5079356 Framework should provide administrative audit trail/history

6405683 svc.configd audit events need to be defined.

9 files changed, 501 insertions, 30 deletions

diff --git a/usr/src/lib/libbsm/audit_event.txt b/usr/src/lib/libbsm/audit_event.txt
index 9664c3b9e1..6614459b90 100644
--- a/usr/src/lib/libbsm/audit_event.txt
+++ b/usr/src/lib/libbsm/audit_event.txt
@@ -1,5 +1,5 @@
 #
-# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #
@@ -452,6 +452,42 @@
 6249:AUE_ndmp_backup:ndmp backup:na
 6250:AUE_ndmp_restore:ndmp restore:na
 #
+# SMF(5) svc.configd events (svcadm(1M) related)
+#
+6260:AUE_smf_enable:persistently enable service instance:ss
+6261:AUE_smf_tmp_enable:temporarily enable service instance:ss
+6262:AUE_smf_disable:persistently disable service instance:ss
+6263:AUE_smf_tmp_disable:temporarily disable service instance:ss
+6264:AUE_smf_restart:restart service instance:ss
+6265:AUE_smf_refresh:refresh service instance:ss
+6266:AUE_smf_clear:clear service instance state:ss
+6267:AUE_smf_degrade:set service instance degraded state:ss
+6268:AUE_smf_immediate_degrade:immediately set service instance degraded state:ss
+6269:AUE_smf_maintenance:set service instance persistent maintenance state:ss
+6270:AUE_smf_immediate_maintenance:immediately set service instance persistent maintenance state:ss
+6271:AUE_smf_immtmp_maintenance:immediately set service instance temporary maintenance state:ss
+6272:AUE_smf_tmp_maintenance:set service instance maintenance temporary state:ss
+6273:AUE_smf_milestone:set service management facility milestone:ss
+#
+# SMF(5) svc.configd miscellaneous events
+#
+6275:AUE_smf_read_prop:read restricted access property value:as
+#
+# SMF(5) svc.configd events (svccfg(1M) related)
+#
+6280:AUE_smf_create:create service instance object:as
+6281:AUE_smf_delete:delete service instance object:as
+6282:AUE_smf_create_pg:create persistent service property group:as
+6283:AUE_smf_create_npg:create non-persistent service property group:as
+6284:AUE_smf_delete_pg:delete persistent service property group:as
+6285:AUE_smf_delete_npg:delete non-persistent service property group:as
+6286:AUE_smf_create_snap:create repository snapshot:as
+6287:AUE_smf_delete_snap:delete repository snapshot:as
+6288:AUE_smf_attach_snap:attach repository snapshot:as
+6289:AUE_smf_annotation:annotate transaction:as,ss
+6290:AUE_smf_create_prop:create service instance property:as
+6291:AUE_smf_change_prop:change service instance property:as
+6292:AUE_smf_delete_prop:delete service instance property:as
 #
 # Trusted Extensions events:
 #
diff --git a/usr/src/lib/libbsm/auditxml b/usr/src/lib/libbsm/auditxml
index 8681d98b35..c78cc9ae43 100644
--- a/usr/src/lib/libbsm/auditxml
+++ b/usr/src/lib/libbsm/auditxml
@@ -20,7 +20,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -534,6 +534,7 @@ extern	void	adt_set_termid(const adt_session_data_t *,
 
 extern	void	adt_get_asid(const adt_session_data_t *, au_asid_t *);
 extern	void	adt_set_asid(const adt_session_data_t *, const au_asid_t);
+extern	au_id_t	adt_get_unique_id(au_id_t);
 
 #endif
 
diff --git a/usr/src/lib/libbsm/common/adt.c b/usr/src/lib/libbsm/common/adt.c
index 473ecbcc51..aa1b01751b 100644
--- a/usr/src/lib/libbsm/common/adt.c
+++ b/usr/src/lib/libbsm/common/adt.c
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -192,8 +192,8 @@ adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
  * see a need to put a lock around it.
  */
 
-static au_id_t
-adt_get_unique_id(uid_t uid)
+au_id_t
+adt_get_unique_id(au_id_t uid)
 {
 	char		hostname[MAXHOSTNAMELEN];
 	union {
@@ -480,10 +480,10 @@ adt_set_termid(const adt_session_data_t *session_data,
 		    ADT_VALID);
 
 		((adt_internal_state_t *)session_data)->as_info.ai_termid =
-			*termid;
+		    *termid;
 
 		((adt_internal_state_t *)session_data)->as_have_user_data |=
-			ADT_HAVE_TID;
+		    ADT_HAVE_TID;
 	}
 }
 
@@ -649,7 +649,7 @@ adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term)
 		case AF_INET6:
 			/* LINTED */
 			p = &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
-			(void) memcpy(p_term->at_addr, p,
+			    (void) memcpy(p_term->at_addr, p,
 			    sizeof (((struct sockaddr_in6 *)NULL)->sin6_addr));
 			p_term->at_type = AU_IPv6;
 			break;
@@ -1515,9 +1515,9 @@ adt_changeuser(adt_internal_state_t *state, uid_t ruid)
 		state->as_info.ai_mask.am_failure |= mask.am_failure;
 	}
 	DPRINTF(("changed mask to %08X/%08X for ruid=%d\n",
-		state->as_info.ai_mask.am_success,
-		state->as_info.ai_mask.am_failure,
-		ruid));
+	    state->as_info.ai_mask.am_success,
+	    state->as_info.ai_mask.am_failure,
+	    ruid));
 	return (0);
 }
 
diff --git a/usr/src/lib/libbsm/common/adt.xml b/usr/src/lib/libbsm/common/adt.xml
index 85a5e0cbd9..589eb9744b 100644
--- a/usr/src/lib/libbsm/common/adt.xml
+++ b/usr/src/lib/libbsm/common/adt.xml
@@ -20,7 +20,7 @@
 
  CDDL HEADER END
 
-Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 Use is subject to license terms.
 
   ident	"%Z%%M%	%I%	%E% SMI"
@@ -1386,8 +1386,378 @@ Use is subject to license terms.
 	</entry>
     </event>
 
+<!-- SMF related events -->
+    <event id="AUE_smf_generic" type="generic" omit="always">
+	<!--
+	This is a template for the event types that have no tokens
+	other than the header and return. There is no allowed_type
+	list because the template is not externally visible due to the
+	omit="always".
+	-->
+	<entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	</entry>
+	<entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	    <comment>authorization used</comment>
+	</entry>
+	<entry id="fmri">
+	    <internal token="fmri"/>
+	    <external opt="required" type="char *"/>
+	    <comment>name</comment>
+	</entry>
+	<entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	</entry>
+    </event>
+
+    <event id="AUE_smf_generic_pg" type="generic" omit="always">
+	<!--
+	This is a template for the event types related to property groups.
+	There is no allowed_type list because the template is not externally
+	visible due to the omit="always".
+	-->
+	<entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	</entry>
+	<entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	    <comment>authorization used</comment>
+	</entry>
+	<entry id="fmri">
+	    <internal token="fmri"/>
+	    <external opt="required" type="char *"/>
+	</entry>
+	<entry id="type">
+	    <internal token="text"/>
+	    <external opt="required" type="char *"/>
+	    <comment>property group type</comment>
+	</entry>
+	<entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	</entry>
+    </event>
+
+    <event id="AUE_smf_enable" instance_of="AUE_smf_generic" header="0"
+	idNo="65" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_tmp_enable" instance_of="AUE_smf_generic" header="0"
+	idNo="66" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_disable" instance_of="AUE_smf_generic" header="0"
+	idNo="67" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_tmp_disable" instance_of="AUE_smf_generic" header="0"
+	idNo="68" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_restart" instance_of="AUE_smf_generic" header="0"
+	idNo="69" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_refresh" instance_of="AUE_smf_generic" header="0"
+	idNo="70" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_clear" instance_of="AUE_smf_generic" header="0"
+	idNo="71" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_degrade" instance_of="AUE_smf_generic" header="0"
+	idNo="72" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_immediate_degrade" instance_of="AUE_smf_generic"
+	header="0" idNo="73" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_maintenance" instance_of="AUE_smf_generic" header="0"
+	idNo="74" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_immediate_maintenance" instance_of="AUE_smf_generic"
+	header="0" idNo="75" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_immtmp_maintenance" instance_of="AUE_smf_generic"
+	header="0" idNo="76" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_tmp_maintenance" instance_of="AUE_smf_generic" header="0"
+	idNo="77" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+    <event id="AUE_smf_milestone" instance_of="AUE_smf_generic" header="0"
+	idNo="78" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svcadm(1M)</see>
+    </event>
+
+    <event id="AUE_smf_create" instance_of="AUE_smf_generic" header="0"
+	idNo="79" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+    </event>
+    <event id="AUE_smf_delete" instance_of="AUE_smf_generic" header="0"
+	idNo="80" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+    </event>
+
+    <event id="AUE_smf_create_pg" instance_of="AUE_smf_generic_pg" header="0"
+	idNo="81" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+    </event>
+    <event id="AUE_smf_create_npg" instance_of="AUE_smf_generic_pg" header="0"
+	idNo="82" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+    </event>
+    <event id="AUE_smf_delete_pg" instance_of="AUE_smf_generic_pg" header="0"
+	idNo="83" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+    </event>
+    <event id="AUE_smf_delete_npg" instance_of="AUE_smf_generic_pg" header="0"
+	idNo="84" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+    </event>
+
+    <event id="AUE_smf_create_snap" header="0" idNo="85" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+	<entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	</entry>
+	<entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	    <comment>authorization used</comment>
+	</entry>
+	<entry id="fmri">
+	    <internal token="fmri"/>
+	    <external opt="required" type="char *"/>
+	    <comment>name</comment>
+	</entry>
+	<entry id="name">
+	    <internal token="text"/>
+	    <external opt="required" type="char *"/>
+	    <comment>snapshot name</comment>
+	</entry>
+	<entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	</entry>
+    </event>
+    <event id="AUE_smf_delete_snap" header="0" idNo="86" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+	<entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	</entry>
+	<entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	    <comment>authorization used</comment>
+	</entry>
+	<entry id="fmri">
+	    <internal token="fmri"/>
+	    <external opt="required" type="char *"/>
+	    <comment>name</comment>
+	</entry>
+	<entry id="name">
+	    <internal token="text"/>
+	    <external opt="required" type="char *"/>
+	    <comment>snapshot name</comment>
+	</entry>
+	<entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	</entry>
+    </event>
+    <event id="AUE_smf_attach_snap" header="0" idNo="87" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+	<entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	</entry>
+	<entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	    <comment>authorization used</comment>
+	</entry>
+	<entry id="old_fmri">
+	    <internal token="fmri"/>
+	    <external opt="required" type="char *"/>
+	    <comment>old name</comment>
+	</entry>
+	<entry id="old_name">
+	    <internal token="text"/>
+	    <external opt="required" type="char *"/>
+	    <comment>old snapshot</comment>
+	</entry>
+	<entry id="new_fmri">
+	    <internal token="fmri"/>
+	    <external opt="required" type="char *"/>
+	    <comment>new name</comment>
+	</entry>
+	<entry id="new_name">
+	    <internal token="text"/>
+	    <external opt="required" type="char *"/>
+	    <comment>new snapshot</comment>
+	</entry>
+	<entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	</entry>
+    </event>
+
+    <event id="AUE_smf_annotation" header="0" idNo="88" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+	<entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	</entry>
+	<entry id="operation">
+	    <internal token="text"/>
+	    <external opt="required" type="char *"/>
+	    <comment>operation</comment>
+	</entry>
+	<entry id="file">
+	    <internal token="path"/>
+	    <external opt="required" type="char *"/>
+	    <comment>imported file</comment>
+	</entry>
+	<entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	</entry>
+    </event>
+
+    <event id="AUE_smf_create_prop" header="0" idNo="89" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+	<entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	</entry>
+	<entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	    <comment>authorization used</comment>
+	</entry>
+	<entry id="fmri">
+	    <internal token="fmri"/>
+	    <external opt="required" type="char *"/>
+	    <comment>name</comment>
+	</entry>
+	<entry id="type">
+	    <internal token="text"/>
+	    <external opt="required" type="char *"/>
+	    <comment>type</comment>
+	</entry>
+	<entry id="value">
+	    <internal token="text"/>
+	    <external opt="optional" type="char *"/>
+	    <comment>value</comment>
+	</entry>
+	<entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	</entry>
+    </event>
+
+    <event id="AUE_smf_change_prop" header="0" idNo="90" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+	<entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	</entry>
+	<entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	    <comment>authorization used</comment>
+	</entry>
+	<entry id="fmri">
+	    <internal token="fmri"/>
+	    <external opt="required" type="char *"/>
+	    <comment>name</comment>
+	</entry>
+	<entry id="type">
+	    <internal token="text"/>
+	    <external opt="required" type="char *"/>
+	    <comment>type</comment>
+	</entry>
+	<entry id="value">
+	    <internal token="text"/>
+	    <external opt="optional" type="char *"/>
+	    <comment>value</comment>
+	</entry>
+	<entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	</entry>
+    </event>
+    <event id="AUE_smf_delete_prop" header="0" idNo="91" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+	<entry id="subject">
+	    <internal token="subject"/>
+	    <external opt="none"/>
+	</entry>
+	<entry id="auth_used">
+	    <internal token="uauth"/>
+	    <external opt="required" type="char *"/>
+	    <comment>authorization used</comment>
+	</entry>
+	<entry id="fmri">
+	    <internal token="fmri"/>
+	    <external opt="required" type="char *"/>
+	    <comment>name</comment>
+	</entry>
+	<entry id="return">
+	    <internal token="return"/>
+	    <external opt="none"/>
+	</entry>
+    </event>
+
+    <event id="AUE_smf_read_prop" instance_of="AUE_smf_generic" header="0"
+	idNo="92" omit="JNI">
+	<program>svc.configd(1M)</program>
+	<see>svccfg(1M)</see>
+    </event>
+
 <!-- add new events here with the next higher idNo -->
-<!-- Highest idNo is 64, so next is 65, then fix this comment -->
+<!-- Highest idNo is 92, so next is 93, then fix this comment -->
 <!-- end of C Only events -->
 
 
diff --git a/usr/src/lib/libbsm/common/mapfile-vers b/usr/src/lib/libbsm/common/mapfile-vers
index cdadac09e6..6cff4e7554 100644
--- a/usr/src/lib/libbsm/common/mapfile-vers
+++ b/usr/src/lib/libbsm/common/mapfile-vers
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -153,6 +153,7 @@ SUNWprivate_1.1 {
 	adt_get_mask;
 	adt_get_session_id;
 	adt_get_termid;
+	adt_get_unique_id;
 	adt_import_proc;
 	adt_load_hostname;
 	adt_load_termid;
diff --git a/usr/src/lib/libscf/common/libscf_impl.h b/usr/src/lib/libscf/common/libscf_impl.h
index 6dfef8577c..f0947de5a0 100644
--- a/usr/src/lib/libscf/common/libscf_impl.h
+++ b/usr/src/lib/libscf/common/libscf_impl.h
@@ -2,9 +2,8 @@
  * CDDL HEADER START
  *
  * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License").  You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
  *
  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  * or http://www.opensolaris.org/os/licensing.
@@ -21,7 +20,7 @@
  */
 
 /*
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -41,15 +40,6 @@
 extern "C" {
 #endif
 
-#define	SCF_FMRI_SVC_PREFIX		"svc:"
-#define	SCF_FMRI_FILE_PREFIX		"file:"
-#define	SCF_FMRI_SCOPE_PREFIX		"//"
-#define	SCF_FMRI_LOCAL_SCOPE		"localhost"
-#define	SCF_FMRI_SCOPE_SUFFIX		"@localhost"
-#define	SCF_FMRI_SERVICE_PREFIX		"/"
-#define	SCF_FMRI_INSTANCE_PREFIX	":"
-#define	SCF_FMRI_PROPERTYGRP_PREFIX	"/:properties/"
-#define	SCF_FMRI_PROPERTY_PREFIX	"/"
 /*
  * This macro must be extended if additional FMRI prefixes are defined
  */
diff --git a/usr/src/lib/libscf/common/lowlevel.c b/usr/src/lib/libscf/common/lowlevel.c
index 2e31aa6e1f..ce40d0e74f 100644
--- a/usr/src/lib/libscf/common/lowlevel.c
+++ b/usr/src/lib/libscf/common/lowlevel.c
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -6871,3 +6871,49 @@ _scf_pg_is_read_protected(const scf_propertygroup_t *pg, boolean_t *out)
 		return (scf_set_error(SCF_ERROR_INTERNAL));
 	return (SCF_SUCCESS);
 }
+
+/*
+ * _scf_set_annotation: a wrapper to set the annotation fields for SMF
+ * security auditing.
+ *
+ * Fails with following in scf_error_key thread specific data:
+ *	_INVALID_ARGUMENT - operation or file too large
+ *	_NOT_BOUND
+ *	_CONNECTION_BROKEN
+ *	_INTERNAL
+ *	_NO_RESOURCES
+ */
+int
+_scf_set_annotation(scf_handle_t *h, const char *operation, const char *file)
+{
+	struct rep_protocol_annotation request;
+	struct rep_protocol_response response;
+	size_t copied;
+	int r;
+
+	request.rpr_request = REP_PROTOCOL_SET_AUDIT_ANNOTATION;
+	copied = strlcpy(request.rpr_operation,
+	    (operation == NULL) ? "" : operation,
+	    sizeof (request.rpr_operation));
+	if (copied >= sizeof (request.rpr_operation))
+		return (scf_set_error(SCF_ERROR_INVALID_ARGUMENT));
+
+	copied = strlcpy(request.rpr_file,
+	    (file == NULL) ? "" : file,
+	    sizeof (request.rpr_file));
+	if (copied >= sizeof (request.rpr_operation))
+		return (scf_set_error(SCF_ERROR_INVALID_ARGUMENT));
+
+	(void) pthread_mutex_lock(&h->rh_lock);
+	r = make_door_call(h, &request, sizeof (request),
+	    &response, sizeof (response));
+	(void) pthread_mutex_unlock(&h->rh_lock);
+
+	if (r < 0) {
+		DOOR_ERRORS_BLOCK(r);
+	}
+
+	if (response.rpr_response != REP_PROTOCOL_SUCCESS)
+		return (scf_set_error(proto_error(response.rpr_response)));
+	return (0);
+}
diff --git a/usr/src/lib/libscf/common/mapfile-vers b/usr/src/lib/libscf/common/mapfile-vers
index d64e43b026..898e8307ac 100644
--- a/usr/src/lib/libscf/common/mapfile-vers
+++ b/usr/src/lib/libscf/common/mapfile-vers
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -216,6 +216,7 @@ SUNWprivate_1.1 {
 	scf_parse_svc_fmri;
 	_scf_pg_wait;
 	_scf_request_backup;
+	_scf_set_annotation;
 	_scf_snapshot_attach;
 	_scf_snapshot_delete;
 	_scf_snapshot_take_attach;
diff --git a/usr/src/lib/libscf/inc/libscf_priv.h b/usr/src/lib/libscf/inc/libscf_priv.h
index acffe5b5d8..39c92d20b7 100644
--- a/usr/src/lib/libscf/inc/libscf_priv.h
+++ b/usr/src/lib/libscf/inc/libscf_priv.h
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -60,6 +60,9 @@ extern "C" {
 #define	SCF_PG_RESTARTER_ACTIONS_TYPE	SCF_GROUP_FRAMEWORK
 #define	SCF_PG_RESTARTER_ACTIONS_FLAGS	SCF_PG_FLAG_NONPERSISTENT
 
+#define	SCF_PROPERTY_CLEAR		((const char *)"maint_off")
+#define	SCF_PROPERTY_MAINTENANCE	((const char *)"maint_on")
+
 #define	SCF_PROPERTY_LOGFILE		((const char *)"logfile")
 #define	SCF_PROPERTY_ALT_LOGFILE	((const char *)"alt_logfile")
 
@@ -72,6 +75,19 @@ extern "C" {
 #define	SCF_FMRI_TYPE_SVC		0x1
 #define	SCF_FMRI_TYPE_FILE		0x2
 
+/*
+ * Strings for use in constructing FMRIs
+ */
+#define	SCF_FMRI_SVC_PREFIX		"svc:"
+#define	SCF_FMRI_FILE_PREFIX		"file:"
+#define	SCF_FMRI_SCOPE_PREFIX		"//"
+#define	SCF_FMRI_LOCAL_SCOPE		"localhost"
+#define	SCF_FMRI_SCOPE_SUFFIX		"@localhost"
+#define	SCF_FMRI_SERVICE_PREFIX		"/"
+#define	SCF_FMRI_INSTANCE_PREFIX	":"
+#define	SCF_FMRI_PROPERTYGRP_PREFIX	"/:properties/"
+#define	SCF_FMRI_PROPERTY_PREFIX	"/"
+
 typedef struct scf_decoration_info {
 	const char *sdi_name;
 	scf_type_t sdi_type;
@@ -304,6 +320,16 @@ int _scf_request_backup(scf_handle_t *, const char *);
 int _scf_pg_is_read_protected(const scf_propertygroup_t *, boolean_t *);
 
 /*
+ * Sets annotation data for SMF audit logging.  Once this function has been
+ * set, the next audit record will be preceded by an ADT_smf_annotation
+ * with the information provided in this function.  This function is used
+ * to mark operations which comprise multiple primitive operations such as
+ * svccfg import.
+ */
+int _scf_set_annotation(scf_handle_t *h, const char *operation,
+    const char *file);
+
+/*
  * scf_pattern_t
  */
 typedef struct scf_pattern {