xref: /illumos-gate/usr/src/uts/common/c2/audit.c (revision 6a634c9d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*
27  * This file contains the audit hook support code for auditing.
28  */
29 
30 #include <sys/types.h>
31 #include <sys/proc.h>
32 #include <sys/vnode.h>
33 #include <sys/vfs.h>
34 #include <sys/file.h>
35 #include <sys/user.h>
36 #include <sys/stropts.h>
37 #include <sys/systm.h>
38 #include <sys/pathname.h>
39 #include <sys/syscall.h>
40 #include <sys/fcntl.h>
41 #include <sys/ipc_impl.h>
42 #include <sys/msg_impl.h>
43 #include <sys/sem_impl.h>
44 #include <sys/shm_impl.h>
45 #include <sys/kmem.h>		/* for KM_SLEEP */
46 #include <sys/socket.h>
47 #include <sys/cmn_err.h>	/* snprintf... */
48 #include <sys/debug.h>
49 #include <sys/thread.h>
50 #include <netinet/in.h>
51 #include <c2/audit.h>		/* needs to be included before user.h */
52 #include <c2/audit_kernel.h>	/* for M_DONTWAIT */
53 #include <c2/audit_kevents.h>
54 #include <c2/audit_record.h>
55 #include <sys/strsubr.h>
56 #include <sys/tihdr.h>
57 #include <sys/tiuser.h>
58 #include <sys/timod.h>
59 #include <sys/model.h>		/* for model_t */
60 #include <sys/disp.h>		/* for servicing_interrupt() */
61 #include <sys/devpolicy.h>
62 #include <sys/crypto/ioctladmin.h>
63 #include <sys/cred_impl.h>
64 #include <inet/kssl/kssl.h>
65 #include <net/pfpolicy.h>
66 
67 static void add_return_token(caddr_t *, unsigned int scid, int err, int rval);
68 
69 static void audit_pathbuild(struct pathname *pnp);
70 
71 
72 /*
73  * ROUTINE:	AUDIT_SAVEPATH
74  * PURPOSE:
75  * CALLBY:	LOOKUPPN
76  *
77  * NOTE:	We have reached the end of a path in fs/lookup.c.
78  *		We get two pieces of information here:
79  *		the vnode of the last component (vp) and
80  *		the status of the last access (flag).
81  * TODO:
82  * QUESTION:
83  */
84 
85 /*ARGSUSED*/
86 int
87 audit_savepath(
88 	struct pathname *pnp,		/* pathname to lookup */
89 	struct vnode *vp,		/* vnode of the last component */
90 	struct vnode *pvp,		/* vnode of the last parent component */
91 	int    flag,			/* status of the last access */
92 	cred_t *cr)			/* cred of requestor */
93 {
94 
95 	t_audit_data_t *tad;	/* current thread */
96 	au_kcontext_t	*kctx = GET_KCTX_PZ;
97 
98 	tad = U2A(u);
99 
100 	/*
101 	 * Noise elimination in audit trails - this event will be discarded if:
102 	 * - the public policy is not active AND
103 	 * - the system call is a public operation AND
104 	 * - the file was not found: VFS lookup failed with ENOENT error AND
105 	 * - the missing file would have been located in the public directory
106 	 *   owned by root if it had existed
107 	 */
108 	if (tad->tad_flag != 0 && flag == ENOENT && pvp != NULL &&
109 	    (tad->tad_ctrl & TAD_PUBLIC_EV) &&
110 	    !(kctx->auk_policy & AUDIT_PUBLIC)) {
111 		struct vattr attr;
112 
113 		attr.va_mask = AT_ALL;
114 		if (VOP_GETATTR(pvp, &attr, 0, CRED(), NULL) == 0) {
115 			if (object_is_public(&attr)) {
116 				tad->tad_ctrl |= TAD_NOAUDIT;
117 			}
118 		}
119 	}
120 
121 	/*
122 	 * this event being audited or do we need path information
123 	 * later? This might be for a chdir/chroot or open (add path
124 	 * to file pointer. If the path has already been found for an
125 	 * open/creat then we don't need to process the path.
126 	 *
127 	 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
128 	 *	chroot, chdir, open, creat system call processing. It determines
129 	 *	if audit_savepath() will discard the path or we need it later.
130 	 * TAD_PATHFND means path already included in this audit record. It
131 	 *	is used in cases where multiple path lookups are done per
132 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
133 	 *	paths are allowed.
134 	 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
135 	 *	exit processing to inhibit any paths that may be added due to
136 	 *	closes.
137 	 */
138 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
139 	    ((tad->tad_ctrl & TAD_PATHFND) &&
140 	    !(kctx->auk_policy & AUDIT_PATH)) ||
141 	    (tad->tad_ctrl & TAD_NOPATH)) {
142 		return (0);
143 	}
144 
145 	tad->tad_ctrl |= TAD_NOPATH;		/* prevent possible reentry */
146 
147 	audit_pathbuild(pnp);
148 
149 	/*
150 	 * are we auditing only if error, or if it is not open or create
151 	 * otherwise audit_setf will do it
152 	 */
153 
154 	if (tad->tad_flag) {
155 		if (flag &&
156 		    (tad->tad_scid == SYS_open ||
157 		    tad->tad_scid == SYS_open64 ||
158 		    tad->tad_scid == SYS_openat ||
159 		    tad->tad_scid == SYS_openat64)) {
160 			tad->tad_ctrl |= TAD_TRUE_CREATE;
161 		}
162 
163 		/* add token to audit record for this name */
164 		au_uwrite(au_to_path(tad->tad_aupath));
165 
166 		/* add the attributes of the object */
167 		if (vp) {
168 			/*
169 			 * only capture attributes when there is no error
170 			 * lookup will not return the vnode of the failing
171 			 * component.
172 			 *
173 			 * if there was a lookup error, then don't add
174 			 * attribute. if lookup in vn_create(),
175 			 * then don't add attribute,
176 			 * it will be added at end of vn_create().
177 			 */
178 			if (!flag && !(tad->tad_ctrl & TAD_NOATTRB))
179 				audit_attributes(vp);
180 		}
181 	}
182 
183 	/* free up space if we're not going to save path (open, creat) */
184 	if ((tad->tad_ctrl & TAD_SAVPATH) == 0) {
185 		if (tad->tad_aupath != NULL) {
186 			au_pathrele(tad->tad_aupath);
187 			tad->tad_aupath = NULL;
188 		}
189 	}
190 	if (tad->tad_ctrl & TAD_MLD)
191 		tad->tad_ctrl |= TAD_PATHFND;
192 
193 	tad->tad_ctrl &= ~TAD_NOPATH;		/* restore */
194 	return (0);
195 }
196 
197 static void
198 audit_pathbuild(struct pathname *pnp)
199 {
200 	char *pp;	/* pointer to path */
201 	int len;	/* length of incoming segment */
202 	int newsect;	/* path requires a new section */
203 	struct audit_path	*pfxapp;	/* prefix for path */
204 	struct audit_path	*newapp;	/* new audit_path */
205 	t_audit_data_t *tad;	/* current thread */
206 	p_audit_data_t *pad;	/* current process */
207 
208 	tad = U2A(u);
209 	ASSERT(tad != NULL);
210 	pad = P2A(curproc);
211 	ASSERT(pad != NULL);
212 
213 	len = (pnp->pn_path - pnp->pn_buf) + 1;		/* +1 for terminator */
214 	ASSERT(len > 0);
215 
216 	/* adjust for path prefix: tad_aupath, ATPATH, CRD, or CWD */
217 	mutex_enter(&pad->pad_lock);
218 	if (tad->tad_aupath != NULL) {
219 		pfxapp = tad->tad_aupath;
220 	} else if ((tad->tad_ctrl & TAD_ATCALL) && pnp->pn_buf[0] != '/') {
221 		ASSERT(tad->tad_atpath != NULL);
222 		pfxapp = tad->tad_atpath;
223 	} else if (tad->tad_ctrl & TAD_ABSPATH) {
224 		pfxapp = pad->pad_root;
225 	} else {
226 		pfxapp = pad->pad_cwd;
227 	}
228 	au_pathhold(pfxapp);
229 	mutex_exit(&pad->pad_lock);
230 
231 	/* get an expanded buffer to hold the anchored path */
232 	newsect = tad->tad_ctrl & TAD_ATTPATH;
233 	newapp = au_pathdup(pfxapp, newsect, len);
234 	au_pathrele(pfxapp);
235 
236 	pp = newapp->audp_sect[newapp->audp_cnt] - len;
237 	if (!newsect) {
238 		/* overlay previous NUL terminator */
239 		*(pp - 1) = '/';
240 	}
241 
242 	/* now add string of processed path */
243 	bcopy(pnp->pn_buf, pp, len);
244 	pp[len - 1] = '\0';
245 
246 	/* perform path simplification as necessary */
247 	audit_fixpath(newapp, len);
248 
249 	if (tad->tad_aupath)
250 		au_pathrele(tad->tad_aupath);
251 	tad->tad_aupath = newapp;
252 
253 	/* for case where multiple lookups in one syscall (rename) */
254 	tad->tad_ctrl &= ~(TAD_ABSPATH | TAD_ATTPATH);
255 }
256 
257 
258 /*
259  * ROUTINE:	AUDIT_ANCHORPATH
260  * PURPOSE:
261  * CALLBY:	LOOKUPPN
262  * NOTE:
263  * anchor path at "/". We have seen a symbolic link or entering for the
264  * first time we will throw away any saved path if path is anchored.
265  *
266  * flag = 0, path is relative.
267  * flag = 1, path is absolute. Free any saved path and set flag to TAD_ABSPATH.
268  *
269  * If the (new) path is absolute, then we have to throw away whatever we have
270  * already accumulated since it is being superseded by new path which is
271  * anchored at the root.
272  *		Note that if the path is relative, this function does nothing
273  * TODO:
274  * QUESTION:
275  */
276 /*ARGSUSED*/
277 void
278 audit_anchorpath(struct pathname *pnp, int flag)
279 {
280 	au_kcontext_t	*kctx = GET_KCTX_PZ;
281 	t_audit_data_t *tad;
282 
283 	tad = U2A(u);
284 
285 	/*
286 	 * this event being audited or do we need path information
287 	 * later? This might be for a chdir/chroot or open (add path
288 	 * to file pointer. If the path has already been found for an
289 	 * open/creat then we don't need to process the path.
290 	 *
291 	 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
292 	 *	chroot, chdir, open, creat system call processing. It determines
293 	 *	if audit_savepath() will discard the path or we need it later.
294 	 * TAD_PATHFND means path already included in this audit record. It
295 	 *	is used in cases where multiple path lookups are done per
296 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
297 	 *	paths are allowed.
298 	 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
299 	 *	exit processing to inhibit any paths that may be added due to
300 	 *	closes.
301 	 */
302 	if ((tad->tad_flag == 0 && !(tad->tad_ctrl & TAD_SAVPATH)) ||
303 	    ((tad->tad_ctrl & TAD_PATHFND) &&
304 	    !(kctx->auk_policy & AUDIT_PATH)) ||
305 	    (tad->tad_ctrl & TAD_NOPATH)) {
306 		return;
307 	}
308 
309 	if (flag) {
310 		tad->tad_ctrl |= TAD_ABSPATH;
311 		if (tad->tad_aupath != NULL) {
312 			au_pathrele(tad->tad_aupath);
313 			tad->tad_aupath = NULL;
314 		}
315 	}
316 }
317 
318 
319 /*
320  * symbolic link. Save previous components.
321  *
322  * the path seen so far looks like this
323  *
324  *  +-----------------------+----------------+
325  *  | path processed so far | remaining path |
326  *  +-----------------------+----------------+
327  *  \-----------------------/
328  *	save this string if
329  *	symbolic link relative
330  *	(but don't include  symlink component)
331  */
332 
333 /*ARGSUSED*/
334 
335 
336 /*
337  * ROUTINE:	AUDIT_SYMLINK
338  * PURPOSE:
339  * CALLBY:	LOOKUPPN
340  * NOTE:
341  * TODO:
342  * QUESTION:
343  */
344 void
345 audit_symlink(struct pathname *pnp, struct pathname *sympath)
346 {
347 	char *sp;	/* saved initial pp */
348 	char *cp;	/* start of symlink path */
349 	uint_t len_path;	/* processed path before symlink */
350 	t_audit_data_t *tad;
351 	au_kcontext_t	*kctx = GET_KCTX_PZ;
352 
353 	tad = U2A(u);
354 
355 	/*
356 	 * this event being audited or do we need path information
357 	 * later? This might be for a chdir/chroot or open (add path
358 	 * to file pointer. If the path has already been found for an
359 	 * open/creat then we don't need to process the path.
360 	 *
361 	 * S2E_SP (TAD_SAVPATH) flag comes from audit_s2e[].au_ctrl. Used with
362 	 *	chroot, chdir, open, creat system call processing. It determines
363 	 *	if audit_savepath() will discard the path or we need it later.
364 	 * TAD_PATHFND means path already included in this audit record. It
365 	 *	is used in cases where multiple path lookups are done per
366 	 *	system call. The policy flag, AUDIT_PATH, controls if multiple
367 	 *	paths are allowed.
368 	 * S2E_NPT (TAD_NOPATH) flag comes from audit_s2e[].au_ctrl. Used with
369 	 *	exit processing to inhibit any paths that may be added due to
370 	 *	closes.
371 	 */
372 	if ((tad->tad_flag == 0 &&
373 	    !(tad->tad_ctrl & TAD_SAVPATH)) ||
374 	    ((tad->tad_ctrl & TAD_PATHFND) &&
375 	    !(kctx->auk_policy & AUDIT_PATH)) ||
376 	    (tad->tad_ctrl & TAD_NOPATH)) {
377 		return;
378 	}
379 
380 	/*
381 	 * if symbolic link is anchored at / then do nothing.
382 	 * When we cycle back to begin: in lookuppn() we will
383 	 * call audit_anchorpath() with a flag indicating if the
384 	 * path is anchored at / or is relative. We will release
385 	 * any saved path at that point.
386 	 *
387 	 * Note In the event that an error occurs in pn_combine then
388 	 * we want to remain pointing at the component that caused the
389 	 * path to overflow the pnp structure.
390 	 */
391 	if (sympath->pn_buf[0] == '/')
392 		return;
393 
394 	/* backup over last component */
395 	sp = cp = pnp->pn_path;
396 	while (*--cp != '/' && cp > pnp->pn_buf)
397 		;
398 
399 	len_path = cp - pnp->pn_buf;
400 
401 	/* is there anything to save? */
402 	if (len_path) {
403 		pnp->pn_path = pnp->pn_buf;
404 		audit_pathbuild(pnp);
405 		pnp->pn_path = sp;
406 	}
407 }
408 
409 /*
410  * object_is_public : determine whether events for the object (corresponding to
411  *			the specified file/directory attr) should be audited or
412  *			ignored.
413  *
414  * returns: 	1 - if audit policy and object attributes indicate that
415  *			file/directory is effectively public. read events for
416  *			the file should not be audited.
417  *		0 - otherwise
418  *
419  * The required attributes to be considered a public object are:
420  * - owned by root, AND
421  * - world-readable (permissions for other include read), AND
422  * - NOT world-writeable (permissions for other don't
423  *	include write)
424  *   (mode doesn't need to be checked for symlinks)
425  */
426 int
427 object_is_public(struct vattr *attr)
428 {
429 	au_kcontext_t	*kctx = GET_KCTX_PZ;
430 
431 	if (!(kctx->auk_policy & AUDIT_PUBLIC) && (attr->va_uid == 0) &&
432 	    ((attr->va_type == VLNK) ||
433 	    ((attr->va_mode & (VREAD>>6)) != 0) &&
434 	    ((attr->va_mode & (VWRITE>>6)) == 0))) {
435 		return (1);
436 	}
437 	return (0);
438 }
439 
440 
441 /*
442  * ROUTINE:	AUDIT_ATTRIBUTES
443  * PURPOSE:	Audit the attributes so we can tell why the error occurred
444  * CALLBY:	AUDIT_SAVEPATH
445  *		AUDIT_VNCREATE_FINISH
446  *		AUS_FCHOWN...audit_event.c...audit_path.c
447  * NOTE:
448  * TODO:
449  * QUESTION:
450  */
451 void
452 audit_attributes(struct vnode *vp)
453 {
454 	struct vattr attr;
455 	struct t_audit_data *tad;
456 
457 	tad = U2A(u);
458 
459 	if (vp) {
460 		attr.va_mask = AT_ALL;
461 		if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) != 0)
462 			return;
463 
464 		if (object_is_public(&attr) &&
465 		    (tad->tad_ctrl & TAD_PUBLIC_EV)) {
466 			/*
467 			 * This is a public object and a "public" event
468 			 * (i.e., read only) -- either by definition
469 			 * (e.g., stat, access...) or by virtue of write access
470 			 * not being requested (e.g. mmap).
471 			 * Flag it in the tad to prevent this audit at the end.
472 			 */
473 			tad->tad_ctrl |= TAD_NOAUDIT;
474 		} else {
475 			au_uwrite(au_to_attr(&attr));
476 			audit_sec_attributes(&(u_ad), vp);
477 		}
478 	}
479 }
480 
481 
482 /*
483  * ROUTINE:	AUDIT_EXIT
484  * PURPOSE:
485  * CALLBY:	EXIT
486  * NOTE:
487  * TODO:
488  * QUESTION:	why cmw code as offset by 2 but not here
489  */
490 /* ARGSUSED */
491 void
492 audit_exit(int code, int what)
493 {
494 	struct t_audit_data *tad;
495 	tad = U2A(u);
496 
497 	/*
498 	 * tad_scid will be set by audit_start even if we are not auditing
499 	 * the event.
500 	 */
501 	if (tad->tad_scid == SYS_exit) {
502 		/*
503 		 * if we are auditing the exit system call, then complete
504 		 * audit record generation (no return from system call).
505 		 */
506 		if (tad->tad_flag && tad->tad_event == AUE_EXIT)
507 			audit_finish(0, SYS_exit, 0, 0);
508 		return;
509 	}
510 
511 	/*
512 	 * Anyone auditing the system call that was aborted?
513 	 */
514 	if (tad->tad_flag) {
515 		au_uwrite(au_to_text("event aborted"));
516 		audit_finish(0, tad->tad_scid, 0, 0);
517 	}
518 
519 	/*
520 	 * Generate an audit record for process exit if preselected.
521 	 */
522 	(void) audit_start(0, SYS_exit, AUC_UNSET, 0, 0);
523 	audit_finish(0, SYS_exit, 0, 0);
524 }
525 
526 /*
527  * ROUTINE:	AUDIT_CORE_START
528  * PURPOSE:
529  * CALLBY: 	PSIG
530  * NOTE:
531  * TODO:
532  */
533 void
534 audit_core_start(int sig)
535 {
536 	au_event_t event;
537 	au_state_t estate;
538 	t_audit_data_t *tad;
539 	au_kcontext_t	*kctx;
540 
541 	tad = U2A(u);
542 
543 	ASSERT(tad != (t_audit_data_t *)0);
544 
545 	ASSERT(tad->tad_scid == 0);
546 	ASSERT(tad->tad_event == 0);
547 	ASSERT(tad->tad_evmod == 0);
548 	ASSERT(tad->tad_ctrl == 0);
549 	ASSERT(tad->tad_flag == 0);
550 	ASSERT(tad->tad_aupath == NULL);
551 
552 	kctx = GET_KCTX_PZ;
553 
554 	/* get basic event for system call */
555 	event = AUE_CORE;
556 	estate = kctx->auk_ets[event];
557 
558 	if ((tad->tad_flag = auditme(kctx, tad, estate)) == 0)
559 		return;
560 
561 	/* reset the flags for non-user attributable events */
562 	tad->tad_ctrl   = TAD_CORE;
563 	tad->tad_scid   = 0;
564 
565 	/* if auditing not enabled, then don't generate an audit record */
566 
567 	if (!((kctx->auk_auditstate == AUC_AUDITING ||
568 	    kctx->auk_auditstate == AUC_INIT_AUDIT) ||
569 	    kctx->auk_auditstate == AUC_NOSPACE)) {
570 		tad->tad_flag = 0;
571 		tad->tad_ctrl = 0;
572 		return;
573 	}
574 
575 	tad->tad_event  = event;
576 	tad->tad_evmod  = 0;
577 
578 	ASSERT(tad->tad_ad == NULL);
579 
580 	au_write(&(u_ad), au_to_arg32(1, "signal", (uint32_t)sig));
581 }
582 
583 /*
584  * ROUTINE:	AUDIT_CORE_FINISH
585  * PURPOSE:
586  * CALLBY:	PSIG
587  * NOTE:
588  * TODO:
589  * QUESTION:
590  */
591 
592 /*ARGSUSED*/
593 void
594 audit_core_finish(int code)
595 {
596 	int flag;
597 	t_audit_data_t *tad;
598 	au_kcontext_t	*kctx;
599 
600 	tad = U2A(u);
601 
602 	ASSERT(tad != (t_audit_data_t *)0);
603 
604 	if ((flag = tad->tad_flag) == 0) {
605 		tad->tad_event = 0;
606 		tad->tad_evmod = 0;
607 		tad->tad_ctrl  = 0;
608 		ASSERT(tad->tad_aupath == NULL);
609 		return;
610 	}
611 	tad->tad_flag = 0;
612 
613 	kctx = GET_KCTX_PZ;
614 
615 	/* kludge for error 0, should use `code==CLD_DUMPED' instead */
616 	if (flag = audit_success(kctx, tad, 0, NULL)) {
617 		cred_t *cr = CRED();
618 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
619 
620 		ASSERT(ainfo != NULL);
621 
622 		/*
623 		 * Add subject information (no locks since our private copy of
624 		 * credential
625 		 */
626 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
627 
628 		/* Add a return token (should use f argument) */
629 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
630 
631 		AS_INC(as_generated, 1, kctx);
632 		AS_INC(as_kernel, 1, kctx);
633 	}
634 
635 	/* Close up everything */
636 	au_close(kctx, &(u_ad), flag, tad->tad_event, tad->tad_evmod, NULL);
637 
638 	/* free up any space remaining with the path's */
639 	if (tad->tad_aupath != NULL) {
640 		au_pathrele(tad->tad_aupath);
641 		tad->tad_aupath = NULL;
642 	}
643 	tad->tad_event = 0;
644 	tad->tad_evmod = 0;
645 	tad->tad_ctrl  = 0;
646 }
647 
648 
649 /*ARGSUSED*/
650 void
651 audit_strgetmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
652     unsigned char *pri, int *flag, int fmode)
653 {
654 	struct stdata *stp;
655 	t_audit_data_t *tad = U2A(u);
656 
657 	ASSERT(tad != (t_audit_data_t *)0);
658 
659 	stp = vp->v_stream;
660 
661 	/* lock stdata from audit_sock */
662 	mutex_enter(&stp->sd_lock);
663 
664 	/* proceed ONLY if user is being audited */
665 	if (!tad->tad_flag) {
666 		/*
667 		 * this is so we will not add audit data onto
668 		 * a thread that is not being audited.
669 		 */
670 		stp->sd_t_audit_data = NULL;
671 		mutex_exit(&stp->sd_lock);
672 		return;
673 	}
674 
675 	stp->sd_t_audit_data = (caddr_t)curthread;
676 	mutex_exit(&stp->sd_lock);
677 }
678 
679 /*ARGSUSED*/
680 void
681 audit_strputmsg(struct vnode *vp, struct strbuf *mctl, struct strbuf *mdata,
682     unsigned char pri, int flag, int fmode)
683 {
684 	struct stdata *stp;
685 	t_audit_data_t *tad = U2A(u);
686 
687 	ASSERT(tad != (t_audit_data_t *)0);
688 
689 	stp = vp->v_stream;
690 
691 	/* lock stdata from audit_sock */
692 	mutex_enter(&stp->sd_lock);
693 
694 	/* proceed ONLY if user is being audited */
695 	if (!tad->tad_flag) {
696 		/*
697 		 * this is so we will not add audit data onto
698 		 * a thread that is not being audited.
699 		 */
700 		stp->sd_t_audit_data = NULL;
701 		mutex_exit(&stp->sd_lock);
702 		return;
703 	}
704 
705 	stp->sd_t_audit_data = (caddr_t)curthread;
706 	mutex_exit(&stp->sd_lock);
707 }
708 
709 /*
710  * ROUTINE:	AUDIT_CLOSEF
711  * PURPOSE:
712  * CALLBY:	CLOSEF
713  * NOTE:
714  * release per file audit resources when file structure is being released.
715  *
716  * IMPORTANT NOTE: Since we generate an audit record here, we may sleep
717  *	on the audit queue if it becomes full. This means
718  *	audit_closef can not be called when f_count == 0. Since
719  *	f_count == 0 indicates the file structure is free, another
720  *	process could attempt to use the file while we were still
721  *	asleep waiting on the audit queue. This would cause the
722  *	per file audit data to be corrupted when we finally do
723  *	wakeup.
724  * TODO:
725  * QUESTION:
726  */
727 
728 void
729 audit_closef(struct file *fp)
730 {	/* AUDIT_CLOSEF */
731 	f_audit_data_t *fad;
732 	t_audit_data_t *tad;
733 	int success;
734 	au_state_t estate;
735 	struct vnode *vp;
736 	token_t *ad = NULL;
737 	struct vattr attr;
738 	au_emod_t evmod = 0;
739 	const auditinfo_addr_t *ainfo;
740 	cred_t *cr;
741 	au_kcontext_t	*kctx = GET_KCTX_PZ;
742 	uint32_t auditing;
743 	boolean_t audit_attr = B_FALSE;
744 
745 	fad = F2A(fp);
746 	estate = kctx->auk_ets[AUE_CLOSE];
747 	tad = U2A(u);
748 	cr = CRED();
749 
750 	/* audit record already generated by system call envelope */
751 	if (tad->tad_event == AUE_CLOSE) {
752 		/* so close audit event will have bits set */
753 		tad->tad_evmod |= (au_emod_t)fad->fad_flags;
754 		return;
755 	}
756 
757 	/* if auditing not enabled, then don't generate an audit record */
758 	auditing = (tad->tad_audit == AUC_UNSET) ?
759 	    kctx->auk_auditstate : tad->tad_audit;
760 	if (auditing & ~(AUC_AUDITING | AUC_INIT_AUDIT | AUC_NOSPACE))
761 		return;
762 
763 	ainfo = crgetauinfo(cr);
764 	if (ainfo == NULL)
765 		return;
766 
767 	success = ainfo->ai_mask.as_success & estate;
768 
769 	/* not selected for this event */
770 	if (success == 0)
771 		return;
772 
773 	/*
774 	 * can't use audit_attributes here since we use a private audit area
775 	 * to build the audit record instead of the one off the thread.
776 	 */
777 	if ((vp = fp->f_vnode) != NULL) {
778 		attr.va_mask = AT_ALL;
779 		if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
780 			if ((fp->f_flag & FWRITE) == 0 &&
781 			    object_is_public(&attr)) {
782 				/*
783 				 * When write was not used and the file can be
784 				 * considered public, then skip the audit.
785 				 */
786 				return;
787 			}
788 			audit_attr = B_TRUE;
789 		}
790 	}
791 
792 	evmod = (au_emod_t)fad->fad_flags;
793 	if (fad->fad_aupath != NULL) {
794 		au_write((caddr_t *)&(ad), au_to_path(fad->fad_aupath));
795 	} else {
796 #ifdef _LP64
797 		au_write((caddr_t *)&(ad), au_to_arg64(
798 			1, "no path: fp", (uint64_t)fp));
799 #else
800 		au_write((caddr_t *)&(ad), au_to_arg32(
801 			1, "no path: fp", (uint32_t)fp));
802 #endif
803 	}
804 
805 	if (audit_attr) {
806 		au_write((caddr_t *)&(ad), au_to_attr(&attr));
807 		audit_sec_attributes((caddr_t *)&(ad), vp);
808 	}
809 
810 	/* Add subject information */
811 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
812 
813 	/* add a return token */
814 	add_return_token((caddr_t *)&(ad), tad->tad_scid, 0, 0);
815 
816 	AS_INC(as_generated, 1, kctx);
817 	AS_INC(as_kernel, 1, kctx);
818 
819 	/*
820 	 * Close up everything
821 	 * Note: path space recovery handled by normal system
822 	 * call envelope if not at last close.
823 	 * Note there is no failure at this point since
824 	 *   this represents closes due to exit of process,
825 	 *   thus we always indicate successful closes.
826 	 */
827 	au_close(kctx, (caddr_t *)&(ad), AU_OK | AU_DEFER,
828 	    AUE_CLOSE, evmod, NULL);
829 }
830 
831 /*
832  * ROUTINE:	AUDIT_SET
833  * PURPOSE:	Audit the file path and file attributes.
834  * CALLBY:	SETF
835  * NOTE:	SETF associate a file pointer with user area's open files.
836  * TODO:
837  * call audit_finish directly ???
838  * QUESTION:
839  */
840 
841 /*ARGSUSED*/
842 void
843 audit_setf(file_t *fp, int fd)
844 {
845 	f_audit_data_t *fad;
846 	t_audit_data_t *tad;
847 
848 	if (fp == NULL)
849 		return;
850 
851 	tad = T2A(curthread);
852 	fad = F2A(fp);
853 
854 	if (!(tad->tad_scid == SYS_open ||
855 	    tad->tad_scid == SYS_open64 ||
856 	    tad->tad_scid == SYS_openat ||
857 	    tad->tad_scid == SYS_openat64))
858 		return;
859 
860 	/* no path */
861 	if (tad->tad_aupath == 0)
862 		return;
863 
864 	/*
865 	 * assign path information associated with file audit data
866 	 * use tad hold
867 	 */
868 	fad->fad_aupath = tad->tad_aupath;
869 	tad->tad_aupath = NULL;
870 
871 	if (!(tad->tad_ctrl & TAD_TRUE_CREATE)) {
872 		/* adjust event type by dropping the 'creat' part */
873 		switch (tad->tad_event) {
874 		case AUE_OPEN_RC:
875 			tad->tad_event = AUE_OPEN_R;
876 			tad->tad_ctrl |= TAD_PUBLIC_EV;
877 			break;
878 		case AUE_OPEN_RTC:
879 			tad->tad_event = AUE_OPEN_RT;
880 			break;
881 		case AUE_OPEN_WC:
882 			tad->tad_event = AUE_OPEN_W;
883 			break;
884 		case AUE_OPEN_WTC:
885 			tad->tad_event = AUE_OPEN_WT;
886 			break;
887 		case AUE_OPEN_RWC:
888 			tad->tad_event = AUE_OPEN_RW;
889 			break;
890 		case AUE_OPEN_RWTC:
891 			tad->tad_event = AUE_OPEN_RWT;
892 			break;
893 		default:
894 			break;
895 		}
896 	}
897 }
898 
899 
900 void
901 audit_ipc(int type, int id, void *vp)
902 {
903 	/* if not auditing this event, then do nothing */
904 	if (ad_flag == 0)
905 		return;
906 
907 	switch (type) {
908 	case AT_IPC_MSG:
909 		au_uwrite(au_to_ipc(AT_IPC_MSG, id));
910 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
911 		break;
912 	case AT_IPC_SEM:
913 		au_uwrite(au_to_ipc(AT_IPC_SEM, id));
914 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
915 		break;
916 	case AT_IPC_SHM:
917 		au_uwrite(au_to_ipc(AT_IPC_SHM, id));
918 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
919 		break;
920 	}
921 }
922 
923 void
924 audit_ipcget(int type, void *vp)
925 {
926 	/* if not auditing this event, then do nothing */
927 	if (ad_flag == 0)
928 		return;
929 
930 	switch (type) {
931 	case NULL:
932 		au_uwrite(au_to_ipc_perm((struct kipc_perm *)vp));
933 		break;
934 	case AT_IPC_MSG:
935 		au_uwrite(au_to_ipc_perm(&(((kmsqid_t *)vp)->msg_perm)));
936 		break;
937 	case AT_IPC_SEM:
938 		au_uwrite(au_to_ipc_perm(&(((ksemid_t *)vp)->sem_perm)));
939 		break;
940 	case AT_IPC_SHM:
941 		au_uwrite(au_to_ipc_perm(&(((kshmid_t *)vp)->shm_perm)));
942 		break;
943 	}
944 }
945 
946 /*
947  * ROUTINE:	AUDIT_REBOOT
948  * PURPOSE:
949  * CALLBY:
950  * NOTE:
951  * At this point we know that the system call reboot will not return. We thus
952  * have to complete the audit record generation and put it onto the queue.
953  * This might be fairly useless if the auditing daemon is already dead....
954  * TODO:
955  * QUESTION:	who calls audit_reboot
956  */
957 
958 void
959 audit_reboot(void)
960 {
961 	int flag;
962 	t_audit_data_t *tad;
963 	au_kcontext_t	*kctx = GET_KCTX_PZ;
964 
965 	tad = U2A(u);
966 
967 	/* if not auditing this event, then do nothing */
968 	if (tad->tad_flag == 0)
969 		return;
970 
971 	/* do preselection on success/failure */
972 	if (flag = audit_success(kctx, tad, 0, NULL)) {
973 		/* add a process token */
974 
975 		cred_t *cr = CRED();
976 		const auditinfo_addr_t *ainfo = crgetauinfo(cr);
977 
978 		if (ainfo == NULL)
979 			return;
980 
981 		/* Add subject information */
982 		AUDIT_SETSUBJ(&(u_ad), cr, ainfo, kctx);
983 
984 		/* add a return token */
985 		add_return_token((caddr_t *)&(u_ad), tad->tad_scid, 0, 0);
986 
987 		AS_INC(as_generated, 1, kctx);
988 		AS_INC(as_kernel, 1, kctx);
989 	}
990 
991 	/*
992 	 * Flow control useless here since we're going
993 	 * to drop everything in the queue anyway. Why
994 	 * block and wait. There aint anyone left alive to
995 	 * read the records remaining anyway.
996 	 */
997 
998 	/* Close up everything */
999 	au_close(kctx, &(u_ad), flag | AU_DONTBLOCK,
1000 	    tad->tad_event, tad->tad_evmod, NULL);
1001 }
1002 
1003 void
1004 audit_setfsat_path(int argnum)
1005 {
1006 	klwp_id_t clwp = ttolwp(curthread);
1007 	struct file  *fp;
1008 	uint32_t fd;
1009 	t_audit_data_t *tad;
1010 	struct f_audit_data *fad;
1011 	p_audit_data_t *pad;	/* current process */
1012 	uint_t fm;
1013 	struct a {
1014 		long arg1;
1015 		long arg2;
1016 		long arg3;
1017 		long arg4;
1018 		long arg5;
1019 	} *uap;
1020 
1021 	if (clwp == NULL)
1022 		return;
1023 	uap = (struct a *)clwp->lwp_ap;
1024 
1025 	tad = U2A(u);
1026 	ASSERT(tad != NULL);
1027 
1028 	switch (tad->tad_scid) {
1029 	case SYS_faccessat:
1030 	case SYS_fchmodat:
1031 	case SYS_fchownat:
1032 	case SYS_fstatat:
1033 	case SYS_fstatat64:
1034 	case SYS_mkdirat:
1035 	case SYS_mknodat:
1036 	case SYS_openat:
1037 	case SYS_openat64:
1038 	case SYS_readlinkat:
1039 	case SYS_unlinkat:
1040 		fd = uap->arg1;
1041 		break;
1042 	case SYS_linkat:
1043 	case SYS_renameat:
1044 		if (argnum == 3)
1045 			fd = uap->arg3;
1046 		else
1047 			fd = uap->arg1;
1048 		break;
1049 	case SYS_symlinkat:
1050 	case SYS_utimesys:
1051 		fd = uap->arg2;
1052 		break;
1053 	case SYS_open:
1054 	case SYS_open64:
1055 		fd = AT_FDCWD;
1056 		break;
1057 	default:
1058 		return;
1059 	}
1060 
1061 	if (tad->tad_atpath != NULL) {
1062 		au_pathrele(tad->tad_atpath);
1063 		tad->tad_atpath = NULL;
1064 	}
1065 
1066 	if (fd != AT_FDCWD) {
1067 		tad->tad_ctrl |= TAD_ATCALL;
1068 
1069 		if (tad->tad_scid == SYS_openat ||
1070 		    tad->tad_scid == SYS_openat64) {
1071 			fm = (uint_t)uap->arg3;
1072 			if (fm & (FXATTR | FXATTRDIROPEN)) {
1073 				tad->tad_ctrl |= TAD_ATTPATH;
1074 			}
1075 		}
1076 
1077 		if ((fp = getf(fd)) == NULL) {
1078 			tad->tad_ctrl |= TAD_NOPATH;
1079 			return;
1080 		}
1081 		fad = F2A(fp);
1082 		ASSERT(fad);
1083 		if (fad->fad_aupath == NULL) {
1084 			tad->tad_ctrl |= TAD_NOPATH;
1085 			releasef(fd);
1086 			return;
1087 		}
1088 		au_pathhold(fad->fad_aupath);
1089 		tad->tad_atpath = fad->fad_aupath;
1090 		releasef(fd);
1091 	} else {
1092 		if (tad->tad_scid == SYS_open ||
1093 		    tad->tad_scid == SYS_open64) {
1094 			fm = (uint_t)uap->arg2;
1095 			if (fm & FXATTR) {
1096 				tad->tad_ctrl |= TAD_ATTPATH;
1097 			}
1098 			return;
1099 		}
1100 		pad = P2A(curproc);
1101 		mutex_enter(&pad->pad_lock);
1102 		au_pathhold(pad->pad_cwd);
1103 		tad->tad_atpath = pad->pad_cwd;
1104 		mutex_exit(&pad->pad_lock);
1105 	}
1106 }
1107 
1108 void
1109 audit_symlink_create(vnode_t *dvp, char *sname, char *target, int error)
1110 {
1111 	t_audit_data_t *tad;
1112 	vnode_t	*vp;
1113 
1114 	tad = U2A(u);
1115 
1116 	/* if not auditing this event, then do nothing */
1117 	if (tad->tad_flag == 0)
1118 		return;
1119 
1120 	au_uwrite(au_to_text(target));
1121 
1122 	if (error)
1123 		return;
1124 
1125 	error = VOP_LOOKUP(dvp, sname, &vp, NULL, 0, NULL, CRED(),
1126 	    NULL, NULL, NULL);
1127 	if (error == 0) {
1128 		audit_attributes(vp);
1129 		VN_RELE(vp);
1130 	}
1131 }
1132 
1133 /*
1134  * ROUTINE:	AUDIT_VNCREATE_START
1135  * PURPOSE:	set flag so path name lookup in create will not add attribute
1136  * CALLBY:	VN_CREATE
1137  * NOTE:
1138  * TODO:
1139  * QUESTION:
1140  */
1141 
1142 void
1143 audit_vncreate_start()
1144 {
1145 	t_audit_data_t *tad;
1146 
1147 	tad = U2A(u);
1148 	tad->tad_ctrl |= TAD_NOATTRB;
1149 }
1150 
1151 /*
1152  * ROUTINE:	AUDIT_VNCREATE_FINISH
1153  * PURPOSE:
1154  * CALLBY:	VN_CREATE
1155  * NOTE:
1156  * TODO:
1157  * QUESTION:
1158  */
1159 void
1160 audit_vncreate_finish(struct vnode *vp, int error)
1161 {
1162 	t_audit_data_t *tad;
1163 
1164 	if (error)
1165 		return;
1166 
1167 	tad = U2A(u);
1168 
1169 	/* if not auditing this event, then do nothing */
1170 	if (tad->tad_flag == 0)
1171 		return;
1172 
1173 	if (tad->tad_ctrl & TAD_TRUE_CREATE) {
1174 		audit_attributes(vp);
1175 	}
1176 
1177 	if (tad->tad_ctrl & TAD_CORE) {
1178 		audit_attributes(vp);
1179 		tad->tad_ctrl &= ~TAD_CORE;
1180 	}
1181 
1182 	if (!error && ((tad->tad_event == AUE_MKNOD) ||
1183 	    (tad->tad_event == AUE_MKDIR))) {
1184 		audit_attributes(vp);
1185 	}
1186 
1187 	/* for case where multiple lookups in one syscall (rename) */
1188 	tad->tad_ctrl &= ~TAD_NOATTRB;
1189 }
1190 
1191 
1192 
1193 
1194 
1195 
1196 
1197 
1198 /*
1199  * ROUTINE:	AUDIT_EXEC
1200  * PURPOSE:	Records the function arguments and environment variables
1201  * CALLBY:	EXEC_ARGS
1202  * NOTE:
1203  * TODO:
1204  * QUESTION:
1205  */
1206 
1207 void
1208 audit_exec(
1209 	const char *argstr,	/* argument strings */
1210 	const char *envstr,	/* environment strings */
1211 	ssize_t argc,		/* total # arguments */
1212 	ssize_t envc,		/* total # environment variables */
1213 	cred_t *pfcred)		/* the additional privileges in a profile */
1214 {
1215 	t_audit_data_t *tad;
1216 	au_kcontext_t	*kctx = GET_KCTX_PZ;
1217 
1218 	tad = U2A(u);
1219 
1220 	/* if not auditing this event, then do nothing */
1221 	if (!tad->tad_flag)
1222 		return;
1223 
1224 	if (pfcred != NULL) {
1225 		p_audit_data_t *pad;
1226 		cred_t *cr = CRED();
1227 		priv_set_t pset = CR_IPRIV(cr);
1228 
1229 		pad = P2A(curproc);
1230 
1231 		/* It's a different event. */
1232 		tad->tad_event = AUE_PFEXEC;
1233 
1234 		/* Add the current working directory to the audit trail. */
1235 		if (pad->pad_cwd != NULL)
1236 			au_uwrite(au_to_path(pad->pad_cwd));
1237 
1238 		/*
1239 		 * The new credential is not yet in place when audit_exec
1240 		 * is called.
1241 		 * Compute the additional bits available in the new credential
1242 		 * and the limit set.
1243 		 */
1244 		priv_inverse(&pset);
1245 		priv_intersect(&CR_IPRIV(pfcred), &pset);
1246 		if (!priv_isemptyset(&pset) ||
1247 		    !priv_isequalset(&CR_LPRIV(pfcred), &CR_LPRIV(cr))) {
1248 			au_uwrite(au_to_privset(
1249 			    priv_getsetbynum(PRIV_INHERITABLE), &pset, AUT_PRIV,
1250 			    0));
1251 			au_uwrite(au_to_privset(priv_getsetbynum(PRIV_LIMIT),
1252 			    &CR_LPRIV(pfcred), AUT_PRIV, 0));
1253 		}
1254 		/*
1255 		 * Compare the uids & gids: create a process token if changed.
1256 		 */
1257 		if (crgetuid(cr) != crgetuid(pfcred) ||
1258 		    crgetruid(cr) != crgetruid(pfcred) ||
1259 		    crgetgid(cr) != crgetgid(pfcred) ||
1260 		    crgetrgid(cr) != crgetrgid(pfcred)) {
1261 			AUDIT_SETPROC(&(u_ad), cr, crgetauinfo(cr));
1262 		}
1263 	}
1264 
1265 	if (pfcred != NULL || (kctx->auk_policy & AUDIT_ARGV) != 0)
1266 		au_uwrite(au_to_exec_args(argstr, argc));
1267 
1268 	if (kctx->auk_policy & AUDIT_ARGE)
1269 		au_uwrite(au_to_exec_env(envstr, envc));
1270 }
1271 
1272 /*
1273  * ROUTINE:	AUDIT_ENTERPROM
1274  * PURPOSE:
1275  * CALLBY:	KBDINPUT
1276  *		ZSA_XSINT
1277  * NOTE:
1278  * TODO:
1279  * QUESTION:
1280  */
1281 void
1282 audit_enterprom(int flg)
1283 {
1284 	token_t *rp = NULL;
1285 	int sorf;
1286 
1287 	if (flg)
1288 		sorf = AUM_SUCC;
1289 	else
1290 		sorf = AUM_FAIL;
1291 
1292 	AUDIT_ASYNC_START(rp, AUE_ENTERPROM, sorf);
1293 
1294 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1295 
1296 	if (flg)
1297 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1298 	else
1299 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1300 
1301 	AUDIT_ASYNC_FINISH(rp, AUE_ENTERPROM, NULL, NULL);
1302 }
1303 
1304 
1305 /*
1306  * ROUTINE:	AUDIT_EXITPROM
1307  * PURPOSE:
1308  * CALLBY:	KBDINPUT
1309  *		ZSA_XSINT
1310  * NOTE:
1311  * TODO:
1312  * QUESTION:
1313  */
1314 void
1315 audit_exitprom(int flg)
1316 {
1317 	int sorf;
1318 	token_t *rp = NULL;
1319 
1320 	if (flg)
1321 		sorf = AUM_SUCC;
1322 	else
1323 		sorf = AUM_FAIL;
1324 
1325 	AUDIT_ASYNC_START(rp, AUE_EXITPROM, sorf);
1326 
1327 	au_write((caddr_t *)&(rp), au_to_text("kmdb"));
1328 
1329 	if (flg)
1330 		au_write((caddr_t *)&(rp), au_to_return32(0, 0));
1331 	else
1332 		au_write((caddr_t *)&(rp), au_to_return32(ECANCELED, 0));
1333 
1334 	AUDIT_ASYNC_FINISH(rp, AUE_EXITPROM, NULL, NULL);
1335 }
1336 
1337 struct fcntla {
1338 	int fdes;
1339 	int cmd;
1340 	intptr_t arg;
1341 };
1342 
1343 
1344 /*
1345  * ROUTINE:	AUDIT_CHDIREC
1346  * PURPOSE:
1347  * CALLBY:	CHDIREC
1348  * NOTE:	The main function of CHDIREC
1349  * TODO:	Move the audit_chdirec hook above the VN_RELE in vncalls.c
1350  * QUESTION:
1351  */
1352 
1353 /*ARGSUSED*/
1354 void
1355 audit_chdirec(vnode_t *vp, vnode_t **vpp)
1356 {
1357 	int		chdir;
1358 	int		fchdir;
1359 	struct audit_path	**appp;
1360 	struct file	*fp;
1361 	f_audit_data_t *fad;
1362 	p_audit_data_t *pad = P2A(curproc);
1363 	t_audit_data_t *tad = T2A(curthread);
1364 
1365 	struct a {
1366 		long fd;
1367 	} *uap = (struct a *)ttolwp(curthread)->lwp_ap;
1368 
1369 	if ((tad->tad_scid == SYS_chdir) || (tad->tad_scid == SYS_chroot)) {
1370 		chdir = tad->tad_scid == SYS_chdir;
1371 		if (tad->tad_aupath) {
1372 			mutex_enter(&pad->pad_lock);
1373 			if (chdir)
1374 				appp = &(pad->pad_cwd);
1375 			else
1376 				appp = &(pad->pad_root);
1377 			au_pathrele(*appp);
1378 			/* use tad hold */
1379 			*appp = tad->tad_aupath;
1380 			tad->tad_aupath = NULL;
1381 			mutex_exit(&pad->pad_lock);
1382 		}
1383 	} else if ((tad->tad_scid == SYS_fchdir) ||
1384 	    (tad->tad_scid == SYS_fchroot)) {
1385 		fchdir = tad->tad_scid == SYS_fchdir;
1386 		if ((fp = getf(uap->fd)) == NULL)
1387 			return;
1388 		fad = F2A(fp);
1389 		if (fad->fad_aupath) {
1390 			au_pathhold(fad->fad_aupath);
1391 			mutex_enter(&pad->pad_lock);
1392 			if (fchdir)
1393 				appp = &(pad->pad_cwd);
1394 			else
1395 				appp = &(pad->pad_root);
1396 			au_pathrele(*appp);
1397 			*appp = fad->fad_aupath;
1398 			mutex_exit(&pad->pad_lock);
1399 			if (tad->tad_flag) {
1400 				au_uwrite(au_to_path(fad->fad_aupath));
1401 				audit_attributes(fp->f_vnode);
1402 			}
1403 		}
1404 		releasef(uap->fd);
1405 	}
1406 }
1407 
1408 
1409 /*
1410  *	Audit hook for stream based socket and tli request.
1411  *	Note that we do not have user context while executing
1412  *	this code so we had to record them earlier during the
1413  *	putmsg/getmsg to figure out which user we are dealing with.
1414  */
1415 
1416 /*ARGSUSED*/
1417 void
1418 audit_sock(
1419 	int type,	/* type of tihdr.h header requests */
1420 	queue_t *q,	/* contains the process and thread audit data */
1421 	mblk_t *mp,	/* contains the tihdr.h header structures */
1422 	int from)	/* timod or sockmod request */
1423 {
1424 	int32_t    len;
1425 	int32_t    offset;
1426 	struct sockaddr_in *sock_data;
1427 	struct T_conn_req *conn_req;
1428 	struct T_conn_ind *conn_ind;
1429 	struct T_unitdata_req *unitdata_req;
1430 	struct T_unitdata_ind *unitdata_ind;
1431 	au_state_t estate;
1432 	t_audit_data_t *tad;
1433 	caddr_t saved_thread_ptr;
1434 	au_mask_t amask;
1435 	const auditinfo_addr_t *ainfo;
1436 	au_kcontext_t	*kctx;
1437 
1438 	if (q->q_stream == NULL)
1439 		return;
1440 	mutex_enter(&q->q_stream->sd_lock);
1441 	/* are we being audited */
1442 	saved_thread_ptr = q->q_stream->sd_t_audit_data;
1443 	/* no pointer to thread, nothing to do */
1444 	if (saved_thread_ptr == NULL) {
1445 		mutex_exit(&q->q_stream->sd_lock);
1446 		return;
1447 	}
1448 	/* only allow one addition of a record token */
1449 	q->q_stream->sd_t_audit_data = NULL;
1450 	/*
1451 	 * thread is not the one being audited, then nothing to do
1452 	 * This could be the stream thread handling the module
1453 	 * service routine. In this case, the context for the audit
1454 	 * record can no longer be assumed. Simplest to just drop
1455 	 * the operation.
1456 	 */
1457 	if (curthread != (kthread_id_t)saved_thread_ptr) {
1458 		mutex_exit(&q->q_stream->sd_lock);
1459 		return;
1460 	}
1461 	if (curthread->t_sysnum >= SYS_so_socket &&
1462 	    curthread->t_sysnum <= SYS_sockconfig) {
1463 		mutex_exit(&q->q_stream->sd_lock);
1464 		return;
1465 	}
1466 	mutex_exit(&q->q_stream->sd_lock);
1467 	/*
1468 	 * we know that the thread that did the put/getmsg is the
1469 	 * one running. Now we can get the TAD and see if we should
1470 	 * add an audit token.
1471 	 */
1472 	tad = U2A(u);
1473 
1474 	kctx = GET_KCTX_PZ;
1475 
1476 	/* proceed ONLY if user is being audited */
1477 	if (!tad->tad_flag)
1478 		return;
1479 
1480 	ainfo = crgetauinfo(CRED());
1481 	if (ainfo == NULL)
1482 		return;
1483 	amask = ainfo->ai_mask;
1484 
1485 	/*
1486 	 * Figure out the type of stream networking request here.
1487 	 * Note that getmsg and putmsg are always preselected
1488 	 * because during the beginning of the system call we have
1489 	 * not yet figure out which of the socket or tli request
1490 	 * we are looking at until we are here. So we need to check
1491 	 * against that specific request and reset the type of event.
1492 	 */
1493 	switch (type) {
1494 	case T_CONN_REQ:	/* connection request */
1495 		conn_req = (struct T_conn_req *)mp->b_rptr;
1496 		if (conn_req->DEST_offset < sizeof (struct T_conn_req))
1497 			return;
1498 		offset = conn_req->DEST_offset;
1499 		len = conn_req->DEST_length;
1500 		estate = kctx->auk_ets[AUE_SOCKCONNECT];
1501 		if (amask.as_success & estate || amask.as_failure & estate) {
1502 			tad->tad_event = AUE_SOCKCONNECT;
1503 			break;
1504 		} else {
1505 			return;
1506 		}
1507 	case T_CONN_IND:	 /* connectionless receive request */
1508 		conn_ind = (struct T_conn_ind *)mp->b_rptr;
1509 		if (conn_ind->SRC_offset < sizeof (struct T_conn_ind))
1510 			return;
1511 		offset = conn_ind->SRC_offset;
1512 		len = conn_ind->SRC_length;
1513 		estate = kctx->auk_ets[AUE_SOCKACCEPT];
1514 		if (amask.as_success & estate || amask.as_failure & estate) {
1515 			tad->tad_event = AUE_SOCKACCEPT;
1516 			break;
1517 		} else {
1518 			return;
1519 		}
1520 	case T_UNITDATA_REQ:	 /* connectionless send request */
1521 		unitdata_req = (struct T_unitdata_req *)mp->b_rptr;
1522 		if (unitdata_req->DEST_offset < sizeof (struct T_unitdata_req))
1523 			return;
1524 		offset = unitdata_req->DEST_offset;
1525 		len = unitdata_req->DEST_length;
1526 		estate = kctx->auk_ets[AUE_SOCKSEND];
1527 		if (amask.as_success & estate || amask.as_failure & estate) {
1528 			tad->tad_event = AUE_SOCKSEND;
1529 			break;
1530 		} else {
1531 			return;
1532 		}
1533 	case T_UNITDATA_IND:	 /* connectionless receive request */
1534 		unitdata_ind = (struct T_unitdata_ind *)mp->b_rptr;
1535 		if (unitdata_ind->SRC_offset < sizeof (struct T_unitdata_ind))
1536 			return;
1537 		offset = unitdata_ind->SRC_offset;
1538 		len = unitdata_ind->SRC_length;
1539 		estate = kctx->auk_ets[AUE_SOCKRECEIVE];
1540 		if (amask.as_success & estate || amask.as_failure & estate) {
1541 			tad->tad_event = AUE_SOCKRECEIVE;
1542 			break;
1543 		} else {
1544 			return;
1545 		}
1546 	default:
1547 		return;
1548 	}
1549 
1550 	/*
1551 	 * we are only interested in tcp stream connections,
1552 	 * not unix domain stuff
1553 	 */
1554 	if ((len < 0) || (len > sizeof (struct sockaddr_in))) {
1555 		tad->tad_event = AUE_GETMSG;
1556 		return;
1557 	}
1558 	/* skip over TPI header and point to the ip address */
1559 	sock_data = (struct sockaddr_in *)((char *)mp->b_rptr + offset);
1560 
1561 	switch (sock_data->sin_family) {
1562 	case AF_INET:
1563 		au_write(&(tad->tad_ad), au_to_sock_inet(sock_data));
1564 		break;
1565 	default:	/* reset to AUE_PUTMSG if not a inet request */
1566 		tad->tad_event = AUE_GETMSG;
1567 		break;
1568 	}
1569 }
1570 
1571 
1572 static void
1573 add_return_token(caddr_t *ad, unsigned int scid, int err, int rval)
1574 {
1575 	unsigned int sy_flags;
1576 
1577 #ifdef _SYSCALL32_IMPL
1578 	/*
1579 	 * Guard against t_lwp being NULL when this function is called
1580 	 * from a kernel queue instead of from a direct system call.
1581 	 * In that case, assume the running kernel data model.
1582 	 */
1583 	if ((curthread->t_lwp == NULL) || (lwp_getdatamodel(
1584 	    ttolwp(curthread)) == DATAMODEL_NATIVE))
1585 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1586 	else
1587 		sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1588 #else
1589 		sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1590 #endif
1591 
1592 	if (sy_flags == SE_64RVAL)
1593 		au_write(ad, au_to_return64(err, rval));
1594 	else
1595 		au_write(ad, au_to_return32(err, rval));
1596 
1597 }
1598 
1599 /*ARGSUSED*/
1600 void
1601 audit_fdsend(fd, fp, error)
1602 	int fd;
1603 	struct file *fp;
1604 	int error;		/* ignore for now */
1605 {
1606 	t_audit_data_t *tad;	/* current thread */
1607 	f_audit_data_t *fad;	/* per file audit structure */
1608 	struct vnode *vp;	/* for file attributes */
1609 
1610 	/* is this system call being audited */
1611 	tad = U2A(u);
1612 	ASSERT(tad != (t_audit_data_t *)0);
1613 	if (!tad->tad_flag)
1614 		return;
1615 
1616 	fad = F2A(fp);
1617 
1618 	/* add path and file attributes */
1619 	if (fad != NULL && fad->fad_aupath != NULL) {
1620 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1621 		au_uwrite(au_to_path(fad->fad_aupath));
1622 	} else {
1623 		au_uwrite(au_to_arg32(0, "send fd", (uint32_t)fd));
1624 #ifdef _LP64
1625 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1626 #else
1627 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1628 #endif
1629 	}
1630 	vp = fp->f_vnode;	/* include vnode attributes */
1631 	audit_attributes(vp);
1632 }
1633 
1634 /*
1635  * Record privileges successfully used and we attempted to use but
1636  * didn't have.
1637  */
1638 void
1639 audit_priv(int priv, const priv_set_t *set, int flag)
1640 {
1641 	t_audit_data_t *tad;
1642 	int sbit;
1643 	priv_set_t *target;
1644 
1645 	/* Make sure this isn't being called in an interrupt context */
1646 	ASSERT(servicing_interrupt() == 0);
1647 
1648 	tad = U2A(u);
1649 
1650 	if (tad->tad_flag == 0)
1651 		return;
1652 
1653 	target = flag ? &tad->tad_sprivs : &tad->tad_fprivs;
1654 	sbit = flag ? PAD_SPRIVUSE : PAD_FPRIVUSE;
1655 
1656 	/* Tell audit_success() and audit_finish() that we saw this case */
1657 	if (!(tad->tad_evmod & sbit)) {
1658 		/* Clear set first time around */
1659 		priv_emptyset(target);
1660 		tad->tad_evmod |= sbit;
1661 	}
1662 
1663 	/* Save the privileges in the tad */
1664 	if (priv == PRIV_ALL) {
1665 		priv_fillset(target);
1666 	} else {
1667 		ASSERT(set != NULL || priv != PRIV_NONE);
1668 		if (set != NULL)
1669 			priv_union(set, target);
1670 		if (priv != PRIV_NONE)
1671 			priv_addset(target, priv);
1672 	}
1673 }
1674 
1675 /*
1676  * Audit the setpriv() system call; the operation, the set name and
1677  * the current value as well as the set argument are put in the
1678  * audit trail.
1679  */
1680 void
1681 audit_setppriv(int op, int set, const priv_set_t *newpriv, const cred_t *ocr)
1682 {
1683 	t_audit_data_t *tad;
1684 	const priv_set_t *oldpriv;
1685 	priv_set_t report;
1686 	const char *setname;
1687 
1688 	tad = U2A(u);
1689 
1690 	if (tad->tad_flag == 0)
1691 		return;
1692 
1693 	oldpriv = priv_getset(ocr, set);
1694 
1695 	/* Generate the actual record, include the before and after */
1696 	au_uwrite(au_to_arg32(2, "op", op));
1697 	setname = priv_getsetbynum(set);
1698 
1699 	switch (op) {
1700 	case PRIV_OFF:
1701 		/* Report privileges actually switched off */
1702 		report = *oldpriv;
1703 		priv_intersect(newpriv, &report);
1704 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1705 		break;
1706 	case PRIV_ON:
1707 		/* Report privileges actually switched on */
1708 		report = *oldpriv;
1709 		priv_inverse(&report);
1710 		priv_intersect(newpriv, &report);
1711 		au_uwrite(au_to_privset(setname, &report, AUT_PRIV, 0));
1712 		break;
1713 	case PRIV_SET:
1714 		/* Report before and after */
1715 		au_uwrite(au_to_privset(setname, oldpriv, AUT_PRIV, 0));
1716 		au_uwrite(au_to_privset(setname, newpriv, AUT_PRIV, 0));
1717 		break;
1718 	}
1719 }
1720 
1721 /*
1722  * Dump the full device policy setting in the audit trail.
1723  */
1724 void
1725 audit_devpolicy(int nitems, const devplcysys_t *items)
1726 {
1727 	t_audit_data_t *tad;
1728 	int i;
1729 
1730 	tad = U2A(u);
1731 
1732 	if (tad->tad_flag == 0)
1733 		return;
1734 
1735 	for (i = 0; i < nitems; i++) {
1736 		au_uwrite(au_to_arg32(2, "major", items[i].dps_maj));
1737 		if (items[i].dps_minornm[0] == '\0') {
1738 			au_uwrite(au_to_arg32(2, "lomin", items[i].dps_lomin));
1739 			au_uwrite(au_to_arg32(2, "himin", items[i].dps_himin));
1740 		} else
1741 			au_uwrite(au_to_text(items[i].dps_minornm));
1742 
1743 		au_uwrite(au_to_privset("read", &items[i].dps_rdp,
1744 		    AUT_PRIV, 0));
1745 		au_uwrite(au_to_privset("write", &items[i].dps_wrp,
1746 		    AUT_PRIV, 0));
1747 	}
1748 }
1749 
1750 /*ARGSUSED*/
1751 void
1752 audit_fdrecv(fd, fp)
1753 	int fd;
1754 	struct file *fp;
1755 {
1756 	t_audit_data_t *tad;	/* current thread */
1757 	f_audit_data_t *fad;	/* per file audit structure */
1758 	struct vnode *vp;	/* for file attributes */
1759 
1760 	/* is this system call being audited */
1761 	tad = U2A(u);
1762 	ASSERT(tad != (t_audit_data_t *)0);
1763 	if (!tad->tad_flag)
1764 		return;
1765 
1766 	fad = F2A(fp);
1767 
1768 	/* add path and file attributes */
1769 	if (fad != NULL && fad->fad_aupath != NULL) {
1770 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1771 		au_uwrite(au_to_path(fad->fad_aupath));
1772 	} else {
1773 		au_uwrite(au_to_arg32(0, "recv fd", (uint32_t)fd));
1774 #ifdef _LP64
1775 		au_uwrite(au_to_arg64(0, "no path", (uint64_t)fp));
1776 #else
1777 		au_uwrite(au_to_arg32(0, "no path", (uint32_t)fp));
1778 #endif
1779 	}
1780 	vp = fp->f_vnode;	/* include vnode attributes */
1781 	audit_attributes(vp);
1782 }
1783 
1784 /*
1785  * ROUTINE:	AUDIT_CRYPTOADM
1786  * PURPOSE:	Records arguments to administrative ioctls on /dev/cryptoadm
1787  * CALLBY:	CRYPTO_LOAD_DEV_DISABLED, CRYPTO_LOAD_SOFT_DISABLED,
1788  *		CRYPTO_UNLOAD_SOFT_MODULE, CRYPTO_LOAD_SOFT_CONFIG,
1789  *		CRYPTO_POOL_CREATE, CRYPTO_POOL_WAIT, CRYPTO_POOL_RUN,
1790  *		CRYPTO_LOAD_DOOR
1791  * NOTE:
1792  * TODO:
1793  * QUESTION:
1794  */
1795 
1796 void
1797 audit_cryptoadm(int cmd, char *module_name, crypto_mech_name_t *mech_names,
1798     uint_t mech_count, uint_t device_instance, uint32_t rv, int error)
1799 {
1800 	boolean_t		mech_list_required = B_FALSE;
1801 	cred_t			*cr = CRED();
1802 	t_audit_data_t		*tad;
1803 	token_t			*ad = NULL;
1804 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
1805 	char			buffer[MAXNAMELEN * 2];
1806 	au_kcontext_t		*kctx = GET_KCTX_PZ;
1807 
1808 	tad = U2A(u);
1809 	if (tad == NULL)
1810 		return;
1811 
1812 	if (ainfo == NULL)
1813 		return;
1814 
1815 	tad->tad_event = AUE_CRYPTOADM;
1816 
1817 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
1818 		return;
1819 
1820 	/* Add subject information */
1821 	AUDIT_SETSUBJ((caddr_t *)&(ad), cr, ainfo, kctx);
1822 
1823 	switch (cmd) {
1824 	case CRYPTO_LOAD_DEV_DISABLED:
1825 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1826 			(void) snprintf(buffer, sizeof (buffer),
1827 			    "op=CRYPTO_LOAD_DEV_DISABLED, module=%s,"
1828 			    " dev_instance=%d",
1829 			    module_name, device_instance);
1830 			mech_list_required = B_TRUE;
1831 		} else {
1832 			(void) snprintf(buffer, sizeof (buffer),
1833 			    "op=CRYPTO_LOAD_DEV_DISABLED, return_val=%d", rv);
1834 		}
1835 		break;
1836 
1837 	case CRYPTO_LOAD_SOFT_DISABLED:
1838 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1839 			(void) snprintf(buffer, sizeof (buffer),
1840 			    "op=CRYPTO_LOAD_SOFT_DISABLED, module=%s",
1841 			    module_name);
1842 			mech_list_required = B_TRUE;
1843 		} else {
1844 			(void) snprintf(buffer, sizeof (buffer),
1845 			    "op=CRYPTO_LOAD_SOFT_DISABLED, return_val=%d", rv);
1846 		}
1847 		break;
1848 
1849 	case CRYPTO_UNLOAD_SOFT_MODULE:
1850 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1851 			(void) snprintf(buffer, sizeof (buffer),
1852 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, module=%s",
1853 			    module_name);
1854 		} else {
1855 			(void) snprintf(buffer, sizeof (buffer),
1856 			    "op=CRYPTO_UNLOAD_SOFT_MODULE, return_val=%d", rv);
1857 		}
1858 		break;
1859 
1860 	case CRYPTO_LOAD_SOFT_CONFIG:
1861 		if (error == 0 && rv == CRYPTO_SUCCESS) {
1862 			(void) snprintf(buffer, sizeof (buffer),
1863 			    "op=CRYPTO_LOAD_SOFT_CONFIG, module=%s",
1864 			    module_name);
1865 			mech_list_required = B_TRUE;
1866 		} else {
1867 			(void) snprintf(buffer, sizeof (buffer),
1868 			    "op=CRYPTO_LOAD_SOFT_CONFIG, return_val=%d", rv);
1869 		}
1870 		break;
1871 
1872 	case CRYPTO_POOL_CREATE:
1873 		(void) snprintf(buffer, sizeof (buffer),
1874 		    "op=CRYPTO_POOL_CREATE");
1875 		break;
1876 
1877 	case CRYPTO_POOL_WAIT:
1878 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_WAIT");
1879 		break;
1880 
1881 	case CRYPTO_POOL_RUN:
1882 		(void) snprintf(buffer, sizeof (buffer), "op=CRYPTO_POOL_RUN");
1883 		break;
1884 
1885 	case CRYPTO_LOAD_DOOR:
1886 		if (error == 0 && rv == CRYPTO_SUCCESS)
1887 			(void) snprintf(buffer, sizeof (buffer),
1888 			    "op=CRYPTO_LOAD_DOOR");
1889 		else
1890 			(void) snprintf(buffer, sizeof (buffer),
1891 			    "op=CRYPTO_LOAD_DOOR, return_val=%d", rv);
1892 		break;
1893 
1894 	case CRYPTO_FIPS140_SET:
1895 		(void) snprintf(buffer, sizeof (buffer),
1896 		    "op=CRYPTO_FIPS140_SET, fips_state=%d", rv);
1897 		break;
1898 
1899 	default:
1900 		return;
1901 	}
1902 
1903 	au_write((caddr_t *)&ad, au_to_text(buffer));
1904 
1905 	if (mech_list_required) {
1906 		int i;
1907 
1908 		if (mech_count == 0) {
1909 			au_write((caddr_t *)&ad, au_to_text("mech=list empty"));
1910 		} else {
1911 			char	*pb = buffer;
1912 			size_t	l = sizeof (buffer);
1913 			size_t	n;
1914 			char	space[2] = ":";
1915 
1916 			n = snprintf(pb, l, "mech=");
1917 
1918 			for (i = 0; i < mech_count; i++) {
1919 				pb += n;
1920 				l = (n >= l) ? 0 : l - n;
1921 
1922 				if (i == mech_count - 1)
1923 					(void) strcpy(space, "");
1924 
1925 				n = snprintf(pb, l, "%s%s", mech_names[i],
1926 				    space);
1927 			}
1928 			au_write((caddr_t *)&ad, au_to_text(buffer));
1929 		}
1930 	}
1931 
1932 	/* add a return token */
1933 	if (error || (rv != CRYPTO_SUCCESS))
1934 		add_return_token((caddr_t *)&ad, tad->tad_scid, -1, error);
1935 	else
1936 		add_return_token((caddr_t *)&ad, tad->tad_scid, 0, rv);
1937 
1938 	AS_INC(as_generated, 1, kctx);
1939 	AS_INC(as_kernel, 1, kctx);
1940 
1941 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CRYPTOADM, tad->tad_evmod,
1942 	    NULL);
1943 }
1944 
1945 /*
1946  * Audit the kernel SSL administration command. The address and the
1947  * port number for the SSL instance, and the proxy port are put in the
1948  * audit trail.
1949  */
1950 void
1951 audit_kssl(int cmd, void *params, int error)
1952 {
1953 	cred_t			*cr = CRED();
1954 	t_audit_data_t		*tad;
1955 	token_t			*ad = NULL;
1956 	const auditinfo_addr_t	*ainfo = crgetauinfo(cr);
1957 	au_kcontext_t		*kctx = GET_KCTX_PZ;
1958 
1959 	tad = U2A(u);
1960 
1961 	if (ainfo == NULL)
1962 		return;
1963 
1964 	tad->tad_event = AUE_CONFIGKSSL;
1965 
1966 	if (audit_success(kctx, tad, error, NULL) != AU_OK)
1967 		return;
1968 
1969 	/* Add subject information */
1970 	AUDIT_SETSUBJ((caddr_t *)&ad, cr, ainfo, kctx);
1971 
1972 	switch (cmd) {
1973 	case KSSL_ADD_ENTRY: {
1974 		char buf[32];
1975 		kssl_params_t *kp = (kssl_params_t *)params;
1976 		struct sockaddr_in6 *saddr = &kp->kssl_addr;
1977 
1978 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_ADD_ENTRY"));
1979 		au_write((caddr_t *)&ad,
1980 		    au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
1981 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
1982 		    saddr->sin6_port);
1983 		au_write((caddr_t *)&ad, au_to_text(buf));
1984 
1985 		(void) snprintf(buf, sizeof (buf), "proxy port=%d",
1986 		    kp->kssl_proxy_port);
1987 		au_write((caddr_t *)&ad, au_to_text(buf));
1988 		break;
1989 	}
1990 
1991 	case KSSL_DELETE_ENTRY: {
1992 		char buf[32];
1993 		struct sockaddr_in6 *saddr = (struct sockaddr_in6 *)params;
1994 
1995 		au_write((caddr_t *)&ad, au_to_text("op=KSSL_DELETE_ENTRY"));
1996 		au_write((caddr_t *)&ad,
1997 		    au_to_in_addr_ex((int32_t *)&saddr->sin6_addr));
1998 		(void) snprintf(buf, sizeof (buf), "SSL port=%d",
1999 		    saddr->sin6_port);
2000 		au_write((caddr_t *)&ad, au_to_text(buf));
2001 		break;
2002 	}
2003 
2004 	default:
2005 		return;
2006 	}
2007 
2008 	/* add a return token */
2009 	add_return_token((caddr_t *)&ad, tad->tad_scid, error, 0);
2010 
2011 	AS_INC(as_generated, 1, kctx);
2012 	AS_INC(as_kernel, 1, kctx);
2013 
2014 	au_close(kctx, (caddr_t *)&ad, AU_OK, AUE_CONFIGKSSL, tad->tad_evmod,
2015 	    NULL);
2016 }
2017 
2018 /*
2019  * Audit the kernel PF_POLICY administration commands.  Record command,
2020  * zone, policy type (global or tunnel, active or inactive)
2021  */
2022 /*
2023  * ROUTINE:	AUDIT_PF_POLICY
2024  * PURPOSE:	Records arguments to administrative ioctls on PF_POLICY socket
2025  * CALLBY:	SPD_ADDRULE, SPD_DELETERULE, SPD_FLUSH, SPD_UPDATEALGS,
2026  *		SPD_CLONE, SPD_FLIP
2027  * NOTE:
2028  * TODO:
2029  * QUESTION:
2030  */
2031 
2032 void
2033 audit_pf_policy(int cmd, cred_t *cred, netstack_t *ns, char *tun,
2034     boolean_t active, int error, pid_t pid)
2035 {
2036 	const auditinfo_addr_t	*ainfo;
2037 	t_audit_data_t		*tad;
2038 	token_t			*ad = NULL;
2039 	au_kcontext_t		*kctx = GET_KCTX_PZ;
2040 	char			buf[80];
2041 	int			flag;
2042 
2043 	tad = U2A(u);
2044 	if (tad == NULL)
2045 		return;
2046 
2047 	ainfo = crgetauinfo((cred != NULL) ? cred : CRED());
2048 	if (ainfo == NULL)
2049 		return;
2050 
2051 	/*
2052 	 * Initialize some variables since these are only set
2053 	 * with system calls.
2054 	 */
2055 
2056 	switch (cmd) {
2057 	case SPD_ADDRULE: {
2058 		tad->tad_event = AUE_PF_POLICY_ADDRULE;
2059 		break;
2060 	}
2061 
2062 	case SPD_DELETERULE: {
2063 		tad->tad_event = AUE_PF_POLICY_DELRULE;
2064 		break;
2065 	}
2066 
2067 	case SPD_FLUSH: {
2068 		tad->tad_event = AUE_PF_POLICY_FLUSH;
2069 		break;
2070 	}
2071 
2072 	case SPD_UPDATEALGS: {
2073 		tad->tad_event = AUE_PF_POLICY_ALGS;
2074 		break;
2075 	}
2076 
2077 	case SPD_CLONE: {
2078 		tad->tad_event = AUE_PF_POLICY_CLONE;
2079 		break;
2080 	}
2081 
2082 	case SPD_FLIP: {
2083 		tad->tad_event = AUE_PF_POLICY_FLIP;
2084 		break;
2085 	}
2086 
2087 	default:
2088 		tad->tad_event = AUE_NULL;
2089 	}
2090 
2091 	tad->tad_evmod = 0;
2092 
2093 	if (flag = audit_success(kctx, tad, error, cred)) {
2094 		zone_t *nszone;
2095 
2096 		/*
2097 		 * For now, just audit that an event happened,
2098 		 * along with the error code.
2099 		 */
2100 		au_write((caddr_t *)&ad,
2101 		    au_to_arg32(1, "Policy Active?", (uint32_t)active));
2102 		au_write((caddr_t *)&ad,
2103 		    au_to_arg32(2, "Policy Global?", (uint32_t)(tun == NULL)));
2104 
2105 		/* Supplemental data */
2106 
2107 		/*
2108 		 * Generate this zone token if the target zone differs
2109 		 * from the administrative zone.  If netstacks are expanded
2110 		 * to something other than a 1-1 relationship with zones,
2111 		 * the auditing framework should create a new token type
2112 		 * and audit it as a netstack instead.
2113 		 * Turn on general zone auditing to get the administrative zone.
2114 		 */
2115 
2116 		nszone = zone_find_by_id(netstackid_to_zoneid(
2117 		    ns->netstack_stackid));
2118 		if (nszone != NULL) {
2119 			if (strncmp(crgetzone(cred)->zone_name,
2120 			    nszone->zone_name, ZONENAME_MAX) != 0) {
2121 				token_t *ztoken;
2122 
2123 				ztoken = au_to_zonename(0, nszone);
2124 				au_write((caddr_t *)&ad, ztoken);
2125 			}
2126 			zone_rele(nszone);
2127 		}
2128 
2129 		if (tun != NULL) {
2130 			/* write tunnel name - tun is bounded */
2131 			(void) snprintf(buf, sizeof (buf), "tunnel_name:%s",
2132 			    tun);
2133 			au_write((caddr_t *)&ad, au_to_text(buf));
2134 		}
2135 
2136 		/* Add subject information */
2137 		AUDIT_SETSUBJ_GENERIC((caddr_t *)&ad,
2138 		    ((cred != NULL) ? cred : CRED()), ainfo, kctx, pid);
2139 
2140 		/* add a return token */
2141 		add_return_token((caddr_t *)&ad, 0, error, 0);
2142 
2143 		AS_INC(as_generated, 1, kctx);
2144 		AS_INC(as_kernel, 1, kctx);
2145 
2146 	}
2147 	au_close(kctx, (caddr_t *)&ad, flag, tad->tad_event, tad->tad_evmod,
2148 	    NULL);
2149 
2150 	/*
2151 	 * clear the ctrl flag so that we don't have spurious collection of
2152 	 * audit information.
2153 	 */
2154 	tad->tad_scid  = 0;
2155 	tad->tad_event = 0;
2156 	tad->tad_evmod = 0;
2157 	tad->tad_ctrl  = 0;
2158 }
2159 
2160 /*
2161  * ROUTINE:	AUDIT_SEC_ATTRIBUTES
2162  * PURPOSE:	Add security attributes
2163  * CALLBY:	AUDIT_ATTRIBUTES
2164  *		AUDIT_CLOSEF
2165  *		AUS_CLOSE
2166  * NOTE:
2167  * TODO:
2168  * QUESTION:
2169  */
2170 
2171 void
2172 audit_sec_attributes(caddr_t *ad, struct vnode *vp)
2173 {
2174 	/* Dump the SL */
2175 	if (is_system_labeled()) {
2176 		ts_label_t	*tsl;
2177 		bslabel_t	*bsl;
2178 
2179 		tsl = getflabel(vp);
2180 		if (tsl == NULL)
2181 			return;			/* nothing else to do */
2182 
2183 		bsl = label2bslabel(tsl);
2184 		if (bsl == NULL)
2185 			return;			/* nothing else to do */
2186 		au_write(ad, au_to_label(bsl));
2187 		label_rele(tsl);
2188 	}
2189 
2190 }	/* AUDIT_SEC_ATTRIBUTES */
2191