1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Copyright (c) 2011 Bayard G. Bell. All rights reserved.
  25  */
  26 
  27 /*
  28  * This file contains the audit event table used to control the production
  29  * of audit records for each system call.
  30  */
  31 
  32 #include <sys/policy.h>
  33 #include <sys/cred.h>
  34 #include <sys/types.h>
  35 #include <sys/systm.h>
  36 #include <sys/systeminfo.h>       /* for sysinfo auditing */
  37 #include <sys/utsname.h>  /* for sysinfo auditing */
  38 #include <sys/proc.h>
  39 #include <sys/vnode.h>
  40 #include <sys/mman.h>             /* for mmap(2) auditing etc. */
  41 #include <sys/fcntl.h>
  42 #include <sys/modctl.h>           /* for modctl auditing */
  43 #include <sys/vnode.h>
  44 #include <sys/user.h>
  45 #include <sys/types.h>
  46 #include <sys/processor.h>
  47 #include <sys/procset.h>
  48 #include <sys/acl.h>
  49 #include <sys/ipc.h>
  50 #include <sys/door.h>
  51 #include <sys/sem.h>
  52 #include <sys/msg.h>
  53 #include <sys/shm.h>
  54 #include <sys/kmem.h>
  55 #include <sys/file.h>             /* for accept */
  56 #include <sys/utssys.h>           /* for fuser */
  57 #include <sys/tsol/label.h>
  58 #include <sys/tsol/tndb.h>
  59 #include <sys/tsol/tsyscall.h>
  60 #include <c2/audit.h>
  61 #include <c2/audit_kernel.h>
  62 #include <c2/audit_kevents.h>
  63 #include <c2/audit_record.h>
  64 #include <sys/procset.h>
  65 #include <nfs/mount.h>
  66 #include <sys/param.h>
  67 #include <sys/debug.h>
  68 #include <sys/sysmacros.h>
  69 #include <sys/stream.h>
  70 #include <sys/strsubr.h>
  71 #include <sys/stropts.h>
  72 #include <sys/tihdr.h>
  73 #include <sys/socket.h>
  74 #include <sys/socketvar.h>
  75 #include <sys/vfs_opreg.h>
  76 #include <fs/sockfs/sockcommon.h>
  77 #include <netinet/in.h>
  78 #include <sys/ddi.h>
  79 #include <sys/port_impl.h>
  80 
  81 static au_event_t       aui_fchownat(au_event_t);
  82 static au_event_t       aui_fchmodat(au_event_t);
  83 static au_event_t       aui_open(au_event_t);
  84 static au_event_t       aui_openat(au_event_t);
  85 static au_event_t       aui_unlinkat(au_event_t);
  86 static au_event_t       aui_fstatat(au_event_t);
  87 static au_event_t       aui_msgsys(au_event_t);
  88 static au_event_t       aui_shmsys(au_event_t);
  89 static au_event_t       aui_semsys(au_event_t);
  90 static au_event_t       aui_utssys(au_event_t);
  91 static au_event_t       aui_fcntl(au_event_t);
  92 static au_event_t       aui_execve(au_event_t);
  93 static au_event_t       aui_memcntl(au_event_t);
  94 static au_event_t       aui_sysinfo(au_event_t);
  95 static au_event_t       aui_portfs(au_event_t);
  96 static au_event_t       aui_auditsys(au_event_t);
  97 static au_event_t       aui_modctl(au_event_t);
  98 static au_event_t       aui_acl(au_event_t);
  99 static au_event_t       aui_doorfs(au_event_t);
 100 static au_event_t       aui_privsys(au_event_t);
 101 static au_event_t       aui_forksys(au_event_t);
 102 static au_event_t       aui_labelsys(au_event_t);
 103 static au_event_t       aui_setpgrp(au_event_t);
 104 
 105 static void     aus_exit(struct t_audit_data *);
 106 static void     aus_open(struct t_audit_data *);
 107 static void     aus_openat(struct t_audit_data *);
 108 static void     aus_acl(struct t_audit_data *);
 109 static void     aus_acct(struct t_audit_data *);
 110 static void     aus_chown(struct t_audit_data *);
 111 static void     aus_fchown(struct t_audit_data *);
 112 static void     aus_lchown(struct t_audit_data *);
 113 static void     aus_fchownat(struct t_audit_data *);
 114 static void     aus_chmod(struct t_audit_data *);
 115 static void     aus_facl(struct t_audit_data *);
 116 static void     aus_fchmod(struct t_audit_data *);
 117 static void     aus_fchmodat(struct t_audit_data *);
 118 static void     aus_fcntl(struct t_audit_data *);
 119 static void     aus_mkdir(struct t_audit_data *);
 120 static void     aus_mkdirat(struct t_audit_data *);
 121 static void     aus_mknod(struct t_audit_data *);
 122 static void     aus_mknodat(struct t_audit_data *);
 123 static void     aus_mount(struct t_audit_data *);
 124 static void     aus_umount2(struct t_audit_data *);
 125 static void     aus_msgsys(struct t_audit_data *);
 126 static void     aus_semsys(struct t_audit_data *);
 127 static void     aus_close(struct t_audit_data *);
 128 static void     aus_fstatfs(struct t_audit_data *);
 129 static void     aus_setgid(struct t_audit_data *);
 130 static void     aus_setpgrp(struct t_audit_data *);
 131 static void     aus_setuid(struct t_audit_data *);
 132 static void     aus_shmsys(struct t_audit_data *);
 133 static void     aus_doorfs(struct t_audit_data *);
 134 static void     aus_ioctl(struct t_audit_data *);
 135 static void     aus_memcntl(struct t_audit_data *);
 136 static void     aus_mmap(struct t_audit_data *);
 137 static void     aus_munmap(struct t_audit_data *);
 138 static void     aus_priocntlsys(struct t_audit_data *);
 139 static void     aus_setegid(struct t_audit_data *);
 140 static void     aus_setgroups(struct t_audit_data *);
 141 static void     aus_seteuid(struct t_audit_data *);
 142 static void     aus_putmsg(struct t_audit_data *);
 143 static void     aus_putpmsg(struct t_audit_data *);
 144 static void     aus_getmsg(struct t_audit_data *);
 145 static void     aus_getpmsg(struct t_audit_data *);
 146 static void     aus_auditsys(struct t_audit_data *);
 147 static void     aus_sysinfo(struct t_audit_data *);
 148 static void     aus_modctl(struct t_audit_data *);
 149 static void     aus_kill(struct t_audit_data *);
 150 static void     aus_setregid(struct t_audit_data *);
 151 static void     aus_setreuid(struct t_audit_data *);
 152 static void     aus_labelsys(struct t_audit_data *);
 153 
 154 static void     auf_mknod(struct t_audit_data *, int, rval_t *);
 155 static void     auf_mknodat(struct t_audit_data *, int, rval_t *);
 156 static void     auf_msgsys(struct t_audit_data *, int, rval_t *);
 157 static void     auf_semsys(struct t_audit_data *, int, rval_t *);
 158 static void     auf_shmsys(struct t_audit_data *, int, rval_t *);
 159 static void     auf_read(struct t_audit_data *, int, rval_t *);
 160 static void     auf_write(struct t_audit_data *, int, rval_t *);
 161 
 162 static void     aus_sigqueue(struct t_audit_data *);
 163 static void     aus_p_online(struct t_audit_data *);
 164 static void     aus_processor_bind(struct t_audit_data *);
 165 static void     aus_inst_sync(struct t_audit_data *);
 166 static void     aus_brandsys(struct t_audit_data *);
 167 
 168 static void     auf_accept(struct t_audit_data *, int, rval_t *);
 169 
 170 static void     auf_bind(struct t_audit_data *, int, rval_t *);
 171 static void     auf_connect(struct t_audit_data *, int, rval_t *);
 172 static void     aus_shutdown(struct t_audit_data *);
 173 static void     auf_setsockopt(struct t_audit_data *, int, rval_t *);
 174 static void     aus_sockconfig(struct t_audit_data *);
 175 static void     auf_recv(struct t_audit_data *, int, rval_t *);
 176 static void     auf_recvmsg(struct t_audit_data *, int, rval_t *);
 177 static void     auf_send(struct t_audit_data *, int, rval_t *);
 178 static void     auf_sendmsg(struct t_audit_data *, int, rval_t *);
 179 static void     auf_recvfrom(struct t_audit_data *, int, rval_t *);
 180 static void     auf_sendto(struct t_audit_data *, int, rval_t *);
 181 static void     aus_socket(struct t_audit_data *);
 182 /*
 183  * This table contains mapping information for converting system call numbers
 184  * to audit event IDs. In several cases it is necessary to map a single system
 185  * call to several events.
 186  */
 187 
 188 #define aui_null        NULL    /* NULL initialize function */
 189 #define aus_null        NULL    /* NULL start function */
 190 #define auf_null        NULL    /* NULL finish function */
 191 
 192 struct audit_s2e audit_s2e[] =
 193 {
 194 /*
 195  * ----------   ----------      ----------      ----------
 196  * INITIAL      AUDIT           START           SYSTEM
 197  * PROCESSING   EVENT           PROCESSING      CALL
 198  * ----------   ----------      ----------      -----------
 199  *              FINISH          EVENT
 200  *              PROCESSING      CONTROL
 201  * ----------------------------------------------------------
 202  */
 203 aui_null,       AUE_NULL,       aus_null,       /* 0 unused (indirect) */
 204                 auf_null,       0,
 205 aui_null,       AUE_EXIT,       aus_exit,       /* 1 exit */
 206                 auf_null,       S2E_NPT,
 207 aui_null,       AUE_NULL,       aus_null,       /* 2 (loadable) was forkall */
 208                 auf_null,       0,
 209 aui_null,       AUE_READ,       aus_null,       /* 3 read */
 210                 auf_read,       S2E_PUB,
 211 aui_null,       AUE_WRITE,      aus_null,       /* 4 write */
 212                 auf_write,      0,
 213 aui_open,       AUE_OPEN,       aus_open,       /* 5 open */
 214                 auf_null,       S2E_SP,
 215 aui_null,       AUE_CLOSE,      aus_close,      /* 6 close */
 216                 auf_null,       0,
 217 aui_null,       AUE_LINK,       aus_null,       /* 7 linkat */
 218                 auf_null,       0,
 219 aui_null,       AUE_NULL,       aus_null,       /* 8 (loadable) was creat */
 220                 auf_null,       0,
 221 aui_null,       AUE_LINK,       aus_null,       /* 9 link */
 222                 auf_null,       0,
 223 aui_null,       AUE_UNLINK,     aus_null,       /* 10 unlink */
 224                 auf_null,       0,
 225 aui_null,       AUE_SYMLINK,    aus_null,       /* 11 symlinkat */
 226                 auf_null,       0,
 227 aui_null,       AUE_CHDIR,      aus_null,       /* 12 chdir */
 228                 auf_null,       S2E_SP,
 229 aui_null,       AUE_NULL,       aus_null,       /* 13 time */
 230                 auf_null,       0,
 231 aui_null,       AUE_MKNOD,      aus_mknod,      /* 14 mknod */
 232                 auf_mknod,      S2E_MLD,
 233 aui_null,       AUE_CHMOD,      aus_chmod,      /* 15 chmod */
 234                 auf_null,       0,
 235 aui_null,       AUE_CHOWN,      aus_chown,      /* 16 chown */
 236                 auf_null,       0,
 237 aui_null,       AUE_NULL,       aus_null,       /* 17 brk */
 238                 auf_null,       0,
 239 aui_null,       AUE_STAT,       aus_null,       /* 18 stat */
 240                 auf_null,       S2E_PUB,
 241 aui_null,       AUE_NULL,       aus_null,       /* 19 lseek */
 242                 auf_null,       0,
 243 aui_null,       AUE_NULL,       aus_null,       /* 20 getpid */
 244                 auf_null,       0,
 245 aui_null,       AUE_MOUNT,      aus_mount,      /* 21 mount */
 246                 auf_null,       S2E_MLD,
 247 aui_null,       AUE_READLINK,   aus_null,       /* 22 readlinkat */
 248                 auf_null,       S2E_PUB,
 249 aui_null,       AUE_SETUID,     aus_setuid,     /* 23 setuid */
 250                 auf_null,       0,
 251 aui_null,       AUE_NULL,       aus_null,       /* 24 getuid */
 252                 auf_null,       0,
 253 aui_null,       AUE_STIME,      aus_null,       /* 25 stime */
 254                 auf_null,       0,
 255 aui_null,       AUE_NULL,       aus_null,       /* 26 pcsample */
 256                 auf_null,       0,
 257 aui_null,       AUE_NULL,       aus_null,       /* 27 alarm */
 258                 auf_null,       0,
 259 aui_null,       AUE_NULL,       aus_null,       /* 28 fstat */
 260                 auf_null,       0,
 261 aui_null,       AUE_NULL,       aus_null,       /* 29 pause */
 262                 auf_null,       0,
 263 aui_null,       AUE_NULL,       aus_null,       /* 30 (loadable) was utime */
 264                 auf_null,       0,
 265 aui_null,       AUE_NULL,       aus_null,       /* 31 stty (TIOCSETP-audit?) */
 266                 auf_null,       0,
 267 aui_null,       AUE_NULL,       aus_null,       /* 32 gtty */
 268                 auf_null,       0,
 269 aui_null,       AUE_ACCESS,     aus_null,       /* 33 access */
 270                 auf_null,       S2E_PUB,
 271 aui_null,       AUE_NICE,       aus_null,       /* 34 nice */
 272                 auf_null,       0,
 273 aui_null,       AUE_STATFS,     aus_null,       /* 35 statfs */
 274                 auf_null,       S2E_PUB,
 275 aui_null,       AUE_NULL,       aus_null,       /* 36 sync */
 276                 auf_null,       0,
 277 aui_null,       AUE_KILL,       aus_kill,       /* 37 kill */
 278                 auf_null,       0,
 279 aui_null,       AUE_FSTATFS,    aus_fstatfs,    /* 38 fstatfs */
 280                 auf_null,       S2E_PUB,
 281 aui_setpgrp,    AUE_SETPGRP,    aus_setpgrp,    /* 39 setpgrp */
 282                 auf_null,       0,
 283 aui_null,       AUE_NULL,       aus_null,       /* 40 uucopystr */
 284                 auf_null,       0,
 285 aui_null,       AUE_NULL,       aus_null,       /* 41 (loadable) was dup */
 286                 auf_null,       0,
 287 aui_null,       AUE_PIPE,       aus_null,       /* 42 (loadable) pipe */
 288                 auf_null,       0,
 289 aui_null,       AUE_NULL,       aus_null,       /* 43 times */
 290                 auf_null,       0,
 291 aui_null,       AUE_NULL,       aus_null,       /* 44 profil */
 292                 auf_null,       0,
 293 aui_null,       AUE_ACCESS,     aus_null,       /* 45 faccessat */
 294                 auf_null,       S2E_PUB,
 295 aui_null,       AUE_SETGID,     aus_setgid,     /* 46 setgid */
 296                 auf_null,       0,
 297 aui_null,       AUE_NULL,       aus_null,       /* 47 getgid */
 298                 auf_null,       0,
 299 aui_null,       AUE_MKNOD,      aus_mknodat,    /* 48 mknodat */
 300                 auf_mknodat,    S2E_MLD,
 301 aui_msgsys,     AUE_MSGSYS,     aus_msgsys,     /* 49 (loadable) msgsys */
 302                 auf_msgsys,     0,
 303 #if defined(__x86)
 304 aui_null,       AUE_NULL,       aus_null,       /* 50 sysi86 */
 305                 auf_null,       0,
 306 #else
 307 aui_null,       AUE_NULL,       aus_null,       /* 50 (loadable) was sys3b */
 308                 auf_null,       0,
 309 #endif /* __x86 */
 310 aui_null,       AUE_ACCT,       aus_acct,       /* 51 (loadable) sysacct */
 311                 auf_null,       0,
 312 aui_shmsys,     AUE_SHMSYS,     aus_shmsys,     /* 52 (loadable) shmsys */
 313                 auf_shmsys,     0,
 314 aui_semsys,     AUE_SEMSYS,     aus_semsys,     /* 53 (loadable) semsys */
 315                 auf_semsys,     0,
 316 aui_null,       AUE_IOCTL,      aus_ioctl,      /* 54 ioctl */
 317                 auf_null,       0,
 318 aui_null,       AUE_NULL,       aus_null,       /* 55 uadmin */
 319                 auf_null,       0,
 320 aui_fchownat,   AUE_NULL,       aus_fchownat,   /* 56 fchownat */
 321                 auf_null,       0,
 322 aui_utssys,     AUE_FUSERS,     aus_null,       /* 57 utssys */
 323                 auf_null,       0,
 324 aui_null,       AUE_NULL,       aus_null,       /* 58 fsync */
 325                 auf_null,       0,
 326 aui_execve,     AUE_EXECVE,     aus_null,       /* 59 exece */
 327                 auf_null,       S2E_MLD,
 328 aui_null,       AUE_NULL,       aus_null,       /* 60 umask */
 329                 auf_null,       0,
 330 aui_null,       AUE_CHROOT,     aus_null,       /* 61 chroot */
 331                 auf_null,       S2E_SP,
 332 aui_fcntl,      AUE_FCNTL,      aus_fcntl,      /* 62 fcntl */
 333                 auf_null,       0,
 334 aui_null,       AUE_NULL,       aus_null,       /* 63 ulimit */
 335                 auf_null,       0,
 336 aui_null,       AUE_RENAME,     aus_null,       /* 64 renameat */
 337                 auf_null,       0,
 338 aui_unlinkat,   AUE_NULL,       aus_null,       /* 65 unlinkat */
 339                 auf_null,       0,
 340 aui_fstatat,    AUE_NULL,       aus_null,       /* 66 fstatat */
 341                 auf_null,       S2E_PUB,
 342 aui_fstatat,    AUE_NULL,       aus_null,       /* 67 fstatat64 */
 343                 auf_null,       S2E_PUB,
 344 aui_openat,     AUE_OPEN,       aus_openat,     /* 68 openat */
 345                 auf_null,       S2E_SP,
 346 aui_openat,     AUE_OPEN,       aus_openat,     /* 69 openat64 */
 347                 auf_null,       S2E_SP,
 348 aui_null,       AUE_NULL,       aus_null,       /* 70 tasksys */
 349                 auf_null,       0,
 350 aui_null,       AUE_NULL,       aus_null,       /* 71 (loadable) acctctl */
 351                 auf_null,       0,
 352 aui_null,       AUE_NULL,       aus_null,       /* 72 (loadable) exacct */
 353                 auf_null,       0,
 354 aui_null,       AUE_NULL,       aus_null,       /* 73 getpagesizes */
 355                 auf_null,       0,
 356 aui_null,       AUE_NULL,       aus_null,       /* 74 rctlsys */
 357                 auf_null,       0,
 358 aui_null,       AUE_NULL,       aus_null,       /* 75 sidsys */
 359                 auf_null,       0,
 360 aui_null,       AUE_NULL,       aus_null,       /* 76 (loadable) was fsat */
 361                 auf_null,       0,
 362 aui_null,       AUE_NULL,       aus_null,       /* 77 syslwp_park */
 363                 auf_null,       0,
 364 aui_null,       AUE_NULL,       aus_null,       /* 78 sendfilev */
 365                 auf_null,       0,
 366 aui_null,       AUE_RMDIR,      aus_null,       /* 79 rmdir */
 367                 auf_null,       0,
 368 aui_null,       AUE_MKDIR,      aus_mkdir,      /* 80 mkdir */
 369                 auf_null,       0,
 370 aui_null,       AUE_NULL,       aus_null,       /* 81 getdents */
 371                 auf_null,       0,
 372 aui_privsys,    AUE_NULL,       aus_null,       /* 82 privsys */
 373                 auf_null,       0,
 374 aui_null,       AUE_NULL,       aus_null,       /* 83 ucredsys */
 375                 auf_null,       0,
 376 aui_null,       AUE_NULL,       aus_null,       /* 84 sysfs */
 377                 auf_null,       0,
 378 aui_null,       AUE_GETMSG,     aus_getmsg,     /* 85 getmsg */
 379                 auf_null,       0,
 380 aui_null,       AUE_PUTMSG,     aus_putmsg,     /* 86 putmsg */
 381                 auf_null,       0,
 382 aui_null,       AUE_NULL,       aus_null,       /* 87 (loadable) was poll */
 383                 auf_null,       0,
 384 aui_null,       AUE_LSTAT,      aus_null,       /* 88 lstat */
 385                 auf_null,       S2E_PUB,
 386 aui_null,       AUE_SYMLINK,    aus_null,       /* 89 symlink */
 387                 auf_null,       0,
 388 aui_null,       AUE_READLINK,   aus_null,       /* 90 readlink */
 389                 auf_null,       S2E_PUB,
 390 aui_null,       AUE_SETGROUPS,  aus_setgroups,  /* 91 setgroups */
 391                 auf_null,       0,
 392 aui_null,       AUE_NULL,       aus_null,       /* 92 getgroups */
 393                 auf_null,       0,
 394 aui_null,       AUE_FCHMOD,     aus_fchmod,     /* 93 fchmod */
 395                 auf_null,       0,
 396 aui_null,       AUE_FCHOWN,     aus_fchown,     /* 94 fchown */
 397                 auf_null,       0,
 398 aui_null,       AUE_NULL,       aus_null,       /* 95 sigprocmask */
 399                 auf_null,       0,
 400 aui_null,       AUE_NULL,       aus_null,       /* 96 sigsuspend */
 401                 auf_null,       0,
 402 aui_null,       AUE_NULL,       aus_null,       /* 97 sigaltstack */
 403                 auf_null,       0,
 404 aui_null,       AUE_NULL,       aus_null,       /* 98 sigaction */
 405                 auf_null,       0,
 406 aui_null,       AUE_NULL,       aus_null,       /* 99 sigpending */
 407                 auf_null,       0,
 408 aui_null,       AUE_NULL,       aus_null,       /* 100 setcontext */
 409                 auf_null,       0,
 410 aui_fchmodat,   AUE_NULL,       aus_fchmodat,   /* 101 fchmodat */
 411                 auf_null,       0,
 412 aui_null,       AUE_MKDIR,      aus_mkdirat,    /* 102 mkdirat */
 413                 auf_null,       0,
 414 aui_null,       AUE_STATVFS,    aus_null,       /* 103 statvfs */
 415                 auf_null,       S2E_PUB,
 416 aui_null,       AUE_NULL,       aus_null,       /* 104 fstatvfs */
 417                 auf_null,       0,
 418 aui_null,       AUE_NULL,       aus_null,       /* 105 getloadavg */
 419                 auf_null,       0,
 420 aui_null,       AUE_NULL,       aus_null,       /* 106 nfssys */
 421                 auf_null,       0,
 422 aui_null,       AUE_NULL,       aus_null,       /* 107 waitsys */
 423                 auf_null,       0,
 424 aui_null,       AUE_NULL,       aus_null,       /* 108 sigsendsys */
 425                 auf_null,       0,
 426 #if defined(__x86)
 427 aui_null,       AUE_NULL,       aus_null,       /* 109 hrtsys */
 428                 auf_null,       0,
 429 #else
 430 aui_null,       AUE_NULL,       aus_null,       /* 109 (loadable) */
 431                 auf_null,       0,
 432 #endif /* __x86 */
 433 aui_null,       AUE_UTIMES,     aus_null,       /* 110 utimesys */
 434                 auf_null,       0,
 435 aui_null,       AUE_NULL,       aus_null,       /* 111 sigresend */
 436                 auf_null,       0,
 437 aui_null,       AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
 438                 auf_null,       0,
 439 aui_null,       AUE_PATHCONF,   aus_null,       /* 113 pathconf */
 440                 auf_null,       S2E_PUB,
 441 aui_null,       AUE_NULL,       aus_null,       /* 114 mincore */
 442                 auf_null,       0,
 443 aui_null,       AUE_MMAP,       aus_mmap,       /* 115 mmap */
 444                 auf_null,       0,
 445 aui_null,       AUE_NULL,       aus_null,       /* 116 mprotect */
 446                 auf_null,       0,
 447 aui_null,       AUE_MUNMAP,     aus_munmap,     /* 117 munmap */
 448                 auf_null,       0,
 449 aui_null,       AUE_NULL,       aus_null,       /* 118 fpathconf */
 450                 auf_null,       0,
 451 aui_null,       AUE_VFORK,      aus_null,       /* 119 vfork */
 452                 auf_null,       0,
 453 aui_null,       AUE_FCHDIR,     aus_null,       /* 120 fchdir */
 454                 auf_null,       0,
 455 aui_null,       AUE_READ,       aus_null,       /* 121 readv */
 456                 auf_read,       S2E_PUB,
 457 aui_null,       AUE_WRITE,      aus_null,       /* 122 writev */
 458                 auf_write,      0,
 459 aui_null,       AUE_NULL,       aus_null,       /* 123 (loadable) was xstat */
 460                 auf_null,       0,
 461 aui_null,       AUE_NULL,       aus_null,       /* 124 (loadable) was lxstat */
 462                 auf_null,       0,
 463 aui_null,       AUE_NULL,       aus_null,       /* 125 (loadable) was fxstat */
 464                 auf_null,       0,
 465 aui_null,       AUE_NULL,       aus_null,       /* 126 (loadable) was xmknod */
 466                 auf_null,       0,
 467 aui_null,       AUE_NULL,       aus_null,       /* 127 mmapobj */
 468                 auf_null,       0,
 469 aui_null,       AUE_SETRLIMIT,  aus_null,       /* 128 setrlimit */
 470                 auf_null,       0,
 471 aui_null,       AUE_NULL,       aus_null,       /* 129 getrlimit */
 472                 auf_null,       0,
 473 aui_null,       AUE_LCHOWN,     aus_lchown,     /* 130 lchown */
 474                 auf_null,       0,
 475 aui_memcntl,    AUE_MEMCNTL,    aus_memcntl,    /* 131 memcntl */
 476                 auf_null,       0,
 477 aui_null,       AUE_GETPMSG,    aus_getpmsg,    /* 132 getpmsg */
 478                 auf_null,       0,
 479 aui_null,       AUE_PUTPMSG,    aus_putpmsg,    /* 133 putpmsg */
 480                 auf_null,       0,
 481 aui_null,       AUE_RENAME,     aus_null,       /* 134 rename */
 482                 auf_null,       0,
 483 aui_null,       AUE_NULL,       aus_null,       /* 135 uname */
 484                 auf_null,       0,
 485 aui_null,       AUE_SETEGID,    aus_setegid,    /* 136 setegid */
 486                 auf_null,       0,
 487 aui_null,       AUE_NULL,       aus_null,       /* 137 sysconfig */
 488                 auf_null,       0,
 489 aui_null,       AUE_ADJTIME,    aus_null,       /* 138 adjtime */
 490                 auf_null,       0,
 491 aui_sysinfo,    AUE_SYSINFO,    aus_sysinfo,    /* 139 systeminfo */
 492                 auf_null,       0,
 493 aui_null,       AUE_NULL,       aus_null,       /* 140 (loadable) sharefs */
 494                 auf_null,       0,
 495 aui_null,       AUE_SETEUID,    aus_seteuid,    /* 141 seteuid */
 496                 auf_null,       0,
 497 aui_forksys,    AUE_NULL,       aus_null,       /* 142 forksys */
 498                 auf_null,       0,
 499 aui_null,       AUE_NULL,       aus_null,       /* 143 (loadable) was fork1 */
 500                 auf_null,       0,
 501 aui_null,       AUE_NULL,       aus_null,       /* 144 sigwait */
 502                 auf_null,       0,
 503 aui_null,       AUE_NULL,       aus_null,       /* 145 lwp_info */
 504                 auf_null,       0,
 505 aui_null,       AUE_NULL,       aus_null,       /* 146 yield */
 506                 auf_null,       0,
 507 aui_null,       AUE_NULL,       aus_null,       /* 147 (loadable) */
 508                                                 /*      was lwp_sema_wait */
 509                 auf_null,       0,
 510 aui_null,       AUE_NULL,       aus_null,       /* 148 lwp_sema_post */
 511                 auf_null,       0,
 512 aui_null,       AUE_NULL,       aus_null,       /* 149 lwp_sema_trywait */
 513                 auf_null,       0,
 514 aui_null,       AUE_NULL,       aus_null,       /* 150 lwp_detach */
 515                 auf_null,       0,
 516 aui_null,       AUE_NULL,       aus_null,       /* 151 corectl */
 517                 auf_null,       0,
 518 aui_modctl,     AUE_MODCTL,     aus_modctl,     /* 152 modctl */
 519                 auf_null,       0,
 520 aui_null,       AUE_FCHROOT,    aus_null,       /* 153 fchroot */
 521                 auf_null,       0,
 522 aui_null,       AUE_NULL,       aus_null,       /* 154 (loadable) was utimes */
 523                 auf_null,       0,
 524 aui_null,       AUE_NULL,       aus_null,       /* 155 vhangup */
 525                 auf_null,       0,
 526 aui_null,       AUE_NULL,       aus_null,       /* 156 gettimeofday */
 527                 auf_null,       0,
 528 aui_null,       AUE_NULL,       aus_null,       /* 157 getitimer */
 529                 auf_null,       0,
 530 aui_null,       AUE_NULL,       aus_null,       /* 158 setitimer */
 531                 auf_null,       0,
 532 aui_null,       AUE_NULL,       aus_null,       /* 159 lwp_create */
 533                 auf_null,       0,
 534 aui_null,       AUE_NULL,       aus_null,       /* 160 lwp_exit */
 535                 auf_null,       0,
 536 aui_null,       AUE_NULL,       aus_null,       /* 161 lwp_suspend */
 537                 auf_null,       0,
 538 aui_null,       AUE_NULL,       aus_null,       /* 162 lwp_continue */
 539                 auf_null,       0,
 540 aui_null,       AUE_NULL,       aus_null,       /* 163 lwp_kill */
 541                 auf_null,       0,
 542 aui_null,       AUE_NULL,       aus_null,       /* 164 lwp_self */
 543                 auf_null,       0,
 544 aui_null,       AUE_NULL,       aus_null,       /* 165 lwp_sigmask */
 545                 auf_null,       0,
 546 aui_null,       AUE_NULL,       aus_null,       /* 166 lwp_private */
 547                 auf_null,       0,
 548 aui_null,       AUE_NULL,       aus_null,       /* 167 lwp_wait */
 549                 auf_null,       0,
 550 aui_null,       AUE_NULL,       aus_null,       /* 168 lwp_mutex_wakeup  */
 551                 auf_null,       0,
 552 aui_null,       AUE_NULL,       aus_null,       /* 169 (loadable) */
 553                                                 /*      was lwp_mutex_lock */
 554                 auf_null,       0,
 555 aui_null,       AUE_NULL,       aus_null,       /* 170 lwp_cond_wait */
 556                 auf_null,       0,
 557 aui_null,       AUE_NULL,       aus_null,       /* 171 lwp_cond_signal */
 558                 auf_null,       0,
 559 aui_null,       AUE_NULL,       aus_null,       /* 172 lwp_cond_broadcast */
 560                 auf_null,       0,
 561 aui_null,       AUE_READ,       aus_null,       /* 173 pread */
 562                 auf_read,       S2E_PUB,
 563 aui_null,       AUE_WRITE,      aus_null,       /* 174 pwrite */
 564                 auf_write,      0,
 565 aui_null,       AUE_NULL,       aus_null,       /* 175 llseek */
 566                 auf_null,       0,
 567 aui_null,       AUE_INST_SYNC,  aus_inst_sync,  /* 176 (loadable) inst_sync */
 568                 auf_null,       0,
 569 aui_null,       AUE_BRANDSYS,   aus_brandsys,   /* 177 brandsys */
 570                 auf_null,       0,
 571 aui_null,       AUE_NULL,       aus_null,       /* 178 (loadable) kaio */
 572                 auf_null,       0,
 573 aui_null,       AUE_NULL,       aus_null,       /* 179 (loadable) cpc */
 574                 auf_null,       0,
 575 aui_null,       AUE_NULL,       aus_null,       /* 180 lgrpsys */
 576                 auf_null,       0,
 577 aui_null,       AUE_NULL,       aus_null,       /* 181 rusagesys */
 578                 auf_null,       0,
 579 aui_portfs,     AUE_PORTFS,     aus_null,       /* 182 (loadable) portfs */
 580                 auf_null,       S2E_MLD,
 581 aui_null,       AUE_NULL,       aus_null,       /* 183 pollsys */
 582                 auf_null,       0,
 583 aui_labelsys,   AUE_NULL,       aus_labelsys,   /* 184 labelsys */
 584                 auf_null,       0,
 585 aui_acl,        AUE_ACLSET,     aus_acl,        /* 185 acl */
 586                 auf_null,       0,
 587 aui_auditsys,   AUE_AUDITSYS,   aus_auditsys,   /* 186 auditsys  */
 588                 auf_null,       0,
 589 aui_null,       AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
 590                 auf_null,       0,
 591 aui_null,       AUE_NULL,       aus_null,       /* 188 processor_info */
 592                 auf_null,       0,
 593 aui_null,       AUE_P_ONLINE,   aus_p_online,   /* 189 p_online */
 594                 auf_null,       0,
 595 aui_null,       AUE_NULL,       aus_sigqueue,   /* 190 sigqueue */
 596                 auf_null,       0,
 597 aui_null,       AUE_NULL,       aus_null,       /* 191 clock_gettime */
 598                 auf_null,       0,
 599 aui_null,       AUE_CLOCK_SETTIME,      aus_null,       /* 192 clock_settime */
 600                 auf_null,       0,
 601 aui_null,       AUE_NULL,       aus_null,       /* 193 clock_getres */
 602                 auf_null,       0,
 603 aui_null,       AUE_NULL,       aus_null,       /* 194 timer_create */
 604                 auf_null,       0,
 605 aui_null,       AUE_NULL,       aus_null,       /* 195 timer_delete */
 606                 auf_null,       0,
 607 aui_null,       AUE_NULL,       aus_null,       /* 196 timer_settime */
 608                 auf_null,       0,
 609 aui_null,       AUE_NULL,       aus_null,       /* 197 timer_gettime */
 610                 auf_null,       0,
 611 aui_null,       AUE_NULL,       aus_null,       /* 198 timer_getoverrun */
 612                 auf_null,       0,
 613 aui_null,       AUE_NULL,       aus_null,       /* 199 nanosleep */
 614                 auf_null,       0,
 615 aui_acl,        AUE_FACLSET,    aus_facl,       /* 200 facl */
 616                 auf_null,       0,
 617 aui_doorfs,     AUE_DOORFS,     aus_doorfs,     /* 201 (loadable) doorfs */
 618                 auf_null,       0,
 619 aui_null,       AUE_SETREUID,   aus_setreuid,   /* 202 setreuid */
 620                 auf_null,       0,
 621 aui_null,       AUE_SETREGID,   aus_setregid,   /* 203 setregid */
 622                 auf_null,       0,
 623 aui_null,       AUE_NULL,       aus_null,       /* 204 install_utrap */
 624                 auf_null,       0,
 625 aui_null,       AUE_NULL,       aus_null,       /* 205 signotify */
 626                 auf_null,       0,
 627 aui_null,       AUE_NULL,       aus_null,       /* 206 schedctl */
 628                 auf_null,       0,
 629 aui_null,       AUE_NULL,       aus_null,       /* 207 (loadable) pset */
 630                 auf_null,       0,
 631 aui_null,       AUE_NULL,       aus_null,       /* 208 sparc_utrap_install */
 632                 auf_null,       0,
 633 aui_null,       AUE_NULL,       aus_null,       /* 209 resolvepath */
 634                 auf_null,       0,
 635 aui_null,       AUE_NULL,       aus_null,       /* 210 lwp_mutex_timedlock */
 636                 auf_null,       0,
 637 aui_null,       AUE_NULL,       aus_null,       /* 211 lwp_sema_timedwait */
 638                 auf_null,       0,
 639 aui_null,       AUE_NULL,       aus_null,       /* 212 lwp_rwlock_sys */
 640                 auf_null,       0,
 641 aui_null,       AUE_NULL,       aus_null,       /* 213 getdents64 */
 642                 auf_null,       0,
 643 aui_null,       AUE_MMAP,       aus_mmap,       /* 214 mmap64 */
 644                 auf_null,       0,
 645 aui_null,       AUE_STAT,       aus_null,       /* 215 stat64 */
 646                 auf_null,       S2E_PUB,
 647 aui_null,       AUE_LSTAT,      aus_null,       /* 216 lstat64 */
 648                 auf_null,       S2E_PUB,
 649 aui_null,       AUE_NULL,       aus_null,       /* 217 fstat64 */
 650                 auf_null,       0,
 651 aui_null,       AUE_STATVFS,    aus_null,       /* 218 statvfs64 */
 652                 auf_null,       S2E_PUB,
 653 aui_null,       AUE_NULL,       aus_null,       /* 219 fstatvfs64 */
 654                 auf_null,       0,
 655 aui_null,       AUE_SETRLIMIT,  aus_null,       /* 220 setrlimit64 */
 656                 auf_null,       0,
 657 aui_null,       AUE_NULL,       aus_null,       /* 221 getrlimit64 */
 658                 auf_null,       0,
 659 aui_null,       AUE_READ,       aus_null,       /* 222 pread64  */
 660                 auf_read,       S2E_PUB,
 661 aui_null,       AUE_WRITE,      aus_null,       /* 223 pwrite64 */
 662                 auf_write,      0,
 663 aui_null,       AUE_NULL,       aus_null,       /* 224 (loadable) was creat64 */
 664                 auf_null,       0,
 665 aui_open,       AUE_OPEN,       aus_open,       /* 225 open64 */
 666                 auf_null,       S2E_SP,
 667 aui_null,       AUE_NULL,       aus_null,       /* 226 (loadable) rpcsys */
 668                 auf_null,       0,
 669 aui_null,       AUE_NULL,       aus_null,       /* 227 zone */
 670                 auf_null,       0,
 671 aui_null,       AUE_NULL,       aus_null,       /* 228 (loadable) autofssys */
 672                 auf_null,       0,
 673 aui_null,       AUE_NULL,       aus_null,       /* 229 getcwd */
 674                 auf_null,       0,
 675 aui_null,       AUE_SOCKET,     aus_socket,     /* 230 so_socket */
 676                 auf_null,       0,
 677 aui_null,       AUE_NULL,       aus_null,       /* 231 so_socketpair */
 678                 auf_null,       0,
 679 aui_null,       AUE_BIND,       aus_null,       /* 232 bind */
 680                 auf_bind,       0,
 681 aui_null,       AUE_NULL,       aus_null,       /* 233 listen */
 682                 auf_null,       0,
 683 aui_null,       AUE_ACCEPT,     aus_null,       /* 234 accept */
 684                 auf_accept,     0,
 685 aui_null,       AUE_CONNECT,    aus_null,       /* 235 connect */
 686                 auf_connect,    0,
 687 aui_null,       AUE_SHUTDOWN,   aus_shutdown,   /* 236 shutdown */
 688                 auf_null,       0,
 689 aui_null,       AUE_READ,       aus_null,       /* 237 recv */
 690                 auf_recv,       0,
 691 aui_null,       AUE_RECVFROM,   aus_null,       /* 238 recvfrom */
 692                 auf_recvfrom,   0,
 693 aui_null,       AUE_RECVMSG,    aus_null,       /* 239 recvmsg */
 694                 auf_recvmsg,    0,
 695 aui_null,       AUE_WRITE,      aus_null,       /* 240 send */
 696                 auf_send,       0,
 697 aui_null,       AUE_SENDMSG,    aus_null,       /* 241 sendmsg */
 698                 auf_sendmsg,    0,
 699 aui_null,       AUE_SENDTO,     aus_null,       /* 242 sendto */
 700                 auf_sendto,     0,
 701 aui_null,       AUE_NULL,       aus_null,       /* 243 getpeername */
 702                 auf_null,       0,
 703 aui_null,       AUE_NULL,       aus_null,       /* 244 getsockname */
 704                 auf_null,       0,
 705 aui_null,       AUE_NULL,       aus_null,       /* 245 getsockopt */
 706                 auf_null,       0,
 707 aui_null,       AUE_SETSOCKOPT, aus_null,       /* 246 setsockopt */
 708                 auf_setsockopt, 0,
 709 aui_null,       AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
 710                 auf_null,       0,
 711 aui_null,       AUE_NULL,       aus_null,       /* 248 ntp_gettime */
 712                 auf_null,       0,
 713 aui_null,       AUE_NTP_ADJTIME, aus_null,      /* 249 ntp_adjtime */
 714                 auf_null,       0,
 715 aui_null,       AUE_NULL,       aus_null,       /* 250 lwp_mutex_unlock */
 716                 auf_null,       0,
 717 aui_null,       AUE_NULL,       aus_null,       /* 251 lwp_mutex_trylock */
 718                 auf_null,       0,
 719 aui_null,       AUE_NULL,       aus_null,       /* 252 lwp_mutex_register */
 720                 auf_null,       0,
 721 aui_null,       AUE_NULL,       aus_null,       /* 253 cladm */
 722                 auf_null,       0,
 723 aui_null,       AUE_NULL,       aus_null,       /* 254 uucopy */
 724                 auf_null,       0,
 725 aui_null,       AUE_UMOUNT2,    aus_umount2,    /* 255 umount2 */
 726                 auf_null,       0
 727 };
 728 
 729 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
 730 
 731 
 732 /* exit start function */
 733 /*ARGSUSED*/
 734 static void
 735 aus_exit(struct t_audit_data *tad)
 736 {
 737         uint32_t rval;
 738         struct a {
 739                 long rval;
 740         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
 741 
 742         rval = (uint32_t)uap->rval;
 743         au_uwrite(au_to_arg32(1, "exit status", rval));
 744 }
 745 
 746 /* acct start function */
 747 /*ARGSUSED*/
 748 static void
 749 aus_acct(struct t_audit_data *tad)
 750 {
 751         klwp_t *clwp = ttolwp(curthread);
 752         uintptr_t fname;
 753 
 754         struct a {
 755                 long    fname;          /* char * */
 756         } *uap = (struct a *)clwp->lwp_ap;
 757 
 758         fname = (uintptr_t)uap->fname;
 759 
 760         if (fname == 0)
 761                 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
 762 }
 763 
 764 /* chown start function */
 765 /*ARGSUSED*/
 766 static void
 767 aus_chown(struct t_audit_data *tad)
 768 {
 769         klwp_t *clwp = ttolwp(curthread);
 770         uint32_t uid, gid;
 771 
 772         struct a {
 773                 long    fname;          /* char * */
 774                 long    uid;
 775                 long    gid;
 776         } *uap = (struct a *)clwp->lwp_ap;
 777 
 778         uid = (uint32_t)uap->uid;
 779         gid = (uint32_t)uap->gid;
 780 
 781         au_uwrite(au_to_arg32(2, "new file uid", uid));
 782         au_uwrite(au_to_arg32(3, "new file gid", gid));
 783 }
 784 
 785 /* fchown start function */
 786 /*ARGSUSED*/
 787 static void
 788 aus_fchown(struct t_audit_data *tad)
 789 {
 790         klwp_t *clwp = ttolwp(curthread);
 791         uint32_t uid, gid, fd;
 792         struct file  *fp;
 793         struct vnode *vp;
 794         struct f_audit_data *fad;
 795 
 796         struct a {
 797                 long fd;
 798                 long uid;
 799                 long gid;
 800         } *uap = (struct a *)clwp->lwp_ap;
 801 
 802         fd  = (uint32_t)uap->fd;
 803         uid = (uint32_t)uap->uid;
 804         gid = (uint32_t)uap->gid;
 805 
 806         au_uwrite(au_to_arg32(2, "new file uid", uid));
 807         au_uwrite(au_to_arg32(3, "new file gid", gid));
 808 
 809                 /*
 810                  * convert file pointer to file descriptor
 811                  *   Note: fd ref count incremented here.
 812                  */
 813         if ((fp = getf(fd)) == NULL)
 814                 return;
 815 
 816         /* get path from file struct here */
 817         fad = F2A(fp);
 818         if (fad->fad_aupath != NULL) {
 819                 au_uwrite(au_to_path(fad->fad_aupath));
 820         } else {
 821                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
 822         }
 823 
 824         vp = fp->f_vnode;
 825         audit_attributes(vp);
 826 
 827         /* decrement file descriptor reference count */
 828         releasef(fd);
 829 }
 830 
 831 /*ARGSUSED*/
 832 static void
 833 aus_lchown(struct t_audit_data *tad)
 834 {
 835         klwp_t *clwp = ttolwp(curthread);
 836         uint32_t uid, gid;
 837 
 838 
 839         struct a {
 840                 long    fname;          /* char * */
 841                 long    uid;
 842                 long    gid;
 843         } *uap = (struct a *)clwp->lwp_ap;
 844 
 845         uid = (uint32_t)uap->uid;
 846         gid = (uint32_t)uap->gid;
 847 
 848         au_uwrite(au_to_arg32(2, "new file uid", uid));
 849         au_uwrite(au_to_arg32(3, "new file gid", gid));
 850 }
 851 
 852 static au_event_t
 853 aui_fchownat(au_event_t e)
 854 {
 855         klwp_t *clwp = ttolwp(curthread);
 856 
 857         struct a {
 858                 long    fd;
 859                 long    fname;          /* char * */
 860                 long    uid;
 861                 long    gid;
 862                 long    flags;
 863         } *uap = (struct a *)clwp->lwp_ap;
 864 
 865         if (uap->fname == NULL)
 866                 e = AUE_FCHOWN;
 867         else if (uap->flags & AT_SYMLINK_NOFOLLOW)
 868                 e = AUE_LCHOWN;
 869         else
 870                 e = AUE_CHOWN;
 871 
 872         return (e);
 873 }
 874 
 875 /*ARGSUSED*/
 876 static void
 877 aus_fchownat(struct t_audit_data *tad)
 878 {
 879         klwp_t *clwp = ttolwp(curthread);
 880         uint32_t uid, gid;
 881 
 882         struct a {
 883                 long    fd;
 884                 long    fname;          /* char * */
 885                 long    uid;
 886                 long    gid;
 887                 long    flags;
 888         } *uap = (struct a *)clwp->lwp_ap;
 889 
 890         uid = (uint32_t)uap->uid;
 891         gid = (uint32_t)uap->gid;
 892 
 893         au_uwrite(au_to_arg32(3, "new file uid", uid));
 894         au_uwrite(au_to_arg32(4, "new file gid", gid));
 895 }
 896 
 897 /*ARGSUSED*/
 898 static void
 899 aus_chmod(struct t_audit_data *tad)
 900 {
 901         klwp_t *clwp = ttolwp(curthread);
 902         uint32_t fmode;
 903 
 904         struct a {
 905                 long    fname;          /* char * */
 906                 long    fmode;
 907         } *uap = (struct a *)clwp->lwp_ap;
 908 
 909         fmode = (uint32_t)uap->fmode;
 910 
 911         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
 912 }
 913 
 914 /*ARGSUSED*/
 915 static void
 916 aus_fchmod(struct t_audit_data *tad)
 917 {
 918         klwp_t *clwp = ttolwp(curthread);
 919         uint32_t fmode, fd;
 920         struct file  *fp;
 921         struct vnode *vp;
 922         struct f_audit_data *fad;
 923 
 924         struct a {
 925                 long    fd;
 926                 long    fmode;
 927         } *uap = (struct a *)clwp->lwp_ap;
 928 
 929         fd = (uint32_t)uap->fd;
 930         fmode = (uint32_t)uap->fmode;
 931 
 932         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
 933 
 934         /*
 935          * convert file pointer to file descriptor
 936          *   Note: fd ref count incremented here.
 937          */
 938         if ((fp = getf(fd)) == NULL)
 939                 return;
 940 
 941         /* get path from file struct here */
 942         fad = F2A(fp);
 943         if (fad->fad_aupath != NULL) {
 944                 au_uwrite(au_to_path(fad->fad_aupath));
 945         } else {
 946                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
 947         }
 948 
 949         vp = fp->f_vnode;
 950         audit_attributes(vp);
 951 
 952         /* decrement file descriptor reference count */
 953         releasef(fd);
 954 }
 955 
 956 static au_event_t
 957 aui_fchmodat(au_event_t e)
 958 {
 959         klwp_t *clwp = ttolwp(curthread);
 960 
 961         struct a {
 962                 long    fd;
 963                 long    fname;          /* char * */
 964                 long    fmode;
 965                 long    flag;
 966         } *uap = (struct a *)clwp->lwp_ap;
 967 
 968         if (uap->fname == NULL)
 969                 e = AUE_FCHMOD;
 970         else
 971                 e = AUE_CHMOD;
 972 
 973         return (e);
 974 }
 975 
 976 /*ARGSUSED*/
 977 static void
 978 aus_fchmodat(struct t_audit_data *tad)
 979 {
 980         klwp_t *clwp = ttolwp(curthread);
 981         uint32_t fmode;
 982         uint32_t fd;
 983         struct file  *fp;
 984         struct vnode *vp;
 985         struct f_audit_data *fad;
 986 
 987         struct a {
 988                 long    fd;
 989                 long    fname;          /* char * */
 990                 long    fmode;
 991                 long    flag;
 992         } *uap = (struct a *)clwp->lwp_ap;
 993 
 994         fd = (uint32_t)uap->fd;
 995         fmode = (uint32_t)uap->fmode;
 996 
 997         au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
 998 
 999         if (fd == AT_FDCWD || uap->fname != NULL)    /* same as chmod() */
1000                 return;
1001 
1002         /*
1003          * convert file pointer to file descriptor
1004          *   Note: fd ref count incremented here.
1005          */
1006         if ((fp = getf(fd)) == NULL)
1007                 return;
1008 
1009         /* get path from file struct here */
1010         fad = F2A(fp);
1011         if (fad->fad_aupath != NULL) {
1012                 au_uwrite(au_to_path(fad->fad_aupath));
1013         } else {
1014                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1015         }
1016 
1017         vp = fp->f_vnode;
1018         audit_attributes(vp);
1019 
1020         /* decrement file descriptor reference count */
1021         releasef(fd);
1022 }
1023 
1024 /*
1025  * convert open mode to appropriate open event
1026  */
1027 au_event_t
1028 open_event(uint_t fm)
1029 {
1030         au_event_t e;
1031 
1032         switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1033         case O_RDONLY:
1034                 e = AUE_OPEN_R;
1035                 break;
1036         case O_RDONLY | O_CREAT:
1037                 e = AUE_OPEN_RC;
1038                 break;
1039         case O_RDONLY | O_TRUNC:
1040                 e = AUE_OPEN_RT;
1041                 break;
1042         case O_RDONLY | O_TRUNC | O_CREAT:
1043                 e = AUE_OPEN_RTC;
1044                 break;
1045         case O_WRONLY:
1046                 e = AUE_OPEN_W;
1047                 break;
1048         case O_WRONLY | O_CREAT:
1049                 e = AUE_OPEN_WC;
1050                 break;
1051         case O_WRONLY | O_TRUNC:
1052                 e = AUE_OPEN_WT;
1053                 break;
1054         case O_WRONLY | O_TRUNC | O_CREAT:
1055                 e = AUE_OPEN_WTC;
1056                 break;
1057         case O_RDWR:
1058                 e = AUE_OPEN_RW;
1059                 break;
1060         case O_RDWR | O_CREAT:
1061                 e = AUE_OPEN_RWC;
1062                 break;
1063         case O_RDWR | O_TRUNC:
1064                 e = AUE_OPEN_RWT;
1065                 break;
1066         case O_RDWR | O_TRUNC | O_CREAT:
1067                 e = AUE_OPEN_RWTC;
1068                 break;
1069         case O_SEARCH:
1070                 e = AUE_OPEN_S;
1071                 break;
1072         case O_EXEC:
1073                 e = AUE_OPEN_E;
1074                 break;
1075         default:
1076                 e = AUE_NULL;
1077                 break;
1078         }
1079 
1080         return (e);
1081 }
1082 
1083 /* ARGSUSED */
1084 static au_event_t
1085 aui_open(au_event_t e)
1086 {
1087         klwp_t *clwp = ttolwp(curthread);
1088         uint_t fm;
1089 
1090         struct a {
1091                 long    fnamep;         /* char * */
1092                 long    fmode;
1093                 long    cmode;
1094         } *uap = (struct a *)clwp->lwp_ap;
1095 
1096         fm = (uint_t)uap->fmode;
1097 
1098         return (open_event(fm));
1099 }
1100 
1101 static void
1102 aus_open(struct t_audit_data *tad)
1103 {
1104         klwp_t *clwp = ttolwp(curthread);
1105         uint_t fm;
1106 
1107         struct a {
1108                 long    fnamep;         /* char * */
1109                 long    fmode;
1110                 long    cmode;
1111         } *uap = (struct a *)clwp->lwp_ap;
1112 
1113         fm = (uint_t)uap->fmode;
1114 
1115         /* If no write, create, or trunc modes, mark as a public op */
1116         if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1117                 tad->tad_ctrl |= TAD_PUBLIC_EV;
1118 }
1119 
1120 /* ARGSUSED */
1121 static au_event_t
1122 aui_openat(au_event_t e)
1123 {
1124         t_audit_data_t *tad = T2A(curthread);
1125         klwp_t *clwp = ttolwp(curthread);
1126         uint_t fm;
1127 
1128         struct a {
1129                 long    filedes;
1130                 long    fnamep;         /* char * */
1131                 long    fmode;
1132                 long    cmode;
1133         } *uap = (struct a *)clwp->lwp_ap;
1134 
1135         fm = (uint_t)uap->fmode;
1136 
1137         /*
1138          * __openattrdirat() does an extra pathname lookup in order to
1139          * enter the extended system attribute namespace of the referenced
1140          * extended attribute filename.
1141          */
1142         if (fm & FXATTRDIROPEN)
1143                 tad->tad_ctrl |= TAD_MLD;
1144 
1145         return (open_event(fm));
1146 }
1147 
1148 static void
1149 aus_openat(struct t_audit_data *tad)
1150 {
1151         klwp_t *clwp = ttolwp(curthread);
1152         uint_t fm;
1153 
1154         struct a {
1155                 long    filedes;
1156                 long    fnamep;         /* char * */
1157                 long    fmode;
1158                 long    cmode;
1159         } *uap = (struct a *)clwp->lwp_ap;
1160 
1161         fm = (uint_t)uap->fmode;
1162 
1163         /* If no write, create, or trunc modes, mark as a public op */
1164         if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1165                 tad->tad_ctrl |= TAD_PUBLIC_EV;
1166 }
1167 
1168 static au_event_t
1169 aui_unlinkat(au_event_t e)
1170 {
1171         klwp_t *clwp = ttolwp(curthread);
1172 
1173         struct a {
1174                 long    filedes;
1175                 long    fnamep;         /* char * */
1176                 long    flags;
1177         } *uap = (struct a *)clwp->lwp_ap;
1178 
1179         if (uap->flags & AT_REMOVEDIR)
1180                 e = AUE_RMDIR;
1181         else
1182                 e = AUE_UNLINK;
1183 
1184         return (e);
1185 }
1186 
1187 static au_event_t
1188 aui_fstatat(au_event_t e)
1189 {
1190         klwp_t *clwp = ttolwp(curthread);
1191 
1192         struct a {
1193                 long    filedes;
1194                 long    fnamep;         /* char * */
1195                 long    statb;
1196                 long    flags;
1197         } *uap = (struct a *)clwp->lwp_ap;
1198 
1199         if (uap->fnamep == NULL)
1200                 e = AUE_FSTAT;
1201         else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1202                 e = AUE_LSTAT;
1203         else
1204                 e = AUE_STAT;
1205 
1206         return (e);
1207 }
1208 
1209 /* msgsys */
1210 static au_event_t
1211 aui_msgsys(au_event_t e)
1212 {
1213         klwp_t *clwp = ttolwp(curthread);
1214         uint_t fm;
1215 
1216         struct a {
1217                 long    id;     /* function code id */
1218                 long    ap;     /* arg pointer for recvmsg */
1219         } *uap = (struct a *)clwp->lwp_ap;
1220 
1221         struct b {
1222                 long    msgid;
1223                 long    cmd;
1224                 long    buf;    /* struct msqid_ds * */
1225         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1226 
1227         fm  = (uint_t)uap->id;
1228 
1229         switch (fm) {
1230         case 0:         /* msgget */
1231                 e = AUE_MSGGET;
1232                 break;
1233         case 1:         /* msgctl */
1234                 switch ((uint_t)uap1->cmd) {
1235                 case IPC_RMID:
1236                         e = AUE_MSGCTL_RMID;
1237                         break;
1238                 case IPC_SET:
1239                         e = AUE_MSGCTL_SET;
1240                         break;
1241                 case IPC_STAT:
1242                         e = AUE_MSGCTL_STAT;
1243                         break;
1244                 default:
1245                         e = AUE_MSGCTL;
1246                         break;
1247                 }
1248                 break;
1249         case 2:         /* msgrcv */
1250                 e = AUE_MSGRCV;
1251                 break;
1252         case 3:         /* msgsnd */
1253                 e = AUE_MSGSND;
1254                 break;
1255         default:        /* illegal system call */
1256                 e = AUE_NULL;
1257                 break;
1258         }
1259 
1260         return (e);
1261 }
1262 
1263 
1264 /* shmsys */
1265 static au_event_t
1266 aui_shmsys(au_event_t e)
1267 {
1268         klwp_t *clwp = ttolwp(curthread);
1269         int fm;
1270 
1271         struct a {              /* shmsys */
1272                 long    id;     /* function code id */
1273         } *uap = (struct a *)clwp->lwp_ap;
1274 
1275         struct b {              /* ctrl */
1276                 long    shmid;
1277                 long    cmd;
1278                 long    arg;            /* struct shmid_ds * */
1279         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1280         fm  = (uint_t)uap->id;
1281 
1282         switch (fm) {
1283         case 0:         /* shmat */
1284                 e = AUE_SHMAT;
1285                 break;
1286         case 1:         /* shmctl */
1287                 switch ((uint_t)uap1->cmd) {
1288                 case IPC_RMID:
1289                         e = AUE_SHMCTL_RMID;
1290                         break;
1291                 case IPC_SET:
1292                         e = AUE_SHMCTL_SET;
1293                         break;
1294                 case IPC_STAT:
1295                         e = AUE_SHMCTL_STAT;
1296                         break;
1297                 default:
1298                         e = AUE_SHMCTL;
1299                         break;
1300                 }
1301                 break;
1302         case 2:         /* shmdt */
1303                 e = AUE_SHMDT;
1304                 break;
1305         case 3:         /* shmget */
1306                 e = AUE_SHMGET;
1307                 break;
1308         default:        /* illegal system call */
1309                 e = AUE_NULL;
1310                 break;
1311         }
1312 
1313         return (e);
1314 }
1315 
1316 
1317 /* semsys */
1318 static au_event_t
1319 aui_semsys(au_event_t e)
1320 {
1321         klwp_t *clwp = ttolwp(curthread);
1322         uint_t fm;
1323 
1324         struct a {              /* semsys */
1325                 long    id;
1326         } *uap = (struct a *)clwp->lwp_ap;
1327 
1328         struct b {              /* ctrl */
1329                 long    semid;
1330                 long    semnum;
1331                 long    cmd;
1332                 long    arg;
1333         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1334 
1335         fm = (uint_t)uap->id;
1336 
1337         switch (fm) {
1338         case 0:         /* semctl */
1339                 switch ((uint_t)uap1->cmd) {
1340                 case IPC_RMID:
1341                         e = AUE_SEMCTL_RMID;
1342                         break;
1343                 case IPC_SET:
1344                         e = AUE_SEMCTL_SET;
1345                         break;
1346                 case IPC_STAT:
1347                         e = AUE_SEMCTL_STAT;
1348                         break;
1349                 case GETNCNT:
1350                         e = AUE_SEMCTL_GETNCNT;
1351                         break;
1352                 case GETPID:
1353                         e = AUE_SEMCTL_GETPID;
1354                         break;
1355                 case GETVAL:
1356                         e = AUE_SEMCTL_GETVAL;
1357                         break;
1358                 case GETALL:
1359                         e = AUE_SEMCTL_GETALL;
1360                         break;
1361                 case GETZCNT:
1362                         e = AUE_SEMCTL_GETZCNT;
1363                         break;
1364                 case SETVAL:
1365                         e = AUE_SEMCTL_SETVAL;
1366                         break;
1367                 case SETALL:
1368                         e = AUE_SEMCTL_SETALL;
1369                         break;
1370                 default:
1371                         e = AUE_SEMCTL;
1372                         break;
1373                 }
1374                 break;
1375         case 1:         /* semget */
1376                 e = AUE_SEMGET;
1377                 break;
1378         case 2:         /* semop */
1379                 e = AUE_SEMOP;
1380                 break;
1381         default:        /* illegal system call */
1382                 e = AUE_NULL;
1383                 break;
1384         }
1385 
1386         return (e);
1387 }
1388 
1389 /* utssys - uname(2), ustat(2), fusers(2) */
1390 static au_event_t
1391 aui_utssys(au_event_t e)
1392 {
1393         klwp_t *clwp = ttolwp(curthread);
1394         uint_t type;
1395 
1396         struct a {
1397                 union {
1398                         long    cbuf;           /* char * */
1399                         long    ubuf;           /* struct stat * */
1400                 } ub;
1401                 union {
1402                         long    mv;     /* for USTAT */
1403                         long    flags;  /* for FUSERS */
1404                 } un;
1405                 long    type;
1406                 long    outbp;          /* char * for FUSERS */
1407         } *uap = (struct a *)clwp->lwp_ap;
1408 
1409         type = (uint_t)uap->type;
1410 
1411         if (type == UTS_FUSERS)
1412                 return (e);
1413         else
1414                 return ((au_event_t)AUE_NULL);
1415 }
1416 
1417 static au_event_t
1418 aui_fcntl(au_event_t e)
1419 {
1420         klwp_t *clwp = ttolwp(curthread);
1421         uint_t cmd;
1422 
1423         struct a {
1424                 long    fdes;
1425                 long    cmd;
1426                 long    arg;
1427         } *uap = (struct a *)clwp->lwp_ap;
1428 
1429         cmd = (uint_t)uap->cmd;
1430 
1431         switch (cmd) {
1432         case F_GETLK:
1433         case F_SETLK:
1434         case F_SETLKW:
1435                 break;
1436         case F_SETFL:
1437         case F_GETFL:
1438         case F_GETFD:
1439                 break;
1440         default:
1441                 e = (au_event_t)AUE_NULL;
1442                 break;
1443         }
1444         return ((au_event_t)e);
1445 }
1446 
1447 /* null function for now */
1448 static au_event_t
1449 aui_execve(au_event_t e)
1450 {
1451         return (e);
1452 }
1453 
1454 /*ARGSUSED*/
1455 static void
1456 aus_fcntl(struct t_audit_data *tad)
1457 {
1458         klwp_t *clwp = ttolwp(curthread);
1459         uint32_t cmd, fd, flags;
1460         struct file  *fp;
1461         struct vnode *vp;
1462         struct f_audit_data *fad;
1463 
1464         struct a {
1465                 long    fd;
1466                 long    cmd;
1467                 long    arg;
1468         } *uap = (struct a *)clwp->lwp_ap;
1469 
1470         cmd     = (uint32_t)uap->cmd;
1471         fd      = (uint32_t)uap->fd;
1472         flags   = (uint32_t)uap->arg;
1473 
1474         au_uwrite(au_to_arg32(2, "cmd", cmd));
1475 
1476         if (cmd == F_SETFL)
1477                 au_uwrite(au_to_arg32(3, "flags", flags));
1478 
1479                 /*
1480                  * convert file pointer to file descriptor
1481                  *   Note: fd ref count incremented here.
1482                  */
1483         if ((fp = getf(fd)) == NULL)
1484                 return;
1485 
1486         /* get path from file struct here */
1487         fad = F2A(fp);
1488         if (fad->fad_aupath != NULL) {
1489                 au_uwrite(au_to_path(fad->fad_aupath));
1490         } else {
1491                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1492         }
1493 
1494         vp = fp->f_vnode;
1495         audit_attributes(vp);
1496 
1497         /* decrement file descriptor reference count */
1498         releasef(fd);
1499 }
1500 
1501 /*ARGSUSED*/
1502 static void
1503 aus_kill(struct t_audit_data *tad)
1504 {
1505         klwp_t *clwp = ttolwp(curthread);
1506         struct proc *p;
1507         uint32_t signo;
1508         uid_t uid, ruid;
1509         gid_t gid, rgid;
1510         pid_t pid;
1511         const auditinfo_addr_t *ainfo;
1512         cred_t *cr;
1513 
1514         struct a {
1515                 long    pid;
1516                 long    signo;
1517         } *uap = (struct a *)clwp->lwp_ap;
1518 
1519         pid   = (pid_t)uap->pid;
1520         signo = (uint32_t)uap->signo;
1521 
1522         au_uwrite(au_to_arg32(2, "signal", signo));
1523         if (pid > 0) {
1524                 mutex_enter(&pidlock);
1525                 if (((p = prfind(pid)) == (struct proc *)0) ||
1526                     (p->p_stat == SIDL)) {
1527                         mutex_exit(&pidlock);
1528                         au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1529                         return;
1530                 }
1531                 mutex_enter(&p->p_lock); /* so process doesn't go away */
1532                 mutex_exit(&pidlock);
1533 
1534                 mutex_enter(&p->p_crlock);
1535                 crhold(cr = p->p_cred);
1536                 mutex_exit(&p->p_crlock);
1537                 mutex_exit(&p->p_lock);
1538 
1539                 ainfo = crgetauinfo(cr);
1540                 if (ainfo == NULL) {
1541                         crfree(cr);
1542                         au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1543                         return;
1544                 }
1545 
1546                 uid  = crgetuid(cr);
1547                 gid  = crgetgid(cr);
1548                 ruid = crgetruid(cr);
1549                 rgid = crgetrgid(cr);
1550                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1551                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1552 
1553                 if (is_system_labeled())
1554                         au_uwrite(au_to_label(CR_SL(cr)));
1555 
1556                 crfree(cr);
1557         }
1558         else
1559                 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1560 }
1561 
1562 /*ARGSUSED*/
1563 static void
1564 aus_mkdir(struct t_audit_data *tad)
1565 {
1566         klwp_t *clwp = ttolwp(curthread);
1567         uint32_t dmode;
1568 
1569         struct a {
1570                 long    dirnamep;               /* char * */
1571                 long    dmode;
1572         } *uap = (struct a *)clwp->lwp_ap;
1573 
1574         dmode = (uint32_t)uap->dmode;
1575 
1576         au_uwrite(au_to_arg32(2, "mode", dmode));
1577 }
1578 
1579 /*ARGSUSED*/
1580 static void
1581 aus_mkdirat(struct t_audit_data *tad)
1582 {
1583         klwp_t *clwp = ttolwp(curthread);
1584         uint32_t dmode;
1585 
1586         struct a {
1587                 long    fd;
1588                 long    dirnamep;               /* char * */
1589                 long    dmode;
1590         } *uap = (struct a *)clwp->lwp_ap;
1591 
1592         dmode = (uint32_t)uap->dmode;
1593 
1594         au_uwrite(au_to_arg32(2, "mode", dmode));
1595 }
1596 
1597 /*ARGSUSED*/
1598 static void
1599 aus_mknod(struct t_audit_data *tad)
1600 {
1601         klwp_t *clwp = ttolwp(curthread);
1602         uint32_t fmode;
1603         dev_t dev;
1604 
1605         struct a {
1606                 long    pnamep;         /* char * */
1607                 long    fmode;
1608                 long    dev;
1609         } *uap = (struct a *)clwp->lwp_ap;
1610 
1611         fmode = (uint32_t)uap->fmode;
1612         dev   = (dev_t)uap->dev;
1613 
1614         au_uwrite(au_to_arg32(2, "mode", fmode));
1615 #ifdef _LP64
1616         au_uwrite(au_to_arg64(3, "dev", dev));
1617 #else
1618         au_uwrite(au_to_arg32(3, "dev", dev));
1619 #endif
1620 }
1621 
1622 /*ARGSUSED*/
1623 static void
1624 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1625 {
1626         klwp_t *clwp = ttolwp(curthread);
1627         vnode_t *dvp;
1628         caddr_t pnamep;
1629 
1630         struct a {
1631                 long    pnamep;         /* char * */
1632                 long    fmode;
1633                 long    dev;
1634         } *uap = (struct a *)clwp->lwp_ap;
1635 
1636         /* no error, then already path token in audit record */
1637         if (error != EPERM && error != EINVAL)
1638                 return;
1639 
1640         /* do the lookup to force generation of path token */
1641         pnamep = (caddr_t)uap->pnamep;
1642         tad->tad_ctrl |= TAD_NOATTRB;
1643         error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1644         if (error == 0)
1645                 VN_RELE(dvp);
1646 }
1647 
1648 /*ARGSUSED*/
1649 static void
1650 aus_mknodat(struct t_audit_data *tad)
1651 {
1652         klwp_t *clwp = ttolwp(curthread);
1653         uint32_t fmode;
1654         dev_t dev;
1655 
1656         struct a {
1657                 long    fd;
1658                 long    pnamep;         /* char * */
1659                 long    fmode;
1660                 long    dev;
1661         } *uap = (struct a *)clwp->lwp_ap;
1662 
1663         fmode = (uint32_t)uap->fmode;
1664         dev   = (dev_t)uap->dev;
1665 
1666         au_uwrite(au_to_arg32(2, "mode", fmode));
1667 #ifdef _LP64
1668         au_uwrite(au_to_arg64(3, "dev", dev));
1669 #else
1670         au_uwrite(au_to_arg32(3, "dev", dev));
1671 #endif
1672 }
1673 
1674 /*ARGSUSED*/
1675 static void
1676 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1677 {
1678         klwp_t *clwp = ttolwp(curthread);
1679         vnode_t *startvp;
1680         vnode_t *dvp;
1681         caddr_t pnamep;
1682         int fd;
1683 
1684         struct a {
1685                 long    fd;
1686                 long    pnamep;         /* char * */
1687                 long    fmode;
1688                 long    dev;
1689         } *uap = (struct a *)clwp->lwp_ap;
1690 
1691         /* no error, then already path token in audit record */
1692         if (error != EPERM && error != EINVAL)
1693                 return;
1694 
1695         /* do the lookup to force generation of path token */
1696         fd = (int)uap->fd;
1697         pnamep = (caddr_t)uap->pnamep;
1698         if (pnamep == NULL ||
1699             fgetstartvp(fd, pnamep, &startvp) != 0)
1700                 return;
1701         tad->tad_ctrl |= TAD_NOATTRB;
1702         error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1703             startvp);
1704         if (error == 0)
1705                 VN_RELE(dvp);
1706         if (startvp != NULL)
1707                 VN_RELE(startvp);
1708 }
1709 
1710 /*ARGSUSED*/
1711 static void
1712 aus_mount(struct t_audit_data *tad)
1713 {       /* AUS_START */
1714         klwp_t *clwp = ttolwp(curthread);
1715         uint32_t flags;
1716         uintptr_t u_fstype, dataptr;
1717         STRUCT_DECL(nfs_args, nfsargs);
1718         size_t len;
1719         char *fstype, *hostname;
1720 
1721         struct a {
1722                 long    spec;           /* char    * */
1723                 long    dir;            /* char    * */
1724                 long    flags;
1725                 long    fstype;         /* char    * */
1726                 long    dataptr;        /* char    * */
1727                 long    datalen;
1728         } *uap = (struct a *)clwp->lwp_ap;
1729 
1730         u_fstype = (uintptr_t)uap->fstype;
1731         flags    = (uint32_t)uap->flags;
1732         dataptr  = (uintptr_t)uap->dataptr;
1733 
1734         fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1735         if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1736                 goto mount_free_fstype;
1737 
1738         au_uwrite(au_to_arg32(3, "flags", flags));
1739         au_uwrite(au_to_text(fstype));
1740 
1741         if (strncmp(fstype, "nfs", 3) == 0) {
1742 
1743                 STRUCT_INIT(nfsargs, get_udatamodel());
1744                 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1745 
1746                 if (copyin((caddr_t)dataptr,
1747                                 STRUCT_BUF(nfsargs),
1748                                 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1749                         /* DEBUG debug_enter((char *)NULL); */
1750                         goto mount_free_fstype;
1751                 }
1752                 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1753                 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1754                                 (caddr_t)hostname,
1755                                 MAXNAMELEN, &len)) {
1756                         goto mount_free_hostname;
1757                 }
1758                 au_uwrite(au_to_text(hostname));
1759                 au_uwrite(au_to_arg32(3, "internal flags",
1760                         (uint_t)STRUCT_FGET(nfsargs, flags)));
1761 
1762 mount_free_hostname:
1763                 kmem_free(hostname, MAXNAMELEN);
1764         }
1765 
1766 mount_free_fstype:
1767         kmem_free(fstype, MAXNAMELEN);
1768 }       /* AUS_MOUNT */
1769 
1770 static void
1771 aus_umount_path(caddr_t umount_dir)
1772 {
1773         char                    *dir_path;
1774         struct audit_path       *path;
1775         size_t                  path_len, dir_len;
1776 
1777         /* length alloc'd for two string pointers */
1778         path_len = sizeof (struct audit_path) + sizeof (char *);
1779         path = kmem_alloc(path_len, KM_SLEEP);
1780         dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1781 
1782         if (copyinstr(umount_dir, (caddr_t)dir_path,
1783             MAXPATHLEN, &dir_len))
1784                 goto umount2_free_dir;
1785 
1786         /*
1787          * the audit_path struct assumes that the buffer pointed to
1788          * by audp_sect[n] contains string 0 immediatedly followed
1789          * by string 1.
1790          */
1791         path->audp_sect[0] = dir_path;
1792         path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1793         path->audp_size = path_len;
1794         path->audp_ref = 1;          /* not used */
1795         path->audp_cnt = 1;          /* one path string */
1796 
1797         au_uwrite(au_to_path(path));
1798 
1799 umount2_free_dir:
1800         kmem_free(dir_path, MAXPATHLEN);
1801         kmem_free(path, path_len);
1802 }
1803 
1804 /*ARGSUSED*/
1805 static void
1806 aus_umount2(struct t_audit_data *tad)
1807 {
1808         klwp_t                  *clwp = ttolwp(curthread);
1809         struct a {
1810                 long    dir;            /* char    * */
1811                 long    flags;
1812         } *uap = (struct a *)clwp->lwp_ap;
1813 
1814         aus_umount_path((caddr_t)uap->dir);
1815 
1816         au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1817 }
1818 
1819 static void
1820 aus_msgsys(struct t_audit_data *tad)
1821 {
1822         klwp_t *clwp = ttolwp(curthread);
1823         uint32_t msgid;
1824 
1825         struct b {
1826                 long    msgid;
1827                 long    cmd;
1828                 long    buf;            /* struct msqid_ds * */
1829         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1830 
1831         msgid = (uint32_t)uap1->msgid;
1832 
1833 
1834         switch (tad->tad_event) {
1835         case AUE_MSGGET:                /* msgget */
1836                 au_uwrite(au_to_arg32(1, "msg key", msgid));
1837                 break;
1838         case AUE_MSGCTL:                /* msgctl */
1839         case AUE_MSGCTL_RMID:           /* msgctl */
1840         case AUE_MSGCTL_SET:            /* msgctl */
1841         case AUE_MSGCTL_STAT:           /* msgctl */
1842         case AUE_MSGRCV:                /* msgrcv */
1843         case AUE_MSGSND:                /* msgsnd */
1844                 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1845                 break;
1846         }
1847 }
1848 
1849 /*ARGSUSED*/
1850 static void
1851 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1852 {
1853         int id;
1854 
1855         if (error != 0)
1856                 return;
1857         if (tad->tad_event == AUE_MSGGET) {
1858                 uint32_t scid;
1859                 uint32_t sy_flags;
1860 
1861                 /* need to determine type of executing binary */
1862                 scid = tad->tad_scid;
1863 #ifdef _SYSCALL32_IMPL
1864                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1865                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1866                 else
1867                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1868 #else
1869                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1870 #endif
1871                 if (sy_flags == SE_32RVAL1)
1872                         id = rval->r_val1;
1873                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1874                         id = rval->r_val1;
1875                 if (sy_flags == SE_64RVAL)
1876                         id = (int)rval->r_vals;
1877 
1878                 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1879         }
1880 }
1881 
1882 static void
1883 aus_semsys(struct t_audit_data *tad)
1884 {
1885         klwp_t *clwp = ttolwp(curthread);
1886         uint32_t semid;
1887 
1888         struct b {              /* ctrl */
1889                 long    semid;
1890                 long    semnum;
1891                 long    cmd;
1892                 long    arg;
1893         } *uap1 = (struct b *)&clwp->lwp_ap[1];
1894 
1895         semid = (uint32_t)uap1->semid;
1896 
1897         switch (tad->tad_event) {
1898         case AUE_SEMCTL_RMID:
1899         case AUE_SEMCTL_STAT:
1900         case AUE_SEMCTL_GETNCNT:
1901         case AUE_SEMCTL_GETPID:
1902         case AUE_SEMCTL_GETVAL:
1903         case AUE_SEMCTL_GETALL:
1904         case AUE_SEMCTL_GETZCNT:
1905         case AUE_SEMCTL_SET:
1906         case AUE_SEMCTL_SETVAL:
1907         case AUE_SEMCTL_SETALL:
1908         case AUE_SEMCTL:
1909         case AUE_SEMOP:
1910                 au_uwrite(au_to_arg32(1, "sem ID", semid));
1911                 break;
1912         case AUE_SEMGET:
1913                 au_uwrite(au_to_arg32(1, "sem key", semid));
1914                 break;
1915         }
1916 }
1917 
1918 /*ARGSUSED*/
1919 static void
1920 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1921 {
1922         int id;
1923 
1924         if (error != 0)
1925                 return;
1926         if (tad->tad_event == AUE_SEMGET) {
1927                 uint32_t scid;
1928                 uint32_t sy_flags;
1929 
1930                 /* need to determine type of executing binary */
1931                 scid = tad->tad_scid;
1932 #ifdef _SYSCALL32_IMPL
1933                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1934                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1935                 else
1936                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1937 #else
1938                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1939 #endif
1940                 if (sy_flags == SE_32RVAL1)
1941                         id = rval->r_val1;
1942                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1943                         id = rval->r_val1;
1944                 if (sy_flags == SE_64RVAL)
1945                         id = (int)rval->r_vals;
1946 
1947                 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1948         }
1949 }
1950 
1951 /*ARGSUSED*/
1952 static void
1953 aus_close(struct t_audit_data *tad)
1954 {
1955         klwp_t *clwp = ttolwp(curthread);
1956         uint32_t fd;
1957         struct file *fp;
1958         struct f_audit_data *fad;
1959         struct vnode *vp;
1960         struct vattr attr;
1961         au_kcontext_t   *kctx = GET_KCTX_PZ;
1962 
1963         struct a {
1964                 long    i;
1965         } *uap = (struct a *)clwp->lwp_ap;
1966 
1967         fd = (uint32_t)uap->i;
1968 
1969         attr.va_mask = 0;
1970         au_uwrite(au_to_arg32(1, "fd", fd));
1971 
1972                 /*
1973                  * convert file pointer to file descriptor
1974                  *   Note: fd ref count incremented here.
1975                  */
1976         if ((fp = getf(fd)) == NULL)
1977                 return;
1978 
1979         fad = F2A(fp);
1980         tad->tad_evmod = (au_emod_t)fad->fad_flags;
1981         if (fad->fad_aupath != NULL) {
1982                 au_uwrite(au_to_path(fad->fad_aupath));
1983                 if ((vp = fp->f_vnode) != NULL) {
1984                         attr.va_mask = AT_ALL;
1985                         if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1986                                 /*
1987                                  * When write was not used and the file can be
1988                                  * considered public, skip the audit.
1989                                  */
1990                                 if (((fp->f_flag & FWRITE) == 0) &&
1991                                     object_is_public(&attr)) {
1992                                         tad->tad_flag = 0;
1993                                         tad->tad_evmod = 0;
1994                                         /* free any residual audit data */
1995                                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1996                                         releasef(fd);
1997                                         return;
1998                                 }
1999                                 au_uwrite(au_to_attr(&attr));
2000                                 audit_sec_attributes(&(u_ad), vp);
2001                         }
2002                 }
2003         }
2004 
2005         /* decrement file descriptor reference count */
2006         releasef(fd);
2007 }
2008 
2009 /*ARGSUSED*/
2010 static void
2011 aus_fstatfs(struct t_audit_data *tad)
2012 {
2013         klwp_t *clwp = ttolwp(curthread);
2014         uint32_t fd;
2015         struct file  *fp;
2016         struct vnode *vp;
2017         struct f_audit_data *fad;
2018 
2019         struct a {
2020                 long    fd;
2021                 long    buf;            /* struct statfs * */
2022         } *uap = (struct a *)clwp->lwp_ap;
2023 
2024         fd = (uint_t)uap->fd;
2025 
2026                 /*
2027                  * convert file pointer to file descriptor
2028                  *   Note: fd ref count incremented here.
2029                  */
2030         if ((fp = getf(fd)) == NULL)
2031                 return;
2032 
2033                 /* get path from file struct here */
2034         fad = F2A(fp);
2035         if (fad->fad_aupath != NULL) {
2036                 au_uwrite(au_to_path(fad->fad_aupath));
2037         } else {
2038                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2039         }
2040 
2041         vp = fp->f_vnode;
2042         audit_attributes(vp);
2043 
2044         /* decrement file descriptor reference count */
2045         releasef(fd);
2046 }
2047 
2048 static au_event_t
2049 aui_setpgrp(au_event_t e)
2050 {
2051         klwp_t *clwp = ttolwp(curthread);
2052         int flag;
2053 
2054         struct a {
2055                 long    flag;
2056                 long    pid;
2057                 long    pgid;
2058         } *uap = (struct a *)clwp->lwp_ap;
2059 
2060         flag = (int)uap->flag;
2061 
2062 
2063         switch (flag) {
2064 
2065         case 1: /* setpgrp() */
2066                 e = AUE_SETPGRP;
2067                 break;
2068 
2069         case 3: /* setsid() */
2070                 e = AUE_SETSID;
2071                 break;
2072 
2073         case 5: /* setpgid() */
2074                 e = AUE_SETPGID;
2075                 break;
2076 
2077         case 0: /* getpgrp()    - not security relevant */
2078         case 2: /* getsid()     - not security relevant */
2079         case 4: /* getpgid()    - not security relevant */
2080                 e = AUE_NULL;
2081                 break;
2082 
2083         default:
2084                 e = AUE_NULL;
2085                 break;
2086         }
2087 
2088         return (e);
2089 }
2090 
2091 /*ARGSUSED*/
2092 static void
2093 aus_setpgrp(struct t_audit_data *tad)
2094 {
2095         klwp_t          *clwp = ttolwp(curthread);
2096         pid_t           pgid;
2097         struct proc     *p;
2098         uid_t           uid, ruid;
2099         gid_t           gid, rgid;
2100         pid_t           pid;
2101         cred_t          *cr;
2102         int             flag;
2103         const auditinfo_addr_t  *ainfo;
2104 
2105         struct a {
2106                 long    flag;
2107                 long    pid;
2108                 long    pgid;
2109         } *uap = (struct a *)clwp->lwp_ap;
2110 
2111         flag = (int)uap->flag;
2112         pid  = (pid_t)uap->pid;
2113         pgid = (pid_t)uap->pgid;
2114 
2115 
2116         switch (flag) {
2117 
2118         case 0: /* getpgrp() */
2119         case 1: /* setpgrp() */
2120         case 2: /* getsid() */
2121         case 3: /* setsid() */
2122         case 4: /* getpgid() */
2123                 break;
2124 
2125         case 5: /* setpgid() */
2126 
2127                 /* current process? */
2128                 if (pid == 0) {
2129                         return;
2130                 }
2131 
2132                 mutex_enter(&pidlock);
2133                 p = prfind(pid);
2134                 if (p == NULL || p->p_as == &kas ||
2135                     p->p_stat == SIDL || p->p_stat == SZOMB) {
2136                         mutex_exit(&pidlock);
2137                         return;
2138                 }
2139                 mutex_enter(&p->p_lock); /* so process doesn't go away */
2140                 mutex_exit(&pidlock);
2141 
2142                 mutex_enter(&p->p_crlock);
2143                 crhold(cr = p->p_cred);
2144                 mutex_exit(&p->p_crlock);
2145                 mutex_exit(&p->p_lock);
2146 
2147                 ainfo = crgetauinfo(cr);
2148                 if (ainfo == NULL) {
2149                         crfree(cr);
2150                         return;
2151                 }
2152 
2153                 uid  = crgetuid(cr);
2154                 gid  = crgetgid(cr);
2155                 ruid = crgetruid(cr);
2156                 rgid = crgetrgid(cr);
2157                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2158                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2159                 crfree(cr);
2160                 au_uwrite(au_to_arg32(2, "pgid", pgid));
2161                 break;
2162 
2163         default:
2164                 break;
2165         }
2166 }
2167 
2168 
2169 /*ARGSUSED*/
2170 static void
2171 aus_setregid(struct t_audit_data *tad)
2172 {
2173         klwp_t *clwp = ttolwp(curthread);
2174         uint32_t rgid, egid;
2175 
2176         struct a {
2177                 long     rgid;
2178                 long     egid;
2179         } *uap = (struct a *)clwp->lwp_ap;
2180 
2181         rgid  = (uint32_t)uap->rgid;
2182         egid  = (uint32_t)uap->egid;
2183 
2184         au_uwrite(au_to_arg32(1, "rgid", rgid));
2185         au_uwrite(au_to_arg32(2, "egid", egid));
2186 }
2187 
2188 /*ARGSUSED*/
2189 static void
2190 aus_setgid(struct t_audit_data *tad)
2191 {
2192         klwp_t *clwp = ttolwp(curthread);
2193         uint32_t gid;
2194 
2195         struct a {
2196                 long    gid;
2197         } *uap = (struct a *)clwp->lwp_ap;
2198 
2199         gid = (uint32_t)uap->gid;
2200 
2201         au_uwrite(au_to_arg32(1, "gid", gid));
2202 }
2203 
2204 
2205 /*ARGSUSED*/
2206 static void
2207 aus_setreuid(struct t_audit_data *tad)
2208 {
2209         klwp_t *clwp = ttolwp(curthread);
2210         uint32_t ruid, euid;
2211 
2212         struct a {
2213                 long    ruid;
2214                 long    euid;
2215         } *uap = (struct a *)clwp->lwp_ap;
2216 
2217         ruid = (uint32_t)uap->ruid;
2218         euid  = (uint32_t)uap->euid;
2219 
2220         au_uwrite(au_to_arg32(1, "ruid", ruid));
2221         au_uwrite(au_to_arg32(2, "euid", euid));
2222 }
2223 
2224 
2225 /*ARGSUSED*/
2226 static void
2227 aus_setuid(struct t_audit_data *tad)
2228 {
2229         klwp_t *clwp = ttolwp(curthread);
2230         uint32_t uid;
2231 
2232         struct a {
2233                 long    uid;
2234         } *uap = (struct a *)clwp->lwp_ap;
2235 
2236         uid = (uint32_t)uap->uid;
2237 
2238         au_uwrite(au_to_arg32(1, "uid", uid));
2239 }
2240 
2241 /*ARGSUSED*/
2242 static void
2243 aus_shmsys(struct t_audit_data *tad)
2244 {
2245         klwp_t *clwp = ttolwp(curthread);
2246         uint32_t id, cmd;
2247 
2248         struct b {
2249                 long    id;
2250                 long    cmd;
2251                 long    buf;            /* struct shmid_ds * */
2252         } *uap1 = (struct b *)&clwp->lwp_ap[1];
2253 
2254         id  = (uint32_t)uap1->id;
2255         cmd = (uint32_t)uap1->cmd;
2256 
2257         switch (tad->tad_event) {
2258         case AUE_SHMGET:                        /* shmget */
2259                 au_uwrite(au_to_arg32(1, "shm key", id));
2260                 break;
2261         case AUE_SHMCTL:                        /* shmctl */
2262         case AUE_SHMCTL_RMID:                   /* shmctl */
2263         case AUE_SHMCTL_STAT:                   /* shmctl */
2264         case AUE_SHMCTL_SET:                    /* shmctl */
2265                 au_uwrite(au_to_arg32(1, "shm ID", id));
2266                 break;
2267         case AUE_SHMDT:                         /* shmdt */
2268                 au_uwrite(au_to_arg32(1, "shm adr", id));
2269                 break;
2270         case AUE_SHMAT:                         /* shmat */
2271                 au_uwrite(au_to_arg32(1, "shm ID", id));
2272                 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2273                 break;
2274         }
2275 }
2276 
2277 /*ARGSUSED*/
2278 static void
2279 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2280 {
2281         int id;
2282 
2283         if (error != 0)
2284                 return;
2285         if (tad->tad_event == AUE_SHMGET) {
2286                 uint32_t scid;
2287                 uint32_t sy_flags;
2288 
2289                 /* need to determine type of executing binary */
2290                 scid = tad->tad_scid;
2291 #ifdef _SYSCALL32_IMPL
2292                 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2293                         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2294                 else
2295                         sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2296 #else
2297                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2298 #endif
2299                 if (sy_flags == SE_32RVAL1)
2300                         id = rval->r_val1;
2301                 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2302                         id = rval->r_val1;
2303                 if (sy_flags == SE_64RVAL)
2304                         id = (int)rval->r_vals;
2305                 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2306         }
2307 }
2308 
2309 
2310 /*ARGSUSED*/
2311 static void
2312 aus_ioctl(struct t_audit_data *tad)
2313 {
2314         klwp_t *clwp = ttolwp(curthread);
2315         struct file *fp;
2316         struct vnode *vp;
2317         struct f_audit_data *fad;
2318         uint32_t fd, cmd;
2319         uintptr_t cmarg;
2320 
2321         /* XX64 */
2322         struct a {
2323                 long    fd;
2324                 long    cmd;
2325                 long    cmarg;          /* caddr_t */
2326         } *uap = (struct a *)clwp->lwp_ap;
2327 
2328         fd    = (uint32_t)uap->fd;
2329         cmd   = (uint32_t)uap->cmd;
2330         cmarg = (uintptr_t)uap->cmarg;
2331 
2332                 /*
2333                  * convert file pointer to file descriptor
2334                  *   Note: fd ref count incremented here.
2335                  */
2336         if ((fp = getf(fd)) == NULL) {
2337                 au_uwrite(au_to_arg32(1, "fd", fd));
2338                 au_uwrite(au_to_arg32(2, "cmd", cmd));
2339 #ifndef _LP64
2340                         au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2341 #else
2342                         au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2343 #endif
2344                 return;
2345         }
2346 
2347         /* get path from file struct here */
2348         fad = F2A(fp);
2349         if (fad->fad_aupath != NULL) {
2350                 au_uwrite(au_to_path(fad->fad_aupath));
2351         } else {
2352                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2353         }
2354 
2355         vp = fp->f_vnode;
2356         audit_attributes(vp);
2357 
2358         /* decrement file descriptor reference count */
2359         releasef(fd);
2360 
2361         au_uwrite(au_to_arg32(2, "cmd", cmd));
2362 #ifndef _LP64
2363                 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2364 #else
2365                 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2366 #endif
2367 }
2368 
2369 /*
2370  * null function for memcntl for now. We might want to limit memcntl()
2371  * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2372  * require privileges.
2373  */
2374 static au_event_t
2375 aui_memcntl(au_event_t e)
2376 {
2377         return (e);
2378 }
2379 
2380 /*ARGSUSED*/
2381 static au_event_t
2382 aui_privsys(au_event_t e)
2383 {
2384         klwp_t *clwp = ttolwp(curthread);
2385 
2386         struct a {
2387                 long    opcode;
2388         } *uap = (struct a *)clwp->lwp_ap;
2389 
2390         switch (uap->opcode) {
2391         case PRIVSYS_SETPPRIV:
2392                 return (AUE_SETPPRIV);
2393         default:
2394                 return (AUE_NULL);
2395         }
2396 }
2397 
2398 /*ARGSUSED*/
2399 static void
2400 aus_memcntl(struct t_audit_data *tad)
2401 {
2402         klwp_t *clwp = ttolwp(curthread);
2403 
2404         struct a {
2405                 long    addr;
2406                 long    len;
2407                 long    cmd;
2408                 long    arg;
2409                 long    attr;
2410                 long    mask;
2411         } *uap = (struct a *)clwp->lwp_ap;
2412 
2413 #ifdef _LP64
2414         au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2415         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2416 #else
2417         au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2418         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2419 #endif
2420         au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2421 #ifdef _LP64
2422         au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2423 #else
2424         au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2425 #endif
2426         au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2427         au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2428 }
2429 
2430 /*ARGSUSED*/
2431 static void
2432 aus_mmap(struct t_audit_data *tad)
2433 {
2434         klwp_t *clwp = ttolwp(curthread);
2435         struct file *fp;
2436         struct f_audit_data *fad;
2437         struct vnode *vp;
2438         uint32_t fd;
2439 
2440         struct a {
2441                 long    addr;
2442                 long    len;
2443                 long    prot;
2444                 long    flags;
2445                 long    fd;
2446                 long    pos;
2447         } *uap = (struct a *)clwp->lwp_ap;
2448 
2449         fd = (uint32_t)uap->fd;
2450 
2451 #ifdef _LP64
2452         au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2453         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2454 #else
2455         au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2456         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2457 #endif
2458 
2459         if ((fp = getf(fd)) == NULL) {
2460                 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2461                 return;
2462         }
2463 
2464         /*
2465          * Mark in the tad if write access is NOT requested... if
2466          * this is later detected (in audit_attributes) to be a
2467          * public object, the mmap event may be discarded.
2468          */
2469         if (((uap->prot) & PROT_WRITE) == 0) {
2470                 tad->tad_ctrl |= TAD_PUBLIC_EV;
2471         }
2472 
2473         fad = F2A(fp);
2474         if (fad->fad_aupath != NULL) {
2475                 au_uwrite(au_to_path(fad->fad_aupath));
2476         } else {
2477                 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2478         }
2479 
2480         vp = (struct vnode *)fp->f_vnode;
2481         audit_attributes(vp);
2482 
2483         /* mark READ/WRITE since we can't predict access */
2484         if (uap->prot & PROT_READ)
2485                 fad->fad_flags |= FAD_READ;
2486         if (uap->prot & PROT_WRITE)
2487                 fad->fad_flags |= FAD_WRITE;
2488 
2489         /* decrement file descriptor reference count */
2490         releasef(fd);
2491 
2492 }       /* AUS_MMAP */
2493 
2494 
2495 
2496 
2497 /*ARGSUSED*/
2498 static void
2499 aus_munmap(struct t_audit_data *tad)
2500 {
2501         klwp_t *clwp = ttolwp(curthread);
2502 
2503         struct a {
2504                 long    addr;
2505                 long    len;
2506         } *uap = (struct a *)clwp->lwp_ap;
2507 
2508 #ifdef _LP64
2509         au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2510         au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2511 #else
2512         au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2513         au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2514 #endif
2515 
2516 }       /* AUS_MUNMAP */
2517 
2518 
2519 
2520 
2521 
2522 
2523 
2524 /*ARGSUSED*/
2525 static void
2526 aus_priocntlsys(struct t_audit_data *tad)
2527 {
2528         klwp_t *clwp = ttolwp(curthread);
2529 
2530         struct a {
2531                 long    pc_version;
2532                 long    psp;            /* procset_t */
2533                 long    cmd;
2534                 long    arg;
2535         } *uap = (struct a *)clwp->lwp_ap;
2536 
2537         au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2538         au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2539 
2540 }       /* AUS_PRIOCNTLSYS */
2541 
2542 
2543 /*ARGSUSED*/
2544 static void
2545 aus_setegid(struct t_audit_data *tad)
2546 {
2547         klwp_t *clwp = ttolwp(curthread);
2548         uint32_t gid;
2549 
2550         struct a {
2551                 long    gid;
2552         } *uap = (struct a *)clwp->lwp_ap;
2553 
2554         gid = (uint32_t)uap->gid;
2555 
2556         au_uwrite(au_to_arg32(1, "gid", gid));
2557 }       /* AUS_SETEGID */
2558 
2559 
2560 
2561 
2562 /*ARGSUSED*/
2563 static void
2564 aus_setgroups(struct t_audit_data *tad)
2565 {
2566         klwp_t *clwp = ttolwp(curthread);
2567         int i;
2568         int gidsetsize;
2569         uintptr_t gidset;
2570         gid_t *gidlist;
2571 
2572         struct a {
2573                 long    gidsetsize;
2574                 long    gidset;
2575         } *uap = (struct a *)clwp->lwp_ap;
2576 
2577         gidsetsize = (uint_t)uap->gidsetsize;
2578         gidset = (uintptr_t)uap->gidset;
2579 
2580         if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2581                 return;
2582         if (gidsetsize != 0) {
2583                 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2584                     KM_SLEEP);
2585                 if (copyin((caddr_t)gidset, gidlist,
2586                     gidsetsize * sizeof (gid_t)) == 0)
2587                         for (i = 0; i < gidsetsize; i++)
2588                                 au_uwrite(au_to_arg32(1, "setgroups",
2589                                     (uint32_t)gidlist[i]));
2590                 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2591         } else
2592                 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2593 
2594 }       /* AUS_SETGROUPS */
2595 
2596 
2597 
2598 
2599 
2600 /*ARGSUSED*/
2601 static void
2602 aus_seteuid(struct t_audit_data *tad)
2603 {
2604         klwp_t *clwp = ttolwp(curthread);
2605         uint32_t uid;
2606 
2607         struct a {
2608                 long    uid;
2609         } *uap = (struct a *)clwp->lwp_ap;
2610 
2611         uid = (uint32_t)uap->uid;
2612 
2613         au_uwrite(au_to_arg32(1, "euid", uid));
2614 
2615 }       /* AUS_SETEUID */
2616 
2617 /*ARGSUSED*/
2618 static void
2619 aus_putmsg(struct t_audit_data *tad)
2620 {
2621         klwp_t *clwp = ttolwp(curthread);
2622         uint32_t fd, pri;
2623         struct file *fp;
2624         struct f_audit_data *fad;
2625 
2626         struct a {
2627                 long    fdes;
2628                 long    ctl;            /* struct strbuf * */
2629                 long    data;           /* struct strbuf * */
2630                 long    pri;
2631         } *uap = (struct a *)clwp->lwp_ap;
2632 
2633         fd  = (uint32_t)uap->fdes;
2634         pri = (uint32_t)uap->pri;
2635 
2636         au_uwrite(au_to_arg32(1, "fd", fd));
2637 
2638         if ((fp = getf(fd)) != NULL) {
2639                 fad = F2A(fp);
2640 
2641                 fad->fad_flags |= FAD_WRITE;
2642 
2643                 /* add path name to audit record */
2644                 if (fad->fad_aupath != NULL) {
2645                         au_uwrite(au_to_path(fad->fad_aupath));
2646                 }
2647                 audit_attributes(fp->f_vnode);
2648 
2649                 releasef(fd);
2650         }
2651 
2652         au_uwrite(au_to_arg32(4, "pri", pri));
2653 }
2654 
2655 /*ARGSUSED*/
2656 static void
2657 aus_putpmsg(struct t_audit_data *tad)
2658 {
2659         klwp_t *clwp = ttolwp(curthread);
2660         uint32_t fd, pri, flags;
2661         struct file *fp;
2662         struct f_audit_data *fad;
2663 
2664         struct a {
2665                 long    fdes;
2666                 long    ctl;            /* struct strbuf * */
2667                 long    data;           /* struct strbuf * */
2668                 long    pri;
2669                 long    flags;
2670         } *uap = (struct a *)clwp->lwp_ap;
2671 
2672         fd = (uint32_t)uap->fdes;
2673         pri  = (uint32_t)uap->pri;
2674         flags  = (uint32_t)uap->flags;
2675 
2676         au_uwrite(au_to_arg32(1, "fd", fd));
2677 
2678         if ((fp = getf(fd)) != NULL) {
2679                 fad = F2A(fp);
2680 
2681                 fad->fad_flags |= FAD_WRITE;
2682 
2683                 /* add path name to audit record */
2684                 if (fad->fad_aupath != NULL) {
2685                         au_uwrite(au_to_path(fad->fad_aupath));
2686                 }
2687                 audit_attributes(fp->f_vnode);
2688 
2689                 releasef(fd);
2690         }
2691 
2692 
2693         au_uwrite(au_to_arg32(4, "pri", pri));
2694         au_uwrite(au_to_arg32(5, "flags", flags));
2695 }
2696 
2697 /*ARGSUSED*/
2698 static void
2699 aus_getmsg(struct t_audit_data *tad)
2700 {
2701         klwp_t *clwp = ttolwp(curthread);
2702         uint32_t fd, pri;
2703         struct file *fp;
2704         struct f_audit_data *fad;
2705 
2706         struct a {
2707                 long    fdes;
2708                 long    ctl;            /* struct strbuf * */
2709                 long    data;           /* struct strbuf * */
2710                 long    pri;
2711         } *uap = (struct a *)clwp->lwp_ap;
2712 
2713         fd  = (uint32_t)uap->fdes;
2714         pri = (uint32_t)uap->pri;
2715 
2716         au_uwrite(au_to_arg32(1, "fd", fd));
2717 
2718         if ((fp = getf(fd)) != NULL) {
2719                 fad = F2A(fp);
2720 
2721                 /*
2722                  * read operation on this object
2723                  */
2724                 fad->fad_flags |= FAD_READ;
2725 
2726                 /* add path name to audit record */
2727                 if (fad->fad_aupath != NULL) {
2728                         au_uwrite(au_to_path(fad->fad_aupath));
2729                 }
2730                 audit_attributes(fp->f_vnode);
2731 
2732                 releasef(fd);
2733         }
2734 
2735         au_uwrite(au_to_arg32(4, "pri", pri));
2736 }
2737 
2738 /*ARGSUSED*/
2739 static void
2740 aus_getpmsg(struct t_audit_data *tad)
2741 {
2742         klwp_t *clwp = ttolwp(curthread);
2743         uint32_t fd;
2744         struct file *fp;
2745         struct f_audit_data *fad;
2746 
2747         struct a {
2748                 long    fdes;
2749                 long    ctl;            /* struct strbuf * */
2750                 long    data;           /* struct strbuf * */
2751                 long    pri;
2752                 long    flags;
2753         } *uap = (struct a *)clwp->lwp_ap;
2754 
2755         fd = (uint32_t)uap->fdes;
2756 
2757         au_uwrite(au_to_arg32(1, "fd", fd));
2758 
2759         if ((fp = getf(fd)) != NULL) {
2760                 fad = F2A(fp);
2761 
2762                 /*
2763                  * read operation on this object
2764                  */
2765                 fad->fad_flags |= FAD_READ;
2766 
2767                 /* add path name to audit record */
2768                 if (fad->fad_aupath != NULL) {
2769                         au_uwrite(au_to_path(fad->fad_aupath));
2770                 }
2771                 audit_attributes(fp->f_vnode);
2772 
2773                 releasef(fd);
2774         }
2775 }
2776 
2777 static au_event_t
2778 aui_labelsys(au_event_t e)
2779 {
2780         klwp_t *clwp = ttolwp(curthread);
2781         uint32_t code;
2782         uint32_t cmd;
2783 
2784         struct a {
2785                 long    code;
2786                 long    cmd;
2787         } *uap = (struct a *)clwp->lwp_ap;
2788 
2789         code = (uint32_t)uap->code;
2790         cmd = (uint32_t)uap->cmd;
2791 
2792         /* not security relevant if not changing kernel cache */
2793         if (cmd == TNDB_GET)
2794                 return (AUE_NULL);
2795 
2796         switch (code) {
2797         case TSOL_TNRH:
2798                 e = AUE_LABELSYS_TNRH;
2799                 break;
2800         case TSOL_TNRHTP:
2801                 e = AUE_LABELSYS_TNRHTP;
2802                 break;
2803         case TSOL_TNMLP:
2804                 e = AUE_LABELSYS_TNMLP;
2805                 break;
2806         default:
2807                 e = AUE_NULL;
2808                 break;
2809         }
2810 
2811         return (e);
2812 
2813 }
2814 
2815 static void
2816 aus_labelsys(struct t_audit_data *tad)
2817 {
2818         klwp_t *clwp = ttolwp(curthread);
2819         uint32_t cmd;
2820         uintptr_t a2;
2821 
2822         struct a {
2823                 long    code;
2824                 long    cmd;
2825                 long    a2;
2826         } *uap = (struct a *)clwp->lwp_ap;
2827 
2828         cmd = (uint32_t)uap->cmd;
2829         a2 = (uintptr_t)uap->a2;
2830 
2831         switch (tad->tad_event) {
2832         case AUE_LABELSYS_TNRH:
2833         {
2834                 tsol_rhent_t    *rhent;
2835                 tnaddr_t        *rh_addr;
2836 
2837                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2838 
2839                 /* Remaining args don't apply for FLUSH, so skip */
2840                 if (cmd == TNDB_FLUSH)
2841                         break;
2842 
2843                 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2844                 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2845                         kmem_free(rhent, sizeof (tsol_rhent_t));
2846                         return;
2847                 }
2848 
2849                 rh_addr = &rhent->rh_address;
2850                 if (rh_addr->ta_family == AF_INET) {
2851                         struct in_addr  *ipaddr;
2852 
2853                         ipaddr = &(rh_addr->ta_addr_v4);
2854                         au_uwrite(au_to_in_addr(ipaddr));
2855                 } else if (rh_addr->ta_family == AF_INET6) {
2856                         int32_t         *ipaddr;
2857 
2858                         ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2859                         au_uwrite(au_to_in_addr_ex(ipaddr));
2860                 }
2861                 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2862 
2863                 kmem_free(rhent, sizeof (tsol_rhent_t));
2864 
2865                 break;
2866         }
2867         case AUE_LABELSYS_TNRHTP:
2868         {
2869                 tsol_tpent_t    *tpent;
2870 
2871                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2872 
2873                 /* Remaining args don't apply for FLUSH, so skip */
2874                 if (cmd == TNDB_FLUSH)
2875                         break;
2876 
2877                 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2878                 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2879                         kmem_free(tpent, sizeof (tsol_tpent_t));
2880                         return;
2881                 }
2882 
2883                 /* Make sure that the template name is null-terminated. */
2884                 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2885 
2886                 au_uwrite(au_to_text(tpent->name));
2887                 kmem_free(tpent, sizeof (tsol_tpent_t));
2888 
2889                 break;
2890         }
2891         case AUE_LABELSYS_TNMLP:
2892         {
2893                 tsol_mlpent_t   *mlpent;
2894 
2895                 au_uwrite(au_to_arg32(1, "cmd", cmd));
2896 
2897                 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2898                 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2899                         kmem_free(mlpent, sizeof (tsol_mlpent_t));
2900                         return;
2901                 }
2902 
2903                 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2904                         au_uwrite(au_to_text("shared"));
2905                 } else {
2906                         zone_t  *zone;
2907 
2908                         zone = zone_find_by_id(mlpent->tsme_zoneid);
2909                         if (zone != NULL) {
2910                                 au_uwrite(au_to_text(zone->zone_name));
2911                                 zone_rele(zone);
2912                         }
2913                 }
2914 
2915                 /* Remaining args don't apply for FLUSH, so skip */
2916                 if (cmd == TNDB_FLUSH) {
2917                         kmem_free(mlpent, sizeof (tsol_mlpent_t));
2918                         break;
2919                 }
2920 
2921                 au_uwrite(au_to_arg32(2, "proto num",
2922                     (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2923                 au_uwrite(au_to_arg32(2, "mlp_port",
2924                     (uint32_t)mlpent->tsme_mlp.mlp_port));
2925 
2926                 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2927                         au_uwrite(au_to_arg32(2, "mlp_port_upper",
2928                             (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2929 
2930                 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2931 
2932                 break;
2933         }
2934         default:
2935                 break;
2936         }
2937 }
2938 
2939 
2940 static au_event_t
2941 aui_auditsys(au_event_t e)
2942 {
2943         klwp_t *clwp = ttolwp(curthread);
2944         uint32_t code;
2945 
2946         struct a {
2947                 long    code;
2948                 long    a1;
2949                 long    a2;
2950                 long    a3;
2951                 long    a4;
2952                 long    a5;
2953                 long    a6;
2954                 long    a7;
2955         } *uap = (struct a *)clwp->lwp_ap;
2956 
2957         code = (uint32_t)uap->code;
2958 
2959         switch (code) {
2960 
2961         case BSM_GETAUID:
2962                 e = AUE_GETAUID;
2963                 break;
2964         case BSM_SETAUID:
2965                 e = AUE_SETAUID;
2966                 break;
2967         case BSM_GETAUDIT:
2968                 e = AUE_GETAUDIT;
2969                 break;
2970         case BSM_GETAUDIT_ADDR:
2971                 e = AUE_GETAUDIT_ADDR;
2972                 break;
2973         case BSM_SETAUDIT:
2974                 e = AUE_SETAUDIT;
2975                 break;
2976         case BSM_SETAUDIT_ADDR:
2977                 e = AUE_SETAUDIT_ADDR;
2978                 break;
2979         case BSM_AUDIT:
2980                 e = AUE_AUDIT;
2981                 break;
2982         case BSM_AUDITCTL:
2983                 switch ((uint_t)uap->a1) {
2984 
2985                 case A_GETPOLICY:
2986                         e = AUE_AUDITON_GPOLICY;
2987                         break;
2988                 case A_SETPOLICY:
2989                         e = AUE_AUDITON_SPOLICY;
2990                         break;
2991                 case A_GETAMASK:
2992                         e = AUE_AUDITON_GETAMASK;
2993                         break;
2994                 case A_SETAMASK:
2995                         e = AUE_AUDITON_SETAMASK;
2996                         break;
2997                 case A_GETKMASK:
2998                         e = AUE_AUDITON_GETKMASK;
2999                         break;
3000                 case A_SETKMASK:
3001                         e = AUE_AUDITON_SETKMASK;
3002                         break;
3003                 case A_GETQCTRL:
3004                         e = AUE_AUDITON_GQCTRL;
3005                         break;
3006                 case A_SETQCTRL:
3007                         e = AUE_AUDITON_SQCTRL;
3008                         break;
3009                 case A_GETCWD:
3010                         e = AUE_AUDITON_GETCWD;
3011                         break;
3012                 case A_GETCAR:
3013                         e = AUE_AUDITON_GETCAR;
3014                         break;
3015                 case A_GETSTAT:
3016                         e = AUE_AUDITON_GETSTAT;
3017                         break;
3018                 case A_SETSTAT:
3019                         e = AUE_AUDITON_SETSTAT;
3020                         break;
3021                 case A_SETUMASK:
3022                         e = AUE_AUDITON_SETUMASK;
3023                         break;
3024                 case A_SETSMASK:
3025                         e = AUE_AUDITON_SETSMASK;
3026                         break;
3027                 case A_GETCOND:
3028                         e = AUE_AUDITON_GETCOND;
3029                         break;
3030                 case A_SETCOND:
3031                         e = AUE_AUDITON_SETCOND;
3032                         break;
3033                 case A_GETCLASS:
3034                         e = AUE_AUDITON_GETCLASS;
3035                         break;
3036                 case A_SETCLASS:
3037                         e = AUE_AUDITON_SETCLASS;
3038                         break;
3039                 default:
3040                         e = AUE_NULL;
3041                         break;
3042                 }
3043                 break;
3044         default:
3045                 e = AUE_NULL;
3046                 break;
3047         }
3048 
3049         return (e);
3050 
3051 }       /* AUI_AUDITSYS */
3052 
3053 
3054 static void
3055 aus_auditsys(struct t_audit_data *tad)
3056 {
3057         klwp_t *clwp = ttolwp(curthread);
3058         uintptr_t a1, a2;
3059         STRUCT_DECL(auditinfo, ainfo);
3060         STRUCT_DECL(auditinfo_addr, ainfo_addr);
3061         au_evclass_map_t event;
3062         au_mask_t mask;
3063         int auditstate, policy;
3064         au_id_t auid;
3065 
3066 
3067         struct a {
3068                 long    code;
3069                 long    a1;
3070                 long    a2;
3071                 long    a3;
3072                 long    a4;
3073                 long    a5;
3074                 long    a6;
3075                 long    a7;
3076         } *uap = (struct a *)clwp->lwp_ap;
3077 
3078         a1   = (uintptr_t)uap->a1;
3079         a2   = (uintptr_t)uap->a2;
3080 
3081         switch (tad->tad_event) {
3082         case AUE_SETAUID:
3083                 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3084                                 return;
3085                 au_uwrite(au_to_arg32(2, "setauid", auid));
3086                 break;
3087         case AUE_SETAUDIT:
3088                 STRUCT_INIT(ainfo, get_udatamodel());
3089                 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3090                     STRUCT_SIZE(ainfo))) {
3091                                 return;
3092                 }
3093                 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3094                     (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3095 #ifdef _LP64
3096                 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3097                     (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3098 #else
3099                 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3100                     (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3101 #endif
3102                 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3103                     (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3104                 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3105                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3106                 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3107                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3108                 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3109                     (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3110                 break;
3111         case AUE_SETAUDIT_ADDR:
3112                 STRUCT_INIT(ainfo_addr, get_udatamodel());
3113                 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3114                     STRUCT_SIZE(ainfo_addr))) {
3115                                 return;
3116                 }
3117                 au_uwrite(au_to_arg32((char)1, "auid",
3118                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3119 #ifdef _LP64
3120                 au_uwrite(au_to_arg64((char)1, "port",
3121                     (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3122 #else
3123                 au_uwrite(au_to_arg32((char)1, "port",
3124                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3125 #endif
3126                 au_uwrite(au_to_arg32((char)1, "type",
3127                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3128                 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3129                     AU_IPv4) {
3130                         au_uwrite(au_to_in_addr(
3131                             (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3132                             ai_termid.at_addr)));
3133                 } else {
3134                         au_uwrite(au_to_in_addr_ex(
3135                             (int32_t *)STRUCT_FGETP(ainfo_addr,
3136                             ai_termid.at_addr)));
3137                 }
3138                 au_uwrite(au_to_arg32((char)1, "as_success",
3139                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3140                 au_uwrite(au_to_arg32((char)1, "as_failure",
3141                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3142                 au_uwrite(au_to_arg32((char)1, "asid",
3143                     (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3144                 break;
3145         case AUE_AUDITON_SETAMASK:
3146                 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3147                                 return;
3148                 au_uwrite(au_to_arg32(
3149                     2, "setamask:as_success", (uint32_t)mask.as_success));
3150                 au_uwrite(au_to_arg32(
3151                     2, "setamask:as_failure", (uint32_t)mask.as_failure));
3152                 break;
3153         case AUE_AUDITON_SETKMASK:
3154                 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3155                                 return;
3156                 au_uwrite(au_to_arg32(
3157                     2, "setkmask:as_success", (uint32_t)mask.as_success));
3158                 au_uwrite(au_to_arg32(
3159                     2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3160                 break;
3161         case AUE_AUDITON_SPOLICY:
3162                 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3163                         return;
3164                 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3165                 break;
3166         case AUE_AUDITON_SQCTRL: {
3167                 STRUCT_DECL(au_qctrl, qctrl);
3168                 model_t model;
3169 
3170                 model = get_udatamodel();
3171                 STRUCT_INIT(qctrl, model);
3172                 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3173                                 return;
3174                 if (model == DATAMODEL_ILP32) {
3175                         au_uwrite(au_to_arg32(
3176                             3, "setqctrl:aq_hiwater",
3177                             (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3178                         au_uwrite(au_to_arg32(
3179                             3, "setqctrl:aq_lowater",
3180                             (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3181                         au_uwrite(au_to_arg32(
3182                             3, "setqctrl:aq_bufsz",
3183                             (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3184                         au_uwrite(au_to_arg32(
3185                             3, "setqctrl:aq_delay",
3186                             (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3187                 } else {
3188                         au_uwrite(au_to_arg64(
3189                             3, "setqctrl:aq_hiwater",
3190                             (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3191                         au_uwrite(au_to_arg64(
3192                             3, "setqctrl:aq_lowater",
3193                             (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3194                         au_uwrite(au_to_arg64(
3195                             3, "setqctrl:aq_bufsz",
3196                             (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3197                         au_uwrite(au_to_arg64(
3198                             3, "setqctrl:aq_delay",
3199                             (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3200                 }
3201                 break;
3202         }
3203         case AUE_AUDITON_SETUMASK:
3204                 STRUCT_INIT(ainfo, get_udatamodel());
3205                 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3206                     STRUCT_SIZE(ainfo))) {
3207                         return;
3208                 }
3209                 au_uwrite(au_to_arg32(3, "setumask:as_success",
3210                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3211                 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3212                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3213                 break;
3214         case AUE_AUDITON_SETSMASK:
3215                 STRUCT_INIT(ainfo, get_udatamodel());
3216                 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3217                     STRUCT_SIZE(ainfo))) {
3218                         return;
3219                 }
3220                 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3221                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3222                 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3223                     (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3224                 break;
3225         case AUE_AUDITON_SETCOND:
3226                 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3227                         return;
3228                 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3229                 break;
3230         case AUE_AUDITON_SETCLASS:
3231                 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3232                         return;
3233                 au_uwrite(au_to_arg32(
3234                     2, "setclass:ec_event", (uint32_t)event.ec_number));
3235                 au_uwrite(au_to_arg32(
3236                     3, "setclass:ec_class", (uint32_t)event.ec_class));
3237                 break;
3238         case AUE_GETAUID:
3239         case AUE_GETAUDIT:
3240         case AUE_GETAUDIT_ADDR:
3241         case AUE_AUDIT:
3242         case AUE_AUDITON_GPOLICY:
3243         case AUE_AUDITON_GQCTRL:
3244         case AUE_AUDITON_GETAMASK:
3245         case AUE_AUDITON_GETKMASK:
3246         case AUE_AUDITON_GETCWD:
3247         case AUE_AUDITON_GETCAR:
3248         case AUE_AUDITON_GETSTAT:
3249         case AUE_AUDITON_SETSTAT:
3250         case AUE_AUDITON_GETCOND:
3251         case AUE_AUDITON_GETCLASS:
3252                 break;
3253         default:
3254                 break;
3255         }
3256 
3257 }       /* AUS_AUDITSYS */
3258 
3259 
3260 /* only audit privileged operations for systeminfo(2) system call */
3261 static au_event_t
3262 aui_sysinfo(au_event_t e)
3263 {
3264         klwp_t *clwp = ttolwp(curthread);
3265         uint32_t command;
3266 
3267         struct a {
3268                 long    command;
3269                 long    buf;            /* char * */
3270                 long    count;
3271         } *uap = (struct a *)clwp->lwp_ap;
3272 
3273         command = (uint32_t)uap->command;
3274 
3275         switch (command) {
3276         case SI_SET_HOSTNAME:
3277         case SI_SET_SRPC_DOMAIN:
3278                 e = (au_event_t)AUE_SYSINFO;
3279                 break;
3280         default:
3281                 e = (au_event_t)AUE_NULL;
3282                 break;
3283         }
3284         return (e);
3285 }
3286 
3287 /*ARGSUSED*/
3288 static void
3289 aus_sysinfo(struct t_audit_data *tad)
3290 {
3291         klwp_t *clwp = ttolwp(curthread);
3292         uint32_t command;
3293         size_t len, maxlen;
3294         char *name;
3295         uintptr_t buf;
3296 
3297         struct a {
3298                 long    command;
3299                 long    buf;            /* char * */
3300                 long    count;
3301         } *uap = (struct a *)clwp->lwp_ap;
3302 
3303         command = (uint32_t)uap->command;
3304         buf = (uintptr_t)uap->buf;
3305 
3306         au_uwrite(au_to_arg32(1, "cmd", command));
3307 
3308         switch (command) {
3309         case SI_SET_HOSTNAME:
3310         {
3311                 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3312                         return;
3313 
3314                 maxlen = SYS_NMLN;
3315                 name = kmem_alloc(maxlen, KM_SLEEP);
3316                 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3317                         break;
3318 
3319                 /*
3320                  * Must be non-NULL string and string
3321                  * must be less than SYS_NMLN chars.
3322                  */
3323                 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3324                         break;
3325 
3326                 au_uwrite(au_to_text(name));
3327                 break;
3328         }
3329 
3330         case SI_SET_SRPC_DOMAIN:
3331         {
3332                 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3333                         return;
3334 
3335                 maxlen = SYS_NMLN;
3336                 name = kmem_alloc(maxlen, KM_SLEEP);
3337                 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3338                         break;
3339 
3340                 /*
3341                  * If string passed in is longer than length
3342                  * allowed for domain name, fail.
3343                  */
3344                 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3345                         break;
3346 
3347                 au_uwrite(au_to_text(name));
3348                 break;
3349         }
3350 
3351         default:
3352                 return;
3353         }
3354 
3355         kmem_free(name, maxlen);
3356 }
3357 
3358 static au_event_t
3359 aui_modctl(au_event_t e)
3360 {
3361         klwp_t *clwp = ttolwp(curthread);
3362         uint_t cmd;
3363 
3364         struct a {
3365                 long    cmd;
3366         } *uap = (struct a *)clwp->lwp_ap;
3367 
3368         cmd = (uint_t)uap->cmd;
3369 
3370         switch (cmd) {
3371         case MODLOAD:
3372                 e = AUE_MODLOAD;
3373                 break;
3374         case MODUNLOAD:
3375                 e = AUE_MODUNLOAD;
3376                 break;
3377         case MODADDMAJBIND:
3378                 e = AUE_MODADDMAJ;
3379                 break;
3380         case MODSETDEVPOLICY:
3381                 e = AUE_MODDEVPLCY;
3382                 break;
3383         case MODALLOCPRIV:
3384                 e = AUE_MODADDPRIV;
3385                 break;
3386         default:
3387                 e = AUE_NULL;
3388                 break;
3389         }
3390         return (e);
3391 }
3392 
3393 
3394 /*ARGSUSED*/
3395 static void
3396 aus_modctl(struct t_audit_data *tad)
3397 {
3398         klwp_t *clwp = ttolwp(curthread);
3399         void *a = clwp->lwp_ap;
3400         uint_t use_path;
3401 
3402         switch (tad->tad_event) {
3403         case AUE_MODLOAD: {
3404                 typedef struct {
3405                         long    cmd;
3406                         long    use_path;
3407                         long    filename;               /* char * */
3408                 } modloada_t;
3409 
3410                 char *filenamep;
3411                 uintptr_t fname;
3412                 extern char *default_path;
3413 
3414                 fname = (uintptr_t)((modloada_t *)a)->filename;
3415                 use_path = (uint_t)((modloada_t *)a)->use_path;
3416 
3417                         /* space to hold path */
3418                 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3419                         /* get string */
3420                 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3421                                 /* free allocated path */
3422                         kmem_free(filenamep, MOD_MAXPATH);
3423                         return;
3424                 }
3425                         /* ensure it's null terminated */
3426                 filenamep[MOD_MAXPATH - 1] = 0;
3427 
3428                 if (use_path)
3429                         au_uwrite(au_to_text(default_path));
3430                 au_uwrite(au_to_text(filenamep));
3431 
3432                         /* release temporary memory */
3433                 kmem_free(filenamep, MOD_MAXPATH);
3434                 break;
3435         }
3436         case AUE_MODUNLOAD: {
3437                 typedef struct {
3438                         long    cmd;
3439                         long    id;
3440                 } modunloada_t;
3441 
3442                 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3443 
3444                 au_uwrite(au_to_arg32(1, "id", id));
3445                 break;
3446         }
3447         case AUE_MODADDMAJ: {
3448                 STRUCT_DECL(modconfig, mc);
3449                 typedef struct {
3450                         long    cmd;
3451                         long    subcmd;
3452                         long    data;           /* int * */
3453                 } modconfiga_t;
3454 
3455                 STRUCT_DECL(aliases, alias);
3456                 caddr_t ap;
3457                 int i, num_aliases;
3458                 char *drvname, *mc_drvname;
3459                 char *name;
3460                 extern char *ddi_major_to_name(major_t);
3461                 model_t model;
3462 
3463                 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3464 
3465                 model = get_udatamodel();
3466                 STRUCT_INIT(mc, model);
3467                         /* sanitize buffer */
3468                 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3469                         /* get user arguments */
3470                 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3471                     STRUCT_SIZE(mc)) != 0)
3472                         return;
3473 
3474                 mc_drvname = STRUCT_FGET(mc, drvname);
3475                 if ((drvname = ddi_major_to_name(
3476                     (major_t)STRUCT_FGET(mc, major))) != NULL &&
3477                     strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3478                                 /* safety */
3479                         if (mc_drvname[0] != '\0') {
3480                                 mc_drvname[MAXMODCONFNAME-1] = '\0';
3481                                 au_uwrite(au_to_text(mc_drvname));
3482                         }
3483                                 /* drvname != NULL from test above */
3484                         au_uwrite(au_to_text(drvname));
3485                         return;
3486                 }
3487 
3488                 if (mc_drvname[0] != '\0') {
3489                                 /* safety */
3490                         mc_drvname[MAXMODCONFNAME-1] = '\0';
3491                         au_uwrite(au_to_text(mc_drvname));
3492                 } else
3493                         au_uwrite(au_to_text("no drvname"));
3494 
3495                 num_aliases = STRUCT_FGET(mc, num_aliases);
3496                 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3497                 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3498                 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3499                 STRUCT_INIT(alias, model);
3500                 for (i = 0; i < num_aliases; i++) {
3501                         bzero((caddr_t)STRUCT_BUF(alias),
3502                             STRUCT_SIZE(alias));
3503                         if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3504                             STRUCT_SIZE(alias)) != 0)
3505                                 break;
3506                         if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3507                             MAXMODCONFNAME, NULL) != 0) {
3508                                 break;
3509                         }
3510 
3511                         au_uwrite(au_to_text(name));
3512                         ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3513                 }
3514                 kmem_free(name, MAXMODCONFNAME);
3515                 break;
3516         }
3517         default:
3518                 break;
3519         }
3520 }
3521 
3522 
3523 /*ARGSUSED*/
3524 static void
3525 auf_accept(
3526         struct t_audit_data *tad,
3527         int     error,
3528         rval_t  *rval)
3529 {
3530         uint32_t scid;
3531         uint32_t sy_flags;
3532         int fd;
3533         struct sonode *so;
3534         char so_laddr[sizeof (struct sockaddr_in6)];
3535         char so_faddr[sizeof (struct sockaddr_in6)];
3536         int err;
3537         short so_family, so_type;
3538         int add_sock_token = 0;
3539 
3540         /* need to determine type of executing binary */
3541         scid = tad->tad_scid;
3542 #ifdef _SYSCALL32_IMPL
3543         if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3544                 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3545         else
3546                 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3547 #else
3548         sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3549 #endif
3550         switch (sy_flags) {
3551         case SE_32RVAL1:
3552                 /* FALLTHRU */
3553         case SE_32RVAL2|SE_32RVAL1:
3554                 fd = rval->r_val1;
3555                 break;
3556         case SE_64RVAL:
3557                 fd = (int)rval->r_vals;
3558                 break;
3559         default:
3560                 /*
3561                  * should never happen, seems to be an internal error
3562                  * in sysent => no fd, nothing to audit here, returning
3563                  */
3564                 return;
3565         }
3566 
3567         if (error) {
3568                 /* can't trust socket contents. Just return */
3569                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3570                 return;
3571         }
3572 
3573         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3574                 /*
3575                  * not security relevant if doing a accept from non socket
3576                  * so no extra tokens. Should probably turn off audit record
3577                  * generation here.
3578                  */
3579                 return;
3580         }
3581 
3582         so_family = so->so_family;
3583         so_type   = so->so_type;
3584 
3585         switch (so_family) {
3586         case AF_INET:
3587         case AF_INET6:
3588                 /*
3589                  * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3590                  */
3591                 if (so->so_type == SOCK_STREAM) {
3592                         socklen_t len;
3593 
3594                         bzero((void *)so_laddr, sizeof (so_laddr));
3595                         bzero((void *)so_faddr, sizeof (so_faddr));
3596 
3597                         len = sizeof (so_laddr);
3598                         (void) socket_getsockname(so,
3599                             (struct sockaddr *)so_laddr, &len, CRED());
3600                         len = sizeof (so_faddr);
3601                         (void) socket_getpeername(so,
3602                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3603 
3604                         add_sock_token = 1;
3605                 }
3606                 break;
3607 
3608         default:
3609                 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3610                 break;
3611         }
3612 
3613         releasef(fd);
3614 
3615         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3616 
3617         if (add_sock_token == 0) {
3618                 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3619                 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3620                 return;
3621         }
3622 
3623         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3624 
3625 }
3626 
3627 /*ARGSUSED*/
3628 static void
3629 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3630 {
3631         struct a {
3632                 long    fd;
3633                 long    addr;
3634                 long    len;
3635         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3636 
3637         struct sonode *so;
3638         char so_laddr[sizeof (struct sockaddr_in6)];
3639         char so_faddr[sizeof (struct sockaddr_in6)];
3640         int err, fd;
3641         socklen_t len;
3642         short so_family, so_type;
3643         int add_sock_token = 0;
3644 
3645         fd = (int)uap->fd;
3646 
3647         /*
3648          * bind failed, then nothing extra to add to audit record.
3649          */
3650         if (error) {
3651                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3652                 /* XXX may want to add failed address some day */
3653                 return;
3654         }
3655 
3656         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3657                 /*
3658                  * not security relevant if doing a bind from non socket
3659                  * so no extra tokens. Should probably turn off audit record
3660                  * generation here.
3661                  */
3662                 return;
3663         }
3664 
3665         so_family = so->so_family;
3666         so_type   = so->so_type;
3667 
3668         switch (so_family) {
3669         case AF_INET:
3670         case AF_INET6:
3671 
3672                 bzero(so_faddr, sizeof (so_faddr));
3673                 len = sizeof (so_faddr);
3674 
3675                 (void) socket_getpeername(so,
3676                     (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3677                 add_sock_token = 1;
3678 
3679                 break;
3680 
3681         case AF_UNIX:
3682                 /* token added by lookup */
3683                 break;
3684         default:
3685                 /* AF_ROUTE, AF_KEY do not support accept */
3686                 break;
3687         }
3688 
3689         releasef(fd);
3690 
3691         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3692 
3693         if (add_sock_token == 0) {
3694                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3695                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3696                 return;
3697         }
3698 
3699         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3700 
3701 }
3702 
3703 /*ARGSUSED*/
3704 static void
3705 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3706 {
3707         struct a {
3708                 long    fd;
3709                 long    addr;
3710                 long    len;
3711         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3712 
3713         struct sonode *so;
3714         char so_laddr[sizeof (struct sockaddr_in6)];
3715         char so_faddr[sizeof (struct sockaddr_in6)];
3716         int err, fd;
3717         socklen_t len;
3718         short so_family, so_type;
3719         int add_sock_token = 0;
3720 
3721         fd = (int)uap->fd;
3722 
3723 
3724         if ((so = getsonode(fd, &err, NULL)) == NULL) {
3725                 /*
3726                  * not security relevant if doing a connect from non socket
3727                  * so no extra tokens. Should probably turn off audit record
3728                  * generation here.
3729                  */
3730                 return;
3731         }
3732 
3733         so_family = so->so_family;
3734         so_type   = so->so_type;
3735 
3736         switch (so_family) {
3737         case AF_INET:
3738         case AF_INET6:
3739 
3740                 bzero(so_laddr, sizeof (so_laddr));
3741                 bzero(so_faddr, sizeof (so_faddr));
3742 
3743                 len = sizeof (so_laddr);
3744                 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3745                     &len, CRED());
3746                 if (error) {
3747                         if (uap->addr == NULL)
3748                                 break;
3749                         if (uap->len <= 0)
3750                                 break;
3751                         len = min(uap->len, sizeof (so_faddr));
3752                         if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3753                                 break;
3754 #ifdef NOTYET
3755                         au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3756 #endif
3757                 } else {
3758                         /* sanity check on length */
3759                         len = sizeof (so_faddr);
3760                         (void) socket_getpeername(so,
3761                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3762                 }
3763 
3764                 add_sock_token = 1;
3765 
3766                 break;
3767 
3768         case AF_UNIX:
3769                 /* does a lookup on name */
3770                 break;
3771 
3772         default:
3773                 /* AF_ROUTE, AF_KEY do not support accept */
3774                 break;
3775         }
3776 
3777         releasef(fd);
3778 
3779         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3780 
3781         if (add_sock_token == 0) {
3782                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3783                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3784                 return;
3785         }
3786 
3787         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3788 
3789 }
3790 
3791 /*ARGSUSED*/
3792 static void
3793 aus_shutdown(struct t_audit_data *tad)
3794 {
3795         struct a {
3796                 long    fd;
3797                 long    how;
3798         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3799 
3800         struct sonode *so;
3801         char so_laddr[sizeof (struct sockaddr_in6)];
3802         char so_faddr[sizeof (struct sockaddr_in6)];
3803         int err, fd;
3804         socklen_t len;
3805         short so_family, so_type;
3806         int add_sock_token = 0;
3807         file_t *fp;                             /* unix domain sockets */
3808         struct f_audit_data *fad;               /* unix domain sockets */
3809 
3810         fd = (int)uap->fd;
3811 
3812         if ((so = getsonode(fd, &err, &fp)) == NULL) {
3813                 /*
3814                  * not security relevant if doing a shutdown using non socket
3815                  * so no extra tokens. Should probably turn off audit record
3816                  * generation here.
3817                  */
3818                 return;
3819         }
3820 
3821         so_family = so->so_family;
3822         so_type   = so->so_type;
3823 
3824         switch (so_family) {
3825         case AF_INET:
3826         case AF_INET6:
3827 
3828                 bzero(so_laddr, sizeof (so_laddr));
3829                 bzero(so_faddr, sizeof (so_faddr));
3830 
3831                 len = sizeof (so_laddr);
3832                 (void) socket_getsockname(so,
3833                     (struct sockaddr *)so_laddr, &len, CRED());
3834                 len = sizeof (so_faddr);
3835                 (void) socket_getpeername(so,
3836                     (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3837 
3838                 add_sock_token = 1;
3839 
3840                 break;
3841 
3842         case AF_UNIX:
3843 
3844                 /* get path from file struct here */
3845                 fad = F2A(fp);
3846                 ASSERT(fad);
3847 
3848                 if (fad->fad_aupath != NULL) {
3849                         au_uwrite(au_to_path(fad->fad_aupath));
3850                 } else {
3851                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
3852                 }
3853 
3854                 audit_attributes(fp->f_vnode);
3855 
3856                 break;
3857 
3858         default:
3859                 /*
3860                  * AF_KEY and AF_ROUTE support shutdown. No socket token
3861                  * added.
3862                  */
3863                 break;
3864         }
3865 
3866         releasef(fd);
3867 
3868         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3869 
3870         if (add_sock_token == 0) {
3871                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3872                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3873                 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3874                 return;
3875         }
3876 
3877         au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3878 
3879         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3880 
3881 }
3882 
3883 /*ARGSUSED*/
3884 static void
3885 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3886 {
3887         struct a {
3888                 long    fd;
3889                 long    level;
3890                 long    optname;
3891                 long    *optval;
3892                 long    optlen;
3893         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3894 
3895         struct sonode   *so;
3896         char so_laddr[sizeof (struct sockaddr_in6)];
3897         char so_faddr[sizeof (struct sockaddr_in6)];
3898         char            val[AU_BUFSIZE];
3899         int             err, fd;
3900         socklen_t       len;
3901         short so_family, so_type;
3902         int             add_sock_token = 0;
3903         file_t *fp;                             /* unix domain sockets */
3904         struct f_audit_data *fad;               /* unix domain sockets */
3905 
3906         fd = (int)uap->fd;
3907 
3908         if (error) {
3909                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3910                 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3911                 /* XXX may want to include other arguments */
3912                 return;
3913         }
3914 
3915         if ((so = getsonode(fd, &err, &fp)) == NULL) {
3916                 /*
3917                  * not security relevant if doing a setsockopt from non socket
3918                  * so no extra tokens. Should probably turn off audit record
3919                  * generation here.
3920                  */
3921                 return;
3922         }
3923 
3924         so_family = so->so_family;
3925         so_type   = so->so_type;
3926 
3927         switch (so_family) {
3928         case AF_INET:
3929         case AF_INET6:
3930                 bzero((void *)so_laddr, sizeof (so_laddr));
3931                 bzero((void *)so_faddr, sizeof (so_faddr));
3932 
3933                 /* get local and foreign addresses */
3934                 len = sizeof (so_laddr);
3935                 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3936                     &len, CRED());
3937                 len = sizeof (so_faddr);
3938                 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3939                     &len, B_FALSE, CRED());
3940 
3941                 add_sock_token = 1;
3942 
3943                 break;
3944 
3945         case AF_UNIX:
3946 
3947                 /* get path from file struct here */
3948                 fad = F2A(fp);
3949                 ASSERT(fad);
3950 
3951                 if (fad->fad_aupath != NULL) {
3952                         au_uwrite(au_to_path(fad->fad_aupath));
3953                 } else {
3954                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
3955                 }
3956 
3957                 audit_attributes(fp->f_vnode);
3958 
3959                 break;
3960 
3961         default:
3962                 /*
3963                  * AF_KEY and AF_ROUTE support setsockopt. No socket token
3964                  * added.
3965                  */
3966                 break;
3967         }
3968 
3969         releasef(fd);
3970 
3971         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3972 
3973         if (add_sock_token == 0) {
3974                 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3975                 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3976         }
3977         au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3978         au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3979 
3980         bzero(val, sizeof (val));
3981         len = min(uap->optlen, sizeof (val));
3982         if ((len > 0) &&
3983             (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3984                 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3985                 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3986         }
3987 
3988         if (add_sock_token == 0)
3989                 return;
3990 
3991         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3992 
3993 }
3994 
3995 /*ARGSUSED*/
3996 static void
3997 aus_sockconfig(tad)
3998         struct t_audit_data *tad;
3999 {
4000         struct a {
4001                 long    cmd;
4002                 long    arg1;
4003                 long    arg2;
4004                 long    arg3;
4005                 long    arg4;
4006         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4007 
4008         char    *buf;
4009         int     buflen;
4010         size_t  size;
4011 
4012         au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4013         switch (uap->cmd) {
4014         case SOCKCONFIG_ADD_SOCK:
4015         case SOCKCONFIG_REMOVE_SOCK:
4016                 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4017                 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4018                 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4019 
4020                 if (uap->arg4 == 0) {
4021                         au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4022                 } else {
4023                         buflen = MAXPATHLEN + 1;
4024                         buf = kmem_alloc(buflen, KM_SLEEP);
4025                         if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4026                             &size)) {
4027                                 kmem_free(buf, buflen);
4028                                 return;
4029                         }
4030 
4031                         if (size > MAXPATHLEN) {
4032                                 kmem_free(buf, buflen);
4033                                 return;
4034                         }
4035 
4036                         au_uwrite(au_to_text(buf));
4037                         kmem_free(buf, buflen);
4038                 }
4039                 break;
4040         case SOCKCONFIG_ADD_FILTER:
4041         case SOCKCONFIG_REMOVE_FILTER:
4042                 buflen = FILNAME_MAX;
4043                 buf = kmem_alloc(buflen, KM_SLEEP);
4044 
4045                 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4046                         kmem_free(buf, buflen);
4047                         return;
4048                 }
4049 
4050                 au_uwrite(au_to_text(buf));
4051                 kmem_free(buf, buflen);
4052                 break;
4053         default:
4054                 break;
4055         }
4056 }
4057 
4058 /*
4059  * only audit recvmsg when the system call represents the creation of a new
4060  * circuit. This effectively occurs for all UDP packets and may occur for
4061  * special TCP situations where the local host has not set a local address
4062  * in the socket structure.
4063  */
4064 /*ARGSUSED*/
4065 static void
4066 auf_recvmsg(
4067         struct t_audit_data *tad,
4068         int error,
4069         rval_t *rvp)
4070 {
4071         struct a {
4072                 long    fd;
4073                 long    msg;    /* struct msghdr */
4074                 long    flags;
4075         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4076 
4077         struct sonode   *so;
4078         STRUCT_DECL(msghdr, msg);
4079         caddr_t msg_name;
4080         socklen_t msg_namelen;
4081         int fd;
4082         int err;
4083         char so_laddr[sizeof (struct sockaddr_in6)];
4084         char so_faddr[sizeof (struct sockaddr_in6)];
4085         socklen_t len;
4086         file_t *fp;                             /* unix domain sockets */
4087         struct f_audit_data *fad;               /* unix domain sockets */
4088         short so_family, so_type;
4089         int add_sock_token = 0;
4090         au_kcontext_t   *kctx = GET_KCTX_PZ;
4091 
4092         fd = (int)uap->fd;
4093 
4094         /* bail if an error */
4095         if (error) {
4096                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4097                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4098                 return;
4099         }
4100 
4101         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4102                 /*
4103                  * not security relevant if doing a recvmsg from non socket
4104                  * so no extra tokens. Should probably turn off audit record
4105                  * generation here.
4106                  */
4107                 return;
4108         }
4109 
4110         so_family = so->so_family;
4111         so_type   = so->so_type;
4112 
4113         /*
4114          * only putout SOCKET_EX token if INET/INET6 family.
4115          * XXX - what do we do about other families?
4116          */
4117 
4118         switch (so_family) {
4119         case AF_INET:
4120         case AF_INET6:
4121 
4122                 /*
4123                  * if datagram type socket, then just use what is in
4124                  * socket structure for local address.
4125                  * XXX - what do we do for other types?
4126                  */
4127                 if ((so->so_type == SOCK_DGRAM) ||
4128                     (so->so_type == SOCK_RAW)) {
4129                         add_sock_token = 1;
4130 
4131                         bzero((void *)so_laddr, sizeof (so_laddr));
4132                         bzero((void *)so_faddr, sizeof (so_faddr));
4133 
4134                         /* get local address */
4135                         len = sizeof (so_laddr);
4136                         (void) socket_getsockname(so,
4137                             (struct sockaddr *)so_laddr, &len, CRED());
4138 
4139                         /* get peer address */
4140                         STRUCT_INIT(msg, get_udatamodel());
4141 
4142                         if (copyin((caddr_t)(uap->msg),
4143                             (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4144                                 break;
4145                         }
4146                         msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4147                         if (msg_name == NULL) {
4148                                 break;
4149                         }
4150 
4151                         /* length is value from recvmsg - sanity check */
4152                         msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4153                         if (msg_namelen == 0) {
4154                                 break;
4155                         }
4156                         if (copyin(msg_name, so_faddr,
4157                             sizeof (so_faddr)) != 0) {
4158                                 break;
4159                         }
4160 
4161                 } else if (so->so_type == SOCK_STREAM) {
4162 
4163                         /* get path from file struct here */
4164                         fad = F2A(fp);
4165                         ASSERT(fad);
4166 
4167                         /*
4168                          * already processed this file for read attempt
4169                          */
4170                         if (fad->fad_flags & FAD_READ) {
4171                                 /* don't want to audit every recvmsg attempt */
4172                                 tad->tad_flag = 0;
4173                                 /* free any residual audit data */
4174                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4175                                 releasef(fd);
4176                                 return;
4177                         }
4178                         /*
4179                          * mark things so we know what happened and don't
4180                          * repeat things
4181                          */
4182                         fad->fad_flags |= FAD_READ;
4183 
4184                         bzero((void *)so_laddr, sizeof (so_laddr));
4185                         bzero((void *)so_faddr, sizeof (so_faddr));
4186 
4187                         /* get local and foreign addresses */
4188                         len = sizeof (so_laddr);
4189                         (void) socket_getsockname(so,
4190                             (struct sockaddr *)so_laddr, &len, CRED());
4191                         len = sizeof (so_faddr);
4192                         (void) socket_getpeername(so,
4193                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4194 
4195                         add_sock_token = 1;
4196                 }
4197 
4198                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4199 
4200                 break;
4201 
4202         case AF_UNIX:
4203                 /*
4204                  * first check if this is first time through. Too much
4205                  * duplicate code to put this in an aui_ routine.
4206                  */
4207 
4208                 /* get path from file struct here */
4209                 fad = F2A(fp);
4210                 ASSERT(fad);
4211 
4212                 /*
4213                  * already processed this file for read attempt
4214                  */
4215                 if (fad->fad_flags & FAD_READ) {
4216                         releasef(fd);
4217                         /* don't want to audit every recvmsg attempt */
4218                         tad->tad_flag = 0;
4219                         /* free any residual audit data */
4220                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4221                         return;
4222                 }
4223                 /*
4224                  * mark things so we know what happened and don't
4225                  * repeat things
4226                  */
4227                 fad->fad_flags |= FAD_READ;
4228 
4229                 if (fad->fad_aupath != NULL) {
4230                         au_uwrite(au_to_path(fad->fad_aupath));
4231                 } else {
4232                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4233                 }
4234 
4235                 audit_attributes(fp->f_vnode);
4236 
4237                 releasef(fd);
4238 
4239                 return;
4240 
4241         default:
4242                 break;
4243 
4244         }
4245 
4246         releasef(fd);
4247 
4248         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4249 
4250         if (add_sock_token == 0) {
4251                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4252                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4253                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4254                 return;
4255         }
4256 
4257         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4258 
4259         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4260 
4261 }
4262 
4263 /*ARGSUSED*/
4264 static void
4265 auf_recvfrom(
4266         struct t_audit_data *tad,
4267         int error,
4268         rval_t *rvp)
4269 {
4270 
4271         struct a {
4272                 long    fd;
4273                 long    msg;    /* char */
4274                 long    len;
4275                 long    flags;
4276                 long    from;   /* struct sockaddr */
4277                 long    fromlen;
4278         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4279 
4280         socklen_t       fromlen;
4281         struct sonode   *so;
4282         char so_laddr[sizeof (struct sockaddr_in6)];
4283         char so_faddr[sizeof (struct sockaddr_in6)];
4284         int             fd;
4285         short so_family, so_type;
4286         int add_sock_token = 0;
4287         socklen_t len;
4288         int err;
4289         struct file *fp;
4290         struct f_audit_data *fad;               /* unix domain sockets */
4291         au_kcontext_t   *kctx = GET_KCTX_PZ;
4292 
4293         fd = (int)uap->fd;
4294 
4295         /* bail if an error */
4296         if (error) {
4297                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4298                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4299                 return;
4300         }
4301 
4302         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4303                 /*
4304                  * not security relevant if doing a recvmsg from non socket
4305                  * so no extra tokens. Should probably turn off audit record
4306                  * generation here.
4307                  */
4308                 return;
4309         }
4310 
4311         so_family = so->so_family;
4312         so_type   = so->so_type;
4313 
4314         /*
4315          * only putout SOCKET_EX token if INET/INET6 family.
4316          * XXX - what do we do about other families?
4317          */
4318 
4319         switch (so_family) {
4320         case AF_INET:
4321         case AF_INET6:
4322 
4323                 /*
4324                  * if datagram type socket, then just use what is in
4325                  * socket structure for local address.
4326                  * XXX - what do we do for other types?
4327                  */
4328                 if ((so->so_type == SOCK_DGRAM) ||
4329                     (so->so_type == SOCK_RAW)) {
4330                         add_sock_token = 1;
4331 
4332                         /* get local address */
4333                         len = sizeof (so_laddr);
4334                         (void) socket_getsockname(so,
4335                             (struct sockaddr *)so_laddr, &len, CRED());
4336 
4337                         /* get peer address */
4338                         bzero((void *)so_faddr, sizeof (so_faddr));
4339 
4340                         /* sanity check */
4341                         if (uap->from == NULL)
4342                                 break;
4343 
4344                         /* sanity checks */
4345                         if (uap->fromlen == 0)
4346                                 break;
4347 
4348                         if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4349                             sizeof (fromlen)) != 0)
4350                                 break;
4351 
4352                         if (fromlen == 0)
4353                                 break;
4354 
4355                         /* enforce maximum size */
4356                         if (fromlen > sizeof (so_faddr))
4357                                 fromlen = sizeof (so_faddr);
4358 
4359                         if (copyin((caddr_t)(uap->from), so_faddr,
4360                             fromlen) != 0)
4361                                 break;
4362 
4363                 } else if (so->so_type == SOCK_STREAM) {
4364 
4365                         /* get path from file struct here */
4366                         fad = F2A(fp);
4367                         ASSERT(fad);
4368 
4369                         /*
4370                          * already processed this file for read attempt
4371                          */
4372                         if (fad->fad_flags & FAD_READ) {
4373                                 /* don't want to audit every recvfrom attempt */
4374                                 tad->tad_flag = 0;
4375                                 /* free any residual audit data */
4376                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4377                                 releasef(fd);
4378                                 return;
4379                         }
4380                         /*
4381                          * mark things so we know what happened and don't
4382                          * repeat things
4383                          */
4384                         fad->fad_flags |= FAD_READ;
4385 
4386                         bzero((void *)so_laddr, sizeof (so_laddr));
4387                         bzero((void *)so_faddr, sizeof (so_faddr));
4388 
4389                         /* get local and foreign addresses */
4390                         len = sizeof (so_laddr);
4391                         (void) socket_getsockname(so,
4392                             (struct sockaddr *)so_laddr, &len, CRED());
4393                         len = sizeof (so_faddr);
4394                         (void) socket_getpeername(so,
4395                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4396 
4397                         add_sock_token = 1;
4398                 }
4399 
4400                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4401 
4402                 break;
4403 
4404         case AF_UNIX:
4405                 /*
4406                  * first check if this is first time through. Too much
4407                  * duplicate code to put this in an aui_ routine.
4408                  */
4409 
4410                 /* get path from file struct here */
4411                 fad = F2A(fp);
4412                 ASSERT(fad);
4413 
4414                 /*
4415                  * already processed this file for read attempt
4416                  */
4417                 if (fad->fad_flags & FAD_READ) {
4418                         /* don't want to audit every recvfrom attempt */
4419                         tad->tad_flag = 0;
4420                         /* free any residual audit data */
4421                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4422                         releasef(fd);
4423                         return;
4424                 }
4425                 /*
4426                  * mark things so we know what happened and don't
4427                  * repeat things
4428                  */
4429                 fad->fad_flags |= FAD_READ;
4430 
4431                 if (fad->fad_aupath != NULL) {
4432                         au_uwrite(au_to_path(fad->fad_aupath));
4433                 } else {
4434                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4435                 }
4436 
4437                 audit_attributes(fp->f_vnode);
4438 
4439                 releasef(fd);
4440 
4441                 return;
4442 
4443         default:
4444                 break;
4445 
4446         }
4447 
4448         releasef(fd);
4449 
4450         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4451 
4452         if (add_sock_token == 0) {
4453                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4454                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4455                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4456                 return;
4457         }
4458 
4459         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4460 
4461         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4462 }
4463 
4464 /*ARGSUSED*/
4465 static void
4466 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4467 {
4468         struct a {
4469                 long    fd;
4470                 long    msg;    /* struct msghdr */
4471                 long    flags;
4472         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4473 
4474         struct sonode   *so;
4475         char so_laddr[sizeof (struct sockaddr_in6)];
4476         char so_faddr[sizeof (struct sockaddr_in6)];
4477         int             err;
4478         int             fd;
4479         short so_family, so_type;
4480         int             add_sock_token = 0;
4481         socklen_t       len;
4482         struct file     *fp;
4483         struct f_audit_data *fad;
4484         caddr_t         msg_name;
4485         socklen_t       msg_namelen;
4486         STRUCT_DECL(msghdr, msg);
4487         au_kcontext_t   *kctx = GET_KCTX_PZ;
4488 
4489         fd = (int)uap->fd;
4490 
4491         /* bail if an error */
4492         if (error) {
4493                 /* XXX include destination address from system call arguments */
4494                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4495                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4496                 return;
4497         }
4498 
4499         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4500                 /*
4501                  * not security relevant if doing a sendmsg from non socket
4502                  * so no extra tokens. Should probably turn off audit record
4503                  * generation here.
4504                  */
4505                 return;
4506         }
4507 
4508         so_family = so->so_family;
4509         so_type   = so->so_type;
4510 
4511         switch (so_family) {
4512         case AF_INET:
4513         case AF_INET6:
4514                 /*
4515                  * if datagram type socket, then just use what is in
4516                  * socket structure for local address.
4517                  * XXX - what do we do for other types?
4518                  */
4519                 if ((so->so_type == SOCK_DGRAM) ||
4520                     (so->so_type == SOCK_RAW)) {
4521 
4522                         bzero((void *)so_laddr, sizeof (so_laddr));
4523                         bzero((void *)so_faddr, sizeof (so_faddr));
4524 
4525                         /* get local address */
4526                         len = sizeof (so_laddr);
4527                         (void) socket_getsockname(so,
4528                             (struct sockaddr *)so_laddr, &len, CRED());
4529 
4530                         /* get peer address */
4531                         STRUCT_INIT(msg, get_udatamodel());
4532 
4533                         if (copyin((caddr_t)(uap->msg),
4534                             (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4535                                 break;
4536                         }
4537                         msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4538                         if (msg_name == NULL)
4539                                 break;
4540 
4541                         msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4542                         /* length is value from recvmsg - sanity check */
4543                         if (msg_namelen == 0)
4544                                 break;
4545 
4546                         if (copyin(msg_name, so_faddr,
4547                             sizeof (so_faddr)) != 0)
4548                                 break;
4549 
4550                         add_sock_token = 1;
4551 
4552                 } else if (so->so_type == SOCK_STREAM) {
4553 
4554                         /* get path from file struct here */
4555                         fad = F2A(fp);
4556                         ASSERT(fad);
4557 
4558                         /*
4559                          * already processed this file for write attempt
4560                          */
4561                         if (fad->fad_flags & FAD_WRITE) {
4562                                 releasef(fd);
4563                                 /* don't want to audit every sendmsg attempt */
4564                                 tad->tad_flag = 0;
4565                                 /* free any residual audit data */
4566                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4567                                 return;
4568                         }
4569 
4570                         /*
4571                          * mark things so we know what happened and don't
4572                          * repeat things
4573                          */
4574                         fad->fad_flags |= FAD_WRITE;
4575 
4576                         bzero((void *)so_laddr, sizeof (so_laddr));
4577                         bzero((void *)so_faddr, sizeof (so_faddr));
4578 
4579                         /* get local and foreign addresses */
4580                         len = sizeof (so_laddr);
4581                         (void) socket_getsockname(so,
4582                             (struct sockaddr *)so_laddr, &len, CRED());
4583                         len = sizeof (so_faddr);
4584                         (void) socket_getpeername(so,
4585                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4586 
4587                         add_sock_token = 1;
4588                 }
4589 
4590                 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4591 
4592                 break;
4593 
4594         case AF_UNIX:
4595                 /*
4596                  * first check if this is first time through. Too much
4597                  * duplicate code to put this in an aui_ routine.
4598                  */
4599 
4600                 /* get path from file struct here */
4601                 fad = F2A(fp);
4602                 ASSERT(fad);
4603 
4604                 /*
4605                  * already processed this file for write attempt
4606                  */
4607                 if (fad->fad_flags & FAD_WRITE) {
4608                         releasef(fd);
4609                         /* don't want to audit every sendmsg attempt */
4610                         tad->tad_flag = 0;
4611                         /* free any residual audit data */
4612                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4613                         return;
4614                 }
4615                 /*
4616                  * mark things so we know what happened and don't
4617                  * repeat things
4618                  */
4619                 fad->fad_flags |= FAD_WRITE;
4620 
4621                 if (fad->fad_aupath != NULL) {
4622                         au_uwrite(au_to_path(fad->fad_aupath));
4623                 } else {
4624                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4625                 }
4626 
4627                 audit_attributes(fp->f_vnode);
4628 
4629                 releasef(fd);
4630 
4631                 return;
4632 
4633         default:
4634                 break;
4635         }
4636 
4637         releasef(fd);
4638 
4639         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4640 
4641         if (add_sock_token == 0) {
4642                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4643                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4644                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4645                 return;
4646         }
4647 
4648         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4649 
4650         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4651 }
4652 
4653 /*ARGSUSED*/
4654 static void
4655 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4656 {
4657         struct a {
4658                 long    fd;
4659                 long    msg;    /* char */
4660                 long    len;
4661                 long    flags;
4662                 long    to;     /* struct sockaddr */
4663                 long    tolen;
4664         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4665 
4666         struct sonode   *so;
4667         char so_laddr[sizeof (struct sockaddr_in6)];
4668         char so_faddr[sizeof (struct sockaddr_in6)];
4669         socklen_t       tolen;
4670         int             err;
4671         int             fd;
4672         socklen_t       len;
4673         short so_family, so_type;
4674         int             add_sock_token = 0;
4675         struct file     *fp;
4676         struct f_audit_data *fad;
4677         au_kcontext_t   *kctx = GET_KCTX_PZ;
4678 
4679         fd = (int)uap->fd;
4680 
4681         /* bail if an error */
4682         if (error) {
4683                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4684                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4685                 /* XXX include destination address from system call arguments */
4686                 return;
4687         }
4688 
4689         if ((so = getsonode(fd, &err, &fp)) == NULL) {
4690                 /*
4691                  * not security relevant if doing a sendto using non socket
4692                  * so no extra tokens. Should probably turn off audit record
4693                  * generation here.
4694                  */
4695                 return;
4696         }
4697 
4698         so_family = so->so_family;
4699         so_type   = so->so_type;
4700 
4701         /*
4702          * only putout SOCKET_EX token if INET/INET6 family.
4703          * XXX - what do we do about other families?
4704          */
4705 
4706         switch (so_family) {
4707         case AF_INET:
4708         case AF_INET6:
4709 
4710                 /*
4711                  * if datagram type socket, then just use what is in
4712                  * socket structure for local address.
4713                  * XXX - what do we do for other types?
4714                  */
4715                 if ((so->so_type == SOCK_DGRAM) ||
4716                     (so->so_type == SOCK_RAW)) {
4717 
4718                         bzero((void *)so_laddr, sizeof (so_laddr));
4719                         bzero((void *)so_faddr, sizeof (so_faddr));
4720 
4721                         /* get local address */
4722                         len = sizeof (so_laddr);
4723                         (void) socket_getsockname(so,
4724                             (struct sockaddr *)so_laddr, &len, CRED());
4725 
4726                         /* get peer address */
4727 
4728                         /* sanity check */
4729                         if (uap->to == NULL)
4730                                 break;
4731 
4732                         /* sanity checks */
4733                         if (uap->tolen == 0)
4734                                 break;
4735 
4736                         tolen = (socklen_t)uap->tolen;
4737 
4738                         /* enforce maximum size */
4739                         if (tolen > sizeof (so_faddr))
4740                                 tolen = sizeof (so_faddr);
4741 
4742                         if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4743                                 break;
4744 
4745                         add_sock_token = 1;
4746                 } else {
4747                         /*
4748                          * check if this is first time through.
4749                          */
4750 
4751                         /* get path from file struct here */
4752                         fad = F2A(fp);
4753                         ASSERT(fad);
4754 
4755                         /*
4756                          * already processed this file for write attempt
4757                          */
4758                         if (fad->fad_flags & FAD_WRITE) {
4759                                 /* don't want to audit every sendto attempt */
4760                                 tad->tad_flag = 0;
4761                                 /* free any residual audit data */
4762                                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4763                                 releasef(fd);
4764                                 return;
4765                         }
4766                         /*
4767                          * mark things so we know what happened and don't
4768                          * repeat things
4769                          */
4770                         fad->fad_flags |= FAD_WRITE;
4771 
4772                         bzero((void *)so_laddr, sizeof (so_laddr));
4773                         bzero((void *)so_faddr, sizeof (so_faddr));
4774 
4775                         /* get local and foreign addresses */
4776                         len = sizeof (so_laddr);
4777                         (void) socket_getsockname(so,
4778                             (struct sockaddr *)so_laddr, &len, CRED());
4779                         len = sizeof (so_faddr);
4780                         (void) socket_getpeername(so,
4781                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4782 
4783                         add_sock_token = 1;
4784                 }
4785 
4786                 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4787 
4788                 break;
4789 
4790         case AF_UNIX:
4791                 /*
4792                  * first check if this is first time through. Too much
4793                  * duplicate code to put this in an aui_ routine.
4794                  */
4795 
4796                 /* get path from file struct here */
4797                 fad = F2A(fp);
4798                 ASSERT(fad);
4799 
4800                 /*
4801                  * already processed this file for write attempt
4802                  */
4803                 if (fad->fad_flags & FAD_WRITE) {
4804                         /* don't want to audit every sendto attempt */
4805                         tad->tad_flag = 0;
4806                         /* free any residual audit data */
4807                         au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4808                         releasef(fd);
4809                         return;
4810                 }
4811                 /*
4812                  * mark things so we know what happened and don't
4813                  * repeat things
4814                  */
4815                 fad->fad_flags |= FAD_WRITE;
4816 
4817                 if (fad->fad_aupath != NULL) {
4818                         au_uwrite(au_to_path(fad->fad_aupath));
4819                 } else {
4820                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
4821                 }
4822 
4823                 audit_attributes(fp->f_vnode);
4824 
4825                 releasef(fd);
4826 
4827                 return;
4828 
4829         default:
4830                 break;
4831 
4832         }
4833 
4834         releasef(fd);
4835 
4836         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4837 
4838         if (add_sock_token == 0) {
4839                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4840                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4841                 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4842                 return;
4843         }
4844 
4845         au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4846 
4847         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4848 
4849 }
4850 
4851 /*
4852  * XXX socket(2) may be equivalent to open(2) on a unix domain
4853  * socket. This needs investigation.
4854  */
4855 
4856 /*ARGSUSED*/
4857 static void
4858 aus_socket(struct t_audit_data *tad)
4859 {
4860         struct a {
4861                 long    domain;
4862                 long    type;
4863                 long    protocol;
4864         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4865 
4866         au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4867         au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4868         au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4869 }
4870 
4871 /*ARGSUSED*/
4872 static void
4873 aus_sigqueue(struct t_audit_data *tad)
4874 {
4875         struct a {
4876                 long    pid;
4877                 long    signo;
4878                 long    *val;
4879         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4880         struct proc *p;
4881         uid_t uid, ruid;
4882         gid_t gid, rgid;
4883         pid_t pid;
4884         const auditinfo_addr_t *ainfo;
4885         cred_t *cr;
4886 
4887         pid = (pid_t)uap->pid;
4888 
4889         au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4890         if (pid > 0) {
4891                 mutex_enter(&pidlock);
4892                 if ((p = prfind(pid)) == (struct proc *)0) {
4893                         mutex_exit(&pidlock);
4894                         return;
4895                 }
4896                 mutex_enter(&p->p_lock); /* so process doesn't go away */
4897                 mutex_exit(&pidlock);
4898 
4899                 mutex_enter(&p->p_crlock);
4900                 crhold(cr = p->p_cred);
4901                 mutex_exit(&p->p_crlock);
4902                 mutex_exit(&p->p_lock);
4903 
4904                 ainfo = crgetauinfo(cr);
4905                 if (ainfo == NULL) {
4906                         crfree(cr);
4907                         return;
4908                 }
4909 
4910                 uid  = crgetuid(cr);
4911                 gid  = crgetgid(cr);
4912                 ruid = crgetruid(cr);
4913                 rgid = crgetrgid(cr);
4914                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4915                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4916                 crfree(cr);
4917         }
4918         else
4919                 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4920 }
4921 
4922 /*ARGSUSED*/
4923 static void
4924 aus_inst_sync(struct t_audit_data *tad)
4925 {
4926         struct a {
4927                 long    name;   /* char */
4928                 long    flags;
4929         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4930 
4931         au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4932 }
4933 
4934 /*ARGSUSED*/
4935 static void
4936 aus_brandsys(struct t_audit_data *tad)
4937 {
4938         klwp_t *clwp = ttolwp(curthread);
4939 
4940         struct a {
4941                 long    cmd;
4942                 long    arg1;
4943                 long    arg2;
4944                 long    arg3;
4945                 long    arg4;
4946                 long    arg5;
4947                 long    arg6;
4948         } *uap = (struct a *)clwp->lwp_ap;
4949 
4950         au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4951 #ifdef _LP64
4952         au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4953         au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4954         au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4955         au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4956         au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4957         au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4958 #else
4959         au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4960         au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4961         au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4962         au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4963         au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4964         au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4965 #endif
4966 }
4967 
4968 /*ARGSUSED*/
4969 static void
4970 aus_p_online(struct t_audit_data *tad)
4971 {
4972         struct a {
4973                 long    processor_id;
4974                 long    flag;
4975         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4976 
4977         struct flags {
4978                         int     flag;
4979                         char    *cflag;
4980         } aflags[6] = {
4981                         { P_ONLINE, "P_ONLINE"},
4982                         { P_OFFLINE, "P_OFFLINE"},
4983                         { P_NOINTR, "P_NOINTR"},
4984                         { P_SPARE, "P_SPARE"},
4985                         { P_FAULTED, "P_FAULTED"},
4986                         { P_STATUS, "P_STATUS"}
4987         };
4988         int i;
4989         char *cflag;
4990 
4991         au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4992         au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4993 
4994         for (i = 0; i < 6; i++) {
4995                 if (aflags[i].flag == uap->flag)
4996                         break;
4997         }
4998         cflag = (i == 6) ? "bad flag":aflags[i].cflag;
4999 
5000         au_uwrite(au_to_text(cflag));
5001 }
5002 
5003 /*ARGSUSED*/
5004 static void
5005 aus_processor_bind(struct t_audit_data *tad)
5006 {
5007         struct a {
5008                 long    id_type;
5009                 long    id;
5010                 long    processor_id;
5011                 long    obind;
5012         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5013 
5014         struct proc *p;
5015         int lwpcnt;
5016         uid_t uid, ruid;
5017         gid_t gid, rgid;
5018         pid_t pid;
5019         const auditinfo_addr_t *ainfo;
5020         cred_t *cr;
5021 
5022         au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5023         au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5024         if (uap->processor_id == PBIND_NONE)
5025                 au_uwrite(au_to_text("PBIND_NONE"));
5026         else
5027                 au_uwrite(au_to_arg32(3, "processor_id",
5028                     (uint32_t)uap->processor_id));
5029 
5030         switch (uap->id_type) {
5031         case P_MYID:
5032         case P_LWPID:
5033                 mutex_enter(&pidlock);
5034                 p = ttoproc(curthread);
5035                 if (p == NULL || p->p_as == &kas) {
5036                         mutex_exit(&pidlock);
5037                         return;
5038                 }
5039                 mutex_enter(&p->p_lock);
5040                 mutex_exit(&pidlock);
5041                 lwpcnt = p->p_lwpcnt;
5042                 pid  = p->p_pid;
5043 
5044                 mutex_enter(&p->p_crlock);
5045                 crhold(cr = p->p_cred);
5046                 mutex_exit(&p->p_crlock);
5047                 mutex_exit(&p->p_lock);
5048 
5049                 ainfo = crgetauinfo(cr);
5050                 if (ainfo == NULL) {
5051                         crfree(cr);
5052                         return;
5053                 }
5054 
5055                 uid  = crgetuid(cr);
5056                 gid  = crgetgid(cr);
5057                 ruid = crgetruid(cr);
5058                 rgid = crgetrgid(cr);
5059                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5060                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5061                 crfree(cr);
5062                 break;
5063         case P_PID:
5064                 mutex_enter(&pidlock);
5065                 p = prfind(uap->id);
5066                 if (p == NULL || p->p_as == &kas) {
5067                         mutex_exit(&pidlock);
5068                         return;
5069                 }
5070                 mutex_enter(&p->p_lock);
5071                 mutex_exit(&pidlock);
5072                 lwpcnt = p->p_lwpcnt;
5073                 pid  = p->p_pid;
5074 
5075                 mutex_enter(&p->p_crlock);
5076                 crhold(cr = p->p_cred);
5077                 mutex_exit(&p->p_crlock);
5078                 mutex_exit(&p->p_lock);
5079 
5080                 ainfo = crgetauinfo(cr);
5081                 if (ainfo == NULL) {
5082                         crfree(cr);
5083                         return;
5084                 }
5085 
5086                 uid  = crgetuid(cr);
5087                 gid  = crgetgid(cr);
5088                 ruid = crgetruid(cr);
5089                 rgid = crgetrgid(cr);
5090                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5091                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5092                 crfree(cr);
5093 
5094                 break;
5095         default:
5096                 return;
5097         }
5098 
5099         if (uap->processor_id == PBIND_NONE &&
5100             (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5101                 au_uwrite(au_to_text("PBIND_NONE for process"));
5102         else
5103                 au_uwrite(au_to_arg32(3, "processor_id",
5104                     (uint32_t)uap->processor_id));
5105 }
5106 
5107 /*ARGSUSED*/
5108 static au_event_t
5109 aui_doorfs(au_event_t e)
5110 {
5111         uint32_t code;
5112 
5113         struct a {              /* doorfs */
5114                 long    a1;
5115                 long    a2;
5116                 long    a3;
5117                 long    a4;
5118                 long    a5;
5119                 long    code;
5120         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5121 
5122         /*
5123          *      audit formats for several of the
5124          *      door calls have not yet been determined
5125          */
5126         code = (uint32_t)uap->code;
5127         switch (code) {
5128         case DOOR_CALL:
5129                 e = AUE_DOORFS_DOOR_CALL;
5130                 break;
5131         case DOOR_RETURN:
5132                 e = AUE_NULL;
5133                 break;
5134         case DOOR_CREATE:
5135                 e = AUE_DOORFS_DOOR_CREATE;
5136                 break;
5137         case DOOR_REVOKE:
5138                 e = AUE_DOORFS_DOOR_REVOKE;
5139                 break;
5140         case DOOR_INFO:
5141                 e = AUE_NULL;
5142                 break;
5143         case DOOR_UCRED:
5144                 e = AUE_NULL;
5145                 break;
5146         case DOOR_BIND:
5147                 e = AUE_NULL;
5148                 break;
5149         case DOOR_UNBIND:
5150                 e = AUE_NULL;
5151                 break;
5152         case DOOR_GETPARAM:
5153                 e = AUE_NULL;
5154                 break;
5155         case DOOR_SETPARAM:
5156                 e = AUE_NULL;
5157                 break;
5158         default:        /* illegal system call */
5159                 e = AUE_NULL;
5160                 break;
5161         }
5162 
5163         return (e);
5164 }
5165 
5166 static door_node_t *
5167 au_door_lookup(int did)
5168 {
5169         vnode_t *vp;
5170         file_t *fp;
5171 
5172         if ((fp = getf(did)) == NULL)
5173                 return (NULL);
5174         /*
5175          * Use the underlying vnode (we may be namefs mounted)
5176          */
5177         if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5178                 vp = fp->f_vnode;
5179 
5180         if (vp == NULL || vp->v_type != VDOOR) {
5181                 releasef(did);
5182                 return (NULL);
5183         }
5184 
5185         return (VTOD(vp));
5186 }
5187 
5188 /*ARGSUSED*/
5189 static void
5190 aus_doorfs(struct t_audit_data *tad)
5191 {
5192 
5193         struct a {              /* doorfs */
5194                 long    a1;
5195                 long    a2;
5196                 long    a3;
5197                 long    a4;
5198                 long    a5;
5199                 long    code;
5200         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5201 
5202         door_node_t     *dp;
5203         struct proc     *p;
5204         uint32_t        did;
5205         uid_t uid, ruid;
5206         gid_t gid, rgid;
5207         pid_t pid;
5208         const auditinfo_addr_t *ainfo;
5209         cred_t *cr;
5210 
5211         did = (uint32_t)uap->a1;
5212 
5213         switch (tad->tad_event) {
5214         case AUE_DOORFS_DOOR_CALL:
5215                 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5216                 if ((dp = au_door_lookup(did)) == NULL)
5217                         break;
5218 
5219                 if (DOOR_INVALID(dp)) {
5220                         releasef(did);
5221                         break;
5222                 }
5223 
5224                 if ((p = dp->door_target) == NULL) {
5225                         releasef(did);
5226                         break;
5227                 }
5228                 mutex_enter(&p->p_lock);
5229                 releasef(did);
5230 
5231                 pid  = p->p_pid;
5232 
5233                 mutex_enter(&p->p_crlock);
5234                 crhold(cr = p->p_cred);
5235                 mutex_exit(&p->p_crlock);
5236                 mutex_exit(&p->p_lock);
5237 
5238                 ainfo = crgetauinfo(cr);
5239                 if (ainfo == NULL) {
5240                         crfree(cr);
5241                         return;
5242                 }
5243                 uid  = crgetuid(cr);
5244                 gid  = crgetgid(cr);
5245                 ruid = crgetruid(cr);
5246                 rgid = crgetrgid(cr);
5247                 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5248                     ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5249                 crfree(cr);
5250                 break;
5251         case AUE_DOORFS_DOOR_RETURN:
5252                 /*
5253                  * We may want to write information about
5254                  * all doors (if any) which will be copied
5255                  * by this call to the user space
5256                  */
5257                 break;
5258         case AUE_DOORFS_DOOR_CREATE:
5259                 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5260                 break;
5261         case AUE_DOORFS_DOOR_REVOKE:
5262                 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5263                 break;
5264         case AUE_DOORFS_DOOR_INFO:
5265                 break;
5266         case AUE_DOORFS_DOOR_CRED:
5267                 break;
5268         case AUE_DOORFS_DOOR_BIND:
5269                 break;
5270         case AUE_DOORFS_DOOR_UNBIND: {
5271                 break;
5272         }
5273         default:        /* illegal system call */
5274                 break;
5275         }
5276 }
5277 
5278 /*ARGSUSED*/
5279 static au_event_t
5280 aui_acl(au_event_t e)
5281 {
5282         struct a {
5283                 union {
5284                         long    name;   /* char */
5285                         long    fd;
5286                 }               obj;
5287 
5288                 long            cmd;
5289                 long            nentries;
5290                 long            arg;    /* aclent_t */
5291         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5292 
5293         switch (uap->cmd) {
5294         case SETACL:
5295         case ACE_SETACL:
5296                 /*
5297                  * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5298                  * are expected.
5299                  */
5300                 break;
5301         case GETACL:
5302         case GETACLCNT:
5303         case ACE_GETACL:
5304         case ACE_GETACLCNT:
5305                 /* do nothing for these four values. */
5306                 e = AUE_NULL;
5307                 break;
5308         default:
5309                 /* illegal system call */
5310                 break;
5311         }
5312 
5313         return (e);
5314 }
5315 
5316 static void
5317 au_acl(int cmd, int nentries, caddr_t bufp)
5318 {
5319         size_t          a_size;
5320         aclent_t        *aclbufp;
5321         ace_t           *acebufp;
5322         int             i;
5323 
5324         switch (cmd) {
5325         case GETACL:
5326         case GETACLCNT:
5327                 break;
5328         case SETACL:
5329                 if (nentries < 3)
5330                         break;
5331 
5332                 a_size = nentries * sizeof (aclent_t);
5333 
5334                 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5335                         break;
5336                 if (copyin(bufp, aclbufp, a_size)) {
5337                         kmem_free(aclbufp, a_size);
5338                         break;
5339                 }
5340                 for (i = 0; i < nentries; i++) {
5341                         au_uwrite(au_to_acl(aclbufp + i));
5342                 }
5343                 kmem_free(aclbufp, a_size);
5344                 break;
5345 
5346         case ACE_SETACL:
5347                 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5348                         break;
5349 
5350                 a_size = nentries * sizeof (ace_t);
5351                 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5352                         break;
5353                 if (copyin(bufp, acebufp, a_size)) {
5354                         kmem_free(acebufp, a_size);
5355                         break;
5356                 }
5357                 for (i = 0; i < nentries; i++) {
5358                         au_uwrite(au_to_ace(acebufp + i));
5359                 }
5360                 kmem_free(acebufp, a_size);
5361                 break;
5362         default:
5363                 break;
5364         }
5365 }
5366 
5367 /*ARGSUSED*/
5368 static void
5369 aus_acl(struct t_audit_data *tad)
5370 {
5371         struct a {
5372                 long    fname;
5373                 long    cmd;
5374                 long    nentries;
5375                 long    aclbufp;
5376         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5377 
5378         au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5379         au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5380 
5381         au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5382 }
5383 
5384 /*ARGSUSED*/
5385 static void
5386 aus_facl(struct t_audit_data *tad)
5387 {
5388         struct a {
5389                 long    fd;
5390                 long    cmd;
5391                 long    nentries;
5392                 long    aclbufp;
5393         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5394         struct file  *fp;
5395         struct vnode *vp;
5396         struct f_audit_data *fad;
5397         int fd;
5398 
5399         au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5400         au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5401 
5402         fd = (int)uap->fd;
5403 
5404         if ((fp = getf(fd)) == NULL)
5405                 return;
5406 
5407         /* get path from file struct here */
5408         fad = F2A(fp);
5409         if (fad->fad_aupath != NULL) {
5410                 au_uwrite(au_to_path(fad->fad_aupath));
5411         } else {
5412                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5413         }
5414 
5415         vp = fp->f_vnode;
5416         audit_attributes(vp);
5417 
5418         /* decrement file descriptor reference count */
5419         releasef(fd);
5420 
5421         au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5422 }
5423 
5424 /*ARGSUSED*/
5425 static void
5426 auf_read(tad, error, rval)
5427         struct t_audit_data *tad;
5428         int error;
5429         rval_t *rval;
5430 {
5431         struct file *fp;
5432         struct f_audit_data *fad;
5433         int fd;
5434         register struct a {
5435                 long    fd;
5436         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5437         au_kcontext_t   *kctx = GET_KCTX_PZ;
5438 
5439         fd = (int)uap->fd;
5440 
5441         /*
5442          * convert file pointer to file descriptor
5443          *   Note: fd ref count incremented here.
5444          */
5445         if ((fp = getf(fd)) == NULL)
5446                 return;
5447 
5448         /* get path from file struct here */
5449         fad = F2A(fp);
5450         ASSERT(fad);
5451 
5452         /*
5453          * already processed this file for read attempt
5454          *
5455          * XXX might be better to turn off auditing in a aui_read() routine.
5456          */
5457         if (fad->fad_flags & FAD_READ) {
5458                 /* don't really want to audit every read attempt */
5459                 tad->tad_flag = 0;
5460                 /* free any residual audit data */
5461                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5462                 releasef(fd);
5463                 return;
5464         }
5465         /* mark things so we know what happened and don't repeat things */
5466         fad->fad_flags |= FAD_READ;
5467 
5468         if (fad->fad_aupath != NULL) {
5469                 au_uwrite(au_to_path(fad->fad_aupath));
5470         } else {
5471                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5472         }
5473 
5474         /* include attributes */
5475         audit_attributes(fp->f_vnode);
5476 
5477         /* decrement file descriptor reference count */
5478         releasef(fd);
5479 }
5480 
5481 /*ARGSUSED*/
5482 static void
5483 auf_write(tad, error, rval)
5484         struct t_audit_data *tad;
5485         int error;
5486         rval_t *rval;
5487 {
5488         struct file *fp;
5489         struct f_audit_data *fad;
5490         int fd;
5491         register struct a {
5492                 long    fd;
5493         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5494         au_kcontext_t   *kctx = GET_KCTX_PZ;
5495 
5496         fd = (int)uap->fd;
5497 
5498         /*
5499          * convert file pointer to file descriptor
5500          *   Note: fd ref count incremented here.
5501          */
5502         if ((fp = getf(fd)) == NULL)
5503                 return;
5504 
5505         /* get path from file struct here */
5506         fad = F2A(fp);
5507         ASSERT(fad);
5508 
5509         /*
5510          * already processed this file for write attempt
5511          *
5512          * XXX might be better to turn off auditing in a aus_write() routine.
5513          */
5514         if (fad->fad_flags & FAD_WRITE) {
5515                 /* don't really want to audit every write attempt */
5516                 tad->tad_flag = 0;
5517                 /* free any residual audit data */
5518                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5519                 releasef(fd);
5520                 return;
5521         }
5522         /* mark things so we know what happened and don't repeat things */
5523         fad->fad_flags |= FAD_WRITE;
5524 
5525         if (fad->fad_aupath != NULL) {
5526                 au_uwrite(au_to_path(fad->fad_aupath));
5527         } else {
5528                 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5529         }
5530 
5531         /* include attributes */
5532         audit_attributes(fp->f_vnode);
5533 
5534         /* decrement file descriptor reference count */
5535         releasef(fd);
5536 }
5537 
5538 /*ARGSUSED*/
5539 static void
5540 auf_recv(tad, error, rval)
5541         struct t_audit_data *tad;
5542         int error;
5543         rval_t *rval;
5544 {
5545         struct sonode *so;
5546         char so_laddr[sizeof (struct sockaddr_in6)];
5547         char so_faddr[sizeof (struct sockaddr_in6)];
5548         struct file *fp;
5549         struct f_audit_data *fad;
5550         int fd;
5551         int err;
5552         socklen_t len;
5553         short so_family, so_type;
5554         register struct a {
5555                 long    fd;
5556         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5557         au_kcontext_t   *kctx = GET_KCTX_PZ;
5558 
5559         /*
5560          * If there was an error, then nothing to do. Only generate
5561          * audit record on first successful recv.
5562          */
5563         if (error) {
5564                 /* Turn off audit record generation here. */
5565                 tad->tad_flag = 0;
5566                 /* free any residual audit data */
5567                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5568                 return;
5569         }
5570 
5571         fd = (int)uap->fd;
5572 
5573         if ((so = getsonode(fd, &err, &fp)) == NULL) {
5574                 /* Turn off audit record generation here. */
5575                 tad->tad_flag = 0;
5576                 /* free any residual audit data */
5577                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5578                 return;
5579         }
5580 
5581         /* get path from file struct here */
5582         fad = F2A(fp);
5583         ASSERT(fad);
5584 
5585         /*
5586          * already processed this file for read attempt
5587          */
5588         if (fad->fad_flags & FAD_READ) {
5589                 releasef(fd);
5590                 /* don't really want to audit every recv call */
5591                 tad->tad_flag = 0;
5592                 /* free any residual audit data */
5593                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5594                 return;
5595         }
5596 
5597         /* mark things so we know what happened and don't repeat things */
5598         fad->fad_flags |= FAD_READ;
5599 
5600         so_family = so->so_family;
5601         so_type   = so->so_type;
5602 
5603         switch (so_family) {
5604         case AF_INET:
5605         case AF_INET6:
5606                 /*
5607                  * Only for connections.
5608                  * XXX - do we need to worry about SOCK_DGRAM or other types???
5609                  */
5610                 if (so->so_state & SS_ISBOUND) {
5611 
5612                         bzero((void *)so_laddr, sizeof (so_laddr));
5613                         bzero((void *)so_faddr, sizeof (so_faddr));
5614 
5615                         /* get local and foreign addresses */
5616                         len = sizeof (so_laddr);
5617                         (void) socket_getsockname(so,
5618                             (struct sockaddr *)so_laddr, &len, CRED());
5619                         len = sizeof (so_faddr);
5620                         (void) socket_getpeername(so,
5621                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5622 
5623                         /*
5624                          * only way to drop out of switch. Note that we
5625                          * we release fd below.
5626                          */
5627 
5628                         break;
5629                 }
5630 
5631                 releasef(fd);
5632 
5633                 /* don't really want to audit every recv call */
5634                 tad->tad_flag = 0;
5635                 /* free any residual audit data */
5636                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5637 
5638                 return;
5639 
5640         case AF_UNIX:
5641 
5642                 if (fad->fad_aupath != NULL) {
5643                         au_uwrite(au_to_path(fad->fad_aupath));
5644                 } else {
5645                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
5646                 }
5647 
5648                 audit_attributes(fp->f_vnode);
5649 
5650                 releasef(fd);
5651 
5652                 return;
5653 
5654         default:
5655                 releasef(fd);
5656 
5657                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5658                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5659                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5660 
5661                 return;
5662         }
5663 
5664         releasef(fd);
5665 
5666         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5667 
5668         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5669 
5670 }
5671 
5672 /*ARGSUSED*/
5673 static void
5674 auf_send(tad, error, rval)
5675         struct t_audit_data *tad;
5676         int error;
5677         rval_t *rval;
5678 {
5679         struct sonode *so;
5680         char so_laddr[sizeof (struct sockaddr_in6)];
5681         char so_faddr[sizeof (struct sockaddr_in6)];
5682         struct file *fp;
5683         struct f_audit_data *fad;
5684         int fd;
5685         int err;
5686         socklen_t len;
5687         short so_family, so_type;
5688         register struct a {
5689                 long    fd;
5690         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5691         au_kcontext_t   *kctx = GET_KCTX_PZ;
5692 
5693         fd = (int)uap->fd;
5694 
5695         /*
5696          * If there was an error, then nothing to do. Only generate
5697          * audit record on first successful send.
5698          */
5699         if (error != 0) {
5700                 /* Turn off audit record generation here. */
5701                 tad->tad_flag = 0;
5702                 /* free any residual audit data */
5703                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5704                 return;
5705         }
5706 
5707         fd = (int)uap->fd;
5708 
5709         if ((so = getsonode(fd, &err, &fp)) == NULL) {
5710                 /* Turn off audit record generation here. */
5711                 tad->tad_flag = 0;
5712                 /* free any residual audit data */
5713                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5714                 return;
5715         }
5716 
5717         /* get path from file struct here */
5718         fad = F2A(fp);
5719         ASSERT(fad);
5720 
5721         /*
5722          * already processed this file for write attempt
5723          */
5724         if (fad->fad_flags & FAD_WRITE) {
5725                 releasef(fd);
5726                 /* don't really want to audit every send call */
5727                 tad->tad_flag = 0;
5728                 /* free any residual audit data */
5729                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5730                 return;
5731         }
5732 
5733         /* mark things so we know what happened and don't repeat things */
5734         fad->fad_flags |= FAD_WRITE;
5735 
5736         so_family = so->so_family;
5737         so_type   = so->so_type;
5738 
5739         switch (so_family) {
5740         case AF_INET:
5741         case AF_INET6:
5742                 /*
5743                  * Only for connections.
5744                  * XXX - do we need to worry about SOCK_DGRAM or other types???
5745                  */
5746                 if (so->so_state & SS_ISBOUND) {
5747 
5748                         bzero((void *)so_laddr, sizeof (so_laddr));
5749                         bzero((void *)so_faddr, sizeof (so_faddr));
5750 
5751                         /* get local and foreign addresses */
5752                         len = sizeof (so_laddr);
5753                         (void) socket_getsockname(so,
5754                             (struct sockaddr *)so_laddr, &len, CRED());
5755                         len = sizeof (so_faddr);
5756                         (void) socket_getpeername(so,
5757                             (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5758 
5759                         /*
5760                          * only way to drop out of switch. Note that we
5761                          * we release fd below.
5762                          */
5763 
5764                         break;
5765                 }
5766 
5767                 releasef(fd);
5768                 /* don't really want to audit every send call */
5769                 tad->tad_flag = 0;
5770                 /* free any residual audit data */
5771                 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5772 
5773                 return;
5774 
5775         case AF_UNIX:
5776 
5777                 if (fad->fad_aupath != NULL) {
5778                         au_uwrite(au_to_path(fad->fad_aupath));
5779                 } else {
5780                         au_uwrite(au_to_arg32(1, "no path: fd", fd));
5781                 }
5782 
5783                 audit_attributes(fp->f_vnode);
5784 
5785                 releasef(fd);
5786 
5787                 return;
5788 
5789         default:
5790                 releasef(fd);
5791 
5792                 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5793                 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5794                 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5795 
5796                 return;
5797         }
5798 
5799         releasef(fd);
5800 
5801         au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5802 
5803         au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5804 }
5805 
5806 static au_event_t
5807 aui_forksys(au_event_t e)
5808 {
5809         struct a {
5810                 long    subcode;
5811                 long    flags;
5812         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5813 
5814         switch ((uint_t)uap->subcode) {
5815         case 0:
5816                 e = AUE_FORK1;
5817                 break;
5818         case 1:
5819                 e = AUE_FORKALL;
5820                 break;
5821         case 2:
5822                 e = AUE_VFORK;
5823                 break;
5824         default:
5825                 e = AUE_NULL;
5826                 break;
5827         }
5828 
5829         return (e);
5830 }
5831 
5832 /*ARGSUSED*/
5833 static au_event_t
5834 aui_portfs(au_event_t e)
5835 {
5836         struct a {              /* portfs */
5837                 long    a1;
5838                 long    a2;
5839                 long    a3;
5840         } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5841 
5842         /*
5843          * check opcode
5844          */
5845         switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5846         case PORT_ASSOCIATE:
5847                 /* check source */
5848                 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5849                     ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5850                         e = AUE_PORTFS_ASSOCIATE;
5851                 } else {
5852                         e = AUE_NULL;
5853                 }
5854                 break;
5855         case PORT_DISSOCIATE:
5856                 /* check source */
5857                 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5858                     ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5859                         e = AUE_PORTFS_DISSOCIATE;
5860                 } else {
5861                         e = AUE_NULL;
5862                 }
5863                 break;
5864         default:
5865                 e = AUE_NULL;
5866         }
5867         return (e);
5868 }