1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22/*
23 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
24 * Copyright 2017 OmniOS Community Edition (OmniOSce) Association.
25 */
26
27#include <bsm/adt.h>
28#include <bsm/adt_event.h>
29#include <assert.h>
30#include <bsm/audit.h>
31#include <bsm/audit_record.h>
32#include <bsm/libbsm.h>
33#include <door.h>
34#include <errno.h>
35#include <generic.h>
36#include <md5.h>
37#include <sys/mkdev.h>
38#include <netdb.h>
39#include <nss_dbdefs.h>
40#include <pwd.h>
41#include <sys/stat.h>
42#include <time.h>
43#include <stdlib.h>
44#include <string.h>
45#include <synch.h>
46#include <sys/systeminfo.h>
47#include <syslog.h>
48#include <thread.h>
49#include <unistd.h>
50#include <adt_xlate.h>
51#include <adt_ucred.h>
52#include <arpa/inet.h>
53#include <net/if.h>
54#include <libinetutil.h>
55
56static int adt_selected(struct adt_event_state *, au_event_t, int);
57static int adt_init(adt_internal_state_t *, int);
58static int adt_import(adt_internal_state_t *, const adt_export_data_t *);
59static m_label_t *adt_ucred_label(ucred_t *);
60static void adt_setto_unaudited(adt_internal_state_t *);
61static int adt_get_local_address(int, struct ifaddrlist *);
62
63#ifdef C2_DEBUG
64#define	DPRINTF(x) { (void) printf x; }
65#define	DFLUSH (void) fflush(stdout);
66#else
67#define	DPRINTF(x)
68#define	DFLUSH
69#endif
70
71/*
72 * Local audit states are a bit mask
73 *
74 * The global audit states are
75 *
76 * AUC_UNSET             0      - on/off hasn't been decided
77 * AUC_ENABLED           1      - loaded and enabled
78 *
79 * The local Zone states are
80 *
81 * AUC_AUDITING         0x1     - audit daemon is active
82 * AUC_NOAUDIT          0x2     - audit daemon is not active
83 * AUC_INIT_AUDIT       0x4     - audit is ready but auditd has not run
84 * AUC_NOSPACE          0x8     - audit enabled, no space for audit records
85 *
86 * The only values returned by auditon(A_GETCOND) are:
87 * AUC_INIT_AUDIT, AUC_AUDITING, AUC_NOAUDIT, AUC_NOSPACE
88 *
89 * The pseudo audit state used when the c2audit module is excluded is
90 *
91 * AUC_DISABLED		0x100	- c2audit module is excluded
92 */
93
94static int auditstate = AUC_DISABLED;	/* default state */
95
96/*
97 * adt_write_syslog
98 *
99 * errors that are not the user's fault (bugs or whatever in
100 * the underlying audit code are noted in syslog.)
101 *
102 * Avoid calling adt_write_syslog for things that can happen
103 * at high volume.
104 *
105 * syslog's open (openlog) and close (closelog) are interesting;
106 * openlog *may* create a file descriptor and is optional.  closelog
107 * *will* close any open file descriptors and is also optional.
108 *
109 * Since syslog may also be used by the calling application, the
110 * choice is to avoid openlog, which sets some otherwise useful
111 * parameters, and to embed "Solaris_audit" in the log message.
112 */
113
114void
115adt_write_syslog(const char *message, int err)
116{
117	int	save_errno = errno;
118	int	mask_priority;
119
120	DPRINTF(("syslog called: %s\n", message));
121
122	mask_priority = setlogmask(LOG_MASK(LOG_ALERT));
123	errno = err;
124	syslog(LOG_ALERT, "Solaris_audit %s: %m", message);
125	(void) setlogmask(mask_priority);
126	errno = save_errno;
127}
128
129/*
130 * return true if c2audit is not excluded.
131 *
132 *	For purpose of this API, anything but AUC_DISABLED
133 *	is enabled; however one never actually sees
134 *	AUC_DISABLED since auditon returns ENOTSUP in that case.  Any
135 *	auditon error is considered the same as ENOTSUP for our
136 *	purpose.  auditstate is not changed by auditon if an error
137 *	is returned.
138 */
139
140/*
141 * XXX	this should probably be eliminated and adt_audit_state() replace it.
142 *	All the legitimate uses	are to not fork a waiting process for
143 *	process exit processing, as in su, login, dtlogin.  Other bogus
144 *	users are zoneadmd and init.
145 *	All but dtlogin are in ON, so we can do this without cross gate
146 *	synchronization.
147 *
148 *	No longer used in adt.c.
149 */
150
151boolean_t
152adt_audit_enabled(void)
153{
154
155	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
156
157	return (auditstate != AUC_DISABLED);
158}
159
160/*
161 *	See adt_audit_enabled() for state discussions.
162 *	The state parameter is a hedge until all the uses become clear.
163 *	Likely if adt_audit_enabled is brought internal to this file,
164 *	it could be modified to take one or more parameters to describe the
165 *	state.
166 */
167
168boolean_t
169adt_audit_state(int states)
170{
171
172	(void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
173
174	return ((auditstate & states) ? B_TRUE : B_FALSE);
175}
176
177/*
178 * Get user_specific/non-attributable audit mask. This may be called even when
179 * auditing is off.
180 */
181
182static int
183adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
184{
185	struct passwd	pwd;
186	long		buff_sz;
187	char		*pwd_buff;
188
189
190	if (auditstate & AUC_DISABLED) {
191		/* c2audit excluded */
192		mask->am_success = 0;
193		mask->am_failure = 0;
194	} else if (uid <= MAXUID) {
195		if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) {
196			adt_write_syslog("couldn't determine maximum size of "
197			    "password buffer", errno);
198			return (-1);
199		}
200		if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) {
201			return (-1);
202		}
203		if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) == NULL) {
204			errno = EINVAL;	/* user doesn't exist */
205			free(pwd_buff);
206			return (-1);
207		}
208		if (au_user_mask(pwd.pw_name, mask)) {
209			free(pwd_buff);
210			errno = EFAULT; /* undetermined failure */
211			return (-1);
212		}
213		free(pwd_buff);
214	} else if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) {
215			return (-1);
216	}
217
218	return (0);
219}
220
221/*
222 * adt_get_unique_id -- generate a hopefully unique 32 bit value
223 *
224 * there will be a follow up to replace this with the use of /dev/random
225 *
226 * An MD5 hash is taken on a buffer of
227 *     hostname . audit id . unix time . pid . count
228 *
229 * "count = noise++;" is subject to a race condition but I don't
230 * see a need to put a lock around it.
231 */
232
233au_asid_t
234adt_get_unique_id(au_id_t uid)
235{
236	char		hostname[MAXHOSTNAMELEN];
237	union {
238		au_id_t		v[4];
239		unsigned char	obuff[128/8];
240	} output;
241	MD5_CTX	context;
242
243	static int	noise = 0;
244
245	int		count = noise++;
246	time_t		timebits = time(NULL);
247	pid_t		pidbits = getpid();
248	au_asid_t	retval = 0;
249
250	if (gethostname(hostname, MAXHOSTNAMELEN)) {
251		adt_write_syslog("gethostname call failed", errno);
252		(void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN);
253	}
254
255	while (retval == 0) {  /* 0 is the only invalid result */
256		MD5Init(&context);
257
258		MD5Update(&context, (unsigned char *)hostname,
259		    (unsigned int) strlen((const char *)hostname));
260
261		MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t));
262
263		MD5Update(&context,
264		    (unsigned char *) &timebits, sizeof (time_t));
265
266		MD5Update(&context, (unsigned char *) &pidbits,
267		    sizeof (pid_t));
268
269		MD5Update(&context, (unsigned char *) &(count), sizeof (int));
270		MD5Final(output.obuff, &context);
271
272		retval = output.v[count % 4];
273	}
274	return (retval);
275}
276
277/*
278 * the following "port" function deals with the following issues:
279 *
280 * 1    the kernel and ucred deal with a dev_t as a 64 bit value made
281 *      up from a 32 bit major and 32 bit minor.
282 * 2    User space deals with a dev_t as either the above 64 bit value
283 *      or a 32 bit value made from a 14 bit major and an 18 bit minor.
284 * 3    The various audit interfaces (except ucred) pass the 32 or
285 *      64 bit version depending the architecture of the userspace
286 *      application.  If you get a port value from ucred and pass it
287 *      to the kernel via auditon(), it must be squeezed into a 32
288 *      bit value because the kernel knows the userspace app's bit
289 *      size.
290 *
291 * The internal state structure for adt (adt_internal_state_t) uses
292 * dev_t, so adt converts data from ucred to fit.  The import/export
293 * functions, however, can't know if they are importing/exporting
294 * from 64 or 32 bit applications, so they always send 64 bits and
295 * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as
296 * appropriate.
297 */
298
299/*
300 * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are
301 * both 64 bits).  If lib is 32 bits, squeeze the two-int port into
302 * a 32 bit dev_t.  A port fits in the "minor" part of au_port_t,
303 * so it isn't broken up into pieces.  (When it goes to the kernel
304 * and back, however, it will have been split into major/minor
305 * pieces.)
306 */
307
308static void
309adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src)
310{
311#ifdef _LP64
312	(void) memcpy(dest, src, sizeof (au_tid_addr_t));
313#else	/* _LP64 */
314	dest->at_type = src->at_type;
315
316	dest->at_port  = src->at_port.at_minor & MAXMIN32;
317	dest->at_port |= (src->at_port.at_major & MAXMAJ32) <<
318	    NBITSMINOR32;
319
320	(void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t));
321#endif	/* _LP64 */
322}
323
324/*
325 * adt_start_session -- create interface handle, create context
326 *
327 * The imported_state input is normally NULL, if not, it represents
328 * a continued session; its values obviate the need for a subsequent
329 * call to adt_set_user().
330 *
331 * The flag is used to decide how to set the initial state of the session.
332 * If 0, the session is "no audit" until a call to adt_set_user; if
333 * ADT_USE_PROC_DATA, the session is built from the process audit
334 * characteristics obtained from the kernel.  If imported_state is
335 * not NULL, the resulting audit mask is an OR of the current process
336 * audit mask and that passed in.
337 *
338 * The basic model is that the caller can use the pointer returned
339 * by adt_start_session whether or not auditing is enabled or an
340 * error was returned.  The functions that take the session handle
341 * as input generally return without doing anything if auditing is
342 * disabled.
343 */
344
345int
346adt_start_session(adt_session_data_t **new_session,
347    const adt_export_data_t *imported_state, adt_session_flags_t flags)
348{
349	adt_internal_state_t	*state;
350	adt_session_flags_t	flgmask = ADT_FLAGS_ALL;
351
352	/* test and set auditstate */
353	if (adt_audit_state(AUC_DISABLED)) {
354		/* c2audit excluded */
355		*new_session = NULL;
356		return (0);
357	}
358
359	if ((flags & ~flgmask) != 0) {
360		errno = EINVAL;
361		goto return_err;
362	}
363
364	if ((state = calloc(1, sizeof (adt_internal_state_t))) == NULL) {
365		goto return_err;
366	}
367
368	if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0) {
369		goto return_err_free;    /* errno from adt_init() */
370	}
371
372	/*
373	 * The imported state overwrites the initial state if the
374	 * imported state represents a valid audit trail
375	 */
376
377	if (imported_state != NULL) {
378		if (adt_import(state, imported_state) != 0) {
379			goto return_err_free;
380		}
381	} else if (flags & ADT_USE_PROC_DATA) {
382		state->as_session_model = ADT_PROCESS_MODEL;
383	}
384	state->as_flags = flags;
385	DPRINTF(("(%lld) Starting session id = %08X\n",
386	    (long long) getpid(), state->as_info.ai_asid));
387
388	*new_session = (adt_session_data_t *)state;
389	return (0);
390
391return_err_free:
392	free(state);
393return_err:
394	*new_session = NULL;
395	adt_write_syslog("audit session create failed", errno);
396	return (-1);
397}
398
399/*
400 * adt_load_table()
401 *
402 * loads the event translation table into the audit session.
403 */
404
405void
406adt_load_table(const adt_session_data_t *session_data,
407    adt_translation_t **xlate, void (*preload)(au_event_t, adt_event_data_t *))
408{
409	adt_internal_state_t	*state = (adt_internal_state_t *)session_data;
410
411	if (state != NULL) {
412		assert(state->as_check == ADT_VALID);
413		state->as_xlate = xlate;
414		state->as_preload = preload;
415	}
416}
417
418/*
419 * adt_get_asid() and adt_set_asid()
420 *
421 * if you use this interface, you are responsible to insure that the
422 * rest of the session data is populated correctly before calling
423 * adt_proccess_attr()
424 *
425 * neither of these are intended for general use and will likely
426 * remain private interfaces for a long time.  Forever is a long
427 * time.  In the case of adt_set_asid(), you should have a very,
428 * very good reason for setting your own session id.  The process
429 * audit characteristics are not changed by put, use adt_set_proc().
430 *
431 * These are "volatile" (more changable than "evolving") and will
432 * probably change in the S10 period.
433 */
434
435void
436adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid)
437{
438
439	if (session_data == NULL) {
440		*asid = 0;
441	} else {
442		assert(((adt_internal_state_t *)session_data)->as_check ==
443		    ADT_VALID);
444
445		*asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid;
446	}
447}
448
449void
450adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id)
451{
452
453	if (session_data != NULL) {
454		assert(((adt_internal_state_t *)session_data)->as_check ==
455		    ADT_VALID);
456
457		((adt_internal_state_t *)session_data)->as_have_user_data |=
458		    ADT_HAVE_ASID;
459		((adt_internal_state_t *)session_data)->as_info.ai_asid =
460		    session_id;
461	}
462}
463
464/*
465 * adt_get_auid() and adt_set_auid()
466 *
467 * neither of these are intended for general use and will likely
468 * remain private interfaces for a long time.  Forever is a long
469 * time.  In the case of adt_set_auid(), you should have a very,
470 * very good reason for setting your own audit id.  The process
471 * audit characteristics are not changed by put, use adt_set_proc().
472 */
473
474void
475adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid)
476{
477
478	if (session_data == NULL) {
479		*auid = AU_NOAUDITID;
480	} else {
481		assert(((adt_internal_state_t *)session_data)->as_check ==
482		    ADT_VALID);
483
484		*auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid;
485	}
486}
487
488void
489adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id)
490{
491
492	if (session_data != NULL) {
493		assert(((adt_internal_state_t *)session_data)->as_check ==
494		    ADT_VALID);
495
496		((adt_internal_state_t *)session_data)->as_have_user_data |=
497		    ADT_HAVE_AUID;
498		((adt_internal_state_t *)session_data)->as_info.ai_auid =
499		    audit_id;
500	}
501}
502
503/*
504 * adt_get_termid(), adt_set_termid()
505 *
506 * if you use this interface, you are responsible to insure that the
507 * rest of the session data is populated correctly before calling
508 * adt_proccess_attr()
509 *
510 * The process  audit characteristics are not changed by put, use
511 * adt_set_proc().
512 */
513
514void
515adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid)
516{
517
518	if (session_data == NULL) {
519		(void) memset(termid, 0, sizeof (au_tid_addr_t));
520		termid->at_type = AU_IPv4;
521	} else {
522		assert(((adt_internal_state_t *)session_data)->as_check ==
523		    ADT_VALID);
524
525		*termid =
526		    ((adt_internal_state_t *)session_data)->as_info.ai_termid;
527	}
528}
529
530void
531adt_set_termid(const adt_session_data_t *session_data,
532    const au_tid_addr_t *termid)
533{
534
535	if (session_data != NULL) {
536		assert(((adt_internal_state_t *)session_data)->as_check ==
537		    ADT_VALID);
538
539		((adt_internal_state_t *)session_data)->as_info.ai_termid =
540		    *termid;
541
542		((adt_internal_state_t *)session_data)->as_have_user_data |=
543		    ADT_HAVE_TID;
544	}
545}
546
547/*
548 * adt_get_mask(), adt_set_mask()
549 *
550 * if you use this interface, you are responsible to insure that the
551 * rest of the session data is populated correctly before calling
552 * adt_proccess_attr()
553 *
554 * The process  audit characteristics are not changed by put, use
555 * adt_set_proc().
556 */
557
558void
559adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask)
560{
561
562	if (session_data == NULL) {
563		mask->am_success = 0;
564		mask->am_failure = 0;
565	} else {
566		assert(((adt_internal_state_t *)session_data)->as_check ==
567		    ADT_VALID);
568
569		*mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask;
570	}
571}
572
573void
574adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask)
575{
576
577	if (session_data != NULL) {
578		assert(((adt_internal_state_t *)session_data)->as_check ==
579		    ADT_VALID);
580
581		((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask;
582
583		((adt_internal_state_t *)session_data)->as_have_user_data |=
584		    ADT_HAVE_MASK;
585	}
586}
587
588/*
589 * helpers for adt_load_termid
590 */
591
592static dev_t
593adt_ports_to_at_port(in_port_t remote, in_port_t local)
594{
595	dev_t port;
596
597#ifdef _LP64
598	dev_t tmp;
599
600	/*
601	 * In 64-bit, at_port is a 64-bit value encoding major/minor
602	 * device numbers as 32-bits each. However when a 32-bit application
603	 * subsequently requests the audit address via getaudit_addr(), this
604	 * value must be capable of being compressed down to a 14-bit major and
605	 * 18-bit minor number or the call will fail.
606	 *
607	 * In order to construct a 32-bit compatible value, the top 14-bits of
608	 * the remote port are used for the major number and the remaining
609	 * 2-bits + local port are used for the minor.
610	 */
611
612	tmp = ((remote<<16) | (local));
613	port = (tmp & MAXMIN32);
614	port |= (((tmp >> NBITSMINOR32) & MAXMAJ32) << NBITSMINOR64);
615#else
616	port = ((remote<<16) | (local));
617#endif
618
619	return (port);
620}
621
622static void
623adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock,
624    au_tid_addr_t *termid)
625{
626	termid->at_port =
627	    adt_ports_to_at_port(peer->sin6_port, sock->sin6_port);
628	termid->at_type = AU_IPv6;
629	(void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t));
630}
631
632static void
633adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock,
634    au_tid_addr_t *termid)
635{
636	termid->at_port = adt_ports_to_at_port(peer->sin_port, sock->sin_port);
637	termid->at_type = AU_IPv4;
638	termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr;
639	(void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t));
640}
641
642/*
643 * adt_load_termid:  convenience function; inputs file handle and
644 * outputs an au_tid_addr struct.
645 *
646 * This code was stolen from audit_settid.c; it differs from audit_settid()
647 * in that it does not write the terminal id to the process.
648 */
649
650int
651adt_load_termid(int fd, adt_termid_t **termid)
652{
653	au_tid_addr_t		*p_term;
654	struct sockaddr_in6	peer;
655	struct sockaddr_in6	sock;
656	int			peerlen = sizeof (peer);
657	int			socklen = sizeof (sock);
658
659	/* get peer name if its a socket, else assume local terminal */
660
661	if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen)
662	    < 0) {
663		if (errno == ENOTSOCK) {
664			return (adt_load_hostname(NULL, termid));
665		}
666		goto return_err;
667	}
668
669	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
670		goto return_err;
671	}
672
673	/* get sock name */
674	if (getsockname(fd, (struct sockaddr *)&sock,
675	    (socklen_t *)&socklen) < 0) {
676		goto return_err_free;
677	}
678
679	if (peer.sin6_family == AF_INET6) {
680		adt_do_ipv6_address(&peer, &sock, p_term);
681	} else {
682		adt_do_ipv4_address((struct sockaddr_in *)&peer,
683		    (struct sockaddr_in *)&sock, p_term);
684	}
685	*termid = (adt_termid_t *)p_term;
686
687	return (0);
688
689return_err_free:
690	free(p_term);
691return_err:
692	*termid = NULL;
693	return (-1);
694}
695
696static boolean_t
697adt_have_termid(au_tid_addr_t *dest)
698{
699	struct auditinfo_addr	audit_data;
700
701	if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) {
702		adt_write_syslog("getaudit failed", errno);
703		return (B_FALSE);
704	}
705
706	if ((audit_data.ai_termid.at_type == 0) ||
707	    (audit_data.ai_termid.at_addr[0] |
708	    audit_data.ai_termid.at_addr[1]  |
709	    audit_data.ai_termid.at_addr[2]  |
710	    audit_data.ai_termid.at_addr[3]) == 0)
711		return (B_FALSE);
712
713	(void) memcpy(dest, &(audit_data.ai_termid),
714	    sizeof (au_tid_addr_t));
715
716	return (B_TRUE);
717}
718
719/*
720 * adt_get_hostIP - construct a terminal id from a hostname
721 *
722 *	Returns	 0 = success
723 *		-1 = failure and errno = ENETDOWN with the address
724 *		     defaulted to IPv4 loopback.
725 */
726
727static int
728adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term)
729{
730	struct addrinfo	*ai = NULL;
731	int	tries = 3;
732	char	msg[512];
733	int	eai_err;
734
735	while ((tries-- > 0) &&
736	    ((eai_err = getaddrinfo(hostname, NULL, NULL, &ai)) != 0)) {
737		/*
738		 * getaddrinfo returns its own set of errors.
739		 * Log them here, so any subsequent syslogs will
740		 * have a context.  adt_get_hostIP callers can only
741		 * return errno, so subsequent syslogs may be lacking
742		 * that getaddrinfo failed.
743		 */
744		(void) snprintf(msg, sizeof (msg), "getaddrinfo(%s) "
745		    "failed[%s]", hostname, gai_strerror(eai_err));
746		adt_write_syslog(msg, 0);
747
748		if (eai_err != EAI_AGAIN) {
749
750			break;
751		}
752		/* see if resolution becomes available */
753		(void) sleep(1);
754	}
755	if (ai != NULL) {
756		if (ai->ai_family == AF_INET) {
757			p_term->at_type = AU_IPv4;
758			(void) memcpy(p_term->at_addr,
759			    /* LINTED */
760			    &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
761			    AU_IPv4);
762		} else {
763			p_term->at_type = AU_IPv6;
764			(void) memcpy(p_term->at_addr,
765			    /* LINTED */
766			    &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
767			    AU_IPv6);
768		}
769		freeaddrinfo(ai);
770		return (0);
771	} else if (auditstate & (AUC_AUDITING | AUC_NOSPACE)) {
772		auditinfo_addr_t  audit_info;
773
774		/*
775		 * auditd is running so there should be a
776		 * kernel audit context
777		 */
778		if (auditon(A_GETKAUDIT, (caddr_t)&audit_info,
779		    sizeof (audit_info)) < 0) {
780			adt_write_syslog("unable to get kernel audit context",
781			    errno);
782			goto try_interface;
783		}
784		adt_write_syslog("setting Audit IP address to kernel", 0);
785		*p_term = audit_info.ai_termid;
786		return (0);
787	}
788try_interface:
789	{
790		struct ifaddrlist al;
791		int	family;
792		char	ntop[INET6_ADDRSTRLEN];
793
794		/*
795		 * getaddrinfo has failed to map the hostname
796		 * to an IP address, try to get an IP address
797		 * from a local interface.  If none up, default
798		 * to loopback.
799		 */
800		family = AF_INET6;
801		if (adt_get_local_address(family, &al) != 0) {
802			family = AF_INET;
803
804			if (adt_get_local_address(family, &al) != 0) {
805				adt_write_syslog("adt_get_local_address "
806				    "failed, no Audit IP address available, "
807				    "faking loopback and error",
808				    errno);
809				IN_SET_LOOPBACK_ADDR(
810				    (struct sockaddr_in *)&(al.addr.addr));
811				(void) memcpy(p_term->at_addr, &al.addr.addr,
812				    AU_IPv4);
813				p_term->at_type = AU_IPv4;
814				return (-1);
815			}
816		}
817		if (family == AF_INET) {
818			p_term->at_type = AU_IPv4;
819			(void) memcpy(p_term->at_addr, &al.addr.addr, AU_IPv4);
820		} else {
821			p_term->at_type = AU_IPv6;
822			(void) memcpy(p_term->at_addr, &al.addr.addr6, AU_IPv6);
823		}
824
825		(void) snprintf(msg, sizeof (msg), "mapping %s to %s",
826		    hostname, inet_ntop(family, &(al.addr), ntop,
827		    sizeof (ntop)));
828		adt_write_syslog(msg, 0);
829		return (0);
830	}
831}
832
833/*
834 * adt_load_hostname() is called when the caller does not have a file
835 * handle that gives access to the socket info or any other way to
836 * pass in both port and ip address.  The hostname input is ignored if
837 * the terminal id has already been set; instead it returns the
838 * existing terminal id.
839 *
840 * If c2audit is excluded, success is returned.
841 * If the hostname lookup fails, the loopback address is assumed,
842 * errno is set to ENETDOWN, this allows the caller to interpret
843 * whether failure is fatal, and if not to have a address for the
844 * hostname.
845 * Otherwise the caller would need to be aware of the audit state.
846 *
847 * Other errors are ignored if not auditing.
848 */
849
850int
851adt_load_hostname(const char *hostname, adt_termid_t **termid)
852{
853	char		localhost[MAXHOSTNAMELEN + 1];
854	au_tid_addr_t	*p_term;
855
856	if (adt_audit_state(AUC_DISABLED)) {
857		/* c2audit excluded */
858		*termid = NULL;
859		return (0);
860	}
861
862	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
863		goto return_err;
864	}
865
866	if (adt_have_termid(p_term)) {
867		*termid = (adt_termid_t *)p_term;
868		return (0);
869	}
870	p_term->at_port = 0;
871
872	if (hostname == NULL || *hostname == '\0') {
873		(void) sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN);
874		hostname = localhost;
875	}
876	if (adt_get_hostIP(hostname, p_term) == 0) {
877		*termid = (adt_termid_t *)p_term;
878		return (0);
879	} else {
880		*termid = (adt_termid_t *)p_term;
881		return (-1);
882	}
883
884return_err:
885	*termid = NULL;
886	if (auditstate & AUC_NOAUDIT) {
887		return (0);
888	}
889
890	return (-1);
891}
892
893/*
894 * adt_load_ttyname() is called when the caller does not have a file
895 * handle that gives access to the local terminal or any other way
896 * of determining the device id.  The ttyname input is ignored if
897 * the terminal id has already been set; instead it returns the
898 * existing terminal id.
899 *
900 * If c2audit is excluded, success is returned.
901 * The local hostname is used for the local IP address.
902 * If that hostname lookup fails, the loopback address is assumed,
903 * errno is set to ENETDOWN, this allows the caller to interpret
904 * whether failure is fatal, and if not to have a address for the
905 * hostname.
906 * Otherwise the caller would need to be aware of the audit state.
907 *
908 * Other errors are ignored if not auditing.
909 */
910
911int
912adt_load_ttyname(const char *ttyname, adt_termid_t **termid)
913{
914	char		localhost[MAXHOSTNAMELEN + 1];
915	au_tid_addr_t	*p_term;
916	struct stat	stat_buf;
917
918	if (adt_audit_state(AUC_DISABLED)) {
919		/* c2audit excluded */
920		*termid = NULL;
921		return (0);
922	}
923
924	if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
925		goto return_err;
926	}
927
928	if (adt_have_termid(p_term)) {
929		*termid = (adt_termid_t *)p_term;
930		return (0);
931	}
932
933	p_term->at_port = 0;
934
935	if (sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN) < 0) {
936		goto return_err_free; /* errno from sysinfo */
937	}
938
939	if (ttyname != NULL && *ttyname != '\0') {
940		if (stat(ttyname, &stat_buf) < 0) {
941			goto return_err_free;
942		}
943
944		p_term->at_port = stat_buf.st_rdev;
945	}
946
947	if (adt_get_hostIP(localhost, p_term) == 0) {
948		*termid = (adt_termid_t *)p_term;
949		return (0);
950	} else {
951		*termid = (adt_termid_t *)p_term;
952		return (-1);
953	}
954
955return_err_free:
956	free(p_term);
957
958return_err:
959	*termid = NULL;
960	if (auditstate & AUC_NOAUDIT) {
961		return (0);
962	}
963
964	return (-1);
965}
966
967/*
968 * adt_get_session_id returns a stringified representation of
969 * the audit session id.  See also adt_get_asid() for how to
970 * get the unexpurgated version.  No guarantees as to how long
971 * the returned string will be or its general form; hex for now.
972 *
973 * An empty string is returned if auditing is off; length = 1
974 * and the pointer is valid.
975 *
976 * returns strlen + 1 if buffer is valid; else 0 and errno.
977 */
978
979size_t
980adt_get_session_id(const adt_session_data_t *session_data, char **buff)
981{
982	au_asid_t	session_id;
983	size_t		length;
984	/*
985	 * output is 0x followed by
986	 * two characters per byte
987	 * plus terminator,
988	 * except leading 0's are suppressed, so a few bytes may
989	 * be unused.
990	 */
991	length = 2 + (2 * sizeof (session_id)) + 1;
992	*buff = malloc(length);
993
994	if (*buff == NULL) {
995		return (0);
996	}
997	if (session_data == NULL) { /* NULL is not an error */
998		**buff = '\0';
999		return (1);
1000	}
1001	adt_get_asid(session_data, &session_id);
1002
1003	length = snprintf(*buff, length, "0x%X", (int)session_id);
1004
1005	/* length < 1 is a bug: the session data type may have changed */
1006	assert(length > 0);
1007
1008	return (length);
1009}
1010
1011/*
1012 * adt_end_session -- close handle, clear context
1013 *
1014 * if as_check is invalid, no harm, no foul, EXCEPT that this could
1015 * be an attempt to free data already free'd, so output to syslog
1016 * to help explain why the process cored dumped.
1017 */
1018
1019int
1020adt_end_session(adt_session_data_t *session_data)
1021{
1022	adt_internal_state_t	*state;
1023
1024	if (session_data != NULL) {
1025		state = (adt_internal_state_t *)session_data;
1026		if (state->as_check != ADT_VALID) {
1027			adt_write_syslog("freeing invalid data", EINVAL);
1028		} else {
1029			state->as_check = 0;
1030			m_label_free(state->as_label);
1031			free(session_data);
1032		}
1033	}
1034	/* no errors yet defined */
1035	return (0);
1036}
1037
1038/*
1039 * adt_dup_session -- copy the session data
1040 */
1041
1042int
1043adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest)
1044{
1045	adt_internal_state_t	*source_state;
1046	adt_internal_state_t	*dest_state = NULL;
1047	int			rc = 0;
1048
1049	if (source != NULL) {
1050		source_state = (adt_internal_state_t *)source;
1051		assert(source_state->as_check == ADT_VALID);
1052
1053		dest_state = malloc(sizeof (adt_internal_state_t));
1054		if (dest_state == NULL) {
1055			rc = -1;
1056			goto return_rc;
1057		}
1058		(void) memcpy(dest_state, source,
1059		    sizeof (struct adt_internal_state));
1060
1061		if (source_state->as_label != NULL) {
1062			dest_state->as_label = NULL;
1063			if ((rc = m_label_dup(&dest_state->as_label,
1064			    source_state->as_label)) != 0) {
1065				free(dest_state);
1066				dest_state = NULL;
1067			}
1068		}
1069	}
1070return_rc:
1071	*dest = (adt_session_data_t *)dest_state;
1072	return (rc);
1073}
1074
1075/*
1076 * from_export_format()
1077 * read from a network order buffer into struct adt_session_data
1078 */
1079
1080static size_t
1081adt_from_export_format(adt_internal_state_t *internal,
1082    const adt_export_data_t *external)
1083{
1084	struct export_header	head;
1085	struct export_link	link;
1086	adr_t			context;
1087	int32_t 		offset;
1088	int32_t 		length;
1089	int32_t 		version;
1090	size_t			label_len;
1091	char			*p = (char *)external;
1092
1093	adrm_start(&context, (char *)external);
1094	adrm_int32(&context, (int *)&head, 4);
1095
1096	if ((internal->as_check = head.ax_check) != ADT_VALID) {
1097		errno = EINVAL;
1098		return (0);
1099	}
1100	offset = head.ax_link.ax_offset;
1101	version = head.ax_link.ax_version;
1102	length = head.ax_buffer_length;
1103
1104	/*
1105	 * Skip newer versions.
1106	 */
1107	while (version > PROTOCOL_VERSION_2) {
1108		if (offset < 1) {
1109			return (0);	/* failed to match version */
1110		}
1111		p += offset;		/* point to next version # */
1112
1113		if (p > (char *)external + length) {
1114			return (0);
1115		}
1116		adrm_start(&context, p);
1117		adrm_int32(&context, (int *)&link, 2);
1118		offset = link.ax_offset;
1119		version = link.ax_version;
1120		assert(version != 0);
1121	}
1122	/*
1123	 * Adjust buffer pointer to the first data item (euid).
1124	 */
1125	if (p == (char *)external) {
1126		adrm_start(&context, (char *)(p + sizeof (head)));
1127	} else {
1128		adrm_start(&context, (char *)(p + sizeof (link)));
1129	}
1130	/*
1131	 * if down rev version, neither pid nor label are included
1132	 * in v1 ax_size_of_tsol_data intentionally ignored
1133	 */
1134	if (version == PROTOCOL_VERSION_1) {
1135		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1136		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1137		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1138		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1139		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1140		adrm_int32(&context,
1141		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1142		adrm_int32(&context,
1143		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1144		adrm_int32(&context,
1145		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1146		adrm_int32(&context,
1147		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1148		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1149		adrm_int32(&context, (int *)&(internal->as_audit_state), 1);
1150		internal->as_pid = (pid_t)-1;
1151		internal->as_label = NULL;
1152	} else if (version == PROTOCOL_VERSION_2) {
1153		adrm_int32(&context, (int *)&(internal->as_euid), 1);
1154		adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1155		adrm_int32(&context, (int *)&(internal->as_egid), 1);
1156		adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1157		adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1158		adrm_int32(&context,
1159		    (int *)&(internal->as_info.ai_mask.am_success), 2);
1160		adrm_int32(&context,
1161		    (int *)&(internal->as_info.ai_termid.at_port), 1);
1162		adrm_int32(&context,
1163		    (int *)&(internal->as_info.ai_termid.at_type), 1);
1164		adrm_int32(&context,
1165		    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1166		adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1167		adrm_int32(&context, (int *)&(internal->as_audit_state), 1);
1168		adrm_int32(&context, (int *)&(internal->as_pid), 1);
1169		adrm_int32(&context, (int *)&label_len, 1);
1170		if (label_len > 0) {
1171			/* read in and deal with different sized labels. */
1172			size32_t my_label_len = blabel_size();
1173
1174			if ((internal->as_label =
1175			    m_label_alloc(MAC_LABEL)) == NULL) {
1176				return (0);
1177			}
1178			if (label_len > my_label_len) {
1179				errno = EINVAL;
1180				m_label_free(internal->as_label);
1181				return (0);
1182			}
1183			(void) memset(internal->as_label, 0, my_label_len);
1184			adrm_int32(&context, (int *)(internal->as_label),
1185			    label_len / sizeof (int32_t));
1186		} else {
1187			internal->as_label = NULL;
1188		}
1189	}
1190
1191	return (length);
1192}
1193
1194/*
1195 * adt_to_export_format
1196 * read from struct adt_session_data into a network order buffer.
1197 *
1198 * (network order 'cause this data may be shared with a remote host.)
1199 */
1200
1201static size_t
1202adt_to_export_format(adt_export_data_t *external,
1203    adt_internal_state_t *internal)
1204{
1205	struct export_header	head;
1206	struct export_link	tail;
1207	adr_t			context;
1208	size32_t		label_len = 0;
1209
1210	adrm_start(&context, (char *)external);
1211
1212	if (internal->as_label != NULL) {
1213		label_len = blabel_size();
1214	}
1215
1216	head.ax_check = ADT_VALID;
1217	head.ax_buffer_length = sizeof (struct adt_export_data) + label_len;
1218
1219	/* version 2 first */
1220
1221	head.ax_link.ax_version = PROTOCOL_VERSION_2;
1222	head.ax_link.ax_offset = sizeof (struct export_header) +
1223	    sizeof (struct adt_export_v2) + label_len;
1224
1225	adrm_putint32(&context, (int *)&head, 4);
1226
1227	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1228	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1229	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1230	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1231	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1232	adrm_putint32(&context,
1233	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1234	adrm_putint32(&context,
1235	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1236	adrm_putint32(&context,
1237	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1238	adrm_putint32(&context,
1239	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1240	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1241	adrm_putint32(&context, (int *)&(internal->as_audit_state), 1);
1242	adrm_putint32(&context, (int *)&(internal->as_pid), 1);
1243	adrm_putint32(&context, (int *)&label_len, 1);
1244	if (internal->as_label != NULL) {
1245		/* serialize the label */
1246		adrm_putint32(&context, (int *)(internal->as_label),
1247		    (label_len / sizeof (int32_t)));
1248	}
1249
1250	/* now version 1 */
1251
1252	tail.ax_version = PROTOCOL_VERSION_1;
1253	tail.ax_offset = 0;
1254
1255	adrm_putint32(&context, (int *)&tail, 2);
1256
1257	adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1258	adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1259	adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1260	adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1261	adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1262	adrm_putint32(&context,
1263	    (int *)&(internal->as_info.ai_mask.am_success), 2);
1264	adrm_putint32(&context,
1265	    (int *)&(internal->as_info.ai_termid.at_port), 1);
1266	adrm_putint32(&context,
1267	    (int *)&(internal->as_info.ai_termid.at_type), 1);
1268	adrm_putint32(&context,
1269	    (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1270	adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1271	adrm_putint32(&context, (int *)&(internal->as_audit_state), 1);
1272	/* ignored in v1 */
1273	adrm_putint32(&context, (int *)&label_len, 1);
1274
1275	/* finally terminator */
1276
1277	tail.ax_version = 0; /* invalid version number */
1278	tail.ax_offset = 0;
1279
1280	adrm_putint32(&context, (int *)&tail, 2);
1281
1282	return (head.ax_buffer_length);
1283}
1284
1285/*
1286 * adt_ucred_label() -- if label is available, duplicate it.
1287 */
1288
1289static m_label_t *
1290adt_ucred_label(ucred_t *uc)
1291{
1292	m_label_t	*ul = NULL;
1293
1294	if (ucred_getlabel(uc) != NULL) {
1295		(void) m_label_dup(&ul, ucred_getlabel(uc));
1296	}
1297
1298	return (ul);
1299}
1300
1301/*
1302 * adt_import() -- convert from network order to machine-specific order
1303 */
1304
1305static int
1306adt_import(adt_internal_state_t *internal, const adt_export_data_t *external)
1307{
1308	au_mask_t mask;
1309
1310	/* save local audit state */
1311	int	local_audit_state = internal->as_audit_state;
1312
1313	if (adt_from_export_format(internal, external) < 1)
1314		return (-1); /* errno from adt_from_export_format */
1315
1316	/*
1317	 * If audit isn't enabled on the remote, they were unable
1318	 * to generate the audit mask, so generate it based on
1319	 * local configuration.  If the user id has changed, the
1320	 * resulting mask may miss some subtleties that occurred
1321	 * on the remote system.
1322	 *
1323	 * If the remote failed to generate a terminal id, it is not
1324	 * recoverable.
1325	 */
1326
1327	if (!(internal->as_audit_state & AUC_DISABLED)) {
1328		if (adt_get_mask_from_user(internal->as_info.ai_auid,
1329		    &(internal->as_info.ai_mask)))
1330			return (-1);
1331		if (internal->as_info.ai_auid != internal->as_ruid) {
1332			if (adt_get_mask_from_user(internal->as_info.ai_auid,
1333			    &mask))
1334				return (-1);
1335			internal->as_info.ai_mask.am_success |=
1336			    mask.am_success;
1337			internal->as_info.ai_mask.am_failure |=
1338			    mask.am_failure;
1339		}
1340	}
1341	internal->as_audit_state = local_audit_state;
1342
1343	DPRINTF(("(%lld)imported asid = %X %u\n", (long long) getpid(),
1344	    internal->as_info.ai_asid,
1345	    internal->as_info.ai_asid));
1346
1347	internal->as_have_user_data = ADT_HAVE_ALL;
1348
1349	return (0);
1350}
1351
1352/*
1353 * adt_export_session_data()
1354 * copies a adt_session_data struct into a network order buffer
1355 *
1356 * In a misconfigured network, the local host may have auditing
1357 * off while the destination may have auditing on, so if there
1358 * is sufficient memory, a buffer will be returned even in the
1359 * audit off case.
1360 */
1361
1362size_t
1363adt_export_session_data(const adt_session_data_t *internal,
1364    adt_export_data_t **external)
1365{
1366	size32_t		length = 0;
1367
1368	if ((internal != NULL) &&
1369	    ((adt_internal_state_t *)internal)->as_label != NULL) {
1370		length = blabel_size();
1371	}
1372
1373	*external = malloc(sizeof (adt_export_data_t) + length);
1374
1375	if (*external == NULL)
1376		return (0);
1377
1378	if (internal == NULL) {
1379		adt_internal_state_t	*dummy;
1380
1381		dummy = malloc(sizeof (adt_internal_state_t));
1382		if (dummy == NULL)
1383			goto return_length_free;
1384
1385		if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */
1386			free(dummy);
1387			goto return_length_free;
1388		}
1389		length = adt_to_export_format(*external, dummy);
1390		free(dummy);
1391	} else {
1392		length = adt_to_export_format(*external,
1393		    (adt_internal_state_t *)internal);
1394	}
1395	return (length);
1396
1397return_length_free:
1398	free(*external);
1399	*external = NULL;
1400	return (0);
1401}
1402
1403static void
1404adt_setto_unaudited(adt_internal_state_t *state)
1405{
1406	if (state->as_audit_state & AUC_DISABLED) {
1407		state->as_ruid = AU_NOAUDITID;
1408		state->as_euid = AU_NOAUDITID;
1409		state->as_rgid = AU_NOAUDITID;
1410		state->as_egid = AU_NOAUDITID;
1411		state->as_pid = (pid_t)-1;
1412		state->as_label = NULL;
1413	} else {
1414		state->as_info.ai_asid = 0;
1415		state->as_info.ai_auid = AU_NOAUDITID;
1416
1417		(void) memset((void *)&(state->as_info.ai_termid), 0,
1418		    sizeof (au_tid_addr_t));
1419		state->as_info.ai_termid.at_type = AU_IPv4;
1420
1421		(void) memset((void *)&(state->as_info.ai_mask), 0,
1422		    sizeof (au_mask_t));
1423		state->as_have_user_data = 0;
1424	}
1425}
1426
1427/*
1428 * adt_init -- set session context by copying the audit characteristics
1429 * from the proc and picking up current uid/tid information.
1430 *
1431 * By default, an audit session is based on the process; the default
1432 * is overriden by adt_set_user()
1433 */
1434
1435static int
1436adt_init(adt_internal_state_t *state, int use_proc_data)
1437{
1438	/* ensure auditstate is set */
1439
1440	(void) adt_audit_state(0);
1441	state->as_audit_state = auditstate;
1442
1443	if (use_proc_data) {
1444		state->as_ruid = getuid();
1445		state->as_euid = geteuid();
1446		state->as_rgid = getgid();
1447		state->as_egid = getegid();
1448		state->as_pid = getpid();
1449
1450		if (!(state->as_audit_state & AUC_DISABLED)) {
1451			const au_tid64_addr_t	*tid;
1452			const au_mask_t		*mask;
1453			ucred_t			*ucred = ucred_get(P_MYID);
1454
1455			/*
1456			 * Even if the ucred is NULL, the underlying
1457			 * credential may have a valid terminal id; if the
1458			 * terminal id is set, then that's good enough.  An
1459			 * example of where this matters is failed login,
1460			 * where rlogin/telnet sets the terminal id before
1461			 * calling login; login does not load the credential
1462			 * since auth failed.
1463			 */
1464			if (ucred == NULL) {
1465				if (!adt_have_termid(
1466				    &(state->as_info.ai_termid)))
1467					return (-1);
1468			} else {
1469				mask = ucred_getamask(ucred);
1470				if (mask != NULL) {
1471					state->as_info.ai_mask = *mask;
1472				} else {
1473					ucred_free(ucred);
1474					return (-1);
1475				}
1476				tid = ucred_getatid(ucred);
1477				if (tid != NULL) {
1478					adt_cpy_tid(&(state->as_info.ai_termid),
1479					    tid);
1480				} else {
1481					ucred_free(ucred);
1482					return (-1);
1483				}
1484				state->as_info.ai_asid = ucred_getasid(ucred);
1485				state->as_info.ai_auid = ucred_getauid(ucred);
1486				state->as_label = adt_ucred_label(ucred);
1487				ucred_free(ucred);
1488			}
1489			state->as_have_user_data = ADT_HAVE_ALL;
1490		}
1491	} else {
1492		adt_setto_unaudited(state);
1493	}
1494	state->as_session_model = ADT_SESSION_MODEL;	/* default */
1495
1496	if ((state->as_audit_state & (AUC_AUDITING | AUC_NOSPACE)) &&
1497	    auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy),
1498	    sizeof (state->as_kernel_audit_policy))) {
1499		return (-1);  /* errno set by auditon */
1500	}
1501	state->as_check = ADT_VALID;
1502	adt_load_table((adt_session_data_t *)state, &adt_xlate_table[0],
1503	    &adt_preload);
1504	return (0);
1505}
1506
1507/*
1508 * adt_set_proc
1509 *
1510 * Copy the current session state to the process.  If this function
1511 * is called, the model becomes a process model rather than a
1512 * session model.
1513 *
1514 * In the current implementation, the value state->as_have_user_data
1515 * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}.  These are all set
1516 * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in.
1517 *
1518 */
1519
1520int
1521adt_set_proc(const adt_session_data_t *session_data)
1522{
1523	adt_internal_state_t	*state;
1524
1525	if (session_data == NULL) {
1526		return (0);
1527	}
1528
1529	state = (adt_internal_state_t *)session_data;
1530
1531	assert(state->as_check == ADT_VALID);
1532
1533	if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) !=
1534	    (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) {
1535		errno = EINVAL;
1536		goto return_err;
1537	}
1538
1539	if (setaudit_addr((auditinfo_addr_t *)&(state->as_info),
1540	    sizeof (auditinfo_addr_t)) < 0) {
1541		goto return_err;	/* errno set by setaudit_addr() */
1542	}
1543
1544	state->as_session_model = ADT_PROCESS_MODEL;
1545
1546	return (0);
1547
1548return_err:
1549	adt_write_syslog("failed to set process audit characteristics", errno);
1550	return (-1);
1551}
1552
1553static int
1554adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid)
1555{
1556	au_tid_addr_t	no_tid = {0, AU_IPv4, 0, 0, 0, 0};
1557	au_mask_t	no_mask = {0, 0};
1558
1559	if (ruid == ADT_NO_AUDIT) {
1560		state->as_info.ai_auid = AU_NOAUDITID;
1561		state->as_info.ai_asid = 0;
1562		state->as_info.ai_termid = no_tid;
1563		state->as_info.ai_mask = no_mask;
1564		return (0);
1565	}
1566	state->as_info.ai_auid = ruid;
1567	state->as_info.ai_asid = adt_get_unique_id(ruid);
1568	if (termid != NULL)
1569		state->as_info.ai_termid = *termid;
1570
1571	if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1572		return (-1);
1573
1574	/* Assume intending to audit as this process */
1575
1576	if (state->as_pid == (pid_t)-1)
1577		state->as_pid = getpid();
1578
1579	if (is_system_labeled() && state->as_label == NULL) {
1580		ucred_t	*ucred = ucred_get(P_MYID);
1581
1582		state->as_label = adt_ucred_label(ucred);
1583		ucred_free(ucred);
1584	}
1585
1586	return (0);
1587}
1588
1589static int
1590adt_changeuser(adt_internal_state_t *state, uid_t ruid)
1591{
1592	au_mask_t		mask;
1593
1594	if (!(state->as_have_user_data & ADT_HAVE_AUID))
1595		state->as_info.ai_auid = ruid;
1596	if (!(state->as_have_user_data & ADT_HAVE_ASID))
1597		state->as_info.ai_asid = adt_get_unique_id(ruid);
1598
1599	if (ruid <= MAXEPHUID) {
1600		if (adt_get_mask_from_user(ruid, &mask))
1601			return (-1);
1602
1603		state->as_info.ai_mask.am_success |= mask.am_success;
1604		state->as_info.ai_mask.am_failure |= mask.am_failure;
1605	}
1606	DPRINTF(("changed mask to %08X/%08X for ruid=%d\n",
1607	    state->as_info.ai_mask.am_success,
1608	    state->as_info.ai_mask.am_failure,
1609	    ruid));
1610	return (0);
1611}
1612
1613/*
1614 * adt_set_user -- see also adt_set_from_ucred()
1615 *
1616 * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or
1617 * "unattributed."  If ruid, change the model to session.
1618 *
1619 * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value"
1620 * only valid with ADT_UPDATE.
1621 *
1622 * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there
1623 * isn't a good reason to call adt_set_user() with it unless you don't
1624 * have a good value yet and intend to replace it later; auid will be
1625 * AU_NOAUDITID.
1626 *
1627 * adt_set_user should be called even if auditing is not enabled
1628 * so that adt_export_session_data() will have useful stuff to
1629 * work with.
1630 *
1631 * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID
1632 * and ADT_HAVE_ALL.
1633 */
1634
1635int
1636adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid,
1637    uid_t ruid, gid_t rgid, const adt_termid_t *termid,
1638    enum adt_user_context user_context)
1639{
1640	adt_internal_state_t	*state;
1641	int			rc;
1642
1643	if (session_data == NULL) /* no session exists to audit */
1644		return (0);
1645
1646	state = (adt_internal_state_t *)session_data;
1647	assert(state->as_check == ADT_VALID);
1648
1649	switch (user_context) {
1650	case ADT_NEW:
1651		if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE ||
1652		    rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) {
1653			errno = EINVAL;
1654			return (-1);
1655		}
1656		if ((rc = adt_newuser(state, ruid,
1657		    (au_tid_addr_t *)termid)) != 0)
1658			return (rc);
1659
1660		state->as_have_user_data = ADT_HAVE_ALL;
1661		break;
1662	case ADT_UPDATE:
1663		if (state->as_have_user_data != ADT_HAVE_ALL) {
1664			errno = EINVAL;
1665			return (-1);
1666		}
1667
1668		if (ruid != ADT_NO_CHANGE)
1669			if ((rc = adt_changeuser(state, ruid)) != 0)
1670				return (rc);
1671		break;
1672	case ADT_USER:
1673		if (state->as_have_user_data != ADT_HAVE_ALL) {
1674			errno = EINVAL;
1675			return (-1);
1676		}
1677		break;
1678	case ADT_SETTID:
1679		assert(termid != NULL);
1680		state->as_info.ai_termid = *((au_tid_addr_t *)termid);
1681		/* avoid fooling pam_setcred()... */
1682		state->as_info.ai_auid = AU_NOAUDITID;
1683		state->as_info.ai_asid = 0;
1684		state->as_info.ai_mask.am_failure = 0;
1685		state->as_info.ai_mask.am_success = 0;
1686		state->as_have_user_data = ADT_HAVE_TID |
1687		    ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK;
1688		return (0);
1689	default:
1690		errno = EINVAL;
1691		return (-1);
1692	}
1693
1694	if (ruid == ADT_NO_AUDIT) {
1695		state->as_ruid = AU_NOAUDITID;
1696		state->as_euid = AU_NOAUDITID;
1697		state->as_rgid = AU_NOAUDITID;
1698		state->as_egid = AU_NOAUDITID;
1699	} else {
1700		if (ruid != ADT_NO_CHANGE)
1701			state->as_ruid = ruid;
1702		if (euid != ADT_NO_CHANGE)
1703			state->as_euid = euid;
1704		if (rgid != ADT_NO_CHANGE)
1705			state->as_rgid = rgid;
1706		if (egid != ADT_NO_CHANGE)
1707			state->as_egid = egid;
1708	}
1709
1710	if (ruid == ADT_NO_ATTRIB) {
1711		state->as_session_model = ADT_SESSION_MODEL;
1712	}
1713
1714	return (0);
1715}
1716
1717/*
1718 * adt_set_from_ucred()
1719 *
1720 * an alternate to adt_set_user that fills the same role but uses
1721 * a pointer to a ucred rather than a list of id's.  If the ucred
1722 * pointer is NULL, use the credential from the this process.
1723 *
1724 * A key difference is that for ADT_NEW, adt_set_from_ucred() does
1725 * not overwrite the asid and auid unless auid has not been set.
1726 * ADT_NEW differs from ADT_UPDATE in that it does not OR together
1727 * the incoming audit mask with the one that already exists.
1728 *
1729 * adt_set_from_ucred should be called even if auditing is not enabled
1730 * so that adt_export_session_data() will have useful stuff to
1731 * work with.
1732 */
1733
1734int
1735adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc,
1736    enum adt_user_context user_context)
1737{
1738	adt_internal_state_t	*state;
1739	int			rc = -1;
1740	const au_tid64_addr_t		*tid64;
1741	au_tid_addr_t		termid, *tid;
1742	ucred_t	*ucred = (ucred_t *)uc;
1743	boolean_t	local_uc = B_FALSE;
1744
1745	if (session_data == NULL) /* no session exists to audit */
1746		return (0);
1747
1748	state = (adt_internal_state_t *)session_data;
1749	assert(state->as_check == ADT_VALID);
1750
1751	if (ucred == NULL) {
1752		ucred = ucred_get(P_MYID);
1753
1754		if (ucred == NULL)
1755			goto return_rc;
1756		local_uc = B_TRUE;
1757	}
1758
1759	switch (user_context) {
1760	case ADT_NEW:
1761		tid64 = ucred_getatid(ucred);
1762		if (tid64 != NULL) {
1763			adt_cpy_tid(&termid, tid64);
1764			tid = &termid;
1765		} else {
1766			tid = NULL;
1767		}
1768		if (ucred_getauid(ucred) == AU_NOAUDITID) {
1769			adt_setto_unaudited(state);
1770			state->as_have_user_data = ADT_HAVE_ALL;
1771			rc = 0;
1772			goto return_rc;
1773		} else {
1774			state->as_info.ai_auid = ucred_getauid(ucred);
1775			state->as_info.ai_asid = ucred_getasid(ucred);
1776			state->as_info.ai_mask = *ucred_getamask(ucred);
1777			state->as_info.ai_termid = *tid;
1778		}
1779		state->as_have_user_data = ADT_HAVE_ALL;
1780		break;
1781	case ADT_UPDATE:
1782		if (state->as_have_user_data != ADT_HAVE_ALL) {
1783			errno = EINVAL;
1784			goto return_rc;
1785		}
1786
1787		if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0)
1788			goto return_rc;
1789		break;
1790	case ADT_USER:
1791		if (state->as_have_user_data != ADT_HAVE_ALL) {
1792			errno = EINVAL;
1793			goto return_rc;
1794		}
1795		break;
1796	default:
1797		errno = EINVAL;
1798		goto return_rc;
1799	}
1800	rc = 0;
1801
1802	state->as_ruid = ucred_getruid(ucred);
1803	state->as_euid = ucred_geteuid(ucred);
1804	state->as_rgid = ucred_getrgid(ucred);
1805	state->as_egid = ucred_getegid(ucred);
1806	state->as_pid = ucred_getpid(ucred);
1807	state->as_label = adt_ucred_label(ucred);
1808
1809return_rc:
1810	if (local_uc) {
1811		ucred_free(ucred);
1812	}
1813	return (rc);
1814}
1815
1816/*
1817 * adt_alloc_event() returns a pointer to allocated memory
1818 *
1819 */
1820
1821adt_event_data_t
1822*adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id)
1823{
1824	struct adt_event_state	*event_state;
1825	adt_internal_state_t	*session_state;
1826	adt_event_data_t	*return_event = NULL;
1827	/*
1828	 * need to return a valid event pointer even if audit is
1829	 * off, else the caller will end up either (1) keeping its
1830	 * own flags for on/off or (2) writing to a NULL pointer.
1831	 * If auditing is on, the session data must be valid; otherwise
1832	 * we don't care.
1833	 */
1834	if (session_data != NULL) {
1835		session_state = (adt_internal_state_t *)session_data;
1836		assert(session_state->as_check == ADT_VALID);
1837	}
1838	event_state = calloc(1, sizeof (struct adt_event_state));
1839	if (event_state == NULL)
1840		goto return_ptr;
1841
1842	event_state->ae_check = ADT_VALID;
1843
1844	event_state->ae_event_id = event_id;
1845	event_state->ae_session = (struct adt_internal_state *)session_data;
1846
1847	return_event = (adt_event_data_t *)&(event_state->ae_event_data);
1848
1849	/*
1850	 * preload data so the adt_au_*() functions can detect un-supplied
1851	 * values (0 and NULL are free via calloc()).
1852	 */
1853	if (session_data != NULL) {
1854		session_state->as_preload(event_id, return_event);
1855	}
1856
1857return_ptr:
1858	return (return_event);
1859}
1860
1861/*
1862 * adt_getXlateTable -- look up translation table address for event id
1863 */
1864
1865static adt_translation_t *
1866adt_getXlateTable(adt_translation_t **xlate, au_event_t event_id)
1867{
1868	/* xlate_table is global in adt_xlate.c */
1869	adt_translation_t	**p_xlate = xlate;
1870	adt_translation_t	*p_event;
1871
1872	while (*p_xlate != NULL) {
1873		p_event = *p_xlate;
1874		if (event_id == p_event->tx_external_event)
1875			return (p_event);
1876		p_xlate++;
1877	}
1878	return (NULL);
1879}
1880
1881/*
1882 * adt_calcOffsets
1883 *
1884 * the call to this function is surrounded by a mutex.
1885 *
1886 * i walks down the table picking up next_token.  j walks again to
1887 * calculate the offset to the input data.  k points to the next
1888 * token's row.  Finally, l, is used to sum the values in the
1889 * datadef array.
1890 *
1891 * What's going on?  The entry array is in the order of the input
1892 * fields but the processing of array entries is in the order of
1893 * the output (see next_token).  Calculating the offset to the
1894 * "next" input can't be done in the outer loop (i) since i doesn't
1895 * point to the current entry and it can't be done with the k index
1896 * because it doesn't represent the order of input fields.
1897 *
1898 * While the resulting algorithm is n**2, it is only done once per
1899 * event type.
1900 */
1901
1902/*
1903 * adt_calcOffsets is only called once per event type, but it uses
1904 * the address alignment of memory allocated for that event as if it
1905 * were the same for all subsequently allocated memory.  This is
1906 * guaranteed by calloc/malloc.  Arrays take special handling since
1907 * what matters for figuring out the correct alignment is the size
1908 * of the array element.
1909 */
1910
1911static void
1912adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data)
1913{
1914	int		i, j;
1915	size_t		this_size, prev_size;
1916	void		*struct_start = p_data;
1917
1918	for (i = 0; i < tablesize; i++) {
1919		if (p_entry[i].en_type_def == NULL) {
1920			p_entry[i].en_offset = 0;
1921			continue;
1922		}
1923		prev_size = 0;
1924		p_entry[i].en_offset = (char *)p_data - (char *)struct_start;
1925
1926		for (j = 0; j < p_entry[i].en_count_types; j++) {
1927			if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG)
1928				this_size = sizeof (enum adt_generic);
1929			else
1930				this_size =
1931				    p_entry[i].en_type_def[j].dd_input_size;
1932
1933			/* adj for first entry */
1934			if (prev_size == 0)
1935				prev_size = this_size;
1936
1937			if (p_entry[i].en_type_def[j].dd_datatype ==
1938			    ADT_UINT32ARRAY) {
1939				p_data = (char *)adt_adjust_address(p_data,
1940				    prev_size, sizeof (uint32_t)) +
1941				    this_size - sizeof (uint32_t);
1942
1943				prev_size = sizeof (uint32_t);
1944			} else {
1945				p_data = adt_adjust_address(p_data, prev_size,
1946				    this_size);
1947				prev_size = this_size;
1948			}
1949		}
1950	}
1951}
1952
1953/*
1954 * adt_generate_event
1955 * generate event record from external struct.  The order is based on
1956 * the output tokens, allowing for the possibility that the input data
1957 * is in a different order.
1958 *
1959 */
1960
1961static int
1962adt_generate_event(const adt_event_data_t *p_extdata,
1963    struct adt_event_state *p_event,
1964    adt_translation_t *p_xlate)
1965{
1966	struct entry		*p_entry;
1967	static mutex_t	lock = DEFAULTMUTEX;
1968
1969	p_entry = p_xlate->tx_first_entry;
1970	assert(p_entry != NULL);
1971
1972	p_event->ae_internal_id = p_xlate->tx_internal_event;
1973	adt_token_open(p_event);
1974
1975	/*
1976	 * offsets are not pre-calculated; the initial offsets are all
1977	 * 0; valid offsets are >= 0.  Offsets for no-input tokens such
1978	 * as subject are set to -1 by adt_calcOffset()
1979	 */
1980	if (p_xlate->tx_offsetsCalculated == 0) {
1981		(void) mutex_lock(&lock);
1982		p_xlate->tx_offsetsCalculated = 1;
1983
1984		adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries,
1985		    (void *)p_extdata);
1986		(void) mutex_unlock(&lock);
1987	}
1988	while (p_entry != NULL) {
1989		adt_generate_token(p_entry, (char *)p_extdata, p_event);
1990
1991		p_entry = p_entry->en_next_token;
1992	}
1993	return (adt_token_close(p_event));
1994}
1995
1996/*
1997 * adt_put_event -- main event generation function.
1998 * The input "event" is the address of the struct containing
1999 * event-specific data.
2000 *
2001 * However if auditing is off or the session handle
2002 * is NULL, no attempt to write a record is made.
2003 */
2004
2005int
2006adt_put_event(const adt_event_data_t *event, int status, int return_val)
2007{
2008	struct adt_event_state	*event_state;
2009	adt_translation_t	*xlate;
2010
2011	if (event == NULL) {
2012		errno = EINVAL;
2013		return (-1);
2014	}
2015	event_state = (struct adt_event_state *)event;
2016
2017	/* if this is a broken session or not auditing, exit */
2018	if ((event_state->ae_session == NULL) ||
2019	    !(event_state->ae_session->as_audit_state &
2020	    (AUC_AUDITING | AUC_NOSPACE))) {
2021		return (0);
2022	}
2023
2024	assert(event_state->ae_check == ADT_VALID);
2025
2026	event_state->ae_rc = status;
2027	event_state->ae_type = return_val;
2028
2029	/* look up the event */
2030
2031	xlate = adt_getXlateTable(event_state->ae_session->as_xlate,
2032	    event_state->ae_event_id);
2033
2034	if (xlate == NULL) {
2035		errno = EINVAL;
2036		return (-1);
2037	}
2038	DPRINTF(("got event %d\n", xlate->tx_internal_event));
2039
2040	if (adt_selected(event_state, xlate->tx_internal_event, status)) {
2041		return (adt_generate_event(event, event_state, xlate));
2042	}
2043
2044	return (0);
2045}
2046
2047/*
2048 * adt_free_event -- invalidate and free
2049 */
2050
2051void
2052adt_free_event(adt_event_data_t *event)
2053{
2054	struct adt_event_state	*event_state;
2055
2056	if (event == NULL)
2057		return;
2058
2059	event_state = (struct adt_event_state *)event;
2060
2061	assert(event_state->ae_check == ADT_VALID);
2062
2063	event_state->ae_check = 0;
2064
2065	free(event_state);
2066}
2067
2068/*
2069 * adt_is_selected -- helper to adt_selected(), below.
2070 *
2071 * "sorf" is "success or fail" status; au_preselect compares
2072 * that with success, fail, or both.
2073 */
2074
2075static int
2076adt_is_selected(au_event_t e, au_mask_t *m, int sorf)
2077{
2078	int prs_sorf;
2079
2080	if (sorf == 0)
2081		prs_sorf = AU_PRS_SUCCESS;
2082	else
2083		prs_sorf = AU_PRS_FAILURE;
2084
2085	return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD));
2086}
2087
2088/*
2089 * selected -- see if this event is preselected.
2090 *
2091 * if errors are encountered trying to check a preselection mask
2092 * or look up a user name, the event is selected.  Otherwise, the
2093 * preselection mask is used for the job.
2094 */
2095
2096static int
2097adt_selected(struct adt_event_state *event, au_event_t actual_id, int status)
2098{
2099	adt_internal_state_t *sp;
2100	au_mask_t	namask;
2101
2102	sp = event->ae_session;
2103
2104	if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) {
2105		adt_write_syslog("No user data available", EINVAL);
2106		return (1);	/* default is "selected" */
2107	}
2108
2109	/* non-attributable? */
2110	if ((sp->as_info.ai_auid == AU_NOAUDITID) ||
2111	    (sp->as_info.ai_auid == ADT_NO_AUDIT)) {
2112		if (auditon(A_GETKMASK, (caddr_t)&namask,
2113		    sizeof (namask)) != 0) {
2114			adt_write_syslog("auditon failure", errno);
2115			return (1);
2116		}
2117		return (adt_is_selected(actual_id, &namask, status));
2118	} else {
2119		return (adt_is_selected(actual_id, &(sp->as_info.ai_mask),
2120		    status));
2121	}
2122}
2123
2124/*
2125 * Can't map the host name to an IP address in
2126 * adt_get_hostIP.  Get something off an interface
2127 * to act as the hosts IP address for auditing.
2128 */
2129
2130static int
2131adt_get_local_address(int family, struct ifaddrlist *al)
2132{
2133	struct ifaddrlist	*ifal;
2134	char	errbuf[ERRBUFSIZE] = "empty list";
2135	char	msg[ERRBUFSIZE + 512];
2136	int	ifal_count;
2137	int	i;
2138
2139	if ((ifal_count = ifaddrlist(&ifal, family, 0, errbuf)) < 0) {
2140		int serrno = errno;
2141
2142		(void) snprintf(msg, sizeof (msg), "adt_get_local_address "
2143		    "couldn't get %d addrlist %s", family, errbuf);
2144		adt_write_syslog(msg, serrno);
2145		errno = serrno;
2146		return (-1);
2147	}
2148
2149	for (i = 0; i < ifal_count; i++) {
2150		/*
2151		 * loopback always defined,
2152		 * even if there is no real address
2153		 */
2154		if ((ifal[i].flags & (IFF_UP | IFF_LOOPBACK)) == IFF_UP) {
2155			break;
2156		}
2157	}
2158	if (i >= ifal_count) {
2159		free(ifal);
2160		/*
2161		 * Callers of adt_get_hostIP() can only return
2162		 * errno to their callers and eventually the application.
2163		 * Picked one that seemed least worse for saying no
2164		 * usable address for Audit terminal ID.
2165		 */
2166		errno = ENETDOWN;
2167		return (-1);
2168	}
2169
2170	*al = ifal[i];
2171	free(ifal);
2172	return (0);
2173}
2174