veyron2/services/security/access: Update to the new ACL format.

Background:
https://drive.google.com/open?id=1DZUu2sGKrf-b4p9JFdIbN0ULhz9Loa8reuPNKsdMKD0&authuser=0

This commit is step 1 of (3 or 4) to remove the old format ACL
(security.ACL type), Labels and LabelSet types and switch everything to
the "tagged acl".

Specifically this change:
- Removes security.Label from security.Context
  (a subsequent change will get rid of Label and LabelSet types
  completely)
- Updates the access API to use the new format ACLs and tags.
- Updates all usage of the old format labels and ACLs in the core
  repository to the new format
- Provides for backward compatibility - if flags/ACL files are lying
  around in the old format, they will still work. Files will be
  overwritten in place and at some point in the near future the
  old format will be dropped completely.
- The "monitoring" label has no current equivalent. It can be added
  later if needed, but so far its usage has seemed to coincide with
  "debug".

Change-Id: Ie665fdccd8c82c30273399fc17406cdc95be03ee
diff --git a/services/mgmt/node/impl/app_service.go b/services/mgmt/node/impl/app_service.go
index 5a278aa..dff4976 100644
--- a/services/mgmt/node/impl/app_service.go
+++ b/services/mgmt/node/impl/app_service.go
@@ -135,6 +135,7 @@
 	"veyron.io/veyron/veyron2/security"
 	"veyron.io/veyron/veyron2/services/mgmt/appcycle"
 	"veyron.io/veyron/veyron2/services/mgmt/application"
+	"veyron.io/veyron/veyron2/services/security/access"
 	"veyron.io/veyron/veyron2/verror"
 	"veyron.io/veyron/veyron2/vlog"
 
@@ -205,7 +206,7 @@
 	uat    BlessingSystemAssociationStore
 	locks  aclLocks
 	// Reference to the nodemanager top-level ACL list.
-	nodeACL security.ACL
+	nodeACL access.TaggedACLMap
 	// securityAgent holds state related to the security agent (nil if not
 	// using the agent).
 	securityAgent *securityAgentState
@@ -363,23 +364,14 @@
 	return versionDir, updateLink(versionDir, filepath.Join(installationDir, "current"))
 }
 
-// TODO(rjkroege): Refactor this code with the intance creation code.
-func initializeInstallationACLs(dir string, blessings []string, acl security.ACL) error {
-	// Start out with the claimant's ACLs and add the invoker's blessings.
-
-	var labels security.LabelSet
-	if acl.In == nil {
-		// The acl.In will be empty for an unclaimed node manager. In this case,
-		// create it.
-		acl.In = make(map[security.BlessingPattern]security.LabelSet)
+// TODO(rjkroege): Refactor this code with the instance creation code.
+func initializeInstallationACLs(dir string, blessings []string, acl access.TaggedACLMap) error {
+	// Add the invoker's blessings.
+	for _, b := range blessings {
+		for _, tag := range access.AllTypicalTags() {
+			acl.Add(security.BlessingPattern(b), string(tag))
+		}
 	}
-	labels = security.AllLabels
-
-	for _, name := range blessings {
-		// TODO(rjkroege): Use custom labels.
-		acl.In[security.BlessingPattern(name)] = labels
-	}
-
 	aclDir := path.Join(dir, "acls")
 	aclData := path.Join(aclDir, "data")
 	aclSig := path.Join(aclDir, "signature")
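Review bot: The nil guard the old code kept for an unclaimed node manager is gone, and the new loop calls `acl.Add` on whatever the caller passes; if `i.nodeACL` is still a nil map before the node is claimed and `Copy()` returns nil for a nil map, `Add` would write to a nil map and panic (this depends on the access package's implementation, which is not visible here). A guard such as `if acl == nil { acl = make(access.TaggedACLMap) }` before the loop would preserve the old behaviour. The identical blessings-times-tags loop also appears in initializeInstanceACLs and in the claim path of dispatcher.go, so it is a candidate for one shared helper rather than three copies. initializeInstallationACLs continues past the end of this hunk.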
@@ -416,7 +408,10 @@
 		return "", err
 	}
 
-	if err := initializeInstallationACLs(installationDir, call.RemoteBlessings().ForContext(call), i.nodeACL); err != nil {
+	// TODO(caprita,rjkroege): Should the installation ACLs really be
+	// seeded with the node ACL? Instead, might want to hide the nodeACL
+	// from the app?
+	if err := initializeInstallationACLs(installationDir, call.RemoteBlessings().ForContext(call), i.nodeACL.Copy()); err != nil {
 		return "", err
 	}
 	deferrer = nil
@@ -603,23 +598,15 @@
 	return nil
 }
 
-func initializeInstanceACLs(instanceDir string, blessings []string, acl security.ACL) error {
-	if acl.In == nil {
-		// The acl.In will be empty for an unclaimed node manager. In this case,
-		// create it
-		acl.In = make(map[security.BlessingPattern]security.LabelSet)
+func initializeInstanceACLs(instanceDir string, blessings []string, acl access.TaggedACLMap) error {
+	for _, b := range blessings {
+		for _, tag := range access.AllTypicalTags() {
+			acl.Add(security.BlessingPattern(b), string(tag))
+		}
 	}
-
-	labels := security.AllLabels
-	for _, name := range blessings {
-		// TODO(rjkroege): Use custom labels.
-		acl.In[security.BlessingPattern(name)] = labels
-	}
-
 	aclDir := path.Join(instanceDir, "acls")
 	aclData := path.Join(aclDir, "data")
 	aclSig := path.Join(aclDir, "signature")
-
 	return writeACLs(aclData, aclSig, aclDir, acl)
 }
 
@@ -663,7 +650,7 @@
 		return instanceDir, instanceID, err
 	}
 
-	if err := initializeInstanceACLs(instanceDir, call.RemoteBlessings().ForContext(call), i.nodeACL); err != nil {
+	if err := initializeInstanceACLs(instanceDir, call.RemoteBlessings().ForContext(call), i.nodeACL.Copy()); err != nil {
 		return instanceDir, instanceID, err
 	}
 	return instanceDir, instanceID, nil
@@ -1260,7 +1247,7 @@
 }
 
 // TODO(rjkroege): Consider maintaining an in-memory ACL cache.
-func (i *appService) SetACL(_ ipc.ServerContext, acl security.ACL, etag string) error {
+func (i *appService) SetACL(_ ipc.ServerContext, acl access.TaggedACLMap, etag string) error {
 	dir, err := dirFromSuffix(i.suffix, i.config.Root)
 	if err != nil {
 		return err
@@ -1268,10 +1255,10 @@
 	return setAppACL(i.locks, dir, acl, etag)
 }
 
-func (i *appService) GetACL(_ ipc.ServerContext) (acl security.ACL, etag string, err error) {
+func (i *appService) GetACL(_ ipc.ServerContext) (acl access.TaggedACLMap, etag string, err error) {
 	dir, err := dirFromSuffix(i.suffix, i.config.Root)
 	if err != nil {
-		return security.ACL{}, "", err
+		return nil, "", err
 	}
 	return getAppACL(i.locks, dir)
 }
diff --git a/services/mgmt/node/impl/dispatcher.go b/services/mgmt/node/impl/dispatcher.go
index 47d5092..deeddcd 100644
--- a/services/mgmt/node/impl/dispatcher.go
+++ b/services/mgmt/node/impl/dispatcher.go
@@ -12,7 +12,6 @@
 	"strings"
 	"sync"
 
-	vsecurity "veyron.io/veyron/veyron/security"
 	"veyron.io/veyron/veyron/security/agent"
 	"veyron.io/veyron/veyron/security/agent/keymgr"
 	vflag "veyron.io/veyron/veyron/security/flag"
@@ -48,7 +47,7 @@
 type dispatcher struct {
 	// acl/auth hold the acl and authorizer used to authorize access to the
 	// node manager methods.
-	acl  security.ACL
+	acl  access.TaggedACLMap
 	auth security.Authorizer
 	// etag holds the version string for the ACL. We use this for optimistic
 	// concurrency control when clients update the ACLs for the node manager.
@@ -124,7 +123,7 @@
 		if err != nil {
 			return nil, fmt.Errorf("failed to read nodemanager ACL file:%v", err)
 		}
-		acl, err := vsecurity.LoadACL(reader)
+		acl, err := access.ReadTaggedACLMap(reader)
 		if err != nil {
 			return nil, fmt.Errorf("failed to load nodemanager ACL:%v", err)
 		}
@@ -135,7 +134,7 @@
 		if d.auth = vflag.NewAuthorizerOrDie(); d.auth == nil {
 			// If there are no specified ACLs we grant nodemanager access to all
 			// principals until it is claimed.
-			d.auth = vsecurity.NewACLAuthorizer(vsecurity.OpenACL())
+			d.auth = allowEveryone{}
 		}
 	}
 	// If we're in 'security agent mode', set up the key manager agent.
@@ -167,9 +166,11 @@
 	rt.R().Principal().BlessingStore().Set(proof, security.AllPrincipals)
 	rt.R().Principal().BlessingStore().SetDefault(proof)
 	// Create ACLs to transfer nodemanager permissions to the provided identity.
-	acl := security.ACL{In: make(map[security.BlessingPattern]security.LabelSet)}
-	for _, name := range names {
-		acl.In[security.BlessingPattern(name)] = security.AllLabels
+	acl := make(access.TaggedACLMap)
+	for _, n := range names {
+		for _, tag := range access.AllTypicalTags() {
+			acl.Add(security.BlessingPattern(n), string(tag))
+		}
 	}
 	_, etag, err := d.getACL()
 	if err != nil {
@@ -184,7 +185,7 @@
 }
 
 // TODO(rjkroege): Further refactor ACL-setting code.
-func setAppACL(locks aclLocks, dir string, acl security.ACL, etag string) error {
+func setAppACL(locks aclLocks, dir string, acl access.TaggedACLMap, etag string) error {
 	aclpath := path.Join(dir, "acls", "data")
 	sigpath := path.Join(dir, "acls", "signature")
 
@@ -204,9 +205,9 @@
 	}
 	defer f.Close()
 
-	curACL, err := vsecurity.LoadACL(f)
+	curACL, err := access.ReadTaggedACLMap(f)
 	if err != nil {
-		vlog.Errorf("LoadACL(%s) failed: %v", aclpath, err)
+		vlog.Errorf("ReadTaggedACLMap(%s) failed: %v", aclpath, err)
 		return err
 	}
 	curEtag, err := computeEtag(curACL)
@@ -222,7 +223,7 @@
 	return writeACLs(aclpath, sigpath, dir, acl)
 }
 
-func getAppACL(locks aclLocks, dir string) (security.ACL, string, error) {
+func getAppACL(locks aclLocks, dir string) (access.TaggedACLMap, string, error) {
 	aclpath := path.Join(dir, "acls", "data")
 
 	// Acquire lock. Locks are per path to an acls file.
@@ -236,30 +237,26 @@
 
 	f, err := os.Open(aclpath)
 	if err != nil {
-		vlog.Errorf("LoadACL(%s) failed: %v", aclpath, err)
-		return security.ACL{}, "", err
+		vlog.Errorf("Open(%s) failed: %v", aclpath, err)
+		return nil, "", err
 	}
 	defer f.Close()
 
-	acl, err := vsecurity.LoadACL(f)
+	acl, err := access.ReadTaggedACLMap(f)
 	if err != nil {
-		vlog.Errorf("LoadACL(%s) failed: %v", aclpath, err)
-		return security.ACL{}, "", err
+		vlog.Errorf("ReadTaggedACLMap(%s) failed: %v", aclpath, err)
+		return nil, "", err
 	}
 	curEtag, err := computeEtag(acl)
 	if err != nil {
-		return security.ACL{}, "", err
-	}
-
-	if err != nil {
-		return security.ACL{}, "", err
+		return nil, "", err
 	}
 	return acl, curEtag, nil
 }
 
-func computeEtag(acl security.ACL) (string, error) {
+func computeEtag(acl access.TaggedACLMap) (string, error) {
 	b := new(bytes.Buffer)
-	if err := vsecurity.SaveACL(b, acl); err != nil {
+	if err := acl.WriteTo(b); err != nil {
 		vlog.Errorf("Failed to save ACL:%v", err)
 		return "", err
 	}
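Review bot: The etag used for optimistic concurrency is a hash over whatever `acl.WriteTo` emits, so it is only stable if WriteTo produces a canonical byte sequence for a TaggedACLMap, which is a Go map; if it iterates the map in native order, two GetACL calls on the same file could return different etags and a later SetACL would spuriously fail. This is inferred from the types, not visible here — confirm in the access package, and record the dependency on computeEtag with a comment such as `// Relies on WriteTo emitting a canonical (key-sorted) encoding; etags are compared byte-for-byte.` computeEtag's body continues past the end of this hunk.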
@@ -269,7 +266,7 @@
 	return etag, nil
 }
 
-func writeACLs(aclFile, sigFile, dir string, acl security.ACL) error {
+func writeACLs(aclFile, sigFile, dir string, acl access.TaggedACLMap) error {
 	// Create dir directory if it does not exist
 	os.MkdirAll(dir, os.FileMode(0700))
 	// Save the object to temporary data and signature files, and then move
@@ -291,7 +288,7 @@
 		vlog.Errorf("Failed to create NewSigningWriteCloser:%v", err)
 		return errOperationFailed
 	}
-	if err = vsecurity.SaveACL(writer, acl); err != nil {
+	if err = acl.WriteTo(writer); err != nil {
 		vlog.Errorf("Failed to SaveACL:%v", err)
 		return errOperationFailed
 	}
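Review bot: The log message on the changed line still says `Failed to SaveACL` although the call is now `acl.WriteTo`; the other hunks in this file renamed their messages (`LoadACL` to `ReadTaggedACLMap`), so this one should follow: `vlog.Errorf("Failed to write ACL:%v", err)`. writeACLs starts and ends outside this hunk.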
@@ -308,7 +305,7 @@
 	return nil
 }
 
-func (d *dispatcher) setACL(acl security.ACL, etag string, writeToFile bool) error {
+func (d *dispatcher) setACL(acl access.TaggedACLMap, etag string, writeToFile bool) error {
 	d.mu.Lock()
 	defer d.mu.Unlock()
 	aclFile, sigFile, nodedata := d.getACLFilePaths()
@@ -326,11 +323,15 @@
 	if err != nil {
 		return err
 	}
-	d.acl, d.etag, d.auth = acl, etag, vsecurity.NewACLAuthorizer(acl)
+	auth, err := access.TaggedACLAuthorizer(acl, access.TypicalTagType())
+	if err != nil {
+		return err
+	}
+	d.acl, d.etag, d.auth = acl, etag, auth
 	return nil
 }
 
-func (d *dispatcher) getACL() (acl security.ACL, etag string, err error) {
+func (d *dispatcher) getACL() (acl access.TaggedACLMap, etag string, err error) {
 	d.mu.RLock()
 	defer d.mu.RUnlock()
 	return d.acl, d.etag, nil
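Review bot: An error from `access.TaggedACLAuthorizer` now returns before `d.acl`, `d.etag` and `d.auth` are updated, but after whatever the statement preceding this hunk did; if that statement is the on-disk write selected by writeToFile (the hunk starts mid-function, so this is inferred), a failure leaves the persisted ACL ahead of the in-memory state and the running authorizer. Building the authorizer first — moving the `auth, err := access.TaggedACLAuthorizer(acl, access.TypicalTagType())` check above the write — keeps the file and the live policy consistent. setACL starts outside this hunk.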
@@ -384,18 +385,15 @@
 				if !instanceStateIs(appInstanceDir, started) {
 					return nil, nil, errInvalidSuffix
 				}
-				var label security.Label
 				var sigStub signatureStub
 				if kind == "pprof" {
-					label = security.DebugLabel
 					sigStub = pprof.PProfServer(nil)
 				} else {
-					label = security.DebugLabel | security.MonitoringLabel
 					sigStub = stats.StatsServer(nil)
 				}
 				suffix := naming.Join("__debug", naming.Join(components[4:]...))
 				remote := naming.JoinAddressName(info.AppCycleMgrName, suffix)
-				return &proxyInvoker{remote, label, sigStub}, d.auth, nil
+				return &proxyInvoker{remote, access.Debug, sigStub}, d.auth, nil
 			}
 		}
 		nodeACLs, _, err := d.getACL()
@@ -445,23 +443,27 @@
 		return sec, nil
 	}
 	// Otherwise, we require a per-installation and per-instance ACL file.
-
 	if len(suffix) == 2 {
 		p, err := installationDirCore(suffix, config.Root)
 		if err != nil {
 			vlog.Errorf("newAppSpecificAuthorizer failed: %v", err)
 			return nil, err
 		}
-		p = path.Join(p, "acls", "data")
-		return vsecurity.NewFileACLAuthorizer(p), nil
-	} else if len(suffix) > 2 {
+		return access.TaggedACLAuthorizerFromFile(path.Join(p, "acls", "data"), access.TypicalTagType())
+	}
+	if len(suffix) > 2 {
 		p, err := instanceDir(config.Root, suffix[0:3])
 		if err != nil {
 			vlog.Errorf("newAppSpecificAuthorizer failed: %v", err)
 			return nil, err
 		}
-		p = path.Join(p, "acls", "data")
-		return vsecurity.NewFileACLAuthorizer(p), nil
+		return access.TaggedACLAuthorizerFromFile(path.Join(p, "acls", "data"), access.TypicalTagType())
 	}
 	return nil, errInvalidSuffix
 }
+
+// allowEveryone implements the authorization policy that allows all principals
+// access.
+type allowEveryone struct{}
+
+func (allowEveryone) Authorize(security.Context) error { return nil }
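Review bot: `allowEveryone` is the authorizer installed for an unclaimed node manager (the `d.auth = allowEveryone{}` hunk earlier in this file), but its comment does not say it is meant only as the pre-claim fallback, and nothing checks at compile time that it satisfies `security.Authorizer`. Expanding the comment to `// allowEveryone is the authorizer used until the node manager is claimed; it grants every principal access to every method.` and adding `var _ security.Authorizer = allowEveryone{}` documents the intent and catches interface drift. The rewritten branches in newAppSpecificAuthorizer also stop logging when `access.TaggedACLAuthorizerFromFile` fails, unlike the directory-lookup errors just above them; worth confirming that is intended.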
diff --git a/services/mgmt/node/impl/impl_test.go b/services/mgmt/node/impl/impl_test.go
index 170d8cc..06eb18a 100644
--- a/services/mgmt/node/impl/impl_test.go
+++ b/services/mgmt/node/impl/impl_test.go
@@ -37,6 +37,7 @@
 	"veyron.io/veyron/veyron2/services/mgmt/node"
 	"veyron.io/veyron/veyron2/services/mgmt/pprof"
 	"veyron.io/veyron/veyron2/services/mgmt/stats"
+	"veyron.io/veyron/veyron2/services/security/access"
 	"veyron.io/veyron/veyron2/verror"
 	"veyron.io/veyron/veyron2/vlog"
 	"veyron.io/veyron/veyron2/vom"
@@ -46,7 +47,6 @@
 	"veyron.io/veyron/veyron/lib/signals"
 	"veyron.io/veyron/veyron/lib/testutil"
 	tsecurity "veyron.io/veyron/veyron/lib/testutil/security"
-	vsecurity "veyron.io/veyron/veyron/security"
 	"veyron.io/veyron/veyron/services/mgmt/node/config"
 	"veyron.io/veyron/veyron/services/mgmt/node/impl"
 	suidhelper "veyron.io/veyron/veyron/services/mgmt/suidhelper/impl"
@@ -833,10 +833,13 @@
 	if err := nodeStub.Claim(selfRT.NewContext(), &granter{p: selfRT.Principal(), extension: "mydevice"}); err != nil {
 		t.Fatal(err)
 	}
-	expectedACL := security.ACL{In: map[security.BlessingPattern]security.LabelSet{"root/self/mydevice": security.AllLabels}}
+	expectedACL := make(access.TaggedACLMap)
+	for _, tag := range access.AllTypicalTags() {
+		expectedACL[string(tag)] = access.ACL{In: []security.BlessingPattern{"root/self/mydevice"}}
+	}
 	var b bytes.Buffer
-	if err := vsecurity.SaveACL(&b, expectedACL); err != nil {
-		t.Fatalf("Failed to saveACL:%v", err)
+	if err := expectedACL.WriteTo(&b); err != nil {
+		t.Fatalf("Failed to save ACL:%v", err)
 	}
 	md5hash := md5.Sum(b.Bytes())
 	expectedETAG := hex.EncodeToString(md5hash[:])
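Review bot: `expectedACL` is built by assigning `access.ACL{In: ...}` directly into the map, while `newACL` in the next hunk and the production code use `Add`; if `Add` ever populates anything beyond `In` (not visible here), the expected etag would silently stop matching the one the server computes. Building the expected value the same way, `expectedACL.Add("root/self/mydevice", string(tag))`, keeps the test independent of the map's internal layout.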
@@ -850,7 +853,10 @@
 	if err := tryInstall(otherRT); err == nil {
 		t.Fatalf("Install should have failed with random identity")
 	}
-	newACL := security.ACL{In: map[security.BlessingPattern]security.LabelSet{"root/other": security.AllLabels}}
+	newACL := make(access.TaggedACLMap)
+	for _, tag := range access.AllTypicalTags() {
+		newACL.Add("root/other", string(tag))
+	}
 	if err := nodeStub.SetACL(selfRT.NewContext(), newACL, "invalid"); err == nil {
 		t.Fatalf("SetACL should have failed with invalid etag")
 	}
@@ -1282,7 +1288,7 @@
 	if err != nil {
 		t.Fatalf("GetACL failed %v", err)
 	}
-	newACL.In["root/other/..."] = security.LabelSet(security.WriteLabel)
+	newACL.Add("root/other", string(access.Write))
 	if err := nodeStub.SetACL(selfRT.NewContext(), newACL, ""); err != nil {
 		t.Fatalf("SetACL failed %v", err)
 	}
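Review bot: The old assertion granted the pattern `root/other/...` (root/other and any extension of it), while the new line grants the exact pattern `root/other`; the following hunk makes the same substitution. If BlessingPattern matching did not change in this commit, the test now exercises a narrower grant than before, so either the pattern should stay `root/other/...` or a comment should note why the exact pattern is now sufficient. The enclosing test function starts and ends outside this hunk.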
@@ -1299,7 +1305,7 @@
 	if err != nil {
 		t.Fatalf("GetACL on appID: %v failed %v", appID, err)
 	}
-	newACL.In["root/other/..."] = security.LabelSet(security.ReadLabel)
+	newACL.Add("root/other", string(access.Read))
 	if err = appStub(appID).SetACL(selfRT.NewContext(), newACL, ""); err != nil {
 		t.Fatalf("SetACL on appID: %v failed: %v", appID, err)
 	}
diff --git a/services/mgmt/node/impl/node_service.go b/services/mgmt/node/impl/node_service.go
index 98fb0c0..0d4799a 100644
--- a/services/mgmt/node/impl/node_service.go
+++ b/services/mgmt/node/impl/node_service.go
@@ -43,10 +43,10 @@
 	"veyron.io/veyron/veyron2/mgmt"
 	"veyron.io/veyron/veyron2/naming"
 	"veyron.io/veyron/veyron2/rt"
-	"veyron.io/veyron/veyron2/security"
 	"veyron.io/veyron/veyron2/services/mgmt/application"
 	"veyron.io/veyron/veyron2/services/mgmt/binary"
 	"veyron.io/veyron/veyron2/services/mgmt/node"
+	"veyron.io/veyron/veyron2/services/security/access"
 	"veyron.io/veyron/veyron2/vlog"
 
 	vexec "veyron.io/veyron/veyron/lib/exec"
@@ -436,11 +436,11 @@
 	return nil
 }
 
-func (i *nodeService) SetACL(_ ipc.ServerContext, acl security.ACL, etag string) error {
+func (i *nodeService) SetACL(_ ipc.ServerContext, acl access.TaggedACLMap, etag string) error {
 	return i.disp.setACL(acl, etag, true /* store ACL on disk */)
 }
 
-func (i *nodeService) GetACL(_ ipc.ServerContext) (acl security.ACL, etag string, err error) {
+func (i *nodeService) GetACL(_ ipc.ServerContext) (acl access.TaggedACLMap, etag string, err error) {
 	return i.disp.getACL()
 }
 
diff --git a/services/mgmt/node/impl/proxy_invoker.go b/services/mgmt/node/impl/proxy_invoker.go
index 33914e7..1f8cf98 100644
--- a/services/mgmt/node/impl/proxy_invoker.go
+++ b/services/mgmt/node/impl/proxy_invoker.go
@@ -6,7 +6,7 @@
 
 	"veyron.io/veyron/veyron2/ipc"
 	"veyron.io/veyron/veyron2/rt"
-	"veyron.io/veyron/veyron2/security"
+	"veyron.io/veyron/veyron2/services/security/access"
 )
 
 // proxyInvoker is an ipc.Invoker implementation that proxies all requests
@@ -14,11 +14,11 @@
 // <remote> transparently.
 //
 // remote is the name of the remote object.
-// label is the security label required to access this object.
+// access is the access tag require to access the object.
 // sigStub is used to get the signature of the remote object.
 type proxyInvoker struct {
 	remote  string
-	label   security.Label
+	access  access.Tag
 	sigStub signatureStub
 }
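Review bot: The new doc line reads `access is the access tag require to access the object.` — `require` should be `required`, and naming the field `access` after the imported `access` package reads awkwardly where `p.access` sits next to `access.Tag` (see the `tags = []interface{}{p.access}` hunk below). Renaming the field to `tag access.Tag` with the comment `// tag is the access tag required to reach the remote object.` would be clearer; the constructors in dispatcher.go and proxy_invoker_test.go are positional literals, so they would not need to change.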
 
@@ -34,7 +34,7 @@
 		var x interface{}
 		argptrs[i] = &x
 	}
-	tags = []interface{}{p.label}
+	tags = []interface{}{p.access}
 	return
 }
 
diff --git a/services/mgmt/node/impl/proxy_invoker_test.go b/services/mgmt/node/impl/proxy_invoker_test.go
index 0fcb836..b729d10 100644
--- a/services/mgmt/node/impl/proxy_invoker_test.go
+++ b/services/mgmt/node/impl/proxy_invoker_test.go
@@ -11,6 +11,7 @@
 	"veyron.io/veyron/veyron2/security"
 	"veyron.io/veyron/veyron2/services/mgmt/stats"
 	"veyron.io/veyron/veyron2/services/mounttable"
+	"veyron.io/veyron/veyron2/services/security/access"
 )
 
 // TODO(toddw): Add tests of Signature and MethodSignature.
@@ -45,7 +46,6 @@
 	}
 	disp := &proxyDispatcher{
 		naming.JoinAddressName(ep1.String(), "__debug/stats"),
-		security.Label(security.AllLabels),
 		stats.StatsServer(nil),
 	}
 	if err := server2.ServeDispatcher("", disp); err != nil {
@@ -97,10 +97,9 @@
 
 type proxyDispatcher struct {
 	remote  string
-	label   security.Label
 	sigStub signatureStub
 }
 
 func (d *proxyDispatcher) Lookup(suffix string) (interface{}, security.Authorizer, error) {
-	return &proxyInvoker{naming.Join(d.remote, suffix), d.label, d.sigStub}, nil, nil
+	return &proxyInvoker{naming.Join(d.remote, suffix), access.Debug, d.sigStub}, nil, nil
 }
diff --git a/services/mgmt/repository/repository.vdl b/services/mgmt/repository/repository.vdl
index 3b553b8..ab9acb4 100644
--- a/services/mgmt/repository/repository.vdl
+++ b/services/mgmt/repository/repository.vdl
@@ -4,8 +4,8 @@
 
 import (
 	"veyron.io/veyron/veyron/services/mgmt/profile"
-	"veyron.io/veyron/veyron2/security"
 	"veyron.io/veyron/veyron2/services/mgmt/application"
+	"veyron.io/veyron/veyron2/services/security/access"
 	public "veyron.io/veyron/veyron2/services/mgmt/repository"
 )
 
@@ -17,7 +17,7 @@
 	// Put adds the given tuple of application version (specified
 	// through the object name suffix) and application envelope to all
 	// of the given application profiles.
-	Put(Profiles []string, Envelope application.Envelope) error {security.WriteLabel}
+	Put(Profiles []string, Envelope application.Envelope) error {access.Write}
 	// Remove removes the application envelope for the given profile
 	// name and application version (specified through the object name
 	// suffix). If no version is specified as part of the suffix, the
@@ -25,7 +25,7 @@
 	//
 	// TODO(jsimsa): Add support for using "*" to specify all profiles
 	// when Matt implements Globing (or Ken implements querying).
-	Remove(Profile string) error {security.WriteLabel}
+	Remove(Profile string) error {access.Write}
 }
 
 // Profile describes a profile internally. Besides the public Profile
@@ -34,11 +34,11 @@
 	public.Profile
 	// Specification returns the profile specification for the profile
 	// identified through the object name suffix.
-	Specification() (profile.Specification, error) {security.ReadLabel}
+	Specification() (profile.Specification, error) {access.Read}
 	// Put sets the profile specification for the profile identified
 	// through the object name suffix.
-	Put(Specification profile.Specification) error {security.WriteLabel}
+	Put(Specification profile.Specification) error {access.Write}
 	// Remove removes the profile specification for the profile
 	// identified through the object name suffix.
-	Remove() error {security.WriteLabel}
+	Remove() error {access.Write}
 }
diff --git a/services/mgmt/repository/repository.vdl.go b/services/mgmt/repository/repository.vdl.go
index 028e6f6..48541ae 100644
--- a/services/mgmt/repository/repository.vdl.go
+++ b/services/mgmt/repository/repository.vdl.go
@@ -8,12 +8,12 @@
 import (
 	"veyron.io/veyron/veyron/services/mgmt/profile"
 
-	"veyron.io/veyron/veyron2/security"
-
 	"veyron.io/veyron/veyron2/services/mgmt/application"
 
 	"veyron.io/veyron/veyron2/services/mgmt/repository"
 
+	"veyron.io/veyron/veyron2/services/security/access"
+
 	// The non-user imports are prefixed with "__" to prevent collisions.
 	__veyron2 "veyron.io/veyron/veyron2"
 	__context "veyron.io/veyron/veyron2/context"
@@ -232,7 +232,7 @@
 			OutArgs: []__ipc.ArgDesc{
 				{"", ``}, // error
 			},
-			Tags: []__vdlutil.Any{security.Label(4)},
+			Tags: []__vdlutil.Any{access.Tag("Write")},
 		},
 		{
 			Name: "Remove",
@@ -243,7 +243,7 @@
 			OutArgs: []__ipc.ArgDesc{
 				{"", ``}, // error
 			},
-			Tags: []__vdlutil.Any{security.Label(4)},
+			Tags: []__vdlutil.Any{access.Tag("Write")},
 		},
 	},
 }
@@ -536,7 +536,7 @@
 				{"", ``}, // profile.Specification
 				{"", ``}, // error
 			},
-			Tags: []__vdlutil.Any{security.Label(2)},
+			Tags: []__vdlutil.Any{access.Tag("Read")},
 		},
 		{
 			Name: "Put",
@@ -547,7 +547,7 @@
 			OutArgs: []__ipc.ArgDesc{
 				{"", ``}, // error
 			},
-			Tags: []__vdlutil.Any{security.Label(4)},
+			Tags: []__vdlutil.Any{access.Tag("Write")},
 		},
 		{
 			Name: "Remove",
@@ -555,7 +555,7 @@
 			OutArgs: []__ipc.ArgDesc{
 				{"", ``}, // error
 			},
-			Tags: []__vdlutil.Any{security.Label(4)},
+			Tags: []__vdlutil.Any{access.Tag("Write")},
 		},
 	},
 }