diff options
| author | Ondrej Mosnacek <omosnace@redhat.com> | 2019-01-25 05:06:48 -0500 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2019-01-25 17:04:29 -0500 |
| commit | a2c513835bb6c6ca660ae4ecda8ff9f676e47e55 (patch) | |
| tree | edf1d5916668db1a2136990c77e6dbc0ff048683 /security/selinux/avc.c | |
| parent | 53e0c2aa9a59a48e3798ef193d573ade85aa80f5 (diff) | |
selinux: inline some AVC functions used only once
avc_dump_av() and avc_dump_query() are each used only in one place. Get
rid of them and open code their contents in the call sites.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/avc.c')
| -rw-r--r-- | security/selinux/avc.c | 140 |
1 files changed, 58 insertions, 82 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 9b63d8ee1687..502162eeb3a0 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c | |||
| @@ -130,75 +130,6 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) | |||
| 130 | } | 130 | } |
| 131 | 131 | ||
| 132 | /** | 132 | /** |
| 133 | * avc_dump_av - Display an access vector in human-readable form. | ||
| 134 | * @tclass: target security class | ||
| 135 | * @av: access vector | ||
| 136 | */ | ||
| 137 | static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) | ||
| 138 | { | ||
| 139 | const char **perms; | ||
| 140 | int i, perm; | ||
| 141 | |||
| 142 | if (av == 0) { | ||
| 143 | audit_log_format(ab, " null"); | ||
| 144 | return; | ||
| 145 | } | ||
| 146 | |||
| 147 | BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); | ||
| 148 | perms = secclass_map[tclass-1].perms; | ||
| 149 | |||
| 150 | audit_log_format(ab, " {"); | ||
| 151 | i = 0; | ||
| 152 | perm = 1; | ||
| 153 | while (i < (sizeof(av) * 8)) { | ||
| 154 | if ((perm & av) && perms[i]) { | ||
| 155 | audit_log_format(ab, " %s", perms[i]); | ||
| 156 | av &= ~perm; | ||
| 157 | } | ||
| 158 | i++; | ||
| 159 | perm <<= 1; | ||
| 160 | } | ||
| 161 | |||
| 162 | if (av) | ||
| 163 | audit_log_format(ab, " 0x%x", av); | ||
| 164 | |||
| 165 | audit_log_format(ab, " }"); | ||
| 166 | } | ||
| 167 | |||
| 168 | /** | ||
| 169 | * avc_dump_query - Display a SID pair and a class in human-readable form. | ||
| 170 | * @ssid: source security identifier | ||
| 171 | * @tsid: target security identifier | ||
| 172 | * @tclass: target security class | ||
| 173 | */ | ||
| 174 | static void avc_dump_query(struct audit_buffer *ab, struct selinux_state *state, | ||
| 175 | u32 ssid, u32 tsid, u16 tclass) | ||
| 176 | { | ||
| 177 | int rc; | ||
| 178 | char *scontext; | ||
| 179 | u32 scontext_len; | ||
| 180 | |||
| 181 | rc = security_sid_to_context(state, ssid, &scontext, &scontext_len); | ||
| 182 | if (rc) | ||
| 183 | audit_log_format(ab, "ssid=%d", ssid); | ||
| 184 | else { | ||
| 185 | audit_log_format(ab, "scontext=%s", scontext); | ||
| 186 | kfree(scontext); | ||
| 187 | } | ||
| 188 | |||
| 189 | rc = security_sid_to_context(state, tsid, &scontext, &scontext_len); | ||
| 190 | if (rc) | ||
| 191 | audit_log_format(ab, " tsid=%d", tsid); | ||
| 192 | else { | ||
| 193 | audit_log_format(ab, " tcontext=%s", scontext); | ||
| 194 | kfree(scontext); | ||
| 195 | } | ||
| 196 | |||
| 197 | BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)); | ||
| 198 | audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name); | ||
| 199 | } | ||
| 200 | |||
| 201 | /** | ||
| 202 | * avc_init - Initialize the AVC. | 133 | * avc_init - Initialize the AVC. |
| 203 | * | 134 | * |
| 204 | * Initialize the access vector cache. | 135 | * Initialize the access vector cache. |
| @@ -735,11 +666,37 @@ out: | |||
| 735 | static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) | 666 | static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) |
| 736 | { | 667 | { |
| 737 | struct common_audit_data *ad = a; | 668 | struct common_audit_data *ad = a; |
| 738 | audit_log_format(ab, "avc: %s ", | 669 | struct selinux_audit_data *sad = ad->selinux_audit_data; |
| 739 | ad->selinux_audit_data->denied ? "denied" : "granted"); | 670 | u32 av = sad->audited; |
| 740 | avc_dump_av(ab, ad->selinux_audit_data->tclass, | 671 | const char **perms; |
| 741 | ad->selinux_audit_data->audited); | 672 | int i, perm; |
| 742 | audit_log_format(ab, " for "); | 673 | |
| 674 | audit_log_format(ab, "avc: %s ", sad->denied ? "denied" : "granted"); | ||
| 675 | |||
| 676 | if (av == 0) { | ||
| 677 | audit_log_string(ab, " null"); | ||
| 678 | return; | ||
| 679 | } | ||
| 680 | |||
| 681 | BUG_ON(!sad->tclass || sad->tclass >= ARRAY_SIZE(secclass_map)); | ||
| 682 | perms = secclass_map[sad->tclass-1].perms; | ||
| 683 | |||
| 684 | audit_log_string(ab, " {"); | ||
| 685 | i = 0; | ||
| 686 | perm = 1; | ||
| 687 | while (i < (sizeof(av) * 8)) { | ||
| 688 | if ((perm & av) && perms[i]) { | ||
| 689 | audit_log_format(ab, " %s", perms[i]); | ||
| 690 | av &= ~perm; | ||
| 691 | } | ||
| 692 | i++; | ||
| 693 | perm <<= 1; | ||
| 694 | } | ||
| 695 | |||
| 696 | if (av) | ||
| 697 | audit_log_format(ab, " 0x%x", av); | ||
| 698 | |||
| 699 | audit_log_string(ab, " } for "); | ||
| 743 | } | 700 | } |
| 744 | 701 | ||
| 745 | /** | 702 | /** |
| @@ -751,15 +708,34 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) | |||
| 751 | static void avc_audit_post_callback(struct audit_buffer *ab, void *a) | 708 | static void avc_audit_post_callback(struct audit_buffer *ab, void *a) |
| 752 | { | 709 | { |
| 753 | struct common_audit_data *ad = a; | 710 | struct common_audit_data *ad = a; |
| 754 | audit_log_format(ab, " "); | 711 | struct selinux_audit_data *sad = ad->selinux_audit_data; |
| 755 | avc_dump_query(ab, ad->selinux_audit_data->state, | 712 | char *scontext; |
| 756 | ad->selinux_audit_data->ssid, | 713 | u32 scontext_len; |
| 757 | ad->selinux_audit_data->tsid, | 714 | int rc; |
| 758 | ad->selinux_audit_data->tclass); | 715 | |
| 759 | if (ad->selinux_audit_data->denied) { | 716 | rc = security_sid_to_context(sad->state, sad->ssid, &scontext, |
| 760 | audit_log_format(ab, " permissive=%u", | 717 | &scontext_len); |
| 761 | ad->selinux_audit_data->result ? 0 : 1); | 718 | if (rc) |
| 719 | audit_log_format(ab, " ssid=%d", sad->ssid); | ||
| 720 | else { | ||
| 721 | audit_log_format(ab, " scontext=%s", scontext); | ||
| 722 | kfree(scontext); | ||
| 762 | } | 723 | } |
| 724 | |||
| 725 | rc = security_sid_to_context(sad->state, sad->tsid, &scontext, | ||
| 726 | &scontext_len); | ||
| 727 | if (rc) | ||
| 728 | audit_log_format(ab, " tsid=%d", sad->tsid); | ||
| 729 | else { | ||
| 730 | audit_log_format(ab, " tcontext=%s", scontext); | ||
| 731 | kfree(scontext); | ||
| 732 | } | ||
| 733 | |||
| 734 | BUG_ON(!sad->tclass || sad->tclass >= ARRAY_SIZE(secclass_map)); | ||
| 735 | audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name); | ||
| 736 | |||
| 737 | if (sad->denied) | ||
| 738 | audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1); | ||
| 763 | } | 739 | } |
| 764 | 740 | ||
| 765 | /* This is the slow part of avc audit with big stack footprint */ | 741 | /* This is the slow part of avc audit with big stack footprint */ |