Commit ccf17cc4 authored by Paul Moore's avatar Paul Moore Committed by Eric Paris
Browse files

selinux: cleanup and consolidate the XFRM alloc/clone/delete/free code 



The SELinux labeled IPsec code state management functions have been
long neglected and could use some cleanup and consolidation.

Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 2e5aa866

security/selinux/xfrm.c

+40 −31
Original line number Diff line number Diff line
@@ -121,6 +121,33 @@ err: 
	return rc;

}



/*

 * Free the xfrm_sec_ctx structure.

 */

static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)

{

	if (!ctx)

		return;



	atomic_dec(&selinux_xfrm_refcount);

	kfree(ctx);

}



/*

 * Authorize the deletion of a labeled SA or policy rule.

 */

static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)

{

	const struct task_security_struct *tsec = current_security();



	if (!ctx)

		return 0;



	return avc_has_perm(tsec->sid, ctx->ctx_sid,

			    SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,

			    NULL);

}



/*

 * LSM hook implementation that authorizes that a flow can use

 * a xfrm policy rule.
@@ -258,17 +285,16 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, 
{

	struct xfrm_sec_ctx *new_ctx;



	if (old_ctx) {

		new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,

				  GFP_ATOMIC);

	if (!old_ctx)

		return 0;



	new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, GFP_ATOMIC);

	if (!new_ctx)

		return -ENOMEM;



		memcpy(new_ctx, old_ctx, sizeof(*new_ctx));

		memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);

	memcpy(new_ctx, old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len);

	atomic_inc(&selinux_xfrm_refcount);

	*new_ctxp = new_ctx;

	}



	return 0;

}
@@ -277,8 +303,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, 
 */

void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)

{

	atomic_dec(&selinux_xfrm_refcount);

	kfree(ctx);

	selinux_xfrm_free(ctx);

}



/*
@@ -286,14 +311,7 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) 
 */

int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)

{

	const struct task_security_struct *tsec = current_security();



	if (!ctx)

		return 0;



	return avc_has_perm(tsec->sid, ctx->ctx_sid,

			    SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,

			    NULL);

	return selinux_xfrm_delete(ctx);

}



/*
@@ -349,8 +367,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, 
 */

void selinux_xfrm_state_free(struct xfrm_state *x)

{

	atomic_dec(&selinux_xfrm_refcount);

	kfree(x->security);

	selinux_xfrm_free(x->security);

}



 /*
@@ -358,15 +375,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x) 
  */

int selinux_xfrm_state_delete(struct xfrm_state *x)

{

	const struct task_security_struct *tsec = current_security();

	struct xfrm_sec_ctx *ctx = x->security;



	if (!ctx)

		return 0;



	return avc_has_perm(tsec->sid, ctx->ctx_sid,

			    SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,

			    NULL);

	return selinux_xfrm_delete(x->security);

}



/*

CRA Git | Maintained and supported by SUSTech CRA and CCSE