Simplifies the logic for determining the security context type in security_compute_sid, enhancing readability and efficiency. Consolidates default type assignment logic next to type transition checks, removing redundancy and improving code flow. Signed-off-by: Canfeng Guo <guocanfeng@xxxxxxxxxxxxx> --- v2: Modify the format to follow the generally accepted style for multi-line comments in the Linux kernel. --- security/selinux/ss/services.c | 36 ++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index e33e55384b75..a9830fbfc5c6 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1804,22 +1804,9 @@ static int security_compute_sid(u32 ssid, newcontext.role = OBJECT_R_VAL; } - /* Set the type to default values. */ - if (cladatum && cladatum->default_type == DEFAULT_SOURCE) { - newcontext.type = scontext->type; - } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) { - newcontext.type = tcontext->type; - } else { - if ((tclass == policydb->process_class) || sock) { - /* Use the type of process. */ - newcontext.type = scontext->type; - } else { - /* Use the type of the related object. */ - newcontext.type = tcontext->type; - } - } - - /* Look for a type transition/member/change rule. */ + /* Set the type. + * Look for a type transition/member/change rule. + */ avkey.source_type = scontext->type; avkey.target_type = tcontext->type; avkey.target_class = tclass; @@ -1837,9 +1824,24 @@ static int security_compute_sid(u32 ssid, } } + /* If a permanent rule is found, use the type from + * the type transition/member/change rule. Otherwise, + * set the type to its default values. + */ if (avnode) { - /* Use the type from the type transition/member/change rule. */ newcontext.type = avnode->datum.u.data; + } else if (cladatum && cladatum->default_type == DEFAULT_SOURCE) { + newcontext.type = scontext->type; + } else if (cladatum && cladatum->default_type == DEFAULT_TARGET) { + newcontext.type = tcontext->type; + } else { + if ((tclass == policydb->process_class) || sock) { + /* Use the type of process. */ + newcontext.type = scontext->type; + } else { + /* Use the type of the related object. */ + newcontext.type = tcontext->type; + } } /* if we have a objname this is a file trans check so check those rules */ -- 2.20.1