1. 27 7月, 2008 1 次提交
  2. 15 7月, 2008 1 次提交
  3. 14 7月, 2008 22 次提交
    • J
      security: remove register_security hook · 6f0f0fd4
      James Morris 提交于
      The register security hook is no longer required, as the capability
      module is always registered.  LSMs wishing to stack capability as
      a secondary module should do so explicitly.
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NGreg Kroah-Hartman <gregkh@suse.de>
      6f0f0fd4
    • M
      security: remove unused sb_get_mnt_opts hook · b478a9f9
      Miklos Szeredi 提交于
      The sb_get_mnt_opts() hook is unused, and is superseded by the
      sb_show_options() hook.
      Signed-off-by: NMiklos Szeredi <mszeredi@suse.cz>
      Acked-by: NJames Morris <jmorris@namei.org>
      b478a9f9
    • E
      LSM/SELinux: show LSM mount options in /proc/mounts · 2069f457
      Eric Paris 提交于
      This patch causes SELinux mount options to show up in /proc/mounts.  As
      with other code in the area seq_put errors are ignored.  Other LSM's
      will not have their mount options displayed until they fill in their own
      security_sb_show_options() function.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NMiklos Szeredi <mszeredi@suse.cz>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      2069f457
    • E
      SELinux: allow fstype unknown to policy to use xattrs if present · 811f3799
      Eric Paris 提交于
      Currently if a FS is mounted for which SELinux policy does not define an
      fs_use_* that FS will either be genfs labeled or not labeled at all.
      This decision is based on the existence of a genfscon rule in policy and
      is irrespective of the capabilities of the filesystem itself.  This
      patch allows the kernel to check if the filesystem supports security
      xattrs and if so will use those if there is no fs_use_* rule in policy.
      An fstype with a no fs_use_* rule but with a genfs rule will use xattrs
      if available and will follow the genfs rule.
      
      This can be particularly interesting for things like ecryptfs which
      actually overlays a real underlying FS.  If we define excryptfs in
      policy to use xattrs we will likely get this wrong at times, so with
      this path we just don't need to define it!
      
      Overlay ecryptfs on top of NFS with no xattr support:
      SELinux: initialized (dev ecryptfs, type ecryptfs), uses genfs_contexts
      Overlay ecryptfs on top of ext4 with xattr support:
      SELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr
      
      It is also useful as the kernel adds new FS we don't need to add them in
      policy if they support xattrs and that is how we want to handle them.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      811f3799
    • J
      SELinux: use do_each_thread as a proper do/while block · 2baf06df
      James Morris 提交于
      Use do_each_thread as a proper do/while block.  Sparse complained.
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      2baf06df
    • J
      SELinux: remove unused and shadowed addrlen variable · e399f982
      James Morris 提交于
      Remove unused and shadowed addrlen variable.  Picked up by sparse.
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NPaul Moore <paul.moore@hp.com>
      e399f982
    • E
      SELinux: more user friendly unknown handling printk · 6cbe2706
      Eric Paris 提交于
      I've gotten complaints and reports about people not understanding the
      meaning of the current unknown class/perm handling the kernel emits on
      every policy load.  Hopefully this will make make it clear to everyone
      the meaning of the message and won't waste a printk the user won't care
      about anyway on systems where the kernel and the policy agree on
      everything.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      6cbe2706
    • S
      selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux whine) · 22df4adb
      Stephen Smalley 提交于
      On Mon, 2008-06-09 at 01:24 -0700, Andrew Morton wrote:
      > Getting a few of these with FC5:
      >
      > SELinux: context_struct_compute_av:  unrecognized class 69
      > SELinux: context_struct_compute_av:  unrecognized class 69
      >
      > one came out when I logged in.
      >
      > No other symptoms, yet.
      
      Change handling of invalid classes by SELinux, reporting class values
      unknown to the kernel as errors (w/ ratelimit applied) and handling
      class values unknown to policy as normal denials.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      22df4adb
    • E
      SELinux: drop load_mutex in security_load_policy · 89abd0ac
      Eric Paris 提交于
      We used to protect against races of policy load in security_load_policy
      by using the load_mutex.  Since then we have added a new mutex,
      sel_mutex, in sel_write_load() which is always held across all calls to
      security_load_policy we are covered and can safely just drop this one.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      89abd0ac
    • E
      SELinux: fix off by 1 reference of class_to_string in context_struct_compute_av · cea78dc4
      Eric Paris 提交于
      The class_to_string array is referenced by tclass.  My code mistakenly
      was using tclass - 1.  If the proceeding class is a userspace class
      rather than kernel class this may cause a denial/EINVAL even if unknown
      handling is set to allow.  The bug shouldn't be allowing excess
      privileges since those are given based on the contents of another array
      which should be correctly referenced.
      
      At this point in time its pretty unlikely this is going to cause
      problems.  The most recently added kernel classes which could be
      affected are association, dccp_socket, and peer.  Its pretty unlikely
      any policy with handle_unknown=allow doesn't have association and
      dccp_socket undefined (they've been around longer than unknown handling)
      and peer is conditionalized on a policy cap which should only be defined
      if that class exists in policy.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      cea78dc4
    • J
      SELinux: open code sidtab lock · bdd581c1
      James Morris 提交于
      Open code sidtab lock to make Andrew Morton happy.
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      bdd581c1
    • J
      SELinux: open code load_mutex · 972ccac2
      James Morris 提交于
      Open code load_mutex as suggested by Andrew Morton.
      Signed-off-by: NJames Morris <jmorris@namei.org>
      972ccac2
    • J
      SELinux: open code policy_rwlock · 0804d113
      James Morris 提交于
      Open code policy_rwlock, as suggested by Andrew Morton.
      Signed-off-by: NJames Morris <jmorris@namei.org>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      0804d113
    • S
      selinux: fix endianness bug in network node address handling · 59dbd1ba
      Stephen Smalley 提交于
      Fix an endianness bug in the handling of network node addresses by
      SELinux.  This yields no change on little endian hardware but fixes
      the incorrect handling on big endian hardware.  The network node
      addresses are stored in network order in memory by checkpolicy, not in
      cpu/host order, and thus should not have cpu_to_le32/le32_to_cpu
      conversions applied upon policy write/read unlike other data in the
      policy.
      
      Bug reported by John Weeks of Sun, who noticed that binary policy
      files built from the same policy source on x86 and sparc differed and
      tracked it down to the ipv4 address handling in checkpolicy.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      59dbd1ba
    • S
      selinux: simplify ioctl checking · 242631c4
      Stephen Smalley 提交于
      Simplify and improve the robustness of the SELinux ioctl checking by
      using the "access mode" bits of the ioctl command to determine the
      permission check rather than dealing with individual command values.
      This removes any knowledge of specific ioctl commands from SELinux
      and follows the same guidance we gave to Smack earlier.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      242631c4
    • S
      SELinux: enable processes with mac_admin to get the raw inode contexts · abc69bb6
      Stephen Smalley 提交于
      Enable processes with CAP_MAC_ADMIN + mac_admin permission in policy
      to get undefined contexts on inodes.  This extends the support for
      deferred mapping of security contexts in order to permit restorecon
      and similar programs to see the raw file contexts unknown to the
      system policy in order to check them.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      abc69bb6
    • S
      Security: split proc ptrace checking into read vs. attach · 006ebb40
      Stephen Smalley 提交于
      Enable security modules to distinguish reading of process state via
      proc from full ptrace access by renaming ptrace_may_attach to
      ptrace_may_access and adding a mode argument indicating whether only
      read access or full attach access is requested.  This allows security
      modules to permit access to reading process state without granting
      full ptrace access.  The base DAC/capability checking remains unchanged.
      
      Read access to /proc/pid/mem continues to apply a full ptrace attach
      check since check_mem_permission() already requires the current task
      to already be ptracing the target.  The other ptrace checks within
      proc for elements like environ, maps, and fds are changed to pass the
      read mode instead of attach.
      
      In the SELinux case, we model such reading of process state as a
      reading of a proc file labeled with the target process' label.  This
      enables SELinux policy to permit such reading of process state without
      permitting control or manipulation of the target process, as there are
      a number of cases where programs probe for such information via proc
      but do not need to be able to control the target (e.g. procps,
      lsof, PolicyKit, ConsoleKit).  At present we have to choose between
      allowing full ptrace in policy (more permissive than required/desired)
      or breaking functionality (or in some cases just silencing the denials
      via dontaudit rules but this can hide genuine attacks).
      
      This version of the patch incorporates comments from Casey Schaufler
      (change/replace existing ptrace_may_attach interface, pass access
      mode), and Chris Wright (provide greater consistency in the checking).
      
      Note that like their predecessors __ptrace_may_attach and
      ptrace_may_attach, the __ptrace_may_access and ptrace_may_access
      interfaces use different return value conventions from each other (0
      or -errno vs. 1 or 0).  I retained this difference to avoid any
      changes to the caller logic but made the difference clearer by
      changing the latter interface to return a bool rather than an int and
      by adding a comment about it to ptrace.h for any future callers.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Acked-by: NChris Wright <chrisw@sous-sol.org>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      006ebb40
    • J
      SELinux: remove inherit field from inode_security_struct · feb2a5b8
      James Morris 提交于
      Remove inherit field from inode_security_struct, per Stephen Smalley:
      "Let's just drop inherit altogether - dead field."
      Signed-off-by: NJames Morris <jmorris@namei.org>
      feb2a5b8
    • R
      SELinux: reorder inode_security_struct to increase objs/slab on 64bit · fdeb0518
      Richard Kennedy 提交于
      reorder inode_security_struct to remove padding on 64 bit builds
      
      size reduced from 72 to 64 bytes increasing objects per slab to 64.
      Signed-off-by: NRichard Kennedy <richard@rsk.demon.co.uk>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      fdeb0518
    • E
      SELinux: keep the code clean formating and syntax · f5269710
      Eric Paris 提交于
      Formatting and syntax changes
      
      whitespace, tabs to spaces, trailing space
      put open { on same line as struct def
      remove unneeded {} after if statements
      change printk("Lu") to printk("llu")
      convert asm/uaccess.h to linux/uaacess.h includes
      remove unnecessary asm/bug.h includes
      convert all users of simple_strtol to strict_strtol
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      f5269710
    • S
      SELinux: fix sleeping allocation in security_context_to_sid · 9a59daa0
      Stephen Smalley 提交于
      Fix a sleeping function called from invalid context bug by moving allocation
      to the callers prior to taking the policy rdlock.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      9a59daa0
    • S
      selinux: support deferred mapping of contexts · 12b29f34
      Stephen Smalley 提交于
      Introduce SELinux support for deferred mapping of security contexts in
      the SID table upon policy reload, and use this support for inode
      security contexts when the context is not yet valid under the current
      policy.  Only processes with CAP_MAC_ADMIN + mac_admin permission in
      policy can set undefined security contexts on inodes.  Inodes with
      such undefined contexts are treated as having the unlabeled context
      until the context becomes valid upon a policy reload that defines the
      context.  Context invalidation upon policy reload also uses this
      support to save the context information in the SID table and later
      recover it upon a subsequent policy reload that defines the context
      again.
      
      This support is to enable package managers and similar programs to set
      down file contexts unknown to the system policy at the time the file
      is created in order to better support placing loadable policy modules
      in packages and to support build systems that need to create images of
      different distro releases with different policies w/o requiring all of
      the contexts to be defined or legal in the build host policy.
      
      With this patch applied, the following sequence is possible, although
      in practice it is recommended that this permission only be allowed to
      specific program domains such as the package manager.
      
      # rmdir baz
      # rm bar
      # touch bar
      # chcon -t foo_exec_t bar # foo_exec_t is not yet defined
      chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument
      # mkdir -Z system_u:object_r:foo_exec_t baz
      mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument
      # cat setundefined.te
      policy_module(setundefined, 1.0)
      require {
      	type unconfined_t;
      	type unlabeled_t;
      }
      files_type(unlabeled_t)
      allow unconfined_t self:capability2 mac_admin;
      # make -f /usr/share/selinux/devel/Makefile setundefined.pp
      # semodule -i setundefined.pp
      # chcon -t foo_exec_t bar # foo_exec_t is not yet defined
      # mkdir -Z system_u:object_r:foo_exec_t baz
      # ls -Zd bar baz
      -rw-r--r--  root root system_u:object_r:unlabeled_t    bar
      drwxr-xr-x  root root system_u:object_r:unlabeled_t    baz
      # cat foo.te
      policy_module(foo, 1.0)
      type foo_exec_t;
      files_type(foo_exec_t)
      # make -f /usr/share/selinux/devel/Makefile foo.pp
      # semodule -i foo.pp # defines foo_exec_t
      # ls -Zd bar baz
      -rw-r--r--  root root user_u:object_r:foo_exec_t       bar
      drwxr-xr-x  root root system_u:object_r:foo_exec_t    baz
      # semodule -r foo
      # ls -Zd bar baz
      -rw-r--r--  root root system_u:object_r:unlabeled_t    bar
      drwxr-xr-x  root root system_u:object_r:unlabeled_t    baz
      # semodule -i foo.pp
      # ls -Zd bar baz
      -rw-r--r--  root root user_u:object_r:foo_exec_t       bar
      drwxr-xr-x  root root system_u:object_r:foo_exec_t    baz
      # semodule -r setundefined foo
      # chcon -t foo_exec_t bar # no longer defined and not allowed
      chcon: failed to change context of `bar' to `system_u:object_r:foo_exec_t': Invalid argument
      # rmdir baz
      # mkdir -Z system_u:object_r:foo_exec_t baz
      mkdir: failed to set default file creation context to `system_u:object_r:foo_exec_t': Invalid argument
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      12b29f34
  4. 02 5月, 2008 1 次提交
  5. 30 4月, 2008 3 次提交
  6. 29 4月, 2008 3 次提交
    • D
      keys: don't generate user and user session keyrings unless they're accessed · 69664cf1
      David Howells 提交于
      Don't generate the per-UID user and user session keyrings unless they're
      explicitly accessed.  This solves a problem during a login process whereby
      set*uid() is called before the SELinux PAM module, resulting in the per-UID
      keyrings having the wrong security labels.
      
      This also cures the problem of multiple per-UID keyrings sometimes appearing
      due to PAM modules (including pam_keyinit) setuiding and causing user_structs
      to come into and go out of existence whilst the session keyring pins the user
      keyring.  This is achieved by first searching for extant per-UID keyrings
      before inventing new ones.
      
      The serial bound argument is also dropped from find_keyring_by_name() as it's
      not currently made use of (setting it to 0 disables the feature).
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Cc: <kwc@citi.umich.edu>
      Cc: <arunsr@cse.iitk.ac.in>
      Cc: <dwalsh@redhat.com>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: James Morris <jmorris@namei.org>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      69664cf1
    • D
      keys: add keyctl function to get a security label · 70a5bb72
      David Howells 提交于
      Add a keyctl() function to get the security label of a key.
      
      The following is added to Documentation/keys.txt:
      
       (*) Get the LSM security context attached to a key.
      
      	long keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,
      		    size_t buflen)
      
           This function returns a string that represents the LSM security context
           attached to a key in the buffer provided.
      
           Unless there's an error, it always returns the amount of data it could
           produce, even if that's too big for the buffer, but it won't copy more
           than requested to userspace. If the buffer pointer is NULL then no copy
           will take place.
      
           A NUL character is included at the end of the string if the buffer is
           sufficiently big.  This is included in the returned count.  If no LSM is
           in force then an empty string will be returned.
      
           A process must have view permission on the key for this function to be
           successful.
      
      [akpm@linux-foundation.org: declare keyctl_get_security()]
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Acked-by: NStephen Smalley <sds@tycho.nsa.gov>
      Cc: Paul Moore <paul.moore@hp.com>
      Cc: Chris Wright <chrisw@sous-sol.org>
      Cc: James Morris <jmorris@namei.org>
      Cc: Kevin Coffman <kwc@citi.umich.edu>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      70a5bb72
    • D
      xattr: add missing consts to function arguments · 8f0cfa52
      David Howells 提交于
      Add missing consts to xattr function arguments.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Cc: Andreas Gruenbacher <agruen@suse.de>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      8f0cfa52
  7. 28 4月, 2008 9 次提交
    • A
      capabilities: implement per-process securebits · 3898b1b4
      Andrew G. Morgan 提交于
      Filesystem capability support makes it possible to do away with (set)uid-0
      based privilege and use capabilities instead.  That is, with filesystem
      support for capabilities but without this present patch, it is (conceptually)
      possible to manage a system with capabilities alone and never need to obtain
      privilege via (set)uid-0.
      
      Of course, conceptually isn't quite the same as currently possible since few
      user applications, certainly not enough to run a viable system, are currently
      prepared to leverage capabilities to exercise privilege.  Further, many
      applications exist that may never get upgraded in this way, and the kernel
      will continue to want to support their setuid-0 base privilege needs.
      
      Where pure-capability applications evolve and replace setuid-0 binaries, it is
      desirable that there be a mechanisms by which they can contain their
      privilege.  In addition to leveraging the per-process bounding and inheritable
      sets, this should include suppressing the privilege of the uid-0 superuser
      from the process' tree of children.
      
      The feature added by this patch can be leveraged to suppress the privilege
      associated with (set)uid-0.  This suppression requires CAP_SETPCAP to
      initiate, and only immediately affects the 'current' process (it is inherited
      through fork()/exec()).  This reimplementation differs significantly from the
      historical support for securebits which was system-wide, unwieldy and which
      has ultimately withered to a dead relic in the source of the modern kernel.
      
      With this patch applied a process, that is capable(CAP_SETPCAP), can now drop
      all legacy privilege (through uid=0) for itself and all subsequently
      fork()'d/exec()'d children with:
      
        prctl(PR_SET_SECUREBITS, 0x2f);
      
      This patch represents a no-op unless CONFIG_SECURITY_FILE_CAPABILITIES is
      enabled at configure time.
      
      [akpm@linux-foundation.org: fix uninitialised var warning]
      [serue@us.ibm.com: capabilities: use cap_task_prctl when !CONFIG_SECURITY]
      Signed-off-by: NAndrew G. Morgan <morgan@kernel.org>
      Acked-by: NSerge Hallyn <serue@us.ibm.com>
      Reviewed-by: NJames Morris <jmorris@namei.org>
      Cc: Stephen Smalley <sds@tycho.nsa.gov>
      Cc: Paul Moore <paul.moore@hp.com>
      Signed-off-by: NSerge E. Hallyn <serue@us.ibm.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3898b1b4
    • E
      Audit: standardize string audit interfaces · b556f8ad
      Eric Paris 提交于
      This patch standardized the string auditing interfaces.  No userspace
      changes will be visible and this is all just cleanup and consistancy
      work.  We have the following string audit interfaces to use:
      
      void audit_log_n_hex(struct audit_buffer *ab, const unsigned char *buf, size_t len);
      
      void audit_log_n_string(struct audit_buffer *ab, const char *buf, size_t n);
      void audit_log_string(struct audit_buffer *ab, const char *buf);
      
      void audit_log_n_untrustedstring(struct audit_buffer *ab, const char *string, size_t n);
      void audit_log_untrustedstring(struct audit_buffer *ab, const char *string);
      
      This may be the first step to possibly fixing some of the issues that
      people have with the string output from the kernel audit system.  But we
      still don't have an agreed upon solution to that problem.
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      b556f8ad
    • P
      SELinux: Fix a RCU free problem with the netport cache · c9b7b979
      Paul Moore 提交于
      The netport cache doesn't free resources in a manner which is safe or orderly.
      This patch fixes this by adding in a missing call to rcu_dereference() in
      sel_netport_insert() as well as some general cleanup throughout the file.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      c9b7b979
    • P
      SELinux: Made netnode cache adds faster · a639e7ca
      Paul Moore 提交于
      When adding new entries to the network node cache we would walk the entire
      hash bucket to make sure we didn't cross a threshold (done to bound the
      cache size).  This isn't a very quick or elegant solution for something
      which is supposed to be quick-ish so add a counter to each hash bucket to
      track the size of the bucket and eliminate the need to walk the entire
      bucket list on each add.
      Signed-off-by: NPaul Moore <paul.moore@hp.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      a639e7ca
    • E
      SELinux: policydb.h whitespace, syntax, and other cleanups · 489a5fd7
      Eric Paris 提交于
      This patch changes policydb.h to fix whitespace and syntax issues.  Things that
      are fixed may include (does not not have to include)
      
      spaces followed by tabs
      spaces used instead of tabs
      location of * in pointer declarations
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      489a5fd7
    • E
      SELinux: mls_types.h whitespace, syntax, and other cleanups · 8bf1f3a6
      Eric Paris 提交于
      This patch changes mls_types.h to fix whitespace and syntax issues.  Things that
      are fixed may include (does not not have to include)
      
      spaces used instead of tabs
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      8bf1f3a6
    • E
      SELinux: mls.h whitespace, syntax, and other cleanups · d497fc87
      Eric Paris 提交于
      This patch changes mls.h to fix whitespace and syntax issues.  Things that
      are fixed may include (does not not have to include)
      
      spaces used instead of tabs
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      d497fc87
    • E
      SELinux: hashtab.h whitespace, syntax, and other cleanups · faff786c
      Eric Paris 提交于
      This patch changes hashtab.h to fix whitespace and syntax issues.  Things that
      are fixed may include (does not not have to include)
      
      spaces used instead of tabs
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      faff786c
    • E
      SELinux: context.h whitespace, syntax, and other cleanups · 81fa42df
      Eric Paris 提交于
      This patch changes context.h to fix whitespace and syntax issues.  Things that
      are fixed may include (does not not have to include)
      
      include spaces around , in function calls
      Signed-off-by: NEric Paris <eparis@redhat.com>
      Signed-off-by: NJames Morris <jmorris@namei.org>
      81fa42df