27c478bdstevel@tonic-gate * CDDL HEADER START
37c478bdstevel@tonic-gate *
47c478bdstevel@tonic-gate * The contents of this file are subject to the terms of the
581490fdgww * Common Development and Distribution License (the "License").
681490fdgww * You may not use this file except in compliance with the License.
77c478bdstevel@tonic-gate *
87c478bdstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bdstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
107c478bdstevel@tonic-gate * See the License for the specific language governing permissions
117c478bdstevel@tonic-gate * and limitations under the License.
127c478bdstevel@tonic-gate *
137c478bdstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
147c478bdstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bdstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
167c478bdstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
177c478bdstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bdstevel@tonic-gate *
197c478bdstevel@tonic-gate * CDDL HEADER END
207c478bdstevel@tonic-gate */
22134a1f4Casper H.S. Dik * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
237c478bdstevel@tonic-gate */
257c478bdstevel@tonic-gate#ifndef _BSM_AUDIT_KERNEL_H
267c478bdstevel@tonic-gate#define	_BSM_AUDIT_KERNEL_H
307c478bdstevel@tonic-gate * This file contains the basic auditing control structure definitions.
317c478bdstevel@tonic-gate */
337c478bdstevel@tonic-gate#include <c2/audit_kevents.h>
347c478bdstevel@tonic-gate#include <sys/priv_impl.h>
357c478bdstevel@tonic-gate#include <sys/taskq.h>
367c478bdstevel@tonic-gate#include <sys/zone.h>
3881490fdgww#include <sys/tsol/label.h>
407c478bdstevel@tonic-gate#ifdef __cplusplus
417c478bdstevel@tonic-gateextern "C" {
457c478bdstevel@tonic-gate * This table contains the mapping from the system call ID to a corresponding
467c478bdstevel@tonic-gate * audit event.
477c478bdstevel@tonic-gate *
487c478bdstevel@tonic-gate *   au_init() is a function called at the beginning of the system call that
497c478bdstevel@tonic-gate *   performs any necessary setup/processing. It maps the call into the
507c478bdstevel@tonic-gate *   appropriate event, depending on the system call arguments. It is called
517c478bdstevel@tonic-gate *   by audit_start() from trap.c .
527c478bdstevel@tonic-gate *
537c478bdstevel@tonic-gate *   au_event is the audit event associated with the system call. Most of the
547c478bdstevel@tonic-gate *   time it will map directly from the system call i.e. There is one system
557c478bdstevel@tonic-gate *   call associated with the event. In some cases, such as shmsys, or open,
567c478bdstevel@tonic-gate *   the au_start() function will map the system call to more than one event,
577c478bdstevel@tonic-gate *   depending on the system call arguments.
587c478bdstevel@tonic-gate *
597c478bdstevel@tonic-gate *   au_start() is a function that provides per system call processing at the
607c478bdstevel@tonic-gate *   beginning of a system call. It is mainly concerned with preseving the
617c478bdstevel@tonic-gate *   audit record components that may be altered so that we can determine
627c478bdstevel@tonic-gate *   what the original paramater was before as well as after the system call.
637c478bdstevel@tonic-gate *   It is possible that au_start() may be taken away. It might be cleaner to
647c478bdstevel@tonic-gate *   define flags in au_ctrl to save a designated argument. For the moment we
657c478bdstevel@tonic-gate *   support both mechanisms, however the use of au_start() will be reviewed
667c478bdstevel@tonic-gate *   for 4.1.1 and CMW and ZEUS to see if such a general method is justified.
677c478bdstevel@tonic-gate *
687c478bdstevel@tonic-gate *   au_finish() is a function that provides per system call processing at the
697c478bdstevel@tonic-gate *   completion of a system call. In certain circumstances, the type of audit
707c478bdstevel@tonic-gate *   event depends on intermidiate results during the processing of the system
717c478bdstevel@tonic-gate *   call. It is called in audit_finish() from trap.c .
727c478bdstevel@tonic-gate *
737c478bdstevel@tonic-gate *   au_ctrl is a control vector that indicates what processing might have to
747c478bdstevel@tonic-gate *   be performed, even if there is no auditing for this system call. At
757c478bdstevel@tonic-gate *   present this is mostly for path processing for chmod, chroot. We need to
767c478bdstevel@tonic-gate *   process the path information in vfs_lookup, even when we are not auditing
777c478bdstevel@tonic-gate *   the system call in the case of chdir and chroot.
787c478bdstevel@tonic-gate */
807c478bdstevel@tonic-gate * Defines for au_ctrl
817c478bdstevel@tonic-gate */
824a0fa54Marek Pospisil#define	S2E_SP  TAD_SAVPATH	/* save path for later use */
834a0fa54Marek Pospisil#define	S2E_MLD TAD_MLD		/* only one lookup per system call */
844a0fa54Marek Pospisil#define	S2E_NPT TAD_NOPATH	/* force no path in audit record */
854a0fa54Marek Pospisil#define	S2E_PUB TAD_PUBLIC_EV	/* syscall is defined as a public op */
887c478bdstevel@tonic-gate * At present, we are using the audit classes imbedded with in the kernel. Each
897c478bdstevel@tonic-gate * event has a bit mask determining which classes the event is associated.
907c478bdstevel@tonic-gate * The table audit_e2s maps the audit event ID to the audit state.
917c478bdstevel@tonic-gate *
927c478bdstevel@tonic-gate * Note that this may change radically. If we use a bit vector for the audit
937c478bdstevel@tonic-gate * class, we can allow granularity at the event ID for each user. In this
947c478bdstevel@tonic-gate * case, the vector would be determined at user level and passed to the kernel
957c478bdstevel@tonic-gate * via the setaudit system call.
967c478bdstevel@tonic-gate */
997c478bdstevel@tonic-gate * The audit_pad structure holds paths for the current root and directory
1007c478bdstevel@tonic-gate * for the process, as well as for open files and directly manipulated objects.
1017c478bdstevel@tonic-gate * The reference count minimizes data copies since the process's current
1027c478bdstevel@tonic-gate * directory changes very seldom.
1037c478bdstevel@tonic-gate */
1047c478bdstevel@tonic-gatestruct audit_path {
1057c478bdstevel@tonic-gate	uint_t		audp_ref;	/* reference count */
1067c478bdstevel@tonic-gate	uint_t		audp_size;	/* allocated size of this structure */
1077c478bdstevel@tonic-gate	uint_t		audp_cnt;	/* number of path sections */
1087c478bdstevel@tonic-gate	char		*audp_sect[1];	/* path section pointers */
1097c478bdstevel@tonic-gate					/* audp_sect[0] is the path name */
1107c478bdstevel@tonic-gate					/* audp_sect[1+] are attribute paths */
1147c478bdstevel@tonic-gate * The structure of the terminal ID within the kernel is different from the
1157c478bdstevel@tonic-gate * terminal ID in user space. It is a combination of port and IP address.
1167c478bdstevel@tonic-gate */
1187c478bdstevel@tonic-gatestruct au_termid {
1197c478bdstevel@tonic-gate	dev_t	at_port;
1207c478bdstevel@tonic-gate	uint_t	at_type;
1217c478bdstevel@tonic-gate	uint_t	at_addr[4];
1237c478bdstevel@tonic-gatetypedef struct au_termid au_termid_t;
1267c478bdstevel@tonic-gate * Attributes for deferring the queuing of an event.
1277c478bdstevel@tonic-gate */
1287c478bdstevel@tonic-gatetypedef struct au_defer_info {
1297c478bdstevel@tonic-gate	struct au_defer_info	*audi_next;	/* next on linked list */
1307c478bdstevel@tonic-gate	void	 *audi_ad;		/* audit record */
131d0fa49bTony Nguyen	au_event_t	audi_e_type;	/* audit event id */
132d0fa49bTony Nguyen	au_emod_t	audi_e_mod;	/* audit event modifier */
1337c478bdstevel@tonic-gate	int	audi_flag;		/* au_close*() flags */
1347c478bdstevel@tonic-gate	timestruc_t	audi_atime;	/* audit event timestamp */
1357c478bdstevel@tonic-gate} au_defer_info_t;
1387c478bdstevel@tonic-gate * The structure p_audit_data hangs off of the process structure. It contains
1397c478bdstevel@tonic-gate * all of the audit information necessary to manage the audit record generation
1407c478bdstevel@tonic-gate * for each process.
1417c478bdstevel@tonic-gate *
1427c478bdstevel@tonic-gate * The pad_lock is constructed in the kmem_cache; the rest is combined
1437c478bdstevel@tonic-gate * in a sub structure so it can be copied/zeroed in one statement.
1447c478bdstevel@tonic-gate *
1457c478bdstevel@tonic-gate * The members have been reordered for maximum packing on 64 bit Solaris.
1467c478bdstevel@tonic-gate */
1477c478bdstevel@tonic-gatestruct p_audit_data {
1487c478bdstevel@tonic-gate	kmutex_t	pad_lock;	/* lock pad data during changes */
1497c478bdstevel@tonic-gate	struct _pad_data {
1507c478bdstevel@tonic-gate		struct audit_path	*pad_root;	/* process root path */
1517c478bdstevel@tonic-gate		struct audit_path	*pad_cwd;	/* process cwd path */
1527c478bdstevel@tonic-gate		au_mask_t		pad_newmask;	/* pending new mask */
1537c478bdstevel@tonic-gate		int			pad_flags;
1547c478bdstevel@tonic-gate	} pad_data;
1567c478bdstevel@tonic-gatetypedef struct p_audit_data p_audit_data_t;
1587c478bdstevel@tonic-gate#define	pad_root	pad_data.pad_root
1597c478bdstevel@tonic-gate#define	pad_cwd		pad_data.pad_cwd
1607c478bdstevel@tonic-gate#define	pad_newmask	pad_data.pad_newmask
1617c478bdstevel@tonic-gate#define	pad_flags	pad_data.pad_flags
1644a0fa54Marek Pospisil * Defines for process audit flags (pad_flags)
1657c478bdstevel@tonic-gate */
1667c478bdstevel@tonic-gate#define	PAD_SETMASK 	0x00000001	/* need to complete pending setmask */
1687c478bdstevel@tonic-gateextern kmem_cache_t *au_pad_cache;
1714a0fa54Marek Pospisil * Defines for thread audit control/status flags (tad_ctrl)
1727c478bdstevel@tonic-gate */
1734a0fa54Marek Pospisil#define	TAD_ABSPATH 	0x00000001	/* path from lookup is absolute */
1744a0fa54Marek Pospisil#define	TAD_ATCALL	0x00000002	/* *at() syscall, like openat() */
1754a0fa54Marek Pospisil#define	TAD_ATTPATH  	0x00000004	/* attribute file lookup */
1764a0fa54Marek Pospisil#define	TAD_CORE	0x00000008	/* save attribute during core dump */
1774a0fa54Marek Pospisil#define	TAD_ERRJMP	0x00000010	/* abort record generation on error */
1784a0fa54Marek Pospisil#define	TAD_MLD		0x00000020	/* system call involves MLD */
1794a0fa54Marek Pospisil#define	TAD_NOATTRB 	0x00000040	/* do not automatically add attribute */
1804a0fa54Marek Pospisil#define	TAD_NOAUDIT 	0x00000080	/* discard audit record */
1814a0fa54Marek Pospisil#define	TAD_NOPATH  	0x00000100	/* force no paths in audit record */
1824a0fa54Marek Pospisil#define	TAD_PATHFND 	0x00000200	/* found path, don't retry lookup */
1834a0fa54Marek Pospisil#define	TAD_PUBLIC_EV	0x00000400	/* syscall is defined as a public op */
1844a0fa54Marek Pospisil#define	TAD_SAVPATH 	0x00000800	/* save path for further processing */
1854a0fa54Marek Pospisil#define	TAD_TRUE_CREATE 0x00001000	/* true create, file not found */
1887c478bdstevel@tonic-gate * The structure t_audit_data hangs off of the thread structure. It contains
1897c478bdstevel@tonic-gate * all of the audit information necessary to manage the audit record generation
1907c478bdstevel@tonic-gate * for each thread.
1917c478bdstevel@tonic-gate *
1927c478bdstevel@tonic-gate */
1947c478bdstevel@tonic-gatestruct t_audit_data {
1957c478bdstevel@tonic-gate	kthread_id_t  tad_thread;	/* DEBUG pointer to parent thread */
1967c478bdstevel@tonic-gate	unsigned int  tad_scid;		/* system call ID for finish */
197d0fa49bTony Nguyen	au_event_t	tad_event;	/* event for audit record */
198d0fa49bTony Nguyen	au_emod_t	tad_evmod;	/* event modifier for audit record */
1997c478bdstevel@tonic-gate	int	tad_ctrl;	/* audit control/status flags */
2007c478bdstevel@tonic-gate	void	*tad_errjmp;	/* error longjmp (audit record aborted) */
2017c478bdstevel@tonic-gate	int	tad_flag;	/* to audit or not to audit */
202005d3feMarek Pospisil	uint32_t tad_audit;	/* auditing enabled/disabled */
2037c478bdstevel@tonic-gate	struct audit_path	*tad_aupath;	/* captured at vfs_lookup */
2047c478bdstevel@tonic-gate	struct audit_path	*tad_atpath;	/* openat prefix, path of fd */
2057c478bdstevel@tonic-gate	caddr_t tad_ad;		/* base of accumulated audit data */
2067c478bdstevel@tonic-gate	au_defer_info_t	*tad_defer_head;	/* queue of records to defer */
2077c478bdstevel@tonic-gate						/* until syscall end: */
2087c478bdstevel@tonic-gate	au_defer_info_t	*tad_defer_tail;	/* tail of defer queue */
2097c478bdstevel@tonic-gate	priv_set_t tad_sprivs;	/* saved (success) used privs */
2107c478bdstevel@tonic-gate	priv_set_t tad_fprivs;	/* saved (failed) used privs */
2127c478bdstevel@tonic-gatetypedef struct t_audit_data t_audit_data_t;
2157c478bdstevel@tonic-gate * The f_audit_data structure hangs off of the file structure. It contains
2167c478bdstevel@tonic-gate * three fields of data. The audit ID, the audit state, and a path name.
2177c478bdstevel@tonic-gate */
2197c478bdstevel@tonic-gatestruct f_audit_data {
2207c478bdstevel@tonic-gate	kthread_id_t	fad_thread;	/* DEBUG creating thread */
2217c478bdstevel@tonic-gate	int		fad_flags;	/* audit control flags */
2227c478bdstevel@tonic-gate	struct audit_path	*fad_aupath;	/* path from vfs_lookup */
2247c478bdstevel@tonic-gatetypedef struct f_audit_data f_audit_data_t;
2267c478bdstevel@tonic-gate#define	FAD_READ	0x0001		/* read system call seen */
2277c478bdstevel@tonic-gate#define	FAD_WRITE	0x0002		/* write system call seen */
2297c478bdstevel@tonic-gate#define	P2A(p)	(p->p_audit_data)
2307c478bdstevel@tonic-gate#define	T2A(t)	(t->t_audit_data)
2317c478bdstevel@tonic-gate#define	U2A(u)	(curthread->t_audit_data)
2327c478bdstevel@tonic-gate#define	F2A(f)	(f->f_audit_data)
2347c478bdstevel@tonic-gate#define	u_ad    ((U2A(u))->tad_ad)
2357c478bdstevel@tonic-gate#define	ad_ctrl ((U2A(u))->tad_ctrl)
2367c478bdstevel@tonic-gate#define	ad_flag ((U2A(u))->tad_flag)
2387c478bdstevel@tonic-gate#define	AU_BUFSIZE	128		/* buffer size for the buffer pool */
2407c478bdstevel@tonic-gatestruct au_buff {
2417c478bdstevel@tonic-gate	char		buf[AU_BUFSIZE];
2427c478bdstevel@tonic-gate	struct au_buff	*next_buf;
2437c478bdstevel@tonic-gate	struct au_buff	*next_rec;
2447c478bdstevel@tonic-gate	ushort_t	rec_len;
2457c478bdstevel@tonic-gate	uchar_t		len;
2467c478bdstevel@tonic-gate	uchar_t		flag;
2497c478bdstevel@tonic-gatetypedef struct au_buff au_buff_t;
2527c478bdstevel@tonic-gate * Kernel audit queue structure.
2537c478bdstevel@tonic-gate */
2547c478bdstevel@tonic-gatestruct audit_queue {
2557c478bdstevel@tonic-gate	au_buff_t *head;	/* head of queue */
2567c478bdstevel@tonic-gate	au_buff_t *tail;	/* tail of queue */
2577c478bdstevel@tonic-gate	ssize_t	cnt;		/* number elements on queue */
2587c478bdstevel@tonic-gate	size_t	hiwater;	/* high water mark to block */
2597c478bdstevel@tonic-gate	size_t	lowater;	/* low water mark to restart */
2607c478bdstevel@tonic-gate	size_t	bufsz;		/* audit trail write buffer size */
2617c478bdstevel@tonic-gate	size_t	buflen;		/* audit trail buffer length in use */
2627c478bdstevel@tonic-gate	clock_t	delay;		/* delay before flushing queue */
2637c478bdstevel@tonic-gate	int	wt_block;	/* writer is blocked (1) */
2647c478bdstevel@tonic-gate	int	rd_block;	/* reader is blocked (1) */
2657c478bdstevel@tonic-gate	kmutex_t lock;		/* mutex lock for queue modification */
2667c478bdstevel@tonic-gate	kcondvar_t write_cv;	/* sleep structure for write block */
2677c478bdstevel@tonic-gate	kcondvar_t read_cv;	/* sleep structure for read block */
2717c478bdstevel@tonic-gateunion rval;
2727c478bdstevel@tonic-gatestruct audit_s2e {
2737c478bdstevel@tonic-gate	au_event_t (*au_init)(au_event_t);
2747c478bdstevel@tonic-gate				/* convert au_event to real audit event ID */
2767c478bdstevel@tonic-gate	int au_event;		/* default audit event for this system call */
2777c478bdstevel@tonic-gate	void (*au_start)(struct t_audit_data *);
2787c478bdstevel@tonic-gate				/* pre-system call audit processing */
2797c478bdstevel@tonic-gate	void (*au_finish)(struct t_audit_data *, int, union rval *);
2807c478bdstevel@tonic-gate				/* post-system call audit processing */
2817c478bdstevel@tonic-gate	int au_ctrl;		/* control flags for auditing actions */
2847c478bdstevel@tonic-gateextern struct audit_s2e audit_s2e[];
2867c478bdstevel@tonic-gate#define	AUK_VALID	0x5A5A5A5A
2877c478bdstevel@tonic-gate#define	AUK_INVALID	0
2897c478bdstevel@tonic-gate * per zone audit context
2907c478bdstevel@tonic-gate */
2917c478bdstevel@tonic-gatestruct au_kcontext {
2927c478bdstevel@tonic-gate	uint32_t		auk_valid;
2937c478bdstevel@tonic-gate	zoneid_t		auk_zid;
2957c478bdstevel@tonic-gate	boolean_t		auk_hostaddr_valid;
2967c478bdstevel@tonic-gate	int			auk_sequence;
2977c478bdstevel@tonic-gate	int			auk_auditstate;
2987c478bdstevel@tonic-gate	int			auk_output_active;
2997c478bdstevel@tonic-gate	struct vnode		*auk_current_vp;
3009609350Marek Pospisil	uint32_t		auk_policy;
3027c478bdstevel@tonic-gate	struct audit_queue	auk_queue;
3047c478bdstevel@tonic-gate	au_dbuf_t		*auk_dbuffer;	/* auditdoor output */
3067c478bdstevel@tonic-gate	au_stat_t		auk_statistics;
308f899407Jan Friedel	k_auditinfo_addr_t	auk_info;
3097c478bdstevel@tonic-gate	kmutex_t		auk_eagain_mutex; /* door call retry */
3107c478bdstevel@tonic-gate	kcondvar_t		auk_eagain_cv;
3127c478bdstevel@tonic-gate	taskq_t			*auk_taskq;	/* output thread */
3147c478bdstevel@tonic-gate	/* Only one audit svc per zone at a time */
315787b48egww	/* With the elimination of auditsvc, can this also go? see 6648414 */
3167c478bdstevel@tonic-gate	kmutex_t 		auk_svc_lock;
318d31ffe9rica	au_state_t		auk_ets[MAX_KEVENTS + 1];
3207c478bdstevel@tonic-gate#ifndef AUK_CONTEXT_T
3217c478bdstevel@tonic-gate#define	AUK_CONTEXT_T
3227c478bdstevel@tonic-gatetypedef struct au_kcontext au_kcontext_t;
3257c478bdstevel@tonic-gateextern zone_key_t au_zone_key;
3287c478bdstevel@tonic-gate * Kernel auditing external variables
3297c478bdstevel@tonic-gate */
3309609350Marek Pospisilextern uint32_t audit_policy;
3317c478bdstevel@tonic-gateextern int audit_active;
3337c478bdstevel@tonic-gateextern struct audit_queue au_queue;
3347c478bdstevel@tonic-gateextern struct p_audit_data *pad0;
3357c478bdstevel@tonic-gateextern struct t_audit_data *tad0;
3387c478bdstevel@tonic-gate * audit_path support routines
3397c478bdstevel@tonic-gate */
3407c478bdstevel@tonic-gatevoid au_pathhold(struct audit_path *);
3417c478bdstevel@tonic-gatevoid au_pathrele(struct audit_path *);
3427c478bdstevel@tonic-gatestruct audit_path *au_pathdup(const struct audit_path *, int, int);
344005d3feMarek Pospisilvoid au_pad_init(void);
345005d3feMarek Pospisil
346005d3feMarek Pospisilint auditctl(int cmd, caddr_t data, int length);
347005d3feMarek Pospisilint auditdoor(int fd);
348005d3feMarek Pospisilint getauid(caddr_t);
349005d3feMarek Pospisilint setauid(caddr_t);
350005d3feMarek Pospisilint getaudit(caddr_t);
351005d3feMarek Pospisilint getaudit_addr(caddr_t, int);
352005d3feMarek Pospisilint setaudit(caddr_t);
353005d3feMarek Pospisilint setaudit_addr(caddr_t, int);
354005d3feMarek Pospisil
3567c478bdstevel@tonic-gate * Macros to hide asynchronous, non-blocking audit record start and finish
3577c478bdstevel@tonic-gate * processing.
3587c478bdstevel@tonic-gate *
3597c478bdstevel@tonic-gate * NOTE: must be used in (void) funcction () { ... }
3607c478bdstevel@tonic-gate */
3627c478bdstevel@tonic-gate#define	AUDIT_ASYNC_START(rp, audit_event, sorf) \
3637c478bdstevel@tonic-gate{ \
3647c478bdstevel@tonic-gate	label_t jb; \
3657c478bdstevel@tonic-gate	if (setjmp(&jb)) { \
3667c478bdstevel@tonic-gate		/* cleanup any residual audit data */ \
3677c478bdstevel@tonic-gate		audit_async_drop((caddr_t *)&(rp), 0); \
3687c478bdstevel@tonic-gate		return; \
3697c478bdstevel@tonic-gate	} \
3707c478bdstevel@tonic-gate	/* auditing enabled and we're preselected for this event? */ \
3717c478bdstevel@tonic-gate	if (audit_async_start(&jb, audit_event, sorf)) { \
3727c478bdstevel@tonic-gate		return; \
3737c478bdstevel@tonic-gate	} \
376005d3feMarek Pospisil#define	AUDIT_ASYNC_FINISH(rp, audit_event, event_modifier, event_time) \
377005d3feMarek Pospisil	audit_async_finish((caddr_t *)&(rp), audit_event, event_modifier, \
378005d3feMarek Pospisil	event_time);
3817c478bdstevel@tonic-gate#ifdef	_KERNEL
3827c478bdstevel@tonic-gateau_buff_t *au_get_buff(void), *au_free_buff(au_buff_t *);
38681490fdgww * Macro for uniform "subject" token(s) generation
3877c478bdstevel@tonic-gate */
38889581a1jf#define	AUDIT_SETSUBJ_GENERIC(u, c, a, k, p)		\
38989581a1jf	(au_write((u), au_to_subject(crgetuid(c),	\
39089581a1jf	    crgetgid(c), crgetruid(c), crgetrgid(c),	\
39189581a1jf	    p, (a)->ai_auid, (a)->ai_asid,		\
39289581a1jf	    &((a)->ai_termid))));			\
39389581a1jf	((is_system_labeled()) ?  au_write((u),		\
39489581a1jf	    au_to_label(CR_SL((c)))) : (void) 0);	\
39589581a1jf	(((k)->auk_policy & AUDIT_GROUP) ? au_write((u),\
39689581a1jf	    au_to_groups(crgetgroups(c),		\
39789581a1jf	    crgetngroups(c))) : (void) 0)
3991d7bfectz#define	AUDIT_SETSUBJ(u, c, a, k)      		\
4001d7bfectz	AUDIT_SETSUBJ_GENERIC(u, c, a, k, curproc->p_pid)
402134a1f4Casper H.S. Dik#define	AUDIT_SETPROC_GENERIC(u, c, a, p)		\
403134a1f4Casper H.S. Dik	(au_write((u), au_to_process(crgetuid(c),	\
404134a1f4Casper H.S. Dik	    crgetgid(c), crgetruid(c), crgetrgid(c),	\
405134a1f4Casper H.S. Dik	    p, (a)->ai_auid, (a)->ai_asid,		\
406134a1f4Casper H.S. Dik	    &((a)->ai_termid))));
407134a1f4Casper H.S. Dik
408134a1f4Casper H.S. Dik#define	AUDIT_SETPROC(u, c, a)      		\
409134a1f4Casper H.S. Dik	AUDIT_SETPROC_GENERIC(u, c, a, curproc->p_pid)
410134a1f4Casper H.S. Dik
4127c478bdstevel@tonic-gate * Macros for type conversion
4137c478bdstevel@tonic-gate */
4157c478bdstevel@tonic-gate/* au_membuf head, to typed data */
4167c478bdstevel@tonic-gate#define	memtod(x, t)	((t)x->buf)
4187c478bdstevel@tonic-gate/* au_membuf types */
4197c478bdstevel@tonic-gate#define	MT_FREE		0	/* should be on free list */
4207c478bdstevel@tonic-gate#define	MT_DATA		1	/* dynamic (data) allocation */
4227c478bdstevel@tonic-gate/* flags to au_memget */
4237c478bdstevel@tonic-gate#define	DONTWAIT	0
4247c478bdstevel@tonic-gate#define	WAIT		1
4267c478bdstevel@tonic-gate#define	AU_PACK	1	/* pack data in au_append_rec() */
4277c478bdstevel@tonic-gate#define	AU_LINK 0	/* link data in au_append_rec() */
4297c478bdstevel@tonic-gate/* flags to async routines */
4307c478bdstevel@tonic-gate#define	AU_BACKEND	1	/* called from softcall backend */
4327c478bdstevel@tonic-gate#ifdef __cplusplus
4367c478bdstevel@tonic-gate#endif /* _BSM_AUDIT_KERNEL_H */