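/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"

#include <libtsnet.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <zone.h>

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_impl.h>

#include <tsol/label.h>

/*
 * pam_tsol_account - Trusted Extensions account management.
 * Validates that the user's label range contains
 * the process label (label of the zone).
 *
 * Options accepted on the pam.conf line:
 *	debug		log the decision inputs at LOG_DEBUG
 *	allow_unlabeled	skip the remote host type check
 *
 * Return values:
 *	PAM_IGNORE	Trusted Extensions is not enabled
 *	PAM_USER_UNKNOWN the PAM_USER item is unset or empty
 *	PAM_SYSTEM_ERR	a PAM item, the user's label range or the
 *			process label could not be obtained
 *	PAM_BUF_ERR	out of memory allocating the process label
 *	PAM_PERM_DENIED	the process label is outside the user's range,
 *			or (global zone only, unless allow_unlabeled)
 *			the remote host is not of type SUN_CIPSO
 *	PAM_SUCCESS	otherwise
 */

/*
 * Release a user label range and an optional process label.
 *
 * r may be NULL; otherwise its two bounds and the range itself are
 * freed.  l may be NULL (callers pass NULL before the process label
 * has been allocated).
 */
static void
free_labels(m_range_t *r, m_label_t *l)
{
	if (r != NULL) {
		m_label_free(r->lower_bound);
		m_label_free(r->upper_bound);
		free(r);
	}
	if (l != NULL)
		m_label_free(l);
}

/*
 * Parse the module options into *debug and *allow_unlabeled.
 * Unknown options are logged at LOG_ERR and otherwise ignored.
 */
static void
parse_options(int argc, const char **argv, int *debug, int *allow_unlabeled)
{
	int i;

	for (i = 0; i < argc; i++) {
		if (strcmp(argv[i], "debug") == 0) {
			*debug = 1;
		} else if (strcmp(argv[i], "allow_unlabeled") == 0) {
			*allow_unlabeled = 1;
		} else {
			__pam_log(LOG_AUTH | LOG_ERR,
			    "pam_tsol_account: illegal option %s", argv[i]);
		}
	}
}

/*
 * Remote Host Type Policy Check: the remote host must be of type
 * SUN_CIPSO.  Every other type, UNLABELED included, is rejected.
 *
 * Returns 1 when the host type is acceptable, 0 otherwise.
 */
static int
remote_host_allowed(char *rhost)
{
	tsol_host_type_t host_type = tsol_getrhtype(rhost);

	switch (host_type) {
	case SUN_CIPSO:
		return (1);

	case UNLABELED:
	default:
		/* Fail closed on unlabeled and unrecognised host types. */
		return (0);
	}
}

/* ARGSUSED */
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	int debug = 0;
	int allow_unlabeled = 0;
	/*
	 * Initialised so a failed pam_get_item() can never leave an
	 * indeterminate pointer to be dereferenced below.
	 */
	char *user = NULL;
	char *rhost = NULL;
	m_range_t *range;
	m_label_t *plabel;

	parse_options(argc, argv, &debug, &allow_unlabeled);

	/* Trusted Extensions not enabled */
	if (!is_system_labeled())
		return (PAM_IGNORE);

	/*
	 * A failure of pam_get_item() itself is a framework error,
	 * distinct from an item that is merely unset (NULL), and is
	 * reported as such instead of being ignored.
	 */
	if (pam_get_item(pamh, PAM_USER, (void **)&user) != PAM_SUCCESS) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: pam_get_item(PAM_USER) failure");
		return (PAM_SYSTEM_ERR);
	}
	if (pam_get_item(pamh, PAM_RHOST, (void **)&rhost) != PAM_SUCCESS) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: pam_get_item(PAM_RHOST) failure");
		return (PAM_SYSTEM_ERR);
	}

	if (debug) {
		/*
		 * Distinguish an unset item ("NULL") from an empty
		 * string ("ZERO"); the latter needs a dereference.
		 */
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_tsol_account: allowed_unlabeled = %d, user %s, "
		    "rhost %s",
		    allow_unlabeled,
		    (user == NULL) ? "NULL" : (*user == '\0') ? "ZERO" :
		    user,
		    (rhost == NULL) ? "NULL" : (*rhost == '\0') ? "ZERO" :
		    rhost);
	}
	if (user == NULL || *user == '\0') {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: no user");
		return (PAM_USER_UNKNOWN);
	}

	if ((range = getuserrange(user)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: getuserrange(%s) failure", user);
		return (PAM_SYSTEM_ERR);
	}
	if ((plabel = m_label_alloc(MAC_LABEL)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: out of memory");
		free_labels(range, NULL);
		return (PAM_BUF_ERR);
	}
	if (getplabel(plabel) < 0) {
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "pam_tsol_account: Unable to get process label %m");
		free_labels(range, plabel);
		return (PAM_SYSTEM_ERR);
	}

	/* The core check: the process label must lie in the user's range. */
	if (!blinrange(plabel, range)) {
		free_labels(range, plabel);
		if (debug) {
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "pam_tsol_account: process label not in range "
			    "for user %s", user);
		}
		return (PAM_PERM_DENIED);
	}

	free_labels(range, plabel);

	/*
	 * Remote Host Type Policy Check: enforced only in the global
	 * zone, only when a remote host is present, and not when the
	 * administrator opted out with allow_unlabeled.
	 */
	if (allow_unlabeled == 0 && getzoneid() == GLOBAL_ZONEID &&
	    rhost != NULL && *rhost != '\0' && !remote_host_allowed(rhost)) {
		if (debug) {
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "pam_tsol_account: remote host %s not permitted",
			    rhost);
		}
		return (PAM_PERM_DENIED);
	}
	return (PAM_SUCCESS);
}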