Skip to content

Commit

Permalink
selinux: cleanup and consolidate the XFRM alloc/clone/delete/free code
Browse files Browse the repository at this point in the history
The SELinux labeled IPsec code state management functions have been
long neglected and could use some cleanup and consolidation.

Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
  • Loading branch information
Paul Moore authored and Eric Paris committed Jul 25, 2013
1 parent 2e5aa86 commit ccf17cc
Showing 1 changed file with 40 additions and 31 deletions.
71 changes: 40 additions & 31 deletions security/selinux/xfrm.c
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,33 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
return rc;
}

/*
* Free the xfrm_sec_ctx structure.
*/
static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
{
if (!ctx)
return;

atomic_dec(&selinux_xfrm_refcount);
kfree(ctx);
}

/*
* Authorize the deletion of a labeled SA or policy rule.
*/
static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
{
const struct task_security_struct *tsec = current_security();

if (!ctx)
return 0;

return avc_has_perm(tsec->sid, ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
NULL);
}

/*
* LSM hook implementation that authorizes that a flow can use
* a xfrm policy rule.
Expand Down Expand Up @@ -258,17 +285,16 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
{
struct xfrm_sec_ctx *new_ctx;

if (old_ctx) {
new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len,
GFP_ATOMIC);
if (!new_ctx)
return -ENOMEM;
if (!old_ctx)
return 0;

new_ctx = kmalloc(sizeof(*old_ctx) + old_ctx->ctx_len, GFP_ATOMIC);
if (!new_ctx)
return -ENOMEM;
memcpy(new_ctx, old_ctx, sizeof(*old_ctx) + old_ctx->ctx_len);
atomic_inc(&selinux_xfrm_refcount);
*new_ctxp = new_ctx;

memcpy(new_ctx, old_ctx, sizeof(*new_ctx));
memcpy(new_ctx->ctx_str, old_ctx->ctx_str, new_ctx->ctx_len);
atomic_inc(&selinux_xfrm_refcount);
*new_ctxp = new_ctx;
}
return 0;
}

Expand All @@ -277,23 +303,15 @@ int selinux_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
*/
void selinux_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
atomic_dec(&selinux_xfrm_refcount);
kfree(ctx);
selinux_xfrm_free(ctx);
}

/*
* LSM hook implementation that authorizes deletion of labeled policies.
*/
int selinux_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
const struct task_security_struct *tsec = current_security();

if (!ctx)
return 0;

return avc_has_perm(tsec->sid, ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
NULL);
return selinux_xfrm_delete(ctx);
}

/*
Expand Down Expand Up @@ -349,24 +367,15 @@ int selinux_xfrm_state_alloc_acquire(struct xfrm_state *x,
*/
void selinux_xfrm_state_free(struct xfrm_state *x)
{
atomic_dec(&selinux_xfrm_refcount);
kfree(x->security);
selinux_xfrm_free(x->security);
}

/*
* LSM hook implementation that authorizes deletion of labeled SAs.
*/
int selinux_xfrm_state_delete(struct xfrm_state *x)
{
const struct task_security_struct *tsec = current_security();
struct xfrm_sec_ctx *ctx = x->security;

if (!ctx)
return 0;

return avc_has_perm(tsec->sid, ctx->ctx_sid,
SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
NULL);
return selinux_xfrm_delete(x->security);
}

/*
Expand Down

0 comments on commit ccf17cc

Please sign in to comment.