1 files changed, 4 insertions, 39 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 3b42b154d87c..4a2bf212057b 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -516,16 +516,14 @@ static void type_attribute_bounds_av(struct context *scontext,
                                     u16 tclass,
                                     struct av_decision *avd)
 {
-        struct context lo_scontext;
-        struct context lo_tcontext;
-        struct av_decision lo_avd;
        struct type_datum *source
                = policydb.type_val_to_struct[scontext->type - 1];
-        struct type_datum *target
-                = policydb.type_val_to_struct[tcontext->type - 1];
-        u32 masked = 0;
        if (source->bounds) {
+                struct context lo_scontext;
+                struct av_decision lo_avd;
+                u32 masked;
                memset(&lo_avd, 0, sizeof(lo_avd));
                memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
@@ -538,40 +536,7 @@ static void type_attribute_bounds_av(struct context *scontext,
                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
                        return;         /* no masked permission */
                masked = ~lo_avd.allowed & avd->allowed;
-        }
-        if (target->bounds) {
-                memset(&lo_avd, 0, sizeof(lo_avd));
-                memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
-                lo_tcontext.type = target->bounds;
-                context_struct_compute_av(scontext,
-                                          &lo_tcontext,
-                                          tclass,
-                                          &lo_avd);
-                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
-                        return;         /* no masked permission */
-                masked = ~lo_avd.allowed & avd->allowed;
-        }
-        if (source->bounds && target->bounds) {
-                memset(&lo_avd, 0, sizeof(lo_avd));
-                /*
-                 * lo_scontext and lo_tcontext are already
-                 * set up.
-                 */
-                context_struct_compute_av(&lo_scontext,
-                                          &lo_tcontext,
-                                          tclass,
-                                          &lo_avd);
-                if ((lo_avd.allowed & avd->allowed) == avd->allowed)
-                        return;         /* no masked permission */
-                masked = ~lo_avd.allowed & avd->allowed;
-        }
-        if (masked) {
                /* mask violated permissions */
                avd->allowed &= ~masked;

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 3b42b154d87c..4a2bf212057b 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c
@@ -516,16 +516,14 @@ static void type_attribute_bounds_av(struct context *scontext,
516	u16 tclass,	516	u16 tclass,
517	struct av_decision *avd)	517	struct av_decision *avd)
518	{	518	{
519	struct context lo_scontext;
520	struct context lo_tcontext;
521	struct av_decision lo_avd;
522	struct type_datum *source	519	struct type_datum *source
523	= policydb.type_val_to_struct[scontext->type - 1];	520	= policydb.type_val_to_struct[scontext->type - 1];
524	struct type_datum *target
525	= policydb.type_val_to_struct[tcontext->type - 1];
526	u32 masked = 0;
527		521
528	if (source->bounds) {	522	if (source->bounds) {
		523	struct context lo_scontext;
		524	struct av_decision lo_avd;
		525	u32 masked;
		526
529	memset(&lo_avd, 0, sizeof(lo_avd));	527	memset(&lo_avd, 0, sizeof(lo_avd));
530		528
531	memcpy(&lo_scontext, scontext, sizeof(lo_scontext));	529	memcpy(&lo_scontext, scontext, sizeof(lo_scontext));
@@ -538,40 +536,7 @@ static void type_attribute_bounds_av(struct context *scontext,
538	if ((lo_avd.allowed & avd->allowed) == avd->allowed)	536	if ((lo_avd.allowed & avd->allowed) == avd->allowed)
539	return; /* no masked permission */	537	return; /* no masked permission */
540	masked = ~lo_avd.allowed & avd->allowed;	538	masked = ~lo_avd.allowed & avd->allowed;
541	}
542
543	if (target->bounds) {
544	memset(&lo_avd, 0, sizeof(lo_avd));
545
546	memcpy(&lo_tcontext, tcontext, sizeof(lo_tcontext));
547	lo_tcontext.type = target->bounds;
548
549	context_struct_compute_av(scontext,
550	&lo_tcontext,
551	tclass,
552	&lo_avd);
553	if ((lo_avd.allowed & avd->allowed) == avd->allowed)
554	return; /* no masked permission */
555	masked = ~lo_avd.allowed & avd->allowed;
556	}
557
558	if (source->bounds && target->bounds) {
559	memset(&lo_avd, 0, sizeof(lo_avd));
560	/*
561	* lo_scontext and lo_tcontext are already
562	* set up.
563	*/
564
565	context_struct_compute_av(&lo_scontext,
566	&lo_tcontext,
567	tclass,
568	&lo_avd);
569	if ((lo_avd.allowed & avd->allowed) == avd->allowed)
570	return; /* no masked permission */
571	masked = ~lo_avd.allowed & avd->allowed;
572	}
573		539
574	if (masked) {
575	/* mask violated permissions */	540	/* mask violated permissions */
576	avd->allowed &= ~masked;	541	avd->allowed &= ~masked;
577		542