From 94509cbdc2fe799327bbc202ff8a166c8d589736 Mon Sep 17 00:00:00 2001 From: Jarkko Sakkinen Date: Sat, 27 Nov 2010 13:46:16 -0800 Subject: [PATCH] Pass label set as parameter in rule set API instead of attach function to make its usage more documented and robust. NULL can be given if long label support is not needed. No function in rule set API adds new labels to label set but checks against existing repository. --- src/smack.h | 67 +++++++++++++++++++++++++++++++++++------------------ src/smack_rules.c | 49 ++++++++++++++++++--------------------- tests/check_rules.c | 40 ++++++++++++++------------------ 3 files changed, 85 insertions(+), 71 deletions(-) diff --git a/src/smack.h b/src/smack.h index 586d7f4..4ec8002 100644 --- a/src/smack.h +++ b/src/smack.h @@ -81,17 +81,6 @@ extern SmackRuleSet smack_rule_set_new_from_file(const char *path, extern void smack_rule_set_delete(SmackRuleSet handle); /*! - * Attach label set to rule set to enabled transparent long name conversion. - * Note: does not take ownership of label set so caller must take care of - * freeing it. - * - * @param rules rule set - * @param labels label set - */ -extern void smack_rule_set_attach_label_set(SmackRuleSet rules, - SmackLabelSet labels); - -/*! * Write rules to a given file. * * @param handle handle to a rules @@ -113,54 +102,86 @@ extern int smack_rule_set_save_to_kernel(SmackRuleSet handle, const char *path); * Add new rule to a rule set. Updates existing rule if there is already rule * for the given subject and object. * - * @param handle handle to a rules + * Takes subject and object as long names and maps them to short names if the + * parameter labels is given (not set to NULL). In this case, if short labels + * are not found, this function fails and executes no action. + * + * @param handle handle to a rule set * @param subject subject of the rule * @param object object of the rule - * @param access string defining access type + * @param access access string (rwxa) + * @param labels handle to a label set * @return 0 on success */ extern int smack_rule_set_add(SmackRuleSet handle, const char *subject, - const char *object, const char *access); + const char *object, const char *access, + SmackLabelSet labels); /*! * Remove rule from a rule set. * - * @param handle handle to a rules + * Takes subject and object as long names and maps them to short names if the + * parameter labels is given (not set to NULL). In this case, if short labels + * are not found, this function fails and executes no action. + * + * @param handle handle to a rule set * @param subject subject of the rule * @param object object of the rule + * @param labels handle to a label set + * @return 0 on success */ extern void smack_rule_set_remove(SmackRuleSet handle, const char *subject, - const char *object); + const char *object, SmackLabelSet labels); /*! * Remove all rules with the given subject from a rule set. * - * @param handle handle to a rules + * Takes subject as long name and maps it to short name if the + * parameter labels is given (not set to NULL). In this case, + * if short label is not found, this function fails and executes + * no action. + * + * @param handle handle to a rule set * @param subject subject of the rule + * @param labels handle to a label set */ extern void smack_rule_set_remove_by_subject(SmackRuleSet handle, - const char *subject); + const char *subject, + SmackLabelSet labels); /*! * Remove all rules with the given object from a rule set. + + * Takes subject as long name and maps it to short name if the + * parameter labels is given (not set to NULL). In this case, + * if short label is not found, this function fails and executes + * no action. * - * @param handle handle to a rules + * @param handle handle to a rule set * @param object object of the rule + * @param labels handle to a label set */ extern void smack_rule_set_remove_by_object(SmackRuleSet handle, - const char *object); + const char *object, + SmackLabelSet labels); /*! - * Does the given subject have at least the given access to the given object? + * Check access to a give object. * - * @param handle handle to a rules + * Takes subject and object as long names and maps them to short names if the + * parameter labels is given (not set to NULL). In this case, if short labels + * are not found, this function fails and executes no action. + * + * @param handle handle to a rule set * @param subject subject of the rule * @param object object of the rule * @param access string defining access type + * @param labels handle to a label set * @return boolean value */ extern int smack_rule_set_have_access(SmackRuleSet handle, const char *subject, - const char *object, const char *access); + const char *object, const char *access, + SmackLabelSet labels); /*! * Create a new label set. The returned rule set must be freed with diff --git a/src/smack_rules.c b/src/smack_rules.c index 7c02e98..98501f8 100644 --- a/src/smack_rules.c +++ b/src/smack_rules.c @@ -44,7 +44,6 @@ struct smack_subject { struct _SmackRuleSet { struct smack_subject *subjects; - SmackLabelSet labels; }; static int update_rule(struct smack_subject **subjects, @@ -135,12 +134,6 @@ void smack_rule_set_delete(SmackRuleSet handle) free(handle); } -void smack_rule_set_attach_label_set(SmackRuleSet rules, - SmackLabelSet labels) -{ - rules->labels = labels; -} - int smack_rule_set_save_to_file(SmackRuleSet handle, const char *path) { struct smack_subject *s, *stmp; @@ -202,14 +195,15 @@ int smack_rule_set_save_to_kernel(SmackRuleSet handle, const char *path) } int smack_rule_set_add(SmackRuleSet handle, const char *subject, - const char *object, const char *access_str) + const char *object, const char *access_str, + SmackLabelSet labels) { unsigned access; int ret; - if (handle->labels != NULL) { - subject = smack_label_set_to_short_name(handle->labels, subject); - object = smack_label_set_to_short_name(handle->labels, object); + if (labels != NULL) { + subject = smack_label_set_to_short_name(labels, subject); + object = smack_label_set_to_short_name(labels, object); if (subject == NULL || object == NULL) return -1; @@ -221,14 +215,14 @@ int smack_rule_set_add(SmackRuleSet handle, const char *subject, } void smack_rule_set_remove(SmackRuleSet handle, const char *subject, - const char *object) + const char *object, SmackLabelSet labels) { struct smack_subject *s = NULL; struct smack_object *o = NULL; - if (handle->labels != NULL) { - subject = smack_label_set_to_short_name(handle->labels, subject); - object = smack_label_set_to_short_name(handle->labels, object); + if (labels != NULL) { + subject = smack_label_set_to_short_name(labels, subject); + object = smack_label_set_to_short_name(labels, object); if (subject == NULL || object == NULL) return; @@ -247,13 +241,14 @@ void smack_rule_set_remove(SmackRuleSet handle, const char *subject, return; } -void smack_rule_set_remove_by_subject(SmackRuleSet handle, const char *subject) +void smack_rule_set_remove_by_subject(SmackRuleSet handle, const char *subject, + SmackLabelSet labels) { struct smack_subject *s = NULL; struct smack_object *o = NULL, *tmp = NULL; - if (handle->labels != NULL) { - subject = smack_label_set_to_short_name(handle->labels, subject); + if (labels != NULL) { + subject = smack_label_set_to_short_name(labels, subject); if (subject == NULL) return; @@ -269,13 +264,14 @@ void smack_rule_set_remove_by_subject(SmackRuleSet handle, const char *subject) } } -void smack_rule_set_remove_by_object(SmackRuleSet handle, const char *object) +void smack_rule_set_remove_by_object(SmackRuleSet handle, const char *object, + SmackLabelSet labels) { struct smack_subject *s = NULL, *tmp = NULL; struct smack_object *o = NULL; - if (handle->labels != NULL) { - object = smack_label_set_to_short_name(handle->labels, object); + if (labels != NULL) { + object = smack_label_set_to_short_name(labels, object); if (object == NULL) return; @@ -289,18 +285,19 @@ void smack_rule_set_remove_by_object(SmackRuleSet handle, const char *object) } int smack_rule_set_have_access(SmackRuleSet handle, const char *subject, - const char *object, const char *access_str) + const char *object, const char *access_str, + SmackLabelSet labels) { struct smack_subject *s = NULL; struct smack_object *o = NULL; unsigned ac; - if (handle->labels != NULL) { - subject = smack_label_set_to_short_name(handle->labels, subject); - object = smack_label_set_to_short_name(handle->labels, object); + if (labels != NULL) { + subject = smack_label_set_to_short_name(labels, subject); + object = smack_label_set_to_short_name(labels, object); if (subject == NULL || object == NULL) - return -1; + return; } ac = str_to_ac(access_str); diff --git a/tests/check_rules.c b/tests/check_rules.c index 571887b..70be0bf 100644 --- a/tests/check_rules.c +++ b/tests/check_rules.c @@ -35,7 +35,7 @@ START_TEST(test_add_new_rule) int rc; SmackRuleSet rules = smack_rule_set_new_from_file("data/add_new_rule-in.txt", NULL); fail_unless(rules != NULL, "Reading rules failed"); - rc = smack_rule_set_add(rules, "Orange", "Apple", "ra"); + rc = smack_rule_set_add(rules, "Orange", "Apple", "ra", NULL); fail_unless(rc == 0, "Failed to add rule"); rc = smack_rule_set_save_to_kernel(rules, "add_new_rule-result.txt"); fail_unless(rc == 0, "Failed to write ruleset"); @@ -51,7 +51,7 @@ START_TEST(test_modify_existing_rule) int rc; SmackRuleSet rules = smack_rule_set_new_from_file("data/modify_existing_rule-in.txt", NULL); fail_unless(rules != NULL, "Reading rules failed"); - rc = smack_rule_set_add(rules, "Foo", "Bar", "wx"); + rc = smack_rule_set_add(rules, "Foo", "Bar", "wx", NULL); fail_unless(rc == 0, "Failed to add rule"); rc = smack_rule_set_save_to_kernel(rules, "modify_existing_rule-result.txt"); fail_unless(rc == 0, "Failed to write ruleset"); @@ -92,7 +92,7 @@ START_TEST(test_remove_rule) int rc; SmackRuleSet rules = smack_rule_set_new_from_file("data/remove_rule-in.txt", NULL); fail_unless(rules != NULL, "Reading rules failed"); - smack_rule_set_remove(rules, "Orange", "Apple"); + smack_rule_set_remove(rules, "Orange", "Apple", NULL); rc = smack_rule_set_save_to_kernel(rules, "remove_rule-result.txt"); fail_unless(rc == 0, "Failed to write ruleset"); rc = files_equal("remove_rule-result.txt", "data/remove_rule-excepted.txt"); @@ -106,7 +106,7 @@ START_TEST(test_remove_rules_by_subject) int rc; SmackRuleSet rules = smack_rule_set_new_from_file("data/remove_rules_by_subject-in.txt", NULL); fail_unless(rules != NULL, "Reading rules failed"); - smack_rule_set_remove_by_subject(rules, "Foo"); + smack_rule_set_remove_by_subject(rules, "Foo", NULL); rc = smack_rule_set_save_to_kernel(rules, "remove_rules_by_subject-result.txt"); fail_unless(rc == 0, "Failed to write ruleset"); rc = files_equal("remove_rules_by_subject-result.txt", "data/remove_rules_by_subject-excepted.txt"); @@ -120,7 +120,7 @@ START_TEST(test_remove_rules_by_object) int rc; SmackRuleSet rules = smack_rule_set_new_from_file("data/remove_rules_by_object-in.txt", NULL); fail_unless(rules != NULL, "Reading rules failed"); - smack_rule_set_remove_by_object(rules, "Apple"); + smack_rule_set_remove_by_object(rules, "Apple", NULL); rc = smack_rule_set_save_to_kernel(rules, "remove_rules_by_object-result.txt"); fail_unless(rc == 0, "Failed to write ruleset"); rc = files_equal("remove_rules_by_object-result.txt", "data/remove_rules_by_object-excepted.txt"); @@ -134,7 +134,7 @@ START_TEST(test_have_access_rule) int rc; SmackRuleSet rules = smack_rule_set_new_from_file("data/have_access_rule-in.txt", "Orange"); fail_unless(rules != NULL, "Reading rules failed"); - rc = smack_rule_set_have_access(rules, "Orange", "Apple", "a"); + rc = smack_rule_set_have_access(rules, "Orange", "Apple", "a", NULL); fail_unless(rc, "Have access \"a\" failed"); smack_rule_set_delete(rules); } @@ -145,14 +145,14 @@ START_TEST(test_have_access_removed_rule) int rc; SmackRuleSet rules = smack_rule_set_new_from_file("data/have_access_rule-in.txt", "Orange"); fail_unless(rules != NULL, "Reading rules failed"); - smack_rule_set_remove(rules, "Orange", "Apple"); - rc = smack_rule_set_have_access(rules, "Orange", "Apple", "a"); + smack_rule_set_remove(rules, "Orange", "Apple", NULL); + rc = smack_rule_set_have_access(rules, "Orange", "Apple", "a", NULL); fail_unless(!rc, "Has access to a removed rule"); smack_rule_set_delete(rules); } END_TEST -START_TEST(test_rule_set_attach_label_set_add_remove_rule) +START_TEST(test_rule_set_add_remove_long) { int rc; const char *sn; @@ -163,26 +163,24 @@ START_TEST(test_rule_set_attach_label_set_add_remove_rule) SmackLabelSet labels = smack_label_set_new(); fail_unless(labels != NULL, "Creating label set failed"); - smack_rule_set_attach_label_set(rules, labels); - sn = smack_label_set_add(labels, LONG_LABEL_1); fail_unless(sn != NULL, "Adding label was not succesful"); sn = smack_label_set_add(labels, LONG_LABEL_2); fail_unless(sn != NULL, "Adding label was not succesful"); - rc = smack_rule_set_add(rules, LONG_LABEL_1, LONG_LABEL_2, "rx"); + rc = smack_rule_set_add(rules, LONG_LABEL_1, LONG_LABEL_2, "rx", labels); fail_unless(rc == 0, "Adding rule was not succesful"); - rc = smack_rule_set_add(rules, LONG_LABEL_2, LONG_LABEL_1, "rwa"); + rc = smack_rule_set_add(rules, LONG_LABEL_2, LONG_LABEL_1, "rwa", labels); fail_unless(rc == 0, "Adding rule was not succesful"); - smack_rule_set_remove(rules, LONG_LABEL_1, LONG_LABEL_2); + smack_rule_set_remove(rules, LONG_LABEL_1, LONG_LABEL_2, labels); - rc = smack_rule_set_have_access(rules, LONG_LABEL_2, LONG_LABEL_1, "a"); + rc = smack_rule_set_have_access(rules, LONG_LABEL_2, LONG_LABEL_1, "a", labels); fail_unless(rc, "Access failure"); - rc = smack_rule_set_have_access(rules, LONG_LABEL_1, LONG_LABEL_2, "r"); + rc = smack_rule_set_have_access(rules, LONG_LABEL_1, LONG_LABEL_2, "r", labels); fail_unless(!rc, "Access failure"); smack_rule_set_delete(rules); @@ -190,7 +188,7 @@ START_TEST(test_rule_set_attach_label_set_add_remove_rule) } END_TEST -START_TEST(test_rule_set_attach_label_set_add_rule_no_labels) +START_TEST(test_rule_set_add_long_no_labels) { int rc; @@ -200,9 +198,7 @@ START_TEST(test_rule_set_attach_label_set_add_rule_no_labels) SmackLabelSet labels = smack_label_set_new(); fail_unless(labels != NULL, "Creating label set failed"); - smack_rule_set_attach_label_set(rules, labels); - - rc = smack_rule_set_add(rules, LONG_LABEL_1, LONG_LABEL_2, "rx"); + rc = smack_rule_set_add(rules, LONG_LABEL_1, LONG_LABEL_2, "rx", labels); fail_unless(rc != 0, "Adding rule was succesful"); smack_rule_set_delete(rules); @@ -227,8 +223,8 @@ Suite *ruleset_suite (void) tcase_add_test(tc_core, test_remove_rules_by_object); tcase_add_test(tc_core, test_have_access_rule); tcase_add_test(tc_core, test_have_access_removed_rule); - tcase_add_test(tc_core, test_rule_set_attach_label_set_add_remove_rule); - tcase_add_test(tc_core, test_rule_set_attach_label_set_add_rule_no_labels); + tcase_add_test(tc_core, test_rule_set_add_remove_long); + tcase_add_test(tc_core, test_rule_set_add_long_no_labels); suite_add_tcase(s, tc_core); return s; -- 2.7.4