2N/A/*
2N/A * CDDL HEADER START
2N/A *
2N/A * The contents of this file are subject to the terms of the
2N/A * Common Development and Distribution License (the "License").
2N/A * You may not use this file except in compliance with the License.
2N/A *
2N/A * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
2N/A * or http://www.opensolaris.org/os/licensing.
2N/A * See the License for the specific language governing permissions
2N/A * and limitations under the License.
2N/A *
2N/A * When distributing Covered Code, include this CDDL HEADER in each
2N/A * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
2N/A * If applicable, add the following below this CDDL HEADER, with the
2N/A * fields enclosed by brackets "[]" replaced with your own identifying
2N/A * information: Portions Copyright [yyyy] [name of copyright owner]
2N/A *
2N/A * CDDL HEADER END
2N/A */
2N/A/*
2N/A * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
2N/A * Use is subject to license terms.
2N/A */
2N/A
2N/A#pragma ident "%Z%%M% %I% %E% SMI"
2N/A
2N/A#include <libtsnet.h>
2N/A#include <stdlib.h>
2N/A#include <string.h>
2N/A#include <syslog.h>
2N/A#include <zone.h>
2N/A
2N/A#include <security/pam_appl.h>
2N/A#include <security/pam_modules.h>
2N/A#include <security/pam_impl.h>
2N/A
2N/A#include <tsol/label.h>
2N/A
/*
 * pam_tsol_account - Trusted Extensions account management.
 * Validates that the user's label range contains the process
 * label (the label of the zone) and, when running in the global
 * zone with PAM_RHOST set and without the allow_unlabeled option,
 * that the remote host's template type is SUN_CIPSO.
 */
2N/A
/*
 * Release a user accreditation range and a process label.
 *
 * r: range returned by getuserrange(); both of its bounds and the
 *    range structure itself are freed.  Must not be NULL.
 * l: process label, or NULL when none was allocated yet.  Callers
 *    do pass NULL here, so this relies on m_label_free() tolerating
 *    a NULL label (NOTE(review): confirm against libtsol).
 */
static void
free_labels(m_range_t *r, m_label_t *l)
{
	m_label_t *lo = r->lower_bound;
	m_label_t *hi = r->upper_bound;

	/* The three frees are independent; order is immaterial. */
	m_label_free(l);
	m_label_free(lo);
	m_label_free(hi);
	free(r);
}
2N/A
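/*
 * Check that the process (zone) label lies within the user's
 * accreditation range.
 *
 * user: login name; the caller guarantees it is non-NULL and non-empty.
 *
 * Returns PAM_SUCCESS when the process label is in range,
 * PAM_PERM_DENIED when it is not, PAM_SYSTEM_ERR when the user's range
 * or the process label cannot be obtained, and PAM_BUF_ERR when the
 * label cannot be allocated.  All label memory is released before
 * returning, on every path.
 */
static int
check_label_range(const char *user)
{
	m_range_t *range;
	m_label_t *plabel;
	int ret;

	if ((range = getuserrange(user)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: getuserrange(%s) failure", user);
		return (PAM_SYSTEM_ERR);
	}
	if ((plabel = m_label_alloc(MAC_LABEL)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: out of memory");
		free_labels(range, NULL);
		return (PAM_BUF_ERR);
	}
	if (getplabel(plabel) < 0) {
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "pam_tsol_account: Unable to get process label %m");
		ret = PAM_SYSTEM_ERR;
	} else if (!blinrange(plabel, range)) {
		/*
		 * Policy denial: log it so an out-of-range login attempt
		 * shows up in syslog instead of failing silently.
		 */
		__pam_log(LOG_AUTH | LOG_NOTICE,
		    "pam_tsol_account: process label not in range for %s",
		    user);
		ret = PAM_PERM_DENIED;
	} else {
		ret = PAM_SUCCESS;
	}
	free_labels(range, plabel);
	return (ret);
}

/*
 * Remote host type policy.
 *
 * The check applies only when all of the following hold: the
 * allow_unlabeled module option was not given, the module runs in the
 * global zone, and PAM_RHOST is set and non-empty.  In that case only a
 * remote host whose template type is SUN_CIPSO is accepted; every other
 * type, including an unknown or unresolvable host, is denied (fail
 * closed).  PAM_RHOST is supplied by the calling application; this
 * module does not validate it beyond the template lookup.
 *
 * rhost:           value of PAM_RHOST, or NULL.
 * allow_unlabeled: non-zero when the allow_unlabeled option was given.
 *
 * Returns PAM_SUCCESS when the check passes or does not apply, and
 * PAM_PERM_DENIED otherwise.
 */
static int
check_rhost_type(char *rhost, int allow_unlabeled)
{
	tsol_host_type_t host_type;

	if (allow_unlabeled != 0 || getzoneid() != GLOBAL_ZONEID ||
	    rhost == NULL || *rhost == '\0')
		return (PAM_SUCCESS);

	host_type = tsol_getrhtype(rhost);
	if (host_type == SUN_CIPSO)
		return (PAM_SUCCESS);

	/* UNLABELED and any other type: deny, and say why in syslog. */
	__pam_log(LOG_AUTH | LOG_NOTICE,
	    "pam_tsol_account: remote host %s is not a CIPSO host "
	    "(type %d); access denied", rhost, (int)host_type);
	return (PAM_PERM_DENIED);
}

/*
 * PAM account-management entry point for Trusted Extensions.
 *
 * Options (argv): "debug" enables a LOG_DEBUG line describing the
 * request; "allow_unlabeled" disables the remote host type check.
 * Any other option is logged as illegal and ignored.
 *
 * Returns PAM_IGNORE when the system is not labeled, PAM_USER_UNKNOWN
 * when PAM_USER is unset or empty, the result of the label range check
 * when that fails (PAM_PERM_DENIED, PAM_SYSTEM_ERR or PAM_BUF_ERR), the
 * result of the remote host type check, and PAM_SUCCESS otherwise.
 * flags is unused.
 */
/* ARGSUSED */
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	int i;
	int debug = 0;
	int allow_unlabeled = 0;
	char *user = NULL;
	char *rhost = NULL;
	int ret;

	for (i = 0; i < argc; i++) {
		if (strcmp(argv[i], "debug") == 0) {
			debug = 1;
		} else if (strcmp(argv[i], "allow_unlabeled") == 0) {
			allow_unlabeled = 1;
		} else {
			__pam_log(LOG_AUTH | LOG_ERR,
			    "pam_tsol_account: illegal option %s", argv[i]);
		}
	}

	/* Trusted Extensions not enabled: nothing to check. */

	if (!is_system_labeled())
		return (PAM_IGNORE);

	/*
	 * pam_get_item() need not store anything when it fails, so the
	 * pointers start out NULL and are reset on failure rather than
	 * being read uninitialised below.
	 */
	if (pam_get_item(pamh, PAM_USER, (void **)&user) != PAM_SUCCESS)
		user = NULL;

	if (pam_get_item(pamh, PAM_RHOST, (void **)&rhost) != PAM_SUCCESS)
		rhost = NULL;

	if (debug) {
		/* "ZERO" means the item is set but empty; compare *p, not p. */
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_tsol_account: allowed_unlabeled = %d, user %s, "
		    "rhost %s",
		    allow_unlabeled,
		    (user == NULL) ? "NULL" : (*user == '\0') ? "ZERO" :
		    user,
		    (rhost == NULL) ? "NULL" : (*rhost == '\0') ? "ZERO" :
		    rhost);
	}
	if (user == NULL || *user == '\0') {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: no user");
		return (PAM_USER_UNKNOWN);
	}

	/* Label range check first; a failure here ends the evaluation. */
	if ((ret = check_label_range(user)) != PAM_SUCCESS)
		return (ret);

	/* Remote Host Type Policy Check */
	return (check_rhost_type(rhost, allow_unlabeled));
}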