xref: /illumos-gate/usr/src/lib/libbsm/common/adt.c (revision fb23c574f17ddde310cea59fe008d16f650ced5a)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
24  * Copyright 2017 OmniOS Community Edition (OmniOSce) Association.
25  */
26 
27 #include <bsm/adt.h>
28 #include <bsm/adt_event.h>
29 #include <assert.h>
30 #include <bsm/audit.h>
31 #include <bsm/audit_record.h>
32 #include <bsm/libbsm.h>
33 #include <door.h>
34 #include <errno.h>
35 #include <generic.h>
36 #include <md5.h>
37 #include <sys/mkdev.h>
38 #include <netdb.h>
39 #include <nss_dbdefs.h>
40 #include <pwd.h>
41 #include <sys/stat.h>
42 #include <time.h>
43 #include <stdlib.h>
44 #include <string.h>
45 #include <synch.h>
46 #include <sys/systeminfo.h>
47 #include <syslog.h>
48 #include <thread.h>
49 #include <unistd.h>
50 #include <adt_xlate.h>
51 #include <adt_ucred.h>
52 #include <arpa/inet.h>
53 #include <net/if.h>
54 #include <libinetutil.h>
55 
56 static int adt_selected(struct adt_event_state *, au_event_t, int);
57 static int adt_init(adt_internal_state_t *, int);
58 static int adt_import(adt_internal_state_t *, const adt_export_data_t *);
59 static m_label_t *adt_ucred_label(ucred_t *);
60 static void adt_setto_unaudited(adt_internal_state_t *);
61 static int adt_get_local_address(int, struct ifaddrlist *);
62 
63 #ifdef C2_DEBUG
64 #define	DPRINTF(x) { (void) printf x; }
65 #define	DFLUSH (void) fflush(stdout);
66 #else
67 #define	DPRINTF(x)
68 #define	DFLUSH
69 #endif
70 
71 /*
72  * Local audit states are a bit mask
73  *
74  * The global audit states are
75  *
76  * AUC_UNSET             0      - on/off hasn't been decided
77  * AUC_ENABLED           1      - loaded and enabled
78  *
79  * The local Zone states are
80  *
81  * AUC_AUDITING         0x1     - audit daemon is active
82  * AUC_NOAUDIT          0x2     - audit daemon is not active
83  * AUC_INIT_AUDIT       0x4     - audit is ready but auditd has not run
84  * AUC_NOSPACE          0x8     - audit enabled, no space for audit records
85  *
86  * The only values returned by auditon(A_GETCOND) are:
87  * AUC_INIT_AUDIT, AUC_AUDITING, AUC_NOAUDIT, AUC_NOSPACE
88  *
89  * The pseudo audit state used when the c2audit module is excluded is
90  *
91  * AUC_DISABLED		0x100	- c2audit module is excluded
92  */
93 
94 static int auditstate = AUC_DISABLED;	/* default state */
95 
96 /*
97  * adt_write_syslog
98  *
99  * errors that are not the user's fault (bugs or whatever in
100  * the underlying audit code are noted in syslog.)
101  *
102  * Avoid calling adt_write_syslog for things that can happen
103  * at high volume.
104  *
105  * syslog's open (openlog) and close (closelog) are interesting;
106  * openlog *may* create a file descriptor and is optional.  closelog
107  * *will* close any open file descriptors and is also optional.
108  *
109  * Since syslog may also be used by the calling application, the
110  * choice is to avoid openlog, which sets some otherwise useful
111  * parameters, and to embed "Solaris_audit" in the log message.
112  */
113 
114 void
115 adt_write_syslog(const char *message, int err)
116 {
117 	int	save_errno = errno;
118 	int	mask_priority;
119 
120 	DPRINTF(("syslog called: %s\n", message));
121 
122 	mask_priority = setlogmask(LOG_MASK(LOG_ALERT));
123 	errno = err;
124 	syslog(LOG_ALERT, "Solaris_audit %s: %m", message);
125 	(void) setlogmask(mask_priority);
126 	errno = save_errno;
127 }
128 
129 /*
130  * return true if c2audit is not excluded.
131  *
132  *	For purpose of this API, anything but AUC_DISABLED
133  *	is enabled; however one never actually sees
134  *	AUC_DISABLED since auditon returns ENOTSUP in that case.  Any
135  *	auditon error is considered the same as ENOTSUP for our
136  *	purpose.  auditstate is not changed by auditon if an error
137  *	is returned.
138  */
139 
140 /*
141  * XXX	this should probably be eliminated and adt_audit_state() replace it.
142  *	All the legitimate uses	are to not fork a waiting process for
143  *	process exit processing, as in su, login, dtlogin.  Other bogus
144  *	users are zoneadmd and init.
145  *	All but dtlogin are in ON, so we can do this without cross gate
146  *	synchronization.
147  *
148  *	No longer used in adt.c.
149  */
150 
151 boolean_t
152 adt_audit_enabled(void)
153 {
154 
155 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
156 
157 	return (auditstate != AUC_DISABLED);
158 }
159 
160 /*
161  *	See adt_audit_enabled() for state discussions.
162  *	The state parameter is a hedge until all the uses become clear.
163  *	Likely if adt_audit_enabled is brought internal to this file,
164  *	it could be modified to take one or more parameters to describe the
165  *	state.
166  */
167 
168 boolean_t
169 adt_audit_state(int states)
170 {
171 
172 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
173 
174 	return ((auditstate & states) ? B_TRUE : B_FALSE);
175 }
176 
177 /*
178  * Get user_specific/non-attributable audit mask. This may be called even when
179  * auditing is off.
180  */
181 
182 static int
183 adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
184 {
185 	struct passwd	pwd;
186 	long		buff_sz;
187 	char		*pwd_buff;
188 
189 
190 	if (auditstate & AUC_DISABLED) {
191 		/* c2audit excluded */
192 		mask->am_success = 0;
193 		mask->am_failure = 0;
194 	} else if (uid <= MAXUID) {
195 		if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) {
196 			adt_write_syslog("couldn't determine maximum size of "
197 			    "password buffer", errno);
198 			return (-1);
199 		}
200 		if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) {
201 			return (-1);
202 		}
203 		if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) == NULL) {
204 			errno = EINVAL;	/* user doesn't exist */
205 			free(pwd_buff);
206 			return (-1);
207 		}
208 		if (au_user_mask(pwd.pw_name, mask)) {
209 			free(pwd_buff);
210 			errno = EFAULT; /* undetermined failure */
211 			return (-1);
212 		}
213 		free(pwd_buff);
214 	} else if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) {
215 			return (-1);
216 	}
217 
218 	return (0);
219 }
220 
221 /*
222  * adt_get_unique_id -- generate a hopefully unique 32 bit value
223  *
224  * there will be a follow up to replace this with the use of /dev/random
225  *
226  * An MD5 hash is taken on a buffer of
227  *     hostname . audit id . unix time . pid . count
228  *
229  * "count = noise++;" is subject to a race condition but I don't
230  * see a need to put a lock around it.
231  */
232 
233 au_asid_t
234 adt_get_unique_id(au_id_t uid)
235 {
236 	char		hostname[MAXHOSTNAMELEN];
237 	union {
238 		au_id_t		v[4];
239 		unsigned char	obuff[128/8];
240 	} output;
241 	MD5_CTX	context;
242 
243 	static int	noise = 0;
244 
245 	int		count = noise++;
246 	time_t		timebits = time(NULL);
247 	pid_t		pidbits = getpid();
248 	au_asid_t	retval = 0;
249 
250 	if (gethostname(hostname, MAXHOSTNAMELEN)) {
251 		adt_write_syslog("gethostname call failed", errno);
252 		(void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN);
253 	}
254 
255 	while (retval == 0) {  /* 0 is the only invalid result */
256 		MD5Init(&context);
257 
258 		MD5Update(&context, (unsigned char *)hostname,
259 		    (unsigned int) strlen((const char *)hostname));
260 
261 		MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t));
262 
263 		MD5Update(&context,
264 		    (unsigned char *) &timebits, sizeof (time_t));
265 
266 		MD5Update(&context, (unsigned char *) &pidbits,
267 		    sizeof (pid_t));
268 
269 		MD5Update(&context, (unsigned char *) &(count), sizeof (int));
270 		MD5Final(output.obuff, &context);
271 
272 		retval = output.v[count % 4];
273 	}
274 	return (retval);
275 }
276 
277 /*
278  * the following "port" function deals with the following issues:
279  *
280  * 1    the kernel and ucred deal with a dev_t as a 64 bit value made
281  *      up from a 32 bit major and 32 bit minor.
282  * 2    User space deals with a dev_t as either the above 64 bit value
283  *      or a 32 bit value made from a 14 bit major and an 18 bit minor.
284  * 3    The various audit interfaces (except ucred) pass the 32 or
285  *      64 bit version depending the architecture of the userspace
286  *      application.  If you get a port value from ucred and pass it
287  *      to the kernel via auditon(), it must be squeezed into a 32
288  *      bit value because the kernel knows the userspace app's bit
289  *      size.
290  *
291  * The internal state structure for adt (adt_internal_state_t) uses
292  * dev_t, so adt converts data from ucred to fit.  The import/export
293  * functions, however, can't know if they are importing/exporting
294  * from 64 or 32 bit applications, so they always send 64 bits and
295  * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as
296  * appropriate.
297  */
298 
299 /*
300  * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are
301  * both 64 bits).  If lib is 32 bits, squeeze the two-int port into
302  * a 32 bit dev_t.  A port fits in the "minor" part of au_port_t,
303  * so it isn't broken up into pieces.  (When it goes to the kernel
304  * and back, however, it will have been split into major/minor
305  * pieces.)
306  */
307 
308 static void
309 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src)
310 {
311 #ifdef _LP64
312 	(void) memcpy(dest, src, sizeof (au_tid_addr_t));
313 #else	/* _LP64 */
314 	dest->at_type = src->at_type;
315 
316 	dest->at_port  = src->at_port.at_minor & MAXMIN32;
317 	dest->at_port |= (src->at_port.at_major & MAXMAJ32) <<
318 	    NBITSMINOR32;
319 
320 	(void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t));
321 #endif	/* _LP64 */
322 }
323 
324 /*
325  * adt_start_session -- create interface handle, create context
326  *
327  * The imported_state input is normally NULL, if not, it represents
328  * a continued session; its values obviate the need for a subsequent
329  * call to adt_set_user().
330  *
331  * The flag is used to decide how to set the initial state of the session.
332  * If 0, the session is "no audit" until a call to adt_set_user; if
333  * ADT_USE_PROC_DATA, the session is built from the process audit
334  * characteristics obtained from the kernel.  If imported_state is
335  * not NULL, the resulting audit mask is an OR of the current process
336  * audit mask and that passed in.
337  *
338  * The basic model is that the caller can use the pointer returned
339  * by adt_start_session whether or not auditing is enabled or an
340  * error was returned.  The functions that take the session handle
341  * as input generally return without doing anything if auditing is
342  * disabled.
343  */
344 
345 int
346 adt_start_session(adt_session_data_t **new_session,
347     const adt_export_data_t *imported_state, adt_session_flags_t flags)
348 {
349 	adt_internal_state_t	*state;
350 	adt_session_flags_t	flgmask = ADT_FLAGS_ALL;
351 
352 	/* test and set auditstate */
353 	if (adt_audit_state(AUC_DISABLED)) {
354 		/* c2audit excluded */
355 		*new_session = NULL;
356 		return (0);
357 	}
358 
359 	if ((flags & ~flgmask) != 0) {
360 		errno = EINVAL;
361 		goto return_err;
362 	}
363 
364 	if ((state = calloc(1, sizeof (adt_internal_state_t))) == NULL) {
365 		goto return_err;
366 	}
367 
368 	if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0) {
369 		goto return_err_free;    /* errno from adt_init() */
370 	}
371 
372 	/*
373 	 * The imported state overwrites the initial state if the
374 	 * imported state represents a valid audit trail
375 	 */
376 
377 	if (imported_state != NULL) {
378 		if (adt_import(state, imported_state) != 0) {
379 			goto return_err_free;
380 		}
381 	} else if (flags & ADT_USE_PROC_DATA) {
382 		state->as_session_model = ADT_PROCESS_MODEL;
383 	}
384 	state->as_flags = flags;
385 	DPRINTF(("(%lld) Starting session id = %08X\n",
386 	    (long long) getpid(), state->as_info.ai_asid));
387 
388 	*new_session = (adt_session_data_t *)state;
389 	return (0);
390 
391 return_err_free:
392 	free(state);
393 return_err:
394 	*new_session = NULL;
395 	adt_write_syslog("audit session create failed", errno);
396 	return (-1);
397 }
398 
399 /*
400  * adt_load_table()
401  *
402  * loads the event translation table into the audit session.
403  */
404 
405 void
406 adt_load_table(const adt_session_data_t *session_data,
407     adt_translation_t **xlate, void (*preload)(au_event_t, adt_event_data_t *))
408 {
409 	adt_internal_state_t	*state = (adt_internal_state_t *)session_data;
410 
411 	if (state != NULL) {
412 		assert(state->as_check == ADT_VALID);
413 		state->as_xlate = xlate;
414 		state->as_preload = preload;
415 	}
416 }
417 
418 /*
419  * adt_get_asid() and adt_set_asid()
420  *
421  * if you use this interface, you are responsible to insure that the
422  * rest of the session data is populated correctly before calling
423  * adt_proccess_attr()
424  *
425  * neither of these are intended for general use and will likely
426  * remain private interfaces for a long time.  Forever is a long
427  * time.  In the case of adt_set_asid(), you should have a very,
428  * very good reason for setting your own session id.  The process
429  * audit characteristics are not changed by put, use adt_set_proc().
430  *
431  * These are "volatile" (more changable than "evolving") and will
432  * probably change in the S10 period.
433  */
434 
435 void
436 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid)
437 {
438 
439 	if (session_data == NULL) {
440 		*asid = 0;
441 	} else {
442 		assert(((adt_internal_state_t *)session_data)->as_check ==
443 		    ADT_VALID);
444 
445 		*asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid;
446 	}
447 }
448 
449 void
450 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id)
451 {
452 
453 	if (session_data != NULL) {
454 		assert(((adt_internal_state_t *)session_data)->as_check ==
455 		    ADT_VALID);
456 
457 		((adt_internal_state_t *)session_data)->as_have_user_data |=
458 		    ADT_HAVE_ASID;
459 		((adt_internal_state_t *)session_data)->as_info.ai_asid =
460 		    session_id;
461 	}
462 }
463 
464 /*
465  * adt_get_auid() and adt_set_auid()
466  *
467  * neither of these are intended for general use and will likely
468  * remain private interfaces for a long time.  Forever is a long
469  * time.  In the case of adt_set_auid(), you should have a very,
470  * very good reason for setting your own audit id.  The process
471  * audit characteristics are not changed by put, use adt_set_proc().
472  */
473 
474 void
475 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid)
476 {
477 
478 	if (session_data == NULL) {
479 		*auid = AU_NOAUDITID;
480 	} else {
481 		assert(((adt_internal_state_t *)session_data)->as_check ==
482 		    ADT_VALID);
483 
484 		*auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid;
485 	}
486 }
487 
488 void
489 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id)
490 {
491 
492 	if (session_data != NULL) {
493 		assert(((adt_internal_state_t *)session_data)->as_check ==
494 		    ADT_VALID);
495 
496 		((adt_internal_state_t *)session_data)->as_have_user_data |=
497 		    ADT_HAVE_AUID;
498 		((adt_internal_state_t *)session_data)->as_info.ai_auid =
499 		    audit_id;
500 	}
501 }
502 
503 /*
504  * adt_get_termid(), adt_set_termid()
505  *
506  * if you use this interface, you are responsible to insure that the
507  * rest of the session data is populated correctly before calling
508  * adt_proccess_attr()
509  *
510  * The process  audit characteristics are not changed by put, use
511  * adt_set_proc().
512  */
513 
514 void
515 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid)
516 {
517 
518 	if (session_data == NULL) {
519 		(void) memset(termid, 0, sizeof (au_tid_addr_t));
520 		termid->at_type = AU_IPv4;
521 	} else {
522 		assert(((adt_internal_state_t *)session_data)->as_check ==
523 		    ADT_VALID);
524 
525 		*termid =
526 		    ((adt_internal_state_t *)session_data)->as_info.ai_termid;
527 	}
528 }
529 
530 void
531 adt_set_termid(const adt_session_data_t *session_data,
532     const au_tid_addr_t *termid)
533 {
534 
535 	if (session_data != NULL) {
536 		assert(((adt_internal_state_t *)session_data)->as_check ==
537 		    ADT_VALID);
538 
539 		((adt_internal_state_t *)session_data)->as_info.ai_termid =
540 		    *termid;
541 
542 		((adt_internal_state_t *)session_data)->as_have_user_data |=
543 		    ADT_HAVE_TID;
544 	}
545 }
546 
547 /*
548  * adt_get_mask(), adt_set_mask()
549  *
550  * if you use this interface, you are responsible to insure that the
551  * rest of the session data is populated correctly before calling
552  * adt_proccess_attr()
553  *
554  * The process  audit characteristics are not changed by put, use
555  * adt_set_proc().
556  */
557 
558 void
559 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask)
560 {
561 
562 	if (session_data == NULL) {
563 		mask->am_success = 0;
564 		mask->am_failure = 0;
565 	} else {
566 		assert(((adt_internal_state_t *)session_data)->as_check ==
567 		    ADT_VALID);
568 
569 		*mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask;
570 	}
571 }
572 
573 void
574 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask)
575 {
576 
577 	if (session_data != NULL) {
578 		assert(((adt_internal_state_t *)session_data)->as_check ==
579 		    ADT_VALID);
580 
581 		((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask;
582 
583 		((adt_internal_state_t *)session_data)->as_have_user_data |=
584 		    ADT_HAVE_MASK;
585 	}
586 }
587 
588 /*
589  * helpers for adt_load_termid
590  */
591 
592 static dev_t
593 adt_ports_to_at_port(in_port_t remote, in_port_t local)
594 {
595 	dev_t port;
596 
597 #ifdef _LP64
598 	dev_t tmp;
599 
600 	/*
601 	 * In 64-bit, at_port is a 64-bit value encoding major/minor
602 	 * device numbers as 32-bits each. However when a 32-bit application
603 	 * subsequently requests the audit address via getaudit_addr(), this
604 	 * value must be capable of being compressed down to a 14-bit major and
605 	 * 18-bit minor number or the call will fail.
606 	 *
607 	 * In order to construct a 32-bit compatible value, the top 14-bits of
608 	 * the remote port are used for the major number and the remaining
609 	 * 2-bits + local port are used for the minor.
610 	 */
611 
612 	tmp = ((remote<<16) | (local));
613 	port = (tmp & MAXMIN32);
614 	port |= (((tmp >> NBITSMINOR32) & MAXMAJ32) << NBITSMINOR64);
615 #else
616 	port = ((remote<<16) | (local));
617 #endif
618 
619 	return (port);
620 }
621 
622 static void
623 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock,
624     au_tid_addr_t *termid)
625 {
626 	termid->at_port =
627 	    adt_ports_to_at_port(peer->sin6_port, sock->sin6_port);
628 	termid->at_type = AU_IPv6;
629 	(void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t));
630 }
631 
632 static void
633 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock,
634     au_tid_addr_t *termid)
635 {
636 	termid->at_port = adt_ports_to_at_port(peer->sin_port, sock->sin_port);
637 	termid->at_type = AU_IPv4;
638 	termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr;
639 	(void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t));
640 }
641 
642 /*
643  * adt_load_termid:  convenience function; inputs file handle and
644  * outputs an au_tid_addr struct.
645  *
646  * This code was stolen from audit_settid.c; it differs from audit_settid()
647  * in that it does not write the terminal id to the process.
648  */
649 
650 int
651 adt_load_termid(int fd, adt_termid_t **termid)
652 {
653 	au_tid_addr_t		*p_term;
654 	struct sockaddr_in6	peer;
655 	struct sockaddr_in6	sock;
656 	int			peerlen = sizeof (peer);
657 	int			socklen = sizeof (sock);
658 
659 	/* get peer name if its a socket, else assume local terminal */
660 
661 	if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen)
662 	    < 0) {
663 		if (errno == ENOTSOCK) {
664 			return (adt_load_hostname(NULL, termid));
665 		}
666 		goto return_err;
667 	}
668 
669 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
670 		goto return_err;
671 	}
672 
673 	/* get sock name */
674 	if (getsockname(fd, (struct sockaddr *)&sock,
675 	    (socklen_t *)&socklen) < 0) {
676 		goto return_err_free;
677 	}
678 
679 	if (peer.sin6_family == AF_INET6) {
680 		adt_do_ipv6_address(&peer, &sock, p_term);
681 	} else {
682 		adt_do_ipv4_address((struct sockaddr_in *)&peer,
683 		    (struct sockaddr_in *)&sock, p_term);
684 	}
685 	*termid = (adt_termid_t *)p_term;
686 
687 	return (0);
688 
689 return_err_free:
690 	free(p_term);
691 return_err:
692 	*termid = NULL;
693 	return (-1);
694 }
695 
696 static boolean_t
697 adt_have_termid(au_tid_addr_t *dest)
698 {
699 	struct auditinfo_addr	audit_data;
700 
701 	if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) {
702 		adt_write_syslog("getaudit failed", errno);
703 		return (B_FALSE);
704 	}
705 
706 	if ((audit_data.ai_termid.at_type == 0) ||
707 	    (audit_data.ai_termid.at_addr[0] |
708 	    audit_data.ai_termid.at_addr[1]  |
709 	    audit_data.ai_termid.at_addr[2]  |
710 	    audit_data.ai_termid.at_addr[3]) == 0)
711 		return (B_FALSE);
712 
713 	(void) memcpy(dest, &(audit_data.ai_termid),
714 	    sizeof (au_tid_addr_t));
715 
716 	return (B_TRUE);
717 }
718 
719 /*
720  * adt_get_hostIP - construct a terminal id from a hostname
721  *
722  *	Returns	 0 = success
723  *		-1 = failure and errno = ENETDOWN with the address
724  *		     defaulted to IPv4 loopback.
725  */
726 
727 static int
728 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term)
729 {
730 	struct addrinfo	*ai = NULL;
731 	int	tries = 3;
732 	char	msg[512];
733 	int	eai_err;
734 
735 	while ((tries-- > 0) &&
736 	    ((eai_err = getaddrinfo(hostname, NULL, NULL, &ai)) != 0)) {
737 		/*
738 		 * getaddrinfo returns its own set of errors.
739 		 * Log them here, so any subsequent syslogs will
740 		 * have a context.  adt_get_hostIP callers can only
741 		 * return errno, so subsequent syslogs may be lacking
742 		 * that getaddrinfo failed.
743 		 */
744 		(void) snprintf(msg, sizeof (msg), "getaddrinfo(%s) "
745 		    "failed[%s]", hostname, gai_strerror(eai_err));
746 		adt_write_syslog(msg, 0);
747 
748 		if (eai_err != EAI_AGAIN) {
749 
750 			break;
751 		}
752 		/* see if resolution becomes available */
753 		(void) sleep(1);
754 	}
755 	if (ai != NULL) {
756 		if (ai->ai_family == AF_INET) {
757 			p_term->at_type = AU_IPv4;
758 			(void) memcpy(p_term->at_addr,
759 			    /* LINTED */
760 			    &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
761 			    AU_IPv4);
762 		} else {
763 			p_term->at_type = AU_IPv6;
764 			(void) memcpy(p_term->at_addr,
765 			    /* LINTED */
766 			    &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
767 			    AU_IPv6);
768 		}
769 		freeaddrinfo(ai);
770 		return (0);
771 	} else if (auditstate & (AUC_AUDITING | AUC_NOSPACE)) {
772 		auditinfo_addr_t  audit_info;
773 
774 		/*
775 		 * auditd is running so there should be a
776 		 * kernel audit context
777 		 */
778 		if (auditon(A_GETKAUDIT, (caddr_t)&audit_info,
779 		    sizeof (audit_info)) < 0) {
780 			adt_write_syslog("unable to get kernel audit context",
781 			    errno);
782 			goto try_interface;
783 		}
784 		adt_write_syslog("setting Audit IP address to kernel", 0);
785 		*p_term = audit_info.ai_termid;
786 		return (0);
787 	}
788 try_interface:
789 	{
790 		struct ifaddrlist al;
791 		int	family;
792 		char	ntop[INET6_ADDRSTRLEN];
793 
794 		/*
795 		 * getaddrinfo has failed to map the hostname
796 		 * to an IP address, try to get an IP address
797 		 * from a local interface.  If none up, default
798 		 * to loopback.
799 		 */
800 		family = AF_INET6;
801 		if (adt_get_local_address(family, &al) != 0) {
802 			family = AF_INET;
803 
804 			if (adt_get_local_address(family, &al) != 0) {
805 				adt_write_syslog("adt_get_local_address "
806 				    "failed, no Audit IP address available, "
807 				    "faking loopback and error",
808 				    errno);
809 				IN_SET_LOOPBACK_ADDR(
810 				    (struct sockaddr_in *)&(al.addr.addr));
811 				(void) memcpy(p_term->at_addr, &al.addr.addr,
812 				    AU_IPv4);
813 				p_term->at_type = AU_IPv4;
814 				return (-1);
815 			}
816 		}
817 		if (family == AF_INET) {
818 			p_term->at_type = AU_IPv4;
819 			(void) memcpy(p_term->at_addr, &al.addr.addr, AU_IPv4);
820 		} else {
821 			p_term->at_type = AU_IPv6;
822 			(void) memcpy(p_term->at_addr, &al.addr.addr6, AU_IPv6);
823 		}
824 
825 		(void) snprintf(msg, sizeof (msg), "mapping %s to %s",
826 		    hostname, inet_ntop(family, &(al.addr), ntop,
827 		    sizeof (ntop)));
828 		adt_write_syslog(msg, 0);
829 		return (0);
830 	}
831 }
832 
833 /*
834  * adt_load_hostname() is called when the caller does not have a file
835  * handle that gives access to the socket info or any other way to
836  * pass in both port and ip address.  The hostname input is ignored if
837  * the terminal id has already been set; instead it returns the
838  * existing terminal id.
839  *
840  * If c2audit is excluded, success is returned.
841  * If the hostname lookup fails, the loopback address is assumed,
842  * errno is set to ENETDOWN, this allows the caller to interpret
843  * whether failure is fatal, and if not to have a address for the
844  * hostname.
845  * Otherwise the caller would need to be aware of the audit state.
846  *
847  * Other errors are ignored if not auditing.
848  */
849 
850 int
851 adt_load_hostname(const char *hostname, adt_termid_t **termid)
852 {
853 	char		localhost[MAXHOSTNAMELEN + 1];
854 	au_tid_addr_t	*p_term;
855 
856 	if (adt_audit_state(AUC_DISABLED)) {
857 		/* c2audit excluded */
858 		*termid = NULL;
859 		return (0);
860 	}
861 
862 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
863 		goto return_err;
864 	}
865 
866 	if (adt_have_termid(p_term)) {
867 		*termid = (adt_termid_t *)p_term;
868 		return (0);
869 	}
870 	p_term->at_port = 0;
871 
872 	if (hostname == NULL || *hostname == '\0') {
873 		(void) sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN);
874 		hostname = localhost;
875 	}
876 	if (adt_get_hostIP(hostname, p_term) == 0) {
877 		*termid = (adt_termid_t *)p_term;
878 		return (0);
879 	} else {
880 		*termid = (adt_termid_t *)p_term;
881 		return (-1);
882 	}
883 
884 return_err:
885 	*termid = NULL;
886 	if (auditstate & AUC_NOAUDIT) {
887 		return (0);
888 	}
889 
890 	return (-1);
891 }
892 
893 /*
894  * adt_load_ttyname() is called when the caller does not have a file
895  * handle that gives access to the local terminal or any other way
896  * of determining the device id.  The ttyname input is ignored if
897  * the terminal id has already been set; instead it returns the
898  * existing terminal id.
899  *
900  * If c2audit is excluded, success is returned.
901  * The local hostname is used for the local IP address.
902  * If that hostname lookup fails, the loopback address is assumed,
903  * errno is set to ENETDOWN, this allows the caller to interpret
904  * whether failure is fatal, and if not to have a address for the
905  * hostname.
906  * Otherwise the caller would need to be aware of the audit state.
907  *
908  * Other errors are ignored if not auditing.
909  */
910 
911 int
912 adt_load_ttyname(const char *ttyname, adt_termid_t **termid)
913 {
914 	char		localhost[MAXHOSTNAMELEN + 1];
915 	au_tid_addr_t	*p_term;
916 	struct stat	stat_buf;
917 
918 	if (adt_audit_state(AUC_DISABLED)) {
919 		/* c2audit excluded */
920 		*termid = NULL;
921 		return (0);
922 	}
923 
924 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
925 		goto return_err;
926 	}
927 
928 	if (adt_have_termid(p_term)) {
929 		*termid = (adt_termid_t *)p_term;
930 		return (0);
931 	}
932 
933 	p_term->at_port = 0;
934 
935 	if (sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN) < 0) {
936 		goto return_err_free; /* errno from sysinfo */
937 	}
938 
939 	if (ttyname != NULL && *ttyname != '\0') {
940 		if (stat(ttyname, &stat_buf) < 0) {
941 			goto return_err_free;
942 		}
943 
944 		p_term->at_port = stat_buf.st_rdev;
945 	}
946 
947 	if (adt_get_hostIP(localhost, p_term) == 0) {
948 		*termid = (adt_termid_t *)p_term;
949 		return (0);
950 	} else {
951 		*termid = (adt_termid_t *)p_term;
952 		return (-1);
953 	}
954 
955 return_err_free:
956 	free(p_term);
957 
958 return_err:
959 	*termid = NULL;
960 	if (auditstate & AUC_NOAUDIT) {
961 		return (0);
962 	}
963 
964 	return (-1);
965 }
966 
967 /*
968  * adt_get_session_id returns a stringified representation of
969  * the audit session id.  See also adt_get_asid() for how to
970  * get the unexpurgated version.  No guarantees as to how long
971  * the returned string will be or its general form; hex for now.
972  *
973  * An empty string is returned if auditing is off; length = 1
974  * and the pointer is valid.
975  *
976  * returns strlen + 1 if buffer is valid; else 0 and errno.
977  */
978 
979 size_t
980 adt_get_session_id(const adt_session_data_t *session_data, char **buff)
981 {
982 	au_asid_t	session_id;
983 	size_t		length;
984 	/*
985 	 * output is 0x followed by
986 	 * two characters per byte
987 	 * plus terminator,
988 	 * except leading 0's are suppressed, so a few bytes may
989 	 * be unused.
990 	 */
991 	length = 2 + (2 * sizeof (session_id)) + 1;
992 	*buff = malloc(length);
993 
994 	if (*buff == NULL) {
995 		return (0);
996 	}
997 	if (session_data == NULL) { /* NULL is not an error */
998 		**buff = '\0';
999 		return (1);
1000 	}
1001 	adt_get_asid(session_data, &session_id);
1002 
1003 	length = snprintf(*buff, length, "0x%X", (int)session_id);
1004 
1005 	/* length < 1 is a bug: the session data type may have changed */
1006 	assert(length > 0);
1007 
1008 	return (length);
1009 }
1010 
1011 /*
1012  * adt_end_session -- close handle, clear context
1013  *
1014  * if as_check is invalid, no harm, no foul, EXCEPT that this could
1015  * be an attempt to free data already free'd, so output to syslog
1016  * to help explain why the process cored dumped.
1017  */
1018 
1019 int
1020 adt_end_session(adt_session_data_t *session_data)
1021 {
1022 	adt_internal_state_t	*state;
1023 
1024 	if (session_data != NULL) {
1025 		state = (adt_internal_state_t *)session_data;
1026 		if (state->as_check != ADT_VALID) {
1027 			adt_write_syslog("freeing invalid data", EINVAL);
1028 		} else {
1029 			state->as_check = 0;
1030 			m_label_free(state->as_label);
1031 			free(session_data);
1032 		}
1033 	}
1034 	/* no errors yet defined */
1035 	return (0);
1036 }
1037 
1038 /*
1039  * adt_dup_session -- copy the session data
1040  */
1041 
1042 int
1043 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest)
1044 {
1045 	adt_internal_state_t	*source_state;
1046 	adt_internal_state_t	*dest_state = NULL;
1047 	int			rc = 0;
1048 
1049 	if (source != NULL) {
1050 		source_state = (adt_internal_state_t *)source;
1051 		assert(source_state->as_check == ADT_VALID);
1052 
1053 		dest_state = malloc(sizeof (adt_internal_state_t));
1054 		if (dest_state == NULL) {
1055 			rc = -1;
1056 			goto return_rc;
1057 		}
1058 		(void) memcpy(dest_state, source,
1059 		    sizeof (struct adt_internal_state));
1060 
1061 		if (source_state->as_label != NULL) {
1062 			dest_state->as_label = NULL;
1063 			if ((rc = m_label_dup(&dest_state->as_label,
1064 			    source_state->as_label)) != 0) {
1065 				free(dest_state);
1066 				dest_state = NULL;
1067 			}
1068 		}
1069 	}
1070 return_rc:
1071 	*dest = (adt_session_data_t *)dest_state;
1072 	return (rc);
1073 }
1074 
1075 /*
1076  * from_export_format()
1077  * read from a network order buffer into struct adt_session_data
1078  */
1079 
1080 static size_t
1081 adt_from_export_format(adt_internal_state_t *internal,
1082     const adt_export_data_t *external)
1083 {
1084 	struct export_header	head;
1085 	struct export_link	link;
1086 	adr_t			context;
1087 	int32_t 		offset;
1088 	int32_t 		length;
1089 	int32_t 		version;
1090 	size_t			label_len;
1091 	char			*p = (char *)external;
1092 
1093 	adrm_start(&context, (char *)external);
1094 	adrm_int32(&context, (int *)&head, 4);
1095 
1096 	if ((internal->as_check = head.ax_check) != ADT_VALID) {
1097 		errno = EINVAL;
1098 		return (0);
1099 	}
1100 	offset = head.ax_link.ax_offset;
1101 	version = head.ax_link.ax_version;
1102 	length = head.ax_buffer_length;
1103 
1104 	/*
1105 	 * Skip newer versions.
1106 	 */
1107 	while (version > PROTOCOL_VERSION_2) {
1108 		if (offset < 1) {
1109 			return (0);	/* failed to match version */
1110 		}
1111 		p += offset;		/* point to next version # */
1112 
1113 		if (p > (char *)external + length) {
1114 			return (0);
1115 		}
1116 		adrm_start(&context, p);
1117 		adrm_int32(&context, (int *)&link, 2);
1118 		offset = link.ax_offset;
1119 		version = link.ax_version;
1120 		assert(version != 0);
1121 	}
1122 	/*
1123 	 * Adjust buffer pointer to the first data item (euid).
1124 	 */
1125 	if (p == (char *)external) {
1126 		adrm_start(&context, (char *)(p + sizeof (head)));
1127 	} else {
1128 		adrm_start(&context, (char *)(p + sizeof (link)));
1129 	}
1130 	/*
1131 	 * if down rev version, neither pid nor label are included
1132 	 * in v1 ax_size_of_tsol_data intentionally ignored
1133 	 */
1134 	if (version == PROTOCOL_VERSION_1) {
1135 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1136 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1137 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1138 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1139 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1140 		adrm_int32(&context,
1141 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1142 		adrm_int32(&context,
1143 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1144 		adrm_int32(&context,
1145 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1146 		adrm_int32(&context,
1147 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1148 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1149 		adrm_int32(&context, (int *)&(internal->as_audit_state), 1);
1150 		internal->as_pid = (pid_t)-1;
1151 		internal->as_label = NULL;
1152 	} else if (version == PROTOCOL_VERSION_2) {
1153 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1154 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1155 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1156 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1157 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1158 		adrm_int32(&context,
1159 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1160 		adrm_int32(&context,
1161 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1162 		adrm_int32(&context,
1163 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1164 		adrm_int32(&context,
1165 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1166 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1167 		adrm_int32(&context, (int *)&(internal->as_audit_state), 1);
1168 		adrm_int32(&context, (int *)&(internal->as_pid), 1);
1169 		adrm_int32(&context, (int *)&label_len, 1);
1170 		if (label_len > 0) {
1171 			/* read in and deal with different sized labels. */
1172 			size32_t my_label_len = blabel_size();
1173 
1174 			if ((internal->as_label =
1175 			    m_label_alloc(MAC_LABEL)) == NULL) {
1176 				return (0);
1177 			}
1178 			if (label_len > my_label_len) {
1179 				errno = EINVAL;
1180 				m_label_free(internal->as_label);
1181 				return (0);
1182 			}
1183 			(void) memset(internal->as_label, 0, my_label_len);
1184 			adrm_int32(&context, (int *)(internal->as_label),
1185 			    label_len / sizeof (int32_t));
1186 		} else {
1187 			internal->as_label = NULL;
1188 		}
1189 	}
1190 
1191 	return (length);
1192 }
1193 
1194 /*
1195  * adt_to_export_format
1196  * read from struct adt_session_data into a network order buffer.
1197  *
1198  * (network order 'cause this data may be shared with a remote host.)
1199  */
1200 
1201 static size_t
1202 adt_to_export_format(adt_export_data_t *external,
1203     adt_internal_state_t *internal)
1204 {
1205 	struct export_header	head;
1206 	struct export_link	tail;
1207 	adr_t			context;
1208 	size32_t		label_len = 0;
1209 
1210 	adrm_start(&context, (char *)external);
1211 
1212 	if (internal->as_label != NULL) {
1213 		label_len = blabel_size();
1214 	}
1215 
1216 	head.ax_check = ADT_VALID;
1217 	head.ax_buffer_length = sizeof (struct adt_export_data) + label_len;
1218 
1219 	/* version 2 first */
1220 
1221 	head.ax_link.ax_version = PROTOCOL_VERSION_2;
1222 	head.ax_link.ax_offset = sizeof (struct export_header) +
1223 	    sizeof (struct adt_export_v2) + label_len;
1224 
1225 	adrm_putint32(&context, (int *)&head, 4);
1226 
1227 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1228 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1229 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1230 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1231 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1232 	adrm_putint32(&context,
1233 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1234 	adrm_putint32(&context,
1235 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1236 	adrm_putint32(&context,
1237 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1238 	adrm_putint32(&context,
1239 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1240 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1241 	adrm_putint32(&context, (int *)&(internal->as_audit_state), 1);
1242 	adrm_putint32(&context, (int *)&(internal->as_pid), 1);
1243 	adrm_putint32(&context, (int *)&label_len, 1);
1244 	if (internal->as_label != NULL) {
1245 		/* serialize the label */
1246 		adrm_putint32(&context, (int *)(internal->as_label),
1247 		    (label_len / sizeof (int32_t)));
1248 	}
1249 
1250 	/* now version 1 */
1251 
1252 	tail.ax_version = PROTOCOL_VERSION_1;
1253 	tail.ax_offset = 0;
1254 
1255 	adrm_putint32(&context, (int *)&tail, 2);
1256 
1257 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1258 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1259 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1260 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1261 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1262 	adrm_putint32(&context,
1263 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1264 	adrm_putint32(&context,
1265 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1266 	adrm_putint32(&context,
1267 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1268 	adrm_putint32(&context,
1269 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1270 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1271 	adrm_putint32(&context, (int *)&(internal->as_audit_state), 1);
1272 	/* ignored in v1 */
1273 	adrm_putint32(&context, (int *)&label_len, 1);
1274 
1275 	/* finally terminator */
1276 
1277 	tail.ax_version = 0; /* invalid version number */
1278 	tail.ax_offset = 0;
1279 
1280 	adrm_putint32(&context, (int *)&tail, 2);
1281 
1282 	return (head.ax_buffer_length);
1283 }
1284 
1285 /*
1286  * adt_ucred_label() -- if label is available, duplicate it.
1287  */
1288 
1289 static m_label_t *
1290 adt_ucred_label(ucred_t *uc)
1291 {
1292 	m_label_t	*ul = NULL;
1293 
1294 	if (ucred_getlabel(uc) != NULL) {
1295 		(void) m_label_dup(&ul, ucred_getlabel(uc));
1296 	}
1297 
1298 	return (ul);
1299 }
1300 
1301 /*
1302  * adt_import() -- convert from network order to machine-specific order
1303  */
1304 
1305 static int
1306 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external)
1307 {
1308 	au_mask_t mask;
1309 
1310 	/* save local audit state */
1311 	int	local_audit_state = internal->as_audit_state;
1312 
1313 	if (adt_from_export_format(internal, external) < 1)
1314 		return (-1); /* errno from adt_from_export_format */
1315 
1316 	/*
1317 	 * If audit isn't enabled on the remote, they were unable
1318 	 * to generate the audit mask, so generate it based on
1319 	 * local configuration.  If the user id has changed, the
1320 	 * resulting mask may miss some subtleties that occurred
1321 	 * on the remote system.
1322 	 *
1323 	 * If the remote failed to generate a terminal id, it is not
1324 	 * recoverable.
1325 	 */
1326 
1327 	if (!(internal->as_audit_state & AUC_DISABLED)) {
1328 		if (adt_get_mask_from_user(internal->as_info.ai_auid,
1329 		    &(internal->as_info.ai_mask)))
1330 			return (-1);
1331 		if (internal->as_info.ai_auid != internal->as_ruid) {
1332 			if (adt_get_mask_from_user(internal->as_info.ai_auid,
1333 			    &mask))
1334 				return (-1);
1335 			internal->as_info.ai_mask.am_success |=
1336 			    mask.am_success;
1337 			internal->as_info.ai_mask.am_failure |=
1338 			    mask.am_failure;
1339 		}
1340 	}
1341 	internal->as_audit_state = local_audit_state;
1342 
1343 	DPRINTF(("(%lld)imported asid = %X %u\n", (long long) getpid(),
1344 	    internal->as_info.ai_asid,
1345 	    internal->as_info.ai_asid));
1346 
1347 	internal->as_have_user_data = ADT_HAVE_ALL;
1348 
1349 	return (0);
1350 }
1351 
1352 /*
1353  * adt_export_session_data()
1354  * copies a adt_session_data struct into a network order buffer
1355  *
1356  * In a misconfigured network, the local host may have auditing
1357  * off while the destination may have auditing on, so if there
1358  * is sufficient memory, a buffer will be returned even in the
1359  * audit off case.
1360  */
1361 
1362 size_t
1363 adt_export_session_data(const adt_session_data_t *internal,
1364     adt_export_data_t **external)
1365 {
1366 	size32_t		length = 0;
1367 
1368 	if ((internal != NULL) &&
1369 	    ((adt_internal_state_t *)internal)->as_label != NULL) {
1370 		length = blabel_size();
1371 	}
1372 
1373 	*external = malloc(sizeof (adt_export_data_t) + length);
1374 
1375 	if (*external == NULL)
1376 		return (0);
1377 
1378 	if (internal == NULL) {
1379 		adt_internal_state_t	*dummy;
1380 
1381 		dummy = malloc(sizeof (adt_internal_state_t));
1382 		if (dummy == NULL)
1383 			goto return_length_free;
1384 
1385 		if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */
1386 			free(dummy);
1387 			goto return_length_free;
1388 		}
1389 		length = adt_to_export_format(*external, dummy);
1390 		free(dummy);
1391 	} else {
1392 		length = adt_to_export_format(*external,
1393 		    (adt_internal_state_t *)internal);
1394 	}
1395 	return (length);
1396 
1397 return_length_free:
1398 	free(*external);
1399 	*external = NULL;
1400 	return (0);
1401 }
1402 
1403 static void
1404 adt_setto_unaudited(adt_internal_state_t *state)
1405 {
1406 	if (state->as_audit_state & AUC_DISABLED) {
1407 		state->as_ruid = AU_NOAUDITID;
1408 		state->as_euid = AU_NOAUDITID;
1409 		state->as_rgid = AU_NOAUDITID;
1410 		state->as_egid = AU_NOAUDITID;
1411 		state->as_pid = (pid_t)-1;
1412 		state->as_label = NULL;
1413 	} else {
1414 		state->as_info.ai_asid = 0;
1415 		state->as_info.ai_auid = AU_NOAUDITID;
1416 
1417 		(void) memset((void *)&(state->as_info.ai_termid), 0,
1418 		    sizeof (au_tid_addr_t));
1419 		state->as_info.ai_termid.at_type = AU_IPv4;
1420 
1421 		(void) memset((void *)&(state->as_info.ai_mask), 0,
1422 		    sizeof (au_mask_t));
1423 		state->as_have_user_data = 0;
1424 	}
1425 }
1426 
1427 /*
1428  * adt_init -- set session context by copying the audit characteristics
1429  * from the proc and picking up current uid/tid information.
1430  *
1431  * By default, an audit session is based on the process; the default
1432  * is overriden by adt_set_user()
1433  */
1434 
1435 static int
1436 adt_init(adt_internal_state_t *state, int use_proc_data)
1437 {
1438 	/* ensure auditstate is set */
1439 
1440 	(void) adt_audit_state(0);
1441 	state->as_audit_state = auditstate;
1442 
1443 	if (use_proc_data) {
1444 		state->as_ruid = getuid();
1445 		state->as_euid = geteuid();
1446 		state->as_rgid = getgid();
1447 		state->as_egid = getegid();
1448 		state->as_pid = getpid();
1449 
1450 		if (!(state->as_audit_state & AUC_DISABLED)) {
1451 			const au_tid64_addr_t	*tid;
1452 			const au_mask_t		*mask;
1453 			ucred_t			*ucred = ucred_get(P_MYID);
1454 
1455 			/*
1456 			 * Even if the ucred is NULL, the underlying
1457 			 * credential may have a valid terminal id; if the
1458 			 * terminal id is set, then that's good enough.  An
1459 			 * example of where this matters is failed login,
1460 			 * where rlogin/telnet sets the terminal id before
1461 			 * calling login; login does not load the credential
1462 			 * since auth failed.
1463 			 */
1464 			if (ucred == NULL) {
1465 				if (!adt_have_termid(
1466 				    &(state->as_info.ai_termid)))
1467 					return (-1);
1468 			} else {
1469 				mask = ucred_getamask(ucred);
1470 				if (mask != NULL) {
1471 					state->as_info.ai_mask = *mask;
1472 				} else {
1473 					ucred_free(ucred);
1474 					return (-1);
1475 				}
1476 				tid = ucred_getatid(ucred);
1477 				if (tid != NULL) {
1478 					adt_cpy_tid(&(state->as_info.ai_termid),
1479 					    tid);
1480 				} else {
1481 					ucred_free(ucred);
1482 					return (-1);
1483 				}
1484 				state->as_info.ai_asid = ucred_getasid(ucred);
1485 				state->as_info.ai_auid = ucred_getauid(ucred);
1486 				state->as_label = adt_ucred_label(ucred);
1487 				ucred_free(ucred);
1488 			}
1489 			state->as_have_user_data = ADT_HAVE_ALL;
1490 		}
1491 	} else {
1492 		adt_setto_unaudited(state);
1493 	}
1494 	state->as_session_model = ADT_SESSION_MODEL;	/* default */
1495 
1496 	if ((state->as_audit_state & (AUC_AUDITING | AUC_NOSPACE)) &&
1497 	    auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy),
1498 	    sizeof (state->as_kernel_audit_policy))) {
1499 		return (-1);  /* errno set by auditon */
1500 	}
1501 	state->as_check = ADT_VALID;
1502 	adt_load_table((adt_session_data_t *)state, &adt_xlate_table[0],
1503 	    &adt_preload);
1504 	return (0);
1505 }
1506 
1507 /*
1508  * adt_set_proc
1509  *
1510  * Copy the current session state to the process.  If this function
1511  * is called, the model becomes a process model rather than a
1512  * session model.
1513  *
1514  * In the current implementation, the value state->as_have_user_data
1515  * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}.  These are all set
1516  * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in.
1517  *
1518  */
1519 
1520 int
1521 adt_set_proc(const adt_session_data_t *session_data)
1522 {
1523 	adt_internal_state_t	*state;
1524 
1525 	if (session_data == NULL) {
1526 		return (0);
1527 	}
1528 
1529 	state = (adt_internal_state_t *)session_data;
1530 
1531 	assert(state->as_check == ADT_VALID);
1532 
1533 	if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) !=
1534 	    (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) {
1535 		errno = EINVAL;
1536 		goto return_err;
1537 	}
1538 
1539 	if (setaudit_addr((auditinfo_addr_t *)&(state->as_info),
1540 	    sizeof (auditinfo_addr_t)) < 0) {
1541 		goto return_err;	/* errno set by setaudit_addr() */
1542 	}
1543 
1544 	state->as_session_model = ADT_PROCESS_MODEL;
1545 
1546 	return (0);
1547 
1548 return_err:
1549 	adt_write_syslog("failed to set process audit characteristics", errno);
1550 	return (-1);
1551 }
1552 
1553 static int
1554 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid)
1555 {
1556 	au_tid_addr_t	no_tid = {0, AU_IPv4, 0, 0, 0, 0};
1557 	au_mask_t	no_mask = {0, 0};
1558 
1559 	if (ruid == ADT_NO_AUDIT) {
1560 		state->as_info.ai_auid = AU_NOAUDITID;
1561 		state->as_info.ai_asid = 0;
1562 		state->as_info.ai_termid = no_tid;
1563 		state->as_info.ai_mask = no_mask;
1564 		return (0);
1565 	}
1566 	state->as_info.ai_auid = ruid;
1567 	state->as_info.ai_asid = adt_get_unique_id(ruid);
1568 	if (termid != NULL)
1569 		state->as_info.ai_termid = *termid;
1570 
1571 	if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1572 		return (-1);
1573 
1574 	/* Assume intending to audit as this process */
1575 
1576 	if (state->as_pid == (pid_t)-1)
1577 		state->as_pid = getpid();
1578 
1579 	if (is_system_labeled() && state->as_label == NULL) {
1580 		ucred_t	*ucred = ucred_get(P_MYID);
1581 
1582 		state->as_label = adt_ucred_label(ucred);
1583 		ucred_free(ucred);
1584 	}
1585 
1586 	return (0);
1587 }
1588 
1589 static int
1590 adt_changeuser(adt_internal_state_t *state, uid_t ruid)
1591 {
1592 	au_mask_t		mask;
1593 
1594 	if (!(state->as_have_user_data & ADT_HAVE_AUID))
1595 		state->as_info.ai_auid = ruid;
1596 	if (!(state->as_have_user_data & ADT_HAVE_ASID))
1597 		state->as_info.ai_asid = adt_get_unique_id(ruid);
1598 
1599 	if (ruid <= MAXEPHUID) {
1600 		if (adt_get_mask_from_user(ruid, &mask))
1601 			return (-1);
1602 
1603 		state->as_info.ai_mask.am_success |= mask.am_success;
1604 		state->as_info.ai_mask.am_failure |= mask.am_failure;
1605 	}
1606 	DPRINTF(("changed mask to %08X/%08X for ruid=%d\n",
1607 	    state->as_info.ai_mask.am_success,
1608 	    state->as_info.ai_mask.am_failure,
1609 	    ruid));
1610 	return (0);
1611 }
1612 
1613 /*
1614  * adt_set_user -- see also adt_set_from_ucred()
1615  *
1616  * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or
1617  * "unattributed."  If ruid, change the model to session.
1618  *
1619  * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value"
1620  * only valid with ADT_UPDATE.
1621  *
1622  * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there
1623  * isn't a good reason to call adt_set_user() with it unless you don't
1624  * have a good value yet and intend to replace it later; auid will be
1625  * AU_NOAUDITID.
1626  *
1627  * adt_set_user should be called even if auditing is not enabled
1628  * so that adt_export_session_data() will have useful stuff to
1629  * work with.
1630  *
1631  * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID
1632  * and ADT_HAVE_ALL.
1633  */
1634 
1635 int
1636 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid,
1637     uid_t ruid, gid_t rgid, const adt_termid_t *termid,
1638     enum adt_user_context user_context)
1639 {
1640 	adt_internal_state_t	*state;
1641 	int			rc;
1642 
1643 	if (session_data == NULL) /* no session exists to audit */
1644 		return (0);
1645 
1646 	state = (adt_internal_state_t *)session_data;
1647 	assert(state->as_check == ADT_VALID);
1648 
1649 	switch (user_context) {
1650 	case ADT_NEW:
1651 		if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE ||
1652 		    rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) {
1653 			errno = EINVAL;
1654 			return (-1);
1655 		}
1656 		if ((rc = adt_newuser(state, ruid,
1657 		    (au_tid_addr_t *)termid)) != 0)
1658 			return (rc);
1659 
1660 		state->as_have_user_data = ADT_HAVE_ALL;
1661 		break;
1662 	case ADT_UPDATE:
1663 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1664 			errno = EINVAL;
1665 			return (-1);
1666 		}
1667 
1668 		if (ruid != ADT_NO_CHANGE)
1669 			if ((rc = adt_changeuser(state, ruid)) != 0)
1670 				return (rc);
1671 		break;
1672 	case ADT_USER:
1673 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1674 			errno = EINVAL;
1675 			return (-1);
1676 		}
1677 		break;
1678 	case ADT_SETTID:
1679 		assert(termid != NULL);
1680 		state->as_info.ai_termid = *((au_tid_addr_t *)termid);
1681 		/* avoid fooling pam_setcred()... */
1682 		state->as_info.ai_auid = AU_NOAUDITID;
1683 		state->as_info.ai_asid = 0;
1684 		state->as_info.ai_mask.am_failure = 0;
1685 		state->as_info.ai_mask.am_success = 0;
1686 		state->as_have_user_data = ADT_HAVE_TID |
1687 		    ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK;
1688 		return (0);
1689 	default:
1690 		errno = EINVAL;
1691 		return (-1);
1692 	}
1693 
1694 	if (ruid == ADT_NO_AUDIT) {
1695 		state->as_ruid = AU_NOAUDITID;
1696 		state->as_euid = AU_NOAUDITID;
1697 		state->as_rgid = AU_NOAUDITID;
1698 		state->as_egid = AU_NOAUDITID;
1699 	} else {
1700 		if (ruid != ADT_NO_CHANGE)
1701 			state->as_ruid = ruid;
1702 		if (euid != ADT_NO_CHANGE)
1703 			state->as_euid = euid;
1704 		if (rgid != ADT_NO_CHANGE)
1705 			state->as_rgid = rgid;
1706 		if (egid != ADT_NO_CHANGE)
1707 			state->as_egid = egid;
1708 	}
1709 
1710 	if (ruid == ADT_NO_ATTRIB) {
1711 		state->as_session_model = ADT_SESSION_MODEL;
1712 	}
1713 
1714 	return (0);
1715 }
1716 
1717 /*
1718  * adt_set_from_ucred()
1719  *
1720  * an alternate to adt_set_user that fills the same role but uses
1721  * a pointer to a ucred rather than a list of id's.  If the ucred
1722  * pointer is NULL, use the credential from the this process.
1723  *
1724  * A key difference is that for ADT_NEW, adt_set_from_ucred() does
1725  * not overwrite the asid and auid unless auid has not been set.
1726  * ADT_NEW differs from ADT_UPDATE in that it does not OR together
1727  * the incoming audit mask with the one that already exists.
1728  *
1729  * adt_set_from_ucred should be called even if auditing is not enabled
1730  * so that adt_export_session_data() will have useful stuff to
1731  * work with.
1732  */
1733 
1734 int
1735 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc,
1736     enum adt_user_context user_context)
1737 {
1738 	adt_internal_state_t	*state;
1739 	int			rc = -1;
1740 	const au_tid64_addr_t		*tid64;
1741 	au_tid_addr_t		termid, *tid;
1742 	ucred_t	*ucred = (ucred_t *)uc;
1743 	boolean_t	local_uc = B_FALSE;
1744 
1745 	if (session_data == NULL) /* no session exists to audit */
1746 		return (0);
1747 
1748 	state = (adt_internal_state_t *)session_data;
1749 	assert(state->as_check == ADT_VALID);
1750 
1751 	if (ucred == NULL) {
1752 		ucred = ucred_get(P_MYID);
1753 
1754 		if (ucred == NULL)
1755 			goto return_rc;
1756 		local_uc = B_TRUE;
1757 	}
1758 
1759 	switch (user_context) {
1760 	case ADT_NEW:
1761 		tid64 = ucred_getatid(ucred);
1762 		if (tid64 != NULL) {
1763 			adt_cpy_tid(&termid, tid64);
1764 			tid = &termid;
1765 		} else {
1766 			tid = NULL;
1767 		}
1768 		if (ucred_getauid(ucred) == AU_NOAUDITID) {
1769 			adt_setto_unaudited(state);
1770 			state->as_have_user_data = ADT_HAVE_ALL;
1771 			rc = 0;
1772 			goto return_rc;
1773 		} else {
1774 			state->as_info.ai_auid = ucred_getauid(ucred);
1775 			state->as_info.ai_asid = ucred_getasid(ucred);
1776 			state->as_info.ai_mask = *ucred_getamask(ucred);
1777 			state->as_info.ai_termid = *tid;
1778 		}
1779 		state->as_have_user_data = ADT_HAVE_ALL;
1780 		break;
1781 	case ADT_UPDATE:
1782 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1783 			errno = EINVAL;
1784 			goto return_rc;
1785 		}
1786 
1787 		if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0)
1788 			goto return_rc;
1789 		break;
1790 	case ADT_USER:
1791 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1792 			errno = EINVAL;
1793 			goto return_rc;
1794 		}
1795 		break;
1796 	default:
1797 		errno = EINVAL;
1798 		goto return_rc;
1799 	}
1800 	rc = 0;
1801 
1802 	state->as_ruid = ucred_getruid(ucred);
1803 	state->as_euid = ucred_geteuid(ucred);
1804 	state->as_rgid = ucred_getrgid(ucred);
1805 	state->as_egid = ucred_getegid(ucred);
1806 	state->as_pid = ucred_getpid(ucred);
1807 	state->as_label = adt_ucred_label(ucred);
1808 
1809 return_rc:
1810 	if (local_uc) {
1811 		ucred_free(ucred);
1812 	}
1813 	return (rc);
1814 }
1815 
1816 /*
1817  * adt_alloc_event() returns a pointer to allocated memory
1818  *
1819  */
1820 
1821 adt_event_data_t
1822 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id)
1823 {
1824 	struct adt_event_state	*event_state;
1825 	adt_internal_state_t	*session_state;
1826 	adt_event_data_t	*return_event = NULL;
1827 	/*
1828 	 * need to return a valid event pointer even if audit is
1829 	 * off, else the caller will end up either (1) keeping its
1830 	 * own flags for on/off or (2) writing to a NULL pointer.
1831 	 * If auditing is on, the session data must be valid; otherwise
1832 	 * we don't care.
1833 	 */
1834 	if (session_data != NULL) {
1835 		session_state = (adt_internal_state_t *)session_data;
1836 		assert(session_state->as_check == ADT_VALID);
1837 	}
1838 	event_state = calloc(1, sizeof (struct adt_event_state));
1839 	if (event_state == NULL)
1840 		goto return_ptr;
1841 
1842 	event_state->ae_check = ADT_VALID;
1843 
1844 	event_state->ae_event_id = event_id;
1845 	event_state->ae_session = (struct adt_internal_state *)session_data;
1846 
1847 	return_event = (adt_event_data_t *)&(event_state->ae_event_data);
1848 
1849 	/*
1850 	 * preload data so the adt_au_*() functions can detect un-supplied
1851 	 * values (0 and NULL are free via calloc()).
1852 	 */
1853 	if (session_data != NULL) {
1854 		session_state->as_preload(event_id, return_event);
1855 	}
1856 
1857 return_ptr:
1858 	return (return_event);
1859 }
1860 
1861 /*
1862  * adt_getXlateTable -- look up translation table address for event id
1863  */
1864 
1865 static adt_translation_t *
1866 adt_getXlateTable(adt_translation_t **xlate, au_event_t event_id)
1867 {
1868 	/* xlate_table is global in adt_xlate.c */
1869 	adt_translation_t	**p_xlate = xlate;
1870 	adt_translation_t	*p_event;
1871 
1872 	while (*p_xlate != NULL) {
1873 		p_event = *p_xlate;
1874 		if (event_id == p_event->tx_external_event)
1875 			return (p_event);
1876 		p_xlate++;
1877 	}
1878 	return (NULL);
1879 }
1880 
1881 /*
1882  * adt_calcOffsets
1883  *
1884  * the call to this function is surrounded by a mutex.
1885  *
1886  * i walks down the table picking up next_token.  j walks again to
1887  * calculate the offset to the input data.  k points to the next
1888  * token's row.  Finally, l, is used to sum the values in the
1889  * datadef array.
1890  *
1891  * What's going on?  The entry array is in the order of the input
1892  * fields but the processing of array entries is in the order of
1893  * the output (see next_token).  Calculating the offset to the
1894  * "next" input can't be done in the outer loop (i) since i doesn't
1895  * point to the current entry and it can't be done with the k index
1896  * because it doesn't represent the order of input fields.
1897  *
1898  * While the resulting algorithm is n**2, it is only done once per
1899  * event type.
1900  */
1901 
1902 /*
1903  * adt_calcOffsets is only called once per event type, but it uses
1904  * the address alignment of memory allocated for that event as if it
1905  * were the same for all subsequently allocated memory.  This is
1906  * guaranteed by calloc/malloc.  Arrays take special handling since
1907  * what matters for figuring out the correct alignment is the size
1908  * of the array element.
1909  */
1910 
1911 static void
1912 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data)
1913 {
1914 	int		i, j;
1915 	size_t		this_size, prev_size;
1916 	void		*struct_start = p_data;
1917 
1918 	for (i = 0; i < tablesize; i++) {
1919 		if (p_entry[i].en_type_def == NULL) {
1920 			p_entry[i].en_offset = 0;
1921 			continue;
1922 		}
1923 		prev_size = 0;
1924 		p_entry[i].en_offset = (char *)p_data - (char *)struct_start;
1925 
1926 		for (j = 0; j < p_entry[i].en_count_types; j++) {
1927 			if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG)
1928 				this_size = sizeof (enum adt_generic);
1929 			else
1930 				this_size =
1931 				    p_entry[i].en_type_def[j].dd_input_size;
1932 
1933 			/* adj for first entry */
1934 			if (prev_size == 0)
1935 				prev_size = this_size;
1936 
1937 			if (p_entry[i].en_type_def[j].dd_datatype ==
1938 			    ADT_UINT32ARRAY) {
1939 				p_data = (char *)adt_adjust_address(p_data,
1940 				    prev_size, sizeof (uint32_t)) +
1941 				    this_size - sizeof (uint32_t);
1942 
1943 				prev_size = sizeof (uint32_t);
1944 			} else {
1945 				p_data = adt_adjust_address(p_data, prev_size,
1946 				    this_size);
1947 				prev_size = this_size;
1948 			}
1949 		}
1950 	}
1951 }
1952 
1953 /*
1954  * adt_generate_event
1955  * generate event record from external struct.  The order is based on
1956  * the output tokens, allowing for the possibility that the input data
1957  * is in a different order.
1958  *
1959  */
1960 
1961 static int
1962 adt_generate_event(const adt_event_data_t *p_extdata,
1963     struct adt_event_state *p_event,
1964     adt_translation_t *p_xlate)
1965 {
1966 	struct entry		*p_entry;
1967 	static mutex_t	lock = DEFAULTMUTEX;
1968 
1969 	p_entry = p_xlate->tx_first_entry;
1970 	assert(p_entry != NULL);
1971 
1972 	p_event->ae_internal_id = p_xlate->tx_internal_event;
1973 	adt_token_open(p_event);
1974 
1975 	/*
1976 	 * offsets are not pre-calculated; the initial offsets are all
1977 	 * 0; valid offsets are >= 0.  Offsets for no-input tokens such
1978 	 * as subject are set to -1 by adt_calcOffset()
1979 	 */
1980 	if (p_xlate->tx_offsetsCalculated == 0) {
1981 		(void) mutex_lock(&lock);
1982 		p_xlate->tx_offsetsCalculated = 1;
1983 
1984 		adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries,
1985 		    (void *)p_extdata);
1986 		(void) mutex_unlock(&lock);
1987 	}
1988 	while (p_entry != NULL) {
1989 		adt_generate_token(p_entry, (char *)p_extdata, p_event);
1990 
1991 		p_entry = p_entry->en_next_token;
1992 	}
1993 	return (adt_token_close(p_event));
1994 }
1995 
1996 /*
1997  * adt_put_event -- main event generation function.
1998  * The input "event" is the address of the struct containing
1999  * event-specific data.
2000  *
2001  * However if auditing is off or the session handle
2002  * is NULL, no attempt to write a record is made.
2003  */
2004 
2005 int
2006 adt_put_event(const adt_event_data_t *event, int status, int return_val)
2007 {
2008 	struct adt_event_state	*event_state;
2009 	adt_translation_t	*xlate;
2010 
2011 	if (event == NULL) {
2012 		errno = EINVAL;
2013 		return (-1);
2014 	}
2015 	event_state = (struct adt_event_state *)event;
2016 
2017 	/* if this is a broken session or not auditing, exit */
2018 	if ((event_state->ae_session == NULL) ||
2019 	    !(event_state->ae_session->as_audit_state &
2020 	    (AUC_AUDITING | AUC_NOSPACE))) {
2021 		return (0);
2022 	}
2023 
2024 	assert(event_state->ae_check == ADT_VALID);
2025 
2026 	event_state->ae_rc = status;
2027 	event_state->ae_type = return_val;
2028 
2029 	/* look up the event */
2030 
2031 	xlate = adt_getXlateTable(event_state->ae_session->as_xlate,
2032 	    event_state->ae_event_id);
2033 
2034 	if (xlate == NULL) {
2035 		errno = EINVAL;
2036 		return (-1);
2037 	}
2038 	DPRINTF(("got event %d\n", xlate->tx_internal_event));
2039 
2040 	if (adt_selected(event_state, xlate->tx_internal_event, status)) {
2041 		return (adt_generate_event(event, event_state, xlate));
2042 	}
2043 
2044 	return (0);
2045 }
2046 
2047 /*
2048  * adt_free_event -- invalidate and free
2049  */
2050 
2051 void
2052 adt_free_event(adt_event_data_t *event)
2053 {
2054 	struct adt_event_state	*event_state;
2055 
2056 	if (event == NULL)
2057 		return;
2058 
2059 	event_state = (struct adt_event_state *)event;
2060 
2061 	assert(event_state->ae_check == ADT_VALID);
2062 
2063 	event_state->ae_check = 0;
2064 
2065 	free(event_state);
2066 }
2067 
2068 /*
2069  * adt_is_selected -- helper to adt_selected(), below.
2070  *
2071  * "sorf" is "success or fail" status; au_preselect compares
2072  * that with success, fail, or both.
2073  */
2074 
2075 static int
2076 adt_is_selected(au_event_t e, au_mask_t *m, int sorf)
2077 {
2078 	int prs_sorf;
2079 
2080 	if (sorf == 0)
2081 		prs_sorf = AU_PRS_SUCCESS;
2082 	else
2083 		prs_sorf = AU_PRS_FAILURE;
2084 
2085 	return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD));
2086 }
2087 
2088 /*
2089  * selected -- see if this event is preselected.
2090  *
2091  * if errors are encountered trying to check a preselection mask
2092  * or look up a user name, the event is selected.  Otherwise, the
2093  * preselection mask is used for the job.
2094  */
2095 
2096 static int
2097 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status)
2098 {
2099 	adt_internal_state_t *sp;
2100 	au_mask_t	namask;
2101 
2102 	sp = event->ae_session;
2103 
2104 	if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) {
2105 		adt_write_syslog("No user data available", EINVAL);
2106 		return (1);	/* default is "selected" */
2107 	}
2108 
2109 	/* non-attributable? */
2110 	if ((sp->as_info.ai_auid == AU_NOAUDITID) ||
2111 	    (sp->as_info.ai_auid == ADT_NO_AUDIT)) {
2112 		if (auditon(A_GETKMASK, (caddr_t)&namask,
2113 		    sizeof (namask)) != 0) {
2114 			adt_write_syslog("auditon failure", errno);
2115 			return (1);
2116 		}
2117 		return (adt_is_selected(actual_id, &namask, status));
2118 	} else {
2119 		return (adt_is_selected(actual_id, &(sp->as_info.ai_mask),
2120 		    status));
2121 	}
2122 }
2123 
2124 /*
2125  * Can't map the host name to an IP address in
2126  * adt_get_hostIP.  Get something off an interface
2127  * to act as the hosts IP address for auditing.
2128  */
2129 
2130 static int
2131 adt_get_local_address(int family, struct ifaddrlist *al)
2132 {
2133 	struct ifaddrlist	*ifal;
2134 	char	errbuf[ERRBUFSIZE] = "empty list";
2135 	char	msg[ERRBUFSIZE + 512];
2136 	int	ifal_count;
2137 	int	i;
2138 
2139 	if ((ifal_count = ifaddrlist(&ifal, family, 0, errbuf)) < 0) {
2140 		int serrno = errno;
2141 
2142 		(void) snprintf(msg, sizeof (msg), "adt_get_local_address "
2143 		    "couldn't get %d addrlist %s", family, errbuf);
2144 		adt_write_syslog(msg, serrno);
2145 		errno = serrno;
2146 		return (-1);
2147 	}
2148 
2149 	for (i = 0; i < ifal_count; i++) {
2150 		/*
2151 		 * loopback always defined,
2152 		 * even if there is no real address
2153 		 */
2154 		if ((ifal[i].flags & (IFF_UP | IFF_LOOPBACK)) == IFF_UP) {
2155 			break;
2156 		}
2157 	}
2158 	if (i >= ifal_count) {
2159 		free(ifal);
2160 		/*
2161 		 * Callers of adt_get_hostIP() can only return
2162 		 * errno to their callers and eventually the application.
2163 		 * Picked one that seemed least worse for saying no
2164 		 * usable address for Audit terminal ID.
2165 		 */
2166 		errno = ENETDOWN;
2167 		return (-1);
2168 	}
2169 
2170 	*al = ifal[i];
2171 	free(ifal);
2172 	return (0);
2173 }
2174