xref: /illumos-gate/usr/src/lib/libbsm/common/adt.c (revision dd72704bd9e794056c558153663c739e2012d721)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2017 OmniOS Community Edition (OmniOSce) Association.
25  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
26  */
27 
28 #include <bsm/adt.h>
29 #include <bsm/adt_event.h>
30 #include <assert.h>
31 #include <bsm/audit.h>
32 #include <bsm/audit_record.h>
33 #include <bsm/libbsm.h>
34 #include <door.h>
35 #include <errno.h>
36 #include <generic.h>
37 #include <md5.h>
38 #include <sys/mkdev.h>
39 #include <netdb.h>
40 #include <nss_dbdefs.h>
41 #include <pwd.h>
42 #include <sys/stat.h>
43 #include <time.h>
44 #include <stdlib.h>
45 #include <string.h>
46 #include <synch.h>
47 #include <sys/systeminfo.h>
48 #include <syslog.h>
49 #include <thread.h>
50 #include <unistd.h>
51 #include <adt_xlate.h>
52 #include <adt_ucred.h>
53 #include <arpa/inet.h>
54 #include <net/if.h>
55 #include <libinetutil.h>
56 
57 static int adt_selected(struct adt_event_state *, au_event_t, int);
58 static int adt_init(adt_internal_state_t *, int);
59 static int adt_import(adt_internal_state_t *, const adt_export_data_t *);
60 static m_label_t *adt_ucred_label(ucred_t *);
61 static void adt_setto_unaudited(adt_internal_state_t *);
62 static int adt_get_local_address(int, struct ifaddrlist *);
63 
64 #ifdef C2_DEBUG
65 #define	DPRINTF(x) { (void) printf x; }
66 #define	DFLUSH (void) fflush(stdout);
67 #else
68 #define	DPRINTF(x)
69 #define	DFLUSH
70 #endif
71 
72 /*
73  * Local audit states are a bit mask
74  *
75  * The global audit states are
76  *
77  * AUC_UNSET             0      - on/off hasn't been decided
78  * AUC_ENABLED           1      - loaded and enabled
79  *
80  * The local Zone states are
81  *
82  * AUC_AUDITING         0x1     - audit daemon is active
83  * AUC_NOAUDIT          0x2     - audit daemon is not active
84  * AUC_INIT_AUDIT       0x4     - audit is ready but auditd has not run
85  * AUC_NOSPACE          0x8     - audit enabled, no space for audit records
86  *
87  * The only values returned by auditon(A_GETCOND) are:
88  * AUC_INIT_AUDIT, AUC_AUDITING, AUC_NOAUDIT, AUC_NOSPACE
89  *
90  * The pseudo audit state used when the c2audit module is excluded is
91  *
92  * AUC_DISABLED		0x100	- c2audit module is excluded
93  */
94 
95 static int auditstate = AUC_DISABLED;	/* default state */
96 
97 /*
98  * adt_write_syslog
99  *
100  * errors that are not the user's fault (bugs or whatever in
101  * the underlying audit code are noted in syslog.)
102  *
103  * Avoid calling adt_write_syslog for things that can happen
104  * at high volume.
105  *
106  * syslog's open (openlog) and close (closelog) are interesting;
107  * openlog *may* create a file descriptor and is optional.  closelog
108  * *will* close any open file descriptors and is also optional.
109  *
110  * Since syslog may also be used by the calling application, the
111  * choice is to avoid openlog, which sets some otherwise useful
112  * parameters, and to embed "Solaris_audit" in the log message.
113  */
114 
115 void
116 adt_write_syslog(const char *message, int err)
117 {
118 	int	save_errno = errno;
119 	int	mask_priority;
120 
121 	DPRINTF(("syslog called: %s\n", message));
122 
123 	mask_priority = setlogmask(LOG_MASK(LOG_ALERT));
124 	errno = err;
125 	syslog(LOG_ALERT, "Solaris_audit %s: %m", message);
126 	(void) setlogmask(mask_priority);
127 	errno = save_errno;
128 }
129 
130 /*
131  * return true if c2audit is not excluded.
132  *
133  *	For purpose of this API, anything but AUC_DISABLED
134  *	is enabled; however one never actually sees
135  *	AUC_DISABLED since auditon returns ENOTSUP in that case.  Any
136  *	auditon error is considered the same as ENOTSUP for our
137  *	purpose.  auditstate is not changed by auditon if an error
138  *	is returned.
139  */
140 
141 /*
142  * XXX	this should probably be eliminated and adt_audit_state() replace it.
143  *	All the legitimate uses	are to not fork a waiting process for
144  *	process exit processing, as in su, login, dtlogin.  Other bogus
145  *	users are zoneadmd and init.
146  *	All but dtlogin are in ON, so we can do this without cross gate
147  *	synchronization.
148  *
149  *	No longer used in adt.c.
150  */
151 
152 boolean_t
153 adt_audit_enabled(void)
154 {
155 
156 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
157 
158 	return (auditstate != AUC_DISABLED);
159 }
160 
161 /*
162  *	See adt_audit_enabled() for state discussions.
163  *	The state parameter is a hedge until all the uses become clear.
164  *	Likely if adt_audit_enabled is brought internal to this file,
165  *	it could be modified to take one or more parameters to describe the
166  *	state.
167  */
168 
169 boolean_t
170 adt_audit_state(int states)
171 {
172 
173 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
174 
175 	return ((auditstate & states) ? B_TRUE : B_FALSE);
176 }
177 
178 /*
179  * Get user_specific/non-attributable audit mask. This may be called even when
180  * auditing is off.
181  */
182 
183 static int
184 adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
185 {
186 	struct passwd	pwd;
187 	long		buff_sz;
188 	char		*pwd_buff;
189 
190 
191 	if (auditstate & AUC_DISABLED) {
192 		/* c2audit excluded */
193 		mask->am_success = 0;
194 		mask->am_failure = 0;
195 		return (0);
196 	}
197 
198 	/*
199 	 * This function applies the 'attributable' mask, modified by
200 	 * any per-user flags, to any user whose UID can be mapped to
201 	 * a name via name services.
202 	 * Others, such as users with Ephemeral UIDs, or NFS clients
203 	 * using AUTH_SYS, get the 'non-attributable mask'.
204 	 * This is true even if some _other_ system or service could
205 	 * map the ID to a name, or if it could be inferred from
206 	 * other records.
207 	 * Note that it is possible for records to contain _only_
208 	 * an ephemeral ID, which can't be mapped back to a name
209 	 * once it becomes invalid (e.g. server reboot).
210 	 */
211 	if (uid <= MAXUID) {
212 		if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) {
213 			adt_write_syslog("couldn't determine maximum size of "
214 			    "password buffer", errno);
215 			return (-1);
216 		}
217 		if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) {
218 			return (-1);
219 		}
220 		/*
221 		 * Ephemeral id's and id's that exist in a name service we
222 		 * don't have configured (LDAP, NIS) can't be looked up,
223 		 * but either way it's not an error.
224 		 */
225 		if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) != NULL) {
226 			if (au_user_mask(pwd.pw_name, mask)) {
227 				free(pwd_buff);
228 				errno = EFAULT; /* undetermined failure */
229 				return (-1);
230 			}
231 			free(pwd_buff);
232 			return (0);
233 		}
234 		free(pwd_buff);
235 	}
236 
237 	if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) {
238 			return (-1);
239 	}
240 
241 	return (0);
242 }
243 
244 /*
245  * adt_get_unique_id -- generate a hopefully unique 32 bit value
246  *
247  * there will be a follow up to replace this with the use of /dev/random
248  *
249  * An MD5 hash is taken on a buffer of
250  *     hostname . audit id . unix time . pid . count
251  *
252  * "count = noise++;" is subject to a race condition but I don't
253  * see a need to put a lock around it.
254  */
255 
256 au_asid_t
257 adt_get_unique_id(au_id_t uid)
258 {
259 	char		hostname[MAXHOSTNAMELEN];
260 	union {
261 		au_id_t		v[4];
262 		unsigned char	obuff[128/8];
263 	} output;
264 	MD5_CTX	context;
265 
266 	static int	noise = 0;
267 
268 	int		count = noise++;
269 	time_t		timebits = time(NULL);
270 	pid_t		pidbits = getpid();
271 	au_asid_t	retval = 0;
272 
273 	if (gethostname(hostname, MAXHOSTNAMELEN)) {
274 		adt_write_syslog("gethostname call failed", errno);
275 		(void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN);
276 	}
277 
278 	while (retval == 0) {  /* 0 is the only invalid result */
279 		MD5Init(&context);
280 
281 		MD5Update(&context, (unsigned char *)hostname,
282 		    (unsigned int) strlen((const char *)hostname));
283 
284 		MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t));
285 
286 		MD5Update(&context,
287 		    (unsigned char *) &timebits, sizeof (time_t));
288 
289 		MD5Update(&context, (unsigned char *) &pidbits,
290 		    sizeof (pid_t));
291 
292 		MD5Update(&context, (unsigned char *) &(count), sizeof (int));
293 		MD5Final(output.obuff, &context);
294 
295 		retval = output.v[count % 4];
296 	}
297 	return (retval);
298 }
299 
300 /*
301  * the following "port" function deals with the following issues:
302  *
303  * 1    the kernel and ucred deal with a dev_t as a 64 bit value made
304  *      up from a 32 bit major and 32 bit minor.
305  * 2    User space deals with a dev_t as either the above 64 bit value
306  *      or a 32 bit value made from a 14 bit major and an 18 bit minor.
307  * 3    The various audit interfaces (except ucred) pass the 32 or
308  *      64 bit version depending the architecture of the userspace
309  *      application.  If you get a port value from ucred and pass it
310  *      to the kernel via auditon(), it must be squeezed into a 32
311  *      bit value because the kernel knows the userspace app's bit
312  *      size.
313  *
314  * The internal state structure for adt (adt_internal_state_t) uses
315  * dev_t, so adt converts data from ucred to fit.  The import/export
316  * functions, however, can't know if they are importing/exporting
317  * from 64 or 32 bit applications, so they always send 64 bits and
318  * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as
319  * appropriate.
320  */
321 
322 /*
323  * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are
324  * both 64 bits).  If lib is 32 bits, squeeze the two-int port into
325  * a 32 bit dev_t.  A port fits in the "minor" part of au_port_t,
326  * so it isn't broken up into pieces.  (When it goes to the kernel
327  * and back, however, it will have been split into major/minor
328  * pieces.)
329  */
330 
331 static void
332 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src)
333 {
334 #ifdef _LP64
335 	(void) memcpy(dest, src, sizeof (au_tid_addr_t));
336 #else	/* _LP64 */
337 	dest->at_type = src->at_type;
338 
339 	dest->at_port  = src->at_port.at_minor & MAXMIN32;
340 	dest->at_port |= (src->at_port.at_major & MAXMAJ32) <<
341 	    NBITSMINOR32;
342 
343 	(void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t));
344 #endif	/* _LP64 */
345 }
346 
347 /*
348  * adt_start_session -- create interface handle, create context
349  *
350  * The imported_state input is normally NULL, if not, it represents
351  * a continued session; its values obviate the need for a subsequent
352  * call to adt_set_user().
353  *
354  * The flag is used to decide how to set the initial state of the session.
355  * If 0, the session is "no audit" until a call to adt_set_user; if
356  * ADT_USE_PROC_DATA, the session is built from the process audit
357  * characteristics obtained from the kernel.  If imported_state is
358  * not NULL, the resulting audit mask is an OR of the current process
359  * audit mask and that passed in.
360  *
361  * The basic model is that the caller can use the pointer returned
362  * by adt_start_session whether or not auditing is enabled or an
363  * error was returned.  The functions that take the session handle
364  * as input generally return without doing anything if auditing is
365  * disabled.
366  */
367 
368 int
369 adt_start_session(adt_session_data_t **new_session,
370     const adt_export_data_t *imported_state, adt_session_flags_t flags)
371 {
372 	adt_internal_state_t	*state;
373 	adt_session_flags_t	flgmask = ADT_FLAGS_ALL;
374 
375 	/* test and set auditstate */
376 	if (adt_audit_state(AUC_DISABLED)) {
377 		/* c2audit excluded */
378 		*new_session = NULL;
379 		return (0);
380 	}
381 
382 	if ((flags & ~flgmask) != 0) {
383 		errno = EINVAL;
384 		goto return_err;
385 	}
386 
387 	if ((state = calloc(1, sizeof (adt_internal_state_t))) == NULL) {
388 		goto return_err;
389 	}
390 
391 	if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0) {
392 		goto return_err_free;    /* errno from adt_init() */
393 	}
394 
395 	/*
396 	 * The imported state overwrites the initial state if the
397 	 * imported state represents a valid audit trail
398 	 */
399 
400 	if (imported_state != NULL) {
401 		if (adt_import(state, imported_state) != 0) {
402 			goto return_err_free;
403 		}
404 	} else if (flags & ADT_USE_PROC_DATA) {
405 		state->as_session_model = ADT_PROCESS_MODEL;
406 	}
407 	state->as_flags = flags;
408 	DPRINTF(("(%lld) Starting session id = %08X\n",
409 	    (long long) getpid(), state->as_info.ai_asid));
410 
411 	*new_session = (adt_session_data_t *)state;
412 	return (0);
413 
414 return_err_free:
415 	free(state);
416 return_err:
417 	*new_session = NULL;
418 	adt_write_syslog("audit session create failed", errno);
419 	return (-1);
420 }
421 
422 /*
423  * adt_load_table()
424  *
425  * loads the event translation table into the audit session.
426  */
427 
428 void
429 adt_load_table(const adt_session_data_t *session_data,
430     adt_translation_t **xlate, void (*preload)(au_event_t, adt_event_data_t *))
431 {
432 	adt_internal_state_t	*state = (adt_internal_state_t *)session_data;
433 
434 	if (state != NULL) {
435 		assert(state->as_check == ADT_VALID);
436 		state->as_xlate = xlate;
437 		state->as_preload = preload;
438 	}
439 }
440 
441 /*
442  * adt_get_asid() and adt_set_asid()
443  *
444  * if you use this interface, you are responsible to insure that the
445  * rest of the session data is populated correctly before calling
446  * adt_proccess_attr()
447  *
448  * neither of these are intended for general use and will likely
449  * remain private interfaces for a long time.  Forever is a long
450  * time.  In the case of adt_set_asid(), you should have a very,
451  * very good reason for setting your own session id.  The process
452  * audit characteristics are not changed by put, use adt_set_proc().
453  *
454  * These are "volatile" (more changable than "evolving") and will
455  * probably change in the S10 period.
456  */
457 
458 void
459 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid)
460 {
461 
462 	if (session_data == NULL) {
463 		*asid = 0;
464 	} else {
465 		assert(((adt_internal_state_t *)session_data)->as_check ==
466 		    ADT_VALID);
467 
468 		*asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid;
469 	}
470 }
471 
472 void
473 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id)
474 {
475 
476 	if (session_data != NULL) {
477 		assert(((adt_internal_state_t *)session_data)->as_check ==
478 		    ADT_VALID);
479 
480 		((adt_internal_state_t *)session_data)->as_have_user_data |=
481 		    ADT_HAVE_ASID;
482 		((adt_internal_state_t *)session_data)->as_info.ai_asid =
483 		    session_id;
484 	}
485 }
486 
487 /*
488  * adt_get_auid() and adt_set_auid()
489  *
490  * neither of these are intended for general use and will likely
491  * remain private interfaces for a long time.  Forever is a long
492  * time.  In the case of adt_set_auid(), you should have a very,
493  * very good reason for setting your own audit id.  The process
494  * audit characteristics are not changed by put, use adt_set_proc().
495  */
496 
497 void
498 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid)
499 {
500 
501 	if (session_data == NULL) {
502 		*auid = AU_NOAUDITID;
503 	} else {
504 		assert(((adt_internal_state_t *)session_data)->as_check ==
505 		    ADT_VALID);
506 
507 		*auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid;
508 	}
509 }
510 
511 void
512 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id)
513 {
514 
515 	if (session_data != NULL) {
516 		assert(((adt_internal_state_t *)session_data)->as_check ==
517 		    ADT_VALID);
518 
519 		((adt_internal_state_t *)session_data)->as_have_user_data |=
520 		    ADT_HAVE_AUID;
521 		((adt_internal_state_t *)session_data)->as_info.ai_auid =
522 		    audit_id;
523 	}
524 }
525 
526 /*
527  * adt_get_termid(), adt_set_termid()
528  *
529  * if you use this interface, you are responsible to insure that the
530  * rest of the session data is populated correctly before calling
531  * adt_proccess_attr()
532  *
533  * The process  audit characteristics are not changed by put, use
534  * adt_set_proc().
535  */
536 
537 void
538 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid)
539 {
540 
541 	if (session_data == NULL) {
542 		(void) memset(termid, 0, sizeof (au_tid_addr_t));
543 		termid->at_type = AU_IPv4;
544 	} else {
545 		assert(((adt_internal_state_t *)session_data)->as_check ==
546 		    ADT_VALID);
547 
548 		*termid =
549 		    ((adt_internal_state_t *)session_data)->as_info.ai_termid;
550 	}
551 }
552 
553 void
554 adt_set_termid(const adt_session_data_t *session_data,
555     const au_tid_addr_t *termid)
556 {
557 
558 	if (session_data != NULL) {
559 		assert(((adt_internal_state_t *)session_data)->as_check ==
560 		    ADT_VALID);
561 
562 		((adt_internal_state_t *)session_data)->as_info.ai_termid =
563 		    *termid;
564 
565 		((adt_internal_state_t *)session_data)->as_have_user_data |=
566 		    ADT_HAVE_TID;
567 	}
568 }
569 
570 /*
571  * adt_get_mask(), adt_set_mask()
572  *
573  * if you use this interface, you are responsible to insure that the
574  * rest of the session data is populated correctly before calling
575  * adt_proccess_attr()
576  *
577  * The process  audit characteristics are not changed by put, use
578  * adt_set_proc().
579  */
580 
581 void
582 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask)
583 {
584 
585 	if (session_data == NULL) {
586 		mask->am_success = 0;
587 		mask->am_failure = 0;
588 	} else {
589 		assert(((adt_internal_state_t *)session_data)->as_check ==
590 		    ADT_VALID);
591 
592 		*mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask;
593 	}
594 }
595 
596 void
597 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask)
598 {
599 
600 	if (session_data != NULL) {
601 		assert(((adt_internal_state_t *)session_data)->as_check ==
602 		    ADT_VALID);
603 
604 		((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask;
605 
606 		((adt_internal_state_t *)session_data)->as_have_user_data |=
607 		    ADT_HAVE_MASK;
608 	}
609 }
610 
611 /*
612  * helpers for adt_load_termid
613  */
614 
615 static dev_t
616 adt_ports_to_at_port(in_port_t remote, in_port_t local)
617 {
618 	dev_t port;
619 
620 #ifdef _LP64
621 	dev_t tmp;
622 
623 	/*
624 	 * In 64-bit, at_port is a 64-bit value encoding major/minor
625 	 * device numbers as 32-bits each. However when a 32-bit application
626 	 * subsequently requests the audit address via getaudit_addr(), this
627 	 * value must be capable of being compressed down to a 14-bit major and
628 	 * 18-bit minor number or the call will fail.
629 	 *
630 	 * In order to construct a 32-bit compatible value, the top 14-bits of
631 	 * the remote port are used for the major number and the remaining
632 	 * 2-bits + local port are used for the minor.
633 	 */
634 
635 	tmp = ((remote<<16) | (local));
636 	port = (tmp & MAXMIN32);
637 	port |= (((tmp >> NBITSMINOR32) & MAXMAJ32) << NBITSMINOR64);
638 #else
639 	port = ((remote<<16) | (local));
640 #endif
641 
642 	return (port);
643 }
644 
645 static void
646 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock,
647     au_tid_addr_t *termid)
648 {
649 	termid->at_port =
650 	    adt_ports_to_at_port(peer->sin6_port, sock->sin6_port);
651 	termid->at_type = AU_IPv6;
652 	(void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t));
653 }
654 
655 static void
656 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock,
657     au_tid_addr_t *termid)
658 {
659 	termid->at_port = adt_ports_to_at_port(peer->sin_port, sock->sin_port);
660 	termid->at_type = AU_IPv4;
661 	termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr;
662 	(void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t));
663 }
664 
665 /*
666  * adt_load_termid:  convenience function; inputs file handle and
667  * outputs an au_tid_addr struct.
668  *
669  * This code was stolen from audit_settid.c; it differs from audit_settid()
670  * in that it does not write the terminal id to the process.
671  */
672 
673 int
674 adt_load_termid(int fd, adt_termid_t **termid)
675 {
676 	au_tid_addr_t		*p_term;
677 	struct sockaddr_in6	peer;
678 	struct sockaddr_in6	sock;
679 	int			peerlen = sizeof (peer);
680 	int			socklen = sizeof (sock);
681 
682 	/* get peer name if its a socket, else assume local terminal */
683 
684 	if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen)
685 	    < 0) {
686 		if (errno == ENOTSOCK) {
687 			return (adt_load_hostname(NULL, termid));
688 		}
689 		goto return_err;
690 	}
691 
692 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
693 		goto return_err;
694 	}
695 
696 	/* get sock name */
697 	if (getsockname(fd, (struct sockaddr *)&sock,
698 	    (socklen_t *)&socklen) < 0) {
699 		goto return_err_free;
700 	}
701 
702 	if (peer.sin6_family == AF_INET6) {
703 		adt_do_ipv6_address(&peer, &sock, p_term);
704 	} else {
705 		adt_do_ipv4_address((struct sockaddr_in *)&peer,
706 		    (struct sockaddr_in *)&sock, p_term);
707 	}
708 	*termid = (adt_termid_t *)p_term;
709 
710 	return (0);
711 
712 return_err_free:
713 	free(p_term);
714 return_err:
715 	*termid = NULL;
716 	return (-1);
717 }
718 
719 static boolean_t
720 adt_have_termid(au_tid_addr_t *dest)
721 {
722 	struct auditinfo_addr	audit_data;
723 
724 	if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) {
725 		adt_write_syslog("getaudit failed", errno);
726 		return (B_FALSE);
727 	}
728 
729 	if ((audit_data.ai_termid.at_type == 0) ||
730 	    (audit_data.ai_termid.at_addr[0] |
731 	    audit_data.ai_termid.at_addr[1]  |
732 	    audit_data.ai_termid.at_addr[2]  |
733 	    audit_data.ai_termid.at_addr[3]) == 0)
734 		return (B_FALSE);
735 
736 	(void) memcpy(dest, &(audit_data.ai_termid),
737 	    sizeof (au_tid_addr_t));
738 
739 	return (B_TRUE);
740 }
741 
742 /*
743  * adt_get_hostIP - construct a terminal id from a hostname
744  *
745  *	Returns	 0 = success
746  *		-1 = failure and errno = ENETDOWN with the address
747  *		     defaulted to IPv4 loopback.
748  */
749 
750 static int
751 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term)
752 {
753 	struct addrinfo	*ai = NULL;
754 	int	tries = 3;
755 	char	msg[512];
756 	int	eai_err;
757 
758 	while ((tries-- > 0) &&
759 	    ((eai_err = getaddrinfo(hostname, NULL, NULL, &ai)) != 0)) {
760 		/*
761 		 * getaddrinfo returns its own set of errors.
762 		 * Log them here, so any subsequent syslogs will
763 		 * have a context.  adt_get_hostIP callers can only
764 		 * return errno, so subsequent syslogs may be lacking
765 		 * that getaddrinfo failed.
766 		 */
767 		(void) snprintf(msg, sizeof (msg), "getaddrinfo(%s) "
768 		    "failed[%s]", hostname, gai_strerror(eai_err));
769 		adt_write_syslog(msg, 0);
770 
771 		if (eai_err != EAI_AGAIN) {
772 
773 			break;
774 		}
775 		/* see if resolution becomes available */
776 		(void) sleep(1);
777 	}
778 	if (ai != NULL) {
779 		if (ai->ai_family == AF_INET) {
780 			p_term->at_type = AU_IPv4;
781 			(void) memcpy(p_term->at_addr,
782 			    /* LINTED */
783 			    &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
784 			    AU_IPv4);
785 		} else {
786 			p_term->at_type = AU_IPv6;
787 			(void) memcpy(p_term->at_addr,
788 			    /* LINTED */
789 			    &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
790 			    AU_IPv6);
791 		}
792 		freeaddrinfo(ai);
793 		return (0);
794 	} else if (auditstate & (AUC_AUDITING | AUC_NOSPACE)) {
795 		auditinfo_addr_t  audit_info;
796 
797 		/*
798 		 * auditd is running so there should be a
799 		 * kernel audit context
800 		 */
801 		if (auditon(A_GETKAUDIT, (caddr_t)&audit_info,
802 		    sizeof (audit_info)) < 0) {
803 			adt_write_syslog("unable to get kernel audit context",
804 			    errno);
805 			goto try_interface;
806 		}
807 		adt_write_syslog("setting Audit IP address to kernel", 0);
808 		*p_term = audit_info.ai_termid;
809 		return (0);
810 	}
811 try_interface:
812 	{
813 		struct ifaddrlist al;
814 		int	family;
815 		char	ntop[INET6_ADDRSTRLEN];
816 
817 		/*
818 		 * getaddrinfo has failed to map the hostname
819 		 * to an IP address, try to get an IP address
820 		 * from a local interface.  If none up, default
821 		 * to loopback.
822 		 */
823 		family = AF_INET6;
824 		if (adt_get_local_address(family, &al) != 0) {
825 			family = AF_INET;
826 
827 			if (adt_get_local_address(family, &al) != 0) {
828 				adt_write_syslog("adt_get_local_address "
829 				    "failed, no Audit IP address available, "
830 				    "faking loopback and error",
831 				    errno);
832 				IN_SET_LOOPBACK_ADDR(
833 				    (struct sockaddr_in *)&(al.addr.addr));
834 				(void) memcpy(p_term->at_addr, &al.addr.addr,
835 				    AU_IPv4);
836 				p_term->at_type = AU_IPv4;
837 				return (-1);
838 			}
839 		}
840 		if (family == AF_INET) {
841 			p_term->at_type = AU_IPv4;
842 			(void) memcpy(p_term->at_addr, &al.addr.addr, AU_IPv4);
843 		} else {
844 			p_term->at_type = AU_IPv6;
845 			(void) memcpy(p_term->at_addr, &al.addr.addr6, AU_IPv6);
846 		}
847 
848 		(void) snprintf(msg, sizeof (msg), "mapping %s to %s",
849 		    hostname, inet_ntop(family, &(al.addr), ntop,
850 		    sizeof (ntop)));
851 		adt_write_syslog(msg, 0);
852 		return (0);
853 	}
854 }
855 
856 /*
857  * adt_load_hostname() is called when the caller does not have a file
858  * handle that gives access to the socket info or any other way to
859  * pass in both port and ip address.  The hostname input is ignored if
860  * the terminal id has already been set; instead it returns the
861  * existing terminal id.
862  *
863  * If c2audit is excluded, success is returned.
864  * If the hostname lookup fails, the loopback address is assumed,
865  * errno is set to ENETDOWN, this allows the caller to interpret
866  * whether failure is fatal, and if not to have a address for the
867  * hostname.
868  * Otherwise the caller would need to be aware of the audit state.
869  *
870  * Other errors are ignored if not auditing.
871  */
872 
873 int
874 adt_load_hostname(const char *hostname, adt_termid_t **termid)
875 {
876 	char		localhost[MAXHOSTNAMELEN + 1];
877 	au_tid_addr_t	*p_term;
878 
879 	if (adt_audit_state(AUC_DISABLED)) {
880 		/* c2audit excluded */
881 		*termid = NULL;
882 		return (0);
883 	}
884 
885 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
886 		goto return_err;
887 	}
888 
889 	if (adt_have_termid(p_term)) {
890 		*termid = (adt_termid_t *)p_term;
891 		return (0);
892 	}
893 	p_term->at_port = 0;
894 
895 	if (hostname == NULL || *hostname == '\0') {
896 		(void) sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN);
897 		hostname = localhost;
898 	}
899 	if (adt_get_hostIP(hostname, p_term) == 0) {
900 		*termid = (adt_termid_t *)p_term;
901 		return (0);
902 	} else {
903 		*termid = (adt_termid_t *)p_term;
904 		return (-1);
905 	}
906 
907 return_err:
908 	*termid = NULL;
909 	if (auditstate & AUC_NOAUDIT) {
910 		return (0);
911 	}
912 
913 	return (-1);
914 }
915 
916 /*
917  * adt_load_ttyname() is called when the caller does not have a file
918  * handle that gives access to the local terminal or any other way
919  * of determining the device id.  The ttyname input is ignored if
920  * the terminal id has already been set; instead it returns the
921  * existing terminal id.
922  *
923  * If c2audit is excluded, success is returned.
924  * The local hostname is used for the local IP address.
925  * If that hostname lookup fails, the loopback address is assumed,
926  * errno is set to ENETDOWN, this allows the caller to interpret
927  * whether failure is fatal, and if not to have a address for the
928  * hostname.
929  * Otherwise the caller would need to be aware of the audit state.
930  *
931  * Other errors are ignored if not auditing.
932  */
933 
934 int
935 adt_load_ttyname(const char *ttyname, adt_termid_t **termid)
936 {
937 	char		localhost[MAXHOSTNAMELEN + 1];
938 	au_tid_addr_t	*p_term;
939 	struct stat	stat_buf;
940 
941 	if (adt_audit_state(AUC_DISABLED)) {
942 		/* c2audit excluded */
943 		*termid = NULL;
944 		return (0);
945 	}
946 
947 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
948 		goto return_err;
949 	}
950 
951 	if (adt_have_termid(p_term)) {
952 		*termid = (adt_termid_t *)p_term;
953 		return (0);
954 	}
955 
956 	p_term->at_port = 0;
957 
958 	if (sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN) < 0) {
959 		goto return_err_free; /* errno from sysinfo */
960 	}
961 
962 	if (ttyname != NULL && *ttyname != '\0') {
963 		if (stat(ttyname, &stat_buf) < 0) {
964 			goto return_err_free;
965 		}
966 
967 		p_term->at_port = stat_buf.st_rdev;
968 	}
969 
970 	if (adt_get_hostIP(localhost, p_term) == 0) {
971 		*termid = (adt_termid_t *)p_term;
972 		return (0);
973 	} else {
974 		*termid = (adt_termid_t *)p_term;
975 		return (-1);
976 	}
977 
978 return_err_free:
979 	free(p_term);
980 
981 return_err:
982 	*termid = NULL;
983 	if (auditstate & AUC_NOAUDIT) {
984 		return (0);
985 	}
986 
987 	return (-1);
988 }
989 
990 /*
991  * adt_get_session_id returns a stringified representation of
992  * the audit session id.  See also adt_get_asid() for how to
993  * get the unexpurgated version.  No guarantees as to how long
994  * the returned string will be or its general form; hex for now.
995  *
996  * An empty string is returned if auditing is off; length = 1
997  * and the pointer is valid.
998  *
999  * returns strlen + 1 if buffer is valid; else 0 and errno.
1000  */
1001 
1002 size_t
1003 adt_get_session_id(const adt_session_data_t *session_data, char **buff)
1004 {
1005 	au_asid_t	session_id;
1006 	size_t		length;
1007 	/*
1008 	 * output is 0x followed by
1009 	 * two characters per byte
1010 	 * plus terminator,
1011 	 * except leading 0's are suppressed, so a few bytes may
1012 	 * be unused.
1013 	 */
1014 	length = 2 + (2 * sizeof (session_id)) + 1;
1015 	*buff = malloc(length);
1016 
1017 	if (*buff == NULL) {
1018 		return (0);
1019 	}
1020 	if (session_data == NULL) { /* NULL is not an error */
1021 		**buff = '\0';
1022 		return (1);
1023 	}
1024 	adt_get_asid(session_data, &session_id);
1025 
1026 	length = snprintf(*buff, length, "0x%X", (int)session_id);
1027 
1028 	/* length < 1 is a bug: the session data type may have changed */
1029 	assert(length > 0);
1030 
1031 	return (length);
1032 }
1033 
1034 /*
1035  * adt_end_session -- close handle, clear context
1036  *
1037  * if as_check is invalid, no harm, no foul, EXCEPT that this could
1038  * be an attempt to free data already free'd, so output to syslog
1039  * to help explain why the process cored dumped.
1040  */
1041 
1042 int
1043 adt_end_session(adt_session_data_t *session_data)
1044 {
1045 	adt_internal_state_t	*state;
1046 
1047 	if (session_data != NULL) {
1048 		state = (adt_internal_state_t *)session_data;
1049 		if (state->as_check != ADT_VALID) {
1050 			adt_write_syslog("freeing invalid data", EINVAL);
1051 		} else {
1052 			state->as_check = 0;
1053 			m_label_free(state->as_label);
1054 			free(session_data);
1055 		}
1056 	}
1057 	/* no errors yet defined */
1058 	return (0);
1059 }
1060 
1061 /*
1062  * adt_dup_session -- copy the session data
1063  */
1064 
1065 int
1066 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest)
1067 {
1068 	adt_internal_state_t	*source_state;
1069 	adt_internal_state_t	*dest_state = NULL;
1070 	int			rc = 0;
1071 
1072 	if (source != NULL) {
1073 		source_state = (adt_internal_state_t *)source;
1074 		assert(source_state->as_check == ADT_VALID);
1075 
1076 		dest_state = malloc(sizeof (adt_internal_state_t));
1077 		if (dest_state == NULL) {
1078 			rc = -1;
1079 			goto return_rc;
1080 		}
1081 		(void) memcpy(dest_state, source,
1082 		    sizeof (struct adt_internal_state));
1083 
1084 		if (source_state->as_label != NULL) {
1085 			dest_state->as_label = NULL;
1086 			if ((rc = m_label_dup(&dest_state->as_label,
1087 			    source_state->as_label)) != 0) {
1088 				free(dest_state);
1089 				dest_state = NULL;
1090 			}
1091 		}
1092 	}
1093 return_rc:
1094 	*dest = (adt_session_data_t *)dest_state;
1095 	return (rc);
1096 }
1097 
1098 /*
1099  * from_export_format()
1100  * read from a network order buffer into struct adt_session_data
1101  */
1102 
1103 static size_t
1104 adt_from_export_format(adt_internal_state_t *internal,
1105     const adt_export_data_t *external)
1106 {
1107 	struct export_header	head;
1108 	struct export_link	link;
1109 	adr_t			context;
1110 	int32_t			offset;
1111 	int32_t			length;
1112 	int32_t			version;
1113 	size_t			label_len;
1114 	char			*p = (char *)external;
1115 
1116 	adrm_start(&context, (char *)external);
1117 	adrm_int32(&context, (int *)&head, 4);
1118 
1119 	if ((internal->as_check = head.ax_check) != ADT_VALID) {
1120 		errno = EINVAL;
1121 		return (0);
1122 	}
1123 	offset = head.ax_link.ax_offset;
1124 	version = head.ax_link.ax_version;
1125 	length = head.ax_buffer_length;
1126 
1127 	/*
1128 	 * Skip newer versions.
1129 	 */
1130 	while (version > PROTOCOL_VERSION_2) {
1131 		if (offset < 1) {
1132 			return (0);	/* failed to match version */
1133 		}
1134 		p += offset;		/* point to next version # */
1135 
1136 		if (p > (char *)external + length) {
1137 			return (0);
1138 		}
1139 		adrm_start(&context, p);
1140 		adrm_int32(&context, (int *)&link, 2);
1141 		offset = link.ax_offset;
1142 		version = link.ax_version;
1143 		assert(version != 0);
1144 	}
1145 	/*
1146 	 * Adjust buffer pointer to the first data item (euid).
1147 	 */
1148 	if (p == (char *)external) {
1149 		adrm_start(&context, (char *)(p + sizeof (head)));
1150 	} else {
1151 		adrm_start(&context, (char *)(p + sizeof (link)));
1152 	}
1153 	/*
1154 	 * if down rev version, neither pid nor label are included
1155 	 * in v1 ax_size_of_tsol_data intentionally ignored
1156 	 */
1157 	if (version == PROTOCOL_VERSION_1) {
1158 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1159 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1160 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1161 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1162 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1163 		adrm_int32(&context,
1164 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1165 		adrm_int32(&context,
1166 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1167 		adrm_int32(&context,
1168 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1169 		adrm_int32(&context,
1170 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1171 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1172 		adrm_int32(&context, (int *)&(internal->as_audit_state), 1);
1173 		internal->as_pid = (pid_t)-1;
1174 		internal->as_label = NULL;
1175 	} else if (version == PROTOCOL_VERSION_2) {
1176 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1177 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1178 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1179 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1180 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1181 		adrm_int32(&context,
1182 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1183 		adrm_int32(&context,
1184 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1185 		adrm_int32(&context,
1186 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1187 		adrm_int32(&context,
1188 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1189 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1190 		adrm_int32(&context, (int *)&(internal->as_audit_state), 1);
1191 		adrm_int32(&context, (int *)&(internal->as_pid), 1);
1192 		adrm_int32(&context, (int *)&label_len, 1);
1193 		if (label_len > 0) {
1194 			/* read in and deal with different sized labels. */
1195 			size32_t my_label_len = blabel_size();
1196 
1197 			if ((internal->as_label =
1198 			    m_label_alloc(MAC_LABEL)) == NULL) {
1199 				return (0);
1200 			}
1201 			if (label_len > my_label_len) {
1202 				errno = EINVAL;
1203 				m_label_free(internal->as_label);
1204 				return (0);
1205 			}
1206 			(void) memset(internal->as_label, 0, my_label_len);
1207 			adrm_int32(&context, (int *)(internal->as_label),
1208 			    label_len / sizeof (int32_t));
1209 		} else {
1210 			internal->as_label = NULL;
1211 		}
1212 	}
1213 
1214 	return (length);
1215 }
1216 
1217 /*
1218  * adt_to_export_format
1219  * read from struct adt_session_data into a network order buffer.
1220  *
1221  * (network order 'cause this data may be shared with a remote host.)
1222  */
1223 
1224 static size_t
1225 adt_to_export_format(adt_export_data_t *external,
1226     adt_internal_state_t *internal)
1227 {
1228 	struct export_header	head;
1229 	struct export_link	tail;
1230 	adr_t			context;
1231 	size32_t		label_len = 0;
1232 
1233 	adrm_start(&context, (char *)external);
1234 
1235 	if (internal->as_label != NULL) {
1236 		label_len = blabel_size();
1237 	}
1238 
1239 	head.ax_check = ADT_VALID;
1240 	head.ax_buffer_length = sizeof (struct adt_export_data) + label_len;
1241 
1242 	/* version 2 first */
1243 
1244 	head.ax_link.ax_version = PROTOCOL_VERSION_2;
1245 	head.ax_link.ax_offset = sizeof (struct export_header) +
1246 	    sizeof (struct adt_export_v2) + label_len;
1247 
1248 	adrm_putint32(&context, (int *)&head, 4);
1249 
1250 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1251 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1252 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1253 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1254 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1255 	adrm_putint32(&context,
1256 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1257 	adrm_putint32(&context,
1258 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1259 	adrm_putint32(&context,
1260 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1261 	adrm_putint32(&context,
1262 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1263 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1264 	adrm_putint32(&context, (int *)&(internal->as_audit_state), 1);
1265 	adrm_putint32(&context, (int *)&(internal->as_pid), 1);
1266 	adrm_putint32(&context, (int *)&label_len, 1);
1267 	if (internal->as_label != NULL) {
1268 		/* serialize the label */
1269 		adrm_putint32(&context, (int *)(internal->as_label),
1270 		    (label_len / sizeof (int32_t)));
1271 	}
1272 
1273 	/* now version 1 */
1274 
1275 	tail.ax_version = PROTOCOL_VERSION_1;
1276 	tail.ax_offset = 0;
1277 
1278 	adrm_putint32(&context, (int *)&tail, 2);
1279 
1280 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1281 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1282 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1283 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1284 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1285 	adrm_putint32(&context,
1286 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1287 	adrm_putint32(&context,
1288 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1289 	adrm_putint32(&context,
1290 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1291 	adrm_putint32(&context,
1292 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1293 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1294 	adrm_putint32(&context, (int *)&(internal->as_audit_state), 1);
1295 	/* ignored in v1 */
1296 	adrm_putint32(&context, (int *)&label_len, 1);
1297 
1298 	/* finally terminator */
1299 
1300 	tail.ax_version = 0; /* invalid version number */
1301 	tail.ax_offset = 0;
1302 
1303 	adrm_putint32(&context, (int *)&tail, 2);
1304 
1305 	return (head.ax_buffer_length);
1306 }
1307 
1308 /*
1309  * adt_ucred_label() -- if label is available, duplicate it.
1310  */
1311 
1312 static m_label_t *
1313 adt_ucred_label(ucred_t *uc)
1314 {
1315 	m_label_t	*ul = NULL;
1316 
1317 	if (ucred_getlabel(uc) != NULL) {
1318 		(void) m_label_dup(&ul, ucred_getlabel(uc));
1319 	}
1320 
1321 	return (ul);
1322 }
1323 
1324 /*
1325  * adt_import() -- convert from network order to machine-specific order
1326  */
1327 
1328 static int
1329 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external)
1330 {
1331 	au_mask_t mask;
1332 
1333 	/* save local audit state */
1334 	int	local_audit_state = internal->as_audit_state;
1335 
1336 	if (adt_from_export_format(internal, external) < 1)
1337 		return (-1); /* errno from adt_from_export_format */
1338 
1339 	/*
1340 	 * If audit isn't enabled on the remote, they were unable
1341 	 * to generate the audit mask, so generate it based on
1342 	 * local configuration.  If the user id has changed, the
1343 	 * resulting mask may miss some subtleties that occurred
1344 	 * on the remote system.
1345 	 *
1346 	 * If the remote failed to generate a terminal id, it is not
1347 	 * recoverable.
1348 	 */
1349 
1350 	if (!(internal->as_audit_state & AUC_DISABLED)) {
1351 		if (adt_get_mask_from_user(internal->as_info.ai_auid,
1352 		    &(internal->as_info.ai_mask)))
1353 			return (-1);
1354 		if (internal->as_info.ai_auid != internal->as_ruid) {
1355 			if (adt_get_mask_from_user(internal->as_info.ai_auid,
1356 			    &mask))
1357 				return (-1);
1358 			internal->as_info.ai_mask.am_success |=
1359 			    mask.am_success;
1360 			internal->as_info.ai_mask.am_failure |=
1361 			    mask.am_failure;
1362 		}
1363 	}
1364 	internal->as_audit_state = local_audit_state;
1365 
1366 	DPRINTF(("(%lld)imported asid = %X %u\n", (long long) getpid(),
1367 	    internal->as_info.ai_asid,
1368 	    internal->as_info.ai_asid));
1369 
1370 	internal->as_have_user_data = ADT_HAVE_ALL;
1371 
1372 	return (0);
1373 }
1374 
1375 /*
1376  * adt_export_session_data()
1377  * copies a adt_session_data struct into a network order buffer
1378  *
1379  * In a misconfigured network, the local host may have auditing
1380  * off while the destination may have auditing on, so if there
1381  * is sufficient memory, a buffer will be returned even in the
1382  * audit off case.
1383  */
1384 
1385 size_t
1386 adt_export_session_data(const adt_session_data_t *internal,
1387     adt_export_data_t **external)
1388 {
1389 	size32_t		length = 0;
1390 
1391 	if ((internal != NULL) &&
1392 	    ((adt_internal_state_t *)internal)->as_label != NULL) {
1393 		length = blabel_size();
1394 	}
1395 
1396 	*external = malloc(sizeof (adt_export_data_t) + length);
1397 
1398 	if (*external == NULL)
1399 		return (0);
1400 
1401 	if (internal == NULL) {
1402 		adt_internal_state_t	*dummy;
1403 
1404 		dummy = malloc(sizeof (adt_internal_state_t));
1405 		if (dummy == NULL)
1406 			goto return_length_free;
1407 
1408 		if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */
1409 			free(dummy);
1410 			goto return_length_free;
1411 		}
1412 		length = adt_to_export_format(*external, dummy);
1413 		free(dummy);
1414 	} else {
1415 		length = adt_to_export_format(*external,
1416 		    (adt_internal_state_t *)internal);
1417 	}
1418 	return (length);
1419 
1420 return_length_free:
1421 	free(*external);
1422 	*external = NULL;
1423 	return (0);
1424 }
1425 
1426 static void
1427 adt_setto_unaudited(adt_internal_state_t *state)
1428 {
1429 	if (state->as_audit_state & AUC_DISABLED) {
1430 		state->as_ruid = AU_NOAUDITID;
1431 		state->as_euid = AU_NOAUDITID;
1432 		state->as_rgid = AU_NOAUDITID;
1433 		state->as_egid = AU_NOAUDITID;
1434 		state->as_pid = (pid_t)-1;
1435 		state->as_label = NULL;
1436 	} else {
1437 		state->as_info.ai_asid = 0;
1438 		state->as_info.ai_auid = AU_NOAUDITID;
1439 
1440 		(void) memset((void *)&(state->as_info.ai_termid), 0,
1441 		    sizeof (au_tid_addr_t));
1442 		state->as_info.ai_termid.at_type = AU_IPv4;
1443 
1444 		(void) memset((void *)&(state->as_info.ai_mask), 0,
1445 		    sizeof (au_mask_t));
1446 		state->as_have_user_data = 0;
1447 	}
1448 }
1449 
1450 /*
1451  * adt_init -- set session context by copying the audit characteristics
1452  * from the proc and picking up current uid/tid information.
1453  *
1454  * By default, an audit session is based on the process; the default
1455  * is overriden by adt_set_user()
1456  */
1457 
1458 static int
1459 adt_init(adt_internal_state_t *state, int use_proc_data)
1460 {
1461 	/* ensure auditstate is set */
1462 
1463 	(void) adt_audit_state(0);
1464 	state->as_audit_state = auditstate;
1465 
1466 	if (use_proc_data) {
1467 		state->as_ruid = getuid();
1468 		state->as_euid = geteuid();
1469 		state->as_rgid = getgid();
1470 		state->as_egid = getegid();
1471 		state->as_pid = getpid();
1472 
1473 		if (!(state->as_audit_state & AUC_DISABLED)) {
1474 			const au_tid64_addr_t	*tid;
1475 			const au_mask_t		*mask;
1476 			ucred_t			*ucred = ucred_get(P_MYID);
1477 
1478 			/*
1479 			 * Even if the ucred is NULL, the underlying
1480 			 * credential may have a valid terminal id; if the
1481 			 * terminal id is set, then that's good enough.  An
1482 			 * example of where this matters is failed login,
1483 			 * where rlogin/telnet sets the terminal id before
1484 			 * calling login; login does not load the credential
1485 			 * since auth failed.
1486 			 */
1487 			if (ucred == NULL) {
1488 				if (!adt_have_termid(
1489 				    &(state->as_info.ai_termid)))
1490 					return (-1);
1491 			} else {
1492 				mask = ucred_getamask(ucred);
1493 				if (mask != NULL) {
1494 					state->as_info.ai_mask = *mask;
1495 				} else {
1496 					ucred_free(ucred);
1497 					return (-1);
1498 				}
1499 				tid = ucred_getatid(ucred);
1500 				if (tid != NULL) {
1501 					adt_cpy_tid(&(state->as_info.ai_termid),
1502 					    tid);
1503 				} else {
1504 					ucred_free(ucred);
1505 					return (-1);
1506 				}
1507 				state->as_info.ai_asid = ucred_getasid(ucred);
1508 				state->as_info.ai_auid = ucred_getauid(ucred);
1509 				state->as_label = adt_ucred_label(ucred);
1510 				ucred_free(ucred);
1511 			}
1512 			state->as_have_user_data = ADT_HAVE_ALL;
1513 		}
1514 	} else {
1515 		adt_setto_unaudited(state);
1516 	}
1517 	state->as_session_model = ADT_SESSION_MODEL;	/* default */
1518 
1519 	if ((state->as_audit_state & (AUC_AUDITING | AUC_NOSPACE)) &&
1520 	    auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy),
1521 	    sizeof (state->as_kernel_audit_policy))) {
1522 		return (-1);  /* errno set by auditon */
1523 	}
1524 	state->as_check = ADT_VALID;
1525 	adt_load_table((adt_session_data_t *)state, &adt_xlate_table[0],
1526 	    &adt_preload);
1527 	return (0);
1528 }
1529 
1530 /*
1531  * adt_set_proc
1532  *
1533  * Copy the current session state to the process.  If this function
1534  * is called, the model becomes a process model rather than a
1535  * session model.
1536  *
1537  * In the current implementation, the value state->as_have_user_data
1538  * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}.  These are all set
1539  * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in.
1540  *
1541  */
1542 
1543 int
1544 adt_set_proc(const adt_session_data_t *session_data)
1545 {
1546 	adt_internal_state_t	*state;
1547 
1548 	if (session_data == NULL) {
1549 		return (0);
1550 	}
1551 
1552 	state = (adt_internal_state_t *)session_data;
1553 
1554 	assert(state->as_check == ADT_VALID);
1555 
1556 	if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) !=
1557 	    (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) {
1558 		errno = EINVAL;
1559 		goto return_err;
1560 	}
1561 
1562 	if (setaudit_addr((auditinfo_addr_t *)&(state->as_info),
1563 	    sizeof (auditinfo_addr_t)) < 0) {
1564 		goto return_err;	/* errno set by setaudit_addr() */
1565 	}
1566 
1567 	state->as_session_model = ADT_PROCESS_MODEL;
1568 
1569 	return (0);
1570 
1571 return_err:
1572 	adt_write_syslog("failed to set process audit characteristics", errno);
1573 	return (-1);
1574 }
1575 
1576 static int
1577 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid)
1578 {
1579 	au_tid_addr_t	no_tid = {0, AU_IPv4, 0, 0, 0, 0};
1580 	au_mask_t	no_mask = {0, 0};
1581 
1582 	if (ruid == ADT_NO_AUDIT) {
1583 		state->as_info.ai_auid = AU_NOAUDITID;
1584 		state->as_info.ai_asid = 0;
1585 		state->as_info.ai_termid = no_tid;
1586 		state->as_info.ai_mask = no_mask;
1587 		return (0);
1588 	}
1589 	state->as_info.ai_auid = ruid;
1590 	state->as_info.ai_asid = adt_get_unique_id(ruid);
1591 	if (termid != NULL)
1592 		state->as_info.ai_termid = *termid;
1593 
1594 	if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1595 		return (-1);
1596 
1597 	/* Assume intending to audit as this process */
1598 
1599 	if (state->as_pid == (pid_t)-1)
1600 		state->as_pid = getpid();
1601 
1602 	if (is_system_labeled() && state->as_label == NULL) {
1603 		ucred_t	*ucred = ucred_get(P_MYID);
1604 
1605 		state->as_label = adt_ucred_label(ucred);
1606 		ucred_free(ucred);
1607 	}
1608 
1609 	return (0);
1610 }
1611 
1612 static int
1613 adt_changeuser(adt_internal_state_t *state, uid_t ruid)
1614 {
1615 	au_mask_t		mask;
1616 
1617 	if (!(state->as_have_user_data & ADT_HAVE_AUID))
1618 		state->as_info.ai_auid = ruid;
1619 	if (!(state->as_have_user_data & ADT_HAVE_ASID))
1620 		state->as_info.ai_asid = adt_get_unique_id(ruid);
1621 
1622 	if (ruid <= MAXEPHUID) {
1623 		if (adt_get_mask_from_user(ruid, &mask))
1624 			return (-1);
1625 
1626 		state->as_info.ai_mask.am_success |= mask.am_success;
1627 		state->as_info.ai_mask.am_failure |= mask.am_failure;
1628 	}
1629 	DPRINTF(("changed mask to %08X/%08X for ruid=%d\n",
1630 	    state->as_info.ai_mask.am_success,
1631 	    state->as_info.ai_mask.am_failure,
1632 	    ruid));
1633 	return (0);
1634 }
1635 
1636 /*
1637  * adt_set_user -- see also adt_set_from_ucred()
1638  *
1639  * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or
1640  * "unattributed."  If ruid, change the model to session.
1641  *
1642  * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value"
1643  * only valid with ADT_UPDATE.
1644  *
1645  * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there
1646  * isn't a good reason to call adt_set_user() with it unless you don't
1647  * have a good value yet and intend to replace it later; auid will be
1648  * AU_NOAUDITID.
1649  *
1650  * adt_set_user should be called even if auditing is not enabled
1651  * so that adt_export_session_data() will have useful stuff to
1652  * work with.
1653  *
1654  * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID
1655  * and ADT_HAVE_ALL.
1656  */
1657 
1658 int
1659 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid,
1660     uid_t ruid, gid_t rgid, const adt_termid_t *termid,
1661     enum adt_user_context user_context)
1662 {
1663 	adt_internal_state_t	*state;
1664 	int			rc;
1665 
1666 	if (session_data == NULL) /* no session exists to audit */
1667 		return (0);
1668 
1669 	state = (adt_internal_state_t *)session_data;
1670 	assert(state->as_check == ADT_VALID);
1671 
1672 	switch (user_context) {
1673 	case ADT_NEW:
1674 		if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE ||
1675 		    rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) {
1676 			errno = EINVAL;
1677 			return (-1);
1678 		}
1679 		if ((rc = adt_newuser(state, ruid,
1680 		    (au_tid_addr_t *)termid)) != 0)
1681 			return (rc);
1682 
1683 		state->as_have_user_data = ADT_HAVE_ALL;
1684 		break;
1685 	case ADT_UPDATE:
1686 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1687 			errno = EINVAL;
1688 			return (-1);
1689 		}
1690 
1691 		if (ruid != ADT_NO_CHANGE)
1692 			if ((rc = adt_changeuser(state, ruid)) != 0)
1693 				return (rc);
1694 		break;
1695 	case ADT_USER:
1696 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1697 			errno = EINVAL;
1698 			return (-1);
1699 		}
1700 		break;
1701 	case ADT_SETTID:
1702 		assert(termid != NULL);
1703 		state->as_info.ai_termid = *((au_tid_addr_t *)termid);
1704 		/* avoid fooling pam_setcred()... */
1705 		state->as_info.ai_auid = AU_NOAUDITID;
1706 		state->as_info.ai_asid = 0;
1707 		state->as_info.ai_mask.am_failure = 0;
1708 		state->as_info.ai_mask.am_success = 0;
1709 		state->as_have_user_data = ADT_HAVE_TID |
1710 		    ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK;
1711 		return (0);
1712 	default:
1713 		errno = EINVAL;
1714 		return (-1);
1715 	}
1716 
1717 	if (ruid == ADT_NO_AUDIT) {
1718 		state->as_ruid = AU_NOAUDITID;
1719 		state->as_euid = AU_NOAUDITID;
1720 		state->as_rgid = AU_NOAUDITID;
1721 		state->as_egid = AU_NOAUDITID;
1722 	} else {
1723 		if (ruid != ADT_NO_CHANGE)
1724 			state->as_ruid = ruid;
1725 		if (euid != ADT_NO_CHANGE)
1726 			state->as_euid = euid;
1727 		if (rgid != ADT_NO_CHANGE)
1728 			state->as_rgid = rgid;
1729 		if (egid != ADT_NO_CHANGE)
1730 			state->as_egid = egid;
1731 	}
1732 
1733 	if (ruid == ADT_NO_ATTRIB) {
1734 		state->as_session_model = ADT_SESSION_MODEL;
1735 	}
1736 
1737 	return (0);
1738 }
1739 
1740 /*
1741  * adt_set_from_ucred()
1742  *
1743  * an alternate to adt_set_user that fills the same role but uses
1744  * a pointer to a ucred rather than a list of id's.  If the ucred
1745  * pointer is NULL, use the credential from the this process.
1746  *
1747  * A key difference is that for ADT_NEW, adt_set_from_ucred() does
1748  * not overwrite the asid and auid unless auid has not been set.
1749  * ADT_NEW differs from ADT_UPDATE in that it does not OR together
1750  * the incoming audit mask with the one that already exists.
1751  *
1752  * adt_set_from_ucred should be called even if auditing is not enabled
1753  * so that adt_export_session_data() will have useful stuff to
1754  * work with.
1755  */
1756 
1757 int
1758 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc,
1759     enum adt_user_context user_context)
1760 {
1761 	adt_internal_state_t	*state;
1762 	int			rc = -1;
1763 	const au_tid64_addr_t		*tid64;
1764 	au_tid_addr_t		termid, *tid;
1765 	ucred_t	*ucred = (ucred_t *)uc;
1766 	boolean_t	local_uc = B_FALSE;
1767 
1768 	if (session_data == NULL) /* no session exists to audit */
1769 		return (0);
1770 
1771 	state = (adt_internal_state_t *)session_data;
1772 	assert(state->as_check == ADT_VALID);
1773 
1774 	if (ucred == NULL) {
1775 		ucred = ucred_get(P_MYID);
1776 
1777 		if (ucred == NULL)
1778 			goto return_rc;
1779 		local_uc = B_TRUE;
1780 	}
1781 
1782 	switch (user_context) {
1783 	case ADT_NEW:
1784 		tid64 = ucred_getatid(ucred);
1785 		if (tid64 != NULL) {
1786 			adt_cpy_tid(&termid, tid64);
1787 			tid = &termid;
1788 		} else {
1789 			tid = NULL;
1790 		}
1791 		if (ucred_getauid(ucred) == AU_NOAUDITID) {
1792 			adt_setto_unaudited(state);
1793 			state->as_have_user_data = ADT_HAVE_ALL;
1794 			rc = 0;
1795 			goto return_rc;
1796 		} else {
1797 			state->as_info.ai_auid = ucred_getauid(ucred);
1798 			state->as_info.ai_asid = ucred_getasid(ucred);
1799 			state->as_info.ai_mask = *ucred_getamask(ucred);
1800 			state->as_info.ai_termid = *tid;
1801 		}
1802 		state->as_have_user_data = ADT_HAVE_ALL;
1803 		break;
1804 	case ADT_UPDATE:
1805 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1806 			errno = EINVAL;
1807 			goto return_rc;
1808 		}
1809 
1810 		if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0)
1811 			goto return_rc;
1812 		break;
1813 	case ADT_USER:
1814 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1815 			errno = EINVAL;
1816 			goto return_rc;
1817 		}
1818 		break;
1819 	default:
1820 		errno = EINVAL;
1821 		goto return_rc;
1822 	}
1823 	rc = 0;
1824 
1825 	state->as_ruid = ucred_getruid(ucred);
1826 	state->as_euid = ucred_geteuid(ucred);
1827 	state->as_rgid = ucred_getrgid(ucred);
1828 	state->as_egid = ucred_getegid(ucred);
1829 	state->as_pid = ucred_getpid(ucred);
1830 	state->as_label = adt_ucred_label(ucred);
1831 
1832 return_rc:
1833 	if (local_uc) {
1834 		ucred_free(ucred);
1835 	}
1836 	return (rc);
1837 }
1838 
1839 /*
1840  * adt_alloc_event() returns a pointer to allocated memory
1841  *
1842  */
1843 
1844 adt_event_data_t
1845 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id)
1846 {
1847 	struct adt_event_state	*event_state;
1848 	adt_internal_state_t	*session_state;
1849 	adt_event_data_t	*return_event = NULL;
1850 	/*
1851 	 * need to return a valid event pointer even if audit is
1852 	 * off, else the caller will end up either (1) keeping its
1853 	 * own flags for on/off or (2) writing to a NULL pointer.
1854 	 * If auditing is on, the session data must be valid; otherwise
1855 	 * we don't care.
1856 	 */
1857 	if (session_data != NULL) {
1858 		session_state = (adt_internal_state_t *)session_data;
1859 		assert(session_state->as_check == ADT_VALID);
1860 	}
1861 	event_state = calloc(1, sizeof (struct adt_event_state));
1862 	if (event_state == NULL)
1863 		goto return_ptr;
1864 
1865 	event_state->ae_check = ADT_VALID;
1866 
1867 	event_state->ae_event_id = event_id;
1868 	event_state->ae_session = (struct adt_internal_state *)session_data;
1869 
1870 	return_event = (adt_event_data_t *)&(event_state->ae_event_data);
1871 
1872 	/*
1873 	 * preload data so the adt_au_*() functions can detect un-supplied
1874 	 * values (0 and NULL are free via calloc()).
1875 	 */
1876 	if (session_data != NULL) {
1877 		session_state->as_preload(event_id, return_event);
1878 	}
1879 
1880 return_ptr:
1881 	return (return_event);
1882 }
1883 
1884 /*
1885  * adt_getXlateTable -- look up translation table address for event id
1886  */
1887 
1888 static adt_translation_t *
1889 adt_getXlateTable(adt_translation_t **xlate, au_event_t event_id)
1890 {
1891 	/* xlate_table is global in adt_xlate.c */
1892 	adt_translation_t	**p_xlate = xlate;
1893 	adt_translation_t	*p_event;
1894 
1895 	while (*p_xlate != NULL) {
1896 		p_event = *p_xlate;
1897 		if (event_id == p_event->tx_external_event)
1898 			return (p_event);
1899 		p_xlate++;
1900 	}
1901 	return (NULL);
1902 }
1903 
1904 /*
1905  * adt_calcOffsets
1906  *
1907  * the call to this function is surrounded by a mutex.
1908  *
1909  * i walks down the table picking up next_token.  j walks again to
1910  * calculate the offset to the input data.  k points to the next
1911  * token's row.  Finally, l, is used to sum the values in the
1912  * datadef array.
1913  *
1914  * What's going on?  The entry array is in the order of the input
1915  * fields but the processing of array entries is in the order of
1916  * the output (see next_token).  Calculating the offset to the
1917  * "next" input can't be done in the outer loop (i) since i doesn't
1918  * point to the current entry and it can't be done with the k index
1919  * because it doesn't represent the order of input fields.
1920  *
1921  * While the resulting algorithm is n**2, it is only done once per
1922  * event type.
1923  */
1924 
1925 /*
1926  * adt_calcOffsets is only called once per event type, but it uses
1927  * the address alignment of memory allocated for that event as if it
1928  * were the same for all subsequently allocated memory.  This is
1929  * guaranteed by calloc/malloc.  Arrays take special handling since
1930  * what matters for figuring out the correct alignment is the size
1931  * of the array element.
1932  */
1933 
1934 static void
1935 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data)
1936 {
1937 	int		i, j;
1938 	size_t		this_size, prev_size;
1939 	void		*struct_start = p_data;
1940 
1941 	for (i = 0; i < tablesize; i++) {
1942 		if (p_entry[i].en_type_def == NULL) {
1943 			p_entry[i].en_offset = 0;
1944 			continue;
1945 		}
1946 		prev_size = 0;
1947 		p_entry[i].en_offset = (char *)p_data - (char *)struct_start;
1948 
1949 		for (j = 0; j < p_entry[i].en_count_types; j++) {
1950 			if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG)
1951 				this_size = sizeof (enum adt_generic);
1952 			else
1953 				this_size =
1954 				    p_entry[i].en_type_def[j].dd_input_size;
1955 
1956 			/* adj for first entry */
1957 			if (prev_size == 0)
1958 				prev_size = this_size;
1959 
1960 			if (p_entry[i].en_type_def[j].dd_datatype ==
1961 			    ADT_UINT32ARRAY) {
1962 				p_data = (char *)adt_adjust_address(p_data,
1963 				    prev_size, sizeof (uint32_t)) +
1964 				    this_size - sizeof (uint32_t);
1965 
1966 				prev_size = sizeof (uint32_t);
1967 			} else {
1968 				p_data = adt_adjust_address(p_data, prev_size,
1969 				    this_size);
1970 				prev_size = this_size;
1971 			}
1972 		}
1973 	}
1974 }
1975 
1976 /*
1977  * adt_generate_event
1978  * generate event record from external struct.  The order is based on
1979  * the output tokens, allowing for the possibility that the input data
1980  * is in a different order.
1981  *
1982  */
1983 
1984 static int
1985 adt_generate_event(const adt_event_data_t *p_extdata,
1986     struct adt_event_state *p_event,
1987     adt_translation_t *p_xlate)
1988 {
1989 	struct entry		*p_entry;
1990 	static mutex_t	lock = DEFAULTMUTEX;
1991 
1992 	p_entry = p_xlate->tx_first_entry;
1993 	assert(p_entry != NULL);
1994 
1995 	p_event->ae_internal_id = p_xlate->tx_internal_event;
1996 	adt_token_open(p_event);
1997 
1998 	/*
1999 	 * offsets are not pre-calculated; the initial offsets are all
2000 	 * 0; valid offsets are >= 0.  Offsets for no-input tokens such
2001 	 * as subject are set to -1 by adt_calcOffset()
2002 	 */
2003 	if (p_xlate->tx_offsetsCalculated == 0) {
2004 		(void) mutex_lock(&lock);
2005 		p_xlate->tx_offsetsCalculated = 1;
2006 
2007 		adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries,
2008 		    (void *)p_extdata);
2009 		(void) mutex_unlock(&lock);
2010 	}
2011 	while (p_entry != NULL) {
2012 		adt_generate_token(p_entry, (char *)p_extdata, p_event);
2013 
2014 		p_entry = p_entry->en_next_token;
2015 	}
2016 	return (adt_token_close(p_event));
2017 }
2018 
2019 /*
2020  * adt_put_event -- main event generation function.
2021  * The input "event" is the address of the struct containing
2022  * event-specific data.
2023  *
2024  * However if auditing is off or the session handle
2025  * is NULL, no attempt to write a record is made.
2026  */
2027 
2028 int
2029 adt_put_event(const adt_event_data_t *event, int status, int return_val)
2030 {
2031 	struct adt_event_state	*event_state;
2032 	adt_translation_t	*xlate;
2033 
2034 	if (event == NULL) {
2035 		errno = EINVAL;
2036 		return (-1);
2037 	}
2038 	event_state = (struct adt_event_state *)event;
2039 
2040 	/* if this is a broken session or not auditing, exit */
2041 	if ((event_state->ae_session == NULL) ||
2042 	    !(event_state->ae_session->as_audit_state &
2043 	    (AUC_AUDITING | AUC_NOSPACE))) {
2044 		return (0);
2045 	}
2046 
2047 	assert(event_state->ae_check == ADT_VALID);
2048 
2049 	event_state->ae_rc = status;
2050 	event_state->ae_type = return_val;
2051 
2052 	/* look up the event */
2053 
2054 	xlate = adt_getXlateTable(event_state->ae_session->as_xlate,
2055 	    event_state->ae_event_id);
2056 
2057 	if (xlate == NULL) {
2058 		errno = EINVAL;
2059 		return (-1);
2060 	}
2061 	DPRINTF(("got event %d\n", xlate->tx_internal_event));
2062 
2063 	if (adt_selected(event_state, xlate->tx_internal_event, status)) {
2064 		return (adt_generate_event(event, event_state, xlate));
2065 	}
2066 
2067 	return (0);
2068 }
2069 
2070 /*
2071  * adt_free_event -- invalidate and free
2072  */
2073 
2074 void
2075 adt_free_event(adt_event_data_t *event)
2076 {
2077 	struct adt_event_state	*event_state;
2078 
2079 	if (event == NULL)
2080 		return;
2081 
2082 	event_state = (struct adt_event_state *)event;
2083 
2084 	assert(event_state->ae_check == ADT_VALID);
2085 
2086 	event_state->ae_check = 0;
2087 
2088 	free(event_state);
2089 }
2090 
2091 /*
2092  * adt_is_selected -- helper to adt_selected(), below.
2093  *
2094  * "sorf" is "success or fail" status; au_preselect compares
2095  * that with success, fail, or both.
2096  */
2097 
2098 static int
2099 adt_is_selected(au_event_t e, au_mask_t *m, int sorf)
2100 {
2101 	int prs_sorf;
2102 
2103 	if (sorf == 0)
2104 		prs_sorf = AU_PRS_SUCCESS;
2105 	else
2106 		prs_sorf = AU_PRS_FAILURE;
2107 
2108 	return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD));
2109 }
2110 
2111 /*
2112  * selected -- see if this event is preselected.
2113  *
2114  * if errors are encountered trying to check a preselection mask
2115  * or look up a user name, the event is selected.  Otherwise, the
2116  * preselection mask is used for the job.
2117  */
2118 
2119 static int
2120 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status)
2121 {
2122 	adt_internal_state_t *sp;
2123 	au_mask_t	namask;
2124 
2125 	sp = event->ae_session;
2126 
2127 	if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) {
2128 		adt_write_syslog("No user data available", EINVAL);
2129 		return (1);	/* default is "selected" */
2130 	}
2131 
2132 	/* non-attributable? */
2133 	if ((sp->as_info.ai_auid == AU_NOAUDITID) ||
2134 	    (sp->as_info.ai_auid == ADT_NO_AUDIT)) {
2135 		if (auditon(A_GETKMASK, (caddr_t)&namask,
2136 		    sizeof (namask)) != 0) {
2137 			adt_write_syslog("auditon failure", errno);
2138 			return (1);
2139 		}
2140 		return (adt_is_selected(actual_id, &namask, status));
2141 	} else {
2142 		return (adt_is_selected(actual_id, &(sp->as_info.ai_mask),
2143 		    status));
2144 	}
2145 }
2146 
2147 /*
2148  * Can't map the host name to an IP address in
2149  * adt_get_hostIP.  Get something off an interface
2150  * to act as the hosts IP address for auditing.
2151  */
2152 
2153 static int
2154 adt_get_local_address(int family, struct ifaddrlist *al)
2155 {
2156 	struct ifaddrlist	*ifal;
2157 	char	errbuf[ERRBUFSIZE] = "empty list";
2158 	char	msg[ERRBUFSIZE + 512];
2159 	int	ifal_count;
2160 	int	i;
2161 
2162 	if ((ifal_count = ifaddrlist(&ifal, family, 0, errbuf)) < 0) {
2163 		int serrno = errno;
2164 
2165 		(void) snprintf(msg, sizeof (msg), "adt_get_local_address "
2166 		    "couldn't get %d addrlist %s", family, errbuf);
2167 		adt_write_syslog(msg, serrno);
2168 		errno = serrno;
2169 		return (-1);
2170 	}
2171 
2172 	for (i = 0; i < ifal_count; i++) {
2173 		/*
2174 		 * loopback always defined,
2175 		 * even if there is no real address
2176 		 */
2177 		if ((ifal[i].flags & (IFF_UP | IFF_LOOPBACK)) == IFF_UP) {
2178 			break;
2179 		}
2180 	}
2181 	if (i >= ifal_count) {
2182 		free(ifal);
2183 		/*
2184 		 * Callers of adt_get_hostIP() can only return
2185 		 * errno to their callers and eventually the application.
2186 		 * Picked one that seemed least worse for saying no
2187 		 * usable address for Audit terminal ID.
2188 		 */
2189 		errno = ENETDOWN;
2190 		return (-1);
2191 	}
2192 
2193 	*al = ifal[i];
2194 	free(ifal);
2195 	return (0);
2196 }
2197