1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2007 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <libtsnet.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <syslog.h> 30 #include <zone.h> 31 32 #include <security/pam_appl.h> 33 #include <security/pam_modules.h> 34 #include <security/pam_impl.h> 35 36 #include <tsol/label.h> 37 38 /* 39 * pam_tsol_account - Trusted Extensions account management. 40 * Validates that the user's label range contains 41 * the process label (label of the zone). 
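*/

/*
 * free_labels - release the resources held by a user label range and,
 * optionally, a process label.
 *
 * r: range returned by getuserrange(); its bounds and the range struct
 *    itself are freed.  Must not be NULL.
 * l: process label to free, or NULL when none was allocated yet.  The
 *    caller below relies on m_label_free() accepting NULL for that case
 *    (presumably a no-op, as with free(); verify against libtsol).
 */
static void
free_labels(m_range_t *r, m_label_t *l)
{
	m_label_free(r->lower_bound);
	m_label_free(r->upper_bound);
	free(r);
	m_label_free(l);
}

/*
 * pam_sm_acct_mgmt - account management entry point.
 *
 * Options (argv): "debug" enables a LOG_DEBUG trace of the inputs;
 * "allow_unlabeled" skips the remote host type policy check.  Any other
 * option is logged and ignored.
 *
 * Returns
 *   PAM_IGNORE        the system is not labeled (Trusted Extensions off)
 *   PAM_USER_UNKNOWN  no PAM_USER item is set
 *   PAM_SYSTEM_ERR    the user's range or the process label is unavailable
 *   PAM_BUF_ERR       label allocation failed
 *   PAM_PERM_DENIED   the process label is outside the user's range, or the
 *                     remote host is not SUN_CIPSO while running in the
 *                     global zone without allow_unlabeled
 *   PAM_SUCCESS       otherwise
 */
/* ARGSUSED */
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	int i;
	int debug = 0;
	int allow_unlabeled = 0;
	/*
	 * Pre-set to NULL: the pam_get_item() results are deliberately not
	 * checked below, so a failed lookup must leave a defined value for
	 * the NULL tests rather than an uninitialized pointer.
	 */
	char *user = NULL;
	char *rhost = NULL;
	m_range_t *range;
	m_label_t *plabel;

	for (i = 0; i < argc; i++) {
		if (strcmp(argv[i], "debug") == 0) {
			debug = 1;
		} else if (strcmp(argv[i], "allow_unlabeled") == 0) {
			allow_unlabeled = 1;
		} else {
			/* Unknown options are reported but do not fail the call. */
			__pam_log(LOG_AUTH | LOG_ERR,
			    "pam_tsol_account: illegal option %s", argv[i]);
		}
	}

	/* Trusted Extensions not enabled */

	if (!is_system_labeled())
		return (PAM_IGNORE);

	(void) pam_get_item(pamh, PAM_USER, (void **)&user);

	(void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);

	if (debug) {
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_tsol_account: allowed_unlabeled = %d, user %s, "
		    "rhost %s",
		    allow_unlabeled,
		    (user == NULL) ? "NULL" : (*user == '\0') ? "ZERO" :
		    user,
		    (rhost == NULL) ? "NULL" : (*rhost == '\0') ? "ZERO" :
		    rhost);
	}
	if (user == NULL || *user == '\0') {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: no user");
		return (PAM_USER_UNKNOWN);
	}

	if ((range = getuserrange(user)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: getuserrange(%s) failure", user);
		return (PAM_SYSTEM_ERR);
	}
	if ((plabel = m_label_alloc(MAC_LABEL)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: out of memory");
		/* No process label yet: only the range is released. */
		free_labels(range, NULL);
		return (PAM_BUF_ERR);
	}
	if (getplabel(plabel) < 0) {
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "pam_tsol_account: Unable to get process label %m");
		free_labels(range, plabel);
		return (PAM_SYSTEM_ERR);
	}
	/* The zone's (process) label must lie within the user's range. */
	if (!blinrange(plabel, range)) {
		free_labels(range, plabel);
		return (PAM_PERM_DENIED);
	}

	free_labels(range, plabel);

	/* Remote Host Type Policy Check */

	if ((allow_unlabeled == 0) &&
	    (getzoneid() == GLOBAL_ZONEID) &&
	    (rhost != NULL && *rhost != '\0')) {
		tsol_host_type_t host_type;

		/*
		 * Default-deny: only a SUN_CIPSO peer is accepted; UNLABELED
		 * and any unrecognized host type are refused.
		 */
		host_type = tsol_getrhtype(rhost);
		switch (host_type) {
		case SUN_CIPSO:
			break;

		case UNLABELED:
		default:
			return (PAM_PERM_DENIED);
		}
	}
	return (PAM_SUCCESS);
}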