xref: /titanic_52/usr/src/lib/librestart/common/librestart.c (revision 6a1af1a67532df169a657cce07140be64bdea084)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
24  */
25 
26 #include <libintl.h>
27 #include <librestart.h>
28 #include <librestart_priv.h>
29 #include <libscf.h>
30 #include <libscf_priv.h>
31 
32 #include <assert.h>
33 #include <ctype.h>
34 #include <dlfcn.h>
35 #include <errno.h>
36 #include <exec_attr.h>
37 #include <grp.h>
38 #include <libsysevent.h>
39 #include <libuutil.h>
40 #include <limits.h>
41 #include <link.h>
42 #include <malloc.h>
43 #include <pool.h>
44 #include <priv.h>
45 #include <project.h>
46 #include <pthread.h>
47 #include <pwd.h>
48 #include <secdb.h>
49 #include <signal.h>
50 #include <stdlib.h>
51 #include <string.h>
52 #include <syslog.h>
53 #include <sys/corectl.h>
54 #include <sys/machelf.h>
55 #include <sys/task.h>
56 #include <sys/types.h>
57 #include <time.h>
58 #include <unistd.h>
59 #include <ucontext.h>
60 
61 #define	min(a, b)		((a) > (b) ? (b) : (a))
62 
63 #define	MKW_TRUE	":true"
64 #define	MKW_KILL	":kill"
65 #define	MKW_KILL_PROC	":kill_process"
66 
67 #define	ALLOCFAIL	((char *)"Allocation failure.")
68 #define	RCBROKEN	((char *)"Repository connection broken.")
69 
70 #define	MAX_COMMIT_RETRIES		10
71 #define	MAX_COMMIT_RETRY_INT		(5 * 1000000)	/* 5 seconds */
72 #define	INITIAL_COMMIT_RETRY_INT	(10000)		/* 1/100th second */
73 
74 /*
75  * bad_fail() catches bugs in this and lower layers by reporting supposedly
76  * impossible function failures.  The NDEBUG case keeps the strings out of the
77  * library but still calls abort() so we can root-cause from the coredump.
78  */
79 #ifndef NDEBUG
80 #define	bad_fail(func, err)	{					\
81 	(void) fprintf(stderr,						\
82 	    "At %s:%d, %s() failed with unexpected error %d.  Aborting.\n", \
83 	    __FILE__, __LINE__, (func), (err));				\
84 	abort();							\
85 }
86 #else
87 #define	bad_fail(func, err)	abort()
88 #endif
89 
90 struct restarter_event_handle {
91 	char				*reh_restarter_name;
92 	char				*reh_delegate_channel_name;
93 	evchan_t			*reh_delegate_channel;
94 	char				*reh_delegate_subscriber_id;
95 	char				*reh_master_channel_name;
96 	evchan_t			*reh_master_channel;
97 	char				*reh_master_subscriber_id;
98 	int				(*reh_handler)(restarter_event_t *);
99 };
100 
101 struct restarter_event {
102 	sysevent_t			*re_sysevent;
103 	restarter_event_type_t		re_type;
104 	char				*re_instance_name;
105 	restarter_event_handle_t	*re_event_handle;
106 	restarter_instance_state_t	re_state;
107 	restarter_instance_state_t	re_next_state;
108 };
109 
110 /*
111  * Long reasons must all parse/read correctly in the following contexts:
112  *
113  * "A service instance transitioned state: %s."
114  * "A service failed: %s."
115  * "Reason: %s."
116  * "The service transitioned state (%s) and ..."
117  *
118  * With the exception of restart_str_none they must also fit the following
119  * moulds:
120  *
121  * "An instance transitioned because %s, and ..."
122  * "An instance transitioned to <new-state> because %s, and ..."
123  *
124  * Note that whoever is rendering the long message must provide the
125  * terminal punctuation - don't include it here.  Similarly, do not
126  * provide an initial capital letter in reason-long.
127  *
128  * The long reason strings are Volatile - within the grammatical constraints
129  * above we may improve them as need be.  The intention is that a consumer
130  * may blindly render the string along the lines of the above examples,
131  * but has no other guarantees as to the exact wording.  Long reasons
132  * are localized.
133  *
134  * We define revisions of the set of short reason strings in use.  Within
135  * a given revision, all short reasons are Committed.  Consumers must check
136  * the revision in use before relying on the semantics of the short reason
137  * codes - if the version exceeds that which they are familiar with they should
138  * fail gracefully.  Having checked for version compatability, a consumer
139  * is assured that
140  *
141  *	"short_reason_A iff semantic_A", provided:
142  *
143  *		. the restarter uses this short reason code at all,
144  *		. the short reason is not "none" (which a restarter could
145  *		  specifiy for any transition semantics)
146  *
147  * To split/refine such a Committed semantic_A into further cases,
148  * we are required to bump the revision number.  This should be an
149  * infrequent occurence.  If you bump the revision number you may
150  * need to make corresponding changes in any source that calls
151  * restarter_str_version (e.g., FMA event generation).
152  *
153  * To add additional reasons to the set you must also bump the version
154  * number.
155  */
156 
157 /*
158  * The following describes revision 0 of the set of transition reasons.
159  * Read the preceding block comment before making any changes.
160  */
161 static const struct restarter_state_transition_reason restarter_str[] = {
162 	/*
163 	 * Any transition for which the restarter has not provided a reason.
164 	 */
165 	{
166 	    restarter_str_none,
167 	    "none",
168 	    "the restarter gave no reason"
169 	},
170 
171 	/*
172 	 * A transition to maintenance state due to a
173 	 * 'svcadm mark maintenance <fmri>'.  *Not* used if the libscf
174 	 * interface smf_maintain_instance(3SCF) is used to request maintenance.
175 	 */
176 	{
177 	    restarter_str_administrative_request,
178 	    "administrative_request",
179 	    "maintenance was requested by an administrator"
180 	},
181 
182 	/*
183 	 * A transition to maintenance state if a repository inconsistency
184 	 * exists when the service/instance state is first read by startd
185 	 * into the graph engine (this can also happen during startd restart).
186 	 */
187 	{
188 	    restarter_str_bad_repo_state,
189 	    "bad_repo_state",
190 	    "an SMF repository inconsistecy exists"
191 	},
192 
193 	/*
194 	 * A transition 'maintenance -> uninitialized' resulting always
195 	 * from 'svcadm clear <fmri>'.  *Not* used if the libscf interface
196 	 * smf_restore_instance(3SCF) is used.
197 	 */
198 	{
199 	    restarter_str_clear_request,
200 	    "clear_request",
201 	    "maintenance clear was requested by an administrator"
202 	},
203 
204 	/*
205 	 * A transition 'online -> offline' due to a process core dump.
206 	 */
207 	{
208 	    restarter_str_ct_ev_core,
209 	    "ct_ev_core",
210 	    "a process dumped core"
211 	},
212 
213 	/*
214 	 * A transition 'online -> offline' due to an empty process contract,
215 	 * i.e., the last process in a contract type service has exited.
216 	 */
217 	{
218 	    restarter_str_ct_ev_exit,
219 	    "ct_ev_exit",
220 	    "all processes in the service have exited"
221 	},
222 
223 	/*
224 	 * A transition 'online -> offline' due to a hardware error.
225 	 */
226 	{
227 	    restarter_str_ct_ev_hwerr,
228 	    "ct_ev_hwerr",
229 	    "a process was killed due to uncorrectable hardware error"
230 	},
231 
232 	/*
233 	 * A transition 'online -> offline' due to a process in the service
234 	 * having received a fatal signal originating from outside the
235 	 * service process contract.
236 	 */
237 	{
238 	    restarter_str_ct_ev_signal,
239 	    "ct_ev_signal",
240 	    "a process received a fatal signal from outside the service"
241 	},
242 
243 	/*
244 	 * A transition 'offline -> online' when all dependencies for the
245 	 * service have been met.
246 	 */
247 	{
248 	    restarter_str_dependencies_satisfied,
249 	    "dependencies_satisfied",
250 	    "all dependencies have been satisfied"
251 	},
252 
253 	/*
254 	 * A transition 'online -> offline' because some dependency for the
255 	 * service is no-longer met.
256 	 */
257 	{
258 	    restarter_str_dependency_activity,
259 	    "dependency_activity",
260 	    "a dependency activity required a stop"
261 	},
262 
263 	/*
264 	 * A transition to maintenance state due to a cycle in the
265 	 * service dependencies.
266 	 */
267 	{
268 	    restarter_str_dependency_cycle,
269 	    "dependency_cycle",
270 	    "a dependency cycle exists"
271 	},
272 
273 	/*
274 	 * A transition 'online -> offline -> disabled' due to a
275 	 * 'svcadm disable [-t] <fmri>' or smf_disable_instance(3SCF) call.
276 	 */
277 	{
278 	    restarter_str_disable_request,
279 	    "disable_request",
280 	    "a disable was requested"
281 	},
282 
283 	/*
284 	 * A transition 'disabled -> offline' due to a
285 	 * 'svcadm enable [-t] <fmri>' or smf_enable_instance(3SCF) call.
286 	 */
287 	{
288 	    restarter_str_enable_request,
289 	    "enable_request",
290 	    "an enable was requested"
291 	},
292 
293 	/*
294 	 * A transition to maintenance state when a method fails
295 	 * repeatedly for a retryable reason.
296 	 */
297 	{
298 	    restarter_str_fault_threshold_reached,
299 	    "fault_threshold_reached",
300 	    "a method is failing in a retryable manner but too often"
301 	},
302 
303 	/*
304 	 * A transition to uninitialized state when startd reads the service
305 	 * configuration and inserts it into the graph engine.
306 	 */
307 	{
308 	    restarter_str_insert_in_graph,
309 	    "insert_in_graph",
310 	    "the instance was inserted in the graph"
311 	},
312 
313 	/*
314 	 * A transition to maintenance state due to an invalid dependency
315 	 * declared for the service.
316 	 */
317 	{
318 	    restarter_str_invalid_dependency,
319 	    "invalid_dependency",
320 	    "a service has an invalid dependency"
321 	},
322 
323 	/*
324 	 * A transition to maintenance state because the service-declared
325 	 * restarter is invalid.
326 	 */
327 	{
328 	    restarter_str_invalid_restarter,
329 	    "invalid_restarter",
330 	    "the service restarter is invalid"
331 	},
332 
333 	/*
334 	 * A transition to maintenance state because a restarter method
335 	 * exited with one of SMF_EXIT_ERR_CONFIG, SMF_EXIT_ERR_NOSMF,
336 	 * SMF_EXIT_ERR_PERM, or SMF_EXIT_ERR_FATAL.
337 	 */
338 	{
339 	    restarter_str_method_failed,
340 	    "method_failed",
341 	    "a start, stop or refresh method failed"
342 	},
343 
344 	/*
345 	 * A transition 'uninitialized -> {disabled|offline}' after
346 	 * "insert_in_graph" to match the state configured in the
347 	 * repository.
348 	 */
349 	{
350 	    restarter_str_per_configuration,
351 	    "per_configuration",
352 	    "the SMF repository configuration specifies this state"
353 	},
354 
355 	/*
356 	 * Refresh requested - no state change.
357 	 */
358 	{
359 	    restarter_str_refresh,
360 	    NULL,
361 	    "a refresh was requested (no change of state)"
362 	},
363 
364 	/*
365 	 * A transition 'online -> offline -> online' due to a
366 	 * 'svcadm restart <fmri> or equivlaent libscf API call.
367 	 * Both the 'online -> offline' and 'offline -> online' transtions
368 	 * specify this reason.
369 	 */
370 	{
371 	    restarter_str_restart_request,
372 	    "restart_request",
373 	    "a restart was requested"
374 	},
375 
376 	/*
377 	 * A transition to maintenance state because the start method is
378 	 * being executed successfully but too frequently.
379 	 */
380 	{
381 	    restarter_str_restarting_too_quickly,
382 	    "restarting_too_quickly",
383 	    "the instance is restarting too quickly"
384 	},
385 
386 	/*
387 	 * A transition to maintenance state due a service requesting
388 	 * 'svcadm mark maintenance <fmri>' or equivalent libscf API call.
389 	 * A command line 'svcadm mark maintenance <fmri>' does not produce
390 	 * this reason - it produces administrative_request instead.
391 	 */
392 	{
393 	    restarter_str_service_request,
394 	    "service_request",
395 	    "maintenance was requested by another service"
396 	},
397 
398 	/*
399 	 * An instanced inserted into the graph at its existing state
400 	 * during a startd restart - no state change.
401 	 */
402 	{
403 	    restarter_str_startd_restart,
404 	    NULL,
405 	    "the instance was inserted in the graph due to startd restart"
406 	}
407 };
408 
409 uint32_t
410 restarter_str_version(void)
411 {
412 	return (RESTARTER_STRING_VERSION);
413 }
414 
415 const char *
416 restarter_get_str_short(restarter_str_t key)
417 {
418 	int i;
419 	for (i = 0; i < sizeof (restarter_str) /
420 	    sizeof (struct restarter_state_transition_reason); i++)
421 		if (key == restarter_str[i].str_key)
422 			return (restarter_str[i].str_short);
423 	return (NULL);
424 }
425 
426 const char *
427 restarter_get_str_long(restarter_str_t key)
428 {
429 	int i;
430 	for (i = 0; i < sizeof (restarter_str) /
431 	    sizeof (struct restarter_state_transition_reason); i++)
432 		if (key == restarter_str[i].str_key)
433 			return (dgettext(TEXT_DOMAIN,
434 			    restarter_str[i].str_long));
435 	return (NULL);
436 }
437 
438 /*
439  * A static no memory error message mc_error_t structure
440  * to be used in cases when memory errors are to be returned
441  * This avoids the need to attempt to allocate memory for the
442  * message, therefore getting into a cycle of no memory failures.
443  */
444 mc_error_t mc_nomem_err = {
445 	0, ENOMEM, sizeof ("Out of memory") - 1, "Out of memory"
446 };
447 
448 static const char * const allocfail = "Allocation failure.\n";
449 static const char * const rcbroken = "Repository connection broken.\n";
450 
451 static int method_context_safety = 0;	/* Can safely call pools/projects. */
452 
453 int ndebug = 1;
454 
455 /* PRINTFLIKE3 */
456 static mc_error_t *
457 mc_error_create(mc_error_t *e, int type, const char *format, ...)
458 {
459 	mc_error_t	*le;
460 	va_list		args;
461 	int		size;
462 
463 	/*
464 	 * If the type is ENOMEM and format is NULL, then
465 	 * go ahead and return the default nomem error.
466 	 * Otherwise, attempt to allocate the memory and if
467 	 * that fails then there is no reason to continue.
468 	 */
469 	if (type == ENOMEM && format == NULL)
470 		return (&mc_nomem_err);
471 
472 	if (e == NULL && (le = malloc(sizeof (mc_error_t))) == NULL)
473 		return (&mc_nomem_err);
474 	else
475 		le = e;
476 
477 	le->type = type;
478 	le->destroy = 1;
479 	va_start(args, format);
480 	size = vsnprintf(NULL, 0, format, args) + 1;
481 	if (size >= RESTARTER_ERRMSGSZ) {
482 		if ((le = realloc(e, sizeof (mc_error_t) +
483 		    (size - RESTARTER_ERRMSGSZ))) == NULL) {
484 			size = RESTARTER_ERRMSGSZ - 1;
485 			le = e;
486 		}
487 	}
488 
489 	le->size = size;
490 	(void) vsnprintf(le->msg, le->size, format, args);
491 	va_end(args);
492 
493 	return (le);
494 }
495 
496 void
497 restarter_mc_error_destroy(mc_error_t *mc_err)
498 {
499 	if (mc_err == NULL)
500 		return;
501 
502 	/*
503 	 * If the error messages was allocated then free.
504 	 */
505 	if (mc_err->destroy) {
506 		free(mc_err);
507 	}
508 }
509 
510 static void
511 free_restarter_event_handle(struct restarter_event_handle *h)
512 {
513 	if (h == NULL)
514 		return;
515 
516 	/*
517 	 * Just free the memory -- don't unbind the sysevent handle,
518 	 * as otherwise events may be lost if this is just a restarter
519 	 * restart.
520 	 */
521 
522 	if (h->reh_restarter_name != NULL)
523 		free(h->reh_restarter_name);
524 	if (h->reh_delegate_channel_name != NULL)
525 		free(h->reh_delegate_channel_name);
526 	if (h->reh_delegate_subscriber_id != NULL)
527 		free(h->reh_delegate_subscriber_id);
528 	if (h->reh_master_channel_name != NULL)
529 		free(h->reh_master_channel_name);
530 	if (h->reh_master_subscriber_id != NULL)
531 		free(h->reh_master_subscriber_id);
532 
533 	free(h);
534 }
535 
536 char *
537 _restarter_get_channel_name(const char *fmri, int type)
538 {
539 	char *name;
540 	char *chan_name = malloc(MAX_CHNAME_LEN);
541 	char prefix_name[3];
542 	int i;
543 
544 	if (chan_name == NULL)
545 		return (NULL);
546 
547 	if (type == RESTARTER_CHANNEL_DELEGATE)
548 		(void) strcpy(prefix_name, "d_");
549 	else if (type == RESTARTER_CHANNEL_MASTER)
550 		(void) strcpy(prefix_name, "m_");
551 	else {
552 		free(chan_name);
553 		return (NULL);
554 	}
555 
556 	/*
557 	 * Create a unique name
558 	 *
559 	 * Use the entire name, using a replacement of the /
560 	 * characters to get a better name.
561 	 *
562 	 * Remove the svc:/ from the beginning as this really
563 	 * isn't going to provide any uniqueness...
564 	 *
565 	 * An fmri name greater than MAX_CHNAME_LEN is going
566 	 * to be rejected as too long for the chan_name below
567 	 * in the snprintf call.
568 	 */
569 	if ((name = strdup(strchr(fmri, '/') + 1)) == NULL) {
570 		free(chan_name);
571 		return (NULL);
572 	}
573 	i = 0;
574 	while (name[i]) {
575 		if (name[i] == '/') {
576 			name[i] = '_';
577 		}
578 
579 		i++;
580 	}
581 
582 	/*
583 	 * Should check for [a-z],[A-Z],[0-9],.,_,-,:
584 	 */
585 
586 	if (snprintf(chan_name, MAX_CHNAME_LEN, "com.sun:scf:%s%s",
587 	    prefix_name, name) > MAX_CHNAME_LEN) {
588 		free(chan_name);
589 		chan_name = NULL;
590 	}
591 
592 	free(name);
593 	return (chan_name);
594 }
595 
596 int
597 cb(sysevent_t *syse, void *cookie)
598 {
599 	restarter_event_handle_t *h = (restarter_event_handle_t *)cookie;
600 	restarter_event_t *e;
601 	nvlist_t *attr_list = NULL;
602 	int ret = 0;
603 
604 	e = uu_zalloc(sizeof (restarter_event_t));
605 	if (e == NULL)
606 		uu_die(allocfail);
607 	e->re_event_handle = h;
608 	e->re_sysevent = syse;
609 
610 	if (sysevent_get_attr_list(syse, &attr_list) != 0)
611 		uu_die(allocfail);
612 
613 	if ((nvlist_lookup_uint32(attr_list, RESTARTER_NAME_TYPE,
614 	    &(e->re_type)) != 0) ||
615 	    (nvlist_lookup_string(attr_list,
616 	    RESTARTER_NAME_INSTANCE, &(e->re_instance_name)) != 0)) {
617 		uu_warn("%s: Can't decode nvlist for event %p\n",
618 		    h->reh_restarter_name, (void *)syse);
619 
620 		ret = 0;
621 	} else {
622 		ret = h->reh_handler(e);
623 	}
624 
625 	uu_free(e);
626 	nvlist_free(attr_list);
627 	return (ret);
628 }
629 
630 /*
631  * restarter_bind_handle(uint32_t, char *, int (*)(restarter_event_t *), int,
632  *     restarter_event_handle_t **)
633  *
634  * Bind to a delegated restarter event channel.
635  * Each delegated restarter gets its own channel for resource management.
636  *
637  * Returns 0 on success or
638  *   ENOTSUP	version mismatch
639  *   EINVAL	restarter_name or event_handle is NULL
640  *   ENOMEM	out of memory, too many channels, or too many subscriptions
641  *   EBUSY	sysevent_evc_bind() could not establish binding
642  *   EFAULT	internal sysevent_evc_bind()/sysevent_evc_subscribe() error
643  *   EMFILE	out of file descriptors
644  *   EPERM	insufficient privilege for sysevent_evc_bind()
645  *   EEXIST	already subscribed
646  */
647 int
648 restarter_bind_handle(uint32_t version, const char *restarter_name,
649     int (*event_handler)(restarter_event_t *), int flags,
650     restarter_event_handle_t **rehp)
651 {
652 	restarter_event_handle_t *h;
653 	size_t sz;
654 	int err;
655 
656 	if (version != RESTARTER_EVENT_VERSION)
657 		return (ENOTSUP);
658 
659 	if (restarter_name == NULL || event_handler == NULL)
660 		return (EINVAL);
661 
662 	if (flags & RESTARTER_FLAG_DEBUG)
663 		ndebug++;
664 
665 	if ((h = uu_zalloc(sizeof (restarter_event_handle_t))) == NULL)
666 		return (ENOMEM);
667 
668 	h->reh_delegate_subscriber_id = malloc(MAX_SUBID_LEN);
669 	h->reh_master_subscriber_id = malloc(MAX_SUBID_LEN);
670 	h->reh_restarter_name = strdup(restarter_name);
671 	if (h->reh_delegate_subscriber_id == NULL ||
672 	    h->reh_master_subscriber_id == NULL ||
673 	    h->reh_restarter_name == NULL) {
674 		free_restarter_event_handle(h);
675 		return (ENOMEM);
676 	}
677 
678 	sz = strlcpy(h->reh_delegate_subscriber_id, "del", MAX_SUBID_LEN);
679 	assert(sz < MAX_SUBID_LEN);
680 	sz = strlcpy(h->reh_master_subscriber_id, "master", MAX_SUBID_LEN);
681 	assert(sz < MAX_SUBID_LEN);
682 
683 	h->reh_delegate_channel_name =
684 	    _restarter_get_channel_name(restarter_name,
685 	    RESTARTER_CHANNEL_DELEGATE);
686 	h->reh_master_channel_name =
687 	    _restarter_get_channel_name(restarter_name,
688 	    RESTARTER_CHANNEL_MASTER);
689 
690 	if (h->reh_delegate_channel_name == NULL ||
691 	    h->reh_master_channel_name == NULL) {
692 		free_restarter_event_handle(h);
693 		return (ENOMEM);
694 	}
695 
696 	if (sysevent_evc_bind(h->reh_delegate_channel_name,
697 	    &h->reh_delegate_channel, EVCH_CREAT|EVCH_HOLD_PEND) != 0) {
698 		err = errno;
699 		assert(err != EINVAL);
700 		assert(err != ENOENT);
701 		free_restarter_event_handle(h);
702 		return (err);
703 	}
704 
705 	if (sysevent_evc_bind(h->reh_master_channel_name,
706 	    &h->reh_master_channel, EVCH_CREAT|EVCH_HOLD_PEND) != 0) {
707 		err = errno;
708 		assert(err != EINVAL);
709 		assert(err != ENOENT);
710 		free_restarter_event_handle(h);
711 		return (err);
712 	}
713 
714 	h->reh_handler = event_handler;
715 
716 	assert(strlen(restarter_name) <= MAX_CLASS_LEN - 1);
717 	assert(strlen(h->reh_delegate_subscriber_id) <= MAX_SUBID_LEN - 1);
718 	assert(strlen(h->reh_master_subscriber_id) <= MAX_SUBID_LEN - 1);
719 
720 	if (sysevent_evc_subscribe(h->reh_delegate_channel,
721 	    h->reh_delegate_subscriber_id, EC_ALL, cb, h, EVCH_SUB_KEEP) != 0) {
722 		err = errno;
723 		assert(err != EINVAL);
724 		free_restarter_event_handle(h);
725 		return (err);
726 	}
727 
728 	*rehp = h;
729 	return (0);
730 }
731 
732 restarter_event_handle_t *
733 restarter_event_get_handle(restarter_event_t *e)
734 {
735 	assert(e != NULL && e->re_event_handle != NULL);
736 	return (e->re_event_handle);
737 }
738 
739 restarter_event_type_t
740 restarter_event_get_type(restarter_event_t *e)
741 {
742 	assert(e != NULL);
743 	return (e->re_type);
744 }
745 
746 ssize_t
747 restarter_event_get_instance(restarter_event_t *e, char *inst, size_t sz)
748 {
749 	assert(e != NULL && inst != NULL);
750 	return ((ssize_t)strlcpy(inst, e->re_instance_name, sz));
751 }
752 
753 int
754 restarter_event_get_current_states(restarter_event_t *e,
755     restarter_instance_state_t *state, restarter_instance_state_t *next_state)
756 {
757 	if (e == NULL)
758 		return (-1);
759 	*state = e->re_state;
760 	*next_state = e->re_next_state;
761 	return (0);
762 }
763 
764 /*
765  * restarter_event_publish_retry() is a wrapper around sysevent_evc_publish().
766  * In case, the event cannot be sent at the first attempt (sysevent_evc_publish
767  * returned EAGAIN - sysevent queue full), this function retries a few time
768  * and return ENOSPC if it reaches the retry limit.
769  *
770  * The arguments to this function map the arguments of sysevent_evc_publish().
771  *
772  * On success, return 0. On error, return
773  *
774  *   EFAULT - internal sysevent_evc_publish() error
775  *   ENOMEM - internal sysevent_evc_publish() error
776  *   EBADF - scp is invalid (sysevent_evc_publish() returned EINVAL)
777  *   ENOSPC - sysevent queue full (sysevent_evc_publish() returned EAGAIN)
778  */
779 int
780 restarter_event_publish_retry(evchan_t *scp, const char *class,
781     const char *subclass, const char *vendor, const char *pub_name,
782     nvlist_t *attr_list, uint32_t flags)
783 {
784 	int retries, ret;
785 	useconds_t retry_int = INITIAL_COMMIT_RETRY_INT;
786 
787 	for (retries = 0; retries < MAX_COMMIT_RETRIES; retries++) {
788 		ret = sysevent_evc_publish(scp, class, subclass, vendor,
789 		    pub_name, attr_list, flags);
790 		if (ret == 0)
791 			break;
792 
793 		switch (ret) {
794 		case EAGAIN:
795 			/* Queue is full */
796 			(void) usleep(retry_int);
797 
798 			retry_int = min(retry_int * 2, MAX_COMMIT_RETRY_INT);
799 			break;
800 
801 		case EINVAL:
802 			ret = EBADF;
803 			/* FALLTHROUGH */
804 
805 		case EFAULT:
806 		case ENOMEM:
807 			return (ret);
808 
809 		case EOVERFLOW:
810 		default:
811 			/* internal error - abort */
812 			bad_fail("sysevent_evc_publish", ret);
813 		}
814 	}
815 
816 	if (retries == MAX_COMMIT_RETRIES)
817 		ret = ENOSPC;
818 
819 	return (ret);
820 }
821 
822 /*
823  * Commit the state, next state, and auxiliary state into the repository.
824  * Let the graph engine know about the state change and error.  On success,
825  * return 0. On error, return
826  *   EPROTO - librestart compiled against different libscf
827  *   ENOMEM - out of memory
828  *	    - repository server out of resources
829  *   ENOTACTIVE - repository server not running
830  *   ECONNABORTED - repository connection established, but then broken
831  *		  - unknown libscf error
832  *   ENOENT - inst does not exist in the repository
833  *   EPERM - insufficient permissions
834  *   EACCESS - backend access denied
835  *   EROFS - backend is readonly
836  *   EFAULT - internal sysevent_evc_publish() error
837  *   EBADF - h is invalid (sysevent_evc_publish() returned EINVAL)
838  *   ENOSPC - sysevent queue full (sysevent_evc_publish() returned EAGAIN)
839  */
840 int
841 restarter_set_states(restarter_event_handle_t *h, const char *inst,
842     restarter_instance_state_t cur_state,
843     restarter_instance_state_t new_cur_state,
844     restarter_instance_state_t next_state,
845     restarter_instance_state_t new_next_state, restarter_error_t e,
846     restarter_str_t aux)
847 {
848 	nvlist_t *attr;
849 	scf_handle_t *scf_h;
850 	instance_data_t id;
851 	int ret = 0;
852 	const char *p = restarter_get_str_short(aux);
853 
854 	assert(h->reh_master_channel != NULL);
855 	assert(h->reh_master_channel_name != NULL);
856 	assert(h->reh_master_subscriber_id != NULL);
857 
858 	if ((scf_h = scf_handle_create(SCF_VERSION)) == NULL) {
859 		switch (scf_error()) {
860 		case SCF_ERROR_VERSION_MISMATCH:
861 			return (EPROTO);
862 
863 		case SCF_ERROR_NO_MEMORY:
864 			return (ENOMEM);
865 
866 		default:
867 			bad_fail("scf_handle_create", scf_error());
868 		}
869 	}
870 
871 	if (scf_handle_bind(scf_h) == -1) {
872 		scf_handle_destroy(scf_h);
873 		switch (scf_error()) {
874 		case SCF_ERROR_NO_SERVER:
875 			return (ENOTACTIVE);
876 
877 		case SCF_ERROR_NO_RESOURCES:
878 			return (ENOMEM);
879 
880 		case SCF_ERROR_INVALID_ARGUMENT:
881 		case SCF_ERROR_IN_USE:
882 		default:
883 			bad_fail("scf_handle_bind", scf_error());
884 		}
885 	}
886 
887 	if (nvlist_alloc(&attr, NV_UNIQUE_NAME, 0) != 0 ||
888 	    nvlist_add_int32(attr, RESTARTER_NAME_STATE, new_cur_state) != 0 ||
889 	    nvlist_add_int32(attr, RESTARTER_NAME_NEXT_STATE, new_next_state)
890 	    != 0 ||
891 	    nvlist_add_int32(attr, RESTARTER_NAME_ERROR, e) != 0 ||
892 	    nvlist_add_string(attr, RESTARTER_NAME_INSTANCE, inst) != 0 ||
893 	    nvlist_add_int32(attr, RESTARTER_NAME_REASON, aux) != 0) {
894 		ret = ENOMEM;
895 	} else {
896 		id.i_fmri = inst;
897 		id.i_state = cur_state;
898 		id.i_next_state = next_state;
899 
900 		ret = _restarter_commit_states(scf_h, &id, new_cur_state,
901 		    new_next_state, p);
902 
903 		if (ret == 0) {
904 			ret = restarter_event_publish_retry(
905 			    h->reh_master_channel, "master", "state_change",
906 			    "com.sun", "librestart", attr, EVCH_NOSLEEP);
907 		}
908 	}
909 
910 	nvlist_free(attr);
911 	(void) scf_handle_unbind(scf_h);
912 	scf_handle_destroy(scf_h);
913 
914 	return (ret);
915 }
916 
917 restarter_instance_state_t
918 restarter_string_to_state(char *string)
919 {
920 	assert(string != NULL);
921 
922 	if (strcmp(string, SCF_STATE_STRING_NONE) == 0)
923 		return (RESTARTER_STATE_NONE);
924 	else if (strcmp(string, SCF_STATE_STRING_UNINIT) == 0)
925 		return (RESTARTER_STATE_UNINIT);
926 	else if (strcmp(string, SCF_STATE_STRING_MAINT) == 0)
927 		return (RESTARTER_STATE_MAINT);
928 	else if (strcmp(string, SCF_STATE_STRING_OFFLINE) == 0)
929 		return (RESTARTER_STATE_OFFLINE);
930 	else if (strcmp(string, SCF_STATE_STRING_DISABLED) == 0)
931 		return (RESTARTER_STATE_DISABLED);
932 	else if (strcmp(string, SCF_STATE_STRING_ONLINE) == 0)
933 		return (RESTARTER_STATE_ONLINE);
934 	else if (strcmp(string, SCF_STATE_STRING_DEGRADED) == 0)
935 		return (RESTARTER_STATE_DEGRADED);
936 	else {
937 		return (RESTARTER_STATE_NONE);
938 	}
939 }
940 
941 ssize_t
942 restarter_state_to_string(restarter_instance_state_t state, char *string,
943     size_t len)
944 {
945 	assert(string != NULL);
946 
947 	if (state == RESTARTER_STATE_NONE)
948 		return ((ssize_t)strlcpy(string, SCF_STATE_STRING_NONE, len));
949 	else if (state == RESTARTER_STATE_UNINIT)
950 		return ((ssize_t)strlcpy(string, SCF_STATE_STRING_UNINIT, len));
951 	else if (state == RESTARTER_STATE_MAINT)
952 		return ((ssize_t)strlcpy(string, SCF_STATE_STRING_MAINT, len));
953 	else if (state == RESTARTER_STATE_OFFLINE)
954 		return ((ssize_t)strlcpy(string, SCF_STATE_STRING_OFFLINE,
955 		    len));
956 	else if (state == RESTARTER_STATE_DISABLED)
957 		return ((ssize_t)strlcpy(string, SCF_STATE_STRING_DISABLED,
958 		    len));
959 	else if (state == RESTARTER_STATE_ONLINE)
960 		return ((ssize_t)strlcpy(string, SCF_STATE_STRING_ONLINE, len));
961 	else if (state == RESTARTER_STATE_DEGRADED)
962 		return ((ssize_t)strlcpy(string, SCF_STATE_STRING_DEGRADED,
963 		    len));
964 	else
965 		return ((ssize_t)strlcpy(string, "unknown", len));
966 }
967 
968 /*
969  * Sets pg to the name property group of s_inst.  If it doesn't exist, it is
970  * added.
971  *
972  * Fails with
973  *   ECONNABORTED - repository disconnection or unknown libscf error
974  *   EBADF - inst is not set
975  *   ECANCELED - inst is deleted
976  *   EPERM - permission is denied
977  *   EACCES - backend denied access
978  *   EROFS - backend readonly
979  */
980 static int
981 instance_get_or_add_pg(scf_instance_t *inst, const char *name,
982     const char *type, uint32_t flags, scf_propertygroup_t *pg)
983 {
984 again:
985 	if (scf_instance_get_pg(inst, name, pg) == 0)
986 		return (0);
987 
988 	switch (scf_error()) {
989 	case SCF_ERROR_CONNECTION_BROKEN:
990 	default:
991 		return (ECONNABORTED);
992 
993 	case SCF_ERROR_NOT_SET:
994 		return (EBADF);
995 
996 	case SCF_ERROR_DELETED:
997 		return (ECANCELED);
998 
999 	case SCF_ERROR_NOT_FOUND:
1000 		break;
1001 
1002 	case SCF_ERROR_HANDLE_MISMATCH:
1003 	case SCF_ERROR_INVALID_ARGUMENT:
1004 		bad_fail("scf_instance_get_pg", scf_error());
1005 	}
1006 
1007 	if (scf_instance_add_pg(inst, name, type, flags, pg) == 0)
1008 		return (0);
1009 
1010 	switch (scf_error()) {
1011 	case SCF_ERROR_CONNECTION_BROKEN:
1012 	default:
1013 		return (ECONNABORTED);
1014 
1015 	case SCF_ERROR_DELETED:
1016 		return (ECANCELED);
1017 
1018 	case SCF_ERROR_EXISTS:
1019 		goto again;
1020 
1021 	case SCF_ERROR_PERMISSION_DENIED:
1022 		return (EPERM);
1023 
1024 	case SCF_ERROR_BACKEND_ACCESS:
1025 		return (EACCES);
1026 
1027 	case SCF_ERROR_BACKEND_READONLY:
1028 		return (EROFS);
1029 
1030 	case SCF_ERROR_HANDLE_MISMATCH:
1031 	case SCF_ERROR_INVALID_ARGUMENT:
1032 	case SCF_ERROR_NOT_SET:			/* should be caught above */
1033 		bad_fail("scf_instance_add_pg", scf_error());
1034 	}
1035 
1036 	return (0);
1037 }
1038 
1039 /*
1040  * Fails with
1041  *   ECONNABORTED
1042  *   ECANCELED - pg was deleted
1043  */
1044 static int
1045 tx_set_value(scf_transaction_t *tx, scf_transaction_entry_t *ent,
1046     const char *pname, scf_type_t ty, scf_value_t *val)
1047 {
1048 	int r;
1049 
1050 	for (;;) {
1051 		if (scf_transaction_property_change_type(tx, ent, pname,
1052 		    ty) == 0)
1053 			break;
1054 
1055 		switch (scf_error()) {
1056 		case SCF_ERROR_CONNECTION_BROKEN:
1057 		default:
1058 			return (ECONNABORTED);
1059 
1060 		case SCF_ERROR_DELETED:
1061 			return (ECANCELED);
1062 
1063 		case SCF_ERROR_NOT_FOUND:
1064 			break;
1065 
1066 		case SCF_ERROR_HANDLE_MISMATCH:
1067 		case SCF_ERROR_INVALID_ARGUMENT:
1068 		case SCF_ERROR_IN_USE:
1069 		case SCF_ERROR_NOT_SET:
1070 			bad_fail("scf_transaction_property_change_type",
1071 			    scf_error());
1072 		}
1073 
1074 		if (scf_transaction_property_new(tx, ent, pname, ty) == 0)
1075 			break;
1076 
1077 		switch (scf_error()) {
1078 		case SCF_ERROR_CONNECTION_BROKEN:
1079 		default:
1080 			return (ECONNABORTED);
1081 
1082 		case SCF_ERROR_DELETED:
1083 			return (ECANCELED);
1084 
1085 		case SCF_ERROR_EXISTS:
1086 			break;
1087 
1088 		case SCF_ERROR_HANDLE_MISMATCH:
1089 		case SCF_ERROR_INVALID_ARGUMENT:
1090 		case SCF_ERROR_IN_USE:
1091 		case SCF_ERROR_NOT_SET:
1092 			bad_fail("scf_transaction_property_new", scf_error());
1093 		}
1094 	}
1095 
1096 	r = scf_entry_add_value(ent, val);
1097 	assert(r == 0);
1098 
1099 	return (0);
1100 }
1101 
1102 /*
1103  * Commit new_state, new_next_state, and aux to the repository for id.  If
1104  * successful, also set id's state and next-state as given, and return 0.
1105  * Fails with
1106  *   ENOMEM - out of memory
1107  *   ECONNABORTED - repository connection broken
1108  *		  - unknown libscf error
1109  *   EINVAL - id->i_fmri is invalid or not an instance FMRI
1110  *   ENOENT - id->i_fmri does not exist
1111  *   EPERM - insufficient permissions
1112  *   EACCES - backend access denied
1113  *   EROFS - backend is readonly
1114  */
1115 int
1116 _restarter_commit_states(scf_handle_t *h, instance_data_t *id,
1117     restarter_instance_state_t new_state,
1118     restarter_instance_state_t new_state_next, const char *aux)
1119 {
1120 	char str_state[MAX_SCF_STATE_STRING_SZ];
1121 	char str_new_state[MAX_SCF_STATE_STRING_SZ];
1122 	char str_state_next[MAX_SCF_STATE_STRING_SZ];
1123 	char str_new_state_next[MAX_SCF_STATE_STRING_SZ];
1124 	int ret = 0, r;
1125 	struct timeval now;
1126 	ssize_t sz;
1127 
1128 	scf_transaction_t *t = NULL;
1129 	scf_transaction_entry_t *t_state = NULL, *t_state_next = NULL;
1130 	scf_transaction_entry_t *t_stime = NULL, *t_aux = NULL;
1131 	scf_value_t *v_state = NULL, *v_state_next = NULL, *v_stime = NULL;
1132 	scf_value_t *v_aux = NULL;
1133 	scf_instance_t *s_inst = NULL;
1134 	scf_propertygroup_t *pg = NULL;
1135 
1136 	assert(new_state != RESTARTER_STATE_NONE);
1137 
1138 	if ((s_inst = scf_instance_create(h)) == NULL ||
1139 	    (pg = scf_pg_create(h)) == NULL ||
1140 	    (t = scf_transaction_create(h)) == NULL ||
1141 	    (t_state = scf_entry_create(h)) == NULL ||
1142 	    (t_state_next = scf_entry_create(h)) == NULL ||
1143 	    (t_stime = scf_entry_create(h)) == NULL ||
1144 	    (t_aux = scf_entry_create(h)) == NULL ||
1145 	    (v_state = scf_value_create(h)) == NULL ||
1146 	    (v_state_next = scf_value_create(h)) == NULL ||
1147 	    (v_stime = scf_value_create(h)) == NULL ||
1148 	    (v_aux = scf_value_create(h)) == NULL) {
1149 		ret = ENOMEM;
1150 		goto out;
1151 	}
1152 
1153 	sz = restarter_state_to_string(new_state, str_new_state,
1154 	    sizeof (str_new_state));
1155 	assert(sz < sizeof (str_new_state));
1156 	sz = restarter_state_to_string(new_state_next, str_new_state_next,
1157 	    sizeof (str_new_state_next));
1158 	assert(sz < sizeof (str_new_state_next));
1159 	sz = restarter_state_to_string(id->i_state, str_state,
1160 	    sizeof (str_state));
1161 	assert(sz < sizeof (str_state));
1162 	sz = restarter_state_to_string(id->i_next_state, str_state_next,
1163 	    sizeof (str_state_next));
1164 	assert(sz < sizeof (str_state_next));
1165 
1166 	ret = gettimeofday(&now, NULL);
1167 	assert(ret != -1);
1168 
1169 	if (scf_handle_decode_fmri(h, id->i_fmri, NULL, NULL, s_inst,
1170 	    NULL, NULL, SCF_DECODE_FMRI_EXACT) == -1) {
1171 		switch (scf_error()) {
1172 		case SCF_ERROR_CONNECTION_BROKEN:
1173 		default:
1174 			ret = ECONNABORTED;
1175 			break;
1176 
1177 		case SCF_ERROR_INVALID_ARGUMENT:
1178 		case SCF_ERROR_CONSTRAINT_VIOLATED:
1179 			ret = EINVAL;
1180 			break;
1181 
1182 		case SCF_ERROR_NOT_FOUND:
1183 			ret = ENOENT;
1184 			break;
1185 
1186 		case SCF_ERROR_HANDLE_MISMATCH:
1187 			bad_fail("scf_handle_decode_fmri", scf_error());
1188 		}
1189 		goto out;
1190 	}
1191 
1192 
1193 	if (scf_value_set_astring(v_state, str_new_state) != 0 ||
1194 	    scf_value_set_astring(v_state_next, str_new_state_next) != 0)
1195 		bad_fail("scf_value_set_astring", scf_error());
1196 
1197 	if (aux) {
1198 		if (scf_value_set_astring(v_aux, aux) != 0)
1199 			bad_fail("scf_value_set_astring", scf_error());
1200 	}
1201 
1202 	if (scf_value_set_time(v_stime, now.tv_sec, now.tv_usec * 1000) != 0)
1203 		bad_fail("scf_value_set_time", scf_error());
1204 
1205 add_pg:
1206 	switch (r = instance_get_or_add_pg(s_inst, SCF_PG_RESTARTER,
1207 	    SCF_PG_RESTARTER_TYPE, SCF_PG_RESTARTER_FLAGS, pg)) {
1208 	case 0:
1209 		break;
1210 
1211 	case ECONNABORTED:
1212 	case EPERM:
1213 	case EACCES:
1214 	case EROFS:
1215 		ret = r;
1216 		goto out;
1217 
1218 	case ECANCELED:
1219 		ret = ENOENT;
1220 		goto out;
1221 
1222 	case EBADF:
1223 	default:
1224 		bad_fail("instance_get_or_add_pg", r);
1225 	}
1226 
1227 	for (;;) {
1228 		if (scf_transaction_start(t, pg) != 0) {
1229 			switch (scf_error()) {
1230 			case SCF_ERROR_CONNECTION_BROKEN:
1231 			default:
1232 				ret = ECONNABORTED;
1233 				goto out;
1234 
1235 			case SCF_ERROR_NOT_SET:
1236 				goto add_pg;
1237 
1238 			case SCF_ERROR_PERMISSION_DENIED:
1239 				ret = EPERM;
1240 				goto out;
1241 
1242 			case SCF_ERROR_BACKEND_ACCESS:
1243 				ret = EACCES;
1244 				goto out;
1245 
1246 			case SCF_ERROR_BACKEND_READONLY:
1247 				ret = EROFS;
1248 				goto out;
1249 
1250 			case SCF_ERROR_HANDLE_MISMATCH:
1251 			case SCF_ERROR_IN_USE:
1252 				bad_fail("scf_transaction_start", scf_error());
1253 			}
1254 		}
1255 
1256 		if ((r = tx_set_value(t, t_state, SCF_PROPERTY_STATE,
1257 		    SCF_TYPE_ASTRING, v_state)) != 0 ||
1258 		    (r = tx_set_value(t, t_state_next, SCF_PROPERTY_NEXT_STATE,
1259 		    SCF_TYPE_ASTRING, v_state_next)) != 0 ||
1260 		    (r = tx_set_value(t, t_stime, SCF_PROPERTY_STATE_TIMESTAMP,
1261 		    SCF_TYPE_TIME, v_stime)) != 0) {
1262 			switch (r) {
1263 			case ECONNABORTED:
1264 				ret = ECONNABORTED;
1265 				goto out;
1266 
1267 			case ECANCELED:
1268 				scf_transaction_reset(t);
1269 				goto add_pg;
1270 
1271 			default:
1272 				bad_fail("tx_set_value", r);
1273 			}
1274 		}
1275 
1276 		if (aux) {
1277 			if ((r = tx_set_value(t, t_aux, SCF_PROPERTY_AUX_STATE,
1278 			    SCF_TYPE_ASTRING, v_aux)) != 0) {
1279 				switch (r) {
1280 				case ECONNABORTED:
1281 					ret = ECONNABORTED;
1282 					goto out;
1283 
1284 				case ECANCELED:
1285 					scf_transaction_reset(t);
1286 					goto add_pg;
1287 
1288 				default:
1289 					bad_fail("tx_set_value", r);
1290 				}
1291 			}
1292 		}
1293 
1294 		ret = scf_transaction_commit(t);
1295 		if (ret == 1)
1296 			break;
1297 		if (ret == -1) {
1298 			switch (scf_error()) {
1299 			case SCF_ERROR_CONNECTION_BROKEN:
1300 			default:
1301 				ret = ECONNABORTED;
1302 				goto out;
1303 
1304 			case SCF_ERROR_PERMISSION_DENIED:
1305 				ret = EPERM;
1306 				goto out;
1307 
1308 			case SCF_ERROR_BACKEND_ACCESS:
1309 				ret = EACCES;
1310 				goto out;
1311 
1312 			case SCF_ERROR_BACKEND_READONLY:
1313 				ret = EROFS;
1314 				goto out;
1315 
1316 			case SCF_ERROR_NOT_SET:
1317 				bad_fail("scf_transaction_commit", scf_error());
1318 			}
1319 		}
1320 
1321 		scf_transaction_reset(t);
1322 		if (scf_pg_update(pg) == -1) {
1323 			switch (scf_error()) {
1324 			case SCF_ERROR_CONNECTION_BROKEN:
1325 			default:
1326 				ret = ECONNABORTED;
1327 				goto out;
1328 
1329 			case SCF_ERROR_NOT_SET:
1330 				goto add_pg;
1331 			}
1332 		}
1333 	}
1334 
1335 	id->i_state = new_state;
1336 	id->i_next_state = new_state_next;
1337 	ret = 0;
1338 
1339 out:
1340 	scf_transaction_destroy(t);
1341 	scf_entry_destroy(t_state);
1342 	scf_entry_destroy(t_state_next);
1343 	scf_entry_destroy(t_stime);
1344 	scf_entry_destroy(t_aux);
1345 	scf_value_destroy(v_state);
1346 	scf_value_destroy(v_state_next);
1347 	scf_value_destroy(v_stime);
1348 	scf_value_destroy(v_aux);
1349 	scf_pg_destroy(pg);
1350 	scf_instance_destroy(s_inst);
1351 
1352 	return (ret);
1353 }
1354 
1355 /*
1356  * Fails with
1357  *   EINVAL - type is invalid
1358  *   ENOMEM
1359  *   ECONNABORTED - repository connection broken
1360  *   EBADF - s_inst is not set
1361  *   ECANCELED - s_inst is deleted
1362  *   EPERM - permission denied
1363  *   EACCES - backend access denied
1364  *   EROFS - backend readonly
1365  */
1366 int
1367 restarter_remove_contract(scf_instance_t *s_inst, ctid_t contract_id,
1368     restarter_contract_type_t type)
1369 {
1370 	scf_handle_t *h;
1371 	scf_transaction_t *t = NULL;
1372 	scf_transaction_entry_t *t_cid = NULL;
1373 	scf_propertygroup_t *pg = NULL;
1374 	scf_property_t *prop = NULL;
1375 	scf_value_t *val;
1376 	scf_iter_t *iter = NULL;
1377 	const char *pname;
1378 	int ret = 0, primary;
1379 	uint64_t c;
1380 
1381 	switch (type) {
1382 	case RESTARTER_CONTRACT_PRIMARY:
1383 		primary = 1;
1384 		break;
1385 	case RESTARTER_CONTRACT_TRANSIENT:
1386 		primary = 0;
1387 		break;
1388 	default:
1389 		return (EINVAL);
1390 	}
1391 
1392 	h = scf_instance_handle(s_inst);
1393 
1394 	pg = scf_pg_create(h);
1395 	prop = scf_property_create(h);
1396 	iter = scf_iter_create(h);
1397 	t = scf_transaction_create(h);
1398 
1399 	if (pg == NULL || prop == NULL || iter == NULL || t == NULL) {
1400 		ret = ENOMEM;
1401 		goto remove_contract_cleanup;
1402 	}
1403 
1404 add:
1405 	scf_transaction_destroy_children(t);
1406 	ret = instance_get_or_add_pg(s_inst, SCF_PG_RESTARTER,
1407 	    SCF_PG_RESTARTER_TYPE, SCF_PG_RESTARTER_FLAGS, pg);
1408 	if (ret != 0)
1409 		goto remove_contract_cleanup;
1410 
1411 	pname = primary? SCF_PROPERTY_CONTRACT :
1412 	    SCF_PROPERTY_TRANSIENT_CONTRACT;
1413 
1414 	for (;;) {
1415 		if (scf_transaction_start(t, pg) != 0) {
1416 			switch (scf_error()) {
1417 			case SCF_ERROR_CONNECTION_BROKEN:
1418 			default:
1419 				ret = ECONNABORTED;
1420 				goto remove_contract_cleanup;
1421 
1422 			case SCF_ERROR_DELETED:
1423 				goto add;
1424 
1425 			case SCF_ERROR_PERMISSION_DENIED:
1426 				ret = EPERM;
1427 				goto remove_contract_cleanup;
1428 
1429 			case SCF_ERROR_BACKEND_ACCESS:
1430 				ret = EACCES;
1431 				goto remove_contract_cleanup;
1432 
1433 			case SCF_ERROR_BACKEND_READONLY:
1434 				ret = EROFS;
1435 				goto remove_contract_cleanup;
1436 
1437 			case SCF_ERROR_HANDLE_MISMATCH:
1438 			case SCF_ERROR_IN_USE:
1439 			case SCF_ERROR_NOT_SET:
1440 				bad_fail("scf_transaction_start", scf_error());
1441 			}
1442 		}
1443 
1444 		t_cid = scf_entry_create(h);
1445 
1446 		if (scf_pg_get_property(pg, pname, prop) == 0) {
1447 replace:
1448 			if (scf_transaction_property_change_type(t, t_cid,
1449 			    pname, SCF_TYPE_COUNT) != 0) {
1450 				switch (scf_error()) {
1451 				case SCF_ERROR_CONNECTION_BROKEN:
1452 				default:
1453 					ret = ECONNABORTED;
1454 					goto remove_contract_cleanup;
1455 
1456 				case SCF_ERROR_DELETED:
1457 					scf_entry_destroy(t_cid);
1458 					goto add;
1459 
1460 				case SCF_ERROR_NOT_FOUND:
1461 					goto new;
1462 
1463 				case SCF_ERROR_HANDLE_MISMATCH:
1464 				case SCF_ERROR_INVALID_ARGUMENT:
1465 				case SCF_ERROR_IN_USE:
1466 				case SCF_ERROR_NOT_SET:
1467 					bad_fail(
1468 					"scf_transaction_property_changetype",
1469 					    scf_error());
1470 				}
1471 			}
1472 
1473 			if (scf_property_is_type(prop, SCF_TYPE_COUNT) == 0) {
1474 				if (scf_iter_property_values(iter, prop) != 0) {
1475 					switch (scf_error()) {
1476 					case SCF_ERROR_CONNECTION_BROKEN:
1477 					default:
1478 						ret = ECONNABORTED;
1479 						goto remove_contract_cleanup;
1480 
1481 					case SCF_ERROR_NOT_SET:
1482 					case SCF_ERROR_HANDLE_MISMATCH:
1483 						bad_fail(
1484 						    "scf_iter_property_values",
1485 						    scf_error());
1486 					}
1487 				}
1488 
1489 next_val:
1490 				val = scf_value_create(h);
1491 				if (val == NULL) {
1492 					assert(scf_error() ==
1493 					    SCF_ERROR_NO_MEMORY);
1494 					ret = ENOMEM;
1495 					goto remove_contract_cleanup;
1496 				}
1497 
1498 				ret = scf_iter_next_value(iter, val);
1499 				if (ret == -1) {
1500 					switch (scf_error()) {
1501 					case SCF_ERROR_CONNECTION_BROKEN:
1502 						ret = ECONNABORTED;
1503 						goto remove_contract_cleanup;
1504 
1505 					case SCF_ERROR_DELETED:
1506 						scf_value_destroy(val);
1507 						goto add;
1508 
1509 					case SCF_ERROR_HANDLE_MISMATCH:
1510 					case SCF_ERROR_INVALID_ARGUMENT:
1511 					case SCF_ERROR_PERMISSION_DENIED:
1512 					default:
1513 						bad_fail("scf_iter_next_value",
1514 						    scf_error());
1515 					}
1516 				}
1517 
1518 				if (ret == 1) {
1519 					ret = scf_value_get_count(val, &c);
1520 					assert(ret == 0);
1521 
1522 					if (c != contract_id) {
1523 						ret = scf_entry_add_value(t_cid,
1524 						    val);
1525 						assert(ret == 0);
1526 					} else {
1527 						scf_value_destroy(val);
1528 					}
1529 
1530 					goto next_val;
1531 				}
1532 
1533 				scf_value_destroy(val);
1534 			} else {
1535 				switch (scf_error()) {
1536 				case SCF_ERROR_CONNECTION_BROKEN:
1537 				default:
1538 					ret = ECONNABORTED;
1539 					goto remove_contract_cleanup;
1540 
1541 				case SCF_ERROR_TYPE_MISMATCH:
1542 					break;
1543 
1544 				case SCF_ERROR_INVALID_ARGUMENT:
1545 				case SCF_ERROR_NOT_SET:
1546 					bad_fail("scf_property_is_type",
1547 					    scf_error());
1548 				}
1549 			}
1550 		} else {
1551 			switch (scf_error()) {
1552 			case SCF_ERROR_CONNECTION_BROKEN:
1553 			default:
1554 				ret = ECONNABORTED;
1555 				goto remove_contract_cleanup;
1556 
1557 			case SCF_ERROR_DELETED:
1558 				scf_entry_destroy(t_cid);
1559 				goto add;
1560 
1561 			case SCF_ERROR_NOT_FOUND:
1562 				break;
1563 
1564 			case SCF_ERROR_HANDLE_MISMATCH:
1565 			case SCF_ERROR_INVALID_ARGUMENT:
1566 			case SCF_ERROR_NOT_SET:
1567 				bad_fail("scf_pg_get_property", scf_error());
1568 			}
1569 
1570 new:
1571 			if (scf_transaction_property_new(t, t_cid, pname,
1572 			    SCF_TYPE_COUNT) != 0) {
1573 				switch (scf_error()) {
1574 				case SCF_ERROR_CONNECTION_BROKEN:
1575 				default:
1576 					ret = ECONNABORTED;
1577 					goto remove_contract_cleanup;
1578 
1579 				case SCF_ERROR_DELETED:
1580 					scf_entry_destroy(t_cid);
1581 					goto add;
1582 
1583 				case SCF_ERROR_EXISTS:
1584 					goto replace;
1585 
1586 				case SCF_ERROR_HANDLE_MISMATCH:
1587 				case SCF_ERROR_INVALID_ARGUMENT:
1588 				case SCF_ERROR_NOT_SET:
1589 					bad_fail("scf_transaction_property_new",
1590 					    scf_error());
1591 				}
1592 			}
1593 		}
1594 
1595 		ret = scf_transaction_commit(t);
1596 		if (ret == -1) {
1597 			switch (scf_error()) {
1598 			case SCF_ERROR_CONNECTION_BROKEN:
1599 			default:
1600 				ret = ECONNABORTED;
1601 				goto remove_contract_cleanup;
1602 
1603 			case SCF_ERROR_DELETED:
1604 				goto add;
1605 
1606 			case SCF_ERROR_PERMISSION_DENIED:
1607 				ret = EPERM;
1608 				goto remove_contract_cleanup;
1609 
1610 			case SCF_ERROR_BACKEND_ACCESS:
1611 				ret = EACCES;
1612 				goto remove_contract_cleanup;
1613 
1614 			case SCF_ERROR_BACKEND_READONLY:
1615 				ret = EROFS;
1616 				goto remove_contract_cleanup;
1617 
1618 			case SCF_ERROR_NOT_SET:
1619 				bad_fail("scf_transaction_commit", scf_error());
1620 			}
1621 		}
1622 		if (ret == 1) {
1623 			ret = 0;
1624 			break;
1625 		}
1626 
1627 		scf_transaction_destroy_children(t);
1628 		if (scf_pg_update(pg) == -1) {
1629 			switch (scf_error()) {
1630 			case SCF_ERROR_CONNECTION_BROKEN:
1631 			default:
1632 				ret = ECONNABORTED;
1633 				goto remove_contract_cleanup;
1634 
1635 			case SCF_ERROR_DELETED:
1636 				goto add;
1637 
1638 			case SCF_ERROR_NOT_SET:
1639 				bad_fail("scf_pg_update", scf_error());
1640 			}
1641 		}
1642 	}
1643 
1644 remove_contract_cleanup:
1645 	scf_transaction_destroy_children(t);
1646 	scf_transaction_destroy(t);
1647 	scf_iter_destroy(iter);
1648 	scf_property_destroy(prop);
1649 	scf_pg_destroy(pg);
1650 
1651 	return (ret);
1652 }
1653 
1654 /*
1655  * Fails with
1656  *   EINVAL - type is invalid
1657  *   ENOMEM
1658  *   ECONNABORTED - repository disconnection
1659  *   EBADF - s_inst is not set
1660  *   ECANCELED - s_inst is deleted
1661  *   EPERM
1662  *   EACCES
1663  *   EROFS
1664  */
1665 int
1666 restarter_store_contract(scf_instance_t *s_inst, ctid_t contract_id,
1667     restarter_contract_type_t type)
1668 {
1669 	scf_handle_t *h;
1670 	scf_transaction_t *t = NULL;
1671 	scf_transaction_entry_t *t_cid = NULL;
1672 	scf_value_t *val;
1673 	scf_propertygroup_t *pg = NULL;
1674 	scf_property_t *prop = NULL;
1675 	scf_iter_t *iter = NULL;
1676 	const char *pname;
1677 	int ret = 0, primary;
1678 
1679 	if (type == RESTARTER_CONTRACT_PRIMARY)
1680 		primary = 1;
1681 	else if (type == RESTARTER_CONTRACT_TRANSIENT)
1682 		primary = 0;
1683 	else
1684 		return (EINVAL);
1685 
1686 	h = scf_instance_handle(s_inst);
1687 
1688 	pg = scf_pg_create(h);
1689 	prop = scf_property_create(h);
1690 	iter = scf_iter_create(h);
1691 	t = scf_transaction_create(h);
1692 
1693 	if (pg == NULL || prop == NULL || iter == NULL || t == NULL) {
1694 		ret = ENOMEM;
1695 		goto out;
1696 	}
1697 
1698 add:
1699 	scf_transaction_destroy_children(t);
1700 	ret = instance_get_or_add_pg(s_inst, SCF_PG_RESTARTER,
1701 	    SCF_PG_RESTARTER_TYPE, SCF_PG_RESTARTER_FLAGS, pg);
1702 	if (ret != 0)
1703 		goto out;
1704 
1705 	pname = primary ? SCF_PROPERTY_CONTRACT :
1706 	    SCF_PROPERTY_TRANSIENT_CONTRACT;
1707 
1708 	for (;;) {
1709 		if (scf_transaction_start(t, pg) != 0) {
1710 			switch (scf_error()) {
1711 			case SCF_ERROR_CONNECTION_BROKEN:
1712 			default:
1713 				ret = ECONNABORTED;
1714 				goto out;
1715 
1716 			case SCF_ERROR_DELETED:
1717 				goto add;
1718 
1719 			case SCF_ERROR_PERMISSION_DENIED:
1720 				ret = EPERM;
1721 				goto out;
1722 
1723 			case SCF_ERROR_BACKEND_ACCESS:
1724 				ret = EACCES;
1725 				goto out;
1726 
1727 			case SCF_ERROR_BACKEND_READONLY:
1728 				ret = EROFS;
1729 				goto out;
1730 
1731 			case SCF_ERROR_HANDLE_MISMATCH:
1732 			case SCF_ERROR_IN_USE:
1733 			case SCF_ERROR_NOT_SET:
1734 				bad_fail("scf_transaction_start", scf_error());
1735 			}
1736 		}
1737 
1738 		t_cid = scf_entry_create(h);
1739 		if (t_cid == NULL) {
1740 			ret = ENOMEM;
1741 			goto out;
1742 		}
1743 
1744 		if (scf_pg_get_property(pg, pname, prop) == 0) {
1745 replace:
1746 			if (scf_transaction_property_change_type(t, t_cid,
1747 			    pname, SCF_TYPE_COUNT) != 0) {
1748 				switch (scf_error()) {
1749 				case SCF_ERROR_CONNECTION_BROKEN:
1750 				default:
1751 					ret = ECONNABORTED;
1752 					goto out;
1753 
1754 				case SCF_ERROR_DELETED:
1755 					scf_entry_destroy(t_cid);
1756 					goto add;
1757 
1758 				case SCF_ERROR_NOT_FOUND:
1759 					goto new;
1760 
1761 				case SCF_ERROR_HANDLE_MISMATCH:
1762 				case SCF_ERROR_INVALID_ARGUMENT:
1763 				case SCF_ERROR_IN_USE:
1764 				case SCF_ERROR_NOT_SET:
1765 					bad_fail(
1766 					"scf_transaction_propert_change_type",
1767 					    scf_error());
1768 				}
1769 			}
1770 
1771 			if (scf_property_is_type(prop, SCF_TYPE_COUNT) == 0) {
1772 				if (scf_iter_property_values(iter, prop) != 0) {
1773 					switch (scf_error()) {
1774 					case SCF_ERROR_CONNECTION_BROKEN:
1775 					default:
1776 						ret = ECONNABORTED;
1777 						goto out;
1778 
1779 					case SCF_ERROR_NOT_SET:
1780 					case SCF_ERROR_HANDLE_MISMATCH:
1781 						bad_fail(
1782 						    "scf_iter_property_values",
1783 						    scf_error());
1784 					}
1785 				}
1786 
1787 next_val:
1788 				val = scf_value_create(h);
1789 				if (val == NULL) {
1790 					assert(scf_error() ==
1791 					    SCF_ERROR_NO_MEMORY);
1792 					ret = ENOMEM;
1793 					goto out;
1794 				}
1795 
1796 				ret = scf_iter_next_value(iter, val);
1797 				if (ret == -1) {
1798 					switch (scf_error()) {
1799 					case SCF_ERROR_CONNECTION_BROKEN:
1800 					default:
1801 						ret = ECONNABORTED;
1802 						goto out;
1803 
1804 					case SCF_ERROR_DELETED:
1805 						scf_value_destroy(val);
1806 						goto add;
1807 
1808 					case SCF_ERROR_HANDLE_MISMATCH:
1809 					case SCF_ERROR_INVALID_ARGUMENT:
1810 					case SCF_ERROR_PERMISSION_DENIED:
1811 						bad_fail(
1812 						    "scf_iter_next_value",
1813 						    scf_error());
1814 					}
1815 				}
1816 
1817 				if (ret == 1) {
1818 					ret = scf_entry_add_value(t_cid, val);
1819 					assert(ret == 0);
1820 
1821 					goto next_val;
1822 				}
1823 
1824 				scf_value_destroy(val);
1825 			} else {
1826 				switch (scf_error()) {
1827 				case SCF_ERROR_CONNECTION_BROKEN:
1828 				default:
1829 					ret = ECONNABORTED;
1830 					goto out;
1831 
1832 				case SCF_ERROR_TYPE_MISMATCH:
1833 					break;
1834 
1835 				case SCF_ERROR_INVALID_ARGUMENT:
1836 				case SCF_ERROR_NOT_SET:
1837 					bad_fail("scf_property_is_type",
1838 					    scf_error());
1839 				}
1840 			}
1841 		} else {
1842 			switch (scf_error()) {
1843 			case SCF_ERROR_CONNECTION_BROKEN:
1844 			default:
1845 				ret = ECONNABORTED;
1846 				goto out;
1847 
1848 			case SCF_ERROR_DELETED:
1849 				scf_entry_destroy(t_cid);
1850 				goto add;
1851 
1852 			case SCF_ERROR_NOT_FOUND:
1853 				break;
1854 
1855 			case SCF_ERROR_HANDLE_MISMATCH:
1856 			case SCF_ERROR_INVALID_ARGUMENT:
1857 			case SCF_ERROR_NOT_SET:
1858 				bad_fail("scf_pg_get_property", scf_error());
1859 			}
1860 
1861 new:
1862 			if (scf_transaction_property_new(t, t_cid, pname,
1863 			    SCF_TYPE_COUNT) != 0) {
1864 				switch (scf_error()) {
1865 				case SCF_ERROR_CONNECTION_BROKEN:
1866 				default:
1867 					ret = ECONNABORTED;
1868 					goto out;
1869 
1870 				case SCF_ERROR_DELETED:
1871 					scf_entry_destroy(t_cid);
1872 					goto add;
1873 
1874 				case SCF_ERROR_EXISTS:
1875 					goto replace;
1876 
1877 				case SCF_ERROR_HANDLE_MISMATCH:
1878 				case SCF_ERROR_INVALID_ARGUMENT:
1879 				case SCF_ERROR_NOT_SET:
1880 					bad_fail("scf_transaction_property_new",
1881 					    scf_error());
1882 				}
1883 			}
1884 		}
1885 
1886 		val = scf_value_create(h);
1887 		if (val == NULL) {
1888 			assert(scf_error() == SCF_ERROR_NO_MEMORY);
1889 			ret = ENOMEM;
1890 			goto out;
1891 		}
1892 
1893 		scf_value_set_count(val, contract_id);
1894 		ret = scf_entry_add_value(t_cid, val);
1895 		assert(ret == 0);
1896 
1897 		ret = scf_transaction_commit(t);
1898 		if (ret == -1) {
1899 			switch (scf_error()) {
1900 			case SCF_ERROR_CONNECTION_BROKEN:
1901 			default:
1902 				ret = ECONNABORTED;
1903 				goto out;
1904 
1905 			case SCF_ERROR_DELETED:
1906 				goto add;
1907 
1908 			case SCF_ERROR_PERMISSION_DENIED:
1909 				ret = EPERM;
1910 				goto out;
1911 
1912 			case SCF_ERROR_BACKEND_ACCESS:
1913 				ret = EACCES;
1914 				goto out;
1915 
1916 			case SCF_ERROR_BACKEND_READONLY:
1917 				ret = EROFS;
1918 				goto out;
1919 
1920 			case SCF_ERROR_NOT_SET:
1921 				bad_fail("scf_transaction_commit", scf_error());
1922 			}
1923 		}
1924 		if (ret == 1) {
1925 			ret = 0;
1926 			break;
1927 		}
1928 
1929 		scf_transaction_destroy_children(t);
1930 		if (scf_pg_update(pg) == -1) {
1931 			switch (scf_error()) {
1932 			case SCF_ERROR_CONNECTION_BROKEN:
1933 			default:
1934 				ret = ECONNABORTED;
1935 				goto out;
1936 
1937 			case SCF_ERROR_DELETED:
1938 				goto add;
1939 
1940 			case SCF_ERROR_NOT_SET:
1941 				bad_fail("scf_pg_update", scf_error());
1942 			}
1943 		}
1944 	}
1945 
1946 out:
1947 	scf_transaction_destroy_children(t);
1948 	scf_transaction_destroy(t);
1949 	scf_iter_destroy(iter);
1950 	scf_property_destroy(prop);
1951 	scf_pg_destroy(pg);
1952 
1953 	return (ret);
1954 }
1955 
1956 int
1957 restarter_rm_libs_loadable()
1958 {
1959 	void *libhndl;
1960 
1961 	if (method_context_safety)
1962 		return (1);
1963 
1964 	if ((libhndl = dlopen("libpool.so", RTLD_LAZY | RTLD_LOCAL)) == NULL)
1965 		return (0);
1966 
1967 	(void) dlclose(libhndl);
1968 
1969 	if ((libhndl = dlopen("libproject.so", RTLD_LAZY | RTLD_LOCAL)) == NULL)
1970 		return (0);
1971 
1972 	(void) dlclose(libhndl);
1973 
1974 	method_context_safety = 1;
1975 
1976 	return (1);
1977 }
1978 
1979 static int
1980 get_astring_val(scf_propertygroup_t *pg, const char *name, char *buf,
1981     size_t bufsz, scf_property_t *prop, scf_value_t *val)
1982 {
1983 	ssize_t szret;
1984 
1985 	if (pg == NULL)
1986 		return (-1);
1987 
1988 	if (scf_pg_get_property(pg, name, prop) != SCF_SUCCESS) {
1989 		if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
1990 			uu_die(rcbroken);
1991 		return (-1);
1992 	}
1993 
1994 	if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
1995 		if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
1996 			uu_die(rcbroken);
1997 		return (-1);
1998 	}
1999 
2000 	szret = scf_value_get_astring(val, buf, bufsz);
2001 
2002 	return (szret >= 0 ? 0 : -1);
2003 }
2004 
2005 static int
2006 get_boolean_val(scf_propertygroup_t *pg, const char *name, uint8_t *b,
2007     scf_property_t *prop, scf_value_t *val)
2008 {
2009 	if (scf_pg_get_property(pg, name, prop) != SCF_SUCCESS) {
2010 		if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
2011 			uu_die(rcbroken);
2012 		return (-1);
2013 	}
2014 
2015 	if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
2016 		if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
2017 			uu_die(rcbroken);
2018 		return (-1);
2019 	}
2020 
2021 	if (scf_value_get_boolean(val, b))
2022 		return (-1);
2023 
2024 	return (0);
2025 }
2026 
2027 /*
2028  * Try to load mcp->pwd, if it isn't already.
2029  * Fails with
2030  *   ENOMEM - malloc() failed
2031  *   ENOENT - no entry found
2032  *   EIO - I/O error
2033  *   EMFILE - process out of file descriptors
2034  *   ENFILE - system out of file handles
2035  */
2036 static int
2037 lookup_pwd(struct method_context *mcp)
2038 {
2039 	struct passwd *pwdp;
2040 
2041 	if (mcp->pwbuf != NULL && mcp->pwd.pw_uid == mcp->uid)
2042 		return (0);
2043 
2044 	if (mcp->pwbuf == NULL) {
2045 		mcp->pwbufsz = sysconf(_SC_GETPW_R_SIZE_MAX);
2046 		assert(mcp->pwbufsz >= 0);
2047 		mcp->pwbuf = malloc(mcp->pwbufsz);
2048 		if (mcp->pwbuf == NULL)
2049 			return (ENOMEM);
2050 	}
2051 
2052 	do {
2053 		errno = 0;
2054 		pwdp = getpwuid_r(mcp->uid, &mcp->pwd, mcp->pwbuf,
2055 		    mcp->pwbufsz);
2056 	} while (pwdp == NULL && errno == EINTR);
2057 	if (pwdp != NULL)
2058 		return (0);
2059 
2060 	free(mcp->pwbuf);
2061 	mcp->pwbuf = NULL;
2062 
2063 	switch (errno) {
2064 	case 0:
2065 	default:
2066 		/*
2067 		 * Until bug 5065780 is fixed, getpwuid_r() can fail with
2068 		 * ENOENT, particularly on the miniroot.  Since the
2069 		 * documentation is inaccurate, we'll return ENOENT for unknown
2070 		 * errors.
2071 		 */
2072 		return (ENOENT);
2073 
2074 	case EIO:
2075 	case EMFILE:
2076 	case ENFILE:
2077 		return (errno);
2078 
2079 	case ERANGE:
2080 		bad_fail("getpwuid_r", errno);
2081 		/* NOTREACHED */
2082 	}
2083 }
2084 
2085 /*
2086  * Get the user id for str.  Returns 0 on success or
2087  *   ERANGE	the uid is too big
2088  *   EINVAL	the string starts with a digit, but is not a valid uid
2089  *   ENOMEM	out of memory
2090  *   ENOENT	no passwd entry for str
2091  *   EIO	an I/O error has occurred
2092  *   EMFILE/ENFILE  out of file descriptors
2093  */
2094 int
2095 get_uid(const char *str, struct method_context *ci, uid_t *uidp)
2096 {
2097 	if (isdigit(str[0])) {
2098 		uid_t uid;
2099 		char *cp;
2100 
2101 		errno = 0;
2102 		uid = strtol(str, &cp, 10);
2103 
2104 		if (uid == 0 && errno != 0) {
2105 			assert(errno != EINVAL);
2106 			return (errno);
2107 		}
2108 
2109 		for (; *cp != '\0'; ++cp)
2110 			if (*cp != ' ' || *cp != '\t')
2111 				return (EINVAL);
2112 
2113 		if (uid > UID_MAX)
2114 			return (EINVAL);
2115 
2116 		*uidp = uid;
2117 		return (0);
2118 	} else {
2119 		struct passwd *pwdp;
2120 
2121 		if (ci->pwbuf == NULL) {
2122 			ci->pwbufsz = sysconf(_SC_GETPW_R_SIZE_MAX);
2123 			ci->pwbuf = malloc(ci->pwbufsz);
2124 			if (ci->pwbuf == NULL)
2125 				return (ENOMEM);
2126 		}
2127 
2128 		do {
2129 			errno = 0;
2130 			pwdp =
2131 			    getpwnam_r(str, &ci->pwd, ci->pwbuf, ci->pwbufsz);
2132 		} while (pwdp == NULL && errno == EINTR);
2133 
2134 		if (pwdp != NULL) {
2135 			*uidp = ci->pwd.pw_uid;
2136 			return (0);
2137 		} else {
2138 			free(ci->pwbuf);
2139 			ci->pwbuf = NULL;
2140 			switch (errno) {
2141 			case 0:
2142 				return (ENOENT);
2143 
2144 			case ENOENT:
2145 			case EIO:
2146 			case EMFILE:
2147 			case ENFILE:
2148 				return (errno);
2149 
2150 			case ERANGE:
2151 			default:
2152 				bad_fail("getpwnam_r", errno);
2153 				/* NOTREACHED */
2154 			}
2155 		}
2156 	}
2157 }
2158 
2159 gid_t
2160 get_gid(const char *str)
2161 {
2162 	if (isdigit(str[0])) {
2163 		gid_t gid;
2164 		char *cp;
2165 
2166 		errno = 0;
2167 		gid = strtol(str, &cp, 10);
2168 
2169 		if (gid == 0 && errno != 0)
2170 			return ((gid_t)-1);
2171 
2172 		for (; *cp != '\0'; ++cp)
2173 			if (*cp != ' ' || *cp != '\t')
2174 				return ((gid_t)-1);
2175 
2176 		return (gid);
2177 	} else {
2178 		struct group grp, *ret;
2179 		char *buffer;
2180 		size_t buflen;
2181 
2182 		buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
2183 		buffer = malloc(buflen);
2184 		if (buffer == NULL)
2185 			uu_die(allocfail);
2186 
2187 		errno = 0;
2188 		ret = getgrnam_r(str, &grp, buffer, buflen);
2189 		free(buffer);
2190 
2191 		return (ret == NULL ? (gid_t)-1 : grp.gr_gid);
2192 	}
2193 }
2194 
2195 /*
2196  * Fails with
2197  *   ENOMEM - out of memory
2198  *   ENOENT - no passwd entry
2199  *	      no project entry
2200  *   EIO - an I/O error occurred
2201  *   EMFILE - the process is out of file descriptors
2202  *   ENFILE - the system is out of file handles
2203  *   ERANGE - the project id is out of range
2204  *   EINVAL - str is invalid
2205  *   E2BIG - the project entry was too big
2206  *   -1 - the name service switch is misconfigured
2207  */
2208 int
2209 get_projid(const char *str, struct method_context *cip)
2210 {
2211 	int ret;
2212 	void *buf;
2213 	const size_t bufsz = PROJECT_BUFSZ;
2214 	struct project proj, *pp;
2215 
2216 	if (strcmp(str, ":default") == 0) {
2217 		if (cip->uid == 0) {
2218 			/* Don't change project for root services */
2219 			cip->project = NULL;
2220 			return (0);
2221 		}
2222 
2223 		switch (ret = lookup_pwd(cip)) {
2224 		case 0:
2225 			break;
2226 
2227 		case ENOMEM:
2228 		case ENOENT:
2229 		case EIO:
2230 		case EMFILE:
2231 		case ENFILE:
2232 			return (ret);
2233 
2234 		default:
2235 			bad_fail("lookup_pwd", ret);
2236 		}
2237 
2238 		buf = malloc(bufsz);
2239 		if (buf == NULL)
2240 			return (ENOMEM);
2241 
2242 		do {
2243 			errno = 0;
2244 			pp = getdefaultproj(cip->pwd.pw_name, &proj, buf,
2245 			    bufsz);
2246 		} while (pp == NULL && errno == EINTR);
2247 
2248 		/* to be continued ... */
2249 	} else {
2250 		projid_t projid;
2251 		char *cp;
2252 
2253 		if (!isdigit(str[0])) {
2254 			cip->project = strdup(str);
2255 			return (cip->project != NULL ? 0 : ENOMEM);
2256 		}
2257 
2258 		errno = 0;
2259 		projid = strtol(str, &cp, 10);
2260 
2261 		if (projid == 0 && errno != 0) {
2262 			assert(errno == ERANGE);
2263 			return (errno);
2264 		}
2265 
2266 		for (; *cp != '\0'; ++cp)
2267 			if (*cp != ' ' || *cp != '\t')
2268 				return (EINVAL);
2269 
2270 		if (projid > MAXPROJID)
2271 			return (ERANGE);
2272 
2273 		buf = malloc(bufsz);
2274 		if (buf == NULL)
2275 			return (ENOMEM);
2276 
2277 		do {
2278 			errno = 0;
2279 			pp = getprojbyid(projid, &proj, buf, bufsz);
2280 		} while (pp == NULL && errno == EINTR);
2281 	}
2282 
2283 	if (pp) {
2284 		cip->project = strdup(pp->pj_name);
2285 		free(buf);
2286 		return (cip->project != NULL ? 0 : ENOMEM);
2287 	}
2288 
2289 	free(buf);
2290 
2291 	switch (errno) {
2292 	case 0:
2293 		return (ENOENT);
2294 
2295 	case EIO:
2296 	case EMFILE:
2297 	case ENFILE:
2298 		return (errno);
2299 
2300 	case ERANGE:
2301 		return (E2BIG);
2302 
2303 	default:
2304 		return (-1);
2305 	}
2306 }
2307 
2308 /*
2309  * Parse the supp_groups property value and populate ci->groups.  Returns
2310  * EINVAL (get_gid() failed for one of the components), E2BIG (the property has
2311  * more than NGROUPS_MAX-1 groups), or 0 on success.
2312  */
2313 int
2314 get_groups(char *str, struct method_context *ci)
2315 {
2316 	char *cp, *end, *next;
2317 	uint_t i;
2318 
2319 	const char * const whitespace = " \t";
2320 	const char * const illegal = ", \t";
2321 
2322 	if (str[0] == '\0') {
2323 		ci->ngroups = 0;
2324 		return (0);
2325 	}
2326 
2327 	for (cp = str, i = 0; *cp != '\0'; ) {
2328 		/* skip whitespace */
2329 		cp += strspn(cp, whitespace);
2330 
2331 		/* find the end */
2332 		end = cp + strcspn(cp, illegal);
2333 
2334 		/* skip whitespace after end */
2335 		next = end + strspn(end, whitespace);
2336 
2337 		/* if there's a comma, it separates the fields */
2338 		if (*next == ',')
2339 			++next;
2340 
2341 		*end = '\0';
2342 
2343 		if ((ci->groups[i] = get_gid(cp)) == (gid_t)-1) {
2344 			ci->ngroups = 0;
2345 			return (EINVAL);
2346 		}
2347 
2348 		++i;
2349 		if (i > NGROUPS_MAX - 1) {
2350 			ci->ngroups = 0;
2351 			return (E2BIG);
2352 		}
2353 
2354 		cp = next;
2355 	}
2356 
2357 	ci->ngroups = i;
2358 	return (0);
2359 }
2360 
2361 
2362 /*
2363  * Return an error message structure containing the error message
2364  * with context, and the error so the caller can make a decision
2365  * on what to do next.
2366  *
2367  * Because get_ids uses the mc_error_create() function which can
2368  * reallocate the merr, this function must return the merr pointer
2369  * in case it was reallocated.
2370  */
2371 static mc_error_t *
2372 get_profile(scf_propertygroup_t *methpg, scf_propertygroup_t *instpg,
2373     scf_property_t *prop, scf_value_t *val, const char *cmdline,
2374     struct method_context *ci, mc_error_t *merr)
2375 {
2376 	char *buf = ci->vbuf;
2377 	ssize_t buf_sz = ci->vbuf_sz;
2378 	char cmd[PATH_MAX];
2379 	char *cp, *value;
2380 	const char *cmdp;
2381 	execattr_t *eap;
2382 	mc_error_t *err = merr;
2383 	int r;
2384 
2385 	if (!(get_astring_val(methpg, SCF_PROPERTY_PROFILE, buf, buf_sz, prop,
2386 	    val) == 0 || get_astring_val(instpg, SCF_PROPERTY_PROFILE, buf,
2387 	    buf_sz, prop, val) == 0))
2388 		return (mc_error_create(merr, scf_error(),
2389 		    "Method context requires a profile, but the  \"%s\" "
2390 		    "property could not be read. scf_error is %s",
2391 		    SCF_PROPERTY_PROFILE, scf_strerror(scf_error())));
2392 
2393 	/* Extract the command from the command line. */
2394 	cp = strpbrk(cmdline, " \t");
2395 
2396 	if (cp == NULL) {
2397 		cmdp = cmdline;
2398 	} else {
2399 		(void) strncpy(cmd, cmdline, cp - cmdline);
2400 		cmd[cp - cmdline] = '\0';
2401 		cmdp = cmd;
2402 	}
2403 
2404 	/* Require that cmdp[0] == '/'? */
2405 
2406 	eap = getexecprof(buf, KV_COMMAND, cmdp, GET_ONE);
2407 	if (eap == NULL)
2408 		return (mc_error_create(merr, ENOENT,
2409 		    "Could not find the execution profile \"%s\", "
2410 		    "command %s.", buf, cmdp));
2411 
2412 	/* Based on pfexec.c */
2413 
2414 	/* Get the euid first so we don't override ci->pwd for the uid. */
2415 	if ((value = kva_match(eap->attr, EXECATTR_EUID_KW)) != NULL) {
2416 		if ((r = get_uid(value, ci, &ci->euid)) != 0) {
2417 			ci->euid = (uid_t)-1;
2418 			err = mc_error_create(merr, r,
2419 			    "Could not interpret profile euid value \"%s\", "
2420 			    "from the execution profile \"%s\", error %d.",
2421 			    value, buf, r);
2422 			goto out;
2423 		}
2424 	}
2425 
2426 	if ((value = kva_match(eap->attr, EXECATTR_UID_KW)) != NULL) {
2427 		if ((r = get_uid(value, ci, &ci->uid)) != 0) {
2428 			ci->euid = ci->uid = (uid_t)-1;
2429 			err = mc_error_create(merr, r,
2430 			    "Could not interpret profile uid value \"%s\", "
2431 			    "from the execution profile \"%s\", error %d.",
2432 			    value, buf, r);
2433 			goto out;
2434 		}
2435 		ci->euid = ci->uid;
2436 	}
2437 
2438 	if ((value = kva_match(eap->attr, EXECATTR_GID_KW)) != NULL) {
2439 		ci->egid = ci->gid = get_gid(value);
2440 		if (ci->gid == (gid_t)-1) {
2441 			err = mc_error_create(merr, EINVAL,
2442 			    "Could not interpret profile gid value \"%s\", "
2443 			    "from the execution profile \"%s\".", value, buf);
2444 			goto out;
2445 		}
2446 	}
2447 
2448 	if ((value = kva_match(eap->attr, EXECATTR_EGID_KW)) != NULL) {
2449 		ci->egid = get_gid(value);
2450 		if (ci->egid == (gid_t)-1) {
2451 			err = mc_error_create(merr, EINVAL,
2452 			    "Could not interpret profile egid value \"%s\", "
2453 			    "from the execution profile \"%s\".", value, buf);
2454 			goto out;
2455 		}
2456 	}
2457 
2458 	if ((value = kva_match(eap->attr, EXECATTR_LPRIV_KW)) != NULL) {
2459 		ci->lpriv_set = priv_str_to_set(value, ",", NULL);
2460 		if (ci->lpriv_set == NULL) {
2461 			if (errno != EINVAL)
2462 				err = mc_error_create(merr, ENOMEM,
2463 				    ALLOCFAIL);
2464 			else
2465 				err = mc_error_create(merr, EINVAL,
2466 				    "Could not interpret profile "
2467 				    "limitprivs value \"%s\", from "
2468 				    "the execution profile \"%s\".",
2469 				    value, buf);
2470 			goto out;
2471 		}
2472 	}
2473 
2474 	if ((value = kva_match(eap->attr, EXECATTR_IPRIV_KW)) != NULL) {
2475 		ci->priv_set = priv_str_to_set(value, ",", NULL);
2476 		if (ci->priv_set == NULL) {
2477 			if (errno != EINVAL)
2478 				err = mc_error_create(merr, ENOMEM,
2479 				    ALLOCFAIL);
2480 			else
2481 				err = mc_error_create(merr, EINVAL,
2482 				    "Could not interpret profile privs value "
2483 				    "\"%s\", from the execution profile "
2484 				    "\"%s\".", value, buf);
2485 			goto out;
2486 		}
2487 	}
2488 
2489 out:
2490 	free_execattr(eap);
2491 
2492 	return (err);
2493 }
2494 
2495 /*
2496  * Return an error message structure containing the error message
2497  * with context, and the error so the caller can make a decision
2498  * on what to do next.
2499  *
2500  * Because get_ids uses the mc_error_create() function which can
2501  * reallocate the merr, this function must return the merr pointer
2502  * in case it was reallocated.
2503  */
2504 static mc_error_t *
2505 get_ids(scf_propertygroup_t *methpg, scf_propertygroup_t *instpg,
2506     scf_property_t *prop, scf_value_t *val, struct method_context *ci,
2507     mc_error_t *merr)
2508 {
2509 	char *vbuf = ci->vbuf;
2510 	ssize_t vbuf_sz = ci->vbuf_sz;
2511 	int r;
2512 
2513 	/*
2514 	 * This should never happen because the caller should fall through
2515 	 * another path of just setting the ids to defaults, instead of
2516 	 * attempting to get the ids here.
2517 	 */
2518 	if (methpg == NULL && instpg == NULL)
2519 		return (mc_error_create(merr, ENOENT,
2520 		    "No property groups to get ids from."));
2521 
2522 	if (!(get_astring_val(methpg, SCF_PROPERTY_USER,
2523 	    vbuf, vbuf_sz, prop, val) == 0 || get_astring_val(instpg,
2524 	    SCF_PROPERTY_USER, vbuf, vbuf_sz, prop,
2525 	    val) == 0))
2526 		return (mc_error_create(merr, ENOENT,
2527 		    "Could not get \"%s\" property.", SCF_PROPERTY_USER));
2528 
2529 	if ((r = get_uid(vbuf, ci, &ci->uid)) != 0) {
2530 		ci->uid = (uid_t)-1;
2531 		return (mc_error_create(merr, r,
2532 		    "Could not interpret \"%s\" property value \"%s\", "
2533 		    "error %d.", SCF_PROPERTY_USER, vbuf, r));
2534 	}
2535 
2536 	if (!(get_astring_val(methpg, SCF_PROPERTY_GROUP, vbuf, vbuf_sz, prop,
2537 	    val) == 0 || get_astring_val(instpg, SCF_PROPERTY_GROUP, vbuf,
2538 	    vbuf_sz, prop, val) == 0)) {
2539 		if (scf_error() == SCF_ERROR_NOT_FOUND) {
2540 			(void) strcpy(vbuf, ":default");
2541 		} else {
2542 			return (mc_error_create(merr, ENOENT,
2543 			    "Could not get \"%s\" property.",
2544 			    SCF_PROPERTY_GROUP));
2545 		}
2546 	}
2547 
2548 	if (strcmp(vbuf, ":default") != 0) {
2549 		ci->gid = get_gid(vbuf);
2550 		if (ci->gid == (gid_t)-1) {
2551 			return (mc_error_create(merr, ENOENT,
2552 			    "Could not interpret \"%s\" property value \"%s\".",
2553 			    SCF_PROPERTY_GROUP, vbuf));
2554 		}
2555 	} else {
2556 		switch (r = lookup_pwd(ci)) {
2557 		case 0:
2558 			ci->gid = ci->pwd.pw_gid;
2559 			break;
2560 
2561 		case ENOENT:
2562 			ci->gid = (gid_t)-1;
2563 			return (mc_error_create(merr, ENOENT,
2564 			    "No passwd entry for uid \"%d\".", ci->uid));
2565 
2566 		case ENOMEM:
2567 			return (mc_error_create(merr, ENOMEM,
2568 			    "Out of memory."));
2569 
2570 		case EIO:
2571 		case EMFILE:
2572 		case ENFILE:
2573 			return (mc_error_create(merr, ENFILE,
2574 			    "getpwuid_r() failed, error %d.", r));
2575 
2576 		default:
2577 			bad_fail("lookup_pwd", r);
2578 		}
2579 	}
2580 
2581 	if (!(get_astring_val(methpg, SCF_PROPERTY_SUPP_GROUPS, vbuf, vbuf_sz,
2582 	    prop, val) == 0 || get_astring_val(instpg,
2583 	    SCF_PROPERTY_SUPP_GROUPS, vbuf, vbuf_sz, prop, val) == 0)) {
2584 		if (scf_error() == SCF_ERROR_NOT_FOUND) {
2585 			(void) strcpy(vbuf, ":default");
2586 		} else {
2587 			return (mc_error_create(merr, ENOENT,
2588 			    "Could not get supplemental groups (\"%s\") "
2589 			    "property.", SCF_PROPERTY_SUPP_GROUPS));
2590 		}
2591 	}
2592 
2593 	if (strcmp(vbuf, ":default") != 0) {
2594 		switch (r = get_groups(vbuf, ci)) {
2595 		case 0:
2596 			break;
2597 
2598 		case EINVAL:
2599 			return (mc_error_create(merr, EINVAL,
2600 			    "Could not interpret supplemental groups (\"%s\") "
2601 			    "property value \"%s\".", SCF_PROPERTY_SUPP_GROUPS,
2602 			    vbuf));
2603 
2604 		case E2BIG:
2605 			return (mc_error_create(merr, E2BIG,
2606 			    "Too many supplemental groups values in \"%s\".",
2607 			    vbuf));
2608 
2609 		default:
2610 			bad_fail("get_groups", r);
2611 		}
2612 	} else {
2613 		ci->ngroups = -1;
2614 	}
2615 
2616 	if (!(get_astring_val(methpg, SCF_PROPERTY_PRIVILEGES, vbuf, vbuf_sz,
2617 	    prop, val) == 0 || get_astring_val(instpg, SCF_PROPERTY_PRIVILEGES,
2618 	    vbuf, vbuf_sz, prop, val) == 0)) {
2619 		if (scf_error() == SCF_ERROR_NOT_FOUND) {
2620 			(void) strcpy(vbuf, ":default");
2621 		} else {
2622 			return (mc_error_create(merr, ENOENT,
2623 			    "Could not get \"%s\" property.",
2624 			    SCF_PROPERTY_PRIVILEGES));
2625 		}
2626 	}
2627 
2628 	/*
2629 	 * For default privs, we need to keep priv_set == NULL, as
2630 	 * we use this test elsewhere.
2631 	 */
2632 	if (strcmp(vbuf, ":default") != 0) {
2633 		ci->priv_set = priv_str_to_set(vbuf, ",", NULL);
2634 		if (ci->priv_set == NULL) {
2635 			if (errno != EINVAL) {
2636 				return (mc_error_create(merr, ENOMEM,
2637 				    ALLOCFAIL));
2638 			} else {
2639 				return (mc_error_create(merr, EINVAL,
2640 				    "Could not interpret \"%s\" "
2641 				    "property value \"%s\".",
2642 				    SCF_PROPERTY_PRIVILEGES, vbuf));
2643 			}
2644 		}
2645 	}
2646 
2647 	if (!(get_astring_val(methpg, SCF_PROPERTY_LIMIT_PRIVILEGES, vbuf,
2648 	    vbuf_sz, prop, val) == 0 || get_astring_val(instpg,
2649 	    SCF_PROPERTY_LIMIT_PRIVILEGES, vbuf, vbuf_sz, prop, val) == 0)) {
2650 		if (scf_error() == SCF_ERROR_NOT_FOUND) {
2651 			(void) strcpy(vbuf, ":default");
2652 		} else {
2653 			return (mc_error_create(merr, ENOENT,
2654 			    "Could not get \"%s\" property.",
2655 			    SCF_PROPERTY_LIMIT_PRIVILEGES));
2656 		}
2657 	}
2658 
2659 	if (strcmp(vbuf, ":default") == 0)
2660 		/*
2661 		 * L must default to all privileges so root NPA services see
2662 		 * iE = all.  "zone" is all privileges available in the current
2663 		 * zone, equivalent to "all" in the global zone.
2664 		 */
2665 		(void) strcpy(vbuf, "zone");
2666 
2667 	ci->lpriv_set = priv_str_to_set(vbuf, ",", NULL);
2668 	if (ci->lpriv_set == NULL) {
2669 		if (errno != EINVAL) {
2670 			return (mc_error_create(merr, ENOMEM, ALLOCFAIL));
2671 		} else {
2672 			return (mc_error_create(merr, EINVAL,
2673 			    "Could not interpret \"%s\" property value \"%s\".",
2674 			    SCF_PROPERTY_LIMIT_PRIVILEGES, vbuf));
2675 		}
2676 	}
2677 
2678 	return (merr);
2679 }
2680 
2681 static int
2682 get_environment(scf_handle_t *h, scf_propertygroup_t *pg,
2683     struct method_context *mcp, scf_property_t *prop, scf_value_t *val)
2684 {
2685 	scf_iter_t *iter;
2686 	scf_type_t type;
2687 	size_t i = 0;
2688 	int ret;
2689 
2690 	if (scf_pg_get_property(pg, SCF_PROPERTY_ENVIRONMENT, prop) != 0) {
2691 		if (scf_error() == SCF_ERROR_NOT_FOUND)
2692 			return (ENOENT);
2693 		return (scf_error());
2694 	}
2695 	if (scf_property_type(prop, &type) != 0)
2696 		return (scf_error());
2697 	if (type != SCF_TYPE_ASTRING)
2698 		return (EINVAL);
2699 	if ((iter = scf_iter_create(h)) == NULL)
2700 		return (scf_error());
2701 
2702 	if (scf_iter_property_values(iter, prop) != 0) {
2703 		ret = scf_error();
2704 		scf_iter_destroy(iter);
2705 		return (ret);
2706 	}
2707 
2708 	mcp->env_sz = 10;
2709 
2710 	if ((mcp->env = uu_zalloc(sizeof (*mcp->env) * mcp->env_sz)) == NULL) {
2711 		ret = ENOMEM;
2712 		goto out;
2713 	}
2714 
2715 	while ((ret = scf_iter_next_value(iter, val)) == 1) {
2716 		ret = scf_value_get_as_string(val, mcp->vbuf, mcp->vbuf_sz);
2717 		if (ret == -1) {
2718 			ret = scf_error();
2719 			goto out;
2720 		}
2721 
2722 		if ((mcp->env[i] = strdup(mcp->vbuf)) == NULL) {
2723 			ret = ENOMEM;
2724 			goto out;
2725 		}
2726 
2727 		if (++i == mcp->env_sz) {
2728 			char **env;
2729 			mcp->env_sz *= 2;
2730 			env = uu_zalloc(sizeof (*mcp->env) * mcp->env_sz);
2731 			if (env == NULL) {
2732 				ret = ENOMEM;
2733 				goto out;
2734 			}
2735 			(void) memcpy(env, mcp->env,
2736 			    sizeof (*mcp->env) * (mcp->env_sz / 2));
2737 			free(mcp->env);
2738 			mcp->env = env;
2739 		}
2740 	}
2741 
2742 	if (ret == -1)
2743 		ret = scf_error();
2744 
2745 out:
2746 	scf_iter_destroy(iter);
2747 	return (ret);
2748 }
2749 
2750 /*
2751  * Fetch method context information from the repository, allocate and fill
2752  * a method_context structure, return it in *mcpp, and return NULL.
2753  *
2754  * If no method_context is defined, original init context is provided, where
2755  * the working directory is '/', and uid/gid are 0/0.  But if a method_context
2756  * is defined at any level the smf_method(5) method_context defaults are used.
2757  *
2758  * Return an error message structure containing the error message
2759  * with context, and the error so the caller can make a decision
2760  * on what to do next.
2761  *
2762  * Error Types :
2763  * 	E2BIG		Too many values or entry is too big
2764  * 	EINVAL		Invalid value
2765  * 	EIO		an I/O error has occured
2766  * 	ENOENT		no entry for value
2767  * 	ENOMEM		out of memory
2768  * 	ENOTSUP		Version mismatch
2769  * 	ERANGE		value is out of range
2770  * 	EMFILE/ENFILE	out of file descriptors
2771  *
2772  * 	SCF_ERROR_BACKEND_ACCESS
2773  * 	SCF_ERROR_CONNECTION_BROKEN
2774  * 	SCF_ERROR_DELETED
2775  * 	SCF_ERROR_CONSTRAINT_VIOLATED
2776  * 	SCF_ERROR_HANDLE_DESTROYED
2777  * 	SCF_ERROR_INTERNAL
2778  * 	SCF_ERROR_INVALID_ARGUMENT
2779  * 	SCF_ERROR_NO_MEMORY
2780  * 	SCF_ERROR_NO_RESOURCES
2781  * 	SCF_ERROR_NOT_BOUND
2782  * 	SCF_ERROR_NOT_FOUND
2783  * 	SCF_ERROR_NOT_SET
2784  * 	SCF_ERROR_TYPE_MISMATCH
2785  *
2786  */
2787 mc_error_t *
2788 restarter_get_method_context(uint_t version, scf_instance_t *inst,
2789     scf_snapshot_t *snap, const char *mname, const char *cmdline,
2790     struct method_context **mcpp)
2791 {
2792 	scf_handle_t *h;
2793 	scf_propertygroup_t *methpg = NULL;
2794 	scf_propertygroup_t *instpg = NULL;
2795 	scf_propertygroup_t *pg = NULL;
2796 	scf_property_t *prop = NULL;
2797 	scf_value_t *val = NULL;
2798 	scf_type_t ty;
2799 	uint8_t use_profile;
2800 	int ret = 0;
2801 	int mc_used = 0;
2802 	mc_error_t *err = NULL;
2803 	struct method_context *cip;
2804 
2805 	if ((err = malloc(sizeof (mc_error_t))) == NULL)
2806 		return (mc_error_create(NULL, ENOMEM, NULL));
2807 
2808 	/* Set the type to zero to track if an error occured. */
2809 	err->type = 0;
2810 
2811 	if (version != RESTARTER_METHOD_CONTEXT_VERSION)
2812 		return (mc_error_create(err, ENOTSUP,
2813 		    "Invalid client version %d. (Expected %d)",
2814 		    version, RESTARTER_METHOD_CONTEXT_VERSION));
2815 
2816 	/* Get the handle before we allocate anything. */
2817 	h = scf_instance_handle(inst);
2818 	if (h == NULL)
2819 		return (mc_error_create(err, scf_error(),
2820 		    scf_strerror(scf_error())));
2821 
2822 	cip = malloc(sizeof (*cip));
2823 	if (cip == NULL)
2824 		return (mc_error_create(err, ENOMEM, ALLOCFAIL));
2825 
2826 	(void) memset(cip, 0, sizeof (*cip));
2827 	cip->uid = (uid_t)-1;
2828 	cip->euid = (uid_t)-1;
2829 	cip->gid = (gid_t)-1;
2830 	cip->egid = (gid_t)-1;
2831 
2832 	cip->vbuf_sz = scf_limit(SCF_LIMIT_MAX_VALUE_LENGTH);
2833 	assert(cip->vbuf_sz >= 0);
2834 	cip->vbuf = malloc(cip->vbuf_sz);
2835 	if (cip->vbuf == NULL) {
2836 		free(cip);
2837 		return (mc_error_create(err, ENOMEM, ALLOCFAIL));
2838 	}
2839 
2840 	if ((instpg = scf_pg_create(h)) == NULL ||
2841 	    (methpg = scf_pg_create(h)) == NULL ||
2842 	    (prop = scf_property_create(h)) == NULL ||
2843 	    (val = scf_value_create(h)) == NULL) {
2844 		err = mc_error_create(err, scf_error(),
2845 		    "Failed to create repository object: %s\n",
2846 		    scf_strerror(scf_error()));
2847 		goto out;
2848 	}
2849 
2850 	/*
2851 	 * The method environment, and the credentials/profile data,
2852 	 * may be found either in the pg for the method (methpg),
2853 	 * or in the instance/service SCF_PG_METHOD_CONTEXT pg (named
2854 	 * instpg below).
2855 	 */
2856 
2857 	if (scf_instance_get_pg_composed(inst, snap, mname, methpg) !=
2858 	    SCF_SUCCESS) {
2859 		err = mc_error_create(err, scf_error(), "Unable to get the "
2860 		    "\"%s\" method, %s", mname, scf_strerror(scf_error()));
2861 		goto out;
2862 	}
2863 
2864 	if (scf_instance_get_pg_composed(inst, snap, SCF_PG_METHOD_CONTEXT,
2865 	    instpg) != SCF_SUCCESS) {
2866 		if (scf_error() != SCF_ERROR_NOT_FOUND) {
2867 			err = mc_error_create(err, scf_error(),
2868 			    "Unable to retrieve the \"%s\" property group, %s",
2869 			    SCF_PG_METHOD_CONTEXT, scf_strerror(scf_error()));
2870 			goto out;
2871 		}
2872 		scf_pg_destroy(instpg);
2873 		instpg = NULL;
2874 	} else {
2875 		mc_used++;
2876 	}
2877 
2878 	ret = get_environment(h, methpg, cip, prop, val);
2879 	if (ret == ENOENT && instpg != NULL) {
2880 		ret = get_environment(h, instpg, cip, prop, val);
2881 	}
2882 
2883 	switch (ret) {
2884 	case 0:
2885 		mc_used++;
2886 		break;
2887 	case ENOENT:
2888 		break;
2889 	case ENOMEM:
2890 		err = mc_error_create(err, ret, "Out of memory.");
2891 		goto out;
2892 	case EINVAL:
2893 		err = mc_error_create(err, ret, "Invalid method environment.");
2894 		goto out;
2895 	default:
2896 		err = mc_error_create(err, ret,
2897 		    "Get method environment failed : %s\n", scf_strerror(ret));
2898 		goto out;
2899 	}
2900 
2901 	pg = methpg;
2902 
2903 	ret = scf_pg_get_property(pg, SCF_PROPERTY_USE_PROFILE, prop);
2904 	if (ret && scf_error() == SCF_ERROR_NOT_FOUND && instpg != NULL) {
2905 		pg = NULL;
2906 		ret = scf_pg_get_property(instpg, SCF_PROPERTY_USE_PROFILE,
2907 		    prop);
2908 	}
2909 
2910 	if (ret) {
2911 		switch (scf_error()) {
2912 		case SCF_ERROR_NOT_FOUND:
2913 			/* No profile context: use default credentials */
2914 			cip->uid = 0;
2915 			cip->gid = 0;
2916 			break;
2917 
2918 		case SCF_ERROR_CONNECTION_BROKEN:
2919 			err = mc_error_create(err, SCF_ERROR_CONNECTION_BROKEN,
2920 			    RCBROKEN);
2921 			goto out;
2922 
2923 		case SCF_ERROR_DELETED:
2924 			err = mc_error_create(err, SCF_ERROR_NOT_FOUND,
2925 			    "Could not find property group \"%s\"",
2926 			    pg == NULL ? SCF_PG_METHOD_CONTEXT : mname);
2927 			goto out;
2928 
2929 		case SCF_ERROR_HANDLE_MISMATCH:
2930 		case SCF_ERROR_INVALID_ARGUMENT:
2931 		case SCF_ERROR_NOT_SET:
2932 		default:
2933 			bad_fail("scf_pg_get_property", scf_error());
2934 		}
2935 	} else {
2936 		if (scf_property_type(prop, &ty) != SCF_SUCCESS) {
2937 			ret = scf_error();
2938 			switch (ret) {
2939 			case SCF_ERROR_CONNECTION_BROKEN:
2940 				err = mc_error_create(err,
2941 				    SCF_ERROR_CONNECTION_BROKEN, RCBROKEN);
2942 				break;
2943 
2944 			case SCF_ERROR_DELETED:
2945 				err = mc_error_create(err,
2946 				    SCF_ERROR_NOT_FOUND,
2947 				    "Could not find property group \"%s\"",
2948 				    pg == NULL ? SCF_PG_METHOD_CONTEXT : mname);
2949 				break;
2950 
2951 			case SCF_ERROR_NOT_SET:
2952 			default:
2953 				bad_fail("scf_property_type", ret);
2954 			}
2955 
2956 			goto out;
2957 		}
2958 
2959 		if (ty != SCF_TYPE_BOOLEAN) {
2960 			err = mc_error_create(err,
2961 			    SCF_ERROR_TYPE_MISMATCH,
2962 			    "\"%s\" property is not boolean in property group "
2963 			    "\"%s\".", SCF_PROPERTY_USE_PROFILE,
2964 			    pg == NULL ? SCF_PG_METHOD_CONTEXT : mname);
2965 			goto out;
2966 		}
2967 
2968 		if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
2969 			ret = scf_error();
2970 			switch (ret) {
2971 			case SCF_ERROR_CONNECTION_BROKEN:
2972 				err = mc_error_create(err,
2973 				    SCF_ERROR_CONNECTION_BROKEN, RCBROKEN);
2974 				break;
2975 
2976 			case SCF_ERROR_CONSTRAINT_VIOLATED:
2977 				err = mc_error_create(err,
2978 				    SCF_ERROR_CONSTRAINT_VIOLATED,
2979 				    "\"%s\" property has multiple values.",
2980 				    SCF_PROPERTY_USE_PROFILE);
2981 				break;
2982 
2983 			case SCF_ERROR_NOT_FOUND:
2984 				err = mc_error_create(err,
2985 				    SCF_ERROR_NOT_FOUND,
2986 				    "\"%s\" property has no values.",
2987 				    SCF_PROPERTY_USE_PROFILE);
2988 				break;
2989 			default:
2990 				bad_fail("scf_property_get_value", ret);
2991 			}
2992 
2993 			goto out;
2994 		}
2995 
2996 		mc_used++;
2997 		ret = scf_value_get_boolean(val, &use_profile);
2998 		assert(ret == SCF_SUCCESS);
2999 
3000 		/* get ids & privileges */
3001 		if (use_profile)
3002 			err = get_profile(pg, instpg, prop, val, cmdline,
3003 			    cip, err);
3004 		else
3005 			err = get_ids(pg, instpg, prop, val, cip, err);
3006 
3007 		if (err->type != 0)
3008 			goto out;
3009 	}
3010 
3011 	/* get working directory */
3012 	if ((methpg != NULL && scf_pg_get_property(methpg,
3013 	    SCF_PROPERTY_WORKING_DIRECTORY, prop) == SCF_SUCCESS) ||
3014 	    (instpg != NULL && scf_pg_get_property(instpg,
3015 	    SCF_PROPERTY_WORKING_DIRECTORY, prop) == SCF_SUCCESS)) {
3016 		if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
3017 			ret = scf_error();
3018 			switch (ret) {
3019 			case SCF_ERROR_CONNECTION_BROKEN:
3020 				err = mc_error_create(err, ret, RCBROKEN);
3021 				break;
3022 
3023 			case SCF_ERROR_CONSTRAINT_VIOLATED:
3024 				err = mc_error_create(err, ret,
3025 				    "\"%s\" property has multiple values.",
3026 				    SCF_PROPERTY_WORKING_DIRECTORY);
3027 				break;
3028 
3029 			case SCF_ERROR_NOT_FOUND:
3030 				err = mc_error_create(err, ret,
3031 				    "\"%s\" property has no values.",
3032 				    SCF_PROPERTY_WORKING_DIRECTORY);
3033 				break;
3034 
3035 			default:
3036 				bad_fail("scf_property_get_value", ret);
3037 			}
3038 
3039 			goto out;
3040 		}
3041 
3042 		mc_used++;
3043 		ret = scf_value_get_astring(val, cip->vbuf, cip->vbuf_sz);
3044 		assert(ret != -1);
3045 	} else {
3046 		ret = scf_error();
3047 		switch (ret) {
3048 		case SCF_ERROR_NOT_FOUND:
3049 			/* okay if missing. */
3050 			(void) strcpy(cip->vbuf, ":default");
3051 			break;
3052 
3053 		case SCF_ERROR_CONNECTION_BROKEN:
3054 			err = mc_error_create(err, ret, RCBROKEN);
3055 			goto out;
3056 
3057 		case SCF_ERROR_DELETED:
3058 			err = mc_error_create(err, ret,
3059 			    "Property group could not be found");
3060 			goto out;
3061 
3062 		case SCF_ERROR_HANDLE_MISMATCH:
3063 		case SCF_ERROR_INVALID_ARGUMENT:
3064 		case SCF_ERROR_NOT_SET:
3065 		default:
3066 			bad_fail("scf_pg_get_property", ret);
3067 		}
3068 	}
3069 
3070 	if (strcmp(cip->vbuf, ":default") == 0 ||
3071 	    strcmp(cip->vbuf, ":home") == 0) {
3072 		switch (ret = lookup_pwd(cip)) {
3073 		case 0:
3074 			break;
3075 
3076 		case ENOMEM:
3077 			err = mc_error_create(err, ret, "Out of memory.");
3078 			goto out;
3079 
3080 		case ENOENT:
3081 		case EIO:
3082 		case EMFILE:
3083 		case ENFILE:
3084 			err = mc_error_create(err, ret,
3085 			    "Could not get passwd entry.");
3086 			goto out;
3087 
3088 		default:
3089 			bad_fail("lookup_pwd", ret);
3090 		}
3091 
3092 		cip->working_dir = strdup(cip->pwd.pw_dir);
3093 		if (cip->working_dir == NULL) {
3094 			err = mc_error_create(err, ENOMEM, ALLOCFAIL);
3095 			goto out;
3096 		}
3097 	} else {
3098 		cip->working_dir = strdup(cip->vbuf);
3099 		if (cip->working_dir == NULL) {
3100 			err = mc_error_create(err, ENOMEM, ALLOCFAIL);
3101 			goto out;
3102 		}
3103 	}
3104 
3105 	/* get (optional) corefile pattern */
3106 	if ((methpg != NULL && scf_pg_get_property(methpg,
3107 	    SCF_PROPERTY_COREFILE_PATTERN, prop) == SCF_SUCCESS) ||
3108 	    (instpg != NULL && scf_pg_get_property(instpg,
3109 	    SCF_PROPERTY_COREFILE_PATTERN, prop) == SCF_SUCCESS)) {
3110 		if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
3111 			ret = scf_error();
3112 			switch (ret) {
3113 			case SCF_ERROR_CONNECTION_BROKEN:
3114 				err = mc_error_create(err, ret, RCBROKEN);
3115 				break;
3116 
3117 			case SCF_ERROR_CONSTRAINT_VIOLATED:
3118 				err = mc_error_create(err, ret,
3119 				    "\"%s\" property has multiple values.",
3120 				    SCF_PROPERTY_COREFILE_PATTERN);
3121 				break;
3122 
3123 			case SCF_ERROR_NOT_FOUND:
3124 				err = mc_error_create(err, ret,
3125 				    "\"%s\" property has no values.",
3126 				    SCF_PROPERTY_COREFILE_PATTERN);
3127 				break;
3128 
3129 			default:
3130 				bad_fail("scf_property_get_value", ret);
3131 			}
3132 
3133 		} else {
3134 
3135 			ret = scf_value_get_astring(val, cip->vbuf,
3136 			    cip->vbuf_sz);
3137 			assert(ret != -1);
3138 
3139 			cip->corefile_pattern = strdup(cip->vbuf);
3140 			if (cip->corefile_pattern == NULL) {
3141 				err = mc_error_create(err, ENOMEM, ALLOCFAIL);
3142 				goto out;
3143 			}
3144 		}
3145 
3146 		mc_used++;
3147 	} else {
3148 		ret = scf_error();
3149 		switch (ret) {
3150 		case SCF_ERROR_NOT_FOUND:
3151 			/* okay if missing. */
3152 			break;
3153 
3154 		case SCF_ERROR_CONNECTION_BROKEN:
3155 			err = mc_error_create(err, ret, RCBROKEN);
3156 			goto out;
3157 
3158 		case SCF_ERROR_DELETED:
3159 			err = mc_error_create(err, ret,
3160 			    "Property group could not be found");
3161 			goto out;
3162 
3163 		case SCF_ERROR_HANDLE_MISMATCH:
3164 		case SCF_ERROR_INVALID_ARGUMENT:
3165 		case SCF_ERROR_NOT_SET:
3166 		default:
3167 			bad_fail("scf_pg_get_property", ret);
3168 		}
3169 	}
3170 
3171 	if (restarter_rm_libs_loadable()) {
3172 		/* get project */
3173 		if ((methpg != NULL && scf_pg_get_property(methpg,
3174 		    SCF_PROPERTY_PROJECT, prop) == SCF_SUCCESS) ||
3175 		    (instpg != NULL && scf_pg_get_property(instpg,
3176 		    SCF_PROPERTY_PROJECT, prop) == SCF_SUCCESS)) {
3177 			if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
3178 				ret = scf_error();
3179 				switch (ret) {
3180 				case SCF_ERROR_CONNECTION_BROKEN:
3181 					err = mc_error_create(err, ret,
3182 					    RCBROKEN);
3183 					break;
3184 
3185 				case SCF_ERROR_CONSTRAINT_VIOLATED:
3186 					err = mc_error_create(err, ret,
3187 					    "\"%s\" property has multiple "
3188 					    "values.", SCF_PROPERTY_PROJECT);
3189 					break;
3190 
3191 				case SCF_ERROR_NOT_FOUND:
3192 					err = mc_error_create(err, ret,
3193 					    "\"%s\" property has no values.",
3194 					    SCF_PROPERTY_PROJECT);
3195 					break;
3196 
3197 				default:
3198 					bad_fail("scf_property_get_value", ret);
3199 				}
3200 
3201 				(void) strcpy(cip->vbuf, ":default");
3202 			} else {
3203 				ret = scf_value_get_astring(val, cip->vbuf,
3204 				    cip->vbuf_sz);
3205 				assert(ret != -1);
3206 			}
3207 
3208 			mc_used++;
3209 		} else {
3210 			(void) strcpy(cip->vbuf, ":default");
3211 		}
3212 
3213 		switch (ret = get_projid(cip->vbuf, cip)) {
3214 		case 0:
3215 			break;
3216 
3217 		case ENOMEM:
3218 			err = mc_error_create(err, ret, "Out of memory.");
3219 			goto out;
3220 
3221 		case ENOENT:
3222 			err = mc_error_create(err, ret,
3223 			    "Missing passwd or project entry for \"%s\".",
3224 			    cip->vbuf);
3225 			goto out;
3226 
3227 		case EIO:
3228 			err = mc_error_create(err, ret, "I/O error.");
3229 			goto out;
3230 
3231 		case EMFILE:
3232 		case ENFILE:
3233 			err = mc_error_create(err, ret,
3234 			    "Out of file descriptors.");
3235 			goto out;
3236 
3237 		case -1:
3238 			err = mc_error_create(err, ret,
3239 			    "Name service switch is misconfigured.");
3240 			goto out;
3241 
3242 		case ERANGE:
3243 		case E2BIG:
3244 			err = mc_error_create(err, ret,
3245 			    "Project ID \"%s\" too big.", cip->vbuf);
3246 			goto out;
3247 
3248 		case EINVAL:
3249 			err = mc_error_create(err, ret,
3250 			    "Project ID \"%s\" is invalid.", cip->vbuf);
3251 			goto out;
3252 
3253 		default:
3254 			bad_fail("get_projid", ret);
3255 		}
3256 
3257 		/* get resource pool */
3258 		if ((methpg != NULL && scf_pg_get_property(methpg,
3259 		    SCF_PROPERTY_RESOURCE_POOL, prop) == SCF_SUCCESS) ||
3260 		    (instpg != NULL && scf_pg_get_property(instpg,
3261 		    SCF_PROPERTY_RESOURCE_POOL, prop) == SCF_SUCCESS)) {
3262 			if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
3263 				ret = scf_error();
3264 				switch (ret) {
3265 				case SCF_ERROR_CONNECTION_BROKEN:
3266 					err = mc_error_create(err, ret,
3267 					    RCBROKEN);
3268 					break;
3269 
3270 				case SCF_ERROR_CONSTRAINT_VIOLATED:
3271 					err = mc_error_create(err, ret,
3272 					    "\"%s\" property has multiple "
3273 					    "values.",
3274 					    SCF_PROPERTY_RESOURCE_POOL);
3275 					break;
3276 
3277 				case SCF_ERROR_NOT_FOUND:
3278 					err = mc_error_create(err, ret,
3279 					    "\"%s\" property has no "
3280 					    "values.",
3281 					    SCF_PROPERTY_RESOURCE_POOL);
3282 					break;
3283 
3284 				default:
3285 					bad_fail("scf_property_get_value", ret);
3286 				}
3287 
3288 				(void) strcpy(cip->vbuf, ":default");
3289 			} else {
3290 				ret = scf_value_get_astring(val, cip->vbuf,
3291 				    cip->vbuf_sz);
3292 				assert(ret != -1);
3293 			}
3294 
3295 			mc_used++;
3296 		} else {
3297 			ret = scf_error();
3298 			switch (ret) {
3299 			case SCF_ERROR_NOT_FOUND:
3300 				/* okay if missing. */
3301 				(void) strcpy(cip->vbuf, ":default");
3302 				break;
3303 
3304 			case SCF_ERROR_CONNECTION_BROKEN:
3305 				err = mc_error_create(err, ret, RCBROKEN);
3306 				goto out;
3307 
3308 			case SCF_ERROR_DELETED:
3309 				err = mc_error_create(err, ret,
3310 				    "property group could not be found.");
3311 				goto out;
3312 
3313 			case SCF_ERROR_HANDLE_MISMATCH:
3314 			case SCF_ERROR_INVALID_ARGUMENT:
3315 			case SCF_ERROR_NOT_SET:
3316 			default:
3317 				bad_fail("scf_pg_get_property", ret);
3318 			}
3319 		}
3320 
3321 		if (strcmp(cip->vbuf, ":default") != 0) {
3322 			cip->resource_pool = strdup(cip->vbuf);
3323 			if (cip->resource_pool == NULL) {
3324 				err = mc_error_create(err, ENOMEM, ALLOCFAIL);
3325 				goto out;
3326 			}
3327 		}
3328 	}
3329 
3330 	/*
3331 	 * A method_context was not used for any configurable
3332 	 * elements or attributes, so reset and use the simple
3333 	 * defaults that provide historic init behavior.
3334 	 */
3335 	if (mc_used == 0) {
3336 		(void) memset(cip, 0, sizeof (*cip));
3337 		cip->uid = 0;
3338 		cip->gid = 0;
3339 		cip->euid = (uid_t)-1;
3340 		cip->egid = (gid_t)-1;
3341 	}
3342 
3343 	*mcpp = cip;
3344 
3345 out:
3346 	(void) scf_value_destroy(val);
3347 	scf_property_destroy(prop);
3348 	scf_pg_destroy(instpg);
3349 	scf_pg_destroy(methpg);
3350 
3351 	if (cip->pwbuf != NULL)
3352 		free(cip->pwbuf);
3353 	free(cip->vbuf);
3354 
3355 	if (err->type != 0) {
3356 		restarter_free_method_context(cip);
3357 	} else {
3358 		restarter_mc_error_destroy(err);
3359 		err = NULL;
3360 	}
3361 
3362 	return (err);
3363 }
3364 
3365 /*
3366  * Modify the current process per the given method_context.  On success, returns
3367  * 0.  Note that the environment is not modified by this function to include the
3368  * environment variables in cip->env.
3369  *
3370  * On failure, sets *fp to NULL or the name of the function which failed,
3371  * and returns one of the following error codes.  The words in parentheses are
3372  * the values to which *fp may be set for the error case.
3373  *   ENOMEM - malloc() failed
3374  *   EIO - an I/O error occurred (getpwuid_r, chdir)
3375  *   EMFILE - process is out of file descriptors (getpwuid_r)
3376  *   ENFILE - system is out of file handles (getpwuid_r)
3377  *   EINVAL - gid or egid is out of range (setregid)
3378  *	      ngroups is too big (setgroups)
3379  *	      project's project id is bad (setproject)
3380  *	      uid or euid is out of range (setreuid)
3381  *	      poolname is invalid (pool_set_binding)
3382  *   EPERM - insufficient privilege (setregid, initgroups, setgroups, setppriv,
3383  *	         setproject, setreuid, settaskid)
3384  *   ENOENT - uid has a passwd entry but no shadow entry
3385  *	      working_dir does not exist (chdir)
3386  *	      uid has no passwd entry
3387  *	      the pool could not be found (pool_set_binding)
3388  *   EFAULT - lpriv_set or priv_set has a bad address (setppriv)
3389  *	      working_dir has a bad address (chdir)
3390  *   EACCES - could not access working_dir (chdir)
3391  *	      in a TASK_FINAL task (setproject, settaskid)
3392  *	      no resource pool accepting default binding exists (setproject)
3393  *   ELOOP - too many symbolic links in working_dir (chdir)
3394  *   ENAMETOOLONG - working_dir is too long (chdir)
3395  *   ENOLINK - working_dir is on an inaccessible remote machine (chdir)
3396  *   ENOTDIR - working_dir is not a directory (chdir)
3397  *   ESRCH - uid is not a user of project (setproject)
3398  *	     project is invalid (setproject)
3399  *	     the resource pool specified for project is unknown (setproject)
3400  *   EBADF - the configuration for the pool is invalid (pool_set_binding)
3401  *   -1 - core_set_process_path() failed (core_set_process_path)
3402  *	  a resource control assignment failed (setproject)
3403  *	  a system error occurred during pool_set_binding (pool_set_binding)
3404  */
3405 int
3406 restarter_set_method_context(struct method_context *cip, const char **fp)
3407 {
3408 	pid_t mypid = -1;
3409 	int r, ret;
3410 
3411 	cip->pwbuf = NULL;
3412 	*fp = NULL;
3413 
3414 	if (cip->gid != (gid_t)-1) {
3415 		if (setregid(cip->gid,
3416 		    cip->egid != (gid_t)-1 ? cip->egid : cip->gid) != 0) {
3417 			*fp = "setregid";
3418 
3419 			ret = errno;
3420 			assert(ret == EINVAL || ret == EPERM);
3421 			goto out;
3422 		}
3423 	} else {
3424 		if (cip->pwbuf == NULL) {
3425 			switch (ret = lookup_pwd(cip)) {
3426 			case 0:
3427 				break;
3428 
3429 			case ENOMEM:
3430 			case ENOENT:
3431 				*fp = NULL;
3432 				goto out;
3433 
3434 			case EIO:
3435 			case EMFILE:
3436 			case ENFILE:
3437 				*fp = "getpwuid_r";
3438 				goto out;
3439 
3440 			default:
3441 				bad_fail("lookup_pwd", ret);
3442 			}
3443 		}
3444 
3445 		if (setregid(cip->pwd.pw_gid,
3446 		    cip->egid != (gid_t)-1 ?
3447 		    cip->egid : cip->pwd.pw_gid) != 0) {
3448 			*fp = "setregid";
3449 
3450 			ret = errno;
3451 			assert(ret == EINVAL || ret == EPERM);
3452 			goto out;
3453 		}
3454 	}
3455 
3456 	if (cip->ngroups == -1) {
3457 		if (cip->pwbuf == NULL) {
3458 			switch (ret = lookup_pwd(cip)) {
3459 			case 0:
3460 				break;
3461 
3462 			case ENOMEM:
3463 			case ENOENT:
3464 				*fp = NULL;
3465 				goto out;
3466 
3467 			case EIO:
3468 			case EMFILE:
3469 			case ENFILE:
3470 				*fp = "getpwuid_r";
3471 				goto out;
3472 
3473 			default:
3474 				bad_fail("lookup_pwd", ret);
3475 			}
3476 		}
3477 
3478 		/* Ok if cip->gid == -1 */
3479 		if (initgroups(cip->pwd.pw_name, cip->gid) != 0) {
3480 			*fp = "initgroups";
3481 			ret = errno;
3482 			assert(ret == EPERM);
3483 			goto out;
3484 		}
3485 	} else if (cip->ngroups > 0 &&
3486 	    setgroups(cip->ngroups, cip->groups) != 0) {
3487 		*fp = "setgroups";
3488 
3489 		ret = errno;
3490 		assert(ret == EINVAL || ret == EPERM);
3491 		goto out;
3492 	}
3493 
3494 	if (cip->corefile_pattern != NULL) {
3495 		mypid = getpid();
3496 
3497 		if (core_set_process_path(cip->corefile_pattern,
3498 		    strlen(cip->corefile_pattern) + 1, mypid) != 0) {
3499 			*fp = "core_set_process_path";
3500 			ret = -1;
3501 			goto out;
3502 		}
3503 	}
3504 
3505 	if (restarter_rm_libs_loadable()) {
3506 		if (cip->project == NULL) {
3507 			if (settaskid(getprojid(), TASK_NORMAL) == -1) {
3508 				switch (errno) {
3509 				case EACCES:
3510 				case EPERM:
3511 					*fp = "settaskid";
3512 					ret = errno;
3513 					goto out;
3514 
3515 				case EINVAL:
3516 				default:
3517 					bad_fail("settaskid", errno);
3518 				}
3519 			}
3520 		} else {
3521 			switch (ret = lookup_pwd(cip)) {
3522 			case 0:
3523 				break;
3524 
3525 			case ENOMEM:
3526 			case ENOENT:
3527 				*fp = NULL;
3528 				goto out;
3529 
3530 			case EIO:
3531 			case EMFILE:
3532 			case ENFILE:
3533 				*fp = "getpwuid_r";
3534 				goto out;
3535 
3536 			default:
3537 				bad_fail("lookup_pwd", ret);
3538 			}
3539 
3540 			*fp = "setproject";
3541 
3542 			switch (setproject(cip->project, cip->pwd.pw_name,
3543 			    TASK_NORMAL)) {
3544 			case 0:
3545 				break;
3546 
3547 			case SETPROJ_ERR_TASK:
3548 			case SETPROJ_ERR_POOL:
3549 				ret = errno;
3550 				goto out;
3551 
3552 			default:
3553 				ret = -1;
3554 				goto out;
3555 			}
3556 		}
3557 
3558 		if (cip->resource_pool != NULL) {
3559 			if (mypid == -1)
3560 				mypid = getpid();
3561 
3562 			*fp = "pool_set_binding";
3563 
3564 			if (pool_set_binding(cip->resource_pool, P_PID,
3565 			    mypid) != PO_SUCCESS) {
3566 				switch (pool_error()) {
3567 				case POE_INVALID_SEARCH:
3568 					ret = ENOENT;
3569 					break;
3570 
3571 				case POE_BADPARAM:
3572 					ret = EINVAL;
3573 					break;
3574 
3575 				case POE_INVALID_CONF:
3576 					ret = EBADF;
3577 					break;
3578 
3579 				case POE_SYSTEM:
3580 					ret = -1;
3581 					break;
3582 
3583 				default:
3584 					bad_fail("pool_set_binding",
3585 					    pool_error());
3586 				}
3587 
3588 				goto out;
3589 			}
3590 		}
3591 	}
3592 
3593 	/*
3594 	 * Now, we have to assume our ID. If the UID is 0, we want it to be
3595 	 * privilege-aware, otherwise the limit set gets used instead of E/P.
3596 	 * We can do this by setting P as well, which keeps
3597 	 * PA status (see priv_can_clear_PA()).
3598 	 */
3599 
3600 	*fp = "setppriv";
3601 
3602 	if (cip->lpriv_set != NULL) {
3603 		if (setppriv(PRIV_SET, PRIV_LIMIT, cip->lpriv_set) != 0) {
3604 			ret = errno;
3605 			assert(ret == EFAULT || ret == EPERM);
3606 			goto out;
3607 		}
3608 	}
3609 	if (cip->priv_set != NULL) {
3610 		if (setppriv(PRIV_SET, PRIV_INHERITABLE, cip->priv_set) != 0) {
3611 			ret = errno;
3612 			assert(ret == EFAULT || ret == EPERM);
3613 			goto out;
3614 		}
3615 	}
3616 
3617 	/*
3618 	 * If the limit privset is already set, then must be privilege
3619 	 * aware.  Otherwise, don't assume anything, and force privilege
3620 	 * aware status.
3621 	 */
3622 
3623 	if (cip->lpriv_set == NULL && cip->priv_set != NULL) {
3624 		ret = setpflags(PRIV_AWARE, 1);
3625 		assert(ret == 0);
3626 	}
3627 
3628 	*fp = "setreuid";
3629 	if (setreuid(cip->uid,
3630 	    cip->euid != (uid_t)-1 ? cip->euid : cip->uid) != 0) {
3631 		ret = errno;
3632 		assert(ret == EINVAL || ret == EPERM);
3633 		goto out;
3634 	}
3635 
3636 	*fp = "setppriv";
3637 	if (cip->priv_set != NULL) {
3638 		if (setppriv(PRIV_SET, PRIV_PERMITTED, cip->priv_set) != 0) {
3639 			ret = errno;
3640 			assert(ret == EFAULT || ret == EPERM);
3641 			goto out;
3642 		}
3643 	}
3644 
3645 	/*
3646 	 * The last thing to do is chdir to the specified working directory.
3647 	 * This should come after the uid switching as only the user might
3648 	 * have access to the specified directory.
3649 	 */
3650 	if (cip->working_dir != NULL) {
3651 		do {
3652 			r = chdir(cip->working_dir);
3653 		} while (r != 0 && errno == EINTR);
3654 		if (r != 0) {
3655 			*fp = "chdir";
3656 			ret = errno;
3657 			goto out;
3658 		}
3659 	}
3660 
3661 	ret = 0;
3662 out:
3663 	free(cip->pwbuf);
3664 	cip->pwbuf = NULL;
3665 	return (ret);
3666 }
3667 
3668 void
3669 restarter_free_method_context(struct method_context *mcp)
3670 {
3671 	size_t i;
3672 
3673 	if (mcp->lpriv_set != NULL)
3674 		priv_freeset(mcp->lpriv_set);
3675 	if (mcp->priv_set != NULL)
3676 		priv_freeset(mcp->priv_set);
3677 
3678 	if (mcp->env != NULL) {
3679 		for (i = 0; i < mcp->env_sz; i++)
3680 			free(mcp->env[i]);
3681 		free(mcp->env);
3682 	}
3683 
3684 	free(mcp->working_dir);
3685 	free(mcp->corefile_pattern);
3686 	free(mcp->project);
3687 	free(mcp->resource_pool);
3688 	free(mcp);
3689 }
3690 
3691 /*
3692  * Method keyword functions
3693  */
3694 
3695 int
3696 restarter_is_null_method(const char *meth)
3697 {
3698 	return (strcmp(meth, MKW_TRUE) == 0);
3699 }
3700 
3701 static int
3702 is_kill_method(const char *method, const char *kill_str,
3703     size_t kill_str_len)
3704 {
3705 	const char *cp;
3706 	int sig;
3707 
3708 	if (strncmp(method, kill_str, kill_str_len) != 0 ||
3709 	    (method[kill_str_len] != '\0' &&
3710 	    !isspace(method[kill_str_len])))
3711 		return (-1);
3712 
3713 	cp = method + kill_str_len;
3714 	while (*cp != '\0' && isspace(*cp))
3715 		++cp;
3716 
3717 	if (*cp == '\0')
3718 		return (SIGTERM);
3719 
3720 	if (*cp != '-')
3721 		return (-1);
3722 
3723 	return (str2sig(cp + 1, &sig) == 0 ? sig : -1);
3724 }
3725 
3726 int
3727 restarter_is_kill_proc_method(const char *method)
3728 {
3729 	return (is_kill_method(method, MKW_KILL_PROC,
3730 	    sizeof (MKW_KILL_PROC) - 1));
3731 }
3732 
3733 int
3734 restarter_is_kill_method(const char *method)
3735 {
3736 	return (is_kill_method(method, MKW_KILL, sizeof (MKW_KILL) - 1));
3737 }
3738 
3739 /*
3740  * Stubs for now.
3741  */
3742 
3743 /* ARGSUSED */
3744 int
3745 restarter_event_get_enabled(restarter_event_t *e)
3746 {
3747 	return (-1);
3748 }
3749 
3750 /* ARGSUSED */
3751 uint64_t
3752 restarter_event_get_seq(restarter_event_t *e)
3753 {
3754 	return (-1);
3755 }
3756 
3757 /* ARGSUSED */
3758 void
3759 restarter_event_get_time(restarter_event_t *e, hrtime_t *time)
3760 {
3761 }
3762 
3763 /*
3764  * Check for and validate fmri specified in restarter_actions/auxiliary_fmri
3765  * 0 - Success
3766  * 1 - Failure
3767  */
3768 int
3769 restarter_inst_validate_ractions_aux_fmri(scf_instance_t *inst)
3770 {
3771 	scf_handle_t *h;
3772 	scf_propertygroup_t *pg;
3773 	scf_property_t *prop;
3774 	scf_value_t *val;
3775 	char *aux_fmri;
3776 	size_t size = scf_limit(SCF_LIMIT_MAX_VALUE_LENGTH);
3777 	int ret = 1;
3778 
3779 	if ((aux_fmri = malloc(size)) == NULL)
3780 		return (1);
3781 
3782 	h = scf_instance_handle(inst);
3783 
3784 	pg = scf_pg_create(h);
3785 	prop = scf_property_create(h);
3786 	val = scf_value_create(h);
3787 	if (pg == NULL || prop == NULL || val == NULL)
3788 		goto out;
3789 
3790 	if (instance_get_or_add_pg(inst, SCF_PG_RESTARTER_ACTIONS,
3791 	    SCF_PG_RESTARTER_ACTIONS_TYPE, SCF_PG_RESTARTER_ACTIONS_FLAGS,
3792 	    pg) != SCF_SUCCESS)
3793 		goto out;
3794 
3795 	if (get_astring_val(pg, SCF_PROPERTY_AUX_FMRI, aux_fmri, size,
3796 	    prop, val) != SCF_SUCCESS)
3797 		goto out;
3798 
3799 	if (scf_parse_fmri(aux_fmri, NULL, NULL, NULL, NULL, NULL,
3800 	    NULL) != SCF_SUCCESS)
3801 		goto out;
3802 
3803 	ret = 0;
3804 
3805 out:
3806 	free(aux_fmri);
3807 	scf_value_destroy(val);
3808 	scf_property_destroy(prop);
3809 	scf_pg_destroy(pg);
3810 	return (ret);
3811 }
3812 
3813 /*
3814  * Get instance's boolean value in restarter_actions/auxiliary_tty
3815  * Return -1 on failure
3816  */
3817 int
3818 restarter_inst_ractions_from_tty(scf_instance_t *inst)
3819 {
3820 	scf_handle_t *h;
3821 	scf_propertygroup_t *pg;
3822 	scf_property_t *prop;
3823 	scf_value_t *val;
3824 	uint8_t	has_tty;
3825 	int ret = -1;
3826 
3827 	h = scf_instance_handle(inst);
3828 	pg = scf_pg_create(h);
3829 	prop = scf_property_create(h);
3830 	val = scf_value_create(h);
3831 	if (pg == NULL || prop == NULL || val == NULL)
3832 		goto out;
3833 
3834 	if (instance_get_or_add_pg(inst, SCF_PG_RESTARTER_ACTIONS,
3835 	    SCF_PG_RESTARTER_ACTIONS_TYPE, SCF_PG_RESTARTER_ACTIONS_FLAGS,
3836 	    pg) != SCF_SUCCESS)
3837 		goto out;
3838 
3839 	if (get_boolean_val(pg, SCF_PROPERTY_AUX_TTY, &has_tty, prop,
3840 	    val) != SCF_SUCCESS)
3841 		goto out;
3842 
3843 	ret = has_tty;
3844 
3845 out:
3846 	scf_value_destroy(val);
3847 	scf_property_destroy(prop);
3848 	scf_pg_destroy(pg);
3849 	return (ret);
3850 }
3851 
3852 static int
3853 restarter_inst_set_astring_prop(scf_instance_t *inst, const char *pgname,
3854     const char *pgtype, uint32_t pgflags, const char *pname, const char *str)
3855 {
3856 	scf_handle_t *h;
3857 	scf_propertygroup_t *pg;
3858 	scf_transaction_t *t;
3859 	scf_transaction_entry_t *e;
3860 	scf_value_t *v;
3861 	int ret = 1, r;
3862 
3863 	h = scf_instance_handle(inst);
3864 
3865 	pg = scf_pg_create(h);
3866 	t = scf_transaction_create(h);
3867 	e = scf_entry_create(h);
3868 	v = scf_value_create(h);
3869 	if (pg == NULL || t == NULL || e == NULL || v == NULL)
3870 		goto out;
3871 
3872 	if (instance_get_or_add_pg(inst, pgname, pgtype, pgflags, pg))
3873 		goto out;
3874 
3875 	if (scf_value_set_astring(v, str) != SCF_SUCCESS)
3876 		goto out;
3877 
3878 	for (;;) {
3879 		if (scf_transaction_start(t, pg) != 0)
3880 			goto out;
3881 
3882 		if (tx_set_value(t, e, pname, SCF_TYPE_ASTRING, v) != 0)
3883 			goto out;
3884 
3885 		if ((r = scf_transaction_commit(t)) == 1)
3886 			break;
3887 
3888 		if (r == -1)
3889 			goto out;
3890 
3891 		scf_transaction_reset(t);
3892 		if (scf_pg_update(pg) == -1)
3893 			goto out;
3894 	}
3895 	ret = 0;
3896 
3897 out:
3898 	scf_transaction_destroy(t);
3899 	scf_entry_destroy(e);
3900 	scf_value_destroy(v);
3901 	scf_pg_destroy(pg);
3902 
3903 	return (ret);
3904 }
3905 
3906 int
3907 restarter_inst_set_aux_fmri(scf_instance_t *inst)
3908 {
3909 	scf_handle_t *h;
3910 	scf_propertygroup_t *pg;
3911 	scf_property_t *prop;
3912 	scf_value_t *val;
3913 	char *aux_fmri;
3914 	size_t size = scf_limit(SCF_LIMIT_MAX_VALUE_LENGTH);
3915 	int ret = 1;
3916 
3917 	if ((aux_fmri = malloc(size)) == NULL)
3918 		return (1);
3919 
3920 	h = scf_instance_handle(inst);
3921 
3922 	pg = scf_pg_create(h);
3923 	prop = scf_property_create(h);
3924 	val = scf_value_create(h);
3925 	if (pg == NULL || prop == NULL || val == NULL)
3926 		goto out;
3927 
3928 	/*
3929 	 * Get auxiliary_fmri value from restarter_actions pg
3930 	 */
3931 	if (instance_get_or_add_pg(inst, SCF_PG_RESTARTER_ACTIONS,
3932 	    SCF_PG_RESTARTER_ACTIONS_TYPE, SCF_PG_RESTARTER_ACTIONS_FLAGS,
3933 	    pg) != SCF_SUCCESS)
3934 		goto out;
3935 
3936 	if (get_astring_val(pg, SCF_PROPERTY_AUX_FMRI, aux_fmri, size,
3937 	    prop, val) != SCF_SUCCESS)
3938 		goto out;
3939 
3940 	/*
3941 	 * Populate restarter/auxiliary_fmri with the obtained fmri.
3942 	 */
3943 	ret = restarter_inst_set_astring_prop(inst, SCF_PG_RESTARTER,
3944 	    SCF_PG_RESTARTER_TYPE, SCF_PG_RESTARTER_FLAGS,
3945 	    SCF_PROPERTY_AUX_FMRI, aux_fmri);
3946 
3947 out:
3948 	free(aux_fmri);
3949 	scf_value_destroy(val);
3950 	scf_property_destroy(prop);
3951 	scf_pg_destroy(pg);
3952 	return (ret);
3953 }
3954 
3955 int
3956 restarter_inst_reset_aux_fmri(scf_instance_t *inst)
3957 {
3958 	return (scf_instance_delete_prop(inst,
3959 	    SCF_PG_RESTARTER, SCF_PROPERTY_AUX_FMRI));
3960 }
3961 
3962 int
3963 restarter_inst_reset_ractions_aux_fmri(scf_instance_t *inst)
3964 {
3965 	return (scf_instance_delete_prop(inst,
3966 	    SCF_PG_RESTARTER_ACTIONS, SCF_PROPERTY_AUX_FMRI));
3967 }
3968