From: Rafal Krypa Date: Thu, 13 Feb 2014 13:22:19 +0000 (+0100) Subject: libsmack: change semantics of rule allow_code and deny_code X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b7ba239e723680ab9c86fd5564d4464e48fa154d;p=framework%2Fsecurity%2Fsmack.git libsmack: change semantics of rule allow_code and deny_code Fields in struct smack_rule are used to store either set or modify rule. Set rules used to be distinguished by having deny_code = -1. It is more convenient to have it differently: allow_code describing bits that are to be set, deny_code describing bits that are to be cleared. With that semantics access_code = ~deny_code for set rules. This enables easy replacement of change rules that can be simplified to a set rule. Thanks José Bollo for original idea about simplifying modify rules. Signed-off-by: Rafal Krypa
---
diff --git a/libsmack/libsmack.c b/libsmack/libsmack.c
index 9bab0b1..f328a1d 100644
--- a/libsmack/libsmack.c
+++ b/libsmack/libsmack.c
@@ -58,6 +58,8 @@
 #define ACCESS_TYPE_T 0x10
 #define ACCESS_TYPE_L 0x20
+#define ACCESS_TYPE_ALL ((1 << ACC_LEN) - 1)
+
 #define DICT_HASH_SIZE 4096
 #define MAX_LABELS_CNT (UINT16_MAX + 1)
@@ -216,7 +218,7 @@ static int accesses_add(struct smack_accesses *handle, const char *subject,
 if (rule->deny_code == -1)
 goto err_out;
 } else
- rule->deny_code = -1; /* no modify */
+ rule->deny_code = ACCESS_TYPE_ALL & ~rule->allow_code;
 if (subject_label->first_rule == NULL) {
 subject_label->first_rule = subject_label->last_rule = rule;
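Review bot: `ACCESS_TYPE_ALL` is derived from `ACC_LEN` while the individual bits above it are literals (`ACCESS_TYPE_L 0x20` is the highest one visible), so nothing in this hunk ties the mask to the last defined flag; a comment on the new line would make that coupling explicit, e.g. `/* every access bit; ACC_LEN must equal the number of ACCESS_TYPE_* flags */`. `ACC_LEN` is defined outside the hunk, so its value cannot be confirmed here. If the file's compiler baseline allows C11, a `_Static_assert((ACCESS_TYPE_ALL & ACCESS_TYPE_L) == ACCESS_TYPE_L, "ACC_LEN too small")` next to the macro would catch the two drifting apart at build time.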
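Review bot: The new assignment makes a rule a set rule exactly when `allow_code | deny_code == ACCESS_TYPE_ALL` (that is the test the accesses_print hunk switches to), so a modify rule that carries the same bit in both `allow_code` and `deny_code` (constructed example: allow `rwx`, deny `w`) would satisfy the test and be written as a set rule that grants the contested bit, whereas a modify rule presumably applies the deny mask after the allow mask. Unless the modify-rule parsing just above this hunk already rejects overlapping bits (it is outside the hunk, so I cannot tell), either reject such rules there or normalise them in the modify branch after the `deny_code == -1` check passes: `rule->allow_code &= ~rule->deny_code;`. The removed `/* no modify */` marker carried information the new line loses; I would keep a short comment, e.g. `rule->deny_code = ACCESS_TYPE_ALL & ~rule->allow_code; /* set rule: every bit not allowed is denied */`. accesses_add starts and ends outside the hunk.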
@@ -720,15 +722,15 @@ static int accesses_print(struct smack_accesses *handle, int clear,
 for (x = 0; x < handle->labels_cnt; ++x) {
 subject_label = handle->labels[x];
 for (rule = subject_label->first_rule; rule != NULL; rule = rule->next_rule) {
- /* Fail immediately without doing any further processing
- if modify rules are not supported. */
- if (rule->deny_code >= 0 && change_fd < 0)
- return -1;
-
 object_label = handle->labels[rule->object_id];
 access_code_to_str(clear ? 0 : rule->allow_code, allow_str);
- if (rule->deny_code != -1 && !clear) {
+ if ((rule->allow_code | rule->deny_code) != ACCESS_TYPE_ALL && !clear) {
+ /* Fail immediately without doing any further processing
+ if modify rules are not supported. */
+ if (change_fd < 0)
+ return -1;
+
 access_code_to_str(rule->deny_code, deny_str);
 fd = change_fd;