1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* 28 * This file contains the audit event table used to control the production 29 * of audit records for each system call. 30 */ 31 32 #include <sys/policy.h> 33 #include <sys/cred.h> 34 #include <sys/types.h> 35 #include <sys/systm.h> 36 #include <sys/systeminfo.h> /* for sysinfo auditing */ 37 #include <sys/utsname.h> /* for sysinfo auditing */ 38 #include <sys/proc.h> 39 #include <sys/vnode.h> 40 #include <sys/mman.h> /* for mmap(2) auditing etc. */ 41 #include <sys/fcntl.h> 42 #include <sys/modctl.h> /* for modctl auditing */ 43 #include <sys/vnode.h> 44 #include <sys/user.h> 45 #include <sys/types.h> 46 #include <sys/processor.h> 47 #include <sys/procset.h> 48 #include <sys/acl.h> 49 #include <sys/ipc.h> 50 #include <sys/door.h> 51 #include <sys/sem.h> 52 #include <sys/msg.h> 53 #include <sys/shm.h> 54 #include <sys/kmem.h> 55 #include <sys/file.h> /* for accept */ 56 #include <sys/utssys.h> /* for fuser */ 57 #include <sys/tsol/label.h> 58 #include <sys/tsol/tndb.h> 59 #include <sys/tsol/tsyscall.h> 60 #include <c2/audit.h> 61 #include <c2/audit_kernel.h> 62 #include <c2/audit_kevents.h> 63 #include <c2/audit_record.h> 64 #include <sys/procset.h> 65 #include <nfs/mount.h> 66 #include <sys/param.h> 67 #include <sys/debug.h> 68 #include <sys/sysmacros.h> 69 #include <sys/stream.h> 70 #include <sys/strsubr.h> 71 #include <sys/stropts.h> 72 #include <sys/tihdr.h> 73 #include <sys/socket.h> 74 #include <sys/socketvar.h> 75 #include <sys/vfs_opreg.h> 76 #include <fs/sockfs/sockcommon.h> 77 #include <netinet/in.h> 78 #include <sys/ddi.h> 79 #include <sys/port_impl.h> 80 81 82 char _depends_on[] = "fs/sockfs"; 83 84 static au_event_t aui_open(au_event_t); 85 static au_event_t aui_fsat(au_event_t); 86 static au_event_t aui_msgsys(au_event_t); 87 static au_event_t aui_shmsys(au_event_t); 88 static au_event_t aui_semsys(au_event_t); 89 static au_event_t aui_utssys(au_event_t); 90 static au_event_t aui_fcntl(au_event_t); 91 static au_event_t aui_execv(au_event_t); 92 static au_event_t aui_execve(au_event_t); 93 static au_event_t aui_memcntl(au_event_t); 94 static au_event_t aui_sysinfo(au_event_t); 95 static au_event_t aui_portfs(au_event_t); 96 static au_event_t aui_auditsys(au_event_t); 97 static au_event_t aui_modctl(au_event_t); 98 static au_event_t aui_acl(au_event_t); 99 static au_event_t aui_doorfs(au_event_t); 100 static au_event_t aui_privsys(au_event_t); 101 static au_event_t aui_forksys(au_event_t); 102 static au_event_t aui_labelsys(au_event_t); 103 104 static void aus_open(struct t_audit_data *); 105 static void aus_acl(struct t_audit_data *); 106 static void aus_acct(struct t_audit_data *); 107 static void aus_chown(struct t_audit_data *); 108 static void aus_fchown(struct t_audit_data *); 109 static void aus_lchown(struct t_audit_data *); 110 static void aus_chmod(struct t_audit_data *); 111 static void aus_facl(struct t_audit_data *); 112 static void aus_fchmod(struct t_audit_data *); 113 static void aus_fcntl(struct t_audit_data *); 114 static void aus_fsat(struct t_audit_data *); 115 static void aus_mkdir(struct t_audit_data *); 116 static void aus_mknod(struct t_audit_data *); 117 static void aus_mount(struct t_audit_data *); 118 static void aus_umount(struct t_audit_data *); 119 static void aus_umount2(struct t_audit_data *); 120 static void aus_msgsys(struct t_audit_data *); 121 static void aus_semsys(struct t_audit_data *); 122 static void aus_close(struct t_audit_data *); 123 static void aus_fstatfs(struct t_audit_data *); 124 static void aus_setgid(struct t_audit_data *); 125 static void aus_setuid(struct t_audit_data *); 126 static void aus_shmsys(struct t_audit_data *); 127 static void aus_doorfs(struct t_audit_data *); 128 static void aus_ioctl(struct t_audit_data *); 129 static void aus_memcntl(struct t_audit_data *); 130 static void aus_mmap(struct t_audit_data *); 131 static void aus_munmap(struct t_audit_data *); 132 static void aus_priocntlsys(struct t_audit_data *); 133 static void aus_setegid(struct t_audit_data *); 134 static void aus_setgroups(struct t_audit_data *); 135 static void aus_seteuid(struct t_audit_data *); 136 static void aus_putmsg(struct t_audit_data *); 137 static void aus_putpmsg(struct t_audit_data *); 138 static void aus_getmsg(struct t_audit_data *); 139 static void aus_getpmsg(struct t_audit_data *); 140 static void aus_auditsys(struct t_audit_data *); 141 static void aus_sysinfo(struct t_audit_data *); 142 static void aus_modctl(struct t_audit_data *); 143 static void aus_kill(struct t_audit_data *); 144 static void aus_xmknod(struct t_audit_data *); 145 static void aus_setregid(struct t_audit_data *); 146 static void aus_setreuid(struct t_audit_data *); 147 static void aus_labelsys(struct t_audit_data *); 148 149 static void auf_mknod(struct t_audit_data *, int, rval_t *); 150 static void auf_msgsys(struct t_audit_data *, int, rval_t *); 151 static void auf_semsys(struct t_audit_data *, int, rval_t *); 152 static void auf_shmsys(struct t_audit_data *, int, rval_t *); 153 static void auf_xmknod(struct t_audit_data *, int, rval_t *); 154 static void auf_read(struct t_audit_data *, int, rval_t *); 155 static void auf_write(struct t_audit_data *, int, rval_t *); 156 157 static void aus_sigqueue(struct t_audit_data *); 158 static void aus_p_online(struct t_audit_data *); 159 static void aus_processor_bind(struct t_audit_data *); 160 static void aus_inst_sync(struct t_audit_data *); 161 static void aus_brandsys(struct t_audit_data *); 162 163 static void auf_accept(struct t_audit_data *, int, rval_t *); 164 165 static void auf_bind(struct t_audit_data *, int, rval_t *); 166 static void auf_connect(struct t_audit_data *, int, rval_t *); 167 static void aus_shutdown(struct t_audit_data *); 168 static void auf_setsockopt(struct t_audit_data *, int, rval_t *); 169 static void aus_sockconfig(struct t_audit_data *); 170 static void auf_recv(struct t_audit_data *, int, rval_t *); 171 static void auf_recvmsg(struct t_audit_data *, int, rval_t *); 172 static void auf_send(struct t_audit_data *, int, rval_t *); 173 static void auf_sendmsg(struct t_audit_data *, int, rval_t *); 174 static void auf_recvfrom(struct t_audit_data *, int, rval_t *); 175 static void auf_sendto(struct t_audit_data *, int, rval_t *); 176 static void aus_socket(struct t_audit_data *); 177 /* 178 * This table contains mapping information for converting system call numbers 179 * to audit event IDs. In several cases it is necessary to map a single system 180 * call to several events. 181 */ 182 183 #define aui_null NULL /* NULL initialize function */ 184 #define aus_null NULL /* NULL start function */ 185 #define auf_null NULL /* NULL finish function */ 186 187 struct audit_s2e audit_s2e[] = 188 { 189 /* 190 * ---------- ---------- ---------- ---------- 191 * INITIAL AUDIT START SYSTEM 192 * PROCESSING EVENT PROCESSING CALL 193 * ---------- ---------- ---------- ----------- 194 * FINISH EVENT 195 * PROCESSING CONTROL 196 * ---------------------------------------------------------- 197 */ 198 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */ 199 auf_null, 0, 200 aui_null, AUE_EXIT, aus_null, /* 1 exit */ 201 auf_null, S2E_NPT, 202 aui_null, AUE_FORKALL, aus_null, /* 2 forkall */ 203 auf_null, 0, 204 aui_null, AUE_READ, aus_null, /* 3 read */ 205 auf_read, S2E_PUB, 206 aui_null, AUE_WRITE, aus_null, /* 4 write */ 207 auf_write, 0, 208 aui_open, AUE_OPEN, aus_open, /* 5 open */ 209 auf_null, S2E_SP, 210 aui_null, AUE_CLOSE, aus_close, /* 6 close */ 211 auf_null, 0, 212 aui_null, AUE_NULL, aus_null, /* 7 wait */ 213 auf_null, 0, 214 aui_null, AUE_CREAT, aus_null, /* 8 create */ 215 auf_null, S2E_SP, 216 aui_null, AUE_LINK, aus_null, /* 9 link */ 217 auf_null, 0, 218 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */ 219 auf_null, 0, 220 aui_execv, AUE_EXEC, aus_null, /* 11 exec */ 221 auf_null, S2E_MLD, 222 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */ 223 auf_null, S2E_SP, 224 aui_null, AUE_NULL, aus_null, /* 13 time */ 225 auf_null, 0, 226 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */ 227 auf_mknod, 0, 228 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */ 229 auf_null, 0, 230 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */ 231 auf_null, 0, 232 aui_null, AUE_NULL, aus_null, /* 17 brk */ 233 auf_null, 0, 234 aui_null, AUE_STAT, aus_null, /* 18 stat */ 235 auf_null, S2E_PUB, 236 aui_null, AUE_NULL, aus_null, /* 19 lseek */ 237 auf_null, 0, 238 aui_null, AUE_NULL, aus_null, /* 20 getpid */ 239 auf_null, 0, 240 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */ 241 auf_null, S2E_MLD, 242 aui_null, AUE_UMOUNT, aus_umount, /* 22 umount */ 243 auf_null, 0, 244 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */ 245 auf_null, 0, 246 aui_null, AUE_NULL, aus_null, /* 24 getuid */ 247 auf_null, 0, 248 aui_null, AUE_STIME, aus_null, /* 25 stime */ 249 auf_null, 0, 250 aui_null, AUE_NULL, aus_null, /* 26 (loadable) was ptrace */ 251 auf_null, 0, 252 aui_null, AUE_NULL, aus_null, /* 27 alarm */ 253 auf_null, 0, 254 aui_null, AUE_NULL, aus_null, /* 28 fstat */ 255 auf_null, 0, 256 aui_null, AUE_NULL, aus_null, /* 29 pause */ 257 auf_null, 0, 258 aui_null, AUE_UTIME, aus_null, /* 30 utime */ 259 auf_null, 0, 260 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */ 261 auf_null, 0, 262 aui_null, AUE_NULL, aus_null, /* 32 gtty */ 263 auf_null, 0, 264 aui_null, AUE_ACCESS, aus_null, /* 33 access */ 265 auf_null, S2E_PUB, 266 aui_null, AUE_NICE, aus_null, /* 34 nice */ 267 auf_null, 0, 268 aui_null, AUE_STATFS, aus_null, /* 35 statfs */ 269 auf_null, S2E_PUB, 270 aui_null, AUE_NULL, aus_null, /* 36 sync */ 271 auf_null, 0, 272 aui_null, AUE_KILL, aus_kill, /* 37 kill */ 273 auf_null, 0, 274 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */ 275 auf_null, S2E_PUB, 276 aui_null, AUE_SETPGRP, aus_null, /* 39 setpgrp */ 277 auf_null, 0, 278 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */ 279 auf_null, 0, 280 aui_null, AUE_NULL, aus_null, /* 41 dup */ 281 auf_null, 0, 282 aui_null, AUE_PIPE, aus_null, /* 42 pipe */ 283 auf_null, 0, 284 aui_null, AUE_NULL, aus_null, /* 43 times */ 285 auf_null, 0, 286 aui_null, AUE_NULL, aus_null, /* 44 profil */ 287 auf_null, 0, 288 aui_null, AUE_NULL, aus_null, /* 45 (loadable) */ 289 /* was proc lock */ 290 auf_null, 0, 291 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */ 292 auf_null, 0, 293 aui_null, AUE_NULL, aus_null, /* 47 getgid */ 294 auf_null, 0, 295 aui_null, AUE_NULL, aus_null, /* 48 sig */ 296 auf_null, 0, 297 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) was msgsys */ 298 auf_msgsys, 0, 299 #if defined(__x86) 300 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */ 301 auf_null, 0, 302 #else 303 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */ 304 auf_null, 0, 305 #endif /* __x86 */ 306 aui_null, AUE_ACCT, aus_acct, /* 51 acct */ 307 auf_null, 0, 308 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 shared memory */ 309 auf_shmsys, 0, 310 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 IPC semaphores */ 311 auf_semsys, 0, 312 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */ 313 auf_null, 0, 314 aui_null, AUE_NULL, aus_null, /* 55 uadmin */ 315 auf_null, 0, 316 aui_null, AUE_NULL, aus_null, /* 56 (loadable) was uexch */ 317 auf_null, 0, 318 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */ 319 auf_null, 0, 320 aui_null, AUE_NULL, aus_null, /* 58 fsync */ 321 auf_null, 0, 322 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */ 323 auf_null, S2E_MLD, 324 aui_null, AUE_NULL, aus_null, /* 60 umask */ 325 auf_null, 0, 326 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */ 327 auf_null, S2E_SP, 328 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */ 329 auf_null, 0, 330 aui_null, AUE_NULL, aus_null, /* 63 ulimit */ 331 auf_null, 0, 332 aui_null, AUE_NULL, aus_null, /* 64 (loadable) */ 333 auf_null, 0, 334 aui_null, AUE_NULL, aus_null, /* 65 (loadable) */ 335 auf_null, 0, 336 aui_null, AUE_NULL, aus_null, /* 66 (loadable) */ 337 auf_null, 0, 338 aui_null, AUE_NULL, aus_null, /* 67 (loadable) */ 339 /* file locking call */ 340 auf_null, 0, 341 aui_null, AUE_NULL, aus_null, /* 68 (loadable) */ 342 /* local system calls */ 343 auf_null, 0, 344 aui_null, AUE_NULL, aus_null, /* 69 (loadable) inode open */ 345 auf_null, 0, 346 aui_null, AUE_NULL, aus_null, /* 70 (loadable) was advfs */ 347 auf_null, 0, 348 aui_null, AUE_NULL, aus_null, /* 71 (loadable) was unadvfs */ 349 auf_null, 0, 350 aui_null, AUE_NULL, aus_null, /* 72 (loadable) was notused */ 351 auf_null, 0, 352 aui_null, AUE_NULL, aus_null, /* 73 (loadable) was notused */ 353 auf_null, 0, 354 aui_null, AUE_NULL, aus_null, /* 74 (loadable) was notused */ 355 auf_null, 0, 356 aui_null, AUE_NULL, aus_null, /* 75 sidsys */ 357 /* was sigret (SunOS) */ 358 auf_null, 0, 359 aui_fsat, AUE_FSAT, aus_fsat, /* 76 fsat */ 360 auf_null, 0, 361 aui_null, AUE_NULL, aus_null, /* 77 (loadable) was rfstop */ 362 auf_null, 0, 363 aui_null, AUE_NULL, aus_null, /* 78 (loadable) was rfssys */ 364 auf_null, 0, 365 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */ 366 auf_null, 0, 367 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */ 368 auf_null, 0, 369 aui_null, AUE_NULL, aus_null, /* 81 getdents */ 370 auf_null, 0, 371 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */ 372 /* was libattach */ 373 auf_null, 0, 374 aui_null, AUE_NULL, aus_null, /* 83 (loadable) */ 375 /* was libdetach */ 376 auf_null, 0, 377 aui_null, AUE_NULL, aus_null, /* 84 sysfs */ 378 auf_null, 0, 379 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */ 380 auf_null, 0, 381 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */ 382 auf_null, 0, 383 aui_null, AUE_NULL, aus_null, /* 87 poll */ 384 auf_null, 0, 385 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */ 386 auf_null, S2E_PUB, 387 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */ 388 auf_null, 0, 389 aui_null, AUE_READLINK, aus_null, /* 90 readlink */ 390 auf_null, S2E_PUB, 391 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */ 392 auf_null, 0, 393 aui_null, AUE_NULL, aus_null, /* 92 getgroups */ 394 auf_null, 0, 395 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */ 396 auf_null, 0, 397 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */ 398 auf_null, 0, 399 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */ 400 auf_null, 0, 401 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */ 402 auf_null, 0, 403 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */ 404 auf_null, 0, 405 aui_null, AUE_NULL, aus_null, /* 98 sigaction */ 406 auf_null, 0, 407 aui_null, AUE_NULL, aus_null, /* 99 sigpending */ 408 auf_null, 0, 409 aui_null, AUE_NULL, aus_null, /* 100 setcontext */ 410 auf_null, 0, 411 aui_null, AUE_NULL, aus_null, /* 101 (loadable) was evsys */ 412 auf_null, 0, 413 aui_null, AUE_NULL, aus_null, /* 102 (loadable) */ 414 /* was evtrapret */ 415 auf_null, 0, 416 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */ 417 auf_null, S2E_PUB, 418 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */ 419 auf_null, 0, 420 aui_null, AUE_NULL, aus_null, /* 105 (loadable) */ 421 auf_null, 0, 422 aui_null, AUE_NULL, aus_null, /* 106 nfssys */ 423 auf_null, 0, 424 aui_null, AUE_NULL, aus_null, /* 107 waitset */ 425 auf_null, 0, 426 aui_null, AUE_NULL, aus_null, /* 108 sigsendset */ 427 auf_null, 0, 428 #if defined(__x86) 429 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */ 430 auf_null, 0, 431 #else 432 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */ 433 auf_null, 0, 434 #endif /* __x86 */ 435 aui_null, AUE_NULL, aus_null, /* 110 (loadable) was acancel */ 436 auf_null, 0, 437 aui_null, AUE_NULL, aus_null, /* 111 (loadable) was async */ 438 auf_null, 0, 439 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, 440 auf_null, 0, /* 112 priocntlsys */ 441 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */ 442 auf_null, S2E_PUB, 443 aui_null, AUE_NULL, aus_null, /* 114 mincore */ 444 auf_null, 0, 445 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */ 446 auf_null, 0, 447 aui_null, AUE_NULL, aus_null, /* 116 mprotect */ 448 auf_null, 0, 449 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */ 450 auf_null, 0, 451 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */ 452 auf_null, 0, 453 aui_null, AUE_VFORK, aus_null, /* 119 vfork */ 454 auf_null, 0, 455 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */ 456 auf_null, 0, 457 aui_null, AUE_READ, aus_null, /* 121 readv */ 458 auf_read, S2E_PUB, 459 aui_null, AUE_WRITE, aus_null, /* 122 writev */ 460 auf_write, 0, 461 aui_null, AUE_STAT, aus_null, /* 123 xstat (x86) */ 462 auf_null, S2E_PUB, 463 aui_null, AUE_LSTAT, aus_null, /* 124 lxstat (x86) */ 464 auf_null, S2E_PUB, 465 aui_null, AUE_NULL, aus_null, /* 125 fxstat (x86) */ 466 auf_null, 0, 467 aui_null, AUE_MKNOD, aus_xmknod, /* 126 xmknod (x86) */ 468 auf_xmknod, 0, 469 aui_null, AUE_NULL, aus_null, /* 127 (loadable) was clocal */ 470 auf_null, 0, 471 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */ 472 auf_null, 0, 473 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */ 474 auf_null, 0, 475 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */ 476 auf_null, 0, 477 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */ 478 auf_null, 0, 479 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */ 480 auf_null, 0, 481 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */ 482 auf_null, 0, 483 aui_null, AUE_RENAME, aus_null, /* 134 rename */ 484 auf_null, 0, 485 aui_null, AUE_NULL, aus_null, /* 135 uname */ 486 auf_null, 0, 487 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */ 488 auf_null, 0, 489 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */ 490 auf_null, 0, 491 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */ 492 auf_null, 0, 493 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */ 494 auf_null, 0, 495 aui_null, AUE_NULL, aus_null, /* 140 reserved */ 496 auf_null, 0, 497 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */ 498 auf_null, 0, 499 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */ 500 auf_null, 0, 501 aui_null, AUE_FORK1, aus_null, /* 143 fork1 */ 502 auf_null, 0, 503 aui_null, AUE_NULL, aus_null, /* 144 sigwait */ 504 auf_null, 0, 505 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */ 506 auf_null, 0, 507 aui_null, AUE_NULL, aus_null, /* 146 yield */ 508 auf_null, 0, 509 aui_null, AUE_NULL, aus_null, /* 147 lwp_sema_wait */ 510 auf_null, 0, 511 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */ 512 auf_null, 0, 513 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */ 514 auf_null, 0, 515 aui_null, AUE_NULL, aus_null, /* 150 (loadable reserved) */ 516 auf_null, 0, 517 aui_null, AUE_NULL, aus_null, /* 151 (loadable reserved) */ 518 auf_null, 0, 519 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */ 520 auf_null, 0, 521 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */ 522 auf_null, 0, 523 aui_null, AUE_UTIMES, aus_null, /* 154 utimes */ 524 auf_null, 0, 525 aui_null, AUE_NULL, aus_null, /* 155 vhangup */ 526 auf_null, 0, 527 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */ 528 auf_null, 0, 529 aui_null, AUE_NULL, aus_null, /* 157 getitimer */ 530 auf_null, 0, 531 aui_null, AUE_NULL, aus_null, /* 158 setitimer */ 532 auf_null, 0, 533 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */ 534 auf_null, 0, 535 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */ 536 auf_null, 0, 537 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */ 538 auf_null, 0, 539 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */ 540 auf_null, 0, 541 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */ 542 auf_null, 0, 543 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */ 544 auf_null, 0, 545 aui_null, AUE_NULL, aus_null, /* 165 (loadable) */ 546 /* was lwp_setprivate */ 547 auf_null, 0, 548 aui_null, AUE_NULL, aus_null, /* 166 (loadable) */ 549 /* was lwp_getprivate */ 550 auf_null, 0, 551 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */ 552 auf_null, 0, 553 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */ 554 auf_null, 0, 555 aui_null, AUE_NULL, aus_null, /* 169 lwp_mutex_lock */ 556 auf_null, 0, 557 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */ 558 auf_null, 0, 559 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */ 560 auf_null, 0, 561 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */ 562 auf_null, 0, 563 aui_null, AUE_READ, aus_null, /* 173 pread */ 564 auf_read, S2E_PUB, 565 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */ 566 auf_write, 0, 567 aui_null, AUE_NULL, aus_null, /* 175 llseek */ 568 auf_null, 0, 569 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) */ 570 /* aus_inst_sync */ 571 auf_null, 0, 572 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */ 573 auf_null, 0, 574 aui_null, AUE_NULL, aus_null, /* 178 (loadable) */ 575 auf_null, 0, 576 aui_null, AUE_NULL, aus_null, /* 179 (loadable) */ 577 auf_null, 0, 578 aui_null, AUE_NULL, aus_null, /* 180 (loadable) kaio */ 579 auf_null, 0, 580 aui_null, AUE_NULL, aus_null, /* 181 (loadable) */ 581 auf_null, 0, 582 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */ 583 auf_null, S2E_MLD, 584 aui_null, AUE_NULL, aus_null, /* 183 (loadable) */ 585 auf_null, 0, 586 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */ 587 auf_null, 0, 588 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */ 589 auf_null, 0, 590 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */ 591 auf_null, 0, 592 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, 593 auf_null, 0, /* 187 processor_bind */ 594 aui_null, AUE_NULL, aus_null, /* 188 processor_info */ 595 auf_null, 0, 596 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */ 597 auf_null, 0, 598 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */ 599 auf_null, 0, 600 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */ 601 auf_null, 0, 602 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */ 603 auf_null, 0, 604 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */ 605 auf_null, 0, 606 aui_null, AUE_NULL, aus_null, /* 194 timer_create */ 607 auf_null, 0, 608 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */ 609 auf_null, 0, 610 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */ 611 auf_null, 0, 612 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */ 613 auf_null, 0, 614 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */ 615 auf_null, 0, 616 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */ 617 auf_null, 0, 618 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */ 619 auf_null, 0, 620 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */ 621 auf_null, 0, 622 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */ 623 auf_null, 0, 624 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */ 625 auf_null, 0, 626 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */ 627 auf_null, 0, 628 aui_null, AUE_NULL, aus_null, /* 205 signotify */ 629 auf_null, 0, 630 aui_null, AUE_NULL, aus_null, /* 206 schedctl */ 631 auf_null, 0, 632 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */ 633 auf_null, 0, 634 aui_null, AUE_NULL, aus_null, /* 208 (loadable) */ 635 auf_null, 0, 636 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */ 637 auf_null, 0, 638 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */ 639 auf_null, 0, 640 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */ 641 auf_null, 0, 642 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */ 643 auf_null, 0, 644 aui_null, AUE_NULL, aus_null, /* 213 getdents64 (__ppc) */ 645 auf_null, 0, 646 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */ 647 auf_null, 0, 648 aui_null, AUE_STAT, aus_null, /* 215 stat64 */ 649 auf_null, S2E_PUB, 650 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */ 651 auf_null, S2E_PUB, 652 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */ 653 auf_null, 0, 654 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */ 655 auf_null, S2E_PUB, 656 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */ 657 auf_null, 0, 658 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */ 659 auf_null, 0, 660 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */ 661 auf_null, 0, 662 aui_null, AUE_READ, aus_null, /* 222 pread64 */ 663 auf_read, S2E_PUB, 664 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */ 665 auf_write, 0, 666 aui_null, AUE_CREAT, aus_null, /* 224 creat64 */ 667 auf_null, S2E_SP, 668 aui_open, AUE_OPEN, aus_open, /* 225 open64 */ 669 auf_null, S2E_SP, 670 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */ 671 auf_null, 0, 672 aui_null, AUE_NULL, aus_null, /* 227 (loadable) */ 673 auf_null, 0, 674 aui_null, AUE_NULL, aus_null, /* 228 (loadable) */ 675 auf_null, 0, 676 aui_null, AUE_NULL, aus_null, /* 229 (loadable) */ 677 auf_null, 0, 678 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */ 679 auf_null, 0, 680 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */ 681 auf_null, 0, 682 aui_null, AUE_BIND, aus_null, /* 232 bind */ 683 auf_bind, 0, 684 aui_null, AUE_NULL, aus_null, /* 233 listen */ 685 auf_null, 0, 686 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */ 687 auf_accept, 0, 688 aui_null, AUE_CONNECT, aus_null, /* 235 connect */ 689 auf_connect, 0, 690 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */ 691 auf_null, 0, 692 aui_null, AUE_READ, aus_null, /* 237 recv */ 693 auf_recv, 0, 694 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */ 695 auf_recvfrom, 0, 696 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */ 697 auf_recvmsg, 0, 698 aui_null, AUE_WRITE, aus_null, /* 240 send */ 699 auf_send, 0, 700 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */ 701 auf_sendmsg, 0, 702 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */ 703 auf_sendto, 0, 704 aui_null, AUE_NULL, aus_null, /* 243 getpeername */ 705 auf_null, 0, 706 aui_null, AUE_NULL, aus_null, /* 244 getsockname */ 707 auf_null, 0, 708 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */ 709 auf_null, 0, 710 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */ 711 auf_setsockopt, 0, 712 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */ 713 auf_null, 0, 714 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */ 715 auf_null, 0, 716 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */ 717 auf_null, 0, 718 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */ 719 auf_null, 0, 720 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */ 721 auf_null, 0, 722 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */ 723 auf_null, 0, 724 aui_null, AUE_NULL, aus_null, /* 253 cladm */ 725 auf_null, 0, 726 aui_null, AUE_NULL, aus_null, /* 254 uucopy */ 727 auf_null, 0, 728 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */ 729 auf_null, 0 730 }; 731 732 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e); 733 734 735 /* acct start function */ 736 /*ARGSUSED*/ 737 static void 738 aus_acct(struct t_audit_data *tad) 739 { 740 klwp_t *clwp = ttolwp(curthread); 741 uintptr_t fname; 742 743 struct a { 744 long fname; /* char * */ 745 } *uap = (struct a *)clwp->lwp_ap; 746 747 fname = (uintptr_t)uap->fname; 748 749 if (fname == 0) 750 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0)); 751 } 752 753 /* chown start function */ 754 /*ARGSUSED*/ 755 static void 756 aus_chown(struct t_audit_data *tad) 757 { 758 klwp_t *clwp = ttolwp(curthread); 759 uint32_t uid, gid; 760 761 struct a { 762 long fname; /* char * */ 763 long uid; 764 long gid; 765 } *uap = (struct a *)clwp->lwp_ap; 766 767 uid = (uint32_t)uap->uid; 768 gid = (uint32_t)uap->gid; 769 770 au_uwrite(au_to_arg32(2, "new file uid", uid)); 771 au_uwrite(au_to_arg32(3, "new file gid", gid)); 772 } 773 774 /* fchown start function */ 775 /*ARGSUSED*/ 776 static void 777 aus_fchown(struct t_audit_data *tad) 778 { 779 klwp_t *clwp = ttolwp(curthread); 780 uint32_t uid, gid, fd; 781 struct file *fp; 782 struct vnode *vp; 783 struct f_audit_data *fad; 784 785 struct a { 786 long fd; 787 long uid; 788 long gid; 789 } *uap = (struct a *)clwp->lwp_ap; 790 791 fd = (uint32_t)uap->fd; 792 uid = (uint32_t)uap->uid; 793 gid = (uint32_t)uap->gid; 794 795 au_uwrite(au_to_arg32(2, "new file uid", uid)); 796 au_uwrite(au_to_arg32(3, "new file gid", gid)); 797 798 /* 799 * convert file pointer to file descriptor 800 * Note: fd ref count incremented here. 801 */ 802 if ((fp = getf(fd)) == NULL) 803 return; 804 805 /* get path from file struct here */ 806 fad = F2A(fp); 807 if (fad->fad_aupath != NULL) { 808 au_uwrite(au_to_path(fad->fad_aupath)); 809 } else { 810 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 811 } 812 813 vp = fp->f_vnode; 814 audit_attributes(vp); 815 816 /* decrement file descriptor reference count */ 817 releasef(fd); 818 } 819 820 /*ARGSUSED*/ 821 static void 822 aus_lchown(struct t_audit_data *tad) 823 { 824 klwp_t *clwp = ttolwp(curthread); 825 uint32_t uid, gid; 826 827 828 struct a { 829 long fname; /* char * */ 830 long uid; 831 long gid; 832 } *uap = (struct a *)clwp->lwp_ap; 833 834 uid = (uint32_t)uap->uid; 835 gid = (uint32_t)uap->gid; 836 837 au_uwrite(au_to_arg32(2, "new file uid", uid)); 838 au_uwrite(au_to_arg32(3, "new file gid", gid)); 839 } 840 841 /* chmod start function */ 842 /*ARGSUSED*/ 843 static void 844 aus_chmod(struct t_audit_data *tad) 845 { 846 klwp_t *clwp = ttolwp(curthread); 847 uint32_t fmode; 848 849 struct a { 850 long fname; /* char * */ 851 long fmode; 852 } *uap = (struct a *)clwp->lwp_ap; 853 854 fmode = (uint32_t)uap->fmode; 855 856 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 857 } 858 859 /* chmod start function */ 860 /*ARGSUSED*/ 861 static void 862 aus_fchmod(struct t_audit_data *tad) 863 { 864 klwp_t *clwp = ttolwp(curthread); 865 uint32_t fmode, fd; 866 struct file *fp; 867 struct vnode *vp; 868 struct f_audit_data *fad; 869 870 struct a { 871 long fd; 872 long fmode; 873 } *uap = (struct a *)clwp->lwp_ap; 874 875 fd = (uint32_t)uap->fd; 876 fmode = (uint32_t)uap->fmode; 877 878 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777)); 879 880 /* 881 * convert file pointer to file descriptor 882 * Note: fd ref count incremented here. 883 */ 884 if ((fp = getf(fd)) == NULL) 885 return; 886 887 /* get path from file struct here */ 888 fad = F2A(fp); 889 if (fad->fad_aupath != NULL) { 890 au_uwrite(au_to_path(fad->fad_aupath)); 891 } else { 892 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 893 } 894 895 vp = fp->f_vnode; 896 audit_attributes(vp); 897 898 /* decrement file descriptor reference count */ 899 releasef(fd); 900 } 901 902 903 /* convert open to appropriate event */ 904 static au_event_t 905 aui_open(au_event_t e) 906 { 907 klwp_t *clwp = ttolwp(curthread); 908 uint_t fm; 909 910 struct a { 911 long fnamep; /* char * */ 912 long fmode; 913 long cmode; 914 } *uap = (struct a *)clwp->lwp_ap; 915 916 fm = (uint_t)uap->fmode; 917 918 if (fm & O_WRONLY) 919 e = AUE_OPEN_W; 920 else if (fm & O_RDWR) 921 e = AUE_OPEN_RW; 922 else 923 e = AUE_OPEN_R; 924 925 if (fm & O_CREAT) 926 e += 1; 927 if (fm & O_TRUNC) 928 e += 2; 929 930 return (e); 931 } 932 933 /*ARGSUSED*/ 934 static void 935 aus_open(struct t_audit_data *tad) 936 { 937 klwp_t *clwp = ttolwp(curthread); 938 uint_t fm; 939 940 struct a { 941 long fnamep; /* char * */ 942 long fmode; 943 long cmode; 944 } *uap = (struct a *)clwp->lwp_ap; 945 946 fm = (uint_t)uap->fmode; 947 948 /* If no write, create, or trunc modes, mark as a public op */ 949 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 950 tad->tad_ctrl |= PAD_PUBLIC_EV; 951 } 952 953 /* convert openat(2) to appropriate event */ 954 static au_event_t 955 aui_fsat(au_event_t e) 956 { 957 t_audit_data_t *tad = U2A(u); 958 klwp_t *clwp = ttolwp(curthread); 959 uint_t fmcode, fm; 960 struct a { 961 long id; 962 long arg1; 963 long arg2; 964 long arg3; 965 long arg4; 966 long arg5; 967 } *uap = (struct a *)clwp->lwp_ap; 968 969 fmcode = (uint_t)uap->id; 970 971 switch (fmcode) { 972 973 case 0: /* openat */ 974 case 1: /* openat64 */ 975 fm = (uint_t)uap->arg3; 976 if (fm & O_WRONLY) 977 e = AUE_OPENAT_W; 978 else if (fm & O_RDWR) 979 e = AUE_OPENAT_RW; 980 else 981 e = AUE_OPENAT_R; 982 983 /* 984 * openat modes are defined in the following order: 985 * Read only 986 * Read|Create 987 * Read|Trunc 988 * Read|Create|Trunc 989 * Write Only 990 * Write|Create 991 * Write|Trunc 992 * Write|Create|Trunc * RW Only 993 * RW|Create 994 * RW|Trunc 995 * RW|Create|Trunc 996 */ 997 if (fm & O_CREAT) 998 e += 1; /* increment to include CREAT in mode */ 999 if (fm & O_TRUNC) 1000 e += 2; /* increment to include TRUNC in mode */ 1001 1002 /* convert to appropriate au_ctrl */ 1003 tad->tad_ctrl |= PAD_SAVPATH; 1004 if (fm & FXATTR) 1005 tad->tad_ctrl |= PAD_ATPATH; 1006 1007 1008 break; 1009 case 2: /* fstatat64 */ 1010 case 3: /* fstatat */ 1011 e = AUE_FSTATAT; 1012 break; 1013 case 4: /* fchownat */ 1014 e = AUE_FCHOWNAT; 1015 break; 1016 case 5: /* unlinkat */ 1017 e = AUE_UNLINKAT; 1018 break; 1019 case 6: /* futimesat */ 1020 e = AUE_FUTIMESAT; 1021 break; 1022 case 7: /* renameat */ 1023 e = AUE_RENAMEAT; 1024 break; 1025 case 9: /* __openattrdirat */ 1026 tad->tad_ctrl |= PAD_SAVPATH; 1027 /*FALLTHROUGH*/ 1028 default: 1029 e = AUE_NULL; 1030 break; 1031 } 1032 1033 return (e); 1034 } 1035 1036 /*ARGSUSED*/ 1037 static void 1038 aus_fsat(struct t_audit_data *tad) 1039 { 1040 klwp_t *clwp = ttolwp(curthread); 1041 uint_t fmcode, fm; 1042 struct a { 1043 long id; 1044 long arg1; 1045 long arg2; 1046 long arg3; 1047 long arg4; 1048 long arg5; 1049 } *uap = (struct a *)clwp->lwp_ap; 1050 1051 fmcode = (uint_t)uap->id; 1052 1053 switch (fmcode) { 1054 1055 case 0: /* openat */ 1056 case 1: /* openat64 */ 1057 fm = (uint_t)uap->arg3; 1058 /* If no write, create, or trunc modes, mark as a public op */ 1059 if (!(fm & (O_WRONLY|O_RDWR|O_CREAT|O_TRUNC))) 1060 tad->tad_ctrl |= PAD_PUBLIC_EV; 1061 1062 break; 1063 case 2: /* fstatat64 */ 1064 case 3: /* fstatat */ 1065 tad->tad_ctrl |= PAD_PUBLIC_EV; 1066 break; 1067 default: 1068 break; 1069 } 1070 } 1071 1072 /* msgsys */ 1073 static au_event_t 1074 aui_msgsys(au_event_t e) 1075 { 1076 klwp_t *clwp = ttolwp(curthread); 1077 uint_t fm; 1078 1079 struct a { 1080 long id; /* function code id */ 1081 long ap; /* arg pointer for recvmsg */ 1082 } *uap = (struct a *)clwp->lwp_ap; 1083 1084 struct b { 1085 long msgid; 1086 long cmd; 1087 long buf; /* struct msqid_ds * */ 1088 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1089 1090 fm = (uint_t)uap->id; 1091 1092 switch (fm) { 1093 case 0: /* msgget */ 1094 e = AUE_MSGGET; 1095 break; 1096 case 1: /* msgctl */ 1097 switch ((uint_t)uap1->cmd) { 1098 case IPC_RMID: 1099 e = AUE_MSGCTL_RMID; 1100 break; 1101 case IPC_SET: 1102 e = AUE_MSGCTL_SET; 1103 break; 1104 case IPC_STAT: 1105 e = AUE_MSGCTL_STAT; 1106 break; 1107 default: 1108 e = AUE_MSGCTL; 1109 break; 1110 } 1111 break; 1112 case 2: /* msgrcv */ 1113 e = AUE_MSGRCV; 1114 break; 1115 case 3: /* msgsnd */ 1116 e = AUE_MSGSND; 1117 break; 1118 default: /* illegal system call */ 1119 e = AUE_NULL; 1120 break; 1121 } 1122 1123 return (e); 1124 } 1125 1126 1127 /* shmsys */ 1128 static au_event_t 1129 aui_shmsys(au_event_t e) 1130 { 1131 klwp_t *clwp = ttolwp(curthread); 1132 int fm; 1133 1134 struct a { /* shmsys */ 1135 long id; /* function code id */ 1136 } *uap = (struct a *)clwp->lwp_ap; 1137 1138 struct b { /* ctrl */ 1139 long shmid; 1140 long cmd; 1141 long arg; /* struct shmid_ds * */ 1142 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1143 fm = (uint_t)uap->id; 1144 1145 switch (fm) { 1146 case 0: /* shmat */ 1147 e = AUE_SHMAT; 1148 break; 1149 case 1: /* shmctl */ 1150 switch ((uint_t)uap1->cmd) { 1151 case IPC_RMID: 1152 e = AUE_SHMCTL_RMID; 1153 break; 1154 case IPC_SET: 1155 e = AUE_SHMCTL_SET; 1156 break; 1157 case IPC_STAT: 1158 e = AUE_SHMCTL_STAT; 1159 break; 1160 default: 1161 e = AUE_SHMCTL; 1162 break; 1163 } 1164 break; 1165 case 2: /* shmdt */ 1166 e = AUE_SHMDT; 1167 break; 1168 case 3: /* shmget */ 1169 e = AUE_SHMGET; 1170 break; 1171 default: /* illegal system call */ 1172 e = AUE_NULL; 1173 break; 1174 } 1175 1176 return (e); 1177 } 1178 1179 1180 /* semsys */ 1181 static au_event_t 1182 aui_semsys(au_event_t e) 1183 { 1184 klwp_t *clwp = ttolwp(curthread); 1185 uint_t fm; 1186 1187 struct a { /* semsys */ 1188 long id; 1189 } *uap = (struct a *)clwp->lwp_ap; 1190 1191 struct b { /* ctrl */ 1192 long semid; 1193 long semnum; 1194 long cmd; 1195 long arg; 1196 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1197 1198 fm = (uint_t)uap->id; 1199 1200 switch (fm) { 1201 case 0: /* semctl */ 1202 switch ((uint_t)uap1->cmd) { 1203 case IPC_RMID: 1204 e = AUE_SEMCTL_RMID; 1205 break; 1206 case IPC_SET: 1207 e = AUE_SEMCTL_SET; 1208 break; 1209 case IPC_STAT: 1210 e = AUE_SEMCTL_STAT; 1211 break; 1212 case GETNCNT: 1213 e = AUE_SEMCTL_GETNCNT; 1214 break; 1215 case GETPID: 1216 e = AUE_SEMCTL_GETPID; 1217 break; 1218 case GETVAL: 1219 e = AUE_SEMCTL_GETVAL; 1220 break; 1221 case GETALL: 1222 e = AUE_SEMCTL_GETALL; 1223 break; 1224 case GETZCNT: 1225 e = AUE_SEMCTL_GETZCNT; 1226 break; 1227 case SETVAL: 1228 e = AUE_SEMCTL_SETVAL; 1229 break; 1230 case SETALL: 1231 e = AUE_SEMCTL_SETALL; 1232 break; 1233 default: 1234 e = AUE_SEMCTL; 1235 break; 1236 } 1237 break; 1238 case 1: /* semget */ 1239 e = AUE_SEMGET; 1240 break; 1241 case 2: /* semop */ 1242 e = AUE_SEMOP; 1243 break; 1244 default: /* illegal system call */ 1245 e = AUE_NULL; 1246 break; 1247 } 1248 1249 return (e); 1250 } 1251 1252 /* utssys - uname(2), ustat(2), fusers(2) */ 1253 static au_event_t 1254 aui_utssys(au_event_t e) 1255 { 1256 klwp_t *clwp = ttolwp(curthread); 1257 uint_t type; 1258 1259 struct a { 1260 union { 1261 long cbuf; /* char * */ 1262 long ubuf; /* struct stat * */ 1263 } ub; 1264 union { 1265 long mv; /* for USTAT */ 1266 long flags; /* for FUSERS */ 1267 } un; 1268 long type; 1269 long outbp; /* char * for FUSERS */ 1270 } *uap = (struct a *)clwp->lwp_ap; 1271 1272 type = (uint_t)uap->type; 1273 1274 if (type == UTS_FUSERS) 1275 return (e); 1276 else 1277 return ((au_event_t)AUE_NULL); 1278 } 1279 1280 static au_event_t 1281 aui_fcntl(au_event_t e) 1282 { 1283 klwp_t *clwp = ttolwp(curthread); 1284 uint_t cmd; 1285 1286 struct a { 1287 long fdes; 1288 long cmd; 1289 long arg; 1290 } *uap = (struct a *)clwp->lwp_ap; 1291 1292 cmd = (uint_t)uap->cmd; 1293 1294 switch (cmd) { 1295 case F_GETLK: 1296 case F_SETLK: 1297 case F_SETLKW: 1298 break; 1299 case F_SETFL: 1300 case F_GETFL: 1301 case F_GETFD: 1302 break; 1303 default: 1304 e = (au_event_t)AUE_NULL; 1305 break; 1306 } 1307 return ((au_event_t)e); 1308 } 1309 1310 /* null function for now */ 1311 static au_event_t 1312 aui_execv(au_event_t e) 1313 { 1314 return (e); 1315 } 1316 1317 /* null function for now */ 1318 static au_event_t 1319 aui_execve(au_event_t e) 1320 { 1321 return (e); 1322 } 1323 1324 /*ARGSUSED*/ 1325 static void 1326 aus_fcntl(struct t_audit_data *tad) 1327 { 1328 klwp_t *clwp = ttolwp(curthread); 1329 uint32_t cmd, fd; 1330 struct file *fp; 1331 struct vnode *vp; 1332 struct f_audit_data *fad; 1333 1334 struct a { 1335 long fd; 1336 long cmd; 1337 long arg; 1338 } *uap = (struct a *)clwp->lwp_ap; 1339 1340 cmd = (uint32_t)uap->cmd; 1341 fd = (uint32_t)uap->fd; 1342 1343 au_uwrite(au_to_arg32(2, "cmd", cmd)); 1344 1345 /* 1346 * convert file pointer to file descriptor 1347 * Note: fd ref count incremented here. 1348 */ 1349 if ((fp = getf(fd)) == NULL) 1350 return; 1351 1352 /* get path from file struct here */ 1353 fad = F2A(fp); 1354 if (fad->fad_aupath != NULL) { 1355 au_uwrite(au_to_path(fad->fad_aupath)); 1356 } else { 1357 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1358 } 1359 1360 vp = fp->f_vnode; 1361 audit_attributes(vp); 1362 1363 /* decrement file descriptor reference count */ 1364 releasef(fd); 1365 } 1366 1367 /*ARGSUSED*/ 1368 static void 1369 aus_kill(struct t_audit_data *tad) 1370 { 1371 klwp_t *clwp = ttolwp(curthread); 1372 struct proc *p; 1373 uint32_t signo; 1374 uid_t uid, ruid; 1375 gid_t gid, rgid; 1376 pid_t pid; 1377 const auditinfo_addr_t *ainfo; 1378 cred_t *cr; 1379 1380 struct a { 1381 long pid; 1382 long signo; 1383 } *uap = (struct a *)clwp->lwp_ap; 1384 1385 pid = (pid_t)uap->pid; 1386 signo = (uint32_t)uap->signo; 1387 1388 au_uwrite(au_to_arg32(2, "signal", signo)); 1389 if (pid > 0) { 1390 mutex_enter(&pidlock); 1391 if (((p = prfind(pid)) == (struct proc *)0) || 1392 (p->p_stat == SIDL)) { 1393 mutex_exit(&pidlock); 1394 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1395 return; 1396 } 1397 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1398 mutex_exit(&pidlock); 1399 1400 mutex_enter(&p->p_crlock); 1401 crhold(cr = p->p_cred); 1402 mutex_exit(&p->p_crlock); 1403 mutex_exit(&p->p_lock); 1404 1405 ainfo = crgetauinfo(cr); 1406 if (ainfo == NULL) { 1407 crfree(cr); 1408 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1409 return; 1410 } 1411 1412 uid = crgetuid(cr); 1413 gid = crgetgid(cr); 1414 ruid = crgetruid(cr); 1415 rgid = crgetrgid(cr); 1416 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1417 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1418 1419 if (is_system_labeled()) 1420 au_uwrite(au_to_label(CR_SL(cr))); 1421 1422 crfree(cr); 1423 } 1424 else 1425 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid)); 1426 } 1427 1428 /*ARGSUSED*/ 1429 static void 1430 aus_mkdir(struct t_audit_data *tad) 1431 { 1432 klwp_t *clwp = ttolwp(curthread); 1433 uint32_t dmode; 1434 1435 struct a { 1436 long dirnamep; /* char * */ 1437 long dmode; 1438 } *uap = (struct a *)clwp->lwp_ap; 1439 1440 dmode = (uint32_t)uap->dmode; 1441 1442 au_uwrite(au_to_arg32(2, "mode", dmode)); 1443 } 1444 1445 /*ARGSUSED*/ 1446 static void 1447 aus_mknod(struct t_audit_data *tad) 1448 { 1449 klwp_t *clwp = ttolwp(curthread); 1450 uint32_t fmode; 1451 dev_t dev; 1452 1453 struct a { 1454 long pnamep; /* char * */ 1455 long fmode; 1456 long dev; 1457 } *uap = (struct a *)clwp->lwp_ap; 1458 1459 fmode = (uint32_t)uap->fmode; 1460 dev = (dev_t)uap->dev; 1461 1462 au_uwrite(au_to_arg32(2, "mode", fmode)); 1463 #ifdef _LP64 1464 au_uwrite(au_to_arg64(3, "dev", dev)); 1465 #else 1466 au_uwrite(au_to_arg32(3, "dev", dev)); 1467 #endif 1468 } 1469 1470 /*ARGSUSED*/ 1471 static void 1472 aus_xmknod(struct t_audit_data *tad) 1473 { 1474 klwp_t *clwp = ttolwp(curthread); 1475 uint32_t fmode; 1476 dev_t dev; 1477 1478 struct a { 1479 long version; /* version */ 1480 long pnamep; /* char * */ 1481 long fmode; 1482 long dev; 1483 } *uap = (struct a *)clwp->lwp_ap; 1484 1485 fmode = (uint32_t)uap->fmode; 1486 dev = (dev_t)uap->dev; 1487 1488 au_uwrite(au_to_arg32(2, "mode", fmode)); 1489 #ifdef _LP64 1490 au_uwrite(au_to_arg64(3, "dev", dev)); 1491 #else 1492 au_uwrite(au_to_arg32(3, "dev", dev)); 1493 #endif 1494 } 1495 1496 /*ARGSUSED*/ 1497 static void 1498 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval) 1499 { 1500 klwp_t *clwp = ttolwp(curthread); 1501 vnode_t *dvp; 1502 caddr_t pnamep; 1503 1504 struct a { 1505 long pnamep; /* char * */ 1506 long fmode; 1507 long dev; 1508 } *uap = (struct a *)clwp->lwp_ap; 1509 1510 /* no error, then already path token in audit record */ 1511 if (error != EPERM) 1512 return; 1513 1514 /* not auditing this event, nothing then to do */ 1515 if (tad->tad_flag == 0) 1516 return; 1517 1518 /* do the lookup to force generation of path token */ 1519 pnamep = (caddr_t)uap->pnamep; 1520 tad->tad_ctrl |= PAD_NOATTRB; 1521 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1522 if (error == 0) 1523 VN_RELE(dvp); 1524 } 1525 1526 /*ARGSUSED*/ 1527 static void 1528 auf_xmknod(struct t_audit_data *tad, int error, rval_t *rval) 1529 { 1530 klwp_t *clwp = ttolwp(curthread); 1531 vnode_t *dvp; 1532 caddr_t pnamep; 1533 1534 struct a { 1535 long version; /* version */ 1536 long pnamep; /* char * */ 1537 long fmode; 1538 long dev; 1539 } *uap = (struct a *)clwp->lwp_arg; 1540 1541 1542 /* no error, then already path token in audit record */ 1543 if (error != EPERM) 1544 return; 1545 1546 /* not auditing this event, nothing then to do */ 1547 if (tad->tad_flag == 0) 1548 return; 1549 1550 /* do the lookup to force generation of path token */ 1551 pnamep = (caddr_t)uap->pnamep; 1552 tad->tad_ctrl |= PAD_NOATTRB; 1553 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP); 1554 if (error == 0) 1555 VN_RELE(dvp); 1556 } 1557 1558 /*ARGSUSED*/ 1559 static void 1560 aus_mount(struct t_audit_data *tad) 1561 { /* AUS_START */ 1562 klwp_t *clwp = ttolwp(curthread); 1563 uint32_t flags; 1564 uintptr_t u_fstype, dataptr; 1565 STRUCT_DECL(nfs_args, nfsargs); 1566 size_t len; 1567 char *fstype, *hostname; 1568 1569 struct a { 1570 long spec; /* char * */ 1571 long dir; /* char * */ 1572 long flags; 1573 long fstype; /* char * */ 1574 long dataptr; /* char * */ 1575 long datalen; 1576 } *uap = (struct a *)clwp->lwp_ap; 1577 1578 u_fstype = (uintptr_t)uap->fstype; 1579 flags = (uint32_t)uap->flags; 1580 dataptr = (uintptr_t)uap->dataptr; 1581 1582 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1583 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len)) 1584 goto mount_free_fstype; 1585 1586 au_uwrite(au_to_arg32(3, "flags", flags)); 1587 au_uwrite(au_to_text(fstype)); 1588 1589 if (strncmp(fstype, "nfs", 3) == 0) { 1590 1591 STRUCT_INIT(nfsargs, get_udatamodel()); 1592 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs)); 1593 1594 if (copyin((caddr_t)dataptr, 1595 STRUCT_BUF(nfsargs), 1596 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) { 1597 /* DEBUG debug_enter((char *)NULL); */ 1598 goto mount_free_fstype; 1599 } 1600 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP); 1601 if (copyinstr(STRUCT_FGETP(nfsargs, hostname), 1602 (caddr_t)hostname, 1603 MAXNAMELEN, &len)) { 1604 goto mount_free_hostname; 1605 } 1606 au_uwrite(au_to_text(hostname)); 1607 au_uwrite(au_to_arg32(3, "internal flags", 1608 (uint_t)STRUCT_FGET(nfsargs, flags))); 1609 1610 mount_free_hostname: 1611 kmem_free(hostname, MAXNAMELEN); 1612 } 1613 1614 mount_free_fstype: 1615 kmem_free(fstype, MAXNAMELEN); 1616 } /* AUS_MOUNT */ 1617 1618 static void 1619 aus_umount_path(caddr_t umount_dir) 1620 { 1621 char *dir_path; 1622 struct audit_path *path; 1623 size_t path_len, dir_len; 1624 1625 /* length alloc'd for two string pointers */ 1626 path_len = sizeof (struct audit_path) + sizeof (char *); 1627 path = kmem_alloc(path_len, KM_SLEEP); 1628 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP); 1629 1630 if (copyinstr(umount_dir, (caddr_t)dir_path, 1631 MAXPATHLEN, &dir_len)) 1632 goto umount2_free_dir; 1633 1634 /* 1635 * the audit_path struct assumes that the buffer pointed to 1636 * by audp_sect[n] contains string 0 immediatedly followed 1637 * by string 1. 1638 */ 1639 path->audp_sect[0] = dir_path; 1640 path->audp_sect[1] = dir_path + strlen(dir_path) + 1; 1641 path->audp_size = path_len; 1642 path->audp_ref = 1; /* not used */ 1643 path->audp_cnt = 1; /* one path string */ 1644 1645 au_uwrite(au_to_path(path)); 1646 1647 umount2_free_dir: 1648 kmem_free(dir_path, MAXPATHLEN); 1649 kmem_free(path, path_len); 1650 } 1651 1652 /* 1653 * the umount syscall is implemented as a call to umount2, but the args 1654 * are different... 1655 */ 1656 1657 /*ARGSUSED*/ 1658 static void 1659 aus_umount(struct t_audit_data *tad) 1660 { 1661 klwp_t *clwp = ttolwp(curthread); 1662 struct a { 1663 long dir; /* char * */ 1664 } *uap = (struct a *)clwp->lwp_ap; 1665 1666 aus_umount_path((caddr_t)uap->dir); 1667 } 1668 1669 /*ARGSUSED*/ 1670 static void 1671 aus_umount2(struct t_audit_data *tad) 1672 { 1673 klwp_t *clwp = ttolwp(curthread); 1674 struct a { 1675 long dir; /* char * */ 1676 long flags; 1677 } *uap = (struct a *)clwp->lwp_ap; 1678 1679 aus_umount_path((caddr_t)uap->dir); 1680 1681 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 1682 } 1683 1684 static void 1685 aus_msgsys(struct t_audit_data *tad) 1686 { 1687 klwp_t *clwp = ttolwp(curthread); 1688 uint32_t msgid; 1689 1690 struct b { 1691 long msgid; 1692 long cmd; 1693 long buf; /* struct msqid_ds * */ 1694 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1695 1696 msgid = (uint32_t)uap1->msgid; 1697 1698 1699 switch (tad->tad_event) { 1700 case AUE_MSGGET: /* msgget */ 1701 au_uwrite(au_to_arg32(1, "msg key", msgid)); 1702 break; 1703 case AUE_MSGCTL: /* msgctl */ 1704 case AUE_MSGCTL_RMID: /* msgctl */ 1705 case AUE_MSGCTL_SET: /* msgctl */ 1706 case AUE_MSGCTL_STAT: /* msgctl */ 1707 case AUE_MSGRCV: /* msgrcv */ 1708 case AUE_MSGSND: /* msgsnd */ 1709 au_uwrite(au_to_arg32(1, "msg ID", msgid)); 1710 break; 1711 } 1712 } 1713 1714 /*ARGSUSED*/ 1715 static void 1716 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval) 1717 { 1718 int id; 1719 1720 if (error != 0) 1721 return; 1722 if (tad->tad_event == AUE_MSGGET) { 1723 uint32_t scid; 1724 uint32_t sy_flags; 1725 1726 /* need to determine type of executing binary */ 1727 scid = tad->tad_scid; 1728 #ifdef _SYSCALL32_IMPL 1729 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1730 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1731 else 1732 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1733 #else 1734 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1735 #endif 1736 if (sy_flags == SE_32RVAL1) 1737 id = rval->r_val1; 1738 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1739 id = rval->r_val1; 1740 if (sy_flags == SE_64RVAL) 1741 id = (int)rval->r_vals; 1742 1743 au_uwrite(au_to_ipc(AT_IPC_MSG, id)); 1744 } 1745 } 1746 1747 static void 1748 aus_semsys(struct t_audit_data *tad) 1749 { 1750 klwp_t *clwp = ttolwp(curthread); 1751 uint32_t semid; 1752 1753 struct b { /* ctrl */ 1754 long semid; 1755 long semnum; 1756 long cmd; 1757 long arg; 1758 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 1759 1760 semid = (uint32_t)uap1->semid; 1761 1762 switch (tad->tad_event) { 1763 case AUE_SEMCTL_RMID: 1764 case AUE_SEMCTL_STAT: 1765 case AUE_SEMCTL_GETNCNT: 1766 case AUE_SEMCTL_GETPID: 1767 case AUE_SEMCTL_GETVAL: 1768 case AUE_SEMCTL_GETALL: 1769 case AUE_SEMCTL_GETZCNT: 1770 case AUE_SEMCTL_SET: 1771 case AUE_SEMCTL_SETVAL: 1772 case AUE_SEMCTL_SETALL: 1773 case AUE_SEMCTL: 1774 case AUE_SEMOP: 1775 au_uwrite(au_to_arg32(1, "sem ID", semid)); 1776 break; 1777 case AUE_SEMGET: 1778 au_uwrite(au_to_arg32(1, "sem key", semid)); 1779 break; 1780 } 1781 } 1782 1783 /*ARGSUSED*/ 1784 static void 1785 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval) 1786 { 1787 int id; 1788 1789 if (error != 0) 1790 return; 1791 if (tad->tad_event == AUE_SEMGET) { 1792 uint32_t scid; 1793 uint32_t sy_flags; 1794 1795 /* need to determine type of executing binary */ 1796 scid = tad->tad_scid; 1797 #ifdef _SYSCALL32_IMPL 1798 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 1799 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1800 else 1801 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 1802 #else 1803 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 1804 #endif 1805 if (sy_flags == SE_32RVAL1) 1806 id = rval->r_val1; 1807 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 1808 id = rval->r_val1; 1809 if (sy_flags == SE_64RVAL) 1810 id = (int)rval->r_vals; 1811 1812 au_uwrite(au_to_ipc(AT_IPC_SEM, id)); 1813 } 1814 } 1815 1816 /*ARGSUSED*/ 1817 static void 1818 aus_close(struct t_audit_data *tad) 1819 { 1820 klwp_t *clwp = ttolwp(curthread); 1821 uint32_t fd; 1822 struct file *fp; 1823 struct f_audit_data *fad; 1824 struct vnode *vp; 1825 struct vattr attr; 1826 au_kcontext_t *kctx = GET_KCTX_PZ; 1827 1828 struct a { 1829 long i; 1830 } *uap = (struct a *)clwp->lwp_ap; 1831 1832 fd = (uint32_t)uap->i; 1833 1834 attr.va_mask = 0; 1835 au_uwrite(au_to_arg32(1, "fd", fd)); 1836 1837 /* 1838 * convert file pointer to file descriptor 1839 * Note: fd ref count incremented here. 1840 */ 1841 if ((fp = getf(fd)) == NULL) 1842 return; 1843 1844 fad = F2A(fp); 1845 tad->tad_evmod = (au_emod_t)fad->fad_flags; 1846 if (fad->fad_aupath != NULL) { 1847 au_uwrite(au_to_path(fad->fad_aupath)); 1848 if ((vp = fp->f_vnode) != NULL) { 1849 attr.va_mask = AT_ALL; 1850 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) { 1851 /* 1852 * When write was not used and the file can be 1853 * considered public, skip the audit. 1854 */ 1855 if (((fp->f_flag & FWRITE) == 0) && 1856 file_is_public(&attr)) { 1857 tad->tad_flag = 0; 1858 tad->tad_evmod = 0; 1859 /* free any residual audit data */ 1860 au_close(kctx, &(u_ad), 0, 0, 0); 1861 releasef(fd); 1862 return; 1863 } 1864 au_uwrite(au_to_attr(&attr)); 1865 audit_sec_attributes(&(u_ad), vp); 1866 } 1867 } 1868 } 1869 1870 /* decrement file descriptor reference count */ 1871 releasef(fd); 1872 } 1873 1874 /*ARGSUSED*/ 1875 static void 1876 aus_fstatfs(struct t_audit_data *tad) 1877 { 1878 klwp_t *clwp = ttolwp(curthread); 1879 uint32_t fd; 1880 struct file *fp; 1881 struct vnode *vp; 1882 struct f_audit_data *fad; 1883 1884 struct a { 1885 long fd; 1886 long buf; /* struct statfs * */ 1887 } *uap = (struct a *)clwp->lwp_ap; 1888 1889 fd = (uint_t)uap->fd; 1890 1891 /* 1892 * convert file pointer to file descriptor 1893 * Note: fd ref count incremented here. 1894 */ 1895 if ((fp = getf(fd)) == NULL) 1896 return; 1897 1898 /* get path from file struct here */ 1899 fad = F2A(fp); 1900 if (fad->fad_aupath != NULL) { 1901 au_uwrite(au_to_path(fad->fad_aupath)); 1902 } else { 1903 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 1904 } 1905 1906 vp = fp->f_vnode; 1907 audit_attributes(vp); 1908 1909 /* decrement file descriptor reference count */ 1910 releasef(fd); 1911 } 1912 1913 #ifdef NOTYET 1914 /*ARGSUSED*/ 1915 static void 1916 aus_setpgrp(struct t_audit_data *tad) 1917 { 1918 klwp_t *clwp = ttolwp(curthread); 1919 uint32_t pgrp; 1920 struct proc *p; 1921 uid_t uid, ruid; 1922 gid_t gid, rgid; 1923 pid_t pid; 1924 const auditinfo_addr_t *ainfo; 1925 cred_t *cr; 1926 1927 struct a { 1928 long pid; 1929 long pgrp; 1930 } *uap = (struct a *)clwp->lwp_ap; 1931 1932 pid = (pid_t)uap->pid; 1933 pgrp = (uint32_t)uap->pgrp; 1934 1935 /* current process? */ 1936 if (pid == 0) 1937 (return); 1938 1939 mutex_enter(&pidlock); 1940 p = prfind(pid); 1941 if (p == NULL || p->p_as == &kas) { 1942 mutex_exit(&pidlock); 1943 return; 1944 } 1945 mutex_enter(&p->p_lock); /* so process doesn't go away */ 1946 mutex_exit(&pidlock); 1947 1948 mutex_enter(&p->p_crlock); 1949 crhold(cr = p->p_cred); 1950 mutex_exit(&p->p_crlock); 1951 mutex_exit(&p->p_lock); 1952 1953 ainfo = crgetauinfo(cr); 1954 if (ainfo == NULL) { 1955 crfree(cr); 1956 return; 1957 } 1958 1959 uid = crgetuid(cr); 1960 gid = crgetgid(cr); 1961 ruid = crgetruid(cr); 1962 rgid = crgetrgid(cr); 1963 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 1964 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 1965 crfree(cr); 1966 au_uwrite(au_to_arg32(2, "pgrp", pgrp)); 1967 } 1968 #endif 1969 1970 /*ARGSUSED*/ 1971 static void 1972 aus_setregid(struct t_audit_data *tad) 1973 { 1974 klwp_t *clwp = ttolwp(curthread); 1975 uint32_t rgid, egid; 1976 1977 struct a { 1978 long rgid; 1979 long egid; 1980 } *uap = (struct a *)clwp->lwp_ap; 1981 1982 rgid = (uint32_t)uap->rgid; 1983 egid = (uint32_t)uap->egid; 1984 1985 au_uwrite(au_to_arg32(1, "rgid", rgid)); 1986 au_uwrite(au_to_arg32(2, "egid", egid)); 1987 } 1988 1989 /*ARGSUSED*/ 1990 static void 1991 aus_setgid(struct t_audit_data *tad) 1992 { 1993 klwp_t *clwp = ttolwp(curthread); 1994 uint32_t gid; 1995 1996 struct a { 1997 long gid; 1998 } *uap = (struct a *)clwp->lwp_ap; 1999 2000 gid = (uint32_t)uap->gid; 2001 2002 au_uwrite(au_to_arg32(1, "gid", gid)); 2003 } 2004 2005 2006 /*ARGSUSED*/ 2007 static void 2008 aus_setreuid(struct t_audit_data *tad) 2009 { 2010 klwp_t *clwp = ttolwp(curthread); 2011 uint32_t ruid, euid; 2012 2013 struct a { 2014 long ruid; 2015 long euid; 2016 } *uap = (struct a *)clwp->lwp_ap; 2017 2018 ruid = (uint32_t)uap->ruid; 2019 euid = (uint32_t)uap->euid; 2020 2021 au_uwrite(au_to_arg32(1, "ruid", ruid)); 2022 au_uwrite(au_to_arg32(2, "euid", euid)); 2023 } 2024 2025 2026 /*ARGSUSED*/ 2027 static void 2028 aus_setuid(struct t_audit_data *tad) 2029 { 2030 klwp_t *clwp = ttolwp(curthread); 2031 uint32_t uid; 2032 2033 struct a { 2034 long uid; 2035 } *uap = (struct a *)clwp->lwp_ap; 2036 2037 uid = (uint32_t)uap->uid; 2038 2039 au_uwrite(au_to_arg32(1, "uid", uid)); 2040 } 2041 2042 /*ARGSUSED*/ 2043 static void 2044 aus_shmsys(struct t_audit_data *tad) 2045 { 2046 klwp_t *clwp = ttolwp(curthread); 2047 uint32_t id, cmd; 2048 2049 struct b { 2050 long id; 2051 long cmd; 2052 long buf; /* struct shmid_ds * */ 2053 } *uap1 = (struct b *)&clwp->lwp_ap[1]; 2054 2055 id = (uint32_t)uap1->id; 2056 cmd = (uint32_t)uap1->cmd; 2057 2058 switch (tad->tad_event) { 2059 case AUE_SHMGET: /* shmget */ 2060 au_uwrite(au_to_arg32(1, "shm key", id)); 2061 break; 2062 case AUE_SHMCTL: /* shmctl */ 2063 case AUE_SHMCTL_RMID: /* shmctl */ 2064 case AUE_SHMCTL_STAT: /* shmctl */ 2065 case AUE_SHMCTL_SET: /* shmctl */ 2066 au_uwrite(au_to_arg32(1, "shm ID", id)); 2067 break; 2068 case AUE_SHMDT: /* shmdt */ 2069 au_uwrite(au_to_arg32(1, "shm adr", id)); 2070 break; 2071 case AUE_SHMAT: /* shmat */ 2072 au_uwrite(au_to_arg32(1, "shm ID", id)); 2073 au_uwrite(au_to_arg32(2, "shm adr", cmd)); 2074 break; 2075 } 2076 } 2077 2078 /*ARGSUSED*/ 2079 static void 2080 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval) 2081 { 2082 int id; 2083 2084 if (error != 0) 2085 return; 2086 if (tad->tad_event == AUE_SHMGET) { 2087 uint32_t scid; 2088 uint32_t sy_flags; 2089 2090 /* need to determine type of executing binary */ 2091 scid = tad->tad_scid; 2092 #ifdef _SYSCALL32_IMPL 2093 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 2094 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2095 else 2096 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 2097 #else 2098 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 2099 #endif 2100 if (sy_flags == SE_32RVAL1) 2101 id = rval->r_val1; 2102 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 2103 id = rval->r_val1; 2104 if (sy_flags == SE_64RVAL) 2105 id = (int)rval->r_vals; 2106 au_uwrite(au_to_ipc(AT_IPC_SHM, id)); 2107 } 2108 } 2109 2110 2111 /*ARGSUSED*/ 2112 static void 2113 aus_ioctl(struct t_audit_data *tad) 2114 { 2115 klwp_t *clwp = ttolwp(curthread); 2116 struct file *fp; 2117 struct vnode *vp; 2118 struct f_audit_data *fad; 2119 uint32_t fd, cmd; 2120 uintptr_t cmarg; 2121 2122 /* XX64 */ 2123 struct a { 2124 long fd; 2125 long cmd; 2126 long cmarg; /* caddr_t */ 2127 } *uap = (struct a *)clwp->lwp_ap; 2128 2129 fd = (uint32_t)uap->fd; 2130 cmd = (uint32_t)uap->cmd; 2131 cmarg = (uintptr_t)uap->cmarg; 2132 2133 /* 2134 * convert file pointer to file descriptor 2135 * Note: fd ref count incremented here. 2136 */ 2137 if ((fp = getf(fd)) == NULL) { 2138 au_uwrite(au_to_arg32(1, "fd", fd)); 2139 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2140 #ifndef _LP64 2141 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2142 #else 2143 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2144 #endif 2145 return; 2146 } 2147 2148 /* get path from file struct here */ 2149 fad = F2A(fp); 2150 if (fad->fad_aupath != NULL) { 2151 au_uwrite(au_to_path(fad->fad_aupath)); 2152 } else { 2153 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2154 } 2155 2156 vp = fp->f_vnode; 2157 audit_attributes(vp); 2158 2159 /* decrement file descriptor reference count */ 2160 releasef(fd); 2161 2162 au_uwrite(au_to_arg32(2, "cmd", cmd)); 2163 #ifndef _LP64 2164 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg)); 2165 #else 2166 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg)); 2167 #endif 2168 } 2169 2170 /* 2171 * null function for memcntl for now. We might want to limit memcntl() 2172 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which 2173 * require privileges. 2174 */ 2175 static au_event_t 2176 aui_memcntl(au_event_t e) 2177 { 2178 return (e); 2179 } 2180 2181 /*ARGSUSED*/ 2182 static au_event_t 2183 aui_privsys(au_event_t e) 2184 { 2185 klwp_t *clwp = ttolwp(curthread); 2186 2187 struct a { 2188 long opcode; 2189 } *uap = (struct a *)clwp->lwp_ap; 2190 2191 switch (uap->opcode) { 2192 case PRIVSYS_SETPPRIV: 2193 return (AUE_SETPPRIV); 2194 default: 2195 return (AUE_NULL); 2196 } 2197 } 2198 2199 /*ARGSUSED*/ 2200 static void 2201 aus_memcntl(struct t_audit_data *tad) 2202 { 2203 klwp_t *clwp = ttolwp(curthread); 2204 2205 struct a { 2206 long addr; 2207 long len; 2208 long cmd; 2209 long arg; 2210 long attr; 2211 long mask; 2212 } *uap = (struct a *)clwp->lwp_ap; 2213 2214 #ifdef _LP64 2215 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr)); 2216 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2217 #else 2218 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr)); 2219 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2220 #endif 2221 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd)); 2222 #ifdef _LP64 2223 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg)); 2224 #else 2225 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg)); 2226 #endif 2227 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr)); 2228 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask)); 2229 } 2230 2231 /*ARGSUSED*/ 2232 static void 2233 aus_mmap(struct t_audit_data *tad) 2234 { 2235 klwp_t *clwp = ttolwp(curthread); 2236 struct file *fp; 2237 struct f_audit_data *fad; 2238 struct vnode *vp; 2239 uint32_t fd; 2240 2241 struct a { 2242 long addr; 2243 long len; 2244 long prot; 2245 long flags; 2246 long fd; 2247 long pos; 2248 } *uap = (struct a *)clwp->lwp_ap; 2249 2250 fd = (uint32_t)uap->fd; 2251 2252 #ifdef _LP64 2253 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2254 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2255 #else 2256 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2257 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2258 #endif 2259 2260 if ((fp = getf(fd)) == NULL) { 2261 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd)); 2262 return; 2263 } 2264 2265 /* 2266 * Mark in the tad if write access is NOT requested... if 2267 * this is later detected (in audit_attributes) to be a 2268 * public object, the mmap event may be discarded. 2269 */ 2270 if (((uap->prot) & PROT_WRITE) == 0) { 2271 tad->tad_ctrl |= PAD_PUBLIC_EV; 2272 } 2273 2274 fad = F2A(fp); 2275 if (fad->fad_aupath != NULL) { 2276 au_uwrite(au_to_path(fad->fad_aupath)); 2277 } else { 2278 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 2279 } 2280 2281 vp = (struct vnode *)fp->f_vnode; 2282 audit_attributes(vp); 2283 2284 /* mark READ/WRITE since we can't predict access */ 2285 if (uap->prot & PROT_READ) 2286 fad->fad_flags |= FAD_READ; 2287 if (uap->prot & PROT_WRITE) 2288 fad->fad_flags |= FAD_WRITE; 2289 2290 /* decrement file descriptor reference count */ 2291 releasef(fd); 2292 2293 } /* AUS_MMAP */ 2294 2295 2296 2297 2298 /*ARGSUSED*/ 2299 static void 2300 aus_munmap(struct t_audit_data *tad) 2301 { 2302 klwp_t *clwp = ttolwp(curthread); 2303 2304 struct a { 2305 long addr; 2306 long len; 2307 } *uap = (struct a *)clwp->lwp_ap; 2308 2309 #ifdef _LP64 2310 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr)); 2311 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len)); 2312 #else 2313 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr)); 2314 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len)); 2315 #endif 2316 2317 } /* AUS_MUNMAP */ 2318 2319 2320 2321 2322 2323 2324 2325 /*ARGSUSED*/ 2326 static void 2327 aus_priocntlsys(struct t_audit_data *tad) 2328 { 2329 klwp_t *clwp = ttolwp(curthread); 2330 2331 struct a { 2332 long pc_version; 2333 long psp; /* procset_t */ 2334 long cmd; 2335 long arg; 2336 } *uap = (struct a *)clwp->lwp_ap; 2337 2338 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version)); 2339 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd)); 2340 2341 } /* AUS_PRIOCNTLSYS */ 2342 2343 2344 /*ARGSUSED*/ 2345 static void 2346 aus_setegid(struct t_audit_data *tad) 2347 { 2348 klwp_t *clwp = ttolwp(curthread); 2349 uint32_t gid; 2350 2351 struct a { 2352 long gid; 2353 } *uap = (struct a *)clwp->lwp_ap; 2354 2355 gid = (uint32_t)uap->gid; 2356 2357 au_uwrite(au_to_arg32(1, "gid", gid)); 2358 } /* AUS_SETEGID */ 2359 2360 2361 2362 2363 /*ARGSUSED*/ 2364 static void 2365 aus_setgroups(struct t_audit_data *tad) 2366 { 2367 klwp_t *clwp = ttolwp(curthread); 2368 int i; 2369 int gidsetsize; 2370 uintptr_t gidset; 2371 gid_t *gidlist; 2372 2373 struct a { 2374 long gidsetsize; 2375 long gidset; 2376 } *uap = (struct a *)clwp->lwp_ap; 2377 2378 gidsetsize = (uint_t)uap->gidsetsize; 2379 gidset = (uintptr_t)uap->gidset; 2380 2381 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0)) 2382 return; 2383 if (gidsetsize != 0) { 2384 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t), 2385 KM_SLEEP); 2386 if (copyin((caddr_t)gidset, gidlist, 2387 gidsetsize * sizeof (gid_t)) == 0) 2388 for (i = 0; i < gidsetsize; i++) 2389 au_uwrite(au_to_arg32(1, "setgroups", 2390 (uint32_t)gidlist[i])); 2391 kmem_free(gidlist, gidsetsize * sizeof (gid_t)); 2392 } else 2393 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0)); 2394 2395 } /* AUS_SETGROUPS */ 2396 2397 2398 2399 2400 2401 /*ARGSUSED*/ 2402 static void 2403 aus_seteuid(struct t_audit_data *tad) 2404 { 2405 klwp_t *clwp = ttolwp(curthread); 2406 uint32_t uid; 2407 2408 struct a { 2409 long uid; 2410 } *uap = (struct a *)clwp->lwp_ap; 2411 2412 uid = (uint32_t)uap->uid; 2413 2414 au_uwrite(au_to_arg32(1, "euid", uid)); 2415 2416 } /* AUS_SETEUID */ 2417 2418 /*ARGSUSED*/ 2419 static void 2420 aus_putmsg(struct t_audit_data *tad) 2421 { 2422 klwp_t *clwp = ttolwp(curthread); 2423 uint32_t fd, pri; 2424 struct file *fp; 2425 struct f_audit_data *fad; 2426 2427 struct a { 2428 long fdes; 2429 long ctl; /* struct strbuf * */ 2430 long data; /* struct strbuf * */ 2431 long pri; 2432 } *uap = (struct a *)clwp->lwp_ap; 2433 2434 fd = (uint32_t)uap->fdes; 2435 pri = (uint32_t)uap->pri; 2436 2437 au_uwrite(au_to_arg32(1, "fd", fd)); 2438 2439 if ((fp = getf(fd)) != NULL) { 2440 fad = F2A(fp); 2441 2442 fad->fad_flags |= FAD_WRITE; 2443 2444 /* add path name to audit record */ 2445 if (fad->fad_aupath != NULL) { 2446 au_uwrite(au_to_path(fad->fad_aupath)); 2447 } 2448 audit_attributes(fp->f_vnode); 2449 2450 releasef(fd); 2451 } 2452 2453 au_uwrite(au_to_arg32(4, "pri", pri)); 2454 } 2455 2456 /*ARGSUSED*/ 2457 static void 2458 aus_putpmsg(struct t_audit_data *tad) 2459 { 2460 klwp_t *clwp = ttolwp(curthread); 2461 uint32_t fd, pri, flags; 2462 struct file *fp; 2463 struct f_audit_data *fad; 2464 2465 struct a { 2466 long fdes; 2467 long ctl; /* struct strbuf * */ 2468 long data; /* struct strbuf * */ 2469 long pri; 2470 long flags; 2471 } *uap = (struct a *)clwp->lwp_ap; 2472 2473 fd = (uint32_t)uap->fdes; 2474 pri = (uint32_t)uap->pri; 2475 flags = (uint32_t)uap->flags; 2476 2477 au_uwrite(au_to_arg32(1, "fd", fd)); 2478 2479 if ((fp = getf(fd)) != NULL) { 2480 fad = F2A(fp); 2481 2482 fad->fad_flags |= FAD_WRITE; 2483 2484 /* add path name to audit record */ 2485 if (fad->fad_aupath != NULL) { 2486 au_uwrite(au_to_path(fad->fad_aupath)); 2487 } 2488 audit_attributes(fp->f_vnode); 2489 2490 releasef(fd); 2491 } 2492 2493 2494 au_uwrite(au_to_arg32(4, "pri", pri)); 2495 au_uwrite(au_to_arg32(5, "flags", flags)); 2496 } 2497 2498 /*ARGSUSED*/ 2499 static void 2500 aus_getmsg(struct t_audit_data *tad) 2501 { 2502 klwp_t *clwp = ttolwp(curthread); 2503 uint32_t fd, pri; 2504 struct file *fp; 2505 struct f_audit_data *fad; 2506 2507 struct a { 2508 long fdes; 2509 long ctl; /* struct strbuf * */ 2510 long data; /* struct strbuf * */ 2511 long pri; 2512 } *uap = (struct a *)clwp->lwp_ap; 2513 2514 fd = (uint32_t)uap->fdes; 2515 pri = (uint32_t)uap->pri; 2516 2517 au_uwrite(au_to_arg32(1, "fd", fd)); 2518 2519 if ((fp = getf(fd)) != NULL) { 2520 fad = F2A(fp); 2521 2522 /* 2523 * read operation on this object 2524 */ 2525 fad->fad_flags |= FAD_READ; 2526 2527 /* add path name to audit record */ 2528 if (fad->fad_aupath != NULL) { 2529 au_uwrite(au_to_path(fad->fad_aupath)); 2530 } 2531 audit_attributes(fp->f_vnode); 2532 2533 releasef(fd); 2534 } 2535 2536 au_uwrite(au_to_arg32(4, "pri", pri)); 2537 } 2538 2539 /*ARGSUSED*/ 2540 static void 2541 aus_getpmsg(struct t_audit_data *tad) 2542 { 2543 klwp_t *clwp = ttolwp(curthread); 2544 uint32_t fd; 2545 struct file *fp; 2546 struct f_audit_data *fad; 2547 2548 struct a { 2549 long fdes; 2550 long ctl; /* struct strbuf * */ 2551 long data; /* struct strbuf * */ 2552 long pri; 2553 long flags; 2554 } *uap = (struct a *)clwp->lwp_ap; 2555 2556 fd = (uint32_t)uap->fdes; 2557 2558 au_uwrite(au_to_arg32(1, "fd", fd)); 2559 2560 if ((fp = getf(fd)) != NULL) { 2561 fad = F2A(fp); 2562 2563 /* 2564 * read operation on this object 2565 */ 2566 fad->fad_flags |= FAD_READ; 2567 2568 /* add path name to audit record */ 2569 if (fad->fad_aupath != NULL) { 2570 au_uwrite(au_to_path(fad->fad_aupath)); 2571 } 2572 audit_attributes(fp->f_vnode); 2573 2574 releasef(fd); 2575 } 2576 } 2577 2578 static au_event_t 2579 aui_labelsys(au_event_t e) 2580 { 2581 klwp_t *clwp = ttolwp(curthread); 2582 uint32_t code; 2583 uint32_t cmd; 2584 2585 struct a { 2586 long code; 2587 long cmd; 2588 } *uap = (struct a *)clwp->lwp_ap; 2589 2590 code = (uint32_t)uap->code; 2591 cmd = (uint32_t)uap->cmd; 2592 2593 /* not security relevant if not changing kernel cache */ 2594 if (cmd == TNDB_GET) 2595 return (AUE_NULL); 2596 2597 switch (code) { 2598 case TSOL_TNRH: 2599 e = AUE_LABELSYS_TNRH; 2600 break; 2601 case TSOL_TNRHTP: 2602 e = AUE_LABELSYS_TNRHTP; 2603 break; 2604 case TSOL_TNMLP: 2605 e = AUE_LABELSYS_TNMLP; 2606 break; 2607 default: 2608 e = AUE_NULL; 2609 break; 2610 } 2611 2612 return (e); 2613 2614 } 2615 2616 static void 2617 aus_labelsys(struct t_audit_data *tad) 2618 { 2619 klwp_t *clwp = ttolwp(curthread); 2620 uint32_t cmd; 2621 uintptr_t a2; 2622 2623 struct a { 2624 long code; 2625 long cmd; 2626 long a2; 2627 } *uap = (struct a *)clwp->lwp_ap; 2628 2629 cmd = (uint32_t)uap->cmd; 2630 a2 = (uintptr_t)uap->a2; 2631 2632 switch (tad->tad_event) { 2633 case AUE_LABELSYS_TNRH: 2634 { 2635 tsol_rhent_t *rhent; 2636 tnaddr_t *rh_addr; 2637 2638 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2639 2640 /* Remaining args don't apply for FLUSH, so skip */ 2641 if (cmd == TNDB_FLUSH) 2642 break; 2643 2644 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP); 2645 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) { 2646 kmem_free(rhent, sizeof (tsol_rhent_t)); 2647 return; 2648 } 2649 2650 rh_addr = &rhent->rh_address; 2651 if (rh_addr->ta_family == AF_INET) { 2652 struct in_addr *ipaddr; 2653 2654 ipaddr = &(rh_addr->ta_addr_v4); 2655 au_uwrite(au_to_in_addr(ipaddr)); 2656 } else if (rh_addr->ta_family == AF_INET6) { 2657 int32_t *ipaddr; 2658 2659 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6); 2660 au_uwrite(au_to_in_addr_ex(ipaddr)); 2661 } 2662 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix)); 2663 2664 kmem_free(rhent, sizeof (tsol_rhent_t)); 2665 2666 break; 2667 } 2668 case AUE_LABELSYS_TNRHTP: 2669 { 2670 tsol_tpent_t *tpent; 2671 2672 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2673 2674 /* Remaining args don't apply for FLUSH, so skip */ 2675 if (cmd == TNDB_FLUSH) 2676 break; 2677 2678 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP); 2679 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) { 2680 kmem_free(tpent, sizeof (tsol_tpent_t)); 2681 return; 2682 } 2683 2684 /* Make sure that the template name is null-terminated. */ 2685 *(tpent->name + TNTNAMSIZ - 1) = '\0'; 2686 2687 au_uwrite(au_to_text(tpent->name)); 2688 kmem_free(tpent, sizeof (tsol_tpent_t)); 2689 2690 break; 2691 } 2692 case AUE_LABELSYS_TNMLP: 2693 { 2694 tsol_mlpent_t *mlpent; 2695 2696 au_uwrite(au_to_arg32(1, "cmd", cmd)); 2697 2698 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP); 2699 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) { 2700 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2701 return; 2702 } 2703 2704 if (mlpent->tsme_flags & TSOL_MEF_SHARED) { 2705 au_uwrite(au_to_text("shared")); 2706 } else { 2707 zone_t *zone; 2708 2709 zone = zone_find_by_id(mlpent->tsme_zoneid); 2710 if (zone != NULL) { 2711 au_uwrite(au_to_text(zone->zone_name)); 2712 zone_rele(zone); 2713 } 2714 } 2715 2716 /* Remaining args don't apply for FLUSH, so skip */ 2717 if (cmd == TNDB_FLUSH) { 2718 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2719 break; 2720 } 2721 2722 au_uwrite(au_to_arg32(2, "proto num", 2723 (uint32_t)mlpent->tsme_mlp.mlp_ipp)); 2724 au_uwrite(au_to_arg32(2, "mlp_port", 2725 (uint32_t)mlpent->tsme_mlp.mlp_port)); 2726 2727 if (mlpent->tsme_mlp.mlp_port_upper != 0) 2728 au_uwrite(au_to_arg32(2, "mlp_port_upper", 2729 (uint32_t)mlpent->tsme_mlp.mlp_port_upper)); 2730 2731 kmem_free(mlpent, sizeof (tsol_mlpent_t)); 2732 2733 break; 2734 } 2735 default: 2736 break; 2737 } 2738 } 2739 2740 2741 static au_event_t 2742 aui_auditsys(au_event_t e) 2743 { 2744 klwp_t *clwp = ttolwp(curthread); 2745 uint32_t code; 2746 2747 struct a { 2748 long code; 2749 long a1; 2750 long a2; 2751 long a3; 2752 long a4; 2753 long a5; 2754 long a6; 2755 long a7; 2756 } *uap = (struct a *)clwp->lwp_ap; 2757 2758 code = (uint32_t)uap->code; 2759 2760 switch (code) { 2761 2762 case BSM_GETAUID: 2763 e = AUE_GETAUID; 2764 break; 2765 case BSM_SETAUID: 2766 e = AUE_SETAUID; 2767 break; 2768 case BSM_GETAUDIT: 2769 e = AUE_GETAUDIT; 2770 break; 2771 case BSM_GETAUDIT_ADDR: 2772 e = AUE_GETAUDIT_ADDR; 2773 break; 2774 case BSM_SETAUDIT: 2775 e = AUE_SETAUDIT; 2776 break; 2777 case BSM_SETAUDIT_ADDR: 2778 e = AUE_SETAUDIT_ADDR; 2779 break; 2780 case BSM_AUDIT: 2781 e = AUE_AUDIT; 2782 break; 2783 case BSM_AUDITON: 2784 case BSM_AUDITCTL: 2785 2786 switch ((uint_t)uap->a1) { 2787 2788 case A_GETPOLICY: 2789 e = AUE_AUDITON_GPOLICY; 2790 break; 2791 case A_SETPOLICY: 2792 e = AUE_AUDITON_SPOLICY; 2793 break; 2794 case A_GETKMASK: 2795 e = AUE_AUDITON_GETKMASK; 2796 break; 2797 case A_SETKMASK: 2798 e = AUE_AUDITON_SETKMASK; 2799 break; 2800 case A_GETQCTRL: 2801 e = AUE_AUDITON_GQCTRL; 2802 break; 2803 case A_SETQCTRL: 2804 e = AUE_AUDITON_SQCTRL; 2805 break; 2806 case A_GETCWD: 2807 e = AUE_AUDITON_GETCWD; 2808 break; 2809 case A_GETCAR: 2810 e = AUE_AUDITON_GETCAR; 2811 break; 2812 case A_GETSTAT: 2813 e = AUE_AUDITON_GETSTAT; 2814 break; 2815 case A_SETSTAT: 2816 e = AUE_AUDITON_SETSTAT; 2817 break; 2818 case A_SETUMASK: 2819 e = AUE_AUDITON_SETUMASK; 2820 break; 2821 case A_SETSMASK: 2822 e = AUE_AUDITON_SETSMASK; 2823 break; 2824 case A_GETCOND: 2825 e = AUE_AUDITON_GETCOND; 2826 break; 2827 case A_SETCOND: 2828 e = AUE_AUDITON_SETCOND; 2829 break; 2830 case A_GETCLASS: 2831 e = AUE_AUDITON_GETCLASS; 2832 break; 2833 case A_SETCLASS: 2834 e = AUE_AUDITON_SETCLASS; 2835 break; 2836 default: 2837 e = AUE_NULL; 2838 break; 2839 } 2840 break; 2841 default: 2842 e = AUE_NULL; 2843 break; 2844 } 2845 2846 return (e); 2847 2848 } /* AUI_AUDITSYS */ 2849 2850 2851 static void 2852 aus_auditsys(struct t_audit_data *tad) 2853 { 2854 klwp_t *clwp = ttolwp(curthread); 2855 uintptr_t a1, a2; 2856 STRUCT_DECL(auditinfo, ainfo); 2857 STRUCT_DECL(auditinfo_addr, ainfo_addr); 2858 au_evclass_map_t event; 2859 au_mask_t mask; 2860 int auditstate, policy; 2861 au_id_t auid; 2862 2863 2864 struct a { 2865 long code; 2866 long a1; 2867 long a2; 2868 long a3; 2869 long a4; 2870 long a5; 2871 long a6; 2872 long a7; 2873 } *uap = (struct a *)clwp->lwp_ap; 2874 2875 a1 = (uintptr_t)uap->a1; 2876 a2 = (uintptr_t)uap->a2; 2877 2878 switch (tad->tad_event) { 2879 case AUE_SETAUID: 2880 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t))) 2881 return; 2882 au_uwrite(au_to_arg32(2, "setauid", auid)); 2883 break; 2884 case AUE_SETAUDIT: 2885 STRUCT_INIT(ainfo, get_udatamodel()); 2886 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo), 2887 STRUCT_SIZE(ainfo))) { 2888 return; 2889 } 2890 au_uwrite(au_to_arg32((char)1, "setaudit:auid", 2891 (uint32_t)STRUCT_FGET(ainfo, ai_auid))); 2892 #ifdef _LP64 2893 au_uwrite(au_to_arg64((char)1, "setaudit:port", 2894 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port))); 2895 #else 2896 au_uwrite(au_to_arg32((char)1, "setaudit:port", 2897 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port))); 2898 #endif 2899 au_uwrite(au_to_arg32((char)1, "setaudit:machine", 2900 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine))); 2901 au_uwrite(au_to_arg32((char)1, "setaudit:as_success", 2902 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 2903 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure", 2904 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 2905 au_uwrite(au_to_arg32((char)1, "setaudit:asid", 2906 (uint32_t)STRUCT_FGET(ainfo, ai_asid))); 2907 break; 2908 case AUE_SETAUDIT_ADDR: 2909 STRUCT_INIT(ainfo_addr, get_udatamodel()); 2910 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr), 2911 STRUCT_SIZE(ainfo_addr))) { 2912 return; 2913 } 2914 au_uwrite(au_to_arg32((char)1, "auid", 2915 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid))); 2916 #ifdef _LP64 2917 au_uwrite(au_to_arg64((char)1, "port", 2918 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2919 #else 2920 au_uwrite(au_to_arg32((char)1, "port", 2921 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port))); 2922 #endif 2923 au_uwrite(au_to_arg32((char)1, "type", 2924 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type))); 2925 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) == 2926 AU_IPv4) { 2927 au_uwrite(au_to_in_addr( 2928 (struct in_addr *)STRUCT_FGETP(ainfo_addr, 2929 ai_termid.at_addr))); 2930 } else { 2931 au_uwrite(au_to_in_addr_ex( 2932 (int32_t *)STRUCT_FGETP(ainfo_addr, 2933 ai_termid.at_addr))); 2934 } 2935 au_uwrite(au_to_arg32((char)1, "as_success", 2936 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success))); 2937 au_uwrite(au_to_arg32((char)1, "as_failure", 2938 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure))); 2939 au_uwrite(au_to_arg32((char)1, "asid", 2940 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid))); 2941 break; 2942 case AUE_AUDITON_SETKMASK: 2943 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t))) 2944 return; 2945 au_uwrite(au_to_arg32( 2946 2, "setkmask:as_success", (uint32_t)mask.as_success)); 2947 au_uwrite(au_to_arg32( 2948 2, "setkmask:as_failure", (uint32_t)mask.as_failure)); 2949 break; 2950 case AUE_AUDITON_SPOLICY: 2951 if (copyin((caddr_t)a2, &policy, sizeof (int))) 2952 return; 2953 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy)); 2954 break; 2955 case AUE_AUDITON_SQCTRL: { 2956 STRUCT_DECL(au_qctrl, qctrl); 2957 model_t model; 2958 2959 model = get_udatamodel(); 2960 STRUCT_INIT(qctrl, model); 2961 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl))) 2962 return; 2963 if (model == DATAMODEL_ILP32) { 2964 au_uwrite(au_to_arg32( 2965 3, "setqctrl:aq_hiwater", 2966 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater))); 2967 au_uwrite(au_to_arg32( 2968 3, "setqctrl:aq_lowater", 2969 (uint32_t)STRUCT_FGET(qctrl, aq_lowater))); 2970 au_uwrite(au_to_arg32( 2971 3, "setqctrl:aq_bufsz", 2972 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz))); 2973 au_uwrite(au_to_arg32( 2974 3, "setqctrl:aq_delay", 2975 (uint32_t)STRUCT_FGET(qctrl, aq_delay))); 2976 } else { 2977 au_uwrite(au_to_arg64( 2978 3, "setqctrl:aq_hiwater", 2979 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater))); 2980 au_uwrite(au_to_arg64( 2981 3, "setqctrl:aq_lowater", 2982 (uint64_t)STRUCT_FGET(qctrl, aq_lowater))); 2983 au_uwrite(au_to_arg64( 2984 3, "setqctrl:aq_bufsz", 2985 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz))); 2986 au_uwrite(au_to_arg64( 2987 3, "setqctrl:aq_delay", 2988 (uint64_t)STRUCT_FGET(qctrl, aq_delay))); 2989 } 2990 break; 2991 } 2992 case AUE_AUDITON_SETUMASK: 2993 STRUCT_INIT(ainfo, get_udatamodel()); 2994 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 2995 STRUCT_SIZE(ainfo))) { 2996 return; 2997 } 2998 au_uwrite(au_to_arg32(3, "setumask:as_success", 2999 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3000 au_uwrite(au_to_arg32(3, "setumask:as_failure", 3001 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3002 break; 3003 case AUE_AUDITON_SETSMASK: 3004 STRUCT_INIT(ainfo, get_udatamodel()); 3005 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo), 3006 STRUCT_SIZE(ainfo))) { 3007 return; 3008 } 3009 au_uwrite(au_to_arg32(3, "setsmask:as_success", 3010 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success))); 3011 au_uwrite(au_to_arg32(3, "setsmask:as_failure", 3012 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure))); 3013 break; 3014 case AUE_AUDITON_SETCOND: 3015 if (copyin((caddr_t)a2, &auditstate, sizeof (int))) 3016 return; 3017 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate)); 3018 break; 3019 case AUE_AUDITON_SETCLASS: 3020 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t))) 3021 return; 3022 au_uwrite(au_to_arg32( 3023 2, "setclass:ec_event", (uint32_t)event.ec_number)); 3024 au_uwrite(au_to_arg32( 3025 3, "setclass:ec_class", (uint32_t)event.ec_class)); 3026 break; 3027 case AUE_GETAUID: 3028 case AUE_GETAUDIT: 3029 case AUE_GETAUDIT_ADDR: 3030 case AUE_AUDIT: 3031 case AUE_AUDITON_GPOLICY: 3032 case AUE_AUDITON_GQCTRL: 3033 case AUE_AUDITON_GETKMASK: 3034 case AUE_AUDITON_GETCWD: 3035 case AUE_AUDITON_GETCAR: 3036 case AUE_AUDITON_GETSTAT: 3037 case AUE_AUDITON_SETSTAT: 3038 case AUE_AUDITON_GETCOND: 3039 case AUE_AUDITON_GETCLASS: 3040 break; 3041 default: 3042 break; 3043 } 3044 3045 } /* AUS_AUDITSYS */ 3046 3047 3048 /* only audit privileged operations for systeminfo(2) system call */ 3049 static au_event_t 3050 aui_sysinfo(au_event_t e) 3051 { 3052 klwp_t *clwp = ttolwp(curthread); 3053 uint32_t command; 3054 3055 struct a { 3056 long command; 3057 long buf; /* char * */ 3058 long count; 3059 } *uap = (struct a *)clwp->lwp_ap; 3060 3061 command = (uint32_t)uap->command; 3062 3063 switch (command) { 3064 case SI_SET_HOSTNAME: 3065 case SI_SET_SRPC_DOMAIN: 3066 e = (au_event_t)AUE_SYSINFO; 3067 break; 3068 default: 3069 e = (au_event_t)AUE_NULL; 3070 break; 3071 } 3072 return (e); 3073 } 3074 3075 /*ARGSUSED*/ 3076 static void 3077 aus_sysinfo(struct t_audit_data *tad) 3078 { 3079 klwp_t *clwp = ttolwp(curthread); 3080 uint32_t command; 3081 size_t len, maxlen; 3082 char *name; 3083 uintptr_t buf; 3084 3085 struct a { 3086 long command; 3087 long buf; /* char * */ 3088 long count; 3089 } *uap = (struct a *)clwp->lwp_ap; 3090 3091 command = (uint32_t)uap->command; 3092 buf = (uintptr_t)uap->buf; 3093 3094 au_uwrite(au_to_arg32(1, "cmd", command)); 3095 3096 switch (command) { 3097 case SI_SET_HOSTNAME: 3098 { 3099 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3100 return; 3101 3102 maxlen = SYS_NMLN; 3103 name = kmem_alloc(maxlen, KM_SLEEP); 3104 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3105 break; 3106 3107 /* 3108 * Must be non-NULL string and string 3109 * must be less than SYS_NMLN chars. 3110 */ 3111 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')) 3112 break; 3113 3114 au_uwrite(au_to_text(name)); 3115 break; 3116 } 3117 3118 case SI_SET_SRPC_DOMAIN: 3119 { 3120 if (secpolicy_sys_config(CRED(), B_TRUE) != 0) 3121 return; 3122 3123 maxlen = SYS_NMLN; 3124 name = kmem_alloc(maxlen, KM_SLEEP); 3125 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len)) 3126 break; 3127 3128 /* 3129 * If string passed in is longer than length 3130 * allowed for domain name, fail. 3131 */ 3132 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0') 3133 break; 3134 3135 au_uwrite(au_to_text(name)); 3136 break; 3137 } 3138 3139 default: 3140 return; 3141 } 3142 3143 kmem_free(name, maxlen); 3144 } 3145 3146 static au_event_t 3147 aui_modctl(au_event_t e) 3148 { 3149 klwp_t *clwp = ttolwp(curthread); 3150 uint_t cmd; 3151 3152 struct a { 3153 long cmd; 3154 } *uap = (struct a *)clwp->lwp_ap; 3155 3156 cmd = (uint_t)uap->cmd; 3157 3158 switch (cmd) { 3159 case MODLOAD: 3160 e = AUE_MODLOAD; 3161 break; 3162 case MODUNLOAD: 3163 e = AUE_MODUNLOAD; 3164 break; 3165 case MODADDMAJBIND: 3166 e = AUE_MODADDMAJ; 3167 break; 3168 case MODSETDEVPOLICY: 3169 e = AUE_MODDEVPLCY; 3170 break; 3171 case MODALLOCPRIV: 3172 e = AUE_MODADDPRIV; 3173 break; 3174 default: 3175 e = AUE_NULL; 3176 break; 3177 } 3178 return (e); 3179 } 3180 3181 3182 /*ARGSUSED*/ 3183 static void 3184 aus_modctl(struct t_audit_data *tad) 3185 { 3186 klwp_t *clwp = ttolwp(curthread); 3187 void *a = clwp->lwp_ap; 3188 uint_t use_path; 3189 3190 switch (tad->tad_event) { 3191 case AUE_MODLOAD: { 3192 typedef struct { 3193 long cmd; 3194 long use_path; 3195 long filename; /* char * */ 3196 } modloada_t; 3197 3198 char *filenamep; 3199 uintptr_t fname; 3200 extern char *default_path; 3201 3202 fname = (uintptr_t)((modloada_t *)a)->filename; 3203 use_path = (uint_t)((modloada_t *)a)->use_path; 3204 3205 /* space to hold path */ 3206 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP); 3207 /* get string */ 3208 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) { 3209 /* free allocated path */ 3210 kmem_free(filenamep, MOD_MAXPATH); 3211 return; 3212 } 3213 /* ensure it's null terminated */ 3214 filenamep[MOD_MAXPATH - 1] = 0; 3215 3216 if (use_path) 3217 au_uwrite(au_to_text(default_path)); 3218 au_uwrite(au_to_text(filenamep)); 3219 3220 /* release temporary memory */ 3221 kmem_free(filenamep, MOD_MAXPATH); 3222 break; 3223 } 3224 case AUE_MODUNLOAD: { 3225 typedef struct { 3226 long cmd; 3227 long id; 3228 } modunloada_t; 3229 3230 uint32_t id = (uint32_t)((modunloada_t *)a)->id; 3231 3232 au_uwrite(au_to_arg32(1, "id", id)); 3233 break; 3234 } 3235 case AUE_MODADDMAJ: { 3236 STRUCT_DECL(modconfig, mc); 3237 typedef struct { 3238 long cmd; 3239 long subcmd; 3240 long data; /* int * */ 3241 } modconfiga_t; 3242 3243 STRUCT_DECL(aliases, alias); 3244 caddr_t ap; 3245 int i, num_aliases; 3246 char *drvname, *mc_drvname; 3247 char *name; 3248 extern char *ddi_major_to_name(major_t); 3249 model_t model; 3250 3251 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data; 3252 3253 model = get_udatamodel(); 3254 STRUCT_INIT(mc, model); 3255 /* sanitize buffer */ 3256 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc)); 3257 /* get user arguments */ 3258 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc), 3259 STRUCT_SIZE(mc)) != 0) 3260 return; 3261 3262 mc_drvname = STRUCT_FGET(mc, drvname); 3263 if ((drvname = ddi_major_to_name( 3264 (major_t)STRUCT_FGET(mc, major))) != NULL && 3265 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) { 3266 /* safety */ 3267 if (mc_drvname[0] != '\0') { 3268 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3269 au_uwrite(au_to_text(mc_drvname)); 3270 } 3271 /* drvname != NULL from test above */ 3272 au_uwrite(au_to_text(drvname)); 3273 return; 3274 } 3275 3276 if (mc_drvname[0] != '\0') { 3277 /* safety */ 3278 mc_drvname[MAXMODCONFNAME-1] = '\0'; 3279 au_uwrite(au_to_text(mc_drvname)); 3280 } else 3281 au_uwrite(au_to_text("no drvname")); 3282 3283 num_aliases = STRUCT_FGET(mc, num_aliases); 3284 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases)); 3285 ap = (caddr_t)STRUCT_FGETP(mc, ap); 3286 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP); 3287 STRUCT_INIT(alias, model); 3288 for (i = 0; i < num_aliases; i++) { 3289 bzero((caddr_t)STRUCT_BUF(alias), 3290 STRUCT_SIZE(alias)); 3291 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias), 3292 STRUCT_SIZE(alias)) != 0) 3293 break; 3294 if (copyinstr(STRUCT_FGETP(alias, a_name), name, 3295 MAXMODCONFNAME, NULL) != 0) { 3296 break; 3297 } 3298 3299 au_uwrite(au_to_text(name)); 3300 ap = (caddr_t)STRUCT_FGETP(alias, a_next); 3301 } 3302 kmem_free(name, MAXMODCONFNAME); 3303 break; 3304 } 3305 default: 3306 break; 3307 } 3308 } 3309 3310 3311 /*ARGSUSED*/ 3312 static void 3313 auf_accept( 3314 struct t_audit_data *tad, 3315 int error, 3316 rval_t *rval) 3317 { 3318 uint32_t scid; 3319 uint32_t sy_flags; 3320 int fd; 3321 struct sonode *so; 3322 char so_laddr[sizeof (struct sockaddr_in6)]; 3323 char so_faddr[sizeof (struct sockaddr_in6)]; 3324 int err; 3325 short so_family, so_type; 3326 int add_sock_token = 0; 3327 3328 /* need to determine type of executing binary */ 3329 scid = tad->tad_scid; 3330 #ifdef _SYSCALL32_IMPL 3331 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE) 3332 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3333 else 3334 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK; 3335 #else 3336 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK; 3337 #endif 3338 if (sy_flags == SE_32RVAL1) 3339 fd = rval->r_val1; 3340 if (sy_flags == (SE_32RVAL2|SE_32RVAL1)) 3341 fd = rval->r_val1; 3342 if (sy_flags == SE_64RVAL) 3343 fd = (int)rval->r_vals; 3344 3345 if (error) { 3346 /* can't trust socket contents. Just return */ 3347 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3348 return; 3349 } 3350 3351 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3352 /* 3353 * not security relevant if doing a accept from non socket 3354 * so no extra tokens. Should probably turn off audit record 3355 * generation here. 3356 */ 3357 return; 3358 } 3359 3360 so_family = so->so_family; 3361 so_type = so->so_type; 3362 3363 switch (so_family) { 3364 case AF_INET: 3365 case AF_INET6: 3366 /* 3367 * XXX - what about other socket types for AF_INET (e.g. DGRAM) 3368 */ 3369 if (so->so_type == SOCK_STREAM) { 3370 socklen_t len; 3371 3372 bzero((void *)so_laddr, sizeof (so_laddr)); 3373 bzero((void *)so_faddr, sizeof (so_faddr)); 3374 3375 len = sizeof (so_laddr); 3376 (void) socket_getsockname(so, 3377 (struct sockaddr *)so_laddr, &len, CRED()); 3378 len = sizeof (so_faddr); 3379 (void) socket_getpeername(so, 3380 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3381 3382 add_sock_token = 1; 3383 } 3384 break; 3385 3386 default: 3387 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */ 3388 break; 3389 } 3390 3391 releasef(fd); 3392 3393 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3394 3395 if (add_sock_token == 0) { 3396 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family))); 3397 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type))); 3398 return; 3399 } 3400 3401 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3402 3403 } 3404 3405 /*ARGSUSED*/ 3406 static void 3407 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp) 3408 { 3409 struct a { 3410 long fd; 3411 long addr; 3412 long len; 3413 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3414 3415 struct sonode *so; 3416 char so_laddr[sizeof (struct sockaddr_in6)]; 3417 char so_faddr[sizeof (struct sockaddr_in6)]; 3418 int err, fd; 3419 socklen_t len; 3420 short so_family, so_type; 3421 int add_sock_token = 0; 3422 3423 fd = (int)uap->fd; 3424 3425 /* 3426 * bind failed, then nothing extra to add to audit record. 3427 */ 3428 if (error) { 3429 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3430 /* XXX may want to add failed address some day */ 3431 return; 3432 } 3433 3434 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3435 /* 3436 * not security relevant if doing a bind from non socket 3437 * so no extra tokens. Should probably turn off audit record 3438 * generation here. 3439 */ 3440 return; 3441 } 3442 3443 so_family = so->so_family; 3444 so_type = so->so_type; 3445 3446 switch (so_family) { 3447 case AF_INET: 3448 case AF_INET6: 3449 3450 bzero(so_faddr, sizeof (so_faddr)); 3451 len = sizeof (so_faddr); 3452 3453 (void) socket_getpeername(so, 3454 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3455 add_sock_token = 1; 3456 3457 break; 3458 3459 case AF_UNIX: 3460 /* token added by lookup */ 3461 break; 3462 default: 3463 /* AF_ROUTE, AF_KEY do not support accept */ 3464 break; 3465 } 3466 3467 releasef(fd); 3468 3469 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3470 3471 if (add_sock_token == 0) { 3472 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3473 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3474 return; 3475 } 3476 3477 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3478 3479 } 3480 3481 /*ARGSUSED*/ 3482 static void 3483 auf_connect(struct t_audit_data *tad, int error, rval_t *rval) 3484 { 3485 struct a { 3486 long fd; 3487 long addr; 3488 long len; 3489 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3490 3491 struct sonode *so; 3492 char so_laddr[sizeof (struct sockaddr_in6)]; 3493 char so_faddr[sizeof (struct sockaddr_in6)]; 3494 int err, fd; 3495 socklen_t len; 3496 short so_family, so_type; 3497 int add_sock_token = 0; 3498 3499 fd = (int)uap->fd; 3500 3501 3502 if ((so = getsonode(fd, &err, NULL)) == NULL) { 3503 /* 3504 * not security relevant if doing a connect from non socket 3505 * so no extra tokens. Should probably turn off audit record 3506 * generation here. 3507 */ 3508 return; 3509 } 3510 3511 so_family = so->so_family; 3512 so_type = so->so_type; 3513 3514 switch (so_family) { 3515 case AF_INET: 3516 case AF_INET6: 3517 3518 bzero(so_laddr, sizeof (so_laddr)); 3519 bzero(so_faddr, sizeof (so_faddr)); 3520 3521 len = sizeof (so_laddr); 3522 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3523 &len, CRED()); 3524 if (error) { 3525 if (uap->addr == NULL) 3526 break; 3527 if (uap->len <= 0) 3528 break; 3529 len = min(uap->len, sizeof (so_faddr)); 3530 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0) 3531 break; 3532 #ifdef NOTYET 3533 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr)); 3534 #endif 3535 } else { 3536 /* sanity check on length */ 3537 len = sizeof (so_faddr); 3538 (void) socket_getpeername(so, 3539 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3540 } 3541 3542 add_sock_token = 1; 3543 3544 break; 3545 3546 case AF_UNIX: 3547 /* does a lookup on name */ 3548 break; 3549 3550 default: 3551 /* AF_ROUTE, AF_KEY do not support accept */ 3552 break; 3553 } 3554 3555 releasef(fd); 3556 3557 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3558 3559 if (add_sock_token == 0) { 3560 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3561 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3562 return; 3563 } 3564 3565 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3566 3567 } 3568 3569 /*ARGSUSED*/ 3570 static void 3571 aus_shutdown(struct t_audit_data *tad) 3572 { 3573 struct a { 3574 long fd; 3575 long how; 3576 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3577 3578 struct sonode *so; 3579 char so_laddr[sizeof (struct sockaddr_in6)]; 3580 char so_faddr[sizeof (struct sockaddr_in6)]; 3581 int err, fd; 3582 socklen_t len; 3583 short so_family, so_type; 3584 int add_sock_token = 0; 3585 file_t *fp; /* unix domain sockets */ 3586 struct f_audit_data *fad; /* unix domain sockets */ 3587 3588 fd = (int)uap->fd; 3589 3590 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3591 /* 3592 * not security relevant if doing a shutdown using non socket 3593 * so no extra tokens. Should probably turn off audit record 3594 * generation here. 3595 */ 3596 return; 3597 } 3598 3599 so_family = so->so_family; 3600 so_type = so->so_type; 3601 3602 switch (so_family) { 3603 case AF_INET: 3604 case AF_INET6: 3605 3606 bzero(so_laddr, sizeof (so_laddr)); 3607 bzero(so_faddr, sizeof (so_faddr)); 3608 3609 len = sizeof (so_laddr); 3610 (void) socket_getsockname(so, 3611 (struct sockaddr *)so_laddr, &len, CRED()); 3612 len = sizeof (so_faddr); 3613 (void) socket_getpeername(so, 3614 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3615 3616 add_sock_token = 1; 3617 3618 break; 3619 3620 case AF_UNIX: 3621 3622 /* get path from file struct here */ 3623 fad = F2A(fp); 3624 ASSERT(fad); 3625 3626 if (fad->fad_aupath != NULL) { 3627 au_uwrite(au_to_path(fad->fad_aupath)); 3628 } else { 3629 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3630 } 3631 3632 audit_attributes(fp->f_vnode); 3633 3634 break; 3635 3636 default: 3637 /* 3638 * AF_KEY and AF_ROUTE support shutdown. No socket token 3639 * added. 3640 */ 3641 break; 3642 } 3643 3644 releasef(fd); 3645 3646 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3647 3648 if (add_sock_token == 0) { 3649 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3650 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3651 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3652 return; 3653 } 3654 3655 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how))); 3656 3657 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3658 3659 } 3660 3661 /*ARGSUSED*/ 3662 static void 3663 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval) 3664 { 3665 struct a { 3666 long fd; 3667 long level; 3668 long optname; 3669 long *optval; 3670 long optlen; 3671 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3672 3673 struct sonode *so; 3674 char so_laddr[sizeof (struct sockaddr_in6)]; 3675 char so_faddr[sizeof (struct sockaddr_in6)]; 3676 char val[AU_BUFSIZE]; 3677 int err, fd; 3678 socklen_t len; 3679 short so_family, so_type; 3680 int add_sock_token = 0; 3681 file_t *fp; /* unix domain sockets */ 3682 struct f_audit_data *fad; /* unix domain sockets */ 3683 3684 fd = (int)uap->fd; 3685 3686 if (error) { 3687 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3688 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level)); 3689 /* XXX may want to include other arguments */ 3690 return; 3691 } 3692 3693 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3694 /* 3695 * not security relevant if doing a setsockopt from non socket 3696 * so no extra tokens. Should probably turn off audit record 3697 * generation here. 3698 */ 3699 return; 3700 } 3701 3702 so_family = so->so_family; 3703 so_type = so->so_type; 3704 3705 switch (so_family) { 3706 case AF_INET: 3707 case AF_INET6: 3708 bzero((void *)so_laddr, sizeof (so_laddr)); 3709 bzero((void *)so_faddr, sizeof (so_faddr)); 3710 3711 /* get local and foreign addresses */ 3712 len = sizeof (so_laddr); 3713 (void) socket_getsockname(so, (struct sockaddr *)so_laddr, 3714 &len, CRED()); 3715 len = sizeof (so_faddr); 3716 (void) socket_getpeername(so, (struct sockaddr *)so_faddr, 3717 &len, B_FALSE, CRED()); 3718 3719 add_sock_token = 1; 3720 3721 break; 3722 3723 case AF_UNIX: 3724 3725 /* get path from file struct here */ 3726 fad = F2A(fp); 3727 ASSERT(fad); 3728 3729 if (fad->fad_aupath != NULL) { 3730 au_uwrite(au_to_path(fad->fad_aupath)); 3731 } else { 3732 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3733 } 3734 3735 audit_attributes(fp->f_vnode); 3736 3737 break; 3738 3739 default: 3740 /* 3741 * AF_KEY and AF_ROUTE support setsockopt. No socket token 3742 * added. 3743 */ 3744 break; 3745 } 3746 3747 releasef(fd); 3748 3749 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3750 3751 if (add_sock_token == 0) { 3752 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family))); 3753 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type))); 3754 } 3755 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level))); 3756 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname))); 3757 3758 bzero(val, sizeof (val)); 3759 len = min(uap->optlen, sizeof (val)); 3760 if ((len > 0) && 3761 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) { 3762 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen))); 3763 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val)); 3764 } 3765 3766 if (add_sock_token == 0) 3767 return; 3768 3769 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 3770 3771 } 3772 3773 /*ARGSUSED*/ 3774 static void 3775 aus_sockconfig(tad) 3776 struct t_audit_data *tad; 3777 { 3778 struct a { 3779 long domain; 3780 long type; 3781 long protocol; 3782 long devpath; 3783 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3784 3785 char *kdevpath; 3786 int kdevpathlen = MAXPATHLEN + 1; 3787 size_t size; 3788 3789 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 3790 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 3791 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 3792 3793 if (uap->devpath == 0) { 3794 au_uwrite(au_to_arg32(3, "devpath", (uint32_t)0)); 3795 } else { 3796 kdevpath = kmem_alloc(kdevpathlen, KM_SLEEP); 3797 3798 if (copyinstr((caddr_t)uap->devpath, kdevpath, kdevpathlen, 3799 &size)) { 3800 kmem_free(kdevpath, kdevpathlen); 3801 return; 3802 } 3803 3804 if (size > MAXPATHLEN) { 3805 kmem_free(kdevpath, kdevpathlen); 3806 return; 3807 } 3808 3809 au_uwrite(au_to_text(kdevpath)); 3810 kmem_free(kdevpath, kdevpathlen); 3811 } 3812 } 3813 3814 /* 3815 * only audit recvmsg when the system call represents the creation of a new 3816 * circuit. This effectively occurs for all UDP packets and may occur for 3817 * special TCP situations where the local host has not set a local address 3818 * in the socket structure. 3819 */ 3820 /*ARGSUSED*/ 3821 static void 3822 auf_recvmsg( 3823 struct t_audit_data *tad, 3824 int error, 3825 rval_t *rvp) 3826 { 3827 struct a { 3828 long fd; 3829 long msg; /* struct msghdr */ 3830 long flags; 3831 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 3832 3833 struct sonode *so; 3834 STRUCT_DECL(msghdr, msg); 3835 caddr_t msg_name; 3836 socklen_t msg_namelen; 3837 int fd; 3838 int err; 3839 char so_laddr[sizeof (struct sockaddr_in6)]; 3840 char so_faddr[sizeof (struct sockaddr_in6)]; 3841 socklen_t len; 3842 file_t *fp; /* unix domain sockets */ 3843 struct f_audit_data *fad; /* unix domain sockets */ 3844 short so_family, so_type; 3845 int add_sock_token = 0; 3846 au_kcontext_t *kctx = GET_KCTX_PZ; 3847 3848 fd = (int)uap->fd; 3849 3850 /* bail if an error */ 3851 if (error) { 3852 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 3853 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 3854 return; 3855 } 3856 3857 if ((so = getsonode(fd, &err, &fp)) == NULL) { 3858 /* 3859 * not security relevant if doing a recvmsg from non socket 3860 * so no extra tokens. Should probably turn off audit record 3861 * generation here. 3862 */ 3863 return; 3864 } 3865 3866 so_family = so->so_family; 3867 so_type = so->so_type; 3868 3869 /* 3870 * only putout SOCKET_EX token if INET/INET6 family. 3871 * XXX - what do we do about other families? 3872 */ 3873 3874 switch (so_family) { 3875 case AF_INET: 3876 case AF_INET6: 3877 3878 /* 3879 * if datagram type socket, then just use what is in 3880 * socket structure for local address. 3881 * XXX - what do we do for other types? 3882 */ 3883 if ((so->so_type == SOCK_DGRAM) || 3884 (so->so_type == SOCK_RAW)) { 3885 add_sock_token = 1; 3886 3887 bzero((void *)so_laddr, sizeof (so_laddr)); 3888 bzero((void *)so_faddr, sizeof (so_faddr)); 3889 3890 /* get local address */ 3891 len = sizeof (so_laddr); 3892 (void) socket_getsockname(so, 3893 (struct sockaddr *)so_laddr, &len, CRED()); 3894 3895 /* get peer address */ 3896 STRUCT_INIT(msg, get_udatamodel()); 3897 3898 if (copyin((caddr_t)(uap->msg), 3899 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 3900 break; 3901 } 3902 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 3903 if (msg_name == NULL) { 3904 break; 3905 } 3906 3907 /* length is value from recvmsg - sanity check */ 3908 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 3909 if (msg_namelen == 0) { 3910 break; 3911 } 3912 if (copyin(msg_name, so_faddr, 3913 sizeof (so_faddr)) != 0) { 3914 break; 3915 } 3916 3917 } else if (so->so_type == SOCK_STREAM) { 3918 3919 /* get path from file struct here */ 3920 fad = F2A(fp); 3921 ASSERT(fad); 3922 3923 /* 3924 * already processed this file for read attempt 3925 */ 3926 if (fad->fad_flags & FAD_READ) { 3927 /* don't want to audit every recvmsg attempt */ 3928 tad->tad_flag = 0; 3929 /* free any residual audit data */ 3930 au_close(kctx, &(u_ad), 0, 0, 0); 3931 releasef(fd); 3932 return; 3933 } 3934 /* 3935 * mark things so we know what happened and don't 3936 * repeat things 3937 */ 3938 fad->fad_flags |= FAD_READ; 3939 3940 bzero((void *)so_laddr, sizeof (so_laddr)); 3941 bzero((void *)so_faddr, sizeof (so_faddr)); 3942 3943 /* get local and foreign addresses */ 3944 len = sizeof (so_laddr); 3945 (void) socket_getsockname(so, 3946 (struct sockaddr *)so_laddr, &len, CRED()); 3947 len = sizeof (so_faddr); 3948 (void) socket_getpeername(so, 3949 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 3950 3951 add_sock_token = 1; 3952 } 3953 3954 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 3955 3956 break; 3957 3958 case AF_UNIX: 3959 /* 3960 * first check if this is first time through. Too much 3961 * duplicate code to put this in an aui_ routine. 3962 */ 3963 3964 /* get path from file struct here */ 3965 fad = F2A(fp); 3966 ASSERT(fad); 3967 3968 /* 3969 * already processed this file for read attempt 3970 */ 3971 if (fad->fad_flags & FAD_READ) { 3972 releasef(fd); 3973 /* don't want to audit every recvmsg attempt */ 3974 tad->tad_flag = 0; 3975 /* free any residual audit data */ 3976 au_close(kctx, &(u_ad), 0, 0, 0); 3977 return; 3978 } 3979 /* 3980 * mark things so we know what happened and don't 3981 * repeat things 3982 */ 3983 fad->fad_flags |= FAD_READ; 3984 3985 if (fad->fad_aupath != NULL) { 3986 au_uwrite(au_to_path(fad->fad_aupath)); 3987 } else { 3988 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 3989 } 3990 3991 audit_attributes(fp->f_vnode); 3992 3993 releasef(fd); 3994 3995 return; 3996 3997 default: 3998 break; 3999 4000 } 4001 4002 releasef(fd); 4003 4004 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4005 4006 if (add_sock_token == 0) { 4007 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4008 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4009 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4010 return; 4011 } 4012 4013 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4014 4015 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4016 4017 } 4018 4019 /*ARGSUSED*/ 4020 static void 4021 auf_recvfrom( 4022 struct t_audit_data *tad, 4023 int error, 4024 rval_t *rvp) 4025 { 4026 4027 struct a { 4028 long fd; 4029 long msg; /* char */ 4030 long len; 4031 long flags; 4032 long from; /* struct sockaddr */ 4033 long fromlen; 4034 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4035 4036 socklen_t fromlen; 4037 struct sonode *so; 4038 char so_laddr[sizeof (struct sockaddr_in6)]; 4039 char so_faddr[sizeof (struct sockaddr_in6)]; 4040 int fd; 4041 short so_family, so_type; 4042 int add_sock_token = 0; 4043 socklen_t len; 4044 int err; 4045 struct file *fp; 4046 struct f_audit_data *fad; /* unix domain sockets */ 4047 au_kcontext_t *kctx = GET_KCTX_PZ; 4048 4049 fd = (int)uap->fd; 4050 4051 /* bail if an error */ 4052 if (error) { 4053 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4054 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4055 return; 4056 } 4057 4058 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4059 /* 4060 * not security relevant if doing a recvmsg from non socket 4061 * so no extra tokens. Should probably turn off audit record 4062 * generation here. 4063 */ 4064 return; 4065 } 4066 4067 so_family = so->so_family; 4068 so_type = so->so_type; 4069 4070 /* 4071 * only putout SOCKET_EX token if INET/INET6 family. 4072 * XXX - what do we do about other families? 4073 */ 4074 4075 switch (so_family) { 4076 case AF_INET: 4077 case AF_INET6: 4078 4079 /* 4080 * if datagram type socket, then just use what is in 4081 * socket structure for local address. 4082 * XXX - what do we do for other types? 4083 */ 4084 if ((so->so_type == SOCK_DGRAM) || 4085 (so->so_type == SOCK_RAW)) { 4086 add_sock_token = 1; 4087 4088 /* get local address */ 4089 len = sizeof (so_laddr); 4090 (void) socket_getsockname(so, 4091 (struct sockaddr *)so_laddr, &len, CRED()); 4092 4093 /* get peer address */ 4094 bzero((void *)so_faddr, sizeof (so_faddr)); 4095 4096 /* sanity check */ 4097 if (uap->from == NULL) 4098 break; 4099 4100 /* sanity checks */ 4101 if (uap->fromlen == 0) 4102 break; 4103 4104 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen, 4105 sizeof (fromlen)) != 0) 4106 break; 4107 4108 if (fromlen == 0) 4109 break; 4110 4111 /* enforce maximum size */ 4112 if (fromlen > sizeof (so_faddr)) 4113 fromlen = sizeof (so_faddr); 4114 4115 if (copyin((caddr_t)(uap->from), so_faddr, 4116 fromlen) != 0) 4117 break; 4118 4119 } else if (so->so_type == SOCK_STREAM) { 4120 4121 /* get path from file struct here */ 4122 fad = F2A(fp); 4123 ASSERT(fad); 4124 4125 /* 4126 * already processed this file for read attempt 4127 */ 4128 if (fad->fad_flags & FAD_READ) { 4129 /* don't want to audit every recvfrom attempt */ 4130 tad->tad_flag = 0; 4131 /* free any residual audit data */ 4132 au_close(kctx, &(u_ad), 0, 0, 0); 4133 releasef(fd); 4134 return; 4135 } 4136 /* 4137 * mark things so we know what happened and don't 4138 * repeat things 4139 */ 4140 fad->fad_flags |= FAD_READ; 4141 4142 bzero((void *)so_laddr, sizeof (so_laddr)); 4143 bzero((void *)so_faddr, sizeof (so_faddr)); 4144 4145 /* get local and foreign addresses */ 4146 len = sizeof (so_laddr); 4147 (void) socket_getsockname(so, 4148 (struct sockaddr *)so_laddr, &len, CRED()); 4149 len = sizeof (so_faddr); 4150 (void) socket_getpeername(so, 4151 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4152 4153 add_sock_token = 1; 4154 } 4155 4156 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4157 4158 break; 4159 4160 case AF_UNIX: 4161 /* 4162 * first check if this is first time through. Too much 4163 * duplicate code to put this in an aui_ routine. 4164 */ 4165 4166 /* get path from file struct here */ 4167 fad = F2A(fp); 4168 ASSERT(fad); 4169 4170 /* 4171 * already processed this file for read attempt 4172 */ 4173 if (fad->fad_flags & FAD_READ) { 4174 /* don't want to audit every recvfrom attempt */ 4175 tad->tad_flag = 0; 4176 /* free any residual audit data */ 4177 au_close(kctx, &(u_ad), 0, 0, 0); 4178 releasef(fd); 4179 return; 4180 } 4181 /* 4182 * mark things so we know what happened and don't 4183 * repeat things 4184 */ 4185 fad->fad_flags |= FAD_READ; 4186 4187 if (fad->fad_aupath != NULL) { 4188 au_uwrite(au_to_path(fad->fad_aupath)); 4189 } else { 4190 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4191 } 4192 4193 audit_attributes(fp->f_vnode); 4194 4195 releasef(fd); 4196 4197 return; 4198 4199 default: 4200 break; 4201 4202 } 4203 4204 releasef(fd); 4205 4206 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4207 4208 if (add_sock_token == 0) { 4209 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4210 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4211 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4212 return; 4213 } 4214 4215 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4216 4217 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4218 } 4219 4220 /*ARGSUSED*/ 4221 static void 4222 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval) 4223 { 4224 struct a { 4225 long fd; 4226 long msg; /* struct msghdr */ 4227 long flags; 4228 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4229 4230 struct sonode *so; 4231 char so_laddr[sizeof (struct sockaddr_in6)]; 4232 char so_faddr[sizeof (struct sockaddr_in6)]; 4233 int err; 4234 int fd; 4235 short so_family, so_type; 4236 int add_sock_token = 0; 4237 socklen_t len; 4238 struct file *fp; 4239 struct f_audit_data *fad; 4240 caddr_t msg_name; 4241 socklen_t msg_namelen; 4242 STRUCT_DECL(msghdr, msg); 4243 au_kcontext_t *kctx = GET_KCTX_PZ; 4244 4245 fd = (int)uap->fd; 4246 4247 /* bail if an error */ 4248 if (error) { 4249 /* XXX include destination address from system call arguments */ 4250 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4251 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4252 return; 4253 } 4254 4255 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4256 /* 4257 * not security relevant if doing a sendmsg from non socket 4258 * so no extra tokens. Should probably turn off audit record 4259 * generation here. 4260 */ 4261 return; 4262 } 4263 4264 so_family = so->so_family; 4265 so_type = so->so_type; 4266 4267 switch (so_family) { 4268 case AF_INET: 4269 case AF_INET6: 4270 /* 4271 * if datagram type socket, then just use what is in 4272 * socket structure for local address. 4273 * XXX - what do we do for other types? 4274 */ 4275 if ((so->so_type == SOCK_DGRAM) || 4276 (so->so_type == SOCK_RAW)) { 4277 4278 bzero((void *)so_laddr, sizeof (so_laddr)); 4279 bzero((void *)so_faddr, sizeof (so_faddr)); 4280 4281 /* get local address */ 4282 len = sizeof (so_laddr); 4283 (void) socket_getsockname(so, 4284 (struct sockaddr *)so_laddr, &len, CRED()); 4285 4286 /* get peer address */ 4287 STRUCT_INIT(msg, get_udatamodel()); 4288 4289 if (copyin((caddr_t)(uap->msg), 4290 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) { 4291 break; 4292 } 4293 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name); 4294 if (msg_name == NULL) 4295 break; 4296 4297 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen); 4298 /* length is value from recvmsg - sanity check */ 4299 if (msg_namelen == 0) 4300 break; 4301 4302 if (copyin(msg_name, so_faddr, 4303 sizeof (so_faddr)) != 0) 4304 break; 4305 4306 add_sock_token = 1; 4307 4308 } else if (so->so_type == SOCK_STREAM) { 4309 4310 /* get path from file struct here */ 4311 fad = F2A(fp); 4312 ASSERT(fad); 4313 4314 /* 4315 * already processed this file for write attempt 4316 */ 4317 if (fad->fad_flags & FAD_WRITE) { 4318 releasef(fd); 4319 /* don't want to audit every sendmsg attempt */ 4320 tad->tad_flag = 0; 4321 /* free any residual audit data */ 4322 au_close(kctx, &(u_ad), 0, 0, 0); 4323 return; 4324 } 4325 4326 /* 4327 * mark things so we know what happened and don't 4328 * repeat things 4329 */ 4330 fad->fad_flags |= FAD_WRITE; 4331 4332 bzero((void *)so_laddr, sizeof (so_laddr)); 4333 bzero((void *)so_faddr, sizeof (so_faddr)); 4334 4335 /* get local and foreign addresses */ 4336 len = sizeof (so_laddr); 4337 (void) socket_getsockname(so, 4338 (struct sockaddr *)so_laddr, &len, CRED()); 4339 len = sizeof (so_faddr); 4340 (void) socket_getpeername(so, 4341 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4342 4343 add_sock_token = 1; 4344 } 4345 4346 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */ 4347 4348 break; 4349 4350 case AF_UNIX: 4351 /* 4352 * first check if this is first time through. Too much 4353 * duplicate code to put this in an aui_ routine. 4354 */ 4355 4356 /* get path from file struct here */ 4357 fad = F2A(fp); 4358 ASSERT(fad); 4359 4360 /* 4361 * already processed this file for write attempt 4362 */ 4363 if (fad->fad_flags & FAD_WRITE) { 4364 releasef(fd); 4365 /* don't want to audit every sendmsg attempt */ 4366 tad->tad_flag = 0; 4367 /* free any residual audit data */ 4368 au_close(kctx, &(u_ad), 0, 0, 0); 4369 return; 4370 } 4371 /* 4372 * mark things so we know what happened and don't 4373 * repeat things 4374 */ 4375 fad->fad_flags |= FAD_WRITE; 4376 4377 if (fad->fad_aupath != NULL) { 4378 au_uwrite(au_to_path(fad->fad_aupath)); 4379 } else { 4380 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4381 } 4382 4383 audit_attributes(fp->f_vnode); 4384 4385 releasef(fd); 4386 4387 return; 4388 4389 default: 4390 break; 4391 } 4392 4393 releasef(fd); 4394 4395 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4396 4397 if (add_sock_token == 0) { 4398 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4399 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4400 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4401 return; 4402 } 4403 4404 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4405 4406 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4407 } 4408 4409 /*ARGSUSED*/ 4410 static void 4411 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval) 4412 { 4413 struct a { 4414 long fd; 4415 long msg; /* char */ 4416 long len; 4417 long flags; 4418 long to; /* struct sockaddr */ 4419 long tolen; 4420 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4421 4422 struct sonode *so; 4423 char so_laddr[sizeof (struct sockaddr_in6)]; 4424 char so_faddr[sizeof (struct sockaddr_in6)]; 4425 socklen_t tolen; 4426 int err; 4427 int fd; 4428 socklen_t len; 4429 short so_family, so_type; 4430 int add_sock_token = 0; 4431 struct file *fp; 4432 struct f_audit_data *fad; 4433 au_kcontext_t *kctx = GET_KCTX_PZ; 4434 4435 fd = (int)uap->fd; 4436 4437 /* bail if an error */ 4438 if (error) { 4439 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4440 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4441 /* XXX include destination address from system call arguments */ 4442 return; 4443 } 4444 4445 if ((so = getsonode(fd, &err, &fp)) == NULL) { 4446 /* 4447 * not security relevant if doing a sendto using non socket 4448 * so no extra tokens. Should probably turn off audit record 4449 * generation here. 4450 */ 4451 return; 4452 } 4453 4454 so_family = so->so_family; 4455 so_type = so->so_type; 4456 4457 /* 4458 * only putout SOCKET_EX token if INET/INET6 family. 4459 * XXX - what do we do about other families? 4460 */ 4461 4462 switch (so_family) { 4463 case AF_INET: 4464 case AF_INET6: 4465 4466 /* 4467 * if datagram type socket, then just use what is in 4468 * socket structure for local address. 4469 * XXX - what do we do for other types? 4470 */ 4471 if ((so->so_type == SOCK_DGRAM) || 4472 (so->so_type == SOCK_RAW)) { 4473 4474 bzero((void *)so_laddr, sizeof (so_laddr)); 4475 bzero((void *)so_faddr, sizeof (so_faddr)); 4476 4477 /* get local address */ 4478 len = sizeof (so_laddr); 4479 (void) socket_getsockname(so, 4480 (struct sockaddr *)so_laddr, &len, CRED()); 4481 4482 /* get peer address */ 4483 4484 /* sanity check */ 4485 if (uap->to == NULL) 4486 break; 4487 4488 /* sanity checks */ 4489 if (uap->tolen == 0) 4490 break; 4491 4492 tolen = (socklen_t)uap->tolen; 4493 4494 /* enforce maximum size */ 4495 if (tolen > sizeof (so_faddr)) 4496 tolen = sizeof (so_faddr); 4497 4498 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0) 4499 break; 4500 4501 add_sock_token = 1; 4502 } else { 4503 /* 4504 * check if this is first time through. 4505 */ 4506 4507 /* get path from file struct here */ 4508 fad = F2A(fp); 4509 ASSERT(fad); 4510 4511 /* 4512 * already processed this file for write attempt 4513 */ 4514 if (fad->fad_flags & FAD_WRITE) { 4515 /* don't want to audit every sendto attempt */ 4516 tad->tad_flag = 0; 4517 /* free any residual audit data */ 4518 au_close(kctx, &(u_ad), 0, 0, 0); 4519 releasef(fd); 4520 return; 4521 } 4522 /* 4523 * mark things so we know what happened and don't 4524 * repeat things 4525 */ 4526 fad->fad_flags |= FAD_WRITE; 4527 4528 bzero((void *)so_laddr, sizeof (so_laddr)); 4529 bzero((void *)so_faddr, sizeof (so_faddr)); 4530 4531 /* get local and foreign addresses */ 4532 len = sizeof (so_laddr); 4533 (void) socket_getsockname(so, 4534 (struct sockaddr *)so_laddr, &len, CRED()); 4535 len = sizeof (so_faddr); 4536 (void) socket_getpeername(so, 4537 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 4538 4539 add_sock_token = 1; 4540 } 4541 4542 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */ 4543 4544 break; 4545 4546 case AF_UNIX: 4547 /* 4548 * first check if this is first time through. Too much 4549 * duplicate code to put this in an aui_ routine. 4550 */ 4551 4552 /* get path from file struct here */ 4553 fad = F2A(fp); 4554 ASSERT(fad); 4555 4556 /* 4557 * already processed this file for write attempt 4558 */ 4559 if (fad->fad_flags & FAD_WRITE) { 4560 /* don't want to audit every sendto attempt */ 4561 tad->tad_flag = 0; 4562 /* free any residual audit data */ 4563 au_close(kctx, &(u_ad), 0, 0, 0); 4564 releasef(fd); 4565 return; 4566 } 4567 /* 4568 * mark things so we know what happened and don't 4569 * repeat things 4570 */ 4571 fad->fad_flags |= FAD_WRITE; 4572 4573 if (fad->fad_aupath != NULL) { 4574 au_uwrite(au_to_path(fad->fad_aupath)); 4575 } else { 4576 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 4577 } 4578 4579 audit_attributes(fp->f_vnode); 4580 4581 releasef(fd); 4582 4583 return; 4584 4585 default: 4586 break; 4587 4588 } 4589 4590 releasef(fd); 4591 4592 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 4593 4594 if (add_sock_token == 0) { 4595 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 4596 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 4597 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4598 return; 4599 } 4600 4601 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags))); 4602 4603 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 4604 4605 } 4606 4607 /* 4608 * XXX socket(2) may be equivalent to open(2) on a unix domain 4609 * socket. This needs investigation. 4610 */ 4611 4612 /*ARGSUSED*/ 4613 static void 4614 aus_socket(struct t_audit_data *tad) 4615 { 4616 struct a { 4617 long domain; 4618 long type; 4619 long protocol; 4620 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4621 4622 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain)); 4623 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type)); 4624 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol)); 4625 } 4626 4627 /*ARGSUSED*/ 4628 static void 4629 aus_sigqueue(struct t_audit_data *tad) 4630 { 4631 struct a { 4632 long pid; 4633 long signo; 4634 long *val; 4635 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4636 struct proc *p; 4637 uid_t uid, ruid; 4638 gid_t gid, rgid; 4639 pid_t pid; 4640 const auditinfo_addr_t *ainfo; 4641 cred_t *cr; 4642 4643 pid = (pid_t)uap->pid; 4644 4645 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo)); 4646 if (pid > 0) { 4647 mutex_enter(&pidlock); 4648 if ((p = prfind(pid)) == (struct proc *)0) { 4649 mutex_exit(&pidlock); 4650 return; 4651 } 4652 mutex_enter(&p->p_lock); /* so process doesn't go away */ 4653 mutex_exit(&pidlock); 4654 4655 mutex_enter(&p->p_crlock); 4656 crhold(cr = p->p_cred); 4657 mutex_exit(&p->p_crlock); 4658 mutex_exit(&p->p_lock); 4659 4660 ainfo = crgetauinfo(cr); 4661 if (ainfo == NULL) { 4662 crfree(cr); 4663 return; 4664 } 4665 4666 uid = crgetuid(cr); 4667 gid = crgetgid(cr); 4668 ruid = crgetruid(cr); 4669 rgid = crgetrgid(cr); 4670 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4671 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4672 crfree(cr); 4673 } 4674 else 4675 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid)); 4676 } 4677 4678 /*ARGSUSED*/ 4679 static void 4680 aus_inst_sync(struct t_audit_data *tad) 4681 { 4682 struct a { 4683 long name; /* char */ 4684 long flags; 4685 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4686 4687 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags)); 4688 } 4689 4690 /*ARGSUSED*/ 4691 static void 4692 aus_brandsys(struct t_audit_data *tad) 4693 { 4694 klwp_t *clwp = ttolwp(curthread); 4695 4696 struct a { 4697 long cmd; 4698 long arg1; 4699 long arg2; 4700 long arg3; 4701 long arg4; 4702 long arg5; 4703 long arg6; 4704 } *uap = (struct a *)clwp->lwp_ap; 4705 4706 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd)); 4707 #ifdef _LP64 4708 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1)); 4709 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2)); 4710 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3)); 4711 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4)); 4712 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5)); 4713 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6)); 4714 #else 4715 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1)); 4716 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2)); 4717 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3)); 4718 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4)); 4719 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5)); 4720 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6)); 4721 #endif 4722 } 4723 4724 /*ARGSUSED*/ 4725 static void 4726 aus_p_online(struct t_audit_data *tad) 4727 { 4728 struct a { 4729 long processor_id; 4730 long flag; 4731 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4732 4733 struct flags { 4734 int flag; 4735 char *cflag; 4736 } aflags[6] = { 4737 { P_ONLINE, "P_ONLINE"}, 4738 { P_OFFLINE, "P_OFFLINE"}, 4739 { P_NOINTR, "P_NOINTR"}, 4740 { P_SPARE, "P_SPARE"}, 4741 { P_FAULTED, "P_FAULTED"}, 4742 { P_STATUS, "P_STATUS"} 4743 }; 4744 int i; 4745 char *cflag; 4746 4747 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id)); 4748 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag)); 4749 4750 for (i = 0; i < 6; i++) { 4751 if (aflags[i].flag == uap->flag) 4752 break; 4753 } 4754 cflag = (i == 6) ? "bad flag":aflags[i].cflag; 4755 4756 au_uwrite(au_to_text(cflag)); 4757 } 4758 4759 /*ARGSUSED*/ 4760 static void 4761 aus_processor_bind(struct t_audit_data *tad) 4762 { 4763 struct a { 4764 long id_type; 4765 long id; 4766 long processor_id; 4767 long obind; 4768 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4769 4770 struct proc *p; 4771 int lwpcnt; 4772 uid_t uid, ruid; 4773 gid_t gid, rgid; 4774 pid_t pid; 4775 const auditinfo_addr_t *ainfo; 4776 cred_t *cr; 4777 4778 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type)); 4779 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id)); 4780 if (uap->processor_id == PBIND_NONE) 4781 au_uwrite(au_to_text("PBIND_NONE")); 4782 else 4783 au_uwrite(au_to_arg32(3, "processor_id", 4784 (uint32_t)uap->processor_id)); 4785 4786 switch (uap->id_type) { 4787 case P_MYID: 4788 case P_LWPID: 4789 mutex_enter(&pidlock); 4790 p = ttoproc(curthread); 4791 if (p == NULL || p->p_as == &kas) { 4792 mutex_exit(&pidlock); 4793 return; 4794 } 4795 mutex_enter(&p->p_lock); 4796 mutex_exit(&pidlock); 4797 lwpcnt = p->p_lwpcnt; 4798 pid = p->p_pid; 4799 4800 mutex_enter(&p->p_crlock); 4801 crhold(cr = p->p_cred); 4802 mutex_exit(&p->p_crlock); 4803 mutex_exit(&p->p_lock); 4804 4805 ainfo = crgetauinfo(cr); 4806 if (ainfo == NULL) { 4807 crfree(cr); 4808 return; 4809 } 4810 4811 uid = crgetuid(cr); 4812 gid = crgetgid(cr); 4813 ruid = crgetruid(cr); 4814 rgid = crgetrgid(cr); 4815 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4816 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4817 crfree(cr); 4818 break; 4819 case P_PID: 4820 mutex_enter(&pidlock); 4821 p = prfind(uap->id); 4822 if (p == NULL || p->p_as == &kas) { 4823 mutex_exit(&pidlock); 4824 return; 4825 } 4826 mutex_enter(&p->p_lock); 4827 mutex_exit(&pidlock); 4828 lwpcnt = p->p_lwpcnt; 4829 pid = p->p_pid; 4830 4831 mutex_enter(&p->p_crlock); 4832 crhold(cr = p->p_cred); 4833 mutex_exit(&p->p_crlock); 4834 mutex_exit(&p->p_lock); 4835 4836 ainfo = crgetauinfo(cr); 4837 if (ainfo == NULL) { 4838 crfree(cr); 4839 return; 4840 } 4841 4842 uid = crgetuid(cr); 4843 gid = crgetgid(cr); 4844 ruid = crgetruid(cr); 4845 rgid = crgetrgid(cr); 4846 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 4847 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 4848 crfree(cr); 4849 4850 break; 4851 default: 4852 return; 4853 } 4854 4855 if (uap->processor_id == PBIND_NONE && 4856 (!(uap->id_type == P_LWPID && lwpcnt > 1))) 4857 au_uwrite(au_to_text("PBIND_NONE for process")); 4858 else 4859 au_uwrite(au_to_arg32(3, "processor_id", 4860 (uint32_t)uap->processor_id)); 4861 } 4862 4863 /*ARGSUSED*/ 4864 static au_event_t 4865 aui_doorfs(au_event_t e) 4866 { 4867 uint32_t code; 4868 4869 struct a { /* doorfs */ 4870 long a1; 4871 long a2; 4872 long a3; 4873 long a4; 4874 long a5; 4875 long code; 4876 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4877 4878 /* 4879 * audit formats for several of the 4880 * door calls have not yet been determined 4881 */ 4882 code = (uint32_t)uap->code; 4883 switch (code) { 4884 case DOOR_CALL: 4885 e = AUE_DOORFS_DOOR_CALL; 4886 break; 4887 case DOOR_RETURN: 4888 e = AUE_NULL; 4889 break; 4890 case DOOR_CREATE: 4891 e = AUE_DOORFS_DOOR_CREATE; 4892 break; 4893 case DOOR_REVOKE: 4894 e = AUE_DOORFS_DOOR_REVOKE; 4895 break; 4896 case DOOR_INFO: 4897 e = AUE_NULL; 4898 break; 4899 case DOOR_UCRED: 4900 e = AUE_NULL; 4901 break; 4902 case DOOR_BIND: 4903 e = AUE_NULL; 4904 break; 4905 case DOOR_UNBIND: 4906 e = AUE_NULL; 4907 break; 4908 case DOOR_GETPARAM: 4909 e = AUE_NULL; 4910 break; 4911 case DOOR_SETPARAM: 4912 e = AUE_NULL; 4913 break; 4914 default: /* illegal system call */ 4915 e = AUE_NULL; 4916 break; 4917 } 4918 4919 return (e); 4920 } 4921 4922 static door_node_t * 4923 au_door_lookup(int did) 4924 { 4925 vnode_t *vp; 4926 file_t *fp; 4927 4928 if ((fp = getf(did)) == NULL) 4929 return (NULL); 4930 /* 4931 * Use the underlying vnode (we may be namefs mounted) 4932 */ 4933 if (VOP_REALVP(fp->f_vnode, &vp, NULL)) 4934 vp = fp->f_vnode; 4935 4936 if (vp == NULL || vp->v_type != VDOOR) { 4937 releasef(did); 4938 return (NULL); 4939 } 4940 4941 return (VTOD(vp)); 4942 } 4943 4944 /*ARGSUSED*/ 4945 static void 4946 aus_doorfs(struct t_audit_data *tad) 4947 { 4948 4949 struct a { /* doorfs */ 4950 long a1; 4951 long a2; 4952 long a3; 4953 long a4; 4954 long a5; 4955 long code; 4956 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 4957 4958 door_node_t *dp; 4959 struct proc *p; 4960 uint32_t did; 4961 uid_t uid, ruid; 4962 gid_t gid, rgid; 4963 pid_t pid; 4964 const auditinfo_addr_t *ainfo; 4965 cred_t *cr; 4966 4967 did = (uint32_t)uap->a1; 4968 4969 switch (tad->tad_event) { 4970 case AUE_DOORFS_DOOR_CALL: 4971 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 4972 if ((dp = au_door_lookup(did)) == NULL) 4973 break; 4974 4975 if (DOOR_INVALID(dp)) { 4976 releasef(did); 4977 break; 4978 } 4979 4980 if ((p = dp->door_target) == NULL) { 4981 releasef(did); 4982 break; 4983 } 4984 mutex_enter(&p->p_lock); 4985 releasef(did); 4986 4987 pid = p->p_pid; 4988 4989 mutex_enter(&p->p_crlock); 4990 crhold(cr = p->p_cred); 4991 mutex_exit(&p->p_crlock); 4992 mutex_exit(&p->p_lock); 4993 4994 ainfo = crgetauinfo(cr); 4995 if (ainfo == NULL) { 4996 crfree(cr); 4997 return; 4998 } 4999 uid = crgetuid(cr); 5000 gid = crgetgid(cr); 5001 ruid = crgetruid(cr); 5002 rgid = crgetrgid(cr); 5003 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid, 5004 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid)); 5005 crfree(cr); 5006 break; 5007 case AUE_DOORFS_DOOR_RETURN: 5008 /* 5009 * We may want to write information about 5010 * all doors (if any) which will be copied 5011 * by this call to the user space 5012 */ 5013 break; 5014 case AUE_DOORFS_DOOR_CREATE: 5015 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3)); 5016 break; 5017 case AUE_DOORFS_DOOR_REVOKE: 5018 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did)); 5019 break; 5020 case AUE_DOORFS_DOOR_INFO: 5021 break; 5022 case AUE_DOORFS_DOOR_CRED: 5023 break; 5024 case AUE_DOORFS_DOOR_BIND: 5025 break; 5026 case AUE_DOORFS_DOOR_UNBIND: { 5027 break; 5028 } 5029 default: /* illegal system call */ 5030 break; 5031 } 5032 } 5033 5034 /*ARGSUSED*/ 5035 static au_event_t 5036 aui_acl(au_event_t e) 5037 { 5038 struct a { 5039 union { 5040 long name; /* char */ 5041 long fd; 5042 } obj; 5043 5044 long cmd; 5045 long nentries; 5046 long arg; /* aclent_t */ 5047 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5048 5049 switch (uap->cmd) { 5050 case SETACL: 5051 case ACE_SETACL: 5052 /* 5053 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...) 5054 * are expected. 5055 */ 5056 break; 5057 case GETACL: 5058 case GETACLCNT: 5059 case ACE_GETACLCNT: 5060 /* do nothing for these two values. */ 5061 e = AUE_NULL; 5062 break; 5063 default: 5064 /* illegal system call */ 5065 break; 5066 } 5067 5068 return (e); 5069 } 5070 5071 static void 5072 au_acl(int cmd, int nentries, caddr_t bufp) 5073 { 5074 size_t a_size; 5075 aclent_t *aclbufp; 5076 ace_t *acebufp; 5077 int i; 5078 5079 switch (cmd) { 5080 case GETACL: 5081 case GETACLCNT: 5082 break; 5083 case SETACL: 5084 if (nentries < 3) 5085 break; 5086 5087 a_size = nentries * sizeof (aclent_t); 5088 5089 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5090 break; 5091 if (copyin(bufp, aclbufp, a_size)) { 5092 kmem_free(aclbufp, a_size); 5093 break; 5094 } 5095 for (i = 0; i < nentries; i++) { 5096 au_uwrite(au_to_acl(aclbufp + i)); 5097 } 5098 kmem_free(aclbufp, a_size); 5099 break; 5100 5101 case ACE_SETACL: 5102 if (nentries < 1 || nentries > MAX_ACL_ENTRIES) 5103 break; 5104 5105 a_size = nentries * sizeof (ace_t); 5106 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL) 5107 break; 5108 if (copyin(bufp, acebufp, a_size)) { 5109 kmem_free(acebufp, a_size); 5110 break; 5111 } 5112 for (i = 0; i < nentries; i++) { 5113 au_uwrite(au_to_ace(acebufp + i)); 5114 } 5115 kmem_free(acebufp, a_size); 5116 break; 5117 default: 5118 break; 5119 } 5120 } 5121 5122 /*ARGSUSED*/ 5123 static void 5124 aus_acl(struct t_audit_data *tad) 5125 { 5126 struct a { 5127 long fname; 5128 long cmd; 5129 long nentries; 5130 long aclbufp; 5131 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5132 5133 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5134 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5135 5136 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5137 } 5138 5139 /*ARGSUSED*/ 5140 static void 5141 aus_facl(struct t_audit_data *tad) 5142 { 5143 struct a { 5144 long fd; 5145 long cmd; 5146 long nentries; 5147 long aclbufp; 5148 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5149 struct file *fp; 5150 struct vnode *vp; 5151 struct f_audit_data *fad; 5152 int fd; 5153 5154 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd)); 5155 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries)); 5156 5157 fd = (int)uap->fd; 5158 5159 if ((fp = getf(fd)) == NULL) 5160 return; 5161 5162 /* get path from file struct here */ 5163 fad = F2A(fp); 5164 if (fad->fad_aupath != NULL) { 5165 au_uwrite(au_to_path(fad->fad_aupath)); 5166 } else { 5167 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5168 } 5169 5170 vp = fp->f_vnode; 5171 audit_attributes(vp); 5172 5173 /* decrement file descriptor reference count */ 5174 releasef(fd); 5175 5176 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp); 5177 } 5178 5179 /*ARGSUSED*/ 5180 static void 5181 auf_read(tad, error, rval) 5182 struct t_audit_data *tad; 5183 int error; 5184 rval_t *rval; 5185 { 5186 struct file *fp; 5187 struct f_audit_data *fad; 5188 int fd; 5189 register struct a { 5190 long fd; 5191 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5192 au_kcontext_t *kctx = GET_KCTX_PZ; 5193 5194 fd = (int)uap->fd; 5195 5196 /* 5197 * convert file pointer to file descriptor 5198 * Note: fd ref count incremented here. 5199 */ 5200 if ((fp = getf(fd)) == NULL) 5201 return; 5202 5203 /* get path from file struct here */ 5204 fad = F2A(fp); 5205 ASSERT(fad); 5206 5207 /* 5208 * already processed this file for read attempt 5209 * 5210 * XXX might be better to turn off auditing in a aui_read() routine. 5211 */ 5212 if (fad->fad_flags & FAD_READ) { 5213 /* don't really want to audit every read attempt */ 5214 tad->tad_flag = 0; 5215 /* free any residual audit data */ 5216 au_close(kctx, &(u_ad), 0, 0, 0); 5217 releasef(fd); 5218 return; 5219 } 5220 /* mark things so we know what happened and don't repeat things */ 5221 fad->fad_flags |= FAD_READ; 5222 5223 if (fad->fad_aupath != NULL) { 5224 au_uwrite(au_to_path(fad->fad_aupath)); 5225 } else { 5226 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5227 } 5228 5229 /* include attributes */ 5230 audit_attributes(fp->f_vnode); 5231 5232 /* decrement file descriptor reference count */ 5233 releasef(fd); 5234 } 5235 5236 /*ARGSUSED*/ 5237 static void 5238 auf_write(tad, error, rval) 5239 struct t_audit_data *tad; 5240 int error; 5241 rval_t *rval; 5242 { 5243 struct file *fp; 5244 struct f_audit_data *fad; 5245 int fd; 5246 register struct a { 5247 long fd; 5248 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5249 au_kcontext_t *kctx = GET_KCTX_PZ; 5250 5251 fd = (int)uap->fd; 5252 5253 /* 5254 * convert file pointer to file descriptor 5255 * Note: fd ref count incremented here. 5256 */ 5257 if ((fp = getf(fd)) == NULL) 5258 return; 5259 5260 /* get path from file struct here */ 5261 fad = F2A(fp); 5262 ASSERT(fad); 5263 5264 /* 5265 * already processed this file for write attempt 5266 * 5267 * XXX might be better to turn off auditing in a aus_write() routine. 5268 */ 5269 if (fad->fad_flags & FAD_WRITE) { 5270 /* don't really want to audit every write attempt */ 5271 tad->tad_flag = 0; 5272 /* free any residual audit data */ 5273 au_close(kctx, &(u_ad), 0, 0, 0); 5274 releasef(fd); 5275 return; 5276 } 5277 /* mark things so we know what happened and don't repeat things */ 5278 fad->fad_flags |= FAD_WRITE; 5279 5280 if (fad->fad_aupath != NULL) { 5281 au_uwrite(au_to_path(fad->fad_aupath)); 5282 } else { 5283 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd)); 5284 } 5285 5286 /* include attributes */ 5287 audit_attributes(fp->f_vnode); 5288 5289 /* decrement file descriptor reference count */ 5290 releasef(fd); 5291 } 5292 5293 /*ARGSUSED*/ 5294 static void 5295 auf_recv(tad, error, rval) 5296 struct t_audit_data *tad; 5297 int error; 5298 rval_t *rval; 5299 { 5300 struct sonode *so; 5301 char so_laddr[sizeof (struct sockaddr_in6)]; 5302 char so_faddr[sizeof (struct sockaddr_in6)]; 5303 struct file *fp; 5304 struct f_audit_data *fad; 5305 int fd; 5306 int err; 5307 socklen_t len; 5308 short so_family, so_type; 5309 register struct a { 5310 long fd; 5311 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5312 au_kcontext_t *kctx = GET_KCTX_PZ; 5313 5314 /* 5315 * If there was an error, then nothing to do. Only generate 5316 * audit record on first successful recv. 5317 */ 5318 if (error) { 5319 /* Turn off audit record generation here. */ 5320 tad->tad_flag = 0; 5321 /* free any residual audit data */ 5322 au_close(kctx, &(u_ad), 0, 0, 0); 5323 return; 5324 } 5325 5326 fd = (int)uap->fd; 5327 5328 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5329 /* Turn off audit record generation here. */ 5330 tad->tad_flag = 0; 5331 /* free any residual audit data */ 5332 au_close(kctx, &(u_ad), 0, 0, 0); 5333 return; 5334 } 5335 5336 /* get path from file struct here */ 5337 fad = F2A(fp); 5338 ASSERT(fad); 5339 5340 /* 5341 * already processed this file for read attempt 5342 */ 5343 if (fad->fad_flags & FAD_READ) { 5344 releasef(fd); 5345 /* don't really want to audit every recv call */ 5346 tad->tad_flag = 0; 5347 /* free any residual audit data */ 5348 au_close(kctx, &(u_ad), 0, 0, 0); 5349 return; 5350 } 5351 5352 /* mark things so we know what happened and don't repeat things */ 5353 fad->fad_flags |= FAD_READ; 5354 5355 so_family = so->so_family; 5356 so_type = so->so_type; 5357 5358 switch (so_family) { 5359 case AF_INET: 5360 case AF_INET6: 5361 /* 5362 * Only for connections. 5363 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5364 */ 5365 if (so->so_state & SS_ISBOUND) { 5366 5367 bzero((void *)so_laddr, sizeof (so_laddr)); 5368 bzero((void *)so_faddr, sizeof (so_faddr)); 5369 5370 /* get local and foreign addresses */ 5371 len = sizeof (so_laddr); 5372 (void) socket_getsockname(so, 5373 (struct sockaddr *)so_laddr, &len, CRED()); 5374 len = sizeof (so_faddr); 5375 (void) socket_getpeername(so, 5376 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5377 5378 /* 5379 * only way to drop out of switch. Note that we 5380 * we release fd below. 5381 */ 5382 5383 break; 5384 } 5385 5386 releasef(fd); 5387 5388 /* don't really want to audit every recv call */ 5389 tad->tad_flag = 0; 5390 /* free any residual audit data */ 5391 au_close(kctx, &(u_ad), 0, 0, 0); 5392 5393 return; 5394 5395 case AF_UNIX: 5396 5397 if (fad->fad_aupath != NULL) { 5398 au_uwrite(au_to_path(fad->fad_aupath)); 5399 } else { 5400 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5401 } 5402 5403 audit_attributes(fp->f_vnode); 5404 5405 releasef(fd); 5406 5407 return; 5408 5409 default: 5410 releasef(fd); 5411 5412 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5413 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5414 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5415 5416 return; 5417 } 5418 5419 releasef(fd); 5420 5421 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5422 5423 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5424 5425 } 5426 5427 /*ARGSUSED*/ 5428 static void 5429 auf_send(tad, error, rval) 5430 struct t_audit_data *tad; 5431 int error; 5432 rval_t *rval; 5433 { 5434 struct sonode *so; 5435 char so_laddr[sizeof (struct sockaddr_in6)]; 5436 char so_faddr[sizeof (struct sockaddr_in6)]; 5437 struct file *fp; 5438 struct f_audit_data *fad; 5439 int fd; 5440 int err; 5441 socklen_t len; 5442 short so_family, so_type; 5443 register struct a { 5444 long fd; 5445 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5446 au_kcontext_t *kctx = GET_KCTX_PZ; 5447 5448 fd = (int)uap->fd; 5449 5450 /* 5451 * If there was an error, then nothing to do. Only generate 5452 * audit record on first successful send. 5453 */ 5454 if (error != 0) { 5455 /* Turn off audit record generation here. */ 5456 tad->tad_flag = 0; 5457 /* free any residual audit data */ 5458 au_close(kctx, &(u_ad), 0, 0, 0); 5459 return; 5460 } 5461 5462 fd = (int)uap->fd; 5463 5464 if ((so = getsonode(fd, &err, &fp)) == NULL) { 5465 /* Turn off audit record generation here. */ 5466 tad->tad_flag = 0; 5467 /* free any residual audit data */ 5468 au_close(kctx, &(u_ad), 0, 0, 0); 5469 return; 5470 } 5471 5472 /* get path from file struct here */ 5473 fad = F2A(fp); 5474 ASSERT(fad); 5475 5476 /* 5477 * already processed this file for write attempt 5478 */ 5479 if (fad->fad_flags & FAD_WRITE) { 5480 releasef(fd); 5481 /* don't really want to audit every send call */ 5482 tad->tad_flag = 0; 5483 /* free any residual audit data */ 5484 au_close(kctx, &(u_ad), 0, 0, 0); 5485 return; 5486 } 5487 5488 /* mark things so we know what happened and don't repeat things */ 5489 fad->fad_flags |= FAD_WRITE; 5490 5491 so_family = so->so_family; 5492 so_type = so->so_type; 5493 5494 switch (so_family) { 5495 case AF_INET: 5496 case AF_INET6: 5497 /* 5498 * Only for connections. 5499 * XXX - do we need to worry about SOCK_DGRAM or other types??? 5500 */ 5501 if (so->so_state & SS_ISBOUND) { 5502 5503 bzero((void *)so_laddr, sizeof (so_laddr)); 5504 bzero((void *)so_faddr, sizeof (so_faddr)); 5505 5506 /* get local and foreign addresses */ 5507 len = sizeof (so_laddr); 5508 (void) socket_getsockname(so, 5509 (struct sockaddr *)so_laddr, &len, CRED()); 5510 len = sizeof (so_faddr); 5511 (void) socket_getpeername(so, 5512 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED()); 5513 5514 /* 5515 * only way to drop out of switch. Note that we 5516 * we release fd below. 5517 */ 5518 5519 break; 5520 } 5521 5522 releasef(fd); 5523 /* don't really want to audit every send call */ 5524 tad->tad_flag = 0; 5525 /* free any residual audit data */ 5526 au_close(kctx, &(u_ad), 0, 0, 0); 5527 5528 return; 5529 5530 case AF_UNIX: 5531 5532 if (fad->fad_aupath != NULL) { 5533 au_uwrite(au_to_path(fad->fad_aupath)); 5534 } else { 5535 au_uwrite(au_to_arg32(1, "no path: fd", fd)); 5536 } 5537 5538 audit_attributes(fp->f_vnode); 5539 5540 releasef(fd); 5541 5542 return; 5543 5544 default: 5545 releasef(fd); 5546 5547 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5548 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family)); 5549 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type)); 5550 5551 return; 5552 } 5553 5554 releasef(fd); 5555 5556 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd)); 5557 5558 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr)); 5559 } 5560 5561 static au_event_t 5562 aui_forksys(au_event_t e) 5563 { 5564 struct a { 5565 long subcode; 5566 long flags; 5567 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5568 5569 switch ((uint_t)uap->subcode) { 5570 case 0: 5571 e = AUE_FORK1; 5572 break; 5573 case 1: 5574 e = AUE_FORKALL; 5575 break; 5576 case 2: 5577 e = AUE_VFORK; 5578 break; 5579 default: 5580 e = AUE_NULL; 5581 break; 5582 } 5583 5584 return (e); 5585 } 5586 5587 /*ARGSUSED*/ 5588 static au_event_t 5589 aui_portfs(au_event_t e) 5590 { 5591 struct a { /* portfs */ 5592 long a1; 5593 long a2; 5594 long a3; 5595 } *uap = (struct a *)ttolwp(curthread)->lwp_ap; 5596 5597 /* 5598 * check opcode 5599 */ 5600 switch (((uint_t)uap->a1) & PORT_CODE_MASK) { 5601 case PORT_ASSOCIATE: 5602 /* check source */ 5603 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5604 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5605 e = AUE_PORTFS_ASSOCIATE; 5606 } else { 5607 e = AUE_NULL; 5608 } 5609 break; 5610 case PORT_DISSOCIATE: 5611 /* check source */ 5612 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) || 5613 ((uint_t)uap->a3 == PORT_SOURCE_FD)) { 5614 e = AUE_PORTFS_DISSOCIATE; 5615 } else { 5616 e = AUE_NULL; 5617 } 5618 break; 5619 default: 5620 e = AUE_NULL; 5621 } 5622 return (e); 5623 } 5624