authorKeir Fraser <keir.fraser@citrix.com>2009-10-23 10:05:15 +0100
committerKeir Fraser <keir.fraser@citrix.com>2009-10-23 10:05:15 +0100
commit0dba100da61528c1d36844a00ba2676b4712aa67 (patch)
tree82a83ca3db2728185d0c1636d04cba3e47bf261b /tools/flask
parent545a227dfc099af8b17b6842e097196192658c3e (diff)
xsm: Add getenforce and setenforce functionality to tools
This patch exposes the getenforce and setenforce functionality for the Flask XSM module. Signed-off-by : Machon Gregory <mbgrego@tycho.ncsc.mil> Signed-off-by : George S. Coker, II <gscoker@alpha.ncsc.mil>
Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/Makefile2
-rw-r--r--tools/flask/libflask/flask_op.c39
-rw-r--r--tools/flask/libflask/include/flask.h2
-rw-r--r--tools/flask/utils/Makefile (renamed from tools/flask/loadpolicy/Makefile)7
-rw-r--r--tools/flask/utils/getenforce.c66
-rw-r--r--tools/flask/utils/loadpolicy.c (renamed from tools/flask/loadpolicy/loadpolicy.c)0
-rw-r--r--tools/flask/utils/setenforce.c73
7 files changed, 183 insertions, 6 deletions
diff --git a/tools/flask/Makefile b/tools/flask/Makefile
index e78f5785db..08961cf810 100644
--- a/tools/flask/Makefile
+++ b/tools/flask/Makefile
@@ -3,7 +3,7 @@ include $(XEN_ROOT)/tools/Rules.mk
SUBDIRS :=
SUBDIRS += libflask
-SUBDIRS += loadpolicy
+SUBDIRS += utils
.PHONY: all clean install
all clean install: %: subdirs-%
diff --git a/tools/flask/libflask/flask_op.c b/tools/flask/libflask/flask_op.c
index 396c0814a8..579be20d96 100644
--- a/tools/flask/libflask/flask_op.c
+++ b/tools/flask/libflask/flask_op.c
@@ -70,3 +70,42 @@ int flask_sid_to_context(int xc_handle, int sid, char *buf, uint32_t size)
return 0;
}
+
+int flask_getenforce(int xc_handle)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+ int mode;
+
+ op.cmd = FLASK_GETENFORCE;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ sscanf(buf, "%i", &mode);
+
+ return mode;
+}
+
+int flask_setenforce(int xc_handle, int mode)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+
+ op.cmd = FLASK_SETENFORCE;
+ op.buf = buf;
+ op.size = size;
+
+ snprintf(buf, size, "%i", mode);
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
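Review bot: In flask_getenforce the return value of `sscanf(buf, "%i", &mode)` is never checked, and both `mode` and `buf` start uninitialised. If the hypervisor leaves the buffer empty or unterminated, the function returns an indeterminate value that callers then report as the enforcement state. Initialise the buffer with `char buf[20] = "";` and fail closed with `if ( sscanf(buf, "%i", &mode) != 1 ) return -EINVAL;`. A negative errno fits the way getenforce.c decodes negative returns, though this hunk does not show whether flask_op.c already includes <errno.h>. In flask_setenforce, `op.size` is the full 20 bytes while `snprintf` writes only the digit and a NUL, so the remaining stack bytes are presumably passed down uninitialised; zero-initialising `buf` there as well avoids that.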
diff --git a/tools/flask/libflask/include/flask.h b/tools/flask/libflask/include/flask.h
index 5241f7a2a0..31f6263404 100644
--- a/tools/flask/libflask/include/flask.h
+++ b/tools/flask/libflask/include/flask.h
@@ -18,5 +18,7 @@
int flask_load(int xc_handle, char *buf, uint32_t size);
int flask_context_to_sid(int xc_handle, char *buf, uint32_t size, uint32_t *sid);
int flask_sid_to_context(int xc_handle, int sid, char *buf, uint32_t size);
+int flask_getenforce(int xc_handle);
+int flask_setenforce(int xc_handle, int mode);
#endif /* __FLASK_H__ */
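Review bot: The two new prototypes carry no comment on their return contract, and flask_getenforce folds the mode and the error code into one `int`. Callers have to know that a negative value is a failure rather than a mode, otherwise an error is easily read as "enforcing". I would add above flask_getenforce `/* Returns non-zero if enforcing, 0 if permissive, negative errno value on failure. */` and above flask_setenforce `/* mode: 1 = enforcing, 0 = permissive. Returns 0 on success, negative errno value on failure. */`. This wording is inferred from how getenforce.c and setenforce.c use the calls, so it should be confirmed against the hypervisor side.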
diff --git a/tools/flask/loadpolicy/Makefile b/tools/flask/utils/Makefile
index 8b404214c2..0908f51443 100644
--- a/tools/flask/loadpolicy/Makefile
+++ b/tools/flask/utils/Makefile
@@ -19,7 +19,7 @@ TESTDIR = testsuite/tmp
TESTFLAGS= -DTESTING
TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)
-CLIENTS := flask-loadpolicy
+CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce
CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))
@@ -29,9 +29,6 @@ all: $(CLIENTS)
$(CLIENTS): flask-%: %.o
$(CC) $(CFLAGS) $(LDFLAGS) $< $(LOADLIBES) $(LDLIBS) -L. -lflask $(LDFLAGS_libxenctrl) -o $@
-$(CLIENTS_OBJS): $(CLIENTS_SRCS)
- $(COMPILE.c) -o $@ $<
-
.PHONY: clean
clean:
rm -f *.o *.opic *.so
@@ -40,7 +37,7 @@ clean:
.PHONY: print-dir
print-dir:
- @echo -n tools/flask/loadpolicy:
+ @echo -n tools/flask/utils:
.PHONY: print-end
print-end:
diff --git a/tools/flask/utils/getenforce.c b/tools/flask/utils/getenforce.c
new file mode 100644
index 0000000000..9960434ac8
--- /dev/null
+++ b/tools/flask/utils/getenforce.c
@@ -0,0 +1,66 @@
+/*
+ *
+ * Author: Machon Gregory, <mbgrego@tycho.ncsc.mil>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ int ret;
+ int xch = 0;
+
+ if (argCnt != 1)
+ usage(argCnt, args);
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ ret = flask_getenforce(xch);
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to get enforcing mode: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+ else
+ {
+ if(ret)
+ printf("Enforcing\n");
+ else
+ printf("Permissive\n");
+ }
+
+done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+}
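Review bot: On success `main` returns `ret` while it still holds the mode, so the tool exits with status 1 when the policy is enforcing and 0 when it is permissive. A script cannot tell "enforcing" from a usage error, which also exits 1, so add `ret = 0;` after the two `printf` calls and let the printed text carry the state. Separately, the `done:` label tests `if ( xch )`, which is true for the negative value left by a failed xc_interface_open() and false for a handle of 0. It should be `if ( xch >= 0 )`, and the same test appears at `done:` in setenforce.c. The `argCnt` parameter of `usage` is unused.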
diff --git a/tools/flask/loadpolicy/loadpolicy.c b/tools/flask/utils/loadpolicy.c
index bb6eeb8de5..bb6eeb8de5 100644
--- a/tools/flask/loadpolicy/loadpolicy.c
+++ b/tools/flask/utils/loadpolicy.c
diff --git a/tools/flask/utils/setenforce.c b/tools/flask/utils/setenforce.c
new file mode 100644
index 0000000000..91fb3594aa
--- /dev/null
+++ b/tools/flask/utils/setenforce.c
@@ -0,0 +1,73 @@
+/*
+ *
+ * Authors: Machon Gregory, <mbgrego@tycho.ncsc.mil>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s [ (Enforcing|1) | (Permissive|0) ]\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ int ret = 0;
+ int xch = 0;
+ long mode = 0;
+ char *end;
+
+ if (argCnt != 2)
+ usage(argCnt, args);
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ if( strlen(args[1]) == 1 && (args[1][0] == '0' || args[1][0] == '1')){
+ mode = strtol(args[1], &end, 10);
+ ret = flask_setenforce(xch, mode);
+ } else {
+ if( strcasecmp(args[1], "enforcing") == 0 ){
+ ret = flask_setenforce(xch, 1);
+ } else if( strcasecmp(args[1], "permissive") == 0 ){
+ ret = flask_setenforce(xch, 0);
+ } else {
+ usage(argCnt, args);
+ }
+ }
+
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to get enforcing mode: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+}
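Review bot: The failure branch after the flask_setenforce calls prints `"Unable to get enforcing mode: %s\n"`, apparently copied from getenforce.c. It should read `"Unable to set enforcing mode: %s\n"` so that an operator whose attempt to switch the policy mode fails sees the right diagnostic. The argument is also validated only after xc_interface_open(), so the `usage()` path exits with the handle still open. Parsing `args[1]` into `mode` before opening the interface avoids that and leaves a single flask_setenforce call. `strcasecmp` is declared in <strings.h>, which is not among the includes added here.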