
selinux: Streamline type determination in security_compute_sid

Message ID 20240703025605.63628-1-guocanfeng@uniontech.com (mailing list archive)
State Accepted
Delegated to: Paul Moore
Series selinux: Streamline type determination in security_compute_sid

Commit Message

Canfeng Guo July 3, 2024, 2:56 a.m. UTC
Simplifies the logic for determining the security context type in
security_compute_sid, enhancing readability and efficiency.

Consolidates default type assignment logic next to type transition
checks, removing redundancy and improving code flow.

Signed-off-by: Canfeng Guo <guocanfeng@uniontech.com>
---
v2:
   Modify the format to follow the generally accepted style for
   multi-line comments in the Linux kernel.
---
 security/selinux/ss/services.c | 36 ++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 17 deletions(-)
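
The commit message describes the change as a pure reordering: the default type used to be computed before the rule lookup and then overwritten by any matching rule, and now the rule is checked first with the default as the fallback. The following stand-alone model, added here for this page and not code from security/selinux/ss/services.c, writes both orderings out and enumerates every combination of the inputs that steer the branches to confirm they agree. It assumes, as the patch does, that the avtab lookup sitting between the two sites in the original code never reads newcontext.type; the struct fields, PROCESS_CLASS value and type numbers are constructed for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed model of the type-selection step in security_compute_sid().
 * Names mirror the diff, but the structs, constants and values below are
 * invented for this comparison; this is not kernel code.
 */
enum { DEFAULT_UNSET = 0, DEFAULT_SOURCE = 1, DEFAULT_TARGET = 2 };

#define PROCESS_CLASS 2u /* stand-in for policydb->process_class */

struct class_datum { int default_type; };

struct inputs {
	const struct class_datum *cladatum; /* NULL when the class is unknown */
	uint32_t tclass;
	bool sock;
	bool have_rule;        /* stands in for avnode != NULL */
	uint32_t rule_type;    /* stands in for avnode->datum.u.data */
	uint32_t stype, ttype; /* scontext->type, tcontext->type */
};

/* Pre-patch ordering: compute the default first, then let a rule override it. */
uint32_t type_before(const struct inputs *in)
{
	uint32_t type;

	if (in->cladatum && in->cladatum->default_type == DEFAULT_SOURCE)
		type = in->stype;
	else if (in->cladatum && in->cladatum->default_type == DEFAULT_TARGET)
		type = in->ttype;
	else if (in->tclass == PROCESS_CLASS || in->sock)
		type = in->stype;
	else
		type = in->ttype;

	/* Assumption: the avtab lookup happens here and does not read 'type'. */
	if (in->have_rule)
		type = in->rule_type;
	return type;
}

/* Post-patch ordering: a matching rule wins, otherwise fall back to the default. */
uint32_t type_after(const struct inputs *in)
{
	if (in->have_rule)
		return in->rule_type;
	if (in->cladatum && in->cladatum->default_type == DEFAULT_SOURCE)
		return in->stype;
	if (in->cladatum && in->cladatum->default_type == DEFAULT_TARGET)
		return in->ttype;
	if (in->tclass == PROCESS_CLASS || in->sock)
		return in->stype;
	return in->ttype;
}

/*
 * Exhaustively enumerate every combination of the branch-steering inputs.
 * Returns the number of combinations checked, or -1 on the first case where
 * the two orderings disagree.
 */
int check_orderings_agree(void)
{
	static const struct class_datum datums[] = {
		{ DEFAULT_UNSET }, { DEFAULT_SOURCE }, { DEFAULT_TARGET },
	};
	int checked = 0;

	for (int d = -1; d < 3; d++)                   /* -1: cladatum == NULL */
	for (uint32_t tclass = 1; tclass <= 3; tclass++) /* 2 == PROCESS_CLASS */
	for (int sock = 0; sock < 2; sock++)
	for (int rule = 0; rule < 2; rule++) {
		struct inputs in = {
			.cladatum = d < 0 ? NULL : &datums[d],
			.tclass = tclass,
			.sock = sock,
			.have_rule = rule,
			.rule_type = 300,
			.stype = 100,
			.ttype = 200,
		};
		if (type_before(&in) != type_after(&in))
			return -1;
		checked++;
	}
	return checked;
}
```

The equivalence rests entirely on the lookup in between not depending on the partially built newcontext; if a later change made the avtab search or the conditional-rule walk consult newcontext.type, the two orderings would stop being interchangeable and a check like this one would catch it.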

Comments

Paul Moore July 11, 2024, 9:10 p.m. UTC | #1
On Tue, Jul 2, 2024 at 10:56 PM Canfeng Guo <guocanfeng@uniontech.com> wrote:
>
> Simplifies the logic for determining the security context type in
> security_compute_sid, enhancing readability and efficiency.
>
> Consolidates default type assignment logic next to type transition
> checks, removing redundancy and improving code flow.
>
> Signed-off-by: Canfeng Guo <guocanfeng@uniontech.com>
> ---
> v2:
>    Modify the format to follow the generally accepted style for
>    multi-line comments in the Linux kernel.
> ---
>  security/selinux/ss/services.c | 36 ++++++++++++++++++----------------
>  1 file changed, 19 insertions(+), 17 deletions(-)

Thanks for the revised patch, it looks good to me, but it is too late
in the development cycle to merge it into the selinux/dev branch; I'm
going to merge it into selinux/dev-staging for testing and I'll move
it to the selinux/dev branch after the upcoming merge window closes.
Paul Moore July 29, 2024, 8:40 p.m. UTC | #2
On Thu, Jul 11, 2024 at 5:10 PM Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Jul 2, 2024 at 10:56 PM Canfeng Guo <guocanfeng@uniontech.com> wrote:
> >
> > Simplifies the logic for determining the security context type in
> > security_compute_sid, enhancing readability and efficiency.
> >
> > Consolidates default type assignment logic next to type transition
> > checks, removing redundancy and improving code flow.
> >
> > Signed-off-by: Canfeng Guo <guocanfeng@uniontech.com>
> > ---
> > v2:
> >    Modify the format to follow the generally accepted style for
> >    multi-line comments in the Linux kernel.
> > ---
> >  security/selinux/ss/services.c | 36 ++++++++++++++++++----------------
> >  1 file changed, 19 insertions(+), 17 deletions(-)
>
> Thanks for the revised patch, it looks good to me, but it is too late
> in the development cycle to merge it into the selinux/dev branch; I'm
> going to merge it into selinux/dev-staging for testing and I'll move
> it to the selinux/dev branch after the upcoming merge window closes.

A quick note to let you know that this is now in the selinux/dev branch, thanks!

Patch

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index e33e55384b75..a9830fbfc5c6 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1804,22 +1804,9 @@  static int security_compute_sid(u32 ssid,
 			newcontext.role = OBJECT_R_VAL;
 	}
 
-	/* Set the type to default values. */
-	if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
-		newcontext.type = scontext->type;
-	} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
-		newcontext.type = tcontext->type;
-	} else {
-		if ((tclass == policydb->process_class) || sock) {
-			/* Use the type of process. */
-			newcontext.type = scontext->type;
-		} else {
-			/* Use the type of the related object. */
-			newcontext.type = tcontext->type;
-		}
-	}
-
-	/* Look for a type transition/member/change rule. */
+	/* Set the type.
+	 * Look for a type transition/member/change rule.
+	 */
 	avkey.source_type = scontext->type;
 	avkey.target_type = tcontext->type;
 	avkey.target_class = tclass;
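Review bot: the comment introduced at the top of this hunk still puts text on the opening line (`/* Set the type.` / ` * Look for a type transition/member/change rule.` / ` */`), whereas the generic kernel multi-line style that the v2 note says it follows has `/*` alone on the first line with the text starting on the next; the text-on-the-first-line form is the net/ subsystem convention. Since both sentences are short, a single-line `/* Set the type: look for a type transition/member/change rule. */` would also do. Separately, deleting the default assignment above the lookup is only behaviour-preserving because the lookup keyed by the `avkey` fields set here uses `scontext->type` and `tcontext->type` and never consults the not-yet-assigned `newcontext.type`; that is the invariant the reorder depends on and it would be worth a sentence in the commit message, which currently frames the change purely as readability.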
@@ -1837,9 +1824,24 @@  static int security_compute_sid(u32 ssid,
 		}
 	}
 
+	/* If a permanent rule is found, use the type from
+	 * the type transition/member/change rule. Otherwise,
+	 * set the type to its default values.
+	 */
 	if (avnode) {
-		/* Use the type from the type transition/member/change rule. */
 		newcontext.type = avnode->datum.u.data;
+	} else if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
+		newcontext.type = scontext->type;
+	} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
+		newcontext.type = tcontext->type;
+	} else {
+		if ((tclass == policydb->process_class) || sock) {
+			/* Use the type of process. */
+			newcontext.type = scontext->type;
+		} else {
+			/* Use the type of the related object. */
+			newcontext.type = tcontext->type;
+		}
 	}
 
 	/* if we have a objname this is a file trans check so check those rules */
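Review bot: the new comment says "If a permanent rule is found", but nothing in the hunk or in the original code it replaces defines a "permanent" rule; what `avnode` holds is simply the matched type transition/member/change rule, so "If a matching rule is found" is accurate and keeps the meaning of the original `/* Use the type from the type transition/member/change rule. */` that this drops. The moved fallback also keeps the nested `else { if (...) ... else ... }` block; now that the default selection is part of the same chain as the `avnode` test, it can be flattened to `} else if ((tclass == policydb->process_class) || sock) {` followed by `newcontext.type = scontext->type;` and a plain `} else {`, preserving the two one-line comments, which removes an indentation level and fits the stated streamlining goal. The comment block here has the same opening-line style issue as the first hunk (`/* If a permanent rule is found, ...` rather than `/*` on its own line).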