From: Paul Moore <pmoore@redhat.com>
To: linux-security-module@vger.kernel.org, eparis@redhat.com,
selinux@tycho.nsa.gov
Subject: [PATCH 4/9] selinux: cleanup selinux_xfrm_policy_lookup() and selinux_xfrm_state_pol_flow_match()
Date: Tue, 25 Jun 2013 17:18:37 -0400
Message-ID: <20130625211837.5057.30890.stgit@localhost>
In-Reply-To: <20130625211306.5057.31329.stgit@localhost>
Do some basic simplification and comment reformatting.
Signed-off-by: Paul Moore <pmoore@redhat.com>
---
security/selinux/xfrm.c | 54 ++++++++++++++++-------------------------------
1 file changed, 18 insertions(+), 36 deletions(-)
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index f8d7126..4a7ba4a 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -155,42 +155,30 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
int rc;
- u32 sel_sid;
- /* Context sid is either set to label or ANY_ASSOC */
- if (ctx) {
- if (!selinux_authorizable_ctx(ctx))
- return -EINVAL;
-
- sel_sid = ctx->ctx_sid;
- } else
- /*
- * All flows should be treated as polmatch'ing an
- * otherwise applicable "non-labeled" policy. This
- * would prevent inadvertent "leaks".
- */
+ /* All flows should be treated as polmatch'ing an otherwise applicable
+ * "non-labeled" policy. This would prevent inadvertent "leaks". */
+ if (!ctx)
return 0;
- rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
- ASSOCIATION__POLMATCH,
- NULL);
-
- if (rc == -EACCES)
- return -ESRCH;
+ /* Context sid is either set to label or ANY_ASSOC */
+ if (!selinux_authorizable_ctx(ctx))
+ return -EINVAL;
- return rc;
+ rc = avc_has_perm(fl_secid, ctx->ctx_sid,
+ SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
+ return (rc == -EACCES ? -ESRCH : rc);
}
/*
* LSM hook implementation that authorizes that a state matches
* the given policy, flow combo.
*/
-
-int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
- const struct flowi *fl)
+int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
+ struct xfrm_policy *xp,
+ const struct flowi *fl)
{
u32 state_sid;
- int rc;
if (!xp->security)
if (x->security)
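Review bot: the comment carried over into the rewritten selinux_xfrm_policy_lookup(), "Context sid is either set to label or ANY_ASSOC", is now stale: it described the removed sel_sid assignment, but after the reshuffle it sits directly above the selinux_authorizable_ctx() check and no longer matches the line beneath it. Either drop it or reword it to state what the check enforces (that only a context whose label SELinux can authorize against fl_secid is accepted, everything else is -EINVAL). The reordering itself is behaviour-preserving as far as this hunk shows: a NULL ctx still returns 0 before any authorization check, an unauthorizable ctx still returns -EINVAL, and the -EACCES to -ESRCH mapping survives in the single `return (rc == -EACCES ? -ESRCH : rc);`.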
@@ -213,18 +201,12 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
if (fl->flowi_secid != state_sid)
return 0;
- rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
- ASSOCIATION__SENDTO,
- NULL)? 0:1;
-
- /*
- * We don't need a separate SA Vs. policy polmatch check
- * since the SA is now of the same label as the flow and
- * a flow Vs. policy polmatch check had already happened
- * in selinux_xfrm_policy_lookup() above.
- */
-
- return rc;
+ /* We don't need a separate SA Vs. policy polmatch check since the SA
+ * is now of the same label as the flow and a flow Vs. policy polmatch
+ * check had already happened in selinux_xfrm_policy_lookup() above. */
+ return (avc_has_perm(fl->flowi_secid, state_sid,
+ SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
+ NULL) ? 0 : 1);
}
/*
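Review bot: the new `return (avc_has_perm(...) ? 0 : 1);` keeps the old inverted-sense ternary, which is easy to misread in a function whose return value means "this SA matches"; `return !avc_has_perm(fl->flowi_secid, state_sid, ...)` expresses the same thing and makes the relationship explicit (0 from avc_has_perm() means the SENDTO permission is granted, so the match succeeds). As in the original, any non-zero return from avc_has_perm(), including errors other than -EACCES, is folded into "no match"; that is the conservative outcome, but since the function never propagates an error code it is worth a word in the reformatted comment above it. Dropping the `int rc;` declaration is correct now that the result is returned directly, and the three-line reformatting of the selinux_xfrm_state_pol_flow_match() prototype is fine.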
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Thread overview: 12+ messages
2013-06-25 21:18 [PATCH 0/9] Labeled networking patches for 3.11 Paul Moore
2013-06-25 21:18 ` [PATCH 1/9] selinux: fix problems in netnode when BUG() is compiled out Paul Moore
2013-06-25 21:18 ` [PATCH 2/9] lsm: split the xfrm_state_alloc_security() hook implementation Paul Moore
2013-06-25 21:18 ` [PATCH 3/9] selinux: cleanup and consolidate the XFRM alloc/clone/delete/free code Paul Moore
2013-06-25 21:18 ` Paul Moore [this message]
2013-06-25 21:18 ` [PATCH 5/9] selinux: cleanup selinux_xfrm_sock_rcv_skb() and selinux_xfrm_postroute_last() Paul Moore
2013-06-25 21:18 ` [PATCH 6/9] selinux: cleanup some comment and whitespace issues in the XFRM code Paul Moore
2013-06-25 21:19 ` [PATCH 7/9] selinux: cleanup selinux_xfrm_decode_session() Paul Moore
2013-06-25 21:19 ` [PATCH 8/9] selinux: cleanup the XFRM header Paul Moore
2013-06-25 21:19 ` [PATCH 9/9] selinux: remove the BUG_ON() from selinux_skb_xfrm_sid() Paul Moore
2013-06-25 23:53 ` [PATCH 0/9] Labeled networking patches for 3.11 Casey Schaufler
2013-06-26 13:52 ` Paul Moore