From: Tobias Brunner
Date: Fri, 29 Nov 2013 16:27:23 +0000 (+0100)
Subject: stroke: Add an option to prevent log level changes via stroke socket
X-Git-Tag: 5.1.2rc1~48
X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=commitdiff_plain;h=5ab03863b0b5558cf29c2386839c379506edd779
stroke: Add an option to prevent log level changes via stroke socket
---
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 0d52892..2509a82 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -721,6 +721,9 @@ certificates even if they don't contain a CA basic constraint.
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
+.BR charon.plugins.stroke.prevent_loglevel_changes " [no]"
+If enabled log level changes via stroke socket are not allowed.
+.TP
 .BR charon.plugins.stroke.socket " [unix://@piddir@/charon.ctl]"
 Socket provided by the stroke plugin
 .TP
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index cf7ec36..8c0f2ea 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012 Tobias Brunner
+ * Copyright (C) 2011-2013 Tobias Brunner
 * Copyright (C) 2008 Martin Willi
 * Hochschule fuer Technik Rapperswil
 *
@@ -99,6 +99,11 @@ struct private_stroke_socket_t {
 * Counter values for IKE events
 */
 stroke_counter_t *counter;
+
+ /**
+ * TRUE if log level changes are not allowed
+ */
+ bool prevent_loglevel_changes;
 };
 /**
@@ -567,6 +572,12 @@ static void stroke_loglevel(private_stroke_socket_t *this,
 DBG1(DBG_CFG, "received stroke: loglevel %d for %s", msg->loglevel.level, msg->loglevel.type);
+ if (this->prevent_loglevel_changes)
+ {
+ DBG1(DBG_CFG, "prevented log level change");
+ fprintf(out, "command not allowed!\n");
+ return;
+ }
 if (strcaseeq(msg->loglevel.type, "any"))
 {
 group = DBG_ANY;
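Review bot: The guard added to stroke_loglevel() has no comment saying what it protects, and its log line does not say what was refused. The higher charon debug levels can write sensitive material to the logs, so this check is presumably there to stop anyone with access to the stroke socket from raising verbosity. I would say so above the `if`: `/* verbosity is locked by configuration: refuse before any logger is changed */`. I would also make the denial readable on its own when logs are reviewed, reusing the arguments the preceding DBG1 already prints: `DBG1(DBG_CFG, "prevented log level change to %d for %s", msg->loglevel.level, msg->loglevel.type);`. The function starts and continues outside this hunk.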
@@ -576,7 +587,7 @@ static void stroke_loglevel(private_stroke_socket_t *this,
 group = enum_from_name(debug_names, msg->loglevel.type);
 if ((int)group < 0)
 {
- fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
+ fprintf(out, "unknown type '%s'!\n", msg->loglevel.type);
 return;
 }
 }
@@ -748,6 +759,8 @@ stroke_socket_t *stroke_socket_create()
 .public = {
 .destroy = _destroy,
 },
+ .prevent_loglevel_changes = lib->settings->get_bool(lib->settings,
+ "%s.plugins.stroke.prevent_loglevel_changes", FALSE, charon->name),
 );
 this->cred = stroke_cred_create();
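Review bot: In the last hunk, `prevent_loglevel_changes` is read once in the initializer of stroke_socket_create() and cached in the private struct, but neither the code nor the new man page entry says so. A later edit to strongswan.conf therefore presumably takes effect only when the socket is created again; whether another reload path exists is not visible here. For a lock-down switch that is a reasonable property, but it should be written down, e.g. `/* read once at creation; not re-evaluated while the daemon runs */` above the initializer line. The man page text could also state that the default `no` leaves log levels changeable by any client of the stroke socket. The function continues outside this hunk.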