1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
25 */
26
27 /*
28 * This file contains the audit event table used to control the production
29 * of audit records for each system call.
30 */
31
32 #include <sys/policy.h>
33 #include <sys/cred.h>
34 #include <sys/types.h>
35 #include <sys/systm.h>
36 #include <sys/systeminfo.h> /* for sysinfo auditing */
37 #include <sys/utsname.h> /* for sysinfo auditing */
38 #include <sys/proc.h>
39 #include <sys/vnode.h>
40 #include <sys/mman.h> /* for mmap(2) auditing etc. */
41 #include <sys/fcntl.h>
42 #include <sys/modctl.h> /* for modctl auditing */
43 #include <sys/vnode.h>
44 #include <sys/user.h>
45 #include <sys/types.h>
46 #include <sys/processor.h>
47 #include <sys/procset.h>
48 #include <sys/acl.h>
49 #include <sys/ipc.h>
50 #include <sys/door.h>
51 #include <sys/sem.h>
52 #include <sys/msg.h>
53 #include <sys/shm.h>
54 #include <sys/kmem.h>
55 #include <sys/file.h> /* for accept */
56 #include <sys/utssys.h> /* for fuser */
57 #include <sys/tsol/label.h>
58 #include <sys/tsol/tndb.h>
59 #include <sys/tsol/tsyscall.h>
60 #include <c2/audit.h>
61 #include <c2/audit_kernel.h>
62 #include <c2/audit_kevents.h>
63 #include <c2/audit_record.h>
64 #include <sys/procset.h>
65 #include <nfs/mount.h>
66 #include <sys/param.h>
67 #include <sys/debug.h>
68 #include <sys/sysmacros.h>
69 #include <sys/stream.h>
70 #include <sys/strsubr.h>
71 #include <sys/stropts.h>
72 #include <sys/tihdr.h>
73 #include <sys/socket.h>
74 #include <sys/socketvar.h>
75 #include <sys/vfs_opreg.h>
76 #include <fs/sockfs/sockcommon.h>
77 #include <netinet/in.h>
78 #include <sys/ddi.h>
79 #include <sys/port_impl.h>
80 #include <sys/secflags.h>
81
82 static au_event_t aui_fchownat(au_event_t);
83 static au_event_t aui_fchmodat(au_event_t);
84 static au_event_t aui_open(au_event_t);
85 static au_event_t aui_openat(au_event_t);
86 static au_event_t aui_unlinkat(au_event_t);
87 static au_event_t aui_fstatat(au_event_t);
88 static au_event_t aui_msgsys(au_event_t);
89 static au_event_t aui_shmsys(au_event_t);
90 static au_event_t aui_semsys(au_event_t);
91 static au_event_t aui_utssys(au_event_t);
92 static au_event_t aui_fcntl(au_event_t);
93 static au_event_t aui_execve(au_event_t);
94 static au_event_t aui_memcntl(au_event_t);
95 static au_event_t aui_sysinfo(au_event_t);
96 static au_event_t aui_portfs(au_event_t);
97 static au_event_t aui_auditsys(au_event_t);
98 static au_event_t aui_modctl(au_event_t);
99 static au_event_t aui_acl(au_event_t);
100 static au_event_t aui_doorfs(au_event_t);
101 static au_event_t aui_privsys(au_event_t);
102 static au_event_t aui_forksys(au_event_t);
103 static au_event_t aui_labelsys(au_event_t);
104 static au_event_t aui_setpgrp(au_event_t);
105
106
107 static void aus_exit(struct t_audit_data *);
108 static void aus_open(struct t_audit_data *);
109 static void aus_openat(struct t_audit_data *);
110 static void aus_acl(struct t_audit_data *);
111 static void aus_acct(struct t_audit_data *);
112 static void aus_chown(struct t_audit_data *);
113 static void aus_fchown(struct t_audit_data *);
114 static void aus_lchown(struct t_audit_data *);
115 static void aus_fchownat(struct t_audit_data *);
116 static void aus_chmod(struct t_audit_data *);
117 static void aus_facl(struct t_audit_data *);
118 static void aus_fchmod(struct t_audit_data *);
119 static void aus_fchmodat(struct t_audit_data *);
120 static void aus_fcntl(struct t_audit_data *);
121 static void aus_mkdir(struct t_audit_data *);
122 static void aus_mkdirat(struct t_audit_data *);
123 static void aus_mknod(struct t_audit_data *);
124 static void aus_mknodat(struct t_audit_data *);
125 static void aus_mount(struct t_audit_data *);
126 static void aus_umount2(struct t_audit_data *);
127 static void aus_msgsys(struct t_audit_data *);
128 static void aus_semsys(struct t_audit_data *);
129 static void aus_close(struct t_audit_data *);
130 static void aus_fstatfs(struct t_audit_data *);
131 static void aus_setgid(struct t_audit_data *);
132 static void aus_setpgrp(struct t_audit_data *);
133 static void aus_setuid(struct t_audit_data *);
134 static void aus_shmsys(struct t_audit_data *);
135 static void aus_doorfs(struct t_audit_data *);
136 static void aus_ioctl(struct t_audit_data *);
137 static void aus_memcntl(struct t_audit_data *);
138 static void aus_mmap(struct t_audit_data *);
139 static void aus_munmap(struct t_audit_data *);
140 static void aus_priocntlsys(struct t_audit_data *);
141 static void aus_setegid(struct t_audit_data *);
142 static void aus_setgroups(struct t_audit_data *);
143 static void aus_seteuid(struct t_audit_data *);
144 static void aus_putmsg(struct t_audit_data *);
145 static void aus_putpmsg(struct t_audit_data *);
146 static void aus_getmsg(struct t_audit_data *);
147 static void aus_getpmsg(struct t_audit_data *);
148 static void aus_auditsys(struct t_audit_data *);
149 static void aus_sysinfo(struct t_audit_data *);
150 static void aus_modctl(struct t_audit_data *);
151 static void aus_kill(struct t_audit_data *);
152 static void aus_setregid(struct t_audit_data *);
153 static void aus_setreuid(struct t_audit_data *);
154 static void aus_labelsys(struct t_audit_data *);
155
156 static void auf_mknod(struct t_audit_data *, int, rval_t *);
157 static void auf_mknodat(struct t_audit_data *, int, rval_t *);
158 static void auf_msgsys(struct t_audit_data *, int, rval_t *);
159 static void auf_semsys(struct t_audit_data *, int, rval_t *);
160 static void auf_shmsys(struct t_audit_data *, int, rval_t *);
161 static void auf_read(struct t_audit_data *, int, rval_t *);
162 static void auf_write(struct t_audit_data *, int, rval_t *);
163
164 static void aus_sigqueue(struct t_audit_data *);
165 static void aus_p_online(struct t_audit_data *);
166 static void aus_processor_bind(struct t_audit_data *);
167 static void aus_inst_sync(struct t_audit_data *);
168 static void aus_brandsys(struct t_audit_data *);
169
170 static void auf_accept(struct t_audit_data *, int, rval_t *);
171
172 static void auf_bind(struct t_audit_data *, int, rval_t *);
173 static void auf_connect(struct t_audit_data *, int, rval_t *);
174 static void aus_shutdown(struct t_audit_data *);
175 static void auf_setsockopt(struct t_audit_data *, int, rval_t *);
176 static void aus_sockconfig(struct t_audit_data *);
177 static void auf_recv(struct t_audit_data *, int, rval_t *);
178 static void auf_recvmsg(struct t_audit_data *, int, rval_t *);
179 static void auf_send(struct t_audit_data *, int, rval_t *);
180 static void auf_sendmsg(struct t_audit_data *, int, rval_t *);
181 static void auf_recvfrom(struct t_audit_data *, int, rval_t *);
182 static void auf_sendto(struct t_audit_data *, int, rval_t *);
183 static void aus_socket(struct t_audit_data *);
184 /*
185 * This table contains mapping information for converting system call numbers
186 * to audit event IDs. In several cases it is necessary to map a single system
187 * call to several events.
188 */
189
190 #define aui_null NULL /* NULL initialize function */
191 #define aus_null NULL /* NULL start function */
192 #define auf_null NULL /* NULL finish function */
193
194 struct audit_s2e audit_s2e[] =
195 {
196 /*
197 * ---------- ---------- ---------- ----------
198 * INITIAL AUDIT START SYSTEM
199 * PROCESSING EVENT PROCESSING CALL
200 * ---------- ---------- ---------- -----------
201 * FINISH EVENT
202 * PROCESSING CONTROL
203 * ----------------------------------------------------------
204 */
205 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */
206 auf_null, 0,
207 aui_null, AUE_EXIT, aus_exit, /* 1 exit */
208 auf_null, S2E_NPT,
209 aui_null, AUE_PSECFLAGS, aus_null, /* 2 psecflags */
210 auf_null, 0,
211 aui_null, AUE_READ, aus_null, /* 3 read */
212 auf_read, S2E_PUB,
213 aui_null, AUE_WRITE, aus_null, /* 4 write */
214 auf_write, 0,
215 aui_open, AUE_OPEN, aus_open, /* 5 open */
216 auf_null, S2E_SP,
217 aui_null, AUE_CLOSE, aus_close, /* 6 close */
218 auf_null, 0,
219 aui_null, AUE_LINK, aus_null, /* 7 linkat */
220 auf_null, 0,
221 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */
222 auf_null, 0,
223 aui_null, AUE_LINK, aus_null, /* 9 link */
224 auf_null, 0,
225 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */
226 auf_null, 0,
227 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */
228 auf_null, 0,
229 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */
230 auf_null, S2E_SP,
231 aui_null, AUE_NULL, aus_null, /* 13 time */
232 auf_null, 0,
233 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */
234 auf_mknod, S2E_MLD,
235 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */
236 auf_null, 0,
237 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */
238 auf_null, 0,
239 aui_null, AUE_NULL, aus_null, /* 17 brk */
240 auf_null, 0,
241 aui_null, AUE_STAT, aus_null, /* 18 stat */
242 auf_null, S2E_PUB,
243 aui_null, AUE_NULL, aus_null, /* 19 lseek */
244 auf_null, 0,
245 aui_null, AUE_NULL, aus_null, /* 20 getpid */
246 auf_null, 0,
247 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */
248 auf_null, S2E_MLD,
249 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */
250 auf_null, S2E_PUB,
251 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */
252 auf_null, 0,
253 aui_null, AUE_NULL, aus_null, /* 24 getuid */
254 auf_null, 0,
255 aui_null, AUE_STIME, aus_null, /* 25 stime */
256 auf_null, 0,
257 aui_null, AUE_NULL, aus_null, /* 26 pcsample */
258 auf_null, 0,
259 aui_null, AUE_NULL, aus_null, /* 27 alarm */
260 auf_null, 0,
261 aui_null, AUE_NULL, aus_null, /* 28 fstat */
262 auf_null, 0,
263 aui_null, AUE_NULL, aus_null, /* 29 pause */
264 auf_null, 0,
265 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */
266 auf_null, 0,
267 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */
268 auf_null, 0,
269 aui_null, AUE_NULL, aus_null, /* 32 gtty */
270 auf_null, 0,
271 aui_null, AUE_ACCESS, aus_null, /* 33 access */
272 auf_null, S2E_PUB,
273 aui_null, AUE_NICE, aus_null, /* 34 nice */
274 auf_null, 0,
275 aui_null, AUE_STATFS, aus_null, /* 35 statfs */
276 auf_null, S2E_PUB,
277 aui_null, AUE_NULL, aus_null, /* 36 sync */
278 auf_null, 0,
279 aui_null, AUE_KILL, aus_kill, /* 37 kill */
280 auf_null, 0,
281 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */
282 auf_null, S2E_PUB,
283 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */
284 auf_null, 0,
285 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */
286 auf_null, 0,
287 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */
288 auf_null, 0,
289 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */
290 auf_null, 0,
291 aui_null, AUE_NULL, aus_null, /* 43 times */
292 auf_null, 0,
293 aui_null, AUE_NULL, aus_null, /* 44 profil */
294 auf_null, 0,
295 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */
296 auf_null, S2E_PUB,
297 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */
298 auf_null, 0,
299 aui_null, AUE_NULL, aus_null, /* 47 getgid */
300 auf_null, 0,
301 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */
302 auf_mknodat, S2E_MLD,
303 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */
304 auf_msgsys, 0,
305 #if defined(__x86)
306 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */
307 auf_null, 0,
308 #else
309 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */
310 auf_null, 0,
311 #endif /* __x86 */
312 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */
313 auf_null, 0,
314 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */
315 auf_shmsys, 0,
316 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */
317 auf_semsys, 0,
318 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */
319 auf_null, 0,
320 aui_null, AUE_NULL, aus_null, /* 55 uadmin */
321 auf_null, 0,
322 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */
323 auf_null, 0,
324 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */
325 auf_null, 0,
326 aui_null, AUE_NULL, aus_null, /* 58 fsync */
327 auf_null, 0,
328 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */
329 auf_null, S2E_MLD,
330 aui_null, AUE_NULL, aus_null, /* 60 umask */
331 auf_null, 0,
332 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */
333 auf_null, S2E_SP,
334 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */
335 auf_null, 0,
336 aui_null, AUE_NULL, aus_null, /* 63 ulimit */
337 auf_null, 0,
338 aui_null, AUE_RENAME, aus_null, /* 64 renameat */
339 auf_null, 0,
340 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */
341 auf_null, 0,
342 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */
343 auf_null, S2E_PUB,
344 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */
345 auf_null, S2E_PUB,
346 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */
347 auf_null, S2E_SP,
348 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */
349 auf_null, S2E_SP,
350 aui_null, AUE_NULL, aus_null, /* 70 tasksys */
351 auf_null, 0,
352 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */
353 auf_null, 0,
354 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */
355 auf_null, 0,
356 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */
357 auf_null, 0,
358 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */
359 auf_null, 0,
360 aui_null, AUE_NULL, aus_null, /* 75 sidsys */
361 auf_null, 0,
362 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */
363 auf_null, 0,
364 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */
365 auf_null, 0,
366 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */
367 auf_null, 0,
368 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */
369 auf_null, 0,
370 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */
371 auf_null, 0,
372 aui_null, AUE_NULL, aus_null, /* 81 getdents */
373 auf_null, 0,
374 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */
375 auf_null, 0,
376 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */
377 auf_null, 0,
378 aui_null, AUE_NULL, aus_null, /* 84 sysfs */
379 auf_null, 0,
380 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */
381 auf_null, 0,
382 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */
383 auf_null, 0,
384 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */
385 auf_null, 0,
386 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */
387 auf_null, S2E_PUB,
388 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */
389 auf_null, 0,
390 aui_null, AUE_READLINK, aus_null, /* 90 readlink */
391 auf_null, S2E_PUB,
392 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */
393 auf_null, 0,
394 aui_null, AUE_NULL, aus_null, /* 92 getgroups */
395 auf_null, 0,
396 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */
397 auf_null, 0,
398 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */
399 auf_null, 0,
400 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */
401 auf_null, 0,
402 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */
403 auf_null, 0,
404 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */
405 auf_null, 0,
406 aui_null, AUE_NULL, aus_null, /* 98 sigaction */
407 auf_null, 0,
408 aui_null, AUE_NULL, aus_null, /* 99 sigpending */
409 auf_null, 0,
410 aui_null, AUE_NULL, aus_null, /* 100 setcontext */
411 auf_null, 0,
412 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */
413 auf_null, 0,
414 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */
415 auf_null, 0,
416 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */
417 auf_null, S2E_PUB,
418 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */
419 auf_null, 0,
420 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */
421 auf_null, 0,
422 aui_null, AUE_NULL, aus_null, /* 106 nfssys */
423 auf_null, 0,
424 aui_null, AUE_NULL, aus_null, /* 107 waitsys */
425 auf_null, 0,
426 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */
427 auf_null, 0,
428 #if defined(__x86)
429 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */
430 auf_null, 0,
431 #else
432 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */
433 auf_null, 0,
434 #endif /* __x86 */
435 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */
436 auf_null, 0,
437 aui_null, AUE_NULL, aus_null, /* 111 sigresend */
438 auf_null, 0,
439 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
440 auf_null, 0,
441 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */
442 auf_null, S2E_PUB,
443 aui_null, AUE_NULL, aus_null, /* 114 mincore */
444 auf_null, 0,
445 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */
446 auf_null, 0,
447 aui_null, AUE_NULL, aus_null, /* 116 mprotect */
448 auf_null, 0,
449 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */
450 auf_null, 0,
451 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */
452 auf_null, 0,
453 aui_null, AUE_VFORK, aus_null, /* 119 vfork */
454 auf_null, 0,
455 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */
456 auf_null, 0,
457 aui_null, AUE_READ, aus_null, /* 121 readv */
458 auf_read, S2E_PUB,
459 aui_null, AUE_WRITE, aus_null, /* 122 writev */
460 auf_write, 0,
461 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */
462 auf_null, 0,
463 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */
464 auf_null, 0,
465 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */
466 auf_null, 0,
467 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */
468 auf_null, 0,
469 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */
470 auf_null, 0,
471 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */
472 auf_null, 0,
473 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */
474 auf_null, 0,
475 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */
476 auf_null, 0,
477 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */
478 auf_null, 0,
479 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */
480 auf_null, 0,
481 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */
482 auf_null, 0,
483 aui_null, AUE_RENAME, aus_null, /* 134 rename */
484 auf_null, 0,
485 aui_null, AUE_NULL, aus_null, /* 135 uname */
486 auf_null, 0,
487 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */
488 auf_null, 0,
489 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */
490 auf_null, 0,
491 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */
492 auf_null, 0,
493 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */
494 auf_null, 0,
495 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */
496 auf_null, 0,
497 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */
498 auf_null, 0,
499 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */
500 auf_null, 0,
501 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */
502 auf_null, 0,
503 aui_null, AUE_NULL, aus_null, /* 144 sigwait */
504 auf_null, 0,
505 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */
506 auf_null, 0,
507 aui_null, AUE_NULL, aus_null, /* 146 yield */
508 auf_null, 0,
509 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */
510 /* was lwp_sema_wait */
511 auf_null, 0,
512 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */
513 auf_null, 0,
514 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */
515 auf_null, 0,
516 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */
517 auf_null, 0,
518 aui_null, AUE_NULL, aus_null, /* 151 corectl */
519 auf_null, 0,
520 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */
521 auf_null, 0,
522 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */
523 auf_null, 0,
524 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */
525 auf_null, 0,
526 aui_null, AUE_NULL, aus_null, /* 155 vhangup */
527 auf_null, 0,
528 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */
529 auf_null, 0,
530 aui_null, AUE_NULL, aus_null, /* 157 getitimer */
531 auf_null, 0,
532 aui_null, AUE_NULL, aus_null, /* 158 setitimer */
533 auf_null, 0,
534 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */
535 auf_null, 0,
536 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */
537 auf_null, 0,
538 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */
539 auf_null, 0,
540 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */
541 auf_null, 0,
542 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */
543 auf_null, 0,
544 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */
545 auf_null, 0,
546 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */
547 auf_null, 0,
548 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */
549 auf_null, 0,
550 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */
551 auf_null, 0,
552 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */
553 auf_null, 0,
554 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */
555 /* was lwp_mutex_lock */
556 auf_null, 0,
557 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */
558 auf_null, 0,
559 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */
560 auf_null, 0,
561 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */
562 auf_null, 0,
563 aui_null, AUE_READ, aus_null, /* 173 pread */
564 auf_read, S2E_PUB,
565 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */
566 auf_write, 0,
567 aui_null, AUE_NULL, aus_null, /* 175 llseek */
568 auf_null, 0,
569 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */
570 auf_null, 0,
571 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */
572 auf_null, 0,
573 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */
574 auf_null, 0,
575 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */
576 auf_null, 0,
577 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */
578 auf_null, 0,
579 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */
580 auf_null, 0,
581 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */
582 auf_null, S2E_MLD,
583 aui_null, AUE_NULL, aus_null, /* 183 pollsys */
584 auf_null, 0,
585 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */
586 auf_null, 0,
587 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */
588 auf_null, 0,
589 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */
590 auf_null, 0,
591 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
592 auf_null, 0,
593 aui_null, AUE_NULL, aus_null, /* 188 processor_info */
594 auf_null, 0,
595 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */
596 auf_null, 0,
597 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */
598 auf_null, 0,
599 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */
600 auf_null, 0,
601 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */
602 auf_null, 0,
603 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */
604 auf_null, 0,
605 aui_null, AUE_NULL, aus_null, /* 194 timer_create */
606 auf_null, 0,
607 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */
608 auf_null, 0,
609 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */
610 auf_null, 0,
611 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */
612 auf_null, 0,
613 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */
614 auf_null, 0,
615 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */
616 auf_null, 0,
617 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */
618 auf_null, 0,
619 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */
620 auf_null, 0,
621 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */
622 auf_null, 0,
623 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */
624 auf_null, 0,
625 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */
626 auf_null, 0,
627 aui_null, AUE_NULL, aus_null, /* 205 signotify */
628 auf_null, 0,
629 aui_null, AUE_NULL, aus_null, /* 206 schedctl */
630 auf_null, 0,
631 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */
632 auf_null, 0,
633 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */
634 auf_null, 0,
635 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */
636 auf_null, 0,
637 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */
638 auf_null, 0,
639 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */
640 auf_null, 0,
641 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */
642 auf_null, 0,
643 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */
644 auf_null, 0,
645 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */
646 auf_null, 0,
647 aui_null, AUE_STAT, aus_null, /* 215 stat64 */
648 auf_null, S2E_PUB,
649 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */
650 auf_null, S2E_PUB,
651 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */
652 auf_null, 0,
653 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */
654 auf_null, S2E_PUB,
655 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */
656 auf_null, 0,
657 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */
658 auf_null, 0,
659 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */
660 auf_null, 0,
661 aui_null, AUE_READ, aus_null, /* 222 pread64 */
662 auf_read, S2E_PUB,
663 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */
664 auf_write, 0,
665 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */
666 auf_null, 0,
667 aui_open, AUE_OPEN, aus_open, /* 225 open64 */
668 auf_null, S2E_SP,
669 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */
670 auf_null, 0,
671 aui_null, AUE_NULL, aus_null, /* 227 zone */
672 auf_null, 0,
673 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */
674 auf_null, 0,
675 aui_null, AUE_NULL, aus_null, /* 229 getcwd */
676 auf_null, 0,
677 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */
678 auf_null, 0,
679 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */
680 auf_null, 0,
681 aui_null, AUE_BIND, aus_null, /* 232 bind */
682 auf_bind, 0,
683 aui_null, AUE_NULL, aus_null, /* 233 listen */
684 auf_null, 0,
685 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */
686 auf_accept, 0,
687 aui_null, AUE_CONNECT, aus_null, /* 235 connect */
688 auf_connect, 0,
689 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */
690 auf_null, 0,
691 aui_null, AUE_READ, aus_null, /* 237 recv */
692 auf_recv, 0,
693 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */
694 auf_recvfrom, 0,
695 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */
696 auf_recvmsg, 0,
697 aui_null, AUE_WRITE, aus_null, /* 240 send */
698 auf_send, 0,
699 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */
700 auf_sendmsg, 0,
701 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */
702 auf_sendto, 0,
703 aui_null, AUE_NULL, aus_null, /* 243 getpeername */
704 auf_null, 0,
705 aui_null, AUE_NULL, aus_null, /* 244 getsockname */
706 auf_null, 0,
707 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */
708 auf_null, 0,
709 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */
710 auf_setsockopt, 0,
711 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
712 auf_null, 0,
713 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */
714 auf_null, 0,
715 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */
716 auf_null, 0,
717 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */
718 auf_null, 0,
719 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */
720 auf_null, 0,
721 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */
722 auf_null, 0,
723 aui_null, AUE_NULL, aus_null, /* 253 cladm */
724 auf_null, 0,
725 aui_null, AUE_NULL, aus_null, /* 254 uucopy */
726 auf_null, 0,
727 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */
728 auf_null, 0
729 };
730
731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
732
733
734 /* exit start function */
735 /*ARGSUSED*/
736 static void
737 aus_exit(struct t_audit_data *tad)
738 {
739 uint32_t rval;
740 struct a {
741 long rval;
742 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
743
744 rval = (uint32_t)uap->rval;
745 au_uwrite(au_to_arg32(1, "exit status", rval));
746 }
747
748
749 /* acct start function */
750 /*ARGSUSED*/
751 static void
752 aus_acct(struct t_audit_data *tad)
753 {
754 klwp_t *clwp = ttolwp(curthread);
755 uintptr_t fname;
756
757 struct a {
758 long fname; /* char * */
759 } *uap = (struct a *)clwp->lwp_ap;
760
761 fname = (uintptr_t)uap->fname;
762
763 if (fname == 0)
764 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
765 }
766
767 /* chown start function */
768 /*ARGSUSED*/
769 static void
770 aus_chown(struct t_audit_data *tad)
771 {
772 klwp_t *clwp = ttolwp(curthread);
773 uint32_t uid, gid;
774
775 struct a {
776 long fname; /* char * */
777 long uid;
778 long gid;
779 } *uap = (struct a *)clwp->lwp_ap;
780
781 uid = (uint32_t)uap->uid;
782 gid = (uint32_t)uap->gid;
783
784 au_uwrite(au_to_arg32(2, "new file uid", uid));
785 au_uwrite(au_to_arg32(3, "new file gid", gid));
786 }
787
788 /* fchown start function */
789 /*ARGSUSED*/
790 static void
791 aus_fchown(struct t_audit_data *tad)
792 {
793 klwp_t *clwp = ttolwp(curthread);
794 uint32_t uid, gid, fd;
795 struct file *fp;
796 struct vnode *vp;
797 struct f_audit_data *fad;
798
799 struct a {
800 long fd;
801 long uid;
802 long gid;
803 } *uap = (struct a *)clwp->lwp_ap;
804
805 fd = (uint32_t)uap->fd;
806 uid = (uint32_t)uap->uid;
807 gid = (uint32_t)uap->gid;
808
809 au_uwrite(au_to_arg32(2, "new file uid", uid));
810 au_uwrite(au_to_arg32(3, "new file gid", gid));
811
812 /*
813 * convert file pointer to file descriptor
814 * Note: fd ref count incremented here.
815 */
816 if ((fp = getf(fd)) == NULL)
817 return;
818
819 /* get path from file struct here */
820 fad = F2A(fp);
821 if (fad->fad_aupath != NULL) {
822 au_uwrite(au_to_path(fad->fad_aupath));
823 } else {
824 au_uwrite(au_to_arg32(1, "no path: fd", fd));
825 }
826
827 vp = fp->f_vnode;
828 audit_attributes(vp);
829
830 /* decrement file descriptor reference count */
831 releasef(fd);
832 }
833
834 /*ARGSUSED*/
835 static void
836 aus_lchown(struct t_audit_data *tad)
837 {
838 klwp_t *clwp = ttolwp(curthread);
839 uint32_t uid, gid;
840
841
842 struct a {
843 long fname; /* char * */
844 long uid;
845 long gid;
846 } *uap = (struct a *)clwp->lwp_ap;
847
848 uid = (uint32_t)uap->uid;
849 gid = (uint32_t)uap->gid;
850
851 au_uwrite(au_to_arg32(2, "new file uid", uid));
852 au_uwrite(au_to_arg32(3, "new file gid", gid));
853 }
854
855 static au_event_t
856 aui_fchownat(au_event_t e)
857 {
858 klwp_t *clwp = ttolwp(curthread);
859
860 struct a {
861 long fd;
862 long fname; /* char * */
863 long uid;
864 long gid;
865 long flags;
866 } *uap = (struct a *)clwp->lwp_ap;
867
868 if (uap->fname == NULL)
869 e = AUE_FCHOWN;
870 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
871 e = AUE_LCHOWN;
872 else
873 e = AUE_CHOWN;
874
875 return (e);
876 }
877
878 /*ARGSUSED*/
879 static void
880 aus_fchownat(struct t_audit_data *tad)
881 {
882 klwp_t *clwp = ttolwp(curthread);
883 uint32_t uid, gid;
884
885 struct a {
886 long fd;
887 long fname; /* char * */
888 long uid;
889 long gid;
890 long flags;
891 } *uap = (struct a *)clwp->lwp_ap;
892
893 uid = (uint32_t)uap->uid;
894 gid = (uint32_t)uap->gid;
895
896 au_uwrite(au_to_arg32(3, "new file uid", uid));
897 au_uwrite(au_to_arg32(4, "new file gid", gid));
898 }
899
900 /*ARGSUSED*/
901 static void
902 aus_chmod(struct t_audit_data *tad)
903 {
904 klwp_t *clwp = ttolwp(curthread);
905 uint32_t fmode;
906
907 struct a {
908 long fname; /* char * */
909 long fmode;
910 } *uap = (struct a *)clwp->lwp_ap;
911
912 fmode = (uint32_t)uap->fmode;
913
914 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
915 }
916
917 /*ARGSUSED*/
918 static void
919 aus_fchmod(struct t_audit_data *tad)
920 {
921 klwp_t *clwp = ttolwp(curthread);
922 uint32_t fmode, fd;
923 struct file *fp;
924 struct vnode *vp;
925 struct f_audit_data *fad;
926
927 struct a {
928 long fd;
929 long fmode;
930 } *uap = (struct a *)clwp->lwp_ap;
931
932 fd = (uint32_t)uap->fd;
933 fmode = (uint32_t)uap->fmode;
934
935 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
936
937 /*
938 * convert file pointer to file descriptor
939 * Note: fd ref count incremented here.
940 */
941 if ((fp = getf(fd)) == NULL)
942 return;
943
944 /* get path from file struct here */
945 fad = F2A(fp);
946 if (fad->fad_aupath != NULL) {
947 au_uwrite(au_to_path(fad->fad_aupath));
948 } else {
949 au_uwrite(au_to_arg32(1, "no path: fd", fd));
950 }
951
952 vp = fp->f_vnode;
953 audit_attributes(vp);
954
955 /* decrement file descriptor reference count */
956 releasef(fd);
957 }
958
959 static au_event_t
960 aui_fchmodat(au_event_t e)
961 {
962 klwp_t *clwp = ttolwp(curthread);
963
964 struct a {
965 long fd;
966 long fname; /* char * */
967 long fmode;
968 long flag;
969 } *uap = (struct a *)clwp->lwp_ap;
970
971 if (uap->fname == NULL)
972 e = AUE_FCHMOD;
973 else
974 e = AUE_CHMOD;
975
976 return (e);
977 }
978
979 /*ARGSUSED*/
980 static void
981 aus_fchmodat(struct t_audit_data *tad)
982 {
983 klwp_t *clwp = ttolwp(curthread);
984 uint32_t fmode;
985 uint32_t fd;
986 struct file *fp;
987 struct vnode *vp;
988 struct f_audit_data *fad;
989
990 struct a {
991 long fd;
992 long fname; /* char * */
993 long fmode;
994 long flag;
995 } *uap = (struct a *)clwp->lwp_ap;
996
997 fd = (uint32_t)uap->fd;
998 fmode = (uint32_t)uap->fmode;
999
1000 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1001
1002 if (fd == AT_FDCWD || uap->fname != NULL) /* same as chmod() */
1003 return;
1004
1005 /*
1006 * convert file pointer to file descriptor
1007 * Note: fd ref count incremented here.
1008 */
1009 if ((fp = getf(fd)) == NULL)
1010 return;
1011
1012 /* get path from file struct here */
1013 fad = F2A(fp);
1014 if (fad->fad_aupath != NULL) {
1015 au_uwrite(au_to_path(fad->fad_aupath));
1016 } else {
1017 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1018 }
1019
1020 vp = fp->f_vnode;
1021 audit_attributes(vp);
1022
1023 /* decrement file descriptor reference count */
1024 releasef(fd);
1025 }
1026
1027 /*
1028 * convert open mode to appropriate open event
1029 */
1030 au_event_t
1031 open_event(uint_t fm)
1032 {
1033 au_event_t e;
1034
1035 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1036 case O_RDONLY:
1037 e = AUE_OPEN_R;
1038 break;
1039 case O_RDONLY | O_CREAT:
1040 e = AUE_OPEN_RC;
1041 break;
1042 case O_RDONLY | O_TRUNC:
1043 e = AUE_OPEN_RT;
1044 break;
1045 case O_RDONLY | O_TRUNC | O_CREAT:
1046 e = AUE_OPEN_RTC;
1047 break;
1048 case O_WRONLY:
1049 e = AUE_OPEN_W;
1050 break;
1051 case O_WRONLY | O_CREAT:
1052 e = AUE_OPEN_WC;
1053 break;
1054 case O_WRONLY | O_TRUNC:
1055 e = AUE_OPEN_WT;
1056 break;
1057 case O_WRONLY | O_TRUNC | O_CREAT:
1058 e = AUE_OPEN_WTC;
1059 break;
1060 case O_RDWR:
1061 e = AUE_OPEN_RW;
1062 break;
1063 case O_RDWR | O_CREAT:
1064 e = AUE_OPEN_RWC;
1065 break;
1066 case O_RDWR | O_TRUNC:
1067 e = AUE_OPEN_RWT;
1068 break;
1069 case O_RDWR | O_TRUNC | O_CREAT:
1070 e = AUE_OPEN_RWTC;
1071 break;
1072 case O_SEARCH:
1073 e = AUE_OPEN_S;
1074 break;
1075 case O_EXEC:
1076 e = AUE_OPEN_E;
1077 break;
1078 default:
1079 e = AUE_NULL;
1080 break;
1081 }
1082
1083 return (e);
1084 }
1085
1086 /* ARGSUSED */
1087 static au_event_t
1088 aui_open(au_event_t e)
1089 {
1090 klwp_t *clwp = ttolwp(curthread);
1091 uint_t fm;
1092
1093 struct a {
1094 long fnamep; /* char * */
1095 long fmode;
1096 long cmode;
1097 } *uap = (struct a *)clwp->lwp_ap;
1098
1099 fm = (uint_t)uap->fmode;
1100
1101 return (open_event(fm));
1102 }
1103
1104 static void
1105 aus_open(struct t_audit_data *tad)
1106 {
1107 klwp_t *clwp = ttolwp(curthread);
1108 uint_t fm;
1109
1110 struct a {
1111 long fnamep; /* char * */
1112 long fmode;
1113 long cmode;
1114 } *uap = (struct a *)clwp->lwp_ap;
1115
1116 fm = (uint_t)uap->fmode;
1117
1118 /* If no write, create, or trunc modes, mark as a public op */
1119 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1120 tad->tad_ctrl |= TAD_PUBLIC_EV;
1121 }
1122
1123 /* ARGSUSED */
1124 static au_event_t
1125 aui_openat(au_event_t e)
1126 {
1127 t_audit_data_t *tad = T2A(curthread);
1128 klwp_t *clwp = ttolwp(curthread);
1129 uint_t fm;
1130
1131 struct a {
1132 long filedes;
1133 long fnamep; /* char * */
1134 long fmode;
1135 long cmode;
1136 } *uap = (struct a *)clwp->lwp_ap;
1137
1138 fm = (uint_t)uap->fmode;
1139
1140 /*
1141 * __openattrdirat() does an extra pathname lookup in order to
1142 * enter the extended system attribute namespace of the referenced
1143 * extended attribute filename.
1144 */
1145 if (fm & FXATTRDIROPEN)
1146 tad->tad_ctrl |= TAD_MLD;
1147
1148 return (open_event(fm));
1149 }
1150
1151 static void
1152 aus_openat(struct t_audit_data *tad)
1153 {
1154 klwp_t *clwp = ttolwp(curthread);
1155 uint_t fm;
1156
1157 struct a {
1158 long filedes;
1159 long fnamep; /* char * */
1160 long fmode;
1161 long cmode;
1162 } *uap = (struct a *)clwp->lwp_ap;
1163
1164 fm = (uint_t)uap->fmode;
1165
1166 /* If no write, create, or trunc modes, mark as a public op */
1167 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1168 tad->tad_ctrl |= TAD_PUBLIC_EV;
1169 }
1170
1171 static au_event_t
1172 aui_unlinkat(au_event_t e)
1173 {
1174 klwp_t *clwp = ttolwp(curthread);
1175
1176 struct a {
1177 long filedes;
1178 long fnamep; /* char * */
1179 long flags;
1180 } *uap = (struct a *)clwp->lwp_ap;
1181
1182 if (uap->flags & AT_REMOVEDIR)
1183 e = AUE_RMDIR;
1184 else
1185 e = AUE_UNLINK;
1186
1187 return (e);
1188 }
1189
1190 static au_event_t
1191 aui_fstatat(au_event_t e)
1192 {
1193 klwp_t *clwp = ttolwp(curthread);
1194
1195 struct a {
1196 long filedes;
1197 long fnamep; /* char * */
1198 long statb;
1199 long flags;
1200 } *uap = (struct a *)clwp->lwp_ap;
1201
1202 if (uap->fnamep == NULL)
1203 e = AUE_FSTAT;
1204 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1205 e = AUE_LSTAT;
1206 else
1207 e = AUE_STAT;
1208
1209 return (e);
1210 }
1211
1212 /* msgsys */
1213 static au_event_t
1214 aui_msgsys(au_event_t e)
1215 {
1216 klwp_t *clwp = ttolwp(curthread);
1217 uint_t fm;
1218
1219 struct a {
1220 long id; /* function code id */
1221 long ap; /* arg pointer for recvmsg */
1222 } *uap = (struct a *)clwp->lwp_ap;
1223
1224 struct b {
1225 long msgid;
1226 long cmd;
1227 long buf; /* struct msqid_ds * */
1228 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1229
1230 fm = (uint_t)uap->id;
1231
1232 switch (fm) {
1233 case 0: /* msgget */
1234 e = AUE_MSGGET;
1235 break;
1236 case 1: /* msgctl */
1237 switch ((uint_t)uap1->cmd) {
1238 case IPC_RMID:
1239 e = AUE_MSGCTL_RMID;
1240 break;
1241 case IPC_SET:
1242 e = AUE_MSGCTL_SET;
1243 break;
1244 case IPC_STAT:
1245 e = AUE_MSGCTL_STAT;
1246 break;
1247 default:
1248 e = AUE_MSGCTL;
1249 break;
1250 }
1251 break;
1252 case 2: /* msgrcv */
1253 e = AUE_MSGRCV;
1254 break;
1255 case 3: /* msgsnd */
1256 e = AUE_MSGSND;
1257 break;
1258 default: /* illegal system call */
1259 e = AUE_NULL;
1260 break;
1261 }
1262
1263 return (e);
1264 }
1265
1266
1267 /* shmsys */
1268 static au_event_t
1269 aui_shmsys(au_event_t e)
1270 {
1271 klwp_t *clwp = ttolwp(curthread);
1272 int fm;
1273
1274 struct a { /* shmsys */
1275 long id; /* function code id */
1276 } *uap = (struct a *)clwp->lwp_ap;
1277
1278 struct b { /* ctrl */
1279 long shmid;
1280 long cmd;
1281 long arg; /* struct shmid_ds * */
1282 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1283 fm = (uint_t)uap->id;
1284
1285 switch (fm) {
1286 case 0: /* shmat */
1287 e = AUE_SHMAT;
1288 break;
1289 case 1: /* shmctl */
1290 switch ((uint_t)uap1->cmd) {
1291 case IPC_RMID:
1292 e = AUE_SHMCTL_RMID;
1293 break;
1294 case IPC_SET:
1295 e = AUE_SHMCTL_SET;
1296 break;
1297 case IPC_STAT:
1298 e = AUE_SHMCTL_STAT;
1299 break;
1300 default:
1301 e = AUE_SHMCTL;
1302 break;
1303 }
1304 break;
1305 case 2: /* shmdt */
1306 e = AUE_SHMDT;
1307 break;
1308 case 3: /* shmget */
1309 e = AUE_SHMGET;
1310 break;
1311 default: /* illegal system call */
1312 e = AUE_NULL;
1313 break;
1314 }
1315
1316 return (e);
1317 }
1318
1319
1320 /* semsys */
1321 static au_event_t
1322 aui_semsys(au_event_t e)
1323 {
1324 klwp_t *clwp = ttolwp(curthread);
1325 uint_t fm;
1326
1327 struct a { /* semsys */
1328 long id;
1329 } *uap = (struct a *)clwp->lwp_ap;
1330
1331 struct b { /* ctrl */
1332 long semid;
1333 long semnum;
1334 long cmd;
1335 long arg;
1336 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1337
1338 fm = (uint_t)uap->id;
1339
1340 switch (fm) {
1341 case 0: /* semctl */
1342 switch ((uint_t)uap1->cmd) {
1343 case IPC_RMID:
1344 e = AUE_SEMCTL_RMID;
1345 break;
1346 case IPC_SET:
1347 e = AUE_SEMCTL_SET;
1348 break;
1349 case IPC_STAT:
1350 e = AUE_SEMCTL_STAT;
1351 break;
1352 case GETNCNT:
1353 e = AUE_SEMCTL_GETNCNT;
1354 break;
1355 case GETPID:
1356 e = AUE_SEMCTL_GETPID;
1357 break;
1358 case GETVAL:
1359 e = AUE_SEMCTL_GETVAL;
1360 break;
1361 case GETALL:
1362 e = AUE_SEMCTL_GETALL;
1363 break;
1364 case GETZCNT:
1365 e = AUE_SEMCTL_GETZCNT;
1366 break;
1367 case SETVAL:
1368 e = AUE_SEMCTL_SETVAL;
1369 break;
1370 case SETALL:
1371 e = AUE_SEMCTL_SETALL;
1372 break;
1373 default:
1374 e = AUE_SEMCTL;
1375 break;
1376 }
1377 break;
1378 case 1: /* semget */
1379 e = AUE_SEMGET;
1380 break;
1381 case 2: /* semop */
1382 e = AUE_SEMOP;
1383 break;
1384 default: /* illegal system call */
1385 e = AUE_NULL;
1386 break;
1387 }
1388
1389 return (e);
1390 }
1391
1392 /* utssys - uname(2), ustat(2), fusers(2) */
1393 static au_event_t
1394 aui_utssys(au_event_t e)
1395 {
1396 klwp_t *clwp = ttolwp(curthread);
1397 uint_t type;
1398
1399 struct a {
1400 union {
1401 long cbuf; /* char * */
1402 long ubuf; /* struct stat * */
1403 } ub;
1404 union {
1405 long mv; /* for USTAT */
1406 long flags; /* for FUSERS */
1407 } un;
1408 long type;
1409 long outbp; /* char * for FUSERS */
1410 } *uap = (struct a *)clwp->lwp_ap;
1411
1412 type = (uint_t)uap->type;
1413
1414 if (type == UTS_FUSERS)
1415 return (e);
1416 else
1417 return ((au_event_t)AUE_NULL);
1418 }
1419
1420 static au_event_t
1421 aui_fcntl(au_event_t e)
1422 {
1423 klwp_t *clwp = ttolwp(curthread);
1424 uint_t cmd;
1425
1426 struct a {
1427 long fdes;
1428 long cmd;
1429 long arg;
1430 } *uap = (struct a *)clwp->lwp_ap;
1431
1432 cmd = (uint_t)uap->cmd;
1433
1434 switch (cmd) {
1435 case F_GETLK:
1436 case F_SETLK:
1437 case F_SETLKW:
1438 break;
1439 case F_SETFL:
1440 case F_GETFL:
1441 case F_GETFD:
1442 break;
1443 default:
1444 e = (au_event_t)AUE_NULL;
1445 break;
1446 }
1447 return ((au_event_t)e);
1448 }
1449
1450 /* null function for now */
1451 static au_event_t
1452 aui_execve(au_event_t e)
1453 {
1454 return (e);
1455 }
1456
1457 /*ARGSUSED*/
1458 static void
1459 aus_fcntl(struct t_audit_data *tad)
1460 {
1461 klwp_t *clwp = ttolwp(curthread);
1462 uint32_t cmd, fd, flags;
1463 struct file *fp;
1464 struct vnode *vp;
1465 struct f_audit_data *fad;
1466
1467 struct a {
1468 long fd;
1469 long cmd;
1470 long arg;
1471 } *uap = (struct a *)clwp->lwp_ap;
1472
1473 cmd = (uint32_t)uap->cmd;
1474 fd = (uint32_t)uap->fd;
1475 flags = (uint32_t)uap->arg;
1476
1477 au_uwrite(au_to_arg32(2, "cmd", cmd));
1478
1479 if (cmd == F_SETFL)
1480 au_uwrite(au_to_arg32(3, "flags", flags));
1481
1482 /*
1483 * convert file pointer to file descriptor
1484 * Note: fd ref count incremented here.
1485 */
1486 if ((fp = getf(fd)) == NULL)
1487 return;
1488
1489 /* get path from file struct here */
1490 fad = F2A(fp);
1491 if (fad->fad_aupath != NULL) {
1492 au_uwrite(au_to_path(fad->fad_aupath));
1493 } else {
1494 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1495 }
1496
1497 vp = fp->f_vnode;
1498 audit_attributes(vp);
1499
1500 /* decrement file descriptor reference count */
1501 releasef(fd);
1502 }
1503
1504 /*ARGSUSED*/
1505 static void
1506 aus_kill(struct t_audit_data *tad)
1507 {
1508 klwp_t *clwp = ttolwp(curthread);
1509 struct proc *p;
1510 uint32_t signo;
1511 uid_t uid, ruid;
1512 gid_t gid, rgid;
1513 pid_t pid;
1514 const auditinfo_addr_t *ainfo;
1515 cred_t *cr;
1516
1517 struct a {
1518 long pid;
1519 long signo;
1520 } *uap = (struct a *)clwp->lwp_ap;
1521
1522 pid = (pid_t)uap->pid;
1523 signo = (uint32_t)uap->signo;
1524
1525 au_uwrite(au_to_arg32(2, "signal", signo));
1526 if (pid > 0) {
1527 mutex_enter(&pidlock);
1528 if (((p = prfind(pid)) == (struct proc *)0) ||
1529 (p->p_stat == SIDL)) {
1530 mutex_exit(&pidlock);
1531 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1532 return;
1533 }
1534 mutex_enter(&p->p_lock); /* so process doesn't go away */
1535 mutex_exit(&pidlock);
1536
1537 mutex_enter(&p->p_crlock);
1538 crhold(cr = p->p_cred);
1539 mutex_exit(&p->p_crlock);
1540 mutex_exit(&p->p_lock);
1541
1542 ainfo = crgetauinfo(cr);
1543 if (ainfo == NULL) {
1544 crfree(cr);
1545 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1546 return;
1547 }
1548
1549 uid = crgetuid(cr);
1550 gid = crgetgid(cr);
1551 ruid = crgetruid(cr);
1552 rgid = crgetrgid(cr);
1553 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1554 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1555
1556 if (is_system_labeled())
1557 au_uwrite(au_to_label(CR_SL(cr)));
1558
1559 crfree(cr);
1560 }
1561 else
1562 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1563 }
1564
1565 /*ARGSUSED*/
1566 static void
1567 aus_mkdir(struct t_audit_data *tad)
1568 {
1569 klwp_t *clwp = ttolwp(curthread);
1570 uint32_t dmode;
1571
1572 struct a {
1573 long dirnamep; /* char * */
1574 long dmode;
1575 } *uap = (struct a *)clwp->lwp_ap;
1576
1577 dmode = (uint32_t)uap->dmode;
1578
1579 au_uwrite(au_to_arg32(2, "mode", dmode));
1580 }
1581
1582 /*ARGSUSED*/
1583 static void
1584 aus_mkdirat(struct t_audit_data *tad)
1585 {
1586 klwp_t *clwp = ttolwp(curthread);
1587 uint32_t dmode;
1588
1589 struct a {
1590 long fd;
1591 long dirnamep; /* char * */
1592 long dmode;
1593 } *uap = (struct a *)clwp->lwp_ap;
1594
1595 dmode = (uint32_t)uap->dmode;
1596
1597 au_uwrite(au_to_arg32(2, "mode", dmode));
1598 }
1599
1600 /*ARGSUSED*/
1601 static void
1602 aus_mknod(struct t_audit_data *tad)
1603 {
1604 klwp_t *clwp = ttolwp(curthread);
1605 uint32_t fmode;
1606 dev_t dev;
1607
1608 struct a {
1609 long pnamep; /* char * */
1610 long fmode;
1611 long dev;
1612 } *uap = (struct a *)clwp->lwp_ap;
1613
1614 fmode = (uint32_t)uap->fmode;
1615 dev = (dev_t)uap->dev;
1616
1617 au_uwrite(au_to_arg32(2, "mode", fmode));
1618 #ifdef _LP64
1619 au_uwrite(au_to_arg64(3, "dev", dev));
1620 #else
1621 au_uwrite(au_to_arg32(3, "dev", dev));
1622 #endif
1623 }
1624
1625 /*ARGSUSED*/
1626 static void
1627 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1628 {
1629 klwp_t *clwp = ttolwp(curthread);
1630 vnode_t *dvp;
1631 caddr_t pnamep;
1632
1633 struct a {
1634 long pnamep; /* char * */
1635 long fmode;
1636 long dev;
1637 } *uap = (struct a *)clwp->lwp_ap;
1638
1639 /* no error, then already path token in audit record */
1640 if (error != EPERM && error != EINVAL)
1641 return;
1642
1643 /* do the lookup to force generation of path token */
1644 pnamep = (caddr_t)uap->pnamep;
1645 tad->tad_ctrl |= TAD_NOATTRB;
1646 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1647 if (error == 0)
1648 VN_RELE(dvp);
1649 }
1650
1651 /*ARGSUSED*/
1652 static void
1653 aus_mknodat(struct t_audit_data *tad)
1654 {
1655 klwp_t *clwp = ttolwp(curthread);
1656 uint32_t fmode;
1657 dev_t dev;
1658
1659 struct a {
1660 long fd;
1661 long pnamep; /* char * */
1662 long fmode;
1663 long dev;
1664 } *uap = (struct a *)clwp->lwp_ap;
1665
1666 fmode = (uint32_t)uap->fmode;
1667 dev = (dev_t)uap->dev;
1668
1669 au_uwrite(au_to_arg32(2, "mode", fmode));
1670 #ifdef _LP64
1671 au_uwrite(au_to_arg64(3, "dev", dev));
1672 #else
1673 au_uwrite(au_to_arg32(3, "dev", dev));
1674 #endif
1675 }
1676
1677 /*ARGSUSED*/
1678 static void
1679 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1680 {
1681 klwp_t *clwp = ttolwp(curthread);
1682 vnode_t *startvp;
1683 vnode_t *dvp;
1684 caddr_t pnamep;
1685 int fd;
1686
1687 struct a {
1688 long fd;
1689 long pnamep; /* char * */
1690 long fmode;
1691 long dev;
1692 } *uap = (struct a *)clwp->lwp_ap;
1693
1694 /* no error, then already path token in audit record */
1695 if (error != EPERM && error != EINVAL)
1696 return;
1697
1698 /* do the lookup to force generation of path token */
1699 fd = (int)uap->fd;
1700 pnamep = (caddr_t)uap->pnamep;
1701 if (pnamep == NULL ||
1702 fgetstartvp(fd, pnamep, &startvp) != 0)
1703 return;
1704 tad->tad_ctrl |= TAD_NOATTRB;
1705 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1706 startvp);
1707 if (error == 0)
1708 VN_RELE(dvp);
1709 if (startvp != NULL)
1710 VN_RELE(startvp);
1711 }
1712
1713 /*ARGSUSED*/
1714 static void
1715 aus_mount(struct t_audit_data *tad)
1716 { /* AUS_START */
1717 klwp_t *clwp = ttolwp(curthread);
1718 uint32_t flags;
1719 uintptr_t u_fstype, dataptr;
1720 STRUCT_DECL(nfs_args, nfsargs);
1721 size_t len;
1722 char *fstype, *hostname;
1723
1724 struct a {
1725 long spec; /* char * */
1726 long dir; /* char * */
1727 long flags;
1728 long fstype; /* char * */
1729 long dataptr; /* char * */
1730 long datalen;
1731 } *uap = (struct a *)clwp->lwp_ap;
1732
1733 u_fstype = (uintptr_t)uap->fstype;
1734 flags = (uint32_t)uap->flags;
1735 dataptr = (uintptr_t)uap->dataptr;
1736
1737 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1738 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1739 goto mount_free_fstype;
1740
1741 au_uwrite(au_to_arg32(3, "flags", flags));
1742 au_uwrite(au_to_text(fstype));
1743
1744 if (strncmp(fstype, "nfs", 3) == 0) {
1745
1746 STRUCT_INIT(nfsargs, get_udatamodel());
1747 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1748
1749 if (copyin((caddr_t)dataptr,
1750 STRUCT_BUF(nfsargs),
1751 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1752 /* DEBUG debug_enter((char *)NULL); */
1753 goto mount_free_fstype;
1754 }
1755 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1756 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1757 (caddr_t)hostname,
1758 MAXNAMELEN, &len)) {
1759 goto mount_free_hostname;
1760 }
1761 au_uwrite(au_to_text(hostname));
1762 au_uwrite(au_to_arg32(3, "internal flags",
1763 (uint_t)STRUCT_FGET(nfsargs, flags)));
1764
1765 mount_free_hostname:
1766 kmem_free(hostname, MAXNAMELEN);
1767 }
1768
1769 mount_free_fstype:
1770 kmem_free(fstype, MAXNAMELEN);
1771 } /* AUS_MOUNT */
1772
1773 static void
1774 aus_umount_path(caddr_t umount_dir)
1775 {
1776 char *dir_path;
1777 struct audit_path *path;
1778 size_t path_len, dir_len;
1779
1780 /* length alloc'd for two string pointers */
1781 path_len = sizeof (struct audit_path) + sizeof (char *);
1782 path = kmem_alloc(path_len, KM_SLEEP);
1783 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1784
1785 if (copyinstr(umount_dir, (caddr_t)dir_path,
1786 MAXPATHLEN, &dir_len))
1787 goto umount2_free_dir;
1788
1789 /*
1790 * the audit_path struct assumes that the buffer pointed to
1791 * by audp_sect[n] contains string 0 immediatedly followed
1792 * by string 1.
1793 */
1794 path->audp_sect[0] = dir_path;
1795 path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1796 path->audp_size = path_len;
1797 path->audp_ref = 1; /* not used */
1798 path->audp_cnt = 1; /* one path string */
1799
1800 au_uwrite(au_to_path(path));
1801
1802 umount2_free_dir:
1803 kmem_free(dir_path, MAXPATHLEN);
1804 kmem_free(path, path_len);
1805 }
1806
1807 /*ARGSUSED*/
1808 static void
1809 aus_umount2(struct t_audit_data *tad)
1810 {
1811 klwp_t *clwp = ttolwp(curthread);
1812 struct a {
1813 long dir; /* char * */
1814 long flags;
1815 } *uap = (struct a *)clwp->lwp_ap;
1816
1817 aus_umount_path((caddr_t)uap->dir);
1818
1819 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1820 }
1821
1822 static void
1823 aus_msgsys(struct t_audit_data *tad)
1824 {
1825 klwp_t *clwp = ttolwp(curthread);
1826 uint32_t msgid;
1827
1828 struct b {
1829 long msgid;
1830 long cmd;
1831 long buf; /* struct msqid_ds * */
1832 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1833
1834 msgid = (uint32_t)uap1->msgid;
1835
1836
1837 switch (tad->tad_event) {
1838 case AUE_MSGGET: /* msgget */
1839 au_uwrite(au_to_arg32(1, "msg key", msgid));
1840 break;
1841 case AUE_MSGCTL: /* msgctl */
1842 case AUE_MSGCTL_RMID: /* msgctl */
1843 case AUE_MSGCTL_SET: /* msgctl */
1844 case AUE_MSGCTL_STAT: /* msgctl */
1845 case AUE_MSGRCV: /* msgrcv */
1846 case AUE_MSGSND: /* msgsnd */
1847 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1848 break;
1849 }
1850 }
1851
1852 /*ARGSUSED*/
1853 static void
1854 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1855 {
1856 int id;
1857
1858 if (error != 0)
1859 return;
1860 if (tad->tad_event == AUE_MSGGET) {
1861 uint32_t scid;
1862 uint32_t sy_flags;
1863
1864 /* need to determine type of executing binary */
1865 scid = tad->tad_scid;
1866 #ifdef _SYSCALL32_IMPL
1867 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1868 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1869 else
1870 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1871 #else
1872 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1873 #endif
1874 if (sy_flags == SE_32RVAL1)
1875 id = rval->r_val1;
1876 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1877 id = rval->r_val1;
1878 if (sy_flags == SE_64RVAL)
1879 id = (int)rval->r_vals;
1880
1881 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1882 }
1883 }
1884
1885 static void
1886 aus_semsys(struct t_audit_data *tad)
1887 {
1888 klwp_t *clwp = ttolwp(curthread);
1889 uint32_t semid;
1890
1891 struct b { /* ctrl */
1892 long semid;
1893 long semnum;
1894 long cmd;
1895 long arg;
1896 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1897
1898 semid = (uint32_t)uap1->semid;
1899
1900 switch (tad->tad_event) {
1901 case AUE_SEMCTL_RMID:
1902 case AUE_SEMCTL_STAT:
1903 case AUE_SEMCTL_GETNCNT:
1904 case AUE_SEMCTL_GETPID:
1905 case AUE_SEMCTL_GETVAL:
1906 case AUE_SEMCTL_GETALL:
1907 case AUE_SEMCTL_GETZCNT:
1908 case AUE_SEMCTL_SET:
1909 case AUE_SEMCTL_SETVAL:
1910 case AUE_SEMCTL_SETALL:
1911 case AUE_SEMCTL:
1912 case AUE_SEMOP:
1913 au_uwrite(au_to_arg32(1, "sem ID", semid));
1914 break;
1915 case AUE_SEMGET:
1916 au_uwrite(au_to_arg32(1, "sem key", semid));
1917 break;
1918 }
1919 }
1920
1921 /*ARGSUSED*/
1922 static void
1923 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1924 {
1925 int id;
1926
1927 if (error != 0)
1928 return;
1929 if (tad->tad_event == AUE_SEMGET) {
1930 uint32_t scid;
1931 uint32_t sy_flags;
1932
1933 /* need to determine type of executing binary */
1934 scid = tad->tad_scid;
1935 #ifdef _SYSCALL32_IMPL
1936 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1937 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1938 else
1939 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1940 #else
1941 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1942 #endif
1943 if (sy_flags == SE_32RVAL1)
1944 id = rval->r_val1;
1945 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1946 id = rval->r_val1;
1947 if (sy_flags == SE_64RVAL)
1948 id = (int)rval->r_vals;
1949
1950 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1951 }
1952 }
1953
1954 /*ARGSUSED*/
1955 static void
1956 aus_close(struct t_audit_data *tad)
1957 {
1958 klwp_t *clwp = ttolwp(curthread);
1959 uint32_t fd;
1960 struct file *fp;
1961 struct f_audit_data *fad;
1962 struct vnode *vp;
1963 struct vattr attr;
1964 au_kcontext_t *kctx = GET_KCTX_PZ;
1965
1966 struct a {
1967 long i;
1968 } *uap = (struct a *)clwp->lwp_ap;
1969
1970 fd = (uint32_t)uap->i;
1971
1972 attr.va_mask = 0;
1973 au_uwrite(au_to_arg32(1, "fd", fd));
1974
1975 /*
1976 * convert file pointer to file descriptor
1977 * Note: fd ref count incremented here.
1978 */
1979 if ((fp = getf(fd)) == NULL)
1980 return;
1981
1982 fad = F2A(fp);
1983 tad->tad_evmod = (au_emod_t)fad->fad_flags;
1984 if (fad->fad_aupath != NULL) {
1985 au_uwrite(au_to_path(fad->fad_aupath));
1986 if ((vp = fp->f_vnode) != NULL) {
1987 attr.va_mask = AT_ALL;
1988 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1989 /*
1990 * When write was not used and the file can be
1991 * considered public, skip the audit.
1992 */
1993 if (((fp->f_flag & FWRITE) == 0) &&
1994 object_is_public(&attr)) {
1995 tad->tad_flag = 0;
1996 tad->tad_evmod = 0;
1997 /* free any residual audit data */
1998 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1999 releasef(fd);
2000 return;
2001 }
2002 au_uwrite(au_to_attr(&attr));
2003 audit_sec_attributes(&(u_ad), vp);
2004 }
2005 }
2006 }
2007
2008 /* decrement file descriptor reference count */
2009 releasef(fd);
2010 }
2011
2012 /*ARGSUSED*/
2013 static void
2014 aus_fstatfs(struct t_audit_data *tad)
2015 {
2016 klwp_t *clwp = ttolwp(curthread);
2017 uint32_t fd;
2018 struct file *fp;
2019 struct vnode *vp;
2020 struct f_audit_data *fad;
2021
2022 struct a {
2023 long fd;
2024 long buf; /* struct statfs * */
2025 } *uap = (struct a *)clwp->lwp_ap;
2026
2027 fd = (uint_t)uap->fd;
2028
2029 /*
2030 * convert file pointer to file descriptor
2031 * Note: fd ref count incremented here.
2032 */
2033 if ((fp = getf(fd)) == NULL)
2034 return;
2035
2036 /* get path from file struct here */
2037 fad = F2A(fp);
2038 if (fad->fad_aupath != NULL) {
2039 au_uwrite(au_to_path(fad->fad_aupath));
2040 } else {
2041 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2042 }
2043
2044 vp = fp->f_vnode;
2045 audit_attributes(vp);
2046
2047 /* decrement file descriptor reference count */
2048 releasef(fd);
2049 }
2050
2051 static au_event_t
2052 aui_setpgrp(au_event_t e)
2053 {
2054 klwp_t *clwp = ttolwp(curthread);
2055 int flag;
2056
2057 struct a {
2058 long flag;
2059 long pid;
2060 long pgid;
2061 } *uap = (struct a *)clwp->lwp_ap;
2062
2063 flag = (int)uap->flag;
2064
2065
2066 switch (flag) {
2067
2068 case 1: /* setpgrp() */
2069 e = AUE_SETPGRP;
2070 break;
2071
2072 case 3: /* setsid() */
2073 e = AUE_SETSID;
2074 break;
2075
2076 case 5: /* setpgid() */
2077 e = AUE_SETPGID;
2078 break;
2079
2080 case 0: /* getpgrp() - not security relevant */
2081 case 2: /* getsid() - not security relevant */
2082 case 4: /* getpgid() - not security relevant */
2083 e = AUE_NULL;
2084 break;
2085
2086 default:
2087 e = AUE_NULL;
2088 break;
2089 }
2090
2091 return (e);
2092 }
2093
2094 /*ARGSUSED*/
2095 static void
2096 aus_setpgrp(struct t_audit_data *tad)
2097 {
2098 klwp_t *clwp = ttolwp(curthread);
2099 pid_t pgid;
2100 struct proc *p;
2101 uid_t uid, ruid;
2102 gid_t gid, rgid;
2103 pid_t pid;
2104 cred_t *cr;
2105 int flag;
2106 const auditinfo_addr_t *ainfo;
2107
2108 struct a {
2109 long flag;
2110 long pid;
2111 long pgid;
2112 } *uap = (struct a *)clwp->lwp_ap;
2113
2114 flag = (int)uap->flag;
2115 pid = (pid_t)uap->pid;
2116 pgid = (pid_t)uap->pgid;
2117
2118
2119 switch (flag) {
2120
2121 case 0: /* getpgrp() */
2122 case 1: /* setpgrp() */
2123 case 2: /* getsid() */
2124 case 3: /* setsid() */
2125 case 4: /* getpgid() */
2126 break;
2127
2128 case 5: /* setpgid() */
2129
2130 /* current process? */
2131 if (pid == 0) {
2132 return;
2133 }
2134
2135 mutex_enter(&pidlock);
2136 p = prfind(pid);
2137 if (p == NULL || p->p_as == &kas ||
2138 p->p_stat == SIDL || p->p_stat == SZOMB) {
2139 mutex_exit(&pidlock);
2140 return;
2141 }
2142 mutex_enter(&p->p_lock); /* so process doesn't go away */
2143 mutex_exit(&pidlock);
2144
2145 mutex_enter(&p->p_crlock);
2146 crhold(cr = p->p_cred);
2147 mutex_exit(&p->p_crlock);
2148 mutex_exit(&p->p_lock);
2149
2150 ainfo = crgetauinfo(cr);
2151 if (ainfo == NULL) {
2152 crfree(cr);
2153 return;
2154 }
2155
2156 uid = crgetuid(cr);
2157 gid = crgetgid(cr);
2158 ruid = crgetruid(cr);
2159 rgid = crgetrgid(cr);
2160 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2161 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2162 crfree(cr);
2163 au_uwrite(au_to_arg32(2, "pgid", pgid));
2164 break;
2165
2166 default:
2167 break;
2168 }
2169 }
2170
2171
2172 /*ARGSUSED*/
2173 static void
2174 aus_setregid(struct t_audit_data *tad)
2175 {
2176 klwp_t *clwp = ttolwp(curthread);
2177 uint32_t rgid, egid;
2178
2179 struct a {
2180 long rgid;
2181 long egid;
2182 } *uap = (struct a *)clwp->lwp_ap;
2183
2184 rgid = (uint32_t)uap->rgid;
2185 egid = (uint32_t)uap->egid;
2186
2187 au_uwrite(au_to_arg32(1, "rgid", rgid));
2188 au_uwrite(au_to_arg32(2, "egid", egid));
2189 }
2190
2191 /*ARGSUSED*/
2192 static void
2193 aus_setgid(struct t_audit_data *tad)
2194 {
2195 klwp_t *clwp = ttolwp(curthread);
2196 uint32_t gid;
2197
2198 struct a {
2199 long gid;
2200 } *uap = (struct a *)clwp->lwp_ap;
2201
2202 gid = (uint32_t)uap->gid;
2203
2204 au_uwrite(au_to_arg32(1, "gid", gid));
2205 }
2206
2207
2208 /*ARGSUSED*/
2209 static void
2210 aus_setreuid(struct t_audit_data *tad)
2211 {
2212 klwp_t *clwp = ttolwp(curthread);
2213 uint32_t ruid, euid;
2214
2215 struct a {
2216 long ruid;
2217 long euid;
2218 } *uap = (struct a *)clwp->lwp_ap;
2219
2220 ruid = (uint32_t)uap->ruid;
2221 euid = (uint32_t)uap->euid;
2222
2223 au_uwrite(au_to_arg32(1, "ruid", ruid));
2224 au_uwrite(au_to_arg32(2, "euid", euid));
2225 }
2226
2227
2228 /*ARGSUSED*/
2229 static void
2230 aus_setuid(struct t_audit_data *tad)
2231 {
2232 klwp_t *clwp = ttolwp(curthread);
2233 uint32_t uid;
2234
2235 struct a {
2236 long uid;
2237 } *uap = (struct a *)clwp->lwp_ap;
2238
2239 uid = (uint32_t)uap->uid;
2240
2241 au_uwrite(au_to_arg32(1, "uid", uid));
2242 }
2243
2244 /*ARGSUSED*/
2245 static void
2246 aus_shmsys(struct t_audit_data *tad)
2247 {
2248 klwp_t *clwp = ttolwp(curthread);
2249 uint32_t id, cmd;
2250
2251 struct b {
2252 long id;
2253 long cmd;
2254 long buf; /* struct shmid_ds * */
2255 } *uap1 = (struct b *)&clwp->lwp_ap[1];
2256
2257 id = (uint32_t)uap1->id;
2258 cmd = (uint32_t)uap1->cmd;
2259
2260 switch (tad->tad_event) {
2261 case AUE_SHMGET: /* shmget */
2262 au_uwrite(au_to_arg32(1, "shm key", id));
2263 break;
2264 case AUE_SHMCTL: /* shmctl */
2265 case AUE_SHMCTL_RMID: /* shmctl */
2266 case AUE_SHMCTL_STAT: /* shmctl */
2267 case AUE_SHMCTL_SET: /* shmctl */
2268 au_uwrite(au_to_arg32(1, "shm ID", id));
2269 break;
2270 case AUE_SHMDT: /* shmdt */
2271 au_uwrite(au_to_arg32(1, "shm adr", id));
2272 break;
2273 case AUE_SHMAT: /* shmat */
2274 au_uwrite(au_to_arg32(1, "shm ID", id));
2275 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2276 break;
2277 }
2278 }
2279
2280 /*ARGSUSED*/
2281 static void
2282 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2283 {
2284 int id;
2285
2286 if (error != 0)
2287 return;
2288 if (tad->tad_event == AUE_SHMGET) {
2289 uint32_t scid;
2290 uint32_t sy_flags;
2291
2292 /* need to determine type of executing binary */
2293 scid = tad->tad_scid;
2294 #ifdef _SYSCALL32_IMPL
2295 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2296 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2297 else
2298 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2299 #else
2300 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2301 #endif
2302 if (sy_flags == SE_32RVAL1)
2303 id = rval->r_val1;
2304 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2305 id = rval->r_val1;
2306 if (sy_flags == SE_64RVAL)
2307 id = (int)rval->r_vals;
2308 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2309 }
2310 }
2311
2312
2313 /*ARGSUSED*/
2314 static void
2315 aus_ioctl(struct t_audit_data *tad)
2316 {
2317 klwp_t *clwp = ttolwp(curthread);
2318 struct file *fp;
2319 struct vnode *vp;
2320 struct f_audit_data *fad;
2321 uint32_t fd, cmd;
2322 uintptr_t cmarg;
2323
2324 /* XX64 */
2325 struct a {
2326 long fd;
2327 long cmd;
2328 long cmarg; /* caddr_t */
2329 } *uap = (struct a *)clwp->lwp_ap;
2330
2331 fd = (uint32_t)uap->fd;
2332 cmd = (uint32_t)uap->cmd;
2333 cmarg = (uintptr_t)uap->cmarg;
2334
2335 /*
2336 * convert file pointer to file descriptor
2337 * Note: fd ref count incremented here.
2338 */
2339 if ((fp = getf(fd)) == NULL) {
2340 au_uwrite(au_to_arg32(1, "fd", fd));
2341 au_uwrite(au_to_arg32(2, "cmd", cmd));
2342 #ifndef _LP64
2343 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2344 #else
2345 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2346 #endif
2347 return;
2348 }
2349
2350 /* get path from file struct here */
2351 fad = F2A(fp);
2352 if (fad->fad_aupath != NULL) {
2353 au_uwrite(au_to_path(fad->fad_aupath));
2354 } else {
2355 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2356 }
2357
2358 vp = fp->f_vnode;
2359 audit_attributes(vp);
2360
2361 /* decrement file descriptor reference count */
2362 releasef(fd);
2363
2364 au_uwrite(au_to_arg32(2, "cmd", cmd));
2365 #ifndef _LP64
2366 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2367 #else
2368 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2369 #endif
2370 }
2371
2372 /*
2373 * null function for memcntl for now. We might want to limit memcntl()
2374 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2375 * require privileges.
2376 */
2377 static au_event_t
2378 aui_memcntl(au_event_t e)
2379 {
2380 return (e);
2381 }
2382
2383 /*ARGSUSED*/
2384 static au_event_t
2385 aui_privsys(au_event_t e)
2386 {
2387 klwp_t *clwp = ttolwp(curthread);
2388
2389 struct a {
2390 long opcode;
2391 } *uap = (struct a *)clwp->lwp_ap;
2392
2393 switch (uap->opcode) {
2394 case PRIVSYS_SETPPRIV:
2395 return (AUE_SETPPRIV);
2396 default:
2397 return (AUE_NULL);
2398 }
2399 }
2400
2401 /*ARGSUSED*/
2402 static void
2403 aus_memcntl(struct t_audit_data *tad)
2404 {
2405 klwp_t *clwp = ttolwp(curthread);
2406
2407 struct a {
2408 long addr;
2409 long len;
2410 long cmd;
2411 long arg;
2412 long attr;
2413 long mask;
2414 } *uap = (struct a *)clwp->lwp_ap;
2415
2416 #ifdef _LP64
2417 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2418 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2419 #else
2420 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2421 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2422 #endif
2423 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2424 #ifdef _LP64
2425 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2426 #else
2427 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2428 #endif
2429 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2430 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2431 }
2432
2433 /*ARGSUSED*/
2434 static void
2435 aus_mmap(struct t_audit_data *tad)
2436 {
2437 klwp_t *clwp = ttolwp(curthread);
2438 struct file *fp;
2439 struct f_audit_data *fad;
2440 struct vnode *vp;
2441 uint32_t fd;
2442
2443 struct a {
2444 long addr;
2445 long len;
2446 long prot;
2447 long flags;
2448 long fd;
2449 long pos;
2450 } *uap = (struct a *)clwp->lwp_ap;
2451
2452 fd = (uint32_t)uap->fd;
2453
2454 #ifdef _LP64
2455 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2456 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2457 #else
2458 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2459 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2460 #endif
2461
2462 if ((fp = getf(fd)) == NULL) {
2463 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2464 return;
2465 }
2466
2467 /*
2468 * Mark in the tad if write access is NOT requested... if
2469 * this is later detected (in audit_attributes) to be a
2470 * public object, the mmap event may be discarded.
2471 */
2472 if (((uap->prot) & PROT_WRITE) == 0) {
2473 tad->tad_ctrl |= TAD_PUBLIC_EV;
2474 }
2475
2476 fad = F2A(fp);
2477 if (fad->fad_aupath != NULL) {
2478 au_uwrite(au_to_path(fad->fad_aupath));
2479 } else {
2480 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2481 }
2482
2483 vp = (struct vnode *)fp->f_vnode;
2484 audit_attributes(vp);
2485
2486 /* mark READ/WRITE since we can't predict access */
2487 if (uap->prot & PROT_READ)
2488 fad->fad_flags |= FAD_READ;
2489 if (uap->prot & PROT_WRITE)
2490 fad->fad_flags |= FAD_WRITE;
2491
2492 /* decrement file descriptor reference count */
2493 releasef(fd);
2494
2495 } /* AUS_MMAP */
2496
2497
2498
2499
2500 /*ARGSUSED*/
2501 static void
2502 aus_munmap(struct t_audit_data *tad)
2503 {
2504 klwp_t *clwp = ttolwp(curthread);
2505
2506 struct a {
2507 long addr;
2508 long len;
2509 } *uap = (struct a *)clwp->lwp_ap;
2510
2511 #ifdef _LP64
2512 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2513 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2514 #else
2515 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2516 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2517 #endif
2518
2519 } /* AUS_MUNMAP */
2520
2521
2522
2523
2524
2525
2526
2527 /*ARGSUSED*/
2528 static void
2529 aus_priocntlsys(struct t_audit_data *tad)
2530 {
2531 klwp_t *clwp = ttolwp(curthread);
2532
2533 struct a {
2534 long pc_version;
2535 long psp; /* procset_t */
2536 long cmd;
2537 long arg;
2538 } *uap = (struct a *)clwp->lwp_ap;
2539
2540 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2541 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2542
2543 } /* AUS_PRIOCNTLSYS */
2544
2545
2546 /*ARGSUSED*/
2547 static void
2548 aus_setegid(struct t_audit_data *tad)
2549 {
2550 klwp_t *clwp = ttolwp(curthread);
2551 uint32_t gid;
2552
2553 struct a {
2554 long gid;
2555 } *uap = (struct a *)clwp->lwp_ap;
2556
2557 gid = (uint32_t)uap->gid;
2558
2559 au_uwrite(au_to_arg32(1, "gid", gid));
2560 } /* AUS_SETEGID */
2561
2562
2563
2564
2565 /*ARGSUSED*/
2566 static void
2567 aus_setgroups(struct t_audit_data *tad)
2568 {
2569 klwp_t *clwp = ttolwp(curthread);
2570 int i;
2571 int gidsetsize;
2572 uintptr_t gidset;
2573 gid_t *gidlist;
2574
2575 struct a {
2576 long gidsetsize;
2577 long gidset;
2578 } *uap = (struct a *)clwp->lwp_ap;
2579
2580 gidsetsize = (uint_t)uap->gidsetsize;
2581 gidset = (uintptr_t)uap->gidset;
2582
2583 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2584 return;
2585 if (gidsetsize != 0) {
2586 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2587 KM_SLEEP);
2588 if (copyin((caddr_t)gidset, gidlist,
2589 gidsetsize * sizeof (gid_t)) == 0)
2590 for (i = 0; i < gidsetsize; i++)
2591 au_uwrite(au_to_arg32(1, "setgroups",
2592 (uint32_t)gidlist[i]));
2593 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2594 } else
2595 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2596
2597 } /* AUS_SETGROUPS */
2598
2599
2600
2601
2602
2603 /*ARGSUSED*/
2604 static void
2605 aus_seteuid(struct t_audit_data *tad)
2606 {
2607 klwp_t *clwp = ttolwp(curthread);
2608 uint32_t uid;
2609
2610 struct a {
2611 long uid;
2612 } *uap = (struct a *)clwp->lwp_ap;
2613
2614 uid = (uint32_t)uap->uid;
2615
2616 au_uwrite(au_to_arg32(1, "euid", uid));
2617
2618 } /* AUS_SETEUID */
2619
2620 /*ARGSUSED*/
2621 static void
2622 aus_putmsg(struct t_audit_data *tad)
2623 {
2624 klwp_t *clwp = ttolwp(curthread);
2625 uint32_t fd, pri;
2626 struct file *fp;
2627 struct f_audit_data *fad;
2628
2629 struct a {
2630 long fdes;
2631 long ctl; /* struct strbuf * */
2632 long data; /* struct strbuf * */
2633 long pri;
2634 } *uap = (struct a *)clwp->lwp_ap;
2635
2636 fd = (uint32_t)uap->fdes;
2637 pri = (uint32_t)uap->pri;
2638
2639 au_uwrite(au_to_arg32(1, "fd", fd));
2640
2641 if ((fp = getf(fd)) != NULL) {
2642 fad = F2A(fp);
2643
2644 fad->fad_flags |= FAD_WRITE;
2645
2646 /* add path name to audit record */
2647 if (fad->fad_aupath != NULL) {
2648 au_uwrite(au_to_path(fad->fad_aupath));
2649 }
2650 audit_attributes(fp->f_vnode);
2651
2652 releasef(fd);
2653 }
2654
2655 au_uwrite(au_to_arg32(4, "pri", pri));
2656 }
2657
2658 /*ARGSUSED*/
2659 static void
2660 aus_putpmsg(struct t_audit_data *tad)
2661 {
2662 klwp_t *clwp = ttolwp(curthread);
2663 uint32_t fd, pri, flags;
2664 struct file *fp;
2665 struct f_audit_data *fad;
2666
2667 struct a {
2668 long fdes;
2669 long ctl; /* struct strbuf * */
2670 long data; /* struct strbuf * */
2671 long pri;
2672 long flags;
2673 } *uap = (struct a *)clwp->lwp_ap;
2674
2675 fd = (uint32_t)uap->fdes;
2676 pri = (uint32_t)uap->pri;
2677 flags = (uint32_t)uap->flags;
2678
2679 au_uwrite(au_to_arg32(1, "fd", fd));
2680
2681 if ((fp = getf(fd)) != NULL) {
2682 fad = F2A(fp);
2683
2684 fad->fad_flags |= FAD_WRITE;
2685
2686 /* add path name to audit record */
2687 if (fad->fad_aupath != NULL) {
2688 au_uwrite(au_to_path(fad->fad_aupath));
2689 }
2690 audit_attributes(fp->f_vnode);
2691
2692 releasef(fd);
2693 }
2694
2695
2696 au_uwrite(au_to_arg32(4, "pri", pri));
2697 au_uwrite(au_to_arg32(5, "flags", flags));
2698 }
2699
2700 /*ARGSUSED*/
2701 static void
2702 aus_getmsg(struct t_audit_data *tad)
2703 {
2704 klwp_t *clwp = ttolwp(curthread);
2705 uint32_t fd, pri;
2706 struct file *fp;
2707 struct f_audit_data *fad;
2708
2709 struct a {
2710 long fdes;
2711 long ctl; /* struct strbuf * */
2712 long data; /* struct strbuf * */
2713 long pri;
2714 } *uap = (struct a *)clwp->lwp_ap;
2715
2716 fd = (uint32_t)uap->fdes;
2717 pri = (uint32_t)uap->pri;
2718
2719 au_uwrite(au_to_arg32(1, "fd", fd));
2720
2721 if ((fp = getf(fd)) != NULL) {
2722 fad = F2A(fp);
2723
2724 /*
2725 * read operation on this object
2726 */
2727 fad->fad_flags |= FAD_READ;
2728
2729 /* add path name to audit record */
2730 if (fad->fad_aupath != NULL) {
2731 au_uwrite(au_to_path(fad->fad_aupath));
2732 }
2733 audit_attributes(fp->f_vnode);
2734
2735 releasef(fd);
2736 }
2737
2738 au_uwrite(au_to_arg32(4, "pri", pri));
2739 }
2740
2741 /*ARGSUSED*/
2742 static void
2743 aus_getpmsg(struct t_audit_data *tad)
2744 {
2745 klwp_t *clwp = ttolwp(curthread);
2746 uint32_t fd;
2747 struct file *fp;
2748 struct f_audit_data *fad;
2749
2750 struct a {
2751 long fdes;
2752 long ctl; /* struct strbuf * */
2753 long data; /* struct strbuf * */
2754 long pri;
2755 long flags;
2756 } *uap = (struct a *)clwp->lwp_ap;
2757
2758 fd = (uint32_t)uap->fdes;
2759
2760 au_uwrite(au_to_arg32(1, "fd", fd));
2761
2762 if ((fp = getf(fd)) != NULL) {
2763 fad = F2A(fp);
2764
2765 /*
2766 * read operation on this object
2767 */
2768 fad->fad_flags |= FAD_READ;
2769
2770 /* add path name to audit record */
2771 if (fad->fad_aupath != NULL) {
2772 au_uwrite(au_to_path(fad->fad_aupath));
2773 }
2774 audit_attributes(fp->f_vnode);
2775
2776 releasef(fd);
2777 }
2778 }
2779
2780 static au_event_t
2781 aui_labelsys(au_event_t e)
2782 {
2783 klwp_t *clwp = ttolwp(curthread);
2784 uint32_t code;
2785 uint32_t cmd;
2786
2787 struct a {
2788 long code;
2789 long cmd;
2790 } *uap = (struct a *)clwp->lwp_ap;
2791
2792 code = (uint32_t)uap->code;
2793 cmd = (uint32_t)uap->cmd;
2794
2795 /* not security relevant if not changing kernel cache */
2796 if (cmd == TNDB_GET)
2797 return (AUE_NULL);
2798
2799 switch (code) {
2800 case TSOL_TNRH:
2801 e = AUE_LABELSYS_TNRH;
2802 break;
2803 case TSOL_TNRHTP:
2804 e = AUE_LABELSYS_TNRHTP;
2805 break;
2806 case TSOL_TNMLP:
2807 e = AUE_LABELSYS_TNMLP;
2808 break;
2809 default:
2810 e = AUE_NULL;
2811 break;
2812 }
2813
2814 return (e);
2815
2816 }
2817
2818 static void
2819 aus_labelsys(struct t_audit_data *tad)
2820 {
2821 klwp_t *clwp = ttolwp(curthread);
2822 uint32_t cmd;
2823 uintptr_t a2;
2824
2825 struct a {
2826 long code;
2827 long cmd;
2828 long a2;
2829 } *uap = (struct a *)clwp->lwp_ap;
2830
2831 cmd = (uint32_t)uap->cmd;
2832 a2 = (uintptr_t)uap->a2;
2833
2834 switch (tad->tad_event) {
2835 case AUE_LABELSYS_TNRH:
2836 {
2837 tsol_rhent_t *rhent;
2838 tnaddr_t *rh_addr;
2839
2840 au_uwrite(au_to_arg32(1, "cmd", cmd));
2841
2842 /* Remaining args don't apply for FLUSH, so skip */
2843 if (cmd == TNDB_FLUSH)
2844 break;
2845
2846 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2847 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2848 kmem_free(rhent, sizeof (tsol_rhent_t));
2849 return;
2850 }
2851
2852 rh_addr = &rhent->rh_address;
2853 if (rh_addr->ta_family == AF_INET) {
2854 struct in_addr *ipaddr;
2855
2856 ipaddr = &(rh_addr->ta_addr_v4);
2857 au_uwrite(au_to_in_addr(ipaddr));
2858 } else if (rh_addr->ta_family == AF_INET6) {
2859 int32_t *ipaddr;
2860
2861 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2862 au_uwrite(au_to_in_addr_ex(ipaddr));
2863 }
2864 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2865
2866 kmem_free(rhent, sizeof (tsol_rhent_t));
2867
2868 break;
2869 }
2870 case AUE_LABELSYS_TNRHTP:
2871 {
2872 tsol_tpent_t *tpent;
2873
2874 au_uwrite(au_to_arg32(1, "cmd", cmd));
2875
2876 /* Remaining args don't apply for FLUSH, so skip */
2877 if (cmd == TNDB_FLUSH)
2878 break;
2879
2880 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2881 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2882 kmem_free(tpent, sizeof (tsol_tpent_t));
2883 return;
2884 }
2885
2886 /* Make sure that the template name is null-terminated. */
2887 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2888
2889 au_uwrite(au_to_text(tpent->name));
2890 kmem_free(tpent, sizeof (tsol_tpent_t));
2891
2892 break;
2893 }
2894 case AUE_LABELSYS_TNMLP:
2895 {
2896 tsol_mlpent_t *mlpent;
2897
2898 au_uwrite(au_to_arg32(1, "cmd", cmd));
2899
2900 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2901 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2902 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2903 return;
2904 }
2905
2906 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2907 au_uwrite(au_to_text("shared"));
2908 } else {
2909 zone_t *zone;
2910
2911 zone = zone_find_by_id(mlpent->tsme_zoneid);
2912 if (zone != NULL) {
2913 au_uwrite(au_to_text(zone->zone_name));
2914 zone_rele(zone);
2915 }
2916 }
2917
2918 /* Remaining args don't apply for FLUSH, so skip */
2919 if (cmd == TNDB_FLUSH) {
2920 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2921 break;
2922 }
2923
2924 au_uwrite(au_to_arg32(2, "proto num",
2925 (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2926 au_uwrite(au_to_arg32(2, "mlp_port",
2927 (uint32_t)mlpent->tsme_mlp.mlp_port));
2928
2929 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2930 au_uwrite(au_to_arg32(2, "mlp_port_upper",
2931 (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2932
2933 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2934
2935 break;
2936 }
2937 default:
2938 break;
2939 }
2940 }
2941
2942
2943 static au_event_t
2944 aui_auditsys(au_event_t e)
2945 {
2946 klwp_t *clwp = ttolwp(curthread);
2947 uint32_t code;
2948
2949 struct a {
2950 long code;
2951 long a1;
2952 long a2;
2953 long a3;
2954 long a4;
2955 long a5;
2956 long a6;
2957 long a7;
2958 } *uap = (struct a *)clwp->lwp_ap;
2959
2960 code = (uint32_t)uap->code;
2961
2962 switch (code) {
2963
2964 case BSM_GETAUID:
2965 e = AUE_GETAUID;
2966 break;
2967 case BSM_SETAUID:
2968 e = AUE_SETAUID;
2969 break;
2970 case BSM_GETAUDIT:
2971 e = AUE_GETAUDIT;
2972 break;
2973 case BSM_GETAUDIT_ADDR:
2974 e = AUE_GETAUDIT_ADDR;
2975 break;
2976 case BSM_SETAUDIT:
2977 e = AUE_SETAUDIT;
2978 break;
2979 case BSM_SETAUDIT_ADDR:
2980 e = AUE_SETAUDIT_ADDR;
2981 break;
2982 case BSM_AUDIT:
2983 e = AUE_AUDIT;
2984 break;
2985 case BSM_AUDITCTL:
2986 switch ((uint_t)uap->a1) {
2987
2988 case A_GETPOLICY:
2989 e = AUE_AUDITON_GPOLICY;
2990 break;
2991 case A_SETPOLICY:
2992 e = AUE_AUDITON_SPOLICY;
2993 break;
2994 case A_GETAMASK:
2995 e = AUE_AUDITON_GETAMASK;
2996 break;
2997 case A_SETAMASK:
2998 e = AUE_AUDITON_SETAMASK;
2999 break;
3000 case A_GETKMASK:
3001 e = AUE_AUDITON_GETKMASK;
3002 break;
3003 case A_SETKMASK:
3004 e = AUE_AUDITON_SETKMASK;
3005 break;
3006 case A_GETQCTRL:
3007 e = AUE_AUDITON_GQCTRL;
3008 break;
3009 case A_SETQCTRL:
3010 e = AUE_AUDITON_SQCTRL;
3011 break;
3012 case A_GETCWD:
3013 e = AUE_AUDITON_GETCWD;
3014 break;
3015 case A_GETCAR:
3016 e = AUE_AUDITON_GETCAR;
3017 break;
3018 case A_GETSTAT:
3019 e = AUE_AUDITON_GETSTAT;
3020 break;
3021 case A_SETSTAT:
3022 e = AUE_AUDITON_SETSTAT;
3023 break;
3024 case A_SETUMASK:
3025 e = AUE_AUDITON_SETUMASK;
3026 break;
3027 case A_SETSMASK:
3028 e = AUE_AUDITON_SETSMASK;
3029 break;
3030 case A_GETCOND:
3031 e = AUE_AUDITON_GETCOND;
3032 break;
3033 case A_SETCOND:
3034 e = AUE_AUDITON_SETCOND;
3035 break;
3036 case A_GETCLASS:
3037 e = AUE_AUDITON_GETCLASS;
3038 break;
3039 case A_SETCLASS:
3040 e = AUE_AUDITON_SETCLASS;
3041 break;
3042 default:
3043 e = AUE_NULL;
3044 break;
3045 }
3046 break;
3047 default:
3048 e = AUE_NULL;
3049 break;
3050 }
3051
3052 return (e);
3053
3054 } /* AUI_AUDITSYS */
3055
3056
3057 static void
3058 aus_auditsys(struct t_audit_data *tad)
3059 {
3060 klwp_t *clwp = ttolwp(curthread);
3061 uintptr_t a1, a2;
3062 STRUCT_DECL(auditinfo, ainfo);
3063 STRUCT_DECL(auditinfo_addr, ainfo_addr);
3064 au_evclass_map_t event;
3065 au_mask_t mask;
3066 int auditstate, policy;
3067 au_id_t auid;
3068
3069
3070 struct a {
3071 long code;
3072 long a1;
3073 long a2;
3074 long a3;
3075 long a4;
3076 long a5;
3077 long a6;
3078 long a7;
3079 } *uap = (struct a *)clwp->lwp_ap;
3080
3081 a1 = (uintptr_t)uap->a1;
3082 a2 = (uintptr_t)uap->a2;
3083
3084 switch (tad->tad_event) {
3085 case AUE_SETAUID:
3086 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3087 return;
3088 au_uwrite(au_to_arg32(2, "setauid", auid));
3089 break;
3090 case AUE_SETAUDIT:
3091 STRUCT_INIT(ainfo, get_udatamodel());
3092 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3093 STRUCT_SIZE(ainfo))) {
3094 return;
3095 }
3096 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3097 (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3098 #ifdef _LP64
3099 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3100 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3101 #else
3102 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3103 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3104 #endif
3105 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3106 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3107 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3108 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3109 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3110 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3111 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3112 (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3113 break;
3114 case AUE_SETAUDIT_ADDR:
3115 STRUCT_INIT(ainfo_addr, get_udatamodel());
3116 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3117 STRUCT_SIZE(ainfo_addr))) {
3118 return;
3119 }
3120 au_uwrite(au_to_arg32((char)1, "auid",
3121 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3122 #ifdef _LP64
3123 au_uwrite(au_to_arg64((char)1, "port",
3124 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3125 #else
3126 au_uwrite(au_to_arg32((char)1, "port",
3127 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3128 #endif
3129 au_uwrite(au_to_arg32((char)1, "type",
3130 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3131 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3132 AU_IPv4) {
3133 au_uwrite(au_to_in_addr(
3134 (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3135 ai_termid.at_addr)));
3136 } else {
3137 au_uwrite(au_to_in_addr_ex(
3138 (int32_t *)STRUCT_FGETP(ainfo_addr,
3139 ai_termid.at_addr)));
3140 }
3141 au_uwrite(au_to_arg32((char)1, "as_success",
3142 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3143 au_uwrite(au_to_arg32((char)1, "as_failure",
3144 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3145 au_uwrite(au_to_arg32((char)1, "asid",
3146 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3147 break;
3148 case AUE_AUDITON_SETAMASK:
3149 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3150 return;
3151 au_uwrite(au_to_arg32(
3152 2, "setamask:as_success", (uint32_t)mask.as_success));
3153 au_uwrite(au_to_arg32(
3154 2, "setamask:as_failure", (uint32_t)mask.as_failure));
3155 break;
3156 case AUE_AUDITON_SETKMASK:
3157 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3158 return;
3159 au_uwrite(au_to_arg32(
3160 2, "setkmask:as_success", (uint32_t)mask.as_success));
3161 au_uwrite(au_to_arg32(
3162 2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3163 break;
3164 case AUE_AUDITON_SPOLICY:
3165 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3166 return;
3167 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3168 break;
3169 case AUE_AUDITON_SQCTRL: {
3170 STRUCT_DECL(au_qctrl, qctrl);
3171 model_t model;
3172
3173 model = get_udatamodel();
3174 STRUCT_INIT(qctrl, model);
3175 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3176 return;
3177 if (model == DATAMODEL_ILP32) {
3178 au_uwrite(au_to_arg32(
3179 3, "setqctrl:aq_hiwater",
3180 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3181 au_uwrite(au_to_arg32(
3182 3, "setqctrl:aq_lowater",
3183 (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3184 au_uwrite(au_to_arg32(
3185 3, "setqctrl:aq_bufsz",
3186 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3187 au_uwrite(au_to_arg32(
3188 3, "setqctrl:aq_delay",
3189 (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3190 } else {
3191 au_uwrite(au_to_arg64(
3192 3, "setqctrl:aq_hiwater",
3193 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3194 au_uwrite(au_to_arg64(
3195 3, "setqctrl:aq_lowater",
3196 (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3197 au_uwrite(au_to_arg64(
3198 3, "setqctrl:aq_bufsz",
3199 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3200 au_uwrite(au_to_arg64(
3201 3, "setqctrl:aq_delay",
3202 (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3203 }
3204 break;
3205 }
3206 case AUE_AUDITON_SETUMASK:
3207 STRUCT_INIT(ainfo, get_udatamodel());
3208 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3209 STRUCT_SIZE(ainfo))) {
3210 return;
3211 }
3212 au_uwrite(au_to_arg32(3, "setumask:as_success",
3213 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3214 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3215 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3216 break;
3217 case AUE_AUDITON_SETSMASK:
3218 STRUCT_INIT(ainfo, get_udatamodel());
3219 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3220 STRUCT_SIZE(ainfo))) {
3221 return;
3222 }
3223 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3224 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3225 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3226 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3227 break;
3228 case AUE_AUDITON_SETCOND:
3229 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3230 return;
3231 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3232 break;
3233 case AUE_AUDITON_SETCLASS:
3234 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3235 return;
3236 au_uwrite(au_to_arg32(
3237 2, "setclass:ec_event", (uint32_t)event.ec_number));
3238 au_uwrite(au_to_arg32(
3239 3, "setclass:ec_class", (uint32_t)event.ec_class));
3240 break;
3241 case AUE_GETAUID:
3242 case AUE_GETAUDIT:
3243 case AUE_GETAUDIT_ADDR:
3244 case AUE_AUDIT:
3245 case AUE_AUDITON_GPOLICY:
3246 case AUE_AUDITON_GQCTRL:
3247 case AUE_AUDITON_GETAMASK:
3248 case AUE_AUDITON_GETKMASK:
3249 case AUE_AUDITON_GETCWD:
3250 case AUE_AUDITON_GETCAR:
3251 case AUE_AUDITON_GETSTAT:
3252 case AUE_AUDITON_SETSTAT:
3253 case AUE_AUDITON_GETCOND:
3254 case AUE_AUDITON_GETCLASS:
3255 break;
3256 default:
3257 break;
3258 }
3259
3260 } /* AUS_AUDITSYS */
3261
3262
3263 /* only audit privileged operations for systeminfo(2) system call */
3264 static au_event_t
3265 aui_sysinfo(au_event_t e)
3266 {
3267 klwp_t *clwp = ttolwp(curthread);
3268 uint32_t command;
3269
3270 struct a {
3271 long command;
3272 long buf; /* char * */
3273 long count;
3274 } *uap = (struct a *)clwp->lwp_ap;
3275
3276 command = (uint32_t)uap->command;
3277
3278 switch (command) {
3279 case SI_SET_HOSTNAME:
3280 case SI_SET_SRPC_DOMAIN:
3281 e = (au_event_t)AUE_SYSINFO;
3282 break;
3283 default:
3284 e = (au_event_t)AUE_NULL;
3285 break;
3286 }
3287 return (e);
3288 }
3289
3290 /*ARGSUSED*/
3291 static void
3292 aus_sysinfo(struct t_audit_data *tad)
3293 {
3294 klwp_t *clwp = ttolwp(curthread);
3295 uint32_t command;
3296 size_t len, maxlen;
3297 char *name;
3298 uintptr_t buf;
3299
3300 struct a {
3301 long command;
3302 long buf; /* char * */
3303 long count;
3304 } *uap = (struct a *)clwp->lwp_ap;
3305
3306 command = (uint32_t)uap->command;
3307 buf = (uintptr_t)uap->buf;
3308
3309 au_uwrite(au_to_arg32(1, "cmd", command));
3310
3311 switch (command) {
3312 case SI_SET_HOSTNAME:
3313 {
3314 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3315 return;
3316
3317 maxlen = SYS_NMLN;
3318 name = kmem_alloc(maxlen, KM_SLEEP);
3319 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3320 break;
3321
3322 /*
3323 * Must be non-NULL string and string
3324 * must be less than SYS_NMLN chars.
3325 */
3326 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3327 break;
3328
3329 au_uwrite(au_to_text(name));
3330 break;
3331 }
3332
3333 case SI_SET_SRPC_DOMAIN:
3334 {
3335 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3336 return;
3337
3338 maxlen = SYS_NMLN;
3339 name = kmem_alloc(maxlen, KM_SLEEP);
3340 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3341 break;
3342
3343 /*
3344 * If string passed in is longer than length
3345 * allowed for domain name, fail.
3346 */
3347 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3348 break;
3349
3350 au_uwrite(au_to_text(name));
3351 break;
3352 }
3353
3354 default:
3355 return;
3356 }
3357
3358 kmem_free(name, maxlen);
3359 }
3360
3361 static au_event_t
3362 aui_modctl(au_event_t e)
3363 {
3364 klwp_t *clwp = ttolwp(curthread);
3365 uint_t cmd;
3366
3367 struct a {
3368 long cmd;
3369 } *uap = (struct a *)clwp->lwp_ap;
3370
3371 cmd = (uint_t)uap->cmd;
3372
3373 switch (cmd) {
3374 case MODLOAD:
3375 e = AUE_MODLOAD;
3376 break;
3377 case MODUNLOAD:
3378 e = AUE_MODUNLOAD;
3379 break;
3380 case MODADDMAJBIND:
3381 e = AUE_MODADDMAJ;
3382 break;
3383 case MODSETDEVPOLICY:
3384 e = AUE_MODDEVPLCY;
3385 break;
3386 case MODALLOCPRIV:
3387 e = AUE_MODADDPRIV;
3388 break;
3389 default:
3390 e = AUE_NULL;
3391 break;
3392 }
3393 return (e);
3394 }
3395
3396
3397 /*ARGSUSED*/
3398 static void
3399 aus_modctl(struct t_audit_data *tad)
3400 {
3401 klwp_t *clwp = ttolwp(curthread);
3402 void *a = clwp->lwp_ap;
3403 uint_t use_path;
3404
3405 switch (tad->tad_event) {
3406 case AUE_MODLOAD: {
3407 typedef struct {
3408 long cmd;
3409 long use_path;
3410 long filename; /* char * */
3411 } modloada_t;
3412
3413 char *filenamep;
3414 uintptr_t fname;
3415 extern char *default_path;
3416
3417 fname = (uintptr_t)((modloada_t *)a)->filename;
3418 use_path = (uint_t)((modloada_t *)a)->use_path;
3419
3420 /* space to hold path */
3421 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3422 /* get string */
3423 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3424 /* free allocated path */
3425 kmem_free(filenamep, MOD_MAXPATH);
3426 return;
3427 }
3428 /* ensure it's null terminated */
3429 filenamep[MOD_MAXPATH - 1] = 0;
3430
3431 if (use_path)
3432 au_uwrite(au_to_text(default_path));
3433 au_uwrite(au_to_text(filenamep));
3434
3435 /* release temporary memory */
3436 kmem_free(filenamep, MOD_MAXPATH);
3437 break;
3438 }
3439 case AUE_MODUNLOAD: {
3440 typedef struct {
3441 long cmd;
3442 long id;
3443 } modunloada_t;
3444
3445 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3446
3447 au_uwrite(au_to_arg32(1, "id", id));
3448 break;
3449 }
3450 case AUE_MODADDMAJ: {
3451 STRUCT_DECL(modconfig, mc);
3452 typedef struct {
3453 long cmd;
3454 long subcmd;
3455 long data; /* int * */
3456 } modconfiga_t;
3457
3458 STRUCT_DECL(aliases, alias);
3459 caddr_t ap;
3460 int i, num_aliases;
3461 char *drvname, *mc_drvname;
3462 char *name;
3463 extern char *ddi_major_to_name(major_t);
3464 model_t model;
3465
3466 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3467
3468 model = get_udatamodel();
3469 STRUCT_INIT(mc, model);
3470 /* sanitize buffer */
3471 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3472 /* get user arguments */
3473 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3474 STRUCT_SIZE(mc)) != 0)
3475 return;
3476
3477 mc_drvname = STRUCT_FGET(mc, drvname);
3478 if ((drvname = ddi_major_to_name(
3479 (major_t)STRUCT_FGET(mc, major))) != NULL &&
3480 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3481 /* safety */
3482 if (mc_drvname[0] != '\0') {
3483 mc_drvname[MAXMODCONFNAME-1] = '\0';
3484 au_uwrite(au_to_text(mc_drvname));
3485 }
3486 /* drvname != NULL from test above */
3487 au_uwrite(au_to_text(drvname));
3488 return;
3489 }
3490
3491 if (mc_drvname[0] != '\0') {
3492 /* safety */
3493 mc_drvname[MAXMODCONFNAME-1] = '\0';
3494 au_uwrite(au_to_text(mc_drvname));
3495 } else
3496 au_uwrite(au_to_text("no drvname"));
3497
3498 num_aliases = STRUCT_FGET(mc, num_aliases);
3499 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3500 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3501 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3502 STRUCT_INIT(alias, model);
3503 for (i = 0; i < num_aliases; i++) {
3504 bzero((caddr_t)STRUCT_BUF(alias),
3505 STRUCT_SIZE(alias));
3506 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3507 STRUCT_SIZE(alias)) != 0)
3508 break;
3509 if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3510 MAXMODCONFNAME, NULL) != 0) {
3511 break;
3512 }
3513
3514 au_uwrite(au_to_text(name));
3515 ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3516 }
3517 kmem_free(name, MAXMODCONFNAME);
3518 break;
3519 }
3520 default:
3521 break;
3522 }
3523 }
3524
3525
3526 /*ARGSUSED*/
3527 static void
3528 auf_accept(
3529 struct t_audit_data *tad,
3530 int error,
3531 rval_t *rval)
3532 {
3533 uint32_t scid;
3534 uint32_t sy_flags;
3535 int fd;
3536 struct sonode *so;
3537 char so_laddr[sizeof (struct sockaddr_in6)];
3538 char so_faddr[sizeof (struct sockaddr_in6)];
3539 int err;
3540 short so_family, so_type;
3541 int add_sock_token = 0;
3542
3543 /* need to determine type of executing binary */
3544 scid = tad->tad_scid;
3545 #ifdef _SYSCALL32_IMPL
3546 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3547 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3548 else
3549 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3550 #else
3551 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3552 #endif
3553 switch (sy_flags) {
3554 case SE_32RVAL1:
3555 /* FALLTHRU */
3556 case SE_32RVAL2|SE_32RVAL1:
3557 fd = rval->r_val1;
3558 break;
3559 case SE_64RVAL:
3560 fd = (int)rval->r_vals;
3561 break;
3562 default:
3563 /*
3564 * should never happen, seems to be an internal error
3565 * in sysent => no fd, nothing to audit here, returning
3566 */
3567 return;
3568 }
3569
3570 if (error) {
3571 /* can't trust socket contents. Just return */
3572 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3573 return;
3574 }
3575
3576 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3577 /*
3578 * not security relevant if doing a accept from non socket
3579 * so no extra tokens. Should probably turn off audit record
3580 * generation here.
3581 */
3582 return;
3583 }
3584
3585 so_family = so->so_family;
3586 so_type = so->so_type;
3587
3588 switch (so_family) {
3589 case AF_INET:
3590 case AF_INET6:
3591 /*
3592 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3593 */
3594 if (so->so_type == SOCK_STREAM) {
3595 socklen_t len;
3596
3597 bzero((void *)so_laddr, sizeof (so_laddr));
3598 bzero((void *)so_faddr, sizeof (so_faddr));
3599
3600 len = sizeof (so_laddr);
3601 (void) socket_getsockname(so,
3602 (struct sockaddr *)so_laddr, &len, CRED());
3603 len = sizeof (so_faddr);
3604 (void) socket_getpeername(so,
3605 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3606
3607 add_sock_token = 1;
3608 }
3609 break;
3610
3611 default:
3612 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3613 break;
3614 }
3615
3616 releasef(fd);
3617
3618 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3619
3620 if (add_sock_token == 0) {
3621 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3622 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3623 return;
3624 }
3625
3626 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3627
3628 }
3629
3630 /*ARGSUSED*/
3631 static void
3632 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3633 {
3634 struct a {
3635 long fd;
3636 long addr;
3637 long len;
3638 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3639
3640 struct sonode *so;
3641 char so_laddr[sizeof (struct sockaddr_in6)];
3642 char so_faddr[sizeof (struct sockaddr_in6)];
3643 int err, fd;
3644 socklen_t len;
3645 short so_family, so_type;
3646 int add_sock_token = 0;
3647
3648 fd = (int)uap->fd;
3649
3650 /*
3651 * bind failed, then nothing extra to add to audit record.
3652 */
3653 if (error) {
3654 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3655 /* XXX may want to add failed address some day */
3656 return;
3657 }
3658
3659 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3660 /*
3661 * not security relevant if doing a bind from non socket
3662 * so no extra tokens. Should probably turn off audit record
3663 * generation here.
3664 */
3665 return;
3666 }
3667
3668 so_family = so->so_family;
3669 so_type = so->so_type;
3670
3671 switch (so_family) {
3672 case AF_INET:
3673 case AF_INET6:
3674
3675 bzero(so_faddr, sizeof (so_faddr));
3676 len = sizeof (so_faddr);
3677
3678 (void) socket_getpeername(so,
3679 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3680 add_sock_token = 1;
3681
3682 break;
3683
3684 case AF_UNIX:
3685 /* token added by lookup */
3686 break;
3687 default:
3688 /* AF_ROUTE, AF_KEY do not support accept */
3689 break;
3690 }
3691
3692 releasef(fd);
3693
3694 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3695
3696 if (add_sock_token == 0) {
3697 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3698 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3699 return;
3700 }
3701
3702 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3703
3704 }
3705
3706 /*ARGSUSED*/
3707 static void
3708 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3709 {
3710 struct a {
3711 long fd;
3712 long addr;
3713 long len;
3714 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3715
3716 struct sonode *so;
3717 char so_laddr[sizeof (struct sockaddr_in6)];
3718 char so_faddr[sizeof (struct sockaddr_in6)];
3719 int err, fd;
3720 socklen_t len;
3721 short so_family, so_type;
3722 int add_sock_token = 0;
3723
3724 fd = (int)uap->fd;
3725
3726
3727 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3728 /*
3729 * not security relevant if doing a connect from non socket
3730 * so no extra tokens. Should probably turn off audit record
3731 * generation here.
3732 */
3733 return;
3734 }
3735
3736 so_family = so->so_family;
3737 so_type = so->so_type;
3738
3739 switch (so_family) {
3740 case AF_INET:
3741 case AF_INET6:
3742
3743 bzero(so_laddr, sizeof (so_laddr));
3744 bzero(so_faddr, sizeof (so_faddr));
3745
3746 len = sizeof (so_laddr);
3747 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3748 &len, CRED());
3749 if (error) {
3750 if (uap->addr == NULL)
3751 break;
3752 if (uap->len <= 0)
3753 break;
3754 len = min(uap->len, sizeof (so_faddr));
3755 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3756 break;
3757 #ifdef NOTYET
3758 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3759 #endif
3760 } else {
3761 /* sanity check on length */
3762 len = sizeof (so_faddr);
3763 (void) socket_getpeername(so,
3764 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3765 }
3766
3767 add_sock_token = 1;
3768
3769 break;
3770
3771 case AF_UNIX:
3772 /* does a lookup on name */
3773 break;
3774
3775 default:
3776 /* AF_ROUTE, AF_KEY do not support accept */
3777 break;
3778 }
3779
3780 releasef(fd);
3781
3782 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3783
3784 if (add_sock_token == 0) {
3785 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3786 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3787 return;
3788 }
3789
3790 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3791
3792 }
3793
3794 /*ARGSUSED*/
3795 static void
3796 aus_shutdown(struct t_audit_data *tad)
3797 {
3798 struct a {
3799 long fd;
3800 long how;
3801 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3802
3803 struct sonode *so;
3804 char so_laddr[sizeof (struct sockaddr_in6)];
3805 char so_faddr[sizeof (struct sockaddr_in6)];
3806 int err, fd;
3807 socklen_t len;
3808 short so_family, so_type;
3809 int add_sock_token = 0;
3810 file_t *fp; /* unix domain sockets */
3811 struct f_audit_data *fad; /* unix domain sockets */
3812
3813 fd = (int)uap->fd;
3814
3815 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3816 /*
3817 * not security relevant if doing a shutdown using non socket
3818 * so no extra tokens. Should probably turn off audit record
3819 * generation here.
3820 */
3821 return;
3822 }
3823
3824 so_family = so->so_family;
3825 so_type = so->so_type;
3826
3827 switch (so_family) {
3828 case AF_INET:
3829 case AF_INET6:
3830
3831 bzero(so_laddr, sizeof (so_laddr));
3832 bzero(so_faddr, sizeof (so_faddr));
3833
3834 len = sizeof (so_laddr);
3835 (void) socket_getsockname(so,
3836 (struct sockaddr *)so_laddr, &len, CRED());
3837 len = sizeof (so_faddr);
3838 (void) socket_getpeername(so,
3839 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3840
3841 add_sock_token = 1;
3842
3843 break;
3844
3845 case AF_UNIX:
3846
3847 /* get path from file struct here */
3848 fad = F2A(fp);
3849 ASSERT(fad);
3850
3851 if (fad->fad_aupath != NULL) {
3852 au_uwrite(au_to_path(fad->fad_aupath));
3853 } else {
3854 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3855 }
3856
3857 audit_attributes(fp->f_vnode);
3858
3859 break;
3860
3861 default:
3862 /*
3863 * AF_KEY and AF_ROUTE support shutdown. No socket token
3864 * added.
3865 */
3866 break;
3867 }
3868
3869 releasef(fd);
3870
3871 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3872
3873 if (add_sock_token == 0) {
3874 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3875 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3876 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3877 return;
3878 }
3879
3880 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3881
3882 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3883
3884 }
3885
3886 /*ARGSUSED*/
3887 static void
3888 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3889 {
3890 struct a {
3891 long fd;
3892 long level;
3893 long optname;
3894 long *optval;
3895 long optlen;
3896 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3897
3898 struct sonode *so;
3899 char so_laddr[sizeof (struct sockaddr_in6)];
3900 char so_faddr[sizeof (struct sockaddr_in6)];
3901 char val[AU_BUFSIZE];
3902 int err, fd;
3903 socklen_t len;
3904 short so_family, so_type;
3905 int add_sock_token = 0;
3906 file_t *fp; /* unix domain sockets */
3907 struct f_audit_data *fad; /* unix domain sockets */
3908
3909 fd = (int)uap->fd;
3910
3911 if (error) {
3912 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3913 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3914 /* XXX may want to include other arguments */
3915 return;
3916 }
3917
3918 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3919 /*
3920 * not security relevant if doing a setsockopt from non socket
3921 * so no extra tokens. Should probably turn off audit record
3922 * generation here.
3923 */
3924 return;
3925 }
3926
3927 so_family = so->so_family;
3928 so_type = so->so_type;
3929
3930 switch (so_family) {
3931 case AF_INET:
3932 case AF_INET6:
3933 bzero((void *)so_laddr, sizeof (so_laddr));
3934 bzero((void *)so_faddr, sizeof (so_faddr));
3935
3936 /* get local and foreign addresses */
3937 len = sizeof (so_laddr);
3938 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3939 &len, CRED());
3940 len = sizeof (so_faddr);
3941 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3942 &len, B_FALSE, CRED());
3943
3944 add_sock_token = 1;
3945
3946 break;
3947
3948 case AF_UNIX:
3949
3950 /* get path from file struct here */
3951 fad = F2A(fp);
3952 ASSERT(fad);
3953
3954 if (fad->fad_aupath != NULL) {
3955 au_uwrite(au_to_path(fad->fad_aupath));
3956 } else {
3957 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3958 }
3959
3960 audit_attributes(fp->f_vnode);
3961
3962 break;
3963
3964 default:
3965 /*
3966 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3967 * added.
3968 */
3969 break;
3970 }
3971
3972 releasef(fd);
3973
3974 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3975
3976 if (add_sock_token == 0) {
3977 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3978 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3979 }
3980 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3981 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3982
3983 bzero(val, sizeof (val));
3984 len = min(uap->optlen, sizeof (val));
3985 if ((len > 0) &&
3986 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3987 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3988 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3989 }
3990
3991 if (add_sock_token == 0)
3992 return;
3993
3994 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3995
3996 }
3997
3998 /*ARGSUSED*/
3999 static void
4000 aus_sockconfig(tad)
4001 struct t_audit_data *tad;
4002 {
4003 struct a {
4004 long cmd;
4005 long arg1;
4006 long arg2;
4007 long arg3;
4008 long arg4;
4009 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4010
4011 char *buf;
4012 int buflen;
4013 size_t size;
4014
4015 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4016 switch (uap->cmd) {
4017 case SOCKCONFIG_ADD_SOCK:
4018 case SOCKCONFIG_REMOVE_SOCK:
4019 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4020 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4021 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4022
4023 if (uap->arg4 == 0) {
4024 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4025 } else {
4026 buflen = MAXPATHLEN + 1;
4027 buf = kmem_alloc(buflen, KM_SLEEP);
4028 if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4029 &size)) {
4030 kmem_free(buf, buflen);
4031 return;
4032 }
4033
4034 if (size > MAXPATHLEN) {
4035 kmem_free(buf, buflen);
4036 return;
4037 }
4038
4039 au_uwrite(au_to_text(buf));
4040 kmem_free(buf, buflen);
4041 }
4042 break;
4043 case SOCKCONFIG_ADD_FILTER:
4044 case SOCKCONFIG_REMOVE_FILTER:
4045 buflen = FILNAME_MAX;
4046 buf = kmem_alloc(buflen, KM_SLEEP);
4047
4048 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4049 kmem_free(buf, buflen);
4050 return;
4051 }
4052
4053 au_uwrite(au_to_text(buf));
4054 kmem_free(buf, buflen);
4055 break;
4056 default:
4057 break;
4058 }
4059 }
4060
4061 /*
4062 * only audit recvmsg when the system call represents the creation of a new
4063 * circuit. This effectively occurs for all UDP packets and may occur for
4064 * special TCP situations where the local host has not set a local address
4065 * in the socket structure.
4066 */
4067 /*ARGSUSED*/
4068 static void
4069 auf_recvmsg(
4070 struct t_audit_data *tad,
4071 int error,
4072 rval_t *rvp)
4073 {
4074 struct a {
4075 long fd;
4076 long msg; /* struct msghdr */
4077 long flags;
4078 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4079
4080 struct sonode *so;
4081 STRUCT_DECL(msghdr, msg);
4082 caddr_t msg_name;
4083 socklen_t msg_namelen;
4084 int fd;
4085 int err;
4086 char so_laddr[sizeof (struct sockaddr_in6)];
4087 char so_faddr[sizeof (struct sockaddr_in6)];
4088 socklen_t len;
4089 file_t *fp; /* unix domain sockets */
4090 struct f_audit_data *fad; /* unix domain sockets */
4091 short so_family, so_type;
4092 int add_sock_token = 0;
4093 au_kcontext_t *kctx = GET_KCTX_PZ;
4094
4095 fd = (int)uap->fd;
4096
4097 /* bail if an error */
4098 if (error) {
4099 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4100 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4101 return;
4102 }
4103
4104 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4105 /*
4106 * not security relevant if doing a recvmsg from non socket
4107 * so no extra tokens. Should probably turn off audit record
4108 * generation here.
4109 */
4110 return;
4111 }
4112
4113 so_family = so->so_family;
4114 so_type = so->so_type;
4115
4116 /*
4117 * only putout SOCKET_EX token if INET/INET6 family.
4118 * XXX - what do we do about other families?
4119 */
4120
4121 switch (so_family) {
4122 case AF_INET:
4123 case AF_INET6:
4124
4125 /*
4126 * if datagram type socket, then just use what is in
4127 * socket structure for local address.
4128 * XXX - what do we do for other types?
4129 */
4130 if ((so->so_type == SOCK_DGRAM) ||
4131 (so->so_type == SOCK_RAW)) {
4132 add_sock_token = 1;
4133
4134 bzero((void *)so_laddr, sizeof (so_laddr));
4135 bzero((void *)so_faddr, sizeof (so_faddr));
4136
4137 /* get local address */
4138 len = sizeof (so_laddr);
4139 (void) socket_getsockname(so,
4140 (struct sockaddr *)so_laddr, &len, CRED());
4141
4142 /* get peer address */
4143 STRUCT_INIT(msg, get_udatamodel());
4144
4145 if (copyin((caddr_t)(uap->msg),
4146 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4147 break;
4148 }
4149 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4150 if (msg_name == NULL) {
4151 break;
4152 }
4153
4154 /* length is value from recvmsg - sanity check */
4155 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4156 if (msg_namelen == 0) {
4157 break;
4158 }
4159 if (copyin(msg_name, so_faddr,
4160 sizeof (so_faddr)) != 0) {
4161 break;
4162 }
4163
4164 } else if (so->so_type == SOCK_STREAM) {
4165
4166 /* get path from file struct here */
4167 fad = F2A(fp);
4168 ASSERT(fad);
4169
4170 /*
4171 * already processed this file for read attempt
4172 */
4173 if (fad->fad_flags & FAD_READ) {
4174 /* don't want to audit every recvmsg attempt */
4175 tad->tad_flag = 0;
4176 /* free any residual audit data */
4177 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4178 releasef(fd);
4179 return;
4180 }
4181 /*
4182 * mark things so we know what happened and don't
4183 * repeat things
4184 */
4185 fad->fad_flags |= FAD_READ;
4186
4187 bzero((void *)so_laddr, sizeof (so_laddr));
4188 bzero((void *)so_faddr, sizeof (so_faddr));
4189
4190 /* get local and foreign addresses */
4191 len = sizeof (so_laddr);
4192 (void) socket_getsockname(so,
4193 (struct sockaddr *)so_laddr, &len, CRED());
4194 len = sizeof (so_faddr);
4195 (void) socket_getpeername(so,
4196 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4197
4198 add_sock_token = 1;
4199 }
4200
4201 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4202
4203 break;
4204
4205 case AF_UNIX:
4206 /*
4207 * first check if this is first time through. Too much
4208 * duplicate code to put this in an aui_ routine.
4209 */
4210
4211 /* get path from file struct here */
4212 fad = F2A(fp);
4213 ASSERT(fad);
4214
4215 /*
4216 * already processed this file for read attempt
4217 */
4218 if (fad->fad_flags & FAD_READ) {
4219 releasef(fd);
4220 /* don't want to audit every recvmsg attempt */
4221 tad->tad_flag = 0;
4222 /* free any residual audit data */
4223 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4224 return;
4225 }
4226 /*
4227 * mark things so we know what happened and don't
4228 * repeat things
4229 */
4230 fad->fad_flags |= FAD_READ;
4231
4232 if (fad->fad_aupath != NULL) {
4233 au_uwrite(au_to_path(fad->fad_aupath));
4234 } else {
4235 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4236 }
4237
4238 audit_attributes(fp->f_vnode);
4239
4240 releasef(fd);
4241
4242 return;
4243
4244 default:
4245 break;
4246
4247 }
4248
4249 releasef(fd);
4250
4251 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4252
4253 if (add_sock_token == 0) {
4254 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4255 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4256 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4257 return;
4258 }
4259
4260 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4261
4262 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4263
4264 }
4265
4266 /*ARGSUSED*/
4267 static void
4268 auf_recvfrom(
4269 struct t_audit_data *tad,
4270 int error,
4271 rval_t *rvp)
4272 {
4273
4274 struct a {
4275 long fd;
4276 long msg; /* char */
4277 long len;
4278 long flags;
4279 long from; /* struct sockaddr */
4280 long fromlen;
4281 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4282
4283 socklen_t fromlen;
4284 struct sonode *so;
4285 char so_laddr[sizeof (struct sockaddr_in6)];
4286 char so_faddr[sizeof (struct sockaddr_in6)];
4287 int fd;
4288 short so_family, so_type;
4289 int add_sock_token = 0;
4290 socklen_t len;
4291 int err;
4292 struct file *fp;
4293 struct f_audit_data *fad; /* unix domain sockets */
4294 au_kcontext_t *kctx = GET_KCTX_PZ;
4295
4296 fd = (int)uap->fd;
4297
4298 /* bail if an error */
4299 if (error) {
4300 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4301 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4302 return;
4303 }
4304
4305 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4306 /*
4307 * not security relevant if doing a recvmsg from non socket
4308 * so no extra tokens. Should probably turn off audit record
4309 * generation here.
4310 */
4311 return;
4312 }
4313
4314 so_family = so->so_family;
4315 so_type = so->so_type;
4316
4317 /*
4318 * only putout SOCKET_EX token if INET/INET6 family.
4319 * XXX - what do we do about other families?
4320 */
4321
4322 switch (so_family) {
4323 case AF_INET:
4324 case AF_INET6:
4325
4326 /*
4327 * if datagram type socket, then just use what is in
4328 * socket structure for local address.
4329 * XXX - what do we do for other types?
4330 */
4331 if ((so->so_type == SOCK_DGRAM) ||
4332 (so->so_type == SOCK_RAW)) {
4333 add_sock_token = 1;
4334
4335 /* get local address */
4336 len = sizeof (so_laddr);
4337 (void) socket_getsockname(so,
4338 (struct sockaddr *)so_laddr, &len, CRED());
4339
4340 /* get peer address */
4341 bzero((void *)so_faddr, sizeof (so_faddr));
4342
4343 /* sanity check */
4344 if (uap->from == NULL)
4345 break;
4346
4347 /* sanity checks */
4348 if (uap->fromlen == 0)
4349 break;
4350
4351 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4352 sizeof (fromlen)) != 0)
4353 break;
4354
4355 if (fromlen == 0)
4356 break;
4357
4358 /* enforce maximum size */
4359 if (fromlen > sizeof (so_faddr))
4360 fromlen = sizeof (so_faddr);
4361
4362 if (copyin((caddr_t)(uap->from), so_faddr,
4363 fromlen) != 0)
4364 break;
4365
4366 } else if (so->so_type == SOCK_STREAM) {
4367
4368 /* get path from file struct here */
4369 fad = F2A(fp);
4370 ASSERT(fad);
4371
4372 /*
4373 * already processed this file for read attempt
4374 */
4375 if (fad->fad_flags & FAD_READ) {
4376 /* don't want to audit every recvfrom attempt */
4377 tad->tad_flag = 0;
4378 /* free any residual audit data */
4379 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4380 releasef(fd);
4381 return;
4382 }
4383 /*
4384 * mark things so we know what happened and don't
4385 * repeat things
4386 */
4387 fad->fad_flags |= FAD_READ;
4388
4389 bzero((void *)so_laddr, sizeof (so_laddr));
4390 bzero((void *)so_faddr, sizeof (so_faddr));
4391
4392 /* get local and foreign addresses */
4393 len = sizeof (so_laddr);
4394 (void) socket_getsockname(so,
4395 (struct sockaddr *)so_laddr, &len, CRED());
4396 len = sizeof (so_faddr);
4397 (void) socket_getpeername(so,
4398 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4399
4400 add_sock_token = 1;
4401 }
4402
4403 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4404
4405 break;
4406
4407 case AF_UNIX:
4408 /*
4409 * first check if this is first time through. Too much
4410 * duplicate code to put this in an aui_ routine.
4411 */
4412
4413 /* get path from file struct here */
4414 fad = F2A(fp);
4415 ASSERT(fad);
4416
4417 /*
4418 * already processed this file for read attempt
4419 */
4420 if (fad->fad_flags & FAD_READ) {
4421 /* don't want to audit every recvfrom attempt */
4422 tad->tad_flag = 0;
4423 /* free any residual audit data */
4424 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4425 releasef(fd);
4426 return;
4427 }
4428 /*
4429 * mark things so we know what happened and don't
4430 * repeat things
4431 */
4432 fad->fad_flags |= FAD_READ;
4433
4434 if (fad->fad_aupath != NULL) {
4435 au_uwrite(au_to_path(fad->fad_aupath));
4436 } else {
4437 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4438 }
4439
4440 audit_attributes(fp->f_vnode);
4441
4442 releasef(fd);
4443
4444 return;
4445
4446 default:
4447 break;
4448
4449 }
4450
4451 releasef(fd);
4452
4453 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4454
4455 if (add_sock_token == 0) {
4456 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4457 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4458 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4459 return;
4460 }
4461
4462 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4463
4464 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4465 }
4466
4467 /*ARGSUSED*/
4468 static void
4469 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4470 {
4471 struct a {
4472 long fd;
4473 long msg; /* struct msghdr */
4474 long flags;
4475 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4476
4477 struct sonode *so;
4478 char so_laddr[sizeof (struct sockaddr_in6)];
4479 char so_faddr[sizeof (struct sockaddr_in6)];
4480 int err;
4481 int fd;
4482 short so_family, so_type;
4483 int add_sock_token = 0;
4484 socklen_t len;
4485 struct file *fp;
4486 struct f_audit_data *fad;
4487 caddr_t msg_name;
4488 socklen_t msg_namelen;
4489 STRUCT_DECL(msghdr, msg);
4490 au_kcontext_t *kctx = GET_KCTX_PZ;
4491
4492 fd = (int)uap->fd;
4493
4494 /* bail if an error */
4495 if (error) {
4496 /* XXX include destination address from system call arguments */
4497 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4498 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4499 return;
4500 }
4501
4502 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4503 /*
4504 * not security relevant if doing a sendmsg from non socket
4505 * so no extra tokens. Should probably turn off audit record
4506 * generation here.
4507 */
4508 return;
4509 }
4510
4511 so_family = so->so_family;
4512 so_type = so->so_type;
4513
4514 switch (so_family) {
4515 case AF_INET:
4516 case AF_INET6:
4517 /*
4518 * if datagram type socket, then just use what is in
4519 * socket structure for local address.
4520 * XXX - what do we do for other types?
4521 */
4522 if ((so->so_type == SOCK_DGRAM) ||
4523 (so->so_type == SOCK_RAW)) {
4524
4525 bzero((void *)so_laddr, sizeof (so_laddr));
4526 bzero((void *)so_faddr, sizeof (so_faddr));
4527
4528 /* get local address */
4529 len = sizeof (so_laddr);
4530 (void) socket_getsockname(so,
4531 (struct sockaddr *)so_laddr, &len, CRED());
4532
4533 /* get peer address */
4534 STRUCT_INIT(msg, get_udatamodel());
4535
4536 if (copyin((caddr_t)(uap->msg),
4537 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4538 break;
4539 }
4540 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4541 if (msg_name == NULL)
4542 break;
4543
4544 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4545 /* length is value from recvmsg - sanity check */
4546 if (msg_namelen == 0)
4547 break;
4548
4549 if (copyin(msg_name, so_faddr,
4550 sizeof (so_faddr)) != 0)
4551 break;
4552
4553 add_sock_token = 1;
4554
4555 } else if (so->so_type == SOCK_STREAM) {
4556
4557 /* get path from file struct here */
4558 fad = F2A(fp);
4559 ASSERT(fad);
4560
4561 /*
4562 * already processed this file for write attempt
4563 */
4564 if (fad->fad_flags & FAD_WRITE) {
4565 releasef(fd);
4566 /* don't want to audit every sendmsg attempt */
4567 tad->tad_flag = 0;
4568 /* free any residual audit data */
4569 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4570 return;
4571 }
4572
4573 /*
4574 * mark things so we know what happened and don't
4575 * repeat things
4576 */
4577 fad->fad_flags |= FAD_WRITE;
4578
4579 bzero((void *)so_laddr, sizeof (so_laddr));
4580 bzero((void *)so_faddr, sizeof (so_faddr));
4581
4582 /* get local and foreign addresses */
4583 len = sizeof (so_laddr);
4584 (void) socket_getsockname(so,
4585 (struct sockaddr *)so_laddr, &len, CRED());
4586 len = sizeof (so_faddr);
4587 (void) socket_getpeername(so,
4588 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4589
4590 add_sock_token = 1;
4591 }
4592
4593 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4594
4595 break;
4596
4597 case AF_UNIX:
4598 /*
4599 * first check if this is first time through. Too much
4600 * duplicate code to put this in an aui_ routine.
4601 */
4602
4603 /* get path from file struct here */
4604 fad = F2A(fp);
4605 ASSERT(fad);
4606
4607 /*
4608 * already processed this file for write attempt
4609 */
4610 if (fad->fad_flags & FAD_WRITE) {
4611 releasef(fd);
4612 /* don't want to audit every sendmsg attempt */
4613 tad->tad_flag = 0;
4614 /* free any residual audit data */
4615 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4616 return;
4617 }
4618 /*
4619 * mark things so we know what happened and don't
4620 * repeat things
4621 */
4622 fad->fad_flags |= FAD_WRITE;
4623
4624 if (fad->fad_aupath != NULL) {
4625 au_uwrite(au_to_path(fad->fad_aupath));
4626 } else {
4627 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4628 }
4629
4630 audit_attributes(fp->f_vnode);
4631
4632 releasef(fd);
4633
4634 return;
4635
4636 default:
4637 break;
4638 }
4639
4640 releasef(fd);
4641
4642 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4643
4644 if (add_sock_token == 0) {
4645 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4646 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4647 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4648 return;
4649 }
4650
4651 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4652
4653 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4654 }
4655
4656 /*ARGSUSED*/
4657 static void
4658 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4659 {
4660 struct a {
4661 long fd;
4662 long msg; /* char */
4663 long len;
4664 long flags;
4665 long to; /* struct sockaddr */
4666 long tolen;
4667 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4668
4669 struct sonode *so;
4670 char so_laddr[sizeof (struct sockaddr_in6)];
4671 char so_faddr[sizeof (struct sockaddr_in6)];
4672 socklen_t tolen;
4673 int err;
4674 int fd;
4675 socklen_t len;
4676 short so_family, so_type;
4677 int add_sock_token = 0;
4678 struct file *fp;
4679 struct f_audit_data *fad;
4680 au_kcontext_t *kctx = GET_KCTX_PZ;
4681
4682 fd = (int)uap->fd;
4683
4684 /* bail if an error */
4685 if (error) {
4686 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4687 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4688 /* XXX include destination address from system call arguments */
4689 return;
4690 }
4691
4692 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4693 /*
4694 * not security relevant if doing a sendto using non socket
4695 * so no extra tokens. Should probably turn off audit record
4696 * generation here.
4697 */
4698 return;
4699 }
4700
4701 so_family = so->so_family;
4702 so_type = so->so_type;
4703
4704 /*
4705 * only putout SOCKET_EX token if INET/INET6 family.
4706 * XXX - what do we do about other families?
4707 */
4708
4709 switch (so_family) {
4710 case AF_INET:
4711 case AF_INET6:
4712
4713 /*
4714 * if datagram type socket, then just use what is in
4715 * socket structure for local address.
4716 * XXX - what do we do for other types?
4717 */
4718 if ((so->so_type == SOCK_DGRAM) ||
4719 (so->so_type == SOCK_RAW)) {
4720
4721 bzero((void *)so_laddr, sizeof (so_laddr));
4722 bzero((void *)so_faddr, sizeof (so_faddr));
4723
4724 /* get local address */
4725 len = sizeof (so_laddr);
4726 (void) socket_getsockname(so,
4727 (struct sockaddr *)so_laddr, &len, CRED());
4728
4729 /* get peer address */
4730
4731 /* sanity check */
4732 if (uap->to == NULL)
4733 break;
4734
4735 /* sanity checks */
4736 if (uap->tolen == 0)
4737 break;
4738
4739 tolen = (socklen_t)uap->tolen;
4740
4741 /* enforce maximum size */
4742 if (tolen > sizeof (so_faddr))
4743 tolen = sizeof (so_faddr);
4744
4745 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4746 break;
4747
4748 add_sock_token = 1;
4749 } else {
4750 /*
4751 * check if this is first time through.
4752 */
4753
4754 /* get path from file struct here */
4755 fad = F2A(fp);
4756 ASSERT(fad);
4757
4758 /*
4759 * already processed this file for write attempt
4760 */
4761 if (fad->fad_flags & FAD_WRITE) {
4762 /* don't want to audit every sendto attempt */
4763 tad->tad_flag = 0;
4764 /* free any residual audit data */
4765 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4766 releasef(fd);
4767 return;
4768 }
4769 /*
4770 * mark things so we know what happened and don't
4771 * repeat things
4772 */
4773 fad->fad_flags |= FAD_WRITE;
4774
4775 bzero((void *)so_laddr, sizeof (so_laddr));
4776 bzero((void *)so_faddr, sizeof (so_faddr));
4777
4778 /* get local and foreign addresses */
4779 len = sizeof (so_laddr);
4780 (void) socket_getsockname(so,
4781 (struct sockaddr *)so_laddr, &len, CRED());
4782 len = sizeof (so_faddr);
4783 (void) socket_getpeername(so,
4784 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4785
4786 add_sock_token = 1;
4787 }
4788
4789 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4790
4791 break;
4792
4793 case AF_UNIX:
4794 /*
4795 * first check if this is first time through. Too much
4796 * duplicate code to put this in an aui_ routine.
4797 */
4798
4799 /* get path from file struct here */
4800 fad = F2A(fp);
4801 ASSERT(fad);
4802
4803 /*
4804 * already processed this file for write attempt
4805 */
4806 if (fad->fad_flags & FAD_WRITE) {
4807 /* don't want to audit every sendto attempt */
4808 tad->tad_flag = 0;
4809 /* free any residual audit data */
4810 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4811 releasef(fd);
4812 return;
4813 }
4814 /*
4815 * mark things so we know what happened and don't
4816 * repeat things
4817 */
4818 fad->fad_flags |= FAD_WRITE;
4819
4820 if (fad->fad_aupath != NULL) {
4821 au_uwrite(au_to_path(fad->fad_aupath));
4822 } else {
4823 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4824 }
4825
4826 audit_attributes(fp->f_vnode);
4827
4828 releasef(fd);
4829
4830 return;
4831
4832 default:
4833 break;
4834
4835 }
4836
4837 releasef(fd);
4838
4839 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4840
4841 if (add_sock_token == 0) {
4842 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4843 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4844 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4845 return;
4846 }
4847
4848 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4849
4850 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4851
4852 }
4853
4854 /*
4855 * XXX socket(2) may be equivalent to open(2) on a unix domain
4856 * socket. This needs investigation.
4857 */
4858
4859 /*ARGSUSED*/
4860 static void
4861 aus_socket(struct t_audit_data *tad)
4862 {
4863 struct a {
4864 long domain;
4865 long type;
4866 long protocol;
4867 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4868
4869 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4870 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4871 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4872 }
4873
4874 /*ARGSUSED*/
4875 static void
4876 aus_sigqueue(struct t_audit_data *tad)
4877 {
4878 struct a {
4879 long pid;
4880 long signo;
4881 long *val;
4882 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4883 struct proc *p;
4884 uid_t uid, ruid;
4885 gid_t gid, rgid;
4886 pid_t pid;
4887 const auditinfo_addr_t *ainfo;
4888 cred_t *cr;
4889
4890 pid = (pid_t)uap->pid;
4891
4892 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4893 if (pid > 0) {
4894 mutex_enter(&pidlock);
4895 if ((p = prfind(pid)) == (struct proc *)0) {
4896 mutex_exit(&pidlock);
4897 return;
4898 }
4899 mutex_enter(&p->p_lock); /* so process doesn't go away */
4900 mutex_exit(&pidlock);
4901
4902 mutex_enter(&p->p_crlock);
4903 crhold(cr = p->p_cred);
4904 mutex_exit(&p->p_crlock);
4905 mutex_exit(&p->p_lock);
4906
4907 ainfo = crgetauinfo(cr);
4908 if (ainfo == NULL) {
4909 crfree(cr);
4910 return;
4911 }
4912
4913 uid = crgetuid(cr);
4914 gid = crgetgid(cr);
4915 ruid = crgetruid(cr);
4916 rgid = crgetrgid(cr);
4917 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4918 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4919 crfree(cr);
4920 }
4921 else
4922 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4923 }
4924
4925 /*ARGSUSED*/
4926 static void
4927 aus_inst_sync(struct t_audit_data *tad)
4928 {
4929 struct a {
4930 long name; /* char */
4931 long flags;
4932 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4933
4934 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4935 }
4936
4937 /*ARGSUSED*/
4938 static void
4939 aus_brandsys(struct t_audit_data *tad)
4940 {
4941 klwp_t *clwp = ttolwp(curthread);
4942
4943 struct a {
4944 long cmd;
4945 long arg1;
4946 long arg2;
4947 long arg3;
4948 long arg4;
4949 long arg5;
4950 long arg6;
4951 } *uap = (struct a *)clwp->lwp_ap;
4952
4953 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4954 #ifdef _LP64
4955 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4956 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4957 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4958 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4959 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4960 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4961 #else
4962 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4963 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4964 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4965 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4966 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4967 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4968 #endif
4969 }
4970
4971 /*ARGSUSED*/
4972 static void
4973 aus_p_online(struct t_audit_data *tad)
4974 {
4975 struct a {
4976 long processor_id;
4977 long flag;
4978 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4979
4980 struct flags {
4981 int flag;
4982 char *cflag;
4983 } aflags[6] = {
4984 { P_ONLINE, "P_ONLINE"},
4985 { P_OFFLINE, "P_OFFLINE"},
4986 { P_NOINTR, "P_NOINTR"},
4987 { P_SPARE, "P_SPARE"},
4988 { P_FAULTED, "P_FAULTED"},
4989 { P_STATUS, "P_STATUS"}
4990 };
4991 int i;
4992 char *cflag;
4993
4994 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4995 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4996
4997 for (i = 0; i < 6; i++) {
4998 if (aflags[i].flag == uap->flag)
4999 break;
5000 }
5001 cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5002
5003 au_uwrite(au_to_text(cflag));
5004 }
5005
5006 /*ARGSUSED*/
5007 static void
5008 aus_processor_bind(struct t_audit_data *tad)
5009 {
5010 struct a {
5011 long id_type;
5012 long id;
5013 long processor_id;
5014 long obind;
5015 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5016
5017 struct proc *p;
5018 int lwpcnt;
5019 uid_t uid, ruid;
5020 gid_t gid, rgid;
5021 pid_t pid;
5022 const auditinfo_addr_t *ainfo;
5023 cred_t *cr;
5024
5025 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5026 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5027 if (uap->processor_id == PBIND_NONE)
5028 au_uwrite(au_to_text("PBIND_NONE"));
5029 else
5030 au_uwrite(au_to_arg32(3, "processor_id",
5031 (uint32_t)uap->processor_id));
5032
5033 switch (uap->id_type) {
5034 case P_MYID:
5035 case P_LWPID:
5036 mutex_enter(&pidlock);
5037 p = ttoproc(curthread);
5038 if (p == NULL || p->p_as == &kas) {
5039 mutex_exit(&pidlock);
5040 return;
5041 }
5042 mutex_enter(&p->p_lock);
5043 mutex_exit(&pidlock);
5044 lwpcnt = p->p_lwpcnt;
5045 pid = p->p_pid;
5046
5047 mutex_enter(&p->p_crlock);
5048 crhold(cr = p->p_cred);
5049 mutex_exit(&p->p_crlock);
5050 mutex_exit(&p->p_lock);
5051
5052 ainfo = crgetauinfo(cr);
5053 if (ainfo == NULL) {
5054 crfree(cr);
5055 return;
5056 }
5057
5058 uid = crgetuid(cr);
5059 gid = crgetgid(cr);
5060 ruid = crgetruid(cr);
5061 rgid = crgetrgid(cr);
5062 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5063 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5064 crfree(cr);
5065 break;
5066 case P_PID:
5067 mutex_enter(&pidlock);
5068 p = prfind(uap->id);
5069 if (p == NULL || p->p_as == &kas) {
5070 mutex_exit(&pidlock);
5071 return;
5072 }
5073 mutex_enter(&p->p_lock);
5074 mutex_exit(&pidlock);
5075 lwpcnt = p->p_lwpcnt;
5076 pid = p->p_pid;
5077
5078 mutex_enter(&p->p_crlock);
5079 crhold(cr = p->p_cred);
5080 mutex_exit(&p->p_crlock);
5081 mutex_exit(&p->p_lock);
5082
5083 ainfo = crgetauinfo(cr);
5084 if (ainfo == NULL) {
5085 crfree(cr);
5086 return;
5087 }
5088
5089 uid = crgetuid(cr);
5090 gid = crgetgid(cr);
5091 ruid = crgetruid(cr);
5092 rgid = crgetrgid(cr);
5093 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5094 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5095 crfree(cr);
5096
5097 break;
5098 default:
5099 return;
5100 }
5101
5102 if (uap->processor_id == PBIND_NONE &&
5103 (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5104 au_uwrite(au_to_text("PBIND_NONE for process"));
5105 else
5106 au_uwrite(au_to_arg32(3, "processor_id",
5107 (uint32_t)uap->processor_id));
5108 }
5109
5110 /*ARGSUSED*/
5111 static au_event_t
5112 aui_doorfs(au_event_t e)
5113 {
5114 uint32_t code;
5115
5116 struct a { /* doorfs */
5117 long a1;
5118 long a2;
5119 long a3;
5120 long a4;
5121 long a5;
5122 long code;
5123 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5124
5125 /*
5126 * audit formats for several of the
5127 * door calls have not yet been determined
5128 */
5129 code = (uint32_t)uap->code;
5130 switch (code) {
5131 case DOOR_CALL:
5132 e = AUE_DOORFS_DOOR_CALL;
5133 break;
5134 case DOOR_RETURN:
5135 e = AUE_NULL;
5136 break;
5137 case DOOR_CREATE:
5138 e = AUE_DOORFS_DOOR_CREATE;
5139 break;
5140 case DOOR_REVOKE:
5141 e = AUE_DOORFS_DOOR_REVOKE;
5142 break;
5143 case DOOR_INFO:
5144 e = AUE_NULL;
5145 break;
5146 case DOOR_UCRED:
5147 e = AUE_NULL;
5148 break;
5149 case DOOR_BIND:
5150 e = AUE_NULL;
5151 break;
5152 case DOOR_UNBIND:
5153 e = AUE_NULL;
5154 break;
5155 case DOOR_GETPARAM:
5156 e = AUE_NULL;
5157 break;
5158 case DOOR_SETPARAM:
5159 e = AUE_NULL;
5160 break;
5161 default: /* illegal system call */
5162 e = AUE_NULL;
5163 break;
5164 }
5165
5166 return (e);
5167 }
5168
5169 static door_node_t *
5170 au_door_lookup(int did)
5171 {
5172 vnode_t *vp;
5173 file_t *fp;
5174
5175 if ((fp = getf(did)) == NULL)
5176 return (NULL);
5177 /*
5178 * Use the underlying vnode (we may be namefs mounted)
5179 */
5180 if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5181 vp = fp->f_vnode;
5182
5183 if (vp == NULL || vp->v_type != VDOOR) {
5184 releasef(did);
5185 return (NULL);
5186 }
5187
5188 return (VTOD(vp));
5189 }
5190
5191 /*ARGSUSED*/
5192 static void
5193 aus_doorfs(struct t_audit_data *tad)
5194 {
5195
5196 struct a { /* doorfs */
5197 long a1;
5198 long a2;
5199 long a3;
5200 long a4;
5201 long a5;
5202 long code;
5203 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5204
5205 door_node_t *dp;
5206 struct proc *p;
5207 uint32_t did;
5208 uid_t uid, ruid;
5209 gid_t gid, rgid;
5210 pid_t pid;
5211 const auditinfo_addr_t *ainfo;
5212 cred_t *cr;
5213
5214 did = (uint32_t)uap->a1;
5215
5216 switch (tad->tad_event) {
5217 case AUE_DOORFS_DOOR_CALL:
5218 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5219 if ((dp = au_door_lookup(did)) == NULL)
5220 break;
5221
5222 if (DOOR_INVALID(dp)) {
5223 releasef(did);
5224 break;
5225 }
5226
5227 if ((p = dp->door_target) == NULL) {
5228 releasef(did);
5229 break;
5230 }
5231 mutex_enter(&p->p_lock);
5232 releasef(did);
5233
5234 pid = p->p_pid;
5235
5236 mutex_enter(&p->p_crlock);
5237 crhold(cr = p->p_cred);
5238 mutex_exit(&p->p_crlock);
5239 mutex_exit(&p->p_lock);
5240
5241 ainfo = crgetauinfo(cr);
5242 if (ainfo == NULL) {
5243 crfree(cr);
5244 return;
5245 }
5246 uid = crgetuid(cr);
5247 gid = crgetgid(cr);
5248 ruid = crgetruid(cr);
5249 rgid = crgetrgid(cr);
5250 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5251 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5252 crfree(cr);
5253 break;
5254 case AUE_DOORFS_DOOR_RETURN:
5255 /*
5256 * We may want to write information about
5257 * all doors (if any) which will be copied
5258 * by this call to the user space
5259 */
5260 break;
5261 case AUE_DOORFS_DOOR_CREATE:
5262 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5263 break;
5264 case AUE_DOORFS_DOOR_REVOKE:
5265 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5266 break;
5267 case AUE_DOORFS_DOOR_INFO:
5268 break;
5269 case AUE_DOORFS_DOOR_CRED:
5270 break;
5271 case AUE_DOORFS_DOOR_BIND:
5272 break;
5273 case AUE_DOORFS_DOOR_UNBIND: {
5274 break;
5275 }
5276 default: /* illegal system call */
5277 break;
5278 }
5279 }
5280
5281 /*ARGSUSED*/
5282 static au_event_t
5283 aui_acl(au_event_t e)
5284 {
5285 struct a {
5286 union {
5287 long name; /* char */
5288 long fd;
5289 } obj;
5290
5291 long cmd;
5292 long nentries;
5293 long arg; /* aclent_t */
5294 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5295
5296 switch (uap->cmd) {
5297 case SETACL:
5298 case ACE_SETACL:
5299 /*
5300 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5301 * are expected.
5302 */
5303 break;
5304 case GETACL:
5305 case GETACLCNT:
5306 case ACE_GETACL:
5307 case ACE_GETACLCNT:
5308 /* do nothing for these four values. */
5309 e = AUE_NULL;
5310 break;
5311 default:
5312 /* illegal system call */
5313 break;
5314 }
5315
5316 return (e);
5317 }
5318
5319 static void
5320 au_acl(int cmd, int nentries, caddr_t bufp)
5321 {
5322 size_t a_size;
5323 aclent_t *aclbufp;
5324 ace_t *acebufp;
5325 int i;
5326
5327 switch (cmd) {
5328 case GETACL:
5329 case GETACLCNT:
5330 break;
5331 case SETACL:
5332 if (nentries < 3)
5333 break;
5334
5335 a_size = nentries * sizeof (aclent_t);
5336
5337 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5338 break;
5339 if (copyin(bufp, aclbufp, a_size)) {
5340 kmem_free(aclbufp, a_size);
5341 break;
5342 }
5343 for (i = 0; i < nentries; i++) {
5344 au_uwrite(au_to_acl(aclbufp + i));
5345 }
5346 kmem_free(aclbufp, a_size);
5347 break;
5348
5349 case ACE_SETACL:
5350 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5351 break;
5352
5353 a_size = nentries * sizeof (ace_t);
5354 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5355 break;
5356 if (copyin(bufp, acebufp, a_size)) {
5357 kmem_free(acebufp, a_size);
5358 break;
5359 }
5360 for (i = 0; i < nentries; i++) {
5361 au_uwrite(au_to_ace(acebufp + i));
5362 }
5363 kmem_free(acebufp, a_size);
5364 break;
5365 default:
5366 break;
5367 }
5368 }
5369
5370 /*ARGSUSED*/
5371 static void
5372 aus_acl(struct t_audit_data *tad)
5373 {
5374 struct a {
5375 long fname;
5376 long cmd;
5377 long nentries;
5378 long aclbufp;
5379 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5380
5381 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5382 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5383
5384 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5385 }
5386
5387 /*ARGSUSED*/
5388 static void
5389 aus_facl(struct t_audit_data *tad)
5390 {
5391 struct a {
5392 long fd;
5393 long cmd;
5394 long nentries;
5395 long aclbufp;
5396 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5397 struct file *fp;
5398 struct vnode *vp;
5399 struct f_audit_data *fad;
5400 int fd;
5401
5402 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5403 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5404
5405 fd = (int)uap->fd;
5406
5407 if ((fp = getf(fd)) == NULL)
5408 return;
5409
5410 /* get path from file struct here */
5411 fad = F2A(fp);
5412 if (fad->fad_aupath != NULL) {
5413 au_uwrite(au_to_path(fad->fad_aupath));
5414 } else {
5415 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5416 }
5417
5418 vp = fp->f_vnode;
5419 audit_attributes(vp);
5420
5421 /* decrement file descriptor reference count */
5422 releasef(fd);
5423
5424 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5425 }
5426
5427 /*ARGSUSED*/
5428 static void
5429 auf_read(tad, error, rval)
5430 struct t_audit_data *tad;
5431 int error;
5432 rval_t *rval;
5433 {
5434 struct file *fp;
5435 struct f_audit_data *fad;
5436 int fd;
5437 register struct a {
5438 long fd;
5439 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5440 au_kcontext_t *kctx = GET_KCTX_PZ;
5441
5442 fd = (int)uap->fd;
5443
5444 /*
5445 * convert file pointer to file descriptor
5446 * Note: fd ref count incremented here.
5447 */
5448 if ((fp = getf(fd)) == NULL)
5449 return;
5450
5451 /* get path from file struct here */
5452 fad = F2A(fp);
5453 ASSERT(fad);
5454
5455 /*
5456 * already processed this file for read attempt
5457 *
5458 * XXX might be better to turn off auditing in a aui_read() routine.
5459 */
5460 if (fad->fad_flags & FAD_READ) {
5461 /* don't really want to audit every read attempt */
5462 tad->tad_flag = 0;
5463 /* free any residual audit data */
5464 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5465 releasef(fd);
5466 return;
5467 }
5468 /* mark things so we know what happened and don't repeat things */
5469 fad->fad_flags |= FAD_READ;
5470
5471 if (fad->fad_aupath != NULL) {
5472 au_uwrite(au_to_path(fad->fad_aupath));
5473 } else {
5474 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5475 }
5476
5477 /* include attributes */
5478 audit_attributes(fp->f_vnode);
5479
5480 /* decrement file descriptor reference count */
5481 releasef(fd);
5482 }
5483
5484 /*ARGSUSED*/
5485 static void
5486 auf_write(tad, error, rval)
5487 struct t_audit_data *tad;
5488 int error;
5489 rval_t *rval;
5490 {
5491 struct file *fp;
5492 struct f_audit_data *fad;
5493 int fd;
5494 register struct a {
5495 long fd;
5496 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5497 au_kcontext_t *kctx = GET_KCTX_PZ;
5498
5499 fd = (int)uap->fd;
5500
5501 /*
5502 * convert file pointer to file descriptor
5503 * Note: fd ref count incremented here.
5504 */
5505 if ((fp = getf(fd)) == NULL)
5506 return;
5507
5508 /* get path from file struct here */
5509 fad = F2A(fp);
5510 ASSERT(fad);
5511
5512 /*
5513 * already processed this file for write attempt
5514 *
5515 * XXX might be better to turn off auditing in a aus_write() routine.
5516 */
5517 if (fad->fad_flags & FAD_WRITE) {
5518 /* don't really want to audit every write attempt */
5519 tad->tad_flag = 0;
5520 /* free any residual audit data */
5521 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5522 releasef(fd);
5523 return;
5524 }
5525 /* mark things so we know what happened and don't repeat things */
5526 fad->fad_flags |= FAD_WRITE;
5527
5528 if (fad->fad_aupath != NULL) {
5529 au_uwrite(au_to_path(fad->fad_aupath));
5530 } else {
5531 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5532 }
5533
5534 /* include attributes */
5535 audit_attributes(fp->f_vnode);
5536
5537 /* decrement file descriptor reference count */
5538 releasef(fd);
5539 }
5540
5541 /*ARGSUSED*/
5542 static void
5543 auf_recv(tad, error, rval)
5544 struct t_audit_data *tad;
5545 int error;
5546 rval_t *rval;
5547 {
5548 struct sonode *so;
5549 char so_laddr[sizeof (struct sockaddr_in6)];
5550 char so_faddr[sizeof (struct sockaddr_in6)];
5551 struct file *fp;
5552 struct f_audit_data *fad;
5553 int fd;
5554 int err;
5555 socklen_t len;
5556 short so_family, so_type;
5557 register struct a {
5558 long fd;
5559 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5560 au_kcontext_t *kctx = GET_KCTX_PZ;
5561
5562 /*
5563 * If there was an error, then nothing to do. Only generate
5564 * audit record on first successful recv.
5565 */
5566 if (error) {
5567 /* Turn off audit record generation here. */
5568 tad->tad_flag = 0;
5569 /* free any residual audit data */
5570 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5571 return;
5572 }
5573
5574 fd = (int)uap->fd;
5575
5576 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5577 /* Turn off audit record generation here. */
5578 tad->tad_flag = 0;
5579 /* free any residual audit data */
5580 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5581 return;
5582 }
5583
5584 /* get path from file struct here */
5585 fad = F2A(fp);
5586 ASSERT(fad);
5587
5588 /*
5589 * already processed this file for read attempt
5590 */
5591 if (fad->fad_flags & FAD_READ) {
5592 releasef(fd);
5593 /* don't really want to audit every recv call */
5594 tad->tad_flag = 0;
5595 /* free any residual audit data */
5596 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5597 return;
5598 }
5599
5600 /* mark things so we know what happened and don't repeat things */
5601 fad->fad_flags |= FAD_READ;
5602
5603 so_family = so->so_family;
5604 so_type = so->so_type;
5605
5606 switch (so_family) {
5607 case AF_INET:
5608 case AF_INET6:
5609 /*
5610 * Only for connections.
5611 * XXX - do we need to worry about SOCK_DGRAM or other types???
5612 */
5613 if (so->so_state & SS_ISBOUND) {
5614
5615 bzero((void *)so_laddr, sizeof (so_laddr));
5616 bzero((void *)so_faddr, sizeof (so_faddr));
5617
5618 /* get local and foreign addresses */
5619 len = sizeof (so_laddr);
5620 (void) socket_getsockname(so,
5621 (struct sockaddr *)so_laddr, &len, CRED());
5622 len = sizeof (so_faddr);
5623 (void) socket_getpeername(so,
5624 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5625
5626 /*
5627 * only way to drop out of switch. Note that we
5628 * we release fd below.
5629 */
5630
5631 break;
5632 }
5633
5634 releasef(fd);
5635
5636 /* don't really want to audit every recv call */
5637 tad->tad_flag = 0;
5638 /* free any residual audit data */
5639 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5640
5641 return;
5642
5643 case AF_UNIX:
5644
5645 if (fad->fad_aupath != NULL) {
5646 au_uwrite(au_to_path(fad->fad_aupath));
5647 } else {
5648 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5649 }
5650
5651 audit_attributes(fp->f_vnode);
5652
5653 releasef(fd);
5654
5655 return;
5656
5657 default:
5658 releasef(fd);
5659
5660 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5661 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5662 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5663
5664 return;
5665 }
5666
5667 releasef(fd);
5668
5669 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5670
5671 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5672
5673 }
5674
5675 /*ARGSUSED*/
5676 static void
5677 auf_send(tad, error, rval)
5678 struct t_audit_data *tad;
5679 int error;
5680 rval_t *rval;
5681 {
5682 struct sonode *so;
5683 char so_laddr[sizeof (struct sockaddr_in6)];
5684 char so_faddr[sizeof (struct sockaddr_in6)];
5685 struct file *fp;
5686 struct f_audit_data *fad;
5687 int fd;
5688 int err;
5689 socklen_t len;
5690 short so_family, so_type;
5691 register struct a {
5692 long fd;
5693 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5694 au_kcontext_t *kctx = GET_KCTX_PZ;
5695
5696 fd = (int)uap->fd;
5697
5698 /*
5699 * If there was an error, then nothing to do. Only generate
5700 * audit record on first successful send.
5701 */
5702 if (error != 0) {
5703 /* Turn off audit record generation here. */
5704 tad->tad_flag = 0;
5705 /* free any residual audit data */
5706 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5707 return;
5708 }
5709
5710 fd = (int)uap->fd;
5711
5712 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5713 /* Turn off audit record generation here. */
5714 tad->tad_flag = 0;
5715 /* free any residual audit data */
5716 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5717 return;
5718 }
5719
5720 /* get path from file struct here */
5721 fad = F2A(fp);
5722 ASSERT(fad);
5723
5724 /*
5725 * already processed this file for write attempt
5726 */
5727 if (fad->fad_flags & FAD_WRITE) {
5728 releasef(fd);
5729 /* don't really want to audit every send call */
5730 tad->tad_flag = 0;
5731 /* free any residual audit data */
5732 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5733 return;
5734 }
5735
5736 /* mark things so we know what happened and don't repeat things */
5737 fad->fad_flags |= FAD_WRITE;
5738
5739 so_family = so->so_family;
5740 so_type = so->so_type;
5741
5742 switch (so_family) {
5743 case AF_INET:
5744 case AF_INET6:
5745 /*
5746 * Only for connections.
5747 * XXX - do we need to worry about SOCK_DGRAM or other types???
5748 */
5749 if (so->so_state & SS_ISBOUND) {
5750
5751 bzero((void *)so_laddr, sizeof (so_laddr));
5752 bzero((void *)so_faddr, sizeof (so_faddr));
5753
5754 /* get local and foreign addresses */
5755 len = sizeof (so_laddr);
5756 (void) socket_getsockname(so,
5757 (struct sockaddr *)so_laddr, &len, CRED());
5758 len = sizeof (so_faddr);
5759 (void) socket_getpeername(so,
5760 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5761
5762 /*
5763 * only way to drop out of switch. Note that we
5764 * we release fd below.
5765 */
5766
5767 break;
5768 }
5769
5770 releasef(fd);
5771 /* don't really want to audit every send call */
5772 tad->tad_flag = 0;
5773 /* free any residual audit data */
5774 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5775
5776 return;
5777
5778 case AF_UNIX:
5779
5780 if (fad->fad_aupath != NULL) {
5781 au_uwrite(au_to_path(fad->fad_aupath));
5782 } else {
5783 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5784 }
5785
5786 audit_attributes(fp->f_vnode);
5787
5788 releasef(fd);
5789
5790 return;
5791
5792 default:
5793 releasef(fd);
5794
5795 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5796 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5797 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5798
5799 return;
5800 }
5801
5802 releasef(fd);
5803
5804 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5805
5806 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5807 }
5808
5809 static au_event_t
5810 aui_forksys(au_event_t e)
5811 {
5812 struct a {
5813 long subcode;
5814 long flags;
5815 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5816
5817 switch ((uint_t)uap->subcode) {
5818 case 0:
5819 e = AUE_FORK1;
5820 break;
5821 case 1:
5822 e = AUE_FORKALL;
5823 break;
5824 case 2:
5825 e = AUE_VFORK;
5826 break;
5827 default:
5828 e = AUE_NULL;
5829 break;
5830 }
5831
5832 return (e);
5833 }
5834
5835 /*ARGSUSED*/
5836 static au_event_t
5837 aui_portfs(au_event_t e)
5838 {
5839 struct a { /* portfs */
5840 long a1;
5841 long a2;
5842 long a3;
5843 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5844
5845 /*
5846 * check opcode
5847 */
5848 switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5849 case PORT_ASSOCIATE:
5850 /* check source */
5851 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5852 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5853 e = AUE_PORTFS_ASSOCIATE;
5854 } else {
5855 e = AUE_NULL;
5856 }
5857 break;
5858 case PORT_DISSOCIATE:
5859 /* check source */
5860 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5861 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5862 e = AUE_PORTFS_DISSOCIATE;
5863 } else {
5864 e = AUE_NULL;
5865 }
5866 break;
5867 default:
5868 e = AUE_NULL;
5869 }
5870 return (e);
5871 }