version 1.1.1.1, 2012/02/21 16:23:02
|
version 1.1.1.3, 2013/07/22 10:46:12
|
Line 1
|
Line 1
|
/* |
/* |
* Copyright (c) 2009-2011 Todd C. Miller <Todd.Miller@courtesan.com> | * Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com> |
* Copyright (c) 2009 Christian S.J. Peron |
* Copyright (c) 2009 Christian S.J. Peron |
* |
* |
* Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
Line 30
|
Line 30
|
#include <errno.h> |
#include <errno.h> |
#include <unistd.h> |
#include <unistd.h> |
|
|
|
#include "gettext.h" |
|
#include "error.h" |
|
#include "sudo_debug.h" |
#include "bsm_audit.h" |
#include "bsm_audit.h" |
|
|
/* |
/* |
Line 42
|
Line 45
|
# define AUDIT_NOT_CONFIGURED ENOSYS |
# define AUDIT_NOT_CONFIGURED ENOSYS |
#endif |
#endif |
|
|
void log_error(int flags, const char *fmt, ...) __attribute__((__noreturn__)); |
|
|
|
static int |
static int |
audit_sudo_selected(int sf) |
audit_sudo_selected(int sf) |
{ |
{ |
Line 51 audit_sudo_selected(int sf)
|
Line 52 audit_sudo_selected(int sf)
|
struct au_mask *mask; |
struct au_mask *mask; |
auditinfo_t ainfo; |
auditinfo_t ainfo; |
int rc, sorf; |
int rc, sorf; |
|
debug_decl(audit_sudo_selected, SUDO_DEBUG_AUDIT) |
|
|
if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) < 0) { |
if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) < 0) { |
if (errno == ENOSYS) { |
if (errno == ENOSYS) { |
if (getaudit(&ainfo) < 0) |
if (getaudit(&ainfo) < 0) |
log_error(0, _("getaudit: failed")); | fatal("getaudit"); |
mask = &ainfo.ai_mask; |
mask = &ainfo.ai_mask; |
} else |
} else |
log_error(0, _("getaudit: failed")); | fatal("getaudit"); |
} else |
} else |
mask = &ainfo_addr.ai_mask; |
mask = &ainfo_addr.ai_mask; |
sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE; |
sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE; |
rc = au_preselect(AUE_sudo, mask, sorf, AU_PRS_REREAD); |
rc = au_preselect(AUE_sudo, mask, sorf, AU_PRS_REREAD); |
return rc; | debug_return_int(rc); |
} |
} |
|
|
void |
void |
Line 76 bsm_audit_success(char **exec_args)
|
Line 78 bsm_audit_success(char **exec_args)
|
long au_cond; |
long au_cond; |
int aufd; |
int aufd; |
pid_t pid; |
pid_t pid; |
|
debug_decl(bsm_audit_success, SUDO_DEBUG_AUDIT) |
|
|
pid = getpid(); |
pid = getpid(); |
/* |
/* |
Line 84 bsm_audit_success(char **exec_args)
|
Line 87 bsm_audit_success(char **exec_args)
|
if (auditon(A_GETCOND, (caddr_t)&au_cond, sizeof(long)) < 0) { |
if (auditon(A_GETCOND, (caddr_t)&au_cond, sizeof(long)) < 0) { |
if (errno == AUDIT_NOT_CONFIGURED) |
if (errno == AUDIT_NOT_CONFIGURED) |
return; |
return; |
log_error(0, _("Could not determine audit condition")); | fatal(_("Could not determine audit condition")); |
} |
} |
if (au_cond == AUC_NOAUDIT) |
if (au_cond == AUC_NOAUDIT) |
return; | debug_return; |
/* |
/* |
* Check to see if the preselection masks are interested in seeing |
* Check to see if the preselection masks are interested in seeing |
* this event. |
* this event. |
*/ |
*/ |
if (!audit_sudo_selected(0)) |
if (!audit_sudo_selected(0)) |
return; | debug_return; |
if (getauid(&auid) < 0) |
if (getauid(&auid) < 0) |
log_error(0, _("getauid failed")); | fatal("getauid"); |
if ((aufd = au_open()) == -1) |
if ((aufd = au_open()) == -1) |
log_error(0, _("au_open: failed")); | fatal("au_open"); |
if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) { |
if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) { |
tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(), |
tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(), |
getuid(), pid, pid, &ainfo_addr.ai_termid); |
getuid(), pid, pid, &ainfo_addr.ai_termid); |
Line 106 bsm_audit_success(char **exec_args)
|
Line 109 bsm_audit_success(char **exec_args)
|
* NB: We should probably watch out for ERANGE here. |
* NB: We should probably watch out for ERANGE here. |
*/ |
*/ |
if (getaudit(&ainfo) < 0) |
if (getaudit(&ainfo) < 0) |
log_error(0, _("getaudit: failed")); | fatal("getaudit"); |
tok = au_to_subject(auid, geteuid(), getegid(), getuid(), |
tok = au_to_subject(auid, geteuid(), getegid(), getuid(), |
getuid(), pid, pid, &ainfo.ai_termid); |
getuid(), pid, pid, &ainfo.ai_termid); |
} else |
} else |
log_error(0, _("getaudit: failed")); | fatal("getaudit"); |
if (tok == NULL) |
if (tok == NULL) |
log_error(0, _("au_to_subject: failed")); | fatal("au_to_subject"); |
au_write(aufd, tok); |
au_write(aufd, tok); |
tok = au_to_exec_args(exec_args); |
tok = au_to_exec_args(exec_args); |
if (tok == NULL) |
if (tok == NULL) |
log_error(0, _("au_to_exec_args: failed")); | fatal("au_to_exec_args"); |
au_write(aufd, tok); |
au_write(aufd, tok); |
tok = au_to_return32(0, 0); |
tok = au_to_return32(0, 0); |
if (tok == NULL) |
if (tok == NULL) |
log_error(0, _("au_to_return32: failed")); | fatal("au_to_return32"); |
au_write(aufd, tok); |
au_write(aufd, tok); |
if (au_close(aufd, 1, AUE_sudo) == -1) |
if (au_close(aufd, 1, AUE_sudo) == -1) |
log_error(0, _("unable to commit audit record")); | fatal(_("unable to commit audit record")); |
| debug_return; |
} |
} |
|
|
void |
void |
Line 137 bsm_audit_failure(char **exec_args, char const *const
|
Line 141 bsm_audit_failure(char **exec_args, char const *const
|
au_id_t auid; |
au_id_t auid; |
pid_t pid; |
pid_t pid; |
int aufd; |
int aufd; |
|
debug_decl(bsm_audit_success, SUDO_DEBUG_AUDIT) |
|
|
pid = getpid(); |
pid = getpid(); |
/* |
/* |
Line 144 bsm_audit_failure(char **exec_args, char const *const
|
Line 149 bsm_audit_failure(char **exec_args, char const *const
|
*/ |
*/ |
if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) { |
if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) { |
if (errno == AUDIT_NOT_CONFIGURED) |
if (errno == AUDIT_NOT_CONFIGURED) |
return; | debug_return; |
log_error(0, _("Could not determine audit condition")); | fatal(_("Could not determine audit condition")); |
} |
} |
if (au_cond == AUC_NOAUDIT) |
if (au_cond == AUC_NOAUDIT) |
return; | debug_return; |
if (!audit_sudo_selected(1)) |
if (!audit_sudo_selected(1)) |
return; | debug_return; |
if (getauid(&auid) < 0) |
if (getauid(&auid) < 0) |
log_error(0, _("getauid: failed")); | fatal("getauid"); |
if ((aufd = au_open()) == -1) |
if ((aufd = au_open()) == -1) |
log_error(0, _("au_open: failed")); | fatal("au_open"); |
if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) { |
if (getaudit_addr(&ainfo_addr, sizeof(ainfo_addr)) == 0) { |
tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(), |
tok = au_to_subject_ex(auid, geteuid(), getegid(), getuid(), |
getuid(), pid, pid, &ainfo_addr.ai_termid); |
getuid(), pid, pid, &ainfo_addr.ai_termid); |
} else if (errno == ENOSYS) { |
} else if (errno == ENOSYS) { |
if (getaudit(&ainfo) < 0) |
if (getaudit(&ainfo) < 0) |
log_error(0, _("getaudit: failed")); | fatal("getaudit"); |
tok = au_to_subject(auid, geteuid(), getegid(), getuid(), |
tok = au_to_subject(auid, geteuid(), getegid(), getuid(), |
getuid(), pid, pid, &ainfo.ai_termid); |
getuid(), pid, pid, &ainfo.ai_termid); |
} else |
} else |
log_error(0, _("getaudit: failed")); | fatal("getaudit"); |
if (tok == NULL) |
if (tok == NULL) |
log_error(0, _("au_to_subject: failed")); | fatal("au_to_subject"); |
au_write(aufd, tok); |
au_write(aufd, tok); |
tok = au_to_exec_args(exec_args); |
tok = au_to_exec_args(exec_args); |
if (tok == NULL) |
if (tok == NULL) |
log_error(0, _("au_to_exec_args: failed")); | fatal("au_to_exec_args"); |
au_write(aufd, tok); |
au_write(aufd, tok); |
(void) vsnprintf(text, sizeof(text), fmt, ap); |
(void) vsnprintf(text, sizeof(text), fmt, ap); |
tok = au_to_text(text); |
tok = au_to_text(text); |
if (tok == NULL) |
if (tok == NULL) |
log_error(0, _("au_to_text: failed")); | fatal("au_to_text"); |
au_write(aufd, tok); |
au_write(aufd, tok); |
tok = au_to_return32(EPERM, 1); |
tok = au_to_return32(EPERM, 1); |
if (tok == NULL) |
if (tok == NULL) |
log_error(0, _("au_to_return32: failed")); | fatal("au_to_return32"); |
au_write(aufd, tok); |
au_write(aufd, tok); |
if (au_close(aufd, 1, AUE_sudo) == -1) |
if (au_close(aufd, 1, AUE_sudo) == -1) |
log_error(0, _("unable to commit audit record")); | fatal(_("unable to commit audit record")); |
| debug_return; |
} |
} |
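Review bot: The `debug_decl(bsm_audit_success, SUDO_DEBUG_AUDIT)` added at the top of bsm_audit_failure names the wrong function, so entry/exit tracing for the failure path would presumably be attributed to bsm_audit_success; it should read `debug_decl(bsm_audit_failure, SUDO_DEBUG_AUDIT)`. In bsm_audit_success the AUDIT_NOT_CONFIGURED branch still exits with a plain `return;` while every other exit in that function was converted to `debug_return;` (and the same branch in bsm_audit_failure was converted), leaving that path without the matching exit trace. Both functions also leave the `au_write()` return values unchecked, so a token that fails to be appended is only noticed if `au_close()` later fails; given that the surrounding calls are fail-closed via `fatal`, a guard such as `if (au_write(aufd, tok) == -1) fatal("au_write");` would be consistent with them. The signatures of bsm_audit_success and bsm_audit_failure fall outside the visible hunk lines.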