* [PATCH 2/2] selinux: make more use of current_sid()
@ 2024-03-15 17:31 Christian Göttsche
From: Christian Göttsche @ 2024-03-15 17:31 UTC (permalink / raw
To: selinux; +Cc: Paul Moore, Stephen Smalley, Ondrej Mosnacek, linux-kernel
Use the internal helper current_sid() where applicable.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
security/selinux/hooks.c | 22 ++++++----------------
security/selinux/xfrm.c | 7 ++-----
2 files changed, 8 insertions(+), 21 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index f9a61ff64b83..9c41dc9eb0a0 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2961,7 +2961,7 @@ static int selinux_inode_init_security_anon(struct inode *inode,
const struct qstr *name,
const struct inode *context_inode)
{
- const struct task_security_struct *tsec = selinux_cred(current_cred());
+ u32 sid = current_sid();
struct common_audit_data ad;
struct inode_security_struct *isec;
int rc;
@@ -2990,7 +2990,7 @@ static int selinux_inode_init_security_anon(struct inode *inode,
} else {
isec->sclass = SECCLASS_ANON_INODE;
rc = security_transition_sid(
- tsec->sid, tsec->sid,
+ sid, sid,
isec->sclass, name, &isec->sid);
if (rc)
return rc;
@@ -3005,7 +3005,7 @@ static int selinux_inode_init_security_anon(struct inode *inode,
ad.type = LSM_AUDIT_DATA_ANONINODE;
ad.u.anonclass = name ? (const char *)name->name : "?";
- return avc_has_perm(tsec->sid,
+ return avc_has_perm(sid,
isec->sid,
isec->sclass,
FILE__CREATE,
@@ -3063,14 +3063,12 @@ static int selinux_inode_readlink(struct dentry *dentry)
static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
bool rcu)
{
- const struct cred *cred = current_cred();
struct common_audit_data ad;
struct inode_security_struct *isec;
- u32 sid;
+ u32 sid = current_sid();
ad.type = LSM_AUDIT_DATA_DENTRY;
ad.u.dentry = dentry;
- sid = cred_sid(cred);
isec = inode_security_rcu(inode, rcu);
if (IS_ERR(isec))
return PTR_ERR(isec);
@@ -3094,12 +3092,11 @@ static noinline int audit_inode_permission(struct inode *inode,
static int selinux_inode_permission(struct inode *inode, int mask)
{
- const struct cred *cred = current_cred();
u32 perms;
bool from_access;
bool no_block = mask & MAY_NOT_BLOCK;
struct inode_security_struct *isec;
- u32 sid;
+ u32 sid = current_sid();
struct av_decision avd;
int rc, rc2;
u32 audited, denied;
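Review bot: `u32 sid = current_sid();` at the top of selinux_inode_permission resolves the caller's SID on every entry, whereas the assignment removed in the following hunk sat about twenty lines further down (old line 3117 vs. the declarations at 3094), so any early return between those two points — not visible in this hunk — now performs the lookup as well. current_sid() is only a few pointer loads, so the cost is negligible, but it is the one place in this series where the evaluation point moves earlier rather than later and a sentence in the commit message saying this is intended would help reviewers. The function body continues past the end of this hunk.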
@@ -3116,7 +3113,6 @@ static int selinux_inode_permission(struct inode *inode, int mask)
perms = file_mask_to_av(inode->i_mode, mask);
- sid = cred_sid(cred);
isec = inode_security_rcu(inode, no_block);
if (IS_ERR(isec))
return PTR_ERR(isec);
@@ -5563,13 +5559,7 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
static int selinux_secmark_relabel_packet(u32 sid)
{
- const struct task_security_struct *tsec;
- u32 tsid;
-
- tsec = selinux_cred(current_cred());
- tsid = tsec->sid;
-
- return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
+ return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO,
NULL);
}
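Review bot: selinux_secmark_relabel_packet collapses to a single avc_has_perm() call, but nothing in the function says which way the check runs: the caller's SID from current_sid() is the subject and the `sid` parameter is presumably the label being applied to the packet, checked for PACKET__RELABELTO. A one-line comment above the return, `/* may the current task relabel a packet to @sid? */`, would spare the next reader a trip to the permission definitions. The whole function is visible in this hunk.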
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 95fcd2d3433e..90ec4ef1b082 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -76,7 +76,6 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
gfp_t gfp)
{
int rc;
- const struct task_security_struct *tsec = selinux_cred(current_cred());
struct xfrm_sec_ctx *ctx = NULL;
u32 str_len;
@@ -103,7 +102,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
if (rc)
goto err;
- rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
+ rc = avc_has_perm(current_sid(), ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
if (rc)
goto err;
@@ -134,12 +133,10 @@ static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
*/
static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
{
- const struct task_security_struct *tsec = selinux_cred(current_cred());
-
if (!ctx)
return 0;
- return avc_has_perm(tsec->sid, ctx->ctx_sid,
+ return avc_has_perm(current_sid(), ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
NULL);
}
--
2.43.0
* [PATCH 1/2] selinux: avoid identifier using reserved name
From: Christian Göttsche @ 2024-03-15 17:31 UTC (permalink / raw
To: selinux; +Cc: Paul Moore, Stephen Smalley, Ondrej Mosnacek, linux-kernel
Avoid using an identifier starting with double underscores, which
signals a reserved identifier.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
security/selinux/hooks.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a0fde0641f77..f9a61ff64b83 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6347,16 +6347,16 @@ static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
char **value)
{
- const struct task_security_struct *__tsec;
+ const struct task_security_struct *tsec;
u32 sid;
int error;
unsigned len;
rcu_read_lock();
- __tsec = selinux_cred(__task_cred(p));
+ tsec = selinux_cred(__task_cred(p));
if (current != p) {
- error = avc_has_perm(current_sid(), __tsec->sid,
+ error = avc_has_perm(current_sid(), tsec->sid,
SECCLASS_PROCESS, PROCESS__GETATTR, NULL);
if (error)
goto bad;
@@ -6364,22 +6364,22 @@ static int selinux_lsm_getattr(unsigned int attr, struct task_struct *p,
switch (attr) {
case LSM_ATTR_CURRENT:
- sid = __tsec->sid;
+ sid = tsec->sid;
break;
case LSM_ATTR_PREV:
- sid = __tsec->osid;
+ sid = tsec->osid;
break;
case LSM_ATTR_EXEC:
- sid = __tsec->exec_sid;
+ sid = tsec->exec_sid;
break;
case LSM_ATTR_FSCREATE:
- sid = __tsec->create_sid;
+ sid = tsec->create_sid;
break;
case LSM_ATTR_KEYCREATE:
- sid = __tsec->keycreate_sid;
+ sid = tsec->keycreate_sid;
break;
case LSM_ATTR_SOCKCREATE:
- sid = __tsec->sockcreate_sid;
+ sid = tsec->sockcreate_sid;
break;
default:
error = -EOPNOTSUPP;
--
2.43.0
* Re: [PATCH 1/2] selinux: avoid identifier using reserved name
From: Paul Moore @ 2024-03-26 20:39 UTC (permalink / raw
To: Christian Göttsche
Cc: selinux, Stephen Smalley, Ondrej Mosnacek, linux-kernel
On Fri, Mar 15, 2024 at 1:31 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Avoid using an identifier starting with double underscores, which
> signals a reserved identifier.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> security/selinux/hooks.c | 18 +++++++++---------
> 1 file changed, 9 insertions(+), 9 deletions(-)
Thank you for the patch, but this was addressed by the patch below
which was posted on February 23rd.
https://lore.kernel.org/selinux/20240223212640.305789-2-paul@paul-moore.com
--
paul-moore.com
* Re: [PATCH 2/2] selinux: make more use of current_sid()
From: Paul Moore @ 2024-03-27 22:25 UTC (permalink / raw
To: Christian Göttsche, selinux
Cc: Stephen Smalley, Ondrej Mosnacek, linux-kernel
On Mar 15, 2024 =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com> wrote:
>
> Use the internal helper current_sid() where applicable.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
> security/selinux/hooks.c | 22 ++++++----------------
> security/selinux/xfrm.c | 7 ++-----
> 2 files changed, 8 insertions(+), 21 deletions(-)
Merged into selinux/dev, thanks.
--
paul-moore.com