authorDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-02-02 15:24:53 +0000
committerDaniel De Graaf <dgdegra@tycho.nsa.gov>2012-02-02 15:24:53 +0000
commit9e68bb1b66aafd6434bd737da77760570a5cc5c2 (patch)
treec44c9173139d95b28aac997338a124ed0522058b /tools/flask
parent4a5445e86711140d0f2c068075a461f489ff793f (diff)
flask: add flask-{get,set}-bool tools
These utilities can be used to modify policy booleans, which allow minor policy changes without reloading the security policy. This can be used to make security policy changes based on external information such as time of day, user physical presence, completion of system boot, or other relevant variables. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'tools/flask')
-rw-r--r--tools/flask/utils/Makefile8
-rw-r--r--tools/flask/utils/get-bool.c90
-rw-r--r--tools/flask/utils/set-bool.c72
3 files changed, 169 insertions, 1 deletions
diff --git a/tools/flask/utils/Makefile b/tools/flask/utils/Makefile
index 171a7283fa..3ac6ac210a 100644
--- a/tools/flask/utils/Makefile
+++ b/tools/flask/utils/Makefile
@@ -11,7 +11,7 @@ TESTDIR = testsuite/tmp
TESTFLAGS= -DTESTING
TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)
-CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce flask-label-pci
+CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce flask-label-pci flask-get-bool flask-set-bool
CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))
@@ -30,6 +30,12 @@ flask-getenforce: getenforce.o
flask-label-pci: label-pci.o
$(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask $(LDLIBS_libxenctrl) -o $@
+flask-get-bool: get-bool.o
+ $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask $(LDLIBS_libxenctrl) -o $@
+
+flask-set-bool: set-bool.o
+ $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask $(LDLIBS_libxenctrl) -o $@
+
.PHONY: clean
clean:
rm -f *.o *.opic *.so
diff --git a/tools/flask/utils/get-bool.c b/tools/flask/utils/get-bool.c
new file mode 100644
index 0000000000..c0cd7c870e
--- /dev/null
+++ b/tools/flask/utils/get-bool.c
@@ -0,0 +1,90 @@
+/*
+ * Author: Daniel De Graaf <dgdegra@tycho.nsa.gov>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <inttypes.h>
+#include <libflask.h>
+
+static void usage(char **argv)
+{
+ fprintf(stderr, "Usage: %s {name|-a}\n", argv[0]);
+ exit(1);
+}
+
+static int all_bools(xc_interface *xch)
+{
+ int err = 0, i = 0, curr, pend;
+ char name[256];
+ while (1) {
+ err = flask_getbool_byid(xch, i, name, &curr, &pend);
+ if (err < 0) {
+ if (errno == ENOENT)
+ return 0;
+ fprintf(stderr, "flask_getbool: Unable to get boolean #%d: %s (%d)",
+ i, strerror(errno), err);
+ return 2;
+ }
+ if (curr == pend)
+ printf("%s: %d\n", name, curr);
+ else
+ printf("%s: %d (pending %d)\n", name, curr, pend);
+ i++;
+ }
+}
+
+int main(int argc, char **argv)
+{
+ int err = 0;
+ xc_interface *xch;
+ int curr, pend;
+
+ if (argc != 2)
+ usage(argv);
+
+ xch = xc_interface_open(0,0,0);
+ if ( !xch )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ err = 1;
+ goto done;
+ }
+
+ if (!strcmp(argv[1], "-a"))
+ {
+ err = all_bools(xch);
+ goto done;
+ }
+
+ err = flask_getbool_byname(xch, argv[1], &curr, &pend);
+ if (err) {
+ fprintf(stderr, "flask_getbool: Unable to get boolean %s: %s (%d)",
+ argv[1], strerror(errno), err);
+ err = 2;
+ goto done;
+ }
+
+ if (curr == pend)
+ printf("%s: %d\n", argv[1], curr);
+ else
+ printf("%s: %d (pending %d)\n", argv[1], curr, pend);
+
+ done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return err;
+}
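Review bot: In `all_bools`, the call `flask_getbool_byid(xch, i, name, &curr, &pend)` passes the 256-byte stack buffer `name` without its length, so nothing visible in this file bounds how many bytes the library writes into it. Whether a longer boolean name can overrun the buffer depends on libflask, which is not shown here. The safer shape is for the call to carry the size, e.g. `flask_getbool_byid(xch, i, name, sizeof name, &curr, &pend)`, with the library changed to truncate or fail on longer names. Separately, both `flask_getbool:` messages here and the `flask_setbool:` message in set-bool.c lack a trailing `\n`. `all_bools` also tests `err < 0` while `main` tests `if (err)`, so one convention should be chosen.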
diff --git a/tools/flask/utils/set-bool.c b/tools/flask/utils/set-bool.c
new file mode 100644
index 0000000000..cde25cdcd6
--- /dev/null
+++ b/tools/flask/utils/set-bool.c
@@ -0,0 +1,72 @@
+/*
+ * Author: Daniel De Graaf <dgdegra@tycho.nsa.gov>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <inttypes.h>
+#include <libflask.h>
+
+static void usage(char **argv)
+{
+ fprintf(stderr, "Usage: %s name value\n", argv[0]);
+ exit(1);
+}
+
+static int str2bool(const char *str)
+{
+ if (str[0] == '0' || str[0] == '1')
+ return (str[0] == '1');
+ if (!strcasecmp(str, "enabled") || !strcasecmp(str, "on") || !strcasecmp(str, "y"))
+ return 1;
+ if (!strcasecmp(str, "disabled") || !strcasecmp(str, "off") || !strcasecmp(str, "n"))
+ return 0;
+ fprintf(stderr, "Unknown value %s\n", str);
+ exit(1);
+}
+
+int main(int argc, char **argv)
+{
+ int err = 0;
+ xc_interface *xch;
+ int value;
+
+ if (argc != 3)
+ usage(argv);
+
+ value = str2bool(argv[2]);
+
+ xch = xc_interface_open(0,0,0);
+ if ( !xch )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ err = 1;
+ goto done;
+ }
+
+ err = flask_setbool(xch, argv[1], value, 1);
+ if (err) {
+ fprintf(stderr, "flask_setbool: Unable to set boolean %s=%s: %s (%d)",
+ argv[1], argv[2], strerror(errno), err);
+ err = 2;
+ goto done;
+ }
+
+ done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return err;
+}
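Review bot: `str2bool` decides on the first character alone, so any argument beginning with `0` or `1` is accepted: `10`, `1x` or a mistyped `0n` (meant as `on`) is silently taken as a valid value instead of being rejected. For a tool that flips security-policy booleans, a typo should fail rather than apply the opposite setting, so the whole string should have to match: `if ((str[0] == '0' || str[0] == '1') && str[1] == '\0')`. `strcasecmp` is declared by POSIX in `<strings.h>`, which is not among the includes; add `#include <strings.h>` rather than relying on `<string.h>` to expose it. The literal `1` passed as the last argument of `flask_setbool` deserves a short comment saying what it selects (presumably an immediate commit; its meaning is not visible in this file).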