selinux: cleanup selinux_xfrm_policy_lookup() and selinux_xfrm_state_pol_flow_match()
Do some basic simplification and comment reformatting. Signed-off-by: Paul Moore <pmoore@redhat.com> Signed-off-by: Eric Paris <eparis@redhat.com>
@@ -155,42 +155,30 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
|
|||||||
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
|
int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
|
||||||
{
|
{
|
||||||
int rc;
|
int rc;
|
||||||
u32 sel_sid;
|
|
||||||
|
|
||||||
/* Context sid is either set to label or ANY_ASSOC */
|
/* All flows should be treated as polmatch'ing an otherwise applicable
|
||||||
if (ctx) {
|
* "non-labeled" policy. This would prevent inadvertent "leaks". */
|
||||||
if (!selinux_authorizable_ctx(ctx))
|
if (!ctx)
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
sel_sid = ctx->ctx_sid;
|
|
||||||
} else
|
|
||||||
/*
|
|
||||||
* All flows should be treated as polmatch'ing an
|
|
||||||
* otherwise applicable "non-labeled" policy. This
|
|
||||||
* would prevent inadvertent "leaks".
|
|
||||||
*/
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION,
|
/* Context sid is either set to label or ANY_ASSOC */
|
||||||
ASSOCIATION__POLMATCH,
|
if (!selinux_authorizable_ctx(ctx))
|
||||||
NULL);
|
return -EINVAL;
|
||||||
|
|
||||||
if (rc == -EACCES)
|
rc = avc_has_perm(fl_secid, ctx->ctx_sid,
|
||||||
return -ESRCH;
|
SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL);
|
||||||
|
return (rc == -EACCES ? -ESRCH : rc);
|
||||||
return rc;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* LSM hook implementation that authorizes that a state matches
|
* LSM hook implementation that authorizes that a state matches
|
||||||
* the given policy, flow combo.
|
* the given policy, flow combo.
|
||||||
*/
|
*/
|
||||||
|
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x,
|
||||||
int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp,
|
struct xfrm_policy *xp,
|
||||||
const struct flowi *fl)
|
const struct flowi *fl)
|
||||||
{
|
{
|
||||||
u32 state_sid;
|
u32 state_sid;
|
||||||
int rc;
|
|
||||||
|
|
||||||
if (!xp->security)
|
if (!xp->security)
|
||||||
if (x->security)
|
if (x->security)
|
||||||
@@ -213,18 +201,12 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *
|
|||||||
if (fl->flowi_secid != state_sid)
|
if (fl->flowi_secid != state_sid)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION,
|
/* We don't need a separate SA Vs. policy polmatch check since the SA
|
||||||
ASSOCIATION__SENDTO,
|
* is now of the same label as the flow and a flow Vs. policy polmatch
|
||||||
NULL)? 0:1;
|
* check had already happened in selinux_xfrm_policy_lookup() above. */
|
||||||
|
return (avc_has_perm(fl->flowi_secid, state_sid,
|
||||||
/*
|
SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO,
|
||||||
* We don't need a separate SA Vs. policy polmatch check
|
NULL) ? 0 : 1);
|
||||||
* since the SA is now of the same label as the flow and
|
|
||||||
* a flow Vs. policy polmatch check had already happened
|
|
||||||
* in selinux_xfrm_policy_lookup() above.
|
|
||||||
*/
|
|
||||||
|
|
||||||
return rc;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
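Review bot: The rewritten return in selinux_xfrm_state_pol_flow_match, `return (avc_has_perm(...) ? 0 : 1);`, folds every non-zero result of avc_has_perm() — -EACCES and presumably any other error the AVC can return — into "no match" with the error value dropped, and the new three-line comment above it does not mention this. That is the same behaviour the removed `NULL)? 0:1;` expression had, so it is not a regression, but a reader comparing this hook with selinux_xfrm_policy_lookup (which keeps rc and maps only -EACCES to -ESRCH) could assume the same error propagation here. I would add one line directly above the return: `/* any avc_has_perm() failure, not only -EACCES, is reported as "no match" */`. The function's opening lines are in the earlier hunk, outside this one.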