1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26
27 #include <netdb.h>
28 #include <netinet/in.h>
29 #include <pwd.h>
30 #include <sys/errno.h>
31 #include <sys/mutex.h>
32 #include <sys/param.h>
33 #include <sys/socket.h>
34 #include <sys/stat.h>
35 #include <sys/types.h>
36 #include <string.h>
37 #include <unistd.h>
38 #include <stdlib.h>
39 #include <alloca.h>
40 #include <sys/smedia.h>
41 #include <tsol/label.h>
42 #include "smserver.h"
43 #include <bsm/audit.h>
44 #include <bsm/libbsm.h>
45 #include <bsm/audit_uevents.h>
46 #include <bsm/audit_record.h>
47
48 /* Private Functions */
49 static int selected(au_event_t, au_mask_t *, int);
50
51 static int audit_selected(door_data_t *);
52 static int audit_na_selected(door_data_t *);
53 static int audit_save_namask(door_data_t *door_dp);
54 static int audit_save_policy(door_data_t *door_dp);
55
56 /*
57 * can_audit:
58 * Return 1 if audit module is loaded.
59 * Return 0 otherwise.
60 *
61 */
62 int
can_audit(void)63 can_audit(void)
64 {
65 static int auc = AUC_UNSET;
66 int cond = 0;
67
68 if (auditon(A_GETCOND, (caddr_t)&cond, sizeof (cond))) {
69 auc = AUC_DISABLED;
70 } else {
71 auc = cond;
72 }
73 if (auc == AUC_DISABLED)
74 return (0);
75 else return (1);
76 }
77
78 static int
audit_save_policy(door_data_t * door_dp)79 audit_save_policy(door_data_t *door_dp)
80 {
81 uint32_t policy;
82
83 if (auditon(A_GETPOLICY, (caddr_t)&policy, sizeof (policy))) {
84 return (-1);
85 }
86 door_dp->audit_policy = policy;
87 return (0);
88 }
89
90 /*
91 * audit_init():
92 * Initialize variables.
93 */
94 void
audit_init(door_data_t * door_dp)95 audit_init(door_data_t *door_dp)
96 {
97 door_dp->audit_auid = (uid_t)-1;
98 door_dp->audit_uid = (uid_t)-1;
99 door_dp->audit_euid = (uid_t)-1;
100 door_dp->audit_gid = (gid_t)-1;
101 door_dp->audit_egid = (gid_t)-1;
102 door_dp->audit_pid = -1;
103 door_dp->audit_tid.at_port = 0;
104 door_dp->audit_tid.at_type = 0;
105 door_dp->audit_tid.at_addr[0] = 0;
106 door_dp->audit_tid.at_addr[1] = 0;
107 door_dp->audit_tid.at_addr[2] = 0;
108 door_dp->audit_tid.at_addr[3] = 0;
109 door_dp->audit_namask.am_success = (int)-1;
110 door_dp->audit_namask.am_failure = (int)-1;
111 door_dp->audit_event = 0;
112 door_dp->audit_sorf = -2;
113 door_dp->audit_user = NULL;
114 door_dp->audit_text[0] = NULL;
115 door_dp->audit_text1[0] = NULL;
116 door_dp->audit_na = 0;
117 door_dp->audit_asid = (au_asid_t)(-1);
118 door_dp->audit_path = NULL;
119 }
120
121 int
audit_save_me(door_data_t * door_dp)122 audit_save_me(door_data_t *door_dp)
123 {
124 door_cred_t client_cred;
125 int ret_val;
126 int i;
127
128 ret_val = door_cred(&client_cred);
129 if (ret_val == -1)
130 return (ret_val);
131 door_dp->audit_ap.ap_pid = client_cred.dc_pid;
132 ret_val = auditon(A_GETPINFO_ADDR, (caddr_t)&door_dp->audit_ap,
133 sizeof (door_dp->audit_ap));
134 if (ret_val == -1)
135 return (ret_val);
136
137 door_dp->audit_auid = door_dp->audit_ap.ap_auid;
138 door_dp->audit_euid = client_cred.dc_euid;
139 door_dp->audit_egid = client_cred.dc_egid;
140 door_dp->audit_uid = client_cred.dc_ruid;
141 door_dp->audit_gid = client_cred.dc_rgid;
142 door_dp->audit_pid = client_cred.dc_pid;
143 door_dp->audit_asid = door_dp->audit_ap.ap_asid;
144 door_dp->audit_tid.at_port = door_dp->audit_ap.ap_termid.at_port;
145 door_dp->audit_tid.at_type = door_dp->audit_ap.ap_termid.at_type;
146 for (i = 0; i < (door_dp->audit_ap.ap_termid.at_type/4); i++)
147 door_dp->audit_tid.at_addr[i] =
148 door_dp->audit_ap.ap_termid.at_addr[i];
149 (void) audit_save_policy(door_dp);
150 return (0);
151 }
152
153 /*
154 * audit_save_namask():
155 * Save the namask using the naflags entry in the audit_control file.
156 * Return 0 if successful.
157 * Return -1, and don't change the namask, if failed.
158 * Side Effect: Sets audit_na to -1 if error, 1 if successful.
159 */
160 static int
audit_save_namask(door_data_t * door_dp)161 audit_save_namask(door_data_t *door_dp)
162 {
163 au_mask_t mask;
164
165 door_dp->audit_na = -1;
166
167 /*
168 * get non-attributable system event mask from kernel.
169 */
170 if (auditon(A_GETKMASK, (caddr_t)&mask, sizeof (mask)) != 0) {
171 return (-1);
172 }
173
174 door_dp->audit_namask.am_success = mask.am_success;
175 door_dp->audit_namask.am_failure = mask.am_failure;
176 door_dp->audit_na = 1;
177 return (0);
178 }
179
180 /*
181 * audit_audit:
182 * Cut and audit record if it is selected.
183 * Return 0, if successfully written.
184 * Return 0, if not written, and not expected to write.
185 * Return -1, if not written because of unexpected error.
186 */
187 int
audit_audit(door_data_t * door_dp)188 audit_audit(door_data_t *door_dp)
189 {
190 int ad;
191
192 if (can_audit() == 0) {
193 return (0);
194 }
195
196 if (door_dp->audit_na) {
197 if (!audit_na_selected(door_dp)) {
198 return (0);
199 }
200 } else if (!audit_selected(door_dp)) {
201 return (0);
202 }
203
204 if ((ad = au_open()) == -1) {
205 return (-1);
206 }
207
208 (void) au_write(ad, au_to_subject_ex(door_dp->audit_auid,
209 door_dp->audit_euid,
210 door_dp->audit_egid,
211 door_dp->audit_uid, door_dp->audit_gid, door_dp->audit_pid,
212 door_dp->audit_asid, &door_dp->audit_tid));
213 if (is_system_labeled())
214 (void) au_write(ad, au_to_mylabel());
215 if (door_dp->audit_policy & AUDIT_GROUP) {
216
217 int ng;
218 int maxgrp = getgroups(0, NULL);
219 gid_t *grplst = alloca(maxgrp * sizeof (gid_t));
220
221 if ((ng = getgroups(maxgrp, grplst))) {
222 (void) au_write(ad, au_to_newgroups(ng, grplst));
223 }
224 }
225 if (strlen(door_dp->audit_text) != 0) {
226 (void) au_write(ad, au_to_text(door_dp->audit_text));
227 }
228 if (strlen(door_dp->audit_text1) != 0) {
229 (void) au_write(ad, au_to_text(door_dp->audit_text1));
230 }
231 if (door_dp->audit_path != NULL) {
232 (void) au_write(ad, au_to_path(door_dp->audit_path));
233 }
234 #ifdef _LP64
235 (void) au_write(ad, au_to_return64((door_dp->audit_sorf == 0) ? 0 : -1,
236 (int64_t)door_dp->audit_sorf));
237 #else
238 (void) au_write(ad, au_to_return32((door_dp->audit_sorf == 0) ? 0 : -1,
239 (int32_t)door_dp->audit_sorf));
240 #endif
241 if (au_close(ad, 1, door_dp->audit_event) < 0) {
242 (void) au_close(ad, 0, 0);
243 return (-1);
244 }
245
246 return (0);
247 }
248
249 static int
audit_na_selected(door_data_t * door_dp)250 audit_na_selected(door_data_t *door_dp)
251 {
252 if (door_dp->audit_na == -1) {
253 return (-1);
254 }
255
256 return (selected(door_dp->audit_event,
257 &door_dp->audit_namask, door_dp->audit_sorf));
258 }
259
260 static int
audit_selected(door_data_t * door_dp)261 audit_selected(door_data_t *door_dp)
262 {
263
264 if (door_dp->audit_uid > MAXUID) {
265 (void) audit_save_namask(door_dp);
266 return (audit_na_selected(door_dp));
267 }
268
269 return (selected(door_dp->audit_event,
270 &door_dp->audit_ap.ap_mask, door_dp->audit_sorf));
271 }
272
273 static int
selected(au_event_t e,au_mask_t * m,int sorf)274 selected(au_event_t e, au_mask_t *m, int sorf)
275 {
276 int prs_sorf;
277
278 if (sorf == 0) {
279 prs_sorf = AU_PRS_SUCCESS;
280 } else if (sorf == -1) {
281 prs_sorf = AU_PRS_FAILURE;
282 } else {
283 prs_sorf = AU_PRS_BOTH;
284 }
285
286 return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD));
287 }
288