selinux: cleanup selinux_xfrm_policy_lookup() and selinux_xfrm_state_pol_flow_match()

Do some basic simplification and comment reformatting. Signed-off-by: Paul Moore <pmoore@redhat.com> Signed-off-by: Eric Paris <eparis@redhat.com>
author: Paul Moore <pmoore@redhat.com> 2013-07-23 17:38:39 -0400
committer: Eric Paris <eparis@redhat.com> 2013-07-25 13:01:46 -0400
commit: 96484348ad712aed2c6ad7229b848bc1bf6165a8 (patch)
tree: 6f0398d9d83c59d584b64fd9ba201fb30a555236
parent: ccf17cc4b81537c29f0d5950b38b5548b6cb5858 (diff)
1 files changed, 18 insertions, 36 deletions
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index f8d71262b45d..4a7ba4ac487e 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -155,42 +155,30 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
 int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
 {
        int rc;
-        u32 sel_sid;
-        /* Context sid is either set to label or ANY_ASSOC */
+        /* All flows should be treated as polmatch'ing an otherwise applicable
-        if (ctx) {
+         * "non-labeled" policy. This would prevent inadvertent "leaks". */
-                if (!selinux_authorizable_ctx(ctx))
+        if (!ctx)
-                        return -EINVAL;
-                sel_sid = ctx->ctx_sid;
-        } else
-                /*
-                 * All flows should be treated as polmatch'ing an
-                 * otherwise applicable "non-labeled" policy. This
-                 * would prevent inadvertent "leaks".
-                 */
                return 0;
-        rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
+        /* Context sid is either set to label or ANY_ASSOC */
-                          ASSOCIATION__POLMATCH,
+        if (!selinux_authorizable_ctx(ctx))
-                          NULL);
+                return -EINVAL;
-        if (rc == -EACCES)
-                return -ESRCH;
-        return rc;
+        rc = avc_has_perm(fl_secid, ctx->ctx_sid,
+                          SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
+        return (rc == -EACCES ? -ESRCH : rc);
 }
 /*
 * LSM hook implementation that authorizes that a state matches
 * the given policy, flow combo.
 */
+int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
-int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
+                                      struct xfrm_policy *xp,
-                        const struct flowi *fl)
+                                      const struct flowi *fl)
 {
        u32 state_sid;
-        int rc;
        if (!xp->security)
                if (x->security)
@@ -213,18 +201,12 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
        if (fl->flowi_secid != state_sid)
                return 0;
-        rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
+        /* We don't need a separate SA Vs. policy polmatch check since the SA
-                          ASSOCIATION__SENDTO,
+         * is now of the same label as the flow and a flow Vs. policy polmatch
-                          NULL)? 0:1;
+         * check had already happened in selinux_xfrm_policy_lookup() above. */
+        return (avc_has_perm(fl->flowi_secid, state_sid,
-        /*
+                            SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
-         * We don't need a separate SA Vs. policy polmatch check
+                            NULL) ? 0 : 1);
-         * since the SA is now of the same label as the flow and
-         * a flow Vs. policy polmatch check had already happened
-         * in selinux_xfrm_policy_lookup() above.
-         */
-        return rc;
 }
 /*
author	Paul Moore <pmoore@redhat.com>	2013-07-23 17:38:39 -0400
committer	Eric Paris <eparis@redhat.com>	2013-07-25 13:01:46 -0400
commit	96484348ad712aed2c6ad7229b848bc1bf6165a8 (patch)
tree	6f0398d9d83c59d584b64fd9ba201fb30a555236
parent	ccf17cc4b81537c29f0d5950b38b5548b6cb5858 (diff)

diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index f8d71262b45d..4a7ba4ac487e 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c
@@ -155,42 +155,30 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
155	int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)	155	int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
156	{	156	{
157	int rc;	157	int rc;
158	u32 sel_sid;
159		158
160	/* Context sid is either set to label or ANY_ASSOC */	159	/* All flows should be treated as polmatch'ing an otherwise applicable
161	if (ctx) {	160	* "non-labeled" policy. This would prevent inadvertent "leaks". */
162	if (!selinux_authorizable_ctx(ctx))	161	if (!ctx)
163	return -EINVAL;
164
165	sel_sid = ctx->ctx_sid;
166	} else
167	/*
168	* All flows should be treated as polmatch'ing an
169	* otherwise applicable "non-labeled" policy. This
170	* would prevent inadvertent "leaks".
171	*/
172	return 0;	162	return 0;
173		163
174	rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,	164	/* Context sid is either set to label or ANY_ASSOC */
175	ASSOCIATION__POLMATCH,	165	if (!selinux_authorizable_ctx(ctx))
176	NULL);	166	return -EINVAL;
177
178	if (rc == -EACCES)
179	return -ESRCH;
180		167
181	return rc;	168	rc = avc_has_perm(fl_secid, ctx->ctx_sid,
		169	SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
		170	return (rc == -EACCES ? -ESRCH : rc);
182	}	171	}
183		172
184	/*	173	/*
185	* LSM hook implementation that authorizes that a state matches	174	* LSM hook implementation that authorizes that a state matches
186	* the given policy, flow combo.	175	* the given policy, flow combo.
187	*/	176	*/
188		177	int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
189	int selinux_xfrm_state_pol_flow_match(struct xfrm_state x, struct xfrm_policy xp,	178	struct xfrm_policy *xp,
190	const struct flowi *fl)	179	const struct flowi *fl)
191	{	180	{
192	u32 state_sid;	181	u32 state_sid;
193	int rc;
194		182
195	if (!xp->security)	183	if (!xp->security)
196	if (x->security)	184	if (x->security)
@@ -213,18 +201,12 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state x, struct xfrm_policy
213	if (fl->flowi_secid != state_sid)	201	if (fl->flowi_secid != state_sid)
214	return 0;	202	return 0;
215		203
216	rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,	204	/* We don't need a separate SA Vs. policy polmatch check since the SA
217	ASSOCIATION__SENDTO,	205	* is now of the same label as the flow and a flow Vs. policy polmatch
218	NULL)? 0:1;	206	* check had already happened in selinux_xfrm_policy_lookup() above. */
219		207	return (avc_has_perm(fl->flowi_secid, state_sid,
220	/*	208	SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
221	* We don't need a separate SA Vs. policy polmatch check	209	NULL) ? 0 : 1);
222	* since the SA is now of the same label as the flow and
223	* a flow Vs. policy polmatch check had already happened
224	* in selinux_xfrm_policy_lookup() above.
225	*/
226
227	return rc;
228	}	210	}
229		211
230	/*	212	/*