authortrhodes <trhodes@FreeBSD.org>2004-08-21 20:19:19 +0000
committertrhodes <trhodes@FreeBSD.org>2004-08-21 20:19:19 +0000
commite8f5fe75244345d666a00f064a6845e64d1d41fc (patch)
tree55bedcc0c8a55f642ed88242d7537d10836c9872 /sys/security/mac_bsdextended
parent1e23f58a1df4a19058c63b60716ddbae0398c477 (diff)
downloadFreeBSD-src-e8f5fe75244345d666a00f064a6845e64d1d41fc.zip
FreeBSD-src-e8f5fe75244345d666a00f064a6845e64d1d41fc.tar.gz
Allow mac_bsdextended(4) to log failed attempts to syslog's AUTHPRIV
facility. This is disabled by default but may be turned on by using the mac_bsdextended_logging sysctl. Reviewed by: re (jhb) Approved by: re (jhb)
Diffstat (limited to 'sys/security/mac_bsdextended')
-rw-r--r--sys/security/mac_bsdextended/mac_bsdextended.c24
1 files changed, 19 insertions, 5 deletions
diff --git a/sys/security/mac_bsdextended/mac_bsdextended.c b/sys/security/mac_bsdextended/mac_bsdextended.c
index 5dc237b..c9e97f0 100644
--- a/sys/security/mac_bsdextended/mac_bsdextended.c
+++ b/sys/security/mac_bsdextended/mac_bsdextended.c
@@ -58,6 +58,7 @@
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
+#include <sys/syslog.h>
#include <net/bpfdesc.h>
#include <net/if.h>
@@ -92,11 +93,24 @@ SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_count, CTLFLAG_RD,
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, rule_slots, CTLFLAG_RD,
&rule_slots, 0, "Number of used rule slots\n");
+/*
+ * This tunable spits out information about what is going on which
+ * would be more suited for a log file. Eventually
+ * this will go away as we do not currently use it.
+ */
static int mac_bsdextended_debugging;
SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, debugging, CTLFLAG_RW,
&mac_bsdextended_debugging, 0, "Enable debugging on failure");
/*
+ * This is just used for logging purposes as eventually we would like
+ * to log much more then failed requests.
+ */
+static int mac_bsdextended_logging;
+SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, logging, CTLFLAG_RW,
+ &mac_bsdextended_logging, 0, "Log failed authorization requests");
+
+/*
* This tunable is here for compatibility. It will allow the user
* to switch between the new mode (first rule matches) and the old
* functionality (all rules match).
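Review bot: The comment introducing the new knob at the start of this hunk has a typo, "much more then failed requests", which should read `much more than failed requests`, and the sysctl description could say where the records go, e.g. `"Log failed authorization requests to syslog (LOG_AUTHPRIV)"`, since that is the operationally relevant detail for whoever turns it on. Note also that after the third hunk of this commit the only reader of mac_bsdextended_debugging visible on this page is gone; if nothing else in the file consults it, the "Enable debugging on failure" sysctl is now a no-op and its description is misleading, which the comment above it already half-admits. Both sysctls are plain CTLFLAG_RW ints with no TUNABLE_INT visible here, so calling them "tunables" is loose; they are runtime-only until set from rc or by hand.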
@@ -270,11 +284,11 @@ mac_bsdextended_rulecheck(struct mac_bsdextended_rule *rule,
* Is the access permitted?
*/
if ((rule->mbr_mode & acc_mode) != acc_mode) {
- if (mac_bsdextended_debugging)
- printf("mac_bsdextended: %d:%d request %d on %d:%d"
- " fails\n", cred->cr_ruid, cred->cr_rgid,
- acc_mode, object_uid, object_gid);
- return (EACCES);
+ if (mac_bsdextended_logging)
+ log(LOG_AUTHPRIV, "mac_bsdextended: %d:%d request %d"
+ " on %d:%d failed. \n", cred->cr_ruid,
+ cred->cr_rgid, acc_mode, object_uid, object_gid);
+ return (EACCES); /* Matching rule denies access */
}
/*
* If the rule matched and allowed access and first match is
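Review bot: The new log() call fires once per denied access with no rate limiting, and the denied access is something an unprivileged process can trigger in a tight loop, so enabling security.mac.bsdextended.logging lets any local user flood the AUTHPRIV log and drown out genuine events; the kernel already offers ppsratecheck() for exactly this, and gating the call on it keeps the record useful. The message itself prints acc_mode as a bare decimal and the subject/object ids without saying which is which, and has a stray space before the newline in "failed. \n"; it would also be more actionable if it named the rule that denied the request, but the rule index does not appear to be passed into mac_bsdextended_rulecheck, so that needs a wider change. The body of mac_bsdextended_rulecheck starts before this hunk and continues after it.
```c
/* … unchanged: rule matching above … */
	if ((rule->mbr_mode & acc_mode) != acc_mode) {
		/* Denials are attacker-triggerable; cap the syslog rate. */
		static struct timeval lastlog;
		static int curlog;

		if (mac_bsdextended_logging &&
		    ppsratecheck(&lastlog, &curlog, 10))
			log(LOG_AUTHPRIV, "mac_bsdextended: subject %d:%d "
			    "request 0%o on object %d:%d failed\n",
			    cred->cr_ruid, cred->cr_rgid, acc_mode,
			    object_uid, object_gid);
		return (EACCES);	/* Matching rule denies access */
	}
```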