xref: /titanic_52/usr/src/lib/libbsm/common/adt.c (revision 6185db853e024a486ff8837e6784dd290d866112)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #pragma ident	"%Z%%M%	%I%	%E% SMI"
27 
28 #include <bsm/adt.h>
29 #include <bsm/adt_event.h>
30 #include <assert.h>
31 #include <bsm/audit.h>
32 #include <bsm/audit_record.h>
33 #include <bsm/libbsm.h>
34 #include <door.h>
35 #include <errno.h>
36 #include <generic.h>
37 #include <md5.h>
38 #include <sys/mkdev.h>
39 #include <netdb.h>
40 #include <nss_dbdefs.h>
41 #include <pwd.h>
42 #include <sys/stat.h>
43 #include <time.h>
44 #include <stdlib.h>
45 #include <string.h>
46 #include <synch.h>
47 #include <sys/systeminfo.h>
48 #include <syslog.h>
49 #include <thread.h>
50 #include <unistd.h>
51 #include <adt_xlate.h>
52 #include <adt_ucred.h>
53 
54 static int adt_selected(struct adt_event_state *, au_event_t, int);
55 static int adt_init(adt_internal_state_t *, int);
56 static int adt_import(adt_internal_state_t *, const adt_export_data_t *);
57 static m_label_t *adt_ucred_label(ucred_t *);
58 
59 #ifdef C2_DEBUG
60 #define	DPRINTF(x) {printf x; }
61 #define	DFLUSH fflush(stdout);
62 #else
63 #define	DPRINTF(x)
64 #define	DFLUSH
65 #endif
66 
67 extern int _mutex_lock(mutex_t *);
68 extern int _mutex_unlock(mutex_t *);
69 
70 static int auditstate = AUC_DISABLED;	/* default state */
71 
72 /*
73  * adt_write_syslog
74  *
75  * errors that are not the user's fault (bugs or whatever in
76  * the underlying audit code are noted in syslog.)
77  *
78  * Avoid calling adt_write_syslog for things that can happen
79  * at high volume.
80  *
81  * syslog's open (openlog) and close (closelog) are interesting;
82  * openlog *may* create a file descriptor and is optional.  closelog
83  * *will* close any open file descriptors and is also optional.
84  *
85  * Since syslog may also be used by the calling application, the
86  * choice is to avoid openlog, which sets some otherwise useful
87  * parameters, and to embed "Solaris_audit" in the log message.
88  */
89 
90 void
91 adt_write_syslog(const char *message, int err)
92 {
93 	int	save_errno;
94 	int	mask_priority;
95 
96 	save_errno = errno;
97 	errno = err;
98 
99 	DPRINTF(("syslog called: %s\n", message));
100 
101 	mask_priority = setlogmask(LOG_MASK(LOG_ALERT));
102 	syslog(LOG_ALERT, "Solaris_audit %s: %m", message, err);
103 	(void) setlogmask(mask_priority);
104 	errno = save_errno;
105 }
106 
107 /*
108  * return true if audit is enabled.  "Enabled" is any state
109  * other than AUC_DISABLED.
110  *
111  * states are
112  *		AUC_INIT_AUDIT	-- c2audit queuing enabled.
113  *		AUC_AUDITING	-- up and running
114  *		AUC_DISABLED	-- no audit subsystem loaded
115  *		AUC_UNSET	-- early boot state
116  *		AUC_NOAUDIT	-- subsystem loaded, turned off via
117  *				   auditon(A_SETCOND...)
118  *		AUC_NOSPACE	-- up and running, but log partitions are full
119  *
120  *	For purpose of this API, anything but AUC_DISABLED or
121  *	AUC_UNSET is enabled; however one never actually sees
122  *	AUC_DISABLED since auditon returns EINVAL in that case.  Any
123  *	auditon error is considered the same as EINVAL for our
124  *	purpose.  auditstate is not changed by auditon if an error
125  *	is returned.
126  */
127 
128 boolean_t
129 adt_audit_enabled(void) {
130 
131 	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
132 
133 	return (auditstate != AUC_DISABLED);
134 }
135 
136 /*
137  * The man page for getpwuid_r says the buffer must be big enough
138  * or ERANGE will be returned, but offers no guidance for how big
139  * the buffer should be or a way to calculate it.  If you get
140  * ERANGE, double pwd_buff's size.
141  *
142  * This may be called even when auditing is off.
143  */
144 
145 #define	NAFLAG_LEN 512
146 
147 static int
148 adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
149 {
150 	struct passwd	pwd;
151 	char		pwd_buff[NSS_BUFSIZ];
152 	char		naflag_buf[NAFLAG_LEN];
153 
154 	if (auditstate == AUC_DISABLED) {
155 		mask->am_success = 0;
156 		mask->am_failure = 0;
157 	} else if (uid >= 0) {
158 		if (getpwuid_r(uid, &pwd, pwd_buff, NSS_BUFSIZ) == NULL) {
159 			/*
160 			 * getpwuid_r returns NULL without setting
161 			 * errno if the user does not exist; only
162 			 * if the input is the wrong length does it
163 			 * set errno.
164 			 */
165 			if (errno != ERANGE)
166 				errno = EINVAL;
167 			return (-1);
168 		}
169 		if (au_user_mask(pwd.pw_name, mask)) {
170 			errno = EFAULT; /* undetermined failure */
171 			return (-1);
172 		}
173 	} else if (getacna(naflag_buf, NAFLAG_LEN - 1) == 0) {
174 		if (getauditflagsbin(naflag_buf, mask))
175 			return (-1);
176 	} else {
177 		return (-1);
178 	}
179 	return (0);
180 }
181 
182 /*
183  * adt_get_unique_id -- generate a hopefully unique 32 bit value
184  *
185  * there will be a follow up to replace this with the use of /dev/random
186  *
187  * An MD5 hash is taken on a buffer of
188  *     hostname . audit id . unix time . pid . count
189  *
190  * "count = noise++;" is subject to a race condition but I don't
191  * see a need to put a lock around it.
192  */
193 
194 static au_id_t
195 adt_get_unique_id(uid_t uid)
196 {
197 	char		hostname[MAXHOSTNAMELEN];
198 	union {
199 		au_id_t		v[4];
200 		unsigned char	obuff[128/8];
201 	} output;
202 	MD5_CTX	context;
203 
204 	static int	noise = 0;
205 
206 	int		count = noise++;
207 	time_t		timebits = time(NULL);
208 	pid_t		pidbits = getpid();
209 	au_id_t		retval = 0;
210 
211 	if (gethostname(hostname, MAXHOSTNAMELEN)) {
212 		adt_write_syslog("gethostname call failed", errno);
213 		(void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN);
214 	}
215 
216 	while (retval == 0) {  /* 0 is the only invalid result */
217 		MD5Init(&context);
218 
219 		MD5Update(&context, (unsigned char *)hostname,
220 		    (unsigned int) strlen((const char *)hostname));
221 
222 		MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t));
223 
224 		MD5Update(&context,
225 		    (unsigned char *) &timebits, sizeof (time_t));
226 
227 		MD5Update(&context, (unsigned char *) &pidbits,
228 		    sizeof (pid_t));
229 
230 		MD5Update(&context, (unsigned char *) &(count), sizeof (int));
231 		MD5Final(output.obuff, &context);
232 
233 		retval = output.v[count % 4];
234 	}
235 	return (retval);
236 }
237 
238 /*
239  * the following "port" function deals with the following issues:
240  *
241  * 1    the kernel and ucred deal with a dev_t as a 64 bit value made
242  *      up from a 32 bit major and 32 bit minor.
243  * 2    User space deals with a dev_t as either the above 64 bit value
244  *      or a 32 bit value made from a 14 bit major and an 18 bit minor.
245  * 3    The various audit interfaces (except ucred) pass the 32 or
246  *      64 bit version depending the architecture of the userspace
247  *      application.  If you get a port value from ucred and pass it
248  *      to the kernel via auditon(), it must be squeezed into a 32
249  *      bit value because the kernel knows the userspace app's bit
250  *      size.
251  *
252  * The internal state structure for adt (adt_internal_state_t) uses
253  * dev_t, so adt converts data from ucred to fit.  The import/export
254  * functions, however, can't know if they are importing/exporting
255  * from 64 or 32 bit applications, so they always send 64 bits and
256  * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as
257  * appropriate.
258  */
259 
260 /*
261  * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are
262  * both 64 bits).  If lib is 32 bits, squeeze the two-int port into
263  * a 32 bit dev_t.  A port fits in the "minor" part of au_port_t,
264  * so it isn't broken up into pieces.  (When it goes to the kernel
265  * and back, however, it will have been split into major/minor
266  * pieces.)
267  */
268 
269 static void
270 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src)
271 {
272 #ifdef _LP64
273 	(void) memcpy(dest, src, sizeof (au_tid_addr_t));
274 #else
275 	dest->at_type = src->at_type;
276 
277 	dest->at_port  = src->at_port.at_minor & MAXMIN32;
278 	dest->at_port |= (src->at_port.at_major & MAXMAJ32) <<
279 	    NBITSMINOR32;
280 
281 	(void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t));
282 #endif
283 }
284 
285 /*
286  * adt_start_session -- create interface handle, create context
287  *
288  * The imported_state input is normally NULL, if not, it represents
289  * a continued session; its values obviate the need for a subsequent
290  * call to adt_set_user().
291  *
292  * The flag is used to decide how to set the initial state of the session.
293  * If 0, the session is "no audit" until a call to adt_set_user; if
294  * ADT_USE_PROC_DATA, the session is built from the process audit
295  * characteristics obtained from the kernel.  If imported_state is
296  * not NULL, the resulting audit mask is an OR of the current process
297  * audit mask and that passed in.
298  *
299  * The basic model is that the caller can use the pointer returned
300  * by adt_start_session whether or not auditing is enabled or an
301  * error was returned.  The functions that take the session handle
302  * as input generally return without doing anything if auditing is
303  * disabled.
304  */
305 
306 int
307 adt_start_session(adt_session_data_t **new_session,
308     const adt_export_data_t *imported_state, adt_session_flags_t flags)
309 {
310 	adt_internal_state_t	*state;
311 	adt_session_flags_t	flgmask = ADT_FLAGS_ALL;
312 
313 	*new_session = NULL;	/* assume failure */
314 
315 	/* ensure that auditstate is set */
316 	(void) adt_audit_enabled();
317 
318 	if ((flags & ~flgmask) != 0) {
319 		errno = EINVAL;
320 		goto return_err;
321 	}
322 	state = calloc(1, sizeof (adt_internal_state_t));
323 
324 	if (state == NULL)
325 		goto return_err;
326 
327 	if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0)
328 		goto return_err_free;    /* errno from adt_init() */
329 
330 	/*
331 	 * The imported state overwrites the initial state if the
332 	 * imported state represents a valid audit trail
333 	 */
334 
335 	if (imported_state != NULL) {
336 		if (adt_import(state, imported_state) != 0) {
337 			goto return_err_free;
338 		}
339 	} else if (flags & ADT_USE_PROC_DATA) {
340 		state->as_session_model = ADT_PROCESS_MODEL;
341 	}
342 	state->as_flags = flags;
343 	DPRINTF(("(%d) Starting session id = %08X\n",
344 	    getpid(), state->as_info.ai_asid));
345 
346 	if (state->as_audit_enabled) {
347 		*new_session = (adt_session_data_t *)state;
348 	} else {
349 		free(state);
350 	}
351 
352 	return (0);
353 return_err_free:
354 	free(state);
355 return_err:
356 	adt_write_syslog("audit session create failed", errno);
357 	return (-1);
358 }
359 
360 /*
361  * adt_get_asid() and adt_set_asid()
362  *
363  * if you use this interface, you are responsible to insure that the
364  * rest of the session data is populated correctly before calling
365  * adt_proccess_attr()
366  *
367  * neither of these are intended for general use and will likely
368  * remain private interfaces for a long time.  Forever is a long
369  * time.  In the case of adt_set_asid(), you should have a very,
370  * very good reason for setting your own session id.  The process
371  * audit characteristics are not changed by put, use adt_set_proc().
372  *
373  * These are "volatile" (more changable than "evolving") and will
374  * probably change in the S10 period.
375  */
376 
377 void
378 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid)
379 {
380 
381 	if (session_data == NULL) {
382 		*asid = 0;
383 	} else {
384 		assert(((adt_internal_state_t *)session_data)->as_check ==
385 		    ADT_VALID);
386 
387 		*asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid;
388 	}
389 }
390 
391 void
392 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id)
393 {
394 
395 	if (session_data != NULL) {
396 		assert(((adt_internal_state_t *)session_data)->as_check ==
397 		    ADT_VALID);
398 
399 		((adt_internal_state_t *)session_data)->as_have_user_data |=
400 		    ADT_HAVE_ASID;
401 		((adt_internal_state_t *)session_data)->as_info.ai_asid =
402 		    session_id;
403 	}
404 }
405 
406 /*
407  * adt_get_auid() and adt_set_auid()
408  *
409  * neither of these are intended for general use and will likely
410  * remain private interfaces for a long time.  Forever is a long
411  * time.  In the case of adt_set_auid(), you should have a very,
412  * very good reason for setting your own audit id.  The process
413  * audit characteristics are not changed by put, use adt_set_proc().
414  */
415 
416 void
417 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid)
418 {
419 
420 	if (session_data == NULL) {
421 		*auid = AU_NOAUDITID;
422 	} else {
423 		assert(((adt_internal_state_t *)session_data)->as_check ==
424 		    ADT_VALID);
425 
426 		*auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid;
427 	}
428 }
429 
430 void
431 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id)
432 {
433 
434 	if (session_data != NULL) {
435 		assert(((adt_internal_state_t *)session_data)->as_check ==
436 		    ADT_VALID);
437 
438 		((adt_internal_state_t *)session_data)->as_have_user_data |=
439 		    ADT_HAVE_AUID;
440 		((adt_internal_state_t *)session_data)->as_info.ai_auid =
441 		    audit_id;
442 	}
443 }
444 
445 /*
446  * adt_get_termid(), adt_set_termid()
447  *
448  * if you use this interface, you are responsible to insure that the
449  * rest of the session data is populated correctly before calling
450  * adt_proccess_attr()
451  *
452  * The process  audit characteristics are not changed by put, use
453  * adt_set_proc().
454  */
455 
456 void
457 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid)
458 {
459 
460 	if (session_data == NULL) {
461 		(void) memset(termid, 0, sizeof (au_tid_addr_t));
462 		termid->at_type = AU_IPv4;
463 	} else {
464 		assert(((adt_internal_state_t *)session_data)->as_check ==
465 		    ADT_VALID);
466 
467 		*termid =
468 		    ((adt_internal_state_t *)session_data)->as_info.ai_termid;
469 	}
470 }
471 
472 void
473 adt_set_termid(const adt_session_data_t *session_data,
474     const au_tid_addr_t *termid)
475 {
476 
477 	if (session_data != NULL) {
478 		assert(((adt_internal_state_t *)session_data)->as_check ==
479 		    ADT_VALID);
480 
481 		((adt_internal_state_t *)session_data)->as_info.ai_termid =
482 			*termid;
483 
484 		((adt_internal_state_t *)session_data)->as_have_user_data |=
485 			ADT_HAVE_TID;
486 	}
487 }
488 
489 /*
490  * adt_get_mask(), adt_set_mask()
491  *
492  * if you use this interface, you are responsible to insure that the
493  * rest of the session data is populated correctly before calling
494  * adt_proccess_attr()
495  *
496  * The process  audit characteristics are not changed by put, use
497  * adt_set_proc().
498  */
499 
500 void
501 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask)
502 {
503 
504 	if (session_data == NULL) {
505 		mask->am_success = 0;
506 		mask->am_failure = 0;
507 	} else {
508 		assert(((adt_internal_state_t *)session_data)->as_check ==
509 		    ADT_VALID);
510 
511 		*mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask;
512 	}
513 }
514 
515 void
516 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask)
517 {
518 
519 	if (session_data != NULL) {
520 		assert(((adt_internal_state_t *)session_data)->as_check ==
521 		    ADT_VALID);
522 
523 		((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask;
524 
525 		((adt_internal_state_t *)session_data)->as_have_user_data |=
526 		    ADT_HAVE_MASK;
527 	}
528 }
529 
530 /*
531  * helpers for adt_load_termid
532  */
533 
534 static void
535 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock,
536     au_tid_addr_t *termid)
537 {
538 
539 	termid->at_port = ((peer->sin6_port<<16) | (sock->sin6_port));
540 	termid->at_type = AU_IPv6;
541 	(void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t));
542 }
543 
544 static void
545 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock,
546     au_tid_addr_t *termid)
547 {
548 
549 	termid->at_port = ((peer->sin_port<<16) | (sock->sin_port));
550 
551 	termid->at_type = AU_IPv4;
552 	termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr;
553 	(void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t));
554 }
555 
556 /*
557  * adt_load_termid:  convenience function; inputs file handle and
558  * outputs an au_tid_addr struct.
559  *
560  * This code was stolen from audit_settid.c; it differs from audit_settid()
561  * in that it does not write the terminal id to the process.
562  */
563 
564 int
565 adt_load_termid(int fd, adt_termid_t **termid)
566 {
567 	au_tid_addr_t		*p_term;
568 	struct sockaddr_in6	peer;
569 	struct sockaddr_in6	sock;
570 	int			peerlen = sizeof (peer);
571 	int			socklen = sizeof (sock);
572 
573 	*termid = NULL;
574 
575 	/* get peer name if its a socket, else assume local terminal */
576 
577 	if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen)
578 	    < 0) {
579 		if (errno == ENOTSOCK)
580 			return (adt_load_hostname(NULL, termid));
581 		goto return_err;
582 	}
583 
584 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
585 		goto return_err;
586 
587 	/* get sock name */
588 	if (getsockname(fd, (struct sockaddr *)&sock,
589 	    (socklen_t *)&socklen) < 0)
590 		goto return_err_free;
591 
592 	if (peer.sin6_family == AF_INET6) {
593 		adt_do_ipv6_address(&peer, &sock, p_term);
594 	} else {
595 		adt_do_ipv4_address((struct sockaddr_in *)&peer,
596 		    (struct sockaddr_in *)&sock, p_term);
597 	}
598 	*termid = (adt_termid_t *)p_term;
599 
600 	return (0);
601 
602 return_err_free:
603 	free(p_term);
604 return_err:
605 	return (-1);
606 }
607 
608 static boolean_t
609 adt_have_termid(au_tid_addr_t *dest)
610 {
611 	struct auditinfo_addr	audit_data;
612 
613 	if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) {
614 		adt_write_syslog("getaudit failed", errno);
615 		return (B_FALSE);
616 	}
617 
618 	if ((audit_data.ai_termid.at_type == 0) ||
619 	    (audit_data.ai_termid.at_addr[0] |
620 	    audit_data.ai_termid.at_addr[1]  |
621 	    audit_data.ai_termid.at_addr[2]  |
622 	    audit_data.ai_termid.at_addr[3]) == 0)
623 		return (B_FALSE);
624 
625 	(void) memcpy(dest, &(audit_data.ai_termid),
626 	    sizeof (au_tid_addr_t));
627 
628 	return (B_TRUE);
629 }
630 
631 static int
632 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term)
633 {
634 	struct addrinfo	*ai;
635 	void		*p;
636 
637 	if (getaddrinfo(hostname, NULL, NULL, &ai) != 0)
638 		return (-1);
639 
640 	switch (ai->ai_family) {
641 		case AF_INET:
642 			/* LINTED */
643 			p = &((struct sockaddr_in *)ai->ai_addr)->sin_addr;
644 			(void) memcpy(p_term->at_addr, p,
645 			    sizeof (((struct sockaddr_in *)NULL)->sin_addr));
646 			p_term->at_type = AU_IPv4;
647 			break;
648 		case AF_INET6:
649 			/* LINTED */
650 			p = &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
651 			(void) memcpy(p_term->at_addr, p,
652 			    sizeof (((struct sockaddr_in6 *)NULL)->sin6_addr));
653 			p_term->at_type = AU_IPv6;
654 			break;
655 		default:
656 			return (-1);
657 	}
658 
659 	freeaddrinfo(ai);
660 
661 	return (0);
662 }
663 
664 /*
665  * adt_load_hostname() is called when the caller does not have a file
666  * handle that gives access to the socket info or any other way to
667  * pass in both port and ip address.  The hostname input is ignored if
668  * the terminal id has already been set; instead it returns the
669  * existing terminal id.
670  *
671  * If audit is off and the hostname lookup fails, no error is
672  * returned, since an error may be interpreted by the caller
673  * as grounds for denying a login.  Otherwise the caller would
674  * need to be aware of the audit state.
675  */
676 
677 int
678 adt_load_hostname(const char *hostname, adt_termid_t **termid)
679 {
680 	char		localhost[ADT_STRING_MAX + 1];
681 	au_tid_addr_t	*p_term;
682 
683 	*termid = NULL;
684 
685 	if (!adt_audit_enabled())
686 		return (0);
687 
688 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
689 		goto return_err;
690 
691 	if (adt_have_termid(p_term)) {
692 		*termid = (adt_termid_t *)p_term;
693 		return (0);
694 	}
695 	p_term->at_port = 0;
696 
697 	if (hostname == NULL || *hostname == '\0') {
698 		(void) sysinfo(SI_HOSTNAME, localhost, ADT_STRING_MAX);
699 		hostname = localhost;
700 	}
701 	if (adt_get_hostIP(hostname, p_term))
702 		goto return_err_free;
703 
704 	*termid = (adt_termid_t *)p_term;
705 	return (0);
706 
707 return_err_free:
708 	free(p_term);
709 
710 return_err:
711 	if ((auditstate == AUC_DISABLED) ||
712 	    (auditstate == AUC_NOAUDIT))
713 		return (0);
714 
715 	return (-1);
716 }
717 
718 /*
719  * adt_load_ttyname() is called when the caller does not have a file
720  * handle that gives access to the local terminal or any other way
721  * of determining the device id.  The ttyname input is ignored if
722  * the terminal id has already been set; instead it returns the
723  * existing terminal id.
724  *
725  * If audit is off and the ttyname lookup fails, no error is
726  * returned, since an error may be interpreted by the caller
727  * as grounds for denying a login.  Otherwise the caller would
728  * need to be aware of the audit state.
729  */
730 
731 int
732 adt_load_ttyname(const char *ttyname, adt_termid_t **termid)
733 {
734 	char		localhost[ADT_STRING_MAX + 1];
735 	au_tid_addr_t	*p_term;
736 	struct stat	stat_buf;
737 
738 	*termid = NULL;
739 
740 	if (!adt_audit_enabled())
741 		return (0);
742 
743 	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL)
744 		goto return_err;
745 
746 	if (adt_have_termid(p_term)) {
747 		*termid = (adt_termid_t *)p_term;
748 		return (0);
749 	}
750 
751 	p_term->at_port = 0;
752 
753 	if (sysinfo(SI_HOSTNAME, localhost, ADT_STRING_MAX) < 0)
754 		goto return_err_free; /* errno from sysinfo */
755 
756 	if (ttyname != NULL) {
757 		if (stat(ttyname, &stat_buf) < 0)
758 			goto return_err_free;
759 
760 		p_term->at_port = stat_buf.st_rdev;
761 	}
762 
763 	if (adt_get_hostIP(localhost, p_term))
764 		goto return_err_free;
765 
766 	*termid = (adt_termid_t *)p_term;
767 	return (0);
768 
769 return_err_free:
770 	free(p_term);
771 
772 return_err:
773 	if ((auditstate == AUC_DISABLED) ||
774 	    (auditstate == AUC_NOAUDIT))
775 		return (0);
776 
777 	return (-1);
778 }
779 
780 /*
781  * adt_get_session_id returns a stringified representation of
782  * the audit session id.  See also adt_get_asid() for how to
783  * get the unexpurgated version.  No guarantees as to how long
784  * the returned string will be or its general form; hex for now.
785  *
786  * An empty string is returned if auditing is off; length = 1
787  * and the pointer is valid.
788  *
789  * returns strlen + 1 if buffer is valid; else 0 and errno.
790  */
791 
792 size_t
793 adt_get_session_id(const adt_session_data_t *session_data, char **buff)
794 {
795 	au_asid_t	session_id;
796 	size_t		length;
797 	/*
798 	 * output is 0x followed by
799 	 * two characters per byte
800 	 * plus terminator,
801 	 * except leading 0's are suppressed, so a few bytes may
802 	 * be unused.
803 	 */
804 	length = 2 + (2 * sizeof (session_id)) + 1;
805 	*buff = malloc(length);
806 
807 	if (*buff == NULL) {
808 		return (0);
809 	}
810 	if (session_data == NULL) { /* NULL is not an error */
811 		**buff = '\0';
812 		return (1);
813 	}
814 	adt_get_asid(session_data, &session_id);
815 
816 	length = snprintf(*buff, length, "0x%X", (int)session_id);
817 
818 	/* length < 1 is a bug: the session data type may have changed */
819 	assert(length > 0);
820 
821 	return (length);
822 }
823 
824 /*
825  * adt_end_session -- close handle, clear context
826  *
827  * if as_check is invalid, no harm, no foul, EXCEPT that this could
828  * be an attempt to free data already free'd, so output to syslog
829  * to help explain why the process cored dumped.
830  */
831 
832 int
833 adt_end_session(adt_session_data_t *session_data)
834 {
835 	adt_internal_state_t	*state;
836 
837 	if (session_data != NULL) {
838 		state = (adt_internal_state_t *)session_data;
839 		if (state->as_check != ADT_VALID) {
840 			adt_write_syslog("freeing invalid data", EINVAL);
841 		} else {
842 			state->as_check = 0;
843 			m_label_free(state->as_label);
844 			free(session_data);
845 		}
846 	}
847 	/* no errors yet defined */
848 	return (0);
849 }
850 
851 /*
852  * adt_dup_session -- copy the session data
853  */
854 
855 int
856 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest)
857 {
858 	adt_internal_state_t	*source_state;
859 	adt_internal_state_t	*dest_state = NULL;
860 	int			rc = 0;
861 
862 	if (source != NULL) {
863 		source_state = (adt_internal_state_t *)source;
864 		assert(source_state->as_check == ADT_VALID);
865 
866 		dest_state = malloc(sizeof (adt_internal_state_t));
867 		if (dest_state == NULL) {
868 			rc = -1;
869 			goto return_rc;
870 		}
871 		(void) memcpy(dest_state, source,
872 		    sizeof (struct adt_internal_state));
873 
874 		if (source_state->as_label != NULL) {
875 			dest_state->as_label = NULL;
876 			if ((rc = m_label_dup(&dest_state->as_label,
877 			    source_state->as_label)) != 0) {
878 				free(dest_state);
879 				dest_state = NULL;
880 			}
881 		}
882 	}
883 return_rc:
884 	*dest = (adt_session_data_t *)dest_state;
885 	return (rc);
886 }
887 
888 /*
889  * from_export_format()
890  * read from a network order buffer into struct adt_session_data
891  */
892 
893 static size_t
894 adt_from_export_format(adt_internal_state_t *internal,
895     const adt_export_data_t *external)
896 {
897 	struct export_header	head;
898 	struct export_link	link;
899 	adr_t			context;
900 	int32_t 		offset;
901 	int32_t 		length;
902 	int32_t 		version;
903 	size_t			label_len;
904 	char			*p = (char *)external;
905 
906 	adrm_start(&context, (char *)external);
907 	adrm_int32(&context, (int *)&head, 4);
908 
909 	if ((internal->as_check = head.ax_check) != ADT_VALID) {
910 		errno = EINVAL;
911 		return (0);
912 	}
913 	offset = head.ax_link.ax_offset;
914 	version = head.ax_link.ax_version;
915 	length = head.ax_buffer_length;
916 
917 	/*
918 	 * Skip newer versions.
919 	 */
920 	while (version > PROTOCOL_VERSION_2) {
921 		if (offset < 1) {
922 			return (0);	/* failed to match version */
923 		}
924 		p += offset;		/* point to next version # */
925 
926 		if (p > (char *)external + length) {
927 			return (0);
928 		}
929 		adrm_start(&context, p);
930 		adrm_int32(&context, (int *)&link, 2);
931 		offset = link.ax_offset;
932 		version = link.ax_version;
933 		assert(version != 0);
934 	}
935 	/*
936 	 * Adjust buffer pointer to the first data item (euid).
937 	 */
938 	if (p == (char *)external) {
939 		adrm_start(&context, (char *)(p + sizeof (head)));
940 	} else {
941 		adrm_start(&context, (char *)(p + sizeof (link)));
942 	}
943 	/*
944 	 * if down rev version, neither pid nor label are included
945 	 * in v1 ax_size_of_tsol_data intentionally ignored
946 	 */
947 	if (version == PROTOCOL_VERSION_1) {
948 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
949 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
950 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
951 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
952 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
953 		adrm_int32(&context,
954 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
955 		adrm_int32(&context,
956 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
957 		adrm_int32(&context,
958 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
959 		adrm_int32(&context,
960 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
961 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
962 		adrm_int32(&context, (int *)&(internal->as_audit_enabled), 1);
963 		internal->as_pid = (pid_t)-1;
964 		internal->as_label = NULL;
965 	} else if (version == PROTOCOL_VERSION_2) {
966 		adrm_int32(&context, (int *)&(internal->as_euid), 1);
967 		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
968 		adrm_int32(&context, (int *)&(internal->as_egid), 1);
969 		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
970 		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
971 		adrm_int32(&context,
972 		    (int *)&(internal->as_info.ai_mask.am_success), 2);
973 		adrm_int32(&context,
974 		    (int *)&(internal->as_info.ai_termid.at_port), 1);
975 		adrm_int32(&context,
976 		    (int *)&(internal->as_info.ai_termid.at_type), 1);
977 		adrm_int32(&context,
978 		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
979 		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
980 		adrm_int32(&context, (int *)&(internal->as_audit_enabled), 1);
981 		adrm_int32(&context, (int *)&(internal->as_pid), 1);
982 		adrm_int32(&context, (int *)&label_len, 1);
983 		if (label_len > 0) {
984 			/* read in and deal with different sized labels. */
985 			size_t	my_label_len = blabel_size();
986 
987 			if ((internal->as_label =
988 			    m_label_alloc(MAC_LABEL)) == NULL) {
989 				return (0);
990 			}
991 			if (label_len > my_label_len) {
992 				errno = EINVAL;
993 				m_label_free(internal->as_label);
994 				return (0);
995 			}
996 			(void) memset(internal->as_label, 0, my_label_len);
997 			adrm_int32(&context, (int *)(internal->as_label),
998 			    label_len / sizeof (int32_t));
999 		} else {
1000 			internal->as_label = NULL;
1001 		}
1002 	}
1003 
1004 	return (length);
1005 }
1006 
1007 /*
1008  * adt_to_export_format
1009  * read from struct adt_session_data into a network order buffer.
1010  *
1011  * (network order 'cause this data may be shared with a remote host.)
1012  */
1013 
1014 static size_t
1015 adt_to_export_format(adt_export_data_t *external,
1016     adt_internal_state_t *internal)
1017 {
1018 	struct export_header	head;
1019 	struct export_link	tail;
1020 	adr_t			context;
1021 	size_t			label_len = 0;
1022 
1023 	adrm_start(&context, (char *)external);
1024 
1025 	if (internal->as_label != NULL) {
1026 		label_len = blabel_size();
1027 	}
1028 
1029 	head.ax_check = ADT_VALID;
1030 	head.ax_buffer_length = sizeof (struct adt_export_data) + label_len;
1031 
1032 	/* version 2 first */
1033 
1034 	head.ax_link.ax_version = PROTOCOL_VERSION_2;
1035 	head.ax_link.ax_offset = sizeof (struct export_header) +
1036 	    sizeof (struct adt_export_v2) + label_len;
1037 
1038 	adrm_putint32(&context, (int *)&head, 4);
1039 
1040 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1041 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1042 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1043 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1044 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1045 	adrm_putint32(&context,
1046 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1047 	adrm_putint32(&context,
1048 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1049 	adrm_putint32(&context,
1050 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1051 	adrm_putint32(&context,
1052 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1053 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1054 	adrm_putint32(&context, (int *)&(internal->as_audit_enabled), 1);
1055 	adrm_putint32(&context, (int *)&(internal->as_pid), 1);
1056 	adrm_putint32(&context, (int *)&label_len, 1);
1057 	if (internal->as_label != NULL) {
1058 		/* serialize the label */
1059 		adrm_putint32(&context, (int *)(internal->as_label),
1060 		    (label_len / sizeof (int32_t)));
1061 	}
1062 
1063 	/* now version 1 */
1064 
1065 	tail.ax_version = PROTOCOL_VERSION_1;
1066 	tail.ax_offset = 0;
1067 
1068 	adrm_putint32(&context, (int *)&tail, 2);
1069 
1070 	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1071 	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1072 	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1073 	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1074 	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1075 	adrm_putint32(&context,
1076 	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1077 	adrm_putint32(&context,
1078 	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1079 	adrm_putint32(&context,
1080 	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1081 	adrm_putint32(&context,
1082 	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1083 	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1084 	adrm_putint32(&context, (int *)&(internal->as_audit_enabled), 1);
1085 	/* ignored in v1 */
1086 	adrm_putint32(&context, (int *)&label_len, 1);
1087 
1088 	/* finally terminator */
1089 
1090 	tail.ax_version = 0; /* invalid version number */
1091 	tail.ax_offset = 0;
1092 
1093 	adrm_putint32(&context, (int *)&tail, 2);
1094 
1095 	return (head.ax_buffer_length);
1096 }
1097 
1098 
1099 /*
1100  * adt_import_proc() is used by a server acting on behalf
1101  * of a client which has connected via an ipc mechanism such as
1102  * a door.
1103  *
1104  * Since the interface is via ucred, the info.ap_termid.port
1105  * value is always the 64 bit version.  What is stored depends
1106  * on how libbsm is compiled.
1107  */
1108 
1109 size_t
1110 adt_import_proc(pid_t pid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1111     adt_export_data_t **external)
1112 {
1113 	size_t			length = 0;
1114 	adt_internal_state_t	*state;
1115 	ucred_t			*ucred;
1116 	const au_tid64_addr_t	*tid;
1117 
1118 	state = calloc(1, sizeof (adt_internal_state_t));
1119 
1120 	if (state == NULL)
1121 		return (0);
1122 
1123 	if (adt_init(state, 0) != 0)
1124 		goto return_length_free;    /* errno from adt_init() */
1125 
1126 	/*
1127 	 * ucred_getauid() returns AU_NOAUDITID if audit is off, which
1128 	 * is the right answer for adt_import_proc().
1129 	 *
1130 	 * Create a local context as near as possible.
1131 	 */
1132 
1133 	ucred = ucred_get(pid);
1134 
1135 	if (ucred == NULL)
1136 		goto return_length_free;
1137 
1138 	state->as_ruid = ruid != ADT_NO_CHANGE ? ruid : ucred_getruid(ucred);
1139 	state->as_euid = euid != ADT_NO_CHANGE ? euid : ucred_geteuid(ucred);
1140 	state->as_rgid = rgid != ADT_NO_CHANGE ? rgid : ucred_getrgid(ucred);
1141 	state->as_egid = egid != ADT_NO_CHANGE ? egid : ucred_getegid(ucred);
1142 
1143 	state->as_info.ai_auid = ucred_getauid(ucred);
1144 
1145 	if (state->as_info.ai_auid == AU_NOAUDITID) {
1146 		state->as_info.ai_asid = adt_get_unique_id(ruid);
1147 
1148 		if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1149 			goto return_all_free;
1150 	} else {
1151 		const au_mask_t *mask = ucred_getamask(ucred);
1152 
1153 		if (mask != NULL)
1154 			state->as_info.ai_mask = *mask;
1155 		else
1156 			goto return_all_free;
1157 
1158 		state->as_info.ai_asid = ucred_getasid(ucred);
1159 	}
1160 
1161 	tid = ucred_getatid(ucred);
1162 
1163 	if (tid != NULL) {
1164 		adt_cpy_tid(&(state->as_info.ai_termid), tid);
1165 	} else {
1166 		(void) memset((void *)&(state->as_info.ai_termid), 0,
1167 		    sizeof (au_tid_addr_t));
1168 		state->as_info.ai_termid.at_type = AU_IPv4;
1169 	}
1170 
1171 	DPRINTF(("import_proc/asid = %X %u\n", state->as_info.ai_asid,
1172 	    state->as_info.ai_asid));
1173 
1174 	DPRINTF(("import_proc/masks = %X %X\n",
1175 	    state->as_info.ai_mask.am_success,
1176 	    state->as_info.ai_mask.am_failure));
1177 
1178 	if (state->as_label == NULL) {
1179 		*external = malloc(sizeof (adt_export_data_t));
1180 	} else {
1181 		*external = malloc(sizeof (adt_export_data_t) + blabel_size());
1182 	}
1183 
1184 	if (*external == NULL)
1185 		goto return_all_free;
1186 
1187 	length = adt_to_export_format(*external, state);
1188 	/*
1189 	 * yes, state is supposed to be free'd for both pass and fail
1190 	 */
1191 return_all_free:
1192 	ucred_free(ucred);
1193 return_length_free:
1194 	free(state);
1195 	return (length);
1196 }
1197 
1198 /*
1199  * adt_ucred_label() -- if label is available, duplicate it.
1200  */
1201 
1202 static m_label_t *
1203 adt_ucred_label(ucred_t *uc)
1204 {
1205 	m_label_t	*ul = NULL;
1206 
1207 	if (ucred_getlabel(uc) != NULL) {
1208 		(void) m_label_dup(&ul, ucred_getlabel(uc));
1209 	}
1210 
1211 	return (ul);
1212 }
1213 
1214 /*
1215  * adt_import() -- convert from network order to machine-specific order
1216  */
1217 
1218 static int
1219 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external)
1220 {
1221 	au_mask_t mask;
1222 
1223 	/* save local audit enabled state */
1224 	int	local_audit_enabled = internal->as_audit_enabled;
1225 
1226 	if (adt_from_export_format(internal, external) < 1)
1227 		return (-1); /* errno from adt_from_export_format */
1228 
1229 	/*
1230 	 * If audit isn't enabled on the remote, they were unable
1231 	 * to generate the audit mask, so generate it based on
1232 	 * local configuration.  If the user id has changed, the
1233 	 * resulting mask may miss some subtleties that occurred
1234 	 * on the remote system.
1235 	 *
1236 	 * If the remote failed to generate a terminal id, it is not
1237 	 * recoverable.
1238 	 */
1239 
1240 	if (!internal->as_audit_enabled) {
1241 		if (adt_get_mask_from_user(internal->as_info.ai_auid,
1242 		    &(internal->as_info.ai_mask)))
1243 			return (-1);
1244 		if (internal->as_info.ai_auid != internal->as_ruid) {
1245 			if (adt_get_mask_from_user(internal->as_info.ai_auid,
1246 			    &mask))
1247 				return (-1);
1248 			internal->as_info.ai_mask.am_success |=
1249 			    mask.am_success;
1250 			internal->as_info.ai_mask.am_failure |=
1251 			    mask.am_failure;
1252 		}
1253 	}
1254 	internal->as_audit_enabled = local_audit_enabled;
1255 
1256 	DPRINTF(("(%d)imported asid = %X %u\n", getpid(),
1257 	    internal->as_info.ai_asid,
1258 	    internal->as_info.ai_asid));
1259 
1260 	internal->as_have_user_data = ADT_HAVE_ALL;
1261 
1262 	return (0);
1263 }
1264 
1265 /*
1266  * adt_export_session_data()
1267  * copies a adt_session_data struct into a network order buffer
1268  *
1269  * In a misconfigured network, the local host may have auditing
1270  * off while the destination may have auditing on, so if there
1271  * is sufficient memory, a buffer will be returned even in the
1272  * audit off case.
1273  */
1274 
1275 size_t
1276 adt_export_session_data(const adt_session_data_t *internal,
1277     adt_export_data_t **external)
1278 {
1279 	size_t			length = 0;
1280 
1281 	if ((internal != NULL) &&
1282 	    ((adt_internal_state_t *)internal)->as_label != NULL) {
1283 		length = blabel_size();
1284 	}
1285 
1286 	*external = malloc(sizeof (adt_export_data_t) + length);
1287 
1288 	if (*external == NULL)
1289 		return (0);
1290 
1291 	if (internal == NULL) {
1292 		adt_internal_state_t	*dummy;
1293 
1294 		dummy = malloc(sizeof (adt_internal_state_t));
1295 		if (dummy == NULL)
1296 			goto return_length_free;
1297 
1298 		if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */
1299 			free(dummy);
1300 			goto return_length_free;
1301 		}
1302 		length = adt_to_export_format(*external, dummy);
1303 		free(dummy);
1304 	} else {
1305 		length = adt_to_export_format(*external,
1306 		    (adt_internal_state_t *)internal);
1307 	}
1308 	return (length);
1309 
1310 return_length_free:
1311 	free(*external);
1312 	*external = NULL;
1313 	return (0);
1314 }
1315 
1316 static void
1317 adt_setto_unaudited(adt_internal_state_t *state)
1318 {
1319 	state->as_ruid = AU_NOAUDITID;
1320 	state->as_euid = AU_NOAUDITID;
1321 	state->as_rgid = AU_NOAUDITID;
1322 	state->as_egid = AU_NOAUDITID;
1323 	state->as_pid = (pid_t)-1;
1324 	state->as_label = NULL;
1325 
1326 	if (state->as_audit_enabled) {
1327 		state->as_info.ai_asid = 0;
1328 		state->as_info.ai_auid = AU_NOAUDITID;
1329 
1330 		(void) memset((void *)&(state->as_info.ai_termid), 0,
1331 		    sizeof (au_tid_addr_t));
1332 		state->as_info.ai_termid.at_type = AU_IPv4;
1333 
1334 		(void) memset((void *)&(state->as_info.ai_mask), 0,
1335 		    sizeof (au_mask_t));
1336 		state->as_have_user_data = 0;
1337 	}
1338 }
1339 
1340 /*
1341  * adt_init -- set session context by copying the audit characteristics
1342  * from the proc and picking up current uid/tid information.
1343  *
1344  * By default, an audit session is based on the process; the default
1345  * is overriden by adt_set_user()
1346  */
1347 
1348 static int
1349 adt_init(adt_internal_state_t *state, int use_proc_data)
1350 {
1351 
1352 	state->as_audit_enabled = (auditstate == AUC_DISABLED) ? 0 : 1;
1353 
1354 	if (use_proc_data) {
1355 		state->as_ruid = getuid();
1356 		state->as_euid = geteuid();
1357 		state->as_rgid = getgid();
1358 		state->as_egid = getegid();
1359 		state->as_pid = getpid();
1360 
1361 		if (state->as_audit_enabled) {
1362 			const au_tid64_addr_t	*tid;
1363 			const au_mask_t		*mask;
1364 			ucred_t			*ucred = ucred_get(P_MYID);
1365 
1366 			/*
1367 			 * Even if the ucred is NULL, the underlying
1368 			 * credential may have a valid terminal id; if the
1369 			 * terminal id is set, then that's good enough.  An
1370 			 * example of where this matters is failed login,
1371 			 * where rlogin/telnet sets the terminal id before
1372 			 * calling login; login does not load the credential
1373 			 * since auth failed.
1374 			 */
1375 			if (ucred == NULL) {
1376 				if (!adt_have_termid(
1377 				    &(state->as_info.ai_termid)))
1378 					return (-1);
1379 			} else {
1380 				mask = ucred_getamask(ucred);
1381 				if (mask != NULL) {
1382 					state->as_info.ai_mask = *mask;
1383 				} else {
1384 					ucred_free(ucred);
1385 					return (-1);
1386 				}
1387 				tid = ucred_getatid(ucred);
1388 				if (tid != NULL) {
1389 					adt_cpy_tid(&(state->as_info.ai_termid),
1390 					    tid);
1391 				} else {
1392 					ucred_free(ucred);
1393 					return (-1);
1394 				}
1395 				state->as_info.ai_asid = ucred_getasid(ucred);
1396 				state->as_info.ai_auid = ucred_getauid(ucred);
1397 				state->as_label = adt_ucred_label(ucred);
1398 				ucred_free(ucred);
1399 			}
1400 			state->as_have_user_data = ADT_HAVE_ALL;
1401 		}
1402 	} else {
1403 		adt_setto_unaudited(state);
1404 	}
1405 	state->as_session_model = ADT_SESSION_MODEL;	/* default */
1406 
1407 	if (state->as_audit_enabled &&
1408 	    auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy),
1409 	    sizeof (state->as_kernel_audit_policy))) {
1410 		return (-1);  /* errno set by auditon */
1411 	}
1412 	state->as_check = ADT_VALID;
1413 	return (0);
1414 }
1415 
1416 /*
1417  * adt_set_proc
1418  *
1419  * Copy the current session state to the process.  If this function
1420  * is called, the model becomes a process model rather than a
1421  * session model.
1422  *
1423  * In the current implementation, the value state->as_have_user_data
1424  * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}.  These are all set
1425  * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in.
1426  *
1427  */
1428 
1429 int
1430 adt_set_proc(const adt_session_data_t *session_data)
1431 {
1432 	int			rc;
1433 	adt_internal_state_t	*state;
1434 
1435 	if (auditstate == AUC_DISABLED || (session_data == NULL))
1436 		return (0);
1437 
1438 	state = (adt_internal_state_t *)session_data;
1439 
1440 	assert(state->as_check == ADT_VALID);
1441 
1442 	if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) !=
1443 	    (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) {
1444 		errno = EINVAL;
1445 		goto return_err;
1446 	}
1447 
1448 	rc = setaudit_addr((auditinfo_addr_t *)&(state->as_info),
1449 	    sizeof (auditinfo_addr_t));
1450 
1451 	if (rc < 0)
1452 		goto return_err;	/* errno set by setaudit_addr() */
1453 
1454 	state->as_session_model = ADT_PROCESS_MODEL;
1455 
1456 	return (0);
1457 
1458 return_err:
1459 	adt_write_syslog("failed to set process audit characteristics", errno);
1460 	return (-1);
1461 }
1462 
1463 static int
1464 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid)
1465 {
1466 	au_tid_addr_t	no_tid = {0, AU_IPv4, 0, 0, 0, 0};
1467 	au_mask_t	no_mask = {0, 0};
1468 
1469 	if (ruid == ADT_NO_AUDIT) {
1470 		state->as_info.ai_auid = AU_NOAUDITID;
1471 		state->as_info.ai_asid = 0;
1472 		state->as_info.ai_termid = no_tid;
1473 		state->as_info.ai_mask = no_mask;
1474 		return (0);
1475 	}
1476 	state->as_info.ai_auid = ruid;
1477 	state->as_info.ai_asid = adt_get_unique_id(ruid);
1478 	if (termid != NULL)
1479 		state->as_info.ai_termid = *termid;
1480 
1481 	if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1482 		return (-1);
1483 
1484 	return (0);
1485 }
1486 
1487 static int
1488 adt_changeuser(adt_internal_state_t *state, uid_t ruid)
1489 {
1490 	au_mask_t		mask;
1491 
1492 	if (!(state->as_have_user_data & ADT_HAVE_AUID))
1493 		state->as_info.ai_auid = ruid;
1494 	if (!(state->as_have_user_data & ADT_HAVE_ASID))
1495 		state->as_info.ai_asid = adt_get_unique_id(ruid);
1496 
1497 	if (ruid >= 0) {
1498 		if (adt_get_mask_from_user(ruid, &mask))
1499 			return (-1);
1500 
1501 		state->as_info.ai_mask.am_success |= mask.am_success;
1502 		state->as_info.ai_mask.am_failure |= mask.am_failure;
1503 	}
1504 	DPRINTF(("changed mask to %08X/%08X for ruid=%d\n",
1505 		state->as_info.ai_mask.am_success,
1506 		state->as_info.ai_mask.am_failure,
1507 		ruid));
1508 	return (0);
1509 }
1510 
1511 /*
1512  * adt_set_user -- see also adt_set_from_ucred()
1513  *
1514  * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or
1515  * "unattributed."  If ruid, change the model to session.
1516  *
1517  * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value"
1518  * only valid with ADT_UPDATE.
1519  *
1520  * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there
1521  * isn't a good reason to call adt_set_user() with it unless you don't
1522  * have a good value yet and intend to replace it later; auid will be
1523  * AU_NOAUDITID.
1524  *
1525  * adt_set_user should be called even if auditing is not enabled
1526  * so that adt_export_session_data() will have useful stuff to
1527  * work with.
1528  *
1529  * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID
1530  * and ADT_HAVE_ALL.
1531  */
1532 
1533 int
1534 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid,
1535     uid_t ruid, gid_t rgid, const adt_termid_t *termid,
1536     enum adt_user_context user_context)
1537 {
1538 	adt_internal_state_t	*state;
1539 	int			rc;
1540 
1541 	if (session_data == NULL) /* no session exists to audit */
1542 		return (0);
1543 
1544 	state = (adt_internal_state_t *)session_data;
1545 	assert(state->as_check == ADT_VALID);
1546 
1547 	switch (user_context) {
1548 	case ADT_NEW:
1549 		if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE ||
1550 		    rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) {
1551 			errno = EINVAL;
1552 			return (-1);
1553 		}
1554 		if ((rc = adt_newuser(state, ruid,
1555 		    (au_tid_addr_t *)termid)) != 0)
1556 			return (rc);
1557 
1558 		state->as_have_user_data = ADT_HAVE_ALL;
1559 		break;
1560 	case ADT_UPDATE:
1561 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1562 			errno = EINVAL;
1563 			return (-1);
1564 		}
1565 
1566 		if (ruid != ADT_NO_CHANGE)
1567 			if ((rc = adt_changeuser(state, ruid)) != 0)
1568 				return (rc);
1569 		break;
1570 	case ADT_USER:
1571 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1572 			errno = EINVAL;
1573 			return (-1);
1574 		}
1575 		break;
1576 	case ADT_SETTID:
1577 		assert(termid != NULL);
1578 		state->as_info.ai_termid = *((au_tid_addr_t *)termid);
1579 		/* avoid fooling pam_setcred()... */
1580 		state->as_info.ai_auid = AU_NOAUDITID;
1581 		state->as_info.ai_asid = 0;
1582 		state->as_info.ai_mask.am_failure = 0;
1583 		state->as_info.ai_mask.am_success = 0;
1584 		state->as_have_user_data = ADT_HAVE_TID |
1585 		    ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK;
1586 		return (0);
1587 	default:
1588 		errno = EINVAL;
1589 		return (-1);
1590 	}
1591 
1592 	if (ruid == ADT_NO_AUDIT) {
1593 		state->as_ruid = AU_NOAUDITID;
1594 		state->as_euid = AU_NOAUDITID;
1595 		state->as_rgid = AU_NOAUDITID;
1596 		state->as_egid = AU_NOAUDITID;
1597 	} else {
1598 		if (ruid != ADT_NO_CHANGE)
1599 			state->as_ruid = ruid;
1600 		if (euid != ADT_NO_CHANGE)
1601 			state->as_euid = euid;
1602 		if (rgid != ADT_NO_CHANGE)
1603 			state->as_rgid = rgid;
1604 		if (egid != ADT_NO_CHANGE)
1605 			state->as_egid = egid;
1606 	}
1607 
1608 	if (ruid == ADT_NO_ATTRIB) {
1609 		state->as_session_model = ADT_SESSION_MODEL;
1610 	}
1611 
1612 	return (0);
1613 }
1614 
1615 /*
1616  * adt_set_from_ucred()
1617  *
1618  * an alternate to adt_set_user that fills the same role but uses
1619  * a pointer to a ucred rather than a list of id's.  If the ucred
1620  * pointer is NULL, use the credential from the this process.
1621  *
1622  * A key difference is that for ADT_NEW, adt_set_from_ucred() does
1623  * not overwrite the asid and auid unless auid has not been set.
1624  * ADT_NEW differs from ADT_UPDATE in that it does not OR together
1625  * the incoming audit mask with the one that already exists.
1626  *
1627  * adt_set_from_ucred should be called even if auditing is not enabled
1628  * so that adt_export_session_data() will have useful stuff to
1629  * work with.
1630  */
1631 
1632 int
1633 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc,
1634     enum adt_user_context user_context)
1635 {
1636 	adt_internal_state_t	*state;
1637 	int			rc = -1;
1638 	const au_tid64_addr_t		*tid64;
1639 	au_tid_addr_t		termid, *tid;
1640 	ucred_t	*ucred = (ucred_t *)uc;
1641 	boolean_t	local_uc = B_FALSE;
1642 
1643 	if (session_data == NULL) /* no session exists to audit */
1644 		return (0);
1645 
1646 	state = (adt_internal_state_t *)session_data;
1647 	assert(state->as_check == ADT_VALID);
1648 
1649 	if (ucred == NULL) {
1650 		ucred = ucred_get(getpid());
1651 
1652 		if (ucred == NULL)
1653 			goto return_rc;
1654 		local_uc = B_TRUE;
1655 	}
1656 
1657 	switch (user_context) {
1658 	case ADT_NEW:
1659 		tid64 = ucred_getatid(ucred);
1660 		if (tid64 != NULL) {
1661 			adt_cpy_tid(&termid, tid64);
1662 			tid = &termid;
1663 		} else {
1664 			tid = NULL;
1665 		}
1666 		/* if unaudited, adt_newuser cleans up */
1667 		if (ucred_getauid(ucred) == AU_NOAUDITID) {
1668 			if ((rc = adt_newuser(state, ucred_getruid(ucred),
1669 			    tid)) != 0)
1670 				goto return_rc;
1671 		} else {
1672 			state->as_info.ai_auid = ucred_getauid(ucred);
1673 			state->as_info.ai_asid = ucred_getasid(ucred);
1674 			state->as_info.ai_mask = *ucred_getamask(ucred);
1675 			state->as_info.ai_termid = *tid;
1676 		}
1677 		state->as_have_user_data = ADT_HAVE_ALL;
1678 		break;
1679 	case ADT_UPDATE:
1680 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1681 			errno = EINVAL;
1682 			goto return_rc;
1683 		}
1684 
1685 		if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0)
1686 			goto return_rc;
1687 		break;
1688 	case ADT_USER:
1689 		if (state->as_have_user_data != ADT_HAVE_ALL) {
1690 			errno = EINVAL;
1691 			goto return_rc;
1692 		}
1693 		break;
1694 	default:
1695 		errno = EINVAL;
1696 		goto return_rc;
1697 	}
1698 	rc = 0;
1699 
1700 	state->as_ruid = ucred_getruid(ucred);
1701 	state->as_euid = ucred_geteuid(ucred);
1702 	state->as_rgid = ucred_getrgid(ucred);
1703 	state->as_egid = ucred_getegid(ucred);
1704 	state->as_pid = ucred_getpid(ucred);
1705 	state->as_label = adt_ucred_label(ucred);
1706 
1707 return_rc:
1708 	if (local_uc) {
1709 		ucred_free(ucred);
1710 	}
1711 	return (rc);
1712 }
1713 
1714 /*
1715  * adt_alloc_event() returns a pointer to allocated memory
1716  *
1717  */
1718 
1719 adt_event_data_t
1720 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id)
1721 {
1722 	struct adt_event_state	*event_state;
1723 	adt_internal_state_t	*session_state;
1724 	adt_event_data_t	*return_event = NULL;
1725 	/*
1726 	 * need to return a valid event pointer even if audit is
1727 	 * off, else the caller will end up either (1) keeping its
1728 	 * own flags for on/off or (2) writing to a NULL pointer.
1729 	 * If auditing is on, the session data must be valid; otherwise
1730 	 * we don't care.
1731 	 */
1732 	if (session_data != NULL) {
1733 		session_state = (adt_internal_state_t *)session_data;
1734 		assert(session_state->as_check == ADT_VALID);
1735 	}
1736 	event_state = calloc(1, sizeof (struct adt_event_state));
1737 	if (event_state == NULL)
1738 		goto return_ptr;
1739 
1740 	event_state->ae_check = ADT_VALID;
1741 
1742 	event_state->ae_event_id = event_id;
1743 	event_state->ae_session = (struct adt_internal_state *)session_data;
1744 
1745 	return_event = (adt_event_data_t *)&(event_state->ae_event_data);
1746 
1747 	/*
1748 	 * preload data so the adt_au_*() functions can detect un-supplied
1749 	 * values (0 and NULL are free via calloc()).
1750 	 */
1751 	adt_preload(event_id, return_event);
1752 
1753 return_ptr:
1754 	return (return_event);
1755 }
1756 
1757 /*
1758  * adt_getXlateTable -- look up translation table address for event id
1759  */
1760 
1761 static struct translation *
1762 adt_getXlateTable(au_event_t event_id)
1763 {
1764 	/* xlate_table is global in adt_xlate.c */
1765 	struct translation	**p_xlate = &xlate_table[0];
1766 	struct translation	*p_event;
1767 
1768 	while (*p_xlate != NULL) {
1769 		p_event = *p_xlate;
1770 		if (event_id == p_event->tx_external_event)
1771 			return (p_event);
1772 		p_xlate++;
1773 	}
1774 	return (NULL);
1775 }
1776 
1777 /*
1778  * adt_calcOffsets
1779  *
1780  * the call to this function is surrounded by a mutex.
1781  *
1782  * i walks down the table picking up next_token.  j walks again to
1783  * calculate the offset to the input data.  k points to the next
1784  * token's row.  Finally, l, is used to sum the values in the
1785  * datadef array.
1786  *
1787  * What's going on?  The entry array is in the order of the input
1788  * fields but the processing of array entries is in the order of
1789  * the output (see next_token).  Calculating the offset to the
1790  * "next" input can't be done in the outer loop (i) since i doesn't
1791  * point to the current entry and it can't be done with the k index
1792  * because it doesn't represent the order of input fields.
1793  *
1794  * While the resulting algorithm is n**2, it is only done once per
1795  * event type.
1796  */
1797 
1798 /*
1799  * adt_calcOffsets is only called once per event type, but it uses
1800  * the address alignment of memory allocated for that event as if it
1801  * were the same for all subsequently allocated memory.  This is
1802  * guaranteed by calloc/malloc.  Arrays take special handling since
1803  * what matters for figuring out the correct alignment is the size
1804  * of the array element.
1805  */
1806 
1807 static void
1808 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data)
1809 {
1810 	int		i, j;
1811 	size_t		this_size, prev_size;
1812 	void		*struct_start = p_data;
1813 
1814 	for (i = 0; i < tablesize; i++) {
1815 		if (p_entry[i].en_type_def == NULL) {
1816 			p_entry[i].en_offset = 0;
1817 			continue;
1818 		}
1819 		prev_size = 0;
1820 		p_entry[i].en_offset = (char *)p_data - (char *)struct_start;
1821 
1822 		for (j = 0; j < p_entry[i].en_count_types; j++) {
1823 			if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG)
1824 				this_size = sizeof (enum adt_generic);
1825 			else
1826 				this_size =
1827 				    p_entry[i].en_type_def[j].dd_input_size;
1828 
1829 			/* adj for first entry */
1830 			if (prev_size == 0)
1831 				prev_size = this_size;
1832 
1833 			if (p_entry[i].en_type_def[j].dd_datatype ==
1834 			    ADT_UINT32ARRAY) {
1835 				p_data = (char *)adt_adjust_address(p_data,
1836 				    prev_size, sizeof (uint32_t)) +
1837 				    this_size - sizeof (uint32_t);
1838 
1839 				prev_size = sizeof (uint32_t);
1840 			} else {
1841 				p_data = adt_adjust_address(p_data, prev_size,
1842 				    this_size);
1843 				prev_size = this_size;
1844 			}
1845 		}
1846 	}
1847 }
1848 
1849 /*
1850  * adt_generate_event
1851  * generate event record from external struct.  The order is based on
1852  * the output tokens, allowing for the possibility that the input data
1853  * is in a different order.
1854  *
1855  */
1856 
1857 static void
1858 adt_generate_event(const adt_event_data_t *p_extdata,
1859     struct adt_event_state *p_event,
1860     struct translation *p_xlate)
1861 {
1862 	struct entry		*p_entry;
1863 	static mutex_t	lock = DEFAULTMUTEX;
1864 
1865 	p_entry = p_xlate->tx_first_entry;
1866 	assert(p_entry != NULL);
1867 
1868 	p_event->ae_internal_id = p_xlate->tx_internal_event;
1869 	adt_token_open(p_event);
1870 
1871 	/*
1872 	 * offsets are not pre-calculated; the initial offsets are all
1873 	 * 0; valid offsets are >= 0.  Offsets for no-input tokens such
1874 	 * as subject are set to -1 by adt_calcOffset()
1875 	 */
1876 	if (p_xlate->tx_offsetsCalculated == 0) {
1877 		(void) _mutex_lock(&lock);
1878 		p_xlate->tx_offsetsCalculated = 1;
1879 
1880 		adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries,
1881 		    (void *)p_extdata);
1882 		(void) _mutex_unlock(&lock);
1883 	}
1884 	while (p_entry != NULL) {
1885 		adt_generate_token(p_entry, (char *)p_extdata,
1886 		    p_event);
1887 
1888 		p_entry = p_entry->en_next_token;
1889 	}
1890 	adt_token_close(p_event);
1891 }
1892 
1893 /*
1894  * adt_put_event -- main event generation function.
1895  * The input "event" is the address of the struct containing
1896  * event-specific data.
1897  *
1898  * However if auditing is off or the session handle
1899  * is NULL, no attempt to write a record is made.
1900  */
1901 
1902 int
1903 adt_put_event(const adt_event_data_t *event, int status, int return_val)
1904 {
1905 	struct adt_event_state	*event_state;
1906 	struct translation	*xlate;
1907 	int			rc = 0;
1908 
1909 	if (event == NULL) {
1910 		errno = EINVAL;
1911 		rc = -1;
1912 		goto return_rc;
1913 	}
1914 	event_state = (struct adt_event_state *)event;
1915 
1916 	/* if audit off or this is a broken session, exit */
1917 	if (auditstate == AUC_DISABLED || (event_state->ae_session == NULL))
1918 		goto return_rc;
1919 
1920 	assert(event_state->ae_check == ADT_VALID);
1921 
1922 	event_state->ae_rc = status;
1923 	event_state->ae_type = return_val;
1924 
1925 	/* look up the event */
1926 
1927 	xlate = adt_getXlateTable(event_state->ae_event_id);
1928 
1929 	if (xlate == NULL) {
1930 		errno = EINVAL;
1931 		rc = -1;
1932 		goto return_rc;
1933 	}
1934 	DPRINTF(("got event %d\n", xlate->tx_internal_event));
1935 
1936 	if (adt_selected(event_state, xlate->tx_internal_event, status))
1937 		adt_generate_event(event, event_state, xlate);
1938 
1939 return_rc:
1940 	return (rc);
1941 }
1942 
1943 /*
1944  * adt_free_event -- invalidate and free
1945  */
1946 
1947 void
1948 adt_free_event(adt_event_data_t *event)
1949 {
1950 	struct adt_event_state	*event_state;
1951 
1952 	if (event == NULL)
1953 		return;
1954 
1955 	event_state = (struct adt_event_state *)event;
1956 
1957 	assert(event_state->ae_check == ADT_VALID);
1958 
1959 	event_state->ae_check = 0;
1960 
1961 	free(event_state);
1962 }
1963 
1964 /*
1965  * adt_is_selected -- helper to adt_selected(), below.
1966  *
1967  * "sorf" is "success or fail" status; au_preselect compares
1968  * that with success, fail, or both.
1969  */
1970 
1971 static int
1972 adt_is_selected(au_event_t e, au_mask_t *m, int sorf)
1973 {
1974 	int prs_sorf;
1975 
1976 	if (sorf == 0)
1977 		prs_sorf = AU_PRS_SUCCESS;
1978 	else
1979 		prs_sorf = AU_PRS_FAILURE;
1980 
1981 	return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD));
1982 }
1983 
1984 /*
1985  * selected -- see if this event is preselected.
1986  *
1987  * if errors are encountered trying to check a preselection mask
1988  * or look up a user name, the event is selected.  Otherwise, the
1989  * preselection mask is used for the job.
1990  */
1991 
1992 static int
1993 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status)
1994 {
1995 	adt_internal_state_t *sp;
1996 	au_mask_t	namask;
1997 
1998 	sp = event->ae_session;
1999 
2000 	if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) {
2001 		adt_write_syslog("No user data available", EINVAL);
2002 		return (1);	/* default is "selected" */
2003 	}
2004 
2005 	/* non-attributable? */
2006 	if ((sp->as_info.ai_auid == AU_NOAUDITID) ||
2007 	    (sp->as_info.ai_auid == ADT_NO_AUDIT)) {
2008 		if (auditon(A_GETKMASK, (caddr_t)&namask,
2009 		    sizeof (namask)) != 0) {
2010 			adt_write_syslog("auditon failure", errno);
2011 			return (1);
2012 		}
2013 		return (adt_is_selected(actual_id, &namask, status));
2014 	} else {
2015 		return (adt_is_selected(actual_id, &(sp->as_info.ai_mask),
2016 		    status));
2017 	}
2018 }
2019