xref: /titanic_50/usr/src/lib/libbsm/common/adt.c (revision 015a6ef6781cc3ceba8ad3bfbae98449b6002a1f)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #include <bsm/adt.h>
28 #include <bsm/adt_event.h>
29 #include <assert.h>
30 #include <bsm/audit.h>
31 #include <bsm/audit_record.h>
32 #include <bsm/libbsm.h>
33 #include <door.h>
34 #include <errno.h>
35 #include <generic.h>
36 #include <md5.h>
37 #include <sys/mkdev.h>
38 #include <netdb.h>
39 #include <nss_dbdefs.h>
40 #include <pwd.h>
41 #include <sys/stat.h>
42 #include <time.h>
43 #include <stdlib.h>
44 #include <string.h>
45 #include <synch.h>
46 #include <sys/systeminfo.h>
47 #include <syslog.h>
48 #include <thread.h>
49 #include <unistd.h>
50 #include <adt_xlate.h>
51 #include <adt_ucred.h>
52 #include <arpa/inet.h>
53 #include <net/if.h>
54 #include <libinetutil.h>
55 
56 static int adt_selected(struct adt_event_state *, au_event_t, int);
57 static int adt_init(adt_internal_state_t *, int);
58 static int adt_import(adt_internal_state_t *, const adt_export_data_t *);
59 static m_label_t *adt_ucred_label(ucred_t *);
60 static void adt_setto_unaudited(adt_internal_state_t *);
61 static int adt_get_local_address(int, struct ifaddrlist *);
62 
63 #ifdef C2_DEBUG
64 #define	DPRINTF(x) {printf x; }
65 #define	DFLUSH fflush(stdout);
66 #else
67 #define	DPRINTF(x)
68 #define	DFLUSH
69 #endif
70 
71 static int auditstate = AUC_DISABLED;	/* default state */
72 
73 /*
74  * adt_write_syslog
75  *
76  * errors that are not the user's fault (bugs or whatever in
77  * the underlying audit code are noted in syslog.)
78  *
79  * Avoid calling adt_write_syslog for things that can happen
80  * at high volume.
81  *
82  * syslog's open (openlog) and close (closelog) are interesting;
83  * openlog *may* create a file descriptor and is optional.  closelog
84  * *will* close any open file descriptors and is also optional.
85  *
86  * Since syslog may also be used by the calling application, the
87  * choice is to avoid openlog, which sets some otherwise useful
88  * parameters, and to embed "Solaris_audit" in the log message.
89  */
90 
91 void
92 adt_write_syslog(const char *message, int err)
93 {
94 	int	save_errno = errno;
95 	int	mask_priority;
96 
97 	DPRINTF(("syslog called: %s\n", message));
98 
99 	mask_priority = setlogmask(LOG_MASK(LOG_ALERT));
100 	errno = err;
101 	syslog(LOG_ALERT, "Solaris_audit %s: %m", message);
102 	(void) setlogmask(mask_priority);
103 	errno = save_errno;
104 }
105 
106 /*
107  * return true if audit is enabled.  "Enabled" is any state
108  * other than AUC_DISABLED.
109  *
110  * states are
111  *		AUC_INIT_AUDIT	-- c2audit queuing enabled.
112  *		AUC_AUDITING	-- up and running
113  *		AUC_DISABLED	-- no audit subsystem loaded
114  *		AUC_UNSET	-- early boot state
115  *		AUC_NOAUDIT	-- subsystem loaded, turned off via
116  *				   auditon(A_SETCOND...)
117  *		AUC_NOSPACE	-- up and running, but log partitions are full
118  *
119  *	For purpose of this API, anything but AUC_DISABLED or
120  *	AUC_UNSET is enabled; however one never actually sees
121  *	AUC_DISABLED since auditon returns EINVAL in that case.  Any
122  *	auditon error is considered the same as EINVAL for our
123  *	purpose.  auditstate is not changed by auditon if an error
124  *	is returned.
125  */
126 
127 /*
128  * XXX	this should probably be eliminated and adt_audit_state() replace it.
129  *	All the legitimate uses	are to not fork a waiting process for
130  *	process exit processing, as in su, login, dtlogin.  Other bogus
131  *	users are zoneadmd and init.
132  *	All but dtlogin are in ON, so we can do this without cross gate
133  *	synchronization.
134  */
135 
136 boolean_t
137 adt_audit_enabled(void)
138 {
139 
140 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
141 
142 	return (auditstate != AUC_DISABLED);
143 }
144 
145 /*
146  *	See adt_audit_enabled() for state discussions.
147  *	The state parameter is a hedge until all the uses become clear.
148  *	Likely if adt_audit_enabled is brought internal to this file,
149  *	it can take a parameter discussing the state.
150  */
151 
152 boolean_t
153 adt_audit_state(int state)
154 {
155 
156 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
157 
158 	return (auditstate == state);
159 }
160 
161 /*
162  * The man page for getpwuid_r says the buffer must be big enough
163  * or ERANGE will be returned, but offers no guidance for how big
164  * the buffer should be or a way to calculate it.  If you get
165  * ERANGE, double pwd_buff's size.
166  *
167  * This may be called even when auditing is off.
168  */
169 
170 #define	NAFLAG_LEN 512
171 
172 static int
173 adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
174 {
175 	struct passwd	pwd;
176 	char		pwd_buff[NSS_BUFSIZ];
177 	char		naflag_buf[NAFLAG_LEN];
178 
179 	if (auditstate == AUC_DISABLED) {
180 		mask->am_success = 0;
181 		mask->am_failure = 0;
182 	} else if (uid <= MAXUID) {
183 		if (getpwuid_r(uid, &pwd, pwd_buff, NSS_BUFSIZ) == NULL) {
184 			/*
185 			 * getpwuid_r returns NULL without setting
186 			 * errno if the user does not exist; only
187 			 * if the input is the wrong length does it
188 			 * set errno.
189 			 */
190 			if (errno != ERANGE)
191 				errno = EINVAL;
192 			return (-1);
193 		}
194 		if (au_user_mask(pwd.pw_name, mask)) {
195 			errno = EFAULT; /* undetermined failure */
196 			return (-1);
197 		}
198 	} else if (getacna(naflag_buf, NAFLAG_LEN - 1) == 0) {
199 		if (getauditflagsbin(naflag_buf, mask))
200 			return (-1);
201 	} else {
202 		return (-1);
203 	}
204 	return (0);
205 }
206 
207 /*
208  * adt_get_unique_id -- generate a hopefully unique 32 bit value
209  *
210  * there will be a follow up to replace this with the use of /dev/random
211  *
212  * An MD5 hash is taken on a buffer of
213  *     hostname . audit id . unix time . pid . count
214  *
215  * "count = noise++;" is subject to a race condition but I don't
216  * see a need to put a lock around it.
217  */
218 
219 au_asid_t
220 adt_get_unique_id(au_id_t uid)
221 {
222 	char		hostname[MAXHOSTNAMELEN];
223 	union {
224 		au_id_t		v[4];
225 		unsigned char	obuff[128/8];
226 	} output;
227 	MD5_CTX	context;
228 
229 	static int	noise = 0;
230 
231 	int		count = noise++;
232 	time_t		timebits = time(NULL);
233 	pid_t		pidbits = getpid();
234 	au_asid_t	retval = 0;
235 
236 	if (gethostname(hostname, MAXHOSTNAMELEN)) {
237 		adt_write_syslog("gethostname call failed", errno);
238 		(void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN);
239 	}
240 
241 	while (retval == 0) {  /* 0 is the only invalid result */
242 		MD5Init(&context);
243 
244 		MD5Update(&context, (unsigned char *)hostname,
245 		    (unsigned int) strlen((const char *)hostname));
246 
247 		MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t));
248 
249 		MD5Update(&context,
250 		    (unsigned char *) &timebits, sizeof (time_t));
251 
252 		MD5Update(&context, (unsigned char *) &pidbits,
253 		    sizeof (pid_t));
254 
255 		MD5Update(&context, (unsigned char *) &(count), sizeof (int));
256 		MD5Final(output.obuff, &context);
257 
258 		retval = output.v[count % 4];
259 	}
260 	return (retval);
261 }
262 
263 /*
264  * the following "port" function deals with the following issues:
265  *
266  * 1    the kernel and ucred deal with a dev_t as a 64 bit value made
267  *      up from a 32 bit major and 32 bit minor.
268  * 2    User space deals with a dev_t as either the above 64 bit value
269  *      or a 32 bit value made from a 14 bit major and an 18 bit minor.
270  * 3    The various audit interfaces (except ucred) pass the 32 or
271  *      64 bit version depending the architecture of the userspace
272  *      application.  If you get a port value from ucred and pass it
273  *      to the kernel via auditon(), it must be squeezed into a 32
274  *      bit value because the kernel knows the userspace app's bit
275  *      size.
276  *
277  * The internal state structure for adt (adt_internal_state_t) uses
278  * dev_t, so adt converts data from ucred to fit.  The import/export
279  * functions, however, can't know if they are importing/exporting
280  * from 64 or 32 bit applications, so they always send 64 bits and
281  * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as
282  * appropriate.
283  */
284 
285 /*
286  * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are
287  * both 64 bits).  If lib is 32 bits, squeeze the two-int port into
288  * a 32 bit dev_t.  A port fits in the "minor" part of au_port_t,
289  * so it isn't broken up into pieces.  (When it goes to the kernel
290  * and back, however, it will have been split into major/minor
291  * pieces.)
292  */
293 
294 static void
295 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src)
296 {
297 #ifdef _LP64
298 	(void) memcpy(dest, src, sizeof (au_tid_addr_t));
299 #else	/* _LP64 */
300 	dest->at_type = src->at_type;
301 
302 	dest->at_port  = src->at_port.at_minor & MAXMIN32;
303 	dest->at_port |= (src->at_port.at_major & MAXMAJ32) <<
304 	    NBITSMINOR32;
305 
306 	(void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t));
307 #endif	/* _LP64 */
308 }
309 
310 /*
311  * adt_start_session -- create interface handle, create context
312  *
313  * The imported_state input is normally NULL, if not, it represents
314  * a continued session; its values obviate the need for a subsequent
315  * call to adt_set_user().
316  *
317  * The flag is used to decide how to set the initial state of the session.
318  * If 0, the session is "no audit" until a call to adt_set_user; if
319  * ADT_USE_PROC_DATA, the session is built from the process audit
320  * characteristics obtained from the kernel.  If imported_state is
321  * not NULL, the resulting audit mask is an OR of the current process
322  * audit mask and that passed in.
323  *
324  * The basic model is that the caller can use the pointer returned
325  * by adt_start_session whether or not auditing is enabled or an
326  * error was returned.  The functions that take the session handle
327  * as input generally return without doing anything if auditing is
328  * disabled.
329  */
330 
331 int
332 adt_start_session(adt_session_data_t **new_session,
333     const adt_export_data_t *imported_state, adt_session_flags_t flags)
334 {
335 	adt_internal_state_t	*state;
336 	adt_session_flags_t	flgmask = ADT_FLAGS_ALL;
337 
338 	*new_session = NULL;	/* assume failure */
339 
340 	/* ensure that auditstate is set */
341 	(void) adt_audit_enabled();
342 
343 	if ((flags & ~flgmask) != 0) {
344 		errno = EINVAL;
345 		goto return_err;
346 	}
347 	state = calloc(1, sizeof (adt_internal_state_t));
348 
349 	if (state == NULL)
350 		goto return_err;
351 
352 	if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0)
353 		goto return_err_free;    /* errno from adt_init() */
354 
355 	/*
356 	 * The imported state overwrites the initial state if the
357 	 * imported state represents a valid audit trail
358 	 */
359 
360 	if (imported_state != NULL) {
361 		if (adt_import(state, imported_state) != 0) {
362 			goto return_err_free;
363 		}
364 	} else if (flags & ADT_USE_PROC_DATA) {
365 		state->as_session_model = ADT_PROCESS_MODEL;
366 	}
367 	state->as_flags = flags;
368 	DPRINTF(("(%d) Starting session id = %08X\n",
369 	    getpid(), state->as_info.ai_asid));
370 
371 	if (state->as_audit_enabled) {
372 		*new_session = (adt_session_data_t *)state;
373 	} else {
374 		free(state);
375 	}
376 
377 	return (0);
378 return_err_free:
379 	free(state);
380 return_err:
381 	adt_write_syslog("audit session create failed", errno);
382 	return (-1);
383 }
384 
385 /*
386  * adt_load_table()
387  *
388  * loads the event translation table into the audit session.
389  */
390 
391 void
392 adt_load_table(const adt_session_data_t *session_data,
393     adt_translation_t **xlate, void (*preload)(au_event_t, adt_event_data_t *))
394 {
395 	adt_internal_state_t	*state = (adt_internal_state_t *)session_data;
396 
397 	if (state != NULL) {
398 		assert(state->as_check == ADT_VALID);
399 		state->as_xlate = xlate;
400 		state->as_preload = preload;
401 	}
402 }
403 
404 /*
405  * adt_get_asid() and adt_set_asid()
406  *
407  * if you use this interface, you are responsible to insure that the
408  * rest of the session data is populated correctly before calling
409  * adt_proccess_attr()
410  *
411  * neither of these are intended for general use and will likely
412  * remain private interfaces for a long time.  Forever is a long
413  * time.  In the case of adt_set_asid(), you should have a very,
414  * very good reason for setting your own session id.  The process
415  * audit characteristics are not changed by put, use adt_set_proc().
416  *
417  * These are "volatile" (more changable than "evolving") and will
418  * probably change in the S10 period.
419  */
420 
421 void
422 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid)
423 {
424 
425 	if (session_data == NULL) {
426 		*asid = 0;
427 	} else {
428 		assert(((adt_internal_state_t *)session_data)->as_check ==
429 		    ADT_VALID);
430 
431 		*asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid;
432 	}
433 }
434 
435 void
436 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id)
437 {
438 
439 	if (session_data != NULL) {
440 		assert(((adt_internal_state_t *)session_data)->as_check ==
441 		    ADT_VALID);
442 
443 		((adt_internal_state_t *)session_data)->as_have_user_data |=
444 		    ADT_HAVE_ASID;
445 		((adt_internal_state_t *)session_data)->as_info.ai_asid =
446 		    session_id;
447 	}
448 }
449 
450 /*
451  * adt_get_auid() and adt_set_auid()
452  *
453  * neither of these are intended for general use and will likely
454  * remain private interfaces for a long time.  Forever is a long
455  * time.  In the case of adt_set_auid(), you should have a very,
456  * very good reason for setting your own audit id.  The process
457  * audit characteristics are not changed by put, use adt_set_proc().
458  */
459 
460 void
461 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid)
462 {
463 
464 	if (session_data == NULL) {
465 		*auid = AU_NOAUDITID;
466 	} else {
467 		assert(((adt_internal_state_t *)session_data)->as_check ==
468 		    ADT_VALID);
469 
470 		*auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid;
471 	}
472 }
473 
474 void
475 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id)
476 {
477 
478 	if (session_data != NULL) {
479 		assert(((adt_internal_state_t *)session_data)->as_check ==
480 		    ADT_VALID);
481 
482 		((adt_internal_state_t *)session_data)->as_have_user_data |=
483 		    ADT_HAVE_AUID;
484 		((adt_internal_state_t *)session_data)->as_info.ai_auid =
485 		    audit_id;
486 	}
487 }
488 
489 /*
490  * adt_get_termid(), adt_set_termid()
491  *
492  * if you use this interface, you are responsible to insure that the
493  * rest of the session data is populated correctly before calling
494  * adt_proccess_attr()
495  *
496  * The process  audit characteristics are not changed by put, use
497  * adt_set_proc().
498  */
499 
500 void
501 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid)
502 {
503 
504 	if (session_data == NULL) {
505 		(void) memset(termid, 0, sizeof (au_tid_addr_t));
506 		termid->at_type = AU_IPv4;
507 	} else {
508 		assert(((adt_internal_state_t *)session_data)->as_check ==
509 		    ADT_VALID);
510 
511 		*termid =
512 		    ((adt_internal_state_t *)session_data)->as_info.ai_termid;
513 	}
514 }
515 
516 void
517 adt_set_termid(const adt_session_data_t *session_data,
518     const au_tid_addr_t *termid)
519 {
520 
521 	if (session_data != NULL) {
522 		assert(((adt_internal_state_t *)session_data)->as_check ==
523 		    ADT_VALID);
524 
525 		((adt_internal_state_t *)session_data)->as_info.ai_termid =
526 		    *termid;
527 
528 		((adt_internal_state_t *)session_data)->as_have_user_data |=
529 		    ADT_HAVE_TID;
530 	}
531 }
532 
533 /*
534  * adt_get_mask(), adt_set_mask()
535  *
536  * if you use this interface, you are responsible to insure that the
537  * rest of the session data is populated correctly before calling
538  * adt_proccess_attr()
539  *
540  * The process  audit characteristics are not changed by put, use
541  * adt_set_proc().
542  */
543 
544 void
545 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask)
546 {
547 
548 	if (session_data == NULL) {
549 		mask->am_success = 0;
550 		mask->am_failure = 0;
551 	} else {
552 		assert(((adt_internal_state_t *)session_data)->as_check ==
553 		    ADT_VALID);
554 
555 		*mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask;
556 	}
557 }
558 
559 void
560 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask)
561 {
562 
563 	if (session_data != NULL) {
564 		assert(((adt_internal_state_t *)session_data)->as_check ==
565 		    ADT_VALID);
566 
567 		((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask;
568 
569 		((adt_internal_state_t *)session_data)->as_have_user_data |=
570 		    ADT_HAVE_MASK;
571 	}
572 }
573 
574 /*
575  * helpers for adt_load_termid
576  */
577 
578 static void
579 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock,
580     au_tid_addr_t *termid)
581 {
582 
583 	termid->at_port = ((peer->sin6_port<<16) | (sock->sin6_port));
584 	termid->at_type = AU_IPv6;
585 	(void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t));
586 }
587 
588 static void
589 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock,
590     au_tid_addr_t *termid)
591 {
592 
593 	termid->at_port = ((peer->sin_port<<16) | (sock->sin_port));
594 
595 	termid->at_type = AU_IPv4;
596 	termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr;
597 	(void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t));
598 }
599 
600 /*
601  * adt_load_termid:  convenience function; inputs file handle and
602  * outputs an au_tid_addr struct.
603  *
604  * This code was stolen from audit_settid.c; it differs from audit_settid()
605  * in that it does not write the terminal id to the process.
606  */
607 
608 int
609 adt_load_termid(int fd, adt_termid_t **termid)
610 {
611 	au_tid_addr_t		*p_term;
612 	struct sockaddr_in6	peer;
613 	struct sockaddr_in6	sock;
614 	int			peerlen = sizeof (peer);
615 	int			socklen = sizeof (sock);
616 
617 	*termid = NULL;
618 
619 	/* get peer name if its a socket, else assume local terminal */
620 
621 	if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen)
622 	    < 0) {
623 		if (errno == ENOTSOCK)
624 			return (adt_load_hostname(NULL, termid));
625 		goto return_err;
626 	}
627 
628 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
629 		goto return_err;
630 
631 	/* get sock name */
632 	if (getsockname(fd, (struct sockaddr *)&sock,
633 	    (socklen_t *)&socklen) < 0)
634 		goto return_err_free;
635 
636 	if (peer.sin6_family == AF_INET6) {
637 		adt_do_ipv6_address(&peer, &sock, p_term);
638 	} else {
639 		adt_do_ipv4_address((struct sockaddr_in *)&peer,
640 		    (struct sockaddr_in *)&sock, p_term);
641 	}
642 	*termid = (adt_termid_t *)p_term;
643 
644 	return (0);
645 
646 return_err_free:
647 	free(p_term);
648 return_err:
649 	return (-1);
650 }
651 
652 static boolean_t
653 adt_have_termid(au_tid_addr_t *dest)
654 {
655 	struct auditinfo_addr	audit_data;
656 
657 	if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) {
658 		adt_write_syslog("getaudit failed", errno);
659 		return (B_FALSE);
660 	}
661 
662 	if ((audit_data.ai_termid.at_type == 0) ||
663 	    (audit_data.ai_termid.at_addr[0] |
664 	    audit_data.ai_termid.at_addr[1]  |
665 	    audit_data.ai_termid.at_addr[2]  |
666 	    audit_data.ai_termid.at_addr[3]) == 0)
667 		return (B_FALSE);
668 
669 	(void) memcpy(dest, &(audit_data.ai_termid),
670 	    sizeof (au_tid_addr_t));
671 
672 	return (B_TRUE);
673 }
674 
675 static int
676 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term)
677 {
678 	struct addrinfo	*ai = NULL;
679 	int	tries = 3;
680 	char	msg[512];
681 	int	eai_err;
682 
683 	while ((tries-- > 0) &&
684 	    ((eai_err = getaddrinfo(hostname, NULL, NULL, &ai)) != 0)) {
685 		/*
686 		 * getaddrinfo returns its own set of errors.
687 		 * Log them here, so any subsequent syslogs will
688 		 * have a context.  adt_get_hostIP callers can only
689 		 * return errno, so subsequent syslogs may be lacking
690 		 * that getaddrinfo failed.
691 		 */
692 		(void) snprintf(msg, sizeof (msg), "getaddrinfo(%s) "
693 		    "failed[%s]", hostname, gai_strerror(eai_err));
694 		adt_write_syslog(msg, 0);
695 
696 		if (eai_err != EAI_AGAIN) {
697 
698 			break;
699 		}
700 		/* see if resolution becomes available */
701 		(void) sleep(1);
702 	}
703 	if (ai != NULL) {
704 		if (ai->ai_family == AF_INET) {
705 			p_term->at_type = AU_IPv4;
706 			(void) memcpy(p_term->at_addr,
707 			    /* LINTED */
708 			    &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
709 			    AU_IPv4);
710 		} else {
711 			p_term->at_type = AU_IPv6;
712 			(void) memcpy(p_term->at_addr,
713 			    /* LINTED */
714 			    &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
715 			    AU_IPv6);
716 		}
717 		freeaddrinfo(ai);
718 		return (0);
719 	} else {
720 		struct ifaddrlist al;
721 		int	family;
722 		char	ntop[INET6_ADDRSTRLEN];
723 
724 		/*
725 		 * getaddrinfo has failed to map the hostname
726 		 * to an IP address, try to get an IP address
727 		 * from a local interface.
728 		 */
729 		family = AF_INET6;
730 		if (adt_get_local_address(family, &al) != 0) {
731 			family = AF_INET;
732 
733 			if (adt_get_local_address(family, &al) != 0) {
734 				adt_write_syslog("adt_get_local_address "
735 				    "failed, no Audit IP address available",
736 				    errno);
737 				return (-1);
738 			}
739 		}
740 		if (family == AF_INET) {
741 			p_term->at_type = AU_IPv4;
742 			(void) memcpy(p_term->at_addr, &al.addr.addr, AU_IPv4);
743 		} else {
744 			p_term->at_type = AU_IPv6;
745 			(void) memcpy(p_term->at_addr, &al.addr.addr6, AU_IPv6);
746 		}
747 
748 		(void) snprintf(msg, sizeof (msg), "mapping %s to %s",
749 		    hostname, inet_ntop(family, &(al.addr), ntop,
750 		    sizeof (ntop)));
751 		adt_write_syslog(msg, 0);
752 		return (0);
753 	}
754 }
755 
756 /*
757  * adt_load_hostname() is called when the caller does not have a file
758  * handle that gives access to the socket info or any other way to
759  * pass in both port and ip address.  The hostname input is ignored if
760  * the terminal id has already been set; instead it returns the
761  * existing terminal id.
762  *
763  * If audit is off and the hostname lookup fails, no error is
764  * returned, since an error may be interpreted by the caller
765  * as grounds for denying a login.  Otherwise the caller would
766  * need to be aware of the audit state.
767  */
768 
769 int
770 adt_load_hostname(const char *hostname, adt_termid_t **termid)
771 {
772 	char		localhost[MAXHOSTNAMELEN + 1];
773 	au_tid_addr_t	*p_term;
774 
775 	*termid = NULL;
776 
777 	if (!adt_audit_enabled())
778 		return (0);
779 
780 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
781 		goto return_err;
782 
783 	if (adt_have_termid(p_term)) {
784 		*termid = (adt_termid_t *)p_term;
785 		return (0);
786 	}
787 	p_term->at_port = 0;
788 
789 	if (hostname == NULL || *hostname == '\0') {
790 		(void) sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN);
791 		hostname = localhost;
792 	}
793 	if (adt_get_hostIP(hostname, p_term))
794 		goto return_err_free;
795 
796 	*termid = (adt_termid_t *)p_term;
797 	return (0);
798 
799 return_err_free:
800 	free(p_term);
801 
802 return_err:
803 	if ((auditstate == AUC_DISABLED) ||
804 	    (auditstate == AUC_NOAUDIT))
805 		return (0);
806 
807 	return (-1);
808 }
809 
810 /*
811  * adt_load_ttyname() is called when the caller does not have a file
812  * handle that gives access to the local terminal or any other way
813  * of determining the device id.  The ttyname input is ignored if
814  * the terminal id has already been set; instead it returns the
815  * existing terminal id.
816  *
817  * If audit is off and the ttyname lookup fails, no error is
818  * returned, since an error may be interpreted by the caller
819  * as grounds for denying a login.  Otherwise the caller would
820  * need to be aware of the audit state.
821  */
822 
823 int
824 adt_load_ttyname(const char *ttyname, adt_termid_t **termid)
825 {
826 	char		localhost[MAXHOSTNAMELEN + 1];
827 	au_tid_addr_t	*p_term;
828 	struct stat	stat_buf;
829 
830 	*termid = NULL;
831 
832 	if (!adt_audit_enabled())
833 		return (0);
834 
835 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
836 		goto return_err;
837 
838 	if (adt_have_termid(p_term)) {
839 		*termid = (adt_termid_t *)p_term;
840 		return (0);
841 	}
842 
843 	p_term->at_port = 0;
844 
845 	if (sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN) < 0)
846 		goto return_err_free; /* errno from sysinfo */
847 
848 	if (ttyname != NULL && *ttyname != '\0') {
849 		if (stat(ttyname, &stat_buf) < 0)
850 			goto return_err_free;
851 
852 		p_term->at_port = stat_buf.st_rdev;
853 	}
854 
855 	if (adt_get_hostIP(localhost, p_term))
856 		goto return_err_free;
857 
858 	*termid = (adt_termid_t *)p_term;
859 	return (0);
860 
861 return_err_free:
862 	free(p_term);
863 
864 return_err:
865 	if ((auditstate == AUC_DISABLED) ||
866 	    (auditstate == AUC_NOAUDIT))
867 		return (0);
868 
869 	return (-1);
870 }
871 
872 /*
873  * adt_get_session_id returns a stringified representation of
874  * the audit session id.  See also adt_get_asid() for how to
875  * get the unexpurgated version.  No guarantees as to how long
876  * the returned string will be or its general form; hex for now.
877  *
878  * An empty string is returned if auditing is off; length = 1
879  * and the pointer is valid.
880  *
881  * returns strlen + 1 if buffer is valid; else 0 and errno.
882  */
883 
884 size_t
885 adt_get_session_id(const adt_session_data_t *session_data, char **buff)
886 {
887 	au_asid_t	session_id;
888 	size_t		length;
889 	/*
890 	 * output is 0x followed by
891 	 * two characters per byte
892 	 * plus terminator,
893 	 * except leading 0's are suppressed, so a few bytes may
894 	 * be unused.
895 	 */
896 	length = 2 + (2 * sizeof (session_id)) + 1;
897 	*buff = malloc(length);
898 
899 	if (*buff == NULL) {
900 		return (0);
901 	}
902 	if (session_data == NULL) { /* NULL is not an error */
903 		**buff = '\0';
904 		return (1);
905 	}
906 	adt_get_asid(session_data, &session_id);
907 
908 	length = snprintf(*buff, length, "0x%X", (int)session_id);
909 
910 	/* length < 1 is a bug: the session data type may have changed */
911 	assert(length > 0);
912 
913 	return (length);
914 }
915 
916 /*
917  * adt_end_session -- close handle, clear context
918  *
919  * if as_check is invalid, no harm, no foul, EXCEPT that this could
920  * be an attempt to free data already free'd, so output to syslog
921  * to help explain why the process cored dumped.
922  */
923 
924 int
925 adt_end_session(adt_session_data_t *session_data)
926 {
927 	adt_internal_state_t	*state;
928 
929 	if (session_data != NULL) {
930 		state = (adt_internal_state_t *)session_data;
931 		if (state->as_check != ADT_VALID) {
932 			adt_write_syslog("freeing invalid data", EINVAL);
933 		} else {
934 			state->as_check = 0;
935 			m_label_free(state->as_label);
936 			free(session_data);
937 		}
938 	}
939 	/* no errors yet defined */
940 	return (0);
941 }
942 
943 /*
944  * adt_dup_session -- copy the session data
945  */
946 
947 int
948 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest)
949 {
950 	adt_internal_state_t	*source_state;
951 	adt_internal_state_t	*dest_state = NULL;
952 	int			rc = 0;
953 
954 	if (source != NULL) {
955 		source_state = (adt_internal_state_t *)source;
956 		assert(source_state->as_check == ADT_VALID);
957 
958 		dest_state = malloc(sizeof (adt_internal_state_t));
959 		if (dest_state == NULL) {
960 			rc = -1;
961 			goto return_rc;
962 		}
963 		(void) memcpy(dest_state, source,
964 		    sizeof (struct adt_internal_state));
965 
966 		if (source_state->as_label != NULL) {
967 			dest_state->as_label = NULL;
968 			if ((rc = m_label_dup(&dest_state->as_label,
969 			    source_state->as_label)) != 0) {
970 				free(dest_state);
971 				dest_state = NULL;
972 			}
973 		}
974 	}
975 return_rc:
976 	*dest = (adt_session_data_t *)dest_state;
977 	return (rc);
978 }
979 
980 /*
981  * from_export_format()
982  * read from a network order buffer into struct adt_session_data
983  */
984 
985 static size_t
986 adt_from_export_format(adt_internal_state_t *internal,
987     const adt_export_data_t *external)
988 {
989 	struct export_header	head;
990 	struct export_link	link;
991 	adr_t			context;
992 	int32_t 		offset;
993 	int32_t 		length;
994 	int32_t 		version;
995 	size_t			label_len;
996 	char			*p = (char *)external;
997 
998 	adrm_start(&context, (char *)external);
999 	adrm_int32(&context, (int *)&head, 4);
1000 
1001 	if ((internal->as_check = head.ax_check) != ADT_VALID) {
1002 		errno = EINVAL;
1003 		return (0);
1004 	}
1005 	offset = head.ax_link.ax_offset;
1006 	version = head.ax_link.ax_version;
1007 	length = head.ax_buffer_length;
1008 
1009 	/*
1010 	 * Skip newer versions.
1011 	 */
1012 	while (version > PROTOCOL_VERSION_2) {
1013 		if (offset < 1) {
1014 			return (0);	/* failed to match version */
1015 		}
1016 		p += offset;		/* point to next version # */
1017 
1018 		if (p > (char *)external + length) {
1019 			return (0);
1020 		}
1021 		adrm_start(&context, p);
1022 		adrm_int32(&context, (int *)&link, 2);
1023 		offset = link.ax_offset;
1024 		version = link.ax_version;
1025 		assert(version != 0);
1026 	}
1027 	/*
1028 	 * Adjust buffer pointer to the first data item (euid).
1029 	 */
1030 	if (p == (char *)external) {
1031 		adrm_start(&context, (char *)(p + sizeof (head)));
1032 	} else {
1033 		adrm_start(&context, (char *)(p + sizeof (link)));
1034 	}
1035 	/*
1036 	 * if down rev version, neither pid nor label are included
1037 	 * in v1 ax_size_of_tsol_data intentionally ignored
1038 	 */
1039 	if (version == PROTOCOL_VERSION_1) {
1040 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1041 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1042 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1043 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1044 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1045 		adrm_int32(&context,
1046 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1047 		adrm_int32(&context,
1048 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1049 		adrm_int32(&context,
1050 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1051 		adrm_int32(&context,
1052 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1053 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1054 		adrm_int32(&context, (int *)&(internal->as_audit_enabled), 1);
1055 		internal->as_pid = (pid_t)-1;
1056 		internal->as_label = NULL;
1057 	} else if (version == PROTOCOL_VERSION_2) {
1058 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1059 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1060 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1061 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1062 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1063 		adrm_int32(&context,
1064 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1065 		adrm_int32(&context,
1066 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1067 		adrm_int32(&context,
1068 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1069 		adrm_int32(&context,
1070 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1071 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1072 		adrm_int32(&context, (int *)&(internal->as_audit_enabled), 1);
1073 		adrm_int32(&context, (int *)&(internal->as_pid), 1);
1074 		adrm_int32(&context, (int *)&label_len, 1);
1075 		if (label_len > 0) {
1076 			/* read in and deal with different sized labels. */
1077 			size32_t my_label_len = blabel_size();
1078 
1079 			if ((internal->as_label =
1080 			    m_label_alloc(MAC_LABEL)) == NULL) {
1081 				return (0);
1082 			}
1083 			if (label_len > my_label_len) {
1084 				errno = EINVAL;
1085 				m_label_free(internal->as_label);
1086 				return (0);
1087 			}
1088 			(void) memset(internal->as_label, 0, my_label_len);
1089 			adrm_int32(&context, (int *)(internal->as_label),
1090 			    label_len / sizeof (int32_t));
1091 		} else {
1092 			internal->as_label = NULL;
1093 		}
1094 	}
1095 
1096 	return (length);
1097 }
1098 
1099 /*
1100  * adt_to_export_format
1101  * read from struct adt_session_data into a network order buffer.
1102  *
1103  * (network order 'cause this data may be shared with a remote host.)
1104  */
1105 
1106 static size_t
1107 adt_to_export_format(adt_export_data_t *external,
1108     adt_internal_state_t *internal)
1109 {
1110 	struct export_header	head;
1111 	struct export_link	tail;
1112 	adr_t			context;
1113 	size32_t		label_len = 0;
1114 
1115 	adrm_start(&context, (char *)external);
1116 
1117 	if (internal->as_label != NULL) {
1118 		label_len = blabel_size();
1119 	}
1120 
1121 	head.ax_check = ADT_VALID;
1122 	head.ax_buffer_length = sizeof (struct adt_export_data) + label_len;
1123 
1124 	/* version 2 first */
1125 
1126 	head.ax_link.ax_version = PROTOCOL_VERSION_2;
1127 	head.ax_link.ax_offset = sizeof (struct export_header) +
1128 	    sizeof (struct adt_export_v2) + label_len;
1129 
1130 	adrm_putint32(&context, (int *)&head, 4);
1131 
1132 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1133 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1134 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1135 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1136 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1137 	adrm_putint32(&context,
1138 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1139 	adrm_putint32(&context,
1140 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1141 	adrm_putint32(&context,
1142 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1143 	adrm_putint32(&context,
1144 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1145 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1146 	adrm_putint32(&context, (int *)&(internal->as_audit_enabled), 1);
1147 	adrm_putint32(&context, (int *)&(internal->as_pid), 1);
1148 	adrm_putint32(&context, (int *)&label_len, 1);
1149 	if (internal->as_label != NULL) {
1150 		/* serialize the label */
1151 		adrm_putint32(&context, (int *)(internal->as_label),
1152 		    (label_len / sizeof (int32_t)));
1153 	}
1154 
1155 	/* now version 1 */
1156 
1157 	tail.ax_version = PROTOCOL_VERSION_1;
1158 	tail.ax_offset = 0;
1159 
1160 	adrm_putint32(&context, (int *)&tail, 2);
1161 
1162 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1163 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1164 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1165 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1166 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1167 	adrm_putint32(&context,
1168 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1169 	adrm_putint32(&context,
1170 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1171 	adrm_putint32(&context,
1172 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1173 	adrm_putint32(&context,
1174 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1175 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1176 	adrm_putint32(&context, (int *)&(internal->as_audit_enabled), 1);
1177 	/* ignored in v1 */
1178 	adrm_putint32(&context, (int *)&label_len, 1);
1179 
1180 	/* finally terminator */
1181 
1182 	tail.ax_version = 0; /* invalid version number */
1183 	tail.ax_offset = 0;
1184 
1185 	adrm_putint32(&context, (int *)&tail, 2);
1186 
1187 	return (head.ax_buffer_length);
1188 }
1189 
1190 
1191 /*
1192  * adt_import_proc() is used by a server acting on behalf
1193  * of a client which has connected via an ipc mechanism such as
1194  * a door.
1195  *
1196  * Since the interface is via ucred, the info.ap_termid.port
1197  * value is always the 64 bit version.  What is stored depends
1198  * on how libbsm is compiled.
1199  */
1200 
1201 size_t
1202 adt_import_proc(pid_t pid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1203     adt_export_data_t **external)
1204 {
1205 	size_t			length = 0;
1206 	adt_internal_state_t	*state;
1207 	ucred_t			*ucred;
1208 	const au_tid64_addr_t	*tid;
1209 
1210 	state = calloc(1, sizeof (adt_internal_state_t));
1211 
1212 	if (state == NULL)
1213 		return (0);
1214 
1215 	if (adt_init(state, 0) != 0)
1216 		goto return_length_free;    /* errno from adt_init() */
1217 
1218 	/*
1219 	 * ucred_getauid() returns AU_NOAUDITID if audit is off, which
1220 	 * is the right answer for adt_import_proc().
1221 	 *
1222 	 * Create a local context as near as possible.
1223 	 */
1224 
1225 	ucred = ucred_get(pid);
1226 
1227 	if (ucred == NULL)
1228 		goto return_length_free;
1229 
1230 	state->as_ruid = ruid != ADT_NO_CHANGE ? ruid : ucred_getruid(ucred);
1231 	state->as_euid = euid != ADT_NO_CHANGE ? euid : ucred_geteuid(ucred);
1232 	state->as_rgid = rgid != ADT_NO_CHANGE ? rgid : ucred_getrgid(ucred);
1233 	state->as_egid = egid != ADT_NO_CHANGE ? egid : ucred_getegid(ucred);
1234 
1235 	state->as_info.ai_auid = ucred_getauid(ucred);
1236 
1237 	if (state->as_info.ai_auid == AU_NOAUDITID) {
1238 		state->as_info.ai_asid = adt_get_unique_id(ruid);
1239 
1240 		if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1241 			goto return_all_free;
1242 	} else {
1243 		const au_mask_t *mask = ucred_getamask(ucred);
1244 
1245 		if (mask != NULL)
1246 			state->as_info.ai_mask = *mask;
1247 		else
1248 			goto return_all_free;
1249 
1250 		state->as_info.ai_asid = ucred_getasid(ucred);
1251 	}
1252 
1253 	tid = ucred_getatid(ucred);
1254 
1255 	if (tid != NULL) {
1256 		adt_cpy_tid(&(state->as_info.ai_termid), tid);
1257 	} else {
1258 		(void) memset((void *)&(state->as_info.ai_termid), 0,
1259 		    sizeof (au_tid_addr_t));
1260 		state->as_info.ai_termid.at_type = AU_IPv4;
1261 	}
1262 
1263 	DPRINTF(("import_proc/asid = %X %u\n", state->as_info.ai_asid,
1264 	    state->as_info.ai_asid));
1265 
1266 	DPRINTF(("import_proc/masks = %X %X\n",
1267 	    state->as_info.ai_mask.am_success,
1268 	    state->as_info.ai_mask.am_failure));
1269 
1270 	if (state->as_label == NULL) {
1271 		*external = malloc(sizeof (adt_export_data_t));
1272 	} else {
1273 		*external = malloc(sizeof (adt_export_data_t) + blabel_size());
1274 	}
1275 
1276 	if (*external == NULL)
1277 		goto return_all_free;
1278 
1279 	length = adt_to_export_format(*external, state);
1280 	/*
1281 	 * yes, state is supposed to be free'd for both pass and fail
1282 	 */
1283 return_all_free:
1284 	ucred_free(ucred);
1285 return_length_free:
1286 	free(state);
1287 	return (length);
1288 }
1289 
1290 /*
1291  * adt_ucred_label() -- if label is available, duplicate it.
1292  */
1293 
1294 static m_label_t *
1295 adt_ucred_label(ucred_t *uc)
1296 {
1297 	m_label_t	*ul = NULL;
1298 
1299 	if (ucred_getlabel(uc) != NULL) {
1300 		(void) m_label_dup(&ul, ucred_getlabel(uc));
1301 	}
1302 
1303 	return (ul);
1304 }
1305 
1306 /*
1307  * adt_import() -- convert from network order to machine-specific order
1308  */
1309 
1310 static int
1311 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external)
1312 {
1313 	au_mask_t mask;
1314 
1315 	/* save local audit enabled state */
1316 	int	local_audit_enabled = internal->as_audit_enabled;
1317 
1318 	if (adt_from_export_format(internal, external) < 1)
1319 		return (-1); /* errno from adt_from_export_format */
1320 
1321 	/*
1322 	 * If audit isn't enabled on the remote, they were unable
1323 	 * to generate the audit mask, so generate it based on
1324 	 * local configuration.  If the user id has changed, the
1325 	 * resulting mask may miss some subtleties that occurred
1326 	 * on the remote system.
1327 	 *
1328 	 * If the remote failed to generate a terminal id, it is not
1329 	 * recoverable.
1330 	 */
1331 
1332 	if (!internal->as_audit_enabled) {
1333 		if (adt_get_mask_from_user(internal->as_info.ai_auid,
1334 		    &(internal->as_info.ai_mask)))
1335 			return (-1);
1336 		if (internal->as_info.ai_auid != internal->as_ruid) {
1337 			if (adt_get_mask_from_user(internal->as_info.ai_auid,
1338 			    &mask))
1339 				return (-1);
1340 			internal->as_info.ai_mask.am_success |=
1341 			    mask.am_success;
1342 			internal->as_info.ai_mask.am_failure |=
1343 			    mask.am_failure;
1344 		}
1345 	}
1346 	internal->as_audit_enabled = local_audit_enabled;
1347 
1348 	DPRINTF(("(%d)imported asid = %X %u\n", getpid(),
1349 	    internal->as_info.ai_asid,
1350 	    internal->as_info.ai_asid));
1351 
1352 	internal->as_have_user_data = ADT_HAVE_ALL;
1353 
1354 	return (0);
1355 }
1356 
1357 /*
1358  * adt_export_session_data()
1359  * copies a adt_session_data struct into a network order buffer
1360  *
1361  * In a misconfigured network, the local host may have auditing
1362  * off while the destination may have auditing on, so if there
1363  * is sufficient memory, a buffer will be returned even in the
1364  * audit off case.
1365  */
1366 
1367 size_t
1368 adt_export_session_data(const adt_session_data_t *internal,
1369     adt_export_data_t **external)
1370 {
1371 	size32_t		length = 0;
1372 
1373 	if ((internal != NULL) &&
1374 	    ((adt_internal_state_t *)internal)->as_label != NULL) {
1375 		length = blabel_size();
1376 	}
1377 
1378 	*external = malloc(sizeof (adt_export_data_t) + length);
1379 
1380 	if (*external == NULL)
1381 		return (0);
1382 
1383 	if (internal == NULL) {
1384 		adt_internal_state_t	*dummy;
1385 
1386 		dummy = malloc(sizeof (adt_internal_state_t));
1387 		if (dummy == NULL)
1388 			goto return_length_free;
1389 
1390 		if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */
1391 			free(dummy);
1392 			goto return_length_free;
1393 		}
1394 		length = adt_to_export_format(*external, dummy);
1395 		free(dummy);
1396 	} else {
1397 		length = adt_to_export_format(*external,
1398 		    (adt_internal_state_t *)internal);
1399 	}
1400 	return (length);
1401 
1402 return_length_free:
1403 	free(*external);
1404 	*external = NULL;
1405 	return (0);
1406 }
1407 
1408 static void
1409 adt_setto_unaudited(adt_internal_state_t *state)
1410 {
1411 	state->as_ruid = AU_NOAUDITID;
1412 	state->as_euid = AU_NOAUDITID;
1413 	state->as_rgid = AU_NOAUDITID;
1414 	state->as_egid = AU_NOAUDITID;
1415 	state->as_pid = (pid_t)-1;
1416 	state->as_label = NULL;
1417 
1418 	if (state->as_audit_enabled) {
1419 		state->as_info.ai_asid = 0;
1420 		state->as_info.ai_auid = AU_NOAUDITID;
1421 
1422 		(void) memset((void *)&(state->as_info.ai_termid), 0,
1423 		    sizeof (au_tid_addr_t));
1424 		state->as_info.ai_termid.at_type = AU_IPv4;
1425 
1426 		(void) memset((void *)&(state->as_info.ai_mask), 0,
1427 		    sizeof (au_mask_t));
1428 		state->as_have_user_data = 0;
1429 	}
1430 }
1431 
1432 /*
1433  * adt_init -- set session context by copying the audit characteristics
1434  * from the proc and picking up current uid/tid information.
1435  *
1436  * By default, an audit session is based on the process; the default
1437  * is overriden by adt_set_user()
1438  */
1439 
1440 static int
1441 adt_init(adt_internal_state_t *state, int use_proc_data)
1442 {
1443 
1444 	state->as_audit_enabled = (auditstate == AUC_DISABLED) ? 0 : 1;
1445 
1446 	if (use_proc_data) {
1447 		state->as_ruid = getuid();
1448 		state->as_euid = geteuid();
1449 		state->as_rgid = getgid();
1450 		state->as_egid = getegid();
1451 		state->as_pid = getpid();
1452 
1453 		if (state->as_audit_enabled) {
1454 			const au_tid64_addr_t	*tid;
1455 			const au_mask_t		*mask;
1456 			ucred_t			*ucred = ucred_get(P_MYID);
1457 
1458 			/*
1459 			 * Even if the ucred is NULL, the underlying
1460 			 * credential may have a valid terminal id; if the
1461 			 * terminal id is set, then that's good enough.  An
1462 			 * example of where this matters is failed login,
1463 			 * where rlogin/telnet sets the terminal id before
1464 			 * calling login; login does not load the credential
1465 			 * since auth failed.
1466 			 */
1467 			if (ucred == NULL) {
1468 				if (!adt_have_termid(
1469 				    &(state->as_info.ai_termid)))
1470 					return (-1);
1471 			} else {
1472 				mask = ucred_getamask(ucred);
1473 				if (mask != NULL) {
1474 					state->as_info.ai_mask = *mask;
1475 				} else {
1476 					ucred_free(ucred);
1477 					return (-1);
1478 				}
1479 				tid = ucred_getatid(ucred);
1480 				if (tid != NULL) {
1481 					adt_cpy_tid(&(state->as_info.ai_termid),
1482 					    tid);
1483 				} else {
1484 					ucred_free(ucred);
1485 					return (-1);
1486 				}
1487 				state->as_info.ai_asid = ucred_getasid(ucred);
1488 				state->as_info.ai_auid = ucred_getauid(ucred);
1489 				state->as_label = adt_ucred_label(ucred);
1490 				ucred_free(ucred);
1491 			}
1492 			state->as_have_user_data = ADT_HAVE_ALL;
1493 		}
1494 	} else {
1495 		adt_setto_unaudited(state);
1496 	}
1497 	state->as_session_model = ADT_SESSION_MODEL;	/* default */
1498 
1499 	if (state->as_audit_enabled &&
1500 	    auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy),
1501 	    sizeof (state->as_kernel_audit_policy))) {
1502 		return (-1);  /* errno set by auditon */
1503 	}
1504 	state->as_check = ADT_VALID;
1505 	adt_load_table((adt_session_data_t *)state, &adt_xlate_table[0],
1506 	    &adt_preload);
1507 	return (0);
1508 }
1509 
1510 /*
1511  * adt_set_proc
1512  *
1513  * Copy the current session state to the process.  If this function
1514  * is called, the model becomes a process model rather than a
1515  * session model.
1516  *
1517  * In the current implementation, the value state->as_have_user_data
1518  * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}.  These are all set
1519  * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in.
1520  *
1521  */
1522 
1523 int
1524 adt_set_proc(const adt_session_data_t *session_data)
1525 {
1526 	adt_internal_state_t	*state;
1527 
1528 	if (auditstate == AUC_DISABLED || (session_data == NULL))
1529 		return (0);
1530 
1531 	state = (adt_internal_state_t *)session_data;
1532 
1533 	assert(state->as_check == ADT_VALID);
1534 
1535 	if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) !=
1536 	    (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) {
1537 		errno = EINVAL;
1538 		goto return_err;
1539 	}
1540 
1541 	if (setaudit_addr((auditinfo_addr_t *)&(state->as_info),
1542 	    sizeof (auditinfo_addr_t)) < 0) {
1543 		goto return_err;	/* errno set by setaudit_addr() */
1544 	}
1545 
1546 	state->as_session_model = ADT_PROCESS_MODEL;
1547 
1548 	return (0);
1549 
1550 return_err:
1551 	adt_write_syslog("failed to set process audit characteristics", errno);
1552 	return (-1);
1553 }
1554 
1555 static int
1556 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid)
1557 {
1558 	au_tid_addr_t	no_tid = {0, AU_IPv4, 0, 0, 0, 0};
1559 	au_mask_t	no_mask = {0, 0};
1560 
1561 	if (ruid == ADT_NO_AUDIT) {
1562 		state->as_info.ai_auid = AU_NOAUDITID;
1563 		state->as_info.ai_asid = 0;
1564 		state->as_info.ai_termid = no_tid;
1565 		state->as_info.ai_mask = no_mask;
1566 		return (0);
1567 	}
1568 	state->as_info.ai_auid = ruid;
1569 	state->as_info.ai_asid = adt_get_unique_id(ruid);
1570 	if (termid != NULL)
1571 		state->as_info.ai_termid = *termid;
1572 
1573 	if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1574 		return (-1);
1575 
1576 	/* Assume intending to audit as this process */
1577 
1578 	if (state->as_pid == (pid_t)-1)
1579 		state->as_pid = getpid();
1580 
1581 	if (is_system_labeled() && state->as_label == NULL) {
1582 		ucred_t	*ucred = ucred_get(P_MYID);
1583 
1584 		state->as_label = adt_ucred_label(ucred);
1585 		ucred_free(ucred);
1586 	}
1587 
1588 	return (0);
1589 }
1590 
1591 static int
1592 adt_changeuser(adt_internal_state_t *state, uid_t ruid)
1593 {
1594 	au_mask_t		mask;
1595 
1596 	if (!(state->as_have_user_data & ADT_HAVE_AUID))
1597 		state->as_info.ai_auid = ruid;
1598 	if (!(state->as_have_user_data & ADT_HAVE_ASID))
1599 		state->as_info.ai_asid = adt_get_unique_id(ruid);
1600 
1601 	if (ruid <= MAXEPHUID) {
1602 		if (adt_get_mask_from_user(ruid, &mask))
1603 			return (-1);
1604 
1605 		state->as_info.ai_mask.am_success |= mask.am_success;
1606 		state->as_info.ai_mask.am_failure |= mask.am_failure;
1607 	}
1608 	DPRINTF(("changed mask to %08X/%08X for ruid=%d\n",
1609 	    state->as_info.ai_mask.am_success,
1610 	    state->as_info.ai_mask.am_failure,
1611 	    ruid));
1612 	return (0);
1613 }
1614 
1615 /*
1616  * adt_set_user -- see also adt_set_from_ucred()
1617  *
1618  * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or
1619  * "unattributed."  If ruid, change the model to session.
1620  *
1621  * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value"
1622  * only valid with ADT_UPDATE.
1623  *
1624  * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there
1625  * isn't a good reason to call adt_set_user() with it unless you don't
1626  * have a good value yet and intend to replace it later; auid will be
1627  * AU_NOAUDITID.
1628  *
1629  * adt_set_user should be called even if auditing is not enabled
1630  * so that adt_export_session_data() will have useful stuff to
1631  * work with.
1632  *
1633  * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID
1634  * and ADT_HAVE_ALL.
1635  */
1636 
1637 int
1638 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid,
1639     uid_t ruid, gid_t rgid, const adt_termid_t *termid,
1640     enum adt_user_context user_context)
1641 {
1642 	adt_internal_state_t	*state;
1643 	int			rc;
1644 
1645 	if (session_data == NULL) /* no session exists to audit */
1646 		return (0);
1647 
1648 	state = (adt_internal_state_t *)session_data;
1649 	assert(state->as_check == ADT_VALID);
1650 
1651 	switch (user_context) {
1652 	case ADT_NEW:
1653 		if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE ||
1654 		    rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) {
1655 			errno = EINVAL;
1656 			return (-1);
1657 		}
1658 		if ((rc = adt_newuser(state, ruid,
1659 		    (au_tid_addr_t *)termid)) != 0)
1660 			return (rc);
1661 
1662 		state->as_have_user_data = ADT_HAVE_ALL;
1663 		break;
1664 	case ADT_UPDATE:
1665 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1666 			errno = EINVAL;
1667 			return (-1);
1668 		}
1669 
1670 		if (ruid != ADT_NO_CHANGE)
1671 			if ((rc = adt_changeuser(state, ruid)) != 0)
1672 				return (rc);
1673 		break;
1674 	case ADT_USER:
1675 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1676 			errno = EINVAL;
1677 			return (-1);
1678 		}
1679 		break;
1680 	case ADT_SETTID:
1681 		assert(termid != NULL);
1682 		state->as_info.ai_termid = *((au_tid_addr_t *)termid);
1683 		/* avoid fooling pam_setcred()... */
1684 		state->as_info.ai_auid = AU_NOAUDITID;
1685 		state->as_info.ai_asid = 0;
1686 		state->as_info.ai_mask.am_failure = 0;
1687 		state->as_info.ai_mask.am_success = 0;
1688 		state->as_have_user_data = ADT_HAVE_TID |
1689 		    ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK;
1690 		return (0);
1691 	default:
1692 		errno = EINVAL;
1693 		return (-1);
1694 	}
1695 
1696 	if (ruid == ADT_NO_AUDIT) {
1697 		state->as_ruid = AU_NOAUDITID;
1698 		state->as_euid = AU_NOAUDITID;
1699 		state->as_rgid = AU_NOAUDITID;
1700 		state->as_egid = AU_NOAUDITID;
1701 	} else {
1702 		if (ruid != ADT_NO_CHANGE)
1703 			state->as_ruid = ruid;
1704 		if (euid != ADT_NO_CHANGE)
1705 			state->as_euid = euid;
1706 		if (rgid != ADT_NO_CHANGE)
1707 			state->as_rgid = rgid;
1708 		if (egid != ADT_NO_CHANGE)
1709 			state->as_egid = egid;
1710 	}
1711 
1712 	if (ruid == ADT_NO_ATTRIB) {
1713 		state->as_session_model = ADT_SESSION_MODEL;
1714 	}
1715 
1716 	return (0);
1717 }
1718 
1719 /*
1720  * adt_set_from_ucred()
1721  *
1722  * an alternate to adt_set_user that fills the same role but uses
1723  * a pointer to a ucred rather than a list of id's.  If the ucred
1724  * pointer is NULL, use the credential from the this process.
1725  *
1726  * A key difference is that for ADT_NEW, adt_set_from_ucred() does
1727  * not overwrite the asid and auid unless auid has not been set.
1728  * ADT_NEW differs from ADT_UPDATE in that it does not OR together
1729  * the incoming audit mask with the one that already exists.
1730  *
1731  * adt_set_from_ucred should be called even if auditing is not enabled
1732  * so that adt_export_session_data() will have useful stuff to
1733  * work with.
1734  */
1735 
1736 int
1737 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc,
1738     enum adt_user_context user_context)
1739 {
1740 	adt_internal_state_t	*state;
1741 	int			rc = -1;
1742 	const au_tid64_addr_t		*tid64;
1743 	au_tid_addr_t		termid, *tid;
1744 	ucred_t	*ucred = (ucred_t *)uc;
1745 	boolean_t	local_uc = B_FALSE;
1746 
1747 	if (session_data == NULL) /* no session exists to audit */
1748 		return (0);
1749 
1750 	state = (adt_internal_state_t *)session_data;
1751 	assert(state->as_check == ADT_VALID);
1752 
1753 	if (ucred == NULL) {
1754 		ucred = ucred_get(P_MYID);
1755 
1756 		if (ucred == NULL)
1757 			goto return_rc;
1758 		local_uc = B_TRUE;
1759 	}
1760 
1761 	switch (user_context) {
1762 	case ADT_NEW:
1763 		tid64 = ucred_getatid(ucred);
1764 		if (tid64 != NULL) {
1765 			adt_cpy_tid(&termid, tid64);
1766 			tid = &termid;
1767 		} else {
1768 			tid = NULL;
1769 		}
1770 		if (ucred_getauid(ucred) == AU_NOAUDITID) {
1771 			adt_setto_unaudited(state);
1772 			state->as_have_user_data = ADT_HAVE_ALL;
1773 			rc = 0;
1774 			goto return_rc;
1775 		} else {
1776 			state->as_info.ai_auid = ucred_getauid(ucred);
1777 			state->as_info.ai_asid = ucred_getasid(ucred);
1778 			state->as_info.ai_mask = *ucred_getamask(ucred);
1779 			state->as_info.ai_termid = *tid;
1780 		}
1781 		state->as_have_user_data = ADT_HAVE_ALL;
1782 		break;
1783 	case ADT_UPDATE:
1784 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1785 			errno = EINVAL;
1786 			goto return_rc;
1787 		}
1788 
1789 		if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0)
1790 			goto return_rc;
1791 		break;
1792 	case ADT_USER:
1793 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1794 			errno = EINVAL;
1795 			goto return_rc;
1796 		}
1797 		break;
1798 	default:
1799 		errno = EINVAL;
1800 		goto return_rc;
1801 	}
1802 	rc = 0;
1803 
1804 	state->as_ruid = ucred_getruid(ucred);
1805 	state->as_euid = ucred_geteuid(ucred);
1806 	state->as_rgid = ucred_getrgid(ucred);
1807 	state->as_egid = ucred_getegid(ucred);
1808 	state->as_pid = ucred_getpid(ucred);
1809 	state->as_label = adt_ucred_label(ucred);
1810 
1811 return_rc:
1812 	if (local_uc) {
1813 		ucred_free(ucred);
1814 	}
1815 	return (rc);
1816 }
1817 
1818 /*
1819  * adt_alloc_event() returns a pointer to allocated memory
1820  *
1821  */
1822 
1823 adt_event_data_t
1824 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id)
1825 {
1826 	struct adt_event_state	*event_state;
1827 	adt_internal_state_t	*session_state;
1828 	adt_event_data_t	*return_event = NULL;
1829 	/*
1830 	 * need to return a valid event pointer even if audit is
1831 	 * off, else the caller will end up either (1) keeping its
1832 	 * own flags for on/off or (2) writing to a NULL pointer.
1833 	 * If auditing is on, the session data must be valid; otherwise
1834 	 * we don't care.
1835 	 */
1836 	if (session_data != NULL) {
1837 		session_state = (adt_internal_state_t *)session_data;
1838 		assert(session_state->as_check == ADT_VALID);
1839 	}
1840 	event_state = calloc(1, sizeof (struct adt_event_state));
1841 	if (event_state == NULL)
1842 		goto return_ptr;
1843 
1844 	event_state->ae_check = ADT_VALID;
1845 
1846 	event_state->ae_event_id = event_id;
1847 	event_state->ae_session = (struct adt_internal_state *)session_data;
1848 
1849 	return_event = (adt_event_data_t *)&(event_state->ae_event_data);
1850 
1851 	/*
1852 	 * preload data so the adt_au_*() functions can detect un-supplied
1853 	 * values (0 and NULL are free via calloc()).
1854 	 */
1855 	if (session_data != NULL) {
1856 		session_state->as_preload(event_id, return_event);
1857 	}
1858 
1859 return_ptr:
1860 	return (return_event);
1861 }
1862 
1863 /*
1864  * adt_getXlateTable -- look up translation table address for event id
1865  */
1866 
1867 static adt_translation_t *
1868 adt_getXlateTable(adt_translation_t **xlate, au_event_t event_id)
1869 {
1870 	/* xlate_table is global in adt_xlate.c */
1871 	adt_translation_t	**p_xlate = xlate;
1872 	adt_translation_t	*p_event;
1873 
1874 	while (*p_xlate != NULL) {
1875 		p_event = *p_xlate;
1876 		if (event_id == p_event->tx_external_event)
1877 			return (p_event);
1878 		p_xlate++;
1879 	}
1880 	return (NULL);
1881 }
1882 
1883 /*
1884  * adt_calcOffsets
1885  *
1886  * the call to this function is surrounded by a mutex.
1887  *
1888  * i walks down the table picking up next_token.  j walks again to
1889  * calculate the offset to the input data.  k points to the next
1890  * token's row.  Finally, l, is used to sum the values in the
1891  * datadef array.
1892  *
1893  * What's going on?  The entry array is in the order of the input
1894  * fields but the processing of array entries is in the order of
1895  * the output (see next_token).  Calculating the offset to the
1896  * "next" input can't be done in the outer loop (i) since i doesn't
1897  * point to the current entry and it can't be done with the k index
1898  * because it doesn't represent the order of input fields.
1899  *
1900  * While the resulting algorithm is n**2, it is only done once per
1901  * event type.
1902  */
1903 
1904 /*
1905  * adt_calcOffsets is only called once per event type, but it uses
1906  * the address alignment of memory allocated for that event as if it
1907  * were the same for all subsequently allocated memory.  This is
1908  * guaranteed by calloc/malloc.  Arrays take special handling since
1909  * what matters for figuring out the correct alignment is the size
1910  * of the array element.
1911  */
1912 
1913 static void
1914 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data)
1915 {
1916 	int		i, j;
1917 	size_t		this_size, prev_size;
1918 	void		*struct_start = p_data;
1919 
1920 	for (i = 0; i < tablesize; i++) {
1921 		if (p_entry[i].en_type_def == NULL) {
1922 			p_entry[i].en_offset = 0;
1923 			continue;
1924 		}
1925 		prev_size = 0;
1926 		p_entry[i].en_offset = (char *)p_data - (char *)struct_start;
1927 
1928 		for (j = 0; j < p_entry[i].en_count_types; j++) {
1929 			if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG)
1930 				this_size = sizeof (enum adt_generic);
1931 			else
1932 				this_size =
1933 				    p_entry[i].en_type_def[j].dd_input_size;
1934 
1935 			/* adj for first entry */
1936 			if (prev_size == 0)
1937 				prev_size = this_size;
1938 
1939 			if (p_entry[i].en_type_def[j].dd_datatype ==
1940 			    ADT_UINT32ARRAY) {
1941 				p_data = (char *)adt_adjust_address(p_data,
1942 				    prev_size, sizeof (uint32_t)) +
1943 				    this_size - sizeof (uint32_t);
1944 
1945 				prev_size = sizeof (uint32_t);
1946 			} else {
1947 				p_data = adt_adjust_address(p_data, prev_size,
1948 				    this_size);
1949 				prev_size = this_size;
1950 			}
1951 		}
1952 	}
1953 }
1954 
1955 /*
1956  * adt_generate_event
1957  * generate event record from external struct.  The order is based on
1958  * the output tokens, allowing for the possibility that the input data
1959  * is in a different order.
1960  *
1961  */
1962 
1963 static int
1964 adt_generate_event(const adt_event_data_t *p_extdata,
1965     struct adt_event_state *p_event,
1966     adt_translation_t *p_xlate)
1967 {
1968 	struct entry		*p_entry;
1969 	static mutex_t	lock = DEFAULTMUTEX;
1970 
1971 	p_entry = p_xlate->tx_first_entry;
1972 	assert(p_entry != NULL);
1973 
1974 	p_event->ae_internal_id = p_xlate->tx_internal_event;
1975 	adt_token_open(p_event);
1976 
1977 	/*
1978 	 * offsets are not pre-calculated; the initial offsets are all
1979 	 * 0; valid offsets are >= 0.  Offsets for no-input tokens such
1980 	 * as subject are set to -1 by adt_calcOffset()
1981 	 */
1982 	if (p_xlate->tx_offsetsCalculated == 0) {
1983 		(void) mutex_lock(&lock);
1984 		p_xlate->tx_offsetsCalculated = 1;
1985 
1986 		adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries,
1987 		    (void *)p_extdata);
1988 		(void) mutex_unlock(&lock);
1989 	}
1990 	while (p_entry != NULL) {
1991 		adt_generate_token(p_entry, (char *)p_extdata, p_event);
1992 
1993 		p_entry = p_entry->en_next_token;
1994 	}
1995 	return (adt_token_close(p_event));
1996 }
1997 
1998 /*
1999  * adt_put_event -- main event generation function.
2000  * The input "event" is the address of the struct containing
2001  * event-specific data.
2002  *
2003  * However if auditing is off or the session handle
2004  * is NULL, no attempt to write a record is made.
2005  */
2006 
2007 int
2008 adt_put_event(const adt_event_data_t *event, int status, int return_val)
2009 {
2010 	struct adt_event_state	*event_state;
2011 	adt_translation_t	*xlate;
2012 
2013 	if (event == NULL) {
2014 		errno = EINVAL;
2015 		return (-1);
2016 	}
2017 	event_state = (struct adt_event_state *)event;
2018 
2019 	/* if audit off or this is a broken session, exit */
2020 	if (auditstate == AUC_DISABLED ||
2021 	    (event_state->ae_session == NULL)) {
2022 		return (0);
2023 	}
2024 
2025 	assert(event_state->ae_check == ADT_VALID);
2026 
2027 	event_state->ae_rc = status;
2028 	event_state->ae_type = return_val;
2029 
2030 	/* look up the event */
2031 
2032 	xlate = adt_getXlateTable(event_state->ae_session->as_xlate,
2033 	    event_state->ae_event_id);
2034 
2035 	if (xlate == NULL) {
2036 		errno = EINVAL;
2037 		return (-1);
2038 	}
2039 	DPRINTF(("got event %d\n", xlate->tx_internal_event));
2040 
2041 	if (adt_selected(event_state, xlate->tx_internal_event, status)) {
2042 		return (adt_generate_event(event, event_state, xlate));
2043 	}
2044 
2045 	return (0);
2046 }
2047 
2048 /*
2049  * adt_free_event -- invalidate and free
2050  */
2051 
2052 void
2053 adt_free_event(adt_event_data_t *event)
2054 {
2055 	struct adt_event_state	*event_state;
2056 
2057 	if (event == NULL)
2058 		return;
2059 
2060 	event_state = (struct adt_event_state *)event;
2061 
2062 	assert(event_state->ae_check == ADT_VALID);
2063 
2064 	event_state->ae_check = 0;
2065 
2066 	free(event_state);
2067 }
2068 
2069 /*
2070  * adt_is_selected -- helper to adt_selected(), below.
2071  *
2072  * "sorf" is "success or fail" status; au_preselect compares
2073  * that with success, fail, or both.
2074  */
2075 
2076 static int
2077 adt_is_selected(au_event_t e, au_mask_t *m, int sorf)
2078 {
2079 	int prs_sorf;
2080 
2081 	if (sorf == 0)
2082 		prs_sorf = AU_PRS_SUCCESS;
2083 	else
2084 		prs_sorf = AU_PRS_FAILURE;
2085 
2086 	return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD));
2087 }
2088 
2089 /*
2090  * selected -- see if this event is preselected.
2091  *
2092  * if errors are encountered trying to check a preselection mask
2093  * or look up a user name, the event is selected.  Otherwise, the
2094  * preselection mask is used for the job.
2095  */
2096 
2097 static int
2098 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status)
2099 {
2100 	adt_internal_state_t *sp;
2101 	au_mask_t	namask;
2102 
2103 	sp = event->ae_session;
2104 
2105 	if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) {
2106 		adt_write_syslog("No user data available", EINVAL);
2107 		return (1);	/* default is "selected" */
2108 	}
2109 
2110 	/* non-attributable? */
2111 	if ((sp->as_info.ai_auid == AU_NOAUDITID) ||
2112 	    (sp->as_info.ai_auid == ADT_NO_AUDIT)) {
2113 		if (auditon(A_GETKMASK, (caddr_t)&namask,
2114 		    sizeof (namask)) != 0) {
2115 			adt_write_syslog("auditon failure", errno);
2116 			return (1);
2117 		}
2118 		return (adt_is_selected(actual_id, &namask, status));
2119 	} else {
2120 		return (adt_is_selected(actual_id, &(sp->as_info.ai_mask),
2121 		    status));
2122 	}
2123 }
2124 
2125 /*
2126  * Can't map the host name to an IP address in
2127  * adt_get_hostIP.  Get something off an interface
2128  * to act as the hosts IP address for auditing.
2129  */
2130 
2131 int
2132 adt_get_local_address(int family, struct ifaddrlist *al)
2133 {
2134 	struct ifaddrlist	*ifal;
2135 	char	errbuf[ERRBUFSIZE] = "empty list";
2136 	char	msg[ERRBUFSIZE + 512];
2137 	int	ifal_count;
2138 	int	i;
2139 
2140 	if ((ifal_count = ifaddrlist(&ifal, family, 0, errbuf)) <= 0) {
2141 		int serrno = errno;
2142 
2143 		(void) snprintf(msg, sizeof (msg), "adt_get_local_address "
2144 		    "couldn't get %d addrlist %s", family, errbuf);
2145 		adt_write_syslog(msg, serrno);
2146 		errno = serrno;
2147 		return (-1);
2148 	}
2149 
2150 	for (i = 0; i < ifal_count; i++) {
2151 		/*
2152 		 * loopback always defined,
2153 		 * even if there is no real address
2154 		 */
2155 		if ((ifal[i].flags & (IFF_UP | IFF_LOOPBACK)) == IFF_UP) {
2156 			break;
2157 		}
2158 	}
2159 	if (i >= ifal_count) {
2160 		free(ifal);
2161 		/*
2162 		 * Callers of adt_get_hostIP() can only return
2163 		 * errno to their callers and eventually the application.
2164 		 * Picked one that seemed least worse for saying no
2165 		 * usable address for Audit terminal ID.
2166 		 */
2167 		errno = ENETDOWN;
2168 		return (-1);
2169 	}
2170 
2171 	*al = ifal[i];
2172 	free(ifal);
2173 	return (0);
2174 }
2175