f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel/*
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * CDDL HEADER START
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel *
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * The contents of this file are subject to the terms of the
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * Common Development and Distribution License (the "License").
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * You may not use this file except in compliance with the License.
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel *
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * or http://www.opensolaris.org/os/licensing.
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * See the License for the specific language governing permissions
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * and limitations under the License.
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel *
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * When distributing Covered Code, include this CDDL HEADER in each
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * If applicable, add the following below this CDDL HEADER, with the
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * fields enclosed by brackets "[]" replaced with your own identifying
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * information: Portions Copyright [yyyy] [name of copyright owner]
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel *
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * CDDL HEADER END
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel */
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel/*
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel */
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel
/*
 * svc-auditset - auditset transient service (AUDITSET_FMRI) startup method;
 * sets the attributable and non-attributable preselection masks in the
 * kernel context.
 */
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel#include <audit_scf.h>
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel#include <bsm/adt.h>
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel#include <bsm/libbsm.h>
da5086c104e170d3832a3e1782dc8617061c7fc6Albert Lee#include <zone.h>
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel#include <errno.h>
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel#include <locale.h>
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel#include <stdio.h>
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel#if !defined(SMF_EXIT_ERR_OTHER)
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel#define SMF_EXIT_ERR_OTHER 1
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel#endif
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel
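/*
 * update_kcontext() - sets one audit preselection mask in the kernel context.
 *
 * cmd is handed to auditon() unchanged and selects the mask; the messages
 * below label A_SETAMASK as the attributable mask and any other value as
 * A_SETKMASK (non-attributable).  cmask is the audit flags string that
 * getauditflagsbin() converts into the binary mask.
 *
 * Returns B_TRUE on success, B_FALSE if cmask cannot be converted or
 * auditon() fails.
 */
boolean_t
update_kcontext(int cmd, char *cmask)
{
	au_mask_t	bmask;

	/*
	 * Never load a mask that could not be built from cmask: the kernel
	 * would then preselect something other than what was configured,
	 * and the service would still report success.
	 */
	if (cmask == NULL || getauditflagsbin(cmask, &bmask) != 0) {
		(void) printf("Could not convert audit flags (%s).\n",
		    cmd == A_SETAMASK ? "A_SETAMASK" : "A_SETKMASK");
		return (B_FALSE);
	}

	if (auditon(cmd, (caddr_t)&bmask, sizeof (bmask)) == -1) {
		(void) printf("Could not update kernel context (%s).\n",
		    cmd == A_SETAMASK ? "A_SETAMASK" : "A_SETKMASK");
		return (B_FALSE);
	}

#ifdef	DEBUG
	(void) printf("svc-auditset: %s mask set to %s",
	    cmd == A_SETAMASK ? "Attributable" : "Non-Attributable", cmask);
#endif

	return (B_TRUE);
}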
f89940742f5d14dde79b69b98a414dd7b7f585c7Jan Friedel
/*
 * main() - start method of the auditset service.
 *
 * Reads the configured attributable and non-attributable audit flags and
 * loads each into the kernel through update_kcontext().  Exits with
 * SMF_EXIT_OK when the masks were set or when there is nothing to do,
 * SMF_EXIT_ERR_NOSMF when SMF_FMRI does not name this service, and
 * SMF_EXIT_ERR_OTHER on any other failure.
 */
int
main(void)
{
	char		*fmri;
	char		*flags;
	uint32_t	policy;
	boolean_t	updated;

	(void) setlocale(LC_ALL, "");
	(void) textdomain(TEXT_DOMAIN);

	/*
	 * Run only when SMF_FMRI names this service.  The value comes from
	 * the environment, which the invoker controls, so this guards
	 * against accidental use and is not an access control.
	 */
	fmri = getenv("SMF_FMRI");
	if (fmri == NULL || strcmp(fmri, AUDITSET_FMRI) != 0) {
		(void) printf(gettext("svc-auditset can be executed only "
		    "inside the SMF facility.\n"));
		return (SMF_EXIT_ERR_NOSMF);
	}

	/* c2audit module state: nothing to update when it is disabled */
	if (adt_audit_state(AUC_DISABLED)) {
#ifdef	DEBUG
		if (errno != ENOTSUP) {
			(void) printf("%s\n", strerror(errno));
		} else {
			(void) printf("c2audit module is excluded from "
			    "the system(4); kernel won't be updated.\n");
		}
#endif
		return (SMF_EXIT_OK);
	}

	/* fetch the audit policy */
	if (auditon(A_GETPOLICY, (caddr_t)&policy, 0) == -1) {
		(void) printf("Could not read audit policy: %s\n",
		    strerror(errno));
		return (SMF_EXIT_ERR_OTHER);
	}

	/* without the perzone policy, only the global zone sets the masks */
	if ((policy & AUDIT_PERZONE) == 0 && getzoneid() != GLOBAL_ZONEID) {
		return (SMF_EXIT_OK);
	}

	/* attributable mask */
	if (!do_getflags_scf(&flags) || flags == NULL) {
		(void) printf("Could not get configured attributable audit "
		    "flags.\n");
		return (SMF_EXIT_ERR_OTHER);
	}
	updated = update_kcontext(A_SETAMASK, flags);
	free(flags);
	if (!updated) {
		return (SMF_EXIT_ERR_OTHER);
	}

	/* non-attributable mask */
	if (!do_getnaflags_scf(&flags) || flags == NULL) {
		(void) printf("Could not get configured non-attributable "
		    "audit flags.\n");
		return (SMF_EXIT_ERR_OTHER);
	}
	updated = update_kcontext(A_SETKMASK, flags);
	free(flags);
	if (!updated) {
		return (SMF_EXIT_ERR_OTHER);
	}

	return (SMF_EXIT_OK);
}