1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/vfs_opreg.h> 76 #include <fs/sockfs/sockcommon.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 82 char _depends_on[] = "fs/sockfs"; 83 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 static au_event_t aui_labelsys(au_event_t); 103 104 static void aus_open(struct t_audit_data *); 105 static void aus_acl(struct t_audit_data *); 106 static void aus_acct(struct t_audit_data *); 107 static void aus_chown(struct t_audit_data *); 108 static void aus_fchown(struct t_audit_data *); 109 static void aus_lchown(struct t_audit_data *); 110 static void aus_chmod(struct t_audit_data *); 111 static void aus_facl(struct t_audit_data *); 112 static void aus_fchmod(struct t_audit_data *); 113 static void aus_fcntl(struct t_audit_data *); 114 static void aus_fsat(struct t_audit_data *); 115 static void aus_mkdir(struct t_audit_data *); 116 static void aus_mknod(struct t_audit_data *); 117 static void aus_mount(struct t_audit_data *); 118 static void aus_umount(struct t_audit_data *); 119 static void aus_umount2(struct t_audit_data *); 120 static void aus_msgsys(struct t_audit_data *); 121 static void aus_semsys(struct t_audit_data *); 122 static void aus_close(struct t_audit_data *); 123 static void aus_fstatfs(struct t_audit_data *); 124 static void aus_setgid(struct t_audit_data *); 125 static void aus_setuid(struct t_audit_data *); 126 static void aus_shmsys(struct t_audit_data *); 127 static void aus_doorfs(struct t_audit_data *); 128 static void aus_ioctl(struct t_audit_data *); 129 static void aus_memcntl(struct t_audit_data *); 130 static void aus_mmap(struct t_audit_data *); 131 static void aus_munmap(struct t_audit_data *); 132 static void aus_priocntlsys(struct t_audit_data *); 133 static void aus_setegid(struct t_audit_data *); 134 static void aus_setgroups(struct t_audit_data *); 135 static void aus_seteuid(struct t_audit_data *); 136 static void aus_putmsg(struct t_audit_data *); 137 static void aus_putpmsg(struct t_audit_data *); 138 static void aus_getmsg(struct t_audit_data *); 139 static void aus_getpmsg(struct t_audit_data *); 140 static void aus_auditsys(struct t_audit_data *); 141 static void aus_sysinfo(struct t_audit_data *); 142 static void aus_modctl(struct t_audit_data *); 143 static void aus_kill(struct t_audit_data *); 144 static void aus_xmknod(struct t_audit_data *); 145 static void aus_setregid(struct t_audit_data *); 146 static void aus_setreuid(struct t_audit_data *); 147 static void aus_labelsys(struct t_audit_data *); 148 149 static void auf_mknod(struct t_audit_data *, int, rval_t *); 150 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 151 static void auf_semsys(struct t_audit_data *, int, rval_t *); 152 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 153 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 154 static void auf_read(struct t_audit_data *, int, rval_t *); 155 static void auf_write(struct t_audit_data *, int, rval_t *); 156 157 static void aus_sigqueue(struct t_audit_data *); 158 static void aus_p_online(struct t_audit_data *); 159 static void aus_processor_bind(struct t_audit_data *); 160 static void aus_inst_sync(struct t_audit_data *); 161 static void aus_brandsys(struct t_audit_data *); 162 163 static void auf_accept(struct t_audit_data *, int, rval_t *); 164 165 static void auf_bind(struct t_audit_data *, int, rval_t *); 166 static void auf_connect(struct t_audit_data *, int, rval_t *); 167 static void aus_shutdown(struct t_audit_data *); 168 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 169 static void aus_sockconfig(struct t_audit_data *); 170 static void auf_recv(struct t_audit_data *, int, rval_t *); 171 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 172 static void auf_send(struct t_audit_data *, int, rval_t *); 173 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 174 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 175 static void auf_sendto(struct t_audit_data *, int, rval_t *); 176 static void aus_socket(struct t_audit_data *); 177 /* 178 * This table contains mapping information for converting system call numbers 179 * to audit event IDs. In several cases it is necessary to map a single system 180 * call to several events. 181 */ 182 183 #define aui_null NULL /* NULL initialize function */ 184 #define aus_null NULL /* NULL start function */ 185 #define auf_null NULL /* NULL finish function */ 186 187 struct audit_s2e audit_s2e[] = 188 { 189 /* 190 * ---------- ---------- ---------- ---------- 191 * INITIAL AUDIT START SYSTEM 192 * PROCESSING EVENT PROCESSING CALL 193 * ---------- ---------- ---------- ----------- 194 * FINISH EVENT 195 * PROCESSING CONTROL 196 * ---------------------------------------------------------- 197 */ 198 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 199 auf_null, 0, 200 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 201 auf_null, S2E_NPT, 202 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 203 auf_null, 0, 204 aui_null, AUE_READ, aus_null, /* 3 read */ 205 auf_read, S2E_PUB, 206 aui_null, AUE_WRITE, aus_null, /* 4 write */ 207 auf_write, 0, 208 aui_open, AUE_OPEN, aus_open, /* 5 open */ 209 auf_null, S2E_SP, 210 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 211 auf_null, 0, 212 aui_null, AUE_NULL, aus_null, /* 7 wait */ 213 auf_null, 0, 214 aui_null, AUE_CREAT, aus_null, /* 8 create */ 215 auf_null, S2E_SP, 216 aui_null, AUE_LINK, aus_null, /* 9 link */ 217 auf_null, 0, 218 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 219 auf_null, 0, 220 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 221 auf_null, S2E_MLD, 222 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 223 auf_null, S2E_SP, 224 aui_null, AUE_NULL, aus_null, /* 13 time */ 225 auf_null, 0, 226 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 227 auf_mknod, 0, 228 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 229 auf_null, 0, 230 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 231 auf_null, 0, 232 aui_null, AUE_NULL, aus_null, /* 17 brk */ 233 auf_null, 0, 234 aui_null, AUE_STAT, aus_null, /* 18 stat */ 235 auf_null, S2E_PUB, 236 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 237 auf_null, 0, 238 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 239 auf_null, 0, 240 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 241 auf_null, S2E_MLD, 242 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 243 auf_null, 0, 244 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 245 auf_null, 0, 246 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 247 auf_null, 0, 248 aui_null, AUE_STIME, aus_null, /* 25 stime */ 249 auf_null, 0, 250 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 255 auf_null, 0, 256 aui_null, AUE_NULL, aus_null, /* 29 pause */ 257 auf_null, 0, 258 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 259 auf_null, 0, 260 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 261 auf_null, 0, 262 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 263 auf_null, 0, 264 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 265 auf_null, S2E_PUB, 266 aui_null, AUE_NICE, aus_null, /* 34 nice */ 267 auf_null, 0, 268 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 269 auf_null, S2E_PUB, 270 aui_null, AUE_NULL, aus_null, /* 36 sync */ 271 auf_null, 0, 272 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 273 auf_null, 0, 274 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 275 auf_null, S2E_PUB, 276 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 277 auf_null, 0, 278 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 279 auf_null, 0, 280 aui_null, AUE_NULL, aus_null, /* 41 dup */ 281 auf_null, 0, 282 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 283 auf_null, 0, 284 aui_null, AUE_NULL, aus_null, /* 43 times */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 44 profil */ 287 auf_null, 0, 288 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 289 /* was proc lock */ 290 auf_null, 0, 291 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 48 sig */ 296 auf_null, 0, 297 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 298 auf_msgsys, 0, 299 #if defined(__x86) 300 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 301 auf_null, 0, 302 #else 303 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 304 auf_null, 0, 305 #endif /* __x86 */ 306 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 307 auf_null, 0, 308 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 309 auf_shmsys, 0, 310 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 311 auf_semsys, 0, 312 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 313 auf_null, 0, 314 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 315 auf_null, 0, 316 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 317 auf_null, 0, 318 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 319 auf_null, 0, 320 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 321 auf_null, 0, 322 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 323 auf_null, S2E_MLD, 324 aui_null, AUE_NULL, aus_null, /* 60 umask */ 325 auf_null, 0, 326 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 327 auf_null, S2E_SP, 328 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 329 auf_null, 0, 330 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 337 auf_null, 0, 338 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 339 /* file locking call */ 340 auf_null, 0, 341 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 342 /* local system calls */ 343 auf_null, 0, 344 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 357 /* was sigret (SunOS) */ 358 auf_null, 0, 359 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 360 auf_null, 0, 361 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 362 auf_null, 0, 363 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 364 auf_null, 0, 365 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 366 auf_null, 0, 367 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 368 auf_null, 0, 369 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 370 auf_null, 0, 371 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 372 /* was libattach */ 373 auf_null, 0, 374 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 375 /* was libdetach */ 376 auf_null, 0, 377 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 378 auf_null, 0, 379 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 380 auf_null, 0, 381 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 382 auf_null, 0, 383 aui_null, AUE_NULL, aus_null, /* 87 poll */ 384 auf_null, 0, 385 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 386 auf_null, S2E_PUB, 387 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 388 auf_null, 0, 389 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 390 auf_null, S2E_PUB, 391 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 392 auf_null, 0, 393 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 394 auf_null, 0, 395 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 396 auf_null, 0, 397 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 398 auf_null, 0, 399 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 410 auf_null, 0, 411 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 412 auf_null, 0, 413 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 414 /* was evtrapret */ 415 auf_null, 0, 416 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 417 auf_null, S2E_PUB, 418 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 425 auf_null, 0, 426 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 427 auf_null, 0, 428 #if defined(__x86) 429 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 430 auf_null, 0, 431 #else 432 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 433 auf_null, 0, 434 #endif /* __x86 */ 435 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 436 auf_null, 0, 437 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 438 auf_null, 0, 439 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 440 auf_null, 0, /* 112 priocntlsys */ 441 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 442 auf_null, S2E_PUB, 443 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 444 auf_null, 0, 445 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 446 auf_null, 0, 447 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 448 auf_null, 0, 449 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 450 auf_null, 0, 451 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 452 auf_null, 0, 453 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 454 auf_null, 0, 455 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 456 auf_null, 0, 457 aui_null, AUE_READ, aus_null, /* 121 readv */ 458 auf_read, S2E_PUB, 459 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 460 auf_write, 0, 461 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 462 auf_null, S2E_PUB, 463 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 464 auf_null, S2E_PUB, 465 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 466 auf_null, 0, 467 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 468 auf_xmknod, 0, 469 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 470 auf_null, 0, 471 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 472 auf_null, 0, 473 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 474 auf_null, 0, 475 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 476 auf_null, 0, 477 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 478 auf_null, 0, 479 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 480 auf_null, 0, 481 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 482 auf_null, 0, 483 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 484 auf_null, 0, 485 aui_null, AUE_NULL, aus_null, /* 135 uname */ 486 auf_null, 0, 487 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 488 auf_null, 0, 489 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 490 auf_null, 0, 491 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 492 auf_null, 0, 493 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 494 auf_null, 0, 495 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 496 auf_null, 0, 497 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 498 auf_null, 0, 499 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 500 auf_null, 0, 501 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 146 yield */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 514 auf_null, 0, 515 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 516 auf_null, 0, 517 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 518 auf_null, 0, 519 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 520 auf_null, 0, 521 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 522 auf_null, 0, 523 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 524 auf_null, 0, 525 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 544 auf_null, 0, 545 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 546 /* was lwp_setprivate */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 549 /* was lwp_getprivate */ 550 auf_null, 0, 551 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 560 auf_null, 0, 561 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 562 auf_null, 0, 563 aui_null, AUE_READ, aus_null, /* 173 pread */ 564 auf_read, S2E_PUB, 565 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 566 auf_write, 0, 567 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 568 auf_null, 0, 569 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 570 /* aus_inst_sync */ 571 auf_null, 0, 572 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 573 auf_null, 0, 574 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 579 auf_null, 0, 580 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 581 auf_null, 0, 582 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 583 auf_null, S2E_MLD, 584 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 585 auf_null, 0, 586 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 587 auf_null, 0, 588 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 589 auf_null, 0, 590 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 591 auf_null, 0, 592 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 593 auf_null, 0, /* 187 processor_bind */ 594 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 595 auf_null, 0, 596 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 597 auf_null, 0, 598 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 599 auf_null, 0, 600 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 601 auf_null, 0, 602 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 603 auf_null, 0, 604 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 613 auf_null, 0, 614 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 615 auf_null, 0, 616 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 617 auf_null, 0, 618 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 619 auf_null, 0, 620 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 621 auf_null, 0, 622 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 623 auf_null, 0, 624 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 625 auf_null, 0, 626 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 641 auf_null, 0, 642 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 643 auf_null, 0, 644 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 645 auf_null, 0, 646 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 647 auf_null, 0, 648 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 649 auf_null, S2E_PUB, 650 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 651 auf_null, S2E_PUB, 652 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 653 auf_null, 0, 654 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 655 auf_null, S2E_PUB, 656 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 657 auf_null, 0, 658 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 659 auf_null, 0, 660 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 661 auf_null, 0, 662 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 663 auf_read, S2E_PUB, 664 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 665 auf_write, 0, 666 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 667 auf_null, S2E_SP, 668 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 669 auf_null, S2E_SP, 670 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 671 auf_null, 0, 672 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 675 auf_null, 0, 676 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 677 auf_null, 0, 678 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 679 auf_null, 0, 680 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 681 auf_null, 0, 682 aui_null, AUE_BIND, aus_null, /* 232 bind */ 683 auf_bind, 0, 684 aui_null, AUE_NULL, aus_null, /* 233 listen */ 685 auf_null, 0, 686 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 687 auf_accept, 0, 688 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 689 auf_connect, 0, 690 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 691 auf_null, 0, 692 aui_null, AUE_READ, aus_null, /* 237 recv */ 693 auf_recv, 0, 694 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 695 auf_recvfrom, 0, 696 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 697 auf_recvmsg, 0, 698 aui_null, AUE_WRITE, aus_null, /* 240 send */ 699 auf_send, 0, 700 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 701 auf_sendmsg, 0, 702 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 703 auf_sendto, 0, 704 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 705 auf_null, 0, 706 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 707 auf_null, 0, 708 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 709 auf_null, 0, 710 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 711 auf_setsockopt, 0, 712 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 713 auf_null, 0, 714 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 715 auf_null, 0, 716 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 717 auf_null, 0, 718 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 723 auf_null, 0, 724 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 725 auf_null, 0, 726 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 727 auf_null, 0, 728 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 729 auf_null, 0 730 }; 731 732 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 733 734 735 /* acct start function */ 736 /*ARGSUSED*/ 737 static void 738 aus_acct(struct t_audit_data *tad) 739 { 740 klwp_t *clwp = ttolwp(curthread); 741 uintptr_t fname; 742 743 struct a { 744 long fname; /* char * */ 745 } *uap = (struct a *)clwp->lwp_ap; 746 747 fname = (uintptr_t)uap->fname; 748 749 if (fname == 0) 750 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 751 } 752 753 /* chown start function */ 754 /*ARGSUSED*/ 755 static void 756 aus_chown(struct t_audit_data *tad) 757 { 758 klwp_t *clwp = ttolwp(curthread); 759 uint32_t uid, gid; 760 761 struct a { 762 long fname; /* char * */ 763 long uid; 764 long gid; 765 } *uap = (struct a *)clwp->lwp_ap; 766 767 uid = (uint32_t)uap->uid; 768 gid = (uint32_t)uap->gid; 769 770 au_uwrite(au_to_arg32(2, "new file uid", uid)); 771 au_uwrite(au_to_arg32(3, "new file gid", gid)); 772 } 773 774 /* fchown start function */ 775 /*ARGSUSED*/ 776 static void 777 aus_fchown(struct t_audit_data *tad) 778 { 779 klwp_t *clwp = ttolwp(curthread); 780 uint32_t uid, gid, fd; 781 struct file *fp; 782 struct vnode *vp; 783 struct f_audit_data *fad; 784 785 struct a { 786 long fd; 787 long uid; 788 long gid; 789 } *uap = (struct a *)clwp->lwp_ap; 790 791 fd = (uint32_t)uap->fd; 792 uid = (uint32_t)uap->uid; 793 gid = (uint32_t)uap->gid; 794 795 au_uwrite(au_to_arg32(2, "new file uid", uid)); 796 au_uwrite(au_to_arg32(3, "new file gid", gid)); 797 798 /* 799 * convert file pointer to file descriptor 800 * Note: fd ref count incremented here. 801 */ 802 if ((fp = getf(fd)) == NULL) 803 return; 804 805 /* get path from file struct here */ 806 fad = F2A(fp); 807 if (fad->fad_aupath != NULL) { 808 au_uwrite(au_to_path(fad->fad_aupath)); 809 } else { 810 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 811 } 812 813 vp = fp->f_vnode; 814 audit_attributes(vp); 815 816 /* decrement file descriptor reference count */ 817 releasef(fd); 818 } 819 820 /*ARGSUSED*/ 821 static void 822 aus_lchown(struct t_audit_data *tad) 823 { 824 klwp_t *clwp = ttolwp(curthread); 825 uint32_t uid, gid; 826 827 828 struct a { 829 long fname; /* char * */ 830 long uid; 831 long gid; 832 } *uap = (struct a *)clwp->lwp_ap; 833 834 uid = (uint32_t)uap->uid; 835 gid = (uint32_t)uap->gid; 836 837 au_uwrite(au_to_arg32(2, "new file uid", uid)); 838 au_uwrite(au_to_arg32(3, "new file gid", gid)); 839 } 840 841 /* chmod start function */ 842 /*ARGSUSED*/ 843 static void 844 aus_chmod(struct t_audit_data *tad) 845 { 846 klwp_t *clwp = ttolwp(curthread); 847 uint32_t fmode; 848 849 struct a { 850 long fname; /* char * */ 851 long fmode; 852 } *uap = (struct a *)clwp->lwp_ap; 853 854 fmode = (uint32_t)uap->fmode; 855 856 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 857 } 858 859 /* chmod start function */ 860 /*ARGSUSED*/ 861 static void 862 aus_fchmod(struct t_audit_data *tad) 863 { 864 klwp_t *clwp = ttolwp(curthread); 865 uint32_t fmode, fd; 866 struct file *fp; 867 struct vnode *vp; 868 struct f_audit_data *fad; 869 870 struct a { 871 long fd; 872 long fmode; 873 } *uap = (struct a *)clwp->lwp_ap; 874 875 fd = (uint32_t)uap->fd; 876 fmode = (uint32_t)uap->fmode; 877 878 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 879 880 /* 881 * convert file pointer to file descriptor 882 * Note: fd ref count incremented here. 883 */ 884 if ((fp = getf(fd)) == NULL) 885 return; 886 887 /* get path from file struct here */ 888 fad = F2A(fp); 889 if (fad->fad_aupath != NULL) { 890 au_uwrite(au_to_path(fad->fad_aupath)); 891 } else { 892 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 893 } 894 895 vp = fp->f_vnode; 896 audit_attributes(vp); 897 898 /* decrement file descriptor reference count */ 899 releasef(fd); 900 } 901 902 903 /* convert open to appropriate event */ 904 static au_event_t 905 aui_open(au_event_t e) 906 { 907 klwp_t *clwp = ttolwp(curthread); 908 uint_t fm; 909 910 struct a { 911 long fnamep; /* char * */ 912 long fmode; 913 long cmode; 914 } *uap = (struct a *)clwp->lwp_ap; 915 916 fm = (uint_t)uap->fmode; 917 918 if (fm & O_WRONLY) 919 e = AUE_OPEN_W; 920 else if (fm & O_RDWR) 921 e = AUE_OPEN_RW; 922 else 923 e = AUE_OPEN_R; 924 925 if (fm & O_CREAT) 926 e += 1; 927 if (fm & O_TRUNC) 928 e += 2; 929 930 return (e); 931 } 932 933 /*ARGSUSED*/ 934 static void 935 aus_open(struct t_audit_data *tad) 936 { 937 klwp_t *clwp = ttolwp(curthread); 938 uint_t fm; 939 940 struct a { 941 long fnamep; /* char * */ 942 long fmode; 943 long cmode; 944 } *uap = (struct a *)clwp->lwp_ap; 945 946 fm = (uint_t)uap->fmode; 947 948 /* If no write, create, or trunc modes, mark as a public op */ 949 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 950 tad->tad_ctrl |= PAD_PUBLIC_EV; 951 } 952 953 /* convert openat(2) to appropriate event */ 954 static au_event_t 955 aui_fsat(au_event_t e) 956 { 957 t_audit_data_t *tad = U2A(u); 958 klwp_t *clwp = ttolwp(curthread); 959 uint_t fmcode, fm; 960 struct a { 961 long id; 962 long arg1; 963 long arg2; 964 long arg3; 965 long arg4; 966 long arg5; 967 } *uap = (struct a *)clwp->lwp_ap; 968 969 fmcode = (uint_t)uap->id; 970 971 switch (fmcode) { 972 973 case 0: /* openat */ 974 case 1: /* openat64 */ 975 fm = (uint_t)uap->arg3; 976 if (fm & O_WRONLY) 977 e = AUE_OPENAT_W; 978 else if (fm & O_RDWR) 979 e = AUE_OPENAT_RW; 980 else 981 e = AUE_OPENAT_R; 982 983 /* 984 * openat modes are defined in the following order: 985 * Read only 986 * Read|Create 987 * Read|Trunc 988 * Read|Create|Trunc 989 * Write Only 990 * Write|Create 991 * Write|Trunc 992 * Write|Create|Trunc * RW Only 993 * RW|Create 994 * RW|Trunc 995 * RW|Create|Trunc 996 */ 997 if (fm & O_CREAT) 998 e += 1; /* increment to include CREAT in mode */ 999 if (fm & O_TRUNC) 1000 e += 2; /* increment to include TRUNC in mode */ 1001 1002 /* convert to appropriate au_ctrl */ 1003 tad->tad_ctrl |= PAD_SAVPATH; 1004 if (fm & FXATTR) 1005 tad->tad_ctrl |= PAD_ATPATH; 1006 1007 1008 break; 1009 case 2: /* fstatat64 */ 1010 case 3: /* fstatat */ 1011 e = AUE_FSTATAT; 1012 break; 1013 case 4: /* fchownat */ 1014 e = AUE_FCHOWNAT; 1015 break; 1016 case 5: /* unlinkat */ 1017 e = AUE_UNLINKAT; 1018 break; 1019 case 6: /* futimesat */ 1020 e = AUE_FUTIMESAT; 1021 break; 1022 case 7: /* renameat */ 1023 e = AUE_RENAMEAT; 1024 break; 1025 case 9: /* __openattrdirat */ 1026 tad->tad_ctrl |= PAD_SAVPATH; 1027 /*FALLTHROUGH*/ 1028 default: 1029 e = AUE_NULL; 1030 break; 1031 } 1032 1033 return (e); 1034 } 1035 1036 /*ARGSUSED*/ 1037 static void 1038 aus_fsat(struct t_audit_data *tad) 1039 { 1040 klwp_t *clwp = ttolwp(curthread); 1041 uint_t fmcode, fm; 1042 struct a { 1043 long id; 1044 long arg1; 1045 long arg2; 1046 long arg3; 1047 long arg4; 1048 long arg5; 1049 } *uap = (struct a *)clwp->lwp_ap; 1050 1051 fmcode = (uint_t)uap->id; 1052 1053 switch (fmcode) { 1054 1055 case 0: /* openat */ 1056 case 1: /* openat64 */ 1057 fm = (uint_t)uap->arg3; 1058 /* If no write, create, or trunc modes, mark as a public op */ 1059 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1060 tad->tad_ctrl |= PAD_PUBLIC_EV; 1061 1062 break; 1063 case 2: /* fstatat64 */ 1064 case 3: /* fstatat */ 1065 tad->tad_ctrl |= PAD_PUBLIC_EV; 1066 break; 1067 default: 1068 break; 1069 } 1070 } 1071 1072 /* msgsys */ 1073 static au_event_t 1074 aui_msgsys(au_event_t e) 1075 { 1076 klwp_t *clwp = ttolwp(curthread); 1077 uint_t fm; 1078 1079 struct a { 1080 long id; /* function code id */ 1081 long ap; /* arg pointer for recvmsg */ 1082 } *uap = (struct a *)clwp->lwp_ap; 1083 1084 struct b { 1085 long msgid; 1086 long cmd; 1087 long buf; /* struct msqid_ds * */ 1088 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1089 1090 fm = (uint_t)uap->id; 1091 1092 switch (fm) { 1093 case 0: /* msgget */ 1094 e = AUE_MSGGET; 1095 break; 1096 case 1: /* msgctl */ 1097 switch ((uint_t)uap1->cmd) { 1098 case IPC_RMID: 1099 e = AUE_MSGCTL_RMID; 1100 break; 1101 case IPC_SET: 1102 e = AUE_MSGCTL_SET; 1103 break; 1104 case IPC_STAT: 1105 e = AUE_MSGCTL_STAT; 1106 break; 1107 default: 1108 e = AUE_MSGCTL; 1109 break; 1110 } 1111 break; 1112 case 2: /* msgrcv */ 1113 e = AUE_MSGRCV; 1114 break; 1115 case 3: /* msgsnd */ 1116 e = AUE_MSGSND; 1117 break; 1118 default: /* illegal system call */ 1119 e = AUE_NULL; 1120 break; 1121 } 1122 1123 return (e); 1124 } 1125 1126 1127 /* shmsys */ 1128 static au_event_t 1129 aui_shmsys(au_event_t e) 1130 { 1131 klwp_t *clwp = ttolwp(curthread); 1132 int fm; 1133 1134 struct a { /* shmsys */ 1135 long id; /* function code id */ 1136 } *uap = (struct a *)clwp->lwp_ap; 1137 1138 struct b { /* ctrl */ 1139 long shmid; 1140 long cmd; 1141 long arg; /* struct shmid_ds * */ 1142 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1143 fm = (uint_t)uap->id; 1144 1145 switch (fm) { 1146 case 0: /* shmat */ 1147 e = AUE_SHMAT; 1148 break; 1149 case 1: /* shmctl */ 1150 switch ((uint_t)uap1->cmd) { 1151 case IPC_RMID: 1152 e = AUE_SHMCTL_RMID; 1153 break; 1154 case IPC_SET: 1155 e = AUE_SHMCTL_SET; 1156 break; 1157 case IPC_STAT: 1158 e = AUE_SHMCTL_STAT; 1159 break; 1160 default: 1161 e = AUE_SHMCTL; 1162 break; 1163 } 1164 break; 1165 case 2: /* shmdt */ 1166 e = AUE_SHMDT; 1167 break; 1168 case 3: /* shmget */ 1169 e = AUE_SHMGET; 1170 break; 1171 default: /* illegal system call */ 1172 e = AUE_NULL; 1173 break; 1174 } 1175 1176 return (e); 1177 } 1178 1179 1180 /* semsys */ 1181 static au_event_t 1182 aui_semsys(au_event_t e) 1183 { 1184 klwp_t *clwp = ttolwp(curthread); 1185 uint_t fm; 1186 1187 struct a { /* semsys */ 1188 long id; 1189 } *uap = (struct a *)clwp->lwp_ap; 1190 1191 struct b { /* ctrl */ 1192 long semid; 1193 long semnum; 1194 long cmd; 1195 long arg; 1196 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1197 1198 fm = (uint_t)uap->id; 1199 1200 switch (fm) { 1201 case 0: /* semctl */ 1202 switch ((uint_t)uap1->cmd) { 1203 case IPC_RMID: 1204 e = AUE_SEMCTL_RMID; 1205 break; 1206 case IPC_SET: 1207 e = AUE_SEMCTL_SET; 1208 break; 1209 case IPC_STAT: 1210 e = AUE_SEMCTL_STAT; 1211 break; 1212 case GETNCNT: 1213 e = AUE_SEMCTL_GETNCNT; 1214 break; 1215 case GETPID: 1216 e = AUE_SEMCTL_GETPID; 1217 break; 1218 case GETVAL: 1219 e = AUE_SEMCTL_GETVAL; 1220 break; 1221 case GETALL: 1222 e = AUE_SEMCTL_GETALL; 1223 break; 1224 case GETZCNT: 1225 e = AUE_SEMCTL_GETZCNT; 1226 break; 1227 case SETVAL: 1228 e = AUE_SEMCTL_SETVAL; 1229 break; 1230 case SETALL: 1231 e = AUE_SEMCTL_SETALL; 1232 break; 1233 default: 1234 e = AUE_SEMCTL; 1235 break; 1236 } 1237 break; 1238 case 1: /* semget */ 1239 e = AUE_SEMGET; 1240 break; 1241 case 2: /* semop */ 1242 e = AUE_SEMOP; 1243 break; 1244 default: /* illegal system call */ 1245 e = AUE_NULL; 1246 break; 1247 } 1248 1249 return (e); 1250 } 1251 1252 /* utssys - uname(2), ustat(2), fusers(2) */ 1253 static au_event_t 1254 aui_utssys(au_event_t e) 1255 { 1256 klwp_t *clwp = ttolwp(curthread); 1257 uint_t type; 1258 1259 struct a { 1260 union { 1261 long cbuf; /* char * */ 1262 long ubuf; /* struct stat * */ 1263 } ub; 1264 union { 1265 long mv; /* for USTAT */ 1266 long flags; /* for FUSERS */ 1267 } un; 1268 long type; 1269 long outbp; /* char * for FUSERS */ 1270 } *uap = (struct a *)clwp->lwp_ap; 1271 1272 type = (uint_t)uap->type; 1273 1274 if (type == UTS_FUSERS) 1275 return (e); 1276 else 1277 return ((au_event_t)AUE_NULL); 1278 } 1279 1280 static au_event_t 1281 aui_fcntl(au_event_t e) 1282 { 1283 klwp_t *clwp = ttolwp(curthread); 1284 uint_t cmd; 1285 1286 struct a { 1287 long fdes; 1288 long cmd; 1289 long arg; 1290 } *uap = (struct a *)clwp->lwp_ap; 1291 1292 cmd = (uint_t)uap->cmd; 1293 1294 switch (cmd) { 1295 case F_GETLK: 1296 case F_SETLK: 1297 case F_SETLKW: 1298 break; 1299 case F_SETFL: 1300 case F_GETFL: 1301 case F_GETFD: 1302 break; 1303 default: 1304 e = (au_event_t)AUE_NULL; 1305 break; 1306 } 1307 return ((au_event_t)e); 1308 } 1309 1310 /* null function for now */ 1311 static au_event_t 1312 aui_execv(au_event_t e) 1313 { 1314 return (e); 1315 } 1316 1317 /* null function for now */ 1318 static au_event_t 1319 aui_execve(au_event_t e) 1320 { 1321 return (e); 1322 } 1323 1324 /*ARGSUSED*/ 1325 static void 1326 aus_fcntl(struct t_audit_data *tad) 1327 { 1328 klwp_t *clwp = ttolwp(curthread); 1329 uint32_t cmd, fd; 1330 struct file *fp; 1331 struct vnode *vp; 1332 struct f_audit_data *fad; 1333 1334 struct a { 1335 long fd; 1336 long cmd; 1337 long arg; 1338 } *uap = (struct a *)clwp->lwp_ap; 1339 1340 cmd = (uint32_t)uap->cmd; 1341 fd = (uint32_t)uap->fd; 1342 1343 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1344 1345 /* 1346 * convert file pointer to file descriptor 1347 * Note: fd ref count incremented here. 1348 */ 1349 if ((fp = getf(fd)) == NULL) 1350 return; 1351 1352 /* get path from file struct here */ 1353 fad = F2A(fp); 1354 if (fad->fad_aupath != NULL) { 1355 au_uwrite(au_to_path(fad->fad_aupath)); 1356 } else { 1357 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1358 } 1359 1360 vp = fp->f_vnode; 1361 audit_attributes(vp); 1362 1363 /* decrement file descriptor reference count */ 1364 releasef(fd); 1365 } 1366 1367 /*ARGSUSED*/ 1368 static void 1369 aus_kill(struct t_audit_data *tad) 1370 { 1371 klwp_t *clwp = ttolwp(curthread); 1372 struct proc *p; 1373 uint32_t signo; 1374 uid_t uid, ruid; 1375 gid_t gid, rgid; 1376 pid_t pid; 1377 const auditinfo_addr_t *ainfo; 1378 cred_t *cr; 1379 1380 struct a { 1381 long pid; 1382 long signo; 1383 } *uap = (struct a *)clwp->lwp_ap; 1384 1385 pid = (pid_t)uap->pid; 1386 signo = (uint32_t)uap->signo; 1387 1388 au_uwrite(au_to_arg32(2, "signal", signo)); 1389 if (pid > 0) { 1390 mutex_enter(&pidlock); 1391 if (((p = prfind(pid)) == (struct proc *)0) || 1392 (p->p_stat == SIDL)) { 1393 mutex_exit(&pidlock); 1394 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1395 return; 1396 } 1397 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1398 mutex_exit(&pidlock); 1399 1400 mutex_enter(&p->p_crlock); 1401 crhold(cr = p->p_cred); 1402 mutex_exit(&p->p_crlock); 1403 mutex_exit(&p->p_lock); 1404 1405 ainfo = crgetauinfo(cr); 1406 if (ainfo == NULL) { 1407 crfree(cr); 1408 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1409 return; 1410 } 1411 1412 uid = crgetuid(cr); 1413 gid = crgetgid(cr); 1414 ruid = crgetruid(cr); 1415 rgid = crgetrgid(cr); 1416 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1417 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1418 1419 if (is_system_labeled()) 1420 au_uwrite(au_to_label(CR_SL(cr))); 1421 1422 crfree(cr); 1423 } 1424 else 1425 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1426 } 1427 1428 /*ARGSUSED*/ 1429 static void 1430 aus_mkdir(struct t_audit_data *tad) 1431 { 1432 klwp_t *clwp = ttolwp(curthread); 1433 uint32_t dmode; 1434 1435 struct a { 1436 long dirnamep; /* char * */ 1437 long dmode; 1438 } *uap = (struct a *)clwp->lwp_ap; 1439 1440 dmode = (uint32_t)uap->dmode; 1441 1442 au_uwrite(au_to_arg32(2, "mode", dmode)); 1443 } 1444 1445 /*ARGSUSED*/ 1446 static void 1447 aus_mknod(struct t_audit_data *tad) 1448 { 1449 klwp_t *clwp = ttolwp(curthread); 1450 uint32_t fmode; 1451 dev_t dev; 1452 1453 struct a { 1454 long pnamep; /* char * */ 1455 long fmode; 1456 long dev; 1457 } *uap = (struct a *)clwp->lwp_ap; 1458 1459 fmode = (uint32_t)uap->fmode; 1460 dev = (dev_t)uap->dev; 1461 1462 au_uwrite(au_to_arg32(2, "mode", fmode)); 1463 #ifdef _LP64 1464 au_uwrite(au_to_arg64(3, "dev", dev)); 1465 #else 1466 au_uwrite(au_to_arg32(3, "dev", dev)); 1467 #endif 1468 } 1469 1470 /*ARGSUSED*/ 1471 static void 1472 aus_xmknod(struct t_audit_data *tad) 1473 { 1474 klwp_t *clwp = ttolwp(curthread); 1475 uint32_t fmode; 1476 dev_t dev; 1477 1478 struct a { 1479 long version; /* version */ 1480 long pnamep; /* char * */ 1481 long fmode; 1482 long dev; 1483 } *uap = (struct a *)clwp->lwp_ap; 1484 1485 fmode = (uint32_t)uap->fmode; 1486 dev = (dev_t)uap->dev; 1487 1488 au_uwrite(au_to_arg32(2, "mode", fmode)); 1489 #ifdef _LP64 1490 au_uwrite(au_to_arg64(3, "dev", dev)); 1491 #else 1492 au_uwrite(au_to_arg32(3, "dev", dev)); 1493 #endif 1494 } 1495 1496 /*ARGSUSED*/ 1497 static void 1498 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1499 { 1500 klwp_t *clwp = ttolwp(curthread); 1501 vnode_t *dvp; 1502 caddr_t pnamep; 1503 1504 struct a { 1505 long pnamep; /* char * */ 1506 long fmode; 1507 long dev; 1508 } *uap = (struct a *)clwp->lwp_ap; 1509 1510 /* no error, then already path token in audit record */ 1511 if (error != EPERM) 1512 return; 1513 1514 /* not auditing this event, nothing then to do */ 1515 if (tad->tad_flag == 0) 1516 return; 1517 1518 /* do the lookup to force generation of path token */ 1519 pnamep = (caddr_t)uap->pnamep; 1520 tad->tad_ctrl |= PAD_NOATTRB; 1521 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1522 if (error == 0) 1523 VN_RELE(dvp); 1524 } 1525 1526 /*ARGSUSED*/ 1527 static void 1528 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1529 { 1530 klwp_t *clwp = ttolwp(curthread); 1531 vnode_t *dvp; 1532 caddr_t pnamep; 1533 1534 struct a { 1535 long version; /* version */ 1536 long pnamep; /* char * */ 1537 long fmode; 1538 long dev; 1539 } *uap = (struct a *)clwp->lwp_arg; 1540 1541 1542 /* no error, then already path token in audit record */ 1543 if (error != EPERM) 1544 return; 1545 1546 /* not auditing this event, nothing then to do */ 1547 if (tad->tad_flag == 0) 1548 return; 1549 1550 /* do the lookup to force generation of path token */ 1551 pnamep = (caddr_t)uap->pnamep; 1552 tad->tad_ctrl |= PAD_NOATTRB; 1553 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1554 if (error == 0) 1555 VN_RELE(dvp); 1556 } 1557 1558 /*ARGSUSED*/ 1559 static void 1560 aus_mount(struct t_audit_data *tad) 1561 { /* AUS_START */ 1562 klwp_t *clwp = ttolwp(curthread); 1563 uint32_t flags; 1564 uintptr_t u_fstype, dataptr; 1565 STRUCT_DECL(nfs_args, nfsargs); 1566 size_t len; 1567 char *fstype, *hostname; 1568 1569 struct a { 1570 long spec; /* char * */ 1571 long dir; /* char * */ 1572 long flags; 1573 long fstype; /* char * */ 1574 long dataptr; /* char * */ 1575 long datalen; 1576 } *uap = (struct a *)clwp->lwp_ap; 1577 1578 u_fstype = (uintptr_t)uap->fstype; 1579 flags = (uint32_t)uap->flags; 1580 dataptr = (uintptr_t)uap->dataptr; 1581 1582 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1583 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1584 goto mount_free_fstype; 1585 1586 au_uwrite(au_to_arg32(3, "flags", flags)); 1587 au_uwrite(au_to_text(fstype)); 1588 1589 if (strncmp(fstype, "nfs", 3) == 0) { 1590 1591 STRUCT_INIT(nfsargs, get_udatamodel()); 1592 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1593 1594 if (copyin((caddr_t)dataptr, 1595 STRUCT_BUF(nfsargs), 1596 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1597 /* DEBUG debug_enter((char *)NULL); */ 1598 goto mount_free_fstype; 1599 } 1600 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1601 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1602 (caddr_t)hostname, 1603 MAXNAMELEN, &len)) { 1604 goto mount_free_hostname; 1605 } 1606 au_uwrite(au_to_text(hostname)); 1607 au_uwrite(au_to_arg32(3, "internal flags", 1608 (uint_t)STRUCT_FGET(nfsargs, flags))); 1609 1610 mount_free_hostname: 1611 kmem_free(hostname, MAXNAMELEN); 1612 } 1613 1614 mount_free_fstype: 1615 kmem_free(fstype, MAXNAMELEN); 1616 } /* AUS_MOUNT */ 1617 1618 static void 1619 aus_umount_path(caddr_t umount_dir) 1620 { 1621 char *dir_path; 1622 struct audit_path *path; 1623 size_t path_len, dir_len; 1624 1625 /* length alloc'd for two string pointers */ 1626 path_len = sizeof (struct audit_path) + sizeof (char *); 1627 path = kmem_alloc(path_len, KM_SLEEP); 1628 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1629 1630 if (copyinstr(umount_dir, (caddr_t)dir_path, 1631 MAXPATHLEN, &dir_len)) 1632 goto umount2_free_dir; 1633 1634 /* 1635 * the audit_path struct assumes that the buffer pointed to 1636 * by audp_sect[n] contains string 0 immediatedly followed 1637 * by string 1. 1638 */ 1639 path->audp_sect[0] = dir_path; 1640 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1641 path->audp_size = path_len; 1642 path->audp_ref = 1; /* not used */ 1643 path->audp_cnt = 1; /* one path string */ 1644 1645 au_uwrite(au_to_path(path)); 1646 1647 umount2_free_dir: 1648 kmem_free(dir_path, MAXPATHLEN); 1649 kmem_free(path, path_len); 1650 } 1651 1652 /* 1653 * the umount syscall is implemented as a call to umount2, but the args 1654 * are different... 1655 */ 1656 1657 /*ARGSUSED*/ 1658 static void 1659 aus_umount(struct t_audit_data *tad) 1660 { 1661 klwp_t *clwp = ttolwp(curthread); 1662 struct a { 1663 long dir; /* char * */ 1664 } *uap = (struct a *)clwp->lwp_ap; 1665 1666 aus_umount_path((caddr_t)uap->dir); 1667 } 1668 1669 /*ARGSUSED*/ 1670 static void 1671 aus_umount2(struct t_audit_data *tad) 1672 { 1673 klwp_t *clwp = ttolwp(curthread); 1674 struct a { 1675 long dir; /* char * */ 1676 long flags; 1677 } *uap = (struct a *)clwp->lwp_ap; 1678 1679 aus_umount_path((caddr_t)uap->dir); 1680 1681 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1682 } 1683 1684 static void 1685 aus_msgsys(struct t_audit_data *tad) 1686 { 1687 klwp_t *clwp = ttolwp(curthread); 1688 uint32_t msgid; 1689 1690 struct b { 1691 long msgid; 1692 long cmd; 1693 long buf; /* struct msqid_ds * */ 1694 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1695 1696 msgid = (uint32_t)uap1->msgid; 1697 1698 1699 switch (tad->tad_event) { 1700 case AUE_MSGGET: /* msgget */ 1701 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1702 break; 1703 case AUE_MSGCTL: /* msgctl */ 1704 case AUE_MSGCTL_RMID: /* msgctl */ 1705 case AUE_MSGCTL_STAT: /* msgctl */ 1706 case AUE_MSGRCV: /* msgrcv */ 1707 case AUE_MSGSND: /* msgsnd */ 1708 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1709 break; 1710 case AUE_MSGCTL_SET: /* msgctl */ 1711 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1712 break; 1713 } 1714 } 1715 1716 /*ARGSUSED*/ 1717 static void 1718 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1719 { 1720 int id; 1721 1722 if (error != 0) 1723 return; 1724 if (tad->tad_event == AUE_MSGGET) { 1725 uint32_t scid; 1726 uint32_t sy_flags; 1727 1728 /* need to determine type of executing binary */ 1729 scid = tad->tad_scid; 1730 #ifdef _SYSCALL32_IMPL 1731 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1732 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1733 else 1734 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1735 #else 1736 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1737 #endif 1738 if (sy_flags == SE_32RVAL1) 1739 id = rval->r_val1; 1740 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1741 id = rval->r_val1; 1742 if (sy_flags == SE_64RVAL) 1743 id = (int)rval->r_vals; 1744 1745 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1746 } 1747 } 1748 1749 static void 1750 aus_semsys(struct t_audit_data *tad) 1751 { 1752 klwp_t *clwp = ttolwp(curthread); 1753 uint32_t semid; 1754 1755 struct b { /* ctrl */ 1756 long semid; 1757 long semnum; 1758 long cmd; 1759 long arg; 1760 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1761 1762 semid = (uint32_t)uap1->semid; 1763 1764 switch (tad->tad_event) { 1765 case AUE_SEMCTL_RMID: 1766 case AUE_SEMCTL_STAT: 1767 case AUE_SEMCTL_GETNCNT: 1768 case AUE_SEMCTL_GETPID: 1769 case AUE_SEMCTL_GETVAL: 1770 case AUE_SEMCTL_GETALL: 1771 case AUE_SEMCTL_GETZCNT: 1772 case AUE_SEMCTL_SETVAL: 1773 case AUE_SEMCTL_SETALL: 1774 case AUE_SEMCTL: 1775 case AUE_SEMOP: 1776 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1777 break; 1778 case AUE_SEMCTL_SET: 1779 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1780 break; 1781 case AUE_SEMGET: 1782 au_uwrite(au_to_arg32(1, "sem key", semid)); 1783 break; 1784 } 1785 } 1786 1787 /*ARGSUSED*/ 1788 static void 1789 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1790 { 1791 int id; 1792 1793 if (error != 0) 1794 return; 1795 if (tad->tad_event == AUE_SEMGET) { 1796 uint32_t scid; 1797 uint32_t sy_flags; 1798 1799 /* need to determine type of executing binary */ 1800 scid = tad->tad_scid; 1801 #ifdef _SYSCALL32_IMPL 1802 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1803 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1804 else 1805 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1806 #else 1807 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1808 #endif 1809 if (sy_flags == SE_32RVAL1) 1810 id = rval->r_val1; 1811 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1812 id = rval->r_val1; 1813 if (sy_flags == SE_64RVAL) 1814 id = (int)rval->r_vals; 1815 1816 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1817 } 1818 } 1819 1820 /*ARGSUSED*/ 1821 static void 1822 aus_close(struct t_audit_data *tad) 1823 { 1824 klwp_t *clwp = ttolwp(curthread); 1825 uint32_t fd; 1826 struct file *fp; 1827 struct f_audit_data *fad; 1828 struct vnode *vp; 1829 struct vattr attr; 1830 au_kcontext_t *kctx = GET_KCTX_PZ; 1831 1832 struct a { 1833 long i; 1834 } *uap = (struct a *)clwp->lwp_ap; 1835 1836 fd = (uint32_t)uap->i; 1837 1838 attr.va_mask = 0; 1839 au_uwrite(au_to_arg32(1, "fd", fd)); 1840 1841 /* 1842 * convert file pointer to file descriptor 1843 * Note: fd ref count incremented here. 1844 */ 1845 if ((fp = getf(fd)) == NULL) 1846 return; 1847 1848 fad = F2A(fp); 1849 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1850 if (fad->fad_aupath != NULL) { 1851 au_uwrite(au_to_path(fad->fad_aupath)); 1852 if ((vp = fp->f_vnode) != NULL) { 1853 attr.va_mask = AT_ALL; 1854 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1855 /* 1856 * When write was not used and the file can be 1857 * considered public, skip the audit. 1858 */ 1859 if (((fp->f_flag & FWRITE) == 0) && 1860 file_is_public(&attr)) { 1861 tad->tad_flag = 0; 1862 tad->tad_evmod = 0; 1863 /* free any residual audit data */ 1864 au_close(kctx, &(u_ad), 0, 0, 0); 1865 releasef(fd); 1866 return; 1867 } 1868 au_uwrite(au_to_attr(&attr)); 1869 audit_sec_attributes(&(u_ad), vp); 1870 } 1871 } 1872 } 1873 1874 /* decrement file descriptor reference count */ 1875 releasef(fd); 1876 } 1877 1878 /*ARGSUSED*/ 1879 static void 1880 aus_fstatfs(struct t_audit_data *tad) 1881 { 1882 klwp_t *clwp = ttolwp(curthread); 1883 uint32_t fd; 1884 struct file *fp; 1885 struct vnode *vp; 1886 struct f_audit_data *fad; 1887 1888 struct a { 1889 long fd; 1890 long buf; /* struct statfs * */ 1891 } *uap = (struct a *)clwp->lwp_ap; 1892 1893 fd = (uint_t)uap->fd; 1894 1895 /* 1896 * convert file pointer to file descriptor 1897 * Note: fd ref count incremented here. 1898 */ 1899 if ((fp = getf(fd)) == NULL) 1900 return; 1901 1902 /* get path from file struct here */ 1903 fad = F2A(fp); 1904 if (fad->fad_aupath != NULL) { 1905 au_uwrite(au_to_path(fad->fad_aupath)); 1906 } else { 1907 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1908 } 1909 1910 vp = fp->f_vnode; 1911 audit_attributes(vp); 1912 1913 /* decrement file descriptor reference count */ 1914 releasef(fd); 1915 } 1916 1917 #ifdef NOTYET 1918 /*ARGSUSED*/ 1919 static void 1920 aus_setpgrp(struct t_audit_data *tad) 1921 { 1922 klwp_t *clwp = ttolwp(curthread); 1923 uint32_t pgrp; 1924 struct proc *p; 1925 uid_t uid, ruid; 1926 gid_t gid, rgid; 1927 pid_t pid; 1928 const auditinfo_addr_t *ainfo; 1929 cred_t *cr; 1930 1931 struct a { 1932 long pid; 1933 long pgrp; 1934 } *uap = (struct a *)clwp->lwp_ap; 1935 1936 pid = (pid_t)uap->pid; 1937 pgrp = (uint32_t)uap->pgrp; 1938 1939 /* current process? */ 1940 if (pid == 0) 1941 (return); 1942 1943 mutex_enter(&pidlock); 1944 p = prfind(pid); 1945 if (p == NULL || p->p_as == &kas) { 1946 mutex_exit(&pidlock); 1947 return; 1948 } 1949 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1950 mutex_exit(&pidlock); 1951 1952 mutex_enter(&p->p_crlock); 1953 crhold(cr = p->p_cred); 1954 mutex_exit(&p->p_crlock); 1955 mutex_exit(&p->p_lock); 1956 1957 ainfo = crgetauinfo(cr); 1958 if (ainfo == NULL) { 1959 crfree(cr); 1960 return; 1961 } 1962 1963 uid = crgetuid(cr); 1964 gid = crgetgid(cr); 1965 ruid = crgetruid(cr); 1966 rgid = crgetrgid(cr); 1967 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1968 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1969 crfree(cr); 1970 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1971 } 1972 #endif 1973 1974 /*ARGSUSED*/ 1975 static void 1976 aus_setregid(struct t_audit_data *tad) 1977 { 1978 klwp_t *clwp = ttolwp(curthread); 1979 uint32_t rgid, egid; 1980 1981 struct a { 1982 long rgid; 1983 long egid; 1984 } *uap = (struct a *)clwp->lwp_ap; 1985 1986 rgid = (uint32_t)uap->rgid; 1987 egid = (uint32_t)uap->egid; 1988 1989 au_uwrite(au_to_arg32(1, "rgid", rgid)); 1990 au_uwrite(au_to_arg32(2, "egid", egid)); 1991 } 1992 1993 /*ARGSUSED*/ 1994 static void 1995 aus_setgid(struct t_audit_data *tad) 1996 { 1997 klwp_t *clwp = ttolwp(curthread); 1998 uint32_t gid; 1999 2000 struct a { 2001 long gid; 2002 } *uap = (struct a *)clwp->lwp_ap; 2003 2004 gid = (uint32_t)uap->gid; 2005 2006 au_uwrite(au_to_arg32(1, "gid", gid)); 2007 } 2008 2009 2010 /*ARGSUSED*/ 2011 static void 2012 aus_setreuid(struct t_audit_data *tad) 2013 { 2014 klwp_t *clwp = ttolwp(curthread); 2015 uint32_t ruid, euid; 2016 2017 struct a { 2018 long ruid; 2019 long euid; 2020 } *uap = (struct a *)clwp->lwp_ap; 2021 2022 ruid = (uint32_t)uap->ruid; 2023 euid = (uint32_t)uap->euid; 2024 2025 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2026 au_uwrite(au_to_arg32(2, "euid", euid)); 2027 } 2028 2029 2030 /*ARGSUSED*/ 2031 static void 2032 aus_setuid(struct t_audit_data *tad) 2033 { 2034 klwp_t *clwp = ttolwp(curthread); 2035 uint32_t uid; 2036 2037 struct a { 2038 long uid; 2039 } *uap = (struct a *)clwp->lwp_ap; 2040 2041 uid = (uint32_t)uap->uid; 2042 2043 au_uwrite(au_to_arg32(1, "uid", uid)); 2044 } 2045 2046 /*ARGSUSED*/ 2047 static void 2048 aus_shmsys(struct t_audit_data *tad) 2049 { 2050 klwp_t *clwp = ttolwp(curthread); 2051 uint32_t id, cmd; 2052 2053 struct b { 2054 long id; 2055 long cmd; 2056 long buf; /* struct shmid_ds * */ 2057 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2058 2059 id = (uint32_t)uap1->id; 2060 cmd = (uint32_t)uap1->cmd; 2061 2062 switch (tad->tad_event) { 2063 case AUE_SHMGET: /* shmget */ 2064 au_uwrite(au_to_arg32(1, "shm key", id)); 2065 break; 2066 case AUE_SHMCTL: /* shmctl */ 2067 case AUE_SHMCTL_RMID: /* shmctl */ 2068 case AUE_SHMCTL_STAT: /* shmctl */ 2069 case AUE_SHMCTL_SET: /* shmctl */ 2070 au_uwrite(au_to_arg32(1, "shm ID", id)); 2071 break; 2072 case AUE_SHMDT: /* shmdt */ 2073 au_uwrite(au_to_arg32(1, "shm adr", id)); 2074 break; 2075 case AUE_SHMAT: /* shmat */ 2076 au_uwrite(au_to_arg32(1, "shm ID", id)); 2077 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2078 break; 2079 } 2080 } 2081 2082 /*ARGSUSED*/ 2083 static void 2084 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2085 { 2086 int id; 2087 2088 if (error != 0) 2089 return; 2090 if (tad->tad_event == AUE_SHMGET) { 2091 uint32_t scid; 2092 uint32_t sy_flags; 2093 2094 /* need to determine type of executing binary */ 2095 scid = tad->tad_scid; 2096 #ifdef _SYSCALL32_IMPL 2097 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2098 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2099 else 2100 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2101 #else 2102 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2103 #endif 2104 if (sy_flags == SE_32RVAL1) 2105 id = rval->r_val1; 2106 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2107 id = rval->r_val1; 2108 if (sy_flags == SE_64RVAL) 2109 id = (int)rval->r_vals; 2110 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2111 } 2112 } 2113 2114 2115 /*ARGSUSED*/ 2116 static void 2117 aus_ioctl(struct t_audit_data *tad) 2118 { 2119 klwp_t *clwp = ttolwp(curthread); 2120 struct file *fp; 2121 struct vnode *vp; 2122 struct f_audit_data *fad; 2123 uint32_t fd, cmd; 2124 uintptr_t cmarg; 2125 2126 /* XX64 */ 2127 struct a { 2128 long fd; 2129 long cmd; 2130 long cmarg; /* caddr_t */ 2131 } *uap = (struct a *)clwp->lwp_ap; 2132 2133 fd = (uint32_t)uap->fd; 2134 cmd = (uint32_t)uap->cmd; 2135 cmarg = (uintptr_t)uap->cmarg; 2136 2137 /* 2138 * convert file pointer to file descriptor 2139 * Note: fd ref count incremented here. 2140 */ 2141 if ((fp = getf(fd)) == NULL) { 2142 au_uwrite(au_to_arg32(1, "fd", fd)); 2143 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2144 #ifndef _LP64 2145 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2146 #else 2147 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2148 #endif 2149 return; 2150 } 2151 2152 /* get path from file struct here */ 2153 fad = F2A(fp); 2154 if (fad->fad_aupath != NULL) { 2155 au_uwrite(au_to_path(fad->fad_aupath)); 2156 } else { 2157 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2158 } 2159 2160 vp = fp->f_vnode; 2161 audit_attributes(vp); 2162 2163 /* decrement file descriptor reference count */ 2164 releasef(fd); 2165 2166 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2167 #ifndef _LP64 2168 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2169 #else 2170 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2171 #endif 2172 } 2173 2174 /* 2175 * null function for memcntl for now. We might want to limit memcntl() 2176 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2177 * require privileges. 2178 */ 2179 static au_event_t 2180 aui_memcntl(au_event_t e) 2181 { 2182 return (e); 2183 } 2184 2185 /*ARGSUSED*/ 2186 static au_event_t 2187 aui_privsys(au_event_t e) 2188 { 2189 klwp_t *clwp = ttolwp(curthread); 2190 2191 struct a { 2192 long opcode; 2193 } *uap = (struct a *)clwp->lwp_ap; 2194 2195 switch (uap->opcode) { 2196 case PRIVSYS_SETPPRIV: 2197 return (AUE_SETPPRIV); 2198 default: 2199 return (AUE_NULL); 2200 } 2201 } 2202 2203 /*ARGSUSED*/ 2204 static void 2205 aus_memcntl(struct t_audit_data *tad) 2206 { 2207 klwp_t *clwp = ttolwp(curthread); 2208 2209 struct a { 2210 long addr; 2211 long len; 2212 long cmd; 2213 long arg; 2214 long attr; 2215 long mask; 2216 } *uap = (struct a *)clwp->lwp_ap; 2217 2218 #ifdef _LP64 2219 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2220 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2221 #else 2222 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2223 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2224 #endif 2225 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2226 #ifdef _LP64 2227 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2228 #else 2229 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2230 #endif 2231 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2232 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2233 } 2234 2235 /*ARGSUSED*/ 2236 static void 2237 aus_mmap(struct t_audit_data *tad) 2238 { 2239 klwp_t *clwp = ttolwp(curthread); 2240 struct file *fp; 2241 struct f_audit_data *fad; 2242 struct vnode *vp; 2243 uint32_t fd; 2244 2245 struct a { 2246 long addr; 2247 long len; 2248 long prot; 2249 long flags; 2250 long fd; 2251 long pos; 2252 } *uap = (struct a *)clwp->lwp_ap; 2253 2254 fd = (uint32_t)uap->fd; 2255 2256 #ifdef _LP64 2257 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2258 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2259 #else 2260 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2261 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2262 #endif 2263 2264 if ((fp = getf(fd)) == NULL) { 2265 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2266 return; 2267 } 2268 2269 /* 2270 * Mark in the tad if write access is NOT requested... if 2271 * this is later detected (in audit_attributes) to be a 2272 * public object, the mmap event may be discarded. 2273 */ 2274 if (((uap->prot) & PROT_WRITE) == 0) { 2275 tad->tad_ctrl |= PAD_PUBLIC_EV; 2276 } 2277 2278 fad = F2A(fp); 2279 if (fad->fad_aupath != NULL) { 2280 au_uwrite(au_to_path(fad->fad_aupath)); 2281 } else { 2282 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2283 } 2284 2285 vp = (struct vnode *)fp->f_vnode; 2286 audit_attributes(vp); 2287 2288 /* mark READ/WRITE since we can't predict access */ 2289 if (uap->prot & PROT_READ) 2290 fad->fad_flags |= FAD_READ; 2291 if (uap->prot & PROT_WRITE) 2292 fad->fad_flags |= FAD_WRITE; 2293 2294 /* decrement file descriptor reference count */ 2295 releasef(fd); 2296 2297 } /* AUS_MMAP */ 2298 2299 2300 2301 2302 /*ARGSUSED*/ 2303 static void 2304 aus_munmap(struct t_audit_data *tad) 2305 { 2306 klwp_t *clwp = ttolwp(curthread); 2307 2308 struct a { 2309 long addr; 2310 long len; 2311 } *uap = (struct a *)clwp->lwp_ap; 2312 2313 #ifdef _LP64 2314 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2315 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2316 #else 2317 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2318 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2319 #endif 2320 2321 } /* AUS_MUNMAP */ 2322 2323 2324 2325 2326 2327 2328 2329 /*ARGSUSED*/ 2330 static void 2331 aus_priocntlsys(struct t_audit_data *tad) 2332 { 2333 klwp_t *clwp = ttolwp(curthread); 2334 2335 struct a { 2336 long pc_version; 2337 long psp; /* procset_t */ 2338 long cmd; 2339 long arg; 2340 } *uap = (struct a *)clwp->lwp_ap; 2341 2342 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2343 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2344 2345 } /* AUS_PRIOCNTLSYS */ 2346 2347 2348 /*ARGSUSED*/ 2349 static void 2350 aus_setegid(struct t_audit_data *tad) 2351 { 2352 klwp_t *clwp = ttolwp(curthread); 2353 uint32_t gid; 2354 2355 struct a { 2356 long gid; 2357 } *uap = (struct a *)clwp->lwp_ap; 2358 2359 gid = (uint32_t)uap->gid; 2360 2361 au_uwrite(au_to_arg32(1, "gid", gid)); 2362 } /* AUS_SETEGID */ 2363 2364 2365 2366 2367 /*ARGSUSED*/ 2368 static void 2369 aus_setgroups(struct t_audit_data *tad) 2370 { 2371 klwp_t *clwp = ttolwp(curthread); 2372 int i; 2373 int gidsetsize; 2374 uintptr_t gidset; 2375 gid_t *gidlist; 2376 2377 struct a { 2378 long gidsetsize; 2379 long gidset; 2380 } *uap = (struct a *)clwp->lwp_ap; 2381 2382 gidsetsize = (uint_t)uap->gidsetsize; 2383 gidset = (uintptr_t)uap->gidset; 2384 2385 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2386 return; 2387 if (gidsetsize != 0) { 2388 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2389 KM_SLEEP); 2390 if (copyin((caddr_t)gidset, gidlist, 2391 gidsetsize * sizeof (gid_t)) == 0) 2392 for (i = 0; i < gidsetsize; i++) 2393 au_uwrite(au_to_arg32(1, "setgroups", 2394 (uint32_t)gidlist[i])); 2395 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2396 } else 2397 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2398 2399 } /* AUS_SETGROUPS */ 2400 2401 2402 2403 2404 2405 /*ARGSUSED*/ 2406 static void 2407 aus_seteuid(struct t_audit_data *tad) 2408 { 2409 klwp_t *clwp = ttolwp(curthread); 2410 uint32_t uid; 2411 2412 struct a { 2413 long uid; 2414 } *uap = (struct a *)clwp->lwp_ap; 2415 2416 uid = (uint32_t)uap->uid; 2417 2418 au_uwrite(au_to_arg32(1, "euid", uid)); 2419 2420 } /* AUS_SETEUID */ 2421 2422 /*ARGSUSED*/ 2423 static void 2424 aus_putmsg(struct t_audit_data *tad) 2425 { 2426 klwp_t *clwp = ttolwp(curthread); 2427 uint32_t fd, pri; 2428 struct file *fp; 2429 struct f_audit_data *fad; 2430 2431 struct a { 2432 long fdes; 2433 long ctl; /* struct strbuf * */ 2434 long data; /* struct strbuf * */ 2435 long pri; 2436 } *uap = (struct a *)clwp->lwp_ap; 2437 2438 fd = (uint32_t)uap->fdes; 2439 pri = (uint32_t)uap->pri; 2440 2441 au_uwrite(au_to_arg32(1, "fd", fd)); 2442 2443 if ((fp = getf(fd)) != NULL) { 2444 fad = F2A(fp); 2445 2446 fad->fad_flags |= FAD_WRITE; 2447 2448 /* add path name to audit record */ 2449 if (fad->fad_aupath != NULL) { 2450 au_uwrite(au_to_path(fad->fad_aupath)); 2451 } 2452 audit_attributes(fp->f_vnode); 2453 2454 releasef(fd); 2455 } 2456 2457 au_uwrite(au_to_arg32(4, "pri", pri)); 2458 } 2459 2460 /*ARGSUSED*/ 2461 static void 2462 aus_putpmsg(struct t_audit_data *tad) 2463 { 2464 klwp_t *clwp = ttolwp(curthread); 2465 uint32_t fd, pri, flags; 2466 struct file *fp; 2467 struct f_audit_data *fad; 2468 2469 struct a { 2470 long fdes; 2471 long ctl; /* struct strbuf * */ 2472 long data; /* struct strbuf * */ 2473 long pri; 2474 long flags; 2475 } *uap = (struct a *)clwp->lwp_ap; 2476 2477 fd = (uint32_t)uap->fdes; 2478 pri = (uint32_t)uap->pri; 2479 flags = (uint32_t)uap->flags; 2480 2481 au_uwrite(au_to_arg32(1, "fd", fd)); 2482 2483 if ((fp = getf(fd)) != NULL) { 2484 fad = F2A(fp); 2485 2486 fad->fad_flags |= FAD_WRITE; 2487 2488 /* add path name to audit record */ 2489 if (fad->fad_aupath != NULL) { 2490 au_uwrite(au_to_path(fad->fad_aupath)); 2491 } 2492 audit_attributes(fp->f_vnode); 2493 2494 releasef(fd); 2495 } 2496 2497 2498 au_uwrite(au_to_arg32(4, "pri", pri)); 2499 au_uwrite(au_to_arg32(5, "flags", flags)); 2500 } 2501 2502 /*ARGSUSED*/ 2503 static void 2504 aus_getmsg(struct t_audit_data *tad) 2505 { 2506 klwp_t *clwp = ttolwp(curthread); 2507 uint32_t fd, pri; 2508 struct file *fp; 2509 struct f_audit_data *fad; 2510 2511 struct a { 2512 long fdes; 2513 long ctl; /* struct strbuf * */ 2514 long data; /* struct strbuf * */ 2515 long pri; 2516 } *uap = (struct a *)clwp->lwp_ap; 2517 2518 fd = (uint32_t)uap->fdes; 2519 pri = (uint32_t)uap->pri; 2520 2521 au_uwrite(au_to_arg32(1, "fd", fd)); 2522 2523 if ((fp = getf(fd)) != NULL) { 2524 fad = F2A(fp); 2525 2526 /* 2527 * read operation on this object 2528 */ 2529 fad->fad_flags |= FAD_READ; 2530 2531 /* add path name to audit record */ 2532 if (fad->fad_aupath != NULL) { 2533 au_uwrite(au_to_path(fad->fad_aupath)); 2534 } 2535 audit_attributes(fp->f_vnode); 2536 2537 releasef(fd); 2538 } 2539 2540 au_uwrite(au_to_arg32(4, "pri", pri)); 2541 } 2542 2543 /*ARGSUSED*/ 2544 static void 2545 aus_getpmsg(struct t_audit_data *tad) 2546 { 2547 klwp_t *clwp = ttolwp(curthread); 2548 uint32_t fd; 2549 struct file *fp; 2550 struct f_audit_data *fad; 2551 2552 struct a { 2553 long fdes; 2554 long ctl; /* struct strbuf * */ 2555 long data; /* struct strbuf * */ 2556 long pri; 2557 long flags; 2558 } *uap = (struct a *)clwp->lwp_ap; 2559 2560 fd = (uint32_t)uap->fdes; 2561 2562 au_uwrite(au_to_arg32(1, "fd", fd)); 2563 2564 if ((fp = getf(fd)) != NULL) { 2565 fad = F2A(fp); 2566 2567 /* 2568 * read operation on this object 2569 */ 2570 fad->fad_flags |= FAD_READ; 2571 2572 /* add path name to audit record */ 2573 if (fad->fad_aupath != NULL) { 2574 au_uwrite(au_to_path(fad->fad_aupath)); 2575 } 2576 audit_attributes(fp->f_vnode); 2577 2578 releasef(fd); 2579 } 2580 } 2581 2582 static au_event_t 2583 aui_labelsys(au_event_t e) 2584 { 2585 klwp_t *clwp = ttolwp(curthread); 2586 uint32_t code; 2587 uint32_t cmd; 2588 2589 struct a { 2590 long code; 2591 long cmd; 2592 } *uap = (struct a *)clwp->lwp_ap; 2593 2594 code = (uint32_t)uap->code; 2595 cmd = (uint32_t)uap->cmd; 2596 2597 /* not security relevant if not changing kernel cache */ 2598 if (cmd == TNDB_GET) 2599 return (AUE_NULL); 2600 2601 switch (code) { 2602 case TSOL_TNRH: 2603 e = AUE_LABELSYS_TNRH; 2604 break; 2605 case TSOL_TNRHTP: 2606 e = AUE_LABELSYS_TNRHTP; 2607 break; 2608 case TSOL_TNMLP: 2609 e = AUE_LABELSYS_TNMLP; 2610 break; 2611 default: 2612 e = AUE_NULL; 2613 break; 2614 } 2615 2616 return (e); 2617 2618 } 2619 2620 static void 2621 aus_labelsys(struct t_audit_data *tad) 2622 { 2623 klwp_t *clwp = ttolwp(curthread); 2624 uint32_t cmd; 2625 uintptr_t a2; 2626 2627 struct a { 2628 long code; 2629 long cmd; 2630 long a2; 2631 } *uap = (struct a *)clwp->lwp_ap; 2632 2633 cmd = (uint32_t)uap->cmd; 2634 a2 = (uintptr_t)uap->a2; 2635 2636 switch (tad->tad_event) { 2637 case AUE_LABELSYS_TNRH: 2638 { 2639 tsol_rhent_t *rhent; 2640 tnaddr_t *rh_addr; 2641 2642 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2643 2644 /* Remaining args don't apply for FLUSH, so skip */ 2645 if (cmd == TNDB_FLUSH) 2646 break; 2647 2648 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2649 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2650 kmem_free(rhent, sizeof (tsol_rhent_t)); 2651 return; 2652 } 2653 2654 rh_addr = &rhent->rh_address; 2655 if (rh_addr->ta_family == AF_INET) { 2656 struct in_addr *ipaddr; 2657 2658 ipaddr = &(rh_addr->ta_addr_v4); 2659 au_uwrite(au_to_in_addr(ipaddr)); 2660 } else if (rh_addr->ta_family == AF_INET6) { 2661 int32_t *ipaddr; 2662 2663 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2664 au_uwrite(au_to_in_addr_ex(ipaddr)); 2665 } 2666 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2667 2668 kmem_free(rhent, sizeof (tsol_rhent_t)); 2669 2670 break; 2671 } 2672 case AUE_LABELSYS_TNRHTP: 2673 { 2674 tsol_tpent_t *tpent; 2675 2676 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2677 2678 /* Remaining args don't apply for FLUSH, so skip */ 2679 if (cmd == TNDB_FLUSH) 2680 break; 2681 2682 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2683 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2684 kmem_free(tpent, sizeof (tsol_tpent_t)); 2685 return; 2686 } 2687 2688 /* Make sure that the template name is null-terminated. */ 2689 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2690 2691 au_uwrite(au_to_text(tpent->name)); 2692 kmem_free(tpent, sizeof (tsol_tpent_t)); 2693 2694 break; 2695 } 2696 case AUE_LABELSYS_TNMLP: 2697 { 2698 tsol_mlpent_t *mlpent; 2699 2700 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2701 2702 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2703 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2704 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2705 return; 2706 } 2707 2708 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2709 au_uwrite(au_to_text("shared")); 2710 } else { 2711 zone_t *zone; 2712 2713 zone = zone_find_by_id(mlpent->tsme_zoneid); 2714 if (zone != NULL) { 2715 au_uwrite(au_to_text(zone->zone_name)); 2716 zone_rele(zone); 2717 } 2718 } 2719 2720 /* Remaining args don't apply for FLUSH, so skip */ 2721 if (cmd == TNDB_FLUSH) { 2722 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2723 break; 2724 } 2725 2726 au_uwrite(au_to_arg32(2, "proto num", 2727 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2728 au_uwrite(au_to_arg32(2, "mlp_port", 2729 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2730 2731 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2732 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2733 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2734 2735 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2736 2737 break; 2738 } 2739 default: 2740 break; 2741 } 2742 } 2743 2744 2745 static au_event_t 2746 aui_auditsys(au_event_t e) 2747 { 2748 klwp_t *clwp = ttolwp(curthread); 2749 uint32_t code; 2750 2751 struct a { 2752 long code; 2753 long a1; 2754 long a2; 2755 long a3; 2756 long a4; 2757 long a5; 2758 long a6; 2759 long a7; 2760 } *uap = (struct a *)clwp->lwp_ap; 2761 2762 code = (uint32_t)uap->code; 2763 2764 switch (code) { 2765 2766 case BSM_GETAUID: 2767 e = AUE_GETAUID; 2768 break; 2769 case BSM_SETAUID: 2770 e = AUE_SETAUID; 2771 break; 2772 case BSM_GETAUDIT: 2773 e = AUE_GETAUDIT; 2774 break; 2775 case BSM_GETAUDIT_ADDR: 2776 e = AUE_GETAUDIT_ADDR; 2777 break; 2778 case BSM_SETAUDIT: 2779 e = AUE_SETAUDIT; 2780 break; 2781 case BSM_SETAUDIT_ADDR: 2782 e = AUE_SETAUDIT_ADDR; 2783 break; 2784 case BSM_AUDIT: 2785 e = AUE_AUDIT; 2786 break; 2787 case BSM_GETPORTAUDIT: 2788 e = AUE_GETPORTAUDIT; 2789 break; 2790 case BSM_AUDITON: 2791 case BSM_AUDITCTL: 2792 2793 switch ((uint_t)uap->a1) { 2794 2795 case A_GETPOLICY: 2796 e = AUE_AUDITON_GPOLICY; 2797 break; 2798 case A_SETPOLICY: 2799 e = AUE_AUDITON_SPOLICY; 2800 break; 2801 case A_GETKMASK: 2802 e = AUE_AUDITON_GETKMASK; 2803 break; 2804 case A_SETKMASK: 2805 e = AUE_AUDITON_SETKMASK; 2806 break; 2807 case A_GETQCTRL: 2808 e = AUE_AUDITON_GQCTRL; 2809 break; 2810 case A_SETQCTRL: 2811 e = AUE_AUDITON_SQCTRL; 2812 break; 2813 case A_GETCWD: 2814 e = AUE_AUDITON_GETCWD; 2815 break; 2816 case A_GETCAR: 2817 e = AUE_AUDITON_GETCAR; 2818 break; 2819 case A_GETSTAT: 2820 e = AUE_AUDITON_GETSTAT; 2821 break; 2822 case A_SETSTAT: 2823 e = AUE_AUDITON_SETSTAT; 2824 break; 2825 case A_SETUMASK: 2826 e = AUE_AUDITON_SETUMASK; 2827 break; 2828 case A_SETSMASK: 2829 e = AUE_AUDITON_SETSMASK; 2830 break; 2831 case A_GETCOND: 2832 e = AUE_AUDITON_GETCOND; 2833 break; 2834 case A_SETCOND: 2835 e = AUE_AUDITON_SETCOND; 2836 break; 2837 case A_GETCLASS: 2838 e = AUE_AUDITON_GETCLASS; 2839 break; 2840 case A_SETCLASS: 2841 e = AUE_AUDITON_SETCLASS; 2842 break; 2843 default: 2844 e = AUE_NULL; 2845 break; 2846 } 2847 break; 2848 default: 2849 e = AUE_NULL; 2850 break; 2851 } 2852 2853 return (e); 2854 2855 } /* AUI_AUDITSYS */ 2856 2857 2858 static void 2859 aus_auditsys(struct t_audit_data *tad) 2860 { 2861 klwp_t *clwp = ttolwp(curthread); 2862 uintptr_t a1, a2; 2863 STRUCT_DECL(auditinfo, ainfo); 2864 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2865 au_evclass_map_t event; 2866 au_mask_t mask; 2867 int auditstate, policy; 2868 au_id_t auid; 2869 2870 2871 struct a { 2872 long code; 2873 long a1; 2874 long a2; 2875 long a3; 2876 long a4; 2877 long a5; 2878 long a6; 2879 long a7; 2880 } *uap = (struct a *)clwp->lwp_ap; 2881 2882 a1 = (uintptr_t)uap->a1; 2883 a2 = (uintptr_t)uap->a2; 2884 2885 switch (tad->tad_event) { 2886 case AUE_SETAUID: 2887 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2888 return; 2889 au_uwrite(au_to_arg32(2, "setauid", auid)); 2890 break; 2891 case AUE_SETAUDIT: 2892 STRUCT_INIT(ainfo, get_udatamodel()); 2893 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2894 STRUCT_SIZE(ainfo))) { 2895 return; 2896 } 2897 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2898 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2899 #ifdef _LP64 2900 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2901 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2902 #else 2903 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2904 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2905 #endif 2906 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2907 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2908 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2909 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2910 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2911 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2912 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2913 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2914 break; 2915 case AUE_SETAUDIT_ADDR: 2916 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2917 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2918 STRUCT_SIZE(ainfo_addr))) { 2919 return; 2920 } 2921 au_uwrite(au_to_arg32((char)1, "auid", 2922 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2923 #ifdef _LP64 2924 au_uwrite(au_to_arg64((char)1, "port", 2925 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2926 #else 2927 au_uwrite(au_to_arg32((char)1, "port", 2928 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2929 #endif 2930 au_uwrite(au_to_arg32((char)1, "type", 2931 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2932 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2933 AU_IPv4) { 2934 au_uwrite(au_to_in_addr( 2935 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2936 ai_termid.at_addr))); 2937 } else { 2938 au_uwrite(au_to_in_addr_ex( 2939 (int32_t *)STRUCT_FGETP(ainfo_addr, 2940 ai_termid.at_addr))); 2941 } 2942 au_uwrite(au_to_arg32((char)1, "as_success", 2943 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2944 au_uwrite(au_to_arg32((char)1, "as_failure", 2945 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2946 au_uwrite(au_to_arg32((char)1, "asid", 2947 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2948 break; 2949 case AUE_AUDITON_SETKMASK: 2950 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2951 return; 2952 au_uwrite(au_to_arg32( 2953 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2954 au_uwrite(au_to_arg32( 2955 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2956 break; 2957 case AUE_AUDITON_SPOLICY: 2958 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2959 return; 2960 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2961 break; 2962 case AUE_AUDITON_SQCTRL: { 2963 STRUCT_DECL(au_qctrl, qctrl); 2964 model_t model; 2965 2966 model = get_udatamodel(); 2967 STRUCT_INIT(qctrl, model); 2968 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2969 return; 2970 if (model == DATAMODEL_ILP32) { 2971 au_uwrite(au_to_arg32( 2972 3, "setqctrl:aq_hiwater", 2973 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2974 au_uwrite(au_to_arg32( 2975 3, "setqctrl:aq_lowater", 2976 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2977 au_uwrite(au_to_arg32( 2978 3, "setqctrl:aq_bufsz", 2979 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2980 au_uwrite(au_to_arg32( 2981 3, "setqctrl:aq_delay", 2982 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2983 } else { 2984 au_uwrite(au_to_arg64( 2985 3, "setqctrl:aq_hiwater", 2986 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2987 au_uwrite(au_to_arg64( 2988 3, "setqctrl:aq_lowater", 2989 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2990 au_uwrite(au_to_arg64( 2991 3, "setqctrl:aq_bufsz", 2992 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2993 au_uwrite(au_to_arg64( 2994 3, "setqctrl:aq_delay", 2995 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2996 } 2997 break; 2998 } 2999 case AUE_AUDITON_SETUMASK: 3000 STRUCT_INIT(ainfo, get_udatamodel()); 3001 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3002 STRUCT_SIZE(ainfo))) { 3003 return; 3004 } 3005 au_uwrite(au_to_arg32(3, "setumask:as_success", 3006 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3007 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3008 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3009 break; 3010 case AUE_AUDITON_SETSMASK: 3011 STRUCT_INIT(ainfo, get_udatamodel()); 3012 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3013 STRUCT_SIZE(ainfo))) { 3014 return; 3015 } 3016 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3017 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3018 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3019 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3020 break; 3021 case AUE_AUDITON_SETCOND: 3022 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3023 return; 3024 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3025 break; 3026 case AUE_AUDITON_SETCLASS: 3027 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3028 return; 3029 au_uwrite(au_to_arg32( 3030 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3031 au_uwrite(au_to_arg32( 3032 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3033 break; 3034 case AUE_GETAUID: 3035 case AUE_GETAUDIT: 3036 case AUE_GETAUDIT_ADDR: 3037 case AUE_AUDIT: 3038 case AUE_GETPORTAUDIT: 3039 case AUE_AUDITON_GPOLICY: 3040 case AUE_AUDITON_GQCTRL: 3041 case AUE_AUDITON_GETKMASK: 3042 case AUE_AUDITON_GETCWD: 3043 case AUE_AUDITON_GETCAR: 3044 case AUE_AUDITON_GETSTAT: 3045 case AUE_AUDITON_SETSTAT: 3046 case AUE_AUDITON_GETCOND: 3047 case AUE_AUDITON_GETCLASS: 3048 break; 3049 default: 3050 break; 3051 } 3052 3053 } /* AUS_AUDITSYS */ 3054 3055 3056 /* only audit privileged operations for systeminfo(2) system call */ 3057 static au_event_t 3058 aui_sysinfo(au_event_t e) 3059 { 3060 klwp_t *clwp = ttolwp(curthread); 3061 uint32_t command; 3062 3063 struct a { 3064 long command; 3065 long buf; /* char * */ 3066 long count; 3067 } *uap = (struct a *)clwp->lwp_ap; 3068 3069 command = (uint32_t)uap->command; 3070 3071 switch (command) { 3072 case SI_SET_HOSTNAME: 3073 case SI_SET_SRPC_DOMAIN: 3074 e = (au_event_t)AUE_SYSINFO; 3075 break; 3076 default: 3077 e = (au_event_t)AUE_NULL; 3078 break; 3079 } 3080 return (e); 3081 } 3082 3083 /*ARGSUSED*/ 3084 static void 3085 aus_sysinfo(struct t_audit_data *tad) 3086 { 3087 klwp_t *clwp = ttolwp(curthread); 3088 uint32_t command; 3089 size_t len, maxlen; 3090 char *name; 3091 uintptr_t buf; 3092 3093 struct a { 3094 long command; 3095 long buf; /* char * */ 3096 long count; 3097 } *uap = (struct a *)clwp->lwp_ap; 3098 3099 command = (uint32_t)uap->command; 3100 buf = (uintptr_t)uap->buf; 3101 3102 au_uwrite(au_to_arg32(1, "cmd", command)); 3103 3104 switch (command) { 3105 case SI_SET_HOSTNAME: 3106 { 3107 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3108 return; 3109 3110 maxlen = SYS_NMLN; 3111 name = kmem_alloc(maxlen, KM_SLEEP); 3112 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3113 break; 3114 3115 /* 3116 * Must be non-NULL string and string 3117 * must be less than SYS_NMLN chars. 3118 */ 3119 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3120 break; 3121 3122 au_uwrite(au_to_text(name)); 3123 break; 3124 } 3125 3126 case SI_SET_SRPC_DOMAIN: 3127 { 3128 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3129 return; 3130 3131 maxlen = SYS_NMLN; 3132 name = kmem_alloc(maxlen, KM_SLEEP); 3133 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3134 break; 3135 3136 /* 3137 * If string passed in is longer than length 3138 * allowed for domain name, fail. 3139 */ 3140 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3141 break; 3142 3143 au_uwrite(au_to_text(name)); 3144 break; 3145 } 3146 3147 default: 3148 return; 3149 } 3150 3151 kmem_free(name, maxlen); 3152 } 3153 3154 static au_event_t 3155 aui_modctl(au_event_t e) 3156 { 3157 klwp_t *clwp = ttolwp(curthread); 3158 uint_t cmd; 3159 3160 struct a { 3161 long cmd; 3162 } *uap = (struct a *)clwp->lwp_ap; 3163 3164 cmd = (uint_t)uap->cmd; 3165 3166 switch (cmd) { 3167 case MODLOAD: 3168 e = AUE_MODLOAD; 3169 break; 3170 case MODUNLOAD: 3171 e = AUE_MODUNLOAD; 3172 break; 3173 case MODADDMAJBIND: 3174 e = AUE_MODADDMAJ; 3175 break; 3176 case MODSETDEVPOLICY: 3177 e = AUE_MODDEVPLCY; 3178 break; 3179 case MODALLOCPRIV: 3180 e = AUE_MODADDPRIV; 3181 break; 3182 default: 3183 e = AUE_NULL; 3184 break; 3185 } 3186 return (e); 3187 } 3188 3189 3190 /*ARGSUSED*/ 3191 static void 3192 aus_modctl(struct t_audit_data *tad) 3193 { 3194 klwp_t *clwp = ttolwp(curthread); 3195 void *a = clwp->lwp_ap; 3196 uint_t use_path; 3197 3198 switch (tad->tad_event) { 3199 case AUE_MODLOAD: { 3200 typedef struct { 3201 long cmd; 3202 long use_path; 3203 long filename; /* char * */ 3204 } modloada_t; 3205 3206 char *filenamep; 3207 uintptr_t fname; 3208 extern char *default_path; 3209 3210 fname = (uintptr_t)((modloada_t *)a)->filename; 3211 use_path = (uint_t)((modloada_t *)a)->use_path; 3212 3213 /* space to hold path */ 3214 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3215 /* get string */ 3216 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3217 /* free allocated path */ 3218 kmem_free(filenamep, MOD_MAXPATH); 3219 return; 3220 } 3221 /* ensure it's null terminated */ 3222 filenamep[MOD_MAXPATH - 1] = 0; 3223 3224 if (use_path) 3225 au_uwrite(au_to_text(default_path)); 3226 au_uwrite(au_to_text(filenamep)); 3227 3228 /* release temporary memory */ 3229 kmem_free(filenamep, MOD_MAXPATH); 3230 break; 3231 } 3232 case AUE_MODUNLOAD: { 3233 typedef struct { 3234 long cmd; 3235 long id; 3236 } modunloada_t; 3237 3238 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3239 3240 au_uwrite(au_to_arg32(1, "id", id)); 3241 break; 3242 } 3243 case AUE_MODADDMAJ: { 3244 STRUCT_DECL(modconfig, mc); 3245 typedef struct { 3246 long cmd; 3247 long subcmd; 3248 long data; /* int * */ 3249 } modconfiga_t; 3250 3251 STRUCT_DECL(aliases, alias); 3252 caddr_t ap; 3253 int i, num_aliases; 3254 char *drvname, *mc_drvname; 3255 char *name; 3256 extern char *ddi_major_to_name(major_t); 3257 model_t model; 3258 3259 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3260 3261 model = get_udatamodel(); 3262 STRUCT_INIT(mc, model); 3263 /* sanitize buffer */ 3264 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3265 /* get user arguments */ 3266 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3267 STRUCT_SIZE(mc)) != 0) 3268 return; 3269 3270 mc_drvname = STRUCT_FGET(mc, drvname); 3271 if ((drvname = ddi_major_to_name( 3272 (major_t)STRUCT_FGET(mc, major))) != NULL && 3273 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3274 /* safety */ 3275 if (mc_drvname[0] != '\0') { 3276 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3277 au_uwrite(au_to_text(mc_drvname)); 3278 } 3279 /* drvname != NULL from test above */ 3280 au_uwrite(au_to_text(drvname)); 3281 return; 3282 } 3283 3284 if (mc_drvname[0] != '\0') { 3285 /* safety */ 3286 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3287 au_uwrite(au_to_text(mc_drvname)); 3288 } else 3289 au_uwrite(au_to_text("no drvname")); 3290 3291 num_aliases = STRUCT_FGET(mc, num_aliases); 3292 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3293 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3294 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3295 STRUCT_INIT(alias, model); 3296 for (i = 0; i < num_aliases; i++) { 3297 bzero((caddr_t)STRUCT_BUF(alias), 3298 STRUCT_SIZE(alias)); 3299 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3300 STRUCT_SIZE(alias)) != 0) 3301 break; 3302 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3303 MAXMODCONFNAME, NULL) != 0) { 3304 break; 3305 } 3306 3307 au_uwrite(au_to_text(name)); 3308 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3309 } 3310 kmem_free(name, MAXMODCONFNAME); 3311 break; 3312 } 3313 default: 3314 break; 3315 } 3316 } 3317 3318 3319 /*ARGSUSED*/ 3320 static void 3321 auf_accept( 3322 struct t_audit_data *tad, 3323 int error, 3324 rval_t *rval) 3325 { 3326 uint32_t scid; 3327 uint32_t sy_flags; 3328 int fd; 3329 struct sonode *so; 3330 char so_laddr[sizeof (struct sockaddr_in6)]; 3331 char so_faddr[sizeof (struct sockaddr_in6)]; 3332 int err; 3333 short so_family, so_type; 3334 int add_sock_token = 0; 3335 3336 /* need to determine type of executing binary */ 3337 scid = tad->tad_scid; 3338 #ifdef _SYSCALL32_IMPL 3339 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3340 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3341 else 3342 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3343 #else 3344 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3345 #endif 3346 if (sy_flags == SE_32RVAL1) 3347 fd = rval->r_val1; 3348 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3349 fd = rval->r_val1; 3350 if (sy_flags == SE_64RVAL) 3351 fd = (int)rval->r_vals; 3352 3353 if (error) { 3354 /* can't trust socket contents. Just return */ 3355 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3356 return; 3357 } 3358 3359 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3360 /* 3361 * not security relevant if doing a accept from non socket 3362 * so no extra tokens. Should probably turn off audit record 3363 * generation here. 3364 */ 3365 return; 3366 } 3367 3368 so_family = so->so_family; 3369 so_type = so->so_type; 3370 3371 switch (so_family) { 3372 case AF_INET: 3373 case AF_INET6: 3374 /* 3375 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3376 */ 3377 if (so->so_type == SOCK_STREAM) { 3378 socklen_t len; 3379 3380 bzero((void *)so_laddr, sizeof (so_laddr)); 3381 bzero((void *)so_faddr, sizeof (so_faddr)); 3382 3383 len = sizeof (so_laddr); 3384 (void) socket_getsockname(so, 3385 (struct sockaddr *)so_laddr, &len, CRED()); 3386 len = sizeof (so_faddr); 3387 (void) socket_getpeername(so, 3388 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3389 3390 add_sock_token = 1; 3391 } 3392 break; 3393 3394 default: 3395 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3396 break; 3397 } 3398 3399 releasef(fd); 3400 3401 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3402 3403 if (add_sock_token == 0) { 3404 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3405 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3406 return; 3407 } 3408 3409 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3410 3411 } 3412 3413 /*ARGSUSED*/ 3414 static void 3415 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3416 { 3417 struct a { 3418 long fd; 3419 long addr; 3420 long len; 3421 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3422 3423 struct sonode *so; 3424 char so_laddr[sizeof (struct sockaddr_in6)]; 3425 char so_faddr[sizeof (struct sockaddr_in6)]; 3426 int err, fd; 3427 socklen_t len; 3428 short so_family, so_type; 3429 int add_sock_token = 0; 3430 3431 fd = (int)uap->fd; 3432 3433 /* 3434 * bind failed, then nothing extra to add to audit record. 3435 */ 3436 if (error) { 3437 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3438 /* XXX may want to add failed address some day */ 3439 return; 3440 } 3441 3442 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3443 /* 3444 * not security relevant if doing a bind from non socket 3445 * so no extra tokens. Should probably turn off audit record 3446 * generation here. 3447 */ 3448 return; 3449 } 3450 3451 so_family = so->so_family; 3452 so_type = so->so_type; 3453 3454 switch (so_family) { 3455 case AF_INET: 3456 case AF_INET6: 3457 3458 bzero(so_faddr, sizeof (so_faddr)); 3459 len = sizeof (so_faddr); 3460 3461 (void) socket_getpeername(so, 3462 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3463 add_sock_token = 1; 3464 3465 break; 3466 3467 case AF_UNIX: 3468 /* token added by lookup */ 3469 break; 3470 default: 3471 /* AF_ROUTE, AF_KEY do not support accept */ 3472 break; 3473 } 3474 3475 releasef(fd); 3476 3477 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3478 3479 if (add_sock_token == 0) { 3480 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3481 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3482 return; 3483 } 3484 3485 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3486 3487 } 3488 3489 /*ARGSUSED*/ 3490 static void 3491 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3492 { 3493 struct a { 3494 long fd; 3495 long addr; 3496 long len; 3497 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3498 3499 struct sonode *so; 3500 char so_laddr[sizeof (struct sockaddr_in6)]; 3501 char so_faddr[sizeof (struct sockaddr_in6)]; 3502 int err, fd; 3503 socklen_t len; 3504 short so_family, so_type; 3505 int add_sock_token = 0; 3506 3507 fd = (int)uap->fd; 3508 3509 3510 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3511 /* 3512 * not security relevant if doing a connect from non socket 3513 * so no extra tokens. Should probably turn off audit record 3514 * generation here. 3515 */ 3516 return; 3517 } 3518 3519 so_family = so->so_family; 3520 so_type = so->so_type; 3521 3522 switch (so_family) { 3523 case AF_INET: 3524 case AF_INET6: 3525 3526 bzero(so_laddr, sizeof (so_laddr)); 3527 bzero(so_faddr, sizeof (so_faddr)); 3528 3529 len = sizeof (so_laddr); 3530 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3531 &len, CRED()); 3532 if (error) { 3533 if (uap->addr == NULL) 3534 break; 3535 if (uap->len <= 0) 3536 break; 3537 len = min(uap->len, sizeof (so_faddr)); 3538 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3539 break; 3540 #ifdef NOTYET 3541 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3542 #endif 3543 } else { 3544 /* sanity check on length */ 3545 len = sizeof (so_faddr); 3546 (void) socket_getpeername(so, 3547 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3548 } 3549 3550 add_sock_token = 1; 3551 3552 break; 3553 3554 case AF_UNIX: 3555 /* does a lookup on name */ 3556 break; 3557 3558 default: 3559 /* AF_ROUTE, AF_KEY do not support accept */ 3560 break; 3561 } 3562 3563 releasef(fd); 3564 3565 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3566 3567 if (add_sock_token == 0) { 3568 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3569 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3570 return; 3571 } 3572 3573 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3574 3575 } 3576 3577 /*ARGSUSED*/ 3578 static void 3579 aus_shutdown(struct t_audit_data *tad) 3580 { 3581 struct a { 3582 long fd; 3583 long how; 3584 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3585 3586 struct sonode *so; 3587 char so_laddr[sizeof (struct sockaddr_in6)]; 3588 char so_faddr[sizeof (struct sockaddr_in6)]; 3589 int err, fd; 3590 socklen_t len; 3591 short so_family, so_type; 3592 int add_sock_token = 0; 3593 file_t *fp; /* unix domain sockets */ 3594 struct f_audit_data *fad; /* unix domain sockets */ 3595 3596 fd = (int)uap->fd; 3597 3598 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3599 /* 3600 * not security relevant if doing a shutdown using non socket 3601 * so no extra tokens. Should probably turn off audit record 3602 * generation here. 3603 */ 3604 return; 3605 } 3606 3607 so_family = so->so_family; 3608 so_type = so->so_type; 3609 3610 switch (so_family) { 3611 case AF_INET: 3612 case AF_INET6: 3613 3614 bzero(so_laddr, sizeof (so_laddr)); 3615 bzero(so_faddr, sizeof (so_faddr)); 3616 3617 len = sizeof (so_laddr); 3618 (void) socket_getsockname(so, 3619 (struct sockaddr *)so_laddr, &len, CRED()); 3620 len = sizeof (so_faddr); 3621 (void) socket_getpeername(so, 3622 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3623 3624 add_sock_token = 1; 3625 3626 break; 3627 3628 case AF_UNIX: 3629 3630 /* get path from file struct here */ 3631 fad = F2A(fp); 3632 ASSERT(fad); 3633 3634 if (fad->fad_aupath != NULL) { 3635 au_uwrite(au_to_path(fad->fad_aupath)); 3636 } else { 3637 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3638 } 3639 3640 audit_attributes(fp->f_vnode); 3641 3642 break; 3643 3644 default: 3645 /* 3646 * AF_KEY and AF_ROUTE support shutdown. No socket token 3647 * added. 3648 */ 3649 break; 3650 } 3651 3652 releasef(fd); 3653 3654 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3655 3656 if (add_sock_token == 0) { 3657 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3658 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3659 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3660 return; 3661 } 3662 3663 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3664 3665 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3666 3667 } 3668 3669 /*ARGSUSED*/ 3670 static void 3671 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3672 { 3673 struct a { 3674 long fd; 3675 long level; 3676 long optname; 3677 long *optval; 3678 long optlen; 3679 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3680 3681 struct sonode *so; 3682 char so_laddr[sizeof (struct sockaddr_in6)]; 3683 char so_faddr[sizeof (struct sockaddr_in6)]; 3684 char val[AU_BUFSIZE]; 3685 int err, fd; 3686 socklen_t len; 3687 short so_family, so_type; 3688 int add_sock_token = 0; 3689 file_t *fp; /* unix domain sockets */ 3690 struct f_audit_data *fad; /* unix domain sockets */ 3691 3692 fd = (int)uap->fd; 3693 3694 if (error) { 3695 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3696 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3697 /* XXX may want to include other arguments */ 3698 return; 3699 } 3700 3701 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3702 /* 3703 * not security relevant if doing a setsockopt from non socket 3704 * so no extra tokens. Should probably turn off audit record 3705 * generation here. 3706 */ 3707 return; 3708 } 3709 3710 so_family = so->so_family; 3711 so_type = so->so_type; 3712 3713 switch (so_family) { 3714 case AF_INET: 3715 case AF_INET6: 3716 bzero((void *)so_laddr, sizeof (so_laddr)); 3717 bzero((void *)so_faddr, sizeof (so_faddr)); 3718 3719 /* get local and foreign addresses */ 3720 len = sizeof (so_laddr); 3721 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3722 &len, CRED()); 3723 len = sizeof (so_faddr); 3724 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3725 &len, B_FALSE, CRED()); 3726 3727 add_sock_token = 1; 3728 3729 break; 3730 3731 case AF_UNIX: 3732 3733 /* get path from file struct here */ 3734 fad = F2A(fp); 3735 ASSERT(fad); 3736 3737 if (fad->fad_aupath != NULL) { 3738 au_uwrite(au_to_path(fad->fad_aupath)); 3739 } else { 3740 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3741 } 3742 3743 audit_attributes(fp->f_vnode); 3744 3745 break; 3746 3747 default: 3748 /* 3749 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3750 * added. 3751 */ 3752 break; 3753 } 3754 3755 releasef(fd); 3756 3757 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3758 3759 if (add_sock_token == 0) { 3760 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3761 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3762 } 3763 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3764 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3765 3766 bzero(val, sizeof (val)); 3767 len = min(uap->optlen, sizeof (val)); 3768 if ((len > 0) && 3769 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3770 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3771 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3772 } 3773 3774 if (add_sock_token == 0) 3775 return; 3776 3777 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3778 3779 } 3780 3781 /*ARGSUSED*/ 3782 static void 3783 aus_sockconfig(tad) 3784 struct t_audit_data *tad; 3785 { 3786 struct a { 3787 long domain; 3788 long type; 3789 long protocol; 3790 long devpath; 3791 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3792 3793 char *kdevpath; 3794 int kdevpathlen = MAXPATHLEN + 1; 3795 size_t size; 3796 3797 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3798 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3799 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3800 3801 if (uap->devpath == 0) { 3802 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3803 } else { 3804 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3805 3806 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3807 &size)) { 3808 kmem_free(kdevpath, kdevpathlen); 3809 return; 3810 } 3811 3812 if (size > MAXPATHLEN) { 3813 kmem_free(kdevpath, kdevpathlen); 3814 return; 3815 } 3816 3817 au_uwrite(au_to_text(kdevpath)); 3818 kmem_free(kdevpath, kdevpathlen); 3819 } 3820 } 3821 3822 /* 3823 * only audit recvmsg when the system call represents the creation of a new 3824 * circuit. This effectively occurs for all UDP packets and may occur for 3825 * special TCP situations where the local host has not set a local address 3826 * in the socket structure. 3827 */ 3828 /*ARGSUSED*/ 3829 static void 3830 auf_recvmsg( 3831 struct t_audit_data *tad, 3832 int error, 3833 rval_t *rvp) 3834 { 3835 struct a { 3836 long fd; 3837 long msg; /* struct msghdr */ 3838 long flags; 3839 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3840 3841 struct sonode *so; 3842 STRUCT_DECL(msghdr, msg); 3843 caddr_t msg_name; 3844 socklen_t msg_namelen; 3845 int fd; 3846 int err; 3847 char so_laddr[sizeof (struct sockaddr_in6)]; 3848 char so_faddr[sizeof (struct sockaddr_in6)]; 3849 socklen_t len; 3850 file_t *fp; /* unix domain sockets */ 3851 struct f_audit_data *fad; /* unix domain sockets */ 3852 short so_family, so_type; 3853 int add_sock_token = 0; 3854 au_kcontext_t *kctx = GET_KCTX_PZ; 3855 3856 fd = (int)uap->fd; 3857 3858 /* bail if an error */ 3859 if (error) { 3860 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3861 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3862 return; 3863 } 3864 3865 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3866 /* 3867 * not security relevant if doing a recvmsg from non socket 3868 * so no extra tokens. Should probably turn off audit record 3869 * generation here. 3870 */ 3871 return; 3872 } 3873 3874 so_family = so->so_family; 3875 so_type = so->so_type; 3876 3877 /* 3878 * only putout SOCKET_EX token if INET/INET6 family. 3879 * XXX - what do we do about other families? 3880 */ 3881 3882 switch (so_family) { 3883 case AF_INET: 3884 case AF_INET6: 3885 3886 /* 3887 * if datagram type socket, then just use what is in 3888 * socket structure for local address. 3889 * XXX - what do we do for other types? 3890 */ 3891 if ((so->so_type == SOCK_DGRAM) || 3892 (so->so_type == SOCK_RAW)) { 3893 add_sock_token = 1; 3894 3895 bzero((void *)so_laddr, sizeof (so_laddr)); 3896 bzero((void *)so_faddr, sizeof (so_faddr)); 3897 3898 /* get local address */ 3899 len = sizeof (so_laddr); 3900 (void) socket_getsockname(so, 3901 (struct sockaddr *)so_laddr, &len, CRED()); 3902 3903 /* get peer address */ 3904 STRUCT_INIT(msg, get_udatamodel()); 3905 3906 if (copyin((caddr_t)(uap->msg), 3907 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3908 break; 3909 } 3910 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3911 if (msg_name == NULL) { 3912 break; 3913 } 3914 3915 /* length is value from recvmsg - sanity check */ 3916 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3917 if (msg_namelen == 0) { 3918 break; 3919 } 3920 if (copyin(msg_name, so_faddr, 3921 sizeof (so_faddr)) != 0) { 3922 break; 3923 } 3924 3925 } else if (so->so_type == SOCK_STREAM) { 3926 3927 /* get path from file struct here */ 3928 fad = F2A(fp); 3929 ASSERT(fad); 3930 3931 /* 3932 * already processed this file for read attempt 3933 */ 3934 if (fad->fad_flags & FAD_READ) { 3935 /* don't want to audit every recvmsg attempt */ 3936 tad->tad_flag = 0; 3937 /* free any residual audit data */ 3938 au_close(kctx, &(u_ad), 0, 0, 0); 3939 releasef(fd); 3940 return; 3941 } 3942 /* 3943 * mark things so we know what happened and don't 3944 * repeat things 3945 */ 3946 fad->fad_flags |= FAD_READ; 3947 3948 bzero((void *)so_laddr, sizeof (so_laddr)); 3949 bzero((void *)so_faddr, sizeof (so_faddr)); 3950 3951 /* get local and foreign addresses */ 3952 len = sizeof (so_laddr); 3953 (void) socket_getsockname(so, 3954 (struct sockaddr *)so_laddr, &len, CRED()); 3955 len = sizeof (so_faddr); 3956 (void) socket_getpeername(so, 3957 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3958 3959 add_sock_token = 1; 3960 } 3961 3962 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3963 3964 break; 3965 3966 case AF_UNIX: 3967 /* 3968 * first check if this is first time through. Too much 3969 * duplicate code to put this in an aui_ routine. 3970 */ 3971 3972 /* get path from file struct here */ 3973 fad = F2A(fp); 3974 ASSERT(fad); 3975 3976 /* 3977 * already processed this file for read attempt 3978 */ 3979 if (fad->fad_flags & FAD_READ) { 3980 releasef(fd); 3981 /* don't want to audit every recvmsg attempt */ 3982 tad->tad_flag = 0; 3983 /* free any residual audit data */ 3984 au_close(kctx, &(u_ad), 0, 0, 0); 3985 return; 3986 } 3987 /* 3988 * mark things so we know what happened and don't 3989 * repeat things 3990 */ 3991 fad->fad_flags |= FAD_READ; 3992 3993 if (fad->fad_aupath != NULL) { 3994 au_uwrite(au_to_path(fad->fad_aupath)); 3995 } else { 3996 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3997 } 3998 3999 audit_attributes(fp->f_vnode); 4000 4001 releasef(fd); 4002 4003 return; 4004 4005 default: 4006 break; 4007 4008 } 4009 4010 releasef(fd); 4011 4012 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4013 4014 if (add_sock_token == 0) { 4015 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4016 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4017 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4018 return; 4019 } 4020 4021 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4022 4023 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4024 4025 } 4026 4027 /*ARGSUSED*/ 4028 static void 4029 auf_recvfrom( 4030 struct t_audit_data *tad, 4031 int error, 4032 rval_t *rvp) 4033 { 4034 4035 struct a { 4036 long fd; 4037 long msg; /* char */ 4038 long len; 4039 long flags; 4040 long from; /* struct sockaddr */ 4041 long fromlen; 4042 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4043 4044 socklen_t fromlen; 4045 struct sonode *so; 4046 char so_laddr[sizeof (struct sockaddr_in6)]; 4047 char so_faddr[sizeof (struct sockaddr_in6)]; 4048 int fd; 4049 short so_family, so_type; 4050 int add_sock_token = 0; 4051 socklen_t len; 4052 int err; 4053 struct file *fp; 4054 struct f_audit_data *fad; /* unix domain sockets */ 4055 au_kcontext_t *kctx = GET_KCTX_PZ; 4056 4057 fd = (int)uap->fd; 4058 4059 /* bail if an error */ 4060 if (error) { 4061 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4062 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4063 return; 4064 } 4065 4066 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4067 /* 4068 * not security relevant if doing a recvmsg from non socket 4069 * so no extra tokens. Should probably turn off audit record 4070 * generation here. 4071 */ 4072 return; 4073 } 4074 4075 so_family = so->so_family; 4076 so_type = so->so_type; 4077 4078 /* 4079 * only putout SOCKET_EX token if INET/INET6 family. 4080 * XXX - what do we do about other families? 4081 */ 4082 4083 switch (so_family) { 4084 case AF_INET: 4085 case AF_INET6: 4086 4087 /* 4088 * if datagram type socket, then just use what is in 4089 * socket structure for local address. 4090 * XXX - what do we do for other types? 4091 */ 4092 if ((so->so_type == SOCK_DGRAM) || 4093 (so->so_type == SOCK_RAW)) { 4094 add_sock_token = 1; 4095 4096 /* get local address */ 4097 len = sizeof (so_laddr); 4098 (void) socket_getsockname(so, 4099 (struct sockaddr *)so_laddr, &len, CRED()); 4100 4101 /* get peer address */ 4102 bzero((void *)so_faddr, sizeof (so_faddr)); 4103 4104 /* sanity check */ 4105 if (uap->from == NULL) 4106 break; 4107 4108 /* sanity checks */ 4109 if (uap->fromlen == 0) 4110 break; 4111 4112 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4113 sizeof (fromlen)) != 0) 4114 break; 4115 4116 if (fromlen == 0) 4117 break; 4118 4119 /* enforce maximum size */ 4120 if (fromlen > sizeof (so_faddr)) 4121 fromlen = sizeof (so_faddr); 4122 4123 if (copyin((caddr_t)(uap->from), so_faddr, 4124 fromlen) != 0) 4125 break; 4126 4127 } else if (so->so_type == SOCK_STREAM) { 4128 4129 /* get path from file struct here */ 4130 fad = F2A(fp); 4131 ASSERT(fad); 4132 4133 /* 4134 * already processed this file for read attempt 4135 */ 4136 if (fad->fad_flags & FAD_READ) { 4137 /* don't want to audit every recvfrom attempt */ 4138 tad->tad_flag = 0; 4139 /* free any residual audit data */ 4140 au_close(kctx, &(u_ad), 0, 0, 0); 4141 releasef(fd); 4142 return; 4143 } 4144 /* 4145 * mark things so we know what happened and don't 4146 * repeat things 4147 */ 4148 fad->fad_flags |= FAD_READ; 4149 4150 bzero((void *)so_laddr, sizeof (so_laddr)); 4151 bzero((void *)so_faddr, sizeof (so_faddr)); 4152 4153 /* get local and foreign addresses */ 4154 len = sizeof (so_laddr); 4155 (void) socket_getsockname(so, 4156 (struct sockaddr *)so_laddr, &len, CRED()); 4157 len = sizeof (so_faddr); 4158 (void) socket_getpeername(so, 4159 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4160 4161 add_sock_token = 1; 4162 } 4163 4164 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4165 4166 break; 4167 4168 case AF_UNIX: 4169 /* 4170 * first check if this is first time through. Too much 4171 * duplicate code to put this in an aui_ routine. 4172 */ 4173 4174 /* get path from file struct here */ 4175 fad = F2A(fp); 4176 ASSERT(fad); 4177 4178 /* 4179 * already processed this file for read attempt 4180 */ 4181 if (fad->fad_flags & FAD_READ) { 4182 /* don't want to audit every recvfrom attempt */ 4183 tad->tad_flag = 0; 4184 /* free any residual audit data */ 4185 au_close(kctx, &(u_ad), 0, 0, 0); 4186 releasef(fd); 4187 return; 4188 } 4189 /* 4190 * mark things so we know what happened and don't 4191 * repeat things 4192 */ 4193 fad->fad_flags |= FAD_READ; 4194 4195 if (fad->fad_aupath != NULL) { 4196 au_uwrite(au_to_path(fad->fad_aupath)); 4197 } else { 4198 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4199 } 4200 4201 audit_attributes(fp->f_vnode); 4202 4203 releasef(fd); 4204 4205 return; 4206 4207 default: 4208 break; 4209 4210 } 4211 4212 releasef(fd); 4213 4214 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4215 4216 if (add_sock_token == 0) { 4217 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4218 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4219 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4220 return; 4221 } 4222 4223 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4224 4225 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4226 } 4227 4228 /*ARGSUSED*/ 4229 static void 4230 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4231 { 4232 struct a { 4233 long fd; 4234 long msg; /* struct msghdr */ 4235 long flags; 4236 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4237 4238 struct sonode *so; 4239 char so_laddr[sizeof (struct sockaddr_in6)]; 4240 char so_faddr[sizeof (struct sockaddr_in6)]; 4241 int err; 4242 int fd; 4243 short so_family, so_type; 4244 int add_sock_token = 0; 4245 socklen_t len; 4246 struct file *fp; 4247 struct f_audit_data *fad; 4248 caddr_t msg_name; 4249 socklen_t msg_namelen; 4250 STRUCT_DECL(msghdr, msg); 4251 au_kcontext_t *kctx = GET_KCTX_PZ; 4252 4253 fd = (int)uap->fd; 4254 4255 /* bail if an error */ 4256 if (error) { 4257 /* XXX include destination address from system call arguments */ 4258 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4259 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4260 return; 4261 } 4262 4263 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4264 /* 4265 * not security relevant if doing a sendmsg from non socket 4266 * so no extra tokens. Should probably turn off audit record 4267 * generation here. 4268 */ 4269 return; 4270 } 4271 4272 so_family = so->so_family; 4273 so_type = so->so_type; 4274 4275 switch (so_family) { 4276 case AF_INET: 4277 case AF_INET6: 4278 /* 4279 * if datagram type socket, then just use what is in 4280 * socket structure for local address. 4281 * XXX - what do we do for other types? 4282 */ 4283 if ((so->so_type == SOCK_DGRAM) || 4284 (so->so_type == SOCK_RAW)) { 4285 4286 bzero((void *)so_laddr, sizeof (so_laddr)); 4287 bzero((void *)so_faddr, sizeof (so_faddr)); 4288 4289 /* get local address */ 4290 len = sizeof (so_laddr); 4291 (void) socket_getsockname(so, 4292 (struct sockaddr *)so_laddr, &len, CRED()); 4293 4294 /* get peer address */ 4295 STRUCT_INIT(msg, get_udatamodel()); 4296 4297 if (copyin((caddr_t)(uap->msg), 4298 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4299 break; 4300 } 4301 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4302 if (msg_name == NULL) 4303 break; 4304 4305 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4306 /* length is value from recvmsg - sanity check */ 4307 if (msg_namelen == 0) 4308 break; 4309 4310 if (copyin(msg_name, so_faddr, 4311 sizeof (so_faddr)) != 0) 4312 break; 4313 4314 add_sock_token = 1; 4315 4316 } else if (so->so_type == SOCK_STREAM) { 4317 4318 /* get path from file struct here */ 4319 fad = F2A(fp); 4320 ASSERT(fad); 4321 4322 /* 4323 * already processed this file for write attempt 4324 */ 4325 if (fad->fad_flags & FAD_WRITE) { 4326 releasef(fd); 4327 /* don't want to audit every sendmsg attempt */ 4328 tad->tad_flag = 0; 4329 /* free any residual audit data */ 4330 au_close(kctx, &(u_ad), 0, 0, 0); 4331 return; 4332 } 4333 4334 /* 4335 * mark things so we know what happened and don't 4336 * repeat things 4337 */ 4338 fad->fad_flags |= FAD_WRITE; 4339 4340 bzero((void *)so_laddr, sizeof (so_laddr)); 4341 bzero((void *)so_faddr, sizeof (so_faddr)); 4342 4343 /* get local and foreign addresses */ 4344 len = sizeof (so_laddr); 4345 (void) socket_getsockname(so, 4346 (struct sockaddr *)so_laddr, &len, CRED()); 4347 len = sizeof (so_faddr); 4348 (void) socket_getpeername(so, 4349 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4350 4351 add_sock_token = 1; 4352 } 4353 4354 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4355 4356 break; 4357 4358 case AF_UNIX: 4359 /* 4360 * first check if this is first time through. Too much 4361 * duplicate code to put this in an aui_ routine. 4362 */ 4363 4364 /* get path from file struct here */ 4365 fad = F2A(fp); 4366 ASSERT(fad); 4367 4368 /* 4369 * already processed this file for write attempt 4370 */ 4371 if (fad->fad_flags & FAD_WRITE) { 4372 releasef(fd); 4373 /* don't want to audit every sendmsg attempt */ 4374 tad->tad_flag = 0; 4375 /* free any residual audit data */ 4376 au_close(kctx, &(u_ad), 0, 0, 0); 4377 return; 4378 } 4379 /* 4380 * mark things so we know what happened and don't 4381 * repeat things 4382 */ 4383 fad->fad_flags |= FAD_WRITE; 4384 4385 if (fad->fad_aupath != NULL) { 4386 au_uwrite(au_to_path(fad->fad_aupath)); 4387 } else { 4388 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4389 } 4390 4391 audit_attributes(fp->f_vnode); 4392 4393 releasef(fd); 4394 4395 return; 4396 4397 default: 4398 break; 4399 } 4400 4401 releasef(fd); 4402 4403 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4404 4405 if (add_sock_token == 0) { 4406 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4407 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4408 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4409 return; 4410 } 4411 4412 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4413 4414 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4415 } 4416 4417 /*ARGSUSED*/ 4418 static void 4419 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4420 { 4421 struct a { 4422 long fd; 4423 long msg; /* char */ 4424 long len; 4425 long flags; 4426 long to; /* struct sockaddr */ 4427 long tolen; 4428 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4429 4430 struct sonode *so; 4431 char so_laddr[sizeof (struct sockaddr_in6)]; 4432 char so_faddr[sizeof (struct sockaddr_in6)]; 4433 socklen_t tolen; 4434 int err; 4435 int fd; 4436 socklen_t len; 4437 short so_family, so_type; 4438 int add_sock_token = 0; 4439 struct file *fp; 4440 struct f_audit_data *fad; 4441 au_kcontext_t *kctx = GET_KCTX_PZ; 4442 4443 fd = (int)uap->fd; 4444 4445 /* bail if an error */ 4446 if (error) { 4447 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4448 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4449 /* XXX include destination address from system call arguments */ 4450 return; 4451 } 4452 4453 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4454 /* 4455 * not security relevant if doing a sendto using non socket 4456 * so no extra tokens. Should probably turn off audit record 4457 * generation here. 4458 */ 4459 return; 4460 } 4461 4462 so_family = so->so_family; 4463 so_type = so->so_type; 4464 4465 /* 4466 * only putout SOCKET_EX token if INET/INET6 family. 4467 * XXX - what do we do about other families? 4468 */ 4469 4470 switch (so_family) { 4471 case AF_INET: 4472 case AF_INET6: 4473 4474 /* 4475 * if datagram type socket, then just use what is in 4476 * socket structure for local address. 4477 * XXX - what do we do for other types? 4478 */ 4479 if ((so->so_type == SOCK_DGRAM) || 4480 (so->so_type == SOCK_RAW)) { 4481 4482 bzero((void *)so_laddr, sizeof (so_laddr)); 4483 bzero((void *)so_faddr, sizeof (so_faddr)); 4484 4485 /* get local address */ 4486 len = sizeof (so_laddr); 4487 (void) socket_getsockname(so, 4488 (struct sockaddr *)so_laddr, &len, CRED()); 4489 4490 /* get peer address */ 4491 4492 /* sanity check */ 4493 if (uap->to == NULL) 4494 break; 4495 4496 /* sanity checks */ 4497 if (uap->tolen == 0) 4498 break; 4499 4500 tolen = (socklen_t)uap->tolen; 4501 4502 /* enforce maximum size */ 4503 if (tolen > sizeof (so_faddr)) 4504 tolen = sizeof (so_faddr); 4505 4506 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4507 break; 4508 4509 add_sock_token = 1; 4510 } else { 4511 /* 4512 * check if this is first time through. 4513 */ 4514 4515 /* get path from file struct here */ 4516 fad = F2A(fp); 4517 ASSERT(fad); 4518 4519 /* 4520 * already processed this file for write attempt 4521 */ 4522 if (fad->fad_flags & FAD_WRITE) { 4523 /* don't want to audit every sendto attempt */ 4524 tad->tad_flag = 0; 4525 /* free any residual audit data */ 4526 au_close(kctx, &(u_ad), 0, 0, 0); 4527 releasef(fd); 4528 return; 4529 } 4530 /* 4531 * mark things so we know what happened and don't 4532 * repeat things 4533 */ 4534 fad->fad_flags |= FAD_WRITE; 4535 4536 bzero((void *)so_laddr, sizeof (so_laddr)); 4537 bzero((void *)so_faddr, sizeof (so_faddr)); 4538 4539 /* get local and foreign addresses */ 4540 len = sizeof (so_laddr); 4541 (void) socket_getsockname(so, 4542 (struct sockaddr *)so_laddr, &len, CRED()); 4543 len = sizeof (so_faddr); 4544 (void) socket_getpeername(so, 4545 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4546 4547 add_sock_token = 1; 4548 } 4549 4550 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4551 4552 break; 4553 4554 case AF_UNIX: 4555 /* 4556 * first check if this is first time through. Too much 4557 * duplicate code to put this in an aui_ routine. 4558 */ 4559 4560 /* get path from file struct here */ 4561 fad = F2A(fp); 4562 ASSERT(fad); 4563 4564 /* 4565 * already processed this file for write attempt 4566 */ 4567 if (fad->fad_flags & FAD_WRITE) { 4568 /* don't want to audit every sendto attempt */ 4569 tad->tad_flag = 0; 4570 /* free any residual audit data */ 4571 au_close(kctx, &(u_ad), 0, 0, 0); 4572 releasef(fd); 4573 return; 4574 } 4575 /* 4576 * mark things so we know what happened and don't 4577 * repeat things 4578 */ 4579 fad->fad_flags |= FAD_WRITE; 4580 4581 if (fad->fad_aupath != NULL) { 4582 au_uwrite(au_to_path(fad->fad_aupath)); 4583 } else { 4584 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4585 } 4586 4587 audit_attributes(fp->f_vnode); 4588 4589 releasef(fd); 4590 4591 return; 4592 4593 default: 4594 break; 4595 4596 } 4597 4598 releasef(fd); 4599 4600 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4601 4602 if (add_sock_token == 0) { 4603 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4604 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4605 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4606 return; 4607 } 4608 4609 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4610 4611 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4612 4613 } 4614 4615 /* 4616 * XXX socket(2) may be equivalent to open(2) on a unix domain 4617 * socket. This needs investigation. 4618 */ 4619 4620 /*ARGSUSED*/ 4621 static void 4622 aus_socket(struct t_audit_data *tad) 4623 { 4624 struct a { 4625 long domain; 4626 long type; 4627 long protocol; 4628 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4629 4630 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4631 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4632 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4633 } 4634 4635 /*ARGSUSED*/ 4636 static void 4637 aus_sigqueue(struct t_audit_data *tad) 4638 { 4639 struct a { 4640 long pid; 4641 long signo; 4642 long *val; 4643 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4644 struct proc *p; 4645 uid_t uid, ruid; 4646 gid_t gid, rgid; 4647 pid_t pid; 4648 const auditinfo_addr_t *ainfo; 4649 cred_t *cr; 4650 4651 pid = (pid_t)uap->pid; 4652 4653 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4654 if (pid > 0) { 4655 mutex_enter(&pidlock); 4656 if ((p = prfind(pid)) == (struct proc *)0) { 4657 mutex_exit(&pidlock); 4658 return; 4659 } 4660 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4661 mutex_exit(&pidlock); 4662 4663 mutex_enter(&p->p_crlock); 4664 crhold(cr = p->p_cred); 4665 mutex_exit(&p->p_crlock); 4666 mutex_exit(&p->p_lock); 4667 4668 ainfo = crgetauinfo(cr); 4669 if (ainfo == NULL) { 4670 crfree(cr); 4671 return; 4672 } 4673 4674 uid = crgetuid(cr); 4675 gid = crgetgid(cr); 4676 ruid = crgetruid(cr); 4677 rgid = crgetrgid(cr); 4678 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4679 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4680 crfree(cr); 4681 } 4682 else 4683 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4684 } 4685 4686 /*ARGSUSED*/ 4687 static void 4688 aus_inst_sync(struct t_audit_data *tad) 4689 { 4690 struct a { 4691 long name; /* char */ 4692 long flags; 4693 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4694 4695 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4696 } 4697 4698 /*ARGSUSED*/ 4699 static void 4700 aus_brandsys(struct t_audit_data *tad) 4701 { 4702 klwp_t *clwp = ttolwp(curthread); 4703 4704 struct a { 4705 long cmd; 4706 long arg1; 4707 long arg2; 4708 long arg3; 4709 long arg4; 4710 long arg5; 4711 long arg6; 4712 } *uap = (struct a *)clwp->lwp_ap; 4713 4714 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4715 #ifdef _LP64 4716 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4717 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4718 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4719 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4720 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4721 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4722 #else 4723 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4724 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4725 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4726 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4727 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4728 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4729 #endif 4730 } 4731 4732 /*ARGSUSED*/ 4733 static void 4734 aus_p_online(struct t_audit_data *tad) 4735 { 4736 struct a { 4737 long processor_id; 4738 long flag; 4739 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4740 4741 struct flags { 4742 int flag; 4743 char *cflag; 4744 } aflags[6] = { 4745 { P_ONLINE, "P_ONLINE"}, 4746 { P_OFFLINE, "P_OFFLINE"}, 4747 { P_NOINTR, "P_NOINTR"}, 4748 { P_SPARE, "P_SPARE"}, 4749 { P_FAULTED, "P_FAULTED"}, 4750 { P_STATUS, "P_STATUS"} 4751 }; 4752 int i; 4753 char *cflag; 4754 4755 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4756 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4757 4758 for (i = 0; i < 6; i++) { 4759 if (aflags[i].flag == uap->flag) 4760 break; 4761 } 4762 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4763 4764 au_uwrite(au_to_text(cflag)); 4765 } 4766 4767 /*ARGSUSED*/ 4768 static void 4769 aus_processor_bind(struct t_audit_data *tad) 4770 { 4771 struct a { 4772 long id_type; 4773 long id; 4774 long processor_id; 4775 long obind; 4776 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4777 4778 struct proc *p; 4779 int lwpcnt; 4780 uid_t uid, ruid; 4781 gid_t gid, rgid; 4782 pid_t pid; 4783 const auditinfo_addr_t *ainfo; 4784 cred_t *cr; 4785 4786 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4787 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4788 if (uap->processor_id == PBIND_NONE) 4789 au_uwrite(au_to_text("PBIND_NONE")); 4790 else 4791 au_uwrite(au_to_arg32(3, "processor_id", 4792 (uint32_t)uap->processor_id)); 4793 4794 switch (uap->id_type) { 4795 case P_MYID: 4796 case P_LWPID: 4797 mutex_enter(&pidlock); 4798 p = ttoproc(curthread); 4799 if (p == NULL || p->p_as == &kas) { 4800 mutex_exit(&pidlock); 4801 return; 4802 } 4803 mutex_enter(&p->p_lock); 4804 mutex_exit(&pidlock); 4805 lwpcnt = p->p_lwpcnt; 4806 pid = p->p_pid; 4807 4808 mutex_enter(&p->p_crlock); 4809 crhold(cr = p->p_cred); 4810 mutex_exit(&p->p_crlock); 4811 mutex_exit(&p->p_lock); 4812 4813 ainfo = crgetauinfo(cr); 4814 if (ainfo == NULL) { 4815 crfree(cr); 4816 return; 4817 } 4818 4819 uid = crgetuid(cr); 4820 gid = crgetgid(cr); 4821 ruid = crgetruid(cr); 4822 rgid = crgetrgid(cr); 4823 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4824 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4825 crfree(cr); 4826 break; 4827 case P_PID: 4828 mutex_enter(&pidlock); 4829 p = prfind(uap->id); 4830 if (p == NULL || p->p_as == &kas) { 4831 mutex_exit(&pidlock); 4832 return; 4833 } 4834 mutex_enter(&p->p_lock); 4835 mutex_exit(&pidlock); 4836 lwpcnt = p->p_lwpcnt; 4837 pid = p->p_pid; 4838 4839 mutex_enter(&p->p_crlock); 4840 crhold(cr = p->p_cred); 4841 mutex_exit(&p->p_crlock); 4842 mutex_exit(&p->p_lock); 4843 4844 ainfo = crgetauinfo(cr); 4845 if (ainfo == NULL) { 4846 crfree(cr); 4847 return; 4848 } 4849 4850 uid = crgetuid(cr); 4851 gid = crgetgid(cr); 4852 ruid = crgetruid(cr); 4853 rgid = crgetrgid(cr); 4854 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4855 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4856 crfree(cr); 4857 4858 break; 4859 default: 4860 return; 4861 } 4862 4863 if (uap->processor_id == PBIND_NONE && 4864 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4865 au_uwrite(au_to_text("PBIND_NONE for process")); 4866 else 4867 au_uwrite(au_to_arg32(3, "processor_id", 4868 (uint32_t)uap->processor_id)); 4869 } 4870 4871 /*ARGSUSED*/ 4872 static au_event_t 4873 aui_doorfs(au_event_t e) 4874 { 4875 uint32_t code; 4876 4877 struct a { /* doorfs */ 4878 long a1; 4879 long a2; 4880 long a3; 4881 long a4; 4882 long a5; 4883 long code; 4884 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4885 4886 /* 4887 * audit formats for several of the 4888 * door calls have not yet been determined 4889 */ 4890 code = (uint32_t)uap->code; 4891 switch (code) { 4892 case DOOR_CALL: 4893 e = AUE_DOORFS_DOOR_CALL; 4894 break; 4895 case DOOR_RETURN: 4896 e = AUE_NULL; 4897 break; 4898 case DOOR_CREATE: 4899 e = AUE_DOORFS_DOOR_CREATE; 4900 break; 4901 case DOOR_REVOKE: 4902 e = AUE_DOORFS_DOOR_REVOKE; 4903 break; 4904 case DOOR_INFO: 4905 e = AUE_NULL; 4906 break; 4907 case DOOR_UCRED: 4908 e = AUE_NULL; 4909 break; 4910 case DOOR_BIND: 4911 e = AUE_NULL; 4912 break; 4913 case DOOR_UNBIND: 4914 e = AUE_NULL; 4915 break; 4916 case DOOR_GETPARAM: 4917 e = AUE_NULL; 4918 break; 4919 case DOOR_SETPARAM: 4920 e = AUE_NULL; 4921 break; 4922 default: /* illegal system call */ 4923 e = AUE_NULL; 4924 break; 4925 } 4926 4927 return (e); 4928 } 4929 4930 static door_node_t * 4931 au_door_lookup(int did) 4932 { 4933 vnode_t *vp; 4934 file_t *fp; 4935 4936 if ((fp = getf(did)) == NULL) 4937 return (NULL); 4938 /* 4939 * Use the underlying vnode (we may be namefs mounted) 4940 */ 4941 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 4942 vp = fp->f_vnode; 4943 4944 if (vp == NULL || vp->v_type != VDOOR) { 4945 releasef(did); 4946 return (NULL); 4947 } 4948 4949 return (VTOD(vp)); 4950 } 4951 4952 /*ARGSUSED*/ 4953 static void 4954 aus_doorfs(struct t_audit_data *tad) 4955 { 4956 4957 struct a { /* doorfs */ 4958 long a1; 4959 long a2; 4960 long a3; 4961 long a4; 4962 long a5; 4963 long code; 4964 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4965 4966 door_node_t *dp; 4967 struct proc *p; 4968 uint32_t did; 4969 uid_t uid, ruid; 4970 gid_t gid, rgid; 4971 pid_t pid; 4972 const auditinfo_addr_t *ainfo; 4973 cred_t *cr; 4974 4975 did = (uint32_t)uap->a1; 4976 4977 switch (tad->tad_event) { 4978 case AUE_DOORFS_DOOR_CALL: 4979 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4980 if ((dp = au_door_lookup(did)) == NULL) 4981 break; 4982 4983 if (DOOR_INVALID(dp)) { 4984 releasef(did); 4985 break; 4986 } 4987 4988 if ((p = dp->door_target) == NULL) { 4989 releasef(did); 4990 break; 4991 } 4992 mutex_enter(&p->p_lock); 4993 releasef(did); 4994 4995 pid = p->p_pid; 4996 4997 mutex_enter(&p->p_crlock); 4998 crhold(cr = p->p_cred); 4999 mutex_exit(&p->p_crlock); 5000 mutex_exit(&p->p_lock); 5001 5002 ainfo = crgetauinfo(cr); 5003 if (ainfo == NULL) { 5004 crfree(cr); 5005 return; 5006 } 5007 uid = crgetuid(cr); 5008 gid = crgetgid(cr); 5009 ruid = crgetruid(cr); 5010 rgid = crgetrgid(cr); 5011 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5012 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5013 crfree(cr); 5014 break; 5015 case AUE_DOORFS_DOOR_RETURN: 5016 /* 5017 * We may want to write information about 5018 * all doors (if any) which will be copied 5019 * by this call to the user space 5020 */ 5021 break; 5022 case AUE_DOORFS_DOOR_CREATE: 5023 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5024 break; 5025 case AUE_DOORFS_DOOR_REVOKE: 5026 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5027 break; 5028 case AUE_DOORFS_DOOR_INFO: 5029 break; 5030 case AUE_DOORFS_DOOR_CRED: 5031 break; 5032 case AUE_DOORFS_DOOR_BIND: 5033 break; 5034 case AUE_DOORFS_DOOR_UNBIND: { 5035 break; 5036 } 5037 default: /* illegal system call */ 5038 break; 5039 } 5040 } 5041 5042 /*ARGSUSED*/ 5043 static au_event_t 5044 aui_acl(au_event_t e) 5045 { 5046 struct a { 5047 union { 5048 long name; /* char */ 5049 long fd; 5050 } obj; 5051 5052 long cmd; 5053 long nentries; 5054 long arg; /* aclent_t */ 5055 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5056 5057 switch (uap->cmd) { 5058 case SETACL: 5059 case ACE_SETACL: 5060 /* 5061 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5062 * are expected. 5063 */ 5064 break; 5065 case GETACL: 5066 case GETACLCNT: 5067 case ACE_GETACLCNT: 5068 /* do nothing for these two values. */ 5069 e = AUE_NULL; 5070 break; 5071 default: 5072 /* illegal system call */ 5073 break; 5074 } 5075 5076 return (e); 5077 } 5078 5079 static void 5080 au_acl(int cmd, int nentries, caddr_t bufp) 5081 { 5082 size_t a_size; 5083 aclent_t *aclbufp; 5084 ace_t *acebufp; 5085 int i; 5086 5087 switch (cmd) { 5088 case GETACL: 5089 case GETACLCNT: 5090 break; 5091 case SETACL: 5092 if (nentries < 3) 5093 break; 5094 5095 a_size = nentries * sizeof (aclent_t); 5096 5097 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5098 break; 5099 if (copyin(bufp, aclbufp, a_size)) { 5100 kmem_free(aclbufp, a_size); 5101 break; 5102 } 5103 for (i = 0; i < nentries; i++) { 5104 au_uwrite(au_to_acl(aclbufp + i)); 5105 } 5106 kmem_free(aclbufp, a_size); 5107 break; 5108 5109 case ACE_SETACL: 5110 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5111 break; 5112 5113 a_size = nentries * sizeof (ace_t); 5114 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5115 break; 5116 if (copyin(bufp, acebufp, a_size)) { 5117 kmem_free(acebufp, a_size); 5118 break; 5119 } 5120 for (i = 0; i < nentries; i++) { 5121 au_uwrite(au_to_ace(acebufp + i)); 5122 } 5123 kmem_free(acebufp, a_size); 5124 break; 5125 default: 5126 break; 5127 } 5128 } 5129 5130 /*ARGSUSED*/ 5131 static void 5132 aus_acl(struct t_audit_data *tad) 5133 { 5134 struct a { 5135 long fname; 5136 long cmd; 5137 long nentries; 5138 long aclbufp; 5139 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5140 5141 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5142 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5143 5144 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5145 } 5146 5147 /*ARGSUSED*/ 5148 static void 5149 aus_facl(struct t_audit_data *tad) 5150 { 5151 struct a { 5152 long fd; 5153 long cmd; 5154 long nentries; 5155 long aclbufp; 5156 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5157 struct file *fp; 5158 struct vnode *vp; 5159 struct f_audit_data *fad; 5160 int fd; 5161 5162 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5163 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5164 5165 fd = (int)uap->fd; 5166 5167 if ((fp = getf(fd)) == NULL) 5168 return; 5169 5170 /* get path from file struct here */ 5171 fad = F2A(fp); 5172 if (fad->fad_aupath != NULL) { 5173 au_uwrite(au_to_path(fad->fad_aupath)); 5174 } else { 5175 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5176 } 5177 5178 vp = fp->f_vnode; 5179 audit_attributes(vp); 5180 5181 /* decrement file descriptor reference count */ 5182 releasef(fd); 5183 5184 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5185 } 5186 5187 /*ARGSUSED*/ 5188 static void 5189 auf_read(tad, error, rval) 5190 struct t_audit_data *tad; 5191 int error; 5192 rval_t *rval; 5193 { 5194 struct file *fp; 5195 struct f_audit_data *fad; 5196 int fd; 5197 register struct a { 5198 long fd; 5199 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5200 au_kcontext_t *kctx = GET_KCTX_PZ; 5201 5202 fd = (int)uap->fd; 5203 5204 /* 5205 * convert file pointer to file descriptor 5206 * Note: fd ref count incremented here. 5207 */ 5208 if ((fp = getf(fd)) == NULL) 5209 return; 5210 5211 /* get path from file struct here */ 5212 fad = F2A(fp); 5213 ASSERT(fad); 5214 5215 /* 5216 * already processed this file for read attempt 5217 * 5218 * XXX might be better to turn off auditing in a aui_read() routine. 5219 */ 5220 if (fad->fad_flags & FAD_READ) { 5221 /* don't really want to audit every read attempt */ 5222 tad->tad_flag = 0; 5223 /* free any residual audit data */ 5224 au_close(kctx, &(u_ad), 0, 0, 0); 5225 releasef(fd); 5226 return; 5227 } 5228 /* mark things so we know what happened and don't repeat things */ 5229 fad->fad_flags |= FAD_READ; 5230 5231 if (fad->fad_aupath != NULL) { 5232 au_uwrite(au_to_path(fad->fad_aupath)); 5233 } else { 5234 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5235 } 5236 5237 /* include attributes */ 5238 audit_attributes(fp->f_vnode); 5239 5240 /* decrement file descriptor reference count */ 5241 releasef(fd); 5242 } 5243 5244 /*ARGSUSED*/ 5245 static void 5246 auf_write(tad, error, rval) 5247 struct t_audit_data *tad; 5248 int error; 5249 rval_t *rval; 5250 { 5251 struct file *fp; 5252 struct f_audit_data *fad; 5253 int fd; 5254 register struct a { 5255 long fd; 5256 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5257 au_kcontext_t *kctx = GET_KCTX_PZ; 5258 5259 fd = (int)uap->fd; 5260 5261 /* 5262 * convert file pointer to file descriptor 5263 * Note: fd ref count incremented here. 5264 */ 5265 if ((fp = getf(fd)) == NULL) 5266 return; 5267 5268 /* get path from file struct here */ 5269 fad = F2A(fp); 5270 ASSERT(fad); 5271 5272 /* 5273 * already processed this file for write attempt 5274 * 5275 * XXX might be better to turn off auditing in a aus_write() routine. 5276 */ 5277 if (fad->fad_flags & FAD_WRITE) { 5278 /* don't really want to audit every write attempt */ 5279 tad->tad_flag = 0; 5280 /* free any residual audit data */ 5281 au_close(kctx, &(u_ad), 0, 0, 0); 5282 releasef(fd); 5283 return; 5284 } 5285 /* mark things so we know what happened and don't repeat things */ 5286 fad->fad_flags |= FAD_WRITE; 5287 5288 if (fad->fad_aupath != NULL) { 5289 au_uwrite(au_to_path(fad->fad_aupath)); 5290 } else { 5291 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5292 } 5293 5294 /* include attributes */ 5295 audit_attributes(fp->f_vnode); 5296 5297 /* decrement file descriptor reference count */ 5298 releasef(fd); 5299 } 5300 5301 /*ARGSUSED*/ 5302 static void 5303 auf_recv(tad, error, rval) 5304 struct t_audit_data *tad; 5305 int error; 5306 rval_t *rval; 5307 { 5308 struct sonode *so; 5309 char so_laddr[sizeof (struct sockaddr_in6)]; 5310 char so_faddr[sizeof (struct sockaddr_in6)]; 5311 struct file *fp; 5312 struct f_audit_data *fad; 5313 int fd; 5314 int err; 5315 socklen_t len; 5316 short so_family, so_type; 5317 register struct a { 5318 long fd; 5319 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5320 au_kcontext_t *kctx = GET_KCTX_PZ; 5321 5322 /* 5323 * If there was an error, then nothing to do. Only generate 5324 * audit record on first successful recv. 5325 */ 5326 if (error) { 5327 /* Turn off audit record generation here. */ 5328 tad->tad_flag = 0; 5329 /* free any residual audit data */ 5330 au_close(kctx, &(u_ad), 0, 0, 0); 5331 return; 5332 } 5333 5334 fd = (int)uap->fd; 5335 5336 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5337 /* Turn off audit record generation here. */ 5338 tad->tad_flag = 0; 5339 /* free any residual audit data */ 5340 au_close(kctx, &(u_ad), 0, 0, 0); 5341 return; 5342 } 5343 5344 /* get path from file struct here */ 5345 fad = F2A(fp); 5346 ASSERT(fad); 5347 5348 /* 5349 * already processed this file for read attempt 5350 */ 5351 if (fad->fad_flags & FAD_READ) { 5352 releasef(fd); 5353 /* don't really want to audit every recv call */ 5354 tad->tad_flag = 0; 5355 /* free any residual audit data */ 5356 au_close(kctx, &(u_ad), 0, 0, 0); 5357 return; 5358 } 5359 5360 /* mark things so we know what happened and don't repeat things */ 5361 fad->fad_flags |= FAD_READ; 5362 5363 so_family = so->so_family; 5364 so_type = so->so_type; 5365 5366 switch (so_family) { 5367 case AF_INET: 5368 case AF_INET6: 5369 /* 5370 * Only for connections. 5371 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5372 */ 5373 if (so->so_state & SS_ISBOUND) { 5374 5375 bzero((void *)so_laddr, sizeof (so_laddr)); 5376 bzero((void *)so_faddr, sizeof (so_faddr)); 5377 5378 /* get local and foreign addresses */ 5379 len = sizeof (so_laddr); 5380 (void) socket_getsockname(so, 5381 (struct sockaddr *)so_laddr, &len, CRED()); 5382 len = sizeof (so_faddr); 5383 (void) socket_getpeername(so, 5384 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5385 5386 /* 5387 * only way to drop out of switch. Note that we 5388 * we release fd below. 5389 */ 5390 5391 break; 5392 } 5393 5394 releasef(fd); 5395 5396 /* don't really want to audit every recv call */ 5397 tad->tad_flag = 0; 5398 /* free any residual audit data */ 5399 au_close(kctx, &(u_ad), 0, 0, 0); 5400 5401 return; 5402 5403 case AF_UNIX: 5404 5405 if (fad->fad_aupath != NULL) { 5406 au_uwrite(au_to_path(fad->fad_aupath)); 5407 } else { 5408 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5409 } 5410 5411 audit_attributes(fp->f_vnode); 5412 5413 releasef(fd); 5414 5415 return; 5416 5417 default: 5418 releasef(fd); 5419 5420 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5421 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5422 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5423 5424 return; 5425 } 5426 5427 releasef(fd); 5428 5429 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5430 5431 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5432 5433 } 5434 5435 /*ARGSUSED*/ 5436 static void 5437 auf_send(tad, error, rval) 5438 struct t_audit_data *tad; 5439 int error; 5440 rval_t *rval; 5441 { 5442 struct sonode *so; 5443 char so_laddr[sizeof (struct sockaddr_in6)]; 5444 char so_faddr[sizeof (struct sockaddr_in6)]; 5445 struct file *fp; 5446 struct f_audit_data *fad; 5447 int fd; 5448 int err; 5449 socklen_t len; 5450 short so_family, so_type; 5451 register struct a { 5452 long fd; 5453 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5454 au_kcontext_t *kctx = GET_KCTX_PZ; 5455 5456 fd = (int)uap->fd; 5457 5458 /* 5459 * If there was an error, then nothing to do. Only generate 5460 * audit record on first successful send. 5461 */ 5462 if (error != 0) { 5463 /* Turn off audit record generation here. */ 5464 tad->tad_flag = 0; 5465 /* free any residual audit data */ 5466 au_close(kctx, &(u_ad), 0, 0, 0); 5467 return; 5468 } 5469 5470 fd = (int)uap->fd; 5471 5472 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5473 /* Turn off audit record generation here. */ 5474 tad->tad_flag = 0; 5475 /* free any residual audit data */ 5476 au_close(kctx, &(u_ad), 0, 0, 0); 5477 return; 5478 } 5479 5480 /* get path from file struct here */ 5481 fad = F2A(fp); 5482 ASSERT(fad); 5483 5484 /* 5485 * already processed this file for write attempt 5486 */ 5487 if (fad->fad_flags & FAD_WRITE) { 5488 releasef(fd); 5489 /* don't really want to audit every send call */ 5490 tad->tad_flag = 0; 5491 /* free any residual audit data */ 5492 au_close(kctx, &(u_ad), 0, 0, 0); 5493 return; 5494 } 5495 5496 /* mark things so we know what happened and don't repeat things */ 5497 fad->fad_flags |= FAD_WRITE; 5498 5499 so_family = so->so_family; 5500 so_type = so->so_type; 5501 5502 switch (so_family) { 5503 case AF_INET: 5504 case AF_INET6: 5505 /* 5506 * Only for connections. 5507 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5508 */ 5509 if (so->so_state & SS_ISBOUND) { 5510 5511 bzero((void *)so_laddr, sizeof (so_laddr)); 5512 bzero((void *)so_faddr, sizeof (so_faddr)); 5513 5514 /* get local and foreign addresses */ 5515 len = sizeof (so_laddr); 5516 (void) socket_getsockname(so, 5517 (struct sockaddr *)so_laddr, &len, CRED()); 5518 len = sizeof (so_faddr); 5519 (void) socket_getpeername(so, 5520 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5521 5522 /* 5523 * only way to drop out of switch. Note that we 5524 * we release fd below. 5525 */ 5526 5527 break; 5528 } 5529 5530 releasef(fd); 5531 /* don't really want to audit every send call */ 5532 tad->tad_flag = 0; 5533 /* free any residual audit data */ 5534 au_close(kctx, &(u_ad), 0, 0, 0); 5535 5536 return; 5537 5538 case AF_UNIX: 5539 5540 if (fad->fad_aupath != NULL) { 5541 au_uwrite(au_to_path(fad->fad_aupath)); 5542 } else { 5543 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5544 } 5545 5546 audit_attributes(fp->f_vnode); 5547 5548 releasef(fd); 5549 5550 return; 5551 5552 default: 5553 releasef(fd); 5554 5555 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5556 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5557 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5558 5559 return; 5560 } 5561 5562 releasef(fd); 5563 5564 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5565 5566 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5567 } 5568 5569 static au_event_t 5570 aui_forksys(au_event_t e) 5571 { 5572 struct a { 5573 long subcode; 5574 long flags; 5575 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5576 5577 switch ((uint_t)uap->subcode) { 5578 case 0: 5579 e = AUE_FORK1; 5580 break; 5581 case 1: 5582 e = AUE_FORKALL; 5583 break; 5584 case 2: 5585 e = AUE_VFORK; 5586 break; 5587 default: 5588 e = AUE_NULL; 5589 break; 5590 } 5591 5592 return (e); 5593 } 5594 5595 /*ARGSUSED*/ 5596 static au_event_t 5597 aui_portfs(au_event_t e) 5598 { 5599 struct a { /* portfs */ 5600 long a1; 5601 long a2; 5602 long a3; 5603 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5604 5605 /* 5606 * check opcode 5607 */ 5608 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5609 case PORT_ASSOCIATE: 5610 case PORT_DISSOCIATE: 5611 /* 5612 * check source 5613 */ 5614 if ((uint_t)uap->a3 == PORT_SOURCE_FILE) { 5615 e = AUE_PORTFS; 5616 } else { 5617 e = AUE_NULL; 5618 } 5619 break; 5620 default: 5621 e = AUE_NULL; 5622 } 5623 return (e); 5624 } 5625