[PATCH] selinux: remove redundant selinux_nlmsg_perm
Stephen Smalley
sds at tycho.nsa.gov
Mon Jan 13 13:47:00 UTC 2020
On 1/12/20 10:42 AM, Huaisheng Ye wrote:
> From: Huaisheng Ye <yehs1 at lenovo.com>
>
> selinux_nlmsg_perm is used for only by selinux_netlink_send. Remove
> the redundant function to simplify the code.
>
> Signed-off-by: Huaisheng Ye <yehs1 at lenovo.com>
The patch itself seems fine but it looks like someone accidentally put
pig= in the log message when they meant pid=; that can be fixed via a
separate patch.
Acked-by: Stephen Smalley <sds at tycho.nsa.gov>
> ---
> security/selinux/hooks.c | 73 ++++++++++++++++++++++--------------------------
> 1 file changed, 34 insertions(+), 39 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index fb1b9da..9f3f966 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5507,44 +5507,6 @@ static int selinux_tun_dev_open(void *security)
> return 0;
> }
>
> -static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
> -{
> - int err = 0;
> - u32 perm;
> - struct nlmsghdr *nlh;
> - struct sk_security_struct *sksec = sk->sk_security;
> -
> - if (skb->len < NLMSG_HDRLEN) {
> - err = -EINVAL;
> - goto out;
> - }
> - nlh = nlmsg_hdr(skb);
> -
> - err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
> - if (err) {
> - if (err == -EINVAL) {
> - pr_warn_ratelimited("SELinux: unrecognized netlink"
> - " message: protocol=%hu nlmsg_type=%hu sclass=%s"
> - " pig=%d comm=%s\n",
> - sk->sk_protocol, nlh->nlmsg_type,
> - secclass_map[sksec->sclass - 1].name,
> - task_pid_nr(current), current->comm);
> - if (!enforcing_enabled(&selinux_state) ||
> - security_get_allow_unknown(&selinux_state))
> - err = 0;
> - }
> -
> - /* Ignore */
> - if (err == -ENOENT)
> - err = 0;
> - goto out;
> - }
> -
> - err = sock_has_perm(sk, perm);
> -out:
> - return err;
> -}
> -
> #ifdef CONFIG_NETFILTER
>
> static unsigned int selinux_ip_forward(struct sk_buff *skb,
> @@ -5873,7 +5835,40 @@ static unsigned int selinux_ipv6_postroute(void *priv,
>
> static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
> {
> - return selinux_nlmsg_perm(sk, skb);
> + int err = 0;
> + u32 perm;
> + struct nlmsghdr *nlh;
> + struct sk_security_struct *sksec = sk->sk_security;
> +
> + if (skb->len < NLMSG_HDRLEN) {
> + err = -EINVAL;
> + goto out;
> + }
> + nlh = nlmsg_hdr(skb);
> +
> + err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
> + if (err) {
> + if (err == -EINVAL) {
> + pr_warn_ratelimited("SELinux: unrecognized netlink"
> + " message: protocol=%hu nlmsg_type=%hu sclass=%s"
> + " pig=%d comm=%s\n",
> + sk->sk_protocol, nlh->nlmsg_type,
> + secclass_map[sksec->sclass - 1].name,
> + task_pid_nr(current), current->comm);
> + if (!enforcing_enabled(&selinux_state) ||
> + security_get_allow_unknown(&selinux_state))
> + err = 0;
> + }
> +
> + /* Ignore */
> + if (err == -ENOENT)
> + err = 0;
> + goto out;
> + }
> +
> + err = sock_has_perm(sk, perm);
> +out:
> + return err;
> }
>
> static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
>
More information about the Linux-security-module-archive
mailing list