usr/src/lib/libbsm/common/au_usermask.c

   1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21
  22 /*
  23  * Copyright (c) 1992, 2010, Oracle and/or its affiliates. All rights reserved.
  24  */
  25
  26 #include <errno.h>
  27 #include <nss.h>
  28 #include <secdb.h>
  29 #include <stdlib.h>
  30 #include <string.h>
  31 #include <user_attr.h>
  32 #include <zone.h>
  33
  34 #include <bsm/libbsm.h>
  35
  36 #include <adt_xlate.h>          /* adt_write_syslog */
  37
  38 /* ARGSUSED */
  39 static int
  40 audit_flags(const char *name, kva_t *kva, void *ctxt, void *pres)
  41 {
  42         char *val;
  43
  44         if ((val = kva_match(kva, USERATTR_AUDIT_FLAGS_KW)) != NULL) {
  45                 if ((*(char **)ctxt = strdup(val)) == NULL) {
  46                         adt_write_syslog("au_user_mask strdup failed", errno);
  47                 }
  48                 return (1);
  49         }
  50         return (0);
  51 }
  52
  53 /*
  54  * Build user's audit preselection mask.
  55  *
  56  * per-user audit flags are optional and may be missing.
  57  * If global zone auditing is set, a local zone cannot reduce the default
  58  * flags.
  59  *
  60  * success flags = (system default success flags + per-user always success) -
  61  *                      per-user never success flags
  62  * failure flags = (system default failure flags + per-user always failure) -
  63  *                      per-user never failure flags
  64  */
  65
  66 int
  67 au_user_mask(char *user, au_mask_t *mask)
  68 {
  69         char            *last = NULL;
  70         char            *user_flags = NULL;
  71
  72         if (mask == NULL) {
  73                 return (-1);
  74         }
  75
  76         /*
  77          * Get the system wide default audit flags. If you can't get the
  78          * system wide flags, return an error code now and don't bother
  79          * trying to get the user specific flags.
  80          */
  81         if (auditon(A_GETAMASK, (caddr_t)mask, sizeof (*mask)) == -1) {
  82                 return (-1);
  83         }
  84
  85         /*
  86          * Get per-user audit flags.
  87          */
  88         (void) _enum_attrs(user, audit_flags, &user_flags, NULL);
  89         if (user_flags != NULL) {
  90                 au_user_ent_t  per_user;
  91
  92                 (void) getauditflagsbin(_strtok_escape(user_flags,
  93                     KV_AUDIT_DELIMIT, &last), &(per_user.au_always));
  94                 (void) getauditflagsbin(_strtok_escape(NULL,
  95                     KV_AUDIT_DELIMIT, &last), &(per_user.au_never));
  96                 /* merge default and per-user */
  97                 mask->as_success |= per_user.au_always.as_success;
  98                 mask->as_failure |= per_user.au_always.as_failure;
  99                 mask->as_success &= ~(per_user.au_never.as_success);
 100                 mask->as_failure &= ~(per_user.au_never.as_failure);
 101                 free(user_flags);
 102         }
 103
 104         return (0);
 105 }