search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
8322 nl: misleading-indentation
[unleashed/tickless.git] / usr / src / lib / libbsm / common / adt.c
blob8c7b299e320d23cf762a06f4cf098f5f5bd3791f
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 #include <bsm/adt.h>
27 #include <bsm/adt_event.h>
28 #include <assert.h>
29 #include <bsm/audit.h>
30 #include <bsm/audit_record.h>
31 #include <bsm/libbsm.h>
32 #include <door.h>
33 #include <errno.h>
34 #include <generic.h>
35 #include <md5.h>
36 #include <sys/mkdev.h>
37 #include <netdb.h>
38 #include <nss_dbdefs.h>
39 #include <pwd.h>
40 #include <sys/stat.h>
41 #include <time.h>
42 #include <stdlib.h>
43 #include <string.h>
44 #include <synch.h>
45 #include <sys/systeminfo.h>
46 #include <syslog.h>
47 #include <thread.h>
48 #include <unistd.h>
49 #include <adt_xlate.h>
50 #include <adt_ucred.h>
51 #include <arpa/inet.h>
52 #include <net/if.h>
53 #include <libinetutil.h>
54
55 static int adt_selected(struct adt_event_state *, au_event_t, int);
56 static int adt_init(adt_internal_state_t *, int);
57 static int adt_import(adt_internal_state_t *, const adt_export_data_t *);
58 static m_label_t *adt_ucred_label(ucred_t *);
59 static void adt_setto_unaudited(adt_internal_state_t *);
60 static int adt_get_local_address(int, struct ifaddrlist *);
61
62 #ifdef C2_DEBUG
63 #define DPRINTF(x) { (void) printf x; }
64 #define DFLUSH (void) fflush(stdout);
65 #else
66 #define DPRINTF(x)
67 #define DFLUSH
68 #endif
69
70 /*
71 * Local audit states are a bit mask
72 *
73 * The global audit states are
74 *
75 * AUC_UNSET 0 - on/off hasn't been decided
76 * AUC_ENABLED 1 - loaded and enabled
77 *
78 * The local Zone states are
79 *
80 * AUC_AUDITING 0x1 - audit daemon is active
81 * AUC_NOAUDIT 0x2 - audit daemon is not active
82 * AUC_INIT_AUDIT 0x4 - audit is ready but auditd has not run
83 * AUC_NOSPACE 0x8 - audit enabled, no space for audit records
84 *
85 * The only values returned by auditon(A_GETCOND) are:
86 * AUC_INIT_AUDIT, AUC_AUDITING, AUC_NOAUDIT, AUC_NOSPACE
87 *
88 * The pseudo audit state used when the c2audit module is excluded is
89 *
90 * AUC_DISABLED 0x100 - c2audit module is excluded
91 */
92
93 static int auditstate = AUC_DISABLED; /* default state */
94
95 /*
96 * adt_write_syslog
97 *
98 * errors that are not the user's fault (bugs or whatever in
99 * the underlying audit code are noted in syslog.)
100 *
101 * Avoid calling adt_write_syslog for things that can happen
102 * at high volume.
103 *
104 * syslog's open (openlog) and close (closelog) are interesting;
105 * openlog *may* create a file descriptor and is optional. closelog
106 * *will* close any open file descriptors and is also optional.
107 *
108 * Since syslog may also be used by the calling application, the
109 * choice is to avoid openlog, which sets some otherwise useful
110 * parameters, and to embed "Solaris_audit" in the log message.
111 */
112
113 void
114 adt_write_syslog(const char *message, int err)
115 {
116 int save_errno = errno;
117 int mask_priority;
118
119 DPRINTF(("syslog called: %s\n", message));
120
121 mask_priority = setlogmask(LOG_MASK(LOG_ALERT));
122 errno = err;
123 syslog(LOG_ALERT, "Solaris_audit %s: %m", message);
124 (void) setlogmask(mask_priority);
125 errno = save_errno;
126 }
127
128 /*
129 * return true if c2audit is not excluded.
130 *
131 * For purpose of this API, anything but AUC_DISABLED
132 * is enabled; however one never actually sees
133 * AUC_DISABLED since auditon returns ENOTSUP in that case. Any
134 * auditon error is considered the same as ENOTSUP for our
135 * purpose. auditstate is not changed by auditon if an error
136 * is returned.
137 */
138
139 /*
140 * XXX this should probably be eliminated and adt_audit_state() replace it.
141 * All the legitimate uses are to not fork a waiting process for
142 * process exit processing, as in su, login, dtlogin. Other bogus
143 * users are zoneadmd and init.
144 * All but dtlogin are in ON, so we can do this without cross gate
145 * synchronization.
146 *
147 * No longer used in adt.c.
148 */
149
150 boolean_t
151 adt_audit_enabled(void)
152 {
153
154 (void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
155
156 return (auditstate != AUC_DISABLED);
157 }
158
159 /*
160 * See adt_audit_enabled() for state discussions.
161 * The state parameter is a hedge until all the uses become clear.
162 * Likely if adt_audit_enabled is brought internal to this file,
163 * it could be modified to take one or more parameters to describe the
164 * state.
165 */
166
167 boolean_t
168 adt_audit_state(int states)
169 {
170
171 (void) auditon(A_GETCOND, (caddr_t)&auditstate, sizeof (auditstate));
172
173 return ((auditstate & states) ? B_TRUE : B_FALSE);
174 }
175
176 /*
177 * Get user_specific/non-attributable audit mask. This may be called even when
178 * auditing is off.
179 */
180
181 static int
182 adt_get_mask_from_user(uid_t uid, au_mask_t *mask)
183 {
184 struct passwd pwd;
185 long buff_sz;
186 char *pwd_buff;
187
188
189 if (auditstate & AUC_DISABLED) {
190 /* c2audit excluded */
191 mask->am_success = 0;
192 mask->am_failure = 0;
193 } else if (uid <= MAXUID) {
194 if ((buff_sz = sysconf(_SC_GETPW_R_SIZE_MAX)) == -1) {
195 adt_write_syslog("couldn't determine maximum size of "
196 "password buffer", errno);
197 return (-1);
198 }
199 if ((pwd_buff = calloc(1, (size_t)++buff_sz)) == NULL) {
200 return (-1);
201 }
202 if (getpwuid_r(uid, &pwd, pwd_buff, (int)buff_sz) == NULL) {
203 errno = EINVAL; /* user doesn't exist */
204 free(pwd_buff);
205 return (-1);
206 }
207 if (au_user_mask(pwd.pw_name, mask)) {
208 free(pwd_buff);
209 errno = EFAULT; /* undetermined failure */
210 return (-1);
211 }
212 free(pwd_buff);
213 } else if (auditon(A_GETKMASK, (caddr_t)mask, sizeof (*mask)) == -1) {
214 return (-1);
215 }
216
217 return (0);
218 }
219
220 /*
221 * adt_get_unique_id -- generate a hopefully unique 32 bit value
222 *
223 * there will be a follow up to replace this with the use of /dev/random
224 *
225 * An MD5 hash is taken on a buffer of
226 * hostname . audit id . unix time . pid . count
227 *
228 * "count = noise++;" is subject to a race condition but I don't
229 * see a need to put a lock around it.
230 */
231
232 au_asid_t
233 adt_get_unique_id(au_id_t uid)
234 {
235 char hostname[MAXHOSTNAMELEN];
236 union {
237 au_id_t v[4];
238 unsigned char obuff[128/8];
239 } output;
240 MD5_CTX context;
241
242 static int noise = 0;
243
244 int count = noise++;
245 time_t timebits = time(NULL);
246 pid_t pidbits = getpid();
247 au_asid_t retval = 0;
248
249 if (gethostname(hostname, MAXHOSTNAMELEN)) {
250 adt_write_syslog("gethostname call failed", errno);
251 (void) strncpy(hostname, "invalidHostName", MAXHOSTNAMELEN);
252 }
253
254 while (retval == 0) { /* 0 is the only invalid result */
255 MD5Init(&context);
256
257 MD5Update(&context, (unsigned char *)hostname,
258 (unsigned int) strlen((const char *)hostname));
259
260 MD5Update(&context, (unsigned char *) &uid, sizeof (uid_t));
261
262 MD5Update(&context,
263 (unsigned char *) &timebits, sizeof (time_t));
264
265 MD5Update(&context, (unsigned char *) &pidbits,
266 sizeof (pid_t));
267
268 MD5Update(&context, (unsigned char *) &(count), sizeof (int));
269 MD5Final(output.obuff, &context);
270
271 retval = output.v[count % 4];
272 }
273 return (retval);
274 }
275
276 /*
277 * the following "port" function deals with the following issues:
278 *
279 * 1 the kernel and ucred deal with a dev_t as a 64 bit value made
280 * up from a 32 bit major and 32 bit minor.
281 * 2 User space deals with a dev_t as either the above 64 bit value
282 * or a 32 bit value made from a 14 bit major and an 18 bit minor.
283 * 3 The various audit interfaces (except ucred) pass the 32 or
284 * 64 bit version depending the architecture of the userspace
285 * application. If you get a port value from ucred and pass it
286 * to the kernel via auditon(), it must be squeezed into a 32
287 * bit value because the kernel knows the userspace app's bit
288 * size.
289 *
290 * The internal state structure for adt (adt_internal_state_t) uses
291 * dev_t, so adt converts data from ucred to fit. The import/export
292 * functions, however, can't know if they are importing/exporting
293 * from 64 or 32 bit applications, so they always send 64 bits and
294 * the 32 bit end(s) are responsible to convert 32 -> 64 -> 32 as
295 * appropriate.
296 */
297
298 /*
299 * adt_cpy_tid() -- if lib is 64 bit, just copy it (dev_t and port are
300 * both 64 bits). If lib is 32 bits, squeeze the two-int port into
301 * a 32 bit dev_t. A port fits in the "minor" part of au_port_t,
302 * so it isn't broken up into pieces. (When it goes to the kernel
303 * and back, however, it will have been split into major/minor
304 * pieces.)
305 */
306
307 static void
308 adt_cpy_tid(au_tid_addr_t *dest, const au_tid64_addr_t *src)
309 {
310 #ifdef _LP64
311 (void) memcpy(dest, src, sizeof (au_tid_addr_t));
312 #else /* _LP64 */
313 dest->at_type = src->at_type;
314
315 dest->at_port = src->at_port.at_minor & MAXMIN32;
316 dest->at_port |= (src->at_port.at_major & MAXMAJ32) <<
317 NBITSMINOR32;
318
319 (void) memcpy(dest->at_addr, src->at_addr, 4 * sizeof (uint32_t));
320 #endif /* _LP64 */
321 }
322
323 /*
324 * adt_start_session -- create interface handle, create context
325 *
326 * The imported_state input is normally NULL, if not, it represents
327 * a continued session; its values obviate the need for a subsequent
328 * call to adt_set_user().
329 *
330 * The flag is used to decide how to set the initial state of the session.
331 * If 0, the session is "no audit" until a call to adt_set_user; if
332 * ADT_USE_PROC_DATA, the session is built from the process audit
333 * characteristics obtained from the kernel. If imported_state is
334 * not NULL, the resulting audit mask is an OR of the current process
335 * audit mask and that passed in.
336 *
337 * The basic model is that the caller can use the pointer returned
338 * by adt_start_session whether or not auditing is enabled or an
339 * error was returned. The functions that take the session handle
340 * as input generally return without doing anything if auditing is
341 * disabled.
342 */
343
344 int
345 adt_start_session(adt_session_data_t **new_session,
346 const adt_export_data_t *imported_state, adt_session_flags_t flags)
347 {
348 adt_internal_state_t *state;
349 adt_session_flags_t flgmask = ADT_FLAGS_ALL;
350
351 /* test and set auditstate */
352 if (adt_audit_state(AUC_DISABLED)) {
353 /* c2audit excluded */
354 *new_session = NULL;
355 return (0);
356 }
357
358 if ((flags & ~flgmask) != 0) {
359 errno = EINVAL;
360 goto return_err;
361 }
362
363 if ((state = calloc(1, sizeof (adt_internal_state_t))) == NULL) {
364 goto return_err;
365 }
366
367 if (adt_init(state, flags & ADT_USE_PROC_DATA) != 0) {
368 goto return_err_free; /* errno from adt_init() */
369 }
370
371 /*
372 * The imported state overwrites the initial state if the
373 * imported state represents a valid audit trail
374 */
375
376 if (imported_state != NULL) {
377 if (adt_import(state, imported_state) != 0) {
378 goto return_err_free;
379 }
380 } else if (flags & ADT_USE_PROC_DATA) {
381 state->as_session_model = ADT_PROCESS_MODEL;
382 }
383 state->as_flags = flags;
384 DPRINTF(("(%lld) Starting session id = %08X\n",
385 (long long) getpid(), state->as_info.ai_asid));
386
387 *new_session = (adt_session_data_t *)state;
388 return (0);
389
390 return_err_free:
391 free(state);
392 return_err:
393 *new_session = NULL;
394 adt_write_syslog("audit session create failed", errno);
395 return (-1);
396 }
397
398 /*
399 * adt_load_table()
400 *
401 * loads the event translation table into the audit session.
402 */
403
404 void
405 adt_load_table(const adt_session_data_t *session_data,
406 adt_translation_t **xlate, void (*preload)(au_event_t, adt_event_data_t *))
407 {
408 adt_internal_state_t *state = (adt_internal_state_t *)session_data;
409
410 if (state != NULL) {
411 assert(state->as_check == ADT_VALID);
412 state->as_xlate = xlate;
413 state->as_preload = preload;
414 }
415 }
416
417 /*
418 * adt_get_asid() and adt_set_asid()
419 *
420 * if you use this interface, you are responsible to insure that the
421 * rest of the session data is populated correctly before calling
422 * adt_proccess_attr()
423 *
424 * neither of these are intended for general use and will likely
425 * remain private interfaces for a long time. Forever is a long
426 * time. In the case of adt_set_asid(), you should have a very,
427 * very good reason for setting your own session id. The process
428 * audit characteristics are not changed by put, use adt_set_proc().
429 *
430 * These are "volatile" (more changable than "evolving") and will
431 * probably change in the S10 period.
432 */
433
434 void
435 adt_get_asid(const adt_session_data_t *session_data, au_asid_t *asid)
436 {
437
438 if (session_data == NULL) {
439 *asid = 0;
440 } else {
441 assert(((adt_internal_state_t *)session_data)->as_check ==
442 ADT_VALID);
443
444 *asid = ((adt_internal_state_t *)session_data)->as_info.ai_asid;
445 }
446 }
447
448 void
449 adt_set_asid(const adt_session_data_t *session_data, const au_asid_t session_id)
450 {
451
452 if (session_data != NULL) {
453 assert(((adt_internal_state_t *)session_data)->as_check ==
454 ADT_VALID);
455
456 ((adt_internal_state_t *)session_data)->as_have_user_data |=
457 ADT_HAVE_ASID;
458 ((adt_internal_state_t *)session_data)->as_info.ai_asid =
459 session_id;
460 }
461 }
462
463 /*
464 * adt_get_auid() and adt_set_auid()
465 *
466 * neither of these are intended for general use and will likely
467 * remain private interfaces for a long time. Forever is a long
468 * time. In the case of adt_set_auid(), you should have a very,
469 * very good reason for setting your own audit id. The process
470 * audit characteristics are not changed by put, use adt_set_proc().
471 */
472
473 void
474 adt_get_auid(const adt_session_data_t *session_data, au_id_t *auid)
475 {
476
477 if (session_data == NULL) {
478 *auid = AU_NOAUDITID;
479 } else {
480 assert(((adt_internal_state_t *)session_data)->as_check ==
481 ADT_VALID);
482
483 *auid = ((adt_internal_state_t *)session_data)->as_info.ai_auid;
484 }
485 }
486
487 void
488 adt_set_auid(const adt_session_data_t *session_data, const au_id_t audit_id)
489 {
490
491 if (session_data != NULL) {
492 assert(((adt_internal_state_t *)session_data)->as_check ==
493 ADT_VALID);
494
495 ((adt_internal_state_t *)session_data)->as_have_user_data |=
496 ADT_HAVE_AUID;
497 ((adt_internal_state_t *)session_data)->as_info.ai_auid =
498 audit_id;
499 }
500 }
501
502 /*
503 * adt_get_termid(), adt_set_termid()
504 *
505 * if you use this interface, you are responsible to insure that the
506 * rest of the session data is populated correctly before calling
507 * adt_proccess_attr()
508 *
509 * The process audit characteristics are not changed by put, use
510 * adt_set_proc().
511 */
512
513 void
514 adt_get_termid(const adt_session_data_t *session_data, au_tid_addr_t *termid)
515 {
516
517 if (session_data == NULL) {
518 (void) memset(termid, 0, sizeof (au_tid_addr_t));
519 termid->at_type = AU_IPv4;
520 } else {
521 assert(((adt_internal_state_t *)session_data)->as_check ==
522 ADT_VALID);
523
524 *termid =
525 ((adt_internal_state_t *)session_data)->as_info.ai_termid;
526 }
527 }
528
529 void
530 adt_set_termid(const adt_session_data_t *session_data,
531 const au_tid_addr_t *termid)
532 {
533
534 if (session_data != NULL) {
535 assert(((adt_internal_state_t *)session_data)->as_check ==
536 ADT_VALID);
537
538 ((adt_internal_state_t *)session_data)->as_info.ai_termid =
539 *termid;
540
541 ((adt_internal_state_t *)session_data)->as_have_user_data |=
542 ADT_HAVE_TID;
543 }
544 }
545
546 /*
547 * adt_get_mask(), adt_set_mask()
548 *
549 * if you use this interface, you are responsible to insure that the
550 * rest of the session data is populated correctly before calling
551 * adt_proccess_attr()
552 *
553 * The process audit characteristics are not changed by put, use
554 * adt_set_proc().
555 */
556
557 void
558 adt_get_mask(const adt_session_data_t *session_data, au_mask_t *mask)
559 {
560
561 if (session_data == NULL) {
562 mask->am_success = 0;
563 mask->am_failure = 0;
564 } else {
565 assert(((adt_internal_state_t *)session_data)->as_check ==
566 ADT_VALID);
567
568 *mask = ((adt_internal_state_t *)session_data)->as_info.ai_mask;
569 }
570 }
571
572 void
573 adt_set_mask(const adt_session_data_t *session_data, const au_mask_t *mask)
574 {
575
576 if (session_data != NULL) {
577 assert(((adt_internal_state_t *)session_data)->as_check ==
578 ADT_VALID);
579
580 ((adt_internal_state_t *)session_data)->as_info.ai_mask = *mask;
581
582 ((adt_internal_state_t *)session_data)->as_have_user_data |=
583 ADT_HAVE_MASK;
584 }
585 }
586
587 /*
588 * helpers for adt_load_termid
589 */
590
591 static void
592 adt_do_ipv6_address(struct sockaddr_in6 *peer, struct sockaddr_in6 *sock,
593 au_tid_addr_t *termid)
594 {
595
596 termid->at_port = ((peer->sin6_port<<16) | (sock->sin6_port));
597 termid->at_type = AU_IPv6;
598 (void) memcpy(termid->at_addr, &peer->sin6_addr, 4 * sizeof (uint_t));
599 }
600
601 static void
602 adt_do_ipv4_address(struct sockaddr_in *peer, struct sockaddr_in *sock,
603 au_tid_addr_t *termid)
604 {
605
606 termid->at_port = ((peer->sin_port<<16) | (sock->sin_port));
607
608 termid->at_type = AU_IPv4;
609 termid->at_addr[0] = (uint32_t)peer->sin_addr.s_addr;
610 (void) memset(&(termid->at_addr[1]), 0, 3 * sizeof (uint_t));
611 }
612
613 /*
614 * adt_load_termid: convenience function; inputs file handle and
615 * outputs an au_tid_addr struct.
616 *
617 * This code was stolen from audit_settid.c; it differs from audit_settid()
618 * in that it does not write the terminal id to the process.
619 */
620
621 int
622 adt_load_termid(int fd, adt_termid_t **termid)
623 {
624 au_tid_addr_t *p_term;
625 struct sockaddr_in6 peer;
626 struct sockaddr_in6 sock;
627 int peerlen = sizeof (peer);
628 int socklen = sizeof (sock);
629
630 /* get peer name if its a socket, else assume local terminal */
631
632 if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen)
633 < 0) {
634 if (errno == ENOTSOCK) {
635 return (adt_load_hostname(NULL, termid));
636 }
637 goto return_err;
638 }
639
640 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
641 goto return_err;
642 }
643
644 /* get sock name */
645 if (getsockname(fd, (struct sockaddr *)&sock,
646 (socklen_t *)&socklen) < 0) {
647 goto return_err_free;
648 }
649
650 if (peer.sin6_family == AF_INET6) {
651 adt_do_ipv6_address(&peer, &sock, p_term);
652 } else {
653 adt_do_ipv4_address((struct sockaddr_in *)&peer,
654 (struct sockaddr_in *)&sock, p_term);
655 }
656 *termid = (adt_termid_t *)p_term;
657
658 return (0);
659
660 return_err_free:
661 free(p_term);
662 return_err:
663 *termid = NULL;
664 return (-1);
665 }
666
667 static boolean_t
668 adt_have_termid(au_tid_addr_t *dest)
669 {
670 struct auditinfo_addr audit_data;
671
672 if (getaudit_addr(&audit_data, sizeof (audit_data)) < 0) {
673 adt_write_syslog("getaudit failed", errno);
674 return (B_FALSE);
675 }
676
677 if ((audit_data.ai_termid.at_type == 0) ||
678 (audit_data.ai_termid.at_addr[0] |
679 audit_data.ai_termid.at_addr[1] |
680 audit_data.ai_termid.at_addr[2] |
681 audit_data.ai_termid.at_addr[3]) == 0)
682 return (B_FALSE);
683
684 (void) memcpy(dest, &(audit_data.ai_termid),
685 sizeof (au_tid_addr_t));
686
687 return (B_TRUE);
688 }
689
690 /*
691 * adt_get_hostIP - construct a terminal id from a hostname
692 *
693 * Returns 0 = success
694 * -1 = failure and errno = ENETDOWN with the address
695 * defaulted to IPv4 loopback.
696 */
697
698 static int
699 adt_get_hostIP(const char *hostname, au_tid_addr_t *p_term)
700 {
701 struct addrinfo *ai = NULL;
702 int tries = 3;
703 char msg[512];
704 int eai_err;
705
706 while ((tries-- > 0) &&
707 ((eai_err = getaddrinfo(hostname, NULL, NULL, &ai)) != 0)) {
708 /*
709 * getaddrinfo returns its own set of errors.
710 * Log them here, so any subsequent syslogs will
711 * have a context. adt_get_hostIP callers can only
712 * return errno, so subsequent syslogs may be lacking
713 * that getaddrinfo failed.
714 */
715 (void) snprintf(msg, sizeof (msg), "getaddrinfo(%s) "
716 "failed[%s]", hostname, gai_strerror(eai_err));
717 adt_write_syslog(msg, 0);
718
719 if (eai_err != EAI_AGAIN) {
720
721 break;
722 }
723 /* see if resolution becomes available */
724 (void) sleep(1);
725 }
726 if (ai != NULL) {
727 if (ai->ai_family == AF_INET) {
728 p_term->at_type = AU_IPv4;
729 (void) memcpy(p_term->at_addr,
730 /* LINTED */
731 &((struct sockaddr_in *)ai->ai_addr)->sin_addr,
732 AU_IPv4);
733 } else {
734 p_term->at_type = AU_IPv6;
735 (void) memcpy(p_term->at_addr,
736 /* LINTED */
737 &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
738 AU_IPv6);
739 }
740 freeaddrinfo(ai);
741 return (0);
742 } else if (auditstate & (AUC_AUDITING | AUC_NOSPACE)) {
743 auditinfo_addr_t audit_info;
744
745 /*
746 * auditd is running so there should be a
747 * kernel audit context
748 */
749 if (auditon(A_GETKAUDIT, (caddr_t)&audit_info,
750 sizeof (audit_info)) < 0) {
751 adt_write_syslog("unable to get kernel audit context",
752 errno);
753 goto try_interface;
754 }
755 adt_write_syslog("setting Audit IP address to kernel", 0);
756 *p_term = audit_info.ai_termid;
757 return (0);
758 }
759 try_interface:
760 {
761 struct ifaddrlist al;
762 int family;
763 char ntop[INET6_ADDRSTRLEN];
764
765 /*
766 * getaddrinfo has failed to map the hostname
767 * to an IP address, try to get an IP address
768 * from a local interface. If none up, default
769 * to loopback.
770 */
771 family = AF_INET6;
772 if (adt_get_local_address(family, &al) != 0) {
773 family = AF_INET;
774
775 if (adt_get_local_address(family, &al) != 0) {
776 adt_write_syslog("adt_get_local_address "
777 "failed, no Audit IP address available, "
778 "faking loopback and error",
779 errno);
780 IN_SET_LOOPBACK_ADDR(
781 (struct sockaddr_in *)&(al.addr.addr));
782 (void) memcpy(p_term->at_addr, &al.addr.addr,
783 AU_IPv4);
784 p_term->at_type = AU_IPv4;
785 return (-1);
786 }
787 }
788 if (family == AF_INET) {
789 p_term->at_type = AU_IPv4;
790 (void) memcpy(p_term->at_addr, &al.addr.addr, AU_IPv4);
791 } else {
792 p_term->at_type = AU_IPv6;
793 (void) memcpy(p_term->at_addr, &al.addr.addr6, AU_IPv6);
794 }
795
796 (void) snprintf(msg, sizeof (msg), "mapping %s to %s",
797 hostname, inet_ntop(family, &(al.addr), ntop,
798 sizeof (ntop)));
799 adt_write_syslog(msg, 0);
800 return (0);
801 }
802 }
803
804 /*
805 * adt_load_hostname() is called when the caller does not have a file
806 * handle that gives access to the socket info or any other way to
807 * pass in both port and ip address. The hostname input is ignored if
808 * the terminal id has already been set; instead it returns the
809 * existing terminal id.
810 *
811 * If c2audit is excluded, success is returned.
812 * If the hostname lookup fails, the loopback address is assumed,
813 * errno is set to ENETDOWN, this allows the caller to interpret
814 * whether failure is fatal, and if not to have a address for the
815 * hostname.
816 * Otherwise the caller would need to be aware of the audit state.
817 *
818 * Other errors are ignored if not auditing.
819 */
820
821 int
822 adt_load_hostname(const char *hostname, adt_termid_t **termid)
823 {
824 char localhost[MAXHOSTNAMELEN + 1];
825 au_tid_addr_t *p_term;
826
827 if (adt_audit_state(AUC_DISABLED)) {
828 /* c2audit excluded */
829 *termid = NULL;
830 return (0);
831 }
832
833 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
834 goto return_err;
835 }
836
837 if (adt_have_termid(p_term)) {
838 *termid = (adt_termid_t *)p_term;
839 return (0);
840 }
841 p_term->at_port = 0;
842
843 if (hostname == NULL || *hostname == '\0') {
844 (void) sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN);
845 hostname = localhost;
846 }
847 if (adt_get_hostIP(hostname, p_term) == 0) {
848 *termid = (adt_termid_t *)p_term;
849 return (0);
850 } else {
851 *termid = (adt_termid_t *)p_term;
852 return (-1);
853 }
854
855 return_err:
856 *termid = NULL;
857 if (auditstate & AUC_NOAUDIT) {
858 return (0);
859 }
860
861 return (-1);
862 }
863
864 /*
865 * adt_load_ttyname() is called when the caller does not have a file
866 * handle that gives access to the local terminal or any other way
867 * of determining the device id. The ttyname input is ignored if
868 * the terminal id has already been set; instead it returns the
869 * existing terminal id.
870 *
871 * If c2audit is excluded, success is returned.
872 * The local hostname is used for the local IP address.
873 * If that hostname lookup fails, the loopback address is assumed,
874 * errno is set to ENETDOWN, this allows the caller to interpret
875 * whether failure is fatal, and if not to have a address for the
876 * hostname.
877 * Otherwise the caller would need to be aware of the audit state.
878 *
879 * Other errors are ignored if not auditing.
880 */
881
882 int
883 adt_load_ttyname(const char *ttyname, adt_termid_t **termid)
884 {
885 char localhost[MAXHOSTNAMELEN + 1];
886 au_tid_addr_t *p_term;
887 struct stat stat_buf;
888
889 if (adt_audit_state(AUC_DISABLED)) {
890 /* c2audit excluded */
891 *termid = NULL;
892 return (0);
893 }
894
895 if ((p_term = calloc(1, sizeof (au_tid_addr_t))) == NULL) {
896 goto return_err;
897 }
898
899 if (adt_have_termid(p_term)) {
900 *termid = (adt_termid_t *)p_term;
901 return (0);
902 }
903
904 p_term->at_port = 0;
905
906 if (sysinfo(SI_HOSTNAME, localhost, MAXHOSTNAMELEN) < 0) {
907 goto return_err_free; /* errno from sysinfo */
908 }
909
910 if (ttyname != NULL && *ttyname != '\0') {
911 if (stat(ttyname, &stat_buf) < 0) {
912 goto return_err_free;
913 }
914
915 p_term->at_port = stat_buf.st_rdev;
916 }
917
918 if (adt_get_hostIP(localhost, p_term) == 0) {
919 *termid = (adt_termid_t *)p_term;
920 return (0);
921 } else {
922 *termid = (adt_termid_t *)p_term;
923 return (-1);
924 }
925
926 return_err_free:
927 free(p_term);
928
929 return_err:
930 *termid = NULL;
931 if (auditstate & AUC_NOAUDIT) {
932 return (0);
933 }
934
935 return (-1);
936 }
937
938 /*
939 * adt_get_session_id returns a stringified representation of
940 * the audit session id. See also adt_get_asid() for how to
941 * get the unexpurgated version. No guarantees as to how long
942 * the returned string will be or its general form; hex for now.
943 *
944 * An empty string is returned if auditing is off; length = 1
945 * and the pointer is valid.
946 *
947 * returns strlen + 1 if buffer is valid; else 0 and errno.
948 */
949
950 size_t
951 adt_get_session_id(const adt_session_data_t *session_data, char **buff)
952 {
953 au_asid_t session_id;
954 size_t length;
955 /*
956 * output is 0x followed by
957 * two characters per byte
958 * plus terminator,
959 * except leading 0's are suppressed, so a few bytes may
960 * be unused.
961 */
962 length = 2 + (2 * sizeof (session_id)) + 1;
963 *buff = malloc(length);
964
965 if (*buff == NULL) {
966 return (0);
967 }
968 if (session_data == NULL) { /* NULL is not an error */
969 **buff = '\0';
970 return (1);
971 }
972 adt_get_asid(session_data, &session_id);
973
974 length = snprintf(*buff, length, "0x%X", (int)session_id);
975
976 /* length < 1 is a bug: the session data type may have changed */
977 assert(length > 0);
978
979 return (length);
980 }
981
982 /*
983 * adt_end_session -- close handle, clear context
984 *
985 * if as_check is invalid, no harm, no foul, EXCEPT that this could
986 * be an attempt to free data already free'd, so output to syslog
987 * to help explain why the process cored dumped.
988 */
989
990 int
991 adt_end_session(adt_session_data_t *session_data)
992 {
993 adt_internal_state_t *state;
994
995 if (session_data != NULL) {
996 state = (adt_internal_state_t *)session_data;
997 if (state->as_check != ADT_VALID) {
998 adt_write_syslog("freeing invalid data", EINVAL);
999 } else {
1000 state->as_check = 0;
1001 m_label_free(state->as_label);
1002 free(session_data);
1003 }
1004 }
1005 /* no errors yet defined */
1006 return (0);
1007 }
1008
1009 /*
1010 * adt_dup_session -- copy the session data
1011 */
1012
1013 int
1014 adt_dup_session(const adt_session_data_t *source, adt_session_data_t **dest)
1015 {
1016 adt_internal_state_t *source_state;
1017 adt_internal_state_t *dest_state = NULL;
1018 int rc = 0;
1019
1020 if (source != NULL) {
1021 source_state = (adt_internal_state_t *)source;
1022 assert(source_state->as_check == ADT_VALID);
1023
1024 dest_state = malloc(sizeof (adt_internal_state_t));
1025 if (dest_state == NULL) {
1026 rc = -1;
1027 goto return_rc;
1028 }
1029 (void) memcpy(dest_state, source,
1030 sizeof (struct adt_internal_state));
1031
1032 if (source_state->as_label != NULL) {
1033 dest_state->as_label = NULL;
1034 if ((rc = m_label_dup(&dest_state->as_label,
1035 source_state->as_label)) != 0) {
1036 free(dest_state);
1037 dest_state = NULL;
1038 }
1039 }
1040 }
1041 return_rc:
1042 *dest = (adt_session_data_t *)dest_state;
1043 return (rc);
1044 }
1045
1046 /*
1047 * from_export_format()
1048 * read from a network order buffer into struct adt_session_data
1049 */
1050
1051 static size_t
1052 adt_from_export_format(adt_internal_state_t *internal,
1053 const adt_export_data_t *external)
1054 {
1055 struct export_header head;
1056 struct export_link link;
1057 adr_t context;
1058 int32_t offset;
1059 int32_t length;
1060 int32_t version;
1061 size_t label_len;
1062 char *p = (char *)external;
1063
1064 adrm_start(&context, (char *)external);
1065 adrm_int32(&context, (int *)&head, 4);
1066
1067 if ((internal->as_check = head.ax_check) != ADT_VALID) {
1068 errno = EINVAL;
1069 return (0);
1070 }
1071 offset = head.ax_link.ax_offset;
1072 version = head.ax_link.ax_version;
1073 length = head.ax_buffer_length;
1074
1075 /*
1076 * Skip newer versions.
1077 */
1078 while (version > PROTOCOL_VERSION_2) {
1079 if (offset < 1) {
1080 return (0); /* failed to match version */
1081 }
1082 p += offset; /* point to next version # */
1083
1084 if (p > (char *)external + length) {
1085 return (0);
1086 }
1087 adrm_start(&context, p);
1088 adrm_int32(&context, (int *)&link, 2);
1089 offset = link.ax_offset;
1090 version = link.ax_version;
1091 assert(version != 0);
1092 }
1093 /*
1094 * Adjust buffer pointer to the first data item (euid).
1095 */
1096 if (p == (char *)external) {
1097 adrm_start(&context, (char *)(p + sizeof (head)));
1098 } else {
1099 adrm_start(&context, (char *)(p + sizeof (link)));
1100 }
1101 /*
1102 * if down rev version, neither pid nor label are included
1103 * in v1 ax_size_of_tsol_data intentionally ignored
1104 */
1105 if (version == PROTOCOL_VERSION_1) {
1106 adrm_int32(&context, (int *)&(internal->as_euid), 1);
1107 adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1108 adrm_int32(&context, (int *)&(internal->as_egid), 1);
1109 adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1110 adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1111 adrm_int32(&context,
1112 (int *)&(internal->as_info.ai_mask.am_success), 2);
1113 adrm_int32(&context,
1114 (int *)&(internal->as_info.ai_termid.at_port), 1);
1115 adrm_int32(&context,
1116 (int *)&(internal->as_info.ai_termid.at_type), 1);
1117 adrm_int32(&context,
1118 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1119 adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1120 adrm_int32(&context, (int *)&(internal->as_audit_state), 1);
1121 internal->as_pid = (pid_t)-1;
1122 internal->as_label = NULL;
1123 } else if (version == PROTOCOL_VERSION_2) {
1124 adrm_int32(&context, (int *)&(internal->as_euid), 1);
1125 adrm_int32(&context, (int *)&(internal->as_ruid), 1);
1126 adrm_int32(&context, (int *)&(internal->as_egid), 1);
1127 adrm_int32(&context, (int *)&(internal->as_rgid), 1);
1128 adrm_int32(&context, (int *)&(internal->as_info.ai_auid), 1);
1129 adrm_int32(&context,
1130 (int *)&(internal->as_info.ai_mask.am_success), 2);
1131 adrm_int32(&context,
1132 (int *)&(internal->as_info.ai_termid.at_port), 1);
1133 adrm_int32(&context,
1134 (int *)&(internal->as_info.ai_termid.at_type), 1);
1135 adrm_int32(&context,
1136 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1137 adrm_int32(&context, (int *)&(internal->as_info.ai_asid), 1);
1138 adrm_int32(&context, (int *)&(internal->as_audit_state), 1);
1139 adrm_int32(&context, (int *)&(internal->as_pid), 1);
1140 adrm_int32(&context, (int *)&label_len, 1);
1141 if (label_len > 0) {
1142 /* read in and deal with different sized labels. */
1143 size32_t my_label_len = blabel_size();
1144
1145 if ((internal->as_label =
1146 m_label_alloc(MAC_LABEL)) == NULL) {
1147 return (0);
1148 }
1149 if (label_len > my_label_len) {
1150 errno = EINVAL;
1151 m_label_free(internal->as_label);
1152 return (0);
1153 }
1154 (void) memset(internal->as_label, 0, my_label_len);
1155 adrm_int32(&context, (int *)(internal->as_label),
1156 label_len / sizeof (int32_t));
1157 } else {
1158 internal->as_label = NULL;
1159 }
1160 }
1161
1162 return (length);
1163 }
1164
1165 /*
1166 * adt_to_export_format
1167 * read from struct adt_session_data into a network order buffer.
1168 *
1169 * (network order 'cause this data may be shared with a remote host.)
1170 */
1171
1172 static size_t
1173 adt_to_export_format(adt_export_data_t *external,
1174 adt_internal_state_t *internal)
1175 {
1176 struct export_header head;
1177 struct export_link tail;
1178 adr_t context;
1179 size32_t label_len = 0;
1180
1181 adrm_start(&context, (char *)external);
1182
1183 if (internal->as_label != NULL) {
1184 label_len = blabel_size();
1185 }
1186
1187 head.ax_check = ADT_VALID;
1188 head.ax_buffer_length = sizeof (struct adt_export_data) + label_len;
1189
1190 /* version 2 first */
1191
1192 head.ax_link.ax_version = PROTOCOL_VERSION_2;
1193 head.ax_link.ax_offset = sizeof (struct export_header) +
1194 sizeof (struct adt_export_v2) + label_len;
1195
1196 adrm_putint32(&context, (int *)&head, 4);
1197
1198 adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1199 adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1200 adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1201 adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1202 adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1203 adrm_putint32(&context,
1204 (int *)&(internal->as_info.ai_mask.am_success), 2);
1205 adrm_putint32(&context,
1206 (int *)&(internal->as_info.ai_termid.at_port), 1);
1207 adrm_putint32(&context,
1208 (int *)&(internal->as_info.ai_termid.at_type), 1);
1209 adrm_putint32(&context,
1210 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1211 adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1212 adrm_putint32(&context, (int *)&(internal->as_audit_state), 1);
1213 adrm_putint32(&context, (int *)&(internal->as_pid), 1);
1214 adrm_putint32(&context, (int *)&label_len, 1);
1215 if (internal->as_label != NULL) {
1216 /* serialize the label */
1217 adrm_putint32(&context, (int *)(internal->as_label),
1218 (label_len / sizeof (int32_t)));
1219 }
1220
1221 /* now version 1 */
1222
1223 tail.ax_version = PROTOCOL_VERSION_1;
1224 tail.ax_offset = 0;
1225
1226 adrm_putint32(&context, (int *)&tail, 2);
1227
1228 adrm_putint32(&context, (int *)&(internal->as_euid), 1);
1229 adrm_putint32(&context, (int *)&(internal->as_ruid), 1);
1230 adrm_putint32(&context, (int *)&(internal->as_egid), 1);
1231 adrm_putint32(&context, (int *)&(internal->as_rgid), 1);
1232 adrm_putint32(&context, (int *)&(internal->as_info.ai_auid), 1);
1233 adrm_putint32(&context,
1234 (int *)&(internal->as_info.ai_mask.am_success), 2);
1235 adrm_putint32(&context,
1236 (int *)&(internal->as_info.ai_termid.at_port), 1);
1237 adrm_putint32(&context,
1238 (int *)&(internal->as_info.ai_termid.at_type), 1);
1239 adrm_putint32(&context,
1240 (int *)&(internal->as_info.ai_termid.at_addr[0]), 4);
1241 adrm_putint32(&context, (int *)&(internal->as_info.ai_asid), 1);
1242 adrm_putint32(&context, (int *)&(internal->as_audit_state), 1);
1243 /* ignored in v1 */
1244 adrm_putint32(&context, (int *)&label_len, 1);
1245
1246 /* finally terminator */
1247
1248 tail.ax_version = 0; /* invalid version number */
1249 tail.ax_offset = 0;
1250
1251 adrm_putint32(&context, (int *)&tail, 2);
1252
1253 return (head.ax_buffer_length);
1254 }
1255
1256 /*
1257 * adt_ucred_label() -- if label is available, duplicate it.
1258 */
1259
1260 static m_label_t *
1261 adt_ucred_label(ucred_t *uc)
1262 {
1263 m_label_t *ul = NULL;
1264
1265 if (ucred_getlabel(uc) != NULL) {
1266 (void) m_label_dup(&ul, ucred_getlabel(uc));
1267 }
1268
1269 return (ul);
1270 }
1271
1272 /*
1273 * adt_import() -- convert from network order to machine-specific order
1274 */
1275
1276 static int
1277 adt_import(adt_internal_state_t *internal, const adt_export_data_t *external)
1278 {
1279 au_mask_t mask;
1280
1281 /* save local audit state */
1282 int local_audit_state = internal->as_audit_state;
1283
1284 if (adt_from_export_format(internal, external) < 1)
1285 return (-1); /* errno from adt_from_export_format */
1286
1287 /*
1288 * If audit isn't enabled on the remote, they were unable
1289 * to generate the audit mask, so generate it based on
1290 * local configuration. If the user id has changed, the
1291 * resulting mask may miss some subtleties that occurred
1292 * on the remote system.
1293 *
1294 * If the remote failed to generate a terminal id, it is not
1295 * recoverable.
1296 */
1297
1298 if (!(internal->as_audit_state & AUC_DISABLED)) {
1299 if (adt_get_mask_from_user(internal->as_info.ai_auid,
1300 &(internal->as_info.ai_mask)))
1301 return (-1);
1302 if (internal->as_info.ai_auid != internal->as_ruid) {
1303 if (adt_get_mask_from_user(internal->as_info.ai_auid,
1304 &mask))
1305 return (-1);
1306 internal->as_info.ai_mask.am_success |=
1307 mask.am_success;
1308 internal->as_info.ai_mask.am_failure |=
1309 mask.am_failure;
1310 }
1311 }
1312 internal->as_audit_state = local_audit_state;
1313
1314 DPRINTF(("(%lld)imported asid = %X %u\n", (long long) getpid(),
1315 internal->as_info.ai_asid,
1316 internal->as_info.ai_asid));
1317
1318 internal->as_have_user_data = ADT_HAVE_ALL;
1319
1320 return (0);
1321 }
1322
1323 /*
1324 * adt_export_session_data()
1325 * copies a adt_session_data struct into a network order buffer
1326 *
1327 * In a misconfigured network, the local host may have auditing
1328 * off while the destination may have auditing on, so if there
1329 * is sufficient memory, a buffer will be returned even in the
1330 * audit off case.
1331 */
1332
1333 size_t
1334 adt_export_session_data(const adt_session_data_t *internal,
1335 adt_export_data_t **external)
1336 {
1337 size32_t length = 0;
1338
1339 if ((internal != NULL) &&
1340 ((adt_internal_state_t *)internal)->as_label != NULL) {
1341 length = blabel_size();
1342 }
1343
1344 *external = malloc(sizeof (adt_export_data_t) + length);
1345
1346 if (*external == NULL)
1347 return (0);
1348
1349 if (internal == NULL) {
1350 adt_internal_state_t *dummy;
1351
1352 dummy = malloc(sizeof (adt_internal_state_t));
1353 if (dummy == NULL)
1354 goto return_length_free;
1355
1356 if (adt_init(dummy, 0)) { /* 0 == don't copy from proc */
1357 free(dummy);
1358 goto return_length_free;
1359 }
1360 length = adt_to_export_format(*external, dummy);
1361 free(dummy);
1362 } else {
1363 length = adt_to_export_format(*external,
1364 (adt_internal_state_t *)internal);
1365 }
1366 return (length);
1367
1368 return_length_free:
1369 free(*external);
1370 *external = NULL;
1371 return (0);
1372 }
1373
1374 static void
1375 adt_setto_unaudited(adt_internal_state_t *state)
1376 {
1377 if (state->as_audit_state & AUC_DISABLED) {
1378 state->as_ruid = AU_NOAUDITID;
1379 state->as_euid = AU_NOAUDITID;
1380 state->as_rgid = AU_NOAUDITID;
1381 state->as_egid = AU_NOAUDITID;
1382 state->as_pid = (pid_t)-1;
1383 state->as_label = NULL;
1384 } else {
1385 state->as_info.ai_asid = 0;
1386 state->as_info.ai_auid = AU_NOAUDITID;
1387
1388 (void) memset((void *)&(state->as_info.ai_termid), 0,
1389 sizeof (au_tid_addr_t));
1390 state->as_info.ai_termid.at_type = AU_IPv4;
1391
1392 (void) memset((void *)&(state->as_info.ai_mask), 0,
1393 sizeof (au_mask_t));
1394 state->as_have_user_data = 0;
1395 }
1396 }
1397
1398 /*
1399 * adt_init -- set session context by copying the audit characteristics
1400 * from the proc and picking up current uid/tid information.
1401 *
1402 * By default, an audit session is based on the process; the default
1403 * is overriden by adt_set_user()
1404 */
1405
1406 static int
1407 adt_init(adt_internal_state_t *state, int use_proc_data)
1408 {
1409 /* ensure auditstate is set */
1410
1411 (void) adt_audit_state(0);
1412 state->as_audit_state = auditstate;
1413
1414 if (use_proc_data) {
1415 state->as_ruid = getuid();
1416 state->as_euid = geteuid();
1417 state->as_rgid = getgid();
1418 state->as_egid = getegid();
1419 state->as_pid = getpid();
1420
1421 if (!(state->as_audit_state & AUC_DISABLED)) {
1422 const au_tid64_addr_t *tid;
1423 const au_mask_t *mask;
1424 ucred_t *ucred = ucred_get(P_MYID);
1425
1426 /*
1427 * Even if the ucred is NULL, the underlying
1428 * credential may have a valid terminal id; if the
1429 * terminal id is set, then that's good enough. An
1430 * example of where this matters is failed login,
1431 * where rlogin/telnet sets the terminal id before
1432 * calling login; login does not load the credential
1433 * since auth failed.
1434 */
1435 if (ucred == NULL) {
1436 if (!adt_have_termid(
1437 &(state->as_info.ai_termid)))
1438 return (-1);
1439 } else {
1440 mask = ucred_getamask(ucred);
1441 if (mask != NULL) {
1442 state->as_info.ai_mask = *mask;
1443 } else {
1444 ucred_free(ucred);
1445 return (-1);
1446 }
1447 tid = ucred_getatid(ucred);
1448 if (tid != NULL) {
1449 adt_cpy_tid(&(state->as_info.ai_termid),
1450 tid);
1451 } else {
1452 ucred_free(ucred);
1453 return (-1);
1454 }
1455 state->as_info.ai_asid = ucred_getasid(ucred);
1456 state->as_info.ai_auid = ucred_getauid(ucred);
1457 state->as_label = adt_ucred_label(ucred);
1458 ucred_free(ucred);
1459 }
1460 state->as_have_user_data = ADT_HAVE_ALL;
1461 }
1462 } else {
1463 adt_setto_unaudited(state);
1464 }
1465 state->as_session_model = ADT_SESSION_MODEL; /* default */
1466
1467 if ((state->as_audit_state & (AUC_AUDITING | AUC_NOSPACE)) &&
1468 auditon(A_GETPOLICY, (caddr_t)&(state->as_kernel_audit_policy),
1469 sizeof (state->as_kernel_audit_policy))) {
1470 return (-1); /* errno set by auditon */
1471 }
1472 state->as_check = ADT_VALID;
1473 adt_load_table((adt_session_data_t *)state, &adt_xlate_table[0],
1474 &adt_preload);
1475 return (0);
1476 }
1477
1478 /*
1479 * adt_set_proc
1480 *
1481 * Copy the current session state to the process. If this function
1482 * is called, the model becomes a process model rather than a
1483 * session model.
1484 *
1485 * In the current implementation, the value state->as_have_user_data
1486 * must contain all of: ADT_HAVE_{AUID,MASK,TID,ASID}. These are all set
1487 * by adt_set_user() when the ADT_SETTID or ADT_NEW flag is passed in.
1488 *
1489 */
1490
1491 int
1492 adt_set_proc(const adt_session_data_t *session_data)
1493 {
1494 adt_internal_state_t *state;
1495
1496 if (session_data == NULL) {
1497 return (0);
1498 }
1499
1500 state = (adt_internal_state_t *)session_data;
1501
1502 assert(state->as_check == ADT_VALID);
1503
1504 if ((state->as_have_user_data & (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) !=
1505 (ADT_HAVE_ALL & ~ADT_HAVE_IDS)) {
1506 errno = EINVAL;
1507 goto return_err;
1508 }
1509
1510 if (setaudit_addr((auditinfo_addr_t *)&(state->as_info),
1511 sizeof (auditinfo_addr_t)) < 0) {
1512 goto return_err; /* errno set by setaudit_addr() */
1513 }
1514
1515 state->as_session_model = ADT_PROCESS_MODEL;
1516
1517 return (0);
1518
1519 return_err:
1520 adt_write_syslog("failed to set process audit characteristics", errno);
1521 return (-1);
1522 }
1523
1524 static int
1525 adt_newuser(adt_internal_state_t *state, uid_t ruid, au_tid_addr_t *termid)
1526 {
1527 au_tid_addr_t no_tid = {0, AU_IPv4, 0, 0, 0, 0};
1528 au_mask_t no_mask = {0, 0};
1529
1530 if (ruid == ADT_NO_AUDIT) {
1531 state->as_info.ai_auid = AU_NOAUDITID;
1532 state->as_info.ai_asid = 0;
1533 state->as_info.ai_termid = no_tid;
1534 state->as_info.ai_mask = no_mask;
1535 return (0);
1536 }
1537 state->as_info.ai_auid = ruid;
1538 state->as_info.ai_asid = adt_get_unique_id(ruid);
1539 if (termid != NULL)
1540 state->as_info.ai_termid = *termid;
1541
1542 if (adt_get_mask_from_user(ruid, &(state->as_info.ai_mask)))
1543 return (-1);
1544
1545 /* Assume intending to audit as this process */
1546
1547 if (state->as_pid == (pid_t)-1)
1548 state->as_pid = getpid();
1549
1550 if (is_system_labeled() && state->as_label == NULL) {
1551 ucred_t *ucred = ucred_get(P_MYID);
1552
1553 state->as_label = adt_ucred_label(ucred);
1554 ucred_free(ucred);
1555 }
1556
1557 return (0);
1558 }
1559
1560 static int
1561 adt_changeuser(adt_internal_state_t *state, uid_t ruid)
1562 {
1563 au_mask_t mask;
1564
1565 if (!(state->as_have_user_data & ADT_HAVE_AUID))
1566 state->as_info.ai_auid = ruid;
1567 if (!(state->as_have_user_data & ADT_HAVE_ASID))
1568 state->as_info.ai_asid = adt_get_unique_id(ruid);
1569
1570 if (ruid <= MAXEPHUID) {
1571 if (adt_get_mask_from_user(ruid, &mask))
1572 return (-1);
1573
1574 state->as_info.ai_mask.am_success |= mask.am_success;
1575 state->as_info.ai_mask.am_failure |= mask.am_failure;
1576 }
1577 DPRINTF(("changed mask to %08X/%08X for ruid=%d\n",
1578 state->as_info.ai_mask.am_success,
1579 state->as_info.ai_mask.am_failure,
1580 ruid));
1581 return (0);
1582 }
1583
1584 /*
1585 * adt_set_user -- see also adt_set_from_ucred()
1586 *
1587 * ADT_NO_ATTRIB is a valid uid/gid meaning "not known" or
1588 * "unattributed." If ruid, change the model to session.
1589 *
1590 * ADT_NO_CHANGE is a valid uid/gid meaning "do not change this value"
1591 * only valid with ADT_UPDATE.
1592 *
1593 * ADT_NO_AUDIT is the external equivalent to AU_NOAUDITID -- there
1594 * isn't a good reason to call adt_set_user() with it unless you don't
1595 * have a good value yet and intend to replace it later; auid will be
1596 * AU_NOAUDITID.
1597 *
1598 * adt_set_user should be called even if auditing is not enabled
1599 * so that adt_export_session_data() will have useful stuff to
1600 * work with.
1601 *
1602 * See the note preceding adt_set_proc() about the use of ADT_HAVE_TID
1603 * and ADT_HAVE_ALL.
1604 */
1605
1606 int
1607 adt_set_user(const adt_session_data_t *session_data, uid_t euid, gid_t egid,
1608 uid_t ruid, gid_t rgid, const adt_termid_t *termid,
1609 enum adt_user_context user_context)
1610 {
1611 adt_internal_state_t *state;
1612 int rc;
1613
1614 if (session_data == NULL) /* no session exists to audit */
1615 return (0);
1616
1617 state = (adt_internal_state_t *)session_data;
1618 assert(state->as_check == ADT_VALID);
1619
1620 switch (user_context) {
1621 case ADT_NEW:
1622 if (ruid == ADT_NO_CHANGE || euid == ADT_NO_CHANGE ||
1623 rgid == ADT_NO_CHANGE || egid == ADT_NO_CHANGE) {
1624 errno = EINVAL;
1625 return (-1);
1626 }
1627 if ((rc = adt_newuser(state, ruid,
1628 (au_tid_addr_t *)termid)) != 0)
1629 return (rc);
1630
1631 state->as_have_user_data = ADT_HAVE_ALL;
1632 break;
1633 case ADT_UPDATE:
1634 if (state->as_have_user_data != ADT_HAVE_ALL) {
1635 errno = EINVAL;
1636 return (-1);
1637 }
1638
1639 if (ruid != ADT_NO_CHANGE)
1640 if ((rc = adt_changeuser(state, ruid)) != 0)
1641 return (rc);
1642 break;
1643 case ADT_USER:
1644 if (state->as_have_user_data != ADT_HAVE_ALL) {
1645 errno = EINVAL;
1646 return (-1);
1647 }
1648 break;
1649 case ADT_SETTID:
1650 assert(termid != NULL);
1651 state->as_info.ai_termid = *((au_tid_addr_t *)termid);
1652 /* avoid fooling pam_setcred()... */
1653 state->as_info.ai_auid = AU_NOAUDITID;
1654 state->as_info.ai_asid = 0;
1655 state->as_info.ai_mask.am_failure = 0;
1656 state->as_info.ai_mask.am_success = 0;
1657 state->as_have_user_data = ADT_HAVE_TID |
1658 ADT_HAVE_AUID | ADT_HAVE_ASID | ADT_HAVE_MASK;
1659 return (0);
1660 default:
1661 errno = EINVAL;
1662 return (-1);
1663 }
1664
1665 if (ruid == ADT_NO_AUDIT) {
1666 state->as_ruid = AU_NOAUDITID;
1667 state->as_euid = AU_NOAUDITID;
1668 state->as_rgid = AU_NOAUDITID;
1669 state->as_egid = AU_NOAUDITID;
1670 } else {
1671 if (ruid != ADT_NO_CHANGE)
1672 state->as_ruid = ruid;
1673 if (euid != ADT_NO_CHANGE)
1674 state->as_euid = euid;
1675 if (rgid != ADT_NO_CHANGE)
1676 state->as_rgid = rgid;
1677 if (egid != ADT_NO_CHANGE)
1678 state->as_egid = egid;
1679 }
1680
1681 if (ruid == ADT_NO_ATTRIB) {
1682 state->as_session_model = ADT_SESSION_MODEL;
1683 }
1684
1685 return (0);
1686 }
1687
1688 /*
1689 * adt_set_from_ucred()
1690 *
1691 * an alternate to adt_set_user that fills the same role but uses
1692 * a pointer to a ucred rather than a list of id's. If the ucred
1693 * pointer is NULL, use the credential from the this process.
1694 *
1695 * A key difference is that for ADT_NEW, adt_set_from_ucred() does
1696 * not overwrite the asid and auid unless auid has not been set.
1697 * ADT_NEW differs from ADT_UPDATE in that it does not OR together
1698 * the incoming audit mask with the one that already exists.
1699 *
1700 * adt_set_from_ucred should be called even if auditing is not enabled
1701 * so that adt_export_session_data() will have useful stuff to
1702 * work with.
1703 */
1704
1705 int
1706 adt_set_from_ucred(const adt_session_data_t *session_data, const ucred_t *uc,
1707 enum adt_user_context user_context)
1708 {
1709 adt_internal_state_t *state;
1710 int rc = -1;
1711 const au_tid64_addr_t *tid64;
1712 au_tid_addr_t termid, *tid;
1713 ucred_t *ucred = (ucred_t *)uc;
1714 boolean_t local_uc = B_FALSE;
1715
1716 if (session_data == NULL) /* no session exists to audit */
1717 return (0);
1718
1719 state = (adt_internal_state_t *)session_data;
1720 assert(state->as_check == ADT_VALID);
1721
1722 if (ucred == NULL) {
1723 ucred = ucred_get(P_MYID);
1724
1725 if (ucred == NULL)
1726 goto return_rc;
1727 local_uc = B_TRUE;
1728 }
1729
1730 switch (user_context) {
1731 case ADT_NEW:
1732 tid64 = ucred_getatid(ucred);
1733 if (tid64 != NULL) {
1734 adt_cpy_tid(&termid, tid64);
1735 tid = &termid;
1736 } else {
1737 tid = NULL;
1738 }
1739 if (ucred_getauid(ucred) == AU_NOAUDITID) {
1740 adt_setto_unaudited(state);
1741 state->as_have_user_data = ADT_HAVE_ALL;
1742 rc = 0;
1743 goto return_rc;
1744 } else {
1745 state->as_info.ai_auid = ucred_getauid(ucred);
1746 state->as_info.ai_asid = ucred_getasid(ucred);
1747 state->as_info.ai_mask = *ucred_getamask(ucred);
1748 state->as_info.ai_termid = *tid;
1749 }
1750 state->as_have_user_data = ADT_HAVE_ALL;
1751 break;
1752 case ADT_UPDATE:
1753 if (state->as_have_user_data != ADT_HAVE_ALL) {
1754 errno = EINVAL;
1755 goto return_rc;
1756 }
1757
1758 if ((rc = adt_changeuser(state, ucred_getruid(ucred))) != 0)
1759 goto return_rc;
1760 break;
1761 case ADT_USER:
1762 if (state->as_have_user_data != ADT_HAVE_ALL) {
1763 errno = EINVAL;
1764 goto return_rc;
1765 }
1766 break;
1767 default:
1768 errno = EINVAL;
1769 goto return_rc;
1770 }
1771 rc = 0;
1772
1773 state->as_ruid = ucred_getruid(ucred);
1774 state->as_euid = ucred_geteuid(ucred);
1775 state->as_rgid = ucred_getrgid(ucred);
1776 state->as_egid = ucred_getegid(ucred);
1777 state->as_pid = ucred_getpid(ucred);
1778 state->as_label = adt_ucred_label(ucred);
1779
1780 return_rc:
1781 if (local_uc) {
1782 ucred_free(ucred);
1783 }
1784 return (rc);
1785 }
1786
1787 /*
1788 * adt_alloc_event() returns a pointer to allocated memory
1789 *
1790 */
1791
1792 adt_event_data_t
1793 *adt_alloc_event(const adt_session_data_t *session_data, au_event_t event_id)
1794 {
1795 struct adt_event_state *event_state;
1796 adt_internal_state_t *session_state;
1797 adt_event_data_t *return_event = NULL;
1798 /*
1799 * need to return a valid event pointer even if audit is
1800 * off, else the caller will end up either (1) keeping its
1801 * own flags for on/off or (2) writing to a NULL pointer.
1802 * If auditing is on, the session data must be valid; otherwise
1803 * we don't care.
1804 */
1805 if (session_data != NULL) {
1806 session_state = (adt_internal_state_t *)session_data;
1807 assert(session_state->as_check == ADT_VALID);
1808 }
1809 event_state = calloc(1, sizeof (struct adt_event_state));
1810 if (event_state == NULL)
1811 goto return_ptr;
1812
1813 event_state->ae_check = ADT_VALID;
1814
1815 event_state->ae_event_id = event_id;
1816 event_state->ae_session = (struct adt_internal_state *)session_data;
1817
1818 return_event = (adt_event_data_t *)&(event_state->ae_event_data);
1819
1820 /*
1821 * preload data so the adt_au_*() functions can detect un-supplied
1822 * values (0 and NULL are free via calloc()).
1823 */
1824 if (session_data != NULL) {
1825 session_state->as_preload(event_id, return_event);
1826 }
1827
1828 return_ptr:
1829 return (return_event);
1830 }
1831
1832 /*
1833 * adt_getXlateTable -- look up translation table address for event id
1834 */
1835
1836 static adt_translation_t *
1837 adt_getXlateTable(adt_translation_t **xlate, au_event_t event_id)
1838 {
1839 /* xlate_table is global in adt_xlate.c */
1840 adt_translation_t **p_xlate = xlate;
1841 adt_translation_t *p_event;
1842
1843 while (*p_xlate != NULL) {
1844 p_event = *p_xlate;
1845 if (event_id == p_event->tx_external_event)
1846 return (p_event);
1847 p_xlate++;
1848 }
1849 return (NULL);
1850 }
1851
1852 /*
1853 * adt_calcOffsets
1854 *
1855 * the call to this function is surrounded by a mutex.
1856 *
1857 * i walks down the table picking up next_token. j walks again to
1858 * calculate the offset to the input data. k points to the next
1859 * token's row. Finally, l, is used to sum the values in the
1860 * datadef array.
1861 *
1862 * What's going on? The entry array is in the order of the input
1863 * fields but the processing of array entries is in the order of
1864 * the output (see next_token). Calculating the offset to the
1865 * "next" input can't be done in the outer loop (i) since i doesn't
1866 * point to the current entry and it can't be done with the k index
1867 * because it doesn't represent the order of input fields.
1868 *
1869 * While the resulting algorithm is n**2, it is only done once per
1870 * event type.
1871 */
1872
1873 /*
1874 * adt_calcOffsets is only called once per event type, but it uses
1875 * the address alignment of memory allocated for that event as if it
1876 * were the same for all subsequently allocated memory. This is
1877 * guaranteed by calloc/malloc. Arrays take special handling since
1878 * what matters for figuring out the correct alignment is the size
1879 * of the array element.
1880 */
1881
1882 static void
1883 adt_calcOffsets(struct entry *p_entry, int tablesize, void *p_data)
1884 {
1885 int i, j;
1886 size_t this_size, prev_size;
1887 void *struct_start = p_data;
1888
1889 for (i = 0; i < tablesize; i++) {
1890 if (p_entry[i].en_type_def == NULL) {
1891 p_entry[i].en_offset = 0;
1892 continue;
1893 }
1894 prev_size = 0;
1895 p_entry[i].en_offset = (char *)p_data - (char *)struct_start;
1896
1897 for (j = 0; j < p_entry[i].en_count_types; j++) {
1898 if (p_entry[i].en_type_def[j].dd_datatype == ADT_MSG)
1899 this_size = sizeof (enum adt_generic);
1900 else
1901 this_size =
1902 p_entry[i].en_type_def[j].dd_input_size;
1903
1904 /* adj for first entry */
1905 if (prev_size == 0)
1906 prev_size = this_size;
1907
1908 if (p_entry[i].en_type_def[j].dd_datatype ==
1909 ADT_UINT32ARRAY) {
1910 p_data = (char *)adt_adjust_address(p_data,
1911 prev_size, sizeof (uint32_t)) +
1912 this_size - sizeof (uint32_t);
1913
1914 prev_size = sizeof (uint32_t);
1915 } else {
1916 p_data = adt_adjust_address(p_data, prev_size,
1917 this_size);
1918 prev_size = this_size;
1919 }
1920 }
1921 }
1922 }
1923
1924 /*
1925 * adt_generate_event
1926 * generate event record from external struct. The order is based on
1927 * the output tokens, allowing for the possibility that the input data
1928 * is in a different order.
1929 *
1930 */
1931
1932 static int
1933 adt_generate_event(const adt_event_data_t *p_extdata,
1934 struct adt_event_state *p_event,
1935 adt_translation_t *p_xlate)
1936 {
1937 struct entry *p_entry;
1938 static mutex_t lock = DEFAULTMUTEX;
1939
1940 p_entry = p_xlate->tx_first_entry;
1941 assert(p_entry != NULL);
1942
1943 p_event->ae_internal_id = p_xlate->tx_internal_event;
1944 adt_token_open(p_event);
1945
1946 /*
1947 * offsets are not pre-calculated; the initial offsets are all
1948 * 0; valid offsets are >= 0. Offsets for no-input tokens such
1949 * as subject are set to -1 by adt_calcOffset()
1950 */
1951 if (p_xlate->tx_offsetsCalculated == 0) {
1952 (void) mutex_lock(&lock);
1953 p_xlate->tx_offsetsCalculated = 1;
1954
1955 adt_calcOffsets(p_xlate->tx_top_entry, p_xlate->tx_entries,
1956 (void *)p_extdata);
1957 (void) mutex_unlock(&lock);
1958 }
1959 while (p_entry != NULL) {
1960 adt_generate_token(p_entry, (char *)p_extdata, p_event);
1961
1962 p_entry = p_entry->en_next_token;
1963 }
1964 return (adt_token_close(p_event));
1965 }
1966
1967 /*
1968 * adt_put_event -- main event generation function.
1969 * The input "event" is the address of the struct containing
1970 * event-specific data.
1971 *
1972 * However if auditing is off or the session handle
1973 * is NULL, no attempt to write a record is made.
1974 */
1975
1976 int
1977 adt_put_event(const adt_event_data_t *event, int status, int return_val)
1978 {
1979 struct adt_event_state *event_state;
1980 adt_translation_t *xlate;
1981
1982 if (event == NULL) {
1983 errno = EINVAL;
1984 return (-1);
1985 }
1986 event_state = (struct adt_event_state *)event;
1987
1988 /* if this is a broken session or not auditing, exit */
1989 if ((event_state->ae_session == NULL) ||
1990 !(event_state->ae_session->as_audit_state &
1991 (AUC_AUDITING | AUC_NOSPACE))) {
1992 return (0);
1993 }
1994
1995 assert(event_state->ae_check == ADT_VALID);
1996
1997 event_state->ae_rc = status;
1998 event_state->ae_type = return_val;
1999
2000 /* look up the event */
2001
2002 xlate = adt_getXlateTable(event_state->ae_session->as_xlate,
2003 event_state->ae_event_id);
2004
2005 if (xlate == NULL) {
2006 errno = EINVAL;
2007 return (-1);
2008 }
2009 DPRINTF(("got event %d\n", xlate->tx_internal_event));
2010
2011 if (adt_selected(event_state, xlate->tx_internal_event, status)) {
2012 return (adt_generate_event(event, event_state, xlate));
2013 }
2014
2015 return (0);
2016 }
2017
2018 /*
2019 * adt_free_event -- invalidate and free
2020 */
2021
2022 void
2023 adt_free_event(adt_event_data_t *event)
2024 {
2025 struct adt_event_state *event_state;
2026
2027 if (event == NULL)
2028 return;
2029
2030 event_state = (struct adt_event_state *)event;
2031
2032 assert(event_state->ae_check == ADT_VALID);
2033
2034 event_state->ae_check = 0;
2035
2036 free(event_state);
2037 }
2038
2039 /*
2040 * adt_is_selected -- helper to adt_selected(), below.
2041 *
2042 * "sorf" is "success or fail" status; au_preselect compares
2043 * that with success, fail, or both.
2044 */
2045
2046 static int
2047 adt_is_selected(au_event_t e, au_mask_t *m, int sorf)
2048 {
2049 int prs_sorf;
2050
2051 if (sorf == 0)
2052 prs_sorf = AU_PRS_SUCCESS;
2053 else
2054 prs_sorf = AU_PRS_FAILURE;
2055
2056 return (au_preselect(e, m, prs_sorf, AU_PRS_REREAD));
2057 }
2058
2059 /*
2060 * selected -- see if this event is preselected.
2061 *
2062 * if errors are encountered trying to check a preselection mask
2063 * or look up a user name, the event is selected. Otherwise, the
2064 * preselection mask is used for the job.
2065 */
2066
2067 static int
2068 adt_selected(struct adt_event_state *event, au_event_t actual_id, int status)
2069 {
2070 adt_internal_state_t *sp;
2071 au_mask_t namask;
2072
2073 sp = event->ae_session;
2074
2075 if ((sp->as_have_user_data & ADT_HAVE_IDS) == 0) {
2076 adt_write_syslog("No user data available", EINVAL);
2077 return (1); /* default is "selected" */
2078 }
2079
2080 /* non-attributable? */
2081 if ((sp->as_info.ai_auid == AU_NOAUDITID) ||
2082 (sp->as_info.ai_auid == ADT_NO_AUDIT)) {
2083 if (auditon(A_GETKMASK, (caddr_t)&namask,
2084 sizeof (namask)) != 0) {
2085 adt_write_syslog("auditon failure", errno);
2086 return (1);
2087 }
2088 return (adt_is_selected(actual_id, &namask, status));
2089 } else {
2090 return (adt_is_selected(actual_id, &(sp->as_info.ai_mask),
2091 status));
2092 }
2093 }
2094
2095 /*
2096 * Can't map the host name to an IP address in
2097 * adt_get_hostIP. Get something off an interface
2098 * to act as the hosts IP address for auditing.
2099 */
2100
2101 static int
2102 adt_get_local_address(int family, struct ifaddrlist *al)
2103 {
2104 struct ifaddrlist *ifal;
2105 char errbuf[ERRBUFSIZE] = "empty list";
2106 char msg[ERRBUFSIZE + 512];
2107 int ifal_count;
2108 int i;
2109
2110 if ((ifal_count = ifaddrlist(&ifal, family, 0, errbuf)) < 0) {
2111 int serrno = errno;
2112
2113 (void) snprintf(msg, sizeof (msg), "adt_get_local_address "
2114 "couldn't get %d addrlist %s", family, errbuf);
2115 adt_write_syslog(msg, serrno);
2116 errno = serrno;
2117 return (-1);
2118 }
2119
2120 for (i = 0; i < ifal_count; i++) {
2121 /*
2122 * loopback always defined,
2123 * even if there is no real address
2124 */
2125 if ((ifal[i].flags & (IFF_UP | IFF_LOOPBACK)) == IFF_UP) {
2126 break;
2127 }
2128 }
2129 if (i >= ifal_count) {
2130 free(ifal);
2131 /*
2132 * Callers of adt_get_hostIP() can only return
2133 * errno to their callers and eventually the application.
2134 * Picked one that seemed least worse for saying no
2135 * usable address for Audit terminal ID.
2136 */
2137 errno = ENETDOWN;
2138 return (-1);
2139 }
2140
2141 *al = ifal[i];
2142 free(ifal);
2143 return (0);
2144 }
unleashed repo fork