 0,
379 aui_null, AUE_NULL, aus_null, /* 84 sysfs */
380 auf_null, 0,
381 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */
382 auf_null, 0,
383 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */
384 auf_null, 0,
385 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */
386 auf_null, 0,
387 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */
388 auf_null, S2E_PUB,
389 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */
390 auf_null, 0,
391 aui_null, AUE_READLINK, aus_null, /* 90 readlink */
392 auf_null, S2E_PUB,
393 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */
394 auf_null, 0,
395 aui_null, AUE_NULL, aus_null, /* 92 getgroups */
396 auf_null, 0,
397 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */
398 auf_null, 0,
399 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */
400 auf_null, 0,
401 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */
402 auf_null, 0,
403 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */
404 auf_null, 0,
405 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */
406 auf_null, 0,
407 aui_null, AUE_NULL, aus_null, /* 98 sigaction */
408 auf_null, 0,
409 aui_null, AUE_NULL, aus_null, /* 99 sigpending */
410 auf_null, 0,
411 aui_null, AUE_NULL, aus_null, /* 100 setcontext */
412 auf_null, 0,
413 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */
414 auf_null, 0,
415 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */
416 auf_null, 0,
417 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */
418 auf_null, S2E_PUB,
419 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */
420 auf_null, 0,
421 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */
422 auf_null, 0,
423 aui_null, AUE_NULL, aus_null, /* 106 nfssys */
424 auf_null, 0,
425 aui_null, AUE_NULL, aus_null, /* 107 waitsys */
426 auf_null, 0,
427 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */
428 auf_null, 0,
429 #if defined(__x86)
430 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */
431 auf_null, 0,
432 #else
433 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */
434 auf_null, 0,
435 #endif /* __x86 */
436 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */
437 auf_null, 0,
438 aui_null, AUE_NULL, aus_null, /* 111 sigresend */
439 auf_null, 0,
440 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
441 auf_null, 0,
442 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */
443 auf_null, S2E_PUB,
444 aui_null, AUE_NULL, aus_null, /* 114 mincore */
445 auf_null, 0,
446 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */
447 auf_null, 0,
448 aui_null, AUE_NULL, aus_null, /* 116 mprotect */
449 auf_null, 0,
450 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */
451 auf_null, 0,
452 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */
453 auf_null, 0,
454 aui_null, AUE_VFORK, aus_null, /* 119 vfork */
455 auf_null, 0,
456 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */
457 auf_null, 0,
458 aui_null, AUE_READ, aus_null, /* 121 readv */
459 auf_read, S2E_PUB,
460 aui_null, AUE_WRITE, aus_null, /* 122 writev */
461 auf_write, 0,
462 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */
463 auf_null, 0,
464 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */
465 auf_null, 0,
466 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */
467 auf_null, 0,
468 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */
469 auf_null, 0,
470 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */
471 auf_null, 0,
472 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */
473 auf_null, 0,
474 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */
475 auf_null, 0,
476 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */
477 auf_null, 0,
478 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */
479 auf_null, 0,
480 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */
481 auf_null, 0,
482 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */
483 auf_null, 0,
484 aui_null, AUE_RENAME, aus_null, /* 134 rename */
485 auf_null, 0,
486 aui_null, AUE_NULL, aus_null, /* 135 uname */
487 auf_null, 0,
488 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */
489 auf_null, 0,
490 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */
491 auf_null, 0,
492 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */
493 auf_null, 0,
494 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */
495 auf_null, 0,
496 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */
497 auf_null, 0,
498 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */
499 auf_null, 0,
500 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */
501 auf_null, 0,
502 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */
503 auf_null, 0,
504 aui_null, AUE_NULL, aus_null, /* 144 sigwait */
505 auf_null, 0,
506 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */
507 auf_null, 0,
508 aui_null, AUE_NULL, aus_null, /* 146 yield */
509 auf_null, 0,
510 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */
511 /* was lwp_sema_wait */
512 auf_null, 0,
513 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */
514 auf_null, 0,
515 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */
516 auf_null, 0,
517 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */
518 auf_null, 0,
519 aui_null, AUE_NULL, aus_null, /* 151 corectl */
520 auf_null, 0,
521 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */
522 auf_null, 0,
523 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */
524 auf_null, 0,
525 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */
526 auf_null, 0,
527 aui_null, AUE_NULL, aus_null, /* 155 vhangup */
528 auf_null, 0,
529 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */
530 auf_null, 0,
531 aui_null, AUE_NULL, aus_null, /* 157 getitimer */
532 auf_null, 0,
533 aui_null, AUE_NULL, aus_null, /* 158 setitimer */
534 auf_null, 0,
535 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */
536 auf_null, 0,
537 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */
538 auf_null, 0,
539 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */
540 auf_null, 0,
541 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */
542 auf_null, 0,
543 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */
544 auf_null, 0,
545 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */
546 auf_null, 0,
547 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */
548 auf_null, 0,
549 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */
550 auf_null, 0,
551 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */
552 auf_null, 0,
553 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */
554 auf_null, 0,
555 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */
556 /* was lwp_mutex_lock */
557 auf_null, 0,
558 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */
559 auf_null, 0,
560 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */
561 auf_null, 0,
562 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */
563 auf_null, 0,
564 aui_null, AUE_READ, aus_null, /* 173 pread */
565 auf_read, S2E_PUB,
566 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */
567 auf_write, 0,
568 aui_null, AUE_NULL, aus_null, /* 175 llseek */
569 auf_null, 0,
570 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */
571 auf_null, 0,
572 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */
573 auf_null, 0,
574 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */
575 auf_null, 0,
576 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */
577 auf_null, 0,
578 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */
579 auf_null, 0,
580 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */
581 auf_null, 0,
582 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */
583 auf_null, S2E_MLD,
584 aui_null, AUE_NULL, aus_null, /* 183 pollsys */
585 auf_null, 0,
586 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */
587 auf_null, 0,
588 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */
589 auf_null, 0,
590 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */
591 auf_null, 0,
592 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
593 auf_null, 0,
594 aui_null, AUE_NULL, aus_null, /* 188 processor_info */
595 auf_null, 0,
596 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */
597 auf_null, 0,
598 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */
599 auf_null, 0,
600 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */
601 auf_null, 0,
602 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */
603 auf_null, 0,
604 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */
605 auf_null, 0,
606 aui_null, AUE_NULL, aus_null, /* 194 timer_create */
607 auf_null, 0,
608 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */
609 auf_null, 0,
610 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */
611 auf_null, 0,
612 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */
613 auf_null, 0,
614 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */
615 auf_null, 0,
616 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */
617 auf_null, 0,
618 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */
619 auf_null, 0,
620 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */
621 auf_null, 0,
622 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */
623 auf_null, 0,
624 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */
625 auf_null, 0,
626 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */
627 auf_null, 0,
628 aui_null, AUE_NULL, aus_null, /* 205 signotify */
629 auf_null, 0,
630 aui_null, AUE_NULL, aus_null, /* 206 schedctl */
631 auf_null, 0,
632 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */
633 auf_null, 0,
634 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */
635 auf_null, 0,
636 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */
637 auf_null, 0,
638 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */
639 auf_null, 0,
640 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */
641 auf_null, 0,
642 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */
643 auf_null, 0,
644 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */
645 auf_null, 0,
646 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */
647 auf_null, 0,
648 aui_null, AUE_STAT, aus_null, /* 215 stat64 */
649 auf_null, S2E_PUB,
650 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */
651 auf_null, S2E_PUB,
652 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */
653 auf_null, 0,
654 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */
655 auf_null, S2E_PUB,
656 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */
657 auf_null, 0,
658 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */
659 auf_null, 0,
660 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */
661 auf_null, 0,
662 aui_null, AUE_READ, aus_null, /* 222 pread64 */
663 auf_read, S2E_PUB,
664 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */
665 auf_write, 0,
666 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */
667 auf_null, 0,
668 aui_open, AUE_OPEN, aus_open, /* 225 open64 */
669 auf_null, S2E_SP,
670 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */
671 auf_null, 0,
672 aui_null, AUE_NULL, aus_null, /* 227 zone */
673 auf_null, 0,
674 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */
675 auf_null, 0,
676 aui_null, AUE_NULL, aus_null, /* 229 getcwd */
677 auf_null, 0,
678 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */
679 auf_null, 0,
680 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */
681 auf_null, 0,
682 aui_null, AUE_BIND, aus_null, /* 232 bind */
683 auf_bind, 0,
684 aui_null, AUE_NULL, aus_null, /* 233 listen */
685 auf_null, 0,
686 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */
687 auf_accept, 0,
688 aui_null, AUE_CONNECT, aus_null, /* 235 connect */
689 auf_connect, 0,
690 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */
691 auf_null, 0,
692 aui_null, AUE_READ, aus_null, /* 237 recv */
693 auf_recv, 0,
694 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */
695 auf_recvfrom, 0,
696 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */
697 auf_recvmsg, 0,
698 aui_null, AUE_WRITE, aus_null, /* 240 send */
699 auf_send, 0,
700 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */
701 auf_sendmsg, 0,
702 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */
703 auf_sendto, 0,
704 aui_null, AUE_NULL, aus_null, /* 243 getpeername */
705 auf_null, 0,
706 aui_null, AUE_NULL, aus_null, /* 244 getsockname */
707 auf_null, 0,
708 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */
709 auf_null, 0,
710 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */
711 auf_setsockopt, 0,
712 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
713 auf_null, 0,
714 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */
715 auf_null, 0,
716 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */
717 auf_null, 0,
718 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */
719 auf_null, 0,
720 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */
721 auf_null, 0,
722 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */
723 auf_null, 0,
724 aui_null, AUE_NULL, aus_null, /* 253 cladm */
725 auf_null, 0,
726 aui_null, AUE_NULL, aus_null, /* 254 uucopy */
727 auf_null, 0,
728 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */
729 auf_null, 0
730 };
731
732 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
733
734
735 /* exit start function */
736 /*ARGSUSED*/
737 static void
738 aus_exit(struct t_audit_data *tad)
739 {
740 uint32_t rval;
741 struct a {
742 long rval;
743 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
744
745 rval = (uint32_t)uap->rval;
746 au_uwrite(au_to_arg32(1, "exit status", rval));
747 }
748
749
750 /* acct start function */
751 /*ARGSUSED*/
752 static void
753 aus_acct(struct t_audit_data *tad)
754 {
755 klwp_t *clwp = ttolwp(curthread);
756 uintptr_t fname;
757
758 struct a {
759 long fname; /* char * */
760 } *uap = (struct a *)clwp->lwp_ap;
761
762 fname = (uintptr_t)uap->fname;
763
764 if (fname == 0)
765 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
766 }
767
768 /* chown start function */
769 /*ARGSUSED*/
770 static void
771 aus_chown(struct t_audit_data *tad)
772 {
773 klwp_t *clwp = ttolwp(curthread);
774 uint32_t uid, gid;
775
776 struct a {
777 long fname; /* char * */
778 long uid;
779 long gid;
780 } *uap = (struct a *)clwp->lwp_ap;
781
782 uid = (uint32_t)uap->uid;
783 gid = (uint32_t)uap->gid;
784
785 au_uwrite(au_to_arg32(2, "new file uid", uid));
786 au_uwrite(au_to_arg32(3, "new file gid", gid));
787 }
788
789 /* fchown start function */
790 /*ARGSUSED*/
791 static void
792 aus_fchown(struct t_audit_data *tad)
793 {
794 klwp_t *clwp = ttolwp(curthread);
795 uint32_t uid, gid, fd;
796 struct file *fp;
797 struct vnode *vp;
798 struct f_audit_data *fad;
799
800 struct a {
801 long fd;
802 long uid;
803 long gid;
804 } *uap = (struct a *)clwp->lwp_ap;
805
806 fd = (uint32_t)uap->fd;
807 uid = (uint32_t)uap->uid;
808 gid = (uint32_t)uap->gid;
809
810 au_uwrite(au_to_arg32(2, "new file uid", uid));
811 au_uwrite(au_to_arg32(3, "new file gid", gid));
812
813 /*
814 * convert file pointer to file descriptor
815 * Note: fd ref count incremented here.
816 */
817 if ((fp = getf(fd)) == NULL)
818 return;
819
820 /* get path from file struct here */
821 fad = F2A(fp);
822 if (fad->fad_aupath != NULL) {
823 au_uwrite(au_to_path(fad->fad_aupath));
824 } else {
825 au_uwrite(au_to_arg32(1, "no path: fd", fd));
826 }
827
828 vp = fp->f_vnode;
829 audit_attributes(vp);
830
831 /* decrement file descriptor reference count */
832 releasef(fd);
833 }
834
835 /*ARGSUSED*/
836 static void
837 aus_lchown(struct t_audit_data *tad)
838 {
839 klwp_t *clwp = ttolwp(curthread);
840 uint32_t uid, gid;
841
842
843 struct a {
844 long fname; /* char * */
845 long uid;
846 long gid;
847 } *uap = (struct a *)clwp->lwp_ap;
848
849 uid = (uint32_t)uap->uid;
850 gid = (uint32_t)uap->gid;
851
852 au_uwrite(au_to_arg32(2, "new file uid", uid));
853 au_uwrite(au_to_arg32(3, "new file gid", gid));
854 }
855
856 static au_event_t
857 aui_fchownat(au_event_t e)
858 {
859 klwp_t *clwp = ttolwp(curthread);
860
861 struct a {
862 long fd;
863 long fname; /* char * */
864 long uid;
865 long gid;
866 long flags;
867 } *uap = (struct a *)clwp->lwp_ap;
868
869 if (uap->fname == 0)
870 e = AUE_FCHOWN;
871 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
872 e = AUE_LCHOWN;
873 else
874 e = AUE_CHOWN;
875
876 return (e);
877 }
878
879 /*ARGSUSED*/
880 static void
881 aus_fchownat(struct t_audit_data *tad)
882 {
883 klwp_t *clwp = ttolwp(curthread);
884 uint32_t uid, gid;
885
886 struct a {
887 long fd;
888 long fname; /* char * */
889 long uid;
890 long gid;
891 long flags;
892 } *uap = (struct a *)clwp->lwp_ap;
893
894 uid = (uint32_t)uap->uid;
895 gid = (uint32_t)uap->gid;
896
897 au_uwrite(au_to_arg32(3, "new file uid", uid));
898 au_uwrite(au_to_arg32(4, "new file gid", gid));
899 }
900
901 /*ARGSUSED*/
902 static void
903 aus_chmod(struct t_audit_data *tad)
904 {
905 klwp_t *clwp = ttolwp(curthread);
906 uint32_t fmode;
907
908 struct a {
909 long fname; /* char * */
910 long fmode;
911 } *uap = (struct a *)clwp->lwp_ap;
912
913 fmode = (uint32_t)uap->fmode;
914
915 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
916 }
917
918 /*ARGSUSED*/
919 static void
920 aus_fchmod(struct t_audit_data *tad)
921 {
922 klwp_t *clwp = ttolwp(curthread);
923 uint32_t fmode, fd;
924 struct file *fp;
925 struct vnode *vp;
926 struct f_audit_data *fad;
927
928 struct a {
929 long fd;
930 long fmode;
931 } *uap = (struct a *)clwp->lwp_ap;
932
933 fd = (uint32_t)uap->fd;
934 fmode = (uint32_t)uap->fmode;
935
936 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
937
938 /*
939 * convert file pointer to file descriptor
940 * Note: fd ref count incremented here.
941 */
942 if ((fp = getf(fd)) == NULL)
943 return;
944
945 /* get path from file struct here */
946 fad = F2A(fp);
947 if (fad->fad_aupath != NULL) {
948 au_uwrite(au_to_path(fad->fad_aupath));
949 } else {
950 au_uwrite(au_to_arg32(1, "no path: fd", fd));
951 }
952
953 vp = fp->f_vnode;
954 audit_attributes(vp);
955
956 /* decrement file descriptor reference count */
957 releasef(fd);
958 }
959
960 static au_event_t
961 aui_fchmodat(au_event_t e)
962 {
963 klwp_t *clwp = ttolwp(curthread);
964
965 struct a {
966 long fd;
967 long fname; /* char * */
968 long fmode;
969 long flag;
970 } *uap = (struct a *)clwp->lwp_ap;
971
972 if (uap->fname == 0)
973 e = AUE_FCHMOD;
974 else
975 e = AUE_CHMOD;
976
977 return (e);
978 }
979
980 /*ARGSUSED*/
981 static void
982 aus_fchmodat(struct t_audit_data *tad)
983 {
984 klwp_t *clwp = ttolwp(curthread);
985 uint32_t fmode;
986 uint32_t fd;
987 struct file *fp;
988 struct vnode *vp;
989 struct f_audit_data *fad;
990
991 struct a {
992 long fd;
993 long fname; /* char * */
994 long fmode;
995 long flag;
996 } *uap = (struct a *)clwp->lwp_ap;
997
998 fd = (uint32_t)uap->fd;
999 fmode = (uint32_t)uap->fmode;
1000
1001 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1002
1003 if (fd == AT_FDCWD || uap->fname != 0) /* same as chmod() */
1004 return;
1005
1006 /*
1007 * convert file pointer to file descriptor
1008 * Note: fd ref count incremented here.
1009 */
1010 if ((fp = getf(fd)) == NULL)
1011 return;
1012
1013 /* get path from file struct here */
1014 fad = F2A(fp);
1015 if (fad->fad_aupath != NULL) {
1016 au_uwrite(au_to_path(fad->fad_aupath));
1017 } else {
1018 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1019 }
1020
1021 vp = fp->f_vnode;
1022 audit_attributes(vp);
1023
1024 /* decrement file descriptor reference count */
1025 releasef(fd);
1026 }
1027
1028 /*
1029 * convert open mode to appropriate open event
1030 */
1031 au_event_t
1032 open_event(uint_t fm)
1033 {
1034 au_event_t e;
1035
1036 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1037 case O_RDONLY:
1038 e = AUE_OPEN_R;
1039 break;
1040 case O_RDONLY | O_CREAT:
1041 e = AUE_OPEN_RC;
1042 break;
1043 case O_RDONLY | O_TRUNC:
1044 e = AUE_OPEN_RT;
1045 break;
1046 case O_RDONLY | O_TRUNC | O_CREAT:
1047 e = AUE_OPEN_RTC;
1048 break;
1049 case O_WRONLY:
1050 e = AUE_OPEN_W;
1051 break;
1052 case O_WRONLY | O_CREAT:
1053 e = AUE_OPEN_WC;
1054 break;
1055 case O_WRONLY | O_TRUNC:
1056 e = AUE_OPEN_WT;
1057 break;
1058 case O_WRONLY | O_TRUNC | O_CREAT:
1059 e = AUE_OPEN_WTC;
1060 break;
1061 case O_RDWR:
1062 e = AUE_OPEN_RW;
1063 break;
1064 case O_RDWR | O_CREAT:
1065 e = AUE_OPEN_RWC;
1066 break;
1067 case O_RDWR | O_TRUNC:
1068 e = AUE_OPEN_RWT;
1069 break;
1070 case O_RDWR | O_TRUNC | O_CREAT:
1071 e = AUE_OPEN_RWTC;
1072 break;
1073 case O_SEARCH:
1074 e = AUE_OPEN_S;
1075 break;
1076 case O_EXEC:
1077 e = AUE_OPEN_E;
1078 break;
1079 default:
1080 e = AUE_NULL;
1081 break;
1082 }
1083
1084 return (e);
1085 }
1086
1087 /* ARGSUSED */
1088 static au_event_t
1089 aui_open(au_event_t e)
1090 {
1091 klwp_t *clwp = ttolwp(curthread);
1092 uint_t fm;
1093
1094 struct a {
1095 long fnamep; /* char * */
1096 long fmode;
1097 long cmode;
1098 } *uap = (struct a *)clwp->lwp_ap;
1099
1100 fm = (uint_t)uap->fmode;
1101
1102 return (open_event(fm));
1103 }
1104
1105 static void
1106 aus_open(struct t_audit_data *tad)
1107 {
1108 klwp_t *clwp = ttolwp(curthread);
1109 uint_t fm;
1110
1111 struct a {
1112 long fnamep; /* char * */
1113 long fmode;
1114 long cmode;
1115 } *uap = (struct a *)clwp->lwp_ap;
1116
1117 fm = (uint_t)uap->fmode;
1118
1119 /* If no write, create, or trunc modes, mark as a public op */
1120 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1121 tad->tad_ctrl |= TAD_PUBLIC_EV;
1122 }
1123
1124 /* ARGSUSED */
1125 static au_event_t
1126 aui_openat(au_event_t e)
1127 {
1128 t_audit_data_t *tad = T2A(curthread);
1129 klwp_t *clwp = ttolwp(curthread);
1130 uint_t fm;
1131
1132 struct a {
1133 long filedes;
1134 long fnamep; /* char * */
1135 long fmode;
1136 long cmode;
1137 } *uap = (struct a *)clwp->lwp_ap;
1138
1139 fm = (uint_t)uap->fmode;
1140
1141 /*
1142 * __openattrdirat() does an extra pathname lookup in order to
1143 * enter the extended system attribute namespace of the referenced
1144 * extended attribute filename.
1145 */
1146 if (fm & FXATTRDIROPEN)
1147 tad->tad_ctrl |= TAD_MLD;
1148
1149 return (open_event(fm));
1150 }
1151
1152 static void
1153 aus_openat(struct t_audit_data *tad)
1154 {
1155 klwp_t *clwp = ttolwp(curthread);
1156 uint_t fm;
1157
1158 struct a {
1159 long filedes;
1160 long fnamep; /* char * */
1161 long fmode;
1162 long cmode;
1163 } *uap = (struct a *)clwp->lwp_ap;
1164
1165 fm = (uint_t)uap->fmode;
1166
1167 /* If no write, create, or trunc modes, mark as a public op */
1168 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1169 tad->tad_ctrl |= TAD_PUBLIC_EV;
1170 }
1171
1172 static au_event_t
1173 aui_unlinkat(au_event_t e)
1174 {
1175 klwp_t *clwp = ttolwp(curthread);
1176
1177 struct a {
1178 long filedes;
1179 long fnamep; /* char * */
1180 long flags;
1181 } *uap = (struct a *)clwp->lwp_ap;
1182
1183 if (uap->flags & AT_REMOVEDIR)
1184 e = AUE_RMDIR;
1185 else
1186 e = AUE_UNLINK;
1187
1188 return (e);
1189 }
1190
1191 static au_event_t
1192 aui_fstatat(au_event_t e)
1193 {
1194 klwp_t *clwp = ttolwp(curthread);
1195
1196 struct a {
1197 long filedes;
1198 long fnamep; /* char * */
1199 long statb;
1200 long flags;
1201 } *uap = (struct a *)clwp->lwp_ap;
1202
1203 if (uap->fnamep == 0)
1204 e = AUE_FSTAT;
1205 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1206 e = AUE_LSTAT;
1207 else
1208 e = AUE_STAT;
1209
1210 return (e);
1211 }
1212
1213 /* msgsys */
1214 static au_event_t
1215 aui_msgsys(au_event_t e)
1216 {
1217 klwp_t *clwp = ttolwp(curthread);
1218 uint_t fm;
1219
1220 struct a {
1221 long id; /* function code id */
1222 long ap; /* arg pointer for recvmsg */
1223 } *uap = (struct a *)clwp->lwp_ap;
1224
1225 struct b {
1226 long msgid;
1227 long cmd;
1228 long buf; /* struct msqid_ds * */
1229 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1230
1231 fm = (uint_t)uap->id;
1232
1233 switch (fm) {
1234 case 0: /* msgget */
1235 e = AUE_MSGGET;
1236 break;
1237 case 1: /* msgctl */
1238 switch ((uint_t)uap1->cmd) {
1239 case IPC_RMID:
1240 e = AUE_MSGCTL_RMID;
1241 break;
1242 case IPC_SET:
1243 e = AUE_MSGCTL_SET;
1244 break;
1245 case IPC_STAT:
1246 e = AUE_MSGCTL_STAT;
1247 break;
1248 default:
1249 e = AUE_MSGCTL;
1250 break;
1251 }
1252 break;
1253 case 2: /* msgrcv */
1254 e = AUE_MSGRCV;
1255 break;
1256 case 3: /* msgsnd */
1257 e = AUE_MSGSND;
1258 break;
1259 default: /* illegal system call */
1260 e = AUE_NULL;
1261 break;
1262 }
1263
1264 return (e);
1265 }
1266
1267
1268 /* shmsys */
1269 static au_event_t
1270 aui_shmsys(au_event_t e)
1271 {
1272 klwp_t *clwp = ttolwp(curthread);
1273 int fm;
1274
1275 struct a { /* shmsys */
1276 long id; /* function code id */
1277 } *uap = (struct a *)clwp->lwp_ap;
1278
1279 struct b { /* ctrl */
1280 long shmid;
1281 long cmd;
1282 long arg; /* struct shmid_ds * */
1283 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1284 fm = (uint_t)uap->id;
1285
1286 switch (fm) {
1287 case 0: /* shmat */
1288 e = AUE_SHMAT;
1289 break;
1290 case 1: /* shmctl */
1291 switch ((uint_t)uap1->cmd) {
1292 case IPC_RMID:
1293 e = AUE_SHMCTL_RMID;
1294 break;
1295 case IPC_SET:
1296 e = AUE_SHMCTL_SET;
1297 break;
1298 case IPC_STAT:
1299 e = AUE_SHMCTL_STAT;
1300 break;
1301 default:
1302 e = AUE_SHMCTL;
1303 break;
1304 }
1305 break;
1306 case 2: /* shmdt */
1307 e = AUE_SHMDT;
1308 break;
1309 case 3: /* shmget */
1310 e = AUE_SHMGET;
1311 break;
1312 default: /* illegal system call */
1313 e = AUE_NULL;
1314 break;
1315 }
1316
1317 return (e);
1318 }
1319
1320
1321 /* semsys */
1322 static au_event_t
1323 aui_semsys(au_event_t e)
1324 {
1325 klwp_t *clwp = ttolwp(curthread);
1326 uint_t fm;
1327
1328 struct a { /* semsys */
1329 long id;
1330 } *uap = (struct a *)clwp->lwp_ap;
1331
1332 struct b { /* ctrl */
1333 long semid;
1334 long semnum;
1335 long cmd;
1336 long arg;
1337 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1338
1339 fm = (uint_t)uap->id;
1340
1341 switch (fm) {
1342 case 0: /* semctl */
1343 switch ((uint_t)uap1->cmd) {
1344 case IPC_RMID:
1345 e = AUE_SEMCTL_RMID;
1346 break;
1347 case IPC_SET:
1348 e = AUE_SEMCTL_SET;
1349 break;
1350 case IPC_STAT:
1351 e = AUE_SEMCTL_STAT;
1352 break;
1353 case GETNCNT:
1354 e = AUE_SEMCTL_GETNCNT;
1355 break;
1356 case GETPID:
1357 e = AUE_SEMCTL_GETPID;
1358 break;
1359 case GETVAL:
1360 e = AUE_SEMCTL_GETVAL;
1361 break;
1362 case GETALL:
1363 e = AUE_SEMCTL_GETALL;
1364 break;
1365 case GETZCNT:
1366 e = AUE_SEMCTL_GETZCNT;
1367 break;
1368 case SETVAL:
1369 e = AUE_SEMCTL_SETVAL;
1370 break;
1371 case SETALL:
1372 e = AUE_SEMCTL_SETALL;
1373 break;
1374 default:
1375 e = AUE_SEMCTL;
1376 break;
1377 }
1378 break;
1379 case 1: /* semget */
1380 e = AUE_SEMGET;
1381 break;
1382 case 2: /* semop */
1383 e = AUE_SEMOP;
1384 break;
1385 default: /* illegal system call */
1386 e = AUE_NULL;
1387 break;
1388 }
1389
1390 return (e);
1391 }
1392
1393 /* utssys - uname(2), ustat(2), fusers(2) */
1394 static au_event_t
1395 aui_utssys(au_event_t e)
1396 {
1397 klwp_t *clwp = ttolwp(curthread);
1398 uint_t type;
1399
1400 struct a {
1401 union {
1402 long cbuf; /* char * */
1403 long ubuf; /* struct stat * */
1404 } ub;
1405 union {
1406 long mv; /* for USTAT */
1407 long flags; /* for FUSERS */
1408 } un;
1409 long type;
1410 long outbp; /* char * for FUSERS */
1411 } *uap = (struct a *)clwp->lwp_ap;
1412
1413 type = (uint_t)uap->type;
1414
1415 if (type == UTS_FUSERS)
1416 return (e);
1417 else
1418 return ((au_event_t)AUE_NULL);
1419 }
1420
1421 static au_event_t
1422 aui_fcntl(au_event_t e)
1423 {
1424 klwp_t *clwp = ttolwp(curthread);
1425 uint_t cmd;
1426
1427 struct a {
1428 long fdes;
1429 long cmd;
1430 long arg;
1431 } *uap = (struct a *)clwp->lwp_ap;
1432
1433 cmd = (uint_t)uap->cmd;
1434
1435 switch (cmd) {
1436 case F_GETLK:
1437 case F_SETLK:
1438 case F_SETLKW:
1439 break;
1440 case F_SETFL:
1441 case F_GETFL:
1442 case F_GETFD:
1443 break;
1444 default:
1445 e = (au_event_t)AUE_NULL;
1446 break;
1447 }
1448 return ((au_event_t)e);
1449 }
1450
1451 /* null function for now */
1452 static au_event_t
1453 aui_execve(au_event_t e)
1454 {
1455 return (e);
1456 }
1457
1458 /*ARGSUSED*/
1459 static void
1460 aus_fcntl(struct t_audit_data *tad)
1461 {
1462 klwp_t *clwp = ttolwp(curthread);
1463 uint32_t cmd, fd, flags;
1464 struct file *fp;
1465 struct vnode *vp;
1466 struct f_audit_data *fad;
1467
1468 struct a {
1469 long fd;
1470 long cmd;
1471 long arg;
1472 } *uap = (struct a *)clwp->lwp_ap;
1473
1474 cmd = (uint32_t)uap->cmd;
1475 fd = (uint32_t)uap->fd;
1476 flags = (uint32_t)uap->arg;
1477
1478 au_uwrite(au_to_arg32(2, "cmd", cmd));
1479
1480 if (cmd == F_SETFL)
1481 au_uwrite(au_to_arg32(3, "flags", flags));
1482
1483 /*
1484 * convert file pointer to file descriptor
1485 * Note: fd ref count incremented here.
1486 */
1487 if ((fp = getf(fd)) == NULL)
1488 return;
1489
1490 /* get path from file struct here */
1491 fad = F2A(fp);
1492 if (fad->fad_aupath != NULL) {
1493 au_uwrite(au_to_path(fad->fad_aupath));
1494 } else {
1495 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1496 }
1497
1498 vp = fp->f_vnode;
1499 audit_attributes(vp);
1500
1501 /* decrement file descriptor reference count */
1502 releasef(fd);
1503 }
1504
1505 /*ARGSUSED*/
1506 static void
1507 aus_kill(struct t_audit_data *tad)
1508 {
1509 klwp_t *clwp = ttolwp(curthread);
1510 struct proc *p;
1511 uint32_t signo;
1512 uid_t uid, ruid;
1513 gid_t gid, rgid;
1514 pid_t pid;
1515 const auditinfo_addr_t *ainfo;
1516 cred_t *cr;
1517
1518 struct a {
1519 long pid;
1520 long signo;
1521 } *uap = (struct a *)clwp->lwp_ap;
1522
1523 pid = (pid_t)uap->pid;
1524 signo = (uint32_t)uap->signo;
1525
1526 au_uwrite(au_to_arg32(2, "signal", signo));
1527 if (pid > 0) {
1528 mutex_enter(&pidlock);
1529 if (((p = prfind(pid)) == (struct proc *)0) ||
1530 (p->p_stat == SIDL)) {
1531 mutex_exit(&pidlock);
1532 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1533 return;
1534 }
1535 mutex_enter(&p->p_lock); /* so process doesn't go away */
1536 mutex_exit(&pidlock);
1537
1538 mutex_enter(&p->p_crlock);
1539 crhold(cr = p->p_cred);
1540 mutex_exit(&p->p_crlock);
1541 mutex_exit(&p->p_lock);
1542
1543 ainfo = crgetauinfo(cr);
1544 if (ainfo == NULL) {
1545 crfree(cr);
1546 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1547 return;
1548 }
1549
1550 uid = crgetuid(cr);
1551 gid = crgetgid(cr);
1552 ruid = crgetruid(cr);
1553 rgid = crgetrgid(cr);
1554 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1555 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1556
1557 if (is_system_labeled())
1558 au_uwrite(au_to_label(CR_SL(cr)));
1559
1560 crfree(cr);
1561 }
1562 else
1563 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1564 }
1565
1566 /*ARGSUSED*/
1567 static void
1568 aus_mkdir(struct t_audit_data *tad)
1569 {
1570 klwp_t *clwp = ttolwp(curthread);
1571 uint32_t dmode;
1572
1573 struct a {
1574 long dirnamep; /* char * */
1575 long dmode;
1576 } *uap = (struct a *)clwp->lwp_ap;
1577
1578 dmode = (uint32_t)uap->dmode;
1579
1580 au_uwrite(au_to_arg32(2, "mode", dmode));
1581 }
1582
1583 /*ARGSUSED*/
1584 static void
1585 aus_mkdirat(struct t_audit_data *tad)
1586 {
1587 klwp_t *clwp = ttolwp(curthread);
1588 uint32_t dmode;
1589
1590 struct a {
1591 long fd;
1592 long dirnamep; /* char * */
1593 long dmode;
1594 } *uap = (struct a *)clwp->lwp_ap;
1595
1596 dmode = (uint32_t)uap->dmode;
1597
1598 au_uwrite(au_to_arg32(2, "mode", dmode));
1599 }
1600
1601 /*ARGSUSED*/
1602 static void
1603 aus_mknod(struct t_audit_data *tad)
1604 {
1605 klwp_t *clwp = ttolwp(curthread);
1606 uint32_t fmode;
1607 dev_t dev;
1608
1609 struct a {
1610 long pnamep; /* char * */
1611 long fmode;
1612 long dev;
1613 } *uap = (struct a *)clwp->lwp_ap;
1614
1615 fmode = (uint32_t)uap->fmode;
1616 dev = (dev_t)uap->dev;
1617
1618 au_uwrite(au_to_arg32(2, "mode", fmode));
1619 #ifdef _LP64
1620 au_uwrite(au_to_arg64(3, "dev", dev));
1621 #else
1622 au_uwrite(au_to_arg32(3, "dev", dev));
1623 #endif
1624 }
1625
1626 /*ARGSUSED*/
1627 static void
1628 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1629 {
1630 klwp_t *clwp = ttolwp(curthread);
1631 vnode_t *dvp;
1632 caddr_t pnamep;
1633
1634 struct a {
1635 long pnamep; /* char * */
1636 long fmode;
1637 long dev;
1638 } *uap = (struct a *)clwp->lwp_ap;
1639
1640 /* no error, then already path token in audit record */
1641 if (error != EPERM && error != EINVAL)
1642 return;
1643
1644 /* do the lookup to force generation of path token */
1645 pnamep = (caddr_t)uap->pnamep;
1646 tad->tad_ctrl |= TAD_NOATTRB;
1647 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1648 if (error == 0)
1649 VN_RELE(dvp);
1650 }
1651
1652 /*ARGSUSED*/
1653 static void
1654 aus_mknodat(struct t_audit_data *tad)
1655 {
1656 klwp_t *clwp = ttolwp(curthread);
1657 uint32_t fmode;
1658 dev_t dev;
1659
1660 struct a {
1661 long fd;
1662 long pnamep; /* char * */
1663 long fmode;
1664 long dev;
1665 } *uap = (struct a *)clwp->lwp_ap;
1666
1667 fmode = (uint32_t)uap->fmode;
1668 dev = (dev_t)uap->dev;
1669
1670 au_uwrite(au_to_arg32(2, "mode", fmode));
1671 #ifdef _LP64
1672 au_uwrite(au_to_arg64(3, "dev", dev));
1673 #else
1674 au_uwrite(au_to_arg32(3, "dev", dev));
1675 #endif
1676 }
1677
1678 /*ARGSUSED*/
1679 static void
1680 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1681 {
1682 klwp_t *clwp = ttolwp(curthread);
1683 vnode_t *startvp;
1684 vnode_t *dvp;
1685 caddr_t pnamep;
1686 int fd;
1687
1688 struct a {
1689 long fd;
1690 long pnamep; /* char * */
1691 long fmode;
1692 long dev;
1693 } *uap = (struct a *)clwp->lwp_ap;
1694
1695 /* no error, then already path token in audit record */
1696 if (error != EPERM && error != EINVAL)
1697 return;
1698
1699 /* do the lookup to force generation of path token */
1700 fd = (int)uap->fd;
1701 pnamep = (caddr_t)uap->pnamep;
1702 if (pnamep == NULL ||
1703 fgetstartvp(fd, pnamep, &startvp) != 0)
1704 return;
1705 tad->tad_ctrl |= TAD_NOATTRB;
1706 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1707 startvp);
1708 if (error == 0)
1709 VN_RELE(dvp);
1710 if (startvp != NULL)
1711 VN_RELE(startvp);
1712 }
1713
1714 /*ARGSUSED*/
1715 static void
1716 aus_mount(struct t_audit_data *tad)
1717 {
1718 /* AUS_START */
1719 klwp_t *clwp = ttolwp(curthread);
1720 uint32_t flags;
1721 uintptr_t u_fstype, dataptr;
1722 STRUCT_DECL(nfs_args, nfsargs);
1723 size_t len;
1724 char *fstype, *hostname;
1725
1726 struct a {
1727 long spec; /* char * */
1728 long dir; /* char * */
1729 long flags;
1730 long fstype; /* char * */
1731 long dataptr; /* char * */
1732 long datalen;
1733 } *uap = (struct a *)clwp->lwp_ap;
1734
1735 u_fstype = (uintptr_t)uap->fstype;
1736 flags = (uint32_t)uap->flags;
1737 dataptr = (uintptr_t)uap->dataptr;
1738
1739 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1740 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1741 goto mount_free_fstype;
1742
1743 au_uwrite(au_to_arg32(3, "flags", flags));
1744 au_uwrite(au_to_text(fstype));
1745
1746 if (strncmp(fstype, "nfs", 3) == 0) {
1747
1748 STRUCT_INIT(nfsargs, get_udatamodel());
1749 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1750
1751 if (copyin((caddr_t)dataptr, STRUCT_BUF(nfsargs),
1752 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1753 /* DEBUG debug_enter((char *)NULL); */
1754 goto mount_free_fstype;
1755 }
1756 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1757 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1758 (caddr_t)hostname, MAXNAMELEN, &len)) {
1759 goto mount_free_hostname;
1760 }
1761 au_uwrite(au_to_text(hostname));
1762 au_uwrite(au_to_arg32(3, "internal flags",
1763 (uint_t)STRUCT_FGET(nfsargs, flags)));
1764
1765 mount_free_hostname:
1766 kmem_free(hostname, MAXNAMELEN);
1767 }
1768
1769 mount_free_fstype:
1770 kmem_free(fstype, MAXNAMELEN);
1771 } /* AUS_MOUNT */
1772
1773 static void
1774 aus_umount_path(caddr_t umount_dir)
1775 {
1776 char *dir_path;
1777 struct audit_path *path;
1778 size_t path_len, dir_len;
1779
1780 /* length alloc'd for two string pointers */
1781 path_len = sizeof (struct audit_path) + sizeof (char *);
1782 path = kmem_alloc(path_len, KM_SLEEP);
1783 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1784
1785 if (copyinstr(umount_dir, (caddr_t)dir_path,
1786 MAXPATHLEN, &dir_len))
1787 goto umount2_free_dir;
1788
1789 /*
1790 * the audit_path struct assumes that the buffer pointed to
1791 * by audp_sect[n] contains string 0 immediatedly followed
1792 * by string 1.
1793 */
1794 path->audp_sect[0] = dir_path;
1795 path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1796 path->audp_size = path_len;
1797 path->audp_ref = 1; /* not used */
1798 path->audp_cnt = 1; /* one path string */
1799
1800 au_uwrite(au_to_path(path));
1801
1802 umount2_free_dir:
1803 kmem_free(dir_path, MAXPATHLEN);
1804 kmem_free(path, path_len);
1805 }
1806
1807 /*ARGSUSED*/
1808 static void
1809 aus_umount2(struct t_audit_data *tad)
1810 {
1811 klwp_t *clwp = ttolwp(curthread);
1812 struct a {
1813 long dir; /* char * */
1814 long flags;
1815 } *uap = (struct a *)clwp->lwp_ap;
1816
1817 aus_umount_path((caddr_t)uap->dir);
1818
1819 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1820 }
1821
1822 static void
1823 aus_msgsys(struct t_audit_data *tad)
1824 {
1825 klwp_t *clwp = ttolwp(curthread);
1826 uint32_t msgid;
1827
1828 struct b {
1829 long msgid;
1830 long cmd;
1831 long buf; /* struct msqid_ds * */
1832 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1833
1834 msgid = (uint32_t)uap1->msgid;
1835
1836
1837 switch (tad->tad_event) {
1838 case AUE_MSGGET: /* msgget */
1839 au_uwrite(au_to_arg32(1, "msg key", msgid));
1840 break;
1841 case AUE_MSGCTL: /* msgctl */
1842 case AUE_MSGCTL_RMID: /* msgctl */
1843 case AUE_MSGCTL_SET: /* msgctl */
1844 case AUE_MSGCTL_STAT: /* msgctl */
1845 case AUE_MSGRCV: /* msgrcv */
1846 case AUE_MSGSND: /* msgsnd */
1847 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1848 break;
1849 }
1850 }
1851
1852 /*ARGSUSED*/
1853 static void
1854 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1855 {
1856 int id;
1857
1858 if (error != 0)
1859 return;
1860 if (tad->tad_event == AUE_MSGGET) {
1861 uint32_t scid;
1862 uint32_t sy_flags;
1863
1864 /* need to determine type of executing binary */
1865 scid = tad->tad_scid;
1866 #ifdef _SYSCALL32_IMPL
1867 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1868 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1869 else
1870 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1871 #else
1872 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1873 #endif
1874 if (sy_flags == SE_32RVAL1)
1875 id = rval->r_val1;
1876 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1877 id = rval->r_val1;
1878 if (sy_flags == SE_64RVAL)
1879 id = (int)rval->r_vals;
1880
1881 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1882 }
1883 }
1884
1885 static void
1886 aus_semsys(struct t_audit_data *tad)
1887 {
1888 klwp_t *clwp = ttolwp(curthread);
1889 uint32_t semid;
1890
1891 struct b { /* ctrl */
1892 long semid;
1893 long semnum;
1894 long cmd;
1895 long arg;
1896 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1897
1898 semid = (uint32_t)uap1->semid;
1899
1900 switch (tad->tad_event) {
1901 case AUE_SEMCTL_RMID:
1902 case AUE_SEMCTL_STAT:
1903 case AUE_SEMCTL_GETNCNT:
1904 case AUE_SEMCTL_GETPID:
1905 case AUE_SEMCTL_GETVAL:
1906 case AUE_SEMCTL_GETALL:
1907 case AUE_SEMCTL_GETZCNT:
1908 case AUE_SEMCTL_SET:
1909 case AUE_SEMCTL_SETVAL:
1910 case AUE_SEMCTL_SETALL:
1911 case AUE_SEMCTL:
1912 case AUE_SEMOP:
1913 au_uwrite(au_to_arg32(1, "sem ID", semid));
1914 break;
1915 case AUE_SEMGET:
1916 au_uwrite(au_to_arg32(1, "sem key", semid));
1917 break;
1918 }
1919 }
1920
1921 /*ARGSUSED*/
1922 static void
1923 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1924 {
1925 int id;
1926
1927 if (error != 0)
1928 return;
1929 if (tad->tad_event == AUE_SEMGET) {
1930 uint32_t scid;
1931 uint32_t sy_flags;
1932
1933 /* need to determine type of executing binary */
1934 scid = tad->tad_scid;
1935 #ifdef _SYSCALL32_IMPL
1936 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1937 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1938 else
1939 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1940 #else
1941 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1942 #endif
1943 if (sy_flags == SE_32RVAL1)
1944 id = rval->r_val1;
1945 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1946 id = rval->r_val1;
1947 if (sy_flags == SE_64RVAL)
1948 id = (int)rval->r_vals;
1949
1950 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1951 }
1952 }
1953
1954 /*ARGSUSED*/
1955 static void
1956 aus_close(struct t_audit_data *tad)
1957 {
1958 klwp_t *clwp = ttolwp(curthread);
1959 uint32_t fd;
1960 struct file *fp;
1961 struct f_audit_data *fad;
1962 struct vnode *vp;
1963 struct vattr attr;
1964 au_kcontext_t *kctx = GET_KCTX_PZ;
1965
1966 struct a {
1967 long i;
1968 } *uap = (struct a *)clwp->lwp_ap;
1969
1970 fd = (uint32_t)uap->i;
1971
1972 attr.va_mask = 0;
1973 au_uwrite(au_to_arg32(1, "fd", fd));
1974
1975 /*
1976 * convert file pointer to file descriptor
1977 * Note: fd ref count incremented here.
1978 */
1979 if ((fp = getf(fd)) == NULL)
1980 return;
1981
1982 fad = F2A(fp);
1983 tad->tad_evmod = (au_emod_t)fad->fad_flags;
1984 if (fad->fad_aupath != NULL) {
1985 au_uwrite(au_to_path(fad->fad_aupath));
1986 if ((vp = fp->f_vnode) != NULL) {
1987 attr.va_mask = AT_ALL;
1988 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1989 /*
1990 * When write was not used and the file can be
1991 * considered public, skip the audit.
1992 */
1993 if (((fp->f_flag & FWRITE) == 0) &&
1994 object_is_public(&attr)) {
1995 tad->tad_flag = 0;
1996 tad->tad_evmod = 0;
1997 /* free any residual audit data */
1998 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1999 releasef(fd);
2000 return;
2001 }
2002 au_uwrite(au_to_attr(&attr));
2003 audit_sec_attributes(&(u_ad), vp);
2004 }
2005 }
2006 }
2007
2008 /* decrement file descriptor reference count */
2009 releasef(fd);
2010 }
2011
2012 /*ARGSUSED*/
2013 static void
2014 aus_fstatfs(struct t_audit_data *tad)
2015 {
2016 klwp_t *clwp = ttolwp(curthread);
2017 uint32_t fd;
2018 struct file *fp;
2019 struct vnode *vp;
2020 struct f_audit_data *fad;
2021
2022 struct a {
2023 long fd;
2024 long buf; /* struct statfs * */
2025 } *uap = (struct a *)clwp->lwp_ap;
2026
2027 fd = (uint_t)uap->fd;
2028
2029 /*
2030 * convert file pointer to file descriptor
2031 * Note: fd ref count incremented here.
2032 */
2033 if ((fp = getf(fd)) == NULL)
2034 return;
2035
2036 /* get path from file struct here */
2037 fad = F2A(fp);
2038 if (fad->fad_aupath != NULL) {
2039 au_uwrite(au_to_path(fad->fad_aupath));
2040 } else {
2041 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2042 }
2043
2044 vp = fp->f_vnode;
2045 audit_attributes(vp);
2046
2047 /* decrement file descriptor reference count */
2048 releasef(fd);
2049 }
2050
2051 static au_event_t
2052 aui_setpgrp(au_event_t e)
2053 {
2054 klwp_t *clwp = ttolwp(curthread);
2055 int flag;
2056
2057 struct a {
2058 long flag;
2059 long pid;
2060 long pgid;
2061 } *uap = (struct a *)clwp->lwp_ap;
2062
2063 flag = (int)uap->flag;
2064
2065
2066 switch (flag) {
2067
2068 case 1: /* setpgrp() */
2069 e = AUE_SETPGRP;
2070 break;
2071
2072 case 3: /* setsid() */
2073 e = AUE_SETSID;
2074 break;
2075
2076 case 5: /* setpgid() */
2077 e = AUE_SETPGID;
2078 break;
2079
2080 case 0: /* getpgrp() - not security relevant */
2081 case 2: /* getsid() - not security relevant */
2082 case 4: /* getpgid() - not security relevant */
2083 e = AUE_NULL;
2084 break;
2085
2086 default:
2087 e = AUE_NULL;
2088 break;
2089 }
2090
2091 return (e);
2092 }
2093
2094 /*ARGSUSED*/
2095 static void
2096 aus_setpgrp(struct t_audit_data *tad)
2097 {
2098 klwp_t *clwp = ttolwp(curthread);
2099 pid_t pgid;
2100 struct proc *p;
2101 uid_t uid, ruid;
2102 gid_t gid, rgid;
2103 pid_t pid;
2104 cred_t *cr;
2105 int flag;
2106 const auditinfo_addr_t *ainfo;
2107
2108 struct a {
2109 long flag;
2110 long pid;
2111 long pgid;
2112 } *uap = (struct a *)clwp->lwp_ap;
2113
2114 flag = (int)uap->flag;
2115 pid = (pid_t)uap->pid;
2116 pgid = (pid_t)uap->pgid;
2117
2118
2119 switch (flag) {
2120
2121 case 0: /* getpgrp() */
2122 case 1: /* setpgrp() */
2123 case 2: /* getsid() */
2124 case 3: /* setsid() */
2125 case 4: /* getpgid() */
2126 break;
2127
2128 case 5: /* setpgid() */
2129
2130 /* current process? */
2131 if (pid == 0) {
2132 return;
2133 }
2134
2135 mutex_enter(&pidlock);
2136 p = prfind(pid);
2137 if (p == NULL || p->p_as == &kas ||
2138 p->p_stat == SIDL || p->p_stat == SZOMB) {
2139 mutex_exit(&pidlock);
2140 return;
2141 }
2142 mutex_enter(&p->p_lock); /* so process doesn't go away */
2143 mutex_exit(&pidlock);
2144
2145 mutex_enter(&p->p_crlock);
2146 crhold(cr = p->p_cred);
2147 mutex_exit(&p->p_crlock);
2148 mutex_exit(&p->p_lock);
2149
2150 ainfo = crgetauinfo(cr);
2151 if (ainfo == NULL) {
2152 crfree(cr);
2153 return;
2154 }
2155
2156 uid = crgetuid(cr);
2157 gid = crgetgid(cr);
2158 ruid = crgetruid(cr);
2159 rgid = crgetrgid(cr);
2160 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2161 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2162 crfree(cr);
2163 au_uwrite(au_to_arg32(2, "pgid", pgid));
2164 break;
2165
2166 default:
2167 break;
2168 }
2169 }
2170
2171
2172 /*ARGSUSED*/
2173 static void
2174 aus_setregid(struct t_audit_data *tad)
2175 {
2176 klwp_t *clwp = ttolwp(curthread);
2177 uint32_t rgid, egid;
2178
2179 struct a {
2180 long rgid;
2181 long egid;
2182 } *uap = (struct a *)clwp->lwp_ap;
2183
2184 rgid = (uint32_t)uap->rgid;
2185 egid = (uint32_t)uap->egid;
2186
2187 au_uwrite(au_to_arg32(1, "rgid", rgid));
2188 au_uwrite(au_to_arg32(2, "egid", egid));
2189 }
2190
2191 /*ARGSUSED*/
2192 static void
2193 aus_setgid(struct t_audit_data *tad)
2194 {
2195 klwp_t *clwp = ttolwp(curthread);
2196 uint32_t gid;
2197
2198 struct a {
2199 long gid;
2200 } *uap = (struct a *)clwp->lwp_ap;
2201
2202 gid = (uint32_t)uap->gid;
2203
2204 au_uwrite(au_to_arg32(1, "gid", gid));
2205 }
2206
2207
2208 /*ARGSUSED*/
2209 static void
2210 aus_setreuid(struct t_audit_data *tad)
2211 {
2212 klwp_t *clwp = ttolwp(curthread);
2213 uint32_t ruid, euid;
2214
2215 struct a {
2216 long ruid;
2217 long euid;
2218 } *uap = (struct a *)clwp->lwp_ap;
2219
2220 ruid = (uint32_t)uap->ruid;
2221 euid = (uint32_t)uap->euid;
2222
2223 au_uwrite(au_to_arg32(1, "ruid", ruid));
2224 au_uwrite(au_to_arg32(2, "euid", euid));
2225 }
2226
2227
2228 /*ARGSUSED*/
2229 static void
2230 aus_setuid(struct t_audit_data *tad)
2231 {
2232 klwp_t *clwp = ttolwp(curthread);
2233 uint32_t uid;
2234
2235 struct a {
2236 long uid;
2237 } *uap = (struct a *)clwp->lwp_ap;
2238
2239 uid = (uint32_t)uap->uid;
2240
2241 au_uwrite(au_to_arg32(1, "uid", uid));
2242 }
2243
2244 /*ARGSUSED*/
2245 static void
2246 aus_shmsys(struct t_audit_data *tad)
2247 {
2248 klwp_t *clwp = ttolwp(curthread);
2249 uint32_t id, cmd;
2250
2251 struct b {
2252 long id;
2253 long cmd;
2254 long buf; /* struct shmid_ds * */
2255 } *uap1 = (struct b *)&clwp->lwp_ap[1];
2256
2257 id = (uint32_t)uap1->id;
2258 cmd = (uint32_t)uap1->cmd;
2259
2260 switch (tad->tad_event) {
2261 case AUE_SHMGET: /* shmget */
2262 au_uwrite(au_to_arg32(1, "shm key", id));
2263 break;
2264 case AUE_SHMCTL: /* shmctl */
2265 case AUE_SHMCTL_RMID: /* shmctl */
2266 case AUE_SHMCTL_STAT: /* shmctl */
2267 case AUE_SHMCTL_SET: /* shmctl */
2268 au_uwrite(au_to_arg32(1, "shm ID", id));
2269 break;
2270 case AUE_SHMDT: /* shmdt */
2271 au_uwrite(au_to_arg32(1, "shm adr", id));
2272 break;
2273 case AUE_SHMAT: /* shmat */
2274 au_uwrite(au_to_arg32(1, "shm ID", id));
2275 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2276 break;
2277 }
2278 }
2279
2280 /*ARGSUSED*/
2281 static void
2282 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2283 {
2284 int id;
2285
2286 if (error != 0)
2287 return;
2288 if (tad->tad_event == AUE_SHMGET) {
2289 uint32_t scid;
2290 uint32_t sy_flags;
2291
2292 /* need to determine type of executing binary */
2293 scid = tad->tad_scid;
2294 #ifdef _SYSCALL32_IMPL
2295 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2296 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2297 else
2298 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2299 #else
2300 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2301 #endif
2302 if (sy_flags == SE_32RVAL1)
2303 id = rval->r_val1;
2304 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2305 id = rval->r_val1;
2306 if (sy_flags == SE_64RVAL)
2307 id = (int)rval->r_vals;
2308 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2309 }
2310 }
2311
2312
2313 /*ARGSUSED*/
2314 static void
2315 aus_ioctl(struct t_audit_data *tad)
2316 {
2317 klwp_t *clwp = ttolwp(curthread);
2318 struct file *fp;
2319 struct vnode *vp;
2320 struct f_audit_data *fad;
2321 uint32_t fd, cmd;
2322 uintptr_t cmarg;
2323
2324 /* XX64 */
2325 struct a {
2326 long fd;
2327 long cmd;
2328 long cmarg; /* caddr_t */
2329 } *uap = (struct a *)clwp->lwp_ap;
2330
2331 fd = (uint32_t)uap->fd;
2332 cmd = (uint32_t)uap->cmd;
2333 cmarg = (uintptr_t)uap->cmarg;
2334
2335 /*
2336 * convert file pointer to file descriptor
2337 * Note: fd ref count incremented here.
2338 */
2339 if ((fp = getf(fd)) == NULL) {
2340 au_uwrite(au_to_arg32(1, "fd", fd));
2341 au_uwrite(au_to_arg32(2, "cmd", cmd));
2342 #ifndef _LP64
2343 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2344 #else
2345 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2346 #endif
2347 return;
2348 }
2349
2350 /* get path from file struct here */
2351 fad = F2A(fp);
2352 if (fad->fad_aupath != NULL) {
2353 au_uwrite(au_to_path(fad->fad_aupath));
2354 } else {
2355 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2356 }
2357
2358 vp = fp->f_vnode;
2359 audit_attributes(vp);
2360
2361 /* decrement file descriptor reference count */
2362 releasef(fd);
2363
2364 au_uwrite(au_to_arg32(2, "cmd", cmd));
2365 #ifndef _LP64
2366 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2367 #else
2368 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2369 #endif
2370 }
2371
2372 /*
2373 * null function for memcntl for now. We might want to limit memcntl()
2374 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2375 * require privileges.
2376 */
2377 static au_event_t
2378 aui_memcntl(au_event_t e)
2379 {
2380 return (e);
2381 }
2382
2383 /*ARGSUSED*/
2384 static au_event_t
2385 aui_privsys(au_event_t e)
2386 {
2387 klwp_t *clwp = ttolwp(curthread);
2388
2389 struct a {
2390 long opcode;
2391 } *uap = (struct a *)clwp->lwp_ap;
2392
2393 switch (uap->opcode) {
2394 case PRIVSYS_SETPPRIV:
2395 return (AUE_SETPPRIV);
2396 default:
2397 return (AUE_NULL);
2398 }
2399 }
2400
2401 /*ARGSUSED*/
2402 static void
2403 aus_memcntl(struct t_audit_data *tad)
2404 {
2405 klwp_t *clwp = ttolwp(curthread);
2406
2407 struct a {
2408 long addr;
2409 long len;
2410 long cmd;
2411 long arg;
2412 long attr;
2413 long mask;
2414 } *uap = (struct a *)clwp->lwp_ap;
2415
2416 #ifdef _LP64
2417 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2418 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2419 #else
2420 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2421 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2422 #endif
2423 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2424 #ifdef _LP64
2425 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2426 #else
2427 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2428 #endif
2429 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2430 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2431 }
2432
2433 /*ARGSUSED*/
2434 static void
2435 aus_mmap(struct t_audit_data *tad)
2436 {
2437 klwp_t *clwp = ttolwp(curthread);
2438 struct file *fp;
2439 struct f_audit_data *fad;
2440 struct vnode *vp;
2441 uint32_t fd;
2442
2443 struct a {
2444 long addr;
2445 long len;
2446 long prot;
2447 long flags;
2448 long fd;
2449 long pos;
2450 } *uap = (struct a *)clwp->lwp_ap;
2451
2452 fd = (uint32_t)uap->fd;
2453
2454 #ifdef _LP64
2455 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2456 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2457 #else
2458 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2459 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2460 #endif
2461
2462 if ((fp = getf(fd)) == NULL) {
2463 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2464 return;
2465 }
2466
2467 /*
2468 * Mark in the tad if write access is NOT requested... if
2469 * this is later detected (in audit_attributes) to be a
2470 * public object, the mmap event may be discarded.
2471 */
2472 if (((uap->prot) & PROT_WRITE) == 0) {
2473 tad->tad_ctrl |= TAD_PUBLIC_EV;
2474 }
2475
2476 fad = F2A(fp);
2477 if (fad->fad_aupath != NULL) {
2478 au_uwrite(au_to_path(fad->fad_aupath));
2479 } else {
2480 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2481 }
2482
2483 vp = (struct vnode *)fp->f_vnode;
2484 audit_attributes(vp);
2485
2486 /* mark READ/WRITE since we can't predict access */
2487 if (uap->prot & PROT_READ)
2488 fad->fad_flags |= FAD_READ;
2489 if (uap->prot & PROT_WRITE)
2490 fad->fad_flags |= FAD_WRITE;
2491
2492 /* decrement file descriptor reference count */
2493 releasef(fd);
2494
2495 } /* AUS_MMAP */
2496
2497
2498
2499
2500 /*ARGSUSED*/
2501 static void
2502 aus_munmap(struct t_audit_data *tad)
2503 {
2504 klwp_t *clwp = ttolwp(curthread);
2505
2506 struct a {
2507 long addr;
2508 long len;
2509 } *uap = (struct a *)clwp->lwp_ap;
2510
2511 #ifdef _LP64
2512 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2513 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2514 #else
2515 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2516 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2517 #endif
2518
2519 } /* AUS_MUNMAP */
2520
2521
2522
2523
2524
2525
2526
2527 /*ARGSUSED*/
2528 static void
2529 aus_priocntlsys(struct t_audit_data *tad)
2530 {
2531 klwp_t *clwp = ttolwp(curthread);
2532
2533 struct a {
2534 long pc_version;
2535 long psp; /* procset_t */
2536 long cmd;
2537 long arg;
2538 } *uap = (struct a *)clwp->lwp_ap;
2539
2540 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2541 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2542
2543 } /* AUS_PRIOCNTLSYS */
2544
2545
2546 /*ARGSUSED*/
2547 static void
2548 aus_setegid(struct t_audit_data *tad)
2549 {
2550 klwp_t *clwp = ttolwp(curthread);
2551 uint32_t gid;
2552
2553 struct a {
2554 long gid;
2555 } *uap = (struct a *)clwp->lwp_ap;
2556
2557 gid = (uint32_t)uap->gid;
2558
2559 au_uwrite(au_to_arg32(1, "gid", gid));
2560 } /* AUS_SETEGID */
2561
2562
2563
2564
2565 /*ARGSUSED*/
2566 static void
2567 aus_setgroups(struct t_audit_data *tad)
2568 {
2569 klwp_t *clwp = ttolwp(curthread);
2570 int i;
2571 int gidsetsize;
2572 uintptr_t gidset;
2573 gid_t *gidlist;
2574
2575 struct a {
2576 long gidsetsize;
2577 long gidset;
2578 } *uap = (struct a *)clwp->lwp_ap;
2579
2580 gidsetsize = (uint_t)uap->gidsetsize;
2581 gidset = (uintptr_t)uap->gidset;
2582
2583 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2584 return;
2585 if (gidsetsize != 0) {
2586 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2587 KM_SLEEP);
2588 if (copyin((caddr_t)gidset, gidlist,
2589 gidsetsize * sizeof (gid_t)) == 0)
2590 for (i = 0; i < gidsetsize; i++)
2591 au_uwrite(au_to_arg32(1, "setgroups",
2592 (uint32_t)gidlist[i]));
2593 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2594 } else
2595 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2596
2597 } /* AUS_SETGROUPS */
2598
2599
2600
2601
2602
2603 /*ARGSUSED*/
2604 static void
2605 aus_seteuid(struct t_audit_data *tad)
2606 {
2607 klwp_t *clwp = ttolwp(curthread);
2608 uint32_t uid;
2609
2610 struct a {
2611 long uid;
2612 } *uap = (struct a *)clwp->lwp_ap;
2613
2614 uid = (uint32_t)uap->uid;
2615
2616 au_uwrite(au_to_arg32(1, "euid", uid));
2617
2618 } /* AUS_SETEUID */
2619
2620 /*ARGSUSED*/
2621 static void
2622 aus_putmsg(struct t_audit_data *tad)
2623 {
2624 klwp_t *clwp = ttolwp(curthread);
2625 uint32_t fd, pri;
2626 struct file *fp;
2627 struct f_audit_data *fad;
2628
2629 struct a {
2630 long fdes;
2631 long ctl; /* struct strbuf * */
2632 long data; /* struct strbuf * */
2633 long pri;
2634 } *uap = (struct a *)clwp->lwp_ap;
2635
2636 fd = (uint32_t)uap->fdes;
2637 pri = (uint32_t)uap->pri;
2638
2639 au_uwrite(au_to_arg32(1, "fd", fd));
2640
2641 if ((fp = getf(fd)) != NULL) {
2642 fad = F2A(fp);
2643
2644 fad->fad_flags |= FAD_WRITE;
2645
2646 /* add path name to audit record */
2647 if (fad->fad_aupath != NULL) {
2648 au_uwrite(au_to_path(fad->fad_aupath));
2649 }
2650 audit_attributes(fp->f_vnode);
2651
2652 releasef(fd);
2653 }
2654
2655 au_uwrite(au_to_arg32(4, "pri", pri));
2656 }
2657
2658 /*ARGSUSED*/
2659 static void
2660 aus_putpmsg(struct t_audit_data *tad)
2661 {
2662 klwp_t *clwp = ttolwp(curthread);
2663 uint32_t fd, pri, flags;
2664 struct file *fp;
2665 struct f_audit_data *fad;
2666
2667 struct a {
2668 long fdes;
2669 long ctl; /* struct strbuf * */
2670 long data; /* struct strbuf * */
2671 long pri;
2672 long flags;
2673 } *uap = (struct a *)clwp->lwp_ap;
2674
2675 fd = (uint32_t)uap->fdes;
2676 pri = (uint32_t)uap->pri;
2677 flags = (uint32_t)uap->flags;
2678
2679 au_uwrite(au_to_arg32(1, "fd", fd));
2680
2681 if ((fp = getf(fd)) != NULL) {
2682 fad = F2A(fp);
2683
2684 fad->fad_flags |= FAD_WRITE;
2685
2686 /* add path name to audit record */
2687 if (fad->fad_aupath != NULL) {
2688 au_uwrite(au_to_path(fad->fad_aupath));
2689 }
2690 audit_attributes(fp->f_vnode);
2691
2692 releasef(fd);
2693 }
2694
2695
2696 au_uwrite(au_to_arg32(4, "pri", pri));
2697 au_uwrite(au_to_arg32(5, "flags", flags));
2698 }
2699
2700 /*ARGSUSED*/
2701 static void
2702 aus_getmsg(struct t_audit_data *tad)
2703 {
2704 klwp_t *clwp = ttolwp(curthread);
2705 uint32_t fd, pri;
2706 struct file *fp;
2707 struct f_audit_data *fad;
2708
2709 struct a {
2710 long fdes;
2711 long ctl; /* struct strbuf * */
2712 long data; /* struct strbuf * */
2713 long pri;
2714 } *uap = (struct a *)clwp->lwp_ap;
2715
2716 fd = (uint32_t)uap->fdes;
2717 pri = (uint32_t)uap->pri;
2718
2719 au_uwrite(au_to_arg32(1, "fd", fd));
2720
2721 if ((fp = getf(fd)) != NULL) {
2722 fad = F2A(fp);
2723
2724 /*
2725 * read operation on this object
2726 */
2727 fad->fad_flags |= FAD_READ;
2728
2729 /* add path name to audit record */
2730 if (fad->fad_aupath != NULL) {
2731 au_uwrite(au_to_path(fad->fad_aupath));
2732 }
2733 audit_attributes(fp->f_vnode);
2734
2735 releasef(fd);
2736 }
2737
2738 au_uwrite(au_to_arg32(4, "pri", pri));
2739 }
2740
2741 /*ARGSUSED*/
2742 static void
2743 aus_getpmsg(struct t_audit_data *tad)
2744 {
2745 klwp_t *clwp = ttolwp(curthread);
2746 uint32_t fd;
2747 struct file *fp;
2748 struct f_audit_data *fad;
2749
2750 struct a {
2751 long fdes;
2752 long ctl; /* struct strbuf * */
2753 long data; /* struct strbuf * */
2754 long pri;
2755 long flags;
2756 } *uap = (struct a *)clwp->lwp_ap;
2757
2758 fd = (uint32_t)uap->fdes;
2759
2760 au_uwrite(au_to_arg32(1, "fd", fd));
2761
2762 if ((fp = getf(fd)) != NULL) {
2763 fad = F2A(fp);
2764
2765 /*
2766 * read operation on this object
2767 */
2768 fad->fad_flags |= FAD_READ;
2769
2770 /* add path name to audit record */
2771 if (fad->fad_aupath != NULL) {
2772 au_uwrite(au_to_path(fad->fad_aupath));
2773 }
2774 audit_attributes(fp->f_vnode);
2775
2776 releasef(fd);
2777 }
2778 }
2779
2780 static au_event_t
2781 aui_labelsys(au_event_t e)
2782 {
2783 klwp_t *clwp = ttolwp(curthread);
2784 uint32_t code;
2785 uint32_t cmd;
2786
2787 struct a {
2788 long code;
2789 long cmd;
2790 } *uap = (struct a *)clwp->lwp_ap;
2791
2792 code = (uint32_t)uap->code;
2793 cmd = (uint32_t)uap->cmd;
2794
2795 /* not security relevant if not changing kernel cache */
2796 if (cmd == TNDB_GET)
2797 return (AUE_NULL);
2798
2799 switch (code) {
2800 case TSOL_TNRH:
2801 e = AUE_LABELSYS_TNRH;
2802 break;
2803 case TSOL_TNRHTP:
2804 e = AUE_LABELSYS_TNRHTP;
2805 break;
2806 case TSOL_TNMLP:
2807 e = AUE_LABELSYS_TNMLP;
2808 break;
2809 default:
2810 e = AUE_NULL;
2811 break;
2812 }
2813
2814 return (e);
2815
2816 }
2817
2818 static void
2819 aus_labelsys(struct t_audit_data *tad)
2820 {
2821 klwp_t *clwp = ttolwp(curthread);
2822 uint32_t cmd;
2823 uintptr_t a2;
2824
2825 struct a {
2826 long code;
2827 long cmd;
2828 long a2;
2829 } *uap = (struct a *)clwp->lwp_ap;
2830
2831 cmd = (uint32_t)uap->cmd;
2832 a2 = (uintptr_t)uap->a2;
2833
2834 switch (tad->tad_event) {
2835 case AUE_LABELSYS_TNRH:
2836 {
2837 tsol_rhent_t *rhent;
2838 tnaddr_t *rh_addr;
2839
2840 au_uwrite(au_to_arg32(1, "cmd", cmd));
2841
2842 /* Remaining args don't apply for FLUSH, so skip */
2843 if (cmd == TNDB_FLUSH)
2844 break;
2845
2846 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2847 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2848 kmem_free(rhent, sizeof (tsol_rhent_t));
2849 return;
2850 }
2851
2852 rh_addr = &rhent->rh_address;
2853 if (rh_addr->ta_family == AF_INET) {
2854 struct in_addr *ipaddr;
2855
2856 ipaddr = &(rh_addr->ta_addr_v4);
2857 au_uwrite(au_to_in_addr(ipaddr));
2858 } else if (rh_addr->ta_family == AF_INET6) {
2859 int32_t *ipaddr;
2860
2861 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2862 au_uwrite(au_to_in_addr_ex(ipaddr));
2863 }
2864 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2865
2866 kmem_free(rhent, sizeof (tsol_rhent_t));
2867
2868 break;
2869 }
2870 case AUE_LABELSYS_TNRHTP:
2871 {
2872 tsol_tpent_t *tpent;
2873
2874 au_uwrite(au_to_arg32(1, "cmd", cmd));
2875
2876 /* Remaining args don't apply for FLUSH, so skip */
2877 if (cmd == TNDB_FLUSH)
2878 break;
2879
2880 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2881 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2882 kmem_free(tpent, sizeof (tsol_tpent_t));
2883 return;
2884 }
2885
2886 /* Make sure that the template name is null-terminated. */
2887 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2888
2889 au_uwrite(au_to_text(tpent->name));
2890 kmem_free(tpent, sizeof (tsol_tpent_t));
2891
2892 break;
2893 }
2894 case AUE_LABELSYS_TNMLP:
2895 {
2896 tsol_mlpent_t *mlpent;
2897
2898 au_uwrite(au_to_arg32(1, "cmd", cmd));
2899
2900 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2901 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2902 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2903 return;
2904 }
2905
2906 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2907 au_uwrite(au_to_text("shared"));
2908 } else {
2909 zone_t *zone;
2910
2911 zone = zone_find_by_id(mlpent->tsme_zoneid);
2912 if (zone != NULL) {
2913 au_uwrite(au_to_text(zone->zone_name));
2914 zone_rele(zone);
2915 }
2916 }
2917
2918 /* Remaining args don't apply for FLUSH, so skip */
2919 if (cmd == TNDB_FLUSH) {
2920 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2921 break;
2922 }
2923
2924 au_uwrite(au_to_arg32(2, "proto num",
2925 (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2926 au_uwrite(au_to_arg32(2, "mlp_port",
2927 (uint32_t)mlpent->tsme_mlp.mlp_port));
2928
2929 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2930 au_uwrite(au_to_arg32(2, "mlp_port_upper",
2931 (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2932
2933 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2934
2935 break;
2936 }
2937 default:
2938 break;
2939 }
2940 }
2941
2942
2943 static au_event_t
2944 aui_auditsys(au_event_t e)
2945 {
2946 klwp_t *clwp = ttolwp(curthread);
2947 uint32_t code;
2948
2949 struct a {
2950 long code;
2951 long a1;
2952 long a2;
2953 long a3;
2954 long a4;
2955 long a5;
2956 long a6;
2957 long a7;
2958 } *uap = (struct a *)clwp->lwp_ap;
2959
2960 code = (uint32_t)uap->code;
2961
2962 switch (code) {
2963
2964 case BSM_GETAUID:
2965 e = AUE_GETAUID;
2966 break;
2967 case BSM_SETAUID:
2968 e = AUE_SETAUID;
2969 break;
2970 case BSM_GETAUDIT:
2971 e = AUE_GETAUDIT;
2972 break;
2973 case BSM_GETAUDIT_ADDR:
2974 e = AUE_GETAUDIT_ADDR;
2975 break;
2976 case BSM_SETAUDIT:
2977 e = AUE_SETAUDIT;
2978 break;
2979 case BSM_SETAUDIT_ADDR:
2980 e = AUE_SETAUDIT_ADDR;
2981 break;
2982 case BSM_AUDIT:
2983 e = AUE_AUDIT;
2984 break;
2985 case BSM_AUDITCTL:
2986 switch ((uint_t)uap->a1) {
2987
2988 case A_GETPOLICY:
2989 e = AUE_AUDITON_GPOLICY;
2990 break;
2991 case A_SETPOLICY:
2992 e = AUE_AUDITON_SPOLICY;
2993 break;
2994 case A_GETAMASK:
2995 e = AUE_AUDITON_GETAMASK;
2996 break;
2997 case A_SETAMASK:
2998 e = AUE_AUDITON_SETAMASK;
2999 break;
3000 case A_GETKMASK:
3001 e = AUE_AUDITON_GETKMASK;
3002 break;
3003 case A_SETKMASK:
3004 e = AUE_AUDITON_SETKMASK;
3005 break;
3006 case A_GETQCTRL:
3007 e = AUE_AUDITON_GQCTRL;
3008 break;
3009 case A_SETQCTRL:
3010 e = AUE_AUDITON_SQCTRL;
3011 break;
3012 case A_GETCWD:
3013 e = AUE_AUDITON_GETCWD;
3014 break;
3015 case A_GETCAR:
3016 e = AUE_AUDITON_GETCAR;
3017 break;
3018 case A_GETSTAT:
3019 e = AUE_AUDITON_GETSTAT;
3020 break;
3021 case A_SETSTAT:
3022 e = AUE_AUDITON_SETSTAT;
3023 break;
3024 case A_SETUMASK:
3025 e = AUE_AUDITON_SETUMASK;
3026 break;
3027 case A_SETSMASK:
3028 e = AUE_AUDITON_SETSMASK;
3029 break;
3030 case A_GETCOND:
3031 e = AUE_AUDITON_GETCOND;
3032 break;
3033 case A_SETCOND:
3034 e = AUE_AUDITON_SETCOND;
3035 break;
3036 case A_GETCLASS:
3037 e = AUE_AUDITON_GETCLASS;
3038 break;
3039 case A_SETCLASS:
3040 e = AUE_AUDITON_SETCLASS;
3041 break;
3042 case A_GETPINFO:
3043 case A_GETPINFO_ADDR:
3044 e = AUE_AUDITON_GETPINFO;
3045 break;
3046 case A_SETPMASK:
3047 e = AUE_AUDITON_SETPMASK;
3048 break;
3049 case A_GETKAUDIT:
3050 e = AUE_AUDITON_GETKAUDIT;
3051 break;
3052 case A_SETKAUDIT:
3053 e = AUE_AUDITON_SETKAUDIT;
3054 break;
3055 default:
3056 e = AUE_AUDITON_OTHER;
3057 break;
3058 }
3059 break;
3060 default:
3061 e = AUE_NULL;
3062 break;
3063 }
3064
3065 return (e);
3066
3067 } /* AUI_AUDITSYS */
3068
3069
3070 static void
3071 aus_auditsys(struct t_audit_data *tad)
3072 {
3073 klwp_t *clwp = ttolwp(curthread);
3074 uintptr_t a1, a2;
3075 STRUCT_DECL(auditinfo, ainfo);
3076 STRUCT_DECL(auditinfo_addr, ainfo_addr);
3077 STRUCT_DECL(auditpinfo, apinfo);
3078 au_evclass_map_t event;
3079 au_mask_t mask;
3080 int auditstate, policy;
3081 au_id_t auid;
3082
3083
3084 struct a {
3085 long code;
3086 long a1;
3087 long a2;
3088 long a3;
3089 long a4;
3090 long a5;
3091 long a6;
3092 long a7;
3093 } *uap = (struct a *)clwp->lwp_ap;
3094
3095 a1 = (uintptr_t)uap->a1;
3096 a2 = (uintptr_t)uap->a2;
3097
3098 switch (tad->tad_event) {
3099 case AUE_SETAUID:
3100 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3101 return;
3102 au_uwrite(au_to_arg32(2, "setauid", auid));
3103 break;
3104 case AUE_SETAUDIT:
3105 STRUCT_INIT(ainfo, get_udatamodel());
3106 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3107 STRUCT_SIZE(ainfo))) {
3108 return;
3109 }
3110 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3111 (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3112 #ifdef _LP64
3113 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3114 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3115 #else
3116 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3117 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3118 #endif
3119 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3120 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3121 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3122 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3123 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3124 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3125 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3126 (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3127 break;
3128 case AUE_SETAUDIT_ADDR:
3129 STRUCT_INIT(ainfo_addr, get_udatamodel());
3130 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3131 STRUCT_SIZE(ainfo_addr))) {
3132 return;
3133 }
3134 au_uwrite(au_to_arg32((char)1, "auid",
3135 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3136 #ifdef _LP64
3137 au_uwrite(au_to_arg64((char)1, "port",
3138 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3139 #else
3140 au_uwrite(au_to_arg32((char)1, "port",
3141 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3142 #endif
3143 au_uwrite(au_to_arg32((char)1, "type",
3144 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3145 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3146 AU_IPv4) {
3147 au_uwrite(au_to_in_addr(
3148 (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3149 ai_termid.at_addr)));
3150 } else {
3151 au_uwrite(au_to_in_addr_ex(
3152 (int32_t *)STRUCT_FGETP(ainfo_addr,
3153 ai_termid.at_addr)));
3154 }
3155 au_uwrite(au_to_arg32((char)1, "as_success",
3156 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3157 au_uwrite(au_to_arg32((char)1, "as_failure",
3158 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3159 au_uwrite(au_to_arg32((char)1, "asid",
3160 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3161 break;
3162 case AUE_AUDITON_SETAMASK:
3163 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3164 return;
3165 au_uwrite(au_to_arg32(
3166 2, "setamask:as_success", (uint32_t)mask.as_success));
3167 au_uwrite(au_to_arg32(
3168 2, "setamask:as_failure", (uint32_t)mask.as_failure));
3169 break;
3170 case AUE_AUDITON_SETKMASK:
3171 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3172 return;
3173 au_uwrite(au_to_arg32(
3174 2, "setkmask:as_success", (uint32_t)mask.as_success));
3175 au_uwrite(au_to_arg32(
3176 2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3177 break;
3178 case AUE_AUDITON_SPOLICY:
3179 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3180 return;
3181 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3182 break;
3183 case AUE_AUDITON_SQCTRL: {
3184 STRUCT_DECL(au_qctrl, qctrl);
3185 model_t model;
3186
3187 model = get_udatamodel();
3188 STRUCT_INIT(qctrl, model);
3189 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3190 return;
3191 if (model == DATAMODEL_ILP32) {
3192 au_uwrite(au_to_arg32(
3193 3, "setqctrl:aq_hiwater",
3194 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3195 au_uwrite(au_to_arg32(
3196 3, "setqctrl:aq_lowater",
3197 (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3198 au_uwrite(au_to_arg32(
3199 3, "setqctrl:aq_bufsz",
3200 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3201 au_uwrite(au_to_arg32(
3202 3, "setqctrl:aq_delay",
3203 (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3204 } else {
3205 au_uwrite(au_to_arg64(
3206 3, "setqctrl:aq_hiwater",
3207 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3208 au_uwrite(au_to_arg64(
3209 3, "setqctrl:aq_lowater",
3210 (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3211 au_uwrite(au_to_arg64(
3212 3, "setqctrl:aq_bufsz",
3213 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3214 au_uwrite(au_to_arg64(
3215 3, "setqctrl:aq_delay",
3216 (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3217 }
3218 break;
3219 }
3220 case AUE_AUDITON_SETUMASK:
3221 STRUCT_INIT(ainfo, get_udatamodel());
3222 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3223 STRUCT_SIZE(ainfo))) {
3224 return;
3225 }
3226 au_uwrite(au_to_arg32(3, "setumask:as_success",
3227 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3228 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3229 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3230 break;
3231 case AUE_AUDITON_SETSMASK:
3232 STRUCT_INIT(ainfo, get_udatamodel());
3233 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3234 STRUCT_SIZE(ainfo))) {
3235 return;
3236 }
3237 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3238 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3239 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3240 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3241 break;
3242 case AUE_AUDITON_SETCOND:
3243 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3244 return;
3245 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3246 break;
3247 case AUE_AUDITON_SETCLASS:
3248 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3249 return;
3250 au_uwrite(au_to_arg32(
3251 2, "setclass:ec_event", (uint32_t)event.ec_number));
3252 au_uwrite(au_to_arg32(
3253 3, "setclass:ec_class", (uint32_t)event.ec_class));
3254 break;
3255 case AUE_AUDITON_SETPMASK:
3256 STRUCT_INIT(apinfo, get_udatamodel());
3257 if (copyin((caddr_t)uap->a2, STRUCT_BUF(apinfo),
3258 STRUCT_SIZE(apinfo))) {
3259 return;
3260 }
3261 au_uwrite(au_to_arg32(3, "setpmask:pid",
3262 (uint32_t)STRUCT_FGET(apinfo, ap_pid)));
3263 au_uwrite(au_to_arg32(3, "setpmask:as_success",
3264 (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_success)));
3265 au_uwrite(au_to_arg32(3, "setpmask:as_failure",
3266 (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_failure)));
3267 break;
3268 case AUE_AUDITON_SETKAUDIT:
3269 STRUCT_INIT(ainfo_addr, get_udatamodel());
3270 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3271 STRUCT_SIZE(ainfo_addr))) {
3272 return;
3273 }
3274 au_uwrite(au_to_arg32((char)1, "auid",
3275 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3276 #ifdef _LP64
3277 au_uwrite(au_to_arg64((char)1, "port",
3278 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3279 #else
3280 au_uwrite(au_to_arg32((char)1, "port",
3281 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3282 #endif
3283 au_uwrite(au_to_arg32((char)1, "type",
3284 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3285 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3286 AU_IPv4) {
3287 au_uwrite(au_to_in_addr(
3288 (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3289 ai_termid.at_addr)));
3290 } else {
3291 au_uwrite(au_to_in_addr_ex(
3292 (int32_t *)STRUCT_FGETP(ainfo_addr,
3293 ai_termid.at_addr)));
3294 }
3295 au_uwrite(au_to_arg32((char)1, "as_success",
3296 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3297 au_uwrite(au_to_arg32((char)1, "as_failure",
3298 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3299 au_uwrite(au_to_arg32((char)1, "asid",
3300 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3301 break;
3302 case AUE_GETAUID:
3303 case AUE_GETAUDIT:
3304 case AUE_GETAUDIT_ADDR:
3305 case AUE_AUDIT:
3306 case AUE_AUDITON_GPOLICY:
3307 case AUE_AUDITON_GQCTRL:
3308 case AUE_AUDITON_GETAMASK:
3309 case AUE_AUDITON_GETKMASK:
3310 case AUE_AUDITON_GETCWD:
3311 case AUE_AUDITON_GETCAR:
3312 case AUE_AUDITON_GETSTAT:
3313 case AUE_AUDITON_SETSTAT:
3314 case AUE_AUDITON_GETCOND:
3315 case AUE_AUDITON_GETCLASS:
3316 case AUE_AUDITON_GETPINFO:
3317 case AUE_AUDITON_GETKAUDIT:
3318 case AUE_AUDITON_OTHER:
3319 break;
3320 default:
3321 break;
3322 }
3323
3324 } /* AUS_AUDITSYS */
3325
3326
3327 /* only audit privileged operations for systeminfo(2) system call */
3328 static au_event_t
3329 aui_sysinfo(au_event_t e)
3330 {
3331 klwp_t *clwp = ttolwp(curthread);
3332 uint32_t command;
3333
3334 struct a {
3335 long command;
3336 long buf; /* char * */
3337 long count;
3338 } *uap = (struct a *)clwp->lwp_ap;
3339
3340 command = (uint32_t)uap->command;
3341
3342 switch (command) {
3343 case SI_SET_HOSTNAME:
3344 case SI_SET_SRPC_DOMAIN:
3345 e = (au_event_t)AUE_SYSINFO;
3346 break;
3347 default:
3348 e = (au_event_t)AUE_NULL;
3349 break;
3350 }
3351 return (e);
3352 }
3353
3354 /*ARGSUSED*/
3355 static void
3356 aus_sysinfo(struct t_audit_data *tad)
3357 {
3358 klwp_t *clwp = ttolwp(curthread);
3359 uint32_t command;
3360 size_t len, maxlen;
3361 char *name;
3362 uintptr_t buf;
3363
3364 struct a {
3365 long command;
3366 long buf; /* char * */
3367 long count;
3368 } *uap = (struct a *)clwp->lwp_ap;
3369
3370 command = (uint32_t)uap->command;
3371 buf = (uintptr_t)uap->buf;
3372
3373 au_uwrite(au_to_arg32(1, "cmd", command));
3374
3375 switch (command) {
3376 case SI_SET_HOSTNAME:
3377 {
3378 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3379 return;
3380
3381 maxlen = SYS_NMLN;
3382 name = kmem_alloc(maxlen, KM_SLEEP);
3383 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3384 break;
3385
3386 /*
3387 * Must be non-NULL string and string
3388 * must be less than SYS_NMLN chars.
3389 */
3390 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3391 break;
3392
3393 au_uwrite(au_to_text(name));
3394 break;
3395 }
3396
3397 case SI_SET_SRPC_DOMAIN:
3398 {
3399 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3400 return;
3401
3402 maxlen = SYS_NMLN;
3403 name = kmem_alloc(maxlen, KM_SLEEP);
3404 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3405 break;
3406
3407 /*
3408 * If string passed in is longer than length
3409 * allowed for domain name, fail.
3410 */
3411 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3412 break;
3413
3414 au_uwrite(au_to_text(name));
3415 break;
3416 }
3417
3418 default:
3419 return;
3420 }
3421
3422 kmem_free(name, maxlen);
3423 }
3424
3425 static au_event_t
3426 aui_modctl(au_event_t e)
3427 {
3428 klwp_t *clwp = ttolwp(curthread);
3429 uint_t cmd;
3430
3431 struct a {
3432 long cmd;
3433 } *uap = (struct a *)clwp->lwp_ap;
3434
3435 cmd = (uint_t)uap->cmd;
3436
3437 switch (cmd) {
3438 case MODLOAD:
3439 e = AUE_MODLOAD;
3440 break;
3441 case MODUNLOAD:
3442 e = AUE_MODUNLOAD;
3443 break;
3444 case MODADDMAJBIND:
3445 e = AUE_MODADDMAJ;
3446 break;
3447 case MODSETDEVPOLICY:
3448 e = AUE_MODDEVPLCY;
3449 break;
3450 case MODALLOCPRIV:
3451 e = AUE_MODADDPRIV;
3452 break;
3453 default:
3454 e = AUE_NULL;
3455 break;
3456 }
3457 return (e);
3458 }
3459
3460
3461 /*ARGSUSED*/
3462 static void
3463 aus_modctl(struct t_audit_data *tad)
3464 {
3465 klwp_t *clwp = ttolwp(curthread);
3466 void *a = clwp->lwp_ap;
3467 uint_t use_path;
3468
3469 switch (tad->tad_event) {
3470 case AUE_MODLOAD: {
3471 typedef struct {
3472 long cmd;
3473 long use_path;
3474 long filename; /* char * */
3475 } modloada_t;
3476
3477 char *filenamep;
3478 uintptr_t fname;
3479 extern char *default_path;
3480
3481 fname = (uintptr_t)((modloada_t *)a)->filename;
3482 use_path = (uint_t)((modloada_t *)a)->use_path;
3483
3484 /* space to hold path */
3485 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3486 /* get string */
3487 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3488 /* free allocated path */
3489 kmem_free(filenamep, MOD_MAXPATH);
3490 return;
3491 }
3492 /* ensure it's null terminated */
3493 filenamep[MOD_MAXPATH - 1] = 0;
3494
3495 if (use_path)
3496 au_uwrite(au_to_text(default_path));
3497 au_uwrite(au_to_text(filenamep));
3498
3499 /* release temporary memory */
3500 kmem_free(filenamep, MOD_MAXPATH);
3501 break;
3502 }
3503 case AUE_MODUNLOAD: {
3504 typedef struct {
3505 long cmd;
3506 long id;
3507 } modunloada_t;
3508
3509 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3510
3511 au_uwrite(au_to_arg32(1, "id", id));
3512 break;
3513 }
3514 case AUE_MODADDMAJ: {
3515 STRUCT_DECL(modconfig, mc);
3516 typedef struct {
3517 long cmd;
3518 long subcmd;
3519 long data; /* int * */
3520 } modconfiga_t;
3521
3522 STRUCT_DECL(aliases, alias);
3523 caddr_t ap;
3524 int i, num_aliases;
3525 char *drvname, *mc_drvname;
3526 char *name;
3527 extern char *ddi_major_to_name(major_t);
3528 model_t model;
3529
3530 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3531
3532 model = get_udatamodel();
3533 STRUCT_INIT(mc, model);
3534 /* sanitize buffer */
3535 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3536 /* get user arguments */
3537 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3538 STRUCT_SIZE(mc)) != 0)
3539 return;
3540
3541 mc_drvname = STRUCT_FGET(mc, drvname);
3542 if ((drvname = ddi_major_to_name(
3543 (major_t)STRUCT_FGET(mc, major))) != NULL &&
3544 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3545 /* safety */
3546 if (mc_drvname[0] != '\0') {
3547 mc_drvname[MAXMODCONFNAME-1] = '\0';
3548 au_uwrite(au_to_text(mc_drvname));
3549 }
3550 /* drvname != NULL from test above */
3551 au_uwrite(au_to_text(drvname));
3552 return;
3553 }
3554
3555 if (mc_drvname[0] != '\0') {
3556 /* safety */
3557 mc_drvname[MAXMODCONFNAME-1] = '\0';
3558 au_uwrite(au_to_text(mc_drvname));
3559 } else
3560 au_uwrite(au_to_text("no drvname"));
3561
3562 num_aliases = STRUCT_FGET(mc, num_aliases);
3563 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3564 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3565 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3566 STRUCT_INIT(alias, model);
3567 for (i = 0; i < num_aliases; i++) {
3568 bzero((caddr_t)STRUCT_BUF(alias),
3569 STRUCT_SIZE(alias));
3570 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3571 STRUCT_SIZE(alias)) != 0)
3572 break;
3573 if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3574 MAXMODCONFNAME, NULL) != 0) {
3575 break;
3576 }
3577
3578 au_uwrite(au_to_text(name));
3579 ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3580 }
3581 kmem_free(name, MAXMODCONFNAME);
3582 break;
3583 }
3584 default:
3585 break;
3586 }
3587 }
3588
3589
3590 /*ARGSUSED*/
3591 static void
3592 auf_accept(
3593 struct t_audit_data *tad,
3594 int error,
3595 rval_t *rval)
3596 {
3597 uint32_t scid;
3598 uint32_t sy_flags;
3599 int fd;
3600 struct sonode *so;
3601 char so_laddr[sizeof (struct sockaddr_in6)];
3602 char so_faddr[sizeof (struct sockaddr_in6)];
3603 int err;
3604 short so_family, so_type;
3605 int add_sock_token = 0;
3606
3607 /* need to determine type of executing binary */
3608 scid = tad->tad_scid;
3609 #ifdef _SYSCALL32_IMPL
3610 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3611 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3612 else
3613 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3614 #else
3615 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3616 #endif
3617 switch (sy_flags) {
3618 case SE_32RVAL1:
3619 /* FALLTHRU */
3620 case SE_32RVAL2|SE_32RVAL1:
3621 fd = rval->r_val1;
3622 break;
3623 case SE_64RVAL:
3624 fd = (int)rval->r_vals;
3625 break;
3626 default:
3627 /*
3628 * should never happen, seems to be an internal error
3629 * in sysent => no fd, nothing to audit here, returning
3630 */
3631 return;
3632 }
3633
3634 if (error) {
3635 /* can't trust socket contents. Just return */
3636 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3637 return;
3638 }
3639
3640 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3641 /*
3642 * not security relevant if doing a accept from non socket
3643 * so no extra tokens. Should probably turn off audit record
3644 * generation here.
3645 */
3646 return;
3647 }
3648
3649 so_family = so->so_family;
3650 so_type = so->so_type;
3651
3652 switch (so_family) {
3653 case AF_INET:
3654 case AF_INET6:
3655 /*
3656 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3657 */
3658 if (so->so_type == SOCK_STREAM) {
3659 socklen_t len;
3660
3661 bzero((void *)so_laddr, sizeof (so_laddr));
3662 bzero((void *)so_faddr, sizeof (so_faddr));
3663
3664 len = sizeof (so_laddr);
3665 (void) socket_getsockname(so,
3666 (struct sockaddr *)so_laddr, &len, CRED());
3667 len = sizeof (so_faddr);
3668 (void) socket_getpeername(so,
3669 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3670
3671 add_sock_token = 1;
3672 }
3673 break;
3674
3675 default:
3676 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3677 break;
3678 }
3679
3680 releasef(fd);
3681
3682 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3683
3684 if (add_sock_token == 0) {
3685 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3686 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3687 return;
3688 }
3689
3690 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3691
3692 }
3693
3694 /*ARGSUSED*/
3695 static void
3696 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3697 {
3698 struct a {
3699 long fd;
3700 long addr;
3701 long len;
3702 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3703
3704 struct sonode *so;
3705 char so_laddr[sizeof (struct sockaddr_in6)];
3706 char so_faddr[sizeof (struct sockaddr_in6)];
3707 int err, fd;
3708 socklen_t len;
3709 short so_family, so_type;
3710 int add_sock_token = 0;
3711
3712 fd = (int)uap->fd;
3713
3714 /*
3715 * bind failed, then nothing extra to add to audit record.
3716 */
3717 if (error) {
3718 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3719 /* XXX may want to add failed address some day */
3720 return;
3721 }
3722
3723 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3724 /*
3725 * not security relevant if doing a bind from non socket
3726 * so no extra tokens. Should probably turn off audit record
3727 * generation here.
3728 */
3729 return;
3730 }
3731
3732 so_family = so->so_family;
3733 so_type = so->so_type;
3734
3735 switch (so_family) {
3736 case AF_INET:
3737 case AF_INET6:
3738
3739 bzero(so_faddr, sizeof (so_faddr));
3740 len = sizeof (so_faddr);
3741
3742 (void) socket_getpeername(so,
3743 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3744 add_sock_token = 1;
3745
3746 break;
3747
3748 case AF_UNIX:
3749 /* token added by lookup */
3750 break;
3751 default:
3752 /* AF_ROUTE, AF_KEY do not support accept */
3753 break;
3754 }
3755
3756 releasef(fd);
3757
3758 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3759
3760 if (add_sock_token == 0) {
3761 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3762 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3763 return;
3764 }
3765
3766 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3767
3768 }
3769
3770 /*ARGSUSED*/
3771 static void
3772 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3773 {
3774 struct a {
3775 long fd;
3776 long addr;
3777 long len;
3778 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3779
3780 struct sonode *so;
3781 char so_laddr[sizeof (struct sockaddr_in6)];
3782 char so_faddr[sizeof (struct sockaddr_in6)];
3783 int err, fd;
3784 socklen_t len;
3785 short so_family, so_type;
3786 int add_sock_token = 0;
3787
3788 fd = (int)uap->fd;
3789
3790
3791 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3792 /*
3793 * not security relevant if doing a connect from non socket
3794 * so no extra tokens. Should probably turn off audit record
3795 * generation here.
3796 */
3797 return;
3798 }
3799
3800 so_family = so->so_family;
3801 so_type = so->so_type;
3802
3803 switch (so_family) {
3804 case AF_INET:
3805 case AF_INET6:
3806
3807 bzero(so_laddr, sizeof (so_laddr));
3808 bzero(so_faddr, sizeof (so_faddr));
3809
3810 len = sizeof (so_laddr);
3811 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3812 &len, CRED());
3813 if (error) {
3814 if (uap->addr == 0)
3815 break;
3816 if (uap->len <= 0)
3817 break;
3818 len = min(uap->len, sizeof (so_faddr));
3819 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3820 break;
3821 #ifdef NOTYET
3822 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3823 #endif
3824 } else {
3825 /* sanity check on length */
3826 len = sizeof (so_faddr);
3827 (void) socket_getpeername(so,
3828 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3829 }
3830
3831 add_sock_token = 1;
3832
3833 break;
3834
3835 case AF_UNIX:
3836 /* does a lookup on name */
3837 break;
3838
3839 default:
3840 /* AF_ROUTE, AF_KEY do not support accept */
3841 break;
3842 }
3843
3844 releasef(fd);
3845
3846 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3847
3848 if (add_sock_token == 0) {
3849 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3850 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3851 return;
3852 }
3853
3854 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3855
3856 }
3857
3858 /*ARGSUSED*/
3859 static void
3860 aus_shutdown(struct t_audit_data *tad)
3861 {
3862 struct a {
3863 long fd;
3864 long how;
3865 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3866
3867 struct sonode *so;
3868 char so_laddr[sizeof (struct sockaddr_in6)];
3869 char so_faddr[sizeof (struct sockaddr_in6)];
3870 int err, fd;
3871 socklen_t len;
3872 short so_family, so_type;
3873 int add_sock_token = 0;
3874 file_t *fp; /* unix domain sockets */
3875 struct f_audit_data *fad; /* unix domain sockets */
3876
3877 fd = (int)uap->fd;
3878
3879 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3880 /*
3881 * not security relevant if doing a shutdown using non socket
3882 * so no extra tokens. Should probably turn off audit record
3883 * generation here.
3884 */
3885 return;
3886 }
3887
3888 so_family = so->so_family;
3889 so_type = so->so_type;
3890
3891 switch (so_family) {
3892 case AF_INET:
3893 case AF_INET6:
3894
3895 bzero(so_laddr, sizeof (so_laddr));
3896 bzero(so_faddr, sizeof (so_faddr));
3897
3898 len = sizeof (so_laddr);
3899 (void) socket_getsockname(so,
3900 (struct sockaddr *)so_laddr, &len, CRED());
3901 len = sizeof (so_faddr);
3902 (void) socket_getpeername(so,
3903 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3904
3905 add_sock_token = 1;
3906
3907 break;
3908
3909 case AF_UNIX:
3910
3911 /* get path from file struct here */
3912 fad = F2A(fp);
3913 ASSERT(fad);
3914
3915 if (fad->fad_aupath != NULL) {
3916 au_uwrite(au_to_path(fad->fad_aupath));
3917 } else {
3918 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3919 }
3920
3921 audit_attributes(fp->f_vnode);
3922
3923 break;
3924
3925 default:
3926 /*
3927 * AF_KEY and AF_ROUTE support shutdown. No socket token
3928 * added.
3929 */
3930 break;
3931 }
3932
3933 releasef(fd);
3934
3935 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3936
3937 if (add_sock_token == 0) {
3938 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3939 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3940 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3941 return;
3942 }
3943
3944 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3945
3946 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3947
3948 }
3949
3950 /*ARGSUSED*/
3951 static void
3952 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3953 {
3954 struct a {
3955 long fd;
3956 long level;
3957 long optname;
3958 long *optval;
3959 long optlen;
3960 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3961
3962 struct sonode *so;
3963 char so_laddr[sizeof (struct sockaddr_in6)];
3964 char so_faddr[sizeof (struct sockaddr_in6)];
3965 char val[AU_BUFSIZE];
3966 int err, fd;
3967 socklen_t len;
3968 short so_family, so_type;
3969 int add_sock_token = 0;
3970 file_t *fp; /* unix domain sockets */
3971 struct f_audit_data *fad; /* unix domain sockets */
3972
3973 fd = (int)uap->fd;
3974
3975 if (error) {
3976 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3977 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3978 /* XXX may want to include other arguments */
3979 return;
3980 }
3981
3982 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3983 /*
3984 * not security relevant if doing a setsockopt from non socket
3985 * so no extra tokens. Should probably turn off audit record
3986 * generation here.
3987 */
3988 return;
3989 }
3990
3991 so_family = so->so_family;
3992 so_type = so->so_type;
3993
3994 switch (so_family) {
3995 case AF_INET:
3996 case AF_INET6:
3997 bzero((void *)so_laddr, sizeof (so_laddr));
3998 bzero((void *)so_faddr, sizeof (so_faddr));
3999
4000 /* get local and foreign addresses */
4001 len = sizeof (so_laddr);
4002 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
4003 &len, CRED());
4004 len = sizeof (so_faddr);
4005 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
4006 &len, B_FALSE, CRED());
4007
4008 add_sock_token = 1;
4009
4010 break;
4011
4012 case AF_UNIX:
4013
4014 /* get path from file struct here */
4015 fad = F2A(fp);
4016 ASSERT(fad);
4017
4018 if (fad->fad_aupath != NULL) {
4019 au_uwrite(au_to_path(fad->fad_aupath));
4020 } else {
4021 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4022 }
4023
4024 audit_attributes(fp->f_vnode);
4025
4026 break;
4027
4028 default:
4029 /*
4030 * AF_KEY and AF_ROUTE support setsockopt. No socket token
4031 * added.
4032 */
4033 break;
4034 }
4035
4036 releasef(fd);
4037
4038 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4039
4040 if (add_sock_token == 0) {
4041 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
4042 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
4043 }
4044 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
4045 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
4046
4047 bzero(val, sizeof (val));
4048 len = min(uap->optlen, sizeof (val));
4049 if ((len > 0) &&
4050 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
4051 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
4052 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
4053 }
4054
4055 if (add_sock_token == 0)
4056 return;
4057
4058 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4059
4060 }
4061
4062 /*ARGSUSED*/
4063 static void
4064 aus_sockconfig(struct t_audit_data *tad)
4065 {
4066 struct a {
4067 long cmd;
4068 long arg1;
4069 long arg2;
4070 long arg3;
4071 long arg4;
4072 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4073
4074 char *buf;
4075 int buflen;
4076 size_t size;
4077
4078 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4079 switch (uap->cmd) {
4080 case SOCKCONFIG_ADD_SOCK:
4081 case SOCKCONFIG_REMOVE_SOCK:
4082 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4083 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4084 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4085
4086 if (uap->arg4 == 0) {
4087 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4088 } else {
4089 buflen = MAXPATHLEN + 1;
4090 buf = kmem_alloc(buflen, KM_SLEEP);
4091 if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4092 &size)) {
4093 kmem_free(buf, buflen);
4094 return;
4095 }
4096
4097 if (size > MAXPATHLEN) {
4098 kmem_free(buf, buflen);
4099 return;
4100 }
4101
4102 au_uwrite(au_to_text(buf));
4103 kmem_free(buf, buflen);
4104 }
4105 break;
4106 case SOCKCONFIG_ADD_FILTER:
4107 case SOCKCONFIG_REMOVE_FILTER:
4108 buflen = FILNAME_MAX;
4109 buf = kmem_alloc(buflen, KM_SLEEP);
4110
4111 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4112 kmem_free(buf, buflen);
4113 return;
4114 }
4115
4116 au_uwrite(au_to_text(buf));
4117 kmem_free(buf, buflen);
4118 break;
4119 default:
4120 break;
4121 }
4122 }
4123
4124 /*
4125 * only audit recvmsg when the system call represents the creation of a new
4126 * circuit. This effectively occurs for all UDP packets and may occur for
4127 * special TCP situations where the local host has not set a local address
4128 * in the socket structure.
4129 */
4130 /*ARGSUSED*/
4131 static void
4132 auf_recvmsg(
4133 struct t_audit_data *tad,
4134 int error,
4135 rval_t *rvp)
4136 {
4137 struct a {
4138 long fd;
4139 long msg; /* struct msghdr */
4140 long flags;
4141 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4142
4143 struct sonode *so;
4144 STRUCT_DECL(msghdr, msg);
4145 caddr_t msg_name;
4146 socklen_t msg_namelen;
4147 int fd;
4148 int err;
4149 char so_laddr[sizeof (struct sockaddr_in6)];
4150 char so_faddr[sizeof (struct sockaddr_in6)];
4151 socklen_t len;
4152 file_t *fp; /* unix domain sockets */
4153 struct f_audit_data *fad; /* unix domain sockets */
4154 short so_family, so_type;
4155 int add_sock_token = 0;
4156 au_kcontext_t *kctx = GET_KCTX_PZ;
4157
4158 fd = (int)uap->fd;
4159
4160 /* bail if an error */
4161 if (error) {
4162 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4163 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4164 return;
4165 }
4166
4167 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4168 /*
4169 * not security relevant if doing a recvmsg from non socket
4170 * so no extra tokens. Should probably turn off audit record
4171 * generation here.
4172 */
4173 return;
4174 }
4175
4176 so_family = so->so_family;
4177 so_type = so->so_type;
4178
4179 /*
4180 * only putout SOCKET_EX token if INET/INET6 family.
4181 * XXX - what do we do about other families?
4182 */
4183
4184 switch (so_family) {
4185 case AF_INET:
4186 case AF_INET6:
4187
4188 /*
4189 * if datagram type socket, then just use what is in
4190 * socket structure for local address.
4191 * XXX - what do we do for other types?
4192 */
4193 if ((so->so_type == SOCK_DGRAM) ||
4194 (so->so_type == SOCK_RAW)) {
4195 add_sock_token = 1;
4196
4197 bzero((void *)so_laddr, sizeof (so_laddr));
4198 bzero((void *)so_faddr, sizeof (so_faddr));
4199
4200 /* get local address */
4201 len = sizeof (so_laddr);
4202 (void) socket_getsockname(so,
4203 (struct sockaddr *)so_laddr, &len, CRED());
4204
4205 /* get peer address */
4206 STRUCT_INIT(msg, get_udatamodel());
4207
4208 if (copyin((caddr_t)(uap->msg),
4209 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4210 break;
4211 }
4212 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4213 if (msg_name == NULL) {
4214 break;
4215 }
4216
4217 /* length is value from recvmsg - sanity check */
4218 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4219 if (msg_namelen == 0) {
4220 break;
4221 }
4222 if (copyin(msg_name, so_faddr,
4223 sizeof (so_faddr)) != 0) {
4224 break;
4225 }
4226
4227 } else if (so->so_type == SOCK_STREAM) {
4228
4229 /* get path from file struct here */
4230 fad = F2A(fp);
4231 ASSERT(fad);
4232
4233 /*
4234 * already processed this file for read attempt
4235 */
4236 if (fad->fad_flags & FAD_READ) {
4237 /* don't want to audit every recvmsg attempt */
4238 tad->tad_flag = 0;
4239 /* free any residual audit data */
4240 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4241 releasef(fd);
4242 return;
4243 }
4244 /*
4245 * mark things so we know what happened and don't
4246 * repeat things
4247 */
4248 fad->fad_flags |= FAD_READ;
4249
4250 bzero((void *)so_laddr, sizeof (so_laddr));
4251 bzero((void *)so_faddr, sizeof (so_faddr));
4252
4253 /* get local and foreign addresses */
4254 len = sizeof (so_laddr);
4255 (void) socket_getsockname(so,
4256 (struct sockaddr *)so_laddr, &len, CRED());
4257 len = sizeof (so_faddr);
4258 (void) socket_getpeername(so,
4259 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4260
4261 add_sock_token = 1;
4262 }
4263
4264 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4265
4266 break;
4267
4268 case AF_UNIX:
4269 /*
4270 * first check if this is first time through. Too much
4271 * duplicate code to put this in an aui_ routine.
4272 */
4273
4274 /* get path from file struct here */
4275 fad = F2A(fp);
4276 ASSERT(fad);
4277
4278 /*
4279 * already processed this file for read attempt
4280 */
4281 if (fad->fad_flags & FAD_READ) {
4282 releasef(fd);
4283 /* don't want to audit every recvmsg attempt */
4284 tad->tad_flag = 0;
4285 /* free any residual audit data */
4286 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4287 return;
4288 }
4289 /*
4290 * mark things so we know what happened and don't
4291 * repeat things
4292 */
4293 fad->fad_flags |= FAD_READ;
4294
4295 if (fad->fad_aupath != NULL) {
4296 au_uwrite(au_to_path(fad->fad_aupath));
4297 } else {
4298 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4299 }
4300
4301 audit_attributes(fp->f_vnode);
4302
4303 releasef(fd);
4304
4305 return;
4306
4307 default:
4308 break;
4309
4310 }
4311
4312 releasef(fd);
4313
4314 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4315
4316 if (add_sock_token == 0) {
4317 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4318 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4319 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4320 return;
4321 }
4322
4323 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4324
4325 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4326
4327 }
4328
4329 /*ARGSUSED*/
4330 static void
4331 auf_recvfrom(
4332 struct t_audit_data *tad,
4333 int error,
4334 rval_t *rvp)
4335 {
4336
4337 struct a {
4338 long fd;
4339 long msg; /* char */
4340 long len;
4341 long flags;
4342 long from; /* struct sockaddr */
4343 long fromlen;
4344 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4345
4346 socklen_t fromlen;
4347 struct sonode *so;
4348 char so_laddr[sizeof (struct sockaddr_in6)];
4349 char so_faddr[sizeof (struct sockaddr_in6)];
4350 int fd;
4351 short so_family, so_type;
4352 int add_sock_token = 0;
4353 socklen_t len;
4354 int err;
4355 struct file *fp;
4356 struct f_audit_data *fad; /* unix domain sockets */
4357 au_kcontext_t *kctx = GET_KCTX_PZ;
4358
4359 fd = (int)uap->fd;
4360
4361 /* bail if an error */
4362 if (error) {
4363 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4364 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4365 return;
4366 }
4367
4368 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4369 /*
4370 * not security relevant if doing a recvmsg from non socket
4371 * so no extra tokens. Should probably turn off audit record
4372 * generation here.
4373 */
4374 return;
4375 }
4376
4377 so_family = so->so_family;
4378 so_type = so->so_type;
4379
4380 /*
4381 * only putout SOCKET_EX token if INET/INET6 family.
4382 * XXX - what do we do about other families?
4383 */
4384
4385 switch (so_family) {
4386 case AF_INET:
4387 case AF_INET6:
4388
4389 /*
4390 * if datagram type socket, then just use what is in
4391 * socket structure for local address.
4392 * XXX - what do we do for other types?
4393 */
4394 if ((so->so_type == SOCK_DGRAM) ||
4395 (so->so_type == SOCK_RAW)) {
4396 add_sock_token = 1;
4397
4398 /* get local address */
4399 len = sizeof (so_laddr);
4400 (void) socket_getsockname(so,
4401 (struct sockaddr *)so_laddr, &len, CRED());
4402
4403 /* get peer address */
4404 bzero((void *)so_faddr, sizeof (so_faddr));
4405
4406 /* sanity check */
4407 if (uap->from == 0)
4408 break;
4409
4410 /* sanity checks */
4411 if (uap->fromlen == 0)
4412 break;
4413
4414 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4415 sizeof (fromlen)) != 0)
4416 break;
4417
4418 if (fromlen == 0)
4419 break;
4420
4421 /* enforce maximum size */
4422 if (fromlen > sizeof (so_faddr))
4423 fromlen = sizeof (so_faddr);
4424
4425 if (copyin((caddr_t)(uap->from), so_faddr,
4426 fromlen) != 0)
4427 break;
4428
4429 } else if (so->so_type == SOCK_STREAM) {
4430
4431 /* get path from file struct here */
4432 fad = F2A(fp);
4433 ASSERT(fad);
4434
4435 /*
4436 * already processed this file for read attempt
4437 */
4438 if (fad->fad_flags & FAD_READ) {
4439 /* don't want to audit every recvfrom attempt */
4440 tad->tad_flag = 0;
4441 /* free any residual audit data */
4442 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4443 releasef(fd);
4444 return;
4445 }
4446 /*
4447 * mark things so we know what happened and don't
4448 * repeat things
4449 */
4450 fad->fad_flags |= FAD_READ;
4451
4452 bzero((void *)so_laddr, sizeof (so_laddr));
4453 bzero((void *)so_faddr, sizeof (so_faddr));
4454
4455 /* get local and foreign addresses */
4456 len = sizeof (so_laddr);
4457 (void) socket_getsockname(so,
4458 (struct sockaddr *)so_laddr, &len, CRED());
4459 len = sizeof (so_faddr);
4460 (void) socket_getpeername(so,
4461 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4462
4463 add_sock_token = 1;
4464 }
4465
4466 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4467
4468 break;
4469
4470 case AF_UNIX:
4471 /*
4472 * first check if this is first time through. Too much
4473 * duplicate code to put this in an aui_ routine.
4474 */
4475
4476 /* get path from file struct here */
4477 fad = F2A(fp);
4478 ASSERT(fad);
4479
4480 /*
4481 * already processed this file for read attempt
4482 */
4483 if (fad->fad_flags & FAD_READ) {
4484 /* don't want to audit every recvfrom attempt */
4485 tad->tad_flag = 0;
4486 /* free any residual audit data */
4487 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4488 releasef(fd);
4489 return;
4490 }
4491 /*
4492 * mark things so we know what happened and don't
4493 * repeat things
4494 */
4495 fad->fad_flags |= FAD_READ;
4496
4497 if (fad->fad_aupath != NULL) {
4498 au_uwrite(au_to_path(fad->fad_aupath));
4499 } else {
4500 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4501 }
4502
4503 audit_attributes(fp->f_vnode);
4504
4505 releasef(fd);
4506
4507 return;
4508
4509 default:
4510 break;
4511
4512 }
4513
4514 releasef(fd);
4515
4516 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4517
4518 if (add_sock_token == 0) {
4519 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4520 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4521 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4522 return;
4523 }
4524
4525 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4526
4527 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4528 }
4529
4530 /*ARGSUSED*/
4531 static void
4532 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4533 {
4534 struct a {
4535 long fd;
4536 long msg; /* struct msghdr */
4537 long flags;
4538 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4539
4540 struct sonode *so;
4541 char so_laddr[sizeof (struct sockaddr_in6)];
4542 char so_faddr[sizeof (struct sockaddr_in6)];
4543 int err;
4544 int fd;
4545 short so_family, so_type;
4546 int add_sock_token = 0;
4547 socklen_t len;
4548 struct file *fp;
4549 struct f_audit_data *fad;
4550 caddr_t msg_name;
4551 socklen_t msg_namelen;
4552 STRUCT_DECL(msghdr, msg);
4553 au_kcontext_t *kctx = GET_KCTX_PZ;
4554
4555 fd = (int)uap->fd;
4556
4557 /* bail if an error */
4558 if (error) {
4559 /* XXX include destination address from system call arguments */
4560 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4561 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4562 return;
4563 }
4564
4565 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4566 /*
4567 * not security relevant if doing a sendmsg from non socket
4568 * so no extra tokens. Should probably turn off audit record
4569 * generation here.
4570 */
4571 return;
4572 }
4573
4574 so_family = so->so_family;
4575 so_type = so->so_type;
4576
4577 switch (so_family) {
4578 case AF_INET:
4579 case AF_INET6:
4580 /*
4581 * if datagram type socket, then just use what is in
4582 * socket structure for local address.
4583 * XXX - what do we do for other types?
4584 */
4585 if ((so->so_type == SOCK_DGRAM) ||
4586 (so->so_type == SOCK_RAW)) {
4587
4588 bzero((void *)so_laddr, sizeof (so_laddr));
4589 bzero((void *)so_faddr, sizeof (so_faddr));
4590
4591 /* get local address */
4592 len = sizeof (so_laddr);
4593 (void) socket_getsockname(so,
4594 (struct sockaddr *)so_laddr, &len, CRED());
4595
4596 /* get peer address */
4597 STRUCT_INIT(msg, get_udatamodel());
4598
4599 if (copyin((caddr_t)(uap->msg),
4600 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4601 break;
4602 }
4603 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4604 if (msg_name == NULL)
4605 break;
4606
4607 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4608 /* length is value from recvmsg - sanity check */
4609 if (msg_namelen == 0)
4610 break;
4611
4612 if (copyin(msg_name, so_faddr,
4613 sizeof (so_faddr)) != 0)
4614 break;
4615
4616 add_sock_token = 1;
4617
4618 } else if (so->so_type == SOCK_STREAM) {
4619
4620 /* get path from file struct here */
4621 fad = F2A(fp);
4622 ASSERT(fad);
4623
4624 /*
4625 * already processed this file for write attempt
4626 */
4627 if (fad->fad_flags & FAD_WRITE) {
4628 releasef(fd);
4629 /* don't want to audit every sendmsg attempt */
4630 tad->tad_flag = 0;
4631 /* free any residual audit data */
4632 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4633 return;
4634 }
4635
4636 /*
4637 * mark things so we know what happened and don't
4638 * repeat things
4639 */
4640 fad->fad_flags |= FAD_WRITE;
4641
4642 bzero((void *)so_laddr, sizeof (so_laddr));
4643 bzero((void *)so_faddr, sizeof (so_faddr));
4644
4645 /* get local and foreign addresses */
4646 len = sizeof (so_laddr);
4647 (void) socket_getsockname(so,
4648 (struct sockaddr *)so_laddr, &len, CRED());
4649 len = sizeof (so_faddr);
4650 (void) socket_getpeername(so,
4651 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4652
4653 add_sock_token = 1;
4654 }
4655
4656 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4657
4658 break;
4659
4660 case AF_UNIX:
4661 /*
4662 * first check if this is first time through. Too much
4663 * duplicate code to put this in an aui_ routine.
4664 */
4665
4666 /* get path from file struct here */
4667 fad = F2A(fp);
4668 ASSERT(fad);
4669
4670 /*
4671 * already processed this file for write attempt
4672 */
4673 if (fad->fad_flags & FAD_WRITE) {
4674 releasef(fd);
4675 /* don't want to audit every sendmsg attempt */
4676 tad->tad_flag = 0;
4677 /* free any residual audit data */
4678 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4679 return;
4680 }
4681 /*
4682 * mark things so we know what happened and don't
4683 * repeat things
4684 */
4685 fad->fad_flags |= FAD_WRITE;
4686
4687 if (fad->fad_aupath != NULL) {
4688 au_uwrite(au_to_path(fad->fad_aupath));
4689 } else {
4690 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4691 }
4692
4693 audit_attributes(fp->f_vnode);
4694
4695 releasef(fd);
4696
4697 return;
4698
4699 default:
4700 break;
4701 }
4702
4703 releasef(fd);
4704
4705 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4706
4707 if (add_sock_token == 0) {
4708 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4709 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4710 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4711 return;
4712 }
4713
4714 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4715
4716 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4717 }
4718
4719 /*ARGSUSED*/
4720 static void
4721 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4722 {
4723 struct a {
4724 long fd;
4725 long msg; /* char */
4726 long len;
4727 long flags;
4728 long to; /* struct sockaddr */
4729 long tolen;
4730 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4731
4732 struct sonode *so;
4733 char so_laddr[sizeof (struct sockaddr_in6)];
4734 char so_faddr[sizeof (struct sockaddr_in6)];
4735 socklen_t tolen;
4736 int err;
4737 int fd;
4738 socklen_t len;
4739 short so_family, so_type;
4740 int add_sock_token = 0;
4741 struct file *fp;
4742 struct f_audit_data *fad;
4743 au_kcontext_t *kctx = GET_KCTX_PZ;
4744
4745 fd = (int)uap->fd;
4746
4747 /* bail if an error */
4748 if (error) {
4749 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4750 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4751 /* XXX include destination address from system call arguments */
4752 return;
4753 }
4754
4755 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4756 /*
4757 * not security relevant if doing a sendto using non socket
4758 * so no extra tokens. Should probably turn off audit record
4759 * generation here.
4760 */
4761 return;
4762 }
4763
4764 so_family = so->so_family;
4765 so_type = so->so_type;
4766
4767 /*
4768 * only putout SOCKET_EX token if INET/INET6 family.
4769 * XXX - what do we do about other families?
4770 */
4771
4772 switch (so_family) {
4773 case AF_INET:
4774 case AF_INET6:
4775
4776 /*
4777 * if datagram type socket, then just use what is in
4778 * socket structure for local address.
4779 * XXX - what do we do for other types?
4780 */
4781 if ((so->so_type == SOCK_DGRAM) ||
4782 (so->so_type == SOCK_RAW)) {
4783
4784 bzero((void *)so_laddr, sizeof (so_laddr));
4785 bzero((void *)so_faddr, sizeof (so_faddr));
4786
4787 /* get local address */
4788 len = sizeof (so_laddr);
4789 (void) socket_getsockname(so,
4790 (struct sockaddr *)so_laddr, &len, CRED());
4791
4792 /* get peer address */
4793
4794 /* sanity check */
4795 if (uap->to == 0)
4796 break;
4797
4798 /* sanity checks */
4799 if (uap->tolen == 0)
4800 break;
4801
4802 tolen = (socklen_t)uap->tolen;
4803
4804 /* enforce maximum size */
4805 if (tolen > sizeof (so_faddr))
4806 tolen = sizeof (so_faddr);
4807
4808 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4809 break;
4810
4811 add_sock_token = 1;
4812 } else {
4813 /*
4814 * check if this is first time through.
4815 */
4816
4817 /* get path from file struct here */
4818 fad = F2A(fp);
4819 ASSERT(fad);
4820
4821 /*
4822 * already processed this file for write attempt
4823 */
4824 if (fad->fad_flags & FAD_WRITE) {
4825 /* don't want to audit every sendto attempt */
4826 tad->tad_flag = 0;
4827 /* free any residual audit data */
4828 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4829 releasef(fd);
4830 return;
4831 }
4832 /*
4833 * mark things so we know what happened and don't
4834 * repeat things
4835 */
4836 fad->fad_flags |= FAD_WRITE;
4837
4838 bzero((void *)so_laddr, sizeof (so_laddr));
4839 bzero((void *)so_faddr, sizeof (so_faddr));
4840
4841 /* get local and foreign addresses */
4842 len = sizeof (so_laddr);
4843 (void) socket_getsockname(so,
4844 (struct sockaddr *)so_laddr, &len, CRED());
4845 len = sizeof (so_faddr);
4846 (void) socket_getpeername(so,
4847 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4848
4849 add_sock_token = 1;
4850 }
4851
4852 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4853
4854 break;
4855
4856 case AF_UNIX:
4857 /*
4858 * first check if this is first time through. Too much
4859 * duplicate code to put this in an aui_ routine.
4860 */
4861
4862 /* get path from file struct here */
4863 fad = F2A(fp);
4864 ASSERT(fad);
4865
4866 /*
4867 * already processed this file for write attempt
4868 */
4869 if (fad->fad_flags & FAD_WRITE) {
4870 /* don't want to audit every sendto attempt */
4871 tad->tad_flag = 0;
4872 /* free any residual audit data */
4873 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4874 releasef(fd);
4875 return;
4876 }
4877 /*
4878 * mark things so we know what happened and don't
4879 * repeat things
4880 */
4881 fad->fad_flags |= FAD_WRITE;
4882
4883 if (fad->fad_aupath != NULL) {
4884 au_uwrite(au_to_path(fad->fad_aupath));
4885 } else {
4886 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4887 }
4888
4889 audit_attributes(fp->f_vnode);
4890
4891 releasef(fd);
4892
4893 return;
4894
4895 default:
4896 break;
4897
4898 }
4899
4900 releasef(fd);
4901
4902 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4903
4904 if (add_sock_token == 0) {
4905 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4906 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4907 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4908 return;
4909 }
4910
4911 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4912
4913 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4914
4915 }
4916
4917 /*
4918 * XXX socket(2) may be equivalent to open(2) on a unix domain
4919 * socket. This needs investigation.
4920 */
4921
4922 /*ARGSUSED*/
4923 static void
4924 aus_socket(struct t_audit_data *tad)
4925 {
4926 struct a {
4927 long domain;
4928 long type;
4929 long protocol;
4930 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4931
4932 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4933 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4934 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4935 }
4936
4937 /*ARGSUSED*/
4938 static void
4939 aus_sigqueue(struct t_audit_data *tad)
4940 {
4941 struct a {
4942 long pid;
4943 long signo;
4944 long *val;
4945 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4946 struct proc *p;
4947 uid_t uid, ruid;
4948 gid_t gid, rgid;
4949 pid_t pid;
4950 const auditinfo_addr_t *ainfo;
4951 cred_t *cr;
4952
4953 pid = (pid_t)uap->pid;
4954
4955 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4956 if (pid > 0) {
4957 mutex_enter(&pidlock);
4958 if ((p = prfind(pid)) == (struct proc *)0) {
4959 mutex_exit(&pidlock);
4960 return;
4961 }
4962 mutex_enter(&p->p_lock); /* so process doesn't go away */
4963 mutex_exit(&pidlock);
4964
4965 mutex_enter(&p->p_crlock);
4966 crhold(cr = p->p_cred);
4967 mutex_exit(&p->p_crlock);
4968 mutex_exit(&p->p_lock);
4969
4970 ainfo = crgetauinfo(cr);
4971 if (ainfo == NULL) {
4972 crfree(cr);
4973 return;
4974 }
4975
4976 uid = crgetuid(cr);
4977 gid = crgetgid(cr);
4978 ruid = crgetruid(cr);
4979 rgid = crgetrgid(cr);
4980 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4981 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4982 crfree(cr);
4983 }
4984 else
4985 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4986 }
4987
4988 /*ARGSUSED*/
4989 static void
4990 aus_inst_sync(struct t_audit_data *tad)
4991 {
4992 struct a {
4993 long name; /* char */
4994 long flags;
4995 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4996
4997 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4998 }
4999
5000 /*ARGSUSED*/
5001 static void
5002 aus_brandsys(struct t_audit_data *tad)
5003 {
5004 klwp_t *clwp = ttolwp(curthread);
5005
5006 struct a {
5007 long cmd;
5008 long arg1;
5009 long arg2;
5010 long arg3;
5011 long arg4;
5012 long arg5;
5013 long arg6;
5014 } *uap = (struct a *)clwp->lwp_ap;
5015
5016 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
5017 #ifdef _LP64
5018 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
5019 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
5020 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
5021 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
5022 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
5023 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
5024 #else
5025 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
5026 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
5027 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
5028 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
5029 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
5030 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
5031 #endif
5032 }
5033
5034 /*ARGSUSED*/
5035 static void
5036 aus_p_online(struct t_audit_data *tad)
5037 {
5038 struct a {
5039 long processor_id;
5040 long flag;
5041 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5042
5043 struct flags {
5044 int flag;
5045 char *cflag;
5046 } aflags[6] = {
5047 { P_ONLINE, "P_ONLINE"},
5048 { P_OFFLINE, "P_OFFLINE"},
5049 { P_NOINTR, "P_NOINTR"},
5050 { P_SPARE, "P_SPARE"},
5051 { P_FAULTED, "P_FAULTED"},
5052 { P_STATUS, "P_STATUS"}
5053 };
5054 int i;
5055 char *cflag;
5056
5057 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
5058 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
5059
5060 for (i = 0; i < 6; i++) {
5061 if (aflags[i].flag == uap->flag)
5062 break;
5063 }
5064 cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5065
5066 au_uwrite(au_to_text(cflag));
5067 }
5068
5069 /*ARGSUSED*/
5070 static void
5071 aus_processor_bind(struct t_audit_data *tad)
5072 {
5073 struct a {
5074 long id_type;
5075 long id;
5076 long processor_id;
5077 long obind;
5078 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5079
5080 struct proc *p;
5081 int lwpcnt;
5082 uid_t uid, ruid;
5083 gid_t gid, rgid;
5084 pid_t pid;
5085 const auditinfo_addr_t *ainfo;
5086 cred_t *cr;
5087
5088 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5089 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5090 if (uap->processor_id == PBIND_NONE)
5091 au_uwrite(au_to_text("PBIND_NONE"));
5092 else
5093 au_uwrite(au_to_arg32(3, "processor_id",
5094 (uint32_t)uap->processor_id));
5095
5096 switch (uap->id_type) {
5097 case P_MYID:
5098 case P_LWPID:
5099 mutex_enter(&pidlock);
5100 p = ttoproc(curthread);
5101 if (p == NULL || p->p_as == &kas) {
5102 mutex_exit(&pidlock);
5103 return;
5104 }
5105 mutex_enter(&p->p_lock);
5106 mutex_exit(&pidlock);
5107 lwpcnt = p->p_lwpcnt;
5108 pid = p->p_pid;
5109
5110 mutex_enter(&p->p_crlock);
5111 crhold(cr = p->p_cred);
5112 mutex_exit(&p->p_crlock);
5113 mutex_exit(&p->p_lock);
5114
5115 ainfo = crgetauinfo(cr);
5116 if (ainfo == NULL) {
5117 crfree(cr);
5118 return;
5119 }
5120
5121 uid = crgetuid(cr);
5122 gid = crgetgid(cr);
5123 ruid = crgetruid(cr);
5124 rgid = crgetrgid(cr);
5125 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5126 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5127 crfree(cr);
5128 break;
5129 case P_PID:
5130 mutex_enter(&pidlock);
5131 p = prfind(uap->id);
5132 if (p == NULL || p->p_as == &kas) {
5133 mutex_exit(&pidlock);
5134 return;
5135 }
5136 mutex_enter(&p->p_lock);
5137 mutex_exit(&pidlock);
5138 lwpcnt = p->p_lwpcnt;
5139 pid = p->p_pid;
5140
5141 mutex_enter(&p->p_crlock);
5142 crhold(cr = p->p_cred);
5143 mutex_exit(&p->p_crlock);
5144 mutex_exit(&p->p_lock);
5145
5146 ainfo = crgetauinfo(cr);
5147 if (ainfo == NULL) {
5148 crfree(cr);
5149 return;
5150 }
5151
5152 uid = crgetuid(cr);
5153 gid = crgetgid(cr);
5154 ruid = crgetruid(cr);
5155 rgid = crgetrgid(cr);
5156 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5157 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5158 crfree(cr);
5159
5160 break;
5161 default:
5162 return;
5163 }
5164
5165 if (uap->processor_id == PBIND_NONE &&
5166 (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5167 au_uwrite(au_to_text("PBIND_NONE for process"));
5168 else
5169 au_uwrite(au_to_arg32(3, "processor_id",
5170 (uint32_t)uap->processor_id));
5171 }
5172
5173 /*ARGSUSED*/
5174 static au_event_t
5175 aui_doorfs(au_event_t e)
5176 {
5177 uint32_t code;
5178
5179 struct a { /* doorfs */
5180 long a1;
5181 long a2;
5182 long a3;
5183 long a4;
5184 long a5;
5185 long code;
5186 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5187
5188 /*
5189 * audit formats for several of the
5190 * door calls have not yet been determined
5191 */
5192 code = (uint32_t)uap->code;
5193 switch (code) {
5194 case DOOR_CALL:
5195 e = AUE_DOORFS_DOOR_CALL;
5196 break;
5197 case DOOR_RETURN:
5198 e = AUE_NULL;
5199 break;
5200 case DOOR_CREATE:
5201 e = AUE_DOORFS_DOOR_CREATE;
5202 break;
5203 case DOOR_REVOKE:
5204 e = AUE_DOORFS_DOOR_REVOKE;
5205 break;
5206 case DOOR_INFO:
5207 e = AUE_NULL;
5208 break;
5209 case DOOR_UCRED:
5210 e = AUE_NULL;
5211 break;
5212 case DOOR_BIND:
5213 e = AUE_NULL;
5214 break;
5215 case DOOR_UNBIND:
5216 e = AUE_NULL;
5217 break;
5218 case DOOR_GETPARAM:
5219 e = AUE_NULL;
5220 break;
5221 case DOOR_SETPARAM:
5222 e = AUE_NULL;
5223 break;
5224 default: /* illegal system call */
5225 e = AUE_NULL;
5226 break;
5227 }
5228
5229 return (e);
5230 }
5231
5232 static door_node_t *
5233 au_door_lookup(int did)
5234 {
5235 vnode_t *vp;
5236 file_t *fp;
5237
5238 if ((fp = getf(did)) == NULL)
5239 return (NULL);
5240 /*
5241 * Use the underlying vnode (we may be namefs mounted)
5242 */
5243 if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5244 vp = fp->f_vnode;
5245
5246 if (vp == NULL || vp->v_type != VDOOR) {
5247 releasef(did);
5248 return (NULL);
5249 }
5250
5251 return (VTOD(vp));
5252 }
5253
5254 /*ARGSUSED*/
5255 static void
5256 aus_doorfs(struct t_audit_data *tad)
5257 {
5258
5259 struct a { /* doorfs */
5260 long a1;
5261 long a2;
5262 long a3;
5263 long a4;
5264 long a5;
5265 long code;
5266 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5267
5268 door_node_t *dp;
5269 struct proc *p;
5270 uint32_t did;
5271 uid_t uid, ruid;
5272 gid_t gid, rgid;
5273 pid_t pid;
5274 const auditinfo_addr_t *ainfo;
5275 cred_t *cr;
5276
5277 did = (uint32_t)uap->a1;
5278
5279 switch (tad->tad_event) {
5280 case AUE_DOORFS_DOOR_CALL:
5281 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5282 if ((dp = au_door_lookup(did)) == NULL)
5283 break;
5284
5285 if (DOOR_INVALID(dp)) {
5286 releasef(did);
5287 break;
5288 }
5289
5290 if ((p = dp->door_target) == NULL) {
5291 releasef(did);
5292 break;
5293 }
5294 mutex_enter(&p->p_lock);
5295 releasef(did);
5296
5297 pid = p->p_pid;
5298
5299 mutex_enter(&p->p_crlock);
5300 crhold(cr = p->p_cred);
5301 mutex_exit(&p->p_crlock);
5302 mutex_exit(&p->p_lock);
5303
5304 ainfo = crgetauinfo(cr);
5305 if (ainfo == NULL) {
5306 crfree(cr);
5307 return;
5308 }
5309 uid = crgetuid(cr);
5310 gid = crgetgid(cr);
5311 ruid = crgetruid(cr);
5312 rgid = crgetrgid(cr);
5313 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5314 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5315 crfree(cr);
5316 break;
5317 case AUE_DOORFS_DOOR_RETURN:
5318 /*
5319 * We may want to write information about
5320 * all doors (if any) which will be copied
5321 * by this call to the user space
5322 */
5323 break;
5324 case AUE_DOORFS_DOOR_CREATE:
5325 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5326 break;
5327 case AUE_DOORFS_DOOR_REVOKE:
5328 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5329 break;
5330 case AUE_DOORFS_DOOR_INFO:
5331 break;
5332 case AUE_DOORFS_DOOR_CRED:
5333 break;
5334 case AUE_DOORFS_DOOR_BIND:
5335 break;
5336 case AUE_DOORFS_DOOR_UNBIND: {
5337 break;
5338 }
5339 default: /* illegal system call */
5340 break;
5341 }
5342 }
5343
5344 /*ARGSUSED*/
5345 static au_event_t
5346 aui_acl(au_event_t e)
5347 {
5348 struct a {
5349 union {
5350 long name; /* char */
5351 long fd;
5352 } obj;
5353
5354 long cmd;
5355 long nentries;
5356 long arg; /* aclent_t */
5357 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5358
5359 switch (uap->cmd) {
5360 case SETACL:
5361 case ACE_SETACL:
5362 /*
5363 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5364 * are expected.
5365 */
5366 break;
5367 case GETACL:
5368 case GETACLCNT:
5369 case ACE_GETACL:
5370 case ACE_GETACLCNT:
5371 /* do nothing for these four values. */
5372 e = AUE_NULL;
5373 break;
5374 default:
5375 /* illegal system call */
5376 break;
5377 }
5378
5379 return (e);
5380 }
5381
5382 static void
5383 au_acl(int cmd, int nentries, caddr_t bufp)
5384 {
5385 size_t a_size;
5386 aclent_t *aclbufp;
5387 ace_t *acebufp;
5388 int i;
5389
5390 switch (cmd) {
5391 case GETACL:
5392 case GETACLCNT:
5393 break;
5394 case SETACL:
5395 if (nentries < 3)
5396 break;
5397
5398 a_size = nentries * sizeof (aclent_t);
5399
5400 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5401 break;
5402 if (copyin(bufp, aclbufp, a_size)) {
5403 kmem_free(aclbufp, a_size);
5404 break;
5405 }
5406 for (i = 0; i < nentries; i++) {
5407 au_uwrite(au_to_acl(aclbufp + i));
5408 }
5409 kmem_free(aclbufp, a_size);
5410 break;
5411
5412 case ACE_SETACL:
5413 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5414 break;
5415
5416 a_size = nentries * sizeof (ace_t);
5417 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5418 break;
5419 if (copyin(bufp, acebufp, a_size)) {
5420 kmem_free(acebufp, a_size);
5421 break;
5422 }
5423 for (i = 0; i < nentries; i++) {
5424 au_uwrite(au_to_ace(acebufp + i));
5425 }
5426 kmem_free(acebufp, a_size);
5427 break;
5428 default:
5429 break;
5430 }
5431 }
5432
5433 /*ARGSUSED*/
5434 static void
5435 aus_acl(struct t_audit_data *tad)
5436 {
5437 struct a {
5438 long fname;
5439 long cmd;
5440 long nentries;
5441 long aclbufp;
5442 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5443
5444 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5445 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5446
5447 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5448 }
5449
5450 /*ARGSUSED*/
5451 static void
5452 aus_facl(struct t_audit_data *tad)
5453 {
5454 struct a {
5455 long fd;
5456 long cmd;
5457 long nentries;
5458 long aclbufp;
5459 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5460 struct file *fp;
5461 struct vnode *vp;
5462 struct f_audit_data *fad;
5463 int fd;
5464
5465 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5466 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5467
5468 fd = (int)uap->fd;
5469
5470 if ((fp = getf(fd)) == NULL)
5471 return;
5472
5473 /* get path from file struct here */
5474 fad = F2A(fp);
5475 if (fad->fad_aupath != NULL) {
5476 au_uwrite(au_to_path(fad->fad_aupath));
5477 } else {
5478 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5479 }
5480
5481 vp = fp->f_vnode;
5482 audit_attributes(vp);
5483
5484 /* decrement file descriptor reference count */
5485 releasef(fd);
5486
5487 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5488 }
5489
5490 /*ARGSUSED*/
5491 static void
5492 auf_read(struct t_audit_data *tad, int error, rval_t *rval)
5493 {
5494 struct file *fp;
5495 struct f_audit_data *fad;
5496 int fd;
5497 register struct a {
5498 long fd;
5499 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5500 au_kcontext_t *kctx = GET_KCTX_PZ;
5501
5502 fd = (int)uap->fd;
5503
5504 /*
5505 * convert file pointer to file descriptor
5506 * Note: fd ref count incremented here.
5507 */
5508 if ((fp = getf(fd)) == NULL)
5509 return;
5510
5511 /* get path from file struct here */
5512 fad = F2A(fp);
5513 ASSERT(fad);
5514
5515 /*
5516 * already processed this file for read attempt
5517 *
5518 * XXX might be better to turn off auditing in a aui_read() routine.
5519 */
5520 if (fad->fad_flags & FAD_READ) {
5521 /* don't really want to audit every read attempt */
5522 tad->tad_flag = 0;
5523 /* free any residual audit data */
5524 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5525 releasef(fd);
5526 return;
5527 }
5528 /* mark things so we know what happened and don't repeat things */
5529 fad->fad_flags |= FAD_READ;
5530
5531 if (fad->fad_aupath != NULL) {
5532 au_uwrite(au_to_path(fad->fad_aupath));
5533 } else {
5534 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5535 }
5536
5537 /* include attributes */
5538 audit_attributes(fp->f_vnode);
5539
5540 /* decrement file descriptor reference count */
5541 releasef(fd);
5542 }
5543
5544 /*ARGSUSED*/
5545 static void
5546 auf_write(struct t_audit_data *tad, int error, rval_t *rval)
5547 {
5548 struct file *fp;
5549 struct f_audit_data *fad;
5550 int fd;
5551 register struct a {
5552 long fd;
5553 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5554 au_kcontext_t *kctx = GET_KCTX_PZ;
5555
5556 fd = (int)uap->fd;
5557
5558 /*
5559 * convert file pointer to file descriptor
5560 * Note: fd ref count incremented here.
5561 */
5562 if ((fp = getf(fd)) == NULL)
5563 return;
5564
5565 /* get path from file struct here */
5566 fad = F2A(fp);
5567 ASSERT(fad);
5568
5569 /*
5570 * already processed this file for write attempt
5571 *
5572 * XXX might be better to turn off auditing in a aus_write() routine.
5573 */
5574 if (fad->fad_flags & FAD_WRITE) {
5575 /* don't really want to audit every write attempt */
5576 tad->tad_flag = 0;
5577 /* free any residual audit data */
5578 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5579 releasef(fd);
5580 return;
5581 }
5582 /* mark things so we know what happened and don't repeat things */
5583 fad->fad_flags |= FAD_WRITE;
5584
5585 if (fad->fad_aupath != NULL) {
5586 au_uwrite(au_to_path(fad->fad_aupath));
5587 } else {
5588 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5589 }
5590
5591 /* include attributes */
5592 audit_attributes(fp->f_vnode);
5593
5594 /* decrement file descriptor reference count */
5595 releasef(fd);
5596 }
5597
5598 /*ARGSUSED*/
5599 static void
5600 auf_recv(struct t_audit_data *tad, int error, rval_t *rval)
5601 {
5602 struct sonode *so;
5603 char so_laddr[sizeof (struct sockaddr_in6)];
5604 char so_faddr[sizeof (struct sockaddr_in6)];
5605 struct file *fp;
5606 struct f_audit_data *fad;
5607 int fd;
5608 int err;
5609 socklen_t len;
5610 short so_family, so_type;
5611 register struct a {
5612 long fd;
5613 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5614 au_kcontext_t *kctx = GET_KCTX_PZ;
5615
5616 /*
5617 * If there was an error, then nothing to do. Only generate
5618 * audit record on first successful recv.
5619 */
5620 if (error) {
5621 /* Turn off audit record generation here. */
5622 tad->tad_flag = 0;
5623 /* free any residual audit data */
5624 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5625 return;
5626 }
5627
5628 fd = (int)uap->fd;
5629
5630 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5631 /* Turn off audit record generation here. */
5632 tad->tad_flag = 0;
5633 /* free any residual audit data */
5634 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5635 return;
5636 }
5637
5638 /* get path from file struct here */
5639 fad = F2A(fp);
5640 ASSERT(fad);
5641
5642 /*
5643 * already processed this file for read attempt
5644 */
5645 if (fad->fad_flags & FAD_READ) {
5646 releasef(fd);
5647 /* don't really want to audit every recv call */
5648 tad->tad_flag = 0;
5649 /* free any residual audit data */
5650 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5651 return;
5652 }
5653
5654 /* mark things so we know what happened and don't repeat things */
5655 fad->fad_flags |= FAD_READ;
5656
5657 so_family = so->so_family;
5658 so_type = so->so_type;
5659
5660 switch (so_family) {
5661 case AF_INET:
5662 case AF_INET6:
5663 /*
5664 * Only for connections.
5665 * XXX - do we need to worry about SOCK_DGRAM or other types???
5666 */
5667 if (so->so_state & SS_ISBOUND) {
5668
5669 bzero((void *)so_laddr, sizeof (so_laddr));
5670 bzero((void *)so_faddr, sizeof (so_faddr));
5671
5672 /* get local and foreign addresses */
5673 len = sizeof (so_laddr);
5674 (void) socket_getsockname(so,
5675 (struct sockaddr *)so_laddr, &len, CRED());
5676 len = sizeof (so_faddr);
5677 (void) socket_getpeername(so,
5678 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5679
5680 /*
5681 * only way to drop out of switch. Note that we
5682 * we release fd below.
5683 */
5684
5685 break;
5686 }
5687
5688 releasef(fd);
5689
5690 /* don't really want to audit every recv call */
5691 tad->tad_flag = 0;
5692 /* free any residual audit data */
5693 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5694
5695 return;
5696
5697 case AF_UNIX:
5698
5699 if (fad->fad_aupath != NULL) {
5700 au_uwrite(au_to_path(fad->fad_aupath));
5701 } else {
5702 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5703 }
5704
5705 audit_attributes(fp->f_vnode);
5706
5707 releasef(fd);
5708
5709 return;
5710
5711 default:
5712 releasef(fd);
5713
5714 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5715 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5716 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5717
5718 return;
5719 }
5720
5721 releasef(fd);
5722
5723 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5724
5725 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5726
5727 }
5728
5729 /*ARGSUSED*/
5730 static void
5731 auf_send(struct t_audit_data *tad, int error, rval_t *rval)
5732 {
5733 struct sonode *so;
5734 char so_laddr[sizeof (struct sockaddr_in6)];
5735 char so_faddr[sizeof (struct sockaddr_in6)];
5736 struct file *fp;
5737 struct f_audit_data *fad;
5738 int fd;
5739 int err;
5740 socklen_t len;
5741 short so_family, so_type;
5742 register struct a {
5743 long fd;
5744 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5745 au_kcontext_t *kctx = GET_KCTX_PZ;
5746
5747 fd = (int)uap->fd;
5748
5749 /*
5750 * If there was an error, then nothing to do. Only generate
5751 * audit record on first successful send.
5752 */
5753 if (error != 0) {
5754 /* Turn off audit record generation here. */
5755 tad->tad_flag = 0;
5756 /* free any residual audit data */
5757 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5758 return;
5759 }
5760
5761 fd = (int)uap->fd;
5762
5763 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5764 /* Turn off audit record generation here. */
5765 tad->tad_flag = 0;
5766 /* free any residual audit data */
5767 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5768 return;
5769 }
5770
5771 /* get path from file struct here */
5772 fad = F2A(fp);
5773 ASSERT(fad);
5774
5775 /*
5776 * already processed this file for write attempt
5777 */
5778 if (fad->fad_flags & FAD_WRITE) {
5779 releasef(fd);
5780 /* don't really want to audit every send call */
5781 tad->tad_flag = 0;
5782 /* free any residual audit data */
5783 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5784 return;
5785 }
5786
5787 /* mark things so we know what happened and don't repeat things */
5788 fad->fad_flags |= FAD_WRITE;
5789
5790 so_family = so->so_family;
5791 so_type = so->so_type;
5792
5793 switch (so_family) {
5794 case AF_INET:
5795 case AF_INET6:
5796 /*
5797 * Only for connections.
5798 * XXX - do we need to worry about SOCK_DGRAM or other types???
5799 */
5800 if (so->so_state & SS_ISBOUND) {
5801
5802 bzero((void *)so_laddr, sizeof (so_laddr));
5803 bzero((void *)so_faddr, sizeof (so_faddr));
5804
5805 /* get local and foreign addresses */
5806 len = sizeof (so_laddr);
5807 (void) socket_getsockname(so,
5808 (struct sockaddr *)so_laddr, &len, CRED());
5809 len = sizeof (so_faddr);
5810 (void) socket_getpeername(so,
5811 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5812
5813 /*
5814 * only way to drop out of switch. Note that we
5815 * we release fd below.
5816 */
5817
5818 break;
5819 }
5820
5821 releasef(fd);
5822 /* don't really want to audit every send call */
5823 tad->tad_flag = 0;
5824 /* free any residual audit data */
5825 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5826
5827 return;
5828
5829 case AF_UNIX:
5830
5831 if (fad->fad_aupath != NULL) {
5832 au_uwrite(au_to_path(fad->fad_aupath));
5833 } else {
5834 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5835 }
5836
5837 audit_attributes(fp->f_vnode);
5838
5839 releasef(fd);
5840
5841 return;
5842
5843 default:
5844 releasef(fd);
5845
5846 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5847 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5848 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5849
5850 return;
5851 }
5852
5853 releasef(fd);
5854
5855 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5856
5857 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5858 }
5859
5860 static au_event_t
5861 aui_forksys(au_event_t e)
5862 {
5863 struct a {
5864 long subcode;
5865 long flags;
5866 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5867
5868 switch ((uint_t)uap->subcode) {
5869 case 0:
5870 e = AUE_FORK1;
5871 break;
5872 case 1:
5873 e = AUE_FORKALL;
5874 break;
5875 case 2:
5876 e = AUE_VFORK;
5877 break;
5878 default:
5879 e = AUE_NULL;
5880 break;
5881 }
5882
5883 return (e);
5884 }
5885
5886 /*ARGSUSED*/
5887 static au_event_t
5888 aui_portfs(au_event_t e)
5889 {
5890 struct a { /* portfs */
5891 long a1;
5892 long a2;
5893 long a3;
5894 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5895
5896 /*
5897 * check opcode
5898 */
5899 switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5900 case PORT_ASSOCIATE:
5901 /* check source */
5902 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5903 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5904 e = AUE_PORTFS_ASSOCIATE;
5905 } else {
5906 e = AUE_NULL;
5907 }
5908 break;
5909 case PORT_DISSOCIATE:
5910 /* check source */
5911 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5912 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5913 e = AUE_PORTFS_DISSOCIATE;
5914 } else {
5915 e = AUE_NULL;
5916 }
5917 break;
5918 default:
5919 e = AUE_NULL;
5920 }
5921 return (e);
5922 }