xref: /illumos-gate/usr/src/cmd/init/init.c (revision 30699046)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2021 OmniOS Community Edition (OmniOSce) Association.
24  * Copyright 2020 Oxide Computer Company
25  * Copyright (c) 2013 Gary Mills
26  *
27  * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
28  */
29 
30 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
31 /*	  All Rights Reserved	*/
32 
33 /*
34  * University Copyright- Copyright (c) 1982, 1986, 1988
35  * The Regents of the University of California
36  * All Rights Reserved
37  *
38  * University Acknowledgment- Portions of this document are derived from
39  * software developed by the University of California, Berkeley, and its
40  * contributors.
41  */
42 
43 /*
44  * init(8) is the general process spawning program.  Its primary job is to
45  * start and restart svc.startd for smf(7).  For backwards-compatibility it also
46  * spawns and respawns processes according to /etc/inittab and the current
47  * run-level.  It reads /etc/default/inittab for general configuration.
48  *
49  * To change run-levels the system administrator runs init from the command
50  * line with a level name.  init signals svc.startd via libscf and directs the
51  * zone's init (pid 1 in the global zone) what to do by sending it a signal;
52  * these signal numbers are commonly refered to in the code as 'states'.  Valid
53  * run-levels are [sS0123456].  Additionally, init can be given directives
54  * [qQabc], which indicate actions to be taken pertaining to /etc/inittab.
55  *
56  * When init processes inittab entries, it finds processes that are to be
57  * spawned at various run-levels.  inittab contains the set of the levels for
58  * which each inittab entry is valid.
59  *
60  * State File and Restartability
61  *   Premature exit by init(8) is handled as a special case by the kernel:
62  *   init(8) will be immediately re-executed, retaining its original PID.  (PID
63  *   1 in the global zone.)  To track the processes it has previously spawned,
64  *   as well as other mutable state, init(8) regularly updates a state file
65  *   such that its subsequent invocations have knowledge of its various
66  *   dependent processes and duties.
67  *
68  * Process Contracts
69  *   We start svc.startd(8) in a contract and transfer inherited contracts when
70  *   restarting it.  Everything else is started using the legacy contract
71  *   template, and the created contracts are abandoned when they become empty.
72  *
73  * utmpx Entry Handling
74  *   Because init(8) no longer governs the startup process, its knowledge of
75  *   when utmpx becomes writable is indirect.  However, spawned processes
76  *   expect to be constructed with valid utmpx entries.  As a result, attempts
77  *   to write normal entries will be retried until successful.
78  *
79  * Maintenance Mode
80  *   In certain failure scenarios, init(8) will enter a maintenance mode, in
81  *   which it invokes sulogin(8) to allow the operator an opportunity to
82  *   repair the system.  Normally, this operation is performed as a
83  *   fork(2)-exec(2)-waitpid(3C) sequence with the parent waiting for repair or
84  *   diagnosis to be completed.  In the cases that fork(2) requests themselves
85  *   fail, init(8) will directly execute sulogin(8), and allow the kernel to
86  *   restart init(8) on exit from the operator session.
87  *
88  *   One scenario where init(8) enters its maintenance mode is when
89  *   svc.startd(8) begins to fail rapidly, defined as when the average time
90  *   between recent failures drops below a given threshold.
91  */
92 
93 #include <sys/contract/process.h>
94 #include <sys/ctfs.h>
95 #include <sys/stat.h>
96 #include <sys/statvfs.h>
97 #include <sys/stropts.h>
98 #include <sys/systeminfo.h>
99 #include <sys/time.h>
100 #include <sys/termios.h>
101 #include <sys/tty.h>
102 #include <sys/types.h>
103 #include <sys/utsname.h>
104 #include <sys/bootbanner.h>
105 
106 #include <bsm/adt_event.h>
107 #include <bsm/libbsm.h>
108 #include <security/pam_appl.h>
109 
110 #include <assert.h>
111 #include <ctype.h>
112 #include <definit.h>
113 #include <dirent.h>
114 #include <errno.h>
115 #include <fcntl.h>
116 #include <libcontract.h>
117 #include <libcontract_priv.h>
118 #include <libintl.h>
119 #include <libscf.h>
120 #include <libscf_priv.h>
121 #include <poll.h>
122 #include <procfs.h>
123 #include <signal.h>
124 #include <stdarg.h>
125 #include <stdio.h>
126 #include <stdio_ext.h>
127 #include <stdlib.h>
128 #include <string.h>
129 #include <strings.h>
130 #include <syslog.h>
131 #include <time.h>
132 #include <ulimit.h>
133 #include <unistd.h>
134 #include <utmpx.h>
135 #include <wait.h>
136 #include <zone.h>
137 #include <ucontext.h>
138 
139 #undef	sleep
140 
141 #define	fioctl(p, sptr, cmd)	ioctl(fileno(p), sptr, cmd)
142 #define	min(a, b)		(((a) < (b)) ? (a) : (b))
143 
144 #define	TRUE	1
145 #define	FALSE	0
146 #define	FAILURE	-1
147 
148 #define	UT_USER_SZ	32	/* Size of a utmpx ut_user field */
149 #define	UT_LINE_SZ	32	/* Size of a utmpx ut_line field */
150 
151 /*
152  * SLEEPTIME	The number of seconds "init" sleeps between wakeups if
153  *		nothing else requires this "init" wakeup.
154  */
155 #define	SLEEPTIME	(5 * 60)
156 
157 /*
158  * MAXCMDL	The maximum length of a command string in inittab.
159  */
160 #define	MAXCMDL	512
161 
162 /*
163  * EXEC		The length of the prefix string added to all comamnds
164  *		found in inittab.
165  */
166 #define	EXEC	(sizeof ("exec ") - 1)
167 
168 /*
169  * TWARN	The amount of time between warning signal, SIGTERM,
170  *		and the fatal kill signal, SIGKILL.
171  */
172 #define	TWARN	5
173 
174 #define	id_eq(x, y)	((x[0] == y[0] && x[1] == y[1] && x[2] == y[2] &&\
175 			x[3] == y[3]) ? TRUE : FALSE)
176 
177 /*
178  * The kernel's default umask is 022 these days; since some processes inherit
179  * their umask from init, init will set it from CMASK in /etc/default/init.
180  * init gets the default umask from the kernel, it sets it to 022 whenever
181  * it wants to create a file and reverts to CMASK afterwards.
182  */
183 
184 static int cmask;
185 
186 /*
187  * The following definitions, concluding with the 'lvls' array, provide a
188  * common mapping between level-name (like 'S'), signal number (state),
189  * run-level mask, and specific properties associated with a run-level.
190  * This array should be accessed using the routines lvlname_to_state(),
191  * lvlname_to_mask(), state_to_mask(), and state_to_flags().
192  */
193 
194 /*
195  * Correspondence of signals to init actions.
196  */
197 #define	LVLQ		SIGHUP
198 #define	LVL0		SIGINT
199 #define	LVL1		SIGQUIT
200 #define	LVL2		SIGILL
201 #define	LVL3		SIGTRAP
202 #define	LVL4		SIGIOT
203 #define	LVL5		SIGEMT
204 #define	LVL6		SIGFPE
205 #define	SINGLE_USER	SIGBUS
206 #define	LVLa		SIGSEGV
207 #define	LVLb		SIGSYS
208 #define	LVLc		SIGPIPE
209 
210 /*
211  * Bit Mask for each level.  Used to determine legal levels.
212  */
213 #define	MASK0	0x0001
214 #define	MASK1	0x0002
215 #define	MASK2	0x0004
216 #define	MASK3	0x0008
217 #define	MASK4	0x0010
218 #define	MASK5	0x0020
219 #define	MASK6	0x0040
220 #define	MASKSU	0x0080
221 #define	MASKa	0x0100
222 #define	MASKb	0x0200
223 #define	MASKc	0x0400
224 
225 #define	MASK_NUMERIC (MASK0 | MASK1 | MASK2 | MASK3 | MASK4 | MASK5 | MASK6)
226 #define	MASK_abc (MASKa | MASKb | MASKc)
227 
228 /*
229  * Flags to indicate properties of various states.
230  */
231 #define	LSEL_RUNLEVEL	0x0001	/* runlevels you can transition to */
232 
233 typedef struct lvl {
234 	int	lvl_state;
235 	int	lvl_mask;
236 	char	lvl_name;
237 	int	lvl_flags;
238 } lvl_t;
239 
240 static lvl_t lvls[] = {
241 	{ LVLQ,		0,	'Q', 0					},
242 	{ LVLQ,		0,	'q', 0					},
243 	{ LVL0,		MASK0,	'0', LSEL_RUNLEVEL			},
244 	{ LVL1,		MASK1,	'1', LSEL_RUNLEVEL			},
245 	{ LVL2,		MASK2,	'2', LSEL_RUNLEVEL			},
246 	{ LVL3,		MASK3,	'3', LSEL_RUNLEVEL			},
247 	{ LVL4,		MASK4,	'4', LSEL_RUNLEVEL			},
248 	{ LVL5,		MASK5,	'5', LSEL_RUNLEVEL			},
249 	{ LVL6,		MASK6,	'6', LSEL_RUNLEVEL			},
250 	{ SINGLE_USER,	MASKSU, 'S', LSEL_RUNLEVEL			},
251 	{ SINGLE_USER,	MASKSU, 's', LSEL_RUNLEVEL			},
252 	{ LVLa,		MASKa,	'a', 0					},
253 	{ LVLb,		MASKb,	'b', 0					},
254 	{ LVLc,		MASKc,	'c', 0					}
255 };
256 
257 #define	LVL_NELEMS (sizeof (lvls) / sizeof (lvl_t))
258 
259 /*
260  * Legal action field values.
261  */
262 #define	OFF		0	/* Kill process if on, else ignore */
263 #define	RESPAWN		1	/* Continuously restart process when it dies */
264 #define	ONDEMAND	RESPAWN	/* Respawn for a, b, c type processes */
265 #define	ONCE		2	/* Start process, do not respawn when dead */
266 #define	WAIT		3	/* Perform once and wait to complete */
267 #define	BOOT		4	/* Start at boot time only */
268 #define	BOOTWAIT	5	/* Start at boot time and wait to complete */
269 #define	POWERFAIL	6	/* Start on powerfail */
270 #define	POWERWAIT	7	/* Start and wait for complete on powerfail */
271 #define	INITDEFAULT	8	/* Default level "init" should start at */
272 #define	SYSINIT		9	/* Actions performed before init speaks */
273 
274 #define	M_OFF		0001
275 #define	M_RESPAWN	0002
276 #define	M_ONDEMAND	M_RESPAWN
277 #define	M_ONCE		0004
278 #define	M_WAIT		0010
279 #define	M_BOOT		0020
280 #define	M_BOOTWAIT	0040
281 #define	M_PF		0100
282 #define	M_PWAIT		0200
283 #define	M_INITDEFAULT	0400
284 #define	M_SYSINIT	01000
285 
286 /* States for the inittab parser in getcmd(). */
287 #define	ID	1
288 #define	LEVELS	2
289 #define	ACTION	3
290 #define	COMMAND	4
291 #define	COMMENT	5
292 
293 /*
294  * inittab entry id constants
295  */
296 #define	INITTAB_ENTRY_ID_SIZE 4
297 #define	INITTAB_ENTRY_ID_STR_FORMAT "%.4s"	/* if INITTAB_ENTRY_ID_SIZE */
298 						/* changes, this should */
299 						/* change accordingly */
300 
301 /*
302  * Init can be in any of three main states, "normal" mode where it is
303  * processing entries for the lines file in a normal fashion, "boot" mode,
304  * where it is only interested in the boot actions, and "powerfail" mode,
305  * where it is only interested in powerfail related actions. The following
306  * masks declare the legal actions for each mode.
307  */
308 #define	NORMAL_MODES	(M_OFF | M_RESPAWN | M_ONCE | M_WAIT)
309 #define	BOOT_MODES	(M_BOOT | M_BOOTWAIT)
310 #define	PF_MODES	(M_PF | M_PWAIT)
311 
312 struct PROC_TABLE {
313 	char	p_id[INITTAB_ENTRY_ID_SIZE];	/* Four letter unique id of */
314 						/* process */
315 	pid_t	p_pid;		/* Process id */
316 	short	p_count;	/* How many respawns of this command in */
317 				/*   the current series */
318 	long	p_time;		/* Start time for a series of respawns */
319 	short	p_flags;
320 	short	p_exit;		/* Exit status of a process which died */
321 };
322 
323 /*
324  * Flags for the "p_flags" word of a PROC_TABLE entry:
325  *
326  *	OCCUPIED	This slot in init's proc table is in use.
327  *
328  *	LIVING		Process is alive.
329  *
330  *	NOCLEANUP	efork() is not allowed to cleanup this entry even
331  *			if process is dead.
332  *
333  *	NAMED		This process has a name, i.e. came from inittab.
334  *
335  *	DEMANDREQUEST	Process started by a "telinit [abc]" command.  Processes
336  *			formed this way are respawnable and immune to level
337  *			changes as long as their entry exists in inittab.
338  *
339  *	TOUCHED		Flag used by remv() to determine whether it has looked
340  *			at an entry while checking for processes to be killed.
341  *
342  *	WARNED		Flag used by remv() to mark processes that have been
343  *			sent the SIGTERM signal.  If they don't die in 5
344  *			seconds, they are sent the SIGKILL signal.
345  *
346  *	KILLED		Flag used by remv() to mark procs that have been sent
347  *			the SIGTERM and SIGKILL signals.
348  *
349  *	PF_MASK		Bitwise or of legal flags, for sanity checking.
350  */
351 #define	OCCUPIED	01
352 #define	LIVING		02
353 #define	NOCLEANUP	04
354 #define	NAMED		010
355 #define	DEMANDREQUEST	020
356 #define	TOUCHED		040
357 #define	WARNED		0100
358 #define	KILLED		0200
359 #define	PF_MASK		0377
360 
361 /*
362  * Respawn limits for processes that are to be respawned:
363  *
364  *	SPAWN_INTERVAL	The number of seconds over which "init" will try to
365  *			respawn a process SPAWN_LIMIT times before it gets mad.
366  *
367  *	SPAWN_LIMIT	The number of respawns "init" will attempt in
368  *			SPAWN_INTERVAL seconds before it generates an
369  *			error message and inhibits further tries for
370  *			INHIBIT seconds.
371  *
372  *	INHIBIT		The number of seconds "init" ignores an entry it had
373  *			trouble spawning unless a "telinit Q" is received.
374  */
375 
376 #define	SPAWN_INTERVAL	(2*60)
377 #define	SPAWN_LIMIT	10
378 #define	INHIBIT		(5*60)
379 
380 /*
381  * The maximum number of decimal digits for an id_t.  (ceil(log10 (max_id)))
382  */
383 #define	ID_MAX_STR_LEN	10
384 
385 #define	NULLPROC	((struct PROC_TABLE *)(0))
386 #define	NO_ROOM		((struct PROC_TABLE *)(FAILURE))
387 
388 struct CMD_LINE {
389 	char c_id[INITTAB_ENTRY_ID_SIZE];	/* Four letter unique id of */
390 						/* process to be affected by */
391 						/* action */
392 	short c_levels;	/* Mask of legal levels for process */
393 	short c_action;	/* Mask for type of action required */
394 	char *c_command; /* Pointer to init command */
395 };
396 
397 struct	pidrec {
398 	int	pd_type;	/* Command type */
399 	pid_t	pd_pid;		/* pid to add or remove */
400 };
401 
402 /*
403  * pd_type's
404  */
405 #define	ADDPID	1
406 #define	REMPID	2
407 
408 static struct	pidlist {
409 	pid_t	pl_pid;		/* pid to watch for */
410 	int	pl_dflag;	/* Flag indicating SIGCLD from this pid */
411 	short	pl_exit;	/* Exit status of proc */
412 	struct	pidlist	*pl_next; /* Next in list */
413 } *Plhead, *Plfree;
414 
415 /*
416  * The following structure contains a set of modes for /dev/syscon
417  * and should match the default contents of /etc/ioctl.syscon.
418  */
419 static struct termios	dflt_termios = {
420 	.c_iflag = BRKINT|ICRNL|IXON|IMAXBEL,
421 	.c_oflag = OPOST|ONLCR|TAB3,
422 	.c_cflag = CS8|CREAD|B9600,
423 	.c_lflag = ISIG|ICANON|ECHO|ECHOE|ECHOK|ECHOCTL|ECHOKE|IEXTEN,
424 	.c_cc = { CINTR, CQUIT, CERASE, CKILL, CEOF, 0, 0, 0,
425 	    CSTART, CSTOP, CSWTCH, CDSUSP, CRPRNT, CFLUSH, CWERASE, CLNEXT,
426 	    CSTATUS, CERASE2, 0
427 	}
428 };
429 
430 static struct termios	stored_syscon_termios;
431 static int		write_ioctl = 0;	/* Rewrite /etc/ioctl.syscon */
432 
433 static union WAKEUP {
434 	struct WAKEFLAGS {
435 		unsigned w_usersignal : 1;	/* User sent signal to "init" */
436 		unsigned w_childdeath : 1;	/* An "init" child died */
437 		unsigned w_powerhit : 1;	/* OS experienced powerfail */
438 	}	w_flags;
439 	int w_mask;
440 } wakeup;
441 
442 
443 struct init_state {
444 	int			ist_runlevel;
445 	int			ist_num_proc;
446 	int			ist_utmpx_ok;
447 	struct PROC_TABLE	ist_proc_table[1];
448 };
449 
450 #define	cur_state	(g_state->ist_runlevel)
451 #define	num_proc	(g_state->ist_num_proc)
452 #define	proc_table	(g_state->ist_proc_table)
453 #define	utmpx_ok	(g_state->ist_utmpx_ok)
454 
455 /* Contract cookies. */
456 #define	ORDINARY_COOKIE		0
457 #define	STARTD_COOKIE		1
458 
459 
460 #ifndef NDEBUG
461 #define	bad_error(func, err)	{					\
462 	(void) fprintf(stderr, "%s:%d: %s() failed with unexpected "	\
463 	    "error %d.  Aborting.\n", __FILE__, __LINE__, (func), (err)); \
464 	abort();							\
465 }
466 #else
467 #define	bad_error(func, err)	abort()
468 #endif
469 
470 
471 /*
472  * Useful file and device names.
473  */
474 static char *CONSOLE	  = "/dev/console";	/* Real system console */
475 static char *INITPIPE_DIR = "/var/run";
476 static char *INITPIPE	  = "/var/run/initpipe";
477 
478 #define	INIT_STATE_DIR "/etc/svc/volatile"
479 static const char * const init_state_file = INIT_STATE_DIR "/init.state";
480 static const char * const init_next_state_file =
481 	INIT_STATE_DIR "/init-next.state";
482 
483 static const int init_num_proc = 20;	/* Initial size of process table. */
484 
485 static char *UTMPX	 = UTMPX_FILE;		/* Snapshot record file */
486 static char *WTMPX	 = WTMPX_FILE;		/* Long term record file */
487 static char *INITTAB	 = "/etc/inittab";	/* Script file for "init" */
488 static char *SYSTTY	 = "/dev/systty";	/* System Console */
489 static char *SYSCON	 = "/dev/syscon";	/* Virtual System console */
490 static char *IOCTLSYSCON = "/etc/ioctl.syscon";	/* Last syscon modes */
491 static char *ENVFILE	 = DEFINIT_DEFAULT_FILE; /* Default env. */
492 static char *SU	= "/etc/sulogin";	/* Super-user program for single user */
493 static char *SH	= "/sbin/sh";		/* Standard shell */
494 
495 /*
496  * Default Path.  /sbin is included in path only during sysinit phase
497  */
498 #define	DEF_PATH	"PATH=/usr/sbin:/usr/bin"
499 #define	INIT_PATH	"PATH=/sbin:/usr/sbin:/usr/bin"
500 
501 static int	prior_state;
502 static int	prev_state;	/* State "init" was in last time it woke */
503 static int	new_state;	/* State user wants "init" to go to. */
504 static int	lvlq_received;	/* Explicit request to examine state */
505 static int	op_modes = BOOT_MODES; /* Current state of "init" */
506 static int	Gchild = 0;	/* Flag to indicate "godchild" died, set in */
507 				/*   childeath() and cleared in cleanaux() */
508 static int	Pfd = -1;	/* fd to receive pids thru */
509 static unsigned int	spawncnt, pausecnt;
510 static int	rsflag;		/* Set if a respawn has taken place */
511 static volatile int time_up;	/* Flag set to TRUE by the alarm interrupt */
512 				/* routine each time an alarm interrupt */
513 				/* takes place. */
514 static int	sflg = 0;	/* Set if we were booted -s to single user */
515 static int	rflg = 0;	/* Set if booted -r, reconfigure devices */
516 static int	bflg = 0;	/* Set if booted -b, don't run rc scripts */
517 static pid_t	init_pid;	/* PID of "one true" init for current zone */
518 
519 static struct init_state *g_state = NULL;
520 static size_t	g_state_sz;
521 static int	booting = 1;	/* Set while we're booting. */
522 
523 /*
524  * Array for default global environment.
525  */
526 #define	MAXENVENT	24	/* Max number of default env variables + 1 */
527 				/* init can use three itself, so this leaves */
528 				/* 20 for the administrator in ENVFILE. */
529 static char	*glob_envp[MAXENVENT];	/* Array of environment strings */
530 static int	glob_envn;		/* Number of environment strings */
531 
532 
533 static struct pollfd	poll_fds[1];
534 static int		poll_nfds = 0;	/* poll_fds is uninitialized */
535 
536 /*
537  * Contracts constants
538  */
539 #define	SVC_INIT_PREFIX "init:/"
540 #define	SVC_AUX_SIZE (INITTAB_ENTRY_ID_SIZE + 1)
541 #define	SVC_FMRI_SIZE (sizeof (SVC_INIT_PREFIX) + INITTAB_ENTRY_ID_SIZE)
542 
543 static int	legacy_tmpl = -1;	/* fd for legacy contract template */
544 static int	startd_tmpl = -1;	/* fd for svc.startd's template */
545 static char	startd_svc_aux[SVC_AUX_SIZE];
546 
547 static char	startd_cline[256] = "";	/* svc.startd's command line */
548 static int	do_restart_startd = 1;	/* Whether to restart svc.startd. */
549 static char	*smf_options = NULL;	/* Options to give to startd. */
550 static int	smf_debug = 0;		/* Messages for debugging smf(7) */
551 static time_t	init_boot_time;		/* Substitute for kernel boot time. */
552 
553 #define	NSTARTD_FAILURE_TIMES	3		/* trigger after 3 failures */
554 #define	STARTD_FAILURE_RATE_NS	5000000000LL	/* 1 failure/5 seconds */
555 
556 static hrtime_t	startd_failure_time[NSTARTD_FAILURE_TIMES];
557 static uint_t	startd_failure_index;
558 
559 
560 static char	*prog_name(char *);
561 static int	state_to_mask(int);
562 static int	lvlname_to_mask(char, int *);
563 static void	lscf_set_runlevel(char);
564 static int	state_to_flags(int);
565 static char	state_to_name(int);
566 static int	lvlname_to_state(char);
567 static int	getcmd(struct CMD_LINE *, char *);
568 static int	realcon();
569 static int	spawn_processes();
570 static int	get_ioctl_syscon();
571 static int	account(short, struct PROC_TABLE *, char *);
572 static void	alarmclk();
573 static void	childeath(int);
574 static void	cleanaux();
575 static void	clearent(pid_t, short);
576 static void	console(boolean_t, char *, ...);
577 static void	init_signals(void);
578 static void	setup_pipe();
579 static void	killproc(pid_t);
580 static void	init_env();
581 static void	boot_init();
582 static void	powerfail();
583 static void	remv();
584 static void	write_ioctl_syscon();
585 static void	spawn(struct PROC_TABLE *, struct CMD_LINE *);
586 static void	setimer(int);
587 static void	siglvl(int, siginfo_t *, void *);
588 static void	sigpoll(int);
589 static void	enter_maintenance(void);
590 static void	timer(int);
591 static void	userinit(int, char **);
592 static void	notify_pam_dead(struct utmpx *);
593 static long	waitproc(struct PROC_TABLE *);
594 static struct PROC_TABLE *efork(int, struct PROC_TABLE *, int);
595 static struct PROC_TABLE *findpslot(struct CMD_LINE *);
596 static void	increase_proc_table_size();
597 static void	st_init();
598 static void	st_write();
599 static void	contracts_init();
600 static void	contract_event(struct pollfd *);
601 static int	startd_run(const char *, int, ctid_t);
602 static void	startd_record_failure();
603 static int	startd_failure_rate_critical();
604 static char	*audit_boot_msg();
605 static int	audit_put_record(int, int, char *);
606 static void	update_boot_archive(int new_state);
607 static void	init_bootbanner_print(const char *, uint_t);
608 
609 int
main(int argc,char * argv[])610 main(int argc, char *argv[])
611 {
612 	int	chg_lvl_flag = FALSE, print_banner = FALSE;
613 	int	may_need_audit = 1;
614 	int	c;
615 	char	*msg;
616 
617 	/* Get a timestamp for use as boot time, if needed. */
618 	(void) time(&init_boot_time);
619 
620 	/* Get the default umask */
621 	cmask = umask(022);
622 	(void) umask(cmask);
623 
624 	/* Parse the arguments to init. Check for single user */
625 	opterr = 0;
626 	while ((c = getopt(argc, argv, "brsm:")) != EOF) {
627 		switch (c) {
628 		case 'b':
629 			rflg = 0;
630 			bflg = 1;
631 			if (!sflg)
632 				sflg++;
633 			break;
634 		case 'r':
635 			bflg = 0;
636 			rflg++;
637 			break;
638 		case 's':
639 			if (!bflg)
640 				sflg++;
641 			break;
642 		case 'm':
643 			smf_options = optarg;
644 			smf_debug = (strstr(smf_options, "debug") != NULL);
645 			break;
646 		}
647 	}
648 
649 	/*
650 	 * Determine if we are the main init, or a user invoked init, whose job
651 	 * it is to inform init to change levels or perform some other action.
652 	 */
653 	if (zone_getattr(getzoneid(), ZONE_ATTR_INITPID, &init_pid,
654 	    sizeof (init_pid)) != sizeof (init_pid)) {
655 		(void) fprintf(stderr, "could not get pid for init\n");
656 		return (1);
657 	}
658 
659 	/*
660 	 * If this PID is not the same as the "true" init for the zone, then we
661 	 * must be in 'user' mode.
662 	 */
663 	if (getpid() != init_pid) {
664 		userinit(argc, argv);
665 	}
666 
667 	if (getzoneid() != GLOBAL_ZONEID) {
668 		print_banner = TRUE;
669 	}
670 
671 	/*
672 	 * Initialize state (and set "booting").
673 	 */
674 	st_init();
675 
676 	if (booting && print_banner) {
677 		/*
678 		 * We want to print the boot banner as soon as
679 		 * possible.  In the global zone, the kernel does it,
680 		 * but we do not have that luxury in non-global zones,
681 		 * so we will print it here.
682 		 */
683 #ifdef	LEGACY_BANNER
684 		struct utsname un;
685 		char buf[BUFSIZ];
686 		const char *bits;
687 		int r;
688 
689 		(void) uname(&un);
690 		if ((r = sysinfo(SI_ADDRESS_WIDTH, buf, sizeof (buf))) > 0 &&
691 		    r < sizeof (buf)) {
692 			bits = buf;
693 		} else {
694 			bits = "64";
695 		}
696 
697 		console(B_FALSE,
698 		    "\n\n%s Release %s Version %s %s-bit\r\n",
699 		    un.sysname, un.release, un.version, bits);
700 		console(B_FALSE,
701 		    "Copyright (c) 1983, 2010, Oracle and/or its affiliates."
702 		    " All rights reserved.\r\n");
703 #else
704 		bootbanner_print(init_bootbanner_print);
705 #endif
706 	}
707 
708 	/*
709 	 * Get the ioctl settings for /dev/syscon from /etc/ioctl.syscon
710 	 * so that it can be brought up in the state it was in when the
711 	 * system went down; or set to defaults if ioctl.syscon isn't
712 	 * valid.
713 	 *
714 	 * This needs to be done even if we're restarting so reset_modes()
715 	 * will work in case we need to go down to single user mode.
716 	 */
717 	write_ioctl = get_ioctl_syscon();
718 
719 	/*
720 	 * Set up all signals to be caught or ignored as appropriate.
721 	 */
722 	init_signals();
723 
724 	/* Load glob_envp from ENVFILE. */
725 	init_env();
726 
727 	contracts_init();
728 
729 	if (!booting) {
730 		/* cur_state should have been read in. */
731 
732 		op_modes = NORMAL_MODES;
733 
734 		/* Rewrite the ioctl file if it was bad. */
735 		if (write_ioctl)
736 			write_ioctl_syscon();
737 	} else {
738 		/*
739 		 * It's fine to boot up with state as zero, because
740 		 * startd will later tell us the real state.
741 		 */
742 		cur_state = 0;
743 		op_modes = BOOT_MODES;
744 
745 		boot_init();
746 	}
747 
748 	prev_state = prior_state = cur_state;
749 
750 	setup_pipe();
751 
752 	/*
753 	 * Here is the beginning of the main process loop.
754 	 */
755 	for (;;) {
756 		if (lvlq_received) {
757 			setup_pipe();
758 			lvlq_received = B_FALSE;
759 		}
760 
761 		/*
762 		 * Clean up any accounting records for dead "godchildren".
763 		 */
764 		if (Gchild)
765 			cleanaux();
766 
767 		/*
768 		 * If in "normal" mode, check all living processes and initiate
769 		 * kill sequence on those that should not be there anymore.
770 		 */
771 		if (op_modes == NORMAL_MODES && cur_state != LVLa &&
772 		    cur_state != LVLb && cur_state != LVLc)
773 			remv();
774 
775 		/*
776 		 * If a change in run levels is the reason we awoke, now do
777 		 * the accounting to report the change in the utmp file.
778 		 * Also report the change on the system console.
779 		 */
780 		if (chg_lvl_flag) {
781 			chg_lvl_flag = FALSE;
782 
783 			if (state_to_flags(cur_state) & LSEL_RUNLEVEL) {
784 				char rl = state_to_name(cur_state);
785 
786 				if (rl != -1)
787 					lscf_set_runlevel(rl);
788 			}
789 
790 			may_need_audit = 1;
791 		}
792 
793 		/*
794 		 * Scan the inittab file and spawn and respawn processes that
795 		 * should be alive in the current state. If inittab does not
796 		 * exist default to  single user mode.
797 		 */
798 		if (spawn_processes() == FAILURE) {
799 			prior_state = prev_state;
800 			cur_state = SINGLE_USER;
801 		}
802 
803 		/* If any respawns occurred, take note. */
804 		if (rsflag) {
805 			rsflag = 0;
806 			spawncnt++;
807 		}
808 
809 		/*
810 		 * If a powerfail signal was received during the last
811 		 * sequence, set mode to powerfail.  When spawn_processes() is
812 		 * entered the first thing it does is to check "powerhit".  If
813 		 * it is in PF_MODES then it clears "powerhit" and does
814 		 * a powerfail sequence.  If it is not in PF_MODES, then it
815 		 * puts itself in PF_MODES and then clears "powerhit".  Should
816 		 * "powerhit" get set again while spawn_processes() is working
817 		 * on a powerfail sequence, the following code  will see that
818 		 * spawn_processes() tries to execute the powerfail sequence
819 		 * again.  This guarantees that the powerfail sequence will be
820 		 * successfully completed before further processing takes
821 		 * place.
822 		 */
823 		if (wakeup.w_flags.w_powerhit) {
824 			op_modes = PF_MODES;
825 			/*
826 			 * Make sure that cur_state != prev_state so that
827 			 * ONCE and WAIT types work.
828 			 */
829 			prev_state = 0;
830 		} else if (op_modes != NORMAL_MODES) {
831 			/*
832 			 * If spawn_processes() was not just called while in
833 			 * normal mode, we set the mode to normal and it will
834 			 * be called again to check normal modes.  If we have
835 			 * just finished a powerfail sequence with prev_state
836 			 * equal to zero, we set prev_state equal to cur_state
837 			 * before the next pass through.
838 			 */
839 			if (op_modes == PF_MODES)
840 				prev_state = cur_state;
841 			op_modes = NORMAL_MODES;
842 		} else if (cur_state == LVLa || cur_state == LVLb ||
843 		    cur_state == LVLc) {
844 			/*
845 			 * If it was a change of levels that awakened us and the
846 			 * new level is one of the demand levels then reset
847 			 * cur_state to the previous state and do another scan
848 			 * to take care of the usual respawn actions.
849 			 */
850 			cur_state = prior_state;
851 			prior_state = prev_state;
852 			prev_state = cur_state;
853 		} else {
854 			prev_state = cur_state;
855 
856 			if (wakeup.w_mask == 0) {
857 				int ret;
858 
859 				if (may_need_audit && (cur_state == LVL3)) {
860 					msg = audit_boot_msg();
861 
862 					may_need_audit = 0;
863 					(void) audit_put_record(ADT_SUCCESS,
864 					    ADT_SUCCESS, msg);
865 					free(msg);
866 				}
867 
868 				/*
869 				 * "init" is finished with all actions for
870 				 * the current wakeup.
871 				 */
872 				ret = poll(poll_fds, poll_nfds,
873 				    SLEEPTIME * MILLISEC);
874 				pausecnt++;
875 				if (ret > 0)
876 					contract_event(&poll_fds[0]);
877 				else if (ret < 0 && errno != EINTR)
878 					console(B_TRUE, "poll() error: %s\n",
879 					    strerror(errno));
880 			}
881 
882 			if (wakeup.w_flags.w_usersignal) {
883 				/*
884 				 * Install the new level.  This could be a real
885 				 * change in levels  or a telinit [Q|a|b|c] or
886 				 * just a telinit to the same level at which
887 				 * we are running.
888 				 */
889 				if (new_state != cur_state) {
890 					if (new_state == LVLa ||
891 					    new_state == LVLb ||
892 					    new_state == LVLc) {
893 						prev_state = prior_state;
894 						prior_state = cur_state;
895 						cur_state = new_state;
896 					} else {
897 						prev_state = cur_state;
898 						if (cur_state >= 0)
899 							prior_state = cur_state;
900 						cur_state = new_state;
901 						chg_lvl_flag = TRUE;
902 					}
903 				}
904 
905 				new_state = 0;
906 			}
907 
908 			if (wakeup.w_flags.w_powerhit)
909 				op_modes = PF_MODES;
910 
911 			/*
912 			 * Clear all wakeup reasons.
913 			 */
914 			wakeup.w_mask = 0;
915 		}
916 	}
917 
918 	/*NOTREACHED*/
919 }
920 
921 static void
init_bootbanner_print(const char * line,uint_t num)922 init_bootbanner_print(const char *line, uint_t num)
923 {
924 	const char *pfx = (num == 0) ? "\n\n" : "";
925 
926 	console(B_FALSE, "%s%s\r\n", pfx, line);
927 }
928 
929 static void
update_boot_archive(int new_state)930 update_boot_archive(int new_state)
931 {
932 	if (new_state != LVL0 && new_state != LVL5 && new_state != LVL6)
933 		return;
934 
935 	if (getzoneid() != GLOBAL_ZONEID)
936 		return;
937 
938 	(void) system("/sbin/bootadm -ea update_all");
939 }
940 
941 /*
942  * void enter_maintenance()
943  *   A simple invocation of sulogin(8), with no baggage, in the case that we
944  *   are unable to activate svc.startd(8).  We fork; the child runs sulogin;
945  *   we wait for it to exit.
946  */
947 static void
enter_maintenance()948 enter_maintenance()
949 {
950 	struct PROC_TABLE	*su_process;
951 
952 	console(B_FALSE, "Requesting maintenance mode\n"
953 	    "(See /lib/svc/share/README for additional information.)\n");
954 	(void) sighold(SIGCLD);
955 	while ((su_process = efork(M_OFF, NULLPROC, NOCLEANUP)) == NO_ROOM)
956 		(void) pause();
957 	(void) sigrelse(SIGCLD);
958 	if (su_process == NULLPROC) {
959 		int fd;
960 
961 		(void) fclose(stdin);
962 		(void) fclose(stdout);
963 		(void) fclose(stderr);
964 		closefrom(0);
965 
966 		fd = open(SYSCON, O_RDWR | O_NOCTTY);
967 		if (fd >= 0) {
968 			(void) dup2(fd, 1);
969 			(void) dup2(fd, 2);
970 		} else {
971 			/*
972 			 * Need to issue an error message somewhere.
973 			 */
974 			syslog(LOG_CRIT, "init[%d]: cannot open %s; %s\n",
975 			    getpid(), SYSCON, strerror(errno));
976 		}
977 
978 		/*
979 		 * Execute the "su" program.
980 		 */
981 		(void) execle(SU, SU, "-", (char *)0, glob_envp);
982 		console(B_TRUE, "execle of %s failed: %s\n", SU,
983 		    strerror(errno));
984 		timer(5);
985 		exit(1);
986 	}
987 
988 	/*
989 	 * If we are the parent, wait around for the child to die
990 	 * or for "init" to be signaled to change levels.
991 	 */
992 	while (waitproc(su_process) == FAILURE) {
993 		/*
994 		 * All other reasons for waking are ignored when in
995 		 * single-user mode.  The only child we are interested
996 		 * in is being waited for explicitly by waitproc().
997 		 */
998 		wakeup.w_mask = 0;
999 	}
1000 }
1001 
1002 /*
1003  * remv() scans through "proc_table" and performs cleanup.  If
1004  * there is a process in the table, which shouldn't be here at
1005  * the current run level, then remv() kills the process.
1006  */
1007 static void
remv()1008 remv()
1009 {
1010 	struct PROC_TABLE	*process;
1011 	struct CMD_LINE		cmd;
1012 	char			cmd_string[MAXCMDL];
1013 	int			change_level;
1014 
1015 	change_level = (cur_state != prev_state ? TRUE : FALSE);
1016 
1017 	/*
1018 	 * Clear the TOUCHED flag on all entries so that when we have
1019 	 * finished scanning inittab, we will be able to tell if we
1020 	 * have any processes for which there is no entry in inittab.
1021 	 */
1022 	for (process = proc_table;
1023 	    (process < proc_table + num_proc); process++) {
1024 		process->p_flags &= ~TOUCHED;
1025 	}
1026 
1027 	/*
1028 	 * Scan all inittab entries.
1029 	 */
1030 	while (getcmd(&cmd, &cmd_string[0]) == TRUE) {
1031 		/* Scan for process which goes with this entry in inittab. */
1032 		for (process = proc_table;
1033 		    (process < proc_table + num_proc); process++) {
1034 			if ((process->p_flags & OCCUPIED) == 0 ||
1035 			    !id_eq(process->p_id, cmd.c_id))
1036 				continue;
1037 
1038 			/*
1039 			 * This slot contains the process we are looking for.
1040 			 */
1041 
1042 			/*
1043 			 * Is the cur_state SINGLE_USER or is this process
1044 			 * marked as "off" or was this proc started by some
1045 			 * mechanism other than LVL{a|b|c} and the current level
1046 			 * does not support this process?
1047 			 */
1048 			if (cur_state == SINGLE_USER ||
1049 			    cmd.c_action == M_OFF ||
1050 			    ((cmd.c_levels & state_to_mask(cur_state)) == 0 &&
1051 			    (process->p_flags & DEMANDREQUEST) == 0)) {
1052 				if (process->p_flags & LIVING) {
1053 					/*
1054 					 * Touch this entry so we know we have
1055 					 * treated it.  Note that procs which
1056 					 * are already dead at this point and
1057 					 * should not be restarted are left
1058 					 * untouched.  This causes their slot to
1059 					 * be freed later after dead accounting
1060 					 * is done.
1061 					 */
1062 					process->p_flags |= TOUCHED;
1063 
1064 					if ((process->p_flags & KILLED) == 0) {
1065 						if (change_level) {
1066 							process->p_flags
1067 							    |= WARNED;
1068 							(void) kill(
1069 							    process->p_pid,
1070 							    SIGTERM);
1071 						} else {
1072 							/*
1073 							 * Fork a killing proc
1074 							 * so "init" can
1075 							 * continue without
1076 							 * having to pause for
1077 							 * TWARN seconds.
1078 							 */
1079 							killproc(
1080 							    process->p_pid);
1081 						}
1082 						process->p_flags |= KILLED;
1083 					}
1084 				}
1085 			} else {
1086 				/*
1087 				 * Process can exist at current level.  If it is
1088 				 * still alive or a DEMANDREQUEST we touch it so
1089 				 * it will be left alone.  Otherwise we leave it
1090 				 * untouched so it will be accounted for and
1091 				 * cleaned up later in remv().  Dead
1092 				 * DEMANDREQUESTs will be accounted but not
1093 				 * freed.
1094 				 */
1095 				if (process->p_flags &
1096 				    (LIVING|NOCLEANUP|DEMANDREQUEST))
1097 					process->p_flags |= TOUCHED;
1098 			}
1099 
1100 			break;
1101 		}
1102 	}
1103 
1104 	st_write();
1105 
1106 	/*
1107 	 * If this was a change of levels call, scan through the
1108 	 * process table for processes that were warned to die.  If any
1109 	 * are found that haven't left yet, sleep for TWARN seconds and
1110 	 * then send final terminations to any that haven't died yet.
1111 	 */
1112 	if (change_level) {
1113 
1114 		/*
1115 		 * Set the alarm for TWARN seconds on the assumption
1116 		 * that there will be some that need to be waited for.
1117 		 * This won't harm anything except we are guaranteed to
1118 		 * wakeup in TWARN seconds whether we need to or not.
1119 		 */
1120 		setimer(TWARN);
1121 
1122 		/*
1123 		 * Scan for processes which should be dying.  We hope they
1124 		 * will die without having to be sent a SIGKILL signal.
1125 		 */
1126 		for (process = proc_table;
1127 		    (process < proc_table + num_proc); process++) {
1128 			/*
1129 			 * If this process should die, hasn't yet, and the
1130 			 * TWARN time hasn't expired yet, wait for process
1131 			 * to die or for timer to expire.
1132 			 */
1133 			while (time_up == FALSE &&
1134 			    (process->p_flags & (WARNED|LIVING|OCCUPIED)) ==
1135 			    (WARNED|LIVING|OCCUPIED))
1136 				(void) pause();
1137 
1138 			if (time_up == TRUE)
1139 				break;
1140 		}
1141 
1142 		/*
1143 		 * If we reached the end of the table without the timer
1144 		 * expiring, then there are no procs which will have to be
1145 		 * sent the SIGKILL signal.  If the timer has expired, then
1146 		 * it is necessary to scan the table again and send signals
1147 		 * to all processes which aren't going away nicely.
1148 		 */
1149 		if (time_up == TRUE) {
1150 			for (process = proc_table;
1151 			    (process < proc_table + num_proc); process++) {
1152 				if ((process->p_flags &
1153 				    (WARNED|LIVING|OCCUPIED)) ==
1154 				    (WARNED|LIVING|OCCUPIED))
1155 					(void) kill(process->p_pid, SIGKILL);
1156 			}
1157 		}
1158 		setimer(0);
1159 	}
1160 
1161 	/*
1162 	 * Rescan the proc_table for two kinds of entry, those marked LIVING,
1163 	 * NAMED, which don't have an entry in inittab (haven't been TOUCHED
1164 	 * by the above scanning), and haven't been sent kill signals, and
1165 	 * those entries marked not LIVING, NAMED.  The former procs are killed.
1166 	 * The latter have DEAD_PROCESS accounting done and the slot cleared.
1167 	 */
1168 	for (process = proc_table;
1169 	    (process < proc_table + num_proc); process++) {
1170 		if ((process->p_flags & (LIVING|NAMED|TOUCHED|KILLED|OCCUPIED))
1171 		    == (LIVING|NAMED|OCCUPIED)) {
1172 			killproc(process->p_pid);
1173 			process->p_flags |= KILLED;
1174 		} else if ((process->p_flags & (LIVING|NAMED|OCCUPIED)) ==
1175 		    (NAMED|OCCUPIED)) {
1176 			(void) account(DEAD_PROCESS, process, NULL);
1177 			/*
1178 			 * If this named proc hasn't been TOUCHED, then free the
1179 			 * space. It has either died of it's own accord, but
1180 			 * isn't respawnable or it was killed because it
1181 			 * shouldn't exist at this level.
1182 			 */
1183 			if ((process->p_flags & TOUCHED) == 0)
1184 				process->p_flags = 0;
1185 		}
1186 	}
1187 
1188 	st_write();
1189 }
1190 
1191 /*
1192  * Extract the svc.startd command line and whether to restart it from its
1193  * inittab entry.
1194  */
1195 /*ARGSUSED*/
1196 static void
process_startd_line(struct CMD_LINE * cmd,char * cmd_string)1197 process_startd_line(struct CMD_LINE *cmd, char *cmd_string)
1198 {
1199 	size_t sz;
1200 
1201 	/* Save the command line. */
1202 	if (sflg || rflg) {
1203 		/* Also append -r or -s. */
1204 		(void) strlcpy(startd_cline, cmd_string, sizeof (startd_cline));
1205 		(void) strlcat(startd_cline, " -", sizeof (startd_cline));
1206 		if (sflg)
1207 			sz = strlcat(startd_cline, "s", sizeof (startd_cline));
1208 		if (rflg)
1209 			sz = strlcat(startd_cline, "r", sizeof (startd_cline));
1210 	} else {
1211 		sz = strlcpy(startd_cline, cmd_string, sizeof (startd_cline));
1212 	}
1213 
1214 	if (sz >= sizeof (startd_cline)) {
1215 		console(B_TRUE,
1216 		    "svc.startd command line too long.  Ignoring.\n");
1217 		startd_cline[0] = '\0';
1218 		return;
1219 	}
1220 }
1221 
1222 /*
1223  * spawn_processes() scans inittab for entries which should be run at this
1224  * mode.  Processes which should be running but are not, are started.
1225  */
1226 static int
spawn_processes()1227 spawn_processes()
1228 {
1229 	struct PROC_TABLE		*pp;
1230 	struct CMD_LINE			cmd;
1231 	char				cmd_string[MAXCMDL];
1232 	short				lvl_mask;
1233 	int				status;
1234 
1235 	/*
1236 	 * First check the "powerhit" flag.  If it is set, make sure the modes
1237 	 * are PF_MODES and clear the "powerhit" flag.  Avoid the possible race
1238 	 * on the "powerhit" flag by disallowing a new powerfail interrupt
1239 	 * between the test of the powerhit flag and the clearing of it.
1240 	 */
1241 	if (wakeup.w_flags.w_powerhit) {
1242 		wakeup.w_flags.w_powerhit = 0;
1243 		op_modes = PF_MODES;
1244 	}
1245 	lvl_mask = state_to_mask(cur_state);
1246 
1247 	/*
1248 	 * Scan through all the entries in inittab.
1249 	 */
1250 	while ((status = getcmd(&cmd, &cmd_string[0])) == TRUE) {
1251 		if (id_eq(cmd.c_id, "smf")) {
1252 			process_startd_line(&cmd, cmd_string);
1253 			continue;
1254 		}
1255 
1256 retry_for_proc_slot:
1257 
1258 		/*
1259 		 * Find out if there is a process slot for this entry already.
1260 		 */
1261 		if ((pp = findpslot(&cmd)) == NULLPROC) {
1262 			/*
1263 			 * we've run out of proc table entries
1264 			 * increase proc_table.
1265 			 */
1266 			increase_proc_table_size();
1267 
1268 			/*
1269 			 * Retry now as we have an empty proc slot.
1270 			 * In case increase_proc_table_size() fails,
1271 			 * we will keep retrying.
1272 			 */
1273 			goto retry_for_proc_slot;
1274 		}
1275 
1276 		/*
1277 		 * If there is an entry, and it is marked as DEMANDREQUEST,
1278 		 * one of the levels a, b, or c is in its levels mask, and
1279 		 * the action field is ONDEMAND and ONDEMAND is a permissable
1280 		 * mode, and the process is dead, then respawn it.
1281 		 */
1282 		if (((pp->p_flags & (LIVING|DEMANDREQUEST)) == DEMANDREQUEST) &&
1283 		    (cmd.c_levels & MASK_abc) &&
1284 		    (cmd.c_action & op_modes) == M_ONDEMAND) {
1285 			spawn(pp, &cmd);
1286 			continue;
1287 		}
1288 
1289 		/*
1290 		 * If the action is not an action we are interested in,
1291 		 * skip the entry.
1292 		 */
1293 		if ((cmd.c_action & op_modes) == 0 || pp->p_flags & LIVING ||
1294 		    (cmd.c_levels & lvl_mask) == 0)
1295 			continue;
1296 
1297 		/*
1298 		 * If the modes are the normal modes (ONCE, WAIT, RESPAWN, OFF,
1299 		 * ONDEMAND) and the action field is either OFF or the action
1300 		 * field is ONCE or WAIT and the current level is the same as
1301 		 * the last level, then skip this entry.  ONCE and WAIT only
1302 		 * get run when the level changes.
1303 		 */
1304 		if (op_modes == NORMAL_MODES &&
1305 		    (cmd.c_action == M_OFF ||
1306 		    (cmd.c_action & (M_ONCE|M_WAIT)) &&
1307 		    cur_state == prev_state))
1308 			continue;
1309 
1310 		/*
1311 		 * At this point we are interested in performing the action for
1312 		 * this entry.  Actions fall into two categories, spinning off
1313 		 * a process and not waiting, and spinning off a process and
1314 		 * waiting for it to die.  If the action is ONCE, RESPAWN,
1315 		 * ONDEMAND, POWERFAIL, or BOOT we don't wait for the process
1316 		 * to die, for all other actions we do wait.
1317 		 */
1318 		if (cmd.c_action & (M_ONCE | M_RESPAWN | M_PF | M_BOOT)) {
1319 			spawn(pp, &cmd);
1320 
1321 		} else {
1322 			spawn(pp, &cmd);
1323 			while (waitproc(pp) == FAILURE)
1324 				;
1325 			(void) account(DEAD_PROCESS, pp, NULL);
1326 			pp->p_flags = 0;
1327 		}
1328 	}
1329 	return (status);
1330 }
1331 
1332 /*
1333  * spawn() spawns a shell, inserts the information about the process
1334  * process into the proc_table, and does the startup accounting.
1335  */
1336 static void
spawn(struct PROC_TABLE * process,struct CMD_LINE * cmd)1337 spawn(struct PROC_TABLE *process, struct CMD_LINE *cmd)
1338 {
1339 	int		i;
1340 	int		modes, maxfiles;
1341 	time_t		now;
1342 	struct PROC_TABLE tmproc, *oprocess;
1343 
1344 	/*
1345 	 * The modes to be sent to efork() are 0 unless we are
1346 	 * spawning a LVLa, LVLb, or LVLc entry or we will be
1347 	 * waiting for the death of the child before continuing.
1348 	 */
1349 	modes = NAMED;
1350 	if (process->p_flags & DEMANDREQUEST || cur_state == LVLa ||
1351 	    cur_state == LVLb || cur_state == LVLc)
1352 		modes |= DEMANDREQUEST;
1353 	if ((cmd->c_action & (M_SYSINIT | M_WAIT | M_BOOTWAIT | M_PWAIT)) != 0)
1354 		modes |= NOCLEANUP;
1355 
1356 	/*
1357 	 * If this is a respawnable process, check the threshold
1358 	 * information to avoid excessive respawns.
1359 	 */
1360 	if (cmd->c_action & M_RESPAWN) {
1361 		/*
1362 		 * Add NOCLEANUP to all respawnable commands so that the
1363 		 * information about the frequency of respawns isn't lost.
1364 		 */
1365 		modes |= NOCLEANUP;
1366 		(void) time(&now);
1367 
1368 		/*
1369 		 * If no time is assigned, then this is the first time
1370 		 * this command is being processed in this series.  Assign
1371 		 * the current time.
1372 		 */
1373 		if (process->p_time == 0L)
1374 			process->p_time = now;
1375 
1376 		if (process->p_count++ == SPAWN_LIMIT) {
1377 
1378 			if ((now - process->p_time) < SPAWN_INTERVAL) {
1379 				/*
1380 				 * Process is respawning too rapidly.  Print
1381 				 * message and refuse to respawn it for now.
1382 				 */
1383 				console(B_TRUE, "Command is respawning too "
1384 				    "rapidly. Check for possible errors.\n"
1385 				    "id:%4s \"%s\"\n",
1386 				    &cmd->c_id[0], &cmd->c_command[EXEC]);
1387 				return;
1388 			}
1389 			process->p_time = now;
1390 			process->p_count = 0;
1391 
1392 		} else if (process->p_count > SPAWN_LIMIT) {
1393 			/*
1394 			 * If process has been respawning too rapidly and
1395 			 * the inhibit time limit hasn't expired yet, we
1396 			 * refuse to respawn.
1397 			 */
1398 			if (now - process->p_time < SPAWN_INTERVAL + INHIBIT)
1399 				return;
1400 			process->p_time = now;
1401 			process->p_count = 0;
1402 		}
1403 		rsflag = TRUE;
1404 	}
1405 
1406 	/*
1407 	 * Spawn a child process to execute this command.
1408 	 */
1409 	(void) sighold(SIGCLD);
1410 	oprocess = process;
1411 	while ((process = efork(cmd->c_action, oprocess, modes)) == NO_ROOM)
1412 		(void) pause();
1413 
1414 	if (process == NULLPROC) {
1415 
1416 		/*
1417 		 * We are the child.  We must make sure we get a different
1418 		 * file pointer for our references to utmpx.  Otherwise our
1419 		 * seeks and reads will compete with those of the parent.
1420 		 */
1421 		endutxent();
1422 
1423 		/*
1424 		 * Perform the accounting for the beginning of a process.
1425 		 * Note that all processes are initially "INIT_PROCESS"es.
1426 		 */
1427 		tmproc.p_id[0] = cmd->c_id[0];
1428 		tmproc.p_id[1] = cmd->c_id[1];
1429 		tmproc.p_id[2] = cmd->c_id[2];
1430 		tmproc.p_id[3] = cmd->c_id[3];
1431 		tmproc.p_pid = getpid();
1432 		tmproc.p_exit = 0;
1433 		(void) account(INIT_PROCESS, &tmproc,
1434 		    prog_name(&cmd->c_command[EXEC]));
1435 		maxfiles = ulimit(UL_GDESLIM, 0);
1436 		for (i = 0; i < maxfiles; i++)
1437 			(void) fcntl(i, F_SETFD, FD_CLOEXEC);
1438 
1439 		/*
1440 		 * Now exec a shell with the -c option and the command
1441 		 * from inittab.
1442 		 */
1443 		(void) execle(SH, "INITSH", "-c", cmd->c_command, (char *)0,
1444 		    glob_envp);
1445 		console(B_TRUE, "Command\n\"%s\"\n failed to execute.  errno "
1446 		    "= %d (exec of shell failed)\n", cmd->c_command, errno);
1447 
1448 		/*
1449 		 * Don't come back so quickly that "init" doesn't have a
1450 		 * chance to finish putting this child in "proc_table".
1451 		 */
1452 		timer(20);
1453 		exit(1);
1454 
1455 	}
1456 
1457 	/*
1458 	 * We are the parent.  Insert the necessary
1459 	 * information in the proc_table.
1460 	 */
1461 	process->p_id[0] = cmd->c_id[0];
1462 	process->p_id[1] = cmd->c_id[1];
1463 	process->p_id[2] = cmd->c_id[2];
1464 	process->p_id[3] = cmd->c_id[3];
1465 
1466 	st_write();
1467 
1468 	(void) sigrelse(SIGCLD);
1469 }
1470 
1471 /*
1472  * findpslot() finds the old slot in the process table for the
1473  * command with the same id, or it finds an empty slot.
1474  */
1475 static struct PROC_TABLE *
findpslot(struct CMD_LINE * cmd)1476 findpslot(struct CMD_LINE *cmd)
1477 {
1478 	struct PROC_TABLE	*process;
1479 	struct PROC_TABLE	*empty = NULLPROC;
1480 
1481 	for (process = proc_table;
1482 	    (process < proc_table + num_proc); process++) {
1483 		if (process->p_flags & OCCUPIED &&
1484 		    id_eq(process->p_id, cmd->c_id))
1485 			break;
1486 
1487 		/*
1488 		 * If the entry is totally empty and "empty" is still 0,
1489 		 * remember where this hole is and make sure the slot is
1490 		 * zeroed out.
1491 		 */
1492 		if (empty == NULLPROC && (process->p_flags & OCCUPIED) == 0) {
1493 			empty = process;
1494 			process->p_id[0] = '\0';
1495 			process->p_id[1] = '\0';
1496 			process->p_id[2] = '\0';
1497 			process->p_id[3] = '\0';
1498 			process->p_pid = 0;
1499 			process->p_time = 0L;
1500 			process->p_count = 0;
1501 			process->p_flags = 0;
1502 			process->p_exit = 0;
1503 		}
1504 	}
1505 
1506 	/*
1507 	 * If there is no entry for this slot, then there should be an
1508 	 * empty slot.  If there is no empty slot, then we've run out
1509 	 * of proc_table space.  If the latter is true, empty will be
1510 	 * NULL and the caller will have to complain.
1511 	 */
1512 	if (process == (proc_table + num_proc))
1513 		process = empty;
1514 
1515 	return (process);
1516 }
1517 
1518 /*
1519  * getcmd() parses lines from inittab.  Each time it finds a command line
1520  * it will return TRUE as well as fill the passed CMD_LINE structure and
1521  * the shell command string.  When the end of inittab is reached, FALSE
1522  * is returned inittab is automatically opened if it is not currently open
1523  * and is closed when the end of the file is reached.
1524  */
1525 static FILE *fp_inittab = NULL;
1526 
1527 static int
getcmd(struct CMD_LINE * cmd,char * shcmd)1528 getcmd(struct CMD_LINE *cmd, char *shcmd)
1529 {
1530 	char	*ptr;
1531 	int	c, lastc, state;
1532 	char	*ptr1;
1533 	int	answer, i, proceed;
1534 	struct	stat	sbuf;
1535 	static char *actions[] = {
1536 		"off", "respawn", "ondemand", "once", "wait", "boot",
1537 		"bootwait", "powerfail", "powerwait", "initdefault",
1538 		"sysinit",
1539 	};
1540 	static short act_masks[] = {
1541 		M_OFF, M_RESPAWN, M_ONDEMAND, M_ONCE, M_WAIT, M_BOOT,
1542 		M_BOOTWAIT, M_PF, M_PWAIT, M_INITDEFAULT, M_SYSINIT,
1543 	};
1544 	/*
1545 	 * Only these actions will be allowed for entries which
1546 	 * are specified for single-user mode.
1547 	 */
1548 	short su_acts = M_INITDEFAULT | M_PF | M_PWAIT | M_WAIT;
1549 
1550 	if (fp_inittab == NULL) {
1551 		/*
1552 		 * Before attempting to open inittab we stat it to make
1553 		 * sure it currently exists and is not empty.  We try
1554 		 * several times because someone may have temporarily
1555 		 * unlinked or truncated the file.
1556 		 */
1557 		for (i = 0; i < 3; i++) {
1558 			if (stat(INITTAB, &sbuf) == -1) {
1559 				if (i == 2) {
1560 					console(B_TRUE,
1561 					    "Cannot stat %s, errno: %d\n",
1562 					    INITTAB, errno);
1563 					return (FAILURE);
1564 				} else {
1565 					timer(3);
1566 				}
1567 			} else if (sbuf.st_size < 10) {
1568 				if (i == 2) {
1569 					console(B_TRUE,
1570 					    "%s truncated or corrupted\n",
1571 					    INITTAB);
1572 					return (FAILURE);
1573 				} else {
1574 					timer(3);
1575 				}
1576 			} else {
1577 				break;
1578 			}
1579 		}
1580 
1581 		/*
1582 		 * If unable to open inittab, print error message and
1583 		 * return FAILURE to caller.
1584 		 */
1585 		if ((fp_inittab = fopen(INITTAB, "r")) == NULL) {
1586 			console(B_TRUE, "Cannot open %s errno: %d\n", INITTAB,
1587 			    errno);
1588 			return (FAILURE);
1589 		}
1590 	}
1591 
1592 	/*
1593 	 * Keep getting commands from inittab until you find a
1594 	 * good one or run out of file.
1595 	 */
1596 	for (answer = FALSE; answer == FALSE; ) {
1597 		/*
1598 		 * Zero out the cmd itself before trying next line.
1599 		 */
1600 		bzero(cmd, sizeof (struct CMD_LINE));
1601 
1602 		/*
1603 		 * Read in lines of inittab, parsing at colons, until a line is
1604 		 * read in which doesn't end with a backslash.  Do not start if
1605 		 * the first character read is an EOF.  Note that this means
1606 		 * that lines which don't end in a newline are still processed,
1607 		 * since the "for" will terminate normally once started,
1608 		 * regardless of whether line terminates with a newline or EOF.
1609 		 */
1610 		state = FAILURE;
1611 		if ((c = fgetc(fp_inittab)) == EOF) {
1612 			answer = FALSE;
1613 			(void) fclose(fp_inittab);
1614 			fp_inittab = NULL;
1615 			break;
1616 		}
1617 
1618 		for (proceed = TRUE, ptr = shcmd, state = ID, lastc = '\0';
1619 		    proceed && c != EOF;
1620 		    lastc = c, c = fgetc(fp_inittab)) {
1621 			/* If we're not in the FAILURE state and haven't */
1622 			/* yet reached the shell command field, process	 */
1623 			/* the line, otherwise just look for a real end	 */
1624 			/* of line.					 */
1625 			if (state != FAILURE && state != COMMAND) {
1626 			/*
1627 			 * Squeeze out spaces and tabs.
1628 			 */
1629 			if (c == ' ' || c == '\t')
1630 				continue;
1631 
1632 			/*
1633 			 * Ignore characters in a comment, except for the \n.
1634 			 */
1635 			if (state == COMMENT) {
1636 				if (c == '\n') {
1637 					lastc = ' ';
1638 					break;
1639 				} else {
1640 					continue;
1641 				}
1642 			}
1643 
1644 			/*
1645 			 * Detect comments (lines whose first non-whitespace
1646 			 * character is '#') by checking that we're at the
1647 			 * beginning of a line, have seen a '#', and haven't
1648 			 * yet accumulated any characters.
1649 			 */
1650 			if (state == ID && c == '#' && ptr == shcmd) {
1651 				state = COMMENT;
1652 				continue;
1653 			}
1654 
1655 			/*
1656 			 * If the character is a ':', then check the
1657 			 * previous field for correctness and advance
1658 			 * to the next field.
1659 			 */
1660 			if (c == ':') {
1661 				switch (state) {
1662 
1663 				case ID :
1664 				/*
1665 				 * Check to see that there are only
1666 				 * 1 to 4 characters for the id.
1667 				 */
1668 				if ((i = ptr - shcmd) < 1 || i > 4) {
1669 					state = FAILURE;
1670 				} else {
1671 					bcopy(shcmd, &cmd->c_id[0], i);
1672 					ptr = shcmd;
1673 					state = LEVELS;
1674 				}
1675 				break;
1676 
1677 				case LEVELS :
1678 				/*
1679 				 * Build a mask for all the levels for
1680 				 * which this command will be legal.
1681 				 */
1682 				for (cmd->c_levels = 0, ptr1 = shcmd;
1683 				    ptr1 < ptr; ptr1++) {
1684 					int mask;
1685 					if (lvlname_to_mask(*ptr1,
1686 					    &mask) == -1) {
1687 						state = FAILURE;
1688 						break;
1689 					}
1690 					cmd->c_levels |= mask;
1691 				}
1692 				if (state != FAILURE) {
1693 					state = ACTION;
1694 					ptr = shcmd;	/* Reset the buffer */
1695 				}
1696 				break;
1697 
1698 				case ACTION :
1699 				/*
1700 				 * Null terminate the string in shcmd buffer and
1701 				 * then try to match against legal actions.  If
1702 				 * the field is of length 0, then the default of
1703 				 * "RESPAWN" is used if the id is numeric,
1704 				 * otherwise the default is "OFF".
1705 				 */
1706 				if (ptr == shcmd) {
1707 					if (isdigit(cmd->c_id[0]) &&
1708 					    (cmd->c_id[1] == '\0' ||
1709 					    isdigit(cmd->c_id[1])) &&
1710 					    (cmd->c_id[2] == '\0' ||
1711 					    isdigit(cmd->c_id[2])) &&
1712 					    (cmd->c_id[3] == '\0' ||
1713 					    isdigit(cmd->c_id[3])))
1714 						cmd->c_action = M_RESPAWN;
1715 					else
1716 						cmd->c_action = M_OFF;
1717 				} else {
1718 					for (cmd->c_action = 0, i = 0,
1719 					    *ptr = '\0';
1720 					    i <
1721 					    sizeof (actions)/sizeof (char *);
1722 					    i++) {
1723 					if (strcmp(shcmd, actions[i]) == 0) {
1724 						if ((cmd->c_levels & MASKSU) &&
1725 						    !(act_masks[i] & su_acts))
1726 							cmd->c_action = 0;
1727 						else
1728 							cmd->c_action =
1729 							    act_masks[i];
1730 						break;
1731 					}
1732 					}
1733 				}
1734 
1735 				/*
1736 				 * If the action didn't match any legal action,
1737 				 * set state to FAILURE.
1738 				 */
1739 				if (cmd->c_action == 0) {
1740 					state = FAILURE;
1741 				} else {
1742 					state = COMMAND;
1743 					(void) strcpy(shcmd, "exec ");
1744 				}
1745 				ptr = shcmd + EXEC;
1746 				break;
1747 				}
1748 				continue;
1749 			}
1750 		}
1751 
1752 		/* If the character is a '\n', then this is the end of a */
1753 		/* line.  If the '\n' wasn't preceded by a backslash, */
1754 		/* it is also the end of an inittab command.  If it was */
1755 		/* preceded by a backslash then the next line is a */
1756 		/* continuation.  Note that the continuation '\n' falls */
1757 		/* through and is treated like other characters and is */
1758 		/* stored in the shell command line. */
1759 		if (c == '\n' && lastc != '\\') {
1760 			proceed = FALSE;
1761 			*ptr = '\0';
1762 			break;
1763 		}
1764 
1765 		/* For all other characters just stuff them into the */
1766 		/* command as long as there aren't too many of them. */
1767 		/* Make sure there is room for a terminating '\0' also. */
1768 		if (ptr >= shcmd + MAXCMDL - 1)
1769 			state = FAILURE;
1770 		else
1771 			*ptr++ = (char)c;
1772 
1773 		/* If the character we just stored was a quoted	*/
1774 		/* backslash, then change "c" to '\0', so that this	*/
1775 		/* backslash will not cause a subsequent '\n' to appear */
1776 		/* quoted.  In otherwords '\' '\' '\n' is the real end */
1777 		/* of a command, while '\' '\n' is a continuation. */
1778 		if (c == '\\' && lastc == '\\')
1779 			c = '\0';
1780 		}
1781 
1782 		/*
1783 		 * Make sure all the fields are properly specified
1784 		 * for a good command line.
1785 		 */
1786 		if (state == COMMAND) {
1787 			answer = TRUE;
1788 			cmd->c_command = shcmd;
1789 
1790 			/*
1791 			 * If no default level was supplied, insert
1792 			 * all numerical levels.
1793 			 */
1794 			if (cmd->c_levels == 0)
1795 				cmd->c_levels = MASK_NUMERIC;
1796 
1797 			/*
1798 			 * If no action has been supplied, declare this
1799 			 * entry to be OFF.
1800 			 */
1801 			if (cmd->c_action == 0)
1802 				cmd->c_action = M_OFF;
1803 
1804 			/*
1805 			 * If no shell command has been supplied, make sure
1806 			 * there is a null string in the command field.
1807 			 */
1808 			if (ptr == shcmd + EXEC)
1809 				*shcmd = '\0';
1810 		} else
1811 			answer = FALSE;
1812 
1813 		/*
1814 		 * If we have reached the end of inittab, then close it
1815 		 * and quit trying to find a good command line.
1816 		 */
1817 		if (c == EOF) {
1818 			(void) fclose(fp_inittab);
1819 			fp_inittab = NULL;
1820 			break;
1821 		}
1822 	}
1823 	return (answer);
1824 }
1825 
1826 /*
1827  * lvlname_to_state(): convert the character name of a state to its level
1828  * (its corresponding signal number).
1829  */
1830 static int
lvlname_to_state(char name)1831 lvlname_to_state(char name)
1832 {
1833 	int i;
1834 	for (i = 0; i < LVL_NELEMS; i++) {
1835 		if (lvls[i].lvl_name == name)
1836 			return (lvls[i].lvl_state);
1837 	}
1838 	return (-1);
1839 }
1840 
1841 /*
1842  * state_to_name(): convert the level to the character name.
1843  */
1844 static char
state_to_name(int state)1845 state_to_name(int state)
1846 {
1847 	int i;
1848 	for (i = 0; i < LVL_NELEMS; i++) {
1849 		if (lvls[i].lvl_state == state)
1850 			return (lvls[i].lvl_name);
1851 	}
1852 	return (-1);
1853 }
1854 
1855 /*
1856  * state_to_mask(): return the mask corresponding to a signal number
1857  */
1858 static int
state_to_mask(int state)1859 state_to_mask(int state)
1860 {
1861 	int i;
1862 	for (i = 0; i < LVL_NELEMS; i++) {
1863 		if (lvls[i].lvl_state == state)
1864 			return (lvls[i].lvl_mask);
1865 	}
1866 	return (0);	/* return 0, since that represents an empty mask */
1867 }
1868 
1869 /*
1870  * lvlname_to_mask(): return the mask corresponding to a levels character name
1871  */
1872 static int
lvlname_to_mask(char name,int * mask)1873 lvlname_to_mask(char name, int *mask)
1874 {
1875 	int i;
1876 	for (i = 0; i < LVL_NELEMS; i++) {
1877 		if (lvls[i].lvl_name == name) {
1878 			*mask = lvls[i].lvl_mask;
1879 			return (0);
1880 		}
1881 	}
1882 	return (-1);
1883 }
1884 
1885 /*
1886  * state_to_flags(): return the flags corresponding to a runlevel.  These
1887  * indicate properties of that runlevel.
1888  */
1889 static int
state_to_flags(int state)1890 state_to_flags(int state)
1891 {
1892 	int i;
1893 	for (i = 0; i < LVL_NELEMS; i++) {
1894 		if (lvls[i].lvl_state == state)
1895 			return (lvls[i].lvl_flags);
1896 	}
1897 	return (0);
1898 }
1899 
1900 /*
1901  * killproc() creates a child which kills the process specified by pid.
1902  */
1903 void
killproc(pid_t pid)1904 killproc(pid_t pid)
1905 {
1906 	struct PROC_TABLE	*process;
1907 
1908 	(void) sighold(SIGCLD);
1909 	while ((process = efork(M_OFF, NULLPROC, 0)) == NO_ROOM)
1910 		(void) pause();
1911 	(void) sigrelse(SIGCLD);
1912 
1913 	if (process == NULLPROC) {
1914 		/*
1915 		 * efork() sets all signal handlers to the default, so reset
1916 		 * the ALRM handler to make timer() work as expected.
1917 		 */
1918 		(void) sigset(SIGALRM, alarmclk);
1919 
1920 		/*
1921 		 * We are the child.  Try to terminate the process nicely
1922 		 * first using SIGTERM and if it refuses to die in TWARN
1923 		 * seconds kill it with SIGKILL.
1924 		 */
1925 		(void) kill(pid, SIGTERM);
1926 		(void) timer(TWARN);
1927 		(void) kill(pid, SIGKILL);
1928 		(void) exit(0);
1929 	}
1930 }
1931 
1932 /*
1933  * Set up the default environment for all procs to be forked from init.
1934  * Read the values from the /etc/default/init file, except for PATH.  If
1935  * there is not enough room in the environment array, the environment
1936  * lines that don't fit are discarded and a message is written to the console.
1937  */
1938 void
init_env()1939 init_env()
1940 {
1941 	void		*dstate;
1942 	const char	*tokp;
1943 
1944 	glob_envp[0] = malloc((unsigned)(strlen(DEF_PATH)+2));
1945 	(void) strcpy(glob_envp[0], DEF_PATH);
1946 	glob_envn = 1;
1947 
1948 	if (rflg) {
1949 		glob_envp[1] =
1950 		    malloc((unsigned)(strlen("_DVFS_RECONFIG=YES")+2));
1951 		(void) strcpy(glob_envp[1], "_DVFS_RECONFIG=YES");
1952 		++glob_envn;
1953 	} else if (bflg == 1) {
1954 		glob_envp[1] =
1955 		    malloc((unsigned)(strlen("RB_NOBOOTRC=YES")+2));
1956 		(void) strcpy(glob_envp[1], "RB_NOBOOTRC=YES");
1957 		++glob_envn;
1958 	}
1959 
1960 	if (definit_open(ENVFILE, &dstate) != 0) {
1961 		console(B_TRUE,
1962 		    "Cannot open %s. Environment not initialized.\n",
1963 		    ENVFILE);
1964 		return;
1965 	}
1966 
1967 	while ((tokp = definit_token(dstate)) != NULL &&
1968 	    glob_envn < MAXENVENT - 2) {
1969 
1970 		if (strncmp(tokp, "CMASK=", sizeof ("CMASK=") - 1) == 0) {
1971 			long t;
1972 
1973 			/* We know there's an = */
1974 			t = strtol(strchr(tokp, '=') + 1, NULL, 8);
1975 
1976 			/* Sanity */
1977 			if (t >= DEFINIT_MIN_UMASK && t <= DEFINIT_MAX_UMASK)
1978 				cmask = (int)t;
1979 			(void) umask(cmask);
1980 			continue;
1981 		}
1982 		glob_envp[glob_envn] = strdup(tokp);
1983 		if (glob_envp[glob_envn] == NULL) {
1984 			console(B_TRUE, "Out of memory building environment, "
1985 			    "truncated.\n");
1986 			break;
1987 		}
1988 		if (++glob_envn >= MAXENVENT - 1) {
1989 			console(B_TRUE, "Too many variables in %s; "
1990 			    "environment not fully initialized.\n", ENVFILE);
1991 			break;
1992 		}
1993 	}
1994 
1995 	/*
1996 	 * Append a null pointer to the environment array to mark its end.
1997 	 */
1998 	glob_envp[glob_envn] = NULL;
1999 
2000 	definit_close(dstate);
2001 }
2002 
2003 /*
2004  * boot_init(): Do initialization things that should be done at boot.
2005  */
2006 void
boot_init()2007 boot_init()
2008 {
2009 	int i;
2010 	struct PROC_TABLE *process, *oprocess;
2011 	struct CMD_LINE	cmd;
2012 	char	line[MAXCMDL];
2013 	char	svc_aux[SVC_AUX_SIZE];
2014 	char	init_svc_fmri[SVC_FMRI_SIZE];
2015 	char *old_path;
2016 	int maxfiles;
2017 
2018 	/* Use INIT_PATH for sysinit cmds */
2019 	old_path = glob_envp[0];
2020 	glob_envp[0] = malloc((unsigned)(strlen(INIT_PATH)+2));
2021 	(void) strcpy(glob_envp[0], INIT_PATH);
2022 
2023 	/*
2024 	 * Scan inittab(5) and process the special svc.startd entry, initdefault
2025 	 * and sysinit entries.
2026 	 */
2027 	while (getcmd(&cmd, &line[0]) == TRUE) {
2028 		if (startd_tmpl >= 0 && id_eq(cmd.c_id, "smf")) {
2029 			process_startd_line(&cmd, line);
2030 			(void) snprintf(startd_svc_aux, SVC_AUX_SIZE,
2031 			    INITTAB_ENTRY_ID_STR_FORMAT, cmd.c_id);
2032 		} else if (cmd.c_action == M_INITDEFAULT) {
2033 			/*
2034 			 * initdefault is no longer meaningful, as the SMF
2035 			 * milestone controls what (legacy) run level we
2036 			 * boot to.
2037 			 */
2038 			console(B_TRUE,
2039 			    "Ignoring legacy \"initdefault\" entry.\n");
2040 		} else if (cmd.c_action == M_SYSINIT) {
2041 			/*
2042 			 * Execute the "sysinit" entry and wait for it to
2043 			 * complete.  No bookkeeping is performed on these
2044 			 * entries because we avoid writing to the file system
2045 			 * until after there has been an chance to check it.
2046 			 */
2047 			if (process = findpslot(&cmd)) {
2048 				(void) sighold(SIGCLD);
2049 				(void) snprintf(svc_aux, SVC_AUX_SIZE,
2050 				    INITTAB_ENTRY_ID_STR_FORMAT, cmd.c_id);
2051 				(void) snprintf(init_svc_fmri, SVC_FMRI_SIZE,
2052 				    SVC_INIT_PREFIX INITTAB_ENTRY_ID_STR_FORMAT,
2053 				    cmd.c_id);
2054 				if (legacy_tmpl >= 0) {
2055 					(void) ct_pr_tmpl_set_svc_fmri(
2056 					    legacy_tmpl, init_svc_fmri);
2057 					(void) ct_pr_tmpl_set_svc_aux(
2058 					    legacy_tmpl, svc_aux);
2059 				}
2060 
2061 				for (oprocess = process;
2062 				    (process = efork(M_OFF, oprocess,
2063 				    (NAMED|NOCLEANUP))) == NO_ROOM;
2064 				    /* CSTYLED */)
2065 					;
2066 				(void) sigrelse(SIGCLD);
2067 
2068 				if (process == NULLPROC) {
2069 					maxfiles = ulimit(UL_GDESLIM, 0);
2070 
2071 					for (i = 0; i < maxfiles; i++)
2072 						(void) fcntl(i, F_SETFD,
2073 						    FD_CLOEXEC);
2074 					(void) execle(SH, "INITSH", "-c",
2075 					    cmd.c_command,
2076 					    (char *)0, glob_envp);
2077 					console(B_TRUE,
2078 "Command\n\"%s\"\n failed to execute.  errno = %d (exec of shell failed)\n",
2079 					    cmd.c_command, errno);
2080 					exit(1);
2081 				} else
2082 					while (waitproc(process) == FAILURE)
2083 						;
2084 				process->p_flags = 0;
2085 				st_write();
2086 			}
2087 		}
2088 	}
2089 
2090 	/* Restore the path. */
2091 	free(glob_envp[0]);
2092 	glob_envp[0] = old_path;
2093 
2094 	/*
2095 	 * This will enable st_write() to complain about init_state_file.
2096 	 */
2097 	booting = 0;
2098 
2099 	/*
2100 	 * If the /etc/ioctl.syscon didn't exist or had invalid contents write
2101 	 * out a correct version.
2102 	 */
2103 	if (write_ioctl)
2104 		write_ioctl_syscon();
2105 
2106 	/*
2107 	 * Start svc.startd(8), which does most of the work.
2108 	 */
2109 	if (startd_cline[0] != '\0' && startd_tmpl >= 0) {
2110 		/* Start svc.startd. */
2111 		if (startd_run(startd_cline, startd_tmpl, 0) == -1)
2112 			cur_state = SINGLE_USER;
2113 	} else {
2114 		console(B_TRUE, "Absent svc.startd entry or bad "
2115 		    "contract template.  Not starting svc.startd.\n");
2116 		enter_maintenance();
2117 	}
2118 }
2119 
2120 /*
2121  * init_signals(): Initialize all signals to either be caught or ignored.
2122  */
2123 void
init_signals(void)2124 init_signals(void)
2125 {
2126 	struct sigaction act;
2127 	int i;
2128 
2129 	/*
2130 	 * Start by ignoring all signals, then selectively re-enable some.
2131 	 * The SIG_IGN disposition will only affect asynchronous signals:
2132 	 * any signal that we trigger synchronously that doesn't end up
2133 	 * being handled by siglvl() will be forcibly delivered by the kernel.
2134 	 */
2135 	for (i = SIGHUP; i <= SIGRTMAX; i++)
2136 		(void) sigset(i, SIG_IGN);
2137 
2138 	/*
2139 	 * Handle all level-changing signals using siglvl() and set sa_mask so
2140 	 * that all level-changing signals are blocked while in siglvl().
2141 	 */
2142 	act.sa_sigaction = siglvl;
2143 	act.sa_flags = SA_SIGINFO;
2144 	(void) sigemptyset(&act.sa_mask);
2145 
2146 	(void) sigaddset(&act.sa_mask, LVLQ);
2147 	(void) sigaddset(&act.sa_mask, LVL0);
2148 	(void) sigaddset(&act.sa_mask, LVL1);
2149 	(void) sigaddset(&act.sa_mask, LVL2);
2150 	(void) sigaddset(&act.sa_mask, LVL3);
2151 	(void) sigaddset(&act.sa_mask, LVL4);
2152 	(void) sigaddset(&act.sa_mask, LVL5);
2153 	(void) sigaddset(&act.sa_mask, LVL6);
2154 	(void) sigaddset(&act.sa_mask, SINGLE_USER);
2155 	(void) sigaddset(&act.sa_mask, LVLa);
2156 	(void) sigaddset(&act.sa_mask, LVLb);
2157 	(void) sigaddset(&act.sa_mask, LVLc);
2158 
2159 	(void) sigaction(LVLQ, &act, NULL);
2160 	(void) sigaction(LVL0, &act, NULL);
2161 	(void) sigaction(LVL1, &act, NULL);
2162 	(void) sigaction(LVL2, &act, NULL);
2163 	(void) sigaction(LVL3, &act, NULL);
2164 	(void) sigaction(LVL4, &act, NULL);
2165 	(void) sigaction(LVL5, &act, NULL);
2166 	(void) sigaction(LVL6, &act, NULL);
2167 	(void) sigaction(SINGLE_USER, &act, NULL);
2168 	(void) sigaction(LVLa, &act, NULL);
2169 	(void) sigaction(LVLb, &act, NULL);
2170 	(void) sigaction(LVLc, &act, NULL);
2171 
2172 	(void) sigset(SIGALRM, alarmclk);
2173 	alarmclk();
2174 
2175 	(void) sigset(SIGCLD, childeath);
2176 	(void) sigset(SIGPWR, powerfail);
2177 }
2178 
2179 /*
2180  * Set up pipe for "godchildren". If the file exists and is a pipe just open
2181  * it. Else, if the file system is r/w create it.  Otherwise, defer its
2182  * creation and open until after /var/run has been mounted.  This function is
2183  * only called on startup and when explicitly requested via LVLQ.
2184  */
2185 void
setup_pipe()2186 setup_pipe()
2187 {
2188 	struct stat stat_buf;
2189 	struct statvfs statvfs_buf;
2190 	struct sigaction act;
2191 
2192 	/*
2193 	 * Always close the previous pipe descriptor as the mounted filesystems
2194 	 * may have changed.
2195 	 */
2196 	if (Pfd >= 0)
2197 		(void) close(Pfd);
2198 
2199 	if ((stat(INITPIPE, &stat_buf) == 0) &&
2200 	    ((stat_buf.st_mode & (S_IFMT|S_IRUSR)) == (S_IFIFO|S_IRUSR)))
2201 		Pfd = open(INITPIPE, O_RDWR | O_NDELAY);
2202 	else
2203 		if ((statvfs(INITPIPE_DIR, &statvfs_buf) == 0) &&
2204 		    ((statvfs_buf.f_flag & ST_RDONLY) == 0)) {
2205 			(void) unlink(INITPIPE);
2206 			(void) mknod(INITPIPE, S_IFIFO | 0600, 0);
2207 			Pfd = open(INITPIPE, O_RDWR | O_NDELAY);
2208 		}
2209 
2210 	if (Pfd >= 0) {
2211 		(void) ioctl(Pfd, I_SETSIG, S_INPUT);
2212 		/*
2213 		 * Read pipe in message discard mode.
2214 		 */
2215 		(void) ioctl(Pfd, I_SRDOPT, RMSGD);
2216 
2217 		act.sa_handler = sigpoll;
2218 		act.sa_flags = 0;
2219 		(void) sigemptyset(&act.sa_mask);
2220 		(void) sigaddset(&act.sa_mask, SIGCLD);
2221 		(void) sigaction(SIGPOLL, &act, NULL);
2222 	}
2223 }
2224 
2225 /*
2226  * siglvl - handle an asynchronous signal from init(8) telling us that we
2227  * should change the current run level.  We set new_state accordingly.
2228  */
2229 void
siglvl(int sig,siginfo_t * sip,void * arg)2230 siglvl(int sig, siginfo_t *sip, void *arg)
2231 {
2232 	ucontext_t *ucp = arg;
2233 	struct PROC_TABLE *process;
2234 	struct sigaction act;
2235 
2236 	/*
2237 	 * If the signal was from the kernel (rather than init(8)) then init
2238 	 * itself tripped the signal.  That is, we might have a bug and tripped
2239 	 * a real SIGSEGV instead of receiving it as an alias for SIGLVLa.  In
2240 	 * such a case we reset the disposition to SIG_DFL, block all signals
2241 	 * in uc_mask but the current one, and return to the interrupted ucp
2242 	 * to effect an appropriate death.  The kernel will then restart us.
2243 	 *
2244 	 * The one exception to SI_FROMKERNEL() is SIGFPE (a.k.a. LVL6), which
2245 	 * the kernel can send us when it wants to effect an orderly reboot.
2246 	 * For this case we must also verify si_code is zero, rather than a
2247 	 * code such as FPE_INTDIV which a bug might have triggered.
2248 	 */
2249 	if (sip != NULL && SI_FROMKERNEL(sip) &&
2250 	    (sig != SIGFPE || sip->si_code == 0)) {
2251 
2252 		(void) sigemptyset(&act.sa_mask);
2253 		act.sa_handler = SIG_DFL;
2254 		act.sa_flags = 0;
2255 		(void) sigaction(sig, &act, NULL);
2256 
2257 		(void) sigfillset(&ucp->uc_sigmask);
2258 		(void) sigdelset(&ucp->uc_sigmask, sig);
2259 		ucp->uc_flags |= UC_SIGMASK;
2260 
2261 		(void) setcontext(ucp);
2262 	}
2263 
2264 	/*
2265 	 * If the signal received is a LVLQ signal, do not really
2266 	 * change levels, just restate the current level.  If the
2267 	 * signal is not a LVLQ, set the new level to the signal
2268 	 * received.
2269 	 */
2270 	if (sig == LVLQ) {
2271 		new_state = cur_state;
2272 		lvlq_received = B_TRUE;
2273 	} else {
2274 		new_state = sig;
2275 	}
2276 
2277 	/*
2278 	 * Clear all times and repeat counts in the process table
2279 	 * since either the level is changing or the user has editted
2280 	 * the inittab file and wants us to look at it again.
2281 	 * If the user has fixed a typo, we don't want residual timing
2282 	 * data preventing the fixed command line from executing.
2283 	 */
2284 	for (process = proc_table;
2285 	    (process < proc_table + num_proc); process++) {
2286 		process->p_time = 0L;
2287 		process->p_count = 0;
2288 	}
2289 
2290 	/*
2291 	 * Set the flag to indicate that a "user signal" was received.
2292 	 */
2293 	wakeup.w_flags.w_usersignal = 1;
2294 }
2295 
2296 
2297 /*
2298  * alarmclk
2299  */
2300 static void
alarmclk()2301 alarmclk()
2302 {
2303 	time_up = TRUE;
2304 }
2305 
2306 /*
2307  * childeath_single():
2308  *
2309  * This used to be the SIGCLD handler and it was set with signal()
2310  * (as opposed to sigset()).  When a child exited we'd come to the
2311  * handler, wait for the child, and reenable the handler with
2312  * signal() just before returning.  The implementation of signal()
2313  * checks with waitid() for waitable children and sends a SIGCLD
2314  * if there are some.  If children are exiting faster than the
2315  * handler can run we keep sending signals and the handler never
2316  * gets to return and eventually the stack runs out and init dies.
2317  * To prevent that we set the handler with sigset() so the handler
2318  * doesn't need to be reset, and in childeath() (see below) we
2319  * call childeath_single() as long as there are children to be
2320  * waited for.  If a child exits while init is in the handler a
2321  * SIGCLD will be pending and delivered on return from the handler.
2322  * If the child was already waited for the handler will have nothing
2323  * to do and return, otherwise the child will be waited for.
2324  */
2325 static void
childeath_single(pid_t pid,int status)2326 childeath_single(pid_t pid, int status)
2327 {
2328 	struct PROC_TABLE	*process;
2329 	struct pidlist		*pp;
2330 
2331 	/*
2332 	 * Scan the process table to see if we are interested in this process.
2333 	 */
2334 	for (process = proc_table;
2335 	    (process < proc_table + num_proc); process++) {
2336 		if ((process->p_flags & (LIVING|OCCUPIED)) ==
2337 		    (LIVING|OCCUPIED) && process->p_pid == pid) {
2338 
2339 			/*
2340 			 * Mark this process as having died and store the exit
2341 			 * status.  Also set the wakeup flag for a dead child
2342 			 * and break out of the loop.
2343 			 */
2344 			process->p_flags &= ~LIVING;
2345 			process->p_exit = (short)status;
2346 			wakeup.w_flags.w_childdeath = 1;
2347 
2348 			return;
2349 		}
2350 	}
2351 
2352 	/*
2353 	 * No process was found above, look through auxiliary list.
2354 	 */
2355 	(void) sighold(SIGPOLL);
2356 	pp = Plhead;
2357 	while (pp) {
2358 		if (pid > pp->pl_pid) {
2359 			/*
2360 			 * Keep on looking.
2361 			 */
2362 			pp = pp->pl_next;
2363 			continue;
2364 		} else if (pid < pp->pl_pid) {
2365 			/*
2366 			 * Not in the list.
2367 			 */
2368 			break;
2369 		} else {
2370 			/*
2371 			 * This is a dead "godchild".
2372 			 */
2373 			pp->pl_dflag = 1;
2374 			pp->pl_exit = (short)status;
2375 			wakeup.w_flags.w_childdeath = 1;
2376 			Gchild = 1;	/* Notice to call cleanaux(). */
2377 			break;
2378 		}
2379 	}
2380 
2381 	(void) sigrelse(SIGPOLL);
2382 }
2383 
2384 /* ARGSUSED */
2385 static void
childeath(int signo)2386 childeath(int signo)
2387 {
2388 	pid_t pid;
2389 	int status;
2390 
2391 	while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
2392 		childeath_single(pid, status);
2393 }
2394 
2395 static void
powerfail()2396 powerfail()
2397 {
2398 	(void) nice(-19);
2399 	wakeup.w_flags.w_powerhit = 1;
2400 }
2401 
2402 /*
2403  * efork() forks a child and the parent inserts the process in its table
2404  * of processes that are directly a result of forks that it has performed.
2405  * The child just changes the "global" with the process id for this process
2406  * to it's new value.
2407  * If efork() is called with a pointer into the proc_table it uses that slot,
2408  * otherwise it searches for a free slot.  Regardless of how it was called,
2409  * it returns the pointer to the proc_table entry
2410  *
2411  * The SIGCLD signal is blocked (held) before calling efork()
2412  * and is unblocked (released) after efork() returns.
2413  *
2414  * Ideally, this should be rewritten to use modern signal semantics.
2415  */
2416 static struct PROC_TABLE *
efork(int action,struct PROC_TABLE * process,int modes)2417 efork(int action, struct PROC_TABLE *process, int modes)
2418 {
2419 	pid_t	childpid;
2420 	struct PROC_TABLE *proc;
2421 	int		i;
2422 	/*
2423 	 * Freshen up the proc_table, removing any entries for dead processes
2424 	 * that don't have NOCLEANUP set.  Perform the necessary accounting.
2425 	 */
2426 	for (proc = proc_table; (proc < proc_table + num_proc); proc++) {
2427 		if ((proc->p_flags & (OCCUPIED|LIVING|NOCLEANUP)) ==
2428 		    (OCCUPIED)) {
2429 			/*
2430 			 * Is this a named process?
2431 			 * If so, do the necessary bookkeeping.
2432 			 */
2433 			if (proc->p_flags & NAMED)
2434 				(void) account(DEAD_PROCESS, proc, NULL);
2435 
2436 			/*
2437 			 * Free this entry for new usage.
2438 			 */
2439 			proc->p_flags = 0;
2440 		}
2441 	}
2442 
2443 	while ((childpid = fork()) == FAILURE) {
2444 		/*
2445 		 * Shorten the alarm timer in case someone else's child dies
2446 		 * and free up a slot in the process table.
2447 		 */
2448 		setimer(5);
2449 
2450 		/*
2451 		 * Wait for some children to die.  Since efork()
2452 		 * is always called with SIGCLD blocked, unblock
2453 		 * it here so that child death signals can come in.
2454 		 */
2455 		(void) sigrelse(SIGCLD);
2456 		(void) pause();
2457 		(void) sighold(SIGCLD);
2458 		setimer(0);
2459 	}
2460 
2461 	if (childpid != 0) {
2462 
2463 		if (process == NULLPROC) {
2464 			/*
2465 			 * No proc table pointer specified so search
2466 			 * for a free slot.
2467 			 */
2468 			for (process = proc_table;  process->p_flags != 0 &&
2469 			    (process < proc_table + num_proc); process++)
2470 					;
2471 
2472 			if (process == (proc_table + num_proc)) {
2473 				int old_proc_table_size = num_proc;
2474 
2475 				/* Increase the process table size */
2476 				increase_proc_table_size();
2477 				if (old_proc_table_size == num_proc) {
2478 					/* didn't grow: memory failure */
2479 					return (NO_ROOM);
2480 				} else {
2481 					process =
2482 					    proc_table + old_proc_table_size;
2483 				}
2484 			}
2485 
2486 			process->p_time = 0L;
2487 			process->p_count = 0;
2488 		}
2489 		process->p_id[0] = '\0';
2490 		process->p_id[1] = '\0';
2491 		process->p_id[2] = '\0';
2492 		process->p_id[3] = '\0';
2493 		process->p_pid = childpid;
2494 		process->p_flags = (LIVING | OCCUPIED | modes);
2495 		process->p_exit = 0;
2496 
2497 		st_write();
2498 	} else {
2499 		if ((action & (M_WAIT | M_BOOTWAIT)) == 0)
2500 			(void) setpgrp();
2501 
2502 		process = NULLPROC;
2503 
2504 		/*
2505 		 * Reset all signals to the system defaults.
2506 		 */
2507 		for (i = SIGHUP; i <= SIGRTMAX; i++)
2508 			(void) sigset(i, SIG_DFL);
2509 
2510 		/*
2511 		 * POSIX B.2.2.2 advises that init should set SIGTTOU,
2512 		 * SIGTTIN, and SIGTSTP to SIG_IGN.
2513 		 *
2514 		 * Make sure that SIGXCPU and SIGXFSZ also remain ignored,
2515 		 * for backward compatibility.
2516 		 */
2517 		(void) sigset(SIGTTIN, SIG_IGN);
2518 		(void) sigset(SIGTTOU, SIG_IGN);
2519 		(void) sigset(SIGTSTP, SIG_IGN);
2520 		(void) sigset(SIGXCPU, SIG_IGN);
2521 		(void) sigset(SIGXFSZ, SIG_IGN);
2522 	}
2523 	return (process);
2524 }
2525 
2526 
2527 /*
2528  * waitproc() waits for a specified process to die.  For this function to
2529  * work, the specified process must already in the proc_table.  waitproc()
2530  * returns the exit status of the specified process when it dies.
2531  */
2532 static long
waitproc(struct PROC_TABLE * process)2533 waitproc(struct PROC_TABLE *process)
2534 {
2535 	int		answer;
2536 	sigset_t	oldmask, newmask, zeromask;
2537 
2538 	(void) sigemptyset(&zeromask);
2539 	(void) sigemptyset(&newmask);
2540 
2541 	(void) sigaddset(&newmask, SIGCLD);
2542 
2543 	/* Block SIGCLD and save the current signal mask */
2544 	if (sigprocmask(SIG_BLOCK, &newmask, &oldmask) < 0)
2545 		perror("SIG_BLOCK error");
2546 
2547 	/*
2548 	 * Wait around until the process dies.
2549 	 */
2550 	if (process->p_flags & LIVING)
2551 		(void) sigsuspend(&zeromask);
2552 
2553 	/* Reset signal mask to unblock SIGCLD */
2554 	if (sigprocmask(SIG_SETMASK, &oldmask, NULL) < 0)
2555 		perror("SIG_SETMASK error");
2556 
2557 	if (process->p_flags & LIVING)
2558 		return (FAILURE);
2559 
2560 	/*
2561 	 * Make sure to only return 16 bits so that answer will always
2562 	 * be positive whenever the process of interest really died.
2563 	 */
2564 	answer = (process->p_exit & 0xffff);
2565 
2566 	/*
2567 	 * Free the slot in the proc_table.
2568 	 */
2569 	process->p_flags = 0;
2570 	return (answer);
2571 }
2572 
2573 /*
2574  * notify_pam_dead(): calls into the PAM framework to close the given session.
2575  */
2576 static void
notify_pam_dead(struct utmpx * up)2577 notify_pam_dead(struct utmpx *up)
2578 {
2579 	pam_handle_t *pamh;
2580 	char user[sizeof (up->ut_user) + 1];
2581 	char ttyn[sizeof (up->ut_line) + 1];
2582 	char host[sizeof (up->ut_host) + 1];
2583 
2584 	/*
2585 	 * PAM does not take care of updating utmpx/wtmpx.
2586 	 */
2587 	(void) snprintf(user, sizeof (user), "%s", up->ut_user);
2588 	(void) snprintf(ttyn, sizeof (ttyn), "%s", up->ut_line);
2589 	(void) snprintf(host, sizeof (host), "%s", up->ut_host);
2590 
2591 	if (pam_start("init", user, NULL, &pamh) == PAM_SUCCESS)  {
2592 		(void) pam_set_item(pamh, PAM_TTY, ttyn);
2593 		(void) pam_set_item(pamh, PAM_RHOST, host);
2594 		(void) pam_close_session(pamh, 0);
2595 		(void) pam_end(pamh, PAM_SUCCESS);
2596 	}
2597 }
2598 
2599 /*
2600  * Check you can access utmpx (As / may be read-only and
2601  * /var may not be mounted yet).
2602  */
2603 static int
access_utmpx(void)2604 access_utmpx(void)
2605 {
2606 	do {
2607 		utmpx_ok = (access(UTMPX, R_OK|W_OK) == 0);
2608 	} while (!utmpx_ok && errno == EINTR);
2609 
2610 	return (utmpx_ok);
2611 }
2612 
2613 /*
2614  * account() updates entries in utmpx and appends new entries to the end of
2615  * wtmpx (assuming they exist).  The program argument indicates the name of
2616  * program if INIT_PROCESS, otherwise should be NULL.
2617  *
2618  * account() only blocks for INIT_PROCESS requests.
2619  *
2620  * Returns non-zero if write failed.
2621  */
2622 static int
account(short state,struct PROC_TABLE * process,char * program)2623 account(short state, struct PROC_TABLE *process, char *program)
2624 {
2625 	struct utmpx utmpbuf, *u, *oldu;
2626 	int tmplen;
2627 	char fail_buf[UT_LINE_SZ];
2628 	sigset_t block, unblock;
2629 
2630 	if (!utmpx_ok && !access_utmpx()) {
2631 		return (-1);
2632 	}
2633 
2634 	/*
2635 	 * Set up the prototype for the utmp structure we want to write.
2636 	 */
2637 	u = &utmpbuf;
2638 	(void) memset(u, 0, sizeof (struct utmpx));
2639 
2640 	/*
2641 	 * Fill in the various fields of the utmp structure.
2642 	 */
2643 	u->ut_id[0] = process->p_id[0];
2644 	u->ut_id[1] = process->p_id[1];
2645 	u->ut_id[2] = process->p_id[2];
2646 	u->ut_id[3] = process->p_id[3];
2647 	u->ut_pid = process->p_pid;
2648 
2649 	/*
2650 	 * Fill the "ut_exit" structure.
2651 	 */
2652 	u->ut_exit.e_termination = WTERMSIG(process->p_exit);
2653 	u->ut_exit.e_exit = WEXITSTATUS(process->p_exit);
2654 	u->ut_type = state;
2655 
2656 	(void) time(&u->ut_tv.tv_sec);
2657 
2658 	/*
2659 	 * Block signals for utmp update.
2660 	 */
2661 	(void) sigfillset(&block);
2662 	(void) sigprocmask(SIG_BLOCK, &block, &unblock);
2663 
2664 	/*
2665 	 * See if there already is such an entry in the "utmpx" file.
2666 	 */
2667 	setutxent();	/* Start at beginning of utmpx file. */
2668 
2669 	if ((oldu = getutxid(u)) != NULL) {
2670 		/*
2671 		 * Copy in the old "user", "line" and "host" fields
2672 		 * to our new structure.
2673 		 */
2674 		bcopy(oldu->ut_user, u->ut_user, sizeof (u->ut_user));
2675 		bcopy(oldu->ut_line, u->ut_line, sizeof (u->ut_line));
2676 		bcopy(oldu->ut_host, u->ut_host, sizeof (u->ut_host));
2677 		u->ut_syslen = (tmplen = strlen(u->ut_host)) ?
2678 		    min(tmplen + 1, sizeof (u->ut_host)) : 0;
2679 
2680 		if (oldu->ut_type == USER_PROCESS && state == DEAD_PROCESS) {
2681 			notify_pam_dead(oldu);
2682 		}
2683 	}
2684 
2685 	/*
2686 	 * Perform special accounting. Insert the special string into the
2687 	 * ut_line array. For INIT_PROCESSes put in the name of the
2688 	 * program in the "ut_user" field.
2689 	 */
2690 	switch (state) {
2691 	case INIT_PROCESS:
2692 		(void) strncpy(u->ut_user, program, sizeof (u->ut_user));
2693 		(void) strcpy(fail_buf, "INIT_PROCESS");
2694 		break;
2695 
2696 	default:
2697 		(void) strlcpy(fail_buf, u->ut_id, sizeof (u->ut_id) + 1);
2698 		break;
2699 	}
2700 
2701 	/*
2702 	 * Write out the updated entry to utmpx file.
2703 	 */
2704 	if (pututxline(u) == NULL) {
2705 		console(B_TRUE, "Failed write of utmpx entry: \"%s\": %s\n",
2706 		    fail_buf, strerror(errno));
2707 		endutxent();
2708 		(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
2709 		return (-1);
2710 	}
2711 
2712 	/*
2713 	 * If we're able to write to utmpx, then attempt to add to the
2714 	 * end of the wtmpx file.
2715 	 */
2716 	updwtmpx(WTMPX, u);
2717 
2718 	endutxent();
2719 
2720 	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
2721 
2722 	return (0);
2723 }
2724 
2725 static void
clearent(pid_t pid,short status)2726 clearent(pid_t pid, short status)
2727 {
2728 	struct utmpx *up;
2729 	sigset_t block, unblock;
2730 
2731 	/*
2732 	 * Block signals for utmp update.
2733 	 */
2734 	(void) sigfillset(&block);
2735 	(void) sigprocmask(SIG_BLOCK, &block, &unblock);
2736 
2737 	/*
2738 	 * No error checking for now.
2739 	 */
2740 
2741 	setutxent();
2742 	while (up = getutxent()) {
2743 		if (up->ut_pid == pid) {
2744 			if (up->ut_type == DEAD_PROCESS) {
2745 				/*
2746 				 * Cleaned up elsewhere.
2747 				 */
2748 				continue;
2749 			}
2750 
2751 			notify_pam_dead(up);
2752 
2753 			up->ut_type = DEAD_PROCESS;
2754 			up->ut_exit.e_termination = WTERMSIG(status);
2755 			up->ut_exit.e_exit = WEXITSTATUS(status);
2756 			(void) time(&up->ut_tv.tv_sec);
2757 
2758 			(void) pututxline(up);
2759 			/*
2760 			 * Now attempt to add to the end of the
2761 			 * wtmp and wtmpx files.  Do not create
2762 			 * if they don't already exist.
2763 			 */
2764 			updwtmpx(WTMPX, up);
2765 
2766 			break;
2767 		}
2768 	}
2769 
2770 	endutxent();
2771 	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
2772 }
2773 
2774 /*
2775  * prog_name() searches for the word or unix path name and
2776  * returns a pointer to the last element of the pathname.
2777  */
2778 static char *
prog_name(char * string)2779 prog_name(char *string)
2780 {
2781 	char	*ptr, *ptr2;
2782 	static char word[UT_USER_SZ + 1];
2783 
2784 	/*
2785 	 * Search for the first word skipping leading spaces and tabs.
2786 	 */
2787 	while (*string == ' ' || *string == '\t')
2788 		string++;
2789 
2790 	/*
2791 	 * If the first non-space non-tab character is not one allowed in
2792 	 * a word, return a pointer to a null string, otherwise parse the
2793 	 * pathname.
2794 	 */
2795 	if (*string != '.' && *string != '/' && *string != '_' &&
2796 	    (*string < 'a' || *string > 'z') &&
2797 	    (*string < 'A' || * string > 'Z') &&
2798 	    (*string < '0' || *string > '9'))
2799 		return ("");
2800 
2801 	/*
2802 	 * Parse the pathname looking forward for '/', ' ', '\t', '\n' or
2803 	 * '\0'.  Each time a '/' is found, move "ptr" to one past the
2804 	 * '/', thus when a ' ', '\t', '\n', or '\0' is found, "ptr" will
2805 	 * point to the last element of the pathname.
2806 	 */
2807 	for (ptr = string; *string != ' ' && *string != '\t' &&
2808 	    *string != '\n' && *string != '\0'; string++) {
2809 		if (*string == '/')
2810 			ptr = string+1;
2811 	}
2812 
2813 	/*
2814 	 * Copy out up to the size of the "ut_user" array into "word",
2815 	 * null terminate it and return a pointer to it.
2816 	 */
2817 	for (ptr2 = &word[0]; ptr2 < &word[UT_USER_SZ] &&
2818 	    ptr < string; /* CSTYLED */)
2819 		*ptr2++ = *ptr++;
2820 
2821 	*ptr2 = '\0';
2822 	return (&word[0]);
2823 }
2824 
2825 
2826 /*
2827  * realcon() returns a nonzero value if there is a character device
2828  * associated with SYSCON that has the same device number as CONSOLE.
2829  */
2830 static int
realcon()2831 realcon()
2832 {
2833 	struct stat sconbuf, conbuf;
2834 
2835 	if (stat(SYSCON, &sconbuf) != -1 &&
2836 	    stat(CONSOLE, &conbuf) != -1 &&
2837 	    S_ISCHR(sconbuf.st_mode) &&
2838 	    S_ISCHR(conbuf.st_mode) &&
2839 	    sconbuf.st_rdev == conbuf.st_rdev) {
2840 		return (1);
2841 	} else {
2842 		return (0);
2843 	}
2844 }
2845 
2846 
2847 /*
2848  * get_ioctl_syscon() retrieves the SYSCON settings from the IOCTLSYSCON file.
2849  * Returns true if the IOCTLSYSCON file needs to be written (with
2850  * write_ioctl_syscon() below)
2851  */
2852 static int
get_ioctl_syscon()2853 get_ioctl_syscon()
2854 {
2855 	FILE	*fp;
2856 	unsigned int	iflags, oflags, cflags, lflags, ldisc, cc[18];
2857 	int		i, valid_format = 0;
2858 
2859 	/*
2860 	 * Read in the previous modes for SYSCON from IOCTLSYSCON.
2861 	 */
2862 	if ((fp = fopen(IOCTLSYSCON, "r")) == NULL) {
2863 		stored_syscon_termios = dflt_termios;
2864 		console(B_TRUE,
2865 		    "warning:%s does not exist, default settings assumed\n",
2866 		    IOCTLSYSCON);
2867 	} else {
2868 
2869 		i = fscanf(fp,
2870 	    "%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x",
2871 		    &iflags, &oflags, &cflags, &lflags,
2872 		    &cc[0], &cc[1], &cc[2], &cc[3], &cc[4], &cc[5], &cc[6],
2873 		    &cc[7], &cc[8], &cc[9], &cc[10], &cc[11], &cc[12], &cc[13],
2874 		    &cc[14], &cc[15], &cc[16], &cc[17]);
2875 
2876 		if (i == 22) {
2877 			stored_syscon_termios.c_iflag = iflags;
2878 			stored_syscon_termios.c_oflag = oflags;
2879 			stored_syscon_termios.c_cflag = cflags;
2880 			stored_syscon_termios.c_lflag = lflags;
2881 			for (i = 0; i < 18; i++)
2882 				stored_syscon_termios.c_cc[i] = (char)cc[i];
2883 			valid_format = 1;
2884 		} else if (i == 13) {
2885 		rewind(fp);
2886 		i = fscanf(fp, "%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x:%x",
2887 		    &iflags, &oflags, &cflags, &lflags, &ldisc, &cc[0], &cc[1],
2888 		    &cc[2], &cc[3], &cc[4], &cc[5], &cc[6], &cc[7]);
2889 
2890 		/*
2891 		 * If the file is formatted properly, use the values to
2892 		 * initialize the console terminal condition.
2893 		 */
2894 		stored_syscon_termios.c_iflag = (ushort_t)iflags;
2895 		stored_syscon_termios.c_oflag = (ushort_t)oflags;
2896 		stored_syscon_termios.c_cflag = (ushort_t)cflags;
2897 		stored_syscon_termios.c_lflag = (ushort_t)lflags;
2898 		for (i = 0; i < 8; i++)
2899 			stored_syscon_termios.c_cc[i] = (char)cc[i];
2900 		valid_format = 1;
2901 		}
2902 		(void) fclose(fp);
2903 
2904 		/* If the file is badly formatted, use the default settings. */
2905 		if (!valid_format)
2906 			stored_syscon_termios = dflt_termios;
2907 	}
2908 
2909 	/* If the file had a bad format, rewrite it later. */
2910 	return (!valid_format);
2911 }
2912 
2913 
2914 static void
write_ioctl_syscon()2915 write_ioctl_syscon()
2916 {
2917 	FILE *fp;
2918 	int i;
2919 
2920 	(void) unlink(SYSCON);
2921 	(void) link(SYSTTY, SYSCON);
2922 	(void) umask(022);
2923 	fp = fopen(IOCTLSYSCON, "w");
2924 
2925 	(void) fprintf(fp, "%x:%x:%x:%x:0", stored_syscon_termios.c_iflag,
2926 	    stored_syscon_termios.c_oflag, stored_syscon_termios.c_cflag,
2927 	    stored_syscon_termios.c_lflag);
2928 	for (i = 0; i < 8; ++i)
2929 		(void) fprintf(fp, ":%x", stored_syscon_termios.c_cc[i]);
2930 	(void) putc('\n', fp);
2931 
2932 	(void) fflush(fp);
2933 	(void) fsync(fileno(fp));
2934 	(void) fclose(fp);
2935 	(void) umask(cmask);
2936 }
2937 
2938 
2939 /*
2940  * void console(boolean_t, char *, ...)
2941  *   Outputs the requested message to the system console.  Note that the number
2942  *   of arguments passed to console() should be determined by the print format.
2943  *
2944  *   The "prefix" parameter indicates whether or not "INIT: " should precede the
2945  *   message.
2946  *
2947  *   To make sure we write to the console in a sane fashion, we use the modes
2948  *   we keep in stored_syscon_termios (which we read out of /etc/ioctl.syscon).
2949  *   Afterwards we restore whatever modes were already there.
2950  */
2951 /* PRINTFLIKE2 */
2952 static void
console(boolean_t prefix,char * format,...)2953 console(boolean_t prefix, char *format, ...)
2954 {
2955 	char	outbuf[BUFSIZ];
2956 	va_list	args;
2957 	int fd, getret;
2958 	struct termios old_syscon_termios;
2959 	FILE *f;
2960 
2961 	/*
2962 	 * We open SYSCON anew each time in case it has changed (see
2963 	 * userinit()).
2964 	 */
2965 	if ((fd = open(SYSCON, O_RDWR | O_NOCTTY)) < 0 ||
2966 	    (f = fdopen(fd, "r+")) == NULL) {
2967 		if (prefix)
2968 			syslog(LOG_WARNING, "INIT: ");
2969 		va_start(args, format);
2970 		vsyslog(LOG_WARNING, format, args);
2971 		va_end(args);
2972 		if (fd >= 0)
2973 			(void) close(fd);
2974 		return;
2975 	}
2976 	setbuf(f, &outbuf[0]);
2977 
2978 	getret = tcgetattr(fd, &old_syscon_termios);
2979 	old_syscon_termios.c_cflag &= ~HUPCL;
2980 	if (realcon())
2981 		/* Don't overwrite cflag of real console. */
2982 		stored_syscon_termios.c_cflag = old_syscon_termios.c_cflag;
2983 
2984 	stored_syscon_termios.c_cflag &= ~HUPCL;
2985 
2986 	(void) tcsetattr(fd, TCSANOW, &stored_syscon_termios);
2987 
2988 	if (prefix)
2989 		(void) fprintf(f, "\nINIT: ");
2990 	va_start(args, format);
2991 	(void) vfprintf(f, format, args);
2992 	va_end(args);
2993 
2994 	if (getret == 0)
2995 		(void) tcsetattr(fd, TCSADRAIN, &old_syscon_termios);
2996 
2997 	(void) fclose(f);
2998 }
2999 
3000 /*
3001  * timer() is a substitute for sleep() which uses alarm() and pause().
3002  */
3003 static void
timer(int waitime)3004 timer(int waitime)
3005 {
3006 	setimer(waitime);
3007 	while (time_up == FALSE)
3008 		(void) pause();
3009 }
3010 
3011 static void
setimer(int timelimit)3012 setimer(int timelimit)
3013 {
3014 	alarmclk();
3015 	(void) alarm(timelimit);
3016 	time_up = (timelimit ? FALSE : TRUE);
3017 }
3018 
3019 /*
3020  * Fails with
3021  *   ENOMEM - out of memory
3022  *   ECONNABORTED - repository connection broken
3023  *   EPERM - permission denied
3024  *   EACCES - backend access denied
3025  *   EROFS - backend readonly
3026  */
3027 static int
get_or_add_startd(scf_instance_t * inst)3028 get_or_add_startd(scf_instance_t *inst)
3029 {
3030 	scf_handle_t *h;
3031 	scf_scope_t *scope = NULL;
3032 	scf_service_t *svc = NULL;
3033 	int ret = 0;
3034 
3035 	h = scf_instance_handle(inst);
3036 
3037 	if (scf_handle_decode_fmri(h, SCF_SERVICE_STARTD, NULL, NULL, inst,
3038 	    NULL, NULL, SCF_DECODE_FMRI_EXACT) == 0)
3039 		return (0);
3040 
3041 	switch (scf_error()) {
3042 	case SCF_ERROR_CONNECTION_BROKEN:
3043 		return (ECONNABORTED);
3044 
3045 	case SCF_ERROR_NOT_FOUND:
3046 		break;
3047 
3048 	case SCF_ERROR_HANDLE_MISMATCH:
3049 	case SCF_ERROR_INVALID_ARGUMENT:
3050 	case SCF_ERROR_CONSTRAINT_VIOLATED:
3051 	default:
3052 		bad_error("scf_handle_decode_fmri", scf_error());
3053 	}
3054 
3055 	/* Make sure we're right, since we're adding piece-by-piece. */
3056 	assert(strcmp(SCF_SERVICE_STARTD,
3057 	    "svc:/system/svc/restarter:default") == 0);
3058 
3059 	if ((scope = scf_scope_create(h)) == NULL ||
3060 	    (svc = scf_service_create(h)) == NULL) {
3061 		ret = ENOMEM;
3062 		goto out;
3063 	}
3064 
3065 get_scope:
3066 	if (scf_handle_get_scope(h, SCF_SCOPE_LOCAL, scope) != 0) {
3067 		switch (scf_error()) {
3068 		case SCF_ERROR_CONNECTION_BROKEN:
3069 			ret = ECONNABORTED;
3070 			goto out;
3071 
3072 		case SCF_ERROR_NOT_FOUND:
3073 			(void) fputs(gettext(
3074 			    "smf(7) repository missing local scope.\n"),
3075 			    stderr);
3076 			exit(1);
3077 			/* NOTREACHED */
3078 
3079 		case SCF_ERROR_HANDLE_MISMATCH:
3080 		case SCF_ERROR_INVALID_ARGUMENT:
3081 		default:
3082 			bad_error("scf_handle_get_scope", scf_error());
3083 		}
3084 	}
3085 
3086 get_svc:
3087 	if (scf_scope_get_service(scope, "system/svc/restarter", svc) != 0) {
3088 		switch (scf_error()) {
3089 		case SCF_ERROR_CONNECTION_BROKEN:
3090 			ret = ECONNABORTED;
3091 			goto out;
3092 
3093 		case SCF_ERROR_DELETED:
3094 			goto get_scope;
3095 
3096 		case SCF_ERROR_NOT_FOUND:
3097 			break;
3098 
3099 		case SCF_ERROR_HANDLE_MISMATCH:
3100 		case SCF_ERROR_INVALID_ARGUMENT:
3101 		case SCF_ERROR_NOT_SET:
3102 		default:
3103 			bad_error("scf_scope_get_service", scf_error());
3104 		}
3105 
3106 add_svc:
3107 		if (scf_scope_add_service(scope, "system/svc/restarter", svc) !=
3108 		    0) {
3109 			switch (scf_error()) {
3110 			case SCF_ERROR_CONNECTION_BROKEN:
3111 				ret = ECONNABORTED;
3112 				goto out;
3113 
3114 			case SCF_ERROR_EXISTS:
3115 				goto get_svc;
3116 
3117 			case SCF_ERROR_PERMISSION_DENIED:
3118 				ret = EPERM;
3119 				goto out;
3120 
3121 			case SCF_ERROR_BACKEND_ACCESS:
3122 				ret = EACCES;
3123 				goto out;
3124 
3125 			case SCF_ERROR_BACKEND_READONLY:
3126 				ret = EROFS;
3127 				goto out;
3128 
3129 			case SCF_ERROR_HANDLE_MISMATCH:
3130 			case SCF_ERROR_INVALID_ARGUMENT:
3131 			case SCF_ERROR_NOT_SET:
3132 			default:
3133 				bad_error("scf_scope_add_service", scf_error());
3134 			}
3135 		}
3136 	}
3137 
3138 get_inst:
3139 	if (scf_service_get_instance(svc, "default", inst) != 0) {
3140 		switch (scf_error()) {
3141 		case SCF_ERROR_CONNECTION_BROKEN:
3142 			ret = ECONNABORTED;
3143 			goto out;
3144 
3145 		case SCF_ERROR_DELETED:
3146 			goto add_svc;
3147 
3148 		case SCF_ERROR_NOT_FOUND:
3149 			break;
3150 
3151 		case SCF_ERROR_HANDLE_MISMATCH:
3152 		case SCF_ERROR_INVALID_ARGUMENT:
3153 		case SCF_ERROR_NOT_SET:
3154 		default:
3155 			bad_error("scf_service_get_instance", scf_error());
3156 		}
3157 
3158 		if (scf_service_add_instance(svc, "default", inst) !=
3159 		    0) {
3160 			switch (scf_error()) {
3161 			case SCF_ERROR_CONNECTION_BROKEN:
3162 				ret = ECONNABORTED;
3163 				goto out;
3164 
3165 			case SCF_ERROR_DELETED:
3166 				goto add_svc;
3167 
3168 			case SCF_ERROR_EXISTS:
3169 				goto get_inst;
3170 
3171 			case SCF_ERROR_PERMISSION_DENIED:
3172 				ret = EPERM;
3173 				goto out;
3174 
3175 			case SCF_ERROR_BACKEND_ACCESS:
3176 				ret = EACCES;
3177 				goto out;
3178 
3179 			case SCF_ERROR_BACKEND_READONLY:
3180 				ret = EROFS;
3181 				goto out;
3182 
3183 			case SCF_ERROR_HANDLE_MISMATCH:
3184 			case SCF_ERROR_INVALID_ARGUMENT:
3185 			case SCF_ERROR_NOT_SET:
3186 			default:
3187 				bad_error("scf_service_add_instance",
3188 				    scf_error());
3189 			}
3190 		}
3191 	}
3192 
3193 	ret = 0;
3194 
3195 out:
3196 	scf_service_destroy(svc);
3197 	scf_scope_destroy(scope);
3198 	return (ret);
3199 }
3200 
3201 /*
3202  * Fails with
3203  *   ECONNABORTED - repository connection broken
3204  *   ECANCELED - the transaction's property group was deleted
3205  */
3206 static int
transaction_add_set(scf_transaction_t * tx,scf_transaction_entry_t * ent,const char * pname,scf_type_t type)3207 transaction_add_set(scf_transaction_t *tx, scf_transaction_entry_t *ent,
3208     const char *pname, scf_type_t type)
3209 {
3210 change_type:
3211 	if (scf_transaction_property_change_type(tx, ent, pname, type) == 0)
3212 		return (0);
3213 
3214 	switch (scf_error()) {
3215 	case SCF_ERROR_CONNECTION_BROKEN:
3216 		return (ECONNABORTED);
3217 
3218 	case SCF_ERROR_DELETED:
3219 		return (ECANCELED);
3220 
3221 	case SCF_ERROR_NOT_FOUND:
3222 		goto new;
3223 
3224 	case SCF_ERROR_HANDLE_MISMATCH:
3225 	case SCF_ERROR_INVALID_ARGUMENT:
3226 	case SCF_ERROR_NOT_BOUND:
3227 	case SCF_ERROR_NOT_SET:
3228 	default:
3229 		bad_error("scf_transaction_property_change_type", scf_error());
3230 	}
3231 
3232 new:
3233 	if (scf_transaction_property_new(tx, ent, pname, type) == 0)
3234 		return (0);
3235 
3236 	switch (scf_error()) {
3237 	case SCF_ERROR_CONNECTION_BROKEN:
3238 		return (ECONNABORTED);
3239 
3240 	case SCF_ERROR_DELETED:
3241 		return (ECANCELED);
3242 
3243 	case SCF_ERROR_EXISTS:
3244 		goto change_type;
3245 
3246 	case SCF_ERROR_HANDLE_MISMATCH:
3247 	case SCF_ERROR_INVALID_ARGUMENT:
3248 	case SCF_ERROR_NOT_BOUND:
3249 	case SCF_ERROR_NOT_SET:
3250 	default:
3251 		bad_error("scf_transaction_property_new", scf_error());
3252 		/* NOTREACHED */
3253 	}
3254 }
3255 
3256 static void
scferr(void)3257 scferr(void)
3258 {
3259 	switch (scf_error()) {
3260 	case SCF_ERROR_NO_MEMORY:
3261 		console(B_TRUE, gettext("Out of memory.\n"));
3262 		break;
3263 
3264 	case SCF_ERROR_CONNECTION_BROKEN:
3265 		console(B_TRUE, gettext(
3266 		    "Connection to smf(7) repository server broken.\n"));
3267 		break;
3268 
3269 	case SCF_ERROR_NO_RESOURCES:
3270 		console(B_TRUE, gettext(
3271 		    "smf(7) repository server is out of memory.\n"));
3272 		break;
3273 
3274 	case SCF_ERROR_PERMISSION_DENIED:
3275 		console(B_TRUE, gettext("Insufficient privileges.\n"));
3276 		break;
3277 
3278 	default:
3279 		console(B_TRUE, gettext("libscf error: %s\n"),
3280 		    scf_strerror(scf_error()));
3281 	}
3282 }
3283 
3284 static void
lscf_set_runlevel(char rl)3285 lscf_set_runlevel(char rl)
3286 {
3287 	scf_handle_t *h;
3288 	scf_instance_t *inst = NULL;
3289 	scf_propertygroup_t *pg = NULL;
3290 	scf_transaction_t *tx = NULL;
3291 	scf_transaction_entry_t *ent = NULL;
3292 	scf_value_t *val = NULL;
3293 	char buf[2];
3294 	int r;
3295 
3296 	h = scf_handle_create(SCF_VERSION);
3297 	if (h == NULL) {
3298 		scferr();
3299 		return;
3300 	}
3301 
3302 	if (scf_handle_bind(h) != 0) {
3303 		switch (scf_error()) {
3304 		case SCF_ERROR_NO_SERVER:
3305 			console(B_TRUE,
3306 			    gettext("smf(7) repository server not running.\n"));
3307 			goto bail;
3308 
3309 		default:
3310 			scferr();
3311 			goto bail;
3312 		}
3313 	}
3314 
3315 	if ((inst = scf_instance_create(h)) == NULL ||
3316 	    (pg = scf_pg_create(h)) == NULL ||
3317 	    (val = scf_value_create(h)) == NULL ||
3318 	    (tx = scf_transaction_create(h)) == NULL ||
3319 	    (ent = scf_entry_create(h)) == NULL) {
3320 		scferr();
3321 		goto bail;
3322 	}
3323 
3324 get_inst:
3325 	r = get_or_add_startd(inst);
3326 	switch (r) {
3327 	case 0:
3328 		break;
3329 
3330 	case ENOMEM:
3331 	case ECONNABORTED:
3332 	case EPERM:
3333 	case EACCES:
3334 	case EROFS:
3335 		scferr();
3336 		goto bail;
3337 	default:
3338 		bad_error("get_or_add_startd", r);
3339 	}
3340 
3341 get_pg:
3342 	if (scf_instance_get_pg(inst, SCF_PG_OPTIONS_OVR, pg) != 0) {
3343 		switch (scf_error()) {
3344 		case SCF_ERROR_CONNECTION_BROKEN:
3345 			scferr();
3346 			goto bail;
3347 
3348 		case SCF_ERROR_DELETED:
3349 			goto get_inst;
3350 
3351 		case SCF_ERROR_NOT_FOUND:
3352 			break;
3353 
3354 		case SCF_ERROR_HANDLE_MISMATCH:
3355 		case SCF_ERROR_INVALID_ARGUMENT:
3356 		case SCF_ERROR_NOT_SET:
3357 		default:
3358 			bad_error("scf_instance_get_pg", scf_error());
3359 		}
3360 
3361 add_pg:
3362 		if (scf_instance_add_pg(inst, SCF_PG_OPTIONS_OVR,
3363 		    SCF_PG_OPTIONS_OVR_TYPE, SCF_PG_OPTIONS_OVR_FLAGS, pg) !=
3364 		    0) {
3365 			switch (scf_error()) {
3366 			case SCF_ERROR_CONNECTION_BROKEN:
3367 			case SCF_ERROR_PERMISSION_DENIED:
3368 			case SCF_ERROR_BACKEND_ACCESS:
3369 				scferr();
3370 				goto bail;
3371 
3372 			case SCF_ERROR_DELETED:
3373 				goto get_inst;
3374 
3375 			case SCF_ERROR_EXISTS:
3376 				goto get_pg;
3377 
3378 			case SCF_ERROR_HANDLE_MISMATCH:
3379 			case SCF_ERROR_INVALID_ARGUMENT:
3380 			case SCF_ERROR_NOT_SET:
3381 			default:
3382 				bad_error("scf_instance_add_pg", scf_error());
3383 			}
3384 		}
3385 	}
3386 
3387 	buf[0] = rl;
3388 	buf[1] = '\0';
3389 	r = scf_value_set_astring(val, buf);
3390 	assert(r == 0);
3391 
3392 	for (;;) {
3393 		if (scf_transaction_start(tx, pg) != 0) {
3394 			switch (scf_error()) {
3395 			case SCF_ERROR_CONNECTION_BROKEN:
3396 			case SCF_ERROR_PERMISSION_DENIED:
3397 			case SCF_ERROR_BACKEND_ACCESS:
3398 				scferr();
3399 				goto bail;
3400 
3401 			case SCF_ERROR_DELETED:
3402 				goto add_pg;
3403 
3404 			case SCF_ERROR_HANDLE_MISMATCH:
3405 			case SCF_ERROR_NOT_BOUND:
3406 			case SCF_ERROR_IN_USE:
3407 			case SCF_ERROR_NOT_SET:
3408 			default:
3409 				bad_error("scf_transaction_start", scf_error());
3410 			}
3411 		}
3412 
3413 		r = transaction_add_set(tx, ent, "runlevel", SCF_TYPE_ASTRING);
3414 		switch (r) {
3415 		case 0:
3416 			break;
3417 
3418 		case ECONNABORTED:
3419 			scferr();
3420 			goto bail;
3421 
3422 		case ECANCELED:
3423 			scf_transaction_reset(tx);
3424 			goto add_pg;
3425 
3426 		default:
3427 			bad_error("transaction_add_set", r);
3428 		}
3429 
3430 		r = scf_entry_add_value(ent, val);
3431 		assert(r == 0);
3432 
3433 		r = scf_transaction_commit(tx);
3434 		if (r == 1)
3435 			break;
3436 
3437 		if (r != 0) {
3438 			switch (scf_error()) {
3439 			case SCF_ERROR_CONNECTION_BROKEN:
3440 			case SCF_ERROR_PERMISSION_DENIED:
3441 			case SCF_ERROR_BACKEND_ACCESS:
3442 			case SCF_ERROR_BACKEND_READONLY:
3443 				scferr();
3444 				goto bail;
3445 
3446 			case SCF_ERROR_DELETED:
3447 				scf_transaction_reset(tx);
3448 				goto add_pg;
3449 
3450 			case SCF_ERROR_INVALID_ARGUMENT:
3451 			case SCF_ERROR_NOT_BOUND:
3452 			case SCF_ERROR_NOT_SET:
3453 			default:
3454 				bad_error("scf_transaction_commit",
3455 				    scf_error());
3456 			}
3457 		}
3458 
3459 		scf_transaction_reset(tx);
3460 		(void) scf_pg_update(pg);
3461 	}
3462 
3463 bail:
3464 	scf_transaction_destroy(tx);
3465 	scf_entry_destroy(ent);
3466 	scf_value_destroy(val);
3467 	scf_pg_destroy(pg);
3468 	scf_instance_destroy(inst);
3469 
3470 	(void) scf_handle_unbind(h);
3471 	scf_handle_destroy(h);
3472 }
3473 
3474 /*
3475  * Function to handle requests from users to main init running as process 1.
3476  */
3477 static void
userinit(int argc,char ** argv)3478 userinit(int argc, char **argv)
3479 {
3480 	FILE	*fp;
3481 	char	*ln;
3482 	int	init_signal;
3483 	struct stat	sconbuf, conbuf;
3484 	const char *usage_msg = "Usage: init [0123456SsQqabc]\n";
3485 
3486 	/*
3487 	 * We are a user invoked init.  Is there an argument and is it
3488 	 * a single character?  If not, print usage message and quit.
3489 	 */
3490 	if (argc != 2 || argv[1][1] != '\0') {
3491 		(void) fprintf(stderr, usage_msg);
3492 		exit(0);
3493 	}
3494 
3495 	if ((init_signal = lvlname_to_state((char)argv[1][0])) == -1) {
3496 		(void) fprintf(stderr, usage_msg);
3497 		(void) audit_put_record(ADT_FAILURE, ADT_FAIL_VALUE_BAD_CMD,
3498 		    argv[1]);
3499 		exit(1);
3500 	}
3501 
3502 	if (init_signal == SINGLE_USER) {
3503 		/*
3504 		 * Make sure this process is talking to a legal tty line
3505 		 * and that /dev/syscon is linked to this line.
3506 		 */
3507 		ln = ttyname(0);	/* Get the name of tty */
3508 		if (ln == NULL) {
3509 			(void) fprintf(stderr,
3510 			    "Standard input not a tty line\n");
3511 			(void) audit_put_record(ADT_FAILURE,
3512 			    ADT_FAIL_VALUE_BAD_TTY, argv[1]);
3513 			exit(1);
3514 		}
3515 
3516 		if ((stat(ln, &sconbuf) != -1) &&
3517 		    (stat(SYSCON, &conbuf) == -1 ||
3518 		    sconbuf.st_rdev != conbuf.st_rdev)) {
3519 			/*
3520 			 * /dev/syscon needs to change.
3521 			 * Unlink /dev/syscon and relink it to the current line.
3522 			 */
3523 			if (lstat(SYSCON, &conbuf) != -1 &&
3524 			    unlink(SYSCON) == FAILURE) {
3525 				perror("Can't unlink /dev/syscon");
3526 				(void) fprintf(stderr,
3527 				    "Run command on the system console.\n");
3528 				(void) audit_put_record(ADT_FAILURE,
3529 				    ADT_FAIL_VALUE_PROGRAM, argv[1]);
3530 				exit(1);
3531 			}
3532 			if (symlink(ln, SYSCON) == FAILURE) {
3533 				(void) fprintf(stderr,
3534 				    "Can't symlink /dev/syscon to %s: %s", ln,
3535 				    strerror(errno));
3536 
3537 				/* Try to leave a syscon */
3538 				(void) link(SYSTTY, SYSCON);
3539 				(void) audit_put_record(ADT_FAILURE,
3540 				    ADT_FAIL_VALUE_PROGRAM, argv[1]);
3541 				exit(1);
3542 			}
3543 
3544 			/*
3545 			 * Try to leave a message on system console saying where
3546 			 * /dev/syscon is currently connected.
3547 			 */
3548 			if ((fp = fopen(SYSTTY, "r+")) != NULL) {
3549 				(void) fprintf(fp,
3550 				    "\n****	SYSCON CHANGED TO %s	****\n",
3551 				    ln);
3552 				(void) fclose(fp);
3553 			}
3554 		}
3555 	}
3556 
3557 	update_boot_archive(init_signal);
3558 
3559 	(void) audit_put_record(ADT_SUCCESS, ADT_SUCCESS, argv[1]);
3560 
3561 	/*
3562 	 * Signal init; init will take care of telling svc.startd.
3563 	 */
3564 	if (kill(init_pid, init_signal) == FAILURE) {
3565 		(void) fprintf(stderr, "Must be super-user\n");
3566 		(void) audit_put_record(ADT_FAILURE,
3567 		    ADT_FAIL_VALUE_AUTH, argv[1]);
3568 		exit(1);
3569 	}
3570 
3571 	exit(0);
3572 }
3573 
3574 
3575 #define	DELTA	25	/* Number of pidlist elements to allocate at a time */
3576 
3577 /* ARGSUSED */
3578 void
sigpoll(int n)3579 sigpoll(int n)
3580 {
3581 	struct pidrec prec;
3582 	struct pidrec *p = &prec;
3583 	struct pidlist *plp;
3584 	struct pidlist *tp, *savetp;
3585 	int i;
3586 
3587 	if (Pfd < 0) {
3588 		return;
3589 	}
3590 
3591 	for (;;) {
3592 		/*
3593 		 * Important Note: Either read will really fail (in which case
3594 		 * return is all we can do) or will get EAGAIN (Pfd was opened
3595 		 * O_NDELAY), in which case we also want to return.
3596 		 * Always return from here!
3597 		 */
3598 		if (read(Pfd, p, sizeof (struct pidrec)) !=
3599 						sizeof (struct pidrec)) {
3600 			return;
3601 		}
3602 		switch (p->pd_type) {
3603 
3604 		case ADDPID:
3605 			/*
3606 			 * New "godchild", add to list.
3607 			 */
3608 			if (Plfree == NULL) {
3609 				plp = (struct pidlist *)calloc(DELTA,
3610 				    sizeof (struct pidlist));
3611 				if (plp == NULL) {
3612 					/* Can't save pid */
3613 					break;
3614 				}
3615 				/*
3616 				 * Point at 2nd record allocated, we'll use plp.
3617 				 */
3618 				tp = plp + 1;
3619 				/*
3620 				 * Link them into a chain.
3621 				 */
3622 				Plfree = tp;
3623 				for (i = 0; i < DELTA - 2; i++) {
3624 					tp->pl_next = tp + 1;
3625 					tp++;
3626 				}
3627 			} else {
3628 				plp = Plfree;
3629 				Plfree = plp->pl_next;
3630 			}
3631 			plp->pl_pid = p->pd_pid;
3632 			plp->pl_dflag = 0;
3633 			plp->pl_next = NULL;
3634 			/*
3635 			 * Note - pid list is kept in increasing order of pids.
3636 			 */
3637 			if (Plhead == NULL) {
3638 				Plhead = plp;
3639 				/* Back up to read next record */
3640 				break;
3641 			} else {
3642 				savetp = tp = Plhead;
3643 				while (tp) {
3644 					if (plp->pl_pid > tp->pl_pid) {
3645 						savetp = tp;
3646 						tp = tp->pl_next;
3647 						continue;
3648 					} else if (plp->pl_pid < tp->pl_pid) {
3649 						if (tp == Plhead) {
3650 							plp->pl_next = Plhead;
3651 							Plhead = plp;
3652 						} else {
3653 							plp->pl_next =
3654 							    savetp->pl_next;
3655 							savetp->pl_next = plp;
3656 						}
3657 						break;
3658 					} else {
3659 						/* Already in list! */
3660 						plp->pl_next = Plfree;
3661 						Plfree = plp;
3662 						break;
3663 					}
3664 				}
3665 				if (tp == NULL) {
3666 					/* Add to end of list */
3667 					savetp->pl_next = plp;
3668 				}
3669 			}
3670 			/* Back up to read next record. */
3671 			break;
3672 
3673 		case REMPID:
3674 			/*
3675 			 * This one was handled by someone else,
3676 			 * purge it from the list.
3677 			 */
3678 			if (Plhead == NULL) {
3679 				/* Back up to read next record. */
3680 				break;
3681 			}
3682 			savetp = tp = Plhead;
3683 			while (tp) {
3684 				if (p->pd_pid > tp->pl_pid) {
3685 					/* Keep on looking. */
3686 					savetp = tp;
3687 					tp = tp->pl_next;
3688 					continue;
3689 				} else if (p->pd_pid < tp->pl_pid) {
3690 					/* Not in list. */
3691 					break;
3692 				} else {
3693 					/* Found it. */
3694 					if (tp == Plhead)
3695 						Plhead = tp->pl_next;
3696 					else
3697 						savetp->pl_next = tp->pl_next;
3698 					tp->pl_next = Plfree;
3699 					Plfree = tp;
3700 					break;
3701 				}
3702 			}
3703 			/* Back up to read next record. */
3704 			break;
3705 		default:
3706 			console(B_TRUE, "Bad message on initpipe\n");
3707 			break;
3708 		}
3709 	}
3710 }
3711 
3712 
3713 static void
cleanaux()3714 cleanaux()
3715 {
3716 	struct pidlist *savep, *p;
3717 	pid_t	pid;
3718 	short	status;
3719 
3720 	(void) sighold(SIGCLD);
3721 	Gchild = 0;	/* Note - Safe to do this here since no SIGCLDs */
3722 	(void) sighold(SIGPOLL);
3723 	savep = p = Plhead;
3724 	while (p) {
3725 		if (p->pl_dflag) {
3726 			/*
3727 			 * Found an entry to delete,
3728 			 * remove it from list first.
3729 			 */
3730 			pid = p->pl_pid;
3731 			status = p->pl_exit;
3732 			if (p == Plhead) {
3733 				Plhead = p->pl_next;
3734 				p->pl_next = Plfree;
3735 				Plfree = p;
3736 				savep = p = Plhead;
3737 			} else {
3738 				savep->pl_next = p->pl_next;
3739 				p->pl_next = Plfree;
3740 				Plfree = p;
3741 				p = savep->pl_next;
3742 			}
3743 			clearent(pid, status);
3744 			continue;
3745 		}
3746 		savep = p;
3747 		p = p->pl_next;
3748 	}
3749 	(void) sigrelse(SIGPOLL);
3750 	(void) sigrelse(SIGCLD);
3751 }
3752 
3753 
3754 /*
3755  * /etc/inittab has more entries and we have run out of room in the proc_table
3756  * array. Double the size of proc_table to accomodate the extra entries.
3757  */
3758 static void
increase_proc_table_size()3759 increase_proc_table_size()
3760 {
3761 	sigset_t block, unblock;
3762 	void *ptr;
3763 	size_t delta = num_proc * sizeof (struct PROC_TABLE);
3764 
3765 
3766 	/*
3767 	 * Block signals for realloc.
3768 	 */
3769 	(void) sigfillset(&block);
3770 	(void) sigprocmask(SIG_BLOCK, &block, &unblock);
3771 
3772 
3773 	/*
3774 	 * On failure we just return because callers of this function check
3775 	 * for failure.
3776 	 */
3777 	do
3778 		ptr = realloc(g_state, g_state_sz + delta);
3779 	while (ptr == NULL && errno == EAGAIN)
3780 		;
3781 
3782 	if (ptr != NULL) {
3783 		/* ensure that the new part is initialized to zero */
3784 		bzero((caddr_t)ptr + g_state_sz, delta);
3785 
3786 		g_state = ptr;
3787 		g_state_sz += delta;
3788 		num_proc <<= 1;
3789 	}
3790 
3791 
3792 	/* unblock our signals before returning */
3793 	(void) sigprocmask(SIG_SETMASK, &unblock, NULL);
3794 }
3795 
3796 
3797 
3798 /*
3799  * Sanity check g_state.
3800  */
3801 static int
st_sane()3802 st_sane()
3803 {
3804 	int i;
3805 	struct PROC_TABLE *ptp;
3806 
3807 
3808 	/* Note: cur_state is encoded as a signal number */
3809 	if (cur_state < 1 || cur_state == 9 || cur_state > 13)
3810 		return (0);
3811 
3812 	/* Check num_proc */
3813 	if (g_state_sz != sizeof (struct init_state) + (num_proc - 1) *
3814 	    sizeof (struct PROC_TABLE))
3815 		return (0);
3816 
3817 	/* Check proc_table */
3818 	for (i = 0, ptp = proc_table; i < num_proc; ++i, ++ptp) {
3819 		/* skip unoccupied entries */
3820 		if (!(ptp->p_flags & OCCUPIED))
3821 			continue;
3822 
3823 		/* p_flags has no bits outside of PF_MASK */
3824 		if (ptp->p_flags & ~(PF_MASK))
3825 			return (0);
3826 
3827 		/* 5 <= pid <= MAXPID */
3828 		if (ptp->p_pid < 5 || ptp->p_pid > MAXPID)
3829 			return (0);
3830 
3831 		/* p_count >= 0 */
3832 		if (ptp->p_count < 0)
3833 			return (0);
3834 
3835 		/* p_time >= 0 */
3836 		if (ptp->p_time < 0)
3837 			return (0);
3838 	}
3839 
3840 	return (1);
3841 }
3842 
3843 /*
3844  * Initialize our state.
3845  *
3846  * If the system just booted, then init_state_file, which is located on an
3847  * everpresent tmpfs filesystem, should not exist.
3848  *
3849  * If we were restarted, then init_state_file should exist, in
3850  * which case we'll read it in, sanity check it, and use it.
3851  *
3852  * Note: You can't call console() until proc_table is ready.
3853  */
3854 void
st_init()3855 st_init()
3856 {
3857 	struct stat stb;
3858 	int ret, st_fd, insane = 0;
3859 	size_t to_be_read;
3860 	char *ptr;
3861 
3862 
3863 	booting = 1;
3864 
3865 	do {
3866 		/*
3867 		 * If we can exclusively create the file, then we're the
3868 		 * initial invocation of init(8).
3869 		 */
3870 		st_fd = open(init_state_file, O_RDWR | O_CREAT | O_EXCL,
3871 		    S_IRUSR | S_IWUSR);
3872 	} while (st_fd == -1 && errno == EINTR);
3873 	if (st_fd != -1)
3874 		goto new_state;
3875 
3876 	booting = 0;
3877 
3878 	do {
3879 		st_fd = open(init_state_file, O_RDWR, S_IRUSR | S_IWUSR);
3880 	} while (st_fd == -1 && errno == EINTR);
3881 	if (st_fd == -1)
3882 		goto new_state;
3883 
3884 	/* Get the size of the file. */
3885 	do
3886 		ret = fstat(st_fd, &stb);
3887 	while (ret == -1 && errno == EINTR)
3888 		;
3889 	if (ret == -1)
3890 		goto new_state;
3891 
3892 	do
3893 		g_state = malloc(stb.st_size);
3894 	while (g_state == NULL && errno == EAGAIN)
3895 		;
3896 	if (g_state == NULL)
3897 		goto new_state;
3898 
3899 	to_be_read = stb.st_size;
3900 	ptr = (char *)g_state;
3901 	while (to_be_read > 0) {
3902 		ssize_t read_ret;
3903 
3904 		read_ret = read(st_fd, ptr, to_be_read);
3905 		if (read_ret < 0) {
3906 			if (errno == EINTR)
3907 				continue;
3908 
3909 			goto new_state;
3910 		}
3911 
3912 		to_be_read -= read_ret;
3913 		ptr += read_ret;
3914 	}
3915 
3916 	(void) close(st_fd);
3917 
3918 	g_state_sz = stb.st_size;
3919 
3920 	if (st_sane()) {
3921 		console(B_TRUE, "Restarting.\n");
3922 		return;
3923 	}
3924 
3925 	insane = 1;
3926 
3927 new_state:
3928 	if (st_fd >= 0)
3929 		(void) close(st_fd);
3930 	else
3931 		(void) unlink(init_state_file);
3932 
3933 	if (g_state != NULL)
3934 		free(g_state);
3935 
3936 	/* Something went wrong, so allocate new state. */
3937 	g_state_sz = sizeof (struct init_state) +
3938 	    ((init_num_proc - 1) * sizeof (struct PROC_TABLE));
3939 	do
3940 		g_state = calloc(1, g_state_sz);
3941 	while (g_state == NULL && errno == EAGAIN)
3942 		;
3943 	if (g_state == NULL) {
3944 		/* Fatal error! */
3945 		exit(errno);
3946 	}
3947 
3948 	g_state->ist_runlevel = -1;
3949 	num_proc = init_num_proc;
3950 
3951 	if (!booting) {
3952 		console(B_TRUE, "Restarting.\n");
3953 
3954 		/* Overwrite the bad state file. */
3955 		st_write();
3956 
3957 		if (!insane) {
3958 			console(B_TRUE,
3959 			    "Error accessing persistent state file `%s'.  "
3960 			    "Ignored.\n", init_state_file);
3961 		} else {
3962 			console(B_TRUE,
3963 			    "Persistent state file `%s' is invalid and was "
3964 			    "ignored.\n", init_state_file);
3965 		}
3966 	}
3967 }
3968 
3969 /*
3970  * Write g_state out to the state file.
3971  */
3972 void
st_write()3973 st_write()
3974 {
3975 	static int complained = 0;
3976 
3977 	int st_fd;
3978 	char *cp;
3979 	size_t sz;
3980 	ssize_t ret;
3981 
3982 
3983 	do {
3984 		st_fd = open(init_next_state_file,
3985 		    O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
3986 	} while (st_fd < 0 && errno == EINTR);
3987 	if (st_fd < 0)
3988 		goto err;
3989 
3990 	cp = (char *)g_state;
3991 	sz = g_state_sz;
3992 	while (sz > 0) {
3993 		ret = write(st_fd, cp, sz);
3994 		if (ret < 0) {
3995 			if (errno == EINTR)
3996 				continue;
3997 
3998 			goto err;
3999 		}
4000 
4001 		sz -= ret;
4002 		cp += ret;
4003 	}
4004 
4005 	(void) close(st_fd);
4006 	st_fd = -1;
4007 	if (rename(init_next_state_file, init_state_file)) {
4008 		(void) unlink(init_next_state_file);
4009 		goto err;
4010 	}
4011 	complained = 0;
4012 
4013 	return;
4014 
4015 err:
4016 	if (st_fd >= 0)
4017 		(void) close(st_fd);
4018 
4019 	if (!booting && !complained) {
4020 		/*
4021 		 * Only complain after the filesystem should have come up.
4022 		 * And only do it once so we don't loop between console()
4023 		 * & efork().
4024 		 */
4025 		complained = 1;
4026 		if (st_fd)
4027 			console(B_TRUE, "Couldn't write persistent state "
4028 			    "file `%s'.\n", init_state_file);
4029 		else
4030 			console(B_TRUE, "Couldn't move persistent state "
4031 			    "file `%s' to `%s'.\n", init_next_state_file,
4032 			    init_state_file);
4033 	}
4034 }
4035 
4036 /*
4037  * Create a contract with these parameters.
4038  */
4039 static int
contract_make_template(uint_t info,uint_t critical,uint_t fatal,uint64_t cookie)4040 contract_make_template(uint_t info, uint_t critical, uint_t fatal,
4041     uint64_t cookie)
4042 {
4043 	int fd, err;
4044 
4045 	char *ioctl_tset_emsg =
4046 	    "Couldn't set \"%s\" contract template parameter: %s.\n";
4047 
4048 	do
4049 		fd = open64(CTFS_ROOT "/process/template", O_RDWR);
4050 	while (fd < 0 && errno == EINTR)
4051 		;
4052 	if (fd < 0) {
4053 		console(B_TRUE, "Couldn't create process template: %s.\n",
4054 		    strerror(errno));
4055 		return (-1);
4056 	}
4057 
4058 	if (err = ct_pr_tmpl_set_param(fd, CT_PR_INHERIT | CT_PR_REGENT))
4059 		console(B_TRUE, "Contract set template inherit, regent "
4060 		    "failed: %s.\n", strerror(err));
4061 
4062 	/*
4063 	 * These errors result in a misconfigured template, which is better
4064 	 * than no template at all, so warn but don't abort.
4065 	 */
4066 	if (err = ct_tmpl_set_informative(fd, info))
4067 		console(B_TRUE, ioctl_tset_emsg, "informative", strerror(err));
4068 
4069 	if (err = ct_tmpl_set_critical(fd, critical))
4070 		console(B_TRUE, ioctl_tset_emsg, "critical", strerror(err));
4071 
4072 	if (err = ct_pr_tmpl_set_fatal(fd, fatal))
4073 		console(B_TRUE, ioctl_tset_emsg, "fatal", strerror(err));
4074 
4075 	if (err = ct_tmpl_set_cookie(fd, cookie))
4076 		console(B_TRUE, ioctl_tset_emsg, "cookie", strerror(err));
4077 
4078 	(void) fcntl(fd, F_SETFD, FD_CLOEXEC);
4079 
4080 	return (fd);
4081 }
4082 
4083 /*
4084  * Create the templates and open an event file descriptor.  We use dup2(2) to
4085  * get these descriptors away from the stdin/stdout/stderr group.
4086  */
4087 static void
contracts_init()4088 contracts_init()
4089 {
4090 	int err, fd;
4091 
4092 	/*
4093 	 * Create & configure a legacy template.  We only want empty events so
4094 	 * we know when to abandon them.
4095 	 */
4096 	legacy_tmpl = contract_make_template(0, CT_PR_EV_EMPTY, CT_PR_EV_HWERR,
4097 	    ORDINARY_COOKIE);
4098 	if (legacy_tmpl >= 0) {
4099 		err = ct_tmpl_activate(legacy_tmpl);
4100 		if (err != 0) {
4101 			(void) close(legacy_tmpl);
4102 			legacy_tmpl = -1;
4103 			console(B_TRUE,
4104 			    "Couldn't activate legacy template (%s); "
4105 			    "legacy services will be in init's contract.\n",
4106 			    strerror(err));
4107 		}
4108 	} else
4109 		console(B_TRUE,
4110 		    "Legacy services will be in init's contract.\n");
4111 
4112 	if (dup2(legacy_tmpl, 255) == -1) {
4113 		console(B_TRUE, "Could not duplicate legacy template: %s.\n",
4114 		    strerror(errno));
4115 	} else {
4116 		(void) close(legacy_tmpl);
4117 		legacy_tmpl = 255;
4118 	}
4119 
4120 	(void) fcntl(legacy_tmpl, F_SETFD, FD_CLOEXEC);
4121 
4122 	startd_tmpl = contract_make_template(0, CT_PR_EV_EMPTY,
4123 	    CT_PR_EV_HWERR | CT_PR_EV_SIGNAL | CT_PR_EV_CORE, STARTD_COOKIE);
4124 
4125 	if (dup2(startd_tmpl, 254) == -1) {
4126 		console(B_TRUE, "Could not duplicate startd template: %s.\n",
4127 		    strerror(errno));
4128 	} else {
4129 		(void) close(startd_tmpl);
4130 		startd_tmpl = 254;
4131 	}
4132 
4133 	(void) fcntl(startd_tmpl, F_SETFD, FD_CLOEXEC);
4134 
4135 	if (legacy_tmpl < 0 && startd_tmpl < 0) {
4136 		/* The creation errors have already been reported. */
4137 		console(B_TRUE,
4138 		    "Ignoring contract events.  Core smf(7) services will not "
4139 		    "be restarted.\n");
4140 		return;
4141 	}
4142 
4143 	/*
4144 	 * Open an event endpoint.
4145 	 */
4146 	do
4147 		fd = open64(CTFS_ROOT "/process/pbundle", O_RDONLY);
4148 	while (fd < 0 && errno == EINTR)
4149 		;
4150 	if (fd < 0) {
4151 		console(B_TRUE,
4152 		    "Couldn't open process pbundle: %s.  Core smf(7) services "
4153 		    "will not be restarted.\n", strerror(errno));
4154 		return;
4155 	}
4156 
4157 	if (dup2(fd, 253) == -1) {
4158 		console(B_TRUE, "Could not duplicate process bundle: %s.\n",
4159 		    strerror(errno));
4160 	} else {
4161 		(void) close(fd);
4162 		fd = 253;
4163 	}
4164 
4165 	(void) fcntl(fd, F_SETFD, FD_CLOEXEC);
4166 
4167 	/* Reset in case we've been restarted. */
4168 	(void) ct_event_reset(fd);
4169 
4170 	poll_fds[0].fd = fd;
4171 	poll_fds[0].events = POLLIN;
4172 	poll_nfds = 1;
4173 }
4174 
4175 static int
contract_getfile(ctid_t id,const char * name,int oflag)4176 contract_getfile(ctid_t id, const char *name, int oflag)
4177 {
4178 	int fd;
4179 
4180 	do
4181 		fd = contract_open(id, "process", name, oflag);
4182 	while (fd < 0 && errno == EINTR)
4183 		;
4184 
4185 	if (fd < 0)
4186 		console(B_TRUE, "Couldn't open %s for contract %ld: %s.\n",
4187 		    name, id, strerror(errno));
4188 
4189 	return (fd);
4190 }
4191 
4192 static int
contract_cookie(ctid_t id,uint64_t * cp)4193 contract_cookie(ctid_t id, uint64_t *cp)
4194 {
4195 	int fd, err;
4196 	ct_stathdl_t sh;
4197 
4198 	fd = contract_getfile(id, "status", O_RDONLY);
4199 	if (fd < 0)
4200 		return (-1);
4201 
4202 	err = ct_status_read(fd, CTD_COMMON, &sh);
4203 	if (err != 0) {
4204 		console(B_TRUE, "Couldn't read status of contract %ld: %s.\n",
4205 		    id, strerror(err));
4206 		(void) close(fd);
4207 		return (-1);
4208 	}
4209 
4210 	(void) close(fd);
4211 
4212 	*cp = ct_status_get_cookie(sh);
4213 
4214 	ct_status_free(sh);
4215 	return (0);
4216 }
4217 
4218 static void
contract_ack(ct_evthdl_t e)4219 contract_ack(ct_evthdl_t e)
4220 {
4221 	int fd;
4222 
4223 	if (ct_event_get_flags(e) & CTE_INFO)
4224 		return;
4225 
4226 	fd = contract_getfile(ct_event_get_ctid(e), "ctl", O_WRONLY);
4227 	if (fd < 0)
4228 		return;
4229 
4230 	(void) ct_ctl_ack(fd, ct_event_get_evid(e));
4231 	(void) close(fd);
4232 }
4233 
4234 /*
4235  * Process a contract event.
4236  */
4237 static void
contract_event(struct pollfd * poll)4238 contract_event(struct pollfd *poll)
4239 {
4240 	ct_evthdl_t e;
4241 	int err;
4242 	ctid_t ctid;
4243 
4244 	if (!(poll->revents & POLLIN)) {
4245 		if (poll->revents & POLLERR)
4246 			console(B_TRUE,
4247 			    "Unknown poll error on my process contract "
4248 			    "pbundle.\n");
4249 		return;
4250 	}
4251 
4252 	err = ct_event_read(poll->fd, &e);
4253 	if (err != 0) {
4254 		console(B_TRUE, "Error retrieving contract event: %s.\n",
4255 		    strerror(err));
4256 		return;
4257 	}
4258 
4259 	ctid = ct_event_get_ctid(e);
4260 
4261 	if (ct_event_get_type(e) == CT_PR_EV_EMPTY) {
4262 		uint64_t cookie;
4263 		int ret, abandon = 1;
4264 
4265 		/* If it's svc.startd, restart it.  Else, abandon. */
4266 		ret = contract_cookie(ctid, &cookie);
4267 
4268 		if (ret == 0) {
4269 			if (cookie == STARTD_COOKIE &&
4270 			    do_restart_startd) {
4271 				if (smf_debug)
4272 					console(B_TRUE, "Restarting "
4273 					    "svc.startd.\n");
4274 
4275 				/*
4276 				 * Account for the failure.  If the failure rate
4277 				 * exceeds a threshold, then drop to maintenance
4278 				 * mode.
4279 				 */
4280 				startd_record_failure();
4281 				if (startd_failure_rate_critical())
4282 					enter_maintenance();
4283 
4284 				if (startd_tmpl < 0)
4285 					console(B_TRUE,
4286 					    "Restarting svc.startd in "
4287 					    "improper contract (bad "
4288 					    "template).\n");
4289 
4290 				(void) startd_run(startd_cline, startd_tmpl,
4291 				    ctid);
4292 
4293 				abandon = 0;
4294 			}
4295 		}
4296 
4297 		if (abandon && (err = contract_abandon_id(ctid))) {
4298 			console(B_TRUE, "Couldn't abandon contract %ld: %s.\n",
4299 			    ctid, strerror(err));
4300 		}
4301 
4302 		/*
4303 		 * No need to acknowledge the event since either way the
4304 		 * originating contract should be abandoned.
4305 		 */
4306 	} else {
4307 		console(B_TRUE,
4308 		    "Received contract event of unexpected type %d from "
4309 		    "contract %ld.\n", ct_event_get_type(e), ctid);
4310 
4311 		if ((ct_event_get_flags(e) & (CTE_INFO | CTE_ACK)) == 0)
4312 			/* Allow unexpected critical events to be released. */
4313 			contract_ack(e);
4314 	}
4315 
4316 	ct_event_free(e);
4317 }
4318 
4319 /*
4320  * svc.startd(8) Management
4321  */
4322 
4323 /*
4324  * (Re)start svc.startd(8).  old_ctid should be the contract ID of the old
4325  * contract, or 0 if we're starting it for the first time.  If wait is true
4326  * we'll wait for and return the exit value of the child.
4327  */
4328 static int
startd_run(const char * cline,int tmpl,ctid_t old_ctid)4329 startd_run(const char *cline, int tmpl, ctid_t old_ctid)
4330 {
4331 	int err, i, ret, did_activate;
4332 	pid_t pid;
4333 	struct stat sb;
4334 
4335 	if (cline[0] == '\0')
4336 		return (-1);
4337 
4338 	/*
4339 	 * Don't restart startd if the system is rebooting or shutting down.
4340 	 */
4341 	do {
4342 		ret = stat("/etc/svc/volatile/resetting", &sb);
4343 	} while (ret == -1 && errno == EINTR);
4344 
4345 	if (ret == 0) {
4346 		if (smf_debug)
4347 			console(B_TRUE, "Quiescing for reboot.\n");
4348 		(void) pause();
4349 		return (-1);
4350 	}
4351 
4352 	err = ct_pr_tmpl_set_transfer(tmpl, old_ctid);
4353 	if (err == EINVAL) {
4354 		console(B_TRUE, "Remake startd_tmpl; reattempt transfer.\n");
4355 		tmpl = startd_tmpl = contract_make_template(0, CT_PR_EV_EMPTY,
4356 		    CT_PR_EV_HWERR, STARTD_COOKIE);
4357 
4358 		err = ct_pr_tmpl_set_transfer(tmpl, old_ctid);
4359 	}
4360 	if (err != 0) {
4361 		console(B_TRUE,
4362 		    "Couldn't set transfer parameter of contract template: "
4363 		    "%s.\n", strerror(err));
4364 	}
4365 
4366 	if ((err = ct_pr_tmpl_set_svc_fmri(startd_tmpl,
4367 	    SCF_SERVICE_STARTD)) != 0)
4368 		console(B_TRUE,
4369 		    "Can not set svc_fmri in contract template: %s\n",
4370 		    strerror(err));
4371 	if ((err = ct_pr_tmpl_set_svc_aux(startd_tmpl,
4372 	    startd_svc_aux)) != 0)
4373 		console(B_TRUE,
4374 		    "Can not set svc_aux in contract template: %s\n",
4375 		    strerror(err));
4376 	did_activate = !(ct_tmpl_activate(tmpl));
4377 	if (!did_activate)
4378 		console(B_TRUE,
4379 		    "Template activation failed; not starting \"%s\" in "
4380 		    "proper contract.\n", cline);
4381 
4382 	/* Hold SIGCLD so we can wait if necessary. */
4383 	(void) sighold(SIGCLD);
4384 
4385 	while ((pid = fork()) < 0) {
4386 		if (errno == EPERM) {
4387 			console(B_TRUE, "Insufficient permission to fork.\n");
4388 
4389 			/* Now that's a doozy. */
4390 			exit(1);
4391 		}
4392 
4393 		console(B_TRUE,
4394 		    "fork() for svc.startd failed: %s.  Will retry in 1 "
4395 		    "second...\n", strerror(errno));
4396 
4397 		(void) sleep(1);
4398 
4399 		/* Eventually give up? */
4400 	}
4401 
4402 	if (pid == 0) {
4403 		/* child */
4404 
4405 		/* See the comment in efork() */
4406 		for (i = SIGHUP; i <= SIGRTMAX; ++i) {
4407 			if (i == SIGTTOU || i == SIGTTIN || i == SIGTSTP)
4408 				(void) sigset(i, SIG_IGN);
4409 			else
4410 				(void) sigset(i, SIG_DFL);
4411 		}
4412 
4413 		if (smf_options != NULL) {
4414 			/* Put smf_options in the environment. */
4415 			glob_envp[glob_envn] =
4416 			    malloc(sizeof ("SMF_OPTIONS=") - 1 +
4417 			    strlen(smf_options) + 1);
4418 
4419 			if (glob_envp[glob_envn] != NULL) {
4420 				/* LINTED */
4421 				(void) sprintf(glob_envp[glob_envn],
4422 				    "SMF_OPTIONS=%s", smf_options);
4423 				glob_envp[glob_envn+1] = NULL;
4424 			} else {
4425 				console(B_TRUE,
4426 				    "Could not set SMF_OPTIONS (%s).\n",
4427 				    strerror(errno));
4428 			}
4429 		}
4430 
4431 		if (smf_debug)
4432 			console(B_TRUE, "Executing svc.startd\n");
4433 
4434 		(void) execle(SH, "INITSH", "-c", cline, NULL, glob_envp);
4435 
4436 		console(B_TRUE, "Could not exec \"%s\" (%s).\n", SH,
4437 		    strerror(errno));
4438 
4439 		exit(1);
4440 	}
4441 
4442 	/* parent */
4443 
4444 	if (did_activate) {
4445 		if (legacy_tmpl < 0 || ct_tmpl_activate(legacy_tmpl) != 0)
4446 			(void) ct_tmpl_clear(tmpl);
4447 	}
4448 
4449 	/* Clear the old_ctid reference so the kernel can reclaim it. */
4450 	if (old_ctid != 0)
4451 		(void) ct_pr_tmpl_set_transfer(tmpl, 0);
4452 
4453 	(void) sigrelse(SIGCLD);
4454 
4455 	return (0);
4456 }
4457 
4458 /*
4459  * void startd_record_failure(void)
4460  *   Place the current time in our circular array of svc.startd failures.
4461  */
4462 void
startd_record_failure()4463 startd_record_failure()
4464 {
4465 	int index = startd_failure_index++ % NSTARTD_FAILURE_TIMES;
4466 
4467 	startd_failure_time[index] = gethrtime();
4468 }
4469 
4470 /*
4471  * int startd_failure_rate_critical(void)
4472  *   Return true if the average failure interval is less than the permitted
4473  *   interval.  Implicit success if insufficient measurements for an average
4474  *   exist.
4475  */
4476 int
startd_failure_rate_critical()4477 startd_failure_rate_critical()
4478 {
4479 	int n = startd_failure_index;
4480 	hrtime_t avg_ns = 0;
4481 
4482 	if (startd_failure_index < NSTARTD_FAILURE_TIMES)
4483 		return (0);
4484 
4485 	avg_ns =
4486 	    (startd_failure_time[(n - 1) % NSTARTD_FAILURE_TIMES] -
4487 	    startd_failure_time[n % NSTARTD_FAILURE_TIMES]) /
4488 	    NSTARTD_FAILURE_TIMES;
4489 
4490 	return (avg_ns < STARTD_FAILURE_RATE_NS);
4491 }
4492 
4493 /*
4494  * returns string that must be free'd
4495  */
4496 
4497 static char
audit_boot_msg()4498 *audit_boot_msg()
4499 {
4500 	char		*b, *p;
4501 	char		desc[] = "booted";
4502 	zoneid_t	zid = getzoneid();
4503 
4504 	b = malloc(sizeof (desc) + MAXNAMELEN + 3);
4505 	if (b == NULL)
4506 		return (b);
4507 
4508 	p = b;
4509 	p += strlcpy(p, desc, sizeof (desc));
4510 	if (zid != GLOBAL_ZONEID) {
4511 		p += strlcpy(p, ": ", 3);
4512 		(void) getzonenamebyid(zid, p, MAXNAMELEN);
4513 	}
4514 	return (b);
4515 }
4516 
4517 /*
4518  * Generate AUE_init_solaris audit record.  Return 1 if
4519  * auditing is enabled in case the caller cares.
4520  *
4521  * In the case of userint() or a local zone invocation of
4522  * one_true_init, the process initially contains the audit
4523  * characteristics of the process that invoked init.  The first pass
4524  * through here uses those characteristics then for the case of
4525  * one_true_init in a local zone, clears them so subsequent system
4526  * state changes won't be attributed to the person who booted the
4527  * zone.
4528  */
4529 static int
audit_put_record(int pass_fail,int status,char * msg)4530 audit_put_record(int pass_fail, int status, char *msg)
4531 {
4532 	adt_session_data_t	*ah;
4533 	adt_event_data_t	*event;
4534 
4535 	if (!adt_audit_enabled())
4536 		return (0);
4537 
4538 	/*
4539 	 * the PROC_DATA picks up the context to tell whether this is
4540 	 * an attributed record (auid = -2 is unattributed)
4541 	 */
4542 	if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA)) {
4543 		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
4544 		return (1);
4545 	}
4546 	event = adt_alloc_event(ah, ADT_init_solaris);
4547 	if (event == NULL) {
4548 		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
4549 		(void) adt_end_session(ah);
4550 		return (1);
4551 	}
4552 	event->adt_init_solaris.info = msg;	/* NULL is ok here */
4553 
4554 	if (adt_put_event(event, pass_fail, status)) {
4555 		console(B_TRUE, "audit failure:  %s\n", strerror(errno));
4556 		(void) adt_end_session(ah);
4557 		return (1);
4558 	}
4559 	adt_free_event(event);
4560 
4561 	(void) adt_end_session(ah);
4562 
4563 	return (1);
4564 }
4565