Commit cdc12eb4 authored by Christian Göttsche's avatar Christian Göttsche Committed by Paul Moore

selinux: make more use of current_sid()



Use the internal helper current_sid() where applicable.

Signed-off-by: default avatarChristian Göttsche <cgzones@googlemail.com>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent 4b3124de
+6 −16
@@ -2961,7 +2961,7 @@ static int selinux_inode_init_security_anon(struct inode *inode,
					    const struct qstr *name,
					    const struct inode *context_inode)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());
	u32 sid = current_sid();
	struct common_audit_data ad;
	struct inode_security_struct *isec;
	int rc;
@@ -2990,7 +2990,7 @@ static int selinux_inode_init_security_anon(struct inode *inode,
	} else {
		isec->sclass = SECCLASS_ANON_INODE;
		rc = security_transition_sid(
			tsec->sid, tsec->sid,
			sid, sid,
			isec->sclass, name, &isec->sid);
		if (rc)
			return rc;
@@ -3005,7 +3005,7 @@ static int selinux_inode_init_security_anon(struct inode *inode,
	ad.type = LSM_AUDIT_DATA_ANONINODE;
	ad.u.anonclass = name ? (const char *)name->name : "?";

	return avc_has_perm(tsec->sid,
	return avc_has_perm(sid,
			    isec->sid,
			    isec->sclass,
			    FILE__CREATE,
@@ -3063,14 +3063,12 @@ static int selinux_inode_readlink(struct dentry *dentry)
static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
				     bool rcu)
{
	const struct cred *cred = current_cred();
	struct common_audit_data ad;
	struct inode_security_struct *isec;
	u32 sid;
	u32 sid = current_sid();

	ad.type = LSM_AUDIT_DATA_DENTRY;
	ad.u.dentry = dentry;
	sid = cred_sid(cred);
	isec = inode_security_rcu(inode, rcu);
	if (IS_ERR(isec))
		return PTR_ERR(isec);
@@ -3094,12 +3092,11 @@ static noinline int audit_inode_permission(struct inode *inode,

static int selinux_inode_permission(struct inode *inode, int mask)
{
	const struct cred *cred = current_cred();
	u32 perms;
	bool from_access;
	bool no_block = mask & MAY_NOT_BLOCK;
	struct inode_security_struct *isec;
	u32 sid;
	u32 sid = current_sid();
	struct av_decision avd;
	int rc, rc2;
	u32 audited, denied;
@@ -3116,7 +3113,6 @@ static int selinux_inode_permission(struct inode *inode, int mask)

	perms = file_mask_to_av(inode->i_mode, mask);

	sid = cred_sid(cred);
	isec = inode_security_rcu(inode, no_block);
	if (IS_ERR(isec))
		return PTR_ERR(isec);
@@ -5564,13 +5560,7 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)

static int selinux_secmark_relabel_packet(u32 sid)
{
	const struct task_security_struct *tsec;
	u32 tsid;

	tsec = selinux_cred(current_cred());
	tsid = tsec->sid;

	return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
	return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO,
			    NULL);
}
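Review bot: In selinux_inode_permission the subject SID is now read in the declaration (`u32 sid = current_sid();`), so the lookup happens at function entry instead of where `sid = cred_sid(cred);` used to sit, after `perms = file_mask_to_av(inode->i_mode, mask);`. The lines between the declarations and that call fall outside the hunks shown, but if they contain early returns, as the gap in line numbers suggests, the credential is now read on calls that never reach the AVC check. The commit message describes a plain helper substitution, so either keep the original placement with `u32 sid;` and `sid = current_sid();` just before `isec = inode_security_rcu(inode, no_block);`, or mention the reordering in the description. selinux_inode_follow_link has the same move, but there it only crosses the two `ad` assignments visible in its hunk.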

+2 −5
@@ -76,7 +76,6 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
				   gfp_t gfp)
{
	int rc;
	const struct task_security_struct *tsec = selinux_cred(current_cred());
	struct xfrm_sec_ctx *ctx = NULL;
	u32 str_len;

@@ -103,7 +102,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
	if (rc)
		goto err;

	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
	rc = avc_has_perm(current_sid(), ctx->ctx_sid,
			  SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
	if (rc)
		goto err;
@@ -134,12 +133,10 @@ static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
 */
static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
{
	const struct task_security_struct *tsec = selinux_cred(current_cred());

	if (!ctx)
		return 0;

	return avc_has_perm(tsec->sid, ctx->ctx_sid,
	return avc_has_perm(current_sid(), ctx->ctx_sid,
			    SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
			    NULL);
}