xref: /titanic_52/usr/src/cmd/auditset/svc-auditset.c (revision 40a5c998e5462ed47916e2edfcc5016073cf8851)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
23  */
24 
25 /*
26  * svc-auditset - auditset transient service (AUDITSET_FMRI) startup method;
27  * sets non-/attributable mask in the kernel context.
28  */
29 
30 #include <audit_scf.h>
31 #include <bsm/adt.h>
32 #include <bsm/libbsm.h>
33 #include <zone.h>
34 #include <errno.h>
35 #include <locale.h>
36 #include <stdio.h>
37 
38 #if !defined(SMF_EXIT_ERR_OTHER)
39 #define	SMF_EXIT_ERR_OTHER	1
40 #endif
41 
42 /*
43  * update_kcontext() - updates the non-/attributable preselection masks in
44  * the kernel context. Returns B_TRUE on success, B_FALSE otherwise.
45  */
46 boolean_t
47 update_kcontext(int cmd, char *cmask)
48 {
49 	au_mask_t	bmask;
50 
51 	(void) getauditflagsbin(cmask, &bmask);
52 	if (auditon(cmd, (caddr_t)&bmask, sizeof (bmask)) == -1) {
53 		(void) printf("Could not update kernel context (%s).\n",
54 		    cmd == A_SETAMASK ? "A_SETAMASK" : "A_SETKMASK");
55 		return (B_FALSE);
56 	}
57 
58 #ifdef	DEBUG
59 	(void) printf("svc-auditset: %s mask set to %s",
60 	    cmd == A_SETAMASK ? "Attributable" : "Non-Attributable", cmask);
61 #endif
62 
63 	return (B_TRUE);
64 }
65 
66 int
67 main(void)
68 {
69 	char		*auditset_fmri;
70 	char		*mask_cfg;
71 	uint32_t	policy;
72 
73 	(void) setlocale(LC_ALL, "");
74 	(void) textdomain(TEXT_DOMAIN);
75 
76 	/* allow execution only inside the SMF facility */
77 	if ((auditset_fmri = getenv("SMF_FMRI")) == NULL ||
78 	    strcmp(auditset_fmri, AUDITSET_FMRI) != 0) {
79 		(void) printf(gettext("svc-auditset can be executed only "
80 		    "inside the SMF facility.\n"));
81 		return (SMF_EXIT_ERR_NOSMF);
82 	}
83 
84 	/* check the c2audit module state */
85 	if (adt_audit_state(AUC_DISABLED)) {
86 #ifdef	DEBUG
87 		if (errno == ENOTSUP) {
88 			(void) printf("c2audit module is excluded from "
89 			    "the system(4); kernel won't be updated.\n");
90 		} else {
91 			(void) printf("%s\n", strerror(errno));
92 		}
93 #endif
94 		return (SMF_EXIT_OK);
95 	}
96 
97 	/* check the audit policy */
98 	if (auditon(A_GETPOLICY, (caddr_t)&policy, 0) == -1) {
99 		(void) printf("Could not read audit policy: %s\n",
100 		    strerror(errno));
101 		return (SMF_EXIT_ERR_OTHER);
102 	}
103 
104 	if (!(policy & AUDIT_PERZONE) && (getzoneid() != GLOBAL_ZONEID))
105 		return (SMF_EXIT_OK);
106 
107 	/* update attributable mask */
108 	if (!do_getflags_scf(&mask_cfg) || mask_cfg == NULL) {
109 		(void) printf("Could not get configured attributable audit "
110 		    "flags.\n");
111 		return (SMF_EXIT_ERR_OTHER);
112 	}
113 	if (!update_kcontext(A_SETAMASK, mask_cfg)) {
114 		free(mask_cfg);
115 		return (SMF_EXIT_ERR_OTHER);
116 	}
117 	free(mask_cfg);
118 
119 	/* update non-attributable mask */
120 	if (!do_getnaflags_scf(&mask_cfg) || mask_cfg == NULL) {
121 		(void) printf("Could not get configured non-attributable "
122 		    "audit flags.\n");
123 		return (SMF_EXIT_ERR_OTHER);
124 	}
125 	if (!update_kcontext(A_SETKMASK, mask_cfg)) {
126 		free(mask_cfg);
127 		return (SMF_EXIT_ERR_OTHER);
128 	}
129 	free(mask_cfg);
130 
131 	return (SMF_EXIT_OK);
132 }
133