xref: /titanic_51/usr/src/cmd/init/init.c (revision 64cfc8ed0c5da83f827c424588bfe709e3fb5a7a)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
28 /*	  All Rights Reserved  	*/
29 
30 /*
31  * University Copyright- Copyright (c) 1982, 1986, 1988
32  * The Regents of the University of California
33  * All Rights Reserved
34  *
35  * University Acknowledgment- Portions of this document are derived from
36  * software developed by the University of California, Berkeley, and its
37  * contributors.
38  */
39 
40 #pragma ident	"%Z%%M%	%I%	%E% SMI"
41 
42 /*
43  * init(1M) is the general process spawning program.  Its primary job is to
44  * start and restart svc.startd for smf(5).  For backwards-compatibility it also
45  * spawns and respawns processes according to /etc/inittab and the current
46  * run-level.  It reads /etc/default/inittab for general configuration.
47  *
48  * To change run-levels the system administrator runs init from the command
49  * line with a level name.  init signals svc.startd via libscf and directs the
50  * zone's init (pid 1 in the global zone) what to do by sending it a signal;
51  * these signal numbers are commonly refered to in the code as 'states'.  Valid
52  * run-levels are [sS0123456].  Additionally, init can be given directives
53  * [qQabc], which indicate actions to be taken pertaining to /etc/inittab.
54  *
55  * When init processes inittab entries, it finds processes that are to be
56  * spawned at various run-levels.  inittab contains the set of the levels for
57  * which each inittab entry is valid.
58  *
59  * State File and Restartability
60  *   Premature exit by init(1M) is handled as a special case by the kernel:
61  *   init(1M) will be immediately re-executed, retaining its original PID.  (PID
62  *   1 in the global zone.)  To track the processes it has previously spawned,
63  *   as well as other mutable state, init(1M) regularly updates a state file
64  *   such that its subsequent invocations have knowledge of its various
65  *   dependent processes and duties.
66  *
67  * Process Contracts
68  *   We start svc.startd(1M) in a contract and transfer inherited contracts when
69  *   restarting it.  Everything else is started using the legacy contract
70  *   template, and the created contracts are abandoned when they become empty.
71  *
72  * utmpx Entry Handling
73  *   Because init(1M) no longer governs the startup process, its knowledge of
74  *   when utmpx becomes writable is indirect.  However, spawned processes
75  *   expect to be constructed with valid utmpx entries.  As a result, attempts
76  *   to write normal entries will be retried until successful.
77  *
78  * Maintenance Mode
79  *   In certain failure scenarios, init(1M) will enter a maintenance mode, in
80  *   which it invokes sulogin(1M) to allow the operator an opportunity to
81  *   repair the system.  Normally, this operation is performed as a
82  *   fork(2)-exec(2)-waitpid(3C) sequence with the parent waiting for repair or
83  *   diagnosis to be completed.  In the cases that fork(2) requests themselves
84  *   fail, init(1M) will directly execute sulogin(1M), and allow the kernel to
85  *   restart init(1M) on exit from the operator session.
86  *
87  *   One scenario where init(1M) enters its maintenance mode is when
88  *   svc.startd(1M) begins to fail rapidly, defined as when the average time
89  *   between recent failures drops below a given threshold.
90  */
91 
92 #include <sys/contract/process.h>
93 #include <sys/ctfs.h>
94 #include <sys/stat.h>
95 #include <sys/statvfs.h>
96 #include <sys/stropts.h>
97 #include <sys/systeminfo.h>
98 #include <sys/time.h>
99 #include <sys/termios.h>
100 #include <sys/tty.h>
101 #include <sys/types.h>
102 #include <sys/utsname.h>
103 
104 #include <bsm/adt_event.h>
105 #include <bsm/libbsm.h>
106 #include <security/pam_appl.h>
107 
108 #include <assert.h>
109 #include <ctype.h>
110 #include <dirent.h>
111 #include <errno.h>
112 #include <fcntl.h>
113 #include <libcontract.h>
114 #include <libcontract_priv.h>
115 #include <libintl.h>
116 #include <libscf.h>
117 #include <libscf_priv.h>
118 #include <poll.h>
119 #include <procfs.h>
120 #include <signal.h>
121 #include <stdarg.h>
122 #include <stdio.h>
123 #include <stdio_ext.h>
124 #include <stdlib.h>
125 #include <string.h>
126 #include <strings.h>
127 #include <syslog.h>
128 #include <time.h>
129 #include <ulimit.h>
130 #include <unistd.h>
131 #include <utmpx.h>
132 #include <wait.h>
133 #include <zone.h>
134 #include <ucontext.h>
135 
136 #undef	sleep
137 
138 #define	fioctl(p, sptr, cmd)	ioctl(fileno(p), sptr, cmd)
139 #define	min(a, b)		(((a) < (b)) ? (a) : (b))
140 
141 #define	TRUE	1
142 #define	FALSE	0
143 #define	FAILURE	-1
144 
145 #define	UT_LINE_SZ	32	/* Size of a utmpx ut_line field */
146 
147 /*
148  * SLEEPTIME	The number of seconds "init" sleeps between wakeups if
149  *		nothing else requires this "init" wakeup.
150  */
151 #define	SLEEPTIME	(5 * 60)
152 
153 /*
154  * MAXCMDL	The maximum length of a command string in inittab.
155  */
156 #define	MAXCMDL	512
157 
158 /*
159  * EXEC		The length of the prefix string added to all comamnds
160  *		found in inittab.
161  */
162 #define	EXEC	(sizeof ("exec ") - 1)
163 
164 /*
165  * TWARN	The amount of time between warning signal, SIGTERM,
166  *		and the fatal kill signal, SIGKILL.
167  */
168 #define	TWARN	5
169 
170 #define	id_eq(x, y)	((x[0] == y[0] && x[1] == y[1] && x[2] == y[2] &&\
171 			x[3] == y[3]) ? TRUE : FALSE)
172 
173 /*
174  * The kernel's default umask is 022 these days; since some processes inherit
175  * their umask from init, init will set it from CMASK in /etc/default/init.
176  * init gets the default umask from the kernel, it sets it to 022 whenever
177  * it wants to create a file and reverts to CMASK afterwards.
178  */
179 
180 static int cmask;
181 
182 /*
183  * The following definitions, concluding with the 'lvls' array, provide a
184  * common mapping between level-name (like 'S'), signal number (state),
185  * run-level mask, and specific properties associated with a run-level.
186  * This array should be accessed using the routines lvlname_to_state(),
187  * lvlname_to_mask(), state_to_mask(), and state_to_flags().
188  */
189 
190 /*
191  * Correspondence of signals to init actions.
192  */
193 #define	LVLQ		SIGHUP
194 #define	LVL0		SIGINT
195 #define	LVL1		SIGQUIT
196 #define	LVL2		SIGILL
197 #define	LVL3		SIGTRAP
198 #define	LVL4		SIGIOT
199 #define	LVL5		SIGEMT
200 #define	LVL6		SIGFPE
201 #define	SINGLE_USER	SIGBUS
202 #define	LVLa		SIGSEGV
203 #define	LVLb		SIGSYS
204 #define	LVLc		SIGPIPE
205 
206 /*
207  * Bit Mask for each level.  Used to determine legal levels.
208  */
209 #define	MASK0	0x0001
210 #define	MASK1	0x0002
211 #define	MASK2	0x0004
212 #define	MASK3	0x0008
213 #define	MASK4	0x0010
214 #define	MASK5	0x0020
215 #define	MASK6	0x0040
216 #define	MASKSU	0x0080
217 #define	MASKa	0x0100
218 #define	MASKb	0x0200
219 #define	MASKc	0x0400
220 
221 #define	MASK_NUMERIC (MASK0 | MASK1 | MASK2 | MASK3 | MASK4 | MASK5 | MASK6)
222 #define	MASK_abc (MASKa | MASKb | MASKc)
223 
224 /*
225  * Flags to indicate properties of various states.
226  */
227 #define	LSEL_RUNLEVEL	0x0001	/* runlevels you can transition to */
228 
229 typedef struct lvl {
230 	int	lvl_state;
231 	int	lvl_mask;
232 	char	lvl_name;
233 	int	lvl_flags;
234 } lvl_t;
235 
236 static lvl_t lvls[] = {
237 	{ LVLQ,		0,	'Q', 0					},
238 	{ LVLQ,		0,	'q', 0					},
239 	{ LVL0,		MASK0,	'0', LSEL_RUNLEVEL			},
240 	{ LVL1, 	MASK1,	'1', LSEL_RUNLEVEL			},
241 	{ LVL2, 	MASK2,	'2', LSEL_RUNLEVEL			},
242 	{ LVL3, 	MASK3,	'3', LSEL_RUNLEVEL			},
243 	{ LVL4, 	MASK4,	'4', LSEL_RUNLEVEL			},
244 	{ LVL5, 	MASK5,	'5', LSEL_RUNLEVEL			},
245 	{ LVL6, 	MASK6, 	'6', LSEL_RUNLEVEL			},
246 	{ SINGLE_USER, 	MASKSU, 'S', LSEL_RUNLEVEL			},
247 	{ SINGLE_USER, 	MASKSU, 's', LSEL_RUNLEVEL			},
248 	{ LVLa,		MASKa,	'a', 0					},
249 	{ LVLb,		MASKb,	'b', 0					},
250 	{ LVLc,		MASKc,	'c', 0					}
251 };
252 
253 #define	LVL_NELEMS (sizeof (lvls) / sizeof (lvl_t))
254 
255 /*
256  * Legal action field values.
257  */
258 #define	OFF		0	/* Kill process if on, else ignore */
259 #define	RESPAWN		1	/* Continuously restart process when it dies */
260 #define	ONDEMAND	RESPAWN	/* Respawn for a, b, c type processes */
261 #define	ONCE		2	/* Start process, do not respawn when dead */
262 #define	WAIT		3	/* Perform once and wait to complete */
263 #define	BOOT		4	/* Start at boot time only */
264 #define	BOOTWAIT	5	/* Start at boot time and wait to complete */
265 #define	POWERFAIL	6	/* Start on powerfail */
266 #define	POWERWAIT	7	/* Start and wait for complete on powerfail */
267 #define	INITDEFAULT	8	/* Default level "init" should start at */
268 #define	SYSINIT		9	/* Actions performed before init speaks */
269 
270 #define	M_OFF		0001
271 #define	M_RESPAWN	0002
272 #define	M_ONDEMAND	M_RESPAWN
273 #define	M_ONCE		0004
274 #define	M_WAIT		0010
275 #define	M_BOOT		0020
276 #define	M_BOOTWAIT	0040
277 #define	M_PF		0100
278 #define	M_PWAIT		0200
279 #define	M_INITDEFAULT	0400
280 #define	M_SYSINIT	01000
281 
282 /* States for the inittab parser in getcmd(). */
283 #define	ID	1
284 #define	LEVELS	2
285 #define	ACTION	3
286 #define	COMMAND	4
287 #define	COMMENT	5
288 
289 /*
290  * Init can be in any of three main states, "normal" mode where it is
291  * processing entries for the lines file in a normal fashion, "boot" mode,
292  * where it is only interested in the boot actions, and "powerfail" mode,
293  * where it is only interested in powerfail related actions. The following
294  * masks declare the legal actions for each mode.
295  */
296 #define	NORMAL_MODES	(M_OFF | M_RESPAWN | M_ONCE | M_WAIT)
297 #define	BOOT_MODES	(M_BOOT | M_BOOTWAIT)
298 #define	PF_MODES	(M_PF | M_PWAIT)
299 
300 struct PROC_TABLE {
301 	char	p_id[4];	/* Four letter unique id of process */
302 	pid_t	p_pid;		/* Process id */
303 	short	p_count;	/* How many respawns of this command in */
304 				/*   the current series */
305 	long	p_time;		/* Start time for a series of respawns */
306 	short	p_flags;
307 	short	p_exit;		/* Exit status of a process which died */
308 };
309 
310 /*
311  * Flags for the "p_flags" word of a PROC_TABLE entry:
312  *
313  *	OCCUPIED	This slot in init's proc table is in use.
314  *
315  *	LIVING		Process is alive.
316  *
317  *	NOCLEANUP	efork() is not allowed to cleanup this entry even
318  *			if process is dead.
319  *
320  *	NAMED		This process has a name, i.e. came from inittab.
321  *
322  *	DEMANDREQUEST	Process started by a "telinit [abc]" command.  Processes
323  *			formed this way are respawnable and immune to level
324  *			changes as long as their entry exists in inittab.
325  *
326  *	TOUCHED		Flag used by remv() to determine whether it has looked
327  *			at an entry while checking for processes to be killed.
328  *
329  *	WARNED		Flag used by remv() to mark processes that have been
330  *			sent the SIGTERM signal.  If they don't die in 5
331  *			seconds, they are sent the SIGKILL signal.
332  *
333  *	KILLED		Flag used by remv() to mark procs that have been sent
334  *			the SIGTERM and SIGKILL signals.
335  *
336  *	PF_MASK		Bitwise or of legal flags, for sanity checking.
337  */
338 #define	OCCUPIED	01
339 #define	LIVING		02
340 #define	NOCLEANUP	04
341 #define	NAMED		010
342 #define	DEMANDREQUEST	020
343 #define	TOUCHED		040
344 #define	WARNED		0100
345 #define	KILLED		0200
346 #define	PF_MASK		0377
347 
348 /*
349  * Respawn limits for processes that are to be respawned:
350  *
351  *	SPAWN_INTERVAL	The number of seconds over which "init" will try to
352  *			respawn a process SPAWN_LIMIT times before it gets mad.
353  *
354  *	SPAWN_LIMIT	The number of respawns "init" will attempt in
355  *			SPAWN_INTERVAL seconds before it generates an
356  *			error message and inhibits further tries for
357  *			INHIBIT seconds.
358  *
359  *	INHIBIT		The number of seconds "init" ignores an entry it had
360  *			trouble spawning unless a "telinit Q" is received.
361  */
362 
363 #define	SPAWN_INTERVAL	(2*60)
364 #define	SPAWN_LIMIT	10
365 #define	INHIBIT		(5*60)
366 
367 /*
368  * The maximum number of decimal digits for an id_t.  (ceil(log10 (max_id)))
369  */
370 #define	ID_MAX_STR_LEN	10
371 
372 #define	NULLPROC	((struct PROC_TABLE *)(0))
373 #define	NO_ROOM		((struct PROC_TABLE *)(FAILURE))
374 
375 struct CMD_LINE {
376 	char c_id[4];	/* Four letter unique id of process to be */
377 			/*   affected by action */
378 	short c_levels;	/* Mask of legal levels for process */
379 	short c_action;	/* Mask for type of action required */
380 	char *c_command; /* Pointer to init command */
381 };
382 
383 struct	pidrec {
384 	int	pd_type;	/* Command type */
385 	pid_t	pd_pid;		/* pid to add or remove */
386 };
387 
388 /*
389  * pd_type's
390  */
391 #define	ADDPID	1
392 #define	REMPID	2
393 
394 static struct	pidlist {
395 	pid_t	pl_pid;		/* pid to watch for */
396 	int	pl_dflag;	/* Flag indicating SIGCLD from this pid */
397 	short	pl_exit;	/* Exit status of proc */
398 	struct	pidlist	*pl_next; /* Next in list */
399 } *Plhead, *Plfree;
400 
401 /*
402  * The following structure contains a set of modes for /dev/syscon
403  * and should match the default contents of /etc/ioctl.syscon.
404  */
405 static struct termios	dflt_termios = {
406 	BRKINT|ICRNL|IXON|IMAXBEL,			/* iflag */
407 	OPOST|ONLCR|TAB3,				/* oflag */
408 	CS8|CREAD|B9600,				/* cflag */
409 	ISIG|ICANON|ECHO|ECHOE|ECHOK|ECHOCTL|ECHOKE|IEXTEN, /* lflag */
410 	CINTR, CQUIT, CERASE, CKILL, CEOF, 0, 0, 0,
411 	0, 0, 0, 0, 0, 0, 0, 0,
412 	0, 0, 0
413 };
414 
415 static struct termios	stored_syscon_termios;
416 static int		write_ioctl = 0;	/* Rewrite /etc/ioctl.syscon */
417 
418 static union WAKEUP {
419 	struct WAKEFLAGS {
420 		unsigned w_usersignal : 1;	/* User sent signal to "init" */
421 		unsigned w_childdeath : 1;	/* An "init" child died */
422 		unsigned w_powerhit : 1;	/* OS experienced powerfail */
423 	}	w_flags;
424 	int w_mask;
425 } wakeup;
426 
427 
428 struct init_state {
429 	int			ist_runlevel;
430 	int			ist_num_proc;
431 	int			ist_utmpx_ok;
432 	struct PROC_TABLE	ist_proc_table[1];
433 };
434 
435 #define	cur_state	(g_state->ist_runlevel)
436 #define	num_proc	(g_state->ist_num_proc)
437 #define	proc_table	(g_state->ist_proc_table)
438 #define	utmpx_ok	(g_state->ist_utmpx_ok)
439 
440 /* Contract cookies. */
441 #define	ORDINARY_COOKIE		0
442 #define	STARTD_COOKIE		1
443 
444 
445 #ifndef NDEBUG
446 #define	bad_error(func, err)	{					\
447 	(void) fprintf(stderr, "%s:%d: %s() failed with unexpected "	\
448 	    "error %d.  Aborting.\n", __FILE__, __LINE__, (func), (err)); \
449 	abort();							\
450 }
451 #else
452 #define	bad_error(func, err)	abort()
453 #endif
454 
455 
456 /*
457  * Useful file and device names.
458  */
459 static char *CONSOLE	  = "/dev/console";	/* Real system console */
460 static char *INITPIPE_DIR = "/var/run";
461 static char *INITPIPE	  = "/var/run/initpipe";
462 
463 #define	INIT_STATE_DIR "/etc/svc/volatile"
464 static const char * const init_state_file = INIT_STATE_DIR "/init.state";
465 static const char * const init_next_state_file =
466 	INIT_STATE_DIR "/init-next.state";
467 
468 static const int init_num_proc = 20;	/* Initial size of process table. */
469 
470 static char *UTMPX	 = UTMPX_FILE;		/* Snapshot record file */
471 static char *WTMPX	 = WTMPX_FILE;		/* Long term record file */
472 static char *INITTAB	 = "/etc/inittab";	/* Script file for "init" */
473 static char *SYSTTY	 = "/dev/systty";	/* System Console */
474 static char *SYSCON	 = "/dev/syscon";	/* Virtual System console */
475 static char *IOCTLSYSCON = "/etc/ioctl.syscon";	/* Last syscon modes */
476 static char *ENVFILE	 = "/etc/default/init";	/* Default env. */
477 static char *SU	= "/etc/sulogin";	/* Super-user program for single user */
478 static char *SH	= "/sbin/sh";		/* Standard shell */
479 
480 /*
481  * Default Path.  /sbin is included in path only during sysinit phase
482  */
483 #define	DEF_PATH	"PATH=/usr/sbin:/usr/bin"
484 #define	INIT_PATH	"PATH=/sbin:/usr/sbin:/usr/bin"
485 
486 static int	prior_state;
487 static int	prev_state;	/* State "init" was in last time it woke */
488 static int	new_state;	/* State user wants "init" to go to. */
489 static int	lvlq_received;	/* Explicit request to examine state */
490 static int	op_modes = BOOT_MODES; /* Current state of "init" */
491 static int	Gchild = 0;	/* Flag to indicate "godchild" died, set in */
492 				/*   childeath() and cleared in cleanaux() */
493 static int	Pfd = -1;	/* fd to receive pids thru */
494 static unsigned int	spawncnt, pausecnt;
495 static int	rsflag;		/* Set if a respawn has taken place */
496 static volatile int time_up;	/* Flag set to TRUE by the alarm interrupt */
497 				/* routine each time an alarm interrupt */
498 				/* takes place. */
499 static int	sflg = 0;	/* Set if we were booted -s to single user */
500 static int	rflg = 0;	/* Set if booted -r, reconfigure devices */
501 static int	bflg = 0;	/* Set if booted -b, don't run rc scripts */
502 static pid_t	init_pid;	/* PID of "one true" init for current zone */
503 
504 static struct init_state *g_state = NULL;
505 static size_t	g_state_sz;
506 static int	booting = 1;	/* Set while we're booting. */
507 
508 /*
509  * Array for default global environment.
510  */
511 #define	MAXENVENT	24	/* Max number of default env variables + 1 */
512 				/* init can use three itself, so this leaves */
513 				/* 20 for the administrator in ENVFILE. */
514 static char	*glob_envp[MAXENVENT];	/* Array of environment strings */
515 static int	glob_envn;		/* Number of environment strings */
516 
517 
518 static struct pollfd	poll_fds[1];
519 static int		poll_nfds = 0;	/* poll_fds is uninitialized */
520 
521 static int	legacy_tmpl = -1;	/* fd for legacy contract template */
522 static int	startd_tmpl = -1;	/* fd for svc.startd's template */
523 
524 static char	startd_cline[256] = "";	/* svc.startd's command line */
525 static int	do_restart_startd = 1;	/* Whether to restart svc.startd. */
526 static char	*smf_options = NULL;	/* Options to give to startd. */
527 static int	smf_debug = 0;		/* Messages for debugging smf(5) */
528 static time_t	init_boot_time;		/* Substitute for kernel boot time. */
529 
530 #define	NSTARTD_FAILURE_TIMES	3		/* trigger after 3 failures */
531 #define	STARTD_FAILURE_RATE_NS	5000000000LL	/* 1 failure/5 seconds */
532 
533 static hrtime_t	startd_failure_time[NSTARTD_FAILURE_TIMES];
534 static uint_t	startd_failure_index;
535 
536 
537 static char	*prog_name(char *);
538 static int	state_to_mask(int);
539 static int	lvlname_to_mask(char, int *);
540 static void	lscf_set_runlevel(char);
541 static int	state_to_flags(int);
542 static char	state_to_name(int);
543 static int	lvlname_to_state(char);
544 static int	getcmd(struct CMD_LINE *, char *);
545 static int	realcon();
546 static int	spawn_processes();
547 static int	get_ioctl_syscon();
548 static int	account(short, struct PROC_TABLE *, char *);
549 static void	alarmclk();
550 static void	childeath(int);
551 static void	cleanaux();
552 static void	clearent(pid_t, short);
553 static void	console(boolean_t, char *, ...);
554 static void	init_signals(void);
555 static void	setup_pipe();
556 static void	killproc(pid_t);
557 static void	init_env();
558 static void	boot_init();
559 static void	powerfail();
560 static void	remv();
561 static void	write_ioctl_syscon();
562 static void	spawn(struct PROC_TABLE *, struct CMD_LINE *);
563 static void	setimer(int);
564 static void	siglvl(int, siginfo_t *, ucontext_t *);
565 static void	sigpoll(int);
566 static void	enter_maintenance(void);
567 static void	timer(int);
568 static void	userinit(int, char **);
569 static void	notify_pam_dead(struct utmpx *);
570 static long	waitproc(struct PROC_TABLE *);
571 static struct PROC_TABLE *efork(int, struct PROC_TABLE *, int);
572 static struct PROC_TABLE *findpslot(struct CMD_LINE *);
573 static void	increase_proc_table_size();
574 static void	st_init();
575 static void	st_write();
576 static void	contracts_init();
577 static void	contract_event(struct pollfd *);
578 static int	startd_run(const char *, int, ctid_t);
579 static void	startd_record_failure();
580 static int	startd_failure_rate_critical();
581 static char	*audit_boot_msg();
582 static int	audit_put_record(int, int, char *);
583 static void	update_boot_archive(int new_state);
584 
585 int
586 main(int argc, char *argv[])
587 {
588 	int	chg_lvl_flag = FALSE, print_banner = FALSE;
589 	int	may_need_audit = 1;
590 	int	c;
591 	char	*msg;
592 
593 	/* Get a timestamp for use as boot time, if needed. */
594 	(void) time(&init_boot_time);
595 
596 	/* Get the default umask */
597 	cmask = umask(022);
598 	(void) umask(cmask);
599 
600 	/* Parse the arguments to init. Check for single user */
601 	opterr = 0;
602 	while ((c = getopt(argc, argv, "brsm:")) != EOF) {
603 		switch (c) {
604 		case 'b':
605 			rflg = 0;
606 			bflg = 1;
607 			if (!sflg)
608 				sflg++;
609 			break;
610 		case 'r':
611 			bflg = 0;
612 			rflg++;
613 			break;
614 		case 's':
615 			if (!bflg)
616 				sflg++;
617 			break;
618 		case 'm':
619 			smf_options = optarg;
620 			smf_debug = (strstr(smf_options, "debug") != NULL);
621 			break;
622 		}
623 	}
624 
625 	/*
626 	 * Determine if we are the main init, or a user invoked init, whose job
627 	 * it is to inform init to change levels or perform some other action.
628 	 */
629 	if (zone_getattr(getzoneid(), ZONE_ATTR_INITPID, &init_pid,
630 	    sizeof (init_pid)) != sizeof (init_pid)) {
631 		(void) fprintf(stderr, "could not get pid for init\n");
632 		return (1);
633 	}
634 
635 	/*
636 	 * If this PID is not the same as the "true" init for the zone, then we
637 	 * must be in 'user' mode.
638 	 */
639 	if (getpid() != init_pid) {
640 		userinit(argc, argv);
641 	}
642 
643 	if (getzoneid() != GLOBAL_ZONEID) {
644 		print_banner = TRUE;
645 	}
646 
647 	/*
648 	 * Initialize state (and set "booting").
649 	 */
650 	st_init();
651 
652 	if (booting && print_banner) {
653 		struct utsname un;
654 		char buf[BUFSIZ], *isa;
655 		long ret;
656 		int bits = 32;
657 
658 		/*
659 		 * We want to print the boot banner as soon as
660 		 * possible.  In the global zone, the kernel does it,
661 		 * but we do not have that luxury in non-global zones,
662 		 * so we will print it here.
663 		 */
664 		(void) uname(&un);
665 		ret = sysinfo(SI_ISALIST, buf, sizeof (buf));
666 		if (ret != -1L && ret <= sizeof (buf)) {
667 			for (isa = strtok(buf, " "); isa;
668 			    isa = strtok(NULL, " ")) {
669 				if (strcmp(isa, "sparcv9") == 0 ||
670 				    strcmp(isa, "amd64") == 0) {
671 					bits = 64;
672 					break;
673 				}
674 			}
675 		}
676 
677 		console(B_FALSE,
678 		    "\n\n%s Release %s Version %s %d-bit\r\n",
679 		    un.sysname, un.release, un.version, bits);
680 		console(B_FALSE,
681 		    "Copyright 1983-2007 Sun Microsystems, Inc. "
682 		    " All rights reserved.\r\n");
683 		console(B_FALSE,
684 		    "Use is subject to license terms.\r\n");
685 	}
686 
687 	/*
688 	 * Get the ioctl settings for /dev/syscon from /etc/ioctl.syscon
689 	 * so that it can be brought up in the state it was in when the
690 	 * system went down; or set to defaults if ioctl.syscon isn't
691 	 * valid.
692 	 *
693 	 * This needs to be done even if we're restarting so reset_modes()
694 	 * will work in case we need to go down to single user mode.
695 	 */
696 	write_ioctl = get_ioctl_syscon();
697 
698 	/*
699 	 * Set up all signals to be caught or ignored as appropriate.
700 	 */
701 	init_signals();
702 
703 	/* Load glob_envp from ENVFILE. */
704 	init_env();
705 
706 	contracts_init();
707 
708 	if (!booting) {
709 		/* cur_state should have been read in. */
710 
711 		op_modes = NORMAL_MODES;
712 
713 		/* Rewrite the ioctl file if it was bad. */
714 		if (write_ioctl)
715 			write_ioctl_syscon();
716 	} else {
717 		/*
718 		 * It's fine to boot up with state as zero, because
719 		 * startd will later tell us the real state.
720 		 */
721 		cur_state = 0;
722 		op_modes = BOOT_MODES;
723 
724 		boot_init();
725 	}
726 
727 	prev_state = prior_state = cur_state;
728 
729 	setup_pipe();
730 
731 	/*
732 	 * Here is the beginning of the main process loop.
733 	 */
734 	for (;;) {
735 		if (lvlq_received) {
736 			setup_pipe();
737 			lvlq_received = B_FALSE;
738 		}
739 
740 		/*
741 		 * Clean up any accounting records for dead "godchildren".
742 		 */
743 		if (Gchild)
744 			cleanaux();
745 
746 		/*
747 		 * If in "normal" mode, check all living processes and initiate
748 		 * kill sequence on those that should not be there anymore.
749 		 */
750 		if (op_modes == NORMAL_MODES && cur_state != LVLa &&
751 		    cur_state != LVLb && cur_state != LVLc)
752 			remv();
753 
754 		/*
755 		 * If a change in run levels is the reason we awoke, now do
756 		 * the accounting to report the change in the utmp file.
757 		 * Also report the change on the system console.
758 		 */
759 		if (chg_lvl_flag) {
760 			chg_lvl_flag = FALSE;
761 
762 			if (state_to_flags(cur_state) & LSEL_RUNLEVEL) {
763 				char rl = state_to_name(cur_state);
764 
765 				if (rl != -1)
766 					lscf_set_runlevel(rl);
767 			}
768 
769 			may_need_audit = 1;
770 		}
771 
772 		/*
773 		 * Scan the inittab file and spawn and respawn processes that
774 		 * should be alive in the current state. If inittab does not
775 		 * exist default to  single user mode.
776 		 */
777 		if (spawn_processes() == FAILURE) {
778 			prior_state = prev_state;
779 			cur_state = SINGLE_USER;
780 		}
781 
782 		/* If any respawns occurred, take note. */
783 		if (rsflag) {
784 			rsflag = 0;
785 			spawncnt++;
786 		}
787 
788 		/*
789 		 * If a powerfail signal was received during the last
790 		 * sequence, set mode to powerfail.  When spawn_processes() is
791 		 * entered the first thing it does is to check "powerhit".  If
792 		 * it is in PF_MODES then it clears "powerhit" and does
793 		 * a powerfail sequence.  If it is not in PF_MODES, then it
794 		 * puts itself in PF_MODES and then clears "powerhit".  Should
795 		 * "powerhit" get set again while spawn_processes() is working
796 		 * on a powerfail sequence, the following code  will see that
797 		 * spawn_processes() tries to execute the powerfail sequence
798 		 * again.  This guarantees that the powerfail sequence will be
799 		 * successfully completed before further processing takes
800 		 * place.
801 		 */
802 		if (wakeup.w_flags.w_powerhit) {
803 			op_modes = PF_MODES;
804 			/*
805 			 * Make sure that cur_state != prev_state so that
806 			 * ONCE and WAIT types work.
807 			 */
808 			prev_state = 0;
809 		} else if (op_modes != NORMAL_MODES) {
810 			/*
811 			 * If spawn_processes() was not just called while in
812 			 * normal mode, we set the mode to normal and it will
813 			 * be called again to check normal modes.  If we have
814 			 * just finished a powerfail sequence with prev_state
815 			 * equal to zero, we set prev_state equal to cur_state
816 			 * before the next pass through.
817 			 */
818 			if (op_modes == PF_MODES)
819 				prev_state = cur_state;
820 			op_modes = NORMAL_MODES;
821 		} else if (cur_state == LVLa || cur_state == LVLb ||
822 		    cur_state == LVLc) {
823 			/*
824 			 * If it was a change of levels that awakened us and the
825 			 * new level is one of the demand levels then reset
826 			 * cur_state to the previous state and do another scan
827 			 * to take care of the usual respawn actions.
828 			 */
829 			cur_state = prior_state;
830 			prior_state = prev_state;
831 			prev_state = cur_state;
832 		} else {
833 			prev_state = cur_state;
834 
835 			if (wakeup.w_mask == 0) {
836 				int ret;
837 
838 				if (may_need_audit && (cur_state == LVL3)) {
839 					msg = audit_boot_msg();
840 
841 					may_need_audit = 0;
842 					(void) audit_put_record(ADT_SUCCESS,
843 					    ADT_SUCCESS, msg);
844 					free(msg);
845 				}
846 
847 				/*
848 				 * "init" is finished with all actions for
849 				 * the current wakeup.
850 				 */
851 				ret = poll(poll_fds, poll_nfds,
852 				    SLEEPTIME * MILLISEC);
853 				pausecnt++;
854 				if (ret > 0)
855 					contract_event(&poll_fds[0]);
856 				else if (ret < 0 && errno != EINTR)
857 					console(B_TRUE, "poll() error: %s\n",
858 					    strerror(errno));
859 			}
860 
861 			if (wakeup.w_flags.w_usersignal) {
862 				/*
863 				 * Install the new level.  This could be a real
864 				 * change in levels  or a telinit [Q|a|b|c] or
865 				 * just a telinit to the same level at which
866 				 * we are running.
867 				 */
868 				if (new_state != cur_state) {
869 					if (new_state == LVLa ||
870 					    new_state == LVLb ||
871 					    new_state == LVLc) {
872 						prev_state = prior_state;
873 						prior_state = cur_state;
874 						cur_state = new_state;
875 					} else {
876 						prev_state = cur_state;
877 						if (cur_state >= 0)
878 							prior_state = cur_state;
879 						cur_state = new_state;
880 						chg_lvl_flag = TRUE;
881 					}
882 				}
883 
884 				new_state = 0;
885 			}
886 
887 			if (wakeup.w_flags.w_powerhit)
888 				op_modes = PF_MODES;
889 
890 			/*
891 			 * Clear all wakeup reasons.
892 			 */
893 			wakeup.w_mask = 0;
894 		}
895 	}
896 
897 	/*NOTREACHED*/
898 }
899 
900 static void
901 update_boot_archive(int new_state)
902 {
903 	if (new_state != LVL0 && new_state != LVL5 && new_state != LVL6)
904 		return;
905 
906 	if (getzoneid() != GLOBAL_ZONEID)
907 		return;
908 
909 	(void) system("/sbin/bootadm -a update_all");
910 }
911 
912 /*
913  * void enter_maintenance()
914  *   A simple invocation of sulogin(1M), with no baggage, in the case that we
915  *   are unable to activate svc.startd(1M).  We fork; the child runs sulogin;
916  *   we wait for it to exit.
917  */
918 static void
919 enter_maintenance()
920 {
921 	struct PROC_TABLE	*su_process;
922 
923 	console(B_FALSE, "Requesting maintenance mode\n"
924 	    "(See /lib/svc/share/README for additional information.)\n");
925 	(void) sigset(SIGCLD, SIG_DFL);
926 	while ((su_process = efork(M_OFF, NULLPROC, NOCLEANUP)) == NO_ROOM)
927 		(void) pause();
928 	(void) sigset(SIGCLD, childeath);
929 	if (su_process == NULLPROC) {
930 		int fd;
931 
932 		(void) fclose(stdin);
933 		(void) fclose(stdout);
934 		(void) fclose(stderr);
935 		closefrom(0);
936 
937 		fd = open(SYSCON, O_RDWR | O_NOCTTY);
938 		if (fd >= 0) {
939 			(void) dup2(fd, 1);
940 			(void) dup2(fd, 2);
941 		} else {
942 			/*
943 			 * Need to issue an error message somewhere.
944 			 */
945 			syslog(LOG_CRIT, "init[%d]: cannot open %s; %s\n",
946 			    getpid(), SYSCON, strerror(errno));
947 		}
948 
949 		/*
950 		 * Execute the "su" program.
951 		 */
952 		(void) execle(SU, SU, "-", (char *)0, glob_envp);
953 		console(B_TRUE, "execle of %s failed: %s\n", SU,
954 		    strerror(errno));
955 		timer(5);
956 		exit(1);
957 	}
958 
959 	/*
960 	 * If we are the parent, wait around for the child to die
961 	 * or for "init" to be signaled to change levels.
962 	 */
963 	while (waitproc(su_process) == FAILURE) {
964 		/*
965 		 * All other reasons for waking are ignored when in
966 		 * single-user mode.  The only child we are interested
967 		 * in is being waited for explicitly by waitproc().
968 		 */
969 		wakeup.w_mask = 0;
970 	}
971 }
972 
973 /*
974  * remv() scans through "proc_table" and performs cleanup.  If
975  * there is a process in the table, which shouldn't be here at
976  * the current run level, then remv() kills the process.
977  */
978 static void
979 remv()
980 {
981 	struct PROC_TABLE	*process;
982 	struct CMD_LINE		cmd;
983 	char			cmd_string[MAXCMDL];
984 	int			change_level;
985 
986 	change_level = (cur_state != prev_state ? TRUE : FALSE);
987 
988 	/*
989 	 * Clear the TOUCHED flag on all entries so that when we have
990 	 * finished scanning inittab, we will be able to tell if we
991 	 * have any processes for which there is no entry in inittab.
992 	 */
993 	for (process = proc_table;
994 	    (process < proc_table + num_proc); process++) {
995 		process->p_flags &= ~TOUCHED;
996 	}
997 
998 	/*
999 	 * Scan all inittab entries.
1000 	 */
1001 	while (getcmd(&cmd, &cmd_string[0]) == TRUE) {
1002 		/* Scan for process which goes with this entry in inittab. */
1003 		for (process = proc_table;
1004 		    (process < proc_table + num_proc); process++) {
1005 			if ((process->p_flags & OCCUPIED) == 0 ||
1006 			    !id_eq(process->p_id, cmd.c_id))
1007 				continue;
1008 
1009 			/*
1010 			 * This slot contains the process we are looking for.
1011 			 */
1012 
1013 			/*
1014 			 * Is the cur_state SINGLE_USER or is this process
1015 			 * marked as "off" or was this proc started by some
1016 			 * mechanism other than LVL{a|b|c} and the current level
1017 			 * does not support this process?
1018 			 */
1019 			if (cur_state == SINGLE_USER ||
1020 			    cmd.c_action == M_OFF ||
1021 			    ((cmd.c_levels & state_to_mask(cur_state)) == 0 &&
1022 			    (process->p_flags & DEMANDREQUEST) == 0)) {
1023 				if (process->p_flags & LIVING) {
1024 					/*
1025 					 * Touch this entry so we know we have
1026 					 * treated it.  Note that procs which
1027 					 * are already dead at this point and
1028 					 * should not be restarted are left
1029 					 * untouched.  This causes their slot to
1030 					 * be freed later after dead accounting
1031 					 * is done.
1032 					 */
1033 					process->p_flags |= TOUCHED;
1034 
1035 					if ((process->p_flags & KILLED) == 0) {
1036 						if (change_level) {
1037 							process->p_flags
1038 							    |= WARNED;
1039 							(void) kill(
1040 							    process->p_pid,
1041 							    SIGTERM);
1042 						} else {
1043 							/*
1044 							 * Fork a killing proc
1045 							 * so "init" can
1046 							 * continue without
1047 							 * having to pause for
1048 							 * TWARN seconds.
1049 							 */
1050 							killproc(
1051 							    process->p_pid);
1052 						}
1053 						process->p_flags |= KILLED;
1054 					}
1055 				}
1056 			} else {
1057 				/*
1058 				 * Process can exist at current level.  If it is
1059 				 * still alive or a DEMANDREQUEST we touch it so
1060 				 * it will be left alone.  Otherwise we leave it
1061 				 * untouched so it will be accounted for and
1062 				 * cleaned up later in remv().  Dead
1063 				 * DEMANDREQUESTs will be accounted but not
1064 				 * freed.
1065 				 */
1066 				if (process->p_flags &
1067 				    (LIVING|NOCLEANUP|DEMANDREQUEST))
1068 					process->p_flags |= TOUCHED;
1069 			}
1070 
1071 			break;
1072 		}
1073 	}
1074 
1075 	st_write();
1076 
1077 	/*
1078 	 * If this was a change of levels call, scan through the
1079 	 * process table for processes that were warned to die.  If any
1080 	 * are found that haven't left yet, sleep for TWARN seconds and
1081 	 * then send final terminations to any that haven't died yet.
1082 	 */
1083 	if (change_level) {
1084 
1085 		/*
1086 		 * Set the alarm for TWARN seconds on the assumption
1087 		 * that there will be some that need to be waited for.
1088 		 * This won't harm anything except we are guaranteed to
1089 		 * wakeup in TWARN seconds whether we need to or not.
1090 		 */
1091 		setimer(TWARN);
1092 
1093 		/*
1094 		 * Scan for processes which should be dying.  We hope they
1095 		 * will die without having to be sent a SIGKILL signal.
1096 		 */
1097 		for (process = proc_table;
1098 		    (process < proc_table + num_proc); process++) {
1099 			/*
1100 			 * If this process should die, hasn't yet, and the
1101 			 * TWARN time hasn't expired yet, wait for process
1102 			 * to die or for timer to expire.
1103 			 */
1104 			while (time_up == FALSE &&
1105 			    (process->p_flags & (WARNED|LIVING|OCCUPIED)) ==
1106 			    (WARNED|LIVING|OCCUPIED))
1107 				(void) pause();
1108 
1109 			if (time_up == TRUE)
1110 				break;
1111 		}
1112 
1113 		/*
1114 		 * If we reached the end of the table without the timer
1115 		 * expiring, then there are no procs which will have to be
1116 		 * sent the SIGKILL signal.  If the timer has expired, then
1117 		 * it is necessary to scan the table again and send signals
1118 		 * to all processes which aren't going away nicely.
1119 		 */
1120 		if (time_up == TRUE) {
1121 			for (process = proc_table;
1122 			    (process < proc_table + num_proc); process++) {
1123 				if ((process->p_flags &
1124 				    (WARNED|LIVING|OCCUPIED)) ==
1125 				    (WARNED|LIVING|OCCUPIED))
1126 					(void) kill(process->p_pid, SIGKILL);
1127 			}
1128 		}
1129 		setimer(0);
1130 	}
1131 
1132 	/*
1133 	 * Rescan the proc_table for two kinds of entry, those marked LIVING,
1134 	 * NAMED, which don't have an entry in inittab (haven't been TOUCHED
1135 	 * by the above scanning), and haven't been sent kill signals, and
1136 	 * those entries marked not LIVING, NAMED.  The former procs are killed.
1137 	 * The latter have DEAD_PROCESS accounting done and the slot cleared.
1138 	 */
1139 	for (process = proc_table;
1140 	    (process < proc_table + num_proc); process++) {
1141 		if ((process->p_flags & (LIVING|NAMED|TOUCHED|KILLED|OCCUPIED))
1142 		    == (LIVING|NAMED|OCCUPIED)) {
1143 			killproc(process->p_pid);
1144 			process->p_flags |= KILLED;
1145 		} else if ((process->p_flags & (LIVING|NAMED|OCCUPIED)) ==
1146 		    (NAMED|OCCUPIED)) {
1147 			(void) account(DEAD_PROCESS, process, NULL);
1148 			/*
1149 			 * If this named proc hasn't been TOUCHED, then free the
1150 			 * space. It has either died of it's own accord, but
1151 			 * isn't respawnable or it was killed because it
1152 			 * shouldn't exist at this level.
1153 			 */
1154 			if ((process->p_flags & TOUCHED) == 0)
1155 				process->p_flags = 0;
1156 		}
1157 	}
1158 
1159 	st_write();
1160 }
1161 
1162 /*
1163  * Extract the svc.startd command line and whether to restart it from its
1164  * inittab entry.
1165  */
1166 /*ARGSUSED*/
1167 static void
1168 process_startd_line(struct CMD_LINE *cmd, char *cmd_string)
1169 {
1170 	size_t sz;
1171 
1172 	/* Save the command line. */
1173 	if (sflg || rflg) {
1174 		/* Also append -r or -s. */
1175 		(void) strlcpy(startd_cline, cmd_string, sizeof (startd_cline));
1176 		(void) strlcat(startd_cline, " -", sizeof (startd_cline));
1177 		if (sflg)
1178 			sz = strlcat(startd_cline, "s", sizeof (startd_cline));
1179 		if (rflg)
1180 			sz = strlcat(startd_cline, "r", sizeof (startd_cline));
1181 	} else {
1182 		sz = strlcpy(startd_cline, cmd_string, sizeof (startd_cline));
1183 	}
1184 
1185 	if (sz >= sizeof (startd_cline)) {
1186 		console(B_TRUE,
1187 		    "svc.startd command line too long.  Ignoring.\n");
1188 		startd_cline[0] = '\0';
1189 		return;
1190 	}
1191 }
1192 
1193 /*
1194  * spawn_processes() scans inittab for entries which should be run at this
1195  * mode.  Processes which should be running but are not, are started.
1196  */
1197 static int
1198 spawn_processes()
1199 {
1200 	struct PROC_TABLE		*pp;
1201 	struct CMD_LINE			cmd;
1202 	char				cmd_string[MAXCMDL];
1203 	short				lvl_mask;
1204 	int				status;
1205 
1206 	/*
1207 	 * First check the "powerhit" flag.  If it is set, make sure the modes
1208 	 * are PF_MODES and clear the "powerhit" flag.  Avoid the possible race
1209 	 * on the "powerhit" flag by disallowing a new powerfail interrupt
1210 	 * between the test of the powerhit flag and the clearing of it.
1211 	 */
1212 	if (wakeup.w_flags.w_powerhit) {
1213 		wakeup.w_flags.w_powerhit = 0;
1214 		op_modes = PF_MODES;
1215 	}
1216 	lvl_mask = state_to_mask(cur_state);
1217 
1218 	/*
1219 	 * Scan through all the entries in inittab.
1220 	 */
1221 	while ((status = getcmd(&cmd, &cmd_string[0])) == TRUE) {
1222 		if (id_eq(cmd.c_id, "smf")) {
1223 			process_startd_line(&cmd, cmd_string);
1224 			continue;
1225 		}
1226 
1227 retry_for_proc_slot:
1228 
1229 		/*
1230 		 * Find out if there is a process slot for this entry already.
1231 		 */
1232 		if ((pp = findpslot(&cmd)) == NULLPROC) {
1233 			/*
1234 			 * we've run out of proc table entries
1235 			 * increase proc_table.
1236 			 */
1237 			increase_proc_table_size();
1238 
1239 			/*
1240 			 * Retry now as we have an empty proc slot.
1241 			 * In case increase_proc_table_size() fails,
1242 			 * we will keep retrying.
1243 			 */
1244 			goto retry_for_proc_slot;
1245 		}
1246 
1247 		/*
1248 		 * If there is an entry, and it is marked as DEMANDREQUEST,
1249 		 * one of the levels a, b, or c is in its levels mask, and
1250 		 * the action field is ONDEMAND and ONDEMAND is a permissable
1251 		 * mode, and the process is dead, then respawn it.
1252 		 */
1253 		if (((pp->p_flags & (LIVING|DEMANDREQUEST)) == DEMANDREQUEST) &&
1254 		    (cmd.c_levels & MASK_abc) &&
1255 		    (cmd.c_action & op_modes) == M_ONDEMAND) {
1256 			spawn(pp, &cmd);
1257 			continue;
1258 		}
1259 
1260 		/*
1261 		 * If the action is not an action we are interested in,
1262 		 * skip the entry.
1263 		 */
1264 		if ((cmd.c_action & op_modes) == 0 || pp->p_flags & LIVING ||
1265 		    (cmd.c_levels & lvl_mask) == 0)
1266 			continue;
1267 
1268 		/*
1269 		 * If the modes are the normal modes (ONCE, WAIT, RESPAWN, OFF,
1270 		 * ONDEMAND) and the action field is either OFF or the action
1271 		 * field is ONCE or WAIT and the current level is the same as
1272 		 * the last level, then skip this entry.  ONCE and WAIT only
1273 		 * get run when the level changes.
1274 		 */
1275 		if (op_modes == NORMAL_MODES &&
1276 		    (cmd.c_action == M_OFF ||
1277 			(cmd.c_action & (M_ONCE|M_WAIT)) &&
1278 			cur_state == prev_state))
1279 			continue;
1280 
1281 		/*
1282 		 * At this point we are interested in performing the action for
1283 		 * this entry.  Actions fall into two categories, spinning off
1284 		 * a process and not waiting, and spinning off a process and
1285 		 * waiting for it to die.  If the action is ONCE, RESPAWN,
1286 		 * ONDEMAND, POWERFAIL, or BOOT we don't wait for the process
1287 		 * to die, for all other actions we do wait.
1288 		 */
1289 		if (cmd.c_action & (M_ONCE | M_RESPAWN | M_PF | M_BOOT)) {
1290 			spawn(pp, &cmd);
1291 
1292 		} else {
1293 			spawn(pp, &cmd);
1294 			while (waitproc(pp) == FAILURE);
1295 			(void) account(DEAD_PROCESS, pp, NULL);
1296 			pp->p_flags = 0;
1297 		}
1298 	}
1299 	return (status);
1300 }
1301 
1302 /*
1303  * spawn() spawns a shell, inserts the information about the process
1304  * process into the proc_table, and does the startup accounting.
1305  */
1306 static void
1307 spawn(struct PROC_TABLE *process, struct CMD_LINE *cmd)
1308 {
1309 	int		i;
1310 	int		modes, maxfiles;
1311 	time_t		now;
1312 	struct PROC_TABLE tmproc, *oprocess;
1313 
1314 	/*
1315 	 * The modes to be sent to efork() are 0 unless we are
1316 	 * spawning a LVLa, LVLb, or LVLc entry or we will be
1317 	 * waiting for the death of the child before continuing.
1318 	 */
1319 	modes = NAMED;
1320 	if (process->p_flags & DEMANDREQUEST || cur_state == LVLa ||
1321 	    cur_state == LVLb || cur_state == LVLc)
1322 		modes |= DEMANDREQUEST;
1323 	if ((cmd->c_action & (M_SYSINIT | M_WAIT | M_BOOTWAIT | M_PWAIT)) != 0)
1324 		modes |= NOCLEANUP;
1325 
1326 	/*
1327 	 * If this is a respawnable process, check the threshold
1328 	 * information to avoid excessive respawns.
1329 	 */
1330 	if (cmd->c_action & M_RESPAWN) {
1331 		/*
1332 		 * Add NOCLEANUP to all respawnable commands so that the
1333 		 * information about the frequency of respawns isn't lost.
1334 		 */
1335 		modes |= NOCLEANUP;
1336 		(void) time(&now);
1337 
1338 		/*
1339 		 * If no time is assigned, then this is the first time
1340 		 * this command is being processed in this series.  Assign
1341 		 * the current time.
1342 		 */
1343 		if (process->p_time == 0L)
1344 			process->p_time = now;
1345 
1346 		if (process->p_count++ == SPAWN_LIMIT) {
1347 
1348 			if ((now - process->p_time) < SPAWN_INTERVAL) {
1349 				/*
1350 				 * Process is respawning too rapidly.  Print
1351 				 * message and refuse to respawn it for now.
1352 				 */
1353 				console(B_TRUE, "Command is respawning too "
1354 				    "rapidly. Check for possible errors.\n"
1355 				    "id:%4s \"%s\"\n",
1356 				    &cmd->c_id[0], &cmd->c_command[EXEC]);
1357 				return;
1358 			}
1359 			process->p_time = now;
1360 			process->p_count = 0;
1361 
1362 		} else if (process->p_count > SPAWN_LIMIT) {
1363 			/*
1364 			 * If process has been respawning too rapidly and
1365 			 * the inhibit time limit hasn't expired yet, we
1366 			 * refuse to respawn.
1367 			 */
1368 			if (now - process->p_time < SPAWN_INTERVAL + INHIBIT)
1369 				return;
1370 			process->p_time = now;
1371 			process->p_count = 0;
1372 		}
1373 		rsflag = TRUE;
1374 	}
1375 
1376 	/*
1377 	 * Spawn a child process to execute this command.
1378 	 */
1379 	(void) sigset(SIGCLD, SIG_DFL);
1380 	oprocess = process;
1381 	while ((process = efork(cmd->c_action, oprocess, modes)) == NO_ROOM)
1382 		(void) pause();
1383 
1384 	if (process == NULLPROC) {
1385 
1386 		/*
1387 		 * We are the child.  We must make sure we get a different
1388 		 * file pointer for our references to utmpx.  Otherwise our
1389 		 * seeks and reads will compete with those of the parent.
1390 		 */
1391 		endutxent();
1392 
1393 		/*
1394 		 * Perform the accounting for the beginning of a process.
1395 		 * Note that all processes are initially "INIT_PROCESS"es.
1396 		 */
1397 		tmproc.p_id[0] = cmd->c_id[0];
1398 		tmproc.p_id[1] = cmd->c_id[1];
1399 		tmproc.p_id[2] = cmd->c_id[2];
1400 		tmproc.p_id[3] = cmd->c_id[3];
1401 		tmproc.p_pid = getpid();
1402 		tmproc.p_exit = 0;
1403 		(void) account(INIT_PROCESS, &tmproc,
1404 		    prog_name(&cmd->c_command[EXEC]));
1405 		maxfiles = ulimit(UL_GDESLIM, 0);
1406 		for (i = 0; i < maxfiles; i++)
1407 			(void) fcntl(i, F_SETFD, FD_CLOEXEC);
1408 
1409 		/*
1410 		 * Now exec a shell with the -c option and the command
1411 		 * from inittab.
1412 		 */
1413 		(void) execle(SH, "INITSH", "-c", cmd->c_command, (char *)0,
1414 		    glob_envp);
1415 		console(B_TRUE, "Command\n\"%s\"\n failed to execute.  errno "
1416 		    "= %d (exec of shell failed)\n", cmd->c_command, errno);
1417 
1418 		/*
1419 		 * Don't come back so quickly that "init" doesn't have a
1420 		 * chance to finish putting this child in "proc_table".
1421 		 */
1422 		timer(20);
1423 		exit(1);
1424 
1425 	}
1426 
1427 	/*
1428 	 * We are the parent.  Insert the necessary
1429 	 * information in the proc_table.
1430 	 */
1431 	process->p_id[0] = cmd->c_id[0];
1432 	process->p_id[1] = cmd->c_id[1];
1433 	process->p_id[2] = cmd->c_id[2];
1434 	process->p_id[3] = cmd->c_id[3];
1435 
1436 	st_write();
1437 
1438 	(void) sigset(SIGCLD, childeath);
1439 }
1440 
1441 /*
1442  * findpslot() finds the old slot in the process table for the
1443  * command with the same id, or it finds an empty slot.
1444  */
1445 static struct PROC_TABLE *
1446 findpslot(struct CMD_LINE *cmd)
1447 {
1448 	struct PROC_TABLE	*process;
1449 	struct PROC_TABLE	*empty = NULLPROC;
1450 
1451 	for (process = proc_table;
1452 	    (process < proc_table + num_proc); process++) {
1453 		if (process->p_flags & OCCUPIED &&
1454 		    id_eq(process->p_id, cmd->c_id))
1455 			break;
1456 
1457 		/*
1458 		 * If the entry is totally empty and "empty" is still 0,
1459 		 * remember where this hole is and make sure the slot is
1460 		 * zeroed out.
1461 		 */
1462 		if (empty == NULLPROC && (process->p_flags & OCCUPIED) == 0) {
1463 			empty = process;
1464 			process->p_id[0] = '\0';
1465 			process->p_id[1] = '\0';
1466 			process->p_id[2] = '\0';
1467 			process->p_id[3] = '\0';
1468 			process->p_pid = 0;
1469 			process->p_time = 0L;
1470 			process->p_count = 0;
1471 			process->p_flags = 0;
1472 			process->p_exit = 0;
1473 		}
1474 	}
1475 
1476 	/*
1477 	 * If there is no entry for this slot, then there should be an
1478 	 * empty slot.  If there is no empty slot, then we've run out
1479 	 * of proc_table space.  If the latter is true, empty will be
1480 	 * NULL and the caller will have to complain.
1481 	 */
1482 	if (process == (proc_table + num_proc))
1483 		process = empty;
1484 
1485 	return (process);
1486 }
1487 
1488 /*
1489  * getcmd() parses lines from inittab.  Each time it finds a command line
1490  * it will return TRUE as well as fill the passed CMD_LINE structure and
1491  * the shell command string.  When the end of inittab is reached, FALSE
1492  * is returned inittab is automatically opened if it is not currently open
1493  * and is closed when the end of the file is reached.
1494  */
1495 static FILE *fp_inittab = NULL;
1496 
1497 static int
1498 getcmd(struct CMD_LINE *cmd, char *shcmd)
1499 {
1500 	char	*ptr;
1501 	int	c, lastc, state;
1502 	char 	*ptr1;
1503 	int	answer, i, proceed;
1504 	struct	stat	sbuf;
1505 	static char *actions[] = {
1506 		"off", "respawn", "ondemand", "once", "wait", "boot",
1507 		"bootwait", "powerfail", "powerwait", "initdefault",
1508 		"sysinit",
1509 	};
1510 	static short act_masks[] = {
1511 		M_OFF, M_RESPAWN, M_ONDEMAND, M_ONCE, M_WAIT, M_BOOT,
1512 		M_BOOTWAIT, M_PF, M_PWAIT, M_INITDEFAULT, M_SYSINIT,
1513 	};
1514 	/*
1515 	 * Only these actions will be allowed for entries which
1516 	 * are specified for single-user mode.
1517 	 */
1518 	short su_acts = M_INITDEFAULT | M_PF | M_PWAIT | M_WAIT;
1519 
1520 	if (fp_inittab == NULL) {
1521 		/*
1522 		 * Before attempting to open inittab we stat it to make
1523 		 * sure it currently exists and is not empty.  We try
1524 		 * several times because someone may have temporarily
1525 		 * unlinked or truncated the file.
1526 		 */
1527 		for (i = 0; i < 3; i++) {
1528 			if (stat(INITTAB, &sbuf) == -1) {
1529 				if (i == 2) {
1530 					console(B_TRUE,
1531 					    "Cannot stat %s, errno: %d\n",
1532 					    INITTAB, errno);
1533 					return (FAILURE);
1534 				} else {
1535 					timer(3);
1536 				}
1537 			} else if (sbuf.st_size < 10) {
1538 				if (i == 2) {
1539 					console(B_TRUE,
1540 					    "%s truncated or corrupted\n",
1541 					    INITTAB);
1542 					return (FAILURE);
1543 				} else {
1544 					timer(3);
1545 				}
1546 			} else {
1547 				break;
1548 			}
1549 		}
1550 
1551 		/*
1552 		 * If unable to open inittab, print error message and
1553 		 * return FAILURE to caller.
1554 		 */
1555 		if ((fp_inittab = fopen(INITTAB, "r")) == NULL) {
1556 			console(B_TRUE, "Cannot open %s errno: %d\n", INITTAB,
1557 			    errno);
1558 			return (FAILURE);
1559 		}
1560 	}
1561 
1562 	/*
1563 	 * Keep getting commands from inittab until you find a
1564 	 * good one or run out of file.
1565 	 */
1566 	for (answer = FALSE; answer == FALSE; ) {
1567 		/*
1568 		 * Zero out the cmd itself before trying next line.
1569 		 */
1570 		bzero(cmd, sizeof (struct CMD_LINE));
1571 
1572 		/*
1573 		 * Read in lines of inittab, parsing at colons, until a line is
1574 		 * read in which doesn't end with a backslash.  Do not start if
1575 		 * the first character read is an EOF.  Note that this means
1576 		 * that lines which don't end in a newline are still processed,
1577 		 * since the "for" will terminate normally once started,
1578 		 * regardless of whether line terminates with a newline or EOF.
1579 		 */
1580 		state = FAILURE;
1581 		if ((c = fgetc(fp_inittab)) == EOF) {
1582 			answer = FALSE;
1583 			(void) fclose(fp_inittab);
1584 			fp_inittab = NULL;
1585 			break;
1586 		}
1587 
1588 		for (proceed = TRUE, ptr = shcmd, state = ID, lastc = '\0';
1589 		    proceed && c != EOF;
1590 		    lastc = c, c = fgetc(fp_inittab)) {
1591 		    /* If we're not in the FAILURE state and haven't	*/
1592 		    /* yet reached the shell command field, process	*/
1593 		    /* the line, otherwise just look for a real end	*/
1594 		    /* of line.						*/
1595 		    if (state != FAILURE && state != COMMAND) {
1596 			/*
1597 			 * Squeeze out spaces and tabs.
1598 			 */
1599 			if (c == ' ' || c == '\t')
1600 				continue;
1601 
1602 			/*
1603 			 * Ignore characters in a comment, except for the \n.
1604 			 */
1605 			if (state == COMMENT) {
1606 				if (c == '\n') {
1607 					lastc = ' ';
1608 					break;
1609 				} else {
1610 					continue;
1611 				}
1612 			}
1613 
1614 			/*
1615 			 * Detect comments (lines whose first non-whitespace
1616 			 * character is '#') by checking that we're at the
1617 			 * beginning of a line, have seen a '#', and haven't
1618 			 * yet accumulated any characters.
1619 			 */
1620 			if (state == ID && c == '#' && ptr == shcmd) {
1621 				state = COMMENT;
1622 				continue;
1623 			}
1624 
1625 			/*
1626 			 * If the character is a ':', then check the
1627 			 * previous field for correctness and advance
1628 			 * to the next field.
1629 			 */
1630 			if (c == ':') {
1631 			    switch (state) {
1632 
1633 			    case ID :
1634 				/*
1635 				 * Check to see that there are only
1636 				 * 1 to 4 characters for the id.
1637 				 */
1638 				if ((i = ptr - shcmd) < 1 || i > 4) {
1639 					state = FAILURE;
1640 				} else {
1641 					bcopy(shcmd, &cmd->c_id[0], i);
1642 					ptr = shcmd;
1643 					state = LEVELS;
1644 				}
1645 				break;
1646 
1647 			    case LEVELS :
1648 				/*
1649 				 * Build a mask for all the levels for
1650 				 * which this command will be legal.
1651 				 */
1652 				for (cmd->c_levels = 0, ptr1 = shcmd;
1653 				    ptr1 < ptr; ptr1++) {
1654 					int mask;
1655 					if (lvlname_to_mask(*ptr1,
1656 					    &mask) == -1) {
1657 						state = FAILURE;
1658 						break;
1659 					}
1660 					cmd->c_levels |= mask;
1661 				}
1662 				if (state != FAILURE) {
1663 					state = ACTION;
1664 					ptr = shcmd;	/* Reset the buffer */
1665 				}
1666 				break;
1667 
1668 			    case ACTION :
1669 				/*
1670 				 * Null terminate the string in shcmd buffer and
1671 				 * then try to match against legal actions.  If
1672 				 * the field is of length 0, then the default of
1673 				 * "RESPAWN" is used if the id is numeric,
1674 				 * otherwise the default is "OFF".
1675 				 */
1676 				if (ptr == shcmd) {
1677 					if (isdigit(cmd->c_id[0]) &&
1678 					    (cmd->c_id[1] == '\0' ||
1679 						isdigit(cmd->c_id[1])) &&
1680 					    (cmd->c_id[2] == '\0' ||
1681 						isdigit(cmd->c_id[2])) &&
1682 					    (cmd->c_id[3] == '\0' ||
1683 						isdigit(cmd->c_id[3])))
1684 						    cmd->c_action = M_RESPAWN;
1685 					else
1686 						    cmd->c_action = M_OFF;
1687 				} else {
1688 				    for (cmd->c_action = 0, i = 0, *ptr = '\0';
1689 				    i < sizeof (actions)/sizeof (char *);
1690 				    i++) {
1691 					if (strcmp(shcmd, actions[i]) == 0) {
1692 					    if ((cmd->c_levels & MASKSU) &&
1693 						!(act_masks[i] & su_acts))
1694 						    cmd->c_action = 0;
1695 					    else
1696 						cmd->c_action = act_masks[i];
1697 					    break;
1698 					}
1699 				    }
1700 				}
1701 
1702 				/*
1703 				 * If the action didn't match any legal action,
1704 				 * set state to FAILURE.
1705 				 */
1706 				if (cmd->c_action == 0) {
1707 					state = FAILURE;
1708 				} else {
1709 					state = COMMAND;
1710 					(void) strcpy(shcmd, "exec ");
1711 				}
1712 				ptr = shcmd + EXEC;
1713 				break;
1714 			    }
1715 			    continue;
1716 			}
1717 		    }
1718 
1719 		    /* If the character is a '\n', then this is the end of a */
1720 		    /* line.  If the '\n' wasn't preceded by a backslash, */
1721 		    /* it is also the end of an inittab command.  If it was */
1722 		    /* preceded by a backslash then the next line is a */
1723 		    /* continuation.  Note that the continuation '\n' falls */
1724 		    /* through and is treated like other characters and is */
1725 		    /* stored in the shell command line. */
1726 		    if (c == '\n' && lastc != '\\') {
1727 				proceed = FALSE;
1728 				*ptr = '\0';
1729 				break;
1730 		    }
1731 
1732 		    /* For all other characters just stuff them into the */
1733 		    /* command as long as there aren't too many of them. */
1734 		    /* Make sure there is room for a terminating '\0' also. */
1735 		    if (ptr >= shcmd + MAXCMDL - 1)
1736 			state = FAILURE;
1737 		    else
1738 			*ptr++ = (char)c;
1739 
1740 		    /* If the character we just stored was a quoted	*/
1741 		    /* backslash, then change "c" to '\0', so that this	*/
1742 		    /* backslash will not cause a subsequent '\n' to appear */
1743 		    /* quoted.  In otherwords '\' '\' '\n' is the real end */
1744 		    /* of a command, while '\' '\n' is a continuation. */
1745 		    if (c == '\\' && lastc == '\\')
1746 			c = '\0';
1747 		}
1748 
1749 		/*
1750 		 * Make sure all the fields are properly specified
1751 		 * for a good command line.
1752 		 */
1753 		if (state == COMMAND) {
1754 			answer = TRUE;
1755 			cmd->c_command = shcmd;
1756 
1757 			/*
1758 			 * If no default level was supplied, insert
1759 			 * all numerical levels.
1760 			 */
1761 			if (cmd->c_levels == 0)
1762 				cmd->c_levels = MASK_NUMERIC;
1763 
1764 			/*
1765 			 * If no action has been supplied, declare this
1766 			 * entry to be OFF.
1767 			 */
1768 			if (cmd->c_action == 0)
1769 				cmd->c_action = M_OFF;
1770 
1771 			/*
1772 			 * If no shell command has been supplied, make sure
1773 			 * there is a null string in the command field.
1774 			 */
1775 			if (ptr == shcmd + EXEC)
1776 				*shcmd = '\0';
1777 		} else
1778 			answer = FALSE;
1779 
1780 		/*
1781 		 * If we have reached the end of inittab, then close it
1782 		 * and quit trying to find a good command line.
1783 		 */
1784 		if (c == EOF) {
1785 			(void) fclose(fp_inittab);
1786 			fp_inittab = NULL;
1787 			break;
1788 		}
1789 	}
1790 	return (answer);
1791 }
1792 
1793 /*
1794  * lvlname_to_state(): convert the character name of a state to its level
1795  * (its corresponding signal number).
1796  */
1797 static int
1798 lvlname_to_state(char name)
1799 {
1800 	int i;
1801 	for (i = 0; i < LVL_NELEMS; i++) {
1802 		if (lvls[i].lvl_name == name)
1803 			return (lvls[i].lvl_state);
1804 	}
1805 	return (-1);
1806 }
1807 
1808 /*
1809  * state_to_name(): convert the level to the character name.
1810  */
1811 static char
1812 state_to_name(int state)
1813 {
1814 	int i;
1815 	for (i = 0; i < LVL_NELEMS; i++) {
1816 		if (lvls[i].lvl_state == state)
1817 			return (lvls[i].lvl_name);
1818 	}
1819 	return (-1);
1820 }
1821 
1822 /*
1823  * state_to_mask(): return the mask corresponding to a signal number
1824  */
1825 static int
1826 state_to_mask(int state)
1827 {
1828 	int i;
1829 	for (i = 0; i < LVL_NELEMS; i++) {
1830 		if (lvls[i].lvl_state == state)
1831 			return (lvls[i].lvl_mask);
1832 	}
1833 	return (0);	/* return 0, since that represents an empty mask */
1834 }
1835 
1836 /*
1837  * lvlname_to_mask(): return the mask corresponding to a levels character name
1838  */
1839 static int
1840 lvlname_to_mask(char name, int *mask)
1841 {
1842 	int i;
1843 	for (i = 0; i < LVL_NELEMS; i++) {
1844 		if (lvls[i].lvl_name == name) {
1845 			*mask = lvls[i].lvl_mask;
1846 			return (0);
1847 		}
1848 	}
1849 	return (-1);
1850 }
1851 
1852 /*
1853  * state_to_flags(): return the flags corresponding to a runlevel.  These
1854  * indicate properties of that runlevel.
1855  */
1856 static int
1857 state_to_flags(int state)
1858 {
1859 	int i;
1860 	for (i = 0; i < LVL_NELEMS; i++) {
1861 		if (lvls[i].lvl_state == state)
1862 			return (lvls[i].lvl_flags);
1863 	}
1864 	return (0);
1865 }
1866 
1867 /*
1868  * killproc() creates a child which kills the process specified by pid.
1869  */
1870 void
1871 killproc(pid_t pid)
1872 {
1873 	struct PROC_TABLE	*process;
1874 
1875 	(void) sigset(SIGCLD, SIG_DFL);
1876 	while ((process = efork(M_OFF, NULLPROC, 0)) == NO_ROOM)
1877 		(void) pause();
1878 	(void) sigset(SIGCLD, childeath);
1879 
1880 	if (process == NULLPROC) {
1881 		/*
1882 		 * efork() sets all signal handlers to the default, so reset
1883 		 * the ALRM handler to make timer() work as expected.
1884 		 */
1885 		(void) sigset(SIGALRM, alarmclk);
1886 
1887 		/*
1888 		 * We are the child.  Try to terminate the process nicely
1889 		 * first using SIGTERM and if it refuses to die in TWARN
1890 		 * seconds kill it with SIGKILL.
1891 		 */
1892 		(void) kill(pid, SIGTERM);
1893 		(void) timer(TWARN);
1894 		(void) kill(pid, SIGKILL);
1895 		(void) exit(0);
1896 	}
1897 }
1898 
1899 /*
1900  * Set up the default environment for all procs to be forked from init.
1901  * Read the values from the /etc/default/init file, except for PATH.  If
1902  * there's not enough room in the environment array, the environment
1903  * lines that don't fit are silently discarded.
1904  */
1905 void
1906 init_env()
1907 {
1908 	char	line[MAXCMDL];
1909 	FILE	*fp;
1910 	int	inquotes, length, wslength;
1911 	char	*tokp, *cp1, *cp2;
1912 
1913 	glob_envp[0] = malloc((unsigned)(strlen(DEF_PATH)+2));
1914 	(void) strcpy(glob_envp[0], DEF_PATH);
1915 	glob_envn = 1;
1916 
1917 	if (rflg) {
1918 		glob_envp[1] =
1919 			malloc((unsigned)(strlen("_DVFS_RECONFIG=YES")+2));
1920 		(void) strcpy(glob_envp[1], "_DVFS_RECONFIG=YES");
1921 		++glob_envn;
1922 	} else if (bflg == 1) {
1923 		glob_envp[1] =
1924 			malloc((unsigned)(strlen("RB_NOBOOTRC=YES")+2));
1925 		(void) strcpy(glob_envp[1], "RB_NOBOOTRC=YES");
1926 		++glob_envn;
1927 	}
1928 
1929 	if ((fp = fopen(ENVFILE, "r")) == NULL) {
1930 		console(B_TRUE,
1931 		    "Cannot open %s. Environment not initialized.\n",
1932 		    ENVFILE);
1933 	} else {
1934 		while (fgets(line, MAXCMDL - 1, fp) != NULL &&
1935 		    glob_envn < MAXENVENT - 2) {
1936 			/*
1937 			 * Toss newline
1938 			 */
1939 			length = strlen(line);
1940 			if (line[length - 1] == '\n')
1941 				line[length - 1] = '\0';
1942 
1943 			/*
1944 			 * Ignore blank or comment lines.
1945 			 */
1946 			if (line[0] == '#' || line[0] == '\0' ||
1947 			    (wslength = strspn(line, " \t\n")) ==
1948 			    strlen(line) ||
1949 			    strchr(line, '#') == line + wslength)
1950 				continue;
1951 
1952 			/*
1953 			 * First make a pass through the line and change
1954 			 * any non-quoted semi-colons to blanks so they
1955 			 * will be treated as token separators below.
1956 			 */
1957 			inquotes = 0;
1958 			for (cp1 = line; *cp1 != '\0'; cp1++) {
1959 				if (*cp1 == '"') {
1960 					if (inquotes == 0)
1961 						inquotes = 1;
1962 					else
1963 						inquotes = 0;
1964 				} else if (*cp1 == ';') {
1965 					if (inquotes == 0)
1966 						*cp1 = ' ';
1967 				}
1968 			}
1969 
1970 			/*
1971 			 * Tokens within the line are separated by blanks
1972 			 *  and tabs.  For each token in the line which
1973 			 * contains a '=' we strip out any quotes and then
1974 			 * stick the token in the environment array.
1975 			 */
1976 			if ((tokp = strtok(line, " \t")) == NULL)
1977 				continue;
1978 			do {
1979 				if (strchr(tokp, '=') == NULL)
1980 					continue;
1981 				length = strlen(tokp);
1982 				while ((cp1 = strpbrk(tokp, "\"\'")) != NULL) {
1983 					for (cp2 = cp1;
1984 					    cp2 < &tokp[length]; cp2++)
1985 						*cp2 = *(cp2 + 1);
1986 					length--;
1987 				}
1988 
1989 				if (strncmp(tokp, "CMASK=",
1990 				    sizeof ("CMASK=") - 1) == 0) {
1991 					long t;
1992 
1993 					/* We know there's an = */
1994 					t = strtol(strchr(tokp, '=') + 1, NULL,
1995 					    8);
1996 
1997 					/* Sanity */
1998 					if (t <= 077 && t >= 0)
1999 						cmask = (int)t;
2000 					(void) umask(cmask);
2001 					continue;
2002 				}
2003 				glob_envp[glob_envn] =
2004 				    malloc((unsigned)(length + 1));
2005 				(void) strcpy(glob_envp[glob_envn], tokp);
2006 				if (++glob_envn >= MAXENVENT - 1)
2007 					break;
2008 			} while ((tokp = strtok(NULL, " \t")) != NULL);
2009 		}
2010 
2011 		/*
2012 		 * Append a null pointer to the environment array
2013 		 * to mark its end.
2014 		 */
2015 		glob_envp[glob_envn] = NULL;
2016 		(void) fclose(fp);
2017 	}
2018 }
2019 
2020 /*
2021  * boot_init(): Do initialization things that should be done at boot.
2022  */
2023 void
2024 boot_init()
2025 {
2026 	int i;
2027 	struct PROC_TABLE *process, *oprocess;
2028 	struct CMD_LINE	cmd;
2029 	char	line[MAXCMDL];
2030 	char *old_path;
2031 	int maxfiles;
2032 
2033 	/* Use INIT_PATH for sysinit cmds */
2034 	old_path = glob_envp[0];
2035 	glob_envp[0] = malloc((unsigned)(strlen(INIT_PATH)+2));
2036 	(void) strcpy(glob_envp[0], INIT_PATH);
2037 
2038 	/*
2039 	 * Scan inittab(4) and process the special svc.startd entry, initdefault
2040 	 * and sysinit entries.
2041 	 */
2042 	while (getcmd(&cmd, &line[0]) == TRUE) {
2043 		if (startd_tmpl >= 0 && id_eq(cmd.c_id, "smf"))
2044 			process_startd_line(&cmd, line);
2045 		else if (cmd.c_action == M_INITDEFAULT) {
2046 			/*
2047 			 * initdefault is no longer meaningful, as the SMF
2048 			 * milestone controls what (legacy) run level we
2049 			 * boot to.
2050 			 */
2051 			console(B_TRUE,
2052 			    "Ignoring legacy \"initdefault\" entry.\n");
2053 		} else if (cmd.c_action == M_SYSINIT) {
2054 			/*
2055 			 * Execute the "sysinit" entry and wait for it to
2056 			 * complete.  No bookkeeping is performed on these
2057 			 * entries because we avoid writing to the file system
2058 			 * until after there has been an chance to check it.
2059 			 */
2060 			if (process = findpslot(&cmd)) {
2061 				(void) sigset(SIGCLD, SIG_DFL);
2062 
2063 				for (oprocess = process;
2064 				    (process = efork(M_OFF, oprocess,
2065 				    (NAMED|NOCLEANUP))) == NO_ROOM;
2066 				    /* CSTYLED */)
2067 					;
2068 				(void) sigset(SIGCLD, childeath);
2069 
2070 				if (process == NULLPROC) {
2071 					maxfiles = ulimit(UL_GDESLIM, 0);
2072 
2073 					for (i = 0; i < maxfiles; i++)
2074 						(void) fcntl(i, F_SETFD,
2075 						    FD_CLOEXEC);
2076 					(void) execle(SH, "INITSH", "-c",
2077 					    cmd.c_command,
2078 					    (char *)0, glob_envp);
2079 					console(B_TRUE,
2080 "Command\n\"%s\"\n failed to execute.  errno = %d (exec of shell failed)\n",
2081 						cmd.c_command, errno);
2082 					exit(1);
2083 				} else while (waitproc(process) == FAILURE);
2084 				process->p_flags = 0;
2085 				st_write();
2086 			}
2087 		}
2088 	}
2089 
2090 	/* Restore the path. */
2091 	free(glob_envp[0]);
2092 	glob_envp[0] = old_path;
2093 
2094 	/*
2095 	 * This will enable st_write() to complain about init_state_file.
2096 	 */
2097 	booting = 0;
2098 
2099 	/*
2100 	 * If the /etc/ioctl.syscon didn't exist or had invalid contents write
2101 	 * out a correct version.
2102 	 */
2103 	if (write_ioctl)
2104 		write_ioctl_syscon();
2105 
2106 	/*
2107 	 * Start svc.startd(1M), which does most of the work.
2108 	 */
2109 	if (startd_cline[0] != '\0' && startd_tmpl >= 0) {
2110 		/* Start svc.startd. */
2111 		if (startd_run(startd_cline, startd_tmpl, 0) == -1)
2112 			cur_state = SINGLE_USER;
2113 	} else {
2114 		console(B_TRUE, "Absent svc.startd entry or bad "
2115 		    "contract template.  Not starting svc.startd.\n");
2116 		enter_maintenance();
2117 	}
2118 }
2119 
2120 /*
2121  * init_signals(): Initialize all signals to either be caught or ignored.
2122  */
2123 void
2124 init_signals(void)
2125 {
2126 	struct sigaction act;
2127 	int i;
2128 
2129 	/*
2130 	 * Start by ignoring all signals, then selectively re-enable some.
2131 	 * The SIG_IGN disposition will only affect asynchronous signals:
2132 	 * any signal that we trigger synchronously that doesn't end up
2133 	 * being handled by siglvl() will be forcibly delivered by the kernel.
2134 	 */
2135 	for (i = SIGHUP; i <= SIGRTMAX; i++)
2136 		(void) sigset(i, SIG_IGN);
2137 
2138 	/*
2139 	 * Handle all level-changing signals using siglvl() and set sa_mask so
2140 	 * that all level-changing signals are blocked while in siglvl().
2141 	 */
2142 	act.sa_handler = siglvl;
2143 	act.sa_flags = SA_SIGINFO;
2144 	(void) sigemptyset(&act.sa_mask);
2145 
2146 	(void) sigaddset(&act.sa_mask, LVLQ);
2147 	(void) sigaddset(&act.sa_mask, LVL0);
2148 	(void) sigaddset(&act.sa_mask, LVL1);
2149 	(void) sigaddset(&act.sa_mask, LVL2);
2150 	(void) sigaddset(&act.sa_mask, LVL3);
2151 	(void) sigaddset(&act.sa_mask, LVL4);
2152 	(void) sigaddset(&act.sa_mask, LVL5);
2153 	(void) sigaddset(&act.sa_mask, LVL6);
2154 	(void) sigaddset(&act.sa_mask, SINGLE_USER);
2155 	(void) sigaddset(&act.sa_mask, LVLa);
2156 	(void) sigaddset(&act.sa_mask, LVLb);
2157 	(void) sigaddset(&act.sa_mask, LVLc);
2158 
2159 	(void) sigaction(LVLQ, &act, NULL);
2160 	(void) sigaction(LVL0, &act, NULL);
2161 	(void) sigaction(LVL1, &act, NULL);
2162 	(void) sigaction(LVL2, &act, NULL);
2163 	(void) sigaction(LVL3, &act, NULL);
2164 	(void) sigaction(LVL4, &act, NULL);
2165 	(void) sigaction(LVL5, &act, NULL);
2166 	(void) sigaction(LVL6, &act, NULL);
2167 	(void) sigaction(SINGLE_USER, &act, NULL);
2168 	(void) sigaction(LVLa, &act, NULL);
2169 	(void) sigaction(LVLb, &act, NULL);
2170 	(void) sigaction(LVLc, &act, NULL);
2171 
2172 	(void) sigset(SIGALRM, alarmclk);
2173 	alarmclk();
2174 
2175 	(void) sigset(SIGCLD, childeath);
2176 	(void) sigset(SIGPWR, powerfail);
2177 }
2178 
2179 /*
2180  * Set up pipe for "godchildren". If the file exists and is a pipe just open
2181  * it. Else, if the file system is r/w create it.  Otherwise, defer its
2182  * creation and open until after /var/run has been mounted.  This function is
2183  * only called on startup and when explicitly requested via LVLQ.
2184  */
2185 void
2186 setup_pipe()
2187 {
2188 	struct stat stat_buf;
2189 	struct statvfs statvfs_buf;
2190 	struct sigaction act;
2191 
2192 	/*
2193 	 * Always close the previous pipe descriptor as the mounted filesystems
2194 	 * may have changed.
2195 	 */
2196 	if (Pfd >= 0)
2197 		(void) close(Pfd);
2198 
2199 	if ((stat(INITPIPE, &stat_buf) == 0) &&
2200 	    ((stat_buf.st_mode & (S_IFMT|S_IRUSR)) == (S_IFIFO|S_IRUSR)))
2201 		Pfd = open(INITPIPE, O_RDWR | O_NDELAY);
2202 	else
2203 		if ((statvfs(INITPIPE_DIR, &statvfs_buf) == 0) &&
2204 		    ((statvfs_buf.f_flag & ST_RDONLY) == 0)) {
2205 			(void) unlink(INITPIPE);
2206 			(void) mknod(INITPIPE, S_IFIFO | 0600, 0);
2207 			Pfd = open(INITPIPE, O_RDWR | O_NDELAY);
2208 		}
2209 
2210 	if (Pfd >= 0) {
2211 		(void) ioctl(Pfd, I_SETSIG, S_INPUT);
2212 		/*
2213 		 * Read pipe in message discard mode.
2214 		 */
2215 		(void) ioctl(Pfd, I_SRDOPT, RMSGD);
2216 
2217 		act.sa_handler = sigpoll;
2218 		act.sa_flags = 0;
2219 		(void) sigemptyset(&act.sa_mask);
2220 		(void) sigaddset(&act.sa_mask, SIGCLD);
2221 		(void) sigaction(SIGPOLL, &act, NULL);
2222 	}
2223 }
2224 
2225 /*
2226  * siglvl - handle an asynchronous signal from init(1M) telling us that we
2227  * should change the current run level.  We set new_state accordingly.
2228  */
2229 void
2230 siglvl(int sig, siginfo_t *sip, ucontext_t *ucp)
2231 {
2232 	struct PROC_TABLE *process;
2233 	struct sigaction act;
2234 
2235 	/*
2236 	 * If the signal was from the kernel (rather than init(1M)) then init
2237 	 * itself tripped the signal.  That is, we might have a bug and tripped
2238 	 * a real SIGSEGV instead of receiving it as an alias for SIGLVLa.  In
2239 	 * such a case we reset the disposition to SIG_DFL, block all signals
2240 	 * in uc_mask but the current one, and return to the interrupted ucp
2241 	 * to effect an appropriate death.  The kernel will then restart us.
2242 	 *
2243 	 * The one exception to SI_FROMKERNEL() is SIGFPE (a.k.a. LVL6), which
2244 	 * the kernel can send us when it wants to effect an orderly reboot.
2245 	 * For this case we must also verify si_code is zero, rather than a
2246 	 * code such as FPE_INTDIV which a bug might have triggered.
2247 	 */
2248 	if (sip != NULL && SI_FROMKERNEL(sip) &&
2249 	    (sig != SIGFPE || sip->si_code == 0)) {
2250 
2251 		(void) sigemptyset(&act.sa_mask);
2252 		act.sa_handler = SIG_DFL;
2253 		act.sa_flags = 0;
2254 		(void) sigaction(sig, &act, NULL);
2255 
2256 		(void) sigfillset(&ucp->uc_sigmask);
2257 		(void) sigdelset(&ucp->uc_sigmask, sig);
2258 		ucp->uc_flags |= UC_SIGMASK;
2259 
2260 		(void) setcontext(ucp);
2261 	}
2262 
2263 	/*
2264 	 * If the signal received is a LVLQ signal, do not really
2265 	 * change levels, just restate the current level.  If the
2266 	 * signal is not a LVLQ, set the new level to the signal
2267 	 * received.
2268 	 */
2269 	if (sig == LVLQ) {
2270 		new_state = cur_state;
2271 		lvlq_received = B_TRUE;
2272 	} else {
2273 		new_state = sig;
2274 	}
2275 
2276 	/*
2277 	 * Clear all times and repeat counts in the process table
2278 	 * since either the level is changing or the user has editted
2279 	 * the inittab file and wants us to look at it again.
2280 	 * If the user has fixed a typo, we don't want residual timing
2281 	 * data preventing the fixed command line from executing.
2282 	 */
2283 	for (process = proc_table;
2284 		(process < proc_table + num_proc); process++) {
2285 		process->p_time = 0L;
2286 		process->p_count = 0;
2287 	}
2288 
2289 	/*
2290 	 * Set the flag to indicate that a "user signal" was received.
2291 	 */
2292 	wakeup.w_flags.w_usersignal = 1;
2293 }
2294 
2295 
2296 /*
2297  * alarmclk
2298  */
2299 static void
2300 alarmclk()
2301 {
2302 	time_up = TRUE;
2303 }
2304 
2305 /*
2306  * childeath_single():
2307  *
2308  * This used to be the SIGCLD handler and it was set with signal()
2309  * (as opposed to sigset()).  When a child exited we'd come to the
2310  * handler, wait for the child, and reenable the handler with
2311  * signal() just before returning.  The implementation of signal()
2312  * checks with waitid() for waitable children and sends a SIGCLD
2313  * if there are some.  If children are exiting faster than the
2314  * handler can run we keep sending signals and the handler never
2315  * gets to return and eventually the stack runs out and init dies.
2316  * To prevent that we set the handler with sigset() so the handler
2317  * doesn't need to be reset, and in childeath() (see below) we
2318  * call childeath_single() as long as there are children to be
2319  * waited for.  If a child exits while init is in the handler a
2320  * SIGCLD will be pending and delivered on return from the handler.
2321  * If the child was already waited for the handler will have nothing
2322  * to do and return, otherwise the child will be waited for.
2323  */
2324 static void
2325 childeath_single()
2326 {
2327 	struct PROC_TABLE	*process;
2328 	struct pidlist		*pp;
2329 	pid_t			pid;
2330 	int			status;
2331 
2332 	/*
2333 	 * Perform wait to get the process id of the child that died and
2334 	 * then scan the process table to see if we are interested in
2335 	 * this process. NOTE: if a super-user sends the SIGCLD signal
2336 	 * to init, the following wait will not immediately return and
2337 	 * init will be inoperative until one of its child really does die.
2338 	 */
2339 	pid = wait(&status);
2340 
2341 	for (process = proc_table;
2342 		(process < proc_table + num_proc); process++) {
2343 		if ((process->p_flags & (LIVING|OCCUPIED)) ==
2344 		    (LIVING|OCCUPIED) && process->p_pid == pid) {
2345 
2346 			/*
2347 			 * Mark this process as having died and store the exit
2348 			 * status.  Also set the wakeup flag for a dead child
2349 			 * and break out of the loop.
2350 			 */
2351 			process->p_flags &= ~LIVING;
2352 			process->p_exit = (short)status;
2353 			wakeup.w_flags.w_childdeath = 1;
2354 
2355 			return;
2356 		}
2357 	}
2358 
2359 	/*
2360 	 * No process was found above, look through auxiliary list.
2361 	 */
2362 	(void) sighold(SIGPOLL);
2363 	pp = Plhead;
2364 	while (pp) {
2365 		if (pid > pp->pl_pid) {
2366 			/*
2367 			 * Keep on looking.
2368 			 */
2369 			pp = pp->pl_next;
2370 			continue;
2371 		} else if (pid < pp->pl_pid) {
2372 			/*
2373 			 * Not in the list.
2374 			 */
2375 			break;
2376 		} else {
2377 			/*
2378 			 * This is a dead "godchild".
2379 			 */
2380 			pp->pl_dflag = 1;
2381 			pp->pl_exit = (short)status;
2382 			wakeup.w_flags.w_childdeath = 1;
2383 			Gchild = 1;	/* Notice to call cleanaux(). */
2384 			break;
2385 		}
2386 	}
2387 
2388 	(void) sigrelse(SIGPOLL);
2389 }
2390 
2391 /* ARGSUSED */
2392 static void
2393 childeath(int signo)
2394 {
2395 	siginfo_t info;
2396 
2397 	while ((waitid(P_ALL, (id_t)0, &info, WEXITED|WNOHANG|WNOWAIT) == 0) &&
2398 	    info.si_pid != 0)
2399 		childeath_single();
2400 }
2401 
2402 static void
2403 powerfail()
2404 {
2405 	(void) nice(-19);
2406 	wakeup.w_flags.w_powerhit = 1;
2407 }
2408 
2409 /*
2410  * efork() forks a child and the parent inserts the process in its table
2411  * of processes that are directly a result of forks that it has performed.
2412  * The child just changes the "global" with the process id for this process
2413  * to it's new value.
2414  * If efork() is called with a pointer into the proc_table it uses that slot,
2415  * otherwise it searches for a free slot.  Regardless of how it was called,
2416  * it returns the pointer to the proc_table entry
2417  *
2418  * The SIGCLD handler is set to default (SIG_DFL) before calling efork().
2419  * This relies on the somewhat obscure SVR2 SIGCLD/SIG_DFL semantic
2420  * implied by the use of signal(3c).  While the meaning of SIG_DFL for
2421  * SIGCLD is nominally to ignore the signal, once the signal disposition
2422  * is set to childeath(), the kernel will post a SIGCLD if a child
2423  * exited during the period the disposition was SIG_DFL.  It acts more
2424  * like a signal block.
2425  *
2426  * Ideally, this should be rewritten to use modern signal semantics.
2427  */
2428 static struct PROC_TABLE *
2429 efork(int action, struct PROC_TABLE *process, int modes)
2430 {
2431 	pid_t	childpid;
2432 	struct PROC_TABLE *proc;
2433 	int		i;
2434 	void (*oldroutine)();
2435 	/*
2436 	 * Freshen up the proc_table, removing any entries for dead processes
2437 	 * that don't have NOCLEANUP set.  Perform the necessary accounting.
2438 	 */
2439 	for (proc = proc_table; (proc < proc_table + num_proc); proc++) {
2440 		if ((proc->p_flags & (OCCUPIED|LIVING|NOCLEANUP)) ==
2441 		    (OCCUPIED)) {
2442 			/*
2443 			 * Is this a named process?
2444 			 * If so, do the necessary bookkeeping.
2445 			 */
2446 			if (proc->p_flags & NAMED)
2447 				(void) account(DEAD_PROCESS, proc, NULL);
2448 
2449 			/*
2450 			 * Free this entry for new usage.
2451 			 */
2452 			proc->p_flags = 0;
2453 		}
2454 	}
2455 
2456 	while ((childpid = fork()) == FAILURE) {
2457 		/*
2458 		 * Shorten the alarm timer in case someone else's child dies
2459 		 * and free up a slot in the process table.
2460 		 */
2461 		setimer(5);
2462 
2463 		/*
2464 		 * Wait for some children to die.  Since efork() is normally
2465 		 * called with SIGCLD in the default state, reset it to catch
2466 		 * so that child death signals can come in.
2467 		 */
2468 		oldroutine = sigset(SIGCLD, childeath);
2469 		(void) pause();
2470 		(void) sigset(SIGCLD, oldroutine);
2471 		setimer(0);
2472 	}
2473 
2474 	if (childpid != 0) {
2475 
2476 		if (process == NULLPROC) {
2477 			/*
2478 			 * No proc table pointer specified so search
2479 			 * for a free slot.
2480 			 */
2481 			for (process = proc_table;  process->p_flags != 0 &&
2482 				(process < proc_table + num_proc); process++)
2483 					;
2484 
2485 			if (process == (proc_table + num_proc)) {
2486 				int old_proc_table_size = num_proc;
2487 
2488 				/* Increase the process table size */
2489 				increase_proc_table_size();
2490 				if (old_proc_table_size == num_proc) {
2491 					/* didn't grow: memory failure */
2492 					return (NO_ROOM);
2493 				} else {
2494 					process =
2495 					    proc_table + old_proc_table_size;
2496 				}
2497 			}
2498 
2499 			process->p_time = 0L;
2500 			process->p_count = 0;
2501 		}
2502 		process->p_id[0] = '\0';
2503 		process->p_id[1] = '\0';
2504 		process->p_id[2] = '\0';
2505 		process->p_id[3] = '\0';
2506 		process->p_pid = childpid;
2507 		process->p_flags = (LIVING | OCCUPIED | modes);
2508 		process->p_exit = 0;
2509 
2510 		st_write();
2511 	} else {
2512 		if ((action & (M_WAIT | M_BOOTWAIT)) == 0)
2513 			(void) setpgrp();
2514 
2515 		process = NULLPROC;
2516 
2517 		/*
2518 		 * Reset all signals to the system defaults.
2519 		 */
2520 		for (i = SIGHUP; i <= SIGRTMAX; i++)
2521 			(void) sigset(i, SIG_DFL);
2522 
2523 		/*
2524 		 * POSIX B.2.2.2 advises that init should set SIGTTOU,
2525 		 * SIGTTIN, and SIGTSTP to SIG_IGN.
2526 		 *
2527 		 * Make sure that SIGXCPU and SIGXFSZ also remain ignored,
2528 		 * for backward compatibility.
2529 		 */
2530 		(void) sigset(SIGTTIN, SIG_IGN);
2531 		(void) sigset(SIGTTOU, SIG_IGN);
2532 		(void) sigset(SIGTSTP, SIG_IGN);
2533 		(void) sigset(SIGXCPU, SIG_IGN);
2534 		(void) sigset(SIGXFSZ, SIG_IGN);
2535 	}
2536 	return (process);
2537 }
2538 
2539 
2540 /*
2541  * waitproc() waits for a specified process to die.  For this function to
2542  * work, the specified process must already in the proc_table.  waitproc()
2543  * returns the exit status of the specified process when it dies.
2544  */
2545 static long
2546 waitproc(struct PROC_TABLE *process)
2547 {
2548 	int		answer;
2549 	sigset_t	oldmask, newmask, zeromask;
2550 
2551 	(void) sigemptyset(&zeromask);
2552 	(void) sigemptyset(&newmask);
2553 
2554 	(void) sigaddset(&newmask, SIGCLD);
2555 
2556 	/* Block SIGCLD and save the current signal mask */
2557 	if (sigprocmask(SIG_BLOCK, &newmask, &oldmask) < 0)
2558 		perror("SIG_BLOCK error");
2559 
2560 	/*
2561 	 * Wait around until the process dies.
2562 	 */
2563 	if (process->p_flags & LIVING)
2564 		(void) sigsuspend(&zeromask);
2565 
2566 	/* Reset signal mask to unblock SIGCLD */
2567 	if (sigprocmask(SIG_SETMASK, &oldmask, NULL) < 0)
2568 		perror("SIG_SETMASK error");
2569 
2570 	if (process->p_flags & LIVING)
2571 		return (FAILURE);
2572 
2573 	/*
2574 	 * Make sure to only return 16 bits so that answer will always
2575 	 * be positive whenever the process of interest really died.
2576 	 */
2577 	answer = (process->p_exit & 0xffff);
2578 
2579 	/*
2580 	 * Free the slot in the proc_table.
2581 	 */
2582 	process->p_flags = 0;
2583 	return (answer);
2584 }
2585 
2586 /*
2587  * notify_pam_dead(): calls into the PAM framework to close the given session.
2588  */
2589 static void
2590 notify_pam_dead(struct utmpx *up)
2591 {
2592 	pam_handle_t *pamh;
2593 	char user[sizeof (up->ut_user) + 1];
2594 	char ttyn[sizeof (up->ut_line) + 1];
2595 	char host[sizeof (up->ut_host) + 1];
2596 
2597 	/*
2598 	 * PAM does not take care of updating utmpx/wtmpx.
2599 	 */
2600 	(void) snprintf(user, sizeof (user), "%s", up->ut_user);
2601 	(void) snprintf(ttyn, sizeof (ttyn), "%s", up->ut_line);
2602 	(void) snprintf(host, sizeof (host), "%s", up->ut_host);
2603 
2604 	if (pam_start("init", user, NULL, &pamh) == PAM_SUCCESS)  {
2605 		(void) pam_set_item(pamh, PAM_TTY, ttyn);
2606 		(void) pam_set_item(pamh, PAM_RHOST, host);
2607 		(void) pam_close_session(pamh, 0);
2608 		(void) pam_end(pamh, PAM_SUCCESS);
2609 	}
2610 }
2611 
2612 /*
2613  * Check you can access utmpx (As / may be read-only and
2614  * /var may not be mounted yet).
2615  */
2616 static int
2617 access_utmpx(void)
2618 {
2619 	do {
2620 		utmpx_ok = (access(UTMPX, R_OK|W_OK) == 0);
2621 	} while (!utmpx_ok && errno == EINTR);
2622 
2623 	return (utmpx_ok);
2624 }
2625 
2626 /*
2627  * account() updates entries in utmpx and appends new entries to the end of
2628  * wtmpx (assuming they exist).  The program argument indicates the name of
2629  * program if INIT_PROCESS, otherwise should be NULL.
2630  *
2631  * account() only blocks for INIT_PROCESS requests.
2632  *
2633  * Returns non-zero if write failed.
2634  */
2635 static int
2636 account(short state, struct PROC_TABLE *process, char *program)
2637 {
2638 	struct utmpx utmpbuf, *u, *oldu;
2639 	int tmplen;
2640 	char fail_buf[UT_LINE_SZ];
2641 	sigset_t block, unblock;
2642 
2643 	if (!utmpx_ok && !access_utmpx()) {
2644 		return (-1);
2645 	}
2646 
2647 	/*
2648 	 * Set up the prototype for the utmp structure we want to write.
2649 	 */
2650 	u = &utmpbuf;
2651 	(void) memset(u, 0, sizeof (struct utmpx));
2652 
2653 	/*
2654 	 * Fill in the various fields of the utmp structure.
2655 	 */
2656 	u->ut_id[0] = process->p_id[0];
2657 	u->ut_id[1] = process->p_id[1];
2658 	u->ut_id[2] = process->p_id[2];
2659 	u->ut_id[3] = process->p_id[3];
2660 	u->ut_pid = process->p_pid;
2661 
2662 	/*
2663 	 * Fill the "ut_exit" structure.
2664 	 */
2665 	u->ut_exit.e_termination = WTERMSIG(process->p_exit);
2666 	u->ut_exit.e_exit = WEXITSTATUS(process->p_exit);
2667 	u->ut_type = state;
2668 
2669 	(void) time(&u->ut_tv.tv_sec);
2670 
2671 	/*
2672 	 * Block signals for utmp update.
2673 	 */
2674 	(void) sigfillset(&block);
2675 	(void) sigprocmask(SIG_BLOCK, &block, &unblock);
2676 
2677 	/*
2678 	 * See if there already is such an entry in the "utmpx" file.
2679 	 */
2680 	setutxent();	/* Start at beginning of utmpx file. */
2681 
2682 	if ((oldu = getutxid(u)) != NULL) {
2683 		/*
2684 		 * Copy in the old "user", "line" and "host" fields
2685 		 * to our new structure.
2686 		 */
2687 		bcopy(oldu->ut_user, u->ut_user, sizeof (u->ut_user));
2688 		bcopy(oldu->ut_line, u->ut_line, sizeof (u->ut_line));
2689 		bcopy(oldu->ut_host, u->ut_host, sizeof (u->ut_host));
2690 		u->ut_syslen = (tmplen = strlen(u->ut_host)) ?
2691 			min(tmplen + 1, sizeof (u->ut_host)) : 0;
2692 
2693 		if (oldu->ut_type == USER_PROCESS && state == DEAD_PROCESS) {
2694 			notify_pam_dead(oldu);
2695 		}
2696 	}
2697 
2698 	/*
2699 	 * Perform special accounting. Insert the special string into the
2700 	 * ut_line array. For INIT_PROCESSes put in the name of the
2701 	 * program in the "ut_user" field.
2702 	 */
2703 	switch (state) {
2704 	case INIT_PROCESS:
2705 		(void) strncpy(u->ut_user, program, sizeof (u->ut_user));
2706 		(void) strcpy(fail_buf, "INIT_PROCESS");
2707 		break;
2708 
2709 	default:
2710 		(void) strlcpy(fail_buf, u->ut_id, sizeof (u->ut_id) + 1);
2711 		break;
2712 	}
2713 
2714 	/*
2715 	 * Write out the updated entry to utmpx file.
2716 	 */
2717 	if (pututxline(u) == NULL) {
2718 		console(B_TRUE, "Failed write of utmpx entry: \"%s\": %s\n",
2719 		    fail_buf, strerror(errno));
2720 		endutxent();
2721 		(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
2722 		return (-1);
2723 	}
2724 
2725 	/*
2726 	 * If we're able to write to utmpx, then attempt to add to the
2727 	 * end of the wtmpx file.
2728 	 */
2729 	updwtmpx(WTMPX, u);
2730 
2731 	endutxent();
2732 
2733 	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
2734 
2735 	return (0);
2736 }
2737 
2738 static void
2739 clearent(pid_t pid, short status)
2740 {
2741 	struct utmpx *up;
2742 	sigset_t block, unblock;
2743 
2744 	/*
2745 	 * Block signals for utmp update.
2746 	 */
2747 	(void) sigfillset(&block);
2748 	(void) sigprocmask(SIG_BLOCK, &block, &unblock);
2749 
2750 	/*
2751 	 * No error checking for now.
2752 	 */
2753 
2754 	setutxent();
2755 	while (up = getutxent()) {
2756 		if (up->ut_pid == pid) {
2757 			if (up->ut_type == DEAD_PROCESS) {
2758 				/*
2759 				 * Cleaned up elsewhere.
2760 				 */
2761 				continue;
2762 			}
2763 
2764 			notify_pam_dead(up);
2765 
2766 			up->ut_type = DEAD_PROCESS;
2767 			up->ut_exit.e_termination = WTERMSIG(status);
2768 			up->ut_exit.e_exit = WEXITSTATUS(status);
2769 			(void) time(&up->ut_tv.tv_sec);
2770 
2771 			(void) pututxline(up);
2772 			/*
2773 			 * Now attempt to add to the end of the
2774 			 * wtmp and wtmpx files.  Do not create
2775 			 * if they don't already exist.
2776 			 */
2777 			updwtmpx(WTMPX, up);
2778 
2779 			break;
2780 		}
2781 	}
2782 
2783 	endutxent();
2784 	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
2785 }
2786 
2787 /*
2788  * prog_name() searches for the word or unix path name and
2789  * returns a pointer to the last element of the pathname.
2790  */
2791 static char *
2792 prog_name(char *string)
2793 {
2794 	char	*ptr, *ptr2;
2795 	/* XXX - utmp - fix name length */
2796 	static char word[_POSIX_LOGIN_NAME_MAX];
2797 
2798 	/*
2799 	 * Search for the first word skipping leading spaces and tabs.
2800 	 */
2801 	while (*string == ' ' || *string == '\t')
2802 		string++;
2803 
2804 	/*
2805 	 * If the first non-space non-tab character is not one allowed in
2806 	 * a word, return a pointer to a null string, otherwise parse the
2807 	 * pathname.
2808 	 */
2809 	if (*string != '.' && *string != '/' && *string != '_' &&
2810 	    (*string < 'a' || *string > 'z') &&
2811 	    (*string < 'A' || * string > 'Z') &&
2812 	    (*string < '0' || *string > '9'))
2813 		return ("");
2814 
2815 	/*
2816 	 * Parse the pathname looking forward for '/', ' ', '\t', '\n' or
2817 	 * '\0'.  Each time a '/' is found, move "ptr" to one past the
2818 	 * '/', thus when a ' ', '\t', '\n', or '\0' is found, "ptr" will
2819 	 * point to the last element of the pathname.
2820 	 */
2821 	for (ptr = string;
2822 		*string != ' ' && *string != '\t' && *string != '\n' &&
2823 							*string != '\0';
2824 		string++) {
2825 		if (*string == '/')
2826 			ptr = string+1;
2827 	}
2828 
2829 	/*
2830 	 * Copy out up to the size of the "ut_user" array into "word",
2831 	 * null terminate it and return a pointer to it.
2832 	 */
2833 	/* XXX - utmp - fix name length */
2834 	for (ptr2 = &word[0]; ptr2 < &word[_POSIX_LOGIN_NAME_MAX - 1] &&
2835 	    ptr < string; /* CSTYLED */)
2836 		*ptr2++ = *ptr++;
2837 
2838 	*ptr2 = '\0';
2839 	return (&word[0]);
2840 }
2841 
2842 
2843 /*
2844  * realcon() returns a nonzero value if there is a character device
2845  * associated with SYSCON that has the same device number as CONSOLE.
2846  */
2847 static int
2848 realcon()
2849 {
2850 	struct stat sconbuf, conbuf;
2851 
2852 	if (stat(SYSCON, &sconbuf) != -1 &&
2853 	    stat(CONSOLE, &conbuf) != -1 &&
2854 	    S_ISCHR(sconbuf.st_mode) &&
2855 	    S_ISCHR(conbuf.st_mode) &&
2856 	    sconbuf.st_rdev == conbuf.st_rdev) {
2857 		return (1);
2858 	} else {
2859 		return (0);
2860 	}
2861 }
2862 
2863 
2864 /*
2865  * get_ioctl_syscon() retrieves the SYSCON settings from the IOCTLSYSCON file.
2866  * Returns true if the IOCTLSYSCON file needs to be written (with
2867  * write_ioctl_syscon() below)
2868  */
2869 static int
2870 get_ioctl_syscon()
2871 {
2872 	FILE	*fp;
2873 	unsigned int	iflags, oflags, cflags, lflags, ldisc, cc[18];
2874 	int		i, valid_format = 0;
2875 
2876 	/*
2877 	 * Read in the previous modes for SYSCON from IOCTLSYSCON.
2878 	 */
2879 	if ((fp = fopen(IOCTLSYSCON, "r")) == NULL) {
2880 		stored_syscon_termios = dflt_termios;
2881 		console(B_TRUE,
2882 		    "warning:%s does not exist, default settings assumed\n",
2883 		    IOCTLSYSCON);
2884 	} else {
2885 
2886 	    i = fscanf(fp,
2887 	    "%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x",
2888 		&iflags, &oflags, &cflags, &lflags,
2889 		&cc[0], &cc[1], &cc[2], &cc[3], &cc[4], &cc[5], &cc[6],
2890 		&cc[7], &cc[8], &cc[9], &cc[10], &cc[11], &cc[12], &cc[13],
2891 		&cc[14], &cc[15], &cc[16], &cc[17]);
2892 
2893 	    if (i == 22) {
2894 		stored_syscon_termios.c_iflag = iflags;
2895 		stored_syscon_termios.c_oflag = oflags;
2896 		stored_syscon_termios.c_cflag = cflags;
2897 		stored_syscon_termios.c_lflag = lflags;
2898 		for (i = 0; i < 18; i++)
2899 			stored_syscon_termios.c_cc[i] = (char)cc[i];
2900 		valid_format = 1;
2901 	    } else if (i == 13) {
2902 		rewind(fp);
2903 		i = fscanf(fp, "%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x",
2904 		    &iflags, &oflags, &cflags, &lflags, &ldisc, &cc[0], &cc[1],
2905 		    &cc[2], &cc[3], &cc[4], &cc[5], &cc[6], &cc[7]);
2906 
2907 		/*
2908 		 * If the file is formatted properly, use the values to
2909 		 * initialize the console terminal condition.
2910 		 */
2911 		stored_syscon_termios.c_iflag = (ushort_t)iflags;
2912 		stored_syscon_termios.c_oflag = (ushort_t)oflags;
2913 		stored_syscon_termios.c_cflag = (ushort_t)cflags;
2914 		stored_syscon_termios.c_lflag = (ushort_t)lflags;
2915 		for (i = 0; i < 8; i++)
2916 			stored_syscon_termios.c_cc[i] = (char)cc[i];
2917 		valid_format = 1;
2918 	    }
2919 	    (void) fclose(fp);
2920 
2921 	    /* If the file is badly formatted, use the default settings. */
2922 	    if (!valid_format)
2923 		stored_syscon_termios = dflt_termios;
2924 	}
2925 
2926 	/* If the file had a bad format, rewrite it later. */
2927 	return (!valid_format);
2928 }
2929 
2930 
2931 static void
2932 write_ioctl_syscon()
2933 {
2934 	FILE *fp;
2935 	int i;
2936 
2937 	(void) unlink(SYSCON);
2938 	(void) link(SYSTTY, SYSCON);
2939 	(void) umask(022);
2940 	fp = fopen(IOCTLSYSCON, "w");
2941 
2942 	(void) fprintf(fp, "%x:%x:%x:%x:0", stored_syscon_termios.c_iflag,
2943 	    stored_syscon_termios.c_oflag, stored_syscon_termios.c_cflag,
2944 	    stored_syscon_termios.c_lflag);
2945 	for (i = 0; i < 8; ++i)
2946 		(void) fprintf(fp, ":%x", stored_syscon_termios.c_cc[i]);
2947 	(void) putc('\n', fp);
2948 
2949 	(void) fflush(fp);
2950 	(void) fsync(fileno(fp));
2951 	(void) fclose(fp);
2952 	(void) umask(cmask);
2953 }
2954 
2955 
2956 /*
2957  * void console(boolean_t, char *, ...)
2958  *   Outputs the requested message to the system console.  Note that the number
2959  *   of arguments passed to console() should be determined by the print format.
2960  *
2961  *   The "prefix" parameter indicates whether or not "INIT: " should precede the
2962  *   message.
2963  *
2964  *   To make sure we write to the console in a sane fashion, we use the modes
2965  *   we keep in stored_syscon_termios (which we read out of /etc/ioctl.syscon).
2966  *   Afterwards we restore whatever modes were already there.
2967  */
2968 /* PRINTFLIKE2 */
2969 static void
2970 console(boolean_t prefix, char *format, ...)
2971 {
2972 	char	outbuf[BUFSIZ];
2973 	va_list	args;
2974 	int fd, getret;
2975 	struct termios old_syscon_termios;
2976 	FILE *f;
2977 
2978 	/*
2979 	 * We open SYSCON anew each time in case it has changed (see
2980 	 * userinit()).
2981 	 */
2982 	if ((fd = open(SYSCON, O_RDWR | O_NOCTTY)) < 0 ||
2983 	    (f = fdopen(fd, "r+")) == NULL) {
2984 		if (prefix)
2985 			syslog(LOG_WARNING, "INIT: ");
2986 		va_start(args, format);
2987 		vsyslog(LOG_WARNING, format, args);
2988 		va_end(args);
2989 		if (fd >= 0)
2990 			(void) close(fd);
2991 		return;
2992 	}
2993 	setbuf(f, &outbuf[0]);
2994 
2995 	getret = tcgetattr(fd, &old_syscon_termios);
2996 	old_syscon_termios.c_cflag &= ~HUPCL;
2997 	if (realcon())
2998 		/* Don't overwrite cflag of real console. */
2999 		stored_syscon_termios.c_cflag = old_syscon_termios.c_cflag;
3000 
3001 	stored_syscon_termios.c_cflag &= ~HUPCL;
3002 
3003 	(void) tcsetattr(fd, TCSANOW, &stored_syscon_termios);
3004 
3005 	if (prefix)
3006 		(void) fprintf(f, "\nINIT: ");
3007 	va_start(args, format);
3008 	(void) vfprintf(f, format, args);
3009 	va_end(args);
3010 
3011 	if (getret == 0)
3012 		(void) tcsetattr(fd, TCSADRAIN, &old_syscon_termios);
3013 
3014 	(void) fclose(f);
3015 }
3016 
3017 /*
3018  * timer() is a substitute for sleep() which uses alarm() and pause().
3019  */
3020 static void
3021 timer(int waitime)
3022 {
3023 	setimer(waitime);
3024 	while (time_up == FALSE)
3025 		(void) pause();
3026 }
3027 
3028 static void
3029 setimer(int timelimit)
3030 {
3031 	alarmclk();
3032 	(void) alarm(timelimit);
3033 	time_up = (timelimit ? FALSE : TRUE);
3034 }
3035 
3036 /*
3037  * Fails with
3038  *   ENOMEM - out of memory
3039  *   ECONNABORTED - repository connection broken
3040  *   EPERM - permission denied
3041  *   EACCES - backend access denied
3042  *   EROFS - backend readonly
3043  */
3044 static int
3045 get_or_add_startd(scf_instance_t *inst)
3046 {
3047 	scf_handle_t *h;
3048 	scf_scope_t *scope = NULL;
3049 	scf_service_t *svc = NULL;
3050 	int ret = 0;
3051 
3052 	h = scf_instance_handle(inst);
3053 
3054 	if (scf_handle_decode_fmri(h, SCF_SERVICE_STARTD, NULL, NULL, inst,
3055 	    NULL, NULL, SCF_DECODE_FMRI_EXACT) == 0)
3056 		return (0);
3057 
3058 	switch (scf_error()) {
3059 	case SCF_ERROR_CONNECTION_BROKEN:
3060 		return (ECONNABORTED);
3061 
3062 	case SCF_ERROR_NOT_FOUND:
3063 		break;
3064 
3065 	case SCF_ERROR_HANDLE_MISMATCH:
3066 	case SCF_ERROR_INVALID_ARGUMENT:
3067 	case SCF_ERROR_CONSTRAINT_VIOLATED:
3068 	default:
3069 		bad_error("scf_handle_decode_fmri", scf_error());
3070 	}
3071 
3072 	/* Make sure we're right, since we're adding piece-by-piece. */
3073 	assert(strcmp(SCF_SERVICE_STARTD,
3074 	    "svc:/system/svc/restarter:default") == 0);
3075 
3076 	if ((scope = scf_scope_create(h)) == NULL ||
3077 	    (svc = scf_service_create(h)) == NULL) {
3078 		ret = ENOMEM;
3079 		goto out;
3080 	}
3081 
3082 get_scope:
3083 	if (scf_handle_get_scope(h, SCF_SCOPE_LOCAL, scope) != 0) {
3084 		switch (scf_error()) {
3085 		case SCF_ERROR_CONNECTION_BROKEN:
3086 			ret = ECONNABORTED;
3087 			goto out;
3088 
3089 		case SCF_ERROR_NOT_FOUND:
3090 			(void) fputs(gettext(
3091 			    "smf(5) repository missing local scope.\n"),
3092 			    stderr);
3093 			exit(1);
3094 			/* NOTREACHED */
3095 
3096 		case SCF_ERROR_HANDLE_MISMATCH:
3097 		case SCF_ERROR_INVALID_ARGUMENT:
3098 		default:
3099 			bad_error("scf_handle_get_scope", scf_error());
3100 		}
3101 	}
3102 
3103 get_svc:
3104 	if (scf_scope_get_service(scope, "system/svc/restarter", svc) != 0) {
3105 		switch (scf_error()) {
3106 		case SCF_ERROR_CONNECTION_BROKEN:
3107 			ret = ECONNABORTED;
3108 			goto out;
3109 
3110 		case SCF_ERROR_DELETED:
3111 			goto get_scope;
3112 
3113 		case SCF_ERROR_NOT_FOUND:
3114 			break;
3115 
3116 		case SCF_ERROR_HANDLE_MISMATCH:
3117 		case SCF_ERROR_INVALID_ARGUMENT:
3118 		case SCF_ERROR_NOT_SET:
3119 		default:
3120 			bad_error("scf_scope_get_service", scf_error());
3121 		}
3122 
3123 add_svc:
3124 		if (scf_scope_add_service(scope, "system/svc/restarter", svc) !=
3125 		    0) {
3126 			switch (scf_error()) {
3127 			case SCF_ERROR_CONNECTION_BROKEN:
3128 				ret = ECONNABORTED;
3129 				goto out;
3130 
3131 			case SCF_ERROR_EXISTS:
3132 				goto get_svc;
3133 
3134 			case SCF_ERROR_PERMISSION_DENIED:
3135 				ret = EPERM;
3136 				goto out;
3137 
3138 			case SCF_ERROR_BACKEND_ACCESS:
3139 				ret = EACCES;
3140 				goto out;
3141 
3142 			case SCF_ERROR_BACKEND_READONLY:
3143 				ret = EROFS;
3144 				goto out;
3145 
3146 			case SCF_ERROR_HANDLE_MISMATCH:
3147 			case SCF_ERROR_INVALID_ARGUMENT:
3148 			case SCF_ERROR_NOT_SET:
3149 			default:
3150 				bad_error("scf_scope_add_service", scf_error());
3151 			}
3152 		}
3153 	}
3154 
3155 get_inst:
3156 	if (scf_service_get_instance(svc, "default", inst) != 0) {
3157 		switch (scf_error()) {
3158 		case SCF_ERROR_CONNECTION_BROKEN:
3159 			ret = ECONNABORTED;
3160 			goto out;
3161 
3162 		case SCF_ERROR_DELETED:
3163 			goto add_svc;
3164 
3165 		case SCF_ERROR_NOT_FOUND:
3166 			break;
3167 
3168 		case SCF_ERROR_HANDLE_MISMATCH:
3169 		case SCF_ERROR_INVALID_ARGUMENT:
3170 		case SCF_ERROR_NOT_SET:
3171 		default:
3172 			bad_error("scf_service_get_instance", scf_error());
3173 		}
3174 
3175 		if (scf_service_add_instance(svc, "default", inst) !=
3176 		    0) {
3177 			switch (scf_error()) {
3178 			case SCF_ERROR_CONNECTION_BROKEN:
3179 				ret = ECONNABORTED;
3180 				goto out;
3181 
3182 			case SCF_ERROR_DELETED:
3183 				goto add_svc;
3184 
3185 			case SCF_ERROR_EXISTS:
3186 				goto get_inst;
3187 
3188 			case SCF_ERROR_PERMISSION_DENIED:
3189 				ret = EPERM;
3190 				goto out;
3191 
3192 			case SCF_ERROR_BACKEND_ACCESS:
3193 				ret = EACCES;
3194 				goto out;
3195 
3196 			case SCF_ERROR_BACKEND_READONLY:
3197 				ret = EROFS;
3198 				goto out;
3199 
3200 			case SCF_ERROR_HANDLE_MISMATCH:
3201 			case SCF_ERROR_INVALID_ARGUMENT:
3202 			case SCF_ERROR_NOT_SET:
3203 			default:
3204 				bad_error("scf_service_add_instance",
3205 				    scf_error());
3206 			}
3207 		}
3208 	}
3209 
3210 	ret = 0;
3211 
3212 out:
3213 	scf_service_destroy(svc);
3214 	scf_scope_destroy(scope);
3215 	return (ret);
3216 }
3217 
3218 /*
3219  * Fails with
3220  *   ECONNABORTED - repository connection broken
3221  *   ECANCELED - the transaction's property group was deleted
3222  */
3223 static int
3224 transaction_add_set(scf_transaction_t *tx, scf_transaction_entry_t *ent,
3225     const char *pname, scf_type_t type)
3226 {
3227 change_type:
3228 	if (scf_transaction_property_change_type(tx, ent, pname, type) == 0)
3229 		return (0);
3230 
3231 	switch (scf_error()) {
3232 	case SCF_ERROR_CONNECTION_BROKEN:
3233 		return (ECONNABORTED);
3234 
3235 	case SCF_ERROR_DELETED:
3236 		return (ECANCELED);
3237 
3238 	case SCF_ERROR_NOT_FOUND:
3239 		goto new;
3240 
3241 	case SCF_ERROR_HANDLE_MISMATCH:
3242 	case SCF_ERROR_INVALID_ARGUMENT:
3243 	case SCF_ERROR_NOT_BOUND:
3244 	case SCF_ERROR_NOT_SET:
3245 	default:
3246 		bad_error("scf_transaction_property_change_type", scf_error());
3247 	}
3248 
3249 new:
3250 	if (scf_transaction_property_new(tx, ent, pname, type) == 0)
3251 		return (0);
3252 
3253 	switch (scf_error()) {
3254 	case SCF_ERROR_CONNECTION_BROKEN:
3255 		return (ECONNABORTED);
3256 
3257 	case SCF_ERROR_DELETED:
3258 		return (ECANCELED);
3259 
3260 	case SCF_ERROR_EXISTS:
3261 		goto change_type;
3262 
3263 	case SCF_ERROR_HANDLE_MISMATCH:
3264 	case SCF_ERROR_INVALID_ARGUMENT:
3265 	case SCF_ERROR_NOT_BOUND:
3266 	case SCF_ERROR_NOT_SET:
3267 	default:
3268 		bad_error("scf_transaction_property_new", scf_error());
3269 		/* NOTREACHED */
3270 	}
3271 }
3272 
3273 static void
3274 scferr(void)
3275 {
3276 	switch (scf_error()) {
3277 	case SCF_ERROR_NO_MEMORY:
3278 		console(B_TRUE, gettext("Out of memory.\n"));
3279 		break;
3280 
3281 	case SCF_ERROR_CONNECTION_BROKEN:
3282 		console(B_TRUE, gettext(
3283 		    "Connection to smf(5) repository server broken.\n"));
3284 		break;
3285 
3286 	case SCF_ERROR_NO_RESOURCES:
3287 		console(B_TRUE, gettext(
3288 		    "smf(5) repository server is out of memory.\n"));
3289 		break;
3290 
3291 	case SCF_ERROR_PERMISSION_DENIED:
3292 		console(B_TRUE, gettext("Insufficient privileges.\n"));
3293 		break;
3294 
3295 	default:
3296 		console(B_TRUE, gettext("libscf error: %s\n"),
3297 		    scf_strerror(scf_error()));
3298 	}
3299 }
3300 
3301 static void
3302 lscf_set_runlevel(char rl)
3303 {
3304 	scf_handle_t *h;
3305 	scf_instance_t *inst = NULL;
3306 	scf_propertygroup_t *pg = NULL;
3307 	scf_transaction_t *tx = NULL;
3308 	scf_transaction_entry_t *ent = NULL;
3309 	scf_value_t *val = NULL;
3310 	char buf[2];
3311 	int r;
3312 
3313 	h = scf_handle_create(SCF_VERSION);
3314 	if (h == NULL) {
3315 		scferr();
3316 		return;
3317 	}
3318 
3319 	if (scf_handle_bind(h) != 0) {
3320 		switch (scf_error()) {
3321 		case SCF_ERROR_NO_SERVER:
3322 			console(B_TRUE,
3323 			    gettext("smf(5) repository server not running.\n"));
3324 			goto bail;
3325 
3326 		default:
3327 			scferr();
3328 			goto bail;
3329 		}
3330 	}
3331 
3332 	if ((inst = scf_instance_create(h)) == NULL ||
3333 	    (pg = scf_pg_create(h)) == NULL ||
3334 	    (val = scf_value_create(h)) == NULL ||
3335 	    (tx = scf_transaction_create(h)) == NULL ||
3336 	    (ent = scf_entry_create(h)) == NULL) {
3337 		scferr();
3338 		goto bail;
3339 	}
3340 
3341 get_inst:
3342 	r = get_or_add_startd(inst);
3343 	switch (r) {
3344 	case 0:
3345 		break;
3346 
3347 	case ENOMEM:
3348 	case ECONNABORTED:
3349 	case EPERM:
3350 	case EACCES:
3351 	case EROFS:
3352 		scferr();
3353 		goto bail;
3354 	default:
3355 		bad_error("get_or_add_startd", r);
3356 	}
3357 
3358 get_pg:
3359 	if (scf_instance_get_pg(inst, SCF_PG_OPTIONS_OVR, pg) != 0) {
3360 		switch (scf_error()) {
3361 		case SCF_ERROR_CONNECTION_BROKEN:
3362 			scferr();
3363 			goto bail;
3364 
3365 		case SCF_ERROR_DELETED:
3366 			goto get_inst;
3367 
3368 		case SCF_ERROR_NOT_FOUND:
3369 			break;
3370 
3371 		case SCF_ERROR_HANDLE_MISMATCH:
3372 		case SCF_ERROR_INVALID_ARGUMENT:
3373 		case SCF_ERROR_NOT_SET:
3374 		default:
3375 			bad_error("scf_instance_get_pg", scf_error());
3376 		}
3377 
3378 add_pg:
3379 		if (scf_instance_add_pg(inst, SCF_PG_OPTIONS_OVR,
3380 		    SCF_PG_OPTIONS_OVR_TYPE, SCF_PG_OPTIONS_OVR_FLAGS, pg) !=
3381 		    0) {
3382 			switch (scf_error()) {
3383 			case SCF_ERROR_CONNECTION_BROKEN:
3384 			case SCF_ERROR_PERMISSION_DENIED:
3385 			case SCF_ERROR_BACKEND_ACCESS:
3386 				scferr();
3387 				goto bail;
3388 
3389 			case SCF_ERROR_DELETED:
3390 				goto get_inst;
3391 
3392 			case SCF_ERROR_EXISTS:
3393 				goto get_pg;
3394 
3395 			case SCF_ERROR_HANDLE_MISMATCH:
3396 			case SCF_ERROR_INVALID_ARGUMENT:
3397 			case SCF_ERROR_NOT_SET:
3398 			default:
3399 				bad_error("scf_instance_add_pg", scf_error());
3400 			}
3401 		}
3402 	}
3403 
3404 	buf[0] = rl;
3405 	buf[1] = '\0';
3406 	r = scf_value_set_astring(val, buf);
3407 	assert(r == 0);
3408 
3409 	for (;;) {
3410 		if (scf_transaction_start(tx, pg) != 0) {
3411 			switch (scf_error()) {
3412 			case SCF_ERROR_CONNECTION_BROKEN:
3413 			case SCF_ERROR_PERMISSION_DENIED:
3414 			case SCF_ERROR_BACKEND_ACCESS:
3415 				scferr();
3416 				goto bail;
3417 
3418 			case SCF_ERROR_DELETED:
3419 				goto add_pg;
3420 
3421 			case SCF_ERROR_HANDLE_MISMATCH:
3422 			case SCF_ERROR_NOT_BOUND:
3423 			case SCF_ERROR_IN_USE:
3424 			case SCF_ERROR_NOT_SET:
3425 			default:
3426 				bad_error("scf_transaction_start", scf_error());
3427 			}
3428 		}
3429 
3430 		r = transaction_add_set(tx, ent, "runlevel", SCF_TYPE_ASTRING);
3431 		switch (r) {
3432 		case 0:
3433 			break;
3434 
3435 		case ECONNABORTED:
3436 			scferr();
3437 			goto bail;
3438 
3439 		case ECANCELED:
3440 			scf_transaction_reset(tx);
3441 			goto add_pg;
3442 
3443 		default:
3444 			bad_error("transaction_add_set", r);
3445 		}
3446 
3447 		r = scf_entry_add_value(ent, val);
3448 		assert(r == 0);
3449 
3450 		r = scf_transaction_commit(tx);
3451 		if (r == 1)
3452 			break;
3453 
3454 		if (r != 0) {
3455 			switch (scf_error()) {
3456 			case SCF_ERROR_CONNECTION_BROKEN:
3457 			case SCF_ERROR_PERMISSION_DENIED:
3458 			case SCF_ERROR_BACKEND_ACCESS:
3459 			case SCF_ERROR_BACKEND_READONLY:
3460 				scferr();
3461 				goto bail;
3462 
3463 			case SCF_ERROR_DELETED:
3464 				scf_transaction_reset(tx);
3465 				goto add_pg;
3466 
3467 			case SCF_ERROR_INVALID_ARGUMENT:
3468 			case SCF_ERROR_NOT_BOUND:
3469 			case SCF_ERROR_NOT_SET:
3470 			default:
3471 				bad_error("scf_transaction_commit",
3472 				    scf_error());
3473 			}
3474 		}
3475 
3476 		scf_transaction_reset(tx);
3477 		(void) scf_pg_update(pg);
3478 	}
3479 
3480 bail:
3481 	scf_transaction_destroy(tx);
3482 	scf_entry_destroy(ent);
3483 	scf_value_destroy(val);
3484 	scf_pg_destroy(pg);
3485 	scf_instance_destroy(inst);
3486 
3487 	(void) scf_handle_unbind(h);
3488 	scf_handle_destroy(h);
3489 }
3490 
3491 /*
3492  * Function to handle requests from users to main init running as process 1.
3493  */
3494 static void
3495 userinit(int argc, char **argv)
3496 {
3497 	FILE	*fp;
3498 	char	*ln;
3499 	int	init_signal;
3500 	struct stat	sconbuf, conbuf;
3501 	const char *usage_msg = "Usage: init [0123456SsQqabc]\n";
3502 
3503 	/*
3504 	 * We are a user invoked init.  Is there an argument and is it
3505 	 * a single character?  If not, print usage message and quit.
3506 	 */
3507 	if (argc != 2 || argv[1][1] != '\0') {
3508 		(void) fprintf(stderr, usage_msg);
3509 		exit(0);
3510 	}
3511 
3512 	if ((init_signal = lvlname_to_state((char)argv[1][0])) == -1) {
3513 		(void) fprintf(stderr, usage_msg);
3514 		(void) audit_put_record(ADT_FAILURE, ADT_FAIL_VALUE_BAD_CMD,
3515 		    argv[1]);
3516 		exit(1);
3517 	}
3518 
3519 	if (init_signal == SINGLE_USER) {
3520 		/*
3521 		 * Make sure this process is talking to a legal tty line
3522 		 * and that /dev/syscon is linked to this line.
3523 		 */
3524 		ln = ttyname(0);	/* Get the name of tty */
3525 		if (ln == NULL) {
3526 			(void) fprintf(stderr,
3527 			    "Standard input not a tty line\n");
3528 			(void) audit_put_record(ADT_FAILURE,
3529 			    ADT_FAIL_VALUE_BAD_TTY, argv[1]);
3530 			exit(1);
3531 		}
3532 
3533 		if ((stat(ln, &sconbuf) != -1) &&
3534 		    (stat(SYSCON, &conbuf) == -1 ||
3535 		    sconbuf.st_rdev != conbuf.st_rdev)) {
3536 			/*
3537 			 * /dev/syscon needs to change.
3538 			 * Unlink /dev/syscon and relink it to the current line.
3539 			 */
3540 			if (lstat(SYSCON, &conbuf) != -1 &&
3541 			    unlink(SYSCON) == FAILURE) {
3542 				perror("Can't unlink /dev/syscon");
3543 				(void) fprintf(stderr,
3544 				    "Run command on the system console.\n");
3545 				(void) audit_put_record(ADT_FAILURE,
3546 				    ADT_FAIL_VALUE_PROGRAM, argv[1]);
3547 				exit(1);
3548 			}
3549 			if (symlink(ln, SYSCON) == FAILURE) {
3550 				(void) fprintf(stderr,
3551 				    "Can't symlink /dev/syscon to %s: %s", ln,
3552 				    strerror(errno));
3553 
3554 				/* Try to leave a syscon */
3555 				(void) link(SYSTTY, SYSCON);
3556 				(void) audit_put_record(ADT_FAILURE,
3557 				    ADT_FAIL_VALUE_PROGRAM, argv[1]);
3558 				exit(1);
3559 			}
3560 
3561 			/*
3562 			 * Try to leave a message on system console saying where
3563 			 * /dev/syscon is currently connected.
3564 			 */
3565 			if ((fp = fopen(SYSTTY, "r+")) != NULL) {
3566 				(void) fprintf(fp,
3567 				    "\n****	SYSCON CHANGED TO %s	****\n",
3568 				    ln);
3569 				(void) fclose(fp);
3570 			}
3571 		}
3572 	}
3573 
3574 	update_boot_archive(init_signal);
3575 
3576 	(void) audit_put_record(ADT_SUCCESS, ADT_SUCCESS, argv[1]);
3577 
3578 	/*
3579 	 * Signal init; init will take care of telling svc.startd.
3580 	 */
3581 	if (kill(init_pid, init_signal) == FAILURE) {
3582 		(void) fprintf(stderr, "Must be super-user\n");
3583 		(void) audit_put_record(ADT_FAILURE,
3584 		    ADT_FAIL_VALUE_AUTH, argv[1]);
3585 		exit(1);
3586 	}
3587 
3588 	exit(0);
3589 }
3590 
3591 
3592 #define	DELTA	25	/* Number of pidlist elements to allocate at a time */
3593 
3594 /* ARGSUSED */
3595 void
3596 sigpoll(int n)
3597 {
3598 	struct pidrec prec;
3599 	struct pidrec *p = &prec;
3600 	struct pidlist *plp;
3601 	struct pidlist *tp, *savetp;
3602 	int i;
3603 
3604 	if (Pfd < 0) {
3605 		return;
3606 	}
3607 
3608 	for (;;) {
3609 		/*
3610 		 * Important Note: Either read will really fail (in which case
3611 		 * return is all we can do) or will get EAGAIN (Pfd was opened
3612 		 * O_NDELAY), in which case we also want to return.
3613 		 * Always return from here!
3614 		 */
3615 		if (read(Pfd, p, sizeof (struct pidrec)) !=
3616 						sizeof (struct pidrec)) {
3617 			return;
3618 		}
3619 		switch (p->pd_type) {
3620 
3621 		case ADDPID:
3622 			/*
3623 			 * New "godchild", add to list.
3624 			 */
3625 			if (Plfree == NULL) {
3626 				plp = (struct pidlist *)calloc(DELTA,
3627 				    sizeof (struct pidlist));
3628 				if (plp == NULL) {
3629 					/* Can't save pid */
3630 					break;
3631 				}
3632 				/*
3633 				 * Point at 2nd record allocated, we'll use plp.
3634 				 */
3635 				tp = plp + 1;
3636 				/*
3637 				 * Link them into a chain.
3638 				 */
3639 				Plfree = tp;
3640 				for (i = 0; i < DELTA - 2; i++) {
3641 					tp->pl_next = tp + 1;
3642 					tp++;
3643 				}
3644 			} else {
3645 				plp = Plfree;
3646 				Plfree = plp->pl_next;
3647 			}
3648 			plp->pl_pid = p->pd_pid;
3649 			plp->pl_dflag = 0;
3650 			plp->pl_next = NULL;
3651 			/*
3652 			 * Note - pid list is kept in increasing order of pids.
3653 			 */
3654 			if (Plhead == NULL) {
3655 				Plhead = plp;
3656 				/* Back up to read next record */
3657 				break;
3658 			} else {
3659 				savetp = tp = Plhead;
3660 				while (tp) {
3661 					if (plp->pl_pid > tp->pl_pid) {
3662 						savetp = tp;
3663 						tp = tp->pl_next;
3664 						continue;
3665 					} else if (plp->pl_pid < tp->pl_pid) {
3666 						if (tp == Plhead) {
3667 							plp->pl_next = Plhead;
3668 							Plhead = plp;
3669 						} else {
3670 							plp->pl_next =
3671 							    savetp->pl_next;
3672 							savetp->pl_next = plp;
3673 						}
3674 						break;
3675 					} else {
3676 						/* Already in list! */
3677 						plp->pl_next = Plfree;
3678 						Plfree = plp;
3679 						break;
3680 					}
3681 				}
3682 				if (tp == NULL) {
3683 					/* Add to end of list */
3684 					savetp->pl_next = plp;
3685 				}
3686 			}
3687 			/* Back up to read next record. */
3688 			break;
3689 
3690 		case REMPID:
3691 			/*
3692 			 * This one was handled by someone else,
3693 			 * purge it from the list.
3694 			 */
3695 			if (Plhead == NULL) {
3696 				/* Back up to read next record. */
3697 				break;
3698 			}
3699 			savetp = tp = Plhead;
3700 			while (tp) {
3701 				if (p->pd_pid > tp->pl_pid) {
3702 					/* Keep on looking. */
3703 					savetp = tp;
3704 					tp = tp->pl_next;
3705 					continue;
3706 				} else if (p->pd_pid < tp->pl_pid) {
3707 					/* Not in list. */
3708 					break;
3709 				} else {
3710 					/* Found it. */
3711 					if (tp == Plhead)
3712 						Plhead = tp->pl_next;
3713 					else
3714 						savetp->pl_next = tp->pl_next;
3715 					tp->pl_next = Plfree;
3716 					Plfree = tp;
3717 					break;
3718 				}
3719 			}
3720 			/* Back up to read next record. */
3721 			break;
3722 		default:
3723 			console(B_TRUE, "Bad message on initpipe\n");
3724 			break;
3725 		}
3726 	}
3727 }
3728 
3729 
3730 static void
3731 cleanaux()
3732 {
3733 	struct pidlist *savep, *p;
3734 	pid_t	pid;
3735 	short	status;
3736 
3737 	(void) sigset(SIGCLD, SIG_DFL);
3738 	Gchild = 0;	/* Note - Safe to do this here since no SIGCLDs */
3739 	(void) sighold(SIGPOLL);
3740 	savep = p = Plhead;
3741 	while (p) {
3742 		if (p->pl_dflag) {
3743 			/*
3744 			 * Found an entry to delete,
3745 			 * remove it from list first.
3746 			 */
3747 			pid = p->pl_pid;
3748 			status = p->pl_exit;
3749 			if (p == Plhead) {
3750 				Plhead = p->pl_next;
3751 				p->pl_next = Plfree;
3752 				Plfree = p;
3753 				savep = p = Plhead;
3754 			} else {
3755 				savep->pl_next = p->pl_next;
3756 				p->pl_next = Plfree;
3757 				Plfree = p;
3758 				p = savep->pl_next;
3759 			}
3760 			clearent(pid, status);
3761 			continue;
3762 		}
3763 		savep = p;
3764 		p = p->pl_next;
3765 	}
3766 	(void) sigrelse(SIGPOLL);
3767 	(void) sigset(SIGCLD, childeath);
3768 }
3769 
3770 
3771 /*
3772  * /etc/inittab has more entries and we have run out of room in the proc_table
3773  * array. Double the size of proc_table to accomodate the extra entries.
3774  */
3775 static void
3776 increase_proc_table_size()
3777 {
3778 	sigset_t block, unblock;
3779 	void *ptr;
3780 	size_t delta = num_proc * sizeof (struct PROC_TABLE);
3781 
3782 
3783 	/*
3784 	 * Block signals for realloc.
3785 	 */
3786 	(void) sigfillset(&block);
3787 	(void) sigprocmask(SIG_BLOCK, &block, &unblock);
3788 
3789 
3790 	/*
3791 	 * On failure we just return because callers of this function check
3792 	 * for failure.
3793 	 */
3794 	do
3795 		ptr = realloc(g_state, g_state_sz + delta);
3796 	while (ptr == NULL && errno == EAGAIN);
3797 
3798 	if (ptr != NULL) {
3799 		/* ensure that the new part is initialized to zero */
3800 		bzero((caddr_t)ptr + g_state_sz, delta);
3801 
3802 		g_state = ptr;
3803 		g_state_sz += delta;
3804 		num_proc <<= 1;
3805 	}
3806 
3807 
3808 	/* unblock our signals before returning */
3809 	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
3810 }
3811 
3812 
3813 
3814 /*
3815  * Sanity check g_state.
3816  */
3817 static int
3818 st_sane()
3819 {
3820 	int i;
3821 	struct PROC_TABLE *ptp;
3822 
3823 
3824 	/* Note: cur_state is encoded as a signal number */
3825 	if (cur_state < 1 || cur_state == 9 || cur_state > 13)
3826 		return (0);
3827 
3828 	/* Check num_proc */
3829 	if (g_state_sz != sizeof (struct init_state) + (num_proc - 1) *
3830 	    sizeof (struct PROC_TABLE))
3831 		return (0);
3832 
3833 	/* Check proc_table */
3834 	for (i = 0, ptp = proc_table; i < num_proc; ++i, ++ptp) {
3835 		/* skip unoccupied entries */
3836 		if (!(ptp->p_flags & OCCUPIED))
3837 			continue;
3838 
3839 		/* p_flags has no bits outside of PF_MASK */
3840 		if (ptp->p_flags & ~(PF_MASK))
3841 			return (0);
3842 
3843 		/* 5 <= pid <= MAXPID */
3844 		if (ptp->p_pid < 5 || ptp->p_pid > MAXPID)
3845 			return (0);
3846 
3847 		/* p_count >= 0 */
3848 		if (ptp->p_count < 0)
3849 			return (0);
3850 
3851 		/* p_time >= 0 */
3852 		if (ptp->p_time < 0)
3853 			return (0);
3854 	}
3855 
3856 	return (1);
3857 }
3858 
3859 /*
3860  * Initialize our state.
3861  *
3862  * If the system just booted, then init_state_file, which is located on an
3863  * everpresent tmpfs filesystem, should not exist.
3864  *
3865  * If we were restarted, then init_state_file should exist, in
3866  * which case we'll read it in, sanity check it, and use it.
3867  *
3868  * Note: You can't call console() until proc_table is ready.
3869  */
3870 void
3871 st_init()
3872 {
3873 	struct stat stb;
3874 	int ret, st_fd, insane = 0;
3875 	size_t to_be_read;
3876 	char *ptr;
3877 
3878 
3879 	booting = 1;
3880 
3881 	do {
3882 		/*
3883 		 * If we can exclusively create the file, then we're the
3884 		 * initial invocation of init(1M).
3885 		 */
3886 		st_fd = open(init_state_file, O_RDWR | O_CREAT | O_EXCL,
3887 		    S_IRUSR | S_IWUSR);
3888 	} while (st_fd == -1 && errno == EINTR);
3889 	if (st_fd != -1)
3890 		goto new_state;
3891 
3892 	booting = 0;
3893 
3894 	do {
3895 		st_fd = open(init_state_file, O_RDWR, S_IRUSR | S_IWUSR);
3896 	} while (st_fd == -1 && errno == EINTR);
3897 	if (st_fd == -1)
3898 		goto new_state;
3899 
3900 	/* Get the size of the file. */
3901 	do
3902 		ret = fstat(st_fd, &stb);
3903 	while (ret == -1 && errno == EINTR);
3904 	if (ret == -1)
3905 		goto new_state;
3906 
3907 	do
3908 		g_state = malloc(stb.st_size);
3909 	while (g_state == NULL && errno == EAGAIN);
3910 	if (g_state == NULL)
3911 		goto new_state;
3912 
3913 	to_be_read = stb.st_size;
3914 	ptr = (char *)g_state;
3915 	while (to_be_read > 0) {
3916 		ssize_t read_ret;
3917 
3918 		read_ret = read(st_fd, ptr, to_be_read);
3919 		if (read_ret < 0) {
3920 			if (errno == EINTR)
3921 				continue;
3922 
3923 			goto new_state;
3924 		}
3925 
3926 		to_be_read -= read_ret;
3927 		ptr += read_ret;
3928 	}
3929 
3930 	(void) close(st_fd);
3931 
3932 	g_state_sz = stb.st_size;
3933 
3934 	if (st_sane()) {
3935 		console(B_TRUE, "Restarting.\n");
3936 		return;
3937 	}
3938 
3939 	insane = 1;
3940 
3941 new_state:
3942 	if (st_fd >= 0)
3943 		(void) close(st_fd);
3944 	else
3945 		(void) unlink(init_state_file);
3946 
3947 	if (g_state != NULL)
3948 		free(g_state);
3949 
3950 	/* Something went wrong, so allocate new state. */
3951 	g_state_sz = sizeof (struct init_state) +
3952 	    ((init_num_proc - 1) * sizeof (struct PROC_TABLE));
3953 	do
3954 		g_state = calloc(1, g_state_sz);
3955 	while (g_state == NULL && errno == EAGAIN);
3956 	if (g_state == NULL) {
3957 		/* Fatal error! */
3958 		exit(errno);
3959 	}
3960 
3961 	g_state->ist_runlevel = -1;
3962 	num_proc = init_num_proc;
3963 
3964 	if (!booting) {
3965 		console(B_TRUE, "Restarting.\n");
3966 
3967 		/* Overwrite the bad state file. */
3968 		st_write();
3969 
3970 		if (!insane) {
3971 			console(B_TRUE,
3972 			    "Error accessing persistent state file `%s'.  "
3973 			    "Ignored.\n", init_state_file);
3974 		} else {
3975 			console(B_TRUE,
3976 			    "Persistent state file `%s' is invalid and was "
3977 			    "ignored.\n", init_state_file);
3978 		}
3979 	}
3980 }
3981 
3982 /*
3983  * Write g_state out to the state file.
3984  */
3985 void
3986 st_write()
3987 {
3988 	static int complained = 0;
3989 
3990 	int st_fd;
3991 	char *cp;
3992 	size_t sz;
3993 	ssize_t ret;
3994 
3995 
3996 	do {
3997 		st_fd = open(init_next_state_file,
3998 		    O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
3999 	} while (st_fd < 0 && errno == EINTR);
4000 	if (st_fd < 0)
4001 		goto err;
4002 
4003 	cp = (char *)g_state;
4004 	sz = g_state_sz;
4005 	while (sz > 0) {
4006 		ret = write(st_fd, cp, sz);
4007 		if (ret < 0) {
4008 			if (errno == EINTR)
4009 				continue;
4010 
4011 			goto err;
4012 		}
4013 
4014 		sz -= ret;
4015 		cp += ret;
4016 	}
4017 
4018 	(void) close(st_fd);
4019 	st_fd = -1;
4020 	if (rename(init_next_state_file, init_state_file)) {
4021 		(void) unlink(init_next_state_file);
4022 		goto err;
4023 	}
4024 	complained = 0;
4025 
4026 	return;
4027 
4028 err:
4029 	if (st_fd >= 0)
4030 		(void) close(st_fd);
4031 
4032 	if (!booting && !complained) {
4033 		/*
4034 		 * Only complain after the filesystem should have come up.
4035 		 * And only do it once so we don't loop between console()
4036 		 * & efork().
4037 		 */
4038 		complained = 1;
4039 		if (st_fd)
4040 			console(B_TRUE, "Couldn't write persistent state "
4041 			    "file `%s'.\n", init_state_file);
4042 		else
4043 			console(B_TRUE, "Couldn't move persistent state "
4044 			    "file `%s' to `%s'.\n", init_next_state_file,
4045 			    init_state_file);
4046 	}
4047 }
4048 
4049 /*
4050  * Create a contract with these parameters.
4051  */
4052 static int
4053 contract_make_template(uint_t info, uint_t critical, uint_t fatal,
4054     uint64_t cookie)
4055 {
4056 	int fd, err;
4057 
4058 	char *ioctl_tset_emsg =
4059 	    "Couldn't set \"%s\" contract template parameter: %s.\n";
4060 
4061 	do
4062 		fd = open64(CTFS_ROOT "/process/template", O_RDWR);
4063 	while (fd < 0 && errno == EINTR);
4064 	if (fd < 0) {
4065 		console(B_TRUE, "Couldn't create process template: %s.\n",
4066 		    strerror(errno));
4067 		return (-1);
4068 	}
4069 
4070 	if (err = ct_pr_tmpl_set_param(fd, CT_PR_INHERIT | CT_PR_REGENT))
4071 		console(B_TRUE, "Contract set template inherit, regent "
4072 		    "failed.\n");
4073 
4074 	/*
4075 	 * These errors result in a misconfigured template, which is better
4076 	 * than no template at all, so warn but don't abort.
4077 	 */
4078 	if (err = ct_tmpl_set_informative(fd, info))
4079 		console(B_TRUE, ioctl_tset_emsg, "informative", strerror(err));
4080 
4081 	if (err = ct_tmpl_set_critical(fd, critical))
4082 		console(B_TRUE, ioctl_tset_emsg, "critical", strerror(err));
4083 
4084 	if (err = ct_pr_tmpl_set_fatal(fd, fatal))
4085 		console(B_TRUE, ioctl_tset_emsg, "fatal", strerror(err));
4086 
4087 	if (err = ct_tmpl_set_cookie(fd, cookie))
4088 		console(B_TRUE, ioctl_tset_emsg, "cookie", strerror(err));
4089 
4090 	(void) fcntl(fd, F_SETFD, FD_CLOEXEC);
4091 
4092 	return (fd);
4093 }
4094 
4095 /*
4096  * Create the templates and open an event file descriptor.  We use dup2(2) to
4097  * get these descriptors away from the stdin/stdout/stderr group.
4098  */
4099 static void
4100 contracts_init()
4101 {
4102 	int err, fd;
4103 
4104 	/*
4105 	 * Create & configure a legacy template.  We only want empty events so
4106 	 * we know when to abandon them.
4107 	 */
4108 	legacy_tmpl = contract_make_template(0, CT_PR_EV_EMPTY, CT_PR_EV_HWERR,
4109 	    ORDINARY_COOKIE);
4110 	if (legacy_tmpl >= 0) {
4111 		err = ct_tmpl_activate(legacy_tmpl);
4112 		if (err != 0) {
4113 			(void) close(legacy_tmpl);
4114 			legacy_tmpl = -1;
4115 			console(B_TRUE,
4116 			    "Couldn't activate legacy template (%s); "
4117 			    "legacy services will be in init's contract.\n",
4118 			    strerror(err));
4119 		}
4120 	} else
4121 		console(B_TRUE,
4122 		    "Legacy services will be in init's contract.\n");
4123 
4124 	if (dup2(legacy_tmpl, 255) == -1) {
4125 		console(B_TRUE, "Could not duplicate legacy template: %s.\n",
4126 		    strerror(errno));
4127 	} else {
4128 		(void) close(legacy_tmpl);
4129 		legacy_tmpl = 255;
4130 	}
4131 
4132 	(void) fcntl(legacy_tmpl, F_SETFD, FD_CLOEXEC);
4133 
4134 	startd_tmpl = contract_make_template(0, CT_PR_EV_EMPTY,
4135 	    CT_PR_EV_HWERR | CT_PR_EV_SIGNAL | CT_PR_EV_CORE, STARTD_COOKIE);
4136 
4137 	if (dup2(startd_tmpl, 254) == -1) {
4138 		console(B_TRUE, "Could not duplicate startd template: %s.\n",
4139 		    strerror(errno));
4140 	} else {
4141 		(void) close(startd_tmpl);
4142 		startd_tmpl = 254;
4143 	}
4144 
4145 	(void) fcntl(startd_tmpl, F_SETFD, FD_CLOEXEC);
4146 
4147 	if (legacy_tmpl < 0 && startd_tmpl < 0) {
4148 		/* The creation errors have already been reported. */
4149 		console(B_TRUE,
4150 		    "Ignoring contract events.  Core smf(5) services will not "
4151 		    "be restarted.\n");
4152 		return;
4153 	}
4154 
4155 	/*
4156 	 * Open an event endpoint.
4157 	 */
4158 	do
4159 		fd = open64(CTFS_ROOT "/process/pbundle", O_RDONLY);
4160 	while (fd < 0 && errno == EINTR);
4161 	if (fd < 0) {
4162 		console(B_TRUE,
4163 		    "Couldn't open process pbundle: %s.  Core smf(5) services "
4164 		    "will not be restarted.\n", strerror(errno));
4165 		return;
4166 	}
4167 
4168 	if (dup2(fd, 253) == -1) {
4169 		console(B_TRUE, "Could not duplicate process bundle: %s.\n",
4170 		    strerror(errno));
4171 	} else {
4172 		(void) close(fd);
4173 		fd = 253;
4174 	}
4175 
4176 	(void) fcntl(fd, F_SETFD, FD_CLOEXEC);
4177 
4178 	/* Reset in case we've been restarted. */
4179 	(void) ct_event_reset(fd);
4180 
4181 	poll_fds[0].fd = fd;
4182 	poll_fds[0].events = POLLIN;
4183 	poll_nfds = 1;
4184 }
4185 
4186 static int
4187 contract_getfile(ctid_t id, const char *name, int oflag)
4188 {
4189 	int fd;
4190 
4191 	do
4192 		fd = contract_open(id, "process", name, oflag);
4193 	while (fd < 0 && errno == EINTR);
4194 
4195 	if (fd < 0)
4196 		console(B_TRUE, "Couldn't open %s for contract %ld: %s.\n",
4197 		    name, id, strerror(errno));
4198 
4199 	return (fd);
4200 }
4201 
4202 static int
4203 contract_cookie(ctid_t id, uint64_t *cp)
4204 {
4205 	int fd, err;
4206 	ct_stathdl_t sh;
4207 
4208 	fd = contract_getfile(id, "status", O_RDONLY);
4209 	if (fd < 0)
4210 		return (-1);
4211 
4212 	err = ct_status_read(fd, CTD_COMMON, &sh);
4213 	if (err != 0) {
4214 		console(B_TRUE, "Couldn't read status of contract %ld: %s.\n",
4215 		    id, strerror(err));
4216 		(void) close(fd);
4217 		return (-1);
4218 	}
4219 
4220 	(void) close(fd);
4221 
4222 	*cp = ct_status_get_cookie(sh);
4223 
4224 	ct_status_free(sh);
4225 	return (0);
4226 }
4227 
4228 static void
4229 contract_ack(ct_evthdl_t e)
4230 {
4231 	int fd;
4232 
4233 	if (ct_event_get_flags(e) & CTE_INFO)
4234 		return;
4235 
4236 	fd = contract_getfile(ct_event_get_ctid(e), "ctl", O_WRONLY);
4237 	if (fd < 0)
4238 		return;
4239 
4240 	(void) ct_ctl_ack(fd, ct_event_get_evid(e));
4241 	(void) close(fd);
4242 }
4243 
4244 /*
4245  * Process a contract event.
4246  */
4247 static void
4248 contract_event(struct pollfd *poll)
4249 {
4250 	ct_evthdl_t e;
4251 	int err;
4252 	ctid_t ctid;
4253 
4254 	if (!(poll->revents & POLLIN)) {
4255 		if (poll->revents & POLLERR)
4256 			console(B_TRUE,
4257 			    "Unknown poll error on my process contract "
4258 			    "pbundle.\n");
4259 		return;
4260 	}
4261 
4262 	err = ct_event_read(poll->fd, &e);
4263 	if (err != 0) {
4264 		console(B_TRUE, "Error retrieving contract event: %s.\n",
4265 		    strerror(err));
4266 		return;
4267 	}
4268 
4269 	ctid = ct_event_get_ctid(e);
4270 
4271 	if (ct_event_get_type(e) == CT_PR_EV_EMPTY) {
4272 		uint64_t cookie;
4273 		int ret, abandon = 1;
4274 
4275 		/* If it's svc.startd, restart it.  Else, abandon. */
4276 		ret = contract_cookie(ctid, &cookie);
4277 
4278 		if (ret == 0) {
4279 			if (cookie == STARTD_COOKIE &&
4280 			    do_restart_startd) {
4281 				if (smf_debug)
4282 					console(B_TRUE, "Restarting "
4283 					    "svc.startd.\n");
4284 
4285 				/*
4286 				 * Account for the failure.  If the failure rate
4287 				 * exceeds a threshold, then drop to maintenance
4288 				 * mode.
4289 				 */
4290 				startd_record_failure();
4291 				if (startd_failure_rate_critical())
4292 					enter_maintenance();
4293 
4294 				if (startd_tmpl < 0)
4295 					console(B_TRUE,
4296 					    "Restarting svc.startd in "
4297 					    "improper contract (bad "
4298 					    "template).\n");
4299 
4300 				(void) startd_run(startd_cline, startd_tmpl,
4301 				    ctid);
4302 
4303 				abandon = 0;
4304 			}
4305 		}
4306 
4307 		if (abandon && (err = contract_abandon_id(ctid))) {
4308 			console(B_TRUE, "Couldn't abandon contract %ld: %s.\n",
4309 			    ctid, strerror(err));
4310 		}
4311 
4312 		/*
4313 		 * No need to acknowledge the event since either way the
4314 		 * originating contract should be abandoned.
4315 		 */
4316 	} else {
4317 		console(B_TRUE,
4318 		    "Received contract event of unexpected type %d from "
4319 		    "contract %ld.\n", ct_event_get_type(e), ctid);
4320 
4321 		if ((ct_event_get_flags(e) & (CTE_INFO | CTE_ACK)) == 0)
4322 			/* Allow unexpected critical events to be released. */
4323 			contract_ack(e);
4324 	}
4325 
4326 	ct_event_free(e);
4327 }
4328 
4329 /*
4330  * svc.startd(1M) Management
4331  */
4332 
4333 /*
4334  * (Re)start svc.startd(1M).  old_ctid should be the contract ID of the old
4335  * contract, or 0 if we're starting it for the first time.  If wait is true
4336  * we'll wait for and return the exit value of the child.
4337  */
4338 static int
4339 startd_run(const char *cline, int tmpl, ctid_t old_ctid)
4340 {
4341 	int err, i, ret, did_activate;
4342 	pid_t pid;
4343 	struct stat sb;
4344 
4345 	if (cline[0] == '\0')
4346 		return (-1);
4347 
4348 	/*
4349 	 * Don't restart startd if the system is rebooting or shutting down.
4350 	 */
4351 	do {
4352 		ret = stat("/etc/svc/volatile/resetting", &sb);
4353 	} while (ret == -1 && errno == EINTR);
4354 
4355 	if (ret == 0) {
4356 		if (smf_debug)
4357 			console(B_TRUE, "Quiescing for reboot.\n");
4358 		(void) pause();
4359 		return (-1);
4360 	}
4361 
4362 	err = ct_pr_tmpl_set_transfer(tmpl, old_ctid);
4363 	if (err == EINVAL) {
4364 		console(B_TRUE, "Remake startd_tmpl; reattempt transfer.\n");
4365 		tmpl = startd_tmpl = contract_make_template(0, CT_PR_EV_EMPTY,
4366 		    CT_PR_EV_HWERR, STARTD_COOKIE);
4367 
4368 		err = ct_pr_tmpl_set_transfer(tmpl, old_ctid);
4369 	}
4370 	if (err != 0) {
4371 		console(B_TRUE,
4372 		    "Couldn't set transfer parameter of contract template: "
4373 		    "%s.\n", strerror(err));
4374 	}
4375 
4376 	did_activate = !(ct_tmpl_activate(tmpl));
4377 	if (!did_activate)
4378 		console(B_TRUE,
4379 		    "Template activation failed; not starting \"%s\" in "
4380 		    "proper contract.\n", cline);
4381 
4382 	/* Hold SIGCHLD so we can wait if necessary. */
4383 	(void) sighold(SIGCHLD);
4384 
4385 	while ((pid = fork()) < 0) {
4386 		if (errno == EPERM) {
4387 			console(B_TRUE, "Insufficient permission to fork.\n");
4388 
4389 			/* Now that's a doozy. */
4390 			exit(1);
4391 		}
4392 
4393 		console(B_TRUE,
4394 		    "fork() for svc.startd failed: %s.  Will retry in 1 "
4395 		    "second...\n", strerror(errno));
4396 
4397 		(void) sleep(1);
4398 
4399 		/* Eventually give up? */
4400 	}
4401 
4402 	if (pid == 0) {
4403 		/* child */
4404 
4405 		/* See the comment in efork() */
4406 		for (i = SIGHUP; i <= SIGRTMAX; ++i) {
4407 			if (i == SIGTTOU || i == SIGTTIN || i == SIGTSTP)
4408 				(void) sigset(i, SIG_IGN);
4409 			else
4410 				(void) sigset(i, SIG_DFL);
4411 		}
4412 
4413 		if (smf_options != NULL) {
4414 			/* Put smf_options in the environment. */
4415 			glob_envp[glob_envn] =
4416 			    malloc(sizeof ("SMF_OPTIONS=") - 1 +
4417 				strlen(smf_options) + 1);
4418 
4419 			if (glob_envp[glob_envn] != NULL) {
4420 				/* LINTED */
4421 				(void) sprintf(glob_envp[glob_envn],
4422 				    "SMF_OPTIONS=%s", smf_options);
4423 				glob_envp[glob_envn+1] = NULL;
4424 			} else {
4425 				console(B_TRUE,
4426 				    "Could not set SMF_OPTIONS (%s).\n",
4427 				    strerror(errno));
4428 			}
4429 		}
4430 
4431 		if (smf_debug)
4432 			console(B_TRUE, "Executing svc.startd\n");
4433 
4434 		(void) execle(SH, "INITSH", "-c", cline, NULL, glob_envp);
4435 
4436 		console(B_TRUE, "Could not exec \"%s\" (%s).\n", SH,
4437 		    strerror(errno));
4438 
4439 		exit(1);
4440 	}
4441 
4442 	/* parent */
4443 
4444 	if (did_activate) {
4445 		if (legacy_tmpl < 0 || ct_tmpl_activate(legacy_tmpl) != 0)
4446 			(void) ct_tmpl_clear(tmpl);
4447 	}
4448 
4449 	/* Clear the old_ctid reference so the kernel can reclaim it. */
4450 	if (old_ctid != 0)
4451 		(void) ct_pr_tmpl_set_transfer(tmpl, 0);
4452 
4453 	(void) sigrelse(SIGCHLD);
4454 
4455 	return (0);
4456 }
4457 
4458 /*
4459  * void startd_record_failure(void)
4460  *   Place the current time in our circular array of svc.startd failures.
4461  */
4462 void
4463 startd_record_failure()
4464 {
4465 	int index = startd_failure_index++ % NSTARTD_FAILURE_TIMES;
4466 
4467 	startd_failure_time[index] = gethrtime();
4468 }
4469 
4470 /*
4471  * int startd_failure_rate_critical(void)
4472  *   Return true if the average failure interval is less than the permitted
4473  *   interval.  Implicit success if insufficient measurements for an average
4474  *   exist.
4475  */
4476 int
4477 startd_failure_rate_critical()
4478 {
4479 	int n = startd_failure_index;
4480 	hrtime_t avg_ns = 0;
4481 
4482 	if (startd_failure_index < NSTARTD_FAILURE_TIMES)
4483 		return (0);
4484 
4485 	avg_ns =
4486 	    (startd_failure_time[(n - 1) % NSTARTD_FAILURE_TIMES] -
4487 	    startd_failure_time[n % NSTARTD_FAILURE_TIMES]) /
4488 	    NSTARTD_FAILURE_TIMES;
4489 
4490 	return (avg_ns < STARTD_FAILURE_RATE_NS);
4491 }
4492 
4493 /*
4494  * returns string that must be free'd
4495  */
4496 
4497 static char
4498 *audit_boot_msg()
4499 {
4500 	char		*b, *p;
4501 	char		desc[] = "booted";
4502 	zoneid_t	zid = getzoneid();
4503 
4504 	b = malloc(sizeof (desc) + MAXNAMELEN + 3);
4505 	if (b == NULL)
4506 		return (b);
4507 
4508 	p = b;
4509 	p += strlcpy(p, desc, sizeof (desc));
4510 	if (zid != GLOBAL_ZONEID) {
4511 		p += strlcpy(p, ": ", 3);
4512 		(void) getzonenamebyid(zid, p, MAXNAMELEN);
4513 	}
4514 	return (b);
4515 }
4516 
4517 /*
4518  * Generate AUE_init_solaris audit record.  Return 1 if
4519  * auditing is enabled in case the caller cares.
4520  *
4521  * In the case of userint() or a local zone invocation of
4522  * one_true_init, the process initially contains the audit
4523  * characteristics of the process that invoked init.  The first pass
4524  * through here uses those characteristics then for the case of
4525  * one_true_init in a local zone, clears them so subsequent system
4526  * state changes won't be attributed to the person who booted the
4527  * zone.
4528  */
4529 static int
4530 audit_put_record(int pass_fail, int status, char *msg)
4531 {
4532 	adt_session_data_t	*ah;
4533 	adt_event_data_t	*event;
4534 
4535 	if (!adt_audit_enabled())
4536 		return (0);
4537 
4538 	/*
4539 	 * the PROC_DATA picks up the context to tell whether this is
4540 	 * an attributed record (auid = -2 is unattributed)
4541 	 */
4542 	if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA)) {
4543 		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
4544 		return (1);
4545 	}
4546 	event = adt_alloc_event(ah, ADT_init_solaris);
4547 	if (event == NULL) {
4548 		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
4549 		(void) adt_end_session(ah);
4550 		return (1);
4551 	}
4552 	event->adt_init_solaris.info = msg;	/* NULL is ok here */
4553 
4554 	if (adt_put_event(event, pass_fail, status)) {
4555 		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
4556 		(void) adt_end_session(ah);
4557 		return (1);
4558 	}
4559 	adt_free_event(event);
4560 
4561 	(void) adt_end_session(ah);
4562 
4563 	return (1);
4564 }
4565