diff options
Diffstat (limited to 'libpam')
-rw-r--r-- | libpam/include/security/pam_modutil.h | 3 | ||||
-rw-r--r-- | libpam/libpam.map | 5 | ||||
-rw-r--r-- | libpam/pam_audit.c | 51 |
3 files changed, 53 insertions, 6 deletions
diff --git a/libpam/include/security/pam_modutil.h b/libpam/include/security/pam_modutil.h index efb72436..ffdf5ad0 100644 --- a/libpam/include/security/pam_modutil.h +++ b/libpam/include/security/pam_modutil.h @@ -97,6 +97,9 @@ pam_modutil_read(int fd, char *buffer, int count); extern int pam_modutil_write(int fd, const char *buffer, int count); +extern int PAM_NONNULL((1,3)) +pam_modutil_audit_write(pam_handle_t *pamh, int type, + const char *message, int retval); #ifdef __cplusplus } #endif diff --git a/libpam/libpam.map b/libpam/libpam.map index 1c2c4480..e37fc356 100644 --- a/libpam/libpam.map +++ b/libpam/libpam.map @@ -45,3 +45,8 @@ LIBPAM_MODUTIL_1.0 { pam_modutil_read; pam_modutil_write; }; + +LIBPAM_MODUTIL_1.1 { + global: + pam_modutil_audit_write; +} LIBPAM_MODUTIL_1.0; diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c index 240d4a89..a9d72176 100644 --- a/libpam/pam_audit.c +++ b/libpam/pam_audit.c @@ -56,26 +56,39 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type, return rc; } -int -_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) +static int +_pam_audit_open(pam_handle_t *pamh) { - const char *message; - int type; int audit_fd; - audit_fd = audit_open(); if (audit_fd < 0) { /* You get these error codes only when the kernel doesn't have * audit compiled in. */ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) - return retval; + return -2; /* this should only fail in case of extreme resource shortage, * need to prevent login in that case for CAPP compliance. */ pam_syslog(pamh, LOG_CRIT, "audit_open() failed: %m"); + return -1; + } + + return audit_fd; +} + +int +_pam_auditlog(pam_handle_t *pamh, int action, int retval, int flags) +{ + const char *message; + int type; + int audit_fd; + + if ((audit_fd=_pam_audit_open(pamh)) == -1) { return PAM_SYSTEM_ERR; + } else if (audit_fd == -2) { + return retval; } switch (action) { @@ -142,4 +155,30 @@ _pam_audit_end(pam_handle_t *pamh, int status UNUSED) return 0; } +int +pam_modutil_audit_write(pam_handle_t *pamh, int type, + const char *message, int retval) +{ + int audit_fd; + int rc; + + if ((audit_fd=_pam_audit_open(pamh)) == -1) { + return PAM_SYSTEM_ERR; + } else if (audit_fd == -2) { + return retval; + } + + rc = _pam_audit_writelog(pamh, audit_fd, type, message, retval); + + audit_close(audit_fd); + + return rc < 0 ? PAM_SYSTEM_ERR : PAM_SUCCESS; +} + +#else +int pam_modutil_audit_write(pam_handle_t *pamh UNUSED, int type UNUSED, + const char *message UNUSED, int retval UNUSED) +{ + return PAM_SUCCESS; +} #endif /* HAVE_LIBAUDIT */ |