libsmack: change semantics of rule allow_code and deny_code
authorRafal Krypa <r.krypa@samsung.com>
Thu, 13 Feb 2014 13:22:19 +0000 (14:22 +0100)
committerRafal Krypa <r.krypa@samsung.com>
Thu, 13 Feb 2014 16:31:52 +0000 (17:31 +0100)
Fields in struct smack_rule are used to store either a set or a modify rule.
Set rules used to be distinguished by having deny_code = -1.
It is more convenient to have it differently: allow_code describing bits
that are to be set, deny_code describing bits that are to be cleared.
With that semantics access_code = ~deny_code for set rules. This enables
easy replacement of change rules that can be simplified to a set rule.
Thanks to José Bollo for the original idea about simplifying modify rules.

Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
libsmack/libsmack.c

index 9bab0b1..f328a1d 100644 (file)
@@ -58,6 +58,8 @@
 #define ACCESS_TYPE_T 0x10
 #define ACCESS_TYPE_L 0x20
 
+#define ACCESS_TYPE_ALL ((1 << ACC_LEN) - 1)
+
 #define DICT_HASH_SIZE 4096
 #define MAX_LABELS_CNT (UINT16_MAX + 1)
 
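Review bot: The new macro is the pivot of the whole commit (a rule is a set rule exactly when allow_code | deny_code equals it), but nothing at its definition says so, and it sits among single-bit ACCESS_TYPE_* values that read quite differently. A one-line comment would save the next reader a trip to accesses_print, e.g. `/* mask of every access bit; a rule whose allow|deny covers it is a plain set rule */`. ACC_LEN is defined outside this hunk, so I am assuming it is the number of access bits; the expression also requires ACC_LEN to be smaller than the width of int, which presumably holds for the handful of bits in use.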
@@ -216,7 +218,7 @@ static int accesses_add(struct smack_accesses *handle, const char *subject,
                if (rule->deny_code == -1)
                        goto err_out;
        } else
-               rule->deny_code = -1; /* no modify */
+               rule->deny_code = ACCESS_TYPE_ALL & ~rule->allow_code;
 
        if (subject_label->first_rule == NULL) {
                subject_label->first_rule = subject_label->last_rule = rule;
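Review bot: With deny_code now derived from allow_code, a modify rule whose allow and deny bits overlap, or whose union happens to cover every bit, is no longer distinguishable from a set rule, and accesses_print will emit it as one using allow_code alone. Whether the parsing above already rejects overlapping bits is outside this hunk; if it does not, the modify branch should check it before the else, `if (rule->allow_code & rule->deny_code) goto err_out;`, so the ambiguity is refused at input time rather than silently resolved at output. The replaced line also drops the only comment explaining the branch; the new assignment deserves one, e.g. `/* set rule: every bit not being set is to be cleared */`. accesses_add starts before this hunk.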
@@ -720,15 +722,15 @@ static int accesses_print(struct smack_accesses *handle, int clear,
        for (x = 0; x < handle->labels_cnt; ++x) {
                subject_label = handle->labels[x];
                for (rule = subject_label->first_rule; rule != NULL; rule = rule->next_rule) {
-                       /* Fail immediately without doing any further processing
-                          if modify rules are not supported. */
-                       if (rule->deny_code >= 0 && change_fd < 0)
-                               return -1;
-
                        object_label = handle->labels[rule->object_id];
                        access_code_to_str(clear ? 0 : rule->allow_code, allow_str);
 
-                       if (rule->deny_code != -1 && !clear) {
+                       if ((rule->allow_code | rule->deny_code) != ACCESS_TYPE_ALL && !clear) {
+                               /* Fail immediately without doing any further processing
+                                  if modify rules are not supported. */
+                               if (change_fd < 0)
+                                       return -1;
+
                                access_code_to_str(rule->deny_code, deny_str);
 
                                fd = change_fd;
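Review bot: The test `(rule->allow_code | rule->deny_code) != ACCESS_TYPE_ALL` encodes the commit's new invariant but gives no hint of it at the point of use; a named helper reads better and keeps the definition in one place, e.g. `static inline int rule_is_modify(const struct smack_rule *rule) { return (rule->allow_code | rule->deny_code) != ACCESS_TYPE_ALL; }` with the condition becoming `if (rule_is_modify(rule) && !clear) {`. The relocated "Fail immediately" comment is now slightly off: since the check lives inside the per-rule loop, rules before the first modify rule have presumably already been written to the load descriptor by the time -1 is returned, so "immediately" would be clearer as "Fail on the first modify rule". The write itself and the rest of accesses_print are outside this hunk.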