smack_have_access@LIBSMACK 1.0
smack_new_label_from_self@LIBSMACK 1.0
smack_new_label_from_socket@LIBSMACK 1.0
+ smack_revoke_subject@LIBSMACK 1.0
smack_have_access.3 \
smack_new_label_from_self.3 \
smack_new_label_from_socket.3 \
+ smack_revoke_subject.3 \
chsmack.8 \
smackcipso.8 \
smackctl.8 \
'\" t
.\" This file is part of libsmack
.\" Copyright (C) 2012 Intel Corporation
+.\" Copyright (C) 2012 Samsung Electronics Co.
.\"
.\" This library is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU Lesser General Public License
.\"
.\" Author:
.\" Brian McGillion <brian.mcgillion@intel.com>
+.\" Rafal Krypa <r.krypa@samsung.com>
.\"
-.TH "SMACK_ACCESSES_ADD" "3" "08/05/2012" "Libsmack 1\&.0"
+.TH "SMACK_ACCESSES_ADD" "3" "14/06/2012" "Libsmack 1\&.0"
.SH NAME
-smack_accesses_new, smack_accesses_free, smack_accesses_save, smack_accesses_apply, smack_accesses_clear, smack_accesses_add, smack_accesses_add_from_file \- Manipulate Smack rules
+smack_accesses_new, smack_accesses_free, smack_accesses_save, smack_accesses_apply, smack_accesses_clear, smack_accesses_add, smack_accesses_add_from_file, smack_revoke_subject \- Manipulate Smack rules
.SH SYNOPSIS
.B #include <sys/smack.h>
.sp
.BI "int smack_accesses_clear(struct smack_accesses *" handle ");"
.br
+.BI "int smack_revoke_subject(const char *" subject ");"
+.br
+
.SH DESCRIPTION
These methods provide a means to create properly formatted smack rules that can be stored to file or loaded directly into the kernel. For loading and unloading rules directly into the kernel the calling process must have the CAP_MAC_ADMIN capability. Most users will generally store the rules to a file that can be read by
.BR smackload (8).
remove the rules pointed to by
.I handle
directly from the kernel. The calling process must have the CAP_MAC_ADMIN capability.
+
+.BR smack_revoke_subject ()
+Sets the access to '-' (no access allowed) for all access rules with given
+.I subject
+label directly in the kernel. The calling process must have the CAP_MAC_ADMIN capability.
.SH RETURN VALUE
All methods, except
.IR smack_accesses_free ,
--- /dev/null
+.so man3/smack_accesses_add.3
*
* Copyright (C) 2010 Nokia Corporation
* Copyright (C) 2011 Intel Corporation
+ * Copyright (C) 2012 Samsung Electronics Co.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* Jarkko Sakkinen <jarkko.sakkinen@intel.com>
* Brian McGillion <brian.mcgillion@intel.com>
* Passion Zhao <passion.zhao@intel.com>
+ * Rafal Krypa <r.krypa@samsung.com>
*/
#include "sys/smack.h"
return 0;
}
+int smack_revoke_subject(const char *subject)
+{
+ int ret;
+ int fd;
+ char path[PATH_MAX];
+
+ snprintf(path, sizeof path, "%s/revoke-subject", smack_mnt);
+ fd = open(path, O_WRONLY);
+ if (fd < 0)
+ return -1;
+
+ ret = write(fd, subject, strnlen(subject, SMACK_LABEL_LEN));
+ close(fd);
+
+ return (ret < 0) ? -1 : 0;
+}
+
static int accesses_apply(struct smack_accesses *handle, int clear)
{
char buf[LOAD_LEN + 1];
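Review bot: In smack_revoke_subject, `strnlen(subject, SMACK_LABEL_LEN)` silently truncates an over-long subject, so the write names a shorter label than the one the caller asked to revoke, and an empty subject writes zero bytes yet still returns 0. For a call whose whole purpose is removing access, both cases report success without revoking what was requested; a NULL subject also reaches strnlen unchecked. I would reject NULL, empty and over-long subjects before opening the file and count only a full-length write as success, as sketched below (assuming SMACK_LABEL_LEN, defined outside this hunk, is the maximum label length). The snprintf result is unchecked as well, so a truncated path would be handed to open().

```c
int smack_revoke_subject(const char *subject)
{
	size_t len;
	ssize_t ret;
	/* … unchanged: fd and path declarations … */

	if (subject == NULL)
		return -1;

	/* Look one byte past the limit so an over-long label is detected
	 * instead of being cut down to a different, shorter label. */
	len = strnlen(subject, SMACK_LABEL_LEN + 1);
	if (len == 0 || len > SMACK_LABEL_LEN)
		return -1;

	/* … unchanged: snprintf of path, open() and its failure check … */

	ret = write(fd, subject, len);
	close(fd);

	/* Only a complete write means the kernel saw the full label. */
	return (ret == (ssize_t)len) ? 0 : -1;
}
```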
smack_smackfs_path;
smack_new_label_from_self;
smack_new_label_from_socket;
+ smack_revoke_subject;
local:
*;
};
*/
int smack_new_label_from_socket(int fd, char **label);
+/*!
+ * Revoke all rules for a subject label.
+ *
+ * @param subject subject to revoke
+ * @return 0 on success and negative value on failure.
+ */
+int smack_revoke_subject(const char *subject);
#ifdef __cplusplus
}