From 7f540042d5f25f3b832fca6f4c3c13663a0d1f4a Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Fri, 6 Oct 2023 15:00:04 +0200
Subject: [PATCH] ipn/ipnlocal: use syspolicy to determine collection of posture data
Updates #5902
Signed-off-by: Kristoffer Dalby
---
 cmd/tailscaled/depaware.txt | 2 +-
 ipn/ipnlocal/c2n.go | 15 ++++++++++++---
 util/syspolicy/policy_keys.go | 4 ++++
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/cmd/tailscaled/depaware.txt b/cmd/tailscaled/depaware.txt
index 56036681c..029c05399 100644
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -356,7 +356,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de tailscale.com/util/set from tailscale.com/health+ tailscale.com/util/singleflight from tailscale.com/control/controlclient+ tailscale.com/util/slicesx from tailscale.com/net/dnscache+ - W tailscale.com/util/syspolicy from tailscale.com/cmd/tailscaled + tailscale.com/util/syspolicy from tailscale.com/cmd/tailscaled+ tailscale.com/util/sysresources from tailscale.com/wgengine/magicsock tailscale.com/util/systemd from tailscale.com/control/controlclient+ tailscale.com/util/testenv from tailscale.com/ipn/ipnlocal+
diff --git a/ipn/ipnlocal/c2n.go b/ipn/ipnlocal/c2n.go
index 23853169d..344a0938a 100644
--- a/ipn/ipnlocal/c2n.go
+++ b/ipn/ipnlocal/c2n.go
@@ -29,6 +29,7 @@ import (
 "tailscale.com/util/clientmetric"
 "tailscale.com/util/goroutines"
 "tailscale.com/util/httpm"
+ "tailscale.com/util/syspolicy"
 "tailscale.com/version"
 )
@@ -229,9 +230,17 @@ func (b *LocalBackend) handleC2NPostureIdentityGet(w http.ResponseWriter, r *htt
 res := tailcfg.C2NPostureIdentityResponse{}
- // TODO(kradalby): Use syspolicy + envknob to allow Win registry,
- // macOS defaults and env to override this setting.
- if b.Prefs().PostureChecking() {
+ // Only collect serial numbers if enabled on the client,
+ // this will first check syspolicy, MDM settings like Registry
+ // on Windows or defaults on macOS. If they are not set, it falls
+ // back to the cli-flag, `--posture-checking`.
+ enabled, err := syspolicy.GetBoolean(syspolicy.PostureChecking, b.Prefs().PostureChecking())
+ if err != nil {
+ enabled = b.Prefs().PostureChecking()
+ b.logf("c2n: failed to read PostureChecking from syspolicy, returning default from CLI: %s; got error: %s", enabled, err)
+ }
+
+ if enabled {
 sns, err := posture.GetSerialNumbers(b.logf)
 if err != nil {
 http.Error(w, err.Error(), http.StatusInternalServerError)
diff --git a/util/syspolicy/policy_keys.go b/util/syspolicy/policy_keys.go
index 08162ab9e..80b266730 100644
--- a/util/syspolicy/policy_keys.go
+++ b/util/syspolicy/policy_keys.go
@@ -32,4 +32,8 @@ const (
 // The default is 0 unless otherwise stated.
 LogSCMInteractions Key = "LogSCMInteractions"
 FlushDNSOnSessionUnlock Key = "FlushDNSOnSessionUnlock"
+
+ // Boolean key that indicates if posture checking is enabled and the client shall gather
+ // posture data.
+ PostureChecking Key = "PostureChecking"
 )
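Review bot: The log line in the new error branch formats the bool `enabled` with `%s`, which fmt renders as `%!s(bool=true)` and `go vet` will flag; use `%v` for both values: `b.logf("c2n: failed to read PostureChecking from syspolicy, returning default from CLI: %v; got error: %v", enabled, err)`. Separately, that branch silently replaces whatever the MDM/registry policy said with the user's CLI pref, so a policy that was set to disable serial-number collection but fails to read would still allow it; if `syspolicy.GetBoolean` returns an error for anything other than "not configured" (its contract is outside this hunk), consider failing closed with `enabled = false` and leaving the log line, since the point of the policy is to let the administrator override the user. handleC2NPostureIdentityGet's signature and the remainder of its body lie outside the hunk.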
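Review bot: The doc comment on the new exported key `PostureChecking` does not begin with the identifier, which is the Go doc-comment form godoc and the usual linters expect; write it as `// PostureChecking is a boolean key that reports whether posture checking is enabled and the client shall gather posture data.` The block's group comment says the default is 0 unless otherwise stated, and this key appears to be read with a caller-supplied default (the `--posture-checking` pref, per the c2n.go hunk in this patch), so one sentence noting that the effective default comes from the caller would save a reader a trip to the call site. The enclosing `const (` block opens before the hunk.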