summaryrefslogtreecommitdiffstats
path: root/security/selinux/hooks.c
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2010-04-22 20:46:18 +0200
committerJames Morris <jmorris@namei.org>2010-08-02 07:34:37 +0200
commitd4f2d97841827cb876da8b607df05a3dab812416 (patch)
tree8d3128128f465e23dbfc5ee4ccc50d9bc489f7d7 /security/selinux/hooks.c
parentselinux: Set the peer label correctly on connected UNIX domain sockets (diff)
downloadlinux-d4f2d97841827cb876da8b607df05a3dab812416.tar.xz
linux-d4f2d97841827cb876da8b607df05a3dab812416.zip
selinux: Consolidate sockcreate_sid logic
Consolidate the basic sockcreate_sid logic into a single helper function which allows us to do some cleanups in the related code. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c32
1 files changed, 12 insertions, 20 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 190fd0ffb13e..2d94a406574e 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3671,6 +3671,12 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
}
/* socket security operations */
+
+static u32 socket_sockcreate_sid(const struct task_security_struct *tsec)
+{
+ return tsec->sockcreate_sid ? : tsec->sid;
+}
+
static int socket_has_perm(struct task_struct *task, struct socket *sock,
u32 perms)
{
@@ -3698,21 +3704,15 @@ static int selinux_socket_create(int family, int type,
{
const struct cred *cred = current_cred();
const struct task_security_struct *tsec = cred->security;
- u32 sid, newsid;
+ u32 newsid;
u16 secclass;
- int err = 0;
if (kern)
- goto out;
-
- sid = tsec->sid;
- newsid = tsec->sockcreate_sid ?: sid;
+ return 0;
+ newsid = socket_sockcreate_sid(tsec);
secclass = socket_type_to_security_class(family, type, protocol);
- err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
-
-out:
- return err;
+ return avc_has_perm(tsec->sid, newsid, secclass, SOCKET__CREATE, NULL);
}
static int selinux_socket_post_create(struct socket *sock, int family,
@@ -3720,22 +3720,14 @@ static int selinux_socket_post_create(struct socket *sock, int family,
{
const struct cred *cred = current_cred();
const struct task_security_struct *tsec = cred->security;
- struct inode_security_struct *isec;
+ struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
struct sk_security_struct *sksec;
- u32 sid, newsid;
int err = 0;
- sid = tsec->sid;
- newsid = tsec->sockcreate_sid;
-
- isec = SOCK_INODE(sock)->i_security;
-
if (kern)
isec->sid = SECINITSID_KERNEL;
- else if (newsid)
- isec->sid = newsid;
else
- isec->sid = sid;
+ isec->sid = socket_sockcreate_sid(tsec);
isec->sclass = socket_type_to_security_class(family, type, protocol);
isec->initialized = 1;