xref: /titanic_41/usr/src/cmd/init/init.c (revision 49d3bc91e27cd871b950d56c01398fa2f2e12ab4)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
27 /*	  All Rights Reserved  	*/
28 
29 /*
30  * University Copyright- Copyright (c) 1982, 1986, 1988
31  * The Regents of the University of California
32  * All Rights Reserved
33  *
34  * University Acknowledgment- Portions of this document are derived from
35  * software developed by the University of California, Berkeley, and its
36  * contributors.
37  */
38 
39 /*
40  * init(1M) is the general process spawning program.  Its primary job is to
41  * start and restart svc.startd for smf(5).  For backwards-compatibility it also
42  * spawns and respawns processes according to /etc/inittab and the current
43  * run-level.  It reads /etc/default/inittab for general configuration.
44  *
45  * To change run-levels the system administrator runs init from the command
46  * line with a level name.  init signals svc.startd via libscf and directs the
47  * zone's init (pid 1 in the global zone) what to do by sending it a signal;
48  * these signal numbers are commonly refered to in the code as 'states'.  Valid
49  * run-levels are [sS0123456].  Additionally, init can be given directives
50  * [qQabc], which indicate actions to be taken pertaining to /etc/inittab.
51  *
52  * When init processes inittab entries, it finds processes that are to be
53  * spawned at various run-levels.  inittab contains the set of the levels for
54  * which each inittab entry is valid.
55  *
56  * State File and Restartability
57  *   Premature exit by init(1M) is handled as a special case by the kernel:
58  *   init(1M) will be immediately re-executed, retaining its original PID.  (PID
59  *   1 in the global zone.)  To track the processes it has previously spawned,
60  *   as well as other mutable state, init(1M) regularly updates a state file
61  *   such that its subsequent invocations have knowledge of its various
62  *   dependent processes and duties.
63  *
64  * Process Contracts
65  *   We start svc.startd(1M) in a contract and transfer inherited contracts when
66  *   restarting it.  Everything else is started using the legacy contract
67  *   template, and the created contracts are abandoned when they become empty.
68  *
69  * utmpx Entry Handling
70  *   Because init(1M) no longer governs the startup process, its knowledge of
71  *   when utmpx becomes writable is indirect.  However, spawned processes
72  *   expect to be constructed with valid utmpx entries.  As a result, attempts
73  *   to write normal entries will be retried until successful.
74  *
75  * Maintenance Mode
76  *   In certain failure scenarios, init(1M) will enter a maintenance mode, in
77  *   which it invokes sulogin(1M) to allow the operator an opportunity to
78  *   repair the system.  Normally, this operation is performed as a
79  *   fork(2)-exec(2)-waitpid(3C) sequence with the parent waiting for repair or
80  *   diagnosis to be completed.  In the cases that fork(2) requests themselves
81  *   fail, init(1M) will directly execute sulogin(1M), and allow the kernel to
82  *   restart init(1M) on exit from the operator session.
83  *
84  *   One scenario where init(1M) enters its maintenance mode is when
85  *   svc.startd(1M) begins to fail rapidly, defined as when the average time
86  *   between recent failures drops below a given threshold.
87  */
88 
89 #include <sys/contract/process.h>
90 #include <sys/ctfs.h>
91 #include <sys/stat.h>
92 #include <sys/statvfs.h>
93 #include <sys/stropts.h>
94 #include <sys/systeminfo.h>
95 #include <sys/time.h>
96 #include <sys/termios.h>
97 #include <sys/tty.h>
98 #include <sys/types.h>
99 #include <sys/utsname.h>
100 
101 #include <bsm/adt_event.h>
102 #include <bsm/libbsm.h>
103 #include <security/pam_appl.h>
104 
105 #include <assert.h>
106 #include <ctype.h>
107 #include <dirent.h>
108 #include <errno.h>
109 #include <fcntl.h>
110 #include <libcontract.h>
111 #include <libcontract_priv.h>
112 #include <libintl.h>
113 #include <libscf.h>
114 #include <libscf_priv.h>
115 #include <poll.h>
116 #include <procfs.h>
117 #include <signal.h>
118 #include <stdarg.h>
119 #include <stdio.h>
120 #include <stdio_ext.h>
121 #include <stdlib.h>
122 #include <string.h>
123 #include <strings.h>
124 #include <syslog.h>
125 #include <time.h>
126 #include <ulimit.h>
127 #include <unistd.h>
128 #include <utmpx.h>
129 #include <wait.h>
130 #include <zone.h>
131 #include <ucontext.h>
132 
133 #undef	sleep
134 
135 #define	fioctl(p, sptr, cmd)	ioctl(fileno(p), sptr, cmd)
136 #define	min(a, b)		(((a) < (b)) ? (a) : (b))
137 
138 #define	TRUE	1
139 #define	FALSE	0
140 #define	FAILURE	-1
141 
142 #define	UT_LINE_SZ	32	/* Size of a utmpx ut_line field */
143 
144 /*
145  * SLEEPTIME	The number of seconds "init" sleeps between wakeups if
146  *		nothing else requires this "init" wakeup.
147  */
148 #define	SLEEPTIME	(5 * 60)
149 
150 /*
151  * MAXCMDL	The maximum length of a command string in inittab.
152  */
153 #define	MAXCMDL	512
154 
155 /*
156  * EXEC		The length of the prefix string added to all comamnds
157  *		found in inittab.
158  */
159 #define	EXEC	(sizeof ("exec ") - 1)
160 
161 /*
162  * TWARN	The amount of time between warning signal, SIGTERM,
163  *		and the fatal kill signal, SIGKILL.
164  */
165 #define	TWARN	5
166 
167 #define	id_eq(x, y)	((x[0] == y[0] && x[1] == y[1] && x[2] == y[2] &&\
168 			x[3] == y[3]) ? TRUE : FALSE)
169 
170 /*
171  * The kernel's default umask is 022 these days; since some processes inherit
172  * their umask from init, init will set it from CMASK in /etc/default/init.
173  * init gets the default umask from the kernel, it sets it to 022 whenever
174  * it wants to create a file and reverts to CMASK afterwards.
175  */
176 
177 static int cmask;
178 
179 /*
180  * The following definitions, concluding with the 'lvls' array, provide a
181  * common mapping between level-name (like 'S'), signal number (state),
182  * run-level mask, and specific properties associated with a run-level.
183  * This array should be accessed using the routines lvlname_to_state(),
184  * lvlname_to_mask(), state_to_mask(), and state_to_flags().
185  */
186 
187 /*
188  * Correspondence of signals to init actions.
189  */
190 #define	LVLQ		SIGHUP
191 #define	LVL0		SIGINT
192 #define	LVL1		SIGQUIT
193 #define	LVL2		SIGILL
194 #define	LVL3		SIGTRAP
195 #define	LVL4		SIGIOT
196 #define	LVL5		SIGEMT
197 #define	LVL6		SIGFPE
198 #define	SINGLE_USER	SIGBUS
199 #define	LVLa		SIGSEGV
200 #define	LVLb		SIGSYS
201 #define	LVLc		SIGPIPE
202 
203 /*
204  * Bit Mask for each level.  Used to determine legal levels.
205  */
206 #define	MASK0	0x0001
207 #define	MASK1	0x0002
208 #define	MASK2	0x0004
209 #define	MASK3	0x0008
210 #define	MASK4	0x0010
211 #define	MASK5	0x0020
212 #define	MASK6	0x0040
213 #define	MASKSU	0x0080
214 #define	MASKa	0x0100
215 #define	MASKb	0x0200
216 #define	MASKc	0x0400
217 
218 #define	MASK_NUMERIC (MASK0 | MASK1 | MASK2 | MASK3 | MASK4 | MASK5 | MASK6)
219 #define	MASK_abc (MASKa | MASKb | MASKc)
220 
221 /*
222  * Flags to indicate properties of various states.
223  */
224 #define	LSEL_RUNLEVEL	0x0001	/* runlevels you can transition to */
225 
226 typedef struct lvl {
227 	int	lvl_state;
228 	int	lvl_mask;
229 	char	lvl_name;
230 	int	lvl_flags;
231 } lvl_t;
232 
233 static lvl_t lvls[] = {
234 	{ LVLQ,		0,	'Q', 0					},
235 	{ LVLQ,		0,	'q', 0					},
236 	{ LVL0,		MASK0,	'0', LSEL_RUNLEVEL			},
237 	{ LVL1, 	MASK1,	'1', LSEL_RUNLEVEL			},
238 	{ LVL2, 	MASK2,	'2', LSEL_RUNLEVEL			},
239 	{ LVL3, 	MASK3,	'3', LSEL_RUNLEVEL			},
240 	{ LVL4, 	MASK4,	'4', LSEL_RUNLEVEL			},
241 	{ LVL5, 	MASK5,	'5', LSEL_RUNLEVEL			},
242 	{ LVL6, 	MASK6, 	'6', LSEL_RUNLEVEL			},
243 	{ SINGLE_USER, 	MASKSU, 'S', LSEL_RUNLEVEL			},
244 	{ SINGLE_USER, 	MASKSU, 's', LSEL_RUNLEVEL			},
245 	{ LVLa,		MASKa,	'a', 0					},
246 	{ LVLb,		MASKb,	'b', 0					},
247 	{ LVLc,		MASKc,	'c', 0					}
248 };
249 
250 #define	LVL_NELEMS (sizeof (lvls) / sizeof (lvl_t))
251 
252 /*
253  * Legal action field values.
254  */
255 #define	OFF		0	/* Kill process if on, else ignore */
256 #define	RESPAWN		1	/* Continuously restart process when it dies */
257 #define	ONDEMAND	RESPAWN	/* Respawn for a, b, c type processes */
258 #define	ONCE		2	/* Start process, do not respawn when dead */
259 #define	WAIT		3	/* Perform once and wait to complete */
260 #define	BOOT		4	/* Start at boot time only */
261 #define	BOOTWAIT	5	/* Start at boot time and wait to complete */
262 #define	POWERFAIL	6	/* Start on powerfail */
263 #define	POWERWAIT	7	/* Start and wait for complete on powerfail */
264 #define	INITDEFAULT	8	/* Default level "init" should start at */
265 #define	SYSINIT		9	/* Actions performed before init speaks */
266 
267 #define	M_OFF		0001
268 #define	M_RESPAWN	0002
269 #define	M_ONDEMAND	M_RESPAWN
270 #define	M_ONCE		0004
271 #define	M_WAIT		0010
272 #define	M_BOOT		0020
273 #define	M_BOOTWAIT	0040
274 #define	M_PF		0100
275 #define	M_PWAIT		0200
276 #define	M_INITDEFAULT	0400
277 #define	M_SYSINIT	01000
278 
279 /* States for the inittab parser in getcmd(). */
280 #define	ID	1
281 #define	LEVELS	2
282 #define	ACTION	3
283 #define	COMMAND	4
284 #define	COMMENT	5
285 
286 /*
287  * inittab entry id constants
288  */
289 #define	INITTAB_ENTRY_ID_SIZE 4
290 #define	INITTAB_ENTRY_ID_STR_FORMAT "%.4s"	/* if INITTAB_ENTRY_ID_SIZE */
291 						/* changes, this should */
292 						/* change accordingly */
293 
294 /*
295  * Init can be in any of three main states, "normal" mode where it is
296  * processing entries for the lines file in a normal fashion, "boot" mode,
297  * where it is only interested in the boot actions, and "powerfail" mode,
298  * where it is only interested in powerfail related actions. The following
299  * masks declare the legal actions for each mode.
300  */
301 #define	NORMAL_MODES	(M_OFF | M_RESPAWN | M_ONCE | M_WAIT)
302 #define	BOOT_MODES	(M_BOOT | M_BOOTWAIT)
303 #define	PF_MODES	(M_PF | M_PWAIT)
304 
305 struct PROC_TABLE {
306 	char	p_id[INITTAB_ENTRY_ID_SIZE];	/* Four letter unique id of */
307 						/* process */
308 	pid_t	p_pid;		/* Process id */
309 	short	p_count;	/* How many respawns of this command in */
310 				/*   the current series */
311 	long	p_time;		/* Start time for a series of respawns */
312 	short	p_flags;
313 	short	p_exit;		/* Exit status of a process which died */
314 };
315 
316 /*
317  * Flags for the "p_flags" word of a PROC_TABLE entry:
318  *
319  *	OCCUPIED	This slot in init's proc table is in use.
320  *
321  *	LIVING		Process is alive.
322  *
323  *	NOCLEANUP	efork() is not allowed to cleanup this entry even
324  *			if process is dead.
325  *
326  *	NAMED		This process has a name, i.e. came from inittab.
327  *
328  *	DEMANDREQUEST	Process started by a "telinit [abc]" command.  Processes
329  *			formed this way are respawnable and immune to level
330  *			changes as long as their entry exists in inittab.
331  *
332  *	TOUCHED		Flag used by remv() to determine whether it has looked
333  *			at an entry while checking for processes to be killed.
334  *
335  *	WARNED		Flag used by remv() to mark processes that have been
336  *			sent the SIGTERM signal.  If they don't die in 5
337  *			seconds, they are sent the SIGKILL signal.
338  *
339  *	KILLED		Flag used by remv() to mark procs that have been sent
340  *			the SIGTERM and SIGKILL signals.
341  *
342  *	PF_MASK		Bitwise or of legal flags, for sanity checking.
343  */
344 #define	OCCUPIED	01
345 #define	LIVING		02
346 #define	NOCLEANUP	04
347 #define	NAMED		010
348 #define	DEMANDREQUEST	020
349 #define	TOUCHED		040
350 #define	WARNED		0100
351 #define	KILLED		0200
352 #define	PF_MASK		0377
353 
354 /*
355  * Respawn limits for processes that are to be respawned:
356  *
357  *	SPAWN_INTERVAL	The number of seconds over which "init" will try to
358  *			respawn a process SPAWN_LIMIT times before it gets mad.
359  *
360  *	SPAWN_LIMIT	The number of respawns "init" will attempt in
361  *			SPAWN_INTERVAL seconds before it generates an
362  *			error message and inhibits further tries for
363  *			INHIBIT seconds.
364  *
365  *	INHIBIT		The number of seconds "init" ignores an entry it had
366  *			trouble spawning unless a "telinit Q" is received.
367  */
368 
369 #define	SPAWN_INTERVAL	(2*60)
370 #define	SPAWN_LIMIT	10
371 #define	INHIBIT		(5*60)
372 
373 /*
374  * The maximum number of decimal digits for an id_t.  (ceil(log10 (max_id)))
375  */
376 #define	ID_MAX_STR_LEN	10
377 
378 #define	NULLPROC	((struct PROC_TABLE *)(0))
379 #define	NO_ROOM		((struct PROC_TABLE *)(FAILURE))
380 
381 struct CMD_LINE {
382 	char c_id[INITTAB_ENTRY_ID_SIZE];	/* Four letter unique id of */
383 						/* process to be affected by */
384 						/* action */
385 	short c_levels;	/* Mask of legal levels for process */
386 	short c_action;	/* Mask for type of action required */
387 	char *c_command; /* Pointer to init command */
388 };
389 
390 struct	pidrec {
391 	int	pd_type;	/* Command type */
392 	pid_t	pd_pid;		/* pid to add or remove */
393 };
394 
395 /*
396  * pd_type's
397  */
398 #define	ADDPID	1
399 #define	REMPID	2
400 
401 static struct	pidlist {
402 	pid_t	pl_pid;		/* pid to watch for */
403 	int	pl_dflag;	/* Flag indicating SIGCLD from this pid */
404 	short	pl_exit;	/* Exit status of proc */
405 	struct	pidlist	*pl_next; /* Next in list */
406 } *Plhead, *Plfree;
407 
408 /*
409  * The following structure contains a set of modes for /dev/syscon
410  * and should match the default contents of /etc/ioctl.syscon.  It should also
411  * be kept in-sync with base_termios in uts/common/io/ttcompat.c.
412  */
413 static struct termios	dflt_termios = {
414 	BRKINT|ICRNL|IXON|IMAXBEL,			/* iflag */
415 	OPOST|ONLCR|TAB3,				/* oflag */
416 	CS8|CREAD|B9600,				/* cflag */
417 	ISIG|ICANON|ECHO|ECHOE|ECHOK|ECHOCTL|ECHOKE|IEXTEN, /* lflag */
418 	CINTR, CQUIT, CERASE, CKILL, CEOF, 0, 0, 0,
419 	0, 0, 0, 0, 0, 0, 0, 0,
420 	0, 0, 0
421 };
422 
423 static struct termios	stored_syscon_termios;
424 static int		write_ioctl = 0;	/* Rewrite /etc/ioctl.syscon */
425 
426 static union WAKEUP {
427 	struct WAKEFLAGS {
428 		unsigned w_usersignal : 1;	/* User sent signal to "init" */
429 		unsigned w_childdeath : 1;	/* An "init" child died */
430 		unsigned w_powerhit : 1;	/* OS experienced powerfail */
431 	}	w_flags;
432 	int w_mask;
433 } wakeup;
434 
435 
436 struct init_state {
437 	int			ist_runlevel;
438 	int			ist_num_proc;
439 	int			ist_utmpx_ok;
440 	struct PROC_TABLE	ist_proc_table[1];
441 };
442 
443 #define	cur_state	(g_state->ist_runlevel)
444 #define	num_proc	(g_state->ist_num_proc)
445 #define	proc_table	(g_state->ist_proc_table)
446 #define	utmpx_ok	(g_state->ist_utmpx_ok)
447 
448 /* Contract cookies. */
449 #define	ORDINARY_COOKIE		0
450 #define	STARTD_COOKIE		1
451 
452 
453 #ifndef NDEBUG
454 #define	bad_error(func, err)	{					\
455 	(void) fprintf(stderr, "%s:%d: %s() failed with unexpected "	\
456 	    "error %d.  Aborting.\n", __FILE__, __LINE__, (func), (err)); \
457 	abort();							\
458 }
459 #else
460 #define	bad_error(func, err)	abort()
461 #endif
462 
463 
464 /*
465  * Useful file and device names.
466  */
467 static char *CONSOLE	  = "/dev/console";	/* Real system console */
468 static char *INITPIPE_DIR = "/var/run";
469 static char *INITPIPE	  = "/var/run/initpipe";
470 
471 #define	INIT_STATE_DIR "/etc/svc/volatile"
472 static const char * const init_state_file = INIT_STATE_DIR "/init.state";
473 static const char * const init_next_state_file =
474 	INIT_STATE_DIR "/init-next.state";
475 
476 static const int init_num_proc = 20;	/* Initial size of process table. */
477 
478 static char *UTMPX	 = UTMPX_FILE;		/* Snapshot record file */
479 static char *WTMPX	 = WTMPX_FILE;		/* Long term record file */
480 static char *INITTAB	 = "/etc/inittab";	/* Script file for "init" */
481 static char *SYSTTY	 = "/dev/systty";	/* System Console */
482 static char *SYSCON	 = "/dev/syscon";	/* Virtual System console */
483 static char *IOCTLSYSCON = "/etc/ioctl.syscon";	/* Last syscon modes */
484 static char *ENVFILE	 = "/etc/default/init";	/* Default env. */
485 static char *SU	= "/etc/sulogin";	/* Super-user program for single user */
486 static char *SH	= "/sbin/sh";		/* Standard shell */
487 
488 /*
489  * Default Path.  /sbin is included in path only during sysinit phase
490  */
491 #define	DEF_PATH	"PATH=/usr/sbin:/usr/bin"
492 #define	INIT_PATH	"PATH=/sbin:/usr/sbin:/usr/bin"
493 
494 static int	prior_state;
495 static int	prev_state;	/* State "init" was in last time it woke */
496 static int	new_state;	/* State user wants "init" to go to. */
497 static int	lvlq_received;	/* Explicit request to examine state */
498 static int	op_modes = BOOT_MODES; /* Current state of "init" */
499 static int	Gchild = 0;	/* Flag to indicate "godchild" died, set in */
500 				/*   childeath() and cleared in cleanaux() */
501 static int	Pfd = -1;	/* fd to receive pids thru */
502 static unsigned int	spawncnt, pausecnt;
503 static int	rsflag;		/* Set if a respawn has taken place */
504 static volatile int time_up;	/* Flag set to TRUE by the alarm interrupt */
505 				/* routine each time an alarm interrupt */
506 				/* takes place. */
507 static int	sflg = 0;	/* Set if we were booted -s to single user */
508 static int	rflg = 0;	/* Set if booted -r, reconfigure devices */
509 static int	bflg = 0;	/* Set if booted -b, don't run rc scripts */
510 static pid_t	init_pid;	/* PID of "one true" init for current zone */
511 
512 static struct init_state *g_state = NULL;
513 static size_t	g_state_sz;
514 static int	booting = 1;	/* Set while we're booting. */
515 
516 /*
517  * Array for default global environment.
518  */
519 #define	MAXENVENT	24	/* Max number of default env variables + 1 */
520 				/* init can use three itself, so this leaves */
521 				/* 20 for the administrator in ENVFILE. */
522 static char	*glob_envp[MAXENVENT];	/* Array of environment strings */
523 static int	glob_envn;		/* Number of environment strings */
524 
525 
526 static struct pollfd	poll_fds[1];
527 static int		poll_nfds = 0;	/* poll_fds is uninitialized */
528 
529 /*
530  * Contracts constants
531  */
532 #define	SVC_INIT_PREFIX "init:/"
533 #define	SVC_AUX_SIZE (INITTAB_ENTRY_ID_SIZE + 1)
534 #define	SVC_FMRI_SIZE (sizeof (SVC_INIT_PREFIX) + INITTAB_ENTRY_ID_SIZE)
535 
536 static int	legacy_tmpl = -1;	/* fd for legacy contract template */
537 static int	startd_tmpl = -1;	/* fd for svc.startd's template */
538 static char	startd_svc_aux[SVC_AUX_SIZE];
539 
540 static char	startd_cline[256] = "";	/* svc.startd's command line */
541 static int	do_restart_startd = 1;	/* Whether to restart svc.startd. */
542 static char	*smf_options = NULL;	/* Options to give to startd. */
543 static int	smf_debug = 0;		/* Messages for debugging smf(5) */
544 static time_t	init_boot_time;		/* Substitute for kernel boot time. */
545 
546 #define	NSTARTD_FAILURE_TIMES	3		/* trigger after 3 failures */
547 #define	STARTD_FAILURE_RATE_NS	5000000000LL	/* 1 failure/5 seconds */
548 
549 static hrtime_t	startd_failure_time[NSTARTD_FAILURE_TIMES];
550 static uint_t	startd_failure_index;
551 
552 
553 static char	*prog_name(char *);
554 static int	state_to_mask(int);
555 static int	lvlname_to_mask(char, int *);
556 static void	lscf_set_runlevel(char);
557 static int	state_to_flags(int);
558 static char	state_to_name(int);
559 static int	lvlname_to_state(char);
560 static int	getcmd(struct CMD_LINE *, char *);
561 static int	realcon();
562 static int	spawn_processes();
563 static int	get_ioctl_syscon();
564 static int	account(short, struct PROC_TABLE *, char *);
565 static void	alarmclk();
566 static void	childeath(int);
567 static void	cleanaux();
568 static void	clearent(pid_t, short);
569 static void	console(boolean_t, char *, ...);
570 static void	init_signals(void);
571 static void	setup_pipe();
572 static void	killproc(pid_t);
573 static void	init_env();
574 static void	boot_init();
575 static void	powerfail();
576 static void	remv();
577 static void	write_ioctl_syscon();
578 static void	spawn(struct PROC_TABLE *, struct CMD_LINE *);
579 static void	setimer(int);
580 static void	siglvl(int, siginfo_t *, ucontext_t *);
581 static void	sigpoll(int);
582 static void	enter_maintenance(void);
583 static void	timer(int);
584 static void	userinit(int, char **);
585 static void	notify_pam_dead(struct utmpx *);
586 static long	waitproc(struct PROC_TABLE *);
587 static struct PROC_TABLE *efork(int, struct PROC_TABLE *, int);
588 static struct PROC_TABLE *findpslot(struct CMD_LINE *);
589 static void	increase_proc_table_size();
590 static void	st_init();
591 static void	st_write();
592 static void	contracts_init();
593 static void	contract_event(struct pollfd *);
594 static int	startd_run(const char *, int, ctid_t);
595 static void	startd_record_failure();
596 static int	startd_failure_rate_critical();
597 static char	*audit_boot_msg();
598 static int	audit_put_record(int, int, char *);
599 static void	update_boot_archive(int new_state);
600 
601 int
602 main(int argc, char *argv[])
603 {
604 	int	chg_lvl_flag = FALSE, print_banner = FALSE;
605 	int	may_need_audit = 1;
606 	int	c;
607 	char	*msg;
608 
609 	/* Get a timestamp for use as boot time, if needed. */
610 	(void) time(&init_boot_time);
611 
612 	/* Get the default umask */
613 	cmask = umask(022);
614 	(void) umask(cmask);
615 
616 	/* Parse the arguments to init. Check for single user */
617 	opterr = 0;
618 	while ((c = getopt(argc, argv, "brsm:")) != EOF) {
619 		switch (c) {
620 		case 'b':
621 			rflg = 0;
622 			bflg = 1;
623 			if (!sflg)
624 				sflg++;
625 			break;
626 		case 'r':
627 			bflg = 0;
628 			rflg++;
629 			break;
630 		case 's':
631 			if (!bflg)
632 				sflg++;
633 			break;
634 		case 'm':
635 			smf_options = optarg;
636 			smf_debug = (strstr(smf_options, "debug") != NULL);
637 			break;
638 		}
639 	}
640 
641 	/*
642 	 * Determine if we are the main init, or a user invoked init, whose job
643 	 * it is to inform init to change levels or perform some other action.
644 	 */
645 	if (zone_getattr(getzoneid(), ZONE_ATTR_INITPID, &init_pid,
646 	    sizeof (init_pid)) != sizeof (init_pid)) {
647 		(void) fprintf(stderr, "could not get pid for init\n");
648 		return (1);
649 	}
650 
651 	/*
652 	 * If this PID is not the same as the "true" init for the zone, then we
653 	 * must be in 'user' mode.
654 	 */
655 	if (getpid() != init_pid) {
656 		userinit(argc, argv);
657 	}
658 
659 	if (getzoneid() != GLOBAL_ZONEID) {
660 		print_banner = TRUE;
661 	}
662 
663 	/*
664 	 * Initialize state (and set "booting").
665 	 */
666 	st_init();
667 
668 	if (booting && print_banner) {
669 		struct utsname un;
670 		char buf[BUFSIZ], *isa;
671 		long ret;
672 		int bits = 32;
673 
674 		/*
675 		 * We want to print the boot banner as soon as
676 		 * possible.  In the global zone, the kernel does it,
677 		 * but we do not have that luxury in non-global zones,
678 		 * so we will print it here.
679 		 */
680 		(void) uname(&un);
681 		ret = sysinfo(SI_ISALIST, buf, sizeof (buf));
682 		if (ret != -1L && ret <= sizeof (buf)) {
683 			for (isa = strtok(buf, " "); isa;
684 			    isa = strtok(NULL, " ")) {
685 				if (strcmp(isa, "sparcv9") == 0 ||
686 				    strcmp(isa, "amd64") == 0) {
687 					bits = 64;
688 					break;
689 				}
690 			}
691 		}
692 
693 		console(B_FALSE,
694 		    "\n\n%s Release %s Version %s %d-bit\r\n",
695 		    un.sysname, un.release, un.version, bits);
696 		console(B_FALSE,
697 		    "Copyright (c) 1983, 2010, Oracle and/or its affiliates."
698 		    " All rights reserved.\r\n");
699 	}
700 
701 	/*
702 	 * Get the ioctl settings for /dev/syscon from /etc/ioctl.syscon
703 	 * so that it can be brought up in the state it was in when the
704 	 * system went down; or set to defaults if ioctl.syscon isn't
705 	 * valid.
706 	 *
707 	 * This needs to be done even if we're restarting so reset_modes()
708 	 * will work in case we need to go down to single user mode.
709 	 */
710 	write_ioctl = get_ioctl_syscon();
711 
712 	/*
713 	 * Set up all signals to be caught or ignored as appropriate.
714 	 */
715 	init_signals();
716 
717 	/* Load glob_envp from ENVFILE. */
718 	init_env();
719 
720 	contracts_init();
721 
722 	if (!booting) {
723 		/* cur_state should have been read in. */
724 
725 		op_modes = NORMAL_MODES;
726 
727 		/* Rewrite the ioctl file if it was bad. */
728 		if (write_ioctl)
729 			write_ioctl_syscon();
730 	} else {
731 		/*
732 		 * It's fine to boot up with state as zero, because
733 		 * startd will later tell us the real state.
734 		 */
735 		cur_state = 0;
736 		op_modes = BOOT_MODES;
737 
738 		boot_init();
739 	}
740 
741 	prev_state = prior_state = cur_state;
742 
743 	setup_pipe();
744 
745 	/*
746 	 * Here is the beginning of the main process loop.
747 	 */
748 	for (;;) {
749 		if (lvlq_received) {
750 			setup_pipe();
751 			lvlq_received = B_FALSE;
752 		}
753 
754 		/*
755 		 * Clean up any accounting records for dead "godchildren".
756 		 */
757 		if (Gchild)
758 			cleanaux();
759 
760 		/*
761 		 * If in "normal" mode, check all living processes and initiate
762 		 * kill sequence on those that should not be there anymore.
763 		 */
764 		if (op_modes == NORMAL_MODES && cur_state != LVLa &&
765 		    cur_state != LVLb && cur_state != LVLc)
766 			remv();
767 
768 		/*
769 		 * If a change in run levels is the reason we awoke, now do
770 		 * the accounting to report the change in the utmp file.
771 		 * Also report the change on the system console.
772 		 */
773 		if (chg_lvl_flag) {
774 			chg_lvl_flag = FALSE;
775 
776 			if (state_to_flags(cur_state) & LSEL_RUNLEVEL) {
777 				char rl = state_to_name(cur_state);
778 
779 				if (rl != -1)
780 					lscf_set_runlevel(rl);
781 			}
782 
783 			may_need_audit = 1;
784 		}
785 
786 		/*
787 		 * Scan the inittab file and spawn and respawn processes that
788 		 * should be alive in the current state. If inittab does not
789 		 * exist default to  single user mode.
790 		 */
791 		if (spawn_processes() == FAILURE) {
792 			prior_state = prev_state;
793 			cur_state = SINGLE_USER;
794 		}
795 
796 		/* If any respawns occurred, take note. */
797 		if (rsflag) {
798 			rsflag = 0;
799 			spawncnt++;
800 		}
801 
802 		/*
803 		 * If a powerfail signal was received during the last
804 		 * sequence, set mode to powerfail.  When spawn_processes() is
805 		 * entered the first thing it does is to check "powerhit".  If
806 		 * it is in PF_MODES then it clears "powerhit" and does
807 		 * a powerfail sequence.  If it is not in PF_MODES, then it
808 		 * puts itself in PF_MODES and then clears "powerhit".  Should
809 		 * "powerhit" get set again while spawn_processes() is working
810 		 * on a powerfail sequence, the following code  will see that
811 		 * spawn_processes() tries to execute the powerfail sequence
812 		 * again.  This guarantees that the powerfail sequence will be
813 		 * successfully completed before further processing takes
814 		 * place.
815 		 */
816 		if (wakeup.w_flags.w_powerhit) {
817 			op_modes = PF_MODES;
818 			/*
819 			 * Make sure that cur_state != prev_state so that
820 			 * ONCE and WAIT types work.
821 			 */
822 			prev_state = 0;
823 		} else if (op_modes != NORMAL_MODES) {
824 			/*
825 			 * If spawn_processes() was not just called while in
826 			 * normal mode, we set the mode to normal and it will
827 			 * be called again to check normal modes.  If we have
828 			 * just finished a powerfail sequence with prev_state
829 			 * equal to zero, we set prev_state equal to cur_state
830 			 * before the next pass through.
831 			 */
832 			if (op_modes == PF_MODES)
833 				prev_state = cur_state;
834 			op_modes = NORMAL_MODES;
835 		} else if (cur_state == LVLa || cur_state == LVLb ||
836 		    cur_state == LVLc) {
837 			/*
838 			 * If it was a change of levels that awakened us and the
839 			 * new level is one of the demand levels then reset
840 			 * cur_state to the previous state and do another scan
841 			 * to take care of the usual respawn actions.
842 			 */
843 			cur_state = prior_state;
844 			prior_state = prev_state;
845 			prev_state = cur_state;
846 		} else {
847 			prev_state = cur_state;
848 
849 			if (wakeup.w_mask == 0) {
850 				int ret;
851 
852 				if (may_need_audit && (cur_state == LVL3)) {
853 					msg = audit_boot_msg();
854 
855 					may_need_audit = 0;
856 					(void) audit_put_record(ADT_SUCCESS,
857 					    ADT_SUCCESS, msg);
858 					free(msg);
859 				}
860 
861 				/*
862 				 * "init" is finished with all actions for
863 				 * the current wakeup.
864 				 */
865 				ret = poll(poll_fds, poll_nfds,
866 				    SLEEPTIME * MILLISEC);
867 				pausecnt++;
868 				if (ret > 0)
869 					contract_event(&poll_fds[0]);
870 				else if (ret < 0 && errno != EINTR)
871 					console(B_TRUE, "poll() error: %s\n",
872 					    strerror(errno));
873 			}
874 
875 			if (wakeup.w_flags.w_usersignal) {
876 				/*
877 				 * Install the new level.  This could be a real
878 				 * change in levels  or a telinit [Q|a|b|c] or
879 				 * just a telinit to the same level at which
880 				 * we are running.
881 				 */
882 				if (new_state != cur_state) {
883 					if (new_state == LVLa ||
884 					    new_state == LVLb ||
885 					    new_state == LVLc) {
886 						prev_state = prior_state;
887 						prior_state = cur_state;
888 						cur_state = new_state;
889 					} else {
890 						prev_state = cur_state;
891 						if (cur_state >= 0)
892 							prior_state = cur_state;
893 						cur_state = new_state;
894 						chg_lvl_flag = TRUE;
895 					}
896 				}
897 
898 				new_state = 0;
899 			}
900 
901 			if (wakeup.w_flags.w_powerhit)
902 				op_modes = PF_MODES;
903 
904 			/*
905 			 * Clear all wakeup reasons.
906 			 */
907 			wakeup.w_mask = 0;
908 		}
909 	}
910 
911 	/*NOTREACHED*/
912 }
913 
914 static void
915 update_boot_archive(int new_state)
916 {
917 	if (new_state != LVL0 && new_state != LVL5 && new_state != LVL6)
918 		return;
919 
920 	if (getzoneid() != GLOBAL_ZONEID)
921 		return;
922 
923 	(void) system("/sbin/bootadm -ea update_all");
924 }
925 
926 /*
927  * void enter_maintenance()
928  *   A simple invocation of sulogin(1M), with no baggage, in the case that we
929  *   are unable to activate svc.startd(1M).  We fork; the child runs sulogin;
930  *   we wait for it to exit.
931  */
932 static void
933 enter_maintenance()
934 {
935 	struct PROC_TABLE	*su_process;
936 
937 	console(B_FALSE, "Requesting maintenance mode\n"
938 	    "(See /lib/svc/share/README for additional information.)\n");
939 	(void) sighold(SIGCLD);
940 	while ((su_process = efork(M_OFF, NULLPROC, NOCLEANUP)) == NO_ROOM)
941 		(void) pause();
942 	(void) sigrelse(SIGCLD);
943 	if (su_process == NULLPROC) {
944 		int fd;
945 
946 		(void) fclose(stdin);
947 		(void) fclose(stdout);
948 		(void) fclose(stderr);
949 		closefrom(0);
950 
951 		fd = open(SYSCON, O_RDWR | O_NOCTTY);
952 		if (fd >= 0) {
953 			(void) dup2(fd, 1);
954 			(void) dup2(fd, 2);
955 		} else {
956 			/*
957 			 * Need to issue an error message somewhere.
958 			 */
959 			syslog(LOG_CRIT, "init[%d]: cannot open %s; %s\n",
960 			    getpid(), SYSCON, strerror(errno));
961 		}
962 
963 		/*
964 		 * Execute the "su" program.
965 		 */
966 		(void) execle(SU, SU, "-", (char *)0, glob_envp);
967 		console(B_TRUE, "execle of %s failed: %s\n", SU,
968 		    strerror(errno));
969 		timer(5);
970 		exit(1);
971 	}
972 
973 	/*
974 	 * If we are the parent, wait around for the child to die
975 	 * or for "init" to be signaled to change levels.
976 	 */
977 	while (waitproc(su_process) == FAILURE) {
978 		/*
979 		 * All other reasons for waking are ignored when in
980 		 * single-user mode.  The only child we are interested
981 		 * in is being waited for explicitly by waitproc().
982 		 */
983 		wakeup.w_mask = 0;
984 	}
985 }
986 
987 /*
988  * remv() scans through "proc_table" and performs cleanup.  If
989  * there is a process in the table, which shouldn't be here at
990  * the current run level, then remv() kills the process.
991  */
992 static void
993 remv()
994 {
995 	struct PROC_TABLE	*process;
996 	struct CMD_LINE		cmd;
997 	char			cmd_string[MAXCMDL];
998 	int			change_level;
999 
1000 	change_level = (cur_state != prev_state ? TRUE : FALSE);
1001 
1002 	/*
1003 	 * Clear the TOUCHED flag on all entries so that when we have
1004 	 * finished scanning inittab, we will be able to tell if we
1005 	 * have any processes for which there is no entry in inittab.
1006 	 */
1007 	for (process = proc_table;
1008 	    (process < proc_table + num_proc); process++) {
1009 		process->p_flags &= ~TOUCHED;
1010 	}
1011 
1012 	/*
1013 	 * Scan all inittab entries.
1014 	 */
1015 	while (getcmd(&cmd, &cmd_string[0]) == TRUE) {
1016 		/* Scan for process which goes with this entry in inittab. */
1017 		for (process = proc_table;
1018 		    (process < proc_table + num_proc); process++) {
1019 			if ((process->p_flags & OCCUPIED) == 0 ||
1020 			    !id_eq(process->p_id, cmd.c_id))
1021 				continue;
1022 
1023 			/*
1024 			 * This slot contains the process we are looking for.
1025 			 */
1026 
1027 			/*
1028 			 * Is the cur_state SINGLE_USER or is this process
1029 			 * marked as "off" or was this proc started by some
1030 			 * mechanism other than LVL{a|b|c} and the current level
1031 			 * does not support this process?
1032 			 */
1033 			if (cur_state == SINGLE_USER ||
1034 			    cmd.c_action == M_OFF ||
1035 			    ((cmd.c_levels & state_to_mask(cur_state)) == 0 &&
1036 			    (process->p_flags & DEMANDREQUEST) == 0)) {
1037 				if (process->p_flags & LIVING) {
1038 					/*
1039 					 * Touch this entry so we know we have
1040 					 * treated it.  Note that procs which
1041 					 * are already dead at this point and
1042 					 * should not be restarted are left
1043 					 * untouched.  This causes their slot to
1044 					 * be freed later after dead accounting
1045 					 * is done.
1046 					 */
1047 					process->p_flags |= TOUCHED;
1048 
1049 					if ((process->p_flags & KILLED) == 0) {
1050 						if (change_level) {
1051 							process->p_flags
1052 							    |= WARNED;
1053 							(void) kill(
1054 							    process->p_pid,
1055 							    SIGTERM);
1056 						} else {
1057 							/*
1058 							 * Fork a killing proc
1059 							 * so "init" can
1060 							 * continue without
1061 							 * having to pause for
1062 							 * TWARN seconds.
1063 							 */
1064 							killproc(
1065 							    process->p_pid);
1066 						}
1067 						process->p_flags |= KILLED;
1068 					}
1069 				}
1070 			} else {
1071 				/*
1072 				 * Process can exist at current level.  If it is
1073 				 * still alive or a DEMANDREQUEST we touch it so
1074 				 * it will be left alone.  Otherwise we leave it
1075 				 * untouched so it will be accounted for and
1076 				 * cleaned up later in remv().  Dead
1077 				 * DEMANDREQUESTs will be accounted but not
1078 				 * freed.
1079 				 */
1080 				if (process->p_flags &
1081 				    (LIVING|NOCLEANUP|DEMANDREQUEST))
1082 					process->p_flags |= TOUCHED;
1083 			}
1084 
1085 			break;
1086 		}
1087 	}
1088 
1089 	st_write();
1090 
1091 	/*
1092 	 * If this was a change of levels call, scan through the
1093 	 * process table for processes that were warned to die.  If any
1094 	 * are found that haven't left yet, sleep for TWARN seconds and
1095 	 * then send final terminations to any that haven't died yet.
1096 	 */
1097 	if (change_level) {
1098 
1099 		/*
1100 		 * Set the alarm for TWARN seconds on the assumption
1101 		 * that there will be some that need to be waited for.
1102 		 * This won't harm anything except we are guaranteed to
1103 		 * wakeup in TWARN seconds whether we need to or not.
1104 		 */
1105 		setimer(TWARN);
1106 
1107 		/*
1108 		 * Scan for processes which should be dying.  We hope they
1109 		 * will die without having to be sent a SIGKILL signal.
1110 		 */
1111 		for (process = proc_table;
1112 		    (process < proc_table + num_proc); process++) {
1113 			/*
1114 			 * If this process should die, hasn't yet, and the
1115 			 * TWARN time hasn't expired yet, wait for process
1116 			 * to die or for timer to expire.
1117 			 */
1118 			while (time_up == FALSE &&
1119 			    (process->p_flags & (WARNED|LIVING|OCCUPIED)) ==
1120 			    (WARNED|LIVING|OCCUPIED))
1121 				(void) pause();
1122 
1123 			if (time_up == TRUE)
1124 				break;
1125 		}
1126 
1127 		/*
1128 		 * If we reached the end of the table without the timer
1129 		 * expiring, then there are no procs which will have to be
1130 		 * sent the SIGKILL signal.  If the timer has expired, then
1131 		 * it is necessary to scan the table again and send signals
1132 		 * to all processes which aren't going away nicely.
1133 		 */
1134 		if (time_up == TRUE) {
1135 			for (process = proc_table;
1136 			    (process < proc_table + num_proc); process++) {
1137 				if ((process->p_flags &
1138 				    (WARNED|LIVING|OCCUPIED)) ==
1139 				    (WARNED|LIVING|OCCUPIED))
1140 					(void) kill(process->p_pid, SIGKILL);
1141 			}
1142 		}
1143 		setimer(0);
1144 	}
1145 
1146 	/*
1147 	 * Rescan the proc_table for two kinds of entry, those marked LIVING,
1148 	 * NAMED, which don't have an entry in inittab (haven't been TOUCHED
1149 	 * by the above scanning), and haven't been sent kill signals, and
1150 	 * those entries marked not LIVING, NAMED.  The former procs are killed.
1151 	 * The latter have DEAD_PROCESS accounting done and the slot cleared.
1152 	 */
1153 	for (process = proc_table;
1154 	    (process < proc_table + num_proc); process++) {
1155 		if ((process->p_flags & (LIVING|NAMED|TOUCHED|KILLED|OCCUPIED))
1156 		    == (LIVING|NAMED|OCCUPIED)) {
1157 			killproc(process->p_pid);
1158 			process->p_flags |= KILLED;
1159 		} else if ((process->p_flags & (LIVING|NAMED|OCCUPIED)) ==
1160 		    (NAMED|OCCUPIED)) {
1161 			(void) account(DEAD_PROCESS, process, NULL);
1162 			/*
1163 			 * If this named proc hasn't been TOUCHED, then free the
1164 			 * space. It has either died of it's own accord, but
1165 			 * isn't respawnable or it was killed because it
1166 			 * shouldn't exist at this level.
1167 			 */
1168 			if ((process->p_flags & TOUCHED) == 0)
1169 				process->p_flags = 0;
1170 		}
1171 	}
1172 
1173 	st_write();
1174 }
1175 
1176 /*
1177  * Extract the svc.startd command line and whether to restart it from its
1178  * inittab entry.
1179  */
1180 /*ARGSUSED*/
1181 static void
1182 process_startd_line(struct CMD_LINE *cmd, char *cmd_string)
1183 {
1184 	size_t sz;
1185 
1186 	/* Save the command line. */
1187 	if (sflg || rflg) {
1188 		/* Also append -r or -s. */
1189 		(void) strlcpy(startd_cline, cmd_string, sizeof (startd_cline));
1190 		(void) strlcat(startd_cline, " -", sizeof (startd_cline));
1191 		if (sflg)
1192 			sz = strlcat(startd_cline, "s", sizeof (startd_cline));
1193 		if (rflg)
1194 			sz = strlcat(startd_cline, "r", sizeof (startd_cline));
1195 	} else {
1196 		sz = strlcpy(startd_cline, cmd_string, sizeof (startd_cline));
1197 	}
1198 
1199 	if (sz >= sizeof (startd_cline)) {
1200 		console(B_TRUE,
1201 		    "svc.startd command line too long.  Ignoring.\n");
1202 		startd_cline[0] = '\0';
1203 		return;
1204 	}
1205 }
1206 
1207 /*
1208  * spawn_processes() scans inittab for entries which should be run at this
1209  * mode.  Processes which should be running but are not, are started.
1210  */
1211 static int
1212 spawn_processes()
1213 {
1214 	struct PROC_TABLE		*pp;
1215 	struct CMD_LINE			cmd;
1216 	char				cmd_string[MAXCMDL];
1217 	short				lvl_mask;
1218 	int				status;
1219 
1220 	/*
1221 	 * First check the "powerhit" flag.  If it is set, make sure the modes
1222 	 * are PF_MODES and clear the "powerhit" flag.  Avoid the possible race
1223 	 * on the "powerhit" flag by disallowing a new powerfail interrupt
1224 	 * between the test of the powerhit flag and the clearing of it.
1225 	 */
1226 	if (wakeup.w_flags.w_powerhit) {
1227 		wakeup.w_flags.w_powerhit = 0;
1228 		op_modes = PF_MODES;
1229 	}
1230 	lvl_mask = state_to_mask(cur_state);
1231 
1232 	/*
1233 	 * Scan through all the entries in inittab.
1234 	 */
1235 	while ((status = getcmd(&cmd, &cmd_string[0])) == TRUE) {
1236 		if (id_eq(cmd.c_id, "smf")) {
1237 			process_startd_line(&cmd, cmd_string);
1238 			continue;
1239 		}
1240 
1241 retry_for_proc_slot:
1242 
1243 		/*
1244 		 * Find out if there is a process slot for this entry already.
1245 		 */
1246 		if ((pp = findpslot(&cmd)) == NULLPROC) {
1247 			/*
1248 			 * we've run out of proc table entries
1249 			 * increase proc_table.
1250 			 */
1251 			increase_proc_table_size();
1252 
1253 			/*
1254 			 * Retry now as we have an empty proc slot.
1255 			 * In case increase_proc_table_size() fails,
1256 			 * we will keep retrying.
1257 			 */
1258 			goto retry_for_proc_slot;
1259 		}
1260 
1261 		/*
1262 		 * If there is an entry, and it is marked as DEMANDREQUEST,
1263 		 * one of the levels a, b, or c is in its levels mask, and
1264 		 * the action field is ONDEMAND and ONDEMAND is a permissable
1265 		 * mode, and the process is dead, then respawn it.
1266 		 */
1267 		if (((pp->p_flags & (LIVING|DEMANDREQUEST)) == DEMANDREQUEST) &&
1268 		    (cmd.c_levels & MASK_abc) &&
1269 		    (cmd.c_action & op_modes) == M_ONDEMAND) {
1270 			spawn(pp, &cmd);
1271 			continue;
1272 		}
1273 
1274 		/*
1275 		 * If the action is not an action we are interested in,
1276 		 * skip the entry.
1277 		 */
1278 		if ((cmd.c_action & op_modes) == 0 || pp->p_flags & LIVING ||
1279 		    (cmd.c_levels & lvl_mask) == 0)
1280 			continue;
1281 
1282 		/*
1283 		 * If the modes are the normal modes (ONCE, WAIT, RESPAWN, OFF,
1284 		 * ONDEMAND) and the action field is either OFF or the action
1285 		 * field is ONCE or WAIT and the current level is the same as
1286 		 * the last level, then skip this entry.  ONCE and WAIT only
1287 		 * get run when the level changes.
1288 		 */
1289 		if (op_modes == NORMAL_MODES &&
1290 		    (cmd.c_action == M_OFF ||
1291 		    (cmd.c_action & (M_ONCE|M_WAIT)) &&
1292 		    cur_state == prev_state))
1293 			continue;
1294 
1295 		/*
1296 		 * At this point we are interested in performing the action for
1297 		 * this entry.  Actions fall into two categories, spinning off
1298 		 * a process and not waiting, and spinning off a process and
1299 		 * waiting for it to die.  If the action is ONCE, RESPAWN,
1300 		 * ONDEMAND, POWERFAIL, or BOOT we don't wait for the process
1301 		 * to die, for all other actions we do wait.
1302 		 */
1303 		if (cmd.c_action & (M_ONCE | M_RESPAWN | M_PF | M_BOOT)) {
1304 			spawn(pp, &cmd);
1305 
1306 		} else {
1307 			spawn(pp, &cmd);
1308 			while (waitproc(pp) == FAILURE)
1309 				;
1310 			(void) account(DEAD_PROCESS, pp, NULL);
1311 			pp->p_flags = 0;
1312 		}
1313 	}
1314 	return (status);
1315 }
1316 
1317 /*
1318  * spawn() spawns a shell, inserts the information about the process
1319  * process into the proc_table, and does the startup accounting.
1320  */
1321 static void
1322 spawn(struct PROC_TABLE *process, struct CMD_LINE *cmd)
1323 {
1324 	int		i;
1325 	int		modes, maxfiles;
1326 	time_t		now;
1327 	struct PROC_TABLE tmproc, *oprocess;
1328 
1329 	/*
1330 	 * The modes to be sent to efork() are 0 unless we are
1331 	 * spawning a LVLa, LVLb, or LVLc entry or we will be
1332 	 * waiting for the death of the child before continuing.
1333 	 */
1334 	modes = NAMED;
1335 	if (process->p_flags & DEMANDREQUEST || cur_state == LVLa ||
1336 	    cur_state == LVLb || cur_state == LVLc)
1337 		modes |= DEMANDREQUEST;
1338 	if ((cmd->c_action & (M_SYSINIT | M_WAIT | M_BOOTWAIT | M_PWAIT)) != 0)
1339 		modes |= NOCLEANUP;
1340 
1341 	/*
1342 	 * If this is a respawnable process, check the threshold
1343 	 * information to avoid excessive respawns.
1344 	 */
1345 	if (cmd->c_action & M_RESPAWN) {
1346 		/*
1347 		 * Add NOCLEANUP to all respawnable commands so that the
1348 		 * information about the frequency of respawns isn't lost.
1349 		 */
1350 		modes |= NOCLEANUP;
1351 		(void) time(&now);
1352 
1353 		/*
1354 		 * If no time is assigned, then this is the first time
1355 		 * this command is being processed in this series.  Assign
1356 		 * the current time.
1357 		 */
1358 		if (process->p_time == 0L)
1359 			process->p_time = now;
1360 
1361 		if (process->p_count++ == SPAWN_LIMIT) {
1362 
1363 			if ((now - process->p_time) < SPAWN_INTERVAL) {
1364 				/*
1365 				 * Process is respawning too rapidly.  Print
1366 				 * message and refuse to respawn it for now.
1367 				 */
1368 				console(B_TRUE, "Command is respawning too "
1369 				    "rapidly. Check for possible errors.\n"
1370 				    "id:%4s \"%s\"\n",
1371 				    &cmd->c_id[0], &cmd->c_command[EXEC]);
1372 				return;
1373 			}
1374 			process->p_time = now;
1375 			process->p_count = 0;
1376 
1377 		} else if (process->p_count > SPAWN_LIMIT) {
1378 			/*
1379 			 * If process has been respawning too rapidly and
1380 			 * the inhibit time limit hasn't expired yet, we
1381 			 * refuse to respawn.
1382 			 */
1383 			if (now - process->p_time < SPAWN_INTERVAL + INHIBIT)
1384 				return;
1385 			process->p_time = now;
1386 			process->p_count = 0;
1387 		}
1388 		rsflag = TRUE;
1389 	}
1390 
1391 	/*
1392 	 * Spawn a child process to execute this command.
1393 	 */
1394 	(void) sighold(SIGCLD);
1395 	oprocess = process;
1396 	while ((process = efork(cmd->c_action, oprocess, modes)) == NO_ROOM)
1397 		(void) pause();
1398 
1399 	if (process == NULLPROC) {
1400 
1401 		/*
1402 		 * We are the child.  We must make sure we get a different
1403 		 * file pointer for our references to utmpx.  Otherwise our
1404 		 * seeks and reads will compete with those of the parent.
1405 		 */
1406 		endutxent();
1407 
1408 		/*
1409 		 * Perform the accounting for the beginning of a process.
1410 		 * Note that all processes are initially "INIT_PROCESS"es.
1411 		 */
1412 		tmproc.p_id[0] = cmd->c_id[0];
1413 		tmproc.p_id[1] = cmd->c_id[1];
1414 		tmproc.p_id[2] = cmd->c_id[2];
1415 		tmproc.p_id[3] = cmd->c_id[3];
1416 		tmproc.p_pid = getpid();
1417 		tmproc.p_exit = 0;
1418 		(void) account(INIT_PROCESS, &tmproc,
1419 		    prog_name(&cmd->c_command[EXEC]));
1420 		maxfiles = ulimit(UL_GDESLIM, 0);
1421 		for (i = 0; i < maxfiles; i++)
1422 			(void) fcntl(i, F_SETFD, FD_CLOEXEC);
1423 
1424 		/*
1425 		 * Now exec a shell with the -c option and the command
1426 		 * from inittab.
1427 		 */
1428 		(void) execle(SH, "INITSH", "-c", cmd->c_command, (char *)0,
1429 		    glob_envp);
1430 		console(B_TRUE, "Command\n\"%s\"\n failed to execute.  errno "
1431 		    "= %d (exec of shell failed)\n", cmd->c_command, errno);
1432 
1433 		/*
1434 		 * Don't come back so quickly that "init" doesn't have a
1435 		 * chance to finish putting this child in "proc_table".
1436 		 */
1437 		timer(20);
1438 		exit(1);
1439 
1440 	}
1441 
1442 	/*
1443 	 * We are the parent.  Insert the necessary
1444 	 * information in the proc_table.
1445 	 */
1446 	process->p_id[0] = cmd->c_id[0];
1447 	process->p_id[1] = cmd->c_id[1];
1448 	process->p_id[2] = cmd->c_id[2];
1449 	process->p_id[3] = cmd->c_id[3];
1450 
1451 	st_write();
1452 
1453 	(void) sigrelse(SIGCLD);
1454 }
1455 
1456 /*
1457  * findpslot() finds the old slot in the process table for the
1458  * command with the same id, or it finds an empty slot.
1459  */
1460 static struct PROC_TABLE *
1461 findpslot(struct CMD_LINE *cmd)
1462 {
1463 	struct PROC_TABLE	*process;
1464 	struct PROC_TABLE	*empty = NULLPROC;
1465 
1466 	for (process = proc_table;
1467 	    (process < proc_table + num_proc); process++) {
1468 		if (process->p_flags & OCCUPIED &&
1469 		    id_eq(process->p_id, cmd->c_id))
1470 			break;
1471 
1472 		/*
1473 		 * If the entry is totally empty and "empty" is still 0,
1474 		 * remember where this hole is and make sure the slot is
1475 		 * zeroed out.
1476 		 */
1477 		if (empty == NULLPROC && (process->p_flags & OCCUPIED) == 0) {
1478 			empty = process;
1479 			process->p_id[0] = '\0';
1480 			process->p_id[1] = '\0';
1481 			process->p_id[2] = '\0';
1482 			process->p_id[3] = '\0';
1483 			process->p_pid = 0;
1484 			process->p_time = 0L;
1485 			process->p_count = 0;
1486 			process->p_flags = 0;
1487 			process->p_exit = 0;
1488 		}
1489 	}
1490 
1491 	/*
1492 	 * If there is no entry for this slot, then there should be an
1493 	 * empty slot.  If there is no empty slot, then we've run out
1494 	 * of proc_table space.  If the latter is true, empty will be
1495 	 * NULL and the caller will have to complain.
1496 	 */
1497 	if (process == (proc_table + num_proc))
1498 		process = empty;
1499 
1500 	return (process);
1501 }
1502 
1503 /*
1504  * getcmd() parses lines from inittab.  Each time it finds a command line
1505  * it will return TRUE as well as fill the passed CMD_LINE structure and
1506  * the shell command string.  When the end of inittab is reached, FALSE
1507  * is returned inittab is automatically opened if it is not currently open
1508  * and is closed when the end of the file is reached.
1509  */
1510 static FILE *fp_inittab = NULL;
1511 
1512 static int
1513 getcmd(struct CMD_LINE *cmd, char *shcmd)
1514 {
1515 	char	*ptr;
1516 	int	c, lastc, state;
1517 	char 	*ptr1;
1518 	int	answer, i, proceed;
1519 	struct	stat	sbuf;
1520 	static char *actions[] = {
1521 		"off", "respawn", "ondemand", "once", "wait", "boot",
1522 		"bootwait", "powerfail", "powerwait", "initdefault",
1523 		"sysinit",
1524 	};
1525 	static short act_masks[] = {
1526 		M_OFF, M_RESPAWN, M_ONDEMAND, M_ONCE, M_WAIT, M_BOOT,
1527 		M_BOOTWAIT, M_PF, M_PWAIT, M_INITDEFAULT, M_SYSINIT,
1528 	};
1529 	/*
1530 	 * Only these actions will be allowed for entries which
1531 	 * are specified for single-user mode.
1532 	 */
1533 	short su_acts = M_INITDEFAULT | M_PF | M_PWAIT | M_WAIT;
1534 
1535 	if (fp_inittab == NULL) {
1536 		/*
1537 		 * Before attempting to open inittab we stat it to make
1538 		 * sure it currently exists and is not empty.  We try
1539 		 * several times because someone may have temporarily
1540 		 * unlinked or truncated the file.
1541 		 */
1542 		for (i = 0; i < 3; i++) {
1543 			if (stat(INITTAB, &sbuf) == -1) {
1544 				if (i == 2) {
1545 					console(B_TRUE,
1546 					    "Cannot stat %s, errno: %d\n",
1547 					    INITTAB, errno);
1548 					return (FAILURE);
1549 				} else {
1550 					timer(3);
1551 				}
1552 			} else if (sbuf.st_size < 10) {
1553 				if (i == 2) {
1554 					console(B_TRUE,
1555 					    "%s truncated or corrupted\n",
1556 					    INITTAB);
1557 					return (FAILURE);
1558 				} else {
1559 					timer(3);
1560 				}
1561 			} else {
1562 				break;
1563 			}
1564 		}
1565 
1566 		/*
1567 		 * If unable to open inittab, print error message and
1568 		 * return FAILURE to caller.
1569 		 */
1570 		if ((fp_inittab = fopen(INITTAB, "r")) == NULL) {
1571 			console(B_TRUE, "Cannot open %s errno: %d\n", INITTAB,
1572 			    errno);
1573 			return (FAILURE);
1574 		}
1575 	}
1576 
1577 	/*
1578 	 * Keep getting commands from inittab until you find a
1579 	 * good one or run out of file.
1580 	 */
1581 	for (answer = FALSE; answer == FALSE; ) {
1582 		/*
1583 		 * Zero out the cmd itself before trying next line.
1584 		 */
1585 		bzero(cmd, sizeof (struct CMD_LINE));
1586 
1587 		/*
1588 		 * Read in lines of inittab, parsing at colons, until a line is
1589 		 * read in which doesn't end with a backslash.  Do not start if
1590 		 * the first character read is an EOF.  Note that this means
1591 		 * that lines which don't end in a newline are still processed,
1592 		 * since the "for" will terminate normally once started,
1593 		 * regardless of whether line terminates with a newline or EOF.
1594 		 */
1595 		state = FAILURE;
1596 		if ((c = fgetc(fp_inittab)) == EOF) {
1597 			answer = FALSE;
1598 			(void) fclose(fp_inittab);
1599 			fp_inittab = NULL;
1600 			break;
1601 		}
1602 
1603 		for (proceed = TRUE, ptr = shcmd, state = ID, lastc = '\0';
1604 		    proceed && c != EOF;
1605 		    lastc = c, c = fgetc(fp_inittab)) {
1606 		    /* If we're not in the FAILURE state and haven't	*/
1607 		    /* yet reached the shell command field, process	*/
1608 		    /* the line, otherwise just look for a real end	*/
1609 		    /* of line.						*/
1610 		    if (state != FAILURE && state != COMMAND) {
1611 			/*
1612 			 * Squeeze out spaces and tabs.
1613 			 */
1614 			if (c == ' ' || c == '\t')
1615 				continue;
1616 
1617 			/*
1618 			 * Ignore characters in a comment, except for the \n.
1619 			 */
1620 			if (state == COMMENT) {
1621 				if (c == '\n') {
1622 					lastc = ' ';
1623 					break;
1624 				} else {
1625 					continue;
1626 				}
1627 			}
1628 
1629 			/*
1630 			 * Detect comments (lines whose first non-whitespace
1631 			 * character is '#') by checking that we're at the
1632 			 * beginning of a line, have seen a '#', and haven't
1633 			 * yet accumulated any characters.
1634 			 */
1635 			if (state == ID && c == '#' && ptr == shcmd) {
1636 				state = COMMENT;
1637 				continue;
1638 			}
1639 
1640 			/*
1641 			 * If the character is a ':', then check the
1642 			 * previous field for correctness and advance
1643 			 * to the next field.
1644 			 */
1645 			if (c == ':') {
1646 			    switch (state) {
1647 
1648 			    case ID :
1649 				/*
1650 				 * Check to see that there are only
1651 				 * 1 to 4 characters for the id.
1652 				 */
1653 				if ((i = ptr - shcmd) < 1 || i > 4) {
1654 					state = FAILURE;
1655 				} else {
1656 					bcopy(shcmd, &cmd->c_id[0], i);
1657 					ptr = shcmd;
1658 					state = LEVELS;
1659 				}
1660 				break;
1661 
1662 			    case LEVELS :
1663 				/*
1664 				 * Build a mask for all the levels for
1665 				 * which this command will be legal.
1666 				 */
1667 				for (cmd->c_levels = 0, ptr1 = shcmd;
1668 				    ptr1 < ptr; ptr1++) {
1669 					int mask;
1670 					if (lvlname_to_mask(*ptr1,
1671 					    &mask) == -1) {
1672 						state = FAILURE;
1673 						break;
1674 					}
1675 					cmd->c_levels |= mask;
1676 				}
1677 				if (state != FAILURE) {
1678 					state = ACTION;
1679 					ptr = shcmd;	/* Reset the buffer */
1680 				}
1681 				break;
1682 
1683 			    case ACTION :
1684 				/*
1685 				 * Null terminate the string in shcmd buffer and
1686 				 * then try to match against legal actions.  If
1687 				 * the field is of length 0, then the default of
1688 				 * "RESPAWN" is used if the id is numeric,
1689 				 * otherwise the default is "OFF".
1690 				 */
1691 				if (ptr == shcmd) {
1692 					if (isdigit(cmd->c_id[0]) &&
1693 					    (cmd->c_id[1] == '\0' ||
1694 						isdigit(cmd->c_id[1])) &&
1695 					    (cmd->c_id[2] == '\0' ||
1696 						isdigit(cmd->c_id[2])) &&
1697 					    (cmd->c_id[3] == '\0' ||
1698 						isdigit(cmd->c_id[3])))
1699 						    cmd->c_action = M_RESPAWN;
1700 					else
1701 						    cmd->c_action = M_OFF;
1702 				} else {
1703 				    for (cmd->c_action = 0, i = 0, *ptr = '\0';
1704 				    i < sizeof (actions)/sizeof (char *);
1705 				    i++) {
1706 					if (strcmp(shcmd, actions[i]) == 0) {
1707 					    if ((cmd->c_levels & MASKSU) &&
1708 						!(act_masks[i] & su_acts))
1709 						    cmd->c_action = 0;
1710 					    else
1711 						cmd->c_action = act_masks[i];
1712 					    break;
1713 					}
1714 				    }
1715 				}
1716 
1717 				/*
1718 				 * If the action didn't match any legal action,
1719 				 * set state to FAILURE.
1720 				 */
1721 				if (cmd->c_action == 0) {
1722 					state = FAILURE;
1723 				} else {
1724 					state = COMMAND;
1725 					(void) strcpy(shcmd, "exec ");
1726 				}
1727 				ptr = shcmd + EXEC;
1728 				break;
1729 			    }
1730 			    continue;
1731 			}
1732 		    }
1733 
1734 		    /* If the character is a '\n', then this is the end of a */
1735 		    /* line.  If the '\n' wasn't preceded by a backslash, */
1736 		    /* it is also the end of an inittab command.  If it was */
1737 		    /* preceded by a backslash then the next line is a */
1738 		    /* continuation.  Note that the continuation '\n' falls */
1739 		    /* through and is treated like other characters and is */
1740 		    /* stored in the shell command line. */
1741 		    if (c == '\n' && lastc != '\\') {
1742 				proceed = FALSE;
1743 				*ptr = '\0';
1744 				break;
1745 		    }
1746 
1747 		    /* For all other characters just stuff them into the */
1748 		    /* command as long as there aren't too many of them. */
1749 		    /* Make sure there is room for a terminating '\0' also. */
1750 		    if (ptr >= shcmd + MAXCMDL - 1)
1751 			state = FAILURE;
1752 		    else
1753 			*ptr++ = (char)c;
1754 
1755 		    /* If the character we just stored was a quoted	*/
1756 		    /* backslash, then change "c" to '\0', so that this	*/
1757 		    /* backslash will not cause a subsequent '\n' to appear */
1758 		    /* quoted.  In otherwords '\' '\' '\n' is the real end */
1759 		    /* of a command, while '\' '\n' is a continuation. */
1760 		    if (c == '\\' && lastc == '\\')
1761 			c = '\0';
1762 		}
1763 
1764 		/*
1765 		 * Make sure all the fields are properly specified
1766 		 * for a good command line.
1767 		 */
1768 		if (state == COMMAND) {
1769 			answer = TRUE;
1770 			cmd->c_command = shcmd;
1771 
1772 			/*
1773 			 * If no default level was supplied, insert
1774 			 * all numerical levels.
1775 			 */
1776 			if (cmd->c_levels == 0)
1777 				cmd->c_levels = MASK_NUMERIC;
1778 
1779 			/*
1780 			 * If no action has been supplied, declare this
1781 			 * entry to be OFF.
1782 			 */
1783 			if (cmd->c_action == 0)
1784 				cmd->c_action = M_OFF;
1785 
1786 			/*
1787 			 * If no shell command has been supplied, make sure
1788 			 * there is a null string in the command field.
1789 			 */
1790 			if (ptr == shcmd + EXEC)
1791 				*shcmd = '\0';
1792 		} else
1793 			answer = FALSE;
1794 
1795 		/*
1796 		 * If we have reached the end of inittab, then close it
1797 		 * and quit trying to find a good command line.
1798 		 */
1799 		if (c == EOF) {
1800 			(void) fclose(fp_inittab);
1801 			fp_inittab = NULL;
1802 			break;
1803 		}
1804 	}
1805 	return (answer);
1806 }
1807 
1808 /*
1809  * lvlname_to_state(): convert the character name of a state to its level
1810  * (its corresponding signal number).
1811  */
1812 static int
1813 lvlname_to_state(char name)
1814 {
1815 	int i;
1816 	for (i = 0; i < LVL_NELEMS; i++) {
1817 		if (lvls[i].lvl_name == name)
1818 			return (lvls[i].lvl_state);
1819 	}
1820 	return (-1);
1821 }
1822 
1823 /*
1824  * state_to_name(): convert the level to the character name.
1825  */
1826 static char
1827 state_to_name(int state)
1828 {
1829 	int i;
1830 	for (i = 0; i < LVL_NELEMS; i++) {
1831 		if (lvls[i].lvl_state == state)
1832 			return (lvls[i].lvl_name);
1833 	}
1834 	return (-1);
1835 }
1836 
1837 /*
1838  * state_to_mask(): return the mask corresponding to a signal number
1839  */
1840 static int
1841 state_to_mask(int state)
1842 {
1843 	int i;
1844 	for (i = 0; i < LVL_NELEMS; i++) {
1845 		if (lvls[i].lvl_state == state)
1846 			return (lvls[i].lvl_mask);
1847 	}
1848 	return (0);	/* return 0, since that represents an empty mask */
1849 }
1850 
1851 /*
1852  * lvlname_to_mask(): return the mask corresponding to a levels character name
1853  */
1854 static int
1855 lvlname_to_mask(char name, int *mask)
1856 {
1857 	int i;
1858 	for (i = 0; i < LVL_NELEMS; i++) {
1859 		if (lvls[i].lvl_name == name) {
1860 			*mask = lvls[i].lvl_mask;
1861 			return (0);
1862 		}
1863 	}
1864 	return (-1);
1865 }
1866 
1867 /*
1868  * state_to_flags(): return the flags corresponding to a runlevel.  These
1869  * indicate properties of that runlevel.
1870  */
1871 static int
1872 state_to_flags(int state)
1873 {
1874 	int i;
1875 	for (i = 0; i < LVL_NELEMS; i++) {
1876 		if (lvls[i].lvl_state == state)
1877 			return (lvls[i].lvl_flags);
1878 	}
1879 	return (0);
1880 }
1881 
1882 /*
1883  * killproc() creates a child which kills the process specified by pid.
1884  */
1885 void
1886 killproc(pid_t pid)
1887 {
1888 	struct PROC_TABLE	*process;
1889 
1890 	(void) sighold(SIGCLD);
1891 	while ((process = efork(M_OFF, NULLPROC, 0)) == NO_ROOM)
1892 		(void) pause();
1893 	(void) sigrelse(SIGCLD);
1894 
1895 	if (process == NULLPROC) {
1896 		/*
1897 		 * efork() sets all signal handlers to the default, so reset
1898 		 * the ALRM handler to make timer() work as expected.
1899 		 */
1900 		(void) sigset(SIGALRM, alarmclk);
1901 
1902 		/*
1903 		 * We are the child.  Try to terminate the process nicely
1904 		 * first using SIGTERM and if it refuses to die in TWARN
1905 		 * seconds kill it with SIGKILL.
1906 		 */
1907 		(void) kill(pid, SIGTERM);
1908 		(void) timer(TWARN);
1909 		(void) kill(pid, SIGKILL);
1910 		(void) exit(0);
1911 	}
1912 }
1913 
1914 /*
1915  * Set up the default environment for all procs to be forked from init.
1916  * Read the values from the /etc/default/init file, except for PATH.  If
1917  * there's not enough room in the environment array, the environment
1918  * lines that don't fit are silently discarded.
1919  */
1920 void
1921 init_env()
1922 {
1923 	char	line[MAXCMDL];
1924 	FILE	*fp;
1925 	int	inquotes, length, wslength;
1926 	char	*tokp, *cp1, *cp2;
1927 
1928 	glob_envp[0] = malloc((unsigned)(strlen(DEF_PATH)+2));
1929 	(void) strcpy(glob_envp[0], DEF_PATH);
1930 	glob_envn = 1;
1931 
1932 	if (rflg) {
1933 		glob_envp[1] =
1934 		    malloc((unsigned)(strlen("_DVFS_RECONFIG=YES")+2));
1935 		(void) strcpy(glob_envp[1], "_DVFS_RECONFIG=YES");
1936 		++glob_envn;
1937 	} else if (bflg == 1) {
1938 		glob_envp[1] =
1939 		    malloc((unsigned)(strlen("RB_NOBOOTRC=YES")+2));
1940 		(void) strcpy(glob_envp[1], "RB_NOBOOTRC=YES");
1941 		++glob_envn;
1942 	}
1943 
1944 	if ((fp = fopen(ENVFILE, "r")) == NULL) {
1945 		console(B_TRUE,
1946 		    "Cannot open %s. Environment not initialized.\n",
1947 		    ENVFILE);
1948 	} else {
1949 		while (fgets(line, MAXCMDL - 1, fp) != NULL &&
1950 		    glob_envn < MAXENVENT - 2) {
1951 			/*
1952 			 * Toss newline
1953 			 */
1954 			length = strlen(line);
1955 			if (line[length - 1] == '\n')
1956 				line[length - 1] = '\0';
1957 
1958 			/*
1959 			 * Ignore blank or comment lines.
1960 			 */
1961 			if (line[0] == '#' || line[0] == '\0' ||
1962 			    (wslength = strspn(line, " \t\n")) ==
1963 			    strlen(line) ||
1964 			    strchr(line, '#') == line + wslength)
1965 				continue;
1966 
1967 			/*
1968 			 * First make a pass through the line and change
1969 			 * any non-quoted semi-colons to blanks so they
1970 			 * will be treated as token separators below.
1971 			 */
1972 			inquotes = 0;
1973 			for (cp1 = line; *cp1 != '\0'; cp1++) {
1974 				if (*cp1 == '"') {
1975 					if (inquotes == 0)
1976 						inquotes = 1;
1977 					else
1978 						inquotes = 0;
1979 				} else if (*cp1 == ';') {
1980 					if (inquotes == 0)
1981 						*cp1 = ' ';
1982 				}
1983 			}
1984 
1985 			/*
1986 			 * Tokens within the line are separated by blanks
1987 			 *  and tabs.  For each token in the line which
1988 			 * contains a '=' we strip out any quotes and then
1989 			 * stick the token in the environment array.
1990 			 */
1991 			if ((tokp = strtok(line, " \t")) == NULL)
1992 				continue;
1993 			do {
1994 				if (strchr(tokp, '=') == NULL)
1995 					continue;
1996 				length = strlen(tokp);
1997 				while ((cp1 = strpbrk(tokp, "\"\'")) != NULL) {
1998 					for (cp2 = cp1;
1999 					    cp2 < &tokp[length]; cp2++)
2000 						*cp2 = *(cp2 + 1);
2001 					length--;
2002 				}
2003 
2004 				if (strncmp(tokp, "CMASK=",
2005 				    sizeof ("CMASK=") - 1) == 0) {
2006 					long t;
2007 
2008 					/* We know there's an = */
2009 					t = strtol(strchr(tokp, '=') + 1, NULL,
2010 					    8);
2011 
2012 					/* Sanity */
2013 					if (t <= 077 && t >= 0)
2014 						cmask = (int)t;
2015 					(void) umask(cmask);
2016 					continue;
2017 				}
2018 				glob_envp[glob_envn] =
2019 				    malloc((unsigned)(length + 1));
2020 				(void) strcpy(glob_envp[glob_envn], tokp);
2021 				if (++glob_envn >= MAXENVENT - 1)
2022 					break;
2023 			} while ((tokp = strtok(NULL, " \t")) != NULL);
2024 		}
2025 
2026 		/*
2027 		 * Append a null pointer to the environment array
2028 		 * to mark its end.
2029 		 */
2030 		glob_envp[glob_envn] = NULL;
2031 		(void) fclose(fp);
2032 	}
2033 }
2034 
2035 /*
2036  * boot_init(): Do initialization things that should be done at boot.
2037  */
2038 void
2039 boot_init()
2040 {
2041 	int i;
2042 	struct PROC_TABLE *process, *oprocess;
2043 	struct CMD_LINE	cmd;
2044 	char	line[MAXCMDL];
2045 	char	svc_aux[SVC_AUX_SIZE];
2046 	char	init_svc_fmri[SVC_FMRI_SIZE];
2047 	char *old_path;
2048 	int maxfiles;
2049 
2050 	/* Use INIT_PATH for sysinit cmds */
2051 	old_path = glob_envp[0];
2052 	glob_envp[0] = malloc((unsigned)(strlen(INIT_PATH)+2));
2053 	(void) strcpy(glob_envp[0], INIT_PATH);
2054 
2055 	/*
2056 	 * Scan inittab(4) and process the special svc.startd entry, initdefault
2057 	 * and sysinit entries.
2058 	 */
2059 	while (getcmd(&cmd, &line[0]) == TRUE) {
2060 		if (startd_tmpl >= 0 && id_eq(cmd.c_id, "smf")) {
2061 			process_startd_line(&cmd, line);
2062 			(void) snprintf(startd_svc_aux, SVC_AUX_SIZE,
2063 			    INITTAB_ENTRY_ID_STR_FORMAT, cmd.c_id);
2064 		} else if (cmd.c_action == M_INITDEFAULT) {
2065 			/*
2066 			 * initdefault is no longer meaningful, as the SMF
2067 			 * milestone controls what (legacy) run level we
2068 			 * boot to.
2069 			 */
2070 			console(B_TRUE,
2071 			    "Ignoring legacy \"initdefault\" entry.\n");
2072 		} else if (cmd.c_action == M_SYSINIT) {
2073 			/*
2074 			 * Execute the "sysinit" entry and wait for it to
2075 			 * complete.  No bookkeeping is performed on these
2076 			 * entries because we avoid writing to the file system
2077 			 * until after there has been an chance to check it.
2078 			 */
2079 			if (process = findpslot(&cmd)) {
2080 				(void) sighold(SIGCLD);
2081 				(void) snprintf(svc_aux, SVC_AUX_SIZE,
2082 				    INITTAB_ENTRY_ID_STR_FORMAT, cmd.c_id);
2083 				(void) snprintf(init_svc_fmri, SVC_FMRI_SIZE,
2084 				    SVC_INIT_PREFIX INITTAB_ENTRY_ID_STR_FORMAT,
2085 				    cmd.c_id);
2086 				if (legacy_tmpl >= 0) {
2087 					(void) ct_pr_tmpl_set_svc_fmri(
2088 					    legacy_tmpl, init_svc_fmri);
2089 					(void) ct_pr_tmpl_set_svc_aux(
2090 					    legacy_tmpl, svc_aux);
2091 				}
2092 
2093 				for (oprocess = process;
2094 				    (process = efork(M_OFF, oprocess,
2095 				    (NAMED|NOCLEANUP))) == NO_ROOM;
2096 				    /* CSTYLED */)
2097 					;
2098 				(void) sigrelse(SIGCLD);
2099 
2100 				if (process == NULLPROC) {
2101 					maxfiles = ulimit(UL_GDESLIM, 0);
2102 
2103 					for (i = 0; i < maxfiles; i++)
2104 						(void) fcntl(i, F_SETFD,
2105 						    FD_CLOEXEC);
2106 					(void) execle(SH, "INITSH", "-c",
2107 					    cmd.c_command,
2108 					    (char *)0, glob_envp);
2109 					console(B_TRUE,
2110 "Command\n\"%s\"\n failed to execute.  errno = %d (exec of shell failed)\n",
2111 					    cmd.c_command, errno);
2112 					exit(1);
2113 				} else while (waitproc(process) == FAILURE);
2114 				process->p_flags = 0;
2115 				st_write();
2116 			}
2117 		}
2118 	}
2119 
2120 	/* Restore the path. */
2121 	free(glob_envp[0]);
2122 	glob_envp[0] = old_path;
2123 
2124 	/*
2125 	 * This will enable st_write() to complain about init_state_file.
2126 	 */
2127 	booting = 0;
2128 
2129 	/*
2130 	 * If the /etc/ioctl.syscon didn't exist or had invalid contents write
2131 	 * out a correct version.
2132 	 */
2133 	if (write_ioctl)
2134 		write_ioctl_syscon();
2135 
2136 	/*
2137 	 * Start svc.startd(1M), which does most of the work.
2138 	 */
2139 	if (startd_cline[0] != '\0' && startd_tmpl >= 0) {
2140 		/* Start svc.startd. */
2141 		if (startd_run(startd_cline, startd_tmpl, 0) == -1)
2142 			cur_state = SINGLE_USER;
2143 	} else {
2144 		console(B_TRUE, "Absent svc.startd entry or bad "
2145 		    "contract template.  Not starting svc.startd.\n");
2146 		enter_maintenance();
2147 	}
2148 }
2149 
2150 /*
2151  * init_signals(): Initialize all signals to either be caught or ignored.
2152  */
2153 void
2154 init_signals(void)
2155 {
2156 	struct sigaction act;
2157 	int i;
2158 
2159 	/*
2160 	 * Start by ignoring all signals, then selectively re-enable some.
2161 	 * The SIG_IGN disposition will only affect asynchronous signals:
2162 	 * any signal that we trigger synchronously that doesn't end up
2163 	 * being handled by siglvl() will be forcibly delivered by the kernel.
2164 	 */
2165 	for (i = SIGHUP; i <= SIGRTMAX; i++)
2166 		(void) sigset(i, SIG_IGN);
2167 
2168 	/*
2169 	 * Handle all level-changing signals using siglvl() and set sa_mask so
2170 	 * that all level-changing signals are blocked while in siglvl().
2171 	 */
2172 	act.sa_handler = siglvl;
2173 	act.sa_flags = SA_SIGINFO;
2174 	(void) sigemptyset(&act.sa_mask);
2175 
2176 	(void) sigaddset(&act.sa_mask, LVLQ);
2177 	(void) sigaddset(&act.sa_mask, LVL0);
2178 	(void) sigaddset(&act.sa_mask, LVL1);
2179 	(void) sigaddset(&act.sa_mask, LVL2);
2180 	(void) sigaddset(&act.sa_mask, LVL3);
2181 	(void) sigaddset(&act.sa_mask, LVL4);
2182 	(void) sigaddset(&act.sa_mask, LVL5);
2183 	(void) sigaddset(&act.sa_mask, LVL6);
2184 	(void) sigaddset(&act.sa_mask, SINGLE_USER);
2185 	(void) sigaddset(&act.sa_mask, LVLa);
2186 	(void) sigaddset(&act.sa_mask, LVLb);
2187 	(void) sigaddset(&act.sa_mask, LVLc);
2188 
2189 	(void) sigaction(LVLQ, &act, NULL);
2190 	(void) sigaction(LVL0, &act, NULL);
2191 	(void) sigaction(LVL1, &act, NULL);
2192 	(void) sigaction(LVL2, &act, NULL);
2193 	(void) sigaction(LVL3, &act, NULL);
2194 	(void) sigaction(LVL4, &act, NULL);
2195 	(void) sigaction(LVL5, &act, NULL);
2196 	(void) sigaction(LVL6, &act, NULL);
2197 	(void) sigaction(SINGLE_USER, &act, NULL);
2198 	(void) sigaction(LVLa, &act, NULL);
2199 	(void) sigaction(LVLb, &act, NULL);
2200 	(void) sigaction(LVLc, &act, NULL);
2201 
2202 	(void) sigset(SIGALRM, alarmclk);
2203 	alarmclk();
2204 
2205 	(void) sigset(SIGCLD, childeath);
2206 	(void) sigset(SIGPWR, powerfail);
2207 }
2208 
2209 /*
2210  * Set up pipe for "godchildren". If the file exists and is a pipe just open
2211  * it. Else, if the file system is r/w create it.  Otherwise, defer its
2212  * creation and open until after /var/run has been mounted.  This function is
2213  * only called on startup and when explicitly requested via LVLQ.
2214  */
2215 void
2216 setup_pipe()
2217 {
2218 	struct stat stat_buf;
2219 	struct statvfs statvfs_buf;
2220 	struct sigaction act;
2221 
2222 	/*
2223 	 * Always close the previous pipe descriptor as the mounted filesystems
2224 	 * may have changed.
2225 	 */
2226 	if (Pfd >= 0)
2227 		(void) close(Pfd);
2228 
2229 	if ((stat(INITPIPE, &stat_buf) == 0) &&
2230 	    ((stat_buf.st_mode & (S_IFMT|S_IRUSR)) == (S_IFIFO|S_IRUSR)))
2231 		Pfd = open(INITPIPE, O_RDWR | O_NDELAY);
2232 	else
2233 		if ((statvfs(INITPIPE_DIR, &statvfs_buf) == 0) &&
2234 		    ((statvfs_buf.f_flag & ST_RDONLY) == 0)) {
2235 			(void) unlink(INITPIPE);
2236 			(void) mknod(INITPIPE, S_IFIFO | 0600, 0);
2237 			Pfd = open(INITPIPE, O_RDWR | O_NDELAY);
2238 		}
2239 
2240 	if (Pfd >= 0) {
2241 		(void) ioctl(Pfd, I_SETSIG, S_INPUT);
2242 		/*
2243 		 * Read pipe in message discard mode.
2244 		 */
2245 		(void) ioctl(Pfd, I_SRDOPT, RMSGD);
2246 
2247 		act.sa_handler = sigpoll;
2248 		act.sa_flags = 0;
2249 		(void) sigemptyset(&act.sa_mask);
2250 		(void) sigaddset(&act.sa_mask, SIGCLD);
2251 		(void) sigaction(SIGPOLL, &act, NULL);
2252 	}
2253 }
2254 
2255 /*
2256  * siglvl - handle an asynchronous signal from init(1M) telling us that we
2257  * should change the current run level.  We set new_state accordingly.
2258  */
2259 void
2260 siglvl(int sig, siginfo_t *sip, ucontext_t *ucp)
2261 {
2262 	struct PROC_TABLE *process;
2263 	struct sigaction act;
2264 
2265 	/*
2266 	 * If the signal was from the kernel (rather than init(1M)) then init
2267 	 * itself tripped the signal.  That is, we might have a bug and tripped
2268 	 * a real SIGSEGV instead of receiving it as an alias for SIGLVLa.  In
2269 	 * such a case we reset the disposition to SIG_DFL, block all signals
2270 	 * in uc_mask but the current one, and return to the interrupted ucp
2271 	 * to effect an appropriate death.  The kernel will then restart us.
2272 	 *
2273 	 * The one exception to SI_FROMKERNEL() is SIGFPE (a.k.a. LVL6), which
2274 	 * the kernel can send us when it wants to effect an orderly reboot.
2275 	 * For this case we must also verify si_code is zero, rather than a
2276 	 * code such as FPE_INTDIV which a bug might have triggered.
2277 	 */
2278 	if (sip != NULL && SI_FROMKERNEL(sip) &&
2279 	    (sig != SIGFPE || sip->si_code == 0)) {
2280 
2281 		(void) sigemptyset(&act.sa_mask);
2282 		act.sa_handler = SIG_DFL;
2283 		act.sa_flags = 0;
2284 		(void) sigaction(sig, &act, NULL);
2285 
2286 		(void) sigfillset(&ucp->uc_sigmask);
2287 		(void) sigdelset(&ucp->uc_sigmask, sig);
2288 		ucp->uc_flags |= UC_SIGMASK;
2289 
2290 		(void) setcontext(ucp);
2291 	}
2292 
2293 	/*
2294 	 * If the signal received is a LVLQ signal, do not really
2295 	 * change levels, just restate the current level.  If the
2296 	 * signal is not a LVLQ, set the new level to the signal
2297 	 * received.
2298 	 */
2299 	if (sig == LVLQ) {
2300 		new_state = cur_state;
2301 		lvlq_received = B_TRUE;
2302 	} else {
2303 		new_state = sig;
2304 	}
2305 
2306 	/*
2307 	 * Clear all times and repeat counts in the process table
2308 	 * since either the level is changing or the user has editted
2309 	 * the inittab file and wants us to look at it again.
2310 	 * If the user has fixed a typo, we don't want residual timing
2311 	 * data preventing the fixed command line from executing.
2312 	 */
2313 	for (process = proc_table;
2314 	    (process < proc_table + num_proc); process++) {
2315 		process->p_time = 0L;
2316 		process->p_count = 0;
2317 	}
2318 
2319 	/*
2320 	 * Set the flag to indicate that a "user signal" was received.
2321 	 */
2322 	wakeup.w_flags.w_usersignal = 1;
2323 }
2324 
2325 
2326 /*
2327  * alarmclk
2328  */
2329 static void
2330 alarmclk()
2331 {
2332 	time_up = TRUE;
2333 }
2334 
2335 /*
2336  * childeath_single():
2337  *
2338  * This used to be the SIGCLD handler and it was set with signal()
2339  * (as opposed to sigset()).  When a child exited we'd come to the
2340  * handler, wait for the child, and reenable the handler with
2341  * signal() just before returning.  The implementation of signal()
2342  * checks with waitid() for waitable children and sends a SIGCLD
2343  * if there are some.  If children are exiting faster than the
2344  * handler can run we keep sending signals and the handler never
2345  * gets to return and eventually the stack runs out and init dies.
2346  * To prevent that we set the handler with sigset() so the handler
2347  * doesn't need to be reset, and in childeath() (see below) we
2348  * call childeath_single() as long as there are children to be
2349  * waited for.  If a child exits while init is in the handler a
2350  * SIGCLD will be pending and delivered on return from the handler.
2351  * If the child was already waited for the handler will have nothing
2352  * to do and return, otherwise the child will be waited for.
2353  */
2354 static void
2355 childeath_single(pid_t pid, int status)
2356 {
2357 	struct PROC_TABLE	*process;
2358 	struct pidlist		*pp;
2359 
2360 	/*
2361 	 * Scan the process table to see if we are interested in this process.
2362 	 */
2363 	for (process = proc_table;
2364 	    (process < proc_table + num_proc); process++) {
2365 		if ((process->p_flags & (LIVING|OCCUPIED)) ==
2366 		    (LIVING|OCCUPIED) && process->p_pid == pid) {
2367 
2368 			/*
2369 			 * Mark this process as having died and store the exit
2370 			 * status.  Also set the wakeup flag for a dead child
2371 			 * and break out of the loop.
2372 			 */
2373 			process->p_flags &= ~LIVING;
2374 			process->p_exit = (short)status;
2375 			wakeup.w_flags.w_childdeath = 1;
2376 
2377 			return;
2378 		}
2379 	}
2380 
2381 	/*
2382 	 * No process was found above, look through auxiliary list.
2383 	 */
2384 	(void) sighold(SIGPOLL);
2385 	pp = Plhead;
2386 	while (pp) {
2387 		if (pid > pp->pl_pid) {
2388 			/*
2389 			 * Keep on looking.
2390 			 */
2391 			pp = pp->pl_next;
2392 			continue;
2393 		} else if (pid < pp->pl_pid) {
2394 			/*
2395 			 * Not in the list.
2396 			 */
2397 			break;
2398 		} else {
2399 			/*
2400 			 * This is a dead "godchild".
2401 			 */
2402 			pp->pl_dflag = 1;
2403 			pp->pl_exit = (short)status;
2404 			wakeup.w_flags.w_childdeath = 1;
2405 			Gchild = 1;	/* Notice to call cleanaux(). */
2406 			break;
2407 		}
2408 	}
2409 
2410 	(void) sigrelse(SIGPOLL);
2411 }
2412 
2413 /* ARGSUSED */
2414 static void
2415 childeath(int signo)
2416 {
2417 	pid_t pid;
2418 	int status;
2419 
2420 	while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
2421 		childeath_single(pid, status);
2422 }
2423 
2424 static void
2425 powerfail()
2426 {
2427 	(void) nice(-19);
2428 	wakeup.w_flags.w_powerhit = 1;
2429 }
2430 
2431 /*
2432  * efork() forks a child and the parent inserts the process in its table
2433  * of processes that are directly a result of forks that it has performed.
2434  * The child just changes the "global" with the process id for this process
2435  * to it's new value.
2436  * If efork() is called with a pointer into the proc_table it uses that slot,
2437  * otherwise it searches for a free slot.  Regardless of how it was called,
2438  * it returns the pointer to the proc_table entry
2439  *
2440  * The SIGCLD signal is blocked (held) before calling efork()
2441  * and is unblocked (released) after efork() returns.
2442  *
2443  * Ideally, this should be rewritten to use modern signal semantics.
2444  */
2445 static struct PROC_TABLE *
2446 efork(int action, struct PROC_TABLE *process, int modes)
2447 {
2448 	pid_t	childpid;
2449 	struct PROC_TABLE *proc;
2450 	int		i;
2451 	/*
2452 	 * Freshen up the proc_table, removing any entries for dead processes
2453 	 * that don't have NOCLEANUP set.  Perform the necessary accounting.
2454 	 */
2455 	for (proc = proc_table; (proc < proc_table + num_proc); proc++) {
2456 		if ((proc->p_flags & (OCCUPIED|LIVING|NOCLEANUP)) ==
2457 		    (OCCUPIED)) {
2458 			/*
2459 			 * Is this a named process?
2460 			 * If so, do the necessary bookkeeping.
2461 			 */
2462 			if (proc->p_flags & NAMED)
2463 				(void) account(DEAD_PROCESS, proc, NULL);
2464 
2465 			/*
2466 			 * Free this entry for new usage.
2467 			 */
2468 			proc->p_flags = 0;
2469 		}
2470 	}
2471 
2472 	while ((childpid = fork()) == FAILURE) {
2473 		/*
2474 		 * Shorten the alarm timer in case someone else's child dies
2475 		 * and free up a slot in the process table.
2476 		 */
2477 		setimer(5);
2478 
2479 		/*
2480 		 * Wait for some children to die.  Since efork()
2481 		 * is always called with SIGCLD blocked, unblock
2482 		 * it here so that child death signals can come in.
2483 		 */
2484 		(void) sigrelse(SIGCLD);
2485 		(void) pause();
2486 		(void) sighold(SIGCLD);
2487 		setimer(0);
2488 	}
2489 
2490 	if (childpid != 0) {
2491 
2492 		if (process == NULLPROC) {
2493 			/*
2494 			 * No proc table pointer specified so search
2495 			 * for a free slot.
2496 			 */
2497 			for (process = proc_table;  process->p_flags != 0 &&
2498 			    (process < proc_table + num_proc); process++)
2499 					;
2500 
2501 			if (process == (proc_table + num_proc)) {
2502 				int old_proc_table_size = num_proc;
2503 
2504 				/* Increase the process table size */
2505 				increase_proc_table_size();
2506 				if (old_proc_table_size == num_proc) {
2507 					/* didn't grow: memory failure */
2508 					return (NO_ROOM);
2509 				} else {
2510 					process =
2511 					    proc_table + old_proc_table_size;
2512 				}
2513 			}
2514 
2515 			process->p_time = 0L;
2516 			process->p_count = 0;
2517 		}
2518 		process->p_id[0] = '\0';
2519 		process->p_id[1] = '\0';
2520 		process->p_id[2] = '\0';
2521 		process->p_id[3] = '\0';
2522 		process->p_pid = childpid;
2523 		process->p_flags = (LIVING | OCCUPIED | modes);
2524 		process->p_exit = 0;
2525 
2526 		st_write();
2527 	} else {
2528 		if ((action & (M_WAIT | M_BOOTWAIT)) == 0)
2529 			(void) setpgrp();
2530 
2531 		process = NULLPROC;
2532 
2533 		/*
2534 		 * Reset all signals to the system defaults.
2535 		 */
2536 		for (i = SIGHUP; i <= SIGRTMAX; i++)
2537 			(void) sigset(i, SIG_DFL);
2538 
2539 		/*
2540 		 * POSIX B.2.2.2 advises that init should set SIGTTOU,
2541 		 * SIGTTIN, and SIGTSTP to SIG_IGN.
2542 		 *
2543 		 * Make sure that SIGXCPU and SIGXFSZ also remain ignored,
2544 		 * for backward compatibility.
2545 		 */
2546 		(void) sigset(SIGTTIN, SIG_IGN);
2547 		(void) sigset(SIGTTOU, SIG_IGN);
2548 		(void) sigset(SIGTSTP, SIG_IGN);
2549 		(void) sigset(SIGXCPU, SIG_IGN);
2550 		(void) sigset(SIGXFSZ, SIG_IGN);
2551 	}
2552 	return (process);
2553 }
2554 
2555 
2556 /*
2557  * waitproc() waits for a specified process to die.  For this function to
2558  * work, the specified process must already in the proc_table.  waitproc()
2559  * returns the exit status of the specified process when it dies.
2560  */
2561 static long
2562 waitproc(struct PROC_TABLE *process)
2563 {
2564 	int		answer;
2565 	sigset_t	oldmask, newmask, zeromask;
2566 
2567 	(void) sigemptyset(&zeromask);
2568 	(void) sigemptyset(&newmask);
2569 
2570 	(void) sigaddset(&newmask, SIGCLD);
2571 
2572 	/* Block SIGCLD and save the current signal mask */
2573 	if (sigprocmask(SIG_BLOCK, &newmask, &oldmask) < 0)
2574 		perror("SIG_BLOCK error");
2575 
2576 	/*
2577 	 * Wait around until the process dies.
2578 	 */
2579 	if (process->p_flags & LIVING)
2580 		(void) sigsuspend(&zeromask);
2581 
2582 	/* Reset signal mask to unblock SIGCLD */
2583 	if (sigprocmask(SIG_SETMASK, &oldmask, NULL) < 0)
2584 		perror("SIG_SETMASK error");
2585 
2586 	if (process->p_flags & LIVING)
2587 		return (FAILURE);
2588 
2589 	/*
2590 	 * Make sure to only return 16 bits so that answer will always
2591 	 * be positive whenever the process of interest really died.
2592 	 */
2593 	answer = (process->p_exit & 0xffff);
2594 
2595 	/*
2596 	 * Free the slot in the proc_table.
2597 	 */
2598 	process->p_flags = 0;
2599 	return (answer);
2600 }
2601 
2602 /*
2603  * notify_pam_dead(): calls into the PAM framework to close the given session.
2604  */
2605 static void
2606 notify_pam_dead(struct utmpx *up)
2607 {
2608 	pam_handle_t *pamh;
2609 	char user[sizeof (up->ut_user) + 1];
2610 	char ttyn[sizeof (up->ut_line) + 1];
2611 	char host[sizeof (up->ut_host) + 1];
2612 
2613 	/*
2614 	 * PAM does not take care of updating utmpx/wtmpx.
2615 	 */
2616 	(void) snprintf(user, sizeof (user), "%s", up->ut_user);
2617 	(void) snprintf(ttyn, sizeof (ttyn), "%s", up->ut_line);
2618 	(void) snprintf(host, sizeof (host), "%s", up->ut_host);
2619 
2620 	if (pam_start("init", user, NULL, &pamh) == PAM_SUCCESS)  {
2621 		(void) pam_set_item(pamh, PAM_TTY, ttyn);
2622 		(void) pam_set_item(pamh, PAM_RHOST, host);
2623 		(void) pam_close_session(pamh, 0);
2624 		(void) pam_end(pamh, PAM_SUCCESS);
2625 	}
2626 }
2627 
2628 /*
2629  * Check you can access utmpx (As / may be read-only and
2630  * /var may not be mounted yet).
2631  */
2632 static int
2633 access_utmpx(void)
2634 {
2635 	do {
2636 		utmpx_ok = (access(UTMPX, R_OK|W_OK) == 0);
2637 	} while (!utmpx_ok && errno == EINTR);
2638 
2639 	return (utmpx_ok);
2640 }
2641 
2642 /*
2643  * account() updates entries in utmpx and appends new entries to the end of
2644  * wtmpx (assuming they exist).  The program argument indicates the name of
2645  * program if INIT_PROCESS, otherwise should be NULL.
2646  *
2647  * account() only blocks for INIT_PROCESS requests.
2648  *
2649  * Returns non-zero if write failed.
2650  */
2651 static int
2652 account(short state, struct PROC_TABLE *process, char *program)
2653 {
2654 	struct utmpx utmpbuf, *u, *oldu;
2655 	int tmplen;
2656 	char fail_buf[UT_LINE_SZ];
2657 	sigset_t block, unblock;
2658 
2659 	if (!utmpx_ok && !access_utmpx()) {
2660 		return (-1);
2661 	}
2662 
2663 	/*
2664 	 * Set up the prototype for the utmp structure we want to write.
2665 	 */
2666 	u = &utmpbuf;
2667 	(void) memset(u, 0, sizeof (struct utmpx));
2668 
2669 	/*
2670 	 * Fill in the various fields of the utmp structure.
2671 	 */
2672 	u->ut_id[0] = process->p_id[0];
2673 	u->ut_id[1] = process->p_id[1];
2674 	u->ut_id[2] = process->p_id[2];
2675 	u->ut_id[3] = process->p_id[3];
2676 	u->ut_pid = process->p_pid;
2677 
2678 	/*
2679 	 * Fill the "ut_exit" structure.
2680 	 */
2681 	u->ut_exit.e_termination = WTERMSIG(process->p_exit);
2682 	u->ut_exit.e_exit = WEXITSTATUS(process->p_exit);
2683 	u->ut_type = state;
2684 
2685 	(void) time(&u->ut_tv.tv_sec);
2686 
2687 	/*
2688 	 * Block signals for utmp update.
2689 	 */
2690 	(void) sigfillset(&block);
2691 	(void) sigprocmask(SIG_BLOCK, &block, &unblock);
2692 
2693 	/*
2694 	 * See if there already is such an entry in the "utmpx" file.
2695 	 */
2696 	setutxent();	/* Start at beginning of utmpx file. */
2697 
2698 	if ((oldu = getutxid(u)) != NULL) {
2699 		/*
2700 		 * Copy in the old "user", "line" and "host" fields
2701 		 * to our new structure.
2702 		 */
2703 		bcopy(oldu->ut_user, u->ut_user, sizeof (u->ut_user));
2704 		bcopy(oldu->ut_line, u->ut_line, sizeof (u->ut_line));
2705 		bcopy(oldu->ut_host, u->ut_host, sizeof (u->ut_host));
2706 		u->ut_syslen = (tmplen = strlen(u->ut_host)) ?
2707 		    min(tmplen + 1, sizeof (u->ut_host)) : 0;
2708 
2709 		if (oldu->ut_type == USER_PROCESS && state == DEAD_PROCESS) {
2710 			notify_pam_dead(oldu);
2711 		}
2712 	}
2713 
2714 	/*
2715 	 * Perform special accounting. Insert the special string into the
2716 	 * ut_line array. For INIT_PROCESSes put in the name of the
2717 	 * program in the "ut_user" field.
2718 	 */
2719 	switch (state) {
2720 	case INIT_PROCESS:
2721 		(void) strncpy(u->ut_user, program, sizeof (u->ut_user));
2722 		(void) strcpy(fail_buf, "INIT_PROCESS");
2723 		break;
2724 
2725 	default:
2726 		(void) strlcpy(fail_buf, u->ut_id, sizeof (u->ut_id) + 1);
2727 		break;
2728 	}
2729 
2730 	/*
2731 	 * Write out the updated entry to utmpx file.
2732 	 */
2733 	if (pututxline(u) == NULL) {
2734 		console(B_TRUE, "Failed write of utmpx entry: \"%s\": %s\n",
2735 		    fail_buf, strerror(errno));
2736 		endutxent();
2737 		(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
2738 		return (-1);
2739 	}
2740 
2741 	/*
2742 	 * If we're able to write to utmpx, then attempt to add to the
2743 	 * end of the wtmpx file.
2744 	 */
2745 	updwtmpx(WTMPX, u);
2746 
2747 	endutxent();
2748 
2749 	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
2750 
2751 	return (0);
2752 }
2753 
2754 static void
2755 clearent(pid_t pid, short status)
2756 {
2757 	struct utmpx *up;
2758 	sigset_t block, unblock;
2759 
2760 	/*
2761 	 * Block signals for utmp update.
2762 	 */
2763 	(void) sigfillset(&block);
2764 	(void) sigprocmask(SIG_BLOCK, &block, &unblock);
2765 
2766 	/*
2767 	 * No error checking for now.
2768 	 */
2769 
2770 	setutxent();
2771 	while (up = getutxent()) {
2772 		if (up->ut_pid == pid) {
2773 			if (up->ut_type == DEAD_PROCESS) {
2774 				/*
2775 				 * Cleaned up elsewhere.
2776 				 */
2777 				continue;
2778 			}
2779 
2780 			notify_pam_dead(up);
2781 
2782 			up->ut_type = DEAD_PROCESS;
2783 			up->ut_exit.e_termination = WTERMSIG(status);
2784 			up->ut_exit.e_exit = WEXITSTATUS(status);
2785 			(void) time(&up->ut_tv.tv_sec);
2786 
2787 			(void) pututxline(up);
2788 			/*
2789 			 * Now attempt to add to the end of the
2790 			 * wtmp and wtmpx files.  Do not create
2791 			 * if they don't already exist.
2792 			 */
2793 			updwtmpx(WTMPX, up);
2794 
2795 			break;
2796 		}
2797 	}
2798 
2799 	endutxent();
2800 	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
2801 }
2802 
2803 /*
2804  * prog_name() searches for the word or unix path name and
2805  * returns a pointer to the last element of the pathname.
2806  */
2807 static char *
2808 prog_name(char *string)
2809 {
2810 	char	*ptr, *ptr2;
2811 	/* XXX - utmp - fix name length */
2812 	static char word[_POSIX_LOGIN_NAME_MAX];
2813 
2814 	/*
2815 	 * Search for the first word skipping leading spaces and tabs.
2816 	 */
2817 	while (*string == ' ' || *string == '\t')
2818 		string++;
2819 
2820 	/*
2821 	 * If the first non-space non-tab character is not one allowed in
2822 	 * a word, return a pointer to a null string, otherwise parse the
2823 	 * pathname.
2824 	 */
2825 	if (*string != '.' && *string != '/' && *string != '_' &&
2826 	    (*string < 'a' || *string > 'z') &&
2827 	    (*string < 'A' || * string > 'Z') &&
2828 	    (*string < '0' || *string > '9'))
2829 		return ("");
2830 
2831 	/*
2832 	 * Parse the pathname looking forward for '/', ' ', '\t', '\n' or
2833 	 * '\0'.  Each time a '/' is found, move "ptr" to one past the
2834 	 * '/', thus when a ' ', '\t', '\n', or '\0' is found, "ptr" will
2835 	 * point to the last element of the pathname.
2836 	 */
2837 	for (ptr = string; *string != ' ' && *string != '\t' &&
2838 	    *string != '\n' && *string != '\0'; string++) {
2839 		if (*string == '/')
2840 			ptr = string+1;
2841 	}
2842 
2843 	/*
2844 	 * Copy out up to the size of the "ut_user" array into "word",
2845 	 * null terminate it and return a pointer to it.
2846 	 */
2847 	/* XXX - utmp - fix name length */
2848 	for (ptr2 = &word[0]; ptr2 < &word[_POSIX_LOGIN_NAME_MAX - 1] &&
2849 	    ptr < string; /* CSTYLED */)
2850 		*ptr2++ = *ptr++;
2851 
2852 	*ptr2 = '\0';
2853 	return (&word[0]);
2854 }
2855 
2856 
2857 /*
2858  * realcon() returns a nonzero value if there is a character device
2859  * associated with SYSCON that has the same device number as CONSOLE.
2860  */
2861 static int
2862 realcon()
2863 {
2864 	struct stat sconbuf, conbuf;
2865 
2866 	if (stat(SYSCON, &sconbuf) != -1 &&
2867 	    stat(CONSOLE, &conbuf) != -1 &&
2868 	    S_ISCHR(sconbuf.st_mode) &&
2869 	    S_ISCHR(conbuf.st_mode) &&
2870 	    sconbuf.st_rdev == conbuf.st_rdev) {
2871 		return (1);
2872 	} else {
2873 		return (0);
2874 	}
2875 }
2876 
2877 
2878 /*
2879  * get_ioctl_syscon() retrieves the SYSCON settings from the IOCTLSYSCON file.
2880  * Returns true if the IOCTLSYSCON file needs to be written (with
2881  * write_ioctl_syscon() below)
2882  */
2883 static int
2884 get_ioctl_syscon()
2885 {
2886 	FILE	*fp;
2887 	unsigned int	iflags, oflags, cflags, lflags, ldisc, cc[18];
2888 	int		i, valid_format = 0;
2889 
2890 	/*
2891 	 * Read in the previous modes for SYSCON from IOCTLSYSCON.
2892 	 */
2893 	if ((fp = fopen(IOCTLSYSCON, "r")) == NULL) {
2894 		stored_syscon_termios = dflt_termios;
2895 		console(B_TRUE,
2896 		    "warning:%s does not exist, default settings assumed\n",
2897 		    IOCTLSYSCON);
2898 	} else {
2899 
2900 	    i = fscanf(fp,
2901 	    "%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x",
2902 		&iflags, &oflags, &cflags, &lflags,
2903 		&cc[0], &cc[1], &cc[2], &cc[3], &cc[4], &cc[5], &cc[6],
2904 		&cc[7], &cc[8], &cc[9], &cc[10], &cc[11], &cc[12], &cc[13],
2905 		&cc[14], &cc[15], &cc[16], &cc[17]);
2906 
2907 	    if (i == 22) {
2908 		stored_syscon_termios.c_iflag = iflags;
2909 		stored_syscon_termios.c_oflag = oflags;
2910 		stored_syscon_termios.c_cflag = cflags;
2911 		stored_syscon_termios.c_lflag = lflags;
2912 		for (i = 0; i < 18; i++)
2913 			stored_syscon_termios.c_cc[i] = (char)cc[i];
2914 		valid_format = 1;
2915 	    } else if (i == 13) {
2916 		rewind(fp);
2917 		i = fscanf(fp, "%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x",
2918 		    &iflags, &oflags, &cflags, &lflags, &ldisc, &cc[0], &cc[1],
2919 		    &cc[2], &cc[3], &cc[4], &cc[5], &cc[6], &cc[7]);
2920 
2921 		/*
2922 		 * If the file is formatted properly, use the values to
2923 		 * initialize the console terminal condition.
2924 		 */
2925 		stored_syscon_termios.c_iflag = (ushort_t)iflags;
2926 		stored_syscon_termios.c_oflag = (ushort_t)oflags;
2927 		stored_syscon_termios.c_cflag = (ushort_t)cflags;
2928 		stored_syscon_termios.c_lflag = (ushort_t)lflags;
2929 		for (i = 0; i < 8; i++)
2930 			stored_syscon_termios.c_cc[i] = (char)cc[i];
2931 		valid_format = 1;
2932 	    }
2933 	    (void) fclose(fp);
2934 
2935 	    /* If the file is badly formatted, use the default settings. */
2936 	    if (!valid_format)
2937 		stored_syscon_termios = dflt_termios;
2938 	}
2939 
2940 	/* If the file had a bad format, rewrite it later. */
2941 	return (!valid_format);
2942 }
2943 
2944 
2945 static void
2946 write_ioctl_syscon()
2947 {
2948 	FILE *fp;
2949 	int i;
2950 
2951 	(void) unlink(SYSCON);
2952 	(void) link(SYSTTY, SYSCON);
2953 	(void) umask(022);
2954 	fp = fopen(IOCTLSYSCON, "w");
2955 
2956 	(void) fprintf(fp, "%x:%x:%x:%x:0", stored_syscon_termios.c_iflag,
2957 	    stored_syscon_termios.c_oflag, stored_syscon_termios.c_cflag,
2958 	    stored_syscon_termios.c_lflag);
2959 	for (i = 0; i < 8; ++i)
2960 		(void) fprintf(fp, ":%x", stored_syscon_termios.c_cc[i]);
2961 	(void) putc('\n', fp);
2962 
2963 	(void) fflush(fp);
2964 	(void) fsync(fileno(fp));
2965 	(void) fclose(fp);
2966 	(void) umask(cmask);
2967 }
2968 
2969 
2970 /*
2971  * void console(boolean_t, char *, ...)
2972  *   Outputs the requested message to the system console.  Note that the number
2973  *   of arguments passed to console() should be determined by the print format.
2974  *
2975  *   The "prefix" parameter indicates whether or not "INIT: " should precede the
2976  *   message.
2977  *
2978  *   To make sure we write to the console in a sane fashion, we use the modes
2979  *   we keep in stored_syscon_termios (which we read out of /etc/ioctl.syscon).
2980  *   Afterwards we restore whatever modes were already there.
2981  */
2982 /* PRINTFLIKE2 */
2983 static void
2984 console(boolean_t prefix, char *format, ...)
2985 {
2986 	char	outbuf[BUFSIZ];
2987 	va_list	args;
2988 	int fd, getret;
2989 	struct termios old_syscon_termios;
2990 	FILE *f;
2991 
2992 	/*
2993 	 * We open SYSCON anew each time in case it has changed (see
2994 	 * userinit()).
2995 	 */
2996 	if ((fd = open(SYSCON, O_RDWR | O_NOCTTY)) < 0 ||
2997 	    (f = fdopen(fd, "r+")) == NULL) {
2998 		if (prefix)
2999 			syslog(LOG_WARNING, "INIT: ");
3000 		va_start(args, format);
3001 		vsyslog(LOG_WARNING, format, args);
3002 		va_end(args);
3003 		if (fd >= 0)
3004 			(void) close(fd);
3005 		return;
3006 	}
3007 	setbuf(f, &outbuf[0]);
3008 
3009 	getret = tcgetattr(fd, &old_syscon_termios);
3010 	old_syscon_termios.c_cflag &= ~HUPCL;
3011 	if (realcon())
3012 		/* Don't overwrite cflag of real console. */
3013 		stored_syscon_termios.c_cflag = old_syscon_termios.c_cflag;
3014 
3015 	stored_syscon_termios.c_cflag &= ~HUPCL;
3016 
3017 	(void) tcsetattr(fd, TCSANOW, &stored_syscon_termios);
3018 
3019 	if (prefix)
3020 		(void) fprintf(f, "\nINIT: ");
3021 	va_start(args, format);
3022 	(void) vfprintf(f, format, args);
3023 	va_end(args);
3024 
3025 	if (getret == 0)
3026 		(void) tcsetattr(fd, TCSADRAIN, &old_syscon_termios);
3027 
3028 	(void) fclose(f);
3029 }
3030 
3031 /*
3032  * timer() is a substitute for sleep() which uses alarm() and pause().
3033  */
3034 static void
3035 timer(int waitime)
3036 {
3037 	setimer(waitime);
3038 	while (time_up == FALSE)
3039 		(void) pause();
3040 }
3041 
3042 static void
3043 setimer(int timelimit)
3044 {
3045 	alarmclk();
3046 	(void) alarm(timelimit);
3047 	time_up = (timelimit ? FALSE : TRUE);
3048 }
3049 
3050 /*
3051  * Fails with
3052  *   ENOMEM - out of memory
3053  *   ECONNABORTED - repository connection broken
3054  *   EPERM - permission denied
3055  *   EACCES - backend access denied
3056  *   EROFS - backend readonly
3057  */
3058 static int
3059 get_or_add_startd(scf_instance_t *inst)
3060 {
3061 	scf_handle_t *h;
3062 	scf_scope_t *scope = NULL;
3063 	scf_service_t *svc = NULL;
3064 	int ret = 0;
3065 
3066 	h = scf_instance_handle(inst);
3067 
3068 	if (scf_handle_decode_fmri(h, SCF_SERVICE_STARTD, NULL, NULL, inst,
3069 	    NULL, NULL, SCF_DECODE_FMRI_EXACT) == 0)
3070 		return (0);
3071 
3072 	switch (scf_error()) {
3073 	case SCF_ERROR_CONNECTION_BROKEN:
3074 		return (ECONNABORTED);
3075 
3076 	case SCF_ERROR_NOT_FOUND:
3077 		break;
3078 
3079 	case SCF_ERROR_HANDLE_MISMATCH:
3080 	case SCF_ERROR_INVALID_ARGUMENT:
3081 	case SCF_ERROR_CONSTRAINT_VIOLATED:
3082 	default:
3083 		bad_error("scf_handle_decode_fmri", scf_error());
3084 	}
3085 
3086 	/* Make sure we're right, since we're adding piece-by-piece. */
3087 	assert(strcmp(SCF_SERVICE_STARTD,
3088 	    "svc:/system/svc/restarter:default") == 0);
3089 
3090 	if ((scope = scf_scope_create(h)) == NULL ||
3091 	    (svc = scf_service_create(h)) == NULL) {
3092 		ret = ENOMEM;
3093 		goto out;
3094 	}
3095 
3096 get_scope:
3097 	if (scf_handle_get_scope(h, SCF_SCOPE_LOCAL, scope) != 0) {
3098 		switch (scf_error()) {
3099 		case SCF_ERROR_CONNECTION_BROKEN:
3100 			ret = ECONNABORTED;
3101 			goto out;
3102 
3103 		case SCF_ERROR_NOT_FOUND:
3104 			(void) fputs(gettext(
3105 			    "smf(5) repository missing local scope.\n"),
3106 			    stderr);
3107 			exit(1);
3108 			/* NOTREACHED */
3109 
3110 		case SCF_ERROR_HANDLE_MISMATCH:
3111 		case SCF_ERROR_INVALID_ARGUMENT:
3112 		default:
3113 			bad_error("scf_handle_get_scope", scf_error());
3114 		}
3115 	}
3116 
3117 get_svc:
3118 	if (scf_scope_get_service(scope, "system/svc/restarter", svc) != 0) {
3119 		switch (scf_error()) {
3120 		case SCF_ERROR_CONNECTION_BROKEN:
3121 			ret = ECONNABORTED;
3122 			goto out;
3123 
3124 		case SCF_ERROR_DELETED:
3125 			goto get_scope;
3126 
3127 		case SCF_ERROR_NOT_FOUND:
3128 			break;
3129 
3130 		case SCF_ERROR_HANDLE_MISMATCH:
3131 		case SCF_ERROR_INVALID_ARGUMENT:
3132 		case SCF_ERROR_NOT_SET:
3133 		default:
3134 			bad_error("scf_scope_get_service", scf_error());
3135 		}
3136 
3137 add_svc:
3138 		if (scf_scope_add_service(scope, "system/svc/restarter", svc) !=
3139 		    0) {
3140 			switch (scf_error()) {
3141 			case SCF_ERROR_CONNECTION_BROKEN:
3142 				ret = ECONNABORTED;
3143 				goto out;
3144 
3145 			case SCF_ERROR_EXISTS:
3146 				goto get_svc;
3147 
3148 			case SCF_ERROR_PERMISSION_DENIED:
3149 				ret = EPERM;
3150 				goto out;
3151 
3152 			case SCF_ERROR_BACKEND_ACCESS:
3153 				ret = EACCES;
3154 				goto out;
3155 
3156 			case SCF_ERROR_BACKEND_READONLY:
3157 				ret = EROFS;
3158 				goto out;
3159 
3160 			case SCF_ERROR_HANDLE_MISMATCH:
3161 			case SCF_ERROR_INVALID_ARGUMENT:
3162 			case SCF_ERROR_NOT_SET:
3163 			default:
3164 				bad_error("scf_scope_add_service", scf_error());
3165 			}
3166 		}
3167 	}
3168 
3169 get_inst:
3170 	if (scf_service_get_instance(svc, "default", inst) != 0) {
3171 		switch (scf_error()) {
3172 		case SCF_ERROR_CONNECTION_BROKEN:
3173 			ret = ECONNABORTED;
3174 			goto out;
3175 
3176 		case SCF_ERROR_DELETED:
3177 			goto add_svc;
3178 
3179 		case SCF_ERROR_NOT_FOUND:
3180 			break;
3181 
3182 		case SCF_ERROR_HANDLE_MISMATCH:
3183 		case SCF_ERROR_INVALID_ARGUMENT:
3184 		case SCF_ERROR_NOT_SET:
3185 		default:
3186 			bad_error("scf_service_get_instance", scf_error());
3187 		}
3188 
3189 		if (scf_service_add_instance(svc, "default", inst) !=
3190 		    0) {
3191 			switch (scf_error()) {
3192 			case SCF_ERROR_CONNECTION_BROKEN:
3193 				ret = ECONNABORTED;
3194 				goto out;
3195 
3196 			case SCF_ERROR_DELETED:
3197 				goto add_svc;
3198 
3199 			case SCF_ERROR_EXISTS:
3200 				goto get_inst;
3201 
3202 			case SCF_ERROR_PERMISSION_DENIED:
3203 				ret = EPERM;
3204 				goto out;
3205 
3206 			case SCF_ERROR_BACKEND_ACCESS:
3207 				ret = EACCES;
3208 				goto out;
3209 
3210 			case SCF_ERROR_BACKEND_READONLY:
3211 				ret = EROFS;
3212 				goto out;
3213 
3214 			case SCF_ERROR_HANDLE_MISMATCH:
3215 			case SCF_ERROR_INVALID_ARGUMENT:
3216 			case SCF_ERROR_NOT_SET:
3217 			default:
3218 				bad_error("scf_service_add_instance",
3219 				    scf_error());
3220 			}
3221 		}
3222 	}
3223 
3224 	ret = 0;
3225 
3226 out:
3227 	scf_service_destroy(svc);
3228 	scf_scope_destroy(scope);
3229 	return (ret);
3230 }
3231 
3232 /*
3233  * Fails with
3234  *   ECONNABORTED - repository connection broken
3235  *   ECANCELED - the transaction's property group was deleted
3236  */
3237 static int
3238 transaction_add_set(scf_transaction_t *tx, scf_transaction_entry_t *ent,
3239     const char *pname, scf_type_t type)
3240 {
3241 change_type:
3242 	if (scf_transaction_property_change_type(tx, ent, pname, type) == 0)
3243 		return (0);
3244 
3245 	switch (scf_error()) {
3246 	case SCF_ERROR_CONNECTION_BROKEN:
3247 		return (ECONNABORTED);
3248 
3249 	case SCF_ERROR_DELETED:
3250 		return (ECANCELED);
3251 
3252 	case SCF_ERROR_NOT_FOUND:
3253 		goto new;
3254 
3255 	case SCF_ERROR_HANDLE_MISMATCH:
3256 	case SCF_ERROR_INVALID_ARGUMENT:
3257 	case SCF_ERROR_NOT_BOUND:
3258 	case SCF_ERROR_NOT_SET:
3259 	default:
3260 		bad_error("scf_transaction_property_change_type", scf_error());
3261 	}
3262 
3263 new:
3264 	if (scf_transaction_property_new(tx, ent, pname, type) == 0)
3265 		return (0);
3266 
3267 	switch (scf_error()) {
3268 	case SCF_ERROR_CONNECTION_BROKEN:
3269 		return (ECONNABORTED);
3270 
3271 	case SCF_ERROR_DELETED:
3272 		return (ECANCELED);
3273 
3274 	case SCF_ERROR_EXISTS:
3275 		goto change_type;
3276 
3277 	case SCF_ERROR_HANDLE_MISMATCH:
3278 	case SCF_ERROR_INVALID_ARGUMENT:
3279 	case SCF_ERROR_NOT_BOUND:
3280 	case SCF_ERROR_NOT_SET:
3281 	default:
3282 		bad_error("scf_transaction_property_new", scf_error());
3283 		/* NOTREACHED */
3284 	}
3285 }
3286 
3287 static void
3288 scferr(void)
3289 {
3290 	switch (scf_error()) {
3291 	case SCF_ERROR_NO_MEMORY:
3292 		console(B_TRUE, gettext("Out of memory.\n"));
3293 		break;
3294 
3295 	case SCF_ERROR_CONNECTION_BROKEN:
3296 		console(B_TRUE, gettext(
3297 		    "Connection to smf(5) repository server broken.\n"));
3298 		break;
3299 
3300 	case SCF_ERROR_NO_RESOURCES:
3301 		console(B_TRUE, gettext(
3302 		    "smf(5) repository server is out of memory.\n"));
3303 		break;
3304 
3305 	case SCF_ERROR_PERMISSION_DENIED:
3306 		console(B_TRUE, gettext("Insufficient privileges.\n"));
3307 		break;
3308 
3309 	default:
3310 		console(B_TRUE, gettext("libscf error: %s\n"),
3311 		    scf_strerror(scf_error()));
3312 	}
3313 }
3314 
3315 static void
3316 lscf_set_runlevel(char rl)
3317 {
3318 	scf_handle_t *h;
3319 	scf_instance_t *inst = NULL;
3320 	scf_propertygroup_t *pg = NULL;
3321 	scf_transaction_t *tx = NULL;
3322 	scf_transaction_entry_t *ent = NULL;
3323 	scf_value_t *val = NULL;
3324 	char buf[2];
3325 	int r;
3326 
3327 	h = scf_handle_create(SCF_VERSION);
3328 	if (h == NULL) {
3329 		scferr();
3330 		return;
3331 	}
3332 
3333 	if (scf_handle_bind(h) != 0) {
3334 		switch (scf_error()) {
3335 		case SCF_ERROR_NO_SERVER:
3336 			console(B_TRUE,
3337 			    gettext("smf(5) repository server not running.\n"));
3338 			goto bail;
3339 
3340 		default:
3341 			scferr();
3342 			goto bail;
3343 		}
3344 	}
3345 
3346 	if ((inst = scf_instance_create(h)) == NULL ||
3347 	    (pg = scf_pg_create(h)) == NULL ||
3348 	    (val = scf_value_create(h)) == NULL ||
3349 	    (tx = scf_transaction_create(h)) == NULL ||
3350 	    (ent = scf_entry_create(h)) == NULL) {
3351 		scferr();
3352 		goto bail;
3353 	}
3354 
3355 get_inst:
3356 	r = get_or_add_startd(inst);
3357 	switch (r) {
3358 	case 0:
3359 		break;
3360 
3361 	case ENOMEM:
3362 	case ECONNABORTED:
3363 	case EPERM:
3364 	case EACCES:
3365 	case EROFS:
3366 		scferr();
3367 		goto bail;
3368 	default:
3369 		bad_error("get_or_add_startd", r);
3370 	}
3371 
3372 get_pg:
3373 	if (scf_instance_get_pg(inst, SCF_PG_OPTIONS_OVR, pg) != 0) {
3374 		switch (scf_error()) {
3375 		case SCF_ERROR_CONNECTION_BROKEN:
3376 			scferr();
3377 			goto bail;
3378 
3379 		case SCF_ERROR_DELETED:
3380 			goto get_inst;
3381 
3382 		case SCF_ERROR_NOT_FOUND:
3383 			break;
3384 
3385 		case SCF_ERROR_HANDLE_MISMATCH:
3386 		case SCF_ERROR_INVALID_ARGUMENT:
3387 		case SCF_ERROR_NOT_SET:
3388 		default:
3389 			bad_error("scf_instance_get_pg", scf_error());
3390 		}
3391 
3392 add_pg:
3393 		if (scf_instance_add_pg(inst, SCF_PG_OPTIONS_OVR,
3394 		    SCF_PG_OPTIONS_OVR_TYPE, SCF_PG_OPTIONS_OVR_FLAGS, pg) !=
3395 		    0) {
3396 			switch (scf_error()) {
3397 			case SCF_ERROR_CONNECTION_BROKEN:
3398 			case SCF_ERROR_PERMISSION_DENIED:
3399 			case SCF_ERROR_BACKEND_ACCESS:
3400 				scferr();
3401 				goto bail;
3402 
3403 			case SCF_ERROR_DELETED:
3404 				goto get_inst;
3405 
3406 			case SCF_ERROR_EXISTS:
3407 				goto get_pg;
3408 
3409 			case SCF_ERROR_HANDLE_MISMATCH:
3410 			case SCF_ERROR_INVALID_ARGUMENT:
3411 			case SCF_ERROR_NOT_SET:
3412 			default:
3413 				bad_error("scf_instance_add_pg", scf_error());
3414 			}
3415 		}
3416 	}
3417 
3418 	buf[0] = rl;
3419 	buf[1] = '\0';
3420 	r = scf_value_set_astring(val, buf);
3421 	assert(r == 0);
3422 
3423 	for (;;) {
3424 		if (scf_transaction_start(tx, pg) != 0) {
3425 			switch (scf_error()) {
3426 			case SCF_ERROR_CONNECTION_BROKEN:
3427 			case SCF_ERROR_PERMISSION_DENIED:
3428 			case SCF_ERROR_BACKEND_ACCESS:
3429 				scferr();
3430 				goto bail;
3431 
3432 			case SCF_ERROR_DELETED:
3433 				goto add_pg;
3434 
3435 			case SCF_ERROR_HANDLE_MISMATCH:
3436 			case SCF_ERROR_NOT_BOUND:
3437 			case SCF_ERROR_IN_USE:
3438 			case SCF_ERROR_NOT_SET:
3439 			default:
3440 				bad_error("scf_transaction_start", scf_error());
3441 			}
3442 		}
3443 
3444 		r = transaction_add_set(tx, ent, "runlevel", SCF_TYPE_ASTRING);
3445 		switch (r) {
3446 		case 0:
3447 			break;
3448 
3449 		case ECONNABORTED:
3450 			scferr();
3451 			goto bail;
3452 
3453 		case ECANCELED:
3454 			scf_transaction_reset(tx);
3455 			goto add_pg;
3456 
3457 		default:
3458 			bad_error("transaction_add_set", r);
3459 		}
3460 
3461 		r = scf_entry_add_value(ent, val);
3462 		assert(r == 0);
3463 
3464 		r = scf_transaction_commit(tx);
3465 		if (r == 1)
3466 			break;
3467 
3468 		if (r != 0) {
3469 			switch (scf_error()) {
3470 			case SCF_ERROR_CONNECTION_BROKEN:
3471 			case SCF_ERROR_PERMISSION_DENIED:
3472 			case SCF_ERROR_BACKEND_ACCESS:
3473 			case SCF_ERROR_BACKEND_READONLY:
3474 				scferr();
3475 				goto bail;
3476 
3477 			case SCF_ERROR_DELETED:
3478 				scf_transaction_reset(tx);
3479 				goto add_pg;
3480 
3481 			case SCF_ERROR_INVALID_ARGUMENT:
3482 			case SCF_ERROR_NOT_BOUND:
3483 			case SCF_ERROR_NOT_SET:
3484 			default:
3485 				bad_error("scf_transaction_commit",
3486 				    scf_error());
3487 			}
3488 		}
3489 
3490 		scf_transaction_reset(tx);
3491 		(void) scf_pg_update(pg);
3492 	}
3493 
3494 bail:
3495 	scf_transaction_destroy(tx);
3496 	scf_entry_destroy(ent);
3497 	scf_value_destroy(val);
3498 	scf_pg_destroy(pg);
3499 	scf_instance_destroy(inst);
3500 
3501 	(void) scf_handle_unbind(h);
3502 	scf_handle_destroy(h);
3503 }
3504 
3505 /*
3506  * Function to handle requests from users to main init running as process 1.
3507  */
3508 static void
3509 userinit(int argc, char **argv)
3510 {
3511 	FILE	*fp;
3512 	char	*ln;
3513 	int	init_signal;
3514 	struct stat	sconbuf, conbuf;
3515 	const char *usage_msg = "Usage: init [0123456SsQqabc]\n";
3516 
3517 	/*
3518 	 * We are a user invoked init.  Is there an argument and is it
3519 	 * a single character?  If not, print usage message and quit.
3520 	 */
3521 	if (argc != 2 || argv[1][1] != '\0') {
3522 		(void) fprintf(stderr, usage_msg);
3523 		exit(0);
3524 	}
3525 
3526 	if ((init_signal = lvlname_to_state((char)argv[1][0])) == -1) {
3527 		(void) fprintf(stderr, usage_msg);
3528 		(void) audit_put_record(ADT_FAILURE, ADT_FAIL_VALUE_BAD_CMD,
3529 		    argv[1]);
3530 		exit(1);
3531 	}
3532 
3533 	if (init_signal == SINGLE_USER) {
3534 		/*
3535 		 * Make sure this process is talking to a legal tty line
3536 		 * and that /dev/syscon is linked to this line.
3537 		 */
3538 		ln = ttyname(0);	/* Get the name of tty */
3539 		if (ln == NULL) {
3540 			(void) fprintf(stderr,
3541 			    "Standard input not a tty line\n");
3542 			(void) audit_put_record(ADT_FAILURE,
3543 			    ADT_FAIL_VALUE_BAD_TTY, argv[1]);
3544 			exit(1);
3545 		}
3546 
3547 		if ((stat(ln, &sconbuf) != -1) &&
3548 		    (stat(SYSCON, &conbuf) == -1 ||
3549 		    sconbuf.st_rdev != conbuf.st_rdev)) {
3550 			/*
3551 			 * /dev/syscon needs to change.
3552 			 * Unlink /dev/syscon and relink it to the current line.
3553 			 */
3554 			if (lstat(SYSCON, &conbuf) != -1 &&
3555 			    unlink(SYSCON) == FAILURE) {
3556 				perror("Can't unlink /dev/syscon");
3557 				(void) fprintf(stderr,
3558 				    "Run command on the system console.\n");
3559 				(void) audit_put_record(ADT_FAILURE,
3560 				    ADT_FAIL_VALUE_PROGRAM, argv[1]);
3561 				exit(1);
3562 			}
3563 			if (symlink(ln, SYSCON) == FAILURE) {
3564 				(void) fprintf(stderr,
3565 				    "Can't symlink /dev/syscon to %s: %s", ln,
3566 				    strerror(errno));
3567 
3568 				/* Try to leave a syscon */
3569 				(void) link(SYSTTY, SYSCON);
3570 				(void) audit_put_record(ADT_FAILURE,
3571 				    ADT_FAIL_VALUE_PROGRAM, argv[1]);
3572 				exit(1);
3573 			}
3574 
3575 			/*
3576 			 * Try to leave a message on system console saying where
3577 			 * /dev/syscon is currently connected.
3578 			 */
3579 			if ((fp = fopen(SYSTTY, "r+")) != NULL) {
3580 				(void) fprintf(fp,
3581 				    "\n****	SYSCON CHANGED TO %s	****\n",
3582 				    ln);
3583 				(void) fclose(fp);
3584 			}
3585 		}
3586 	}
3587 
3588 	update_boot_archive(init_signal);
3589 
3590 	(void) audit_put_record(ADT_SUCCESS, ADT_SUCCESS, argv[1]);
3591 
3592 	/*
3593 	 * Signal init; init will take care of telling svc.startd.
3594 	 */
3595 	if (kill(init_pid, init_signal) == FAILURE) {
3596 		(void) fprintf(stderr, "Must be super-user\n");
3597 		(void) audit_put_record(ADT_FAILURE,
3598 		    ADT_FAIL_VALUE_AUTH, argv[1]);
3599 		exit(1);
3600 	}
3601 
3602 	exit(0);
3603 }
3604 
3605 
3606 #define	DELTA	25	/* Number of pidlist elements to allocate at a time */
3607 
3608 /* ARGSUSED */
3609 void
3610 sigpoll(int n)
3611 {
3612 	struct pidrec prec;
3613 	struct pidrec *p = &prec;
3614 	struct pidlist *plp;
3615 	struct pidlist *tp, *savetp;
3616 	int i;
3617 
3618 	if (Pfd < 0) {
3619 		return;
3620 	}
3621 
3622 	for (;;) {
3623 		/*
3624 		 * Important Note: Either read will really fail (in which case
3625 		 * return is all we can do) or will get EAGAIN (Pfd was opened
3626 		 * O_NDELAY), in which case we also want to return.
3627 		 * Always return from here!
3628 		 */
3629 		if (read(Pfd, p, sizeof (struct pidrec)) !=
3630 						sizeof (struct pidrec)) {
3631 			return;
3632 		}
3633 		switch (p->pd_type) {
3634 
3635 		case ADDPID:
3636 			/*
3637 			 * New "godchild", add to list.
3638 			 */
3639 			if (Plfree == NULL) {
3640 				plp = (struct pidlist *)calloc(DELTA,
3641 				    sizeof (struct pidlist));
3642 				if (plp == NULL) {
3643 					/* Can't save pid */
3644 					break;
3645 				}
3646 				/*
3647 				 * Point at 2nd record allocated, we'll use plp.
3648 				 */
3649 				tp = plp + 1;
3650 				/*
3651 				 * Link them into a chain.
3652 				 */
3653 				Plfree = tp;
3654 				for (i = 0; i < DELTA - 2; i++) {
3655 					tp->pl_next = tp + 1;
3656 					tp++;
3657 				}
3658 			} else {
3659 				plp = Plfree;
3660 				Plfree = plp->pl_next;
3661 			}
3662 			plp->pl_pid = p->pd_pid;
3663 			plp->pl_dflag = 0;
3664 			plp->pl_next = NULL;
3665 			/*
3666 			 * Note - pid list is kept in increasing order of pids.
3667 			 */
3668 			if (Plhead == NULL) {
3669 				Plhead = plp;
3670 				/* Back up to read next record */
3671 				break;
3672 			} else {
3673 				savetp = tp = Plhead;
3674 				while (tp) {
3675 					if (plp->pl_pid > tp->pl_pid) {
3676 						savetp = tp;
3677 						tp = tp->pl_next;
3678 						continue;
3679 					} else if (plp->pl_pid < tp->pl_pid) {
3680 						if (tp == Plhead) {
3681 							plp->pl_next = Plhead;
3682 							Plhead = plp;
3683 						} else {
3684 							plp->pl_next =
3685 							    savetp->pl_next;
3686 							savetp->pl_next = plp;
3687 						}
3688 						break;
3689 					} else {
3690 						/* Already in list! */
3691 						plp->pl_next = Plfree;
3692 						Plfree = plp;
3693 						break;
3694 					}
3695 				}
3696 				if (tp == NULL) {
3697 					/* Add to end of list */
3698 					savetp->pl_next = plp;
3699 				}
3700 			}
3701 			/* Back up to read next record. */
3702 			break;
3703 
3704 		case REMPID:
3705 			/*
3706 			 * This one was handled by someone else,
3707 			 * purge it from the list.
3708 			 */
3709 			if (Plhead == NULL) {
3710 				/* Back up to read next record. */
3711 				break;
3712 			}
3713 			savetp = tp = Plhead;
3714 			while (tp) {
3715 				if (p->pd_pid > tp->pl_pid) {
3716 					/* Keep on looking. */
3717 					savetp = tp;
3718 					tp = tp->pl_next;
3719 					continue;
3720 				} else if (p->pd_pid < tp->pl_pid) {
3721 					/* Not in list. */
3722 					break;
3723 				} else {
3724 					/* Found it. */
3725 					if (tp == Plhead)
3726 						Plhead = tp->pl_next;
3727 					else
3728 						savetp->pl_next = tp->pl_next;
3729 					tp->pl_next = Plfree;
3730 					Plfree = tp;
3731 					break;
3732 				}
3733 			}
3734 			/* Back up to read next record. */
3735 			break;
3736 		default:
3737 			console(B_TRUE, "Bad message on initpipe\n");
3738 			break;
3739 		}
3740 	}
3741 }
3742 
3743 
3744 static void
3745 cleanaux()
3746 {
3747 	struct pidlist *savep, *p;
3748 	pid_t	pid;
3749 	short	status;
3750 
3751 	(void) sighold(SIGCLD);
3752 	Gchild = 0;	/* Note - Safe to do this here since no SIGCLDs */
3753 	(void) sighold(SIGPOLL);
3754 	savep = p = Plhead;
3755 	while (p) {
3756 		if (p->pl_dflag) {
3757 			/*
3758 			 * Found an entry to delete,
3759 			 * remove it from list first.
3760 			 */
3761 			pid = p->pl_pid;
3762 			status = p->pl_exit;
3763 			if (p == Plhead) {
3764 				Plhead = p->pl_next;
3765 				p->pl_next = Plfree;
3766 				Plfree = p;
3767 				savep = p = Plhead;
3768 			} else {
3769 				savep->pl_next = p->pl_next;
3770 				p->pl_next = Plfree;
3771 				Plfree = p;
3772 				p = savep->pl_next;
3773 			}
3774 			clearent(pid, status);
3775 			continue;
3776 		}
3777 		savep = p;
3778 		p = p->pl_next;
3779 	}
3780 	(void) sigrelse(SIGPOLL);
3781 	(void) sigrelse(SIGCLD);
3782 }
3783 
3784 
3785 /*
3786  * /etc/inittab has more entries and we have run out of room in the proc_table
3787  * array. Double the size of proc_table to accomodate the extra entries.
3788  */
3789 static void
3790 increase_proc_table_size()
3791 {
3792 	sigset_t block, unblock;
3793 	void *ptr;
3794 	size_t delta = num_proc * sizeof (struct PROC_TABLE);
3795 
3796 
3797 	/*
3798 	 * Block signals for realloc.
3799 	 */
3800 	(void) sigfillset(&block);
3801 	(void) sigprocmask(SIG_BLOCK, &block, &unblock);
3802 
3803 
3804 	/*
3805 	 * On failure we just return because callers of this function check
3806 	 * for failure.
3807 	 */
3808 	do
3809 		ptr = realloc(g_state, g_state_sz + delta);
3810 	while (ptr == NULL && errno == EAGAIN);
3811 
3812 	if (ptr != NULL) {
3813 		/* ensure that the new part is initialized to zero */
3814 		bzero((caddr_t)ptr + g_state_sz, delta);
3815 
3816 		g_state = ptr;
3817 		g_state_sz += delta;
3818 		num_proc <<= 1;
3819 	}
3820 
3821 
3822 	/* unblock our signals before returning */
3823 	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
3824 }
3825 
3826 
3827 
3828 /*
3829  * Sanity check g_state.
3830  */
3831 static int
3832 st_sane()
3833 {
3834 	int i;
3835 	struct PROC_TABLE *ptp;
3836 
3837 
3838 	/* Note: cur_state is encoded as a signal number */
3839 	if (cur_state < 1 || cur_state == 9 || cur_state > 13)
3840 		return (0);
3841 
3842 	/* Check num_proc */
3843 	if (g_state_sz != sizeof (struct init_state) + (num_proc - 1) *
3844 	    sizeof (struct PROC_TABLE))
3845 		return (0);
3846 
3847 	/* Check proc_table */
3848 	for (i = 0, ptp = proc_table; i < num_proc; ++i, ++ptp) {
3849 		/* skip unoccupied entries */
3850 		if (!(ptp->p_flags & OCCUPIED))
3851 			continue;
3852 
3853 		/* p_flags has no bits outside of PF_MASK */
3854 		if (ptp->p_flags & ~(PF_MASK))
3855 			return (0);
3856 
3857 		/* 5 <= pid <= MAXPID */
3858 		if (ptp->p_pid < 5 || ptp->p_pid > MAXPID)
3859 			return (0);
3860 
3861 		/* p_count >= 0 */
3862 		if (ptp->p_count < 0)
3863 			return (0);
3864 
3865 		/* p_time >= 0 */
3866 		if (ptp->p_time < 0)
3867 			return (0);
3868 	}
3869 
3870 	return (1);
3871 }
3872 
3873 /*
3874  * Initialize our state.
3875  *
3876  * If the system just booted, then init_state_file, which is located on an
3877  * everpresent tmpfs filesystem, should not exist.
3878  *
3879  * If we were restarted, then init_state_file should exist, in
3880  * which case we'll read it in, sanity check it, and use it.
3881  *
3882  * Note: You can't call console() until proc_table is ready.
3883  */
3884 void
3885 st_init()
3886 {
3887 	struct stat stb;
3888 	int ret, st_fd, insane = 0;
3889 	size_t to_be_read;
3890 	char *ptr;
3891 
3892 
3893 	booting = 1;
3894 
3895 	do {
3896 		/*
3897 		 * If we can exclusively create the file, then we're the
3898 		 * initial invocation of init(1M).
3899 		 */
3900 		st_fd = open(init_state_file, O_RDWR | O_CREAT | O_EXCL,
3901 		    S_IRUSR | S_IWUSR);
3902 	} while (st_fd == -1 && errno == EINTR);
3903 	if (st_fd != -1)
3904 		goto new_state;
3905 
3906 	booting = 0;
3907 
3908 	do {
3909 		st_fd = open(init_state_file, O_RDWR, S_IRUSR | S_IWUSR);
3910 	} while (st_fd == -1 && errno == EINTR);
3911 	if (st_fd == -1)
3912 		goto new_state;
3913 
3914 	/* Get the size of the file. */
3915 	do
3916 		ret = fstat(st_fd, &stb);
3917 	while (ret == -1 && errno == EINTR);
3918 	if (ret == -1)
3919 		goto new_state;
3920 
3921 	do
3922 		g_state = malloc(stb.st_size);
3923 	while (g_state == NULL && errno == EAGAIN);
3924 	if (g_state == NULL)
3925 		goto new_state;
3926 
3927 	to_be_read = stb.st_size;
3928 	ptr = (char *)g_state;
3929 	while (to_be_read > 0) {
3930 		ssize_t read_ret;
3931 
3932 		read_ret = read(st_fd, ptr, to_be_read);
3933 		if (read_ret < 0) {
3934 			if (errno == EINTR)
3935 				continue;
3936 
3937 			goto new_state;
3938 		}
3939 
3940 		to_be_read -= read_ret;
3941 		ptr += read_ret;
3942 	}
3943 
3944 	(void) close(st_fd);
3945 
3946 	g_state_sz = stb.st_size;
3947 
3948 	if (st_sane()) {
3949 		console(B_TRUE, "Restarting.\n");
3950 		return;
3951 	}
3952 
3953 	insane = 1;
3954 
3955 new_state:
3956 	if (st_fd >= 0)
3957 		(void) close(st_fd);
3958 	else
3959 		(void) unlink(init_state_file);
3960 
3961 	if (g_state != NULL)
3962 		free(g_state);
3963 
3964 	/* Something went wrong, so allocate new state. */
3965 	g_state_sz = sizeof (struct init_state) +
3966 	    ((init_num_proc - 1) * sizeof (struct PROC_TABLE));
3967 	do
3968 		g_state = calloc(1, g_state_sz);
3969 	while (g_state == NULL && errno == EAGAIN);
3970 	if (g_state == NULL) {
3971 		/* Fatal error! */
3972 		exit(errno);
3973 	}
3974 
3975 	g_state->ist_runlevel = -1;
3976 	num_proc = init_num_proc;
3977 
3978 	if (!booting) {
3979 		console(B_TRUE, "Restarting.\n");
3980 
3981 		/* Overwrite the bad state file. */
3982 		st_write();
3983 
3984 		if (!insane) {
3985 			console(B_TRUE,
3986 			    "Error accessing persistent state file `%s'.  "
3987 			    "Ignored.\n", init_state_file);
3988 		} else {
3989 			console(B_TRUE,
3990 			    "Persistent state file `%s' is invalid and was "
3991 			    "ignored.\n", init_state_file);
3992 		}
3993 	}
3994 }
3995 
3996 /*
3997  * Write g_state out to the state file.
3998  */
3999 void
4000 st_write()
4001 {
4002 	static int complained = 0;
4003 
4004 	int st_fd;
4005 	char *cp;
4006 	size_t sz;
4007 	ssize_t ret;
4008 
4009 
4010 	do {
4011 		st_fd = open(init_next_state_file,
4012 		    O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
4013 	} while (st_fd < 0 && errno == EINTR);
4014 	if (st_fd < 0)
4015 		goto err;
4016 
4017 	cp = (char *)g_state;
4018 	sz = g_state_sz;
4019 	while (sz > 0) {
4020 		ret = write(st_fd, cp, sz);
4021 		if (ret < 0) {
4022 			if (errno == EINTR)
4023 				continue;
4024 
4025 			goto err;
4026 		}
4027 
4028 		sz -= ret;
4029 		cp += ret;
4030 	}
4031 
4032 	(void) close(st_fd);
4033 	st_fd = -1;
4034 	if (rename(init_next_state_file, init_state_file)) {
4035 		(void) unlink(init_next_state_file);
4036 		goto err;
4037 	}
4038 	complained = 0;
4039 
4040 	return;
4041 
4042 err:
4043 	if (st_fd >= 0)
4044 		(void) close(st_fd);
4045 
4046 	if (!booting && !complained) {
4047 		/*
4048 		 * Only complain after the filesystem should have come up.
4049 		 * And only do it once so we don't loop between console()
4050 		 * & efork().
4051 		 */
4052 		complained = 1;
4053 		if (st_fd)
4054 			console(B_TRUE, "Couldn't write persistent state "
4055 			    "file `%s'.\n", init_state_file);
4056 		else
4057 			console(B_TRUE, "Couldn't move persistent state "
4058 			    "file `%s' to `%s'.\n", init_next_state_file,
4059 			    init_state_file);
4060 	}
4061 }
4062 
4063 /*
4064  * Create a contract with these parameters.
4065  */
4066 static int
4067 contract_make_template(uint_t info, uint_t critical, uint_t fatal,
4068     uint64_t cookie)
4069 {
4070 	int fd, err;
4071 
4072 	char *ioctl_tset_emsg =
4073 	    "Couldn't set \"%s\" contract template parameter: %s.\n";
4074 
4075 	do
4076 		fd = open64(CTFS_ROOT "/process/template", O_RDWR);
4077 	while (fd < 0 && errno == EINTR);
4078 	if (fd < 0) {
4079 		console(B_TRUE, "Couldn't create process template: %s.\n",
4080 		    strerror(errno));
4081 		return (-1);
4082 	}
4083 
4084 	if (err = ct_pr_tmpl_set_param(fd, CT_PR_INHERIT | CT_PR_REGENT))
4085 		console(B_TRUE, "Contract set template inherit, regent "
4086 		    "failed: %s.\n", strerror(err));
4087 
4088 	/*
4089 	 * These errors result in a misconfigured template, which is better
4090 	 * than no template at all, so warn but don't abort.
4091 	 */
4092 	if (err = ct_tmpl_set_informative(fd, info))
4093 		console(B_TRUE, ioctl_tset_emsg, "informative", strerror(err));
4094 
4095 	if (err = ct_tmpl_set_critical(fd, critical))
4096 		console(B_TRUE, ioctl_tset_emsg, "critical", strerror(err));
4097 
4098 	if (err = ct_pr_tmpl_set_fatal(fd, fatal))
4099 		console(B_TRUE, ioctl_tset_emsg, "fatal", strerror(err));
4100 
4101 	if (err = ct_tmpl_set_cookie(fd, cookie))
4102 		console(B_TRUE, ioctl_tset_emsg, "cookie", strerror(err));
4103 
4104 	(void) fcntl(fd, F_SETFD, FD_CLOEXEC);
4105 
4106 	return (fd);
4107 }
4108 
4109 /*
4110  * Create the templates and open an event file descriptor.  We use dup2(2) to
4111  * get these descriptors away from the stdin/stdout/stderr group.
4112  */
4113 static void
4114 contracts_init()
4115 {
4116 	int err, fd;
4117 
4118 	/*
4119 	 * Create & configure a legacy template.  We only want empty events so
4120 	 * we know when to abandon them.
4121 	 */
4122 	legacy_tmpl = contract_make_template(0, CT_PR_EV_EMPTY, CT_PR_EV_HWERR,
4123 	    ORDINARY_COOKIE);
4124 	if (legacy_tmpl >= 0) {
4125 		err = ct_tmpl_activate(legacy_tmpl);
4126 		if (err != 0) {
4127 			(void) close(legacy_tmpl);
4128 			legacy_tmpl = -1;
4129 			console(B_TRUE,
4130 			    "Couldn't activate legacy template (%s); "
4131 			    "legacy services will be in init's contract.\n",
4132 			    strerror(err));
4133 		}
4134 	} else
4135 		console(B_TRUE,
4136 		    "Legacy services will be in init's contract.\n");
4137 
4138 	if (dup2(legacy_tmpl, 255) == -1) {
4139 		console(B_TRUE, "Could not duplicate legacy template: %s.\n",
4140 		    strerror(errno));
4141 	} else {
4142 		(void) close(legacy_tmpl);
4143 		legacy_tmpl = 255;
4144 	}
4145 
4146 	(void) fcntl(legacy_tmpl, F_SETFD, FD_CLOEXEC);
4147 
4148 	startd_tmpl = contract_make_template(0, CT_PR_EV_EMPTY,
4149 	    CT_PR_EV_HWERR | CT_PR_EV_SIGNAL | CT_PR_EV_CORE, STARTD_COOKIE);
4150 
4151 	if (dup2(startd_tmpl, 254) == -1) {
4152 		console(B_TRUE, "Could not duplicate startd template: %s.\n",
4153 		    strerror(errno));
4154 	} else {
4155 		(void) close(startd_tmpl);
4156 		startd_tmpl = 254;
4157 	}
4158 
4159 	(void) fcntl(startd_tmpl, F_SETFD, FD_CLOEXEC);
4160 
4161 	if (legacy_tmpl < 0 && startd_tmpl < 0) {
4162 		/* The creation errors have already been reported. */
4163 		console(B_TRUE,
4164 		    "Ignoring contract events.  Core smf(5) services will not "
4165 		    "be restarted.\n");
4166 		return;
4167 	}
4168 
4169 	/*
4170 	 * Open an event endpoint.
4171 	 */
4172 	do
4173 		fd = open64(CTFS_ROOT "/process/pbundle", O_RDONLY);
4174 	while (fd < 0 && errno == EINTR);
4175 	if (fd < 0) {
4176 		console(B_TRUE,
4177 		    "Couldn't open process pbundle: %s.  Core smf(5) services "
4178 		    "will not be restarted.\n", strerror(errno));
4179 		return;
4180 	}
4181 
4182 	if (dup2(fd, 253) == -1) {
4183 		console(B_TRUE, "Could not duplicate process bundle: %s.\n",
4184 		    strerror(errno));
4185 	} else {
4186 		(void) close(fd);
4187 		fd = 253;
4188 	}
4189 
4190 	(void) fcntl(fd, F_SETFD, FD_CLOEXEC);
4191 
4192 	/* Reset in case we've been restarted. */
4193 	(void) ct_event_reset(fd);
4194 
4195 	poll_fds[0].fd = fd;
4196 	poll_fds[0].events = POLLIN;
4197 	poll_nfds = 1;
4198 }
4199 
4200 static int
4201 contract_getfile(ctid_t id, const char *name, int oflag)
4202 {
4203 	int fd;
4204 
4205 	do
4206 		fd = contract_open(id, "process", name, oflag);
4207 	while (fd < 0 && errno == EINTR);
4208 
4209 	if (fd < 0)
4210 		console(B_TRUE, "Couldn't open %s for contract %ld: %s.\n",
4211 		    name, id, strerror(errno));
4212 
4213 	return (fd);
4214 }
4215 
4216 static int
4217 contract_cookie(ctid_t id, uint64_t *cp)
4218 {
4219 	int fd, err;
4220 	ct_stathdl_t sh;
4221 
4222 	fd = contract_getfile(id, "status", O_RDONLY);
4223 	if (fd < 0)
4224 		return (-1);
4225 
4226 	err = ct_status_read(fd, CTD_COMMON, &sh);
4227 	if (err != 0) {
4228 		console(B_TRUE, "Couldn't read status of contract %ld: %s.\n",
4229 		    id, strerror(err));
4230 		(void) close(fd);
4231 		return (-1);
4232 	}
4233 
4234 	(void) close(fd);
4235 
4236 	*cp = ct_status_get_cookie(sh);
4237 
4238 	ct_status_free(sh);
4239 	return (0);
4240 }
4241 
4242 static void
4243 contract_ack(ct_evthdl_t e)
4244 {
4245 	int fd;
4246 
4247 	if (ct_event_get_flags(e) & CTE_INFO)
4248 		return;
4249 
4250 	fd = contract_getfile(ct_event_get_ctid(e), "ctl", O_WRONLY);
4251 	if (fd < 0)
4252 		return;
4253 
4254 	(void) ct_ctl_ack(fd, ct_event_get_evid(e));
4255 	(void) close(fd);
4256 }
4257 
4258 /*
4259  * Process a contract event.
4260  */
4261 static void
4262 contract_event(struct pollfd *poll)
4263 {
4264 	ct_evthdl_t e;
4265 	int err;
4266 	ctid_t ctid;
4267 
4268 	if (!(poll->revents & POLLIN)) {
4269 		if (poll->revents & POLLERR)
4270 			console(B_TRUE,
4271 			    "Unknown poll error on my process contract "
4272 			    "pbundle.\n");
4273 		return;
4274 	}
4275 
4276 	err = ct_event_read(poll->fd, &e);
4277 	if (err != 0) {
4278 		console(B_TRUE, "Error retrieving contract event: %s.\n",
4279 		    strerror(err));
4280 		return;
4281 	}
4282 
4283 	ctid = ct_event_get_ctid(e);
4284 
4285 	if (ct_event_get_type(e) == CT_PR_EV_EMPTY) {
4286 		uint64_t cookie;
4287 		int ret, abandon = 1;
4288 
4289 		/* If it's svc.startd, restart it.  Else, abandon. */
4290 		ret = contract_cookie(ctid, &cookie);
4291 
4292 		if (ret == 0) {
4293 			if (cookie == STARTD_COOKIE &&
4294 			    do_restart_startd) {
4295 				if (smf_debug)
4296 					console(B_TRUE, "Restarting "
4297 					    "svc.startd.\n");
4298 
4299 				/*
4300 				 * Account for the failure.  If the failure rate
4301 				 * exceeds a threshold, then drop to maintenance
4302 				 * mode.
4303 				 */
4304 				startd_record_failure();
4305 				if (startd_failure_rate_critical())
4306 					enter_maintenance();
4307 
4308 				if (startd_tmpl < 0)
4309 					console(B_TRUE,
4310 					    "Restarting svc.startd in "
4311 					    "improper contract (bad "
4312 					    "template).\n");
4313 
4314 				(void) startd_run(startd_cline, startd_tmpl,
4315 				    ctid);
4316 
4317 				abandon = 0;
4318 			}
4319 		}
4320 
4321 		if (abandon && (err = contract_abandon_id(ctid))) {
4322 			console(B_TRUE, "Couldn't abandon contract %ld: %s.\n",
4323 			    ctid, strerror(err));
4324 		}
4325 
4326 		/*
4327 		 * No need to acknowledge the event since either way the
4328 		 * originating contract should be abandoned.
4329 		 */
4330 	} else {
4331 		console(B_TRUE,
4332 		    "Received contract event of unexpected type %d from "
4333 		    "contract %ld.\n", ct_event_get_type(e), ctid);
4334 
4335 		if ((ct_event_get_flags(e) & (CTE_INFO | CTE_ACK)) == 0)
4336 			/* Allow unexpected critical events to be released. */
4337 			contract_ack(e);
4338 	}
4339 
4340 	ct_event_free(e);
4341 }
4342 
4343 /*
4344  * svc.startd(1M) Management
4345  */
4346 
4347 /*
4348  * (Re)start svc.startd(1M).  old_ctid should be the contract ID of the old
4349  * contract, or 0 if we're starting it for the first time.  If wait is true
4350  * we'll wait for and return the exit value of the child.
4351  */
4352 static int
4353 startd_run(const char *cline, int tmpl, ctid_t old_ctid)
4354 {
4355 	int err, i, ret, did_activate;
4356 	pid_t pid;
4357 	struct stat sb;
4358 
4359 	if (cline[0] == '\0')
4360 		return (-1);
4361 
4362 	/*
4363 	 * Don't restart startd if the system is rebooting or shutting down.
4364 	 */
4365 	do {
4366 		ret = stat("/etc/svc/volatile/resetting", &sb);
4367 	} while (ret == -1 && errno == EINTR);
4368 
4369 	if (ret == 0) {
4370 		if (smf_debug)
4371 			console(B_TRUE, "Quiescing for reboot.\n");
4372 		(void) pause();
4373 		return (-1);
4374 	}
4375 
4376 	err = ct_pr_tmpl_set_transfer(tmpl, old_ctid);
4377 	if (err == EINVAL) {
4378 		console(B_TRUE, "Remake startd_tmpl; reattempt transfer.\n");
4379 		tmpl = startd_tmpl = contract_make_template(0, CT_PR_EV_EMPTY,
4380 		    CT_PR_EV_HWERR, STARTD_COOKIE);
4381 
4382 		err = ct_pr_tmpl_set_transfer(tmpl, old_ctid);
4383 	}
4384 	if (err != 0) {
4385 		console(B_TRUE,
4386 		    "Couldn't set transfer parameter of contract template: "
4387 		    "%s.\n", strerror(err));
4388 	}
4389 
4390 	if ((err = ct_pr_tmpl_set_svc_fmri(startd_tmpl,
4391 	    SCF_SERVICE_STARTD)) != 0)
4392 		console(B_TRUE,
4393 		    "Can not set svc_fmri in contract template: %s\n",
4394 		    strerror(err));
4395 	if ((err = ct_pr_tmpl_set_svc_aux(startd_tmpl,
4396 	    startd_svc_aux)) != 0)
4397 		console(B_TRUE,
4398 		    "Can not set svc_aux in contract template: %s\n",
4399 		    strerror(err));
4400 	did_activate = !(ct_tmpl_activate(tmpl));
4401 	if (!did_activate)
4402 		console(B_TRUE,
4403 		    "Template activation failed; not starting \"%s\" in "
4404 		    "proper contract.\n", cline);
4405 
4406 	/* Hold SIGCLD so we can wait if necessary. */
4407 	(void) sighold(SIGCLD);
4408 
4409 	while ((pid = fork()) < 0) {
4410 		if (errno == EPERM) {
4411 			console(B_TRUE, "Insufficient permission to fork.\n");
4412 
4413 			/* Now that's a doozy. */
4414 			exit(1);
4415 		}
4416 
4417 		console(B_TRUE,
4418 		    "fork() for svc.startd failed: %s.  Will retry in 1 "
4419 		    "second...\n", strerror(errno));
4420 
4421 		(void) sleep(1);
4422 
4423 		/* Eventually give up? */
4424 	}
4425 
4426 	if (pid == 0) {
4427 		/* child */
4428 
4429 		/* See the comment in efork() */
4430 		for (i = SIGHUP; i <= SIGRTMAX; ++i) {
4431 			if (i == SIGTTOU || i == SIGTTIN || i == SIGTSTP)
4432 				(void) sigset(i, SIG_IGN);
4433 			else
4434 				(void) sigset(i, SIG_DFL);
4435 		}
4436 
4437 		if (smf_options != NULL) {
4438 			/* Put smf_options in the environment. */
4439 			glob_envp[glob_envn] =
4440 			    malloc(sizeof ("SMF_OPTIONS=") - 1 +
4441 			    strlen(smf_options) + 1);
4442 
4443 			if (glob_envp[glob_envn] != NULL) {
4444 				/* LINTED */
4445 				(void) sprintf(glob_envp[glob_envn],
4446 				    "SMF_OPTIONS=%s", smf_options);
4447 				glob_envp[glob_envn+1] = NULL;
4448 			} else {
4449 				console(B_TRUE,
4450 				    "Could not set SMF_OPTIONS (%s).\n",
4451 				    strerror(errno));
4452 			}
4453 		}
4454 
4455 		if (smf_debug)
4456 			console(B_TRUE, "Executing svc.startd\n");
4457 
4458 		(void) execle(SH, "INITSH", "-c", cline, NULL, glob_envp);
4459 
4460 		console(B_TRUE, "Could not exec \"%s\" (%s).\n", SH,
4461 		    strerror(errno));
4462 
4463 		exit(1);
4464 	}
4465 
4466 	/* parent */
4467 
4468 	if (did_activate) {
4469 		if (legacy_tmpl < 0 || ct_tmpl_activate(legacy_tmpl) != 0)
4470 			(void) ct_tmpl_clear(tmpl);
4471 	}
4472 
4473 	/* Clear the old_ctid reference so the kernel can reclaim it. */
4474 	if (old_ctid != 0)
4475 		(void) ct_pr_tmpl_set_transfer(tmpl, 0);
4476 
4477 	(void) sigrelse(SIGCLD);
4478 
4479 	return (0);
4480 }
4481 
4482 /*
4483  * void startd_record_failure(void)
4484  *   Place the current time in our circular array of svc.startd failures.
4485  */
4486 void
4487 startd_record_failure()
4488 {
4489 	int index = startd_failure_index++ % NSTARTD_FAILURE_TIMES;
4490 
4491 	startd_failure_time[index] = gethrtime();
4492 }
4493 
4494 /*
4495  * int startd_failure_rate_critical(void)
4496  *   Return true if the average failure interval is less than the permitted
4497  *   interval.  Implicit success if insufficient measurements for an average
4498  *   exist.
4499  */
4500 int
4501 startd_failure_rate_critical()
4502 {
4503 	int n = startd_failure_index;
4504 	hrtime_t avg_ns = 0;
4505 
4506 	if (startd_failure_index < NSTARTD_FAILURE_TIMES)
4507 		return (0);
4508 
4509 	avg_ns =
4510 	    (startd_failure_time[(n - 1) % NSTARTD_FAILURE_TIMES] -
4511 	    startd_failure_time[n % NSTARTD_FAILURE_TIMES]) /
4512 	    NSTARTD_FAILURE_TIMES;
4513 
4514 	return (avg_ns < STARTD_FAILURE_RATE_NS);
4515 }
4516 
4517 /*
4518  * returns string that must be free'd
4519  */
4520 
4521 static char
4522 *audit_boot_msg()
4523 {
4524 	char		*b, *p;
4525 	char		desc[] = "booted";
4526 	zoneid_t	zid = getzoneid();
4527 
4528 	b = malloc(sizeof (desc) + MAXNAMELEN + 3);
4529 	if (b == NULL)
4530 		return (b);
4531 
4532 	p = b;
4533 	p += strlcpy(p, desc, sizeof (desc));
4534 	if (zid != GLOBAL_ZONEID) {
4535 		p += strlcpy(p, ": ", 3);
4536 		(void) getzonenamebyid(zid, p, MAXNAMELEN);
4537 	}
4538 	return (b);
4539 }
4540 
4541 /*
4542  * Generate AUE_init_solaris audit record.  Return 1 if
4543  * auditing is enabled in case the caller cares.
4544  *
4545  * In the case of userint() or a local zone invocation of
4546  * one_true_init, the process initially contains the audit
4547  * characteristics of the process that invoked init.  The first pass
4548  * through here uses those characteristics then for the case of
4549  * one_true_init in a local zone, clears them so subsequent system
4550  * state changes won't be attributed to the person who booted the
4551  * zone.
4552  */
4553 static int
4554 audit_put_record(int pass_fail, int status, char *msg)
4555 {
4556 	adt_session_data_t	*ah;
4557 	adt_event_data_t	*event;
4558 
4559 	if (!adt_audit_enabled())
4560 		return (0);
4561 
4562 	/*
4563 	 * the PROC_DATA picks up the context to tell whether this is
4564 	 * an attributed record (auid = -2 is unattributed)
4565 	 */
4566 	if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA)) {
4567 		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
4568 		return (1);
4569 	}
4570 	event = adt_alloc_event(ah, ADT_init_solaris);
4571 	if (event == NULL) {
4572 		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
4573 		(void) adt_end_session(ah);
4574 		return (1);
4575 	}
4576 	event->adt_init_solaris.info = msg;	/* NULL is ok here */
4577 
4578 	if (adt_put_event(event, pass_fail, status)) {
4579 		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
4580 		(void) adt_end_session(ah);
4581 		return (1);
4582 	}
4583 	adt_free_event(event);
4584 
4585 	(void) adt_end_session(ah);
4586 
4587 	return (1);
4588 }
4589