NetLabel: SELinux cleanups

This patch does a lot of cleanup in the SELinux NetLabel support code.  A
summary of the changes include:

* Use RCU locking for the NetLabel state variable in the skk_security_struct
  instead of using the inode_security_struct mutex.
* Remove unnecessary parameters in selinux_netlbl_socket_post_create().
* Rename selinux_netlbl_sk_clone_security() to
  selinux_netlbl_sk_security_clone() to better fit the other NetLabel
  sk_security functions.
* Improvements to selinux_netlbl_inode_permission() to help reduce the cost of
  the common case.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 13 insertions, 8 deletions

diff --git a/security/selinux/include/selinux_netlabel.h b/security/selinux/include/selinux_netlabel.h
index 9de10cc2cef2..57943f4a8f90 100644
--- a/security/selinux/include/selinux_netlabel.h
+++ b/security/selinux/include/selinux_netlabel.h
@@ -38,9 +38,7 @@
 
 #ifdef CONFIG_NETLABEL
 void selinux_netlbl_cache_invalidate(void);
-int selinux_netlbl_socket_post_create(struct socket *sock,
-                                      int sock_family,
-                                      u32 sid);
+int selinux_netlbl_socket_post_create(struct socket *sock);
 void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock);
 u32 selinux_netlbl_inet_conn_request(struct sk_buff *skb, u32 sock_sid);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
@@ -48,9 +46,11 @@ int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
                                 struct avc_audit_data *ad);
 u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock);
 u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb);
+void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec,
+                                      int family);
 void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec,
                                      int family);
-void selinux_netlbl_sk_clone_security(struct sk_security_struct *ssec,
+void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec,
                                       struct sk_security_struct *newssec);
 int selinux_netlbl_inode_permission(struct inode *inode, int mask);
 int selinux_netlbl_socket_setsockopt(struct socket *sock,
@@ -62,9 +62,7 @@ static inline void selinux_netlbl_cache_invalidate(void)
         return;
 }
 
-static inline int selinux_netlbl_socket_post_create(struct socket *sock,
-                                                    int sock_family,
-                                                    u32 sid)
+static inline int selinux_netlbl_socket_post_create(struct socket *sock)
 {
         return 0;
 }
@@ -98,6 +96,13 @@ static inline u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
         return SECSID_NULL;
 }
 
+static inline void selinux_netlbl_sk_security_reset(
+                                               struct sk_security_struct *ssec,
+                                               int family)
+{
+        return;
+}
+
 static inline void selinux_netlbl_sk_security_init(
                                                struct sk_security_struct *ssec,
                                                int family)
@@ -105,7 +110,7 @@ static inline void selinux_netlbl_sk_security_init(
         return;
 }
 
-static inline void selinux_netlbl_sk_clone_security(
+static inline void selinux_netlbl_sk_security_clone(
                                            struct sk_security_struct *ssec,
                                            struct sk_security_struct *newssec)
 {