/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */
#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include <sys/types.h>
#include <sys/param.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/fcntl.h>
#include <bsm/audit.h>
#include <bsm/audit_record.h>
#include <bsm/audit_uevents.h>
#include <bsm/libbsm.h>
#include <bsm/audit_private.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <pwd.h>
#include <netinet/in.h>
#include <tsol/label.h>
#include <locale.h>
#include "generic.h"

#ifdef C2_DEBUG
#define	dprintf(x) { printf x; }
#else
#define	dprintf(x)
#endif

#define	UNKNOWN_CMD	"???"

static au_event_t	event;
static int		audit_rexd_status = 0;

static char *
build_cmd(char **cmd)
{
	int i, l;
	char *r;

	if (cmd == NULL)
		return (NULL);
	/* count the total length of command line */
	for (i = 0, l = 0; cmd[i] != NULL; i++)
		l += strlen(cmd[i]) + 1;

	if (l == 0)
		return (NULL);
	r = malloc(l);
	if (r != NULL) {
		for (i = 0; cmd[i] != NULL; i++) {
			(void) strcat(r, cmd[i]);
			if (cmd[i + 1] != NULL)
				(void) strcat(r, " ");
		}
	}
	return (r);
}

static int
selected(uid, user, event, sf)
uid_t uid;
char	*user;
au_event_t	event;
int	sf;
{
	int	rc, sorf;
	char	naflags[512];
	struct au_mask mask;

	mask.am_success = mask.am_failure = 0;
	if (uid > MAXEPHUID) {
		rc = getacna(naflags, 256); /* get non-attrib flags */
		if (rc == 0)
			(void) getauditflagsbin(naflags, &mask);
	} else {
		rc = au_user_mask(user, &mask);
	}

	if (sf == 0)
		sorf = AU_PRS_SUCCESS;
	else if (sf == -1)
		sorf = AU_PRS_FAILURE;
	else
		sorf = AU_PRS_BOTH;
	rc = au_preselect(event, &mask, sorf, AU_PRS_REREAD);
	return (rc);
}

void
audit_rexd_setup()
{
	dprintf(("audit_rexd_setup()\n"));

	event = AUE_rexd;
}

/* ARGSUSED */
static void
audit_rexd_session_setup(char *name, char *mach, uid_t uid)
{
	int			rc;
	au_mask_t		mask;
	struct auditinfo_addr	info;

	if (getaudit_addr(&info, sizeof (info)) < 0) {
		perror("getaudit_addr");
		exit(1);
	}

	info.ai_auid = uid;
	info.ai_asid = getpid();

	mask.am_success = 0;
	mask.am_failure = 0;

	(void) au_user_mask(name, &mask);

	info.ai_mask.am_success  = mask.am_success;
	info.ai_mask.am_failure  = mask.am_failure;

	rc = setaudit_addr(&info, sizeof (info));
	if (rc < 0) {
		perror("setaudit_addr");
	}
}

void
audit_rexd_fail(msg, hostname, user, uid, gid, shell, cmd)
	char	*msg;		/* message containing failure information */
	char	*hostname;	/* hostname of machine requesting service */
	char	*user;		/* username of user requesting service */
	uid_t 	uid;		/* user id of user requesting service */
	gid_t	gid;		/* group of user requesting service */
	char	*shell;		/* login shell of user requesting service */
	char	**cmd;		/* argv to be executed locally */
{
	int	rd;		/* audit record descriptor */
	char	buf[256];	/* temporary buffer */
	char	*tbuf;		/* temporary buffer */
	int	tlen;
	const char *gtxt;	/* gettext return value */
	pid_t	pid;
	char	*cmdbuf;
	char	*audit_cmd[2] = {NULL, NULL};
	int	dont_free = 0;
	struct auditinfo_addr info;

	dprintf(("audit_rexd_fail()\n"));

	/*
	 * check if audit_rexd_fail() or audit_rexd_success()
	 * have been called already.
	 */
	if (audit_rexd_status == 1) {
		return;
	}

	if (cannot_audit(0)) {
		return;
	}

	/*
	 * set status to prevent multiple calls
	 * to audit_rexd_fail() and audit_rexd_success()
	 */
	audit_rexd_status = 1;

	/* determine if we're preselected */
	if (!selected(uid, user, event, -1))
		return;

	pid = getpid();

	if (getaudit_addr(&info, sizeof (info)) < 0) {
		perror("getaudit_addr");
		exit(1);
	}

	rd = au_open();

	/* add subject token */
	(void) au_write(rd,
		au_to_subject_ex(uid, uid, gid, uid, gid, pid, pid,
			&info.ai_termid));
	if (is_system_labeled())
		(void) au_write(rd, au_to_mylabel());

	/* add reason for failure */
	(void) au_write(rd, au_to_text(msg));

	/* add hostname of machine requesting service */
	(void) snprintf(buf, sizeof (buf), dgettext(bsm_dom,
		"Remote execution requested by: %s"), hostname);
	(void) au_write(rd, au_to_text(buf));

	/* add username of user requesting service */
	if (user == NULL)
		user = "???";
	(void) snprintf(buf, sizeof (buf), dgettext(bsm_dom,
	    "Username: %s"), user);
	(void) au_write(rd, au_to_text(buf));

	(void) snprintf(buf, sizeof (buf), dgettext(bsm_dom,
	    "User id: %d"), uid);
	(void) au_write(rd, au_to_text(buf));

	if (cmd == NULL) {
		audit_cmd[0] = shell;
		cmd = audit_cmd;
	}

	cmdbuf = build_cmd(cmd);
	if (cmdbuf == NULL) {
		cmdbuf = UNKNOWN_CMD;
		dont_free = 1;
	}

	gtxt = dgettext(bsm_dom, "Command line: %s");
	/* over estimate of size of buffer needed (%s is replaced) */
	tlen = strlen(cmdbuf) + strlen(gtxt) + 1;

	if ((tbuf = malloc(tlen)) == NULL) {
		(void) au_close(rd, 0, 0);
		return;
	}
	(void) snprintf(tbuf, tlen, gtxt, cmdbuf);
	(void) au_write(rd, au_to_text(tbuf));
	(void) free(tbuf);
	if (!dont_free)
		(void) free(cmdbuf);

	/* add return token */
#ifdef _LP64
	(void) au_write(rd, au_to_return64(-1, (int64_t)0));
#else
	(void) au_write(rd, au_to_return32(-1, (int32_t)0));
#endif

	/* write audit record */
	if (au_close(rd, 1, event) < 0) {
		(void) au_close(rd, 0, 0);
		return;
	}
}

void
audit_rexd_success(hostname, user, uid, gid, shell, cmd)
char	*hostname;	/* hostname of machine requesting service */
char	*user;		/* username of user requesting service, may be NULL */
uid_t 	uid;		/* user id of user requesting service */
gid_t	gid;		/* group of user requesting service */
char	*shell;		/* login shell of user requesting service */
char	**cmd;		/* argv to be executed locally, may be NULL */
{
	int	rd;			/* audit record descriptor */
	char	buf[256];	/* temporary buffer */
	char	*tbuf;		/* temporary buffer */
	int	tlen;
	const char *gtxt;
	pid_t	pid;
	char	*cmdbuf;
	char	*audit_cmd[2] = {NULL, NULL};
	int	dont_free = 0;
	struct auditinfo_addr info;
	char	*empty = "";

	dprintf(("audit_rexd_success()\n"));

	/*
	 * check if audit_rexd_fail() or audit_rexd_success()
	 * have been called already.
	 */
	if (audit_rexd_status == 1) {
		return;
	}

	if (cannot_audit(0)) {
		return;
	}

	/* a little bullet proofing... */

	if (hostname == NULL)
		hostname = empty;
	if (shell == NULL)
		shell = empty;

	/*
	 * set status to prevent multiple calls
	 * to audit_rexd_fail() and audit_rexd_success()
	 */
	audit_rexd_status = 1;

	/* determine if we're preselected */
	if (!selected(uid, user, event, 0))
		goto rexd_audit_session;

	pid = getpid();

	if (getaudit_addr(&info, sizeof (info)) < 0) {
		perror("getaudit_addr");
		exit(1);
	}

	rd = au_open();

	/* add subject token */
	(void) au_write(rd,
		au_to_subject_ex(uid, uid, gid, uid, gid, pid, pid,
			&info.ai_termid));
	if (is_system_labeled())
		(void) au_write(rd, au_to_mylabel());

	/* add hostname of machine requesting service */

	(void) snprintf(buf, sizeof (buf), dgettext(bsm_dom,
		"Remote execution requested by: %s"), hostname);
	(void) au_write(rd, au_to_text(buf));

	/* add username at machine requesting service */
	(void) snprintf(buf, sizeof (buf), dgettext(bsm_dom,
	    "Username: %s"), user);
	(void) au_write(rd, au_to_text(buf));

	if (cmd == NULL) {
		audit_cmd[0] = shell;
		cmd = audit_cmd;
	}

	cmdbuf = build_cmd(cmd);
	if (cmdbuf == NULL) {
		cmdbuf = UNKNOWN_CMD;
		dont_free = 1;
	}

	gtxt = dgettext(bsm_dom, "Command line: %s");
	tlen = strlen(cmdbuf) + strlen(gtxt) + 1;

	if ((tbuf = malloc(tlen)) == NULL) {
		(void) au_close(rd, 0, 0);
		goto rexd_audit_session;
	}

	(void) snprintf(tbuf, tlen, gtxt, cmdbuf);
	(void) au_write(rd, au_to_text(tbuf));
	(void) free(tbuf);
	if (!dont_free)
		(void) free(cmdbuf);

	/* add return token */
#ifdef _LP64
	(void) au_write(rd, au_to_return64(0, (int64_t)0));
#else
	(void) au_write(rd, au_to_return32(0, (int32_t)0));
#endif

	/* write audit record */
	if (au_close(rd, 1, event) < 0) {
		(void) au_close(rd, 0, 0);
	}

rexd_audit_session:
	audit_rexd_session_setup(user, hostname, uid);
}