xref: /titanic_50/usr/src/lib/libbsm/common/adt.c (revision da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <bsm/adt.h>
29 #include <bsm/adt_event.h>
30 #include <assert.h>
31 #include <bsm/audit.h>
32 #include <bsm/audit_record.h>
33 #include <bsm/libbsm.h>
34 #include <door.h>
35 #include <errno.h>
36 #include <generic.h>
37 #include <md5.h>
38 #include <sys/mkdev.h>
39 #include <netdb.h>
40 #include <nss_dbdefs.h>
41 #include <pwd.h>
42 #include <sys/stat.h>
43 #include <time.h>
44 #include <stdlib.h>
45 #include <string.h>
46 #include <synch.h>
47 #include <sys/systeminfo.h>
48 #include <syslog.h>
49 #include <thread.h>
50 #include <unistd.h>
51 #include <adt_xlate.h>
52 #include <adt_ucred.h>
53 
54 static int adt_selected(struct adt_event_state *, au_event_t, int);
55 static int adt_init(adt_internal_state_t *, int);
56 static int adt_import(adt_internal_state_t *, const adt_export_data_t *);
57 static m_label_t *adt_ucred_label(ucred_t *);
58 static void adt_setto_unaudited(adt_internal_state_t *);
59 
60 #ifdef C2_DEBUG
61 #define	DPRINTF(x) {printf x; }
62 #define	DFLUSH fflush(stdout);
63 #else
64 #define	DPRINTF(x)
65 #define	DFLUSH
66 #endif
67 
68 extern int _mutex_lock(mutex_t *);
69 extern int _mutex_unlock(mutex_t *);
70 
71 static int auditstate = AUC_DISABLED;	/* default state */
72 
73 /*
74  * adt_write_syslog
75  *
76  * errors that are not the user's fault (bugs or whatever in
77  * the underlying audit code are noted in syslog.)
78  *
79  * Avoid calling adt_write_syslog for things that can happen
80  * at high volume.
81  *
82  * syslog's open (openlog) and close (closelog) are interesting;
83  * openlog *may* create a file descriptor and is optional.  closelog
84  * *will* close any open file descriptors and is also optional.
85  *
86  * Since syslog may also be used by the calling application, the
87  * choice is to avoid openlog, which sets some otherwise useful
88  * parameters, and to embed "Solaris_audit" in the log message.
89  */
90 
91 void
92 adt_write_syslog(const char *message, int err)
93 {
94 	int	save_errno;
95 	int	mask_priority;
96 
97 	save_errno = errno;
98 	errno = err;
99 
100 	DPRINTF(("syslog called: %s\n", message));
101 
102 	mask_priority = setlogmask(LOG_MASK(LOG_ALERT));
103 	syslog(LOG_ALERT, "Solaris_audit %s: %m", message, err);
104 	(void) setlogmask(mask_priority);
105 	errno = save_errno;
106 }
107 
108 /*
109  * return true if audit is enabled.  "Enabled" is any state
110  * other than AUC_DISABLED.
111  *
112  * states are
113  *		AUC_INIT_AUDIT	-- c2audit queuing enabled.
114  *		AUC_AUDITING	-- up and running
115  *		AUC_DISABLED	-- no audit subsystem loaded
116  *		AUC_UNSET	-- early boot state
117  *		AUC_NOAUDIT	-- subsystem loaded, turned off via
118  *				   auditon(A_SETCOND...)
119  *		AUC_NOSPACE	-- up and running, but log partitions are full
120  *
121  *	For purpose of this API, anything but AUC_DISABLED or
122  *	AUC_UNSET is enabled; however one never actually sees
123  *	AUC_DISABLED since auditon returns EINVAL in that case.  Any
124  *	auditon error is considered the same as EINVAL for our
125  *	purpose.  auditstate is not changed by auditon if an error
126  *	is returned.
127  */
128 
129 boolean_t
130 adt_audit_enabled(void) {
131 
132 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
133 
134 	return (auditstate != AUC_DISABLED);
135 }
136 
137 /*
138  * The man page for getpwuid_r says the buffer must be big enough
139  * or ERANGE will be returned, but offers no guidance for how big
140  * the buffer should be or a way to calculate it.  If you get
141  * ERANGE, double pwd_buff's size.
142  *
143  * This may be called even when auditing is off.
144  */
145 
146 #define	NAFLAG_LEN 512
147 
148 static int
149 adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
150 {
151 	struct passwd	pwd;
152 	char		pwd_buff[NSS_BUFSIZ];
153 	char		naflag_buf[NAFLAG_LEN];
154 
155 	if (auditstate == AUC_DISABLED) {
156 		mask->am_success = 0;
157 		mask->am_failure = 0;
158 	} else if (uid <= MAXUID) {
159 		if (getpwuid_r(uid, &pwd, pwd_buff, NSS_BUFSIZ) == NULL) {
160 			/*
161 			 * getpwuid_r returns NULL without setting
162 			 * errno if the user does not exist; only
163 			 * if the input is the wrong length does it
164 			 * set errno.
165 			 */
166 			if (errno != ERANGE)
167 				errno = EINVAL;
168 			return (-1);
169 		}
170 		if (au_user_mask(pwd.pw_name, mask)) {
171 			errno = EFAULT; /* undetermined failure */
172 			return (-1);
173 		}
174 	} else if (getacna(naflag_buf, NAFLAG_LEN - 1) == 0) {
175 		if (getauditflagsbin(naflag_buf, mask))
176 			return (-1);
177 	} else {
178 		return (-1);
179 	}
180 	return (0);
181 }
182 
183 /*
184  * adt_get_unique_id -- generate a hopefully unique 32 bit value
185  *
186  * there will be a follow up to replace this with the use of /dev/random
187  *
188  * An MD5 hash is taken on a buffer of
189  *     hostname . audit id . unix time . pid . count
190  *
191  * "count = noise++;" is subject to a race condition but I don't
192  * see a need to put a lock around it.
193  */
194 
195 static au_id_t
196 adt_get_unique_id(uid_t uid)
197 {
198 	char		hostname[MAXHOSTNAMELEN];
199 	union {
200 		au_id_t		v[4];
201 		unsigned char	obuff[128/8];
202 	} output;
203 	MD5_CTX	context;
204 
205 	static int	noise = 0;
206 
207 	int		count = noise++;
208 	time_t		timebits = time(NULL);
209 	pid_t		pidbits = getpid();
210 	au_id_t		retval = 0;
211 
212 	if (gethostname(hostname, MAXHOSTNAMELEN)) {
213 		adt_write_syslog("gethostname call failed", errno);
214 		(void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN);
215 	}
216 
217 	while (retval == 0) {  /* 0 is the only invalid result */
218 		MD5Init(&context);
219 
220 		MD5Update(&context, (unsigned char *)hostname,
221 		    (unsigned int) strlen((const char *)hostname));
222 
223 		MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t));
224 
225 		MD5Update(&context,
226 		    (unsigned char *) &timebits, sizeof (time_t));
227 
228 		MD5Update(&context, (unsigned char *) &pidbits,
229 		    sizeof (pid_t));
230 
231 		MD5Update(&context, (unsigned char *) &(count), sizeof (int));
232 		MD5Final(output.obuff, &context);
233 
234 		retval = output.v[count % 4];
235 	}
236 	return (retval);
237 }
238 
239 /*
240  * the following "port" function deals with the following issues:
241  *
242  * 1    the kernel and ucred deal with a dev_t as a 64 bit value made
243  *      up from a 32 bit major and 32 bit minor.
244  * 2    User space deals with a dev_t as either the above 64 bit value
245  *      or a 32 bit value made from a 14 bit major and an 18 bit minor.
246  * 3    The various audit interfaces (except ucred) pass the 32 or
247  *      64 bit version depending the architecture of the userspace
248  *      application.  If you get a port value from ucred and pass it
249  *      to the kernel via auditon(), it must be squeezed into a 32
250  *      bit value because the kernel knows the userspace app's bit
251  *      size.
252  *
253  * The internal state structure for adt (adt_internal_state_t) uses
254  * dev_t, so adt converts data from ucred to fit.  The import/export
255  * functions, however, can't know if they are importing/exporting
256  * from 64 or 32 bit applications, so they always send 64 bits and
257  * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as
258  * appropriate.
259  */
260 
261 /*
262  * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are
263  * both 64 bits).  If lib is 32 bits, squeeze the two-int port into
264  * a 32 bit dev_t.  A port fits in the "minor" part of au_port_t,
265  * so it isn't broken up into pieces.  (When it goes to the kernel
266  * and back, however, it will have been split into major/minor
267  * pieces.)
268  */
269 
270 static void
271 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src)
272 {
273 #ifdef _LP64
274 	(void) memcpy(dest, src, sizeof (au_tid_addr_t));
275 #else
276 	dest->at_type = src->at_type;
277 
278 	dest->at_port  = src->at_port.at_minor & MAXMIN32;
279 	dest->at_port |= (src->at_port.at_major & MAXMAJ32) <<
280 	    NBITSMINOR32;
281 
282 	(void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t));
283 #endif
284 }
285 
286 /*
287  * adt_start_session -- create interface handle, create context
288  *
289  * The imported_state input is normally NULL, if not, it represents
290  * a continued session; its values obviate the need for a subsequent
291  * call to adt_set_user().
292  *
293  * The flag is used to decide how to set the initial state of the session.
294  * If 0, the session is "no audit" until a call to adt_set_user; if
295  * ADT_USE_PROC_DATA, the session is built from the process audit
296  * characteristics obtained from the kernel.  If imported_state is
297  * not NULL, the resulting audit mask is an OR of the current process
298  * audit mask and that passed in.
299  *
300  * The basic model is that the caller can use the pointer returned
301  * by adt_start_session whether or not auditing is enabled or an
302  * error was returned.  The functions that take the session handle
303  * as input generally return without doing anything if auditing is
304  * disabled.
305  */
306 
307 int
308 adt_start_session(adt_session_data_t **new_session,
309     const adt_export_data_t *imported_state, adt_session_flags_t flags)
310 {
311 	adt_internal_state_t	*state;
312 	adt_session_flags_t	flgmask = ADT_FLAGS_ALL;
313 
314 	*new_session = NULL;	/* assume failure */
315 
316 	/* ensure that auditstate is set */
317 	(void) adt_audit_enabled();
318 
319 	if ((flags & ~flgmask) != 0) {
320 		errno = EINVAL;
321 		goto return_err;
322 	}
323 	state = calloc(1, sizeof (adt_internal_state_t));
324 
325 	if (state == NULL)
326 		goto return_err;
327 
328 	if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0)
329 		goto return_err_free;    /* errno from adt_init() */
330 
331 	/*
332 	 * The imported state overwrites the initial state if the
333 	 * imported state represents a valid audit trail
334 	 */
335 
336 	if (imported_state != NULL) {
337 		if (adt_import(state, imported_state) != 0) {
338 			goto return_err_free;
339 		}
340 	} else if (flags & ADT_USE_PROC_DATA) {
341 		state->as_session_model = ADT_PROCESS_MODEL;
342 	}
343 	state->as_flags = flags;
344 	DPRINTF(("(%d) Starting session id = %08X\n",
345 	    getpid(), state->as_info.ai_asid));
346 
347 	if (state->as_audit_enabled) {
348 		*new_session = (adt_session_data_t *)state;
349 	} else {
350 		free(state);
351 	}
352 
353 	return (0);
354 return_err_free:
355 	free(state);
356 return_err:
357 	adt_write_syslog("audit session create failed", errno);
358 	return (-1);
359 }
360 
361 /*
362  * adt_get_asid() and adt_set_asid()
363  *
364  * if you use this interface, you are responsible to insure that the
365  * rest of the session data is populated correctly before calling
366  * adt_proccess_attr()
367  *
368  * neither of these are intended for general use and will likely
369  * remain private interfaces for a long time.  Forever is a long
370  * time.  In the case of adt_set_asid(), you should have a very,
371  * very good reason for setting your own session id.  The process
372  * audit characteristics are not changed by put, use adt_set_proc().
373  *
374  * These are "volatile" (more changable than "evolving") and will
375  * probably change in the S10 period.
376  */
377 
378 void
379 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid)
380 {
381 
382 	if (session_data == NULL) {
383 		*asid = 0;
384 	} else {
385 		assert(((adt_internal_state_t *)session_data)->as_check ==
386 		    ADT_VALID);
387 
388 		*asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid;
389 	}
390 }
391 
392 void
393 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id)
394 {
395 
396 	if (session_data != NULL) {
397 		assert(((adt_internal_state_t *)session_data)->as_check ==
398 		    ADT_VALID);
399 
400 		((adt_internal_state_t *)session_data)->as_have_user_data |=
401 		    ADT_HAVE_ASID;
402 		((adt_internal_state_t *)session_data)->as_info.ai_asid =
403 		    session_id;
404 	}
405 }
406 
407 /*
408  * adt_get_auid() and adt_set_auid()
409  *
410  * neither of these are intended for general use and will likely
411  * remain private interfaces for a long time.  Forever is a long
412  * time.  In the case of adt_set_auid(), you should have a very,
413  * very good reason for setting your own audit id.  The process
414  * audit characteristics are not changed by put, use adt_set_proc().
415  */
416 
417 void
418 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid)
419 {
420 
421 	if (session_data == NULL) {
422 		*auid = AU_NOAUDITID;
423 	} else {
424 		assert(((adt_internal_state_t *)session_data)->as_check ==
425 		    ADT_VALID);
426 
427 		*auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid;
428 	}
429 }
430 
431 void
432 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id)
433 {
434 
435 	if (session_data != NULL) {
436 		assert(((adt_internal_state_t *)session_data)->as_check ==
437 		    ADT_VALID);
438 
439 		((adt_internal_state_t *)session_data)->as_have_user_data |=
440 		    ADT_HAVE_AUID;
441 		((adt_internal_state_t *)session_data)->as_info.ai_auid =
442 		    audit_id;
443 	}
444 }
445 
446 /*
447  * adt_get_termid(), adt_set_termid()
448  *
449  * if you use this interface, you are responsible to insure that the
450  * rest of the session data is populated correctly before calling
451  * adt_proccess_attr()
452  *
453  * The process  audit characteristics are not changed by put, use
454  * adt_set_proc().
455  */
456 
457 void
458 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid)
459 {
460 
461 	if (session_data == NULL) {
462 		(void) memset(termid, 0, sizeof (au_tid_addr_t));
463 		termid->at_type = AU_IPv4;
464 	} else {
465 		assert(((adt_internal_state_t *)session_data)->as_check ==
466 		    ADT_VALID);
467 
468 		*termid =
469 		    ((adt_internal_state_t *)session_data)->as_info.ai_termid;
470 	}
471 }
472 
473 void
474 adt_set_termid(const adt_session_data_t *session_data,
475     const au_tid_addr_t *termid)
476 {
477 
478 	if (session_data != NULL) {
479 		assert(((adt_internal_state_t *)session_data)->as_check ==
480 		    ADT_VALID);
481 
482 		((adt_internal_state_t *)session_data)->as_info.ai_termid =
483 			*termid;
484 
485 		((adt_internal_state_t *)session_data)->as_have_user_data |=
486 			ADT_HAVE_TID;
487 	}
488 }
489 
490 /*
491  * adt_get_mask(), adt_set_mask()
492  *
493  * if you use this interface, you are responsible to insure that the
494  * rest of the session data is populated correctly before calling
495  * adt_proccess_attr()
496  *
497  * The process  audit characteristics are not changed by put, use
498  * adt_set_proc().
499  */
500 
501 void
502 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask)
503 {
504 
505 	if (session_data == NULL) {
506 		mask->am_success = 0;
507 		mask->am_failure = 0;
508 	} else {
509 		assert(((adt_internal_state_t *)session_data)->as_check ==
510 		    ADT_VALID);
511 
512 		*mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask;
513 	}
514 }
515 
516 void
517 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask)
518 {
519 
520 	if (session_data != NULL) {
521 		assert(((adt_internal_state_t *)session_data)->as_check ==
522 		    ADT_VALID);
523 
524 		((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask;
525 
526 		((adt_internal_state_t *)session_data)->as_have_user_data |=
527 		    ADT_HAVE_MASK;
528 	}
529 }
530 
531 /*
532  * helpers for adt_load_termid
533  */
534 
535 static void
536 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock,
537     au_tid_addr_t *termid)
538 {
539 
540 	termid->at_port = ((peer->sin6_port<<16) | (sock->sin6_port));
541 	termid->at_type = AU_IPv6;
542 	(void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t));
543 }
544 
545 static void
546 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock,
547     au_tid_addr_t *termid)
548 {
549 
550 	termid->at_port = ((peer->sin_port<<16) | (sock->sin_port));
551 
552 	termid->at_type = AU_IPv4;
553 	termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr;
554 	(void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t));
555 }
556 
557 /*
558  * adt_load_termid:  convenience function; inputs file handle and
559  * outputs an au_tid_addr struct.
560  *
561  * This code was stolen from audit_settid.c; it differs from audit_settid()
562  * in that it does not write the terminal id to the process.
563  */
564 
565 int
566 adt_load_termid(int fd, adt_termid_t **termid)
567 {
568 	au_tid_addr_t		*p_term;
569 	struct sockaddr_in6	peer;
570 	struct sockaddr_in6	sock;
571 	int			peerlen = sizeof (peer);
572 	int			socklen = sizeof (sock);
573 
574 	*termid = NULL;
575 
576 	/* get peer name if its a socket, else assume local terminal */
577 
578 	if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen)
579 	    < 0) {
580 		if (errno == ENOTSOCK)
581 			return (adt_load_hostname(NULL, termid));
582 		goto return_err;
583 	}
584 
585 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
586 		goto return_err;
587 
588 	/* get sock name */
589 	if (getsockname(fd, (struct sockaddr *)&sock,
590 	    (socklen_t *)&socklen) < 0)
591 		goto return_err_free;
592 
593 	if (peer.sin6_family == AF_INET6) {
594 		adt_do_ipv6_address(&peer, &sock, p_term);
595 	} else {
596 		adt_do_ipv4_address((struct sockaddr_in *)&peer,
597 		    (struct sockaddr_in *)&sock, p_term);
598 	}
599 	*termid = (adt_termid_t *)p_term;
600 
601 	return (0);
602 
603 return_err_free:
604 	free(p_term);
605 return_err:
606 	return (-1);
607 }
608 
609 static boolean_t
610 adt_have_termid(au_tid_addr_t *dest)
611 {
612 	struct auditinfo_addr	audit_data;
613 
614 	if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) {
615 		adt_write_syslog("getaudit failed", errno);
616 		return (B_FALSE);
617 	}
618 
619 	if ((audit_data.ai_termid.at_type == 0) ||
620 	    (audit_data.ai_termid.at_addr[0] |
621 	    audit_data.ai_termid.at_addr[1]  |
622 	    audit_data.ai_termid.at_addr[2]  |
623 	    audit_data.ai_termid.at_addr[3]) == 0)
624 		return (B_FALSE);
625 
626 	(void) memcpy(dest, &(audit_data.ai_termid),
627 	    sizeof (au_tid_addr_t));
628 
629 	return (B_TRUE);
630 }
631 
632 static int
633 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term)
634 {
635 	struct addrinfo	*ai;
636 	void		*p;
637 
638 	if (getaddrinfo(hostname, NULL, NULL, &ai) != 0)
639 		return (-1);
640 
641 	switch (ai->ai_family) {
642 		case AF_INET:
643 			/* LINTED */
644 			p = &((struct sockaddr_in *)ai->ai_addr)->sin_addr;
645 			(void) memcpy(p_term->at_addr, p,
646 			    sizeof (((struct sockaddr_in *)NULL)->sin_addr));
647 			p_term->at_type = AU_IPv4;
648 			break;
649 		case AF_INET6:
650 			/* LINTED */
651 			p = &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
652 			(void) memcpy(p_term->at_addr, p,
653 			    sizeof (((struct sockaddr_in6 *)NULL)->sin6_addr));
654 			p_term->at_type = AU_IPv6;
655 			break;
656 		default:
657 			return (-1);
658 	}
659 
660 	freeaddrinfo(ai);
661 
662 	return (0);
663 }
664 
665 /*
666  * adt_load_hostname() is called when the caller does not have a file
667  * handle that gives access to the socket info or any other way to
668  * pass in both port and ip address.  The hostname input is ignored if
669  * the terminal id has already been set; instead it returns the
670  * existing terminal id.
671  *
672  * If audit is off and the hostname lookup fails, no error is
673  * returned, since an error may be interpreted by the caller
674  * as grounds for denying a login.  Otherwise the caller would
675  * need to be aware of the audit state.
676  */
677 
678 int
679 adt_load_hostname(const char *hostname, adt_termid_t **termid)
680 {
681 	char		localhost[ADT_STRING_MAX + 1];
682 	au_tid_addr_t	*p_term;
683 
684 	*termid = NULL;
685 
686 	if (!adt_audit_enabled())
687 		return (0);
688 
689 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
690 		goto return_err;
691 
692 	if (adt_have_termid(p_term)) {
693 		*termid = (adt_termid_t *)p_term;
694 		return (0);
695 	}
696 	p_term->at_port = 0;
697 
698 	if (hostname == NULL || *hostname == '\0') {
699 		(void) sysinfo(SI_HOSTNAME, localhost, ADT_STRING_MAX);
700 		hostname = localhost;
701 	}
702 	if (adt_get_hostIP(hostname, p_term))
703 		goto return_err_free;
704 
705 	*termid = (adt_termid_t *)p_term;
706 	return (0);
707 
708 return_err_free:
709 	free(p_term);
710 
711 return_err:
712 	if ((auditstate == AUC_DISABLED) ||
713 	    (auditstate == AUC_NOAUDIT))
714 		return (0);
715 
716 	return (-1);
717 }
718 
719 /*
720  * adt_load_ttyname() is called when the caller does not have a file
721  * handle that gives access to the local terminal or any other way
722  * of determining the device id.  The ttyname input is ignored if
723  * the terminal id has already been set; instead it returns the
724  * existing terminal id.
725  *
726  * If audit is off and the ttyname lookup fails, no error is
727  * returned, since an error may be interpreted by the caller
728  * as grounds for denying a login.  Otherwise the caller would
729  * need to be aware of the audit state.
730  */
731 
732 int
733 adt_load_ttyname(const char *ttyname, adt_termid_t **termid)
734 {
735 	char		localhost[ADT_STRING_MAX + 1];
736 	au_tid_addr_t	*p_term;
737 	struct stat	stat_buf;
738 
739 	*termid = NULL;
740 
741 	if (!adt_audit_enabled())
742 		return (0);
743 
744 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
745 		goto return_err;
746 
747 	if (adt_have_termid(p_term)) {
748 		*termid = (adt_termid_t *)p_term;
749 		return (0);
750 	}
751 
752 	p_term->at_port = 0;
753 
754 	if (sysinfo(SI_HOSTNAME, localhost, ADT_STRING_MAX) < 0)
755 		goto return_err_free; /* errno from sysinfo */
756 
757 	if (ttyname != NULL) {
758 		if (stat(ttyname, &stat_buf) < 0)
759 			goto return_err_free;
760 
761 		p_term->at_port = stat_buf.st_rdev;
762 	}
763 
764 	if (adt_get_hostIP(localhost, p_term))
765 		goto return_err_free;
766 
767 	*termid = (adt_termid_t *)p_term;
768 	return (0);
769 
770 return_err_free:
771 	free(p_term);
772 
773 return_err:
774 	if ((auditstate == AUC_DISABLED) ||
775 	    (auditstate == AUC_NOAUDIT))
776 		return (0);
777 
778 	return (-1);
779 }
780 
781 /*
782  * adt_get_session_id returns a stringified representation of
783  * the audit session id.  See also adt_get_asid() for how to
784  * get the unexpurgated version.  No guarantees as to how long
785  * the returned string will be or its general form; hex for now.
786  *
787  * An empty string is returned if auditing is off; length = 1
788  * and the pointer is valid.
789  *
790  * returns strlen + 1 if buffer is valid; else 0 and errno.
791  */
792 
793 size_t
794 adt_get_session_id(const adt_session_data_t *session_data, char **buff)
795 {
796 	au_asid_t	session_id;
797 	size_t		length;
798 	/*
799 	 * output is 0x followed by
800 	 * two characters per byte
801 	 * plus terminator,
802 	 * except leading 0's are suppressed, so a few bytes may
803 	 * be unused.
804 	 */
805 	length = 2 + (2 * sizeof (session_id)) + 1;
806 	*buff = malloc(length);
807 
808 	if (*buff == NULL) {
809 		return (0);
810 	}
811 	if (session_data == NULL) { /* NULL is not an error */
812 		**buff = '\0';
813 		return (1);
814 	}
815 	adt_get_asid(session_data, &session_id);
816 
817 	length = snprintf(*buff, length, "0x%X", (int)session_id);
818 
819 	/* length < 1 is a bug: the session data type may have changed */
820 	assert(length > 0);
821 
822 	return (length);
823 }
824 
825 /*
826  * adt_end_session -- close handle, clear context
827  *
828  * if as_check is invalid, no harm, no foul, EXCEPT that this could
829  * be an attempt to free data already free'd, so output to syslog
830  * to help explain why the process cored dumped.
831  */
832 
833 int
834 adt_end_session(adt_session_data_t *session_data)
835 {
836 	adt_internal_state_t	*state;
837 
838 	if (session_data != NULL) {
839 		state = (adt_internal_state_t *)session_data;
840 		if (state->as_check != ADT_VALID) {
841 			adt_write_syslog("freeing invalid data", EINVAL);
842 		} else {
843 			state->as_check = 0;
844 			m_label_free(state->as_label);
845 			free(session_data);
846 		}
847 	}
848 	/* no errors yet defined */
849 	return (0);
850 }
851 
852 /*
853  * adt_dup_session -- copy the session data
854  */
855 
856 int
857 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest)
858 {
859 	adt_internal_state_t	*source_state;
860 	adt_internal_state_t	*dest_state = NULL;
861 	int			rc = 0;
862 
863 	if (source != NULL) {
864 		source_state = (adt_internal_state_t *)source;
865 		assert(source_state->as_check == ADT_VALID);
866 
867 		dest_state = malloc(sizeof (adt_internal_state_t));
868 		if (dest_state == NULL) {
869 			rc = -1;
870 			goto return_rc;
871 		}
872 		(void) memcpy(dest_state, source,
873 		    sizeof (struct adt_internal_state));
874 
875 		if (source_state->as_label != NULL) {
876 			dest_state->as_label = NULL;
877 			if ((rc = m_label_dup(&dest_state->as_label,
878 			    source_state->as_label)) != 0) {
879 				free(dest_state);
880 				dest_state = NULL;
881 			}
882 		}
883 	}
884 return_rc:
885 	*dest = (adt_session_data_t *)dest_state;
886 	return (rc);
887 }
888 
889 /*
890  * from_export_format()
891  * read from a network order buffer into struct adt_session_data
892  */
893 
894 static size_t
895 adt_from_export_format(adt_internal_state_t *internal,
896     const adt_export_data_t *external)
897 {
898 	struct export_header	head;
899 	struct export_link	link;
900 	adr_t			context;
901 	int32_t 		offset;
902 	int32_t 		length;
903 	int32_t 		version;
904 	size_t			label_len;
905 	char			*p = (char *)external;
906 
907 	adrm_start(&context, (char *)external);
908 	adrm_int32(&context, (int *)&head, 4);
909 
910 	if ((internal->as_check = head.ax_check) != ADT_VALID) {
911 		errno = EINVAL;
912 		return (0);
913 	}
914 	offset = head.ax_link.ax_offset;
915 	version = head.ax_link.ax_version;
916 	length = head.ax_buffer_length;
917 
918 	/*
919 	 * Skip newer versions.
920 	 */
921 	while (version > PROTOCOL_VERSION_2) {
922 		if (offset < 1) {
923 			return (0);	/* failed to match version */
924 		}
925 		p += offset;		/* point to next version # */
926 
927 		if (p > (char *)external + length) {
928 			return (0);
929 		}
930 		adrm_start(&context, p);
931 		adrm_int32(&context, (int *)&link, 2);
932 		offset = link.ax_offset;
933 		version = link.ax_version;
934 		assert(version != 0);
935 	}
936 	/*
937 	 * Adjust buffer pointer to the first data item (euid).
938 	 */
939 	if (p == (char *)external) {
940 		adrm_start(&context, (char *)(p + sizeof (head)));
941 	} else {
942 		adrm_start(&context, (char *)(p + sizeof (link)));
943 	}
944 	/*
945 	 * if down rev version, neither pid nor label are included
946 	 * in v1 ax_size_of_tsol_data intentionally ignored
947 	 */
948 	if (version == PROTOCOL_VERSION_1) {
949 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
950 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
951 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
952 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
953 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
954 		adrm_int32(&context,
955 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
956 		adrm_int32(&context,
957 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
958 		adrm_int32(&context,
959 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
960 		adrm_int32(&context,
961 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
962 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
963 		adrm_int32(&context, (int *)&(internal->as_audit_enabled), 1);
964 		internal->as_pid = (pid_t)-1;
965 		internal->as_label = NULL;
966 	} else if (version == PROTOCOL_VERSION_2) {
967 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
968 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
969 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
970 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
971 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
972 		adrm_int32(&context,
973 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
974 		adrm_int32(&context,
975 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
976 		adrm_int32(&context,
977 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
978 		adrm_int32(&context,
979 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
980 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
981 		adrm_int32(&context, (int *)&(internal->as_audit_enabled), 1);
982 		adrm_int32(&context, (int *)&(internal->as_pid), 1);
983 		adrm_int32(&context, (int *)&label_len, 1);
984 		if (label_len > 0) {
985 			/* read in and deal with different sized labels. */
986 			size_t	my_label_len = blabel_size();
987 
988 			if ((internal->as_label =
989 			    m_label_alloc(MAC_LABEL)) == NULL) {
990 				return (0);
991 			}
992 			if (label_len > my_label_len) {
993 				errno = EINVAL;
994 				m_label_free(internal->as_label);
995 				return (0);
996 			}
997 			(void) memset(internal->as_label, 0, my_label_len);
998 			adrm_int32(&context, (int *)(internal->as_label),
999 			    label_len / sizeof (int32_t));
1000 		} else {
1001 			internal->as_label = NULL;
1002 		}
1003 	}
1004 
1005 	return (length);
1006 }
1007 
1008 /*
1009  * adt_to_export_format
1010  * read from struct adt_session_data into a network order buffer.
1011  *
1012  * (network order 'cause this data may be shared with a remote host.)
1013  */
1014 
1015 static size_t
1016 adt_to_export_format(adt_export_data_t *external,
1017     adt_internal_state_t *internal)
1018 {
1019 	struct export_header	head;
1020 	struct export_link	tail;
1021 	adr_t			context;
1022 	size_t			label_len = 0;
1023 
1024 	adrm_start(&context, (char *)external);
1025 
1026 	if (internal->as_label != NULL) {
1027 		label_len = blabel_size();
1028 	}
1029 
1030 	head.ax_check = ADT_VALID;
1031 	head.ax_buffer_length = sizeof (struct adt_export_data) + label_len;
1032 
1033 	/* version 2 first */
1034 
1035 	head.ax_link.ax_version = PROTOCOL_VERSION_2;
1036 	head.ax_link.ax_offset = sizeof (struct export_header) +
1037 	    sizeof (struct adt_export_v2) + label_len;
1038 
1039 	adrm_putint32(&context, (int *)&head, 4);
1040 
1041 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1042 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1043 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1044 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1045 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1046 	adrm_putint32(&context,
1047 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1048 	adrm_putint32(&context,
1049 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1050 	adrm_putint32(&context,
1051 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1052 	adrm_putint32(&context,
1053 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1054 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1055 	adrm_putint32(&context, (int *)&(internal->as_audit_enabled), 1);
1056 	adrm_putint32(&context, (int *)&(internal->as_pid), 1);
1057 	adrm_putint32(&context, (int *)&label_len, 1);
1058 	if (internal->as_label != NULL) {
1059 		/* serialize the label */
1060 		adrm_putint32(&context, (int *)(internal->as_label),
1061 		    (label_len / sizeof (int32_t)));
1062 	}
1063 
1064 	/* now version 1 */
1065 
1066 	tail.ax_version = PROTOCOL_VERSION_1;
1067 	tail.ax_offset = 0;
1068 
1069 	adrm_putint32(&context, (int *)&tail, 2);
1070 
1071 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1072 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1073 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1074 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1075 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1076 	adrm_putint32(&context,
1077 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1078 	adrm_putint32(&context,
1079 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1080 	adrm_putint32(&context,
1081 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1082 	adrm_putint32(&context,
1083 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1084 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1085 	adrm_putint32(&context, (int *)&(internal->as_audit_enabled), 1);
1086 	/* ignored in v1 */
1087 	adrm_putint32(&context, (int *)&label_len, 1);
1088 
1089 	/* finally terminator */
1090 
1091 	tail.ax_version = 0; /* invalid version number */
1092 	tail.ax_offset = 0;
1093 
1094 	adrm_putint32(&context, (int *)&tail, 2);
1095 
1096 	return (head.ax_buffer_length);
1097 }
1098 
1099 
1100 /*
1101  * adt_import_proc() is used by a server acting on behalf
1102  * of a client which has connected via an ipc mechanism such as
1103  * a door.
1104  *
1105  * Since the interface is via ucred, the info.ap_termid.port
1106  * value is always the 64 bit version.  What is stored depends
1107  * on how libbsm is compiled.
1108  */
1109 
1110 size_t
1111 adt_import_proc(pid_t pid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1112     adt_export_data_t **external)
1113 {
1114 	size_t			length = 0;
1115 	adt_internal_state_t	*state;
1116 	ucred_t			*ucred;
1117 	const au_tid64_addr_t	*tid;
1118 
1119 	state = calloc(1, sizeof (adt_internal_state_t));
1120 
1121 	if (state == NULL)
1122 		return (0);
1123 
1124 	if (adt_init(state, 0) != 0)
1125 		goto return_length_free;    /* errno from adt_init() */
1126 
1127 	/*
1128 	 * ucred_getauid() returns AU_NOAUDITID if audit is off, which
1129 	 * is the right answer for adt_import_proc().
1130 	 *
1131 	 * Create a local context as near as possible.
1132 	 */
1133 
1134 	ucred = ucred_get(pid);
1135 
1136 	if (ucred == NULL)
1137 		goto return_length_free;
1138 
1139 	state->as_ruid = ruid != ADT_NO_CHANGE ? ruid : ucred_getruid(ucred);
1140 	state->as_euid = euid != ADT_NO_CHANGE ? euid : ucred_geteuid(ucred);
1141 	state->as_rgid = rgid != ADT_NO_CHANGE ? rgid : ucred_getrgid(ucred);
1142 	state->as_egid = egid != ADT_NO_CHANGE ? egid : ucred_getegid(ucred);
1143 
1144 	state->as_info.ai_auid = ucred_getauid(ucred);
1145 
1146 	if (state->as_info.ai_auid == AU_NOAUDITID) {
1147 		state->as_info.ai_asid = adt_get_unique_id(ruid);
1148 
1149 		if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1150 			goto return_all_free;
1151 	} else {
1152 		const au_mask_t *mask = ucred_getamask(ucred);
1153 
1154 		if (mask != NULL)
1155 			state->as_info.ai_mask = *mask;
1156 		else
1157 			goto return_all_free;
1158 
1159 		state->as_info.ai_asid = ucred_getasid(ucred);
1160 	}
1161 
1162 	tid = ucred_getatid(ucred);
1163 
1164 	if (tid != NULL) {
1165 		adt_cpy_tid(&(state->as_info.ai_termid), tid);
1166 	} else {
1167 		(void) memset((void *)&(state->as_info.ai_termid), 0,
1168 		    sizeof (au_tid_addr_t));
1169 		state->as_info.ai_termid.at_type = AU_IPv4;
1170 	}
1171 
1172 	DPRINTF(("import_proc/asid = %X %u\n", state->as_info.ai_asid,
1173 	    state->as_info.ai_asid));
1174 
1175 	DPRINTF(("import_proc/masks = %X %X\n",
1176 	    state->as_info.ai_mask.am_success,
1177 	    state->as_info.ai_mask.am_failure));
1178 
1179 	if (state->as_label == NULL) {
1180 		*external = malloc(sizeof (adt_export_data_t));
1181 	} else {
1182 		*external = malloc(sizeof (adt_export_data_t) + blabel_size());
1183 	}
1184 
1185 	if (*external == NULL)
1186 		goto return_all_free;
1187 
1188 	length = adt_to_export_format(*external, state);
1189 	/*
1190 	 * yes, state is supposed to be free'd for both pass and fail
1191 	 */
1192 return_all_free:
1193 	ucred_free(ucred);
1194 return_length_free:
1195 	free(state);
1196 	return (length);
1197 }
1198 
1199 /*
1200  * adt_ucred_label() -- if label is available, duplicate it.
1201  */
1202 
1203 static m_label_t *
1204 adt_ucred_label(ucred_t *uc)
1205 {
1206 	m_label_t	*ul = NULL;
1207 
1208 	if (ucred_getlabel(uc) != NULL) {
1209 		(void) m_label_dup(&ul, ucred_getlabel(uc));
1210 	}
1211 
1212 	return (ul);
1213 }
1214 
1215 /*
1216  * adt_import() -- convert from network order to machine-specific order
1217  */
1218 
1219 static int
1220 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external)
1221 {
1222 	au_mask_t mask;
1223 
1224 	/* save local audit enabled state */
1225 	int	local_audit_enabled = internal->as_audit_enabled;
1226 
1227 	if (adt_from_export_format(internal, external) < 1)
1228 		return (-1); /* errno from adt_from_export_format */
1229 
1230 	/*
1231 	 * If audit isn't enabled on the remote, they were unable
1232 	 * to generate the audit mask, so generate it based on
1233 	 * local configuration.  If the user id has changed, the
1234 	 * resulting mask may miss some subtleties that occurred
1235 	 * on the remote system.
1236 	 *
1237 	 * If the remote failed to generate a terminal id, it is not
1238 	 * recoverable.
1239 	 */
1240 
1241 	if (!internal->as_audit_enabled) {
1242 		if (adt_get_mask_from_user(internal->as_info.ai_auid,
1243 		    &(internal->as_info.ai_mask)))
1244 			return (-1);
1245 		if (internal->as_info.ai_auid != internal->as_ruid) {
1246 			if (adt_get_mask_from_user(internal->as_info.ai_auid,
1247 			    &mask))
1248 				return (-1);
1249 			internal->as_info.ai_mask.am_success |=
1250 			    mask.am_success;
1251 			internal->as_info.ai_mask.am_failure |=
1252 			    mask.am_failure;
1253 		}
1254 	}
1255 	internal->as_audit_enabled = local_audit_enabled;
1256 
1257 	DPRINTF(("(%d)imported asid = %X %u\n", getpid(),
1258 	    internal->as_info.ai_asid,
1259 	    internal->as_info.ai_asid));
1260 
1261 	internal->as_have_user_data = ADT_HAVE_ALL;
1262 
1263 	return (0);
1264 }
1265 
1266 /*
1267  * adt_export_session_data()
1268  * copies a adt_session_data struct into a network order buffer
1269  *
1270  * In a misconfigured network, the local host may have auditing
1271  * off while the destination may have auditing on, so if there
1272  * is sufficient memory, a buffer will be returned even in the
1273  * audit off case.
1274  */
1275 
1276 size_t
1277 adt_export_session_data(const adt_session_data_t *internal,
1278     adt_export_data_t **external)
1279 {
1280 	size_t			length = 0;
1281 
1282 	if ((internal != NULL) &&
1283 	    ((adt_internal_state_t *)internal)->as_label != NULL) {
1284 		length = blabel_size();
1285 	}
1286 
1287 	*external = malloc(sizeof (adt_export_data_t) + length);
1288 
1289 	if (*external == NULL)
1290 		return (0);
1291 
1292 	if (internal == NULL) {
1293 		adt_internal_state_t	*dummy;
1294 
1295 		dummy = malloc(sizeof (adt_internal_state_t));
1296 		if (dummy == NULL)
1297 			goto return_length_free;
1298 
1299 		if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */
1300 			free(dummy);
1301 			goto return_length_free;
1302 		}
1303 		length = adt_to_export_format(*external, dummy);
1304 		free(dummy);
1305 	} else {
1306 		length = adt_to_export_format(*external,
1307 		    (adt_internal_state_t *)internal);
1308 	}
1309 	return (length);
1310 
1311 return_length_free:
1312 	free(*external);
1313 	*external = NULL;
1314 	return (0);
1315 }
1316 
1317 static void
1318 adt_setto_unaudited(adt_internal_state_t *state)
1319 {
1320 	state->as_ruid = AU_NOAUDITID;
1321 	state->as_euid = AU_NOAUDITID;
1322 	state->as_rgid = AU_NOAUDITID;
1323 	state->as_egid = AU_NOAUDITID;
1324 	state->as_pid = (pid_t)-1;
1325 	state->as_label = NULL;
1326 
1327 	if (state->as_audit_enabled) {
1328 		state->as_info.ai_asid = 0;
1329 		state->as_info.ai_auid = AU_NOAUDITID;
1330 
1331 		(void) memset((void *)&(state->as_info.ai_termid), 0,
1332 		    sizeof (au_tid_addr_t));
1333 		state->as_info.ai_termid.at_type = AU_IPv4;
1334 
1335 		(void) memset((void *)&(state->as_info.ai_mask), 0,
1336 		    sizeof (au_mask_t));
1337 		state->as_have_user_data = 0;
1338 	}
1339 }
1340 
1341 /*
1342  * adt_init -- set session context by copying the audit characteristics
1343  * from the proc and picking up current uid/tid information.
1344  *
1345  * By default, an audit session is based on the process; the default
1346  * is overriden by adt_set_user()
1347  */
1348 
1349 static int
1350 adt_init(adt_internal_state_t *state, int use_proc_data)
1351 {
1352 
1353 	state->as_audit_enabled = (auditstate == AUC_DISABLED) ? 0 : 1;
1354 
1355 	if (use_proc_data) {
1356 		state->as_ruid = getuid();
1357 		state->as_euid = geteuid();
1358 		state->as_rgid = getgid();
1359 		state->as_egid = getegid();
1360 		state->as_pid = getpid();
1361 
1362 		if (state->as_audit_enabled) {
1363 			const au_tid64_addr_t	*tid;
1364 			const au_mask_t		*mask;
1365 			ucred_t			*ucred = ucred_get(P_MYID);
1366 
1367 			/*
1368 			 * Even if the ucred is NULL, the underlying
1369 			 * credential may have a valid terminal id; if the
1370 			 * terminal id is set, then that's good enough.  An
1371 			 * example of where this matters is failed login,
1372 			 * where rlogin/telnet sets the terminal id before
1373 			 * calling login; login does not load the credential
1374 			 * since auth failed.
1375 			 */
1376 			if (ucred == NULL) {
1377 				if (!adt_have_termid(
1378 				    &(state->as_info.ai_termid)))
1379 					return (-1);
1380 			} else {
1381 				mask = ucred_getamask(ucred);
1382 				if (mask != NULL) {
1383 					state->as_info.ai_mask = *mask;
1384 				} else {
1385 					ucred_free(ucred);
1386 					return (-1);
1387 				}
1388 				tid = ucred_getatid(ucred);
1389 				if (tid != NULL) {
1390 					adt_cpy_tid(&(state->as_info.ai_termid),
1391 					    tid);
1392 				} else {
1393 					ucred_free(ucred);
1394 					return (-1);
1395 				}
1396 				state->as_info.ai_asid = ucred_getasid(ucred);
1397 				state->as_info.ai_auid = ucred_getauid(ucred);
1398 				state->as_label = adt_ucred_label(ucred);
1399 				ucred_free(ucred);
1400 			}
1401 			state->as_have_user_data = ADT_HAVE_ALL;
1402 		}
1403 	} else {
1404 		adt_setto_unaudited(state);
1405 	}
1406 	state->as_session_model = ADT_SESSION_MODEL;	/* default */
1407 
1408 	if (state->as_audit_enabled &&
1409 	    auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy),
1410 	    sizeof (state->as_kernel_audit_policy))) {
1411 		return (-1);  /* errno set by auditon */
1412 	}
1413 	state->as_check = ADT_VALID;
1414 	return (0);
1415 }
1416 
1417 /*
1418  * adt_set_proc
1419  *
1420  * Copy the current session state to the process.  If this function
1421  * is called, the model becomes a process model rather than a
1422  * session model.
1423  *
1424  * In the current implementation, the value state->as_have_user_data
1425  * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}.  These are all set
1426  * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in.
1427  *
1428  */
1429 
1430 int
1431 adt_set_proc(const adt_session_data_t *session_data)
1432 {
1433 	int			rc;
1434 	adt_internal_state_t	*state;
1435 
1436 	if (auditstate == AUC_DISABLED || (session_data == NULL))
1437 		return (0);
1438 
1439 	state = (adt_internal_state_t *)session_data;
1440 
1441 	assert(state->as_check == ADT_VALID);
1442 
1443 	if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) !=
1444 	    (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) {
1445 		errno = EINVAL;
1446 		goto return_err;
1447 	}
1448 
1449 	rc = setaudit_addr((auditinfo_addr_t *)&(state->as_info),
1450 	    sizeof (auditinfo_addr_t));
1451 
1452 	if (rc < 0)
1453 		goto return_err;	/* errno set by setaudit_addr() */
1454 
1455 	state->as_session_model = ADT_PROCESS_MODEL;
1456 
1457 	return (0);
1458 
1459 return_err:
1460 	adt_write_syslog("failed to set process audit characteristics", errno);
1461 	return (-1);
1462 }
1463 
1464 static int
1465 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid)
1466 {
1467 	au_tid_addr_t	no_tid = {0, AU_IPv4, 0, 0, 0, 0};
1468 	au_mask_t	no_mask = {0, 0};
1469 
1470 	if (ruid == ADT_NO_AUDIT) {
1471 		state->as_info.ai_auid = AU_NOAUDITID;
1472 		state->as_info.ai_asid = 0;
1473 		state->as_info.ai_termid = no_tid;
1474 		state->as_info.ai_mask = no_mask;
1475 		return (0);
1476 	}
1477 	state->as_info.ai_auid = ruid;
1478 	state->as_info.ai_asid = adt_get_unique_id(ruid);
1479 	if (termid != NULL)
1480 		state->as_info.ai_termid = *termid;
1481 
1482 	if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1483 		return (-1);
1484 
1485 	/* Assume intending to audit as this process */
1486 
1487 	if (state->as_pid == (pid_t)-1)
1488 		state->as_pid = getpid();
1489 
1490 	if (is_system_labeled() && state->as_label == NULL) {
1491 		ucred_t	*ucred = ucred_get(P_MYID);
1492 
1493 		state->as_label = adt_ucred_label(ucred);
1494 		ucred_free(ucred);
1495 	}
1496 
1497 	return (0);
1498 }
1499 
1500 static int
1501 adt_changeuser(adt_internal_state_t *state, uid_t ruid)
1502 {
1503 	au_mask_t		mask;
1504 
1505 	if (!(state->as_have_user_data & ADT_HAVE_AUID))
1506 		state->as_info.ai_auid = ruid;
1507 	if (!(state->as_have_user_data & ADT_HAVE_ASID))
1508 		state->as_info.ai_asid = adt_get_unique_id(ruid);
1509 
1510 	if (ruid <= MAXEPHUID) {
1511 		if (adt_get_mask_from_user(ruid, &mask))
1512 			return (-1);
1513 
1514 		state->as_info.ai_mask.am_success |= mask.am_success;
1515 		state->as_info.ai_mask.am_failure |= mask.am_failure;
1516 	}
1517 	DPRINTF(("changed mask to %08X/%08X for ruid=%d\n",
1518 		state->as_info.ai_mask.am_success,
1519 		state->as_info.ai_mask.am_failure,
1520 		ruid));
1521 	return (0);
1522 }
1523 
1524 /*
1525  * adt_set_user -- see also adt_set_from_ucred()
1526  *
1527  * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or
1528  * "unattributed."  If ruid, change the model to session.
1529  *
1530  * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value"
1531  * only valid with ADT_UPDATE.
1532  *
1533  * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there
1534  * isn't a good reason to call adt_set_user() with it unless you don't
1535  * have a good value yet and intend to replace it later; auid will be
1536  * AU_NOAUDITID.
1537  *
1538  * adt_set_user should be called even if auditing is not enabled
1539  * so that adt_export_session_data() will have useful stuff to
1540  * work with.
1541  *
1542  * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID
1543  * and ADT_HAVE_ALL.
1544  */
1545 
1546 int
1547 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid,
1548     uid_t ruid, gid_t rgid, const adt_termid_t *termid,
1549     enum adt_user_context user_context)
1550 {
1551 	adt_internal_state_t	*state;
1552 	int			rc;
1553 
1554 	if (session_data == NULL) /* no session exists to audit */
1555 		return (0);
1556 
1557 	state = (adt_internal_state_t *)session_data;
1558 	assert(state->as_check == ADT_VALID);
1559 
1560 	switch (user_context) {
1561 	case ADT_NEW:
1562 		if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE ||
1563 		    rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) {
1564 			errno = EINVAL;
1565 			return (-1);
1566 		}
1567 		if ((rc = adt_newuser(state, ruid,
1568 		    (au_tid_addr_t *)termid)) != 0)
1569 			return (rc);
1570 
1571 		state->as_have_user_data = ADT_HAVE_ALL;
1572 		break;
1573 	case ADT_UPDATE:
1574 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1575 			errno = EINVAL;
1576 			return (-1);
1577 		}
1578 
1579 		if (ruid != ADT_NO_CHANGE)
1580 			if ((rc = adt_changeuser(state, ruid)) != 0)
1581 				return (rc);
1582 		break;
1583 	case ADT_USER:
1584 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1585 			errno = EINVAL;
1586 			return (-1);
1587 		}
1588 		break;
1589 	case ADT_SETTID:
1590 		assert(termid != NULL);
1591 		state->as_info.ai_termid = *((au_tid_addr_t *)termid);
1592 		/* avoid fooling pam_setcred()... */
1593 		state->as_info.ai_auid = AU_NOAUDITID;
1594 		state->as_info.ai_asid = 0;
1595 		state->as_info.ai_mask.am_failure = 0;
1596 		state->as_info.ai_mask.am_success = 0;
1597 		state->as_have_user_data = ADT_HAVE_TID |
1598 		    ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK;
1599 		return (0);
1600 	default:
1601 		errno = EINVAL;
1602 		return (-1);
1603 	}
1604 
1605 	if (ruid == ADT_NO_AUDIT) {
1606 		state->as_ruid = AU_NOAUDITID;
1607 		state->as_euid = AU_NOAUDITID;
1608 		state->as_rgid = AU_NOAUDITID;
1609 		state->as_egid = AU_NOAUDITID;
1610 	} else {
1611 		if (ruid != ADT_NO_CHANGE)
1612 			state->as_ruid = ruid;
1613 		if (euid != ADT_NO_CHANGE)
1614 			state->as_euid = euid;
1615 		if (rgid != ADT_NO_CHANGE)
1616 			state->as_rgid = rgid;
1617 		if (egid != ADT_NO_CHANGE)
1618 			state->as_egid = egid;
1619 	}
1620 
1621 	if (ruid == ADT_NO_ATTRIB) {
1622 		state->as_session_model = ADT_SESSION_MODEL;
1623 	}
1624 
1625 	return (0);
1626 }
1627 
1628 /*
1629  * adt_set_from_ucred()
1630  *
1631  * an alternate to adt_set_user that fills the same role but uses
1632  * a pointer to a ucred rather than a list of id's.  If the ucred
1633  * pointer is NULL, use the credential from the this process.
1634  *
1635  * A key difference is that for ADT_NEW, adt_set_from_ucred() does
1636  * not overwrite the asid and auid unless auid has not been set.
1637  * ADT_NEW differs from ADT_UPDATE in that it does not OR together
1638  * the incoming audit mask with the one that already exists.
1639  *
1640  * adt_set_from_ucred should be called even if auditing is not enabled
1641  * so that adt_export_session_data() will have useful stuff to
1642  * work with.
1643  */
1644 
1645 int
1646 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc,
1647     enum adt_user_context user_context)
1648 {
1649 	adt_internal_state_t	*state;
1650 	int			rc = -1;
1651 	const au_tid64_addr_t		*tid64;
1652 	au_tid_addr_t		termid, *tid;
1653 	ucred_t	*ucred = (ucred_t *)uc;
1654 	boolean_t	local_uc = B_FALSE;
1655 
1656 	if (session_data == NULL) /* no session exists to audit */
1657 		return (0);
1658 
1659 	state = (adt_internal_state_t *)session_data;
1660 	assert(state->as_check == ADT_VALID);
1661 
1662 	if (ucred == NULL) {
1663 		ucred = ucred_get(P_MYID);
1664 
1665 		if (ucred == NULL)
1666 			goto return_rc;
1667 		local_uc = B_TRUE;
1668 	}
1669 
1670 	switch (user_context) {
1671 	case ADT_NEW:
1672 		tid64 = ucred_getatid(ucred);
1673 		if (tid64 != NULL) {
1674 			adt_cpy_tid(&termid, tid64);
1675 			tid = &termid;
1676 		} else {
1677 			tid = NULL;
1678 		}
1679 		if (ucred_getauid(ucred) == AU_NOAUDITID) {
1680 			adt_setto_unaudited(state);
1681 			state->as_have_user_data = ADT_HAVE_ALL;
1682 			rc = 0;
1683 			goto return_rc;
1684 		} else {
1685 			state->as_info.ai_auid = ucred_getauid(ucred);
1686 			state->as_info.ai_asid = ucred_getasid(ucred);
1687 			state->as_info.ai_mask = *ucred_getamask(ucred);
1688 			state->as_info.ai_termid = *tid;
1689 		}
1690 		state->as_have_user_data = ADT_HAVE_ALL;
1691 		break;
1692 	case ADT_UPDATE:
1693 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1694 			errno = EINVAL;
1695 			goto return_rc;
1696 		}
1697 
1698 		if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0)
1699 			goto return_rc;
1700 		break;
1701 	case ADT_USER:
1702 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1703 			errno = EINVAL;
1704 			goto return_rc;
1705 		}
1706 		break;
1707 	default:
1708 		errno = EINVAL;
1709 		goto return_rc;
1710 	}
1711 	rc = 0;
1712 
1713 	state->as_ruid = ucred_getruid(ucred);
1714 	state->as_euid = ucred_geteuid(ucred);
1715 	state->as_rgid = ucred_getrgid(ucred);
1716 	state->as_egid = ucred_getegid(ucred);
1717 	state->as_pid = ucred_getpid(ucred);
1718 	state->as_label = adt_ucred_label(ucred);
1719 
1720 return_rc:
1721 	if (local_uc) {
1722 		ucred_free(ucred);
1723 	}
1724 	return (rc);
1725 }
1726 
1727 /*
1728  * adt_alloc_event() returns a pointer to allocated memory
1729  *
1730  */
1731 
1732 adt_event_data_t
1733 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id)
1734 {
1735 	struct adt_event_state	*event_state;
1736 	adt_internal_state_t	*session_state;
1737 	adt_event_data_t	*return_event = NULL;
1738 	/*
1739 	 * need to return a valid event pointer even if audit is
1740 	 * off, else the caller will end up either (1) keeping its
1741 	 * own flags for on/off or (2) writing to a NULL pointer.
1742 	 * If auditing is on, the session data must be valid; otherwise
1743 	 * we don't care.
1744 	 */
1745 	if (session_data != NULL) {
1746 		session_state = (adt_internal_state_t *)session_data;
1747 		assert(session_state->as_check == ADT_VALID);
1748 	}
1749 	event_state = calloc(1, sizeof (struct adt_event_state));
1750 	if (event_state == NULL)
1751 		goto return_ptr;
1752 
1753 	event_state->ae_check = ADT_VALID;
1754 
1755 	event_state->ae_event_id = event_id;
1756 	event_state->ae_session = (struct adt_internal_state *)session_data;
1757 
1758 	return_event = (adt_event_data_t *)&(event_state->ae_event_data);
1759 
1760 	/*
1761 	 * preload data so the adt_au_*() functions can detect un-supplied
1762 	 * values (0 and NULL are free via calloc()).
1763 	 */
1764 	adt_preload(event_id, return_event);
1765 
1766 return_ptr:
1767 	return (return_event);
1768 }
1769 
1770 /*
1771  * adt_getXlateTable -- look up translation table address for event id
1772  */
1773 
1774 static struct translation *
1775 adt_getXlateTable(au_event_t event_id)
1776 {
1777 	/* xlate_table is global in adt_xlate.c */
1778 	struct translation	**p_xlate = &xlate_table[0];
1779 	struct translation	*p_event;
1780 
1781 	while (*p_xlate != NULL) {
1782 		p_event = *p_xlate;
1783 		if (event_id == p_event->tx_external_event)
1784 			return (p_event);
1785 		p_xlate++;
1786 	}
1787 	return (NULL);
1788 }
1789 
1790 /*
1791  * adt_calcOffsets
1792  *
1793  * the call to this function is surrounded by a mutex.
1794  *
1795  * i walks down the table picking up next_token.  j walks again to
1796  * calculate the offset to the input data.  k points to the next
1797  * token's row.  Finally, l, is used to sum the values in the
1798  * datadef array.
1799  *
1800  * What's going on?  The entry array is in the order of the input
1801  * fields but the processing of array entries is in the order of
1802  * the output (see next_token).  Calculating the offset to the
1803  * "next" input can't be done in the outer loop (i) since i doesn't
1804  * point to the current entry and it can't be done with the k index
1805  * because it doesn't represent the order of input fields.
1806  *
1807  * While the resulting algorithm is n**2, it is only done once per
1808  * event type.
1809  */
1810 
1811 /*
1812  * adt_calcOffsets is only called once per event type, but it uses
1813  * the address alignment of memory allocated for that event as if it
1814  * were the same for all subsequently allocated memory.  This is
1815  * guaranteed by calloc/malloc.  Arrays take special handling since
1816  * what matters for figuring out the correct alignment is the size
1817  * of the array element.
1818  */
1819 
1820 static void
1821 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data)
1822 {
1823 	int		i, j;
1824 	size_t		this_size, prev_size;
1825 	void		*struct_start = p_data;
1826 
1827 	for (i = 0; i < tablesize; i++) {
1828 		if (p_entry[i].en_type_def == NULL) {
1829 			p_entry[i].en_offset = 0;
1830 			continue;
1831 		}
1832 		prev_size = 0;
1833 		p_entry[i].en_offset = (char *)p_data - (char *)struct_start;
1834 
1835 		for (j = 0; j < p_entry[i].en_count_types; j++) {
1836 			if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG)
1837 				this_size = sizeof (enum adt_generic);
1838 			else
1839 				this_size =
1840 				    p_entry[i].en_type_def[j].dd_input_size;
1841 
1842 			/* adj for first entry */
1843 			if (prev_size == 0)
1844 				prev_size = this_size;
1845 
1846 			if (p_entry[i].en_type_def[j].dd_datatype ==
1847 			    ADT_UINT32ARRAY) {
1848 				p_data = (char *)adt_adjust_address(p_data,
1849 				    prev_size, sizeof (uint32_t)) +
1850 				    this_size - sizeof (uint32_t);
1851 
1852 				prev_size = sizeof (uint32_t);
1853 			} else {
1854 				p_data = adt_adjust_address(p_data, prev_size,
1855 				    this_size);
1856 				prev_size = this_size;
1857 			}
1858 		}
1859 	}
1860 }
1861 
1862 /*
1863  * adt_generate_event
1864  * generate event record from external struct.  The order is based on
1865  * the output tokens, allowing for the possibility that the input data
1866  * is in a different order.
1867  *
1868  */
1869 
1870 static void
1871 adt_generate_event(const adt_event_data_t *p_extdata,
1872     struct adt_event_state *p_event,
1873     struct translation *p_xlate)
1874 {
1875 	struct entry		*p_entry;
1876 	static mutex_t	lock = DEFAULTMUTEX;
1877 
1878 	p_entry = p_xlate->tx_first_entry;
1879 	assert(p_entry != NULL);
1880 
1881 	p_event->ae_internal_id = p_xlate->tx_internal_event;
1882 	adt_token_open(p_event);
1883 
1884 	/*
1885 	 * offsets are not pre-calculated; the initial offsets are all
1886 	 * 0; valid offsets are >= 0.  Offsets for no-input tokens such
1887 	 * as subject are set to -1 by adt_calcOffset()
1888 	 */
1889 	if (p_xlate->tx_offsetsCalculated == 0) {
1890 		(void) _mutex_lock(&lock);
1891 		p_xlate->tx_offsetsCalculated = 1;
1892 
1893 		adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries,
1894 		    (void *)p_extdata);
1895 		(void) _mutex_unlock(&lock);
1896 	}
1897 	while (p_entry != NULL) {
1898 		adt_generate_token(p_entry, (char *)p_extdata,
1899 		    p_event);
1900 
1901 		p_entry = p_entry->en_next_token;
1902 	}
1903 	adt_token_close(p_event);
1904 }
1905 
1906 /*
1907  * adt_put_event -- main event generation function.
1908  * The input "event" is the address of the struct containing
1909  * event-specific data.
1910  *
1911  * However if auditing is off or the session handle
1912  * is NULL, no attempt to write a record is made.
1913  */
1914 
1915 int
1916 adt_put_event(const adt_event_data_t *event, int status, int return_val)
1917 {
1918 	struct adt_event_state	*event_state;
1919 	struct translation	*xlate;
1920 	int			rc = 0;
1921 
1922 	if (event == NULL) {
1923 		errno = EINVAL;
1924 		rc = -1;
1925 		goto return_rc;
1926 	}
1927 	event_state = (struct adt_event_state *)event;
1928 
1929 	/* if audit off or this is a broken session, exit */
1930 	if (auditstate == AUC_DISABLED || (event_state->ae_session == NULL))
1931 		goto return_rc;
1932 
1933 	assert(event_state->ae_check == ADT_VALID);
1934 
1935 	event_state->ae_rc = status;
1936 	event_state->ae_type = return_val;
1937 
1938 	/* look up the event */
1939 
1940 	xlate = adt_getXlateTable(event_state->ae_event_id);
1941 
1942 	if (xlate == NULL) {
1943 		errno = EINVAL;
1944 		rc = -1;
1945 		goto return_rc;
1946 	}
1947 	DPRINTF(("got event %d\n", xlate->tx_internal_event));
1948 
1949 	if (adt_selected(event_state, xlate->tx_internal_event, status))
1950 		adt_generate_event(event, event_state, xlate);
1951 
1952 return_rc:
1953 	return (rc);
1954 }
1955 
1956 /*
1957  * adt_free_event -- invalidate and free
1958  */
1959 
1960 void
1961 adt_free_event(adt_event_data_t *event)
1962 {
1963 	struct adt_event_state	*event_state;
1964 
1965 	if (event == NULL)
1966 		return;
1967 
1968 	event_state = (struct adt_event_state *)event;
1969 
1970 	assert(event_state->ae_check == ADT_VALID);
1971 
1972 	event_state->ae_check = 0;
1973 
1974 	free(event_state);
1975 }
1976 
1977 /*
1978  * adt_is_selected -- helper to adt_selected(), below.
1979  *
1980  * "sorf" is "success or fail" status; au_preselect compares
1981  * that with success, fail, or both.
1982  */
1983 
1984 static int
1985 adt_is_selected(au_event_t e, au_mask_t *m, int sorf)
1986 {
1987 	int prs_sorf;
1988 
1989 	if (sorf == 0)
1990 		prs_sorf = AU_PRS_SUCCESS;
1991 	else
1992 		prs_sorf = AU_PRS_FAILURE;
1993 
1994 	return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD));
1995 }
1996 
1997 /*
1998  * selected -- see if this event is preselected.
1999  *
2000  * if errors are encountered trying to check a preselection mask
2001  * or look up a user name, the event is selected.  Otherwise, the
2002  * preselection mask is used for the job.
2003  */
2004 
2005 static int
2006 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status)
2007 {
2008 	adt_internal_state_t *sp;
2009 	au_mask_t	namask;
2010 
2011 	sp = event->ae_session;
2012 
2013 	if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) {
2014 		adt_write_syslog("No user data available", EINVAL);
2015 		return (1);	/* default is "selected" */
2016 	}
2017 
2018 	/* non-attributable? */
2019 	if ((sp->as_info.ai_auid == AU_NOAUDITID) ||
2020 	    (sp->as_info.ai_auid == ADT_NO_AUDIT)) {
2021 		if (auditon(A_GETKMASK, (caddr_t)&namask,
2022 		    sizeof (namask)) != 0) {
2023 			adt_write_syslog("auditon failure", errno);
2024 			return (1);
2025 		}
2026 		return (adt_is_selected(actual_id, &namask, status));
2027 	} else {
2028 		return (adt_is_selected(actual_id, &(sp->as_info.ai_mask),
2029 		    status));
2030 	}
2031 }
2032