
Commit a2c5138

WOnder93pcmoore
authored andcommittedJan 25, 2019
selinux: inline some AVC functions used only once
avc_dump_av() and avc_dump_query() are each used only in one place. Get rid of them and open code their contents in the call sites. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
1 parent 53e0c2a commit a2c5138


1 file changed

+58
-82
lines changed

 

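--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -129,75 +129,6 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
 return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1);
 }
 
-/**
- * avc_dump_av - Display an access vector in human-readable form.
- * @tclass: target security class
- * @av: access vector
- */
-static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
-{
-const char **perms;
-int i, perm;
-
-if (av == 0) {
-audit_log_format(ab, " null");
-return;
-}
-
-BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map));
-perms = secclass_map[tclass-1].perms;
-
-audit_log_format(ab, " {");
-i = 0;
-perm = 1;
-while (i < (sizeof(av) * 8)) {
-if ((perm & av) && perms[i]) {
-audit_log_format(ab, " %s", perms[i]);
-av &= ~perm;
-}
-i++;
-perm <<= 1;
-}
-
-if (av)
-audit_log_format(ab, " 0x%x", av);
-
-audit_log_format(ab, " }");
-}
-
-/**
- * avc_dump_query - Display a SID pair and a class in human-readable form.
- * @ssid: source security identifier
- * @tsid: target security identifier
- * @tclass: target security class
- */
-static void avc_dump_query(struct audit_buffer *ab, struct selinux_state *state,
-u32 ssid, u32 tsid, u16 tclass)
-{
-int rc;
-char *scontext;
-u32 scontext_len;
-
-rc = security_sid_to_context(state, ssid, &scontext, &scontext_len);
-if (rc)
-audit_log_format(ab, "ssid=%d", ssid);
-else {
-audit_log_format(ab, "scontext=%s", scontext);
-kfree(scontext);
-}
-
-rc = security_sid_to_context(state, tsid, &scontext, &scontext_len);
-if (rc)
-audit_log_format(ab, " tsid=%d", tsid);
-else {
-audit_log_format(ab, " tcontext=%s", scontext);
-kfree(scontext);
-}
-
-BUG_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map));
-audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
-}
-
 /**
  * avc_init - Initialize the AVC.
  *
@@ -735,11 +666,37 @@ static struct avc_node *avc_insert(struct selinux_avc *avc,
 static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 {
 struct common_audit_data *ad = a;
-audit_log_format(ab, "avc: %s ",
-ad->selinux_audit_data->denied ? "denied" : "granted");
-avc_dump_av(ab, ad->selinux_audit_data->tclass,
-ad->selinux_audit_data->audited);
-audit_log_format(ab, " for ");
+struct selinux_audit_data *sad = ad->selinux_audit_data;
+u32 av = sad->audited;
+const char **perms;
+int i, perm;
+
+audit_log_format(ab, "avc: %s ", sad->denied ? "denied" : "granted");
+
+if (av == 0) {
+audit_log_string(ab, " null");
+return;
+}
+
+BUG_ON(!sad->tclass || sad->tclass >= ARRAY_SIZE(secclass_map));
+perms = secclass_map[sad->tclass-1].perms;
+
+audit_log_string(ab, " {");
+i = 0;
+perm = 1;
+while (i < (sizeof(av) * 8)) {
+if ((perm & av) && perms[i]) {
+audit_log_format(ab, " %s", perms[i]);
+av &= ~perm;
+}
+i++;
+perm <<= 1;
+}
+
+if (av)
+audit_log_format(ab, " 0x%x", av);
+
+audit_log_string(ab, " } for ");
 }
 
 /**
@@ -751,15 +708,34 @@ static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
 static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
 {
 struct common_audit_data *ad = a;
-audit_log_format(ab, " ");
-avc_dump_query(ab, ad->selinux_audit_data->state,
-ad->selinux_audit_data->ssid,
-ad->selinux_audit_data->tsid,
-ad->selinux_audit_data->tclass);
-if (ad->selinux_audit_data->denied) {
-audit_log_format(ab, " permissive=%u",
-ad->selinux_audit_data->result ? 0 : 1);
+struct selinux_audit_data *sad = ad->selinux_audit_data;
+char *scontext;
+u32 scontext_len;
+int rc;
+
+rc = security_sid_to_context(sad->state, sad->ssid, &scontext,
+&scontext_len);
+if (rc)
+audit_log_format(ab, " ssid=%d", sad->ssid);
+else {
+audit_log_format(ab, " scontext=%s", scontext);
+kfree(scontext);
 }
+
+rc = security_sid_to_context(sad->state, sad->tsid, &scontext,
+&scontext_len);
+if (rc)
+audit_log_format(ab, " tsid=%d", sad->tsid);
+else {
+audit_log_format(ab, " tcontext=%s", scontext);
+kfree(scontext);
+}
+
+BUG_ON(!sad->tclass || sad->tclass >= ARRAY_SIZE(secclass_map));
+audit_log_format(ab, " tclass=%s", secclass_map[sad->tclass-1].name);
+
+if (sad->denied)
+audit_log_format(ab, " permissive=%u", sad->result ? 0 : 1);
 }
 
 /* This is the slow part of avc audit with big stack footprint */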
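Review bot: In avc_audit_pre_callback the three literal fragments ` null`, ` {` and ` } for ` are now emitted through audit_log_string() instead of audit_log_format() as the removed avc_dump_av() did; as far as I recall audit_log_string() is a wrapper around audit_log_n_string(), which encloses its argument in double quotes, so the AVC record would change from `avc:  denied  { read } for  scontext=...` to something like `avc:  denied " {" read" } for " scontext=...`, which silently breaks every log parser and detection rule that keys on that format. Unless the quoting is intended, keep the original calls, e.g. `audit_log_format(ab, " {");` and `audit_log_format(ab, " } for ");`. The early return on `av == 0` is also no longer followed by the ` for ` separator that the old code appended unconditionally after avc_dump_av(), so a null access vector now yields `... null scontext=...`; if that path is reachable, emit ` null for ` before returning. Both points apply only to the second hunk; the post callback hunk is a faithful inlining.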
