Commit 522576db authored by Josh Kunz's avatar Josh Kunz

Add Annotation skeleton

parent faad1ee5
......@@ -7,8 +7,9 @@ LDADD = ../lib/libcapnet-lib.la ${MUL_LIBS} $(GLIB_LIBS) $(PROTOC_LIBS) \
-lpthread -lssl $(LIBCAP_LIBS)
noinst_HEADERS = \
$(top_srcdir)/include/capnet_log.h crc.h controller.h metadata.h dispatch.h \
obj_decl.h obj.h errors.h
obj_decl.h obj_internal.h obj.h errors.h
capnet_controller_SOURCES = crc.c \
metadata.c metadata_openstack.c metadata_file.c errors.c \
obj_callback.c obj_waiting.c obj.c dispatch.c controller.c mul_app_main.c
obj_callback.c obj_waiting.c obj_internal.c obj.c dispatch.c \
controller.c mul_app_main.c
capnet_controller_CFLAGS = -DMUL_APP_V2_MLAPI -DMUL_APP_VTY
......@@ -12,6 +12,10 @@ static const char * ERROR_DESCs[] = {
"The capability does not have the rights to perform that operation",
// EBADSEALER
"The sealer provided is not the sealer used to seal this capability",
// EEXISTS
"Attempted to create an item when that item already exists",
// ENOTEXISTS
"The item does not exists",
};
static inline int error_index(int err) {
......
#ifndef __ERRORS_H__
#define __ERRORS_H__
// We start at 10 so that any previous error codes are not erroneusly
// categorized.
#define __ERROR_BASE 10
#define EEMPTY -10
......@@ -8,9 +10,11 @@
#define EWASREPLY -12
#define EBADRIGHTS -13
#define EBADSEALER -14
#define EEXISTS -15
#define ENOTEXISTS -16
/* Update this when you add a new error */
#define __ERROR_MAX 14
#define __ERROR_MAX 16
const char * cn_error_desc(int err);
......
This diff is collapsed.
......@@ -528,31 +528,37 @@ enum cn_membrane_type {
CN_MEMBRANE_TYPE_EXTERNAL
};
enum cn_sealer_unsealer_capability {
CN_SEALER_UNSEALER_CAPABILITY_NONE = 0x0,
CN_SEALER_UNSEALER_CAPABILITY_SEAL = 0x1,
CN_SEALER_UNSEALER_CAPABILITY_UNSEAL = 0x2,
CN_SEALER_UNSEALER_CAPABILITY_ALL = 0x3
};
typedef uint64_t method_mask_t;
static const method_mask_t METHOD_MASK_MAX = UINT64_MAX;
struct cn_cnode_meta_wrapper;
typedef struct cn_cnode_meta_wrapper * cn_wrapper_t;
typedef struct {
const cn_obj_t * declassifier;
method_mask_t method_mask;
/* Arbitrairy data field for the party adding the annotation to store
* information in */
struct {
void * val;
/* If not NULL, it is invoked on 'val' when the annotation is copied. */
void (*copy_f)(void *);
/* If not NULL, it is invoked on 'val' when the annotation is freed */
void (*free_f)(void *);
} data;
} cn_annotation_t;
/* All locking and refcounting of this object is done via the libcap library
* itself. Be careful you understand the semantic guarantees of those locks
* when working with instances of these objects. */
typedef struct {
union {
struct {
enum cn_membrane_type type;
} membrane;
struct {
enum cn_sealer_unsealer_capability capability;
} sealer_unsealer;
};
/* Stack of wrappers currently wrapped around this object. */
GList * wrappers;
/* The set of annotations currently applied to this object. The keys are
* the declassifiers of the annotations. The values are the actual annotations.
* As a side-effect of this, only one annotation can be added for each
* declassifier. If changes are needed, the annotation must be removed
* and then re-added. */
GHashTable * annotations;
/* Cache that is the logical AND of all of the method masks in
* the annotations. It is re-calculated when the annotations change. */
method_mask_t method_mask_cache;
} cn_cnode_meta_t;
struct cn_node_grant {
......@@ -725,33 +731,60 @@ void cn_cnode_meta_free(cn_cnode_meta_t *m);
int cn_cnode_meta_copy(cn_cnode_meta_t *m, cn_cnode_meta_t **copy);
/* Returns true if the given meta object is wrapped */
bool cn_cnode_meta_is_wrapped(cn_cnode_meta_t *m);
bool cn_cnode_meta_is_annotated(cn_cnode_meta_t *m);
/* Returns true if the given cnode meta object has an annotation from the given
* object */
bool cn_cnode_meta_is_annotated_by(cn_cnode_meta_t *m, const cn_obj_t *obj);
/* Returns true if the given cnode is annotated */
bool cn_cnode_is_annotated(struct cnode *c);
/* Returns true if the given cnode is annotated by the given object. */
bool cn_cnode_is_annotated_by(struct cnode *c, const cn_obj_t *obj);
/* Add the annotation the set of annotations on the metadata. */
int cn_cnode_meta_add_annotation(cn_cnode_meta_t *m, cn_annotation_t * a);
/* Get the annotation that can be declassified using the given object. Returns
* 0 on success, ENOTEXISTS on failure. */
int cn_cnode_meta_get_annotation_by(cn_cnode_meta_t *m, cn_obj_t *obj,
cn_annotation_t **a_out);
/* Remove the annotation with a declassifier matching 'obj' from the set of
* annotations for the metadata.
* Frees the memory associated with that annotation. */
int cn_cnode_meta_remove_annotation_by(cn_cnode_meta_t *m, const cn_obj_t *obj);
/* --------- annotation interface ---------- */
/* Annotations */
/* Returns true if the given cnode is wrapped */
bool cn_cnode_is_wrapped(struct cnode *c);
/* Create a new annotation */
int cn_annotation_new(cn_annotation_t **a);
int cn_cnode_meta_wrapper_new(cn_membrane_t * m, enum cn_membrane_type type,
cn_wrapper_t * o_wrapper);
/* Copy the annotation */
int cn_annotation_copy(cn_annotation_t *a, cn_annotation_t **a_copy);
int cn_cnode_meta_wrapper_copy(cn_wrapper_t * dest, cn_wrapper_t src);
/* Free an annotation created with cn_annotation_new, or cn_annotation_copy */
void cn_annotation_free(cn_annotation_t *a);
void cn_cnode_meta_wrapper_free(cn_wrapper_t wrapper);
/* method_masks */
bool cn_cnode_meta_wrapper_eq(cn_wrapper_t a, cn_wrapper_t b);
/* Allow all operations */
void cn_method_mask_permission_all(method_mask_t * mask);
/* Try to wrap the given meta object with the given wrapper. */
int cn_cnode_meta_wrap(cn_cnode_meta_t *m, cn_wrapper_t wrapper);
/* Prevent all operations */
void cn_method_mask_permission_none(method_mask_t * mask);
/* Unwrap the meta object with the given wrapper. It will fail if the given
* wrapper does not match the outermost wrapper. */
int cn_cnode_meta_unwrap(cn_cnode_meta_t *m, cn_wrapper_t wrapper);
/* Set this given permission to allow */
void cn_method_mask_permission_set(method_mask_t * mask, cn_method_t m);
/* Pretty self-explanitory. Returns true if the given wrapper matches the
* outermost wraper. */
bool cn_cnode_meta_outermost_wrapper_matches(cn_cnode_meta_t *m, cn_wrapper_t wrapper);
/* Set the given permission to deny */
void cn_method_mask_permission_clear(method_mask_t * mask, cn_method_t m);
/* Returns NULL if there is no outermost wrapper */
cn_wrapper_t cn_cnode_meta_outermost_wrapper(cn_cnode_meta_t *m);
/* Returns true if the given permission is set, returns false otherwise */
bool cn_method_mask_permission_is_set(method_mask_t * mask, cn_method_t m);
/* --------- libcap conversions ---------- */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment