1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 #include <errno.h>
27 #include <nss.h>
28 #include <secdb.h>
29 #include <stdlib.h>
30 #include <string.h>
31 #include <user_attr.h>
32 #include <zone.h>
33
34 #include <bsm/libbsm.h>
35
36 #include <adt_xlate.h> /* adt_write_syslog */
37
/*
 * _enum_attrs() callback used by au_user_mask() to capture a user's
 * audit-flags attribute.
 *
 * Looks up USERATTR_AUDIT_FLAGS_KW in kva.  When the key is present, a
 * heap copy of its value is stored through ctxt, which the caller passes
 * as the address of a char *.  The caller owns that copy and must free()
 * it.  name and pres are not used.
 *
 * Returns 1 when the key was found and 0 when it was not (presumably a
 * non-zero return ends the enumeration; confirm against _enum_attrs()).
 *
 * If strdup() fails the function still returns 1 and leaves NULL in
 * *ctxt.  The failure is reported through adt_write_syslog(), but the
 * caller sees the same NULL it would see for a user with no per-user
 * flags, so the syslog record is the only trace of the dropped flags.
 */
/* ARGSUSED */
static int
audit_flags(const char *name, kva_t *kva, void *ctxt, void *pres)
{
	char	**copyp = ctxt;
	char	*flags = kva_match(kva, USERATTR_AUDIT_FLAGS_KW);

	if (flags == NULL) {
		return (0);
	}

	*copyp = strdup(flags);
	if (*copyp == NULL) {
		adt_write_syslog("au_user_mask strdup failed", errno);
	}

	return (1);
}
52
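/*
 * Build user's audit preselection mask.
 *
 * Per-user audit flags are optional and may be missing.
 * If global zone auditing is set, a local zone cannot reduce the default
 * flags.
 * NOTE(review): no zone check is visible in this function; the "never"
 * flags below are applied unconditionally.  Confirm where the zone rule
 * is enforced before relying on it.
 *
 * success flags = (system default success flags + per-user always success) -
 *		per-user never success flags
 * failure flags = (system default failure flags + per-user always failure) -
 *		per-user never failure flags
 *
 * user: name passed to _enum_attrs() for the per-user lookup.
 * mask: out parameter; receives the merged preselection mask.
 *
 * Returns 0 with *mask filled in, or -1 when mask is NULL or the system
 * default mask cannot be read with auditon(A_GETAMASK).
 *
 * Callers deciding what to audit should note that every failure after the
 * auditon() call is non-fatal: a failed lookup, a failed copy of the flag
 * string or an unparsable flag string all still return 0, with *mask
 * holding the system default plus whatever per-user bits were obtained.
 */
int
au_user_mask(char *user, au_mask_t *mask)
{
	char		*last = NULL;
	char		*user_flags = NULL;
	char		*always;
	char		*never;
	au_user_ent_t	per_user;

	if (mask == NULL) {
		return (-1);
	}

	/*
	 * Get the system wide default audit flags.  If you can't get the
	 * system wide flags, return an error code now and don't bother
	 * trying to get the user specific flags.
	 */
	if (auditon(A_GETAMASK, (caddr_t)mask, sizeof (*mask)) == -1) {
		return (-1);
	}

	/*
	 * Get per-user audit flags.  The return value is deliberately
	 * ignored: user_flags stays NULL unless audit_flags() stored a copy.
	 */
	(void) _enum_attrs(user, audit_flags, &user_flags, NULL);
	if (user_flags == NULL) {
		return (0);
	}

	/*
	 * Start from empty per-user masks so that a missing token, or a
	 * getauditflagsbin() call that fails before writing its output,
	 * cannot merge uninitialized stack contents into the caller's mask.
	 */
	(void) memset(&per_user, 0, sizeof (per_user));

	/*
	 * The attribute value is "always-flags<delim>never-flags".  Either
	 * token may be absent, in which case _strtok_escape() can hand back
	 * NULL; do not pass NULL on to the parser.
	 */
	always = _strtok_escape(user_flags, KV_AUDIT_DELIMIT, &last);
	if (always != NULL) {
		(void) getauditflagsbin(always, &(per_user.au_always));
	}
	never = _strtok_escape(NULL, KV_AUDIT_DELIMIT, &last);
	if (never != NULL) {
		(void) getauditflagsbin(never, &(per_user.au_never));
	}
	/*
	 * NOTE(review): parse errors from getauditflagsbin() are still
	 * ignored, as before; what it leaves in the mask on a malformed
	 * string is not visible here.
	 */

	/*
	 * Merge default and per-user.  "never" is applied last, so it wins
	 * over both the system default and the per-user "always" bits.
	 */
	mask->as_success |= per_user.au_always.as_success;
	mask->as_failure |= per_user.au_always.as_failure;
	mask->as_success &= ~(per_user.au_never.as_success);
	mask->as_failure &= ~(per_user.au_never.as_failure);
	free(user_flags);

	return (0);
}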
106