1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright (c) 2004, 2010, Oracle and/or its affiliates. All rights reserved.
  24  * Copyright (c) 2012, Joyent, Inc. All rights reserved.
  25  */
  26 
  27 #include <libintl.h>
  28 #include <librestart.h>
  29 #include <librestart_priv.h>
  30 #include <libscf.h>
  31 #include <libscf_priv.h>
  32 
  33 #include <assert.h>
  34 #include <ctype.h>
  35 #include <dlfcn.h>
  36 #include <errno.h>
  37 #include <exec_attr.h>
  38 #include <grp.h>
  39 #include <libsysevent.h>
  40 #include <libuutil.h>
  41 #include <limits.h>
  42 #include <link.h>
  43 #include <malloc.h>
  44 #include <pool.h>
  45 #include <priv.h>
  46 #include <project.h>
  47 #include <pthread.h>
  48 #include <pwd.h>
  49 #include <secdb.h>
  50 #include <signal.h>
  51 #include <stdlib.h>
  52 #include <string.h>
  53 #include <syslog.h>
  54 #include <sys/corectl.h>
  55 #include <sys/machelf.h>
  56 #include <sys/task.h>
  57 #include <sys/types.h>
  58 #include <time.h>
  59 #include <unistd.h>
  60 #include <ucontext.h>
  61 
  62 #define min(a, b)               ((a) > (b) ? (b) : (a))
  63 
  64 #define MKW_TRUE        ":true"
  65 #define MKW_KILL        ":kill"
  66 #define MKW_KILL_PROC   ":kill_process"
  67 
  68 #define ALLOCFAIL       ((char *)"Allocation failure.")
  69 #define RCBROKEN        ((char *)"Repository connection broken.")
  70 
  71 #define MAX_COMMIT_RETRIES              10
  72 #define MAX_COMMIT_RETRY_INT            (5 * 1000000)   /* 5 seconds */
  73 #define INITIAL_COMMIT_RETRY_INT        (10000)         /* 1/100th second */
  74 
  75 /*
  76  * bad_fail() catches bugs in this and lower layers by reporting supposedly
  77  * impossible function failures.  The NDEBUG case keeps the strings out of the
  78  * library but still calls abort() so we can root-cause from the coredump.
  79  */
  80 #ifndef NDEBUG
  81 #define bad_fail(func, err)     {                                       \
  82         (void) fprintf(stderr,                                          \
  83             "At %s:%d, %s() failed with unexpected error %d.  Aborting.\n", \
  84             __FILE__, __LINE__, (func), (err));                         \
  85         abort();                                                        \
  86 }
  87 #else
  88 #define bad_fail(func, err)     abort()
  89 #endif
  90 
  91 struct restarter_event_handle {
  92         char                            *reh_restarter_name;
  93         char                            *reh_delegate_channel_name;
  94         evchan_t                        *reh_delegate_channel;
  95         char                            *reh_delegate_subscriber_id;
  96         char                            *reh_master_channel_name;
  97         evchan_t                        *reh_master_channel;
  98         char                            *reh_master_subscriber_id;
  99         int                             (*reh_handler)(restarter_event_t *);
 100 };
 101 
 102 struct restarter_event {
 103         sysevent_t                      *re_sysevent;
 104         restarter_event_type_t          re_type;
 105         char                            *re_instance_name;
 106         restarter_event_handle_t        *re_event_handle;
 107         restarter_instance_state_t      re_state;
 108         restarter_instance_state_t      re_next_state;
 109 };
 110 
 111 /*
 112  * Long reasons must all parse/read correctly in the following contexts:
 113  *
 114  * "A service instance transitioned state: %s."
 115  * "A service failed: %s."
 116  * "Reason: %s."
 117  * "The service transitioned state (%s) and ..."
 118  *
 119  * With the exception of restart_str_none they must also fit the following
 120  * moulds:
 121  *
 122  * "An instance transitioned because %s, and ..."
 123  * "An instance transitioned to <new-state> because %s, and ..."
 124  *
 125  * Note that whoever is rendering the long message must provide the
 126  * terminal punctuation - don't include it here.  Similarly, do not
 127  * provide an initial capital letter in reason-long.
 128  *
 129  * The long reason strings are Volatile - within the grammatical constraints
 130  * above we may improve them as need be.  The intention is that a consumer
 131  * may blindly render the string along the lines of the above examples,
 132  * but has no other guarantees as to the exact wording.  Long reasons
 133  * are localized.
 134  *
 135  * We define revisions of the set of short reason strings in use.  Within
 136  * a given revision, all short reasons are Committed.  Consumers must check
 137  * the revision in use before relying on the semantics of the short reason
 138  * codes - if the version exceeds that which they are familiar with they should
 139  * fail gracefully.  Having checked for version compatability, a consumer
 140  * is assured that
 141  *
 142  *      "short_reason_A iff semantic_A", provided:
 143  *
 144  *              . the restarter uses this short reason code at all,
 145  *              . the short reason is not "none" (which a restarter could
 146  *                specifiy for any transition semantics)
 147  *
 148  * To split/refine such a Committed semantic_A into further cases,
 149  * we are required to bump the revision number.  This should be an
 150  * infrequent occurence.  If you bump the revision number you may
 151  * need to make corresponding changes in any source that calls
 152  * restarter_str_version (e.g., FMA event generation).
 153  *
 154  * To add additional reasons to the set you must also bump the version
 155  * number.
 156  */
 157 
 158 /*
 159  * The following describes revision 0 of the set of transition reasons.
 160  * Read the preceding block comment before making any changes.
 161  */
 162 static const struct restarter_state_transition_reason restarter_str[] = {
 163         /*
 164          * Any transition for which the restarter has not provided a reason.
 165          */
 166         {
 167             restarter_str_none,
 168             "none",
 169             "the restarter gave no reason"
 170         },
 171 
 172         /*
 173          * A transition to maintenance state due to a
 174          * 'svcadm mark maintenance <fmri>'.  *Not* used if the libscf
 175          * interface smf_maintain_instance(3SCF) is used to request maintenance.
 176          */
 177         {
 178             restarter_str_administrative_request,
 179             "administrative_request",
 180             "maintenance was requested by an administrator"
 181         },
 182 
 183         /*
 184          * A transition to maintenance state if a repository inconsistency
 185          * exists when the service/instance state is first read by startd
 186          * into the graph engine (this can also happen during startd restart).
 187          */
 188         {
 189             restarter_str_bad_repo_state,
 190             "bad_repo_state",
 191             "an SMF repository inconsistecy exists"
 192         },
 193 
 194         /*
 195          * A transition 'maintenance -> uninitialized' resulting always
 196          * from 'svcadm clear <fmri>'.  *Not* used if the libscf interface
 197          * smf_restore_instance(3SCF) is used.
 198          */
 199         {
 200             restarter_str_clear_request,
 201             "clear_request",
 202             "maintenance clear was requested by an administrator"
 203         },
 204 
 205         /*
 206          * A transition 'online -> offline' due to a process core dump.
 207          */
 208         {
 209             restarter_str_ct_ev_core,
 210             "ct_ev_core",
 211             "a process dumped core"
 212         },
 213 
 214         /*
 215          * A transition 'online -> offline' due to an empty process contract,
 216          * i.e., the last process in a contract type service has exited.
 217          */
 218         {
 219             restarter_str_ct_ev_exit,
 220             "ct_ev_exit",
 221             "all processes in the service have exited"
 222         },
 223 
 224         /*
 225          * A transition 'online -> offline' due to a hardware error.
 226          */
 227         {
 228             restarter_str_ct_ev_hwerr,
 229             "ct_ev_hwerr",
 230             "a process was killed due to uncorrectable hardware error"
 231         },
 232 
 233         /*
 234          * A transition 'online -> offline' due to a process in the service
 235          * having received a fatal signal originating from outside the
 236          * service process contract.
 237          */
 238         {
 239             restarter_str_ct_ev_signal,
 240             "ct_ev_signal",
 241             "a process received a fatal signal from outside the service"
 242         },
 243 
 244         /*
 245          * A transition 'offline -> online' when all dependencies for the
 246          * service have been met.
 247          */
 248         {
 249             restarter_str_dependencies_satisfied,
 250             "dependencies_satisfied",
 251             "all dependencies have been satisfied"
 252         },
 253 
 254         /*
 255          * A transition 'online -> offline' because some dependency for the
 256          * service is no-longer met.
 257          */
 258         {
 259             restarter_str_dependency_activity,
 260             "dependency_activity",
 261             "a dependency activity required a stop"
 262         },
 263 
 264         /*
 265          * A transition to maintenance state due to a cycle in the
 266          * service dependencies.
 267          */
 268         {
 269             restarter_str_dependency_cycle,
 270             "dependency_cycle",
 271             "a dependency cycle exists"
 272         },
 273 
 274         /*
 275          * A transition 'online -> offline -> disabled' due to a
 276          * 'svcadm disable [-t] <fmri>' or smf_disable_instance(3SCF) call.
 277          */
 278         {
 279             restarter_str_disable_request,
 280             "disable_request",
 281             "a disable was requested"
 282         },
 283 
 284         /*
 285          * A transition 'disabled -> offline' due to a
 286          * 'svcadm enable [-t] <fmri>' or smf_enable_instance(3SCF) call.
 287          */
 288         {
 289             restarter_str_enable_request,
 290             "enable_request",
 291             "an enable was requested"
 292         },
 293 
 294         /*
 295          * A transition to maintenance state when a method fails
 296          * repeatedly for a retryable reason.
 297          */
 298         {
 299             restarter_str_fault_threshold_reached,
 300             "fault_threshold_reached",
 301             "a method is failing in a retryable manner but too often"
 302         },
 303 
 304         /*
 305          * A transition to uninitialized state when startd reads the service
 306          * configuration and inserts it into the graph engine.
 307          */
 308         {
 309             restarter_str_insert_in_graph,
 310             "insert_in_graph",
 311             "the instance was inserted in the graph"
 312         },
 313 
 314         /*
 315          * A transition to maintenance state due to an invalid dependency
 316          * declared for the service.
 317          */
 318         {
 319             restarter_str_invalid_dependency,
 320             "invalid_dependency",
 321             "a service has an invalid dependency"
 322         },
 323 
 324         /*
 325          * A transition to maintenance state because the service-declared
 326          * restarter is invalid.
 327          */
 328         {
 329             restarter_str_invalid_restarter,
 330             "invalid_restarter",
 331             "the service restarter is invalid"
 332         },
 333 
 334         /*
 335          * A transition to maintenance state because a restarter method
 336          * exited with one of SMF_EXIT_ERR_CONFIG, SMF_EXIT_ERR_NOSMF,
 337          * SMF_EXIT_ERR_PERM, or SMF_EXIT_ERR_FATAL.
 338          */
 339         {
 340             restarter_str_method_failed,
 341             "method_failed",
 342             "a start, stop or refresh method failed"
 343         },
 344 
 345         /*
 346          * A transition 'uninitialized -> {disabled|offline}' after
 347          * "insert_in_graph" to match the state configured in the
 348          * repository.
 349          */
 350         {
 351             restarter_str_per_configuration,
 352             "per_configuration",
 353             "the SMF repository configuration specifies this state"
 354         },
 355 
 356         /*
 357          * Refresh requested - no state change.
 358          */
 359         {
 360             restarter_str_refresh,
 361             NULL,
 362             "a refresh was requested (no change of state)"
 363         },
 364 
 365         /*
 366          * A transition 'online -> offline -> online' due to a
 367          * 'svcadm restart <fmri> or equivlaent libscf API call.
 368          * Both the 'online -> offline' and 'offline -> online' transtions
 369          * specify this reason.
 370          */
 371         {
 372             restarter_str_restart_request,
 373             "restart_request",
 374             "a restart was requested"
 375         },
 376 
 377         /*
 378          * A transition to maintenance state because the start method is
 379          * being executed successfully but too frequently.
 380          */
 381         {
 382             restarter_str_restarting_too_quickly,
 383             "restarting_too_quickly",
 384             "the instance is restarting too quickly"
 385         },
 386 
 387         /*
 388          * A transition to maintenance state due a service requesting
 389          * 'svcadm mark maintenance <fmri>' or equivalent libscf API call.
 390          * A command line 'svcadm mark maintenance <fmri>' does not produce
 391          * this reason - it produces administrative_request instead.
 392          */
 393         {
 394             restarter_str_service_request,
 395             "service_request",
 396             "maintenance was requested by another service"
 397         },
 398 
 399         /*
 400          * An instanced inserted into the graph at its existing state
 401          * during a startd restart - no state change.
 402          */
 403         {
 404             restarter_str_startd_restart,
 405             NULL,
 406             "the instance was inserted in the graph due to startd restart"
 407         }
 408 };
 409 
 410 uint32_t
 411 restarter_str_version(void)
 412 {
 413         return (RESTARTER_STRING_VERSION);
 414 }
 415 
 416 const char *
 417 restarter_get_str_short(restarter_str_t key)
 418 {
 419         int i;
 420         for (i = 0; i < sizeof (restarter_str) /
 421             sizeof (struct restarter_state_transition_reason); i++)
 422                 if (key == restarter_str[i].str_key)
 423                         return (restarter_str[i].str_short);
 424         return (NULL);
 425 }
 426 
 427 const char *
 428 restarter_get_str_long(restarter_str_t key)
 429 {
 430         int i;
 431         for (i = 0; i < sizeof (restarter_str) /
 432             sizeof (struct restarter_state_transition_reason); i++)
 433                 if (key == restarter_str[i].str_key)
 434                         return (dgettext(TEXT_DOMAIN,
 435                             restarter_str[i].str_long));
 436         return (NULL);
 437 }
 438 
 439 /*
 440  * A static no memory error message mc_error_t structure
 441  * to be used in cases when memory errors are to be returned
 442  * This avoids the need to attempt to allocate memory for the
 443  * message, therefore getting into a cycle of no memory failures.
 444  */
 445 mc_error_t mc_nomem_err = {
 446         0, ENOMEM, sizeof ("Out of memory") - 1, "Out of memory"
 447 };
 448 
 449 static const char * const allocfail = "Allocation failure.\n";
 450 static const char * const rcbroken = "Repository connection broken.\n";
 451 
 452 static int method_context_safety = 0;   /* Can safely call pools/projects. */
 453 
 454 int ndebug = 1;
 455 
 456 /* PRINTFLIKE3 */
 457 static mc_error_t *
 458 mc_error_create(mc_error_t *e, int type, const char *format, ...)
 459 {
 460         mc_error_t      *le;
 461         va_list         args;
 462         int             size;
 463 
 464         /*
 465          * If the type is ENOMEM and format is NULL, then
 466          * go ahead and return the default nomem error.
 467          * Otherwise, attempt to allocate the memory and if
 468          * that fails then there is no reason to continue.
 469          */
 470         if (type == ENOMEM && format == NULL)
 471                 return (&mc_nomem_err);
 472 
 473         if (e == NULL && (le = malloc(sizeof (mc_error_t))) == NULL)
 474                 return (&mc_nomem_err);
 475         else
 476                 le = e;
 477 
 478         le->type = type;
 479         le->destroy = 1;
 480         va_start(args, format);
 481         size = vsnprintf(NULL, 0, format, args) + 1;
 482         if (size >= RESTARTER_ERRMSGSZ) {
 483                 if ((le = realloc(e, sizeof (mc_error_t) +
 484                     (size - RESTARTER_ERRMSGSZ))) == NULL) {
 485                         size = RESTARTER_ERRMSGSZ - 1;
 486                         le = e;
 487                 }
 488         }
 489 
 490         le->size = size;
 491         (void) vsnprintf(le->msg, le->size, format, args);
 492         va_end(args);
 493 
 494         return (le);
 495 }
 496 
 497 void
 498 restarter_mc_error_destroy(mc_error_t *mc_err)
 499 {
 500         if (mc_err == NULL)
 501                 return;
 502 
 503         /*
 504          * If the error messages was allocated then free.
 505          */
 506         if (mc_err->destroy) {
 507                 free(mc_err);
 508         }
 509 }
 510 
 511 static void
 512 free_restarter_event_handle(struct restarter_event_handle *h)
 513 {
 514         if (h == NULL)
 515                 return;
 516 
 517         /*
 518          * Just free the memory -- don't unbind the sysevent handle,
 519          * as otherwise events may be lost if this is just a restarter
 520          * restart.
 521          */
 522 
 523         if (h->reh_restarter_name != NULL)
 524                 free(h->reh_restarter_name);
 525         if (h->reh_delegate_channel_name != NULL)
 526                 free(h->reh_delegate_channel_name);
 527         if (h->reh_delegate_subscriber_id != NULL)
 528                 free(h->reh_delegate_subscriber_id);
 529         if (h->reh_master_channel_name != NULL)
 530                 free(h->reh_master_channel_name);
 531         if (h->reh_master_subscriber_id != NULL)
 532                 free(h->reh_master_subscriber_id);
 533 
 534         free(h);
 535 }
 536 
 537 char *
 538 _restarter_get_channel_name(const char *fmri, int type)
 539 {
 540         char *name;
 541         char *chan_name = malloc(MAX_CHNAME_LEN);
 542         char prefix_name[3];
 543         int i;
 544 
 545         if (chan_name == NULL)
 546                 return (NULL);
 547 
 548         if (type == RESTARTER_CHANNEL_DELEGATE)
 549                 (void) strcpy(prefix_name, "d_");
 550         else if (type == RESTARTER_CHANNEL_MASTER)
 551                 (void) strcpy(prefix_name, "m_");
 552         else {
 553                 free(chan_name);
 554                 return (NULL);
 555         }
 556 
 557         /*
 558          * Create a unique name
 559          *
 560          * Use the entire name, using a replacement of the /
 561          * characters to get a better name.
 562          *
 563          * Remove the svc:/ from the beginning as this really
 564          * isn't going to provide any uniqueness...
 565          *
 566          * An fmri name greater than MAX_CHNAME_LEN is going
 567          * to be rejected as too long for the chan_name below
 568          * in the snprintf call.
 569          */
 570         if ((name = strdup(strchr(fmri, '/') + 1)) == NULL) {
 571                 free(chan_name);
 572                 return (NULL);
 573         }
 574         i = 0;
 575         while (name[i]) {
 576                 if (name[i] == '/') {
 577                         name[i] = '_';
 578                 }
 579 
 580                 i++;
 581         }
 582 
 583         /*
 584          * Should check for [a-z],[A-Z],[0-9],.,_,-,:
 585          */
 586 
 587         if (snprintf(chan_name, MAX_CHNAME_LEN, "com.sun:scf:%s%s",
 588             prefix_name, name) > MAX_CHNAME_LEN) {
 589                 free(chan_name);
 590                 chan_name = NULL;
 591         }
 592 
 593         free(name);
 594         return (chan_name);
 595 }
 596 
 597 int
 598 cb(sysevent_t *syse, void *cookie)
 599 {
 600         restarter_event_handle_t *h = (restarter_event_handle_t *)cookie;
 601         restarter_event_t *e;
 602         nvlist_t *attr_list = NULL;
 603         int ret = 0;
 604 
 605         e = uu_zalloc(sizeof (restarter_event_t));
 606         if (e == NULL)
 607                 uu_die(allocfail);
 608         e->re_event_handle = h;
 609         e->re_sysevent = syse;
 610 
 611         if (sysevent_get_attr_list(syse, &attr_list) != 0)
 612                 uu_die(allocfail);
 613 
 614         if ((nvlist_lookup_uint32(attr_list, RESTARTER_NAME_TYPE,
 615             &(e->re_type)) != 0) ||
 616             (nvlist_lookup_string(attr_list,
 617             RESTARTER_NAME_INSTANCE, &(e->re_instance_name)) != 0)) {
 618                 uu_warn("%s: Can't decode nvlist for event %p\n",
 619                     h->reh_restarter_name, (void *)syse);
 620 
 621                 ret = 0;
 622         } else {
 623                 ret = h->reh_handler(e);
 624         }
 625 
 626         uu_free(e);
 627         nvlist_free(attr_list);
 628         return (ret);
 629 }
 630 
 631 /*
 632  * restarter_bind_handle(uint32_t, char *, int (*)(restarter_event_t *), int,
 633  *     restarter_event_handle_t **)
 634  *
 635  * Bind to a delegated restarter event channel.
 636  * Each delegated restarter gets its own channel for resource management.
 637  *
 638  * Returns 0 on success or
 639  *   ENOTSUP    version mismatch
 640  *   EINVAL     restarter_name or event_handle is NULL
 641  *   ENOMEM     out of memory, too many channels, or too many subscriptions
 642  *   EBUSY      sysevent_evc_bind() could not establish binding
 643  *   EFAULT     internal sysevent_evc_bind()/sysevent_evc_subscribe() error
 644  *   EMFILE     out of file descriptors
 645  *   EPERM      insufficient privilege for sysevent_evc_bind()
 646  *   EEXIST     already subscribed
 647  */
 648 int
 649 restarter_bind_handle(uint32_t version, const char *restarter_name,
 650     int (*event_handler)(restarter_event_t *), int flags,
 651     restarter_event_handle_t **rehp)
 652 {
 653         restarter_event_handle_t *h;
 654         size_t sz;
 655         int err;
 656 
 657         if (version != RESTARTER_EVENT_VERSION)
 658                 return (ENOTSUP);
 659 
 660         if (restarter_name == NULL || event_handler == NULL)
 661                 return (EINVAL);
 662 
 663         if (flags & RESTARTER_FLAG_DEBUG)
 664                 ndebug++;
 665 
 666         if ((h = uu_zalloc(sizeof (restarter_event_handle_t))) == NULL)
 667                 return (ENOMEM);
 668 
 669         h->reh_delegate_subscriber_id = malloc(MAX_SUBID_LEN);
 670         h->reh_master_subscriber_id = malloc(MAX_SUBID_LEN);
 671         h->reh_restarter_name = strdup(restarter_name);
 672         if (h->reh_delegate_subscriber_id == NULL ||
 673             h->reh_master_subscriber_id == NULL ||
 674             h->reh_restarter_name == NULL) {
 675                 free_restarter_event_handle(h);
 676                 return (ENOMEM);
 677         }
 678 
 679         sz = strlcpy(h->reh_delegate_subscriber_id, "del", MAX_SUBID_LEN);
 680         assert(sz < MAX_SUBID_LEN);
 681         sz = strlcpy(h->reh_master_subscriber_id, "master", MAX_SUBID_LEN);
 682         assert(sz < MAX_SUBID_LEN);
 683 
 684         h->reh_delegate_channel_name =
 685             _restarter_get_channel_name(restarter_name,
 686             RESTARTER_CHANNEL_DELEGATE);
 687         h->reh_master_channel_name =
 688             _restarter_get_channel_name(restarter_name,
 689             RESTARTER_CHANNEL_MASTER);
 690 
 691         if (h->reh_delegate_channel_name == NULL ||
 692             h->reh_master_channel_name == NULL) {
 693                 free_restarter_event_handle(h);
 694                 return (ENOMEM);
 695         }
 696 
 697         if (sysevent_evc_bind(h->reh_delegate_channel_name,
 698             &h->reh_delegate_channel, EVCH_CREAT|EVCH_HOLD_PEND) != 0) {
 699                 err = errno;
 700                 assert(err != EINVAL);
 701                 assert(err != ENOENT);
 702                 free_restarter_event_handle(h);
 703                 return (err);
 704         }
 705 
 706         if (sysevent_evc_bind(h->reh_master_channel_name,
 707             &h->reh_master_channel, EVCH_CREAT|EVCH_HOLD_PEND) != 0) {
 708                 err = errno;
 709                 assert(err != EINVAL);
 710                 assert(err != ENOENT);
 711                 free_restarter_event_handle(h);
 712                 return (err);
 713         }
 714 
 715         h->reh_handler = event_handler;
 716 
 717         assert(strlen(restarter_name) <= MAX_CLASS_LEN - 1);
 718         assert(strlen(h->reh_delegate_subscriber_id) <= MAX_SUBID_LEN - 1);
 719         assert(strlen(h->reh_master_subscriber_id) <= MAX_SUBID_LEN - 1);
 720 
 721         if (sysevent_evc_subscribe(h->reh_delegate_channel,
 722             h->reh_delegate_subscriber_id, EC_ALL, cb, h, EVCH_SUB_KEEP) != 0) {
 723                 err = errno;
 724                 assert(err != EINVAL);
 725                 free_restarter_event_handle(h);
 726                 return (err);
 727         }
 728 
 729         *rehp = h;
 730         return (0);
 731 }
 732 
 733 restarter_event_handle_t *
 734 restarter_event_get_handle(restarter_event_t *e)
 735 {
 736         assert(e != NULL && e->re_event_handle != NULL);
 737         return (e->re_event_handle);
 738 }
 739 
 740 restarter_event_type_t
 741 restarter_event_get_type(restarter_event_t *e)
 742 {
 743         assert(e != NULL);
 744         return (e->re_type);
 745 }
 746 
 747 ssize_t
 748 restarter_event_get_instance(restarter_event_t *e, char *inst, size_t sz)
 749 {
 750         assert(e != NULL && inst != NULL);
 751         return ((ssize_t)strlcpy(inst, e->re_instance_name, sz));
 752 }
 753 
 754 int
 755 restarter_event_get_current_states(restarter_event_t *e,
 756     restarter_instance_state_t *state, restarter_instance_state_t *next_state)
 757 {
 758         if (e == NULL)
 759                 return (-1);
 760         *state = e->re_state;
 761         *next_state = e->re_next_state;
 762         return (0);
 763 }
 764 
 765 /*
 766  * restarter_event_publish_retry() is a wrapper around sysevent_evc_publish().
 767  * In case, the event cannot be sent at the first attempt (sysevent_evc_publish
 768  * returned EAGAIN - sysevent queue full), this function retries a few time
 769  * and return ENOSPC if it reaches the retry limit.
 770  *
 771  * The arguments to this function map the arguments of sysevent_evc_publish().
 772  *
 773  * On success, return 0. On error, return
 774  *
 775  *   EFAULT - internal sysevent_evc_publish() error
 776  *   ENOMEM - internal sysevent_evc_publish() error
 777  *   EBADF - scp is invalid (sysevent_evc_publish() returned EINVAL)
 778  *   ENOSPC - sysevent queue full (sysevent_evc_publish() returned EAGAIN)
 779  */
 780 int
 781 restarter_event_publish_retry(evchan_t *scp, const char *class,
 782     const char *subclass, const char *vendor, const char *pub_name,
 783     nvlist_t *attr_list, uint32_t flags)
 784 {
 785         int retries, ret;
 786         useconds_t retry_int = INITIAL_COMMIT_RETRY_INT;
 787 
 788         for (retries = 0; retries < MAX_COMMIT_RETRIES; retries++) {
 789                 ret = sysevent_evc_publish(scp, class, subclass, vendor,
 790                     pub_name, attr_list, flags);
 791                 if (ret == 0)
 792                         break;
 793 
 794                 switch (ret) {
 795                 case EAGAIN:
 796                         /* Queue is full */
 797                         (void) usleep(retry_int);
 798 
 799                         retry_int = min(retry_int * 2, MAX_COMMIT_RETRY_INT);
 800                         break;
 801 
 802                 case EINVAL:
 803                         ret = EBADF;
 804                         /* FALLTHROUGH */
 805 
 806                 case EFAULT:
 807                 case ENOMEM:
 808                         return (ret);
 809 
 810                 case EOVERFLOW:
 811                 default:
 812                         /* internal error - abort */
 813                         bad_fail("sysevent_evc_publish", ret);
 814                 }
 815         }
 816 
 817         if (retries == MAX_COMMIT_RETRIES)
 818                 ret = ENOSPC;
 819 
 820         return (ret);
 821 }
 822 
 823 /*
 824  * Commit the state, next state, and auxiliary state into the repository.
 825  * Let the graph engine know about the state change and error.  On success,
 826  * return 0. On error, return
 827  *   EPROTO - librestart compiled against different libscf
 828  *   ENOMEM - out of memory
 829  *          - repository server out of resources
 830  *   ENOTACTIVE - repository server not running
 831  *   ECONNABORTED - repository connection established, but then broken
 832  *                - unknown libscf error
 833  *   ENOENT - inst does not exist in the repository
 834  *   EPERM - insufficient permissions
 835  *   EACCESS - backend access denied
 836  *   EROFS - backend is readonly
 837  *   EFAULT - internal sysevent_evc_publish() error
 838  *   EBADF - h is invalid (sysevent_evc_publish() returned EINVAL)
 839  *   ENOSPC - sysevent queue full (sysevent_evc_publish() returned EAGAIN)
 840  */
 841 int
 842 restarter_set_states(restarter_event_handle_t *h, const char *inst,
 843     restarter_instance_state_t cur_state,
 844     restarter_instance_state_t new_cur_state,
 845     restarter_instance_state_t next_state,
 846     restarter_instance_state_t new_next_state, restarter_error_t e,
 847     restarter_str_t aux)
 848 {
 849         nvlist_t *attr;
 850         scf_handle_t *scf_h;
 851         instance_data_t id;
 852         int ret = 0;
 853         const char *p = restarter_get_str_short(aux);
 854 
 855         assert(h->reh_master_channel != NULL);
 856         assert(h->reh_master_channel_name != NULL);
 857         assert(h->reh_master_subscriber_id != NULL);
 858 
 859         if ((scf_h = scf_handle_create(SCF_VERSION)) == NULL) {
 860                 switch (scf_error()) {
 861                 case SCF_ERROR_VERSION_MISMATCH:
 862                         return (EPROTO);
 863 
 864                 case SCF_ERROR_NO_MEMORY:
 865                         return (ENOMEM);
 866 
 867                 default:
 868                         bad_fail("scf_handle_create", scf_error());
 869                 }
 870         }
 871 
 872         if (scf_handle_bind(scf_h) == -1) {
 873                 scf_handle_destroy(scf_h);
 874                 switch (scf_error()) {
 875                 case SCF_ERROR_NO_SERVER:
 876                         return (ENOTACTIVE);
 877 
 878                 case SCF_ERROR_NO_RESOURCES:
 879                         return (ENOMEM);
 880 
 881                 case SCF_ERROR_INVALID_ARGUMENT:
 882                 case SCF_ERROR_IN_USE:
 883                 default:
 884                         bad_fail("scf_handle_bind", scf_error());
 885                 }
 886         }
 887 
 888         if (nvlist_alloc(&attr, NV_UNIQUE_NAME, 0) != 0 ||
 889             nvlist_add_int32(attr, RESTARTER_NAME_STATE, new_cur_state) != 0 ||
 890             nvlist_add_int32(attr, RESTARTER_NAME_NEXT_STATE, new_next_state)
 891             != 0 ||
 892             nvlist_add_int32(attr, RESTARTER_NAME_ERROR, e) != 0 ||
 893             nvlist_add_string(attr, RESTARTER_NAME_INSTANCE, inst) != 0 ||
 894             nvlist_add_int32(attr, RESTARTER_NAME_REASON, aux) != 0) {
 895                 ret = ENOMEM;
 896         } else {
 897                 id.i_fmri = inst;
 898                 id.i_state = cur_state;
 899                 id.i_next_state = next_state;
 900 
 901                 ret = _restarter_commit_states(scf_h, &id, new_cur_state,
 902                     new_next_state, p);
 903 
 904                 if (ret == 0) {
 905                         ret = restarter_event_publish_retry(
 906                             h->reh_master_channel, "master", "state_change",
 907                             "com.sun", "librestart", attr, EVCH_NOSLEEP);
 908                 }
 909         }
 910 
 911         nvlist_free(attr);
 912         (void) scf_handle_unbind(scf_h);
 913         scf_handle_destroy(scf_h);
 914 
 915         return (ret);
 916 }
 917 
 918 restarter_instance_state_t
 919 restarter_string_to_state(char *string)
 920 {
 921         assert(string != NULL);
 922 
 923         if (strcmp(string, SCF_STATE_STRING_NONE) == 0)
 924                 return (RESTARTER_STATE_NONE);
 925         else if (strcmp(string, SCF_STATE_STRING_UNINIT) == 0)
 926                 return (RESTARTER_STATE_UNINIT);
 927         else if (strcmp(string, SCF_STATE_STRING_MAINT) == 0)
 928                 return (RESTARTER_STATE_MAINT);
 929         else if (strcmp(string, SCF_STATE_STRING_OFFLINE) == 0)
 930                 return (RESTARTER_STATE_OFFLINE);
 931         else if (strcmp(string, SCF_STATE_STRING_DISABLED) == 0)
 932                 return (RESTARTER_STATE_DISABLED);
 933         else if (strcmp(string, SCF_STATE_STRING_ONLINE) == 0)
 934                 return (RESTARTER_STATE_ONLINE);
 935         else if (strcmp(string, SCF_STATE_STRING_DEGRADED) == 0)
 936                 return (RESTARTER_STATE_DEGRADED);
 937         else {
 938                 return (RESTARTER_STATE_NONE);
 939         }
 940 }
 941 
 942 ssize_t
 943 restarter_state_to_string(restarter_instance_state_t state, char *string,
 944     size_t len)
 945 {
 946         assert(string != NULL);
 947 
 948         if (state == RESTARTER_STATE_NONE)
 949                 return ((ssize_t)strlcpy(string, SCF_STATE_STRING_NONE, len));
 950         else if (state == RESTARTER_STATE_UNINIT)
 951                 return ((ssize_t)strlcpy(string, SCF_STATE_STRING_UNINIT, len));
 952         else if (state == RESTARTER_STATE_MAINT)
 953                 return ((ssize_t)strlcpy(string, SCF_STATE_STRING_MAINT, len));
 954         else if (state == RESTARTER_STATE_OFFLINE)
 955                 return ((ssize_t)strlcpy(string, SCF_STATE_STRING_OFFLINE,
 956                     len));
 957         else if (state == RESTARTER_STATE_DISABLED)
 958                 return ((ssize_t)strlcpy(string, SCF_STATE_STRING_DISABLED,
 959                     len));
 960         else if (state == RESTARTER_STATE_ONLINE)
 961                 return ((ssize_t)strlcpy(string, SCF_STATE_STRING_ONLINE, len));
 962         else if (state == RESTARTER_STATE_DEGRADED)
 963                 return ((ssize_t)strlcpy(string, SCF_STATE_STRING_DEGRADED,
 964                     len));
 965         else
 966                 return ((ssize_t)strlcpy(string, "unknown", len));
 967 }
 968 
 969 /*
 970  * Sets pg to the name property group of s_inst.  If it doesn't exist, it is
 971  * added.
 972  *
 973  * Fails with
 974  *   ECONNABORTED - repository disconnection or unknown libscf error
 975  *   EBADF - inst is not set
 976  *   ECANCELED - inst is deleted
 977  *   EPERM - permission is denied
 978  *   EACCES - backend denied access
 979  *   EROFS - backend readonly
 980  */
 981 static int
 982 instance_get_or_add_pg(scf_instance_t *inst, const char *name,
 983     const char *type, uint32_t flags, scf_propertygroup_t *pg)
 984 {
 985 again:
 986         if (scf_instance_get_pg(inst, name, pg) == 0)
 987                 return (0);
 988 
 989         switch (scf_error()) {
 990         case SCF_ERROR_CONNECTION_BROKEN:
 991         default:
 992                 return (ECONNABORTED);
 993 
 994         case SCF_ERROR_NOT_SET:
 995                 return (EBADF);
 996 
 997         case SCF_ERROR_DELETED:
 998                 return (ECANCELED);
 999 
1000         case SCF_ERROR_NOT_FOUND:
1001                 break;
1002 
1003         case SCF_ERROR_HANDLE_MISMATCH:
1004         case SCF_ERROR_INVALID_ARGUMENT:
1005                 bad_fail("scf_instance_get_pg", scf_error());
1006         }
1007 
1008         if (scf_instance_add_pg(inst, name, type, flags, pg) == 0)
1009                 return (0);
1010 
1011         switch (scf_error()) {
1012         case SCF_ERROR_CONNECTION_BROKEN:
1013         default:
1014                 return (ECONNABORTED);
1015 
1016         case SCF_ERROR_DELETED:
1017                 return (ECANCELED);
1018 
1019         case SCF_ERROR_EXISTS:
1020                 goto again;
1021 
1022         case SCF_ERROR_PERMISSION_DENIED:
1023                 return (EPERM);
1024 
1025         case SCF_ERROR_BACKEND_ACCESS:
1026                 return (EACCES);
1027 
1028         case SCF_ERROR_BACKEND_READONLY:
1029                 return (EROFS);
1030 
1031         case SCF_ERROR_HANDLE_MISMATCH:
1032         case SCF_ERROR_INVALID_ARGUMENT:
1033         case SCF_ERROR_NOT_SET:                 /* should be caught above */
1034                 bad_fail("scf_instance_add_pg", scf_error());
1035         }
1036 
1037         return (0);
1038 }
1039 
1040 /*
1041  * Fails with
1042  *   ECONNABORTED
1043  *   ECANCELED - pg was deleted
1044  */
1045 static int
1046 tx_set_value(scf_transaction_t *tx, scf_transaction_entry_t *ent,
1047     const char *pname, scf_type_t ty, scf_value_t *val)
1048 {
1049         int r;
1050 
1051         for (;;) {
1052                 if (scf_transaction_property_change_type(tx, ent, pname,
1053                     ty) == 0)
1054                         break;
1055 
1056                 switch (scf_error()) {
1057                 case SCF_ERROR_CONNECTION_BROKEN:
1058                 default:
1059                         return (ECONNABORTED);
1060 
1061                 case SCF_ERROR_DELETED:
1062                         return (ECANCELED);
1063 
1064                 case SCF_ERROR_NOT_FOUND:
1065                         break;
1066 
1067                 case SCF_ERROR_HANDLE_MISMATCH:
1068                 case SCF_ERROR_INVALID_ARGUMENT:
1069                 case SCF_ERROR_IN_USE:
1070                 case SCF_ERROR_NOT_SET:
1071                         bad_fail("scf_transaction_property_change_type",
1072                             scf_error());
1073                 }
1074 
1075                 if (scf_transaction_property_new(tx, ent, pname, ty) == 0)
1076                         break;
1077 
1078                 switch (scf_error()) {
1079                 case SCF_ERROR_CONNECTION_BROKEN:
1080                 default:
1081                         return (ECONNABORTED);
1082 
1083                 case SCF_ERROR_DELETED:
1084                         return (ECANCELED);
1085 
1086                 case SCF_ERROR_EXISTS:
1087                         break;
1088 
1089                 case SCF_ERROR_HANDLE_MISMATCH:
1090                 case SCF_ERROR_INVALID_ARGUMENT:
1091                 case SCF_ERROR_IN_USE:
1092                 case SCF_ERROR_NOT_SET:
1093                         bad_fail("scf_transaction_property_new", scf_error());
1094                 }
1095         }
1096 
1097         r = scf_entry_add_value(ent, val);
1098         assert(r == 0);
1099 
1100         return (0);
1101 }
1102 
1103 /*
1104  * Commit new_state, new_next_state, and aux to the repository for id.  If
1105  * successful, also set id's state and next-state as given, and return 0.
1106  * Fails with
1107  *   ENOMEM - out of memory
1108  *   ECONNABORTED - repository connection broken
1109  *                - unknown libscf error
1110  *   EINVAL - id->i_fmri is invalid or not an instance FMRI
1111  *   ENOENT - id->i_fmri does not exist
1112  *   EPERM - insufficient permissions
1113  *   EACCES - backend access denied
1114  *   EROFS - backend is readonly
1115  */
1116 int
1117 _restarter_commit_states(scf_handle_t *h, instance_data_t *id,
1118     restarter_instance_state_t new_state,
1119     restarter_instance_state_t new_state_next, const char *aux)
1120 {
1121         char str_state[MAX_SCF_STATE_STRING_SZ];
1122         char str_new_state[MAX_SCF_STATE_STRING_SZ];
1123         char str_state_next[MAX_SCF_STATE_STRING_SZ];
1124         char str_new_state_next[MAX_SCF_STATE_STRING_SZ];
1125         int ret = 0, r;
1126         struct timeval now;
1127         ssize_t sz;
1128 
1129         scf_transaction_t *t = NULL;
1130         scf_transaction_entry_t *t_state = NULL, *t_state_next = NULL;
1131         scf_transaction_entry_t *t_stime = NULL, *t_aux = NULL;
1132         scf_value_t *v_state = NULL, *v_state_next = NULL, *v_stime = NULL;
1133         scf_value_t *v_aux = NULL;
1134         scf_instance_t *s_inst = NULL;
1135         scf_propertygroup_t *pg = NULL;
1136 
1137         assert(new_state != RESTARTER_STATE_NONE);
1138 
1139         if ((s_inst = scf_instance_create(h)) == NULL ||
1140             (pg = scf_pg_create(h)) == NULL ||
1141             (t = scf_transaction_create(h)) == NULL ||
1142             (t_state = scf_entry_create(h)) == NULL ||
1143             (t_state_next = scf_entry_create(h)) == NULL ||
1144             (t_stime = scf_entry_create(h)) == NULL ||
1145             (t_aux = scf_entry_create(h)) == NULL ||
1146             (v_state = scf_value_create(h)) == NULL ||
1147             (v_state_next = scf_value_create(h)) == NULL ||
1148             (v_stime = scf_value_create(h)) == NULL ||
1149             (v_aux = scf_value_create(h)) == NULL) {
1150                 ret = ENOMEM;
1151                 goto out;
1152         }
1153 
1154         sz = restarter_state_to_string(new_state, str_new_state,
1155             sizeof (str_new_state));
1156         assert(sz < sizeof (str_new_state));
1157         sz = restarter_state_to_string(new_state_next, str_new_state_next,
1158             sizeof (str_new_state_next));
1159         assert(sz < sizeof (str_new_state_next));
1160         sz = restarter_state_to_string(id->i_state, str_state,
1161             sizeof (str_state));
1162         assert(sz < sizeof (str_state));
1163         sz = restarter_state_to_string(id->i_next_state, str_state_next,
1164             sizeof (str_state_next));
1165         assert(sz < sizeof (str_state_next));
1166 
1167         ret = gettimeofday(&now, NULL);
1168         assert(ret != -1);
1169 
1170         if (scf_handle_decode_fmri(h, id->i_fmri, NULL, NULL, s_inst,
1171             NULL, NULL, SCF_DECODE_FMRI_EXACT) == -1) {
1172                 switch (scf_error()) {
1173                 case SCF_ERROR_CONNECTION_BROKEN:
1174                 default:
1175                         ret = ECONNABORTED;
1176                         break;
1177 
1178                 case SCF_ERROR_INVALID_ARGUMENT:
1179                 case SCF_ERROR_CONSTRAINT_VIOLATED:
1180                         ret = EINVAL;
1181                         break;
1182 
1183                 case SCF_ERROR_NOT_FOUND:
1184                         ret = ENOENT;
1185                         break;
1186 
1187                 case SCF_ERROR_HANDLE_MISMATCH:
1188                         bad_fail("scf_handle_decode_fmri", scf_error());
1189                 }
1190                 goto out;
1191         }
1192 
1193 
1194         if (scf_value_set_astring(v_state, str_new_state) != 0 ||
1195             scf_value_set_astring(v_state_next, str_new_state_next) != 0)
1196                 bad_fail("scf_value_set_astring", scf_error());
1197 
1198         if (aux) {
1199                 if (scf_value_set_astring(v_aux, aux) != 0)
1200                         bad_fail("scf_value_set_astring", scf_error());
1201         }
1202 
1203         if (scf_value_set_time(v_stime, now.tv_sec, now.tv_usec * 1000) != 0)
1204                 bad_fail("scf_value_set_time", scf_error());
1205 
1206 add_pg:
1207         switch (r = instance_get_or_add_pg(s_inst, SCF_PG_RESTARTER,
1208             SCF_PG_RESTARTER_TYPE, SCF_PG_RESTARTER_FLAGS, pg)) {
1209         case 0:
1210                 break;
1211 
1212         case ECONNABORTED:
1213         case EPERM:
1214         case EACCES:
1215         case EROFS:
1216                 ret = r;
1217                 goto out;
1218 
1219         case ECANCELED:
1220                 ret = ENOENT;
1221                 goto out;
1222 
1223         case EBADF:
1224         default:
1225                 bad_fail("instance_get_or_add_pg", r);
1226         }
1227 
1228         for (;;) {
1229                 if (scf_transaction_start(t, pg) != 0) {
1230                         switch (scf_error()) {
1231                         case SCF_ERROR_CONNECTION_BROKEN:
1232                         default:
1233                                 ret = ECONNABORTED;
1234                                 goto out;
1235 
1236                         case SCF_ERROR_NOT_SET:
1237                                 goto add_pg;
1238 
1239                         case SCF_ERROR_PERMISSION_DENIED:
1240                                 ret = EPERM;
1241                                 goto out;
1242 
1243                         case SCF_ERROR_BACKEND_ACCESS:
1244                                 ret = EACCES;
1245                                 goto out;
1246 
1247                         case SCF_ERROR_BACKEND_READONLY:
1248                                 ret = EROFS;
1249                                 goto out;
1250 
1251                         case SCF_ERROR_HANDLE_MISMATCH:
1252                         case SCF_ERROR_IN_USE:
1253                                 bad_fail("scf_transaction_start", scf_error());
1254                         }
1255                 }
1256 
1257                 if ((r = tx_set_value(t, t_state, SCF_PROPERTY_STATE,
1258                     SCF_TYPE_ASTRING, v_state)) != 0 ||
1259                     (r = tx_set_value(t, t_state_next, SCF_PROPERTY_NEXT_STATE,
1260                     SCF_TYPE_ASTRING, v_state_next)) != 0 ||
1261                     (r = tx_set_value(t, t_stime, SCF_PROPERTY_STATE_TIMESTAMP,
1262                     SCF_TYPE_TIME, v_stime)) != 0) {
1263                         switch (r) {
1264                         case ECONNABORTED:
1265                                 ret = ECONNABORTED;
1266                                 goto out;
1267 
1268                         case ECANCELED:
1269                                 scf_transaction_reset(t);
1270                                 goto add_pg;
1271 
1272                         default:
1273                                 bad_fail("tx_set_value", r);
1274                         }
1275                 }
1276 
1277                 if (aux) {
1278                         if ((r = tx_set_value(t, t_aux, SCF_PROPERTY_AUX_STATE,
1279                             SCF_TYPE_ASTRING, v_aux)) != 0) {
1280                                 switch (r) {
1281                                 case ECONNABORTED:
1282                                         ret = ECONNABORTED;
1283                                         goto out;
1284 
1285                                 case ECANCELED:
1286                                         scf_transaction_reset(t);
1287                                         goto add_pg;
1288 
1289                                 default:
1290                                         bad_fail("tx_set_value", r);
1291                                 }
1292                         }
1293                 }
1294 
1295                 ret = scf_transaction_commit(t);
1296                 if (ret == 1)
1297                         break;
1298                 if (ret == -1) {
1299                         switch (scf_error()) {
1300                         case SCF_ERROR_CONNECTION_BROKEN:
1301                         default:
1302                                 ret = ECONNABORTED;
1303                                 goto out;
1304 
1305                         case SCF_ERROR_PERMISSION_DENIED:
1306                                 ret = EPERM;
1307                                 goto out;
1308 
1309                         case SCF_ERROR_BACKEND_ACCESS:
1310                                 ret = EACCES;
1311                                 goto out;
1312 
1313                         case SCF_ERROR_BACKEND_READONLY:
1314                                 ret = EROFS;
1315                                 goto out;
1316 
1317                         case SCF_ERROR_NOT_SET:
1318                                 bad_fail("scf_transaction_commit", scf_error());
1319                         }
1320                 }
1321 
1322                 scf_transaction_reset(t);
1323                 if (scf_pg_update(pg) == -1) {
1324                         switch (scf_error()) {
1325                         case SCF_ERROR_CONNECTION_BROKEN:
1326                         default:
1327                                 ret = ECONNABORTED;
1328                                 goto out;
1329 
1330                         case SCF_ERROR_NOT_SET:
1331                                 goto add_pg;
1332                         }
1333                 }
1334         }
1335 
1336         id->i_state = new_state;
1337         id->i_next_state = new_state_next;
1338         ret = 0;
1339 
1340 out:
1341         scf_transaction_destroy(t);
1342         scf_entry_destroy(t_state);
1343         scf_entry_destroy(t_state_next);
1344         scf_entry_destroy(t_stime);
1345         scf_entry_destroy(t_aux);
1346         scf_value_destroy(v_state);
1347         scf_value_destroy(v_state_next);
1348         scf_value_destroy(v_stime);
1349         scf_value_destroy(v_aux);
1350         scf_pg_destroy(pg);
1351         scf_instance_destroy(s_inst);
1352 
1353         return (ret);
1354 }
1355 
1356 /*
1357  * Fails with
1358  *   EINVAL - type is invalid
1359  *   ENOMEM
1360  *   ECONNABORTED - repository connection broken
1361  *   EBADF - s_inst is not set
1362  *   ECANCELED - s_inst is deleted
1363  *   EPERM - permission denied
1364  *   EACCES - backend access denied
1365  *   EROFS - backend readonly
1366  */
1367 int
1368 restarter_remove_contract(scf_instance_t *s_inst, ctid_t contract_id,
1369     restarter_contract_type_t type)
1370 {
1371         scf_handle_t *h;
1372         scf_transaction_t *t = NULL;
1373         scf_transaction_entry_t *t_cid = NULL;
1374         scf_propertygroup_t *pg = NULL;
1375         scf_property_t *prop = NULL;
1376         scf_value_t *val;
1377         scf_iter_t *iter = NULL;
1378         const char *pname;
1379         int ret = 0, primary;
1380         uint64_t c;
1381 
1382         switch (type) {
1383         case RESTARTER_CONTRACT_PRIMARY:
1384                 primary = 1;
1385                 break;
1386         case RESTARTER_CONTRACT_TRANSIENT:
1387                 primary = 0;
1388                 break;
1389         default:
1390                 return (EINVAL);
1391         }
1392 
1393         h = scf_instance_handle(s_inst);
1394 
1395         pg = scf_pg_create(h);
1396         prop = scf_property_create(h);
1397         iter = scf_iter_create(h);
1398         t = scf_transaction_create(h);
1399 
1400         if (pg == NULL || prop == NULL || iter == NULL || t == NULL) {
1401                 ret = ENOMEM;
1402                 goto remove_contract_cleanup;
1403         }
1404 
1405 add:
1406         scf_transaction_destroy_children(t);
1407         ret = instance_get_or_add_pg(s_inst, SCF_PG_RESTARTER,
1408             SCF_PG_RESTARTER_TYPE, SCF_PG_RESTARTER_FLAGS, pg);
1409         if (ret != 0)
1410                 goto remove_contract_cleanup;
1411 
1412         pname = primary? SCF_PROPERTY_CONTRACT :
1413             SCF_PROPERTY_TRANSIENT_CONTRACT;
1414 
1415         for (;;) {
1416                 if (scf_transaction_start(t, pg) != 0) {
1417                         switch (scf_error()) {
1418                         case SCF_ERROR_CONNECTION_BROKEN:
1419                         default:
1420                                 ret = ECONNABORTED;
1421                                 goto remove_contract_cleanup;
1422 
1423                         case SCF_ERROR_DELETED:
1424                                 goto add;
1425 
1426                         case SCF_ERROR_PERMISSION_DENIED:
1427                                 ret = EPERM;
1428                                 goto remove_contract_cleanup;
1429 
1430                         case SCF_ERROR_BACKEND_ACCESS:
1431                                 ret = EACCES;
1432                                 goto remove_contract_cleanup;
1433 
1434                         case SCF_ERROR_BACKEND_READONLY:
1435                                 ret = EROFS;
1436                                 goto remove_contract_cleanup;
1437 
1438                         case SCF_ERROR_HANDLE_MISMATCH:
1439                         case SCF_ERROR_IN_USE:
1440                         case SCF_ERROR_NOT_SET:
1441                                 bad_fail("scf_transaction_start", scf_error());
1442                         }
1443                 }
1444 
1445                 t_cid = scf_entry_create(h);
1446 
1447                 if (scf_pg_get_property(pg, pname, prop) == 0) {
1448 replace:
1449                         if (scf_transaction_property_change_type(t, t_cid,
1450                             pname, SCF_TYPE_COUNT) != 0) {
1451                                 switch (scf_error()) {
1452                                 case SCF_ERROR_CONNECTION_BROKEN:
1453                                 default:
1454                                         ret = ECONNABORTED;
1455                                         goto remove_contract_cleanup;
1456 
1457                                 case SCF_ERROR_DELETED:
1458                                         scf_entry_destroy(t_cid);
1459                                         goto add;
1460 
1461                                 case SCF_ERROR_NOT_FOUND:
1462                                         goto new;
1463 
1464                                 case SCF_ERROR_HANDLE_MISMATCH:
1465                                 case SCF_ERROR_INVALID_ARGUMENT:
1466                                 case SCF_ERROR_IN_USE:
1467                                 case SCF_ERROR_NOT_SET:
1468                                         bad_fail(
1469                                         "scf_transaction_property_changetype",
1470                                             scf_error());
1471                                 }
1472                         }
1473 
1474                         if (scf_property_is_type(prop, SCF_TYPE_COUNT) == 0) {
1475                                 if (scf_iter_property_values(iter, prop) != 0) {
1476                                         switch (scf_error()) {
1477                                         case SCF_ERROR_CONNECTION_BROKEN:
1478                                         default:
1479                                                 ret = ECONNABORTED;
1480                                                 goto remove_contract_cleanup;
1481 
1482                                         case SCF_ERROR_NOT_SET:
1483                                         case SCF_ERROR_HANDLE_MISMATCH:
1484                                                 bad_fail(
1485                                                     "scf_iter_property_values",
1486                                                     scf_error());
1487                                         }
1488                                 }
1489 
1490 next_val:
1491                                 val = scf_value_create(h);
1492                                 if (val == NULL) {
1493                                         assert(scf_error() ==
1494                                             SCF_ERROR_NO_MEMORY);
1495                                         ret = ENOMEM;
1496                                         goto remove_contract_cleanup;
1497                                 }
1498 
1499                                 ret = scf_iter_next_value(iter, val);
1500                                 if (ret == -1) {
1501                                         switch (scf_error()) {
1502                                         case SCF_ERROR_CONNECTION_BROKEN:
1503                                                 ret = ECONNABORTED;
1504                                                 goto remove_contract_cleanup;
1505 
1506                                         case SCF_ERROR_DELETED:
1507                                                 scf_value_destroy(val);
1508                                                 goto add;
1509 
1510                                         case SCF_ERROR_HANDLE_MISMATCH:
1511                                         case SCF_ERROR_INVALID_ARGUMENT:
1512                                         case SCF_ERROR_PERMISSION_DENIED:
1513                                         default:
1514                                                 bad_fail("scf_iter_next_value",
1515                                                     scf_error());
1516                                         }
1517                                 }
1518 
1519                                 if (ret == 1) {
1520                                         ret = scf_value_get_count(val, &c);
1521                                         assert(ret == 0);
1522 
1523                                         if (c != contract_id) {
1524                                                 ret = scf_entry_add_value(t_cid,
1525                                                     val);
1526                                                 assert(ret == 0);
1527                                         } else {
1528                                                 scf_value_destroy(val);
1529                                         }
1530 
1531                                         goto next_val;
1532                                 }
1533 
1534                                 scf_value_destroy(val);
1535                         } else {
1536                                 switch (scf_error()) {
1537                                 case SCF_ERROR_CONNECTION_BROKEN:
1538                                 default:
1539                                         ret = ECONNABORTED;
1540                                         goto remove_contract_cleanup;
1541 
1542                                 case SCF_ERROR_TYPE_MISMATCH:
1543                                         break;
1544 
1545                                 case SCF_ERROR_INVALID_ARGUMENT:
1546                                 case SCF_ERROR_NOT_SET:
1547                                         bad_fail("scf_property_is_type",
1548                                             scf_error());
1549                                 }
1550                         }
1551                 } else {
1552                         switch (scf_error()) {
1553                         case SCF_ERROR_CONNECTION_BROKEN:
1554                         default:
1555                                 ret = ECONNABORTED;
1556                                 goto remove_contract_cleanup;
1557 
1558                         case SCF_ERROR_DELETED:
1559                                 scf_entry_destroy(t_cid);
1560                                 goto add;
1561 
1562                         case SCF_ERROR_NOT_FOUND:
1563                                 break;
1564 
1565                         case SCF_ERROR_HANDLE_MISMATCH:
1566                         case SCF_ERROR_INVALID_ARGUMENT:
1567                         case SCF_ERROR_NOT_SET:
1568                                 bad_fail("scf_pg_get_property", scf_error());
1569                         }
1570 
1571 new:
1572                         if (scf_transaction_property_new(t, t_cid, pname,
1573                             SCF_TYPE_COUNT) != 0) {
1574                                 switch (scf_error()) {
1575                                 case SCF_ERROR_CONNECTION_BROKEN:
1576                                 default:
1577                                         ret = ECONNABORTED;
1578                                         goto remove_contract_cleanup;
1579 
1580                                 case SCF_ERROR_DELETED:
1581                                         scf_entry_destroy(t_cid);
1582                                         goto add;
1583 
1584                                 case SCF_ERROR_EXISTS:
1585                                         goto replace;
1586 
1587                                 case SCF_ERROR_HANDLE_MISMATCH:
1588                                 case SCF_ERROR_INVALID_ARGUMENT:
1589                                 case SCF_ERROR_NOT_SET:
1590                                         bad_fail("scf_transaction_property_new",
1591                                             scf_error());
1592                                 }
1593                         }
1594                 }
1595 
1596                 ret = scf_transaction_commit(t);
1597                 if (ret == -1) {
1598                         switch (scf_error()) {
1599                         case SCF_ERROR_CONNECTION_BROKEN:
1600                         default:
1601                                 ret = ECONNABORTED;
1602                                 goto remove_contract_cleanup;
1603 
1604                         case SCF_ERROR_DELETED:
1605                                 goto add;
1606 
1607                         case SCF_ERROR_PERMISSION_DENIED:
1608                                 ret = EPERM;
1609                                 goto remove_contract_cleanup;
1610 
1611                         case SCF_ERROR_BACKEND_ACCESS:
1612                                 ret = EACCES;
1613                                 goto remove_contract_cleanup;
1614 
1615                         case SCF_ERROR_BACKEND_READONLY:
1616                                 ret = EROFS;
1617                                 goto remove_contract_cleanup;
1618 
1619                         case SCF_ERROR_NOT_SET:
1620                                 bad_fail("scf_transaction_commit", scf_error());
1621                         }
1622                 }
1623                 if (ret == 1) {
1624                         ret = 0;
1625                         break;
1626                 }
1627 
1628                 scf_transaction_destroy_children(t);
1629                 if (scf_pg_update(pg) == -1) {
1630                         switch (scf_error()) {
1631                         case SCF_ERROR_CONNECTION_BROKEN:
1632                         default:
1633                                 ret = ECONNABORTED;
1634                                 goto remove_contract_cleanup;
1635 
1636                         case SCF_ERROR_DELETED:
1637                                 goto add;
1638 
1639                         case SCF_ERROR_NOT_SET:
1640                                 bad_fail("scf_pg_update", scf_error());
1641                         }
1642                 }
1643         }
1644 
1645 remove_contract_cleanup:
1646         scf_transaction_destroy_children(t);
1647         scf_transaction_destroy(t);
1648         scf_iter_destroy(iter);
1649         scf_property_destroy(prop);
1650         scf_pg_destroy(pg);
1651 
1652         return (ret);
1653 }
1654 
1655 /*
1656  * Fails with
1657  *   EINVAL - type is invalid
1658  *   ENOMEM
1659  *   ECONNABORTED - repository disconnection
1660  *   EBADF - s_inst is not set
1661  *   ECANCELED - s_inst is deleted
1662  *   EPERM
1663  *   EACCES
1664  *   EROFS
1665  */
1666 int
1667 restarter_store_contract(scf_instance_t *s_inst, ctid_t contract_id,
1668     restarter_contract_type_t type)
1669 {
1670         scf_handle_t *h;
1671         scf_transaction_t *t = NULL;
1672         scf_transaction_entry_t *t_cid = NULL;
1673         scf_value_t *val;
1674         scf_propertygroup_t *pg = NULL;
1675         scf_property_t *prop = NULL;
1676         scf_iter_t *iter = NULL;
1677         const char *pname;
1678         int ret = 0, primary;
1679 
1680         if (type == RESTARTER_CONTRACT_PRIMARY)
1681                 primary = 1;
1682         else if (type == RESTARTER_CONTRACT_TRANSIENT)
1683                 primary = 0;
1684         else
1685                 return (EINVAL);
1686 
1687         h = scf_instance_handle(s_inst);
1688 
1689         pg = scf_pg_create(h);
1690         prop = scf_property_create(h);
1691         iter = scf_iter_create(h);
1692         t = scf_transaction_create(h);
1693 
1694         if (pg == NULL || prop == NULL || iter == NULL || t == NULL) {
1695                 ret = ENOMEM;
1696                 goto out;
1697         }
1698 
1699 add:
1700         scf_transaction_destroy_children(t);
1701         ret = instance_get_or_add_pg(s_inst, SCF_PG_RESTARTER,
1702             SCF_PG_RESTARTER_TYPE, SCF_PG_RESTARTER_FLAGS, pg);
1703         if (ret != 0)
1704                 goto out;
1705 
1706         pname = primary ? SCF_PROPERTY_CONTRACT :
1707             SCF_PROPERTY_TRANSIENT_CONTRACT;
1708 
1709         for (;;) {
1710                 if (scf_transaction_start(t, pg) != 0) {
1711                         switch (scf_error()) {
1712                         case SCF_ERROR_CONNECTION_BROKEN:
1713                         default:
1714                                 ret = ECONNABORTED;
1715                                 goto out;
1716 
1717                         case SCF_ERROR_DELETED:
1718                                 goto add;
1719 
1720                         case SCF_ERROR_PERMISSION_DENIED:
1721                                 ret = EPERM;
1722                                 goto out;
1723 
1724                         case SCF_ERROR_BACKEND_ACCESS:
1725                                 ret = EACCES;
1726                                 goto out;
1727 
1728                         case SCF_ERROR_BACKEND_READONLY:
1729                                 ret = EROFS;
1730                                 goto out;
1731 
1732                         case SCF_ERROR_HANDLE_MISMATCH:
1733                         case SCF_ERROR_IN_USE:
1734                         case SCF_ERROR_NOT_SET:
1735                                 bad_fail("scf_transaction_start", scf_error());
1736                         }
1737                 }
1738 
1739                 t_cid = scf_entry_create(h);
1740                 if (t_cid == NULL) {
1741                         ret = ENOMEM;
1742                         goto out;
1743                 }
1744 
1745                 if (scf_pg_get_property(pg, pname, prop) == 0) {
1746 replace:
1747                         if (scf_transaction_property_change_type(t, t_cid,
1748                             pname, SCF_TYPE_COUNT) != 0) {
1749                                 switch (scf_error()) {
1750                                 case SCF_ERROR_CONNECTION_BROKEN:
1751                                 default:
1752                                         ret = ECONNABORTED;
1753                                         goto out;
1754 
1755                                 case SCF_ERROR_DELETED:
1756                                         scf_entry_destroy(t_cid);
1757                                         goto add;
1758 
1759                                 case SCF_ERROR_NOT_FOUND:
1760                                         goto new;
1761 
1762                                 case SCF_ERROR_HANDLE_MISMATCH:
1763                                 case SCF_ERROR_INVALID_ARGUMENT:
1764                                 case SCF_ERROR_IN_USE:
1765                                 case SCF_ERROR_NOT_SET:
1766                                         bad_fail(
1767                                         "scf_transaction_propert_change_type",
1768                                             scf_error());
1769                                 }
1770                         }
1771 
1772                         if (scf_property_is_type(prop, SCF_TYPE_COUNT) == 0) {
1773                                 if (scf_iter_property_values(iter, prop) != 0) {
1774                                         switch (scf_error()) {
1775                                         case SCF_ERROR_CONNECTION_BROKEN:
1776                                         default:
1777                                                 ret = ECONNABORTED;
1778                                                 goto out;
1779 
1780                                         case SCF_ERROR_NOT_SET:
1781                                         case SCF_ERROR_HANDLE_MISMATCH:
1782                                                 bad_fail(
1783                                                     "scf_iter_property_values",
1784                                                     scf_error());
1785                                         }
1786                                 }
1787 
1788 next_val:
1789                                 val = scf_value_create(h);
1790                                 if (val == NULL) {
1791                                         assert(scf_error() ==
1792                                             SCF_ERROR_NO_MEMORY);
1793                                         ret = ENOMEM;
1794                                         goto out;
1795                                 }
1796 
1797                                 ret = scf_iter_next_value(iter, val);
1798                                 if (ret == -1) {
1799                                         switch (scf_error()) {
1800                                         case SCF_ERROR_CONNECTION_BROKEN:
1801                                         default:
1802                                                 ret = ECONNABORTED;
1803                                                 goto out;
1804 
1805                                         case SCF_ERROR_DELETED:
1806                                                 scf_value_destroy(val);
1807                                                 goto add;
1808 
1809                                         case SCF_ERROR_HANDLE_MISMATCH:
1810                                         case SCF_ERROR_INVALID_ARGUMENT:
1811                                         case SCF_ERROR_PERMISSION_DENIED:
1812                                                 bad_fail(
1813                                                     "scf_iter_next_value",
1814                                                     scf_error());
1815                                         }
1816                                 }
1817 
1818                                 if (ret == 1) {
1819                                         ret = scf_entry_add_value(t_cid, val);
1820                                         assert(ret == 0);
1821 
1822                                         goto next_val;
1823                                 }
1824 
1825                                 scf_value_destroy(val);
1826                         } else {
1827                                 switch (scf_error()) {
1828                                 case SCF_ERROR_CONNECTION_BROKEN:
1829                                 default:
1830                                         ret = ECONNABORTED;
1831                                         goto out;
1832 
1833                                 case SCF_ERROR_TYPE_MISMATCH:
1834                                         break;
1835 
1836                                 case SCF_ERROR_INVALID_ARGUMENT:
1837                                 case SCF_ERROR_NOT_SET:
1838                                         bad_fail("scf_property_is_type",
1839                                             scf_error());
1840                                 }
1841                         }
1842                 } else {
1843                         switch (scf_error()) {
1844                         case SCF_ERROR_CONNECTION_BROKEN:
1845                         default:
1846                                 ret = ECONNABORTED;
1847                                 goto out;
1848 
1849                         case SCF_ERROR_DELETED:
1850                                 scf_entry_destroy(t_cid);
1851                                 goto add;
1852 
1853                         case SCF_ERROR_NOT_FOUND:
1854                                 break;
1855 
1856                         case SCF_ERROR_HANDLE_MISMATCH:
1857                         case SCF_ERROR_INVALID_ARGUMENT:
1858                         case SCF_ERROR_NOT_SET:
1859                                 bad_fail("scf_pg_get_property", scf_error());
1860                         }
1861 
1862 new:
1863                         if (scf_transaction_property_new(t, t_cid, pname,
1864                             SCF_TYPE_COUNT) != 0) {
1865                                 switch (scf_error()) {
1866                                 case SCF_ERROR_CONNECTION_BROKEN:
1867                                 default:
1868                                         ret = ECONNABORTED;
1869                                         goto out;
1870 
1871                                 case SCF_ERROR_DELETED:
1872                                         scf_entry_destroy(t_cid);
1873                                         goto add;
1874 
1875                                 case SCF_ERROR_EXISTS:
1876                                         goto replace;
1877 
1878                                 case SCF_ERROR_HANDLE_MISMATCH:
1879                                 case SCF_ERROR_INVALID_ARGUMENT:
1880                                 case SCF_ERROR_NOT_SET:
1881                                         bad_fail("scf_transaction_property_new",
1882                                             scf_error());
1883                                 }
1884                         }
1885                 }
1886 
1887                 val = scf_value_create(h);
1888                 if (val == NULL) {
1889                         assert(scf_error() == SCF_ERROR_NO_MEMORY);
1890                         ret = ENOMEM;
1891                         goto out;
1892                 }
1893 
1894                 scf_value_set_count(val, contract_id);
1895                 ret = scf_entry_add_value(t_cid, val);
1896                 assert(ret == 0);
1897 
1898                 ret = scf_transaction_commit(t);
1899                 if (ret == -1) {
1900                         switch (scf_error()) {
1901                         case SCF_ERROR_CONNECTION_BROKEN:
1902                         default:
1903                                 ret = ECONNABORTED;
1904                                 goto out;
1905 
1906                         case SCF_ERROR_DELETED:
1907                                 goto add;
1908 
1909                         case SCF_ERROR_PERMISSION_DENIED:
1910                                 ret = EPERM;
1911                                 goto out;
1912 
1913                         case SCF_ERROR_BACKEND_ACCESS:
1914                                 ret = EACCES;
1915                                 goto out;
1916 
1917                         case SCF_ERROR_BACKEND_READONLY:
1918                                 ret = EROFS;
1919                                 goto out;
1920 
1921                         case SCF_ERROR_NOT_SET:
1922                                 bad_fail("scf_transaction_commit", scf_error());
1923                         }
1924                 }
1925                 if (ret == 1) {
1926                         ret = 0;
1927                         break;
1928                 }
1929 
1930                 scf_transaction_destroy_children(t);
1931                 if (scf_pg_update(pg) == -1) {
1932                         switch (scf_error()) {
1933                         case SCF_ERROR_CONNECTION_BROKEN:
1934                         default:
1935                                 ret = ECONNABORTED;
1936                                 goto out;
1937 
1938                         case SCF_ERROR_DELETED:
1939                                 goto add;
1940 
1941                         case SCF_ERROR_NOT_SET:
1942                                 bad_fail("scf_pg_update", scf_error());
1943                         }
1944                 }
1945         }
1946 
1947 out:
1948         scf_transaction_destroy_children(t);
1949         scf_transaction_destroy(t);
1950         scf_iter_destroy(iter);
1951         scf_property_destroy(prop);
1952         scf_pg_destroy(pg);
1953 
1954         return (ret);
1955 }
1956 
1957 int
1958 restarter_rm_libs_loadable()
1959 {
1960         void *libhndl;
1961 
1962         if (method_context_safety)
1963                 return (1);
1964 
1965         if ((libhndl = dlopen("libpool.so", RTLD_LAZY | RTLD_LOCAL)) == NULL)
1966                 return (0);
1967 
1968         (void) dlclose(libhndl);
1969 
1970         if ((libhndl = dlopen("libproject.so", RTLD_LAZY | RTLD_LOCAL)) == NULL)
1971                 return (0);
1972 
1973         (void) dlclose(libhndl);
1974 
1975         method_context_safety = 1;
1976 
1977         return (1);
1978 }
1979 
1980 static int
1981 get_astring_val(scf_propertygroup_t *pg, const char *name, char *buf,
1982     size_t bufsz, scf_property_t *prop, scf_value_t *val)
1983 {
1984         ssize_t szret;
1985 
1986         if (pg == NULL)
1987                 return (-1);
1988 
1989         if (scf_pg_get_property(pg, name, prop) != SCF_SUCCESS) {
1990                 if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
1991                         uu_die(rcbroken);
1992                 return (-1);
1993         }
1994 
1995         if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
1996                 if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
1997                         uu_die(rcbroken);
1998                 return (-1);
1999         }
2000 
2001         szret = scf_value_get_astring(val, buf, bufsz);
2002 
2003         return (szret >= 0 ? 0 : -1);
2004 }
2005 
2006 static int
2007 get_boolean_val(scf_propertygroup_t *pg, const char *name, uint8_t *b,
2008     scf_property_t *prop, scf_value_t *val)
2009 {
2010         if (scf_pg_get_property(pg, name, prop) != SCF_SUCCESS) {
2011                 if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
2012                         uu_die(rcbroken);
2013                 return (-1);
2014         }
2015 
2016         if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
2017                 if (scf_error() == SCF_ERROR_CONNECTION_BROKEN)
2018                         uu_die(rcbroken);
2019                 return (-1);
2020         }
2021 
2022         if (scf_value_get_boolean(val, b))
2023                 return (-1);
2024 
2025         return (0);
2026 }
2027 
2028 /*
2029  * Try to load mcp->pwd, if it isn't already.
2030  * Fails with
2031  *   ENOMEM - malloc() failed
2032  *   ENOENT - no entry found
2033  *   EIO - I/O error
2034  *   EMFILE - process out of file descriptors
2035  *   ENFILE - system out of file handles
2036  */
2037 static int
2038 lookup_pwd(struct method_context *mcp)
2039 {
2040         struct passwd *pwdp;
2041 
2042         if (mcp->pwbuf != NULL && mcp->pwd.pw_uid == mcp->uid)
2043                 return (0);
2044 
2045         if (mcp->pwbuf == NULL) {
2046                 mcp->pwbufsz = sysconf(_SC_GETPW_R_SIZE_MAX);
2047                 assert(mcp->pwbufsz >= 0);
2048                 mcp->pwbuf = malloc(mcp->pwbufsz);
2049                 if (mcp->pwbuf == NULL)
2050                         return (ENOMEM);
2051         }
2052 
2053         do {
2054                 errno = 0;
2055                 pwdp = getpwuid_r(mcp->uid, &mcp->pwd, mcp->pwbuf,
2056                     mcp->pwbufsz);
2057         } while (pwdp == NULL && errno == EINTR);
2058         if (pwdp != NULL)
2059                 return (0);
2060 
2061         free(mcp->pwbuf);
2062         mcp->pwbuf = NULL;
2063 
2064         switch (errno) {
2065         case 0:
2066         default:
2067                 /*
2068                  * Until bug 5065780 is fixed, getpwuid_r() can fail with
2069                  * ENOENT, particularly on the miniroot.  Since the
2070                  * documentation is inaccurate, we'll return ENOENT for unknown
2071                  * errors.
2072                  */
2073                 return (ENOENT);
2074 
2075         case EIO:
2076         case EMFILE:
2077         case ENFILE:
2078                 return (errno);
2079 
2080         case ERANGE:
2081                 bad_fail("getpwuid_r", errno);
2082                 /* NOTREACHED */
2083         }
2084 }
2085 
2086 /*
2087  * Get the user id for str.  Returns 0 on success or
2088  *   ERANGE     the uid is too big
2089  *   EINVAL     the string starts with a digit, but is not a valid uid
2090  *   ENOMEM     out of memory
2091  *   ENOENT     no passwd entry for str
2092  *   EIO        an I/O error has occurred
2093  *   EMFILE/ENFILE  out of file descriptors
2094  */
2095 int
2096 get_uid(const char *str, struct method_context *ci, uid_t *uidp)
2097 {
2098         if (isdigit(str[0])) {
2099                 uid_t uid;
2100                 char *cp;
2101 
2102                 errno = 0;
2103                 uid = strtol(str, &cp, 10);
2104 
2105                 if (uid == 0 && errno != 0) {
2106                         assert(errno != EINVAL);
2107                         return (errno);
2108                 }
2109 
2110                 for (; *cp != '\0'; ++cp)
2111                         if (*cp != ' ' || *cp != '\t')
2112                                 return (EINVAL);
2113 
2114                 if (uid > UID_MAX)
2115                         return (EINVAL);
2116 
2117                 *uidp = uid;
2118                 return (0);
2119         } else {
2120                 struct passwd *pwdp;
2121 
2122                 if (ci->pwbuf == NULL) {
2123                         ci->pwbufsz = sysconf(_SC_GETPW_R_SIZE_MAX);
2124                         ci->pwbuf = malloc(ci->pwbufsz);
2125                         if (ci->pwbuf == NULL)
2126                                 return (ENOMEM);
2127                 }
2128 
2129                 do {
2130                         errno = 0;
2131                         pwdp =
2132                             getpwnam_r(str, &ci->pwd, ci->pwbuf, ci->pwbufsz);
2133                 } while (pwdp == NULL && errno == EINTR);
2134 
2135                 if (pwdp != NULL) {
2136                         *uidp = ci->pwd.pw_uid;
2137                         return (0);
2138                 } else {
2139                         free(ci->pwbuf);
2140                         ci->pwbuf = NULL;
2141                         switch (errno) {
2142                         case 0:
2143                                 return (ENOENT);
2144 
2145                         case ENOENT:
2146                         case EIO:
2147                         case EMFILE:
2148                         case ENFILE:
2149                                 return (errno);
2150 
2151                         case ERANGE:
2152                         default:
2153                                 bad_fail("getpwnam_r", errno);
2154                                 /* NOTREACHED */
2155                         }
2156                 }
2157         }
2158 }
2159 
2160 gid_t
2161 get_gid(const char *str)
2162 {
2163         if (isdigit(str[0])) {
2164                 gid_t gid;
2165                 char *cp;
2166 
2167                 errno = 0;
2168                 gid = strtol(str, &cp, 10);
2169 
2170                 if (gid == 0 && errno != 0)
2171                         return ((gid_t)-1);
2172 
2173                 for (; *cp != '\0'; ++cp)
2174                         if (*cp != ' ' || *cp != '\t')
2175                                 return ((gid_t)-1);
2176 
2177                 return (gid);
2178         } else {
2179                 struct group grp, *ret;
2180                 char *buffer;
2181                 size_t buflen;
2182 
2183                 buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
2184                 buffer = malloc(buflen);
2185                 if (buffer == NULL)
2186                         uu_die(allocfail);
2187 
2188                 errno = 0;
2189                 ret = getgrnam_r(str, &grp, buffer, buflen);
2190                 free(buffer);
2191 
2192                 return (ret == NULL ? (gid_t)-1 : grp.gr_gid);
2193         }
2194 }
2195 
2196 /*
2197  * Fails with
2198  *   ENOMEM - out of memory
2199  *   ENOENT - no passwd entry
2200  *            no project entry
2201  *   EIO - an I/O error occurred
2202  *   EMFILE - the process is out of file descriptors
2203  *   ENFILE - the system is out of file handles
2204  *   ERANGE - the project id is out of range
2205  *   EINVAL - str is invalid
2206  *   E2BIG - the project entry was too big
2207  *   -1 - the name service switch is misconfigured
2208  */
2209 int
2210 get_projid(const char *str, struct method_context *cip)
2211 {
2212         int ret;
2213         void *buf;
2214         const size_t bufsz = PROJECT_BUFSZ;
2215         struct project proj, *pp;
2216 
2217         if (strcmp(str, ":default") == 0) {
2218                 if (cip->uid == 0) {
2219                         /* Don't change project for root services */
2220                         cip->project = NULL;
2221                         return (0);
2222                 }
2223 
2224                 switch (ret = lookup_pwd(cip)) {
2225                 case 0:
2226                         break;
2227 
2228                 case ENOMEM:
2229                 case ENOENT:
2230                 case EIO:
2231                 case EMFILE:
2232                 case ENFILE:
2233                         return (ret);
2234 
2235                 default:
2236                         bad_fail("lookup_pwd", ret);
2237                 }
2238 
2239                 buf = malloc(bufsz);
2240                 if (buf == NULL)
2241                         return (ENOMEM);
2242 
2243                 do {
2244                         errno = 0;
2245                         pp = getdefaultproj(cip->pwd.pw_name, &proj, buf,
2246                             bufsz);
2247                 } while (pp == NULL && errno == EINTR);
2248 
2249                 /* to be continued ... */
2250         } else {
2251                 projid_t projid;
2252                 char *cp;
2253 
2254                 if (!isdigit(str[0])) {
2255                         cip->project = strdup(str);
2256                         return (cip->project != NULL ? 0 : ENOMEM);
2257                 }
2258 
2259                 errno = 0;
2260                 projid = strtol(str, &cp, 10);
2261 
2262                 if (projid == 0 && errno != 0) {
2263                         assert(errno == ERANGE);
2264                         return (errno);
2265                 }
2266 
2267                 for (; *cp != '\0'; ++cp)
2268                         if (*cp != ' ' || *cp != '\t')
2269                                 return (EINVAL);
2270 
2271                 if (projid > MAXPROJID)
2272                         return (ERANGE);
2273 
2274                 buf = malloc(bufsz);
2275                 if (buf == NULL)
2276                         return (ENOMEM);
2277 
2278                 do {
2279                         errno = 0;
2280                         pp = getprojbyid(projid, &proj, buf, bufsz);
2281                 } while (pp == NULL && errno == EINTR);
2282         }
2283 
2284         if (pp) {
2285                 cip->project = strdup(pp->pj_name);
2286                 free(buf);
2287                 return (cip->project != NULL ? 0 : ENOMEM);
2288         }
2289 
2290         free(buf);
2291 
2292         switch (errno) {
2293         case 0:
2294                 return (ENOENT);
2295 
2296         case EIO:
2297         case EMFILE:
2298         case ENFILE:
2299                 return (errno);
2300 
2301         case ERANGE:
2302                 return (E2BIG);
2303 
2304         default:
2305                 return (-1);
2306         }
2307 }
2308 
2309 /*
2310  * Parse the supp_groups property value and populate ci->groups.  Returns
2311  * EINVAL (get_gid() failed for one of the components), E2BIG (the property has
2312  * more than NGROUPS_MAX-1 groups), or 0 on success.
2313  */
2314 int
2315 get_groups(char *str, struct method_context *ci)
2316 {
2317         char *cp, *end, *next;
2318         uint_t i;
2319 
2320         const char * const whitespace = " \t";
2321         const char * const illegal = ", \t";
2322 
2323         if (str[0] == '\0') {
2324                 ci->ngroups = 0;
2325                 return (0);
2326         }
2327 
2328         for (cp = str, i = 0; *cp != '\0'; ) {
2329                 /* skip whitespace */
2330                 cp += strspn(cp, whitespace);
2331 
2332                 /* find the end */
2333                 end = cp + strcspn(cp, illegal);
2334 
2335                 /* skip whitespace after end */
2336                 next = end + strspn(end, whitespace);
2337 
2338                 /* if there's a comma, it separates the fields */
2339                 if (*next == ',')
2340                         ++next;
2341 
2342                 *end = '\0';
2343 
2344                 if ((ci->groups[i] = get_gid(cp)) == (gid_t)-1) {
2345                         ci->ngroups = 0;
2346                         return (EINVAL);
2347                 }
2348 
2349                 ++i;
2350                 if (i > NGROUPS_MAX - 1) {
2351                         ci->ngroups = 0;
2352                         return (E2BIG);
2353                 }
2354 
2355                 cp = next;
2356         }
2357 
2358         ci->ngroups = i;
2359         return (0);
2360 }
2361 
2362 
2363 /*
2364  * Return an error message structure containing the error message
2365  * with context, and the error so the caller can make a decision
2366  * on what to do next.
2367  *
2368  * Because get_ids uses the mc_error_create() function which can
2369  * reallocate the merr, this function must return the merr pointer
2370  * in case it was reallocated.
2371  */
2372 static mc_error_t *
2373 get_profile(scf_propertygroup_t *methpg, scf_propertygroup_t *instpg,
2374     scf_property_t *prop, scf_value_t *val, const char *cmdline,
2375     struct method_context *ci, mc_error_t *merr)
2376 {
2377         char *buf = ci->vbuf;
2378         ssize_t buf_sz = ci->vbuf_sz;
2379         char cmd[PATH_MAX];
2380         char *cp, *value;
2381         const char *cmdp;
2382         execattr_t *eap;
2383         mc_error_t *err = merr;
2384         int r;
2385 
2386         if (!(get_astring_val(methpg, SCF_PROPERTY_PROFILE, buf, buf_sz, prop,
2387             val) == 0 || get_astring_val(instpg, SCF_PROPERTY_PROFILE, buf,
2388             buf_sz, prop, val) == 0))
2389                 return (mc_error_create(merr, scf_error(),
2390                     "Method context requires a profile, but the  \"%s\" "
2391                     "property could not be read. scf_error is %s",
2392                     SCF_PROPERTY_PROFILE, scf_strerror(scf_error())));
2393 
2394         /* Extract the command from the command line. */
2395         cp = strpbrk(cmdline, " \t");
2396 
2397         if (cp == NULL) {
2398                 cmdp = cmdline;
2399         } else {
2400                 (void) strncpy(cmd, cmdline, cp - cmdline);
2401                 cmd[cp - cmdline] = '\0';
2402                 cmdp = cmd;
2403         }
2404 
2405         /* Require that cmdp[0] == '/'? */
2406 
2407         eap = getexecprof(buf, KV_COMMAND, cmdp, GET_ONE);
2408         if (eap == NULL)
2409                 return (mc_error_create(merr, ENOENT,
2410                     "Could not find the execution profile \"%s\", "
2411                     "command %s.", buf, cmdp));
2412 
2413         /* Based on pfexec.c */
2414 
2415         /* Get the euid first so we don't override ci->pwd for the uid. */
2416         if ((value = kva_match(eap->attr, EXECATTR_EUID_KW)) != NULL) {
2417                 if ((r = get_uid(value, ci, &ci->euid)) != 0) {
2418                         ci->euid = (uid_t)-1;
2419                         err = mc_error_create(merr, r,
2420                             "Could not interpret profile euid value \"%s\", "
2421                             "from the execution profile \"%s\", error %d.",
2422                             value, buf, r);
2423                         goto out;
2424                 }
2425         }
2426 
2427         if ((value = kva_match(eap->attr, EXECATTR_UID_KW)) != NULL) {
2428                 if ((r = get_uid(value, ci, &ci->uid)) != 0) {
2429                         ci->euid = ci->uid = (uid_t)-1;
2430                         err = mc_error_create(merr, r,
2431                             "Could not interpret profile uid value \"%s\", "
2432                             "from the execution profile \"%s\", error %d.",
2433                             value, buf, r);
2434                         goto out;
2435                 }
2436                 ci->euid = ci->uid;
2437         }
2438 
2439         if ((value = kva_match(eap->attr, EXECATTR_GID_KW)) != NULL) {
2440                 ci->egid = ci->gid = get_gid(value);
2441                 if (ci->gid == (gid_t)-1) {
2442                         err = mc_error_create(merr, EINVAL,
2443                             "Could not interpret profile gid value \"%s\", "
2444                             "from the execution profile \"%s\".", value, buf);
2445                         goto out;
2446                 }
2447         }
2448 
2449         if ((value = kva_match(eap->attr, EXECATTR_EGID_KW)) != NULL) {
2450                 ci->egid = get_gid(value);
2451                 if (ci->egid == (gid_t)-1) {
2452                         err = mc_error_create(merr, EINVAL,
2453                             "Could not interpret profile egid value \"%s\", "
2454                             "from the execution profile \"%s\".", value, buf);
2455                         goto out;
2456                 }
2457         }
2458 
2459         if ((value = kva_match(eap->attr, EXECATTR_LPRIV_KW)) != NULL) {
2460                 ci->lpriv_set = priv_str_to_set(value, ",", NULL);
2461                 if (ci->lpriv_set == NULL) {
2462                         if (errno != EINVAL)
2463                                 err = mc_error_create(merr, ENOMEM,
2464                                     ALLOCFAIL);
2465                         else
2466                                 err = mc_error_create(merr, EINVAL,
2467                                     "Could not interpret profile "
2468                                     "limitprivs value \"%s\", from "
2469                                     "the execution profile \"%s\".",
2470                                     value, buf);
2471                         goto out;
2472                 }
2473         }
2474 
2475         if ((value = kva_match(eap->attr, EXECATTR_IPRIV_KW)) != NULL) {
2476                 ci->priv_set = priv_str_to_set(value, ",", NULL);
2477                 if (ci->priv_set == NULL) {
2478                         if (errno != EINVAL)
2479                                 err = mc_error_create(merr, ENOMEM,
2480                                     ALLOCFAIL);
2481                         else
2482                                 err = mc_error_create(merr, EINVAL,
2483                                     "Could not interpret profile privs value "
2484                                     "\"%s\", from the execution profile "
2485                                     "\"%s\".", value, buf);
2486                         goto out;
2487                 }
2488         }
2489 
2490 out:
2491         free_execattr(eap);
2492 
2493         return (err);
2494 }
2495 
2496 /*
2497  * Return an error message structure containing the error message
2498  * with context, and the error so the caller can make a decision
2499  * on what to do next.
2500  *
2501  * Because get_ids uses the mc_error_create() function which can
2502  * reallocate the merr, this function must return the merr pointer
2503  * in case it was reallocated.
2504  */
2505 static mc_error_t *
2506 get_ids(scf_propertygroup_t *methpg, scf_propertygroup_t *instpg,
2507     scf_property_t *prop, scf_value_t *val, struct method_context *ci,
2508     mc_error_t *merr)
2509 {
2510         char *vbuf = ci->vbuf;
2511         ssize_t vbuf_sz = ci->vbuf_sz;
2512         int r;
2513 
2514         /*
2515          * This should never happen because the caller should fall through
2516          * another path of just setting the ids to defaults, instead of
2517          * attempting to get the ids here.
2518          */
2519         if (methpg == NULL && instpg == NULL)
2520                 return (mc_error_create(merr, ENOENT,
2521                     "No property groups to get ids from."));
2522 
2523         if (!(get_astring_val(methpg, SCF_PROPERTY_USER,
2524             vbuf, vbuf_sz, prop, val) == 0 || get_astring_val(instpg,
2525             SCF_PROPERTY_USER, vbuf, vbuf_sz, prop,
2526             val) == 0))
2527                 return (mc_error_create(merr, ENOENT,
2528                     "Could not get \"%s\" property.", SCF_PROPERTY_USER));
2529 
2530         if ((r = get_uid(vbuf, ci, &ci->uid)) != 0) {
2531                 ci->uid = (uid_t)-1;
2532                 return (mc_error_create(merr, r,
2533                     "Could not interpret \"%s\" property value \"%s\", "
2534                     "error %d.", SCF_PROPERTY_USER, vbuf, r));
2535         }
2536 
2537         if (!(get_astring_val(methpg, SCF_PROPERTY_GROUP, vbuf, vbuf_sz, prop,
2538             val) == 0 || get_astring_val(instpg, SCF_PROPERTY_GROUP, vbuf,
2539             vbuf_sz, prop, val) == 0)) {
2540                 if (scf_error() == SCF_ERROR_NOT_FOUND) {
2541                         (void) strcpy(vbuf, ":default");
2542                 } else {
2543                         return (mc_error_create(merr, ENOENT,
2544                             "Could not get \"%s\" property.",
2545                             SCF_PROPERTY_GROUP));
2546                 }
2547         }
2548 
2549         if (strcmp(vbuf, ":default") != 0) {
2550                 ci->gid = get_gid(vbuf);
2551                 if (ci->gid == (gid_t)-1) {
2552                         return (mc_error_create(merr, ENOENT,
2553                             "Could not interpret \"%s\" property value \"%s\".",
2554                             SCF_PROPERTY_GROUP, vbuf));
2555                 }
2556         } else {
2557                 switch (r = lookup_pwd(ci)) {
2558                 case 0:
2559                         ci->gid = ci->pwd.pw_gid;
2560                         break;
2561 
2562                 case ENOENT:
2563                         ci->gid = (gid_t)-1;
2564                         return (mc_error_create(merr, ENOENT,
2565                             "No passwd entry for uid \"%d\".", ci->uid));
2566 
2567                 case ENOMEM:
2568                         return (mc_error_create(merr, ENOMEM,
2569                             "Out of memory."));
2570 
2571                 case EIO:
2572                 case EMFILE:
2573                 case ENFILE:
2574                         return (mc_error_create(merr, ENFILE,
2575                             "getpwuid_r() failed, error %d.", r));
2576 
2577                 default:
2578                         bad_fail("lookup_pwd", r);
2579                 }
2580         }
2581 
2582         if (!(get_astring_val(methpg, SCF_PROPERTY_SUPP_GROUPS, vbuf, vbuf_sz,
2583             prop, val) == 0 || get_astring_val(instpg,
2584             SCF_PROPERTY_SUPP_GROUPS, vbuf, vbuf_sz, prop, val) == 0)) {
2585                 if (scf_error() == SCF_ERROR_NOT_FOUND) {
2586                         (void) strcpy(vbuf, ":default");
2587                 } else {
2588                         return (mc_error_create(merr, ENOENT,
2589                             "Could not get supplemental groups (\"%s\") "
2590                             "property.", SCF_PROPERTY_SUPP_GROUPS));
2591                 }
2592         }
2593 
2594         if (strcmp(vbuf, ":default") != 0) {
2595                 switch (r = get_groups(vbuf, ci)) {
2596                 case 0:
2597                         break;
2598 
2599                 case EINVAL:
2600                         return (mc_error_create(merr, EINVAL,
2601                             "Could not interpret supplemental groups (\"%s\") "
2602                             "property value \"%s\".", SCF_PROPERTY_SUPP_GROUPS,
2603                             vbuf));
2604 
2605                 case E2BIG:
2606                         return (mc_error_create(merr, E2BIG,
2607                             "Too many supplemental groups values in \"%s\".",
2608                             vbuf));
2609 
2610                 default:
2611                         bad_fail("get_groups", r);
2612                 }
2613         } else {
2614                 ci->ngroups = -1;
2615         }
2616 
2617         if (!(get_astring_val(methpg, SCF_PROPERTY_PRIVILEGES, vbuf, vbuf_sz,
2618             prop, val) == 0 || get_astring_val(instpg, SCF_PROPERTY_PRIVILEGES,
2619             vbuf, vbuf_sz, prop, val) == 0)) {
2620                 if (scf_error() == SCF_ERROR_NOT_FOUND) {
2621                         (void) strcpy(vbuf, ":default");
2622                 } else {
2623                         return (mc_error_create(merr, ENOENT,
2624                             "Could not get \"%s\" property.",
2625                             SCF_PROPERTY_PRIVILEGES));
2626                 }
2627         }
2628 
2629         /*
2630          * For default privs, we need to keep priv_set == NULL, as
2631          * we use this test elsewhere.
2632          */
2633         if (strcmp(vbuf, ":default") != 0) {
2634                 ci->priv_set = priv_str_to_set(vbuf, ",", NULL);
2635                 if (ci->priv_set == NULL) {
2636                         if (errno != EINVAL) {
2637                                 return (mc_error_create(merr, ENOMEM,
2638                                     ALLOCFAIL));
2639                         } else {
2640                                 return (mc_error_create(merr, EINVAL,
2641                                     "Could not interpret \"%s\" "
2642                                     "property value \"%s\".",
2643                                     SCF_PROPERTY_PRIVILEGES, vbuf));
2644                         }
2645                 }
2646         }
2647 
2648         if (!(get_astring_val(methpg, SCF_PROPERTY_LIMIT_PRIVILEGES, vbuf,
2649             vbuf_sz, prop, val) == 0 || get_astring_val(instpg,
2650             SCF_PROPERTY_LIMIT_PRIVILEGES, vbuf, vbuf_sz, prop, val) == 0)) {
2651                 if (scf_error() == SCF_ERROR_NOT_FOUND) {
2652                         (void) strcpy(vbuf, ":default");
2653                 } else {
2654                         return (mc_error_create(merr, ENOENT,
2655                             "Could not get \"%s\" property.",
2656                             SCF_PROPERTY_LIMIT_PRIVILEGES));
2657                 }
2658         }
2659 
2660         if (strcmp(vbuf, ":default") == 0)
2661                 /*
2662                  * L must default to all privileges so root NPA services see
2663                  * iE = all.  "zone" is all privileges available in the current
2664                  * zone, equivalent to "all" in the global zone.
2665                  */
2666                 (void) strcpy(vbuf, "zone");
2667 
2668         ci->lpriv_set = priv_str_to_set(vbuf, ",", NULL);
2669         if (ci->lpriv_set == NULL) {
2670                 if (errno != EINVAL) {
2671                         return (mc_error_create(merr, ENOMEM, ALLOCFAIL));
2672                 } else {
2673                         return (mc_error_create(merr, EINVAL,
2674                             "Could not interpret \"%s\" property value \"%s\".",
2675                             SCF_PROPERTY_LIMIT_PRIVILEGES, vbuf));
2676                 }
2677         }
2678 
2679         return (merr);
2680 }
2681 
2682 static int
2683 get_environment(scf_handle_t *h, scf_propertygroup_t *pg,
2684     struct method_context *mcp, scf_property_t *prop, scf_value_t *val)
2685 {
2686         scf_iter_t *iter;
2687         scf_type_t type;
2688         size_t i = 0;
2689         int ret;
2690 
2691         if (scf_pg_get_property(pg, SCF_PROPERTY_ENVIRONMENT, prop) != 0) {
2692                 if (scf_error() == SCF_ERROR_NOT_FOUND)
2693                         return (ENOENT);
2694                 return (scf_error());
2695         }
2696         if (scf_property_type(prop, &type) != 0)
2697                 return (scf_error());
2698         if (type != SCF_TYPE_ASTRING)
2699                 return (EINVAL);
2700         if ((iter = scf_iter_create(h)) == NULL)
2701                 return (scf_error());
2702 
2703         if (scf_iter_property_values(iter, prop) != 0) {
2704                 ret = scf_error();
2705                 scf_iter_destroy(iter);
2706                 return (ret);
2707         }
2708 
2709         mcp->env_sz = 10;
2710 
2711         if ((mcp->env = uu_zalloc(sizeof (*mcp->env) * mcp->env_sz)) == NULL) {
2712                 ret = ENOMEM;
2713                 goto out;
2714         }
2715 
2716         while ((ret = scf_iter_next_value(iter, val)) == 1) {
2717                 ret = scf_value_get_as_string(val, mcp->vbuf, mcp->vbuf_sz);
2718                 if (ret == -1) {
2719                         ret = scf_error();
2720                         goto out;
2721                 }
2722 
2723                 if ((mcp->env[i] = strdup(mcp->vbuf)) == NULL) {
2724                         ret = ENOMEM;
2725                         goto out;
2726                 }
2727 
2728                 if (++i == mcp->env_sz) {
2729                         char **env;
2730                         mcp->env_sz *= 2;
2731                         env = uu_zalloc(sizeof (*mcp->env) * mcp->env_sz);
2732                         if (env == NULL) {
2733                                 ret = ENOMEM;
2734                                 goto out;
2735                         }
2736                         (void) memcpy(env, mcp->env,
2737                             sizeof (*mcp->env) * (mcp->env_sz / 2));
2738                         free(mcp->env);
2739                         mcp->env = env;
2740                 }
2741         }
2742 
2743         if (ret == -1)
2744                 ret = scf_error();
2745 
2746 out:
2747         scf_iter_destroy(iter);
2748         return (ret);
2749 }
2750 
2751 /*
2752  * Fetch method context information from the repository, allocate and fill
2753  * a method_context structure, return it in *mcpp, and return NULL.
2754  *
2755  * If no method_context is defined, original init context is provided, where
2756  * the working directory is '/', and uid/gid are 0/0.  But if a method_context
2757  * is defined at any level the smf_method(5) method_context defaults are used.
2758  *
2759  * Return an error message structure containing the error message
2760  * with context, and the error so the caller can make a decision
2761  * on what to do next.
2762  *
2763  * Error Types :
2764  *      E2BIG           Too many values or entry is too big
2765  *      EINVAL          Invalid value
2766  *      EIO             an I/O error has occured
2767  *      ENOENT          no entry for value
2768  *      ENOMEM          out of memory
2769  *      ENOTSUP         Version mismatch
2770  *      ERANGE          value is out of range
2771  *      EMFILE/ENFILE   out of file descriptors
2772  *
2773  *      SCF_ERROR_BACKEND_ACCESS
2774  *      SCF_ERROR_CONNECTION_BROKEN
2775  *      SCF_ERROR_DELETED
2776  *      SCF_ERROR_CONSTRAINT_VIOLATED
2777  *      SCF_ERROR_HANDLE_DESTROYED
2778  *      SCF_ERROR_INTERNAL
2779  *      SCF_ERROR_INVALID_ARGUMENT
2780  *      SCF_ERROR_NO_MEMORY
2781  *      SCF_ERROR_NO_RESOURCES
2782  *      SCF_ERROR_NOT_BOUND
2783  *      SCF_ERROR_NOT_FOUND
2784  *      SCF_ERROR_NOT_SET
2785  *      SCF_ERROR_TYPE_MISMATCH
2786  *
2787  */
2788 mc_error_t *
2789 restarter_get_method_context(uint_t version, scf_instance_t *inst,
2790     scf_snapshot_t *snap, const char *mname, const char *cmdline,
2791     struct method_context **mcpp)
2792 {
2793         scf_handle_t *h;
2794         scf_propertygroup_t *methpg = NULL;
2795         scf_propertygroup_t *instpg = NULL;
2796         scf_propertygroup_t *pg = NULL;
2797         scf_property_t *prop = NULL;
2798         scf_value_t *val = NULL;
2799         scf_type_t ty;
2800         uint8_t use_profile;
2801         int ret = 0;
2802         int mc_used = 0;
2803         mc_error_t *err = NULL;
2804         struct method_context *cip;
2805 
2806         if ((err = malloc(sizeof (mc_error_t))) == NULL)
2807                 return (mc_error_create(NULL, ENOMEM, NULL));
2808 
2809         /* Set the type to zero to track if an error occured. */
2810         err->type = 0;
2811 
2812         if (version != RESTARTER_METHOD_CONTEXT_VERSION)
2813                 return (mc_error_create(err, ENOTSUP,
2814                     "Invalid client version %d. (Expected %d)",
2815                     version, RESTARTER_METHOD_CONTEXT_VERSION));
2816 
2817         /* Get the handle before we allocate anything. */
2818         h = scf_instance_handle(inst);
2819         if (h == NULL)
2820                 return (mc_error_create(err, scf_error(),
2821                     scf_strerror(scf_error())));
2822 
2823         cip = malloc(sizeof (*cip));
2824         if (cip == NULL)
2825                 return (mc_error_create(err, ENOMEM, ALLOCFAIL));
2826 
2827         (void) memset(cip, 0, sizeof (*cip));
2828         cip->uid = (uid_t)-1;
2829         cip->euid = (uid_t)-1;
2830         cip->gid = (gid_t)-1;
2831         cip->egid = (gid_t)-1;
2832 
2833         cip->vbuf_sz = scf_limit(SCF_LIMIT_MAX_VALUE_LENGTH);
2834         assert(cip->vbuf_sz >= 0);
2835         cip->vbuf = malloc(cip->vbuf_sz);
2836         if (cip->vbuf == NULL) {
2837                 free(cip);
2838                 return (mc_error_create(err, ENOMEM, ALLOCFAIL));
2839         }
2840 
2841         if ((instpg = scf_pg_create(h)) == NULL ||
2842             (methpg = scf_pg_create(h)) == NULL ||
2843             (prop = scf_property_create(h)) == NULL ||
2844             (val = scf_value_create(h)) == NULL) {
2845                 err = mc_error_create(err, scf_error(),
2846                     "Failed to create repository object: %s\n",
2847                     scf_strerror(scf_error()));
2848                 goto out;
2849         }
2850 
2851         /*
2852          * The method environment, and the credentials/profile data,
2853          * may be found either in the pg for the method (methpg),
2854          * or in the instance/service SCF_PG_METHOD_CONTEXT pg (named
2855          * instpg below).
2856          */
2857 
2858         if (scf_instance_get_pg_composed(inst, snap, mname, methpg) !=
2859             SCF_SUCCESS) {
2860                 err = mc_error_create(err, scf_error(), "Unable to get the "
2861                     "\"%s\" method, %s", mname, scf_strerror(scf_error()));
2862                 goto out;
2863         }
2864 
2865         if (scf_instance_get_pg_composed(inst, snap, SCF_PG_METHOD_CONTEXT,
2866             instpg) != SCF_SUCCESS) {
2867                 if (scf_error() != SCF_ERROR_NOT_FOUND) {
2868                         err = mc_error_create(err, scf_error(),
2869                             "Unable to retrieve the \"%s\" property group, %s",
2870                             SCF_PG_METHOD_CONTEXT, scf_strerror(scf_error()));
2871                         goto out;
2872                 }
2873                 scf_pg_destroy(instpg);
2874                 instpg = NULL;
2875         } else {
2876                 mc_used++;
2877         }
2878 
2879         ret = get_environment(h, methpg, cip, prop, val);
2880         if (ret == ENOENT && instpg != NULL) {
2881                 ret = get_environment(h, instpg, cip, prop, val);
2882         }
2883 
2884         switch (ret) {
2885         case 0:
2886                 mc_used++;
2887                 break;
2888         case ENOENT:
2889                 break;
2890         case ENOMEM:
2891                 err = mc_error_create(err, ret, "Out of memory.");
2892                 goto out;
2893         case EINVAL:
2894                 err = mc_error_create(err, ret, "Invalid method environment.");
2895                 goto out;
2896         default:
2897                 err = mc_error_create(err, ret,
2898                     "Get method environment failed : %s\n", scf_strerror(ret));
2899                 goto out;
2900         }
2901 
2902         pg = methpg;
2903 
2904         ret = scf_pg_get_property(pg, SCF_PROPERTY_USE_PROFILE, prop);
2905         if (ret && scf_error() == SCF_ERROR_NOT_FOUND && instpg != NULL) {
2906                 pg = NULL;
2907                 ret = scf_pg_get_property(instpg, SCF_PROPERTY_USE_PROFILE,
2908                     prop);
2909         }
2910 
2911         if (ret) {
2912                 switch (scf_error()) {
2913                 case SCF_ERROR_NOT_FOUND:
2914                         /* No profile context: use default credentials */
2915                         cip->uid = 0;
2916                         cip->gid = 0;
2917                         break;
2918 
2919                 case SCF_ERROR_CONNECTION_BROKEN:
2920                         err = mc_error_create(err, SCF_ERROR_CONNECTION_BROKEN,
2921                             RCBROKEN);
2922                         goto out;
2923 
2924                 case SCF_ERROR_DELETED:
2925                         err = mc_error_create(err, SCF_ERROR_NOT_FOUND,
2926                             "Could not find property group \"%s\"",
2927                             pg == NULL ? SCF_PG_METHOD_CONTEXT : mname);
2928                         goto out;
2929 
2930                 case SCF_ERROR_HANDLE_MISMATCH:
2931                 case SCF_ERROR_INVALID_ARGUMENT:
2932                 case SCF_ERROR_NOT_SET:
2933                 default:
2934                         bad_fail("scf_pg_get_property", scf_error());
2935                 }
2936         } else {
2937                 if (scf_property_type(prop, &ty) != SCF_SUCCESS) {
2938                         ret = scf_error();
2939                         switch (ret) {
2940                         case SCF_ERROR_CONNECTION_BROKEN:
2941                                 err = mc_error_create(err,
2942                                     SCF_ERROR_CONNECTION_BROKEN, RCBROKEN);
2943                                 break;
2944 
2945                         case SCF_ERROR_DELETED:
2946                                 err = mc_error_create(err,
2947                                     SCF_ERROR_NOT_FOUND,
2948                                     "Could not find property group \"%s\"",
2949                                     pg == NULL ? SCF_PG_METHOD_CONTEXT : mname);
2950                                 break;
2951 
2952                         case SCF_ERROR_NOT_SET:
2953                         default:
2954                                 bad_fail("scf_property_type", ret);
2955                         }
2956 
2957                         goto out;
2958                 }
2959 
2960                 if (ty != SCF_TYPE_BOOLEAN) {
2961                         err = mc_error_create(err,
2962                             SCF_ERROR_TYPE_MISMATCH,
2963                             "\"%s\" property is not boolean in property group "
2964                             "\"%s\".", SCF_PROPERTY_USE_PROFILE,
2965                             pg == NULL ? SCF_PG_METHOD_CONTEXT : mname);
2966                         goto out;
2967                 }
2968 
2969                 if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
2970                         ret = scf_error();
2971                         switch (ret) {
2972                         case SCF_ERROR_CONNECTION_BROKEN:
2973                                 err = mc_error_create(err,
2974                                     SCF_ERROR_CONNECTION_BROKEN, RCBROKEN);
2975                                 break;
2976 
2977                         case SCF_ERROR_CONSTRAINT_VIOLATED:
2978                                 err = mc_error_create(err,
2979                                     SCF_ERROR_CONSTRAINT_VIOLATED,
2980                                     "\"%s\" property has multiple values.",
2981                                     SCF_PROPERTY_USE_PROFILE);
2982                                 break;
2983 
2984                         case SCF_ERROR_NOT_FOUND:
2985                                 err = mc_error_create(err,
2986                                     SCF_ERROR_NOT_FOUND,
2987                                     "\"%s\" property has no values.",
2988                                     SCF_PROPERTY_USE_PROFILE);
2989                                 break;
2990                         default:
2991                                 bad_fail("scf_property_get_value", ret);
2992                         }
2993 
2994                         goto out;
2995                 }
2996 
2997                 mc_used++;
2998                 ret = scf_value_get_boolean(val, &use_profile);
2999                 assert(ret == SCF_SUCCESS);
3000 
3001                 /* get ids & privileges */
3002                 if (use_profile)
3003                         err = get_profile(pg, instpg, prop, val, cmdline,
3004                             cip, err);
3005                 else
3006                         err = get_ids(pg, instpg, prop, val, cip, err);
3007 
3008                 if (err->type != 0)
3009                         goto out;
3010         }
3011 
3012         /* get working directory */
3013         if ((methpg != NULL && scf_pg_get_property(methpg,
3014             SCF_PROPERTY_WORKING_DIRECTORY, prop) == SCF_SUCCESS) ||
3015             (instpg != NULL && scf_pg_get_property(instpg,
3016             SCF_PROPERTY_WORKING_DIRECTORY, prop) == SCF_SUCCESS)) {
3017                 if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
3018                         ret = scf_error();
3019                         switch (ret) {
3020                         case SCF_ERROR_CONNECTION_BROKEN:
3021                                 err = mc_error_create(err, ret, RCBROKEN);
3022                                 break;
3023 
3024                         case SCF_ERROR_CONSTRAINT_VIOLATED:
3025                                 err = mc_error_create(err, ret,
3026                                     "\"%s\" property has multiple values.",
3027                                     SCF_PROPERTY_WORKING_DIRECTORY);
3028                                 break;
3029 
3030                         case SCF_ERROR_NOT_FOUND:
3031                                 err = mc_error_create(err, ret,
3032                                     "\"%s\" property has no values.",
3033                                     SCF_PROPERTY_WORKING_DIRECTORY);
3034                                 break;
3035 
3036                         default:
3037                                 bad_fail("scf_property_get_value", ret);
3038                         }
3039 
3040                         goto out;
3041                 }
3042 
3043                 mc_used++;
3044                 ret = scf_value_get_astring(val, cip->vbuf, cip->vbuf_sz);
3045                 assert(ret != -1);
3046         } else {
3047                 ret = scf_error();
3048                 switch (ret) {
3049                 case SCF_ERROR_NOT_FOUND:
3050                         /* okay if missing. */
3051                         (void) strcpy(cip->vbuf, ":default");
3052                         break;
3053 
3054                 case SCF_ERROR_CONNECTION_BROKEN:
3055                         err = mc_error_create(err, ret, RCBROKEN);
3056                         goto out;
3057 
3058                 case SCF_ERROR_DELETED:
3059                         err = mc_error_create(err, ret,
3060                             "Property group could not be found");
3061                         goto out;
3062 
3063                 case SCF_ERROR_HANDLE_MISMATCH:
3064                 case SCF_ERROR_INVALID_ARGUMENT:
3065                 case SCF_ERROR_NOT_SET:
3066                 default:
3067                         bad_fail("scf_pg_get_property", ret);
3068                 }
3069         }
3070 
3071         if (strcmp(cip->vbuf, ":default") == 0 ||
3072             strcmp(cip->vbuf, ":home") == 0) {
3073                 switch (ret = lookup_pwd(cip)) {
3074                 case 0:
3075                         break;
3076 
3077                 case ENOMEM:
3078                         err = mc_error_create(err, ret, "Out of memory.");
3079                         goto out;
3080 
3081                 case ENOENT:
3082                 case EIO:
3083                 case EMFILE:
3084                 case ENFILE:
3085                         err = mc_error_create(err, ret,
3086                             "Could not get passwd entry.");
3087                         goto out;
3088 
3089                 default:
3090                         bad_fail("lookup_pwd", ret);
3091                 }
3092 
3093                 cip->working_dir = strdup(cip->pwd.pw_dir);
3094                 if (cip->working_dir == NULL) {
3095                         err = mc_error_create(err, ENOMEM, ALLOCFAIL);
3096                         goto out;
3097                 }
3098         } else {
3099                 cip->working_dir = strdup(cip->vbuf);
3100                 if (cip->working_dir == NULL) {
3101                         err = mc_error_create(err, ENOMEM, ALLOCFAIL);
3102                         goto out;
3103                 }
3104         }
3105 
3106         /* get (optional) corefile pattern */
3107         if ((methpg != NULL && scf_pg_get_property(methpg,
3108             SCF_PROPERTY_COREFILE_PATTERN, prop) == SCF_SUCCESS) ||
3109             (instpg != NULL && scf_pg_get_property(instpg,
3110             SCF_PROPERTY_COREFILE_PATTERN, prop) == SCF_SUCCESS)) {
3111                 if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
3112                         ret = scf_error();
3113                         switch (ret) {
3114                         case SCF_ERROR_CONNECTION_BROKEN:
3115                                 err = mc_error_create(err, ret, RCBROKEN);
3116                                 break;
3117 
3118                         case SCF_ERROR_CONSTRAINT_VIOLATED:
3119                                 err = mc_error_create(err, ret,
3120                                     "\"%s\" property has multiple values.",
3121                                     SCF_PROPERTY_COREFILE_PATTERN);
3122                                 break;
3123 
3124                         case SCF_ERROR_NOT_FOUND:
3125                                 err = mc_error_create(err, ret,
3126                                     "\"%s\" property has no values.",
3127                                     SCF_PROPERTY_COREFILE_PATTERN);
3128                                 break;
3129 
3130                         default:
3131                                 bad_fail("scf_property_get_value", ret);
3132                         }
3133 
3134                 } else {
3135 
3136                         ret = scf_value_get_astring(val, cip->vbuf,
3137                             cip->vbuf_sz);
3138                         assert(ret != -1);
3139 
3140                         cip->corefile_pattern = strdup(cip->vbuf);
3141                         if (cip->corefile_pattern == NULL) {
3142                                 err = mc_error_create(err, ENOMEM, ALLOCFAIL);
3143                                 goto out;
3144                         }
3145                 }
3146 
3147                 mc_used++;
3148         } else {
3149                 ret = scf_error();
3150                 switch (ret) {
3151                 case SCF_ERROR_NOT_FOUND:
3152                         /* okay if missing. */
3153                         break;
3154 
3155                 case SCF_ERROR_CONNECTION_BROKEN:
3156                         err = mc_error_create(err, ret, RCBROKEN);
3157                         goto out;
3158 
3159                 case SCF_ERROR_DELETED:
3160                         err = mc_error_create(err, ret,
3161                             "Property group could not be found");
3162                         goto out;
3163 
3164                 case SCF_ERROR_HANDLE_MISMATCH:
3165                 case SCF_ERROR_INVALID_ARGUMENT:
3166                 case SCF_ERROR_NOT_SET:
3167                 default:
3168                         bad_fail("scf_pg_get_property", ret);
3169                 }
3170         }
3171 
3172         if (restarter_rm_libs_loadable()) {
3173                 /* get project */
3174                 if ((methpg != NULL && scf_pg_get_property(methpg,
3175                     SCF_PROPERTY_PROJECT, prop) == SCF_SUCCESS) ||
3176                     (instpg != NULL && scf_pg_get_property(instpg,
3177                     SCF_PROPERTY_PROJECT, prop) == SCF_SUCCESS)) {
3178                         if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
3179                                 ret = scf_error();
3180                                 switch (ret) {
3181                                 case SCF_ERROR_CONNECTION_BROKEN:
3182                                         err = mc_error_create(err, ret,
3183                                             RCBROKEN);
3184                                         break;
3185 
3186                                 case SCF_ERROR_CONSTRAINT_VIOLATED:
3187                                         err = mc_error_create(err, ret,
3188                                             "\"%s\" property has multiple "
3189                                             "values.", SCF_PROPERTY_PROJECT);
3190                                         break;
3191 
3192                                 case SCF_ERROR_NOT_FOUND:
3193                                         err = mc_error_create(err, ret,
3194                                             "\"%s\" property has no values.",
3195                                             SCF_PROPERTY_PROJECT);
3196                                         break;
3197 
3198                                 default:
3199                                         bad_fail("scf_property_get_value", ret);
3200                                 }
3201 
3202                                 (void) strcpy(cip->vbuf, ":default");
3203                         } else {
3204                                 ret = scf_value_get_astring(val, cip->vbuf,
3205                                     cip->vbuf_sz);
3206                                 assert(ret != -1);
3207                         }
3208 
3209                         mc_used++;
3210                 } else {
3211                         (void) strcpy(cip->vbuf, ":default");
3212                 }
3213 
3214                 switch (ret = get_projid(cip->vbuf, cip)) {
3215                 case 0:
3216                         break;
3217 
3218                 case ENOMEM:
3219                         err = mc_error_create(err, ret, "Out of memory.");
3220                         goto out;
3221 
3222                 case ENOENT:
3223                         err = mc_error_create(err, ret,
3224                             "Missing passwd or project entry for \"%s\".",
3225                             cip->vbuf);
3226                         goto out;
3227 
3228                 case EIO:
3229                         err = mc_error_create(err, ret, "I/O error.");
3230                         goto out;
3231 
3232                 case EMFILE:
3233                 case ENFILE:
3234                         err = mc_error_create(err, ret,
3235                             "Out of file descriptors.");
3236                         goto out;
3237 
3238                 case -1:
3239                         err = mc_error_create(err, ret,
3240                             "Name service switch is misconfigured.");
3241                         goto out;
3242 
3243                 case ERANGE:
3244                 case E2BIG:
3245                         err = mc_error_create(err, ret,
3246                             "Project ID \"%s\" too big.", cip->vbuf);
3247                         goto out;
3248 
3249                 case EINVAL:
3250                         err = mc_error_create(err, ret,
3251                             "Project ID \"%s\" is invalid.", cip->vbuf);
3252                         goto out;
3253 
3254                 default:
3255                         bad_fail("get_projid", ret);
3256                 }
3257 
3258                 /* get resource pool */
3259                 if ((methpg != NULL && scf_pg_get_property(methpg,
3260                     SCF_PROPERTY_RESOURCE_POOL, prop) == SCF_SUCCESS) ||
3261                     (instpg != NULL && scf_pg_get_property(instpg,
3262                     SCF_PROPERTY_RESOURCE_POOL, prop) == SCF_SUCCESS)) {
3263                         if (scf_property_get_value(prop, val) != SCF_SUCCESS) {
3264                                 ret = scf_error();
3265                                 switch (ret) {
3266                                 case SCF_ERROR_CONNECTION_BROKEN:
3267                                         err = mc_error_create(err, ret,
3268                                             RCBROKEN);
3269                                         break;
3270 
3271                                 case SCF_ERROR_CONSTRAINT_VIOLATED:
3272                                         err = mc_error_create(err, ret,
3273                                             "\"%s\" property has multiple "
3274                                             "values.",
3275                                             SCF_PROPERTY_RESOURCE_POOL);
3276                                         break;
3277 
3278                                 case SCF_ERROR_NOT_FOUND:
3279                                         err = mc_error_create(err, ret,
3280                                             "\"%s\" property has no "
3281                                             "values.",
3282                                             SCF_PROPERTY_RESOURCE_POOL);
3283                                         break;
3284 
3285                                 default:
3286                                         bad_fail("scf_property_get_value", ret);
3287                                 }
3288 
3289                                 (void) strcpy(cip->vbuf, ":default");
3290                         } else {
3291                                 ret = scf_value_get_astring(val, cip->vbuf,
3292                                     cip->vbuf_sz);
3293                                 assert(ret != -1);
3294                         }
3295 
3296                         mc_used++;
3297                 } else {
3298                         ret = scf_error();
3299                         switch (ret) {
3300                         case SCF_ERROR_NOT_FOUND:
3301                                 /* okay if missing. */
3302                                 (void) strcpy(cip->vbuf, ":default");
3303                                 break;
3304 
3305                         case SCF_ERROR_CONNECTION_BROKEN:
3306                                 err = mc_error_create(err, ret, RCBROKEN);
3307                                 goto out;
3308 
3309                         case SCF_ERROR_DELETED:
3310                                 err = mc_error_create(err, ret,
3311                                     "property group could not be found.");
3312                                 goto out;
3313 
3314                         case SCF_ERROR_HANDLE_MISMATCH:
3315                         case SCF_ERROR_INVALID_ARGUMENT:
3316                         case SCF_ERROR_NOT_SET:
3317                         default:
3318                                 bad_fail("scf_pg_get_property", ret);
3319                         }
3320                 }
3321 
3322                 if (strcmp(cip->vbuf, ":default") != 0) {
3323                         cip->resource_pool = strdup(cip->vbuf);
3324                         if (cip->resource_pool == NULL) {
3325                                 err = mc_error_create(err, ENOMEM, ALLOCFAIL);
3326                                 goto out;
3327                         }
3328                 }
3329         }
3330 
3331         /*
3332          * A method_context was not used for any configurable
3333          * elements or attributes, so reset and use the simple
3334          * defaults that provide historic init behavior.
3335          */
3336         if (mc_used == 0) {
3337                 free(cip->pwbuf);
3338                 free(cip->vbuf);
3339                 free(cip->working_dir);
3340 
3341                 (void) memset(cip, 0, sizeof (*cip));
3342                 cip->uid = 0;
3343                 cip->gid = 0;
3344                 cip->euid = (uid_t)-1;
3345                 cip->egid = (gid_t)-1;
3346         }
3347 
3348         *mcpp = cip;
3349 
3350 out:
3351         (void) scf_value_destroy(val);
3352         scf_property_destroy(prop);
3353         scf_pg_destroy(instpg);
3354         scf_pg_destroy(methpg);
3355 
3356         if (cip->pwbuf != NULL) {
3357                 free(cip->pwbuf);
3358                 cip->pwbuf = NULL;
3359         }
3360 
3361         free(cip->vbuf);
3362 
3363         if (err->type != 0) {
3364                 restarter_free_method_context(cip);
3365         } else {
3366                 restarter_mc_error_destroy(err);
3367                 err = NULL;
3368         }
3369 
3370         return (err);
3371 }
3372 
3373 /*
3374  * Modify the current process per the given method_context.  On success, returns
3375  * 0.  Note that the environment is not modified by this function to include the
3376  * environment variables in cip->env.
3377  *
3378  * On failure, sets *fp to NULL or the name of the function which failed,
3379  * and returns one of the following error codes.  The words in parentheses are
3380  * the values to which *fp may be set for the error case.
3381  *   ENOMEM - malloc() failed
3382  *   EIO - an I/O error occurred (getpwuid_r, chdir)
3383  *   EMFILE - process is out of file descriptors (getpwuid_r)
3384  *   ENFILE - system is out of file handles (getpwuid_r)
3385  *   EINVAL - gid or egid is out of range (setregid)
3386  *            ngroups is too big (setgroups)
3387  *            project's project id is bad (setproject)
3388  *            uid or euid is out of range (setreuid)
3389  *            poolname is invalid (pool_set_binding)
3390  *   EPERM - insufficient privilege (setregid, initgroups, setgroups, setppriv,
3391  *               setproject, setreuid, settaskid)
3392  *   ENOENT - uid has a passwd entry but no shadow entry
3393  *            working_dir does not exist (chdir)
3394  *            uid has no passwd entry
3395  *            the pool could not be found (pool_set_binding)
3396  *   EFAULT - lpriv_set or priv_set has a bad address (setppriv)
3397  *            working_dir has a bad address (chdir)
3398  *   EACCES - could not access working_dir (chdir)
3399  *            in a TASK_FINAL task (setproject, settaskid)
3400  *            no resource pool accepting default binding exists (setproject)
3401  *   ELOOP - too many symbolic links in working_dir (chdir)
3402  *   ENAMETOOLONG - working_dir is too long (chdir)
3403  *   ENOLINK - working_dir is on an inaccessible remote machine (chdir)
3404  *   ENOTDIR - working_dir is not a directory (chdir)
3405  *   ESRCH - uid is not a user of project (setproject)
3406  *           project is invalid (setproject)
3407  *           the resource pool specified for project is unknown (setproject)
3408  *   EBADF - the configuration for the pool is invalid (pool_set_binding)
3409  *   -1 - core_set_process_path() failed (core_set_process_path)
3410  *        a resource control assignment failed (setproject)
3411  *        a system error occurred during pool_set_binding (pool_set_binding)
3412  */
3413 int
3414 restarter_set_method_context(struct method_context *cip, const char **fp)
3415 {
3416         pid_t mypid = -1;
3417         int r, ret;
3418 
3419         cip->pwbuf = NULL;
3420         *fp = NULL;
3421 
3422         if (cip->gid != (gid_t)-1) {
3423                 if (setregid(cip->gid,
3424                     cip->egid != (gid_t)-1 ? cip->egid : cip->gid) != 0) {
3425                         *fp = "setregid";
3426 
3427                         ret = errno;
3428                         assert(ret == EINVAL || ret == EPERM);
3429                         goto out;
3430                 }
3431         } else {
3432                 if (cip->pwbuf == NULL) {
3433                         switch (ret = lookup_pwd(cip)) {
3434                         case 0:
3435                                 break;
3436 
3437                         case ENOMEM:
3438                         case ENOENT:
3439                                 *fp = NULL;
3440                                 goto out;
3441 
3442                         case EIO:
3443                         case EMFILE:
3444                         case ENFILE:
3445                                 *fp = "getpwuid_r";
3446                                 goto out;
3447 
3448                         default:
3449                                 bad_fail("lookup_pwd", ret);
3450                         }
3451                 }
3452 
3453                 if (setregid(cip->pwd.pw_gid,
3454                     cip->egid != (gid_t)-1 ?
3455                     cip->egid : cip->pwd.pw_gid) != 0) {
3456                         *fp = "setregid";
3457 
3458                         ret = errno;
3459                         assert(ret == EINVAL || ret == EPERM);
3460                         goto out;
3461                 }
3462         }
3463 
3464         if (cip->ngroups == -1) {
3465                 if (cip->pwbuf == NULL) {
3466                         switch (ret = lookup_pwd(cip)) {
3467                         case 0:
3468                                 break;
3469 
3470                         case ENOMEM:
3471                         case ENOENT:
3472                                 *fp = NULL;
3473                                 goto out;
3474 
3475                         case EIO:
3476                         case EMFILE:
3477                         case ENFILE:
3478                                 *fp = "getpwuid_r";
3479                                 goto out;
3480 
3481                         default:
3482                                 bad_fail("lookup_pwd", ret);
3483                         }
3484                 }
3485 
3486                 /* Ok if cip->gid == -1 */
3487                 if (initgroups(cip->pwd.pw_name, cip->gid) != 0) {
3488                         *fp = "initgroups";
3489                         ret = errno;
3490                         assert(ret == EPERM);
3491                         goto out;
3492                 }
3493         } else if (cip->ngroups > 0 &&
3494             setgroups(cip->ngroups, cip->groups) != 0) {
3495                 *fp = "setgroups";
3496 
3497                 ret = errno;
3498                 assert(ret == EINVAL || ret == EPERM);
3499                 goto out;
3500         }
3501 
3502         if (cip->corefile_pattern != NULL) {
3503                 mypid = getpid();
3504 
3505                 if (core_set_process_path(cip->corefile_pattern,
3506                     strlen(cip->corefile_pattern) + 1, mypid) != 0) {
3507                         *fp = "core_set_process_path";
3508                         ret = -1;
3509                         goto out;
3510                 }
3511         }
3512 
3513         if (restarter_rm_libs_loadable()) {
3514                 if (cip->project == NULL) {
3515                         if (settaskid(getprojid(), TASK_NORMAL) == -1) {
3516                                 switch (errno) {
3517                                 case EACCES:
3518                                 case EPERM:
3519                                         *fp = "settaskid";
3520                                         ret = errno;
3521                                         goto out;
3522 
3523                                 case EINVAL:
3524                                 default:
3525                                         bad_fail("settaskid", errno);
3526                                 }
3527                         }
3528                 } else {
3529                         switch (ret = lookup_pwd(cip)) {
3530                         case 0:
3531                                 break;
3532 
3533                         case ENOMEM:
3534                         case ENOENT:
3535                                 *fp = NULL;
3536                                 goto out;
3537 
3538                         case EIO:
3539                         case EMFILE:
3540                         case ENFILE:
3541                                 *fp = "getpwuid_r";
3542                                 goto out;
3543 
3544                         default:
3545                                 bad_fail("lookup_pwd", ret);
3546                         }
3547 
3548                         *fp = "setproject";
3549 
3550                         switch (setproject(cip->project, cip->pwd.pw_name,
3551                             TASK_NORMAL)) {
3552                         case 0:
3553                                 break;
3554 
3555                         case SETPROJ_ERR_TASK:
3556                         case SETPROJ_ERR_POOL:
3557                                 ret = errno;
3558                                 goto out;
3559 
3560                         default:
3561                                 ret = -1;
3562                                 goto out;
3563                         }
3564                 }
3565 
3566                 if (cip->resource_pool != NULL) {
3567                         if (mypid == -1)
3568                                 mypid = getpid();
3569 
3570                         *fp = "pool_set_binding";
3571 
3572                         if (pool_set_binding(cip->resource_pool, P_PID,
3573                             mypid) != PO_SUCCESS) {
3574                                 switch (pool_error()) {
3575                                 case POE_INVALID_SEARCH:
3576                                         ret = ENOENT;
3577                                         break;
3578 
3579                                 case POE_BADPARAM:
3580                                         ret = EINVAL;
3581                                         break;
3582 
3583                                 case POE_INVALID_CONF:
3584                                         ret = EBADF;
3585                                         break;
3586 
3587                                 case POE_SYSTEM:
3588                                         ret = -1;
3589                                         break;
3590 
3591                                 default:
3592                                         bad_fail("pool_set_binding",
3593                                             pool_error());
3594                                 }
3595 
3596                                 goto out;
3597                         }
3598                 }
3599         }
3600 
3601         /*
3602          * Now, we have to assume our ID. If the UID is 0, we want it to be
3603          * privilege-aware, otherwise the limit set gets used instead of E/P.
3604          * We can do this by setting P as well, which keeps
3605          * PA status (see priv_can_clear_PA()).
3606          */
3607 
3608         *fp = "setppriv";
3609 
3610         if (cip->lpriv_set != NULL) {
3611                 if (setppriv(PRIV_SET, PRIV_LIMIT, cip->lpriv_set) != 0) {
3612                         ret = errno;
3613                         assert(ret == EFAULT || ret == EPERM);
3614                         goto out;
3615                 }
3616         }
3617         if (cip->priv_set != NULL) {
3618                 if (setppriv(PRIV_SET, PRIV_INHERITABLE, cip->priv_set) != 0) {
3619                         ret = errno;
3620                         assert(ret == EFAULT || ret == EPERM);
3621                         goto out;
3622                 }
3623         }
3624 
3625         /*
3626          * If the limit privset is already set, then must be privilege
3627          * aware.  Otherwise, don't assume anything, and force privilege
3628          * aware status.
3629          */
3630 
3631         if (cip->lpriv_set == NULL && cip->priv_set != NULL) {
3632                 ret = setpflags(PRIV_AWARE, 1);
3633                 assert(ret == 0);
3634         }
3635 
3636         *fp = "setreuid";
3637         if (setreuid(cip->uid,
3638             cip->euid != (uid_t)-1 ? cip->euid : cip->uid) != 0) {
3639                 ret = errno;
3640                 assert(ret == EINVAL || ret == EPERM);
3641                 goto out;
3642         }
3643 
3644         *fp = "setppriv";
3645         if (cip->priv_set != NULL) {
3646                 if (setppriv(PRIV_SET, PRIV_PERMITTED, cip->priv_set) != 0) {
3647                         ret = errno;
3648                         assert(ret == EFAULT || ret == EPERM);
3649                         goto out;
3650                 }
3651         }
3652 
3653         /*
3654          * The last thing to do is chdir to the specified working directory.
3655          * This should come after the uid switching as only the user might
3656          * have access to the specified directory.
3657          */
3658         if (cip->working_dir != NULL) {
3659                 do {
3660                         r = chdir(cip->working_dir);
3661                 } while (r != 0 && errno == EINTR);
3662                 if (r != 0) {
3663                         *fp = "chdir";
3664                         ret = errno;
3665                         goto out;
3666                 }
3667         }
3668 
3669         ret = 0;
3670 out:
3671         free(cip->pwbuf);
3672         cip->pwbuf = NULL;
3673         return (ret);
3674 }
3675 
3676 void
3677 restarter_free_method_context(struct method_context *mcp)
3678 {
3679         size_t i;
3680 
3681         if (mcp->lpriv_set != NULL)
3682                 priv_freeset(mcp->lpriv_set);
3683         if (mcp->priv_set != NULL)
3684                 priv_freeset(mcp->priv_set);
3685 
3686         if (mcp->env != NULL) {
3687                 for (i = 0; i < mcp->env_sz; i++)
3688                         free(mcp->env[i]);
3689                 free(mcp->env);
3690         }
3691 
3692         free(mcp->working_dir);
3693         free(mcp->corefile_pattern);
3694         free(mcp->project);
3695         free(mcp->resource_pool);
3696         free(mcp);
3697 }
3698 
3699 /*
3700  * Method keyword functions
3701  */
3702 
3703 int
3704 restarter_is_null_method(const char *meth)
3705 {
3706         return (strcmp(meth, MKW_TRUE) == 0);
3707 }
3708 
3709 static int
3710 is_kill_method(const char *method, const char *kill_str,
3711     size_t kill_str_len)
3712 {
3713         const char *cp;
3714         int sig;
3715 
3716         if (strncmp(method, kill_str, kill_str_len) != 0 ||
3717             (method[kill_str_len] != '\0' &&
3718             !isspace(method[kill_str_len])))
3719                 return (-1);
3720 
3721         cp = method + kill_str_len;
3722         while (*cp != '\0' && isspace(*cp))
3723                 ++cp;
3724 
3725         if (*cp == '\0')
3726                 return (SIGTERM);
3727 
3728         if (*cp != '-')
3729                 return (-1);
3730 
3731         return (str2sig(cp + 1, &sig) == 0 ? sig : -1);
3732 }
3733 
3734 int
3735 restarter_is_kill_proc_method(const char *method)
3736 {
3737         return (is_kill_method(method, MKW_KILL_PROC,
3738             sizeof (MKW_KILL_PROC) - 1));
3739 }
3740 
3741 int
3742 restarter_is_kill_method(const char *method)
3743 {
3744         return (is_kill_method(method, MKW_KILL, sizeof (MKW_KILL) - 1));
3745 }
3746 
3747 /*
3748  * Stubs for now.
3749  */
3750 
3751 /* ARGSUSED */
3752 int
3753 restarter_event_get_enabled(restarter_event_t *e)
3754 {
3755         return (-1);
3756 }
3757 
3758 /* ARGSUSED */
3759 uint64_t
3760 restarter_event_get_seq(restarter_event_t *e)
3761 {
3762         return (-1);
3763 }
3764 
3765 /* ARGSUSED */
3766 void
3767 restarter_event_get_time(restarter_event_t *e, hrtime_t *time)
3768 {
3769 }
3770 
3771 /*
3772  * Check for and validate fmri specified in restarter_actions/auxiliary_fmri
3773  * 0 - Success
3774  * 1 - Failure
3775  */
3776 int
3777 restarter_inst_validate_ractions_aux_fmri(scf_instance_t *inst)
3778 {
3779         scf_handle_t *h;
3780         scf_propertygroup_t *pg;
3781         scf_property_t *prop;
3782         scf_value_t *val;
3783         char *aux_fmri;
3784         size_t size = scf_limit(SCF_LIMIT_MAX_VALUE_LENGTH);
3785         int ret = 1;
3786 
3787         if ((aux_fmri = malloc(size)) == NULL)
3788                 return (1);
3789 
3790         h = scf_instance_handle(inst);
3791 
3792         pg = scf_pg_create(h);
3793         prop = scf_property_create(h);
3794         val = scf_value_create(h);
3795         if (pg == NULL || prop == NULL || val == NULL)
3796                 goto out;
3797 
3798         if (instance_get_or_add_pg(inst, SCF_PG_RESTARTER_ACTIONS,
3799             SCF_PG_RESTARTER_ACTIONS_TYPE, SCF_PG_RESTARTER_ACTIONS_FLAGS,
3800             pg) != SCF_SUCCESS)
3801                 goto out;
3802 
3803         if (get_astring_val(pg, SCF_PROPERTY_AUX_FMRI, aux_fmri, size,
3804             prop, val) != SCF_SUCCESS)
3805                 goto out;
3806 
3807         if (scf_parse_fmri(aux_fmri, NULL, NULL, NULL, NULL, NULL,
3808             NULL) != SCF_SUCCESS)
3809                 goto out;
3810 
3811         ret = 0;
3812 
3813 out:
3814         free(aux_fmri);
3815         scf_value_destroy(val);
3816         scf_property_destroy(prop);
3817         scf_pg_destroy(pg);
3818         return (ret);
3819 }
3820 
3821 /*
3822  * Get instance's boolean value in restarter_actions/auxiliary_tty
3823  * Return -1 on failure
3824  */
3825 int
3826 restarter_inst_ractions_from_tty(scf_instance_t *inst)
3827 {
3828         scf_handle_t *h;
3829         scf_propertygroup_t *pg;
3830         scf_property_t *prop;
3831         scf_value_t *val;
3832         uint8_t has_tty;
3833         int ret = -1;
3834 
3835         h = scf_instance_handle(inst);
3836         pg = scf_pg_create(h);
3837         prop = scf_property_create(h);
3838         val = scf_value_create(h);
3839         if (pg == NULL || prop == NULL || val == NULL)
3840                 goto out;
3841 
3842         if (instance_get_or_add_pg(inst, SCF_PG_RESTARTER_ACTIONS,
3843             SCF_PG_RESTARTER_ACTIONS_TYPE, SCF_PG_RESTARTER_ACTIONS_FLAGS,
3844             pg) != SCF_SUCCESS)
3845                 goto out;
3846 
3847         if (get_boolean_val(pg, SCF_PROPERTY_AUX_TTY, &has_tty, prop,
3848             val) != SCF_SUCCESS)
3849                 goto out;
3850 
3851         ret = has_tty;
3852 
3853 out:
3854         scf_value_destroy(val);
3855         scf_property_destroy(prop);
3856         scf_pg_destroy(pg);
3857         return (ret);
3858 }
3859 
3860 static int
3861 restarter_inst_set_astring_prop(scf_instance_t *inst, const char *pgname,
3862     const char *pgtype, uint32_t pgflags, const char *pname, const char *str)
3863 {
3864         scf_handle_t *h;
3865         scf_propertygroup_t *pg;
3866         scf_transaction_t *t;
3867         scf_transaction_entry_t *e;
3868         scf_value_t *v;
3869         int ret = 1, r;
3870 
3871         h = scf_instance_handle(inst);
3872 
3873         pg = scf_pg_create(h);
3874         t = scf_transaction_create(h);
3875         e = scf_entry_create(h);
3876         v = scf_value_create(h);
3877         if (pg == NULL || t == NULL || e == NULL || v == NULL)
3878                 goto out;
3879 
3880         if (instance_get_or_add_pg(inst, pgname, pgtype, pgflags, pg))
3881                 goto out;
3882 
3883         if (scf_value_set_astring(v, str) != SCF_SUCCESS)
3884                 goto out;
3885 
3886         for (;;) {
3887                 if (scf_transaction_start(t, pg) != 0)
3888                         goto out;
3889 
3890                 if (tx_set_value(t, e, pname, SCF_TYPE_ASTRING, v) != 0)
3891                         goto out;
3892 
3893                 if ((r = scf_transaction_commit(t)) == 1)
3894                         break;
3895 
3896                 if (r == -1)
3897                         goto out;
3898 
3899                 scf_transaction_reset(t);
3900                 if (scf_pg_update(pg) == -1)
3901                         goto out;
3902         }
3903         ret = 0;
3904 
3905 out:
3906         scf_transaction_destroy(t);
3907         scf_entry_destroy(e);
3908         scf_value_destroy(v);
3909         scf_pg_destroy(pg);
3910 
3911         return (ret);
3912 }
3913 
3914 int
3915 restarter_inst_set_aux_fmri(scf_instance_t *inst)
3916 {
3917         scf_handle_t *h;
3918         scf_propertygroup_t *pg;
3919         scf_property_t *prop;
3920         scf_value_t *val;
3921         char *aux_fmri;
3922         size_t size = scf_limit(SCF_LIMIT_MAX_VALUE_LENGTH);
3923         int ret = 1;
3924 
3925         if ((aux_fmri = malloc(size)) == NULL)
3926                 return (1);
3927 
3928         h = scf_instance_handle(inst);
3929 
3930         pg = scf_pg_create(h);
3931         prop = scf_property_create(h);
3932         val = scf_value_create(h);
3933         if (pg == NULL || prop == NULL || val == NULL)
3934                 goto out;
3935 
3936         /*
3937          * Get auxiliary_fmri value from restarter_actions pg
3938          */
3939         if (instance_get_or_add_pg(inst, SCF_PG_RESTARTER_ACTIONS,
3940             SCF_PG_RESTARTER_ACTIONS_TYPE, SCF_PG_RESTARTER_ACTIONS_FLAGS,
3941             pg) != SCF_SUCCESS)
3942                 goto out;
3943 
3944         if (get_astring_val(pg, SCF_PROPERTY_AUX_FMRI, aux_fmri, size,
3945             prop, val) != SCF_SUCCESS)
3946                 goto out;
3947 
3948         /*
3949          * Populate restarter/auxiliary_fmri with the obtained fmri.
3950          */
3951         ret = restarter_inst_set_astring_prop(inst, SCF_PG_RESTARTER,
3952             SCF_PG_RESTARTER_TYPE, SCF_PG_RESTARTER_FLAGS,
3953             SCF_PROPERTY_AUX_FMRI, aux_fmri);
3954 
3955 out:
3956         free(aux_fmri);
3957         scf_value_destroy(val);
3958         scf_property_destroy(prop);
3959         scf_pg_destroy(pg);
3960         return (ret);
3961 }
3962 
3963 int
3964 restarter_inst_reset_aux_fmri(scf_instance_t *inst)
3965 {
3966         return (scf_instance_delete_prop(inst,
3967             SCF_PG_RESTARTER, SCF_PROPERTY_AUX_FMRI));
3968 }
3969 
3970 int
3971 restarter_inst_reset_ractions_aux_fmri(scf_instance_t *inst)
3972 {
3973         return (scf_instance_delete_prop(inst,
3974             SCF_PG_RESTARTER_ACTIONS, SCF_PROPERTY_AUX_FMRI));
3975 }