# HG changeset patch
# User Keir Fraser <keir.fraser@xxxxxxxxxx>
# Date 1256288715 -3600
# Node ID 1e5c3059d23bfd2d8e5088404d7fdb96c83732e8
# Parent ecc649ec367598e63e256a8c6515242ff5aa9afd
xsm: Add getenforce and setenforce functionality to tools
This patch exposes the getenforce and setenforce functionality for the
Flask XSM module.
Signed-off-by : Machon Gregory <mbgrego@xxxxxxxxxxxxxx>
Signed-off-by : George S. Coker, II <gscoker@xxxxxxxxxxxxxx>
---
tools/flask/loadpolicy/Makefile | 56 -------------
tools/flask/loadpolicy/loadpolicy.c | 129 -------------------------------
tools/flask/Makefile | 2
tools/flask/libflask/flask_op.c | 39 +++++++++
tools/flask/libflask/include/flask.h | 2
tools/flask/utils/Makefile | 54 ++++++++++++
tools/flask/utils/getenforce.c | 66 +++++++++++++++
tools/flask/utils/loadpolicy.c | 129 +++++++++++++++++++++++++++++++
tools/flask/utils/setenforce.c | 73 +++++++++++++++++
tools/python/xen/lowlevel/flask/flask.c | 66 +++++++++++++++
tools/python/xen/util/xsm/flask/flask.py | 11 ++
tools/python/xen/xend/XendXSPolicy.py | 12 ++
tools/python/xen/xm/getenforce.py | 66 +++++++++++++++
tools/python/xen/xm/main.py | 23 ++++-
tools/python/xen/xm/setenforce.py | 74 +++++++++++++++++
15 files changed, 608 insertions(+), 194 deletions(-)
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/Makefile
--- a/tools/flask/Makefile Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/flask/Makefile Fri Oct 23 10:05:15 2009 +0100
@@ -3,7 +3,7 @@ include $(XEN_ROOT)/tools/Rules.mk
SUBDIRS :=
SUBDIRS += libflask
-SUBDIRS += loadpolicy
+SUBDIRS += utils
.PHONY: all clean install
all clean install: %: subdirs-%
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/libflask/flask_op.c
--- a/tools/flask/libflask/flask_op.c Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/flask/libflask/flask_op.c Fri Oct 23 10:05:15 2009 +0100
@@ -70,3 +70,42 @@ int flask_sid_to_context(int xc_handle,
return 0;
}
+
+int flask_getenforce(int xc_handle)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+ int mode;
+
+ op.cmd = FLASK_GETENFORCE;
+ op.buf = buf;
+ op.size = size;
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ sscanf(buf, "%i", &mode);
+
+ return mode;
+}
+
+int flask_setenforce(int xc_handle, int mode)
+{
+ int err;
+ flask_op_t op;
+ char buf[20];
+ int size = 20;
+
+ op.cmd = FLASK_SETENFORCE;
+ op.buf = buf;
+ op.size = size;
+
+ snprintf(buf, size, "%i", mode);
+
+ if ( (err = xc_flask_op(xc_handle, &op)) != 0 )
+ return err;
+
+ return 0;
+}
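Review bot: In flask_getenforce the result of sscanf is never checked and `mode` is not initialised, so if the hypervisor hands back a buffer that does not parse as an integer the function returns an indeterminate value that every caller in this patch then treats as the enforcing mode. Initialise and check it: `int mode = 0;` and `if ( sscanf(buf, "%i", &mode) != 1 ) return -EINVAL;` (a negative errno, matching the `errno = -ret` convention the callers use). It is not visible here whether xc_flask_op guarantees NUL termination of `op.buf`; if it does not, reserve the last byte (`op.size = size - 1; buf[size - 1] = '\0';`) before parsing so sscanf cannot read past the 20-byte array.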
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/libflask/include/flask.h
--- a/tools/flask/libflask/include/flask.h Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/flask/libflask/include/flask.h Fri Oct 23 10:05:15 2009 +0100
@@ -18,5 +18,7 @@ int flask_load(int xc_handle, char *buf,
int flask_load(int xc_handle, char *buf, uint32_t size);
int flask_context_to_sid(int xc_handle, char *buf, uint32_t size, uint32_t
*sid);
int flask_sid_to_context(int xc_handle, int sid, char *buf, uint32_t size);
+int flask_getenforce(int xc_handle);
+int flask_setenforce(int xc_handle, int mode);
#endif /* __FLASK_H__ */
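Review bot: The two new prototypes carry no documentation of their return convention, and the callers in this patch read flask_getenforce as returning the mode itself (0 or 1) on success and a negative errno on failure, while flask_setenforce appears to return only 0 or a negative errno — that asymmetry is worth stating where callers will look for it. Suggested comments above the declarations: `/* Returns 0 (permissive) or 1 (enforcing), or a negative errno on failure. */` and `/* mode: 0 = permissive, 1 = enforcing. Returns 0 on success, negative errno on failure. */`. The error sign convention is inferred from the `errno = -ret` sites in the callers and should be confirmed against xc_flask_op.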
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/loadpolicy/Makefile
--- a/tools/flask/loadpolicy/Makefile Fri Oct 23 10:04:03 2009 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,57 +0,0 @@
-XEN_ROOT=../../..
-include $(XEN_ROOT)/tools/Rules.mk
-XEN_LIBXC = $(XEN_ROOT)/tools/libxc
-
-LIBXC_ROOT = $(XEN_ROOT)/tools/libxc
-LIBFLASK_ROOT = $(XEN_ROOT)/tools/flask/libflask
-
-PROFILE=#-pg
-BASECFLAGS=-Wall -g -Werror
-BASECFLAGS+= $(PROFILE)
-#BASECFLAGS+= -I$(XEN_ROOT)/tools
-BASECFLAGS+= $(CFLAGS_libxenctrl)
-BASECFLAGS+= -I$(LIBFLASK_ROOT)/include
-BASECFLAGS+= -I.
-
-CFLAGS += $(BASECFLAGS)
-LDFLAGS += $(PROFILE) -L$(XEN_LIBXC) -L$(LIBFLASK_ROOT)
-TESTDIR = testsuite/tmp
-TESTFLAGS= -DTESTING
-TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)
-
-CLIENTS := flask-loadpolicy
-CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
-CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))
-
-.PHONY: all
-all: $(CLIENTS)
-
-$(CLIENTS): flask-%: %.o
- $(CC) $(CFLAGS) $(LDFLAGS) $< $(LOADLIBES) $(LDLIBS) -L. -lflask
$(LDFLAGS_libxenctrl) -o $@
-
-$(CLIENTS_OBJS): $(CLIENTS_SRCS)
- $(COMPILE.c) -o $@ $<
-
-.PHONY: clean
-clean:
- rm -f *.o *.opic *.so
- rm -f $(CLIENTS)
- $(RM) $(DEPS)
-
-.PHONY: print-dir
-print-dir:
- @echo -n tools/flask/loadpolicy:
-
-.PHONY: print-end
-print-end:
- @echo
-
-.PHONY: install
-install: all
- $(INSTALL_DIR) $(DESTDIR)$(SBINDIR)
- $(INSTALL_PROG) $(CLIENTS) $(DESTDIR)$(SBINDIR)
-
--include $(DEPS)
-
-# never delete any intermediate files.
-.SECONDARY:
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/loadpolicy/loadpolicy.c
--- a/tools/flask/loadpolicy/loadpolicy.c Fri Oct 23 10:04:03 2009 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,129 +0,0 @@
-/*
- *
- * Authors: Michael LeMay, <mdlemay@xxxxxxxxxxxxxx>
- * George Coker, <gscoker@xxxxxxxxxxxxxx>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2,
- * as published by the Free Software Foundation.
- */
-
-#include <stdlib.h>
-#include <errno.h>
-#include <stdio.h>
-#include <xenctrl.h>
-#include <fcntl.h>
-#include <sys/mman.h>
-#include <sys/stat.h>
-#include <string.h>
-#include <unistd.h>
-#include <flask.h>
-
-#define USE_MMAP
-
-static void usage (int argCnt, const char *args[])
-{
- fprintf(stderr, "Usage: %s <policy.file>\n", args[0]);
- exit(1);
-}
-
-int main (int argCnt, const char *args[])
-{
- const char *polFName;
- int polFd = 0;
- void *polMem = NULL;
- void *polMemCp = NULL;
- struct stat info;
- int ret;
- int xch = 0;
-
- if (argCnt != 2)
- usage(argCnt, args);
-
- polFName = args[1];
- polFd = open(polFName, O_RDONLY);
- if ( polFd < 0 )
- {
- fprintf(stderr, "Error occurred opening policy file '%s': %s\n",
- polFName, strerror(errno));
- ret = -1;
- goto cleanup;
- }
-
- ret = stat(polFName, &info);
- if ( ret < 0 )
- {
- fprintf(stderr, "Error occurred retrieving information about"
- "policy file '%s': %s\n", polFName, strerror(errno));
- goto cleanup;
- }
-
- polMemCp = malloc(info.st_size);
-
-#ifdef USE_MMAP
- polMem = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, polFd, 0);
- if ( !polMem )
- {
- fprintf(stderr, "Error occurred mapping policy file in memory: %s\n",
- strerror(errno));
- ret = -1;
- goto cleanup;
- }
-
- xch = xc_interface_open();
- if ( xch < 0 )
- {
- fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
- strerror(errno));
- ret = -1;
- goto cleanup;
- }
-
- memcpy(polMemCp, polMem, info.st_size);
-#else
- ret = read(polFd, polMemCp, info.st_size);
- if ( ret < 0 )
- {
- fprintf(stderr, "Unable to read new Flask policy file: %s\n",
- strerror(errno));
- goto cleanup;
- }
- else
- {
- printf("Read %d bytes from policy file '%s'.\n", ret, polFName);
- }
-#endif
-
- ret = flask_load(xch, polMemCp, info.st_size);
- if ( ret < 0 )
- {
- errno = -ret;
- fprintf(stderr, "Unable to load new Flask policy: %s\n",
- strerror(errno));
- ret = -1;
- goto cleanup;
- }
- else
- {
- printf("Successfully loaded policy.\n");
- }
-
-done:
- if ( polMemCp )
- free(polMemCp);
- if ( polMem )
- {
- ret = munmap(polMem, info.st_size);
- if ( ret < 0 )
- fprintf(stderr, "Unable to unmap policy memory: %s\n",
strerror(errno));
- }
- if ( polFd )
- close(polFd);
- if ( xch )
- xc_interface_close(xch);
-
- return ret;
-
-cleanup:
- goto done;
-}
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/utils/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/utils/Makefile Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,54 @@
+XEN_ROOT=../../..
+include $(XEN_ROOT)/tools/Rules.mk
+XEN_LIBXC = $(XEN_ROOT)/tools/libxc
+
+LIBXC_ROOT = $(XEN_ROOT)/tools/libxc
+LIBFLASK_ROOT = $(XEN_ROOT)/tools/flask/libflask
+
+PROFILE=#-pg
+BASECFLAGS=-Wall -g -Werror
+BASECFLAGS+= $(PROFILE)
+#BASECFLAGS+= -I$(XEN_ROOT)/tools
+BASECFLAGS+= $(CFLAGS_libxenctrl)
+BASECFLAGS+= -I$(LIBFLASK_ROOT)/include
+BASECFLAGS+= -I.
+
+CFLAGS += $(BASECFLAGS)
+LDFLAGS += $(PROFILE) -L$(XEN_LIBXC) -L$(LIBFLASK_ROOT)
+TESTDIR = testsuite/tmp
+TESTFLAGS= -DTESTING
+TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)
+
+CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce
+CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
+CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))
+
+.PHONY: all
+all: $(CLIENTS)
+
+$(CLIENTS): flask-%: %.o
+ $(CC) $(CFLAGS) $(LDFLAGS) $< $(LOADLIBES) $(LDLIBS) -L. -lflask
$(LDFLAGS_libxenctrl) -o $@
+
+.PHONY: clean
+clean:
+ rm -f *.o *.opic *.so
+ rm -f $(CLIENTS)
+ $(RM) $(DEPS)
+
+.PHONY: print-dir
+print-dir:
+ @echo -n tools/flask/utils:
+
+.PHONY: print-end
+print-end:
+ @echo
+
+.PHONY: install
+install: all
+ $(INSTALL_DIR) $(DESTDIR)$(SBINDIR)
+ $(INSTALL_PROG) $(CLIENTS) $(DESTDIR)$(SBINDIR)
+
+-include $(DEPS)
+
+# never delete any intermediate files.
+.SECONDARY:
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/utils/getenforce.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/utils/getenforce.c Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,66 @@
+/*
+ *
+ * Author: Machon Gregory, <mbgrego@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ int ret;
+ int xch = 0;
+
+ if (argCnt != 1)
+ usage(argCnt, args);
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ ret = flask_getenforce(xch);
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to get enforcing mode: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+ else
+ {
+ if(ret)
+ printf("Enforcing\n");
+ else
+ printf("Permissive\n");
+ }
+
+done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+}
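Review bot: main returns `ret` as the process exit status, but on success `ret` holds the mode returned by flask_getenforce, so `flask-getenforce` exits with status 1 whenever the hypervisor is in Enforcing mode and any script that checks the exit code will read that as a failure. After printing the mode set `ret = 0;` so only the error path yields a non-zero status, and consider `return ret < 0 ? EXIT_FAILURE : EXIT_SUCCESS;` so the `-1` error value does not surface as exit code 255. The `<fcntl.h>`, `<sys/mman.h>` and `<sys/stat.h>` includes look carried over from loadpolicy.c and are unused here.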
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/utils/loadpolicy.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/utils/loadpolicy.c Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,129 @@
+/*
+ *
+ * Authors: Michael LeMay, <mdlemay@xxxxxxxxxxxxxx>
+ * George Coker, <gscoker@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+#define USE_MMAP
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s <policy.file>\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ const char *polFName;
+ int polFd = 0;
+ void *polMem = NULL;
+ void *polMemCp = NULL;
+ struct stat info;
+ int ret;
+ int xch = 0;
+
+ if (argCnt != 2)
+ usage(argCnt, args);
+
+ polFName = args[1];
+ polFd = open(polFName, O_RDONLY);
+ if ( polFd < 0 )
+ {
+ fprintf(stderr, "Error occurred opening policy file '%s': %s\n",
+ polFName, strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+
+ ret = stat(polFName, &info);
+ if ( ret < 0 )
+ {
+ fprintf(stderr, "Error occurred retrieving information about"
+ "policy file '%s': %s\n", polFName, strerror(errno));
+ goto cleanup;
+ }
+
+ polMemCp = malloc(info.st_size);
+
+#ifdef USE_MMAP
+ polMem = mmap(NULL, info.st_size, PROT_READ, MAP_SHARED, polFd, 0);
+ if ( !polMem )
+ {
+ fprintf(stderr, "Error occurred mapping policy file in memory: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+
+ memcpy(polMemCp, polMem, info.st_size);
+#else
+ ret = read(polFd, polMemCp, info.st_size);
+ if ( ret < 0 )
+ {
+ fprintf(stderr, "Unable to read new Flask policy file: %s\n",
+ strerror(errno));
+ goto cleanup;
+ }
+ else
+ {
+ printf("Read %d bytes from policy file '%s'.\n", ret, polFName);
+ }
+#endif
+
+ ret = flask_load(xch, polMemCp, info.st_size);
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to load new Flask policy: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto cleanup;
+ }
+ else
+ {
+ printf("Successfully loaded policy.\n");
+ }
+
+done:
+ if ( polMemCp )
+ free(polMemCp);
+ if ( polMem )
+ {
+ ret = munmap(polMem, info.st_size);
+ if ( ret < 0 )
+ fprintf(stderr, "Unable to unmap policy memory: %s\n",
strerror(errno));
+ }
+ if ( polFd )
+ close(polFd);
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+
+cleanup:
+ goto done;
+}
diff -r ecc649ec3675 -r 1e5c3059d23b tools/flask/utils/setenforce.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/flask/utils/setenforce.c Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,73 @@
+/*
+ *
+ * Authors: Machon Gregory, <mbgrego@xxxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <flask.h>
+
+static void usage (int argCnt, const char *args[])
+{
+ fprintf(stderr, "Usage: %s [ (Enforcing|1) | (Permissive|0) ]\n", args[0]);
+ exit(1);
+}
+
+int main (int argCnt, const char *args[])
+{
+ int ret = 0;
+ int xch = 0;
+ long mode = 0;
+ char *end;
+
+ if (argCnt != 2)
+ usage(argCnt, args);
+
+ xch = xc_interface_open();
+ if ( xch < 0 )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+ if( strlen(args[1]) == 1 && (args[1][0] == '0' || args[1][0] == '1')){
+ mode = strtol(args[1], &end, 10);
+ ret = flask_setenforce(xch, mode);
+ } else {
+ if( strcasecmp(args[1], "enforcing") == 0 ){
+ ret = flask_setenforce(xch, 1);
+ } else if( strcasecmp(args[1], "permissive") == 0 ){
+ ret = flask_setenforce(xch, 0);
+ } else {
+ usage(argCnt, args);
+ }
+ }
+
+ if ( ret < 0 )
+ {
+ errno = -ret;
+ fprintf(stderr, "Unable to get enforcing mode: %s\n",
+ strerror(errno));
+ ret = -1;
+ goto done;
+ }
+
+done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return ret;
+}
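Review bot: The error message in the `ret < 0` branch reads `"Unable to get enforcing mode: %s\n"` but this program sets the mode; change it to `"Unable to set enforcing mode: %s\n"` so a failure to change enforcement is not misreported as a read failure. Argument validation also happens after xc_interface_open, so an invalid argument calls usage() and exits with the xenctrl handle still open; moving the mode parsing before the open keeps all argument errors on one path and avoids touching the privileged interface for a usage error. strcasecmp is declared in `<strings.h>` under POSIX, which this file does not include, and `end` from strtol is written but never examined — the single-character check already guarantees a digit, so `mode = args[1][0] - '0';` would remove strtol and `end` entirely. Whether flask_setenforce can return a positive non-zero value is not visible here; the Python binding in this patch checks `ret != 0` while this tool checks `ret < 0`, so one convention should be picked.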
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/lowlevel/flask/flask.c
--- a/tools/python/xen/lowlevel/flask/flask.c Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/python/xen/lowlevel/flask/flask.c Fri Oct 23 10:05:15 2009 +0100
@@ -136,6 +136,60 @@ static PyObject *pyflask_load(PyObject *
return Py_BuildValue("i", ret);
}
+static PyObject *pyflask_getenforce(PyObject *self)
+{
+ int xc_handle;
+ int ret;
+
+ xc_handle = xc_interface_open();
+ if (xc_handle < 0) {
+ errno = xc_handle;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = flask_getenforce(xc_handle);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret < 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
+
+static PyObject *pyflask_setenforce(PyObject *self, PyObject *args,
+ PyObject *kwds)
+{
+ int xc_handle;
+ int mode;
+ int ret;
+
+ static char *kwd_list[] = { "mode", NULL };
+
+ if ( !PyArg_ParseTupleAndKeywords(args, kwds, "i", kwd_list,
+ &mode) )
+ return NULL;
+
+ xc_handle = xc_interface_open();
+ if (xc_handle < 0) {
+ errno = xc_handle;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ ret = flask_setenforce(xc_handle, mode);
+
+ xc_interface_close(xc_handle);
+
+ if ( ret != 0 ) {
+ errno = -ret;
+ return PyErr_SetFromErrno(xc_error_obj);
+ }
+
+ return Py_BuildValue("i", ret);
+}
+
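Review bot: Both new wrappers do `errno = xc_handle;` when xc_interface_open fails, which stores a negative handle into errno and then reports it through PyErr_SetFromErrno, producing an "Unknown error" style message and discarding whatever errno the failed open itself set. If xc_interface_open sets errno on failure, as libxc's open path generally does, the assignment should be dropped so `return PyErr_SetFromErrno(xc_error_obj);` reports the real cause; this may mirror pyflask_load above, which is outside the hunk, in which case both should change together. pyflask_getenforce is declared with a single `PyObject *self` parameter but is cast to PyCFunction, whose type takes two; declaring it `(PyObject *self, PyObject *args)` matches the type it is called through and costs nothing.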
static PyMethodDef pyflask_methods[] = {
{ "flask_context_to_sid",
(PyCFunction)pyflask_context_to_sid,
@@ -158,6 +212,18 @@ static PyMethodDef pyflask_methods[] = {
" policy [str]: policy to be load\n"
"Returns: [int]: 0 on success; -1 on failure.\n" },
+ { "flask_getenforce",
+ (PyCFunction)pyflask_getenforce,
+ METH_NOARGS, "\n"
+ "Returns the current mode of the Flask XSM module.\n"
+ "Returns: [int]: 0 for permissive; 1 for enforcing; -1 on failure.\n" },
+
+ { "flask_setenforce",
+ (PyCFunction)pyflask_setenforce,
+ METH_KEYWORDS, "\n"
+ "Modifies the current mode for the Flask XSM module.\n"
+ " mode [int]: mode to change to\n"
+ "Returns: [int]: 0 on success; -1 on failure.\n" },
{ NULL, NULL, 0, NULL }
};
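Review bot: The `flask_setenforce` method entry uses `METH_KEYWORDS` alone as its flags; pyflask_setenforce is written as a PyCFunctionWithKeywords and parses with PyArg_ParseTupleAndKeywords, so the conventional value is `METH_VARARGS | METH_KEYWORDS` — CPython 2 tolerates bare METH_KEYWORDS, but CPython 3 rejects it as bad call flags. The docstrings also promise `-1 on failure` for both functions while the code raises an exception instead of returning -1; `Raises xc_error on failure.` would describe the actual behaviour.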
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/util/xsm/flask/flask.py
--- a/tools/python/xen/util/xsm/flask/flask.py Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/python/xen/util/xsm/flask/flask.py Fri Oct 23 10:05:15 2009 +0100
@@ -7,9 +7,10 @@ from xen.xend import sxp
#Functions exported through XML-RPC
xmlrpc_exports = [
'on',
- 'set_policy'
+ 'set_policy',
+ 'getenforce',
+ 'setenforce'
]
-
def err(msg):
"""Raise XSM-Flask exception.
@@ -56,3 +57,9 @@ def set_policy(xs_type, policy_b64, flag
def set_policy(xs_type, policy_b64, flags=None, overwrite=None):
policy = base64.b64decode(policy_b64);
return flask.flask_load(policy), ""
+
+def getenforce():
+ return flask.flask_getenforce()
+
+def setenforce(mode):
+ return flask.flask_setenforce(mode)
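Review bot: setenforce(mode) is exported over XML-RPC via the xmlrpc_exports edit earlier in this file and forwards `mode` to the extension module without checking that it is 0 or 1, so the only validation is in the xm client and whatever the hypervisor does with other values; a server-side check such as `if mode not in (0, 1): err("Unsupported mode")`, using the `err` helper this file already defines, keeps the xend boundary authoritative. The new functions also return a bare value where the neighbouring set_policy returns a `(ret, "")` pair — if the XML-RPC dispatcher expects a uniform shape this is worth aligning. A one-line docstring on each, e.g. `"""Return the Flask enforcing mode: 0 permissive, 1 enforcing."""`, would match the module's style.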
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/xend/XendXSPolicy.py
--- a/tools/python/xen/xend/XendXSPolicy.py Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/python/xen/xend/XendXSPolicy.py Fri Oct 23 10:05:15 2009 +0100
@@ -49,7 +49,9 @@ class XendXSPolicy(XendBase):
'get_resource_label',
'set_resource_label',
'get_labeled_resources',
- 'can_run' ]
+ 'can_run',
+ 'getenforce',
+ 'setenforce']
return XendBase.getFuncs() + funcs
getClass = classmethod(getClass)
@@ -205,6 +207,12 @@ class XendXSPolicy(XendBase):
raise SecurityError(irc)
return security.check_can_run(sec_label)
+ def getenforce(self):
+ return security.getenforce()
+
+ def setenforce(self, mode):
+ return security.setenforce(mode)
+
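Review bot: getenforce and setenforce are added without docstrings and delegate straight to `security.getenforce()` / `security.setenforce(mode)`, whereas the tail of can_run visible just above raises SecurityError before delegating; whether a policy-type guard belongs here or inside `security` is not visible in the hunk, so it should be confirmed that calling these through the Xen API while an ACM or dummy policy is active yields a clean SecurityError rather than an AttributeError. A short docstring such as `"""Return the Flask enforcing mode (0 permissive, 1 enforcing)."""` on each would match the rest of the class.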
get_xstype = classmethod(get_xstype)
get_xspolicy = classmethod(get_xspolicy)
set_xspolicy = classmethod(set_xspolicy)
@@ -214,6 +222,8 @@ class XendXSPolicy(XendBase):
get_resource_label = classmethod(get_resource_label)
get_labeled_resources = classmethod(get_labeled_resources)
can_run = classmethod(can_run)
+ getenforce = classmethod(getenforce)
+ setenforce = classmethod(setenforce)
class XendACMPolicy(XendXSPolicy):
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/xm/getenforce.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/python/xen/xm/getenforce.py Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,66 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#============================================================================
+# Author: Machon Gregory <mbgrego@xxxxxxxxxxxxxx>
+#============================================================================
+
+"""Get the current mode of the Flask XSM module.
+"""
+
+from xen.xm.opts import OptionError
+from xen.xm import main as xm_main
+from xen.xm.main import server
+from xen.util import xsconstants
+
+def help():
+ return """
+ Usage: xm getenforce
+
+ Returns the current mode (Permissive, Enforcing) of the
+ Flask XSM module."""
+
+def getenforce():
+ if xm_main.serverType == xm_main.SERVER_XEN_API:
+ if xsconstants.XS_POLICY_FLASK != \
+ int(server.xenapi.XSPolicy.get_xstype()):
+ raise OptionError("Unsupported policy type")
+ mode = int(server.xenapi.XSPolicy.getenforce())
+ else:
+ if server.xend.security.on() != xsconstants.XS_POLICY_FLASK:
+ raise OptionError("Unsupported policy type")
+ mode = server.xend.security.getenforce()
+
+ if mode == 0:
+ print "Permissive"
+ elif mode == 1:
+ print "Enforcing"
+
+def main(argv):
+ if "-?" in argv:
+ help()
+ return
+
+ if len(argv) != 1:
+ raise OptionError("No arguments expected.")
+
+ getenforce()
+
+if __name__ == '__main__':
+ try:
+ main(sys.argv)
+ except Exception, e:
+ sys.stderr.write('Error: %s\n' % str(e))
+ sys.exit(-1)
+
+
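Review bot: In main the `-?` branch calls `help()` and discards the returned string, so `xm getenforce -?` prints nothing; it should be `print help()`. The `__main__` block uses `sys.stderr` and `sys.exit` but the module never imports sys, so running the file directly raises NameError inside the except handler; add `import sys` to the imports. getenforce() prints nothing when the returned mode is neither 0 nor 1, so an unexpected value from the server is silently swallowed; an `else: raise OptionError("Unexpected enforcing mode %s" % mode)` keeps that visible. The same discarded `help()` result and missing `import sys` are in setenforce.py in this patch.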
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/xm/main.py
--- a/tools/python/xen/xm/main.py Fri Oct 23 10:04:03 2009 +0100
+++ b/tools/python/xen/xm/main.py Fri Oct 23 10:05:15 2009 +0100
@@ -225,8 +225,7 @@ SUBCOMMAND_HELP = {
# security
- 'addlabel' : ('<label> {dom <ConfigFile>|res <resource>|mgt <managed
domain>}\n'
- ' [<policy>]',
+ 'addlabel' : ('<label> {dom <ConfigFile>|res <resource>|mgt <managed
domain>} [<policy>]',
'Add security label to domain.'),
'rmlabel' : ('{dom <ConfigFile>|res <Resource>|mgt<managed
domain>}',
'Remove a security label from domain.'),
@@ -244,6 +243,9 @@ SUBCOMMAND_HELP = {
'labels' : ('[policy] [type=dom|res|any]',
'List <type> labels for (active) policy.'),
'serve' : ('', 'Proxy Xend XMLRPC over stdio.'),
+ 'getenforce' : ('', 'Returns the current enforcing mode for the Flask
XSM module (Enforcing,Permissive)'),
+ 'setenforce' : ('[ (Enforcing|1) | (Permissive|0) ]',
+ 'Modifies the current enforcing mode for the Flask XSM
module'),
}
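Review bot: The setenforce usage string `'[ (Enforcing|1) | (Permissive|0) ]'` wraps a mandatory argument in square brackets, which elsewhere in this help table denote optional arguments (compare `'[policy] [type=dom|res|any]'` just above), so the summary reads as though the mode may be omitted when setenforce.py rejects a missing argument. `'{Enforcing|Permissive|1|0}'` would match the table's convention; the same bracketed form appears in the usage() text of tools/flask/utils/setenforce.c in this patch.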
SUBCOMMAND_OPTIONS = {
@@ -435,6 +437,10 @@ vnet_commands = [
"vnet-delete",
]
+security_commands = [
+ "setpolicy",
+ ]
+
acm_commands = [
"labels",
"addlabel",
@@ -443,9 +449,13 @@ acm_commands = [
"dry-run",
"resources",
"dumppolicy",
- "setpolicy",
"resetpolicy",
"getpolicy",
+ ]
+
+flask_commands = [
+ "getenforce",
+ "setenforce",
]
tmem_commands = [
@@ -458,8 +468,9 @@ tmem_commands = [
]
all_commands = (domain_commands + host_commands + scheduler_commands +
- device_commands + vnet_commands + acm_commands +
- tmem_commands + ['shell', 'event-monitor'])
+ device_commands + vnet_commands + security_commands +
+ acm_commands + flask_commands + tmem_commands +
+ ['shell', 'event-monitor'])
##
@@ -3347,6 +3358,8 @@ IMPORTED_COMMANDS = [
'getpolicy',
'setpolicy',
'resetpolicy',
+ 'getenforce',
+ 'setenforce',
]
for c in IMPORTED_COMMANDS:
diff -r ecc649ec3675 -r 1e5c3059d23b tools/python/xen/xm/setenforce.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/tools/python/xen/xm/setenforce.py Fri Oct 23 10:05:15 2009 +0100
@@ -0,0 +1,74 @@
+#============================================================================
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#============================================================================
+# Author: Machon Gregory <mbgrego@xxxxxxxxxxxxxx>
+#============================================================================
+
+"""Modify the current mode of the Flask XSM module.
+"""
+
+from xen.xm.opts import OptionError
+from xen.xm import main as xm_main
+from xen.xm.main import server
+from xen.util import xsconstants
+
+def help():
+ return """
+ Usage: xm setenforce [ Enforcing | Permissive | 1 | 0 ]
+
+ Modifies the current mode of the Flask XSM module to be permissive or
+ enforcing. Using Enforcing or 1 will put the Flask module in enforcing
+ mode. Using Permissive or 0 will put the Flask module in permissive
+ mode."""
+
+def setenforce(mode):
+ if len(mode) == 1 and ( mode == "0" or mode == "1" ):
+ val = int(mode)
+ elif mode.lower() == "enforcing":
+ val = 1
+ elif mode.lower() == "permissive":
+ val = 0
+ else:
+ raise OptionError("%s is an unsupported mode" % mode)
+
+ if xm_main.serverType == xm_main.SERVER_XEN_API:
+ if xsconstants.XS_POLICY_FLASK != \
+ int(server.xenapi.XSPolicy.get_xstype()):
+ raise OptionError("Unsupported policy type")
+ ret = server.xenapi.XSPolicy.setenforce(val)
+ else:
+ if server.xend.security.on() != xsconstants.XS_POLICY_FLASK:
+ raise OptionError("Unsupported policy type")
+ ret = server.xend.security.setenforce(val)
+
+def main(argv):
+ if len(argv) != 2:
+ raise OptionError("Invalid arguments")
+
+ if "-?" in argv:
+ help()
+ return
+
+ mode = argv[1];
+
+ setenforce(mode)
+
+if __name__ == '__main__':
+ try:
+ main(sys.argv)
+ except Exception, e:
+ sys.stderr.write('Error: %s\n' % str(e))
+ sys.exit(-1)
+
+
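Review bot: In setenforce() the value returned by `server.xenapi.XSPolicy.setenforce(val)` / `server.xend.security.setenforce(val)` is stored in `ret` and then never examined, so if the server reports failure through its return value rather than an exception the command exits successfully without having changed the mode; either check it (`if ret: raise OptionError("setenforce failed: %s" % ret)`) or drop the assignment if the return is known to be meaningless. The stray semicolon in `mode = argv[1];` should go. The discarded `help()` result in main and the missing `import sys` are the same defects noted on getenforce.py in this patch.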