|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH 4/8] flask: add flask-{get,set}-bool tools
These utilities can be used to modify policy booleans, which allow
minor policy changes without reloading the security policy. This can be
used to make security policy change based on external information such
as time of day, user physical presence, completion of system boot, or
other relevant variables.
Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
---
tools/flask/utils/Makefile | 8 +++-
tools/flask/utils/get-bool.c | 90 ++++++++++++++++++++++++++++++++++++++++++
tools/flask/utils/set-bool.c | 72 +++++++++++++++++++++++++++++++++
3 files changed, 169 insertions(+), 1 deletions(-)
create mode 100644 tools/flask/utils/get-bool.c
create mode 100644 tools/flask/utils/set-bool.c
diff --git a/tools/flask/utils/Makefile b/tools/flask/utils/Makefile
index 171a728..3ac6ac2 100644
--- a/tools/flask/utils/Makefile
+++ b/tools/flask/utils/Makefile
@@ -11,7 +11,7 @@ TESTDIR = testsuite/tmp
TESTFLAGS= -DTESTING
TESTENV = XENSTORED_ROOTDIR=$(TESTDIR) XENSTORED_RUNDIR=$(TESTDIR)
-CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce flask-label-pci
+CLIENTS := flask-loadpolicy flask-setenforce flask-getenforce flask-label-pci
flask-get-bool flask-set-bool
CLIENTS_SRCS := $(patsubst flask-%,%.c,$(CLIENTS))
CLIENTS_OBJS := $(patsubst flask-%,%.o,$(CLIENTS))
@@ -30,6 +30,12 @@ flask-getenforce: getenforce.o
flask-label-pci: label-pci.o
$(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask
$(LDLIBS_libxenctrl) -o $@
+flask-get-bool: get-bool.o
+ $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask
$(LDLIBS_libxenctrl) -o $@
+
+flask-set-bool: set-bool.o
+ $(CC) $(LDFLAGS) $< $(LDLIBS) -L$(LIBFLASK_ROOT) -lflask
$(LDLIBS_libxenctrl) -o $@
+
.PHONY: clean
clean:
rm -f *.o *.opic *.so
diff --git a/tools/flask/utils/get-bool.c b/tools/flask/utils/get-bool.c
new file mode 100644
index 0000000..c0cd7c8
--- /dev/null
+++ b/tools/flask/utils/get-bool.c
@@ -0,0 +1,90 @@
+/*
+ * Author: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <inttypes.h>
+#include <libflask.h>
+
+static void usage(char **argv)
+{
+ fprintf(stderr, "Usage: %s {name|-a}\n", argv[0]);
+ exit(1);
+}
+
+static int all_bools(xc_interface *xch)
+{
+ int err = 0, i = 0, curr, pend;
+ char name[256];
+ while (1) {
+ err = flask_getbool_byid(xch, i, name, &curr, &pend);
+ if (err < 0) {
+ if (errno == ENOENT)
+ return 0;
+ fprintf(stderr, "flask_getbool: Unable to get boolean
#%d: %s (%d)",
+ i, strerror(errno), err);
+ return 2;
+ }
+ if (curr == pend)
+ printf("%s: %d\n", name, curr);
+ else
+ printf("%s: %d (pending %d)\n", name, curr, pend);
+ i++;
+ }
+}
+
+int main(int argc, char **argv)
+{
+ int err = 0;
+ xc_interface *xch;
+ int curr, pend;
+
+ if (argc != 2)
+ usage(argv);
+
+ xch = xc_interface_open(0,0,0);
+ if ( !xch )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ err = 1;
+ goto done;
+ }
+
+ if (!strcmp(argv[1], "-a"))
+ {
+ err = all_bools(xch);
+ goto done;
+ }
+
+ err = flask_getbool_byname(xch, argv[1], &curr, &pend);
+ if (err) {
+ fprintf(stderr, "flask_getbool: Unable to get boolean %s: %s
(%d)",
+ argv[1], strerror(errno), err);
+ err = 2;
+ goto done;
+ }
+
+ if (curr == pend)
+ printf("%s: %d\n", argv[1], curr);
+ else
+ printf("%s: %d (pending %d)\n", argv[1], curr, pend);
+
+ done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return err;
+}
diff --git a/tools/flask/utils/set-bool.c b/tools/flask/utils/set-bool.c
new file mode 100644
index 0000000..cde25cd
--- /dev/null
+++ b/tools/flask/utils/set-bool.c
@@ -0,0 +1,72 @@
+/*
+ * Author: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <xenctrl.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <inttypes.h>
+#include <libflask.h>
+
+static void usage(char **argv)
+{
+ fprintf(stderr, "Usage: %s name value\n", argv[0]);
+ exit(1);
+}
+
+static int str2bool(const char *str)
+{
+ if (str[0] == '0' || str[0] == '1')
+ return (str[0] == '1');
+ if (!strcasecmp(str, "enabled") || !strcasecmp(str, "on") ||
!strcasecmp(str, "y"))
+ return 1;
+ if (!strcasecmp(str, "disabled") || !strcasecmp(str, "off") ||
!strcasecmp(str, "n"))
+ return 0;
+ fprintf(stderr, "Unknown value %s\n", str);
+ exit(1);
+}
+
+int main(int argc, char **argv)
+{
+ int err = 0;
+ xc_interface *xch;
+ int value;
+
+ if (argc != 3)
+ usage(argv);
+
+ value = str2bool(argv[2]);
+
+ xch = xc_interface_open(0,0,0);
+ if ( !xch )
+ {
+ fprintf(stderr, "Unable to create interface to xenctrl: %s\n",
+ strerror(errno));
+ err = 1;
+ goto done;
+ }
+
+ err = flask_setbool(xch, argv[1], value, 1);
+ if (err) {
+ fprintf(stderr, "flask_setbool: Unable to set boolean %s=%s: %s
(%d)",
+ argv[1], argv[2], strerror(errno), err);
+ err = 2;
+ goto done;
+ }
+
+ done:
+ if ( xch )
+ xc_interface_close(xch);
+
+ return err;
+}
--
1.7.7.6
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |