1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
25 */
26
27 /*
28 * This file contains the audit event table used to control the production
29 * of audit records for each system call.
30 */
31
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h> /* for sysinfo auditing */
37 #include <sys/utsname.h> /* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h> /* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h> /* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h> /* for accept */
56 #include <sys/utssys.h> /* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/vfs_opreg.h>
76 #include <fs/sockfs/sockcommon.h>
77 #include <netinet/in.h>
78 #include <sys/ddi.h>
79 #include <sys/port_impl.h>
80
81 static au_event_t aui_fchownat(au_event_t);
82 static au_event_t aui_fchmodat(au_event_t);
83 static au_event_t aui_open(au_event_t);
84 static au_event_t aui_openat(au_event_t);
85 static au_event_t aui_unlinkat(au_event_t);
86 static au_event_t aui_fstatat(au_event_t);
87 static au_event_t aui_msgsys(au_event_t);
88 static au_event_t aui_shmsys(au_event_t);
89 static au_event_t aui_semsys(au_event_t);
90 static au_event_t aui_utssys(au_event_t);
91 static au_event_t aui_fcntl(au_event_t);
92 static au_event_t aui_execve(au_event_t);
93 static au_event_t aui_memcntl(au_event_t);
94 static au_event_t aui_sysinfo(au_event_t);
95 static au_event_t aui_portfs(au_event_t);
96 static au_event_t aui_auditsys(au_event_t);
97 static au_event_t aui_modctl(au_event_t);
98 static au_event_t aui_acl(au_event_t);
99 static au_event_t aui_doorfs(au_event_t);
100 static au_event_t aui_privsys(au_event_t);
101 static au_event_t aui_forksys(au_event_t);
102 static au_event_t aui_labelsys(au_event_t);
103 static au_event_t aui_setpgrp(au_event_t);
104
105 static void aus_exit(struct t_audit_data *);
106 static void aus_open(struct t_audit_data *);
107 static void aus_openat(struct t_audit_data *);
108 static void aus_acl(struct t_audit_data *);
109 static void aus_acct(struct t_audit_data *);
110 static void aus_chown(struct t_audit_data *);
111 static void aus_fchown(struct t_audit_data *);
112 static void aus_lchown(struct t_audit_data *);
113 static void aus_fchownat(struct t_audit_data *);
114 static void aus_chmod(struct t_audit_data *);
115 static void aus_facl(struct t_audit_data *);
116 static void aus_fchmod(struct t_audit_data *);
117 static void aus_fchmodat(struct t_audit_data *);
118 static void aus_fcntl(struct t_audit_data *);
119 static void aus_mkdir(struct t_audit_data *);
120 static void aus_mkdirat(struct t_audit_data *);
121 static void aus_mknod(struct t_audit_data *);
122 static void aus_mknodat(struct t_audit_data *);
123 static void aus_mount(struct t_audit_data *);
124 static void aus_umount2(struct t_audit_data *);
125 static void aus_msgsys(struct t_audit_data *);
126 static void aus_semsys(struct t_audit_data *);
127 static void aus_close(struct t_audit_data *);
128 static void aus_fstatfs(struct t_audit_data *);
129 static void aus_setgid(struct t_audit_data *);
130 static void aus_setpgrp(struct t_audit_data *);
131 static void aus_setuid(struct t_audit_data *);
132 static void aus_shmsys(struct t_audit_data *);
133 static void aus_doorfs(struct t_audit_data *);
134 static void aus_ioctl(struct t_audit_data *);
135 static void aus_memcntl(struct t_audit_data *);
136 static void aus_mmap(struct t_audit_data *);
137 static void aus_munmap(struct t_audit_data *);
138 static void aus_priocntlsys(struct t_audit_data *);
139 static void aus_psecflags(struct t_audit_data *);
140 static void aus_setegid(struct t_audit_data *);
141 static void aus_setgroups(struct t_audit_data *);
142 static void aus_seteuid(struct t_audit_data *);
143 static void aus_putmsg(struct t_audit_data *);
144 static void aus_putpmsg(struct t_audit_data *);
145 static void aus_getmsg(struct t_audit_data *);
146 static void aus_getpmsg(struct t_audit_data *);
147 static void aus_auditsys(struct t_audit_data *);
148 static void aus_sysinfo(struct t_audit_data *);
149 static void aus_modctl(struct t_audit_data *);
150 static void aus_kill(struct t_audit_data *);
151 static void aus_setregid(struct t_audit_data *);
152 static void aus_setreuid(struct t_audit_data *);
153 static void aus_labelsys(struct t_audit_data *);
154
155 static void auf_mknod(struct t_audit_data *, int, rval_t *);
156 static void auf_mknodat(struct t_audit_data *, int, rval_t *);
157 static void auf_msgsys(struct t_audit_data *, int, rval_t *);
158 static void auf_semsys(struct t_audit_data *, int, rval_t *);
159 static void auf_shmsys(struct t_audit_data *, int, rval_t *);
160 static void auf_read(struct t_audit_data *, int, rval_t *);
161 static void auf_write(struct t_audit_data *, int, rval_t *);
162
163 static void aus_sigqueue(struct t_audit_data *);
164 static void aus_p_online(struct t_audit_data *);
165 static void aus_processor_bind(struct t_audit_data *);
166 static void aus_inst_sync(struct t_audit_data *);
167 static void aus_brandsys(struct t_audit_data *);
168
169 static void auf_accept(struct t_audit_data *, int, rval_t *);
170
171 static void auf_bind(struct t_audit_data *, int, rval_t *);
172 static void auf_connect(struct t_audit_data *, int, rval_t *);
173 static void aus_shutdown(struct t_audit_data *);
174 static void auf_setsockopt(struct t_audit_data *, int, rval_t *);
175 static void aus_sockconfig(struct t_audit_data *);
176 static void auf_recv(struct t_audit_data *, int, rval_t *);
177 static void auf_recvmsg(struct t_audit_data *, int, rval_t *);
178 static void auf_send(struct t_audit_data *, int, rval_t *);
179 static void auf_sendmsg(struct t_audit_data *, int, rval_t *);
180 static void auf_recvfrom(struct t_audit_data *, int, rval_t *);
181 static void auf_sendto(struct t_audit_data *, int, rval_t *);
182 static void aus_socket(struct t_audit_data *);
183 /*
184 * This table contains mapping information for converting system call numbers
185 * to audit event IDs. In several cases it is necessary to map a single system
186 * call to several events.
187 */
188
189 #define aui_null NULL /* NULL initialize function */
190 #define aus_null NULL /* NULL start function */
191 #define auf_null NULL /* NULL finish function */
192
193 struct audit_s2e audit_s2e[] =
194 {
195 /*
196 * ---------- ---------- ---------- ----------
197 * INITIAL AUDIT START SYSTEM
198 * PROCESSING EVENT PROCESSING CALL
199 * ---------- ---------- ---------- -----------
200 * FINISH EVENT
201 * PROCESSING CONTROL
202 * ----------------------------------------------------------
203 */
204 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */
205 auf_null, 0,
206 aui_null, AUE_EXIT, aus_exit, /* 1 exit */
207 auf_null, S2E_NPT,
208 aui_null, AUE_PSECFLAGS, aus_psecflags, /* 2 psecflags */
209 auf_null, 0,
210 aui_null, AUE_READ, aus_null, /* 3 read */
211 auf_read, S2E_PUB,
212 aui_null, AUE_WRITE, aus_null, /* 4 write */
213 auf_write, 0,
214 aui_open, AUE_OPEN, aus_open, /* 5 open */
215 auf_null, S2E_SP,
216 aui_null, AUE_CLOSE, aus_close, /* 6 close */
217 auf_null, 0,
218 aui_null, AUE_LINK, aus_null, /* 7 linkat */
219 auf_null, 0,
220 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */
221 auf_null, 0,
222 aui_null, AUE_LINK, aus_null, /* 9 link */
223 auf_null, 0,
224 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */
225 auf_null, 0,
226 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */
227 auf_null, 0,
228 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */
229 auf_null, S2E_SP,
230 aui_null, AUE_NULL, aus_null, /* 13 time */
231 auf_null, 0,
232 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */
233 auf_mknod, S2E_MLD,
234 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */
235 auf_null, 0,
236 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */
237 auf_null, 0,
238 aui_null, AUE_NULL, aus_null, /* 17 brk */
239 auf_null, 0,
240 aui_null, AUE_STAT, aus_null, /* 18 stat */
241 auf_null, S2E_PUB,
242 aui_null, AUE_NULL, aus_null, /* 19 lseek */
243 auf_null, 0,
244 aui_null, AUE_NULL, aus_null, /* 20 getpid */
245 auf_null, 0,
246 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */
247 auf_null, S2E_MLD,
248 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */
249 auf_null, S2E_PUB,
250 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */
251 auf_null, 0,
252 aui_null, AUE_NULL, aus_null, /* 24 getuid */
253 auf_null, 0,
254 aui_null, AUE_STIME, aus_null, /* 25 stime */
255 auf_null, 0,
256 aui_null, AUE_NULL, aus_null, /* 26 pcsample */
257 auf_null, 0,
258 aui_null, AUE_NULL, aus_null, /* 27 alarm */
259 auf_null, 0,
260 aui_null, AUE_NULL, aus_null, /* 28 fstat */
261 auf_null, 0,
262 aui_null, AUE_NULL, aus_null, /* 29 pause */
263 auf_null, 0,
264 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */
265 auf_null, 0,
266 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */
267 auf_null, 0,
268 aui_null, AUE_NULL, aus_null, /* 32 gtty */
269 auf_null, 0,
270 aui_null, AUE_ACCESS, aus_null, /* 33 access */
271 auf_null, S2E_PUB,
272 aui_null, AUE_NICE, aus_null, /* 34 nice */
273 auf_null, 0,
274 aui_null, AUE_STATFS, aus_null, /* 35 statfs */
275 auf_null, S2E_PUB,
276 aui_null, AUE_NULL, aus_null, /* 36 sync */
277 auf_null, 0,
278 aui_null, AUE_KILL, aus_kill, /* 37 kill */
279 auf_null, 0,
280 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */
281 auf_null, S2E_PUB,
282 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */
283 auf_null, 0,
284 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */
285 auf_null, 0,
286 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */
287 auf_null, 0,
288 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */
289 auf_null, 0,
290 aui_null, AUE_NULL, aus_null, /* 43 times */
291 auf_null, 0,
292 aui_null, AUE_NULL, aus_null, /* 44 profil */
293 auf_null, 0,
294 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */
295 auf_null, S2E_PUB,
296 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */
297 auf_null, 0,
298 aui_null, AUE_NULL, aus_null, /* 47 getgid */
299 auf_null, 0,
300 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */
301 auf_mknodat, S2E_MLD,
302 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */
303 auf_msgsys, 0,
304 #if defined(__x86)
305 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */
306 auf_null, 0,
307 #else
308 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */
309 auf_null, 0,
310 #endif /* __x86 */
311 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */
312 auf_null, 0,
313 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */
314 auf_shmsys, 0,
315 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */
316 auf_semsys, 0,
317 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */
318 auf_null, 0,
319 aui_null, AUE_NULL, aus_null, /* 55 uadmin */
320 auf_null, 0,
321 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */
322 auf_null, 0,
323 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */
324 auf_null, 0,
325 aui_null, AUE_NULL, aus_null, /* 58 fsync */
326 auf_null, 0,
327 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */
328 auf_null, S2E_MLD,
329 aui_null, AUE_NULL, aus_null, /* 60 umask */
330 auf_null, 0,
331 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */
332 auf_null, S2E_SP,
333 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */
334 auf_null, 0,
335 aui_null, AUE_NULL, aus_null, /* 63 ulimit */
336 auf_null, 0,
337 aui_null, AUE_RENAME, aus_null, /* 64 renameat */
338 auf_null, 0,
339 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */
340 auf_null, 0,
341 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */
342 auf_null, S2E_PUB,
343 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */
344 auf_null, S2E_PUB,
345 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */
346 auf_null, S2E_SP,
347 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */
348 auf_null, S2E_SP,
349 aui_null, AUE_NULL, aus_null, /* 70 tasksys */
350 auf_null, 0,
351 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */
352 auf_null, 0,
353 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */
354 auf_null, 0,
355 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */
356 auf_null, 0,
357 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */
358 auf_null, 0,
359 aui_null, AUE_NULL, aus_null, /* 75 sidsys */
360 auf_null, 0,
361 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */
362 auf_null, 0,
363 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */
364 auf_null, 0,
365 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */
366 auf_null, 0,
367 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */
368 auf_null, 0,
369 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */
370 auf_null, 0,
371 aui_null, AUE_NULL, aus_null, /* 81 getdents */
372 auf_null, 0,
373 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */
374 auf_null, 0,
375 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */
376 auf_null, 0,
377 aui_null, AUE_NULL, aus_null, /* 84 sysfs */
378 auf_null, 0,
379 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */
380 auf_null, 0,
381 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */
382 auf_null, 0,
383 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */
384 auf_null, 0,
385 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */
386 auf_null, S2E_PUB,
387 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */
388 auf_null, 0,
389 aui_null, AUE_READLINK, aus_null, /* 90 readlink */
390 auf_null, S2E_PUB,
391 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */
392 auf_null, 0,
393 aui_null, AUE_NULL, aus_null, /* 92 getgroups */
394 auf_null, 0,
395 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */
396 auf_null, 0,
397 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */
398 auf_null, 0,
399 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */
400 auf_null, 0,
401 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */
402 auf_null, 0,
403 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */
404 auf_null, 0,
405 aui_null, AUE_NULL, aus_null, /* 98 sigaction */
406 auf_null, 0,
407 aui_null, AUE_NULL, aus_null, /* 99 sigpending */
408 auf_null, 0,
409 aui_null, AUE_NULL, aus_null, /* 100 setcontext */
410 auf_null, 0,
411 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */
412 auf_null, 0,
413 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */
414 auf_null, 0,
415 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */
416 auf_null, S2E_PUB,
417 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */
418 auf_null, 0,
419 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */
420 auf_null, 0,
421 aui_null, AUE_NULL, aus_null, /* 106 nfssys */
422 auf_null, 0,
423 aui_null, AUE_NULL, aus_null, /* 107 waitsys */
424 auf_null, 0,
425 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */
426 auf_null, 0,
427 #if defined(__x86)
428 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */
429 auf_null, 0,
430 #else
431 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */
432 auf_null, 0,
433 #endif /* __x86 */
434 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */
435 auf_null, 0,
436 aui_null, AUE_NULL, aus_null, /* 111 sigresend */
437 auf_null, 0,
438 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
439 auf_null, 0,
440 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */
441 auf_null, S2E_PUB,
442 aui_null, AUE_NULL, aus_null, /* 114 mincore */
443 auf_null, 0,
444 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */
445 auf_null, 0,
446 aui_null, AUE_NULL, aus_null, /* 116 mprotect */
447 auf_null, 0,
448 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */
449 auf_null, 0,
450 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */
451 auf_null, 0,
452 aui_null, AUE_VFORK, aus_null, /* 119 vfork */
453 auf_null, 0,
454 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */
455 auf_null, 0,
456 aui_null, AUE_READ, aus_null, /* 121 readv */
457 auf_read, S2E_PUB,
458 aui_null, AUE_WRITE, aus_null, /* 122 writev */
459 auf_write, 0,
460 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */
461 auf_null, 0,
462 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */
463 auf_null, 0,
464 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */
465 auf_null, 0,
466 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */
467 auf_null, 0,
468 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */
469 auf_null, 0,
470 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */
471 auf_null, 0,
472 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */
473 auf_null, 0,
474 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */
475 auf_null, 0,
476 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */
477 auf_null, 0,
478 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */
479 auf_null, 0,
480 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */
481 auf_null, 0,
482 aui_null, AUE_RENAME, aus_null, /* 134 rename */
483 auf_null, 0,
484 aui_null, AUE_NULL, aus_null, /* 135 uname */
485 auf_null, 0,
486 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */
487 auf_null, 0,
488 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */
489 auf_null, 0,
490 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */
491 auf_null, 0,
492 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */
493 auf_null, 0,
494 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */
495 auf_null, 0,
496 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */
497 auf_null, 0,
498 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */
499 auf_null, 0,
500 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */
501 auf_null, 0,
502 aui_null, AUE_NULL, aus_null, /* 144 sigwait */
503 auf_null, 0,
504 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */
505 auf_null, 0,
506 aui_null, AUE_NULL, aus_null, /* 146 yield */
507 auf_null, 0,
508 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */
509 /* was lwp_sema_wait */
510 auf_null, 0,
511 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */
512 auf_null, 0,
513 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */
514 auf_null, 0,
515 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */
516 auf_null, 0,
517 aui_null, AUE_NULL, aus_null, /* 151 corectl */
518 auf_null, 0,
519 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */
520 auf_null, 0,
521 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */
522 auf_null, 0,
523 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */
524 auf_null, 0,
525 aui_null, AUE_NULL, aus_null, /* 155 vhangup */
526 auf_null, 0,
527 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */
528 auf_null, 0,
529 aui_null, AUE_NULL, aus_null, /* 157 getitimer */
530 auf_null, 0,
531 aui_null, AUE_NULL, aus_null, /* 158 setitimer */
532 auf_null, 0,
533 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */
534 auf_null, 0,
535 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */
536 auf_null, 0,
537 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */
538 auf_null, 0,
539 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */
540 auf_null, 0,
541 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */
542 auf_null, 0,
543 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */
544 auf_null, 0,
545 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */
546 auf_null, 0,
547 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */
548 auf_null, 0,
549 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */
550 auf_null, 0,
551 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */
552 auf_null, 0,
553 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */
554 /* was lwp_mutex_lock */
555 auf_null, 0,
556 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */
557 auf_null, 0,
558 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */
559 auf_null, 0,
560 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */
561 auf_null, 0,
562 aui_null, AUE_READ, aus_null, /* 173 pread */
563 auf_read, S2E_PUB,
564 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */
565 auf_write, 0,
566 aui_null, AUE_NULL, aus_null, /* 175 llseek */
567 auf_null, 0,
568 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */
569 auf_null, 0,
570 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */
571 auf_null, 0,
572 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */
573 auf_null, 0,
574 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */
575 auf_null, 0,
576 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */
577 auf_null, 0,
578 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */
579 auf_null, 0,
580 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */
581 auf_null, S2E_MLD,
582 aui_null, AUE_NULL, aus_null, /* 183 pollsys */
583 auf_null, 0,
584 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */
585 auf_null, 0,
586 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */
587 auf_null, 0,
588 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */
589 auf_null, 0,
590 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
591 auf_null, 0,
592 aui_null, AUE_NULL, aus_null, /* 188 processor_info */
593 auf_null, 0,
594 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */
595 auf_null, 0,
596 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */
597 auf_null, 0,
598 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */
599 auf_null, 0,
600 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */
601 auf_null, 0,
602 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */
603 auf_null, 0,
604 aui_null, AUE_NULL, aus_null, /* 194 timer_create */
605 auf_null, 0,
606 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */
607 auf_null, 0,
608 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */
609 auf_null, 0,
610 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */
611 auf_null, 0,
612 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */
613 auf_null, 0,
614 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */
615 auf_null, 0,
616 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */
617 auf_null, 0,
618 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */
619 auf_null, 0,
620 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */
621 auf_null, 0,
622 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */
623 auf_null, 0,
624 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */
625 auf_null, 0,
626 aui_null, AUE_NULL, aus_null, /* 205 signotify */
627 auf_null, 0,
628 aui_null, AUE_NULL, aus_null, /* 206 schedctl */
629 auf_null, 0,
630 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */
631 auf_null, 0,
632 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */
633 auf_null, 0,
634 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */
635 auf_null, 0,
636 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */
637 auf_null, 0,
638 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */
639 auf_null, 0,
640 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */
641 auf_null, 0,
642 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */
643 auf_null, 0,
644 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */
645 auf_null, 0,
646 aui_null, AUE_STAT, aus_null, /* 215 stat64 */
647 auf_null, S2E_PUB,
648 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */
649 auf_null, S2E_PUB,
650 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */
651 auf_null, 0,
652 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */
653 auf_null, S2E_PUB,
654 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */
655 auf_null, 0,
656 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */
657 auf_null, 0,
658 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */
659 auf_null, 0,
660 aui_null, AUE_READ, aus_null, /* 222 pread64 */
661 auf_read, S2E_PUB,
662 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */
663 auf_write, 0,
664 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */
665 auf_null, 0,
666 aui_open, AUE_OPEN, aus_open, /* 225 open64 */
667 auf_null, S2E_SP,
668 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */
669 auf_null, 0,
670 aui_null, AUE_NULL, aus_null, /* 227 zone */
671 auf_null, 0,
672 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */
673 auf_null, 0,
674 aui_null, AUE_NULL, aus_null, /* 229 getcwd */
675 auf_null, 0,
676 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */
677 auf_null, 0,
678 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */
679 auf_null, 0,
680 aui_null, AUE_BIND, aus_null, /* 232 bind */
681 auf_bind, 0,
682 aui_null, AUE_NULL, aus_null, /* 233 listen */
683 auf_null, 0,
684 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */
685 auf_accept, 0,
686 aui_null, AUE_CONNECT, aus_null, /* 235 connect */
687 auf_connect, 0,
688 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */
689 auf_null, 0,
690 aui_null, AUE_READ, aus_null, /* 237 recv */
691 auf_recv, 0,
692 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */
693 auf_recvfrom, 0,
694 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */
695 auf_recvmsg, 0,
696 aui_null, AUE_WRITE, aus_null, /* 240 send */
697 auf_send, 0,
698 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */
699 auf_sendmsg, 0,
700 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */
701 auf_sendto, 0,
702 aui_null, AUE_NULL, aus_null, /* 243 getpeername */
703 auf_null, 0,
704 aui_null, AUE_NULL, aus_null, /* 244 getsockname */
705 auf_null, 0,
706 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */
707 auf_null, 0,
708 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */
709 auf_setsockopt, 0,
710 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
711 auf_null, 0,
712 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */
713 auf_null, 0,
714 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */
715 auf_null, 0,
716 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */
717 auf_null, 0,
718 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */
719 auf_null, 0,
720 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */
721 auf_null, 0,
722 aui_null, AUE_NULL, aus_null, /* 253 cladm */
723 auf_null, 0,
724 aui_null, AUE_NULL, aus_null, /* 254 uucopy */
725 auf_null, 0,
726 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */
727 auf_null, 0
728 };
729
730 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
731
732
733 /* exit start function */
734 /*ARGSUSED*/
735 static void
736 aus_exit(struct t_audit_data *tad)
737 {
738 uint32_t rval;
739 struct a {
740 long rval;
741 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
742
743 rval = (uint32_t)uap->rval;
744 au_uwrite(au_to_arg32(1, "exit status", rval));
745 }
746
747 /*ARGSUSED*/
748 static void
749 aus_psecflags(struct t_audit_data *tad)
750 {
751 struct a {
752 uintptr_t psp; /* procset_t */
753 uint_t cmd; /* psecflags_cmd_t */
754 uint_t arg;
755 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
756
757 au_uwrite(au_to_arg32(2, "cmd", (uint_t)uap->cmd));
758 au_uwrite(au_to_arg32(3, "arg", (uint_t)uap->arg));
759 }
760
761 /* acct start function */
762 /*ARGSUSED*/
763 static void
764 aus_acct(struct t_audit_data *tad)
765 {
766 klwp_t *clwp = ttolwp(curthread);
767 uintptr_t fname;
768
769 struct a {
770 long fname; /* char * */
771 } *uap = (struct a *)clwp->lwp_ap;
772
773 fname = (uintptr_t)uap->fname;
774
775 if (fname == 0)
776 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
777 }
778
779 /* chown start function */
780 /*ARGSUSED*/
781 static void
782 aus_chown(struct t_audit_data *tad)
783 {
784 klwp_t *clwp = ttolwp(curthread);
785 uint32_t uid, gid;
786
787 struct a {
788 long fname; /* char * */
789 long uid;
790 long gid;
791 } *uap = (struct a *)clwp->lwp_ap;
792
793 uid = (uint32_t)uap->uid;
794 gid = (uint32_t)uap->gid;
795
796 au_uwrite(au_to_arg32(2, "new file uid", uid));
797 au_uwrite(au_to_arg32(3, "new file gid", gid));
798 }
799
800 /* fchown start function */
801 /*ARGSUSED*/
802 static void
803 aus_fchown(struct t_audit_data *tad)
804 {
805 klwp_t *clwp = ttolwp(curthread);
806 uint32_t uid, gid, fd;
807 struct file *fp;
808 struct vnode *vp;
809 struct f_audit_data *fad;
810
811 struct a {
812 long fd;
813 long uid;
814 long gid;
815 } *uap = (struct a *)clwp->lwp_ap;
816
817 fd = (uint32_t)uap->fd;
818 uid = (uint32_t)uap->uid;
819 gid = (uint32_t)uap->gid;
820
821 au_uwrite(au_to_arg32(2, "new file uid", uid));
822 au_uwrite(au_to_arg32(3, "new file gid", gid));
823
824 /*
825 * convert file pointer to file descriptor
826 * Note: fd ref count incremented here.
827 */
828 if ((fp = getf(fd)) == NULL)
829 return;
830
831 /* get path from file struct here */
832 fad = F2A(fp);
833 if (fad->fad_aupath != NULL) {
834 au_uwrite(au_to_path(fad->fad_aupath));
835 } else {
836 au_uwrite(au_to_arg32(1, "no path: fd", fd));
837 }
838
839 vp = fp->f_vnode;
840 audit_attributes(vp);
841
842 /* decrement file descriptor reference count */
843 releasef(fd);
844 }
845
846 /*ARGSUSED*/
847 static void
848 aus_lchown(struct t_audit_data *tad)
849 {
850 klwp_t *clwp = ttolwp(curthread);
851 uint32_t uid, gid;
852
853
854 struct a {
855 long fname; /* char * */
856 long uid;
857 long gid;
858 } *uap = (struct a *)clwp->lwp_ap;
859
860 uid = (uint32_t)uap->uid;
861 gid = (uint32_t)uap->gid;
862
863 au_uwrite(au_to_arg32(2, "new file uid", uid));
864 au_uwrite(au_to_arg32(3, "new file gid", gid));
865 }
866
867 static au_event_t
868 aui_fchownat(au_event_t e)
869 {
870 klwp_t *clwp = ttolwp(curthread);
871
872 struct a {
873 long fd;
874 long fname; /* char * */
875 long uid;
876 long gid;
877 long flags;
878 } *uap = (struct a *)clwp->lwp_ap;
879
880 if (uap->fname == NULL)
881 e = AUE_FCHOWN;
882 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
883 e = AUE_LCHOWN;
884 else
885 e = AUE_CHOWN;
886
887 return (e);
888 }
889
890 /*ARGSUSED*/
891 static void
892 aus_fchownat(struct t_audit_data *tad)
893 {
894 klwp_t *clwp = ttolwp(curthread);
895 uint32_t uid, gid;
896
897 struct a {
898 long fd;
899 long fname; /* char * */
900 long uid;
901 long gid;
902 long flags;
903 } *uap = (struct a *)clwp->lwp_ap;
904
905 uid = (uint32_t)uap->uid;
906 gid = (uint32_t)uap->gid;
907
908 au_uwrite(au_to_arg32(3, "new file uid", uid));
909 au_uwrite(au_to_arg32(4, "new file gid", gid));
910 }
911
912 /*ARGSUSED*/
913 static void
914 aus_chmod(struct t_audit_data *tad)
915 {
916 klwp_t *clwp = ttolwp(curthread);
917 uint32_t fmode;
918
919 struct a {
920 long fname; /* char * */
921 long fmode;
922 } *uap = (struct a *)clwp->lwp_ap;
923
924 fmode = (uint32_t)uap->fmode;
925
926 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
927 }
928
929 /*ARGSUSED*/
930 static void
931 aus_fchmod(struct t_audit_data *tad)
932 {
933 klwp_t *clwp = ttolwp(curthread);
934 uint32_t fmode, fd;
935 struct file *fp;
936 struct vnode *vp;
937 struct f_audit_data *fad;
938
939 struct a {
940 long fd;
941 long fmode;
942 } *uap = (struct a *)clwp->lwp_ap;
943
944 fd = (uint32_t)uap->fd;
945 fmode = (uint32_t)uap->fmode;
946
947 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
948
949 /*
950 * convert file pointer to file descriptor
951 * Note: fd ref count incremented here.
952 */
953 if ((fp = getf(fd)) == NULL)
954 return;
955
956 /* get path from file struct here */
957 fad = F2A(fp);
958 if (fad->fad_aupath != NULL) {
959 au_uwrite(au_to_path(fad->fad_aupath));
960 } else {
961 au_uwrite(au_to_arg32(1, "no path: fd", fd));
962 }
963
964 vp = fp->f_vnode;
965 audit_attributes(vp);
966
967 /* decrement file descriptor reference count */
968 releasef(fd);
969 }
970
971 static au_event_t
972 aui_fchmodat(au_event_t e)
973 {
974 klwp_t *clwp = ttolwp(curthread);
975
976 struct a {
977 long fd;
978 long fname; /* char * */
979 long fmode;
980 long flag;
981 } *uap = (struct a *)clwp->lwp_ap;
982
983 if (uap->fname == NULL)
984 e = AUE_FCHMOD;
985 else
986 e = AUE_CHMOD;
987
988 return (e);
989 }
990
991 /*ARGSUSED*/
992 static void
993 aus_fchmodat(struct t_audit_data *tad)
994 {
995 klwp_t *clwp = ttolwp(curthread);
996 uint32_t fmode;
997 uint32_t fd;
998 struct file *fp;
999 struct vnode *vp;
1000 struct f_audit_data *fad;
1001
1002 struct a {
1003 long fd;
1004 long fname; /* char * */
1005 long fmode;
1006 long flag;
1007 } *uap = (struct a *)clwp->lwp_ap;
1008
1009 fd = (uint32_t)uap->fd;
1010 fmode = (uint32_t)uap->fmode;
1011
1012 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1013
1014 if (fd == AT_FDCWD || uap->fname != NULL) /* same as chmod() */
1015 return;
1016
1017 /*
1018 * convert file pointer to file descriptor
1019 * Note: fd ref count incremented here.
1020 */
1021 if ((fp = getf(fd)) == NULL)
1022 return;
1023
1024 /* get path from file struct here */
1025 fad = F2A(fp);
1026 if (fad->fad_aupath != NULL) {
1027 au_uwrite(au_to_path(fad->fad_aupath));
1028 } else {
1029 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1030 }
1031
1032 vp = fp->f_vnode;
1033 audit_attributes(vp);
1034
1035 /* decrement file descriptor reference count */
1036 releasef(fd);
1037 }
1038
1039 /*
1040 * convert open mode to appropriate open event
1041 */
1042 au_event_t
1043 open_event(uint_t fm)
1044 {
1045 au_event_t e;
1046
1047 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1048 case O_RDONLY:
1049 e = AUE_OPEN_R;
1050 break;
1051 case O_RDONLY | O_CREAT:
1052 e = AUE_OPEN_RC;
1053 break;
1054 case O_RDONLY | O_TRUNC:
1055 e = AUE_OPEN_RT;
1056 break;
1057 case O_RDONLY | O_TRUNC | O_CREAT:
1058 e = AUE_OPEN_RTC;
1059 break;
1060 case O_WRONLY:
1061 e = AUE_OPEN_W;
1062 break;
1063 case O_WRONLY | O_CREAT:
1064 e = AUE_OPEN_WC;
1065 break;
1066 case O_WRONLY | O_TRUNC:
1067 e = AUE_OPEN_WT;
1068 break;
1069 case O_WRONLY | O_TRUNC | O_CREAT:
1070 e = AUE_OPEN_WTC;
1071 break;
1072 case O_RDWR:
1073 e = AUE_OPEN_RW;
1074 break;
1075 case O_RDWR | O_CREAT:
1076 e = AUE_OPEN_RWC;
1077 break;
1078 case O_RDWR | O_TRUNC:
1079 e = AUE_OPEN_RWT;
1080 break;
1081 case O_RDWR | O_TRUNC | O_CREAT:
1082 e = AUE_OPEN_RWTC;
1083 break;
1084 case O_SEARCH:
1085 e = AUE_OPEN_S;
1086 break;
1087 case O_EXEC:
1088 e = AUE_OPEN_E;
1089 break;
1090 default:
1091 e = AUE_NULL;
1092 break;
1093 }
1094
1095 return (e);
1096 }
1097
1098 /* ARGSUSED */
1099 static au_event_t
1100 aui_open(au_event_t e)
1101 {
1102 klwp_t *clwp = ttolwp(curthread);
1103 uint_t fm;
1104
1105 struct a {
1106 long fnamep; /* char * */
1107 long fmode;
1108 long cmode;
1109 } *uap = (struct a *)clwp->lwp_ap;
1110
1111 fm = (uint_t)uap->fmode;
1112
1113 return (open_event(fm));
1114 }
1115
1116 static void
1117 aus_open(struct t_audit_data *tad)
1118 {
1119 klwp_t *clwp = ttolwp(curthread);
1120 uint_t fm;
1121
1122 struct a {
1123 long fnamep; /* char * */
1124 long fmode;
1125 long cmode;
1126 } *uap = (struct a *)clwp->lwp_ap;
1127
1128 fm = (uint_t)uap->fmode;
1129
1130 /* If no write, create, or trunc modes, mark as a public op */
1131 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1132 tad->tad_ctrl |= TAD_PUBLIC_EV;
1133 }
1134
1135 /* ARGSUSED */
1136 static au_event_t
1137 aui_openat(au_event_t e)
1138 {
1139 t_audit_data_t *tad = T2A(curthread);
1140 klwp_t *clwp = ttolwp(curthread);
1141 uint_t fm;
1142
1143 struct a {
1144 long filedes;
1145 long fnamep; /* char * */
1146 long fmode;
1147 long cmode;
1148 } *uap = (struct a *)clwp->lwp_ap;
1149
1150 fm = (uint_t)uap->fmode;
1151
1152 /*
1153 * __openattrdirat() does an extra pathname lookup in order to
1154 * enter the extended system attribute namespace of the referenced
1155 * extended attribute filename.
1156 */
1157 if (fm & FXATTRDIROPEN)
1158 tad->tad_ctrl |= TAD_MLD;
1159
1160 return (open_event(fm));
1161 }
1162
1163 static void
1164 aus_openat(struct t_audit_data *tad)
1165 {
1166 klwp_t *clwp = ttolwp(curthread);
1167 uint_t fm;
1168
1169 struct a {
1170 long filedes;
1171 long fnamep; /* char * */
1172 long fmode;
1173 long cmode;
1174 } *uap = (struct a *)clwp->lwp_ap;
1175
1176 fm = (uint_t)uap->fmode;
1177
1178 /* If no write, create, or trunc modes, mark as a public op */
1179 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1180 tad->tad_ctrl |= TAD_PUBLIC_EV;
1181 }
1182
1183 static au_event_t
1184 aui_unlinkat(au_event_t e)
1185 {
1186 klwp_t *clwp = ttolwp(curthread);
1187
1188 struct a {
1189 long filedes;
1190 long fnamep; /* char * */
1191 long flags;
1192 } *uap = (struct a *)clwp->lwp_ap;
1193
1194 if (uap->flags & AT_REMOVEDIR)
1195 e = AUE_RMDIR;
1196 else
1197 e = AUE_UNLINK;
1198
1199 return (e);
1200 }
1201
1202 static au_event_t
1203 aui_fstatat(au_event_t e)
1204 {
1205 klwp_t *clwp = ttolwp(curthread);
1206
1207 struct a {
1208 long filedes;
1209 long fnamep; /* char * */
1210 long statb;
1211 long flags;
1212 } *uap = (struct a *)clwp->lwp_ap;
1213
1214 if (uap->fnamep == NULL)
1215 e = AUE_FSTAT;
1216 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1217 e = AUE_LSTAT;
1218 else
1219 e = AUE_STAT;
1220
1221 return (e);
1222 }
1223
1224 /* msgsys */
1225 static au_event_t
1226 aui_msgsys(au_event_t e)
1227 {
1228 klwp_t *clwp = ttolwp(curthread);
1229 uint_t fm;
1230
1231 struct a {
1232 long id; /* function code id */
1233 long ap; /* arg pointer for recvmsg */
1234 } *uap = (struct a *)clwp->lwp_ap;
1235
1236 struct b {
1237 long msgid;
1238 long cmd;
1239 long buf; /* struct msqid_ds * */
1240 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1241
1242 fm = (uint_t)uap->id;
1243
1244 switch (fm) {
1245 case 0: /* msgget */
1246 e = AUE_MSGGET;
1247 break;
1248 case 1: /* msgctl */
1249 switch ((uint_t)uap1->cmd) {
1250 case IPC_RMID:
1251 e = AUE_MSGCTL_RMID;
1252 break;
1253 case IPC_SET:
1254 e = AUE_MSGCTL_SET;
1255 break;
1256 case IPC_STAT:
1257 e = AUE_MSGCTL_STAT;
1258 break;
1259 default:
1260 e = AUE_MSGCTL;
1261 break;
1262 }
1263 break;
1264 case 2: /* msgrcv */
1265 e = AUE_MSGRCV;
1266 break;
1267 case 3: /* msgsnd */
1268 e = AUE_MSGSND;
1269 break;
1270 default: /* illegal system call */
1271 e = AUE_NULL;
1272 break;
1273 }
1274
1275 return (e);
1276 }
1277
1278
1279 /* shmsys */
1280 static au_event_t
1281 aui_shmsys(au_event_t e)
1282 {
1283 klwp_t *clwp = ttolwp(curthread);
1284 int fm;
1285
1286 struct a { /* shmsys */
1287 long id; /* function code id */
1288 } *uap = (struct a *)clwp->lwp_ap;
1289
1290 struct b { /* ctrl */
1291 long shmid;
1292 long cmd;
1293 long arg; /* struct shmid_ds * */
1294 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1295 fm = (uint_t)uap->id;
1296
1297 switch (fm) {
1298 case 0: /* shmat */
1299 e = AUE_SHMAT;
1300 break;
1301 case 1: /* shmctl */
1302 switch ((uint_t)uap1->cmd) {
1303 case IPC_RMID:
1304 e = AUE_SHMCTL_RMID;
1305 break;
1306 case IPC_SET:
1307 e = AUE_SHMCTL_SET;
1308 break;
1309 case IPC_STAT:
1310 e = AUE_SHMCTL_STAT;
1311 break;
1312 default:
1313 e = AUE_SHMCTL;
1314 break;
1315 }
1316 break;
1317 case 2: /* shmdt */
1318 e = AUE_SHMDT;
1319 break;
1320 case 3: /* shmget */
1321 e = AUE_SHMGET;
1322 break;
1323 default: /* illegal system call */
1324 e = AUE_NULL;
1325 break;
1326 }
1327
1328 return (e);
1329 }
1330
1331
1332 /* semsys */
1333 static au_event_t
1334 aui_semsys(au_event_t e)
1335 {
1336 klwp_t *clwp = ttolwp(curthread);
1337 uint_t fm;
1338
1339 struct a { /* semsys */
1340 long id;
1341 } *uap = (struct a *)clwp->lwp_ap;
1342
1343 struct b { /* ctrl */
1344 long semid;
1345 long semnum;
1346 long cmd;
1347 long arg;
1348 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1349
1350 fm = (uint_t)uap->id;
1351
1352 switch (fm) {
1353 case 0: /* semctl */
1354 switch ((uint_t)uap1->cmd) {
1355 case IPC_RMID:
1356 e = AUE_SEMCTL_RMID;
1357 break;
1358 case IPC_SET:
1359 e = AUE_SEMCTL_SET;
1360 break;
1361 case IPC_STAT:
1362 e = AUE_SEMCTL_STAT;
1363 break;
1364 case GETNCNT:
1365 e = AUE_SEMCTL_GETNCNT;
1366 break;
1367 case GETPID:
1368 e = AUE_SEMCTL_GETPID;
1369 break;
1370 case GETVAL:
1371 e = AUE_SEMCTL_GETVAL;
1372 break;
1373 case GETALL:
1374 e = AUE_SEMCTL_GETALL;
1375 break;
1376 case GETZCNT:
1377 e = AUE_SEMCTL_GETZCNT;
1378 break;
1379 case SETVAL:
1380 e = AUE_SEMCTL_SETVAL;
1381 break;
1382 case SETALL:
1383 e = AUE_SEMCTL_SETALL;
1384 break;
1385 default:
1386 e = AUE_SEMCTL;
1387 break;
1388 }
1389 break;
1390 case 1: /* semget */
1391 e = AUE_SEMGET;
1392 break;
1393 case 2: /* semop */
1394 e = AUE_SEMOP;
1395 break;
1396 default: /* illegal system call */
1397 e = AUE_NULL;
1398 break;
1399 }
1400
1401 return (e);
1402 }
1403
1404 /* utssys - uname(2), ustat(2), fusers(2) */
1405 static au_event_t
1406 aui_utssys(au_event_t e)
1407 {
1408 klwp_t *clwp = ttolwp(curthread);
1409 uint_t type;
1410
1411 struct a {
1412 union {
1413 long cbuf; /* char * */
1414 long ubuf; /* struct stat * */
1415 } ub;
1416 union {
1417 long mv; /* for USTAT */
1418 long flags; /* for FUSERS */
1419 } un;
1420 long type;
1421 long outbp; /* char * for FUSERS */
1422 } *uap = (struct a *)clwp->lwp_ap;
1423
1424 type = (uint_t)uap->type;
1425
1426 if (type == UTS_FUSERS)
1427 return (e);
1428 else
1429 return ((au_event_t)AUE_NULL);
1430 }
1431
1432 static au_event_t
1433 aui_fcntl(au_event_t e)
1434 {
1435 klwp_t *clwp = ttolwp(curthread);
1436 uint_t cmd;
1437
1438 struct a {
1439 long fdes;
1440 long cmd;
1441 long arg;
1442 } *uap = (struct a *)clwp->lwp_ap;
1443
1444 cmd = (uint_t)uap->cmd;
1445
1446 switch (cmd) {
1447 case F_GETLK:
1448 case F_SETLK:
1449 case F_SETLKW:
1450 break;
1451 case F_SETFL:
1452 case F_GETFL:
1453 case F_GETFD:
1454 break;
1455 default:
1456 e = (au_event_t)AUE_NULL;
1457 break;
1458 }
1459 return ((au_event_t)e);
1460 }
1461
1462 /* null function for now */
1463 static au_event_t
1464 aui_execve(au_event_t e)
1465 {
1466 return (e);
1467 }
1468
1469 /*ARGSUSED*/
1470 static void
1471 aus_fcntl(struct t_audit_data *tad)
1472 {
1473 klwp_t *clwp = ttolwp(curthread);
1474 uint32_t cmd, fd, flags;
1475 struct file *fp;
1476 struct vnode *vp;
1477 struct f_audit_data *fad;
1478
1479 struct a {
1480 long fd;
1481 long cmd;
1482 long arg;
1483 } *uap = (struct a *)clwp->lwp_ap;
1484
1485 cmd = (uint32_t)uap->cmd;
1486 fd = (uint32_t)uap->fd;
1487 flags = (uint32_t)uap->arg;
1488
1489 au_uwrite(au_to_arg32(2, "cmd", cmd));
1490
1491 if (cmd == F_SETFL)
1492 au_uwrite(au_to_arg32(3, "flags", flags));
1493
1494 /*
1495 * convert file pointer to file descriptor
1496 * Note: fd ref count incremented here.
1497 */
1498 if ((fp = getf(fd)) == NULL)
1499 return;
1500
1501 /* get path from file struct here */
1502 fad = F2A(fp);
1503 if (fad->fad_aupath != NULL) {
1504 au_uwrite(au_to_path(fad->fad_aupath));
1505 } else {
1506 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1507 }
1508
1509 vp = fp->f_vnode;
1510 audit_attributes(vp);
1511
1512 /* decrement file descriptor reference count */
1513 releasef(fd);
1514 }
1515
1516 /*ARGSUSED*/
1517 static void
1518 aus_kill(struct t_audit_data *tad)
1519 {
1520 klwp_t *clwp = ttolwp(curthread);
1521 struct proc *p;
1522 uint32_t signo;
1523 uid_t uid, ruid;
1524 gid_t gid, rgid;
1525 pid_t pid;
1526 const auditinfo_addr_t *ainfo;
1527 cred_t *cr;
1528
1529 struct a {
1530 long pid;
1531 long signo;
1532 } *uap = (struct a *)clwp->lwp_ap;
1533
1534 pid = (pid_t)uap->pid;
1535 signo = (uint32_t)uap->signo;
1536
1537 au_uwrite(au_to_arg32(2, "signal", signo));
1538 if (pid > 0) {
1539 mutex_enter(&pidlock);
1540 if (((p = prfind(pid)) == (struct proc *)0) ||
1541 (p->p_stat == SIDL)) {
1542 mutex_exit(&pidlock);
1543 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1544 return;
1545 }
1546 mutex_enter(&p->p_lock); /* so process doesn't go away */
1547 mutex_exit(&pidlock);
1548
1549 mutex_enter(&p->p_crlock);
1550 crhold(cr = p->p_cred);
1551 mutex_exit(&p->p_crlock);
1552 mutex_exit(&p->p_lock);
1553
1554 ainfo = crgetauinfo(cr);
1555 if (ainfo == NULL) {
1556 crfree(cr);
1557 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1558 return;
1559 }
1560
1561 uid = crgetuid(cr);
1562 gid = crgetgid(cr);
1563 ruid = crgetruid(cr);
1564 rgid = crgetrgid(cr);
1565 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1566 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1567
1568 if (is_system_labeled())
1569 au_uwrite(au_to_label(CR_SL(cr)));
1570
1571 crfree(cr);
1572 }
1573 else
1574 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1575 }
1576
1577 /*ARGSUSED*/
1578 static void
1579 aus_mkdir(struct t_audit_data *tad)
1580 {
1581 klwp_t *clwp = ttolwp(curthread);
1582 uint32_t dmode;
1583
1584 struct a {
1585 long dirnamep; /* char * */
1586 long dmode;
1587 } *uap = (struct a *)clwp->lwp_ap;
1588
1589 dmode = (uint32_t)uap->dmode;
1590
1591 au_uwrite(au_to_arg32(2, "mode", dmode));
1592 }
1593
1594 /*ARGSUSED*/
1595 static void
1596 aus_mkdirat(struct t_audit_data *tad)
1597 {
1598 klwp_t *clwp = ttolwp(curthread);
1599 uint32_t dmode;
1600
1601 struct a {
1602 long fd;
1603 long dirnamep; /* char * */
1604 long dmode;
1605 } *uap = (struct a *)clwp->lwp_ap;
1606
1607 dmode = (uint32_t)uap->dmode;
1608
1609 au_uwrite(au_to_arg32(2, "mode", dmode));
1610 }
1611
1612 /*ARGSUSED*/
1613 static void
1614 aus_mknod(struct t_audit_data *tad)
1615 {
1616 klwp_t *clwp = ttolwp(curthread);
1617 uint32_t fmode;
1618 dev_t dev;
1619
1620 struct a {
1621 long pnamep; /* char * */
1622 long fmode;
1623 long dev;
1624 } *uap = (struct a *)clwp->lwp_ap;
1625
1626 fmode = (uint32_t)uap->fmode;
1627 dev = (dev_t)uap->dev;
1628
1629 au_uwrite(au_to_arg32(2, "mode", fmode));
1630 #ifdef _LP64
1631 au_uwrite(au_to_arg64(3, "dev", dev));
1632 #else
1633 au_uwrite(au_to_arg32(3, "dev", dev));
1634 #endif
1635 }
1636
1637 /*ARGSUSED*/
1638 static void
1639 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1640 {
1641 klwp_t *clwp = ttolwp(curthread);
1642 vnode_t *dvp;
1643 caddr_t pnamep;
1644
1645 struct a {
1646 long pnamep; /* char * */
1647 long fmode;
1648 long dev;
1649 } *uap = (struct a *)clwp->lwp_ap;
1650
1651 /* no error, then already path token in audit record */
1652 if (error != EPERM && error != EINVAL)
1653 return;
1654
1655 /* do the lookup to force generation of path token */
1656 pnamep = (caddr_t)uap->pnamep;
1657 tad->tad_ctrl |= TAD_NOATTRB;
1658 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1659 if (error == 0)
1660 VN_RELE(dvp);
1661 }
1662
1663 /*ARGSUSED*/
1664 static void
1665 aus_mknodat(struct t_audit_data *tad)
1666 {
1667 klwp_t *clwp = ttolwp(curthread);
1668 uint32_t fmode;
1669 dev_t dev;
1670
1671 struct a {
1672 long fd;
1673 long pnamep; /* char * */
1674 long fmode;
1675 long dev;
1676 } *uap = (struct a *)clwp->lwp_ap;
1677
1678 fmode = (uint32_t)uap->fmode;
1679 dev = (dev_t)uap->dev;
1680
1681 au_uwrite(au_to_arg32(2, "mode", fmode));
1682 #ifdef _LP64
1683 au_uwrite(au_to_arg64(3, "dev", dev));
1684 #else
1685 au_uwrite(au_to_arg32(3, "dev", dev));
1686 #endif
1687 }
1688
1689 /*ARGSUSED*/
1690 static void
1691 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1692 {
1693 klwp_t *clwp = ttolwp(curthread);
1694 vnode_t *startvp;
1695 vnode_t *dvp;
1696 caddr_t pnamep;
1697 int fd;
1698
1699 struct a {
1700 long fd;
1701 long pnamep; /* char * */
1702 long fmode;
1703 long dev;
1704 } *uap = (struct a *)clwp->lwp_ap;
1705
1706 /* no error, then already path token in audit record */
1707 if (error != EPERM && error != EINVAL)
1708 return;
1709
1710 /* do the lookup to force generation of path token */
1711 fd = (int)uap->fd;
1712 pnamep = (caddr_t)uap->pnamep;
1713 if (pnamep == NULL ||
1714 fgetstartvp(fd, pnamep, &startvp) != 0)
1715 return;
1716 tad->tad_ctrl |= TAD_NOATTRB;
1717 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1718 startvp);
1719 if (error == 0)
1720 VN_RELE(dvp);
1721 if (startvp != NULL)
1722 VN_RELE(startvp);
1723 }
1724
1725 /*ARGSUSED*/
1726 static void
1727 aus_mount(struct t_audit_data *tad)
1728 { /* AUS_START */
1729 klwp_t *clwp = ttolwp(curthread);
1730 uint32_t flags;
1731 uintptr_t u_fstype, dataptr;
1732 STRUCT_DECL(nfs_args, nfsargs);
1733 size_t len;
1734 char *fstype, *hostname;
1735
1736 struct a {
1737 long spec; /* char * */
1738 long dir; /* char * */
1739 long flags;
1740 long fstype; /* char * */
1741 long dataptr; /* char * */
1742 long datalen;
1743 } *uap = (struct a *)clwp->lwp_ap;
1744
1745 u_fstype = (uintptr_t)uap->fstype;
1746 flags = (uint32_t)uap->flags;
1747 dataptr = (uintptr_t)uap->dataptr;
1748
1749 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1750 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1751 goto mount_free_fstype;
1752
1753 au_uwrite(au_to_arg32(3, "flags", flags));
1754 au_uwrite(au_to_text(fstype));
1755
1756 if (strncmp(fstype, "nfs", 3) == 0) {
1757
1758 STRUCT_INIT(nfsargs, get_udatamodel());
1759 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1760
1761 if (copyin((caddr_t)dataptr,
1762 STRUCT_BUF(nfsargs),
1763 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1764 /* DEBUG debug_enter((char *)NULL); */
1765 goto mount_free_fstype;
1766 }
1767 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1768 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1769 (caddr_t)hostname,
1770 MAXNAMELEN, &len)) {
1771 goto mount_free_hostname;
1772 }
1773 au_uwrite(au_to_text(hostname));
1774 au_uwrite(au_to_arg32(3, "internal flags",
1775 (uint_t)STRUCT_FGET(nfsargs, flags)));
1776
1777 mount_free_hostname:
1778 kmem_free(hostname, MAXNAMELEN);
1779 }
1780
1781 mount_free_fstype:
1782 kmem_free(fstype, MAXNAMELEN);
1783 } /* AUS_MOUNT */
1784
1785 static void
1786 aus_umount_path(caddr_t umount_dir)
1787 {
1788 char *dir_path;
1789 struct audit_path *path;
1790 size_t path_len, dir_len;
1791
1792 /* length alloc'd for two string pointers */
1793 path_len = sizeof (struct audit_path) + sizeof (char *);
1794 path = kmem_alloc(path_len, KM_SLEEP);
1795 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1796
1797 if (copyinstr(umount_dir, (caddr_t)dir_path,
1798 MAXPATHLEN, &dir_len))
1799 goto umount2_free_dir;
1800
1801 /*
1802 * the audit_path struct assumes that the buffer pointed to
1803 * by audp_sect[n] contains string 0 immediatedly followed
1804 * by string 1.
1805 */
1806 path->audp_sect[0] = dir_path;
1807 path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1808 path->audp_size = path_len;
1809 path->audp_ref = 1; /* not used */
1810 path->audp_cnt = 1; /* one path string */
1811
1812 au_uwrite(au_to_path(path));
1813
1814 umount2_free_dir:
1815 kmem_free(dir_path, MAXPATHLEN);
1816 kmem_free(path, path_len);
1817 }
1818
1819 /*ARGSUSED*/
1820 static void
1821 aus_umount2(struct t_audit_data *tad)
1822 {
1823 klwp_t *clwp = ttolwp(curthread);
1824 struct a {
1825 long dir; /* char * */
1826 long flags;
1827 } *uap = (struct a *)clwp->lwp_ap;
1828
1829 aus_umount_path((caddr_t)uap->dir);
1830
1831 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1832 }
1833
1834 static void
1835 aus_msgsys(struct t_audit_data *tad)
1836 {
1837 klwp_t *clwp = ttolwp(curthread);
1838 uint32_t msgid;
1839
1840 struct b {
1841 long msgid;
1842 long cmd;
1843 long buf; /* struct msqid_ds * */
1844 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1845
1846 msgid = (uint32_t)uap1->msgid;
1847
1848
1849 switch (tad->tad_event) {
1850 case AUE_MSGGET: /* msgget */
1851 au_uwrite(au_to_arg32(1, "msg key", msgid));
1852 break;
1853 case AUE_MSGCTL: /* msgctl */
1854 case AUE_MSGCTL_RMID: /* msgctl */
1855 case AUE_MSGCTL_SET: /* msgctl */
1856 case AUE_MSGCTL_STAT: /* msgctl */
1857 case AUE_MSGRCV: /* msgrcv */
1858 case AUE_MSGSND: /* msgsnd */
1859 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1860 break;
1861 }
1862 }
1863
1864 /*ARGSUSED*/
1865 static void
1866 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1867 {
1868 int id;
1869
1870 if (error != 0)
1871 return;
1872 if (tad->tad_event == AUE_MSGGET) {
1873 uint32_t scid;
1874 uint32_t sy_flags;
1875
1876 /* need to determine type of executing binary */
1877 scid = tad->tad_scid;
1878 #ifdef _SYSCALL32_IMPL
1879 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1880 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1881 else
1882 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1883 #else
1884 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1885 #endif
1886 if (sy_flags == SE_32RVAL1)
1887 id = rval->r_val1;
1888 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1889 id = rval->r_val1;
1890 if (sy_flags == SE_64RVAL)
1891 id = (int)rval->r_vals;
1892
1893 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1894 }
1895 }
1896
1897 static void
1898 aus_semsys(struct t_audit_data *tad)
1899 {
1900 klwp_t *clwp = ttolwp(curthread);
1901 uint32_t semid;
1902
1903 struct b { /* ctrl */
1904 long semid;
1905 long semnum;
1906 long cmd;
1907 long arg;
1908 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1909
1910 semid = (uint32_t)uap1->semid;
1911
1912 switch (tad->tad_event) {
1913 case AUE_SEMCTL_RMID:
1914 case AUE_SEMCTL_STAT:
1915 case AUE_SEMCTL_GETNCNT:
1916 case AUE_SEMCTL_GETPID:
1917 case AUE_SEMCTL_GETVAL:
1918 case AUE_SEMCTL_GETALL:
1919 case AUE_SEMCTL_GETZCNT:
1920 case AUE_SEMCTL_SET:
1921 case AUE_SEMCTL_SETVAL:
1922 case AUE_SEMCTL_SETALL:
1923 case AUE_SEMCTL:
1924 case AUE_SEMOP:
1925 au_uwrite(au_to_arg32(1, "sem ID", semid));
1926 break;
1927 case AUE_SEMGET:
1928 au_uwrite(au_to_arg32(1, "sem key", semid));
1929 break;
1930 }
1931 }
1932
1933 /*ARGSUSED*/
1934 static void
1935 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1936 {
1937 int id;
1938
1939 if (error != 0)
1940 return;
1941 if (tad->tad_event == AUE_SEMGET) {
1942 uint32_t scid;
1943 uint32_t sy_flags;
1944
1945 /* need to determine type of executing binary */
1946 scid = tad->tad_scid;
1947 #ifdef _SYSCALL32_IMPL
1948 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1949 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1950 else
1951 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1952 #else
1953 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1954 #endif
1955 if (sy_flags == SE_32RVAL1)
1956 id = rval->r_val1;
1957 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1958 id = rval->r_val1;
1959 if (sy_flags == SE_64RVAL)
1960 id = (int)rval->r_vals;
1961
1962 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1963 }
1964 }
1965
1966 /*ARGSUSED*/
1967 static void
1968 aus_close(struct t_audit_data *tad)
1969 {
1970 klwp_t *clwp = ttolwp(curthread);
1971 uint32_t fd;
1972 struct file *fp;
1973 struct f_audit_data *fad;
1974 struct vnode *vp;
1975 struct vattr attr;
1976 au_kcontext_t *kctx = GET_KCTX_PZ;
1977
1978 struct a {
1979 long i;
1980 } *uap = (struct a *)clwp->lwp_ap;
1981
1982 fd = (uint32_t)uap->i;
1983
1984 attr.va_mask = 0;
1985 au_uwrite(au_to_arg32(1, "fd", fd));
1986
1987 /*
1988 * convert file pointer to file descriptor
1989 * Note: fd ref count incremented here.
1990 */
1991 if ((fp = getf(fd)) == NULL)
1992 return;
1993
1994 fad = F2A(fp);
1995 tad->tad_evmod = (au_emod_t)fad->fad_flags;
1996 if (fad->fad_aupath != NULL) {
1997 au_uwrite(au_to_path(fad->fad_aupath));
1998 if ((vp = fp->f_vnode) != NULL) {
1999 attr.va_mask = AT_ALL;
2000 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
2001 /*
2002 * When write was not used and the file can be
2003 * considered public, skip the audit.
2004 */
2005 if (((fp->f_flag & FWRITE) == 0) &&
2006 object_is_public(&attr)) {
2007 tad->tad_flag = 0;
2008 tad->tad_evmod = 0;
2009 /* free any residual audit data */
2010 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
2011 releasef(fd);
2012 return;
2013 }
2014 au_uwrite(au_to_attr(&attr));
2015 audit_sec_attributes(&(u_ad), vp);
2016 }
2017 }
2018 }
2019
2020 /* decrement file descriptor reference count */
2021 releasef(fd);
2022 }
2023
2024 /*ARGSUSED*/
2025 static void
2026 aus_fstatfs(struct t_audit_data *tad)
2027 {
2028 klwp_t *clwp = ttolwp(curthread);
2029 uint32_t fd;
2030 struct file *fp;
2031 struct vnode *vp;
2032 struct f_audit_data *fad;
2033
2034 struct a {
2035 long fd;
2036 long buf; /* struct statfs * */
2037 } *uap = (struct a *)clwp->lwp_ap;
2038
2039 fd = (uint_t)uap->fd;
2040
2041 /*
2042 * convert file pointer to file descriptor
2043 * Note: fd ref count incremented here.
2044 */
2045 if ((fp = getf(fd)) == NULL)
2046 return;
2047
2048 /* get path from file struct here */
2049 fad = F2A(fp);
2050 if (fad->fad_aupath != NULL) {
2051 au_uwrite(au_to_path(fad->fad_aupath));
2052 } else {
2053 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2054 }
2055
2056 vp = fp->f_vnode;
2057 audit_attributes(vp);
2058
2059 /* decrement file descriptor reference count */
2060 releasef(fd);
2061 }
2062
2063 static au_event_t
2064 aui_setpgrp(au_event_t e)
2065 {
2066 klwp_t *clwp = ttolwp(curthread);
2067 int flag;
2068
2069 struct a {
2070 long flag;
2071 long pid;
2072 long pgid;
2073 } *uap = (struct a *)clwp->lwp_ap;
2074
2075 flag = (int)uap->flag;
2076
2077
2078 switch (flag) {
2079
2080 case 1: /* setpgrp() */
2081 e = AUE_SETPGRP;
2082 break;
2083
2084 case 3: /* setsid() */
2085 e = AUE_SETSID;
2086 break;
2087
2088 case 5: /* setpgid() */
2089 e = AUE_SETPGID;
2090 break;
2091
2092 case 0: /* getpgrp() - not security relevant */
2093 case 2: /* getsid() - not security relevant */
2094 case 4: /* getpgid() - not security relevant */
2095 e = AUE_NULL;
2096 break;
2097
2098 default:
2099 e = AUE_NULL;
2100 break;
2101 }
2102
2103 return (e);
2104 }
2105
2106 /*ARGSUSED*/
2107 static void
2108 aus_setpgrp(struct t_audit_data *tad)
2109 {
2110 klwp_t *clwp = ttolwp(curthread);
2111 pid_t pgid;
2112 struct proc *p;
2113 uid_t uid, ruid;
2114 gid_t gid, rgid;
2115 pid_t pid;
2116 cred_t *cr;
2117 int flag;
2118 const auditinfo_addr_t *ainfo;
2119
2120 struct a {
2121 long flag;
2122 long pid;
2123 long pgid;
2124 } *uap = (struct a *)clwp->lwp_ap;
2125
2126 flag = (int)uap->flag;
2127 pid = (pid_t)uap->pid;
2128 pgid = (pid_t)uap->pgid;
2129
2130
2131 switch (flag) {
2132
2133 case 0: /* getpgrp() */
2134 case 1: /* setpgrp() */
2135 case 2: /* getsid() */
2136 case 3: /* setsid() */
2137 case 4: /* getpgid() */
2138 break;
2139
2140 case 5: /* setpgid() */
2141
2142 /* current process? */
2143 if (pid == 0) {
2144 return;
2145 }
2146
2147 mutex_enter(&pidlock);
2148 p = prfind(pid);
2149 if (p == NULL || p->p_as == &kas ||
2150 p->p_stat == SIDL || p->p_stat == SZOMB) {
2151 mutex_exit(&pidlock);
2152 return;
2153 }
2154 mutex_enter(&p->p_lock); /* so process doesn't go away */
2155 mutex_exit(&pidlock);
2156
2157 mutex_enter(&p->p_crlock);
2158 crhold(cr = p->p_cred);
2159 mutex_exit(&p->p_crlock);
2160 mutex_exit(&p->p_lock);
2161
2162 ainfo = crgetauinfo(cr);
2163 if (ainfo == NULL) {
2164 crfree(cr);
2165 return;
2166 }
2167
2168 uid = crgetuid(cr);
2169 gid = crgetgid(cr);
2170 ruid = crgetruid(cr);
2171 rgid = crgetrgid(cr);
2172 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2173 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2174 crfree(cr);
2175 au_uwrite(au_to_arg32(2, "pgid", pgid));
2176 break;
2177
2178 default:
2179 break;
2180 }
2181 }
2182
2183
2184 /*ARGSUSED*/
2185 static void
2186 aus_setregid(struct t_audit_data *tad)
2187 {
2188 klwp_t *clwp = ttolwp(curthread);
2189 uint32_t rgid, egid;
2190
2191 struct a {
2192 long rgid;
2193 long egid;
2194 } *uap = (struct a *)clwp->lwp_ap;
2195
2196 rgid = (uint32_t)uap->rgid;
2197 egid = (uint32_t)uap->egid;
2198
2199 au_uwrite(au_to_arg32(1, "rgid", rgid));
2200 au_uwrite(au_to_arg32(2, "egid", egid));
2201 }
2202
2203 /*ARGSUSED*/
2204 static void
2205 aus_setgid(struct t_audit_data *tad)
2206 {
2207 klwp_t *clwp = ttolwp(curthread);
2208 uint32_t gid;
2209
2210 struct a {
2211 long gid;
2212 } *uap = (struct a *)clwp->lwp_ap;
2213
2214 gid = (uint32_t)uap->gid;
2215
2216 au_uwrite(au_to_arg32(1, "gid", gid));
2217 }
2218
2219
2220 /*ARGSUSED*/
2221 static void
2222 aus_setreuid(struct t_audit_data *tad)
2223 {
2224 klwp_t *clwp = ttolwp(curthread);
2225 uint32_t ruid, euid;
2226
2227 struct a {
2228 long ruid;
2229 long euid;
2230 } *uap = (struct a *)clwp->lwp_ap;
2231
2232 ruid = (uint32_t)uap->ruid;
2233 euid = (uint32_t)uap->euid;
2234
2235 au_uwrite(au_to_arg32(1, "ruid", ruid));
2236 au_uwrite(au_to_arg32(2, "euid", euid));
2237 }
2238
2239
2240 /*ARGSUSED*/
2241 static void
2242 aus_setuid(struct t_audit_data *tad)
2243 {
2244 klwp_t *clwp = ttolwp(curthread);
2245 uint32_t uid;
2246
2247 struct a {
2248 long uid;
2249 } *uap = (struct a *)clwp->lwp_ap;
2250
2251 uid = (uint32_t)uap->uid;
2252
2253 au_uwrite(au_to_arg32(1, "uid", uid));
2254 }
2255
2256 /*ARGSUSED*/
2257 static void
2258 aus_shmsys(struct t_audit_data *tad)
2259 {
2260 klwp_t *clwp = ttolwp(curthread);
2261 uint32_t id, cmd;
2262
2263 struct b {
2264 long id;
2265 long cmd;
2266 long buf; /* struct shmid_ds * */
2267 } *uap1 = (struct b *)&clwp->lwp_ap[1];
2268
2269 id = (uint32_t)uap1->id;
2270 cmd = (uint32_t)uap1->cmd;
2271
2272 switch (tad->tad_event) {
2273 case AUE_SHMGET: /* shmget */
2274 au_uwrite(au_to_arg32(1, "shm key", id));
2275 break;
2276 case AUE_SHMCTL: /* shmctl */
2277 case AUE_SHMCTL_RMID: /* shmctl */
2278 case AUE_SHMCTL_STAT: /* shmctl */
2279 case AUE_SHMCTL_SET: /* shmctl */
2280 au_uwrite(au_to_arg32(1, "shm ID", id));
2281 break;
2282 case AUE_SHMDT: /* shmdt */
2283 au_uwrite(au_to_arg32(1, "shm adr", id));
2284 break;
2285 case AUE_SHMAT: /* shmat */
2286 au_uwrite(au_to_arg32(1, "shm ID", id));
2287 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2288 break;
2289 }
2290 }
2291
2292 /*ARGSUSED*/
2293 static void
2294 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2295 {
2296 int id;
2297
2298 if (error != 0)
2299 return;
2300 if (tad->tad_event == AUE_SHMGET) {
2301 uint32_t scid;
2302 uint32_t sy_flags;
2303
2304 /* need to determine type of executing binary */
2305 scid = tad->tad_scid;
2306 #ifdef _SYSCALL32_IMPL
2307 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2308 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2309 else
2310 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2311 #else
2312 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2313 #endif
2314 if (sy_flags == SE_32RVAL1)
2315 id = rval->r_val1;
2316 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2317 id = rval->r_val1;
2318 if (sy_flags == SE_64RVAL)
2319 id = (int)rval->r_vals;
2320 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2321 }
2322 }
2323
2324
2325 /*ARGSUSED*/
2326 static void
2327 aus_ioctl(struct t_audit_data *tad)
2328 {
2329 klwp_t *clwp = ttolwp(curthread);
2330 struct file *fp;
2331 struct vnode *vp;
2332 struct f_audit_data *fad;
2333 uint32_t fd, cmd;
2334 uintptr_t cmarg;
2335
2336 /* XX64 */
2337 struct a {
2338 long fd;
2339 long cmd;
2340 long cmarg; /* caddr_t */
2341 } *uap = (struct a *)clwp->lwp_ap;
2342
2343 fd = (uint32_t)uap->fd;
2344 cmd = (uint32_t)uap->cmd;
2345 cmarg = (uintptr_t)uap->cmarg;
2346
2347 /*
2348 * convert file pointer to file descriptor
2349 * Note: fd ref count incremented here.
2350 */
2351 if ((fp = getf(fd)) == NULL) {
2352 au_uwrite(au_to_arg32(1, "fd", fd));
2353 au_uwrite(au_to_arg32(2, "cmd", cmd));
2354 #ifndef _LP64
2355 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2356 #else
2357 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2358 #endif
2359 return;
2360 }
2361
2362 /* get path from file struct here */
2363 fad = F2A(fp);
2364 if (fad->fad_aupath != NULL) {
2365 au_uwrite(au_to_path(fad->fad_aupath));
2366 } else {
2367 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2368 }
2369
2370 vp = fp->f_vnode;
2371 audit_attributes(vp);
2372
2373 /* decrement file descriptor reference count */
2374 releasef(fd);
2375
2376 au_uwrite(au_to_arg32(2, "cmd", cmd));
2377 #ifndef _LP64
2378 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2379 #else
2380 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2381 #endif
2382 }
2383
2384 /*
2385 * null function for memcntl for now. We might want to limit memcntl()
2386 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2387 * require privileges.
2388 */
2389 static au_event_t
2390 aui_memcntl(au_event_t e)
2391 {
2392 return (e);
2393 }
2394
2395 /*ARGSUSED*/
2396 static au_event_t
2397 aui_privsys(au_event_t e)
2398 {
2399 klwp_t *clwp = ttolwp(curthread);
2400
2401 struct a {
2402 long opcode;
2403 } *uap = (struct a *)clwp->lwp_ap;
2404
2405 switch (uap->opcode) {
2406 case PRIVSYS_SETPPRIV:
2407 return (AUE_SETPPRIV);
2408 default:
2409 return (AUE_NULL);
2410 }
2411 }
2412
2413 /*ARGSUSED*/
2414 static void
2415 aus_memcntl(struct t_audit_data *tad)
2416 {
2417 klwp_t *clwp = ttolwp(curthread);
2418
2419 struct a {
2420 long addr;
2421 long len;
2422 long cmd;
2423 long arg;
2424 long attr;
2425 long mask;
2426 } *uap = (struct a *)clwp->lwp_ap;
2427
2428 #ifdef _LP64
2429 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2430 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2431 #else
2432 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2433 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2434 #endif
2435 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2436 #ifdef _LP64
2437 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2438 #else
2439 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2440 #endif
2441 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2442 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2443 }
2444
2445 /*ARGSUSED*/
2446 static void
2447 aus_mmap(struct t_audit_data *tad)
2448 {
2449 klwp_t *clwp = ttolwp(curthread);
2450 struct file *fp;
2451 struct f_audit_data *fad;
2452 struct vnode *vp;
2453 uint32_t fd;
2454
2455 struct a {
2456 long addr;
2457 long len;
2458 long prot;
2459 long flags;
2460 long fd;
2461 long pos;
2462 } *uap = (struct a *)clwp->lwp_ap;
2463
2464 fd = (uint32_t)uap->fd;
2465
2466 #ifdef _LP64
2467 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2468 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2469 #else
2470 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2471 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2472 #endif
2473
2474 if ((fp = getf(fd)) == NULL) {
2475 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2476 return;
2477 }
2478
2479 /*
2480 * Mark in the tad if write access is NOT requested... if
2481 * this is later detected (in audit_attributes) to be a
2482 * public object, the mmap event may be discarded.
2483 */
2484 if (((uap->prot) & PROT_WRITE) == 0) {
2485 tad->tad_ctrl |= TAD_PUBLIC_EV;
2486 }
2487
2488 fad = F2A(fp);
2489 if (fad->fad_aupath != NULL) {
2490 au_uwrite(au_to_path(fad->fad_aupath));
2491 } else {
2492 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2493 }
2494
2495 vp = (struct vnode *)fp->f_vnode;
2496 audit_attributes(vp);
2497
2498 /* mark READ/WRITE since we can't predict access */
2499 if (uap->prot & PROT_READ)
2500 fad->fad_flags |= FAD_READ;
2501 if (uap->prot & PROT_WRITE)
2502 fad->fad_flags |= FAD_WRITE;
2503
2504 /* decrement file descriptor reference count */
2505 releasef(fd);
2506
2507 } /* AUS_MMAP */
2508
2509
2510
2511
2512 /*ARGSUSED*/
2513 static void
2514 aus_munmap(struct t_audit_data *tad)
2515 {
2516 klwp_t *clwp = ttolwp(curthread);
2517
2518 struct a {
2519 long addr;
2520 long len;
2521 } *uap = (struct a *)clwp->lwp_ap;
2522
2523 #ifdef _LP64
2524 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2525 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2526 #else
2527 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2528 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2529 #endif
2530
2531 } /* AUS_MUNMAP */
2532
2533
2534
2535
2536
2537
2538
2539 /*ARGSUSED*/
2540 static void
2541 aus_priocntlsys(struct t_audit_data *tad)
2542 {
2543 klwp_t *clwp = ttolwp(curthread);
2544
2545 struct a {
2546 long pc_version;
2547 long psp; /* procset_t */
2548 long cmd;
2549 long arg;
2550 } *uap = (struct a *)clwp->lwp_ap;
2551
2552 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2553 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2554
2555 } /* AUS_PRIOCNTLSYS */
2556
2557
2558 /*ARGSUSED*/
2559 static void
2560 aus_setegid(struct t_audit_data *tad)
2561 {
2562 klwp_t *clwp = ttolwp(curthread);
2563 uint32_t gid;
2564
2565 struct a {
2566 long gid;
2567 } *uap = (struct a *)clwp->lwp_ap;
2568
2569 gid = (uint32_t)uap->gid;
2570
2571 au_uwrite(au_to_arg32(1, "gid", gid));
2572 } /* AUS_SETEGID */
2573
2574
2575
2576
2577 /*ARGSUSED*/
2578 static void
2579 aus_setgroups(struct t_audit_data *tad)
2580 {
2581 klwp_t *clwp = ttolwp(curthread);
2582 int i;
2583 int gidsetsize;
2584 uintptr_t gidset;
2585 gid_t *gidlist;
2586
2587 struct a {
2588 long gidsetsize;
2589 long gidset;
2590 } *uap = (struct a *)clwp->lwp_ap;
2591
2592 gidsetsize = (uint_t)uap->gidsetsize;
2593 gidset = (uintptr_t)uap->gidset;
2594
2595 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2596 return;
2597 if (gidsetsize != 0) {
2598 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2599 KM_SLEEP);
2600 if (copyin((caddr_t)gidset, gidlist,
2601 gidsetsize * sizeof (gid_t)) == 0)
2602 for (i = 0; i < gidsetsize; i++)
2603 au_uwrite(au_to_arg32(1, "setgroups",
2604 (uint32_t)gidlist[i]));
2605 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2606 } else
2607 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2608
2609 } /* AUS_SETGROUPS */
2610
2611
2612
2613
2614
2615 /*ARGSUSED*/
2616 static void
2617 aus_seteuid(struct t_audit_data *tad)
2618 {
2619 klwp_t *clwp = ttolwp(curthread);
2620 uint32_t uid;
2621
2622 struct a {
2623 long uid;
2624 } *uap = (struct a *)clwp->lwp_ap;
2625
2626 uid = (uint32_t)uap->uid;
2627
2628 au_uwrite(au_to_arg32(1, "euid", uid));
2629
2630 } /* AUS_SETEUID */
2631
2632 /*ARGSUSED*/
2633 static void
2634 aus_putmsg(struct t_audit_data *tad)
2635 {
2636 klwp_t *clwp = ttolwp(curthread);
2637 uint32_t fd, pri;
2638 struct file *fp;
2639 struct f_audit_data *fad;
2640
2641 struct a {
2642 long fdes;
2643 long ctl; /* struct strbuf * */
2644 long data; /* struct strbuf * */
2645 long pri;
2646 } *uap = (struct a *)clwp->lwp_ap;
2647
2648 fd = (uint32_t)uap->fdes;
2649 pri = (uint32_t)uap->pri;
2650
2651 au_uwrite(au_to_arg32(1, "fd", fd));
2652
2653 if ((fp = getf(fd)) != NULL) {
2654 fad = F2A(fp);
2655
2656 fad->fad_flags |= FAD_WRITE;
2657
2658 /* add path name to audit record */
2659 if (fad->fad_aupath != NULL) {
2660 au_uwrite(au_to_path(fad->fad_aupath));
2661 }
2662 audit_attributes(fp->f_vnode);
2663
2664 releasef(fd);
2665 }
2666
2667 au_uwrite(au_to_arg32(4, "pri", pri));
2668 }
2669
2670 /*ARGSUSED*/
2671 static void
2672 aus_putpmsg(struct t_audit_data *tad)
2673 {
2674 klwp_t *clwp = ttolwp(curthread);
2675 uint32_t fd, pri, flags;
2676 struct file *fp;
2677 struct f_audit_data *fad;
2678
2679 struct a {
2680 long fdes;
2681 long ctl; /* struct strbuf * */
2682 long data; /* struct strbuf * */
2683 long pri;
2684 long flags;
2685 } *uap = (struct a *)clwp->lwp_ap;
2686
2687 fd = (uint32_t)uap->fdes;
2688 pri = (uint32_t)uap->pri;
2689 flags = (uint32_t)uap->flags;
2690
2691 au_uwrite(au_to_arg32(1, "fd", fd));
2692
2693 if ((fp = getf(fd)) != NULL) {
2694 fad = F2A(fp);
2695
2696 fad->fad_flags |= FAD_WRITE;
2697
2698 /* add path name to audit record */
2699 if (fad->fad_aupath != NULL) {
2700 au_uwrite(au_to_path(fad->fad_aupath));
2701 }
2702 audit_attributes(fp->f_vnode);
2703
2704 releasef(fd);
2705 }
2706
2707
2708 au_uwrite(au_to_arg32(4, "pri", pri));
2709 au_uwrite(au_to_arg32(5, "flags", flags));
2710 }
2711
2712 /*ARGSUSED*/
2713 static void
2714 aus_getmsg(struct t_audit_data *tad)
2715 {
2716 klwp_t *clwp = ttolwp(curthread);
2717 uint32_t fd, pri;
2718 struct file *fp;
2719 struct f_audit_data *fad;
2720
2721 struct a {
2722 long fdes;
2723 long ctl; /* struct strbuf * */
2724 long data; /* struct strbuf * */
2725 long pri;
2726 } *uap = (struct a *)clwp->lwp_ap;
2727
2728 fd = (uint32_t)uap->fdes;
2729 pri = (uint32_t)uap->pri;
2730
2731 au_uwrite(au_to_arg32(1, "fd", fd));
2732
2733 if ((fp = getf(fd)) != NULL) {
2734 fad = F2A(fp);
2735
2736 /*
2737 * read operation on this object
2738 */
2739 fad->fad_flags |= FAD_READ;
2740
2741 /* add path name to audit record */
2742 if (fad->fad_aupath != NULL) {
2743 au_uwrite(au_to_path(fad->fad_aupath));
2744 }
2745 audit_attributes(fp->f_vnode);
2746
2747 releasef(fd);
2748 }
2749
2750 au_uwrite(au_to_arg32(4, "pri", pri));
2751 }
2752
2753 /*ARGSUSED*/
2754 static void
2755 aus_getpmsg(struct t_audit_data *tad)
2756 {
2757 klwp_t *clwp = ttolwp(curthread);
2758 uint32_t fd;
2759 struct file *fp;
2760 struct f_audit_data *fad;
2761
2762 struct a {
2763 long fdes;
2764 long ctl; /* struct strbuf * */
2765 long data; /* struct strbuf * */
2766 long pri;
2767 long flags;
2768 } *uap = (struct a *)clwp->lwp_ap;
2769
2770 fd = (uint32_t)uap->fdes;
2771
2772 au_uwrite(au_to_arg32(1, "fd", fd));
2773
2774 if ((fp = getf(fd)) != NULL) {
2775 fad = F2A(fp);
2776
2777 /*
2778 * read operation on this object
2779 */
2780 fad->fad_flags |= FAD_READ;
2781
2782 /* add path name to audit record */
2783 if (fad->fad_aupath != NULL) {
2784 au_uwrite(au_to_path(fad->fad_aupath));
2785 }
2786 audit_attributes(fp->f_vnode);
2787
2788 releasef(fd);
2789 }
2790 }
2791
2792 static au_event_t
2793 aui_labelsys(au_event_t e)
2794 {
2795 klwp_t *clwp = ttolwp(curthread);
2796 uint32_t code;
2797 uint32_t cmd;
2798
2799 struct a {
2800 long code;
2801 long cmd;
2802 } *uap = (struct a *)clwp->lwp_ap;
2803
2804 code = (uint32_t)uap->code;
2805 cmd = (uint32_t)uap->cmd;
2806
2807 /* not security relevant if not changing kernel cache */
2808 if (cmd == TNDB_GET)
2809 return (AUE_NULL);
2810
2811 switch (code) {
2812 case TSOL_TNRH:
2813 e = AUE_LABELSYS_TNRH;
2814 break;
2815 case TSOL_TNRHTP:
2816 e = AUE_LABELSYS_TNRHTP;
2817 break;
2818 case TSOL_TNMLP:
2819 e = AUE_LABELSYS_TNMLP;
2820 break;
2821 default:
2822 e = AUE_NULL;
2823 break;
2824 }
2825
2826 return (e);
2827
2828 }
2829
2830 static void
2831 aus_labelsys(struct t_audit_data *tad)
2832 {
2833 klwp_t *clwp = ttolwp(curthread);
2834 uint32_t cmd;
2835 uintptr_t a2;
2836
2837 struct a {
2838 long code;
2839 long cmd;
2840 long a2;
2841 } *uap = (struct a *)clwp->lwp_ap;
2842
2843 cmd = (uint32_t)uap->cmd;
2844 a2 = (uintptr_t)uap->a2;
2845
2846 switch (tad->tad_event) {
2847 case AUE_LABELSYS_TNRH:
2848 {
2849 tsol_rhent_t *rhent;
2850 tnaddr_t *rh_addr;
2851
2852 au_uwrite(au_to_arg32(1, "cmd", cmd));
2853
2854 /* Remaining args don't apply for FLUSH, so skip */
2855 if (cmd == TNDB_FLUSH)
2856 break;
2857
2858 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2859 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2860 kmem_free(rhent, sizeof (tsol_rhent_t));
2861 return;
2862 }
2863
2864 rh_addr = &rhent->rh_address;
2865 if (rh_addr->ta_family == AF_INET) {
2866 struct in_addr *ipaddr;
2867
2868 ipaddr = &(rh_addr->ta_addr_v4);
2869 au_uwrite(au_to_in_addr(ipaddr));
2870 } else if (rh_addr->ta_family == AF_INET6) {
2871 int32_t *ipaddr;
2872
2873 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2874 au_uwrite(au_to_in_addr_ex(ipaddr));
2875 }
2876 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2877
2878 kmem_free(rhent, sizeof (tsol_rhent_t));
2879
2880 break;
2881 }
2882 case AUE_LABELSYS_TNRHTP:
2883 {
2884 tsol_tpent_t *tpent;
2885
2886 au_uwrite(au_to_arg32(1, "cmd", cmd));
2887
2888 /* Remaining args don't apply for FLUSH, so skip */
2889 if (cmd == TNDB_FLUSH)
2890 break;
2891
2892 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2893 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2894 kmem_free(tpent, sizeof (tsol_tpent_t));
2895 return;
2896 }
2897
2898 /* Make sure that the template name is null-terminated. */
2899 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2900
2901 au_uwrite(au_to_text(tpent->name));
2902 kmem_free(tpent, sizeof (tsol_tpent_t));
2903
2904 break;
2905 }
2906 case AUE_LABELSYS_TNMLP:
2907 {
2908 tsol_mlpent_t *mlpent;
2909
2910 au_uwrite(au_to_arg32(1, "cmd", cmd));
2911
2912 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2913 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2914 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2915 return;
2916 }
2917
2918 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2919 au_uwrite(au_to_text("shared"));
2920 } else {
2921 zone_t *zone;
2922
2923 zone = zone_find_by_id(mlpent->tsme_zoneid);
2924 if (zone != NULL) {
2925 au_uwrite(au_to_text(zone->zone_name));
2926 zone_rele(zone);
2927 }
2928 }
2929
2930 /* Remaining args don't apply for FLUSH, so skip */
2931 if (cmd == TNDB_FLUSH) {
2932 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2933 break;
2934 }
2935
2936 au_uwrite(au_to_arg32(2, "proto num",
2937 (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2938 au_uwrite(au_to_arg32(2, "mlp_port",
2939 (uint32_t)mlpent->tsme_mlp.mlp_port));
2940
2941 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2942 au_uwrite(au_to_arg32(2, "mlp_port_upper",
2943 (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2944
2945 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2946
2947 break;
2948 }
2949 default:
2950 break;
2951 }
2952 }
2953
2954
2955 static au_event_t
2956 aui_auditsys(au_event_t e)
2957 {
2958 klwp_t *clwp = ttolwp(curthread);
2959 uint32_t code;
2960
2961 struct a {
2962 long code;
2963 long a1;
2964 long a2;
2965 long a3;
2966 long a4;
2967 long a5;
2968 long a6;
2969 long a7;
2970 } *uap = (struct a *)clwp->lwp_ap;
2971
2972 code = (uint32_t)uap->code;
2973
2974 switch (code) {
2975
2976 case BSM_GETAUID:
2977 e = AUE_GETAUID;
2978 break;
2979 case BSM_SETAUID:
2980 e = AUE_SETAUID;
2981 break;
2982 case BSM_GETAUDIT:
2983 e = AUE_GETAUDIT;
2984 break;
2985 case BSM_GETAUDIT_ADDR:
2986 e = AUE_GETAUDIT_ADDR;
2987 break;
2988 case BSM_SETAUDIT:
2989 e = AUE_SETAUDIT;
2990 break;
2991 case BSM_SETAUDIT_ADDR:
2992 e = AUE_SETAUDIT_ADDR;
2993 break;
2994 case BSM_AUDIT:
2995 e = AUE_AUDIT;
2996 break;
2997 case BSM_AUDITCTL:
2998 switch ((uint_t)uap->a1) {
2999
3000 case A_GETPOLICY:
3001 e = AUE_AUDITON_GPOLICY;
3002 break;
3003 case A_SETPOLICY:
3004 e = AUE_AUDITON_SPOLICY;
3005 break;
3006 case A_GETAMASK:
3007 e = AUE_AUDITON_GETAMASK;
3008 break;
3009 case A_SETAMASK:
3010 e = AUE_AUDITON_SETAMASK;
3011 break;
3012 case A_GETKMASK:
3013 e = AUE_AUDITON_GETKMASK;
3014 break;
3015 case A_SETKMASK:
3016 e = AUE_AUDITON_SETKMASK;
3017 break;
3018 case A_GETQCTRL:
3019 e = AUE_AUDITON_GQCTRL;
3020 break;
3021 case A_SETQCTRL:
3022 e = AUE_AUDITON_SQCTRL;
3023 break;
3024 case A_GETCWD:
3025 e = AUE_AUDITON_GETCWD;
3026 break;
3027 case A_GETCAR:
3028 e = AUE_AUDITON_GETCAR;
3029 break;
3030 case A_GETSTAT:
3031 e = AUE_AUDITON_GETSTAT;
3032 break;
3033 case A_SETSTAT:
3034 e = AUE_AUDITON_SETSTAT;
3035 break;
3036 case A_SETUMASK:
3037 e = AUE_AUDITON_SETUMASK;
3038 break;
3039 case A_SETSMASK:
3040 e = AUE_AUDITON_SETSMASK;
3041 break;
3042 case A_GETCOND:
3043 e = AUE_AUDITON_GETCOND;
3044 break;
3045 case A_SETCOND:
3046 e = AUE_AUDITON_SETCOND;
3047 break;
3048 case A_GETCLASS:
3049 e = AUE_AUDITON_GETCLASS;
3050 break;
3051 case A_SETCLASS:
3052 e = AUE_AUDITON_SETCLASS;
3053 break;
3054 default:
3055 e = AUE_NULL;
3056 break;
3057 }
3058 break;
3059 default:
3060 e = AUE_NULL;
3061 break;
3062 }
3063
3064 return (e);
3065
3066 } /* AUI_AUDITSYS */
3067
3068
3069 static void
3070 aus_auditsys(struct t_audit_data *tad)
3071 {
3072 klwp_t *clwp = ttolwp(curthread);
3073 uintptr_t a1, a2;
3074 STRUCT_DECL(auditinfo, ainfo);
3075 STRUCT_DECL(auditinfo_addr, ainfo_addr);
3076 au_evclass_map_t event;
3077 au_mask_t mask;
3078 int auditstate, policy;
3079 au_id_t auid;
3080
3081
3082 struct a {
3083 long code;
3084 long a1;
3085 long a2;
3086 long a3;
3087 long a4;
3088 long a5;
3089 long a6;
3090 long a7;
3091 } *uap = (struct a *)clwp->lwp_ap;
3092
3093 a1 = (uintptr_t)uap->a1;
3094 a2 = (uintptr_t)uap->a2;
3095
3096 switch (tad->tad_event) {
3097 case AUE_SETAUID:
3098 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3099 return;
3100 au_uwrite(au_to_arg32(2, "setauid", auid));
3101 break;
3102 case AUE_SETAUDIT:
3103 STRUCT_INIT(ainfo, get_udatamodel());
3104 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3105 STRUCT_SIZE(ainfo))) {
3106 return;
3107 }
3108 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3109 (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3110 #ifdef _LP64
3111 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3112 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3113 #else
3114 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3115 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3116 #endif
3117 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3118 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3119 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3120 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3121 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3122 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3123 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3124 (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3125 break;
3126 case AUE_SETAUDIT_ADDR:
3127 STRUCT_INIT(ainfo_addr, get_udatamodel());
3128 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3129 STRUCT_SIZE(ainfo_addr))) {
3130 return;
3131 }
3132 au_uwrite(au_to_arg32((char)1, "auid",
3133 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3134 #ifdef _LP64
3135 au_uwrite(au_to_arg64((char)1, "port",
3136 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3137 #else
3138 au_uwrite(au_to_arg32((char)1, "port",
3139 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3140 #endif
3141 au_uwrite(au_to_arg32((char)1, "type",
3142 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3143 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3144 AU_IPv4) {
3145 au_uwrite(au_to_in_addr(
3146 (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3147 ai_termid.at_addr)));
3148 } else {
3149 au_uwrite(au_to_in_addr_ex(
3150 (int32_t *)STRUCT_FGETP(ainfo_addr,
3151 ai_termid.at_addr)));
3152 }
3153 au_uwrite(au_to_arg32((char)1, "as_success",
3154 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3155 au_uwrite(au_to_arg32((char)1, "as_failure",
3156 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3157 au_uwrite(au_to_arg32((char)1, "asid",
3158 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3159 break;
3160 case AUE_AUDITON_SETAMASK:
3161 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3162 return;
3163 au_uwrite(au_to_arg32(
3164 2, "setamask:as_success", (uint32_t)mask.as_success));
3165 au_uwrite(au_to_arg32(
3166 2, "setamask:as_failure", (uint32_t)mask.as_failure));
3167 break;
3168 case AUE_AUDITON_SETKMASK:
3169 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3170 return;
3171 au_uwrite(au_to_arg32(
3172 2, "setkmask:as_success", (uint32_t)mask.as_success));
3173 au_uwrite(au_to_arg32(
3174 2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3175 break;
3176 case AUE_AUDITON_SPOLICY:
3177 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3178 return;
3179 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3180 break;
3181 case AUE_AUDITON_SQCTRL: {
3182 STRUCT_DECL(au_qctrl, qctrl);
3183 model_t model;
3184
3185 model = get_udatamodel();
3186 STRUCT_INIT(qctrl, model);
3187 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3188 return;
3189 if (model == DATAMODEL_ILP32) {
3190 au_uwrite(au_to_arg32(
3191 3, "setqctrl:aq_hiwater",
3192 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3193 au_uwrite(au_to_arg32(
3194 3, "setqctrl:aq_lowater",
3195 (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3196 au_uwrite(au_to_arg32(
3197 3, "setqctrl:aq_bufsz",
3198 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3199 au_uwrite(au_to_arg32(
3200 3, "setqctrl:aq_delay",
3201 (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3202 } else {
3203 au_uwrite(au_to_arg64(
3204 3, "setqctrl:aq_hiwater",
3205 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3206 au_uwrite(au_to_arg64(
3207 3, "setqctrl:aq_lowater",
3208 (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3209 au_uwrite(au_to_arg64(
3210 3, "setqctrl:aq_bufsz",
3211 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3212 au_uwrite(au_to_arg64(
3213 3, "setqctrl:aq_delay",
3214 (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3215 }
3216 break;
3217 }
3218 case AUE_AUDITON_SETUMASK:
3219 STRUCT_INIT(ainfo, get_udatamodel());
3220 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3221 STRUCT_SIZE(ainfo))) {
3222 return;
3223 }
3224 au_uwrite(au_to_arg32(3, "setumask:as_success",
3225 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3226 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3227 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3228 break;
3229 case AUE_AUDITON_SETSMASK:
3230 STRUCT_INIT(ainfo, get_udatamodel());
3231 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3232 STRUCT_SIZE(ainfo))) {
3233 return;
3234 }
3235 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3236 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3237 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3238 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3239 break;
3240 case AUE_AUDITON_SETCOND:
3241 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3242 return;
3243 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3244 break;
3245 case AUE_AUDITON_SETCLASS:
3246 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3247 return;
3248 au_uwrite(au_to_arg32(
3249 2, "setclass:ec_event", (uint32_t)event.ec_number));
3250 au_uwrite(au_to_arg32(
3251 3, "setclass:ec_class", (uint32_t)event.ec_class));
3252 break;
3253 case AUE_GETAUID:
3254 case AUE_GETAUDIT:
3255 case AUE_GETAUDIT_ADDR:
3256 case AUE_AUDIT:
3257 case AUE_AUDITON_GPOLICY:
3258 case AUE_AUDITON_GQCTRL:
3259 case AUE_AUDITON_GETAMASK:
3260 case AUE_AUDITON_GETKMASK:
3261 case AUE_AUDITON_GETCWD:
3262 case AUE_AUDITON_GETCAR:
3263 case AUE_AUDITON_GETSTAT:
3264 case AUE_AUDITON_SETSTAT:
3265 case AUE_AUDITON_GETCOND:
3266 case AUE_AUDITON_GETCLASS:
3267 break;
3268 default:
3269 break;
3270 }
3271
3272 } /* AUS_AUDITSYS */
3273
3274
3275 /* only audit privileged operations for systeminfo(2) system call */
3276 static au_event_t
3277 aui_sysinfo(au_event_t e)
3278 {
3279 klwp_t *clwp = ttolwp(curthread);
3280 uint32_t command;
3281
3282 struct a {
3283 long command;
3284 long buf; /* char * */
3285 long count;
3286 } *uap = (struct a *)clwp->lwp_ap;
3287
3288 command = (uint32_t)uap->command;
3289
3290 switch (command) {
3291 case SI_SET_HOSTNAME:
3292 case SI_SET_SRPC_DOMAIN:
3293 e = (au_event_t)AUE_SYSINFO;
3294 break;
3295 default:
3296 e = (au_event_t)AUE_NULL;
3297 break;
3298 }
3299 return (e);
3300 }
3301
3302 /*ARGSUSED*/
3303 static void
3304 aus_sysinfo(struct t_audit_data *tad)
3305 {
3306 klwp_t *clwp = ttolwp(curthread);
3307 uint32_t command;
3308 size_t len, maxlen;
3309 char *name;
3310 uintptr_t buf;
3311
3312 struct a {
3313 long command;
3314 long buf; /* char * */
3315 long count;
3316 } *uap = (struct a *)clwp->lwp_ap;
3317
3318 command = (uint32_t)uap->command;
3319 buf = (uintptr_t)uap->buf;
3320
3321 au_uwrite(au_to_arg32(1, "cmd", command));
3322
3323 switch (command) {
3324 case SI_SET_HOSTNAME:
3325 {
3326 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3327 return;
3328
3329 maxlen = SYS_NMLN;
3330 name = kmem_alloc(maxlen, KM_SLEEP);
3331 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3332 break;
3333
3334 /*
3335 * Must be non-NULL string and string
3336 * must be less than SYS_NMLN chars.
3337 */
3338 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3339 break;
3340
3341 au_uwrite(au_to_text(name));
3342 break;
3343 }
3344
3345 case SI_SET_SRPC_DOMAIN:
3346 {
3347 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3348 return;
3349
3350 maxlen = SYS_NMLN;
3351 name = kmem_alloc(maxlen, KM_SLEEP);
3352 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3353 break;
3354
3355 /*
3356 * If string passed in is longer than length
3357 * allowed for domain name, fail.
3358 */
3359 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3360 break;
3361
3362 au_uwrite(au_to_text(name));
3363 break;
3364 }
3365
3366 default:
3367 return;
3368 }
3369
3370 kmem_free(name, maxlen);
3371 }
3372
3373 static au_event_t
3374 aui_modctl(au_event_t e)
3375 {
3376 klwp_t *clwp = ttolwp(curthread);
3377 uint_t cmd;
3378
3379 struct a {
3380 long cmd;
3381 } *uap = (struct a *)clwp->lwp_ap;
3382
3383 cmd = (uint_t)uap->cmd;
3384
3385 switch (cmd) {
3386 case MODLOAD:
3387 e = AUE_MODLOAD;
3388 break;
3389 case MODUNLOAD:
3390 e = AUE_MODUNLOAD;
3391 break;
3392 case MODADDMAJBIND:
3393 e = AUE_MODADDMAJ;
3394 break;
3395 case MODSETDEVPOLICY:
3396 e = AUE_MODDEVPLCY;
3397 break;
3398 case MODALLOCPRIV:
3399 e = AUE_MODADDPRIV;
3400 break;
3401 default:
3402 e = AUE_NULL;
3403 break;
3404 }
3405 return (e);
3406 }
3407
3408
3409 /*ARGSUSED*/
3410 static void
3411 aus_modctl(struct t_audit_data *tad)
3412 {
3413 klwp_t *clwp = ttolwp(curthread);
3414 void *a = clwp->lwp_ap;
3415 uint_t use_path;
3416
3417 switch (tad->tad_event) {
3418 case AUE_MODLOAD: {
3419 typedef struct {
3420 long cmd;
3421 long use_path;
3422 long filename; /* char * */
3423 } modloada_t;
3424
3425 char *filenamep;
3426 uintptr_t fname;
3427 extern char *default_path;
3428
3429 fname = (uintptr_t)((modloada_t *)a)->filename;
3430 use_path = (uint_t)((modloada_t *)a)->use_path;
3431
3432 /* space to hold path */
3433 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3434 /* get string */
3435 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3436 /* free allocated path */
3437 kmem_free(filenamep, MOD_MAXPATH);
3438 return;
3439 }
3440 /* ensure it's null terminated */
3441 filenamep[MOD_MAXPATH - 1] = 0;
3442
3443 if (use_path)
3444 au_uwrite(au_to_text(default_path));
3445 au_uwrite(au_to_text(filenamep));
3446
3447 /* release temporary memory */
3448 kmem_free(filenamep, MOD_MAXPATH);
3449 break;
3450 }
3451 case AUE_MODUNLOAD: {
3452 typedef struct {
3453 long cmd;
3454 long id;
3455 } modunloada_t;
3456
3457 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3458
3459 au_uwrite(au_to_arg32(1, "id", id));
3460 break;
3461 }
3462 case AUE_MODADDMAJ: {
3463 STRUCT_DECL(modconfig, mc);
3464 typedef struct {
3465 long cmd;
3466 long subcmd;
3467 long data; /* int * */
3468 } modconfiga_t;
3469
3470 STRUCT_DECL(aliases, alias);
3471 caddr_t ap;
3472 int i, num_aliases;
3473 char *drvname, *mc_drvname;
3474 char *name;
3475 extern char *ddi_major_to_name(major_t);
3476 model_t model;
3477
3478 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3479
3480 model = get_udatamodel();
3481 STRUCT_INIT(mc, model);
3482 /* sanitize buffer */
3483 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3484 /* get user arguments */
3485 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3486 STRUCT_SIZE(mc)) != 0)
3487 return;
3488
3489 mc_drvname = STRUCT_FGET(mc, drvname);
3490 if ((drvname = ddi_major_to_name(
3491 (major_t)STRUCT_FGET(mc, major))) != NULL &&
3492 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3493 /* safety */
3494 if (mc_drvname[0] != '\0') {
3495 mc_drvname[MAXMODCONFNAME-1] = '\0';
3496 au_uwrite(au_to_text(mc_drvname));
3497 }
3498 /* drvname != NULL from test above */
3499 au_uwrite(au_to_text(drvname));
3500 return;
3501 }
3502
3503 if (mc_drvname[0] != '\0') {
3504 /* safety */
3505 mc_drvname[MAXMODCONFNAME-1] = '\0';
3506 au_uwrite(au_to_text(mc_drvname));
3507 } else
3508 au_uwrite(au_to_text("no drvname"));
3509
3510 num_aliases = STRUCT_FGET(mc, num_aliases);
3511 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3512 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3513 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3514 STRUCT_INIT(alias, model);
3515 for (i = 0; i < num_aliases; i++) {
3516 bzero((caddr_t)STRUCT_BUF(alias),
3517 STRUCT_SIZE(alias));
3518 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3519 STRUCT_SIZE(alias)) != 0)
3520 break;
3521 if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3522 MAXMODCONFNAME, NULL) != 0) {
3523 break;
3524 }
3525
3526 au_uwrite(au_to_text(name));
3527 ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3528 }
3529 kmem_free(name, MAXMODCONFNAME);
3530 break;
3531 }
3532 default:
3533 break;
3534 }
3535 }
3536
3537
3538 /*ARGSUSED*/
3539 static void
3540 auf_accept(
3541 struct t_audit_data *tad,
3542 int error,
3543 rval_t *rval)
3544 {
3545 uint32_t scid;
3546 uint32_t sy_flags;
3547 int fd;
3548 struct sonode *so;
3549 char so_laddr[sizeof (struct sockaddr_in6)];
3550 char so_faddr[sizeof (struct sockaddr_in6)];
3551 int err;
3552 short so_family, so_type;
3553 int add_sock_token = 0;
3554
3555 /* need to determine type of executing binary */
3556 scid = tad->tad_scid;
3557 #ifdef _SYSCALL32_IMPL
3558 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3559 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3560 else
3561 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3562 #else
3563 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3564 #endif
3565 switch (sy_flags) {
3566 case SE_32RVAL1:
3567 /* FALLTHRU */
3568 case SE_32RVAL2|SE_32RVAL1:
3569 fd = rval->r_val1;
3570 break;
3571 case SE_64RVAL:
3572 fd = (int)rval->r_vals;
3573 break;
3574 default:
3575 /*
3576 * should never happen, seems to be an internal error
3577 * in sysent => no fd, nothing to audit here, returning
3578 */
3579 return;
3580 }
3581
3582 if (error) {
3583 /* can't trust socket contents. Just return */
3584 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3585 return;
3586 }
3587
3588 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3589 /*
3590 * not security relevant if doing a accept from non socket
3591 * so no extra tokens. Should probably turn off audit record
3592 * generation here.
3593 */
3594 return;
3595 }
3596
3597 so_family = so->so_family;
3598 so_type = so->so_type;
3599
3600 switch (so_family) {
3601 case AF_INET:
3602 case AF_INET6:
3603 /*
3604 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3605 */
3606 if (so->so_type == SOCK_STREAM) {
3607 socklen_t len;
3608
3609 bzero((void *)so_laddr, sizeof (so_laddr));
3610 bzero((void *)so_faddr, sizeof (so_faddr));
3611
3612 len = sizeof (so_laddr);
3613 (void) socket_getsockname(so,
3614 (struct sockaddr *)so_laddr, &len, CRED());
3615 len = sizeof (so_faddr);
3616 (void) socket_getpeername(so,
3617 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3618
3619 add_sock_token = 1;
3620 }
3621 break;
3622
3623 default:
3624 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3625 break;
3626 }
3627
3628 releasef(fd);
3629
3630 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3631
3632 if (add_sock_token == 0) {
3633 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3634 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3635 return;
3636 }
3637
3638 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3639
3640 }
3641
3642 /*ARGSUSED*/
3643 static void
3644 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3645 {
3646 struct a {
3647 long fd;
3648 long addr;
3649 long len;
3650 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3651
3652 struct sonode *so;
3653 char so_laddr[sizeof (struct sockaddr_in6)];
3654 char so_faddr[sizeof (struct sockaddr_in6)];
3655 int err, fd;
3656 socklen_t len;
3657 short so_family, so_type;
3658 int add_sock_token = 0;
3659
3660 fd = (int)uap->fd;
3661
3662 /*
3663 * bind failed, then nothing extra to add to audit record.
3664 */
3665 if (error) {
3666 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3667 /* XXX may want to add failed address some day */
3668 return;
3669 }
3670
3671 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3672 /*
3673 * not security relevant if doing a bind from non socket
3674 * so no extra tokens. Should probably turn off audit record
3675 * generation here.
3676 */
3677 return;
3678 }
3679
3680 so_family = so->so_family;
3681 so_type = so->so_type;
3682
3683 switch (so_family) {
3684 case AF_INET:
3685 case AF_INET6:
3686
3687 bzero(so_faddr, sizeof (so_faddr));
3688 len = sizeof (so_faddr);
3689
3690 (void) socket_getpeername(so,
3691 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3692 add_sock_token = 1;
3693
3694 break;
3695
3696 case AF_UNIX:
3697 /* token added by lookup */
3698 break;
3699 default:
3700 /* AF_ROUTE, AF_KEY do not support accept */
3701 break;
3702 }
3703
3704 releasef(fd);
3705
3706 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3707
3708 if (add_sock_token == 0) {
3709 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3710 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3711 return;
3712 }
3713
3714 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3715
3716 }
3717
3718 /*ARGSUSED*/
3719 static void
3720 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3721 {
3722 struct a {
3723 long fd;
3724 long addr;
3725 long len;
3726 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3727
3728 struct sonode *so;
3729 char so_laddr[sizeof (struct sockaddr_in6)];
3730 char so_faddr[sizeof (struct sockaddr_in6)];
3731 int err, fd;
3732 socklen_t len;
3733 short so_family, so_type;
3734 int add_sock_token = 0;
3735
3736 fd = (int)uap->fd;
3737
3738
3739 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3740 /*
3741 * not security relevant if doing a connect from non socket
3742 * so no extra tokens. Should probably turn off audit record
3743 * generation here.
3744 */
3745 return;
3746 }
3747
3748 so_family = so->so_family;
3749 so_type = so->so_type;
3750
3751 switch (so_family) {
3752 case AF_INET:
3753 case AF_INET6:
3754
3755 bzero(so_laddr, sizeof (so_laddr));
3756 bzero(so_faddr, sizeof (so_faddr));
3757
3758 len = sizeof (so_laddr);
3759 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3760 &len, CRED());
3761 if (error) {
3762 if (uap->addr == NULL)
3763 break;
3764 if (uap->len <= 0)
3765 break;
3766 len = min(uap->len, sizeof (so_faddr));
3767 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3768 break;
3769 #ifdef NOTYET
3770 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3771 #endif
3772 } else {
3773 /* sanity check on length */
3774 len = sizeof (so_faddr);
3775 (void) socket_getpeername(so,
3776 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3777 }
3778
3779 add_sock_token = 1;
3780
3781 break;
3782
3783 case AF_UNIX:
3784 /* does a lookup on name */
3785 break;
3786
3787 default:
3788 /* AF_ROUTE, AF_KEY do not support accept */
3789 break;
3790 }
3791
3792 releasef(fd);
3793
3794 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3795
3796 if (add_sock_token == 0) {
3797 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3798 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3799 return;
3800 }
3801
3802 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3803
3804 }
3805
3806 /*ARGSUSED*/
3807 static void
3808 aus_shutdown(struct t_audit_data *tad)
3809 {
3810 struct a {
3811 long fd;
3812 long how;
3813 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3814
3815 struct sonode *so;
3816 char so_laddr[sizeof (struct sockaddr_in6)];
3817 char so_faddr[sizeof (struct sockaddr_in6)];
3818 int err, fd;
3819 socklen_t len;
3820 short so_family, so_type;
3821 int add_sock_token = 0;
3822 file_t *fp; /* unix domain sockets */
3823 struct f_audit_data *fad; /* unix domain sockets */
3824
3825 fd = (int)uap->fd;
3826
3827 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3828 /*
3829 * not security relevant if doing a shutdown using non socket
3830 * so no extra tokens. Should probably turn off audit record
3831 * generation here.
3832 */
3833 return;
3834 }
3835
3836 so_family = so->so_family;
3837 so_type = so->so_type;
3838
3839 switch (so_family) {
3840 case AF_INET:
3841 case AF_INET6:
3842
3843 bzero(so_laddr, sizeof (so_laddr));
3844 bzero(so_faddr, sizeof (so_faddr));
3845
3846 len = sizeof (so_laddr);
3847 (void) socket_getsockname(so,
3848 (struct sockaddr *)so_laddr, &len, CRED());
3849 len = sizeof (so_faddr);
3850 (void) socket_getpeername(so,
3851 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3852
3853 add_sock_token = 1;
3854
3855 break;
3856
3857 case AF_UNIX:
3858
3859 /* get path from file struct here */
3860 fad = F2A(fp);
3861 ASSERT(fad);
3862
3863 if (fad->fad_aupath != NULL) {
3864 au_uwrite(au_to_path(fad->fad_aupath));
3865 } else {
3866 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3867 }
3868
3869 audit_attributes(fp->f_vnode);
3870
3871 break;
3872
3873 default:
3874 /*
3875 * AF_KEY and AF_ROUTE support shutdown. No socket token
3876 * added.
3877 */
3878 break;
3879 }
3880
3881 releasef(fd);
3882
3883 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3884
3885 if (add_sock_token == 0) {
3886 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3887 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3888 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3889 return;
3890 }
3891
3892 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3893
3894 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3895
3896 }
3897
3898 /*ARGSUSED*/
3899 static void
3900 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3901 {
3902 struct a {
3903 long fd;
3904 long level;
3905 long optname;
3906 long *optval;
3907 long optlen;
3908 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3909
3910 struct sonode *so;
3911 char so_laddr[sizeof (struct sockaddr_in6)];
3912 char so_faddr[sizeof (struct sockaddr_in6)];
3913 char val[AU_BUFSIZE];
3914 int err, fd;
3915 socklen_t len;
3916 short so_family, so_type;
3917 int add_sock_token = 0;
3918 file_t *fp; /* unix domain sockets */
3919 struct f_audit_data *fad; /* unix domain sockets */
3920
3921 fd = (int)uap->fd;
3922
3923 if (error) {
3924 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3925 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3926 /* XXX may want to include other arguments */
3927 return;
3928 }
3929
3930 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3931 /*
3932 * not security relevant if doing a setsockopt from non socket
3933 * so no extra tokens. Should probably turn off audit record
3934 * generation here.
3935 */
3936 return;
3937 }
3938
3939 so_family = so->so_family;
3940 so_type = so->so_type;
3941
3942 switch (so_family) {
3943 case AF_INET:
3944 case AF_INET6:
3945 bzero((void *)so_laddr, sizeof (so_laddr));
3946 bzero((void *)so_faddr, sizeof (so_faddr));
3947
3948 /* get local and foreign addresses */
3949 len = sizeof (so_laddr);
3950 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3951 &len, CRED());
3952 len = sizeof (so_faddr);
3953 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3954 &len, B_FALSE, CRED());
3955
3956 add_sock_token = 1;
3957
3958 break;
3959
3960 case AF_UNIX:
3961
3962 /* get path from file struct here */
3963 fad = F2A(fp);
3964 ASSERT(fad);
3965
3966 if (fad->fad_aupath != NULL) {
3967 au_uwrite(au_to_path(fad->fad_aupath));
3968 } else {
3969 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3970 }
3971
3972 audit_attributes(fp->f_vnode);
3973
3974 break;
3975
3976 default:
3977 /*
3978 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3979 * added.
3980 */
3981 break;
3982 }
3983
3984 releasef(fd);
3985
3986 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3987
3988 if (add_sock_token == 0) {
3989 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3990 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3991 }
3992 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3993 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3994
3995 bzero(val, sizeof (val));
3996 len = min(uap->optlen, sizeof (val));
3997 if ((len > 0) &&
3998 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3999 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
4000 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
4001 }
4002
4003 if (add_sock_token == 0)
4004 return;
4005
4006 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4007
4008 }
4009
4010 /*ARGSUSED*/
4011 static void
4012 aus_sockconfig(tad)
4013 struct t_audit_data *tad;
4014 {
4015 struct a {
4016 long cmd;
4017 long arg1;
4018 long arg2;
4019 long arg3;
4020 long arg4;
4021 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4022
4023 char *buf;
4024 int buflen;
4025 size_t size;
4026
4027 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4028 switch (uap->cmd) {
4029 case SOCKCONFIG_ADD_SOCK:
4030 case SOCKCONFIG_REMOVE_SOCK:
4031 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4032 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4033 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4034
4035 if (uap->arg4 == 0) {
4036 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4037 } else {
4038 buflen = MAXPATHLEN + 1;
4039 buf = kmem_alloc(buflen, KM_SLEEP);
4040 if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4041 &size)) {
4042 kmem_free(buf, buflen);
4043 return;
4044 }
4045
4046 if (size > MAXPATHLEN) {
4047 kmem_free(buf, buflen);
4048 return;
4049 }
4050
4051 au_uwrite(au_to_text(buf));
4052 kmem_free(buf, buflen);
4053 }
4054 break;
4055 case SOCKCONFIG_ADD_FILTER:
4056 case SOCKCONFIG_REMOVE_FILTER:
4057 buflen = FILNAME_MAX;
4058 buf = kmem_alloc(buflen, KM_SLEEP);
4059
4060 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4061 kmem_free(buf, buflen);
4062 return;
4063 }
4064
4065 au_uwrite(au_to_text(buf));
4066 kmem_free(buf, buflen);
4067 break;
4068 default:
4069 break;
4070 }
4071 }
4072
4073 /*
4074 * only audit recvmsg when the system call represents the creation of a new
4075 * circuit. This effectively occurs for all UDP packets and may occur for
4076 * special TCP situations where the local host has not set a local address
4077 * in the socket structure.
4078 */
4079 /*ARGSUSED*/
4080 static void
4081 auf_recvmsg(
4082 struct t_audit_data *tad,
4083 int error,
4084 rval_t *rvp)
4085 {
4086 struct a {
4087 long fd;
4088 long msg; /* struct msghdr */
4089 long flags;
4090 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4091
4092 struct sonode *so;
4093 STRUCT_DECL(msghdr, msg);
4094 caddr_t msg_name;
4095 socklen_t msg_namelen;
4096 int fd;
4097 int err;
4098 char so_laddr[sizeof (struct sockaddr_in6)];
4099 char so_faddr[sizeof (struct sockaddr_in6)];
4100 socklen_t len;
4101 file_t *fp; /* unix domain sockets */
4102 struct f_audit_data *fad; /* unix domain sockets */
4103 short so_family, so_type;
4104 int add_sock_token = 0;
4105 au_kcontext_t *kctx = GET_KCTX_PZ;
4106
4107 fd = (int)uap->fd;
4108
4109 /* bail if an error */
4110 if (error) {
4111 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4112 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4113 return;
4114 }
4115
4116 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4117 /*
4118 * not security relevant if doing a recvmsg from non socket
4119 * so no extra tokens. Should probably turn off audit record
4120 * generation here.
4121 */
4122 return;
4123 }
4124
4125 so_family = so->so_family;
4126 so_type = so->so_type;
4127
4128 /*
4129 * only putout SOCKET_EX token if INET/INET6 family.
4130 * XXX - what do we do about other families?
4131 */
4132
4133 switch (so_family) {
4134 case AF_INET:
4135 case AF_INET6:
4136
4137 /*
4138 * if datagram type socket, then just use what is in
4139 * socket structure for local address.
4140 * XXX - what do we do for other types?
4141 */
4142 if ((so->so_type == SOCK_DGRAM) ||
4143 (so->so_type == SOCK_RAW)) {
4144 add_sock_token = 1;
4145
4146 bzero((void *)so_laddr, sizeof (so_laddr));
4147 bzero((void *)so_faddr, sizeof (so_faddr));
4148
4149 /* get local address */
4150 len = sizeof (so_laddr);
4151 (void) socket_getsockname(so,
4152 (struct sockaddr *)so_laddr, &len, CRED());
4153
4154 /* get peer address */
4155 STRUCT_INIT(msg, get_udatamodel());
4156
4157 if (copyin((caddr_t)(uap->msg),
4158 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4159 break;
4160 }
4161 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4162 if (msg_name == NULL) {
4163 break;
4164 }
4165
4166 /* length is value from recvmsg - sanity check */
4167 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4168 if (msg_namelen == 0) {
4169 break;
4170 }
4171 if (copyin(msg_name, so_faddr,
4172 sizeof (so_faddr)) != 0) {
4173 break;
4174 }
4175
4176 } else if (so->so_type == SOCK_STREAM) {
4177
4178 /* get path from file struct here */
4179 fad = F2A(fp);
4180 ASSERT(fad);
4181
4182 /*
4183 * already processed this file for read attempt
4184 */
4185 if (fad->fad_flags & FAD_READ) {
4186 /* don't want to audit every recvmsg attempt */
4187 tad->tad_flag = 0;
4188 /* free any residual audit data */
4189 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4190 releasef(fd);
4191 return;
4192 }
4193 /*
4194 * mark things so we know what happened and don't
4195 * repeat things
4196 */
4197 fad->fad_flags |= FAD_READ;
4198
4199 bzero((void *)so_laddr, sizeof (so_laddr));
4200 bzero((void *)so_faddr, sizeof (so_faddr));
4201
4202 /* get local and foreign addresses */
4203 len = sizeof (so_laddr);
4204 (void) socket_getsockname(so,
4205 (struct sockaddr *)so_laddr, &len, CRED());
4206 len = sizeof (so_faddr);
4207 (void) socket_getpeername(so,
4208 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4209
4210 add_sock_token = 1;
4211 }
4212
4213 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4214
4215 break;
4216
4217 case AF_UNIX:
4218 /*
4219 * first check if this is first time through. Too much
4220 * duplicate code to put this in an aui_ routine.
4221 */
4222
4223 /* get path from file struct here */
4224 fad = F2A(fp);
4225 ASSERT(fad);
4226
4227 /*
4228 * already processed this file for read attempt
4229 */
4230 if (fad->fad_flags & FAD_READ) {
4231 releasef(fd);
4232 /* don't want to audit every recvmsg attempt */
4233 tad->tad_flag = 0;
4234 /* free any residual audit data */
4235 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4236 return;
4237 }
4238 /*
4239 * mark things so we know what happened and don't
4240 * repeat things
4241 */
4242 fad->fad_flags |= FAD_READ;
4243
4244 if (fad->fad_aupath != NULL) {
4245 au_uwrite(au_to_path(fad->fad_aupath));
4246 } else {
4247 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4248 }
4249
4250 audit_attributes(fp->f_vnode);
4251
4252 releasef(fd);
4253
4254 return;
4255
4256 default:
4257 break;
4258
4259 }
4260
4261 releasef(fd);
4262
4263 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4264
4265 if (add_sock_token == 0) {
4266 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4267 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4268 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4269 return;
4270 }
4271
4272 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4273
4274 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4275
4276 }
4277
4278 /*ARGSUSED*/
4279 static void
4280 auf_recvfrom(
4281 struct t_audit_data *tad,
4282 int error,
4283 rval_t *rvp)
4284 {
4285
4286 struct a {
4287 long fd;
4288 long msg; /* char */
4289 long len;
4290 long flags;
4291 long from; /* struct sockaddr */
4292 long fromlen;
4293 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4294
4295 socklen_t fromlen;
4296 struct sonode *so;
4297 char so_laddr[sizeof (struct sockaddr_in6)];
4298 char so_faddr[sizeof (struct sockaddr_in6)];
4299 int fd;
4300 short so_family, so_type;
4301 int add_sock_token = 0;
4302 socklen_t len;
4303 int err;
4304 struct file *fp;
4305 struct f_audit_data *fad; /* unix domain sockets */
4306 au_kcontext_t *kctx = GET_KCTX_PZ;
4307
4308 fd = (int)uap->fd;
4309
4310 /* bail if an error */
4311 if (error) {
4312 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4313 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4314 return;
4315 }
4316
4317 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4318 /*
4319 * not security relevant if doing a recvmsg from non socket
4320 * so no extra tokens. Should probably turn off audit record
4321 * generation here.
4322 */
4323 return;
4324 }
4325
4326 so_family = so->so_family;
4327 so_type = so->so_type;
4328
4329 /*
4330 * only putout SOCKET_EX token if INET/INET6 family.
4331 * XXX - what do we do about other families?
4332 */
4333
4334 switch (so_family) {
4335 case AF_INET:
4336 case AF_INET6:
4337
4338 /*
4339 * if datagram type socket, then just use what is in
4340 * socket structure for local address.
4341 * XXX - what do we do for other types?
4342 */
4343 if ((so->so_type == SOCK_DGRAM) ||
4344 (so->so_type == SOCK_RAW)) {
4345 add_sock_token = 1;
4346
4347 /* get local address */
4348 len = sizeof (so_laddr);
4349 (void) socket_getsockname(so,
4350 (struct sockaddr *)so_laddr, &len, CRED());
4351
4352 /* get peer address */
4353 bzero((void *)so_faddr, sizeof (so_faddr));
4354
4355 /* sanity check */
4356 if (uap->from == NULL)
4357 break;
4358
4359 /* sanity checks */
4360 if (uap->fromlen == 0)
4361 break;
4362
4363 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4364 sizeof (fromlen)) != 0)
4365 break;
4366
4367 if (fromlen == 0)
4368 break;
4369
4370 /* enforce maximum size */
4371 if (fromlen > sizeof (so_faddr))
4372 fromlen = sizeof (so_faddr);
4373
4374 if (copyin((caddr_t)(uap->from), so_faddr,
4375 fromlen) != 0)
4376 break;
4377
4378 } else if (so->so_type == SOCK_STREAM) {
4379
4380 /* get path from file struct here */
4381 fad = F2A(fp);
4382 ASSERT(fad);
4383
4384 /*
4385 * already processed this file for read attempt
4386 */
4387 if (fad->fad_flags & FAD_READ) {
4388 /* don't want to audit every recvfrom attempt */
4389 tad->tad_flag = 0;
4390 /* free any residual audit data */
4391 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4392 releasef(fd);
4393 return;
4394 }
4395 /*
4396 * mark things so we know what happened and don't
4397 * repeat things
4398 */
4399 fad->fad_flags |= FAD_READ;
4400
4401 bzero((void *)so_laddr, sizeof (so_laddr));
4402 bzero((void *)so_faddr, sizeof (so_faddr));
4403
4404 /* get local and foreign addresses */
4405 len = sizeof (so_laddr);
4406 (void) socket_getsockname(so,
4407 (struct sockaddr *)so_laddr, &len, CRED());
4408 len = sizeof (so_faddr);
4409 (void) socket_getpeername(so,
4410 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4411
4412 add_sock_token = 1;
4413 }
4414
4415 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4416
4417 break;
4418
4419 case AF_UNIX:
4420 /*
4421 * first check if this is first time through. Too much
4422 * duplicate code to put this in an aui_ routine.
4423 */
4424
4425 /* get path from file struct here */
4426 fad = F2A(fp);
4427 ASSERT(fad);
4428
4429 /*
4430 * already processed this file for read attempt
4431 */
4432 if (fad->fad_flags & FAD_READ) {
4433 /* don't want to audit every recvfrom attempt */
4434 tad->tad_flag = 0;
4435 /* free any residual audit data */
4436 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4437 releasef(fd);
4438 return;
4439 }
4440 /*
4441 * mark things so we know what happened and don't
4442 * repeat things
4443 */
4444 fad->fad_flags |= FAD_READ;
4445
4446 if (fad->fad_aupath != NULL) {
4447 au_uwrite(au_to_path(fad->fad_aupath));
4448 } else {
4449 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4450 }
4451
4452 audit_attributes(fp->f_vnode);
4453
4454 releasef(fd);
4455
4456 return;
4457
4458 default:
4459 break;
4460
4461 }
4462
4463 releasef(fd);
4464
4465 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4466
4467 if (add_sock_token == 0) {
4468 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4469 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4470 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4471 return;
4472 }
4473
4474 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4475
4476 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4477 }
4478
4479 /*ARGSUSED*/
4480 static void
4481 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4482 {
4483 struct a {
4484 long fd;
4485 long msg; /* struct msghdr */
4486 long flags;
4487 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4488
4489 struct sonode *so;
4490 char so_laddr[sizeof (struct sockaddr_in6)];
4491 char so_faddr[sizeof (struct sockaddr_in6)];
4492 int err;
4493 int fd;
4494 short so_family, so_type;
4495 int add_sock_token = 0;
4496 socklen_t len;
4497 struct file *fp;
4498 struct f_audit_data *fad;
4499 caddr_t msg_name;
4500 socklen_t msg_namelen;
4501 STRUCT_DECL(msghdr, msg);
4502 au_kcontext_t *kctx = GET_KCTX_PZ;
4503
4504 fd = (int)uap->fd;
4505
4506 /* bail if an error */
4507 if (error) {
4508 /* XXX include destination address from system call arguments */
4509 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4510 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4511 return;
4512 }
4513
4514 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4515 /*
4516 * not security relevant if doing a sendmsg from non socket
4517 * so no extra tokens. Should probably turn off audit record
4518 * generation here.
4519 */
4520 return;
4521 }
4522
4523 so_family = so->so_family;
4524 so_type = so->so_type;
4525
4526 switch (so_family) {
4527 case AF_INET:
4528 case AF_INET6:
4529 /*
4530 * if datagram type socket, then just use what is in
4531 * socket structure for local address.
4532 * XXX - what do we do for other types?
4533 */
4534 if ((so->so_type == SOCK_DGRAM) ||
4535 (so->so_type == SOCK_RAW)) {
4536
4537 bzero((void *)so_laddr, sizeof (so_laddr));
4538 bzero((void *)so_faddr, sizeof (so_faddr));
4539
4540 /* get local address */
4541 len = sizeof (so_laddr);
4542 (void) socket_getsockname(so,
4543 (struct sockaddr *)so_laddr, &len, CRED());
4544
4545 /* get peer address */
4546 STRUCT_INIT(msg, get_udatamodel());
4547
4548 if (copyin((caddr_t)(uap->msg),
4549 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4550 break;
4551 }
4552 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4553 if (msg_name == NULL)
4554 break;
4555
4556 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4557 /* length is value from recvmsg - sanity check */
4558 if (msg_namelen == 0)
4559 break;
4560
4561 if (copyin(msg_name, so_faddr,
4562 sizeof (so_faddr)) != 0)
4563 break;
4564
4565 add_sock_token = 1;
4566
4567 } else if (so->so_type == SOCK_STREAM) {
4568
4569 /* get path from file struct here */
4570 fad = F2A(fp);
4571 ASSERT(fad);
4572
4573 /*
4574 * already processed this file for write attempt
4575 */
4576 if (fad->fad_flags & FAD_WRITE) {
4577 releasef(fd);
4578 /* don't want to audit every sendmsg attempt */
4579 tad->tad_flag = 0;
4580 /* free any residual audit data */
4581 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4582 return;
4583 }
4584
4585 /*
4586 * mark things so we know what happened and don't
4587 * repeat things
4588 */
4589 fad->fad_flags |= FAD_WRITE;
4590
4591 bzero((void *)so_laddr, sizeof (so_laddr));
4592 bzero((void *)so_faddr, sizeof (so_faddr));
4593
4594 /* get local and foreign addresses */
4595 len = sizeof (so_laddr);
4596 (void) socket_getsockname(so,
4597 (struct sockaddr *)so_laddr, &len, CRED());
4598 len = sizeof (so_faddr);
4599 (void) socket_getpeername(so,
4600 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4601
4602 add_sock_token = 1;
4603 }
4604
4605 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4606
4607 break;
4608
4609 case AF_UNIX:
4610 /*
4611 * first check if this is first time through. Too much
4612 * duplicate code to put this in an aui_ routine.
4613 */
4614
4615 /* get path from file struct here */
4616 fad = F2A(fp);
4617 ASSERT(fad);
4618
4619 /*
4620 * already processed this file for write attempt
4621 */
4622 if (fad->fad_flags & FAD_WRITE) {
4623 releasef(fd);
4624 /* don't want to audit every sendmsg attempt */
4625 tad->tad_flag = 0;
4626 /* free any residual audit data */
4627 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4628 return;
4629 }
4630 /*
4631 * mark things so we know what happened and don't
4632 * repeat things
4633 */
4634 fad->fad_flags |= FAD_WRITE;
4635
4636 if (fad->fad_aupath != NULL) {
4637 au_uwrite(au_to_path(fad->fad_aupath));
4638 } else {
4639 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4640 }
4641
4642 audit_attributes(fp->f_vnode);
4643
4644 releasef(fd);
4645
4646 return;
4647
4648 default:
4649 break;
4650 }
4651
4652 releasef(fd);
4653
4654 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4655
4656 if (add_sock_token == 0) {
4657 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4658 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4659 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4660 return;
4661 }
4662
4663 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4664
4665 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4666 }
4667
4668 /*ARGSUSED*/
4669 static void
4670 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4671 {
4672 struct a {
4673 long fd;
4674 long msg; /* char */
4675 long len;
4676 long flags;
4677 long to; /* struct sockaddr */
4678 long tolen;
4679 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4680
4681 struct sonode *so;
4682 char so_laddr[sizeof (struct sockaddr_in6)];
4683 char so_faddr[sizeof (struct sockaddr_in6)];
4684 socklen_t tolen;
4685 int err;
4686 int fd;
4687 socklen_t len;
4688 short so_family, so_type;
4689 int add_sock_token = 0;
4690 struct file *fp;
4691 struct f_audit_data *fad;
4692 au_kcontext_t *kctx = GET_KCTX_PZ;
4693
4694 fd = (int)uap->fd;
4695
4696 /* bail if an error */
4697 if (error) {
4698 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4699 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4700 /* XXX include destination address from system call arguments */
4701 return;
4702 }
4703
4704 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4705 /*
4706 * not security relevant if doing a sendto using non socket
4707 * so no extra tokens. Should probably turn off audit record
4708 * generation here.
4709 */
4710 return;
4711 }
4712
4713 so_family = so->so_family;
4714 so_type = so->so_type;
4715
4716 /*
4717 * only putout SOCKET_EX token if INET/INET6 family.
4718 * XXX - what do we do about other families?
4719 */
4720
4721 switch (so_family) {
4722 case AF_INET:
4723 case AF_INET6:
4724
4725 /*
4726 * if datagram type socket, then just use what is in
4727 * socket structure for local address.
4728 * XXX - what do we do for other types?
4729 */
4730 if ((so->so_type == SOCK_DGRAM) ||
4731 (so->so_type == SOCK_RAW)) {
4732
4733 bzero((void *)so_laddr, sizeof (so_laddr));
4734 bzero((void *)so_faddr, sizeof (so_faddr));
4735
4736 /* get local address */
4737 len = sizeof (so_laddr);
4738 (void) socket_getsockname(so,
4739 (struct sockaddr *)so_laddr, &len, CRED());
4740
4741 /* get peer address */
4742
4743 /* sanity check */
4744 if (uap->to == NULL)
4745 break;
4746
4747 /* sanity checks */
4748 if (uap->tolen == 0)
4749 break;
4750
4751 tolen = (socklen_t)uap->tolen;
4752
4753 /* enforce maximum size */
4754 if (tolen > sizeof (so_faddr))
4755 tolen = sizeof (so_faddr);
4756
4757 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4758 break;
4759
4760 add_sock_token = 1;
4761 } else {
4762 /*
4763 * check if this is first time through.
4764 */
4765
4766 /* get path from file struct here */
4767 fad = F2A(fp);
4768 ASSERT(fad);
4769
4770 /*
4771 * already processed this file for write attempt
4772 */
4773 if (fad->fad_flags & FAD_WRITE) {
4774 /* don't want to audit every sendto attempt */
4775 tad->tad_flag = 0;
4776 /* free any residual audit data */
4777 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4778 releasef(fd);
4779 return;
4780 }
4781 /*
4782 * mark things so we know what happened and don't
4783 * repeat things
4784 */
4785 fad->fad_flags |= FAD_WRITE;
4786
4787 bzero((void *)so_laddr, sizeof (so_laddr));
4788 bzero((void *)so_faddr, sizeof (so_faddr));
4789
4790 /* get local and foreign addresses */
4791 len = sizeof (so_laddr);
4792 (void) socket_getsockname(so,
4793 (struct sockaddr *)so_laddr, &len, CRED());
4794 len = sizeof (so_faddr);
4795 (void) socket_getpeername(so,
4796 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4797
4798 add_sock_token = 1;
4799 }
4800
4801 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4802
4803 break;
4804
4805 case AF_UNIX:
4806 /*
4807 * first check if this is first time through. Too much
4808 * duplicate code to put this in an aui_ routine.
4809 */
4810
4811 /* get path from file struct here */
4812 fad = F2A(fp);
4813 ASSERT(fad);
4814
4815 /*
4816 * already processed this file for write attempt
4817 */
4818 if (fad->fad_flags & FAD_WRITE) {
4819 /* don't want to audit every sendto attempt */
4820 tad->tad_flag = 0;
4821 /* free any residual audit data */
4822 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4823 releasef(fd);
4824 return;
4825 }
4826 /*
4827 * mark things so we know what happened and don't
4828 * repeat things
4829 */
4830 fad->fad_flags |= FAD_WRITE;
4831
4832 if (fad->fad_aupath != NULL) {
4833 au_uwrite(au_to_path(fad->fad_aupath));
4834 } else {
4835 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4836 }
4837
4838 audit_attributes(fp->f_vnode);
4839
4840 releasef(fd);
4841
4842 return;
4843
4844 default:
4845 break;
4846
4847 }
4848
4849 releasef(fd);
4850
4851 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4852
4853 if (add_sock_token == 0) {
4854 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4855 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4856 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4857 return;
4858 }
4859
4860 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4861
4862 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4863
4864 }
4865
4866 /*
4867 * XXX socket(2) may be equivalent to open(2) on a unix domain
4868 * socket. This needs investigation.
4869 */
4870
4871 /*ARGSUSED*/
4872 static void
4873 aus_socket(struct t_audit_data *tad)
4874 {
4875 struct a {
4876 long domain;
4877 long type;
4878 long protocol;
4879 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4880
4881 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4882 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4883 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4884 }
4885
4886 /*ARGSUSED*/
4887 static void
4888 aus_sigqueue(struct t_audit_data *tad)
4889 {
4890 struct a {
4891 long pid;
4892 long signo;
4893 long *val;
4894 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4895 struct proc *p;
4896 uid_t uid, ruid;
4897 gid_t gid, rgid;
4898 pid_t pid;
4899 const auditinfo_addr_t *ainfo;
4900 cred_t *cr;
4901
4902 pid = (pid_t)uap->pid;
4903
4904 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4905 if (pid > 0) {
4906 mutex_enter(&pidlock);
4907 if ((p = prfind(pid)) == (struct proc *)0) {
4908 mutex_exit(&pidlock);
4909 return;
4910 }
4911 mutex_enter(&p->p_lock); /* so process doesn't go away */
4912 mutex_exit(&pidlock);
4913
4914 mutex_enter(&p->p_crlock);
4915 crhold(cr = p->p_cred);
4916 mutex_exit(&p->p_crlock);
4917 mutex_exit(&p->p_lock);
4918
4919 ainfo = crgetauinfo(cr);
4920 if (ainfo == NULL) {
4921 crfree(cr);
4922 return;
4923 }
4924
4925 uid = crgetuid(cr);
4926 gid = crgetgid(cr);
4927 ruid = crgetruid(cr);
4928 rgid = crgetrgid(cr);
4929 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4930 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4931 crfree(cr);
4932 }
4933 else
4934 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4935 }
4936
4937 /*ARGSUSED*/
4938 static void
4939 aus_inst_sync(struct t_audit_data *tad)
4940 {
4941 struct a {
4942 long name; /* char */
4943 long flags;
4944 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4945
4946 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4947 }
4948
4949 /*ARGSUSED*/
4950 static void
4951 aus_brandsys(struct t_audit_data *tad)
4952 {
4953 klwp_t *clwp = ttolwp(curthread);
4954
4955 struct a {
4956 long cmd;
4957 long arg1;
4958 long arg2;
4959 long arg3;
4960 long arg4;
4961 long arg5;
4962 long arg6;
4963 } *uap = (struct a *)clwp->lwp_ap;
4964
4965 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4966 #ifdef _LP64
4967 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4968 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4969 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4970 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4971 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4972 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4973 #else
4974 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4975 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4976 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4977 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4978 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4979 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4980 #endif
4981 }
4982
4983 /*ARGSUSED*/
4984 static void
4985 aus_p_online(struct t_audit_data *tad)
4986 {
4987 struct a {
4988 long processor_id;
4989 long flag;
4990 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4991
4992 struct flags {
4993 int flag;
4994 char *cflag;
4995 } aflags[6] = {
4996 { P_ONLINE, "P_ONLINE"},
4997 { P_OFFLINE, "P_OFFLINE"},
4998 { P_NOINTR, "P_NOINTR"},
4999 { P_SPARE, "P_SPARE"},
5000 { P_FAULTED, "P_FAULTED"},
5001 { P_STATUS, "P_STATUS"}
5002 };
5003 int i;
5004 char *cflag;
5005
5006 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
5007 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
5008
5009 for (i = 0; i < 6; i++) {
5010 if (aflags[i].flag == uap->flag)
5011 break;
5012 }
5013 cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5014
5015 au_uwrite(au_to_text(cflag));
5016 }
5017
5018 /*ARGSUSED*/
5019 static void
5020 aus_processor_bind(struct t_audit_data *tad)
5021 {
5022 struct a {
5023 long id_type;
5024 long id;
5025 long processor_id;
5026 long obind;
5027 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5028
5029 struct proc *p;
5030 int lwpcnt;
5031 uid_t uid, ruid;
5032 gid_t gid, rgid;
5033 pid_t pid;
5034 const auditinfo_addr_t *ainfo;
5035 cred_t *cr;
5036
5037 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5038 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5039 if (uap->processor_id == PBIND_NONE)
5040 au_uwrite(au_to_text("PBIND_NONE"));
5041 else
5042 au_uwrite(au_to_arg32(3, "processor_id",
5043 (uint32_t)uap->processor_id));
5044
5045 switch (uap->id_type) {
5046 case P_MYID:
5047 case P_LWPID:
5048 mutex_enter(&pidlock);
5049 p = ttoproc(curthread);
5050 if (p == NULL || p->p_as == &kas) {
5051 mutex_exit(&pidlock);
5052 return;
5053 }
5054 mutex_enter(&p->p_lock);
5055 mutex_exit(&pidlock);
5056 lwpcnt = p->p_lwpcnt;
5057 pid = p->p_pid;
5058
5059 mutex_enter(&p->p_crlock);
5060 crhold(cr = p->p_cred);
5061 mutex_exit(&p->p_crlock);
5062 mutex_exit(&p->p_lock);
5063
5064 ainfo = crgetauinfo(cr);
5065 if (ainfo == NULL) {
5066 crfree(cr);
5067 return;
5068 }
5069
5070 uid = crgetuid(cr);
5071 gid = crgetgid(cr);
5072 ruid = crgetruid(cr);
5073 rgid = crgetrgid(cr);
5074 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5075 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5076 crfree(cr);
5077 break;
5078 case P_PID:
5079 mutex_enter(&pidlock);
5080 p = prfind(uap->id);
5081 if (p == NULL || p->p_as == &kas) {
5082 mutex_exit(&pidlock);
5083 return;
5084 }
5085 mutex_enter(&p->p_lock);
5086 mutex_exit(&pidlock);
5087 lwpcnt = p->p_lwpcnt;
5088 pid = p->p_pid;
5089
5090 mutex_enter(&p->p_crlock);
5091 crhold(cr = p->p_cred);
5092 mutex_exit(&p->p_crlock);
5093 mutex_exit(&p->p_lock);
5094
5095 ainfo = crgetauinfo(cr);
5096 if (ainfo == NULL) {
5097 crfree(cr);
5098 return;
5099 }
5100
5101 uid = crgetuid(cr);
5102 gid = crgetgid(cr);
5103 ruid = crgetruid(cr);
5104 rgid = crgetrgid(cr);
5105 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5106 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5107 crfree(cr);
5108
5109 break;
5110 default:
5111 return;
5112 }
5113
5114 if (uap->processor_id == PBIND_NONE &&
5115 (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5116 au_uwrite(au_to_text("PBIND_NONE for process"));
5117 else
5118 au_uwrite(au_to_arg32(3, "processor_id",
5119 (uint32_t)uap->processor_id));
5120 }
5121
5122 /*ARGSUSED*/
5123 static au_event_t
5124 aui_doorfs(au_event_t e)
5125 {
5126 uint32_t code;
5127
5128 struct a { /* doorfs */
5129 long a1;
5130 long a2;
5131 long a3;
5132 long a4;
5133 long a5;
5134 long code;
5135 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5136
5137 /*
5138 * audit formats for several of the
5139 * door calls have not yet been determined
5140 */
5141 code = (uint32_t)uap->code;
5142 switch (code) {
5143 case DOOR_CALL:
5144 e = AUE_DOORFS_DOOR_CALL;
5145 break;
5146 case DOOR_RETURN:
5147 e = AUE_NULL;
5148 break;
5149 case DOOR_CREATE:
5150 e = AUE_DOORFS_DOOR_CREATE;
5151 break;
5152 case DOOR_REVOKE:
5153 e = AUE_DOORFS_DOOR_REVOKE;
5154 break;
5155 case DOOR_INFO:
5156 e = AUE_NULL;
5157 break;
5158 case DOOR_UCRED:
5159 e = AUE_NULL;
5160 break;
5161 case DOOR_BIND:
5162 e = AUE_NULL;
5163 break;
5164 case DOOR_UNBIND:
5165 e = AUE_NULL;
5166 break;
5167 case DOOR_GETPARAM:
5168 e = AUE_NULL;
5169 break;
5170 case DOOR_SETPARAM:
5171 e = AUE_NULL;
5172 break;
5173 default: /* illegal system call */
5174 e = AUE_NULL;
5175 break;
5176 }
5177
5178 return (e);
5179 }
5180
5181 static door_node_t *
5182 au_door_lookup(int did)
5183 {
5184 vnode_t *vp;
5185 file_t *fp;
5186
5187 if ((fp = getf(did)) == NULL)
5188 return (NULL);
5189 /*
5190 * Use the underlying vnode (we may be namefs mounted)
5191 */
5192 if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5193 vp = fp->f_vnode;
5194
5195 if (vp == NULL || vp->v_type != VDOOR) {
5196 releasef(did);
5197 return (NULL);
5198 }
5199
5200 return (VTOD(vp));
5201 }
5202
5203 /*ARGSUSED*/
5204 static void
5205 aus_doorfs(struct t_audit_data *tad)
5206 {
5207
5208 struct a { /* doorfs */
5209 long a1;
5210 long a2;
5211 long a3;
5212 long a4;
5213 long a5;
5214 long code;
5215 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5216
5217 door_node_t *dp;
5218 struct proc *p;
5219 uint32_t did;
5220 uid_t uid, ruid;
5221 gid_t gid, rgid;
5222 pid_t pid;
5223 const auditinfo_addr_t *ainfo;
5224 cred_t *cr;
5225
5226 did = (uint32_t)uap->a1;
5227
5228 switch (tad->tad_event) {
5229 case AUE_DOORFS_DOOR_CALL:
5230 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5231 if ((dp = au_door_lookup(did)) == NULL)
5232 break;
5233
5234 if (DOOR_INVALID(dp)) {
5235 releasef(did);
5236 break;
5237 }
5238
5239 if ((p = dp->door_target) == NULL) {
5240 releasef(did);
5241 break;
5242 }
5243 mutex_enter(&p->p_lock);
5244 releasef(did);
5245
5246 pid = p->p_pid;
5247
5248 mutex_enter(&p->p_crlock);
5249 crhold(cr = p->p_cred);
5250 mutex_exit(&p->p_crlock);
5251 mutex_exit(&p->p_lock);
5252
5253 ainfo = crgetauinfo(cr);
5254 if (ainfo == NULL) {
5255 crfree(cr);
5256 return;
5257 }
5258 uid = crgetuid(cr);
5259 gid = crgetgid(cr);
5260 ruid = crgetruid(cr);
5261 rgid = crgetrgid(cr);
5262 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5263 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5264 crfree(cr);
5265 break;
5266 case AUE_DOORFS_DOOR_RETURN:
5267 /*
5268 * We may want to write information about
5269 * all doors (if any) which will be copied
5270 * by this call to the user space
5271 */
5272 break;
5273 case AUE_DOORFS_DOOR_CREATE:
5274 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5275 break;
5276 case AUE_DOORFS_DOOR_REVOKE:
5277 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5278 break;
5279 case AUE_DOORFS_DOOR_INFO:
5280 break;
5281 case AUE_DOORFS_DOOR_CRED:
5282 break;
5283 case AUE_DOORFS_DOOR_BIND:
5284 break;
5285 case AUE_DOORFS_DOOR_UNBIND: {
5286 break;
5287 }
5288 default: /* illegal system call */
5289 break;
5290 }
5291 }
5292
5293 /*ARGSUSED*/
5294 static au_event_t
5295 aui_acl(au_event_t e)
5296 {
5297 struct a {
5298 union {
5299 long name; /* char */
5300 long fd;
5301 } obj;
5302
5303 long cmd;
5304 long nentries;
5305 long arg; /* aclent_t */
5306 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5307
5308 switch (uap->cmd) {
5309 case SETACL:
5310 case ACE_SETACL:
5311 /*
5312 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5313 * are expected.
5314 */
5315 break;
5316 case GETACL:
5317 case GETACLCNT:
5318 case ACE_GETACL:
5319 case ACE_GETACLCNT:
5320 /* do nothing for these four values. */
5321 e = AUE_NULL;
5322 break;
5323 default:
5324 /* illegal system call */
5325 break;
5326 }
5327
5328 return (e);
5329 }
5330
5331 static void
5332 au_acl(int cmd, int nentries, caddr_t bufp)
5333 {
5334 size_t a_size;
5335 aclent_t *aclbufp;
5336 ace_t *acebufp;
5337 int i;
5338
5339 switch (cmd) {
5340 case GETACL:
5341 case GETACLCNT:
5342 break;
5343 case SETACL:
5344 if (nentries < 3)
5345 break;
5346
5347 a_size = nentries * sizeof (aclent_t);
5348
5349 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5350 break;
5351 if (copyin(bufp, aclbufp, a_size)) {
5352 kmem_free(aclbufp, a_size);
5353 break;
5354 }
5355 for (i = 0; i < nentries; i++) {
5356 au_uwrite(au_to_acl(aclbufp + i));
5357 }
5358 kmem_free(aclbufp, a_size);
5359 break;
5360
5361 case ACE_SETACL:
5362 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5363 break;
5364
5365 a_size = nentries * sizeof (ace_t);
5366 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5367 break;
5368 if (copyin(bufp, acebufp, a_size)) {
5369 kmem_free(acebufp, a_size);
5370 break;
5371 }
5372 for (i = 0; i < nentries; i++) {
5373 au_uwrite(au_to_ace(acebufp + i));
5374 }
5375 kmem_free(acebufp, a_size);
5376 break;
5377 default:
5378 break;
5379 }
5380 }
5381
5382 /*ARGSUSED*/
5383 static void
5384 aus_acl(struct t_audit_data *tad)
5385 {
5386 struct a {
5387 long fname;
5388 long cmd;
5389 long nentries;
5390 long aclbufp;
5391 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5392
5393 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5394 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5395
5396 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5397 }
5398
5399 /*ARGSUSED*/
5400 static void
5401 aus_facl(struct t_audit_data *tad)
5402 {
5403 struct a {
5404 long fd;
5405 long cmd;
5406 long nentries;
5407 long aclbufp;
5408 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5409 struct file *fp;
5410 struct vnode *vp;
5411 struct f_audit_data *fad;
5412 int fd;
5413
5414 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5415 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5416
5417 fd = (int)uap->fd;
5418
5419 if ((fp = getf(fd)) == NULL)
5420 return;
5421
5422 /* get path from file struct here */
5423 fad = F2A(fp);
5424 if (fad->fad_aupath != NULL) {
5425 au_uwrite(au_to_path(fad->fad_aupath));
5426 } else {
5427 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5428 }
5429
5430 vp = fp->f_vnode;
5431 audit_attributes(vp);
5432
5433 /* decrement file descriptor reference count */
5434 releasef(fd);
5435
5436 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5437 }
5438
5439 /*ARGSUSED*/
5440 static void
5441 auf_read(tad, error, rval)
5442 struct t_audit_data *tad;
5443 int error;
5444 rval_t *rval;
5445 {
5446 struct file *fp;
5447 struct f_audit_data *fad;
5448 int fd;
5449 register struct a {
5450 long fd;
5451 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5452 au_kcontext_t *kctx = GET_KCTX_PZ;
5453
5454 fd = (int)uap->fd;
5455
5456 /*
5457 * convert file pointer to file descriptor
5458 * Note: fd ref count incremented here.
5459 */
5460 if ((fp = getf(fd)) == NULL)
5461 return;
5462
5463 /* get path from file struct here */
5464 fad = F2A(fp);
5465 ASSERT(fad);
5466
5467 /*
5468 * already processed this file for read attempt
5469 *
5470 * XXX might be better to turn off auditing in a aui_read() routine.
5471 */
5472 if (fad->fad_flags & FAD_READ) {
5473 /* don't really want to audit every read attempt */
5474 tad->tad_flag = 0;
5475 /* free any residual audit data */
5476 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5477 releasef(fd);
5478 return;
5479 }
5480 /* mark things so we know what happened and don't repeat things */
5481 fad->fad_flags |= FAD_READ;
5482
5483 if (fad->fad_aupath != NULL) {
5484 au_uwrite(au_to_path(fad->fad_aupath));
5485 } else {
5486 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5487 }
5488
5489 /* include attributes */
5490 audit_attributes(fp->f_vnode);
5491
5492 /* decrement file descriptor reference count */
5493 releasef(fd);
5494 }
5495
5496 /*ARGSUSED*/
5497 static void
5498 auf_write(tad, error, rval)
5499 struct t_audit_data *tad;
5500 int error;
5501 rval_t *rval;
5502 {
5503 struct file *fp;
5504 struct f_audit_data *fad;
5505 int fd;
5506 register struct a {
5507 long fd;
5508 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5509 au_kcontext_t *kctx = GET_KCTX_PZ;
5510
5511 fd = (int)uap->fd;
5512
5513 /*
5514 * convert file pointer to file descriptor
5515 * Note: fd ref count incremented here.
5516 */
5517 if ((fp = getf(fd)) == NULL)
5518 return;
5519
5520 /* get path from file struct here */
5521 fad = F2A(fp);
5522 ASSERT(fad);
5523
5524 /*
5525 * already processed this file for write attempt
5526 *
5527 * XXX might be better to turn off auditing in a aus_write() routine.
5528 */
5529 if (fad->fad_flags & FAD_WRITE) {
5530 /* don't really want to audit every write attempt */
5531 tad->tad_flag = 0;
5532 /* free any residual audit data */
5533 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5534 releasef(fd);
5535 return;
5536 }
5537 /* mark things so we know what happened and don't repeat things */
5538 fad->fad_flags |= FAD_WRITE;
5539
5540 if (fad->fad_aupath != NULL) {
5541 au_uwrite(au_to_path(fad->fad_aupath));
5542 } else {
5543 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5544 }
5545
5546 /* include attributes */
5547 audit_attributes(fp->f_vnode);
5548
5549 /* decrement file descriptor reference count */
5550 releasef(fd);
5551 }
5552
5553 /*ARGSUSED*/
5554 static void
5555 auf_recv(tad, error, rval)
5556 struct t_audit_data *tad;
5557 int error;
5558 rval_t *rval;
5559 {
5560 struct sonode *so;
5561 char so_laddr[sizeof (struct sockaddr_in6)];
5562 char so_faddr[sizeof (struct sockaddr_in6)];
5563 struct file *fp;
5564 struct f_audit_data *fad;
5565 int fd;
5566 int err;
5567 socklen_t len;
5568 short so_family, so_type;
5569 register struct a {
5570 long fd;
5571 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5572 au_kcontext_t *kctx = GET_KCTX_PZ;
5573
5574 /*
5575 * If there was an error, then nothing to do. Only generate
5576 * audit record on first successful recv.
5577 */
5578 if (error) {
5579 /* Turn off audit record generation here. */
5580 tad->tad_flag = 0;
5581 /* free any residual audit data */
5582 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5583 return;
5584 }
5585
5586 fd = (int)uap->fd;
5587
5588 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5589 /* Turn off audit record generation here. */
5590 tad->tad_flag = 0;
5591 /* free any residual audit data */
5592 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5593 return;
5594 }
5595
5596 /* get path from file struct here */
5597 fad = F2A(fp);
5598 ASSERT(fad);
5599
5600 /*
5601 * already processed this file for read attempt
5602 */
5603 if (fad->fad_flags & FAD_READ) {
5604 releasef(fd);
5605 /* don't really want to audit every recv call */
5606 tad->tad_flag = 0;
5607 /* free any residual audit data */
5608 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5609 return;
5610 }
5611
5612 /* mark things so we know what happened and don't repeat things */
5613 fad->fad_flags |= FAD_READ;
5614
5615 so_family = so->so_family;
5616 so_type = so->so_type;
5617
5618 switch (so_family) {
5619 case AF_INET:
5620 case AF_INET6:
5621 /*
5622 * Only for connections.
5623 * XXX - do we need to worry about SOCK_DGRAM or other types???
5624 */
5625 if (so->so_state & SS_ISBOUND) {
5626
5627 bzero((void *)so_laddr, sizeof (so_laddr));
5628 bzero((void *)so_faddr, sizeof (so_faddr));
5629
5630 /* get local and foreign addresses */
5631 len = sizeof (so_laddr);
5632 (void) socket_getsockname(so,
5633 (struct sockaddr *)so_laddr, &len, CRED());
5634 len = sizeof (so_faddr);
5635 (void) socket_getpeername(so,
5636 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5637
5638 /*
5639 * only way to drop out of switch. Note that we
5640 * we release fd below.
5641 */
5642
5643 break;
5644 }
5645
5646 releasef(fd);
5647
5648 /* don't really want to audit every recv call */
5649 tad->tad_flag = 0;
5650 /* free any residual audit data */
5651 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5652
5653 return;
5654
5655 case AF_UNIX:
5656
5657 if (fad->fad_aupath != NULL) {
5658 au_uwrite(au_to_path(fad->fad_aupath));
5659 } else {
5660 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5661 }
5662
5663 audit_attributes(fp->f_vnode);
5664
5665 releasef(fd);
5666
5667 return;
5668
5669 default:
5670 releasef(fd);
5671
5672 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5673 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5674 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5675
5676 return;
5677 }
5678
5679 releasef(fd);
5680
5681 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5682
5683 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5684
5685 }
5686
5687 /*ARGSUSED*/
5688 static void
5689 auf_send(tad, error, rval)
5690 struct t_audit_data *tad;
5691 int error;
5692 rval_t *rval;
5693 {
5694 struct sonode *so;
5695 char so_laddr[sizeof (struct sockaddr_in6)];
5696 char so_faddr[sizeof (struct sockaddr_in6)];
5697 struct file *fp;
5698 struct f_audit_data *fad;
5699 int fd;
5700 int err;
5701 socklen_t len;
5702 short so_family, so_type;
5703 register struct a {
5704 long fd;
5705 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5706 au_kcontext_t *kctx = GET_KCTX_PZ;
5707
5708 fd = (int)uap->fd;
5709
5710 /*
5711 * If there was an error, then nothing to do. Only generate
5712 * audit record on first successful send.
5713 */
5714 if (error != 0) {
5715 /* Turn off audit record generation here. */
5716 tad->tad_flag = 0;
5717 /* free any residual audit data */
5718 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5719 return;
5720 }
5721
5722 fd = (int)uap->fd;
5723
5724 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5725 /* Turn off audit record generation here. */
5726 tad->tad_flag = 0;
5727 /* free any residual audit data */
5728 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5729 return;
5730 }
5731
5732 /* get path from file struct here */
5733 fad = F2A(fp);
5734 ASSERT(fad);
5735
5736 /*
5737 * already processed this file for write attempt
5738 */
5739 if (fad->fad_flags & FAD_WRITE) {
5740 releasef(fd);
5741 /* don't really want to audit every send call */
5742 tad->tad_flag = 0;
5743 /* free any residual audit data */
5744 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5745 return;
5746 }
5747
5748 /* mark things so we know what happened and don't repeat things */
5749 fad->fad_flags |= FAD_WRITE;
5750
5751 so_family = so->so_family;
5752 so_type = so->so_type;
5753
5754 switch (so_family) {
5755 case AF_INET:
5756 case AF_INET6:
5757 /*
5758 * Only for connections.
5759 * XXX - do we need to worry about SOCK_DGRAM or other types???
5760 */
5761 if (so->so_state & SS_ISBOUND) {
5762
5763 bzero((void *)so_laddr, sizeof (so_laddr));
5764 bzero((void *)so_faddr, sizeof (so_faddr));
5765
5766 /* get local and foreign addresses */
5767 len = sizeof (so_laddr);
5768 (void) socket_getsockname(so,
5769 (struct sockaddr *)so_laddr, &len, CRED());
5770 len = sizeof (so_faddr);
5771 (void) socket_getpeername(so,
5772 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5773
5774 /*
5775 * only way to drop out of switch. Note that we
5776 * we release fd below.
5777 */
5778
5779 break;
5780 }
5781
5782 releasef(fd);
5783 /* don't really want to audit every send call */
5784 tad->tad_flag = 0;
5785 /* free any residual audit data */
5786 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5787
5788 return;
5789
5790 case AF_UNIX:
5791
5792 if (fad->fad_aupath != NULL) {
5793 au_uwrite(au_to_path(fad->fad_aupath));
5794 } else {
5795 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5796 }
5797
5798 audit_attributes(fp->f_vnode);
5799
5800 releasef(fd);
5801
5802 return;
5803
5804 default:
5805 releasef(fd);
5806
5807 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5808 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5809 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5810
5811 return;
5812 }
5813
5814 releasef(fd);
5815
5816 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5817
5818 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5819 }
5820
5821 static au_event_t
5822 aui_forksys(au_event_t e)
5823 {
5824 struct a {
5825 long subcode;
5826 long flags;
5827 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5828
5829 switch ((uint_t)uap->subcode) {
5830 case 0:
5831 e = AUE_FORK1;
5832 break;
5833 case 1:
5834 e = AUE_FORKALL;
5835 break;
5836 case 2:
5837 e = AUE_VFORK;
5838 break;
5839 default:
5840 e = AUE_NULL;
5841 break;
5842 }
5843
5844 return (e);
5845 }
5846
5847 /*ARGSUSED*/
5848 static au_event_t
5849 aui_portfs(au_event_t e)
5850 {
5851 struct a { /* portfs */
5852 long a1;
5853 long a2;
5854 long a3;
5855 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5856
5857 /*
5858 * check opcode
5859 */
5860 switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5861 case PORT_ASSOCIATE:
5862 /* check source */
5863 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5864 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5865 e = AUE_PORTFS_ASSOCIATE;
5866 } else {
5867 e = AUE_NULL;
5868 }
5869 break;
5870 case PORT_DISSOCIATE:
5871 /* check source */
5872 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5873 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5874 e = AUE_PORTFS_DISSOCIATE;
5875 } else {
5876 e = AUE_NULL;
5877 }
5878 break;
5879 default:
5880 e = AUE_NULL;
5881 }
5882 return (e);
5883 }