Commit 638b9968 authored by Jeremy White's avatar Jeremy White

Add an option to require auditing.

parent 49452f5e
......@@ -21,6 +21,8 @@ AC_PROG_SED
# and uncomment this line, and the matching one in src/Makefile.am.
#AX_CODE_COVERAGE()
AC_CHECK_HEADERS(libaudit.h)
AC_CHECK_LIB(audit, audit_open)
AC_PROG_CC
AC_CONFIG_FILES(Makefile src/Makefile src/tests/Makefile)
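Review bot: The two libaudit probes are placed above `AC_PROG_CC`, although both need a working compiler; Autoconf will normally pull the compiler setup in on its own, so this probably works, but the conventional order is `AC_PROG_CC` first and the header and library checks after it. Note also that `AC_CHECK_HEADERS(libaudit.h)` and `AC_CHECK_LIB(audit, audit_open)` define two independent macros (`HAVE_LIBAUDIT_H` and `HAVE_LIBAUDIT`), and the C changes in this commit test them inconsistently. Since a missing libaudit is accepted silently here, a build without it only reports the problem at runtime when `audit=true` is set; a configure-time notice would make that visible earlier.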
......
......@@ -41,6 +41,10 @@
#include "options.h"
#include "x11spice.h"
#if defined(HAVE_LIBAUDIT_H)
#include <libaudit.h>
#endif
void options_init(options_t *options)
{
memset(options, 0, sizeof(*options));
......@@ -375,6 +379,14 @@ void options_from_config(options_t *options)
options->uinput_path = string_option(userkey, systemkey, "spice", "uinput-path");
options->on_connect = string_option(userkey, systemkey, "spice", "on-connect");
options->on_disconnect = string_option(userkey, systemkey, "spice", "on-disconnect");
options->audit = bool_option(userkey, systemkey, "spice", "audit");
options->audit_message_type = int_option(userkey, systemkey, "spice", "audit-message-type");
#if defined(HAVE_LIBAUDIT_H)
/* Pick an arbitrary default in the user range. CodeWeavers was founed in 1996, so 1196 it is... */
if (options->audit_message_type == 0)
options->audit_message_type = AUDIT_LAST_USER_MSG - 3;
#endif
options_handle_ssl_file_options(options, userkey, systemkey);
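Review bot: `audit-message-type` is read from the config file and used unchanged unless it is 0, so a value outside the user message range reaches audit_log_user_message() unchecked. A range test next to the default, for example `if (options->audit_message_type < AUDIT_FIRST_USER_MSG || options->audit_message_type > AUDIT_LAST_USER_MSG)` followed by a warning and a fall back to the default (extended to the second user range if the project wants to allow it), would catch a typo at startup instead of leaving it to surface as an audit failure or as a record filed under an unrelated type. The comment above the default has a typo ("founed") and would be clearer as `/* Default to 1196 (AUDIT_LAST_USER_MSG - 3), inside the user message range. */`. options_from_config() starts and ends outside the hunk, and how int_option() reports a missing key is not visible here, so the `== 0` test is presumably the "unset" case.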
......
......@@ -60,6 +60,8 @@ typedef struct {
char *uinput_path;
char *on_connect;
char *on_disconnect;
int audit;
int audit_message_type;
/* file names of config files */
char *user_config_file;
......
......@@ -30,6 +30,7 @@
#include <string.h>
#include <stdlib.h>
#include <sched.h>
#include <errno.h>
#include <xcb/xcb.h>
#include <xcb/xtest.h>
......@@ -43,6 +44,9 @@
#include "session.h"
#include "scan.h"
#if defined(HAVE_LIBAUDIT_H)
#include <libaudit.h>
#endif
/*----------------------------------------------------------------------------
** I fought very hard to avoid global variables, but the spice channel_event
......@@ -248,6 +252,44 @@ void session_end(session_t *s)
}
static int begin_audit(session_t *s)
{
int rc = X11SPICE_ERR_NOAUDIT;
#if defined(HAVE_LIBAUDIT) && defined(HAVE_LIBAUDIT_H)
s->audit_id = audit_open();
if (s->audit_id != -1)
{
rc = audit_log_user_message(s->audit_id, s->options.audit_message_type,
"x11spice begin", NULL, NULL, NULL, 1);
if (rc <= 0)
{
perror("audit_log_user_message");
rc = X11SPICE_ERR_NOAUDIT;
}
else
rc = 0;
}
else
perror("audit_open");
#else
fprintf(stderr, "Error: audit requested, but not libaudit available.\n");
#endif
return rc;
}
static void end_audit(session_t *s)
{
#if defined(HAVE_LIBAUDIT) && defined(HAVE_LIBAUDIT_H)
if (s->audit_id != -1)
{
audit_log_user_message(s->audit_id, s->options.audit_message_type,
"x11spice close", NULL, NULL, NULL, 1);
audit_close(s->audit_id);
}
s->audit_id = -1;
#endif
}
int session_create(session_t *s)
{
int rc = 0;
......@@ -264,6 +306,9 @@ int session_create(session_t *s)
s->connect_pid = 0;
s->disconnect_pid = 0;
if (s->options.audit)
rc = begin_audit(s);
return rc;
}
......@@ -289,6 +334,9 @@ void session_destroy(session_t *s)
if (s->disconnect_pid)
cleanup_process(s->disconnect_pid);
s->disconnect_pid = 0;
if (s->options.audit)
end_audit(s);
}
/* Important note - this is meant to be called from
......@@ -472,6 +520,10 @@ void session_remote_connected(const char *from)
}
if (global_session->options.on_connect)
invoke_on_connect(global_session, from);
if (global_session->options.audit && global_session->audit_id != -1)
audit_log_user_message(global_session->audit_id, global_session->options.audit_message_type,
"x11spice connect", NULL, NULL, NULL, 1);
}
void session_remote_disconnected(void)
......@@ -483,4 +535,8 @@ void session_remote_disconnected(void)
if (global_session->options.on_disconnect)
invoke_on_disconnect(global_session);
gui_remote_disconnected(&global_session->gui);
if (global_session->options.audit && global_session->audit_id != -1)
audit_log_user_message(global_session->audit_id, global_session->options.audit_message_type,
"x11spice disconnect", NULL, NULL, NULL, 1);
}
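Review bot: The audit calls added to session_remote_connected() and session_remote_disconnected() are not wrapped in the `#if defined(HAVE_LIBAUDIT) && defined(HAVE_LIBAUDIT_H)` guard that begin_audit() and end_audit() use, while the `audit_id` member in session.h exists only under `HAVE_LIBAUDIT_H`, so a build without libaudit.h would likely fail on the missing member and on the undeclared `audit_log_user_message`. Wrapping both calls in the same guard, or moving them into one guarded helper next to end_audit(), keeps all the sites consistent; declaring `audit_id` unconditionally would remove the mismatch in session.h as well. Separately, both calls discard the return value and pass NULL for the hostname and address arguments even though `from` is in scope in session_remote_connected(), so with `audit=true` a connection can proceed when its record was not written, and a record that is written does not identify the peer. Consider at least reporting the failure on stderr and passing `from` once its format is confirmed to suit that argument. Both functions start outside their hunks.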
......@@ -44,6 +44,10 @@ typedef struct session_struct {
int connect_pid;
int disconnect_pid;
#if defined(HAVE_LIBAUDIT_H)
int audit_id;
#endif
GMutex *lock;
int draw_command_in_progress;
......
......@@ -42,5 +42,6 @@
#define X11SPICE_ERR_BIND 15
#define X11SPICE_ERR_LISTEN 16
#define X11SPICE_ERR_OPEN 17
#define X11SPICE_ERR_NOAUDIT 18
#endif
......@@ -68,6 +68,23 @@
#-----------------------------------------------------------------------------
#timeout=0
#-----------------------------------------------------------------------------
# audit Specify whether or not to audit events. Default false.
# Note: this requires permission to connect to the audit
# system, which on most systems is limited to the root user.
# If true, and you do not have permission, x11spice will exit.
#-----------------------------------------------------------------------------
#audit=false
#-----------------------------------------------------------------------------
# audit-message-type
# If audit is on, specifies the message type to provide.
# Refer to audit_log_user_message and 'ausearch --message'
# for more information.
# Default: 1196
#-----------------------------------------------------------------------------
#audit-message-type=1196
#-----------------------------------------------------------------------------
# minimize Starts the x11spice gui minimized. Default false.
#-----------------------------------------------------------------------------
......