Message ID | 20200112154216.46992-1-yehs2007@zoho.com (mailing list archive) |
---|---|
State | New, archived |
Series | selinux: remove redundant selinux_nlmsg_perm | expand |
On 1/12/20 10:42 AM, Huaisheng Ye wrote:
> From: Huaisheng Ye <yehs1@lenovo.com>
>
> selinux_nlmsg_perm is used for only by selinux_netlink_send. Remove
> the redundant function to simplify the code.
>
> Signed-off-by: Huaisheng Ye <yehs1@lenovo.com>
The patch itself seems fine but it looks like someone accidentally put pig= in the log message when they meant pid=; that can be fixed via a separate patch.
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> security/selinux/hooks.c | 73 ++++++++++++++++++++++--------------------
> 1 file changed, 34 insertions(+), 39 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index fb1b9da..9f3f966 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -5507,44 +5507,6 @@ static int selinux_tun_dev_open(void *security)
> return 0;
> }
>
> -static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
> -{
> - int err = 0;
> - u32 perm;
> - struct nlmsghdr *nlh;
> - struct sk_security_struct *sksec = sk->sk_security;
> -
> - if (skb->len < NLMSG_HDRLEN) {
> - err = -EINVAL;
> - goto out;
> - }
> - nlh = nlmsg_hdr(skb);
> -
> - err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
> - if (err) {
> - if (err == -EINVAL) {
> - pr_warn_ratelimited("SELinux: unrecognized netlink"
> - " message: protocol=%hu nlmsg_type=%hu sclass=%s"
> - " pig=%d comm=%s\n",
> - sk->sk_protocol, nlh->nlmsg_type,
> - secclass_map[sksec->sclass - 1].name,
> - task_pid_nr(current), current->comm);
> - if (!enforcing_enabled(&selinux_state) ||
> - security_get_allow_unknown(&selinux_state))
> - err = 0;
> - }
> -
> - /* Ignore */
> - if (err == -ENOENT)
> - err = 0;
> - goto out;
> - }
> -
> - err = sock_has_perm(sk, perm);
> -out:
> - return err;
> -}
> -
> #ifdef CONFIG_NETFILTER
>
> static unsigned int selinux_ip_forward(struct sk_buff *skb,
> @@ -5873,7 +5835,40 @@ static unsigned int selinux_ipv6_postroute(void *priv,
>
> static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
> {
> - return selinux_nlmsg_perm(sk, skb);
> + int err = 0;
> + u32 perm;
> + struct nlmsghdr *nlh;
> + struct sk_security_struct *sksec = sk->sk_security;
> +
> + if (skb->len < NLMSG_HDRLEN) {
> + err = -EINVAL;
> + goto out;
> + }
> + nlh = nlmsg_hdr(skb);
> +
> + err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
> + if (err) {
> + if (err == -EINVAL) {
> + pr_warn_ratelimited("SELinux: unrecognized netlink"
> + " message: protocol=%hu nlmsg_type=%hu sclass=%s"
> + " pig=%d comm=%s\n",
> + sk->sk_protocol, nlh->nlmsg_type,
> + secclass_map[sksec->sclass - 1].name,
> + task_pid_nr(current), current->comm);
> + if (!enforcing_enabled(&selinux_state) ||
> + security_get_allow_unknown(&selinux_state))
> + err = 0;
> + }
> +
> + /* Ignore */
> + if (err == -ENOENT)
> + err = 0;
> + goto out;
> + }
> +
> + err = sock_has_perm(sk, perm);
> +out:
> + return err;
> }
>
> static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
>
> -----Original Message----- > From: Stephen Smalley <sds@tycho.nsa.gov> > Sent: Monday, January 13, 2020 9:47 PM > > On 1/12/20 10:42 AM, Huaisheng Ye wrote: > > From: Huaisheng Ye <yehs1@lenovo.com> > > > > selinux_nlmsg_perm is used for only by selinux_netlink_send. Remove > > the redundant function to simplify the code. > > > > Signed-off-by: Huaisheng Ye <yehs1@lenovo.com> > > The patch itself seems fine but it looks like someone accidentally put pig= in > the log message when they meant pid=; that can be fixed via a separate patch. > > Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Thanks for the Acked-by. Aha, yes it is. I will send patch v2 to fix this typo. Cheers, Huaisheng Ye
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index fb1b9da..9f3f966 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5507,44 +5507,6 @@ static int selinux_tun_dev_open(void *security)
 return 0;
 }
-static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
-{
- int err = 0;
- u32 perm;
- struct nlmsghdr *nlh;
- struct sk_security_struct *sksec = sk->sk_security;
-
- if (skb->len < NLMSG_HDRLEN) {
- err = -EINVAL;
- goto out;
- }
- nlh = nlmsg_hdr(skb);
-
- err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
- if (err) {
- if (err == -EINVAL) {
- pr_warn_ratelimited("SELinux: unrecognized netlink"
- " message: protocol=%hu nlmsg_type=%hu sclass=%s"
- " pig=%d comm=%s\n",
- sk->sk_protocol, nlh->nlmsg_type,
- secclass_map[sksec->sclass - 1].name,
- task_pid_nr(current), current->comm);
- if (!enforcing_enabled(&selinux_state) ||
- security_get_allow_unknown(&selinux_state))
- err = 0;
- }
-
- /* Ignore */
- if (err == -ENOENT)
- err = 0;
- goto out;
- }
-
- err = sock_has_perm(sk, perm);
-out:
- return err;
-}
-
 #ifdef CONFIG_NETFILTER
 static unsigned int selinux_ip_forward(struct sk_buff *skb,
@@ -5873,7 +5835,40 @@ static unsigned int selinux_ipv6_postroute(void *priv,
 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
 {
- return selinux_nlmsg_perm(sk, skb);
+ int err = 0;
+ u32 perm;
+ struct nlmsghdr *nlh;
+ struct sk_security_struct *sksec = sk->sk_security;
+
+ if (skb->len < NLMSG_HDRLEN) {
+ err = -EINVAL;
+ goto out;
+ }
+ nlh = nlmsg_hdr(skb);
+
+ err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
+ if (err) {
+ if (err == -EINVAL) {
+ pr_warn_ratelimited("SELinux: unrecognized netlink"
+ " message: protocol=%hu nlmsg_type=%hu sclass=%s"
+ " pig=%d comm=%s\n",
+ sk->sk_protocol, nlh->nlmsg_type,
+ secclass_map[sksec->sclass - 1].name,
+ task_pid_nr(current), current->comm);
+ if (!enforcing_enabled(&selinux_state) ||
+ security_get_allow_unknown(&selinux_state))
+ err = 0;
+ }
+
+ /* Ignore */
+ if (err == -ENOENT)
+ err = 0;
+ goto out;
+ }
+
+ err = sock_has_perm(sk, perm);
+out:
+ return err;
 }
 static void ipc_init_security(struct ipc_security_struct *isec, u16 sclass)
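Review bot: The permission check in the new selinux_netlink_send body reads nlmsg_hdr(skb) exactly once, so if an skb carries several netlink messages back to back only the first nlmsg_type is looked up and passed to sock_has_perm(), and every message after it reaches the receiver without a SELinux decision. Walking each header with nlmsg_ok()/nlmsg_next() and repeating the lookup and check per message closes that gap, keeping the -EINVAL relaxation and the -ENOENT skip per message so single-message skbs behave exactly as before. Whether a malformed header after the first should fail the send with -EINVAL or merely end the walk depends on how consistently in-kernel senders fill nlmsg_len, which is not visible here and is worth confirming before rejecting. The same body appears in the quoted copy of this hunk earlier on the page; selinux_netlink_send starts and ends inside the hunk.
```c
static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
{
	int err = 0;
	int remaining = skb->len;
	u32 perm;
	struct nlmsghdr *nlh;
	struct sk_security_struct *sksec = sk->sk_security;

	if (skb->len < NLMSG_HDRLEN)
		return -EINVAL;

	/* An skb may carry several netlink messages back to back; each of
	 * them has to pass the lookup and sock_has_perm(), not only the first. */
	for (nlh = nlmsg_hdr(skb); remaining >= NLMSG_HDRLEN;
	     nlh = nlmsg_next(nlh, &remaining)) {
		if (!nlmsg_ok(nlh, remaining))
			return -EINVAL;

		err = selinux_nlmsg_lookup(sksec->sclass, nlh->nlmsg_type, &perm);
		if (err == -EINVAL) {
			/* … unchanged: pr_warn_ratelimited() and the
			 * enforcing/allow_unknown relaxation of err … */
			if (err)
				return err;
			continue;	/* unknown type tolerated for this message */
		}
		if (err == -ENOENT)
			continue;	/* Ignore */
		if (err)
			return err;

		err = sock_has_perm(sk, perm);
		if (err)
			return err;
	}

	return 0;
}
```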