| Message ID | 20240822140858.1998-1-thunder.leizhen@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to | Paul Moore |
| Series | [1/1] selinux: simplify avc_xperms_audit_required() |
On Aug 22, 2024 Zhen Lei <thunder.leizhen@huawei.com> wrote:
>
> By associative and commutative laws, the results of the two 'audited' are
> zero. Take the second 'audited' as an example:
> 1) audited = requested & avd->auditallow;
> 2) audited &= ~requested;
> ==> audited = ~requested & (requested & avd->auditallow);
> ==> audited = (~requested & requested) & avd->auditallow;
> ==> audited = 0 & avd->auditallow;
> ==> audited = 0;
>
> In fact, it is more readable to directly write zero. The value of the
> first 'audited' is 0 because AUDIT is not allowed. The second 'audited'
> is zero because there is no AUDITALLOW permission.
>
> Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
> ---
>  security/selinux/avc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Looks good to me, merged into selinux/dev, thanks!

--
paul-moore.com
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index b49c44869dc4627..21f5bbba50caaeb 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -396,7 +396,7 @@ static inline u32 avc_xperms_audit_required(u32 requested, audited = denied & avd->auditdeny; if (audited && xpd) { if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT)) - audited &= ~requested; + audited = 0; } } else if (result) { audited = denied = requested; @@ -404,7 +404,7 @@ static inline u32 avc_xperms_audit_required(u32 requested, audited = requested & avd->auditallow; if (audited && xpd) { if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) - audited &= ~requested; + audited = 0; } }
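Review bot: in the @@ -396 hunk the replacement `audited = 0;` is equivalent to the removed `audited &= ~requested;` only because `denied` cannot carry a bit that `requested` lacks, which is what makes `audited = denied & avd->auditdeny;` a subset of `requested`. The commit message's derivation is written for the second hunk (`audited = requested & avd->auditallow;`) and justifies this one with "because AUDIT is not allowed", which is not the reason the mask collapses. Please add the denied-is-a-subset-of-requested argument to the commit message so the first hunk is justified on its own.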
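Review bot: in the @@ -404 hunk, with the body reduced to `audited = 0;`, the nested `if (audited && xpd) { if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) audited = 0; }` reads better as one condition, `if (audited && xpd && !avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW)) audited = 0;`. The `audited &&` test then only serves to skip the xperms lookup when nothing would be audited anyway, which is worth a one-line comment. The same shape applies to the DONTAUDIT hunk above. Behaviour is unchanged; style only.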
By associative and commutative laws, the results of the two 'audited' are
zero. Take the second 'audited' as an example:
1) audited = requested & avd->auditallow;
2) audited &= ~requested;
==> audited = ~requested & (requested & avd->auditallow);
==> audited = (~requested & requested) & avd->auditallow;
==> audited = 0 & avd->auditallow;
==> audited = 0;

In fact, it is more readable to directly write zero. The value of the
first 'audited' is 0 because AUDIT is not allowed. The second 'audited'
is zero because there is no AUDITALLOW permission.

Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
---
 security/selinux/avc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
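The commit message derives the second branch by hand; the first branch rests on `denied` being a subset of `requested`, which the hunk context does not show. The following is an added example (not part of the patch, this thread, or the kernel's own code) that runs the pre-patch and post-patch logic side by side over every 4-bit permission vector and counts disagreements, and also counts how often `denied` has a bit outside `requested`. The structures and `avc_xperms_has_perm()` are simplified stand-ins (32-bit masks with `perm` as a bit index instead of the kernel's 256-bit extended-permission bitmaps); the lines of `avc_xperms_audit_required()` that the hunks do not show, namely the signature and `denied = requested & ~avd->allowed`, are reconstructed from my reading of security/selinux/avc.c and should be treated as an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint8_t u8;

/* Stand-in for the kernel's struct av_decision: only the fields the
 * function reads (constructed for this example). */
struct av_decision {
	u32 allowed;
	u32 auditallow;
	u32 auditdeny;
};

/* The kernel keeps 256-bit extended-permission bitmaps; a 32-bit mask per
 * decision type with 'perm' as a bit index is enough to exercise the logic. */
#define XPERMS_AUDITALLOW 1
#define XPERMS_DONTAUDIT  2

struct extended_perms_decision {
	u32 auditallow;
	u32 dontaudit;
};

static bool avc_xperms_has_perm(const struct extended_perms_decision *xpd,
				u8 perm, u8 which)
{
	u32 map = (which == XPERMS_AUDITALLOW) ? xpd->auditallow : xpd->dontaudit;

	return (map >> perm) & 1u;
}

/* Both versions of the function in one body: 'use_patch' selects between the
 * removed 'audited &= ~requested' and the added 'audited = 0'. The signature
 * and the 'denied = requested & ~avd->allowed' line are not in the hunks and
 * are reconstructed from avc.c (assumption). */
static u32 audit_required(bool use_patch, u32 requested,
			  const struct av_decision *avd,
			  const struct extended_perms_decision *xpd,
			  u8 perm, int result, u32 *deniedp)
{
	u32 denied, audited;

	denied = requested & ~avd->allowed;
	if (denied) {
		audited = denied & avd->auditdeny;
		if (audited && xpd) {
			if (avc_xperms_has_perm(xpd, perm, XPERMS_DONTAUDIT))
				audited = use_patch ? 0 : (audited & ~requested);
		}
	} else if (result) {
		audited = denied = requested;
	} else {
		audited = requested & avd->auditallow;
		if (audited && xpd) {
			if (!avc_xperms_has_perm(xpd, perm, XPERMS_AUDITALLOW))
				audited = use_patch ? 0 : (audited & ~requested);
		}
	}
	*deniedp = denied;
	return audited;
}

struct check_result {
	unsigned long cases;          /* input combinations tried */
	unsigned long mismatches;     /* old and new disagree on audited or denied */
	unsigned long denied_escapes; /* denied had a bit that requested lacks */
};

/* Exhaustive comparison over 4-bit permission vectors, every xperm flag
 * combination for 'perm', both 'result' values and a NULL xpd. The first hunk
 * is only safe because denied_escapes stays at zero. */
static struct check_result run_equivalence_check(void)
{
	struct check_result r = { 0, 0, 0 };
	const u8 perm = 3;

	for (u32 req = 0; req < 16; req++)
	for (u32 allowed = 0; allowed < 16; allowed++)
	for (u32 aa = 0; aa < 16; aa++)
	for (u32 ad = 0; ad < 16; ad++)
	for (u32 flags = 0; flags < 4; flags++)
	for (int result = 0; result < 2; result++)
	for (int have_xpd = 0; have_xpd < 2; have_xpd++) {
		struct av_decision avd = { allowed, aa, ad };
		struct extended_perms_decision xpd = {
			(flags & 1) ? (1u << perm) : 0,
			(flags & 2) ? (1u << perm) : 0,
		};
		const struct extended_perms_decision *x = have_xpd ? &xpd : NULL;
		u32 d_old, d_new;
		u32 a_old = audit_required(false, req, &avd, x, perm, result, &d_old);
		u32 a_new = audit_required(true, req, &avd, x, perm, result, &d_new);

		r.cases++;
		if (a_old != a_new || d_old != d_new)
			r.mismatches++;
		if (d_old & ~req)
			r.denied_escapes++;
	}
	return r;
}

/* The commit message's branch: request fully allowed, AUDITALLOW on bit 0, and
 * the record suppressed unless the xperm itself carries AUDITALLOW. */
static u32 second_branch_case(bool xperm_auditallow)
{
	struct av_decision avd = { 0x5, 0x1, 0 };
	struct extended_perms_decision xpd = { xperm_auditallow ? (1u << 3) : 0, 0 };
	u32 denied;

	return audit_required(true, 0x5, &avd, &xpd, 3, 0, &denied);
}

/* The other hunk: bit 0 denied and in auditdeny; DONTAUDIT on the xperm
 * suppresses the record. */
static u32 first_branch_case(bool xperm_dontaudit)
{
	struct av_decision avd = { 0x4, 0, 0x1 };
	struct extended_perms_decision xpd = { 0, xperm_dontaudit ? (1u << 3) : 0 };
	u32 denied;

	return audit_required(true, 0x5, &avd, &xpd, 3, 0, &denied);
}

int main(void)
{
	struct check_result r = run_equivalence_check();

	printf("%lu cases, %lu mismatches, %lu denied bits outside requested\n",
	       r.cases, r.mismatches, r.denied_escapes);
	printf("second branch: audited=%#x without AUDITALLOW xperm, %#x with\n",
	       second_branch_case(false), second_branch_case(true));
	return r.mismatches ? 1 : 0;
}
```

The sweep covers about a million combinations and reports no mismatch, which is the behavioural guarantee the patch relies on; the `denied_escapes` counter is what would have to become non-zero for the first hunk to change behaviour, and it cannot while `denied` is carved out of `requested`.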