From c02bf9709dd3536a47beeee400c345e64591b02e Mon Sep 17 00:00:00 2001
From: Rafal Krypa <r.krypa@samsung.com>
Date: Thu, 13 Dec 2012 19:02:09 +0100
Subject: [PATCH] Revert "Smack: add support for modification of existing
 rules"

This reverts commit 3cf5b164d32a648a627506a21d2fc6a6c24a2808.

Change-Id: Ia099ccd24faf7556771e0fd08184bc6065db92a8
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Reviewed-on: http://165.213.202.130:8080/53905
Reviewed-by: Kyungmin Park <kyungmin.park@samsung.com>
Tested-by: Kyungmin Park <kyungmin.park@samsung.com>
---
 Documentation/security/Smack.txt |  11 ---
 security/smack/smackfs.c         | 152 +++++++++----------------------
 2 files changed, 41 insertions(+), 122 deletions(-)

diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
index ea20fa243169..e68536d85680 100644
--- a/Documentation/security/Smack.txt
+++ b/Documentation/security/Smack.txt
@@ -118,17 +118,6 @@ access2
 ambient
 	This contains the Smack label applied to unlabeled network
 	packets.
-change-rule
-	This interface allows modification of existing access control rules.
-	The format accepted on write is:
-		"%s %s %s %s"
-	where the first string is the subject label, the second the
-	object label, the third the access to allow and the fourth the
-	access to deny. The access strings may contain only the characters
-	"rwxat-". If a rule for a given subject and object exists it will be
-	modified by enabling the permissions in the third string and disabling
-	those in the fourth string. If there is no such rule it will be
-	created using the access specified in the third and the fourth strings.
 cipso
 	This interface allows a specific CIPSO header to be assigned
 	to a Smack label. The format accepted on write is:
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 952789b95cc0..337e32c551da 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -50,7 +50,6 @@ enum smk_inos {
 	SMK_ACCESS2	= 16,	/* make an access check with long labels */
 	SMK_CIPSO2	= 17,	/* load long label -> CIPSO mapping */
 	SMK_REVOKE_SUBJ	= 18,	/* set rules with subject label to '-' */
-	SMK_CHANGE_RULE	= 19,	/* change or add rules (long labels) */
 };
 
 /*
@@ -210,52 +209,11 @@ static int smk_set_access(struct smack_rule *srp, struct list_head *rule_list,
 	return found;
 }
 
-/**
- * smk_perm_from_str - parse smack accesses from a text string
- * @string: a text string that contains a Smack accesses code
- *
- * Returns an integer with respective bits set for specified accesses.
- */
-static int smk_perm_from_str(const char *string)
-{
-	int perm = 0;
-	const char *cp;
-
-	for (cp = string; ; cp++)
-		switch (*cp) {
-		case '-':
-			break;
-		case 'r':
-		case 'R':
-			perm |= MAY_READ;
-			break;
-		case 'w':
-		case 'W':
-			perm |= MAY_WRITE;
-			break;
-		case 'x':
-		case 'X':
-			perm |= MAY_EXEC;
-			break;
-		case 'a':
-		case 'A':
-			perm |= MAY_APPEND;
-			break;
-		case 't':
-		case 'T':
-			perm |= MAY_TRANSMUTE;
-			break;
-		default:
-			return perm;
-		}
-}
-
 /**
  * smk_fill_rule - Fill Smack rule from strings
  * @subject: subject label string
  * @object: object label string
  * @access: access string
- * @access_remove: string with permissions to be removed
  * @rule: Smack rule
  * @import: if non-zero, import labels
  * @len: label length limit
@@ -263,10 +221,9 @@ static int smk_perm_from_str(const char *string)
  * Returns 0 on success, -1 on failure
  */
 static int smk_fill_rule(const char *subject, const char *object,
-				const char *access, const char *access_remove,
-				struct smack_rule *rule, int import, int len)
+				const char *access, struct smack_rule *rule,
+				int import, int len)
 {
-	int rc = -1;
 	const char *cp;
 	struct smack_known *skp;
 
@@ -298,11 +255,36 @@ static int smk_fill_rule(const char *subject, const char *object,
 		rule->smk_object = skp->smk_known;
 	}
 
-	if (access_remove) {
-		rule->smk_access |= smk_perm_from_str(access);
-		rule->smk_access &= ~smk_perm_from_str(access_remove);
-	} else
-		rule->smk_access = smk_perm_from_str(access);
+	rule->smk_access = 0;
+
+	for (cp = access; *cp != '\0'; cp++) {
+		switch (*cp) {
+		case '-':
+			break;
+		case 'r':
+		case 'R':
+			rule->smk_access |= MAY_READ;
+			break;
+		case 'w':
+		case 'W':
+			rule->smk_access |= MAY_WRITE;
+			break;
+		case 'x':
+		case 'X':
+			rule->smk_access |= MAY_EXEC;
+			break;
+		case 'a':
+		case 'A':
+			rule->smk_access |= MAY_APPEND;
+			break;
+		case 't':
+		case 'T':
+			rule->smk_access |= MAY_TRANSMUTE;
+			break;
+		default:
+			return 0;
+		}
+	}
 
 	return 0;
 }
@@ -320,8 +302,8 @@ static int smk_parse_rule(const char *data, struct smack_rule *rule, int import)
 	int rc;
 
 	rc = smk_fill_rule(data, data + SMK_LABELLEN,
-			   data + SMK_LABELLEN + SMK_LABELLEN, NULL, rule,
-			   import, SMK_LABELLEN);
+			   data + SMK_LABELLEN + SMK_LABELLEN, rule, import,
+			   SMK_LABELLEN);
 	return rc;
 }
 
@@ -330,17 +312,15 @@ static int smk_parse_rule(const char *data, struct smack_rule *rule, int import)
  * @data: string to be parsed, null terminated
  * @rule: Smack rule
  * @import: if non-zero, import labels
- * @change: if non-zero, data is from /smack/change-rule
  *
  * Returns 0 on success, -1 on failure
  */
 static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
-				int import, int change)
+				int import)
 {
 	char *subject;
 	char *object;
 	char *access;
-	char *access_remove;
 	int datalen;
 	int rc = -1;
 
@@ -357,23 +337,10 @@ static int smk_parse_long_rule(const char *data, struct smack_rule *rule,
 	access = kzalloc(datalen, GFP_KERNEL);
 	if (access == NULL)
 		goto free_out_o;
-	access_remove = kzalloc(datalen, GFP_KERNEL);
-	if (access_remove == NULL)
-		goto free_out_a;
-
-	if (change) {
-		if (sscanf(data, "%s %s %s %s",
-			subject, object, access, access_remove) == 4)
-			rc = smk_fill_rule(subject, object, access,
-				access_remove, rule, import, 0);
-	} else {
-		if (sscanf(data, "%s %s %s", subject, object, access) == 3)
-			rc = smk_fill_rule(subject, object, access,
-				NULL, rule, import, 0);
-	}
 
-	kfree(access_remove);
-free_out_a:
+	if (sscanf(data, "%s %s %s", subject, object, access) == 3)
+		rc = smk_fill_rule(subject, object, access, rule, import, 0);
+
 	kfree(access);
 free_out_o:
 	kfree(object);
@@ -384,7 +351,6 @@ free_out_s:
 
 #define SMK_FIXED24_FMT	0	/* Fixed 24byte label format */
 #define SMK_LONG_FMT	1	/* Variable long label format */
-#define SMK_CHANGE_FMT	2	/* Rule modification format */
 /**
  * smk_write_rules_list - write() for any /smack rule file
  * @file: file pointer, not actually used
@@ -393,16 +359,13 @@ free_out_s:
  * @ppos: where to start - must be 0
  * @rule_list: the list of rules to write to
  * @rule_lock: lock for the rule list
- * @format: /smack/load or /smack/load2 or /smack/change-rule format.
+ * @format: /smack/load or /smack/load2 format.
  *
  * Get one smack access rule from above.
  * The format for SMK_LONG_FMT is:
  *	"subject<whitespace>object<whitespace>access[<whitespace>...]"
  * The format for SMK_FIXED24_FMT is exactly:
  *	"subject                 object                  rwxat"
- * The format for SMK_CHANGE_FMT is:
- *	"subject<whitespace>object<whitespace>
- *	 acc_enable<whitespace>acc_disable[<whitespace>...]"
  */
 static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
 					size_t count, loff_t *ppos,
@@ -454,11 +417,7 @@ static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
 		 * Be sure the data string is terminated.
 		 */
 		data[count] = '\0';
-		if (smk_parse_long_rule(data, rule, 1, 0))
-			goto out_free_rule;
-	} else if (format == SMK_CHANGE_FMT) {
-		data[count] = '\0';
-		if (smk_parse_long_rule(data, rule, 1, 1))
+		if (smk_parse_long_rule(data, rule, 1))
 			goto out_free_rule;
 	} else {
 		/*
@@ -1837,7 +1796,7 @@ static ssize_t smk_user_access(struct file *file, const char __user *buf,
 			return -ENOMEM;
 		memcpy(cod, data, count);
 		cod[count] = '\0';
-		res = smk_parse_long_rule(cod, &rule, 0, 0);
+		res = smk_parse_long_rule(cod, &rule, 0);
 		kfree(cod);
 	}
 
@@ -2115,33 +2074,6 @@ static int smk_init_sysfs(void)
 	return 0;
 }
 
-/**
- * smk_write_change_rule - write() for /smack/change-rule
- * @file: file pointer
- * @buf: data from user space
- * @count: bytes sent
- * @ppos: where to start - must be 0
- */
-static ssize_t smk_write_change_rule(struct file *file, const char __user *buf,
-				size_t count, loff_t *ppos)
-{
-	/*
-	 * Must have privilege.
-	 */
-	if (!capable(CAP_MAC_ADMIN))
-		return -EPERM;
-
-	return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
-				    SMK_CHANGE_FMT);
-}
-
-static const struct file_operations smk_change_rule_ops = {
-	.write		= smk_write_change_rule,
-	.read		= simple_transaction_read,
-	.release	= simple_transaction_release,
-	.llseek		= generic_file_llseek,
-};
-
 /**
  * smk_fill_super - fill the /smackfs superblock
  * @sb: the empty superblock
@@ -2191,8 +2123,6 @@ static int smk_fill_super(struct super_block *sb, void *data, int silent)
 		[SMK_REVOKE_SUBJ] = {
 			"revoke-subject", &smk_revoke_subj_ops,
 			S_IRUGO|S_IWUSR},
-		[SMK_CHANGE_RULE] = {
-			"change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR},
 		/* last one */
 			{""}
 	};
-- 
2.34.1