imv_policy_manager: Added capability to execute an allow or block shell command string
index 9f7e4e8f49e2d7b6e6ae1f7a6357ed78afbe942b..b730f8c412c70cfa7e844ae7a0c11c6e4636a6e9 100644 (file)
@@ -255,7 +255,8 @@ static bool policy_stop(database_t *db, int session_id)
        enumerator_t *e;
        int rec, policy, final_rec, id_type;
        chunk_t id_value;
-       char *result, *ip_address = NULL;
+       char *result, *format, *ip_address = NULL;
+       char command[512];
        bool success = TRUE;
 
        /* store all workitem results for this session in the results table */
@@ -334,6 +335,25 @@ static bool policy_stop(database_t *db, int session_id)
        fprintf(stderr, "recommendation for access requestor %s is %N\n",
                        ip_address ? ip_address : "0.0.0.0",
                        TNC_IMV_Action_Recommendation_names, final_rec);
+
+       if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+       {
+               format = lib->settings->get_str(lib->settings,
+                                               "imv_policy_manager.command_allow", NULL);
+       }
+       else
+       {
+               format = lib->settings->get_str(lib->settings,
+                                               "imv_policy_manager.command_block", NULL);
+       }
+       if (format && ip_address)
+       {
+               /* the IP address can occur at most twice in the command string */
+               snprintf(command, sizeof(command), format, ip_address, ip_address);
+               success = system(command) == 0;
+               fprintf(stderr, "%s system command: %s\n",
+                           success ? "successful" : "failed", command);
+       }
        free(ip_address);
 
        return success;
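Review bot: `ip_address` is expanded unquoted into a shell command on the `snprintf`/`system` lines, and nothing in the hunk checks that the value (populated outside this hunk) is actually an IP literal, so whatever it contains reaches `/bin/sh` verbatim; the `snprintf` return is also not checked, so a command that overflows the 512-byte buffer would be executed truncated rather than rejected. Before formatting, accept the address only if `inet_pton()` parses it as IPv4 or IPv6 (needs `<arpa/inet.h>` if the file does not already include it), and set `success = FALSE` instead of running anything when the formatted length reaches `sizeof(command)`. The configured `command_allow`/`command_block` string is passed directly as a printf format, so it is admin-controlled but must hold at most two `%s` conversions and nothing else; the existing comment should say so, e.g. `/* format comes from strongswan.conf and is a printf format, not a template: %s at most twice, no other conversions */`. policy_stop begins before this hunk, so the declaration of `command` and `format` is in the earlier hunk.
```c
	if (format && ip_address)
	{
		struct in_addr v4;
		struct in6_addr v6;
		int len;

		/* ip_address is expanded unquoted into a shell command line:
		 * accept only a syntactically valid IPv4/IPv6 literal */
		if (inet_pton(AF_INET, ip_address, &v4) != 1 &&
			inet_pton(AF_INET6, ip_address, &v6) != 1)
		{
			fprintf(stderr, "refusing to run command for invalid address '%s'\n",
					ip_address);
			success = FALSE;
		}
		else
		{
			/* format comes from strongswan.conf and is a printf format:
			 * the IP address can occur at most twice in the command string */
			len = snprintf(command, sizeof(command), format, ip_address, ip_address);
			if (len < 0 || (size_t)len >= sizeof(command))
			{
				fprintf(stderr, "system command too long, not executed\n");
				success = FALSE;
			}
			else
			{
				success = system(command) == 0;
				fprintf(stderr, "%s system command: %s\n",
							success ? "successful" : "failed", command);
			}
		}
	}
	/* … unchanged: free(ip_address); return success; … */
```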