ipn/ipnlocal: use syspolicy to determine collection of posture data

Updates #5902

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
pull/9729/head
Kristoffer Dalby 1 year ago committed by Kristoffer Dalby
parent d0b8bdf8f7
commit 7f540042d5

@ -356,7 +356,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
tailscale.com/util/set from tailscale.com/health+ tailscale.com/util/set from tailscale.com/health+
tailscale.com/util/singleflight from tailscale.com/control/controlclient+ tailscale.com/util/singleflight from tailscale.com/control/controlclient+
tailscale.com/util/slicesx from tailscale.com/net/dnscache+ tailscale.com/util/slicesx from tailscale.com/net/dnscache+
W tailscale.com/util/syspolicy from tailscale.com/cmd/tailscaled tailscale.com/util/syspolicy from tailscale.com/cmd/tailscaled+
tailscale.com/util/sysresources from tailscale.com/wgengine/magicsock tailscale.com/util/sysresources from tailscale.com/wgengine/magicsock
tailscale.com/util/systemd from tailscale.com/control/controlclient+ tailscale.com/util/systemd from tailscale.com/control/controlclient+
tailscale.com/util/testenv from tailscale.com/ipn/ipnlocal+ tailscale.com/util/testenv from tailscale.com/ipn/ipnlocal+

@ -29,6 +29,7 @@ import (
"tailscale.com/util/clientmetric" "tailscale.com/util/clientmetric"
"tailscale.com/util/goroutines" "tailscale.com/util/goroutines"
"tailscale.com/util/httpm" "tailscale.com/util/httpm"
"tailscale.com/util/syspolicy"
"tailscale.com/version" "tailscale.com/version"
) )
@ -229,9 +230,17 @@ func (b *LocalBackend) handleC2NPostureIdentityGet(w http.ResponseWriter, r *htt
res := tailcfg.C2NPostureIdentityResponse{} res := tailcfg.C2NPostureIdentityResponse{}
// TODO(kradalby): Use syspolicy + envknob to allow Win registry, // Only collect serial numbers if enabled on the client,
// macOS defaults and env to override this setting. // this will first check syspolicy, MDM settings like Registry
if b.Prefs().PostureChecking() { // on Windows or defaults on macOS. If they are not set, it falls
// back to the cli-flag, `--posture-checking`.
enabled, err := syspolicy.GetBoolean(syspolicy.PostureChecking, b.Prefs().PostureChecking())
if err != nil {
enabled = b.Prefs().PostureChecking()
b.logf("c2n: failed to read PostureChecking from syspolicy, returning default from CLI: %s; got error: %s", enabled, err)
}
if enabled {
sns, err := posture.GetSerialNumbers(b.logf) sns, err := posture.GetSerialNumbers(b.logf)
if err != nil { if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError) http.Error(w, err.Error(), http.StatusInternalServerError)
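Review bot: The fallback log line passes `enabled`, a bool, to a `%s` verb, so the message renders as `%!s(bool=true)` and `go vet` will flag it; use `%v` for both arguments, e.g. `b.logf("c2n: failed to read PostureChecking from syspolicy, returning default from CLI: %v; got error: %v", enabled, err)`. Separately, when the policy read fails the code falls back to the user preference. A device whose administrator disabled posture checking through MDM could then still report serial numbers if the policy store is unreadable and the local pref is on. It seems worth deciding explicitly whether this path should fail closed (`enabled = false`) and recording that decision in the comment. The handler's body continues outside the hunk.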

@ -32,4 +32,8 @@ const (
// The default is 0 unless otherwise stated. // The default is 0 unless otherwise stated.
LogSCMInteractions Key = "LogSCMInteractions" LogSCMInteractions Key = "LogSCMInteractions"
FlushDNSOnSessionUnlock Key = "FlushDNSOnSessionUnlock" FlushDNSOnSessionUnlock Key = "FlushDNSOnSessionUnlock"
// Boolean key that indicates if posture checking is enabled and the client shall gather
// posture data.
PostureChecking Key = "PostureChecking"
) )
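Review bot: The new key's comment does not say what happens when the policy is unset, while the visible header line for this group states `The default is 0 unless otherwise stated.`; the caller in the handler passes the `--posture-checking` preference as the default, so the effective default here is not 0. I would extend the comment with something like `// If unset, the client falls back to the PostureChecking preference.` so administrators know that leaving the policy unset does not by itself disable serial-number collection. The const block begins outside the hunk, so whether that header applies to this key is inferred.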
