0
|
1 |
/*
|
|
2 |
* CDDL HEADER START
|
|
3 |
*
|
|
4 |
* The contents of this file are subject to the terms of the
|
|
5 |
* Common Development and Distribution License, Version 1.0 only
|
|
6 |
* (the "License"). You may not use this file except in compliance
|
|
7 |
* with the License.
|
|
8 |
*
|
|
9 |
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
|
10 |
* or http://www.opensolaris.org/os/licensing.
|
|
11 |
* See the License for the specific language governing permissions
|
|
12 |
* and limitations under the License.
|
|
13 |
*
|
|
14 |
* When distributing Covered Code, include this CDDL HEADER in each
|
|
15 |
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
|
16 |
* If applicable, add the following below this CDDL HEADER, with the
|
|
17 |
* fields enclosed by brackets "[]" replaced with your own identifying
|
|
18 |
* information: Portions Copyright [yyyy] [name of copyright owner]
|
|
19 |
*
|
|
20 |
* CDDL HEADER END
|
|
21 |
*/
|
|
22 |
/*
|
|
23 |
* Copyright 2003 Sun Microsystems, Inc. All rights reserved.
|
|
24 |
* Use is subject to license terms.
|
|
25 |
*/
|
|
26 |
#pragma ident "%Z%%M% %I% %E% SMI"
|
|
27 |
|
|
28 |
#include <sys/types.h>
|
|
29 |
#include <stdio.h>
|
|
30 |
#include <bsm/audit.h>
|
|
31 |
#include <bsm/audit_uevents.h>
|
|
32 |
#include <bsm/libbsm.h>
|
|
33 |
#include <bsm/audit_private.h>
|
|
34 |
#include <netinet/in.h>
|
|
35 |
#include <generic.h>
|
|
36 |
#include <pwd.h>
|
|
37 |
#include <strings.h>
|
|
38 |
#include <stdlib.h>
|
|
39 |
#include <unistd.h>
|
|
40 |
|
|
41 |
#ifdef C2_DEBUG
|
|
42 |
#define dprintf(x) {printf x; }
|
|
43 |
#else
|
|
44 |
#define dprintf(x)
|
|
45 |
#endif
|
|
46 |
|
|
47 |
static void audit_inetd_session_setup(struct passwd *);
|
|
48 |
static au_tid_addr_t audit_inetd_tid;
|
|
49 |
static int auditingisoff;
|
|
50 |
static au_class_t eventclass;
|
|
51 |
static int preselected;
|
|
52 |
static au_mask_t kmask;
|
|
53 |
|
|
54 |
int
|
|
55 |
audit_inetd_config(void)
|
|
56 |
{
|
|
57 |
struct au_event_ent *ee;
|
|
58 |
|
|
59 |
/*
|
|
60 |
* If auditing is turned off, then don't do anything.
|
|
61 |
* Especially don't return an error
|
|
62 |
*/
|
|
63 |
if (auditingisoff = cannot_audit(0)) {
|
|
64 |
return (0);
|
|
65 |
}
|
|
66 |
aug_save_event(AUE_inetd_connect);
|
|
67 |
if (cacheauevent(&ee, AUE_inetd_connect) != 1)
|
|
68 |
return (1);
|
|
69 |
|
|
70 |
eventclass = ee->ae_class;
|
|
71 |
|
|
72 |
return (0);
|
|
73 |
}
|
|
74 |
|
|
75 |
/*
|
|
76 |
* save terminal ID for user level audit record generation
|
|
77 |
*/
|
|
78 |
int
|
|
79 |
audit_inetd_termid(int fd)
|
|
80 |
{
|
|
81 |
struct sockaddr_in6 peer;
|
|
82 |
struct sockaddr_in6 sock;
|
|
83 |
int peerlen = sizeof (peer);
|
|
84 |
int socklen = sizeof (sock);
|
|
85 |
uint_t port;
|
|
86 |
uint32_t *addr;
|
|
87 |
auditinfo_addr_t ai;
|
|
88 |
|
|
89 |
if (auditingisoff) {
|
|
90 |
return (0);
|
|
91 |
}
|
|
92 |
|
|
93 |
(void) aug_save_namask();
|
|
94 |
|
|
95 |
/* quick preslection */
|
|
96 |
if (auditon(A_GETKMASK, (caddr_t)&kmask, sizeof (kmask)) < 0) {
|
|
97 |
/* should generate syslog message here or in inetd.c */
|
|
98 |
preselected = 0;
|
|
99 |
return (1);
|
|
100 |
}
|
|
101 |
|
|
102 |
/* now see if we're preselected. Ignore success/failure for now */
|
|
103 |
if ((kmask.am_success|kmask.am_failure) & eventclass) {
|
|
104 |
preselected = 1;
|
|
105 |
} else {
|
|
106 |
preselected = 0;
|
|
107 |
return (0);
|
|
108 |
}
|
|
109 |
|
|
110 |
/* get peer name (use local termid if not a socket) */
|
|
111 |
if (getpeername(fd, (struct sockaddr *)&peer, (socklen_t *)&peerlen)
|
|
112 |
< 0) {
|
|
113 |
|
|
114 |
/* use machine terminal address if unknown ports */
|
|
115 |
if (auditon(A_GETKAUDIT, (caddr_t)&ai, sizeof (ai)) < 0) {
|
|
116 |
return (1);
|
|
117 |
}
|
|
118 |
|
|
119 |
/* termid unset, make it legal (0.0.0.0) */
|
|
120 |
if (ai.ai_termid.at_type == 0)
|
|
121 |
ai.ai_termid.at_type = AU_IPv4;
|
|
122 |
|
|
123 |
audit_inetd_tid = ai.ai_termid;
|
|
124 |
aug_save_tid_ex(ai.ai_termid.at_port,
|
|
125 |
(uint32_t *)&ai.ai_termid.at_addr,
|
|
126 |
(uint32_t)ai.ai_termid.at_type);
|
|
127 |
return (0);
|
|
128 |
}
|
|
129 |
|
|
130 |
addr = (uint32_t *)&peer.sin6_addr;
|
|
131 |
|
|
132 |
/* get sock name (use local termid if not a socket) */
|
|
133 |
if (getsockname(fd, (struct sockaddr *)&sock, (socklen_t *)&socklen)
|
|
134 |
< 0) {
|
|
135 |
/* have everything but local port. make it 0 for now */
|
|
136 |
bzero(&sock, sizeof (sock));
|
|
137 |
}
|
|
138 |
|
|
139 |
bzero(&audit_inetd_tid, sizeof (audit_inetd_tid));
|
|
140 |
|
|
141 |
port = ((peer.sin6_port<<16) | (sock.sin6_port));
|
|
142 |
audit_inetd_tid.at_port = port;
|
|
143 |
|
|
144 |
if (peer.sin6_family == AF_INET6) {
|
|
145 |
aug_save_tid_ex(port, (uint32_t *)&peer.sin6_addr, AU_IPv6);
|
|
146 |
|
|
147 |
audit_inetd_tid.at_type = AU_IPv6;
|
|
148 |
audit_inetd_tid.at_addr[0] = addr[0];
|
|
149 |
audit_inetd_tid.at_addr[1] = addr[1];
|
|
150 |
audit_inetd_tid.at_addr[2] = addr[2];
|
|
151 |
audit_inetd_tid.at_addr[3] = addr[3];
|
|
152 |
} else {
|
|
153 |
struct sockaddr_in *ppeer = (struct sockaddr_in *)&peer;
|
|
154 |
aug_save_tid(port, (int)ppeer->sin_addr.s_addr);
|
|
155 |
|
|
156 |
audit_inetd_tid.at_type = AU_IPv4;
|
|
157 |
audit_inetd_tid.at_addr[0] = (uint32_t)ppeer->sin_addr.s_addr;
|
|
158 |
}
|
|
159 |
return (0);
|
|
160 |
}
|
|
161 |
|
|
162 |
int
|
|
163 |
audit_inetd_service(
|
|
164 |
char *service_name, /* name of service */
|
|
165 |
struct passwd *pwd) /* password */
|
|
166 |
{
|
|
167 |
int set_audit = 0; /* flag - set audit characteristics */
|
|
168 |
auditinfo_addr_t ai;
|
|
169 |
|
|
170 |
dprintf(("audit_inetd_service()\n"));
|
|
171 |
|
|
172 |
if (auditingisoff)
|
|
173 |
return (0);
|
|
174 |
|
|
175 |
if (preselected == 0)
|
|
176 |
return (0);
|
|
177 |
|
|
178 |
/*
|
|
179 |
* set default values. We will overwrite them when appropriate.
|
|
180 |
*/
|
|
181 |
if (getaudit_addr(&ai, sizeof (ai))) {
|
|
182 |
perror("inetd");
|
|
183 |
exit(1);
|
|
184 |
}
|
|
185 |
aug_save_auid(ai.ai_auid); /* Audit ID */
|
|
186 |
aug_save_uid(getuid()); /* User ID */
|
|
187 |
aug_save_euid(geteuid()); /* Effective User ID */
|
|
188 |
aug_save_gid(getgid()); /* Group ID */
|
|
189 |
aug_save_egid(getegid()); /* Effective Group ID */
|
|
190 |
aug_save_pid(getpid()); /* process ID */
|
|
191 |
aug_save_asid(getpid()); /* session ID */
|
|
192 |
|
|
193 |
/*
|
|
194 |
* do the best we can. We have no way to determine if the
|
|
195 |
* request is from a system service or from the root user.
|
|
196 |
* We will consider all root requests to be system service
|
|
197 |
* operations for now. We'll readdress this when we devise a
|
|
198 |
* better algorithm.
|
|
199 |
*/
|
|
200 |
if (pwd != NULL && (pwd->pw_uid)) {
|
|
201 |
aug_save_auid(pwd->pw_uid); /* Audit ID */
|
|
202 |
aug_save_uid(pwd->pw_uid); /* User ID */
|
|
203 |
aug_save_euid(pwd->pw_uid); /* Effective User ID */
|
|
204 |
aug_save_gid(pwd->pw_gid); /* Group ID */
|
|
205 |
aug_save_egid(pwd->pw_gid); /* Effective Group ID */
|
|
206 |
set_audit = 1;
|
|
207 |
}
|
|
208 |
|
|
209 |
aug_save_text(service_name);
|
|
210 |
aug_save_sorf(0);
|
|
211 |
|
|
212 |
(void) aug_audit();
|
|
213 |
|
|
214 |
/*
|
|
215 |
* Note that we will only do this if non-attributable auditing set.
|
|
216 |
* we might want to change things so this is always called.
|
|
217 |
*/
|
|
218 |
if (set_audit)
|
|
219 |
audit_inetd_session_setup(pwd);
|
|
220 |
|
|
221 |
return (0);
|
|
222 |
}
|
|
223 |
|
|
224 |
/*
|
|
225 |
* set the audit characteristics for the inetd started process.
|
|
226 |
* inetd is setting the uid.
|
|
227 |
*/
|
|
228 |
void
|
|
229 |
audit_inetd_session_setup(struct passwd *pwd)
|
|
230 |
{
|
|
231 |
struct auditinfo_addr info;
|
|
232 |
au_mask_t mask;
|
|
233 |
|
|
234 |
info.ai_auid = pwd->pw_uid;
|
|
235 |
|
|
236 |
mask.am_success = 0;
|
|
237 |
mask.am_failure = 0;
|
|
238 |
(void) au_user_mask(pwd->pw_name, &mask);
|
|
239 |
info.ai_mask.am_success = mask.am_success;
|
|
240 |
info.ai_mask.am_failure = mask.am_failure;
|
|
241 |
|
|
242 |
info.ai_asid = getpid();
|
|
243 |
|
|
244 |
info.ai_termid = audit_inetd_tid;
|
|
245 |
|
|
246 |
if (setaudit_addr(&info, sizeof (info)) < 0) {
|
|
247 |
perror("inetd: setaudit_addr");
|
|
248 |
exit(1);
|
|
249 |
}
|
|
250 |
}
|