xref: /illumos-gate/usr/src/cmd/init/init.c (revision 7c478bd9)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
/*	  All Rights Reserved  	*/

/*
 * University Copyright- Copyright (c) 1982, 1986, 1988
 * The Regents of the University of California
 * All Rights Reserved
 *
 * University Acknowledgment- Portions of this document are derived from
 * software developed by the University of California, Berkeley, and its
 * contributors.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

/*
 * init(1M) is the general process spawning program.  Its primary job is to
 * start and restart svc.startd for smf(5).  For backwards-compatibility it also
 * spawns and respawns processes according to /etc/inittab and the current
 * run-level.  It reads /etc/default/inittab for general configuration.
 *
 * To change run-levels the system administrator runs init from the command
 * line with a level name.  init signals svc.startd via libscf and directs the
 * zone's init (pid 1 in the global zone) what to do by sending it a signal;
 * these signal numbers are commonly refered to in the code as 'states'.  Valid
 * run-levels are [sS0123456].  Additionally, init can be given directives
 * [qQabc], which indicate actions to be taken pertaining to /etc/inittab.
 *
 * When init processes inittab entries, it finds processes that are to be
 * spawned at various run-levels.  inittab contains the set of the levels for
 * which each inittab entry is valid.
 *
 * State File and Restartability
 *   Premature exit by init(1M) is handled as a special case by the kernel:
 *   init(1M) will be immediately re-executed, retaining its original PID.  (PID
 *   1 in the global zone.)  To track the processes it has previously spawned,
 *   as well as other mutable state, init(1M) regularly updates a state file
 *   such that its subsequent invocations have knowledge of its various
 *   dependent processes and duties.
 *
 * Process Contracts
 *   We start svc.startd(1M) in a contract and transfer inherited contracts when
 *   restarting it.  Everything else is started using the legacy contract
 *   template, and the created contracts are abandoned when they become empty.
 *
 * utmpx Entry Handling
 *   Because init(1M) no longer governs the startup process, its knowledge of
 *   when utmpx becomes writable is indirect.  However, spawned processes
 *   expect to be constructed with valid utmpx entries.  As a result, attempts
 *   to write normal entries will be retried until successful.
 *
 * Maintenance Mode
 *   In certain failure scenarios, init(1M) will enter a maintenance mode, in
 *   which it invokes sulogin(1M) to allow the operator an opportunity to
 *   repair the system.  Normally, this operation is performed as a
 *   fork(2)-exec(2)-waitpid(3C) sequence with the parent waiting for repair or
 *   diagnosis to be completed.  In the cases that fork(2) requests themselves
 *   fail, init(1M) will directly execute sulogin(1M), and allow the kernel to
 *   restart init(1M) on exit from the operator session.
 *
 *   One scenario where init(1M) enters its maintenance mode is when
 *   svc.startd(1M) begins to fail rapidly, defined as when the average time
 *   between recent failures drops below a given threshold.
 */

#include <sys/contract/process.h>
#include <sys/ctfs.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/stropts.h>
#include <sys/systeminfo.h>
#include <sys/time.h>
#include <sys/termios.h>
#include <sys/tty.h>
#include <sys/types.h>
#include <sys/utsname.h>

#include <bsm/adt_event.h>
#include <bsm/libbsm.h>
#include <security/pam_appl.h>

#include <assert.h>
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <libcontract.h>
#include <libcontract_priv.h>
#include <libintl.h>
#include <libscf.h>
#include <libscf_priv.h>
#include <poll.h>
#include <procfs.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdio_ext.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <syslog.h>
#include <time.h>
#include <ulimit.h>
#include <unistd.h>
#include <utmpx.h>
#include <wait.h>
#include <zone.h>
#include <ucontext.h>

#undef	sleep

#define	fioctl(p, sptr, cmd)	ioctl(fileno(p), sptr, cmd)
#define	min(a, b)		(((a) < (b)) ? (a) : (b))

#define	TRUE	1
#define	FALSE	0
#define	FAILURE	-1

#define	UT_LINE_SZ	32	/* Size of a utmpx ut_line field */

/*
 * SLEEPTIME	The number of seconds "init" sleeps between wakeups if
 *		nothing else requires this "init" wakeup.
 */
#define	SLEEPTIME	(5 * 60)

/*
 * MAXCMDL	The maximum length of a command string in inittab.
 */
#define	MAXCMDL	512

/*
 * EXEC		The length of the prefix string added to all comamnds
 *		found in inittab.
 */
#define	EXEC	(sizeof ("exec ") - 1)

/*
 * TWARN	The amount of time between warning signal, SIGTERM,
 *		and the fatal kill signal, SIGKILL.
 */
#define	TWARN	5

#define	id_eq(x, y)	((x[0] == y[0] && x[1] == y[1] && x[2] == y[2] &&\
			x[3] == y[3]) ? TRUE : FALSE)

/*
 * The kernel's default umask is 022 these days; since some processes inherit
 * their umask from init, init will set it from CMASK in /etc/default/init.
 * init gets the default umask from the kernel, it sets it to 022 whenever
 * it wants to create a file and reverts to CMASK afterwards.
 */

static int cmask;

/*
 * The following definitions, concluding with the 'lvls' array, provide a
 * common mapping between level-name (like 'S'), signal number (state),
 * run-level mask, and specific properties associated with a run-level.
 * This array should be accessed using the routines lvlname_to_state(),
 * lvlname_to_mask(), state_to_mask(), and state_to_flags().
 */

/*
 * Correspondence of signals to init actions.
 */
#define	LVLQ		SIGHUP
#define	LVL0		SIGINT
#define	LVL1		SIGQUIT
#define	LVL2		SIGILL
#define	LVL3		SIGTRAP
#define	LVL4		SIGIOT
#define	LVL5		SIGEMT
#define	LVL6		SIGFPE
#define	SINGLE_USER	SIGBUS
#define	LVLa		SIGSEGV
#define	LVLb		SIGSYS
#define	LVLc		SIGPIPE

/*
 * Bit Mask for each level.  Used to determine legal levels.
 */
#define	MASK0	0x0001
#define	MASK1	0x0002
#define	MASK2	0x0004
#define	MASK3	0x0008
#define	MASK4	0x0010
#define	MASK5	0x0020
#define	MASK6	0x0040
#define	MASKSU	0x0080
#define	MASKa	0x0100
#define	MASKb	0x0200
#define	MASKc	0x0400

#define	MASK_NUMERIC (MASK0 | MASK1 | MASK2 | MASK3 | MASK4 | MASK5 | MASK6)
#define	MASK_abc (MASKa | MASKb | MASKc)

/*
 * Flags to indicate properties of various states.
 */
#define	LSEL_RUNLEVEL	0x0001	/* runlevels you can transition to */
#define	LSEL_NOAUDIT	0x0002	/* levels with auditing disabled */

typedef struct lvl {
	int	lvl_state;
	int	lvl_mask;
	char	lvl_name;
	int	lvl_flags;
} lvl_t;

static lvl_t lvls[] = {
	{ LVLQ,		0,	'Q', 0					},
	{ LVLQ,		0,	'q', 0					},
	{ LVL0,		MASK0,	'0', LSEL_RUNLEVEL | LSEL_NOAUDIT	},
	{ LVL1, 	MASK1,	'1', LSEL_RUNLEVEL | LSEL_NOAUDIT	},
	{ LVL2, 	MASK2,	'2', LSEL_RUNLEVEL			},
	{ LVL3, 	MASK3,	'3', LSEL_RUNLEVEL			},
	{ LVL4, 	MASK4,	'4', LSEL_RUNLEVEL			},
	{ LVL5, 	MASK5,	'5', LSEL_RUNLEVEL | LSEL_NOAUDIT	},
	{ LVL6, 	MASK6, 	'6', LSEL_RUNLEVEL | LSEL_NOAUDIT	},
	{ SINGLE_USER, 	MASKSU, 'S', LSEL_RUNLEVEL | LSEL_NOAUDIT	},
	{ SINGLE_USER, 	MASKSU, 's', LSEL_RUNLEVEL | LSEL_NOAUDIT	},
	{ LVLa,		MASKa,	'a', 0					},
	{ LVLb,		MASKb,	'b', 0					},
	{ LVLc,		MASKc,	'c', 0					}
};

#define	LVL_NELEMS (sizeof (lvls) / sizeof (lvl_t))

/*
 * Legal action field values.
 */
#define	OFF		0	/* Kill process if on, else ignore */
#define	RESPAWN		1	/* Continuously restart process when it dies */
#define	ONDEMAND	RESPAWN	/* Respawn for a, b, c type processes */
#define	ONCE		2	/* Start process, do not respawn when dead */
#define	WAIT		3	/* Perform once and wait to complete */
#define	BOOT		4	/* Start at boot time only */
#define	BOOTWAIT	5	/* Start at boot time and wait to complete */
#define	POWERFAIL	6	/* Start on powerfail */
#define	POWERWAIT	7	/* Start and wait for complete on powerfail */
#define	INITDEFAULT	8	/* Default level "init" should start at */
#define	SYSINIT		9	/* Actions performed before init speaks */

#define	M_OFF		0001
#define	M_RESPAWN	0002
#define	M_ONDEMAND	M_RESPAWN
#define	M_ONCE		0004
#define	M_WAIT		0010
#define	M_BOOT		0020
#define	M_BOOTWAIT	0040
#define	M_PF		0100
#define	M_PWAIT		0200
#define	M_INITDEFAULT	0400
#define	M_SYSINIT	01000

/* States for the inittab parser in getcmd(). */
#define	ID	1
#define	LEVELS	2
#define	ACTION	3
#define	COMMAND	4
#define	COMMENT	5

/*
 * Init can be in any of three main states, "normal" mode where it is
 * processing entries for the lines file in a normal fashion, "boot" mode,
 * where it is only interested in the boot actions, and "powerfail" mode,
 * where it is only interested in powerfail related actions. The following
 * masks declare the legal actions for each mode.
 */
#define	NORMAL_MODES	(M_OFF | M_RESPAWN | M_ONCE | M_WAIT)
#define	BOOT_MODES	(M_BOOT | M_BOOTWAIT)
#define	PF_MODES	(M_PF | M_PWAIT)

struct PROC_TABLE {
	char	p_id[4];	/* Four letter unique id of process */
	pid_t	p_pid;		/* Process id */
	short	p_count;	/* How many respawns of this command in */
				/*   the current series */
	long	p_time;		/* Start time for a series of respawns */
	short	p_flags;
	short	p_exit;		/* Exit status of a process which died */
};

/*
 * Flags for the "p_flags" word of a PROC_TABLE entry:
 *
 *	OCCUPIED	This slot in init's proc table is in use.
 *
 *	LIVING		Process is alive.
 *
 *	NOCLEANUP	efork() is not allowed to cleanup this entry even
 *			if process is dead.
 *
 *	NAMED		This process has a name, i.e. came from inittab.
 *
 *	DEMANDREQUEST	Process started by a "telinit [abc]" command.  Processes
 *			formed this way are respawnable and immune to level
 *			changes as long as their entry exists in inittab.
 *
 *	TOUCHED		Flag used by remv() to determine whether it has looked
 *			at an entry while checking for processes to be killed.
 *
 *	WARNED		Flag used by remv() to mark processes that have been
 *			sent the SIGTERM signal.  If they don't die in 5
 *			seconds, they are sent the SIGKILL signal.
 *
 *	KILLED		Flag used by remv() to mark procs that have been sent
 *			the SIGTERM and SIGKILL signals.
 *
 *	PF_MASK		Bitwise or of legal flags, for sanity checking.
 */
#define	OCCUPIED	01
#define	LIVING		02
#define	NOCLEANUP	04
#define	NAMED		010
#define	DEMANDREQUEST	020
#define	TOUCHED		040
#define	WARNED		0100
#define	KILLED		0200
#define	PF_MASK		0377

/*
 * Respawn limits for processes that are to be respawned:
 *
 *	SPAWN_INTERVAL	The number of seconds over which "init" will try to
 *			respawn a process SPAWN_LIMIT times before it gets mad.
 *
 *	SPAWN_LIMIT	The number of respawns "init" will attempt in
 *			SPAWN_INTERVAL seconds before it generates an
 *			error message and inhibits further tries for
 *			INHIBIT seconds.
 *
 *	INHIBIT		The number of seconds "init" ignores an entry it had
 *			trouble spawning unless a "telinit Q" is received.
 */

#define	SPAWN_INTERVAL	(2*60)
#define	SPAWN_LIMIT	10
#define	INHIBIT		(5*60)

/*
 * The maximum number of decimal digits for an id_t.  (ceil(log10 (max_id)))
 */
#define	ID_MAX_STR_LEN	10

#define	NULLPROC	((struct PROC_TABLE *)(0))
#define	NO_ROOM		((struct PROC_TABLE *)(FAILURE))

struct CMD_LINE {
	char c_id[4];	/* Four letter unique id of process to be */
			/*   affected by action */
	short c_levels;	/* Mask of legal levels for process */
	short c_action;	/* Mask for type of action required */
	char *c_command; /* Pointer to init command */
};

struct	pidrec {
	int	pd_type;	/* Command type */
	pid_t	pd_pid;		/* pid to add or remove */
};

/*
 * pd_type's
 */
#define	ADDPID	1
#define	REMPID	2

static struct	pidlist {
	pid_t	pl_pid;		/* pid to watch for */
	int	pl_dflag;	/* Flag indicating SIGCLD from this pid */
	short	pl_exit;	/* Exit status of proc */
	struct	pidlist	*pl_next; /* Next in list */
} *Plhead, *Plfree;

/*
 * The following structure contains a set of modes for /dev/syscon
 * and should match the default contents of /etc/ioctl.syscon.
 */
static struct termios	dflt_termios = {
	BRKINT|ICRNL|IXON|IMAXBEL,			/* iflag */
	OPOST|ONLCR|TAB3,				/* oflag */
	CS8|CREAD|B9600,				/* cflag */
	ISIG|ICANON|ECHO|ECHOE|ECHOK|ECHOCTL|ECHOKE|IEXTEN, /* lflag */
	CINTR, CQUIT, CERASE, CKILL, CEOF, 0, 0, 0,
	0, 0, 0, 0, 0, 0, 0, 0,
	0, 0, 0
};

static struct termios	stored_syscon_termios;
static int		write_ioctl = 0;	/* Rewrite /etc/ioctl.syscon */

static union WAKEUP {
	struct WAKEFLAGS {
		unsigned w_usersignal : 1;	/* User sent signal to "init" */
		unsigned w_childdeath : 1;	/* An "init" child died */
		unsigned w_powerhit : 1;	/* OS experienced powerfail */
	}	w_flags;
	int w_mask;
} wakeup;


struct init_state {
	int			ist_runlevel;
	int			ist_num_proc;
	int			ist_utmpx_ok;
	struct PROC_TABLE	ist_proc_table[1];
};

#define	cur_state	(g_state->ist_runlevel)
#define	num_proc	(g_state->ist_num_proc)
#define	proc_table	(g_state->ist_proc_table)
#define	utmpx_ok	(g_state->ist_utmpx_ok)

/* Contract cookies. */
#define	ORDINARY_COOKIE		0
#define	STARTD_COOKIE		1


#ifndef NDEBUG
#define	bad_error(func, err)	{					\
	(void) fprintf(stderr, "%s:%d: %s() failed with unexpected "	\
	    "error %d.  Aborting.\n", __FILE__, __LINE__, (func), (err)); \
	abort();							\
}
#else
#define	bad_error(func, err)	abort()
#endif


/*
 * Useful file and device names.
 */
static char *CONSOLE	  = "/dev/console";	/* Real system console */
static char *INITPIPE_DIR = "/etc";
static char *INITPIPE	  = "/etc/initpipe";

#define	INIT_STATE_DIR "/etc/svc/volatile"
static const char * const init_state_file = INIT_STATE_DIR "/init.state";
static const char * const init_next_state_file =
	INIT_STATE_DIR "/init-next.state";

static const int init_num_proc = 20;	/* Initial size of process table. */

static char *UTMPX	 = UTMPX_FILE;		/* Snapshot record file */
static char *WTMPX	 = WTMPX_FILE;		/* Long term record file */
static char *INITTAB	 = "/etc/inittab";	/* Script file for "init" */
static char *SYSTTY	 = "/dev/systty";	/* System Console */
static char *SYSCON	 = "/dev/syscon";	/* Virtual System console */
static char *IOCTLSYSCON = "/etc/ioctl.syscon";	/* Last syscon modes */
static char *ENVFILE	 = "/etc/default/init";	/* Default env. */
static char *SU	= "/etc/sulogin";	/* Super-user program for single user */
static char *SH	= "/sbin/sh";		/* Standard shell */

/*
 * Default Path.  /sbin is included in path only during sysinit phase
 */
#define	DEF_PATH	"PATH=/usr/sbin:/usr/bin"
#define	INIT_PATH	"PATH=/sbin:/usr/sbin:/usr/bin"

static int	prior_state;
static int	prev_state;	/* State "init" was in last time it woke */
static int	new_state;	/* State user wants "init" to go to. */
static int	op_modes = BOOT_MODES; /* Current state of "init" */
static int	Gchild = 0;	/* Flag to indicate "godchild" died, set in */
				/*   childeath() and cleared in cleanaux() */
static int	Pfd = -1;	/* fd to receive pids thru */
static unsigned int	spawncnt, pausecnt;
static int	rsflag;		/* Set if a respawn has taken place */
static volatile int time_up;	/* Flag set to TRUE by the alarm interrupt */
				/* routine each time an alarm interrupt */
				/* takes place. */
static int	sflg = 0;	/* Set if we were booted -s to single user */
static int	rflg = 0;	/* Set if booted -r, reconfigure devices */
static int	bflg = 0;	/* Set if booted -b, don't run rc scripts */
static pid_t	init_pid;	/* PID of "one true" init for current zone */

static struct init_state *g_state = NULL;
static size_t	g_state_sz;
static int	booting = 1;	/* Set while we're booting. */

/*
 * Array for default global environment.
 */
#define	MAXENVENT	24	/* Max number of default env variables + 1 */
				/* init can use three itself, so this leaves */
				/* 20 for the administrator in ENVFILE. */
static char	*glob_envp[MAXENVENT];	/* Array of environment strings */
static int	glob_envn;		/* Number of environment strings */


static struct pollfd	poll_fds[1];
static int		poll_nfds = 0;	/* poll_fds is uninitialized */

static int	legacy_tmpl = -1;	/* fd for legacy contract template */
static int	startd_tmpl = -1;	/* fd for svc.startd's template */

static char	startd_cline[256] = "";	/* svc.startd's command line */
static int	do_restart_startd = 1;	/* Whether to restart svc.startd. */
static char	*smf_options = NULL;	/* Options to give to startd. */
static int	smf_debug = 0;		/* Messages for debugging smf(5) */
static time_t	init_boot_time;		/* Substitute for kernel boot time. */

#define	NSTARTD_FAILURE_TIMES	3		/* trigger after 3 failures */
#define	STARTD_FAILURE_RATE_NS	5000000000LL	/* 1 failure/5 seconds */

static hrtime_t	startd_failure_time[NSTARTD_FAILURE_TIMES];
static uint_t	startd_failure_index;


static char	*prog_name(char *);
static int	state_to_mask(int);
static int	lvlname_to_mask(char, int *);
static void	lscf_set_runlevel(char);
static int	state_to_flags(int);
static char	state_to_name(int);
static int	lvlname_to_state(char);
static int	getcmd(struct CMD_LINE *, char *);
static int	realcon();
static int	spawn_processes();
static int	get_ioctl_syscon();
static int	account(short, struct PROC_TABLE *, char *);
static void	alarmclk();
static void	childeath(int);
static void	cleanaux();
static void	clearent(pid_t, short);
static void	console(boolean_t, char *, ...);
static void	init_signals(void);
static void	setup_pipe();
static void	killproc(pid_t);
static void	init_env();
static void	boot_init();
static void	powerfail();
static void	remv();
static void	write_ioctl_syscon();
static void	spawn(struct PROC_TABLE *, struct CMD_LINE *);
static void	setimer(int);
static void	siglvl(int, siginfo_t *, ucontext_t *);
static void	sigpoll(int);
static void	enter_maintenance(void);
static void	timer(int);
static void	userinit(int, char **);
static void	notify_pam_dead(struct utmpx *);
static long	waitproc(struct PROC_TABLE *);
static struct PROC_TABLE *efork(int, struct PROC_TABLE *, int);
static struct PROC_TABLE *findpslot(struct CMD_LINE *);
static void	increase_proc_table_size();
static void	st_init();
static void	st_write();
static void	contracts_init();
static void	contract_event(struct pollfd *);
static int	startd_run(const char *, int, ctid_t);
static void	startd_record_failure();
static int	startd_failure_rate_critical();
static char	*audit_boot_msg();
static int	audit_put_record(int, int, char *);
static void	update_boot_archive(int new_state);

int
main(int argc, char *argv[])
{
	int	chg_lvl_flag = FALSE, print_banner = FALSE;
	int	may_need_audit = 1;
	int	c;
	char	*msg;

	/* Get a timestamp for use as boot time, if needed. */
	(void) time(&init_boot_time);

	/* Get the default umask */
	cmask = umask(022);
	(void) umask(cmask);

	/* Parse the arguments to init. Check for single user */
	opterr = 0;
	while ((c = getopt(argc, argv, "brsm:")) != EOF) {
		switch (c) {
		case 'b':
			rflg = 0;
			bflg = 1;
			if (!sflg)
				sflg++;
			break;
		case 'r':
			bflg = 0;
			rflg++;
			break;
		case 's':
			if (!bflg)
				sflg++;
			break;
		case 'm':
			smf_options = optarg;
			smf_debug = (strstr(smf_options, "debug") != NULL);
			break;
		}
	}

	/*
	 * Determine if we are the main init, or a user invoked init, whose job
	 * it is to inform init to change levels or perform some other action.
	 */
	if (zone_getattr(getzoneid(), ZONE_ATTR_INITPID, &init_pid,
	    sizeof (init_pid)) != sizeof (init_pid)) {
		(void) fprintf(stderr, "could not get pid for init\n");
		return (1);
	}

	/*
	 * If this PID is not the same as the "true" init for the zone, then we
	 * must be in 'user' mode.
	 */
	if (getpid() != init_pid) {
		userinit(argc, argv);
	}

	if (getzoneid() != GLOBAL_ZONEID) {
		print_banner = TRUE;
	}

	/*
	 * Initialize state (and set "booting").
	 */
	st_init();

	if (booting && print_banner) {
		struct utsname un;
		char buf[BUFSIZ], *isa;
		long ret;
		int bits = 32;

		/*
		 * We want to print the boot banner as soon as
		 * possible.  In the global zone, the kernel does it,
		 * but we do not have that luxury in non-global zones,
		 * so we will print it here.
		 */
		(void) uname(&un);
		ret = sysinfo(SI_ISALIST, buf, sizeof (buf));
		if (ret != -1L && ret <= sizeof (buf)) {
			for (isa = strtok(buf, " "); isa;
			    isa = strtok(NULL, " ")) {
				if (strcmp(isa, "sparcv9") == 0 ||
				    strcmp(isa, "amd64") == 0) {
					bits = 64;
					break;
				}
			}
		}

		console(B_FALSE,
		    "\n\n%s Release %s Version %s %d-bit\r\n",
		    un.sysname, un.release, un.version, bits);
		console(B_FALSE,
		    "Copyright 1983-2005 Sun Microsystems, Inc. "
		    " All rights reserved.\r\n");
		console(B_FALSE,
		    "Use is subject to license terms.\r\n");
	}

	/*
	 * Get the ioctl settings for /dev/syscon from /etc/ioctl.syscon
	 * so that it can be brought up in the state it was in when the
	 * system went down; or set to defaults if ioctl.syscon isn't
	 * valid.
	 *
	 * This needs to be done even if we're restarting so reset_modes()
	 * will work in case we need to go down to single user mode.
	 */
	write_ioctl = get_ioctl_syscon();

	/*
	 * Set up all signals to be caught or ignored as appropriate.
	 */
	init_signals();

	/* Load glob_envp from ENVFILE. */
	init_env();

	contracts_init();

	if (!booting) {
		/* cur_state should have been read in. */

		op_modes = NORMAL_MODES;

		/* Rewrite the ioctl file if it was bad. */
		if (write_ioctl)
			write_ioctl_syscon();
	} else {
		/*
		 * It's fine to boot up with state as zero, because
		 * startd will later tell us the real state.
		 */
		cur_state = 0;
		op_modes = BOOT_MODES;

		boot_init();
	}

	prev_state = prior_state = cur_state;

	/*
	 * Here is the beginning of the main process loop.
	 */
	for (;;) {
		if (Pfd < 0)
			setup_pipe();

		/*
		 * Clean up any accounting records for dead "godchildren".
		 */
		if (Gchild)
			cleanaux();

		/*
		 * If in "normal" mode, check all living processes and initiate
		 * kill sequence on those that should not be there anymore.
		 */
		if (op_modes == NORMAL_MODES && cur_state != LVLa &&
		    cur_state != LVLb && cur_state != LVLc)
			remv();

		/*
		 * If a change in run levels is the reason we awoke, now do
		 * the accounting to report the change in the utmp file.
		 * Also report the change on the system console.
		 */
		if (chg_lvl_flag) {
			chg_lvl_flag = FALSE;

			if (state_to_flags(cur_state) & LSEL_RUNLEVEL) {
				char rl = state_to_name(cur_state);

				if (rl != -1)
					lscf_set_runlevel(rl);
			}

			may_need_audit = 1;
		}

		/*
		 * Scan the inittab file and spawn and respawn processes that
		 * should be alive in the current state. If inittab does not
		 * exist default to  single user mode.
		 */
		if (spawn_processes() == FAILURE) {
			prior_state = prev_state;
			cur_state = SINGLE_USER;
		}

		/* If any respawns occurred, take note. */
		if (rsflag) {
			rsflag = 0;
			spawncnt++;
		}

		/*
		 * If a powerfail signal was received during the last
		 * sequence, set mode to powerfail.  When spawn_processes() is
		 * entered the first thing it does is to check "powerhit".  If
		 * it is in PF_MODES then it clears "powerhit" and does
		 * a powerfail sequence.  If it is not in PF_MODES, then it
		 * puts itself in PF_MODES and then clears "powerhit".  Should
		 * "powerhit" get set again while spawn_processes() is working
		 * on a powerfail sequence, the following code  will see that
		 * spawn_processes() tries to execute the powerfail sequence
		 * again.  This guarantees that the powerfail sequence will be
		 * successfully completed before further processing takes
		 * place.
		 */
		if (wakeup.w_flags.w_powerhit) {
			op_modes = PF_MODES;
			/*
			 * Make sure that cur_state != prev_state so that
			 * ONCE and WAIT types work.
			 */
			prev_state = 0;
		} else if (op_modes != NORMAL_MODES) {
			/*
			 * If spawn_processes() was not just called while in
			 * normal mode, we set the mode to normal and it will
			 * be called again to check normal modes.  If we have
			 * just finished a powerfail sequence with prev_state
			 * equal to zero, we set prev_state equal to cur_state
			 * before the next pass through.
			 */
			if (op_modes == PF_MODES)
				prev_state = cur_state;
			op_modes = NORMAL_MODES;
		} else if (cur_state == LVLa || cur_state == LVLb ||
		    cur_state == LVLc) {
			/*
			 * If it was a change of levels that awakened us and the
			 * new level is one of the demand levels then reset
			 * cur_state to the previous state and do another scan
			 * to take care of the usual respawn actions.
			 */
			cur_state = prior_state;
			prior_state = prev_state;
			prev_state = cur_state;
		} else {
			prev_state = cur_state;

			if (wakeup.w_mask == 0) {
				int ret;

				if (may_need_audit && (cur_state == LVL3)) {
					msg = audit_boot_msg();

					may_need_audit = 0;
					(void) audit_put_record(ADT_SUCCESS,
					    ADT_SUCCESS, msg);
					free(msg);
				}

				/*
				 * "init" is finished with all actions for
				 * the current wakeup.
				 */
				ret = poll(poll_fds, poll_nfds,
				    SLEEPTIME * MILLISEC);
				pausecnt++;
				if (ret > 0)
					contract_event(&poll_fds[0]);
				else if (ret < 0 && errno != EINTR)
					console(B_TRUE, "poll() error: %s\n",
					    strerror(errno));
			}

			if (wakeup.w_flags.w_usersignal) {
				/*
				 * Install the new level.  This could be a real
				 * change in levels  or a telinit [Q|a|b|c] or
				 * just a telinit to the same level at which
				 * we are running.
				 */
				if (new_state != cur_state) {
					if (new_state == LVLa ||
					    new_state == LVLb ||
					    new_state == LVLc) {
						prev_state = prior_state;
						prior_state = cur_state;
						cur_state = new_state;
					} else {
						prev_state = cur_state;
						if (cur_state >= 0)
							prior_state = cur_state;
						cur_state = new_state;
						chg_lvl_flag = TRUE;
					}
				}

				new_state = 0;
			}

			if (wakeup.w_flags.w_powerhit)
				op_modes = PF_MODES;

			/*
			 * Clear all wakeup reasons.
			 */
			wakeup.w_mask = 0;
		}
	}

	/*NOTREACHED*/
}

static void
update_boot_archive(int new_state)
{
	if (new_state != LVL0 && new_state != LVL5 && new_state != LVL6)
		return;

	if (getzoneid() != GLOBAL_ZONEID)
		return;

	(void) system("/sbin/bootadm -a update_all");
}

/*
 * void enter_maintenance()
 *   A simple invocation of sulogin(1M), with no baggage, in the case that we
 *   are unable to activate svc.startd(1M).  We fork; the child runs sulogin;
 *   we wait for it to exit.
 */
static void
enter_maintenance()
{
	struct PROC_TABLE	*su_process;

	console(B_FALSE, "Requesting maintenance mode\n"
	    "(See /lib/svc/share/README for additional information.)\n");
	(void) sigset(SIGCLD, SIG_DFL);
	while ((su_process = efork(M_OFF, NULLPROC, NOCLEANUP)) == NO_ROOM)
		(void) pause();
	(void) sigset(SIGCLD, childeath);
	if (su_process == NULLPROC) {
		int fd;

		(void) fclose(stdin);
		(void) fclose(stdout);
		(void) fclose(stderr);
		closefrom(0);

		fd = open(SYSCON, O_RDWR | O_NOCTTY);
		if (fd >= 0) {
			(void) dup2(fd, 1);
			(void) dup2(fd, 2);
		} else {
			/*
			 * Need to issue an error message somewhere.
			 */
			syslog(LOG_CRIT, "init[%d]: cannot open %s; %s\n",
			    getpid(), SYSCON, strerror(errno));
		}

		/*
		 * Execute the "su" program.
		 */
		(void) execle(SU, SU, "-", (char *)0, glob_envp);
		console(B_TRUE, "execle of %s failed: %s\n", SU,
		    strerror(errno));
		timer(5);
		exit(1);
	}

	/*
	 * If we are the parent, wait around for the child to die
	 * or for "init" to be signaled to change levels.
	 */
	while (waitproc(su_process) == FAILURE) {
		/*
		 * All other reasons for waking are ignored when in
		 * single-user mode.  The only child we are interested
		 * in is being waited for explicitly by waitproc().
		 */
		wakeup.w_mask = 0;
	}
}

/*
 * remv() scans through "proc_table" and performs cleanup.  If
 * there is a process in the table, which shouldn't be here at
 * the current run level, then remv() kills the process.
 */
static void
remv()
{
	struct PROC_TABLE	*process;
	struct CMD_LINE		cmd;
	char			cmd_string[MAXCMDL];
	int			change_level;

	change_level = (cur_state != prev_state ? TRUE : FALSE);

	/*
	 * Clear the TOUCHED flag on all entries so that when we have
	 * finished scanning inittab, we will be able to tell if we
	 * have any processes for which there is no entry in inittab.
	 */
	for (process = proc_table;
	    (process < proc_table + num_proc); process++) {
		process->p_flags &= ~TOUCHED;
	}

	/*
	 * Scan all inittab entries.
	 */
	while (getcmd(&cmd, &cmd_string[0]) == TRUE) {
		/* Scan for process which goes with this entry in inittab. */
		for (process = proc_table;
		    (process < proc_table + num_proc); process++) {
			if ((process->p_flags & OCCUPIED) == 0 ||
			    !id_eq(process->p_id, cmd.c_id))
				continue;

			/*
			 * This slot contains the process we are looking for.
			 */

			/*
			 * Is the cur_state SINGLE_USER or is this process
			 * marked as "off" or was this proc started by some
			 * mechanism other than LVL{a|b|c} and the current level
			 * does not support this process?
			 */
			if (cur_state == SINGLE_USER ||
			    cmd.c_action == M_OFF ||
			    ((cmd.c_levels & state_to_mask(cur_state)) == 0 &&
			    (process->p_flags & DEMANDREQUEST) == 0)) {
				if (process->p_flags & LIVING) {
					/*
					 * Touch this entry so we know we have
					 * treated it.  Note that procs which
					 * are already dead at this point and
					 * should not be restarted are left
					 * untouched.  This causes their slot to
					 * be freed later after dead accounting
					 * is done.
					 */
					process->p_flags |= TOUCHED;

					if ((process->p_flags & KILLED) == 0) {
						if (change_level) {
							process->p_flags
							    |= WARNED;
							(void) kill(
							    process->p_pid,
							    SIGTERM);
						} else {
							/*
							 * Fork a killing proc
							 * so "init" can
							 * continue without
							 * having to pause for
							 * TWARN seconds.
							 */
							killproc(
							    process->p_pid);
						}
						process->p_flags |= KILLED;
					}
				}
			} else {
				/*
				 * Process can exist at current level.  If it is
				 * still alive or a DEMANDREQUEST we touch it so
				 * it will be left alone.  Otherwise we leave it
				 * untouched so it will be accounted for and
				 * cleaned up later in remv().  Dead
				 * DEMANDREQUESTs will be accounted but not
				 * freed.
				 */
				if (process->p_flags &
				    (LIVING|NOCLEANUP|DEMANDREQUEST))
					process->p_flags |= TOUCHED;
			}

			break;
		}
	}

	st_write();

	/*
	 * If this was a change of levels call, scan through the
	 * process table for processes that were warned to die.  If any
	 * are found that haven't left yet, sleep for TWARN seconds and
	 * then send final terminations to any that haven't died yet.
	 */
	if (change_level) {

		/*
		 * Set the alarm for TWARN seconds on the assumption
		 * that there will be some that need to be waited for.
		 * This won't harm anything except we are guaranteed to
		 * wakeup in TWARN seconds whether we need to or not.
		 */
		setimer(TWARN);

		/*
		 * Scan for processes which should be dying.  We hope they
		 * will die without having to be sent a SIGKILL signal.
		 */
		for (process = proc_table;
		    (process < proc_table + num_proc); process++) {
			/*
			 * If this process should die, hasn't yet, and the
			 * TWARN time hasn't expired yet, wait for process
			 * to die or for timer to expire.
			 */
			while (time_up == FALSE &&
			    (process->p_flags & (WARNED|LIVING|OCCUPIED)) ==
			    (WARNED|LIVING|OCCUPIED))
				(void) pause();

			if (time_up == TRUE)
				break;
		}

		/*
		 * If we reached the end of the table without the timer
		 * expiring, then there are no procs which will have to be
		 * sent the SIGKILL signal.  If the timer has expired, then
		 * it is necessary to scan the table again and send signals
		 * to all processes which aren't going away nicely.
		 */
		if (time_up == TRUE) {
			for (process = proc_table;
			    (process < proc_table + num_proc); process++) {
				if ((process->p_flags &
				    (WARNED|LIVING|OCCUPIED)) ==
				    (WARNED|LIVING|OCCUPIED))
					(void) kill(process->p_pid, SIGKILL);
			}
		}
		setimer(0);
	}

	/*
	 * Rescan the proc_table for two kinds of entry, those marked LIVING,
	 * NAMED, which don't have an entry in inittab (haven't been TOUCHED
	 * by the above scanning), and haven't been sent kill signals, and
	 * those entries marked not LIVING, NAMED.  The former procs are killed.
	 * The latter have DEAD_PROCESS accounting done and the slot cleared.
	 */
	for (process = proc_table;
	    (process < proc_table + num_proc); process++) {
		if ((process->p_flags & (LIVING|NAMED|TOUCHED|KILLED|OCCUPIED))
		    == (LIVING|NAMED|OCCUPIED)) {
			killproc(process->p_pid);
			process->p_flags |= KILLED;
		} else if ((process->p_flags & (LIVING|NAMED|OCCUPIED)) ==
		    (NAMED|OCCUPIED)) {
			(void) account(DEAD_PROCESS, process, NULL);
			/*
			 * If this named proc hasn't been TOUCHED, then free the
			 * space. It has either died of it's own accord, but
			 * isn't respawnable or it was killed because it
			 * shouldn't exist at this level.
			 */
			if ((process->p_flags & TOUCHED) == 0)
				process->p_flags = 0;
		}
	}

	st_write();
}

/*
 * Extract the svc.startd command line and whether to restart it from its
 * inittab entry.
 */
/*ARGSUSED*/
static void
process_startd_line(struct CMD_LINE *cmd, char *cmd_string)
{
	size_t sz;

	/* Save the command line. */
	if (sflg || rflg) {
		/* Also append -r or -s. */
		(void) strlcpy(startd_cline, cmd_string, sizeof (startd_cline));
		(void) strlcat(startd_cline, " -", sizeof (startd_cline));
		if (sflg)
			sz = strlcat(startd_cline, "s", sizeof (startd_cline));
		if (rflg)
			sz = strlcat(startd_cline, "r", sizeof (startd_cline));
	} else {
		sz = strlcpy(startd_cline, cmd_string, sizeof (startd_cline));
	}

	if (sz >= sizeof (startd_cline)) {
		console(B_TRUE,
		    "svc.startd command line too long.  Ignoring.\n");
		startd_cline[0] = '\0';
		return;
	}
}

/*
 * spawn_processes() scans inittab for entries which should be run at this
 * mode.  Processes which should be running but are not, are started.
 */
static int
spawn_processes()
{
	struct PROC_TABLE		*pp;
	struct CMD_LINE			cmd;
	char				cmd_string[MAXCMDL];
	short				lvl_mask;
	int				status;

	/*
	 * First check the "powerhit" flag.  If it is set, make sure the modes
	 * are PF_MODES and clear the "powerhit" flag.  Avoid the possible race
	 * on the "powerhit" flag by disallowing a new powerfail interrupt
	 * between the test of the powerhit flag and the clearing of it.
	 */
	if (wakeup.w_flags.w_powerhit) {
		wakeup.w_flags.w_powerhit = 0;
		op_modes = PF_MODES;
	}
	lvl_mask = state_to_mask(cur_state);

	/*
	 * Scan through all the entries in inittab.
	 */
	while ((status = getcmd(&cmd, &cmd_string[0])) == TRUE) {
		if (id_eq(cmd.c_id, "smf")) {
			process_startd_line(&cmd, cmd_string);
			continue;
		}

retry_for_proc_slot:

		/*
		 * Find out if there is a process slot for this entry already.
		 */
		if ((pp = findpslot(&cmd)) == NULLPROC) {
			/*
			 * we've run out of proc table entries
			 * increase proc_table.
			 */
			increase_proc_table_size();

			/*
			 * Retry now as we have an empty proc slot.
			 * In case increase_proc_table_size() fails,
			 * we will keep retrying.
			 */
			goto retry_for_proc_slot;
		}

		/*
		 * If there is an entry, and it is marked as DEMANDREQUEST,
		 * one of the levels a, b, or c is in its levels mask, and
		 * the action field is ONDEMAND and ONDEMAND is a permissable
		 * mode, and the process is dead, then respawn it.
		 */
		if (((pp->p_flags & (LIVING|DEMANDREQUEST)) == DEMANDREQUEST) &&
		    (cmd.c_levels & MASK_abc) &&
		    (cmd.c_action & op_modes) == M_ONDEMAND) {
			spawn(pp, &cmd);
			continue;
		}

		/*
		 * If the action is not an action we are interested in,
		 * skip the entry.
		 */
		if ((cmd.c_action & op_modes) == 0 || pp->p_flags & LIVING ||
		    (cmd.c_levels & lvl_mask) == 0)
			continue;

		/*
		 * If the modes are the normal modes (ONCE, WAIT, RESPAWN, OFF,
		 * ONDEMAND) and the action field is either OFF or the action
		 * field is ONCE or WAIT and the current level is the same as
		 * the last level, then skip this entry.  ONCE and WAIT only
		 * get run when the level changes.
		 */
		if (op_modes == NORMAL_MODES &&
		    (cmd.c_action == M_OFF ||
			(cmd.c_action & (M_ONCE|M_WAIT)) &&
			cur_state == prev_state))
			continue;

		/*
		 * At this point we are interested in performing the action for
		 * this entry.  Actions fall into two categories, spinning off
		 * a process and not waiting, and spinning off a process and
		 * waiting for it to die.  If the action is ONCE, RESPAWN,
		 * ONDEMAND, POWERFAIL, or BOOT we don't wait for the process
		 * to die, for all other actions we do wait.
		 */
		if (cmd.c_action & (M_ONCE | M_RESPAWN | M_PF | M_BOOT)) {
			spawn(pp, &cmd);

		} else {
			spawn(pp, &cmd);
			while (waitproc(pp) == FAILURE);
			(void) account(DEAD_PROCESS, pp, NULL);
			pp->p_flags = 0;
		}
	}
	return (status);
}

/*
 * spawn() spawns a shell, inserts the information about the process
 * process into the proc_table, and does the startup accounting.
 */
static void
spawn(struct PROC_TABLE *process, struct CMD_LINE *cmd)
{
	int		i;
	int		modes, maxfiles;
	time_t		now;
	struct PROC_TABLE tmproc, *oprocess;

	/*
	 * The modes to be sent to efork() are 0 unless we are
	 * spawning a LVLa, LVLb, or LVLc entry or we will be
	 * waiting for the death of the child before continuing.
	 */
	modes = NAMED;
	if (process->p_flags & DEMANDREQUEST || cur_state == LVLa ||
	    cur_state == LVLb || cur_state == LVLc)
		modes |= DEMANDREQUEST;
	if ((cmd->c_action & (M_SYSINIT | M_WAIT | M_BOOTWAIT | M_PWAIT)) != 0)
		modes |= NOCLEANUP;

	/*
	 * If this is a respawnable process, check the threshold
	 * information to avoid excessive respawns.
	 */
	if (cmd->c_action & M_RESPAWN) {
		/*
		 * Add NOCLEANUP to all respawnable commands so that the
		 * information about the frequency of respawns isn't lost.
		 */
		modes |= NOCLEANUP;
		(void) time(&now);

		/*
		 * If no time is assigned, then this is the first time
		 * this command is being processed in this series.  Assign
		 * the current time.
		 */
		if (process->p_time == 0L)
			process->p_time = now;

		if (process->p_count++ == SPAWN_LIMIT) {

			if ((now - process->p_time) < SPAWN_INTERVAL) {
				/*
				 * Process is respawning too rapidly.  Print
				 * message and refuse to respawn it for now.
				 */
				console(B_TRUE, "Command is respawning too "
				    "rapidly. Check for possible errors.\n"
				    "id:%4s \"%s\"\n",
				    &cmd->c_id[0], &cmd->c_command[EXEC]);
				return;
			}
			process->p_time = now;
			process->p_count = 0;

		} else if (process->p_count > SPAWN_LIMIT) {
			/*
			 * If process has been respawning too rapidly and
			 * the inhibit time limit hasn't expired yet, we
			 * refuse to respawn.
			 */
			if (now - process->p_time < SPAWN_INTERVAL + INHIBIT)
				return;
			process->p_time = now;
			process->p_count = 0;
		}
		rsflag = TRUE;
	}

	/*
	 * Spawn a child process to execute this command.
	 */
	(void) sigset(SIGCLD, SIG_DFL);
	oprocess = process;
	while ((process = efork(cmd->c_action, oprocess, modes)) == NO_ROOM)
		(void) pause();

	if (process == NULLPROC) {

		/*
		 * We are the child.  We must make sure we get a different
		 * file pointer for our references to utmpx.  Otherwise our
		 * seeks and reads will compete with those of the parent.
		 */
		endutxent();

		/*
		 * Perform the accounting for the beginning of a process.
		 * Note that all processes are initially "INIT_PROCESS"es.
		 */
		tmproc.p_id[0] = cmd->c_id[0];
		tmproc.p_id[1] = cmd->c_id[1];
		tmproc.p_id[2] = cmd->c_id[2];
		tmproc.p_id[3] = cmd->c_id[3];
		tmproc.p_pid = getpid();
		tmproc.p_exit = 0;
		(void) account(INIT_PROCESS, &tmproc,
		    prog_name(&cmd->c_command[EXEC]));
		maxfiles = ulimit(UL_GDESLIM, 0);
		for (i = 0; i < maxfiles; i++)
			(void) fcntl(i, F_SETFD, FD_CLOEXEC);

		/*
		 * Now exec a shell with the -c option and the command
		 * from inittab.
		 */
		(void) execle(SH, "INITSH", "-c", cmd->c_command, (char *)0,
		    glob_envp);
		console(B_TRUE, "Command\n\"%s\"\n failed to execute.  errno "
		    "= %d (exec of shell failed)\n", cmd->c_command, errno);

		/*
		 * Don't come back so quickly that "init" doesn't have a
		 * chance to finish putting this child in "proc_table".
		 */
		timer(20);
		exit(1);

	}

	/*
	 * We are the parent.  Insert the necessary
	 * information in the proc_table.
	 */
	process->p_id[0] = cmd->c_id[0];
	process->p_id[1] = cmd->c_id[1];
	process->p_id[2] = cmd->c_id[2];
	process->p_id[3] = cmd->c_id[3];

	st_write();

	(void) sigset(SIGCLD, childeath);
}

/*
 * findpslot() finds the old slot in the process table for the
 * command with the same id, or it finds an empty slot.
 */
static struct PROC_TABLE *
findpslot(struct CMD_LINE *cmd)
{
	struct PROC_TABLE	*process;
	struct PROC_TABLE	*empty = NULLPROC;

	for (process = proc_table;
	    (process < proc_table + num_proc); process++) {
		if (process->p_flags & OCCUPIED &&
		    id_eq(process->p_id, cmd->c_id))
			break;

		/*
		 * If the entry is totally empty and "empty" is still 0,
		 * remember where this hole is and make sure the slot is
		 * zeroed out.
		 */
		if (empty == NULLPROC && (process->p_flags & OCCUPIED) == 0) {
			empty = process;
			process->p_id[0] = '\0';
			process->p_id[1] = '\0';
			process->p_id[2] = '\0';
			process->p_id[3] = '\0';
			process->p_pid = 0;
			process->p_time = 0L;
			process->p_count = 0;
			process->p_flags = 0;
			process->p_exit = 0;
		}
	}

	/*
	 * If there is no entry for this slot, then there should be an
	 * empty slot.  If there is no empty slot, then we've run out
	 * of proc_table space.  If the latter is true, empty will be
	 * NULL and the caller will have to complain.
	 */
	if (process == (proc_table + num_proc))
		process = empty;

	return (process);
}

/*
 * getcmd() parses lines from inittab.  Each time it finds a command line
 * it will return TRUE as well as fill the passed CMD_LINE structure and
 * the shell command string.  When the end of inittab is reached, FALSE
 * is returned inittab is automatically opened if it is not currently open
 * and is closed when the end of the file is reached.
 */
static FILE *fp_inittab = NULL;

static int
getcmd(struct CMD_LINE *cmd, char *shcmd)
{
	char	*ptr;
	int	c, lastc, state;
	char 	*ptr1;
	int	answer, i, proceed;
	struct	stat	sbuf;
	static char *actions[] = {
		"off", "respawn", "ondemand", "once", "wait", "boot",
		"bootwait", "powerfail", "powerwait", "initdefault",
		"sysinit",
	};
	static short act_masks[] = {
		M_OFF, M_RESPAWN, M_ONDEMAND, M_ONCE, M_WAIT, M_BOOT,
		M_BOOTWAIT, M_PF, M_PWAIT, M_INITDEFAULT, M_SYSINIT,
	};
	/*
	 * Only these actions will be allowed for entries which
	 * are specified for single-user mode.
	 */
	short su_acts = M_INITDEFAULT | M_PF | M_PWAIT | M_WAIT;

	if (fp_inittab == NULL) {
		/*
		 * Before attempting to open inittab we stat it to make
		 * sure it currently exists and is not empty.  We try
		 * several times because someone may have temporarily
		 * unlinked or truncated the file.
		 */
		for (i = 0; i < 3; i++) {
			if (stat(INITTAB, &sbuf) == -1) {
				if (i == 2) {
					console(B_TRUE,
					    "Cannot stat %s, errno: %d\n",
					    INITTAB, errno);
					return (FAILURE);
				} else {
					timer(3);
				}
			} else if (sbuf.st_size < 10) {
				if (i == 2) {
					console(B_TRUE,
					    "%s truncated or corrupted\n",
					    INITTAB);
					return (FAILURE);
				} else {
					timer(3);
				}
			} else {
				break;
			}
		}

		/*
		 * If unable to open inittab, print error message and
		 * return FAILURE to caller.
		 */
		if ((fp_inittab = fopen(INITTAB, "r")) == NULL) {
			console(B_TRUE, "Cannot open %s errno: %d\n", INITTAB,
			    errno);
			return (FAILURE);
		}
	}

	/*
	 * Keep getting commands from inittab until you find a
	 * good one or run out of file.
	 */
	for (answer = FALSE; answer == FALSE; ) {
		/*
		 * Zero out the cmd itself before trying next line.
		 */
		bzero(cmd, sizeof (struct CMD_LINE));

		/*
		 * Read in lines of inittab, parsing at colons, until a line is
		 * read in which doesn't end with a backslash.  Do not start if
		 * the first character read is an EOF.  Note that this means
		 * that lines which don't end in a newline are still processed,
		 * since the "for" will terminate normally once started,
		 * regardless of whether line terminates with a newline or EOF.
		 */
		state = FAILURE;
		if ((c = fgetc(fp_inittab)) == EOF) {
			answer = FALSE;
			(void) fclose(fp_inittab);
			fp_inittab = NULL;
			break;
		}

		for (proceed = TRUE, ptr = shcmd, state = ID, lastc = '\0';
		    proceed && c != EOF;
		    lastc = c, c = fgetc(fp_inittab)) {
		    /* If we're not in the FAILURE state and haven't	*/
		    /* yet reached the shell command field, process	*/
		    /* the line, otherwise just look for a real end	*/
		    /* of line.						*/
		    if (state != FAILURE && state != COMMAND) {
			/*
			 * Squeeze out spaces and tabs.
			 */
			if (c == ' ' || c == '\t')
				continue;

			/*
			 * Ignore characters in a comment, except for the \n.
			 */
			if (state == COMMENT) {
				if (c == '\n') {
					lastc = ' ';
					break;
				} else {
					continue;
				}
			}

			/*
			 * Detect comments (lines whose first non-whitespace
			 * character is '#') by checking that we're at the
			 * beginning of a line, have seen a '#', and haven't
			 * yet accumulated any characters.
			 */
			if (state == ID && c == '#' && ptr == shcmd) {
				state = COMMENT;
				continue;
			}

			/*
			 * If the character is a ':', then check the
			 * previous field for correctness and advance
			 * to the next field.
			 */
			if (c == ':') {
			    switch (state) {

			    case ID :
				/*
				 * Check to see that there are only
				 * 1 to 4 characters for the id.
				 */
				if ((i = ptr - shcmd) < 1 || i > 4) {
					state = FAILURE;
				} else {
					bcopy(shcmd, &cmd->c_id[0], i);
					ptr = shcmd;
					state = LEVELS;
				}
				break;

			    case LEVELS :
				/*
				 * Build a mask for all the levels for
				 * which this command will be legal.
				 */
				for (cmd->c_levels = 0, ptr1 = shcmd;
				    ptr1 < ptr; ptr1++) {
					int mask;
					if (lvlname_to_mask(*ptr1,
					    &mask) == -1) {
						state = FAILURE;
						break;
					}
					cmd->c_levels |= mask;
				}
				if (state != FAILURE) {
					state = ACTION;
					ptr = shcmd;	/* Reset the buffer */
				}
				break;

			    case ACTION :
				/*
				 * Null terminate the string in shcmd buffer and
				 * then try to match against legal actions.  If
				 * the field is of length 0, then the default of
				 * "RESPAWN" is used if the id is numeric,
				 * otherwise the default is "OFF".
				 */
				if (ptr == shcmd) {
					if (isdigit(cmd->c_id[0]) &&
					    (cmd->c_id[1] == '\0' ||
						isdigit(cmd->c_id[1])) &&
					    (cmd->c_id[2] == '\0' ||
						isdigit(cmd->c_id[2])) &&
					    (cmd->c_id[3] == '\0' ||
						isdigit(cmd->c_id[3])))
						    cmd->c_action = M_RESPAWN;
					else
						    cmd->c_action = M_OFF;
				} else {
				    for (cmd->c_action = 0, i = 0, *ptr = '\0';
				    i < sizeof (actions)/sizeof (char *);
				    i++) {
					if (strcmp(shcmd, actions[i]) == 0) {
					    if ((cmd->c_levels & MASKSU) &&
						!(act_masks[i] & su_acts))
						    cmd->c_action = 0;
					    else
						cmd->c_action = act_masks[i];
					    break;
					}
				    }
				}

				/*
				 * If the action didn't match any legal action,
				 * set state to FAILURE.
				 */
				if (cmd->c_action == 0) {
					state = FAILURE;
				} else {
					state = COMMAND;
					(void) strcpy(shcmd, "exec ");
				}
				ptr = shcmd + EXEC;
				break;
			    }
			    continue;
			}
		    }

		    /* If the character is a '\n', then this is the end of a */
		    /* line.  If the '\n' wasn't preceded by a backslash, */
		    /* it is also the end of an inittab command.  If it was */
		    /* preceded by a backslash then the next line is a */
		    /* continuation.  Note that the continuation '\n' falls */
		    /* through and is treated like other characters and is */
		    /* stored in the shell command line. */
		    if (c == '\n' && lastc != '\\') {
				proceed = FALSE;
				*ptr = '\0';
				break;
		    }

		    /* For all other characters just stuff them into the */
		    /* command as long as there aren't too many of them. */
		    /* Make sure there is room for a terminating '\0' also. */
		    if (ptr >= shcmd + MAXCMDL - 1)
			state = FAILURE;
		    else
			*ptr++ = (char)c;

		    /* If the character we just stored was a quoted	*/
		    /* backslash, then change "c" to '\0', so that this	*/
		    /* backslash will not cause a subsequent '\n' to appear */
		    /* quoted.  In otherwords '\' '\' '\n' is the real end */
		    /* of a command, while '\' '\n' is a continuation. */
		    if (c == '\\' && lastc == '\\')
			c = '\0';
		}

		/*
		 * Make sure all the fields are properly specified
		 * for a good command line.
		 */
		if (state == COMMAND) {
			answer = TRUE;
			cmd->c_command = shcmd;

			/*
			 * If no default level was supplied, insert
			 * all numerical levels.
			 */
			if (cmd->c_levels == 0)
				cmd->c_levels = MASK_NUMERIC;

			/*
			 * If no action has been supplied, declare this
			 * entry to be OFF.
			 */
			if (cmd->c_action == 0)
				cmd->c_action = M_OFF;

			/*
			 * If no shell command has been supplied, make sure
			 * there is a null string in the command field.
			 */
			if (ptr == shcmd + EXEC)
				*shcmd = '\0';
		} else
			answer = FALSE;

		/*
		 * If we have reached the end of inittab, then close it
		 * and quit trying to find a good command line.
		 */
		if (c == EOF) {
			(void) fclose(fp_inittab);
			fp_inittab = NULL;
			break;
		}
	}
	return (answer);
}

/*
 * lvlname_to_state(): convert the character name of a state to its level
 * (its corresponding signal number).
 */
static int
lvlname_to_state(char name)
{
	int i;
	for (i = 0; i < LVL_NELEMS; i++) {
		if (lvls[i].lvl_name == name)
			return (lvls[i].lvl_state);
	}
	return (-1);
}

/*
 * state_to_name(): convert the level to the character name.
 */
static char
state_to_name(int state)
{
	int i;
	for (i = 0; i < LVL_NELEMS; i++) {
		if (lvls[i].lvl_state == state)
			return (lvls[i].lvl_name);
	}
	return (-1);
}

/*
 * state_to_mask(): return the mask corresponding to a signal number
 */
static int
state_to_mask(int state)
{
	int i;
	for (i = 0; i < LVL_NELEMS; i++) {
		if (lvls[i].lvl_state == state)
			return (lvls[i].lvl_mask);
	}
	return (0);	/* return 0, since that represents an empty mask */
}

/*
 * lvlname_to_mask(): return the mask corresponding to a levels character name
 */
static int
lvlname_to_mask(char name, int *mask)
{
	int i;
	for (i = 0; i < LVL_NELEMS; i++) {
		if (lvls[i].lvl_name == name) {
			*mask = lvls[i].lvl_mask;
			return (0);
		}
	}
	return (-1);
}

/*
 * state_to_flags(): return the flags corresponding to a runlevel.  These
 * indicate properties of that runlevel.
 */
static int
state_to_flags(int state)
{
	int i;
	for (i = 0; i < LVL_NELEMS; i++) {
		if (lvls[i].lvl_state == state)
			return (lvls[i].lvl_flags);
	}
	return (0);
}

/*
 * killproc() creates a child which kills the process specified by pid.
 */
void
killproc(pid_t pid)
{
	struct PROC_TABLE	*process;

	(void) sigset(SIGCLD, SIG_DFL);
	while ((process = efork(M_OFF, NULLPROC, 0)) == NO_ROOM)
		(void) pause();
	(void) sigset(SIGCLD, childeath);

	if (process == NULLPROC) {
		/*
		 * efork() sets all signal handlers to the default, so reset
		 * the ALRM handler to make timer() work as expected.
		 */
		(void) sigset(SIGALRM, alarmclk);

		/*
		 * We are the child.  Try to terminate the process nicely
		 * first using SIGTERM and if it refuses to die in TWARN
		 * seconds kill it with SIGKILL.
		 */
		(void) kill(pid, SIGTERM);
		(void) timer(TWARN);
		(void) kill(pid, SIGKILL);
		(void) exit(0);
	}
}

/*
 * Set up the default environment for all procs to be forked from init.
 * Read the values from the /etc/default/init file, except for PATH.  If
 * there's not enough room in the environment array, the environment
 * lines that don't fit are silently discarded.
 */
void
init_env()
{
	char	line[MAXCMDL];
	FILE	*fp;
	int	inquotes, length, wslength;
	char	*tokp, *cp1, *cp2;

	glob_envp[0] = malloc((unsigned)(strlen(DEF_PATH)+2));
	(void) strcpy(glob_envp[0], DEF_PATH);
	glob_envn = 1;

	if (rflg) {
		glob_envp[1] =
			malloc((unsigned)(strlen("_DVFS_RECONFIG=YES")+2));
		(void) strcpy(glob_envp[1], "_DVFS_RECONFIG=YES");
		++glob_envn;
	} else if (bflg == 1) {
		glob_envp[1] =
			malloc((unsigned)(strlen("RB_NOBOOTRC=YES")+2));
		(void) strcpy(glob_envp[1], "RB_NOBOOTRC=YES");
		++glob_envn;
	}

	if ((fp = fopen(ENVFILE, "r")) == NULL) {
		console(B_TRUE,
		    "Cannot open %s. Environment not initialized.\n",
		    ENVFILE);
	} else {
		while (fgets(line, MAXCMDL - 1, fp) != NULL &&
		    glob_envn < MAXENVENT - 2) {
			/*
			 * Toss newline
			 */
			length = strlen(line);
			if (line[length - 1] == '\n')
				line[length - 1] = '\0';

			/*
			 * Ignore blank or comment lines.
			 */
			if (line[0] == '#' || line[0] == '\0' ||
			    (wslength = strspn(line, " \t\n")) ==
			    strlen(line) ||
			    strchr(line, '#') == line + wslength)
				continue;

			/*
			 * First make a pass through the line and change
			 * any non-quoted semi-colons to blanks so they
			 * will be treated as token separators below.
			 */
			inquotes = 0;
			for (cp1 = line; *cp1 != '\0'; cp1++) {
				if (*cp1 == '"') {
					if (inquotes == 0)
						inquotes = 1;
					else
						inquotes = 0;
				} else if (*cp1 == ';') {
					if (inquotes == 0)
						*cp1 = ' ';
				}
			}

			/*
			 * Tokens within the line are separated by blanks
			 *  and tabs.  For each token in the line which
			 * contains a '=' we strip out any quotes and then
			 * stick the token in the environment array.
			 */
			if ((tokp = strtok(line, " \t")) == NULL)
				continue;
			do {
				if (strchr(tokp, '=') == NULL)
					continue;
				length = strlen(tokp);
				while ((cp1 = strpbrk(tokp, "\"\'")) != NULL) {
					for (cp2 = cp1;
					    cp2 < &tokp[length]; cp2++)
						*cp2 = *(cp2 + 1);
					length--;
				}

				if (strncmp(tokp, "CMASK=",
				    sizeof ("CMASK=") - 1) == 0) {
					long t;

					/* We know there's an = */
					t = strtol(strchr(tokp, '=') + 1, NULL,
					    8);

					/* Sanity */
					if (t <= 077 && t >= 0)
						cmask = (int)t;
					(void) umask(cmask);
					continue;
				}
				glob_envp[glob_envn] =
				    malloc((unsigned)(length + 1));
				(void) strcpy(glob_envp[glob_envn], tokp);
				if (++glob_envn >= MAXENVENT - 1)
					break;
			} while ((tokp = strtok(NULL, " \t")) != NULL);
		}

		/*
		 * Append a null pointer to the environment array
		 * to mark its end.
		 */
		glob_envp[glob_envn] = NULL;
		(void) fclose(fp);
	}
}

/*
 * boot_init(): Do initialization things that should be done at boot.
 */
void
boot_init()
{
	int i;
	struct PROC_TABLE *process, *oprocess;
	struct CMD_LINE	cmd;
	char	line[MAXCMDL];
	char *old_path;
	int maxfiles;

	/* Use INIT_PATH for sysinit cmds */
	old_path = glob_envp[0];
	glob_envp[0] = malloc((unsigned)(strlen(INIT_PATH)+2));
	(void) strcpy(glob_envp[0], INIT_PATH);

	/*
	 * Scan inittab(4) and process the special svc.startd entry, initdefault
	 * and sysinit entries.
	 */
	while (getcmd(&cmd, &line[0]) == TRUE) {
		if (startd_tmpl >= 0 && id_eq(cmd.c_id, "smf"))
			process_startd_line(&cmd, line);
		else if (cmd.c_action == M_INITDEFAULT) {
			/*
			 * initdefault is no longer meaningful, as the SMF
			 * milestone controls what (legacy) run level we
			 * boot to.
			 */
			console(B_TRUE,
			    "Ignoring legacy \"initdefault\" entry.\n");
		} else if (cmd.c_action == M_SYSINIT) {
			/*
			 * Execute the "sysinit" entry and wait for it to
			 * complete.  No bookkeeping is performed on these
			 * entries because we avoid writing to the file system
			 * until after there has been an chance to check it.
			 */
			if (process = findpslot(&cmd)) {
				(void) sigset(SIGCLD, SIG_DFL);

				for (oprocess = process;
				    (process = efork(M_OFF, oprocess,
				    (NAMED|NOCLEANUP))) == NO_ROOM;
				    /* CSTYLED */)
					;
				(void) sigset(SIGCLD, childeath);

				if (process == NULLPROC) {
					maxfiles = ulimit(UL_GDESLIM, 0);

					for (i = 0; i < maxfiles; i++)
						(void) fcntl(i, F_SETFD,
						    FD_CLOEXEC);
					(void) execle(SH, "INITSH", "-c",
					    cmd.c_command,
					    (char *)0, glob_envp);
					console(B_TRUE,
"Command\n\"%s\"\n failed to execute.  errno = %d (exec of shell failed)\n",
						cmd.c_command, errno);
					exit(1);
				} else while (waitproc(process) == FAILURE);
				process->p_flags = 0;
				st_write();
			}
		}
	}

	/* Restore the path. */
	free(glob_envp[0]);
	glob_envp[0] = old_path;

	/*
	 * This will enable st_write() to complain about init_state_file.
	 */
	booting = 0;

	/*
	 * If the /etc/ioctl.syscon didn't exist or had invalid contents write
	 * out a correct version.
	 */
	if (write_ioctl)
		write_ioctl_syscon();

	/*
	 * Start svc.startd(1M), which does most of the work.
	 */
	if (startd_cline[0] != '\0' && startd_tmpl >= 0) {
		/* Start svc.startd. */
		if (startd_run(startd_cline, startd_tmpl, 0) == -1)
			cur_state = SINGLE_USER;
	} else {
		console(B_TRUE, "Absent svc.startd entry or bad "
		    "contract template.  Not starting svc.startd.\n");
		enter_maintenance();
	}
}

/*
 * init_signals(): Initialize all signals to either be caught or ignored.
 */
void
init_signals(void)
{
	struct sigaction act;
	int i;

	/*
	 * Start by ignoring all signals, then selectively re-enable some.
	 * The SIG_IGN disposition will only affect asynchronous signals:
	 * any signal that we trigger synchronously that doesn't end up
	 * being handled by siglvl() will be forcibly delivered by the kernel.
	 */
	for (i = SIGHUP; i <= SIGRTMAX; i++)
		(void) sigset(i, SIG_IGN);

	/*
	 * Handle all level-changing signals using siglvl() and set sa_mask so
	 * that all level-changing signals are blocked while in siglvl().
	 */
	act.sa_handler = siglvl;
	act.sa_flags = SA_SIGINFO;
	(void) sigemptyset(&act.sa_mask);

	(void) sigaddset(&act.sa_mask, LVLQ);
	(void) sigaddset(&act.sa_mask, LVL0);
	(void) sigaddset(&act.sa_mask, LVL1);
	(void) sigaddset(&act.sa_mask, LVL2);
	(void) sigaddset(&act.sa_mask, LVL3);
	(void) sigaddset(&act.sa_mask, LVL4);
	(void) sigaddset(&act.sa_mask, LVL5);
	(void) sigaddset(&act.sa_mask, LVL6);
	(void) sigaddset(&act.sa_mask, SINGLE_USER);
	(void) sigaddset(&act.sa_mask, LVLa);
	(void) sigaddset(&act.sa_mask, LVLb);
	(void) sigaddset(&act.sa_mask, LVLc);

	(void) sigaction(LVLQ, &act, NULL);
	(void) sigaction(LVL0, &act, NULL);
	(void) sigaction(LVL1, &act, NULL);
	(void) sigaction(LVL2, &act, NULL);
	(void) sigaction(LVL3, &act, NULL);
	(void) sigaction(LVL4, &act, NULL);
	(void) sigaction(LVL5, &act, NULL);
	(void) sigaction(LVL6, &act, NULL);
	(void) sigaction(SINGLE_USER, &act, NULL);
	(void) sigaction(LVLa, &act, NULL);
	(void) sigaction(LVLb, &act, NULL);
	(void) sigaction(LVLc, &act, NULL);

	(void) sigset(SIGALRM, alarmclk);
	alarmclk();

	(void) sigset(SIGCLD, childeath);
	(void) sigset(SIGPWR, powerfail);
}

/*
 * Set up pipe for "godchildren". If the file exists and is a pipe just open
 * it. Else, if the file system is r/w create it.  Otherwise, defer its
 * creation and open until after the sysinit functions have had a chance to
 * make the root read/write.
 */
void
setup_pipe()
{
	struct stat stat_buf;
	struct statvfs statvfs_buf;

	if ((stat(INITPIPE, &stat_buf) == 0) &&
	    ((stat_buf.st_mode & (S_IFMT|S_IRUSR)) == (S_IFIFO|S_IRUSR)))
		Pfd = open(INITPIPE, O_RDWR | O_NDELAY);
	else
		if ((statvfs(INITPIPE_DIR, &statvfs_buf) == 0) &&
		    ((statvfs_buf.f_flag & ST_RDONLY) == 0)) {
			(void) unlink(INITPIPE);
			(void) mknod(INITPIPE, S_IFIFO | 0600, 0);
			Pfd = open(INITPIPE, O_RDWR | O_NDELAY);
		}

	if (Pfd >= 0) {
		(void) ioctl(Pfd, I_SETSIG, S_INPUT);
		/*
		 * Read pipe in message discard mode.
		 */
		(void) ioctl(Pfd, I_SRDOPT, RMSGD);
		(void) sigset(SIGPOLL, sigpoll);
	}
}

/*
 * siglvl - handle an asynchronous signal from init(1M) telling us that we
 * should change the current run level.  We set new_state accordingly.
 */
void
siglvl(int sig, siginfo_t *sip, ucontext_t *ucp)
{
	struct PROC_TABLE *process;
	struct sigaction act;

	/*
	 * If the signal was from the kernel (rather than init(1M)) then init
	 * itself tripped the signal.  That is, we might have a bug and tripped
	 * a real SIGSEGV instead of receiving it as an alias for SIGLVLa.  In
	 * such a case we reset the disposition to SIG_DFL, block all signals
	 * in uc_mask but the current one, and return to the interrupted ucp
	 * to effect an appropriate death.  The kernel will then restart us.
	 *
	 * The one exception to SI_FROMKERNEL() is SIGFPE (a.k.a. LVL6), which
	 * the kernel can send us when it wants to effect an orderly reboot.
	 * For this case we must also verify si_code is zero, rather than a
	 * code such as FPE_INTDIV which a bug might have triggered.
	 */
	if (sip != NULL && SI_FROMKERNEL(sip) &&
	    (sig != SIGFPE || sip->si_code == 0)) {

		(void) sigemptyset(&act.sa_mask);
		act.sa_handler = SIG_DFL;
		act.sa_flags = 0;
		(void) sigaction(sig, &act, NULL);

		(void) sigfillset(&ucp->uc_sigmask);
		(void) sigdelset(&ucp->uc_sigmask, sig);
		ucp->uc_flags |= UC_SIGMASK;

		(void) setcontext(ucp);
	}

	/*
	 * If the signal received is a LVLQ signal, do not really
	 * change levels, just restate the current level.  If the
	 * signal is not a LVLQ, set the new level to the signal
	 * received.
	 */
	if (sig == LVLQ)
		new_state = cur_state;
	else
		new_state = sig;

	/*
	 * Clear all times and repeat counts in the process table
	 * since either the level is changing or the user has editted
	 * the inittab file and wants us to look at it again.
	 * If the user has fixed a typo, we don't want residual timing
	 * data preventing the fixed command line from executing.
	 */
	for (process = proc_table;
		(process < proc_table + num_proc); process++) {
		process->p_time = 0L;
		process->p_count = 0;
	}

	/*
	 * Set the flag to indicate that a "user signal" was received.
	 */
	wakeup.w_flags.w_usersignal = 1;
}


/*
 * alarmclk
 */
static void
alarmclk()
{
	time_up = TRUE;
}

/*
 * childeath_single():
 *
 * This used to be the SIGCLD handler and it was set with signal()
 * (as opposed to sigset()).  When a child exited we'd come to the
 * handler, wait for the child, and reenable the handler with
 * signal() just before returning.  The implementation of signal()
 * checks with waitid() for waitable children and sends a SIGCLD
 * if there are some.  If children are exiting faster than the
 * handler can run we keep sending signals and the handler never
 * gets to return and eventually the stack runs out and init dies.
 * To prevent that we set the handler with sigset() so the handler
 * doesn't need to be reset, and in childeath() (see below) we
 * call childeath_single() as long as there are children to be
 * waited for.  If a child exits while init is in the handler a
 * SIGCLD will be pending and delivered on return from the handler.
 * If the child was already waited for the handler will have nothing
 * to do and return, otherwise the child will be waited for.
 */
static void
childeath_single()
{
	struct PROC_TABLE	*process;
	struct pidlist		*pp;
	pid_t			pid;
	int			status;

	/*
	 * Perform wait to get the process id of the child that died and
	 * then scan the process table to see if we are interested in
	 * this process. NOTE: if a super-user sends the SIGCLD signal
	 * to init, the following wait will not immediately return and
	 * init will be inoperative until one of its child really does die.
	 */
	pid = wait(&status);

	for (process = proc_table;
		(process < proc_table + num_proc); process++) {
		if ((process->p_flags & (LIVING|OCCUPIED)) ==
		    (LIVING|OCCUPIED) && process->p_pid == pid) {

			/*
			 * Mark this process as having died and store the exit
			 * status.  Also set the wakeup flag for a dead child
			 * and break out of the loop.
			 */
			process->p_flags &= ~LIVING;
			process->p_exit = (short)status;
			wakeup.w_flags.w_childdeath = 1;

			return;
		}
	}

	/*
	 * No process was found above, look through auxiliary list.
	 */
	(void) sighold(SIGPOLL);
	pp = Plhead;
	while (pp) {
		if (pid > pp->pl_pid) {
			/*
			 * Keep on looking.
			 */
			pp = pp->pl_next;
			continue;
		} else if (pid < pp->pl_pid) {
			/*
			 * Not in the list.
			 */
			break;
		} else {
			/*
			 * This is a dead "godchild".
			 */
			pp->pl_dflag = 1;
			pp->pl_exit = (short)status;
			wakeup.w_flags.w_childdeath = 1;
			Gchild = 1;	/* Notice to call cleanaux(). */
			break;
		}
	}

	(void) sigrelse(SIGPOLL);
}

/* ARGSUSED */
static void
childeath(int signo)
{
	siginfo_t info;

	while ((waitid(P_ALL, (id_t)0, &info, WEXITED|WNOHANG|WNOWAIT) == 0) &&
	    info.si_pid != 0)
		childeath_single();
}

static void
powerfail()
{
	(void) nice(-19);
	wakeup.w_flags.w_powerhit = 1;
}

/*
 * efork() forks a child and the parent inserts the process in its table
 * of processes that are directly a result of forks that it has performed.
 * The child just changes the "global" with the process id for this process
 * to it's new value.
 * If efork() is called with a pointer into the proc_table it uses that slot,
 * otherwise it searches for a free slot.  Regardless of how it was called,
 * it returns the pointer to the proc_table entry
 *
 * The SIGCLD handler is set to default (SIG_DFL) before calling efork().
 * This relies on the somewhat obscure SVR2 SIGCLD/SIG_DFL semantic
 * implied by the use of signal(3c).  While the meaning of SIG_DFL for
 * SIGCLD is nominally to ignore the signal, once the signal disposition
 * is set to childeath(), the kernel will post a SIGCLD if a child
 * exited during the period the disposition was SIG_DFL.  It acts more
 * like a signal block.
 *
 * Ideally, this should be rewritten to use modern signal semantics.
 */
static struct PROC_TABLE *
efork(int action, struct PROC_TABLE *process, int modes)
{
	pid_t	childpid;
	struct PROC_TABLE *proc;
	int		i;
	void (*oldroutine)();
	/*
	 * Freshen up the proc_table, removing any entries for dead processes
	 * that don't have NOCLEANUP set.  Perform the necessary accounting.
	 */
	for (proc = proc_table; (proc < proc_table + num_proc); proc++) {
		if ((proc->p_flags & (OCCUPIED|LIVING|NOCLEANUP)) ==
		    (OCCUPIED)) {
			/*
			 * Is this a named process?
			 * If so, do the necessary bookkeeping.
			 */
			if (proc->p_flags & NAMED)
				(void) account(DEAD_PROCESS, proc, NULL);

			/*
			 * Free this entry for new usage.
			 */
			proc->p_flags = 0;
		}
	}

	while ((childpid = fork()) == FAILURE) {
		/*
		 * Shorten the alarm timer in case someone else's child dies
		 * and free up a slot in the process table.
		 */
		setimer(5);

		/*
		 * Wait for some children to die.  Since efork() is normally
		 * called with SIGCLD in the default state, reset it to catch
		 * so that child death signals can come in.
		 */
		oldroutine = sigset(SIGCLD, childeath);
		(void) pause();
		(void) sigset(SIGCLD, oldroutine);
		setimer(0);
	}

	if (childpid != 0) {

		if (process == NULLPROC) {
			/*
			 * No proc table pointer specified so search
			 * for a free slot.
			 */
			for (process = proc_table;  process->p_flags != 0 &&
				(process < proc_table + num_proc); process++)
					;

			if (process == (proc_table + num_proc)) {
				int old_proc_table_size = num_proc;

				/* Increase the process table size */
				increase_proc_table_size();
				if (old_proc_table_size == num_proc) {
					/* didn't grow: memory failure */
					return (NO_ROOM);
				} else {
					process =
					    proc_table + old_proc_table_size;
				}
			}

			process->p_time = 0L;
			process->p_count = 0;
		}
		process->p_id[0] = '\0';
		process->p_id[1] = '\0';
		process->p_id[2] = '\0';
		process->p_id[3] = '\0';
		process->p_pid = childpid;
		process->p_flags = (LIVING | OCCUPIED | modes);
		process->p_exit = 0;

		st_write();
	} else {
		if ((action & (M_WAIT | M_BOOTWAIT)) == 0)
			(void) setpgrp();

		process = NULLPROC;

		/*
		 * Reset all signals to the system defaults.
		 */
		for (i = SIGHUP; i <= SIGRTMAX; i++)
			(void) sigset(i, SIG_DFL);

		/*
		 * POSIX B.2.2.2 advises that init should set SIGTTOU,
		 * SIGTTIN, and SIGTSTP to SIG_IGN.
		 *
		 * Make sure that SIGXCPU and SIGXFSZ also remain ignored,
		 * for backward compatibility.
		 */
		(void) sigset(SIGTTIN, SIG_IGN);
		(void) sigset(SIGTTOU, SIG_IGN);
		(void) sigset(SIGTSTP, SIG_IGN);
		(void) sigset(SIGXCPU, SIG_IGN);
		(void) sigset(SIGXFSZ, SIG_IGN);
	}
	return (process);
}


/*
 * waitproc() waits for a specified process to die.  For this function to
 * work, the specified process must already in the proc_table.  waitproc()
 * returns the exit status of the specified process when it dies.
 */
static long
waitproc(struct PROC_TABLE *process)
{
	int		answer;
	sigset_t	oldmask, newmask, zeromask;

	(void) sigemptyset(&zeromask);
	(void) sigemptyset(&newmask);

	(void) sigaddset(&newmask, SIGCLD);

	/* Block SIGCLD and save the current signal mask */
	if (sigprocmask(SIG_BLOCK, &newmask, &oldmask) < 0)
		perror("SIG_BLOCK error");

	/*
	 * Wait around until the process dies.
	 */
	if (process->p_flags & LIVING)
		(void) sigsuspend(&zeromask);

	/* Reset signal mask to unblock SIGCLD */
	if (sigprocmask(SIG_SETMASK, &oldmask, NULL) < 0)
		perror("SIG_SETMASK error");

	if (process->p_flags & LIVING)
		return (FAILURE);

	/*
	 * Make sure to only return 16 bits so that answer will always
	 * be positive whenever the process of interest really died.
	 */
	answer = (process->p_exit & 0xffff);

	/*
	 * Free the slot in the proc_table.
	 */
	process->p_flags = 0;
	return (answer);
}

/*
 * notify_pam_dead(): calls into the PAM framework to close the given session.
 */
static void
notify_pam_dead(struct utmpx *up)
{
	pam_handle_t *pamh;
	char user[sizeof (up->ut_user) + 1];
	char ttyn[sizeof (up->ut_line) + 1];
	char host[sizeof (up->ut_host) + 1];

	/*
	 * PAM does not take care of updating utmpx/wtmpx.
	 */
	(void) snprintf(user, sizeof (user), "%s", up->ut_user);
	(void) snprintf(ttyn, sizeof (ttyn), "%s", up->ut_line);
	(void) snprintf(host, sizeof (host), "%s", up->ut_host);

	if (pam_start("init", user, NULL, &pamh) == PAM_SUCCESS)  {
		(void) pam_set_item(pamh, PAM_TTY, ttyn);
		(void) pam_set_item(pamh, PAM_RHOST, host);
		(void) pam_close_session(pamh, 0);
		(void) pam_end(pamh, PAM_SUCCESS);
	}
}

/*
 * Check you can access utmpx (As / may be read-only and
 * /var may not be mounted yet).
 */
static int
access_utmpx(void)
{
	do {
		utmpx_ok = (access(UTMPX, R_OK|W_OK) == 0);
	} while (!utmpx_ok && errno == EINTR);

	return (utmpx_ok);
}

/*
 * account() updates entries in utmpx and appends new entries to the end of
 * wtmpx (assuming they exist).  The program argument indicates the name of
 * program if INIT_PROCESS, otherwise should be NULL.
 *
 * account() only blocks for INIT_PROCESS requests.
 *
 * Returns non-zero if write failed.
 */
static int
account(short state, struct PROC_TABLE *process, char *program)
{
	struct utmpx utmpbuf, *u, *oldu;
	int tmplen;
	char fail_buf[UT_LINE_SZ];
	sigset_t block, unblock;

	if (!utmpx_ok && !access_utmpx()) {
		return (-1);
	}

	/*
	 * Set up the prototype for the utmp structure we want to write.
	 */
	u = &utmpbuf;
	(void) memset(u, 0, sizeof (struct utmpx));

	/*
	 * Fill in the various fields of the utmp structure.
	 */
	u->ut_id[0] = process->p_id[0];
	u->ut_id[1] = process->p_id[1];
	u->ut_id[2] = process->p_id[2];
	u->ut_id[3] = process->p_id[3];
	u->ut_pid = process->p_pid;

	/*
	 * Fill the "ut_exit" structure.
	 */
	u->ut_exit.e_termination = WTERMSIG(process->p_exit);
	u->ut_exit.e_exit = WEXITSTATUS(process->p_exit);
	u->ut_type = state;

	(void) time(&u->ut_tv.tv_sec);

	/*
	 * Block signals for utmp update.
	 */
	(void) sigfillset(&block);
	(void) sigprocmask(SIG_BLOCK, &block, &unblock);

	/*
	 * See if there already is such an entry in the "utmpx" file.
	 */
	setutxent();	/* Start at beginning of utmpx file. */

	if ((oldu = getutxid(u)) != NULL) {
		/*
		 * Copy in the old "user", "line" and "host" fields
		 * to our new structure.
		 */
		bcopy(oldu->ut_user, u->ut_user, sizeof (u->ut_user));
		bcopy(oldu->ut_line, u->ut_line, sizeof (u->ut_line));
		bcopy(oldu->ut_host, u->ut_host, sizeof (u->ut_host));
		u->ut_syslen = (tmplen = strlen(u->ut_host)) ?
			min(tmplen + 1, sizeof (u->ut_host)) : 0;

		if (oldu->ut_type == USER_PROCESS && state == DEAD_PROCESS) {
			notify_pam_dead(oldu);
		}
	}

	/*
	 * Perform special accounting. Insert the special string into the
	 * ut_line array. For INIT_PROCESSes put in the name of the
	 * program in the "ut_user" field.
	 */
	switch (state) {
	case INIT_PROCESS:
		(void) strncpy(u->ut_user, program, sizeof (u->ut_user));
		(void) strcpy(fail_buf, "INIT_PROCESS");
		break;

	default:
		(void) strlcpy(fail_buf, u->ut_id, sizeof (u->ut_id) + 1);
		break;
	}

	/*
	 * Write out the updated entry to utmpx file.
	 */
	if (pututxline(u) == NULL) {
		console(B_TRUE, "Failed write of utmpx entry: \"%s\": %s\n",
		    fail_buf, strerror(errno));
		endutxent();
		(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
		return (-1);
	}

	/*
	 * If we're able to write to utmpx, then attempt to add to the
	 * end of the wtmpx file.
	 */
	updwtmpx(WTMPX, u);

	endutxent();

	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);

	return (0);
}

static void
clearent(pid_t pid, short status)
{
	struct utmpx *up;
	sigset_t block, unblock;

	/*
	 * Block signals for utmp update.
	 */
	(void) sigfillset(&block);
	(void) sigprocmask(SIG_BLOCK, &block, &unblock);

	/*
	 * No error checking for now.
	 */

	setutxent();
	while (up = getutxent()) {
		if (up->ut_pid == pid) {
			if (up->ut_type == DEAD_PROCESS) {
				/*
				 * Cleaned up elsewhere.
				 */
				continue;
			}

			notify_pam_dead(up);

			up->ut_type = DEAD_PROCESS;
			up->ut_exit.e_termination = WTERMSIG(status);
			up->ut_exit.e_exit = WEXITSTATUS(status);
			(void) time(&up->ut_tv.tv_sec);

			(void) pututxline(up);
			/*
			 * Now attempt to add to the end of the
			 * wtmp and wtmpx files.  Do not create
			 * if they don't already exist.
			 */
			updwtmpx(WTMPX, up);

			break;
		}
	}

	endutxent();
	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
}

/*
 * prog_name() searches for the word or unix path name and
 * returns a pointer to the last element of the pathname.
 */
static char *
prog_name(char *string)
{
	char	*ptr, *ptr2;
	/* XXX - utmp - fix name length */
	static char word[_POSIX_LOGIN_NAME_MAX];

	/*
	 * Search for the first word skipping leading spaces and tabs.
	 */
	while (*string == ' ' || *string == '\t')
		string++;

	/*
	 * If the first non-space non-tab character is not one allowed in
	 * a word, return a pointer to a null string, otherwise parse the
	 * pathname.
	 */
	if (*string != '.' && *string != '/' && *string != '_' &&
	    (*string < 'a' || *string > 'z') &&
	    (*string < 'A' || * string > 'Z') &&
	    (*string < '0' || *string > '9'))
		return ("");

	/*
	 * Parse the pathname looking forward for '/', ' ', '\t', '\n' or
	 * '\0'.  Each time a '/' is found, move "ptr" to one past the
	 * '/', thus when a ' ', '\t', '\n', or '\0' is found, "ptr" will
	 * point to the last element of the pathname.
	 */
	for (ptr = string;
		*string != ' ' && *string != '\t' && *string != '\n' &&
							*string != '\0';
		string++) {
		if (*string == '/')
			ptr = string+1;
	}

	/*
	 * Copy out up to the size of the "ut_user" array into "word",
	 * null terminate it and return a pointer to it.
	 */
	/* XXX - utmp - fix name length */
	for (ptr2 = &word[0]; ptr2 < &word[_POSIX_LOGIN_NAME_MAX - 1] &&
	    ptr < string; /* CSTYLED */)
		*ptr2++ = *ptr++;

	*ptr2 = '\0';
	return (&word[0]);
}


/*
 * realcon() returns a nonzero value if there is a character device
 * associated with SYSCON that has the same device number as CONSOLE.
 */
static int
realcon()
{
	struct stat sconbuf, conbuf;

	if (stat(SYSCON, &sconbuf) != -1 &&
	    stat(CONSOLE, &conbuf) != -1 &&
	    sconbuf.st_mode & S_IFCHR &&
	    conbuf.st_mode & S_IFCHR &&
	    sconbuf.st_rdev == conbuf.st_rdev) {
		return (1);
	} else {
		return (0);
	}
}


/*
 * get_ioctl_syscon() retrieves the SYSCON settings from the IOCTLSYSCON file.
 * Returns true if the IOCTLSYSCON file needs to be written (with
 * write_ioctl_syscon() below)
 */
static int
get_ioctl_syscon()
{
	FILE	*fp;
	unsigned int	iflags, oflags, cflags, lflags, ldisc, cc[18];
	int		i, valid_format = 0;

	/*
	 * Read in the previous modes for SYSCON from IOCTLSYSCON.
	 */
	if ((fp = fopen(IOCTLSYSCON, "r")) == NULL) {
		stored_syscon_termios = dflt_termios;
		console(B_TRUE,
		    "warning:%s does not exist, default settings assumed\n",
		    IOCTLSYSCON);
	} else {

	    i = fscanf(fp,
	    "%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x",
		&iflags, &oflags, &cflags, &lflags,
		&cc[0], &cc[1], &cc[2], &cc[3], &cc[4], &cc[5], &cc[6],
		&cc[7], &cc[8], &cc[9], &cc[10], &cc[11], &cc[12], &cc[13],
		&cc[14], &cc[15], &cc[16], &cc[17]);

	    if (i == 22) {
		stored_syscon_termios.c_iflag = iflags;
		stored_syscon_termios.c_oflag = oflags;
		stored_syscon_termios.c_cflag = cflags;
		stored_syscon_termios.c_lflag = lflags;
		for (i = 0; i < 18; i++)
			stored_syscon_termios.c_cc[i] = (char)cc[i];
		valid_format = 1;
	    } else if (i == 13) {
		rewind(fp);
		i = fscanf(fp, "%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x",
		    &iflags, &oflags, &cflags, &lflags, &ldisc, &cc[0], &cc[1],
		    &cc[2], &cc[3], &cc[4], &cc[5], &cc[6], &cc[7]);

		/*
		 * If the file is formatted properly, use the values to
		 * initialize the console terminal condition.
		 */
		stored_syscon_termios.c_iflag = (ushort_t)iflags;
		stored_syscon_termios.c_oflag = (ushort_t)oflags;
		stored_syscon_termios.c_cflag = (ushort_t)cflags;
		stored_syscon_termios.c_lflag = (ushort_t)lflags;
		for (i = 0; i < 8; i++)
			stored_syscon_termios.c_cc[i] = (char)cc[i];
		valid_format = 1;
	    }
	    (void) fclose(fp);

	    /* If the file is badly formatted, use the default settings. */
	    if (!valid_format)
		stored_syscon_termios = dflt_termios;
	}

	/* If the file had a bad format, rewrite it later. */
	return (!valid_format);
}


static void
write_ioctl_syscon()
{
	FILE *fp;
	int i;

	(void) unlink(SYSCON);
	(void) link(SYSTTY, SYSCON);
	(void) umask(022);
	fp = fopen(IOCTLSYSCON, "w");

	(void) fprintf(fp, "%x:%x:%x:%x:0", stored_syscon_termios.c_iflag,
	    stored_syscon_termios.c_oflag, stored_syscon_termios.c_cflag,
	    stored_syscon_termios.c_lflag);
	for (i = 0; i < 8; ++i)
		(void) fprintf(fp, ":%x", stored_syscon_termios.c_cc[i]);
	(void) putc('\n', fp);

	(void) fflush(fp);
	(void) fsync(fileno(fp));
	(void) fclose(fp);
	(void) umask(cmask);
}


/*
 * void console(boolean_t, char *, ...)
 *   Outputs the requested message to the system console.  Note that the number
 *   of arguments passed to console() should be determined by the print format.
 *
 *   The "prefix" parameter indicates whether or not "INIT: " should precede the
 *   message.
 *
 *   To make sure we write to the console in a sane fashion, we use the modes
 *   we keep in stored_syscon_termios (which we read out of /etc/ioctl.syscon).
 *   Afterwards we restore whatever modes were already there.
 */
/* PRINTFLIKE2 */
static void
console(boolean_t prefix, char *format, ...)
{
	char	outbuf[BUFSIZ];
	va_list	args;
	int fd, getret;
	struct termios old_syscon_termios;
	FILE *f;

	/*
	 * We open SYSCON anew each time in case it has changed (see
	 * userinit()).
	 */
	if ((fd = open(SYSCON, O_RDWR | O_NOCTTY)) < 0 ||
	    (f = fdopen(fd, "r+")) == NULL) {
		if (prefix)
			syslog(LOG_WARNING, "INIT: ");
		va_start(args, format);
		vsyslog(LOG_WARNING, format, args);
		va_end(args);
		if (fd >= 0)
			(void) close(fd);
		return;
	}
	setbuf(f, &outbuf[0]);

	getret = tcgetattr(fd, &old_syscon_termios);
	old_syscon_termios.c_cflag &= ~HUPCL;
	if (realcon())
		/* Don't overwrite cflag of real console. */
		stored_syscon_termios.c_cflag = old_syscon_termios.c_cflag;

	stored_syscon_termios.c_cflag &= ~HUPCL;

	(void) tcsetattr(fd, TCSANOW, &stored_syscon_termios);

	if (prefix)
		(void) fprintf(f, "\nINIT: ");
	va_start(args, format);
	(void) vfprintf(f, format, args);
	va_end(args);

	if (getret == 0)
		(void) tcsetattr(fd, TCSADRAIN, &old_syscon_termios);

	(void) fclose(f);
}

/*
 * timer() is a substitute for sleep() which uses alarm() and pause().
 */
static void
timer(int waitime)
{
	setimer(waitime);
	while (time_up == FALSE)
		(void) pause();
}

static void
setimer(int timelimit)
{
	alarmclk();
	(void) alarm(timelimit);
	time_up = (timelimit ? FALSE : TRUE);
}

/*
 * Fails with
 *   ENOMEM - out of memory
 *   ECONNABORTED - repository connection broken
 *   EPERM - permission denied
 *   EACCES - backend access denied
 *   EROFS - backend readonly
 */
static int
get_or_add_startd(scf_instance_t *inst)
{
	scf_handle_t *h;
	scf_scope_t *scope = NULL;
	scf_service_t *svc = NULL;
	int ret = 0;

	h = scf_instance_handle(inst);

	if (scf_handle_decode_fmri(h, SCF_SERVICE_STARTD, NULL, NULL, inst,
	    NULL, NULL, SCF_DECODE_FMRI_EXACT) == 0)
		return (0);

	switch (scf_error()) {
	case SCF_ERROR_CONNECTION_BROKEN:
		return (ECONNABORTED);

	case SCF_ERROR_NOT_FOUND:
		break;

	case SCF_ERROR_HANDLE_MISMATCH:
	case SCF_ERROR_INVALID_ARGUMENT:
	case SCF_ERROR_CONSTRAINT_VIOLATED:
	default:
		bad_error("scf_handle_decode_fmri", scf_error());
	}

	/* Make sure we're right, since we're adding piece-by-piece. */
	assert(strcmp(SCF_SERVICE_STARTD,
	    "svc:/system/svc/restarter:default") == 0);

	if ((scope = scf_scope_create(h)) == NULL ||
	    (svc = scf_service_create(h)) == NULL) {
		ret = ENOMEM;
		goto out;
	}

get_scope:
	if (scf_handle_get_scope(h, SCF_SCOPE_LOCAL, scope) != 0) {
		switch (scf_error()) {
		case SCF_ERROR_CONNECTION_BROKEN:
			ret = ECONNABORTED;
			goto out;

		case SCF_ERROR_NOT_FOUND:
			(void) fputs(gettext(
			    "smf(5) repository missing local scope.\n"),
			    stderr);
			exit(1);
			/* NOTREACHED */

		case SCF_ERROR_HANDLE_MISMATCH:
		case SCF_ERROR_INVALID_ARGUMENT:
		default:
			bad_error("scf_handle_get_scope", scf_error());
		}
	}

get_svc:
	if (scf_scope_get_service(scope, "system/svc/restarter", svc) != 0) {
		switch (scf_error()) {
		case SCF_ERROR_CONNECTION_BROKEN:
			ret = ECONNABORTED;
			goto out;

		case SCF_ERROR_DELETED:
			goto get_scope;

		case SCF_ERROR_NOT_FOUND:
			break;

		case SCF_ERROR_HANDLE_MISMATCH:
		case SCF_ERROR_INVALID_ARGUMENT:
		case SCF_ERROR_NOT_SET:
		default:
			bad_error("scf_scope_get_service", scf_error());
		}

add_svc:
		if (scf_scope_add_service(scope, "system/svc/restarter", svc) !=
		    0) {
			switch (scf_error()) {
			case SCF_ERROR_CONNECTION_BROKEN:
				ret = ECONNABORTED;
				goto out;

			case SCF_ERROR_EXISTS:
				goto get_svc;

			case SCF_ERROR_PERMISSION_DENIED:
				ret = EPERM;
				goto out;

			case SCF_ERROR_BACKEND_ACCESS:
				ret = EACCES;
				goto out;

			case SCF_ERROR_BACKEND_READONLY:
				ret = EROFS;
				goto out;

			case SCF_ERROR_HANDLE_MISMATCH:
			case SCF_ERROR_INVALID_ARGUMENT:
			case SCF_ERROR_NOT_SET:
			default:
				bad_error("scf_scope_add_service", scf_error());
			}
		}
	}

get_inst:
	if (scf_service_get_instance(svc, "default", inst) != 0) {
		switch (scf_error()) {
		case SCF_ERROR_CONNECTION_BROKEN:
			ret = ECONNABORTED;
			goto out;

		case SCF_ERROR_DELETED:
			goto add_svc;

		case SCF_ERROR_NOT_FOUND:
			break;

		case SCF_ERROR_HANDLE_MISMATCH:
		case SCF_ERROR_INVALID_ARGUMENT:
		case SCF_ERROR_NOT_SET:
		default:
			bad_error("scf_service_get_instance", scf_error());
		}

		if (scf_service_add_instance(svc, "default", inst) !=
		    0) {
			switch (scf_error()) {
			case SCF_ERROR_CONNECTION_BROKEN:
				ret = ECONNABORTED;
				goto out;

			case SCF_ERROR_DELETED:
				goto add_svc;

			case SCF_ERROR_EXISTS:
				goto get_inst;

			case SCF_ERROR_PERMISSION_DENIED:
				ret = EPERM;
				goto out;

			case SCF_ERROR_BACKEND_ACCESS:
				ret = EACCES;
				goto out;

			case SCF_ERROR_BACKEND_READONLY:
				ret = EROFS;
				goto out;

			case SCF_ERROR_HANDLE_MISMATCH:
			case SCF_ERROR_INVALID_ARGUMENT:
			case SCF_ERROR_NOT_SET:
			default:
				bad_error("scf_service_add_instance",
				    scf_error());
			}
		}
	}

	ret = 0;

out:
	scf_service_destroy(svc);
	scf_scope_destroy(scope);
	return (ret);
}

/*
 * Fails with
 *   ECONNABORTED - repository connection broken
 *   ECANCELED - the transaction's property group was deleted
 */
static int
transaction_add_set(scf_transaction_t *tx, scf_transaction_entry_t *ent,
    const char *pname, scf_type_t type)
{
change_type:
	if (scf_transaction_property_change_type(tx, ent, pname, type) == 0)
		return (0);

	switch (scf_error()) {
	case SCF_ERROR_CONNECTION_BROKEN:
		return (ECONNABORTED);

	case SCF_ERROR_DELETED:
		return (ECANCELED);

	case SCF_ERROR_NOT_FOUND:
		goto new;

	case SCF_ERROR_HANDLE_MISMATCH:
	case SCF_ERROR_INVALID_ARGUMENT:
	case SCF_ERROR_NOT_BOUND:
	case SCF_ERROR_NOT_SET:
	default:
		bad_error("scf_transaction_property_change_type", scf_error());
	}

new:
	if (scf_transaction_property_new(tx, ent, pname, type) == 0)
		return (0);

	switch (scf_error()) {
	case SCF_ERROR_CONNECTION_BROKEN:
		return (ECONNABORTED);

	case SCF_ERROR_DELETED:
		return (ECANCELED);

	case SCF_ERROR_EXISTS:
		goto change_type;

	case SCF_ERROR_HANDLE_MISMATCH:
	case SCF_ERROR_INVALID_ARGUMENT:
	case SCF_ERROR_NOT_BOUND:
	case SCF_ERROR_NOT_SET:
	default:
		bad_error("scf_transaction_property_new", scf_error());
		/* NOTREACHED */
	}
}

static void
scferr(void)
{
	switch (scf_error()) {
	case SCF_ERROR_NO_MEMORY:
		console(B_TRUE, gettext("Out of memory.\n"));
		break;

	case SCF_ERROR_CONNECTION_BROKEN:
		console(B_TRUE, gettext(
		    "Connection to smf(5) repository server broken.\n"));
		break;

	case SCF_ERROR_NO_RESOURCES:
		console(B_TRUE, gettext(
		    "smf(5) repository server is out of memory.\n"));
		break;

	case SCF_ERROR_PERMISSION_DENIED:
		console(B_TRUE, gettext("Insufficient privileges.\n"));
		break;

	default:
		console(B_TRUE, gettext("libscf error: %s\n"),
		    scf_strerror(scf_error()));
	}
}

static void
lscf_set_runlevel(char rl)
{
	scf_handle_t *h;
	scf_instance_t *inst = NULL;
	scf_propertygroup_t *pg = NULL;
	scf_transaction_t *tx = NULL;
	scf_transaction_entry_t *ent = NULL;
	scf_value_t *val = NULL;
	char buf[2];
	int r;

	h = scf_handle_create(SCF_VERSION);
	if (h == NULL) {
		scferr();
		return;
	}

	if (scf_handle_bind(h) != 0) {
		switch (scf_error()) {
		case SCF_ERROR_NO_SERVER:
			console(B_TRUE,
			    gettext("smf(5) repository server not running.\n"));
			goto bail;

		default:
			scferr();
			goto bail;
		}
	}

	if ((inst = scf_instance_create(h)) == NULL ||
	    (pg = scf_pg_create(h)) == NULL ||
	    (val = scf_value_create(h)) == NULL ||
	    (tx = scf_transaction_create(h)) == NULL ||
	    (ent = scf_entry_create(h)) == NULL) {
		scferr();
		goto bail;
	}

get_inst:
	r = get_or_add_startd(inst);
	switch (r) {
	case 0:
		break;

	case ENOMEM:
	case ECONNABORTED:
	case EPERM:
	case EACCES:
	case EROFS:
		scferr();
		goto bail;
	default:
		bad_error("get_or_add_startd", r);
	}

get_pg:
	if (scf_instance_get_pg(inst, SCF_PG_OPTIONS_OVR, pg) != 0) {
		switch (scf_error()) {
		case SCF_ERROR_CONNECTION_BROKEN:
			scferr();
			goto bail;

		case SCF_ERROR_DELETED:
			goto get_inst;

		case SCF_ERROR_NOT_FOUND:
			break;

		case SCF_ERROR_HANDLE_MISMATCH:
		case SCF_ERROR_INVALID_ARGUMENT:
		case SCF_ERROR_NOT_SET:
		default:
			bad_error("scf_instance_get_pg", scf_error());
		}

add_pg:
		if (scf_instance_add_pg(inst, SCF_PG_OPTIONS_OVR,
		    SCF_PG_OPTIONS_OVR_TYPE, SCF_PG_OPTIONS_OVR_FLAGS, pg) !=
		    0) {
			switch (scf_error()) {
			case SCF_ERROR_CONNECTION_BROKEN:
			case SCF_ERROR_PERMISSION_DENIED:
			case SCF_ERROR_BACKEND_ACCESS:
				scferr();
				goto bail;

			case SCF_ERROR_DELETED:
				goto get_inst;

			case SCF_ERROR_EXISTS:
				goto get_pg;

			case SCF_ERROR_HANDLE_MISMATCH:
			case SCF_ERROR_INVALID_ARGUMENT:
			case SCF_ERROR_NOT_SET:
			default:
				bad_error("scf_instance_add_pg", scf_error());
			}
		}
	}

	buf[0] = rl;
	buf[1] = '\0';
	r = scf_value_set_astring(val, buf);
	assert(r == 0);

	for (;;) {
		if (scf_transaction_start(tx, pg) != 0) {
			switch (scf_error()) {
			case SCF_ERROR_CONNECTION_BROKEN:
			case SCF_ERROR_PERMISSION_DENIED:
			case SCF_ERROR_BACKEND_ACCESS:
				scferr();
				goto bail;

			case SCF_ERROR_DELETED:
				goto add_pg;

			case SCF_ERROR_HANDLE_MISMATCH:
			case SCF_ERROR_NOT_BOUND:
			case SCF_ERROR_IN_USE:
			case SCF_ERROR_NOT_SET:
			default:
				bad_error("scf_transaction_start", scf_error());
			}
		}

		r = transaction_add_set(tx, ent, "runlevel", SCF_TYPE_ASTRING);
		switch (r) {
		case 0:
			break;

		case ECONNABORTED:
			scferr();
			goto bail;

		case ECANCELED:
			scf_transaction_reset(tx);
			goto add_pg;

		default:
			bad_error("transaction_add_set", r);
		}

		r = scf_entry_add_value(ent, val);
		assert(r == 0);

		r = scf_transaction_commit(tx);
		if (r == 1)
			break;

		if (r != 0) {
			switch (scf_error()) {
			case SCF_ERROR_CONNECTION_BROKEN:
			case SCF_ERROR_PERMISSION_DENIED:
			case SCF_ERROR_BACKEND_ACCESS:
			case SCF_ERROR_BACKEND_READONLY:
				scferr();
				goto bail;

			case SCF_ERROR_DELETED:
				scf_transaction_reset(tx);
				goto add_pg;

			case SCF_ERROR_INVALID_ARGUMENT:
			case SCF_ERROR_NOT_BOUND:
			case SCF_ERROR_NOT_SET:
			default:
				bad_error("scf_transaction_commit",
				    scf_error());
			}
		}

		scf_transaction_reset(tx);
		(void) scf_pg_update(pg);
	}

bail:
	scf_transaction_destroy(tx);
	scf_entry_destroy(ent);
	scf_value_destroy(val);
	scf_pg_destroy(pg);
	scf_instance_destroy(inst);

	(void) scf_handle_unbind(h);
	scf_handle_destroy(h);
}

/*
 * Function to handle requests from users to main init running as process 1.
 */
static void
userinit(int argc, char **argv)
{
	FILE	*fp;
	char	*ln;
	int	init_signal;
	struct stat	sconbuf, conbuf;
	int turnoff = 0;
	const char *usage_msg = "Usage: init [0123456SsQqabc]\n";

	/*
	 * We are a user invoked init.  Is there an argument and is it
	 * a single character?  If not, print usage message and quit.
	 */
	if (argc != 2 || argv[1][1] != '\0') {
		(void) fprintf(stderr, usage_msg);
		exit(0);
	}

	if ((init_signal = lvlname_to_state((char)argv[1][0])) == -1) {
		(void) fprintf(stderr, usage_msg);
		(void) audit_put_record(ADT_FAILURE, ADT_FAIL_VALUE_BAD_CMD,
		    argv[1]);
		exit(1);
	}

	turnoff = LSEL_NOAUDIT & state_to_flags(init_signal);

	if (init_signal == SINGLE_USER) {
		/*
		 * Make sure this process is talking to a legal tty line
		 * and that /dev/syscon is linked to this line.
		 */
		ln = ttyname(0);	/* Get the name of tty */
		if (ln == NULL) {
			(void) fprintf(stderr,
			    "Standard input not a tty line\n");
			(void) audit_put_record(ADT_FAILURE,
			    ADT_FAIL_VALUE_BAD_TTY, argv[1]);
			exit(1);
		}
		if (stat(ln, &sconbuf) != -1 &&
		    stat(SYSCON, &conbuf) != -1 &&
		    sconbuf.st_rdev != conbuf.st_rdev &&
		    sconbuf.st_ino != conbuf.st_ino) {
			/*
			 * Unlink /dev/syscon and relink it to the current line.
			 */
			if (unlink(SYSCON) == FAILURE) {
				perror("Can't unlink /dev/syscon");
				(void) fprintf(stderr,
				    "Run command on the system console.\n");
				(void) audit_put_record(ADT_FAILURE,
				    ADT_FAIL_VALUE_PROGRAM, argv[1]);
				exit(1);
			}
			if (link(ln, SYSCON) == FAILURE) {
				(void) fprintf(stderr,
				    "Can't link /dev/syscon to %s: %s", ln,
				    strerror(errno));

				/* Try to leave a syscon */
				(void) link(SYSTTY, SYSCON);
				(void) audit_put_record(ADT_FAILURE,
				    ADT_FAIL_VALUE_PROGRAM, argv[1]);
				exit(1);
			}

			/*
			 * Try to leave a message on system console saying where
			 * /dev/syscon is currently connected.
			 */
			if ((fp = fopen(SYSTTY, "r+")) != NULL) {
				(void) fprintf(fp,
				    "\n****	SYSCON CHANGED TO %s	****\n",
				    ln);
				(void) fclose(fp);
			}
		}
	}

	update_boot_archive(init_signal);

	if (audit_put_record(ADT_SUCCESS, ADT_SUCCESS, argv[1]) &&
	    turnoff) {
		/* turn off audit daemon and try to flush audit queue */

		if (system("/usr/sbin/audit -t")) {
			(void) fprintf(stderr, "%s: can't turn off auditd\n",
				argv[0]);
		} else {
			(void) sleep(5);
		}
	}

	/*
	 * Signal init; init will take care of telling svc.startd.
	 */
	if (kill(init_pid, init_signal) == FAILURE) {
		(void) fprintf(stderr, "Must be super-user\n");
		(void) audit_put_record(ADT_FAILURE,
		    ADT_FAIL_VALUE_AUTH, argv[1]);
		exit(1);
	}

	exit(0);
}


#define	DELTA	25	/* Number of pidlist elements to allocate at a time */

/* ARGSUSED */
void
sigpoll(int n)
{
	struct pidrec prec;
	struct pidrec *p = &prec;
	struct pidlist *plp;
	struct pidlist *tp, *savetp;
	int i;

	if (Pfd < 0) {
		return;
	}
	(void) sigset(SIGCLD, SIG_DFL);
	for (;;) {
		/*
		 * Important Note: Either read will really fail (in which case
		 * return is all we can do) or will get EAGAIN (Pfd was opened
		 * O_NDELAY), in which case we also want to return.
		 * Always return from here!
		 */
		if (read(Pfd, p, sizeof (struct pidrec)) !=
						sizeof (struct pidrec)) {
			(void) sigset(SIGCLD, childeath);
			return;
		}
		switch (p->pd_type) {

		case ADDPID:
			/*
			 * New "godchild", add to list.
			 */
			if (Plfree == NULL) {
				plp = (struct pidlist *)calloc(DELTA,
				    sizeof (struct pidlist));
				if (plp == NULL) {
					/* Can't save pid */
					break;
				}
				/*
				 * Point at 2nd record allocated, we'll use plp.
				 */
				tp = plp + 1;
				/*
				 * Link them into a chain.
				 */
				Plfree = tp;
				for (i = 0; i < DELTA - 2; i++) {
					tp->pl_next = tp + 1;
					tp++;
				}
			} else {
				plp = Plfree;
				Plfree = plp->pl_next;
			}
			plp->pl_pid = p->pd_pid;
			plp->pl_dflag = 0;
			plp->pl_next = NULL;
			/*
			 * Note - pid list is kept in increasing order of pids.
			 */
			if (Plhead == NULL) {
				Plhead = plp;
				/* Back up to read next record */
				break;
			} else {
				savetp = tp = Plhead;
				while (tp) {
					if (plp->pl_pid > tp->pl_pid) {
						savetp = tp;
						tp = tp->pl_next;
						continue;
					} else if (plp->pl_pid < tp->pl_pid) {
						if (tp == Plhead) {
							plp->pl_next = Plhead;
							Plhead = plp;
						} else {
							plp->pl_next =
							    savetp->pl_next;
							savetp->pl_next = plp;
						}
						break;
					} else {
						/* Already in list! */
						plp->pl_next = Plfree;
						Plfree = plp;
						break;
					}
				}
				if (tp == NULL) {
					/* Add to end of list */
					savetp->pl_next = plp;
				}
			}
			/* Back up to read next record. */
			break;

		case REMPID:
			/*
			 * This one was handled by someone else,
			 * purge it from the list.
			 */
			if (Plhead == NULL) {
				/* Back up to read next record. */
				break;
			}
			savetp = tp = Plhead;
			while (tp) {
				if (p->pd_pid > tp->pl_pid) {
					/* Keep on looking. */
					savetp = tp;
					tp = tp->pl_next;
					continue;
				} else if (p->pd_pid < tp->pl_pid) {
					/* Not in list. */
					break;
				} else {
					/* Found it. */
					if (tp == Plhead)
						Plhead = tp->pl_next;
					else
						savetp->pl_next = tp->pl_next;
					tp->pl_next = Plfree;
					Plfree = tp;
					break;
				}
			}
			/* Back up to read next record. */
			break;
		default:
			console(B_TRUE, "Bad message on initpipe\n");
			break;
		}
	}
}


static void
cleanaux()
{
	struct pidlist *savep, *p;
	pid_t	pid;
	short	status;

	(void) sigset(SIGCLD, SIG_DFL);
	Gchild = 0;	/* Note - Safe to do this here since no SIGCLDs */
	(void) sighold(SIGPOLL);
	savep = p = Plhead;
	while (p) {
		if (p->pl_dflag) {
			/*
			 * Found an entry to delete,
			 * remove it from list first.
			 */
			pid = p->pl_pid;
			status = p->pl_exit;
			if (p == Plhead) {
				Plhead = p->pl_next;
				p->pl_next = Plfree;
				Plfree = p;
				savep = p = Plhead;
			} else {
				savep->pl_next = p->pl_next;
				p->pl_next = Plfree;
				Plfree = p;
				p = savep->pl_next;
			}
			clearent(pid, status);
			continue;
		}
		savep = p;
		p = p->pl_next;
	}
	(void) sigrelse(SIGPOLL);
	(void) sigset(SIGCLD, childeath);
}


/*
 * /etc/inittab has more entries and we have run out of room in the proc_table
 * array. Double the size of proc_table to accomodate the extra entries.
 */
static void
increase_proc_table_size()
{
	sigset_t block, unblock;
	void *ptr;
	size_t delta = num_proc * sizeof (struct PROC_TABLE);


	/*
	 * Block signals for realloc.
	 */
	(void) sigfillset(&block);
	(void) sigprocmask(SIG_BLOCK, &block, &unblock);


	/*
	 * On failure we just return because callers of this function check
	 * for failure.
	 */
	do
		ptr = realloc(g_state, g_state_sz + delta);
	while (ptr == NULL && errno == EAGAIN);

	if (ptr != NULL) {
		/* ensure that the new part is initialized to zero */
		bzero((caddr_t)ptr + g_state_sz, delta);

		g_state = ptr;
		g_state_sz += delta;
		num_proc <<= 1;
	}


	/* unblock our signals before returning */
	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
}



/*
 * Sanity check g_state.
 */
static int
st_sane()
{
	int i;
	struct PROC_TABLE *ptp;


	/* Note: cur_state is encoded as a signal number */
	if (cur_state < 1 || cur_state == 9 || cur_state > 13)
		return (0);

	/* Check num_proc */
	if (g_state_sz != sizeof (struct init_state) + (num_proc - 1) *
	    sizeof (struct PROC_TABLE))
		return (0);

	/* Check proc_table */
	for (i = 0, ptp = proc_table; i < num_proc; ++i, ++ptp) {
		/* skip unoccupied entries */
		if (!(ptp->p_flags & OCCUPIED))
			continue;

		/* p_flags has no bits outside of PF_MASK */
		if (ptp->p_flags & ~(PF_MASK))
			return (0);

		/* 5 <= pid <= MAXPID */
		if (ptp->p_pid < 5 || ptp->p_pid > MAXPID)
			return (0);

		/* p_count >= 0 */
		if (ptp->p_count < 0)
			return (0);

		/* p_time >= 0 */
		if (ptp->p_time < 0)
			return (0);
	}

	return (1);
}

/*
 * Initialize our state.
 *
 * If the system just booted, then init_state_file, which is located on an
 * everpresent tmpfs filesystem, should not exist.
 *
 * If we were restarted, then init_state_file should exist, in
 * which case we'll read it in, sanity check it, and use it.
 *
 * Note: You can't call console() until proc_table is ready.
 */
void
st_init()
{
	struct stat stb;
	int ret, st_fd, insane = 0;
	size_t to_be_read;
	char *ptr;


	booting = 1;

	do {
		/*
		 * If we can exclusively create the file, then we're the
		 * initial invocation of init(1M).
		 */
		st_fd = open(init_state_file, O_RDWR | O_CREAT | O_EXCL,
		    S_IRUSR | S_IWUSR);
	} while (st_fd == -1 && errno == EINTR);
	if (st_fd != -1)
		goto new_state;

	booting = 0;

	do {
		st_fd = open(init_state_file, O_RDWR, S_IRUSR | S_IWUSR);
	} while (st_fd == -1 && errno == EINTR);
	if (st_fd == -1)
		goto new_state;

	/* Get the size of the file. */
	do
		ret = fstat(st_fd, &stb);
	while (ret == -1 && errno == EINTR);
	if (ret == -1)
		goto new_state;

	do
		g_state = malloc(stb.st_size);
	while (g_state == NULL && errno == EAGAIN);
	if (g_state == NULL)
		goto new_state;

	to_be_read = stb.st_size;
	ptr = (char *)g_state;
	while (to_be_read > 0) {
		ssize_t read_ret;

		read_ret = read(st_fd, ptr, to_be_read);
		if (read_ret < 0) {
			if (errno == EINTR)
				continue;

			goto new_state;
		}

		to_be_read -= read_ret;
		ptr += read_ret;
	}

	(void) close(st_fd);

	g_state_sz = stb.st_size;

	if (st_sane()) {
		console(B_TRUE, "Restarting.\n");
		return;
	}

	insane = 1;

new_state:
	if (st_fd >= 0)
		(void) close(st_fd);
	else
		(void) unlink(init_state_file);

	if (g_state != NULL)
		free(g_state);

	/* Something went wrong, so allocate new state. */
	g_state_sz = sizeof (struct init_state) +
	    ((init_num_proc - 1) * sizeof (struct PROC_TABLE));
	do
		g_state = calloc(1, g_state_sz);
	while (g_state == NULL && errno == EAGAIN);
	if (g_state == NULL) {
		/* Fatal error! */
		exit(errno);
	}

	g_state->ist_runlevel = -1;
	num_proc = init_num_proc;

	if (!booting) {
		console(B_TRUE, "Restarting.\n");

		/* Overwrite the bad state file. */
		st_write();

		if (!insane) {
			console(B_TRUE,
			    "Error accessing persistent state file `%s'.  "
			    "Ignored.\n", init_state_file);
		} else {
			console(B_TRUE,
			    "Persistent state file `%s' is invalid and was "
			    "ignored.\n", init_state_file);
		}
	}
}

/*
 * Write g_state out to the state file.
 */
void
st_write()
{
	static int complained = 0;

	int st_fd;
	char *cp;
	size_t sz;
	ssize_t ret;


	do {
		st_fd = open(init_next_state_file,
		    O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
	} while (st_fd < 0 && errno == EINTR);
	if (st_fd < 0)
		goto err;

	cp = (char *)g_state;
	sz = g_state_sz;
	while (sz > 0) {
		ret = write(st_fd, cp, sz);
		if (ret < 0) {
			if (errno == EINTR)
				continue;

			goto err;
		}

		sz -= ret;
		cp += ret;
	}

	(void) close(st_fd);
	st_fd = -1;
	if (rename(init_next_state_file, init_state_file)) {
		(void) unlink(init_next_state_file);
		goto err;
	}
	complained = 0;

	return;

err:
	if (st_fd >= 0)
		(void) close(st_fd);

	if (!booting && !complained) {
		/*
		 * Only complain after the filesystem should have come up.
		 * And only do it once so we don't loop between console()
		 * & efork().
		 */
		complained = 1;
		if (st_fd)
			console(B_TRUE, "Couldn't write persistent state "
			    "file `%s'.\n", init_state_file);
		else
			console(B_TRUE, "Couldn't move persistent state "
			    "file `%s' to `%s'.\n", init_next_state_file,
			    init_state_file);
	}
}

/*
 * Create a contract with these parameters.
 */
static int
contract_make_template(uint_t info, uint_t critical, uint_t fatal,
    uint64_t cookie)
{
	int fd, err;

	char *ioctl_tset_emsg =
	    "Couldn't set \"%s\" contract template parameter: %s.\n";

	do
		fd = open64(CTFS_ROOT "/process/template", O_RDWR);
	while (fd < 0 && errno == EINTR);
	if (fd < 0) {
		console(B_TRUE, "Couldn't create process template: %s.\n",
		    strerror(errno));
		return (-1);
	}

	if (err = ct_pr_tmpl_set_param(fd, CT_PR_INHERIT | CT_PR_REGENT))
		console(B_TRUE, "Contract set template inherit, regent "
		    "failed.\n");

	/*
	 * These errors result in a misconfigured template, which is better
	 * than no template at all, so warn but don't abort.
	 */
	if (err = ct_tmpl_set_informative(fd, info))
		console(B_TRUE, ioctl_tset_emsg, "informative", strerror(err));

	if (err = ct_tmpl_set_critical(fd, critical))
		console(B_TRUE, ioctl_tset_emsg, "critical", strerror(err));

	if (err = ct_pr_tmpl_set_fatal(fd, fatal))
		console(B_TRUE, ioctl_tset_emsg, "fatal", strerror(err));

	if (err = ct_tmpl_set_cookie(fd, cookie))
		console(B_TRUE, ioctl_tset_emsg, "cookie", strerror(err));

	(void) fcntl(fd, F_SETFD, FD_CLOEXEC);

	return (fd);
}

/*
 * Create the templates and open an event file descriptor.  We use dup2(2) to
 * get these descriptors away from the stdin/stdout/stderr group.
 */
static void
contracts_init()
{
	int err, fd;

	/*
	 * Create & configure a legacy template.  We only want empty events so
	 * we know when to abandon them.
	 */
	legacy_tmpl = contract_make_template(0, CT_PR_EV_EMPTY, CT_PR_EV_HWERR,
	    ORDINARY_COOKIE);
	if (legacy_tmpl >= 0) {
		err = ct_tmpl_activate(legacy_tmpl);
		if (err != 0) {
			(void) close(legacy_tmpl);
			legacy_tmpl = -1;
			console(B_TRUE,
			    "Couldn't activate legacy template (%s); "
			    "legacy services will be in init's contract.\n",
			    strerror(err));
		}
	} else
		console(B_TRUE,
		    "Legacy services will be in init's contract.\n");

	if (dup2(legacy_tmpl, 255) == -1) {
		console(B_TRUE, "Could not duplicate legacy template: %s.\n",
		    strerror(errno));
	} else {
		(void) close(legacy_tmpl);
		legacy_tmpl = 255;
	}

	(void) fcntl(legacy_tmpl, F_SETFD, FD_CLOEXEC);

	startd_tmpl = contract_make_template(0, CT_PR_EV_EMPTY,
	    CT_PR_EV_HWERR | CT_PR_EV_SIGNAL | CT_PR_EV_CORE, STARTD_COOKIE);

	if (dup2(startd_tmpl, 254) == -1) {
		console(B_TRUE, "Could not duplicate startd template: %s.\n",
		    strerror(errno));
	} else {
		(void) close(startd_tmpl);
		startd_tmpl = 254;
	}

	(void) fcntl(startd_tmpl, F_SETFD, FD_CLOEXEC);

	if (legacy_tmpl < 0 && startd_tmpl < 0) {
		/* The creation errors have already been reported. */
		console(B_TRUE,
		    "Ignoring contract events.  Core smf(5) services will not "
		    "be restarted.\n");
		return;
	}

	/*
	 * Open an event endpoint.
	 */
	do
		fd = open64(CTFS_ROOT "/process/pbundle", O_RDONLY);
	while (fd < 0 && errno == EINTR);
	if (fd < 0) {
		console(B_TRUE,
		    "Couldn't open process pbundle: %s.  Core smf(5) services "
		    "will not be restarted.\n", strerror(errno));
		return;
	}

	if (dup2(fd, 253) == -1) {
		console(B_TRUE, "Could not duplicate process bundle: %s.\n",
		    strerror(errno));
	} else {
		(void) close(fd);
		fd = 253;
	}

	(void) fcntl(fd, F_SETFD, FD_CLOEXEC);

	/* Reset in case we've been restarted. */
	(void) ct_event_reset(fd);

	poll_fds[0].fd = fd;
	poll_fds[0].events = POLLIN;
	poll_nfds = 1;
}

static int
contract_getfile(ctid_t id, const char *name, int oflag)
{
	int fd;

	do
		fd = contract_open(id, "process", name, oflag);
	while (fd < 0 && errno == EINTR);

	if (fd < 0)
		console(B_TRUE, "Couldn't open %s for contract %ld: %s.\n",
		    name, id, strerror(errno));

	return (fd);
}

static int
contract_cookie(ctid_t id, uint64_t *cp)
{
	int fd, err;
	ct_stathdl_t sh;

	fd = contract_getfile(id, "status", O_RDONLY);
	if (fd < 0)
		return (-1);

	err = ct_status_read(fd, CTD_COMMON, &sh);
	if (err != 0) {
		console(B_TRUE, "Couldn't read status of contract %ld: %s.\n",
		    id, strerror(err));
		(void) close(fd);
		return (-1);
	}

	(void) close(fd);

	*cp = ct_status_get_cookie(sh);

	ct_status_free(sh);
	return (0);
}

static void
contract_ack(ct_evthdl_t e)
{
	int fd;

	if (ct_event_get_flags(e) & CTE_INFO)
		return;

	fd = contract_getfile(ct_event_get_ctid(e), "ctl", O_WRONLY);
	if (fd < 0)
		return;

	(void) ct_ctl_ack(fd, ct_event_get_evid(e));
	(void) close(fd);
}

/*
 * Process a contract event.
 */
static void
contract_event(struct pollfd *poll)
{
	ct_evthdl_t e;
	int err;
	ctid_t ctid;

	if (!(poll->revents & POLLIN)) {
		if (poll->revents & POLLERR)
			console(B_TRUE,
			    "Unknown poll error on my process contract "
			    "pbundle.\n");
		return;
	}

	err = ct_event_read(poll->fd, &e);
	if (err != 0) {
		console(B_TRUE, "Error retrieving contract event: %s.\n",
		    strerror(err));
		return;
	}

	ctid = ct_event_get_ctid(e);

	if (ct_event_get_type(e) == CT_PR_EV_EMPTY) {
		uint64_t cookie;
		int ret, abandon = 1;

		/* If it's svc.startd, restart it.  Else, abandon. */
		ret = contract_cookie(ctid, &cookie);

		if (ret == 0) {
			if (cookie == STARTD_COOKIE &&
			    do_restart_startd) {
				if (smf_debug)
					console(B_TRUE, "Restarting "
					    "svc.startd.\n");

				/*
				 * Account for the failure.  If the failure rate
				 * exceeds a threshold, then drop to maintenance
				 * mode.
				 */
				startd_record_failure();
				if (startd_failure_rate_critical())
					enter_maintenance();

				if (startd_tmpl < 0)
					console(B_TRUE,
					    "Restarting svc.startd in "
					    "improper contract (bad "
					    "template).\n");

				(void) startd_run(startd_cline, startd_tmpl,
				    ctid);

				abandon = 0;
			}
		}

		if (abandon && (err = contract_abandon_id(ctid))) {
			console(B_TRUE, "Couldn't abandon contract %ld: %s.\n",
			    ctid, strerror(err));
		}

		/*
		 * No need to acknowledge the event since either way the
		 * originating contract should be abandoned.
		 */
	} else {
		console(B_TRUE,
		    "Received contract event of unexpected type %d from "
		    "contract %ld.\n", ct_event_get_type(e), ctid);

		if ((ct_event_get_flags(e) & (CTE_INFO | CTE_ACK)) == 0)
			/* Allow unexpected critical events to be released. */
			contract_ack(e);
	}

	ct_event_free(e);
}

/*
 * svc.startd(1M) Management
 */

/*
 * (Re)start svc.startd(1M).  old_ctid should be the contract ID of the old
 * contract, or 0 if we're starting it for the first time.  If wait is true
 * we'll wait for and return the exit value of the child.
 */
static int
startd_run(const char *cline, int tmpl, ctid_t old_ctid)
{
	int err, i, ret, did_activate;
	pid_t pid;
	struct stat sb;

	if (cline[0] == '\0')
		return (-1);

	/*
	 * Don't restart startd if the system is rebooting or shutting down.
	 */
	do {
		ret = stat("/etc/svc/volatile/resetting", &sb);
	} while (ret == -1 && errno == EINTR);

	if (ret == 0) {
		if (smf_debug)
			console(B_TRUE, "Quiescing for reboot.\n");
		(void) pause();
		return (-1);
	}

	err = ct_pr_tmpl_set_transfer(tmpl, old_ctid);
	if (err == EINVAL) {
		console(B_TRUE, "Remake startd_tmpl; reattempt transfer.\n");
		tmpl = startd_tmpl = contract_make_template(0, CT_PR_EV_EMPTY,
		    CT_PR_EV_HWERR, STARTD_COOKIE);

		err = ct_pr_tmpl_set_transfer(tmpl, old_ctid);
	}
	if (err != 0) {
		console(B_TRUE,
		    "Couldn't set transfer parameter of contract template: "
		    "%s.\n", strerror(err));
	}

	did_activate = !(ct_tmpl_activate(tmpl));
	if (!did_activate)
		console(B_TRUE,
		    "Template activation failed; not starting \"%s\" in "
		    "proper contract.\n", cline);

	/* Hold SIGCHLD so we can wait if necessary. */
	(void) sighold(SIGCHLD);

	while ((pid = fork()) < 0) {
		if (errno == EPERM) {
			console(B_TRUE, "Insufficient permission to fork.\n");

			/* Now that's a doozy. */
			exit(1);
		}

		console(B_TRUE,
		    "fork() for svc.startd failed: %s.  Will retry in 1 "
		    "second...\n", strerror(errno));

		(void) sleep(1);

		/* Eventually give up? */
	}

	if (pid == 0) {
		/* child */

		/* See the comment in efork() */
		for (i = SIGHUP; i <= SIGRTMAX; ++i) {
			if (i == SIGTTOU || i == SIGTTIN || i == SIGTSTP)
				(void) sigset(i, SIG_IGN);
			else
				(void) sigset(i, SIG_DFL);
		}

		if (smf_options != NULL) {
			/* Put smf_options in the environment. */
			glob_envp[glob_envn] =
			    malloc(sizeof ("SMF_OPTIONS=") - 1 +
				strlen(smf_options) + 1);

			if (glob_envp[glob_envn] != NULL) {
				/* LINTED */
				(void) sprintf(glob_envp[glob_envn],
				    "SMF_OPTIONS=%s", smf_options);
				glob_envp[glob_envn+1] = NULL;
			} else {
				console(B_TRUE,
				    "Could not set SMF_OPTIONS (%s).\n",
				    strerror(errno));
			}
		}

		if (smf_debug)
			console(B_TRUE, "Executing svc.startd\n");

		(void) execle(SH, "INITSH", "-c", cline, NULL, glob_envp);

		console(B_TRUE, "Could not exec \"%s\" (%s).\n", SH,
		    strerror(errno));

		exit(1);
	}

	/* parent */

	if (did_activate) {
		if (legacy_tmpl < 0 || ct_tmpl_activate(legacy_tmpl) != 0)
			(void) ct_tmpl_clear(tmpl);
	}

	/* Clear the old_ctid reference so the kernel can reclaim it. */
	if (old_ctid != 0)
		(void) ct_pr_tmpl_set_transfer(tmpl, 0);

	(void) sigrelse(SIGCHLD);

	return (0);
}

/*
 * void startd_record_failure(void)
 *   Place the current time in our circular array of svc.startd failures.
 */
void
startd_record_failure()
{
	int index = startd_failure_index++ % NSTARTD_FAILURE_TIMES;

	startd_failure_time[index] = gethrtime();
}

/*
 * int startd_failure_rate_critical(void)
 *   Return true if the average failure interval is less than the permitted
 *   interval.  Implicit success if insufficient measurements for an average
 *   exist.
 */
int
startd_failure_rate_critical()
{
	int n = startd_failure_index;
	hrtime_t avg_ns = 0;

	if (startd_failure_index < NSTARTD_FAILURE_TIMES)
		return (0);

	avg_ns =
	    (startd_failure_time[(n - 1) % NSTARTD_FAILURE_TIMES] -
	    startd_failure_time[n % NSTARTD_FAILURE_TIMES]) /
	    NSTARTD_FAILURE_TIMES;

	return (avg_ns < STARTD_FAILURE_RATE_NS);
}

/*
 * returns string that must be free'd
 */

static char
*audit_boot_msg()
{
	char		*b, *p;
	char		desc[] = "booted";
	zoneid_t	zid = getzoneid();

	b = malloc(sizeof (desc) + MAXNAMELEN + 3);
	if (b == NULL)
		return (b);

	p = b;
	p += strlcpy(p, desc, sizeof (desc));
	if (zid != GLOBAL_ZONEID) {
		p += strlcpy(p, ": ", 3);
		(void) getzonenamebyid(zid, p, MAXNAMELEN);
	}
	return (b);
}

/*
 * Generate AUE_init_solaris audit record.  Return 1 if
 * auditing is enabled in case the caller cares.
 *
 * In the case of userint() or a local zone invocation of
 * one_true_init, the process initially contains the audit
 * characteristics of the process that invoked init.  The first pass
 * through here uses those characteristics then for the case of
 * one_true_init in a local zone, clears them so subsequent system
 * state changes won't be attributed to the person who booted the
 * zone.
 */
static int
audit_put_record(int pass_fail, int status, char *msg)
{
	adt_session_data_t	*ah;
	adt_event_data_t	*event;

	if (!adt_audit_enabled())
		return (0);

	/*
	 * the PROC_DATA picks up the context to tell whether this is
	 * an attributed record (auid = -2 is unattributed)
	 */
	if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA)) {
		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
		return (1);
	}
	event = adt_alloc_event(ah, ADT_init_solaris);
	if (event == NULL) {
		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
		(void) adt_end_session(ah);
		return (1);
	}
	event->adt_init_solaris.info = msg;	/* NULL is ok here */

	if (adt_put_event(event, pass_fail, status)) {
		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
		(void) adt_end_session(ah);
		return (1);
	}
	adt_free_event(event);

	(void) adt_end_session(ah);

	return (1);
}