[Xen-changelog] [xen-unstable] xsm: Add getenforce and setenforce functi

To: xen-changelog@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-changelog] [xen-unstable] xsm: Add getenforce and setenforce functionality to tools
From: Xen patchbot-unstable <patchbot-unstable@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 23 Oct 2009 02:40:13 -0700
Delivery-date: Fri, 23 Oct 2009 02:43:04 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-changelog-request@lists.xensource.com?subject=help>
List-id: BK change log <xen-changelog.lists.xensource.com>
List-post: <mailto:xen-changelog@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-changelog>, <mailto:xen-changelog-request@lists.xensource.com?subject=unsubscribe>
Reply-to: xen-devel@xxxxxxxxxxxxxxxxxxx
Sender: xen-changelog-bounces@xxxxxxxxxxxxxxxxxxx
# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1256288715 -3600
# Node ID 1e5c3059d23bfd2d8e5088404d7fdb96c83732e8
# Parent  ecc649ec367598e63e256a8c6515242ff5aa9afd
xsm: Add getenforce and setenforce functionality to tools

This patch exposes the getenforce and setenforce functionality for the
Flask XSM module.

Signed-off-by : Machon Gregory <mbgrego@xxxxxxxxxxxxxx>
Signed-off-by : George S. Coker, II <gscoker@xxxxxxxxxxxxxx>
---
 tools/flask/loadpolicy/Makefile          |   56 -------------
 tools/flask/loadpolicy/loadpolicy.c      |  129 -------------------------------
 tools/flask/Makefile                     |    2 
 tools/flask/libflask/flask_op.c          |   39 +++++++++
 tools/flask/libflask/include/flask.h     |    2 
 tools/flask/utils/Makefile               |   54 ++++++++++++
 tools/flask/utils/getenforce.c           |   66 +++++++++++++++
 tools/flask/utils/loadpolicy.c           |  129 +++++++++++++++++++++++++++++++
 tools/flask/utils/setenforce.c           |   73 +++++++++++++++++
 tools/python/xen/lowlevel/flask/flask.c  |   66 +++++++++++++++
 tools/python/xen/util/xsm/flask/flask.py |   11 ++
 tools/python/xen/xend/XendXSPolicy.py    |   12 ++
 tools/python/xen/xm/getenforce.py        |   66 +++++++++++++++
 tools/python/xen/xm/main.py              |   23 ++++-
 tools/python/xen/xm/setenforce.py        |   74 +++++++++++++++++
 15 files changed, 608 insertions(+), 194 deletions(-)

diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/Makefile
--- a/tools/flask/Makefile      Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/flask/Makefile      Fri Oct 23 10:05:15 2009 +0100
@@ -3,7 +3,7 @@ include $(XEN_ROOT)/tools/Rules.mk
 
 SUBDIRS :=
 SUBDIRS += libflask
-SUBDIRS += loadpolicy
+SUBDIRS += utils
 
 .PHONY: all clean install
 all clean install: %: subdirs-%
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/libflask/flask_op.c
--- a/tools/flask/libflask/flask_op.c   Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/flask/libflask/flask_op.c   Fri Oct 23 10:05:15 2009 +0100
@@ -70,3 +70,42 @@ int flask_sid_to_context(int xc_handle, 
 
     return 0;
 }
+
+int flask_getenforce(int xc_handle)
+{
+    int err;
+    flask_op_t op;
+    char buf[20];            
+    int size = 20;
+    int mode;
+ 
+    op.cmd = FLASK_GETENFORCE;
+    op.buf = buf;
+    op.size = size;
+    
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+        return err;
+
+    sscanf(buf, "%i", &mode);
+
+    return mode;
+}
+
+int flask_setenforce(int xc_handle, int mode)
+{
+    int err;
+    flask_op_t op;
+    char buf[20];
+    int size = 20; 
+ 
+    op.cmd = FLASK_SETENFORCE;
+    op.buf = buf;
+    op.size = size;
+   
+    snprintf(buf, size, "%i", mode);
+ 
+    if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+        return err;
+
+    return 0;
+}
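Review bot: flask_getenforce returns `mode` without checking that sscanf matched anything, and `mode` is never initialised, so an empty or non-numeric reply buffer hands an indeterminate value to every caller (getenforce.c and the Python binding both treat the result as the mode). Check the conversion and fail closed, e.g. `if ( sscanf(buf, "%i", &mode) != 1 ) return -EINVAL;` (whether flask_op.c already includes <errno.h> is outside the hunk). The sscanf also relies on the hypervisor NUL-terminating what it writes into the 20-byte buf; `char buf[20] = { 0 };` with `op.size = sizeof(buf) - 1;` keeps the last byte zero regardless of what the other side writes, assuming it honours op.size. In flask_setenforce the trailing `if (...) return err; return 0;` can simply be `return xc_flask_op(xc_handle, &op);`.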
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/libflask/include/flask.h
--- a/tools/flask/libflask/include/flask.h      Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/flask/libflask/include/flask.h      Fri Oct 23 10:05:15 2009 +0100
@@ -18,5 +18,7 @@ int flask_load(int xc_handle, char *buf,
 int flask_load(int xc_handle, char *buf, uint32_t size);
 int flask_context_to_sid(int xc_handle, char *buf, uint32_t size, uint32_t 
*sid);
 int flask_sid_to_context(int xc_handle, int sid, char *buf, uint32_t size);
+int flask_getenforce(int xc_handle);
+int flask_setenforce(int xc_handle, int mode);
 
 #endif /* __FLASK_H__ */
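Review bot: flask_getenforce's return value overloads the mode (0 or 1) with whatever xc_flask_op returned on failure, which the new callers treat as a negative errno, but nothing in the header states that contract. A comment above the two prototypes would pin it for the tools and the Python binding, e.g. `/* flask_getenforce: returns 0 (permissive) or 1 (enforcing); on failure returns the xc_flask_op error, which callers treat as a negative errno. */` and `/* flask_setenforce: mode is 0 (permissive) or 1 (enforcing); returns 0 on success. */`.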
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/loadpolicy/Makefile
--- a/tools/flask/loadpolicy/Makefile   Fri Oct 23 10:04:03 2009 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,57 +0,0 @@
-XEN_ROOT=../../..
-include $(XEN_ROOT)/tools/Rules.mk
-XEN_LIBXC          = $(XEN_ROOT)/tools/libxc
-
-LIBXC_ROOT = $(XEN_ROOT)/tools/libxc
-LIBFLASK_ROOT = $(XEN_ROOT)/tools/flask/libflask
-
-PROFILE=#-pg
-BASECFLAGS=-Wall -g -Werror
-BASECFLAGS+= $(PROFILE)
-#BASECFLAGS+= -I$(XEN_ROOT)/tools
-BASECFLAGS+= $(CFLAGS_libxenctrl)
-BASECFLAGS+= -I$(LIBFLASK_ROOT)/include
-BASECFLAGS+= -I.
-
-CFLAGS  += $(BASECFLAGS)
-LDFLAGS += $(PROFILE) -L$(XEN_LIBXC) -L$(LIBFLASK_ROOT)
-TESTDIR  = testsuite/tmp
-TESTFLAGS= -DTESTING
-TESTENV  = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)
-
-CLIENTS := flask-loadpolicy
-CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
-CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))
-
-.PHONY: all
-all: $(CLIENTS)
-
-$(CLIENTS): flask-%: %.o
-       $(CC) $(CFLAGS) $(LDFLAGS) $< $(LOADLIBES) $(LDLIBS) -L. -lflask 
$(LDFLAGS_libxenctrl) -o $@
-
-$(CLIENTS_OBJS): $(CLIENTS_SRCS)
-       $(COMPILE.c) -o $@ $<
-
-.PHONY: clean
-clean: 
-       rm -f *.o *.opic *.so
-       rm -f $(CLIENTS)
-       $(RM) $(DEPS)
-
-.PHONY: print-dir
-print-dir:
-       @echo -n tools/flask/loadpolicy: 
-
-.PHONY: print-end
-print-end:
-       @echo
-
-.PHONY: install
-install: all
-       $(INSTALL_DIR) $(DESTDIR)$(SBINDIR)
-       $(INSTALL_PROG) $(CLIENTS) $(DESTDIR)$(SBINDIR)
-
--include $(DEPS)
-
-# never delete any intermediate files.
-.SECONDARY:
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/loadpolicy/loadpolicy.c
--- a/tools/flask/loadpolicy/loadpolicy.c       Fri Oct 23 10:04:03 2009 +0100
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,129 +0,0 @@
-/*
- *
- *  Authors:  Michael LeMay, <mdlemay@xxxxxxxxxxxxxx>
- *            George Coker, <gscoker@xxxxxxxxxxxxxx>
- *
- *    This program is free software; you can redistribute it and/or modify
- *    it under the terms of the GNU General Public License version 2,
- *      as published by the Free Software Foundation.
- */
-
-#include <stdlib.h>
-#include <errno.h>
-#include <stdio.h>
-#include <xenctrl.h>
-#include <fcntl.h>
-#include <sys/mman.h>
-#include <sys/stat.h>
-#include <string.h>
-#include <unistd.h>
-#include <flask.h>
-
-#define USE_MMAP
-
-static void usage (int argCnt, const char *args[])
-{
-    fprintf(stderr, "Usage: %s <policy.file>\n", args[0]);
-    exit(1);
-}
-
-int main (int argCnt, const char *args[])
-{
-    const char *polFName;
-    int polFd = 0;
-    void *polMem = NULL;
-    void *polMemCp = NULL;
-    struct stat info;
-    int ret;
-    int xch = 0;
-
-    if (argCnt != 2)
-        usage(argCnt, args);
-
-    polFName = args[1];
-    polFd = open(polFName, O_RDONLY);
-    if ( polFd < 0 )
-    {
-        fprintf(stderr, "Error occurred opening policy file '%s': %s\n",
-                polFName, strerror(errno));
-        ret = -1;
-        goto cleanup;
-    }
-    
-    ret = stat(polFName, &info);
-    if ( ret < 0 )
-    {
-        fprintf(stderr, "Error occurred retrieving information about"
-                "policy file '%s': %s\n", polFName, strerror(errno));
-        goto cleanup;
-    }
-
-    polMemCp = malloc(info.st_size);
-
-#ifdef USE_MMAP
-    polMem = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, polFd, 0);
-    if ( !polMem )
-    {
-        fprintf(stderr, "Error occurred mapping policy file in memory: %s\n",
-                strerror(errno));
-        ret = -1;
-        goto cleanup;
-    }
-
-    xch = xc_interface_open();
-    if ( xch < 0 )
-    {
-        fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
-                strerror(errno));
-        ret = -1;
-        goto cleanup;
-    }
-
-    memcpy(polMemCp, polMem, info.st_size);
-#else
-    ret = read(polFd, polMemCp, info.st_size);
-    if ( ret < 0 )
-    {
-        fprintf(stderr, "Unable to read new Flask policy file: %s\n",
-                strerror(errno));
-        goto cleanup;
-    }
-    else
-    {
-        printf("Read %d bytes from policy file '%s'.\n", ret, polFName);
-    }
-#endif
-
-    ret = flask_load(xch, polMemCp, info.st_size);
-    if ( ret < 0 )
-    {
-        errno = -ret;
-        fprintf(stderr, "Unable to load new Flask policy: %s\n",
-                strerror(errno));
-        ret = -1;
-        goto cleanup;
-    }
-    else
-    {
-        printf("Successfully loaded policy.\n");
-    }
-
-done:
-    if ( polMemCp )
-        free(polMemCp);
-    if ( polMem )
-    {
-        ret = munmap(polMem, info.st_size);
-        if ( ret < 0 )
-            fprintf(stderr, "Unable to unmap policy memory: %s\n", 
strerror(errno));
-    }
-    if ( polFd )
-        close(polFd);
-    if ( xch )
-        xc_interface_close(xch);
-
-    return ret;
-
-cleanup:
-    goto done;
-}
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/utils/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/utils/Makefile        Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,54 @@
+XEN_ROOT=../../..
+include $(XEN_ROOT)/tools/Rules.mk
+XEN_LIBXC          = $(XEN_ROOT)/tools/libxc
+
+LIBXC_ROOT = $(XEN_ROOT)/tools/libxc
+LIBFLASK_ROOT = $(XEN_ROOT)/tools/flask/libflask
+
+PROFILE=#-pg
+BASECFLAGS=-Wall -g -Werror
+BASECFLAGS+= $(PROFILE)
+#BASECFLAGS+= -I$(XEN_ROOT)/tools
+BASECFLAGS+= $(CFLAGS_libxenctrl)
+BASECFLAGS+= -I$(LIBFLASK_ROOT)/include
+BASECFLAGS+= -I.
+
+CFLAGS  += $(BASECFLAGS)
+LDFLAGS += $(PROFILE) -L$(XEN_LIBXC) -L$(LIBFLASK_ROOT)
+TESTDIR  = testsuite/tmp
+TESTFLAGS= -DTESTING
+TESTENV  = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)
+
+CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce
+CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
+CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))
+
+.PHONY: all
+all: $(CLIENTS)
+
+$(CLIENTS): flask-%: %.o
+       $(CC) $(CFLAGS) $(LDFLAGS) $< $(LOADLIBES) $(LDLIBS) -L. -lflask 
$(LDFLAGS_libxenctrl) -o $@
+
+.PHONY: clean
+clean: 
+       rm -f *.o *.opic *.so
+       rm -f $(CLIENTS)
+       $(RM) $(DEPS)
+
+.PHONY: print-dir
+print-dir:
+       @echo -n tools/flask/utils: 
+
+.PHONY: print-end
+print-end:
+       @echo
+
+.PHONY: install
+install: all
+       $(INSTALL_DIR) $(DESTDIR)$(SBINDIR)
+       $(INSTALL_PROG) $(CLIENTS) $(DESTDIR)$(SBINDIR)
+
+-include $(DEPS)
+
+# never delete any intermediate files.
+.SECONDARY:
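Review bot: Several variables in this new Makefile are dead: TESTDIR, TESTFLAGS and TESTENV are never referenced, LIBXC_ROOT duplicates XEN_LIBXC, and CLIENTS_SRCS has no consumer now that the old `$(CLIENTS_OBJS): $(CLIENTS_SRCS)` rule is gone. Dropping that rule is the right outcome (its recipe used `$<`, so with three clients it would have compiled the first source into every object, and the built-in `%.o: %.c` rule does the right thing), but the leftover variables now mislead a reader about what the file builds; remove them. The `-include $(DEPS)` line presumably depends on Rules.mk both defining DEPS and adding the dependency-generation flags; a one-line comment such as `# DEPS and the -MMD/-MF flags are provided by $(XEN_ROOT)/tools/Rules.mk` would make that visible.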
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/utils/getenforce.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/utils/getenforce.c    Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,66 @@
+/*
+ *
+ *  Author:  Machon Gregory, <mbgrego@xxxxxxxxxxxxxx>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2,
+ *  as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+    fprintf(stderr, "Usage: %s\n", args[0]);
+    exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+    int ret;
+    int xch = 0;
+
+    if (argCnt != 1)
+        usage(argCnt, args);
+
+    xch = xc_interface_open();
+    if ( xch < 0 )
+    {
+        fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+                strerror(errno));
+        ret = -1;
+        goto done;
+    }
+
+    ret = flask_getenforce(xch);
+    if ( ret < 0 )
+    {
+        errno = -ret;
+        fprintf(stderr, "Unable to get enforcing mode: %s\n",
+                strerror(errno));
+        ret = -1;
+        goto done;
+    }
+    else
+    {
+        if(ret) 
+            printf("Enforcing\n");
+        else
+            printf("Permissive\n");
+    }
+
+done:
+    if ( xch )
+        xc_interface_close(xch);
+
+    return ret;
+}
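Review bot: main's exit status is the enforcing mode itself: after `printf("Enforcing\n")` ret is still 1, so a script checking the status sees Enforcing as a failure, while the real error path exits with -1 (255 to the shell). Set `ret = 0;` once the mode has been printed so the status only reflects success or failure; the mode is already reported on stdout. `xch` starts at 0 and the cleanup tests `if ( xch )`, which skips the close should xc_interface_open ever return fd 0; `int xch = -1;` with `if ( xch >= 0 )` is the usual form. The fcntl.h, sys/mman.h and sys/stat.h includes are carried over from loadpolicy.c and unused here.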
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/utils/loadpolicy.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/utils/loadpolicy.c    Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,129 @@
+/*
+ *
+ *  Authors:  Michael LeMay, <mdlemay@xxxxxxxxxxxxxx>
+ *            George Coker, <gscoker@xxxxxxxxxxxxxx>
+ *
+ *    This program is free software; you can redistribute it and/or modify
+ *    it under the terms of the GNU General Public License version 2,
+ *      as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+#define USE_MMAP
+
+static void usage (int argCnt, const char *args[])
+{
+    fprintf(stderr, "Usage: %s <policy.file>\n", args[0]);
+    exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+    const char *polFName;
+    int polFd = 0;
+    void *polMem = NULL;
+    void *polMemCp = NULL;
+    struct stat info;
+    int ret;
+    int xch = 0;
+
+    if (argCnt != 2)
+        usage(argCnt, args);
+
+    polFName = args[1];
+    polFd = open(polFName, O_RDONLY);
+    if ( polFd < 0 )
+    {
+        fprintf(stderr, "Error occurred opening policy file '%s': %s\n",
+                polFName, strerror(errno));
+        ret = -1;
+        goto cleanup;
+    }
+    
+    ret = stat(polFName, &info);
+    if ( ret < 0 )
+    {
+        fprintf(stderr, "Error occurred retrieving information about"
+                "policy file '%s': %s\n", polFName, strerror(errno));
+        goto cleanup;
+    }
+
+    polMemCp = malloc(info.st_size);
+
+#ifdef USE_MMAP
+    polMem = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, polFd, 0);
+    if ( !polMem )
+    {
+        fprintf(stderr, "Error occurred mapping policy file in memory: %s\n",
+                strerror(errno));
+        ret = -1;
+        goto cleanup;
+    }
+
+    xch = xc_interface_open();
+    if ( xch < 0 )
+    {
+        fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+                strerror(errno));
+        ret = -1;
+        goto cleanup;
+    }
+
+    memcpy(polMemCp, polMem, info.st_size);
+#else
+    ret = read(polFd, polMemCp, info.st_size);
+    if ( ret < 0 )
+    {
+        fprintf(stderr, "Unable to read new Flask policy file: %s\n",
+                strerror(errno));
+        goto cleanup;
+    }
+    else
+    {
+        printf("Read %d bytes from policy file '%s'.\n", ret, polFName);
+    }
+#endif
+
+    ret = flask_load(xch, polMemCp, info.st_size);
+    if ( ret < 0 )
+    {
+        errno = -ret;
+        fprintf(stderr, "Unable to load new Flask policy: %s\n",
+                strerror(errno));
+        ret = -1;
+        goto cleanup;
+    }
+    else
+    {
+        printf("Successfully loaded policy.\n");
+    }
+
+done:
+    if ( polMemCp )
+        free(polMemCp);
+    if ( polMem )
+    {
+        ret = munmap(polMem, info.st_size);
+        if ( ret < 0 )
+            fprintf(stderr, "Unable to unmap policy memory: %s\n", 
strerror(errno));
+    }
+    if ( polFd )
+        close(polFd);
+    if ( xch )
+        xc_interface_close(xch);
+
+    return ret;
+
+cleanup:
+    goto done;
+}
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/utils/setenforce.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/utils/setenforce.c    Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,73 @@
+/*
+ *
+ *  Authors:  Machon Gregory, <mbgrego@xxxxxxxxxxxxxx>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2,
+ *  as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+    fprintf(stderr, "Usage: %s [ (Enforcing|1) | (Permissive|0) ]\n", args[0]);
+    exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+    int ret = 0;
+    int xch = 0;
+    long mode = 0;
+    char *end;
+
+    if (argCnt != 2)
+        usage(argCnt, args);
+
+    xch = xc_interface_open();
+    if ( xch < 0 )
+    {
+        fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+                strerror(errno));
+        ret = -1;
+        goto done;
+    }
+
+    if( strlen(args[1]) == 1 && (args[1][0] == '0' || args[1][0] == '1')){
+        mode = strtol(args[1], &end, 10);
+        ret = flask_setenforce(xch, mode);
+    } else {
+        if( strcasecmp(args[1], "enforcing") == 0 ){
+            ret = flask_setenforce(xch, 1);
+        } else if( strcasecmp(args[1], "permissive") == 0 ){
+            ret = flask_setenforce(xch, 0);
+        } else {
+            usage(argCnt, args);
+        }
+    }
+
+    if ( ret < 0 )
+    {
+        errno = -ret;
+        fprintf(stderr, "Unable to get enforcing mode: %s\n",
+                strerror(errno));
+        ret = -1;
+        goto done;
+    }
+
+done:
+    if ( xch )
+        xc_interface_close(xch);
+
+    return ret;
+}
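Review bot: The failure message near the end of main reads `"Unable to get enforcing mode: %s\n"` although this tool sets the mode — a copy-paste from getenforce.c; it should be `"Unable to set enforcing mode: %s\n"`. The argument is only parsed after xc_interface_open has succeeded, so a mistyped mode opens the privileged control interface for nothing and then exits through usage() without closing it; parsing the mode first and making a single flask_setenforce call afterwards avoids both and removes the three duplicated call sites. `end` from strtol is never inspected, and strcasecmp is declared in <strings.h> rather than the <string.h> the file includes (glibc's <string.h> pulls it in under the default feature macros, so it builds, but the explicit include is safer).
```c
int main (int argCnt, const char *args[])
{
    int ret = 0;
    int xch = 0;
    int mode = 0;

    if (argCnt != 2)
        usage(argCnt, args);

    /* Validate the requested mode before touching the control interface. */
    if ( strcmp(args[1], "1") == 0 || strcasecmp(args[1], "enforcing") == 0 )
        mode = 1;
    else if ( strcmp(args[1], "0") == 0 || strcasecmp(args[1], "permissive") == 0 )
        mode = 0;
    else
        usage(argCnt, args);

    xch = xc_interface_open();
    /* … unchanged: xc_interface_open failure handling … */

    ret = flask_setenforce(xch, mode);
    if ( ret < 0 )
    {
        errno = -ret;
        fprintf(stderr, "Unable to set enforcing mode: %s\n",
                strerror(errno));
        ret = -1;
        goto done;
    }
    /* … unchanged: done label and cleanup … */
```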
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/lowlevel/flask/flask.c
--- a/tools/python/xen/lowlevel/flask/flask.c   Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/python/xen/lowlevel/flask/flask.c   Fri Oct 23 10:05:15 2009 +0100
@@ -136,6 +136,60 @@ static PyObject *pyflask_load(PyObject *
     return Py_BuildValue("i", ret);
 }
 
+static PyObject *pyflask_getenforce(PyObject *self)
+{
+    int xc_handle;
+    int ret;
+
+    xc_handle = xc_interface_open();
+    if (xc_handle < 0) {
+        errno = xc_handle;
+        return PyErr_SetFromErrno(xc_error_obj);
+    }
+    
+    ret = flask_getenforce(xc_handle);
+    
+    xc_interface_close(xc_handle);
+    
+    if ( ret < 0 ) {
+        errno = -ret;
+        return PyErr_SetFromErrno(xc_error_obj);
+    }
+
+    return Py_BuildValue("i", ret);
+}
+
+static PyObject *pyflask_setenforce(PyObject *self, PyObject *args,
+                                                            PyObject *kwds)
+{
+    int xc_handle;
+    int mode;
+    int ret;
+
+    static char *kwd_list[] = { "mode", NULL };
+
+    if ( !PyArg_ParseTupleAndKeywords(args, kwds, "i", kwd_list,
+                                      &mode) )
+        return NULL;
+
+    xc_handle = xc_interface_open();
+    if (xc_handle < 0) {
+        errno = xc_handle;
+        return PyErr_SetFromErrno(xc_error_obj);
+    }
+    
+    ret = flask_setenforce(xc_handle, mode);
+    
+    xc_interface_close(xc_handle);
+    
+    if ( ret != 0 ) {
+        errno = -ret;
+        return PyErr_SetFromErrno(xc_error_obj);
+    }
+
+    return Py_BuildValue("i", ret);
+}
+
 static PyMethodDef pyflask_methods[] = {
     { "flask_context_to_sid",
       (PyCFunction)pyflask_context_to_sid,
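Review bot: pyflask_getenforce is registered as METH_NOARGS in the next hunk but declared with a single `PyObject *self` parameter; METH_NOARGS functions are invoked with two arguments (self and a NULL args), so the prototype should be `static PyObject *pyflask_getenforce(PyObject *self, PyObject *args)` — the PyCFunction cast currently hides the mismatch. In both new functions `errno = xc_handle;` stores the negative handle before PyErr_SetFromErrno; if xc_interface_open returns -1 with errno already set, as libxc of this vintage appears to, that assignment replaces the real errno with -1 and the Python side reports "Unknown error -1", so the line should be dropped (and the same idiom checked in pyflask_load, which is outside the hunk). The open/call/close sequence is duplicated between the two functions; a small static helper would keep them in step.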
@@ -158,6 +212,18 @@ static PyMethodDef pyflask_methods[] = {
       " policy [str]: policy to be load\n"
       "Returns: [int]: 0 on success; -1 on failure.\n" }, 
       
+    { "flask_getenforce",
+      (PyCFunction)pyflask_getenforce,
+      METH_NOARGS, "\n"
+      "Returns the current mode of the Flask XSM module.\n"
+      "Returns: [int]: 0 for permissive; 1 for enforcing; -1 on failure.\n" }, 
+
+    { "flask_setenforce",
+      (PyCFunction)pyflask_setenforce,
+      METH_KEYWORDS, "\n"
+      "Modifies the current mode for the Flask XSM module.\n"
+      " mode [int]: mode to change to\n"
+      "Returns: [int]: 0 on success; -1 on failure.\n" }, 
     { NULL, NULL, 0, NULL }
 };
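Review bot: Both new docstrings promise "-1 on failure", but the functions they describe never return -1 — on error they set a Python exception via PyErr_SetFromErrno and return NULL. Reword the two return lines to match, e.g. `"Returns: [int]: 0 for permissive; 1 for enforcing; raises on failure.\n"` and `"Returns: [int]: 0 on success; raises on failure.\n"`. pyflask_setenforce is declared with METH_KEYWORDS alone rather than `METH_VARARGS | METH_KEYWORDS`; Python 2 tolerates that, and it presumably mirrors the existing entries, but the combined form is what the C API documents.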
 
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/util/xsm/flask/flask.py
--- a/tools/python/xen/util/xsm/flask/flask.py  Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py  Fri Oct 23 10:05:15 2009 +0100
@@ -7,9 +7,10 @@ from xen.xend import sxp
 #Functions exported through XML-RPC
 xmlrpc_exports = [
   'on',
-  'set_policy'
+  'set_policy',
+  'getenforce',
+  'setenforce'
 ]
-
 
 def err(msg):
     """Raise XSM-Flask exception.
@@ -56,3 +57,9 @@ def set_policy(xs_type, policy_b64, flag
 def set_policy(xs_type, policy_b64, flags=None, overwrite=None):
     policy = base64.b64decode(policy_b64);
     return flask.flask_load(policy), ""
+
+def getenforce():
+    return flask.flask_getenforce()
+
+def setenforce(mode):
+    return flask.flask_setenforce(mode)
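Review bot: setenforce is exported over XML-RPC (the first hunk adds it to xmlrpc_exports) and forwards `mode` to the C extension unchecked; only 0 and 1 are meaningful, and a non-integer surfaces as a TypeError from the extension's argument parsing rather than as the module's XSM-Flask error. Validate at this boundary with the file's own helper: `if mode not in (0, 1): err("Unsupported enforcing mode: %s" % mode)`. Neither new function has a docstring, unlike err() just above; one line each (`"""Return the Flask enforcing mode: 0 permissive, 1 enforcing."""`, `"""Set the Flask enforcing mode to 0 (permissive) or 1 (enforcing)."""`) would match the file's style.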
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/xend/XendXSPolicy.py
--- a/tools/python/xen/xend/XendXSPolicy.py     Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/python/xen/xend/XendXSPolicy.py     Fri Oct 23 10:05:15 2009 +0100
@@ -49,7 +49,9 @@ class XendXSPolicy(XendBase):
                   'get_resource_label',
                   'set_resource_label',
                   'get_labeled_resources',
-                  'can_run' ]
+                  'can_run',
+                  'getenforce',
+                  'setenforce']
         return XendBase.getFuncs() + funcs
 
     getClass    = classmethod(getClass)
@@ -205,6 +207,12 @@ class XendXSPolicy(XendBase):
             raise SecurityError(irc)
         return security.check_can_run(sec_label)
 
+    def getenforce(self):
+        return security.getenforce()
+
+    def setenforce(self, mode):
+        return security.setenforce(mode)
+
     get_xstype      = classmethod(get_xstype)
     get_xspolicy    = classmethod(get_xspolicy)
     set_xspolicy    = classmethod(set_xspolicy)
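Review bot: getenforce and setenforce are bound as classmethods in the last hunk, so `self` is actually the class when they run; the neighbouring can_run uses the same spelling, so this is consistent, but neither method documents what it returns or that it only makes sense when the active `security` backend is Flask (with another backend the attribute lookup presumably fails with an AttributeError rather than a SecurityError — worth confirming against the security module). A one-line docstring each would help, e.g. `"""Return the Flask enforcing mode (0 permissive, 1 enforcing)."""` and `"""Set the Flask enforcing mode; mode is 0 or 1."""`.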
@@ -214,6 +222,8 @@ class XendXSPolicy(XendBase):
     get_resource_label = classmethod(get_resource_label)
     get_labeled_resources = classmethod(get_labeled_resources)
     can_run = classmethod(can_run)
+    getenforce      = classmethod(getenforce)
+    setenforce      = classmethod(setenforce)
 
 
 class XendACMPolicy(XendXSPolicy):
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/xm/getenforce.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/python/xen/xm/getenforce.py Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,66 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#============================================================================
+# Author: Machon Gregory <mbgrego@xxxxxxxxxxxxxx> 
+#============================================================================
+
+"""Get the current mode of the Flask XSM module.
+"""
+
+from xen.xm.opts import OptionError
+from xen.xm import main as xm_main
+from xen.xm.main import server
+from xen.util import xsconstants
+
+def help():
+    return """
+    Usage: xm getenforce
+
+    Returns the current mode (Permissive, Enforcing) of the
+    Flask XSM module."""
+
+def getenforce():
+    if xm_main.serverType == xm_main.SERVER_XEN_API:
+        if xsconstants.XS_POLICY_FLASK != \
+                int(server.xenapi.XSPolicy.get_xstype()):
+            raise OptionError("Unsupported policy type")
+        mode = int(server.xenapi.XSPolicy.getenforce())
+    else:
+        if server.xend.security.on() != xsconstants.XS_POLICY_FLASK:
+            raise OptionError("Unsupported policy type")
+        mode = server.xend.security.getenforce()
+    
+    if mode == 0:
+        print "Permissive"
+    elif mode == 1:
+        print "Enforcing"
+
+def main(argv): 
+    if "-?" in argv:
+        help()
+        return
+
+    if len(argv) != 1:
+        raise OptionError("No arguments expected.")
+
+    getenforce()
+
+if __name__ == '__main__':
+    try:
+        main(sys.argv)
+    except Exception, e:
+        sys.stderr.write('Error: %s\n' % str(e))    
+        sys.exit(-1)
+
+    
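Review bot: The `__main__` block uses sys.argv, sys.stderr and sys.exit, but `sys` is never imported in this file; add `import sys` next to the other imports. In getenforce() a mode other than 0 or 1 prints nothing and the command still exits successfully; an `else: raise OptionError("Unexpected enforcing mode: %s" % mode)` turns a surprising backend reply into a visible error. main() calls `help()` on `-?` and discards the returned string, so nothing is shown unless xm's dispatcher prints it for imported commands; if the other xm security modules follow the same pattern this is just consistent, otherwise the string needs a `print`.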
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/xm/main.py
--- a/tools/python/xen/xm/main.py       Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/python/xen/xm/main.py       Fri Oct 23 10:05:15 2009 +0100
@@ -225,8 +225,7 @@ SUBCOMMAND_HELP = {
 
     # security
 
-    'addlabel'      :  ('<label> {dom <ConfigFile>|res <resource>|mgt <managed 
domain>}\n'
-                        '                   [<policy>]',
+    'addlabel'      :  ('<label> {dom <ConfigFile>|res <resource>|mgt <managed 
domain>} [<policy>]',
                         'Add security label to domain.'),
     'rmlabel'       :  ('{dom <ConfigFile>|res <Resource>|mgt<managed 
domain>}',
                         'Remove a security label from domain.'),
@@ -244,6 +243,9 @@ SUBCOMMAND_HELP = {
     'labels'        :  ('[policy] [type=dom|res|any]',
                         'List <type> labels for (active) policy.'),
     'serve'         :  ('', 'Proxy Xend XMLRPC over stdio.'),
+    'getenforce'    :  ('', 'Returns the current enforcing mode for the Flask 
XSM module (Enforcing,Permissive)'),
+    'setenforce'    :  ('[ (Enforcing|1) | (Permissive|0) ]',
+                        'Modifies the current enforcing mode for the Flask XSM 
module'),
 }
 
 SUBCOMMAND_OPTIONS = {
@@ -435,6 +437,10 @@ vnet_commands = [
     "vnet-delete",
     ]
 
+security_commands = [
+    "setpolicy",
+    ]
+
 acm_commands = [
     "labels",
     "addlabel",
@@ -443,9 +449,13 @@ acm_commands = [
     "dry-run",
     "resources",
     "dumppolicy",
-    "setpolicy",
     "resetpolicy",
     "getpolicy",
+    ]
+
+flask_commands = [
+    "getenforce",
+    "setenforce",
     ]
 
 tmem_commands = [
@@ -458,8 +468,9 @@ tmem_commands = [
     ]
 
 all_commands = (domain_commands + host_commands + scheduler_commands +
-                device_commands + vnet_commands + acm_commands +
-                tmem_commands + ['shell', 'event-monitor'])
+                device_commands + vnet_commands + security_commands +
+                acm_commands + flask_commands + tmem_commands + 
+                ['shell', 'event-monitor'])
 
 
 ##
@@ -3347,6 +3358,8 @@ IMPORTED_COMMANDS = [
     'getpolicy',
     'setpolicy',
     'resetpolicy',
+    'getenforce',
+    'setenforce',
     ]
 
 for c in IMPORTED_COMMANDS:
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/xm/setenforce.py
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/python/xen/xm/setenforce.py Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,74 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#============================================================================
+# Author: Machon Gregory <mbgrego@xxxxxxxxxxxxxx> 
+#============================================================================
+
+"""Modify the current mode of the Flask XSM module.
+"""
+
+from xen.xm.opts import OptionError
+from xen.xm import main as xm_main
+from xen.xm.main import server
+from xen.util import xsconstants
+
+def help():
+    return """
+    Usage: xm setenforce [ Enforcing | Permissive | 1 | 0 ]
+
+    Modifies the current mode of the Flask XSM module to be permissive or 
+    enforcing. Using Enforcing or 1 will put the Flask module in enforcing
+    mode. Using Permissive or 0 will put the Flask module in permissive 
+    mode."""
+
+def setenforce(mode):
+    if len(mode) == 1 and ( mode == "0" or mode == "1" ):
+        val = int(mode)
+    elif mode.lower() == "enforcing":
+        val = 1
+    elif mode.lower() == "permissive":
+        val = 0
+    else:
+        raise OptionError("%s is an unsupported mode" % mode)
+        
+    if xm_main.serverType == xm_main.SERVER_XEN_API:
+        if xsconstants.XS_POLICY_FLASK != \
+                int(server.xenapi.XSPolicy.get_xstype()):
+            raise OptionError("Unsupported policy type")
+        ret = server.xenapi.XSPolicy.setenforce(val)
+    else:
+        if server.xend.security.on() != xsconstants.XS_POLICY_FLASK:
+            raise OptionError("Unsupported policy type")
+        ret = server.xend.security.setenforce(val)
+
+def main(argv): 
+    if len(argv) != 2:
+        raise OptionError("Invalid arguments")
+
+    if "-?" in argv:
+        help()
+        return
+
+    mode = argv[1];
+
+    setenforce(mode)
+
+if __name__ == '__main__':
+    try:
+        main(sys.argv)
+    except Exception, e:
+        sys.stderr.write('Error: %s\n' % str(e))    
+        sys.exit(-1)
+
+    
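Review bot: As in getenforce.py, the `__main__` block relies on `sys` without importing it; add `import sys`. In setenforce() the backend result is stored in `ret` on both branches and then never used or returned; either `return ret` so callers can see it or drop the assignment. main() checks `len(argv) != 2` before looking for `-?`, the reverse of getenforce.py's order, so `xm setenforce -? extra` reports "Invalid arguments" instead of showing help; make the two modules consistent. The `len(mode) == 1 and` guard is redundant with the equality tests that follow it.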
