1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21/*
22 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23 * Use is subject to license terms.
24 */
25
26#include <libtsnet.h>
27#include <stdlib.h>
28#include <string.h>
29#include <syslog.h>
30#include <zone.h>
31
32#include <security/pam_appl.h>
33#include <security/pam_modules.h>
34#include <security/pam_impl.h>
35
36#include <tsol/label.h>
37
/*
 *	pam_tsol_account - Trusted Extensions account management.
 *		Validates that the user's label range contains
 *		the process label (label of the zone) and, when
 *		running in the global zone with a remote host known,
 *		that the remote host is a labeled host unless the
 *		allow_unlabeled option is given.
 */
43
/*
 * Release a user label range together with an optional process label.
 *
 * r must be non-NULL: both of its bounds are released with m_label_free()
 * before the range structure itself is freed.  l may be NULL -- the
 * out-of-memory path in pam_sm_acct_mgmt() passes NULL -- so this relies
 * on m_label_free() accepting a NULL label.
 */
static void
free_labels(m_range_t *r, m_label_t *l)
{
	m_label_t *lo = r->lower_bound;
	m_label_t *hi = r->upper_bound;

	/* The process label is independent of the range; release it first. */
	m_label_free(l);

	m_label_free(lo);
	m_label_free(hi);
	free(r);
}
52
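/*
 * Remote host type policy: only a labeled (SUN_CIPSO) remote host is
 * admitted.  UNLABELED and any type this module does not recognise are
 * refused, so an unknown or unresolvable host type fails closed.
 *
 * Returns 1 if rhost is acceptable, 0 otherwise.
 */
static int
rhost_type_allowed(char *rhost)
{
	tsol_host_type_t host_type;

	host_type = tsol_getrhtype(rhost);
	switch (host_type) {
	case SUN_CIPSO:
		return (1);

	case UNLABELED:
	default:
		return (0);
	}
}

/*
 * pam_sm_acct_mgmt - PAM account management entry point.
 *
 * Module options (argv):
 *	debug		log the user, rhost and option state at LOG_DEBUG
 *	allow_unlabeled	skip the remote host type policy check
 * Any other option is logged as illegal and otherwise ignored.
 *
 * Returns:
 *	PAM_IGNORE	Trusted Extensions is not enabled on this system.
 *	PAM_USER_UNKNOWN PAM_USER is unset or empty.
 *	PAM_SYSTEM_ERR	a PAM item, the user's label range or the process
 *			label could not be obtained.
 *	PAM_BUF_ERR	a label could not be allocated.
 *	PAM_PERM_DENIED	the process label is outside the user's label
 *			range, or the remote host type policy rejects rhost.
 *	PAM_SUCCESS	otherwise.
 *
 * flags is not used.
 */
/* ARGSUSED */
int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	int i;
	int debug = 0;
	int allow_unlabeled = 0;
	char *user = NULL;
	char *rhost = NULL;
	m_range_t *range;
	m_label_t *plabel;
	int in_range;

	for (i = 0; i < argc; i++) {
		if (strcmp(argv[i], "debug") == 0) {
			debug = 1;
		} else if (strcmp(argv[i], "allow_unlabeled") == 0) {
			allow_unlabeled = 1;
		} else {
			__pam_log(LOG_AUTH | LOG_ERR,
			    "pam_tsol_account: illegal option %s", argv[i]);
		}
	}

	/* Trusted Extensions not enabled */

	if (!is_system_labeled())
		return (PAM_IGNORE);

	/*
	 * user and rhost start out NULL so that a failing pam_get_item()
	 * can never leave them indeterminate.  A failure is reported as a
	 * system error rather than treated as "no remote host", which
	 * would silently skip the remote host type check below.
	 */
	if (pam_get_item(pamh, PAM_USER, (void **)&user) != PAM_SUCCESS ||
	    pam_get_item(pamh, PAM_RHOST, (void **)&rhost) != PAM_SUCCESS) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: pam_get_item failure");
		return (PAM_SYSTEM_ERR);
	}

	if (debug) {
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_tsol_account: allowed_unlabeled = %d, user %s, "
		    "rhost %s",
		    allow_unlabeled,
		    (user == NULL) ? "NULL" : (*user == '\0') ? "ZERO" :
		    user,
		    (rhost == NULL) ? "NULL" : (*rhost == '\0') ? "ZERO" :
		    rhost);
	}
	if (user == NULL || *user == '\0') {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: no user");
		return (PAM_USER_UNKNOWN);
	}

	if ((range = getuserrange(user)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: getuserrange(%s) failure", user);
		return (PAM_SYSTEM_ERR);
	}
	if ((plabel = m_label_alloc(MAC_LABEL)) == NULL) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_tsol_account: out of memory");
		free_labels(range, NULL);
		return (PAM_BUF_ERR);
	}
	if (getplabel(plabel) < 0) {
		__pam_log(LOG_AUTH | LOG_CRIT,
		    "pam_tsol_account: Unable to get process label %m");
		free_labels(range, plabel);
		return (PAM_SYSTEM_ERR);
	}

	/*
	 * The labels are no longer needed once the range check has been
	 * evaluated, whichever way it went; release them on one path.
	 */
	in_range = blinrange(plabel, range);
	free_labels(range, plabel);

	if (!in_range) {
		/* Record the denial so refused logins are visible in logs. */
		__pam_log(LOG_AUTH | LOG_NOTICE,
		    "pam_tsol_account: process label is outside the label "
		    "range of user %s; access denied", user);
		return (PAM_PERM_DENIED);
	}

	/* Remote Host Type Policy Check */

	if ((allow_unlabeled == 0) &&
	    (getzoneid() == GLOBAL_ZONEID) &&
	    (rhost != NULL && *rhost != '\0') &&
	    !rhost_type_allowed(rhost)) {
		__pam_log(LOG_AUTH | LOG_NOTICE,
		    "pam_tsol_account: remote host %s is not a labeled host; "
		    "access for user %s denied", rhost, user);
		return (PAM_PERM_DENIED);
	}
	return (PAM_SUCCESS);
}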
144