<feed xmlns='http://www.w3.org/2005/Atom'>
<title>lwn.git/security/selinux/ss/conditional.c, branch v3.15-rc7</title>
<subtitle>Linux kernel documentation tree maintained by Jonathan Corbet</subtitle>
<id>http://mirrors.hust.edu.cn/git/lwn.git/atom?h=v3.15-rc7</id>
<link rel='self' href='http://mirrors.hust.edu.cn/git/lwn.git/atom?h=v3.15-rc7'/>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/lwn.git/'/>
<updated>2011-12-19T00:23:56+00:00</updated>
<entry>
<title>selinux: Casting (void *) value returned by kmalloc is useless</title>
<updated>2011-12-19T00:23:56+00:00</updated>
<author>
<name>Thomas Meyer</name>
<email>thomas@m3y3r.de</email>
</author>
<published>2011-11-17T22:43:40+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/lwn.git/commit/?id=2ff6fa8fafd6fa94029fa0558a6b85956930f1f5'/>
<id>urn:sha1:2ff6fa8fafd6fa94029fa0558a6b85956930f1f5</id>
<content type='text'>
The semantic patch that makes this change is available
in scripts/coccinelle/api/alloc/drop_kmalloc_cast.cocci.

Signed-off-by: Thomas Meyer &lt;thomas@m3y3r.de&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
<entry>
<title>selinux: sparse fix: fix several warnings in the security server code</title>
<updated>2011-09-09T23:56:32+00:00</updated>
<author>
<name>James Morris</name>
<email>jmorris@namei.org</email>
</author>
<published>2011-08-30T02:52:32+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/lwn.git/commit/?id=7b98a5857c3fa86cb0a7e5f893643491a8b5b425'/>
<id>urn:sha1:7b98a5857c3fa86cb0a7e5f893643491a8b5b425</id>
<content type='text'>
Fix several sparse warnings in the SELinux security server code.

Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
<entry>
<title>selinux: return -ENOMEM when memory allocation fails</title>
<updated>2011-01-24T00:35:47+00:00</updated>
<author>
<name>Davidlohr Bueso</name>
<email>dave@gnu.org</email>
</author>
<published>2011-01-21T15:28:04+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/lwn.git/commit/?id=3ac285ff23cd6e1bc402b6db836521bce006eb89'/>
<id>urn:sha1:3ac285ff23cd6e1bc402b6db836521bce006eb89</id>
<content type='text'>
Return -ENOMEM when memory allocation fails in cond_init_bool_indexes,
correctly propagating error code to caller.

Signed-off-by: Davidlohr Bueso &lt;dave@gnu.org&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
<entry>
<title>selinux: convert part of the sym_val_to_name array to use flex_array</title>
<updated>2010-11-30T22:28:58+00:00</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2010-11-29T20:47:09+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/lwn.git/commit/?id=ac76c05becb6beedbb458d0827d3deaa6f479a72'/>
<id>urn:sha1:ac76c05becb6beedbb458d0827d3deaa6f479a72</id>
<content type='text'>
The sym_val_to_name type array can be quite large as it grows linearly with
the number of types.  With known policies having over 5k types these
allocations are growing large enough that they are likely to fail.  Convert
those to flex_array so no allocation is larger than PAGE_SIZE.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
</content>
</entry>
<entry>
<title>SELinux: allow userspace to read policy back out of the kernel</title>
<updated>2010-10-20T23:12:58+00:00</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2010-10-13T21:50:25+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/lwn.git/commit/?id=cee74f47a6baba0ac457e87687fdcf0abd599f0a'/>
<id>urn:sha1:cee74f47a6baba0ac457e87687fdcf0abd599f0a</id>
<content type='text'>
There is interest in being able to see what the actual policy is that was
loaded into the kernel.  The patch creates a new selinuxfs file
/selinux/policy which can be read by userspace.  The actual policy that is
loaded into the kernel will be written back out to userspace.

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
<entry>
<title>selinux: fix error codes in cond_read_bool()</title>
<updated>2010-08-02T05:35:04+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>error27@gmail.com</email>
</author>
<published>2010-06-12T18:56:01+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/lwn.git/commit/?id=338437f6a09861cdf76e1396ed5fa6dee9c7cabe'/>
<id>urn:sha1:338437f6a09861cdf76e1396ed5fa6dee9c7cabe</id>
<content type='text'>
The original code always returned -1 (-EPERM) on error.  The new code
returns either -ENOMEM, or -EINVAL or it propagates the error codes from
lower level functions next_entry() or hashtab_insert().

next_entry() returns -EINVAL.
hashtab_insert() returns -EINVAL, -EEXIST, or -ENOMEM.

Signed-off-by: Dan Carpenter &lt;error27@gmail.com&gt;
Acked-by:  Stephen D. Smalley &lt;sds@tycho.nsa.gov&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
<entry>
<title>selinux: fix error codes in cond_policydb_init()</title>
<updated>2010-08-02T05:35:03+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>error27@gmail.com</email>
</author>
<published>2010-06-12T18:55:01+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/lwn.git/commit/?id=38184c522249dc377366d4edc41dc500c2c3bb9e'/>
<id>urn:sha1:38184c522249dc377366d4edc41dc500c2c3bb9e</id>
<content type='text'>
It's better to propagate the error code from avtab_init() instead of
returning -1 (-EPERM).  It turns out that avtab_init() never fails so
this patch doesn't change how the code runs but it's still a clean up.

Signed-off-by: Dan Carpenter &lt;error27@gmail.com&gt;
Acked-by:  Stephen D. Smalley &lt;sds@tycho.nsa.gov&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
<entry>
<title>selinux: fix error codes in cond_read_node()</title>
<updated>2010-08-02T05:35:02+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>error27@gmail.com</email>
</author>
<published>2010-06-12T18:53:46+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/lwn.git/commit/?id=fc5c126e4733e6fb3080d3d822ca63226e74fc84'/>
<id>urn:sha1:fc5c126e4733e6fb3080d3d822ca63226e74fc84</id>
<content type='text'>
Originally cond_read_node() returned -1 (-EPERM) on errors which was
incorrect.  Now it either propagates the error codes from lower level
functions next_entry() or cond_read_av_list() or it returns -ENOMEM or
-EINVAL.

next_entry() returns -EINVAL.
cond_read_av_list() returns -EINVAL or -ENOMEM.

Signed-off-by: Dan Carpenter &lt;error27@gmail.com&gt;
Acked-by:  Stephen D. Smalley &lt;sds@tycho.nsa.gov&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
<entry>
<title>selinux: fix error codes in cond_read_av_list()</title>
<updated>2010-08-02T05:35:02+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>error27@gmail.com</email>
</author>
<published>2010-06-12T18:52:19+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/lwn.git/commit/?id=9d623b17a740d5a85c12108cdc71c64fb15484fc'/>
<id>urn:sha1:9d623b17a740d5a85c12108cdc71c64fb15484fc</id>
<content type='text'>
After this patch cond_read_av_list() no longer returns -1 for any
errors.  It just propagates error code back from lower levels.  Those can
either be -EINVAL or -ENOMEM.

I also modified cond_insertf() since cond_read_av_list() passes that as a
function pointer to avtab_read_item().  It isn't used anywhere else.

Signed-off-by: Dan Carpenter &lt;error27@gmail.com&gt;
Acked-by:  Stephen D. Smalley &lt;sds@tycho.nsa.gov&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
<entry>
<title>selinux: propagate error codes in cond_read_list()</title>
<updated>2010-08-02T05:35:01+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>error27@gmail.com</email>
</author>
<published>2010-06-12T18:51:40+00:00</published>
<link rel='alternate' type='text/html' href='http://mirrors.hust.edu.cn/git/lwn.git/commit/?id=5241c1074f6e2f2276d45d857eb5d19fbdc2e4b2'/>
<id>urn:sha1:5241c1074f6e2f2276d45d857eb5d19fbdc2e4b2</id>
<content type='text'>
These are passed back when the security module gets loaded.

The original code always returned -1 (-EPERM) on error but after this
patch it can return -EINVAL, or -ENOMEM or propagate the error code from
cond_read_node().  cond_read_node() still returns -1 all the time, but I
fix that in a later patch.

Signed-off-by: Dan Carpenter &lt;error27@gmail.com&gt;
Acked-by:  Stephen D. Smalley &lt;sds@tycho.nsa.gov&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
</content>
</entry>
</feed>
