From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tyler Hicks Subject: [PATCH 5/5] Conditionally build auditd network listener support Date: Wed, 1 Aug 2012 00:00:24 -0700 Message-ID: <1343804424-3172-6-git-send-email-tyhicks@canonical.com> References: <1343804424-3172-1-git-send-email-tyhicks@canonical.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1343804424-3172-1-git-send-email-tyhicks@canonical.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com Add the --disable-listener configure option to leave the network listener code out of auditd. By default, the listener code is still included in auditd. When the listener is disabled, the listener init, uninit, and reconfigure functions are stubbed out. ifdefs are used in auditd-config.c to disable the listener-specific parsers, following the style of the krb5 parser functions.
---
 configure.ac | 14 ++++++++++++++ src/Makefile.am | 5 ++++- src/auditd-config.c | 35 +++++++++++++++++++++++++++++++++++ src/auditd-listen.h | 21 +++++++++++++++++++++ 4 files changed, 74 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index e14df60..76eaa26 100644
--- a/configure.ac
+++ b/configure.ac
@@ -104,6 +104,20 @@ fi
 fi
 AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes")
+#auditd listener
+AC_MSG_CHECKING(whether to include auditd network listener support)
+AC_ARG_ENABLE(listener,
+ [AS_HELP_STRING([--disable-listener],
+ [Disable auditd network listener support])],
+ enable_listener=$enableval,
+ enable_listener=yes)
+if test "x$enable_listener" != "xno"; then
+ AC_DEFINE(USE_LISTENER, 1,
+ [Define if you want to use the auditd network listener.])
+fi
+AM_CONDITIONAL(ENABLE_LISTENER, test "x$enable_listener" != "xno")
+AC_MSG_RESULT($enable_listener)
+
 #gssapi
 AC_ARG_ENABLE(gssapi_krb5,
 [AS_HELP_STRING([--enable-gssapi-krb5],[Enable GSSAPI Kerberos 5 support @<:@default=no@:>@])],
diff --git a/src/Makefile.am b/src/Makefile.am
index 57ddd27..fdfa5cf 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -28,7 +28,10 @@ sbin_PROGRAMS = auditd auditctl aureport ausearch autrace
 AM_CFLAGS = -D_GNU_SOURCE
 noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h
-auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c auditd-listen.c
+auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c
+if ENABLE_LISTENER
+auditd_SOURCES += auditd-listen.c
+endif
 auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pthread
 auditd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
 auditd_DEPENDENCIES = mt/libauditmt.a libev/libev.a
diff --git a/src/auditd-config.c b/src/auditd-config.c
index 9569378..13220bf 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
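Review bot: The new `--disable-listener` option is not tied to the `#gssapi` block that immediately follows it, so `--disable-listener --enable-gssapi-krb5` still defines the Kerberos support and links the GSSAPI library into an auditd that has no listener — assuming, as the krb5 parsers sitting next to the tcp_* parsers in auditd-config.c suggest, that Kerberos is only consumed by the listener. I would reject or at least warn on that combination after the gssapi block, e.g. `if test "x$enable_listener" = "xno" -a "x$enable_gssapi_krb5" = "xyes"; then AC_MSG_WARN([GSSAPI/krb5 support is only used by the listener, which is disabled]); fi` (the variable the gssapi AC_ARG_ENABLE sets is outside the hunk, so check its name). The help text `[Disable auditd network listener support]` also does not state the default; adding `@<:@default=enabled@:>@` keeps it consistent with the gssapi entry's `@<:@default=no@:>@` style so the default is visible in `configure --help`.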
@@ -1189,6 +1189,12 @@ static int tcp_listen_port_parser(struct nv_pair *nv, int line,
 audit_msg(LOG_DEBUG, "tcp_listen_port_parser called with: %s", nv->value);
+#ifndef USE_LISTENER
+ audit_msg(LOG_DEBUG,
+ "Listener support is not enabled, ignoring value at line %d",
+ line);
+ return 0;
+#else
 /* check that all chars are numbers */
 for (i=0; ptr[i]; i++) {
 if (!isdigit(ptr[i])) {
@@ -1223,6 +1229,7 @@ static int tcp_listen_port_parser(struct nv_pair *nv, int line,
 }
 config->tcp_listen_port = (unsigned int)i;
 return 0;
+#endif
 }
 static int tcp_listen_queue_parser(struct nv_pair *nv, int line,
@@ -1234,6 +1241,12 @@ static int tcp_listen_queue_parser(struct nv_pair *nv, int line,
 audit_msg(LOG_DEBUG, "tcp_listen_queue_parser called with: %s", nv->value);
+#ifndef USE_LISTENER
+ audit_msg(LOG_DEBUG,
+ "Listener support is not enabled, ignoring value at line %d",
+ line);
+ return 0;
+#else
 /* check that all chars are numbers */
 for (i=0; ptr[i]; i++) {
 if (!isdigit(ptr[i])) {
@@ -1270,6 +1283,7 @@ static int tcp_listen_queue_parser(struct nv_pair *nv, int line,
 }
 config->tcp_listen_queue = (unsigned int)i;
 return 0;
+#endif
 }
@@ -1282,6 +1296,12 @@ static int tcp_max_per_addr_parser(struct nv_pair *nv, int line,
 audit_msg(LOG_DEBUG, "tcp_max_per_addr_parser called with: %s", nv->value);
+#ifndef USE_LISTENER
+ audit_msg(LOG_DEBUG,
+ "Listener support is not enabled, ignoring value at line %d",
+ line);
+ return 0;
+#else
 /* check that all chars are numbers */
 for (i=0; ptr[i]; i++) {
 if (!isdigit(ptr[i])) {
@@ -1318,6 +1338,7 @@ static int tcp_max_per_addr_parser(struct nv_pair *nv, int line,
 }
 config->tcp_max_per_addr = (unsigned int)i;
 return 0;
+#endif
 }
 static int use_libwrap_parser(struct nv_pair *nv, int line,
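Review bot: The stubbed parsers drop a configured `tcp_listen_port`, `tcp_listen_queue` and `tcp_max_per_addr` at LOG_DEBUG and return 0, so an administrator who rolls an auditd.conf that expects remote log collection onto a `--disable-listener` build gets a daemon that starts cleanly, never listens, and says nothing about it in the default syslog. A silently ignored security-relevant setting is worse than a loud one; I would use `audit_msg(LOG_WARNING, "Listener support is not enabled, ignoring value at line %d", line);` in each stub, or return non-zero so the misconfiguration is rejected at startup rather than ignored. Because the early return is placed after the locals and the "called with" debug line, `i` and `ptr` (declared above the hunk, not visible here) appear to become unused in a `--disable-listener` build and will warn under -Wall; `(void)i; (void)ptr;` before the return, or moving the `#ifndef` above the declarations, avoids that. `use_libwrap_parser`, visible as context at the end of the last hunk, is not stubbed although libwrap is presumably only consulted by the listener — worth confirming. All of these functions start before their hunks.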
@@ -1348,6 +1369,12 @@ static int tcp_client_ports_parser(struct nv_pair *nv, int line,
 audit_msg(LOG_DEBUG, "tcp_listen_queue_parser called with: %s", nv->value);
+#ifndef USE_LISTENER
+ audit_msg(LOG_DEBUG,
+ "Listener support is not enabled, ignoring value at line %d",
+ line);
+ return 0;
+#else
 /* check that all chars are numbers, with an optional inclusive '-'. */
 for (i=0; ptr[i]; i++) {
 if (i > 0 && ptr[i] == '-' && ptr[i+1] != '\0') {
@@ -1412,6 +1439,7 @@ static int tcp_client_ports_parser(struct nv_pair *nv, int line,
 config->tcp_client_min_port = (unsigned int)minv;
 config->tcp_client_max_port = (unsigned int)maxv;
 return 0;
+#endif
 }
 static int tcp_client_max_idle_parser(struct nv_pair *nv, int line,
@@ -1423,6 +1451,12 @@ static int tcp_client_max_idle_parser(struct nv_pair *nv, int line,
 audit_msg(LOG_DEBUG, "tcp_client_max_idle_parser called with: %s", nv->value);
+#ifndef USE_LISTENER
+ audit_msg(LOG_DEBUG,
+ "Listener support is not enabled, ignoring value at line %d",
+ line);
+ return 0;
+#else
 /* check that all chars are numbers */
 for (i=0; ptr[i]; i++) {
 if (!isdigit(ptr[i])) {
@@ -1453,6 +1487,7 @@ static int tcp_client_max_idle_parser(struct nv_pair *nv, int line,
 }
 config->tcp_client_max_idle = (unsigned int)i;
 return 0;
+#endif
 }
 static int enable_krb5_parser(struct nv_pair *nv, int line,
diff --git a/src/auditd-listen.h b/src/auditd-listen.h
index 024fd6f..69f9310 100644
--- a/src/auditd-listen.h
+++ b/src/auditd-listen.h
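Review bot: The same six-line stub is now pasted into five parsers (tcp_client_ports and tcp_client_max_idle here, three more in the previous hunks), and the `#ifndef ... #else ... #endif` wrapping each whole body makes the real parsing code read as an else-branch. A single helper keeps one copy of the message and one place to change its severity, e.g. `static int listener_disabled(int line) { audit_msg(LOG_DEBUG, "Listener support is not enabled, ignoring value at line %d", line); return 0; }` invoked from a two-line `#ifndef USE_LISTENER` block at the top of each parser; its comment should state that the value is dropped, not rejected. While here, the context line `"tcp_listen_queue_parser called with: %s"` in tcp_client_ports_parser is a pre-existing copy-paste of the wrong function name that makes debug logs misattribute the value; `"tcp_client_ports_parser called with: %s"` is the intended message. Both parsers begin before their hunks.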
@@ -25,10 +25,31 @@
 #define AUDITD_LISTEN_H
 #include "ev.h"
+
+#ifdef USE_LISTENER
 int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config );
 void auditd_tcp_listen_uninit ( struct ev_loop *loop, struct daemon_conf *config );
 void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, struct daemon_conf *oconf );
+#else
+static inline int auditd_tcp_listen_init ( struct ev_loop *loop,
+ struct daemon_conf *config )
+{
+ return 0;
+}
+
+static inline void auditd_tcp_listen_uninit ( struct ev_loop *loop,
+ struct daemon_conf *config )
+{
+ return;
+}
+
+static inline void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf,
+ struct daemon_conf *oconf )
+{
+ return;
+}
+#endif /* USE_LISTENER */
 #endif
-- 1.7.9.5
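Review bot: `USE_LISTENER` comes from AC_DEFINE, so this header only sees it when the including translation unit has already pulled in config.h; a file that includes auditd-listen.h before config.h quietly gets the `static inline` stubs, compiles and links without error, and the listener is never initialised even in a build that enabled it. I would add `#include "config.h"` at the top of the header (or an `#error` if the tree guards its AC_DEFINE output with HAVE_CONFIG_H — the include layout is outside the hunk) so the selection cannot depend on include order. The stubs also leave `loop`, `config`, `nconf` and `oconf` unused, which warns under -Wextra; `(void)loop; (void)config;` in each body, or `__attribute__((unused))` on the parameters, silences it, and the bare `return;` at the end of the void stubs is noise. A one-line comment above `#else`, such as `/* listener compiled out: no-op stubs so auditd.c needs no #ifdefs */`, would explain why an init that unconditionally returns 0 is acceptable here.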