aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c14
-rw-r--r--security/selinux/include/netif.h2
-rw-r--r--security/selinux/include/netnode.h2
-rw-r--r--security/selinux/include/netport.h2
-rw-r--r--security/selinux/include/security.h3
-rw-r--r--security/selinux/netif.c15
-rw-r--r--security/selinux/netnode.c15
-rw-r--r--security/selinux/netport.c15
-rw-r--r--security/selinux/ss/conditional.c11
-rw-r--r--security/selinux/ss/ebitmap.c133
-rw-r--r--security/selinux/ss/ebitmap.h8
-rw-r--r--security/selinux/ss/policydb.c141
-rw-r--r--security/selinux/ss/services.c41
-rw-r--r--security/smack/smack_access.c11
-rw-r--r--security/smack/smack_lsm.c6
-rw-r--r--security/smack/smackfs.c14
16 files changed, 171 insertions, 262 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 83d06db34d03..b0e940497e23 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -161,6 +161,17 @@ static int selinux_peerlbl_enabled(void)
161 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled()); 161 return (selinux_policycap_alwaysnetwork || netlbl_enabled() || selinux_xfrm_enabled());
162} 162}
163 163
164static int selinux_netcache_avc_callback(u32 event)
165{
166 if (event == AVC_CALLBACK_RESET) {
167 sel_netif_flush();
168 sel_netnode_flush();
169 sel_netport_flush();
170 synchronize_net();
171 }
172 return 0;
173}
174
164/* 175/*
165 * initialise the security for the init task 176 * initialise the security for the init task
166 */ 177 */
@@ -5993,6 +6004,9 @@ static __init int selinux_init(void)
5993 if (register_security(&selinux_ops)) 6004 if (register_security(&selinux_ops))
5994 panic("SELinux: Unable to register with kernel.\n"); 6005 panic("SELinux: Unable to register with kernel.\n");
5995 6006
6007 if (avc_add_callback(selinux_netcache_avc_callback, AVC_CALLBACK_RESET))
6008 panic("SELinux: Unable to register AVC netcache callback\n");
6009
5996 if (selinux_enforcing) 6010 if (selinux_enforcing)
5997 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n"); 6011 printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
5998 else 6012 else
diff --git a/security/selinux/include/netif.h b/security/selinux/include/netif.h
index 43d507242b42..57c6eae81eac 100644
--- a/security/selinux/include/netif.h
+++ b/security/selinux/include/netif.h
@@ -17,6 +17,8 @@
17#ifndef _SELINUX_NETIF_H_ 17#ifndef _SELINUX_NETIF_H_
18#define _SELINUX_NETIF_H_ 18#define _SELINUX_NETIF_H_
19 19
20void sel_netif_flush(void);
21
20int sel_netif_sid(int ifindex, u32 *sid); 22int sel_netif_sid(int ifindex, u32 *sid);
21 23
22#endif /* _SELINUX_NETIF_H_ */ 24#endif /* _SELINUX_NETIF_H_ */
diff --git a/security/selinux/include/netnode.h b/security/selinux/include/netnode.h
index df7a5ed6c694..937668dd3024 100644
--- a/security/selinux/include/netnode.h
+++ b/security/selinux/include/netnode.h
@@ -27,6 +27,8 @@
27#ifndef _SELINUX_NETNODE_H 27#ifndef _SELINUX_NETNODE_H
28#define _SELINUX_NETNODE_H 28#define _SELINUX_NETNODE_H
29 29
30void sel_netnode_flush(void);
31
30int sel_netnode_sid(void *addr, u16 family, u32 *sid); 32int sel_netnode_sid(void *addr, u16 family, u32 *sid);
31 33
32#endif 34#endif
diff --git a/security/selinux/include/netport.h b/security/selinux/include/netport.h
index 4d965b83d735..d1ce896b2cb0 100644
--- a/security/selinux/include/netport.h
+++ b/security/selinux/include/netport.h
@@ -26,6 +26,8 @@
26#ifndef _SELINUX_NETPORT_H 26#ifndef _SELINUX_NETPORT_H
27#define _SELINUX_NETPORT_H 27#define _SELINUX_NETPORT_H
28 28
29void sel_netport_flush(void);
30
29int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid); 31int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid);
30 32
31#endif 33#endif
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ce7852cf526b..d1e0b239b602 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -8,6 +8,7 @@
8#ifndef _SELINUX_SECURITY_H_ 8#ifndef _SELINUX_SECURITY_H_
9#define _SELINUX_SECURITY_H_ 9#define _SELINUX_SECURITY_H_
10 10
11#include <linux/compiler.h>
11#include <linux/dcache.h> 12#include <linux/dcache.h>
12#include <linux/magic.h> 13#include <linux/magic.h>
13#include <linux/types.h> 14#include <linux/types.h>
@@ -220,7 +221,7 @@ struct selinux_kernel_status {
220 /* 221 /*
221 * The version > 0 supports above members. 222 * The version > 0 supports above members.
222 */ 223 */
223} __attribute__((packed)); 224} __packed;
224 225
225extern void selinux_status_update_setenforce(int enforcing); 226extern void selinux_status_update_setenforce(int enforcing);
226extern void selinux_status_update_policyload(int seqno); 227extern void selinux_status_update_policyload(int seqno);
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index 694e9e43855f..3c3de4ca0ebc 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -240,7 +240,7 @@ static void sel_netif_kill(int ifindex)
240 * Remove all entries from the network interface table. 240 * Remove all entries from the network interface table.
241 * 241 *
242 */ 242 */
243static void sel_netif_flush(void) 243void sel_netif_flush(void)
244{ 244{
245 int idx; 245 int idx;
246 struct sel_netif *netif; 246 struct sel_netif *netif;
@@ -252,15 +252,6 @@ static void sel_netif_flush(void)
252 spin_unlock_bh(&sel_netif_lock); 252 spin_unlock_bh(&sel_netif_lock);
253} 253}
254 254
255static int sel_netif_avc_callback(u32 event)
256{
257 if (event == AVC_CALLBACK_RESET) {
258 sel_netif_flush();
259 synchronize_net();
260 }
261 return 0;
262}
263
264static int sel_netif_netdev_notifier_handler(struct notifier_block *this, 255static int sel_netif_netdev_notifier_handler(struct notifier_block *this,
265 unsigned long event, void *ptr) 256 unsigned long event, void *ptr)
266{ 257{
@@ -291,10 +282,6 @@ static __init int sel_netif_init(void)
291 282
292 register_netdevice_notifier(&sel_netif_netdev_notifier); 283 register_netdevice_notifier(&sel_netif_netdev_notifier);
293 284
294 err = avc_add_callback(sel_netif_avc_callback, AVC_CALLBACK_RESET);
295 if (err)
296 panic("avc_add_callback() failed, error %d\n", err);
297
298 return err; 285 return err;
299} 286}
300 287
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 03a72c32afd7..ddf315260839 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -283,7 +283,7 @@ int sel_netnode_sid(void *addr, u16 family, u32 *sid)
283 * Remove all entries from the network address table. 283 * Remove all entries from the network address table.
284 * 284 *
285 */ 285 */
286static void sel_netnode_flush(void) 286void sel_netnode_flush(void)
287{ 287{
288 unsigned int idx; 288 unsigned int idx;
289 struct sel_netnode *node, *node_tmp; 289 struct sel_netnode *node, *node_tmp;
@@ -300,15 +300,6 @@ static void sel_netnode_flush(void)
300 spin_unlock_bh(&sel_netnode_lock); 300 spin_unlock_bh(&sel_netnode_lock);
301} 301}
302 302
303static int sel_netnode_avc_callback(u32 event)
304{
305 if (event == AVC_CALLBACK_RESET) {
306 sel_netnode_flush();
307 synchronize_net();
308 }
309 return 0;
310}
311
312static __init int sel_netnode_init(void) 303static __init int sel_netnode_init(void)
313{ 304{
314 int iter; 305 int iter;
@@ -322,10 +313,6 @@ static __init int sel_netnode_init(void)
322 sel_netnode_hash[iter].size = 0; 313 sel_netnode_hash[iter].size = 0;
323 } 314 }
324 315
325 ret = avc_add_callback(sel_netnode_avc_callback, AVC_CALLBACK_RESET);
326 if (ret != 0)
327 panic("avc_add_callback() failed, error %d\n", ret);
328
329 return ret; 316 return ret;
330} 317}
331 318
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index d35379781c2c..73ac6784d091 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -217,7 +217,7 @@ int sel_netport_sid(u8 protocol, u16 pnum, u32 *sid)
217 * Remove all entries from the network address table. 217 * Remove all entries from the network address table.
218 * 218 *
219 */ 219 */
220static void sel_netport_flush(void) 220void sel_netport_flush(void)
221{ 221{
222 unsigned int idx; 222 unsigned int idx;
223 struct sel_netport *port, *port_tmp; 223 struct sel_netport *port, *port_tmp;
@@ -234,15 +234,6 @@ static void sel_netport_flush(void)
234 spin_unlock_bh(&sel_netport_lock); 234 spin_unlock_bh(&sel_netport_lock);
235} 235}
236 236
237static int sel_netport_avc_callback(u32 event)
238{
239 if (event == AVC_CALLBACK_RESET) {
240 sel_netport_flush();
241 synchronize_net();
242 }
243 return 0;
244}
245
246static __init int sel_netport_init(void) 237static __init int sel_netport_init(void)
247{ 238{
248 int iter; 239 int iter;
@@ -256,10 +247,6 @@ static __init int sel_netport_init(void)
256 sel_netport_hash[iter].size = 0; 247 sel_netport_hash[iter].size = 0;
257 } 248 }
258 249
259 ret = avc_add_callback(sel_netport_avc_callback, AVC_CALLBACK_RESET);
260 if (ret != 0)
261 panic("avc_add_callback() failed, error %d\n", ret);
262
263 return ret; 250 return ret;
264} 251}
265 252
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 377d148e7157..62c6773be0b7 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -402,19 +402,14 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
402 int rc; 402 int rc;
403 struct cond_expr *expr = NULL, *last = NULL; 403 struct cond_expr *expr = NULL, *last = NULL;
404 404
405 rc = next_entry(buf, fp, sizeof(u32)); 405 rc = next_entry(buf, fp, sizeof(u32) * 2);
406 if (rc) 406 if (rc)
407 return rc; 407 goto err;
408 408
409 node->cur_state = le32_to_cpu(buf[0]); 409 node->cur_state = le32_to_cpu(buf[0]);
410 410
411 len = 0;
412 rc = next_entry(buf, fp, sizeof(u32));
413 if (rc)
414 return rc;
415
416 /* expr */ 411 /* expr */
417 len = le32_to_cpu(buf[0]); 412 len = le32_to_cpu(buf[1]);
418 413
419 for (i = 0; i < len; i++) { 414 for (i = 0; i < len; i++) {
420 rc = next_entry(buf, fp, sizeof(u32) * 2); 415 rc = next_entry(buf, fp, sizeof(u32) * 2);
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index 820313a04d49..afe6a269ec17 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -86,51 +86,36 @@ int ebitmap_cpy(struct ebitmap *dst, struct ebitmap *src)
86 * 86 *
87 */ 87 */
88int ebitmap_netlbl_export(struct ebitmap *ebmap, 88int ebitmap_netlbl_export(struct ebitmap *ebmap,
89 struct netlbl_lsm_secattr_catmap **catmap) 89 struct netlbl_lsm_catmap **catmap)
90{ 90{
91 struct ebitmap_node *e_iter = ebmap->node; 91 struct ebitmap_node *e_iter = ebmap->node;
92 struct netlbl_lsm_secattr_catmap *c_iter; 92 unsigned long e_map;
93 u32 cmap_idx, cmap_sft; 93 u32 offset;
94 int i; 94 unsigned int iter;
95 95 int rc;
96 /* NetLabel's NETLBL_CATMAP_MAPTYPE is defined as an array of u64,
97 * however, it is not always compatible with an array of unsigned long
98 * in ebitmap_node.
99 * In addition, you should pay attention the following implementation
100 * assumes unsigned long has a width equal with or less than 64-bit.
101 */
102 96
103 if (e_iter == NULL) { 97 if (e_iter == NULL) {
104 *catmap = NULL; 98 *catmap = NULL;
105 return 0; 99 return 0;
106 } 100 }
107 101
108 c_iter = netlbl_secattr_catmap_alloc(GFP_ATOMIC); 102 if (*catmap != NULL)
109 if (c_iter == NULL) 103 netlbl_catmap_free(*catmap);
110 return -ENOMEM; 104 *catmap = NULL;
111 *catmap = c_iter;
112 c_iter->startbit = e_iter->startbit & ~(NETLBL_CATMAP_SIZE - 1);
113 105
114 while (e_iter) { 106 while (e_iter) {
115 for (i = 0; i < EBITMAP_UNIT_NUMS; i++) { 107 offset = e_iter->startbit;
116 unsigned int delta, e_startbit, c_endbit; 108 for (iter = 0; iter < EBITMAP_UNIT_NUMS; iter++) {
117 109 e_map = e_iter->maps[iter];
118 e_startbit = e_iter->startbit + i * EBITMAP_UNIT_SIZE; 110 if (e_map != 0) {
119 c_endbit = c_iter->startbit + NETLBL_CATMAP_SIZE; 111 rc = netlbl_catmap_setlong(catmap,
120 if (e_startbit >= c_endbit) { 112 offset,
121 c_iter->next 113 e_map,
122 = netlbl_secattr_catmap_alloc(GFP_ATOMIC); 114 GFP_ATOMIC);
123 if (c_iter->next == NULL) 115 if (rc != 0)
124 goto netlbl_export_failure; 116 goto netlbl_export_failure;
125 c_iter = c_iter->next;
126 c_iter->startbit
127 = e_startbit & ~(NETLBL_CATMAP_SIZE - 1);
128 } 117 }
129 delta = e_startbit - c_iter->startbit; 118 offset += EBITMAP_UNIT_SIZE;
130 cmap_idx = delta / NETLBL_CATMAP_MAPSIZE;
131 cmap_sft = delta % NETLBL_CATMAP_MAPSIZE;
132 c_iter->bitmap[cmap_idx]
133 |= e_iter->maps[i] << cmap_sft;
134 } 119 }
135 e_iter = e_iter->next; 120 e_iter = e_iter->next;
136 } 121 }
@@ -138,7 +123,7 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
138 return 0; 123 return 0;
139 124
140netlbl_export_failure: 125netlbl_export_failure:
141 netlbl_secattr_catmap_free(*catmap); 126 netlbl_catmap_free(*catmap);
142 return -ENOMEM; 127 return -ENOMEM;
143} 128}
144 129
@@ -153,58 +138,44 @@ netlbl_export_failure:
153 * 138 *
154 */ 139 */
155int ebitmap_netlbl_import(struct ebitmap *ebmap, 140int ebitmap_netlbl_import(struct ebitmap *ebmap,
156 struct netlbl_lsm_secattr_catmap *catmap) 141 struct netlbl_lsm_catmap *catmap)
157{ 142{
143 int rc;
158 struct ebitmap_node *e_iter = NULL; 144 struct ebitmap_node *e_iter = NULL;
159 struct ebitmap_node *emap_prev = NULL; 145 struct ebitmap_node *e_prev = NULL;
160 struct netlbl_lsm_secattr_catmap *c_iter = catmap; 146 u32 offset = 0, idx;
161 u32 c_idx, c_pos, e_idx, e_sft; 147 unsigned long bitmap;
162 148
163 /* NetLabel's NETLBL_CATMAP_MAPTYPE is defined as an array of u64, 149 for (;;) {
164 * however, it is not always compatible with an array of unsigned long 150 rc = netlbl_catmap_getlong(catmap, &offset, &bitmap);
165 * in ebitmap_node. 151 if (rc < 0)
166 * In addition, you should pay attention the following implementation 152 goto netlbl_import_failure;
167 * assumes unsigned long has a width equal with or less than 64-bit. 153 if (offset == (u32)-1)
168 */ 154 return 0;
169
170 do {
171 for (c_idx = 0; c_idx < NETLBL_CATMAP_MAPCNT; c_idx++) {
172 unsigned int delta;
173 u64 map = c_iter->bitmap[c_idx];
174
175 if (!map)
176 continue;
177 155
178 c_pos = c_iter->startbit 156 if (e_iter == NULL ||
179 + c_idx * NETLBL_CATMAP_MAPSIZE; 157 offset >= e_iter->startbit + EBITMAP_SIZE) {
180 if (!e_iter 158 e_prev = e_iter;
181 || c_pos >= e_iter->startbit + EBITMAP_SIZE) { 159 e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC);
182 e_iter = kzalloc(sizeof(*e_iter), GFP_ATOMIC); 160 if (e_iter == NULL)
183 if (!e_iter) 161 goto netlbl_import_failure;
184 goto netlbl_import_failure; 162 e_iter->startbit = offset & ~(EBITMAP_SIZE - 1);
185 e_iter->startbit 163 if (e_prev == NULL)
186 = c_pos - (c_pos % EBITMAP_SIZE); 164 ebmap->node = e_iter;
187 if (emap_prev == NULL) 165 else
188 ebmap->node = e_iter; 166 e_prev->next = e_iter;
189 else 167 ebmap->highbit = e_iter->startbit + EBITMAP_SIZE;
190 emap_prev->next = e_iter;
191 emap_prev = e_iter;
192 }
193 delta = c_pos - e_iter->startbit;
194 e_idx = delta / EBITMAP_UNIT_SIZE;
195 e_sft = delta % EBITMAP_UNIT_SIZE;
196 while (map) {
197 e_iter->maps[e_idx++] |= map & (-1UL);
198 map = EBITMAP_SHIFT_UNIT_SIZE(map);
199 }
200 } 168 }
201 c_iter = c_iter->next;
202 } while (c_iter);
203 if (e_iter != NULL)
204 ebmap->highbit = e_iter->startbit + EBITMAP_SIZE;
205 else
206 ebitmap_destroy(ebmap);
207 169
170 /* offset will always be aligned to an unsigned long */
171 idx = EBITMAP_NODE_INDEX(e_iter, offset);
172 e_iter->maps[idx] = bitmap;
173
174 /* next */
175 offset += EBITMAP_UNIT_SIZE;
176 }
177
178 /* NOTE: we should never reach this return */
208 return 0; 179 return 0;
209 180
210netlbl_import_failure: 181netlbl_import_failure:
diff --git a/security/selinux/ss/ebitmap.h b/security/selinux/ss/ebitmap.h
index 712c8a7b8e8b..9637b8c71085 100644
--- a/security/selinux/ss/ebitmap.h
+++ b/security/selinux/ss/ebitmap.h
@@ -132,17 +132,17 @@ int ebitmap_write(struct ebitmap *e, void *fp);
132 132
133#ifdef CONFIG_NETLABEL 133#ifdef CONFIG_NETLABEL
134int ebitmap_netlbl_export(struct ebitmap *ebmap, 134int ebitmap_netlbl_export(struct ebitmap *ebmap,
135 struct netlbl_lsm_secattr_catmap **catmap); 135 struct netlbl_lsm_catmap **catmap);
136int ebitmap_netlbl_import(struct ebitmap *ebmap, 136int ebitmap_netlbl_import(struct ebitmap *ebmap,
137 struct netlbl_lsm_secattr_catmap *catmap); 137 struct netlbl_lsm_catmap *catmap);
138#else 138#else
139static inline int ebitmap_netlbl_export(struct ebitmap *ebmap, 139static inline int ebitmap_netlbl_export(struct ebitmap *ebmap,
140 struct netlbl_lsm_secattr_catmap **catmap) 140 struct netlbl_lsm_catmap **catmap)
141{ 141{
142 return -ENOMEM; 142 return -ENOMEM;
143} 143}
144static inline int ebitmap_netlbl_import(struct ebitmap *ebmap, 144static inline int ebitmap_netlbl_import(struct ebitmap *ebmap,
145 struct netlbl_lsm_secattr_catmap *catmap) 145 struct netlbl_lsm_catmap *catmap)
146{ 146{
147 return -ENOMEM; 147 return -ENOMEM;
148} 148}
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 9c5cdc2caaef..bc2a586f095c 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -1080,6 +1080,26 @@ out:
1080 * binary representation file. 1080 * binary representation file.
1081 */ 1081 */
1082 1082
1083static int str_read(char **strp, gfp_t flags, void *fp, u32 len)
1084{
1085 int rc;
1086 char *str;
1087
1088 str = kmalloc(len + 1, flags);
1089 if (!str)
1090 return -ENOMEM;
1091
1092 /* it's expected the caller should free the str */
1093 *strp = str;
1094
1095 rc = next_entry(str, fp, len);
1096 if (rc)
1097 return rc;
1098
1099 str[len] = '\0';
1100 return 0;
1101}
1102
1083static int perm_read(struct policydb *p, struct hashtab *h, void *fp) 1103static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
1084{ 1104{
1085 char *key = NULL; 1105 char *key = NULL;
@@ -1100,15 +1120,9 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
1100 len = le32_to_cpu(buf[0]); 1120 len = le32_to_cpu(buf[0]);
1101 perdatum->value = le32_to_cpu(buf[1]); 1121 perdatum->value = le32_to_cpu(buf[1]);
1102 1122
1103 rc = -ENOMEM; 1123 rc = str_read(&key, GFP_KERNEL, fp, len);
1104 key = kmalloc(len + 1, GFP_KERNEL);
1105 if (!key)
1106 goto bad;
1107
1108 rc = next_entry(key, fp, len);
1109 if (rc) 1124 if (rc)
1110 goto bad; 1125 goto bad;
1111 key[len] = '\0';
1112 1126
1113 rc = hashtab_insert(h, key, perdatum); 1127 rc = hashtab_insert(h, key, perdatum);
1114 if (rc) 1128 if (rc)
@@ -1146,15 +1160,9 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
1146 comdatum->permissions.nprim = le32_to_cpu(buf[2]); 1160 comdatum->permissions.nprim = le32_to_cpu(buf[2]);
1147 nel = le32_to_cpu(buf[3]); 1161 nel = le32_to_cpu(buf[3]);
1148 1162
1149 rc = -ENOMEM; 1163 rc = str_read(&key, GFP_KERNEL, fp, len);
1150 key = kmalloc(len + 1, GFP_KERNEL);
1151 if (!key)
1152 goto bad;
1153
1154 rc = next_entry(key, fp, len);
1155 if (rc) 1164 if (rc)
1156 goto bad; 1165 goto bad;
1157 key[len] = '\0';
1158 1166
1159 for (i = 0; i < nel; i++) { 1167 for (i = 0; i < nel; i++) {
1160 rc = perm_read(p, comdatum->permissions.table, fp); 1168 rc = perm_read(p, comdatum->permissions.table, fp);
@@ -1321,25 +1329,14 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
1321 1329
1322 ncons = le32_to_cpu(buf[5]); 1330 ncons = le32_to_cpu(buf[5]);
1323 1331
1324 rc = -ENOMEM; 1332 rc = str_read(&key, GFP_KERNEL, fp, len);
1325 key = kmalloc(len + 1, GFP_KERNEL);
1326 if (!key)
1327 goto bad;
1328
1329 rc = next_entry(key, fp, len);
1330 if (rc) 1333 if (rc)
1331 goto bad; 1334 goto bad;
1332 key[len] = '\0';
1333 1335
1334 if (len2) { 1336 if (len2) {
1335 rc = -ENOMEM; 1337 rc = str_read(&cladatum->comkey, GFP_KERNEL, fp, len2);
1336 cladatum->comkey = kmalloc(len2 + 1, GFP_KERNEL);
1337 if (!cladatum->comkey)
1338 goto bad;
1339 rc = next_entry(cladatum->comkey, fp, len2);
1340 if (rc) 1338 if (rc)
1341 goto bad; 1339 goto bad;
1342 cladatum->comkey[len2] = '\0';
1343 1340
1344 rc = -EINVAL; 1341 rc = -EINVAL;
1345 cladatum->comdatum = hashtab_search(p->p_commons.table, cladatum->comkey); 1342 cladatum->comdatum = hashtab_search(p->p_commons.table, cladatum->comkey);
@@ -1422,15 +1419,9 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
1422 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1419 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1423 role->bounds = le32_to_cpu(buf[2]); 1420 role->bounds = le32_to_cpu(buf[2]);
1424 1421
1425 rc = -ENOMEM; 1422 rc = str_read(&key, GFP_KERNEL, fp, len);
1426 key = kmalloc(len + 1, GFP_KERNEL);
1427 if (!key)
1428 goto bad;
1429
1430 rc = next_entry(key, fp, len);
1431 if (rc) 1423 if (rc)
1432 goto bad; 1424 goto bad;
1433 key[len] = '\0';
1434 1425
1435 rc = ebitmap_read(&role->dominates, fp); 1426 rc = ebitmap_read(&role->dominates, fp);
1436 if (rc) 1427 if (rc)
@@ -1495,14 +1486,9 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
1495 typdatum->primary = le32_to_cpu(buf[2]); 1486 typdatum->primary = le32_to_cpu(buf[2]);
1496 } 1487 }
1497 1488
1498 rc = -ENOMEM; 1489 rc = str_read(&key, GFP_KERNEL, fp, len);
1499 key = kmalloc(len + 1, GFP_KERNEL);
1500 if (!key)
1501 goto bad;
1502 rc = next_entry(key, fp, len);
1503 if (rc) 1490 if (rc)
1504 goto bad; 1491 goto bad;
1505 key[len] = '\0';
1506 1492
1507 rc = hashtab_insert(h, key, typdatum); 1493 rc = hashtab_insert(h, key, typdatum);
1508 if (rc) 1494 if (rc)
@@ -1565,14 +1551,9 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
1565 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 1551 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
1566 usrdatum->bounds = le32_to_cpu(buf[2]); 1552 usrdatum->bounds = le32_to_cpu(buf[2]);
1567 1553
1568 rc = -ENOMEM; 1554 rc = str_read(&key, GFP_KERNEL, fp, len);
1569 key = kmalloc(len + 1, GFP_KERNEL);
1570 if (!key)
1571 goto bad;
1572 rc = next_entry(key, fp, len);
1573 if (rc) 1555 if (rc)
1574 goto bad; 1556 goto bad;
1575 key[len] = '\0';
1576 1557
1577 rc = ebitmap_read(&usrdatum->roles, fp); 1558 rc = ebitmap_read(&usrdatum->roles, fp);
1578 if (rc) 1559 if (rc)
@@ -1616,14 +1597,9 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
1616 len = le32_to_cpu(buf[0]); 1597 len = le32_to_cpu(buf[0]);
1617 levdatum->isalias = le32_to_cpu(buf[1]); 1598 levdatum->isalias = le32_to_cpu(buf[1]);
1618 1599
1619 rc = -ENOMEM; 1600 rc = str_read(&key, GFP_ATOMIC, fp, len);
1620 key = kmalloc(len + 1, GFP_ATOMIC);
1621 if (!key)
1622 goto bad;
1623 rc = next_entry(key, fp, len);
1624 if (rc) 1601 if (rc)
1625 goto bad; 1602 goto bad;
1626 key[len] = '\0';
1627 1603
1628 rc = -ENOMEM; 1604 rc = -ENOMEM;
1629 levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC); 1605 levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC);
@@ -1664,14 +1640,9 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
1664 catdatum->value = le32_to_cpu(buf[1]); 1640 catdatum->value = le32_to_cpu(buf[1]);
1665 catdatum->isalias = le32_to_cpu(buf[2]); 1641 catdatum->isalias = le32_to_cpu(buf[2]);
1666 1642
1667 rc = -ENOMEM; 1643 rc = str_read(&key, GFP_ATOMIC, fp, len);
1668 key = kmalloc(len + 1, GFP_ATOMIC);
1669 if (!key)
1670 goto bad;
1671 rc = next_entry(key, fp, len);
1672 if (rc) 1644 if (rc)
1673 goto bad; 1645 goto bad;
1674 key[len] = '\0';
1675 1646
1676 rc = hashtab_insert(h, key, catdatum); 1647 rc = hashtab_insert(h, key, catdatum);
1677 if (rc) 1648 if (rc)
@@ -1968,18 +1939,12 @@ static int filename_trans_read(struct policydb *p, void *fp)
1968 goto out; 1939 goto out;
1969 len = le32_to_cpu(buf[0]); 1940 len = le32_to_cpu(buf[0]);
1970 1941
1971 rc = -ENOMEM;
1972 name = kmalloc(len + 1, GFP_KERNEL);
1973 if (!name)
1974 goto out;
1975
1976 ft->name = name;
1977
1978 /* path component string */ 1942 /* path component string */
1979 rc = next_entry(name, fp, len); 1943 rc = str_read(&name, GFP_KERNEL, fp, len);
1980 if (rc) 1944 if (rc)
1981 goto out; 1945 goto out;
1982 name[len] = 0; 1946
1947 ft->name = name;
1983 1948
1984 rc = next_entry(buf, fp, sizeof(u32) * 4); 1949 rc = next_entry(buf, fp, sizeof(u32) * 4);
1985 if (rc) 1950 if (rc)
@@ -2045,17 +2010,10 @@ static int genfs_read(struct policydb *p, void *fp)
2045 if (!newgenfs) 2010 if (!newgenfs)
2046 goto out; 2011 goto out;
2047 2012
2048 rc = -ENOMEM; 2013 rc = str_read(&newgenfs->fstype, GFP_KERNEL, fp, len);
2049 newgenfs->fstype = kmalloc(len + 1, GFP_KERNEL);
2050 if (!newgenfs->fstype)
2051 goto out;
2052
2053 rc = next_entry(newgenfs->fstype, fp, len);
2054 if (rc) 2014 if (rc)
2055 goto out; 2015 goto out;
2056 2016
2057 newgenfs->fstype[len] = 0;
2058
2059 for (genfs_p = NULL, genfs = p->genfs; genfs; 2017 for (genfs_p = NULL, genfs = p->genfs; genfs;
2060 genfs_p = genfs, genfs = genfs->next) { 2018 genfs_p = genfs, genfs = genfs->next) {
2061 rc = -EINVAL; 2019 rc = -EINVAL;
@@ -2091,15 +2049,9 @@ static int genfs_read(struct policydb *p, void *fp)
2091 if (!newc) 2049 if (!newc)
2092 goto out; 2050 goto out;
2093 2051
2094 rc = -ENOMEM; 2052 rc = str_read(&newc->u.name, GFP_KERNEL, fp, len);
2095 newc->u.name = kmalloc(len + 1, GFP_KERNEL);
2096 if (!newc->u.name)
2097 goto out;
2098
2099 rc = next_entry(newc->u.name, fp, len);
2100 if (rc) 2053 if (rc)
2101 goto out; 2054 goto out;
2102 newc->u.name[len] = 0;
2103 2055
2104 rc = next_entry(buf, fp, sizeof(u32)); 2056 rc = next_entry(buf, fp, sizeof(u32));
2105 if (rc) 2057 if (rc)
@@ -2189,16 +2141,10 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
2189 goto out; 2141 goto out;
2190 len = le32_to_cpu(buf[0]); 2142 len = le32_to_cpu(buf[0]);
2191 2143
2192 rc = -ENOMEM; 2144 rc = str_read(&c->u.name, GFP_KERNEL, fp, len);
2193 c->u.name = kmalloc(len + 1, GFP_KERNEL);
2194 if (!c->u.name)
2195 goto out;
2196
2197 rc = next_entry(c->u.name, fp, len);
2198 if (rc) 2145 if (rc)
2199 goto out; 2146 goto out;
2200 2147
2201 c->u.name[len] = 0;
2202 rc = context_read_and_validate(&c->context[0], p, fp); 2148 rc = context_read_and_validate(&c->context[0], p, fp);
2203 if (rc) 2149 if (rc)
2204 goto out; 2150 goto out;
@@ -2240,16 +2186,11 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
2240 if (c->v.behavior > SECURITY_FS_USE_MAX) 2186 if (c->v.behavior > SECURITY_FS_USE_MAX)
2241 goto out; 2187 goto out;
2242 2188
2243 rc = -ENOMEM;
2244 len = le32_to_cpu(buf[1]); 2189 len = le32_to_cpu(buf[1]);
2245 c->u.name = kmalloc(len + 1, GFP_KERNEL); 2190 rc = str_read(&c->u.name, GFP_KERNEL, fp, len);
2246 if (!c->u.name)
2247 goto out;
2248
2249 rc = next_entry(c->u.name, fp, len);
2250 if (rc) 2191 if (rc)
2251 goto out; 2192 goto out;
2252 c->u.name[len] = 0; 2193
2253 rc = context_read_and_validate(&c->context[0], p, fp); 2194 rc = context_read_and_validate(&c->context[0], p, fp);
2254 if (rc) 2195 if (rc)
2255 goto out; 2196 goto out;
@@ -2608,7 +2549,7 @@ static int mls_write_range_helper(struct mls_range *r, void *fp)
2608 if (!eq) 2549 if (!eq)
2609 buf[2] = cpu_to_le32(r->level[1].sens); 2550 buf[2] = cpu_to_le32(r->level[1].sens);
2610 2551
2611 BUG_ON(items > (sizeof(buf)/sizeof(buf[0]))); 2552 BUG_ON(items > ARRAY_SIZE(buf));
2612 2553
2613 rc = put_entry(buf, sizeof(u32), items, fp); 2554 rc = put_entry(buf, sizeof(u32), items, fp);
2614 if (rc) 2555 if (rc)
@@ -2990,7 +2931,7 @@ static int role_write(void *vkey, void *datum, void *ptr)
2990 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 2931 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
2991 buf[items++] = cpu_to_le32(role->bounds); 2932 buf[items++] = cpu_to_le32(role->bounds);
2992 2933
2993 BUG_ON(items > (sizeof(buf)/sizeof(buf[0]))); 2934 BUG_ON(items > ARRAY_SIZE(buf));
2994 2935
2995 rc = put_entry(buf, sizeof(u32), items, fp); 2936 rc = put_entry(buf, sizeof(u32), items, fp);
2996 if (rc) 2937 if (rc)
@@ -3040,7 +2981,7 @@ static int type_write(void *vkey, void *datum, void *ptr)
3040 } else { 2981 } else {
3041 buf[items++] = cpu_to_le32(typdatum->primary); 2982 buf[items++] = cpu_to_le32(typdatum->primary);
3042 } 2983 }
3043 BUG_ON(items > (sizeof(buf) / sizeof(buf[0]))); 2984 BUG_ON(items > ARRAY_SIZE(buf));
3044 rc = put_entry(buf, sizeof(u32), items, fp); 2985 rc = put_entry(buf, sizeof(u32), items, fp);
3045 if (rc) 2986 if (rc)
3046 return rc; 2987 return rc;
@@ -3069,7 +3010,7 @@ static int user_write(void *vkey, void *datum, void *ptr)
3069 buf[items++] = cpu_to_le32(usrdatum->value); 3010 buf[items++] = cpu_to_le32(usrdatum->value);
3070 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY) 3011 if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
3071 buf[items++] = cpu_to_le32(usrdatum->bounds); 3012 buf[items++] = cpu_to_le32(usrdatum->bounds);
3072 BUG_ON(items > (sizeof(buf) / sizeof(buf[0]))); 3013 BUG_ON(items > ARRAY_SIZE(buf));
3073 rc = put_entry(buf, sizeof(u32), items, fp); 3014 rc = put_entry(buf, sizeof(u32), items, fp);
3074 if (rc) 3015 if (rc)
3075 return rc; 3016 return rc;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 4bca49414a40..2aa9d172dc7e 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -2277,7 +2277,7 @@ out:
2277} 2277}
2278 2278
2279/** 2279/**
2280 * security_genfs_sid - Obtain a SID for a file in a filesystem 2280 * __security_genfs_sid - Helper to obtain a SID for a file in a filesystem
2281 * @fstype: filesystem type 2281 * @fstype: filesystem type
2282 * @path: path from root of mount 2282 * @path: path from root of mount
2283 * @sclass: file security class 2283 * @sclass: file security class
@@ -2286,11 +2286,13 @@ out:
2286 * Obtain a SID to use for a file in a filesystem that 2286 * Obtain a SID to use for a file in a filesystem that
2287 * cannot support xattr or use a fixed labeling behavior like 2287 * cannot support xattr or use a fixed labeling behavior like
2288 * transition SIDs or task SIDs. 2288 * transition SIDs or task SIDs.
2289 *
2290 * The caller must acquire the policy_rwlock before calling this function.
2289 */ 2291 */
2290int security_genfs_sid(const char *fstype, 2292static inline int __security_genfs_sid(const char *fstype,
2291 char *path, 2293 char *path,
2292 u16 orig_sclass, 2294 u16 orig_sclass,
2293 u32 *sid) 2295 u32 *sid)
2294{ 2296{
2295 int len; 2297 int len;
2296 u16 sclass; 2298 u16 sclass;
@@ -2301,8 +2303,6 @@ int security_genfs_sid(const char *fstype,
2301 while (path[0] == '/' && path[1] == '/') 2303 while (path[0] == '/' && path[1] == '/')
2302 path++; 2304 path++;
2303 2305
2304 read_lock(&policy_rwlock);
2305
2306 sclass = unmap_class(orig_sclass); 2306 sclass = unmap_class(orig_sclass);
2307 *sid = SECINITSID_UNLABELED; 2307 *sid = SECINITSID_UNLABELED;
2308 2308
@@ -2336,11 +2336,33 @@ int security_genfs_sid(const char *fstype,
2336 *sid = c->sid[0]; 2336 *sid = c->sid[0];
2337 rc = 0; 2337 rc = 0;
2338out: 2338out:
2339 read_unlock(&policy_rwlock);
2340 return rc; 2339 return rc;
2341} 2340}
2342 2341
2343/** 2342/**
2343 * security_genfs_sid - Obtain a SID for a file in a filesystem
2344 * @fstype: filesystem type
2345 * @path: path from root of mount
2346 * @sclass: file security class
2347 * @sid: SID for path
2348 *
2349 * Acquire policy_rwlock before calling __security_genfs_sid() and release
2350 * it afterward.
2351 */
2352int security_genfs_sid(const char *fstype,
2353 char *path,
2354 u16 orig_sclass,
2355 u32 *sid)
2356{
2357 int retval;
2358
2359 read_lock(&policy_rwlock);
2360 retval = __security_genfs_sid(fstype, path, orig_sclass, sid);
2361 read_unlock(&policy_rwlock);
2362 return retval;
2363}
2364
2365/**
2344 * security_fs_use - Determine how to handle labeling for a filesystem. 2366 * security_fs_use - Determine how to handle labeling for a filesystem.
2345 * @sb: superblock in question 2367 * @sb: superblock in question
2346 */ 2368 */
@@ -2370,7 +2392,8 @@ int security_fs_use(struct super_block *sb)
2370 } 2392 }
2371 sbsec->sid = c->sid[0]; 2393 sbsec->sid = c->sid[0];
2372 } else { 2394 } else {
2373 rc = security_genfs_sid(fstype, "/", SECCLASS_DIR, &sbsec->sid); 2395 rc = __security_genfs_sid(fstype, "/", SECCLASS_DIR,
2396 &sbsec->sid);
2374 if (rc) { 2397 if (rc) {
2375 sbsec->behavior = SECURITY_FS_USE_NONE; 2398 sbsec->behavior = SECURITY_FS_USE_NONE;
2376 rc = 0; 2399 rc = 0;
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c
index c062e9467b62..f97d0842e621 100644
--- a/security/smack/smack_access.c
+++ b/security/smack/smack_access.c
@@ -457,19 +457,16 @@ int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,
457 457
458 sap->flags |= NETLBL_SECATTR_MLS_CAT; 458 sap->flags |= NETLBL_SECATTR_MLS_CAT;
459 sap->attr.mls.lvl = level; 459 sap->attr.mls.lvl = level;
460 sap->attr.mls.cat = netlbl_secattr_catmap_alloc(GFP_ATOMIC); 460 sap->attr.mls.cat = NULL;
461 if (!sap->attr.mls.cat)
462 return -ENOMEM;
463 sap->attr.mls.cat->startbit = 0;
464 461
465 for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++) 462 for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++)
466 for (m = 0x80; m != 0; m >>= 1, cat++) { 463 for (m = 0x80; m != 0; m >>= 1, cat++) {
467 if ((m & *cp) == 0) 464 if ((m & *cp) == 0)
468 continue; 465 continue;
469 rc = netlbl_secattr_catmap_setbit(sap->attr.mls.cat, 466 rc = netlbl_catmap_setbit(&sap->attr.mls.cat,
470 cat, GFP_ATOMIC); 467 cat, GFP_ATOMIC);
471 if (rc < 0) { 468 if (rc < 0) {
472 netlbl_secattr_catmap_free(sap->attr.mls.cat); 469 netlbl_catmap_free(sap->attr.mls.cat);
473 return rc; 470 return rc;
474 } 471 }
475 } 472 }
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index f2c30801ce41..e6ab307ce86e 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3209,9 +3209,9 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
3209 break; 3209 break;
3210 } 3210 }
3211 for (acat = -1, kcat = -1; acat == kcat; ) { 3211 for (acat = -1, kcat = -1; acat == kcat; ) {
3212 acat = netlbl_secattr_catmap_walk( 3212 acat = netlbl_catmap_walk(sap->attr.mls.cat,
3213 sap->attr.mls.cat, acat + 1); 3213 acat + 1);
3214 kcat = netlbl_secattr_catmap_walk( 3214 kcat = netlbl_catmap_walk(
3215 skp->smk_netlabel.attr.mls.cat, 3215 skp->smk_netlabel.attr.mls.cat,
3216 kcat + 1); 3216 kcat + 1);
3217 if (acat < 0 || kcat < 0) 3217 if (acat < 0 || kcat < 0)
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 32b248820840..3c720ff10591 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -787,7 +787,7 @@ static int cipso_seq_show(struct seq_file *s, void *v)
787 struct list_head *list = v; 787 struct list_head *list = v;
788 struct smack_known *skp = 788 struct smack_known *skp =
789 list_entry(list, struct smack_known, list); 789 list_entry(list, struct smack_known, list);
790 struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat; 790 struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
791 char sep = '/'; 791 char sep = '/';
792 int i; 792 int i;
793 793
@@ -804,8 +804,8 @@ static int cipso_seq_show(struct seq_file *s, void *v)
804 804
805 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl); 805 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
806 806
807 for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0; 807 for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
808 i = netlbl_secattr_catmap_walk(cmp, i + 1)) { 808 i = netlbl_catmap_walk(cmp, i + 1)) {
809 seq_printf(s, "%c%d", sep, i); 809 seq_printf(s, "%c%d", sep, i);
810 sep = ','; 810 sep = ',';
811 } 811 }
@@ -926,7 +926,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
926 926
927 rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN); 927 rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
928 if (rc >= 0) { 928 if (rc >= 0) {
929 netlbl_secattr_catmap_free(skp->smk_netlabel.attr.mls.cat); 929 netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat);
930 skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat; 930 skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
931 skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl; 931 skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
932 rc = count; 932 rc = count;
@@ -976,14 +976,14 @@ static int cipso2_seq_show(struct seq_file *s, void *v)
976 struct list_head *list = v; 976 struct list_head *list = v;
977 struct smack_known *skp = 977 struct smack_known *skp =
978 list_entry(list, struct smack_known, list); 978 list_entry(list, struct smack_known, list);
979 struct netlbl_lsm_secattr_catmap *cmp = skp->smk_netlabel.attr.mls.cat; 979 struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
980 char sep = '/'; 980 char sep = '/';
981 int i; 981 int i;
982 982
983 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl); 983 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
984 984
985 for (i = netlbl_secattr_catmap_walk(cmp, 0); i >= 0; 985 for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
986 i = netlbl_secattr_catmap_walk(cmp, i + 1)) { 986 i = netlbl_catmap_walk(cmp, i + 1)) {
987 seq_printf(s, "%c%d", sep, i); 987 seq_printf(s, "%c%d", sep, i);
988 sep = ','; 988 sep = ',';
989 } 989 }
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-05 19:35:36 -0400