diff options
| author | Ondrej Mosnacek <omosnace@redhat.com> | 2018-11-13 08:52:53 -0500 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2018-11-20 16:38:14 -0500 |
| commit | 5386e6caa6711407182573e2b0344fe908b0fbcc (patch) | |
| tree | e03f89d863f28a5a26e23858f78814e7fab949e5 | |
| parent | 0427612cddef07568ba80596a02089181092783d (diff) | |
selinux: refactor sidtab conversion
This is a purely cosmetic change that encapsulates the three-step sidtab
conversion logic (shutdown -> clone -> map) into a single function
defined in sidtab.c (as opposed to services.c).
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: whitespaces fixes to make checkpatch happy]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | security/selinux/ss/services.c | 22 | ||||
| -rw-r--r-- | security/selinux/ss/sidtab.c | 50 | ||||
| -rw-r--r-- | security/selinux/ss/sidtab.h | 11 |
3 files changed, 42 insertions, 41 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 12e414394530..7337db24a6a8 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -1880,19 +1880,6 @@ int security_change_sid(struct selinux_state *state, | |||
| 1880 | out_sid, false); | 1880 | out_sid, false); |
| 1881 | } | 1881 | } |
| 1882 | 1882 | ||
| 1883 | /* Clone the SID into the new SID table. */ | ||
| 1884 | static int clone_sid(u32 sid, | ||
| 1885 | struct context *context, | ||
| 1886 | void *arg) | ||
| 1887 | { | ||
| 1888 | struct sidtab *s = arg; | ||
| 1889 | |||
| 1890 | if (sid > SECINITSID_NUM) | ||
| 1891 | return sidtab_insert(s, sid, context); | ||
| 1892 | else | ||
| 1893 | return 0; | ||
| 1894 | } | ||
| 1895 | |||
| 1896 | static inline int convert_context_handle_invalid_context( | 1883 | static inline int convert_context_handle_invalid_context( |
| 1897 | struct selinux_state *state, | 1884 | struct selinux_state *state, |
| 1898 | struct context *context) | 1885 | struct context *context) |
| @@ -2186,13 +2173,6 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) | |||
| 2186 | goto err; | 2173 | goto err; |
| 2187 | } | 2174 | } |
| 2188 | 2175 | ||
| 2189 | /* Clone the SID table. */ | ||
| 2190 | sidtab_shutdown(sidtab); | ||
| 2191 | |||
| 2192 | rc = sidtab_map(sidtab, clone_sid, &newsidtab); | ||
| 2193 | if (rc) | ||
| 2194 | goto err; | ||
| 2195 | |||
| 2196 | /* | 2176 | /* |
| 2197 | * Convert the internal representations of contexts | 2177 | * Convert the internal representations of contexts |
| 2198 | * in the new SID table. | 2178 | * in the new SID table. |
| @@ -2200,7 +2180,7 @@ int security_load_policy(struct selinux_state *state, void *data, size_t len) | |||
| 2200 | args.state = state; | 2180 | args.state = state; |
| 2201 | args.oldp = policydb; | 2181 | args.oldp = policydb; |
| 2202 | args.newp = newpolicydb; | 2182 | args.newp = newpolicydb; |
| 2203 | rc = sidtab_map(&newsidtab, convert_context, &args); | 2183 | rc = sidtab_convert(sidtab, &newsidtab, convert_context, &args); |
| 2204 | if (rc) { | 2184 | if (rc) { |
| 2205 | pr_err("SELinux: unable to convert the internal" | 2185 | pr_err("SELinux: unable to convert the internal" |
| 2206 | " representation of contexts in the new SID" | 2186 | " representation of contexts in the new SID" |
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index fd75a12fa8fc..ccc0ea230df4 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c | |||
| @@ -116,11 +116,11 @@ struct context *sidtab_search_force(struct sidtab *s, u32 sid) | |||
| 116 | return sidtab_search_core(s, sid, 1); | 116 | return sidtab_search_core(s, sid, 1); |
| 117 | } | 117 | } |
| 118 | 118 | ||
| 119 | int sidtab_map(struct sidtab *s, | 119 | static int sidtab_map(struct sidtab *s, |
| 120 | int (*apply) (u32 sid, | 120 | int (*apply)(u32 sid, |
| 121 | struct context *context, | 121 | struct context *context, |
| 122 | void *args), | 122 | void *args), |
| 123 | void *args) | 123 | void *args) |
| 124 | { | 124 | { |
| 125 | int i, rc = 0; | 125 | int i, rc = 0; |
| 126 | struct sidtab_node *cur; | 126 | struct sidtab_node *cur; |
| @@ -141,6 +141,37 @@ out: | |||
| 141 | return rc; | 141 | return rc; |
| 142 | } | 142 | } |
| 143 | 143 | ||
| 144 | /* Clone the SID into the new SID table. */ | ||
| 145 | static int clone_sid(u32 sid, struct context *context, void *arg) | ||
| 146 | { | ||
| 147 | struct sidtab *s = arg; | ||
| 148 | |||
| 149 | if (sid > SECINITSID_NUM) | ||
| 150 | return sidtab_insert(s, sid, context); | ||
| 151 | else | ||
| 152 | return 0; | ||
| 153 | } | ||
| 154 | |||
| 155 | int sidtab_convert(struct sidtab *s, struct sidtab *news, | ||
| 156 | int (*convert)(u32 sid, | ||
| 157 | struct context *context, | ||
| 158 | void *args), | ||
| 159 | void *args) | ||
| 160 | { | ||
| 161 | unsigned long flags; | ||
| 162 | int rc; | ||
| 163 | |||
| 164 | spin_lock_irqsave(&s->lock, flags); | ||
| 165 | s->shutdown = 1; | ||
| 166 | spin_unlock_irqrestore(&s->lock, flags); | ||
| 167 | |||
| 168 | rc = sidtab_map(s, clone_sid, news); | ||
| 169 | if (rc) | ||
| 170 | return rc; | ||
| 171 | |||
| 172 | return sidtab_map(news, convert, args); | ||
| 173 | } | ||
| 174 | |||
| 144 | static void sidtab_update_cache(struct sidtab *s, struct sidtab_node *n, int loc) | 175 | static void sidtab_update_cache(struct sidtab *s, struct sidtab_node *n, int loc) |
| 145 | { | 176 | { |
| 146 | BUG_ON(loc >= SIDTAB_CACHE_LEN); | 177 | BUG_ON(loc >= SIDTAB_CACHE_LEN); |
| @@ -295,12 +326,3 @@ void sidtab_set(struct sidtab *dst, struct sidtab *src) | |||
| 295 | dst->cache[i] = NULL; | 326 | dst->cache[i] = NULL; |
| 296 | spin_unlock_irqrestore(&src->lock, flags); | 327 | spin_unlock_irqrestore(&src->lock, flags); |
| 297 | } | 328 | } |
| 298 | |||
| 299 | void sidtab_shutdown(struct sidtab *s) | ||
| 300 | { | ||
| 301 | unsigned long flags; | ||
| 302 | |||
| 303 | spin_lock_irqsave(&s->lock, flags); | ||
| 304 | s->shutdown = 1; | ||
| 305 | spin_unlock_irqrestore(&s->lock, flags); | ||
| 306 | } | ||
diff --git a/security/selinux/ss/sidtab.h b/security/selinux/ss/sidtab.h index a1a1d2617b6f..e1d1f0beb17c 100644 --- a/security/selinux/ss/sidtab.h +++ b/security/selinux/ss/sidtab.h | |||
| @@ -37,11 +37,11 @@ int sidtab_insert(struct sidtab *s, u32 sid, struct context *context); | |||
| 37 | struct context *sidtab_search(struct sidtab *s, u32 sid); | 37 | struct context *sidtab_search(struct sidtab *s, u32 sid); |
| 38 | struct context *sidtab_search_force(struct sidtab *s, u32 sid); | 38 | struct context *sidtab_search_force(struct sidtab *s, u32 sid); |
| 39 | 39 | ||
| 40 | int sidtab_map(struct sidtab *s, | 40 | int sidtab_convert(struct sidtab *s, struct sidtab *news, |
| 41 | int (*apply) (u32 sid, | 41 | int (*apply)(u32 sid, |
| 42 | struct context *context, | 42 | struct context *context, |
| 43 | void *args), | 43 | void *args), |
| 44 | void *args); | 44 | void *args); |
| 45 | 45 | ||
| 46 | int sidtab_context_to_sid(struct sidtab *s, | 46 | int sidtab_context_to_sid(struct sidtab *s, |
| 47 | struct context *context, | 47 | struct context *context, |
| @@ -50,7 +50,6 @@ int sidtab_context_to_sid(struct sidtab *s, | |||
| 50 | void sidtab_hash_eval(struct sidtab *h, char *tag); | 50 | void sidtab_hash_eval(struct sidtab *h, char *tag); |
| 51 | void sidtab_destroy(struct sidtab *s); | 51 | void sidtab_destroy(struct sidtab *s); |
| 52 | void sidtab_set(struct sidtab *dst, struct sidtab *src); | 52 | void sidtab_set(struct sidtab *dst, struct sidtab *src); |
| 53 | void sidtab_shutdown(struct sidtab *s); | ||
| 54 | 53 | ||
| 55 | #endif /* _SS_SIDTAB_H_ */ | 54 | #endif /* _SS_SIDTAB_H_ */ |
| 56 | 55 | ||