selinux: make more use of current_sid()
authorChristian Göttsche <cgzones@googlemail.com>
Fri, 15 Mar 2024 17:31:00 +0000 (18:31 +0100)
committerPaul Moore <paul@paul-moore.com>
Wed, 27 Mar 2024 22:25:18 +0000 (18:25 -0400)
Use the internal helper current_sid() where applicable.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/hooks.c
security/selinux/xfrm.c

index 190d3f94c5955841448b290cd8a9c51567d84c03..e92061019bea00aef4cff7a208699b6c152fbe03 100644 (file)
@@ -2961,7 +2961,7 @@ static int selinux_inode_init_security_anon(struct inode *inode,
                                            const struct qstr *name,
                                            const struct inode *context_inode)
 {
-       const struct task_security_struct *tsec = selinux_cred(current_cred());
+       u32 sid = current_sid();
        struct common_audit_data ad;
        struct inode_security_struct *isec;
        int rc;
@@ -2990,7 +2990,7 @@ static int selinux_inode_init_security_anon(struct inode *inode,
        } else {
                isec->sclass = SECCLASS_ANON_INODE;
                rc = security_transition_sid(
-                       tsec->sid, tsec->sid,
+                       sid, sid,
                        isec->sclass, name, &isec->sid);
                if (rc)
                        return rc;
@@ -3005,7 +3005,7 @@ static int selinux_inode_init_security_anon(struct inode *inode,
        ad.type = LSM_AUDIT_DATA_ANONINODE;
        ad.u.anonclass = name ? (const char *)name->name : "?";
 
-       return avc_has_perm(tsec->sid,
+       return avc_has_perm(sid,
                            isec->sid,
                            isec->sclass,
                            FILE__CREATE,
@@ -3063,14 +3063,12 @@ static int selinux_inode_readlink(struct dentry *dentry)
 static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode,
                                     bool rcu)
 {
-       const struct cred *cred = current_cred();
        struct common_audit_data ad;
        struct inode_security_struct *isec;
-       u32 sid;
+       u32 sid = current_sid();
 
        ad.type = LSM_AUDIT_DATA_DENTRY;
        ad.u.dentry = dentry;
-       sid = cred_sid(cred);
        isec = inode_security_rcu(inode, rcu);
        if (IS_ERR(isec))
                return PTR_ERR(isec);
@@ -3094,12 +3092,11 @@ static noinline int audit_inode_permission(struct inode *inode,
 
 static int selinux_inode_permission(struct inode *inode, int mask)
 {
-       const struct cred *cred = current_cred();
        u32 perms;
        bool from_access;
        bool no_block = mask & MAY_NOT_BLOCK;
        struct inode_security_struct *isec;
-       u32 sid;
+       u32 sid = current_sid();
        struct av_decision avd;
        int rc, rc2;
        u32 audited, denied;
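Review bot: Moving the subject lookup into the declaration `u32 sid = current_sid();` evaluates it at function entry, whereas the removed `sid = cred_sid(cred);` (next hunk, after `perms = file_mask_to_av(...)`) ran only once the function had reached the actual check; the lines between the two hunks are not shown, so I am inferring that any early returns in selinux_inode_permission now pay for a lookup they previously skipped. The cost is a few dereferences and the result is identical, since a task's credentials are only replaced by the task itself, so this is a style choice rather than a defect on this hot path. If the intent was to leave the fast path untouched, keep `u32 sid;` in the declarations and assign `sid = current_sid();` where the old assignment was. The same pattern appears in selinux_inode_follow_link above, where no intervening early return is visible in the hunk.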
@@ -3116,7 +3113,6 @@ static int selinux_inode_permission(struct inode *inode, int mask)
 
        perms = file_mask_to_av(inode->i_mode, mask);
 
-       sid = cred_sid(cred);
        isec = inode_security_rcu(inode, no_block);
        if (IS_ERR(isec))
                return PTR_ERR(isec);
@@ -5564,13 +5560,7 @@ static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
 
 static int selinux_secmark_relabel_packet(u32 sid)
 {
-       const struct task_security_struct *tsec;
-       u32 tsid;
-
-       tsec = selinux_cred(current_cred());
-       tsid = tsec->sid;
-
-       return avc_has_perm(tsid, sid, SECCLASS_PACKET, PACKET__RELABELTO,
+       return avc_has_perm(current_sid(), sid, SECCLASS_PACKET, PACKET__RELABELTO,
                            NULL);
 }
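Review bot: With the body collapsed to a single call, selinux_secmark_relabel_packet now reads as a bare avc_has_perm() and nothing states which side is the subject and which the target; a one-line comment above the return would help, e.g. `/* may the current task relabel packets to @sid? */`. The argument order in the hunk shows the current task's SID as source and the caller-supplied `sid` as target with PACKET__RELABELTO, which is what the comment should capture.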
 
index 95fcd2d3433e4ba6a26ef92adb46835b1a4216b0..90ec4ef1b082f9021f686adb4e0ed3b14f282727 100644 (file)
@@ -76,7 +76,6 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
                                   gfp_t gfp)
 {
        int rc;
-       const struct task_security_struct *tsec = selinux_cred(current_cred());
        struct xfrm_sec_ctx *ctx = NULL;
        u32 str_len;
 
@@ -103,7 +102,7 @@ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
        if (rc)
                goto err;
 
-       rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
+       rc = avc_has_perm(current_sid(), ctx->ctx_sid,
                          SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
        if (rc)
                goto err;
@@ -134,12 +133,10 @@ static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
  */
 static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
 {
-       const struct task_security_struct *tsec = selinux_cred(current_cred());
-
        if (!ctx)
                return 0;
 
-       return avc_has_perm(tsec->sid, ctx->ctx_sid,
+       return avc_has_perm(current_sid(), ctx->ctx_sid,
                            SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
                            NULL);
 }