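/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
 */

/*
 * svc-auditset - auditset transient service (AUDITSET_FMRI) startup method;
 * sets non-/attributable mask in the kernel context.
 */

#include <audit_scf.h>
#include <bsm/adt.h>
#include <bsm/libbsm.h>
#include <errno.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>	/* getenv(), free() */
#include <string.h>	/* strcmp(), strerror() */

#if !defined(SMF_EXIT_ERR_OTHER)
#define	SMF_EXIT_ERR_OTHER	1
#endif

/*
 * update_kcontext() - updates the non-/attributable preselection masks in
 * the kernel context. Returns B_TRUE on success, B_FALSE otherwise.
 *
 *	cmd	auditon(2) command; main() passes A_SETAMASK or A_SETKMASK
 *	cmask	audit flags string to convert and hand to the kernel
 *
 * The flags string is converted with getauditflagsbin(). A string that
 * cannot be converted is treated as a failure and nothing is written to the
 * kernel: pushing a mask built from a rejected string would silently change
 * which events are preselected, and the service would still report success.
 */
boolean_t
update_kcontext(int cmd, char *cmask)
{
	au_mask_t	bmask;
	const char	*cmd_name;

	cmd_name = (cmd == A_SETAMASK) ? "A_SETAMASK" : "A_SETKMASK";

	if (cmask == NULL || getauditflagsbin(cmask, &bmask) != 0) {
		(void) printf("Could not convert audit flags (%s).\n",
		    cmd_name);
		return (B_FALSE);
	}

	if (auditon(cmd, (caddr_t)&bmask, sizeof (bmask)) == -1) {
		(void) printf("Could not update kernel context (%s).\n",
		    cmd_name);
		return (B_FALSE);
	}

#ifdef DEBUG
	(void) printf("svc-auditset: %s mask set to %s",
	    cmd == A_SETAMASK ? "Attributable" : "Non-Attributable", cmask);
#endif

	return (B_TRUE);
}

/*
 * main() - service start method. Reads the configured attributable and
 * non-attributable audit flags and installs both masks in the kernel.
 *
 * Exit status:
 *	SMF_EXIT_OK		both masks installed, or auditing is disabled
 *	SMF_EXIT_ERR_NOSMF	SMF_FMRI is unset or is not AUDITSET_FMRI
 *	SMF_EXIT_ERR_OTHER	flags could not be read, converted or installed
 */
int
main(void)
{
	char		*auditset_fmri;
	char		*mask_cfg = NULL;
	boolean_t	updated;

	(void) setlocale(LC_ALL, "");
	(void) textdomain(TEXT_DOMAIN);

	/*
	 * allow execution only inside the SMF facility
	 *
	 * SMF_FMRI comes from the environment, so this only stops the method
	 * from being run by hand by mistake; it is not an access check.
	 * NOTE(review): authorization for changing the masks is presumably
	 * enforced by auditon() itself - confirm.
	 */
	auditset_fmri = getenv("SMF_FMRI");
	if (auditset_fmri == NULL ||
	    strcmp(auditset_fmri, AUDITSET_FMRI) != 0) {
		/* translated text is passed as data, never as the format */
		(void) printf("%s", gettext("svc-auditset can be executed only "
		    "inside the SMF facility.\n"));
		return (SMF_EXIT_ERR_NOSMF);
	}

	/* check the c2audit module state */
	if (adt_audit_state(AUC_DISABLED)) {
#ifdef DEBUG
		if (errno == ENOTSUP) {
			(void) printf("c2audit module is excluded from "
			    "the system(4); kernel won't be updated.\n");
		} else {
			(void) printf("%s\n", strerror(errno));
		}
#endif
		/* nothing to configure; not an error for the service */
		return (SMF_EXIT_OK);
	}

	/* update attributable mask */
	if (!do_getflags_scf(&mask_cfg) || mask_cfg == NULL) {
		(void) printf("Could not get configured attributable audit "
		    "flags.\n");
		return (SMF_EXIT_ERR_OTHER);
	}
	updated = update_kcontext(A_SETAMASK, mask_cfg);
	free(mask_cfg);
	mask_cfg = NULL;
	if (!updated) {
		return (SMF_EXIT_ERR_OTHER);
	}

	/* update non-attributable mask */
	if (!do_getnaflags_scf(&mask_cfg) || mask_cfg == NULL) {
		(void) printf("Could not get configured non-attributable "
		    "audit flags.\n");
		return (SMF_EXIT_ERR_OTHER);
	}
	updated = update_kcontext(A_SETKMASK, mask_cfg);
	free(mask_cfg);
	mask_cfg = NULL;
	if (!updated) {
		return (SMF_EXIT_ERR_OTHER);
	}

	return (SMF_EXIT_OK);
}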