Commit 522576db authored by Josh Kunz's avatar Josh Kunz

Add Annotation skeleton

parent faad1ee5
......@@ -7,8 +7,9 @@ LDADD = ../lib/ ${MUL_LIBS} $(GLIB_LIBS) $(PROTOC_LIBS) \
-lpthread -lssl $(LIBCAP_LIBS)
noinst_HEADERS = \
$(top_srcdir)/include/capnet_log.h crc.h controller.h metadata.h dispatch.h \
obj_decl.h obj.h errors.h
obj_decl.h obj_internal.h obj.h errors.h
capnet_controller_SOURCES = crc.c \
metadata.c metadata_openstack.c metadata_file.c errors.c \
obj_callback.c obj_waiting.c obj.c dispatch.c controller.c mul_app_main.c
obj_callback.c obj_waiting.c obj_internal.c obj.c dispatch.c \
controller.c mul_app_main.c
capnet_controller_CFLAGS = -DMUL_APP_V2_MLAPI -DMUL_APP_VTY
......@@ -12,6 +12,10 @@ static const char * ERROR_DESCs[] = {
"The capability does not have the rights to perform that operation",
"The sealer provided is not the sealer used to seal this capability",
"Attempted to create an item when that item already exists",
"The item does not exists",
static inline int error_index(int err) {
#ifndef __ERRORS_H__
#define __ERRORS_H__
// We start at 10 so that any previous error codes are not erroneusly
// categorized.
#define __ERROR_BASE 10
#define EEMPTY -10
......@@ -8,9 +10,11 @@
#define EWASREPLY -12
#define EBADRIGHTS -13
#define EBADSEALER -14
#define EEXISTS -15
#define ENOTEXISTS -16
/* Update this when you add a new error */
#define __ERROR_MAX 14
#define __ERROR_MAX 16
const char * cn_error_desc(int err);
This diff is collapsed.
......@@ -528,31 +528,37 @@ enum cn_membrane_type {
enum cn_sealer_unsealer_capability {
typedef uint64_t method_mask_t;
static const method_mask_t METHOD_MASK_MAX = UINT64_MAX;
struct cn_cnode_meta_wrapper;
typedef struct cn_cnode_meta_wrapper * cn_wrapper_t;
typedef struct {
const cn_obj_t * declassifier;
method_mask_t method_mask;
/* Arbitrairy data field for the party adding the annotation to store
* information in */
struct {
void * val;
/* If not NULL, it is invoked on 'val' when the annotation is copied. */
void (*copy_f)(void *);
/* If not NULL, it is invoked on 'val' when the annotation is freed */
void (*free_f)(void *);
} data;
} cn_annotation_t;
/* All locking and refcounting of this object is done via the libcap library
* itself. Be careful you understand the semantic guarantees of those locks
* when working with instances of these objects. */
typedef struct {
union {
struct {
enum cn_membrane_type type;
} membrane;
struct {
enum cn_sealer_unsealer_capability capability;
} sealer_unsealer;
/* Stack of wrappers currently wrapped around this object. */
GList * wrappers;
/* The set of annotations currently applied to this object. The keys are
* the declassifiers of the annotations. The values are the actual annotations.
* As a side-effect of this, only one annotation can be added for each
* declassifier. If changes are needed, the annotation must be removed
* and then re-added. */
GHashTable * annotations;
/* Cache that is the logical AND of all of the method masks in
* the annotations. It is re-calculated when the annotations change. */
method_mask_t method_mask_cache;
} cn_cnode_meta_t;
struct cn_node_grant {
......@@ -725,33 +731,60 @@ void cn_cnode_meta_free(cn_cnode_meta_t *m);
int cn_cnode_meta_copy(cn_cnode_meta_t *m, cn_cnode_meta_t **copy);
/* Returns true if the given meta object is wrapped */
bool cn_cnode_meta_is_wrapped(cn_cnode_meta_t *m);
bool cn_cnode_meta_is_annotated(cn_cnode_meta_t *m);
/* Returns true if the given cnode meta object has an annotation from the given
* object */
bool cn_cnode_meta_is_annotated_by(cn_cnode_meta_t *m, const cn_obj_t *obj);
/* Returns true if the given cnode is annotated */
bool cn_cnode_is_annotated(struct cnode *c);
/* Returns true if the given cnode is annotated by the given object. */
bool cn_cnode_is_annotated_by(struct cnode *c, const cn_obj_t *obj);
/* Add the annotation the set of annotations on the metadata. */
int cn_cnode_meta_add_annotation(cn_cnode_meta_t *m, cn_annotation_t * a);
/* Get the annotation that can be declassified using the given object. Returns
* 0 on success, ENOTEXISTS on failure. */
int cn_cnode_meta_get_annotation_by(cn_cnode_meta_t *m, cn_obj_t *obj,
cn_annotation_t **a_out);
/* Remove the annotation with a declassifier matching 'obj' from the set of
* annotations for the metadata.
* Frees the memory associated with that annotation. */
int cn_cnode_meta_remove_annotation_by(cn_cnode_meta_t *m, const cn_obj_t *obj);
/* --------- annotation interface ---------- */
/* Annotations */
/* Returns true if the given cnode is wrapped */
bool cn_cnode_is_wrapped(struct cnode *c);
/* Create a new annotation */
int cn_annotation_new(cn_annotation_t **a);
int cn_cnode_meta_wrapper_new(cn_membrane_t * m, enum cn_membrane_type type,
cn_wrapper_t * o_wrapper);
/* Copy the annotation */
int cn_annotation_copy(cn_annotation_t *a, cn_annotation_t **a_copy);
int cn_cnode_meta_wrapper_copy(cn_wrapper_t * dest, cn_wrapper_t src);
/* Free an annotation created with cn_annotation_new, or cn_annotation_copy */
void cn_annotation_free(cn_annotation_t *a);
void cn_cnode_meta_wrapper_free(cn_wrapper_t wrapper);
/* method_masks */
bool cn_cnode_meta_wrapper_eq(cn_wrapper_t a, cn_wrapper_t b);
/* Allow all operations */
void cn_method_mask_permission_all(method_mask_t * mask);
/* Try to wrap the given meta object with the given wrapper. */
int cn_cnode_meta_wrap(cn_cnode_meta_t *m, cn_wrapper_t wrapper);
/* Prevent all operations */
void cn_method_mask_permission_none(method_mask_t * mask);
/* Unwrap the meta object with the given wrapper. It will fail if the given
* wrapper does not match the outermost wrapper. */
int cn_cnode_meta_unwrap(cn_cnode_meta_t *m, cn_wrapper_t wrapper);
/* Set this given permission to allow */
void cn_method_mask_permission_set(method_mask_t * mask, cn_method_t m);
/* Pretty self-explanitory. Returns true if the given wrapper matches the
* outermost wraper. */
bool cn_cnode_meta_outermost_wrapper_matches(cn_cnode_meta_t *m, cn_wrapper_t wrapper);
/* Set the given permission to deny */
void cn_method_mask_permission_clear(method_mask_t * mask, cn_method_t m);
/* Returns NULL if there is no outermost wrapper */
cn_wrapper_t cn_cnode_meta_outermost_wrapper(cn_cnode_meta_t *m);
/* Returns true if the given permission is set, returns false otherwise */
bool cn_method_mask_permission_is_set(method_mask_t * mask, cn_method_t m);
/* --------- libcap conversions ---------- */
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment