Re: [PATCH 1/1] selinux: simplify avc_xperms_audit_required()

From: Paul Moore
Date: Wed Aug 28 2024 - 13:42:19 EST


On Aug 22, 2024 Zhen Lei <thunder.leizhen@xxxxxxxxxx> wrote:
>
> By associative and commutative laws, the result of the two 'audited' is
> zero. Take the second 'audited' as an example:
> 1) audited = requested & avd->auditallow;
> 2) audited &= ~requested;
> ==> audited = ~requested & (requested & avd->auditallow);
> ==> audited = (~requested & requested) & avd->auditallow;
> ==> audited = 0 & avd->auditallow;
> ==> audited = 0;
>
> In fact, it is more readable to directly write zero. The value of the
> first 'audited' is 0 because AUDIT is not allowed. The second 'audited'
> is zero because there is no AUDITALLOW permission.
>
> Signed-off-by: Zhen Lei <thunder.leizhen@xxxxxxxxxx>
> ---
> security/selinux/avc.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)

Looks good to me, merged into selinux/dev, thanks!

--
paul-moore.com
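
The identity in the quoted commit message, checked exhaustively rather than algebraically. This is an added example, not part of the thread or the kernel source: it is a simplified user-space model in which the branch layout and the `xpd` / `xp_*` flag parameters are assumptions standing in for the extended-permission lookups, and masks are narrowed to 4 bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model; field names follow the commit message. */
struct avd_model { uint8_t allowed, auditdeny, auditallow; };

/* simplified == 0: mask 'audited' with ~requested (form quoted in the message).
 * simplified == 1: write zero directly (form the patch proposes).
 * xpd, xp_dontaudit, xp_auditallow are hypothetical stand-ins for the
 * extended-permission decision; *hits counts how often the mask path runs. */
static uint8_t audit_required(int simplified, uint8_t requested,
                              const struct avd_model *avd, int xpd,
                              int xp_dontaudit, int xp_auditallow,
                              unsigned long *hits)
{
    uint8_t denied = requested & (uint8_t)~avd->allowed, audited;
    int mask;

    if (denied) {
        audited = denied & avd->auditdeny;      /* first 'audited' */
        mask = audited && xpd && xp_dontaudit;
    } else {
        audited = requested & avd->auditallow;  /* second 'audited' */
        mask = audited && xpd && !xp_auditallow;
    }
    if (mask) {
        (*hits)++;
        audited = simplified ? 0 : (uint8_t)(audited & ~requested);
    }
    return audited;
}

/* Compare both forms over every 4-bit mask and every flag combination. */
static unsigned long count_mismatches(unsigned long *hits)
{
    unsigned long bad = 0, scratch = 0;
    *hits = 0;
    for (unsigned v = 0; v < (1u << 16); v++) {
        struct avd_model avd = { (v >> 4) & 0xf, (v >> 8) & 0xf, (v >> 12) & 0xf };
        for (int f = 0; f < 8; f++)
            bad += audit_required(0, v & 0xf, &avd, f & 1, f & 2, f & 4, hits) !=
                   audit_required(1, v & 0xf, &avd, f & 1, f & 2, f & 4, &scratch);
    }
    return bad;
}

int main(void)
{
    unsigned long hits, bad = count_mismatches(&hits);
    printf("%lu mismatches across %lu masked cases\n", bad, hits);
    return bad != 0;
}
```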