common/os/audit_core.c

005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil/*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * CDDL HEADER START
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * The contents of this file are subject to the terms of the
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * Common Development and Distribution License (the "License").
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * You may not use this file except in compliance with the License.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * or http://www.opensolaris.org/os/licensing.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * See the License for the specific language governing permissions
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * and limitations under the License.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * When distributing Covered Code, include this CDDL HEADER in each
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * If applicable, add the following below this CDDL HEADER, with the
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * fields enclosed by brackets "[]" replaced with your own identifying
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * information: Portions Copyright [yyyy] [name of copyright owner]
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * CDDL HEADER END
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil/*
7a6a8adf33a8856352a2184975e7957261808220Marek Pospisil * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/param.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/types.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/time.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/kmem.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/proc.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/vnode.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/file.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/user.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/stropts.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/systm.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/pathname.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/debug.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/cred_impl.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/zone.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/modctl.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <sys/sysconf.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <c2/audit.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <c2/audit_kernel.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <c2/audit_kevents.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil#include <c2/audit_record.h>
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilstruct p_audit_data *pad0;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilstruct t_audit_data *tad0;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilextern uint_t num_syscall;      /* size of audit_s2e table */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilextern kmutex_t pidlock;        /* proc table lock */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilvoid
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilaudit_init()
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil{
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    kthread_t       *au_thread;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    auditinfo_addr_t    *ainfo;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    struct audit_path   apempty;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * If the c2audit module is explicitely excluded in /etc/system,
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * it cannot be loaded later (e.g. using modload). Make a notice
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * that the module won't be present and do nothing.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (mod_sysctl(SYS_CHECK_EXCLUDE, "c2audit") != 0) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        audit_active = C2AUDIT_DISABLED;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        return;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* c2audit module can be loaded anytime */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    audit_active = C2AUDIT_UNLOADED;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* initialize the process audit data (pad) memory allocator */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    au_pad_init();
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* initialize the zone audit context */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    au_zone_setup();
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* inital thread structure */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    tad0 = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* initial process structure */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    pad0 = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    bzero(&pad0->pad_data, sizeof (pad0->pad_data));
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    curthread->t_audit_data = tad0;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    curproc->p_audit_data = pad0;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * The kernel allocates a bunch of threads make sure they have
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * a valid tad
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    mutex_enter(&pidlock);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    au_thread = curthread;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    do {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        if (T2A(au_thread) == NULL) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            T2A(au_thread) = tad0;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        au_thread = au_thread->t_next;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    } while (au_thread != curthread);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    tad0->tad_ad = NULL;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    mutex_exit(&pidlock);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * Initialize audit context in our cred (kcred).
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * No copy-on-write needed here because it's so early in init.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    ainfo = crgetauinfo_modifiable(kcred);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    ASSERT(ainfo != NULL);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    bzero(ainfo, sizeof (auditinfo_addr_t));
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    ainfo->ai_auid = AU_NOAUDITID;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* fabricate an empty audit_path to extend */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    apempty.audp_cnt = 0;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    apempty.audp_sect[0] = (char *)(&apempty.audp_sect[1]);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    pad0->pad_root = au_pathdup(&apempty, 1, 2);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    bcopy("/", pad0->pad_root->audp_sect[0], 2);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    au_pathhold(pad0->pad_root);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    pad0->pad_cwd = pad0->pad_root;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil}
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil/*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * Check for any pending changes to the audit context for the given proc.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * p_crlock and pad_lock for the process are acquired here. Caller is
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * responsible for assuring the process doesn't go away. If context is
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * updated, the specified cralloc'ed cred will be used, otherwise it's freed.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * If no cred is given, it will be cralloc'ed here and caller assures that
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * it is safe to allocate memory.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilvoid
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilaudit_update_context(proc_t *p, cred_t *ncr)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil{
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    struct p_audit_data *pad;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    cred_t *newcred = ncr;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    pad = P2A(p);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (pad == NULL) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        if (newcred != NULL)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            crfree(newcred);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        return;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* If a mask update is pending, take care of it. */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (pad->pad_flags & PAD_SETMASK) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        auditinfo_addr_t *ainfo;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        if (newcred == NULL)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            newcred = cralloc();
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        mutex_enter(&pad->pad_lock);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        /* the condition may have been handled by the time we lock */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        if (pad->pad_flags & PAD_SETMASK) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            ainfo = crgetauinfo_modifiable(newcred);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            if (ainfo == NULL) {
7a6a8adf33a8856352a2184975e7957261808220Marek Pospisil                mutex_exit(&pad->pad_lock);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil                crfree(newcred);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil                return;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            mutex_enter(&p->p_crlock);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            crcopy_to(p->p_cred, newcred);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            p->p_cred = newcred;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            ainfo->ai_mask = pad->pad_newmask;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            /* Unlock and cleanup. */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            mutex_exit(&p->p_crlock);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            pad->pad_flags &= ~PAD_SETMASK;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            /*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil             * For curproc, assure that our thread points to right
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil             * cred, so CRED() will be correct. Otherwise, no need
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil             * to broadcast changes (via set_proc_pre_sys), since
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil             * t_pre_sys is ALWAYS on when audit is enabled... due
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil             * to syscall auditing.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil             */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            if (p == curproc)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil                crset(p, newcred);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            else
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil                crfree(newcred);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        } else {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            crfree(newcred);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        mutex_exit(&pad->pad_lock);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    } else {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        if (newcred != NULL)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            crfree(newcred);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil}
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil/*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * ROUTINE: AUDIT_NEWPROC
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * PURPOSE: initialize the child p_audit_data structure
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * CALLBY:  GETPROC
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * NOTE:    All threads for the parent process are locked at this point.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *      We are essentially running singled threaded for this reason.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *      GETPROC is called when system creates a new process.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *      By the time AUDIT_NEWPROC is called, the child proc
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *      structure has already been initialized. What we need
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *      to do is to allocate the child p_audit_data and
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *      initialize it with the content of current parent process.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilvoid
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilaudit_newproc(struct proc *cp)  /* initialized child proc structure */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil{
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    p_audit_data_t *pad;    /* child process audit data */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    p_audit_data_t *opad;   /* parent process audit data */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    pad = kmem_cache_alloc(au_pad_cache, KM_SLEEP);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    P2A(cp) = pad;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    opad = P2A(curproc);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * copy the audit data. Note that all threads of current
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     *   process have been "held". Thus there is no race condition
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     *   here with mutiple threads trying to alter the cwrd
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     *   structure (such as releasing it).
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     *
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     *   The audit context in the cred is "duplicated" for the new
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     *   proc by elsewhere crhold'ing the parent's cred which it shares.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     *
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     *   We still want to hold things since auditon() [A_SETUMASK,
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     *   A_SETSMASK] could be walking through the processes to
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     *   update things.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    mutex_enter(&opad->pad_lock);   /* lock opad structure during copy */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    pad->pad_data = opad->pad_data; /* copy parent's process audit data */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    au_pathhold(pad->pad_root);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    au_pathhold(pad->pad_cwd);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    mutex_exit(&opad->pad_lock);    /* current proc will keep cwrd open */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * If we are in the limited mode, there is nothing to audit and
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * there could not have been anything to audit, since it is not
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * possible to switch from the full mode into the limited mode
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * once the full mode is set.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (audit_active != C2AUDIT_LOADED)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        return;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * finish auditing of parent here so that it will be done
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * before child has a chance to run. We include the child
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * pid since the return value in the return token is a dummy
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * one and contains no useful information (it is included to
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * make the audit record structure consistant).
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     *
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * tad_flag is set if auditing is on
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (((t_audit_data_t *)T2A(curthread))->tad_flag)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        au_uwrite(au_to_arg32(0, "child PID", (uint32_t)cp->p_pid));
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * finish up audit record generation here because child process
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * is set to run before parent process. We distinguish here
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * between FORK, FORK1, or VFORK by the saved system call ID.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    audit_finish(0, ((t_audit_data_t *)T2A(curthread))->tad_scid, 0, 0);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil}
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil/*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * ROUTINE: AUDIT_PFREE
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * PURPOSE: deallocate the per-process udit data structure
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * CALLBY:  EXIT
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *      FORK_FAIL
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * NOTE:    all lwp except current one have stopped in SEXITLWPS
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *      why we are single threaded?
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *      . all lwp except current one have stopped in SEXITLWPS.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilvoid
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilaudit_pfree(struct proc *p)     /* proc structure to be freed */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil{   /* AUDIT_PFREE */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    p_audit_data_t *pad;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    pad = P2A(p);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* better be a per process audit data structure */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    ASSERT(pad != (p_audit_data_t *)0);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (pad == pad0) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        return;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* deallocate all auditing resources for this process */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    au_pathrele(pad->pad_root);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    au_pathrele(pad->pad_cwd);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * Since the pad structure is completely overwritten after alloc,
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     * we don't bother to clear it.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil     */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    kmem_cache_free(au_pad_cache, pad);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil}
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil/*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * ROUTINE: AUDIT_THREAD_CREATE
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * PURPOSE: allocate per-process thread audit data structure
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * CALLBY:  THREAD_CREATE
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * NOTE:    This is called just after *t was bzero'd.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *      We are single threaded in this routine.
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * TODO:
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * QUESTION:
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilvoid
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilaudit_thread_create(kthread_id_t t)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil{
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    t_audit_data_t *tad;    /* per-thread audit data */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    tad = kmem_zalloc(sizeof (struct t_audit_data), KM_SLEEP);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    T2A(t) = tad;       /* set up thread audit data ptr */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    tad->tad_thread = t;    /* back ptr to thread: DEBUG */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil}
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil/*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * ROUTINE: AUDIT_THREAD_FREE
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * PURPOSE: free the per-thread audit data structure
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * CALLBY:  THREAD_FREE
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * NOTE:    most thread data is clear after return
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilvoid
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilaudit_thread_free(kthread_t *t)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil{
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    t_audit_data_t *tad;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    au_defer_info_t *attr;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    tad = T2A(t);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* thread audit data must still be set */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (tad == tad0) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        return;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (tad == NULL) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        return;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    t->t_audit_data = 0;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* must not have any audit record residual */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    ASSERT(tad->tad_ad == NULL);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* saved path must be empty */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    ASSERT(tad->tad_aupath == NULL);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (tad->tad_atpath)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        au_pathrele(tad->tad_atpath);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (audit_active == C2AUDIT_LOADED) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        attr = tad->tad_defer_head;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        while (attr != NULL) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            au_defer_info_t *tmp_attr = attr;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            au_free_rec(attr->audi_ad);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            attr = attr->audi_next;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil            kmem_free(tmp_attr, sizeof (au_defer_info_t));
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    kmem_free(tad, sizeof (*tad));
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil}
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil/*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * ROUTINE: AUDIT_FALLOC
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * PURPOSE: allocating a new file structure
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * CALLBY:  FALLOC
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * NOTE:    file structure already initialized
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * TODO:
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * QUESTION:
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilvoid
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilaudit_falloc(struct file *fp)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil{   /* AUDIT_FALLOC */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    f_audit_data_t *fad;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    /* allocate per file audit structure if there a'int any */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    ASSERT(F2A(fp) == NULL);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    fad = kmem_zalloc(sizeof (struct f_audit_data), KM_SLEEP);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    F2A(fp) = fad;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    fad->fad_thread = curthread;    /* file audit data back ptr; DEBUG */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil}
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil/*
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * ROUTINE: AUDIT_UNFALLOC
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * PURPOSE: deallocate file audit data structure
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * CALLBY:  CLOSEF
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil *      UNFALLOC
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * NOTE:
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * TODO:
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil * QUESTION:
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil */
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilvoid
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilaudit_unfalloc(struct file *fp)
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil{
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    f_audit_data_t *fad;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    fad = F2A(fp);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (!fad) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        return;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    if (fad->fad_aupath != NULL) {
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        au_pathrele(fad->fad_aupath);
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    }
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    fp->f_audit_data = 0;
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    kmem_free(fad, sizeof (struct f_audit_data));
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil}
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisiluint32_t
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisilaudit_getstate()
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil{
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil    return (audit_active == C2AUDIT_LOADED &&
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil        ((AU_AUDIT_MASK) & U2A(u)->tad_audit));
005d3feb53a9a10272d4a24b03991575d6a9bcb3Marek Pospisil}