diff -r 9dd91e9691a2 tools/libxl/libxl.c
--- a/tools/libxl/libxl.c Sat Apr 02 15:58:54 2011 +0100
+++ b/tools/libxl/libxl.c Mon Apr 04 09:19:49 2011 -0400
@@ -333,6 +333,7 @@
 {
 memcpy(&(xlinfo->uuid), xcinfo->handle, sizeof(xen_domain_handle_t));
 xlinfo->domid = xcinfo->domain;
+ xlinfo->ssidref = xcinfo->ssidref;
 xlinfo->dying = !!(xcinfo->flags&XEN_DOMINF_dying);
 xlinfo->shutdown = !!(xcinfo->flags&XEN_DOMINF_shutdown);
diff -r 9dd91e9691a2 tools/libxl/libxl.idl
--- a/tools/libxl/libxl.idl Sat Apr 02 15:58:54 2011 +0100
+++ b/tools/libxl/libxl.idl Mon Apr 04 09:19:49 2011 -0400
@@ -28,6 +28,7 @@
 libxl_dominfo = Struct("dominfo",[
 ("uuid", libxl_uuid),
 ("domid", domid),
+ ("ssidref", uint32),
 ("running", BitField(uint8, 1)),
 ("blocked", BitField(uint8, 1)),
 ("paused", BitField(uint8, 1)),
@@ -77,7 +78,7 @@
 ("hvm", bool),
 ("hap", bool),
 ("oos", bool),
- ("ssidref", integer),
+ ("ssidref", uint32),
 ("name", string),
 ("uuid", libxl_uuid),
 ("xsdata", libxl_key_value_list),
diff -r 9dd91e9691a2 tools/libxl/xl.h
--- a/tools/libxl/xl.h Sat Apr 02 15:58:54 2011 +0100
+++ b/tools/libxl/xl.h Mon Apr 04 09:19:49 2011 -0400
@@ -87,6 +87,9 @@
 int main_cpupoolcpuremove(int argc, char **argv);
 int main_cpupoolmigrate(int argc, char **argv);
 int main_cpupoolnumasplit(int argc, char **argv);
+int main_getenforce(int argc, char **argv);
+int main_setenforce(int argc, char **argv);
+int main_loadpolicy(int argc, char **argv);
 void help(const char *command);
diff -r 9dd91e9691a2 tools/libxl/xl_cmdimpl.c
--- a/tools/libxl/xl_cmdimpl.c Sat Apr 02 15:58:54 2011 +0100
+++ b/tools/libxl/xl_cmdimpl.c Mon Apr 04 09:19:49 2011 -0400
@@ -640,6 +640,20 @@
 libxl_init_create_info(c_info);
+ if (!xlu_cfg_get_string (config, "seclabel", &buf)) {
+ e = xc_flask_context_to_sid(ctx.xch, (char *)buf, strlen(buf),
+ &c_info->ssidref);
+ if (e) {
+ if (errno == ENOSYS) {
+ fprintf(stderr, "XSM Disabled: seclabel not supported\n");
+ }
+ else {
+ fprintf(stderr, "Invalid seclabel: %s\n", buf);
+ exit(1);
+ }
+ }
+ }
+
 c_info->hvm = 0;
 if (!xlu_cfg_get_string (config, "builder", &buf) &&
 !strncmp(buf, "hvm", strlen(buf)))
@@ -2304,13 +2318,14 @@
 }
 }
-static void list_domains(int verbose, const libxl_dominfo *info, int nb_domain)
+static void list_domains(int verbose, int context, const libxl_dominfo *info, int nb_domain)
 {
 int i;
 static const char shutdown_reason_letters[]= "-rscw";
 printf("Name ID Mem VCPUs\tState\tTime(s)");
- if (verbose) printf(" UUID Reason-Code");
+ if (verbose) printf(" UUID Reason-Code\tSecurity Label");
+ if (context && !verbose) printf(" Security Label");
 printf("\n");
 for (i = 0; i < nb_domain; i++) {
 char *domname;
@@ -2334,9 +2349,19 @@
 free(domname);
 if (verbose) {
 printf(" " LIBXL_UUID_FMT, LIBXL_UUID_BYTES(info[i].uuid));
- if (info[i].shutdown) printf(" %8x", shutdown_reason);
- else printf(" %8s", "-");
- }
+ if (info[i].shutdown) printf(" %8x", shutdown_reason);
+ else printf(" %8s", "-");
+ }
+ if (verbose || context) {
+ int rc;
+ uint32_t size = XC_PAGE_SIZE;
+ char buf[size];
+ rc = xc_flask_sid_to_context(ctx.xch, info[i].ssidref, buf, size);
+ if (rc < 0)
+ printf(" -");
+ else
+ printf(" %s", buf);
+ }
 putchar('\n');
 }
 }
@@ -3159,12 +3184,14 @@
 int main_list(int argc, char **argv)
 {
 int opt, verbose = 0;
+ int context = 0;
 int details = 0;
 int option_index = 0;
 static struct option long_options[] = {
 {"long", 0, 0, 'l'},
 {"help", 0, 0, 'h'},
 {"verbose", 0, 0, 'v'},
+ {"context", 0, 0, 'Z'},
 {0, 0, 0, 0}
 };
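Review bot: When `xc_flask_context_to_sid` fails with ENOSYS the config's `seclabel` is dropped with only a message on stderr and domain creation continues with whatever `c_info->ssidref` already held, so a configuration that asked for a label runs without one and the exit status does not say so; if that degrade is intended, record it in a comment such as `/* XSM disabled: the requested seclabel is ignored and the domain is created unlabelled */`, otherwise treat it like the invalid-label branch and `exit(1)`. The `(char *)buf` cast discards the const that `xlu_cfg_get_string` presumably hands back; if `xc_flask_context_to_sid` does not write to the string, its parameter should be `const char *` and the cast dropped. The enclosing function, and the declarations of `e` and `buf`, lie outside the hunk.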
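Review bot: `uint32_t size = XC_PAGE_SIZE; char buf[size];` in the list_domains loop declares a variable-length array from a compile-time constant; `char buf[XC_PAGE_SIZE];` with `sizeof buf` passed to `xc_flask_sid_to_context` says the same thing without a VLA. Whether `xc_flask_sid_to_context` NUL-terminates `buf` on success is not visible here; if it only reports a length, terminate `buf` explicitly before `printf(" %s", buf)`. The three `if (info[i].shutdown)` / `else` / `}` lines are removed and re-added with identical text, i.e. a whitespace-only re-indent mixed into a functional hunk; splitting that into its own change keeps the history readable. list_domains's signature is in the preceding hunk.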
@@ -3173,7 +3200,7 @@
 int nb_domain, rc;
 while (1) {
- opt = getopt_long(argc, argv, "lvh", long_options, &option_index);
+ opt = getopt_long(argc, argv, "lvhZ", long_options, &option_index);
 if (opt == -1)
 break;
@@ -3187,6 +3214,9 @@
 case 'v':
 verbose = 1;
 break;
+ case 'Z':
+ context = 1;
+ break;
 default:
 fprintf(stderr, "option `%c' not supported.\n", optopt);
 break;
@@ -3222,7 +3252,7 @@
 if (details)
 list_domains_details(info, nb_domain);
 else
- list_domains(verbose, info, nb_domain);
+ list_domains(verbose, context, info, nb_domain);
 free(info_free);
@@ -5921,3 +5951,130 @@
 return ret;
 }
+
+int main_getenforce(int argc, char **argv)
+{
+ int ret;
+
+ ret = xc_flask_getenforce(ctx.xch);
+
+ if (ret < 0) {
+ if (errno == ENOSYS)
+ printf("Disabled\n");
+ else
+ fprintf(stderr, "Failed to get enforcing mode (%i)\n", ret);
+ }
+ else if (ret == 1)
+ printf("Enforcing\n");
+ else if (ret == 0)
+ printf("Permissive\n");
+
+ return ret;
+}
+
+int main_setenforce(int argc, char **argv)
+{
+ int ret, mode = -1;
+ const char *p = NULL;
+
+ if (optind >= argc) {
+ help("setenforce");
+ return 2;
+ }
+
+ p = argv[optind];
+
+ if (!strcmp(p, "0"))
+ mode = 0;
+ else if (!strcmp(p, "1"))
+ mode = 1;
+ else if (!strcasecmp(p, "permissive"))
+ mode = 0;
+ else if (!strcasecmp(p, "enforcing"))
+ mode = 1;
+ else {
+ help("setenforce");
+ return 2;
+ }
+
+ ret = xc_flask_setenforce(ctx.xch, mode);
+
+ if (ret) {
+ if (errno == ENOSYS) {
+ fprintf(stderr, "Flask XSM disabled\n");
+ }
+ else
+ fprintf(stderr, "error occured while setting enforcing mode (%i)\n", ret);
+ }
+
+ return ret;
+}
+
+int main_loadpolicy(int argc, char **argv)
+{
+ const char *polFName;
+ int polFd = 0;
+ void *polMemCp = NULL;
+ struct stat info;
+ int ret;
+
+ if (optind >= argc) {
+ help("loadpolicy");
+ return 2;
+ }
+
+ polFName = argv[optind];
+ polFd = open(polFName, O_RDONLY);
+ if ( polFd < 0 )
+ {
+ fprintf(stderr, "Error occurred opening policy file '%s': %s\n",
+ polFName, strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ ret = stat(polFName, &info);
+ if ( ret < 0 )
+ {
+ fprintf(stderr, "Error occurred retrieving information about"
+ "policy file '%s': %s\n", polFName, strerror(errno));
+ goto done;
+ }
+
+ polMemCp = malloc(info.st_size);
+
+ ret = read(polFd, polMemCp, info.st_size);
+ if ( ret < 0 )
+ {
+ fprintf(stderr, "Unable to read new Flask policy file: %s\n",
+ strerror(errno));
+ goto done;
+ }
+
+ ret = xc_flask_load(ctx.xch, polMemCp, info.st_size);
+
+ if ( ret < 0 )
+ {
+ if (errno == ENOSYS) {
+ fprintf(stderr, "Flask XSM disabled\n");
+ }
+ else
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to load new Flask policy: %s\n",
+ strerror(errno));
+ ret = -1;
+ }
+ }
+ else
+ {
+ printf("Successfully loaded policy.\n");
+ }
+
+done:
+ free(polMemCp);
+ if ( polFd > 0 )
+ close(polFd);
+
+ return ret;
+}
diff -r 9dd91e9691a2 tools/libxl/xl_cmdtable.c
--- a/tools/libxl/xl_cmdtable.c Sat Apr 02 15:58:54 2011 +0100
+++ b/tools/libxl/xl_cmdtable.c Mon Apr 04 09:19:49 2011 -0400
@@ -36,7 +36,8 @@
 "List information about all/some domains",
 "[options] [Domain]\n",
 "-l, --long Output all VM details\n"
- "-v, --verbose Prints out UUIDs",
+ "-v, --verbose Prints out UUIDs and security context\n"
+ "-Z, --context Prints out security context"
 },
 { "destroy",
 &main_destroy,
@@ -382,6 +383,21 @@
 "Splits up the machine into one CPU pool per NUMA node",
 "",
 },
+ { "getenforce",
+ &main_getenforce,
+ "Returns the current enforcing mode of the Flask Xen security module",
+ "",
+ },
+ { "setenforce",
+ &main_setenforce,
+ "Sets the current enforcing mode of the Flask Xen security module",
+ "<1|0|Enforcing|Permissive>",
+ },
+ { "loadpolicy",
+ &main_loadpolicy,
+ "Loads a new policy int the Flask Xen security module",
+ "",
+ },
 };
 int cmdtable_len = sizeof(cmd_table)/sizeof(struct cmd_spec);
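Review bot: The `loadpolicy` entry's usage string is `""` although `main_loadpolicy` requires a file argument (it calls `help("loadpolicy")` when none is given), so `xl help loadpolicy` would show no argument; the sibling `setenforce` entry documents its argument, and this one should read `"<policy file>"`. The description on the line above also has a typo: `"Loads a new policy int the Flask Xen security module"` should say `into`.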