Commit 96484348 authored by Paul Moore's avatar Paul Moore Committed by Eric Paris

selinux: cleanup selinux_xfrm_policy_lookup() and selinux_xfrm_state_pol_flow_match()

Do some basic simplification and comment reformatting.
Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent ccf17cc4
...@@ -155,42 +155,30 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) ...@@ -155,42 +155,30 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{ {
int rc; int rc;
u32 sel_sid;
/* Context sid is either set to label or ANY_ASSOC */ /* All flows should be treated as polmatch'ing an otherwise applicable
if (ctx) { * "non-labeled" policy. This would prevent inadvertent "leaks". */
if (!selinux_authorizable_ctx(ctx)) if (!ctx)
return -EINVAL;
sel_sid = ctx->ctx_sid;
} else
/*
* All flows should be treated as polmatch'ing an
* otherwise applicable "non-labeled" policy. This
* would prevent inadvertent "leaks".
*/
return 0; return 0;
rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, /* Context sid is either set to label or ANY_ASSOC */
ASSOCIATION__POLMATCH, if (!selinux_authorizable_ctx(ctx))
NULL); return -EINVAL;
if (rc == -EACCES)
return -ESRCH;
return rc; rc = avc_has_perm(fl_secid, ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
return (rc == -EACCES ? -ESRCH : rc);
} }
/* /*
* LSM hook implementation that authorizes that a state matches * LSM hook implementation that authorizes that a state matches
* the given policy, flow combo. * the given policy, flow combo.
*/ */
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, struct xfrm_policy *xp,
const struct flowi *fl) const struct flowi *fl)
{ {
u32 state_sid; u32 state_sid;
int rc;
if (!xp->security) if (!xp->security)
if (x->security) if (x->security)
...@@ -213,18 +201,12 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy * ...@@ -213,18 +201,12 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
if (fl->flowi_secid != state_sid) if (fl->flowi_secid != state_sid)
return 0; return 0;
rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION, /* We don't need a separate SA Vs. policy polmatch check since the SA
ASSOCIATION__SENDTO, * is now of the same label as the flow and a flow Vs. policy polmatch
NULL)? 0:1; * check had already happened in selinux_xfrm_policy_lookup() above. */
return (avc_has_perm(fl->flowi_secid, state_sid,
/* SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
* We don't need a separate SA Vs. policy polmatch check NULL) ? 0 : 1);
* since the SA is now of the same label as the flow and
* a flow Vs. policy polmatch check had already happened
* in selinux_xfrm_policy_lookup() above.
*/
return rc;
} }
/* /*
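Review bot: The rewritten return in selinux_xfrm_state_pol_flow_match() collapses the avc_has_perm() result with `? 0 : 1`, so every non-zero value — an allocation failure as much as an -EACCES denial — becomes 0 and the caller cannot distinguish an avc error from a label mismatch; the behavior is unchanged from before the commit, but the reflowed comment is the natural place to state it, e.g. add `/* Returns 1 when the flow may use this SA, 0 on denial or any avc error. */` above the return. Both rewritten returns, this one and `return (rc == -EACCES ? -ESRCH : rc);` in selinux_xfrm_policy_lookup(), wrap the expression in parentheses that kernel style ("return is not a function") drops: `return rc == -EACCES ? -ESRCH : rc;`. The start of selinux_xfrm_state_pol_flow_match(), including where state_sid is derived, lies outside the second hunk.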