From 22c98dd03e352057b23f8d8d2d9ad252175c685b Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Wed, 2 Oct 2013 08:38:59 +0300 Subject: [PATCH] libsmack: clean up smack_accesses_add_modify() This patch makes smack_accesses_add_modify() easier to follow by changing variable names bit more self-documentative and less easier to mix up with adding and deleting rules. This patch also fixes some very minor coding style errors. Also documentation of this function is cleaned up. --- libsmack/libsmack.c | 35 ++++++++++++++++++++--------------- libsmack/sys/smack.h | 24 ++++++++++++++---------- 2 files changed, 34 insertions(+), 25 deletions(-) diff --git a/libsmack/libsmack.c b/libsmack/libsmack.c index d2e4b85..ac58dd2 100644 --- a/libsmack/libsmack.c +++ b/libsmack/libsmack.c @@ -57,9 +57,9 @@ struct smack_rule { char subject[SMACK_LABEL_LEN + 1]; char object[SMACK_LABEL_LEN + 1]; int is_modify; - char access_set[ACC_LEN + 1]; - char access_add[ACC_LEN + 1]; - char access_del[ACC_LEN + 1]; + char access_type[ACC_LEN + 1]; + char allow_access_type[ACC_LEN + 1]; + char deny_access_type[ACC_LEN + 1]; struct smack_rule *next; }; @@ -134,11 +134,12 @@ int smack_accesses_save(struct smack_accesses *handle, int fd) if (rule->is_modify) { ret = fprintf(file, "%s %s %s %s\n", rule->subject, rule->object, - rule->access_add, rule->access_del); + rule->allow_access_type, + rule->deny_access_type); } else { ret = fprintf(file, "%s %s %s\n", rule->subject, rule->object, - rule->access_set); + rule->access_type); } if (ret < 0) { @@ -180,7 +181,7 @@ int smack_accesses_add(struct smack_accesses *handle, const char *subject, strcpy(rule->subject, subject); strcpy(rule->object, object); - parse_access_type(access_type, rule->access_set); + parse_access_type(access_type, rule->access_type); if (handle->first == NULL) { handle->first = handle->last = rule; @@ -192,8 +193,11 @@ int smack_accesses_add(struct smack_accesses *handle, const char *subject, return 0; } -int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject, - const char *object, const char *access_add, const char *access_del) +int smack_accesses_add_modify(struct smack_accesses *handle, + const char *subject, + const char *object, + const char *allow_access_type, + const char *deny_access_type) { struct smack_rule *rule = NULL; @@ -209,8 +213,8 @@ int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject strcpy(rule->subject, subject); strcpy(rule->object, object); - parse_access_type(access_add, rule->access_add); - parse_access_type(access_del, rule->access_del); + parse_access_type(allow_access_type, rule->allow_access_type); + parse_access_type(deny_access_type, rule->deny_access_type); rule->is_modify = 1; if (handle->first == NULL) { @@ -657,25 +661,26 @@ static int accesses_apply(struct smack_accesses *handle, int clear) for (rule = handle->first; rule != NULL; rule = rule->next) { if (clear) { - strcpy(rule->access_set, "-----"); + strcpy(rule->access_type, "-----"); rule->is_modify = 0; } if (rule->is_modify) { fd = change_fd; ret = snprintf(buf, LOAD_LEN + 1, KERNEL_MODIFY_FORMAT, - rule->subject, rule->object, - rule->access_add, rule->access_del); + rule->subject, rule->object, + rule->allow_access_type, + rule->deny_access_type); } else { fd = load_fd; if (load2) ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT, rule->subject, rule->object, - rule->access_set); + rule->access_type); else ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT, rule->subject, rule->object, - rule->access_set); + rule->access_type); } if (ret < 0 || fd < 0) { diff --git a/libsmack/sys/smack.h b/libsmack/sys/smack.h index bc6a0f1..3a78a80 100644 --- a/libsmack/sys/smack.h +++ b/libsmack/sys/smack.h @@ -105,22 +105,26 @@ int smack_accesses_add(struct smack_accesses *handle, const char *subject, const char *object, const char *access_type); /*! - * Add a modification rule to a rule set. - * The modification rule will change access permissions for a given subject and - * object. - * If such rule already existend (in the kernel or earlier in the rule set), - * it will be modified. Otherwise a new rule will be created, with permissions - * from access_add minus permissions from access_del. + * Add a modification rule to the given access rules. A modification rule + * is written to the kernel file 'change-rule' when you apply rules with + * smack_accesses_apply(). It can be used to turn on and off a certain access + * type like write access. + * + * When a modification rule is applied to the kernel it will turn on access + * types in allow_access and turn off access types in deny_access. * * @param handle handle to a struct smack_accesses instance * @param subject subject of the rule * @param object object of the rule - * @param access_add access type - * @param access_del access type + * @param allow_access_type access type to be turned on + * @param deny_access_type access type to be turned off * @return Returns 0 on success and negative on failure. */ -int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject, - const char *object, const char *access_add, const char *access_del); +int smack_accesses_add_modify(struct smack_accesses *handle, + const char *subject, + const char *object, + const char *allow_access_type, + const char *deny_access_type); /*! * Load access rules from the given file. -- 2.7.4