Commit ccf17cc4 authored by Paul Moore's avatar Paul Moore Committed by Eric Paris

selinux: cleanup and consolidate the XFRM alloc/clone/delete/free code

The SELinux labeled IPsec code state management functions have been
long neglected and could use some cleanup and consolidation.
Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent 2e5aa866
...@@ -121,6 +121,33 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp, ...@@ -121,6 +121,33 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
return rc; return rc;
} }
/*
* Free the xfrm_sec_ctx structure.
*/
static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
{
if (!ctx)
return;
atomic_dec(&selinux_xfrm_refcount);
kfree(ctx);
}
/*
* Authorize the deletion of a labeled SA or policy rule.
*/
static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
{
const struct task_security_struct *tsec = current_security();
if (!ctx)
return 0;
return avc_has_perm(tsec->sid, ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
NULL);
}
/* /*
* LSM hook implementation that authorizes that a flow can use * LSM hook implementation that authorizes that a flow can use
* a xfrm policy rule. * a xfrm policy rule.
...@@ -258,17 +285,16 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, ...@@ -258,17 +285,16 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
{ {
struct xfrm_sec_ctx *new_ctx; struct xfrm_sec_ctx *new_ctx;
if (old_ctx) { if (!old_ctx)
new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, return 0;
GFP_ATOMIC);
if (!new_ctx) new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, GFP_ATOMIC);
return -ENOMEM; if (!new_ctx)
return -ENOMEM;
memcpy(new_ctx, old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len);
atomic_inc(&selinux_xfrm_refcount);
*new_ctxp = new_ctx;
memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
atomic_inc(&selinux_xfrm_refcount);
*new_ctxp = new_ctx;
}
return 0; return 0;
} }
...@@ -277,8 +303,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, ...@@ -277,8 +303,7 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
*/ */
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{ {
atomic_dec(&selinux_xfrm_refcount); selinux_xfrm_free(ctx);
kfree(ctx);
} }
/* /*
...@@ -286,14 +311,7 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx) ...@@ -286,14 +311,7 @@ void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
*/ */
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{ {
const struct task_security_struct *tsec = current_security(); return selinux_xfrm_delete(ctx);
if (!ctx)
return 0;
return avc_has_perm(tsec->sid, ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
NULL);
} }
/* /*
...@@ -349,8 +367,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x, ...@@ -349,8 +367,7 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
*/ */
void selinux_xfrm_state_free(struct xfrm_state *x) void selinux_xfrm_state_free(struct xfrm_state *x)
{ {
atomic_dec(&selinux_xfrm_refcount); selinux_xfrm_free(x->security);
kfree(x->security);
} }
/* /*
...@@ -358,15 +375,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x) ...@@ -358,15 +375,7 @@ void selinux_xfrm_state_free(struct xfrm_state *x)
*/ */
int selinux_xfrm_state_delete(struct xfrm_state *x) int selinux_xfrm_state_delete(struct xfrm_state *x)
{ {
const struct task_security_struct *tsec = current_security(); return selinux_xfrm_delete(x->security);
struct xfrm_sec_ctx *ctx = x->security;
if (!ctx)
return 0;
return avc_has_perm(tsec->sid, ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
NULL);
} }
/* /*
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment