selinux: generalize evaluate_cond_node()

WOnder93 · pcmoore · commit 89d4d7c88d2b · 2020-02-11T21:50:26.000-05:00
Both callers iterate the cond_list and call it for each node - turn it
into evaluate_cond_nodes(), which does the iteration for them.

Signed-off-by: Ondrej Mosnacek &lt;omosnace@redhat.com&gt;
Signed-off-by: Paul Moore &lt;paul@paul-moore.com&gt;
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
@@ -86,7 +86,7 @@ static int cond_evaluate_expr(struct policydb *p, struct cond_expr *expr)
  * list appropriately. If the result of the expression is undefined
  * all of the rules are disabled for safety.
  */
-void evaluate_cond_node(struct policydb *p, struct cond_node *node)
+static void evaluate_cond_node(struct policydb *p, struct cond_node *node)
 {
 	struct avtab_node *avnode;
 	int new_state;
@@ -117,6 +117,14 @@ void evaluate_cond_node(struct policydb *p, struct cond_node *node)
 	}
 }
 
+void evaluate_cond_nodes(struct policydb *p)
+{
+	u32 i;
+
+	for (i = 0; i < p->cond_list_len; i++)
+		evaluate_cond_node(p, &p->cond_list[i]);
+}
+
 int cond_policydb_init(struct policydb *p)
 {
 	int rc;
diff --git a/security/selinux/ss/conditional.h b/security/selinux/ss/conditional.h
@@ -78,6 +78,6 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
 		struct av_decision *avd, struct extended_perms *xperms);
 void cond_compute_xperms(struct avtab *ctab, struct avtab_key *key,
 		struct extended_perms_decision *xpermd);
-void evaluate_cond_node(struct policydb *p, struct cond_node *node);
+void evaluate_cond_nodes(struct policydb *p);
 
 #endif /* _CONDITIONAL_H_ */
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
@@ -2957,8 +2957,7 @@ int security_set_bools(struct selinux_state *state, u32 len, int *values)
 			policydb->bool_val_to_struct[i]->state = 0;
 	}
 
-	for (i = 0; i < policydb->cond_list_len; i++)
-		evaluate_cond_node(policydb, &policydb->cond_list[i]);
+	evaluate_cond_nodes(policydb);
 
 	seqno = ++state->ss->latest_granting;
 	rc = 0;
@@ -3011,8 +3010,7 @@ static int security_preserve_bools(struct selinux_state *state,
 		if (booldatum)
 			booldatum->state = bvalues[i];
 	}
-	for (i = 0; i < policydb->cond_list_len; i++)
-		evaluate_cond_node(policydb, &policydb->cond_list[i]);
+	evaluate_cond_nodes(policydb);
 
 out:
 	if (bnames) {

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ static int cond_evaluate_expr(struct policydb p, struct cond_expr expr)`
`86`	`86`	`* list appropriately. If the result of the expression is undefined`
`87`	`87`	`* all of the rules are disabled for safety.`
`88`	`88`	`*/`
`89`		`-void evaluate_cond_node(struct policydb p, struct cond_node node)`
	`89`	`+static void evaluate_cond_node(struct policydb p, struct cond_node node)`
`90`	`90`	`{`
`91`	`91`	`struct avtab_node *avnode;`
`92`	`92`	`int new_state;`
`@@ -117,6 +117,14 @@ void evaluate_cond_node(struct policydb p, struct cond_node node)`
`117`	`117`	`}`
`118`	`118`	`}`
`119`	`119`
	`120`	`+void evaluate_cond_nodes(struct policydb *p)`
	`121`	`+{`
	`122`	`+ u32 i;`
	`123`	`+`
	`124`	`+ for (i = 0; i < p->cond_list_len; i++)`
	`125`	`+ evaluate_cond_node(p, &p->cond_list[i]);`
	`126`	`+}`
	`127`	`+`
`120`	`128`	`int cond_policydb_init(struct policydb *p)`
`121`	`129`	`{`
`122`	`130`	`int rc;`