Smack: add support for modification of existing rules

Rule modifications are enabled via /smack/change-rule. Format is as follows:
"Subject Object rwaxt rwaxt"

First two strings are subject and object labels up to 255 characters.
Third string contains permissions to enable.
Fourth string contains permissions to disable.

All unmentioned permissions will be left unchanged.
If no rule previously existed, it will be created.

Targeted for git://git.gitorious.org/smack-next/kernel.git

Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

1 files changed, 11 insertions, 0 deletions

diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt
index 8a177e4b6e21..7a2d30c132e3 100644
--- a/Documentation/security/Smack.txt
+++ b/Documentation/security/Smack.txt
@@ -117,6 +117,17 @@ access2
 ambient
         This contains the Smack label applied to unlabeled network
         packets.
+change-rule
+        This interface allows modification of existing access control rules.
+        The format accepted on write is:
+                "%s %s %s %s"
+        where the first string is the subject label, the second the
+        object label, the third the access to allow and the fourth the
+        access to deny. The access strings may contain only the characters
+        "rwxat-". If a rule for a given subject and object exists it will be
+        modified by enabling the permissions in the third string and disabling
+        those in the fourth string. If there is no such rule it will be
+        created using the access specified in the third and the fourth strings.
 cipso
         This interface allows a specific CIPSO header to be assigned
         to a Smack label. The format accepted on write is: