xref: /titanic_41/usr/src/lib/libbsm/common/adt.c (revision 4cca9c843b53e5c17fa12ad23a003df0587904fd)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 #include <bsm/adt.h>
27 #include <bsm/adt_event.h>
28 #include <assert.h>
29 #include <bsm/audit.h>
30 #include <bsm/audit_record.h>
31 #include <bsm/libbsm.h>
32 #include <door.h>
33 #include <errno.h>
34 #include <generic.h>
35 #include <md5.h>
36 #include <sys/mkdev.h>
37 #include <netdb.h>
38 #include <nss_dbdefs.h>
39 #include <pwd.h>
40 #include <sys/stat.h>
41 #include <time.h>
42 #include <stdlib.h>
43 #include <string.h>
44 #include <synch.h>
45 #include <sys/systeminfo.h>
46 #include <syslog.h>
47 #include <thread.h>
48 #include <unistd.h>
49 #include <adt_xlate.h>
50 #include <adt_ucred.h>
51 #include <arpa/inet.h>
52 #include <net/if.h>
53 #include <libinetutil.h>
54 
55 static int adt_selected(struct adt_event_state *, au_event_t, int);
56 static int adt_init(adt_internal_state_t *, int);
57 static int adt_import(adt_internal_state_t *, const adt_export_data_t *);
58 static m_label_t *adt_ucred_label(ucred_t *);
59 static void adt_setto_unaudited(adt_internal_state_t *);
60 static int adt_get_local_address(int, struct ifaddrlist *);
61 
62 #ifdef C2_DEBUG
63 #define	DPRINTF(x) { (void) printf x; }
64 #define	DFLUSH (void) fflush(stdout);
65 #else
66 #define	DPRINTF(x)
67 #define	DFLUSH
68 #endif
69 
70 /*
71  * Local audit states are a bit mask
72  *
73  * The global audit states are
74  *
75  * AUC_UNSET             0      - on/off hasn't been decided
76  * AUC_ENABLED           1      - loaded and enabled
77  *
78  * The local Zone states are
79  *
80  * AUC_AUDITING         0x1     - audit daemon is active
81  * AUC_NOAUDIT          0x2     - audit daemon is not active
82  * AUC_INIT_AUDIT       0x4     - audit is ready but auditd has not run
83  * AUC_NOSPACE          0x8     - audit enabled, no space for audit records
84  *
85  * The only values returned by auditon(A_GETCOND) are:
86  * AUC_INIT_AUDIT, AUC_AUDITING, AUC_NOAUDIT, AUC_NOSPACE
87  *
88  * The pseudo audit state used when the c2audit module is excluded is
89  *
90  * AUC_DISABLED		0x100	- c2audit module is excluded
91  */
92 
93 static int auditstate = AUC_DISABLED;	/* default state */
94 
95 /*
96  * adt_write_syslog
97  *
98  * errors that are not the user's fault (bugs or whatever in
99  * the underlying audit code are noted in syslog.)
100  *
101  * Avoid calling adt_write_syslog for things that can happen
102  * at high volume.
103  *
104  * syslog's open (openlog) and close (closelog) are interesting;
105  * openlog *may* create a file descriptor and is optional.  closelog
106  * *will* close any open file descriptors and is also optional.
107  *
108  * Since syslog may also be used by the calling application, the
109  * choice is to avoid openlog, which sets some otherwise useful
110  * parameters, and to embed "Solaris_audit" in the log message.
111  */
112 
113 void
114 adt_write_syslog(const char *message, int err)
115 {
116 	int	save_errno = errno;
117 	int	mask_priority;
118 
119 	DPRINTF(("syslog called: %s\n", message));
120 
121 	mask_priority = setlogmask(LOG_MASK(LOG_ALERT));
122 	errno = err;
123 	syslog(LOG_ALERT, "Solaris_audit %s: %m", message);
124 	(void) setlogmask(mask_priority);
125 	errno = save_errno;
126 }
127 
128 /*
129  * return true if c2audit is not excluded.
130  *
131  *	For purpose of this API, anything but AUC_DISABLED
132  *	is enabled; however one never actually sees
133  *	AUC_DISABLED since auditon returns ENOTSUP in that case.  Any
134  *	auditon error is considered the same as ENOTSUP for our
135  *	purpose.  auditstate is not changed by auditon if an error
136  *	is returned.
137  */
138 
139 /*
140  * XXX	this should probably be eliminated and adt_audit_state() replace it.
141  *	All the legitimate uses	are to not fork a waiting process for
142  *	process exit processing, as in su, login, dtlogin.  Other bogus
143  *	users are zoneadmd and init.
144  *	All but dtlogin are in ON, so we can do this without cross gate
145  *	synchronization.
146  *
147  *	No longer used in adt.c.
148  */
149 
150 boolean_t
151 adt_audit_enabled(void)
152 {
153 
154 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
155 
156 	return (auditstate != AUC_DISABLED);
157 }
158 
159 /*
160  *	See adt_audit_enabled() for state discussions.
161  *	The state parameter is a hedge until all the uses become clear.
162  *	Likely if adt_audit_enabled is brought internal to this file,
163  *	it could be modified to take one or more parameters to describe the
164  *	state.
165  */
166 
167 boolean_t
168 adt_audit_state(int states)
169 {
170 
171 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
172 
173 	return ((auditstate & states) ? B_TRUE : B_FALSE);
174 }
175 
176 /*
177  * Get user_specific/non-attributable audit mask. This may be called even when
178  * auditing is off.
179  */
180 
181 static int
182 adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
183 {
184 	struct passwd	pwd;
185 	long		buff_sz;
186 	char		*pwd_buff;
187 
188 
189 	if (auditstate & AUC_DISABLED) {
190 		/* c2audit excluded */
191 		mask->am_success = 0;
192 		mask->am_failure = 0;
193 	} else if (uid <= MAXUID) {
194 		if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) {
195 			adt_write_syslog("couldn't determine maximum size of "
196 			    "password buffer", errno);
197 			return (-1);
198 		}
199 		if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) {
200 			return (-1);
201 		}
202 		if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) == NULL) {
203 			errno = EINVAL;	/* user doesn't exist */
204 			free(pwd_buff);
205 			return (-1);
206 		}
207 		free(pwd_buff);
208 		if (au_user_mask(pwd.pw_name, mask)) {
209 			errno = EFAULT; /* undetermined failure */
210 			return (-1);
211 		}
212 	} else if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) {
213 			return (-1);
214 	}
215 
216 	return (0);
217 }
218 
219 /*
220  * adt_get_unique_id -- generate a hopefully unique 32 bit value
221  *
222  * there will be a follow up to replace this with the use of /dev/random
223  *
224  * An MD5 hash is taken on a buffer of
225  *     hostname . audit id . unix time . pid . count
226  *
227  * "count = noise++;" is subject to a race condition but I don't
228  * see a need to put a lock around it.
229  */
230 
231 au_asid_t
232 adt_get_unique_id(au_id_t uid)
233 {
234 	char		hostname[MAXHOSTNAMELEN];
235 	union {
236 		au_id_t		v[4];
237 		unsigned char	obuff[128/8];
238 	} output;
239 	MD5_CTX	context;
240 
241 	static int	noise = 0;
242 
243 	int		count = noise++;
244 	time_t		timebits = time(NULL);
245 	pid_t		pidbits = getpid();
246 	au_asid_t	retval = 0;
247 
248 	if (gethostname(hostname, MAXHOSTNAMELEN)) {
249 		adt_write_syslog("gethostname call failed", errno);
250 		(void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN);
251 	}
252 
253 	while (retval == 0) {  /* 0 is the only invalid result */
254 		MD5Init(&context);
255 
256 		MD5Update(&context, (unsigned char *)hostname,
257 		    (unsigned int) strlen((const char *)hostname));
258 
259 		MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t));
260 
261 		MD5Update(&context,
262 		    (unsigned char *) &timebits, sizeof (time_t));
263 
264 		MD5Update(&context, (unsigned char *) &pidbits,
265 		    sizeof (pid_t));
266 
267 		MD5Update(&context, (unsigned char *) &(count), sizeof (int));
268 		MD5Final(output.obuff, &context);
269 
270 		retval = output.v[count % 4];
271 	}
272 	return (retval);
273 }
274 
275 /*
276  * the following "port" function deals with the following issues:
277  *
278  * 1    the kernel and ucred deal with a dev_t as a 64 bit value made
279  *      up from a 32 bit major and 32 bit minor.
280  * 2    User space deals with a dev_t as either the above 64 bit value
281  *      or a 32 bit value made from a 14 bit major and an 18 bit minor.
282  * 3    The various audit interfaces (except ucred) pass the 32 or
283  *      64 bit version depending the architecture of the userspace
284  *      application.  If you get a port value from ucred and pass it
285  *      to the kernel via auditon(), it must be squeezed into a 32
286  *      bit value because the kernel knows the userspace app's bit
287  *      size.
288  *
289  * The internal state structure for adt (adt_internal_state_t) uses
290  * dev_t, so adt converts data from ucred to fit.  The import/export
291  * functions, however, can't know if they are importing/exporting
292  * from 64 or 32 bit applications, so they always send 64 bits and
293  * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as
294  * appropriate.
295  */
296 
297 /*
298  * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are
299  * both 64 bits).  If lib is 32 bits, squeeze the two-int port into
300  * a 32 bit dev_t.  A port fits in the "minor" part of au_port_t,
301  * so it isn't broken up into pieces.  (When it goes to the kernel
302  * and back, however, it will have been split into major/minor
303  * pieces.)
304  */
305 
306 static void
307 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src)
308 {
309 #ifdef _LP64
310 	(void) memcpy(dest, src, sizeof (au_tid_addr_t));
311 #else	/* _LP64 */
312 	dest->at_type = src->at_type;
313 
314 	dest->at_port  = src->at_port.at_minor & MAXMIN32;
315 	dest->at_port |= (src->at_port.at_major & MAXMAJ32) <<
316 	    NBITSMINOR32;
317 
318 	(void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t));
319 #endif	/* _LP64 */
320 }
321 
322 /*
323  * adt_start_session -- create interface handle, create context
324  *
325  * The imported_state input is normally NULL, if not, it represents
326  * a continued session; its values obviate the need for a subsequent
327  * call to adt_set_user().
328  *
329  * The flag is used to decide how to set the initial state of the session.
330  * If 0, the session is "no audit" until a call to adt_set_user; if
331  * ADT_USE_PROC_DATA, the session is built from the process audit
332  * characteristics obtained from the kernel.  If imported_state is
333  * not NULL, the resulting audit mask is an OR of the current process
334  * audit mask and that passed in.
335  *
336  * The basic model is that the caller can use the pointer returned
337  * by adt_start_session whether or not auditing is enabled or an
338  * error was returned.  The functions that take the session handle
339  * as input generally return without doing anything if auditing is
340  * disabled.
341  */
342 
343 int
344 adt_start_session(adt_session_data_t **new_session,
345     const adt_export_data_t *imported_state, adt_session_flags_t flags)
346 {
347 	adt_internal_state_t	*state;
348 	adt_session_flags_t	flgmask = ADT_FLAGS_ALL;
349 
350 	/* test and set auditstate */
351 	if (adt_audit_state(AUC_DISABLED)) {
352 		/* c2audit excluded */
353 		*new_session = NULL;
354 		return (0);
355 	}
356 
357 	if ((flags & ~flgmask) != 0) {
358 		errno = EINVAL;
359 		goto return_err;
360 	}
361 
362 	if ((state = calloc(1, sizeof (adt_internal_state_t))) == NULL) {
363 		goto return_err;
364 	}
365 
366 	if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0) {
367 		goto return_err_free;    /* errno from adt_init() */
368 	}
369 
370 	/*
371 	 * The imported state overwrites the initial state if the
372 	 * imported state represents a valid audit trail
373 	 */
374 
375 	if (imported_state != NULL) {
376 		if (adt_import(state, imported_state) != 0) {
377 			goto return_err_free;
378 		}
379 	} else if (flags & ADT_USE_PROC_DATA) {
380 		state->as_session_model = ADT_PROCESS_MODEL;
381 	}
382 	state->as_flags = flags;
383 	DPRINTF(("(%lld) Starting session id = %08X\n",
384 	    (long long) getpid(), state->as_info.ai_asid));
385 
386 	*new_session = (adt_session_data_t *)state;
387 	return (0);
388 
389 return_err_free:
390 	free(state);
391 return_err:
392 	*new_session = NULL;
393 	adt_write_syslog("audit session create failed", errno);
394 	return (-1);
395 }
396 
397 /*
398  * adt_load_table()
399  *
400  * loads the event translation table into the audit session.
401  */
402 
403 void
404 adt_load_table(const adt_session_data_t *session_data,
405     adt_translation_t **xlate, void (*preload)(au_event_t, adt_event_data_t *))
406 {
407 	adt_internal_state_t	*state = (adt_internal_state_t *)session_data;
408 
409 	if (state != NULL) {
410 		assert(state->as_check == ADT_VALID);
411 		state->as_xlate = xlate;
412 		state->as_preload = preload;
413 	}
414 }
415 
416 /*
417  * adt_get_asid() and adt_set_asid()
418  *
419  * if you use this interface, you are responsible to insure that the
420  * rest of the session data is populated correctly before calling
421  * adt_proccess_attr()
422  *
423  * neither of these are intended for general use and will likely
424  * remain private interfaces for a long time.  Forever is a long
425  * time.  In the case of adt_set_asid(), you should have a very,
426  * very good reason for setting your own session id.  The process
427  * audit characteristics are not changed by put, use adt_set_proc().
428  *
429  * These are "volatile" (more changable than "evolving") and will
430  * probably change in the S10 period.
431  */
432 
433 void
434 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid)
435 {
436 
437 	if (session_data == NULL) {
438 		*asid = 0;
439 	} else {
440 		assert(((adt_internal_state_t *)session_data)->as_check ==
441 		    ADT_VALID);
442 
443 		*asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid;
444 	}
445 }
446 
447 void
448 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id)
449 {
450 
451 	if (session_data != NULL) {
452 		assert(((adt_internal_state_t *)session_data)->as_check ==
453 		    ADT_VALID);
454 
455 		((adt_internal_state_t *)session_data)->as_have_user_data |=
456 		    ADT_HAVE_ASID;
457 		((adt_internal_state_t *)session_data)->as_info.ai_asid =
458 		    session_id;
459 	}
460 }
461 
462 /*
463  * adt_get_auid() and adt_set_auid()
464  *
465  * neither of these are intended for general use and will likely
466  * remain private interfaces for a long time.  Forever is a long
467  * time.  In the case of adt_set_auid(), you should have a very,
468  * very good reason for setting your own audit id.  The process
469  * audit characteristics are not changed by put, use adt_set_proc().
470  */
471 
472 void
473 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid)
474 {
475 
476 	if (session_data == NULL) {
477 		*auid = AU_NOAUDITID;
478 	} else {
479 		assert(((adt_internal_state_t *)session_data)->as_check ==
480 		    ADT_VALID);
481 
482 		*auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid;
483 	}
484 }
485 
486 void
487 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id)
488 {
489 
490 	if (session_data != NULL) {
491 		assert(((adt_internal_state_t *)session_data)->as_check ==
492 		    ADT_VALID);
493 
494 		((adt_internal_state_t *)session_data)->as_have_user_data |=
495 		    ADT_HAVE_AUID;
496 		((adt_internal_state_t *)session_data)->as_info.ai_auid =
497 		    audit_id;
498 	}
499 }
500 
501 /*
502  * adt_get_termid(), adt_set_termid()
503  *
504  * if you use this interface, you are responsible to insure that the
505  * rest of the session data is populated correctly before calling
506  * adt_proccess_attr()
507  *
508  * The process  audit characteristics are not changed by put, use
509  * adt_set_proc().
510  */
511 
512 void
513 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid)
514 {
515 
516 	if (session_data == NULL) {
517 		(void) memset(termid, 0, sizeof (au_tid_addr_t));
518 		termid->at_type = AU_IPv4;
519 	} else {
520 		assert(((adt_internal_state_t *)session_data)->as_check ==
521 		    ADT_VALID);
522 
523 		*termid =
524 		    ((adt_internal_state_t *)session_data)->as_info.ai_termid;
525 	}
526 }
527 
528 void
529 adt_set_termid(const adt_session_data_t *session_data,
530     const au_tid_addr_t *termid)
531 {
532 
533 	if (session_data != NULL) {
534 		assert(((adt_internal_state_t *)session_data)->as_check ==
535 		    ADT_VALID);
536 
537 		((adt_internal_state_t *)session_data)->as_info.ai_termid =
538 		    *termid;
539 
540 		((adt_internal_state_t *)session_data)->as_have_user_data |=
541 		    ADT_HAVE_TID;
542 	}
543 }
544 
545 /*
546  * adt_get_mask(), adt_set_mask()
547  *
548  * if you use this interface, you are responsible to insure that the
549  * rest of the session data is populated correctly before calling
550  * adt_proccess_attr()
551  *
552  * The process  audit characteristics are not changed by put, use
553  * adt_set_proc().
554  */
555 
556 void
557 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask)
558 {
559 
560 	if (session_data == NULL) {
561 		mask->am_success = 0;
562 		mask->am_failure = 0;
563 	} else {
564 		assert(((adt_internal_state_t *)session_data)->as_check ==
565 		    ADT_VALID);
566 
567 		*mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask;
568 	}
569 }
570 
571 void
572 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask)
573 {
574 
575 	if (session_data != NULL) {
576 		assert(((adt_internal_state_t *)session_data)->as_check ==
577 		    ADT_VALID);
578 
579 		((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask;
580 
581 		((adt_internal_state_t *)session_data)->as_have_user_data |=
582 		    ADT_HAVE_MASK;
583 	}
584 }
585 
586 /*
587  * helpers for adt_load_termid
588  */
589 
590 static void
591 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock,
592     au_tid_addr_t *termid)
593 {
594 
595 	termid->at_port = ((peer->sin6_port<<16) | (sock->sin6_port));
596 	termid->at_type = AU_IPv6;
597 	(void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t));
598 }
599 
600 static void
601 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock,
602     au_tid_addr_t *termid)
603 {
604 
605 	termid->at_port = ((peer->sin_port<<16) | (sock->sin_port));
606 
607 	termid->at_type = AU_IPv4;
608 	termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr;
609 	(void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t));
610 }
611 
612 /*
613  * adt_load_termid:  convenience function; inputs file handle and
614  * outputs an au_tid_addr struct.
615  *
616  * This code was stolen from audit_settid.c; it differs from audit_settid()
617  * in that it does not write the terminal id to the process.
618  */
619 
620 int
621 adt_load_termid(int fd, adt_termid_t **termid)
622 {
623 	au_tid_addr_t		*p_term;
624 	struct sockaddr_in6	peer;
625 	struct sockaddr_in6	sock;
626 	int			peerlen = sizeof (peer);
627 	int			socklen = sizeof (sock);
628 
629 	/* get peer name if its a socket, else assume local terminal */
630 
631 	if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen)
632 	    < 0) {
633 		if (errno == ENOTSOCK) {
634 			return (adt_load_hostname(NULL, termid));
635 		}
636 		goto return_err;
637 	}
638 
639 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
640 		goto return_err;
641 	}
642 
643 	/* get sock name */
644 	if (getsockname(fd, (struct sockaddr *)&sock,
645 	    (socklen_t *)&socklen) < 0) {
646 		goto return_err_free;
647 	}
648 
649 	if (peer.sin6_family == AF_INET6) {
650 		adt_do_ipv6_address(&peer, &sock, p_term);
651 	} else {
652 		adt_do_ipv4_address((struct sockaddr_in *)&peer,
653 		    (struct sockaddr_in *)&sock, p_term);
654 	}
655 	*termid = (adt_termid_t *)p_term;
656 
657 	return (0);
658 
659 return_err_free:
660 	free(p_term);
661 return_err:
662 	*termid = NULL;
663 	return (-1);
664 }
665 
666 static boolean_t
667 adt_have_termid(au_tid_addr_t *dest)
668 {
669 	struct auditinfo_addr	audit_data;
670 
671 	if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) {
672 		adt_write_syslog("getaudit failed", errno);
673 		return (B_FALSE);
674 	}
675 
676 	if ((audit_data.ai_termid.at_type == 0) ||
677 	    (audit_data.ai_termid.at_addr[0] |
678 	    audit_data.ai_termid.at_addr[1]  |
679 	    audit_data.ai_termid.at_addr[2]  |
680 	    audit_data.ai_termid.at_addr[3]) == 0)
681 		return (B_FALSE);
682 
683 	(void) memcpy(dest, &(audit_data.ai_termid),
684 	    sizeof (au_tid_addr_t));
685 
686 	return (B_TRUE);
687 }
688 
689 /*
690  * adt_get_hostIP - construct a terminal id from a hostname
691  *
692  *	Returns	 0 = success
693  *		-1 = failure and errno = ENETDOWN with the address
694  *		     defaulted to IPv4 loopback.
695  */
696 
697 static int
698 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term)
699 {
700 	struct addrinfo	*ai = NULL;
701 	int	tries = 3;
702 	char	msg[512];
703 	int	eai_err;
704 
705 	while ((tries-- > 0) &&
706 	    ((eai_err = getaddrinfo(hostname, NULL, NULL, &ai)) != 0)) {
707 		/*
708 		 * getaddrinfo returns its own set of errors.
709 		 * Log them here, so any subsequent syslogs will
710 		 * have a context.  adt_get_hostIP callers can only
711 		 * return errno, so subsequent syslogs may be lacking
712 		 * that getaddrinfo failed.
713 		 */
714 		(void) snprintf(msg, sizeof (msg), "getaddrinfo(%s) "
715 		    "failed[%s]", hostname, gai_strerror(eai_err));
716 		adt_write_syslog(msg, 0);
717 
718 		if (eai_err != EAI_AGAIN) {
719 
720 			break;
721 		}
722 		/* see if resolution becomes available */
723 		(void) sleep(1);
724 	}
725 	if (ai != NULL) {
726 		if (ai->ai_family == AF_INET) {
727 			p_term->at_type = AU_IPv4;
728 			(void) memcpy(p_term->at_addr,
729 			    /* LINTED */
730 			    &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
731 			    AU_IPv4);
732 		} else {
733 			p_term->at_type = AU_IPv6;
734 			(void) memcpy(p_term->at_addr,
735 			    /* LINTED */
736 			    &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
737 			    AU_IPv6);
738 		}
739 		freeaddrinfo(ai);
740 		return (0);
741 	} else if (auditstate & (AUC_AUDITING | AUC_NOSPACE)) {
742 		auditinfo_addr_t  audit_info;
743 
744 		/*
745 		 * auditd is running so there should be a
746 		 * kernel audit context
747 		 */
748 		if (auditon(A_GETKAUDIT, (caddr_t)&audit_info,
749 		    sizeof (audit_info)) < 0) {
750 			adt_write_syslog("unable to get kernel audit context",
751 			    errno);
752 			goto try_interface;
753 		}
754 		adt_write_syslog("setting Audit IP address to kernel", 0);
755 		*p_term = audit_info.ai_termid;
756 		return (0);
757 	}
758 try_interface:
759 	{
760 		struct ifaddrlist al;
761 		int	family;
762 		char	ntop[INET6_ADDRSTRLEN];
763 
764 		/*
765 		 * getaddrinfo has failed to map the hostname
766 		 * to an IP address, try to get an IP address
767 		 * from a local interface.  If none up, default
768 		 * to loopback.
769 		 */
770 		family = AF_INET6;
771 		if (adt_get_local_address(family, &al) != 0) {
772 			family = AF_INET;
773 
774 			if (adt_get_local_address(family, &al) != 0) {
775 				adt_write_syslog("adt_get_local_address "
776 				    "failed, no Audit IP address available, "
777 				    "faking loopback and error",
778 				    errno);
779 				IN_SET_LOOPBACK_ADDR(
780 				    (struct sockaddr_in *)&(al.addr.addr));
781 				(void) memcpy(p_term->at_addr, &al.addr.addr,
782 				    AU_IPv4);
783 				p_term->at_type = AU_IPv4;
784 				return (-1);
785 			}
786 		}
787 		if (family == AF_INET) {
788 			p_term->at_type = AU_IPv4;
789 			(void) memcpy(p_term->at_addr, &al.addr.addr, AU_IPv4);
790 		} else {
791 			p_term->at_type = AU_IPv6;
792 			(void) memcpy(p_term->at_addr, &al.addr.addr6, AU_IPv6);
793 		}
794 
795 		(void) snprintf(msg, sizeof (msg), "mapping %s to %s",
796 		    hostname, inet_ntop(family, &(al.addr), ntop,
797 		    sizeof (ntop)));
798 		adt_write_syslog(msg, 0);
799 		return (0);
800 	}
801 }
802 
803 /*
804  * adt_load_hostname() is called when the caller does not have a file
805  * handle that gives access to the socket info or any other way to
806  * pass in both port and ip address.  The hostname input is ignored if
807  * the terminal id has already been set; instead it returns the
808  * existing terminal id.
809  *
810  * If c2audit is excluded, success is returned.
811  * If the hostname lookup fails, the loopback address is assumed,
812  * errno is set to ENETDOWN, this allows the caller to interpret
813  * whether failure is fatal, and if not to have a address for the
814  * hostname.
815  * Otherwise the caller would need to be aware of the audit state.
816  *
817  * Other errors are ignored if not auditing.
818  */
819 
820 int
821 adt_load_hostname(const char *hostname, adt_termid_t **termid)
822 {
823 	char		localhost[MAXHOSTNAMELEN + 1];
824 	au_tid_addr_t	*p_term;
825 
826 	if (adt_audit_state(AUC_DISABLED)) {
827 		/* c2audit excluded */
828 		*termid = NULL;
829 		return (0);
830 	}
831 
832 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
833 		goto return_err;
834 	}
835 
836 	if (adt_have_termid(p_term)) {
837 		*termid = (adt_termid_t *)p_term;
838 		return (0);
839 	}
840 	p_term->at_port = 0;
841 
842 	if (hostname == NULL || *hostname == '\0') {
843 		(void) sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN);
844 		hostname = localhost;
845 	}
846 	if (adt_get_hostIP(hostname, p_term) == 0) {
847 		*termid = (adt_termid_t *)p_term;
848 		return (0);
849 	} else {
850 		*termid = (adt_termid_t *)p_term;
851 		return (-1);
852 	}
853 
854 return_err:
855 	*termid = NULL;
856 	if (auditstate & AUC_NOAUDIT) {
857 		return (0);
858 	}
859 
860 	return (-1);
861 }
862 
863 /*
864  * adt_load_ttyname() is called when the caller does not have a file
865  * handle that gives access to the local terminal or any other way
866  * of determining the device id.  The ttyname input is ignored if
867  * the terminal id has already been set; instead it returns the
868  * existing terminal id.
869  *
870  * If c2audit is excluded, success is returned.
871  * The local hostname is used for the local IP address.
872  * If that hostname lookup fails, the loopback address is assumed,
873  * errno is set to ENETDOWN, this allows the caller to interpret
874  * whether failure is fatal, and if not to have a address for the
875  * hostname.
876  * Otherwise the caller would need to be aware of the audit state.
877  *
878  * Other errors are ignored if not auditing.
879  */
880 
881 int
882 adt_load_ttyname(const char *ttyname, adt_termid_t **termid)
883 {
884 	char		localhost[MAXHOSTNAMELEN + 1];
885 	au_tid_addr_t	*p_term;
886 	struct stat	stat_buf;
887 
888 	if (adt_audit_state(AUC_DISABLED)) {
889 		/* c2audit excluded */
890 		*termid = NULL;
891 		return (0);
892 	}
893 
894 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
895 		goto return_err;
896 	}
897 
898 	if (adt_have_termid(p_term)) {
899 		*termid = (adt_termid_t *)p_term;
900 		return (0);
901 	}
902 
903 	p_term->at_port = 0;
904 
905 	if (sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN) < 0) {
906 		goto return_err_free; /* errno from sysinfo */
907 	}
908 
909 	if (ttyname != NULL && *ttyname != '\0') {
910 		if (stat(ttyname, &stat_buf) < 0) {
911 			goto return_err_free;
912 		}
913 
914 		p_term->at_port = stat_buf.st_rdev;
915 	}
916 
917 	if (adt_get_hostIP(localhost, p_term) == 0) {
918 		*termid = (adt_termid_t *)p_term;
919 		return (0);
920 	} else {
921 		*termid = (adt_termid_t *)p_term;
922 		return (-1);
923 	}
924 
925 return_err_free:
926 	free(p_term);
927 
928 return_err:
929 	*termid = NULL;
930 	if (auditstate & AUC_NOAUDIT) {
931 		return (0);
932 	}
933 
934 	return (-1);
935 }
936 
937 /*
938  * adt_get_session_id returns a stringified representation of
939  * the audit session id.  See also adt_get_asid() for how to
940  * get the unexpurgated version.  No guarantees as to how long
941  * the returned string will be or its general form; hex for now.
942  *
943  * An empty string is returned if auditing is off; length = 1
944  * and the pointer is valid.
945  *
946  * returns strlen + 1 if buffer is valid; else 0 and errno.
947  */
948 
949 size_t
950 adt_get_session_id(const adt_session_data_t *session_data, char **buff)
951 {
952 	au_asid_t	session_id;
953 	size_t		length;
954 	/*
955 	 * output is 0x followed by
956 	 * two characters per byte
957 	 * plus terminator,
958 	 * except leading 0's are suppressed, so a few bytes may
959 	 * be unused.
960 	 */
961 	length = 2 + (2 * sizeof (session_id)) + 1;
962 	*buff = malloc(length);
963 
964 	if (*buff == NULL) {
965 		return (0);
966 	}
967 	if (session_data == NULL) { /* NULL is not an error */
968 		**buff = '\0';
969 		return (1);
970 	}
971 	adt_get_asid(session_data, &session_id);
972 
973 	length = snprintf(*buff, length, "0x%X", (int)session_id);
974 
975 	/* length < 1 is a bug: the session data type may have changed */
976 	assert(length > 0);
977 
978 	return (length);
979 }
980 
981 /*
982  * adt_end_session -- close handle, clear context
983  *
984  * if as_check is invalid, no harm, no foul, EXCEPT that this could
985  * be an attempt to free data already free'd, so output to syslog
986  * to help explain why the process cored dumped.
987  */
988 
989 int
990 adt_end_session(adt_session_data_t *session_data)
991 {
992 	adt_internal_state_t	*state;
993 
994 	if (session_data != NULL) {
995 		state = (adt_internal_state_t *)session_data;
996 		if (state->as_check != ADT_VALID) {
997 			adt_write_syslog("freeing invalid data", EINVAL);
998 		} else {
999 			state->as_check = 0;
1000 			m_label_free(state->as_label);
1001 			free(session_data);
1002 		}
1003 	}
1004 	/* no errors yet defined */
1005 	return (0);
1006 }
1007 
1008 /*
1009  * adt_dup_session -- copy the session data
1010  */
1011 
1012 int
1013 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest)
1014 {
1015 	adt_internal_state_t	*source_state;
1016 	adt_internal_state_t	*dest_state = NULL;
1017 	int			rc = 0;
1018 
1019 	if (source != NULL) {
1020 		source_state = (adt_internal_state_t *)source;
1021 		assert(source_state->as_check == ADT_VALID);
1022 
1023 		dest_state = malloc(sizeof (adt_internal_state_t));
1024 		if (dest_state == NULL) {
1025 			rc = -1;
1026 			goto return_rc;
1027 		}
1028 		(void) memcpy(dest_state, source,
1029 		    sizeof (struct adt_internal_state));
1030 
1031 		if (source_state->as_label != NULL) {
1032 			dest_state->as_label = NULL;
1033 			if ((rc = m_label_dup(&dest_state->as_label,
1034 			    source_state->as_label)) != 0) {
1035 				free(dest_state);
1036 				dest_state = NULL;
1037 			}
1038 		}
1039 	}
1040 return_rc:
1041 	*dest = (adt_session_data_t *)dest_state;
1042 	return (rc);
1043 }
1044 
1045 /*
1046  * from_export_format()
1047  * read from a network order buffer into struct adt_session_data
1048  */
1049 
1050 static size_t
1051 adt_from_export_format(adt_internal_state_t *internal,
1052     const adt_export_data_t *external)
1053 {
1054 	struct export_header	head;
1055 	struct export_link	link;
1056 	adr_t			context;
1057 	int32_t 		offset;
1058 	int32_t 		length;
1059 	int32_t 		version;
1060 	size_t			label_len;
1061 	char			*p = (char *)external;
1062 
1063 	adrm_start(&context, (char *)external);
1064 	adrm_int32(&context, (int *)&head, 4);
1065 
1066 	if ((internal->as_check = head.ax_check) != ADT_VALID) {
1067 		errno = EINVAL;
1068 		return (0);
1069 	}
1070 	offset = head.ax_link.ax_offset;
1071 	version = head.ax_link.ax_version;
1072 	length = head.ax_buffer_length;
1073 
1074 	/*
1075 	 * Skip newer versions.
1076 	 */
1077 	while (version > PROTOCOL_VERSION_2) {
1078 		if (offset < 1) {
1079 			return (0);	/* failed to match version */
1080 		}
1081 		p += offset;		/* point to next version # */
1082 
1083 		if (p > (char *)external + length) {
1084 			return (0);
1085 		}
1086 		adrm_start(&context, p);
1087 		adrm_int32(&context, (int *)&link, 2);
1088 		offset = link.ax_offset;
1089 		version = link.ax_version;
1090 		assert(version != 0);
1091 	}
1092 	/*
1093 	 * Adjust buffer pointer to the first data item (euid).
1094 	 */
1095 	if (p == (char *)external) {
1096 		adrm_start(&context, (char *)(p + sizeof (head)));
1097 	} else {
1098 		adrm_start(&context, (char *)(p + sizeof (link)));
1099 	}
1100 	/*
1101 	 * if down rev version, neither pid nor label are included
1102 	 * in v1 ax_size_of_tsol_data intentionally ignored
1103 	 */
1104 	if (version == PROTOCOL_VERSION_1) {
1105 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1106 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1107 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1108 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1109 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1110 		adrm_int32(&context,
1111 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1112 		adrm_int32(&context,
1113 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1114 		adrm_int32(&context,
1115 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1116 		adrm_int32(&context,
1117 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1118 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1119 		adrm_int32(&context, (int *)&(internal->as_audit_state), 1);
1120 		internal->as_pid = (pid_t)-1;
1121 		internal->as_label = NULL;
1122 	} else if (version == PROTOCOL_VERSION_2) {
1123 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1124 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1125 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1126 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1127 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1128 		adrm_int32(&context,
1129 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1130 		adrm_int32(&context,
1131 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1132 		adrm_int32(&context,
1133 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1134 		adrm_int32(&context,
1135 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1136 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1137 		adrm_int32(&context, (int *)&(internal->as_audit_state), 1);
1138 		adrm_int32(&context, (int *)&(internal->as_pid), 1);
1139 		adrm_int32(&context, (int *)&label_len, 1);
1140 		if (label_len > 0) {
1141 			/* read in and deal with different sized labels. */
1142 			size32_t my_label_len = blabel_size();
1143 
1144 			if ((internal->as_label =
1145 			    m_label_alloc(MAC_LABEL)) == NULL) {
1146 				return (0);
1147 			}
1148 			if (label_len > my_label_len) {
1149 				errno = EINVAL;
1150 				m_label_free(internal->as_label);
1151 				return (0);
1152 			}
1153 			(void) memset(internal->as_label, 0, my_label_len);
1154 			adrm_int32(&context, (int *)(internal->as_label),
1155 			    label_len / sizeof (int32_t));
1156 		} else {
1157 			internal->as_label = NULL;
1158 		}
1159 	}
1160 
1161 	return (length);
1162 }
1163 
1164 /*
1165  * adt_to_export_format
1166  * read from struct adt_session_data into a network order buffer.
1167  *
1168  * (network order 'cause this data may be shared with a remote host.)
1169  */
1170 
1171 static size_t
1172 adt_to_export_format(adt_export_data_t *external,
1173     adt_internal_state_t *internal)
1174 {
1175 	struct export_header	head;
1176 	struct export_link	tail;
1177 	adr_t			context;
1178 	size32_t		label_len = 0;
1179 
1180 	adrm_start(&context, (char *)external);
1181 
1182 	if (internal->as_label != NULL) {
1183 		label_len = blabel_size();
1184 	}
1185 
1186 	head.ax_check = ADT_VALID;
1187 	head.ax_buffer_length = sizeof (struct adt_export_data) + label_len;
1188 
1189 	/* version 2 first */
1190 
1191 	head.ax_link.ax_version = PROTOCOL_VERSION_2;
1192 	head.ax_link.ax_offset = sizeof (struct export_header) +
1193 	    sizeof (struct adt_export_v2) + label_len;
1194 
1195 	adrm_putint32(&context, (int *)&head, 4);
1196 
1197 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1198 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1199 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1200 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1201 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1202 	adrm_putint32(&context,
1203 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1204 	adrm_putint32(&context,
1205 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1206 	adrm_putint32(&context,
1207 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1208 	adrm_putint32(&context,
1209 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1210 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1211 	adrm_putint32(&context, (int *)&(internal->as_audit_state), 1);
1212 	adrm_putint32(&context, (int *)&(internal->as_pid), 1);
1213 	adrm_putint32(&context, (int *)&label_len, 1);
1214 	if (internal->as_label != NULL) {
1215 		/* serialize the label */
1216 		adrm_putint32(&context, (int *)(internal->as_label),
1217 		    (label_len / sizeof (int32_t)));
1218 	}
1219 
1220 	/* now version 1 */
1221 
1222 	tail.ax_version = PROTOCOL_VERSION_1;
1223 	tail.ax_offset = 0;
1224 
1225 	adrm_putint32(&context, (int *)&tail, 2);
1226 
1227 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1228 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1229 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1230 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1231 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1232 	adrm_putint32(&context,
1233 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1234 	adrm_putint32(&context,
1235 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1236 	adrm_putint32(&context,
1237 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1238 	adrm_putint32(&context,
1239 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1240 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1241 	adrm_putint32(&context, (int *)&(internal->as_audit_state), 1);
1242 	/* ignored in v1 */
1243 	adrm_putint32(&context, (int *)&label_len, 1);
1244 
1245 	/* finally terminator */
1246 
1247 	tail.ax_version = 0; /* invalid version number */
1248 	tail.ax_offset = 0;
1249 
1250 	adrm_putint32(&context, (int *)&tail, 2);
1251 
1252 	return (head.ax_buffer_length);
1253 }
1254 
1255 /*
1256  * adt_ucred_label() -- if label is available, duplicate it.
1257  */
1258 
1259 static m_label_t *
1260 adt_ucred_label(ucred_t *uc)
1261 {
1262 	m_label_t	*ul = NULL;
1263 
1264 	if (ucred_getlabel(uc) != NULL) {
1265 		(void) m_label_dup(&ul, ucred_getlabel(uc));
1266 	}
1267 
1268 	return (ul);
1269 }
1270 
1271 /*
1272  * adt_import() -- convert from network order to machine-specific order
1273  */
1274 
1275 static int
1276 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external)
1277 {
1278 	au_mask_t mask;
1279 
1280 	/* save local audit state */
1281 	int	local_audit_state = internal->as_audit_state;
1282 
1283 	if (adt_from_export_format(internal, external) < 1)
1284 		return (-1); /* errno from adt_from_export_format */
1285 
1286 	/*
1287 	 * If audit isn't enabled on the remote, they were unable
1288 	 * to generate the audit mask, so generate it based on
1289 	 * local configuration.  If the user id has changed, the
1290 	 * resulting mask may miss some subtleties that occurred
1291 	 * on the remote system.
1292 	 *
1293 	 * If the remote failed to generate a terminal id, it is not
1294 	 * recoverable.
1295 	 */
1296 
1297 	if (!(internal->as_audit_state & AUC_DISABLED)) {
1298 		if (adt_get_mask_from_user(internal->as_info.ai_auid,
1299 		    &(internal->as_info.ai_mask)))
1300 			return (-1);
1301 		if (internal->as_info.ai_auid != internal->as_ruid) {
1302 			if (adt_get_mask_from_user(internal->as_info.ai_auid,
1303 			    &mask))
1304 				return (-1);
1305 			internal->as_info.ai_mask.am_success |=
1306 			    mask.am_success;
1307 			internal->as_info.ai_mask.am_failure |=
1308 			    mask.am_failure;
1309 		}
1310 	}
1311 	internal->as_audit_state = local_audit_state;
1312 
1313 	DPRINTF(("(%lld)imported asid = %X %u\n", (long long) getpid(),
1314 	    internal->as_info.ai_asid,
1315 	    internal->as_info.ai_asid));
1316 
1317 	internal->as_have_user_data = ADT_HAVE_ALL;
1318 
1319 	return (0);
1320 }
1321 
1322 /*
1323  * adt_export_session_data()
1324  * copies a adt_session_data struct into a network order buffer
1325  *
1326  * In a misconfigured network, the local host may have auditing
1327  * off while the destination may have auditing on, so if there
1328  * is sufficient memory, a buffer will be returned even in the
1329  * audit off case.
1330  */
1331 
1332 size_t
1333 adt_export_session_data(const adt_session_data_t *internal,
1334     adt_export_data_t **external)
1335 {
1336 	size32_t		length = 0;
1337 
1338 	if ((internal != NULL) &&
1339 	    ((adt_internal_state_t *)internal)->as_label != NULL) {
1340 		length = blabel_size();
1341 	}
1342 
1343 	*external = malloc(sizeof (adt_export_data_t) + length);
1344 
1345 	if (*external == NULL)
1346 		return (0);
1347 
1348 	if (internal == NULL) {
1349 		adt_internal_state_t	*dummy;
1350 
1351 		dummy = malloc(sizeof (adt_internal_state_t));
1352 		if (dummy == NULL)
1353 			goto return_length_free;
1354 
1355 		if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */
1356 			free(dummy);
1357 			goto return_length_free;
1358 		}
1359 		length = adt_to_export_format(*external, dummy);
1360 		free(dummy);
1361 	} else {
1362 		length = adt_to_export_format(*external,
1363 		    (adt_internal_state_t *)internal);
1364 	}
1365 	return (length);
1366 
1367 return_length_free:
1368 	free(*external);
1369 	*external = NULL;
1370 	return (0);
1371 }
1372 
1373 static void
1374 adt_setto_unaudited(adt_internal_state_t *state)
1375 {
1376 	if (state->as_audit_state & AUC_DISABLED) {
1377 		state->as_ruid = AU_NOAUDITID;
1378 		state->as_euid = AU_NOAUDITID;
1379 		state->as_rgid = AU_NOAUDITID;
1380 		state->as_egid = AU_NOAUDITID;
1381 		state->as_pid = (pid_t)-1;
1382 		state->as_label = NULL;
1383 	} else {
1384 		state->as_info.ai_asid = 0;
1385 		state->as_info.ai_auid = AU_NOAUDITID;
1386 
1387 		(void) memset((void *)&(state->as_info.ai_termid), 0,
1388 		    sizeof (au_tid_addr_t));
1389 		state->as_info.ai_termid.at_type = AU_IPv4;
1390 
1391 		(void) memset((void *)&(state->as_info.ai_mask), 0,
1392 		    sizeof (au_mask_t));
1393 		state->as_have_user_data = 0;
1394 	}
1395 }
1396 
1397 /*
1398  * adt_init -- set session context by copying the audit characteristics
1399  * from the proc and picking up current uid/tid information.
1400  *
1401  * By default, an audit session is based on the process; the default
1402  * is overriden by adt_set_user()
1403  */
1404 
1405 static int
1406 adt_init(adt_internal_state_t *state, int use_proc_data)
1407 {
1408 	/* ensure auditstate is set */
1409 
1410 	(void) adt_audit_state(0);
1411 	state->as_audit_state = auditstate;
1412 
1413 	if (use_proc_data) {
1414 		state->as_ruid = getuid();
1415 		state->as_euid = geteuid();
1416 		state->as_rgid = getgid();
1417 		state->as_egid = getegid();
1418 		state->as_pid = getpid();
1419 
1420 		if (!(state->as_audit_state & AUC_DISABLED)) {
1421 			const au_tid64_addr_t	*tid;
1422 			const au_mask_t		*mask;
1423 			ucred_t			*ucred = ucred_get(P_MYID);
1424 
1425 			/*
1426 			 * Even if the ucred is NULL, the underlying
1427 			 * credential may have a valid terminal id; if the
1428 			 * terminal id is set, then that's good enough.  An
1429 			 * example of where this matters is failed login,
1430 			 * where rlogin/telnet sets the terminal id before
1431 			 * calling login; login does not load the credential
1432 			 * since auth failed.
1433 			 */
1434 			if (ucred == NULL) {
1435 				if (!adt_have_termid(
1436 				    &(state->as_info.ai_termid)))
1437 					return (-1);
1438 			} else {
1439 				mask = ucred_getamask(ucred);
1440 				if (mask != NULL) {
1441 					state->as_info.ai_mask = *mask;
1442 				} else {
1443 					ucred_free(ucred);
1444 					return (-1);
1445 				}
1446 				tid = ucred_getatid(ucred);
1447 				if (tid != NULL) {
1448 					adt_cpy_tid(&(state->as_info.ai_termid),
1449 					    tid);
1450 				} else {
1451 					ucred_free(ucred);
1452 					return (-1);
1453 				}
1454 				state->as_info.ai_asid = ucred_getasid(ucred);
1455 				state->as_info.ai_auid = ucred_getauid(ucred);
1456 				state->as_label = adt_ucred_label(ucred);
1457 				ucred_free(ucred);
1458 			}
1459 			state->as_have_user_data = ADT_HAVE_ALL;
1460 		}
1461 	} else {
1462 		adt_setto_unaudited(state);
1463 	}
1464 	state->as_session_model = ADT_SESSION_MODEL;	/* default */
1465 
1466 	if ((state->as_audit_state & (AUC_AUDITING | AUC_NOSPACE)) &&
1467 	    auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy),
1468 	    sizeof (state->as_kernel_audit_policy))) {
1469 		return (-1);  /* errno set by auditon */
1470 	}
1471 	state->as_check = ADT_VALID;
1472 	adt_load_table((adt_session_data_t *)state, &adt_xlate_table[0],
1473 	    &adt_preload);
1474 	return (0);
1475 }
1476 
1477 /*
1478  * adt_set_proc
1479  *
1480  * Copy the current session state to the process.  If this function
1481  * is called, the model becomes a process model rather than a
1482  * session model.
1483  *
1484  * In the current implementation, the value state->as_have_user_data
1485  * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}.  These are all set
1486  * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in.
1487  *
1488  */
1489 
1490 int
1491 adt_set_proc(const adt_session_data_t *session_data)
1492 {
1493 	adt_internal_state_t	*state;
1494 
1495 	if (session_data == NULL) {
1496 		return (0);
1497 	}
1498 
1499 	state = (adt_internal_state_t *)session_data;
1500 
1501 	assert(state->as_check == ADT_VALID);
1502 
1503 	if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) !=
1504 	    (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) {
1505 		errno = EINVAL;
1506 		goto return_err;
1507 	}
1508 
1509 	if (setaudit_addr((auditinfo_addr_t *)&(state->as_info),
1510 	    sizeof (auditinfo_addr_t)) < 0) {
1511 		goto return_err;	/* errno set by setaudit_addr() */
1512 	}
1513 
1514 	state->as_session_model = ADT_PROCESS_MODEL;
1515 
1516 	return (0);
1517 
1518 return_err:
1519 	adt_write_syslog("failed to set process audit characteristics", errno);
1520 	return (-1);
1521 }
1522 
1523 static int
1524 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid)
1525 {
1526 	au_tid_addr_t	no_tid = {0, AU_IPv4, 0, 0, 0, 0};
1527 	au_mask_t	no_mask = {0, 0};
1528 
1529 	if (ruid == ADT_NO_AUDIT) {
1530 		state->as_info.ai_auid = AU_NOAUDITID;
1531 		state->as_info.ai_asid = 0;
1532 		state->as_info.ai_termid = no_tid;
1533 		state->as_info.ai_mask = no_mask;
1534 		return (0);
1535 	}
1536 	state->as_info.ai_auid = ruid;
1537 	state->as_info.ai_asid = adt_get_unique_id(ruid);
1538 	if (termid != NULL)
1539 		state->as_info.ai_termid = *termid;
1540 
1541 	if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1542 		return (-1);
1543 
1544 	/* Assume intending to audit as this process */
1545 
1546 	if (state->as_pid == (pid_t)-1)
1547 		state->as_pid = getpid();
1548 
1549 	if (is_system_labeled() && state->as_label == NULL) {
1550 		ucred_t	*ucred = ucred_get(P_MYID);
1551 
1552 		state->as_label = adt_ucred_label(ucred);
1553 		ucred_free(ucred);
1554 	}
1555 
1556 	return (0);
1557 }
1558 
1559 static int
1560 adt_changeuser(adt_internal_state_t *state, uid_t ruid)
1561 {
1562 	au_mask_t		mask;
1563 
1564 	if (!(state->as_have_user_data & ADT_HAVE_AUID))
1565 		state->as_info.ai_auid = ruid;
1566 	if (!(state->as_have_user_data & ADT_HAVE_ASID))
1567 		state->as_info.ai_asid = adt_get_unique_id(ruid);
1568 
1569 	if (ruid <= MAXEPHUID) {
1570 		if (adt_get_mask_from_user(ruid, &mask))
1571 			return (-1);
1572 
1573 		state->as_info.ai_mask.am_success |= mask.am_success;
1574 		state->as_info.ai_mask.am_failure |= mask.am_failure;
1575 	}
1576 	DPRINTF(("changed mask to %08X/%08X for ruid=%d\n",
1577 	    state->as_info.ai_mask.am_success,
1578 	    state->as_info.ai_mask.am_failure,
1579 	    ruid));
1580 	return (0);
1581 }
1582 
1583 /*
1584  * adt_set_user -- see also adt_set_from_ucred()
1585  *
1586  * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or
1587  * "unattributed."  If ruid, change the model to session.
1588  *
1589  * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value"
1590  * only valid with ADT_UPDATE.
1591  *
1592  * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there
1593  * isn't a good reason to call adt_set_user() with it unless you don't
1594  * have a good value yet and intend to replace it later; auid will be
1595  * AU_NOAUDITID.
1596  *
1597  * adt_set_user should be called even if auditing is not enabled
1598  * so that adt_export_session_data() will have useful stuff to
1599  * work with.
1600  *
1601  * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID
1602  * and ADT_HAVE_ALL.
1603  */
1604 
1605 int
1606 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid,
1607     uid_t ruid, gid_t rgid, const adt_termid_t *termid,
1608     enum adt_user_context user_context)
1609 {
1610 	adt_internal_state_t	*state;
1611 	int			rc;
1612 
1613 	if (session_data == NULL) /* no session exists to audit */
1614 		return (0);
1615 
1616 	state = (adt_internal_state_t *)session_data;
1617 	assert(state->as_check == ADT_VALID);
1618 
1619 	switch (user_context) {
1620 	case ADT_NEW:
1621 		if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE ||
1622 		    rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) {
1623 			errno = EINVAL;
1624 			return (-1);
1625 		}
1626 		if ((rc = adt_newuser(state, ruid,
1627 		    (au_tid_addr_t *)termid)) != 0)
1628 			return (rc);
1629 
1630 		state->as_have_user_data = ADT_HAVE_ALL;
1631 		break;
1632 	case ADT_UPDATE:
1633 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1634 			errno = EINVAL;
1635 			return (-1);
1636 		}
1637 
1638 		if (ruid != ADT_NO_CHANGE)
1639 			if ((rc = adt_changeuser(state, ruid)) != 0)
1640 				return (rc);
1641 		break;
1642 	case ADT_USER:
1643 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1644 			errno = EINVAL;
1645 			return (-1);
1646 		}
1647 		break;
1648 	case ADT_SETTID:
1649 		assert(termid != NULL);
1650 		state->as_info.ai_termid = *((au_tid_addr_t *)termid);
1651 		/* avoid fooling pam_setcred()... */
1652 		state->as_info.ai_auid = AU_NOAUDITID;
1653 		state->as_info.ai_asid = 0;
1654 		state->as_info.ai_mask.am_failure = 0;
1655 		state->as_info.ai_mask.am_success = 0;
1656 		state->as_have_user_data = ADT_HAVE_TID |
1657 		    ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK;
1658 		return (0);
1659 	default:
1660 		errno = EINVAL;
1661 		return (-1);
1662 	}
1663 
1664 	if (ruid == ADT_NO_AUDIT) {
1665 		state->as_ruid = AU_NOAUDITID;
1666 		state->as_euid = AU_NOAUDITID;
1667 		state->as_rgid = AU_NOAUDITID;
1668 		state->as_egid = AU_NOAUDITID;
1669 	} else {
1670 		if (ruid != ADT_NO_CHANGE)
1671 			state->as_ruid = ruid;
1672 		if (euid != ADT_NO_CHANGE)
1673 			state->as_euid = euid;
1674 		if (rgid != ADT_NO_CHANGE)
1675 			state->as_rgid = rgid;
1676 		if (egid != ADT_NO_CHANGE)
1677 			state->as_egid = egid;
1678 	}
1679 
1680 	if (ruid == ADT_NO_ATTRIB) {
1681 		state->as_session_model = ADT_SESSION_MODEL;
1682 	}
1683 
1684 	return (0);
1685 }
1686 
1687 /*
1688  * adt_set_from_ucred()
1689  *
1690  * an alternate to adt_set_user that fills the same role but uses
1691  * a pointer to a ucred rather than a list of id's.  If the ucred
1692  * pointer is NULL, use the credential from the this process.
1693  *
1694  * A key difference is that for ADT_NEW, adt_set_from_ucred() does
1695  * not overwrite the asid and auid unless auid has not been set.
1696  * ADT_NEW differs from ADT_UPDATE in that it does not OR together
1697  * the incoming audit mask with the one that already exists.
1698  *
1699  * adt_set_from_ucred should be called even if auditing is not enabled
1700  * so that adt_export_session_data() will have useful stuff to
1701  * work with.
1702  */
1703 
1704 int
1705 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc,
1706     enum adt_user_context user_context)
1707 {
1708 	adt_internal_state_t	*state;
1709 	int			rc = -1;
1710 	const au_tid64_addr_t		*tid64;
1711 	au_tid_addr_t		termid, *tid;
1712 	ucred_t	*ucred = (ucred_t *)uc;
1713 	boolean_t	local_uc = B_FALSE;
1714 
1715 	if (session_data == NULL) /* no session exists to audit */
1716 		return (0);
1717 
1718 	state = (adt_internal_state_t *)session_data;
1719 	assert(state->as_check == ADT_VALID);
1720 
1721 	if (ucred == NULL) {
1722 		ucred = ucred_get(P_MYID);
1723 
1724 		if (ucred == NULL)
1725 			goto return_rc;
1726 		local_uc = B_TRUE;
1727 	}
1728 
1729 	switch (user_context) {
1730 	case ADT_NEW:
1731 		tid64 = ucred_getatid(ucred);
1732 		if (tid64 != NULL) {
1733 			adt_cpy_tid(&termid, tid64);
1734 			tid = &termid;
1735 		} else {
1736 			tid = NULL;
1737 		}
1738 		if (ucred_getauid(ucred) == AU_NOAUDITID) {
1739 			adt_setto_unaudited(state);
1740 			state->as_have_user_data = ADT_HAVE_ALL;
1741 			rc = 0;
1742 			goto return_rc;
1743 		} else {
1744 			state->as_info.ai_auid = ucred_getauid(ucred);
1745 			state->as_info.ai_asid = ucred_getasid(ucred);
1746 			state->as_info.ai_mask = *ucred_getamask(ucred);
1747 			state->as_info.ai_termid = *tid;
1748 		}
1749 		state->as_have_user_data = ADT_HAVE_ALL;
1750 		break;
1751 	case ADT_UPDATE:
1752 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1753 			errno = EINVAL;
1754 			goto return_rc;
1755 		}
1756 
1757 		if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0)
1758 			goto return_rc;
1759 		break;
1760 	case ADT_USER:
1761 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1762 			errno = EINVAL;
1763 			goto return_rc;
1764 		}
1765 		break;
1766 	default:
1767 		errno = EINVAL;
1768 		goto return_rc;
1769 	}
1770 	rc = 0;
1771 
1772 	state->as_ruid = ucred_getruid(ucred);
1773 	state->as_euid = ucred_geteuid(ucred);
1774 	state->as_rgid = ucred_getrgid(ucred);
1775 	state->as_egid = ucred_getegid(ucred);
1776 	state->as_pid = ucred_getpid(ucred);
1777 	state->as_label = adt_ucred_label(ucred);
1778 
1779 return_rc:
1780 	if (local_uc) {
1781 		ucred_free(ucred);
1782 	}
1783 	return (rc);
1784 }
1785 
1786 /*
1787  * adt_alloc_event() returns a pointer to allocated memory
1788  *
1789  */
1790 
1791 adt_event_data_t
1792 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id)
1793 {
1794 	struct adt_event_state	*event_state;
1795 	adt_internal_state_t	*session_state;
1796 	adt_event_data_t	*return_event = NULL;
1797 	/*
1798 	 * need to return a valid event pointer even if audit is
1799 	 * off, else the caller will end up either (1) keeping its
1800 	 * own flags for on/off or (2) writing to a NULL pointer.
1801 	 * If auditing is on, the session data must be valid; otherwise
1802 	 * we don't care.
1803 	 */
1804 	if (session_data != NULL) {
1805 		session_state = (adt_internal_state_t *)session_data;
1806 		assert(session_state->as_check == ADT_VALID);
1807 	}
1808 	event_state = calloc(1, sizeof (struct adt_event_state));
1809 	if (event_state == NULL)
1810 		goto return_ptr;
1811 
1812 	event_state->ae_check = ADT_VALID;
1813 
1814 	event_state->ae_event_id = event_id;
1815 	event_state->ae_session = (struct adt_internal_state *)session_data;
1816 
1817 	return_event = (adt_event_data_t *)&(event_state->ae_event_data);
1818 
1819 	/*
1820 	 * preload data so the adt_au_*() functions can detect un-supplied
1821 	 * values (0 and NULL are free via calloc()).
1822 	 */
1823 	if (session_data != NULL) {
1824 		session_state->as_preload(event_id, return_event);
1825 	}
1826 
1827 return_ptr:
1828 	return (return_event);
1829 }
1830 
1831 /*
1832  * adt_getXlateTable -- look up translation table address for event id
1833  */
1834 
1835 static adt_translation_t *
1836 adt_getXlateTable(adt_translation_t **xlate, au_event_t event_id)
1837 {
1838 	/* xlate_table is global in adt_xlate.c */
1839 	adt_translation_t	**p_xlate = xlate;
1840 	adt_translation_t	*p_event;
1841 
1842 	while (*p_xlate != NULL) {
1843 		p_event = *p_xlate;
1844 		if (event_id == p_event->tx_external_event)
1845 			return (p_event);
1846 		p_xlate++;
1847 	}
1848 	return (NULL);
1849 }
1850 
1851 /*
1852  * adt_calcOffsets
1853  *
1854  * the call to this function is surrounded by a mutex.
1855  *
1856  * i walks down the table picking up next_token.  j walks again to
1857  * calculate the offset to the input data.  k points to the next
1858  * token's row.  Finally, l, is used to sum the values in the
1859  * datadef array.
1860  *
1861  * What's going on?  The entry array is in the order of the input
1862  * fields but the processing of array entries is in the order of
1863  * the output (see next_token).  Calculating the offset to the
1864  * "next" input can't be done in the outer loop (i) since i doesn't
1865  * point to the current entry and it can't be done with the k index
1866  * because it doesn't represent the order of input fields.
1867  *
1868  * While the resulting algorithm is n**2, it is only done once per
1869  * event type.
1870  */
1871 
1872 /*
1873  * adt_calcOffsets is only called once per event type, but it uses
1874  * the address alignment of memory allocated for that event as if it
1875  * were the same for all subsequently allocated memory.  This is
1876  * guaranteed by calloc/malloc.  Arrays take special handling since
1877  * what matters for figuring out the correct alignment is the size
1878  * of the array element.
1879  */
1880 
1881 static void
1882 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data)
1883 {
1884 	int		i, j;
1885 	size_t		this_size, prev_size;
1886 	void		*struct_start = p_data;
1887 
1888 	for (i = 0; i < tablesize; i++) {
1889 		if (p_entry[i].en_type_def == NULL) {
1890 			p_entry[i].en_offset = 0;
1891 			continue;
1892 		}
1893 		prev_size = 0;
1894 		p_entry[i].en_offset = (char *)p_data - (char *)struct_start;
1895 
1896 		for (j = 0; j < p_entry[i].en_count_types; j++) {
1897 			if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG)
1898 				this_size = sizeof (enum adt_generic);
1899 			else
1900 				this_size =
1901 				    p_entry[i].en_type_def[j].dd_input_size;
1902 
1903 			/* adj for first entry */
1904 			if (prev_size == 0)
1905 				prev_size = this_size;
1906 
1907 			if (p_entry[i].en_type_def[j].dd_datatype ==
1908 			    ADT_UINT32ARRAY) {
1909 				p_data = (char *)adt_adjust_address(p_data,
1910 				    prev_size, sizeof (uint32_t)) +
1911 				    this_size - sizeof (uint32_t);
1912 
1913 				prev_size = sizeof (uint32_t);
1914 			} else {
1915 				p_data = adt_adjust_address(p_data, prev_size,
1916 				    this_size);
1917 				prev_size = this_size;
1918 			}
1919 		}
1920 	}
1921 }
1922 
1923 /*
1924  * adt_generate_event
1925  * generate event record from external struct.  The order is based on
1926  * the output tokens, allowing for the possibility that the input data
1927  * is in a different order.
1928  *
1929  */
1930 
1931 static int
1932 adt_generate_event(const adt_event_data_t *p_extdata,
1933     struct adt_event_state *p_event,
1934     adt_translation_t *p_xlate)
1935 {
1936 	struct entry		*p_entry;
1937 	static mutex_t	lock = DEFAULTMUTEX;
1938 
1939 	p_entry = p_xlate->tx_first_entry;
1940 	assert(p_entry != NULL);
1941 
1942 	p_event->ae_internal_id = p_xlate->tx_internal_event;
1943 	adt_token_open(p_event);
1944 
1945 	/*
1946 	 * offsets are not pre-calculated; the initial offsets are all
1947 	 * 0; valid offsets are >= 0.  Offsets for no-input tokens such
1948 	 * as subject are set to -1 by adt_calcOffset()
1949 	 */
1950 	if (p_xlate->tx_offsetsCalculated == 0) {
1951 		(void) mutex_lock(&lock);
1952 		p_xlate->tx_offsetsCalculated = 1;
1953 
1954 		adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries,
1955 		    (void *)p_extdata);
1956 		(void) mutex_unlock(&lock);
1957 	}
1958 	while (p_entry != NULL) {
1959 		adt_generate_token(p_entry, (char *)p_extdata, p_event);
1960 
1961 		p_entry = p_entry->en_next_token;
1962 	}
1963 	return (adt_token_close(p_event));
1964 }
1965 
1966 /*
1967  * adt_put_event -- main event generation function.
1968  * The input "event" is the address of the struct containing
1969  * event-specific data.
1970  *
1971  * However if auditing is off or the session handle
1972  * is NULL, no attempt to write a record is made.
1973  */
1974 
1975 int
1976 adt_put_event(const adt_event_data_t *event, int status, int return_val)
1977 {
1978 	struct adt_event_state	*event_state;
1979 	adt_translation_t	*xlate;
1980 
1981 	if (event == NULL) {
1982 		errno = EINVAL;
1983 		return (-1);
1984 	}
1985 	event_state = (struct adt_event_state *)event;
1986 
1987 	/* if this is a broken session or not auditing, exit */
1988 	if ((event_state->ae_session == NULL) ||
1989 	    !(event_state->ae_session->as_audit_state &
1990 	    (AUC_AUDITING | AUC_NOSPACE))) {
1991 		return (0);
1992 	}
1993 
1994 	assert(event_state->ae_check == ADT_VALID);
1995 
1996 	event_state->ae_rc = status;
1997 	event_state->ae_type = return_val;
1998 
1999 	/* look up the event */
2000 
2001 	xlate = adt_getXlateTable(event_state->ae_session->as_xlate,
2002 	    event_state->ae_event_id);
2003 
2004 	if (xlate == NULL) {
2005 		errno = EINVAL;
2006 		return (-1);
2007 	}
2008 	DPRINTF(("got event %d\n", xlate->tx_internal_event));
2009 
2010 	if (adt_selected(event_state, xlate->tx_internal_event, status)) {
2011 		return (adt_generate_event(event, event_state, xlate));
2012 	}
2013 
2014 	return (0);
2015 }
2016 
2017 /*
2018  * adt_free_event -- invalidate and free
2019  */
2020 
2021 void
2022 adt_free_event(adt_event_data_t *event)
2023 {
2024 	struct adt_event_state	*event_state;
2025 
2026 	if (event == NULL)
2027 		return;
2028 
2029 	event_state = (struct adt_event_state *)event;
2030 
2031 	assert(event_state->ae_check == ADT_VALID);
2032 
2033 	event_state->ae_check = 0;
2034 
2035 	free(event_state);
2036 }
2037 
2038 /*
2039  * adt_is_selected -- helper to adt_selected(), below.
2040  *
2041  * "sorf" is "success or fail" status; au_preselect compares
2042  * that with success, fail, or both.
2043  */
2044 
2045 static int
2046 adt_is_selected(au_event_t e, au_mask_t *m, int sorf)
2047 {
2048 	int prs_sorf;
2049 
2050 	if (sorf == 0)
2051 		prs_sorf = AU_PRS_SUCCESS;
2052 	else
2053 		prs_sorf = AU_PRS_FAILURE;
2054 
2055 	return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD));
2056 }
2057 
2058 /*
2059  * selected -- see if this event is preselected.
2060  *
2061  * if errors are encountered trying to check a preselection mask
2062  * or look up a user name, the event is selected.  Otherwise, the
2063  * preselection mask is used for the job.
2064  */
2065 
2066 static int
2067 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status)
2068 {
2069 	adt_internal_state_t *sp;
2070 	au_mask_t	namask;
2071 
2072 	sp = event->ae_session;
2073 
2074 	if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) {
2075 		adt_write_syslog("No user data available", EINVAL);
2076 		return (1);	/* default is "selected" */
2077 	}
2078 
2079 	/* non-attributable? */
2080 	if ((sp->as_info.ai_auid == AU_NOAUDITID) ||
2081 	    (sp->as_info.ai_auid == ADT_NO_AUDIT)) {
2082 		if (auditon(A_GETKMASK, (caddr_t)&namask,
2083 		    sizeof (namask)) != 0) {
2084 			adt_write_syslog("auditon failure", errno);
2085 			return (1);
2086 		}
2087 		return (adt_is_selected(actual_id, &namask, status));
2088 	} else {
2089 		return (adt_is_selected(actual_id, &(sp->as_info.ai_mask),
2090 		    status));
2091 	}
2092 }
2093 
2094 /*
2095  * Can't map the host name to an IP address in
2096  * adt_get_hostIP.  Get something off an interface
2097  * to act as the hosts IP address for auditing.
2098  */
2099 
2100 static int
2101 adt_get_local_address(int family, struct ifaddrlist *al)
2102 {
2103 	struct ifaddrlist	*ifal;
2104 	char	errbuf[ERRBUFSIZE] = "empty list";
2105 	char	msg[ERRBUFSIZE + 512];
2106 	int	ifal_count;
2107 	int	i;
2108 
2109 	if ((ifal_count = ifaddrlist(&ifal, family, 0, errbuf)) <= 0) {
2110 		int serrno = errno;
2111 
2112 		(void) snprintf(msg, sizeof (msg), "adt_get_local_address "
2113 		    "couldn't get %d addrlist %s", family, errbuf);
2114 		adt_write_syslog(msg, serrno);
2115 		errno = serrno;
2116 		return (-1);
2117 	}
2118 
2119 	for (i = 0; i < ifal_count; i++) {
2120 		/*
2121 		 * loopback always defined,
2122 		 * even if there is no real address
2123 		 */
2124 		if ((ifal[i].flags & (IFF_UP | IFF_LOOPBACK)) == IFF_UP) {
2125 			break;
2126 		}
2127 	}
2128 	if (i >= ifal_count) {
2129 		free(ifal);
2130 		/*
2131 		 * Callers of adt_get_hostIP() can only return
2132 		 * errno to their callers and eventually the application.
2133 		 * Picked one that seemed least worse for saying no
2134 		 * usable address for Audit terminal ID.
2135 		 */
2136 		errno = ENETDOWN;
2137 		return (-1);
2138 	}
2139 
2140 	*al = ifal[i];
2141 	free(ifal);
2142 	return (0);
2143 }
2144