authorKeir Fraser <keir.fraser@citrix.com>2009-10-23 10:05:15 +0100
committerKeir Fraser <keir.fraser@citrix.com>2009-10-23 10:05:15 +0100
commit0dba100da61528c1d36844a00ba2676b4712aa67 (patch)
tree82a83ca3db2728185d0c1636d04cba3e47bf261b /tools/flask/utils
parent545a227dfc099af8b17b6842e097196192658c3e (diff)
downloadxen-0dba100da61528c1d36844a00ba2676b4712aa67.tar.gz
xen-0dba100da61528c1d36844a00ba2676b4712aa67.tar.bz2
xen-0dba100da61528c1d36844a00ba2676b4712aa67.zip
xsm: Add getenforce and setenforce functionality to tools
This patch exposes the getenforce and setenforce functionality for the Flask XSM module. Signed-off-by : Machon Gregory <mbgrego@tycho.ncsc.mil> Signed-off-by : George S. Coker, II <gscoker@alpha.ncsc.mil>
Diffstat (limited to 'tools/flask/utils')
-rw-r--r--tools/flask/utils/Makefile54
-rw-r--r--tools/flask/utils/getenforce.c66
-rw-r--r--tools/flask/utils/loadpolicy.c129
-rw-r--r--tools/flask/utils/setenforce.c73
4 files changed, 322 insertions, 0 deletions
diff --git a/tools/flask/utils/Makefile b/tools/flask/utils/Makefile
new file mode 100644
index 0000000000..0908f51443
--- /dev/null
+++ b/tools/flask/utils/Makefile
@@ -0,0 +1,54 @@
+XEN_ROOT=../../..
+include $(XEN_ROOT)/tools/Rules.mk
+XEN_LIBXC = $(XEN_ROOT)/tools/libxc
+
+LIBXC_ROOT = $(XEN_ROOT)/tools/libxc
+LIBFLASK_ROOT = $(XEN_ROOT)/tools/flask/libflask
+
+PROFILE=#-pg
+BASECFLAGS=-Wall -g -Werror
+BASECFLAGS+= $(PROFILE)
+#BASECFLAGS+= -I$(XEN_ROOT)/tools
+BASECFLAGS+= $(CFLAGS_libxenctrl)
+BASECFLAGS+= -I$(LIBFLASK_ROOT)/include
+BASECFLAGS+= -I.
+
+CFLAGS += $(BASECFLAGS)
+LDFLAGS += $(PROFILE) -L$(XEN_LIBXC) -L$(LIBFLASK_ROOT)
+TESTDIR = testsuite/tmp
+TESTFLAGS= -DTESTING
+TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)
+
+CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce
+CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
+CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))
+
+.PHONY: all
+all: $(CLIENTS)
+
+$(CLIENTS): flask-%: %.o
+ $(CC) $(CFLAGS) $(LDFLAGS) $< $(LOADLIBES) $(LDLIBS) -L. -lflask $(LDFLAGS_libxenctrl) -o $@
+
+.PHONY: clean
+clean:
+ rm -f *.o *.opic *.so
+ rm -f $(CLIENTS)
+ $(RM) $(DEPS)
+
+.PHONY: print-dir
+print-dir:
+ @echo -n tools/flask/utils:
+
+.PHONY: print-end
+print-end:
+ @echo
+
+.PHONY: install
+install: all
+ $(INSTALL_DIR) $(DESTDIR)$(SBINDIR)
+ $(INSTALL_PROG) $(CLIENTS) $(DESTDIR)$(SBINDIR)
+
+-include $(DEPS)
+
+# never delete any intermediate files.
+.SECONDARY:
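Review bot: `TESTDIR`, `TESTFLAGS`, `TESTENV`, `CLIENTS_SRCS` and `CLIENTS_OBJS` are assigned but no rule in this file uses them, and `TESTENV` sets `XENSTORED_ROOTDIR`/`XENSTORED_RUNDIR`, which looks carried over from another tool's Makefile. `XEN_LIBXC` and `LIBXC_ROOT` also hold the same path. I would drop the unused assignments, keep a single libxc variable, and add a short header comment such as `# Builds the flask-* command line clients against libflask and libxenctrl.`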
diff --git a/tools/flask/utils/getenforce.c b/tools/flask/utils/getenforce.c
new file mode 100644
index 0000000000..9960434ac8
--- /dev/null
+++ b/tools/flask/utils/getenforce.c
@@ -0,0 +1,66 @@
+/*
+ *
+ * Author: Machon Gregory, <mbgrego@tycho.ncsc.mil>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ int ret;
+ int xch = 0;
+
+ if (argCnt != 1)
+ usage(argCnt, args);
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ ret = flask_getenforce(xch);
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to get enforcing mode: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+ else
+ {
+ if(ret)
+ printf("Enforcing\n");
+ else
+ printf("Permissive\n");
+ }
+
+done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+}
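Review bot: On success `main` returns the value of `flask_getenforce()`, so the tool exits with status 1 when the mode is Enforcing, which a calling script will read as a failure. Unless that is intended and gets documented, add `ret = 0;` after the `printf` calls, since the mode is already printed. At `done:` the test `if ( xch )` is also true for the negative value that the `xch < 0` check treats as a failed `xc_interface_open()`, so `xc_interface_close()` is called with an invalid handle on the error path; `if ( xch >= 0 )` avoids that here. The same `if ( xch )` test appears at the `done:` label in setenforce.c and loadpolicy.c, where `xch` would also need to start at -1 rather than 0.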
diff --git a/tools/flask/utils/loadpolicy.c b/tools/flask/utils/loadpolicy.c
new file mode 100644
index 0000000000..bb6eeb8de5
--- /dev/null
+++ b/tools/flask/utils/loadpolicy.c
@@ -0,0 +1,129 @@
+/*
+ *
+ * Authors: Michael LeMay, <mdlemay@epoch.ncsc.mil>
+ * George Coker, <gscoker@alpha.ncsc.mil>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+#define USE_MMAP
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s <policy.file>\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ const char *polFName;
+ int polFd = 0;
+ void *polMem = NULL;
+ void *polMemCp = NULL;
+ struct stat info;
+ int ret;
+ int xch = 0;
+
+ if (argCnt != 2)
+ usage(argCnt, args);
+
+ polFName = args[1];
+ polFd = open(polFName, O_RDONLY);
+ if ( polFd < 0 )
+ {
+ fprintf(stderr, "Error occurred opening policy file '%s': %s\n",
+ polFName, strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+
+ ret = stat(polFName, &info);
+ if ( ret < 0 )
+ {
+ fprintf(stderr, "Error occurred retrieving information about"
+ "policy file '%s': %s\n", polFName, strerror(errno));
+ goto cleanup;
+ }
+
+ polMemCp = malloc(info.st_size);
+
+#ifdef USE_MMAP
+ polMem = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, polFd, 0);
+ if ( !polMem )
+ {
+ fprintf(stderr, "Error occurred mapping policy file in memory: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+
+ memcpy(polMemCp, polMem, info.st_size);
+#else
+ ret = read(polFd, polMemCp, info.st_size);
+ if ( ret < 0 )
+ {
+ fprintf(stderr, "Unable to read new Flask policy file: %s\n",
+ strerror(errno));
+ goto cleanup;
+ }
+ else
+ {
+ printf("Read %d bytes from policy file '%s'.\n", ret, polFName);
+ }
+#endif
+
+ ret = flask_load(xch, polMemCp, info.st_size);
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to load new Flask policy: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+ else
+ {
+ printf("Successfully loaded policy.\n");
+ }
+
+done:
+ if ( polMemCp )
+ free(polMemCp);
+ if ( polMem )
+ {
+ ret = munmap(polMem, info.st_size);
+ if ( ret < 0 )
+ fprintf(stderr, "Unable to unmap policy memory: %s\n", strerror(errno));
+ }
+ if ( polFd )
+ close(polFd);
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+
+cleanup:
+ goto done;
+}
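Review bot: At `done:` the line `ret = munmap(polMem, info.st_size);` overwrites the failure code, so when `flask_load()` or `xc_interface_open()` fails after a successful mapping the program still exits 0 and a caller believes the policy was loaded. The mapping check `if ( !polMem )` never fires, because `mmap` reports failure as `MAP_FAILED` rather than NULL, and the result of `malloc` is used by `memcpy` without a check. The size comes from `stat(polFName, ...)` on the path after the file is already open, so it can describe a different file than the one mapped; `fstat(polFd, ...)` ties the size to the open descriptor. The two string pieces in the stat error message also join as "aboutpolicy" because a space is missing.

```c
    ret = fstat(polFd, &info);
    /* … unchanged: ret < 0 check and error report … */

    polMemCp = malloc(info.st_size);
    if ( !polMemCp )
    {
        fprintf(stderr, "Unable to allocate policy buffer: %s\n",
                strerror(errno));
        ret = -1;
        goto cleanup;
    }

    polMem = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, polFd, 0);
    if ( polMem == MAP_FAILED )
    {
        polMem = NULL;   /* keep the munmap at done: from running on it */
        /* … unchanged: error report, ret = -1, goto cleanup … */
    }

    /* … unchanged: xc_interface_open, memcpy, flask_load … */

done:
    free(polMemCp);
    /* report an unmap failure without replacing the exit status in ret */
    if ( polMem && munmap(polMem, info.st_size) < 0 )
        fprintf(stderr, "Unable to unmap policy memory: %s\n", strerror(errno));
    /* … unchanged: close(polFd), xc_interface_close(xch), return ret … */
```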
diff --git a/tools/flask/utils/setenforce.c b/tools/flask/utils/setenforce.c
new file mode 100644
index 0000000000..91fb3594aa
--- /dev/null
+++ b/tools/flask/utils/setenforce.c
@@ -0,0 +1,73 @@
+/*
+ *
+ * Authors: Machon Gregory, <mbgrego@tycho.ncsc.mil>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s [ (Enforcing|1) | (Permissive|0) ]\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ int ret = 0;
+ int xch = 0;
+ long mode = 0;
+ char *end;
+
+ if (argCnt != 2)
+ usage(argCnt, args);
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ if( strlen(args[1]) == 1 && (args[1][0] == '0' || args[1][0] == '1')){
+ mode = strtol(args[1], &end, 10);
+ ret = flask_setenforce(xch, mode);
+ } else {
+ if( strcasecmp(args[1], "enforcing") == 0 ){
+ ret = flask_setenforce(xch, 1);
+ } else if( strcasecmp(args[1], "permissive") == 0 ){
+ ret = flask_setenforce(xch, 0);
+ } else {
+ usage(argCnt, args);
+ }
+ }
+
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to get enforcing mode: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+}
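Review bot: The failure message after `flask_setenforce()` reads "Unable to get enforcing mode", which looks copied from getenforce.c; it should be `"Unable to set enforcing mode: %s\n"` so an operator is not misled about which operation failed. The argument is validated only after `xc_interface_open()`, so a bad argument reaches `usage()` and `exit(1)` with the handle still open; checking `args[1]` before opening the interface avoids that. `strcasecmp` is declared in `<strings.h>`, which is not in the include list and may only be reaching this file indirectly.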