1. Patchew
  2. linux
  3. View series

[PATCH] selinux: Streamline type determination in security_compute_sid

Canfeng Guo posted 1 patch 1 year, 5 months ago 
security/selinux/ss/services.c | 36 ++++++++++++++++++----------------
1 file changed, 19 insertions(+), 17 deletions(-)
[PATCH] selinux: Streamline type determination in security_compute_sid
Posted by Canfeng Guo 1 year, 5 months ago 
Simplifies the logic for determining the security context type in
security_compute_sid, enhancing readability and efficiency.

Consolidates default type assignment logic next to type transition
checks, removing redundancy and improving code flow.

Signed-off-by: Canfeng Guo <guocanfeng@uniontech.com>
---
v2:
   Modify the format to follow the generally accepted style for
   multi-line comments in the Linux kernel.
---
 security/selinux/ss/services.c | 36 ++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 17 deletions(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index e33e55384b75..a9830fbfc5c6 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1804,22 +1804,9 @@ static int security_compute_sid(u32 ssid,
 			newcontext.role = OBJECT_R_VAL;
 	}
 
-	/* Set the type to default values. */
-	if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
-		newcontext.type = scontext->type;
-	} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
-		newcontext.type = tcontext->type;
-	} else {
-		if ((tclass == policydb->process_class) || sock) {
-			/* Use the type of process. */
-			newcontext.type = scontext->type;
-		} else {
-			/* Use the type of the related object. */
-			newcontext.type = tcontext->type;
-		}
-	}
-
-	/* Look for a type transition/member/change rule. */
+	/* Set the type.
+	 * Look for a type transition/member/change rule.
+	 */
 	avkey.source_type = scontext->type;
 	avkey.target_type = tcontext->type;
 	avkey.target_class = tclass;
@@ -1837,9 +1824,24 @@ static int security_compute_sid(u32 ssid,
 		}
 	}
 
+	/* If a permanent rule is found, use the type from
+	 * the type transition/member/change rule. Otherwise,
+	 * set the type to its default values.
+	 */
 	if (avnode) {
-		/* Use the type from the type transition/member/change rule. */
 		newcontext.type = avnode->datum.u.data;
+	} else if (cladatum && cladatum->default_type == DEFAULT_SOURCE) {
+		newcontext.type = scontext->type;
+	} else if (cladatum && cladatum->default_type == DEFAULT_TARGET) {
+		newcontext.type = tcontext->type;
+	} else {
+		if ((tclass == policydb->process_class) || sock) {
+			/* Use the type of process. */
+			newcontext.type = scontext->type;
+		} else {
+			/* Use the type of the related object. */
+			newcontext.type = tcontext->type;
+		}
 	}
 
 	/* if we have a objname this is a file trans check so check those rules */
-- 
2.20.1
Re: [PATCH] selinux: Streamline type determination in security_compute_sid
Posted by Paul Moore 1 year, 5 months ago 
On Tue, Jul 2, 2024 at 10:56 PM Canfeng Guo <guocanfeng@uniontech.com> wrote:
>
> Simplifies the logic for determining the security context type in
> security_compute_sid, enhancing readability and efficiency.
>
> Consolidates default type assignment logic next to type transition
> checks, removing redundancy and improving code flow.
>
> Signed-off-by: Canfeng Guo <guocanfeng@uniontech.com>
> ---
> v2:
>    Modify the format to follow the generally accepted style for
>    multi-line comments in the Linux kernel.
> ---
>  security/selinux/ss/services.c | 36 ++++++++++++++++++----------------
>  1 file changed, 19 insertions(+), 17 deletions(-)

Thanks for the revised patch, it looks good to me, but it is too late
in the development cycle to merge it into the selinux/dev branch; I'm
going to merge it into selinux/dev-staging for testing and I'll move
it to the selinux/dev branch after the upcoming merge window closes.

-- 
paul-moore.com
Re: [PATCH] selinux: Streamline type determination in security_compute_sid
Posted by Paul Moore 1 year, 4 months ago 
On Thu, Jul 11, 2024 at 5:10 PM Paul Moore <paul@paul-moore.com> wrote:
> On Tue, Jul 2, 2024 at 10:56 PM Canfeng Guo <guocanfeng@uniontech.com> wrote:
> >
> > Simplifies the logic for determining the security context type in
> > security_compute_sid, enhancing readability and efficiency.
> >
> > Consolidates default type assignment logic next to type transition
> > checks, removing redundancy and improving code flow.
> >
> > Signed-off-by: Canfeng Guo <guocanfeng@uniontech.com>
> > ---
> > v2:
> >    Modify the format to follow the generally accepted style for
> >    multi-line comments in the Linux kernel.
> > ---
> >  security/selinux/ss/services.c | 36 ++++++++++++++++++----------------
> >  1 file changed, 19 insertions(+), 17 deletions(-)
>
> Thanks for the revised patch, it looks good to me, but it is too late
> in the development cycle to merge it into the selinux/dev branch; I'm
> going to merge it into selinux/dev-staging for testing and I'll move
> it to the selinux/dev branch after the upcoming merge window closes.

A quick note to let you know that this is now in the selinux/dev branch, thanks!

-- 
paul-moore.com

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.