diff -r 75421c62b19f tools/libxl/Makefile --- a/tools/libxl/Makefile Tue May 31 16:37:16 2011 -0400 +++ b/tools/libxl/Makefile Tue May 31 16:52:10 2011 -0400 @@ -35,7 +35,7 @@ LIBXL_OBJS = flexarray.o libxl.o libxl_create.o libxl_dm.o libxl_pci.o \ libxl_dom.o libxl_exec.o libxl_xshelp.o libxl_device.o \ libxl_internal.o libxl_utils.o libxl_uuid.o $(LIBXL_OBJS-y) -LIBXL_OBJS += _libxl_types.o +LIBXL_OBJS += _libxl_types.o libxl_flask.o $(LIBXL_OBJS): CFLAGS += $(CFLAGS_libxenctrl) $(CFLAGS_libxenguest) $(CFLAGS_libxenstore) $(CFLAGS_libblktapctl) diff -r 75421c62b19f tools/libxl/libxl.c --- a/tools/libxl/libxl.c Tue May 31 16:37:16 2011 -0400 +++ b/tools/libxl/libxl.c Tue May 31 16:52:10 2011 -0400 @@ -342,6 +342,7 @@ { memcpy(&(xlinfo->uuid), xcinfo->handle, sizeof(xen_domain_handle_t)); xlinfo->domid = xcinfo->domain; + xlinfo->ssidref = xcinfo->ssidref; xlinfo->dying = !!(xcinfo->flags&XEN_DOMINF_dying); xlinfo->shutdown = !!(xcinfo->flags&XEN_DOMINF_shutdown); diff -r 75421c62b19f tools/libxl/libxl.h --- a/tools/libxl/libxl.h Tue May 31 16:37:16 2011 -0400 +++ b/tools/libxl/libxl.h Tue May 31 16:52:10 2011 -0400 @@ -499,6 +499,14 @@ return domid > 0 && domid < DOMID_FIRST_RESERVED; } +int libxl_flask_context_to_sid(libxl_ctx *ctx, char *buf, size_t len, + uint32_t *ssidref); +int libxl_flask_sid_to_context(libxl_ctx *ctx, uint32_t ssidref, char **buf, + size_t *len); +int libxl_flask_getenforce(libxl_ctx *ctx); +int libxl_flask_setenforce(libxl_ctx *ctx, int mode); +int libxl_flask_loadpolicy(libxl_ctx *ctx, void *policy, uint32_t size); + /* common paths */ const char *libxl_sbindir_path(void); const char *libxl_bindir_path(void); diff -r 75421c62b19f tools/libxl/libxl.idl --- a/tools/libxl/libxl.idl Tue May 31 16:37:16 2011 -0400 +++ b/tools/libxl/libxl.idl Tue May 31 16:52:10 2011 -0400 @@ -89,6 +89,7 @@ libxl_dominfo = Struct("dominfo",[ ("uuid", libxl_uuid), ("domid", libxl_domid), + ("ssidref", uint32), ("running", bool), ("blocked", bool), ("paused", bool), @@ -138,7 +139,7 @@ ("hvm", bool), ("hap", bool), ("oos", bool), - ("ssidref", integer), + ("ssidref", uint32), ("name", string), ("uuid", libxl_uuid), ("xsdata", libxl_key_value_list), diff -r 75421c62b19f tools/libxl/libxl_flask.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/tools/libxl/libxl_flask.c Tue May 31 16:52:10 2011 -0400 @@ -0,0 +1,71 @@ +/* + * + * Author: Machon Gregory, + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ + +#include +#include +#include +#include +#include + +#include "libxl.h" +#include "libxl_internal.h" + +int libxl_flask_context_to_sid(libxl_ctx *ctx, char *buf, size_t len, + uint32_t *ssidref) +{ + int rc; + + rc = xc_flask_context_to_sid(ctx->xch, buf, len, ssidref); + + return rc; +} + +int libxl_flask_sid_to_context(libxl_ctx *ctx, uint32_t ssidref, + char **buf, size_t *len) +{ + int rc; + char tmp[XC_PAGE_SIZE]; + + rc = xc_flask_sid_to_context(ctx->xch, ssidref, tmp, sizeof(tmp)); + + if (!rc) { + *len = strlen(tmp); + *buf = strdup(tmp); + } + + return rc; +} + +int libxl_flask_getenforce(libxl_ctx *ctx) +{ + int rc; + + rc = xc_flask_getenforce(ctx->xch); + + return rc; +} + +int libxl_flask_setenforce(libxl_ctx *ctx, int mode) +{ + int rc; + + rc = xc_flask_setenforce(ctx->xch, mode); + + return rc; +} + +int libxl_flask_loadpolicy(libxl_ctx *ctx, void *policy, uint32_t size) +{ + + int rc; + + rc = xc_flask_load(ctx->xch, policy, size); + + return rc; +} diff -r 75421c62b19f tools/libxl/xl.h --- a/tools/libxl/xl.h Tue May 31 16:37:16 2011 -0400 +++ b/tools/libxl/xl.h Tue May 31 16:52:10 2011 -0400 @@ -87,6 +87,9 @@ int main_cpupoolcpuremove(int argc, char **argv); int main_cpupoolmigrate(int argc, char **argv); int main_cpupoolnumasplit(int argc, char **argv); +int main_getenforce(int argc, char **argv); +int main_setenforce(int argc, char **argv); +int main_loadpolicy(int argc, char **argv); void help(const char *command); diff -r 75421c62b19f tools/libxl/xl_cmdimpl.c --- a/tools/libxl/xl_cmdimpl.c Tue May 31 16:37:16 2011 -0400 +++ b/tools/libxl/xl_cmdimpl.c Tue May 31 16:52:10 2011 -0400 @@ -644,6 +644,19 @@ libxl_init_create_info(c_info); + if (!xlu_cfg_get_string (config, "seclabel", &buf)) { + e = libxl_flask_context_to_sid(ctx, (char *)buf, strlen(buf), + &c_info->ssidref); + if (e) { + if (errno == ENOSYS) { + fprintf(stderr, "XSM Disabled: seclabel not supported\n"); + } else { + fprintf(stderr, "Invalid seclabel: %s\n", buf); + exit(1); + } + } + } + c_info->hvm = 0; if (!xlu_cfg_get_string (config, "builder", &buf) && !strncmp(buf, "hvm", strlen(buf))) @@ -2230,13 +2243,14 @@ } } -static void list_domains(int verbose, const libxl_dominfo *info, int nb_domain) +static void list_domains(int verbose, int context, const libxl_dominfo *info, int nb_domain) { int i; static const char shutdown_reason_letters[]= "-rscw"; printf("Name ID Mem VCPUs\tState\tTime(s)"); - if (verbose) printf(" UUID Reason-Code"); + if (verbose) printf(" UUID Reason-Code\tSecurity Label"); + if (context && !verbose) printf(" Security Label"); printf("\n"); for (i = 0; i < nb_domain; i++) { char *domname; @@ -2260,9 +2274,22 @@ free(domname); if (verbose) { printf(" " LIBXL_UUID_FMT, LIBXL_UUID_BYTES(info[i].uuid)); - if (info[i].shutdown) printf(" %8x", shutdown_reason); - else printf(" %8s", "-"); - } + if (info[i].shutdown) printf(" %8x", shutdown_reason); + else printf(" %8s", "-"); + } + if (verbose || context) { + int rc; + size_t size; + char *buf; + rc = libxl_flask_sid_to_context(ctx, info[i].ssidref, &buf, + &size); + if (rc < 0) + printf(" -"); + else { + printf(" %s", buf); + free(buf); + } + } putchar('\n'); } } @@ -2998,12 +3025,14 @@ int main_list(int argc, char **argv) { int opt, verbose = 0; + int context = 0; int details = 0; int option_index = 0; static struct option long_options[] = { {"long", 0, 0, 'l'}, {"help", 0, 0, 'h'}, {"verbose", 0, 0, 'v'}, + {"context", 0, 0, 'Z'}, {0, 0, 0, 0} }; @@ -3012,7 +3041,7 @@ int nb_domain, rc; while (1) { - opt = getopt_long(argc, argv, "lvh", long_options, &option_index); + opt = getopt_long(argc, argv, "lvhZ", long_options, &option_index); if (opt == -1) break; @@ -3026,6 +3055,9 @@ case 'v': verbose = 1; break; + case 'Z': + context = 1; + break; default: fprintf(stderr, "option `%c' not supported.\n", optopt); break; @@ -3061,7 +3093,7 @@ if (details) list_domains_details(info, nb_domain); else - list_domains(verbose, info, nb_domain); + list_domains(verbose, context, info, nb_domain); free(info_free); @@ -5246,3 +5278,122 @@ return ret; } + +int main_getenforce(int argc, char **argv) +{ + int ret; + + ret = libxl_flask_getenforce(ctx); + + if (ret < 0) { + if (errno == ENOSYS) + printf("Flask XSM Disabled\n"); + else + fprintf(stderr, "Failed to get enforcing mode\n"); + } + else if (ret == 1) + printf("Enforcing\n"); + else if (ret == 0) + printf("Permissive\n"); + + return ret; +} + +int main_setenforce(int argc, char **argv) +{ + int ret, mode = -1; + const char *p = NULL; + + if (optind >= argc) { + help("setenforce"); + return 2; + } + + p = argv[optind]; + + if (!strcmp(p, "0")) + mode = 0; + else if (!strcmp(p, "1")) + mode = 1; + else if (!strcasecmp(p, "permissive")) + mode = 0; + else if (!strcasecmp(p, "enforcing")) + mode = 1; + else { + help("setenforce"); + return 2; + } + + ret = libxl_flask_setenforce(ctx, mode); + + if (ret) { + if (errno == ENOSYS) { + fprintf(stderr, "Flask XSM disabled\n"); + } + else + fprintf(stderr, "error occured while setting enforcing mode (%i)\n", ret); + } + + return ret; +} + +int main_loadpolicy(int argc, char **argv) +{ + const char *polFName; + int polFd = 0; + void *polMemCp = NULL; + struct stat info; + int ret; + + if (optind >= argc) { + help("loadpolicy"); + return 2; + } + + polFName = argv[optind]; + polFd = open(polFName, O_RDONLY); + if ( polFd < 0 ) { + fprintf(stderr, "Error occurred opening policy file '%s': %s\n", + polFName, strerror(errno)); + ret = -1; + goto done; + } + + ret = stat(polFName, &info); + if ( ret < 0 ) { + fprintf(stderr, "Error occurred retrieving information about" + "policy file '%s': %s\n", polFName, strerror(errno)); + goto done; + } + + polMemCp = malloc(info.st_size); + + ret = read(polFd, polMemCp, info.st_size); + if ( ret < 0 ) { + fprintf(stderr, "Unable to read new Flask policy file: %s\n", + strerror(errno)); + goto done; + } + + ret = libxl_flask_loadpolicy(ctx, polMemCp, info.st_size); + + if (ret < 0) { + if (errno == ENOSYS) { + fprintf(stderr, "Flask XSM disabled\n"); + } else { + errno = -ret; + fprintf(stderr, "Unable to load new Flask policy: %s\n", + strerror(errno)); + ret = -1; + } + } else { + printf("Successfully loaded policy.\n"); + } + +done: + free(polMemCp); + if ( polFd > 0 ) + close(polFd); + + return ret; +} diff -r 75421c62b19f tools/libxl/xl_cmdtable.c --- a/tools/libxl/xl_cmdtable.c Tue May 31 16:37:16 2011 -0400 +++ b/tools/libxl/xl_cmdtable.c Tue May 31 16:52:10 2011 -0400 @@ -36,7 +36,8 @@ "List information about all/some domains", "[options] [Domain]\n", "-l, --long Output all VM details\n" - "-v, --verbose Prints out UUIDs", + "-v, --verbose Prints out UUIDs and security context\n" + "-Z, --context Prints out security context" }, { "destroy", &main_destroy, @@ -364,6 +365,21 @@ "Splits up the machine into one CPU pool per NUMA node", "", }, + { "getenforce", + &main_getenforce, + "Returns the current enforcing mode of the Flask Xen security module", + "", + }, + { "setenforce", + &main_setenforce, + "Sets the current enforcing mode of the Flask Xen security module", + "<1|0|Enforcing|Permissive>", + }, + { "loadpolicy", + &main_loadpolicy, + "Loads a new policy int the Flask Xen security module", + "", + }, }; int cmdtable_len = sizeof(cmd_table)/sizeof(struct cmd_spec);