1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
  24  */
  25 
  26 /*
  27  * This file contains the audit hook support code for auditing.
  28  */
  29 
  30 #include <sys/types.h>
  31 #include <sys/proc.h>
  32 #include <sys/vnode.h>
  33 #include <sys/vfs.h>
  34 #include <sys/file.h>
  35 #include <sys/user.h>
  36 #include <sys/stropts.h>
  37 #include <sys/systm.h>
  38 #include <sys/pathname.h>
  39 #include <sys/syscall.h>
  40 #include <sys/fcntl.h>
  41 #include <sys/ipc_impl.h>
  42 #include <sys/msg_impl.h>
  43 #include <sys/sem_impl.h>
  44 #include <sys/shm_impl.h>
  45 #include <sys/kmem.h>             /* for KM_SLEEP */
  46 #include <sys/socket.h>
  47 #include <sys/cmn_err.h>  /* snprintf... */
  48 #include <sys/debug.h>
  49 #include <sys/thread.h>
  50 #include <netinet/in.h>
  51 #include <c2/audit.h>             /* needs to be included before user.h */
  52 #include <c2/audit_kernel.h>      /* for M_DONTWAIT */
  53 #include <c2/audit_kevents.h>
  54 #include <c2/audit_record.h>
  55 #include <sys/strsubr.h>
  56 #include <sys/tihdr.h>
  57 #include <sys/tiuser.h>
  58 #include <sys/timod.h>
  59 #include <sys/model.h>            /* for model_t */
  60 #include <sys/disp.h>             /* for servicing_interrupt() */
  61 #include <sys/devpolicy.h>
  62 #include <sys/crypto/ioctladmin.h>
  63 #include <sys/cred_impl.h>
  64 #include <inet/kssl/kssl.h>
  65 #include <net/pfpolicy.h>
  66 
  67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
  68 
  69 static void audit_pathbuild(struct pathname *pnp);
  70 
  71 
  72 /*
  73  * ROUTINE:     AUDIT_SAVEPATH
  74  * PURPOSE:
  75  * CALLBY:      LOOKUPPN
  76  *
  77  * NOTE:        We have reached the end of a path in fs/lookup.c.
  78  *              We get two pieces of information here:
  79  *              the vnode of the last component (vp) and
  80  *              the status of the last access (flag).
  81  * TODO:
  82  * QUESTION:
  83  */
  84 
  85 /*ARGSUSED*/
  86 int
  87 audit_savepath(
  88         struct pathname *pnp,           /* pathname to lookup */
  89         struct vnode *vp,               /* vnode of the last component */
  90         struct vnode *pvp,              /* vnode of the last parent component */
  91         int    flag,                    /* status of the last access */
  92         cred_t *cr)                     /* cred of requestor */
  93 {
  94 
  95         t_audit_data_t *tad;    /* current thread */
  96         au_kcontext_t   *kctx = GET_KCTX_PZ;
  97 
  98         tad = U2A(u);
  99 
 100         /*
 101          * Noise elimination in audit trails - this event will be discarded if:
 102          * - the public policy is not active AND
 103          * - the system call is a public operation AND
 104          * - the file was not found: VFS lookup failed with ENOENT error AND
 105          * - the missing file would have been located in the public directory
 106          *   owned by root if it had existed
 107          */
 108         if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL &&
 109             (tad->tad_ctrl & TAD_PUBLIC_EV) &&
 110             !(kctx->auk_policy & AUDIT_PUBLIC)) {
 111                 struct vattr attr;
 112 
 113                 attr.va_mask = AT_ALL;
 114                 if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) {
 115                         if (object_is_public(&attr)) {
 116                                 tad->tad_ctrl |= TAD_NOAUDIT;
 117                         }
 118                 }
 119         }
 120 
 121         /*
 122          * this event being audited or do we need path information
 123          * later? This might be for a chdir/chroot or open (add path
 124          * to file pointer. If the path has already been found for an
 125          * open/creat then we don't need to process the path.
 126          *
 127          * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
 128          *      chroot, chdir, open, creat system call processing. It determines
 129          *      if audit_savepath() will discard the path or we need it later.
 130          * TAD_PATHFND means path already included in this audit record. It
 131          *      is used in cases where multiple path lookups are done per
 132          *      system call. The policy flag, AUDIT_PATH, controls if multiple
 133          *      paths are allowed.
 134          * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
 135          *      exit processing to inhibit any paths that may be added due to
 136          *      closes.
 137          */
 138         if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
 139             ((tad->tad_ctrl & TAD_PATHFND) &&
 140             !(kctx->auk_policy & AUDIT_PATH)) ||
 141             (tad->tad_ctrl & TAD_NOPATH)) {
 142                 return (0);
 143         }
 144 
 145         tad->tad_ctrl |= TAD_NOPATH;         /* prevent possible reentry */
 146 
 147         audit_pathbuild(pnp);
 148 
 149         /*
 150          * are we auditing only if error, or if it is not open or create
 151          * otherwise audit_setf will do it
 152          */
 153 
 154         if (tad->tad_flag) {
 155                 if (flag &&
 156                     (tad->tad_scid == SYS_open ||
 157                     tad->tad_scid == SYS_open64 ||
 158                     tad->tad_scid == SYS_openat ||
 159                     tad->tad_scid == SYS_openat64)) {
 160                         tad->tad_ctrl |= TAD_TRUE_CREATE;
 161                 }
 162 
 163                 /* add token to audit record for this name */
 164                 au_uwrite(au_to_path(tad->tad_aupath));
 165 
 166                 /* add the attributes of the object */
 167                 if (vp) {
 168                         /*
 169                          * only capture attributes when there is no error
 170                          * lookup will not return the vnode of the failing
 171                          * component.
 172                          *
 173                          * if there was a lookup error, then don't add
 174                          * attribute. if lookup in vn_create(),
 175                          * then don't add attribute,
 176                          * it will be added at end of vn_create().
 177                          */
 178                         if (!flag && !(tad->tad_ctrl & TAD_NOATTRB))
 179                                 audit_attributes(vp);
 180                 }
 181         }
 182 
 183         /* free up space if we're not going to save path (open, creat) */
 184         if ((tad->tad_ctrl & TAD_SAVPATH) == 0) {
 185                 if (tad->tad_aupath != NULL) {
 186                         au_pathrele(tad->tad_aupath);
 187                         tad->tad_aupath = NULL;
 188                 }
 189         }
 190         if (tad->tad_ctrl & TAD_MLD)
 191                 tad->tad_ctrl |= TAD_PATHFND;
 192 
 193         tad->tad_ctrl &= ~TAD_NOPATH;            /* restore */
 194         return (0);
 195 }
 196 
 197 static void
 198 audit_pathbuild(struct pathname *pnp)
 199 {
 200         char *pp;       /* pointer to path */
 201         int len;        /* length of incoming segment */
 202         int newsect;    /* path requires a new section */
 203         struct audit_path       *pfxapp;        /* prefix for path */
 204         struct audit_path       *newapp;        /* new audit_path */
 205         t_audit_data_t *tad;    /* current thread */
 206         p_audit_data_t *pad;    /* current process */
 207 
 208         tad = U2A(u);
 209         ASSERT(tad != NULL);
 210         pad = P2A(curproc);
 211         ASSERT(pad != NULL);
 212 
 213         len = (pnp->pn_path - pnp->pn_buf) + 1;           /* +1 for terminator */
 214         ASSERT(len > 0);
 215 
 216         /* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
 217         mutex_enter(&pad->pad_lock);
 218         if (tad->tad_aupath != NULL) {
 219                 pfxapp = tad->tad_aupath;
 220         } else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') {
 221                 ASSERT(tad->tad_atpath != NULL);
 222                 pfxapp = tad->tad_atpath;
 223         } else if (tad->tad_ctrl & TAD_ABSPATH) {
 224                 pfxapp = pad->pad_root;
 225         } else {
 226                 pfxapp = pad->pad_cwd;
 227         }
 228         au_pathhold(pfxapp);
 229         mutex_exit(&pad->pad_lock);
 230 
 231         /* get an expanded buffer to hold the anchored path */
 232         newsect = tad->tad_ctrl & TAD_ATTPATH;
 233         newapp = au_pathdup(pfxapp, newsect, len);
 234         au_pathrele(pfxapp);
 235 
 236         pp = newapp->audp_sect[newapp->audp_cnt] - len;
 237         if (!newsect) {
 238                 /* overlay previous NUL terminator */
 239                 *(pp - 1) = '/';
 240         }
 241 
 242         /* now add string of processed path */
 243         bcopy(pnp->pn_buf, pp, len);
 244         pp[len - 1] = '\0';
 245 
 246         /* perform path simplification as necessary */
 247         audit_fixpath(newapp, len);
 248 
 249         if (tad->tad_aupath)
 250                 au_pathrele(tad->tad_aupath);
 251         tad->tad_aupath = newapp;
 252 
 253         /* for case where multiple lookups in one syscall (rename) */
 254         tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH);
 255 }
 256 
 257 
 258 /*
 259  * ROUTINE:     AUDIT_ANCHORPATH
 260  * PURPOSE:
 261  * CALLBY:      LOOKUPPN
 262  * NOTE:
 263  * anchor path at "/". We have seen a symbolic link or entering for the
 264  * first time we will throw away any saved path if path is anchored.
 265  *
 266  * flag = 0, path is relative.
 267  * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH.
 268  *
 269  * If the (new) path is absolute, then we have to throw away whatever we have
 270  * already accumulated since it is being superseded by new path which is
 271  * anchored at the root.
 272  *              Note that if the path is relative, this function does nothing
 273  * TODO:
 274  * QUESTION:
 275  */
 276 /*ARGSUSED*/
 277 void
 278 audit_anchorpath(struct pathname *pnp, int flag)
 279 {
 280         au_kcontext_t   *kctx = GET_KCTX_PZ;
 281         t_audit_data_t *tad;
 282 
 283         tad = U2A(u);
 284 
 285         /*
 286          * this event being audited or do we need path information
 287          * later? This might be for a chdir/chroot or open (add path
 288          * to file pointer. If the path has already been found for an
 289          * open/creat then we don't need to process the path.
 290          *
 291          * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
 292          *      chroot, chdir, open, creat system call processing. It determines
 293          *      if audit_savepath() will discard the path or we need it later.
 294          * TAD_PATHFND means path already included in this audit record. It
 295          *      is used in cases where multiple path lookups are done per
 296          *      system call. The policy flag, AUDIT_PATH, controls if multiple
 297          *      paths are allowed.
 298          * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
 299          *      exit processing to inhibit any paths that may be added due to
 300          *      closes.
 301          */
 302         if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
 303             ((tad->tad_ctrl & TAD_PATHFND) &&
 304             !(kctx->auk_policy & AUDIT_PATH)) ||
 305             (tad->tad_ctrl & TAD_NOPATH)) {
 306                 return;
 307         }
 308 
 309         if (flag) {
 310                 tad->tad_ctrl |= TAD_ABSPATH;
 311                 if (tad->tad_aupath != NULL) {
 312                         au_pathrele(tad->tad_aupath);
 313                         tad->tad_aupath = NULL;
 314                 }
 315         }
 316 }
 317 
 318 
 319 /*
 320  * symbolic link. Save previous components.
 321  *
 322  * the path seen so far looks like this
 323  *
 324  *  +-----------------------+----------------+
 325  *  | path processed so far | remaining path |
 326  *  +-----------------------+----------------+
 327  *  \-----------------------/
 328  *      save this string if
 329  *      symbolic link relative
 330  *      (but don't include  symlink component)
 331  */
 332 
 333 /*ARGSUSED*/
 334 
 335 
 336 /*
 337  * ROUTINE:     AUDIT_SYMLINK
 338  * PURPOSE:
 339  * CALLBY:      LOOKUPPN
 340  * NOTE:
 341  * TODO:
 342  * QUESTION:
 343  */
 344 void
 345 audit_symlink(struct pathname *pnp, struct pathname *sympath)
 346 {
 347         char *sp;       /* saved initial pp */
 348         char *cp;       /* start of symlink path */
 349         uint_t len_path;        /* processed path before symlink */
 350         t_audit_data_t *tad;
 351         au_kcontext_t   *kctx = GET_KCTX_PZ;
 352 
 353         tad = U2A(u);
 354 
 355         /*
 356          * this event being audited or do we need path information
 357          * later? This might be for a chdir/chroot or open (add path
 358          * to file pointer. If the path has already been found for an
 359          * open/creat then we don't need to process the path.
 360          *
 361          * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
 362          *      chroot, chdir, open, creat system call processing. It determines
 363          *      if audit_savepath() will discard the path or we need it later.
 364          * TAD_PATHFND means path already included in this audit record. It
 365          *      is used in cases where multiple path lookups are done per
 366          *      system call. The policy flag, AUDIT_PATH, controls if multiple
 367          *      paths are allowed.
 368          * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
 369          *      exit processing to inhibit any paths that may be added due to
 370          *      closes.
 371          */
 372         if ((tad->tad_flag == 0 &&
 373             !(tad->tad_ctrl & TAD_SAVPATH)) ||
 374             ((tad->tad_ctrl & TAD_PATHFND) &&
 375             !(kctx->auk_policy & AUDIT_PATH)) ||
 376             (tad->tad_ctrl & TAD_NOPATH)) {
 377                 return;
 378         }
 379 
 380         /*
 381          * if symbolic link is anchored at / then do nothing.
 382          * When we cycle back to begin: in lookuppn() we will
 383          * call audit_anchorpath() with a flag indicating if the
 384          * path is anchored at / or is relative. We will release
 385          * any saved path at that point.
 386          *
 387          * Note In the event that an error occurs in pn_combine then
 388          * we want to remain pointing at the component that caused the
 389          * path to overflow the pnp structure.
 390          */
 391         if (sympath->pn_buf[0] == '/')
 392                 return;
 393 
 394         /* backup over last component */
 395         sp = cp = pnp->pn_path;
 396         while (*--cp != '/' && cp > pnp->pn_buf)
 397                 ;
 398 
 399         len_path = cp - pnp->pn_buf;
 400 
 401         /* is there anything to save? */
 402         if (len_path) {
 403                 pnp->pn_path = pnp->pn_buf;
 404                 audit_pathbuild(pnp);
 405                 pnp->pn_path = sp;
 406         }
 407 }
 408 
 409 /*
 410  * object_is_public : determine whether events for the object (corresponding to
 411  *                      the specified file/directory attr) should be audited or
 412  *                      ignored.
 413  *
 414  * returns:     1 - if audit policy and object attributes indicate that
 415  *                      file/directory is effectively public. read events for
 416  *                      the file should not be audited.
 417  *              0 - otherwise
 418  *
 419  * The required attributes to be considered a public object are:
 420  * - owned by root, AND
 421  * - world-readable (permissions for other include read), AND
 422  * - NOT world-writeable (permissions for other don't
 423  *      include write)
 424  *   (mode doesn't need to be checked for symlinks)
 425  */
 426 int
 427 object_is_public(struct vattr *attr)
 428 {
 429         au_kcontext_t   *kctx = GET_KCTX_PZ;
 430 
 431         if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
 432             ((attr->va_type == VLNK) ||
 433             ((attr->va_mode & (VREAD>>6)) != 0) &&
 434             ((attr->va_mode & (VWRITE>>6)) == 0))) {
 435                 return (1);
 436         }
 437         return (0);
 438 }
 439 
 440 
 441 /*
 442  * ROUTINE:     AUDIT_ATTRIBUTES
 443  * PURPOSE:     Audit the attributes so we can tell why the error occurred
 444  * CALLBY:      AUDIT_SAVEPATH
 445  *              AUDIT_VNCREATE_FINISH
 446  *              AUS_FCHOWN...audit_event.c...audit_path.c
 447  * NOTE:
 448  * TODO:
 449  * QUESTION:
 450  */
 451 void
 452 audit_attributes(struct vnode *vp)
 453 {
 454         struct vattr attr;
 455         struct t_audit_data *tad;
 456 
 457         tad = U2A(u);
 458 
 459         if (vp) {
 460                 attr.va_mask = AT_ALL;
 461                 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
 462                         return;
 463 
 464                 if (object_is_public(&attr) &&
 465                     (tad->tad_ctrl & TAD_PUBLIC_EV)) {
 466                         /*
 467                          * This is a public object and a "public" event
 468                          * (i.e., read only) -- either by definition
 469                          * (e.g., stat, access...) or by virtue of write access
 470                          * not being requested (e.g. mmap).
 471                          * Flag it in the tad to prevent this audit at the end.
 472                          */
 473                         tad->tad_ctrl |= TAD_NOAUDIT;
 474                 } else {
 475                         au_uwrite(au_to_attr(&attr));
 476                         audit_sec_attributes(&(u_ad), vp);
 477                 }
 478         }
 479 }
 480 
 481 
 482 /*
 483  * ROUTINE:     AUDIT_EXIT
 484  * PURPOSE:
 485  * CALLBY:      EXIT
 486  * NOTE:
 487  * TODO:
 488  * QUESTION:    why cmw code as offset by 2 but not here
 489  */
 490 /* ARGSUSED */
 491 void
 492 audit_exit(int code, int what)
 493 {
 494         struct t_audit_data *tad;
 495         tad = U2A(u);
 496 
 497         /*
 498          * tad_scid will be set by audit_start even if we are not auditing
 499          * the event.
 500          */
 501         if (tad->tad_scid == SYS_exit) {
 502                 /*
 503                  * if we are auditing the exit system call, then complete
 504                  * audit record generation (no return from system call).
 505                  */
 506                 if (tad->tad_flag && tad->tad_event == AUE_EXIT)
 507                         audit_finish(0, SYS_exit, 0, 0);
 508                 return;
 509         }
 510 
 511         /*
 512          * Anyone auditing the system call that was aborted?
 513          */
 514         if (tad->tad_flag) {
 515                 au_uwrite(au_to_text("event aborted"));
 516                 audit_finish(0, tad->tad_scid, 0, 0);
 517         }
 518 
 519         /*
 520          * Generate an audit record for process exit if preselected.
 521          */
 522         (void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
 523         audit_finish(0, SYS_exit, 0, 0);
 524 }
 525 
 526 /*
 527  * ROUTINE:     AUDIT_CORE_START
 528  * PURPOSE:
 529  * CALLBY:      PSIG
 530  * NOTE:
 531  * TODO:
 532  */
 533 void
 534 audit_core_start(int sig)
 535 {
 536         au_event_t event;
 537         au_state_t estate;
 538         t_audit_data_t *tad;
 539         au_kcontext_t   *kctx;
 540 
 541         tad = U2A(u);
 542 
 543         ASSERT(tad != (t_audit_data_t *)0);
 544 
 545         ASSERT(tad->tad_scid == 0);
 546         ASSERT(tad->tad_event == 0);
 547         ASSERT(tad->tad_evmod == 0);
 548         ASSERT(tad->tad_ctrl == 0);
 549         ASSERT(tad->tad_flag == 0);
 550         ASSERT(tad->tad_aupath == NULL);
 551 
 552         kctx = GET_KCTX_PZ;
 553 
 554         /* get basic event for system call */
 555         event = AUE_CORE;
 556         estate = kctx->auk_ets[event];
 557 
 558         if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
 559                 return;
 560 
 561         /* reset the flags for non-user attributable events */
 562         tad->tad_ctrl   = TAD_CORE;
 563         tad->tad_scid   = 0;
 564 
 565         /* if auditing not enabled, then don't generate an audit record */
 566 
 567         if (!((kctx->auk_auditstate == AUC_AUDITING ||
 568             kctx->auk_auditstate == AUC_INIT_AUDIT) ||
 569             kctx->auk_auditstate == AUC_NOSPACE)) {
 570                 tad->tad_flag = 0;
 571                 tad->tad_ctrl = 0;
 572                 return;
 573         }
 574 
 575         tad->tad_event  = event;
 576         tad->tad_evmod  = 0;
 577 
 578         ASSERT(tad->tad_ad == NULL);
 579 
 580         au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
 581 }
 582 
 583 /*
 584  * ROUTINE:     AUDIT_CORE_FINISH
 585  * PURPOSE:
 586  * CALLBY:      PSIG
 587  * NOTE:
 588  * TODO:
 589  * QUESTION:
 590  */
 591 
 592 /*ARGSUSED*/
 593 void
 594 audit_core_finish(int code)
 595 {
 596         int flag;
 597         t_audit_data_t *tad;
 598         au_kcontext_t   *kctx;
 599 
 600         tad = U2A(u);
 601 
 602         ASSERT(tad != (t_audit_data_t *)0);
 603 
 604         if ((flag = tad->tad_flag) == 0) {
 605                 tad->tad_event = 0;
 606                 tad->tad_evmod = 0;
 607                 tad->tad_ctrl  = 0;
 608                 ASSERT(tad->tad_aupath == NULL);
 609                 return;
 610         }
 611         tad->tad_flag = 0;
 612 
 613         kctx = GET_KCTX_PZ;
 614 
 615         /* kludge for error 0, should use `code==CLD_DUMPED' instead */
 616         if (flag = audit_success(kctx, tad, 0, NULL)) {
 617                 cred_t *cr = CRED();
 618                 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
 619 
 620                 ASSERT(ainfo != NULL);
 621 
 622                 /*
 623                  * Add subject information (no locks since our private copy of
 624                  * credential
 625                  */
 626                 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
 627 
 628                 /* Add a return token (should use f argument) */
 629                 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
 630 
 631                 AS_INC(as_generated, 1, kctx);
 632                 AS_INC(as_kernel, 1, kctx);
 633         }
 634 
 635         /* Close up everything */
 636         au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
 637 
 638         /* free up any space remaining with the path's */
 639         if (tad->tad_aupath != NULL) {
 640                 au_pathrele(tad->tad_aupath);
 641                 tad->tad_aupath = NULL;
 642         }
 643         tad->tad_event = 0;
 644         tad->tad_evmod = 0;
 645         tad->tad_ctrl  = 0;
 646 }
 647 
 648 
 649 /*ARGSUSED*/
 650 void
 651 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
 652     unsigned char *pri, int *flag, int fmode)
 653 {
 654         struct stdata *stp;
 655         t_audit_data_t *tad = U2A(u);
 656 
 657         ASSERT(tad != (t_audit_data_t *)0);
 658 
 659         stp = vp->v_stream;
 660 
 661         /* lock stdata from audit_sock */
 662         mutex_enter(&stp->sd_lock);
 663 
 664         /* proceed ONLY if user is being audited */
 665         if (!tad->tad_flag) {
 666                 /*
 667                  * this is so we will not add audit data onto
 668                  * a thread that is not being audited.
 669                  */
 670                 stp->sd_t_audit_data = NULL;
 671                 mutex_exit(&stp->sd_lock);
 672                 return;
 673         }
 674 
 675         stp->sd_t_audit_data = (caddr_t)curthread;
 676         mutex_exit(&stp->sd_lock);
 677 }
 678 
 679 /*ARGSUSED*/
 680 void
 681 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
 682     unsigned char pri, int flag, int fmode)
 683 {
 684         struct stdata *stp;
 685         t_audit_data_t *tad = U2A(u);
 686 
 687         ASSERT(tad != (t_audit_data_t *)0);
 688 
 689         stp = vp->v_stream;
 690 
 691         /* lock stdata from audit_sock */
 692         mutex_enter(&stp->sd_lock);
 693 
 694         /* proceed ONLY if user is being audited */
 695         if (!tad->tad_flag) {
 696                 /*
 697                  * this is so we will not add audit data onto
 698                  * a thread that is not being audited.
 699                  */
 700                 stp->sd_t_audit_data = NULL;
 701                 mutex_exit(&stp->sd_lock);
 702                 return;
 703         }
 704 
 705         stp->sd_t_audit_data = (caddr_t)curthread;
 706         mutex_exit(&stp->sd_lock);
 707 }
 708 
 709 /*
 710  * ROUTINE:     AUDIT_CLOSEF
 711  * PURPOSE:
 712  * CALLBY:      CLOSEF
 713  * NOTE:
 714  * release per file audit resources when file structure is being released.
 715  *
 716  * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
 717  *      on the audit queue if it becomes full. This means
 718  *      audit_closef can not be called when f_count == 0. Since
 719  *      f_count == 0 indicates the file structure is free, another
 720  *      process could attempt to use the file while we were still
 721  *      asleep waiting on the audit queue. This would cause the
 722  *      per file audit data to be corrupted when we finally do
 723  *      wakeup.
 724  * TODO:
 725  * QUESTION:
 726  */
 727 
 728 void
 729 audit_closef(struct file *fp)
 730 {
 731         f_audit_data_t *fad;
 732         t_audit_data_t *tad;
 733         int success;
 734         au_state_t estate;
 735         struct vnode *vp;
 736         token_t *ad = NULL;
 737         struct vattr attr;
 738         au_emod_t evmod = 0;
 739         const auditinfo_addr_t *ainfo;
 740         cred_t *cr;
 741         au_kcontext_t   *kctx = GET_KCTX_PZ;
 742         uint32_t auditing;
 743         boolean_t audit_attr = B_FALSE;
 744 
 745         fad = F2A(fp);
 746         estate = kctx->auk_ets[AUE_CLOSE];
 747         tad = U2A(u);
 748         cr = CRED();
 749 
 750         /* audit record already generated by system call envelope */
 751         if (tad->tad_event == AUE_CLOSE) {
 752                 /* so close audit event will have bits set */
 753                 tad->tad_evmod |= (au_emod_t)fad->fad_flags;
 754                 return;
 755         }
 756 
 757         /* if auditing not enabled, then don't generate an audit record */
 758         auditing = (tad->tad_audit == AUC_UNSET) ?
 759             kctx->auk_auditstate : tad->tad_audit;
 760         if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
 761                 return;
 762 
 763         ainfo = crgetauinfo(cr);
 764         if (ainfo == NULL)
 765                 return;
 766 
 767         success = ainfo->ai_mask.as_success & estate;
 768 
 769         /* not selected for this event */
 770         if (success == 0)
 771                 return;
 772 
 773         /*
 774          * can't use audit_attributes here since we use a private audit area
 775          * to build the audit record instead of the one off the thread.
 776          */
 777         if ((vp = fp->f_vnode) != NULL) {
 778                 attr.va_mask = AT_ALL;
 779                 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
 780                         if ((fp->f_flag & FWRITE) == 0 &&
 781                             object_is_public(&attr)) {
 782                                 /*
 783                                  * When write was not used and the file can be
 784                                  * considered public, then skip the audit.
 785                                  */
 786                                 return;
 787                         }
 788                         audit_attr = B_TRUE;
 789                 }
 790         }
 791 
 792         evmod = (au_emod_t)fad->fad_flags;
 793         if (fad->fad_aupath != NULL) {
 794                 au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
 795         } else {
 796 #ifdef _LP64
 797                 au_write((caddr_t *)&(ad), au_to_arg64(
 798                     1, "no path: fp", (uint64_t)fp));
 799 #else
 800                 au_write((caddr_t *)&(ad), au_to_arg32(
 801                     1, "no path: fp", (uint32_t)fp));
 802 #endif
 803         }
 804 
 805         if (audit_attr) {
 806                 au_write((caddr_t *)&(ad), au_to_attr(&attr));
 807                 audit_sec_attributes((caddr_t *)&(ad), vp);
 808         }
 809 
 810         /* Add subject information */
 811         AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
 812 
 813         /* add a return token */
 814         add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
 815 
 816         AS_INC(as_generated, 1, kctx);
 817         AS_INC(as_kernel, 1, kctx);
 818 
 819         /*
 820          * Close up everything
 821          * Note: path space recovery handled by normal system
 822          * call envelope if not at last close.
 823          * Note there is no failure at this point since
 824          *   this represents closes due to exit of process,
 825          *   thus we always indicate successful closes.
 826          */
 827         au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
 828             AUE_CLOSE, evmod, NULL);
 829 }
 830 
 831 /*
 832  * ROUTINE:     AUDIT_SET
 833  * PURPOSE:     Audit the file path and file attributes.
 834  * CALLBY:      SETF
 835  * NOTE:        SETF associate a file pointer with user area's open files.
 836  * TODO:
 837  * call audit_finish directly ???
 838  * QUESTION:
 839  */
 840 
 841 /*ARGSUSED*/
 842 void
 843 audit_setf(file_t *fp, int fd)
 844 {
 845         f_audit_data_t *fad;
 846         t_audit_data_t *tad;
 847 
 848         if (fp == NULL)
 849                 return;
 850 
 851         tad = T2A(curthread);
 852         fad = F2A(fp);
 853 
 854         if (!(tad->tad_scid == SYS_open ||
 855             tad->tad_scid == SYS_open64 ||
 856             tad->tad_scid == SYS_openat ||
 857             tad->tad_scid == SYS_openat64))
 858                 return;
 859 
 860         /* no path */
 861         if (tad->tad_aupath == 0)
 862                 return;
 863 
 864         /*
 865          * assign path information associated with file audit data
 866          * use tad hold
 867          */
 868         fad->fad_aupath = tad->tad_aupath;
 869         tad->tad_aupath = NULL;
 870 
 871         if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) {
 872                 /* adjust event type by dropping the 'creat' part */
 873                 switch (tad->tad_event) {
 874                 case AUE_OPEN_RC:
 875                         tad->tad_event = AUE_OPEN_R;
 876                         tad->tad_ctrl |= TAD_PUBLIC_EV;
 877                         break;
 878                 case AUE_OPEN_RTC:
 879                         tad->tad_event = AUE_OPEN_RT;
 880                         break;
 881                 case AUE_OPEN_WC:
 882                         tad->tad_event = AUE_OPEN_W;
 883                         break;
 884                 case AUE_OPEN_WTC:
 885                         tad->tad_event = AUE_OPEN_WT;
 886                         break;
 887                 case AUE_OPEN_RWC:
 888                         tad->tad_event = AUE_OPEN_RW;
 889                         break;
 890                 case AUE_OPEN_RWTC:
 891                         tad->tad_event = AUE_OPEN_RWT;
 892                         break;
 893                 default:
 894                         break;
 895                 }
 896         }
 897 }
 898 
 899 
 900 void
 901 audit_ipc(int type, int id, void *vp)
 902 {
 903         /* if not auditing this event, then do nothing */
 904         if (ad_flag == 0)
 905                 return;
 906 
 907         switch (type) {
 908         case AT_IPC_MSG:
 909                 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
 910                 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
 911                 break;
 912         case AT_IPC_SEM:
 913                 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
 914                 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
 915                 break;
 916         case AT_IPC_SHM:
 917                 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
 918                 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
 919                 break;
 920         }
 921 }
 922 
 923 void
 924 audit_ipcget(int type, void *vp)
 925 {
 926         /* if not auditing this event, then do nothing */
 927         if (ad_flag == 0)
 928                 return;
 929 
 930         switch (type) {
 931         case NULL:
 932                 au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
 933                 break;
 934         case AT_IPC_MSG:
 935                 au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
 936                 break;
 937         case AT_IPC_SEM:
 938                 au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
 939                 break;
 940         case AT_IPC_SHM:
 941                 au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
 942                 break;
 943         }
 944 }
 945 
 946 /*
 947  * ROUTINE:     AUDIT_REBOOT
 948  * PURPOSE:
 949  * CALLBY:
 950  * NOTE:
 951  * At this point we know that the system call reboot will not return. We thus
 952  * have to complete the audit record generation and put it onto the queue.
 953  * This might be fairly useless if the auditing daemon is already dead....
 954  * TODO:
 955  * QUESTION:    who calls audit_reboot
 956  */
 957 
 958 void
 959 audit_reboot(void)
 960 {
 961         int flag;
 962         t_audit_data_t *tad;
 963         au_kcontext_t   *kctx = GET_KCTX_PZ;
 964 
 965         tad = U2A(u);
 966 
 967         /* if not auditing this event, then do nothing */
 968         if (tad->tad_flag == 0)
 969                 return;
 970 
 971         /* do preselection on success/failure */
 972         if (flag = audit_success(kctx, tad, 0, NULL)) {
 973                 /* add a process token */
 974 
 975                 cred_t *cr = CRED();
 976                 const auditinfo_addr_t *ainfo = crgetauinfo(cr);
 977 
 978                 if (ainfo == NULL)
 979                         return;
 980 
 981                 /* Add subject information */
 982                 AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
 983 
 984                 /* add a return token */
 985                 add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
 986 
 987                 AS_INC(as_generated, 1, kctx);
 988                 AS_INC(as_kernel, 1, kctx);
 989         }
 990 
 991         /*
 992          * Flow control useless here since we're going
 993          * to drop everything in the queue anyway. Why
 994          * block and wait. There aint anyone left alive to
 995          * read the records remaining anyway.
 996          */
 997 
 998         /* Close up everything */
 999         au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1000             tad->tad_event, tad->tad_evmod, NULL);
1001 }
1002 
1003 void
1004 audit_setfsat_path(int argnum)
1005 {
1006         klwp_id_t clwp = ttolwp(curthread);
1007         struct file  *fp;
1008         uint32_t fd;
1009         t_audit_data_t *tad;
1010         struct f_audit_data *fad;
1011         p_audit_data_t *pad;    /* current process */
1012         uint_t fm;
1013         struct a {
1014                 long arg1;
1015                 long arg2;
1016                 long arg3;
1017                 long arg4;
1018                 long arg5;
1019         } *uap;
1020 
1021         if (clwp == NULL)
1022                 return;
1023         uap = (struct a *)clwp->lwp_ap;
1024 
1025         tad = U2A(u);
1026         ASSERT(tad != NULL);
1027 
1028         switch (tad->tad_scid) {
1029         case SYS_faccessat:
1030         case SYS_fchmodat:
1031         case SYS_fchownat:
1032         case SYS_fstatat:
1033         case SYS_fstatat64:
1034         case SYS_mkdirat:
1035         case SYS_mknodat:
1036         case SYS_openat:
1037         case SYS_openat64:
1038         case SYS_readlinkat:
1039         case SYS_unlinkat:
1040                 fd = uap->arg1;
1041                 break;
1042         case SYS_linkat:
1043         case SYS_renameat:
1044                 if (argnum == 3)
1045                         fd = uap->arg3;
1046                 else
1047                         fd = uap->arg1;
1048                 break;
1049         case SYS_symlinkat:
1050         case SYS_utimesys:
1051                 fd = uap->arg2;
1052                 break;
1053         case SYS_open:
1054         case SYS_open64:
1055                 fd = AT_FDCWD;
1056                 break;
1057         default:
1058                 return;
1059         }
1060 
1061         if (tad->tad_atpath != NULL) {
1062                 au_pathrele(tad->tad_atpath);
1063                 tad->tad_atpath = NULL;
1064         }
1065 
1066         if (fd != AT_FDCWD) {
1067                 tad->tad_ctrl |= TAD_ATCALL;
1068 
1069                 if (tad->tad_scid == SYS_openat ||
1070                     tad->tad_scid == SYS_openat64) {
1071                         fm = (uint_t)uap->arg3;
1072                         if (fm & (FXATTR | FXATTRDIROPEN)) {
1073                                 tad->tad_ctrl |= TAD_ATTPATH;
1074                         }
1075                 }
1076 
1077                 if ((fp = getf(fd)) == NULL) {
1078                         tad->tad_ctrl |= TAD_NOPATH;
1079                         return;
1080                 }
1081                 fad = F2A(fp);
1082                 ASSERT(fad);
1083                 if (fad->fad_aupath == NULL) {
1084                         tad->tad_ctrl |= TAD_NOPATH;
1085                         releasef(fd);
1086                         return;
1087                 }
1088                 au_pathhold(fad->fad_aupath);
1089                 tad->tad_atpath = fad->fad_aupath;
1090                 releasef(fd);
1091         } else {
1092                 if (tad->tad_scid == SYS_open ||
1093                     tad->tad_scid == SYS_open64) {
1094                         fm = (uint_t)uap->arg2;
1095                         if (fm & FXATTR) {
1096                                 tad->tad_ctrl |= TAD_ATTPATH;
1097                         }
1098                         return;
1099                 }
1100                 pad = P2A(curproc);
1101                 mutex_enter(&pad->pad_lock);
1102                 au_pathhold(pad->pad_cwd);
1103                 tad->tad_atpath = pad->pad_cwd;
1104                 mutex_exit(&pad->pad_lock);
1105         }
1106 }
1107 
1108 void
1109 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1110 {
1111         t_audit_data_t *tad;
1112         vnode_t *vp;
1113 
1114         tad = U2A(u);
1115 
1116         /* if not auditing this event, then do nothing */
1117         if (tad->tad_flag == 0)
1118                 return;
1119 
1120         au_uwrite(au_to_text(target));
1121 
1122         if (error)
1123                 return;
1124 
1125         error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1126             NULL, NULL, NULL);
1127         if (error == 0) {
1128                 audit_attributes(vp);
1129                 VN_RELE(vp);
1130         }
1131 }
1132 
1133 /*
1134  * ROUTINE:     AUDIT_VNCREATE_START
1135  * PURPOSE:     set flag so path name lookup in create will not add attribute
1136  * CALLBY:      VN_CREATE
1137  * NOTE:
1138  * TODO:
1139  * QUESTION:
1140  */
1141 
1142 void
1143 audit_vncreate_start()
1144 {
1145         t_audit_data_t *tad;
1146 
1147         tad = U2A(u);
1148         tad->tad_ctrl |= TAD_NOATTRB;
1149 }
1150 
1151 /*
1152  * ROUTINE:     AUDIT_VNCREATE_FINISH
1153  * PURPOSE:
1154  * CALLBY:      VN_CREATE
1155  * NOTE:
1156  * TODO:
1157  * QUESTION:
1158  */
1159 void
1160 audit_vncreate_finish(struct vnode *vp, int error)
1161 {
1162         t_audit_data_t *tad;
1163 
1164         if (error)
1165                 return;
1166 
1167         tad = U2A(u);
1168 
1169         /* if not auditing this event, then do nothing */
1170         if (tad->tad_flag == 0)
1171                 return;
1172 
1173         if (tad->tad_ctrl & TAD_TRUE_CREATE) {
1174                 audit_attributes(vp);
1175         }
1176 
1177         if (tad->tad_ctrl & TAD_CORE) {
1178                 audit_attributes(vp);
1179                 tad->tad_ctrl &= ~TAD_CORE;
1180         }
1181 
1182         if (!error && ((tad->tad_event == AUE_MKNOD) ||
1183             (tad->tad_event == AUE_MKDIR))) {
1184                 audit_attributes(vp);
1185         }
1186 
1187         /* for case where multiple lookups in one syscall (rename) */
1188         tad->tad_ctrl &= ~TAD_NOATTRB;
1189 }
1190 
1191 
1192 
1193 
1194 
1195 
1196 
1197 
1198 /*
1199  * ROUTINE:     AUDIT_EXEC
1200  * PURPOSE:     Records the function arguments and environment variables
1201  * CALLBY:      EXEC_ARGS
1202  * NOTE:
1203  * TODO:
1204  * QUESTION:
1205  */
1206 
1207 void
1208 audit_exec(
1209         const char *argstr,     /* argument strings */
1210         const char *envstr,     /* environment strings */
1211         ssize_t argc,           /* total # arguments */
1212         ssize_t envc,           /* total # environment variables */
1213         cred_t *pfcred)         /* the additional privileges in a profile */
1214 {
1215         t_audit_data_t *tad;
1216         au_kcontext_t   *kctx = GET_KCTX_PZ;
1217 
1218         tad = U2A(u);
1219 
1220         /* if not auditing this event, then do nothing */
1221         if (!tad->tad_flag)
1222                 return;
1223 
1224         if (pfcred != NULL) {
1225                 p_audit_data_t *pad;
1226                 cred_t *cr = CRED();
1227                 priv_set_t pset = CR_IPRIV(cr);
1228 
1229                 pad = P2A(curproc);
1230 
1231                 /* It's a different event. */
1232                 tad->tad_event = AUE_PFEXEC;
1233 
1234                 /* Add the current working directory to the audit trail. */
1235                 if (pad->pad_cwd != NULL)
1236                         au_uwrite(au_to_path(pad->pad_cwd));
1237 
1238                 /*
1239                  * The new credential is not yet in place when audit_exec
1240                  * is called.
1241                  * Compute the additional bits available in the new credential
1242                  * and the limit set.
1243                  */
1244                 priv_inverse(&pset);
1245                 priv_intersect(&CR_IPRIV(pfcred), &pset);
1246                 if (!priv_isemptyset(&pset) ||
1247                     !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) {
1248                         au_uwrite(au_to_privset(
1249                             priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV,
1250                             0));
1251                         au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT),
1252                             &CR_LPRIV(pfcred), AUT_PRIV, 0));
1253                 }
1254                 /*
1255                  * Compare the uids & gids: create a process token if changed.
1256                  */
1257                 if (crgetuid(cr) != crgetuid(pfcred) ||
1258                     crgetruid(cr) != crgetruid(pfcred) ||
1259                     crgetgid(cr) != crgetgid(pfcred) ||
1260                     crgetrgid(cr) != crgetrgid(pfcred)) {
1261                         AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr));
1262                 }
1263         }
1264 
1265         if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0)
1266                 au_uwrite(au_to_exec_args(argstr, argc));
1267 
1268         if (kctx->auk_policy & AUDIT_ARGE)
1269                 au_uwrite(au_to_exec_env(envstr, envc));
1270 }
1271 
1272 /*
1273  * ROUTINE:     AUDIT_ENTERPROM
1274  * PURPOSE:
1275  * CALLBY:      KBDINPUT
1276  *              ZSA_XSINT
1277  * NOTE:
1278  * TODO:
1279  * QUESTION:
1280  */
1281 void
1282 audit_enterprom(int flg)
1283 {
1284         token_t *rp = NULL;
1285         int sorf;
1286 
1287         if (flg)
1288                 sorf = AUM_SUCC;
1289         else
1290                 sorf = AUM_FAIL;
1291 
1292         AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1293 
1294         au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1295 
1296         if (flg)
1297                 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1298         else
1299                 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1300 
1301         AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL);
1302 }
1303 
1304 
1305 /*
1306  * ROUTINE:     AUDIT_EXITPROM
1307  * PURPOSE:
1308  * CALLBY:      KBDINPUT
1309  *              ZSA_XSINT
1310  * NOTE:
1311  * TODO:
1312  * QUESTION:
1313  */
1314 void
1315 audit_exitprom(int flg)
1316 {
1317         int sorf;
1318         token_t *rp = NULL;
1319 
1320         if (flg)
1321                 sorf = AUM_SUCC;
1322         else
1323                 sorf = AUM_FAIL;
1324 
1325         AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1326 
1327         au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1328 
1329         if (flg)
1330                 au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1331         else
1332                 au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1333 
1334         AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL);
1335 }
1336 
1337 struct fcntla {
1338         int fdes;
1339         int cmd;
1340         intptr_t arg;
1341 };
1342 
1343 
1344 /*
1345  * ROUTINE:     AUDIT_CHDIREC
1346  * PURPOSE:
1347  * CALLBY:      CHDIREC
1348  * NOTE:        The main function of CHDIREC
1349  * TODO:        Move the audit_chdirec hook above the VN_RELE in vncalls.c
1350  * QUESTION:
1351  */
1352 
1353 /*ARGSUSED*/
1354 void
1355 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1356 {
1357         int             chdir;
1358         int             fchdir;
1359         struct audit_path       **appp;
1360         struct file     *fp;
1361         f_audit_data_t *fad;
1362         p_audit_data_t *pad = P2A(curproc);
1363         t_audit_data_t *tad = T2A(curthread);
1364 
1365         struct a {
1366                 long fd;
1367         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1368 
1369         if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1370                 chdir = tad->tad_scid == SYS_chdir;
1371                 if (tad->tad_aupath) {
1372                         mutex_enter(&pad->pad_lock);
1373                         if (chdir)
1374                                 appp = &(pad->pad_cwd);
1375                         else
1376                                 appp = &(pad->pad_root);
1377                         au_pathrele(*appp);
1378                         /* use tad hold */
1379                         *appp = tad->tad_aupath;
1380                         tad->tad_aupath = NULL;
1381                         mutex_exit(&pad->pad_lock);
1382                 }
1383         } else if ((tad->tad_scid == SYS_fchdir) ||
1384             (tad->tad_scid == SYS_fchroot)) {
1385                 fchdir = tad->tad_scid == SYS_fchdir;
1386                 if ((fp = getf(uap->fd)) == NULL)
1387                         return;
1388                 fad = F2A(fp);
1389                 if (fad->fad_aupath) {
1390                         au_pathhold(fad->fad_aupath);
1391                         mutex_enter(&pad->pad_lock);
1392                         if (fchdir)
1393                                 appp = &(pad->pad_cwd);
1394                         else
1395                                 appp = &(pad->pad_root);
1396                         au_pathrele(*appp);
1397                         *appp = fad->fad_aupath;
1398                         mutex_exit(&pad->pad_lock);
1399                         if (tad->tad_flag) {
1400                                 au_uwrite(au_to_path(fad->fad_aupath));
1401                                 audit_attributes(fp->f_vnode);
1402                         }
1403                 }
1404                 releasef(uap->fd);
1405         }
1406 }
1407 
1408 
1409 /*
1410  *      Audit hook for stream based socket and tli request.
1411  *      Note that we do not have user context while executing
1412  *      this code so we had to record them earlier during the
1413  *      putmsg/getmsg to figure out which user we are dealing with.
1414  */
1415 
1416 /*ARGSUSED*/
1417 void
1418 audit_sock(
1419         int type,       /* type of tihdr.h header requests */
1420         queue_t *q,     /* contains the process and thread audit data */
1421         mblk_t *mp,     /* contains the tihdr.h header structures */
1422         int from)       /* timod or sockmod request */
1423 {
1424         int32_t    len;
1425         int32_t    offset;
1426         struct sockaddr_in *sock_data;
1427         struct T_conn_req *conn_req;
1428         struct T_conn_ind *conn_ind;
1429         struct T_unitdata_req *unitdata_req;
1430         struct T_unitdata_ind *unitdata_ind;
1431         au_state_t estate;
1432         t_audit_data_t *tad;
1433         caddr_t saved_thread_ptr;
1434         au_mask_t amask;
1435         const auditinfo_addr_t *ainfo;
1436         au_kcontext_t   *kctx;
1437 
1438         if (q->q_stream == NULL)
1439                 return;
1440         mutex_enter(&q->q_stream->sd_lock);
1441         /* are we being audited */
1442         saved_thread_ptr = q->q_stream->sd_t_audit_data;
1443         /* no pointer to thread, nothing to do */
1444         if (saved_thread_ptr == NULL) {
1445                 mutex_exit(&q->q_stream->sd_lock);
1446                 return;
1447         }
1448         /* only allow one addition of a record token */
1449         q->q_stream->sd_t_audit_data = NULL;
1450         /*
1451          * thread is not the one being audited, then nothing to do
1452          * This could be the stream thread handling the module
1453          * service routine. In this case, the context for the audit
1454          * record can no longer be assumed. Simplest to just drop
1455          * the operation.
1456          */
1457         if (curthread != (kthread_id_t)saved_thread_ptr) {
1458                 mutex_exit(&q->q_stream->sd_lock);
1459                 return;
1460         }
1461         if (curthread->t_sysnum >= SYS_so_socket &&
1462             curthread->t_sysnum <= SYS_sockconfig) {
1463                 mutex_exit(&q->q_stream->sd_lock);
1464                 return;
1465         }
1466         mutex_exit(&q->q_stream->sd_lock);
1467         /*
1468          * we know that the thread that did the put/getmsg is the
1469          * one running. Now we can get the TAD and see if we should
1470          * add an audit token.
1471          */
1472         tad = U2A(u);
1473 
1474         kctx = GET_KCTX_PZ;
1475 
1476         /* proceed ONLY if user is being audited */
1477         if (!tad->tad_flag)
1478                 return;
1479 
1480         ainfo = crgetauinfo(CRED());
1481         if (ainfo == NULL)
1482                 return;
1483         amask = ainfo->ai_mask;
1484 
1485         /*
1486          * Figure out the type of stream networking request here.
1487          * Note that getmsg and putmsg are always preselected
1488          * because during the beginning of the system call we have
1489          * not yet figure out which of the socket or tli request
1490          * we are looking at until we are here. So we need to check
1491          * against that specific request and reset the type of event.
1492          */
1493         switch (type) {
1494         case T_CONN_REQ:        /* connection request */
1495                 conn_req = (struct T_conn_req *)mp->b_rptr;
1496                 if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1497                         return;
1498                 offset = conn_req->DEST_offset;
1499                 len = conn_req->DEST_length;
1500                 estate = kctx->auk_ets[AUE_SOCKCONNECT];
1501                 if (amask.as_success & estate || amask.as_failure & estate) {
1502                         tad->tad_event = AUE_SOCKCONNECT;
1503                         break;
1504                 } else {
1505                         return;
1506                 }
1507         case T_CONN_IND:         /* connectionless receive request */
1508                 conn_ind = (struct T_conn_ind *)mp->b_rptr;
1509                 if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1510                         return;
1511                 offset = conn_ind->SRC_offset;
1512                 len = conn_ind->SRC_length;
1513                 estate = kctx->auk_ets[AUE_SOCKACCEPT];
1514                 if (amask.as_success & estate || amask.as_failure & estate) {
1515                         tad->tad_event = AUE_SOCKACCEPT;
1516                         break;
1517                 } else {
1518                         return;
1519                 }
1520         case T_UNITDATA_REQ:     /* connectionless send request */
1521                 unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1522                 if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1523                         return;
1524                 offset = unitdata_req->DEST_offset;
1525                 len = unitdata_req->DEST_length;
1526                 estate = kctx->auk_ets[AUE_SOCKSEND];
1527                 if (amask.as_success & estate || amask.as_failure & estate) {
1528                         tad->tad_event = AUE_SOCKSEND;
1529                         break;
1530                 } else {
1531                         return;
1532                 }
1533         case T_UNITDATA_IND:     /* connectionless receive request */
1534                 unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1535                 if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1536                         return;
1537                 offset = unitdata_ind->SRC_offset;
1538                 len = unitdata_ind->SRC_length;
1539                 estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1540                 if (amask.as_success & estate || amask.as_failure & estate) {
1541                         tad->tad_event = AUE_SOCKRECEIVE;
1542                         break;
1543                 } else {
1544                         return;
1545                 }
1546         default:
1547                 return;
1548         }
1549 
1550         /*
1551          * we are only interested in tcp stream connections,
1552          * not unix domain stuff
1553          */
1554         if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1555                 tad->tad_event = AUE_GETMSG;
1556                 return;
1557         }
1558         /* skip over TPI header and point to the ip address */
1559         sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1560 
1561         switch (sock_data->sin_family) {
1562         case AF_INET:
1563                 au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1564                 break;
1565         default:        /* reset to AUE_PUTMSG if not a inet request */
1566                 tad->tad_event = AUE_GETMSG;
1567                 break;
1568         }
1569 }
1570 
1571 
1572 static void
1573 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1574 {
1575         unsigned int sy_flags;
1576 
1577 #ifdef _SYSCALL32_IMPL
1578         /*
1579          * Guard against t_lwp being NULL when this function is called
1580          * from a kernel queue instead of from a direct system call.
1581          * In that case, assume the running kernel data model.
1582          */
1583         if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1584             ttolwp(curthread)) == DATAMODEL_NATIVE))
1585                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1586         else
1587                 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1588 #else
1589                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1590 #endif
1591 
1592         if (sy_flags == SE_64RVAL)
1593                 au_write(ad, au_to_return64(err, rval));
1594         else
1595                 au_write(ad, au_to_return32(err, rval));
1596 
1597 }
1598 
1599 /*ARGSUSED*/
1600 void
1601 audit_fdsend(int fd, struct file *fp, int error)
1602 {
1603         t_audit_data_t *tad;    /* current thread */
1604         f_audit_data_t *fad;    /* per file audit structure */
1605         struct vnode *vp;       /* for file attributes */
1606 
1607         /* is this system call being audited */
1608         tad = U2A(u);
1609         ASSERT(tad != (t_audit_data_t *)0);
1610         if (!tad->tad_flag)
1611                 return;
1612 
1613         fad = F2A(fp);
1614 
1615         /* add path and file attributes */
1616         if (fad != NULL && fad->fad_aupath != NULL) {
1617                 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1618                 au_uwrite(au_to_path(fad->fad_aupath));
1619         } else {
1620                 au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1621 #ifdef _LP64
1622                 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1623 #else
1624                 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1625 #endif
1626         }
1627         vp = fp->f_vnode;    /* include vnode attributes */
1628         audit_attributes(vp);
1629 }
1630 
1631 /*
1632  * Record privileges successfully used and we attempted to use but
1633  * didn't have.
1634  */
1635 void
1636 audit_priv(int priv, const priv_set_t *set, int flag)
1637 {
1638         t_audit_data_t *tad;
1639         int sbit;
1640         priv_set_t *target;
1641 
1642         /* Make sure this isn't being called in an interrupt context */
1643         ASSERT(servicing_interrupt() == 0);
1644 
1645         tad = U2A(u);
1646 
1647         if (tad->tad_flag == 0)
1648                 return;
1649 
1650         target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1651         sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1652 
1653         /* Tell audit_success() and audit_finish() that we saw this case */
1654         if (!(tad->tad_evmod & sbit)) {
1655                 /* Clear set first time around */
1656                 priv_emptyset(target);
1657                 tad->tad_evmod |= sbit;
1658         }
1659 
1660         /* Save the privileges in the tad */
1661         if (priv == PRIV_ALL) {
1662                 priv_fillset(target);
1663         } else {
1664                 ASSERT(set != NULL || priv != PRIV_NONE);
1665                 if (set != NULL)
1666                         priv_union(set, target);
1667                 if (priv != PRIV_NONE)
1668                         priv_addset(target, priv);
1669         }
1670 }
1671 
1672 /*
1673  * Audit the psecflags() system call; the set name, current value, and delta
1674  * are put in the audit trail.
1675  */
1676 void
1677 audit_psecflags(proc_t *p,
1678     psecflagwhich_t which,
1679     const secflagdelta_t *psd)
1680 {
1681         t_audit_data_t *tad;
1682         secflagset_t new;
1683         const secflagset_t *old;
1684         const char *s;
1685         cred_t *cr;
1686         pid_t pid;
1687         const auditinfo_addr_t  *ainfo;
1688         const psecflags_t *psec = &p->p_secflags;
1689 
1690         tad = U2A(u);
1691 
1692         if (tad->tad_flag == 0)
1693                 return;
1694 
1695         switch (which) {
1696         case PSF_EFFECTIVE:
1697                 s = "effective";
1698                 old = &psec->psf_effective;
1699                 break;
1700         case PSF_INHERIT:
1701                 s = "inherit";
1702                 old = &psec->psf_inherit;
1703                 break;
1704         case PSF_LOWER:
1705                 s = "lower";
1706                 old = &psec->psf_lower;
1707                 break;
1708         case PSF_UPPER:
1709                 s = "upper";
1710                 old = &psec->psf_upper;
1711                 break;
1712         }
1713 
1714         secflags_copy(&new, old);
1715         secflags_apply_delta(&new, psd);
1716 
1717         au_uwrite(au_to_secflags(s, *old));
1718         au_uwrite(au_to_secflags(s, new));
1719 
1720         ASSERT(mutex_owned(&p->p_lock));
1721         mutex_enter(&p->p_crlock);
1722 
1723         pid = p->p_pid;
1724         crhold(cr = p->p_cred);
1725         mutex_exit(&p->p_crlock);
1726 
1727         if ((ainfo = crgetauinfo(cr)) == NULL) {
1728                 crfree(cr);
1729                 return;
1730         }
1731 
1732         AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid);
1733 
1734         crfree(cr);
1735 }
1736 
1737 /*
1738  * Audit the setpriv() system call; the operation, the set name and
1739  * the current value as well as the set argument are put in the
1740  * audit trail.
1741  */
1742 void
1743 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1744 {
1745         t_audit_data_t *tad;
1746         const priv_set_t *oldpriv;
1747         priv_set_t report;
1748         const char *setname;
1749 
1750         tad = U2A(u);
1751 
1752         if (tad->tad_flag == 0)
1753                 return;
1754 
1755         oldpriv = priv_getset(ocr, set);
1756 
1757         /* Generate the actual record, include the before and after */
1758         au_uwrite(au_to_arg32(2, "op", op));
1759         setname = priv_getsetbynum(set);
1760 
1761         switch (op) {
1762         case PRIV_OFF:
1763                 /* Report privileges actually switched off */
1764                 report = *oldpriv;
1765                 priv_intersect(newpriv, &report);
1766                 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1767                 break;
1768         case PRIV_ON:
1769                 /* Report privileges actually switched on */
1770                 report = *oldpriv;
1771                 priv_inverse(&report);
1772                 priv_intersect(newpriv, &report);
1773                 au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1774                 break;
1775         case PRIV_SET:
1776                 /* Report before and after */
1777                 au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1778                 au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1779                 break;
1780         }
1781 }
1782 
1783 /*
1784  * Dump the full device policy setting in the audit trail.
1785  */
1786 void
1787 audit_devpolicy(int nitems, const devplcysys_t *items)
1788 {
1789         t_audit_data_t *tad;
1790         int i;
1791 
1792         tad = U2A(u);
1793 
1794         if (tad->tad_flag == 0)
1795                 return;
1796 
1797         for (i = 0; i < nitems; i++) {
1798                 au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1799                 if (items[i].dps_minornm[0] == '\0') {
1800                         au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1801                         au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1802                 } else
1803                         au_uwrite(au_to_text(items[i].dps_minornm));
1804 
1805                 au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1806                     AUT_PRIV, 0));
1807                 au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1808                     AUT_PRIV, 0));
1809         }
1810 }
1811 
1812 /*ARGSUSED*/
1813 void
1814 audit_fdrecv(int fd, struct file *fp)
1815 {
1816         t_audit_data_t *tad;    /* current thread */
1817         f_audit_data_t *fad;    /* per file audit structure */
1818         struct vnode *vp;       /* for file attributes */
1819 
1820         /* is this system call being audited */
1821         tad = U2A(u);
1822         ASSERT(tad != (t_audit_data_t *)0);
1823         if (!tad->tad_flag)
1824                 return;
1825 
1826         fad = F2A(fp);
1827 
1828         /* add path and file attributes */
1829         if (fad != NULL && fad->fad_aupath != NULL) {
1830                 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1831                 au_uwrite(au_to_path(fad->fad_aupath));
1832         } else {
1833                 au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1834 #ifdef _LP64
1835                 au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1836 #else
1837                 au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1838 #endif
1839         }
1840         vp = fp->f_vnode;    /* include vnode attributes */
1841         audit_attributes(vp);
1842 }
1843 
1844 /*
1845  * ROUTINE:     AUDIT_CRYPTOADM
1846  * PURPOSE:     Records arguments to administrative ioctls on /dev/cryptoadm
1847  * CALLBY:      CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1848  *              CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1849  *              CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1850  *              CRYPTO_LOAD_DOOR
1851  * NOTE:
1852  * TODO:
1853  * QUESTION:
1854  */
1855 
1856 void
1857 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1858     uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1859 {
1860         boolean_t               mech_list_required = B_FALSE;
1861         cred_t                  *cr = CRED();
1862         t_audit_data_t          *tad;
1863         token_t                 *ad = NULL;
1864         const auditinfo_addr_t  *ainfo = crgetauinfo(cr);
1865         char                    buffer[MAXNAMELEN * 2];
1866         au_kcontext_t           *kctx = GET_KCTX_PZ;
1867 
1868         tad = U2A(u);
1869         if (tad == NULL)
1870                 return;
1871 
1872         if (ainfo == NULL)
1873                 return;
1874 
1875         tad->tad_event = AUE_CRYPTOADM;
1876 
1877         if (audit_success(kctx, tad, error, NULL) != AU_OK)
1878                 return;
1879 
1880         /* Add subject information */
1881         AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1882 
1883         switch (cmd) {
1884         case CRYPTO_LOAD_DEV_DISABLED:
1885                 if (error == 0 && rv == CRYPTO_SUCCESS) {
1886                         (void) snprintf(buffer, sizeof (buffer),
1887                             "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1888                             " dev_instance=%d",
1889                             module_name, device_instance);
1890                         mech_list_required = B_TRUE;
1891                 } else {
1892                         (void) snprintf(buffer, sizeof (buffer),
1893                             "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1894                 }
1895                 break;
1896 
1897         case CRYPTO_LOAD_SOFT_DISABLED:
1898                 if (error == 0 && rv == CRYPTO_SUCCESS) {
1899                         (void) snprintf(buffer, sizeof (buffer),
1900                             "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1901                             module_name);
1902                         mech_list_required = B_TRUE;
1903                 } else {
1904                         (void) snprintf(buffer, sizeof (buffer),
1905                             "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1906                 }
1907                 break;
1908 
1909         case CRYPTO_UNLOAD_SOFT_MODULE:
1910                 if (error == 0 && rv == CRYPTO_SUCCESS) {
1911                         (void) snprintf(buffer, sizeof (buffer),
1912                             "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1913                             module_name);
1914                 } else {
1915                         (void) snprintf(buffer, sizeof (buffer),
1916                             "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1917                 }
1918                 break;
1919 
1920         case CRYPTO_LOAD_SOFT_CONFIG:
1921                 if (error == 0 && rv == CRYPTO_SUCCESS) {
1922                         (void) snprintf(buffer, sizeof (buffer),
1923                             "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1924                             module_name);
1925                         mech_list_required = B_TRUE;
1926                 } else {
1927                         (void) snprintf(buffer, sizeof (buffer),
1928                             "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1929                 }
1930                 break;
1931 
1932         case CRYPTO_POOL_CREATE:
1933                 (void) snprintf(buffer, sizeof (buffer),
1934                     "op=CRYPTO_POOL_CREATE");
1935                 break;
1936 
1937         case CRYPTO_POOL_WAIT:
1938                 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1939                 break;
1940 
1941         case CRYPTO_POOL_RUN:
1942                 (void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1943                 break;
1944 
1945         case CRYPTO_LOAD_DOOR:
1946                 if (error == 0 && rv == CRYPTO_SUCCESS)
1947                         (void) snprintf(buffer, sizeof (buffer),
1948                             "op=CRYPTO_LOAD_DOOR");
1949                 else
1950                         (void) snprintf(buffer, sizeof (buffer),
1951                             "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1952                 break;
1953 
1954         case CRYPTO_FIPS140_SET:
1955                 (void) snprintf(buffer, sizeof (buffer),
1956                     "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
1957                 break;
1958 
1959         default:
1960                 return;
1961         }
1962 
1963         au_write((caddr_t *)&ad, au_to_text(buffer));
1964 
1965         if (mech_list_required) {
1966                 int i;
1967 
1968                 if (mech_count == 0) {
1969                         au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
1970                 } else {
1971                         char    *pb = buffer;
1972                         size_t  l = sizeof (buffer);
1973                         size_t  n;
1974                         char    space[2] = ":";
1975 
1976                         n = snprintf(pb, l, "mech=");
1977 
1978                         for (i = 0; i < mech_count; i++) {
1979                                 pb += n;
1980                                 l = (n >= l) ? 0 : l - n;
1981 
1982                                 if (i == mech_count - 1)
1983                                         (void) strcpy(space, "");
1984 
1985                                 n = snprintf(pb, l, "%s%s", mech_names[i],
1986                                     space);
1987                         }
1988                         au_write((caddr_t *)&ad, au_to_text(buffer));
1989                 }
1990         }
1991 
1992         /* add a return token */
1993         if (error || (rv != CRYPTO_SUCCESS))
1994                 add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
1995         else
1996                 add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
1997 
1998         AS_INC(as_generated, 1, kctx);
1999         AS_INC(as_kernel, 1, kctx);
2000 
2001         au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
2002             NULL);
2003 }
2004 
2005 /*
2006  * Audit the kernel SSL administration command. The address and the
2007  * port number for the SSL instance, and the proxy port are put in the
2008  * audit trail.
2009  */
2010 void
2011 audit_kssl(int cmd, void *params, int error)
2012 {
2013         cred_t                  *cr = CRED();
2014         t_audit_data_t          *tad;
2015         token_t                 *ad = NULL;
2016         const auditinfo_addr_t  *ainfo = crgetauinfo(cr);
2017         au_kcontext_t           *kctx = GET_KCTX_PZ;
2018 
2019         tad = U2A(u);
2020 
2021         if (ainfo == NULL)
2022                 return;
2023 
2024         tad->tad_event = AUE_CONFIGKSSL;
2025 
2026         if (audit_success(kctx, tad, error, NULL) != AU_OK)
2027                 return;
2028 
2029         /* Add subject information */
2030         AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
2031 
2032         switch (cmd) {
2033         case KSSL_ADD_ENTRY: {
2034                 char buf[32];
2035                 kssl_params_t *kp = (kssl_params_t *)params;
2036                 struct sockaddr_in6 *saddr = &kp->kssl_addr;
2037 
2038                 au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
2039                 au_write((caddr_t *)&ad,
2040                     au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2041                 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
2042                     saddr->sin6_port);
2043                 au_write((caddr_t *)&ad, au_to_text(buf));
2044 
2045                 (void) snprintf(buf, sizeof (buf), "proxy port=%d",
2046                     kp->kssl_proxy_port);
2047                 au_write((caddr_t *)&ad, au_to_text(buf));
2048                 break;
2049         }
2050 
2051         case KSSL_DELETE_ENTRY: {
2052                 char buf[32];
2053                 struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
2054 
2055                 au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
2056                 au_write((caddr_t *)&ad,
2057                     au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2058                 (void) snprintf(buf, sizeof (buf), "SSL port=%d",
2059                     saddr->sin6_port);
2060                 au_write((caddr_t *)&ad, au_to_text(buf));
2061                 break;
2062         }
2063 
2064         default:
2065                 return;
2066         }
2067 
2068         /* add a return token */
2069         add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2070 
2071         AS_INC(as_generated, 1, kctx);
2072         AS_INC(as_kernel, 1, kctx);
2073 
2074         au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod,
2075             NULL);
2076 }
2077 
2078 /*
2079  * Audit the kernel PF_POLICY administration commands.  Record command,
2080  * zone, policy type (global or tunnel, active or inactive)
2081  */
2082 /*
2083  * ROUTINE:     AUDIT_PF_POLICY
2084  * PURPOSE:     Records arguments to administrative ioctls on PF_POLICY socket
2085  * CALLBY:      SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2086  *              SPD_CLONE, SPD_FLIP
2087  * NOTE:
2088  * TODO:
2089  * QUESTION:
2090  */
2091 
2092 void
2093 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2094     boolean_t active, int error, pid_t pid)
2095 {
2096         const auditinfo_addr_t  *ainfo;
2097         t_audit_data_t          *tad;
2098         token_t                 *ad = NULL;
2099         au_kcontext_t           *kctx = GET_KCTX_PZ;
2100         char                    buf[80];
2101         int                     flag;
2102 
2103         tad = U2A(u);
2104         if (tad == NULL)
2105                 return;
2106 
2107         ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2108         if (ainfo == NULL)
2109                 return;
2110 
2111         /*
2112          * Initialize some variables since these are only set
2113          * with system calls.
2114          */
2115 
2116         switch (cmd) {
2117         case SPD_ADDRULE: {
2118                 tad->tad_event = AUE_PF_POLICY_ADDRULE;
2119                 break;
2120         }
2121 
2122         case SPD_DELETERULE: {
2123                 tad->tad_event = AUE_PF_POLICY_DELRULE;
2124                 break;
2125         }
2126 
2127         case SPD_FLUSH: {
2128                 tad->tad_event = AUE_PF_POLICY_FLUSH;
2129                 break;
2130         }
2131 
2132         case SPD_UPDATEALGS: {
2133                 tad->tad_event = AUE_PF_POLICY_ALGS;
2134                 break;
2135         }
2136 
2137         case SPD_CLONE: {
2138                 tad->tad_event = AUE_PF_POLICY_CLONE;
2139                 break;
2140         }
2141 
2142         case SPD_FLIP: {
2143                 tad->tad_event = AUE_PF_POLICY_FLIP;
2144                 break;
2145         }
2146 
2147         default:
2148                 tad->tad_event = AUE_NULL;
2149         }
2150 
2151         tad->tad_evmod = 0;
2152 
2153         if (flag = audit_success(kctx, tad, error, cred)) {
2154                 zone_t *nszone;
2155 
2156                 /*
2157                  * For now, just audit that an event happened,
2158                  * along with the error code.
2159                  */
2160                 au_write((caddr_t *)&ad,
2161                     au_to_arg32(1, "Policy Active?", (uint32_t)active));
2162                 au_write((caddr_t *)&ad,
2163                     au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2164 
2165                 /* Supplemental data */
2166 
2167                 /*
2168                  * Generate this zone token if the target zone differs
2169                  * from the administrative zone.  If netstacks are expanded
2170                  * to something other than a 1-1 relationship with zones,
2171                  * the auditing framework should create a new token type
2172                  * and audit it as a netstack instead.
2173                  * Turn on general zone auditing to get the administrative zone.
2174                  */
2175 
2176                 nszone = zone_find_by_id(netstackid_to_zoneid(
2177                     ns->netstack_stackid));
2178                 if (nszone != NULL) {
2179                         if (strncmp(crgetzone(cred)->zone_name,
2180                             nszone->zone_name, ZONENAME_MAX) != 0) {
2181                                 token_t *ztoken;
2182 
2183                                 ztoken = au_to_zonename(0, nszone);
2184                                 au_write((caddr_t *)&ad, ztoken);
2185                         }
2186                         zone_rele(nszone);
2187                 }
2188 
2189                 if (tun != NULL) {
2190                         /* write tunnel name - tun is bounded */
2191                         (void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2192                             tun);
2193                         au_write((caddr_t *)&ad, au_to_text(buf));
2194                 }
2195 
2196                 /* Add subject information */
2197                 AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2198                     ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2199 
2200                 /* add a return token */
2201                 add_return_token((caddr_t *)&ad, 0, error, 0);
2202 
2203                 AS_INC(as_generated, 1, kctx);
2204                 AS_INC(as_kernel, 1, kctx);
2205 
2206         }
2207         au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2208             NULL);
2209 
2210         /*
2211          * clear the ctrl flag so that we don't have spurious collection of
2212          * audit information.
2213          */
2214         tad->tad_scid  = 0;
2215         tad->tad_event = 0;
2216         tad->tad_evmod = 0;
2217         tad->tad_ctrl  = 0;
2218 }
2219 
2220 /*
2221  * ROUTINE:     AUDIT_SEC_ATTRIBUTES
2222  * PURPOSE:     Add security attributes
2223  * CALLBY:      AUDIT_ATTRIBUTES
2224  *              AUDIT_CLOSEF
2225  *              AUS_CLOSE
2226  * NOTE:
2227  * TODO:
2228  * QUESTION:
2229  */
2230 
2231 void
2232 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2233 {
2234         /* Dump the SL */
2235         if (is_system_labeled()) {
2236                 ts_label_t      *tsl;
2237                 bslabel_t       *bsl;
2238 
2239                 tsl = getflabel(vp);
2240                 if (tsl == NULL)
2241                         return;                 /* nothing else to do */
2242 
2243                 bsl = label2bslabel(tsl);
2244                 if (bsl == NULL)
2245                         return;                 /* nothing else to do */
2246                 au_write(ad, au_to_label(bsl));
2247                 label_rele(tsl);
2248         }
2249 
2250 }       /* AUDIT_SEC_ATTRIBUTES */