Merge tag 'selinux-pr-20190917' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:

 - Add LSM hooks, and SELinux access control hooks, for dnotify,
   fanotify, and inotify watches. This has been discussed with both the
   LSM and fs/notify folks and everybody is good with these new hooks.

 - The LSM stacking changes missed a few calls to current_security() in
   the SELinux code; we fix those and remove current_security() for
   good.

 - Improve our network object labeling cache so that we always return
   the object's label, even when under memory pressure. Previously we
   would return an error if we couldn't allocate a new cache entry, now
   we always return the label even if we can't create a new cache entry
   for it.

 - Convert the sidtab atomic_t counter to a normal u32 with
   READ/WRITE_ONCE() and memory barrier protection.

 - A few patches to policydb.c to clean things up (remove forward
   declarations, long lines, bad variable names, etc)

* tag 'selinux-pr-20190917' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  lsm: remove current_security()
  selinux: fix residual uses of current_security() for the SELinux blob
  selinux: avoid atomic_t usage in sidtab
  fanotify, inotify, dnotify, security: add security hook for fs notifications
  selinux: always return a secid from the network caches if we find one
  selinux: policydb - rename type_val_to_struct_array
  selinux: policydb - fix some checkpatch.pl warnings
  selinux: shuffle around policydb.c to get rid of forward declarations

1 files changed, 14 insertions, 16 deletions

diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index cae1fcaffd1a..9ab84efa46c7 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -189,9 +189,9 @@ static void sel_netnode_insert(struct sel_netnode *node)
  */
 static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 {
-        int ret = -ENOMEM;
+        int ret;
         struct sel_netnode *node;
-        struct sel_netnode *new = NULL;
+        struct sel_netnode *new;
 
         spin_lock_bh(&sel_netnode_lock);
         node = sel_netnode_find(addr, family);
@@ -200,38 +200,36 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
                 spin_unlock_bh(&sel_netnode_lock);
                 return 0;
         }
+
         new = kzalloc(sizeof(*new), GFP_ATOMIC);
-        if (new == NULL)
-                goto out;
         switch (family) {
         case PF_INET:
                 ret = security_node_sid(&selinux_state, PF_INET,
                                         addr, sizeof(struct in_addr), sid);
-                new->nsec.addr.ipv4 = *(__be32 *)addr;
+                if (new)
+                        new->nsec.addr.ipv4 = *(__be32 *)addr;
                 break;
         case PF_INET6:
                 ret = security_node_sid(&selinux_state, PF_INET6,
                                         addr, sizeof(struct in6_addr), sid);
-                new->nsec.addr.ipv6 = *(struct in6_addr *)addr;
+                if (new)
+                        new->nsec.addr.ipv6 = *(struct in6_addr *)addr;
                 break;
         default:
                 BUG();
                 ret = -EINVAL;
         }
-        if (ret != 0)
-                goto out;
-
-        new->nsec.family = family;
-        new->nsec.sid = *sid;
-        sel_netnode_insert(new);
+        if (ret == 0 && new) {
+                new->nsec.family = family;
+                new->nsec.sid = *sid;
+                sel_netnode_insert(new);
+        } else
+                kfree(new);
 
-out:
         spin_unlock_bh(&sel_netnode_lock);
-        if (unlikely(ret)) {
+        if (unlikely(ret))
                 pr_warn("SELinux: failure in %s(), unable to determine network node label\n",
                         __func__);
-                kfree(new);
-        }
         return ret;
 }