mirror of
https://github.com/FEX-Emu/linux.git
synced 2024-12-16 14:02:10 +00:00
selinux: cleanup and consolidate the XFRM alloc/clone/delete/free code
The SELinux labeled IPsec code state management functions have been long neglected and could use some cleanup and consolidation. Signed-off-by: Paul Moore <pmoore@redhat.com> Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
parent
2e5aa86609
commit
ccf17cc4b8
@ -121,6 +121,33 @@ err:
|
|||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Free the xfrm_sec_ctx structure.
|
||||||
|
*/
|
||||||
|
static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
|
||||||
|
{
|
||||||
|
if (!ctx)
|
||||||
|
return;
|
||||||
|
|
||||||
|
atomic_dec(&selinux_xfrm_refcount);
|
||||||
|
kfree(ctx);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Authorize the deletion of a labeled SA or policy rule.
|
||||||
|
*/
|
||||||
|
static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
|
||||||
|
{
|
||||||
|
const struct task_security_struct *tsec = current_security();
|
||||||
|
|
||||||
|
if (!ctx)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
return avc_has_perm(tsec->sid, ctx->ctx_sid,
|
||||||
|
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
|
||||||
|
NULL);
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* LSM hook implementation that authorizes that a flow can use
|
* LSM hook implementation that authorizes that a flow can use
|
||||||
* a xfrm policy rule.
|
* a xfrm policy rule.
|
||||||
@ -258,17 +285,16 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
|
|||||||
{
|
{
|
||||||
struct xfrm_sec_ctx *new_ctx;
|
struct xfrm_sec_ctx *new_ctx;
|
||||||
|
|
||||||
if (old_ctx) {
|
if (!old_ctx)
|
||||||
new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
|
return 0;
|
||||||
GFP_ATOMIC);
|
|
||||||
if (!new_ctx)
|
new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, GFP_ATOMIC);
|
||||||
return -ENOMEM;
|
if (!new_ctx)
|
||||||
|
return -ENOMEM;
|
||||||
|
memcpy(new_ctx, old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len);
|
||||||
|
atomic_inc(&selinux_xfrm_refcount);
|
||||||
|
*new_ctxp = new_ctx;
|
||||||
|
|
||||||
memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
|
|
||||||
memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
|
|
||||||
atomic_inc(&selinux_xfrm_refcount);
|
|
||||||
*new_ctxp = new_ctx;
|
|
||||||
}
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -277,8 +303,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
|
|||||||
*/
|
*/
|
||||||
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
|
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
|
||||||
{
|
{
|
||||||
atomic_dec(&selinux_xfrm_refcount);
|
selinux_xfrm_free(ctx);
|
||||||
kfree(ctx);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -286,14 +311,7 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
|
|||||||
*/
|
*/
|
||||||
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
|
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
|
||||||
{
|
{
|
||||||
const struct task_security_struct *tsec = current_security();
|
return selinux_xfrm_delete(ctx);
|
||||||
|
|
||||||
if (!ctx)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
return avc_has_perm(tsec->sid, ctx->ctx_sid,
|
|
||||||
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
|
|
||||||
NULL);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -349,8 +367,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
|
|||||||
*/
|
*/
|
||||||
void selinux_xfrm_state_free(struct xfrm_state *x)
|
void selinux_xfrm_state_free(struct xfrm_state *x)
|
||||||
{
|
{
|
||||||
atomic_dec(&selinux_xfrm_refcount);
|
selinux_xfrm_free(x->security);
|
||||||
kfree(x->security);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -358,15 +375,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
|
|||||||
*/
|
*/
|
||||||
int selinux_xfrm_state_delete(struct xfrm_state *x)
|
int selinux_xfrm_state_delete(struct xfrm_state *x)
|
||||||
{
|
{
|
||||||
const struct task_security_struct *tsec = current_security();
|
return selinux_xfrm_delete(x->security);
|
||||||
struct xfrm_sec_ctx *ctx = x->security;
|
|
||||||
|
|
||||||
if (!ctx)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
return avc_has_perm(tsec->sid, ctx->ctx_sid,
|
|
||||||
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
|
|
||||||
NULL);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
Loading…
Reference in New Issue
Block a user