diff options
Diffstat (limited to 'framework/src/audit/audisp/audispd-pconfig.c')
| -rw-r--r-- | framework/src/audit/audisp/audispd-pconfig.c | 516 |
1 files changed, 516 insertions, 0 deletions
diff --git a/framework/src/audit/audisp/audispd-pconfig.c b/framework/src/audit/audisp/audispd-pconfig.c new file mode 100644 index 00000000..4ae1b4d1 --- /dev/null +++ b/framework/src/audit/audisp/audispd-pconfig.c @@ -0,0 +1,516 @@ +/* audispd-pconfig.c -- + * Copyright 2007,2010,2015 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * + */ + +#include "config.h" +#include <string.h> +#include <stdio.h> +#include <fcntl.h> +#include <sys/stat.h> +#include <errno.h> +#include <unistd.h> +#include <stdlib.h> +#include <libgen.h> +#include "audispd-pconfig.h" +#include "private.h" + +/* Local prototypes */ +struct nv_pair +{ + const char *name; + const char *value; + const char *option; +}; + +struct kw_pair +{ + const char *name; + int (*parser)(struct nv_pair *, int, plugin_conf_t *); + int max_options; +}; + +struct nv_list +{ + const char *name; + int option; +}; + +static char *get_line(FILE *f, char *buf, unsigned size, int *lineno, + const char *file); +static int nv_split(char *buf, struct nv_pair *nv); +static const struct kw_pair *kw_lookup(const char *val); +static int active_parser(struct nv_pair *nv, int line, + plugin_conf_t *config); +static int direction_parser(struct nv_pair *nv, int line, + plugin_conf_t *config); +static int path_parser(struct nv_pair *nv, int line, + plugin_conf_t *config); +static int service_type_parser(struct nv_pair *nv, int line, + plugin_conf_t *config); +static int args_parser(struct nv_pair *nv, int line, + plugin_conf_t *config); +static int format_parser(struct nv_pair *nv, int line, + plugin_conf_t *config); +static int sanity_check(plugin_conf_t *config, const char *file); + +static const struct kw_pair keywords[] = +{ + {"active", active_parser, 0 }, + {"direction", direction_parser, 0 }, + {"path", path_parser, 0 }, + {"type", service_type_parser, 0 }, + {"args", args_parser, 2 }, + {"format", format_parser, 0 }, + { NULL, NULL } +}; + +static const struct nv_list active[] = +{ + {"yes", A_YES }, + {"no", A_NO }, + { NULL, 0 } +}; + +static const struct nv_list directions[] = +{ +// {"in", D_IN }, FIXME: not supported yet + {"out", D_OUT }, + { NULL, 0 } +}; + +static const struct nv_list service_type[] = +{ + {"builtin", S_BUILTIN }, + {"always", S_ALWAYS }, + { NULL, 0 } +}; + +static const struct nv_list formats[] = +{ + {"binary", F_BINARY }, + {"string", F_STRING }, + { NULL, 0 } +}; + +/* + * Set everything to its default value +*/ +void clear_pconfig(plugin_conf_t *config) +{ + int i; + + config->active = A_NO; + config->direction = D_UNSET; + config->path = NULL; + config->type = S_ALWAYS; + for (i=0; i< (MAX_PLUGIN_ARGS + 2); i++) + config->args[i] = NULL; + config->format = F_STRING; + config->plug_pipe[0] = -1; + config->plug_pipe[1] = -1; + config->pid = 0; + config->inode = 0; + config->checked = 0; + config->name = NULL; + config->restart_cnt = 0; +} + +int load_pconfig(plugin_conf_t *config, char *file) +{ + int fd, rc, mode, lineno = 1; + struct stat st; + FILE *f; + char buf[160]; + + clear_pconfig(config); + + /* open the file */ + mode = O_RDONLY; + rc = open(file, mode); + if (rc < 0) { + if (errno != ENOENT) { + audit_msg(LOG_ERR, "Error opening %s (%s)", file, + strerror(errno)); + return 1; + } + audit_msg(LOG_WARNING, + "Config file %s doesn't exist, skipping", file); + return 0; + } + fd = rc; + + /* check the file's permissions: owned by root, not world writable, + * not symlink. + */ + if (fstat(fd, &st) < 0) { + audit_msg(LOG_ERR, "Error fstat'ing config file (%s)", + strerror(errno)); + close(fd); + return 1; + } + if (st.st_uid != 0) { + audit_msg(LOG_ERR, "Error - %s isn't owned by root", + file); + close(fd); + return 1; + } + if ((st.st_mode & S_IWOTH) == S_IWOTH) { + audit_msg(LOG_ERR, "Error - %s is world writable", + file); + close(fd); + return 1; + } + if (!S_ISREG(st.st_mode)) { + audit_msg(LOG_ERR, "Error - %s is not a regular file", + file); + close(fd); + return 1; + } + + /* it's ok, read line by line */ + f = fdopen(fd, "rm"); + if (f == NULL) { + audit_msg(LOG_ERR, "Error - fdopen failed (%s)", + strerror(errno)); + close(fd); + return 1; + } + + while (get_line(f, buf, sizeof(buf), &lineno, file)) { + // convert line into name-value pair + const struct kw_pair *kw; + struct nv_pair nv; + rc = nv_split(buf, &nv); + switch (rc) { + case 0: // fine + break; + case 1: // not the right number of tokens. + audit_msg(LOG_ERR, + "Wrong number of arguments for line %d in %s", + lineno, file); + break; + case 2: // no '=' sign + audit_msg(LOG_ERR, + "Missing equal sign for line %d in %s", + lineno, file); + break; + default: // something else went wrong... + audit_msg(LOG_ERR, + "Unknown error for line %d in %s", + lineno, file); + break; + } + if (nv.name == NULL) { + lineno++; + continue; + } + if (nv.value == NULL) { + fclose(f); + return 1; + } + + /* identify keyword or error */ + kw = kw_lookup(nv.name); + if (kw->name == NULL) { + audit_msg(LOG_ERR, + "Unknown keyword \"%s\" in line %d of %s", + nv.name, lineno, file); + fclose(f); + return 1; + } + + /* Check number of options */ + if (kw->max_options == 0 && nv.option != NULL) { + audit_msg(LOG_ERR, + "Keyword \"%s\" has invalid option " + "\"%s\" in line %d of %s", + nv.name, nv.option, lineno, file); + fclose(f); + return 1; + } + + /* dispatch to keyword's local parser */ + rc = kw->parser(&nv, lineno, config); + if (rc != 0) { + fclose(f); + return 1; // local parser puts message out + } + + lineno++; + } + + fclose(f); + config->name = strdup(basename(file)); + if (lineno > 1) + return sanity_check(config, file); + return 0; +} + +static char *get_line(FILE *f, char *buf, unsigned size, int *lineno, + const char *file) +{ + int too_long = 0; + + while (fgets_unlocked(buf, size, f)) { + /* remove newline */ + char *ptr = strchr(buf, 0x0a); + if (ptr) { + if (!too_long) { + *ptr = 0; + return buf; + } + // Reset and start with the next line + too_long = 0; + *lineno = *lineno + 1; + } else { + // If a line is too long skip it. + // Only output 1 warning + if (!too_long) + audit_msg(LOG_ERR, + "Skipping line %d in %s: too long", + *lineno, file); + too_long = 1; + } + } + return NULL; +} + +static int nv_split(char *buf, struct nv_pair *nv) +{ + /* Get the name part */ + char *ptr, *saved; + + nv->name = NULL; + nv->value = NULL; + nv->option = NULL; + ptr = strtok_r(buf, " ", &saved); + if (ptr == NULL) + return 0; /* If there's nothing, go to next line */ + if (ptr[0] == '#') + return 0; /* If there's a comment, go to next line */ + nv->name = ptr; + + /* Check for a '=' */ + ptr = strtok_r(NULL, " ", &saved); + if (ptr == NULL) + return 1; + if (strcmp(ptr, "=") != 0) + return 2; + + /* get the value */ + ptr = strtok_r(NULL, " ", &saved); + if (ptr == NULL) + return 1; + nv->value = ptr; + + /* See if there's an option */ + ptr = strtok_r(NULL, " ", &saved); + if (ptr) { + nv->option = ptr; + + /* Make sure there's nothing else */ + ptr = strtok_r(NULL, " ", &saved); + if (ptr) + return 1; + } + + /* Everything is OK */ + return 0; +} + +static const struct kw_pair *kw_lookup(const char *val) +{ + int i = 0; + while (keywords[i].name != NULL) { + if (strcasecmp(keywords[i].name, val) == 0) + break; + i++; + } + return &keywords[i]; +} + +static int active_parser(struct nv_pair *nv, int line, + plugin_conf_t *config) +{ + int i; + + for (i=0; active[i].name != NULL; i++) { + if (strcasecmp(nv->value, active[i].name) == 0) { + config->active = active[i].option; + return 0; + } + } + audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line); + return 1; +} + +static int direction_parser(struct nv_pair *nv, int line, + plugin_conf_t *config) +{ + int i; + + for (i=0; directions[i].name != NULL; i++) { + if (strcasecmp(nv->value, directions[i].name) == 0) { + config->direction = directions[i].option; + return 0; + } + } + audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line); + return 1; +} + +static int path_parser(struct nv_pair *nv, int line, + plugin_conf_t *config) +{ + char *dir = NULL, *tdir; + struct stat buf; + + if (nv->value == NULL) { + config->path = NULL; + return 0; + } + + if (strncasecmp(nv->value, "builtin_", 8) == 0) { + config->path = strdup(nv->value); + return 0; + } + + /* get dir form name. */ + tdir = strdup(nv->value); + if (tdir) + dir = dirname(tdir); + if (dir == NULL || strlen(dir) < 4) { // '/var' is shortest dirname + audit_msg(LOG_ERR, + "The directory name: %s is too short - line %d", + dir, line); + free(tdir); + return 1; + } + + free((void *)tdir); + /* If the file exists, see that its regular, owned by root, + * and not world anything */ + if (stat(nv->value, &buf) < 0) { + audit_msg(LOG_ERR, "Unable to stat %s (%s)", nv->value, + strerror(errno)); + return 1; + } + if (!S_ISREG(buf.st_mode)) { + audit_msg(LOG_ERR, "%s is not a regular file", nv->value); + return 1; + } + if (buf.st_uid != 0) { + audit_msg(LOG_ERR, "%s is not owned by root", nv->value); + return 1; + } + if ((buf.st_mode & (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) != + (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) { + audit_msg(LOG_ERR, "%s permissions should be 0750", nv->value); + return 1; + } + free((void *)config->path); + config->path = strdup(nv->value); + config->inode = buf.st_ino; + if (config->path == NULL) + return 1; + return 0; +} + +static int service_type_parser(struct nv_pair *nv, int line, + plugin_conf_t *config) +{ + int i; + + for (i=0; service_type[i].name != NULL; i++) { + if (strcasecmp(nv->value, service_type[i].name) == 0) { + config->type = service_type[i].option; + return 0; + } + } + audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line); + return 1; +} + +static int args_parser(struct nv_pair *nv, int line, + plugin_conf_t *config) +{ + int i; + + for (i=0; i < (MAX_PLUGIN_ARGS + 2); i++) { + free((void *)config->args[i]); + config->args[i] = NULL; + } + + config->args[1] = strdup(nv->value); + if (nv->option) + config->args[2] = strdup(nv->option); + return 0; +} + +static int format_parser(struct nv_pair *nv, int line, + plugin_conf_t *config) +{ + int i; + + for (i=0; formats[i].name != NULL; i++) { + if (strcasecmp(nv->value, formats[i].name) == 0) { + config->format = formats[i].option; + return 0; + } + } + audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line); + return 1; +} + +/* + * This function is where we do the integrated check of the audispd config + * options. At this point, all fields have been read. Returns 0 if no + * problems and 1 if problems detected. + */ +static int sanity_check(plugin_conf_t *config, const char *file) +{ + /* Error checking */ + if (config->active == A_YES && config->path == NULL) { + audit_msg(LOG_ERR, + "Error - plugin (%s) is active but no path given", file); + return 1; + } + return 0; +} + +void free_pconfig(plugin_conf_t *config) +{ + int i; + + if (config == NULL) + return; + + for (i=0; i < (MAX_PLUGIN_ARGS + 2); i++) + free(config->args[i]); + if (config->plug_pipe[0] >= 0) + close(config->plug_pipe[0]); + if (config->plug_pipe[1] >= 0) + close(config->plug_pipe[1]); + free((void *)config->path); + free((void *)config->name); +} + |