1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22/*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26/*
27 * This file contains the audit hook support code for auditing.
28 */
29
30#include <sys/types.h>
31#include <sys/proc.h>
32#include <sys/vnode.h>
33#include <sys/vfs.h>
34#include <sys/file.h>
35#include <sys/user.h>
36#include <sys/stropts.h>
37#include <sys/systm.h>
38#include <sys/pathname.h>
39#include <sys/syscall.h>
40#include <sys/fcntl.h>
41#include <sys/ipc_impl.h>
42#include <sys/msg_impl.h>
43#include <sys/sem_impl.h>
44#include <sys/shm_impl.h>
45#include <sys/kmem.h>		/* for KM_SLEEP */
46#include <sys/socket.h>
47#include <sys/cmn_err.h>	/* snprintf... */
48#include <sys/debug.h>
49#include <sys/thread.h>
50#include <netinet/in.h>
51#include <c2/audit.h>		/* needs to be included before user.h */
52#include <c2/audit_kernel.h>	/* for M_DONTWAIT */
53#include <c2/audit_kevents.h>
54#include <c2/audit_record.h>
55#include <sys/strsubr.h>
56#include <sys/tihdr.h>
57#include <sys/tiuser.h>
58#include <sys/timod.h>
59#include <sys/model.h>		/* for model_t */
60#include <sys/disp.h>		/* for servicing_interrupt() */
61#include <sys/devpolicy.h>
62#include <sys/crypto/ioctladmin.h>
63#include <sys/cred_impl.h>
64#include <inet/kssl/kssl.h>
65#include <net/pfpolicy.h>
66
67static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
68
69static void audit_pathbuild(struct pathname *pnp);
70
71
72/*
73 * ROUTINE:	AUDIT_SAVEPATH
74 * PURPOSE:
75 * CALLBY:	LOOKUPPN
76 *
77 * NOTE:	We have reached the end of a path in fs/lookup.c.
78 *		We get two pieces of information here:
79 *		the vnode of the last component (vp) and
80 *		the status of the last access (flag).
81 * TODO:
82 * QUESTION:
83 */
84
85/*ARGSUSED*/
86int
87audit_savepath(
88	struct pathname *pnp,		/* pathname to lookup */
89	struct vnode *vp,		/* vnode of the last component */
90	struct vnode *pvp,		/* vnode of the last parent component */
91	int    flag,			/* status of the last access */
92	cred_t *cr)			/* cred of requestor */
93{
94
95	t_audit_data_t *tad;	/* current thread */
96	au_kcontext_t	*kctx = GET_KCTX_PZ;
97
98	tad = U2A(u);
99
100	/*
101	 * Noise elimination in audit trails - this event will be discarded if:
102	 * - the public policy is not active AND
103	 * - the system call is a public operation AND
104	 * - the file was not found: VFS lookup failed with ENOENT error AND
105	 * - the missing file would have been located in the public directory
106	 *   owned by root if it had existed
107	 */
108	if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL &&
109	    (tad->tad_ctrl & TAD_PUBLIC_EV) &&
110	    !(kctx->auk_policy & AUDIT_PUBLIC)) {
111		struct vattr attr;
112
113		attr.va_mask = AT_ALL;
114		if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) {
115			if (object_is_public(&attr)) {
116				tad->tad_ctrl |= TAD_NOAUDIT;
117			}
118		}
119	}
120
121	/*
122	 * this event being audited or do we need path information
123	 * later? This might be for a chdir/chroot or open (add path
124	 * to file pointer. If the path has already been found for an
125	 * open/creat then we don't need to process the path.
126	 *
127	 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
128	 *	chroot, chdir, open, creat system call processing. It determines
129	 *	if audit_savepath() will discard the path or we need it later.
130	 * TAD_PATHFND means path already included in this audit record. It
131	 *	is used in cases where multiple path lookups are done per
132	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
133	 *	paths are allowed.
134	 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
135	 *	exit processing to inhibit any paths that may be added due to
136	 *	closes.
137	 */
138	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
139	    ((tad->tad_ctrl & TAD_PATHFND) &&
140	    !(kctx->auk_policy & AUDIT_PATH)) ||
141	    (tad->tad_ctrl & TAD_NOPATH)) {
142		return (0);
143	}
144
145	tad->tad_ctrl |= TAD_NOPATH;		/* prevent possible reentry */
146
147	audit_pathbuild(pnp);
148
149	/*
150	 * are we auditing only if error, or if it is not open or create
151	 * otherwise audit_setf will do it
152	 */
153
154	if (tad->tad_flag) {
155		if (flag &&
156		    (tad->tad_scid == SYS_open ||
157		    tad->tad_scid == SYS_open64 ||
158		    tad->tad_scid == SYS_openat ||
159		    tad->tad_scid == SYS_openat64)) {
160			tad->tad_ctrl |= TAD_TRUE_CREATE;
161		}
162
163		/* add token to audit record for this name */
164		au_uwrite(au_to_path(tad->tad_aupath));
165
166		/* add the attributes of the object */
167		if (vp) {
168			/*
169			 * only capture attributes when there is no error
170			 * lookup will not return the vnode of the failing
171			 * component.
172			 *
173			 * if there was a lookup error, then don't add
174			 * attribute. if lookup in vn_create(),
175			 * then don't add attribute,
176			 * it will be added at end of vn_create().
177			 */
178			if (!flag && !(tad->tad_ctrl & TAD_NOATTRB))
179				audit_attributes(vp);
180		}
181	}
182
183	/* free up space if we're not going to save path (open, creat) */
184	if ((tad->tad_ctrl & TAD_SAVPATH) == 0) {
185		if (tad->tad_aupath != NULL) {
186			au_pathrele(tad->tad_aupath);
187			tad->tad_aupath = NULL;
188		}
189	}
190	if (tad->tad_ctrl & TAD_MLD)
191		tad->tad_ctrl |= TAD_PATHFND;
192
193	tad->tad_ctrl &= ~TAD_NOPATH;		/* restore */
194	return (0);
195}
196
197static void
198audit_pathbuild(struct pathname *pnp)
199{
200	char *pp;	/* pointer to path */
201	int len;	/* length of incoming segment */
202	int newsect;	/* path requires a new section */
203	struct audit_path	*pfxapp;	/* prefix for path */
204	struct audit_path	*newapp;	/* new audit_path */
205	t_audit_data_t *tad;	/* current thread */
206	p_audit_data_t *pad;	/* current process */
207
208	tad = U2A(u);
209	ASSERT(tad != NULL);
210	pad = P2A(curproc);
211	ASSERT(pad != NULL);
212
213	len = (pnp->pn_path - pnp->pn_buf) + 1;		/* +1 for terminator */
214	ASSERT(len > 0);
215
216	/* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
217	mutex_enter(&pad->pad_lock);
218	if (tad->tad_aupath != NULL) {
219		pfxapp = tad->tad_aupath;
220	} else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') {
221		ASSERT(tad->tad_atpath != NULL);
222		pfxapp = tad->tad_atpath;
223	} else if (tad->tad_ctrl & TAD_ABSPATH) {
224		pfxapp = pad->pad_root;
225	} else {
226		pfxapp = pad->pad_cwd;
227	}
228	au_pathhold(pfxapp);
229	mutex_exit(&pad->pad_lock);
230
231	/* get an expanded buffer to hold the anchored path */
232	newsect = tad->tad_ctrl & TAD_ATTPATH;
233	newapp = au_pathdup(pfxapp, newsect, len);
234	au_pathrele(pfxapp);
235
236	pp = newapp->audp_sect[newapp->audp_cnt] - len;
237	if (!newsect) {
238		/* overlay previous NUL terminator */
239		*(pp - 1) = '/';
240	}
241
242	/* now add string of processed path */
243	bcopy(pnp->pn_buf, pp, len);
244	pp[len - 1] = '\0';
245
246	/* perform path simplification as necessary */
247	audit_fixpath(newapp, len);
248
249	if (tad->tad_aupath)
250		au_pathrele(tad->tad_aupath);
251	tad->tad_aupath = newapp;
252
253	/* for case where multiple lookups in one syscall (rename) */
254	tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH);
255}
256
257
258/*
259 * ROUTINE:	AUDIT_ANCHORPATH
260 * PURPOSE:
261 * CALLBY:	LOOKUPPN
262 * NOTE:
263 * anchor path at "/". We have seen a symbolic link or entering for the
264 * first time we will throw away any saved path if path is anchored.
265 *
266 * flag = 0, path is relative.
267 * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH.
268 *
269 * If the (new) path is absolute, then we have to throw away whatever we have
270 * already accumulated since it is being superseded by new path which is
271 * anchored at the root.
272 *		Note that if the path is relative, this function does nothing
273 * TODO:
274 * QUESTION:
275 */
276/*ARGSUSED*/
277void
278audit_anchorpath(struct pathname *pnp, int flag)
279{
280	au_kcontext_t	*kctx = GET_KCTX_PZ;
281	t_audit_data_t *tad;
282
283	tad = U2A(u);
284
285	/*
286	 * this event being audited or do we need path information
287	 * later? This might be for a chdir/chroot or open (add path
288	 * to file pointer. If the path has already been found for an
289	 * open/creat then we don't need to process the path.
290	 *
291	 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
292	 *	chroot, chdir, open, creat system call processing. It determines
293	 *	if audit_savepath() will discard the path or we need it later.
294	 * TAD_PATHFND means path already included in this audit record. It
295	 *	is used in cases where multiple path lookups are done per
296	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
297	 *	paths are allowed.
298	 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
299	 *	exit processing to inhibit any paths that may be added due to
300	 *	closes.
301	 */
302	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
303	    ((tad->tad_ctrl & TAD_PATHFND) &&
304	    !(kctx->auk_policy & AUDIT_PATH)) ||
305	    (tad->tad_ctrl & TAD_NOPATH)) {
306		return;
307	}
308
309	if (flag) {
310		tad->tad_ctrl |= TAD_ABSPATH;
311		if (tad->tad_aupath != NULL) {
312			au_pathrele(tad->tad_aupath);
313			tad->tad_aupath = NULL;
314		}
315	}
316}
317
318
319/*
320 * symbolic link. Save previous components.
321 *
322 * the path seen so far looks like this
323 *
324 *  +-----------------------+----------------+
325 *  | path processed so far | remaining path |
326 *  +-----------------------+----------------+
327 *  \-----------------------/
328 *	save this string if
329 *	symbolic link relative
330 *	(but don't include  symlink component)
331 */
332
333/*ARGSUSED*/
334
335
336/*
337 * ROUTINE:	AUDIT_SYMLINK
338 * PURPOSE:
339 * CALLBY:	LOOKUPPN
340 * NOTE:
341 * TODO:
342 * QUESTION:
343 */
344void
345audit_symlink(struct pathname *pnp, struct pathname *sympath)
346{
347	char *sp;	/* saved initial pp */
348	char *cp;	/* start of symlink path */
349	uint_t len_path;	/* processed path before symlink */
350	t_audit_data_t *tad;
351	au_kcontext_t	*kctx = GET_KCTX_PZ;
352
353	tad = U2A(u);
354
355	/*
356	 * this event being audited or do we need path information
357	 * later? This might be for a chdir/chroot or open (add path
358	 * to file pointer. If the path has already been found for an
359	 * open/creat then we don't need to process the path.
360	 *
361	 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
362	 *	chroot, chdir, open, creat system call processing. It determines
363	 *	if audit_savepath() will discard the path or we need it later.
364	 * TAD_PATHFND means path already included in this audit record. It
365	 *	is used in cases where multiple path lookups are done per
366	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
367	 *	paths are allowed.
368	 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
369	 *	exit processing to inhibit any paths that may be added due to
370	 *	closes.
371	 */
372	if ((tad->tad_flag == 0 &&
373	    !(tad->tad_ctrl & TAD_SAVPATH)) ||
374	    ((tad->tad_ctrl & TAD_PATHFND) &&
375	    !(kctx->auk_policy & AUDIT_PATH)) ||
376	    (tad->tad_ctrl & TAD_NOPATH)) {
377		return;
378	}
379
380	/*
381	 * if symbolic link is anchored at / then do nothing.
382	 * When we cycle back to begin: in lookuppn() we will
383	 * call audit_anchorpath() with a flag indicating if the
384	 * path is anchored at / or is relative. We will release
385	 * any saved path at that point.
386	 *
387	 * Note In the event that an error occurs in pn_combine then
388	 * we want to remain pointing at the component that caused the
389	 * path to overflow the pnp structure.
390	 */
391	if (sympath->pn_buf[0] == '/')
392		return;
393
394	/* backup over last component */
395	sp = cp = pnp->pn_path;
396	while (*--cp != '/' && cp > pnp->pn_buf)
397		;
398
399	len_path = cp - pnp->pn_buf;
400
401	/* is there anything to save? */
402	if (len_path) {
403		pnp->pn_path = pnp->pn_buf;
404		audit_pathbuild(pnp);
405		pnp->pn_path = sp;
406	}
407}
408
409/*
410 * object_is_public : determine whether events for the object (corresponding to
411 *			the specified file/directory attr) should be audited or
412 *			ignored.
413 *
414 * returns:	1 - if audit policy and object attributes indicate that
415 *			file/directory is effectively public. read events for
416 *			the file should not be audited.
417 *		0 - otherwise
418 *
419 * The required attributes to be considered a public object are:
420 * - owned by root, AND
421 * - world-readable (permissions for other include read), AND
422 * - NOT world-writeable (permissions for other don't
423 *	include write)
424 *   (mode doesn't need to be checked for symlinks)
425 */
426int
427object_is_public(struct vattr *attr)
428{
429	au_kcontext_t	*kctx = GET_KCTX_PZ;
430
431	if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
432	    ((attr->va_type == VLNK) ||
433	    ((attr->va_mode & (VREAD>>6)) != 0) &&
434	    ((attr->va_mode & (VWRITE>>6)) == 0))) {
435		return (1);
436	}
437	return (0);
438}
439
440
441/*
442 * ROUTINE:	AUDIT_ATTRIBUTES
443 * PURPOSE:	Audit the attributes so we can tell why the error occurred
444 * CALLBY:	AUDIT_SAVEPATH
445 *		AUDIT_VNCREATE_FINISH
446 *		AUS_FCHOWN...audit_event.c...audit_path.c
447 * NOTE:
448 * TODO:
449 * QUESTION:
450 */
451void
452audit_attributes(struct vnode *vp)
453{
454	struct vattr attr;
455	struct t_audit_data *tad;
456
457	tad = U2A(u);
458
459	if (vp) {
460		attr.va_mask = AT_ALL;
461		if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
462			return;
463
464		if (object_is_public(&attr) &&
465		    (tad->tad_ctrl & TAD_PUBLIC_EV)) {
466			/*
467			 * This is a public object and a "public" event
468			 * (i.e., read only) -- either by definition
469			 * (e.g., stat, access...) or by virtue of write access
470			 * not being requested (e.g. mmap).
471			 * Flag it in the tad to prevent this audit at the end.
472			 */
473			tad->tad_ctrl |= TAD_NOAUDIT;
474		} else {
475			au_uwrite(au_to_attr(&attr));
476			audit_sec_attributes(&(u_ad), vp);
477		}
478	}
479}
480
481
482/*
483 * ROUTINE:	AUDIT_EXIT
484 * PURPOSE:
485 * CALLBY:	EXIT
486 * NOTE:
487 * TODO:
488 * QUESTION:	why cmw code as offset by 2 but not here
489 */
490/* ARGSUSED */
491void
492audit_exit(int code, int what)
493{
494	struct t_audit_data *tad;
495	tad = U2A(u);
496
497	/*
498	 * tad_scid will be set by audit_start even if we are not auditing
499	 * the event.
500	 */
501	if (tad->tad_scid == SYS_exit) {
502		/*
503		 * if we are auditing the exit system call, then complete
504		 * audit record generation (no return from system call).
505		 */
506		if (tad->tad_flag && tad->tad_event == AUE_EXIT)
507			audit_finish(0, SYS_exit, 0, 0);
508		return;
509	}
510
511	/*
512	 * Anyone auditing the system call that was aborted?
513	 */
514	if (tad->tad_flag) {
515		au_uwrite(au_to_text("event aborted"));
516		audit_finish(0, tad->tad_scid, 0, 0);
517	}
518
519	/*
520	 * Generate an audit record for process exit if preselected.
521	 */
522	(void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
523	audit_finish(0, SYS_exit, 0, 0);
524}
525
526/*
527 * ROUTINE:	AUDIT_CORE_START
528 * PURPOSE:
529 * CALLBY:	PSIG
530 * NOTE:
531 * TODO:
532 */
533void
534audit_core_start(int sig)
535{
536	au_event_t event;
537	au_state_t estate;
538	t_audit_data_t *tad;
539	au_kcontext_t	*kctx;
540
541	tad = U2A(u);
542
543	ASSERT(tad != (t_audit_data_t *)0);
544
545	ASSERT(tad->tad_scid == 0);
546	ASSERT(tad->tad_event == 0);
547	ASSERT(tad->tad_evmod == 0);
548	ASSERT(tad->tad_ctrl == 0);
549	ASSERT(tad->tad_flag == 0);
550	ASSERT(tad->tad_aupath == NULL);
551
552	kctx = GET_KCTX_PZ;
553
554	/* get basic event for system call */
555	event = AUE_CORE;
556	estate = kctx->auk_ets[event];
557
558	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
559		return;
560
561	/* reset the flags for non-user attributable events */
562	tad->tad_ctrl   = TAD_CORE;
563	tad->tad_scid   = 0;
564
565	/* if auditing not enabled, then don't generate an audit record */
566
567	if (!((kctx->auk_auditstate == AUC_AUDITING ||
568	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
569	    kctx->auk_auditstate == AUC_NOSPACE)) {
570		tad->tad_flag = 0;
571		tad->tad_ctrl = 0;
572		return;
573	}
574
575	tad->tad_event  = event;
576	tad->tad_evmod  = 0;
577
578	ASSERT(tad->tad_ad == NULL);
579
580	au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
581}
582
583/*
584 * ROUTINE:	AUDIT_CORE_FINISH
585 * PURPOSE:
586 * CALLBY:	PSIG
587 * NOTE:
588 * TODO:
589 * QUESTION:
590 */
591
592/*ARGSUSED*/
593void
594audit_core_finish(int code)
595{
596	int flag;
597	t_audit_data_t *tad;
598	au_kcontext_t	*kctx;
599
600	tad = U2A(u);
601
602	ASSERT(tad != (t_audit_data_t *)0);
603
604	if ((flag = tad->tad_flag) == 0) {
605		tad->tad_event = 0;
606		tad->tad_evmod = 0;
607		tad->tad_ctrl  = 0;
608		ASSERT(tad->tad_aupath == NULL);
609		return;
610	}
611	tad->tad_flag = 0;
612
613	kctx = GET_KCTX_PZ;
614
615	/* kludge for error 0, should use `code==CLD_DUMPED' instead */
616	if (flag = audit_success(kctx, tad, 0, NULL)) {
617		cred_t *cr = CRED();
618		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
619
620		ASSERT(ainfo != NULL);
621
622		/*
623		 * Add subject information (no locks since our private copy of
624		 * credential
625		 */
626		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
627
628		/* Add a return token (should use f argument) */
629		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
630
631		AS_INC(as_generated, 1, kctx);
632		AS_INC(as_kernel, 1, kctx);
633	}
634
635	/* Close up everything */
636	au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
637
638	/* free up any space remaining with the path's */
639	if (tad->tad_aupath != NULL) {
640		au_pathrele(tad->tad_aupath);
641		tad->tad_aupath = NULL;
642	}
643	tad->tad_event = 0;
644	tad->tad_evmod = 0;
645	tad->tad_ctrl  = 0;
646}
647
648
649/*ARGSUSED*/
650void
651audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
652    unsigned char *pri, int *flag, int fmode)
653{
654	struct stdata *stp;
655	t_audit_data_t *tad = U2A(u);
656
657	ASSERT(tad != (t_audit_data_t *)0);
658
659	stp = vp->v_stream;
660
661	/* lock stdata from audit_sock */
662	mutex_enter(&stp->sd_lock);
663
664	/* proceed ONLY if user is being audited */
665	if (!tad->tad_flag) {
666		/*
667		 * this is so we will not add audit data onto
668		 * a thread that is not being audited.
669		 */
670		stp->sd_t_audit_data = NULL;
671		mutex_exit(&stp->sd_lock);
672		return;
673	}
674
675	stp->sd_t_audit_data = (caddr_t)curthread;
676	mutex_exit(&stp->sd_lock);
677}
678
679/*ARGSUSED*/
680void
681audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
682    unsigned char pri, int flag, int fmode)
683{
684	struct stdata *stp;
685	t_audit_data_t *tad = U2A(u);
686
687	ASSERT(tad != (t_audit_data_t *)0);
688
689	stp = vp->v_stream;
690
691	/* lock stdata from audit_sock */
692	mutex_enter(&stp->sd_lock);
693
694	/* proceed ONLY if user is being audited */
695	if (!tad->tad_flag) {
696		/*
697		 * this is so we will not add audit data onto
698		 * a thread that is not being audited.
699		 */
700		stp->sd_t_audit_data = NULL;
701		mutex_exit(&stp->sd_lock);
702		return;
703	}
704
705	stp->sd_t_audit_data = (caddr_t)curthread;
706	mutex_exit(&stp->sd_lock);
707}
708
709/*
710 * ROUTINE:	AUDIT_CLOSEF
711 * PURPOSE:
712 * CALLBY:	CLOSEF
713 * NOTE:
714 * release per file audit resources when file structure is being released.
715 *
716 * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
717 *	on the audit queue if it becomes full. This means
718 *	audit_closef can not be called when f_count == 0. Since
719 *	f_count == 0 indicates the file structure is free, another
720 *	process could attempt to use the file while we were still
721 *	asleep waiting on the audit queue. This would cause the
722 *	per file audit data to be corrupted when we finally do
723 *	wakeup.
724 * TODO:
725 * QUESTION:
726 */
727
728void
729audit_closef(struct file *fp)
730{
731	f_audit_data_t *fad;
732	t_audit_data_t *tad;
733	int success;
734	au_state_t estate;
735	struct vnode *vp;
736	token_t *ad = NULL;
737	struct vattr attr;
738	au_emod_t evmod = 0;
739	const auditinfo_addr_t *ainfo;
740	cred_t *cr;
741	au_kcontext_t	*kctx = GET_KCTX_PZ;
742	uint32_t auditing;
743	boolean_t audit_attr = B_FALSE;
744
745	fad = F2A(fp);
746	estate = kctx->auk_ets[AUE_CLOSE];
747	tad = U2A(u);
748	cr = CRED();
749
750	/* audit record already generated by system call envelope */
751	if (tad->tad_event == AUE_CLOSE) {
752		/* so close audit event will have bits set */
753		tad->tad_evmod |= (au_emod_t)fad->fad_flags;
754		return;
755	}
756
757	/* if auditing not enabled, then don't generate an audit record */
758	auditing = (tad->tad_audit == AUC_UNSET) ?
759	    kctx->auk_auditstate : tad->tad_audit;
760	if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
761		return;
762
763	ainfo = crgetauinfo(cr);
764	if (ainfo == NULL)
765		return;
766
767	success = ainfo->ai_mask.as_success & estate;
768
769	/* not selected for this event */
770	if (success == 0)
771		return;
772
773	/*
774	 * can't use audit_attributes here since we use a private audit area
775	 * to build the audit record instead of the one off the thread.
776	 */
777	if ((vp = fp->f_vnode) != NULL) {
778		attr.va_mask = AT_ALL;
779		if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
780			if ((fp->f_flag & FWRITE) == 0 &&
781			    object_is_public(&attr)) {
782				/*
783				 * When write was not used and the file can be
784				 * considered public, then skip the audit.
785				 */
786				return;
787			}
788			audit_attr = B_TRUE;
789		}
790	}
791
792	evmod = (au_emod_t)fad->fad_flags;
793	if (fad->fad_aupath != NULL) {
794		au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
795	} else {
796#ifdef _LP64
797		au_write((caddr_t *)&(ad), au_to_arg64(
798		    1, "no path: fp", (uint64_t)fp));
799#else
800		au_write((caddr_t *)&(ad), au_to_arg32(
801		    1, "no path: fp", (uint32_t)fp));
802#endif
803	}
804
805	if (audit_attr) {
806		au_write((caddr_t *)&(ad), au_to_attr(&attr));
807		audit_sec_attributes((caddr_t *)&(ad), vp);
808	}
809
810	/* Add subject information */
811	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
812
813	/* add a return token */
814	add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
815
816	AS_INC(as_generated, 1, kctx);
817	AS_INC(as_kernel, 1, kctx);
818
819	/*
820	 * Close up everything
821	 * Note: path space recovery handled by normal system
822	 * call envelope if not at last close.
823	 * Note there is no failure at this point since
824	 *   this represents closes due to exit of process,
825	 *   thus we always indicate successful closes.
826	 */
827	au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
828	    AUE_CLOSE, evmod, NULL);
829}
830
831/*
832 * ROUTINE:	AUDIT_SET
833 * PURPOSE:	Audit the file path and file attributes.
834 * CALLBY:	SETF
835 * NOTE:	SETF associate a file pointer with user area's open files.
836 * TODO:
837 * call audit_finish directly ???
838 * QUESTION:
839 */
840
841/*ARGSUSED*/
842void
843audit_setf(file_t *fp, int fd)
844{
845	f_audit_data_t *fad;
846	t_audit_data_t *tad;
847
848	if (fp == NULL)
849		return;
850
851	tad = T2A(curthread);
852	fad = F2A(fp);
853
854	if (!(tad->tad_scid == SYS_open ||
855	    tad->tad_scid == SYS_open64 ||
856	    tad->tad_scid == SYS_openat ||
857	    tad->tad_scid == SYS_openat64))
858		return;
859
860	/* no path */
861	if (tad->tad_aupath == 0)
862		return;
863
864	/*
865	 * assign path information associated with file audit data
866	 * use tad hold
867	 */
868	fad->fad_aupath = tad->tad_aupath;
869	tad->tad_aupath = NULL;
870
871	if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) {
872		/* adjust event type by dropping the 'creat' part */
873		switch (tad->tad_event) {
874		case AUE_OPEN_RC:
875			tad->tad_event = AUE_OPEN_R;
876			tad->tad_ctrl |= TAD_PUBLIC_EV;
877			break;
878		case AUE_OPEN_RTC:
879			tad->tad_event = AUE_OPEN_RT;
880			break;
881		case AUE_OPEN_WC:
882			tad->tad_event = AUE_OPEN_W;
883			break;
884		case AUE_OPEN_WTC:
885			tad->tad_event = AUE_OPEN_WT;
886			break;
887		case AUE_OPEN_RWC:
888			tad->tad_event = AUE_OPEN_RW;
889			break;
890		case AUE_OPEN_RWTC:
891			tad->tad_event = AUE_OPEN_RWT;
892			break;
893		default:
894			break;
895		}
896	}
897}
898
899
900void
901audit_ipc(int type, int id, void *vp)
902{
903	/* if not auditing this event, then do nothing */
904	if (ad_flag == 0)
905		return;
906
907	switch (type) {
908	case AT_IPC_MSG:
909		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
910		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
911		break;
912	case AT_IPC_SEM:
913		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
914		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
915		break;
916	case AT_IPC_SHM:
917		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
918		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
919		break;
920	}
921}
922
923void
924audit_ipcget(int type, void *vp)
925{
926	/* if not auditing this event, then do nothing */
927	if (ad_flag == 0)
928		return;
929
930	switch (type) {
931	case 0:
932		au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
933		break;
934	case AT_IPC_MSG:
935		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
936		break;
937	case AT_IPC_SEM:
938		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
939		break;
940	case AT_IPC_SHM:
941		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
942		break;
943	}
944}
945
946/*
947 * ROUTINE:	AUDIT_REBOOT
948 * PURPOSE:
949 * CALLBY:
950 * NOTE:
951 * At this point we know that the system call reboot will not return. We thus
952 * have to complete the audit record generation and put it onto the queue.
953 * This might be fairly useless if the auditing daemon is already dead....
954 * TODO:
955 * QUESTION:	who calls audit_reboot
956 */
957
958void
959audit_reboot(void)
960{
961	int flag;
962	t_audit_data_t *tad;
963	au_kcontext_t	*kctx = GET_KCTX_PZ;
964
965	tad = U2A(u);
966
967	/* if not auditing this event, then do nothing */
968	if (tad->tad_flag == 0)
969		return;
970
971	/* do preselection on success/failure */
972	if (flag = audit_success(kctx, tad, 0, NULL)) {
973		/* add a process token */
974
975		cred_t *cr = CRED();
976		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
977
978		if (ainfo == NULL)
979			return;
980
981		/* Add subject information */
982		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
983
984		/* add a return token */
985		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
986
987		AS_INC(as_generated, 1, kctx);
988		AS_INC(as_kernel, 1, kctx);
989	}
990
991	/*
992	 * Flow control useless here since we're going
993	 * to drop everything in the queue anyway. Why
994	 * block and wait. There aint anyone left alive to
995	 * read the records remaining anyway.
996	 */
997
998	/* Close up everything */
999	au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1000	    tad->tad_event, tad->tad_evmod, NULL);
1001}
1002
1003void
1004audit_setfsat_path(int argnum)
1005{
1006	klwp_id_t clwp = ttolwp(curthread);
1007	struct file  *fp;
1008	uint32_t fd;
1009	t_audit_data_t *tad;
1010	struct f_audit_data *fad;
1011	p_audit_data_t *pad;	/* current process */
1012	uint_t fm;
1013	struct a {
1014		long arg1;
1015		long arg2;
1016		long arg3;
1017		long arg4;
1018		long arg5;
1019	} *uap;
1020
1021	if (clwp == NULL)
1022		return;
1023	uap = (struct a *)clwp->lwp_ap;
1024
1025	tad = U2A(u);
1026	ASSERT(tad != NULL);
1027
1028	switch (tad->tad_scid) {
1029	case SYS_faccessat:
1030	case SYS_fchmodat:
1031	case SYS_fchownat:
1032	case SYS_fstatat:
1033	case SYS_fstatat64:
1034	case SYS_mkdirat:
1035	case SYS_mknodat:
1036	case SYS_openat:
1037	case SYS_openat64:
1038	case SYS_readlinkat:
1039	case SYS_unlinkat:
1040		fd = uap->arg1;
1041		break;
1042	case SYS_linkat:
1043	case SYS_renameat:
1044		if (argnum == 3)
1045			fd = uap->arg3;
1046		else
1047			fd = uap->arg1;
1048		break;
1049	case SYS_symlinkat:
1050	case SYS_utimesys:
1051		fd = uap->arg2;
1052		break;
1053	case SYS_open:
1054	case SYS_open64:
1055		fd = AT_FDCWD;
1056		break;
1057	default:
1058		return;
1059	}
1060
1061	if (tad->tad_atpath != NULL) {
1062		au_pathrele(tad->tad_atpath);
1063		tad->tad_atpath = NULL;
1064	}
1065
1066	if (fd != AT_FDCWD) {
1067		tad->tad_ctrl |= TAD_ATCALL;
1068
1069		if (tad->tad_scid == SYS_openat ||
1070		    tad->tad_scid == SYS_openat64) {
1071			fm = (uint_t)uap->arg3;
1072			if (fm & (FXATTR | FXATTRDIROPEN)) {
1073				tad->tad_ctrl |= TAD_ATTPATH;
1074			}
1075		}
1076
1077		if ((fp = getf(fd)) == NULL) {
1078			tad->tad_ctrl |= TAD_NOPATH;
1079			return;
1080		}
1081		fad = F2A(fp);
1082		ASSERT(fad);
1083		if (fad->fad_aupath == NULL) {
1084			tad->tad_ctrl |= TAD_NOPATH;
1085			releasef(fd);
1086			return;
1087		}
1088		au_pathhold(fad->fad_aupath);
1089		tad->tad_atpath = fad->fad_aupath;
1090		releasef(fd);
1091	} else {
1092		if (tad->tad_scid == SYS_open ||
1093		    tad->tad_scid == SYS_open64) {
1094			fm = (uint_t)uap->arg2;
1095			if (fm & FXATTR) {
1096				tad->tad_ctrl |= TAD_ATTPATH;
1097			}
1098			return;
1099		}
1100		pad = P2A(curproc);
1101		mutex_enter(&pad->pad_lock);
1102		au_pathhold(pad->pad_cwd);
1103		tad->tad_atpath = pad->pad_cwd;
1104		mutex_exit(&pad->pad_lock);
1105	}
1106}
1107
1108void
1109audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1110{
1111	t_audit_data_t *tad;
1112	vnode_t	*vp;
1113
1114	tad = U2A(u);
1115
1116	/* if not auditing this event, then do nothing */
1117	if (tad->tad_flag == 0)
1118		return;
1119
1120	au_uwrite(au_to_text(target));
1121
1122	if (error)
1123		return;
1124
1125	error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1126	    NULL, NULL, NULL);
1127	if (error == 0) {
1128		audit_attributes(vp);
1129		VN_RELE(vp);
1130	}
1131}
1132
1133/*
1134 * ROUTINE:	AUDIT_VNCREATE_START
1135 * PURPOSE:	set flag so path name lookup in create will not add attribute
1136 * CALLBY:	VN_CREATE
1137 * NOTE:
1138 * TODO:
1139 * QUESTION:
1140 */
1141
1142void
1143audit_vncreate_start()
1144{
1145	t_audit_data_t *tad;
1146
1147	tad = U2A(u);
1148	tad->tad_ctrl |= TAD_NOATTRB;
1149}
1150
1151/*
1152 * ROUTINE:	AUDIT_VNCREATE_FINISH
1153 * PURPOSE:
1154 * CALLBY:	VN_CREATE
1155 * NOTE:
1156 * TODO:
1157 * QUESTION:
1158 */
1159void
1160audit_vncreate_finish(struct vnode *vp, int error)
1161{
1162	t_audit_data_t *tad;
1163
1164	if (error)
1165		return;
1166
1167	tad = U2A(u);
1168
1169	/* if not auditing this event, then do nothing */
1170	if (tad->tad_flag == 0)
1171		return;
1172
1173	if (tad->tad_ctrl & TAD_TRUE_CREATE) {
1174		audit_attributes(vp);
1175	}
1176
1177	if (tad->tad_ctrl & TAD_CORE) {
1178		audit_attributes(vp);
1179		tad->tad_ctrl &= ~TAD_CORE;
1180	}
1181
1182	if (!error && ((tad->tad_event == AUE_MKNOD) ||
1183	    (tad->tad_event == AUE_MKDIR))) {
1184		audit_attributes(vp);
1185	}
1186
1187	/* for case where multiple lookups in one syscall (rename) */
1188	tad->tad_ctrl &= ~TAD_NOATTRB;
1189}
1190
1191
1192
1193
1194
1195
1196
1197
1198/*
1199 * ROUTINE:	AUDIT_EXEC
1200 * PURPOSE:	Records the function arguments and environment variables
1201 * CALLBY:	EXEC_ARGS
1202 * NOTE:
1203 * TODO:
1204 * QUESTION:
1205 */
1206
1207void
1208audit_exec(
1209	const char *argstr,	/* argument strings */
1210	const char *envstr,	/* environment strings */
1211	ssize_t argc,		/* total # arguments */
1212	ssize_t envc,		/* total # environment variables */
1213	cred_t *pfcred)		/* the additional privileges in a profile */
1214{
1215	t_audit_data_t *tad;
1216	au_kcontext_t	*kctx = GET_KCTX_PZ;
1217
1218	tad = U2A(u);
1219
1220	/* if not auditing this event, then do nothing */
1221	if (!tad->tad_flag)
1222		return;
1223
1224	if (pfcred != NULL) {
1225		p_audit_data_t *pad;
1226		cred_t *cr = CRED();
1227		priv_set_t pset = CR_IPRIV(cr);
1228
1229		pad = P2A(curproc);
1230
1231		/* It's a different event. */
1232		tad->tad_event = AUE_PFEXEC;
1233
1234		/* Add the current working directory to the audit trail. */
1235		if (pad->pad_cwd != NULL)
1236			au_uwrite(au_to_path(pad->pad_cwd));
1237
1238		/*
1239		 * The new credential is not yet in place when audit_exec
1240		 * is called.
1241		 * Compute the additional bits available in the new credential
1242		 * and the limit set.
1243		 */
1244		priv_inverse(&pset);
1245		priv_intersect(&CR_IPRIV(pfcred), &pset);
1246		if (!priv_isemptyset(&pset) ||
1247		    !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) {
1248			au_uwrite(au_to_privset(
1249			    priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV,
1250			    0));
1251			au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT),
1252			    &CR_LPRIV(pfcred), AUT_PRIV, 0));
1253		}
1254		/*
1255		 * Compare the uids & gids: create a process token if changed.
1256		 */
1257		if (crgetuid(cr) != crgetuid(pfcred) ||
1258		    crgetruid(cr) != crgetruid(pfcred) ||
1259		    crgetgid(cr) != crgetgid(pfcred) ||
1260		    crgetrgid(cr) != crgetrgid(pfcred)) {
1261			AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr));
1262		}
1263	}
1264
1265	if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0)
1266		au_uwrite(au_to_exec_args(argstr, argc));
1267
1268	if (kctx->auk_policy & AUDIT_ARGE)
1269		au_uwrite(au_to_exec_env(envstr, envc));
1270}
1271
1272/*
1273 * ROUTINE:	AUDIT_ENTERPROM
1274 * PURPOSE:
1275 * CALLBY:	KBDINPUT
1276 *		ZSA_XSINT
1277 * NOTE:
1278 * TODO:
1279 * QUESTION:
1280 */
1281void
1282audit_enterprom(int flg)
1283{
1284	token_t *rp = NULL;
1285	int sorf;
1286
1287	if (flg)
1288		sorf = AUM_SUCC;
1289	else
1290		sorf = AUM_FAIL;
1291
1292	AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1293
1294	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1295
1296	if (flg)
1297		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1298	else
1299		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1300
1301	AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, 0, NULL);
1302}
1303
1304
1305/*
1306 * ROUTINE:	AUDIT_EXITPROM
1307 * PURPOSE:
1308 * CALLBY:	KBDINPUT
1309 *		ZSA_XSINT
1310 * NOTE:
1311 * TODO:
1312 * QUESTION:
1313 */
1314void
1315audit_exitprom(int flg)
1316{
1317	int sorf;
1318	token_t *rp = NULL;
1319
1320	if (flg)
1321		sorf = AUM_SUCC;
1322	else
1323		sorf = AUM_FAIL;
1324
1325	AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1326
1327	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1328
1329	if (flg)
1330		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1331	else
1332		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1333
1334	AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, 0, NULL);
1335}
1336
1337struct fcntla {
1338	int fdes;
1339	int cmd;
1340	intptr_t arg;
1341};
1342
1343
1344/*
1345 * ROUTINE:	AUDIT_CHDIREC
1346 * PURPOSE:
1347 * CALLBY:	CHDIREC
1348 * NOTE:	The main function of CHDIREC
1349 * TODO:	Move the audit_chdirec hook above the VN_RELE in vncalls.c
1350 * QUESTION:
1351 */
1352
1353/*ARGSUSED*/
1354void
1355audit_chdirec(vnode_t *vp, vnode_t **vpp)
1356{
1357	int		chdir;
1358	int		fchdir;
1359	struct audit_path	**appp;
1360	struct file	*fp;
1361	f_audit_data_t *fad;
1362	p_audit_data_t *pad = P2A(curproc);
1363	t_audit_data_t *tad = T2A(curthread);
1364
1365	struct a {
1366		long fd;
1367	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1368
1369	if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1370		chdir = tad->tad_scid == SYS_chdir;
1371		if (tad->tad_aupath) {
1372			mutex_enter(&pad->pad_lock);
1373			if (chdir)
1374				appp = &(pad->pad_cwd);
1375			else
1376				appp = &(pad->pad_root);
1377			au_pathrele(*appp);
1378			/* use tad hold */
1379			*appp = tad->tad_aupath;
1380			tad->tad_aupath = NULL;
1381			mutex_exit(&pad->pad_lock);
1382		}
1383	} else if ((tad->tad_scid == SYS_fchdir) ||
1384	    (tad->tad_scid == SYS_fchroot)) {
1385		fchdir = tad->tad_scid == SYS_fchdir;
1386		if ((fp = getf(uap->fd)) == NULL)
1387			return;
1388		fad = F2A(fp);
1389		if (fad->fad_aupath) {
1390			au_pathhold(fad->fad_aupath);
1391			mutex_enter(&pad->pad_lock);
1392			if (fchdir)
1393				appp = &(pad->pad_cwd);
1394			else
1395				appp = &(pad->pad_root);
1396			au_pathrele(*appp);
1397			*appp = fad->fad_aupath;
1398			mutex_exit(&pad->pad_lock);
1399			if (tad->tad_flag) {
1400				au_uwrite(au_to_path(fad->fad_aupath));
1401				audit_attributes(fp->f_vnode);
1402			}
1403		}
1404		releasef(uap->fd);
1405	}
1406}
1407
1408
1409/*
1410 *	Audit hook for stream based socket and tli request.
1411 *	Note that we do not have user context while executing
1412 *	this code so we had to record them earlier during the
1413 *	putmsg/getmsg to figure out which user we are dealing with.
1414 */
1415
1416/*ARGSUSED*/
1417void
1418audit_sock(
1419	int type,	/* type of tihdr.h header requests */
1420	queue_t *q,	/* contains the process and thread audit data */
1421	mblk_t *mp,	/* contains the tihdr.h header structures */
1422	int from)	/* timod or sockmod request */
1423{
1424	int32_t    len;
1425	int32_t    offset;
1426	struct sockaddr_in *sock_data;
1427	struct T_conn_req *conn_req;
1428	struct T_conn_ind *conn_ind;
1429	struct T_unitdata_req *unitdata_req;
1430	struct T_unitdata_ind *unitdata_ind;
1431	au_state_t estate;
1432	t_audit_data_t *tad;
1433	caddr_t saved_thread_ptr;
1434	au_mask_t amask;
1435	const auditinfo_addr_t *ainfo;
1436	au_kcontext_t	*kctx;
1437
1438	if (q->q_stream == NULL)
1439		return;
1440	mutex_enter(&q->q_stream->sd_lock);
1441	/* are we being audited */
1442	saved_thread_ptr = q->q_stream->sd_t_audit_data;
1443	/* no pointer to thread, nothing to do */
1444	if (saved_thread_ptr == NULL) {
1445		mutex_exit(&q->q_stream->sd_lock);
1446		return;
1447	}
1448	/* only allow one addition of a record token */
1449	q->q_stream->sd_t_audit_data = NULL;
1450	/*
1451	 * thread is not the one being audited, then nothing to do
1452	 * This could be the stream thread handling the module
1453	 * service routine. In this case, the context for the audit
1454	 * record can no longer be assumed. Simplest to just drop
1455	 * the operation.
1456	 */
1457	if (curthread != (kthread_id_t)saved_thread_ptr) {
1458		mutex_exit(&q->q_stream->sd_lock);
1459		return;
1460	}
1461	if (curthread->t_sysnum >= SYS_so_socket &&
1462	    curthread->t_sysnum <= SYS_sockconfig) {
1463		mutex_exit(&q->q_stream->sd_lock);
1464		return;
1465	}
1466	mutex_exit(&q->q_stream->sd_lock);
1467	/*
1468	 * we know that the thread that did the put/getmsg is the
1469	 * one running. Now we can get the TAD and see if we should
1470	 * add an audit token.
1471	 */
1472	tad = U2A(u);
1473
1474	kctx = GET_KCTX_PZ;
1475
1476	/* proceed ONLY if user is being audited */
1477	if (!tad->tad_flag)
1478		return;
1479
1480	ainfo = crgetauinfo(CRED());
1481	if (ainfo == NULL)
1482		return;
1483	amask = ainfo->ai_mask;
1484
1485	/*
1486	 * Figure out the type of stream networking request here.
1487	 * Note that getmsg and putmsg are always preselected
1488	 * because during the beginning of the system call we have
1489	 * not yet figure out which of the socket or tli request
1490	 * we are looking at until we are here. So we need to check
1491	 * against that specific request and reset the type of event.
1492	 */
1493	switch (type) {
1494	case T_CONN_REQ:	/* connection request */
1495		conn_req = (struct T_conn_req *)mp->b_rptr;
1496		if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1497			return;
1498		offset = conn_req->DEST_offset;
1499		len = conn_req->DEST_length;
1500		estate = kctx->auk_ets[AUE_SOCKCONNECT];
1501		if (amask.as_success & estate || amask.as_failure & estate) {
1502			tad->tad_event = AUE_SOCKCONNECT;
1503			break;
1504		} else {
1505			return;
1506		}
1507	case T_CONN_IND:	 /* connectionless receive request */
1508		conn_ind = (struct T_conn_ind *)mp->b_rptr;
1509		if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1510			return;
1511		offset = conn_ind->SRC_offset;
1512		len = conn_ind->SRC_length;
1513		estate = kctx->auk_ets[AUE_SOCKACCEPT];
1514		if (amask.as_success & estate || amask.as_failure & estate) {
1515			tad->tad_event = AUE_SOCKACCEPT;
1516			break;
1517		} else {
1518			return;
1519		}
1520	case T_UNITDATA_REQ:	 /* connectionless send request */
1521		unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1522		if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1523			return;
1524		offset = unitdata_req->DEST_offset;
1525		len = unitdata_req->DEST_length;
1526		estate = kctx->auk_ets[AUE_SOCKSEND];
1527		if (amask.as_success & estate || amask.as_failure & estate) {
1528			tad->tad_event = AUE_SOCKSEND;
1529			break;
1530		} else {
1531			return;
1532		}
1533	case T_UNITDATA_IND:	 /* connectionless receive request */
1534		unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1535		if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1536			return;
1537		offset = unitdata_ind->SRC_offset;
1538		len = unitdata_ind->SRC_length;
1539		estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1540		if (amask.as_success & estate || amask.as_failure & estate) {
1541			tad->tad_event = AUE_SOCKRECEIVE;
1542			break;
1543		} else {
1544			return;
1545		}
1546	default:
1547		return;
1548	}
1549
1550	/*
1551	 * we are only interested in tcp stream connections,
1552	 * not unix domain stuff
1553	 */
1554	if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1555		tad->tad_event = AUE_GETMSG;
1556		return;
1557	}
1558	/* skip over TPI header and point to the ip address */
1559	sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1560
1561	switch (sock_data->sin_family) {
1562	case AF_INET:
1563		au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1564		break;
1565	default:	/* reset to AUE_PUTMSG if not a inet request */
1566		tad->tad_event = AUE_GETMSG;
1567		break;
1568	}
1569}
1570
1571
1572static void
1573add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1574{
1575	unsigned int sy_flags;
1576
1577#ifdef _SYSCALL32_IMPL
1578	/*
1579	 * Guard against t_lwp being NULL when this function is called
1580	 * from a kernel queue instead of from a direct system call.
1581	 * In that case, assume the running kernel data model.
1582	 */
1583	if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1584	    ttolwp(curthread)) == DATAMODEL_NATIVE))
1585		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1586	else
1587		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1588#else
1589		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1590#endif
1591
1592	if (sy_flags == SE_64RVAL)
1593		au_write(ad, au_to_return64(err, rval));
1594	else
1595		au_write(ad, au_to_return32(err, rval));
1596
1597}
1598
1599/*ARGSUSED*/
1600void
1601audit_fdsend(int fd, struct file *fp, int error)
1602{
1603	t_audit_data_t *tad;	/* current thread */
1604	f_audit_data_t *fad;	/* per file audit structure */
1605	struct vnode *vp;	/* for file attributes */
1606
1607	/* is this system call being audited */
1608	tad = U2A(u);
1609	ASSERT(tad != (t_audit_data_t *)0);
1610	if (!tad->tad_flag)
1611		return;
1612
1613	fad = F2A(fp);
1614
1615	/* add path and file attributes */
1616	if (fad != NULL && fad->fad_aupath != NULL) {
1617		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1618		au_uwrite(au_to_path(fad->fad_aupath));
1619	} else {
1620		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1621#ifdef _LP64
1622		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1623#else
1624		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1625#endif
1626	}
1627	vp = fp->f_vnode;	/* include vnode attributes */
1628	audit_attributes(vp);
1629}
1630
1631/*
1632 * Record privileges successfully used and we attempted to use but
1633 * didn't have.
1634 */
1635void
1636audit_priv(int priv, const priv_set_t *set, int flag)
1637{
1638	t_audit_data_t *tad;
1639	int sbit;
1640	priv_set_t *target;
1641
1642	/* Make sure this isn't being called in an interrupt context */
1643	ASSERT(servicing_interrupt() == 0);
1644
1645	tad = U2A(u);
1646
1647	if (tad->tad_flag == 0)
1648		return;
1649
1650	target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1651	sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1652
1653	/* Tell audit_success() and audit_finish() that we saw this case */
1654	if (!(tad->tad_evmod & sbit)) {
1655		/* Clear set first time around */
1656		priv_emptyset(target);
1657		tad->tad_evmod |= sbit;
1658	}
1659
1660	/* Save the privileges in the tad */
1661	if (priv == PRIV_ALL) {
1662		priv_fillset(target);
1663	} else {
1664		ASSERT(set != NULL || priv != PRIV_NONE);
1665		if (set != NULL)
1666			priv_union(set, target);
1667		if (priv != PRIV_NONE)
1668			priv_addset(target, priv);
1669	}
1670}
1671
1672/*
1673 * Audit the psecflags() system call; the set name, current value, and delta
1674 * are put in the audit trail.
1675 */
1676void
1677audit_psecflags(proc_t *p,
1678    psecflagwhich_t which,
1679    const secflagdelta_t *psd)
1680{
1681	t_audit_data_t *tad;
1682	secflagset_t new;
1683	const secflagset_t *old;
1684	const char *s;
1685	cred_t *cr;
1686	pid_t pid;
1687	const auditinfo_addr_t	*ainfo;
1688	const psecflags_t *psec = &p->p_secflags;
1689
1690	tad = U2A(u);
1691
1692	if (tad->tad_flag == 0)
1693		return;
1694
1695	switch (which) {
1696	case PSF_EFFECTIVE:
1697		s = "effective";
1698		old = &psec->psf_effective;
1699		break;
1700	case PSF_INHERIT:
1701		s = "inherit";
1702		old = &psec->psf_inherit;
1703		break;
1704	case PSF_LOWER:
1705		s = "lower";
1706		old = &psec->psf_lower;
1707		break;
1708	case PSF_UPPER:
1709		s = "upper";
1710		old = &psec->psf_upper;
1711		break;
1712	}
1713
1714	secflags_copy(&new, old);
1715	secflags_apply_delta(&new, psd);
1716
1717	au_uwrite(au_to_secflags(s, *old));
1718	au_uwrite(au_to_secflags(s, new));
1719
1720	ASSERT(mutex_owned(&p->p_lock));
1721	mutex_enter(&p->p_crlock);
1722
1723	pid = p->p_pid;
1724	crhold(cr = p->p_cred);
1725	mutex_exit(&p->p_crlock);
1726
1727	if ((ainfo = crgetauinfo(cr)) == NULL) {
1728		crfree(cr);
1729		return;
1730	}
1731
1732	AUDIT_SETPROC_GENERIC(&(u_ad), cr, ainfo, pid);
1733
1734	crfree(cr);
1735}
1736
1737/*
1738 * Audit the setpriv() system call; the operation, the set name and
1739 * the current value as well as the set argument are put in the
1740 * audit trail.
1741 */
1742void
1743audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1744{
1745	t_audit_data_t *tad;
1746	const priv_set_t *oldpriv;
1747	priv_set_t report;
1748	const char *setname;
1749
1750	tad = U2A(u);
1751
1752	if (tad->tad_flag == 0)
1753		return;
1754
1755	oldpriv = priv_getset(ocr, set);
1756
1757	/* Generate the actual record, include the before and after */
1758	au_uwrite(au_to_arg32(2, "op", op));
1759	setname = priv_getsetbynum(set);
1760
1761	switch (op) {
1762	case PRIV_OFF:
1763		/* Report privileges actually switched off */
1764		report = *oldpriv;
1765		priv_intersect(newpriv, &report);
1766		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1767		break;
1768	case PRIV_ON:
1769		/* Report privileges actually switched on */
1770		report = *oldpriv;
1771		priv_inverse(&report);
1772		priv_intersect(newpriv, &report);
1773		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1774		break;
1775	case PRIV_SET:
1776		/* Report before and after */
1777		au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1778		au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1779		break;
1780	}
1781}
1782
1783/*
1784 * Dump the full device policy setting in the audit trail.
1785 */
1786void
1787audit_devpolicy(int nitems, const devplcysys_t *items)
1788{
1789	t_audit_data_t *tad;
1790	int i;
1791
1792	tad = U2A(u);
1793
1794	if (tad->tad_flag == 0)
1795		return;
1796
1797	for (i = 0; i < nitems; i++) {
1798		au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1799		if (items[i].dps_minornm[0] == '\0') {
1800			au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1801			au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1802		} else
1803			au_uwrite(au_to_text(items[i].dps_minornm));
1804
1805		au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1806		    AUT_PRIV, 0));
1807		au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1808		    AUT_PRIV, 0));
1809	}
1810}
1811
1812/*ARGSUSED*/
1813void
1814audit_fdrecv(int fd, struct file *fp)
1815{
1816	t_audit_data_t *tad;	/* current thread */
1817	f_audit_data_t *fad;	/* per file audit structure */
1818	struct vnode *vp;	/* for file attributes */
1819
1820	/* is this system call being audited */
1821	tad = U2A(u);
1822	ASSERT(tad != (t_audit_data_t *)0);
1823	if (!tad->tad_flag)
1824		return;
1825
1826	fad = F2A(fp);
1827
1828	/* add path and file attributes */
1829	if (fad != NULL && fad->fad_aupath != NULL) {
1830		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1831		au_uwrite(au_to_path(fad->fad_aupath));
1832	} else {
1833		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1834#ifdef _LP64
1835		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1836#else
1837		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1838#endif
1839	}
1840	vp = fp->f_vnode;	/* include vnode attributes */
1841	audit_attributes(vp);
1842}
1843
1844/*
1845 * ROUTINE:	AUDIT_CRYPTOADM
1846 * PURPOSE:	Records arguments to administrative ioctls on /dev/cryptoadm
1847 * CALLBY:	CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1848 *		CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1849 *		CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1850 *		CRYPTO_LOAD_DOOR
1851 * NOTE:
1852 * TODO:
1853 * QUESTION:
1854 */
1855
1856void
1857audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1858    uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1859{
1860	boolean_t		mech_list_required = B_FALSE;
1861	cred_t			*cr = CRED();
1862	t_audit_data_t		*tad;
1863	token_t			*ad = NULL;
1864	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
1865	char			buffer[MAXNAMELEN * 2];
1866	au_kcontext_t		*kctx = GET_KCTX_PZ;
1867
1868	tad = U2A(u);
1869	if (tad == NULL)
1870		return;
1871
1872	if (ainfo == NULL)
1873		return;
1874
1875	tad->tad_event = AUE_CRYPTOADM;
1876
1877	if (audit_success(kctx, tad, error, NULL) != AU_OK)
1878		return;
1879
1880	/* Add subject information */
1881	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1882
1883	switch (cmd) {
1884	case CRYPTO_LOAD_DEV_DISABLED:
1885		if (error == 0 && rv == CRYPTO_SUCCESS) {
1886			(void) snprintf(buffer, sizeof (buffer),
1887			    "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1888			    " dev_instance=%d",
1889			    module_name, device_instance);
1890			mech_list_required = B_TRUE;
1891		} else {
1892			(void) snprintf(buffer, sizeof (buffer),
1893			    "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1894		}
1895		break;
1896
1897	case CRYPTO_LOAD_SOFT_DISABLED:
1898		if (error == 0 && rv == CRYPTO_SUCCESS) {
1899			(void) snprintf(buffer, sizeof (buffer),
1900			    "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1901			    module_name);
1902			mech_list_required = B_TRUE;
1903		} else {
1904			(void) snprintf(buffer, sizeof (buffer),
1905			    "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1906		}
1907		break;
1908
1909	case CRYPTO_UNLOAD_SOFT_MODULE:
1910		if (error == 0 && rv == CRYPTO_SUCCESS) {
1911			(void) snprintf(buffer, sizeof (buffer),
1912			    "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1913			    module_name);
1914		} else {
1915			(void) snprintf(buffer, sizeof (buffer),
1916			    "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1917		}
1918		break;
1919
1920	case CRYPTO_LOAD_SOFT_CONFIG:
1921		if (error == 0 && rv == CRYPTO_SUCCESS) {
1922			(void) snprintf(buffer, sizeof (buffer),
1923			    "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1924			    module_name);
1925			mech_list_required = B_TRUE;
1926		} else {
1927			(void) snprintf(buffer, sizeof (buffer),
1928			    "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1929		}
1930		break;
1931
1932	case CRYPTO_POOL_CREATE:
1933		(void) snprintf(buffer, sizeof (buffer),
1934		    "op=CRYPTO_POOL_CREATE");
1935		break;
1936
1937	case CRYPTO_POOL_WAIT:
1938		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1939		break;
1940
1941	case CRYPTO_POOL_RUN:
1942		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1943		break;
1944
1945	case CRYPTO_LOAD_DOOR:
1946		if (error == 0 && rv == CRYPTO_SUCCESS)
1947			(void) snprintf(buffer, sizeof (buffer),
1948			    "op=CRYPTO_LOAD_DOOR");
1949		else
1950			(void) snprintf(buffer, sizeof (buffer),
1951			    "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1952		break;
1953
1954	case CRYPTO_FIPS140_SET:
1955		(void) snprintf(buffer, sizeof (buffer),
1956		    "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
1957		break;
1958
1959	default:
1960		return;
1961	}
1962
1963	au_write((caddr_t *)&ad, au_to_text(buffer));
1964
1965	if (mech_list_required) {
1966		int i;
1967
1968		if (mech_count == 0) {
1969			au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
1970		} else {
1971			char	*pb = buffer;
1972			size_t	l = sizeof (buffer);
1973			size_t	n;
1974			char	space[2] = ":";
1975
1976			n = snprintf(pb, l, "mech=");
1977
1978			for (i = 0; i < mech_count; i++) {
1979				pb += n;
1980				l = (n >= l) ? 0 : l - n;
1981
1982				if (i == mech_count - 1)
1983					(void) strcpy(space, "");
1984
1985				n = snprintf(pb, l, "%s%s", mech_names[i],
1986				    space);
1987			}
1988			au_write((caddr_t *)&ad, au_to_text(buffer));
1989		}
1990	}
1991
1992	/* add a return token */
1993	if (error || (rv != CRYPTO_SUCCESS))
1994		add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
1995	else
1996		add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
1997
1998	AS_INC(as_generated, 1, kctx);
1999	AS_INC(as_kernel, 1, kctx);
2000
2001	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
2002	    NULL);
2003}
2004
2005/*
2006 * Audit the kernel SSL administration command. The address and the
2007 * port number for the SSL instance, and the proxy port are put in the
2008 * audit trail.
2009 */
2010void
2011audit_kssl(int cmd, void *params, int error)
2012{
2013	cred_t			*cr = CRED();
2014	t_audit_data_t		*tad;
2015	token_t			*ad = NULL;
2016	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2017	au_kcontext_t		*kctx = GET_KCTX_PZ;
2018
2019	tad = U2A(u);
2020
2021	if (ainfo == NULL)
2022		return;
2023
2024	tad->tad_event = AUE_CONFIGKSSL;
2025
2026	if (audit_success(kctx, tad, error, NULL) != AU_OK)
2027		return;
2028
2029	/* Add subject information */
2030	AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
2031
2032	switch (cmd) {
2033	case KSSL_ADD_ENTRY: {
2034		char buf[32];
2035		kssl_params_t *kp = (kssl_params_t *)params;
2036		struct sockaddr_in6 *saddr = &kp->kssl_addr;
2037
2038		au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
2039		au_write((caddr_t *)&ad,
2040		    au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2041		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2042		    saddr->sin6_port);
2043		au_write((caddr_t *)&ad, au_to_text(buf));
2044
2045		(void) snprintf(buf, sizeof (buf), "proxy port=%d",
2046		    kp->kssl_proxy_port);
2047		au_write((caddr_t *)&ad, au_to_text(buf));
2048		break;
2049	}
2050
2051	case KSSL_DELETE_ENTRY: {
2052		char buf[32];
2053		struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
2054
2055		au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
2056		au_write((caddr_t *)&ad,
2057		    au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2058		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2059		    saddr->sin6_port);
2060		au_write((caddr_t *)&ad, au_to_text(buf));
2061		break;
2062	}
2063
2064	default:
2065		return;
2066	}
2067
2068	/* add a return token */
2069	add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2070
2071	AS_INC(as_generated, 1, kctx);
2072	AS_INC(as_kernel, 1, kctx);
2073
2074	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod,
2075	    NULL);
2076}
2077
2078/*
2079 * Audit the kernel PF_POLICY administration commands.  Record command,
2080 * zone, policy type (global or tunnel, active or inactive)
2081 */
2082/*
2083 * ROUTINE:	AUDIT_PF_POLICY
2084 * PURPOSE:	Records arguments to administrative ioctls on PF_POLICY socket
2085 * CALLBY:	SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2086 *		SPD_CLONE, SPD_FLIP
2087 * NOTE:
2088 * TODO:
2089 * QUESTION:
2090 */
2091
2092void
2093audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2094    boolean_t active, int error, pid_t pid)
2095{
2096	const auditinfo_addr_t	*ainfo;
2097	t_audit_data_t		*tad;
2098	token_t			*ad = NULL;
2099	au_kcontext_t		*kctx = GET_KCTX_PZ;
2100	char			buf[80];
2101	int			flag;
2102
2103	tad = U2A(u);
2104	if (tad == NULL)
2105		return;
2106
2107	ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2108	if (ainfo == NULL)
2109		return;
2110
2111	/*
2112	 * Initialize some variables since these are only set
2113	 * with system calls.
2114	 */
2115
2116	switch (cmd) {
2117	case SPD_ADDRULE: {
2118		tad->tad_event = AUE_PF_POLICY_ADDRULE;
2119		break;
2120	}
2121
2122	case SPD_DELETERULE: {
2123		tad->tad_event = AUE_PF_POLICY_DELRULE;
2124		break;
2125	}
2126
2127	case SPD_FLUSH: {
2128		tad->tad_event = AUE_PF_POLICY_FLUSH;
2129		break;
2130	}
2131
2132	case SPD_UPDATEALGS: {
2133		tad->tad_event = AUE_PF_POLICY_ALGS;
2134		break;
2135	}
2136
2137	case SPD_CLONE: {
2138		tad->tad_event = AUE_PF_POLICY_CLONE;
2139		break;
2140	}
2141
2142	case SPD_FLIP: {
2143		tad->tad_event = AUE_PF_POLICY_FLIP;
2144		break;
2145	}
2146
2147	default:
2148		tad->tad_event = AUE_NULL;
2149	}
2150
2151	tad->tad_evmod = 0;
2152
2153	if (flag = audit_success(kctx, tad, error, cred)) {
2154		zone_t *nszone;
2155
2156		/*
2157		 * For now, just audit that an event happened,
2158		 * along with the error code.
2159		 */
2160		au_write((caddr_t *)&ad,
2161		    au_to_arg32(1, "Policy Active?", (uint32_t)active));
2162		au_write((caddr_t *)&ad,
2163		    au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2164
2165		/* Supplemental data */
2166
2167		/*
2168		 * Generate this zone token if the target zone differs
2169		 * from the administrative zone.  If netstacks are expanded
2170		 * to something other than a 1-1 relationship with zones,
2171		 * the auditing framework should create a new token type
2172		 * and audit it as a netstack instead.
2173		 * Turn on general zone auditing to get the administrative zone.
2174		 */
2175
2176		nszone = zone_find_by_id(netstackid_to_zoneid(
2177		    ns->netstack_stackid));
2178		if (nszone != NULL) {
2179			if (strncmp(crgetzone(cred)->zone_name,
2180			    nszone->zone_name, ZONENAME_MAX) != 0) {
2181				token_t *ztoken;
2182
2183				ztoken = au_to_zonename(0, nszone);
2184				au_write((caddr_t *)&ad, ztoken);
2185			}
2186			zone_rele(nszone);
2187		}
2188
2189		if (tun != NULL) {
2190			/* write tunnel name - tun is bounded */
2191			(void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2192			    tun);
2193			au_write((caddr_t *)&ad, au_to_text(buf));
2194		}
2195
2196		/* Add subject information */
2197		AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2198		    ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2199
2200		/* add a return token */
2201		add_return_token((caddr_t *)&ad, 0, error, 0);
2202
2203		AS_INC(as_generated, 1, kctx);
2204		AS_INC(as_kernel, 1, kctx);
2205
2206	}
2207	au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2208	    NULL);
2209
2210	/*
2211	 * clear the ctrl flag so that we don't have spurious collection of
2212	 * audit information.
2213	 */
2214	tad->tad_scid  = 0;
2215	tad->tad_event = 0;
2216	tad->tad_evmod = 0;
2217	tad->tad_ctrl  = 0;
2218}
2219
2220/*
2221 * ROUTINE:	AUDIT_SEC_ATTRIBUTES
2222 * PURPOSE:	Add security attributes
2223 * CALLBY:	AUDIT_ATTRIBUTES
2224 *		AUDIT_CLOSEF
2225 *		AUS_CLOSE
2226 * NOTE:
2227 * TODO:
2228 * QUESTION:
2229 */
2230
2231void
2232audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2233{
2234	/* Dump the SL */
2235	if (is_system_labeled()) {
2236		ts_label_t	*tsl;
2237		bslabel_t	*bsl;
2238
2239		tsl = getflabel(vp);
2240		if (tsl == NULL)
2241			return;			/* nothing else to do */
2242
2243		bsl = label2bslabel(tsl);
2244		if (bsl == NULL)
2245			return;			/* nothing else to do */
2246		au_write(ad, au_to_label(bsl));
2247		label_rele(tsl);
2248	}
2249
2250}	/* AUDIT_SEC_ATTRIBUTES */
2251