Diffstat (limited to 'tools')
-rw-r--r--tools/flask/Makefile2
-rw-r--r--tools/flask/libflask/flask_op.c39
-rw-r--r--tools/flask/libflask/include/flask.h2
-rw-r--r--tools/flask/utils/Makefile (renamed from tools/flask/loadpolicy/Makefile)7
-rw-r--r--tools/flask/utils/getenforce.c66
-rw-r--r--tools/flask/utils/loadpolicy.c (renamed from tools/flask/loadpolicy/loadpolicy.c)0
-rw-r--r--tools/flask/utils/setenforce.c73
-rw-r--r--tools/python/xen/lowlevel/flask/flask.c66
-rw-r--r--tools/python/xen/util/xsm/flask/flask.py11
-rw-r--r--tools/python/xen/xend/XendXSPolicy.py12
-rw-r--r--tools/python/xen/xm/getenforce.py66
-rw-r--r--tools/python/xen/xm/main.py23
-rw-r--r--tools/python/xen/xm/setenforce.py74
13 files changed, 427 insertions, 14 deletions
diff --git a/tools/flask/Makefile b/tools/flask/Makefile
index e78f5785db..08961cf810 100644
--- a/tools/flask/Makefile
+++ b/tools/flask/Makefile
@@ -3,7 +3,7 @@ include $(XEN_ROOT)/tools/Rules.mk
SUBDIRS :=
SUBDIRS += libflask
-SUBDIRS += loadpolicy
+SUBDIRS += utils
.PHONY: all clean install
all clean install: %: subdirs-%
diff --git a/tools/flask/libflask/flask_op.c b/tools/flask/libflask/flask_op.c
index 396c0814a8..579be20d96 100644
--- a/tools/flask/libflask/flask_op.c
+++ b/tools/flask/libflask/flask_op.c
@@ -70,3 +70,42 @@ int flask_sid_to_context(int xc_handle, int sid, char *buf, uint32_t size)
return 0;
}
+
+int flask_getenforce(int xc_handle)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+ int mode;
+
+ op.cmd = FLASK_GETENFORCE;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ sscanf(buf, "%i", &mode);
+
+ return mode;
+}
+
+int flask_setenforce(int xc_handle, int mode)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+
+ op.cmd = FLASK_SETENFORCE;
+ op.buf = buf;
+ op.size = size;
+
+ snprintf(buf, size, "%i", mode);
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
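Review bot: flask_getenforce leaves `mode` uninitialized and ignores the result of `sscanf(buf, "%i", &mode)`, so an empty or non-numeric reply buffer makes the function return an indeterminate value that callers then treat either as the mode or, if negative, as an errno. Initialize it and check the conversion count, e.g. `int mode = 0;` and `if ( sscanf(buf, "%i", &mode) != 1 ) return -EINVAL;` (the file's includes are outside the hunk, so confirm `<errno.h>` is available; the negative value matches how getenforce.c and flask.c in this series turn the result into errno). Whether `xc_flask_op` guarantees `buf` is NUL-terminated within `size` is not visible here; if it does not, `buf[size - 1] = '\0';` before parsing is cheap insurance against sscanf reading past the 20-byte buffer. In flask_setenforce the `err` local only exists to pass the return through and could be dropped, but that is cosmetic.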
diff --git a/tools/flask/libflask/include/flask.h b/tools/flask/libflask/include/flask.h
index 5241f7a2a0..31f6263404 100644
--- a/tools/flask/libflask/include/flask.h
+++ b/tools/flask/libflask/include/flask.h
@@ -18,5 +18,7 @@
int flask_load(int xc_handle, char *buf, uint32_t size);
int flask_context_to_sid(int xc_handle, char *buf, uint32_t size, uint32_t *sid);
int flask_sid_to_context(int xc_handle, int sid, char *buf, uint32_t size);
+int flask_getenforce(int xc_handle);
+int flask_setenforce(int xc_handle, int mode);
#endif /* __FLASK_H__ */
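Review bot: The two new prototypes document neither the return convention nor the meaning of `mode`, and flask_getenforce overloads its return: a non-negative value is the mode (0 permissive, 1 enforcing, as the callers in this series interpret it) while a negative value is an error code that those callers convert with `errno = -ret`. A one-line comment above each declaration would spare the next caller from reading flask_op.c, e.g. `/* Returns the current mode (0 permissive, 1 enforcing) or a negative error code. */` and `/* mode: 0 permissive, 1 enforcing; returns 0 or a negative error code. */`.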
diff --git a/tools/flask/loadpolicy/Makefile b/tools/flask/utils/Makefile
index 8b404214c2..0908f51443 100644
--- a/tools/flask/loadpolicy/Makefile
+++ b/tools/flask/utils/Makefile
@@ -19,7 +19,7 @@ TESTDIR = testsuite/tmp
TESTFLAGS= -DTESTING
TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)
-CLIENTS := flask-loadpolicy
+CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce
CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))
@@ -29,9 +29,6 @@ all: $(CLIENTS)
$(CLIENTS): flask-%: %.o
$(CC) $(CFLAGS) $(LDFLAGS) $< $(LOADLIBES) $(LDLIBS) -L. -lflask $(LDFLAGS_libxenctrl) -o $@
-$(CLIENTS_OBJS): $(CLIENTS_SRCS)
- $(COMPILE.c) -o $@ $<
-
.PHONY: clean
clean:
rm -f *.o *.opic *.so
@@ -40,7 +37,7 @@ clean:
.PHONY: print-dir
print-dir:
- @echo -n tools/flask/loadpolicy:
+ @echo -n tools/flask/utils:
.PHONY: print-end
print-end:
diff --git a/tools/flask/utils/getenforce.c b/tools/flask/utils/getenforce.c
new file mode 100644
index 0000000000..9960434ac8
--- /dev/null
+++ b/tools/flask/utils/getenforce.c
@@ -0,0 +1,66 @@
+/*
+ *
+ * Author: Machon Gregory, <mbgrego@tycho.ncsc.mil>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ int ret;
+ int xch = 0;
+
+ if (argCnt != 1)
+ usage(argCnt, args);
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ ret = flask_getenforce(xch);
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to get enforcing mode: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+ else
+ {
+ if(ret)
+ printf("Enforcing\n");
+ else
+ printf("Permissive\n");
+ }
+
+done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+}
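Review bot: main returns the enforcing mode as the process exit status: on success `ret` keeps the value returned by flask_getenforce, so a host in Enforcing mode makes `flask-getenforce` exit with 1, which scripts will read as failure (the error path also returns -1, i.e. status 255). Set `ret = 0;` after the printf branches so stdout carries the mode and the exit status carries success, and consider `ret = 1;` instead of -1 on the error paths. The handle bookkeeping is also off: `xch` starts at 0 and cleanup tests `if ( xch )`, so a failed xc_interface_open (negative handle) still reaches xc_interface_close, while a legitimately returned handle of 0 would be leaked; initialize with `int xch = -1;` and close under `if ( xch >= 0 )`. The same `xch` pattern appears in setenforce.c below.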
diff --git a/tools/flask/loadpolicy/loadpolicy.c b/tools/flask/utils/loadpolicy.c
index bb6eeb8de5..bb6eeb8de5 100644
--- a/tools/flask/loadpolicy/loadpolicy.c
+++ b/tools/flask/utils/loadpolicy.c
diff --git a/tools/flask/utils/setenforce.c b/tools/flask/utils/setenforce.c
new file mode 100644
index 0000000000..91fb3594aa
--- /dev/null
+++ b/tools/flask/utils/setenforce.c
@@ -0,0 +1,73 @@
+/*
+ *
+ * Authors: Machon Gregory, <mbgrego@tycho.ncsc.mil>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s [ (Enforcing|1) | (Permissive|0) ]\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ int ret = 0;
+ int xch = 0;
+ long mode = 0;
+ char *end;
+
+ if (argCnt != 2)
+ usage(argCnt, args);
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ if( strlen(args[1]) == 1 && (args[1][0] == '0' || args[1][0] == '1')){
+ mode = strtol(args[1], &end, 10);
+ ret = flask_setenforce(xch, mode);
+ } else {
+ if( strcasecmp(args[1], "enforcing") == 0 ){
+ ret = flask_setenforce(xch, 1);
+ } else if( strcasecmp(args[1], "permissive") == 0 ){
+ ret = flask_setenforce(xch, 0);
+ } else {
+ usage(argCnt, args);
+ }
+ }
+
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to get enforcing mode: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+}
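Review bot: The error message on the failure check is copied from the getenforce tool and reads `"Unable to get enforcing mode: %s\n"` although this path reports a failed flask_setenforce; change it to `"Unable to set enforcing mode: %s\n"`. `strcasecmp` is declared in `<strings.h>`, which is not among the includes, so the build currently relies on `<string.h>` pulling it in on this platform; include it explicitly. `mode` is a `long` narrowed to `int` at the flask_setenforce call, harmless here because the branch only admits "0" or "1", but that also means `strtol` and `end` add nothing over `args[1][0] - '0'`. The `xch = 0` / `if ( xch )` handle bookkeeping has the same problem noted on getenforce.c.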
diff --git a/tools/python/xen/lowlevel/flask/flask.c b/tools/python/xen/lowlevel/flask/flask.c
index 02ad04d422..bb42b5ce8f 100644
--- a/tools/python/xen/lowlevel/flask/flask.c
+++ b/tools/python/xen/lowlevel/flask/flask.c
@@ -136,6 +136,60 @@ static PyObject *pyflask_load(PyObject *self, PyObject *args, PyObject *kwds)
return Py_BuildValue("i", ret);
}
+static PyObject *pyflask_getenforce(PyObject *self)
+{
+ int xc_handle;
+ int ret;
+
+ xc_handle = xc_interface_open();
+ if (xc_handle < 0) {
+ errno = xc_handle;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = flask_getenforce(xc_handle);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret < 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
+
+static PyObject *pyflask_setenforce(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ int xc_handle;
+ int mode;
+ int ret;
+
+ static char *kwd_list[] = { "mode", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "i", kwd_list,
+ &mode) )
+ return NULL;
+
+ xc_handle = xc_interface_open();
+ if (xc_handle < 0) {
+ errno = xc_handle;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = flask_setenforce(xc_handle, mode);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
+
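Review bot: Both new wrappers execute `errno = xc_handle;` when xc_interface_open fails, which stores a negative handle into errno so `PyErr_SetFromErrno` produces a nonsense message, and it also clobbers whatever errno the failed open left behind. If xc_interface_open sets errno on failure, as the `strerror(errno)` calls in the new getenforce.c and setenforce.c tools assume, the assignment should simply be removed in both pyflask_getenforce and pyflask_setenforce; if the existing wrappers earlier in this file (outside the hunk) follow the same pattern they deserve the same fix. pyflask_getenforce is declared with a single `PyObject *self` parameter but registered as METH_NOARGS, which invokes it with two arguments; it works only through the `(PyCFunction)` cast, and `static PyObject *pyflask_getenforce(PyObject *self, PyObject *unused)` would match the documented calling convention.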
static PyMethodDef pyflask_methods[] = {
{ "flask_context_to_sid",
(PyCFunction)pyflask_context_to_sid,
@@ -158,6 +212,18 @@ static PyMethodDef pyflask_methods[] = {
" policy [str]: policy to be load\n"
"Returns: [int]: 0 on success; -1 on failure.\n" },
+ { "flask_getenforce",
+ (PyCFunction)pyflask_getenforce,
+ METH_NOARGS, "\n"
+ "Returns the current mode of the Flask XSM module.\n"
+ "Returns: [int]: 0 for permissive; 1 for enforcing; -1 on failure.\n" },
+
+ { "flask_setenforce",
+ (PyCFunction)pyflask_setenforce,
+ METH_KEYWORDS, "\n"
+ "Modifies the current mode for the Flask XSM module.\n"
+ " mode [int]: mode to change to\n"
+ "Returns: [int]: 0 on success; -1 on failure.\n" },
{ NULL, NULL, 0, NULL }
};
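Review bot: The docstring for flask_getenforce promises `-1 on failure` and flask_setenforce's says `0 on success; -1 on failure`, but both wrappers raise the `xc_error_obj` exception via PyErr_SetFromErrno on failure and never return -1, so a Python caller that tests the return value as documented will never see the error path. Reword to `"Returns: [int]: 0 for permissive; 1 for enforcing. Raises xc_error on failure.\n"` and `"Returns: [int]: 0 on success. Raises xc_error on failure.\n"` respectively.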
diff --git a/tools/python/xen/util/xsm/flask/flask.py b/tools/python/xen/util/xsm/flask/flask.py
index 906b537d77..83d662d98a 100644
--- a/tools/python/xen/util/xsm/flask/flask.py
+++ b/tools/python/xen/util/xsm/flask/flask.py
@@ -7,10 +7,11 @@ from xen.xend import sxp
#Functions exported through XML-RPC
xmlrpc_exports = [
'on',
- 'set_policy'
+ 'set_policy',
+ 'getenforce',
+ 'setenforce'
]
-
def err(msg):
"""Raise XSM-Flask exception.
"""
@@ -56,3 +57,9 @@ def get_security_label(self, xspol=None):
def set_policy(xs_type, policy_b64, flags=None, overwrite=None):
policy = base64.b64decode(policy_b64);
return flask.flask_load(policy), ""
+
+def getenforce():
+ return flask.flask_getenforce()
+
+def setenforce(mode):
+ return flask.flask_setenforce(mode)
diff --git a/tools/python/xen/xend/XendXSPolicy.py b/tools/python/xen/xend/XendXSPolicy.py
index 5fb1635faf..dd508d9b9e 100644
--- a/tools/python/xen/xend/XendXSPolicy.py
+++ b/tools/python/xen/xend/XendXSPolicy.py
@@ -49,7 +49,9 @@ class XendXSPolicy(XendBase):
'get_resource_label',
'set_resource_label',
'get_labeled_resources',
- 'can_run' ]
+ 'can_run',
+ 'getenforce',
+ 'setenforce']
return XendBase.getFuncs() + funcs
getClass = classmethod(getClass)
@@ -205,6 +207,12 @@ class XendXSPolicy(XendBase):
raise SecurityError(irc)
return security.check_can_run(sec_label)
+ def getenforce(self):
+ return security.getenforce()
+
+ def setenforce(self, mode):
+ return security.setenforce(mode)
+
get_xstype = classmethod(get_xstype)
get_xspolicy = classmethod(get_xspolicy)
set_xspolicy = classmethod(set_xspolicy)
@@ -214,6 +222,8 @@ class XendXSPolicy(XendBase):
get_resource_label = classmethod(get_resource_label)
get_labeled_resources = classmethod(get_labeled_resources)
can_run = classmethod(can_run)
+ getenforce = classmethod(getenforce)
+ setenforce = classmethod(setenforce)
class XendACMPolicy(XendXSPolicy):
diff --git a/tools/python/xen/xm/getenforce.py b/tools/python/xen/xm/getenforce.py
new file mode 100644
index 0000000000..526be82e7f
--- /dev/null
+++ b/tools/python/xen/xm/getenforce.py
@@ -0,0 +1,66 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#============================================================================
+# Author: Machon Gregory <mbgrego@tycho.ncsc.mil>
+#============================================================================
+
+"""Get the current mode of the Flask XSM module.
+"""
+
+from xen.xm.opts import OptionError
+from xen.xm import main as xm_main
+from xen.xm.main import server
+from xen.util import xsconstants
+
+def help():
+ return """
+ Usage: xm getenforce
+
+ Returns the current mode (Permissive, Enforcing) of the
+ Flask XSM module."""
+
+def getenforce():
+ if xm_main.serverType == xm_main.SERVER_XEN_API:
+ if xsconstants.XS_POLICY_FLASK != \
+ int(server.xenapi.XSPolicy.get_xstype()):
+ raise OptionError("Unsupported policy type")
+ mode = int(server.xenapi.XSPolicy.getenforce())
+ else:
+ if server.xend.security.on() != xsconstants.XS_POLICY_FLASK:
+ raise OptionError("Unsupported policy type")
+ mode = server.xend.security.getenforce()
+
+ if mode == 0:
+ print "Permissive"
+ elif mode == 1:
+ print "Enforcing"
+
+def main(argv):
+ if "-?" in argv:
+ help()
+ return
+
+ if len(argv) != 1:
+ raise OptionError("No arguments expected.")
+
+ getenforce()
+
+if __name__ == '__main__':
+ try:
+ main(sys.argv)
+ except Exception, e:
+ sys.stderr.write('Error: %s\n' % str(e))
+ sys.exit(-1)
+
+
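Review bot: The `__main__` block uses `sys.argv`, `sys.stderr` and `sys.exit` but the module never imports `sys`, so running the file directly fails with a NameError before the intended error message is written; add `import sys` beside the other imports. In main the `-?` branch calls `help()` and discards the returned string, so `xm getenforce -?` prints nothing; it should be `print help()`. getenforce() also prints nothing when the server returns a value other than 0 or 1, which silently hides an unexpected reply; an `else: raise OptionError("Unexpected mode %s" % mode)` branch would surface it.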
diff --git a/tools/python/xen/xm/main.py b/tools/python/xen/xm/main.py
index 94236a6ab7..e570f8eebe 100644
--- a/tools/python/xen/xm/main.py
+++ b/tools/python/xen/xm/main.py
@@ -225,8 +225,7 @@ SUBCOMMAND_HELP = {
# security
- 'addlabel' : ('<label> {dom <ConfigFile>|res <resource>|mgt <managed domain>}\n'
- ' [<policy>]',
+ 'addlabel' : ('<label> {dom <ConfigFile>|res <resource>|mgt <managed domain>} [<policy>]',
'Add security label to domain.'),
'rmlabel' : ('{dom <ConfigFile>|res <Resource>|mgt<managed domain>}',
'Remove a security label from domain.'),
@@ -244,6 +243,9 @@ SUBCOMMAND_HELP = {
'labels' : ('[policy] [type=dom|res|any]',
'List <type> labels for (active) policy.'),
'serve' : ('', 'Proxy Xend XMLRPC over stdio.'),
+ 'getenforce' : ('', 'Returns the current enforcing mode for the Flask XSM module (Enforcing,Permissive)'),
+ 'setenforce' : ('[ (Enforcing|1) | (Permissive|0) ]',
+ 'Modifies the current enforcing mode for the Flask XSM module'),
}
SUBCOMMAND_OPTIONS = {
@@ -435,6 +437,10 @@ vnet_commands = [
"vnet-delete",
]
+security_commands = [
+ "setpolicy",
+ ]
+
acm_commands = [
"labels",
"addlabel",
@@ -443,11 +449,15 @@ acm_commands = [
"dry-run",
"resources",
"dumppolicy",
- "setpolicy",
"resetpolicy",
"getpolicy",
]
+flask_commands = [
+ "getenforce",
+ "setenforce",
+ ]
+
tmem_commands = [
"tmem-list",
"tmem-thaw",
@@ -458,8 +468,9 @@ tmem_commands = [
]
all_commands = (domain_commands + host_commands + scheduler_commands +
- device_commands + vnet_commands + acm_commands +
- tmem_commands + ['shell', 'event-monitor'])
+ device_commands + vnet_commands + security_commands +
+ acm_commands + flask_commands + tmem_commands +
+ ['shell', 'event-monitor'])
##
@@ -3347,6 +3358,8 @@ IMPORTED_COMMANDS = [
'getpolicy',
'setpolicy',
'resetpolicy',
+ 'getenforce',
+ 'setenforce',
]
for c in IMPORTED_COMMANDS:
diff --git a/tools/python/xen/xm/setenforce.py b/tools/python/xen/xm/setenforce.py
new file mode 100644
index 0000000000..38f245d6ad
--- /dev/null
+++ b/tools/python/xen/xm/setenforce.py
@@ -0,0 +1,74 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#============================================================================
+# Author: Machon Gregory <mbgrego@tycho.ncsc.mil>
+#============================================================================
+
+"""Modify the current mode of the Flask XSM module.
+"""
+
+from xen.xm.opts import OptionError
+from xen.xm import main as xm_main
+from xen.xm.main import server
+from xen.util import xsconstants
+
+def help():
+ return """
+ Usage: xm setenforce [ Enforcing | Permissive | 1 | 0 ]
+
+ Modifies the current mode of the Flask XSM module to be permissive or
+ enforcing. Using Enforcing or 1 will put the Flask module in enforcing
+ mode. Using Permissive or 0 will put the Flask module in permissive
+ mode."""
+
+def setenforce(mode):
+ if len(mode) == 1 and ( mode == "0" or mode == "1" ):
+ val = int(mode)
+ elif mode.lower() == "enforcing":
+ val = 1
+ elif mode.lower() == "permissive":
+ val = 0
+ else:
+ raise OptionError("%s is an unsupported mode" % mode)
+
+ if xm_main.serverType == xm_main.SERVER_XEN_API:
+ if xsconstants.XS_POLICY_FLASK != \
+ int(server.xenapi.XSPolicy.get_xstype()):
+ raise OptionError("Unsupported policy type")
+ ret = server.xenapi.XSPolicy.setenforce(val)
+ else:
+ if server.xend.security.on() != xsconstants.XS_POLICY_FLASK:
+ raise OptionError("Unsupported policy type")
+ ret = server.xend.security.setenforce(val)
+
+def main(argv):
+ if len(argv) != 2:
+ raise OptionError("Invalid arguments")
+
+ if "-?" in argv:
+ help()
+ return
+
+ mode = argv[1];
+
+ setenforce(mode)
+
+if __name__ == '__main__':
+ try:
+ main(sys.argv)
+ except Exception, e:
+ sys.stderr.write('Error: %s\n' % str(e))
+ sys.exit(-1)
+
+
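Review bot: Same missing `import sys` as in getenforce.py: the `__main__` block references `sys` without importing it. In setenforce() the result is assigned to `ret` on both branches and then dropped, so a non-zero return from the setenforce call is never reported; either `return ret` to main and check it there, or drop the variable. In main the `help()` result is again discarded rather than printed, and `mode = argv[1];` carries a stray semicolon.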