Regression fix: don't modify smack_accesses while applying the rules.
authorRafał Krypa <rafal@krypa.net>
Thu, 14 Nov 2013 23:58:22 +0000 (00:58 +0100)
committerJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Mon, 18 Nov 2013 16:22:26 +0000 (18:22 +0200)
Regression introduced in eaf908fd caused access_type field to be modified,
when smack_accesses_apply() is called with clear set to true.

This patch reverts that, restoring the invariant that smack_accesses_apply()
doesn't modify the given rule set.
(cherry picked from commit 74f5b5c21a2ed9c0576c3c3ab3802d11d66098a9)

libsmack/libsmack.c

index 1949f6f..376301b 100644 (file)
@@ -50,6 +50,7 @@
 #define KERNEL_MODIFY_FORMAT "%s %s %s %s"
 #define READ_BUF_SIZE LOAD_LEN + 1
 #define SELF_LABEL_FILE "/proc/self/attr/current"
+#define ACC_CLEAR "-----"
 
 extern char *smackfs_mnt;
 
@@ -643,12 +644,7 @@ static int accesses_apply(struct smack_accesses *handle, int clear)
        }
 
        for (rule = handle->first; rule != NULL; rule = rule->next) {
-               if (clear) {
-                       strcpy(rule->access_type, "-----");
-                       rule->is_modify = 0;
-               }
-
-               if (rule->is_modify) {
+               if (rule->is_modify && !clear) {
                        fd = change_fd;
                        ret = snprintf(buf, LOAD_LEN + 1, KERNEL_MODIFY_FORMAT,
                                       rule->subject, rule->object,
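Review bot: The invariant this commit restores, that applying rules leaves the rule set untouched, is still held only by convention in `accesses_apply()`, so a later edit could write through `rule` again without any diagnostic. If no other statement in the function writes through `handle` (the body starts and ends outside this hunk, so that needs checking), the signature could become `static int accesses_apply(const struct smack_accesses *handle, int clear)` with the `rule` iterator declared pointer-to-const, letting the compiler reject such writes. The new condition also deserves a comment such as `/* when clearing, modify rules are written as plain rules with ACC_CLEAR */`, because the `!clear` routing into what appears to be the non-modify branch is not obvious from the condition alone.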
@@ -659,11 +655,11 @@ static int accesses_apply(struct smack_accesses *handle, int clear)
                        if (load2)
                                ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
                                               rule->subject, rule->object,
-                                              rule->access_type);
+                                              clear ? ACC_CLEAR : rule->access_type);
                        else
                                ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
                                               rule->subject, rule->object,
-                                              rule->access_type);
+                                              clear ? ACC_CLEAR : rule->access_type);
                }
 
                if (ret < 0 || fd < 0) {
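Review bot: The check `if (ret < 0 || fd < 0)` after the `snprintf` calls treats only a negative return as failure, so a rule that does not fit in `LOAD_LEN + 1` bytes would pass it in truncated form. For an access-control rule, a truncated label or access string is a different rule from the one requested, so truncation should be rejected, e.g. `if (ret < 0 || ret >= LOAD_LEN + 1 || fd < 0) {`. Label lengths may already be validated when rules are added, which is outside this hunk, as is the code after the check; the explicit comparison is cheap either way. Separately, `clear ? ACC_CLEAR : rule->access_type` is now repeated in both branches and could be computed once into a `const char *` before `if (load2)`.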