libsmack: early fail in accesses_apply() if modify rules are not supported

In accesses_apply(), in the beginning of each iteration, check
that change_fd is a valid file descriptor if the current rule
is a modify rule. Return with -1 immediately if that is not the
case.

Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>

diff --git a/libsmack/libsmack.c b/libsmack/libsmack.c
index 28c2715..9116422 100644 (file)
--- a/libsmack/libsmack.c
+++ b/libsmack/libsmack.c
@@ -674,6 +674,13 @@ static int accesses_apply(struct smack_accesses *handle, int clear)
        }
 
        for (rule = handle->first; rule != NULL; rule = rule->next) {
+               /* Fail immediately without doing any further processing
+                  if modify rules are not supported. */
+               if (rule->deny_code >= 0 && change_fd < 0) {
+                       ret = -1;
+                       goto err_out;
+               }
+
                access_code_to_str(clear ? 0 : rule->allow_code, allow_str);
 
                if (rule->deny_code != -1 && !clear) {
@@ -696,7 +703,7 @@ static int accesses_apply(struct smack_accesses *handle, int clear)
                                               allow_str);
                }
 
-               if (ret < 0 || fd < 0) {
+               if (ret < 0) {
                        ret = -1;
                        goto err_out;
                }