selinux: cleanup and consolidate the XFRM alloc/clone/delete/free code

jira LE-1907
Rebuild_History Non-Buildable kernel-3.10.0-1160.118.1.el7
commit-author Paul Moore <pmoore@redhat.com>
commit ccf17cc
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
Will be included in final tarball splat. Ref for failed cherry-pick at:
ciq/ciq_backports/kernel-3.10.0-1160.118.1.el7/ccf17cc4.failed

The SELinux labeled IPsec code state management functions have been
long neglected and could use some cleanup and consolidation.

	Signed-off-by: Paul Moore <pmoore@redhat.com>
	Signed-off-by: Eric Paris <eparis@redhat.com>
(cherry picked from commit ccf17cc)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>

# Conflicts:
#	security/selinux/xfrm.c

ciq/ciq_backports/kernel-3.10.0-1160.118.1.el7/ccf17cc4.failed

@@ -0,0 +1,110 @@
+selinux: cleanup and consolidate the XFRM alloc/clone/delete/free code
+
+jira LE-1907
+Rebuild_History Non-Buildable kernel-3.10.0-1160.118.1.el7
+commit-author Paul Moore <pmoore@redhat.com>
+commit ccf17cc4b81537c29f0d5950b38b5548b6cb5858
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-3.10.0-1160.118.1.el7/ccf17cc4.failed
+
+The SELinux labeled IPsec code state management functions have been
+long neglected and could use some cleanup and consolidation.
+
+ Signed-off-by: Paul Moore <pmoore@redhat.com>
+ Signed-off-by: Eric Paris <eparis@redhat.com>
+(cherry picked from commit ccf17cc4b81537c29f0d5950b38b5548b6cb5858)
+ Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+# security/selinux/xfrm.c
+diff --cc security/selinux/xfrm.c
+index 78504a18958a,f8d71262b45d..000000000000
+--- a/security/selinux/xfrm.c
++++ b/security/selinux/xfrm.c
+@@@ -74,6 -74,81 +74,84 @@@ static inline int selinux_authorizable_
+ }
+
+ /*
+++<<<<<<< HEAD
+++=======
++ * Allocates a xfrm_sec_state and populates it using the supplied security
++ * xfrm_user_sec_ctx context.
++ */
++ static int selinux_xfrm_alloc_user(struct xfrm_sec_ctx **ctxp,
++ struct xfrm_user_sec_ctx *uctx)
++ {
++ int rc;
++ const struct task_security_struct *tsec = current_security();
++ struct xfrm_sec_ctx *ctx = NULL;
++ u32 str_len;
++ 
++ if (ctxp == NULL || uctx == NULL ||
++ uctx->ctx_doi != XFRM_SC_DOI_LSM ||
++ uctx->ctx_alg != XFRM_SC_ALG_SELINUX)
++ return -EINVAL;
++ 
++ str_len = uctx->ctx_len;
++ if (str_len >= PAGE_SIZE)
++ return -ENOMEM;
++ 
++ ctx = kmalloc(sizeof(*ctx) + str_len + 1, GFP_KERNEL);
++ if (!ctx)
++ return -ENOMEM;
++ 
++ ctx->ctx_doi = XFRM_SC_DOI_LSM;
++ ctx->ctx_alg = XFRM_SC_ALG_SELINUX;
++ ctx->ctx_len = str_len;
++ memcpy(ctx->ctx_str, &uctx[1], str_len);
++ ctx->ctx_str[str_len] = '\0';
++ rc = security_context_to_sid(ctx->ctx_str, str_len, &ctx->ctx_sid);
++ if (rc)
++ goto err;
++ 
++ rc = avc_has_perm(tsec->sid, ctx->ctx_sid,
++ SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, NULL);
++ if (rc)
++ goto err;
++ 
++ *ctxp = ctx;
++ atomic_inc(&selinux_xfrm_refcount);
++ return 0;
++ 
++ err:
++ kfree(ctx);
++ return rc;
++ }
++ 
++ /*
++ * Free the xfrm_sec_ctx structure.
++ */
++ static void selinux_xfrm_free(struct xfrm_sec_ctx *ctx)
++ {
++ if (!ctx)
++ return;
++ 
++ atomic_dec(&selinux_xfrm_refcount);
++ kfree(ctx);
++ }
++ 
++ /*
++ * Authorize the deletion of a labeled SA or policy rule.
++ */
++ static int selinux_xfrm_delete(struct xfrm_sec_ctx *ctx)
++ {
++ const struct task_security_struct *tsec = current_security();
++ 
++ if (!ctx)
++ return 0;
++ 
++ return avc_has_perm(tsec->sid, ctx->ctx_sid,
++ SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT,
++ NULL);
++ }
++ 
++ /*
+++>>>>>>> ccf17cc4b815 (selinux: cleanup and consolidate the XFRM alloc/clone/delete/free code)
+ * LSM hook implementation that authorizes that a flow can use
+ * a xfrm policy rule.
+ */
+* Unmerged path security/selinux/xfrm.c