char subject[SMACK_LABEL_LEN + 1];
char object[SMACK_LABEL_LEN + 1];
int is_modify;
- char access_set[ACC_LEN + 1];
- char access_add[ACC_LEN + 1];
- char access_del[ACC_LEN + 1];
+ char access_type[ACC_LEN + 1];
+ char allow_access_type[ACC_LEN + 1];
+ char deny_access_type[ACC_LEN + 1];
struct smack_rule *next;
};
if (rule->is_modify) {
ret = fprintf(file, "%s %s %s %s\n",
rule->subject, rule->object,
- rule->access_add, rule->access_del);
+ rule->allow_access_type,
+ rule->deny_access_type);
} else {
ret = fprintf(file, "%s %s %s\n",
rule->subject, rule->object,
- rule->access_set);
+ rule->access_type);
}
if (ret < 0) {
strcpy(rule->subject, subject);
strcpy(rule->object, object);
- parse_access_type(access_type, rule->access_set);
+ parse_access_type(access_type, rule->access_type);
if (handle->first == NULL) {
handle->first = handle->last = rule;
return 0;
}
-int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
- const char *object, const char *access_add, const char *access_del)
+int smack_accesses_add_modify(struct smack_accesses *handle,
+ const char *subject,
+ const char *object,
+ const char *allow_access_type,
+ const char *deny_access_type)
{
struct smack_rule *rule = NULL;
strcpy(rule->subject, subject);
strcpy(rule->object, object);
- parse_access_type(access_add, rule->access_add);
- parse_access_type(access_del, rule->access_del);
+ parse_access_type(allow_access_type, rule->allow_access_type);
+ parse_access_type(deny_access_type, rule->deny_access_type);
rule->is_modify = 1;
if (handle->first == NULL) {
for (rule = handle->first; rule != NULL; rule = rule->next) {
if (clear) {
- strcpy(rule->access_set, "-----");
+ strcpy(rule->access_type, "-----");
rule->is_modify = 0;
}
if (rule->is_modify) {
fd = change_fd;
ret = snprintf(buf, LOAD_LEN + 1, KERNEL_MODIFY_FORMAT,
- rule->subject, rule->object,
- rule->access_add, rule->access_del);
+ rule->subject, rule->object,
+ rule->allow_access_type,
+ rule->deny_access_type);
} else {
fd = load_fd;
if (load2)
ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
rule->subject, rule->object,
- rule->access_set);
+ rule->access_type);
else
ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
rule->subject, rule->object,
- rule->access_set);
+ rule->access_type);
}
if (ret < 0 || fd < 0) {
const char *object, const char *access_type);
/*!
- * Add a modification rule to a rule set.
- * The modification rule will change access permissions for a given subject and
- * object.
- * If such rule already existend (in the kernel or earlier in the rule set),
- * it will be modified. Otherwise a new rule will be created, with permissions
- * from access_add minus permissions from access_del.
+ * Add a modification rule to the given access rules. A modification rule
+ * is written to the kernel file 'change-rule' when you apply rules with
+ * smack_accesses_apply(). It can be used to turn on and off a certain access
+ * type like write access.
+ *
+ * When a modification rule is applied to the kernel it will turn on access
+ * types in allow_access and turn off access types in deny_access.
*
* @param handle handle to a struct smack_accesses instance
* @param subject subject of the rule
* @param object object of the rule
- * @param access_add access type
- * @param access_del access type
+ * @param allow_access_type access type to be turned on
+ * @param deny_access_type access type to be turned off
* @return Returns 0 on success and negative on failure.
*/
-int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
- const char *object, const char *access_add, const char *access_del);
+int smack_accesses_add_modify(struct smack_accesses *handle,
+ const char *subject,
+ const char *object,
+ const char *allow_access_type,
+ const char *deny_access_type);
/*!
* Load access rules from the given file.