diff --git a/src/access.rs b/src/access.rs index 7956bc30..40e96f0c 100644 --- a/src/access.rs +++ b/src/access.rs @@ -78,7 +78,7 @@ where } .into()); } else { - let compat_bits = self & T::from_all(compat.abi); + let compat_bits = self & T::from_all(compat.abi()); if compat_bits.is_empty() { match compat.level { // Empty access-rights are ignored to avoid an error when passing them to @@ -143,7 +143,7 @@ fn compat_bit_flags() { assert!(!compat.is_mooted()); - compat.abi = ABI::Unsupported; + compat = ABI::Unsupported.into(); assert!(!compat.is_mooted()); // Access-rights are valid (but ignored) when they are not required for the current ABI. diff --git a/src/compat.rs b/src/compat.rs index 933e4e27..e09407c2 100644 --- a/src/compat.rs +++ b/src/compat.rs @@ -214,9 +214,9 @@ fn compat_state_update_2() { #[derive(Clone)] // Compatibility is not public outside this crate. pub struct Compatibility { - pub(crate) abi: ABI, + abi: ABI, pub(crate) level: CompatLevel, - pub(crate) state: CompatState, + state: CompatState, // is_mooted is required to differenciate a kernel not supporting Landlock from an error that // occured with CompatLevel::SoftRequirement. is_mooted is only changed with update() and only // used to not set no_new_privs in RulesetCreated::restrict_self(). @@ -253,6 +253,14 @@ impl Compatibility { } } + pub(crate) fn abi(&self) -> ABI { + self.abi + } + + pub(crate) fn state(&self) -> CompatState { + self.state + } + pub(crate) fn is_mooted(&self) -> bool { self.is_mooted } diff --git a/src/fs.rs b/src/fs.rs index 4edbe300..467b87f9 100644 --- a/src/fs.rs +++ b/src/fs.rs @@ -307,7 +307,7 @@ fn path_beneath_try_compat() { .attr .allowed_access; assert_eq!(raw_access, full_access.bits()); - assert_eq!(compat_copy.state, CompatState::Full); + assert_eq!(compat_copy.state(), CompatState::Full); } } diff --git a/src/ruleset.rs b/src/ruleset.rs index 8e0176d0..14d20112 100644 --- a/src/ruleset.rs +++ b/src/ruleset.rs @@ -250,10 +250,10 @@ impl Ruleset { handled_access_fs: self.actual_handled_fs.bits(), }; - match self.compat.abi { + match self.compat.abi() { ABI::Unsupported => { #[cfg(test)] - assert_eq!(self.compat.state, CompatState::Final); + assert_eq!(self.compat.state(), CompatState::Final); Ok(RulesetCreated::new(self, -1)) } _ => match unsafe { uapi::landlock_create_ruleset(&attr, size_of_val(&attr), 0) } { @@ -337,10 +337,10 @@ impl RulesetCreated { Some(r) => r, None => return Ok(self), }; - match self.compat.abi { + match self.compat.abi() { ABI::Unsupported => { #[cfg(test)] - assert_eq!(self.compat.state, CompatState::Final); + assert_eq!(self.compat.state(), CompatState::Final); Ok(self) } _ => match unsafe { @@ -489,7 +489,7 @@ impl RulesetCreated { // To get a consistent behavior, calls this prctl whether or not // Landlock is supported by the running kernel. let support_nnp = support_no_new_privs(); - match self.compat.abi { + match self.compat.abi() { // It should not be an error for kernel (older than 3.5) not supporting // no_new_privs. ABI::Unsupported => { @@ -511,12 +511,12 @@ impl RulesetCreated { false }; - match self.compat.abi { + match self.compat.abi() { ABI::Unsupported => { #[cfg(test)] - assert_eq!(self.compat.state, CompatState::Final); + assert_eq!(self.compat.state(), CompatState::Final); Ok(RestrictionStatus { - ruleset: self.compat.state.into(), + ruleset: self.compat.state().into(), no_new_privs: enforced_nnp, }) } @@ -524,7 +524,7 @@ impl RulesetCreated { 0 => { self.compat.update(CompatState::Full); Ok(RestrictionStatus { - ruleset: self.compat.state.into(), + ruleset: self.compat.state().into(), no_new_privs: enforced_nnp, }) }