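/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
 */

#include <errno.h>
#include <nss.h>
#include <secdb.h>
#include <stdlib.h>
#include <string.h>
#include <user_attr.h>
#include <zone.h>

#include <bsm/libbsm.h>

#include <adt_xlate.h>	/* adt_write_syslog */

/*
 * Attribute callback handed to _enum_attrs() by au_user_mask().
 *
 * Looks up USERATTR_AUDIT_FLAGS_KW in kva.  On a match, a heap copy of the
 * value is stored through ctxt (treated as a char **) and 1 is returned;
 * the caller owns that copy and must free() it.  Without a match, 0 is
 * returned and *ctxt is left untouched.
 *
 * If strdup() fails the failure is logged through adt_write_syslog() and
 * 1 is still returned with *ctxt set to NULL, so the caller cannot tell
 * "no per-user flags" apart from "out of memory" other than via syslog.
 *
 * name and pres are unused.
 */
/* ARGSUSED */
static int
audit_flags(const char *name, kva_t *kva, void *ctxt, void *pres)
{
	char *val;

	if ((val = kva_match(kva, USERATTR_AUDIT_FLAGS_KW)) != NULL) {
		if ((*(char **)ctxt = strdup(val)) == NULL) {
			adt_write_syslog("au_user_mask strdup failed", errno);
		}
		return (1);
	}
	return (0);
}

/*
 * Build user's audit preselection mask.
 *
 * per-user audit flags are optional and may be missing.
 * If global zone auditing is set, a local zone cannot reduce the default
 * flags.
 *
 * success flags = (system default success flags + per-user always success) -
 *			per-user never success flags
 * failure flags = (system default failure flags + per-user always failure) -
 *			per-user never failure flags
 *
 * Returns 0 on success; -1 if mask is NULL or the default flags cannot be
 * read with getacflg().
 *
 * NOTE(review): no zone check is visible in this function; the per-user
 * "never" flags are subtracted unconditionally.  Confirm where the
 * global-zone constraint described above is enforced.
 *
 * NOTE(review): the getauditflagsbin() results are discarded, so a
 * malformed default or per-user flag string does not fail the call.
 * Callers that need to know the mask is complete cannot learn it from
 * the return value alone.
 */

int
au_user_mask(char *user, au_mask_t *mask)
{
	char *last = NULL;
	char deflt[360];	/* matches stuff in getac*.c */
	char *user_flags = NULL;

	if (mask == NULL) {
		return (-1);
	}

	/*
	 * Get the default audit flags.
	 */

	setac();
	if (getacflg(deflt, sizeof (deflt)) != 0) {
		endac();
		return (-1);
	}
	endac();
	(void) getauditflagsbin(deflt, mask);

	/*
	 * Get per-user audit flags.  audit_flags() leaves user_flags NULL
	 * when the user has none (or when its strdup() failed), in which
	 * case the system defaults are returned unchanged.
	 */
	(void) _enum_attrs(user, audit_flags, &user_flags, NULL);
	if (user_flags != NULL) {
		/*
		 * Start from empty always/never masks.  The parse results
		 * below are not checked, so without this a parse that bails
		 * out before writing its output would merge indeterminate
		 * stack bytes into the audit mask, and the "never" merge
		 * could then silently clear audit classes.  With empty
		 * masks a failed parse leaves the defaults in place.
		 */
		au_user_ent_t per_user = { 0 };

		/*
		 * The value is split on KV_AUDIT_DELIMIT: first token is
		 * the "always" set, second the "never" set.
		 * NOTE(review): if the second token is absent the tokenizer
		 * presumably returns NULL; confirm getauditflagsbin()
		 * tolerates that.
		 */
		(void) getauditflagsbin(_strtok_escape(user_flags,
		    KV_AUDIT_DELIMIT, &last), &(per_user.au_always));
		(void) getauditflagsbin(_strtok_escape(NULL,
		    KV_AUDIT_DELIMIT, &last), &(per_user.au_never));
		/* merge default and per-user */
		mask->as_success |= per_user.au_always.as_success;
		mask->as_failure |= per_user.au_always.as_failure;
		mask->as_success &= ~(per_user.au_never.as_success);
		mask->as_failure &= ~(per_user.au_never.as_failure);
		free(user_flags);
	}

	return (0);
}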