From 3a2ce33141c5023a0698a38760baddc531f0ab36 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Sun, 28 Nov 2010 21:10:15 -0800 Subject: [PATCH] In smack_rule_set_save_to_kernel, write removed rules with access string "----". This is achieved by setting ac to zero when rule is removed instead of deleting it. --- src/smack_rules.c | 16 ++-- tests/check_rules.c | 94 +++++++++++++++------- tests/data/remove_rules_by_object-excepted.txt | 1 - tests/data/remove_rules_by_subject-excepted.txt | 1 - ...ule_set_remove_and_save_to_kernel-excepted.txt} | 1 + ...t => rule_set_remove_and_save_to_kernel-in.txt} | 0 ...emove_by_object_and_save_to_kernel-excepted.txt | 3 + ...set_remove_by_object_and_save_to_kernel-in.txt} | 0 ...move_by_subject_and_save_to_kernel-excepted.txt | 3 + ...et_remove_by_subject_and_save_to_kernel-in.txt} | 0 10 files changed, 78 insertions(+), 41 deletions(-) delete mode 100644 tests/data/remove_rules_by_object-excepted.txt delete mode 100644 tests/data/remove_rules_by_subject-excepted.txt rename tests/data/{remove_rule-excepted.txt => rule_set_remove_and_save_to_kernel-excepted.txt} (66%) rename tests/data/{remove_rules_by_subject-in.txt => rule_set_remove_and_save_to_kernel-in.txt} (100%) create mode 100644 tests/data/rule_set_remove_by_object_and_save_to_kernel-excepted.txt rename tests/data/{remove_rules_by_object-in.txt => rule_set_remove_by_object_and_save_to_kernel-in.txt} (100%) create mode 100644 tests/data/rule_set_remove_by_subject_and_save_to_kernel-excepted.txt rename tests/data/{remove_rule-in.txt => rule_set_remove_by_subject_and_save_to_kernel-in.txt} (100%) diff --git a/src/smack_rules.c b/src/smack_rules.c index 98501f8..6aabc88 100644 --- a/src/smack_rules.c +++ b/src/smack_rules.c 
@@ -148,6 +148,9 @@ int smack_rule_set_save_to_file(SmackRuleSet handle, const char *path)
 
 	HASH_ITER(hh, handle->subjects, s, stmp) {
 		HASH_ITER(hh, s->objects, o, otmp) {
+			if (o->ac == 0)
+				continue;
+
 			ac_to_config_str(o->ac, str);
 
 			err = fprintf(file, "%s %s %s\n",
@@ -236,8 +239,7 @@ void smack_rule_set_remove(SmackRuleSet handle, const char *subject,
 		if (o == NULL)
 			return;
 
-		HASH_DEL(s->objects, o);
-		free(o);
+		o->ac = 0;
 		return;
 	}
 
@@ -258,10 +260,8 @@ void smack_rule_set_remove_by_subject(SmackRuleSet handle, const char *subject,
 	if (s == NULL)
 		return;
 
-	HASH_ITER(hh, s->objects, o, tmp) {
-		HASH_DEL(s->objects, o);
-		free(o);
-	}
+	HASH_ITER(hh, s->objects, o, tmp)
+		o->ac = 0;
 }
 
 void smack_rule_set_remove_by_object(SmackRuleSet handle, const char *object,
@@ -279,8 +279,8 @@ void smack_rule_set_remove_by_object(SmackRuleSet handle, const char *object,
 	HASH_ITER(hh, handle->subjects, s, tmp) {
 		HASH_FIND_STR(s->objects, object, o);
 
-		HASH_DEL(s->objects, o);
-		free(o);
+		if (o)
+			o->ac = 0;
 	}
 }
 
diff --git a/tests/check_rules.c b/tests/check_rules.c
index 70be0bf..28101ce 100644
--- a/tests/check_rules.c
+++ b/tests/check_rules.c
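Review bot: The `if (o->ac == 0) continue;` added at the top of the inner loop in smack_rule_set_save_to_file turns a zero access mask into an in-band "removed" marker, but neither this site nor the struct records that contract, and the three removal functions later in this file now depend on it. Any entry whose mask is legitimately empty — if the config parser accepts an all-dash access string, which this patch does not show — would be dropped from the saved config file while still being written to the kernel, so the two outputs would diverge for the same set. A comment at the skip would make the rule explicit: `/* ac == 0 marks an entry removed by smack_rule_set_remove*(); it stays in the set so save_to_kernel can revoke it with "----", but is not persisted here. */`. The body of smack_rule_set_save_to_file starts and ends outside this hunk.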
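Review bot: With `o->ac = 0;` replacing HASH_DEL/free in smack_rule_set_remove, a removed rule stays allocated in s->objects until smack_rule_set_delete, so the set no longer shrinks on removal and a long-lived caller that adds and removes many distinct rules accumulates every dead entry; the same holds for smack_rule_set_remove_by_subject and smack_rule_set_remove_by_object in the next two hunks. Retaining the entry is what lets save_to_kernel emit "----" and actually revoke the rule in the kernel, which the old delete-and-free presumably could not do, so the trade-off looks right, but it belongs in the removal functions' documentation (their declarations are not in this patch): `Marks the rule as removed rather than deleting it; the entry is kept with no access so that smack_rule_set_save_to_kernel revokes it with "----", and is freed only by smack_rule_set_delete.`. The enclosing function starts outside the hunk.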
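Review bot: The rewritten loop in smack_rule_set_remove_by_subject drops the braces around the HASH_ITER body, `HASH_ITER(hh, s->objects, o, tmp) o->ac = 0;`; HASH_ITER is a macro that expands to a for statement, and an unbraced body that later gains a second statement silently falls outside the loop. Keeping the braces, `HASH_ITER(hh, s->objects, o, tmp) { o->ac = 0; }`, costs nothing and matches the braced loops in the other hunks of this file.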
@@ -87,67 +87,99 @@ START_TEST(test_rw_rules_kernel)
 }
 END_TEST
 
-START_TEST(test_remove_rule)
+START_TEST(test_have_access_rule)
 {
 	int rc;
-	SmackRuleSet rules = smack_rule_set_new_from_file("data/remove_rule-in.txt", NULL);
+	SmackRuleSet rules = smack_rule_set_new_from_file("data/have_access_rule-in.txt", "Orange");
 	fail_unless(rules != NULL, "Reading rules failed");
-	smack_rule_set_remove(rules, "Orange", "Apple", NULL);
-	rc = smack_rule_set_save_to_kernel(rules, "remove_rule-result.txt");
-	fail_unless(rc == 0, "Failed to write ruleset");
-	rc = files_equal("remove_rule-result.txt", "data/remove_rule-excepted.txt");
-	fail_unless(rc == 1, "Unexcepted result");
+	rc = smack_rule_set_have_access(rules, "Orange", "Apple", "a", NULL);
+	fail_unless(rc, "Have access \"a\" failed");
 	smack_rule_set_delete(rules);
 }
 END_TEST
 
-START_TEST(test_remove_rules_by_subject)
+START_TEST(test_have_access_removed_rule)
 {
 	int rc;
-	SmackRuleSet rules = smack_rule_set_new_from_file("data/remove_rules_by_subject-in.txt", NULL);
+	SmackRuleSet rules = smack_rule_set_new_from_file("data/have_access_rule-in.txt", "Orange");
 	fail_unless(rules != NULL, "Reading rules failed");
-	smack_rule_set_remove_by_subject(rules, "Foo", NULL);
-	rc = smack_rule_set_save_to_kernel(rules, "remove_rules_by_subject-result.txt");
-	fail_unless(rc == 0, "Failed to write ruleset");
-	rc = files_equal("remove_rules_by_subject-result.txt", "data/remove_rules_by_subject-excepted.txt");
-	fail_unless(rc == 1, "Unexcepted result");
+	smack_rule_set_remove(rules, "Orange", "Apple", NULL);
+	rc = smack_rule_set_have_access(rules, "Orange", "Apple", "a", NULL);
+	fail_unless(!rc, "Has access to a removed rule");
 	smack_rule_set_delete(rules);
 }
 END_TEST
 
-START_TEST(test_remove_rules_by_object)
+START_TEST(test_rule_set_remove_and_save_to_kernel)
 {
 	int rc;
-	SmackRuleSet rules = smack_rule_set_new_from_file("data/remove_rules_by_object-in.txt", NULL);
+	SmackRuleSet rules;
+
+	rules = smack_rule_set_new_from_file(
+		"data/rule_set_remove_and_save_to_kernel-in.txt", NULL);
 	fail_unless(rules != NULL, "Reading rules failed");
-	smack_rule_set_remove_by_object(rules, "Apple", NULL);
-	rc = smack_rule_set_save_to_kernel(rules, "remove_rules_by_object-result.txt");
+
+	smack_rule_set_remove(rules, "Orange", "Apple", NULL);
+
+	rc = smack_rule_set_save_to_kernel(rules,
+		"rule_set_remove_and_save_to_kernel-result.txt");
 	fail_unless(rc == 0, "Failed to write ruleset");
-	rc = files_equal("remove_rules_by_object-result.txt", "data/remove_rules_by_object-excepted.txt");
+
+	rc = files_equal(
+		"rule_set_remove_and_save_to_kernel-result.txt",
+		"data/rule_set_remove_and_save_to_kernel-excepted.txt");
 	fail_unless(rc == 1, "Unexcepted result");
+
 	smack_rule_set_delete(rules);
 }
 END_TEST
 
-START_TEST(test_have_access_rule)
+START_TEST(test_rule_set_remove_by_subject_and_save_to_kernel)
 {
 	int rc;
-	SmackRuleSet rules = smack_rule_set_new_from_file("data/have_access_rule-in.txt", "Orange");
+	SmackRuleSet rules;
+
+	rules = smack_rule_set_new_from_file(
+		"data/rule_set_remove_by_subject_and_save_to_kernel-in.txt",
+		NULL);
 	fail_unless(rules != NULL, "Reading rules failed");
-	rc = smack_rule_set_have_access(rules, "Orange", "Apple", "a", NULL);
-	fail_unless(rc, "Have access \"a\" failed");
+
+	smack_rule_set_remove_by_subject(rules, "Foo", NULL);
+
+	rc = smack_rule_set_save_to_kernel(rules,
+		"rule_set_remove_by_subject_and_save_to_kernel-result.txt");
+	fail_unless(rc == 0, "Failed to write ruleset");
+
+	rc = files_equal(
+		"rule_set_remove_by_subject_and_save_to_kernel-result.txt",
+		"data/rule_set_remove_by_subject_and_save_to_kernel-excepted.txt");
+	fail_unless(rc == 1, "Unexcepted result");
+
 	smack_rule_set_delete(rules);
 }
 END_TEST
 
-START_TEST(test_have_access_removed_rule)
+START_TEST(test_rule_set_remove_by_object_and_save_to_kernel)
 {
 	int rc;
-	SmackRuleSet rules = smack_rule_set_new_from_file("data/have_access_rule-in.txt", "Orange");
+	SmackRuleSet rules;
+
+	rules = smack_rule_set_new_from_file(
+		"data/rule_set_remove_by_object_and_save_to_kernel-in.txt",
+		NULL);
 	fail_unless(rules != NULL, "Reading rules failed");
-	smack_rule_set_remove(rules, "Orange", "Apple", NULL);
-	rc = smack_rule_set_have_access(rules, "Orange", "Apple", "a", NULL);
-	fail_unless(!rc, "Has access to a removed rule");
+
+	smack_rule_set_remove_by_object(rules, "Apple", NULL);
+
+	rc = smack_rule_set_save_to_kernel(rules,
+		"rule_set_remove_by_object_and_save_to_kernel-result.txt");
+	fail_unless(rc == 0, "Failed to write ruleset");
+
+	rc = files_equal(
+		"rule_set_remove_by_object_and_save_to_kernel-result.txt",
+		"data/rule_set_remove_by_object_and_save_to_kernel-excepted.txt");
+	fail_unless(rc == 1, "Unexcepted result");
+
 	smack_rule_set_delete(rules);
 }
 END_TEST
@@ -218,11 +250,11 @@ Suite *ruleset_suite (void)
 	tcase_add_test(tc_core, test_modify_existing_rule);
 	tcase_add_test(tc_core, test_rw_rules_config);
 	tcase_add_test(tc_core, test_rw_rules_kernel);
-	tcase_add_test(tc_core, test_remove_rule);
-	tcase_add_test(tc_core, test_remove_rules_by_subject);
-	tcase_add_test(tc_core, test_remove_rules_by_object);
 	tcase_add_test(tc_core, test_have_access_rule);
 	tcase_add_test(tc_core, test_have_access_removed_rule);
+	tcase_add_test(tc_core, test_rule_set_remove_and_save_to_kernel);
+	tcase_add_test(tc_core, test_rule_set_remove_by_subject_and_save_to_kernel);
+	tcase_add_test(tc_core, test_rule_set_remove_by_object_and_save_to_kernel);
 	tcase_add_test(tc_core, test_rule_set_add_remove_long);
 	tcase_add_test(tc_core, test_rule_set_add_long_no_labels);
 	suite_add_tcase(s, tc_core);
diff --git a/tests/data/remove_rules_by_object-excepted.txt b/tests/data/remove_rules_by_object-excepted.txt
deleted file mode 100644
index e5de3ce..0000000
--- a/tests/data/remove_rules_by_object-excepted.txt
+++ /dev/null
@@ -1 +0,0 @@
-Foo Bar r-x-
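Review bot: None of the three new tests exercises the `o->ac == 0` skip this patch adds to smack_rule_set_save_to_file; every one of them saves with smack_rule_set_save_to_kernel, so a regression that writes removed rules back into the config file would still pass this suite. A companion test shaped like test_rule_set_remove_and_save_to_kernel but calling smack_rule_set_save_to_file and comparing against an expected file that omits the "Orange Apple" line would close that gap. The result files written into the working directory are also never removed, so a stale file from an earlier run could satisfy files_equal even if a later save wrote nothing — an unlink of the result file before each save would guard against that. The second hunk of this file only registers the renamed tests.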
diff --git a/tests/data/remove_rules_by_subject-excepted.txt b/tests/data/remove_rules_by_subject-excepted.txt
deleted file mode 100644
index 436abd2..0000000
--- a/tests/data/remove_rules_by_subject-excepted.txt
+++ /dev/null
@@ -1 +0,0 @@
-Orange Apple r--a
diff --git a/tests/data/remove_rule-excepted.txt b/tests/data/rule_set_remove_and_save_to_kernel-excepted.txt
similarity index 66%
rename from tests/data/remove_rule-excepted.txt
rename to tests/data/rule_set_remove_and_save_to_kernel-excepted.txt
index ba29f07..8c5dfd1 100644
--- a/tests/data/remove_rule-excepted.txt
+++ b/tests/data/rule_set_remove_and_save_to_kernel-excepted.txt
@@ -1,2 +1,3 @@
 Foo Bar r-x-
 Foo Apple -wx-
+Orange Apple ----
diff --git a/tests/data/remove_rules_by_subject-in.txt b/tests/data/rule_set_remove_and_save_to_kernel-in.txt
similarity index 100%
rename from tests/data/remove_rules_by_subject-in.txt
rename to tests/data/rule_set_remove_and_save_to_kernel-in.txt
diff --git a/tests/data/rule_set_remove_by_object_and_save_to_kernel-excepted.txt b/tests/data/rule_set_remove_by_object_and_save_to_kernel-excepted.txt
new file mode 100644
index 0000000..5f27d8c
--- /dev/null
+++ b/tests/data/rule_set_remove_by_object_and_save_to_kernel-excepted.txt
@@ -0,0 +1,3 @@
+Foo Bar r-x-
+Foo Apple ----
+Orange Apple ----
diff --git a/tests/data/remove_rules_by_object-in.txt b/tests/data/rule_set_remove_by_object_and_save_to_kernel-in.txt
similarity index 100%
rename from tests/data/remove_rules_by_object-in.txt
rename to tests/data/rule_set_remove_by_object_and_save_to_kernel-in.txt
diff --git a/tests/data/rule_set_remove_by_subject_and_save_to_kernel-excepted.txt b/tests/data/rule_set_remove_by_subject_and_save_to_kernel-excepted.txt
new file mode 100644
index 0000000..a24d862
--- /dev/null
+++ b/tests/data/rule_set_remove_by_subject_and_save_to_kernel-excepted.txt
@@ -0,0 +1,3 @@
+Foo Bar ----
+Foo Apple ----
+Orange Apple r--a
diff --git a/tests/data/remove_rule-in.txt b/tests/data/rule_set_remove_by_subject_and_save_to_kernel-in.txt
similarity index 100%
rename from tests/data/remove_rule-in.txt
rename to tests/data/rule_set_remove_by_subject_and_save_to_kernel-in.txt
-- 
2.7.4