isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Audit errors from policy_init_session(), audit_accept(), and audit_reject().

Browse Source
This commit is contained in:
Todd C. Miller
2020-12-03 14:10:30 -07:00
parent 02ebdfd7f2
commit cbb7b4afa6
1 changed files with 59 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
src/sudo.c
View File

@@ -1349,7 +1349,11 @@ policy_init_session(struct command_details *details)
&details->envp, &errstr); &details->envp, &errstr);
} }
sudo_debug_set_active_instance(sudo_debug_instance); sudo_debug_set_active_instance(sudo_debug_instance);
/* TODO: audit on error */ if (ret != 1) {
audit_error(policy_plugin.name, SUDO_POLICY_PLUGIN,
errstr ? errstr : _("policy plugin error"),
details->info);
}
} }
done: done:
debug_return_int(ret); debug_return_int(ret);
@@ -1624,6 +1628,47 @@ audit_show_version(int verbose)
debug_return; debug_return;
} }
/*
* Error from plugin or front-end.
* The error will not be sent to plugin source, if specified.
*/
static void
audit_error2(struct plugin_container *source, const char *plugin_name,
unsigned int plugin_type, const char *audit_msg, char * const command_info[])
{
struct plugin_container *plugin;
const char *errstr = NULL;
int ok;
debug_decl(audit_error2, SUDO_DEBUG_PCOMM);
TAILQ_FOREACH(plugin, &audit_plugins, entries) {
if (plugin->u.audit->error == NULL)
continue;
/* Avoid a loop if the audit plugin itself has an error. */
if (plugin == source)
continue;
sudo_debug_set_active_instance(plugin->debug_instance);
ok = plugin->u.audit->error(plugin_name, plugin_type,
audit_msg, command_info, &errstr);
sudo_debug_set_active_instance(sudo_debug_instance);
if (ok != 1) {
/*
* Don't propagate the error to other audit plugins.
* It is not worth the trouble to avoid potential loops.
*/
sudo_debug_printf(SUDO_DEBUG_ERROR,
"%s: plugin %s error failed, ret %d", __func__,
plugin->name, ok);
sudo_warnx(U_("%s: unable to log error event%s%s"),
plugin->name, errstr ? ": " : "", errstr ? errstr : "");
}
}
debug_return;
}
/* /*
* Command accepted by policy. * Command accepted by policy.
* See command_info[] for additional info. * See command_info[] for additional info.
@@ -1648,12 +1693,17 @@ audit_accept(const char *plugin_name, unsigned int plugin_type,
command_info, run_argv, run_envp, &errstr); command_info, run_argv, run_envp, &errstr);
sudo_debug_set_active_instance(sudo_debug_instance); sudo_debug_set_active_instance(sudo_debug_instance);
if (ok != 1) { if (ok != 1) {
/* TODO: notify other audit plugins of the error. */
sudo_debug_printf(SUDO_DEBUG_ERROR, sudo_debug_printf(SUDO_DEBUG_ERROR,
"%s: plugin %s accept failed, ret %d", __func__, "%s: plugin %s accept failed, ret %d", __func__,
plugin->name, ok); plugin->name, ok);
sudo_fatalx(U_("%s: unable to log accept event%s%s"), sudo_warnx(U_("%s: unable to log accept event%s%s"),
plugin->name, errstr ? ": " : "", errstr ? errstr : ""); plugin->name, errstr ? ": " : "", errstr ? errstr : "");
/* Notify other audit plugins and exit. */
audit_error2(plugin, plugin->name, SUDO_AUDIT_PLUGIN,
errstr ? errstr : _("audit plugin error"), command_info);
audit_close(SUDO_PLUGIN_NO_STATUS, 0);
exit(EXIT_FAILURE);
} }
} }
@@ -1681,12 +1731,15 @@ audit_reject(const char *plugin_name, unsigned int plugin_type,
audit_msg, command_info, &errstr); audit_msg, command_info, &errstr);
sudo_debug_set_active_instance(sudo_debug_instance); sudo_debug_set_active_instance(sudo_debug_instance);
if (ok != 1) { if (ok != 1) {
/* TODO: notify other audit plugins of the error. */
sudo_debug_printf(SUDO_DEBUG_ERROR, sudo_debug_printf(SUDO_DEBUG_ERROR,
"%s: plugin %s reject failed, ret %d", __func__, "%s: plugin %s reject failed, ret %d", __func__,
plugin->name, ok); plugin->name, ok);
sudo_warnx(U_("%s: unable to log reject event%s%s"), sudo_warnx(U_("%s: unable to log reject event%s%s"),
plugin->name, errstr ? ": " : "", errstr ? errstr : ""); plugin->name, errstr ? ": " : "", errstr ? errstr : "");
/* Notify other audit plugins. */
audit_error2(plugin, plugin->name, SUDO_AUDIT_PLUGIN,
errstr ? errstr : _("audit plugin error"), command_info);
} }
} }
@@ -1694,36 +1747,13 @@ audit_reject(const char *plugin_name, unsigned int plugin_type,
} }
/* /*
* Error from policy or I/O plugin. * Error from plugin or front-end.
*/ */
void void
audit_error(const char *plugin_name, unsigned int plugin_type, audit_error(const char *plugin_name, unsigned int plugin_type,
const char *audit_msg, char * const command_info[]) const char *audit_msg, char * const command_info[])
{ {
struct plugin_container *plugin; audit_error2(NULL, plugin_name, plugin_type, audit_msg, command_info);
const char *errstr = NULL;
int ok;
debug_decl(audit_error, SUDO_DEBUG_PCOMM);
TAILQ_FOREACH(plugin, &audit_plugins, entries) {
if (plugin->u.audit->error == NULL)
continue;
sudo_debug_set_active_instance(plugin->debug_instance);
ok = plugin->u.audit->error(plugin_name, plugin_type,
audit_msg, command_info, &errstr);
sudo_debug_set_active_instance(sudo_debug_instance);
if (ok != 1) {
/* TODO: notify other audit plugins of the error. */
sudo_debug_printf(SUDO_DEBUG_ERROR,
"%s: plugin %s error failed, ret %d", __func__,
plugin->name, ok);
sudo_warnx(U_("%s: unable to log error event%s%s"),
plugin->name, errstr ? ": " : "", errstr ? errstr : "");
}
}
debug_return;
} }
static int static int