Print this page
11842 Want audit events for auditon(A_SETPMASK) and friends
Reviewed by: John Levon <john.levon@joyent.com>
Reviewed by: Andy Fiddaman <andy@omniosce.org>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/c2/audit_event.c
+++ new/usr/src/uts/common/c2/audit_event.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21
22 22 /*
23 23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 24 * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
25 25 * Copyright (c) 2018, Joyent, Inc.
26 26 */
27 27
28 28 /*
29 29 * This file contains the audit event table used to control the production
30 30 * of audit records for each system call.
31 31 */
32 32
33 33 #include <sys/policy.h>
34 34 #include <sys/cred.h>
35 35 #include <sys/types.h>
36 36 #include <sys/systm.h>
37 37 #include <sys/systeminfo.h> /* for sysinfo auditing */
38 38 #include <sys/utsname.h> /* for sysinfo auditing */
39 39 #include <sys/proc.h>
40 40 #include <sys/vnode.h>
41 41 #include <sys/mman.h> /* for mmap(2) auditing etc. */
42 42 #include <sys/fcntl.h>
43 43 #include <sys/modctl.h> /* for modctl auditing */
44 44 #include <sys/vnode.h>
45 45 #include <sys/user.h>
46 46 #include <sys/types.h>
47 47 #include <sys/processor.h>
48 48 #include <sys/procset.h>
49 49 #include <sys/acl.h>
50 50 #include <sys/ipc.h>
51 51 #include <sys/door.h>
52 52 #include <sys/sem.h>
53 53 #include <sys/msg.h>
54 54 #include <sys/shm.h>
55 55 #include <sys/kmem.h>
56 56 #include <sys/file.h> /* for accept */
57 57 #include <sys/utssys.h> /* for fuser */
58 58 #include <sys/tsol/label.h>
59 59 #include <sys/tsol/tndb.h>
60 60 #include <sys/tsol/tsyscall.h>
61 61 #include <c2/audit.h>
62 62 #include <c2/audit_kernel.h>
63 63 #include <c2/audit_kevents.h>
64 64 #include <c2/audit_record.h>
65 65 #include <sys/procset.h>
66 66 #include <nfs/mount.h>
67 67 #include <sys/param.h>
68 68 #include <sys/debug.h>
69 69 #include <sys/sysmacros.h>
70 70 #include <sys/stream.h>
71 71 #include <sys/strsubr.h>
72 72 #include <sys/stropts.h>
73 73 #include <sys/tihdr.h>
74 74 #include <sys/socket.h>
75 75 #include <sys/socketvar.h>
76 76 #include <sys/vfs_opreg.h>
77 77 #include <fs/sockfs/sockcommon.h>
78 78 #include <netinet/in.h>
79 79 #include <sys/ddi.h>
80 80 #include <sys/port_impl.h>
81 81 #include <sys/secflags.h>
82 82
83 83 static au_event_t aui_fchownat(au_event_t);
84 84 static au_event_t aui_fchmodat(au_event_t);
85 85 static au_event_t aui_open(au_event_t);
86 86 static au_event_t aui_openat(au_event_t);
87 87 static au_event_t aui_unlinkat(au_event_t);
88 88 static au_event_t aui_fstatat(au_event_t);
89 89 static au_event_t aui_msgsys(au_event_t);
90 90 static au_event_t aui_shmsys(au_event_t);
91 91 static au_event_t aui_semsys(au_event_t);
92 92 static au_event_t aui_utssys(au_event_t);
93 93 static au_event_t aui_fcntl(au_event_t);
94 94 static au_event_t aui_execve(au_event_t);
95 95 static au_event_t aui_memcntl(au_event_t);
96 96 static au_event_t aui_sysinfo(au_event_t);
97 97 static au_event_t aui_portfs(au_event_t);
98 98 static au_event_t aui_auditsys(au_event_t);
99 99 static au_event_t aui_modctl(au_event_t);
100 100 static au_event_t aui_acl(au_event_t);
101 101 static au_event_t aui_doorfs(au_event_t);
102 102 static au_event_t aui_privsys(au_event_t);
103 103 static au_event_t aui_forksys(au_event_t);
104 104 static au_event_t aui_labelsys(au_event_t);
105 105 static au_event_t aui_setpgrp(au_event_t);
106 106
107 107
108 108 static void aus_exit(struct t_audit_data *);
109 109 static void aus_open(struct t_audit_data *);
110 110 static void aus_openat(struct t_audit_data *);
111 111 static void aus_acl(struct t_audit_data *);
112 112 static void aus_acct(struct t_audit_data *);
113 113 static void aus_chown(struct t_audit_data *);
114 114 static void aus_fchown(struct t_audit_data *);
115 115 static void aus_lchown(struct t_audit_data *);
116 116 static void aus_fchownat(struct t_audit_data *);
117 117 static void aus_chmod(struct t_audit_data *);
118 118 static void aus_facl(struct t_audit_data *);
119 119 static void aus_fchmod(struct t_audit_data *);
120 120 static void aus_fchmodat(struct t_audit_data *);
121 121 static void aus_fcntl(struct t_audit_data *);
122 122 static void aus_mkdir(struct t_audit_data *);
123 123 static void aus_mkdirat(struct t_audit_data *);
124 124 static void aus_mknod(struct t_audit_data *);
125 125 static void aus_mknodat(struct t_audit_data *);
126 126 static void aus_mount(struct t_audit_data *);
127 127 static void aus_umount2(struct t_audit_data *);
128 128 static void aus_msgsys(struct t_audit_data *);
129 129 static void aus_semsys(struct t_audit_data *);
130 130 static void aus_close(struct t_audit_data *);
131 131 static void aus_fstatfs(struct t_audit_data *);
132 132 static void aus_setgid(struct t_audit_data *);
133 133 static void aus_setpgrp(struct t_audit_data *);
134 134 static void aus_setuid(struct t_audit_data *);
135 135 static void aus_shmsys(struct t_audit_data *);
136 136 static void aus_doorfs(struct t_audit_data *);
137 137 static void aus_ioctl(struct t_audit_data *);
138 138 static void aus_memcntl(struct t_audit_data *);
139 139 static void aus_mmap(struct t_audit_data *);
140 140 static void aus_munmap(struct t_audit_data *);
141 141 static void aus_priocntlsys(struct t_audit_data *);
142 142 static void aus_setegid(struct t_audit_data *);
143 143 static void aus_setgroups(struct t_audit_data *);
144 144 static void aus_seteuid(struct t_audit_data *);
145 145 static void aus_putmsg(struct t_audit_data *);
146 146 static void aus_putpmsg(struct t_audit_data *);
147 147 static void aus_getmsg(struct t_audit_data *);
148 148 static void aus_getpmsg(struct t_audit_data *);
149 149 static void aus_auditsys(struct t_audit_data *);
150 150 static void aus_sysinfo(struct t_audit_data *);
151 151 static void aus_modctl(struct t_audit_data *);
152 152 static void aus_kill(struct t_audit_data *);
153 153 static void aus_setregid(struct t_audit_data *);
154 154 static void aus_setreuid(struct t_audit_data *);
155 155 static void aus_labelsys(struct t_audit_data *);
156 156
157 157 static void auf_mknod(struct t_audit_data *, int, rval_t *);
158 158 static void auf_mknodat(struct t_audit_data *, int, rval_t *);
159 159 static void auf_msgsys(struct t_audit_data *, int, rval_t *);
160 160 static void auf_semsys(struct t_audit_data *, int, rval_t *);
161 161 static void auf_shmsys(struct t_audit_data *, int, rval_t *);
162 162 static void auf_read(struct t_audit_data *, int, rval_t *);
163 163 static void auf_write(struct t_audit_data *, int, rval_t *);
164 164
165 165 static void aus_sigqueue(struct t_audit_data *);
166 166 static void aus_p_online(struct t_audit_data *);
167 167 static void aus_processor_bind(struct t_audit_data *);
168 168 static void aus_inst_sync(struct t_audit_data *);
169 169 static void aus_brandsys(struct t_audit_data *);
170 170
171 171 static void auf_accept(struct t_audit_data *, int, rval_t *);
172 172
173 173 static void auf_bind(struct t_audit_data *, int, rval_t *);
174 174 static void auf_connect(struct t_audit_data *, int, rval_t *);
175 175 static void aus_shutdown(struct t_audit_data *);
176 176 static void auf_setsockopt(struct t_audit_data *, int, rval_t *);
177 177 static void aus_sockconfig(struct t_audit_data *);
178 178 static void auf_recv(struct t_audit_data *, int, rval_t *);
179 179 static void auf_recvmsg(struct t_audit_data *, int, rval_t *);
180 180 static void auf_send(struct t_audit_data *, int, rval_t *);
181 181 static void auf_sendmsg(struct t_audit_data *, int, rval_t *);
182 182 static void auf_recvfrom(struct t_audit_data *, int, rval_t *);
183 183 static void auf_sendto(struct t_audit_data *, int, rval_t *);
184 184 static void aus_socket(struct t_audit_data *);
185 185 /*
186 186 * This table contains mapping information for converting system call numbers
187 187 * to audit event IDs. In several cases it is necessary to map a single system
188 188 * call to several events.
189 189 */
190 190
191 191 #define aui_null NULL /* NULL initialize function */
192 192 #define aus_null NULL /* NULL start function */
193 193 #define auf_null NULL /* NULL finish function */
194 194
195 195 struct audit_s2e audit_s2e[] =
196 196 {
197 197 /*
198 198 * ---------- ---------- ---------- ----------
199 199 * INITIAL AUDIT START SYSTEM
200 200 * PROCESSING EVENT PROCESSING CALL
201 201 * ---------- ---------- ---------- -----------
202 202 * FINISH EVENT
203 203 * PROCESSING CONTROL
204 204 * ----------------------------------------------------------
205 205 */
206 206 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */
207 207 auf_null, 0,
208 208 aui_null, AUE_EXIT, aus_exit, /* 1 exit */
209 209 auf_null, S2E_NPT,
210 210 aui_null, AUE_PSECFLAGS, aus_null, /* 2 psecflags */
211 211 auf_null, 0,
212 212 aui_null, AUE_READ, aus_null, /* 3 read */
213 213 auf_read, S2E_PUB,
214 214 aui_null, AUE_WRITE, aus_null, /* 4 write */
215 215 auf_write, 0,
216 216 aui_open, AUE_OPEN, aus_open, /* 5 open */
217 217 auf_null, S2E_SP,
218 218 aui_null, AUE_CLOSE, aus_close, /* 6 close */
219 219 auf_null, 0,
220 220 aui_null, AUE_LINK, aus_null, /* 7 linkat */
221 221 auf_null, 0,
222 222 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */
223 223 auf_null, 0,
224 224 aui_null, AUE_LINK, aus_null, /* 9 link */
225 225 auf_null, 0,
226 226 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */
227 227 auf_null, 0,
228 228 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */
229 229 auf_null, 0,
230 230 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */
231 231 auf_null, S2E_SP,
232 232 aui_null, AUE_NULL, aus_null, /* 13 time */
233 233 auf_null, 0,
234 234 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */
235 235 auf_mknod, S2E_MLD,
236 236 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */
237 237 auf_null, 0,
238 238 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */
239 239 auf_null, 0,
240 240 aui_null, AUE_NULL, aus_null, /* 17 brk */
241 241 auf_null, 0,
242 242 aui_null, AUE_STAT, aus_null, /* 18 stat */
243 243 auf_null, S2E_PUB,
244 244 aui_null, AUE_NULL, aus_null, /* 19 lseek */
245 245 auf_null, 0,
246 246 aui_null, AUE_NULL, aus_null, /* 20 getpid */
247 247 auf_null, 0,
248 248 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */
249 249 auf_null, S2E_MLD,
250 250 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */
251 251 auf_null, S2E_PUB,
252 252 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */
253 253 auf_null, 0,
254 254 aui_null, AUE_NULL, aus_null, /* 24 getuid */
255 255 auf_null, 0,
256 256 aui_null, AUE_STIME, aus_null, /* 25 stime */
257 257 auf_null, 0,
258 258 aui_null, AUE_NULL, aus_null, /* 26 pcsample */
259 259 auf_null, 0,
260 260 aui_null, AUE_NULL, aus_null, /* 27 alarm */
261 261 auf_null, 0,
262 262 aui_null, AUE_NULL, aus_null, /* 28 fstat */
263 263 auf_null, 0,
264 264 aui_null, AUE_NULL, aus_null, /* 29 pause */
265 265 auf_null, 0,
266 266 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */
267 267 auf_null, 0,
268 268 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */
269 269 auf_null, 0,
270 270 aui_null, AUE_NULL, aus_null, /* 32 gtty */
271 271 auf_null, 0,
272 272 aui_null, AUE_ACCESS, aus_null, /* 33 access */
273 273 auf_null, S2E_PUB,
274 274 aui_null, AUE_NICE, aus_null, /* 34 nice */
275 275 auf_null, 0,
276 276 aui_null, AUE_STATFS, aus_null, /* 35 statfs */
277 277 auf_null, S2E_PUB,
278 278 aui_null, AUE_NULL, aus_null, /* 36 sync */
279 279 auf_null, 0,
280 280 aui_null, AUE_KILL, aus_kill, /* 37 kill */
281 281 auf_null, 0,
282 282 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */
283 283 auf_null, S2E_PUB,
284 284 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */
285 285 auf_null, 0,
286 286 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */
287 287 auf_null, 0,
288 288 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */
289 289 auf_null, 0,
290 290 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */
291 291 auf_null, 0,
292 292 aui_null, AUE_NULL, aus_null, /* 43 times */
293 293 auf_null, 0,
294 294 aui_null, AUE_NULL, aus_null, /* 44 profil */
295 295 auf_null, 0,
296 296 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */
297 297 auf_null, S2E_PUB,
298 298 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */
299 299 auf_null, 0,
300 300 aui_null, AUE_NULL, aus_null, /* 47 getgid */
301 301 auf_null, 0,
302 302 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */
303 303 auf_mknodat, S2E_MLD,
304 304 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */
305 305 auf_msgsys, 0,
306 306 #if defined(__x86)
307 307 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */
308 308 auf_null, 0,
309 309 #else
310 310 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */
311 311 auf_null, 0,
312 312 #endif /* __x86 */
313 313 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */
314 314 auf_null, 0,
315 315 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */
316 316 auf_shmsys, 0,
317 317 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */
318 318 auf_semsys, 0,
319 319 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */
320 320 auf_null, 0,
321 321 aui_null, AUE_NULL, aus_null, /* 55 uadmin */
322 322 auf_null, 0,
323 323 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */
324 324 auf_null, 0,
325 325 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */
326 326 auf_null, 0,
327 327 aui_null, AUE_NULL, aus_null, /* 58 fsync */
328 328 auf_null, 0,
329 329 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */
330 330 auf_null, S2E_MLD,
331 331 aui_null, AUE_NULL, aus_null, /* 60 umask */
332 332 auf_null, 0,
333 333 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */
334 334 auf_null, S2E_SP,
335 335 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */
336 336 auf_null, 0,
337 337 aui_null, AUE_NULL, aus_null, /* 63 ulimit */
338 338 auf_null, 0,
339 339 aui_null, AUE_RENAME, aus_null, /* 64 renameat */
340 340 auf_null, 0,
341 341 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */
342 342 auf_null, 0,
343 343 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */
344 344 auf_null, S2E_PUB,
345 345 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */
346 346 auf_null, S2E_PUB,
347 347 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */
348 348 auf_null, S2E_SP,
349 349 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */
350 350 auf_null, S2E_SP,
351 351 aui_null, AUE_NULL, aus_null, /* 70 tasksys */
352 352 auf_null, 0,
353 353 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */
354 354 auf_null, 0,
355 355 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */
356 356 auf_null, 0,
357 357 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */
358 358 auf_null, 0,
359 359 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */
360 360 auf_null, 0,
361 361 aui_null, AUE_NULL, aus_null, /* 75 sidsys */
362 362 auf_null, 0,
363 363 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */
364 364 auf_null, 0,
365 365 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */
366 366 auf_null, 0,
367 367 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */
368 368 auf_null, 0,
369 369 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */
370 370 auf_null, 0,
371 371 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */
372 372 auf_null, 0,
373 373 aui_null, AUE_NULL, aus_null, /* 81 getdents */
374 374 auf_null, 0,
375 375 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */
376 376 auf_null, 0,
377 377 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */
378 378 auf_null, 0,
379 379 aui_null, AUE_NULL, aus_null, /* 84 sysfs */
380 380 auf_null, 0,
381 381 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */
382 382 auf_null, 0,
383 383 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */
384 384 auf_null, 0,
385 385 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */
386 386 auf_null, 0,
387 387 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */
388 388 auf_null, S2E_PUB,
389 389 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */
390 390 auf_null, 0,
391 391 aui_null, AUE_READLINK, aus_null, /* 90 readlink */
392 392 auf_null, S2E_PUB,
393 393 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */
394 394 auf_null, 0,
395 395 aui_null, AUE_NULL, aus_null, /* 92 getgroups */
396 396 auf_null, 0,
397 397 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */
398 398 auf_null, 0,
399 399 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */
400 400 auf_null, 0,
401 401 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */
402 402 auf_null, 0,
403 403 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */
404 404 auf_null, 0,
405 405 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */
406 406 auf_null, 0,
407 407 aui_null, AUE_NULL, aus_null, /* 98 sigaction */
408 408 auf_null, 0,
409 409 aui_null, AUE_NULL, aus_null, /* 99 sigpending */
410 410 auf_null, 0,
411 411 aui_null, AUE_NULL, aus_null, /* 100 setcontext */
412 412 auf_null, 0,
413 413 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */
414 414 auf_null, 0,
415 415 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */
416 416 auf_null, 0,
417 417 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */
418 418 auf_null, S2E_PUB,
419 419 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */
420 420 auf_null, 0,
421 421 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */
422 422 auf_null, 0,
423 423 aui_null, AUE_NULL, aus_null, /* 106 nfssys */
424 424 auf_null, 0,
425 425 aui_null, AUE_NULL, aus_null, /* 107 waitsys */
426 426 auf_null, 0,
427 427 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */
428 428 auf_null, 0,
429 429 #if defined(__x86)
430 430 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */
431 431 auf_null, 0,
432 432 #else
433 433 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */
434 434 auf_null, 0,
435 435 #endif /* __x86 */
436 436 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */
437 437 auf_null, 0,
438 438 aui_null, AUE_NULL, aus_null, /* 111 sigresend */
439 439 auf_null, 0,
440 440 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
441 441 auf_null, 0,
442 442 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */
443 443 auf_null, S2E_PUB,
444 444 aui_null, AUE_NULL, aus_null, /* 114 mincore */
445 445 auf_null, 0,
446 446 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */
447 447 auf_null, 0,
448 448 aui_null, AUE_NULL, aus_null, /* 116 mprotect */
449 449 auf_null, 0,
450 450 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */
451 451 auf_null, 0,
452 452 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */
453 453 auf_null, 0,
454 454 aui_null, AUE_VFORK, aus_null, /* 119 vfork */
455 455 auf_null, 0,
456 456 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */
457 457 auf_null, 0,
458 458 aui_null, AUE_READ, aus_null, /* 121 readv */
459 459 auf_read, S2E_PUB,
460 460 aui_null, AUE_WRITE, aus_null, /* 122 writev */
461 461 auf_write, 0,
462 462 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */
463 463 auf_null, 0,
464 464 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */
465 465 auf_null, 0,
466 466 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */
467 467 auf_null, 0,
468 468 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */
469 469 auf_null, 0,
470 470 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */
471 471 auf_null, 0,
472 472 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */
473 473 auf_null, 0,
474 474 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */
475 475 auf_null, 0,
476 476 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */
477 477 auf_null, 0,
478 478 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */
479 479 auf_null, 0,
480 480 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */
481 481 auf_null, 0,
482 482 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */
483 483 auf_null, 0,
484 484 aui_null, AUE_RENAME, aus_null, /* 134 rename */
485 485 auf_null, 0,
486 486 aui_null, AUE_NULL, aus_null, /* 135 uname */
487 487 auf_null, 0,
488 488 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */
489 489 auf_null, 0,
490 490 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */
491 491 auf_null, 0,
492 492 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */
493 493 auf_null, 0,
494 494 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */
495 495 auf_null, 0,
496 496 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */
497 497 auf_null, 0,
498 498 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */
499 499 auf_null, 0,
500 500 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */
501 501 auf_null, 0,
502 502 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */
503 503 auf_null, 0,
504 504 aui_null, AUE_NULL, aus_null, /* 144 sigwait */
505 505 auf_null, 0,
506 506 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */
507 507 auf_null, 0,
508 508 aui_null, AUE_NULL, aus_null, /* 146 yield */
509 509 auf_null, 0,
510 510 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */
511 511 /* was lwp_sema_wait */
512 512 auf_null, 0,
513 513 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */
514 514 auf_null, 0,
515 515 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */
516 516 auf_null, 0,
517 517 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */
518 518 auf_null, 0,
519 519 aui_null, AUE_NULL, aus_null, /* 151 corectl */
520 520 auf_null, 0,
521 521 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */
522 522 auf_null, 0,
523 523 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */
524 524 auf_null, 0,
525 525 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */
526 526 auf_null, 0,
527 527 aui_null, AUE_NULL, aus_null, /* 155 vhangup */
528 528 auf_null, 0,
529 529 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */
530 530 auf_null, 0,
531 531 aui_null, AUE_NULL, aus_null, /* 157 getitimer */
532 532 auf_null, 0,
533 533 aui_null, AUE_NULL, aus_null, /* 158 setitimer */
534 534 auf_null, 0,
535 535 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */
536 536 auf_null, 0,
537 537 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */
538 538 auf_null, 0,
539 539 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */
540 540 auf_null, 0,
541 541 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */
542 542 auf_null, 0,
543 543 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */
544 544 auf_null, 0,
545 545 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */
546 546 auf_null, 0,
547 547 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */
548 548 auf_null, 0,
549 549 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */
550 550 auf_null, 0,
551 551 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */
552 552 auf_null, 0,
553 553 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */
554 554 auf_null, 0,
555 555 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */
556 556 /* was lwp_mutex_lock */
557 557 auf_null, 0,
558 558 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */
559 559 auf_null, 0,
560 560 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */
561 561 auf_null, 0,
562 562 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */
563 563 auf_null, 0,
564 564 aui_null, AUE_READ, aus_null, /* 173 pread */
565 565 auf_read, S2E_PUB,
566 566 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */
567 567 auf_write, 0,
568 568 aui_null, AUE_NULL, aus_null, /* 175 llseek */
569 569 auf_null, 0,
570 570 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */
571 571 auf_null, 0,
572 572 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */
573 573 auf_null, 0,
574 574 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */
575 575 auf_null, 0,
576 576 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */
577 577 auf_null, 0,
578 578 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */
579 579 auf_null, 0,
580 580 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */
581 581 auf_null, 0,
582 582 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */
583 583 auf_null, S2E_MLD,
584 584 aui_null, AUE_NULL, aus_null, /* 183 pollsys */
585 585 auf_null, 0,
586 586 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */
587 587 auf_null, 0,
588 588 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */
589 589 auf_null, 0,
590 590 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */
591 591 auf_null, 0,
592 592 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
593 593 auf_null, 0,
594 594 aui_null, AUE_NULL, aus_null, /* 188 processor_info */
595 595 auf_null, 0,
596 596 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */
597 597 auf_null, 0,
598 598 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */
599 599 auf_null, 0,
600 600 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */
601 601 auf_null, 0,
602 602 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */
603 603 auf_null, 0,
604 604 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */
605 605 auf_null, 0,
606 606 aui_null, AUE_NULL, aus_null, /* 194 timer_create */
607 607 auf_null, 0,
608 608 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */
609 609 auf_null, 0,
610 610 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */
611 611 auf_null, 0,
612 612 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */
613 613 auf_null, 0,
614 614 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */
615 615 auf_null, 0,
616 616 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */
617 617 auf_null, 0,
618 618 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */
619 619 auf_null, 0,
620 620 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */
621 621 auf_null, 0,
622 622 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */
623 623 auf_null, 0,
624 624 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */
625 625 auf_null, 0,
626 626 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */
627 627 auf_null, 0,
628 628 aui_null, AUE_NULL, aus_null, /* 205 signotify */
629 629 auf_null, 0,
630 630 aui_null, AUE_NULL, aus_null, /* 206 schedctl */
631 631 auf_null, 0,
632 632 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */
633 633 auf_null, 0,
634 634 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */
635 635 auf_null, 0,
636 636 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */
637 637 auf_null, 0,
638 638 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */
639 639 auf_null, 0,
640 640 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */
641 641 auf_null, 0,
642 642 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */
643 643 auf_null, 0,
644 644 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */
645 645 auf_null, 0,
646 646 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */
647 647 auf_null, 0,
648 648 aui_null, AUE_STAT, aus_null, /* 215 stat64 */
649 649 auf_null, S2E_PUB,
650 650 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */
651 651 auf_null, S2E_PUB,
652 652 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */
653 653 auf_null, 0,
654 654 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */
655 655 auf_null, S2E_PUB,
656 656 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */
657 657 auf_null, 0,
658 658 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */
659 659 auf_null, 0,
660 660 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */
661 661 auf_null, 0,
662 662 aui_null, AUE_READ, aus_null, /* 222 pread64 */
663 663 auf_read, S2E_PUB,
664 664 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */
665 665 auf_write, 0,
666 666 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */
667 667 auf_null, 0,
668 668 aui_open, AUE_OPEN, aus_open, /* 225 open64 */
669 669 auf_null, S2E_SP,
670 670 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */
671 671 auf_null, 0,
672 672 aui_null, AUE_NULL, aus_null, /* 227 zone */
673 673 auf_null, 0,
674 674 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */
675 675 auf_null, 0,
676 676 aui_null, AUE_NULL, aus_null, /* 229 getcwd */
677 677 auf_null, 0,
678 678 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */
679 679 auf_null, 0,
680 680 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */
681 681 auf_null, 0,
682 682 aui_null, AUE_BIND, aus_null, /* 232 bind */
683 683 auf_bind, 0,
684 684 aui_null, AUE_NULL, aus_null, /* 233 listen */
685 685 auf_null, 0,
686 686 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */
687 687 auf_accept, 0,
688 688 aui_null, AUE_CONNECT, aus_null, /* 235 connect */
689 689 auf_connect, 0,
690 690 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */
691 691 auf_null, 0,
692 692 aui_null, AUE_READ, aus_null, /* 237 recv */
693 693 auf_recv, 0,
694 694 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */
695 695 auf_recvfrom, 0,
696 696 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */
697 697 auf_recvmsg, 0,
698 698 aui_null, AUE_WRITE, aus_null, /* 240 send */
699 699 auf_send, 0,
700 700 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */
701 701 auf_sendmsg, 0,
702 702 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */
703 703 auf_sendto, 0,
704 704 aui_null, AUE_NULL, aus_null, /* 243 getpeername */
705 705 auf_null, 0,
706 706 aui_null, AUE_NULL, aus_null, /* 244 getsockname */
707 707 auf_null, 0,
708 708 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */
709 709 auf_null, 0,
710 710 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */
711 711 auf_setsockopt, 0,
712 712 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
713 713 auf_null, 0,
714 714 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */
715 715 auf_null, 0,
716 716 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */
717 717 auf_null, 0,
718 718 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */
719 719 auf_null, 0,
720 720 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */
721 721 auf_null, 0,
722 722 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */
723 723 auf_null, 0,
724 724 aui_null, AUE_NULL, aus_null, /* 253 cladm */
725 725 auf_null, 0,
726 726 aui_null, AUE_NULL, aus_null, /* 254 uucopy */
727 727 auf_null, 0,
728 728 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */
729 729 auf_null, 0
730 730 };
731 731
732 732 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
733 733
734 734
735 735 /* exit start function */
736 736 /*ARGSUSED*/
737 737 static void
738 738 aus_exit(struct t_audit_data *tad)
739 739 {
740 740 uint32_t rval;
741 741 struct a {
742 742 long rval;
743 743 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
744 744
745 745 rval = (uint32_t)uap->rval;
746 746 au_uwrite(au_to_arg32(1, "exit status", rval));
747 747 }
748 748
749 749
750 750 /* acct start function */
751 751 /*ARGSUSED*/
752 752 static void
753 753 aus_acct(struct t_audit_data *tad)
754 754 {
755 755 klwp_t *clwp = ttolwp(curthread);
756 756 uintptr_t fname;
757 757
758 758 struct a {
759 759 long fname; /* char * */
760 760 } *uap = (struct a *)clwp->lwp_ap;
761 761
762 762 fname = (uintptr_t)uap->fname;
763 763
764 764 if (fname == 0)
765 765 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
766 766 }
767 767
768 768 /* chown start function */
769 769 /*ARGSUSED*/
770 770 static void
771 771 aus_chown(struct t_audit_data *tad)
772 772 {
773 773 klwp_t *clwp = ttolwp(curthread);
774 774 uint32_t uid, gid;
775 775
776 776 struct a {
777 777 long fname; /* char * */
778 778 long uid;
779 779 long gid;
780 780 } *uap = (struct a *)clwp->lwp_ap;
781 781
782 782 uid = (uint32_t)uap->uid;
783 783 gid = (uint32_t)uap->gid;
784 784
785 785 au_uwrite(au_to_arg32(2, "new file uid", uid));
786 786 au_uwrite(au_to_arg32(3, "new file gid", gid));
787 787 }
788 788
789 789 /* fchown start function */
790 790 /*ARGSUSED*/
791 791 static void
792 792 aus_fchown(struct t_audit_data *tad)
793 793 {
794 794 klwp_t *clwp = ttolwp(curthread);
795 795 uint32_t uid, gid, fd;
796 796 struct file *fp;
797 797 struct vnode *vp;
798 798 struct f_audit_data *fad;
799 799
800 800 struct a {
801 801 long fd;
802 802 long uid;
803 803 long gid;
804 804 } *uap = (struct a *)clwp->lwp_ap;
805 805
806 806 fd = (uint32_t)uap->fd;
807 807 uid = (uint32_t)uap->uid;
808 808 gid = (uint32_t)uap->gid;
809 809
810 810 au_uwrite(au_to_arg32(2, "new file uid", uid));
811 811 au_uwrite(au_to_arg32(3, "new file gid", gid));
812 812
813 813 /*
814 814 * convert file pointer to file descriptor
815 815 * Note: fd ref count incremented here.
816 816 */
817 817 if ((fp = getf(fd)) == NULL)
818 818 return;
819 819
820 820 /* get path from file struct here */
821 821 fad = F2A(fp);
822 822 if (fad->fad_aupath != NULL) {
823 823 au_uwrite(au_to_path(fad->fad_aupath));
824 824 } else {
825 825 au_uwrite(au_to_arg32(1, "no path: fd", fd));
826 826 }
827 827
828 828 vp = fp->f_vnode;
829 829 audit_attributes(vp);
830 830
831 831 /* decrement file descriptor reference count */
832 832 releasef(fd);
833 833 }
834 834
835 835 /*ARGSUSED*/
836 836 static void
837 837 aus_lchown(struct t_audit_data *tad)
838 838 {
839 839 klwp_t *clwp = ttolwp(curthread);
840 840 uint32_t uid, gid;
841 841
842 842
843 843 struct a {
844 844 long fname; /* char * */
845 845 long uid;
846 846 long gid;
847 847 } *uap = (struct a *)clwp->lwp_ap;
848 848
849 849 uid = (uint32_t)uap->uid;
850 850 gid = (uint32_t)uap->gid;
851 851
852 852 au_uwrite(au_to_arg32(2, "new file uid", uid));
853 853 au_uwrite(au_to_arg32(3, "new file gid", gid));
854 854 }
855 855
856 856 static au_event_t
857 857 aui_fchownat(au_event_t e)
858 858 {
859 859 klwp_t *clwp = ttolwp(curthread);
860 860
861 861 struct a {
862 862 long fd;
863 863 long fname; /* char * */
864 864 long uid;
865 865 long gid;
866 866 long flags;
867 867 } *uap = (struct a *)clwp->lwp_ap;
868 868
869 869 if (uap->fname == 0)
870 870 e = AUE_FCHOWN;
871 871 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
872 872 e = AUE_LCHOWN;
873 873 else
874 874 e = AUE_CHOWN;
875 875
876 876 return (e);
877 877 }
878 878
879 879 /*ARGSUSED*/
880 880 static void
881 881 aus_fchownat(struct t_audit_data *tad)
882 882 {
883 883 klwp_t *clwp = ttolwp(curthread);
884 884 uint32_t uid, gid;
885 885
886 886 struct a {
887 887 long fd;
888 888 long fname; /* char * */
889 889 long uid;
890 890 long gid;
891 891 long flags;
892 892 } *uap = (struct a *)clwp->lwp_ap;
893 893
894 894 uid = (uint32_t)uap->uid;
895 895 gid = (uint32_t)uap->gid;
896 896
897 897 au_uwrite(au_to_arg32(3, "new file uid", uid));
898 898 au_uwrite(au_to_arg32(4, "new file gid", gid));
899 899 }
900 900
901 901 /*ARGSUSED*/
902 902 static void
903 903 aus_chmod(struct t_audit_data *tad)
904 904 {
905 905 klwp_t *clwp = ttolwp(curthread);
906 906 uint32_t fmode;
907 907
908 908 struct a {
909 909 long fname; /* char * */
910 910 long fmode;
911 911 } *uap = (struct a *)clwp->lwp_ap;
912 912
913 913 fmode = (uint32_t)uap->fmode;
914 914
915 915 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
916 916 }
917 917
918 918 /*ARGSUSED*/
919 919 static void
920 920 aus_fchmod(struct t_audit_data *tad)
921 921 {
922 922 klwp_t *clwp = ttolwp(curthread);
923 923 uint32_t fmode, fd;
924 924 struct file *fp;
925 925 struct vnode *vp;
926 926 struct f_audit_data *fad;
927 927
928 928 struct a {
929 929 long fd;
930 930 long fmode;
931 931 } *uap = (struct a *)clwp->lwp_ap;
932 932
933 933 fd = (uint32_t)uap->fd;
934 934 fmode = (uint32_t)uap->fmode;
935 935
936 936 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
937 937
938 938 /*
939 939 * convert file pointer to file descriptor
940 940 * Note: fd ref count incremented here.
941 941 */
942 942 if ((fp = getf(fd)) == NULL)
943 943 return;
944 944
945 945 /* get path from file struct here */
946 946 fad = F2A(fp);
947 947 if (fad->fad_aupath != NULL) {
948 948 au_uwrite(au_to_path(fad->fad_aupath));
949 949 } else {
950 950 au_uwrite(au_to_arg32(1, "no path: fd", fd));
951 951 }
952 952
953 953 vp = fp->f_vnode;
954 954 audit_attributes(vp);
955 955
956 956 /* decrement file descriptor reference count */
957 957 releasef(fd);
958 958 }
959 959
960 960 static au_event_t
961 961 aui_fchmodat(au_event_t e)
962 962 {
963 963 klwp_t *clwp = ttolwp(curthread);
964 964
965 965 struct a {
966 966 long fd;
967 967 long fname; /* char * */
968 968 long fmode;
969 969 long flag;
970 970 } *uap = (struct a *)clwp->lwp_ap;
971 971
972 972 if (uap->fname == 0)
973 973 e = AUE_FCHMOD;
974 974 else
975 975 e = AUE_CHMOD;
976 976
977 977 return (e);
978 978 }
979 979
980 980 /*ARGSUSED*/
981 981 static void
982 982 aus_fchmodat(struct t_audit_data *tad)
983 983 {
984 984 klwp_t *clwp = ttolwp(curthread);
985 985 uint32_t fmode;
986 986 uint32_t fd;
987 987 struct file *fp;
988 988 struct vnode *vp;
989 989 struct f_audit_data *fad;
990 990
991 991 struct a {
992 992 long fd;
993 993 long fname; /* char * */
994 994 long fmode;
995 995 long flag;
996 996 } *uap = (struct a *)clwp->lwp_ap;
997 997
998 998 fd = (uint32_t)uap->fd;
999 999 fmode = (uint32_t)uap->fmode;
1000 1000
1001 1001 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1002 1002
1003 1003 if (fd == AT_FDCWD || uap->fname != 0) /* same as chmod() */
1004 1004 return;
1005 1005
1006 1006 /*
1007 1007 * convert file pointer to file descriptor
1008 1008 * Note: fd ref count incremented here.
1009 1009 */
1010 1010 if ((fp = getf(fd)) == NULL)
1011 1011 return;
1012 1012
1013 1013 /* get path from file struct here */
1014 1014 fad = F2A(fp);
1015 1015 if (fad->fad_aupath != NULL) {
1016 1016 au_uwrite(au_to_path(fad->fad_aupath));
1017 1017 } else {
1018 1018 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1019 1019 }
1020 1020
1021 1021 vp = fp->f_vnode;
1022 1022 audit_attributes(vp);
1023 1023
1024 1024 /* decrement file descriptor reference count */
1025 1025 releasef(fd);
1026 1026 }
1027 1027
1028 1028 /*
1029 1029 * convert open mode to appropriate open event
1030 1030 */
1031 1031 au_event_t
1032 1032 open_event(uint_t fm)
1033 1033 {
1034 1034 au_event_t e;
1035 1035
1036 1036 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1037 1037 case O_RDONLY:
1038 1038 e = AUE_OPEN_R;
1039 1039 break;
1040 1040 case O_RDONLY | O_CREAT:
1041 1041 e = AUE_OPEN_RC;
1042 1042 break;
1043 1043 case O_RDONLY | O_TRUNC:
1044 1044 e = AUE_OPEN_RT;
1045 1045 break;
1046 1046 case O_RDONLY | O_TRUNC | O_CREAT:
1047 1047 e = AUE_OPEN_RTC;
1048 1048 break;
1049 1049 case O_WRONLY:
1050 1050 e = AUE_OPEN_W;
1051 1051 break;
1052 1052 case O_WRONLY | O_CREAT:
1053 1053 e = AUE_OPEN_WC;
1054 1054 break;
1055 1055 case O_WRONLY | O_TRUNC:
1056 1056 e = AUE_OPEN_WT;
1057 1057 break;
1058 1058 case O_WRONLY | O_TRUNC | O_CREAT:
1059 1059 e = AUE_OPEN_WTC;
1060 1060 break;
1061 1061 case O_RDWR:
1062 1062 e = AUE_OPEN_RW;
1063 1063 break;
1064 1064 case O_RDWR | O_CREAT:
1065 1065 e = AUE_OPEN_RWC;
1066 1066 break;
1067 1067 case O_RDWR | O_TRUNC:
1068 1068 e = AUE_OPEN_RWT;
1069 1069 break;
1070 1070 case O_RDWR | O_TRUNC | O_CREAT:
1071 1071 e = AUE_OPEN_RWTC;
1072 1072 break;
1073 1073 case O_SEARCH:
1074 1074 e = AUE_OPEN_S;
1075 1075 break;
1076 1076 case O_EXEC:
1077 1077 e = AUE_OPEN_E;
1078 1078 break;
1079 1079 default:
1080 1080 e = AUE_NULL;
1081 1081 break;
1082 1082 }
1083 1083
1084 1084 return (e);
1085 1085 }
1086 1086
1087 1087 /* ARGSUSED */
1088 1088 static au_event_t
1089 1089 aui_open(au_event_t e)
1090 1090 {
1091 1091 klwp_t *clwp = ttolwp(curthread);
1092 1092 uint_t fm;
1093 1093
1094 1094 struct a {
1095 1095 long fnamep; /* char * */
1096 1096 long fmode;
1097 1097 long cmode;
1098 1098 } *uap = (struct a *)clwp->lwp_ap;
1099 1099
1100 1100 fm = (uint_t)uap->fmode;
1101 1101
1102 1102 return (open_event(fm));
1103 1103 }
1104 1104
1105 1105 static void
1106 1106 aus_open(struct t_audit_data *tad)
1107 1107 {
1108 1108 klwp_t *clwp = ttolwp(curthread);
1109 1109 uint_t fm;
1110 1110
1111 1111 struct a {
1112 1112 long fnamep; /* char * */
1113 1113 long fmode;
1114 1114 long cmode;
1115 1115 } *uap = (struct a *)clwp->lwp_ap;
1116 1116
1117 1117 fm = (uint_t)uap->fmode;
1118 1118
1119 1119 /* If no write, create, or trunc modes, mark as a public op */
1120 1120 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1121 1121 tad->tad_ctrl |= TAD_PUBLIC_EV;
1122 1122 }
1123 1123
1124 1124 /* ARGSUSED */
1125 1125 static au_event_t
1126 1126 aui_openat(au_event_t e)
1127 1127 {
1128 1128 t_audit_data_t *tad = T2A(curthread);
1129 1129 klwp_t *clwp = ttolwp(curthread);
1130 1130 uint_t fm;
1131 1131
1132 1132 struct a {
1133 1133 long filedes;
1134 1134 long fnamep; /* char * */
1135 1135 long fmode;
1136 1136 long cmode;
1137 1137 } *uap = (struct a *)clwp->lwp_ap;
1138 1138
1139 1139 fm = (uint_t)uap->fmode;
1140 1140
1141 1141 /*
1142 1142 * __openattrdirat() does an extra pathname lookup in order to
1143 1143 * enter the extended system attribute namespace of the referenced
1144 1144 * extended attribute filename.
1145 1145 */
1146 1146 if (fm & FXATTRDIROPEN)
1147 1147 tad->tad_ctrl |= TAD_MLD;
1148 1148
1149 1149 return (open_event(fm));
1150 1150 }
1151 1151
1152 1152 static void
1153 1153 aus_openat(struct t_audit_data *tad)
1154 1154 {
1155 1155 klwp_t *clwp = ttolwp(curthread);
1156 1156 uint_t fm;
1157 1157
1158 1158 struct a {
1159 1159 long filedes;
1160 1160 long fnamep; /* char * */
1161 1161 long fmode;
1162 1162 long cmode;
1163 1163 } *uap = (struct a *)clwp->lwp_ap;
1164 1164
1165 1165 fm = (uint_t)uap->fmode;
1166 1166
1167 1167 /* If no write, create, or trunc modes, mark as a public op */
1168 1168 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1169 1169 tad->tad_ctrl |= TAD_PUBLIC_EV;
1170 1170 }
1171 1171
1172 1172 static au_event_t
1173 1173 aui_unlinkat(au_event_t e)
1174 1174 {
1175 1175 klwp_t *clwp = ttolwp(curthread);
1176 1176
1177 1177 struct a {
1178 1178 long filedes;
1179 1179 long fnamep; /* char * */
1180 1180 long flags;
1181 1181 } *uap = (struct a *)clwp->lwp_ap;
1182 1182
1183 1183 if (uap->flags & AT_REMOVEDIR)
1184 1184 e = AUE_RMDIR;
1185 1185 else
1186 1186 e = AUE_UNLINK;
1187 1187
1188 1188 return (e);
1189 1189 }
1190 1190
1191 1191 static au_event_t
1192 1192 aui_fstatat(au_event_t e)
1193 1193 {
1194 1194 klwp_t *clwp = ttolwp(curthread);
1195 1195
1196 1196 struct a {
1197 1197 long filedes;
1198 1198 long fnamep; /* char * */
1199 1199 long statb;
1200 1200 long flags;
1201 1201 } *uap = (struct a *)clwp->lwp_ap;
1202 1202
1203 1203 if (uap->fnamep == 0)
1204 1204 e = AUE_FSTAT;
1205 1205 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1206 1206 e = AUE_LSTAT;
1207 1207 else
1208 1208 e = AUE_STAT;
1209 1209
1210 1210 return (e);
1211 1211 }
1212 1212
1213 1213 /* msgsys */
1214 1214 static au_event_t
1215 1215 aui_msgsys(au_event_t e)
1216 1216 {
1217 1217 klwp_t *clwp = ttolwp(curthread);
1218 1218 uint_t fm;
1219 1219
1220 1220 struct a {
1221 1221 long id; /* function code id */
1222 1222 long ap; /* arg pointer for recvmsg */
1223 1223 } *uap = (struct a *)clwp->lwp_ap;
1224 1224
1225 1225 struct b {
1226 1226 long msgid;
1227 1227 long cmd;
1228 1228 long buf; /* struct msqid_ds * */
1229 1229 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1230 1230
1231 1231 fm = (uint_t)uap->id;
1232 1232
1233 1233 switch (fm) {
1234 1234 case 0: /* msgget */
1235 1235 e = AUE_MSGGET;
1236 1236 break;
1237 1237 case 1: /* msgctl */
1238 1238 switch ((uint_t)uap1->cmd) {
1239 1239 case IPC_RMID:
1240 1240 e = AUE_MSGCTL_RMID;
1241 1241 break;
1242 1242 case IPC_SET:
1243 1243 e = AUE_MSGCTL_SET;
1244 1244 break;
1245 1245 case IPC_STAT:
1246 1246 e = AUE_MSGCTL_STAT;
1247 1247 break;
1248 1248 default:
1249 1249 e = AUE_MSGCTL;
1250 1250 break;
1251 1251 }
1252 1252 break;
1253 1253 case 2: /* msgrcv */
1254 1254 e = AUE_MSGRCV;
1255 1255 break;
1256 1256 case 3: /* msgsnd */
1257 1257 e = AUE_MSGSND;
1258 1258 break;
1259 1259 default: /* illegal system call */
1260 1260 e = AUE_NULL;
1261 1261 break;
1262 1262 }
1263 1263
1264 1264 return (e);
1265 1265 }
1266 1266
1267 1267
1268 1268 /* shmsys */
1269 1269 static au_event_t
1270 1270 aui_shmsys(au_event_t e)
1271 1271 {
1272 1272 klwp_t *clwp = ttolwp(curthread);
1273 1273 int fm;
1274 1274
1275 1275 struct a { /* shmsys */
1276 1276 long id; /* function code id */
1277 1277 } *uap = (struct a *)clwp->lwp_ap;
1278 1278
1279 1279 struct b { /* ctrl */
1280 1280 long shmid;
1281 1281 long cmd;
1282 1282 long arg; /* struct shmid_ds * */
1283 1283 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1284 1284 fm = (uint_t)uap->id;
1285 1285
1286 1286 switch (fm) {
1287 1287 case 0: /* shmat */
1288 1288 e = AUE_SHMAT;
1289 1289 break;
1290 1290 case 1: /* shmctl */
1291 1291 switch ((uint_t)uap1->cmd) {
1292 1292 case IPC_RMID:
1293 1293 e = AUE_SHMCTL_RMID;
1294 1294 break;
1295 1295 case IPC_SET:
1296 1296 e = AUE_SHMCTL_SET;
1297 1297 break;
1298 1298 case IPC_STAT:
1299 1299 e = AUE_SHMCTL_STAT;
1300 1300 break;
1301 1301 default:
1302 1302 e = AUE_SHMCTL;
1303 1303 break;
1304 1304 }
1305 1305 break;
1306 1306 case 2: /* shmdt */
1307 1307 e = AUE_SHMDT;
1308 1308 break;
1309 1309 case 3: /* shmget */
1310 1310 e = AUE_SHMGET;
1311 1311 break;
1312 1312 default: /* illegal system call */
1313 1313 e = AUE_NULL;
1314 1314 break;
1315 1315 }
1316 1316
1317 1317 return (e);
1318 1318 }
1319 1319
1320 1320
1321 1321 /* semsys */
1322 1322 static au_event_t
1323 1323 aui_semsys(au_event_t e)
1324 1324 {
1325 1325 klwp_t *clwp = ttolwp(curthread);
1326 1326 uint_t fm;
1327 1327
1328 1328 struct a { /* semsys */
1329 1329 long id;
1330 1330 } *uap = (struct a *)clwp->lwp_ap;
1331 1331
1332 1332 struct b { /* ctrl */
1333 1333 long semid;
1334 1334 long semnum;
1335 1335 long cmd;
1336 1336 long arg;
1337 1337 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1338 1338
1339 1339 fm = (uint_t)uap->id;
1340 1340
1341 1341 switch (fm) {
1342 1342 case 0: /* semctl */
1343 1343 switch ((uint_t)uap1->cmd) {
1344 1344 case IPC_RMID:
1345 1345 e = AUE_SEMCTL_RMID;
1346 1346 break;
1347 1347 case IPC_SET:
1348 1348 e = AUE_SEMCTL_SET;
1349 1349 break;
1350 1350 case IPC_STAT:
1351 1351 e = AUE_SEMCTL_STAT;
1352 1352 break;
1353 1353 case GETNCNT:
1354 1354 e = AUE_SEMCTL_GETNCNT;
1355 1355 break;
1356 1356 case GETPID:
1357 1357 e = AUE_SEMCTL_GETPID;
1358 1358 break;
1359 1359 case GETVAL:
1360 1360 e = AUE_SEMCTL_GETVAL;
1361 1361 break;
1362 1362 case GETALL:
1363 1363 e = AUE_SEMCTL_GETALL;
1364 1364 break;
1365 1365 case GETZCNT:
1366 1366 e = AUE_SEMCTL_GETZCNT;
1367 1367 break;
1368 1368 case SETVAL:
1369 1369 e = AUE_SEMCTL_SETVAL;
1370 1370 break;
1371 1371 case SETALL:
1372 1372 e = AUE_SEMCTL_SETALL;
1373 1373 break;
1374 1374 default:
1375 1375 e = AUE_SEMCTL;
1376 1376 break;
1377 1377 }
1378 1378 break;
1379 1379 case 1: /* semget */
1380 1380 e = AUE_SEMGET;
1381 1381 break;
1382 1382 case 2: /* semop */
1383 1383 e = AUE_SEMOP;
1384 1384 break;
1385 1385 default: /* illegal system call */
1386 1386 e = AUE_NULL;
1387 1387 break;
1388 1388 }
1389 1389
1390 1390 return (e);
1391 1391 }
1392 1392
1393 1393 /* utssys - uname(2), ustat(2), fusers(2) */
1394 1394 static au_event_t
1395 1395 aui_utssys(au_event_t e)
1396 1396 {
1397 1397 klwp_t *clwp = ttolwp(curthread);
1398 1398 uint_t type;
1399 1399
1400 1400 struct a {
1401 1401 union {
1402 1402 long cbuf; /* char * */
1403 1403 long ubuf; /* struct stat * */
1404 1404 } ub;
1405 1405 union {
1406 1406 long mv; /* for USTAT */
1407 1407 long flags; /* for FUSERS */
1408 1408 } un;
1409 1409 long type;
1410 1410 long outbp; /* char * for FUSERS */
1411 1411 } *uap = (struct a *)clwp->lwp_ap;
1412 1412
1413 1413 type = (uint_t)uap->type;
1414 1414
1415 1415 if (type == UTS_FUSERS)
1416 1416 return (e);
1417 1417 else
1418 1418 return ((au_event_t)AUE_NULL);
1419 1419 }
1420 1420
1421 1421 static au_event_t
1422 1422 aui_fcntl(au_event_t e)
1423 1423 {
1424 1424 klwp_t *clwp = ttolwp(curthread);
1425 1425 uint_t cmd;
1426 1426
1427 1427 struct a {
1428 1428 long fdes;
1429 1429 long cmd;
1430 1430 long arg;
1431 1431 } *uap = (struct a *)clwp->lwp_ap;
1432 1432
1433 1433 cmd = (uint_t)uap->cmd;
1434 1434
1435 1435 switch (cmd) {
1436 1436 case F_GETLK:
1437 1437 case F_SETLK:
1438 1438 case F_SETLKW:
1439 1439 break;
1440 1440 case F_SETFL:
1441 1441 case F_GETFL:
1442 1442 case F_GETFD:
1443 1443 break;
1444 1444 default:
1445 1445 e = (au_event_t)AUE_NULL;
1446 1446 break;
1447 1447 }
1448 1448 return ((au_event_t)e);
1449 1449 }
1450 1450
1451 1451 /* null function for now */
1452 1452 static au_event_t
1453 1453 aui_execve(au_event_t e)
1454 1454 {
1455 1455 return (e);
1456 1456 }
1457 1457
1458 1458 /*ARGSUSED*/
1459 1459 static void
1460 1460 aus_fcntl(struct t_audit_data *tad)
1461 1461 {
1462 1462 klwp_t *clwp = ttolwp(curthread);
1463 1463 uint32_t cmd, fd, flags;
1464 1464 struct file *fp;
1465 1465 struct vnode *vp;
1466 1466 struct f_audit_data *fad;
1467 1467
1468 1468 struct a {
1469 1469 long fd;
1470 1470 long cmd;
1471 1471 long arg;
1472 1472 } *uap = (struct a *)clwp->lwp_ap;
1473 1473
1474 1474 cmd = (uint32_t)uap->cmd;
1475 1475 fd = (uint32_t)uap->fd;
1476 1476 flags = (uint32_t)uap->arg;
1477 1477
1478 1478 au_uwrite(au_to_arg32(2, "cmd", cmd));
1479 1479
1480 1480 if (cmd == F_SETFL)
1481 1481 au_uwrite(au_to_arg32(3, "flags", flags));
1482 1482
1483 1483 /*
1484 1484 * convert file pointer to file descriptor
1485 1485 * Note: fd ref count incremented here.
1486 1486 */
1487 1487 if ((fp = getf(fd)) == NULL)
1488 1488 return;
1489 1489
1490 1490 /* get path from file struct here */
1491 1491 fad = F2A(fp);
1492 1492 if (fad->fad_aupath != NULL) {
1493 1493 au_uwrite(au_to_path(fad->fad_aupath));
1494 1494 } else {
1495 1495 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1496 1496 }
1497 1497
1498 1498 vp = fp->f_vnode;
1499 1499 audit_attributes(vp);
1500 1500
1501 1501 /* decrement file descriptor reference count */
1502 1502 releasef(fd);
1503 1503 }
1504 1504
1505 1505 /*ARGSUSED*/
1506 1506 static void
1507 1507 aus_kill(struct t_audit_data *tad)
1508 1508 {
1509 1509 klwp_t *clwp = ttolwp(curthread);
1510 1510 struct proc *p;
1511 1511 uint32_t signo;
1512 1512 uid_t uid, ruid;
1513 1513 gid_t gid, rgid;
1514 1514 pid_t pid;
1515 1515 const auditinfo_addr_t *ainfo;
1516 1516 cred_t *cr;
1517 1517
1518 1518 struct a {
1519 1519 long pid;
1520 1520 long signo;
1521 1521 } *uap = (struct a *)clwp->lwp_ap;
1522 1522
1523 1523 pid = (pid_t)uap->pid;
1524 1524 signo = (uint32_t)uap->signo;
1525 1525
1526 1526 au_uwrite(au_to_arg32(2, "signal", signo));
1527 1527 if (pid > 0) {
1528 1528 mutex_enter(&pidlock);
1529 1529 if (((p = prfind(pid)) == (struct proc *)0) ||
1530 1530 (p->p_stat == SIDL)) {
1531 1531 mutex_exit(&pidlock);
1532 1532 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1533 1533 return;
1534 1534 }
1535 1535 mutex_enter(&p->p_lock); /* so process doesn't go away */
1536 1536 mutex_exit(&pidlock);
1537 1537
1538 1538 mutex_enter(&p->p_crlock);
1539 1539 crhold(cr = p->p_cred);
1540 1540 mutex_exit(&p->p_crlock);
1541 1541 mutex_exit(&p->p_lock);
1542 1542
1543 1543 ainfo = crgetauinfo(cr);
1544 1544 if (ainfo == NULL) {
1545 1545 crfree(cr);
1546 1546 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1547 1547 return;
1548 1548 }
1549 1549
1550 1550 uid = crgetuid(cr);
1551 1551 gid = crgetgid(cr);
1552 1552 ruid = crgetruid(cr);
1553 1553 rgid = crgetrgid(cr);
1554 1554 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1555 1555 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1556 1556
1557 1557 if (is_system_labeled())
1558 1558 au_uwrite(au_to_label(CR_SL(cr)));
1559 1559
1560 1560 crfree(cr);
1561 1561 }
1562 1562 else
1563 1563 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1564 1564 }
1565 1565
1566 1566 /*ARGSUSED*/
1567 1567 static void
1568 1568 aus_mkdir(struct t_audit_data *tad)
1569 1569 {
1570 1570 klwp_t *clwp = ttolwp(curthread);
1571 1571 uint32_t dmode;
1572 1572
1573 1573 struct a {
1574 1574 long dirnamep; /* char * */
1575 1575 long dmode;
1576 1576 } *uap = (struct a *)clwp->lwp_ap;
1577 1577
1578 1578 dmode = (uint32_t)uap->dmode;
1579 1579
1580 1580 au_uwrite(au_to_arg32(2, "mode", dmode));
1581 1581 }
1582 1582
1583 1583 /*ARGSUSED*/
1584 1584 static void
1585 1585 aus_mkdirat(struct t_audit_data *tad)
1586 1586 {
1587 1587 klwp_t *clwp = ttolwp(curthread);
1588 1588 uint32_t dmode;
1589 1589
1590 1590 struct a {
1591 1591 long fd;
1592 1592 long dirnamep; /* char * */
1593 1593 long dmode;
1594 1594 } *uap = (struct a *)clwp->lwp_ap;
1595 1595
1596 1596 dmode = (uint32_t)uap->dmode;
1597 1597
1598 1598 au_uwrite(au_to_arg32(2, "mode", dmode));
1599 1599 }
1600 1600
1601 1601 /*ARGSUSED*/
1602 1602 static void
1603 1603 aus_mknod(struct t_audit_data *tad)
1604 1604 {
1605 1605 klwp_t *clwp = ttolwp(curthread);
1606 1606 uint32_t fmode;
1607 1607 dev_t dev;
1608 1608
1609 1609 struct a {
1610 1610 long pnamep; /* char * */
1611 1611 long fmode;
1612 1612 long dev;
1613 1613 } *uap = (struct a *)clwp->lwp_ap;
1614 1614
1615 1615 fmode = (uint32_t)uap->fmode;
1616 1616 dev = (dev_t)uap->dev;
1617 1617
1618 1618 au_uwrite(au_to_arg32(2, "mode", fmode));
1619 1619 #ifdef _LP64
1620 1620 au_uwrite(au_to_arg64(3, "dev", dev));
1621 1621 #else
1622 1622 au_uwrite(au_to_arg32(3, "dev", dev));
1623 1623 #endif
1624 1624 }
1625 1625
1626 1626 /*ARGSUSED*/
1627 1627 static void
1628 1628 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1629 1629 {
1630 1630 klwp_t *clwp = ttolwp(curthread);
1631 1631 vnode_t *dvp;
1632 1632 caddr_t pnamep;
1633 1633
1634 1634 struct a {
1635 1635 long pnamep; /* char * */
1636 1636 long fmode;
1637 1637 long dev;
1638 1638 } *uap = (struct a *)clwp->lwp_ap;
1639 1639
1640 1640 /* no error, then already path token in audit record */
1641 1641 if (error != EPERM && error != EINVAL)
1642 1642 return;
1643 1643
1644 1644 /* do the lookup to force generation of path token */
1645 1645 pnamep = (caddr_t)uap->pnamep;
1646 1646 tad->tad_ctrl |= TAD_NOATTRB;
1647 1647 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1648 1648 if (error == 0)
1649 1649 VN_RELE(dvp);
1650 1650 }
1651 1651
1652 1652 /*ARGSUSED*/
1653 1653 static void
1654 1654 aus_mknodat(struct t_audit_data *tad)
1655 1655 {
1656 1656 klwp_t *clwp = ttolwp(curthread);
1657 1657 uint32_t fmode;
1658 1658 dev_t dev;
1659 1659
1660 1660 struct a {
1661 1661 long fd;
1662 1662 long pnamep; /* char * */
1663 1663 long fmode;
1664 1664 long dev;
1665 1665 } *uap = (struct a *)clwp->lwp_ap;
1666 1666
1667 1667 fmode = (uint32_t)uap->fmode;
1668 1668 dev = (dev_t)uap->dev;
1669 1669
1670 1670 au_uwrite(au_to_arg32(2, "mode", fmode));
1671 1671 #ifdef _LP64
1672 1672 au_uwrite(au_to_arg64(3, "dev", dev));
1673 1673 #else
1674 1674 au_uwrite(au_to_arg32(3, "dev", dev));
1675 1675 #endif
1676 1676 }
1677 1677
1678 1678 /*ARGSUSED*/
1679 1679 static void
1680 1680 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1681 1681 {
1682 1682 klwp_t *clwp = ttolwp(curthread);
1683 1683 vnode_t *startvp;
1684 1684 vnode_t *dvp;
1685 1685 caddr_t pnamep;
1686 1686 int fd;
1687 1687
1688 1688 struct a {
1689 1689 long fd;
1690 1690 long pnamep; /* char * */
1691 1691 long fmode;
1692 1692 long dev;
1693 1693 } *uap = (struct a *)clwp->lwp_ap;
1694 1694
1695 1695 /* no error, then already path token in audit record */
1696 1696 if (error != EPERM && error != EINVAL)
1697 1697 return;
1698 1698
1699 1699 /* do the lookup to force generation of path token */
1700 1700 fd = (int)uap->fd;
1701 1701 pnamep = (caddr_t)uap->pnamep;
1702 1702 if (pnamep == NULL ||
1703 1703 fgetstartvp(fd, pnamep, &startvp) != 0)
1704 1704 return;
1705 1705 tad->tad_ctrl |= TAD_NOATTRB;
1706 1706 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1707 1707 startvp);
1708 1708 if (error == 0)
1709 1709 VN_RELE(dvp);
1710 1710 if (startvp != NULL)
1711 1711 VN_RELE(startvp);
1712 1712 }
1713 1713
1714 1714 /*ARGSUSED*/
1715 1715 static void
1716 1716 aus_mount(struct t_audit_data *tad)
1717 1717 {
1718 1718 /* AUS_START */
1719 1719 klwp_t *clwp = ttolwp(curthread);
1720 1720 uint32_t flags;
1721 1721 uintptr_t u_fstype, dataptr;
1722 1722 STRUCT_DECL(nfs_args, nfsargs);
1723 1723 size_t len;
1724 1724 char *fstype, *hostname;
1725 1725
1726 1726 struct a {
1727 1727 long spec; /* char * */
1728 1728 long dir; /* char * */
1729 1729 long flags;
1730 1730 long fstype; /* char * */
1731 1731 long dataptr; /* char * */
1732 1732 long datalen;
1733 1733 } *uap = (struct a *)clwp->lwp_ap;
1734 1734
1735 1735 u_fstype = (uintptr_t)uap->fstype;
1736 1736 flags = (uint32_t)uap->flags;
1737 1737 dataptr = (uintptr_t)uap->dataptr;
1738 1738
1739 1739 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1740 1740 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1741 1741 goto mount_free_fstype;
1742 1742
1743 1743 au_uwrite(au_to_arg32(3, "flags", flags));
1744 1744 au_uwrite(au_to_text(fstype));
1745 1745
1746 1746 if (strncmp(fstype, "nfs", 3) == 0) {
1747 1747
1748 1748 STRUCT_INIT(nfsargs, get_udatamodel());
1749 1749 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1750 1750
1751 1751 if (copyin((caddr_t)dataptr, STRUCT_BUF(nfsargs),
1752 1752 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1753 1753 /* DEBUG debug_enter((char *)NULL); */
1754 1754 goto mount_free_fstype;
1755 1755 }
1756 1756 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1757 1757 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1758 1758 (caddr_t)hostname, MAXNAMELEN, &len)) {
1759 1759 goto mount_free_hostname;
1760 1760 }
1761 1761 au_uwrite(au_to_text(hostname));
1762 1762 au_uwrite(au_to_arg32(3, "internal flags",
1763 1763 (uint_t)STRUCT_FGET(nfsargs, flags)));
1764 1764
1765 1765 mount_free_hostname:
1766 1766 kmem_free(hostname, MAXNAMELEN);
1767 1767 }
1768 1768
1769 1769 mount_free_fstype:
1770 1770 kmem_free(fstype, MAXNAMELEN);
1771 1771 } /* AUS_MOUNT */
1772 1772
1773 1773 static void
1774 1774 aus_umount_path(caddr_t umount_dir)
1775 1775 {
1776 1776 char *dir_path;
1777 1777 struct audit_path *path;
1778 1778 size_t path_len, dir_len;
1779 1779
1780 1780 /* length alloc'd for two string pointers */
1781 1781 path_len = sizeof (struct audit_path) + sizeof (char *);
1782 1782 path = kmem_alloc(path_len, KM_SLEEP);
1783 1783 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1784 1784
1785 1785 if (copyinstr(umount_dir, (caddr_t)dir_path,
1786 1786 MAXPATHLEN, &dir_len))
1787 1787 goto umount2_free_dir;
1788 1788
1789 1789 /*
1790 1790 * the audit_path struct assumes that the buffer pointed to
1791 1791 * by audp_sect[n] contains string 0 immediatedly followed
1792 1792 * by string 1.
1793 1793 */
1794 1794 path->audp_sect[0] = dir_path;
1795 1795 path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1796 1796 path->audp_size = path_len;
1797 1797 path->audp_ref = 1; /* not used */
1798 1798 path->audp_cnt = 1; /* one path string */
1799 1799
1800 1800 au_uwrite(au_to_path(path));
1801 1801
1802 1802 umount2_free_dir:
1803 1803 kmem_free(dir_path, MAXPATHLEN);
1804 1804 kmem_free(path, path_len);
1805 1805 }
1806 1806
1807 1807 /*ARGSUSED*/
1808 1808 static void
1809 1809 aus_umount2(struct t_audit_data *tad)
1810 1810 {
1811 1811 klwp_t *clwp = ttolwp(curthread);
1812 1812 struct a {
1813 1813 long dir; /* char * */
1814 1814 long flags;
1815 1815 } *uap = (struct a *)clwp->lwp_ap;
1816 1816
1817 1817 aus_umount_path((caddr_t)uap->dir);
1818 1818
1819 1819 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1820 1820 }
1821 1821
1822 1822 static void
1823 1823 aus_msgsys(struct t_audit_data *tad)
1824 1824 {
1825 1825 klwp_t *clwp = ttolwp(curthread);
1826 1826 uint32_t msgid;
1827 1827
1828 1828 struct b {
1829 1829 long msgid;
1830 1830 long cmd;
1831 1831 long buf; /* struct msqid_ds * */
1832 1832 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1833 1833
1834 1834 msgid = (uint32_t)uap1->msgid;
1835 1835
1836 1836
1837 1837 switch (tad->tad_event) {
1838 1838 case AUE_MSGGET: /* msgget */
1839 1839 au_uwrite(au_to_arg32(1, "msg key", msgid));
1840 1840 break;
1841 1841 case AUE_MSGCTL: /* msgctl */
1842 1842 case AUE_MSGCTL_RMID: /* msgctl */
1843 1843 case AUE_MSGCTL_SET: /* msgctl */
1844 1844 case AUE_MSGCTL_STAT: /* msgctl */
1845 1845 case AUE_MSGRCV: /* msgrcv */
1846 1846 case AUE_MSGSND: /* msgsnd */
1847 1847 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1848 1848 break;
1849 1849 }
1850 1850 }
1851 1851
1852 1852 /*ARGSUSED*/
1853 1853 static void
1854 1854 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1855 1855 {
1856 1856 int id;
1857 1857
1858 1858 if (error != 0)
1859 1859 return;
1860 1860 if (tad->tad_event == AUE_MSGGET) {
1861 1861 uint32_t scid;
1862 1862 uint32_t sy_flags;
1863 1863
1864 1864 /* need to determine type of executing binary */
1865 1865 scid = tad->tad_scid;
1866 1866 #ifdef _SYSCALL32_IMPL
1867 1867 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1868 1868 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1869 1869 else
1870 1870 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1871 1871 #else
1872 1872 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1873 1873 #endif
1874 1874 if (sy_flags == SE_32RVAL1)
1875 1875 id = rval->r_val1;
1876 1876 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1877 1877 id = rval->r_val1;
1878 1878 if (sy_flags == SE_64RVAL)
1879 1879 id = (int)rval->r_vals;
1880 1880
1881 1881 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1882 1882 }
1883 1883 }
1884 1884
1885 1885 static void
1886 1886 aus_semsys(struct t_audit_data *tad)
1887 1887 {
1888 1888 klwp_t *clwp = ttolwp(curthread);
1889 1889 uint32_t semid;
1890 1890
1891 1891 struct b { /* ctrl */
1892 1892 long semid;
1893 1893 long semnum;
1894 1894 long cmd;
1895 1895 long arg;
1896 1896 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1897 1897
1898 1898 semid = (uint32_t)uap1->semid;
1899 1899
1900 1900 switch (tad->tad_event) {
1901 1901 case AUE_SEMCTL_RMID:
1902 1902 case AUE_SEMCTL_STAT:
1903 1903 case AUE_SEMCTL_GETNCNT:
1904 1904 case AUE_SEMCTL_GETPID:
1905 1905 case AUE_SEMCTL_GETVAL:
1906 1906 case AUE_SEMCTL_GETALL:
1907 1907 case AUE_SEMCTL_GETZCNT:
1908 1908 case AUE_SEMCTL_SET:
1909 1909 case AUE_SEMCTL_SETVAL:
1910 1910 case AUE_SEMCTL_SETALL:
1911 1911 case AUE_SEMCTL:
1912 1912 case AUE_SEMOP:
1913 1913 au_uwrite(au_to_arg32(1, "sem ID", semid));
1914 1914 break;
1915 1915 case AUE_SEMGET:
1916 1916 au_uwrite(au_to_arg32(1, "sem key", semid));
1917 1917 break;
1918 1918 }
1919 1919 }
1920 1920
1921 1921 /*ARGSUSED*/
1922 1922 static void
1923 1923 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1924 1924 {
1925 1925 int id;
1926 1926
1927 1927 if (error != 0)
1928 1928 return;
1929 1929 if (tad->tad_event == AUE_SEMGET) {
1930 1930 uint32_t scid;
1931 1931 uint32_t sy_flags;
1932 1932
1933 1933 /* need to determine type of executing binary */
1934 1934 scid = tad->tad_scid;
1935 1935 #ifdef _SYSCALL32_IMPL
1936 1936 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1937 1937 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1938 1938 else
1939 1939 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1940 1940 #else
1941 1941 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1942 1942 #endif
1943 1943 if (sy_flags == SE_32RVAL1)
1944 1944 id = rval->r_val1;
1945 1945 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1946 1946 id = rval->r_val1;
1947 1947 if (sy_flags == SE_64RVAL)
1948 1948 id = (int)rval->r_vals;
1949 1949
1950 1950 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1951 1951 }
1952 1952 }
1953 1953
1954 1954 /*ARGSUSED*/
1955 1955 static void
1956 1956 aus_close(struct t_audit_data *tad)
1957 1957 {
1958 1958 klwp_t *clwp = ttolwp(curthread);
1959 1959 uint32_t fd;
1960 1960 struct file *fp;
1961 1961 struct f_audit_data *fad;
1962 1962 struct vnode *vp;
1963 1963 struct vattr attr;
1964 1964 au_kcontext_t *kctx = GET_KCTX_PZ;
1965 1965
1966 1966 struct a {
1967 1967 long i;
1968 1968 } *uap = (struct a *)clwp->lwp_ap;
1969 1969
1970 1970 fd = (uint32_t)uap->i;
1971 1971
1972 1972 attr.va_mask = 0;
1973 1973 au_uwrite(au_to_arg32(1, "fd", fd));
1974 1974
1975 1975 /*
1976 1976 * convert file pointer to file descriptor
1977 1977 * Note: fd ref count incremented here.
1978 1978 */
1979 1979 if ((fp = getf(fd)) == NULL)
1980 1980 return;
1981 1981
1982 1982 fad = F2A(fp);
1983 1983 tad->tad_evmod = (au_emod_t)fad->fad_flags;
1984 1984 if (fad->fad_aupath != NULL) {
1985 1985 au_uwrite(au_to_path(fad->fad_aupath));
1986 1986 if ((vp = fp->f_vnode) != NULL) {
1987 1987 attr.va_mask = AT_ALL;
1988 1988 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1989 1989 /*
1990 1990 * When write was not used and the file can be
1991 1991 * considered public, skip the audit.
1992 1992 */
1993 1993 if (((fp->f_flag & FWRITE) == 0) &&
1994 1994 object_is_public(&attr)) {
1995 1995 tad->tad_flag = 0;
1996 1996 tad->tad_evmod = 0;
1997 1997 /* free any residual audit data */
1998 1998 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1999 1999 releasef(fd);
2000 2000 return;
2001 2001 }
2002 2002 au_uwrite(au_to_attr(&attr));
2003 2003 audit_sec_attributes(&(u_ad), vp);
2004 2004 }
2005 2005 }
2006 2006 }
2007 2007
2008 2008 /* decrement file descriptor reference count */
2009 2009 releasef(fd);
2010 2010 }
2011 2011
2012 2012 /*ARGSUSED*/
2013 2013 static void
2014 2014 aus_fstatfs(struct t_audit_data *tad)
2015 2015 {
2016 2016 klwp_t *clwp = ttolwp(curthread);
2017 2017 uint32_t fd;
2018 2018 struct file *fp;
2019 2019 struct vnode *vp;
2020 2020 struct f_audit_data *fad;
2021 2021
2022 2022 struct a {
2023 2023 long fd;
2024 2024 long buf; /* struct statfs * */
2025 2025 } *uap = (struct a *)clwp->lwp_ap;
2026 2026
2027 2027 fd = (uint_t)uap->fd;
2028 2028
2029 2029 /*
2030 2030 * convert file pointer to file descriptor
2031 2031 * Note: fd ref count incremented here.
2032 2032 */
2033 2033 if ((fp = getf(fd)) == NULL)
2034 2034 return;
2035 2035
2036 2036 /* get path from file struct here */
2037 2037 fad = F2A(fp);
2038 2038 if (fad->fad_aupath != NULL) {
2039 2039 au_uwrite(au_to_path(fad->fad_aupath));
2040 2040 } else {
2041 2041 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2042 2042 }
2043 2043
2044 2044 vp = fp->f_vnode;
2045 2045 audit_attributes(vp);
2046 2046
2047 2047 /* decrement file descriptor reference count */
2048 2048 releasef(fd);
2049 2049 }
2050 2050
2051 2051 static au_event_t
2052 2052 aui_setpgrp(au_event_t e)
2053 2053 {
2054 2054 klwp_t *clwp = ttolwp(curthread);
2055 2055 int flag;
2056 2056
2057 2057 struct a {
2058 2058 long flag;
2059 2059 long pid;
2060 2060 long pgid;
2061 2061 } *uap = (struct a *)clwp->lwp_ap;
2062 2062
2063 2063 flag = (int)uap->flag;
2064 2064
2065 2065
2066 2066 switch (flag) {
2067 2067
2068 2068 case 1: /* setpgrp() */
2069 2069 e = AUE_SETPGRP;
2070 2070 break;
2071 2071
2072 2072 case 3: /* setsid() */
2073 2073 e = AUE_SETSID;
2074 2074 break;
2075 2075
2076 2076 case 5: /* setpgid() */
2077 2077 e = AUE_SETPGID;
2078 2078 break;
2079 2079
2080 2080 case 0: /* getpgrp() - not security relevant */
2081 2081 case 2: /* getsid() - not security relevant */
2082 2082 case 4: /* getpgid() - not security relevant */
2083 2083 e = AUE_NULL;
2084 2084 break;
2085 2085
2086 2086 default:
2087 2087 e = AUE_NULL;
2088 2088 break;
2089 2089 }
2090 2090
2091 2091 return (e);
2092 2092 }
2093 2093
2094 2094 /*ARGSUSED*/
2095 2095 static void
2096 2096 aus_setpgrp(struct t_audit_data *tad)
2097 2097 {
2098 2098 klwp_t *clwp = ttolwp(curthread);
2099 2099 pid_t pgid;
2100 2100 struct proc *p;
2101 2101 uid_t uid, ruid;
2102 2102 gid_t gid, rgid;
2103 2103 pid_t pid;
2104 2104 cred_t *cr;
2105 2105 int flag;
2106 2106 const auditinfo_addr_t *ainfo;
2107 2107
2108 2108 struct a {
2109 2109 long flag;
2110 2110 long pid;
2111 2111 long pgid;
2112 2112 } *uap = (struct a *)clwp->lwp_ap;
2113 2113
2114 2114 flag = (int)uap->flag;
2115 2115 pid = (pid_t)uap->pid;
2116 2116 pgid = (pid_t)uap->pgid;
2117 2117
2118 2118
2119 2119 switch (flag) {
2120 2120
2121 2121 case 0: /* getpgrp() */
2122 2122 case 1: /* setpgrp() */
2123 2123 case 2: /* getsid() */
2124 2124 case 3: /* setsid() */
2125 2125 case 4: /* getpgid() */
2126 2126 break;
2127 2127
2128 2128 case 5: /* setpgid() */
2129 2129
2130 2130 /* current process? */
2131 2131 if (pid == 0) {
2132 2132 return;
2133 2133 }
2134 2134
2135 2135 mutex_enter(&pidlock);
2136 2136 p = prfind(pid);
2137 2137 if (p == NULL || p->p_as == &kas ||
2138 2138 p->p_stat == SIDL || p->p_stat == SZOMB) {
2139 2139 mutex_exit(&pidlock);
2140 2140 return;
2141 2141 }
2142 2142 mutex_enter(&p->p_lock); /* so process doesn't go away */
2143 2143 mutex_exit(&pidlock);
2144 2144
2145 2145 mutex_enter(&p->p_crlock);
2146 2146 crhold(cr = p->p_cred);
2147 2147 mutex_exit(&p->p_crlock);
2148 2148 mutex_exit(&p->p_lock);
2149 2149
2150 2150 ainfo = crgetauinfo(cr);
2151 2151 if (ainfo == NULL) {
2152 2152 crfree(cr);
2153 2153 return;
2154 2154 }
2155 2155
2156 2156 uid = crgetuid(cr);
2157 2157 gid = crgetgid(cr);
2158 2158 ruid = crgetruid(cr);
2159 2159 rgid = crgetrgid(cr);
2160 2160 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2161 2161 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2162 2162 crfree(cr);
2163 2163 au_uwrite(au_to_arg32(2, "pgid", pgid));
2164 2164 break;
2165 2165
2166 2166 default:
2167 2167 break;
2168 2168 }
2169 2169 }
2170 2170
2171 2171
2172 2172 /*ARGSUSED*/
2173 2173 static void
2174 2174 aus_setregid(struct t_audit_data *tad)
2175 2175 {
2176 2176 klwp_t *clwp = ttolwp(curthread);
2177 2177 uint32_t rgid, egid;
2178 2178
2179 2179 struct a {
2180 2180 long rgid;
2181 2181 long egid;
2182 2182 } *uap = (struct a *)clwp->lwp_ap;
2183 2183
2184 2184 rgid = (uint32_t)uap->rgid;
2185 2185 egid = (uint32_t)uap->egid;
2186 2186
2187 2187 au_uwrite(au_to_arg32(1, "rgid", rgid));
2188 2188 au_uwrite(au_to_arg32(2, "egid", egid));
2189 2189 }
2190 2190
2191 2191 /*ARGSUSED*/
2192 2192 static void
2193 2193 aus_setgid(struct t_audit_data *tad)
2194 2194 {
2195 2195 klwp_t *clwp = ttolwp(curthread);
2196 2196 uint32_t gid;
2197 2197
2198 2198 struct a {
2199 2199 long gid;
2200 2200 } *uap = (struct a *)clwp->lwp_ap;
2201 2201
2202 2202 gid = (uint32_t)uap->gid;
2203 2203
2204 2204 au_uwrite(au_to_arg32(1, "gid", gid));
2205 2205 }
2206 2206
2207 2207
2208 2208 /*ARGSUSED*/
2209 2209 static void
2210 2210 aus_setreuid(struct t_audit_data *tad)
2211 2211 {
2212 2212 klwp_t *clwp = ttolwp(curthread);
2213 2213 uint32_t ruid, euid;
2214 2214
2215 2215 struct a {
2216 2216 long ruid;
2217 2217 long euid;
2218 2218 } *uap = (struct a *)clwp->lwp_ap;
2219 2219
2220 2220 ruid = (uint32_t)uap->ruid;
2221 2221 euid = (uint32_t)uap->euid;
2222 2222
2223 2223 au_uwrite(au_to_arg32(1, "ruid", ruid));
2224 2224 au_uwrite(au_to_arg32(2, "euid", euid));
2225 2225 }
2226 2226
2227 2227
2228 2228 /*ARGSUSED*/
2229 2229 static void
2230 2230 aus_setuid(struct t_audit_data *tad)
2231 2231 {
2232 2232 klwp_t *clwp = ttolwp(curthread);
2233 2233 uint32_t uid;
2234 2234
2235 2235 struct a {
2236 2236 long uid;
2237 2237 } *uap = (struct a *)clwp->lwp_ap;
2238 2238
2239 2239 uid = (uint32_t)uap->uid;
2240 2240
2241 2241 au_uwrite(au_to_arg32(1, "uid", uid));
2242 2242 }
2243 2243
2244 2244 /*ARGSUSED*/
2245 2245 static void
2246 2246 aus_shmsys(struct t_audit_data *tad)
2247 2247 {
2248 2248 klwp_t *clwp = ttolwp(curthread);
2249 2249 uint32_t id, cmd;
2250 2250
2251 2251 struct b {
2252 2252 long id;
2253 2253 long cmd;
2254 2254 long buf; /* struct shmid_ds * */
2255 2255 } *uap1 = (struct b *)&clwp->lwp_ap[1];
2256 2256
2257 2257 id = (uint32_t)uap1->id;
2258 2258 cmd = (uint32_t)uap1->cmd;
2259 2259
2260 2260 switch (tad->tad_event) {
2261 2261 case AUE_SHMGET: /* shmget */
2262 2262 au_uwrite(au_to_arg32(1, "shm key", id));
2263 2263 break;
2264 2264 case AUE_SHMCTL: /* shmctl */
2265 2265 case AUE_SHMCTL_RMID: /* shmctl */
2266 2266 case AUE_SHMCTL_STAT: /* shmctl */
2267 2267 case AUE_SHMCTL_SET: /* shmctl */
2268 2268 au_uwrite(au_to_arg32(1, "shm ID", id));
2269 2269 break;
2270 2270 case AUE_SHMDT: /* shmdt */
2271 2271 au_uwrite(au_to_arg32(1, "shm adr", id));
2272 2272 break;
2273 2273 case AUE_SHMAT: /* shmat */
2274 2274 au_uwrite(au_to_arg32(1, "shm ID", id));
2275 2275 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2276 2276 break;
2277 2277 }
2278 2278 }
2279 2279
2280 2280 /*ARGSUSED*/
2281 2281 static void
2282 2282 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2283 2283 {
2284 2284 int id;
2285 2285
2286 2286 if (error != 0)
2287 2287 return;
2288 2288 if (tad->tad_event == AUE_SHMGET) {
2289 2289 uint32_t scid;
2290 2290 uint32_t sy_flags;
2291 2291
2292 2292 /* need to determine type of executing binary */
2293 2293 scid = tad->tad_scid;
2294 2294 #ifdef _SYSCALL32_IMPL
2295 2295 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2296 2296 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2297 2297 else
2298 2298 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2299 2299 #else
2300 2300 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2301 2301 #endif
2302 2302 if (sy_flags == SE_32RVAL1)
2303 2303 id = rval->r_val1;
2304 2304 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2305 2305 id = rval->r_val1;
2306 2306 if (sy_flags == SE_64RVAL)
2307 2307 id = (int)rval->r_vals;
2308 2308 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2309 2309 }
2310 2310 }
2311 2311
2312 2312
2313 2313 /*ARGSUSED*/
2314 2314 static void
2315 2315 aus_ioctl(struct t_audit_data *tad)
2316 2316 {
2317 2317 klwp_t *clwp = ttolwp(curthread);
2318 2318 struct file *fp;
2319 2319 struct vnode *vp;
2320 2320 struct f_audit_data *fad;
2321 2321 uint32_t fd, cmd;
2322 2322 uintptr_t cmarg;
2323 2323
2324 2324 /* XX64 */
2325 2325 struct a {
2326 2326 long fd;
2327 2327 long cmd;
2328 2328 long cmarg; /* caddr_t */
2329 2329 } *uap = (struct a *)clwp->lwp_ap;
2330 2330
2331 2331 fd = (uint32_t)uap->fd;
2332 2332 cmd = (uint32_t)uap->cmd;
2333 2333 cmarg = (uintptr_t)uap->cmarg;
2334 2334
2335 2335 /*
2336 2336 * convert file pointer to file descriptor
2337 2337 * Note: fd ref count incremented here.
2338 2338 */
2339 2339 if ((fp = getf(fd)) == NULL) {
2340 2340 au_uwrite(au_to_arg32(1, "fd", fd));
2341 2341 au_uwrite(au_to_arg32(2, "cmd", cmd));
2342 2342 #ifndef _LP64
2343 2343 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2344 2344 #else
2345 2345 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2346 2346 #endif
2347 2347 return;
2348 2348 }
2349 2349
2350 2350 /* get path from file struct here */
2351 2351 fad = F2A(fp);
2352 2352 if (fad->fad_aupath != NULL) {
2353 2353 au_uwrite(au_to_path(fad->fad_aupath));
2354 2354 } else {
2355 2355 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2356 2356 }
2357 2357
2358 2358 vp = fp->f_vnode;
2359 2359 audit_attributes(vp);
2360 2360
2361 2361 /* decrement file descriptor reference count */
2362 2362 releasef(fd);
2363 2363
2364 2364 au_uwrite(au_to_arg32(2, "cmd", cmd));
2365 2365 #ifndef _LP64
2366 2366 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2367 2367 #else
2368 2368 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2369 2369 #endif
2370 2370 }
2371 2371
2372 2372 /*
2373 2373 * null function for memcntl for now. We might want to limit memcntl()
2374 2374 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2375 2375 * require privileges.
2376 2376 */
2377 2377 static au_event_t
2378 2378 aui_memcntl(au_event_t e)
2379 2379 {
2380 2380 return (e);
2381 2381 }
2382 2382
2383 2383 /*ARGSUSED*/
2384 2384 static au_event_t
2385 2385 aui_privsys(au_event_t e)
2386 2386 {
2387 2387 klwp_t *clwp = ttolwp(curthread);
2388 2388
2389 2389 struct a {
2390 2390 long opcode;
2391 2391 } *uap = (struct a *)clwp->lwp_ap;
2392 2392
2393 2393 switch (uap->opcode) {
2394 2394 case PRIVSYS_SETPPRIV:
2395 2395 return (AUE_SETPPRIV);
2396 2396 default:
2397 2397 return (AUE_NULL);
2398 2398 }
2399 2399 }
2400 2400
2401 2401 /*ARGSUSED*/
2402 2402 static void
2403 2403 aus_memcntl(struct t_audit_data *tad)
2404 2404 {
2405 2405 klwp_t *clwp = ttolwp(curthread);
2406 2406
2407 2407 struct a {
2408 2408 long addr;
2409 2409 long len;
2410 2410 long cmd;
2411 2411 long arg;
2412 2412 long attr;
2413 2413 long mask;
2414 2414 } *uap = (struct a *)clwp->lwp_ap;
2415 2415
2416 2416 #ifdef _LP64
2417 2417 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2418 2418 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2419 2419 #else
2420 2420 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2421 2421 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2422 2422 #endif
2423 2423 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2424 2424 #ifdef _LP64
2425 2425 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2426 2426 #else
2427 2427 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2428 2428 #endif
2429 2429 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2430 2430 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2431 2431 }
2432 2432
2433 2433 /*ARGSUSED*/
2434 2434 static void
2435 2435 aus_mmap(struct t_audit_data *tad)
2436 2436 {
2437 2437 klwp_t *clwp = ttolwp(curthread);
2438 2438 struct file *fp;
2439 2439 struct f_audit_data *fad;
2440 2440 struct vnode *vp;
2441 2441 uint32_t fd;
2442 2442
2443 2443 struct a {
2444 2444 long addr;
2445 2445 long len;
2446 2446 long prot;
2447 2447 long flags;
2448 2448 long fd;
2449 2449 long pos;
2450 2450 } *uap = (struct a *)clwp->lwp_ap;
2451 2451
2452 2452 fd = (uint32_t)uap->fd;
2453 2453
2454 2454 #ifdef _LP64
2455 2455 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2456 2456 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2457 2457 #else
2458 2458 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2459 2459 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2460 2460 #endif
2461 2461
2462 2462 if ((fp = getf(fd)) == NULL) {
2463 2463 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2464 2464 return;
2465 2465 }
2466 2466
2467 2467 /*
2468 2468 * Mark in the tad if write access is NOT requested... if
2469 2469 * this is later detected (in audit_attributes) to be a
2470 2470 * public object, the mmap event may be discarded.
2471 2471 */
2472 2472 if (((uap->prot) & PROT_WRITE) == 0) {
2473 2473 tad->tad_ctrl |= TAD_PUBLIC_EV;
2474 2474 }
2475 2475
2476 2476 fad = F2A(fp);
2477 2477 if (fad->fad_aupath != NULL) {
2478 2478 au_uwrite(au_to_path(fad->fad_aupath));
2479 2479 } else {
2480 2480 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2481 2481 }
2482 2482
2483 2483 vp = (struct vnode *)fp->f_vnode;
2484 2484 audit_attributes(vp);
2485 2485
2486 2486 /* mark READ/WRITE since we can't predict access */
2487 2487 if (uap->prot & PROT_READ)
2488 2488 fad->fad_flags |= FAD_READ;
2489 2489 if (uap->prot & PROT_WRITE)
2490 2490 fad->fad_flags |= FAD_WRITE;
2491 2491
2492 2492 /* decrement file descriptor reference count */
2493 2493 releasef(fd);
2494 2494
2495 2495 } /* AUS_MMAP */
2496 2496
2497 2497
2498 2498
2499 2499
2500 2500 /*ARGSUSED*/
2501 2501 static void
2502 2502 aus_munmap(struct t_audit_data *tad)
2503 2503 {
2504 2504 klwp_t *clwp = ttolwp(curthread);
2505 2505
2506 2506 struct a {
2507 2507 long addr;
2508 2508 long len;
2509 2509 } *uap = (struct a *)clwp->lwp_ap;
2510 2510
2511 2511 #ifdef _LP64
2512 2512 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2513 2513 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2514 2514 #else
2515 2515 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2516 2516 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2517 2517 #endif
2518 2518
2519 2519 } /* AUS_MUNMAP */
2520 2520
2521 2521
2522 2522
2523 2523
2524 2524
2525 2525
2526 2526
2527 2527 /*ARGSUSED*/
2528 2528 static void
2529 2529 aus_priocntlsys(struct t_audit_data *tad)
2530 2530 {
2531 2531 klwp_t *clwp = ttolwp(curthread);
2532 2532
2533 2533 struct a {
2534 2534 long pc_version;
2535 2535 long psp; /* procset_t */
2536 2536 long cmd;
2537 2537 long arg;
2538 2538 } *uap = (struct a *)clwp->lwp_ap;
2539 2539
2540 2540 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2541 2541 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2542 2542
2543 2543 } /* AUS_PRIOCNTLSYS */
2544 2544
2545 2545
2546 2546 /*ARGSUSED*/
2547 2547 static void
2548 2548 aus_setegid(struct t_audit_data *tad)
2549 2549 {
2550 2550 klwp_t *clwp = ttolwp(curthread);
2551 2551 uint32_t gid;
2552 2552
2553 2553 struct a {
2554 2554 long gid;
2555 2555 } *uap = (struct a *)clwp->lwp_ap;
2556 2556
2557 2557 gid = (uint32_t)uap->gid;
2558 2558
2559 2559 au_uwrite(au_to_arg32(1, "gid", gid));
2560 2560 } /* AUS_SETEGID */
2561 2561
2562 2562
2563 2563
2564 2564
2565 2565 /*ARGSUSED*/
2566 2566 static void
2567 2567 aus_setgroups(struct t_audit_data *tad)
2568 2568 {
2569 2569 klwp_t *clwp = ttolwp(curthread);
2570 2570 int i;
2571 2571 int gidsetsize;
2572 2572 uintptr_t gidset;
2573 2573 gid_t *gidlist;
2574 2574
2575 2575 struct a {
2576 2576 long gidsetsize;
2577 2577 long gidset;
2578 2578 } *uap = (struct a *)clwp->lwp_ap;
2579 2579
2580 2580 gidsetsize = (uint_t)uap->gidsetsize;
2581 2581 gidset = (uintptr_t)uap->gidset;
2582 2582
2583 2583 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2584 2584 return;
2585 2585 if (gidsetsize != 0) {
2586 2586 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2587 2587 KM_SLEEP);
2588 2588 if (copyin((caddr_t)gidset, gidlist,
2589 2589 gidsetsize * sizeof (gid_t)) == 0)
2590 2590 for (i = 0; i < gidsetsize; i++)
2591 2591 au_uwrite(au_to_arg32(1, "setgroups",
2592 2592 (uint32_t)gidlist[i]));
2593 2593 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2594 2594 } else
2595 2595 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2596 2596
2597 2597 } /* AUS_SETGROUPS */
2598 2598
2599 2599
2600 2600
2601 2601
2602 2602
2603 2603 /*ARGSUSED*/
2604 2604 static void
2605 2605 aus_seteuid(struct t_audit_data *tad)
2606 2606 {
2607 2607 klwp_t *clwp = ttolwp(curthread);
2608 2608 uint32_t uid;
2609 2609
2610 2610 struct a {
2611 2611 long uid;
2612 2612 } *uap = (struct a *)clwp->lwp_ap;
2613 2613
2614 2614 uid = (uint32_t)uap->uid;
2615 2615
2616 2616 au_uwrite(au_to_arg32(1, "euid", uid));
2617 2617
2618 2618 } /* AUS_SETEUID */
2619 2619
2620 2620 /*ARGSUSED*/
2621 2621 static void
2622 2622 aus_putmsg(struct t_audit_data *tad)
2623 2623 {
2624 2624 klwp_t *clwp = ttolwp(curthread);
2625 2625 uint32_t fd, pri;
2626 2626 struct file *fp;
2627 2627 struct f_audit_data *fad;
2628 2628
2629 2629 struct a {
2630 2630 long fdes;
2631 2631 long ctl; /* struct strbuf * */
2632 2632 long data; /* struct strbuf * */
2633 2633 long pri;
2634 2634 } *uap = (struct a *)clwp->lwp_ap;
2635 2635
2636 2636 fd = (uint32_t)uap->fdes;
2637 2637 pri = (uint32_t)uap->pri;
2638 2638
2639 2639 au_uwrite(au_to_arg32(1, "fd", fd));
2640 2640
2641 2641 if ((fp = getf(fd)) != NULL) {
2642 2642 fad = F2A(fp);
2643 2643
2644 2644 fad->fad_flags |= FAD_WRITE;
2645 2645
2646 2646 /* add path name to audit record */
2647 2647 if (fad->fad_aupath != NULL) {
2648 2648 au_uwrite(au_to_path(fad->fad_aupath));
2649 2649 }
2650 2650 audit_attributes(fp->f_vnode);
2651 2651
2652 2652 releasef(fd);
2653 2653 }
2654 2654
2655 2655 au_uwrite(au_to_arg32(4, "pri", pri));
2656 2656 }
2657 2657
2658 2658 /*ARGSUSED*/
2659 2659 static void
2660 2660 aus_putpmsg(struct t_audit_data *tad)
2661 2661 {
2662 2662 klwp_t *clwp = ttolwp(curthread);
2663 2663 uint32_t fd, pri, flags;
2664 2664 struct file *fp;
2665 2665 struct f_audit_data *fad;
2666 2666
2667 2667 struct a {
2668 2668 long fdes;
2669 2669 long ctl; /* struct strbuf * */
2670 2670 long data; /* struct strbuf * */
2671 2671 long pri;
2672 2672 long flags;
2673 2673 } *uap = (struct a *)clwp->lwp_ap;
2674 2674
2675 2675 fd = (uint32_t)uap->fdes;
2676 2676 pri = (uint32_t)uap->pri;
2677 2677 flags = (uint32_t)uap->flags;
2678 2678
2679 2679 au_uwrite(au_to_arg32(1, "fd", fd));
2680 2680
2681 2681 if ((fp = getf(fd)) != NULL) {
2682 2682 fad = F2A(fp);
2683 2683
2684 2684 fad->fad_flags |= FAD_WRITE;
2685 2685
2686 2686 /* add path name to audit record */
2687 2687 if (fad->fad_aupath != NULL) {
2688 2688 au_uwrite(au_to_path(fad->fad_aupath));
2689 2689 }
2690 2690 audit_attributes(fp->f_vnode);
2691 2691
2692 2692 releasef(fd);
2693 2693 }
2694 2694
2695 2695
2696 2696 au_uwrite(au_to_arg32(4, "pri", pri));
2697 2697 au_uwrite(au_to_arg32(5, "flags", flags));
2698 2698 }
2699 2699
2700 2700 /*ARGSUSED*/
2701 2701 static void
2702 2702 aus_getmsg(struct t_audit_data *tad)
2703 2703 {
2704 2704 klwp_t *clwp = ttolwp(curthread);
2705 2705 uint32_t fd, pri;
2706 2706 struct file *fp;
2707 2707 struct f_audit_data *fad;
2708 2708
2709 2709 struct a {
2710 2710 long fdes;
2711 2711 long ctl; /* struct strbuf * */
2712 2712 long data; /* struct strbuf * */
2713 2713 long pri;
2714 2714 } *uap = (struct a *)clwp->lwp_ap;
2715 2715
2716 2716 fd = (uint32_t)uap->fdes;
2717 2717 pri = (uint32_t)uap->pri;
2718 2718
2719 2719 au_uwrite(au_to_arg32(1, "fd", fd));
2720 2720
2721 2721 if ((fp = getf(fd)) != NULL) {
2722 2722 fad = F2A(fp);
2723 2723
2724 2724 /*
2725 2725 * read operation on this object
2726 2726 */
2727 2727 fad->fad_flags |= FAD_READ;
2728 2728
2729 2729 /* add path name to audit record */
2730 2730 if (fad->fad_aupath != NULL) {
2731 2731 au_uwrite(au_to_path(fad->fad_aupath));
2732 2732 }
2733 2733 audit_attributes(fp->f_vnode);
2734 2734
2735 2735 releasef(fd);
2736 2736 }
2737 2737
2738 2738 au_uwrite(au_to_arg32(4, "pri", pri));
2739 2739 }
2740 2740
2741 2741 /*ARGSUSED*/
2742 2742 static void
2743 2743 aus_getpmsg(struct t_audit_data *tad)
2744 2744 {
2745 2745 klwp_t *clwp = ttolwp(curthread);
2746 2746 uint32_t fd;
2747 2747 struct file *fp;
2748 2748 struct f_audit_data *fad;
2749 2749
2750 2750 struct a {
2751 2751 long fdes;
2752 2752 long ctl; /* struct strbuf * */
2753 2753 long data; /* struct strbuf * */
2754 2754 long pri;
2755 2755 long flags;
2756 2756 } *uap = (struct a *)clwp->lwp_ap;
2757 2757
2758 2758 fd = (uint32_t)uap->fdes;
2759 2759
2760 2760 au_uwrite(au_to_arg32(1, "fd", fd));
2761 2761
2762 2762 if ((fp = getf(fd)) != NULL) {
2763 2763 fad = F2A(fp);
2764 2764
2765 2765 /*
2766 2766 * read operation on this object
2767 2767 */
2768 2768 fad->fad_flags |= FAD_READ;
2769 2769
2770 2770 /* add path name to audit record */
2771 2771 if (fad->fad_aupath != NULL) {
2772 2772 au_uwrite(au_to_path(fad->fad_aupath));
2773 2773 }
2774 2774 audit_attributes(fp->f_vnode);
2775 2775
2776 2776 releasef(fd);
2777 2777 }
2778 2778 }
2779 2779
2780 2780 static au_event_t
2781 2781 aui_labelsys(au_event_t e)
2782 2782 {
2783 2783 klwp_t *clwp = ttolwp(curthread);
2784 2784 uint32_t code;
2785 2785 uint32_t cmd;
2786 2786
2787 2787 struct a {
2788 2788 long code;
2789 2789 long cmd;
2790 2790 } *uap = (struct a *)clwp->lwp_ap;
2791 2791
2792 2792 code = (uint32_t)uap->code;
2793 2793 cmd = (uint32_t)uap->cmd;
2794 2794
2795 2795 /* not security relevant if not changing kernel cache */
2796 2796 if (cmd == TNDB_GET)
2797 2797 return (AUE_NULL);
2798 2798
2799 2799 switch (code) {
2800 2800 case TSOL_TNRH:
2801 2801 e = AUE_LABELSYS_TNRH;
2802 2802 break;
2803 2803 case TSOL_TNRHTP:
2804 2804 e = AUE_LABELSYS_TNRHTP;
2805 2805 break;
2806 2806 case TSOL_TNMLP:
2807 2807 e = AUE_LABELSYS_TNMLP;
2808 2808 break;
2809 2809 default:
2810 2810 e = AUE_NULL;
2811 2811 break;
2812 2812 }
2813 2813
2814 2814 return (e);
2815 2815
2816 2816 }
2817 2817
2818 2818 static void
2819 2819 aus_labelsys(struct t_audit_data *tad)
2820 2820 {
2821 2821 klwp_t *clwp = ttolwp(curthread);
2822 2822 uint32_t cmd;
2823 2823 uintptr_t a2;
2824 2824
2825 2825 struct a {
2826 2826 long code;
2827 2827 long cmd;
2828 2828 long a2;
2829 2829 } *uap = (struct a *)clwp->lwp_ap;
2830 2830
2831 2831 cmd = (uint32_t)uap->cmd;
2832 2832 a2 = (uintptr_t)uap->a2;
2833 2833
2834 2834 switch (tad->tad_event) {
2835 2835 case AUE_LABELSYS_TNRH:
2836 2836 {
2837 2837 tsol_rhent_t *rhent;
2838 2838 tnaddr_t *rh_addr;
2839 2839
2840 2840 au_uwrite(au_to_arg32(1, "cmd", cmd));
2841 2841
2842 2842 /* Remaining args don't apply for FLUSH, so skip */
2843 2843 if (cmd == TNDB_FLUSH)
2844 2844 break;
2845 2845
2846 2846 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2847 2847 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2848 2848 kmem_free(rhent, sizeof (tsol_rhent_t));
2849 2849 return;
2850 2850 }
2851 2851
2852 2852 rh_addr = &rhent->rh_address;
2853 2853 if (rh_addr->ta_family == AF_INET) {
2854 2854 struct in_addr *ipaddr;
2855 2855
2856 2856 ipaddr = &(rh_addr->ta_addr_v4);
2857 2857 au_uwrite(au_to_in_addr(ipaddr));
2858 2858 } else if (rh_addr->ta_family == AF_INET6) {
2859 2859 int32_t *ipaddr;
2860 2860
2861 2861 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2862 2862 au_uwrite(au_to_in_addr_ex(ipaddr));
2863 2863 }
2864 2864 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2865 2865
2866 2866 kmem_free(rhent, sizeof (tsol_rhent_t));
2867 2867
2868 2868 break;
2869 2869 }
2870 2870 case AUE_LABELSYS_TNRHTP:
2871 2871 {
2872 2872 tsol_tpent_t *tpent;
2873 2873
2874 2874 au_uwrite(au_to_arg32(1, "cmd", cmd));
2875 2875
2876 2876 /* Remaining args don't apply for FLUSH, so skip */
2877 2877 if (cmd == TNDB_FLUSH)
2878 2878 break;
2879 2879
2880 2880 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2881 2881 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2882 2882 kmem_free(tpent, sizeof (tsol_tpent_t));
2883 2883 return;
2884 2884 }
2885 2885
2886 2886 /* Make sure that the template name is null-terminated. */
2887 2887 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2888 2888
2889 2889 au_uwrite(au_to_text(tpent->name));
2890 2890 kmem_free(tpent, sizeof (tsol_tpent_t));
2891 2891
2892 2892 break;
2893 2893 }
2894 2894 case AUE_LABELSYS_TNMLP:
2895 2895 {
2896 2896 tsol_mlpent_t *mlpent;
2897 2897
2898 2898 au_uwrite(au_to_arg32(1, "cmd", cmd));
2899 2899
2900 2900 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2901 2901 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2902 2902 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2903 2903 return;
2904 2904 }
2905 2905
2906 2906 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2907 2907 au_uwrite(au_to_text("shared"));
2908 2908 } else {
2909 2909 zone_t *zone;
2910 2910
2911 2911 zone = zone_find_by_id(mlpent->tsme_zoneid);
2912 2912 if (zone != NULL) {
2913 2913 au_uwrite(au_to_text(zone->zone_name));
2914 2914 zone_rele(zone);
2915 2915 }
2916 2916 }
2917 2917
2918 2918 /* Remaining args don't apply for FLUSH, so skip */
2919 2919 if (cmd == TNDB_FLUSH) {
2920 2920 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2921 2921 break;
2922 2922 }
2923 2923
2924 2924 au_uwrite(au_to_arg32(2, "proto num",
2925 2925 (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2926 2926 au_uwrite(au_to_arg32(2, "mlp_port",
2927 2927 (uint32_t)mlpent->tsme_mlp.mlp_port));
2928 2928
2929 2929 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2930 2930 au_uwrite(au_to_arg32(2, "mlp_port_upper",
2931 2931 (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2932 2932
2933 2933 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2934 2934
2935 2935 break;
2936 2936 }
2937 2937 default:
2938 2938 break;
2939 2939 }
2940 2940 }
2941 2941
2942 2942
2943 2943 static au_event_t
2944 2944 aui_auditsys(au_event_t e)
2945 2945 {
2946 2946 klwp_t *clwp = ttolwp(curthread);
2947 2947 uint32_t code;
2948 2948
2949 2949 struct a {
2950 2950 long code;
2951 2951 long a1;
2952 2952 long a2;
2953 2953 long a3;
2954 2954 long a4;
2955 2955 long a5;
2956 2956 long a6;
2957 2957 long a7;
2958 2958 } *uap = (struct a *)clwp->lwp_ap;
2959 2959
2960 2960 code = (uint32_t)uap->code;
2961 2961
2962 2962 switch (code) {
2963 2963
2964 2964 case BSM_GETAUID:
2965 2965 e = AUE_GETAUID;
2966 2966 break;
2967 2967 case BSM_SETAUID:
2968 2968 e = AUE_SETAUID;
2969 2969 break;
2970 2970 case BSM_GETAUDIT:
2971 2971 e = AUE_GETAUDIT;
2972 2972 break;
2973 2973 case BSM_GETAUDIT_ADDR:
2974 2974 e = AUE_GETAUDIT_ADDR;
2975 2975 break;
2976 2976 case BSM_SETAUDIT:
2977 2977 e = AUE_SETAUDIT;
2978 2978 break;
2979 2979 case BSM_SETAUDIT_ADDR:
2980 2980 e = AUE_SETAUDIT_ADDR;
2981 2981 break;
2982 2982 case BSM_AUDIT:
2983 2983 e = AUE_AUDIT;
2984 2984 break;
2985 2985 case BSM_AUDITCTL:
2986 2986 switch ((uint_t)uap->a1) {
2987 2987
2988 2988 case A_GETPOLICY:
2989 2989 e = AUE_AUDITON_GPOLICY;
2990 2990 break;
2991 2991 case A_SETPOLICY:
2992 2992 e = AUE_AUDITON_SPOLICY;
2993 2993 break;
2994 2994 case A_GETAMASK:
2995 2995 e = AUE_AUDITON_GETAMASK;
2996 2996 break;
2997 2997 case A_SETAMASK:
2998 2998 e = AUE_AUDITON_SETAMASK;
2999 2999 break;
3000 3000 case A_GETKMASK:
3001 3001 e = AUE_AUDITON_GETKMASK;
3002 3002 break;
3003 3003 case A_SETKMASK:
3004 3004 e = AUE_AUDITON_SETKMASK;
3005 3005 break;
3006 3006 case A_GETQCTRL:
3007 3007 e = AUE_AUDITON_GQCTRL;
3008 3008 break;
3009 3009 case A_SETQCTRL:
3010 3010 e = AUE_AUDITON_SQCTRL;
3011 3011 break;
3012 3012 case A_GETCWD:
3013 3013 e = AUE_AUDITON_GETCWD;
3014 3014 break;
3015 3015 case A_GETCAR:
3016 3016 e = AUE_AUDITON_GETCAR;
3017 3017 break;
3018 3018 case A_GETSTAT:
3019 3019 e = AUE_AUDITON_GETSTAT;
3020 3020 break;
3021 3021 case A_SETSTAT:
3022 3022 e = AUE_AUDITON_SETSTAT;
3023 3023 break;
3024 3024 case A_SETUMASK:
3025 3025 e = AUE_AUDITON_SETUMASK;
3026 3026 break;
3027 3027 case A_SETSMASK:
3028 3028 e = AUE_AUDITON_SETSMASK;
3029 3029 break;
3030 3030 case A_GETCOND:
3031 3031 e = AUE_AUDITON_GETCOND;
|
↓ open down ↓ |
3031 lines elided |
↑ open up ↑ |
3032 3032 break;
3033 3033 case A_SETCOND:
3034 3034 e = AUE_AUDITON_SETCOND;
3035 3035 break;
3036 3036 case A_GETCLASS:
3037 3037 e = AUE_AUDITON_GETCLASS;
3038 3038 break;
3039 3039 case A_SETCLASS:
3040 3040 e = AUE_AUDITON_SETCLASS;
3041 3041 break;
3042 + case A_GETPINFO:
3043 + case A_GETPINFO_ADDR:
3044 + e = AUE_AUDITON_GETPINFO;
3045 + break;
3046 + case A_SETPMASK:
3047 + e = AUE_AUDITON_SETPMASK;
3048 + break;
3049 + case A_GETKAUDIT:
3050 + e = AUE_AUDITON_GETKAUDIT;
3051 + break;
3052 + case A_SETKAUDIT:
3053 + e = AUE_AUDITON_SETKAUDIT;
3054 + break;
3042 3055 default:
3043 - e = AUE_NULL;
3056 + e = AUE_AUDITON_OTHER;
3044 3057 break;
3045 3058 }
3046 3059 break;
3047 3060 default:
3048 3061 e = AUE_NULL;
3049 3062 break;
3050 3063 }
3051 3064
3052 3065 return (e);
3053 3066
3054 3067 } /* AUI_AUDITSYS */
3055 3068
3056 3069
3057 3070 static void
3058 3071 aus_auditsys(struct t_audit_data *tad)
3059 3072 {
3060 3073 klwp_t *clwp = ttolwp(curthread);
3061 3074 uintptr_t a1, a2;
3062 3075 STRUCT_DECL(auditinfo, ainfo);
3063 3076 STRUCT_DECL(auditinfo_addr, ainfo_addr);
3077 + STRUCT_DECL(auditpinfo, apinfo);
3064 3078 au_evclass_map_t event;
3065 3079 au_mask_t mask;
3066 3080 int auditstate, policy;
3067 3081 au_id_t auid;
3068 3082
3069 3083
3070 3084 struct a {
3071 3085 long code;
3072 3086 long a1;
3073 3087 long a2;
3074 3088 long a3;
3075 3089 long a4;
3076 3090 long a5;
3077 3091 long a6;
3078 3092 long a7;
3079 3093 } *uap = (struct a *)clwp->lwp_ap;
3080 3094
3081 3095 a1 = (uintptr_t)uap->a1;
3082 3096 a2 = (uintptr_t)uap->a2;
3083 3097
3084 3098 switch (tad->tad_event) {
3085 3099 case AUE_SETAUID:
3086 3100 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3087 3101 return;
3088 3102 au_uwrite(au_to_arg32(2, "setauid", auid));
3089 3103 break;
3090 3104 case AUE_SETAUDIT:
3091 3105 STRUCT_INIT(ainfo, get_udatamodel());
3092 3106 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3093 3107 STRUCT_SIZE(ainfo))) {
3094 3108 return;
3095 3109 }
3096 3110 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3097 3111 (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3098 3112 #ifdef _LP64
3099 3113 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3100 3114 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3101 3115 #else
3102 3116 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3103 3117 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3104 3118 #endif
3105 3119 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3106 3120 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3107 3121 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3108 3122 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3109 3123 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3110 3124 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3111 3125 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3112 3126 (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3113 3127 break;
3114 3128 case AUE_SETAUDIT_ADDR:
3115 3129 STRUCT_INIT(ainfo_addr, get_udatamodel());
3116 3130 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3117 3131 STRUCT_SIZE(ainfo_addr))) {
3118 3132 return;
3119 3133 }
3120 3134 au_uwrite(au_to_arg32((char)1, "auid",
3121 3135 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3122 3136 #ifdef _LP64
3123 3137 au_uwrite(au_to_arg64((char)1, "port",
3124 3138 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3125 3139 #else
3126 3140 au_uwrite(au_to_arg32((char)1, "port",
3127 3141 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3128 3142 #endif
3129 3143 au_uwrite(au_to_arg32((char)1, "type",
3130 3144 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3131 3145 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3132 3146 AU_IPv4) {
3133 3147 au_uwrite(au_to_in_addr(
3134 3148 (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3135 3149 ai_termid.at_addr)));
3136 3150 } else {
3137 3151 au_uwrite(au_to_in_addr_ex(
3138 3152 (int32_t *)STRUCT_FGETP(ainfo_addr,
3139 3153 ai_termid.at_addr)));
3140 3154 }
3141 3155 au_uwrite(au_to_arg32((char)1, "as_success",
3142 3156 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3143 3157 au_uwrite(au_to_arg32((char)1, "as_failure",
3144 3158 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3145 3159 au_uwrite(au_to_arg32((char)1, "asid",
3146 3160 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3147 3161 break;
3148 3162 case AUE_AUDITON_SETAMASK:
3149 3163 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3150 3164 return;
3151 3165 au_uwrite(au_to_arg32(
3152 3166 2, "setamask:as_success", (uint32_t)mask.as_success));
3153 3167 au_uwrite(au_to_arg32(
3154 3168 2, "setamask:as_failure", (uint32_t)mask.as_failure));
3155 3169 break;
3156 3170 case AUE_AUDITON_SETKMASK:
3157 3171 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3158 3172 return;
3159 3173 au_uwrite(au_to_arg32(
3160 3174 2, "setkmask:as_success", (uint32_t)mask.as_success));
3161 3175 au_uwrite(au_to_arg32(
3162 3176 2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3163 3177 break;
3164 3178 case AUE_AUDITON_SPOLICY:
3165 3179 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3166 3180 return;
3167 3181 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3168 3182 break;
3169 3183 case AUE_AUDITON_SQCTRL: {
3170 3184 STRUCT_DECL(au_qctrl, qctrl);
3171 3185 model_t model;
3172 3186
3173 3187 model = get_udatamodel();
3174 3188 STRUCT_INIT(qctrl, model);
3175 3189 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3176 3190 return;
3177 3191 if (model == DATAMODEL_ILP32) {
3178 3192 au_uwrite(au_to_arg32(
3179 3193 3, "setqctrl:aq_hiwater",
3180 3194 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3181 3195 au_uwrite(au_to_arg32(
3182 3196 3, "setqctrl:aq_lowater",
3183 3197 (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3184 3198 au_uwrite(au_to_arg32(
3185 3199 3, "setqctrl:aq_bufsz",
3186 3200 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3187 3201 au_uwrite(au_to_arg32(
3188 3202 3, "setqctrl:aq_delay",
3189 3203 (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3190 3204 } else {
3191 3205 au_uwrite(au_to_arg64(
3192 3206 3, "setqctrl:aq_hiwater",
3193 3207 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3194 3208 au_uwrite(au_to_arg64(
3195 3209 3, "setqctrl:aq_lowater",
3196 3210 (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3197 3211 au_uwrite(au_to_arg64(
3198 3212 3, "setqctrl:aq_bufsz",
3199 3213 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3200 3214 au_uwrite(au_to_arg64(
3201 3215 3, "setqctrl:aq_delay",
3202 3216 (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3203 3217 }
3204 3218 break;
3205 3219 }
3206 3220 case AUE_AUDITON_SETUMASK:
3207 3221 STRUCT_INIT(ainfo, get_udatamodel());
3208 3222 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3209 3223 STRUCT_SIZE(ainfo))) {
3210 3224 return;
3211 3225 }
3212 3226 au_uwrite(au_to_arg32(3, "setumask:as_success",
3213 3227 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3214 3228 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3215 3229 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3216 3230 break;
3217 3231 case AUE_AUDITON_SETSMASK:
3218 3232 STRUCT_INIT(ainfo, get_udatamodel());
3219 3233 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3220 3234 STRUCT_SIZE(ainfo))) {
3221 3235 return;
3222 3236 }
3223 3237 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3224 3238 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3225 3239 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3226 3240 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3227 3241 break;
3228 3242 case AUE_AUDITON_SETCOND:
3229 3243 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3230 3244 return;
|
↓ open down ↓ |
157 lines elided |
↑ open up ↑ |
3231 3245 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3232 3246 break;
3233 3247 case AUE_AUDITON_SETCLASS:
3234 3248 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3235 3249 return;
3236 3250 au_uwrite(au_to_arg32(
3237 3251 2, "setclass:ec_event", (uint32_t)event.ec_number));
3238 3252 au_uwrite(au_to_arg32(
3239 3253 3, "setclass:ec_class", (uint32_t)event.ec_class));
3240 3254 break;
3255 + case AUE_AUDITON_SETPMASK:
3256 + STRUCT_INIT(apinfo, get_udatamodel());
3257 + if (copyin((caddr_t)uap->a2, STRUCT_BUF(apinfo),
3258 + STRUCT_SIZE(apinfo))) {
3259 + return;
3260 + }
3261 + au_uwrite(au_to_arg32(3, "setpmask:pid",
3262 + (uint32_t)STRUCT_FGET(apinfo, ap_pid)));
3263 + au_uwrite(au_to_arg32(3, "setpmask:as_success",
3264 + (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_success)));
3265 + au_uwrite(au_to_arg32(3, "setpmask:as_failure",
3266 + (uint32_t)STRUCT_FGET(apinfo, ap_mask.as_failure)));
3267 + break;
3268 + case AUE_AUDITON_SETKAUDIT:
3269 + STRUCT_INIT(ainfo_addr, get_udatamodel());
3270 + if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3271 + STRUCT_SIZE(ainfo_addr))) {
3272 + return;
3273 + }
3274 + au_uwrite(au_to_arg32((char)1, "auid",
3275 + (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3276 +#ifdef _LP64
3277 + au_uwrite(au_to_arg64((char)1, "port",
3278 + (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3279 +#else
3280 + au_uwrite(au_to_arg32((char)1, "port",
3281 + (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3282 +#endif
3283 + au_uwrite(au_to_arg32((char)1, "type",
3284 + (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3285 + if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3286 + AU_IPv4) {
3287 + au_uwrite(au_to_in_addr(
3288 + (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3289 + ai_termid.at_addr)));
3290 + } else {
3291 + au_uwrite(au_to_in_addr_ex(
3292 + (int32_t *)STRUCT_FGETP(ainfo_addr,
3293 + ai_termid.at_addr)));
3294 + }
3295 + au_uwrite(au_to_arg32((char)1, "as_success",
3296 + (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3297 + au_uwrite(au_to_arg32((char)1, "as_failure",
3298 + (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3299 + au_uwrite(au_to_arg32((char)1, "asid",
3300 + (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3301 + break;
3241 3302 case AUE_GETAUID:
3242 3303 case AUE_GETAUDIT:
3243 3304 case AUE_GETAUDIT_ADDR:
3244 3305 case AUE_AUDIT:
3245 3306 case AUE_AUDITON_GPOLICY:
3246 3307 case AUE_AUDITON_GQCTRL:
3247 3308 case AUE_AUDITON_GETAMASK:
3248 3309 case AUE_AUDITON_GETKMASK:
3249 3310 case AUE_AUDITON_GETCWD:
3250 3311 case AUE_AUDITON_GETCAR:
3251 3312 case AUE_AUDITON_GETSTAT:
3252 3313 case AUE_AUDITON_SETSTAT:
3253 3314 case AUE_AUDITON_GETCOND:
3254 3315 case AUE_AUDITON_GETCLASS:
3316 + case AUE_AUDITON_GETPINFO:
3317 + case AUE_AUDITON_GETKAUDIT:
3318 + case AUE_AUDITON_OTHER:
3255 3319 break;
3256 3320 default:
3257 3321 break;
3258 3322 }
3259 3323
3260 3324 } /* AUS_AUDITSYS */
3261 3325
3262 3326
3263 3327 /* only audit privileged operations for systeminfo(2) system call */
3264 3328 static au_event_t
3265 3329 aui_sysinfo(au_event_t e)
3266 3330 {
3267 3331 klwp_t *clwp = ttolwp(curthread);
3268 3332 uint32_t command;
3269 3333
3270 3334 struct a {
3271 3335 long command;
3272 3336 long buf; /* char * */
3273 3337 long count;
3274 3338 } *uap = (struct a *)clwp->lwp_ap;
3275 3339
3276 3340 command = (uint32_t)uap->command;
3277 3341
3278 3342 switch (command) {
3279 3343 case SI_SET_HOSTNAME:
3280 3344 case SI_SET_SRPC_DOMAIN:
3281 3345 e = (au_event_t)AUE_SYSINFO;
3282 3346 break;
3283 3347 default:
3284 3348 e = (au_event_t)AUE_NULL;
3285 3349 break;
3286 3350 }
3287 3351 return (e);
3288 3352 }
3289 3353
3290 3354 /*ARGSUSED*/
3291 3355 static void
3292 3356 aus_sysinfo(struct t_audit_data *tad)
3293 3357 {
3294 3358 klwp_t *clwp = ttolwp(curthread);
3295 3359 uint32_t command;
3296 3360 size_t len, maxlen;
3297 3361 char *name;
3298 3362 uintptr_t buf;
3299 3363
3300 3364 struct a {
3301 3365 long command;
3302 3366 long buf; /* char * */
3303 3367 long count;
3304 3368 } *uap = (struct a *)clwp->lwp_ap;
3305 3369
3306 3370 command = (uint32_t)uap->command;
3307 3371 buf = (uintptr_t)uap->buf;
3308 3372
3309 3373 au_uwrite(au_to_arg32(1, "cmd", command));
3310 3374
3311 3375 switch (command) {
3312 3376 case SI_SET_HOSTNAME:
3313 3377 {
3314 3378 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3315 3379 return;
3316 3380
3317 3381 maxlen = SYS_NMLN;
3318 3382 name = kmem_alloc(maxlen, KM_SLEEP);
3319 3383 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3320 3384 break;
3321 3385
3322 3386 /*
3323 3387 * Must be non-NULL string and string
3324 3388 * must be less than SYS_NMLN chars.
3325 3389 */
3326 3390 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3327 3391 break;
3328 3392
3329 3393 au_uwrite(au_to_text(name));
3330 3394 break;
3331 3395 }
3332 3396
3333 3397 case SI_SET_SRPC_DOMAIN:
3334 3398 {
3335 3399 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3336 3400 return;
3337 3401
3338 3402 maxlen = SYS_NMLN;
3339 3403 name = kmem_alloc(maxlen, KM_SLEEP);
3340 3404 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3341 3405 break;
3342 3406
3343 3407 /*
3344 3408 * If string passed in is longer than length
3345 3409 * allowed for domain name, fail.
3346 3410 */
3347 3411 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3348 3412 break;
3349 3413
3350 3414 au_uwrite(au_to_text(name));
3351 3415 break;
3352 3416 }
3353 3417
3354 3418 default:
3355 3419 return;
3356 3420 }
3357 3421
3358 3422 kmem_free(name, maxlen);
3359 3423 }
3360 3424
3361 3425 static au_event_t
3362 3426 aui_modctl(au_event_t e)
3363 3427 {
3364 3428 klwp_t *clwp = ttolwp(curthread);
3365 3429 uint_t cmd;
3366 3430
3367 3431 struct a {
3368 3432 long cmd;
3369 3433 } *uap = (struct a *)clwp->lwp_ap;
3370 3434
3371 3435 cmd = (uint_t)uap->cmd;
3372 3436
3373 3437 switch (cmd) {
3374 3438 case MODLOAD:
3375 3439 e = AUE_MODLOAD;
3376 3440 break;
3377 3441 case MODUNLOAD:
3378 3442 e = AUE_MODUNLOAD;
3379 3443 break;
3380 3444 case MODADDMAJBIND:
3381 3445 e = AUE_MODADDMAJ;
3382 3446 break;
3383 3447 case MODSETDEVPOLICY:
3384 3448 e = AUE_MODDEVPLCY;
3385 3449 break;
3386 3450 case MODALLOCPRIV:
3387 3451 e = AUE_MODADDPRIV;
3388 3452 break;
3389 3453 default:
3390 3454 e = AUE_NULL;
3391 3455 break;
3392 3456 }
3393 3457 return (e);
3394 3458 }
3395 3459
3396 3460
3397 3461 /*ARGSUSED*/
3398 3462 static void
3399 3463 aus_modctl(struct t_audit_data *tad)
3400 3464 {
3401 3465 klwp_t *clwp = ttolwp(curthread);
3402 3466 void *a = clwp->lwp_ap;
3403 3467 uint_t use_path;
3404 3468
3405 3469 switch (tad->tad_event) {
3406 3470 case AUE_MODLOAD: {
3407 3471 typedef struct {
3408 3472 long cmd;
3409 3473 long use_path;
3410 3474 long filename; /* char * */
3411 3475 } modloada_t;
3412 3476
3413 3477 char *filenamep;
3414 3478 uintptr_t fname;
3415 3479 extern char *default_path;
3416 3480
3417 3481 fname = (uintptr_t)((modloada_t *)a)->filename;
3418 3482 use_path = (uint_t)((modloada_t *)a)->use_path;
3419 3483
3420 3484 /* space to hold path */
3421 3485 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3422 3486 /* get string */
3423 3487 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3424 3488 /* free allocated path */
3425 3489 kmem_free(filenamep, MOD_MAXPATH);
3426 3490 return;
3427 3491 }
3428 3492 /* ensure it's null terminated */
3429 3493 filenamep[MOD_MAXPATH - 1] = 0;
3430 3494
3431 3495 if (use_path)
3432 3496 au_uwrite(au_to_text(default_path));
3433 3497 au_uwrite(au_to_text(filenamep));
3434 3498
3435 3499 /* release temporary memory */
3436 3500 kmem_free(filenamep, MOD_MAXPATH);
3437 3501 break;
3438 3502 }
3439 3503 case AUE_MODUNLOAD: {
3440 3504 typedef struct {
3441 3505 long cmd;
3442 3506 long id;
3443 3507 } modunloada_t;
3444 3508
3445 3509 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3446 3510
3447 3511 au_uwrite(au_to_arg32(1, "id", id));
3448 3512 break;
3449 3513 }
3450 3514 case AUE_MODADDMAJ: {
3451 3515 STRUCT_DECL(modconfig, mc);
3452 3516 typedef struct {
3453 3517 long cmd;
3454 3518 long subcmd;
3455 3519 long data; /* int * */
3456 3520 } modconfiga_t;
3457 3521
3458 3522 STRUCT_DECL(aliases, alias);
3459 3523 caddr_t ap;
3460 3524 int i, num_aliases;
3461 3525 char *drvname, *mc_drvname;
3462 3526 char *name;
3463 3527 extern char *ddi_major_to_name(major_t);
3464 3528 model_t model;
3465 3529
3466 3530 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3467 3531
3468 3532 model = get_udatamodel();
3469 3533 STRUCT_INIT(mc, model);
3470 3534 /* sanitize buffer */
3471 3535 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3472 3536 /* get user arguments */
3473 3537 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3474 3538 STRUCT_SIZE(mc)) != 0)
3475 3539 return;
3476 3540
3477 3541 mc_drvname = STRUCT_FGET(mc, drvname);
3478 3542 if ((drvname = ddi_major_to_name(
3479 3543 (major_t)STRUCT_FGET(mc, major))) != NULL &&
3480 3544 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3481 3545 /* safety */
3482 3546 if (mc_drvname[0] != '\0') {
3483 3547 mc_drvname[MAXMODCONFNAME-1] = '\0';
3484 3548 au_uwrite(au_to_text(mc_drvname));
3485 3549 }
3486 3550 /* drvname != NULL from test above */
3487 3551 au_uwrite(au_to_text(drvname));
3488 3552 return;
3489 3553 }
3490 3554
3491 3555 if (mc_drvname[0] != '\0') {
3492 3556 /* safety */
3493 3557 mc_drvname[MAXMODCONFNAME-1] = '\0';
3494 3558 au_uwrite(au_to_text(mc_drvname));
3495 3559 } else
3496 3560 au_uwrite(au_to_text("no drvname"));
3497 3561
3498 3562 num_aliases = STRUCT_FGET(mc, num_aliases);
3499 3563 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3500 3564 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3501 3565 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3502 3566 STRUCT_INIT(alias, model);
3503 3567 for (i = 0; i < num_aliases; i++) {
3504 3568 bzero((caddr_t)STRUCT_BUF(alias),
3505 3569 STRUCT_SIZE(alias));
3506 3570 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3507 3571 STRUCT_SIZE(alias)) != 0)
3508 3572 break;
3509 3573 if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3510 3574 MAXMODCONFNAME, NULL) != 0) {
3511 3575 break;
3512 3576 }
3513 3577
3514 3578 au_uwrite(au_to_text(name));
3515 3579 ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3516 3580 }
3517 3581 kmem_free(name, MAXMODCONFNAME);
3518 3582 break;
3519 3583 }
3520 3584 default:
3521 3585 break;
3522 3586 }
3523 3587 }
3524 3588
3525 3589
3526 3590 /*ARGSUSED*/
3527 3591 static void
3528 3592 auf_accept(
3529 3593 struct t_audit_data *tad,
3530 3594 int error,
3531 3595 rval_t *rval)
3532 3596 {
3533 3597 uint32_t scid;
3534 3598 uint32_t sy_flags;
3535 3599 int fd;
3536 3600 struct sonode *so;
3537 3601 char so_laddr[sizeof (struct sockaddr_in6)];
3538 3602 char so_faddr[sizeof (struct sockaddr_in6)];
3539 3603 int err;
3540 3604 short so_family, so_type;
3541 3605 int add_sock_token = 0;
3542 3606
3543 3607 /* need to determine type of executing binary */
3544 3608 scid = tad->tad_scid;
3545 3609 #ifdef _SYSCALL32_IMPL
3546 3610 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3547 3611 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3548 3612 else
3549 3613 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3550 3614 #else
3551 3615 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3552 3616 #endif
3553 3617 switch (sy_flags) {
3554 3618 case SE_32RVAL1:
3555 3619 /* FALLTHRU */
3556 3620 case SE_32RVAL2|SE_32RVAL1:
3557 3621 fd = rval->r_val1;
3558 3622 break;
3559 3623 case SE_64RVAL:
3560 3624 fd = (int)rval->r_vals;
3561 3625 break;
3562 3626 default:
3563 3627 /*
3564 3628 * should never happen, seems to be an internal error
3565 3629 * in sysent => no fd, nothing to audit here, returning
3566 3630 */
3567 3631 return;
3568 3632 }
3569 3633
3570 3634 if (error) {
3571 3635 /* can't trust socket contents. Just return */
3572 3636 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3573 3637 return;
3574 3638 }
3575 3639
3576 3640 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3577 3641 /*
3578 3642 * not security relevant if doing a accept from non socket
3579 3643 * so no extra tokens. Should probably turn off audit record
3580 3644 * generation here.
3581 3645 */
3582 3646 return;
3583 3647 }
3584 3648
3585 3649 so_family = so->so_family;
3586 3650 so_type = so->so_type;
3587 3651
3588 3652 switch (so_family) {
3589 3653 case AF_INET:
3590 3654 case AF_INET6:
3591 3655 /*
3592 3656 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3593 3657 */
3594 3658 if (so->so_type == SOCK_STREAM) {
3595 3659 socklen_t len;
3596 3660
3597 3661 bzero((void *)so_laddr, sizeof (so_laddr));
3598 3662 bzero((void *)so_faddr, sizeof (so_faddr));
3599 3663
3600 3664 len = sizeof (so_laddr);
3601 3665 (void) socket_getsockname(so,
3602 3666 (struct sockaddr *)so_laddr, &len, CRED());
3603 3667 len = sizeof (so_faddr);
3604 3668 (void) socket_getpeername(so,
3605 3669 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3606 3670
3607 3671 add_sock_token = 1;
3608 3672 }
3609 3673 break;
3610 3674
3611 3675 default:
3612 3676 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3613 3677 break;
3614 3678 }
3615 3679
3616 3680 releasef(fd);
3617 3681
3618 3682 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3619 3683
3620 3684 if (add_sock_token == 0) {
3621 3685 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3622 3686 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3623 3687 return;
3624 3688 }
3625 3689
3626 3690 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3627 3691
3628 3692 }
3629 3693
3630 3694 /*ARGSUSED*/
3631 3695 static void
3632 3696 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3633 3697 {
3634 3698 struct a {
3635 3699 long fd;
3636 3700 long addr;
3637 3701 long len;
3638 3702 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3639 3703
3640 3704 struct sonode *so;
3641 3705 char so_laddr[sizeof (struct sockaddr_in6)];
3642 3706 char so_faddr[sizeof (struct sockaddr_in6)];
3643 3707 int err, fd;
3644 3708 socklen_t len;
3645 3709 short so_family, so_type;
3646 3710 int add_sock_token = 0;
3647 3711
3648 3712 fd = (int)uap->fd;
3649 3713
3650 3714 /*
3651 3715 * bind failed, then nothing extra to add to audit record.
3652 3716 */
3653 3717 if (error) {
3654 3718 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3655 3719 /* XXX may want to add failed address some day */
3656 3720 return;
3657 3721 }
3658 3722
3659 3723 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3660 3724 /*
3661 3725 * not security relevant if doing a bind from non socket
3662 3726 * so no extra tokens. Should probably turn off audit record
3663 3727 * generation here.
3664 3728 */
3665 3729 return;
3666 3730 }
3667 3731
3668 3732 so_family = so->so_family;
3669 3733 so_type = so->so_type;
3670 3734
3671 3735 switch (so_family) {
3672 3736 case AF_INET:
3673 3737 case AF_INET6:
3674 3738
3675 3739 bzero(so_faddr, sizeof (so_faddr));
3676 3740 len = sizeof (so_faddr);
3677 3741
3678 3742 (void) socket_getpeername(so,
3679 3743 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3680 3744 add_sock_token = 1;
3681 3745
3682 3746 break;
3683 3747
3684 3748 case AF_UNIX:
3685 3749 /* token added by lookup */
3686 3750 break;
3687 3751 default:
3688 3752 /* AF_ROUTE, AF_KEY do not support accept */
3689 3753 break;
3690 3754 }
3691 3755
3692 3756 releasef(fd);
3693 3757
3694 3758 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3695 3759
3696 3760 if (add_sock_token == 0) {
3697 3761 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3698 3762 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3699 3763 return;
3700 3764 }
3701 3765
3702 3766 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3703 3767
3704 3768 }
3705 3769
3706 3770 /*ARGSUSED*/
3707 3771 static void
3708 3772 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3709 3773 {
3710 3774 struct a {
3711 3775 long fd;
3712 3776 long addr;
3713 3777 long len;
3714 3778 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3715 3779
3716 3780 struct sonode *so;
3717 3781 char so_laddr[sizeof (struct sockaddr_in6)];
3718 3782 char so_faddr[sizeof (struct sockaddr_in6)];
3719 3783 int err, fd;
3720 3784 socklen_t len;
3721 3785 short so_family, so_type;
3722 3786 int add_sock_token = 0;
3723 3787
3724 3788 fd = (int)uap->fd;
3725 3789
3726 3790
3727 3791 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3728 3792 /*
3729 3793 * not security relevant if doing a connect from non socket
3730 3794 * so no extra tokens. Should probably turn off audit record
3731 3795 * generation here.
3732 3796 */
3733 3797 return;
3734 3798 }
3735 3799
3736 3800 so_family = so->so_family;
3737 3801 so_type = so->so_type;
3738 3802
3739 3803 switch (so_family) {
3740 3804 case AF_INET:
3741 3805 case AF_INET6:
3742 3806
3743 3807 bzero(so_laddr, sizeof (so_laddr));
3744 3808 bzero(so_faddr, sizeof (so_faddr));
3745 3809
3746 3810 len = sizeof (so_laddr);
3747 3811 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3748 3812 &len, CRED());
3749 3813 if (error) {
3750 3814 if (uap->addr == 0)
3751 3815 break;
3752 3816 if (uap->len <= 0)
3753 3817 break;
3754 3818 len = min(uap->len, sizeof (so_faddr));
3755 3819 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3756 3820 break;
3757 3821 #ifdef NOTYET
3758 3822 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3759 3823 #endif
3760 3824 } else {
3761 3825 /* sanity check on length */
3762 3826 len = sizeof (so_faddr);
3763 3827 (void) socket_getpeername(so,
3764 3828 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3765 3829 }
3766 3830
3767 3831 add_sock_token = 1;
3768 3832
3769 3833 break;
3770 3834
3771 3835 case AF_UNIX:
3772 3836 /* does a lookup on name */
3773 3837 break;
3774 3838
3775 3839 default:
3776 3840 /* AF_ROUTE, AF_KEY do not support accept */
3777 3841 break;
3778 3842 }
3779 3843
3780 3844 releasef(fd);
3781 3845
3782 3846 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3783 3847
3784 3848 if (add_sock_token == 0) {
3785 3849 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3786 3850 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3787 3851 return;
3788 3852 }
3789 3853
3790 3854 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3791 3855
3792 3856 }
3793 3857
3794 3858 /*ARGSUSED*/
3795 3859 static void
3796 3860 aus_shutdown(struct t_audit_data *tad)
3797 3861 {
3798 3862 struct a {
3799 3863 long fd;
3800 3864 long how;
3801 3865 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3802 3866
3803 3867 struct sonode *so;
3804 3868 char so_laddr[sizeof (struct sockaddr_in6)];
3805 3869 char so_faddr[sizeof (struct sockaddr_in6)];
3806 3870 int err, fd;
3807 3871 socklen_t len;
3808 3872 short so_family, so_type;
3809 3873 int add_sock_token = 0;
3810 3874 file_t *fp; /* unix domain sockets */
3811 3875 struct f_audit_data *fad; /* unix domain sockets */
3812 3876
3813 3877 fd = (int)uap->fd;
3814 3878
3815 3879 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3816 3880 /*
3817 3881 * not security relevant if doing a shutdown using non socket
3818 3882 * so no extra tokens. Should probably turn off audit record
3819 3883 * generation here.
3820 3884 */
3821 3885 return;
3822 3886 }
3823 3887
3824 3888 so_family = so->so_family;
3825 3889 so_type = so->so_type;
3826 3890
3827 3891 switch (so_family) {
3828 3892 case AF_INET:
3829 3893 case AF_INET6:
3830 3894
3831 3895 bzero(so_laddr, sizeof (so_laddr));
3832 3896 bzero(so_faddr, sizeof (so_faddr));
3833 3897
3834 3898 len = sizeof (so_laddr);
3835 3899 (void) socket_getsockname(so,
3836 3900 (struct sockaddr *)so_laddr, &len, CRED());
3837 3901 len = sizeof (so_faddr);
3838 3902 (void) socket_getpeername(so,
3839 3903 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3840 3904
3841 3905 add_sock_token = 1;
3842 3906
3843 3907 break;
3844 3908
3845 3909 case AF_UNIX:
3846 3910
3847 3911 /* get path from file struct here */
3848 3912 fad = F2A(fp);
3849 3913 ASSERT(fad);
3850 3914
3851 3915 if (fad->fad_aupath != NULL) {
3852 3916 au_uwrite(au_to_path(fad->fad_aupath));
3853 3917 } else {
3854 3918 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3855 3919 }
3856 3920
3857 3921 audit_attributes(fp->f_vnode);
3858 3922
3859 3923 break;
3860 3924
3861 3925 default:
3862 3926 /*
3863 3927 * AF_KEY and AF_ROUTE support shutdown. No socket token
3864 3928 * added.
3865 3929 */
3866 3930 break;
3867 3931 }
3868 3932
3869 3933 releasef(fd);
3870 3934
3871 3935 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3872 3936
3873 3937 if (add_sock_token == 0) {
3874 3938 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3875 3939 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3876 3940 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3877 3941 return;
3878 3942 }
3879 3943
3880 3944 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3881 3945
3882 3946 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3883 3947
3884 3948 }
3885 3949
3886 3950 /*ARGSUSED*/
3887 3951 static void
3888 3952 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3889 3953 {
3890 3954 struct a {
3891 3955 long fd;
3892 3956 long level;
3893 3957 long optname;
3894 3958 long *optval;
3895 3959 long optlen;
3896 3960 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3897 3961
3898 3962 struct sonode *so;
3899 3963 char so_laddr[sizeof (struct sockaddr_in6)];
3900 3964 char so_faddr[sizeof (struct sockaddr_in6)];
3901 3965 char val[AU_BUFSIZE];
3902 3966 int err, fd;
3903 3967 socklen_t len;
3904 3968 short so_family, so_type;
3905 3969 int add_sock_token = 0;
3906 3970 file_t *fp; /* unix domain sockets */
3907 3971 struct f_audit_data *fad; /* unix domain sockets */
3908 3972
3909 3973 fd = (int)uap->fd;
3910 3974
3911 3975 if (error) {
3912 3976 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3913 3977 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3914 3978 /* XXX may want to include other arguments */
3915 3979 return;
3916 3980 }
3917 3981
3918 3982 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3919 3983 /*
3920 3984 * not security relevant if doing a setsockopt from non socket
3921 3985 * so no extra tokens. Should probably turn off audit record
3922 3986 * generation here.
3923 3987 */
3924 3988 return;
3925 3989 }
3926 3990
3927 3991 so_family = so->so_family;
3928 3992 so_type = so->so_type;
3929 3993
3930 3994 switch (so_family) {
3931 3995 case AF_INET:
3932 3996 case AF_INET6:
3933 3997 bzero((void *)so_laddr, sizeof (so_laddr));
3934 3998 bzero((void *)so_faddr, sizeof (so_faddr));
3935 3999
3936 4000 /* get local and foreign addresses */
3937 4001 len = sizeof (so_laddr);
3938 4002 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3939 4003 &len, CRED());
3940 4004 len = sizeof (so_faddr);
3941 4005 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3942 4006 &len, B_FALSE, CRED());
3943 4007
3944 4008 add_sock_token = 1;
3945 4009
3946 4010 break;
3947 4011
3948 4012 case AF_UNIX:
3949 4013
3950 4014 /* get path from file struct here */
3951 4015 fad = F2A(fp);
3952 4016 ASSERT(fad);
3953 4017
3954 4018 if (fad->fad_aupath != NULL) {
3955 4019 au_uwrite(au_to_path(fad->fad_aupath));
3956 4020 } else {
3957 4021 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3958 4022 }
3959 4023
3960 4024 audit_attributes(fp->f_vnode);
3961 4025
3962 4026 break;
3963 4027
3964 4028 default:
3965 4029 /*
3966 4030 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3967 4031 * added.
3968 4032 */
3969 4033 break;
3970 4034 }
3971 4035
3972 4036 releasef(fd);
3973 4037
3974 4038 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3975 4039
3976 4040 if (add_sock_token == 0) {
3977 4041 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3978 4042 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3979 4043 }
3980 4044 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3981 4045 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3982 4046
3983 4047 bzero(val, sizeof (val));
3984 4048 len = min(uap->optlen, sizeof (val));
3985 4049 if ((len > 0) &&
3986 4050 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3987 4051 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3988 4052 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3989 4053 }
3990 4054
3991 4055 if (add_sock_token == 0)
3992 4056 return;
3993 4057
3994 4058 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3995 4059
3996 4060 }
3997 4061
3998 4062 /*ARGSUSED*/
3999 4063 static void
4000 4064 aus_sockconfig(struct t_audit_data *tad)
4001 4065 {
4002 4066 struct a {
4003 4067 long cmd;
4004 4068 long arg1;
4005 4069 long arg2;
4006 4070 long arg3;
4007 4071 long arg4;
4008 4072 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4009 4073
4010 4074 char *buf;
4011 4075 int buflen;
4012 4076 size_t size;
4013 4077
4014 4078 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4015 4079 switch (uap->cmd) {
4016 4080 case SOCKCONFIG_ADD_SOCK:
4017 4081 case SOCKCONFIG_REMOVE_SOCK:
4018 4082 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4019 4083 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4020 4084 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4021 4085
4022 4086 if (uap->arg4 == 0) {
4023 4087 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4024 4088 } else {
4025 4089 buflen = MAXPATHLEN + 1;
4026 4090 buf = kmem_alloc(buflen, KM_SLEEP);
4027 4091 if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4028 4092 &size)) {
4029 4093 kmem_free(buf, buflen);
4030 4094 return;
4031 4095 }
4032 4096
4033 4097 if (size > MAXPATHLEN) {
4034 4098 kmem_free(buf, buflen);
4035 4099 return;
4036 4100 }
4037 4101
4038 4102 au_uwrite(au_to_text(buf));
4039 4103 kmem_free(buf, buflen);
4040 4104 }
4041 4105 break;
4042 4106 case SOCKCONFIG_ADD_FILTER:
4043 4107 case SOCKCONFIG_REMOVE_FILTER:
4044 4108 buflen = FILNAME_MAX;
4045 4109 buf = kmem_alloc(buflen, KM_SLEEP);
4046 4110
4047 4111 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4048 4112 kmem_free(buf, buflen);
4049 4113 return;
4050 4114 }
4051 4115
4052 4116 au_uwrite(au_to_text(buf));
4053 4117 kmem_free(buf, buflen);
4054 4118 break;
4055 4119 default:
4056 4120 break;
4057 4121 }
4058 4122 }
4059 4123
4060 4124 /*
4061 4125 * only audit recvmsg when the system call represents the creation of a new
4062 4126 * circuit. This effectively occurs for all UDP packets and may occur for
4063 4127 * special TCP situations where the local host has not set a local address
4064 4128 * in the socket structure.
4065 4129 */
4066 4130 /*ARGSUSED*/
4067 4131 static void
4068 4132 auf_recvmsg(
4069 4133 struct t_audit_data *tad,
4070 4134 int error,
4071 4135 rval_t *rvp)
4072 4136 {
4073 4137 struct a {
4074 4138 long fd;
4075 4139 long msg; /* struct msghdr */
4076 4140 long flags;
4077 4141 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4078 4142
4079 4143 struct sonode *so;
4080 4144 STRUCT_DECL(msghdr, msg);
4081 4145 caddr_t msg_name;
4082 4146 socklen_t msg_namelen;
4083 4147 int fd;
4084 4148 int err;
4085 4149 char so_laddr[sizeof (struct sockaddr_in6)];
4086 4150 char so_faddr[sizeof (struct sockaddr_in6)];
4087 4151 socklen_t len;
4088 4152 file_t *fp; /* unix domain sockets */
4089 4153 struct f_audit_data *fad; /* unix domain sockets */
4090 4154 short so_family, so_type;
4091 4155 int add_sock_token = 0;
4092 4156 au_kcontext_t *kctx = GET_KCTX_PZ;
4093 4157
4094 4158 fd = (int)uap->fd;
4095 4159
4096 4160 /* bail if an error */
4097 4161 if (error) {
4098 4162 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4099 4163 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4100 4164 return;
4101 4165 }
4102 4166
4103 4167 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4104 4168 /*
4105 4169 * not security relevant if doing a recvmsg from non socket
4106 4170 * so no extra tokens. Should probably turn off audit record
4107 4171 * generation here.
4108 4172 */
4109 4173 return;
4110 4174 }
4111 4175
4112 4176 so_family = so->so_family;
4113 4177 so_type = so->so_type;
4114 4178
4115 4179 /*
4116 4180 * only putout SOCKET_EX token if INET/INET6 family.
4117 4181 * XXX - what do we do about other families?
4118 4182 */
4119 4183
4120 4184 switch (so_family) {
4121 4185 case AF_INET:
4122 4186 case AF_INET6:
4123 4187
4124 4188 /*
4125 4189 * if datagram type socket, then just use what is in
4126 4190 * socket structure for local address.
4127 4191 * XXX - what do we do for other types?
4128 4192 */
4129 4193 if ((so->so_type == SOCK_DGRAM) ||
4130 4194 (so->so_type == SOCK_RAW)) {
4131 4195 add_sock_token = 1;
4132 4196
4133 4197 bzero((void *)so_laddr, sizeof (so_laddr));
4134 4198 bzero((void *)so_faddr, sizeof (so_faddr));
4135 4199
4136 4200 /* get local address */
4137 4201 len = sizeof (so_laddr);
4138 4202 (void) socket_getsockname(so,
4139 4203 (struct sockaddr *)so_laddr, &len, CRED());
4140 4204
4141 4205 /* get peer address */
4142 4206 STRUCT_INIT(msg, get_udatamodel());
4143 4207
4144 4208 if (copyin((caddr_t)(uap->msg),
4145 4209 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4146 4210 break;
4147 4211 }
4148 4212 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4149 4213 if (msg_name == NULL) {
4150 4214 break;
4151 4215 }
4152 4216
4153 4217 /* length is value from recvmsg - sanity check */
4154 4218 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4155 4219 if (msg_namelen == 0) {
4156 4220 break;
4157 4221 }
4158 4222 if (copyin(msg_name, so_faddr,
4159 4223 sizeof (so_faddr)) != 0) {
4160 4224 break;
4161 4225 }
4162 4226
4163 4227 } else if (so->so_type == SOCK_STREAM) {
4164 4228
4165 4229 /* get path from file struct here */
4166 4230 fad = F2A(fp);
4167 4231 ASSERT(fad);
4168 4232
4169 4233 /*
4170 4234 * already processed this file for read attempt
4171 4235 */
4172 4236 if (fad->fad_flags & FAD_READ) {
4173 4237 /* don't want to audit every recvmsg attempt */
4174 4238 tad->tad_flag = 0;
4175 4239 /* free any residual audit data */
4176 4240 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4177 4241 releasef(fd);
4178 4242 return;
4179 4243 }
4180 4244 /*
4181 4245 * mark things so we know what happened and don't
4182 4246 * repeat things
4183 4247 */
4184 4248 fad->fad_flags |= FAD_READ;
4185 4249
4186 4250 bzero((void *)so_laddr, sizeof (so_laddr));
4187 4251 bzero((void *)so_faddr, sizeof (so_faddr));
4188 4252
4189 4253 /* get local and foreign addresses */
4190 4254 len = sizeof (so_laddr);
4191 4255 (void) socket_getsockname(so,
4192 4256 (struct sockaddr *)so_laddr, &len, CRED());
4193 4257 len = sizeof (so_faddr);
4194 4258 (void) socket_getpeername(so,
4195 4259 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4196 4260
4197 4261 add_sock_token = 1;
4198 4262 }
4199 4263
4200 4264 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4201 4265
4202 4266 break;
4203 4267
4204 4268 case AF_UNIX:
4205 4269 /*
4206 4270 * first check if this is first time through. Too much
4207 4271 * duplicate code to put this in an aui_ routine.
4208 4272 */
4209 4273
4210 4274 /* get path from file struct here */
4211 4275 fad = F2A(fp);
4212 4276 ASSERT(fad);
4213 4277
4214 4278 /*
4215 4279 * already processed this file for read attempt
4216 4280 */
4217 4281 if (fad->fad_flags & FAD_READ) {
4218 4282 releasef(fd);
4219 4283 /* don't want to audit every recvmsg attempt */
4220 4284 tad->tad_flag = 0;
4221 4285 /* free any residual audit data */
4222 4286 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4223 4287 return;
4224 4288 }
4225 4289 /*
4226 4290 * mark things so we know what happened and don't
4227 4291 * repeat things
4228 4292 */
4229 4293 fad->fad_flags |= FAD_READ;
4230 4294
4231 4295 if (fad->fad_aupath != NULL) {
4232 4296 au_uwrite(au_to_path(fad->fad_aupath));
4233 4297 } else {
4234 4298 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4235 4299 }
4236 4300
4237 4301 audit_attributes(fp->f_vnode);
4238 4302
4239 4303 releasef(fd);
4240 4304
4241 4305 return;
4242 4306
4243 4307 default:
4244 4308 break;
4245 4309
4246 4310 }
4247 4311
4248 4312 releasef(fd);
4249 4313
4250 4314 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4251 4315
4252 4316 if (add_sock_token == 0) {
4253 4317 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4254 4318 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4255 4319 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4256 4320 return;
4257 4321 }
4258 4322
4259 4323 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4260 4324
4261 4325 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4262 4326
4263 4327 }
4264 4328
4265 4329 /*ARGSUSED*/
4266 4330 static void
4267 4331 auf_recvfrom(
4268 4332 struct t_audit_data *tad,
4269 4333 int error,
4270 4334 rval_t *rvp)
4271 4335 {
4272 4336
4273 4337 struct a {
4274 4338 long fd;
4275 4339 long msg; /* char */
4276 4340 long len;
4277 4341 long flags;
4278 4342 long from; /* struct sockaddr */
4279 4343 long fromlen;
4280 4344 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4281 4345
4282 4346 socklen_t fromlen;
4283 4347 struct sonode *so;
4284 4348 char so_laddr[sizeof (struct sockaddr_in6)];
4285 4349 char so_faddr[sizeof (struct sockaddr_in6)];
4286 4350 int fd;
4287 4351 short so_family, so_type;
4288 4352 int add_sock_token = 0;
4289 4353 socklen_t len;
4290 4354 int err;
4291 4355 struct file *fp;
4292 4356 struct f_audit_data *fad; /* unix domain sockets */
4293 4357 au_kcontext_t *kctx = GET_KCTX_PZ;
4294 4358
4295 4359 fd = (int)uap->fd;
4296 4360
4297 4361 /* bail if an error */
4298 4362 if (error) {
4299 4363 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4300 4364 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4301 4365 return;
4302 4366 }
4303 4367
4304 4368 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4305 4369 /*
4306 4370 * not security relevant if doing a recvmsg from non socket
4307 4371 * so no extra tokens. Should probably turn off audit record
4308 4372 * generation here.
4309 4373 */
4310 4374 return;
4311 4375 }
4312 4376
4313 4377 so_family = so->so_family;
4314 4378 so_type = so->so_type;
4315 4379
4316 4380 /*
4317 4381 * only putout SOCKET_EX token if INET/INET6 family.
4318 4382 * XXX - what do we do about other families?
4319 4383 */
4320 4384
4321 4385 switch (so_family) {
4322 4386 case AF_INET:
4323 4387 case AF_INET6:
4324 4388
4325 4389 /*
4326 4390 * if datagram type socket, then just use what is in
4327 4391 * socket structure for local address.
4328 4392 * XXX - what do we do for other types?
4329 4393 */
4330 4394 if ((so->so_type == SOCK_DGRAM) ||
4331 4395 (so->so_type == SOCK_RAW)) {
4332 4396 add_sock_token = 1;
4333 4397
4334 4398 /* get local address */
4335 4399 len = sizeof (so_laddr);
4336 4400 (void) socket_getsockname(so,
4337 4401 (struct sockaddr *)so_laddr, &len, CRED());
4338 4402
4339 4403 /* get peer address */
4340 4404 bzero((void *)so_faddr, sizeof (so_faddr));
4341 4405
4342 4406 /* sanity check */
4343 4407 if (uap->from == 0)
4344 4408 break;
4345 4409
4346 4410 /* sanity checks */
4347 4411 if (uap->fromlen == 0)
4348 4412 break;
4349 4413
4350 4414 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4351 4415 sizeof (fromlen)) != 0)
4352 4416 break;
4353 4417
4354 4418 if (fromlen == 0)
4355 4419 break;
4356 4420
4357 4421 /* enforce maximum size */
4358 4422 if (fromlen > sizeof (so_faddr))
4359 4423 fromlen = sizeof (so_faddr);
4360 4424
4361 4425 if (copyin((caddr_t)(uap->from), so_faddr,
4362 4426 fromlen) != 0)
4363 4427 break;
4364 4428
4365 4429 } else if (so->so_type == SOCK_STREAM) {
4366 4430
4367 4431 /* get path from file struct here */
4368 4432 fad = F2A(fp);
4369 4433 ASSERT(fad);
4370 4434
4371 4435 /*
4372 4436 * already processed this file for read attempt
4373 4437 */
4374 4438 if (fad->fad_flags & FAD_READ) {
4375 4439 /* don't want to audit every recvfrom attempt */
4376 4440 tad->tad_flag = 0;
4377 4441 /* free any residual audit data */
4378 4442 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4379 4443 releasef(fd);
4380 4444 return;
4381 4445 }
4382 4446 /*
4383 4447 * mark things so we know what happened and don't
4384 4448 * repeat things
4385 4449 */
4386 4450 fad->fad_flags |= FAD_READ;
4387 4451
4388 4452 bzero((void *)so_laddr, sizeof (so_laddr));
4389 4453 bzero((void *)so_faddr, sizeof (so_faddr));
4390 4454
4391 4455 /* get local and foreign addresses */
4392 4456 len = sizeof (so_laddr);
4393 4457 (void) socket_getsockname(so,
4394 4458 (struct sockaddr *)so_laddr, &len, CRED());
4395 4459 len = sizeof (so_faddr);
4396 4460 (void) socket_getpeername(so,
4397 4461 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4398 4462
4399 4463 add_sock_token = 1;
4400 4464 }
4401 4465
4402 4466 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4403 4467
4404 4468 break;
4405 4469
4406 4470 case AF_UNIX:
4407 4471 /*
4408 4472 * first check if this is first time through. Too much
4409 4473 * duplicate code to put this in an aui_ routine.
4410 4474 */
4411 4475
4412 4476 /* get path from file struct here */
4413 4477 fad = F2A(fp);
4414 4478 ASSERT(fad);
4415 4479
4416 4480 /*
4417 4481 * already processed this file for read attempt
4418 4482 */
4419 4483 if (fad->fad_flags & FAD_READ) {
4420 4484 /* don't want to audit every recvfrom attempt */
4421 4485 tad->tad_flag = 0;
4422 4486 /* free any residual audit data */
4423 4487 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4424 4488 releasef(fd);
4425 4489 return;
4426 4490 }
4427 4491 /*
4428 4492 * mark things so we know what happened and don't
4429 4493 * repeat things
4430 4494 */
4431 4495 fad->fad_flags |= FAD_READ;
4432 4496
4433 4497 if (fad->fad_aupath != NULL) {
4434 4498 au_uwrite(au_to_path(fad->fad_aupath));
4435 4499 } else {
4436 4500 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4437 4501 }
4438 4502
4439 4503 audit_attributes(fp->f_vnode);
4440 4504
4441 4505 releasef(fd);
4442 4506
4443 4507 return;
4444 4508
4445 4509 default:
4446 4510 break;
4447 4511
4448 4512 }
4449 4513
4450 4514 releasef(fd);
4451 4515
4452 4516 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4453 4517
4454 4518 if (add_sock_token == 0) {
4455 4519 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4456 4520 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4457 4521 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4458 4522 return;
4459 4523 }
4460 4524
4461 4525 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4462 4526
4463 4527 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4464 4528 }
4465 4529
4466 4530 /*ARGSUSED*/
4467 4531 static void
4468 4532 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4469 4533 {
4470 4534 struct a {
4471 4535 long fd;
4472 4536 long msg; /* struct msghdr */
4473 4537 long flags;
4474 4538 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4475 4539
4476 4540 struct sonode *so;
4477 4541 char so_laddr[sizeof (struct sockaddr_in6)];
4478 4542 char so_faddr[sizeof (struct sockaddr_in6)];
4479 4543 int err;
4480 4544 int fd;
4481 4545 short so_family, so_type;
4482 4546 int add_sock_token = 0;
4483 4547 socklen_t len;
4484 4548 struct file *fp;
4485 4549 struct f_audit_data *fad;
4486 4550 caddr_t msg_name;
4487 4551 socklen_t msg_namelen;
4488 4552 STRUCT_DECL(msghdr, msg);
4489 4553 au_kcontext_t *kctx = GET_KCTX_PZ;
4490 4554
4491 4555 fd = (int)uap->fd;
4492 4556
4493 4557 /* bail if an error */
4494 4558 if (error) {
4495 4559 /* XXX include destination address from system call arguments */
4496 4560 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4497 4561 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4498 4562 return;
4499 4563 }
4500 4564
4501 4565 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4502 4566 /*
4503 4567 * not security relevant if doing a sendmsg from non socket
4504 4568 * so no extra tokens. Should probably turn off audit record
4505 4569 * generation here.
4506 4570 */
4507 4571 return;
4508 4572 }
4509 4573
4510 4574 so_family = so->so_family;
4511 4575 so_type = so->so_type;
4512 4576
4513 4577 switch (so_family) {
4514 4578 case AF_INET:
4515 4579 case AF_INET6:
4516 4580 /*
4517 4581 * if datagram type socket, then just use what is in
4518 4582 * socket structure for local address.
4519 4583 * XXX - what do we do for other types?
4520 4584 */
4521 4585 if ((so->so_type == SOCK_DGRAM) ||
4522 4586 (so->so_type == SOCK_RAW)) {
4523 4587
4524 4588 bzero((void *)so_laddr, sizeof (so_laddr));
4525 4589 bzero((void *)so_faddr, sizeof (so_faddr));
4526 4590
4527 4591 /* get local address */
4528 4592 len = sizeof (so_laddr);
4529 4593 (void) socket_getsockname(so,
4530 4594 (struct sockaddr *)so_laddr, &len, CRED());
4531 4595
4532 4596 /* get peer address */
4533 4597 STRUCT_INIT(msg, get_udatamodel());
4534 4598
4535 4599 if (copyin((caddr_t)(uap->msg),
4536 4600 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4537 4601 break;
4538 4602 }
4539 4603 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4540 4604 if (msg_name == NULL)
4541 4605 break;
4542 4606
4543 4607 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4544 4608 /* length is value from recvmsg - sanity check */
4545 4609 if (msg_namelen == 0)
4546 4610 break;
4547 4611
4548 4612 if (copyin(msg_name, so_faddr,
4549 4613 sizeof (so_faddr)) != 0)
4550 4614 break;
4551 4615
4552 4616 add_sock_token = 1;
4553 4617
4554 4618 } else if (so->so_type == SOCK_STREAM) {
4555 4619
4556 4620 /* get path from file struct here */
4557 4621 fad = F2A(fp);
4558 4622 ASSERT(fad);
4559 4623
4560 4624 /*
4561 4625 * already processed this file for write attempt
4562 4626 */
4563 4627 if (fad->fad_flags & FAD_WRITE) {
4564 4628 releasef(fd);
4565 4629 /* don't want to audit every sendmsg attempt */
4566 4630 tad->tad_flag = 0;
4567 4631 /* free any residual audit data */
4568 4632 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4569 4633 return;
4570 4634 }
4571 4635
4572 4636 /*
4573 4637 * mark things so we know what happened and don't
4574 4638 * repeat things
4575 4639 */
4576 4640 fad->fad_flags |= FAD_WRITE;
4577 4641
4578 4642 bzero((void *)so_laddr, sizeof (so_laddr));
4579 4643 bzero((void *)so_faddr, sizeof (so_faddr));
4580 4644
4581 4645 /* get local and foreign addresses */
4582 4646 len = sizeof (so_laddr);
4583 4647 (void) socket_getsockname(so,
4584 4648 (struct sockaddr *)so_laddr, &len, CRED());
4585 4649 len = sizeof (so_faddr);
4586 4650 (void) socket_getpeername(so,
4587 4651 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4588 4652
4589 4653 add_sock_token = 1;
4590 4654 }
4591 4655
4592 4656 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4593 4657
4594 4658 break;
4595 4659
4596 4660 case AF_UNIX:
4597 4661 /*
4598 4662 * first check if this is first time through. Too much
4599 4663 * duplicate code to put this in an aui_ routine.
4600 4664 */
4601 4665
4602 4666 /* get path from file struct here */
4603 4667 fad = F2A(fp);
4604 4668 ASSERT(fad);
4605 4669
4606 4670 /*
4607 4671 * already processed this file for write attempt
4608 4672 */
4609 4673 if (fad->fad_flags & FAD_WRITE) {
4610 4674 releasef(fd);
4611 4675 /* don't want to audit every sendmsg attempt */
4612 4676 tad->tad_flag = 0;
4613 4677 /* free any residual audit data */
4614 4678 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4615 4679 return;
4616 4680 }
4617 4681 /*
4618 4682 * mark things so we know what happened and don't
4619 4683 * repeat things
4620 4684 */
4621 4685 fad->fad_flags |= FAD_WRITE;
4622 4686
4623 4687 if (fad->fad_aupath != NULL) {
4624 4688 au_uwrite(au_to_path(fad->fad_aupath));
4625 4689 } else {
4626 4690 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4627 4691 }
4628 4692
4629 4693 audit_attributes(fp->f_vnode);
4630 4694
4631 4695 releasef(fd);
4632 4696
4633 4697 return;
4634 4698
4635 4699 default:
4636 4700 break;
4637 4701 }
4638 4702
4639 4703 releasef(fd);
4640 4704
4641 4705 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4642 4706
4643 4707 if (add_sock_token == 0) {
4644 4708 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4645 4709 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4646 4710 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4647 4711 return;
4648 4712 }
4649 4713
4650 4714 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4651 4715
4652 4716 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4653 4717 }
4654 4718
4655 4719 /*ARGSUSED*/
4656 4720 static void
4657 4721 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4658 4722 {
4659 4723 struct a {
4660 4724 long fd;
4661 4725 long msg; /* char */
4662 4726 long len;
4663 4727 long flags;
4664 4728 long to; /* struct sockaddr */
4665 4729 long tolen;
4666 4730 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4667 4731
4668 4732 struct sonode *so;
4669 4733 char so_laddr[sizeof (struct sockaddr_in6)];
4670 4734 char so_faddr[sizeof (struct sockaddr_in6)];
4671 4735 socklen_t tolen;
4672 4736 int err;
4673 4737 int fd;
4674 4738 socklen_t len;
4675 4739 short so_family, so_type;
4676 4740 int add_sock_token = 0;
4677 4741 struct file *fp;
4678 4742 struct f_audit_data *fad;
4679 4743 au_kcontext_t *kctx = GET_KCTX_PZ;
4680 4744
4681 4745 fd = (int)uap->fd;
4682 4746
4683 4747 /* bail if an error */
4684 4748 if (error) {
4685 4749 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4686 4750 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4687 4751 /* XXX include destination address from system call arguments */
4688 4752 return;
4689 4753 }
4690 4754
4691 4755 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4692 4756 /*
4693 4757 * not security relevant if doing a sendto using non socket
4694 4758 * so no extra tokens. Should probably turn off audit record
4695 4759 * generation here.
4696 4760 */
4697 4761 return;
4698 4762 }
4699 4763
4700 4764 so_family = so->so_family;
4701 4765 so_type = so->so_type;
4702 4766
4703 4767 /*
4704 4768 * only putout SOCKET_EX token if INET/INET6 family.
4705 4769 * XXX - what do we do about other families?
4706 4770 */
4707 4771
4708 4772 switch (so_family) {
4709 4773 case AF_INET:
4710 4774 case AF_INET6:
4711 4775
4712 4776 /*
4713 4777 * if datagram type socket, then just use what is in
4714 4778 * socket structure for local address.
4715 4779 * XXX - what do we do for other types?
4716 4780 */
4717 4781 if ((so->so_type == SOCK_DGRAM) ||
4718 4782 (so->so_type == SOCK_RAW)) {
4719 4783
4720 4784 bzero((void *)so_laddr, sizeof (so_laddr));
4721 4785 bzero((void *)so_faddr, sizeof (so_faddr));
4722 4786
4723 4787 /* get local address */
4724 4788 len = sizeof (so_laddr);
4725 4789 (void) socket_getsockname(so,
4726 4790 (struct sockaddr *)so_laddr, &len, CRED());
4727 4791
4728 4792 /* get peer address */
4729 4793
4730 4794 /* sanity check */
4731 4795 if (uap->to == 0)
4732 4796 break;
4733 4797
4734 4798 /* sanity checks */
4735 4799 if (uap->tolen == 0)
4736 4800 break;
4737 4801
4738 4802 tolen = (socklen_t)uap->tolen;
4739 4803
4740 4804 /* enforce maximum size */
4741 4805 if (tolen > sizeof (so_faddr))
4742 4806 tolen = sizeof (so_faddr);
4743 4807
4744 4808 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4745 4809 break;
4746 4810
4747 4811 add_sock_token = 1;
4748 4812 } else {
4749 4813 /*
4750 4814 * check if this is first time through.
4751 4815 */
4752 4816
4753 4817 /* get path from file struct here */
4754 4818 fad = F2A(fp);
4755 4819 ASSERT(fad);
4756 4820
4757 4821 /*
4758 4822 * already processed this file for write attempt
4759 4823 */
4760 4824 if (fad->fad_flags & FAD_WRITE) {
4761 4825 /* don't want to audit every sendto attempt */
4762 4826 tad->tad_flag = 0;
4763 4827 /* free any residual audit data */
4764 4828 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4765 4829 releasef(fd);
4766 4830 return;
4767 4831 }
4768 4832 /*
4769 4833 * mark things so we know what happened and don't
4770 4834 * repeat things
4771 4835 */
4772 4836 fad->fad_flags |= FAD_WRITE;
4773 4837
4774 4838 bzero((void *)so_laddr, sizeof (so_laddr));
4775 4839 bzero((void *)so_faddr, sizeof (so_faddr));
4776 4840
4777 4841 /* get local and foreign addresses */
4778 4842 len = sizeof (so_laddr);
4779 4843 (void) socket_getsockname(so,
4780 4844 (struct sockaddr *)so_laddr, &len, CRED());
4781 4845 len = sizeof (so_faddr);
4782 4846 (void) socket_getpeername(so,
4783 4847 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4784 4848
4785 4849 add_sock_token = 1;
4786 4850 }
4787 4851
4788 4852 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4789 4853
4790 4854 break;
4791 4855
4792 4856 case AF_UNIX:
4793 4857 /*
4794 4858 * first check if this is first time through. Too much
4795 4859 * duplicate code to put this in an aui_ routine.
4796 4860 */
4797 4861
4798 4862 /* get path from file struct here */
4799 4863 fad = F2A(fp);
4800 4864 ASSERT(fad);
4801 4865
4802 4866 /*
4803 4867 * already processed this file for write attempt
4804 4868 */
4805 4869 if (fad->fad_flags & FAD_WRITE) {
4806 4870 /* don't want to audit every sendto attempt */
4807 4871 tad->tad_flag = 0;
4808 4872 /* free any residual audit data */
4809 4873 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4810 4874 releasef(fd);
4811 4875 return;
4812 4876 }
4813 4877 /*
4814 4878 * mark things so we know what happened and don't
4815 4879 * repeat things
4816 4880 */
4817 4881 fad->fad_flags |= FAD_WRITE;
4818 4882
4819 4883 if (fad->fad_aupath != NULL) {
4820 4884 au_uwrite(au_to_path(fad->fad_aupath));
4821 4885 } else {
4822 4886 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4823 4887 }
4824 4888
4825 4889 audit_attributes(fp->f_vnode);
4826 4890
4827 4891 releasef(fd);
4828 4892
4829 4893 return;
4830 4894
4831 4895 default:
4832 4896 break;
4833 4897
4834 4898 }
4835 4899
4836 4900 releasef(fd);
4837 4901
4838 4902 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4839 4903
4840 4904 if (add_sock_token == 0) {
4841 4905 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4842 4906 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4843 4907 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4844 4908 return;
4845 4909 }
4846 4910
4847 4911 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4848 4912
4849 4913 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4850 4914
4851 4915 }
4852 4916
4853 4917 /*
4854 4918 * XXX socket(2) may be equivalent to open(2) on a unix domain
4855 4919 * socket. This needs investigation.
4856 4920 */
4857 4921
4858 4922 /*ARGSUSED*/
4859 4923 static void
4860 4924 aus_socket(struct t_audit_data *tad)
4861 4925 {
4862 4926 struct a {
4863 4927 long domain;
4864 4928 long type;
4865 4929 long protocol;
4866 4930 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4867 4931
4868 4932 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4869 4933 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4870 4934 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4871 4935 }
4872 4936
4873 4937 /*ARGSUSED*/
4874 4938 static void
4875 4939 aus_sigqueue(struct t_audit_data *tad)
4876 4940 {
4877 4941 struct a {
4878 4942 long pid;
4879 4943 long signo;
4880 4944 long *val;
4881 4945 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4882 4946 struct proc *p;
4883 4947 uid_t uid, ruid;
4884 4948 gid_t gid, rgid;
4885 4949 pid_t pid;
4886 4950 const auditinfo_addr_t *ainfo;
4887 4951 cred_t *cr;
4888 4952
4889 4953 pid = (pid_t)uap->pid;
4890 4954
4891 4955 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4892 4956 if (pid > 0) {
4893 4957 mutex_enter(&pidlock);
4894 4958 if ((p = prfind(pid)) == (struct proc *)0) {
4895 4959 mutex_exit(&pidlock);
4896 4960 return;
4897 4961 }
4898 4962 mutex_enter(&p->p_lock); /* so process doesn't go away */
4899 4963 mutex_exit(&pidlock);
4900 4964
4901 4965 mutex_enter(&p->p_crlock);
4902 4966 crhold(cr = p->p_cred);
4903 4967 mutex_exit(&p->p_crlock);
4904 4968 mutex_exit(&p->p_lock);
4905 4969
4906 4970 ainfo = crgetauinfo(cr);
4907 4971 if (ainfo == NULL) {
4908 4972 crfree(cr);
4909 4973 return;
4910 4974 }
4911 4975
4912 4976 uid = crgetuid(cr);
4913 4977 gid = crgetgid(cr);
4914 4978 ruid = crgetruid(cr);
4915 4979 rgid = crgetrgid(cr);
4916 4980 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4917 4981 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4918 4982 crfree(cr);
4919 4983 }
4920 4984 else
4921 4985 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4922 4986 }
4923 4987
4924 4988 /*ARGSUSED*/
4925 4989 static void
4926 4990 aus_inst_sync(struct t_audit_data *tad)
4927 4991 {
4928 4992 struct a {
4929 4993 long name; /* char */
4930 4994 long flags;
4931 4995 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4932 4996
4933 4997 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4934 4998 }
4935 4999
4936 5000 /*ARGSUSED*/
4937 5001 static void
4938 5002 aus_brandsys(struct t_audit_data *tad)
4939 5003 {
4940 5004 klwp_t *clwp = ttolwp(curthread);
4941 5005
4942 5006 struct a {
4943 5007 long cmd;
4944 5008 long arg1;
4945 5009 long arg2;
4946 5010 long arg3;
4947 5011 long arg4;
4948 5012 long arg5;
4949 5013 long arg6;
4950 5014 } *uap = (struct a *)clwp->lwp_ap;
4951 5015
4952 5016 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4953 5017 #ifdef _LP64
4954 5018 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4955 5019 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4956 5020 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4957 5021 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4958 5022 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4959 5023 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4960 5024 #else
4961 5025 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4962 5026 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4963 5027 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4964 5028 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4965 5029 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4966 5030 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4967 5031 #endif
4968 5032 }
4969 5033
4970 5034 /*ARGSUSED*/
4971 5035 static void
4972 5036 aus_p_online(struct t_audit_data *tad)
4973 5037 {
4974 5038 struct a {
4975 5039 long processor_id;
4976 5040 long flag;
4977 5041 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4978 5042
4979 5043 struct flags {
4980 5044 int flag;
4981 5045 char *cflag;
4982 5046 } aflags[6] = {
4983 5047 { P_ONLINE, "P_ONLINE"},
4984 5048 { P_OFFLINE, "P_OFFLINE"},
4985 5049 { P_NOINTR, "P_NOINTR"},
4986 5050 { P_SPARE, "P_SPARE"},
4987 5051 { P_FAULTED, "P_FAULTED"},
4988 5052 { P_STATUS, "P_STATUS"}
4989 5053 };
4990 5054 int i;
4991 5055 char *cflag;
4992 5056
4993 5057 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4994 5058 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4995 5059
4996 5060 for (i = 0; i < 6; i++) {
4997 5061 if (aflags[i].flag == uap->flag)
4998 5062 break;
4999 5063 }
5000 5064 cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5001 5065
5002 5066 au_uwrite(au_to_text(cflag));
5003 5067 }
5004 5068
5005 5069 /*ARGSUSED*/
5006 5070 static void
5007 5071 aus_processor_bind(struct t_audit_data *tad)
5008 5072 {
5009 5073 struct a {
5010 5074 long id_type;
5011 5075 long id;
5012 5076 long processor_id;
5013 5077 long obind;
5014 5078 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5015 5079
5016 5080 struct proc *p;
5017 5081 int lwpcnt;
5018 5082 uid_t uid, ruid;
5019 5083 gid_t gid, rgid;
5020 5084 pid_t pid;
5021 5085 const auditinfo_addr_t *ainfo;
5022 5086 cred_t *cr;
5023 5087
5024 5088 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5025 5089 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5026 5090 if (uap->processor_id == PBIND_NONE)
5027 5091 au_uwrite(au_to_text("PBIND_NONE"));
5028 5092 else
5029 5093 au_uwrite(au_to_arg32(3, "processor_id",
5030 5094 (uint32_t)uap->processor_id));
5031 5095
5032 5096 switch (uap->id_type) {
5033 5097 case P_MYID:
5034 5098 case P_LWPID:
5035 5099 mutex_enter(&pidlock);
5036 5100 p = ttoproc(curthread);
5037 5101 if (p == NULL || p->p_as == &kas) {
5038 5102 mutex_exit(&pidlock);
5039 5103 return;
5040 5104 }
5041 5105 mutex_enter(&p->p_lock);
5042 5106 mutex_exit(&pidlock);
5043 5107 lwpcnt = p->p_lwpcnt;
5044 5108 pid = p->p_pid;
5045 5109
5046 5110 mutex_enter(&p->p_crlock);
5047 5111 crhold(cr = p->p_cred);
5048 5112 mutex_exit(&p->p_crlock);
5049 5113 mutex_exit(&p->p_lock);
5050 5114
5051 5115 ainfo = crgetauinfo(cr);
5052 5116 if (ainfo == NULL) {
5053 5117 crfree(cr);
5054 5118 return;
5055 5119 }
5056 5120
5057 5121 uid = crgetuid(cr);
5058 5122 gid = crgetgid(cr);
5059 5123 ruid = crgetruid(cr);
5060 5124 rgid = crgetrgid(cr);
5061 5125 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5062 5126 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5063 5127 crfree(cr);
5064 5128 break;
5065 5129 case P_PID:
5066 5130 mutex_enter(&pidlock);
5067 5131 p = prfind(uap->id);
5068 5132 if (p == NULL || p->p_as == &kas) {
5069 5133 mutex_exit(&pidlock);
5070 5134 return;
5071 5135 }
5072 5136 mutex_enter(&p->p_lock);
5073 5137 mutex_exit(&pidlock);
5074 5138 lwpcnt = p->p_lwpcnt;
5075 5139 pid = p->p_pid;
5076 5140
5077 5141 mutex_enter(&p->p_crlock);
5078 5142 crhold(cr = p->p_cred);
5079 5143 mutex_exit(&p->p_crlock);
5080 5144 mutex_exit(&p->p_lock);
5081 5145
5082 5146 ainfo = crgetauinfo(cr);
5083 5147 if (ainfo == NULL) {
5084 5148 crfree(cr);
5085 5149 return;
5086 5150 }
5087 5151
5088 5152 uid = crgetuid(cr);
5089 5153 gid = crgetgid(cr);
5090 5154 ruid = crgetruid(cr);
5091 5155 rgid = crgetrgid(cr);
5092 5156 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5093 5157 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5094 5158 crfree(cr);
5095 5159
5096 5160 break;
5097 5161 default:
5098 5162 return;
5099 5163 }
5100 5164
5101 5165 if (uap->processor_id == PBIND_NONE &&
5102 5166 (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5103 5167 au_uwrite(au_to_text("PBIND_NONE for process"));
5104 5168 else
5105 5169 au_uwrite(au_to_arg32(3, "processor_id",
5106 5170 (uint32_t)uap->processor_id));
5107 5171 }
5108 5172
5109 5173 /*ARGSUSED*/
5110 5174 static au_event_t
5111 5175 aui_doorfs(au_event_t e)
5112 5176 {
5113 5177 uint32_t code;
5114 5178
5115 5179 struct a { /* doorfs */
5116 5180 long a1;
5117 5181 long a2;
5118 5182 long a3;
5119 5183 long a4;
5120 5184 long a5;
5121 5185 long code;
5122 5186 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5123 5187
5124 5188 /*
5125 5189 * audit formats for several of the
5126 5190 * door calls have not yet been determined
5127 5191 */
5128 5192 code = (uint32_t)uap->code;
5129 5193 switch (code) {
5130 5194 case DOOR_CALL:
5131 5195 e = AUE_DOORFS_DOOR_CALL;
5132 5196 break;
5133 5197 case DOOR_RETURN:
5134 5198 e = AUE_NULL;
5135 5199 break;
5136 5200 case DOOR_CREATE:
5137 5201 e = AUE_DOORFS_DOOR_CREATE;
5138 5202 break;
5139 5203 case DOOR_REVOKE:
5140 5204 e = AUE_DOORFS_DOOR_REVOKE;
5141 5205 break;
5142 5206 case DOOR_INFO:
5143 5207 e = AUE_NULL;
5144 5208 break;
5145 5209 case DOOR_UCRED:
5146 5210 e = AUE_NULL;
5147 5211 break;
5148 5212 case DOOR_BIND:
5149 5213 e = AUE_NULL;
5150 5214 break;
5151 5215 case DOOR_UNBIND:
5152 5216 e = AUE_NULL;
5153 5217 break;
5154 5218 case DOOR_GETPARAM:
5155 5219 e = AUE_NULL;
5156 5220 break;
5157 5221 case DOOR_SETPARAM:
5158 5222 e = AUE_NULL;
5159 5223 break;
5160 5224 default: /* illegal system call */
5161 5225 e = AUE_NULL;
5162 5226 break;
5163 5227 }
5164 5228
5165 5229 return (e);
5166 5230 }
5167 5231
5168 5232 static door_node_t *
5169 5233 au_door_lookup(int did)
5170 5234 {
5171 5235 vnode_t *vp;
5172 5236 file_t *fp;
5173 5237
5174 5238 if ((fp = getf(did)) == NULL)
5175 5239 return (NULL);
5176 5240 /*
5177 5241 * Use the underlying vnode (we may be namefs mounted)
5178 5242 */
5179 5243 if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5180 5244 vp = fp->f_vnode;
5181 5245
5182 5246 if (vp == NULL || vp->v_type != VDOOR) {
5183 5247 releasef(did);
5184 5248 return (NULL);
5185 5249 }
5186 5250
5187 5251 return (VTOD(vp));
5188 5252 }
5189 5253
5190 5254 /*ARGSUSED*/
5191 5255 static void
5192 5256 aus_doorfs(struct t_audit_data *tad)
5193 5257 {
5194 5258
5195 5259 struct a { /* doorfs */
5196 5260 long a1;
5197 5261 long a2;
5198 5262 long a3;
5199 5263 long a4;
5200 5264 long a5;
5201 5265 long code;
5202 5266 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5203 5267
5204 5268 door_node_t *dp;
5205 5269 struct proc *p;
5206 5270 uint32_t did;
5207 5271 uid_t uid, ruid;
5208 5272 gid_t gid, rgid;
5209 5273 pid_t pid;
5210 5274 const auditinfo_addr_t *ainfo;
5211 5275 cred_t *cr;
5212 5276
5213 5277 did = (uint32_t)uap->a1;
5214 5278
5215 5279 switch (tad->tad_event) {
5216 5280 case AUE_DOORFS_DOOR_CALL:
5217 5281 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5218 5282 if ((dp = au_door_lookup(did)) == NULL)
5219 5283 break;
5220 5284
5221 5285 if (DOOR_INVALID(dp)) {
5222 5286 releasef(did);
5223 5287 break;
5224 5288 }
5225 5289
5226 5290 if ((p = dp->door_target) == NULL) {
5227 5291 releasef(did);
5228 5292 break;
5229 5293 }
5230 5294 mutex_enter(&p->p_lock);
5231 5295 releasef(did);
5232 5296
5233 5297 pid = p->p_pid;
5234 5298
5235 5299 mutex_enter(&p->p_crlock);
5236 5300 crhold(cr = p->p_cred);
5237 5301 mutex_exit(&p->p_crlock);
5238 5302 mutex_exit(&p->p_lock);
5239 5303
5240 5304 ainfo = crgetauinfo(cr);
5241 5305 if (ainfo == NULL) {
5242 5306 crfree(cr);
5243 5307 return;
5244 5308 }
5245 5309 uid = crgetuid(cr);
5246 5310 gid = crgetgid(cr);
5247 5311 ruid = crgetruid(cr);
5248 5312 rgid = crgetrgid(cr);
5249 5313 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5250 5314 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5251 5315 crfree(cr);
5252 5316 break;
5253 5317 case AUE_DOORFS_DOOR_RETURN:
5254 5318 /*
5255 5319 * We may want to write information about
5256 5320 * all doors (if any) which will be copied
5257 5321 * by this call to the user space
5258 5322 */
5259 5323 break;
5260 5324 case AUE_DOORFS_DOOR_CREATE:
5261 5325 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5262 5326 break;
5263 5327 case AUE_DOORFS_DOOR_REVOKE:
5264 5328 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5265 5329 break;
5266 5330 case AUE_DOORFS_DOOR_INFO:
5267 5331 break;
5268 5332 case AUE_DOORFS_DOOR_CRED:
5269 5333 break;
5270 5334 case AUE_DOORFS_DOOR_BIND:
5271 5335 break;
5272 5336 case AUE_DOORFS_DOOR_UNBIND: {
5273 5337 break;
5274 5338 }
5275 5339 default: /* illegal system call */
5276 5340 break;
5277 5341 }
5278 5342 }
5279 5343
5280 5344 /*ARGSUSED*/
5281 5345 static au_event_t
5282 5346 aui_acl(au_event_t e)
5283 5347 {
5284 5348 struct a {
5285 5349 union {
5286 5350 long name; /* char */
5287 5351 long fd;
5288 5352 } obj;
5289 5353
5290 5354 long cmd;
5291 5355 long nentries;
5292 5356 long arg; /* aclent_t */
5293 5357 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5294 5358
5295 5359 switch (uap->cmd) {
5296 5360 case SETACL:
5297 5361 case ACE_SETACL:
5298 5362 /*
5299 5363 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5300 5364 * are expected.
5301 5365 */
5302 5366 break;
5303 5367 case GETACL:
5304 5368 case GETACLCNT:
5305 5369 case ACE_GETACL:
5306 5370 case ACE_GETACLCNT:
5307 5371 /* do nothing for these four values. */
5308 5372 e = AUE_NULL;
5309 5373 break;
5310 5374 default:
5311 5375 /* illegal system call */
5312 5376 break;
5313 5377 }
5314 5378
5315 5379 return (e);
5316 5380 }
5317 5381
5318 5382 static void
5319 5383 au_acl(int cmd, int nentries, caddr_t bufp)
5320 5384 {
5321 5385 size_t a_size;
5322 5386 aclent_t *aclbufp;
5323 5387 ace_t *acebufp;
5324 5388 int i;
5325 5389
5326 5390 switch (cmd) {
5327 5391 case GETACL:
5328 5392 case GETACLCNT:
5329 5393 break;
5330 5394 case SETACL:
5331 5395 if (nentries < 3)
5332 5396 break;
5333 5397
5334 5398 a_size = nentries * sizeof (aclent_t);
5335 5399
5336 5400 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5337 5401 break;
5338 5402 if (copyin(bufp, aclbufp, a_size)) {
5339 5403 kmem_free(aclbufp, a_size);
5340 5404 break;
5341 5405 }
5342 5406 for (i = 0; i < nentries; i++) {
5343 5407 au_uwrite(au_to_acl(aclbufp + i));
5344 5408 }
5345 5409 kmem_free(aclbufp, a_size);
5346 5410 break;
5347 5411
5348 5412 case ACE_SETACL:
5349 5413 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5350 5414 break;
5351 5415
5352 5416 a_size = nentries * sizeof (ace_t);
5353 5417 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5354 5418 break;
5355 5419 if (copyin(bufp, acebufp, a_size)) {
5356 5420 kmem_free(acebufp, a_size);
5357 5421 break;
5358 5422 }
5359 5423 for (i = 0; i < nentries; i++) {
5360 5424 au_uwrite(au_to_ace(acebufp + i));
5361 5425 }
5362 5426 kmem_free(acebufp, a_size);
5363 5427 break;
5364 5428 default:
5365 5429 break;
5366 5430 }
5367 5431 }
5368 5432
5369 5433 /*ARGSUSED*/
5370 5434 static void
5371 5435 aus_acl(struct t_audit_data *tad)
5372 5436 {
5373 5437 struct a {
5374 5438 long fname;
5375 5439 long cmd;
5376 5440 long nentries;
5377 5441 long aclbufp;
5378 5442 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5379 5443
5380 5444 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5381 5445 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5382 5446
5383 5447 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5384 5448 }
5385 5449
5386 5450 /*ARGSUSED*/
5387 5451 static void
5388 5452 aus_facl(struct t_audit_data *tad)
5389 5453 {
5390 5454 struct a {
5391 5455 long fd;
5392 5456 long cmd;
5393 5457 long nentries;
5394 5458 long aclbufp;
5395 5459 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5396 5460 struct file *fp;
5397 5461 struct vnode *vp;
5398 5462 struct f_audit_data *fad;
5399 5463 int fd;
5400 5464
5401 5465 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5402 5466 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5403 5467
5404 5468 fd = (int)uap->fd;
5405 5469
5406 5470 if ((fp = getf(fd)) == NULL)
5407 5471 return;
5408 5472
5409 5473 /* get path from file struct here */
5410 5474 fad = F2A(fp);
5411 5475 if (fad->fad_aupath != NULL) {
5412 5476 au_uwrite(au_to_path(fad->fad_aupath));
5413 5477 } else {
5414 5478 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5415 5479 }
5416 5480
5417 5481 vp = fp->f_vnode;
5418 5482 audit_attributes(vp);
5419 5483
5420 5484 /* decrement file descriptor reference count */
5421 5485 releasef(fd);
5422 5486
5423 5487 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5424 5488 }
5425 5489
5426 5490 /*ARGSUSED*/
5427 5491 static void
5428 5492 auf_read(struct t_audit_data *tad, int error, rval_t *rval)
5429 5493 {
5430 5494 struct file *fp;
5431 5495 struct f_audit_data *fad;
5432 5496 int fd;
5433 5497 register struct a {
5434 5498 long fd;
5435 5499 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5436 5500 au_kcontext_t *kctx = GET_KCTX_PZ;
5437 5501
5438 5502 fd = (int)uap->fd;
5439 5503
5440 5504 /*
5441 5505 * convert file pointer to file descriptor
5442 5506 * Note: fd ref count incremented here.
5443 5507 */
5444 5508 if ((fp = getf(fd)) == NULL)
5445 5509 return;
5446 5510
5447 5511 /* get path from file struct here */
5448 5512 fad = F2A(fp);
5449 5513 ASSERT(fad);
5450 5514
5451 5515 /*
5452 5516 * already processed this file for read attempt
5453 5517 *
5454 5518 * XXX might be better to turn off auditing in a aui_read() routine.
5455 5519 */
5456 5520 if (fad->fad_flags & FAD_READ) {
5457 5521 /* don't really want to audit every read attempt */
5458 5522 tad->tad_flag = 0;
5459 5523 /* free any residual audit data */
5460 5524 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5461 5525 releasef(fd);
5462 5526 return;
5463 5527 }
5464 5528 /* mark things so we know what happened and don't repeat things */
5465 5529 fad->fad_flags |= FAD_READ;
5466 5530
5467 5531 if (fad->fad_aupath != NULL) {
5468 5532 au_uwrite(au_to_path(fad->fad_aupath));
5469 5533 } else {
5470 5534 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5471 5535 }
5472 5536
5473 5537 /* include attributes */
5474 5538 audit_attributes(fp->f_vnode);
5475 5539
5476 5540 /* decrement file descriptor reference count */
5477 5541 releasef(fd);
5478 5542 }
5479 5543
5480 5544 /*ARGSUSED*/
5481 5545 static void
5482 5546 auf_write(struct t_audit_data *tad, int error, rval_t *rval)
5483 5547 {
5484 5548 struct file *fp;
5485 5549 struct f_audit_data *fad;
5486 5550 int fd;
5487 5551 register struct a {
5488 5552 long fd;
5489 5553 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5490 5554 au_kcontext_t *kctx = GET_KCTX_PZ;
5491 5555
5492 5556 fd = (int)uap->fd;
5493 5557
5494 5558 /*
5495 5559 * convert file pointer to file descriptor
5496 5560 * Note: fd ref count incremented here.
5497 5561 */
5498 5562 if ((fp = getf(fd)) == NULL)
5499 5563 return;
5500 5564
5501 5565 /* get path from file struct here */
5502 5566 fad = F2A(fp);
5503 5567 ASSERT(fad);
5504 5568
5505 5569 /*
5506 5570 * already processed this file for write attempt
5507 5571 *
5508 5572 * XXX might be better to turn off auditing in a aus_write() routine.
5509 5573 */
5510 5574 if (fad->fad_flags & FAD_WRITE) {
5511 5575 /* don't really want to audit every write attempt */
5512 5576 tad->tad_flag = 0;
5513 5577 /* free any residual audit data */
5514 5578 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5515 5579 releasef(fd);
5516 5580 return;
5517 5581 }
5518 5582 /* mark things so we know what happened and don't repeat things */
5519 5583 fad->fad_flags |= FAD_WRITE;
5520 5584
5521 5585 if (fad->fad_aupath != NULL) {
5522 5586 au_uwrite(au_to_path(fad->fad_aupath));
5523 5587 } else {
5524 5588 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5525 5589 }
5526 5590
5527 5591 /* include attributes */
5528 5592 audit_attributes(fp->f_vnode);
5529 5593
5530 5594 /* decrement file descriptor reference count */
5531 5595 releasef(fd);
5532 5596 }
5533 5597
5534 5598 /*ARGSUSED*/
5535 5599 static void
5536 5600 auf_recv(struct t_audit_data *tad, int error, rval_t *rval)
5537 5601 {
5538 5602 struct sonode *so;
5539 5603 char so_laddr[sizeof (struct sockaddr_in6)];
5540 5604 char so_faddr[sizeof (struct sockaddr_in6)];
5541 5605 struct file *fp;
5542 5606 struct f_audit_data *fad;
5543 5607 int fd;
5544 5608 int err;
5545 5609 socklen_t len;
5546 5610 short so_family, so_type;
5547 5611 register struct a {
5548 5612 long fd;
5549 5613 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5550 5614 au_kcontext_t *kctx = GET_KCTX_PZ;
5551 5615
5552 5616 /*
5553 5617 * If there was an error, then nothing to do. Only generate
5554 5618 * audit record on first successful recv.
5555 5619 */
5556 5620 if (error) {
5557 5621 /* Turn off audit record generation here. */
5558 5622 tad->tad_flag = 0;
5559 5623 /* free any residual audit data */
5560 5624 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5561 5625 return;
5562 5626 }
5563 5627
5564 5628 fd = (int)uap->fd;
5565 5629
5566 5630 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5567 5631 /* Turn off audit record generation here. */
5568 5632 tad->tad_flag = 0;
5569 5633 /* free any residual audit data */
5570 5634 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5571 5635 return;
5572 5636 }
5573 5637
5574 5638 /* get path from file struct here */
5575 5639 fad = F2A(fp);
5576 5640 ASSERT(fad);
5577 5641
5578 5642 /*
5579 5643 * already processed this file for read attempt
5580 5644 */
5581 5645 if (fad->fad_flags & FAD_READ) {
5582 5646 releasef(fd);
5583 5647 /* don't really want to audit every recv call */
5584 5648 tad->tad_flag = 0;
5585 5649 /* free any residual audit data */
5586 5650 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5587 5651 return;
5588 5652 }
5589 5653
5590 5654 /* mark things so we know what happened and don't repeat things */
5591 5655 fad->fad_flags |= FAD_READ;
5592 5656
5593 5657 so_family = so->so_family;
5594 5658 so_type = so->so_type;
5595 5659
5596 5660 switch (so_family) {
5597 5661 case AF_INET:
5598 5662 case AF_INET6:
5599 5663 /*
5600 5664 * Only for connections.
5601 5665 * XXX - do we need to worry about SOCK_DGRAM or other types???
5602 5666 */
5603 5667 if (so->so_state & SS_ISBOUND) {
5604 5668
5605 5669 bzero((void *)so_laddr, sizeof (so_laddr));
5606 5670 bzero((void *)so_faddr, sizeof (so_faddr));
5607 5671
5608 5672 /* get local and foreign addresses */
5609 5673 len = sizeof (so_laddr);
5610 5674 (void) socket_getsockname(so,
5611 5675 (struct sockaddr *)so_laddr, &len, CRED());
5612 5676 len = sizeof (so_faddr);
5613 5677 (void) socket_getpeername(so,
5614 5678 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5615 5679
5616 5680 /*
5617 5681 * only way to drop out of switch. Note that we
5618 5682 * we release fd below.
5619 5683 */
5620 5684
5621 5685 break;
5622 5686 }
5623 5687
5624 5688 releasef(fd);
5625 5689
5626 5690 /* don't really want to audit every recv call */
5627 5691 tad->tad_flag = 0;
5628 5692 /* free any residual audit data */
5629 5693 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5630 5694
5631 5695 return;
5632 5696
5633 5697 case AF_UNIX:
5634 5698
5635 5699 if (fad->fad_aupath != NULL) {
5636 5700 au_uwrite(au_to_path(fad->fad_aupath));
5637 5701 } else {
5638 5702 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5639 5703 }
5640 5704
5641 5705 audit_attributes(fp->f_vnode);
5642 5706
5643 5707 releasef(fd);
5644 5708
5645 5709 return;
5646 5710
5647 5711 default:
5648 5712 releasef(fd);
5649 5713
5650 5714 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5651 5715 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5652 5716 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5653 5717
5654 5718 return;
5655 5719 }
5656 5720
5657 5721 releasef(fd);
5658 5722
5659 5723 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5660 5724
5661 5725 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5662 5726
5663 5727 }
5664 5728
5665 5729 /*ARGSUSED*/
5666 5730 static void
5667 5731 auf_send(struct t_audit_data *tad, int error, rval_t *rval)
5668 5732 {
5669 5733 struct sonode *so;
5670 5734 char so_laddr[sizeof (struct sockaddr_in6)];
5671 5735 char so_faddr[sizeof (struct sockaddr_in6)];
5672 5736 struct file *fp;
5673 5737 struct f_audit_data *fad;
5674 5738 int fd;
5675 5739 int err;
5676 5740 socklen_t len;
5677 5741 short so_family, so_type;
5678 5742 register struct a {
5679 5743 long fd;
5680 5744 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5681 5745 au_kcontext_t *kctx = GET_KCTX_PZ;
5682 5746
5683 5747 fd = (int)uap->fd;
5684 5748
5685 5749 /*
5686 5750 * If there was an error, then nothing to do. Only generate
5687 5751 * audit record on first successful send.
5688 5752 */
5689 5753 if (error != 0) {
5690 5754 /* Turn off audit record generation here. */
5691 5755 tad->tad_flag = 0;
5692 5756 /* free any residual audit data */
5693 5757 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5694 5758 return;
5695 5759 }
5696 5760
5697 5761 fd = (int)uap->fd;
5698 5762
5699 5763 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5700 5764 /* Turn off audit record generation here. */
5701 5765 tad->tad_flag = 0;
5702 5766 /* free any residual audit data */
5703 5767 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5704 5768 return;
5705 5769 }
5706 5770
5707 5771 /* get path from file struct here */
5708 5772 fad = F2A(fp);
5709 5773 ASSERT(fad);
5710 5774
5711 5775 /*
5712 5776 * already processed this file for write attempt
5713 5777 */
5714 5778 if (fad->fad_flags & FAD_WRITE) {
5715 5779 releasef(fd);
5716 5780 /* don't really want to audit every send call */
5717 5781 tad->tad_flag = 0;
5718 5782 /* free any residual audit data */
5719 5783 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5720 5784 return;
5721 5785 }
5722 5786
5723 5787 /* mark things so we know what happened and don't repeat things */
5724 5788 fad->fad_flags |= FAD_WRITE;
5725 5789
5726 5790 so_family = so->so_family;
5727 5791 so_type = so->so_type;
5728 5792
5729 5793 switch (so_family) {
5730 5794 case AF_INET:
5731 5795 case AF_INET6:
5732 5796 /*
5733 5797 * Only for connections.
5734 5798 * XXX - do we need to worry about SOCK_DGRAM or other types???
5735 5799 */
5736 5800 if (so->so_state & SS_ISBOUND) {
5737 5801
5738 5802 bzero((void *)so_laddr, sizeof (so_laddr));
5739 5803 bzero((void *)so_faddr, sizeof (so_faddr));
5740 5804
5741 5805 /* get local and foreign addresses */
5742 5806 len = sizeof (so_laddr);
5743 5807 (void) socket_getsockname(so,
5744 5808 (struct sockaddr *)so_laddr, &len, CRED());
5745 5809 len = sizeof (so_faddr);
5746 5810 (void) socket_getpeername(so,
5747 5811 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5748 5812
5749 5813 /*
5750 5814 * only way to drop out of switch. Note that we
5751 5815 * we release fd below.
5752 5816 */
5753 5817
5754 5818 break;
5755 5819 }
5756 5820
5757 5821 releasef(fd);
5758 5822 /* don't really want to audit every send call */
5759 5823 tad->tad_flag = 0;
5760 5824 /* free any residual audit data */
5761 5825 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5762 5826
5763 5827 return;
5764 5828
5765 5829 case AF_UNIX:
5766 5830
5767 5831 if (fad->fad_aupath != NULL) {
5768 5832 au_uwrite(au_to_path(fad->fad_aupath));
5769 5833 } else {
5770 5834 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5771 5835 }
5772 5836
5773 5837 audit_attributes(fp->f_vnode);
5774 5838
5775 5839 releasef(fd);
5776 5840
5777 5841 return;
5778 5842
5779 5843 default:
5780 5844 releasef(fd);
5781 5845
5782 5846 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5783 5847 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5784 5848 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5785 5849
5786 5850 return;
5787 5851 }
5788 5852
5789 5853 releasef(fd);
5790 5854
5791 5855 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5792 5856
5793 5857 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5794 5858 }
5795 5859
5796 5860 static au_event_t
5797 5861 aui_forksys(au_event_t e)
5798 5862 {
5799 5863 struct a {
5800 5864 long subcode;
5801 5865 long flags;
5802 5866 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5803 5867
5804 5868 switch ((uint_t)uap->subcode) {
5805 5869 case 0:
5806 5870 e = AUE_FORK1;
5807 5871 break;
5808 5872 case 1:
5809 5873 e = AUE_FORKALL;
5810 5874 break;
5811 5875 case 2:
5812 5876 e = AUE_VFORK;
5813 5877 break;
5814 5878 default:
5815 5879 e = AUE_NULL;
5816 5880 break;
5817 5881 }
5818 5882
5819 5883 return (e);
5820 5884 }
5821 5885
5822 5886 /*ARGSUSED*/
5823 5887 static au_event_t
5824 5888 aui_portfs(au_event_t e)
5825 5889 {
5826 5890 struct a { /* portfs */
5827 5891 long a1;
5828 5892 long a2;
5829 5893 long a3;
5830 5894 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5831 5895
5832 5896 /*
5833 5897 * check opcode
5834 5898 */
5835 5899 switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5836 5900 case PORT_ASSOCIATE:
5837 5901 /* check source */
5838 5902 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5839 5903 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5840 5904 e = AUE_PORTFS_ASSOCIATE;
5841 5905 } else {
5842 5906 e = AUE_NULL;
5843 5907 }
5844 5908 break;
5845 5909 case PORT_DISSOCIATE:
5846 5910 /* check source */
5847 5911 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5848 5912 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5849 5913 e = AUE_PORTFS_DISSOCIATE;
5850 5914 } else {
5851 5915 e = AUE_NULL;
5852 5916 }
5853 5917 break;
5854 5918 default:
5855 5919 e = AUE_NULL;
5856 5920 }
5857 5921 return (e);
5858 5922 }
|
↓ open down ↓ |
2594 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX