1. 15 2月, 2010 4 次提交
  2. 11 2月, 2010 1 次提交
  3. 09 2月, 2010 1 次提交
    • X
      selinux: fix memory leak in sel_make_bools · 8007f102
      Xiaotian Feng 提交于
      In sel_make_bools, kernel allocates memory for bool_pending_names[i]
      with security_get_bools. So if we just free bool_pending_names, those
      memories for bool_pending_names[i] will be leaked.
      
      This patch resolves dozens of following kmemleak report after resuming
      from suspend:
      unreferenced object 0xffff88022e4c7380 (size 32):
        comm "init", pid 1, jiffies 4294677173
        backtrace:
          [<ffffffff810f76b5>] create_object+0x1a2/0x2a9
          [<ffffffff810f78bb>] kmemleak_alloc+0x26/0x4b
          [<ffffffff810ef3eb>] __kmalloc+0x18f/0x1b8
          [<ffffffff811cd511>] security_get_bools+0xd7/0x16f
          [<ffffffff811c48c0>] sel_write_load+0x12e/0x62b
          [<ffffffff810f9a39>] vfs_write+0xae/0x10b
          [<ffffffff810f9b56>] sys_write+0x4a/0x6e
          [<ffffffff81011b82>] system_call_fastpath+0x16/0x1b
          [<ffffffffffffffff>] 0xffffffffffffffff
      Signed-off-by: NXiaotian Feng <dfeng@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8007f102
  4. 08 2月, 2010 1 次提交
  5. 05 2月, 2010 1 次提交
  6. 04 2月, 2010 4 次提交
  7. 03 2月, 2010 1 次提交
  8. 27 1月, 2010 1 次提交
  9. 25 1月, 2010 2 次提交
  10. 18 1月, 2010 2 次提交
    • J
      Merge branch 'master' into next · 2457552d
      James Morris 提交于
      2457552d
    • S
      selinux: change the handling of unknown classes · 19439d05
      Stephen Smalley 提交于
      If allow_unknown==deny, SELinux treats an undefined kernel security
      class as an error condition rather than as a typical permission denial
      and thus does not allow permissions on undefined classes even when in
      permissive mode.  Change the SELinux logic so that this case is handled
      as a typical permission denial, subject to the usual permissive mode and
      permissive domain handling.
      
      Also drop the 'requested' argument from security_compute_av() and
      helpers as it is a legacy of the original security server interface and
      is unused.
      
      Changes:
      - Handle permissive domains consistently by moving up the test for a
      permissive domain.
      - Make security_compute_av_user() consistent with security_compute_av();
      the only difference now is that security_compute_av() performs mapping
      between the kernel-private class and permission indices and the policy
      values.  In the userspace case, this mapping is handled by libselinux.
      - Moved avd_init inside the policy lock.
      
      Based in part on a patch by Paul Moore <paul.moore@hp.com>.
      Reported-by: NAndrew Worsley <amworsley@gmail.com>
      Signed-off-by: NStephen D. Smalley <sds@tycho.nsa.gov>
      Reviewed-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      19439d05
  11. 17 1月, 2010 22 次提交