xref: /illumos-gate/usr/src/uts/common/c2/audit.c (revision 134a1f4e)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 /*
26  * This file contains the audit hook support code for auditing.
27  */
28 
29 #include <sys/types.h>
30 #include <sys/proc.h>
31 #include <sys/vnode.h>
32 #include <sys/vfs.h>
33 #include <sys/file.h>
34 #include <sys/user.h>
35 #include <sys/stropts.h>
36 #include <sys/systm.h>
37 #include <sys/pathname.h>
38 #include <sys/syscall.h>
39 #include <sys/fcntl.h>
40 #include <sys/ipc_impl.h>
41 #include <sys/msg_impl.h>
42 #include <sys/sem_impl.h>
43 #include <sys/shm_impl.h>
44 #include <sys/kmem.h>		/* for KM_SLEEP */
45 #include <sys/socket.h>
46 #include <sys/cmn_err.h>	/* snprintf... */
47 #include <sys/debug.h>
48 #include <sys/thread.h>
49 #include <netinet/in.h>
50 #include <c2/audit.h>		/* needs to be included before user.h */
51 #include <c2/audit_kernel.h>	/* for M_DONTWAIT */
52 #include <c2/audit_kevents.h>
53 #include <c2/audit_record.h>
54 #include <sys/strsubr.h>
55 #include <sys/tihdr.h>
56 #include <sys/tiuser.h>
57 #include <sys/timod.h>
58 #include <sys/model.h>		/* for model_t */
59 #include <sys/disp.h>		/* for servicing_interrupt() */
60 #include <sys/devpolicy.h>
61 #include <sys/crypto/ioctladmin.h>
62 #include <sys/cred_impl.h>
63 #include <inet/kssl/kssl.h>
64 #include <net/pfpolicy.h>
65 
66 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
67 
68 static void audit_pathbuild(struct pathname *pnp);
69 
70 
71 /*
72  * ROUTINE:	AUDIT_SAVEPATH
73  * PURPOSE:
74  * CALLBY:	LOOKUPPN
75  *
76  * NOTE:	We have reached the end of a path in fs/lookup.c.
77  *		We get two pieces of information here:
78  *		the vnode of the last component (vp) and
79  *		the status of the last access (flag).
80  * TODO:
81  * QUESTION:
82  */
83 
84 /*ARGSUSED*/
85 int
86 audit_savepath(
87 	struct pathname *pnp,		/* pathname to lookup */
88 	struct vnode *vp,		/* vnode of the last component */
89 	int    flag,			/* status of the last access */
90 	cred_t *cr)			/* cred of requestor */
91 {
92 
93 	t_audit_data_t *tad;	/* current thread */
94 	au_kcontext_t	*kctx = GET_KCTX_PZ;
95 
96 	tad = U2A(u);
97 
98 	/*
99 	 * this event being audited or do we need path information
100 	 * later? This might be for a chdir/chroot or open (add path
101 	 * to file pointer. If the path has already been found for an
102 	 * open/creat then we don't need to process the path.
103 	 *
104 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
105 	 *	chroot, chdir, open, creat system call processing. It determines
106 	 *	if audit_savepath() will discard the path or we need it later.
107 	 * PAD_PATHFND means path already included in this audit record. It
108 	 *	is used in cases where multiple path lookups are done per
109 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
110 	 *	paths are allowed.
111 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
112 	 *	exit processing to inhibit any paths that may be added due to
113 	 *	closes.
114 	 */
115 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
116 	    ((tad->tad_ctrl & PAD_PATHFND) &&
117 	    !(kctx->auk_policy & AUDIT_PATH)) ||
118 	    (tad->tad_ctrl & PAD_NOPATH)) {
119 		return (0);
120 	}
121 
122 	tad->tad_ctrl |= PAD_NOPATH;		/* prevent possible reentry */
123 
124 	audit_pathbuild(pnp);
125 	tad->tad_vn = vp;
126 
127 	/*
128 	 * are we auditing only if error, or if it is not open or create
129 	 * otherwise audit_setf will do it
130 	 */
131 
132 	if (tad->tad_flag) {
133 		if (flag &&
134 		    (tad->tad_scid == SYS_open ||
135 		    tad->tad_scid == SYS_open64 ||
136 		    tad->tad_scid == SYS_openat ||
137 		    tad->tad_scid == SYS_openat64)) {
138 			tad->tad_ctrl |= PAD_TRUE_CREATE;
139 		}
140 
141 		/* add token to audit record for this name */
142 		au_uwrite(au_to_path(tad->tad_aupath));
143 
144 		/* add the attributes of the object */
145 		if (vp) {
146 			/*
147 			 * only capture attributes when there is no error
148 			 * lookup will not return the vnode of the failing
149 			 * component.
150 			 *
151 			 * if there was a lookup error, then don't add
152 			 * attribute. if lookup in vn_create(),
153 			 * then don't add attribute,
154 			 * it will be added at end of vn_create().
155 			 */
156 			if (!flag && !(tad->tad_ctrl & PAD_NOATTRB))
157 				audit_attributes(vp);
158 		}
159 	}
160 
161 	/* free up space if we're not going to save path (open, creat) */
162 	if ((tad->tad_ctrl & PAD_SAVPATH) == 0) {
163 		if (tad->tad_aupath != NULL) {
164 			au_pathrele(tad->tad_aupath);
165 			tad->tad_aupath = NULL;
166 			tad->tad_vn = NULL;
167 		}
168 	}
169 	if (tad->tad_ctrl & PAD_MLD)
170 		tad->tad_ctrl |= PAD_PATHFND;
171 
172 	tad->tad_ctrl &= ~PAD_NOPATH;		/* restore */
173 	return (0);
174 }
175 
176 static void
177 audit_pathbuild(struct pathname *pnp)
178 {
179 	char *pp;	/* pointer to path */
180 	int len;	/* length of incoming segment */
181 	int newsect;	/* path requires a new section */
182 	struct audit_path	*pfxapp;	/* prefix for path */
183 	struct audit_path	*newapp;	/* new audit_path */
184 	t_audit_data_t *tad;	/* current thread */
185 	p_audit_data_t *pad;	/* current process */
186 
187 	tad = U2A(u);
188 	ASSERT(tad != NULL);
189 	pad = P2A(curproc);
190 	ASSERT(pad != NULL);
191 
192 	len = (pnp->pn_path - pnp->pn_buf) + 1;		/* +1 for terminator */
193 	ASSERT(len > 0);
194 
195 	/* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
196 	mutex_enter(&pad->pad_lock);
197 	if (tad->tad_aupath != NULL) {
198 		pfxapp = tad->tad_aupath;
199 	} else if ((tad->tad_ctrl & PAD_ATCALL) && pnp->pn_buf[0] != '/') {
200 		ASSERT(tad->tad_atpath != NULL);
201 		pfxapp = tad->tad_atpath;
202 	} else if (tad->tad_ctrl & PAD_ABSPATH) {
203 		pfxapp = pad->pad_root;
204 	} else {
205 		pfxapp = pad->pad_cwd;
206 	}
207 	au_pathhold(pfxapp);
208 	mutex_exit(&pad->pad_lock);
209 
210 	/* get an expanded buffer to hold the anchored path */
211 	newsect = tad->tad_ctrl & PAD_ATTPATH;
212 	newapp = au_pathdup(pfxapp, newsect, len);
213 	au_pathrele(pfxapp);
214 
215 	pp = newapp->audp_sect[newapp->audp_cnt] - len;
216 	if (!newsect) {
217 		/* overlay previous NUL terminator */
218 		*(pp - 1) = '/';
219 	}
220 
221 	/* now add string of processed path */
222 	bcopy(pnp->pn_buf, pp, len);
223 	pp[len - 1] = '\0';
224 
225 	/* perform path simplification as necessary */
226 	audit_fixpath(newapp, len);
227 
228 	if (tad->tad_aupath)
229 		au_pathrele(tad->tad_aupath);
230 	tad->tad_aupath = newapp;
231 
232 	/* for case where multiple lookups in one syscall (rename) */
233 	tad->tad_ctrl &= ~(PAD_ABSPATH | PAD_ATTPATH);
234 }
235 
236 
237 
238 /*ARGSUSED*/
239 
240 /*
241  * ROUTINE:	AUDIT_ADDCOMPONENT
242  * PURPOSE:	extend the path by the component accepted
243  * CALLBY:	LOOKUPPN
244  * NOTE:	This function is called only when there is an error in
245  *		parsing a path component
246  * TODO:	Add the error component to audit record
247  * QUESTION:	what is this for
248  */
249 
250 void
251 audit_addcomponent(struct pathname *pnp)
252 {
253 	au_kcontext_t	*kctx = GET_KCTX_PZ;
254 	t_audit_data_t *tad;
255 
256 	tad = U2A(u);
257 	/*
258 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
259 	 *	chroot, chdir, open, creat system call processing. It determines
260 	 *	if audit_savepath() will discard the path or we need it later.
261 	 * PAD_PATHFND means path already included in this audit record. It
262 	 *	is used in cases where multiple path lookups are done per
263 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
264 	 *	paths are allowed.
265 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
266 	 *	exit processing to inhibit any paths that may be added due to
267 	 *	closes.
268 	 */
269 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
270 	    ((tad->tad_ctrl & PAD_PATHFND) &&
271 	    !(kctx->auk_policy & AUDIT_PATH)) ||
272 	    (tad->tad_ctrl & PAD_NOPATH)) {
273 		return;
274 	}
275 
276 	return;
277 
278 }	/* AUDIT_ADDCOMPONENT */
279 
280 
281 /*
282  * ROUTINE:	AUDIT_ANCHORPATH
283  * PURPOSE:
284  * CALLBY:	LOOKUPPN
285  * NOTE:
286  * anchor path at "/". We have seen a symbolic link or entering for the
287  * first time we will throw away any saved path if path is anchored.
288  *
289  * flag = 0, path is relative.
290  * flag = 1, path is absolute. Free any saved path and set flag to PAD_ABSPATH.
291  *
292  * If the (new) path is absolute, then we have to throw away whatever we have
293  * already accumulated since it is being superseded by new path which is
294  * anchored at the root.
295  *		Note that if the path is relative, this function does nothing
296  * TODO:
297  * QUESTION:
298  */
299 /*ARGSUSED*/
300 void
301 audit_anchorpath(struct pathname *pnp, int flag)
302 {
303 	au_kcontext_t	*kctx = GET_KCTX_PZ;
304 	t_audit_data_t *tad;
305 
306 	tad = U2A(u);
307 
308 	/*
309 	 * this event being audited or do we need path information
310 	 * later? This might be for a chdir/chroot or open (add path
311 	 * to file pointer. If the path has already been found for an
312 	 * open/creat then we don't need to process the path.
313 	 *
314 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
315 	 *	chroot, chdir, open, creat system call processing. It determines
316 	 *	if audit_savepath() will discard the path or we need it later.
317 	 * PAD_PATHFND means path already included in this audit record. It
318 	 *	is used in cases where multiple path lookups are done per
319 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
320 	 *	paths are allowed.
321 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
322 	 *	exit processing to inhibit any paths that may be added due to
323 	 *	closes.
324 	 */
325 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & PAD_SAVPATH)) ||
326 	    ((tad->tad_ctrl & PAD_PATHFND) &&
327 	    !(kctx->auk_policy & AUDIT_PATH)) ||
328 	    (tad->tad_ctrl & PAD_NOPATH)) {
329 		return;
330 	}
331 
332 	if (flag) {
333 		tad->tad_ctrl |= PAD_ABSPATH;
334 		if (tad->tad_aupath != NULL) {
335 			au_pathrele(tad->tad_aupath);
336 			tad->tad_aupath = NULL;
337 			tad->tad_vn = NULL;
338 		}
339 	}
340 }
341 
342 
343 /*
344  * symbolic link. Save previous components.
345  *
346  * the path seen so far looks like this
347  *
348  *  +-----------------------+----------------+
349  *  | path processed so far | remaining path |
350  *  +-----------------------+----------------+
351  *  \-----------------------/
352  *	save this string if
353  *	symbolic link relative
354  *	(but don't include  symlink component)
355  */
356 
357 /*ARGSUSED*/
358 
359 
360 /*
361  * ROUTINE:	AUDIT_SYMLINK
362  * PURPOSE:
363  * CALLBY:	LOOKUPPN
364  * NOTE:
365  * TODO:
366  * QUESTION:
367  */
368 void
369 audit_symlink(struct pathname *pnp, struct pathname *sympath)
370 {
371 	char *sp;	/* saved initial pp */
372 	char *cp;	/* start of symlink path */
373 	uint_t len_path;	/* processed path before symlink */
374 	t_audit_data_t *tad;
375 	au_kcontext_t	*kctx = GET_KCTX_PZ;
376 
377 	tad = U2A(u);
378 
379 	/*
380 	 * this event being audited or do we need path information
381 	 * later? This might be for a chdir/chroot or open (add path
382 	 * to file pointer. If the path has already been found for an
383 	 * open/creat then we don't need to process the path.
384 	 *
385 	 * S2E_SP (PAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
386 	 *	chroot, chdir, open, creat system call processing. It determines
387 	 *	if audit_savepath() will discard the path or we need it later.
388 	 * PAD_PATHFND means path already included in this audit record. It
389 	 *	is used in cases where multiple path lookups are done per
390 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
391 	 *	paths are allowed.
392 	 * S2E_NPT (PAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
393 	 *	exit processing to inhibit any paths that may be added due to
394 	 *	closes.
395 	 */
396 	if ((tad->tad_flag == 0 &&
397 	    !(tad->tad_ctrl & PAD_SAVPATH)) ||
398 	    ((tad->tad_ctrl & PAD_PATHFND) &&
399 	    !(kctx->auk_policy & AUDIT_PATH)) ||
400 	    (tad->tad_ctrl & PAD_NOPATH)) {
401 		return;
402 	}
403 
404 	/*
405 	 * if symbolic link is anchored at / then do nothing.
406 	 * When we cycle back to begin: in lookuppn() we will
407 	 * call audit_anchorpath() with a flag indicating if the
408 	 * path is anchored at / or is relative. We will release
409 	 * any saved path at that point.
410 	 *
411 	 * Note In the event that an error occurs in pn_combine then
412 	 * we want to remain pointing at the component that caused the
413 	 * path to overflow the pnp structure.
414 	 */
415 	if (sympath->pn_buf[0] == '/')
416 		return;
417 
418 	/* backup over last component */
419 	sp = cp = pnp->pn_path;
420 	while (*--cp != '/' && cp > pnp->pn_buf)
421 		;
422 
423 	len_path = cp - pnp->pn_buf;
424 
425 	/* is there anything to save? */
426 	if (len_path) {
427 		pnp->pn_path = pnp->pn_buf;
428 		audit_pathbuild(pnp);
429 		pnp->pn_path = sp;
430 	}
431 }
432 
433 /*
434  * file_is_public : determine whether events for the file (corresponding to
435  * 			the specified file attr) should be audited or ignored.
436  *
437  * returns: 	1 - if audit policy and file attributes indicate that
438  *			file is effectively public. read events for
439  *			the file should not be audited.
440  *		0 - otherwise
441  *
442  * The required attributes to be considered a public object are:
443  * - owned by root, AND
444  * - world-readable (permissions for other include read), AND
445  * - NOT world-writeable (permissions for other don't
446  *	include write)
447  *   (mode doesn't need to be checked for symlinks)
448  */
449 int
450 file_is_public(struct vattr *attr)
451 {
452 	au_kcontext_t	*kctx = GET_KCTX_PZ;
453 
454 	if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
455 	    ((attr->va_type == VLNK) ||
456 	    ((attr->va_mode & (VREAD>>6)) != 0) &&
457 	    ((attr->va_mode & (VWRITE>>6)) == 0))) {
458 		return (1);
459 	}
460 	return (0);
461 }
462 
463 
464 /*
465  * ROUTINE:	AUDIT_ATTRIBUTES
466  * PURPOSE:	Audit the attributes so we can tell why the error occurred
467  * CALLBY:	AUDIT_SAVEPATH
468  *		AUDIT_VNCREATE_FINISH
469  *		AUS_FCHOWN...audit_event.c...audit_path.c
470  * NOTE:
471  * TODO:
472  * QUESTION:
473  */
474 void
475 audit_attributes(struct vnode *vp)
476 {
477 	struct vattr attr;
478 	struct t_audit_data *tad;
479 
480 	tad = U2A(u);
481 
482 	if (vp) {
483 		attr.va_mask = AT_ALL;
484 		if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
485 			return;
486 
487 		if (file_is_public(&attr) && (tad->tad_ctrl & PAD_PUBLIC_EV)) {
488 			/*
489 			 * This is a public object and a "public" event
490 			 * (i.e., read only) -- either by definition
491 			 * (e.g., stat, access...) or by virtue of write access
492 			 * not being requested (e.g. mmap).
493 			 * Flag it in the tad to prevent this audit at the end.
494 			 */
495 			tad->tad_ctrl |= PAD_NOAUDIT;
496 		} else {
497 			au_uwrite(au_to_attr(&attr));
498 			audit_sec_attributes(&(u_ad), vp);
499 		}
500 	}
501 }
502 
503 
504 /*
505  * ROUTINE:	AUDIT_EXIT
506  * PURPOSE:
507  * CALLBY:	EXIT
508  * NOTE:
509  * TODO:
510  * QUESTION:	why cmw code as offset by 2 but not here
511  */
512 /* ARGSUSED */
513 void
514 audit_exit(int code, int what)
515 {
516 	struct t_audit_data *tad;
517 	tad = U2A(u);
518 
519 	/*
520 	 * tad_scid will be set by audit_start even if we are not auditing
521 	 * the event.
522 	 */
523 	if (tad->tad_scid == SYS_exit) {
524 		/*
525 		 * if we are auditing the exit system call, then complete
526 		 * audit record generation (no return from system call).
527 		 */
528 		if (tad->tad_flag && tad->tad_event == AUE_EXIT)
529 			audit_finish(0, SYS_exit, 0, 0);
530 		return;
531 	}
532 
533 	/*
534 	 * Anyone auditing the system call that was aborted?
535 	 */
536 	if (tad->tad_flag) {
537 		au_uwrite(au_to_text("event aborted"));
538 		audit_finish(0, tad->tad_scid, 0, 0);
539 	}
540 
541 	/*
542 	 * Generate an audit record for process exit if preselected.
543 	 */
544 	(void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
545 	audit_finish(0, SYS_exit, 0, 0);
546 }
547 
548 /*
549  * ROUTINE:	AUDIT_CORE_START
550  * PURPOSE:
551  * CALLBY: 	PSIG
552  * NOTE:
553  * TODO:
554  */
555 void
556 audit_core_start(int sig)
557 {
558 	au_event_t event;
559 	au_state_t estate;
560 	t_audit_data_t *tad;
561 	au_kcontext_t	*kctx;
562 
563 	tad = U2A(u);
564 
565 	ASSERT(tad != (t_audit_data_t *)0);
566 
567 	ASSERT(tad->tad_scid == 0);
568 	ASSERT(tad->tad_event == 0);
569 	ASSERT(tad->tad_evmod == 0);
570 	ASSERT(tad->tad_ctrl == 0);
571 	ASSERT(tad->tad_flag == 0);
572 	ASSERT(tad->tad_aupath == NULL);
573 
574 	kctx = GET_KCTX_PZ;
575 
576 	/* get basic event for system call */
577 	event = AUE_CORE;
578 	estate = kctx->auk_ets[event];
579 
580 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
581 		return;
582 
583 	/* reset the flags for non-user attributable events */
584 	tad->tad_ctrl   = PAD_CORE;
585 	tad->tad_scid   = 0;
586 
587 	/* if auditing not enabled, then don't generate an audit record */
588 
589 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
590 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
591 	    kctx->auk_auditstate == AUC_NOSPACE)) {
592 		tad->tad_flag = 0;
593 		tad->tad_ctrl = 0;
594 		return;
595 	}
596 
597 	tad->tad_event  = event;
598 	tad->tad_evmod  = 0;
599 
600 	ASSERT(tad->tad_ad == NULL);
601 
602 	au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
603 }
604 
605 /*
606  * ROUTINE:	AUDIT_CORE_FINISH
607  * PURPOSE:
608  * CALLBY:	PSIG
609  * NOTE:
610  * TODO:
611  * QUESTION:
612  */
613 
614 /*ARGSUSED*/
615 void
616 audit_core_finish(int code)
617 {
618 	int flag;
619 	t_audit_data_t *tad;
620 	au_kcontext_t	*kctx;
621 
622 	tad = U2A(u);
623 
624 	ASSERT(tad != (t_audit_data_t *)0);
625 
626 	if ((flag = tad->tad_flag) == 0) {
627 		tad->tad_event = 0;
628 		tad->tad_evmod = 0;
629 		tad->tad_ctrl  = 0;
630 		ASSERT(tad->tad_aupath == NULL);
631 		return;
632 	}
633 	tad->tad_flag = 0;
634 
635 	kctx = GET_KCTX_PZ;
636 
637 	/* kludge for error 0, should use `code==CLD_DUMPED' instead */
638 	if (flag = audit_success(kctx, tad, 0, NULL)) {
639 		cred_t *cr = CRED();
640 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
641 
642 		ASSERT(ainfo != NULL);
643 
644 		/*
645 		 * Add subject information (no locks since our private copy of
646 		 * credential
647 		 */
648 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
649 
650 		/* Add a return token (should use f argument) */
651 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
652 
653 		AS_INC(as_generated, 1, kctx);
654 		AS_INC(as_kernel, 1, kctx);
655 	}
656 
657 	/* Close up everything */
658 	au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
659 
660 	/* free up any space remaining with the path's */
661 	if (tad->tad_aupath != NULL) {
662 		au_pathrele(tad->tad_aupath);
663 		tad->tad_aupath = NULL;
664 		tad->tad_vn = NULL;
665 	}
666 	tad->tad_event = 0;
667 	tad->tad_evmod = 0;
668 	tad->tad_ctrl  = 0;
669 }
670 
671 /*ARGSUSED*/
672 void
673 audit_stropen(struct vnode *vp, dev_t *devp, int flag, cred_t *crp)
674 {
675 }
676 
677 /*ARGSUSED*/
678 void
679 audit_strclose(struct vnode *vp, int flag, cred_t *crp)
680 {
681 }
682 
683 /*ARGSUSED*/
684 void
685 audit_strioctl(struct vnode *vp, int cmd, intptr_t arg, int flag,
686     int copyflag, cred_t *crp, int *rvalp)
687 {
688 }
689 
690 
691 /*ARGSUSED*/
692 void
693 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
694     unsigned char *pri, int *flag, int fmode)
695 {
696 	struct stdata *stp;
697 	t_audit_data_t *tad = U2A(u);
698 
699 	ASSERT(tad != (t_audit_data_t *)0);
700 
701 	stp = vp->v_stream;
702 
703 	/* lock stdata from audit_sock */
704 	mutex_enter(&stp->sd_lock);
705 
706 	/* proceed ONLY if user is being audited */
707 	if (!tad->tad_flag) {
708 		/*
709 		 * this is so we will not add audit data onto
710 		 * a thread that is not being audited.
711 		 */
712 		stp->sd_t_audit_data = NULL;
713 		mutex_exit(&stp->sd_lock);
714 		return;
715 	}
716 
717 	stp->sd_t_audit_data = (caddr_t)curthread;
718 	mutex_exit(&stp->sd_lock);
719 }
720 
721 /*ARGSUSED*/
722 void
723 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
724     unsigned char pri, int flag, int fmode)
725 {
726 	struct stdata *stp;
727 	t_audit_data_t *tad = U2A(u);
728 
729 	ASSERT(tad != (t_audit_data_t *)0);
730 
731 	stp = vp->v_stream;
732 
733 	/* lock stdata from audit_sock */
734 	mutex_enter(&stp->sd_lock);
735 
736 	/* proceed ONLY if user is being audited */
737 	if (!tad->tad_flag) {
738 		/*
739 		 * this is so we will not add audit data onto
740 		 * a thread that is not being audited.
741 		 */
742 		stp->sd_t_audit_data = NULL;
743 		mutex_exit(&stp->sd_lock);
744 		return;
745 	}
746 
747 	stp->sd_t_audit_data = (caddr_t)curthread;
748 	mutex_exit(&stp->sd_lock);
749 }
750 
751 /*
752  * ROUTINE:	AUDIT_CLOSEF
753  * PURPOSE:
754  * CALLBY:	CLOSEF
755  * NOTE:
756  * release per file audit resources when file structure is being released.
757  *
758  * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
759  *	on the audit queue if it becomes full. This means
760  *	audit_closef can not be called when f_count == 0. Since
761  *	f_count == 0 indicates the file structure is free, another
762  *	process could attempt to use the file while we were still
763  *	asleep waiting on the audit queue. This would cause the
764  *	per file audit data to be corrupted when we finally do
765  *	wakeup.
766  * TODO:
767  * QUESTION:
768  */
769 
770 void
771 audit_closef(struct file *fp)
772 {	/* AUDIT_CLOSEF */
773 	f_audit_data_t *fad;
774 	t_audit_data_t *tad;
775 	int success;
776 	au_state_t estate;
777 	struct vnode *vp;
778 	token_t *ad = NULL;
779 	struct vattr attr;
780 	au_emod_t evmod = 0;
781 	const auditinfo_addr_t *ainfo;
782 	int getattr_ret;
783 	cred_t *cr;
784 	au_kcontext_t	*kctx = GET_KCTX_PZ;
785 	uint32_t auditing;
786 
787 	fad = F2A(fp);
788 	estate = kctx->auk_ets[AUE_CLOSE];
789 	tad = U2A(u);
790 	cr = CRED();
791 
792 	/* audit record already generated by system call envelope */
793 	if (tad->tad_event == AUE_CLOSE) {
794 		/* so close audit event will have bits set */
795 		tad->tad_evmod |= (au_emod_t)fad->fad_flags;
796 		return;
797 	}
798 
799 	/* if auditing not enabled, then don't generate an audit record */
800 	auditing = (tad->tad_audit == AUC_UNSET) ?
801 	    kctx->auk_auditstate : tad->tad_audit;
802 	if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
803 		return;
804 
805 	ainfo = crgetauinfo(cr);
806 	if (ainfo == NULL)
807 		return;
808 
809 	success = ainfo->ai_mask.as_success & estate;
810 
811 	/* not selected for this event */
812 	if (success == 0)
813 		return;
814 
815 	/*
816 	 * can't use audit_attributes here since we use a private audit area
817 	 * to build the audit record instead of the one off the thread.
818 	 */
819 	if ((vp = fp->f_vnode) != NULL) {
820 		attr.va_mask = AT_ALL;
821 		getattr_ret = VOP_GETATTR(vp, &attr, 0, CRED(), NULL);
822 	}
823 
824 	/*
825 	 * When write was not used and the file can be considered public,
826 	 * then skip the audit.
827 	 */
828 	if ((getattr_ret == 0) && ((fp->f_flag & FWRITE) == 0)) {
829 		if (file_is_public(&attr)) {
830 			return;
831 		}
832 	}
833 
834 	evmod = (au_emod_t)fad->fad_flags;
835 	if (fad->fad_aupath != NULL) {
836 		au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
837 	} else {
838 #ifdef _LP64
839 		au_write((caddr_t *)&(ad), au_to_arg64(
840 			1, "no path: fp", (uint64_t)fp));
841 #else
842 		au_write((caddr_t *)&(ad), au_to_arg32(
843 			1, "no path: fp", (uint32_t)fp));
844 #endif
845 	}
846 
847 	if (getattr_ret == 0) {
848 		au_write((caddr_t *)&(ad), au_to_attr(&attr));
849 		audit_sec_attributes((caddr_t *)&(ad), vp);
850 	}
851 
852 	/* Add subject information */
853 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
854 
855 	/* add a return token */
856 	add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
857 
858 	AS_INC(as_generated, 1, kctx);
859 	AS_INC(as_kernel, 1, kctx);
860 
861 	/*
862 	 * Close up everything
863 	 * Note: path space recovery handled by normal system
864 	 * call envelope if not at last close.
865 	 * Note there is no failure at this point since
866 	 *   this represents closes due to exit of process,
867 	 *   thus we always indicate successful closes.
868 	 */
869 	au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
870 	    AUE_CLOSE, evmod, NULL);
871 }
872 
873 /*
874  * ROUTINE:	AUDIT_SET
875  * PURPOSE:	Audit the file path and file attributes.
876  * CALLBY:	SETF
877  * NOTE:	SETF associate a file pointer with user area's open files.
878  * TODO:
879  * call audit_finish directly ???
880  * QUESTION:
881  */
882 
883 /*ARGSUSED*/
884 void
885 audit_setf(file_t *fp, int fd)
886 {
887 	f_audit_data_t *fad;
888 	t_audit_data_t *tad;
889 
890 	if (fp == NULL)
891 		return;
892 
893 	tad = T2A(curthread);
894 	fad = F2A(fp);
895 
896 	if (!(tad->tad_scid == SYS_open ||
897 	    tad->tad_scid == SYS_open64 ||
898 	    tad->tad_scid == SYS_openat ||
899 	    tad->tad_scid == SYS_openat64))
900 		return;
901 
902 	/* no path */
903 	if (tad->tad_aupath == 0)
904 		return;
905 
906 	/*
907 	 * assign path information associated with file audit data
908 	 * use tad hold
909 	 */
910 	fad->fad_aupath = tad->tad_aupath;
911 	tad->tad_aupath = NULL;
912 	tad->tad_vn = NULL;
913 
914 	if (!(tad->tad_ctrl & PAD_TRUE_CREATE)) {
915 		/* adjust event type by dropping the 'creat' part */
916 		switch (tad->tad_event) {
917 		case AUE_OPEN_RC:
918 			tad->tad_event = AUE_OPEN_R;
919 			tad->tad_ctrl |= PAD_PUBLIC_EV;
920 			break;
921 		case AUE_OPEN_RTC:
922 			tad->tad_event = AUE_OPEN_RT;
923 			break;
924 		case AUE_OPEN_WC:
925 			tad->tad_event = AUE_OPEN_W;
926 			break;
927 		case AUE_OPEN_WTC:
928 			tad->tad_event = AUE_OPEN_WT;
929 			break;
930 		case AUE_OPEN_RWC:
931 			tad->tad_event = AUE_OPEN_RW;
932 			break;
933 		case AUE_OPEN_RWTC:
934 			tad->tad_event = AUE_OPEN_RWT;
935 			break;
936 		default:
937 			break;
938 		}
939 	}
940 }
941 
942 
943 /*
944  * ROUTINE:	AUDIT_COPEN
945  * PURPOSE:
946  * CALLBY:	COPEN
947  * NOTE:
948  * TODO:
949  * QUESTION:
950  */
951 /*ARGSUSED*/
952 void
953 audit_copen(int fd, file_t *fp, vnode_t *vp)
954 {
955 }
956 
957 void
958 audit_ipc(int type, int id, void *vp)
959 {
960 	/* if not auditing this event, then do nothing */
961 	if (ad_flag == 0)
962 		return;
963 
964 	switch (type) {
965 	case AT_IPC_MSG:
966 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
967 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
968 		break;
969 	case AT_IPC_SEM:
970 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
971 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
972 		break;
973 	case AT_IPC_SHM:
974 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
975 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
976 		break;
977 	}
978 }
979 
980 void
981 audit_ipcget(int type, void *vp)
982 {
983 	/* if not auditing this event, then do nothing */
984 	if (ad_flag == 0)
985 		return;
986 
987 	switch (type) {
988 	case NULL:
989 		au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
990 		break;
991 	case AT_IPC_MSG:
992 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
993 		break;
994 	case AT_IPC_SEM:
995 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
996 		break;
997 	case AT_IPC_SHM:
998 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
999 		break;
1000 	}
1001 }
1002 
1003 /*
1004  * ROUTINE:	AUDIT_REBOOT
1005  * PURPOSE:
1006  * CALLBY:
1007  * NOTE:
1008  * At this point we know that the system call reboot will not return. We thus
1009  * have to complete the audit record generation and put it onto the queue.
1010  * This might be fairly useless if the auditing daemon is already dead....
1011  * TODO:
1012  * QUESTION:	who calls audit_reboot
1013  */
1014 
1015 void
1016 audit_reboot(void)
1017 {
1018 	int flag;
1019 	t_audit_data_t *tad;
1020 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1021 
1022 	tad = U2A(u);
1023 
1024 	/* if not auditing this event, then do nothing */
1025 	if (tad->tad_flag == 0)
1026 		return;
1027 
1028 	/* do preselection on success/failure */
1029 	if (flag = audit_success(kctx, tad, 0, NULL)) {
1030 		/* add a process token */
1031 
1032 		cred_t *cr = CRED();
1033 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
1034 
1035 		if (ainfo == NULL)
1036 			return;
1037 
1038 		/* Add subject information */
1039 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
1040 
1041 		/* add a return token */
1042 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
1043 
1044 		AS_INC(as_generated, 1, kctx);
1045 		AS_INC(as_kernel, 1, kctx);
1046 	}
1047 
1048 	/*
1049 	 * Flow control useless here since we're going
1050 	 * to drop everything in the queue anyway. Why
1051 	 * block and wait. There aint anyone left alive to
1052 	 * read the records remaining anyway.
1053 	 */
1054 
1055 	/* Close up everything */
1056 	au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1057 	    tad->tad_event, tad->tad_evmod, NULL);
1058 }
1059 
1060 void
1061 audit_setfsat_path(int argnum)
1062 {
1063 	klwp_id_t clwp = ttolwp(curthread);
1064 	struct file  *fp;
1065 	uint32_t fd;
1066 	t_audit_data_t *tad;
1067 	struct f_audit_data *fad;
1068 	p_audit_data_t *pad;	/* current process */
1069 	struct a {
1070 		long arg1;
1071 		long arg2;
1072 		long arg3;
1073 		long arg4;
1074 		long arg5;
1075 	} *uap;
1076 
1077 	if (clwp == NULL)
1078 		return;
1079 	uap = (struct a *)clwp->lwp_ap;
1080 
1081 	tad = U2A(u);
1082 	ASSERT(tad != NULL);
1083 
1084 	switch (tad->tad_scid) {
1085 	case SYS_faccessat:
1086 	case SYS_fchownat:
1087 	case SYS_fstatat:
1088 	case SYS_fstatat64:
1089 	case SYS_openat:
1090 	case SYS_openat64:
1091 	case SYS_unlinkat:
1092 		fd = uap->arg1;
1093 		break;
1094 	case SYS_renameat:
1095 		if (argnum == 3)
1096 			fd = uap->arg3;
1097 		else
1098 			fd = uap->arg1;
1099 		break;
1100 	case SYS_utimesys:
1101 		fd = uap->arg2;
1102 		break;
1103 	default:
1104 		return;
1105 	}
1106 
1107 	if (tad->tad_atpath != NULL) {
1108 		au_pathrele(tad->tad_atpath);
1109 		tad->tad_atpath = NULL;
1110 	}
1111 	if (fd != AT_FDCWD) {
1112 		if ((fp = getf(fd)) == NULL) {
1113 			tad->tad_ctrl |= PAD_NOPATH;
1114 			return;
1115 		}
1116 		fad = F2A(fp);
1117 		ASSERT(fad);
1118 		if (fad->fad_aupath == NULL) {
1119 			tad->tad_ctrl |= PAD_NOPATH;
1120 			releasef(fd);
1121 			return;
1122 		}
1123 		au_pathhold(fad->fad_aupath);
1124 		tad->tad_atpath = fad->fad_aupath;
1125 		releasef(fd);
1126 	} else {
1127 		pad = P2A(curproc);
1128 		mutex_enter(&pad->pad_lock);
1129 		au_pathhold(pad->pad_cwd);
1130 		tad->tad_atpath = pad->pad_cwd;
1131 		mutex_exit(&pad->pad_lock);
1132 	}
1133 }
1134 
1135 void
1136 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1137 {
1138 	t_audit_data_t *tad;
1139 	vnode_t	*vp;
1140 
1141 	tad = U2A(u);
1142 
1143 	/* if not auditing this event, then do nothing */
1144 	if (tad->tad_flag == 0)
1145 		return;
1146 
1147 	au_uwrite(au_to_text(target));
1148 
1149 	if (error)
1150 		return;
1151 
1152 	error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1153 	    NULL, NULL, NULL);
1154 	if (error == 0) {
1155 		audit_attributes(vp);
1156 		VN_RELE(vp);
1157 	}
1158 }
1159 
1160 /*
1161  * ROUTINE:	AUDIT_VNCREATE_START
1162  * PURPOSE:	set flag so path name lookup in create will not add attribute
1163  * CALLBY:	VN_CREATE
1164  * NOTE:
1165  * TODO:
1166  * QUESTION:
1167  */
1168 
1169 void
1170 audit_vncreate_start()
1171 {
1172 	t_audit_data_t *tad;
1173 
1174 	tad = U2A(u);
1175 	tad->tad_ctrl |= PAD_NOATTRB;
1176 }
1177 
1178 /*
1179  * ROUTINE:	AUDIT_VNCREATE_FINISH
1180  * PURPOSE:
1181  * CALLBY:	VN_CREATE
1182  * NOTE:
1183  * TODO:
1184  * QUESTION:
1185  */
1186 void
1187 audit_vncreate_finish(struct vnode *vp, int error)
1188 {
1189 	t_audit_data_t *tad;
1190 
1191 	if (error)
1192 		return;
1193 
1194 	tad = U2A(u);
1195 
1196 	/* if not auditing this event, then do nothing */
1197 	if (tad->tad_flag == 0)
1198 		return;
1199 
1200 	if (tad->tad_ctrl & PAD_TRUE_CREATE) {
1201 		audit_attributes(vp);
1202 	}
1203 
1204 	if (tad->tad_ctrl & PAD_CORE) {
1205 		audit_attributes(vp);
1206 		tad->tad_ctrl &= ~PAD_CORE;
1207 	}
1208 
1209 	if (!error && ((tad->tad_event == AUE_MKNOD) ||
1210 	    (tad->tad_event == AUE_MKDIR))) {
1211 		audit_attributes(vp);
1212 	}
1213 
1214 	/* for case where multiple lookups in one syscall (rename) */
1215 	tad->tad_ctrl &= ~PAD_NOATTRB;
1216 }
1217 
1218 
1219 
1220 
1221 
1222 
1223 
1224 
1225 /*
1226  * ROUTINE:	AUDIT_EXEC
1227  * PURPOSE:	Records the function arguments and environment variables
1228  * CALLBY:	EXEC_ARGS
1229  * NOTE:
1230  * TODO:
1231  * QUESTION:
1232  */
1233 
1234 void
1235 audit_exec(
1236 	const char *argstr,	/* argument strings */
1237 	const char *envstr,	/* environment strings */
1238 	ssize_t argc,		/* total # arguments */
1239 	ssize_t envc,		/* total # environment variables */
1240 	cred_t *pfcred)		/* the additional privileges in a profile */
1241 {
1242 	t_audit_data_t *tad;
1243 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1244 
1245 	tad = U2A(u);
1246 
1247 	/* if not auditing this event, then do nothing */
1248 	if (!tad->tad_flag)
1249 		return;
1250 
1251 	if (pfcred != NULL) {
1252 		p_audit_data_t *pad;
1253 		cred_t *cr = CRED();
1254 		priv_set_t pset = CR_IPRIV(cr);
1255 
1256 		pad = P2A(curproc);
1257 
1258 		/* It's a different event. */
1259 		tad->tad_event = AUE_PFEXEC;
1260 
1261 		/* Add the current working directory to the audit trail. */
1262 		if (pad->pad_cwd != NULL)
1263 			au_uwrite(au_to_path(pad->pad_cwd));
1264 
1265 		/*
1266 		 * The new credential is not yet in place when audit_exec
1267 		 * is called.
1268 		 * Compute the additional bits available in the new credential
1269 		 * and the limit set.
1270 		 */
1271 		priv_inverse(&pset);
1272 		priv_intersect(&CR_IPRIV(pfcred), &pset);
1273 		if (!priv_isemptyset(&pset) ||
1274 		    !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) {
1275 			au_uwrite(au_to_privset(
1276 			    priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV,
1277 			    0));
1278 			au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT),
1279 			    &CR_LPRIV(pfcred), AUT_PRIV, 0));
1280 		}
1281 		/*
1282 		 * Compare the uids & gids: create a process token if changed.
1283 		 */
1284 		if (crgetuid(cr) != crgetuid(pfcred) ||
1285 		    crgetruid(cr) != crgetruid(pfcred) ||
1286 		    crgetgid(cr) != crgetgid(pfcred) ||
1287 		    crgetrgid(cr) != crgetrgid(pfcred)) {
1288 			AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr));
1289 		}
1290 	}
1291 
1292 	if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0)
1293 		au_uwrite(au_to_exec_args(argstr, argc));
1294 
1295 	if (kctx->auk_policy & AUDIT_ARGE)
1296 		au_uwrite(au_to_exec_env(envstr, envc));
1297 }
1298 
1299 /*
1300  * ROUTINE:	AUDIT_ENTERPROM
1301  * PURPOSE:
1302  * CALLBY:	KBDINPUT
1303  *		ZSA_XSINT
1304  * NOTE:
1305  * TODO:
1306  * QUESTION:
1307  */
1308 void
1309 audit_enterprom(int flg)
1310 {
1311 	token_t *rp = NULL;
1312 	int sorf;
1313 
1314 	if (flg)
1315 		sorf = AUM_SUCC;
1316 	else
1317 		sorf = AUM_FAIL;
1318 
1319 	AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1320 
1321 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1322 
1323 	if (flg)
1324 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1325 	else
1326 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1327 
1328 	AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL);
1329 }
1330 
1331 
1332 /*
1333  * ROUTINE:	AUDIT_EXITPROM
1334  * PURPOSE:
1335  * CALLBY:	KBDINPUT
1336  *		ZSA_XSINT
1337  * NOTE:
1338  * TODO:
1339  * QUESTION:
1340  */
1341 void
1342 audit_exitprom(int flg)
1343 {
1344 	int sorf;
1345 	token_t *rp = NULL;
1346 
1347 	if (flg)
1348 		sorf = AUM_SUCC;
1349 	else
1350 		sorf = AUM_FAIL;
1351 
1352 	AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1353 
1354 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1355 
1356 	if (flg)
1357 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1358 	else
1359 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1360 
1361 	AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL);
1362 }
1363 
1364 struct fcntla {
1365 	int fdes;
1366 	int cmd;
1367 	intptr_t arg;
1368 };
1369 
1370 /*
1371  * ROUTINE:	AUDIT_C2_REVOKE
1372  * PURPOSE:
1373  * CALLBY:	FCNTL
1374  * NOTE:
1375  * TODO:
1376  * QUESTION:	are we keeping this func
1377  */
1378 
1379 /*ARGSUSED*/
1380 int
1381 audit_c2_revoke(struct fcntla *uap, rval_t *rvp)
1382 {
1383 	return (0);
1384 }
1385 
1386 
1387 /*
1388  * ROUTINE:	AUDIT_CHDIREC
1389  * PURPOSE:
1390  * CALLBY:	CHDIREC
1391  * NOTE:	The main function of CHDIREC
1392  * TODO:	Move the audit_chdirec hook above the VN_RELE in vncalls.c
1393  * QUESTION:
1394  */
1395 
1396 /*ARGSUSED*/
1397 void
1398 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1399 {
1400 	int		chdir;
1401 	int		fchdir;
1402 	struct audit_path	**appp;
1403 	struct file	*fp;
1404 	f_audit_data_t *fad;
1405 	p_audit_data_t *pad = P2A(curproc);
1406 	t_audit_data_t *tad = T2A(curthread);
1407 
1408 	struct a {
1409 		long fd;
1410 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1411 
1412 	if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1413 		chdir = tad->tad_scid == SYS_chdir;
1414 		if (tad->tad_aupath) {
1415 			mutex_enter(&pad->pad_lock);
1416 			if (chdir)
1417 				appp = &(pad->pad_cwd);
1418 			else
1419 				appp = &(pad->pad_root);
1420 			au_pathrele(*appp);
1421 			/* use tad hold */
1422 			*appp = tad->tad_aupath;
1423 			tad->tad_aupath = NULL;
1424 			mutex_exit(&pad->pad_lock);
1425 		}
1426 	} else if ((tad->tad_scid == SYS_fchdir) ||
1427 	    (tad->tad_scid == SYS_fchroot)) {
1428 		fchdir = tad->tad_scid == SYS_fchdir;
1429 		if ((fp = getf(uap->fd)) == NULL)
1430 			return;
1431 		fad = F2A(fp);
1432 		if (fad->fad_aupath) {
1433 			au_pathhold(fad->fad_aupath);
1434 			mutex_enter(&pad->pad_lock);
1435 			if (fchdir)
1436 				appp = &(pad->pad_cwd);
1437 			else
1438 				appp = &(pad->pad_root);
1439 			au_pathrele(*appp);
1440 			*appp = fad->fad_aupath;
1441 			mutex_exit(&pad->pad_lock);
1442 			if (tad->tad_flag) {
1443 				au_uwrite(au_to_path(fad->fad_aupath));
1444 				audit_attributes(fp->f_vnode);
1445 			}
1446 		}
1447 		releasef(uap->fd);
1448 	}
1449 }
1450 
1451 /*
1452  * ROUTINE:	AUDIT_GETF
1453  * PURPOSE:
1454  * CALLBY:	GETF_INTERNAL
1455  * NOTE:	The main function of GETF_INTERNAL is to associate a given
1456  *		file descriptor with a file structure and increment the
1457  *		file pointer reference count.
1458  * TODO:	remove pass in of fpp.
1459  * increment a reference count so that even if a thread with same process delete
1460  * the same object, it will not panic our system
1461  * QUESTION:
1462  * where to decrement the f_count?????????????????
1463  * seems like I need to set a flag if f_count incremented through audit_getf
1464  */
1465 
1466 /*ARGSUSED*/
1467 int
1468 audit_getf(int fd)
1469 {
1470 #ifdef NOTYET
1471 	t_audit_data_t *tad;
1472 
1473 	tad = T2A(curthread);
1474 
1475 	if (!(tad->tad_scid == SYS_openat ||
1476 	    tad->tad_scid == SYS_openat64 ||
1477 	    tad->tad_scid == SYS_open ||
1478 	    tad->tad_scid == SYS_open64))
1479 		return (0);
1480 #endif
1481 	return (0);
1482 }
1483 
1484 /*
1485  *	Audit hook for stream based socket and tli request.
1486  *	Note that we do not have user context while executing
1487  *	this code so we had to record them earlier during the
1488  *	putmsg/getmsg to figure out which user we are dealing with.
1489  */
1490 
1491 /*ARGSUSED*/
1492 void
1493 audit_sock(
1494 	int type,	/* type of tihdr.h header requests */
1495 	queue_t *q,	/* contains the process and thread audit data */
1496 	mblk_t *mp,	/* contains the tihdr.h header structures */
1497 	int from)	/* timod or sockmod request */
1498 {
1499 	int32_t    len;
1500 	int32_t    offset;
1501 	struct sockaddr_in *sock_data;
1502 	struct T_conn_req *conn_req;
1503 	struct T_conn_ind *conn_ind;
1504 	struct T_unitdata_req *unitdata_req;
1505 	struct T_unitdata_ind *unitdata_ind;
1506 	au_state_t estate;
1507 	t_audit_data_t *tad;
1508 	caddr_t saved_thread_ptr;
1509 	au_mask_t amask;
1510 	const auditinfo_addr_t *ainfo;
1511 	au_kcontext_t	*kctx;
1512 
1513 	if (q->q_stream == NULL)
1514 		return;
1515 	mutex_enter(&q->q_stream->sd_lock);
1516 	/* are we being audited */
1517 	saved_thread_ptr = q->q_stream->sd_t_audit_data;
1518 	/* no pointer to thread, nothing to do */
1519 	if (saved_thread_ptr == NULL) {
1520 		mutex_exit(&q->q_stream->sd_lock);
1521 		return;
1522 	}
1523 	/* only allow one addition of a record token */
1524 	q->q_stream->sd_t_audit_data = NULL;
1525 	/*
1526 	 * thread is not the one being audited, then nothing to do
1527 	 * This could be the stream thread handling the module
1528 	 * service routine. In this case, the context for the audit
1529 	 * record can no longer be assumed. Simplest to just drop
1530 	 * the operation.
1531 	 */
1532 	if (curthread != (kthread_id_t)saved_thread_ptr) {
1533 		mutex_exit(&q->q_stream->sd_lock);
1534 		return;
1535 	}
1536 	if (curthread->t_sysnum >= SYS_so_socket &&
1537 	    curthread->t_sysnum <= SYS_sockconfig) {
1538 		mutex_exit(&q->q_stream->sd_lock);
1539 		return;
1540 	}
1541 	mutex_exit(&q->q_stream->sd_lock);
1542 	/*
1543 	 * we know that the thread that did the put/getmsg is the
1544 	 * one running. Now we can get the TAD and see if we should
1545 	 * add an audit token.
1546 	 */
1547 	tad = U2A(u);
1548 
1549 	kctx = GET_KCTX_PZ;
1550 
1551 	/* proceed ONLY if user is being audited */
1552 	if (!tad->tad_flag)
1553 		return;
1554 
1555 	ainfo = crgetauinfo(CRED());
1556 	if (ainfo == NULL)
1557 		return;
1558 	amask = ainfo->ai_mask;
1559 
1560 	/*
1561 	 * Figure out the type of stream networking request here.
1562 	 * Note that getmsg and putmsg are always preselected
1563 	 * because during the beginning of the system call we have
1564 	 * not yet figure out which of the socket or tli request
1565 	 * we are looking at until we are here. So we need to check
1566 	 * against that specific request and reset the type of event.
1567 	 */
1568 	switch (type) {
1569 	case T_CONN_REQ:	/* connection request */
1570 		conn_req = (struct T_conn_req *)mp->b_rptr;
1571 		if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1572 			return;
1573 		offset = conn_req->DEST_offset;
1574 		len = conn_req->DEST_length;
1575 		estate = kctx->auk_ets[AUE_SOCKCONNECT];
1576 		if (amask.as_success & estate || amask.as_failure & estate) {
1577 			tad->tad_event = AUE_SOCKCONNECT;
1578 			break;
1579 		} else {
1580 			return;
1581 		}
1582 	case T_CONN_IND:	 /* connectionless receive request */
1583 		conn_ind = (struct T_conn_ind *)mp->b_rptr;
1584 		if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1585 			return;
1586 		offset = conn_ind->SRC_offset;
1587 		len = conn_ind->SRC_length;
1588 		estate = kctx->auk_ets[AUE_SOCKACCEPT];
1589 		if (amask.as_success & estate || amask.as_failure & estate) {
1590 			tad->tad_event = AUE_SOCKACCEPT;
1591 			break;
1592 		} else {
1593 			return;
1594 		}
1595 	case T_UNITDATA_REQ:	 /* connectionless send request */
1596 		unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1597 		if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1598 			return;
1599 		offset = unitdata_req->DEST_offset;
1600 		len = unitdata_req->DEST_length;
1601 		estate = kctx->auk_ets[AUE_SOCKSEND];
1602 		if (amask.as_success & estate || amask.as_failure & estate) {
1603 			tad->tad_event = AUE_SOCKSEND;
1604 			break;
1605 		} else {
1606 			return;
1607 		}
1608 	case T_UNITDATA_IND:	 /* connectionless receive request */
1609 		unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1610 		if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1611 			return;
1612 		offset = unitdata_ind->SRC_offset;
1613 		len = unitdata_ind->SRC_length;
1614 		estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1615 		if (amask.as_success & estate || amask.as_failure & estate) {
1616 			tad->tad_event = AUE_SOCKRECEIVE;
1617 			break;
1618 		} else {
1619 			return;
1620 		}
1621 	default:
1622 		return;
1623 	}
1624 
1625 	/*
1626 	 * we are only interested in tcp stream connections,
1627 	 * not unix domain stuff
1628 	 */
1629 	if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1630 		tad->tad_event = AUE_GETMSG;
1631 		return;
1632 	}
1633 	/* skip over TPI header and point to the ip address */
1634 	sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1635 
1636 	switch (sock_data->sin_family) {
1637 	case AF_INET:
1638 		au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1639 		break;
1640 	default:	/* reset to AUE_PUTMSG if not a inet request */
1641 		tad->tad_event = AUE_GETMSG;
1642 		break;
1643 	}
1644 }
1645 
1646 void
1647 audit_lookupname()
1648 {
1649 }
1650 
1651 /*ARGSUSED*/
1652 int
1653 audit_pathcomp(struct pathname *pnp, vnode_t *cvp, cred_t *cr)
1654 {
1655 	return (0);
1656 }
1657 
1658 static void
1659 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1660 {
1661 	unsigned int sy_flags;
1662 
1663 #ifdef _SYSCALL32_IMPL
1664 	/*
1665 	 * Guard against t_lwp being NULL when this function is called
1666 	 * from a kernel queue instead of from a direct system call.
1667 	 * In that case, assume the running kernel data model.
1668 	 */
1669 	if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1670 	    ttolwp(curthread)) == DATAMODEL_NATIVE))
1671 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1672 	else
1673 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1674 #else
1675 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1676 #endif
1677 
1678 	if (sy_flags == SE_64RVAL)
1679 		au_write(ad, au_to_return64(err, rval));
1680 	else
1681 		au_write(ad, au_to_return32(err, rval));
1682 
1683 }
1684 
1685 /*ARGSUSED*/
1686 void
1687 audit_fdsend(fd, fp, error)
1688 	int fd;
1689 	struct file *fp;
1690 	int error;		/* ignore for now */
1691 {
1692 	t_audit_data_t *tad;	/* current thread */
1693 	f_audit_data_t *fad;	/* per file audit structure */
1694 	struct vnode *vp;	/* for file attributes */
1695 
1696 	/* is this system call being audited */
1697 	tad = U2A(u);
1698 	ASSERT(tad != (t_audit_data_t *)0);
1699 	if (!tad->tad_flag)
1700 		return;
1701 
1702 	fad = F2A(fp);
1703 
1704 	/* add path and file attributes */
1705 	if (fad != NULL && fad->fad_aupath != NULL) {
1706 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1707 		au_uwrite(au_to_path(fad->fad_aupath));
1708 	} else {
1709 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1710 #ifdef _LP64
1711 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1712 #else
1713 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1714 #endif
1715 	}
1716 	vp = fp->f_vnode;	/* include vnode attributes */
1717 	audit_attributes(vp);
1718 }
1719 
1720 /*
1721  * Record privileges successfully used and we attempted to use but
1722  * didn't have.
1723  */
1724 void
1725 audit_priv(int priv, const priv_set_t *set, int flag)
1726 {
1727 	t_audit_data_t *tad;
1728 	int sbit;
1729 	priv_set_t *target;
1730 
1731 	/* Make sure this isn't being called in an interrupt context */
1732 	ASSERT(servicing_interrupt() == 0);
1733 
1734 	tad = U2A(u);
1735 
1736 	if (tad->tad_flag == 0)
1737 		return;
1738 
1739 	target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1740 	sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1741 
1742 	/* Tell audit_success() and audit_finish() that we saw this case */
1743 	if (!(tad->tad_evmod & sbit)) {
1744 		/* Clear set first time around */
1745 		priv_emptyset(target);
1746 		tad->tad_evmod |= sbit;
1747 	}
1748 
1749 	/* Save the privileges in the tad */
1750 	if (priv == PRIV_ALL) {
1751 		priv_fillset(target);
1752 	} else {
1753 		ASSERT(set != NULL || priv != PRIV_NONE);
1754 		if (set != NULL)
1755 			priv_union(set, target);
1756 		if (priv != PRIV_NONE)
1757 			priv_addset(target, priv);
1758 	}
1759 }
1760 
1761 /*
1762  * Audit the setpriv() system call; the operation, the set name and
1763  * the current value as well as the set argument are put in the
1764  * audit trail.
1765  */
1766 void
1767 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1768 {
1769 	t_audit_data_t *tad;
1770 	const priv_set_t *oldpriv;
1771 	priv_set_t report;
1772 	const char *setname;
1773 
1774 	tad = U2A(u);
1775 
1776 	if (tad->tad_flag == 0)
1777 		return;
1778 
1779 	oldpriv = priv_getset(ocr, set);
1780 
1781 	/* Generate the actual record, include the before and after */
1782 	au_uwrite(au_to_arg32(2, "op", op));
1783 	setname = priv_getsetbynum(set);
1784 
1785 	switch (op) {
1786 	case PRIV_OFF:
1787 		/* Report privileges actually switched off */
1788 		report = *oldpriv;
1789 		priv_intersect(newpriv, &report);
1790 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1791 		break;
1792 	case PRIV_ON:
1793 		/* Report privileges actually switched on */
1794 		report = *oldpriv;
1795 		priv_inverse(&report);
1796 		priv_intersect(newpriv, &report);
1797 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1798 		break;
1799 	case PRIV_SET:
1800 		/* Report before and after */
1801 		au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1802 		au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1803 		break;
1804 	}
1805 }
1806 
1807 /*
1808  * Dump the full device policy setting in the audit trail.
1809  */
1810 void
1811 audit_devpolicy(int nitems, const devplcysys_t *items)
1812 {
1813 	t_audit_data_t *tad;
1814 	int i;
1815 
1816 	tad = U2A(u);
1817 
1818 	if (tad->tad_flag == 0)
1819 		return;
1820 
1821 	for (i = 0; i < nitems; i++) {
1822 		au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1823 		if (items[i].dps_minornm[0] == '\0') {
1824 			au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1825 			au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1826 		} else
1827 			au_uwrite(au_to_text(items[i].dps_minornm));
1828 
1829 		au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1830 		    AUT_PRIV, 0));
1831 		au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1832 		    AUT_PRIV, 0));
1833 	}
1834 }
1835 
1836 /*ARGSUSED*/
1837 void
1838 audit_fdrecv(fd, fp)
1839 	int fd;
1840 	struct file *fp;
1841 {
1842 	t_audit_data_t *tad;	/* current thread */
1843 	f_audit_data_t *fad;	/* per file audit structure */
1844 	struct vnode *vp;	/* for file attributes */
1845 
1846 	/* is this system call being audited */
1847 	tad = U2A(u);
1848 	ASSERT(tad != (t_audit_data_t *)0);
1849 	if (!tad->tad_flag)
1850 		return;
1851 
1852 	fad = F2A(fp);
1853 
1854 	/* add path and file attributes */
1855 	if (fad != NULL && fad->fad_aupath != NULL) {
1856 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1857 		au_uwrite(au_to_path(fad->fad_aupath));
1858 	} else {
1859 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1860 #ifdef _LP64
1861 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1862 #else
1863 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1864 #endif
1865 	}
1866 	vp = fp->f_vnode;	/* include vnode attributes */
1867 	audit_attributes(vp);
1868 }
1869 
1870 /*
1871  * ROUTINE:	AUDIT_CRYPTOADM
1872  * PURPOSE:	Records arguments to administrative ioctls on /dev/cryptoadm
1873  * CALLBY:	CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1874  *		CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1875  *		CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1876  *		CRYPTO_LOAD_DOOR
1877  * NOTE:
1878  * TODO:
1879  * QUESTION:
1880  */
1881 
1882 void
1883 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1884     uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1885 {
1886 	boolean_t		mech_list_required = B_FALSE;
1887 	cred_t			*cr = CRED();
1888 	t_audit_data_t		*tad;
1889 	token_t			*ad = NULL;
1890 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
1891 	char			buffer[MAXNAMELEN * 2];
1892 	au_kcontext_t		*kctx = GET_KCTX_PZ;
1893 
1894 	tad = U2A(u);
1895 	if (tad == NULL)
1896 		return;
1897 
1898 	if (ainfo == NULL)
1899 		return;
1900 
1901 	tad->tad_event = AUE_CRYPTOADM;
1902 
1903 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
1904 		return;
1905 
1906 	/* Add subject information */
1907 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1908 
1909 	switch (cmd) {
1910 	case CRYPTO_LOAD_DEV_DISABLED:
1911 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1912 			(void) snprintf(buffer, sizeof (buffer),
1913 			    "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1914 			    " dev_instance=%d",
1915 			    module_name, device_instance);
1916 			mech_list_required = B_TRUE;
1917 		} else {
1918 			(void) snprintf(buffer, sizeof (buffer),
1919 			    "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1920 		}
1921 		break;
1922 
1923 	case CRYPTO_LOAD_SOFT_DISABLED:
1924 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1925 			(void) snprintf(buffer, sizeof (buffer),
1926 			    "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1927 			    module_name);
1928 			mech_list_required = B_TRUE;
1929 		} else {
1930 			(void) snprintf(buffer, sizeof (buffer),
1931 			    "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1932 		}
1933 		break;
1934 
1935 	case CRYPTO_UNLOAD_SOFT_MODULE:
1936 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1937 			(void) snprintf(buffer, sizeof (buffer),
1938 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1939 			    module_name);
1940 		} else {
1941 			(void) snprintf(buffer, sizeof (buffer),
1942 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1943 		}
1944 		break;
1945 
1946 	case CRYPTO_LOAD_SOFT_CONFIG:
1947 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1948 			(void) snprintf(buffer, sizeof (buffer),
1949 			    "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1950 			    module_name);
1951 			mech_list_required = B_TRUE;
1952 		} else {
1953 			(void) snprintf(buffer, sizeof (buffer),
1954 			    "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1955 		}
1956 		break;
1957 
1958 	case CRYPTO_POOL_CREATE:
1959 		(void) snprintf(buffer, sizeof (buffer),
1960 		    "op=CRYPTO_POOL_CREATE");
1961 		break;
1962 
1963 	case CRYPTO_POOL_WAIT:
1964 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1965 		break;
1966 
1967 	case CRYPTO_POOL_RUN:
1968 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1969 		break;
1970 
1971 	case CRYPTO_LOAD_DOOR:
1972 		if (error == 0 && rv == CRYPTO_SUCCESS)
1973 			(void) snprintf(buffer, sizeof (buffer),
1974 			    "op=CRYPTO_LOAD_DOOR");
1975 		else
1976 			(void) snprintf(buffer, sizeof (buffer),
1977 			    "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1978 		break;
1979 
1980 	case CRYPTO_FIPS140_SET:
1981 		(void) snprintf(buffer, sizeof (buffer),
1982 		    "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
1983 		break;
1984 
1985 	default:
1986 		return;
1987 	}
1988 
1989 	au_write((caddr_t *)&ad, au_to_text(buffer));
1990 
1991 	if (mech_list_required) {
1992 		int i;
1993 
1994 		if (mech_count == 0) {
1995 			au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
1996 		} else {
1997 			char	*pb = buffer;
1998 			size_t	l = sizeof (buffer);
1999 			size_t	n;
2000 			char	space[2] = ":";
2001 
2002 			n = snprintf(pb, l, "mech=");
2003 
2004 			for (i = 0; i < mech_count; i++) {
2005 				pb += n;
2006 				l -= n;
2007 				if (l < 0)
2008 					l = 0;
2009 
2010 				if (i == mech_count - 1)
2011 					(void) strcpy(space, "");
2012 
2013 				n = snprintf(pb, l, "%s%s", mech_names[i],
2014 				    space);
2015 			}
2016 			au_write((caddr_t *)&ad, au_to_text(buffer));
2017 		}
2018 	}
2019 
2020 	/* add a return token */
2021 	if (error || (rv != CRYPTO_SUCCESS))
2022 		add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
2023 	else
2024 		add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
2025 
2026 	AS_INC(as_generated, 1, kctx);
2027 	AS_INC(as_kernel, 1, kctx);
2028 
2029 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
2030 	    NULL);
2031 }
2032 
2033 /*
2034  * Audit the kernel SSL administration command. The address and the
2035  * port number for the SSL instance, and the proxy port are put in the
2036  * audit trail.
2037  */
2038 void
2039 audit_kssl(int cmd, void *params, int error)
2040 {
2041 	cred_t			*cr = CRED();
2042 	t_audit_data_t		*tad;
2043 	token_t			*ad = NULL;
2044 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
2045 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2046 
2047 	tad = U2A(u);
2048 
2049 	if (ainfo == NULL)
2050 		return;
2051 
2052 	tad->tad_event = AUE_CONFIGKSSL;
2053 
2054 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
2055 		return;
2056 
2057 	/* Add subject information */
2058 	AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
2059 
2060 	switch (cmd) {
2061 	case KSSL_ADD_ENTRY: {
2062 		char buf[32];
2063 		kssl_params_t *kp = (kssl_params_t *)params;
2064 		struct sockaddr_in6 *saddr = &kp->kssl_addr;
2065 
2066 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
2067 		au_write((caddr_t *)&ad,
2068 		    au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2069 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2070 		    saddr->sin6_port);
2071 		au_write((caddr_t *)&ad, au_to_text(buf));
2072 
2073 		(void) snprintf(buf, sizeof (buf), "proxy port=%d",
2074 		    kp->kssl_proxy_port);
2075 		au_write((caddr_t *)&ad, au_to_text(buf));
2076 		break;
2077 	}
2078 
2079 	case KSSL_DELETE_ENTRY: {
2080 		char buf[32];
2081 		struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
2082 
2083 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
2084 		au_write((caddr_t *)&ad,
2085 		    au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
2086 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
2087 		    saddr->sin6_port);
2088 		au_write((caddr_t *)&ad, au_to_text(buf));
2089 		break;
2090 	}
2091 
2092 	default:
2093 		return;
2094 	}
2095 
2096 	/* add a return token */
2097 	add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2098 
2099 	AS_INC(as_generated, 1, kctx);
2100 	AS_INC(as_kernel, 1, kctx);
2101 
2102 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod,
2103 	    NULL);
2104 }
2105 
2106 /*
2107  * Audit the kernel PF_POLICY administration commands.  Record command,
2108  * zone, policy type (global or tunnel, active or inactive)
2109  */
2110 /*
2111  * ROUTINE:	AUDIT_PF_POLICY
2112  * PURPOSE:	Records arguments to administrative ioctls on PF_POLICY socket
2113  * CALLBY:	SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2114  *		SPD_CLONE, SPD_FLIP
2115  * NOTE:
2116  * TODO:
2117  * QUESTION:
2118  */
2119 
2120 void
2121 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2122     boolean_t active, int error, pid_t pid)
2123 {
2124 	const auditinfo_addr_t	*ainfo;
2125 	t_audit_data_t		*tad;
2126 	token_t			*ad = NULL;
2127 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2128 	char			buf[80];
2129 	int			flag;
2130 
2131 	tad = U2A(u);
2132 	if (tad == NULL)
2133 		return;
2134 
2135 	ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2136 	if (ainfo == NULL)
2137 		return;
2138 
2139 	/*
2140 	 * Initialize some variables since these are only set
2141 	 * with system calls.
2142 	 */
2143 
2144 	switch (cmd) {
2145 	case SPD_ADDRULE: {
2146 		tad->tad_event = AUE_PF_POLICY_ADDRULE;
2147 		break;
2148 	}
2149 
2150 	case SPD_DELETERULE: {
2151 		tad->tad_event = AUE_PF_POLICY_DELRULE;
2152 		break;
2153 	}
2154 
2155 	case SPD_FLUSH: {
2156 		tad->tad_event = AUE_PF_POLICY_FLUSH;
2157 		break;
2158 	}
2159 
2160 	case SPD_UPDATEALGS: {
2161 		tad->tad_event = AUE_PF_POLICY_ALGS;
2162 		break;
2163 	}
2164 
2165 	case SPD_CLONE: {
2166 		tad->tad_event = AUE_PF_POLICY_CLONE;
2167 		break;
2168 	}
2169 
2170 	case SPD_FLIP: {
2171 		tad->tad_event = AUE_PF_POLICY_FLIP;
2172 		break;
2173 	}
2174 
2175 	default:
2176 		tad->tad_event = AUE_NULL;
2177 	}
2178 
2179 	tad->tad_evmod = 0;
2180 
2181 	if (flag = audit_success(kctx, tad, error, cred)) {
2182 		zone_t *nszone;
2183 
2184 		/*
2185 		 * For now, just audit that an event happened,
2186 		 * along with the error code.
2187 		 */
2188 		au_write((caddr_t *)&ad,
2189 		    au_to_arg32(1, "Policy Active?", (uint32_t)active));
2190 		au_write((caddr_t *)&ad,
2191 		    au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2192 
2193 		/* Supplemental data */
2194 
2195 		/*
2196 		 * Generate this zone token if the target zone differs
2197 		 * from the administrative zone.  If netstacks are expanded
2198 		 * to something other than a 1-1 relationship with zones,
2199 		 * the auditing framework should create a new token type
2200 		 * and audit it as a netstack instead.
2201 		 * Turn on general zone auditing to get the administrative zone.
2202 		 */
2203 
2204 		nszone = zone_find_by_id(netstackid_to_zoneid(
2205 		    ns->netstack_stackid));
2206 		if (nszone != NULL) {
2207 			if (strncmp(crgetzone(cred)->zone_name,
2208 			    nszone->zone_name, ZONENAME_MAX) != 0) {
2209 				token_t *ztoken;
2210 
2211 				ztoken = au_to_zonename(0, nszone);
2212 				au_write((caddr_t *)&ad, ztoken);
2213 			}
2214 			zone_rele(nszone);
2215 		}
2216 
2217 		if (tun != NULL) {
2218 			/* write tunnel name - tun is bounded */
2219 			(void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2220 			    tun);
2221 			au_write((caddr_t *)&ad, au_to_text(buf));
2222 		}
2223 
2224 		/* Add subject information */
2225 		AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2226 		    ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2227 
2228 		/* add a return token */
2229 		add_return_token((caddr_t *)&ad, 0, error, 0);
2230 
2231 		AS_INC(as_generated, 1, kctx);
2232 		AS_INC(as_kernel, 1, kctx);
2233 
2234 	}
2235 	au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2236 	    NULL);
2237 
2238 	/*
2239 	 * clear the ctrl flag so that we don't have spurious collection of
2240 	 * audit information.
2241 	 */
2242 	tad->tad_scid  = 0;
2243 	tad->tad_event = 0;
2244 	tad->tad_evmod = 0;
2245 	tad->tad_ctrl  = 0;
2246 }
2247 
2248 /*
2249  * ROUTINE:	AUDIT_SEC_ATTRIBUTES
2250  * PURPOSE:	Add security attributes
2251  * CALLBY:	AUDIT_ATTRIBUTES
2252  *		AUDIT_CLOSEF
2253  *		AUS_CLOSE
2254  * NOTE:
2255  * TODO:
2256  * QUESTION:
2257  */
2258 
2259 void
2260 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2261 {
2262 	/* Dump the SL */
2263 	if (is_system_labeled()) {
2264 		ts_label_t	*tsl;
2265 		bslabel_t	*bsl;
2266 
2267 		tsl = getflabel(vp);
2268 		if (tsl == NULL)
2269 			return;			/* nothing else to do */
2270 
2271 		bsl = label2bslabel(tsl);
2272 		if (bsl == NULL)
2273 			return;			/* nothing else to do */
2274 		au_write(ad, au_to_label(bsl));
2275 		label_rele(tsl);
2276 	}
2277 
2278 }	/* AUDIT_SEC_ATTRIBUTES */
2279