mirror of https://github.com/sudo-project/sudo.git
282 lines
9.1 KiB
C
282 lines
9.1 KiB
C
/*
|
|
* SPDX-License-Identifier: ISC
|
|
*
|
|
* Copyright (c) 2020 Robert Manner <robert.manner@oneidentity.com>
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
*/
|
|
|
|
/*
|
|
* This is an open source non-commercial project. Dear PVS-Studio, please check it.
|
|
* PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
|
|
*/
|
|
|
|
#include "python_plugin_common.h"
|
|
|
|
struct AuditPluginContext
|
|
{
|
|
struct PluginContext base_ctx;
|
|
struct audit_plugin *plugin;
|
|
};
|
|
|
|
#define BASE_CTX(audit_ctx) (&(audit_ctx->base_ctx))
|
|
|
|
#define PY_AUDIT_PLUGIN_VERSION SUDO_API_MKVERSION(1, 0)
|
|
|
|
#define CALLBACK_PLUGINFUNC(func_name) audit_ctx->plugin->func_name
|
|
|
|
// This also verifies compile time that the name matches the sudo plugin API.
|
|
#define CALLBACK_PYNAME(func_name) ((void)CALLBACK_PLUGINFUNC(func_name), #func_name)
|
|
|
|
#define MARK_CALLBACK_OPTIONAL(function_name) \
|
|
do { \
|
|
python_plugin_mark_callback_optional(plugin_ctx, CALLBACK_PYNAME(function_name), \
|
|
(void **)&CALLBACK_PLUGINFUNC(function_name)); \
|
|
} while(0)
|
|
|
|
sudo_dso_public struct audit_plugin *python_audit_clone(void);
|
|
|
|
static int
|
|
_call_plugin_open(struct AuditPluginContext *audit_ctx, int submit_optind, char * const submit_argv[])
|
|
{
|
|
debug_decl(_call_plugin_open, PYTHON_DEBUG_CALLBACKS);
|
|
|
|
struct PluginContext *plugin_ctx = BASE_CTX(audit_ctx);
|
|
if (!PyObject_HasAttrString(plugin_ctx->py_instance, CALLBACK_PYNAME(open))) {
|
|
debug_return_int(SUDO_RC_OK);
|
|
}
|
|
|
|
int rc = SUDO_RC_ERROR;
|
|
PyObject *py_submit_argv = py_str_array_to_tuple(submit_argv);
|
|
|
|
if (py_submit_argv != NULL) {
|
|
rc = python_plugin_api_rc_call(plugin_ctx, CALLBACK_PYNAME(open),
|
|
Py_BuildValue("(iO)", submit_optind, py_submit_argv));
|
|
}
|
|
|
|
Py_XDECREF(py_submit_argv);
|
|
debug_return_int(rc);
|
|
}
|
|
|
|
static int
|
|
python_plugin_audit_open(struct AuditPluginContext *audit_ctx,
|
|
unsigned int version, sudo_conv_t conversation,
|
|
sudo_printf_t sudo_printf, char * const settings[],
|
|
char * const user_info[], int submit_optind,
|
|
char * const submit_argv[], char * const submit_envp[],
|
|
char * const plugin_options[], const char **errstr)
|
|
{
|
|
debug_decl(python_plugin_audit_open, PYTHON_DEBUG_CALLBACKS);
|
|
(void) version;
|
|
|
|
int rc = python_plugin_register_logging(conversation, sudo_printf, settings);
|
|
if (rc != SUDO_RC_OK) {
|
|
debug_return_int(rc);
|
|
}
|
|
|
|
struct PluginContext *plugin_ctx = BASE_CTX(audit_ctx);
|
|
|
|
rc = python_plugin_init(plugin_ctx, plugin_options, version);
|
|
if (rc != SUDO_RC_OK) {
|
|
debug_return_int(rc);
|
|
}
|
|
|
|
rc = python_plugin_construct(plugin_ctx, PY_AUDIT_PLUGIN_VERSION, settings,
|
|
user_info, submit_envp, plugin_options);
|
|
CALLBACK_SET_ERROR(plugin_ctx, errstr);
|
|
if (rc != SUDO_RC_OK) {
|
|
debug_return_int(rc);
|
|
}
|
|
|
|
// skip plugin callbacks which are not mandatory
|
|
MARK_CALLBACK_OPTIONAL(accept);
|
|
MARK_CALLBACK_OPTIONAL(reject);
|
|
MARK_CALLBACK_OPTIONAL(error);
|
|
|
|
plugin_ctx->call_close = 1;
|
|
rc = _call_plugin_open(audit_ctx, submit_optind, submit_argv);
|
|
CALLBACK_SET_ERROR(plugin_ctx, errstr);
|
|
|
|
if (PyErr_Occurred()) {
|
|
py_log_last_error("Error during calling audit open");
|
|
}
|
|
|
|
debug_return_int(rc);
|
|
}
|
|
|
|
static void
|
|
python_plugin_audit_close(struct AuditPluginContext *audit_ctx, int status_type, int status)
|
|
{
|
|
debug_decl(python_plugin_audit_close, PYTHON_DEBUG_CALLBACKS);
|
|
|
|
python_plugin_close(BASE_CTX(audit_ctx), CALLBACK_PYNAME(close),
|
|
Py_BuildValue("(ii)", status_type, status));
|
|
|
|
debug_return;
|
|
}
|
|
|
|
static int
|
|
python_plugin_audit_accept(struct AuditPluginContext *audit_ctx,
|
|
const char *plugin_name, unsigned int plugin_type,
|
|
char * const command_info[], char * const run_argv[],
|
|
char * const run_envp[], const char **errstr)
|
|
{
|
|
debug_decl(python_plugin_audit_accept, PYTHON_DEBUG_CALLBACKS);
|
|
|
|
struct PluginContext *plugin_ctx = BASE_CTX(audit_ctx);
|
|
PyThreadState_Swap(plugin_ctx->py_interpreter);
|
|
|
|
PyObject *py_command_info = NULL, *py_run_argv = NULL, *py_run_envp = NULL;
|
|
int rc = SUDO_RC_ERROR;
|
|
|
|
py_run_argv = py_str_array_to_tuple(run_argv);
|
|
if (py_run_argv == NULL)
|
|
goto cleanup;
|
|
|
|
py_command_info = py_str_array_to_tuple(command_info);
|
|
if (py_command_info == NULL)
|
|
goto cleanup;
|
|
|
|
py_run_envp = py_str_array_to_tuple(run_envp);
|
|
if (py_run_envp == NULL)
|
|
goto cleanup;
|
|
|
|
PyObject *py_args = Py_BuildValue("(ziOOO)", plugin_name, plugin_type, py_command_info, py_run_argv, py_run_envp);
|
|
rc = python_plugin_api_rc_call(plugin_ctx, CALLBACK_PYNAME(accept), py_args);
|
|
CALLBACK_SET_ERROR(plugin_ctx, errstr);
|
|
|
|
cleanup:
|
|
Py_CLEAR(py_command_info);
|
|
Py_CLEAR(py_run_argv);
|
|
Py_CLEAR(py_run_envp);
|
|
|
|
debug_return_int(rc);
|
|
}
|
|
|
|
static int
|
|
python_plugin_audit_reject(struct AuditPluginContext *audit_ctx,
|
|
const char *plugin_name, unsigned int plugin_type,
|
|
const char *audit_msg, char * const command_info[], const char **errstr)
|
|
{
|
|
debug_decl(python_plugin_audit_reject, PYTHON_DEBUG_CALLBACKS);
|
|
|
|
struct PluginContext *plugin_ctx = BASE_CTX(audit_ctx);
|
|
PyThreadState_Swap(plugin_ctx->py_interpreter);
|
|
|
|
PyObject *py_command_info = NULL;
|
|
int rc = SUDO_RC_ERROR;
|
|
|
|
py_command_info = py_str_array_to_tuple(command_info);
|
|
if (PyErr_Occurred())
|
|
goto cleanup;
|
|
|
|
PyObject *py_args = Py_BuildValue("(zizO)", plugin_name, plugin_type, audit_msg, py_command_info);
|
|
rc = python_plugin_api_rc_call(plugin_ctx, CALLBACK_PYNAME(reject), py_args);
|
|
|
|
CALLBACK_SET_ERROR(plugin_ctx, errstr);
|
|
|
|
cleanup:
|
|
Py_CLEAR(py_command_info);
|
|
if (PyErr_Occurred())
|
|
py_log_last_error("Error during calling audit reject");
|
|
|
|
debug_return_int(rc);
|
|
}
|
|
|
|
static int
|
|
python_plugin_audit_error(struct AuditPluginContext *audit_ctx,
|
|
const char *plugin_name, unsigned int plugin_type,
|
|
const char *audit_msg, char * const command_info[], const char **errstr)
|
|
{
|
|
debug_decl(python_plugin_audit_error, PYTHON_DEBUG_CALLBACKS);
|
|
|
|
struct PluginContext *plugin_ctx = BASE_CTX(audit_ctx);
|
|
PyThreadState_Swap(plugin_ctx->py_interpreter);
|
|
|
|
PyObject *py_command_info = NULL;
|
|
int rc = SUDO_RC_ERROR;
|
|
|
|
py_command_info = py_str_array_to_tuple(command_info);
|
|
if (PyErr_Occurred())
|
|
goto cleanup;
|
|
|
|
PyObject *py_args = Py_BuildValue("(zizO)", plugin_name, plugin_type, audit_msg, py_command_info);
|
|
rc = python_plugin_api_rc_call(plugin_ctx, CALLBACK_PYNAME(error), py_args);
|
|
CALLBACK_SET_ERROR(plugin_ctx, errstr);
|
|
|
|
cleanup:
|
|
Py_CLEAR(py_command_info);
|
|
|
|
debug_return_int(rc);
|
|
}
|
|
|
|
static int
|
|
python_plugin_audit_show_version(struct AuditPluginContext *audit_ctx, int verbose)
|
|
{
|
|
debug_decl(python_plugin_audit_show_version, PYTHON_DEBUG_CALLBACKS);
|
|
|
|
struct PluginContext *plugin_ctx = BASE_CTX(audit_ctx);
|
|
PyThreadState_Swap(plugin_ctx->py_interpreter);
|
|
|
|
debug_return_int(python_plugin_show_version(plugin_ctx,
|
|
CALLBACK_PYNAME(show_version), verbose, PY_AUDIT_PLUGIN_VERSION, "audit"));
|
|
}
|
|
|
|
sudo_dso_public struct audit_plugin python_audit;
|
|
|
|
// generate symbols for loading multiple audit plugins:
|
|
#define AUDIT_SYMBOL_NAME(symbol) symbol
|
|
#include "python_plugin_audit_multi.inc"
|
|
#define AUDIT_SYMBOL_NAME(symbol) symbol##1
|
|
#include "python_plugin_audit_multi.inc"
|
|
#define AUDIT_SYMBOL_NAME(symbol) symbol##2
|
|
#include "python_plugin_audit_multi.inc"
|
|
#define AUDIT_SYMBOL_NAME(symbol) symbol##3
|
|
#include "python_plugin_audit_multi.inc"
|
|
#define AUDIT_SYMBOL_NAME(symbol) symbol##4
|
|
#include "python_plugin_audit_multi.inc"
|
|
#define AUDIT_SYMBOL_NAME(symbol) symbol##5
|
|
#include "python_plugin_audit_multi.inc"
|
|
#define AUDIT_SYMBOL_NAME(symbol) symbol##6
|
|
#include "python_plugin_audit_multi.inc"
|
|
#define AUDIT_SYMBOL_NAME(symbol) symbol##7
|
|
#include "python_plugin_audit_multi.inc"
|
|
|
|
static struct audit_plugin *extra_audit_plugins[] = {
|
|
&python_audit1,
|
|
&python_audit2,
|
|
&python_audit3,
|
|
&python_audit4,
|
|
&python_audit5,
|
|
&python_audit6,
|
|
&python_audit7
|
|
};
|
|
|
|
struct audit_plugin *
|
|
python_audit_clone(void)
|
|
{
|
|
static size_t counter = 0;
|
|
struct audit_plugin *next_plugin = NULL;
|
|
|
|
size_t max = sizeof(extra_audit_plugins) / sizeof(*extra_audit_plugins);
|
|
if (counter < max) {
|
|
next_plugin = extra_audit_plugins[counter];
|
|
++counter;
|
|
} else if (counter == max) {
|
|
++counter;
|
|
py_sudo_log(SUDO_CONV_ERROR_MSG, "sudo: loading more than %d sudo python audit plugins is not supported\n", counter);
|
|
}
|
|
|
|
return next_plugin;
|
|
}
|