Added a cleaner way of allocating the zenity command.

For now, perm table does not set the thrid parameter to anything useful

.gitignore

@@ -4,3 +4,5 @@ build/*
 test/protected/*
 test/.pt.db
 compile_commands.json
+test/perf*
+test/callgraph*

src/access_t.h

@@ -0,0 +1,6 @@
+#ifndef ACCESS_T_H
+#define ACCESS_T_H
+
+typedef enum { DENY, ALLOW, ALLOW_TEMP, NDEF } access_t;
+
+#endif // !ACCESS_T_H

src/fuse_operations.c

@@ -11,6 +11,7 @@
   See the file LICENSE.
 */
 
+#include <stddef.h>
 #define FUSE_USE_VERSION 31
 
 #define _GNU_SOURCE
@@ -39,23 +40,58 @@
 #include "sourcefs.h"
 #include "ui-socket.h"
 
-// TODO: move this to other file
 const char *get_process_name_by_pid(const int pid) {
-  char *name = (char *)calloc(1024, sizeof(char));
-  if (name) {
-    sprintf(name, "/proc/%d/cmdline", pid);
-    FILE *f = fopen(name, "r");
-    if (f) {
-      size_t size;
-      size = fread(name, sizeof(char), 1024, f);
-      if (size > 0) {
-        if ('\n' == name[size - 1])
-          name[size - 1] = '\0';
-      }
-      fclose(f);
+  char path[1024];
+  sprintf(path, "/proc/%d/exe", pid);
+
+  char *name = realpath(path, NULL);
+  if (name == NULL) {
+    fprintf(stderr, "Could not get process name by pid %d", pid);
+    perror("");
+  }
+
+  /*
+  size_t namelen = 32;
+  ssize_t readret = 0;
+  char *name = NULL;
+  while (namelen >= (size_t)readret && readret > 0) {
+    namelen *= 2;
+    name = calloc(namelen, sizeof(char));
+    if (name == NULL) {
+      free(path);
+      fprintf(stderr, "Could not get get process name by pid %d", pid);
+      perror("");
+      return NULL;
+    }
+    readret = readlink(path, name, namelen);
+    if (readret < 0) {
+      free(name);
+      free(path);
+      fprintf(stderr, "Couldn't get process name by pid %d", pid);
+      perror("");
+      return NULL;
+    }
+    if (namelen >= (size_t)readret) {
+      free(name);
     }
   }
+  */
+
   return name;
+
+  /*
+  FILE *file = fopen(path, "r");
+  if (file) {
+    size_t size = 0;
+    size = fread(path, sizeof(char), 1024, file);
+    if (size > 0) {
+      if ('\n' == path[size - 1]) {
+        path[size - 1] = '\0';
+      }
+    }
+    fclose(file);
+  }
+  */
 }
 
 // TODO: move this somewhere else
@@ -70,8 +106,8 @@ static void *xmp_init(struct fuse_conn_info *conn, struct fuse_config *cfg) {
      To make parallel_direct_writes valid, need either set cfg->direct_io
      in current function (recommended in high level API) or set fi->direct_io
      in xmp_create() or xmp_open(). */
-  // cfg->direct_io = 1;
-  // cfg->parallel_direct_writes = 1;
+  cfg->direct_io = 1;
+  cfg->parallel_direct_writes = 1;
 
   /* Pick up changes from lower filesystem right away. This is
      also necessary for better hardlink support. When the kernel
@@ -83,18 +119,19 @@ static void *xmp_init(struct fuse_conn_info *conn, struct fuse_config *cfg) {
   cfg->entry_timeout = 0;
   cfg->attr_timeout = 0;
   cfg->negative_timeout = 0;
+  fprintf(stderr, "%d\n", getpid());
 
   return NULL;
 }
 
 static int xmp_getattr(const char *path, struct stat *stbuf,
-                       struct fuse_file_info *fi) {
+                       struct fuse_file_info *file_info) {
   int res;
 
   (void)path;
 
-  if (fi)
-    res = fstat(fi->fh, stbuf);
+  if (file_info)
+    res = fstat(file_info->fh, stbuf);
   else
     res = source_stat(path, stbuf);
   if (res == -1) {
@@ -106,38 +143,39 @@ static int xmp_getattr(const char *path, struct stat *stbuf,
 }
 
 static int xmp_access(const char *path, int mask) {
-  int res;
+  int res = -1;
 
   // if mask is F_OK, then we don't need to check the permissions
   // (is that possible?)
 
   if (mask != F_OK) {
-    struct process_info pi;
-    struct fuse_context *fc = fuse_get_context();
+    struct process_info proc_info;
+    struct fuse_context *context = fuse_get_context();
 
-    pi.PID = fc->pid;
-    pi.name = get_process_name_by_pid(pi.PID);
+    proc_info.PID = context->pid;
+    proc_info.name = get_process_name_by_pid(proc_info.PID);
 
     // fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
 
-    if (!interactive_access(real_filename(path), pi, 0)) {
-      free(pi.name);
+    if (!interactive_access(real_filename(path), proc_info, 0)) {
+      free((void *)proc_info.name);
       return -EACCES;
     }
 
-    free(pi.name);
+    free((void *)proc_info.name);
   }
 
   res = source_access(path, mask);
 
-  if (res == -1)
+  if (res == -1) {
     return -errno;
+  }
 
   return 0;
 }
 
 static int xmp_readlink(const char *path, char *buf, size_t size) {
-  int res;
+  int res = -1;
 
   res = readlink(path, buf, size - 1);
   if (res == -1)
@@ -264,17 +302,18 @@ static int xmp_mknod(const char *path, mode_t mode, dev_t rdev) {
 */
 
 static int xmp_mkdir(const char *path, mode_t mode) {
-  int res;
+  int res = -1;
 
   res = source_mkdir(path, mode);
-  if (res == -1)
+  if (res == -1) {
     return -errno;
+  }
 
   return 0;
 }
 
 static int xmp_unlink(const char *path) {
-  int res;
+  int res = -1;
   struct process_info pi;
   struct fuse_context *fc = fuse_get_context();
 

src/main.c

@@ -15,9 +15,10 @@
 #define _GNU_SOURCE
 
 #include <fuse3/fuse.h>
-
 #include <stdio.h>
 #include <stdlib.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 #include "fuse_operations.h"
 #include "sourcefs.h"
@@ -26,25 +27,35 @@
 const char *mountpoint = NULL;
 
 int main(int argc, char *argv[]) {
-  umask(0);
-
-  mountpoint = realpath(argv[argc - 1], NULL);
-
-  int ret = source_init(mountpoint);
-  if (ret != 0) {
-    perror("source_init");
-    exit(EXIT_FAILURE);
+  if (argc < 3) {
+    fprintf(stderr, "Usage: icfs <FUSE arguments> [target directory] [path to "
+                    "the permanent permissions database\n");
+    return EXIT_FAILURE;
   }
 
-  ret = init_ui_socket();
+  // if umask != 0, the filesystem will create files with more restrictive
+  // permissions than it's caller reqested
+  umask(0);
+
+  // ui socket should always be initialized before anything else, since it
+  // handles the setuid bits!
+  int ret = init_ui_socket(argv[argc - 1]);
   if (ret != 0) {
     fprintf(stderr, "Could not initalize ui-socket.\n");
     exit(EXIT_FAILURE);
   }
 
-  ret = fuse_main(argc, argv, get_fuse_operations(), NULL);
+  mountpoint = realpath(argv[argc - 2], NULL);
 
-  free(mountpoint);
+  ret = source_init(mountpoint);
+  if (ret != 0) {
+    perror("source_init");
+    exit(EXIT_FAILURE);
+  }
+
+  ret = fuse_main(argc - 1, argv, get_fuse_operations(), NULL);
+
+  free((void *)mountpoint);
   destroy_ui_socket();
   return ret;
 }

src/perm_permissions_table.c

@@ -1,17 +1,64 @@
+/*
+  ICFS: Interactively Controlled File System
+  Copyright (C) 2024-2025  Fedir Kovalov
+
+  This program can be distributed under the terms of the GNU GPLv2.
+  See the file LICENSE.
+*/
+
 #include "perm_permissions_table.h"
+#include "access_t.h"
 #include "process_info.h"
+#include <fcntl.h>
+#include <pthread.h>
 #include <sqlite3.h>
 #include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/fsuid.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
 
 sqlite3 *perm_database = NULL;
 const char *const table_name = "permissions";
 // one row corresponds to a permission to access one file for one executable
-const int column_count = 2;
-const char *const schema[] = {"executable", "filename"};
-const char *const types[] = {"TEXT", "TEXT"};
+const int column_count = 3;
+const char *const schema[] = {"executable", "filename", "mode"};
+const char *const types[] = {"TEXT", "TEXT", "INTEGER"};
+uid_t ruid, euid, current_pid;
+pthread_mutex_t uid_switch = PTHREAD_MUTEX_INITIALIZER;
+
+void set_db_fsuid() {
+  pthread_mutex_lock(&uid_switch);
+  if (current_pid == ruid)
+    return;
+
+  int status = -1;
+
+  status = setfsuid(ruid);
+  if (status < 0) {
+    fprintf(stderr, "Couldn't set uid to %d.\n", ruid);
+    exit(status);
+  }
+  pthread_mutex_unlock(&uid_switch);
+}
+
+void set_real_fsuid() {
+  pthread_mutex_lock(&uid_switch);
+  if (current_pid == ruid)
+    return;
+
+  int status = -1;
+
+  status = setfsuid(ruid);
+  if (status < 0) {
+    fprintf(stderr, "Couldn't set uid to %d.\n", euid);
+    exit(status);
+  }
+  pthread_mutex_unlock(&uid_switch);
+}
 
 static int check_table_col_schema(void *notused, int argc, char **argv,
                                   char **colname) {
@@ -21,15 +68,17 @@ static int check_table_col_schema(void *notused, int argc, char **argv,
     fprintf(stderr, "Unexpected amount of arguments given to the callback.\n");
     return 1;
   }
-  int i = atoi(argv[0]);
-  if (i >= column_count) {
-    fprintf(stderr, "Table contains more columns than expected.\n");
+  int column_num = atoi(argv[0]);
+  if (column_num >= column_count) {
+    fprintf(stderr, "Table contains unexpected amount of columns.\n");
     return 1;
   }
-  if (strcmp(schema[i], argv[1]) == 0 && strcmp(types[i], argv[2]) == 0) {
+
+  if (strcmp(schema[column_num], argv[1]) == 0 &&
+      strcmp(types[column_num], argv[2]) == 0) {
     return 0;
   }
-  fprintf(stderr, "Column %d does not conform to the schema.\n", i);
+  fprintf(stderr, "Column %d does not conform to the schema.\n", column_num);
   return 1;
 }
 
@@ -43,8 +92,9 @@ static int set_flag(void *flag, int argc, char **argv, char **colname) {
 
 int create_database_schema() {
   fprintf(stderr, "Creating table 'permissions'.\n");
-  const char *create_query = "CREATE TABLE permissions(executable TEXT NOT "
-                             "NULL, filename TEXT NOT NULL);";
+  const char *create_query =
+      "CREATE TABLE permissions(executable TEXT NOT "
+      "NULL, filename TEXT NOT NULL, mode INTEGER NOT NULL);";
   char *err = NULL;
   int ret = sqlite3_exec(perm_database, create_query, NULL, NULL, &err);
 
@@ -101,14 +151,31 @@ int ensure_database_schema() {
  * @return: 0 on success, -1 on failure
  */
 int init_perm_permissions_table(const char *db_filename) {
-  if (sqlite3_open(db_filename, &perm_database)) {
-    perror("Can't open permanent permissions database:");
+  // we don't want the group and others to access the db
+  umask(0077);
+  ruid = getuid();
+  euid = geteuid();
+  fprintf(stderr, "Running with uid: %d, gid: %d\n", euid, getegid());
+
+  if (sqlite3_open_v2(db_filename, &perm_database,
+                      SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE |
+                          SQLITE_OPEN_FULLMUTEX,
+                      NULL)) {
+    perror("Can't open permanent permissions database");
     return -1;
   }
+  umask(0);
   if (ensure_database_schema()) {
     fprintf(stderr, "Database schema is not correct.\n");
     return -1;
   }
+
+  int status = seteuid(ruid);
+  if (status < 0) {
+    fprintf(stderr, "Couldn't set euid to ruid during database setup.\n");
+    exit(status);
+  }
+
   return 0;
 }
 
@@ -122,37 +189,41 @@ void destroy_perm_permissions_table() { sqlite3_close(perm_database); }
  *
  * @param filename: The file that the process is trying to access
  * @pram pi: The process information
- * @return: 0 if access is denied, 1 if access is allowed
+ * @return: access status - ALLOW, DENY or NDEF in case if no information was
+ * found
  */
-int check_perm_access(const char *filename, struct process_info pi) {
-  size_t query_len =
-      56 + strlen(table_name) + strlen(filename) + strlen(pi.name);
-  const char *query = malloc(query_len);
-  size_t should_be_written = snprintf(
-      query, query_len,
-      "SELECT * FROM %s WHERE executable = \'%s\' AND filename = \'%s\';",
-      table_name, pi.name, filename);
-  // -1 for the \0
-  if (should_be_written != query_len - 1) {
-    fprintf(stderr,
-            "Unexpected query size while permanent access rule check: "
-            "Expected %lu, but snprintf returned %lu. The query: %s\n",
-            query_len, should_be_written, query);
-    return 0;
+access_t check_perm_access(const char *filename, struct process_info pi) {
+
+  char *query = NULL;
+  int ret = asprintf(&query,
+                     "SELECT * FROM %s WHERE executable = \'%s\' "
+                     "AND filename = \'%s\' AND mode = TRUE;",
+                     table_name, pi.name, filename);
+
+  if (ret < 0) {
+    // If asprintf fails, the contents of query are undefined (see man
+    // asprintf). That does not explicitly rule out that query will be a valid
+    // pointer. But the risk of freeing a non-allocated pointer is too much to
+    // justify preparing for this.
+    fprintf(stderr, "Could not create query on access check");
+    perror("");
+    return NDEF;
   }
 
   char *sqlite_error = NULL;
   int flag = 0;
-  int ret = sqlite3_exec(perm_database, query, set_flag, &flag, &sqlite_error);
+  ret = sqlite3_exec(perm_database, query, set_flag, &flag, &sqlite_error);
+  free((void *)query);
   if (ret != SQLITE_OK) {
     fprintf(stderr, "SQLite returned an error: %s\n", sqlite_error);
     sqlite3_free(sqlite_error);
-    free(query);
-    return 0;
+    return NDEF;
   }
 
-  free(query);
-  return flag;
+  if (flag) {
+    return ALLOW;
+  }
+  return NDEF;
 }
 
 /**
@@ -163,23 +234,23 @@ int check_perm_access(const char *filename, struct process_info pi) {
  * @return: 0 on success, 1 on failure
  */
 int give_perm_access(const char *filename, struct process_info pi) {
-  size_t query_len =
-      30 + strlen(table_name) + strlen(filename) + strlen(pi.name);
-  const char *query = malloc(query_len);
-  size_t should_be_written =
-      snprintf(query, query_len, "INSERT INTO %s VALUES (\'%s\', \'%s\');",
-               table_name, pi.name, filename);
-  // -1 for the \0
-  if (should_be_written != query_len - 1) {
-    fprintf(stderr,
-            "Unexpected query size while permanent access rule insertion: "
-            "Expected %lu, but snprintf returned %lu\n",
-            query_len, should_be_written);
+  char *query = NULL;
+  int ret = asprintf(&query, "INSERT INTO %s VALUES (\'%s\', \'%s\', TRUE);",
+                     table_name, pi.name, filename);
+
+  if (ret < 0) {
+    // If asprintf fails, the contents of query are undefined (see man
+    // asprintf). That does not explicitly rule out that query will be a valid
+    // pointer. But the risk of freeing a non-allocated pointer is too much to
+    // justify preparing for this.
+    fprintf(stderr, "Could not create query on rule insertion");
+    perror("");
     return 1;
   }
 
   char *sqlite_error = NULL;
-  int ret = sqlite3_exec(perm_database, query, NULL, NULL, &sqlite_error);
+  ret = sqlite3_exec(perm_database, query, NULL, NULL, &sqlite_error);
+  free(query);
   if (ret != SQLITE_OK) {
     fprintf(stderr, "SQLite returned an error: %s\n", sqlite_error);
     sqlite3_free(sqlite_error);
@@ -187,6 +258,5 @@ int give_perm_access(const char *filename, struct process_info pi) {
     return 1;
   }
 
-  free(query);
   return 0;
 }

src/perm_permissions_table.h

@@ -1,7 +1,15 @@
+/*
+  ICFS: Interactively Controlled File System
+  Copyright (C) 2024-2025  Fedir Kovalov
+
+  This program can be distributed under the terms of the GNU GPLv2.
+  See the file LICENSE.
+*/
 
 #ifndef PERM_PERMISSION_TABLE_H
 #define PERM_PERMISSION_TABLE_H
 
+#include "access_t.h"
 #include "process_info.h"
 
 /**
@@ -22,9 +30,10 @@ void destroy_perm_permissions_table();
  *
  * @param filename: The file that the process is trying to access
  * @pram pi: The process information
- * @return: 0 if access is denied, 1 if access is allowed
+ * @return: access status - ALLOW, DENY or NDEF in case if no information was
+ * found
  */
-int check_perm_access(const char *filename, struct process_info pi);
+access_t check_perm_access(const char *filename, struct process_info pi);
 
 /**
  * Gives permanent access to the process to the file.

src/process_info.h

@@ -1,3 +1,10 @@
+/*
+  ICFS: Interactively Controlled File System
+  Copyright (C) 2024-2025  Fedir Kovalov
+
+  This program can be distributed under the terms of the GNU GPLv2.
+  See the file LICENSE.
+*/
 
 #ifndef PROCESS_INFO_H
 #define PROCESS_INFO_H

src/sourcefs.c

@@ -33,6 +33,8 @@ int source_init(const char *root_path) {
   int root_fd = open(root_path, O_PATH);
 
   if (root_fd == -1) {
+    fprintf(stderr, "Could not initialize source file system at %s", root_path);
+    perror("");
     return -1;
   }
 

src/temp_permissions_table.c

@@ -7,6 +7,7 @@
 */
 
 #include "temp_permissions_table.h"
+#include "access_t.h"
 #include "cc.h"
 #include "process_info.h"
 #include <pthread.h>
@@ -18,6 +19,7 @@ struct temp_process_permissions {
   // proc_pid_stat(5))
   unsigned long long creation_time;
   vec(char *) allowed_files;
+  vec(char *) denied_files;
 };
 
 map(pid_t, struct temp_process_permissions) temp_permissions_table;
@@ -33,8 +35,8 @@ pthread_mutex_t temp_permissions_table_lock;
  * never really equal to 0, it exceptionally unlikely.
  */
 unsigned long long get_process_creation_time(pid_t pid) {
-  char path[32];
-  FILE *fp;
+  char path[256];
+  FILE *fp = NULL;
   unsigned long long creation_time = 0;
 
   // Construct the path to the process's status file
@@ -72,22 +74,30 @@ unsigned long long get_process_creation_time(pid_t pid) {
  *
  * @return: 0 on success, -1 on failure (e.g. ENOMEM)
  */
-int init_temp_permissions_table() {
+int init_temp_permissions_table(void) {
   pthread_mutex_init(&temp_permissions_table_lock, PTHREAD_MUTEX_DEFAULT);
   init(&temp_permissions_table);
+  return 0;
 }
 
 /**
  * Destroys the temporary permissions table.
  *
- * @note: the table is guranteed to be destroyed if it is already initialized
+ * @note: the table is guranteed to be destroyed if it is already initialized.
+ * It does not indicate any errors whatsoever. If something goes wrong - you are
+ * screwed.
  */
-void destroy_temp_permissions_table() {
+void destroy_temp_permissions_table(void) {
   // free the memory allocated for the table
   for_each(&temp_permissions_table, entry) {
     for_each(&entry->allowed_files, allowed_file) { free(*allowed_file); }
     cleanup(&entry->allowed_files);
   }
+  for_each(&temp_permissions_table, entry) {
+    for_each(&entry->denied_files, denied_file) { free(*denied_file); }
+    cleanup(&entry->denied_files);
+  }
+
   cleanup(&temp_permissions_table);
   pthread_mutex_destroy(&temp_permissions_table_lock);
 }
@@ -97,10 +107,10 @@ void destroy_temp_permissions_table() {
  *
  * @param filename: The file that the process is trying to access
  * @pram pid: PID of the process
- * @return: 0 if access is denied, 1 if access is allowed
+ * @return: access status - ALLOW, DENY or NDEF in case if no information was
+ * found is avaliable
  */
-
-int check_temp_access_noparent(const char *filename, pid_t pid) {
+access_t check_temp_access_noparent(const char *filename, pid_t pid) {
   // TODO: more efficient locking
   pthread_mutex_lock(&temp_permissions_table_lock);
   struct temp_process_permissions *permission_entry =
@@ -110,22 +120,28 @@ int check_temp_access_noparent(const char *filename, pid_t pid) {
     if (process_creation_time == 0) {
       perror("Could not retrieve process creation time");
       pthread_mutex_unlock(&temp_permissions_table_lock);
-      return 0;
+      return NDEF;
     }
 
     if (process_creation_time == permission_entry->creation_time) {
       // the process is the same as the one that was granted temporary access
       // to the file
+      for_each(&permission_entry->denied_files, denied_file) {
+        if (strncmp(*denied_file, filename, strlen(filename)) == 0) {
+          pthread_mutex_unlock(&temp_permissions_table_lock);
+          return DENY;
+        }
+      }
       for_each(&permission_entry->allowed_files, allowed_file) {
         if (strncmp(*allowed_file, filename, strlen(filename)) == 0) {
           pthread_mutex_unlock(&temp_permissions_table_lock);
-          return 1;
+          return ALLOW;
         }
       }
     }
   }
   pthread_mutex_unlock(&temp_permissions_table_lock);
-  return 0;
+  return NDEF;
 }
 
 /**
@@ -164,31 +180,36 @@ pid_t get_parent_pid(pid_t pid) {
  *
  * @param filename: The file that the process is trying to access
  * @pram pi: The process information
- * @return: 0 if access is denied, 1 if access is allowed
+ * @return: access status - ALLOW, DENY or NDEF in case if no information was
+ * found. Does not return ALLOW_TEMP.
  * @note: In case one of the parent processes is killed while this function
  * execution the result is not guranteed to be correct. It should only lead to
  * false negatives, though.
  */
-int check_temp_access(const char *filename, struct process_info pi) {
+access_t check_temp_access(const char *filename, struct process_info pi) {
   pid_t current_pid = pi.PID;
   while (current_pid != 0) {
-    if (check_temp_access_noparent(filename, current_pid)) {
-      return 1;
+    access_t access = check_temp_access_noparent(filename, current_pid);
+    if (access != NDEF) {
+      return access;
     }
     current_pid = get_parent_pid(current_pid);
   }
 
-  return 0;
+  return NDEF;
 }
 
 /**
- * Gives temporary access to the process to the file.
+ * Sets temporary access mode of the process to the file.
  *
  * @param filename: The file that the process is trying to access
  * @param pi: The process information
- * @return: 0 on success, -1 on failure (e.g. ENOMEM)
+ * @param mode: Kind of access rule to be set - SET_DENY to deny access, and
+ * SET_ALLOW to allow access.
+ * @return: 0 on success, -1 on failure.
  */
-int give_temp_access(const char *filename, struct process_info pi) {
+int set_temp_access(const char *filename, struct process_info pi,
+                    set_mode_t mode) {
   pthread_mutex_lock(&temp_permissions_table_lock);
   struct temp_process_permissions *permission_entry =
       get(&temp_permissions_table, pi.PID);
@@ -206,7 +227,13 @@ int give_temp_access(const char *filename, struct process_info pi) {
     if (process_creation_time == permission_entry->creation_time) {
       // the process is the same as the one that was granted temporary access
       // to the file
-      push(&permission_entry->allowed_files, strdup(filename));
+      if (mode == SET_ALLOW) {
+        push(&permission_entry->allowed_files, strdup(filename));
+      }
+      if (mode == SET_DENY) {
+        push(&permission_entry->denied_files, strdup(filename));
+      }
+
       pthread_mutex_unlock(&temp_permissions_table_lock);
       return 0;
     }
@@ -222,10 +249,15 @@ int give_temp_access(const char *filename, struct process_info pi) {
 
   new_permission_entry.creation_time = get_process_creation_time(pi.PID);
   init(&new_permission_entry.allowed_files);
-  push(&new_permission_entry.allowed_files, strdup(filename));
+  init(&new_permission_entry.denied_files);
+  if (mode == SET_ALLOW) {
+    push(&new_permission_entry.allowed_files, strdup(filename));
+  }
+  if (mode == SET_DENY) {
+    push(&new_permission_entry.denied_files, strdup(filename));
+  }
 
   insert(&temp_permissions_table, pi.PID, new_permission_entry);
-  printf("temp_permissions_table size: %ld\n", size(&temp_permissions_table));
 
   pthread_mutex_unlock(&temp_permissions_table_lock);
   return 0;

src/temp_permissions_table.h

@@ -2,6 +2,7 @@
 #ifndef TEMP_PERMISSIONS_TABLE_H
 #define TEMP_PERMISSIONS_TABLE_H
 
+#include "access_t.h"
 #include "process_info.h"
 
 /**
@@ -9,31 +10,43 @@
  *
  * @return: 0 on success, -1 on failure (e.g. ENOMEM)
  */
-int init_temp_permissions_table();
+int init_temp_permissions_table(void);
 
 /**
  * Destroys the temporary permissions table.
  *
- * @note: the table is guranteed to be destroyed if it is already initialized
+ * @note: the table is guranteed to be destroyed if it is already initialized.
+ * It does not indicate any errors whatsoever. If something goes wrong - you are
+ * screwed.
  */
-void destroy_temp_permissions_table();
+void destroy_temp_permissions_table(void);
 
 /**
- * Checks if the process has a temporary access to the file.
+ * Checks if the process or any of it's parents have temporary access to the
+ * file.
+ *
+ * @param filename: The file that the process is trying to access
+ * @pram pi: The process information
+ * @return: access status - ALLOW, DENY or NDEF in case if no information was
+ * found. Does not return ALLOW_TEMP.
+ * @note: In case one of the parent processes is killed while this function
+ * execution the result is not guranteed to be correct. It should only lead to
+ * false negatives, though.
+ */
+access_t check_temp_access(const char *filename, struct process_info pi);
+
+typedef enum { SET_DENY, SET_ALLOW } set_mode_t;
+
+/**
+ * Sets temporary access mode of the process to the file.
  *
  * @param filename: The file that the process is trying to access
  * @param pi: The process information
- * @return: 0 if access is denied, 1 if access is allowed
+ * @param mode: Kind of access rule to be set - SET_DENY to deny access, and
+ * SET_ALLOW to allow access.
+ * @return: 0 on success, -1 on failure.
  */
-int check_temp_access(const char *filename, struct process_info pi);
-
-/**
- * Gives temporary access to the process to the file.
- *
- * @param filename: The file that the process is trying to access
- * @param pi: The process information
- * @return: 0 on success, -1 on failure (e.g. ENOMEM)
- */
-int give_temp_access(const char *filename, struct process_info pi);
+int set_temp_access(const char *filename, struct process_info pi,
+                    set_mode_t mode);
 
 #endif // !TEMP_PERMISSIONS_TABLE_H

src/ui-socket.c

@@ -6,6 +6,7 @@
   See the file LICENSE.
 */
 
+#include "access_t.h"
 #include <stddef.h>
 #include <sys/types.h>
 #include <time.h>
@@ -13,7 +14,6 @@
 #include "perm_permissions_table.h"
 #include "temp_permissions_table.h"
 #include "ui-socket.h"
-#include <errno.h>
 #include <pthread.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -22,17 +22,17 @@
 #include <sys/un.h>
 #include <unistd.h>
 
-int init_ui_socket() {
-  char line[256];
-  FILE *fp;
+#define ZENITY_TEMP_ALLOW_MESSAGE "Allow this time\n"
+
+int init_ui_socket(const char *perm_permissions_db_filename) {
+  FILE *fp = NULL;
 
   if (init_temp_permissions_table()) {
     fprintf(stderr, "Could not initialize temporary permissions table.\n");
     return 1;
   }
 
-  if (init_perm_permissions_table(
-          "/home/fedir/Developement/uni/ICFS/test/.pt.db")) {
+  if (init_perm_permissions_table(perm_permissions_db_filename)) {
     fprintf(stderr, "Could not initialize permanent permissions table.\n");
     return 1;
   }
@@ -44,13 +44,11 @@ int init_ui_socket() {
     return 1;
   }
 
-  while (fgets(line, sizeof(line), fp))
-    printf("%s", line);
   pclose(fp);
   return 0;
 }
 
-void destroy_ui_socket() {
+void destroy_ui_socket(void) {
   destroy_temp_permissions_table();
   destroy_perm_permissions_table();
 }
@@ -61,19 +59,28 @@ void destroy_ui_socket() {
  *
  * @param filename: The file that the process is trying to access
  * @param pi: The process information
- * @return: 0 if access is denied, 1 if access is allowed, 2 if access is
+ * @return: access status - ALLOW, DENY or ALLOW_TEMP
  * allowed for the runtime of the process
  */
-int ask_access(const char *filename, struct process_info pi) {
-  FILE *fp;
-  size_t command_len =
-      139 + sizeof(pid_t) * 8 + strlen(pi.name) + strlen(filename);
-  char *command = (char *)malloc(command_len);
-  snprintf(command, command_len,
-           "zenity --question --extra-button \"Allow this time\" --title "
-           "\"Allow Access?\" --text \"Allow process "
-           "<tt>%s</tt> with PID <tt>%d</tt> to access <tt>%s</tt>\"",
-           pi.name, pi.PID, filename);
+access_t ask_access(const char *filename, struct process_info proc_info) {
+  FILE *fp = NULL;
+  char *command = NULL;
+  int ret =
+      asprintf(&command,
+               "zenity --question --extra-button \"Allow this time\" --title "
+               "\"Allow Access?\" --text \"Allow process "
+               "<tt>%s</tt> with PID <tt>%d</tt> to access <tt>%s</tt>\"",
+               proc_info.name, proc_info.PID, filename);
+
+  if (ret < 0) {
+    // If asprintf fails, the contents of command are undefined (see man
+    // asprintf). That does not explicitly rule out that command will be a valid
+    // pointer. But the risk of freeing a non-allocated pointer is too much to
+    // justify preparing for this.
+    fprintf(stderr, "Could not create query on rule insertion");
+    perror("");
+    return 1;
+  }
 
   // Zenity Question Message Popup
   fp = popen(command, "r");
@@ -81,18 +88,18 @@ int ask_access(const char *filename, struct process_info pi) {
 
   if (fp == NULL) {
     perror("Pipe returned a error");
-    return -1;
+    return DENY;
   }
 
   // if the user clicks the "Allow this time" button, `zenity` will only
   // write it to `stdout`, but the exit code will still be `1`. So, we need
   // to manually check the output.
-  char buffer[1024];
+  char buffer[sizeof(ZENITY_TEMP_ALLOW_MESSAGE) + 1];
   while (fgets(buffer, sizeof(buffer), fp)) {
     printf("%s", buffer);
-    if (strcmp(buffer, "Allow this time\n") == 0) {
+    if (strcmp(buffer, ZENITY_TEMP_ALLOW_MESSAGE) == 0) {
       pclose(fp);
-      return 2;
+      return ALLOW_TEMP;
     }
   }
 
@@ -100,10 +107,10 @@ int ask_access(const char *filename, struct process_info pi) {
   fprintf(stderr, "zenity returned %d\n", zenity_exit_code);
   // zenity returns 1 on "No" >:(
   if (zenity_exit_code == 0) {
-    return 1;
+    return ALLOW;
   }
 
-  return 0;
+  return DENY;
 }
 
 /**
@@ -117,36 +124,53 @@ int ask_access(const char *filename, struct process_info pi) {
  * @param opts: options (GRANT_TEMP, GRANT_PERM)
  * @return: 0 if access is denied, 1 if access is allowed
  */
-int interactive_access(const char *filename, struct process_info pi, int opts) {
+int interactive_access(const char *filename, struct process_info proc_info,
+                       int opts) {
 
-  if (check_temp_access(filename, pi) || check_perm_access(filename, pi)) {
-    // access was already granted before
+  access_t access = check_temp_access(filename, proc_info);
+  if (access == ALLOW) {
     return 1;
   }
+  if (access == DENY) {
+    return 0;
+  }
+
+  access = check_perm_access(filename, proc_info);
+  if (access == ALLOW) {
+    return 1;
+  }
+  if (access == DENY) {
+    return 0;
+  }
 
   // if noth GRANT_TEMP and GRANT_PERM are selected, then only permanent
   // permissions are granted
 
   if (opts & GRANT_PERM) {
-    give_perm_access(filename, pi);
+    give_perm_access(filename, proc_info);
     return 1;
   }
   if (opts & GRANT_TEMP) {
-    give_temp_access(filename, pi);
+    set_temp_access(filename, proc_info, SET_ALLOW);
     return 1;
   }
 
-  int user_response = ask_access(filename, pi);
-  if (user_response == 1) {
-    // user said "yes"
-    give_perm_access(filename, pi);
-    return 1;
-  } else if (user_response == 2) {
-    // user said "yes, but only this time"
-    give_temp_access(filename, pi);
+  access_t user_response = ask_access(filename, proc_info);
+  if (user_response == ALLOW) {
+    give_perm_access(filename, proc_info);
     return 1;
   }
 
-  // otherwise "no"
+  if (user_response == ALLOW_TEMP) {
+    set_temp_access(filename, proc_info, SET_ALLOW);
+    return 1;
+  }
+
+  if (user_response == DENY) {
+    set_temp_access(filename, proc_info, SET_DENY);
+    return 0;
+  }
+
+  // deny on unknown options.
   return 0;
 }

src/ui-socket.h

@@ -21,7 +21,7 @@
  *
  * @return: 0 on success, -1 on faliure.
  */
-int init_ui_socket(void);
+int init_ui_socket(const char *perm_permissions_db_filename);
 
 /**
  * Close the GUI communication.

test/test.bash

@@ -16,9 +16,23 @@ PATH="$(realpath ./mock/):$PATH"
 # mount the filesystem
 
 echo "Run $(date -u +%Y-%m-%dT%H:%M:%S) "
-valgrind -s ../build/icfs -o default_permissions ./protected &
+if [[ $1 == "--setuid" ]]; then
+  echo "Setting the setuid bit..."
+  echo "root privilieges are required to create a special user and set correct ownership of the executable."
+  id -u icfs &>/dev/null || sudo useradd --system --user-group icfs
+  sudo chown icfs: ../build/icfs && sudo chmod 4777 ../build/icfs
+  chmod g+w . # needed for icfs to be able to create the database
+  echo "Valgrind will not be used due to setuid compatibility issues."
+  ../build/icfs -o default_permissions ./protected ./.pt.db &
+  sleep 1
+else
+  echo "Database protection will not be tested due to the lack of setuid capabilites."
+  echo "To test it, run this script with '--setuid'."
+  valgrind -s ../build/icfs -o default_permissions ./protected ./.pt.db &
+  sleep 5
+fi
 
-sleep 5
+#valgrind -s ../build/icfs -o default_permissions ./protected &
 
 # WARN: please don't use `>` or `>>` operators. They force **this script** to open the file, **not the program you are trying to run**. This is probably not what you mean when you want to test a specific program's access.
 # WARN: avoid using touch, since it generates errors because setting times is not implemented in icfs **yet**.
@@ -105,6 +119,13 @@ cat ./protected/motto >/dev/null 2>/dev/null &&
   echo "[ICFS-TEST]: OK" ||
   echo "[ICFS-TEST]: echo cannot read protected/motto despite access being permitted!" # OK
 
+# test database access
+if [[ -r "./.pt.db" || -w "./.pt.db" ]]; then
+  echo "[ICFS-TEST]: permanent permissions is accessible!"
+else
+  echo "[ICFS-TEST]: OK"
+fi
+
 # unmount
 
 sleep 0.5