| Message ID | 20200116120439.303034-7-omosnace@redhat.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | selinux: Assorted simplifications and cleanups | expand |
On 1/16/20 7:04 AM, Ondrej Mosnacek wrote: > Both callers iterate the cond_list and call it for each node - turn it > into evaluate_cond_nodes(), which does the iteration for them. > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > security/selinux/ss/conditional.c | 10 +++++++++- > security/selinux/ss/conditional.h | 2 +- > security/selinux/ss/services.c | 6 ++---- > 3 files changed, 12 insertions(+), 6 deletions(-) > > diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c > index 8f9f2f3c86a0..ad709ccea036 100644 > --- a/security/selinux/ss/conditional.c > +++ b/security/selinux/ss/conditional.c > @@ -86,7 +86,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr) > * list appropriately. If the result of the expression is undefined > * all of the rules are disabled for safety. > */ > -void evaluate_cond_node(struct policydb *p, struct cond_node *node) > +static void evaluate_cond_node(struct policydb *p, struct cond_node *node) > { > struct avtab_node *avnode; > int new_state; > @@ -117,6 +117,14 @@ void evaluate_cond_node(struct policydb *p, struct cond_node *node) > } > } > > +void evaluate_cond_nodes(struct policydb *p) > +{ > + u32 i; > + > + for (i = 0; i < p->cond_list_len; i++) > + evaluate_cond_node(p, &p->cond_list[i]); > +} > + > int cond_policydb_init(struct policydb *p) > { > int rc; > diff --git a/security/selinux/ss/conditional.h b/security/selinux/ss/conditional.h > index 4677c6ff7450..b9eb888ffa76 100644 > --- a/security/selinux/ss/conditional.h > +++ b/security/selinux/ss/conditional.h > @@ -78,6 +78,6 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, > struct av_decision *avd, struct extended_perms *xperms); > void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key, > struct extended_perms_decision *xpermd); > -void evaluate_cond_node(struct policydb *p, struct cond_node *node); > +void evaluate_cond_nodes(struct policydb *p); > > #endif /* _CONDITIONAL_H_ */ > diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c > index b0f71afcf4b8..887331a0cc3c 100644 > --- a/security/selinux/ss/services.c > +++ b/security/selinux/ss/services.c > @@ -2954,8 +2954,7 @@ int security_set_bools(struct selinux_state *state, u32 len, int *values) > policydb->bool_val_to_struct[i]->state = 0; > } > > - for (i = 0; i < policydb->cond_list_len; i++) > - evaluate_cond_node(policydb, &policydb->cond_list[i]); > + evaluate_cond_nodes(policydb); > > seqno = ++state->ss->latest_granting; > rc = 0; > @@ -3006,8 +3005,7 @@ static void security_preserve_bools(struct policydb *oldpolicydb, > if (booldatum) > booldatum->state = value; > } > - for (i = 0; i < newpolicydb->cond_list_len; i++) > - evaluate_cond_node(newpolicydb, &newpolicydb->cond_list[i]); > + evaluate_cond_nodes(newpolicydb); > } > > /* >
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c index 8f9f2f3c86a0..ad709ccea036 100644 --- a/security/selinux/ss/conditional.c +++ b/security/selinux/ss/conditional.c @@ -86,7 +86,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr) * list appropriately. If the result of the expression is undefined * all of the rules are disabled for safety. */ -void evaluate_cond_node(struct policydb *p, struct cond_node *node) +static void evaluate_cond_node(struct policydb *p, struct cond_node *node) { struct avtab_node *avnode; int new_state; @@ -117,6 +117,14 @@ void evaluate_cond_node(struct policydb *p, struct cond_node *node) } } +void evaluate_cond_nodes(struct policydb *p) +{ + u32 i; + + for (i = 0; i < p->cond_list_len; i++) + evaluate_cond_node(p, &p->cond_list[i]); +} + int cond_policydb_init(struct policydb *p) { int rc; diff --git a/security/selinux/ss/conditional.h b/security/selinux/ss/conditional.h index 4677c6ff7450..b9eb888ffa76 100644 --- a/security/selinux/ss/conditional.h +++ b/security/selinux/ss/conditional.h @@ -78,6 +78,6 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key, struct av_decision *avd, struct extended_perms *xperms); void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key, struct extended_perms_decision *xpermd); -void evaluate_cond_node(struct policydb *p, struct cond_node *node); +void evaluate_cond_nodes(struct policydb *p); #endif /* _CONDITIONAL_H_ */ diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index b0f71afcf4b8..887331a0cc3c 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2954,8 +2954,7 @@ int security_set_bools(struct selinux_state *state, u32 len, int *values) policydb->bool_val_to_struct[i]->state = 0; } - for (i = 0; i < policydb->cond_list_len; i++) - evaluate_cond_node(policydb, &policydb->cond_list[i]); + evaluate_cond_nodes(policydb); seqno = ++state->ss->latest_granting; rc = 0; @@ -3006,8 +3005,7 @@ static void security_preserve_bools(struct policydb *oldpolicydb, if (booldatum) booldatum->state = value; } - for (i = 0; i < newpolicydb->cond_list_len; i++) - evaluate_cond_node(newpolicydb, &newpolicydb->cond_list[i]); + evaluate_cond_nodes(newpolicydb); } /*
Both callers iterate the cond_list and call it for each node - turn it into evaluate_cond_nodes(), which does the iteration for them. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- security/selinux/ss/conditional.c | 10 +++++++++- security/selinux/ss/conditional.h | 2 +- security/selinux/ss/services.c | 6 ++---- 3 files changed, 12 insertions(+), 6 deletions(-)