Loading security/selinux/xfrm.c +18 −36 Original line number Diff line number Diff line Loading @@ -155,42 +155,30 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) { int rc; u32 sel_sid; /* All flows should be treated as polmatch'ing an otherwise applicable * "non-labeled" policy. This would prevent inadvertent "leaks". */ if (!ctx) return 0; /* Context sid is either set to label or ANY_ASSOC */ if (ctx) { if (!selinux_authorizable_ctx(ctx)) return -EINVAL; sel_sid = ctx->ctx_sid; } else /* * All flows should be treated as polmatch'ing an * otherwise applicable "non-labeled" policy. This * would prevent inadvertent "leaks". */ return 0; rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL); if (rc == -EACCES) return -ESRCH; return rc; rc = avc_has_perm(fl_secid, ctx->ctx_sid, SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL); return (rc == -EACCES ? -ESRCH : rc); } /* * LSM hook implementation that authorizes that a state matches * the given policy, flow combo. */ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, const struct flowi *fl) { u32 state_sid; int rc; if (!xp->security) if (x->security) Loading 
@@ -213,18 +201,12 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy * if (fl->flowi_secid != state_sid) return 0; rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, NULL)? 0:1; /* * We don't need a separate SA Vs. policy polmatch check * since the SA is now of the same label as the flow and * a flow Vs. policy polmatch check had already happened * in selinux_xfrm_policy_lookup() above. */ return rc; /* We don't need a separate SA Vs. policy polmatch check since the SA * is now of the same label as the flow and a flow Vs. policy polmatch * check had already happened in selinux_xfrm_policy_lookup() above. */ return (avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, NULL) ? 0 : 1); } /* Loading Loading
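Review bot: The `? 0 : 1` in the new return statement of selinux_xfrm_state_pol_flow_match() obscures the hook's contract: the caller receives 1 only when avc_has_perm() returns 0, and 0 for every non-zero result, so any error code other than a denial (should avc_has_perm() return one) is silently reported as "no match" — fail-closed, which is the right default for a policy check, but not evident from the expression. Writing it as `return avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, NULL) == 0;` reads as the boolean it is, and the comment above it could carry a final line such as `* Returns 1 if the flow may use this SA, 0 otherwise; any AVC error counts as no match.` so the collapse of errors is documented rather than implied. The same expression occurs in the duplicated rendering of this file section further down the page. The function's head and its xp->security/x->security branch begin in the first hunk and continue outside this one.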
security/selinux/xfrm.c +18 −36 Original line number Diff line number Diff line Loading @@ -155,42 +155,30 @@ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx) int selinux_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) { int rc; u32 sel_sid; /* All flows should be treated as polmatch'ing an otherwise applicable * "non-labeled" policy. This would prevent inadvertent "leaks". */ if (!ctx) return 0; /* Context sid is either set to label or ANY_ASSOC */ if (ctx) { if (!selinux_authorizable_ctx(ctx)) return -EINVAL; sel_sid = ctx->ctx_sid; } else /* * All flows should be treated as polmatch'ing an * otherwise applicable "non-labeled" policy. This * would prevent inadvertent "leaks". */ return 0; rc = avc_has_perm(fl_secid, sel_sid, SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL); if (rc == -EACCES) return -ESRCH; return rc; rc = avc_has_perm(fl_secid, ctx->ctx_sid, SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, NULL); return (rc == -EACCES ? -ESRCH : rc); } /* * LSM hook implementation that authorizes that a state matches * the given policy, flow combo. */ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, const struct flowi *fl) { u32 state_sid; int rc; if (!xp->security) if (x->security) Loading 
@@ -213,18 +201,12 @@ int selinux_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy * if (fl->flowi_secid != state_sid) return 0; rc = avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, NULL)? 0:1; /* * We don't need a separate SA Vs. policy polmatch check * since the SA is now of the same label as the flow and * a flow Vs. policy polmatch check had already happened * in selinux_xfrm_policy_lookup() above. */ return rc; /* We don't need a separate SA Vs. policy polmatch check since the SA * is now of the same label as the flow and a flow Vs. policy polmatch * check had already happened in selinux_xfrm_policy_lookup() above. */ return (avc_has_perm(fl->flowi_secid, state_sid, SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, NULL) ? 0 : 1); } /* Loading