1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /*
27 * This file contains the audit event table used to control the production
28 * of audit records for each system call.
29 */
30
31 #include <sys/policy.h>
32 #include <sys/cred.h>
33 #include <sys/types.h>
34 #include <sys/systm.h>
35 #include <sys/systeminfo.h> /* for sysinfo auditing */
36 #include <sys/utsname.h> /* for sysinfo auditing */
37 #include <sys/proc.h>
38 #include <sys/vnode.h>
39 #include <sys/mman.h> /* for mmap(2) auditing etc. */
40 #include <sys/fcntl.h>
41 #include <sys/modctl.h> /* for modctl auditing */
42 #include <sys/vnode.h>
43 #include <sys/user.h>
44 #include <sys/types.h>
45 #include <sys/processor.h>
46 #include <sys/procset.h>
47 #include <sys/acl.h>
48 #include <sys/ipc.h>
49 #include <sys/door.h>
50 #include <sys/sem.h>
51 #include <sys/msg.h>
52 #include <sys/shm.h>
53 #include <sys/kmem.h>
54 #include <sys/file.h> /* for accept */
55 #include <sys/utssys.h> /* for fuser */
56 #include <sys/tsol/label.h>
57 #include <sys/tsol/tndb.h>
58 #include <sys/tsol/tsyscall.h>
59 #include <c2/audit.h>
60 #include <c2/audit_kernel.h>
61 #include <c2/audit_kevents.h>
62 #include <c2/audit_record.h>
63 #include <sys/procset.h>
64 #include <nfs/mount.h>
65 #include <sys/param.h>
66 #include <sys/debug.h>
67 #include <sys/sysmacros.h>
68 #include <sys/stream.h>
69 #include <sys/strsubr.h>
70 #include <sys/stropts.h>
71 #include <sys/tihdr.h>
72 #include <sys/socket.h>
73 #include <sys/socketvar.h>
74 #include <sys/vfs_opreg.h>
75 #include <fs/sockfs/sockcommon.h>
76 #include <netinet/in.h>
77 #include <sys/ddi.h>
78 #include <sys/port_impl.h>
79
80
81 char _depends_on[] = "fs/sockfs";
82
83 static au_event_t aui_fchownat(au_event_t);
84 static au_event_t aui_fchmodat(au_event_t);
85 static au_event_t aui_open(au_event_t);
86 static au_event_t aui_openat(au_event_t);
87 static au_event_t aui_unlinkat(au_event_t);
88 static au_event_t aui_fstatat(au_event_t);
89 static au_event_t aui_msgsys(au_event_t);
90 static au_event_t aui_shmsys(au_event_t);
91 static au_event_t aui_semsys(au_event_t);
92 static au_event_t aui_utssys(au_event_t);
93 static au_event_t aui_fcntl(au_event_t);
94 static au_event_t aui_execve(au_event_t);
95 static au_event_t aui_memcntl(au_event_t);
96 static au_event_t aui_sysinfo(au_event_t);
97 static au_event_t aui_portfs(au_event_t);
98 static au_event_t aui_auditsys(au_event_t);
99 static au_event_t aui_modctl(au_event_t);
100 static au_event_t aui_acl(au_event_t);
101 static au_event_t aui_doorfs(au_event_t);
102 static au_event_t aui_privsys(au_event_t);
103 static au_event_t aui_forksys(au_event_t);
104 static au_event_t aui_labelsys(au_event_t);
105 static au_event_t aui_setpgrp(au_event_t);
106
107 static void aus_exit(struct t_audit_data *);
108 static void aus_open(struct t_audit_data *);
109 static void aus_openat(struct t_audit_data *);
110 static void aus_acl(struct t_audit_data *);
111 static void aus_acct(struct t_audit_data *);
112 static void aus_chown(struct t_audit_data *);
113 static void aus_fchown(struct t_audit_data *);
114 static void aus_lchown(struct t_audit_data *);
115 static void aus_fchownat(struct t_audit_data *);
116 static void aus_chmod(struct t_audit_data *);
117 static void aus_facl(struct t_audit_data *);
118 static void aus_fchmod(struct t_audit_data *);
119 static void aus_fchmodat(struct t_audit_data *);
120 static void aus_fcntl(struct t_audit_data *);
121 static void aus_mkdir(struct t_audit_data *);
122 static void aus_mkdirat(struct t_audit_data *);
123 static void aus_mknod(struct t_audit_data *);
124 static void aus_mknodat(struct t_audit_data *);
125 static void aus_mount(struct t_audit_data *);
126 static void aus_umount2(struct t_audit_data *);
127 static void aus_msgsys(struct t_audit_data *);
128 static void aus_semsys(struct t_audit_data *);
129 static void aus_close(struct t_audit_data *);
130 static void aus_fstatfs(struct t_audit_data *);
131 static void aus_setgid(struct t_audit_data *);
132 static void aus_setpgrp(struct t_audit_data *);
133 static void aus_setuid(struct t_audit_data *);
134 static void aus_shmsys(struct t_audit_data *);
135 static void aus_doorfs(struct t_audit_data *);
136 static void aus_ioctl(struct t_audit_data *);
137 static void aus_memcntl(struct t_audit_data *);
138 static void aus_mmap(struct t_audit_data *);
139 static void aus_munmap(struct t_audit_data *);
140 static void aus_priocntlsys(struct t_audit_data *);
141 static void aus_setegid(struct t_audit_data *);
142 static void aus_setgroups(struct t_audit_data *);
143 static void aus_seteuid(struct t_audit_data *);
144 static void aus_putmsg(struct t_audit_data *);
145 static void aus_putpmsg(struct t_audit_data *);
146 static void aus_getmsg(struct t_audit_data *);
147 static void aus_getpmsg(struct t_audit_data *);
148 static void aus_auditsys(struct t_audit_data *);
149 static void aus_sysinfo(struct t_audit_data *);
150 static void aus_modctl(struct t_audit_data *);
151 static void aus_kill(struct t_audit_data *);
152 static void aus_setregid(struct t_audit_data *);
153 static void aus_setreuid(struct t_audit_data *);
154 static void aus_labelsys(struct t_audit_data *);
155
156 static void auf_mknod(struct t_audit_data *, int, rval_t *);
157 static void auf_mknodat(struct t_audit_data *, int, rval_t *);
158 static void auf_msgsys(struct t_audit_data *, int, rval_t *);
159 static void auf_semsys(struct t_audit_data *, int, rval_t *);
160 static void auf_shmsys(struct t_audit_data *, int, rval_t *);
161 static void auf_read(struct t_audit_data *, int, rval_t *);
162 static void auf_write(struct t_audit_data *, int, rval_t *);
163
164 static void aus_sigqueue(struct t_audit_data *);
165 static void aus_p_online(struct t_audit_data *);
166 static void aus_processor_bind(struct t_audit_data *);
167 static void aus_inst_sync(struct t_audit_data *);
168 static void aus_brandsys(struct t_audit_data *);
169
170 static void auf_accept(struct t_audit_data *, int, rval_t *);
171
172 static void auf_bind(struct t_audit_data *, int, rval_t *);
173 static void auf_connect(struct t_audit_data *, int, rval_t *);
174 static void aus_shutdown(struct t_audit_data *);
175 static void auf_setsockopt(struct t_audit_data *, int, rval_t *);
176 static void aus_sockconfig(struct t_audit_data *);
177 static void auf_recv(struct t_audit_data *, int, rval_t *);
178 static void auf_recvmsg(struct t_audit_data *, int, rval_t *);
179 static void auf_send(struct t_audit_data *, int, rval_t *);
180 static void auf_sendmsg(struct t_audit_data *, int, rval_t *);
181 static void auf_recvfrom(struct t_audit_data *, int, rval_t *);
182 static void auf_sendto(struct t_audit_data *, int, rval_t *);
183 static void aus_socket(struct t_audit_data *);
184 /*
185 * This table contains mapping information for converting system call numbers
186 * to audit event IDs. In several cases it is necessary to map a single system
187 * call to several events.
188 */
189
190 #define aui_null NULL /* NULL initialize function */
191 #define aus_null NULL /* NULL start function */
192 #define auf_null NULL /* NULL finish function */
193
194 struct audit_s2e audit_s2e[] =
195 {
196 /*
197 * ---------- ---------- ---------- ----------
198 * INITIAL AUDIT START SYSTEM
199 * PROCESSING EVENT PROCESSING CALL
200 * ---------- ---------- ---------- -----------
201 * FINISH EVENT
202 * PROCESSING CONTROL
203 * ----------------------------------------------------------
204 */
205 aui_null, AUE_NULL, aus_null, /* 0 unused (indirect) */
206 auf_null, 0,
207 aui_null, AUE_EXIT, aus_exit, /* 1 exit */
208 auf_null, S2E_NPT,
209 aui_null, AUE_NULL, aus_null, /* 2 (loadable) was forkall */
210 auf_null, 0,
211 aui_null, AUE_READ, aus_null, /* 3 read */
212 auf_read, S2E_PUB,
213 aui_null, AUE_WRITE, aus_null, /* 4 write */
214 auf_write, 0,
215 aui_open, AUE_OPEN, aus_open, /* 5 open */
216 auf_null, S2E_SP,
217 aui_null, AUE_CLOSE, aus_close, /* 6 close */
218 auf_null, 0,
219 aui_null, AUE_LINK, aus_null, /* 7 linkat */
220 auf_null, 0,
221 aui_null, AUE_NULL, aus_null, /* 8 (loadable) was creat */
222 auf_null, 0,
223 aui_null, AUE_LINK, aus_null, /* 9 link */
224 auf_null, 0,
225 aui_null, AUE_UNLINK, aus_null, /* 10 unlink */
226 auf_null, 0,
227 aui_null, AUE_SYMLINK, aus_null, /* 11 symlinkat */
228 auf_null, 0,
229 aui_null, AUE_CHDIR, aus_null, /* 12 chdir */
230 auf_null, S2E_SP,
231 aui_null, AUE_NULL, aus_null, /* 13 time */
232 auf_null, 0,
233 aui_null, AUE_MKNOD, aus_mknod, /* 14 mknod */
234 auf_mknod, S2E_MLD,
235 aui_null, AUE_CHMOD, aus_chmod, /* 15 chmod */
236 auf_null, 0,
237 aui_null, AUE_CHOWN, aus_chown, /* 16 chown */
238 auf_null, 0,
239 aui_null, AUE_NULL, aus_null, /* 17 brk */
240 auf_null, 0,
241 aui_null, AUE_STAT, aus_null, /* 18 stat */
242 auf_null, S2E_PUB,
243 aui_null, AUE_NULL, aus_null, /* 19 lseek */
244 auf_null, 0,
245 aui_null, AUE_NULL, aus_null, /* 20 getpid */
246 auf_null, 0,
247 aui_null, AUE_MOUNT, aus_mount, /* 21 mount */
248 auf_null, S2E_MLD,
249 aui_null, AUE_READLINK, aus_null, /* 22 readlinkat */
250 auf_null, S2E_PUB,
251 aui_null, AUE_SETUID, aus_setuid, /* 23 setuid */
252 auf_null, 0,
253 aui_null, AUE_NULL, aus_null, /* 24 getuid */
254 auf_null, 0,
255 aui_null, AUE_STIME, aus_null, /* 25 stime */
256 auf_null, 0,
257 aui_null, AUE_NULL, aus_null, /* 26 pcsample */
258 auf_null, 0,
259 aui_null, AUE_NULL, aus_null, /* 27 alarm */
260 auf_null, 0,
261 aui_null, AUE_NULL, aus_null, /* 28 fstat */
262 auf_null, 0,
263 aui_null, AUE_NULL, aus_null, /* 29 pause */
264 auf_null, 0,
265 aui_null, AUE_NULL, aus_null, /* 30 (loadable) was utime */
266 auf_null, 0,
267 aui_null, AUE_NULL, aus_null, /* 31 stty (TIOCSETP-audit?) */
268 auf_null, 0,
269 aui_null, AUE_NULL, aus_null, /* 32 gtty */
270 auf_null, 0,
271 aui_null, AUE_ACCESS, aus_null, /* 33 access */
272 auf_null, S2E_PUB,
273 aui_null, AUE_NICE, aus_null, /* 34 nice */
274 auf_null, 0,
275 aui_null, AUE_STATFS, aus_null, /* 35 statfs */
276 auf_null, S2E_PUB,
277 aui_null, AUE_NULL, aus_null, /* 36 sync */
278 auf_null, 0,
279 aui_null, AUE_KILL, aus_kill, /* 37 kill */
280 auf_null, 0,
281 aui_null, AUE_FSTATFS, aus_fstatfs, /* 38 fstatfs */
282 auf_null, S2E_PUB,
283 aui_setpgrp, AUE_SETPGRP, aus_setpgrp, /* 39 setpgrp */
284 auf_null, 0,
285 aui_null, AUE_NULL, aus_null, /* 40 uucopystr */
286 auf_null, 0,
287 aui_null, AUE_NULL, aus_null, /* 41 (loadable) was dup */
288 auf_null, 0,
289 aui_null, AUE_PIPE, aus_null, /* 42 (loadable) pipe */
290 auf_null, 0,
291 aui_null, AUE_NULL, aus_null, /* 43 times */
292 auf_null, 0,
293 aui_null, AUE_NULL, aus_null, /* 44 profil */
294 auf_null, 0,
295 aui_null, AUE_ACCESS, aus_null, /* 45 faccessat */
296 auf_null, S2E_PUB,
297 aui_null, AUE_SETGID, aus_setgid, /* 46 setgid */
298 auf_null, 0,
299 aui_null, AUE_NULL, aus_null, /* 47 getgid */
300 auf_null, 0,
301 aui_null, AUE_MKNOD, aus_mknodat, /* 48 mknodat */
302 auf_mknodat, S2E_MLD,
303 aui_msgsys, AUE_MSGSYS, aus_msgsys, /* 49 (loadable) msgsys */
304 auf_msgsys, 0,
305 #if defined(__x86)
306 aui_null, AUE_NULL, aus_null, /* 50 sysi86 */
307 auf_null, 0,
308 #else
309 aui_null, AUE_NULL, aus_null, /* 50 (loadable) was sys3b */
310 auf_null, 0,
311 #endif /* __x86 */
312 aui_null, AUE_ACCT, aus_acct, /* 51 (loadable) sysacct */
313 auf_null, 0,
314 aui_shmsys, AUE_SHMSYS, aus_shmsys, /* 52 (loadable) shmsys */
315 auf_shmsys, 0,
316 aui_semsys, AUE_SEMSYS, aus_semsys, /* 53 (loadable) semsys */
317 auf_semsys, 0,
318 aui_null, AUE_IOCTL, aus_ioctl, /* 54 ioctl */
319 auf_null, 0,
320 aui_null, AUE_NULL, aus_null, /* 55 uadmin */
321 auf_null, 0,
322 aui_fchownat, AUE_NULL, aus_fchownat, /* 56 fchownat */
323 auf_null, 0,
324 aui_utssys, AUE_FUSERS, aus_null, /* 57 utssys */
325 auf_null, 0,
326 aui_null, AUE_NULL, aus_null, /* 58 fsync */
327 auf_null, 0,
328 aui_execve, AUE_EXECVE, aus_null, /* 59 exece */
329 auf_null, S2E_MLD,
330 aui_null, AUE_NULL, aus_null, /* 60 umask */
331 auf_null, 0,
332 aui_null, AUE_CHROOT, aus_null, /* 61 chroot */
333 auf_null, S2E_SP,
334 aui_fcntl, AUE_FCNTL, aus_fcntl, /* 62 fcntl */
335 auf_null, 0,
336 aui_null, AUE_NULL, aus_null, /* 63 ulimit */
337 auf_null, 0,
338 aui_null, AUE_RENAME, aus_null, /* 64 renameat */
339 auf_null, 0,
340 aui_unlinkat, AUE_NULL, aus_null, /* 65 unlinkat */
341 auf_null, 0,
342 aui_fstatat, AUE_NULL, aus_null, /* 66 fstatat */
343 auf_null, S2E_PUB,
344 aui_fstatat, AUE_NULL, aus_null, /* 67 fstatat64 */
345 auf_null, S2E_PUB,
346 aui_openat, AUE_OPEN, aus_openat, /* 68 openat */
347 auf_null, S2E_SP,
348 aui_openat, AUE_OPEN, aus_openat, /* 69 openat64 */
349 auf_null, S2E_SP,
350 aui_null, AUE_NULL, aus_null, /* 70 tasksys */
351 auf_null, 0,
352 aui_null, AUE_NULL, aus_null, /* 71 (loadable) acctctl */
353 auf_null, 0,
354 aui_null, AUE_NULL, aus_null, /* 72 (loadable) exacct */
355 auf_null, 0,
356 aui_null, AUE_NULL, aus_null, /* 73 getpagesizes */
357 auf_null, 0,
358 aui_null, AUE_NULL, aus_null, /* 74 rctlsys */
359 auf_null, 0,
360 aui_null, AUE_NULL, aus_null, /* 75 sidsys */
361 auf_null, 0,
362 aui_null, AUE_NULL, aus_null, /* 76 (loadable) was fsat */
363 auf_null, 0,
364 aui_null, AUE_NULL, aus_null, /* 77 syslwp_park */
365 auf_null, 0,
366 aui_null, AUE_NULL, aus_null, /* 78 sendfilev */
367 auf_null, 0,
368 aui_null, AUE_RMDIR, aus_null, /* 79 rmdir */
369 auf_null, 0,
370 aui_null, AUE_MKDIR, aus_mkdir, /* 80 mkdir */
371 auf_null, 0,
372 aui_null, AUE_NULL, aus_null, /* 81 getdents */
373 auf_null, 0,
374 aui_privsys, AUE_NULL, aus_null, /* 82 privsys */
375 auf_null, 0,
376 aui_null, AUE_NULL, aus_null, /* 83 ucredsys */
377 auf_null, 0,
378 aui_null, AUE_NULL, aus_null, /* 84 sysfs */
379 auf_null, 0,
380 aui_null, AUE_GETMSG, aus_getmsg, /* 85 getmsg */
381 auf_null, 0,
382 aui_null, AUE_PUTMSG, aus_putmsg, /* 86 putmsg */
383 auf_null, 0,
384 aui_null, AUE_NULL, aus_null, /* 87 (loadable) was poll */
385 auf_null, 0,
386 aui_null, AUE_LSTAT, aus_null, /* 88 lstat */
387 auf_null, S2E_PUB,
388 aui_null, AUE_SYMLINK, aus_null, /* 89 symlink */
389 auf_null, 0,
390 aui_null, AUE_READLINK, aus_null, /* 90 readlink */
391 auf_null, S2E_PUB,
392 aui_null, AUE_SETGROUPS, aus_setgroups, /* 91 setgroups */
393 auf_null, 0,
394 aui_null, AUE_NULL, aus_null, /* 92 getgroups */
395 auf_null, 0,
396 aui_null, AUE_FCHMOD, aus_fchmod, /* 93 fchmod */
397 auf_null, 0,
398 aui_null, AUE_FCHOWN, aus_fchown, /* 94 fchown */
399 auf_null, 0,
400 aui_null, AUE_NULL, aus_null, /* 95 sigprocmask */
401 auf_null, 0,
402 aui_null, AUE_NULL, aus_null, /* 96 sigsuspend */
403 auf_null, 0,
404 aui_null, AUE_NULL, aus_null, /* 97 sigaltstack */
405 auf_null, 0,
406 aui_null, AUE_NULL, aus_null, /* 98 sigaction */
407 auf_null, 0,
408 aui_null, AUE_NULL, aus_null, /* 99 sigpending */
409 auf_null, 0,
410 aui_null, AUE_NULL, aus_null, /* 100 setcontext */
411 auf_null, 0,
412 aui_fchmodat, AUE_NULL, aus_fchmodat, /* 101 fchmodat */
413 auf_null, 0,
414 aui_null, AUE_MKDIR, aus_mkdirat, /* 102 mkdirat */
415 auf_null, 0,
416 aui_null, AUE_STATVFS, aus_null, /* 103 statvfs */
417 auf_null, S2E_PUB,
418 aui_null, AUE_NULL, aus_null, /* 104 fstatvfs */
419 auf_null, 0,
420 aui_null, AUE_NULL, aus_null, /* 105 getloadavg */
421 auf_null, 0,
422 aui_null, AUE_NULL, aus_null, /* 106 nfssys */
423 auf_null, 0,
424 aui_null, AUE_NULL, aus_null, /* 107 waitsys */
425 auf_null, 0,
426 aui_null, AUE_NULL, aus_null, /* 108 sigsendsys */
427 auf_null, 0,
428 #if defined(__x86)
429 aui_null, AUE_NULL, aus_null, /* 109 hrtsys */
430 auf_null, 0,
431 #else
432 aui_null, AUE_NULL, aus_null, /* 109 (loadable) */
433 auf_null, 0,
434 #endif /* __x86 */
435 aui_null, AUE_UTIMES, aus_null, /* 110 utimesys */
436 auf_null, 0,
437 aui_null, AUE_NULL, aus_null, /* 111 sigresend */
438 auf_null, 0,
439 aui_null, AUE_PRIOCNTLSYS, aus_priocntlsys, /* 112 priocntlsys */
440 auf_null, 0,
441 aui_null, AUE_PATHCONF, aus_null, /* 113 pathconf */
442 auf_null, S2E_PUB,
443 aui_null, AUE_NULL, aus_null, /* 114 mincore */
444 auf_null, 0,
445 aui_null, AUE_MMAP, aus_mmap, /* 115 mmap */
446 auf_null, 0,
447 aui_null, AUE_NULL, aus_null, /* 116 mprotect */
448 auf_null, 0,
449 aui_null, AUE_MUNMAP, aus_munmap, /* 117 munmap */
450 auf_null, 0,
451 aui_null, AUE_NULL, aus_null, /* 118 fpathconf */
452 auf_null, 0,
453 aui_null, AUE_VFORK, aus_null, /* 119 vfork */
454 auf_null, 0,
455 aui_null, AUE_FCHDIR, aus_null, /* 120 fchdir */
456 auf_null, 0,
457 aui_null, AUE_READ, aus_null, /* 121 readv */
458 auf_read, S2E_PUB,
459 aui_null, AUE_WRITE, aus_null, /* 122 writev */
460 auf_write, 0,
461 aui_null, AUE_NULL, aus_null, /* 123 (loadable) was xstat */
462 auf_null, 0,
463 aui_null, AUE_NULL, aus_null, /* 124 (loadable) was lxstat */
464 auf_null, 0,
465 aui_null, AUE_NULL, aus_null, /* 125 (loadable) was fxstat */
466 auf_null, 0,
467 aui_null, AUE_NULL, aus_null, /* 126 (loadable) was xmknod */
468 auf_null, 0,
469 aui_null, AUE_NULL, aus_null, /* 127 mmapobj */
470 auf_null, 0,
471 aui_null, AUE_SETRLIMIT, aus_null, /* 128 setrlimit */
472 auf_null, 0,
473 aui_null, AUE_NULL, aus_null, /* 129 getrlimit */
474 auf_null, 0,
475 aui_null, AUE_LCHOWN, aus_lchown, /* 130 lchown */
476 auf_null, 0,
477 aui_memcntl, AUE_MEMCNTL, aus_memcntl, /* 131 memcntl */
478 auf_null, 0,
479 aui_null, AUE_GETPMSG, aus_getpmsg, /* 132 getpmsg */
480 auf_null, 0,
481 aui_null, AUE_PUTPMSG, aus_putpmsg, /* 133 putpmsg */
482 auf_null, 0,
483 aui_null, AUE_RENAME, aus_null, /* 134 rename */
484 auf_null, 0,
485 aui_null, AUE_NULL, aus_null, /* 135 uname */
486 auf_null, 0,
487 aui_null, AUE_SETEGID, aus_setegid, /* 136 setegid */
488 auf_null, 0,
489 aui_null, AUE_NULL, aus_null, /* 137 sysconfig */
490 auf_null, 0,
491 aui_null, AUE_ADJTIME, aus_null, /* 138 adjtime */
492 auf_null, 0,
493 aui_sysinfo, AUE_SYSINFO, aus_sysinfo, /* 139 systeminfo */
494 auf_null, 0,
495 aui_null, AUE_NULL, aus_null, /* 140 (loadable) sharefs */
496 auf_null, 0,
497 aui_null, AUE_SETEUID, aus_seteuid, /* 141 seteuid */
498 auf_null, 0,
499 aui_forksys, AUE_NULL, aus_null, /* 142 forksys */
500 auf_null, 0,
501 aui_null, AUE_NULL, aus_null, /* 143 (loadable) was fork1 */
502 auf_null, 0,
503 aui_null, AUE_NULL, aus_null, /* 144 sigwait */
504 auf_null, 0,
505 aui_null, AUE_NULL, aus_null, /* 145 lwp_info */
506 auf_null, 0,
507 aui_null, AUE_NULL, aus_null, /* 146 yield */
508 auf_null, 0,
509 aui_null, AUE_NULL, aus_null, /* 147 (loadable) */
510 /* was lwp_sema_wait */
511 auf_null, 0,
512 aui_null, AUE_NULL, aus_null, /* 148 lwp_sema_post */
513 auf_null, 0,
514 aui_null, AUE_NULL, aus_null, /* 149 lwp_sema_trywait */
515 auf_null, 0,
516 aui_null, AUE_NULL, aus_null, /* 150 lwp_detach */
517 auf_null, 0,
518 aui_null, AUE_NULL, aus_null, /* 151 corectl */
519 auf_null, 0,
520 aui_modctl, AUE_MODCTL, aus_modctl, /* 152 modctl */
521 auf_null, 0,
522 aui_null, AUE_FCHROOT, aus_null, /* 153 fchroot */
523 auf_null, 0,
524 aui_null, AUE_NULL, aus_null, /* 154 (loadable) was utimes */
525 auf_null, 0,
526 aui_null, AUE_NULL, aus_null, /* 155 vhangup */
527 auf_null, 0,
528 aui_null, AUE_NULL, aus_null, /* 156 gettimeofday */
529 auf_null, 0,
530 aui_null, AUE_NULL, aus_null, /* 157 getitimer */
531 auf_null, 0,
532 aui_null, AUE_NULL, aus_null, /* 158 setitimer */
533 auf_null, 0,
534 aui_null, AUE_NULL, aus_null, /* 159 lwp_create */
535 auf_null, 0,
536 aui_null, AUE_NULL, aus_null, /* 160 lwp_exit */
537 auf_null, 0,
538 aui_null, AUE_NULL, aus_null, /* 161 lwp_suspend */
539 auf_null, 0,
540 aui_null, AUE_NULL, aus_null, /* 162 lwp_continue */
541 auf_null, 0,
542 aui_null, AUE_NULL, aus_null, /* 163 lwp_kill */
543 auf_null, 0,
544 aui_null, AUE_NULL, aus_null, /* 164 lwp_self */
545 auf_null, 0,
546 aui_null, AUE_NULL, aus_null, /* 165 lwp_sigmask */
547 auf_null, 0,
548 aui_null, AUE_NULL, aus_null, /* 166 lwp_private */
549 auf_null, 0,
550 aui_null, AUE_NULL, aus_null, /* 167 lwp_wait */
551 auf_null, 0,
552 aui_null, AUE_NULL, aus_null, /* 168 lwp_mutex_wakeup */
553 auf_null, 0,
554 aui_null, AUE_NULL, aus_null, /* 169 (loadable) */
555 /* was lwp_mutex_lock */
556 auf_null, 0,
557 aui_null, AUE_NULL, aus_null, /* 170 lwp_cond_wait */
558 auf_null, 0,
559 aui_null, AUE_NULL, aus_null, /* 171 lwp_cond_signal */
560 auf_null, 0,
561 aui_null, AUE_NULL, aus_null, /* 172 lwp_cond_broadcast */
562 auf_null, 0,
563 aui_null, AUE_READ, aus_null, /* 173 pread */
564 auf_read, S2E_PUB,
565 aui_null, AUE_WRITE, aus_null, /* 174 pwrite */
566 auf_write, 0,
567 aui_null, AUE_NULL, aus_null, /* 175 llseek */
568 auf_null, 0,
569 aui_null, AUE_INST_SYNC, aus_inst_sync, /* 176 (loadable) inst_sync */
570 auf_null, 0,
571 aui_null, AUE_BRANDSYS, aus_brandsys, /* 177 brandsys */
572 auf_null, 0,
573 aui_null, AUE_NULL, aus_null, /* 178 (loadable) kaio */
574 auf_null, 0,
575 aui_null, AUE_NULL, aus_null, /* 179 (loadable) cpc */
576 auf_null, 0,
577 aui_null, AUE_NULL, aus_null, /* 180 lgrpsys */
578 auf_null, 0,
579 aui_null, AUE_NULL, aus_null, /* 181 rusagesys */
580 auf_null, 0,
581 aui_portfs, AUE_PORTFS, aus_null, /* 182 (loadable) portfs */
582 auf_null, S2E_MLD,
583 aui_null, AUE_NULL, aus_null, /* 183 pollsys */
584 auf_null, 0,
585 aui_labelsys, AUE_NULL, aus_labelsys, /* 184 labelsys */
586 auf_null, 0,
587 aui_acl, AUE_ACLSET, aus_acl, /* 185 acl */
588 auf_null, 0,
589 aui_auditsys, AUE_AUDITSYS, aus_auditsys, /* 186 auditsys */
590 auf_null, 0,
591 aui_null, AUE_PROCESSOR_BIND, aus_processor_bind, /* 187 processor_bind */
592 auf_null, 0,
593 aui_null, AUE_NULL, aus_null, /* 188 processor_info */
594 auf_null, 0,
595 aui_null, AUE_P_ONLINE, aus_p_online, /* 189 p_online */
596 auf_null, 0,
597 aui_null, AUE_NULL, aus_sigqueue, /* 190 sigqueue */
598 auf_null, 0,
599 aui_null, AUE_NULL, aus_null, /* 191 clock_gettime */
600 auf_null, 0,
601 aui_null, AUE_CLOCK_SETTIME, aus_null, /* 192 clock_settime */
602 auf_null, 0,
603 aui_null, AUE_NULL, aus_null, /* 193 clock_getres */
604 auf_null, 0,
605 aui_null, AUE_NULL, aus_null, /* 194 timer_create */
606 auf_null, 0,
607 aui_null, AUE_NULL, aus_null, /* 195 timer_delete */
608 auf_null, 0,
609 aui_null, AUE_NULL, aus_null, /* 196 timer_settime */
610 auf_null, 0,
611 aui_null, AUE_NULL, aus_null, /* 197 timer_gettime */
612 auf_null, 0,
613 aui_null, AUE_NULL, aus_null, /* 198 timer_getoverrun */
614 auf_null, 0,
615 aui_null, AUE_NULL, aus_null, /* 199 nanosleep */
616 auf_null, 0,
617 aui_acl, AUE_FACLSET, aus_facl, /* 200 facl */
618 auf_null, 0,
619 aui_doorfs, AUE_DOORFS, aus_doorfs, /* 201 (loadable) doorfs */
620 auf_null, 0,
621 aui_null, AUE_SETREUID, aus_setreuid, /* 202 setreuid */
622 auf_null, 0,
623 aui_null, AUE_SETREGID, aus_setregid, /* 203 setregid */
624 auf_null, 0,
625 aui_null, AUE_NULL, aus_null, /* 204 install_utrap */
626 auf_null, 0,
627 aui_null, AUE_NULL, aus_null, /* 205 signotify */
628 auf_null, 0,
629 aui_null, AUE_NULL, aus_null, /* 206 schedctl */
630 auf_null, 0,
631 aui_null, AUE_NULL, aus_null, /* 207 (loadable) pset */
632 auf_null, 0,
633 aui_null, AUE_NULL, aus_null, /* 208 sparc_utrap_install */
634 auf_null, 0,
635 aui_null, AUE_NULL, aus_null, /* 209 resolvepath */
636 auf_null, 0,
637 aui_null, AUE_NULL, aus_null, /* 210 lwp_mutex_timedlock */
638 auf_null, 0,
639 aui_null, AUE_NULL, aus_null, /* 211 lwp_sema_timedwait */
640 auf_null, 0,
641 aui_null, AUE_NULL, aus_null, /* 212 lwp_rwlock_sys */
642 auf_null, 0,
643 aui_null, AUE_NULL, aus_null, /* 213 getdents64 */
644 auf_null, 0,
645 aui_null, AUE_MMAP, aus_mmap, /* 214 mmap64 */
646 auf_null, 0,
647 aui_null, AUE_STAT, aus_null, /* 215 stat64 */
648 auf_null, S2E_PUB,
649 aui_null, AUE_LSTAT, aus_null, /* 216 lstat64 */
650 auf_null, S2E_PUB,
651 aui_null, AUE_NULL, aus_null, /* 217 fstat64 */
652 auf_null, 0,
653 aui_null, AUE_STATVFS, aus_null, /* 218 statvfs64 */
654 auf_null, S2E_PUB,
655 aui_null, AUE_NULL, aus_null, /* 219 fstatvfs64 */
656 auf_null, 0,
657 aui_null, AUE_SETRLIMIT, aus_null, /* 220 setrlimit64 */
658 auf_null, 0,
659 aui_null, AUE_NULL, aus_null, /* 221 getrlimit64 */
660 auf_null, 0,
661 aui_null, AUE_READ, aus_null, /* 222 pread64 */
662 auf_read, S2E_PUB,
663 aui_null, AUE_WRITE, aus_null, /* 223 pwrite64 */
664 auf_write, 0,
665 aui_null, AUE_NULL, aus_null, /* 224 (loadable) was creat64 */
666 auf_null, 0,
667 aui_open, AUE_OPEN, aus_open, /* 225 open64 */
668 auf_null, S2E_SP,
669 aui_null, AUE_NULL, aus_null, /* 226 (loadable) rpcsys */
670 auf_null, 0,
671 aui_null, AUE_NULL, aus_null, /* 227 zone */
672 auf_null, 0,
673 aui_null, AUE_NULL, aus_null, /* 228 (loadable) autofssys */
674 auf_null, 0,
675 aui_null, AUE_NULL, aus_null, /* 229 getcwd */
676 auf_null, 0,
677 aui_null, AUE_SOCKET, aus_socket, /* 230 so_socket */
678 auf_null, 0,
679 aui_null, AUE_NULL, aus_null, /* 231 so_socketpair */
680 auf_null, 0,
681 aui_null, AUE_BIND, aus_null, /* 232 bind */
682 auf_bind, 0,
683 aui_null, AUE_NULL, aus_null, /* 233 listen */
684 auf_null, 0,
685 aui_null, AUE_ACCEPT, aus_null, /* 234 accept */
686 auf_accept, 0,
687 aui_null, AUE_CONNECT, aus_null, /* 235 connect */
688 auf_connect, 0,
689 aui_null, AUE_SHUTDOWN, aus_shutdown, /* 236 shutdown */
690 auf_null, 0,
691 aui_null, AUE_READ, aus_null, /* 237 recv */
692 auf_recv, 0,
693 aui_null, AUE_RECVFROM, aus_null, /* 238 recvfrom */
694 auf_recvfrom, 0,
695 aui_null, AUE_RECVMSG, aus_null, /* 239 recvmsg */
696 auf_recvmsg, 0,
697 aui_null, AUE_WRITE, aus_null, /* 240 send */
698 auf_send, 0,
699 aui_null, AUE_SENDMSG, aus_null, /* 241 sendmsg */
700 auf_sendmsg, 0,
701 aui_null, AUE_SENDTO, aus_null, /* 242 sendto */
702 auf_sendto, 0,
703 aui_null, AUE_NULL, aus_null, /* 243 getpeername */
704 auf_null, 0,
705 aui_null, AUE_NULL, aus_null, /* 244 getsockname */
706 auf_null, 0,
707 aui_null, AUE_NULL, aus_null, /* 245 getsockopt */
708 auf_null, 0,
709 aui_null, AUE_SETSOCKOPT, aus_null, /* 246 setsockopt */
710 auf_setsockopt, 0,
711 aui_null, AUE_SOCKCONFIG, aus_sockconfig, /* 247 sockconfig */
712 auf_null, 0,
713 aui_null, AUE_NULL, aus_null, /* 248 ntp_gettime */
714 auf_null, 0,
715 aui_null, AUE_NTP_ADJTIME, aus_null, /* 249 ntp_adjtime */
716 auf_null, 0,
717 aui_null, AUE_NULL, aus_null, /* 250 lwp_mutex_unlock */
718 auf_null, 0,
719 aui_null, AUE_NULL, aus_null, /* 251 lwp_mutex_trylock */
720 auf_null, 0,
721 aui_null, AUE_NULL, aus_null, /* 252 lwp_mutex_register */
722 auf_null, 0,
723 aui_null, AUE_NULL, aus_null, /* 253 cladm */
724 auf_null, 0,
725 aui_null, AUE_NULL, aus_null, /* 254 uucopy */
726 auf_null, 0,
727 aui_null, AUE_UMOUNT2, aus_umount2, /* 255 umount2 */
728 auf_null, 0
729 };
730
731 uint_t num_syscall = sizeof (audit_s2e) / sizeof (struct audit_s2e);
732
733
734 /* exit start function */
735 /*ARGSUSED*/
736 static void
aus_exit(struct t_audit_data * tad)737 aus_exit(struct t_audit_data *tad)
738 {
739 uint32_t rval;
740 struct a {
741 long rval;
742 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
743
744 rval = (uint32_t)uap->rval;
745 au_uwrite(au_to_arg32(1, "exit status", rval));
746 }
747
748 /* acct start function */
749 /*ARGSUSED*/
750 static void
aus_acct(struct t_audit_data * tad)751 aus_acct(struct t_audit_data *tad)
752 {
753 klwp_t *clwp = ttolwp(curthread);
754 uintptr_t fname;
755
756 struct a {
757 long fname; /* char * */
758 } *uap = (struct a *)clwp->lwp_ap;
759
760 fname = (uintptr_t)uap->fname;
761
762 if (fname == 0)
763 au_uwrite(au_to_arg32(1, "accounting off", (uint32_t)0));
764 }
765
766 /* chown start function */
767 /*ARGSUSED*/
768 static void
aus_chown(struct t_audit_data * tad)769 aus_chown(struct t_audit_data *tad)
770 {
771 klwp_t *clwp = ttolwp(curthread);
772 uint32_t uid, gid;
773
774 struct a {
775 long fname; /* char * */
776 long uid;
777 long gid;
778 } *uap = (struct a *)clwp->lwp_ap;
779
780 uid = (uint32_t)uap->uid;
781 gid = (uint32_t)uap->gid;
782
783 au_uwrite(au_to_arg32(2, "new file uid", uid));
784 au_uwrite(au_to_arg32(3, "new file gid", gid));
785 }
786
787 /* fchown start function */
788 /*ARGSUSED*/
789 static void
aus_fchown(struct t_audit_data * tad)790 aus_fchown(struct t_audit_data *tad)
791 {
792 klwp_t *clwp = ttolwp(curthread);
793 uint32_t uid, gid, fd;
794 struct file *fp;
795 struct vnode *vp;
796 struct f_audit_data *fad;
797
798 struct a {
799 long fd;
800 long uid;
801 long gid;
802 } *uap = (struct a *)clwp->lwp_ap;
803
804 fd = (uint32_t)uap->fd;
805 uid = (uint32_t)uap->uid;
806 gid = (uint32_t)uap->gid;
807
808 au_uwrite(au_to_arg32(2, "new file uid", uid));
809 au_uwrite(au_to_arg32(3, "new file gid", gid));
810
811 /*
812 * convert file pointer to file descriptor
813 * Note: fd ref count incremented here.
814 */
815 if ((fp = getf(fd)) == NULL)
816 return;
817
818 /* get path from file struct here */
819 fad = F2A(fp);
820 if (fad->fad_aupath != NULL) {
821 au_uwrite(au_to_path(fad->fad_aupath));
822 } else {
823 au_uwrite(au_to_arg32(1, "no path: fd", fd));
824 }
825
826 vp = fp->f_vnode;
827 audit_attributes(vp);
828
829 /* decrement file descriptor reference count */
830 releasef(fd);
831 }
832
833 /*ARGSUSED*/
834 static void
aus_lchown(struct t_audit_data * tad)835 aus_lchown(struct t_audit_data *tad)
836 {
837 klwp_t *clwp = ttolwp(curthread);
838 uint32_t uid, gid;
839
840
841 struct a {
842 long fname; /* char * */
843 long uid;
844 long gid;
845 } *uap = (struct a *)clwp->lwp_ap;
846
847 uid = (uint32_t)uap->uid;
848 gid = (uint32_t)uap->gid;
849
850 au_uwrite(au_to_arg32(2, "new file uid", uid));
851 au_uwrite(au_to_arg32(3, "new file gid", gid));
852 }
853
854 static au_event_t
aui_fchownat(au_event_t e)855 aui_fchownat(au_event_t e)
856 {
857 klwp_t *clwp = ttolwp(curthread);
858
859 struct a {
860 long fd;
861 long fname; /* char * */
862 long uid;
863 long gid;
864 long flags;
865 } *uap = (struct a *)clwp->lwp_ap;
866
867 if (uap->fname == NULL)
868 e = AUE_FCHOWN;
869 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
870 e = AUE_LCHOWN;
871 else
872 e = AUE_CHOWN;
873
874 return (e);
875 }
876
877 /*ARGSUSED*/
878 static void
aus_fchownat(struct t_audit_data * tad)879 aus_fchownat(struct t_audit_data *tad)
880 {
881 klwp_t *clwp = ttolwp(curthread);
882 uint32_t uid, gid;
883
884 struct a {
885 long fd;
886 long fname; /* char * */
887 long uid;
888 long gid;
889 long flags;
890 } *uap = (struct a *)clwp->lwp_ap;
891
892 uid = (uint32_t)uap->uid;
893 gid = (uint32_t)uap->gid;
894
895 au_uwrite(au_to_arg32(3, "new file uid", uid));
896 au_uwrite(au_to_arg32(4, "new file gid", gid));
897 }
898
899 /*ARGSUSED*/
900 static void
aus_chmod(struct t_audit_data * tad)901 aus_chmod(struct t_audit_data *tad)
902 {
903 klwp_t *clwp = ttolwp(curthread);
904 uint32_t fmode;
905
906 struct a {
907 long fname; /* char * */
908 long fmode;
909 } *uap = (struct a *)clwp->lwp_ap;
910
911 fmode = (uint32_t)uap->fmode;
912
913 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
914 }
915
916 /*ARGSUSED*/
917 static void
aus_fchmod(struct t_audit_data * tad)918 aus_fchmod(struct t_audit_data *tad)
919 {
920 klwp_t *clwp = ttolwp(curthread);
921 uint32_t fmode, fd;
922 struct file *fp;
923 struct vnode *vp;
924 struct f_audit_data *fad;
925
926 struct a {
927 long fd;
928 long fmode;
929 } *uap = (struct a *)clwp->lwp_ap;
930
931 fd = (uint32_t)uap->fd;
932 fmode = (uint32_t)uap->fmode;
933
934 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
935
936 /*
937 * convert file pointer to file descriptor
938 * Note: fd ref count incremented here.
939 */
940 if ((fp = getf(fd)) == NULL)
941 return;
942
943 /* get path from file struct here */
944 fad = F2A(fp);
945 if (fad->fad_aupath != NULL) {
946 au_uwrite(au_to_path(fad->fad_aupath));
947 } else {
948 au_uwrite(au_to_arg32(1, "no path: fd", fd));
949 }
950
951 vp = fp->f_vnode;
952 audit_attributes(vp);
953
954 /* decrement file descriptor reference count */
955 releasef(fd);
956 }
957
958 static au_event_t
aui_fchmodat(au_event_t e)959 aui_fchmodat(au_event_t e)
960 {
961 klwp_t *clwp = ttolwp(curthread);
962
963 struct a {
964 long fd;
965 long fname; /* char * */
966 long fmode;
967 long flag;
968 } *uap = (struct a *)clwp->lwp_ap;
969
970 if (uap->fname == NULL)
971 e = AUE_FCHMOD;
972 else
973 e = AUE_CHMOD;
974
975 return (e);
976 }
977
978 /*ARGSUSED*/
979 static void
aus_fchmodat(struct t_audit_data * tad)980 aus_fchmodat(struct t_audit_data *tad)
981 {
982 klwp_t *clwp = ttolwp(curthread);
983 uint32_t fmode;
984 uint32_t fd;
985 struct file *fp;
986 struct vnode *vp;
987 struct f_audit_data *fad;
988
989 struct a {
990 long fd;
991 long fname; /* char * */
992 long fmode;
993 long flag;
994 } *uap = (struct a *)clwp->lwp_ap;
995
996 fd = (uint32_t)uap->fd;
997 fmode = (uint32_t)uap->fmode;
998
999 au_uwrite(au_to_arg32(2, "new file mode", fmode&07777));
1000
1001 if (fd == AT_FDCWD || uap->fname != NULL) /* same as chmod() */
1002 return;
1003
1004 /*
1005 * convert file pointer to file descriptor
1006 * Note: fd ref count incremented here.
1007 */
1008 if ((fp = getf(fd)) == NULL)
1009 return;
1010
1011 /* get path from file struct here */
1012 fad = F2A(fp);
1013 if (fad->fad_aupath != NULL) {
1014 au_uwrite(au_to_path(fad->fad_aupath));
1015 } else {
1016 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1017 }
1018
1019 vp = fp->f_vnode;
1020 audit_attributes(vp);
1021
1022 /* decrement file descriptor reference count */
1023 releasef(fd);
1024 }
1025
1026 /*
1027 * convert open mode to appropriate open event
1028 */
1029 au_event_t
open_event(uint_t fm)1030 open_event(uint_t fm)
1031 {
1032 au_event_t e;
1033
1034 switch (fm & (O_ACCMODE | O_CREAT | O_TRUNC)) {
1035 case O_RDONLY:
1036 e = AUE_OPEN_R;
1037 break;
1038 case O_RDONLY | O_CREAT:
1039 e = AUE_OPEN_RC;
1040 break;
1041 case O_RDONLY | O_TRUNC:
1042 e = AUE_OPEN_RT;
1043 break;
1044 case O_RDONLY | O_TRUNC | O_CREAT:
1045 e = AUE_OPEN_RTC;
1046 break;
1047 case O_WRONLY:
1048 e = AUE_OPEN_W;
1049 break;
1050 case O_WRONLY | O_CREAT:
1051 e = AUE_OPEN_WC;
1052 break;
1053 case O_WRONLY | O_TRUNC:
1054 e = AUE_OPEN_WT;
1055 break;
1056 case O_WRONLY | O_TRUNC | O_CREAT:
1057 e = AUE_OPEN_WTC;
1058 break;
1059 case O_RDWR:
1060 e = AUE_OPEN_RW;
1061 break;
1062 case O_RDWR | O_CREAT:
1063 e = AUE_OPEN_RWC;
1064 break;
1065 case O_RDWR | O_TRUNC:
1066 e = AUE_OPEN_RWT;
1067 break;
1068 case O_RDWR | O_TRUNC | O_CREAT:
1069 e = AUE_OPEN_RWTC;
1070 break;
1071 case O_SEARCH:
1072 e = AUE_OPEN_S;
1073 break;
1074 case O_EXEC:
1075 e = AUE_OPEN_E;
1076 break;
1077 default:
1078 e = AUE_NULL;
1079 break;
1080 }
1081
1082 return (e);
1083 }
1084
1085 /* ARGSUSED */
1086 static au_event_t
aui_open(au_event_t e)1087 aui_open(au_event_t e)
1088 {
1089 klwp_t *clwp = ttolwp(curthread);
1090 uint_t fm;
1091
1092 struct a {
1093 long fnamep; /* char * */
1094 long fmode;
1095 long cmode;
1096 } *uap = (struct a *)clwp->lwp_ap;
1097
1098 fm = (uint_t)uap->fmode;
1099
1100 return (open_event(fm));
1101 }
1102
1103 static void
aus_open(struct t_audit_data * tad)1104 aus_open(struct t_audit_data *tad)
1105 {
1106 klwp_t *clwp = ttolwp(curthread);
1107 uint_t fm;
1108
1109 struct a {
1110 long fnamep; /* char * */
1111 long fmode;
1112 long cmode;
1113 } *uap = (struct a *)clwp->lwp_ap;
1114
1115 fm = (uint_t)uap->fmode;
1116
1117 /* If no write, create, or trunc modes, mark as a public op */
1118 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1119 tad->tad_ctrl |= TAD_PUBLIC_EV;
1120 }
1121
1122 /* ARGSUSED */
1123 static au_event_t
aui_openat(au_event_t e)1124 aui_openat(au_event_t e)
1125 {
1126 t_audit_data_t *tad = T2A(curthread);
1127 klwp_t *clwp = ttolwp(curthread);
1128 uint_t fm;
1129
1130 struct a {
1131 long filedes;
1132 long fnamep; /* char * */
1133 long fmode;
1134 long cmode;
1135 } *uap = (struct a *)clwp->lwp_ap;
1136
1137 fm = (uint_t)uap->fmode;
1138
1139 /*
1140 * __openattrdirat() does an extra pathname lookup in order to
1141 * enter the extended system attribute namespace of the referenced
1142 * extended attribute filename.
1143 */
1144 if (fm & FXATTRDIROPEN)
1145 tad->tad_ctrl |= TAD_MLD;
1146
1147 return (open_event(fm));
1148 }
1149
1150 static void
aus_openat(struct t_audit_data * tad)1151 aus_openat(struct t_audit_data *tad)
1152 {
1153 klwp_t *clwp = ttolwp(curthread);
1154 uint_t fm;
1155
1156 struct a {
1157 long filedes;
1158 long fnamep; /* char * */
1159 long fmode;
1160 long cmode;
1161 } *uap = (struct a *)clwp->lwp_ap;
1162
1163 fm = (uint_t)uap->fmode;
1164
1165 /* If no write, create, or trunc modes, mark as a public op */
1166 if ((fm & (O_RDONLY|O_WRONLY|O_RDWR|O_CREAT|O_TRUNC)) == O_RDONLY)
1167 tad->tad_ctrl |= TAD_PUBLIC_EV;
1168 }
1169
1170 static au_event_t
aui_unlinkat(au_event_t e)1171 aui_unlinkat(au_event_t e)
1172 {
1173 klwp_t *clwp = ttolwp(curthread);
1174
1175 struct a {
1176 long filedes;
1177 long fnamep; /* char * */
1178 long flags;
1179 } *uap = (struct a *)clwp->lwp_ap;
1180
1181 if (uap->flags & AT_REMOVEDIR)
1182 e = AUE_RMDIR;
1183 else
1184 e = AUE_UNLINK;
1185
1186 return (e);
1187 }
1188
1189 static au_event_t
aui_fstatat(au_event_t e)1190 aui_fstatat(au_event_t e)
1191 {
1192 klwp_t *clwp = ttolwp(curthread);
1193
1194 struct a {
1195 long filedes;
1196 long fnamep; /* char * */
1197 long statb;
1198 long flags;
1199 } *uap = (struct a *)clwp->lwp_ap;
1200
1201 if (uap->fnamep == NULL)
1202 e = AUE_FSTAT;
1203 else if (uap->flags & AT_SYMLINK_NOFOLLOW)
1204 e = AUE_LSTAT;
1205 else
1206 e = AUE_STAT;
1207
1208 return (e);
1209 }
1210
1211 /* msgsys */
1212 static au_event_t
aui_msgsys(au_event_t e)1213 aui_msgsys(au_event_t e)
1214 {
1215 klwp_t *clwp = ttolwp(curthread);
1216 uint_t fm;
1217
1218 struct a {
1219 long id; /* function code id */
1220 long ap; /* arg pointer for recvmsg */
1221 } *uap = (struct a *)clwp->lwp_ap;
1222
1223 struct b {
1224 long msgid;
1225 long cmd;
1226 long buf; /* struct msqid_ds * */
1227 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1228
1229 fm = (uint_t)uap->id;
1230
1231 switch (fm) {
1232 case 0: /* msgget */
1233 e = AUE_MSGGET;
1234 break;
1235 case 1: /* msgctl */
1236 switch ((uint_t)uap1->cmd) {
1237 case IPC_RMID:
1238 e = AUE_MSGCTL_RMID;
1239 break;
1240 case IPC_SET:
1241 e = AUE_MSGCTL_SET;
1242 break;
1243 case IPC_STAT:
1244 e = AUE_MSGCTL_STAT;
1245 break;
1246 default:
1247 e = AUE_MSGCTL;
1248 break;
1249 }
1250 break;
1251 case 2: /* msgrcv */
1252 e = AUE_MSGRCV;
1253 break;
1254 case 3: /* msgsnd */
1255 e = AUE_MSGSND;
1256 break;
1257 default: /* illegal system call */
1258 e = AUE_NULL;
1259 break;
1260 }
1261
1262 return (e);
1263 }
1264
1265
1266 /* shmsys */
1267 static au_event_t
aui_shmsys(au_event_t e)1268 aui_shmsys(au_event_t e)
1269 {
1270 klwp_t *clwp = ttolwp(curthread);
1271 int fm;
1272
1273 struct a { /* shmsys */
1274 long id; /* function code id */
1275 } *uap = (struct a *)clwp->lwp_ap;
1276
1277 struct b { /* ctrl */
1278 long shmid;
1279 long cmd;
1280 long arg; /* struct shmid_ds * */
1281 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1282 fm = (uint_t)uap->id;
1283
1284 switch (fm) {
1285 case 0: /* shmat */
1286 e = AUE_SHMAT;
1287 break;
1288 case 1: /* shmctl */
1289 switch ((uint_t)uap1->cmd) {
1290 case IPC_RMID:
1291 e = AUE_SHMCTL_RMID;
1292 break;
1293 case IPC_SET:
1294 e = AUE_SHMCTL_SET;
1295 break;
1296 case IPC_STAT:
1297 e = AUE_SHMCTL_STAT;
1298 break;
1299 default:
1300 e = AUE_SHMCTL;
1301 break;
1302 }
1303 break;
1304 case 2: /* shmdt */
1305 e = AUE_SHMDT;
1306 break;
1307 case 3: /* shmget */
1308 e = AUE_SHMGET;
1309 break;
1310 default: /* illegal system call */
1311 e = AUE_NULL;
1312 break;
1313 }
1314
1315 return (e);
1316 }
1317
1318
1319 /* semsys */
1320 static au_event_t
aui_semsys(au_event_t e)1321 aui_semsys(au_event_t e)
1322 {
1323 klwp_t *clwp = ttolwp(curthread);
1324 uint_t fm;
1325
1326 struct a { /* semsys */
1327 long id;
1328 } *uap = (struct a *)clwp->lwp_ap;
1329
1330 struct b { /* ctrl */
1331 long semid;
1332 long semnum;
1333 long cmd;
1334 long arg;
1335 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1336
1337 fm = (uint_t)uap->id;
1338
1339 switch (fm) {
1340 case 0: /* semctl */
1341 switch ((uint_t)uap1->cmd) {
1342 case IPC_RMID:
1343 e = AUE_SEMCTL_RMID;
1344 break;
1345 case IPC_SET:
1346 e = AUE_SEMCTL_SET;
1347 break;
1348 case IPC_STAT:
1349 e = AUE_SEMCTL_STAT;
1350 break;
1351 case GETNCNT:
1352 e = AUE_SEMCTL_GETNCNT;
1353 break;
1354 case GETPID:
1355 e = AUE_SEMCTL_GETPID;
1356 break;
1357 case GETVAL:
1358 e = AUE_SEMCTL_GETVAL;
1359 break;
1360 case GETALL:
1361 e = AUE_SEMCTL_GETALL;
1362 break;
1363 case GETZCNT:
1364 e = AUE_SEMCTL_GETZCNT;
1365 break;
1366 case SETVAL:
1367 e = AUE_SEMCTL_SETVAL;
1368 break;
1369 case SETALL:
1370 e = AUE_SEMCTL_SETALL;
1371 break;
1372 default:
1373 e = AUE_SEMCTL;
1374 break;
1375 }
1376 break;
1377 case 1: /* semget */
1378 e = AUE_SEMGET;
1379 break;
1380 case 2: /* semop */
1381 e = AUE_SEMOP;
1382 break;
1383 default: /* illegal system call */
1384 e = AUE_NULL;
1385 break;
1386 }
1387
1388 return (e);
1389 }
1390
1391 /* utssys - uname(2), ustat(2), fusers(2) */
1392 static au_event_t
aui_utssys(au_event_t e)1393 aui_utssys(au_event_t e)
1394 {
1395 klwp_t *clwp = ttolwp(curthread);
1396 uint_t type;
1397
1398 struct a {
1399 union {
1400 long cbuf; /* char * */
1401 long ubuf; /* struct stat * */
1402 } ub;
1403 union {
1404 long mv; /* for USTAT */
1405 long flags; /* for FUSERS */
1406 } un;
1407 long type;
1408 long outbp; /* char * for FUSERS */
1409 } *uap = (struct a *)clwp->lwp_ap;
1410
1411 type = (uint_t)uap->type;
1412
1413 if (type == UTS_FUSERS)
1414 return (e);
1415 else
1416 return ((au_event_t)AUE_NULL);
1417 }
1418
1419 static au_event_t
aui_fcntl(au_event_t e)1420 aui_fcntl(au_event_t e)
1421 {
1422 klwp_t *clwp = ttolwp(curthread);
1423 uint_t cmd;
1424
1425 struct a {
1426 long fdes;
1427 long cmd;
1428 long arg;
1429 } *uap = (struct a *)clwp->lwp_ap;
1430
1431 cmd = (uint_t)uap->cmd;
1432
1433 switch (cmd) {
1434 case F_GETLK:
1435 case F_SETLK:
1436 case F_SETLKW:
1437 break;
1438 case F_SETFL:
1439 case F_GETFL:
1440 case F_GETFD:
1441 break;
1442 default:
1443 e = (au_event_t)AUE_NULL;
1444 break;
1445 }
1446 return ((au_event_t)e);
1447 }
1448
1449 /* null function for now */
1450 static au_event_t
aui_execve(au_event_t e)1451 aui_execve(au_event_t e)
1452 {
1453 return (e);
1454 }
1455
1456 /*ARGSUSED*/
1457 static void
aus_fcntl(struct t_audit_data * tad)1458 aus_fcntl(struct t_audit_data *tad)
1459 {
1460 klwp_t *clwp = ttolwp(curthread);
1461 uint32_t cmd, fd, flags;
1462 struct file *fp;
1463 struct vnode *vp;
1464 struct f_audit_data *fad;
1465
1466 struct a {
1467 long fd;
1468 long cmd;
1469 long arg;
1470 } *uap = (struct a *)clwp->lwp_ap;
1471
1472 cmd = (uint32_t)uap->cmd;
1473 fd = (uint32_t)uap->fd;
1474 flags = (uint32_t)uap->arg;
1475
1476 au_uwrite(au_to_arg32(2, "cmd", cmd));
1477
1478 if (cmd == F_SETFL)
1479 au_uwrite(au_to_arg32(3, "flags", flags));
1480
1481 /*
1482 * convert file pointer to file descriptor
1483 * Note: fd ref count incremented here.
1484 */
1485 if ((fp = getf(fd)) == NULL)
1486 return;
1487
1488 /* get path from file struct here */
1489 fad = F2A(fp);
1490 if (fad->fad_aupath != NULL) {
1491 au_uwrite(au_to_path(fad->fad_aupath));
1492 } else {
1493 au_uwrite(au_to_arg32(1, "no path: fd", fd));
1494 }
1495
1496 vp = fp->f_vnode;
1497 audit_attributes(vp);
1498
1499 /* decrement file descriptor reference count */
1500 releasef(fd);
1501 }
1502
1503 /*ARGSUSED*/
1504 static void
aus_kill(struct t_audit_data * tad)1505 aus_kill(struct t_audit_data *tad)
1506 {
1507 klwp_t *clwp = ttolwp(curthread);
1508 struct proc *p;
1509 uint32_t signo;
1510 uid_t uid, ruid;
1511 gid_t gid, rgid;
1512 pid_t pid;
1513 const auditinfo_addr_t *ainfo;
1514 cred_t *cr;
1515
1516 struct a {
1517 long pid;
1518 long signo;
1519 } *uap = (struct a *)clwp->lwp_ap;
1520
1521 pid = (pid_t)uap->pid;
1522 signo = (uint32_t)uap->signo;
1523
1524 au_uwrite(au_to_arg32(2, "signal", signo));
1525 if (pid > 0) {
1526 mutex_enter(&pidlock);
1527 if (((p = prfind(pid)) == (struct proc *)0) ||
1528 (p->p_stat == SIDL)) {
1529 mutex_exit(&pidlock);
1530 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1531 return;
1532 }
1533 mutex_enter(&p->p_lock); /* so process doesn't go away */
1534 mutex_exit(&pidlock);
1535
1536 mutex_enter(&p->p_crlock);
1537 crhold(cr = p->p_cred);
1538 mutex_exit(&p->p_crlock);
1539 mutex_exit(&p->p_lock);
1540
1541 ainfo = crgetauinfo(cr);
1542 if (ainfo == NULL) {
1543 crfree(cr);
1544 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1545 return;
1546 }
1547
1548 uid = crgetuid(cr);
1549 gid = crgetgid(cr);
1550 ruid = crgetruid(cr);
1551 rgid = crgetrgid(cr);
1552 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
1553 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
1554
1555 if (is_system_labeled())
1556 au_uwrite(au_to_label(CR_SL(cr)));
1557
1558 crfree(cr);
1559 }
1560 else
1561 au_uwrite(au_to_arg32(1, "process", (uint32_t)pid));
1562 }
1563
1564 /*ARGSUSED*/
1565 static void
aus_mkdir(struct t_audit_data * tad)1566 aus_mkdir(struct t_audit_data *tad)
1567 {
1568 klwp_t *clwp = ttolwp(curthread);
1569 uint32_t dmode;
1570
1571 struct a {
1572 long dirnamep; /* char * */
1573 long dmode;
1574 } *uap = (struct a *)clwp->lwp_ap;
1575
1576 dmode = (uint32_t)uap->dmode;
1577
1578 au_uwrite(au_to_arg32(2, "mode", dmode));
1579 }
1580
1581 /*ARGSUSED*/
1582 static void
aus_mkdirat(struct t_audit_data * tad)1583 aus_mkdirat(struct t_audit_data *tad)
1584 {
1585 klwp_t *clwp = ttolwp(curthread);
1586 uint32_t dmode;
1587
1588 struct a {
1589 long fd;
1590 long dirnamep; /* char * */
1591 long dmode;
1592 } *uap = (struct a *)clwp->lwp_ap;
1593
1594 dmode = (uint32_t)uap->dmode;
1595
1596 au_uwrite(au_to_arg32(2, "mode", dmode));
1597 }
1598
1599 /*ARGSUSED*/
1600 static void
aus_mknod(struct t_audit_data * tad)1601 aus_mknod(struct t_audit_data *tad)
1602 {
1603 klwp_t *clwp = ttolwp(curthread);
1604 uint32_t fmode;
1605 dev_t dev;
1606
1607 struct a {
1608 long pnamep; /* char * */
1609 long fmode;
1610 long dev;
1611 } *uap = (struct a *)clwp->lwp_ap;
1612
1613 fmode = (uint32_t)uap->fmode;
1614 dev = (dev_t)uap->dev;
1615
1616 au_uwrite(au_to_arg32(2, "mode", fmode));
1617 #ifdef _LP64
1618 au_uwrite(au_to_arg64(3, "dev", dev));
1619 #else
1620 au_uwrite(au_to_arg32(3, "dev", dev));
1621 #endif
1622 }
1623
1624 /*ARGSUSED*/
1625 static void
auf_mknod(struct t_audit_data * tad,int error,rval_t * rval)1626 auf_mknod(struct t_audit_data *tad, int error, rval_t *rval)
1627 {
1628 klwp_t *clwp = ttolwp(curthread);
1629 vnode_t *dvp;
1630 caddr_t pnamep;
1631
1632 struct a {
1633 long pnamep; /* char * */
1634 long fmode;
1635 long dev;
1636 } *uap = (struct a *)clwp->lwp_ap;
1637
1638 /* no error, then already path token in audit record */
1639 if (error != EPERM && error != EINVAL)
1640 return;
1641
1642 /* do the lookup to force generation of path token */
1643 pnamep = (caddr_t)uap->pnamep;
1644 tad->tad_ctrl |= TAD_NOATTRB;
1645 error = lookupname(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP);
1646 if (error == 0)
1647 VN_RELE(dvp);
1648 }
1649
1650 /*ARGSUSED*/
1651 static void
aus_mknodat(struct t_audit_data * tad)1652 aus_mknodat(struct t_audit_data *tad)
1653 {
1654 klwp_t *clwp = ttolwp(curthread);
1655 uint32_t fmode;
1656 dev_t dev;
1657
1658 struct a {
1659 long fd;
1660 long pnamep; /* char * */
1661 long fmode;
1662 long dev;
1663 } *uap = (struct a *)clwp->lwp_ap;
1664
1665 fmode = (uint32_t)uap->fmode;
1666 dev = (dev_t)uap->dev;
1667
1668 au_uwrite(au_to_arg32(2, "mode", fmode));
1669 #ifdef _LP64
1670 au_uwrite(au_to_arg64(3, "dev", dev));
1671 #else
1672 au_uwrite(au_to_arg32(3, "dev", dev));
1673 #endif
1674 }
1675
1676 /*ARGSUSED*/
1677 static void
auf_mknodat(struct t_audit_data * tad,int error,rval_t * rval)1678 auf_mknodat(struct t_audit_data *tad, int error, rval_t *rval)
1679 {
1680 klwp_t *clwp = ttolwp(curthread);
1681 vnode_t *startvp;
1682 vnode_t *dvp;
1683 caddr_t pnamep;
1684 int fd;
1685
1686 struct a {
1687 long fd;
1688 long pnamep; /* char * */
1689 long fmode;
1690 long dev;
1691 } *uap = (struct a *)clwp->lwp_ap;
1692
1693 /* no error, then already path token in audit record */
1694 if (error != EPERM && error != EINVAL)
1695 return;
1696
1697 /* do the lookup to force generation of path token */
1698 fd = (int)uap->fd;
1699 pnamep = (caddr_t)uap->pnamep;
1700 if (pnamep == NULL ||
1701 fgetstartvp(fd, pnamep, &startvp) != 0)
1702 return;
1703 tad->tad_ctrl |= TAD_NOATTRB;
1704 error = lookupnameat(pnamep, UIO_USERSPACE, NO_FOLLOW, &dvp, NULLVPP,
1705 startvp);
1706 if (error == 0)
1707 VN_RELE(dvp);
1708 if (startvp != NULL)
1709 VN_RELE(startvp);
1710 }
1711
1712 /*ARGSUSED*/
1713 static void
aus_mount(struct t_audit_data * tad)1714 aus_mount(struct t_audit_data *tad)
1715 { /* AUS_START */
1716 klwp_t *clwp = ttolwp(curthread);
1717 uint32_t flags;
1718 uintptr_t u_fstype, dataptr;
1719 STRUCT_DECL(nfs_args, nfsargs);
1720 size_t len;
1721 char *fstype, *hostname;
1722
1723 struct a {
1724 long spec; /* char * */
1725 long dir; /* char * */
1726 long flags;
1727 long fstype; /* char * */
1728 long dataptr; /* char * */
1729 long datalen;
1730 } *uap = (struct a *)clwp->lwp_ap;
1731
1732 u_fstype = (uintptr_t)uap->fstype;
1733 flags = (uint32_t)uap->flags;
1734 dataptr = (uintptr_t)uap->dataptr;
1735
1736 fstype = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1737 if (copyinstr((caddr_t)u_fstype, (caddr_t)fstype, MAXNAMELEN, &len))
1738 goto mount_free_fstype;
1739
1740 au_uwrite(au_to_arg32(3, "flags", flags));
1741 au_uwrite(au_to_text(fstype));
1742
1743 if (strncmp(fstype, "nfs", 3) == 0) {
1744
1745 STRUCT_INIT(nfsargs, get_udatamodel());
1746 bzero(STRUCT_BUF(nfsargs), STRUCT_SIZE(nfsargs));
1747
1748 if (copyin((caddr_t)dataptr,
1749 STRUCT_BUF(nfsargs),
1750 MIN(uap->datalen, STRUCT_SIZE(nfsargs)))) {
1751 /* DEBUG debug_enter((char *)NULL); */
1752 goto mount_free_fstype;
1753 }
1754 hostname = kmem_alloc(MAXNAMELEN, KM_SLEEP);
1755 if (copyinstr(STRUCT_FGETP(nfsargs, hostname),
1756 (caddr_t)hostname,
1757 MAXNAMELEN, &len)) {
1758 goto mount_free_hostname;
1759 }
1760 au_uwrite(au_to_text(hostname));
1761 au_uwrite(au_to_arg32(3, "internal flags",
1762 (uint_t)STRUCT_FGET(nfsargs, flags)));
1763
1764 mount_free_hostname:
1765 kmem_free(hostname, MAXNAMELEN);
1766 }
1767
1768 mount_free_fstype:
1769 kmem_free(fstype, MAXNAMELEN);
1770 } /* AUS_MOUNT */
1771
1772 static void
aus_umount_path(caddr_t umount_dir)1773 aus_umount_path(caddr_t umount_dir)
1774 {
1775 char *dir_path;
1776 struct audit_path *path;
1777 size_t path_len, dir_len;
1778
1779 /* length alloc'd for two string pointers */
1780 path_len = sizeof (struct audit_path) + sizeof (char *);
1781 path = kmem_alloc(path_len, KM_SLEEP);
1782 dir_path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1783
1784 if (copyinstr(umount_dir, (caddr_t)dir_path,
1785 MAXPATHLEN, &dir_len))
1786 goto umount2_free_dir;
1787
1788 /*
1789 * the audit_path struct assumes that the buffer pointed to
1790 * by audp_sect[n] contains string 0 immediatedly followed
1791 * by string 1.
1792 */
1793 path->audp_sect[0] = dir_path;
1794 path->audp_sect[1] = dir_path + strlen(dir_path) + 1;
1795 path->audp_size = path_len;
1796 path->audp_ref = 1; /* not used */
1797 path->audp_cnt = 1; /* one path string */
1798
1799 au_uwrite(au_to_path(path));
1800
1801 umount2_free_dir:
1802 kmem_free(dir_path, MAXPATHLEN);
1803 kmem_free(path, path_len);
1804 }
1805
1806 /*ARGSUSED*/
1807 static void
aus_umount2(struct t_audit_data * tad)1808 aus_umount2(struct t_audit_data *tad)
1809 {
1810 klwp_t *clwp = ttolwp(curthread);
1811 struct a {
1812 long dir; /* char * */
1813 long flags;
1814 } *uap = (struct a *)clwp->lwp_ap;
1815
1816 aus_umount_path((caddr_t)uap->dir);
1817
1818 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
1819 }
1820
1821 static void
aus_msgsys(struct t_audit_data * tad)1822 aus_msgsys(struct t_audit_data *tad)
1823 {
1824 klwp_t *clwp = ttolwp(curthread);
1825 uint32_t msgid;
1826
1827 struct b {
1828 long msgid;
1829 long cmd;
1830 long buf; /* struct msqid_ds * */
1831 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1832
1833 msgid = (uint32_t)uap1->msgid;
1834
1835
1836 switch (tad->tad_event) {
1837 case AUE_MSGGET: /* msgget */
1838 au_uwrite(au_to_arg32(1, "msg key", msgid));
1839 break;
1840 case AUE_MSGCTL: /* msgctl */
1841 case AUE_MSGCTL_RMID: /* msgctl */
1842 case AUE_MSGCTL_SET: /* msgctl */
1843 case AUE_MSGCTL_STAT: /* msgctl */
1844 case AUE_MSGRCV: /* msgrcv */
1845 case AUE_MSGSND: /* msgsnd */
1846 au_uwrite(au_to_arg32(1, "msg ID", msgid));
1847 break;
1848 }
1849 }
1850
1851 /*ARGSUSED*/
1852 static void
auf_msgsys(struct t_audit_data * tad,int error,rval_t * rval)1853 auf_msgsys(struct t_audit_data *tad, int error, rval_t *rval)
1854 {
1855 int id;
1856
1857 if (error != 0)
1858 return;
1859 if (tad->tad_event == AUE_MSGGET) {
1860 uint32_t scid;
1861 uint32_t sy_flags;
1862
1863 /* need to determine type of executing binary */
1864 scid = tad->tad_scid;
1865 #ifdef _SYSCALL32_IMPL
1866 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1867 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1868 else
1869 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1870 #else
1871 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1872 #endif
1873 if (sy_flags == SE_32RVAL1)
1874 id = rval->r_val1;
1875 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1876 id = rval->r_val1;
1877 if (sy_flags == SE_64RVAL)
1878 id = (int)rval->r_vals;
1879
1880 au_uwrite(au_to_ipc(AT_IPC_MSG, id));
1881 }
1882 }
1883
1884 static void
aus_semsys(struct t_audit_data * tad)1885 aus_semsys(struct t_audit_data *tad)
1886 {
1887 klwp_t *clwp = ttolwp(curthread);
1888 uint32_t semid;
1889
1890 struct b { /* ctrl */
1891 long semid;
1892 long semnum;
1893 long cmd;
1894 long arg;
1895 } *uap1 = (struct b *)&clwp->lwp_ap[1];
1896
1897 semid = (uint32_t)uap1->semid;
1898
1899 switch (tad->tad_event) {
1900 case AUE_SEMCTL_RMID:
1901 case AUE_SEMCTL_STAT:
1902 case AUE_SEMCTL_GETNCNT:
1903 case AUE_SEMCTL_GETPID:
1904 case AUE_SEMCTL_GETVAL:
1905 case AUE_SEMCTL_GETALL:
1906 case AUE_SEMCTL_GETZCNT:
1907 case AUE_SEMCTL_SET:
1908 case AUE_SEMCTL_SETVAL:
1909 case AUE_SEMCTL_SETALL:
1910 case AUE_SEMCTL:
1911 case AUE_SEMOP:
1912 au_uwrite(au_to_arg32(1, "sem ID", semid));
1913 break;
1914 case AUE_SEMGET:
1915 au_uwrite(au_to_arg32(1, "sem key", semid));
1916 break;
1917 }
1918 }
1919
1920 /*ARGSUSED*/
1921 static void
auf_semsys(struct t_audit_data * tad,int error,rval_t * rval)1922 auf_semsys(struct t_audit_data *tad, int error, rval_t *rval)
1923 {
1924 int id;
1925
1926 if (error != 0)
1927 return;
1928 if (tad->tad_event == AUE_SEMGET) {
1929 uint32_t scid;
1930 uint32_t sy_flags;
1931
1932 /* need to determine type of executing binary */
1933 scid = tad->tad_scid;
1934 #ifdef _SYSCALL32_IMPL
1935 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
1936 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1937 else
1938 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
1939 #else
1940 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
1941 #endif
1942 if (sy_flags == SE_32RVAL1)
1943 id = rval->r_val1;
1944 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
1945 id = rval->r_val1;
1946 if (sy_flags == SE_64RVAL)
1947 id = (int)rval->r_vals;
1948
1949 au_uwrite(au_to_ipc(AT_IPC_SEM, id));
1950 }
1951 }
1952
1953 /*ARGSUSED*/
1954 static void
aus_close(struct t_audit_data * tad)1955 aus_close(struct t_audit_data *tad)
1956 {
1957 klwp_t *clwp = ttolwp(curthread);
1958 uint32_t fd;
1959 struct file *fp;
1960 struct f_audit_data *fad;
1961 struct vnode *vp;
1962 struct vattr attr;
1963 au_kcontext_t *kctx = GET_KCTX_PZ;
1964
1965 struct a {
1966 long i;
1967 } *uap = (struct a *)clwp->lwp_ap;
1968
1969 fd = (uint32_t)uap->i;
1970
1971 attr.va_mask = 0;
1972 au_uwrite(au_to_arg32(1, "fd", fd));
1973
1974 /*
1975 * convert file pointer to file descriptor
1976 * Note: fd ref count incremented here.
1977 */
1978 if ((fp = getf(fd)) == NULL)
1979 return;
1980
1981 fad = F2A(fp);
1982 tad->tad_evmod = (au_emod_t)fad->fad_flags;
1983 if (fad->fad_aupath != NULL) {
1984 au_uwrite(au_to_path(fad->fad_aupath));
1985 if ((vp = fp->f_vnode) != NULL) {
1986 attr.va_mask = AT_ALL;
1987 if (VOP_GETATTR(vp, &attr, 0, CRED(), NULL) == 0) {
1988 /*
1989 * When write was not used and the file can be
1990 * considered public, skip the audit.
1991 */
1992 if (((fp->f_flag & FWRITE) == 0) &&
1993 object_is_public(&attr)) {
1994 tad->tad_flag = 0;
1995 tad->tad_evmod = 0;
1996 /* free any residual audit data */
1997 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
1998 releasef(fd);
1999 return;
2000 }
2001 au_uwrite(au_to_attr(&attr));
2002 audit_sec_attributes(&(u_ad), vp);
2003 }
2004 }
2005 }
2006
2007 /* decrement file descriptor reference count */
2008 releasef(fd);
2009 }
2010
2011 /*ARGSUSED*/
2012 static void
aus_fstatfs(struct t_audit_data * tad)2013 aus_fstatfs(struct t_audit_data *tad)
2014 {
2015 klwp_t *clwp = ttolwp(curthread);
2016 uint32_t fd;
2017 struct file *fp;
2018 struct vnode *vp;
2019 struct f_audit_data *fad;
2020
2021 struct a {
2022 long fd;
2023 long buf; /* struct statfs * */
2024 } *uap = (struct a *)clwp->lwp_ap;
2025
2026 fd = (uint_t)uap->fd;
2027
2028 /*
2029 * convert file pointer to file descriptor
2030 * Note: fd ref count incremented here.
2031 */
2032 if ((fp = getf(fd)) == NULL)
2033 return;
2034
2035 /* get path from file struct here */
2036 fad = F2A(fp);
2037 if (fad->fad_aupath != NULL) {
2038 au_uwrite(au_to_path(fad->fad_aupath));
2039 } else {
2040 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2041 }
2042
2043 vp = fp->f_vnode;
2044 audit_attributes(vp);
2045
2046 /* decrement file descriptor reference count */
2047 releasef(fd);
2048 }
2049
2050 static au_event_t
aui_setpgrp(au_event_t e)2051 aui_setpgrp(au_event_t e)
2052 {
2053 klwp_t *clwp = ttolwp(curthread);
2054 int flag;
2055
2056 struct a {
2057 long flag;
2058 long pid;
2059 long pgid;
2060 } *uap = (struct a *)clwp->lwp_ap;
2061
2062 flag = (int)uap->flag;
2063
2064
2065 switch (flag) {
2066
2067 case 1: /* setpgrp() */
2068 e = AUE_SETPGRP;
2069 break;
2070
2071 case 3: /* setsid() */
2072 e = AUE_SETSID;
2073 break;
2074
2075 case 5: /* setpgid() */
2076 e = AUE_SETPGID;
2077 break;
2078
2079 case 0: /* getpgrp() - not security relevant */
2080 case 2: /* getsid() - not security relevant */
2081 case 4: /* getpgid() - not security relevant */
2082 e = AUE_NULL;
2083 break;
2084
2085 default:
2086 e = AUE_NULL;
2087 break;
2088 }
2089
2090 return (e);
2091 }
2092
2093 /*ARGSUSED*/
2094 static void
aus_setpgrp(struct t_audit_data * tad)2095 aus_setpgrp(struct t_audit_data *tad)
2096 {
2097 klwp_t *clwp = ttolwp(curthread);
2098 pid_t pgid;
2099 struct proc *p;
2100 uid_t uid, ruid;
2101 gid_t gid, rgid;
2102 pid_t pid;
2103 cred_t *cr;
2104 int flag;
2105 const auditinfo_addr_t *ainfo;
2106
2107 struct a {
2108 long flag;
2109 long pid;
2110 long pgid;
2111 } *uap = (struct a *)clwp->lwp_ap;
2112
2113 flag = (int)uap->flag;
2114 pid = (pid_t)uap->pid;
2115 pgid = (pid_t)uap->pgid;
2116
2117
2118 switch (flag) {
2119
2120 case 0: /* getpgrp() */
2121 case 1: /* setpgrp() */
2122 case 2: /* getsid() */
2123 case 3: /* setsid() */
2124 case 4: /* getpgid() */
2125 break;
2126
2127 case 5: /* setpgid() */
2128
2129 /* current process? */
2130 if (pid == 0) {
2131 return;
2132 }
2133
2134 mutex_enter(&pidlock);
2135 p = prfind(pid);
2136 if (p == NULL || p->p_as == &kas ||
2137 p->p_stat == SIDL || p->p_stat == SZOMB) {
2138 mutex_exit(&pidlock);
2139 return;
2140 }
2141 mutex_enter(&p->p_lock); /* so process doesn't go away */
2142 mutex_exit(&pidlock);
2143
2144 mutex_enter(&p->p_crlock);
2145 crhold(cr = p->p_cred);
2146 mutex_exit(&p->p_crlock);
2147 mutex_exit(&p->p_lock);
2148
2149 ainfo = crgetauinfo(cr);
2150 if (ainfo == NULL) {
2151 crfree(cr);
2152 return;
2153 }
2154
2155 uid = crgetuid(cr);
2156 gid = crgetgid(cr);
2157 ruid = crgetruid(cr);
2158 rgid = crgetrgid(cr);
2159 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
2160 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
2161 crfree(cr);
2162 au_uwrite(au_to_arg32(2, "pgid", pgid));
2163 break;
2164
2165 default:
2166 break;
2167 }
2168 }
2169
2170
2171 /*ARGSUSED*/
2172 static void
aus_setregid(struct t_audit_data * tad)2173 aus_setregid(struct t_audit_data *tad)
2174 {
2175 klwp_t *clwp = ttolwp(curthread);
2176 uint32_t rgid, egid;
2177
2178 struct a {
2179 long rgid;
2180 long egid;
2181 } *uap = (struct a *)clwp->lwp_ap;
2182
2183 rgid = (uint32_t)uap->rgid;
2184 egid = (uint32_t)uap->egid;
2185
2186 au_uwrite(au_to_arg32(1, "rgid", rgid));
2187 au_uwrite(au_to_arg32(2, "egid", egid));
2188 }
2189
2190 /*ARGSUSED*/
2191 static void
aus_setgid(struct t_audit_data * tad)2192 aus_setgid(struct t_audit_data *tad)
2193 {
2194 klwp_t *clwp = ttolwp(curthread);
2195 uint32_t gid;
2196
2197 struct a {
2198 long gid;
2199 } *uap = (struct a *)clwp->lwp_ap;
2200
2201 gid = (uint32_t)uap->gid;
2202
2203 au_uwrite(au_to_arg32(1, "gid", gid));
2204 }
2205
2206
2207 /*ARGSUSED*/
2208 static void
aus_setreuid(struct t_audit_data * tad)2209 aus_setreuid(struct t_audit_data *tad)
2210 {
2211 klwp_t *clwp = ttolwp(curthread);
2212 uint32_t ruid, euid;
2213
2214 struct a {
2215 long ruid;
2216 long euid;
2217 } *uap = (struct a *)clwp->lwp_ap;
2218
2219 ruid = (uint32_t)uap->ruid;
2220 euid = (uint32_t)uap->euid;
2221
2222 au_uwrite(au_to_arg32(1, "ruid", ruid));
2223 au_uwrite(au_to_arg32(2, "euid", euid));
2224 }
2225
2226
2227 /*ARGSUSED*/
2228 static void
aus_setuid(struct t_audit_data * tad)2229 aus_setuid(struct t_audit_data *tad)
2230 {
2231 klwp_t *clwp = ttolwp(curthread);
2232 uint32_t uid;
2233
2234 struct a {
2235 long uid;
2236 } *uap = (struct a *)clwp->lwp_ap;
2237
2238 uid = (uint32_t)uap->uid;
2239
2240 au_uwrite(au_to_arg32(1, "uid", uid));
2241 }
2242
2243 /*ARGSUSED*/
2244 static void
aus_shmsys(struct t_audit_data * tad)2245 aus_shmsys(struct t_audit_data *tad)
2246 {
2247 klwp_t *clwp = ttolwp(curthread);
2248 uint32_t id, cmd;
2249
2250 struct b {
2251 long id;
2252 long cmd;
2253 long buf; /* struct shmid_ds * */
2254 } *uap1 = (struct b *)&clwp->lwp_ap[1];
2255
2256 id = (uint32_t)uap1->id;
2257 cmd = (uint32_t)uap1->cmd;
2258
2259 switch (tad->tad_event) {
2260 case AUE_SHMGET: /* shmget */
2261 au_uwrite(au_to_arg32(1, "shm key", id));
2262 break;
2263 case AUE_SHMCTL: /* shmctl */
2264 case AUE_SHMCTL_RMID: /* shmctl */
2265 case AUE_SHMCTL_STAT: /* shmctl */
2266 case AUE_SHMCTL_SET: /* shmctl */
2267 au_uwrite(au_to_arg32(1, "shm ID", id));
2268 break;
2269 case AUE_SHMDT: /* shmdt */
2270 au_uwrite(au_to_arg32(1, "shm adr", id));
2271 break;
2272 case AUE_SHMAT: /* shmat */
2273 au_uwrite(au_to_arg32(1, "shm ID", id));
2274 au_uwrite(au_to_arg32(2, "shm adr", cmd));
2275 break;
2276 }
2277 }
2278
2279 /*ARGSUSED*/
2280 static void
auf_shmsys(struct t_audit_data * tad,int error,rval_t * rval)2281 auf_shmsys(struct t_audit_data *tad, int error, rval_t *rval)
2282 {
2283 int id;
2284
2285 if (error != 0)
2286 return;
2287 if (tad->tad_event == AUE_SHMGET) {
2288 uint32_t scid;
2289 uint32_t sy_flags;
2290
2291 /* need to determine type of executing binary */
2292 scid = tad->tad_scid;
2293 #ifdef _SYSCALL32_IMPL
2294 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
2295 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2296 else
2297 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
2298 #else
2299 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
2300 #endif
2301 if (sy_flags == SE_32RVAL1)
2302 id = rval->r_val1;
2303 if (sy_flags == (SE_32RVAL2|SE_32RVAL1))
2304 id = rval->r_val1;
2305 if (sy_flags == SE_64RVAL)
2306 id = (int)rval->r_vals;
2307 au_uwrite(au_to_ipc(AT_IPC_SHM, id));
2308 }
2309 }
2310
2311
2312 /*ARGSUSED*/
2313 static void
aus_ioctl(struct t_audit_data * tad)2314 aus_ioctl(struct t_audit_data *tad)
2315 {
2316 klwp_t *clwp = ttolwp(curthread);
2317 struct file *fp;
2318 struct vnode *vp;
2319 struct f_audit_data *fad;
2320 uint32_t fd, cmd;
2321 uintptr_t cmarg;
2322
2323 /* XX64 */
2324 struct a {
2325 long fd;
2326 long cmd;
2327 long cmarg; /* caddr_t */
2328 } *uap = (struct a *)clwp->lwp_ap;
2329
2330 fd = (uint32_t)uap->fd;
2331 cmd = (uint32_t)uap->cmd;
2332 cmarg = (uintptr_t)uap->cmarg;
2333
2334 /*
2335 * convert file pointer to file descriptor
2336 * Note: fd ref count incremented here.
2337 */
2338 if ((fp = getf(fd)) == NULL) {
2339 au_uwrite(au_to_arg32(1, "fd", fd));
2340 au_uwrite(au_to_arg32(2, "cmd", cmd));
2341 #ifndef _LP64
2342 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2343 #else
2344 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2345 #endif
2346 return;
2347 }
2348
2349 /* get path from file struct here */
2350 fad = F2A(fp);
2351 if (fad->fad_aupath != NULL) {
2352 au_uwrite(au_to_path(fad->fad_aupath));
2353 } else {
2354 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2355 }
2356
2357 vp = fp->f_vnode;
2358 audit_attributes(vp);
2359
2360 /* decrement file descriptor reference count */
2361 releasef(fd);
2362
2363 au_uwrite(au_to_arg32(2, "cmd", cmd));
2364 #ifndef _LP64
2365 au_uwrite(au_to_arg32(3, "arg", (uint32_t)cmarg));
2366 #else
2367 au_uwrite(au_to_arg64(3, "arg", (uint64_t)cmarg));
2368 #endif
2369 }
2370
2371 /*
2372 * null function for memcntl for now. We might want to limit memcntl()
2373 * auditing to commands: MC_LOCKAS, MC_LOCK, MC_UNLOCKAS, MC_UNLOCK which
2374 * require privileges.
2375 */
2376 static au_event_t
aui_memcntl(au_event_t e)2377 aui_memcntl(au_event_t e)
2378 {
2379 return (e);
2380 }
2381
2382 /*ARGSUSED*/
2383 static au_event_t
aui_privsys(au_event_t e)2384 aui_privsys(au_event_t e)
2385 {
2386 klwp_t *clwp = ttolwp(curthread);
2387
2388 struct a {
2389 long opcode;
2390 } *uap = (struct a *)clwp->lwp_ap;
2391
2392 switch (uap->opcode) {
2393 case PRIVSYS_SETPPRIV:
2394 return (AUE_SETPPRIV);
2395 default:
2396 return (AUE_NULL);
2397 }
2398 }
2399
2400 /*ARGSUSED*/
2401 static void
aus_memcntl(struct t_audit_data * tad)2402 aus_memcntl(struct t_audit_data *tad)
2403 {
2404 klwp_t *clwp = ttolwp(curthread);
2405
2406 struct a {
2407 long addr;
2408 long len;
2409 long cmd;
2410 long arg;
2411 long attr;
2412 long mask;
2413 } *uap = (struct a *)clwp->lwp_ap;
2414
2415 #ifdef _LP64
2416 au_uwrite(au_to_arg64(1, "base", (uint64_t)uap->addr));
2417 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2418 #else
2419 au_uwrite(au_to_arg32(1, "base", (uint32_t)uap->addr));
2420 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2421 #endif
2422 au_uwrite(au_to_arg32(3, "cmd", (uint_t)uap->cmd));
2423 #ifdef _LP64
2424 au_uwrite(au_to_arg64(4, "arg", (uint64_t)uap->arg));
2425 #else
2426 au_uwrite(au_to_arg32(4, "arg", (uint32_t)uap->arg));
2427 #endif
2428 au_uwrite(au_to_arg32(5, "attr", (uint_t)uap->attr));
2429 au_uwrite(au_to_arg32(6, "mask", (uint_t)uap->mask));
2430 }
2431
2432 /*ARGSUSED*/
2433 static void
aus_mmap(struct t_audit_data * tad)2434 aus_mmap(struct t_audit_data *tad)
2435 {
2436 klwp_t *clwp = ttolwp(curthread);
2437 struct file *fp;
2438 struct f_audit_data *fad;
2439 struct vnode *vp;
2440 uint32_t fd;
2441
2442 struct a {
2443 long addr;
2444 long len;
2445 long prot;
2446 long flags;
2447 long fd;
2448 long pos;
2449 } *uap = (struct a *)clwp->lwp_ap;
2450
2451 fd = (uint32_t)uap->fd;
2452
2453 #ifdef _LP64
2454 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2455 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2456 #else
2457 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2458 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2459 #endif
2460
2461 if ((fp = getf(fd)) == NULL) {
2462 au_uwrite(au_to_arg32(5, "fd", (uint32_t)uap->fd));
2463 return;
2464 }
2465
2466 /*
2467 * Mark in the tad if write access is NOT requested... if
2468 * this is later detected (in audit_attributes) to be a
2469 * public object, the mmap event may be discarded.
2470 */
2471 if (((uap->prot) & PROT_WRITE) == 0) {
2472 tad->tad_ctrl |= TAD_PUBLIC_EV;
2473 }
2474
2475 fad = F2A(fp);
2476 if (fad->fad_aupath != NULL) {
2477 au_uwrite(au_to_path(fad->fad_aupath));
2478 } else {
2479 au_uwrite(au_to_arg32(1, "no path: fd", fd));
2480 }
2481
2482 vp = (struct vnode *)fp->f_vnode;
2483 audit_attributes(vp);
2484
2485 /* mark READ/WRITE since we can't predict access */
2486 if (uap->prot & PROT_READ)
2487 fad->fad_flags |= FAD_READ;
2488 if (uap->prot & PROT_WRITE)
2489 fad->fad_flags |= FAD_WRITE;
2490
2491 /* decrement file descriptor reference count */
2492 releasef(fd);
2493
2494 } /* AUS_MMAP */
2495
2496
2497
2498
2499 /*ARGSUSED*/
2500 static void
aus_munmap(struct t_audit_data * tad)2501 aus_munmap(struct t_audit_data *tad)
2502 {
2503 klwp_t *clwp = ttolwp(curthread);
2504
2505 struct a {
2506 long addr;
2507 long len;
2508 } *uap = (struct a *)clwp->lwp_ap;
2509
2510 #ifdef _LP64
2511 au_uwrite(au_to_arg64(1, "addr", (uint64_t)uap->addr));
2512 au_uwrite(au_to_arg64(2, "len", (uint64_t)uap->len));
2513 #else
2514 au_uwrite(au_to_arg32(1, "addr", (uint32_t)uap->addr));
2515 au_uwrite(au_to_arg32(2, "len", (uint32_t)uap->len));
2516 #endif
2517
2518 } /* AUS_MUNMAP */
2519
2520
2521
2522
2523
2524
2525
2526 /*ARGSUSED*/
2527 static void
aus_priocntlsys(struct t_audit_data * tad)2528 aus_priocntlsys(struct t_audit_data *tad)
2529 {
2530 klwp_t *clwp = ttolwp(curthread);
2531
2532 struct a {
2533 long pc_version;
2534 long psp; /* procset_t */
2535 long cmd;
2536 long arg;
2537 } *uap = (struct a *)clwp->lwp_ap;
2538
2539 au_uwrite(au_to_arg32(1, "pc_version", (uint32_t)uap->pc_version));
2540 au_uwrite(au_to_arg32(3, "cmd", (uint32_t)uap->cmd));
2541
2542 } /* AUS_PRIOCNTLSYS */
2543
2544
2545 /*ARGSUSED*/
2546 static void
aus_setegid(struct t_audit_data * tad)2547 aus_setegid(struct t_audit_data *tad)
2548 {
2549 klwp_t *clwp = ttolwp(curthread);
2550 uint32_t gid;
2551
2552 struct a {
2553 long gid;
2554 } *uap = (struct a *)clwp->lwp_ap;
2555
2556 gid = (uint32_t)uap->gid;
2557
2558 au_uwrite(au_to_arg32(1, "gid", gid));
2559 } /* AUS_SETEGID */
2560
2561
2562
2563
2564 /*ARGSUSED*/
2565 static void
aus_setgroups(struct t_audit_data * tad)2566 aus_setgroups(struct t_audit_data *tad)
2567 {
2568 klwp_t *clwp = ttolwp(curthread);
2569 int i;
2570 int gidsetsize;
2571 uintptr_t gidset;
2572 gid_t *gidlist;
2573
2574 struct a {
2575 long gidsetsize;
2576 long gidset;
2577 } *uap = (struct a *)clwp->lwp_ap;
2578
2579 gidsetsize = (uint_t)uap->gidsetsize;
2580 gidset = (uintptr_t)uap->gidset;
2581
2582 if ((gidsetsize > NGROUPS_MAX_DEFAULT) || (gidsetsize < 0))
2583 return;
2584 if (gidsetsize != 0) {
2585 gidlist = kmem_alloc(gidsetsize * sizeof (gid_t),
2586 KM_SLEEP);
2587 if (copyin((caddr_t)gidset, gidlist,
2588 gidsetsize * sizeof (gid_t)) == 0)
2589 for (i = 0; i < gidsetsize; i++)
2590 au_uwrite(au_to_arg32(1, "setgroups",
2591 (uint32_t)gidlist[i]));
2592 kmem_free(gidlist, gidsetsize * sizeof (gid_t));
2593 } else
2594 au_uwrite(au_to_arg32(1, "setgroups", (uint32_t)0));
2595
2596 } /* AUS_SETGROUPS */
2597
2598
2599
2600
2601
2602 /*ARGSUSED*/
2603 static void
aus_seteuid(struct t_audit_data * tad)2604 aus_seteuid(struct t_audit_data *tad)
2605 {
2606 klwp_t *clwp = ttolwp(curthread);
2607 uint32_t uid;
2608
2609 struct a {
2610 long uid;
2611 } *uap = (struct a *)clwp->lwp_ap;
2612
2613 uid = (uint32_t)uap->uid;
2614
2615 au_uwrite(au_to_arg32(1, "euid", uid));
2616
2617 } /* AUS_SETEUID */
2618
2619 /*ARGSUSED*/
2620 static void
aus_putmsg(struct t_audit_data * tad)2621 aus_putmsg(struct t_audit_data *tad)
2622 {
2623 klwp_t *clwp = ttolwp(curthread);
2624 uint32_t fd, pri;
2625 struct file *fp;
2626 struct f_audit_data *fad;
2627
2628 struct a {
2629 long fdes;
2630 long ctl; /* struct strbuf * */
2631 long data; /* struct strbuf * */
2632 long pri;
2633 } *uap = (struct a *)clwp->lwp_ap;
2634
2635 fd = (uint32_t)uap->fdes;
2636 pri = (uint32_t)uap->pri;
2637
2638 au_uwrite(au_to_arg32(1, "fd", fd));
2639
2640 if ((fp = getf(fd)) != NULL) {
2641 fad = F2A(fp);
2642
2643 fad->fad_flags |= FAD_WRITE;
2644
2645 /* add path name to audit record */
2646 if (fad->fad_aupath != NULL) {
2647 au_uwrite(au_to_path(fad->fad_aupath));
2648 }
2649 audit_attributes(fp->f_vnode);
2650
2651 releasef(fd);
2652 }
2653
2654 au_uwrite(au_to_arg32(4, "pri", pri));
2655 }
2656
2657 /*ARGSUSED*/
2658 static void
aus_putpmsg(struct t_audit_data * tad)2659 aus_putpmsg(struct t_audit_data *tad)
2660 {
2661 klwp_t *clwp = ttolwp(curthread);
2662 uint32_t fd, pri, flags;
2663 struct file *fp;
2664 struct f_audit_data *fad;
2665
2666 struct a {
2667 long fdes;
2668 long ctl; /* struct strbuf * */
2669 long data; /* struct strbuf * */
2670 long pri;
2671 long flags;
2672 } *uap = (struct a *)clwp->lwp_ap;
2673
2674 fd = (uint32_t)uap->fdes;
2675 pri = (uint32_t)uap->pri;
2676 flags = (uint32_t)uap->flags;
2677
2678 au_uwrite(au_to_arg32(1, "fd", fd));
2679
2680 if ((fp = getf(fd)) != NULL) {
2681 fad = F2A(fp);
2682
2683 fad->fad_flags |= FAD_WRITE;
2684
2685 /* add path name to audit record */
2686 if (fad->fad_aupath != NULL) {
2687 au_uwrite(au_to_path(fad->fad_aupath));
2688 }
2689 audit_attributes(fp->f_vnode);
2690
2691 releasef(fd);
2692 }
2693
2694
2695 au_uwrite(au_to_arg32(4, "pri", pri));
2696 au_uwrite(au_to_arg32(5, "flags", flags));
2697 }
2698
2699 /*ARGSUSED*/
2700 static void
aus_getmsg(struct t_audit_data * tad)2701 aus_getmsg(struct t_audit_data *tad)
2702 {
2703 klwp_t *clwp = ttolwp(curthread);
2704 uint32_t fd, pri;
2705 struct file *fp;
2706 struct f_audit_data *fad;
2707
2708 struct a {
2709 long fdes;
2710 long ctl; /* struct strbuf * */
2711 long data; /* struct strbuf * */
2712 long pri;
2713 } *uap = (struct a *)clwp->lwp_ap;
2714
2715 fd = (uint32_t)uap->fdes;
2716 pri = (uint32_t)uap->pri;
2717
2718 au_uwrite(au_to_arg32(1, "fd", fd));
2719
2720 if ((fp = getf(fd)) != NULL) {
2721 fad = F2A(fp);
2722
2723 /*
2724 * read operation on this object
2725 */
2726 fad->fad_flags |= FAD_READ;
2727
2728 /* add path name to audit record */
2729 if (fad->fad_aupath != NULL) {
2730 au_uwrite(au_to_path(fad->fad_aupath));
2731 }
2732 audit_attributes(fp->f_vnode);
2733
2734 releasef(fd);
2735 }
2736
2737 au_uwrite(au_to_arg32(4, "pri", pri));
2738 }
2739
2740 /*ARGSUSED*/
2741 static void
aus_getpmsg(struct t_audit_data * tad)2742 aus_getpmsg(struct t_audit_data *tad)
2743 {
2744 klwp_t *clwp = ttolwp(curthread);
2745 uint32_t fd;
2746 struct file *fp;
2747 struct f_audit_data *fad;
2748
2749 struct a {
2750 long fdes;
2751 long ctl; /* struct strbuf * */
2752 long data; /* struct strbuf * */
2753 long pri;
2754 long flags;
2755 } *uap = (struct a *)clwp->lwp_ap;
2756
2757 fd = (uint32_t)uap->fdes;
2758
2759 au_uwrite(au_to_arg32(1, "fd", fd));
2760
2761 if ((fp = getf(fd)) != NULL) {
2762 fad = F2A(fp);
2763
2764 /*
2765 * read operation on this object
2766 */
2767 fad->fad_flags |= FAD_READ;
2768
2769 /* add path name to audit record */
2770 if (fad->fad_aupath != NULL) {
2771 au_uwrite(au_to_path(fad->fad_aupath));
2772 }
2773 audit_attributes(fp->f_vnode);
2774
2775 releasef(fd);
2776 }
2777 }
2778
2779 static au_event_t
aui_labelsys(au_event_t e)2780 aui_labelsys(au_event_t e)
2781 {
2782 klwp_t *clwp = ttolwp(curthread);
2783 uint32_t code;
2784 uint32_t cmd;
2785
2786 struct a {
2787 long code;
2788 long cmd;
2789 } *uap = (struct a *)clwp->lwp_ap;
2790
2791 code = (uint32_t)uap->code;
2792 cmd = (uint32_t)uap->cmd;
2793
2794 /* not security relevant if not changing kernel cache */
2795 if (cmd == TNDB_GET)
2796 return (AUE_NULL);
2797
2798 switch (code) {
2799 case TSOL_TNRH:
2800 e = AUE_LABELSYS_TNRH;
2801 break;
2802 case TSOL_TNRHTP:
2803 e = AUE_LABELSYS_TNRHTP;
2804 break;
2805 case TSOL_TNMLP:
2806 e = AUE_LABELSYS_TNMLP;
2807 break;
2808 default:
2809 e = AUE_NULL;
2810 break;
2811 }
2812
2813 return (e);
2814
2815 }
2816
2817 static void
aus_labelsys(struct t_audit_data * tad)2818 aus_labelsys(struct t_audit_data *tad)
2819 {
2820 klwp_t *clwp = ttolwp(curthread);
2821 uint32_t cmd;
2822 uintptr_t a2;
2823
2824 struct a {
2825 long code;
2826 long cmd;
2827 long a2;
2828 } *uap = (struct a *)clwp->lwp_ap;
2829
2830 cmd = (uint32_t)uap->cmd;
2831 a2 = (uintptr_t)uap->a2;
2832
2833 switch (tad->tad_event) {
2834 case AUE_LABELSYS_TNRH:
2835 {
2836 tsol_rhent_t *rhent;
2837 tnaddr_t *rh_addr;
2838
2839 au_uwrite(au_to_arg32(1, "cmd", cmd));
2840
2841 /* Remaining args don't apply for FLUSH, so skip */
2842 if (cmd == TNDB_FLUSH)
2843 break;
2844
2845 rhent = kmem_alloc(sizeof (tsol_rhent_t), KM_SLEEP);
2846 if (copyin((caddr_t)a2, rhent, sizeof (tsol_rhent_t))) {
2847 kmem_free(rhent, sizeof (tsol_rhent_t));
2848 return;
2849 }
2850
2851 rh_addr = &rhent->rh_address;
2852 if (rh_addr->ta_family == AF_INET) {
2853 struct in_addr *ipaddr;
2854
2855 ipaddr = &(rh_addr->ta_addr_v4);
2856 au_uwrite(au_to_in_addr(ipaddr));
2857 } else if (rh_addr->ta_family == AF_INET6) {
2858 int32_t *ipaddr;
2859
2860 ipaddr = (int32_t *)&(rh_addr->ta_addr_v6);
2861 au_uwrite(au_to_in_addr_ex(ipaddr));
2862 }
2863 au_uwrite(au_to_arg32(2, "prefix len", rhent->rh_prefix));
2864
2865 kmem_free(rhent, sizeof (tsol_rhent_t));
2866
2867 break;
2868 }
2869 case AUE_LABELSYS_TNRHTP:
2870 {
2871 tsol_tpent_t *tpent;
2872
2873 au_uwrite(au_to_arg32(1, "cmd", cmd));
2874
2875 /* Remaining args don't apply for FLUSH, so skip */
2876 if (cmd == TNDB_FLUSH)
2877 break;
2878
2879 tpent = kmem_alloc(sizeof (tsol_tpent_t), KM_SLEEP);
2880 if (copyin((caddr_t)a2, tpent, sizeof (tsol_tpent_t))) {
2881 kmem_free(tpent, sizeof (tsol_tpent_t));
2882 return;
2883 }
2884
2885 /* Make sure that the template name is null-terminated. */
2886 *(tpent->name + TNTNAMSIZ - 1) = '\0';
2887
2888 au_uwrite(au_to_text(tpent->name));
2889 kmem_free(tpent, sizeof (tsol_tpent_t));
2890
2891 break;
2892 }
2893 case AUE_LABELSYS_TNMLP:
2894 {
2895 tsol_mlpent_t *mlpent;
2896
2897 au_uwrite(au_to_arg32(1, "cmd", cmd));
2898
2899 mlpent = kmem_alloc(sizeof (tsol_mlpent_t), KM_SLEEP);
2900 if (copyin((caddr_t)a2, mlpent, sizeof (tsol_mlpent_t))) {
2901 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2902 return;
2903 }
2904
2905 if (mlpent->tsme_flags & TSOL_MEF_SHARED) {
2906 au_uwrite(au_to_text("shared"));
2907 } else {
2908 zone_t *zone;
2909
2910 zone = zone_find_by_id(mlpent->tsme_zoneid);
2911 if (zone != NULL) {
2912 au_uwrite(au_to_text(zone->zone_name));
2913 zone_rele(zone);
2914 }
2915 }
2916
2917 /* Remaining args don't apply for FLUSH, so skip */
2918 if (cmd == TNDB_FLUSH) {
2919 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2920 break;
2921 }
2922
2923 au_uwrite(au_to_arg32(2, "proto num",
2924 (uint32_t)mlpent->tsme_mlp.mlp_ipp));
2925 au_uwrite(au_to_arg32(2, "mlp_port",
2926 (uint32_t)mlpent->tsme_mlp.mlp_port));
2927
2928 if (mlpent->tsme_mlp.mlp_port_upper != 0)
2929 au_uwrite(au_to_arg32(2, "mlp_port_upper",
2930 (uint32_t)mlpent->tsme_mlp.mlp_port_upper));
2931
2932 kmem_free(mlpent, sizeof (tsol_mlpent_t));
2933
2934 break;
2935 }
2936 default:
2937 break;
2938 }
2939 }
2940
2941
2942 static au_event_t
aui_auditsys(au_event_t e)2943 aui_auditsys(au_event_t e)
2944 {
2945 klwp_t *clwp = ttolwp(curthread);
2946 uint32_t code;
2947
2948 struct a {
2949 long code;
2950 long a1;
2951 long a2;
2952 long a3;
2953 long a4;
2954 long a5;
2955 long a6;
2956 long a7;
2957 } *uap = (struct a *)clwp->lwp_ap;
2958
2959 code = (uint32_t)uap->code;
2960
2961 switch (code) {
2962
2963 case BSM_GETAUID:
2964 e = AUE_GETAUID;
2965 break;
2966 case BSM_SETAUID:
2967 e = AUE_SETAUID;
2968 break;
2969 case BSM_GETAUDIT:
2970 e = AUE_GETAUDIT;
2971 break;
2972 case BSM_GETAUDIT_ADDR:
2973 e = AUE_GETAUDIT_ADDR;
2974 break;
2975 case BSM_SETAUDIT:
2976 e = AUE_SETAUDIT;
2977 break;
2978 case BSM_SETAUDIT_ADDR:
2979 e = AUE_SETAUDIT_ADDR;
2980 break;
2981 case BSM_AUDIT:
2982 e = AUE_AUDIT;
2983 break;
2984 case BSM_AUDITCTL:
2985 switch ((uint_t)uap->a1) {
2986
2987 case A_GETPOLICY:
2988 e = AUE_AUDITON_GPOLICY;
2989 break;
2990 case A_SETPOLICY:
2991 e = AUE_AUDITON_SPOLICY;
2992 break;
2993 case A_GETAMASK:
2994 e = AUE_AUDITON_GETAMASK;
2995 break;
2996 case A_SETAMASK:
2997 e = AUE_AUDITON_SETAMASK;
2998 break;
2999 case A_GETKMASK:
3000 e = AUE_AUDITON_GETKMASK;
3001 break;
3002 case A_SETKMASK:
3003 e = AUE_AUDITON_SETKMASK;
3004 break;
3005 case A_GETQCTRL:
3006 e = AUE_AUDITON_GQCTRL;
3007 break;
3008 case A_SETQCTRL:
3009 e = AUE_AUDITON_SQCTRL;
3010 break;
3011 case A_GETCWD:
3012 e = AUE_AUDITON_GETCWD;
3013 break;
3014 case A_GETCAR:
3015 e = AUE_AUDITON_GETCAR;
3016 break;
3017 case A_GETSTAT:
3018 e = AUE_AUDITON_GETSTAT;
3019 break;
3020 case A_SETSTAT:
3021 e = AUE_AUDITON_SETSTAT;
3022 break;
3023 case A_SETUMASK:
3024 e = AUE_AUDITON_SETUMASK;
3025 break;
3026 case A_SETSMASK:
3027 e = AUE_AUDITON_SETSMASK;
3028 break;
3029 case A_GETCOND:
3030 e = AUE_AUDITON_GETCOND;
3031 break;
3032 case A_SETCOND:
3033 e = AUE_AUDITON_SETCOND;
3034 break;
3035 case A_GETCLASS:
3036 e = AUE_AUDITON_GETCLASS;
3037 break;
3038 case A_SETCLASS:
3039 e = AUE_AUDITON_SETCLASS;
3040 break;
3041 default:
3042 e = AUE_NULL;
3043 break;
3044 }
3045 break;
3046 default:
3047 e = AUE_NULL;
3048 break;
3049 }
3050
3051 return (e);
3052
3053 } /* AUI_AUDITSYS */
3054
3055
3056 static void
aus_auditsys(struct t_audit_data * tad)3057 aus_auditsys(struct t_audit_data *tad)
3058 {
3059 klwp_t *clwp = ttolwp(curthread);
3060 uintptr_t a1, a2;
3061 STRUCT_DECL(auditinfo, ainfo);
3062 STRUCT_DECL(auditinfo_addr, ainfo_addr);
3063 au_evclass_map_t event;
3064 au_mask_t mask;
3065 int auditstate, policy;
3066 au_id_t auid;
3067
3068
3069 struct a {
3070 long code;
3071 long a1;
3072 long a2;
3073 long a3;
3074 long a4;
3075 long a5;
3076 long a6;
3077 long a7;
3078 } *uap = (struct a *)clwp->lwp_ap;
3079
3080 a1 = (uintptr_t)uap->a1;
3081 a2 = (uintptr_t)uap->a2;
3082
3083 switch (tad->tad_event) {
3084 case AUE_SETAUID:
3085 if (copyin((caddr_t)a1, &auid, sizeof (au_id_t)))
3086 return;
3087 au_uwrite(au_to_arg32(2, "setauid", auid));
3088 break;
3089 case AUE_SETAUDIT:
3090 STRUCT_INIT(ainfo, get_udatamodel());
3091 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo),
3092 STRUCT_SIZE(ainfo))) {
3093 return;
3094 }
3095 au_uwrite(au_to_arg32((char)1, "setaudit:auid",
3096 (uint32_t)STRUCT_FGET(ainfo, ai_auid)));
3097 #ifdef _LP64
3098 au_uwrite(au_to_arg64((char)1, "setaudit:port",
3099 (uint64_t)STRUCT_FGET(ainfo, ai_termid.port)));
3100 #else
3101 au_uwrite(au_to_arg32((char)1, "setaudit:port",
3102 (uint32_t)STRUCT_FGET(ainfo, ai_termid.port)));
3103 #endif
3104 au_uwrite(au_to_arg32((char)1, "setaudit:machine",
3105 (uint32_t)STRUCT_FGET(ainfo, ai_termid.machine)));
3106 au_uwrite(au_to_arg32((char)1, "setaudit:as_success",
3107 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3108 au_uwrite(au_to_arg32((char)1, "setaudit:as_failure",
3109 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3110 au_uwrite(au_to_arg32((char)1, "setaudit:asid",
3111 (uint32_t)STRUCT_FGET(ainfo, ai_asid)));
3112 break;
3113 case AUE_SETAUDIT_ADDR:
3114 STRUCT_INIT(ainfo_addr, get_udatamodel());
3115 if (copyin((caddr_t)a1, STRUCT_BUF(ainfo_addr),
3116 STRUCT_SIZE(ainfo_addr))) {
3117 return;
3118 }
3119 au_uwrite(au_to_arg32((char)1, "auid",
3120 (uint32_t)STRUCT_FGET(ainfo_addr, ai_auid)));
3121 #ifdef _LP64
3122 au_uwrite(au_to_arg64((char)1, "port",
3123 (uint64_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3124 #else
3125 au_uwrite(au_to_arg32((char)1, "port",
3126 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_port)));
3127 #endif
3128 au_uwrite(au_to_arg32((char)1, "type",
3129 (uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type)));
3130 if ((uint32_t)STRUCT_FGET(ainfo_addr, ai_termid.at_type) ==
3131 AU_IPv4) {
3132 au_uwrite(au_to_in_addr(
3133 (struct in_addr *)STRUCT_FGETP(ainfo_addr,
3134 ai_termid.at_addr)));
3135 } else {
3136 au_uwrite(au_to_in_addr_ex(
3137 (int32_t *)STRUCT_FGETP(ainfo_addr,
3138 ai_termid.at_addr)));
3139 }
3140 au_uwrite(au_to_arg32((char)1, "as_success",
3141 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_success)));
3142 au_uwrite(au_to_arg32((char)1, "as_failure",
3143 (uint32_t)STRUCT_FGET(ainfo_addr, ai_mask.as_failure)));
3144 au_uwrite(au_to_arg32((char)1, "asid",
3145 (uint32_t)STRUCT_FGET(ainfo_addr, ai_asid)));
3146 break;
3147 case AUE_AUDITON_SETAMASK:
3148 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3149 return;
3150 au_uwrite(au_to_arg32(
3151 2, "setamask:as_success", (uint32_t)mask.as_success));
3152 au_uwrite(au_to_arg32(
3153 2, "setamask:as_failure", (uint32_t)mask.as_failure));
3154 break;
3155 case AUE_AUDITON_SETKMASK:
3156 if (copyin((caddr_t)a2, &mask, sizeof (au_mask_t)))
3157 return;
3158 au_uwrite(au_to_arg32(
3159 2, "setkmask:as_success", (uint32_t)mask.as_success));
3160 au_uwrite(au_to_arg32(
3161 2, "setkmask:as_failure", (uint32_t)mask.as_failure));
3162 break;
3163 case AUE_AUDITON_SPOLICY:
3164 if (copyin((caddr_t)a2, &policy, sizeof (int)))
3165 return;
3166 au_uwrite(au_to_arg32(3, "setpolicy", (uint32_t)policy));
3167 break;
3168 case AUE_AUDITON_SQCTRL: {
3169 STRUCT_DECL(au_qctrl, qctrl);
3170 model_t model;
3171
3172 model = get_udatamodel();
3173 STRUCT_INIT(qctrl, model);
3174 if (copyin((caddr_t)a2, STRUCT_BUF(qctrl), STRUCT_SIZE(qctrl)))
3175 return;
3176 if (model == DATAMODEL_ILP32) {
3177 au_uwrite(au_to_arg32(
3178 3, "setqctrl:aq_hiwater",
3179 (uint32_t)STRUCT_FGET(qctrl, aq_hiwater)));
3180 au_uwrite(au_to_arg32(
3181 3, "setqctrl:aq_lowater",
3182 (uint32_t)STRUCT_FGET(qctrl, aq_lowater)));
3183 au_uwrite(au_to_arg32(
3184 3, "setqctrl:aq_bufsz",
3185 (uint32_t)STRUCT_FGET(qctrl, aq_bufsz)));
3186 au_uwrite(au_to_arg32(
3187 3, "setqctrl:aq_delay",
3188 (uint32_t)STRUCT_FGET(qctrl, aq_delay)));
3189 } else {
3190 au_uwrite(au_to_arg64(
3191 3, "setqctrl:aq_hiwater",
3192 (uint64_t)STRUCT_FGET(qctrl, aq_hiwater)));
3193 au_uwrite(au_to_arg64(
3194 3, "setqctrl:aq_lowater",
3195 (uint64_t)STRUCT_FGET(qctrl, aq_lowater)));
3196 au_uwrite(au_to_arg64(
3197 3, "setqctrl:aq_bufsz",
3198 (uint64_t)STRUCT_FGET(qctrl, aq_bufsz)));
3199 au_uwrite(au_to_arg64(
3200 3, "setqctrl:aq_delay",
3201 (uint64_t)STRUCT_FGET(qctrl, aq_delay)));
3202 }
3203 break;
3204 }
3205 case AUE_AUDITON_SETUMASK:
3206 STRUCT_INIT(ainfo, get_udatamodel());
3207 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3208 STRUCT_SIZE(ainfo))) {
3209 return;
3210 }
3211 au_uwrite(au_to_arg32(3, "setumask:as_success",
3212 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3213 au_uwrite(au_to_arg32(3, "setumask:as_failure",
3214 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3215 break;
3216 case AUE_AUDITON_SETSMASK:
3217 STRUCT_INIT(ainfo, get_udatamodel());
3218 if (copyin((caddr_t)uap->a2, STRUCT_BUF(ainfo),
3219 STRUCT_SIZE(ainfo))) {
3220 return;
3221 }
3222 au_uwrite(au_to_arg32(3, "setsmask:as_success",
3223 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_success)));
3224 au_uwrite(au_to_arg32(3, "setsmask:as_failure",
3225 (uint32_t)STRUCT_FGET(ainfo, ai_mask.as_failure)));
3226 break;
3227 case AUE_AUDITON_SETCOND:
3228 if (copyin((caddr_t)a2, &auditstate, sizeof (int)))
3229 return;
3230 au_uwrite(au_to_arg32(3, "setcond", (uint32_t)auditstate));
3231 break;
3232 case AUE_AUDITON_SETCLASS:
3233 if (copyin((caddr_t)a2, &event, sizeof (au_evclass_map_t)))
3234 return;
3235 au_uwrite(au_to_arg32(
3236 2, "setclass:ec_event", (uint32_t)event.ec_number));
3237 au_uwrite(au_to_arg32(
3238 3, "setclass:ec_class", (uint32_t)event.ec_class));
3239 break;
3240 case AUE_GETAUID:
3241 case AUE_GETAUDIT:
3242 case AUE_GETAUDIT_ADDR:
3243 case AUE_AUDIT:
3244 case AUE_AUDITON_GPOLICY:
3245 case AUE_AUDITON_GQCTRL:
3246 case AUE_AUDITON_GETAMASK:
3247 case AUE_AUDITON_GETKMASK:
3248 case AUE_AUDITON_GETCWD:
3249 case AUE_AUDITON_GETCAR:
3250 case AUE_AUDITON_GETSTAT:
3251 case AUE_AUDITON_SETSTAT:
3252 case AUE_AUDITON_GETCOND:
3253 case AUE_AUDITON_GETCLASS:
3254 break;
3255 default:
3256 break;
3257 }
3258
3259 } /* AUS_AUDITSYS */
3260
3261
3262 /* only audit privileged operations for systeminfo(2) system call */
3263 static au_event_t
aui_sysinfo(au_event_t e)3264 aui_sysinfo(au_event_t e)
3265 {
3266 klwp_t *clwp = ttolwp(curthread);
3267 uint32_t command;
3268
3269 struct a {
3270 long command;
3271 long buf; /* char * */
3272 long count;
3273 } *uap = (struct a *)clwp->lwp_ap;
3274
3275 command = (uint32_t)uap->command;
3276
3277 switch (command) {
3278 case SI_SET_HOSTNAME:
3279 case SI_SET_SRPC_DOMAIN:
3280 e = (au_event_t)AUE_SYSINFO;
3281 break;
3282 default:
3283 e = (au_event_t)AUE_NULL;
3284 break;
3285 }
3286 return (e);
3287 }
3288
3289 /*ARGSUSED*/
3290 static void
aus_sysinfo(struct t_audit_data * tad)3291 aus_sysinfo(struct t_audit_data *tad)
3292 {
3293 klwp_t *clwp = ttolwp(curthread);
3294 uint32_t command;
3295 size_t len, maxlen;
3296 char *name;
3297 uintptr_t buf;
3298
3299 struct a {
3300 long command;
3301 long buf; /* char * */
3302 long count;
3303 } *uap = (struct a *)clwp->lwp_ap;
3304
3305 command = (uint32_t)uap->command;
3306 buf = (uintptr_t)uap->buf;
3307
3308 au_uwrite(au_to_arg32(1, "cmd", command));
3309
3310 switch (command) {
3311 case SI_SET_HOSTNAME:
3312 {
3313 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3314 return;
3315
3316 maxlen = SYS_NMLN;
3317 name = kmem_alloc(maxlen, KM_SLEEP);
3318 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3319 break;
3320
3321 /*
3322 * Must be non-NULL string and string
3323 * must be less than SYS_NMLN chars.
3324 */
3325 if (len < 2 || (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0'))
3326 break;
3327
3328 au_uwrite(au_to_text(name));
3329 break;
3330 }
3331
3332 case SI_SET_SRPC_DOMAIN:
3333 {
3334 if (secpolicy_sys_config(CRED(), B_TRUE) != 0)
3335 return;
3336
3337 maxlen = SYS_NMLN;
3338 name = kmem_alloc(maxlen, KM_SLEEP);
3339 if (copyinstr((caddr_t)buf, name, SYS_NMLN, &len))
3340 break;
3341
3342 /*
3343 * If string passed in is longer than length
3344 * allowed for domain name, fail.
3345 */
3346 if (len == SYS_NMLN && name[SYS_NMLN - 1] != '\0')
3347 break;
3348
3349 au_uwrite(au_to_text(name));
3350 break;
3351 }
3352
3353 default:
3354 return;
3355 }
3356
3357 kmem_free(name, maxlen);
3358 }
3359
3360 static au_event_t
aui_modctl(au_event_t e)3361 aui_modctl(au_event_t e)
3362 {
3363 klwp_t *clwp = ttolwp(curthread);
3364 uint_t cmd;
3365
3366 struct a {
3367 long cmd;
3368 } *uap = (struct a *)clwp->lwp_ap;
3369
3370 cmd = (uint_t)uap->cmd;
3371
3372 switch (cmd) {
3373 case MODLOAD:
3374 e = AUE_MODLOAD;
3375 break;
3376 case MODUNLOAD:
3377 e = AUE_MODUNLOAD;
3378 break;
3379 case MODADDMAJBIND:
3380 e = AUE_MODADDMAJ;
3381 break;
3382 case MODSETDEVPOLICY:
3383 e = AUE_MODDEVPLCY;
3384 break;
3385 case MODALLOCPRIV:
3386 e = AUE_MODADDPRIV;
3387 break;
3388 default:
3389 e = AUE_NULL;
3390 break;
3391 }
3392 return (e);
3393 }
3394
3395
3396 /*ARGSUSED*/
3397 static void
aus_modctl(struct t_audit_data * tad)3398 aus_modctl(struct t_audit_data *tad)
3399 {
3400 klwp_t *clwp = ttolwp(curthread);
3401 void *a = clwp->lwp_ap;
3402 uint_t use_path;
3403
3404 switch (tad->tad_event) {
3405 case AUE_MODLOAD: {
3406 typedef struct {
3407 long cmd;
3408 long use_path;
3409 long filename; /* char * */
3410 } modloada_t;
3411
3412 char *filenamep;
3413 uintptr_t fname;
3414 extern char *default_path;
3415
3416 fname = (uintptr_t)((modloada_t *)a)->filename;
3417 use_path = (uint_t)((modloada_t *)a)->use_path;
3418
3419 /* space to hold path */
3420 filenamep = kmem_alloc(MOD_MAXPATH, KM_SLEEP);
3421 /* get string */
3422 if (copyinstr((caddr_t)fname, filenamep, MOD_MAXPATH, 0)) {
3423 /* free allocated path */
3424 kmem_free(filenamep, MOD_MAXPATH);
3425 return;
3426 }
3427 /* ensure it's null terminated */
3428 filenamep[MOD_MAXPATH - 1] = 0;
3429
3430 if (use_path)
3431 au_uwrite(au_to_text(default_path));
3432 au_uwrite(au_to_text(filenamep));
3433
3434 /* release temporary memory */
3435 kmem_free(filenamep, MOD_MAXPATH);
3436 break;
3437 }
3438 case AUE_MODUNLOAD: {
3439 typedef struct {
3440 long cmd;
3441 long id;
3442 } modunloada_t;
3443
3444 uint32_t id = (uint32_t)((modunloada_t *)a)->id;
3445
3446 au_uwrite(au_to_arg32(1, "id", id));
3447 break;
3448 }
3449 case AUE_MODADDMAJ: {
3450 STRUCT_DECL(modconfig, mc);
3451 typedef struct {
3452 long cmd;
3453 long subcmd;
3454 long data; /* int * */
3455 } modconfiga_t;
3456
3457 STRUCT_DECL(aliases, alias);
3458 caddr_t ap;
3459 int i, num_aliases;
3460 char *drvname, *mc_drvname;
3461 char *name;
3462 extern char *ddi_major_to_name(major_t);
3463 model_t model;
3464
3465 uintptr_t data = (uintptr_t)((modconfiga_t *)a)->data;
3466
3467 model = get_udatamodel();
3468 STRUCT_INIT(mc, model);
3469 /* sanitize buffer */
3470 bzero((caddr_t)STRUCT_BUF(mc), STRUCT_SIZE(mc));
3471 /* get user arguments */
3472 if (copyin((caddr_t)data, (caddr_t)STRUCT_BUF(mc),
3473 STRUCT_SIZE(mc)) != 0)
3474 return;
3475
3476 mc_drvname = STRUCT_FGET(mc, drvname);
3477 if ((drvname = ddi_major_to_name(
3478 (major_t)STRUCT_FGET(mc, major))) != NULL &&
3479 strncmp(drvname, mc_drvname, MAXMODCONFNAME) != 0) {
3480 /* safety */
3481 if (mc_drvname[0] != '\0') {
3482 mc_drvname[MAXMODCONFNAME-1] = '\0';
3483 au_uwrite(au_to_text(mc_drvname));
3484 }
3485 /* drvname != NULL from test above */
3486 au_uwrite(au_to_text(drvname));
3487 return;
3488 }
3489
3490 if (mc_drvname[0] != '\0') {
3491 /* safety */
3492 mc_drvname[MAXMODCONFNAME-1] = '\0';
3493 au_uwrite(au_to_text(mc_drvname));
3494 } else
3495 au_uwrite(au_to_text("no drvname"));
3496
3497 num_aliases = STRUCT_FGET(mc, num_aliases);
3498 au_uwrite(au_to_arg32(5, "", (uint32_t)num_aliases));
3499 ap = (caddr_t)STRUCT_FGETP(mc, ap);
3500 name = kmem_alloc(MAXMODCONFNAME, KM_SLEEP);
3501 STRUCT_INIT(alias, model);
3502 for (i = 0; i < num_aliases; i++) {
3503 bzero((caddr_t)STRUCT_BUF(alias),
3504 STRUCT_SIZE(alias));
3505 if (copyin((caddr_t)ap, (caddr_t)STRUCT_BUF(alias),
3506 STRUCT_SIZE(alias)) != 0)
3507 break;
3508 if (copyinstr(STRUCT_FGETP(alias, a_name), name,
3509 MAXMODCONFNAME, NULL) != 0) {
3510 break;
3511 }
3512
3513 au_uwrite(au_to_text(name));
3514 ap = (caddr_t)STRUCT_FGETP(alias, a_next);
3515 }
3516 kmem_free(name, MAXMODCONFNAME);
3517 break;
3518 }
3519 default:
3520 break;
3521 }
3522 }
3523
3524
3525 /*ARGSUSED*/
3526 static void
auf_accept(struct t_audit_data * tad,int error,rval_t * rval)3527 auf_accept(
3528 struct t_audit_data *tad,
3529 int error,
3530 rval_t *rval)
3531 {
3532 uint32_t scid;
3533 uint32_t sy_flags;
3534 int fd;
3535 struct sonode *so;
3536 char so_laddr[sizeof (struct sockaddr_in6)];
3537 char so_faddr[sizeof (struct sockaddr_in6)];
3538 int err;
3539 short so_family, so_type;
3540 int add_sock_token = 0;
3541
3542 /* need to determine type of executing binary */
3543 scid = tad->tad_scid;
3544 #ifdef _SYSCALL32_IMPL
3545 if (lwp_getdatamodel(ttolwp(curthread)) == DATAMODEL_NATIVE)
3546 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3547 else
3548 sy_flags = sysent32[scid].sy_flags & SE_RVAL_MASK;
3549 #else
3550 sy_flags = sysent[scid].sy_flags & SE_RVAL_MASK;
3551 #endif
3552 switch (sy_flags) {
3553 case SE_32RVAL1:
3554 /* FALLTHRU */
3555 case SE_32RVAL2|SE_32RVAL1:
3556 fd = rval->r_val1;
3557 break;
3558 case SE_64RVAL:
3559 fd = (int)rval->r_vals;
3560 break;
3561 default:
3562 /*
3563 * should never happen, seems to be an internal error
3564 * in sysent => no fd, nothing to audit here, returning
3565 */
3566 return;
3567 }
3568
3569 if (error) {
3570 /* can't trust socket contents. Just return */
3571 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3572 return;
3573 }
3574
3575 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3576 /*
3577 * not security relevant if doing a accept from non socket
3578 * so no extra tokens. Should probably turn off audit record
3579 * generation here.
3580 */
3581 return;
3582 }
3583
3584 so_family = so->so_family;
3585 so_type = so->so_type;
3586
3587 switch (so_family) {
3588 case AF_INET:
3589 case AF_INET6:
3590 /*
3591 * XXX - what about other socket types for AF_INET (e.g. DGRAM)
3592 */
3593 if (so->so_type == SOCK_STREAM) {
3594 socklen_t len;
3595
3596 bzero((void *)so_laddr, sizeof (so_laddr));
3597 bzero((void *)so_faddr, sizeof (so_faddr));
3598
3599 len = sizeof (so_laddr);
3600 (void) socket_getsockname(so,
3601 (struct sockaddr *)so_laddr, &len, CRED());
3602 len = sizeof (so_faddr);
3603 (void) socket_getpeername(so,
3604 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3605
3606 add_sock_token = 1;
3607 }
3608 break;
3609
3610 default:
3611 /* AF_UNIX, AF_ROUTE, AF_KEY do not support accept */
3612 break;
3613 }
3614
3615 releasef(fd);
3616
3617 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3618
3619 if (add_sock_token == 0) {
3620 au_uwrite(au_to_arg32(0, "family", (uint32_t)(so_family)));
3621 au_uwrite(au_to_arg32(0, "type", (uint32_t)(so_type)));
3622 return;
3623 }
3624
3625 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3626
3627 }
3628
3629 /*ARGSUSED*/
3630 static void
auf_bind(struct t_audit_data * tad,int error,rval_t * rvp)3631 auf_bind(struct t_audit_data *tad, int error, rval_t *rvp)
3632 {
3633 struct a {
3634 long fd;
3635 long addr;
3636 long len;
3637 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3638
3639 struct sonode *so;
3640 char so_laddr[sizeof (struct sockaddr_in6)];
3641 char so_faddr[sizeof (struct sockaddr_in6)];
3642 int err, fd;
3643 socklen_t len;
3644 short so_family, so_type;
3645 int add_sock_token = 0;
3646
3647 fd = (int)uap->fd;
3648
3649 /*
3650 * bind failed, then nothing extra to add to audit record.
3651 */
3652 if (error) {
3653 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3654 /* XXX may want to add failed address some day */
3655 return;
3656 }
3657
3658 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3659 /*
3660 * not security relevant if doing a bind from non socket
3661 * so no extra tokens. Should probably turn off audit record
3662 * generation here.
3663 */
3664 return;
3665 }
3666
3667 so_family = so->so_family;
3668 so_type = so->so_type;
3669
3670 switch (so_family) {
3671 case AF_INET:
3672 case AF_INET6:
3673
3674 bzero(so_faddr, sizeof (so_faddr));
3675 len = sizeof (so_faddr);
3676
3677 (void) socket_getpeername(so,
3678 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3679 add_sock_token = 1;
3680
3681 break;
3682
3683 case AF_UNIX:
3684 /* token added by lookup */
3685 break;
3686 default:
3687 /* AF_ROUTE, AF_KEY do not support accept */
3688 break;
3689 }
3690
3691 releasef(fd);
3692
3693 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3694
3695 if (add_sock_token == 0) {
3696 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3697 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3698 return;
3699 }
3700
3701 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3702
3703 }
3704
3705 /*ARGSUSED*/
3706 static void
auf_connect(struct t_audit_data * tad,int error,rval_t * rval)3707 auf_connect(struct t_audit_data *tad, int error, rval_t *rval)
3708 {
3709 struct a {
3710 long fd;
3711 long addr;
3712 long len;
3713 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3714
3715 struct sonode *so;
3716 char so_laddr[sizeof (struct sockaddr_in6)];
3717 char so_faddr[sizeof (struct sockaddr_in6)];
3718 int err, fd;
3719 socklen_t len;
3720 short so_family, so_type;
3721 int add_sock_token = 0;
3722
3723 fd = (int)uap->fd;
3724
3725
3726 if ((so = getsonode(fd, &err, NULL)) == NULL) {
3727 /*
3728 * not security relevant if doing a connect from non socket
3729 * so no extra tokens. Should probably turn off audit record
3730 * generation here.
3731 */
3732 return;
3733 }
3734
3735 so_family = so->so_family;
3736 so_type = so->so_type;
3737
3738 switch (so_family) {
3739 case AF_INET:
3740 case AF_INET6:
3741
3742 bzero(so_laddr, sizeof (so_laddr));
3743 bzero(so_faddr, sizeof (so_faddr));
3744
3745 len = sizeof (so_laddr);
3746 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3747 &len, CRED());
3748 if (error) {
3749 if (uap->addr == NULL)
3750 break;
3751 if (uap->len <= 0)
3752 break;
3753 len = min(uap->len, sizeof (so_faddr));
3754 if (copyin((caddr_t)(uap->addr), so_faddr, len) != 0)
3755 break;
3756 #ifdef NOTYET
3757 au_uwrite(au_to_data(AUP_HEX, AUR_CHAR, len, so_faddr));
3758 #endif
3759 } else {
3760 /* sanity check on length */
3761 len = sizeof (so_faddr);
3762 (void) socket_getpeername(so,
3763 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3764 }
3765
3766 add_sock_token = 1;
3767
3768 break;
3769
3770 case AF_UNIX:
3771 /* does a lookup on name */
3772 break;
3773
3774 default:
3775 /* AF_ROUTE, AF_KEY do not support accept */
3776 break;
3777 }
3778
3779 releasef(fd);
3780
3781 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3782
3783 if (add_sock_token == 0) {
3784 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3785 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3786 return;
3787 }
3788
3789 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3790
3791 }
3792
3793 /*ARGSUSED*/
3794 static void
aus_shutdown(struct t_audit_data * tad)3795 aus_shutdown(struct t_audit_data *tad)
3796 {
3797 struct a {
3798 long fd;
3799 long how;
3800 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3801
3802 struct sonode *so;
3803 char so_laddr[sizeof (struct sockaddr_in6)];
3804 char so_faddr[sizeof (struct sockaddr_in6)];
3805 int err, fd;
3806 socklen_t len;
3807 short so_family, so_type;
3808 int add_sock_token = 0;
3809 file_t *fp; /* unix domain sockets */
3810 struct f_audit_data *fad; /* unix domain sockets */
3811
3812 fd = (int)uap->fd;
3813
3814 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3815 /*
3816 * not security relevant if doing a shutdown using non socket
3817 * so no extra tokens. Should probably turn off audit record
3818 * generation here.
3819 */
3820 return;
3821 }
3822
3823 so_family = so->so_family;
3824 so_type = so->so_type;
3825
3826 switch (so_family) {
3827 case AF_INET:
3828 case AF_INET6:
3829
3830 bzero(so_laddr, sizeof (so_laddr));
3831 bzero(so_faddr, sizeof (so_faddr));
3832
3833 len = sizeof (so_laddr);
3834 (void) socket_getsockname(so,
3835 (struct sockaddr *)so_laddr, &len, CRED());
3836 len = sizeof (so_faddr);
3837 (void) socket_getpeername(so,
3838 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
3839
3840 add_sock_token = 1;
3841
3842 break;
3843
3844 case AF_UNIX:
3845
3846 /* get path from file struct here */
3847 fad = F2A(fp);
3848 ASSERT(fad);
3849
3850 if (fad->fad_aupath != NULL) {
3851 au_uwrite(au_to_path(fad->fad_aupath));
3852 } else {
3853 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3854 }
3855
3856 audit_attributes(fp->f_vnode);
3857
3858 break;
3859
3860 default:
3861 /*
3862 * AF_KEY and AF_ROUTE support shutdown. No socket token
3863 * added.
3864 */
3865 break;
3866 }
3867
3868 releasef(fd);
3869
3870 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3871
3872 if (add_sock_token == 0) {
3873 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3874 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3875 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3876 return;
3877 }
3878
3879 au_uwrite(au_to_arg32(2, "how", (uint32_t)(uap->how)));
3880
3881 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3882
3883 }
3884
3885 /*ARGSUSED*/
3886 static void
auf_setsockopt(struct t_audit_data * tad,int error,rval_t * rval)3887 auf_setsockopt(struct t_audit_data *tad, int error, rval_t *rval)
3888 {
3889 struct a {
3890 long fd;
3891 long level;
3892 long optname;
3893 long *optval;
3894 long optlen;
3895 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
3896
3897 struct sonode *so;
3898 char so_laddr[sizeof (struct sockaddr_in6)];
3899 char so_faddr[sizeof (struct sockaddr_in6)];
3900 char val[AU_BUFSIZE];
3901 int err, fd;
3902 socklen_t len;
3903 short so_family, so_type;
3904 int add_sock_token = 0;
3905 file_t *fp; /* unix domain sockets */
3906 struct f_audit_data *fad; /* unix domain sockets */
3907
3908 fd = (int)uap->fd;
3909
3910 if (error) {
3911 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3912 au_uwrite(au_to_arg32(2, "level", (uint32_t)uap->level));
3913 /* XXX may want to include other arguments */
3914 return;
3915 }
3916
3917 if ((so = getsonode(fd, &err, &fp)) == NULL) {
3918 /*
3919 * not security relevant if doing a setsockopt from non socket
3920 * so no extra tokens. Should probably turn off audit record
3921 * generation here.
3922 */
3923 return;
3924 }
3925
3926 so_family = so->so_family;
3927 so_type = so->so_type;
3928
3929 switch (so_family) {
3930 case AF_INET:
3931 case AF_INET6:
3932 bzero((void *)so_laddr, sizeof (so_laddr));
3933 bzero((void *)so_faddr, sizeof (so_faddr));
3934
3935 /* get local and foreign addresses */
3936 len = sizeof (so_laddr);
3937 (void) socket_getsockname(so, (struct sockaddr *)so_laddr,
3938 &len, CRED());
3939 len = sizeof (so_faddr);
3940 (void) socket_getpeername(so, (struct sockaddr *)so_faddr,
3941 &len, B_FALSE, CRED());
3942
3943 add_sock_token = 1;
3944
3945 break;
3946
3947 case AF_UNIX:
3948
3949 /* get path from file struct here */
3950 fad = F2A(fp);
3951 ASSERT(fad);
3952
3953 if (fad->fad_aupath != NULL) {
3954 au_uwrite(au_to_path(fad->fad_aupath));
3955 } else {
3956 au_uwrite(au_to_arg32(1, "no path: fd", fd));
3957 }
3958
3959 audit_attributes(fp->f_vnode);
3960
3961 break;
3962
3963 default:
3964 /*
3965 * AF_KEY and AF_ROUTE support setsockopt. No socket token
3966 * added.
3967 */
3968 break;
3969 }
3970
3971 releasef(fd);
3972
3973 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
3974
3975 if (add_sock_token == 0) {
3976 au_uwrite(au_to_arg32(1, "family", (uint32_t)(so_family)));
3977 au_uwrite(au_to_arg32(1, "type", (uint32_t)(so_type)));
3978 }
3979 au_uwrite(au_to_arg32(2, "level", (uint32_t)(uap->level)));
3980 au_uwrite(au_to_arg32(3, "optname", (uint32_t)(uap->optname)));
3981
3982 bzero(val, sizeof (val));
3983 len = min(uap->optlen, sizeof (val));
3984 if ((len > 0) &&
3985 (copyin((caddr_t)(uap->optval), (caddr_t)val, len) == 0)) {
3986 au_uwrite(au_to_arg32(5, "optlen", (uint32_t)(uap->optlen)));
3987 au_uwrite(au_to_data(AUP_HEX, AUR_BYTE, len, val));
3988 }
3989
3990 if (add_sock_token == 0)
3991 return;
3992
3993 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
3994
3995 }
3996
3997 /*ARGSUSED*/
3998 static void
aus_sockconfig(tad)3999 aus_sockconfig(tad)
4000 struct t_audit_data *tad;
4001 {
4002 struct a {
4003 long cmd;
4004 long arg1;
4005 long arg2;
4006 long arg3;
4007 long arg4;
4008 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4009
4010 char *buf;
4011 int buflen;
4012 size_t size;
4013
4014 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4015 switch (uap->cmd) {
4016 case SOCKCONFIG_ADD_SOCK:
4017 case SOCKCONFIG_REMOVE_SOCK:
4018 au_uwrite(au_to_arg32(2, "domain", (uint32_t)uap->arg1));
4019 au_uwrite(au_to_arg32(3, "type", (uint32_t)uap->arg2));
4020 au_uwrite(au_to_arg32(4, "protocol", (uint32_t)uap->arg3));
4021
4022 if (uap->arg4 == 0) {
4023 au_uwrite(au_to_arg32(5, "devpath", (uint32_t)0));
4024 } else {
4025 buflen = MAXPATHLEN + 1;
4026 buf = kmem_alloc(buflen, KM_SLEEP);
4027 if (copyinstr((caddr_t)uap->arg4, buf, buflen,
4028 &size)) {
4029 kmem_free(buf, buflen);
4030 return;
4031 }
4032
4033 if (size > MAXPATHLEN) {
4034 kmem_free(buf, buflen);
4035 return;
4036 }
4037
4038 au_uwrite(au_to_text(buf));
4039 kmem_free(buf, buflen);
4040 }
4041 break;
4042 case SOCKCONFIG_ADD_FILTER:
4043 case SOCKCONFIG_REMOVE_FILTER:
4044 buflen = FILNAME_MAX;
4045 buf = kmem_alloc(buflen, KM_SLEEP);
4046
4047 if (copyinstr((caddr_t)uap->arg1, buf, buflen, &size)) {
4048 kmem_free(buf, buflen);
4049 return;
4050 }
4051
4052 au_uwrite(au_to_text(buf));
4053 kmem_free(buf, buflen);
4054 break;
4055 default:
4056 break;
4057 }
4058 }
4059
4060 /*
4061 * only audit recvmsg when the system call represents the creation of a new
4062 * circuit. This effectively occurs for all UDP packets and may occur for
4063 * special TCP situations where the local host has not set a local address
4064 * in the socket structure.
4065 */
4066 /*ARGSUSED*/
4067 static void
auf_recvmsg(struct t_audit_data * tad,int error,rval_t * rvp)4068 auf_recvmsg(
4069 struct t_audit_data *tad,
4070 int error,
4071 rval_t *rvp)
4072 {
4073 struct a {
4074 long fd;
4075 long msg; /* struct msghdr */
4076 long flags;
4077 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4078
4079 struct sonode *so;
4080 STRUCT_DECL(msghdr, msg);
4081 caddr_t msg_name;
4082 socklen_t msg_namelen;
4083 int fd;
4084 int err;
4085 char so_laddr[sizeof (struct sockaddr_in6)];
4086 char so_faddr[sizeof (struct sockaddr_in6)];
4087 socklen_t len;
4088 file_t *fp; /* unix domain sockets */
4089 struct f_audit_data *fad; /* unix domain sockets */
4090 short so_family, so_type;
4091 int add_sock_token = 0;
4092 au_kcontext_t *kctx = GET_KCTX_PZ;
4093
4094 fd = (int)uap->fd;
4095
4096 /* bail if an error */
4097 if (error) {
4098 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4099 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4100 return;
4101 }
4102
4103 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4104 /*
4105 * not security relevant if doing a recvmsg from non socket
4106 * so no extra tokens. Should probably turn off audit record
4107 * generation here.
4108 */
4109 return;
4110 }
4111
4112 so_family = so->so_family;
4113 so_type = so->so_type;
4114
4115 /*
4116 * only putout SOCKET_EX token if INET/INET6 family.
4117 * XXX - what do we do about other families?
4118 */
4119
4120 switch (so_family) {
4121 case AF_INET:
4122 case AF_INET6:
4123
4124 /*
4125 * if datagram type socket, then just use what is in
4126 * socket structure for local address.
4127 * XXX - what do we do for other types?
4128 */
4129 if ((so->so_type == SOCK_DGRAM) ||
4130 (so->so_type == SOCK_RAW)) {
4131 add_sock_token = 1;
4132
4133 bzero((void *)so_laddr, sizeof (so_laddr));
4134 bzero((void *)so_faddr, sizeof (so_faddr));
4135
4136 /* get local address */
4137 len = sizeof (so_laddr);
4138 (void) socket_getsockname(so,
4139 (struct sockaddr *)so_laddr, &len, CRED());
4140
4141 /* get peer address */
4142 STRUCT_INIT(msg, get_udatamodel());
4143
4144 if (copyin((caddr_t)(uap->msg),
4145 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4146 break;
4147 }
4148 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4149 if (msg_name == NULL) {
4150 break;
4151 }
4152
4153 /* length is value from recvmsg - sanity check */
4154 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4155 if (msg_namelen == 0) {
4156 break;
4157 }
4158 if (copyin(msg_name, so_faddr,
4159 sizeof (so_faddr)) != 0) {
4160 break;
4161 }
4162
4163 } else if (so->so_type == SOCK_STREAM) {
4164
4165 /* get path from file struct here */
4166 fad = F2A(fp);
4167 ASSERT(fad);
4168
4169 /*
4170 * already processed this file for read attempt
4171 */
4172 if (fad->fad_flags & FAD_READ) {
4173 /* don't want to audit every recvmsg attempt */
4174 tad->tad_flag = 0;
4175 /* free any residual audit data */
4176 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4177 releasef(fd);
4178 return;
4179 }
4180 /*
4181 * mark things so we know what happened and don't
4182 * repeat things
4183 */
4184 fad->fad_flags |= FAD_READ;
4185
4186 bzero((void *)so_laddr, sizeof (so_laddr));
4187 bzero((void *)so_faddr, sizeof (so_faddr));
4188
4189 /* get local and foreign addresses */
4190 len = sizeof (so_laddr);
4191 (void) socket_getsockname(so,
4192 (struct sockaddr *)so_laddr, &len, CRED());
4193 len = sizeof (so_faddr);
4194 (void) socket_getpeername(so,
4195 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4196
4197 add_sock_token = 1;
4198 }
4199
4200 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4201
4202 break;
4203
4204 case AF_UNIX:
4205 /*
4206 * first check if this is first time through. Too much
4207 * duplicate code to put this in an aui_ routine.
4208 */
4209
4210 /* get path from file struct here */
4211 fad = F2A(fp);
4212 ASSERT(fad);
4213
4214 /*
4215 * already processed this file for read attempt
4216 */
4217 if (fad->fad_flags & FAD_READ) {
4218 releasef(fd);
4219 /* don't want to audit every recvmsg attempt */
4220 tad->tad_flag = 0;
4221 /* free any residual audit data */
4222 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4223 return;
4224 }
4225 /*
4226 * mark things so we know what happened and don't
4227 * repeat things
4228 */
4229 fad->fad_flags |= FAD_READ;
4230
4231 if (fad->fad_aupath != NULL) {
4232 au_uwrite(au_to_path(fad->fad_aupath));
4233 } else {
4234 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4235 }
4236
4237 audit_attributes(fp->f_vnode);
4238
4239 releasef(fd);
4240
4241 return;
4242
4243 default:
4244 break;
4245
4246 }
4247
4248 releasef(fd);
4249
4250 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4251
4252 if (add_sock_token == 0) {
4253 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4254 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4255 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4256 return;
4257 }
4258
4259 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4260
4261 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4262
4263 }
4264
4265 /*ARGSUSED*/
4266 static void
auf_recvfrom(struct t_audit_data * tad,int error,rval_t * rvp)4267 auf_recvfrom(
4268 struct t_audit_data *tad,
4269 int error,
4270 rval_t *rvp)
4271 {
4272
4273 struct a {
4274 long fd;
4275 long msg; /* char */
4276 long len;
4277 long flags;
4278 long from; /* struct sockaddr */
4279 long fromlen;
4280 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4281
4282 socklen_t fromlen;
4283 struct sonode *so;
4284 char so_laddr[sizeof (struct sockaddr_in6)];
4285 char so_faddr[sizeof (struct sockaddr_in6)];
4286 int fd;
4287 short so_family, so_type;
4288 int add_sock_token = 0;
4289 socklen_t len;
4290 int err;
4291 struct file *fp;
4292 struct f_audit_data *fad; /* unix domain sockets */
4293 au_kcontext_t *kctx = GET_KCTX_PZ;
4294
4295 fd = (int)uap->fd;
4296
4297 /* bail if an error */
4298 if (error) {
4299 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4300 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4301 return;
4302 }
4303
4304 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4305 /*
4306 * not security relevant if doing a recvmsg from non socket
4307 * so no extra tokens. Should probably turn off audit record
4308 * generation here.
4309 */
4310 return;
4311 }
4312
4313 so_family = so->so_family;
4314 so_type = so->so_type;
4315
4316 /*
4317 * only putout SOCKET_EX token if INET/INET6 family.
4318 * XXX - what do we do about other families?
4319 */
4320
4321 switch (so_family) {
4322 case AF_INET:
4323 case AF_INET6:
4324
4325 /*
4326 * if datagram type socket, then just use what is in
4327 * socket structure for local address.
4328 * XXX - what do we do for other types?
4329 */
4330 if ((so->so_type == SOCK_DGRAM) ||
4331 (so->so_type == SOCK_RAW)) {
4332 add_sock_token = 1;
4333
4334 /* get local address */
4335 len = sizeof (so_laddr);
4336 (void) socket_getsockname(so,
4337 (struct sockaddr *)so_laddr, &len, CRED());
4338
4339 /* get peer address */
4340 bzero((void *)so_faddr, sizeof (so_faddr));
4341
4342 /* sanity check */
4343 if (uap->from == NULL)
4344 break;
4345
4346 /* sanity checks */
4347 if (uap->fromlen == 0)
4348 break;
4349
4350 if (copyin((caddr_t)(uap->fromlen), (caddr_t)&fromlen,
4351 sizeof (fromlen)) != 0)
4352 break;
4353
4354 if (fromlen == 0)
4355 break;
4356
4357 /* enforce maximum size */
4358 if (fromlen > sizeof (so_faddr))
4359 fromlen = sizeof (so_faddr);
4360
4361 if (copyin((caddr_t)(uap->from), so_faddr,
4362 fromlen) != 0)
4363 break;
4364
4365 } else if (so->so_type == SOCK_STREAM) {
4366
4367 /* get path from file struct here */
4368 fad = F2A(fp);
4369 ASSERT(fad);
4370
4371 /*
4372 * already processed this file for read attempt
4373 */
4374 if (fad->fad_flags & FAD_READ) {
4375 /* don't want to audit every recvfrom attempt */
4376 tad->tad_flag = 0;
4377 /* free any residual audit data */
4378 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4379 releasef(fd);
4380 return;
4381 }
4382 /*
4383 * mark things so we know what happened and don't
4384 * repeat things
4385 */
4386 fad->fad_flags |= FAD_READ;
4387
4388 bzero((void *)so_laddr, sizeof (so_laddr));
4389 bzero((void *)so_faddr, sizeof (so_faddr));
4390
4391 /* get local and foreign addresses */
4392 len = sizeof (so_laddr);
4393 (void) socket_getsockname(so,
4394 (struct sockaddr *)so_laddr, &len, CRED());
4395 len = sizeof (so_faddr);
4396 (void) socket_getpeername(so,
4397 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4398
4399 add_sock_token = 1;
4400 }
4401
4402 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4403
4404 break;
4405
4406 case AF_UNIX:
4407 /*
4408 * first check if this is first time through. Too much
4409 * duplicate code to put this in an aui_ routine.
4410 */
4411
4412 /* get path from file struct here */
4413 fad = F2A(fp);
4414 ASSERT(fad);
4415
4416 /*
4417 * already processed this file for read attempt
4418 */
4419 if (fad->fad_flags & FAD_READ) {
4420 /* don't want to audit every recvfrom attempt */
4421 tad->tad_flag = 0;
4422 /* free any residual audit data */
4423 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4424 releasef(fd);
4425 return;
4426 }
4427 /*
4428 * mark things so we know what happened and don't
4429 * repeat things
4430 */
4431 fad->fad_flags |= FAD_READ;
4432
4433 if (fad->fad_aupath != NULL) {
4434 au_uwrite(au_to_path(fad->fad_aupath));
4435 } else {
4436 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4437 }
4438
4439 audit_attributes(fp->f_vnode);
4440
4441 releasef(fd);
4442
4443 return;
4444
4445 default:
4446 break;
4447
4448 }
4449
4450 releasef(fd);
4451
4452 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4453
4454 if (add_sock_token == 0) {
4455 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4456 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4457 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4458 return;
4459 }
4460
4461 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4462
4463 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4464 }
4465
4466 /*ARGSUSED*/
4467 static void
auf_sendmsg(struct t_audit_data * tad,int error,rval_t * rval)4468 auf_sendmsg(struct t_audit_data *tad, int error, rval_t *rval)
4469 {
4470 struct a {
4471 long fd;
4472 long msg; /* struct msghdr */
4473 long flags;
4474 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4475
4476 struct sonode *so;
4477 char so_laddr[sizeof (struct sockaddr_in6)];
4478 char so_faddr[sizeof (struct sockaddr_in6)];
4479 int err;
4480 int fd;
4481 short so_family, so_type;
4482 int add_sock_token = 0;
4483 socklen_t len;
4484 struct file *fp;
4485 struct f_audit_data *fad;
4486 caddr_t msg_name;
4487 socklen_t msg_namelen;
4488 STRUCT_DECL(msghdr, msg);
4489 au_kcontext_t *kctx = GET_KCTX_PZ;
4490
4491 fd = (int)uap->fd;
4492
4493 /* bail if an error */
4494 if (error) {
4495 /* XXX include destination address from system call arguments */
4496 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4497 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4498 return;
4499 }
4500
4501 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4502 /*
4503 * not security relevant if doing a sendmsg from non socket
4504 * so no extra tokens. Should probably turn off audit record
4505 * generation here.
4506 */
4507 return;
4508 }
4509
4510 so_family = so->so_family;
4511 so_type = so->so_type;
4512
4513 switch (so_family) {
4514 case AF_INET:
4515 case AF_INET6:
4516 /*
4517 * if datagram type socket, then just use what is in
4518 * socket structure for local address.
4519 * XXX - what do we do for other types?
4520 */
4521 if ((so->so_type == SOCK_DGRAM) ||
4522 (so->so_type == SOCK_RAW)) {
4523
4524 bzero((void *)so_laddr, sizeof (so_laddr));
4525 bzero((void *)so_faddr, sizeof (so_faddr));
4526
4527 /* get local address */
4528 len = sizeof (so_laddr);
4529 (void) socket_getsockname(so,
4530 (struct sockaddr *)so_laddr, &len, CRED());
4531
4532 /* get peer address */
4533 STRUCT_INIT(msg, get_udatamodel());
4534
4535 if (copyin((caddr_t)(uap->msg),
4536 (caddr_t)STRUCT_BUF(msg), STRUCT_SIZE(msg)) != 0) {
4537 break;
4538 }
4539 msg_name = (caddr_t)STRUCT_FGETP(msg, msg_name);
4540 if (msg_name == NULL)
4541 break;
4542
4543 msg_namelen = (socklen_t)STRUCT_FGET(msg, msg_namelen);
4544 /* length is value from recvmsg - sanity check */
4545 if (msg_namelen == 0)
4546 break;
4547
4548 if (copyin(msg_name, so_faddr,
4549 sizeof (so_faddr)) != 0)
4550 break;
4551
4552 add_sock_token = 1;
4553
4554 } else if (so->so_type == SOCK_STREAM) {
4555
4556 /* get path from file struct here */
4557 fad = F2A(fp);
4558 ASSERT(fad);
4559
4560 /*
4561 * already processed this file for write attempt
4562 */
4563 if (fad->fad_flags & FAD_WRITE) {
4564 releasef(fd);
4565 /* don't want to audit every sendmsg attempt */
4566 tad->tad_flag = 0;
4567 /* free any residual audit data */
4568 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4569 return;
4570 }
4571
4572 /*
4573 * mark things so we know what happened and don't
4574 * repeat things
4575 */
4576 fad->fad_flags |= FAD_WRITE;
4577
4578 bzero((void *)so_laddr, sizeof (so_laddr));
4579 bzero((void *)so_faddr, sizeof (so_faddr));
4580
4581 /* get local and foreign addresses */
4582 len = sizeof (so_laddr);
4583 (void) socket_getsockname(so,
4584 (struct sockaddr *)so_laddr, &len, CRED());
4585 len = sizeof (so_faddr);
4586 (void) socket_getpeername(so,
4587 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4588
4589 add_sock_token = 1;
4590 }
4591
4592 /* XXX - what about SOCK_RAW/SOCK_RDM/SOCK_SEQPACKET ??? */
4593
4594 break;
4595
4596 case AF_UNIX:
4597 /*
4598 * first check if this is first time through. Too much
4599 * duplicate code to put this in an aui_ routine.
4600 */
4601
4602 /* get path from file struct here */
4603 fad = F2A(fp);
4604 ASSERT(fad);
4605
4606 /*
4607 * already processed this file for write attempt
4608 */
4609 if (fad->fad_flags & FAD_WRITE) {
4610 releasef(fd);
4611 /* don't want to audit every sendmsg attempt */
4612 tad->tad_flag = 0;
4613 /* free any residual audit data */
4614 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4615 return;
4616 }
4617 /*
4618 * mark things so we know what happened and don't
4619 * repeat things
4620 */
4621 fad->fad_flags |= FAD_WRITE;
4622
4623 if (fad->fad_aupath != NULL) {
4624 au_uwrite(au_to_path(fad->fad_aupath));
4625 } else {
4626 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4627 }
4628
4629 audit_attributes(fp->f_vnode);
4630
4631 releasef(fd);
4632
4633 return;
4634
4635 default:
4636 break;
4637 }
4638
4639 releasef(fd);
4640
4641 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4642
4643 if (add_sock_token == 0) {
4644 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4645 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4646 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4647 return;
4648 }
4649
4650 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4651
4652 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4653 }
4654
4655 /*ARGSUSED*/
4656 static void
auf_sendto(struct t_audit_data * tad,int error,rval_t * rval)4657 auf_sendto(struct t_audit_data *tad, int error, rval_t *rval)
4658 {
4659 struct a {
4660 long fd;
4661 long msg; /* char */
4662 long len;
4663 long flags;
4664 long to; /* struct sockaddr */
4665 long tolen;
4666 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4667
4668 struct sonode *so;
4669 char so_laddr[sizeof (struct sockaddr_in6)];
4670 char so_faddr[sizeof (struct sockaddr_in6)];
4671 socklen_t tolen;
4672 int err;
4673 int fd;
4674 socklen_t len;
4675 short so_family, so_type;
4676 int add_sock_token = 0;
4677 struct file *fp;
4678 struct f_audit_data *fad;
4679 au_kcontext_t *kctx = GET_KCTX_PZ;
4680
4681 fd = (int)uap->fd;
4682
4683 /* bail if an error */
4684 if (error) {
4685 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4686 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4687 /* XXX include destination address from system call arguments */
4688 return;
4689 }
4690
4691 if ((so = getsonode(fd, &err, &fp)) == NULL) {
4692 /*
4693 * not security relevant if doing a sendto using non socket
4694 * so no extra tokens. Should probably turn off audit record
4695 * generation here.
4696 */
4697 return;
4698 }
4699
4700 so_family = so->so_family;
4701 so_type = so->so_type;
4702
4703 /*
4704 * only putout SOCKET_EX token if INET/INET6 family.
4705 * XXX - what do we do about other families?
4706 */
4707
4708 switch (so_family) {
4709 case AF_INET:
4710 case AF_INET6:
4711
4712 /*
4713 * if datagram type socket, then just use what is in
4714 * socket structure for local address.
4715 * XXX - what do we do for other types?
4716 */
4717 if ((so->so_type == SOCK_DGRAM) ||
4718 (so->so_type == SOCK_RAW)) {
4719
4720 bzero((void *)so_laddr, sizeof (so_laddr));
4721 bzero((void *)so_faddr, sizeof (so_faddr));
4722
4723 /* get local address */
4724 len = sizeof (so_laddr);
4725 (void) socket_getsockname(so,
4726 (struct sockaddr *)so_laddr, &len, CRED());
4727
4728 /* get peer address */
4729
4730 /* sanity check */
4731 if (uap->to == NULL)
4732 break;
4733
4734 /* sanity checks */
4735 if (uap->tolen == 0)
4736 break;
4737
4738 tolen = (socklen_t)uap->tolen;
4739
4740 /* enforce maximum size */
4741 if (tolen > sizeof (so_faddr))
4742 tolen = sizeof (so_faddr);
4743
4744 if (copyin((caddr_t)(uap->to), so_faddr, tolen) != 0)
4745 break;
4746
4747 add_sock_token = 1;
4748 } else {
4749 /*
4750 * check if this is first time through.
4751 */
4752
4753 /* get path from file struct here */
4754 fad = F2A(fp);
4755 ASSERT(fad);
4756
4757 /*
4758 * already processed this file for write attempt
4759 */
4760 if (fad->fad_flags & FAD_WRITE) {
4761 /* don't want to audit every sendto attempt */
4762 tad->tad_flag = 0;
4763 /* free any residual audit data */
4764 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4765 releasef(fd);
4766 return;
4767 }
4768 /*
4769 * mark things so we know what happened and don't
4770 * repeat things
4771 */
4772 fad->fad_flags |= FAD_WRITE;
4773
4774 bzero((void *)so_laddr, sizeof (so_laddr));
4775 bzero((void *)so_faddr, sizeof (so_faddr));
4776
4777 /* get local and foreign addresses */
4778 len = sizeof (so_laddr);
4779 (void) socket_getsockname(so,
4780 (struct sockaddr *)so_laddr, &len, CRED());
4781 len = sizeof (so_faddr);
4782 (void) socket_getpeername(so,
4783 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
4784
4785 add_sock_token = 1;
4786 }
4787
4788 /* XXX - what about SOCK_RDM/SOCK_SEQPACKET ??? */
4789
4790 break;
4791
4792 case AF_UNIX:
4793 /*
4794 * first check if this is first time through. Too much
4795 * duplicate code to put this in an aui_ routine.
4796 */
4797
4798 /* get path from file struct here */
4799 fad = F2A(fp);
4800 ASSERT(fad);
4801
4802 /*
4803 * already processed this file for write attempt
4804 */
4805 if (fad->fad_flags & FAD_WRITE) {
4806 /* don't want to audit every sendto attempt */
4807 tad->tad_flag = 0;
4808 /* free any residual audit data */
4809 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
4810 releasef(fd);
4811 return;
4812 }
4813 /*
4814 * mark things so we know what happened and don't
4815 * repeat things
4816 */
4817 fad->fad_flags |= FAD_WRITE;
4818
4819 if (fad->fad_aupath != NULL) {
4820 au_uwrite(au_to_path(fad->fad_aupath));
4821 } else {
4822 au_uwrite(au_to_arg32(1, "no path: fd", fd));
4823 }
4824
4825 audit_attributes(fp->f_vnode);
4826
4827 releasef(fd);
4828
4829 return;
4830
4831 default:
4832 break;
4833
4834 }
4835
4836 releasef(fd);
4837
4838 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
4839
4840 if (add_sock_token == 0) {
4841 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
4842 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
4843 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4844 return;
4845 }
4846
4847 au_uwrite(au_to_arg32(3, "flags", (uint32_t)(uap->flags)));
4848
4849 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
4850
4851 }
4852
4853 /*
4854 * XXX socket(2) may be equivalent to open(2) on a unix domain
4855 * socket. This needs investigation.
4856 */
4857
4858 /*ARGSUSED*/
4859 static void
aus_socket(struct t_audit_data * tad)4860 aus_socket(struct t_audit_data *tad)
4861 {
4862 struct a {
4863 long domain;
4864 long type;
4865 long protocol;
4866 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4867
4868 au_uwrite(au_to_arg32(1, "domain", (uint32_t)uap->domain));
4869 au_uwrite(au_to_arg32(2, "type", (uint32_t)uap->type));
4870 au_uwrite(au_to_arg32(3, "protocol", (uint32_t)uap->protocol));
4871 }
4872
4873 /*ARGSUSED*/
4874 static void
aus_sigqueue(struct t_audit_data * tad)4875 aus_sigqueue(struct t_audit_data *tad)
4876 {
4877 struct a {
4878 long pid;
4879 long signo;
4880 long *val;
4881 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4882 struct proc *p;
4883 uid_t uid, ruid;
4884 gid_t gid, rgid;
4885 pid_t pid;
4886 const auditinfo_addr_t *ainfo;
4887 cred_t *cr;
4888
4889 pid = (pid_t)uap->pid;
4890
4891 au_uwrite(au_to_arg32(2, "signal", (uint32_t)uap->signo));
4892 if (pid > 0) {
4893 mutex_enter(&pidlock);
4894 if ((p = prfind(pid)) == (struct proc *)0) {
4895 mutex_exit(&pidlock);
4896 return;
4897 }
4898 mutex_enter(&p->p_lock); /* so process doesn't go away */
4899 mutex_exit(&pidlock);
4900
4901 mutex_enter(&p->p_crlock);
4902 crhold(cr = p->p_cred);
4903 mutex_exit(&p->p_crlock);
4904 mutex_exit(&p->p_lock);
4905
4906 ainfo = crgetauinfo(cr);
4907 if (ainfo == NULL) {
4908 crfree(cr);
4909 return;
4910 }
4911
4912 uid = crgetuid(cr);
4913 gid = crgetgid(cr);
4914 ruid = crgetruid(cr);
4915 rgid = crgetrgid(cr);
4916 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
4917 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
4918 crfree(cr);
4919 }
4920 else
4921 au_uwrite(au_to_arg32(1, "process ID", (uint32_t)pid));
4922 }
4923
4924 /*ARGSUSED*/
4925 static void
aus_inst_sync(struct t_audit_data * tad)4926 aus_inst_sync(struct t_audit_data *tad)
4927 {
4928 struct a {
4929 long name; /* char */
4930 long flags;
4931 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4932
4933 au_uwrite(au_to_arg32(2, "flags", (uint32_t)uap->flags));
4934 }
4935
4936 /*ARGSUSED*/
4937 static void
aus_brandsys(struct t_audit_data * tad)4938 aus_brandsys(struct t_audit_data *tad)
4939 {
4940 klwp_t *clwp = ttolwp(curthread);
4941
4942 struct a {
4943 long cmd;
4944 long arg1;
4945 long arg2;
4946 long arg3;
4947 long arg4;
4948 long arg5;
4949 long arg6;
4950 } *uap = (struct a *)clwp->lwp_ap;
4951
4952 au_uwrite(au_to_arg32(1, "cmd", (uint_t)uap->cmd));
4953 #ifdef _LP64
4954 au_uwrite(au_to_arg64(2, "arg1", (uint64_t)uap->arg1));
4955 au_uwrite(au_to_arg64(3, "arg2", (uint64_t)uap->arg2));
4956 au_uwrite(au_to_arg64(4, "arg3", (uint64_t)uap->arg3));
4957 au_uwrite(au_to_arg64(5, "arg4", (uint64_t)uap->arg4));
4958 au_uwrite(au_to_arg64(6, "arg5", (uint64_t)uap->arg5));
4959 au_uwrite(au_to_arg64(7, "arg6", (uint64_t)uap->arg6));
4960 #else
4961 au_uwrite(au_to_arg32(2, "arg1", (uint32_t)uap->arg1));
4962 au_uwrite(au_to_arg32(3, "arg2", (uint32_t)uap->arg2));
4963 au_uwrite(au_to_arg32(4, "arg3", (uint32_t)uap->arg3));
4964 au_uwrite(au_to_arg32(5, "arg4", (uint32_t)uap->arg4));
4965 au_uwrite(au_to_arg32(6, "arg5", (uint32_t)uap->arg5));
4966 au_uwrite(au_to_arg32(7, "arg6", (uint32_t)uap->arg6));
4967 #endif
4968 }
4969
4970 /*ARGSUSED*/
4971 static void
aus_p_online(struct t_audit_data * tad)4972 aus_p_online(struct t_audit_data *tad)
4973 {
4974 struct a {
4975 long processor_id;
4976 long flag;
4977 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
4978
4979 struct flags {
4980 int flag;
4981 char *cflag;
4982 } aflags[6] = {
4983 { P_ONLINE, "P_ONLINE"},
4984 { P_OFFLINE, "P_OFFLINE"},
4985 { P_NOINTR, "P_NOINTR"},
4986 { P_SPARE, "P_SPARE"},
4987 { P_FAULTED, "P_FAULTED"},
4988 { P_STATUS, "P_STATUS"}
4989 };
4990 int i;
4991 char *cflag;
4992
4993 au_uwrite(au_to_arg32(1, "processor ID", (uint32_t)uap->processor_id));
4994 au_uwrite(au_to_arg32(2, "flag", (uint32_t)uap->flag));
4995
4996 for (i = 0; i < 6; i++) {
4997 if (aflags[i].flag == uap->flag)
4998 break;
4999 }
5000 cflag = (i == 6) ? "bad flag":aflags[i].cflag;
5001
5002 au_uwrite(au_to_text(cflag));
5003 }
5004
5005 /*ARGSUSED*/
5006 static void
aus_processor_bind(struct t_audit_data * tad)5007 aus_processor_bind(struct t_audit_data *tad)
5008 {
5009 struct a {
5010 long id_type;
5011 long id;
5012 long processor_id;
5013 long obind;
5014 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5015
5016 struct proc *p;
5017 int lwpcnt;
5018 uid_t uid, ruid;
5019 gid_t gid, rgid;
5020 pid_t pid;
5021 const auditinfo_addr_t *ainfo;
5022 cred_t *cr;
5023
5024 au_uwrite(au_to_arg32(1, "ID type", (uint32_t)uap->id_type));
5025 au_uwrite(au_to_arg32(2, "ID", (uint32_t)uap->id));
5026 if (uap->processor_id == PBIND_NONE)
5027 au_uwrite(au_to_text("PBIND_NONE"));
5028 else
5029 au_uwrite(au_to_arg32(3, "processor_id",
5030 (uint32_t)uap->processor_id));
5031
5032 switch (uap->id_type) {
5033 case P_MYID:
5034 case P_LWPID:
5035 mutex_enter(&pidlock);
5036 p = ttoproc(curthread);
5037 if (p == NULL || p->p_as == &kas) {
5038 mutex_exit(&pidlock);
5039 return;
5040 }
5041 mutex_enter(&p->p_lock);
5042 mutex_exit(&pidlock);
5043 lwpcnt = p->p_lwpcnt;
5044 pid = p->p_pid;
5045
5046 mutex_enter(&p->p_crlock);
5047 crhold(cr = p->p_cred);
5048 mutex_exit(&p->p_crlock);
5049 mutex_exit(&p->p_lock);
5050
5051 ainfo = crgetauinfo(cr);
5052 if (ainfo == NULL) {
5053 crfree(cr);
5054 return;
5055 }
5056
5057 uid = crgetuid(cr);
5058 gid = crgetgid(cr);
5059 ruid = crgetruid(cr);
5060 rgid = crgetrgid(cr);
5061 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5062 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5063 crfree(cr);
5064 break;
5065 case P_PID:
5066 mutex_enter(&pidlock);
5067 p = prfind(uap->id);
5068 if (p == NULL || p->p_as == &kas) {
5069 mutex_exit(&pidlock);
5070 return;
5071 }
5072 mutex_enter(&p->p_lock);
5073 mutex_exit(&pidlock);
5074 lwpcnt = p->p_lwpcnt;
5075 pid = p->p_pid;
5076
5077 mutex_enter(&p->p_crlock);
5078 crhold(cr = p->p_cred);
5079 mutex_exit(&p->p_crlock);
5080 mutex_exit(&p->p_lock);
5081
5082 ainfo = crgetauinfo(cr);
5083 if (ainfo == NULL) {
5084 crfree(cr);
5085 return;
5086 }
5087
5088 uid = crgetuid(cr);
5089 gid = crgetgid(cr);
5090 ruid = crgetruid(cr);
5091 rgid = crgetrgid(cr);
5092 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5093 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5094 crfree(cr);
5095
5096 break;
5097 default:
5098 return;
5099 }
5100
5101 if (uap->processor_id == PBIND_NONE &&
5102 (!(uap->id_type == P_LWPID && lwpcnt > 1)))
5103 au_uwrite(au_to_text("PBIND_NONE for process"));
5104 else
5105 au_uwrite(au_to_arg32(3, "processor_id",
5106 (uint32_t)uap->processor_id));
5107 }
5108
5109 /*ARGSUSED*/
5110 static au_event_t
aui_doorfs(au_event_t e)5111 aui_doorfs(au_event_t e)
5112 {
5113 uint32_t code;
5114
5115 struct a { /* doorfs */
5116 long a1;
5117 long a2;
5118 long a3;
5119 long a4;
5120 long a5;
5121 long code;
5122 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5123
5124 /*
5125 * audit formats for several of the
5126 * door calls have not yet been determined
5127 */
5128 code = (uint32_t)uap->code;
5129 switch (code) {
5130 case DOOR_CALL:
5131 e = AUE_DOORFS_DOOR_CALL;
5132 break;
5133 case DOOR_RETURN:
5134 e = AUE_NULL;
5135 break;
5136 case DOOR_CREATE:
5137 e = AUE_DOORFS_DOOR_CREATE;
5138 break;
5139 case DOOR_REVOKE:
5140 e = AUE_DOORFS_DOOR_REVOKE;
5141 break;
5142 case DOOR_INFO:
5143 e = AUE_NULL;
5144 break;
5145 case DOOR_UCRED:
5146 e = AUE_NULL;
5147 break;
5148 case DOOR_BIND:
5149 e = AUE_NULL;
5150 break;
5151 case DOOR_UNBIND:
5152 e = AUE_NULL;
5153 break;
5154 case DOOR_GETPARAM:
5155 e = AUE_NULL;
5156 break;
5157 case DOOR_SETPARAM:
5158 e = AUE_NULL;
5159 break;
5160 default: /* illegal system call */
5161 e = AUE_NULL;
5162 break;
5163 }
5164
5165 return (e);
5166 }
5167
5168 static door_node_t *
au_door_lookup(int did)5169 au_door_lookup(int did)
5170 {
5171 vnode_t *vp;
5172 file_t *fp;
5173
5174 if ((fp = getf(did)) == NULL)
5175 return (NULL);
5176 /*
5177 * Use the underlying vnode (we may be namefs mounted)
5178 */
5179 if (VOP_REALVP(fp->f_vnode, &vp, NULL))
5180 vp = fp->f_vnode;
5181
5182 if (vp == NULL || vp->v_type != VDOOR) {
5183 releasef(did);
5184 return (NULL);
5185 }
5186
5187 return (VTOD(vp));
5188 }
5189
5190 /*ARGSUSED*/
5191 static void
aus_doorfs(struct t_audit_data * tad)5192 aus_doorfs(struct t_audit_data *tad)
5193 {
5194
5195 struct a { /* doorfs */
5196 long a1;
5197 long a2;
5198 long a3;
5199 long a4;
5200 long a5;
5201 long code;
5202 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5203
5204 door_node_t *dp;
5205 struct proc *p;
5206 uint32_t did;
5207 uid_t uid, ruid;
5208 gid_t gid, rgid;
5209 pid_t pid;
5210 const auditinfo_addr_t *ainfo;
5211 cred_t *cr;
5212
5213 did = (uint32_t)uap->a1;
5214
5215 switch (tad->tad_event) {
5216 case AUE_DOORFS_DOOR_CALL:
5217 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5218 if ((dp = au_door_lookup(did)) == NULL)
5219 break;
5220
5221 if (DOOR_INVALID(dp)) {
5222 releasef(did);
5223 break;
5224 }
5225
5226 if ((p = dp->door_target) == NULL) {
5227 releasef(did);
5228 break;
5229 }
5230 mutex_enter(&p->p_lock);
5231 releasef(did);
5232
5233 pid = p->p_pid;
5234
5235 mutex_enter(&p->p_crlock);
5236 crhold(cr = p->p_cred);
5237 mutex_exit(&p->p_crlock);
5238 mutex_exit(&p->p_lock);
5239
5240 ainfo = crgetauinfo(cr);
5241 if (ainfo == NULL) {
5242 crfree(cr);
5243 return;
5244 }
5245 uid = crgetuid(cr);
5246 gid = crgetgid(cr);
5247 ruid = crgetruid(cr);
5248 rgid = crgetrgid(cr);
5249 au_uwrite(au_to_process(uid, gid, ruid, rgid, pid,
5250 ainfo->ai_auid, ainfo->ai_asid, &ainfo->ai_termid));
5251 crfree(cr);
5252 break;
5253 case AUE_DOORFS_DOOR_RETURN:
5254 /*
5255 * We may want to write information about
5256 * all doors (if any) which will be copied
5257 * by this call to the user space
5258 */
5259 break;
5260 case AUE_DOORFS_DOOR_CREATE:
5261 au_uwrite(au_to_arg32(3, "door attr", (uint32_t)uap->a3));
5262 break;
5263 case AUE_DOORFS_DOOR_REVOKE:
5264 au_uwrite(au_to_arg32(1, "door ID", (uint32_t)did));
5265 break;
5266 case AUE_DOORFS_DOOR_INFO:
5267 break;
5268 case AUE_DOORFS_DOOR_CRED:
5269 break;
5270 case AUE_DOORFS_DOOR_BIND:
5271 break;
5272 case AUE_DOORFS_DOOR_UNBIND: {
5273 break;
5274 }
5275 default: /* illegal system call */
5276 break;
5277 }
5278 }
5279
5280 /*ARGSUSED*/
5281 static au_event_t
aui_acl(au_event_t e)5282 aui_acl(au_event_t e)
5283 {
5284 struct a {
5285 union {
5286 long name; /* char */
5287 long fd;
5288 } obj;
5289
5290 long cmd;
5291 long nentries;
5292 long arg; /* aclent_t */
5293 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5294
5295 switch (uap->cmd) {
5296 case SETACL:
5297 case ACE_SETACL:
5298 /*
5299 * acl(SETACL/ACE_SETACL, ...) and facl(SETACL/ACE_SETACL, ...)
5300 * are expected.
5301 */
5302 break;
5303 case GETACL:
5304 case GETACLCNT:
5305 case ACE_GETACL:
5306 case ACE_GETACLCNT:
5307 /* do nothing for these four values. */
5308 e = AUE_NULL;
5309 break;
5310 default:
5311 /* illegal system call */
5312 break;
5313 }
5314
5315 return (e);
5316 }
5317
5318 static void
au_acl(int cmd,int nentries,caddr_t bufp)5319 au_acl(int cmd, int nentries, caddr_t bufp)
5320 {
5321 size_t a_size;
5322 aclent_t *aclbufp;
5323 ace_t *acebufp;
5324 int i;
5325
5326 switch (cmd) {
5327 case GETACL:
5328 case GETACLCNT:
5329 break;
5330 case SETACL:
5331 if (nentries < 3)
5332 break;
5333
5334 a_size = nentries * sizeof (aclent_t);
5335
5336 if ((aclbufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5337 break;
5338 if (copyin(bufp, aclbufp, a_size)) {
5339 kmem_free(aclbufp, a_size);
5340 break;
5341 }
5342 for (i = 0; i < nentries; i++) {
5343 au_uwrite(au_to_acl(aclbufp + i));
5344 }
5345 kmem_free(aclbufp, a_size);
5346 break;
5347
5348 case ACE_SETACL:
5349 if (nentries < 1 || nentries > MAX_ACL_ENTRIES)
5350 break;
5351
5352 a_size = nentries * sizeof (ace_t);
5353 if ((acebufp = kmem_alloc(a_size, KM_SLEEP)) == NULL)
5354 break;
5355 if (copyin(bufp, acebufp, a_size)) {
5356 kmem_free(acebufp, a_size);
5357 break;
5358 }
5359 for (i = 0; i < nentries; i++) {
5360 au_uwrite(au_to_ace(acebufp + i));
5361 }
5362 kmem_free(acebufp, a_size);
5363 break;
5364 default:
5365 break;
5366 }
5367 }
5368
5369 /*ARGSUSED*/
5370 static void
aus_acl(struct t_audit_data * tad)5371 aus_acl(struct t_audit_data *tad)
5372 {
5373 struct a {
5374 long fname;
5375 long cmd;
5376 long nentries;
5377 long aclbufp;
5378 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5379
5380 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5381 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5382
5383 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5384 }
5385
5386 /*ARGSUSED*/
5387 static void
aus_facl(struct t_audit_data * tad)5388 aus_facl(struct t_audit_data *tad)
5389 {
5390 struct a {
5391 long fd;
5392 long cmd;
5393 long nentries;
5394 long aclbufp;
5395 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5396 struct file *fp;
5397 struct vnode *vp;
5398 struct f_audit_data *fad;
5399 int fd;
5400
5401 au_uwrite(au_to_arg32(2, "cmd", (uint32_t)uap->cmd));
5402 au_uwrite(au_to_arg32(3, "nentries", (uint32_t)uap->nentries));
5403
5404 fd = (int)uap->fd;
5405
5406 if ((fp = getf(fd)) == NULL)
5407 return;
5408
5409 /* get path from file struct here */
5410 fad = F2A(fp);
5411 if (fad->fad_aupath != NULL) {
5412 au_uwrite(au_to_path(fad->fad_aupath));
5413 } else {
5414 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5415 }
5416
5417 vp = fp->f_vnode;
5418 audit_attributes(vp);
5419
5420 /* decrement file descriptor reference count */
5421 releasef(fd);
5422
5423 au_acl(uap->cmd, uap->nentries, (caddr_t)uap->aclbufp);
5424 }
5425
5426 /*ARGSUSED*/
5427 static void
auf_read(tad,error,rval)5428 auf_read(tad, error, rval)
5429 struct t_audit_data *tad;
5430 int error;
5431 rval_t *rval;
5432 {
5433 struct file *fp;
5434 struct f_audit_data *fad;
5435 int fd;
5436 register struct a {
5437 long fd;
5438 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5439 au_kcontext_t *kctx = GET_KCTX_PZ;
5440
5441 fd = (int)uap->fd;
5442
5443 /*
5444 * convert file pointer to file descriptor
5445 * Note: fd ref count incremented here.
5446 */
5447 if ((fp = getf(fd)) == NULL)
5448 return;
5449
5450 /* get path from file struct here */
5451 fad = F2A(fp);
5452 ASSERT(fad);
5453
5454 /*
5455 * already processed this file for read attempt
5456 *
5457 * XXX might be better to turn off auditing in a aui_read() routine.
5458 */
5459 if (fad->fad_flags & FAD_READ) {
5460 /* don't really want to audit every read attempt */
5461 tad->tad_flag = 0;
5462 /* free any residual audit data */
5463 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5464 releasef(fd);
5465 return;
5466 }
5467 /* mark things so we know what happened and don't repeat things */
5468 fad->fad_flags |= FAD_READ;
5469
5470 if (fad->fad_aupath != NULL) {
5471 au_uwrite(au_to_path(fad->fad_aupath));
5472 } else {
5473 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5474 }
5475
5476 /* include attributes */
5477 audit_attributes(fp->f_vnode);
5478
5479 /* decrement file descriptor reference count */
5480 releasef(fd);
5481 }
5482
5483 /*ARGSUSED*/
5484 static void
auf_write(tad,error,rval)5485 auf_write(tad, error, rval)
5486 struct t_audit_data *tad;
5487 int error;
5488 rval_t *rval;
5489 {
5490 struct file *fp;
5491 struct f_audit_data *fad;
5492 int fd;
5493 register struct a {
5494 long fd;
5495 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5496 au_kcontext_t *kctx = GET_KCTX_PZ;
5497
5498 fd = (int)uap->fd;
5499
5500 /*
5501 * convert file pointer to file descriptor
5502 * Note: fd ref count incremented here.
5503 */
5504 if ((fp = getf(fd)) == NULL)
5505 return;
5506
5507 /* get path from file struct here */
5508 fad = F2A(fp);
5509 ASSERT(fad);
5510
5511 /*
5512 * already processed this file for write attempt
5513 *
5514 * XXX might be better to turn off auditing in a aus_write() routine.
5515 */
5516 if (fad->fad_flags & FAD_WRITE) {
5517 /* don't really want to audit every write attempt */
5518 tad->tad_flag = 0;
5519 /* free any residual audit data */
5520 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5521 releasef(fd);
5522 return;
5523 }
5524 /* mark things so we know what happened and don't repeat things */
5525 fad->fad_flags |= FAD_WRITE;
5526
5527 if (fad->fad_aupath != NULL) {
5528 au_uwrite(au_to_path(fad->fad_aupath));
5529 } else {
5530 au_uwrite(au_to_arg32(1, "no path: fd", (uint32_t)fd));
5531 }
5532
5533 /* include attributes */
5534 audit_attributes(fp->f_vnode);
5535
5536 /* decrement file descriptor reference count */
5537 releasef(fd);
5538 }
5539
5540 /*ARGSUSED*/
5541 static void
auf_recv(tad,error,rval)5542 auf_recv(tad, error, rval)
5543 struct t_audit_data *tad;
5544 int error;
5545 rval_t *rval;
5546 {
5547 struct sonode *so;
5548 char so_laddr[sizeof (struct sockaddr_in6)];
5549 char so_faddr[sizeof (struct sockaddr_in6)];
5550 struct file *fp;
5551 struct f_audit_data *fad;
5552 int fd;
5553 int err;
5554 socklen_t len;
5555 short so_family, so_type;
5556 register struct a {
5557 long fd;
5558 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5559 au_kcontext_t *kctx = GET_KCTX_PZ;
5560
5561 /*
5562 * If there was an error, then nothing to do. Only generate
5563 * audit record on first successful recv.
5564 */
5565 if (error) {
5566 /* Turn off audit record generation here. */
5567 tad->tad_flag = 0;
5568 /* free any residual audit data */
5569 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5570 return;
5571 }
5572
5573 fd = (int)uap->fd;
5574
5575 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5576 /* Turn off audit record generation here. */
5577 tad->tad_flag = 0;
5578 /* free any residual audit data */
5579 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5580 return;
5581 }
5582
5583 /* get path from file struct here */
5584 fad = F2A(fp);
5585 ASSERT(fad);
5586
5587 /*
5588 * already processed this file for read attempt
5589 */
5590 if (fad->fad_flags & FAD_READ) {
5591 releasef(fd);
5592 /* don't really want to audit every recv call */
5593 tad->tad_flag = 0;
5594 /* free any residual audit data */
5595 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5596 return;
5597 }
5598
5599 /* mark things so we know what happened and don't repeat things */
5600 fad->fad_flags |= FAD_READ;
5601
5602 so_family = so->so_family;
5603 so_type = so->so_type;
5604
5605 switch (so_family) {
5606 case AF_INET:
5607 case AF_INET6:
5608 /*
5609 * Only for connections.
5610 * XXX - do we need to worry about SOCK_DGRAM or other types???
5611 */
5612 if (so->so_state & SS_ISBOUND) {
5613
5614 bzero((void *)so_laddr, sizeof (so_laddr));
5615 bzero((void *)so_faddr, sizeof (so_faddr));
5616
5617 /* get local and foreign addresses */
5618 len = sizeof (so_laddr);
5619 (void) socket_getsockname(so,
5620 (struct sockaddr *)so_laddr, &len, CRED());
5621 len = sizeof (so_faddr);
5622 (void) socket_getpeername(so,
5623 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5624
5625 /*
5626 * only way to drop out of switch. Note that we
5627 * we release fd below.
5628 */
5629
5630 break;
5631 }
5632
5633 releasef(fd);
5634
5635 /* don't really want to audit every recv call */
5636 tad->tad_flag = 0;
5637 /* free any residual audit data */
5638 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5639
5640 return;
5641
5642 case AF_UNIX:
5643
5644 if (fad->fad_aupath != NULL) {
5645 au_uwrite(au_to_path(fad->fad_aupath));
5646 } else {
5647 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5648 }
5649
5650 audit_attributes(fp->f_vnode);
5651
5652 releasef(fd);
5653
5654 return;
5655
5656 default:
5657 releasef(fd);
5658
5659 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5660 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5661 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5662
5663 return;
5664 }
5665
5666 releasef(fd);
5667
5668 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5669
5670 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5671
5672 }
5673
5674 /*ARGSUSED*/
5675 static void
auf_send(tad,error,rval)5676 auf_send(tad, error, rval)
5677 struct t_audit_data *tad;
5678 int error;
5679 rval_t *rval;
5680 {
5681 struct sonode *so;
5682 char so_laddr[sizeof (struct sockaddr_in6)];
5683 char so_faddr[sizeof (struct sockaddr_in6)];
5684 struct file *fp;
5685 struct f_audit_data *fad;
5686 int fd;
5687 int err;
5688 socklen_t len;
5689 short so_family, so_type;
5690 register struct a {
5691 long fd;
5692 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5693 au_kcontext_t *kctx = GET_KCTX_PZ;
5694
5695 fd = (int)uap->fd;
5696
5697 /*
5698 * If there was an error, then nothing to do. Only generate
5699 * audit record on first successful send.
5700 */
5701 if (error != 0) {
5702 /* Turn off audit record generation here. */
5703 tad->tad_flag = 0;
5704 /* free any residual audit data */
5705 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5706 return;
5707 }
5708
5709 fd = (int)uap->fd;
5710
5711 if ((so = getsonode(fd, &err, &fp)) == NULL) {
5712 /* Turn off audit record generation here. */
5713 tad->tad_flag = 0;
5714 /* free any residual audit data */
5715 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5716 return;
5717 }
5718
5719 /* get path from file struct here */
5720 fad = F2A(fp);
5721 ASSERT(fad);
5722
5723 /*
5724 * already processed this file for write attempt
5725 */
5726 if (fad->fad_flags & FAD_WRITE) {
5727 releasef(fd);
5728 /* don't really want to audit every send call */
5729 tad->tad_flag = 0;
5730 /* free any residual audit data */
5731 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5732 return;
5733 }
5734
5735 /* mark things so we know what happened and don't repeat things */
5736 fad->fad_flags |= FAD_WRITE;
5737
5738 so_family = so->so_family;
5739 so_type = so->so_type;
5740
5741 switch (so_family) {
5742 case AF_INET:
5743 case AF_INET6:
5744 /*
5745 * Only for connections.
5746 * XXX - do we need to worry about SOCK_DGRAM or other types???
5747 */
5748 if (so->so_state & SS_ISBOUND) {
5749
5750 bzero((void *)so_laddr, sizeof (so_laddr));
5751 bzero((void *)so_faddr, sizeof (so_faddr));
5752
5753 /* get local and foreign addresses */
5754 len = sizeof (so_laddr);
5755 (void) socket_getsockname(so,
5756 (struct sockaddr *)so_laddr, &len, CRED());
5757 len = sizeof (so_faddr);
5758 (void) socket_getpeername(so,
5759 (struct sockaddr *)so_faddr, &len, B_FALSE, CRED());
5760
5761 /*
5762 * only way to drop out of switch. Note that we
5763 * we release fd below.
5764 */
5765
5766 break;
5767 }
5768
5769 releasef(fd);
5770 /* don't really want to audit every send call */
5771 tad->tad_flag = 0;
5772 /* free any residual audit data */
5773 au_close(kctx, &(u_ad), 0, 0, 0, NULL);
5774
5775 return;
5776
5777 case AF_UNIX:
5778
5779 if (fad->fad_aupath != NULL) {
5780 au_uwrite(au_to_path(fad->fad_aupath));
5781 } else {
5782 au_uwrite(au_to_arg32(1, "no path: fd", fd));
5783 }
5784
5785 audit_attributes(fp->f_vnode);
5786
5787 releasef(fd);
5788
5789 return;
5790
5791 default:
5792 releasef(fd);
5793
5794 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5795 au_uwrite(au_to_arg32(1, "family", (uint32_t)so_family));
5796 au_uwrite(au_to_arg32(1, "type", (uint32_t)so_type));
5797
5798 return;
5799 }
5800
5801 releasef(fd);
5802
5803 au_uwrite(au_to_arg32(1, "so", (uint32_t)fd));
5804
5805 au_uwrite(au_to_socket_ex(so_family, so_type, so_laddr, so_faddr));
5806 }
5807
5808 static au_event_t
aui_forksys(au_event_t e)5809 aui_forksys(au_event_t e)
5810 {
5811 struct a {
5812 long subcode;
5813 long flags;
5814 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5815
5816 switch ((uint_t)uap->subcode) {
5817 case 0:
5818 e = AUE_FORK1;
5819 break;
5820 case 1:
5821 e = AUE_FORKALL;
5822 break;
5823 case 2:
5824 e = AUE_VFORK;
5825 break;
5826 default:
5827 e = AUE_NULL;
5828 break;
5829 }
5830
5831 return (e);
5832 }
5833
5834 /*ARGSUSED*/
5835 static au_event_t
aui_portfs(au_event_t e)5836 aui_portfs(au_event_t e)
5837 {
5838 struct a { /* portfs */
5839 long a1;
5840 long a2;
5841 long a3;
5842 } *uap = (struct a *)ttolwp(curthread)->lwp_ap;
5843
5844 /*
5845 * check opcode
5846 */
5847 switch (((uint_t)uap->a1) & PORT_CODE_MASK) {
5848 case PORT_ASSOCIATE:
5849 /* check source */
5850 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5851 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5852 e = AUE_PORTFS_ASSOCIATE;
5853 } else {
5854 e = AUE_NULL;
5855 }
5856 break;
5857 case PORT_DISSOCIATE:
5858 /* check source */
5859 if (((uint_t)uap->a3 == PORT_SOURCE_FILE) ||
5860 ((uint_t)uap->a3 == PORT_SOURCE_FD)) {
5861 e = AUE_PORTFS_DISSOCIATE;
5862 } else {
5863 e = AUE_NULL;
5864 }
5865 break;
5866 default:
5867 e = AUE_NULL;
5868 }
5869 return (e);
5870 }
5871