diff options
author | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-02-02 15:24:53 +0000 |
---|---|---|
committer | Daniel De Graaf <dgdegra@tycho.nsa.gov> | 2012-02-02 15:24:53 +0000 |
commit | 9e68bb1b66aafd6434bd737da77760570a5cc5c2 (patch) | |
tree | c44c9173139d95b28aac997338a124ed0522058b /tools/flask | |
parent | 4a5445e86711140d0f2c068075a461f489ff793f (diff) | |
download | xen-9e68bb1b66aafd6434bd737da77760570a5cc5c2.tar.gz xen-9e68bb1b66aafd6434bd737da77760570a5cc5c2.tar.bz2 xen-9e68bb1b66aafd6434bd737da77760570a5cc5c2.zip |
flask: add flask-{get,set}-bool tools
These utilities can be used to modify policy booleans, which allow
minor policy changes without reloading the security policy. This can
be used to make security policy change based on external information
such as time of day, user physical presence, completion of system
boot, or other relevant variables.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Committed-by: Keir Fraser <keir@xen.org>
Diffstat (limited to 'tools/flask')
-rw-r--r-- | tools/flask/utils/Makefile | 8 | ||||
-rw-r--r-- | tools/flask/utils/get-bool.c | 90 | ||||
-rw-r--r-- | tools/flask/utils/set-bool.c | 72 |
3 files changed, 169 insertions, 1 deletions
diff --git a/tools/flask/utils/Makefile b/tools/flask/utils/Makefile index 171a7283fa..3ac6ac210a 100644 --- a/tools/flask/utils/Makefile +++ b/tools/flask/utils/Makefile @@ -11,7 +11,7 @@ TESTDIR = testsuite/tmp TESTFLAGS= -DTESTING TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR) -CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce flask-label-pci +CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce flask-label-pci flask-get-bool flask-set-bool CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS)) CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS)) @@ -30,6 +30,12 @@ flask-getenforce: getenforce.o flask-label-pci: label-pci.o $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask $(LDLIBS_libxenctrl) -o $@ +flask-get-bool: get-bool.o + $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask $(LDLIBS_libxenctrl) -o $@ + +flask-set-bool: set-bool.o + $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask $(LDLIBS_libxenctrl) -o $@ + .PHONY: clean clean: rm -f *.o *.opic *.so diff --git a/tools/flask/utils/get-bool.c b/tools/flask/utils/get-bool.c new file mode 100644 index 0000000000..c0cd7c870e --- /dev/null +++ b/tools/flask/utils/get-bool.c @@ -0,0 +1,90 @@ +/* + * Author: Daniel De Graaf <dgdegra@tycho.nsa.gov> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ + +#include <stdlib.h> +#include <errno.h> +#include <stdio.h> +#include <xenctrl.h> +#include <fcntl.h> +#include <sys/mman.h> +#include <sys/stat.h> +#include <string.h> +#include <unistd.h> +#include <inttypes.h> +#include <libflask.h> + +static void usage(char **argv) +{ + fprintf(stderr, "Usage: %s {name|-a}\n", argv[0]); + exit(1); +} + +static int all_bools(xc_interface *xch) +{ + int err = 0, i = 0, curr, pend; + char name[256]; + while (1) { + err = flask_getbool_byid(xch, i, name, &curr, &pend); + if (err < 0) { + if (errno == ENOENT) + return 0; + fprintf(stderr, "flask_getbool: Unable to get boolean #%d: %s (%d)", + i, strerror(errno), err); + return 2; + } + if (curr == pend) + printf("%s: %d\n", name, curr); + else + printf("%s: %d (pending %d)\n", name, curr, pend); + i++; + } +} + +int main(int argc, char **argv) +{ + int err = 0; + xc_interface *xch; + int curr, pend; + + if (argc != 2) + usage(argv); + + xch = xc_interface_open(0,0,0); + if ( !xch ) + { + fprintf(stderr, "Unable to create interface to xenctrl: %s\n", + strerror(errno)); + err = 1; + goto done; + } + + if (!strcmp(argv[1], "-a")) + { + err = all_bools(xch); + goto done; + } + + err = flask_getbool_byname(xch, argv[1], &curr, &pend); + if (err) { + fprintf(stderr, "flask_getbool: Unable to get boolean %s: %s (%d)", + argv[1], strerror(errno), err); + err = 2; + goto done; + } + + if (curr == pend) + printf("%s: %d\n", argv[1], curr); + else + printf("%s: %d (pending %d)\n", argv[1], curr, pend); + + done: + if ( xch ) + xc_interface_close(xch); + + return err; +} diff --git a/tools/flask/utils/set-bool.c b/tools/flask/utils/set-bool.c new file mode 100644 index 0000000000..cde25cdcd6 --- /dev/null +++ b/tools/flask/utils/set-bool.c @@ -0,0 +1,72 @@ +/* + * Author: Daniel De Graaf <dgdegra@tycho.nsa.gov> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ + +#include <stdlib.h> +#include <errno.h> +#include <stdio.h> +#include <xenctrl.h> +#include <fcntl.h> +#include <sys/mman.h> +#include <sys/stat.h> +#include <string.h> +#include <unistd.h> +#include <inttypes.h> +#include <libflask.h> + +static void usage(char **argv) +{ + fprintf(stderr, "Usage: %s name value\n", argv[0]); + exit(1); +} + +static int str2bool(const char *str) +{ + if (str[0] == '0' || str[0] == '1') + return (str[0] == '1'); + if (!strcasecmp(str, "enabled") || !strcasecmp(str, "on") || !strcasecmp(str, "y")) + return 1; + if (!strcasecmp(str, "disabled") || !strcasecmp(str, "off") || !strcasecmp(str, "n")) + return 0; + fprintf(stderr, "Unknown value %s\n", str); + exit(1); +} + +int main(int argc, char **argv) +{ + int err = 0; + xc_interface *xch; + int value; + + if (argc != 3) + usage(argv); + + value = str2bool(argv[2]); + + xch = xc_interface_open(0,0,0); + if ( !xch ) + { + fprintf(stderr, "Unable to create interface to xenctrl: %s\n", + strerror(errno)); + err = 1; + goto done; + } + + err = flask_setbool(xch, argv[1], value, 1); + if (err) { + fprintf(stderr, "flask_setbool: Unable to set boolean %s=%s: %s (%d)", + argv[1], argv[2], strerror(errno), err); + err = 2; + goto done; + } + + done: + if ( xch ) + xc_interface_close(xch); + + return err; +} |