xref: /titanic_41/usr/src/lib/libbsm/common/adt.c (revision 09cb82ca24006b806e9f17e2135eef96364facfe)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <bsm/adt.h>
30 #include <bsm/adt_event.h>
31 #include <assert.h>
32 #include <bsm/audit.h>
33 #include <bsm/audit_record.h>
34 #include <bsm/libbsm.h>
35 #include <door.h>
36 #include <errno.h>
37 #include <generic.h>
38 #include <md5.h>
39 #include <sys/mkdev.h>
40 #include <netdb.h>
41 #include <nss_dbdefs.h>
42 #include <pwd.h>
43 #include <sys/stat.h>
44 #include <time.h>
45 #include <stdlib.h>
46 #include <string.h>
47 #include <synch.h>
48 #include <sys/systeminfo.h>
49 #include <syslog.h>
50 #include <thread.h>
51 #include <unistd.h>
52 #include <adt_xlate.h>
53 #include <adt_ucred.h>
54 #include <arpa/inet.h>
55 #include <net/if.h>
56 #include <libinetutil.h>
57 
58 static int adt_selected(struct adt_event_state *, au_event_t, int);
59 static int adt_init(adt_internal_state_t *, int);
60 static int adt_import(adt_internal_state_t *, const adt_export_data_t *);
61 static m_label_t *adt_ucred_label(ucred_t *);
62 static void adt_setto_unaudited(adt_internal_state_t *);
63 static int adt_get_local_address(int, struct ifaddrlist *);
64 
65 #ifdef C2_DEBUG
66 #define	DPRINTF(x) {printf x; }
67 #define	DFLUSH fflush(stdout);
68 #else
69 #define	DPRINTF(x)
70 #define	DFLUSH
71 #endif
72 
73 static int auditstate = AUC_DISABLED;	/* default state */
74 
75 /*
76  * adt_write_syslog
77  *
78  * errors that are not the user's fault (bugs or whatever in
79  * the underlying audit code are noted in syslog.)
80  *
81  * Avoid calling adt_write_syslog for things that can happen
82  * at high volume.
83  *
84  * syslog's open (openlog) and close (closelog) are interesting;
85  * openlog *may* create a file descriptor and is optional.  closelog
86  * *will* close any open file descriptors and is also optional.
87  *
88  * Since syslog may also be used by the calling application, the
89  * choice is to avoid openlog, which sets some otherwise useful
90  * parameters, and to embed "Solaris_audit" in the log message.
91  */
92 
93 void
94 adt_write_syslog(const char *message, int err)
95 {
96 	int	save_errno = errno;
97 	int	mask_priority;
98 
99 	DPRINTF(("syslog called: %s\n", message));
100 
101 	mask_priority = setlogmask(LOG_MASK(LOG_ALERT));
102 	errno = err;
103 	syslog(LOG_ALERT, "Solaris_audit %s: %m", message);
104 	(void) setlogmask(mask_priority);
105 	errno = save_errno;
106 }
107 
108 /*
109  * return true if audit is enabled.  "Enabled" is any state
110  * other than AUC_DISABLED.
111  *
112  * states are
113  *		AUC_INIT_AUDIT	-- c2audit queuing enabled.
114  *		AUC_AUDITING	-- up and running
115  *		AUC_DISABLED	-- no audit subsystem loaded
116  *		AUC_UNSET	-- early boot state
117  *		AUC_NOAUDIT	-- subsystem loaded, turned off via
118  *				   auditon(A_SETCOND...)
119  *		AUC_NOSPACE	-- up and running, but log partitions are full
120  *
121  *	For purpose of this API, anything but AUC_DISABLED or
122  *	AUC_UNSET is enabled; however one never actually sees
123  *	AUC_DISABLED since auditon returns EINVAL in that case.  Any
124  *	auditon error is considered the same as EINVAL for our
125  *	purpose.  auditstate is not changed by auditon if an error
126  *	is returned.
127  */
128 
129 /*
130  * XXX	this should probably be eliminated and adt_audit_state() replace it.
131  *	All the legitimate uses	are to not fork a waiting process for
132  *	process exit processing, as in su, login, dtlogin.  Other bogus
133  *	users are zoneadmd and init.
134  *	All but dtlogin are in ON, so we can do this without cross gate
135  *	synchronization.
136  */
137 
138 boolean_t
139 adt_audit_enabled(void)
140 {
141 
142 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
143 
144 	return (auditstate != AUC_DISABLED);
145 }
146 
147 /*
148  *	See adt_audit_enabled() for state discussions.
149  *	The state parameter is a hedge until all the uses become clear.
150  *	Likely if adt_audit_enabled is brought internal to this file,
151  *	it can take a parameter discussing the state.
152  */
153 
154 boolean_t
155 adt_audit_state(int state)
156 {
157 
158 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
159 
160 	return (auditstate == state);
161 }
162 
163 /*
164  * The man page for getpwuid_r says the buffer must be big enough
165  * or ERANGE will be returned, but offers no guidance for how big
166  * the buffer should be or a way to calculate it.  If you get
167  * ERANGE, double pwd_buff's size.
168  *
169  * This may be called even when auditing is off.
170  */
171 
172 #define	NAFLAG_LEN 512
173 
174 static int
175 adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
176 {
177 	struct passwd	pwd;
178 	char		pwd_buff[NSS_BUFSIZ];
179 	char		naflag_buf[NAFLAG_LEN];
180 
181 	if (auditstate == AUC_DISABLED) {
182 		mask->am_success = 0;
183 		mask->am_failure = 0;
184 	} else if (uid <= MAXUID) {
185 		if (getpwuid_r(uid, &pwd, pwd_buff, NSS_BUFSIZ) == NULL) {
186 			/*
187 			 * getpwuid_r returns NULL without setting
188 			 * errno if the user does not exist; only
189 			 * if the input is the wrong length does it
190 			 * set errno.
191 			 */
192 			if (errno != ERANGE)
193 				errno = EINVAL;
194 			return (-1);
195 		}
196 		if (au_user_mask(pwd.pw_name, mask)) {
197 			errno = EFAULT; /* undetermined failure */
198 			return (-1);
199 		}
200 	} else if (getacna(naflag_buf, NAFLAG_LEN - 1) == 0) {
201 		if (getauditflagsbin(naflag_buf, mask))
202 			return (-1);
203 	} else {
204 		return (-1);
205 	}
206 	return (0);
207 }
208 
209 /*
210  * adt_get_unique_id -- generate a hopefully unique 32 bit value
211  *
212  * there will be a follow up to replace this with the use of /dev/random
213  *
214  * An MD5 hash is taken on a buffer of
215  *     hostname . audit id . unix time . pid . count
216  *
217  * "count = noise++;" is subject to a race condition but I don't
218  * see a need to put a lock around it.
219  */
220 
221 au_id_t
222 adt_get_unique_id(au_id_t uid)
223 {
224 	char		hostname[MAXHOSTNAMELEN];
225 	union {
226 		au_id_t		v[4];
227 		unsigned char	obuff[128/8];
228 	} output;
229 	MD5_CTX	context;
230 
231 	static int	noise = 0;
232 
233 	int		count = noise++;
234 	time_t		timebits = time(NULL);
235 	pid_t		pidbits = getpid();
236 	au_id_t		retval = 0;
237 
238 	if (gethostname(hostname, MAXHOSTNAMELEN)) {
239 		adt_write_syslog("gethostname call failed", errno);
240 		(void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN);
241 	}
242 
243 	while (retval == 0) {  /* 0 is the only invalid result */
244 		MD5Init(&context);
245 
246 		MD5Update(&context, (unsigned char *)hostname,
247 		    (unsigned int) strlen((const char *)hostname));
248 
249 		MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t));
250 
251 		MD5Update(&context,
252 		    (unsigned char *) &timebits, sizeof (time_t));
253 
254 		MD5Update(&context, (unsigned char *) &pidbits,
255 		    sizeof (pid_t));
256 
257 		MD5Update(&context, (unsigned char *) &(count), sizeof (int));
258 		MD5Final(output.obuff, &context);
259 
260 		retval = output.v[count % 4];
261 	}
262 	return (retval);
263 }
264 
265 /*
266  * the following "port" function deals with the following issues:
267  *
268  * 1    the kernel and ucred deal with a dev_t as a 64 bit value made
269  *      up from a 32 bit major and 32 bit minor.
270  * 2    User space deals with a dev_t as either the above 64 bit value
271  *      or a 32 bit value made from a 14 bit major and an 18 bit minor.
272  * 3    The various audit interfaces (except ucred) pass the 32 or
273  *      64 bit version depending the architecture of the userspace
274  *      application.  If you get a port value from ucred and pass it
275  *      to the kernel via auditon(), it must be squeezed into a 32
276  *      bit value because the kernel knows the userspace app's bit
277  *      size.
278  *
279  * The internal state structure for adt (adt_internal_state_t) uses
280  * dev_t, so adt converts data from ucred to fit.  The import/export
281  * functions, however, can't know if they are importing/exporting
282  * from 64 or 32 bit applications, so they always send 64 bits and
283  * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as
284  * appropriate.
285  */
286 
287 /*
288  * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are
289  * both 64 bits).  If lib is 32 bits, squeeze the two-int port into
290  * a 32 bit dev_t.  A port fits in the "minor" part of au_port_t,
291  * so it isn't broken up into pieces.  (When it goes to the kernel
292  * and back, however, it will have been split into major/minor
293  * pieces.)
294  */
295 
296 static void
297 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src)
298 {
299 #ifdef _LP64
300 	(void) memcpy(dest, src, sizeof (au_tid_addr_t));
301 #else	/* _LP64 */
302 	dest->at_type = src->at_type;
303 
304 	dest->at_port  = src->at_port.at_minor & MAXMIN32;
305 	dest->at_port |= (src->at_port.at_major & MAXMAJ32) <<
306 	    NBITSMINOR32;
307 
308 	(void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t));
309 #endif	/* _LP64 */
310 }
311 
312 /*
313  * adt_start_session -- create interface handle, create context
314  *
315  * The imported_state input is normally NULL, if not, it represents
316  * a continued session; its values obviate the need for a subsequent
317  * call to adt_set_user().
318  *
319  * The flag is used to decide how to set the initial state of the session.
320  * If 0, the session is "no audit" until a call to adt_set_user; if
321  * ADT_USE_PROC_DATA, the session is built from the process audit
322  * characteristics obtained from the kernel.  If imported_state is
323  * not NULL, the resulting audit mask is an OR of the current process
324  * audit mask and that passed in.
325  *
326  * The basic model is that the caller can use the pointer returned
327  * by adt_start_session whether or not auditing is enabled or an
328  * error was returned.  The functions that take the session handle
329  * as input generally return without doing anything if auditing is
330  * disabled.
331  */
332 
333 int
334 adt_start_session(adt_session_data_t **new_session,
335     const adt_export_data_t *imported_state, adt_session_flags_t flags)
336 {
337 	adt_internal_state_t	*state;
338 	adt_session_flags_t	flgmask = ADT_FLAGS_ALL;
339 
340 	*new_session = NULL;	/* assume failure */
341 
342 	/* ensure that auditstate is set */
343 	(void) adt_audit_enabled();
344 
345 	if ((flags & ~flgmask) != 0) {
346 		errno = EINVAL;
347 		goto return_err;
348 	}
349 	state = calloc(1, sizeof (adt_internal_state_t));
350 
351 	if (state == NULL)
352 		goto return_err;
353 
354 	if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0)
355 		goto return_err_free;    /* errno from adt_init() */
356 
357 	/*
358 	 * The imported state overwrites the initial state if the
359 	 * imported state represents a valid audit trail
360 	 */
361 
362 	if (imported_state != NULL) {
363 		if (adt_import(state, imported_state) != 0) {
364 			goto return_err_free;
365 		}
366 	} else if (flags & ADT_USE_PROC_DATA) {
367 		state->as_session_model = ADT_PROCESS_MODEL;
368 	}
369 	state->as_flags = flags;
370 	DPRINTF(("(%d) Starting session id = %08X\n",
371 	    getpid(), state->as_info.ai_asid));
372 
373 	if (state->as_audit_enabled) {
374 		*new_session = (adt_session_data_t *)state;
375 	} else {
376 		free(state);
377 	}
378 
379 	return (0);
380 return_err_free:
381 	free(state);
382 return_err:
383 	adt_write_syslog("audit session create failed", errno);
384 	return (-1);
385 }
386 
387 /*
388  * adt_get_asid() and adt_set_asid()
389  *
390  * if you use this interface, you are responsible to insure that the
391  * rest of the session data is populated correctly before calling
392  * adt_proccess_attr()
393  *
394  * neither of these are intended for general use and will likely
395  * remain private interfaces for a long time.  Forever is a long
396  * time.  In the case of adt_set_asid(), you should have a very,
397  * very good reason for setting your own session id.  The process
398  * audit characteristics are not changed by put, use adt_set_proc().
399  *
400  * These are "volatile" (more changable than "evolving") and will
401  * probably change in the S10 period.
402  */
403 
404 void
405 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid)
406 {
407 
408 	if (session_data == NULL) {
409 		*asid = 0;
410 	} else {
411 		assert(((adt_internal_state_t *)session_data)->as_check ==
412 		    ADT_VALID);
413 
414 		*asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid;
415 	}
416 }
417 
418 void
419 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id)
420 {
421 
422 	if (session_data != NULL) {
423 		assert(((adt_internal_state_t *)session_data)->as_check ==
424 		    ADT_VALID);
425 
426 		((adt_internal_state_t *)session_data)->as_have_user_data |=
427 		    ADT_HAVE_ASID;
428 		((adt_internal_state_t *)session_data)->as_info.ai_asid =
429 		    session_id;
430 	}
431 }
432 
433 /*
434  * adt_get_auid() and adt_set_auid()
435  *
436  * neither of these are intended for general use and will likely
437  * remain private interfaces for a long time.  Forever is a long
438  * time.  In the case of adt_set_auid(), you should have a very,
439  * very good reason for setting your own audit id.  The process
440  * audit characteristics are not changed by put, use adt_set_proc().
441  */
442 
443 void
444 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid)
445 {
446 
447 	if (session_data == NULL) {
448 		*auid = AU_NOAUDITID;
449 	} else {
450 		assert(((adt_internal_state_t *)session_data)->as_check ==
451 		    ADT_VALID);
452 
453 		*auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid;
454 	}
455 }
456 
457 void
458 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id)
459 {
460 
461 	if (session_data != NULL) {
462 		assert(((adt_internal_state_t *)session_data)->as_check ==
463 		    ADT_VALID);
464 
465 		((adt_internal_state_t *)session_data)->as_have_user_data |=
466 		    ADT_HAVE_AUID;
467 		((adt_internal_state_t *)session_data)->as_info.ai_auid =
468 		    audit_id;
469 	}
470 }
471 
472 /*
473  * adt_get_termid(), adt_set_termid()
474  *
475  * if you use this interface, you are responsible to insure that the
476  * rest of the session data is populated correctly before calling
477  * adt_proccess_attr()
478  *
479  * The process  audit characteristics are not changed by put, use
480  * adt_set_proc().
481  */
482 
483 void
484 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid)
485 {
486 
487 	if (session_data == NULL) {
488 		(void) memset(termid, 0, sizeof (au_tid_addr_t));
489 		termid->at_type = AU_IPv4;
490 	} else {
491 		assert(((adt_internal_state_t *)session_data)->as_check ==
492 		    ADT_VALID);
493 
494 		*termid =
495 		    ((adt_internal_state_t *)session_data)->as_info.ai_termid;
496 	}
497 }
498 
499 void
500 adt_set_termid(const adt_session_data_t *session_data,
501     const au_tid_addr_t *termid)
502 {
503 
504 	if (session_data != NULL) {
505 		assert(((adt_internal_state_t *)session_data)->as_check ==
506 		    ADT_VALID);
507 
508 		((adt_internal_state_t *)session_data)->as_info.ai_termid =
509 		    *termid;
510 
511 		((adt_internal_state_t *)session_data)->as_have_user_data |=
512 		    ADT_HAVE_TID;
513 	}
514 }
515 
516 /*
517  * adt_get_mask(), adt_set_mask()
518  *
519  * if you use this interface, you are responsible to insure that the
520  * rest of the session data is populated correctly before calling
521  * adt_proccess_attr()
522  *
523  * The process  audit characteristics are not changed by put, use
524  * adt_set_proc().
525  */
526 
527 void
528 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask)
529 {
530 
531 	if (session_data == NULL) {
532 		mask->am_success = 0;
533 		mask->am_failure = 0;
534 	} else {
535 		assert(((adt_internal_state_t *)session_data)->as_check ==
536 		    ADT_VALID);
537 
538 		*mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask;
539 	}
540 }
541 
542 void
543 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask)
544 {
545 
546 	if (session_data != NULL) {
547 		assert(((adt_internal_state_t *)session_data)->as_check ==
548 		    ADT_VALID);
549 
550 		((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask;
551 
552 		((adt_internal_state_t *)session_data)->as_have_user_data |=
553 		    ADT_HAVE_MASK;
554 	}
555 }
556 
557 /*
558  * helpers for adt_load_termid
559  */
560 
561 static void
562 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock,
563     au_tid_addr_t *termid)
564 {
565 
566 	termid->at_port = ((peer->sin6_port<<16) | (sock->sin6_port));
567 	termid->at_type = AU_IPv6;
568 	(void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t));
569 }
570 
571 static void
572 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock,
573     au_tid_addr_t *termid)
574 {
575 
576 	termid->at_port = ((peer->sin_port<<16) | (sock->sin_port));
577 
578 	termid->at_type = AU_IPv4;
579 	termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr;
580 	(void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t));
581 }
582 
583 /*
584  * adt_load_termid:  convenience function; inputs file handle and
585  * outputs an au_tid_addr struct.
586  *
587  * This code was stolen from audit_settid.c; it differs from audit_settid()
588  * in that it does not write the terminal id to the process.
589  */
590 
591 int
592 adt_load_termid(int fd, adt_termid_t **termid)
593 {
594 	au_tid_addr_t		*p_term;
595 	struct sockaddr_in6	peer;
596 	struct sockaddr_in6	sock;
597 	int			peerlen = sizeof (peer);
598 	int			socklen = sizeof (sock);
599 
600 	*termid = NULL;
601 
602 	/* get peer name if its a socket, else assume local terminal */
603 
604 	if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen)
605 	    < 0) {
606 		if (errno == ENOTSOCK)
607 			return (adt_load_hostname(NULL, termid));
608 		goto return_err;
609 	}
610 
611 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
612 		goto return_err;
613 
614 	/* get sock name */
615 	if (getsockname(fd, (struct sockaddr *)&sock,
616 	    (socklen_t *)&socklen) < 0)
617 		goto return_err_free;
618 
619 	if (peer.sin6_family == AF_INET6) {
620 		adt_do_ipv6_address(&peer, &sock, p_term);
621 	} else {
622 		adt_do_ipv4_address((struct sockaddr_in *)&peer,
623 		    (struct sockaddr_in *)&sock, p_term);
624 	}
625 	*termid = (adt_termid_t *)p_term;
626 
627 	return (0);
628 
629 return_err_free:
630 	free(p_term);
631 return_err:
632 	return (-1);
633 }
634 
635 static boolean_t
636 adt_have_termid(au_tid_addr_t *dest)
637 {
638 	struct auditinfo_addr	audit_data;
639 
640 	if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) {
641 		adt_write_syslog("getaudit failed", errno);
642 		return (B_FALSE);
643 	}
644 
645 	if ((audit_data.ai_termid.at_type == 0) ||
646 	    (audit_data.ai_termid.at_addr[0] |
647 	    audit_data.ai_termid.at_addr[1]  |
648 	    audit_data.ai_termid.at_addr[2]  |
649 	    audit_data.ai_termid.at_addr[3]) == 0)
650 		return (B_FALSE);
651 
652 	(void) memcpy(dest, &(audit_data.ai_termid),
653 	    sizeof (au_tid_addr_t));
654 
655 	return (B_TRUE);
656 }
657 
658 static int
659 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term)
660 {
661 	struct addrinfo	*ai = NULL;
662 	int	tries = 3;
663 	char	msg[512];
664 	int	eai_err;
665 
666 	while ((tries-- > 0) &&
667 	    ((eai_err = getaddrinfo(hostname, NULL, NULL, &ai)) != 0)) {
668 		/*
669 		 * getaddrinfo returns its own set of errors.
670 		 * Log them here, so any subsequent syslogs will
671 		 * have a context.  adt_get_hostIP callers can only
672 		 * return errno, so subsequent syslogs may be lacking
673 		 * that getaddrinfo failed.
674 		 */
675 		(void) snprintf(msg, sizeof (msg), "getaddrinfo(%s) "
676 		    "failed[%s]", hostname, gai_strerror(eai_err));
677 		adt_write_syslog(msg, 0);
678 
679 		if (eai_err != EAI_AGAIN) {
680 
681 			break;
682 		}
683 		/* see if resolution becomes available */
684 		(void) sleep(1);
685 	}
686 	if (ai != NULL) {
687 		if (ai->ai_family == AF_INET) {
688 			p_term->at_type = AU_IPv4;
689 			(void) memcpy(p_term->at_addr,
690 			    /* LINTED */
691 			    &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
692 			    AU_IPv4);
693 		} else {
694 			p_term->at_type = AU_IPv6;
695 			(void) memcpy(p_term->at_addr,
696 			    /* LINTED */
697 			    &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
698 			    AU_IPv6);
699 		}
700 		freeaddrinfo(ai);
701 		return (0);
702 	} else {
703 		struct ifaddrlist al;
704 		int	family;
705 		char	ntop[INET6_ADDRSTRLEN];
706 
707 		/*
708 		 * getaddrinfo has failed to map the hostname
709 		 * to an IP address, try to get an IP address
710 		 * from a local interface.
711 		 */
712 		family = AF_INET6;
713 		if (adt_get_local_address(family, &al) != 0) {
714 			family = AF_INET;
715 
716 			if (adt_get_local_address(family, &al) != 0) {
717 				adt_write_syslog("adt_get_local_address "
718 				    "failed, no Audit IP address available",
719 				    errno);
720 				return (-1);
721 			}
722 		}
723 		if (family == AF_INET) {
724 			p_term->at_type = AU_IPv4;
725 			(void) memcpy(p_term->at_addr, &al.addr.addr, AU_IPv4);
726 		} else {
727 			p_term->at_type = AU_IPv6;
728 			(void) memcpy(p_term->at_addr, &al.addr.addr6, AU_IPv6);
729 		}
730 
731 		(void) snprintf(msg, sizeof (msg), "mapping %s to %s",
732 		    hostname, inet_ntop(family, &(al.addr), ntop,
733 		    sizeof (ntop)));
734 		adt_write_syslog(msg, 0);
735 		return (0);
736 	}
737 }
738 
739 /*
740  * adt_load_hostname() is called when the caller does not have a file
741  * handle that gives access to the socket info or any other way to
742  * pass in both port and ip address.  The hostname input is ignored if
743  * the terminal id has already been set; instead it returns the
744  * existing terminal id.
745  *
746  * If audit is off and the hostname lookup fails, no error is
747  * returned, since an error may be interpreted by the caller
748  * as grounds for denying a login.  Otherwise the caller would
749  * need to be aware of the audit state.
750  */
751 
752 int
753 adt_load_hostname(const char *hostname, adt_termid_t **termid)
754 {
755 	char		localhost[MAXHOSTNAMELEN + 1];
756 	au_tid_addr_t	*p_term;
757 
758 	*termid = NULL;
759 
760 	if (!adt_audit_enabled())
761 		return (0);
762 
763 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
764 		goto return_err;
765 
766 	if (adt_have_termid(p_term)) {
767 		*termid = (adt_termid_t *)p_term;
768 		return (0);
769 	}
770 	p_term->at_port = 0;
771 
772 	if (hostname == NULL || *hostname == '\0') {
773 		(void) sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN);
774 		hostname = localhost;
775 	}
776 	if (adt_get_hostIP(hostname, p_term))
777 		goto return_err_free;
778 
779 	*termid = (adt_termid_t *)p_term;
780 	return (0);
781 
782 return_err_free:
783 	free(p_term);
784 
785 return_err:
786 	if ((auditstate == AUC_DISABLED) ||
787 	    (auditstate == AUC_NOAUDIT))
788 		return (0);
789 
790 	return (-1);
791 }
792 
793 /*
794  * adt_load_ttyname() is called when the caller does not have a file
795  * handle that gives access to the local terminal or any other way
796  * of determining the device id.  The ttyname input is ignored if
797  * the terminal id has already been set; instead it returns the
798  * existing terminal id.
799  *
800  * If audit is off and the ttyname lookup fails, no error is
801  * returned, since an error may be interpreted by the caller
802  * as grounds for denying a login.  Otherwise the caller would
803  * need to be aware of the audit state.
804  */
805 
806 int
807 adt_load_ttyname(const char *ttyname, adt_termid_t **termid)
808 {
809 	char		localhost[MAXHOSTNAMELEN + 1];
810 	au_tid_addr_t	*p_term;
811 	struct stat	stat_buf;
812 
813 	*termid = NULL;
814 
815 	if (!adt_audit_enabled())
816 		return (0);
817 
818 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
819 		goto return_err;
820 
821 	if (adt_have_termid(p_term)) {
822 		*termid = (adt_termid_t *)p_term;
823 		return (0);
824 	}
825 
826 	p_term->at_port = 0;
827 
828 	if (sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN) < 0)
829 		goto return_err_free; /* errno from sysinfo */
830 
831 	if (ttyname != NULL) {
832 		if (stat(ttyname, &stat_buf) < 0)
833 			goto return_err_free;
834 
835 		p_term->at_port = stat_buf.st_rdev;
836 	}
837 
838 	if (adt_get_hostIP(localhost, p_term))
839 		goto return_err_free;
840 
841 	*termid = (adt_termid_t *)p_term;
842 	return (0);
843 
844 return_err_free:
845 	free(p_term);
846 
847 return_err:
848 	if ((auditstate == AUC_DISABLED) ||
849 	    (auditstate == AUC_NOAUDIT))
850 		return (0);
851 
852 	return (-1);
853 }
854 
855 /*
856  * adt_get_session_id returns a stringified representation of
857  * the audit session id.  See also adt_get_asid() for how to
858  * get the unexpurgated version.  No guarantees as to how long
859  * the returned string will be or its general form; hex for now.
860  *
861  * An empty string is returned if auditing is off; length = 1
862  * and the pointer is valid.
863  *
864  * returns strlen + 1 if buffer is valid; else 0 and errno.
865  */
866 
867 size_t
868 adt_get_session_id(const adt_session_data_t *session_data, char **buff)
869 {
870 	au_asid_t	session_id;
871 	size_t		length;
872 	/*
873 	 * output is 0x followed by
874 	 * two characters per byte
875 	 * plus terminator,
876 	 * except leading 0's are suppressed, so a few bytes may
877 	 * be unused.
878 	 */
879 	length = 2 + (2 * sizeof (session_id)) + 1;
880 	*buff = malloc(length);
881 
882 	if (*buff == NULL) {
883 		return (0);
884 	}
885 	if (session_data == NULL) { /* NULL is not an error */
886 		**buff = '\0';
887 		return (1);
888 	}
889 	adt_get_asid(session_data, &session_id);
890 
891 	length = snprintf(*buff, length, "0x%X", (int)session_id);
892 
893 	/* length < 1 is a bug: the session data type may have changed */
894 	assert(length > 0);
895 
896 	return (length);
897 }
898 
899 /*
900  * adt_end_session -- close handle, clear context
901  *
902  * if as_check is invalid, no harm, no foul, EXCEPT that this could
903  * be an attempt to free data already free'd, so output to syslog
904  * to help explain why the process cored dumped.
905  */
906 
907 int
908 adt_end_session(adt_session_data_t *session_data)
909 {
910 	adt_internal_state_t	*state;
911 
912 	if (session_data != NULL) {
913 		state = (adt_internal_state_t *)session_data;
914 		if (state->as_check != ADT_VALID) {
915 			adt_write_syslog("freeing invalid data", EINVAL);
916 		} else {
917 			state->as_check = 0;
918 			m_label_free(state->as_label);
919 			free(session_data);
920 		}
921 	}
922 	/* no errors yet defined */
923 	return (0);
924 }
925 
926 /*
927  * adt_dup_session -- copy the session data
928  */
929 
930 int
931 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest)
932 {
933 	adt_internal_state_t	*source_state;
934 	adt_internal_state_t	*dest_state = NULL;
935 	int			rc = 0;
936 
937 	if (source != NULL) {
938 		source_state = (adt_internal_state_t *)source;
939 		assert(source_state->as_check == ADT_VALID);
940 
941 		dest_state = malloc(sizeof (adt_internal_state_t));
942 		if (dest_state == NULL) {
943 			rc = -1;
944 			goto return_rc;
945 		}
946 		(void) memcpy(dest_state, source,
947 		    sizeof (struct adt_internal_state));
948 
949 		if (source_state->as_label != NULL) {
950 			dest_state->as_label = NULL;
951 			if ((rc = m_label_dup(&dest_state->as_label,
952 			    source_state->as_label)) != 0) {
953 				free(dest_state);
954 				dest_state = NULL;
955 			}
956 		}
957 	}
958 return_rc:
959 	*dest = (adt_session_data_t *)dest_state;
960 	return (rc);
961 }
962 
963 /*
964  * from_export_format()
965  * read from a network order buffer into struct adt_session_data
966  */
967 
968 static size_t
969 adt_from_export_format(adt_internal_state_t *internal,
970     const adt_export_data_t *external)
971 {
972 	struct export_header	head;
973 	struct export_link	link;
974 	adr_t			context;
975 	int32_t 		offset;
976 	int32_t 		length;
977 	int32_t 		version;
978 	size_t			label_len;
979 	char			*p = (char *)external;
980 
981 	adrm_start(&context, (char *)external);
982 	adrm_int32(&context, (int *)&head, 4);
983 
984 	if ((internal->as_check = head.ax_check) != ADT_VALID) {
985 		errno = EINVAL;
986 		return (0);
987 	}
988 	offset = head.ax_link.ax_offset;
989 	version = head.ax_link.ax_version;
990 	length = head.ax_buffer_length;
991 
992 	/*
993 	 * Skip newer versions.
994 	 */
995 	while (version > PROTOCOL_VERSION_2) {
996 		if (offset < 1) {
997 			return (0);	/* failed to match version */
998 		}
999 		p += offset;		/* point to next version # */
1000 
1001 		if (p > (char *)external + length) {
1002 			return (0);
1003 		}
1004 		adrm_start(&context, p);
1005 		adrm_int32(&context, (int *)&link, 2);
1006 		offset = link.ax_offset;
1007 		version = link.ax_version;
1008 		assert(version != 0);
1009 	}
1010 	/*
1011 	 * Adjust buffer pointer to the first data item (euid).
1012 	 */
1013 	if (p == (char *)external) {
1014 		adrm_start(&context, (char *)(p + sizeof (head)));
1015 	} else {
1016 		adrm_start(&context, (char *)(p + sizeof (link)));
1017 	}
1018 	/*
1019 	 * if down rev version, neither pid nor label are included
1020 	 * in v1 ax_size_of_tsol_data intentionally ignored
1021 	 */
1022 	if (version == PROTOCOL_VERSION_1) {
1023 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1024 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1025 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1026 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1027 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1028 		adrm_int32(&context,
1029 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1030 		adrm_int32(&context,
1031 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1032 		adrm_int32(&context,
1033 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1034 		adrm_int32(&context,
1035 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1036 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1037 		adrm_int32(&context, (int *)&(internal->as_audit_enabled), 1);
1038 		internal->as_pid = (pid_t)-1;
1039 		internal->as_label = NULL;
1040 	} else if (version == PROTOCOL_VERSION_2) {
1041 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1042 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1043 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1044 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1045 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1046 		adrm_int32(&context,
1047 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1048 		adrm_int32(&context,
1049 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1050 		adrm_int32(&context,
1051 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1052 		adrm_int32(&context,
1053 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1054 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1055 		adrm_int32(&context, (int *)&(internal->as_audit_enabled), 1);
1056 		adrm_int32(&context, (int *)&(internal->as_pid), 1);
1057 		adrm_int32(&context, (int *)&label_len, 1);
1058 		if (label_len > 0) {
1059 			/* read in and deal with different sized labels. */
1060 			size_t	my_label_len = blabel_size();
1061 
1062 			if ((internal->as_label =
1063 			    m_label_alloc(MAC_LABEL)) == NULL) {
1064 				return (0);
1065 			}
1066 			if (label_len > my_label_len) {
1067 				errno = EINVAL;
1068 				m_label_free(internal->as_label);
1069 				return (0);
1070 			}
1071 			(void) memset(internal->as_label, 0, my_label_len);
1072 			adrm_int32(&context, (int *)(internal->as_label),
1073 			    label_len / sizeof (int32_t));
1074 		} else {
1075 			internal->as_label = NULL;
1076 		}
1077 	}
1078 
1079 	return (length);
1080 }
1081 
1082 /*
1083  * adt_to_export_format
1084  * read from struct adt_session_data into a network order buffer.
1085  *
1086  * (network order 'cause this data may be shared with a remote host.)
1087  */
1088 
1089 static size_t
1090 adt_to_export_format(adt_export_data_t *external,
1091     adt_internal_state_t *internal)
1092 {
1093 	struct export_header	head;
1094 	struct export_link	tail;
1095 	adr_t			context;
1096 	size_t			label_len = 0;
1097 
1098 	adrm_start(&context, (char *)external);
1099 
1100 	if (internal->as_label != NULL) {
1101 		label_len = blabel_size();
1102 	}
1103 
1104 	head.ax_check = ADT_VALID;
1105 	head.ax_buffer_length = sizeof (struct adt_export_data) + label_len;
1106 
1107 	/* version 2 first */
1108 
1109 	head.ax_link.ax_version = PROTOCOL_VERSION_2;
1110 	head.ax_link.ax_offset = sizeof (struct export_header) +
1111 	    sizeof (struct adt_export_v2) + label_len;
1112 
1113 	adrm_putint32(&context, (int *)&head, 4);
1114 
1115 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1116 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1117 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1118 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1119 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1120 	adrm_putint32(&context,
1121 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1122 	adrm_putint32(&context,
1123 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1124 	adrm_putint32(&context,
1125 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1126 	adrm_putint32(&context,
1127 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1128 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1129 	adrm_putint32(&context, (int *)&(internal->as_audit_enabled), 1);
1130 	adrm_putint32(&context, (int *)&(internal->as_pid), 1);
1131 	adrm_putint32(&context, (int *)&label_len, 1);
1132 	if (internal->as_label != NULL) {
1133 		/* serialize the label */
1134 		adrm_putint32(&context, (int *)(internal->as_label),
1135 		    (label_len / sizeof (int32_t)));
1136 	}
1137 
1138 	/* now version 1 */
1139 
1140 	tail.ax_version = PROTOCOL_VERSION_1;
1141 	tail.ax_offset = 0;
1142 
1143 	adrm_putint32(&context, (int *)&tail, 2);
1144 
1145 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1146 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1147 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1148 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1149 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1150 	adrm_putint32(&context,
1151 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1152 	adrm_putint32(&context,
1153 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1154 	adrm_putint32(&context,
1155 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1156 	adrm_putint32(&context,
1157 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1158 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1159 	adrm_putint32(&context, (int *)&(internal->as_audit_enabled), 1);
1160 	/* ignored in v1 */
1161 	adrm_putint32(&context, (int *)&label_len, 1);
1162 
1163 	/* finally terminator */
1164 
1165 	tail.ax_version = 0; /* invalid version number */
1166 	tail.ax_offset = 0;
1167 
1168 	adrm_putint32(&context, (int *)&tail, 2);
1169 
1170 	return (head.ax_buffer_length);
1171 }
1172 
1173 
1174 /*
1175  * adt_import_proc() is used by a server acting on behalf
1176  * of a client which has connected via an ipc mechanism such as
1177  * a door.
1178  *
1179  * Since the interface is via ucred, the info.ap_termid.port
1180  * value is always the 64 bit version.  What is stored depends
1181  * on how libbsm is compiled.
1182  */
1183 
1184 size_t
1185 adt_import_proc(pid_t pid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1186     adt_export_data_t **external)
1187 {
1188 	size_t			length = 0;
1189 	adt_internal_state_t	*state;
1190 	ucred_t			*ucred;
1191 	const au_tid64_addr_t	*tid;
1192 
1193 	state = calloc(1, sizeof (adt_internal_state_t));
1194 
1195 	if (state == NULL)
1196 		return (0);
1197 
1198 	if (adt_init(state, 0) != 0)
1199 		goto return_length_free;    /* errno from adt_init() */
1200 
1201 	/*
1202 	 * ucred_getauid() returns AU_NOAUDITID if audit is off, which
1203 	 * is the right answer for adt_import_proc().
1204 	 *
1205 	 * Create a local context as near as possible.
1206 	 */
1207 
1208 	ucred = ucred_get(pid);
1209 
1210 	if (ucred == NULL)
1211 		goto return_length_free;
1212 
1213 	state->as_ruid = ruid != ADT_NO_CHANGE ? ruid : ucred_getruid(ucred);
1214 	state->as_euid = euid != ADT_NO_CHANGE ? euid : ucred_geteuid(ucred);
1215 	state->as_rgid = rgid != ADT_NO_CHANGE ? rgid : ucred_getrgid(ucred);
1216 	state->as_egid = egid != ADT_NO_CHANGE ? egid : ucred_getegid(ucred);
1217 
1218 	state->as_info.ai_auid = ucred_getauid(ucred);
1219 
1220 	if (state->as_info.ai_auid == AU_NOAUDITID) {
1221 		state->as_info.ai_asid = adt_get_unique_id(ruid);
1222 
1223 		if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1224 			goto return_all_free;
1225 	} else {
1226 		const au_mask_t *mask = ucred_getamask(ucred);
1227 
1228 		if (mask != NULL)
1229 			state->as_info.ai_mask = *mask;
1230 		else
1231 			goto return_all_free;
1232 
1233 		state->as_info.ai_asid = ucred_getasid(ucred);
1234 	}
1235 
1236 	tid = ucred_getatid(ucred);
1237 
1238 	if (tid != NULL) {
1239 		adt_cpy_tid(&(state->as_info.ai_termid), tid);
1240 	} else {
1241 		(void) memset((void *)&(state->as_info.ai_termid), 0,
1242 		    sizeof (au_tid_addr_t));
1243 		state->as_info.ai_termid.at_type = AU_IPv4;
1244 	}
1245 
1246 	DPRINTF(("import_proc/asid = %X %u\n", state->as_info.ai_asid,
1247 	    state->as_info.ai_asid));
1248 
1249 	DPRINTF(("import_proc/masks = %X %X\n",
1250 	    state->as_info.ai_mask.am_success,
1251 	    state->as_info.ai_mask.am_failure));
1252 
1253 	if (state->as_label == NULL) {
1254 		*external = malloc(sizeof (adt_export_data_t));
1255 	} else {
1256 		*external = malloc(sizeof (adt_export_data_t) + blabel_size());
1257 	}
1258 
1259 	if (*external == NULL)
1260 		goto return_all_free;
1261 
1262 	length = adt_to_export_format(*external, state);
1263 	/*
1264 	 * yes, state is supposed to be free'd for both pass and fail
1265 	 */
1266 return_all_free:
1267 	ucred_free(ucred);
1268 return_length_free:
1269 	free(state);
1270 	return (length);
1271 }
1272 
1273 /*
1274  * adt_ucred_label() -- if label is available, duplicate it.
1275  */
1276 
1277 static m_label_t *
1278 adt_ucred_label(ucred_t *uc)
1279 {
1280 	m_label_t	*ul = NULL;
1281 
1282 	if (ucred_getlabel(uc) != NULL) {
1283 		(void) m_label_dup(&ul, ucred_getlabel(uc));
1284 	}
1285 
1286 	return (ul);
1287 }
1288 
1289 /*
1290  * adt_import() -- convert from network order to machine-specific order
1291  */
1292 
1293 static int
1294 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external)
1295 {
1296 	au_mask_t mask;
1297 
1298 	/* save local audit enabled state */
1299 	int	local_audit_enabled = internal->as_audit_enabled;
1300 
1301 	if (adt_from_export_format(internal, external) < 1)
1302 		return (-1); /* errno from adt_from_export_format */
1303 
1304 	/*
1305 	 * If audit isn't enabled on the remote, they were unable
1306 	 * to generate the audit mask, so generate it based on
1307 	 * local configuration.  If the user id has changed, the
1308 	 * resulting mask may miss some subtleties that occurred
1309 	 * on the remote system.
1310 	 *
1311 	 * If the remote failed to generate a terminal id, it is not
1312 	 * recoverable.
1313 	 */
1314 
1315 	if (!internal->as_audit_enabled) {
1316 		if (adt_get_mask_from_user(internal->as_info.ai_auid,
1317 		    &(internal->as_info.ai_mask)))
1318 			return (-1);
1319 		if (internal->as_info.ai_auid != internal->as_ruid) {
1320 			if (adt_get_mask_from_user(internal->as_info.ai_auid,
1321 			    &mask))
1322 				return (-1);
1323 			internal->as_info.ai_mask.am_success |=
1324 			    mask.am_success;
1325 			internal->as_info.ai_mask.am_failure |=
1326 			    mask.am_failure;
1327 		}
1328 	}
1329 	internal->as_audit_enabled = local_audit_enabled;
1330 
1331 	DPRINTF(("(%d)imported asid = %X %u\n", getpid(),
1332 	    internal->as_info.ai_asid,
1333 	    internal->as_info.ai_asid));
1334 
1335 	internal->as_have_user_data = ADT_HAVE_ALL;
1336 
1337 	return (0);
1338 }
1339 
1340 /*
1341  * adt_export_session_data()
1342  * copies a adt_session_data struct into a network order buffer
1343  *
1344  * In a misconfigured network, the local host may have auditing
1345  * off while the destination may have auditing on, so if there
1346  * is sufficient memory, a buffer will be returned even in the
1347  * audit off case.
1348  */
1349 
1350 size_t
1351 adt_export_session_data(const adt_session_data_t *internal,
1352     adt_export_data_t **external)
1353 {
1354 	size_t			length = 0;
1355 
1356 	if ((internal != NULL) &&
1357 	    ((adt_internal_state_t *)internal)->as_label != NULL) {
1358 		length = blabel_size();
1359 	}
1360 
1361 	*external = malloc(sizeof (adt_export_data_t) + length);
1362 
1363 	if (*external == NULL)
1364 		return (0);
1365 
1366 	if (internal == NULL) {
1367 		adt_internal_state_t	*dummy;
1368 
1369 		dummy = malloc(sizeof (adt_internal_state_t));
1370 		if (dummy == NULL)
1371 			goto return_length_free;
1372 
1373 		if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */
1374 			free(dummy);
1375 			goto return_length_free;
1376 		}
1377 		length = adt_to_export_format(*external, dummy);
1378 		free(dummy);
1379 	} else {
1380 		length = adt_to_export_format(*external,
1381 		    (adt_internal_state_t *)internal);
1382 	}
1383 	return (length);
1384 
1385 return_length_free:
1386 	free(*external);
1387 	*external = NULL;
1388 	return (0);
1389 }
1390 
1391 static void
1392 adt_setto_unaudited(adt_internal_state_t *state)
1393 {
1394 	state->as_ruid = AU_NOAUDITID;
1395 	state->as_euid = AU_NOAUDITID;
1396 	state->as_rgid = AU_NOAUDITID;
1397 	state->as_egid = AU_NOAUDITID;
1398 	state->as_pid = (pid_t)-1;
1399 	state->as_label = NULL;
1400 
1401 	if (state->as_audit_enabled) {
1402 		state->as_info.ai_asid = 0;
1403 		state->as_info.ai_auid = AU_NOAUDITID;
1404 
1405 		(void) memset((void *)&(state->as_info.ai_termid), 0,
1406 		    sizeof (au_tid_addr_t));
1407 		state->as_info.ai_termid.at_type = AU_IPv4;
1408 
1409 		(void) memset((void *)&(state->as_info.ai_mask), 0,
1410 		    sizeof (au_mask_t));
1411 		state->as_have_user_data = 0;
1412 	}
1413 }
1414 
1415 /*
1416  * adt_init -- set session context by copying the audit characteristics
1417  * from the proc and picking up current uid/tid information.
1418  *
1419  * By default, an audit session is based on the process; the default
1420  * is overriden by adt_set_user()
1421  */
1422 
1423 static int
1424 adt_init(adt_internal_state_t *state, int use_proc_data)
1425 {
1426 
1427 	state->as_audit_enabled = (auditstate == AUC_DISABLED) ? 0 : 1;
1428 
1429 	if (use_proc_data) {
1430 		state->as_ruid = getuid();
1431 		state->as_euid = geteuid();
1432 		state->as_rgid = getgid();
1433 		state->as_egid = getegid();
1434 		state->as_pid = getpid();
1435 
1436 		if (state->as_audit_enabled) {
1437 			const au_tid64_addr_t	*tid;
1438 			const au_mask_t		*mask;
1439 			ucred_t			*ucred = ucred_get(P_MYID);
1440 
1441 			/*
1442 			 * Even if the ucred is NULL, the underlying
1443 			 * credential may have a valid terminal id; if the
1444 			 * terminal id is set, then that's good enough.  An
1445 			 * example of where this matters is failed login,
1446 			 * where rlogin/telnet sets the terminal id before
1447 			 * calling login; login does not load the credential
1448 			 * since auth failed.
1449 			 */
1450 			if (ucred == NULL) {
1451 				if (!adt_have_termid(
1452 				    &(state->as_info.ai_termid)))
1453 					return (-1);
1454 			} else {
1455 				mask = ucred_getamask(ucred);
1456 				if (mask != NULL) {
1457 					state->as_info.ai_mask = *mask;
1458 				} else {
1459 					ucred_free(ucred);
1460 					return (-1);
1461 				}
1462 				tid = ucred_getatid(ucred);
1463 				if (tid != NULL) {
1464 					adt_cpy_tid(&(state->as_info.ai_termid),
1465 					    tid);
1466 				} else {
1467 					ucred_free(ucred);
1468 					return (-1);
1469 				}
1470 				state->as_info.ai_asid = ucred_getasid(ucred);
1471 				state->as_info.ai_auid = ucred_getauid(ucred);
1472 				state->as_label = adt_ucred_label(ucred);
1473 				ucred_free(ucred);
1474 			}
1475 			state->as_have_user_data = ADT_HAVE_ALL;
1476 		}
1477 	} else {
1478 		adt_setto_unaudited(state);
1479 	}
1480 	state->as_session_model = ADT_SESSION_MODEL;	/* default */
1481 
1482 	if (state->as_audit_enabled &&
1483 	    auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy),
1484 	    sizeof (state->as_kernel_audit_policy))) {
1485 		return (-1);  /* errno set by auditon */
1486 	}
1487 	state->as_check = ADT_VALID;
1488 	return (0);
1489 }
1490 
1491 /*
1492  * adt_set_proc
1493  *
1494  * Copy the current session state to the process.  If this function
1495  * is called, the model becomes a process model rather than a
1496  * session model.
1497  *
1498  * In the current implementation, the value state->as_have_user_data
1499  * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}.  These are all set
1500  * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in.
1501  *
1502  */
1503 
1504 int
1505 adt_set_proc(const adt_session_data_t *session_data)
1506 {
1507 	int			rc;
1508 	adt_internal_state_t	*state;
1509 
1510 	if (auditstate == AUC_DISABLED || (session_data == NULL))
1511 		return (0);
1512 
1513 	state = (adt_internal_state_t *)session_data;
1514 
1515 	assert(state->as_check == ADT_VALID);
1516 
1517 	if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) !=
1518 	    (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) {
1519 		errno = EINVAL;
1520 		goto return_err;
1521 	}
1522 
1523 	rc = setaudit_addr((auditinfo_addr_t *)&(state->as_info),
1524 	    sizeof (auditinfo_addr_t));
1525 
1526 	if (rc < 0)
1527 		goto return_err;	/* errno set by setaudit_addr() */
1528 
1529 	state->as_session_model = ADT_PROCESS_MODEL;
1530 
1531 	return (0);
1532 
1533 return_err:
1534 	adt_write_syslog("failed to set process audit characteristics", errno);
1535 	return (-1);
1536 }
1537 
1538 static int
1539 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid)
1540 {
1541 	au_tid_addr_t	no_tid = {0, AU_IPv4, 0, 0, 0, 0};
1542 	au_mask_t	no_mask = {0, 0};
1543 
1544 	if (ruid == ADT_NO_AUDIT) {
1545 		state->as_info.ai_auid = AU_NOAUDITID;
1546 		state->as_info.ai_asid = 0;
1547 		state->as_info.ai_termid = no_tid;
1548 		state->as_info.ai_mask = no_mask;
1549 		return (0);
1550 	}
1551 	state->as_info.ai_auid = ruid;
1552 	state->as_info.ai_asid = adt_get_unique_id(ruid);
1553 	if (termid != NULL)
1554 		state->as_info.ai_termid = *termid;
1555 
1556 	if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1557 		return (-1);
1558 
1559 	/* Assume intending to audit as this process */
1560 
1561 	if (state->as_pid == (pid_t)-1)
1562 		state->as_pid = getpid();
1563 
1564 	if (is_system_labeled() && state->as_label == NULL) {
1565 		ucred_t	*ucred = ucred_get(P_MYID);
1566 
1567 		state->as_label = adt_ucred_label(ucred);
1568 		ucred_free(ucred);
1569 	}
1570 
1571 	return (0);
1572 }
1573 
1574 static int
1575 adt_changeuser(adt_internal_state_t *state, uid_t ruid)
1576 {
1577 	au_mask_t		mask;
1578 
1579 	if (!(state->as_have_user_data & ADT_HAVE_AUID))
1580 		state->as_info.ai_auid = ruid;
1581 	if (!(state->as_have_user_data & ADT_HAVE_ASID))
1582 		state->as_info.ai_asid = adt_get_unique_id(ruid);
1583 
1584 	if (ruid <= MAXEPHUID) {
1585 		if (adt_get_mask_from_user(ruid, &mask))
1586 			return (-1);
1587 
1588 		state->as_info.ai_mask.am_success |= mask.am_success;
1589 		state->as_info.ai_mask.am_failure |= mask.am_failure;
1590 	}
1591 	DPRINTF(("changed mask to %08X/%08X for ruid=%d\n",
1592 	    state->as_info.ai_mask.am_success,
1593 	    state->as_info.ai_mask.am_failure,
1594 	    ruid));
1595 	return (0);
1596 }
1597 
1598 /*
1599  * adt_set_user -- see also adt_set_from_ucred()
1600  *
1601  * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or
1602  * "unattributed."  If ruid, change the model to session.
1603  *
1604  * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value"
1605  * only valid with ADT_UPDATE.
1606  *
1607  * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there
1608  * isn't a good reason to call adt_set_user() with it unless you don't
1609  * have a good value yet and intend to replace it later; auid will be
1610  * AU_NOAUDITID.
1611  *
1612  * adt_set_user should be called even if auditing is not enabled
1613  * so that adt_export_session_data() will have useful stuff to
1614  * work with.
1615  *
1616  * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID
1617  * and ADT_HAVE_ALL.
1618  */
1619 
1620 int
1621 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid,
1622     uid_t ruid, gid_t rgid, const adt_termid_t *termid,
1623     enum adt_user_context user_context)
1624 {
1625 	adt_internal_state_t	*state;
1626 	int			rc;
1627 
1628 	if (session_data == NULL) /* no session exists to audit */
1629 		return (0);
1630 
1631 	state = (adt_internal_state_t *)session_data;
1632 	assert(state->as_check == ADT_VALID);
1633 
1634 	switch (user_context) {
1635 	case ADT_NEW:
1636 		if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE ||
1637 		    rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) {
1638 			errno = EINVAL;
1639 			return (-1);
1640 		}
1641 		if ((rc = adt_newuser(state, ruid,
1642 		    (au_tid_addr_t *)termid)) != 0)
1643 			return (rc);
1644 
1645 		state->as_have_user_data = ADT_HAVE_ALL;
1646 		break;
1647 	case ADT_UPDATE:
1648 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1649 			errno = EINVAL;
1650 			return (-1);
1651 		}
1652 
1653 		if (ruid != ADT_NO_CHANGE)
1654 			if ((rc = adt_changeuser(state, ruid)) != 0)
1655 				return (rc);
1656 		break;
1657 	case ADT_USER:
1658 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1659 			errno = EINVAL;
1660 			return (-1);
1661 		}
1662 		break;
1663 	case ADT_SETTID:
1664 		assert(termid != NULL);
1665 		state->as_info.ai_termid = *((au_tid_addr_t *)termid);
1666 		/* avoid fooling pam_setcred()... */
1667 		state->as_info.ai_auid = AU_NOAUDITID;
1668 		state->as_info.ai_asid = 0;
1669 		state->as_info.ai_mask.am_failure = 0;
1670 		state->as_info.ai_mask.am_success = 0;
1671 		state->as_have_user_data = ADT_HAVE_TID |
1672 		    ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK;
1673 		return (0);
1674 	default:
1675 		errno = EINVAL;
1676 		return (-1);
1677 	}
1678 
1679 	if (ruid == ADT_NO_AUDIT) {
1680 		state->as_ruid = AU_NOAUDITID;
1681 		state->as_euid = AU_NOAUDITID;
1682 		state->as_rgid = AU_NOAUDITID;
1683 		state->as_egid = AU_NOAUDITID;
1684 	} else {
1685 		if (ruid != ADT_NO_CHANGE)
1686 			state->as_ruid = ruid;
1687 		if (euid != ADT_NO_CHANGE)
1688 			state->as_euid = euid;
1689 		if (rgid != ADT_NO_CHANGE)
1690 			state->as_rgid = rgid;
1691 		if (egid != ADT_NO_CHANGE)
1692 			state->as_egid = egid;
1693 	}
1694 
1695 	if (ruid == ADT_NO_ATTRIB) {
1696 		state->as_session_model = ADT_SESSION_MODEL;
1697 	}
1698 
1699 	return (0);
1700 }
1701 
1702 /*
1703  * adt_set_from_ucred()
1704  *
1705  * an alternate to adt_set_user that fills the same role but uses
1706  * a pointer to a ucred rather than a list of id's.  If the ucred
1707  * pointer is NULL, use the credential from the this process.
1708  *
1709  * A key difference is that for ADT_NEW, adt_set_from_ucred() does
1710  * not overwrite the asid and auid unless auid has not been set.
1711  * ADT_NEW differs from ADT_UPDATE in that it does not OR together
1712  * the incoming audit mask with the one that already exists.
1713  *
1714  * adt_set_from_ucred should be called even if auditing is not enabled
1715  * so that adt_export_session_data() will have useful stuff to
1716  * work with.
1717  */
1718 
1719 int
1720 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc,
1721     enum adt_user_context user_context)
1722 {
1723 	adt_internal_state_t	*state;
1724 	int			rc = -1;
1725 	const au_tid64_addr_t		*tid64;
1726 	au_tid_addr_t		termid, *tid;
1727 	ucred_t	*ucred = (ucred_t *)uc;
1728 	boolean_t	local_uc = B_FALSE;
1729 
1730 	if (session_data == NULL) /* no session exists to audit */
1731 		return (0);
1732 
1733 	state = (adt_internal_state_t *)session_data;
1734 	assert(state->as_check == ADT_VALID);
1735 
1736 	if (ucred == NULL) {
1737 		ucred = ucred_get(P_MYID);
1738 
1739 		if (ucred == NULL)
1740 			goto return_rc;
1741 		local_uc = B_TRUE;
1742 	}
1743 
1744 	switch (user_context) {
1745 	case ADT_NEW:
1746 		tid64 = ucred_getatid(ucred);
1747 		if (tid64 != NULL) {
1748 			adt_cpy_tid(&termid, tid64);
1749 			tid = &termid;
1750 		} else {
1751 			tid = NULL;
1752 		}
1753 		if (ucred_getauid(ucred) == AU_NOAUDITID) {
1754 			adt_setto_unaudited(state);
1755 			state->as_have_user_data = ADT_HAVE_ALL;
1756 			rc = 0;
1757 			goto return_rc;
1758 		} else {
1759 			state->as_info.ai_auid = ucred_getauid(ucred);
1760 			state->as_info.ai_asid = ucred_getasid(ucred);
1761 			state->as_info.ai_mask = *ucred_getamask(ucred);
1762 			state->as_info.ai_termid = *tid;
1763 		}
1764 		state->as_have_user_data = ADT_HAVE_ALL;
1765 		break;
1766 	case ADT_UPDATE:
1767 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1768 			errno = EINVAL;
1769 			goto return_rc;
1770 		}
1771 
1772 		if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0)
1773 			goto return_rc;
1774 		break;
1775 	case ADT_USER:
1776 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1777 			errno = EINVAL;
1778 			goto return_rc;
1779 		}
1780 		break;
1781 	default:
1782 		errno = EINVAL;
1783 		goto return_rc;
1784 	}
1785 	rc = 0;
1786 
1787 	state->as_ruid = ucred_getruid(ucred);
1788 	state->as_euid = ucred_geteuid(ucred);
1789 	state->as_rgid = ucred_getrgid(ucred);
1790 	state->as_egid = ucred_getegid(ucred);
1791 	state->as_pid = ucred_getpid(ucred);
1792 	state->as_label = adt_ucred_label(ucred);
1793 
1794 return_rc:
1795 	if (local_uc) {
1796 		ucred_free(ucred);
1797 	}
1798 	return (rc);
1799 }
1800 
1801 /*
1802  * adt_alloc_event() returns a pointer to allocated memory
1803  *
1804  */
1805 
1806 adt_event_data_t
1807 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id)
1808 {
1809 	struct adt_event_state	*event_state;
1810 	adt_internal_state_t	*session_state;
1811 	adt_event_data_t	*return_event = NULL;
1812 	/*
1813 	 * need to return a valid event pointer even if audit is
1814 	 * off, else the caller will end up either (1) keeping its
1815 	 * own flags for on/off or (2) writing to a NULL pointer.
1816 	 * If auditing is on, the session data must be valid; otherwise
1817 	 * we don't care.
1818 	 */
1819 	if (session_data != NULL) {
1820 		session_state = (adt_internal_state_t *)session_data;
1821 		assert(session_state->as_check == ADT_VALID);
1822 	}
1823 	event_state = calloc(1, sizeof (struct adt_event_state));
1824 	if (event_state == NULL)
1825 		goto return_ptr;
1826 
1827 	event_state->ae_check = ADT_VALID;
1828 
1829 	event_state->ae_event_id = event_id;
1830 	event_state->ae_session = (struct adt_internal_state *)session_data;
1831 
1832 	return_event = (adt_event_data_t *)&(event_state->ae_event_data);
1833 
1834 	/*
1835 	 * preload data so the adt_au_*() functions can detect un-supplied
1836 	 * values (0 and NULL are free via calloc()).
1837 	 */
1838 	adt_preload(event_id, return_event);
1839 
1840 return_ptr:
1841 	return (return_event);
1842 }
1843 
1844 /*
1845  * adt_getXlateTable -- look up translation table address for event id
1846  */
1847 
1848 static struct translation *
1849 adt_getXlateTable(au_event_t event_id)
1850 {
1851 	/* xlate_table is global in adt_xlate.c */
1852 	struct translation	**p_xlate = &xlate_table[0];
1853 	struct translation	*p_event;
1854 
1855 	while (*p_xlate != NULL) {
1856 		p_event = *p_xlate;
1857 		if (event_id == p_event->tx_external_event)
1858 			return (p_event);
1859 		p_xlate++;
1860 	}
1861 	return (NULL);
1862 }
1863 
1864 /*
1865  * adt_calcOffsets
1866  *
1867  * the call to this function is surrounded by a mutex.
1868  *
1869  * i walks down the table picking up next_token.  j walks again to
1870  * calculate the offset to the input data.  k points to the next
1871  * token's row.  Finally, l, is used to sum the values in the
1872  * datadef array.
1873  *
1874  * What's going on?  The entry array is in the order of the input
1875  * fields but the processing of array entries is in the order of
1876  * the output (see next_token).  Calculating the offset to the
1877  * "next" input can't be done in the outer loop (i) since i doesn't
1878  * point to the current entry and it can't be done with the k index
1879  * because it doesn't represent the order of input fields.
1880  *
1881  * While the resulting algorithm is n**2, it is only done once per
1882  * event type.
1883  */
1884 
1885 /*
1886  * adt_calcOffsets is only called once per event type, but it uses
1887  * the address alignment of memory allocated for that event as if it
1888  * were the same for all subsequently allocated memory.  This is
1889  * guaranteed by calloc/malloc.  Arrays take special handling since
1890  * what matters for figuring out the correct alignment is the size
1891  * of the array element.
1892  */
1893 
1894 static void
1895 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data)
1896 {
1897 	int		i, j;
1898 	size_t		this_size, prev_size;
1899 	void		*struct_start = p_data;
1900 
1901 	for (i = 0; i < tablesize; i++) {
1902 		if (p_entry[i].en_type_def == NULL) {
1903 			p_entry[i].en_offset = 0;
1904 			continue;
1905 		}
1906 		prev_size = 0;
1907 		p_entry[i].en_offset = (char *)p_data - (char *)struct_start;
1908 
1909 		for (j = 0; j < p_entry[i].en_count_types; j++) {
1910 			if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG)
1911 				this_size = sizeof (enum adt_generic);
1912 			else
1913 				this_size =
1914 				    p_entry[i].en_type_def[j].dd_input_size;
1915 
1916 			/* adj for first entry */
1917 			if (prev_size == 0)
1918 				prev_size = this_size;
1919 
1920 			if (p_entry[i].en_type_def[j].dd_datatype ==
1921 			    ADT_UINT32ARRAY) {
1922 				p_data = (char *)adt_adjust_address(p_data,
1923 				    prev_size, sizeof (uint32_t)) +
1924 				    this_size - sizeof (uint32_t);
1925 
1926 				prev_size = sizeof (uint32_t);
1927 			} else {
1928 				p_data = adt_adjust_address(p_data, prev_size,
1929 				    this_size);
1930 				prev_size = this_size;
1931 			}
1932 		}
1933 	}
1934 }
1935 
1936 /*
1937  * adt_generate_event
1938  * generate event record from external struct.  The order is based on
1939  * the output tokens, allowing for the possibility that the input data
1940  * is in a different order.
1941  *
1942  */
1943 
1944 static void
1945 adt_generate_event(const adt_event_data_t *p_extdata,
1946     struct adt_event_state *p_event,
1947     struct translation *p_xlate)
1948 {
1949 	struct entry		*p_entry;
1950 	static mutex_t	lock = DEFAULTMUTEX;
1951 
1952 	p_entry = p_xlate->tx_first_entry;
1953 	assert(p_entry != NULL);
1954 
1955 	p_event->ae_internal_id = p_xlate->tx_internal_event;
1956 	adt_token_open(p_event);
1957 
1958 	/*
1959 	 * offsets are not pre-calculated; the initial offsets are all
1960 	 * 0; valid offsets are >= 0.  Offsets for no-input tokens such
1961 	 * as subject are set to -1 by adt_calcOffset()
1962 	 */
1963 	if (p_xlate->tx_offsetsCalculated == 0) {
1964 		(void) mutex_lock(&lock);
1965 		p_xlate->tx_offsetsCalculated = 1;
1966 
1967 		adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries,
1968 		    (void *)p_extdata);
1969 		(void) mutex_unlock(&lock);
1970 	}
1971 	while (p_entry != NULL) {
1972 		adt_generate_token(p_entry, (char *)p_extdata,
1973 		    p_event);
1974 
1975 		p_entry = p_entry->en_next_token;
1976 	}
1977 	adt_token_close(p_event);
1978 }
1979 
1980 /*
1981  * adt_put_event -- main event generation function.
1982  * The input "event" is the address of the struct containing
1983  * event-specific data.
1984  *
1985  * However if auditing is off or the session handle
1986  * is NULL, no attempt to write a record is made.
1987  */
1988 
1989 int
1990 adt_put_event(const adt_event_data_t *event, int status, int return_val)
1991 {
1992 	struct adt_event_state	*event_state;
1993 	struct translation	*xlate;
1994 	int			rc = 0;
1995 
1996 	if (event == NULL) {
1997 		errno = EINVAL;
1998 		rc = -1;
1999 		goto return_rc;
2000 	}
2001 	event_state = (struct adt_event_state *)event;
2002 
2003 	/* if audit off or this is a broken session, exit */
2004 	if (auditstate == AUC_DISABLED || (event_state->ae_session == NULL))
2005 		goto return_rc;
2006 
2007 	assert(event_state->ae_check == ADT_VALID);
2008 
2009 	event_state->ae_rc = status;
2010 	event_state->ae_type = return_val;
2011 
2012 	/* look up the event */
2013 
2014 	xlate = adt_getXlateTable(event_state->ae_event_id);
2015 
2016 	if (xlate == NULL) {
2017 		errno = EINVAL;
2018 		rc = -1;
2019 		goto return_rc;
2020 	}
2021 	DPRINTF(("got event %d\n", xlate->tx_internal_event));
2022 
2023 	if (adt_selected(event_state, xlate->tx_internal_event, status))
2024 		adt_generate_event(event, event_state, xlate);
2025 
2026 return_rc:
2027 	return (rc);
2028 }
2029 
2030 /*
2031  * adt_free_event -- invalidate and free
2032  */
2033 
2034 void
2035 adt_free_event(adt_event_data_t *event)
2036 {
2037 	struct adt_event_state	*event_state;
2038 
2039 	if (event == NULL)
2040 		return;
2041 
2042 	event_state = (struct adt_event_state *)event;
2043 
2044 	assert(event_state->ae_check == ADT_VALID);
2045 
2046 	event_state->ae_check = 0;
2047 
2048 	free(event_state);
2049 }
2050 
2051 /*
2052  * adt_is_selected -- helper to adt_selected(), below.
2053  *
2054  * "sorf" is "success or fail" status; au_preselect compares
2055  * that with success, fail, or both.
2056  */
2057 
2058 static int
2059 adt_is_selected(au_event_t e, au_mask_t *m, int sorf)
2060 {
2061 	int prs_sorf;
2062 
2063 	if (sorf == 0)
2064 		prs_sorf = AU_PRS_SUCCESS;
2065 	else
2066 		prs_sorf = AU_PRS_FAILURE;
2067 
2068 	return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD));
2069 }
2070 
2071 /*
2072  * selected -- see if this event is preselected.
2073  *
2074  * if errors are encountered trying to check a preselection mask
2075  * or look up a user name, the event is selected.  Otherwise, the
2076  * preselection mask is used for the job.
2077  */
2078 
2079 static int
2080 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status)
2081 {
2082 	adt_internal_state_t *sp;
2083 	au_mask_t	namask;
2084 
2085 	sp = event->ae_session;
2086 
2087 	if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) {
2088 		adt_write_syslog("No user data available", EINVAL);
2089 		return (1);	/* default is "selected" */
2090 	}
2091 
2092 	/* non-attributable? */
2093 	if ((sp->as_info.ai_auid == AU_NOAUDITID) ||
2094 	    (sp->as_info.ai_auid == ADT_NO_AUDIT)) {
2095 		if (auditon(A_GETKMASK, (caddr_t)&namask,
2096 		    sizeof (namask)) != 0) {
2097 			adt_write_syslog("auditon failure", errno);
2098 			return (1);
2099 		}
2100 		return (adt_is_selected(actual_id, &namask, status));
2101 	} else {
2102 		return (adt_is_selected(actual_id, &(sp->as_info.ai_mask),
2103 		    status));
2104 	}
2105 }
2106 
2107 /*
2108  * Can't map the host name to an IP address in
2109  * adt_get_hostIP.  Get something off an interface
2110  * to act as the hosts IP address for auditing.
2111  */
2112 
2113 int
2114 adt_get_local_address(int family, struct ifaddrlist *al)
2115 {
2116 	struct ifaddrlist	*ifal;
2117 	char	errbuf[ERRBUFSIZE] = "empty list";
2118 	char	msg[ERRBUFSIZE + 512];
2119 	int	ifal_count;
2120 	int	i;
2121 
2122 	if ((ifal_count = ifaddrlist(&ifal, family, errbuf)) <= 0) {
2123 		int serrno = errno;
2124 
2125 		(void) snprintf(msg, sizeof (msg), "adt_get_local_address "
2126 		    "couldn't get %d addrlist %s", family, errbuf);
2127 		adt_write_syslog(msg, serrno);
2128 		errno = serrno;
2129 		return (-1);
2130 	}
2131 
2132 	for (i = 0; i < ifal_count; i++) {
2133 		/*
2134 		 * loopback always defined,
2135 		 * even if there is no real address
2136 		 */
2137 		if ((ifal[i].flags & (IFF_UP | IFF_LOOPBACK)) == IFF_UP) {
2138 			break;
2139 		}
2140 	}
2141 	if (i >= ifal_count) {
2142 		free(ifal);
2143 		/*
2144 		 * Callers of adt_get_hostIP() can only return
2145 		 * errno to their callers and eventually the application.
2146 		 * Picked one that seemed least worse for saying no
2147 		 * usable address for Audit terminal ID.
2148 		 */
2149 		errno = ENETDOWN;
2150 		return (-1);
2151 	}
2152 
2153 	*al = ifal[i];
2154 	free(ifal);
2155 	return (0);
2156 }
2157