selinux: cleanup and consolidate the XFRM alloc/clone/delete/free code

jira LE-1907
Rebuild_History Non-Buildable kernel-3.10.0-1160.118.1.el7
commit-author Paul Moore <pmoore@redhat.com>
commit ccf17cc
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-3.10.0-1160.118.1.el7/ccf17cc4.failed

The SELinux labeled IPsec code state management functions have been
long neglected and could use some cleanup and consolidation.

	Signed-off-by: Paul Moore <pmoore@redhat.com>
	Signed-off-by: Eric Paris <eparis@redhat.com>
(cherry picked from commit ccf17cc)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	security/selinux/xfrm.c

Author: PlaidCat

ciq/ciq_backports/kernel-3.10.0-1160.118.1.el7/ccf17cc4.failed

@@ -0,0 +1,110 @@
+selinux: cleanup and consolidate the XFRM alloc/clone/delete/free code
+
+jira LE-1907
+Rebuild_History Non-Buildable kernel-3.10.0-1160.118.1.el7
+commit-author Paul Moore <pmoore@redhat.com>
+commit ccf17cc4b81537c29f0d5950b38b5548b6cb5858
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-3.10.0-1160.118.1.el7/ccf17cc4.failed
+
+The SELinux labeled IPsec code state management functions have been
+long neglected and could use some cleanup and consolidation.
+
+	Signed-off-by: Paul Moore <pmoore@redhat.com>
+	Signed-off-by: Eric Paris <eparis@redhat.com>
+(cherry picked from commit ccf17cc4b81537c29f0d5950b38b5548b6cb5858)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	security/selinux/xfrm.c
+diff --cc security/selinux/xfrm.c
+index 78504a18958a,f8d71262b45d..000000000000
+--- a/security/selinux/xfrm.c
++++ b/security/selinux/xfrm.c
+@@@ -74,6 -74,81 +74,84 @@@ static inline int selinux_authorizable_
+  }
+  
+  /*
+++<<<<<<< HEAD
+++=======
++  * Allocates a xfrm_sec_state and populates it using the supplied security
++  * xfrm_user_sec_ctx context.
++  */
++ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
++ 				   struct xfrm_user_sec_ctx *uctx)
++ {
++ 	int rc;
++ 	const struct task_security_struct *tsec = current_security();
++ 	struct xfrm_sec_ctx *ctx = NULL;
++ 	u32 str_len;
++ 
++ 	if (ctxp == NULL || uctx == NULL ||
++ 	    uctx->ctx_doi != XFRM_SC_DOI_LSM ||
++ 	    uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
++ 		return -EINVAL;
++ 
++ 	str_len = uctx->ctx_len;
++ 	if (str_len >= PAGE_SIZE)
++ 		return -ENOMEM;
++ 
++ 	ctx = kmalloc(sizeof(*ctx) + str_len + 1, GFP_KERNEL);
++ 	if (!ctx)
++ 		return -ENOMEM;
++ 
++ 	ctx->ctx_doi = XFRM_SC_DOI_LSM;
++ 	ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
++ 	ctx->ctx_len = str_len;
++ 	memcpy(ctx->ctx_str, &uctx[1], str_len);
++ 	ctx->ctx_str[str_len] = '\0';
++ 	rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid);
++ 	if (rc)
++ 		goto err;
++ 
++ 	rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
++ 			  SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
++ 	if (rc)
++ 		goto err;
++ 
++ 	*ctxp = ctx;
++ 	atomic_inc(&selinux_xfrm_refcount);
++ 	return 0;
++ 
++ err:
++ 	kfree(ctx);
++ 	return rc;
++ }
++ 
++ /*
++  * Free the xfrm_sec_ctx structure.
++  */
++ static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
++ {
++ 	if (!ctx)
++ 		return;
++ 
++ 	atomic_dec(&selinux_xfrm_refcount);
++ 	kfree(ctx);
++ }
++ 
++ /*
++  * Authorize the deletion of a labeled SA or policy rule.
++  */
++ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
++ {
++ 	const struct task_security_struct *tsec = current_security();
++ 
++ 	if (!ctx)
++ 		return 0;
++ 
++ 	return avc_has_perm(tsec->sid, ctx->ctx_sid,
++ 			    SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
++ 			    NULL);
++ }
++ 
++ /*
+++>>>>>>> ccf17cc4b815 (selinux: cleanup and consolidate the XFRM alloc/clone/delete/free code)
+   * LSM hook implementation that authorizes that a flow can use
+   * a xfrm policy rule.
+   */
+* Unmerged path security/selinux/xfrm.c