static void
print_profile_privs(kva_t *attr)
{
char *privs;
if (attr) {
privs = kva_match(attr, PROFATTR_PRIVS_KW);
if (privs)
(void) printf(" privs=%s", privs);
}
}
/* ARGSUSED */
static int
attr(const char *name, kva_t *kva, void *ctxt, void *pres)
{
char *val;
if ((val = kva_match(kva, attr_name)) != NULL) {
if (verbose) {
char *prof_name = "user_attr";
if (name != NULL) {
prof_name = (char *)name;
}
(void) printf("%s : %s\n", prof_name, val);
} else {
(void) printf("%s\n", val);
}
exit(0);
}
return (0); /* no match */
}
/*
* Verifies the provided list of role names are valid.
*
* Returns NULL if all role names are valid.
* Otherwise, returns the invalid role name
*
*/
static const char *
check_role(const char *roles)
{
char *rolename;
userattr_t *result;
char *utype;
char *tmp;
tmp = strdup(roles);
if (tmp == NULL) {
errmsg(M_NOSPACE);
exit(EX_FAILURE);
}
rolename = strtok(tmp, ROLE_SEP);
while (rolename != NULL) {
result = getusernam(rolename);
if (result == NULL) {
/* can't find the rolename */
return (rolename);
}
/* Now, make sure it is a role */
utype = kva_match(result->attr, USERATTR_TYPE_KW);
if (utype == NULL) {
/* no user type defined. not a role */
free_userattr(result);
return (rolename);
}
if (strcmp(utype, USERATTR_TYPE_NONADMIN_KW) != 0) {
free_userattr(result);
return (rolename);
}
free_userattr(result);
rolename = strtok(NULL, ROLE_SEP);
}
free(tmp);
return (NULL);
}
static boolean_t
is_audit_config_ok() {
int state = B_TRUE; /* B_TRUE/B_FALSE = ok/not_ok */
char *cval_str;
int cval_int;
kva_t *kvlist;
scf_plugin_kva_node_t *plugin_kva_ll;
scf_plugin_kva_node_t *plugin_kva_ll_head;
boolean_t one_plugin_enabled = B_FALSE;
/*
* There must be at least one active plugin configured; if the
* configured plugin is audit_binfile(5), then the p_dir must not be
* empty.
*/
if (!do_getpluginconfig_scf(NULL, &plugin_kva_ll)) {
(void) fprintf(stderr,
gettext("Could not get plugin configuration.\n"));
exit(1);
}
plugin_kva_ll_head = plugin_kva_ll;
while (plugin_kva_ll != NULL) {
kvlist = plugin_kva_ll->plugin_kva;
if (!one_plugin_enabled) {
cval_str = kva_match(kvlist, "active");
if (atoi(cval_str) == 1) {
one_plugin_enabled = B_TRUE;
}
}
if (strcmp((char *)&(*plugin_kva_ll).plugin_name,
"audit_binfile") == 0) {
cval_str = kva_match(kvlist, "p_dir");
if (*cval_str == '\0' || cval_str == NULL) {
(void) fprintf(stderr,
gettext("%s: audit_binfile(5) \"p_dir:\" "
"attribute empty\n"), progname);
state = B_FALSE;
} else if (!contains_valid_dirs(cval_str)) {
(void) fprintf(stderr,
gettext("%s: audit_binfile(5) \"p_dir:\" "
"attribute invalid\n"), progname);
state = B_FALSE;
}
cval_str = kva_match(kvlist, "p_minfree");
cval_int = atoi(cval_str);
if (cval_int < 0 || cval_int > 100) {
(void) fprintf(stderr,
gettext("%s: audit_binfile(5) "
"\"p_minfree:\" attribute invalid\n"),
progname);
state = B_FALSE;
}
}
plugin_kva_ll = plugin_kva_ll->next;
}
plugin_kva_ll_free(plugin_kva_ll_head);
if (!one_plugin_enabled) {
(void) fprintf(stderr, gettext("%s: no active plugin found\n"),
progname);
state = B_FALSE;
}
return (state);
}
/*
* auditd_plugin_open() may be called multiple times; on initial open or
* `audit -s`, then kvlist != NULL; on `audit -n`, then kvlist == NULL.
* For more information see audit(1M).
*
* Note, that space on stack allocated for any error message returned along
* with AUDITD_RETRY is subsequently freed by auditd.
*
*/
auditd_rc_t
auditd_plugin_open(const kva_t *kvlist, char **ret_list, char **error)
{
kva_t *kv;
char *val_str;
int val;
long val_l;
int rc = 0;
*error = NULL;
*ret_list = NULL;
kv = (kva_t *)kvlist;
#if DEBUG
dfile = __auditd_debug_file_open();
#endif
/* initial open or audit -s */
if (kvlist != NULL) {
DPRINT((dfile, "Action: initial open or `audit -s`\n"));
val_str = kva_match(kv, "p_timeout");
if (val_str == NULL) {
*error = strdup(
gettext("p_timeout attribute not found"));
return (AUDITD_RETRY);
}
DPRINT((dfile, "val_str=%s\n", val_str));
errno = 0;
val = atoi(val_str);
if (errno == 0 && val >= 1) {
timeout_p_timeout = val;
timeout = val;
} else {
timeout_p_timeout = DEFAULT_TIMEOUT;
timeout = timeout_p_timeout;
DPRINT((dfile, "p_timeout set to default value: %d\n",
timeout));
}
val_str = kva_match(kv, "p_retries");
if (val_str == NULL) {
*error = strdup(
gettext("p_retries attribute not found"));
return (AUDITD_RETRY);
}
DPRINT((dfile, "val_str=%s\n", val_str));
errno = 0;
val = atoi(val_str);
if (errno == 0 && val >= 0) {
retries = val;
}
val_str = kva_match(kv, "qsize");
if (val_str == NULL) {
*error = strdup(gettext("qsize attribute not found"));
return (AUDITD_RETRY);
}
DPRINT((dfile, "qsize=%s\n", val_str));
errno = 0;
val_l = atol(val_str);
if (errno == 0 && val_l >= 0) {
transq_count_max = val_l;
}
if (transq_count_max == 0 &&
(rc = set_transq_count_max()) != AUDITD_SUCCESS) {
*error = strdup(gettext("cannot get kernel "
"auditd queue high water mark\n"));
return (rc);
}
DPRINT((dfile, "timeout=%d, retries=%d, transq_count_max=%ld\n",
timeout, retries, transq_count_max));
val_str = kva_match(kv, "p_hosts");
if (val_str == NULL) {
*error = strdup(gettext("no hosts configured"));
return (AUDITD_RETRY);
}
if ((rc = parsehosts(val_str, error)) != AUDITD_SUCCESS) {
return (rc);
}
/* create the notification pipe towards the receiving thread */
if (!notify_pipe_ready) {
if (create_notify_pipe(notify_pipe, error)) {
notify_pipe_ready = B_TRUE;
} else {
return (AUDITD_RETRY);
}
}
#if DEBUG
} else { /* audit -n */
DPRINT((dfile, "Action: `audit -n`\n"));
#endif
}
return (AUDITD_SUCCESS);
}
/*
* da_interpret -
* parses val and initializes pointers in devalloc_t.
* returns pointer to parsed devalloc_t entry, else returns NULL on error.
*/
static devalloc_t *
da_interpret(char *val)
{
struct _dabuff *_da = _daalloc();
char *opts;
int i;
kva_t *kvap;
kv_t *kvp;
if (_da == NULL)
return (NULL);
(void) strcpy(interpdaline, val);
interpdevalloc.da_devname = getdadmfield(interpdaline, KV_DELIMITER);
interpdevalloc.da_devtype = getdadmfield(NULL, KV_DELIMITER);
opts = getdadmfield(NULL, KV_DELIMITER);
(void) getdadmfield(NULL, KV_DELIMITER); /* reserved field */
interpdevalloc.da_devauth = getdadmfield(NULL, KV_DELIMITER);
interpdevalloc.da_devexec = getdadmfield(NULL, KV_DELIMITER);
interpdevalloc.da_devopts = NULL;
if (interpdevalloc.da_devname == NULL ||
interpdevalloc.da_devtype == NULL)
return (NULL);
if ((opts != NULL) &&
(strncmp(opts, DA_RESERVED, strlen(DA_RESERVED)) != 0)) {
interpdevalloc.da_devopts =
_str2kva(opts, KV_ASSIGN, KV_TOKEN_DELIMIT);
}
/* remove any extraneous whitespace in the options */
if ((kvap = interpdevalloc.da_devopts) != NULL) {
for (i = 0, kvp = kvap->data; i < kvap->length; i++, kvp++) {
(void) pack_white(kvp->key);
(void) pack_white(kvp->value);
}
}
if (system_labeled) {
/* if label range is not defined, use the default range. */
int i = 0, nlen = 0;
char *minstr = NULL, *maxstr = NULL;
kva_t *nkvap = NULL;
kv_t *ndata = NULL, *odata = NULL;
if (kvap == NULL) {
nlen = 2; /* minlabel, maxlabel */
} else {
nlen += kvap->length;
if ((minstr = kva_match(kvap, DAOPT_MINLABEL)) == NULL)
nlen++;
if ((maxstr = kva_match(kvap, DAOPT_MAXLABEL)) == NULL)
nlen++;
}
if ((minstr != NULL) && (maxstr != NULL))
/*
* label range provided; we don't need to construct
* default range.
*/
goto out;
nkvap = _new_kva(nlen);
ndata = nkvap->data;
if (kvap != NULL) {
for (i = 0; i < kvap->length; i++) {
odata = kvap->data;
ndata[i].key = _strdup_null(odata[i].key);
ndata[i].value = _strdup_null(odata[i].value);
nkvap->length++;
}
}
if (minstr == NULL) {
ndata[i].key = strdup(DAOPT_MINLABEL);
ndata[i].value = strdup(DA_DEFAULT_MIN);
nkvap->length++;
i++;
}
if (maxstr == NULL) {
ndata[i].key = strdup(DAOPT_MAXLABEL);
ndata[i].value = strdup(DA_DEFAULT_MAX);
nkvap->length++;
}
interpdevalloc.da_devopts = nkvap;
}
out:
return (&interpdevalloc);
}
