author | Keir Fraser <keir.fraser@citrix.com> | 2009-10-23 10:05:15 +0100 |
---|---|---|
committer | Keir Fraser <keir.fraser@citrix.com> | 2009-10-23 10:05:15 +0100 |
commit | 0dba100da61528c1d36844a00ba2676b4712aa67 (patch) | |
tree | 82a83ca3db2728185d0c1636d04cba3e47bf261b /tools/flask/utils | |
parent | 545a227dfc099af8b17b6842e097196192658c3e (diff) | |
xsm: Add getenforce and setenforce functionality to tools
This patch exposes the getenforce and setenforce functionality for the
Flask XSM module.
Signed-off-by : Machon Gregory <mbgrego@tycho.ncsc.mil>
Signed-off-by : George S. Coker, II <gscoker@alpha.ncsc.mil>
Diffstat (limited to 'tools/flask/utils')
-rw-r--r-- | tools/flask/utils/Makefile | 54 | ||||
-rw-r--r-- | tools/flask/utils/getenforce.c | 66 | ||||
-rw-r--r-- | tools/flask/utils/loadpolicy.c | 129 | ||||
-rw-r--r-- | tools/flask/utils/setenforce.c | 73 |
4 files changed, 322 insertions, 0 deletions
diff --git a/tools/flask/utils/Makefile b/tools/flask/utils/Makefile
new file mode 100644
index 0000000000..0908f51443
--- /dev/null
+++ b/tools/flask/utils/Makefile
@@ -0,0 +1,54 @@
+XEN_ROOT=../../..
+include $(XEN_ROOT)/tools/Rules.mk
+XEN_LIBXC = $(XEN_ROOT)/tools/libxc
+
+LIBXC_ROOT = $(XEN_ROOT)/tools/libxc
+LIBFLASK_ROOT = $(XEN_ROOT)/tools/flask/libflask
+
+PROFILE=#-pg
+BASECFLAGS=-Wall -g -Werror
+BASECFLAGS+= $(PROFILE)
+#BASECFLAGS+= -I$(XEN_ROOT)/tools
+BASECFLAGS+= $(CFLAGS_libxenctrl)
+BASECFLAGS+= -I$(LIBFLASK_ROOT)/include
+BASECFLAGS+= -I.
+
+CFLAGS += $(BASECFLAGS)
+LDFLAGS += $(PROFILE) -L$(XEN_LIBXC) -L$(LIBFLASK_ROOT)
+TESTDIR = testsuite/tmp
+TESTFLAGS= -DTESTING
+TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)
+
+CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce
+CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
+CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))
+
+.PHONY: all
+all: $(CLIENTS)
+
+$(CLIENTS): flask-%: %.o
+ $(CC) $(CFLAGS) $(LDFLAGS) $< $(LOADLIBES) $(LDLIBS) -L. -lflask $(LDFLAGS_libxenctrl) -o $@
+
+.PHONY: clean
+clean:
+ rm -f *.o *.opic *.so
+ rm -f $(CLIENTS)
+ $(RM) $(DEPS)
+
+.PHONY: print-dir
+print-dir:
+ @echo -n tools/flask/utils:
+
+.PHONY: print-end
+print-end:
+ @echo
+
+.PHONY: install
+install: all
+ $(INSTALL_DIR) $(DESTDIR)$(SBINDIR)
+ $(INSTALL_PROG) $(CLIENTS) $(DESTDIR)$(SBINDIR)
+
+-include $(DEPS)
+
+# never delete any intermediate files.
+.SECONDARY:
diff --git a/tools/flask/utils/getenforce.c b/tools/flask/utils/getenforce.c
new file mode 100644
index 0000000000..9960434ac8
--- /dev/null
+++ b/tools/flask/utils/getenforce.c
@@ -0,0 +1,66 @@
+/*
+ *
+ * Author: Machon Gregory, <mbgrego@tycho.ncsc.mil>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ int ret;
+ int xch = 0;
+
+ if (argCnt != 1)
+ usage(argCnt, args);
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ ret = flask_getenforce(xch);
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to get enforcing mode: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+ else
+ {
+ if(ret)
+ printf("Enforcing\n");
+ else
+ printf("Permissive\n");
+ }
+
+done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+}
diff --git a/tools/flask/utils/loadpolicy.c b/tools/flask/utils/loadpolicy.c
new file mode 100644
index 0000000000..bb6eeb8de5
--- /dev/null
+++ b/tools/flask/utils/loadpolicy.c
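Review bot: In getenforce.c, `main` returns `ret` unchanged on the success path, so the process exits with status 1 when the mode is Enforcing and 0 when Permissive; unless that is intended, a caller that treats non-zero as failure will read an enforcing system as an error. Adding `ret = 0;` after the two `printf` branches keeps the mode on stdout and reserves the exit status for failures. The `done:` guard `if ( xch )` also hands a failed handle (-1) to `xc_interface_close` and would skip a handle of 0; initialising `int xch = -1;` and testing `if ( xch >= 0 )` avoids both. The same guard appears in loadpolicy.c and setenforce.c.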
@@ -0,0 +1,129 @@
+/*
+ *
+ * Authors: Michael LeMay, <mdlemay@epoch.ncsc.mil>
+ * George Coker, <gscoker@alpha.ncsc.mil>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+#define USE_MMAP
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s <policy.file>\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ const char *polFName;
+ int polFd = 0;
+ void *polMem = NULL;
+ void *polMemCp = NULL;
+ struct stat info;
+ int ret;
+ int xch = 0;
+
+ if (argCnt != 2)
+ usage(argCnt, args);
+
+ polFName = args[1];
+ polFd = open(polFName, O_RDONLY);
+ if ( polFd < 0 )
+ {
+ fprintf(stderr, "Error occurred opening policy file '%s': %s\n",
+ polFName, strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+
+ ret = stat(polFName, &info);
+ if ( ret < 0 )
+ {
+ fprintf(stderr, "Error occurred retrieving information about"
+ "policy file '%s': %s\n", polFName, strerror(errno));
+ goto cleanup;
+ }
+
+ polMemCp = malloc(info.st_size);
+
+#ifdef USE_MMAP
+ polMem = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, polFd, 0);
+ if ( !polMem )
+ {
+ fprintf(stderr, "Error occurred mapping policy file in memory: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+
+ memcpy(polMemCp, polMem, info.st_size);
+#else
+ ret = read(polFd, polMemCp, info.st_size);
+ if ( ret < 0 )
+ {
+ fprintf(stderr, "Unable to read new Flask policy file: %s\n",
+ strerror(errno));
+ goto cleanup;
+ }
+ else
+ {
+ printf("Read %d bytes from policy file '%s'.\n", ret, polFName);
+ }
+#endif
+
+ ret = flask_load(xch, polMemCp, info.st_size);
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to load new Flask policy: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+ else
+ {
+ printf("Successfully loaded policy.\n");
+ }
+
+done:
+ if ( polMemCp )
+ free(polMemCp);
+ if ( polMem )
+ {
+ ret = munmap(polMem, info.st_size);
+ if ( ret < 0 )
+ fprintf(stderr, "Unable to unmap policy memory: %s\n", strerror(errno));
+ }
+ if ( polFd )
+ close(polFd);
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+
+cleanup:
+ goto done;
+}
diff --git a/tools/flask/utils/setenforce.c b/tools/flask/utils/setenforce.c
new file mode 100644
index 0000000000..91fb3594aa
--- /dev/null
+++ b/tools/flask/utils/setenforce.c
@@ -0,0 +1,73 @@
+/*
+ *
+ * Authors: Machon Gregory, <mbgrego@tycho.ncsc.mil>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s [ (Enforcing|1) | (Permissive|0) ]\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ int ret = 0;
+ int xch = 0;
+ long mode = 0;
+ char *end;
+
+ if (argCnt != 2)
+ usage(argCnt, args);
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ if( strlen(args[1]) == 1 && (args[1][0] == '0' || args[1][0] == '1')){
+ mode = strtol(args[1], &end, 10);
+ ret = flask_setenforce(xch, mode);
+ } else {
+ if( strcasecmp(args[1], "enforcing") == 0 ){
+ ret = flask_setenforce(xch, 1);
+ } else if( strcasecmp(args[1], "permissive") == 0 ){
+ ret = flask_setenforce(xch, 0);
+ } else {
+ usage(argCnt, args);
+ }
+ }
+
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to get enforcing mode: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+} |
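Review bot: In setenforce.c the failure branch after `flask_setenforce` prints "Unable to get enforcing mode", apparently carried over from getenforce.c; for a tool that switches the policy between enforcing and permissive, the message should name the operation that failed: `fprintf(stderr, "Unable to set enforcing mode: %s\n",`. The mode argument is also validated only after `xc_interface_open()`, so an unrecognised value reaches `usage()` and `exit(1)` with the handle still open; checking `args[1]` before opening the interface avoids that. `end` is written by `strtol` but never read, and since that branch already restricts the input to `0` or `1`, `mode = args[1][0] - '0';` is enough.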