15 Apr, 2010
1 commit
-
Reduce MAX_AVTAB_HASH_BITS so that the avtab allocation is an order 2
allocation rather than an order 4 allocation on x86_64. This
addresses reports of page allocation failures:
http://marc.info/?l=selinux&m=126757230625867&w=2
https://bugzilla.redhat.com/show_bug.cgi?id=570433Reported-by: Russell Coker
Signed-off-by: Stephen D. Smalley
Acked-by: Eric Paris
Signed-off-by: James Morris
30 Mar, 2010
1 commit
-
…it slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
08 Mar, 2010
1 commit
-
Conflicts:
Documentation/filesystems/proc.txt
arch/arm/mach-u300/include/mach/debug-macro.S
drivers/net/qlge/qlge_ethtool.c
drivers/net/qlge/qlge_main.c
drivers/net/typhoon.c
01 Mar, 2010
1 commit
26 Feb, 2010
1 commit
-
Make selinux_kernel_create_files_as() return an error when it gets one, rather
than unconditionally returning 0.Without this, cachefiles doesn't return an error if the SELinux policy doesn't
let it create files with the label of the directory at the base of the cache.Signed-off-by: David Howells
Signed-off-by: James Morris
25 Feb, 2010
1 commit
-
This fixes corrupted CIPSO packets when SELinux categories greater than 127
are used. The bug occured on the second (and later) loops through the
while; the inner for loop through the ebitmap->maps array used the same
index as the NetLabel catmap->bitmap array, even though the NetLabel bitmap
is twice as long as the SELinux bitmap.Signed-off-by: Joshua Roys
Acked-by: Paul Moore
Signed-off-by: James Morris
24 Feb, 2010
1 commit
-
Enhance the security framework to support resetting the active security
module. This eliminates the need for direct use of the security_ops and
default_security_ops variables outside of security.c, so make security_ops
and default_security_ops static. Also remove the secondary_ops variable as
a cleanup since there is no use for that. secondary_ops was originally used by
SELinux to call the "secondary" security module (capability or dummy),
but that was replaced by direct calls to capability and the only
remaining use is to save and restore the original security ops pointer
value if SELinux is disabled by early userspace based on /etc/selinux/config.
Further, if we support this directly in the security framework, then we can
just use &default_security_ops for this purpose since that is now available.Signed-off-by: Zhitong Wang
Acked-by: Stephen Smalley
Signed-off-by: James Morris
22 Feb, 2010
1 commit
-
This patch revert the commit of 7d52a155e38d5a165759dbbee656455861bf7801
which removed a part of type_attribute_bounds_av as a dead code.
However, at that time, we didn't find out the target side boundary allows
to handle some of pseudo /proc//* entries with its process's security
context well.Signed-off-by: KaiGai Kohei
Acked-by: Stephen Smalley--
security/selinux/ss/services.c | 43 ++++++++++++++++++++++++++++++++++++---
1 files changed, 39 insertions(+), 4 deletions(-)
Signed-off-by: James Morris
16 Feb, 2010
1 commit
-
Fix a couple of sparse warnings for callers of
context_struct_to_string, which takes a *u32, not an *int.These cases are harmless as the values are not used.
Signed-off-by: James Morris
Acked-by: KaiGai Kohei
09 Feb, 2010
1 commit
-
In sel_make_bools, kernel allocates memory for bool_pending_names[i]
with security_get_bools. So if we just free bool_pending_names, those
memories for bool_pending_names[i] will be leaked.This patch resolves dozens of following kmemleak report after resuming
from suspend:
unreferenced object 0xffff88022e4c7380 (size 32):
comm "init", pid 1, jiffies 4294677173
backtrace:
[] create_object+0x1a2/0x2a9
[] kmemleak_alloc+0x26/0x4b
[] __kmalloc+0x18f/0x1b8
[] security_get_bools+0xd7/0x16f
[] sel_write_load+0x12e/0x62b
[] vfs_write+0xae/0x10b
[] sys_write+0x4a/0x6e
[] system_call_fastpath+0x16/0x1b
[] 0xffffffffffffffffSigned-off-by: Xiaotian Feng
Signed-off-by: James Morris
05 Feb, 2010
1 commit
-
Signed-off-by: Justin P. Mattock
Signed-off-by: Jiri Kosina
04 Feb, 2010
4 commits
-
Right now the syslog "type" action are just raw numbers which makes
the source difficult to follow. This patch replaces the raw numbers
with defined constants for some level of sanity.Signed-off-by: Kees Cook
Acked-by: John Johansen
Acked-by: Serge Hallyn
Signed-off-by: James Morris -
This allows the LSM to distinguish between syslog functions originating
from /proc/kmsg access and direct syscalls. By default, the commoncaps
will now no longer require CAP_SYS_ADMIN to read an opened /proc/kmsg
file descriptor. For example the kernel syslog reader can now drop
privileges after opening /proc/kmsg, instead of staying privileged with
CAP_SYS_ADMIN. MAC systems that implement security_syslog have unchanged
behavior.Signed-off-by: Kees Cook
Acked-by: Serge Hallyn
Acked-by: John Johansen
Signed-off-by: James Morris -
Allow runtime switching between different policy types (e.g. from a MLS/MCS
policy to a non-MLS/non-MCS policy or viceversa).Signed-off-by: Guido Trentalancia
Acked-by: Stephen Smalley
Signed-off-by: James Morris -
Always load the initial SIDs, even in the case of a policy
reload and not just at the initial policy load. This comes
particularly handy after the introduction of a recent
patch for enabling runtime switching between different
policy types, although this patch is in theory independent
from that feature.Signed-off-by: Guido Trentalancia
Acked-by: Stephen Smalley
Signed-off-by: James Morris
03 Feb, 2010
1 commit
-
Only audit the permissions specified by the policy rules.
Before:
type=AVC msg=audit(01/28/2010 14:30:46.690:3250) : avc: denied { read
append } for pid=14092 comm=foo name=test_file dev=dm-1 ino=132932
scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=fileAfter:
type=AVC msg=audit(01/28/2010 14:52:37.448:26) : avc: denied
{ append } for pid=1917 comm=foo name=test_file dev=dm-1 ino=132932
scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=fileReference:
https://bugzilla.redhat.com/show_bug.cgi?id=558499Reported-by: Tom London
Signed-off-by: Stephen D. Smalley
Signed-off-by: James Morris
25 Jan, 2010
2 commits
-
This patch removes dead code in type_attribute_bounds_av().
Due to the historical reason, the type boundary feature is delivered
from hierarchical types in libsepol, it has supported boundary features
both of subject type (domain; in most cases) and target type.However, we don't have any actual use cases in bounded target types,
and it tended to make conceptual confusion.
So, this patch removes the dead code to apply boundary checks on the
target types. I makes clear the TYPEBOUNDS restricts privileges of
a certain domain bounded to any other domain.Signed-off-by: KaiGai Kohei
Acked-by: Stephen Smalley--
security/selinux/ss/services.c | 43 +++------------------------------------
1 files changed, 4 insertions(+), 39 deletions(-)
Signed-off-by: James Morris -
Per https://bugzilla.redhat.com/show_bug.cgi?id=548145
there are sufficient range transition rules in modern (Fedora) policy to
make mls_compute_sid a significant factor on the shmem file setup path
due to the length of the range_tr list. Replace the simple range_tr
list with a hashtab inside the security server to help mitigate this
problem.Signed-off-by: Stephen D. Smalley
Signed-off-by: James Morris
18 Jan, 2010
2 commits
-
If allow_unknown==deny, SELinux treats an undefined kernel security
class as an error condition rather than as a typical permission denial
and thus does not allow permissions on undefined classes even when in
permissive mode. Change the SELinux logic so that this case is handled
as a typical permission denial, subject to the usual permissive mode and
permissive domain handling.Also drop the 'requested' argument from security_compute_av() and
helpers as it is a legacy of the original security server interface and
is unused.Changes:
- Handle permissive domains consistently by moving up the test for a
permissive domain.
- Make security_compute_av_user() consistent with security_compute_av();
the only difference now is that security_compute_av() performs mapping
between the kernel-private class and permission indices and the policy
values. In the userspace case, this mapping is handled by libselinux.
- Moved avd_init inside the policy lock.Based in part on a patch by Paul Moore .
Reported-by: Andrew Worsley
Signed-off-by: Stephen D. Smalley
Reviewed-by: Paul Moore
Signed-off-by: James Morris
04 Jan, 2010
1 commit
-
Don't pass current RLIMIT_RTTIME to update_rlimit_cpu() in
selinux_bprm_committing_creds, since update_rlimit_cpu expects
RLIMIT_CPU limit.Use proper rlim[RLIMIT_CPU].rlim_cur instead to fix that.
Signed-off-by: Jiri Slaby
Acked-by: James Morris
Cc: Stephen Smalley
Cc: Eric Paris
Cc: David Howells
10 Dec, 2009
1 commit
-
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (42 commits)
tree-wide: fix misspelling of "definition" in comments
reiserfs: fix misspelling of "journaled"
doc: Fix a typo in slub.txt.
inotify: remove superfluous return code check
hdlc: spelling fix in find_pvc() comment
doc: fix regulator docs cut-and-pasteism
mtd: Fix comment in Kconfig
doc: Fix IRQ chip docs
tree-wide: fix assorted typos all over the place
drivers/ata/libata-sff.c: comment spelling fixes
fix typos/grammos in Documentation/edac.txt
sysctl: add missing comments
fs/debugfs/inode.c: fix comment typos
sgivwfb: Make use of ARRAY_SIZE.
sky2: fix sky2_link_down copy/paste comment error
tree-wide: fix typos "couter" -> "counter"
tree-wide: fix typos "offest" -> "offset"
fix kerneldoc for set_irq_msi()
spidev: fix double "of of" in comment
comment typo fix: sybsystem -> subsystem
...
09 Dec, 2009
1 commit
08 Dec, 2009
3 commits
-
The last return is unreachable, remove the 'return'
in default, let it fall through.Signed-off-by: WANG Cong
Acked-by: Eric Paris
Signed-off-by: James Morris -
The size argument to kcalloc should be the size of desired structure,
not the pointer to it.The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)//
@expression@
expression *x;
@@x =
//Signed-off-by: Julia Lawall
Acked-by: Eric Paris
Signed-off-by: James Morris -
Conflicts:
kernel/irq/chip.c
06 Dec, 2009
1 commit
-
Conflicts:
drivers/net/pcmcia/fmvj18x_cs.c
drivers/net/pcmcia/nmclan_cs.c
drivers/net/pcmcia/xirc2ps_cs.c
drivers/net/wireless/ray_cs.c
04 Dec, 2009
1 commit
-
That is "success", "unknown", "through", "performance", "[re|un]mapping"
, "access", "default", "reasonable", "[con]currently", "temperature"
, "channel", "[un]used", "application", "example","hierarchy", "therefore"
, "[over|under]flow", "contiguous", "threshold", "enough" and others.Signed-off-by: André Goddard Rosa
Signed-off-by: Jiri Kosina
24 Nov, 2009
1 commit
-
Historically we've seen cases where permissions are requested for classes
where they do not exist. In particular we have seen CIFS forget to set
i_mode to indicate it is a directory so when we later check something like
remove_name we have problems since it wasn't defined in tclass file. This
used to result in a avc which included the permission 0x2000 or something.
Currently the kernel will deny the operations (good thing) but will not
print ANY information (bad thing). First the auditdeny field is no
extended to include unknown permissions. After that is fixed the logic in
avc_dump_query to output this information isn't right since it will remove
the permission from the av and print the phrase "". This takes us
back to the behavior before the classmap rewrite.Signed-off-by: Eric Paris
Signed-off-by: James Morris
21 Nov, 2009
1 commit
-
To help grep games, rename iif to skb_iif
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
10 Nov, 2009
1 commit
-
For SELinux to do better filtering in userspace we send the name of the
module along with the AVC denial when a program is denied module_request.Example output:
type=SYSCALL msg=audit(11/03/2009 10:59:43.510:9) : arch=x86_64 syscall=write success=yes exit=2 a0=3 a1=7fc28c0d56c0 a2=2 a3=7fffca0d7440 items=0 ppid=1727 pid=1729 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(11/03/2009 10:59:43.510:9) : avc: denied { module_request } for pid=1729 comm=rpc.nfsd kmod="net-pf-10" scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=systemSigned-off-by: Eric Paris
Signed-off-by: James Morris
24 Oct, 2009
1 commit
-
The SELinux dynamic class work in c6d3aaa4e35c71a32a86ececacd4eea7ecfc316c
creates a number of dynamic header files and scripts. Add .gitignore files
so git doesn't complain about these.Signed-off-by: Eric Paris
Acked-by: Stephen D. Smalley
Signed-off-by: James Morris
20 Oct, 2009
1 commit
-
Ensure that we release the policy read lock on all exit paths from
security_compute_av.Signed-off-by: Stephen D. Smalley
Signed-off-by: James Morris
07 Oct, 2009
3 commits
-
Drop remapping of netlink classes and bypass of permission checking
based on netlink message type for policy version < 18. This removes
compatibility code introduced when the original single netlink
security class used for all netlink sockets was split into
finer-grained netlink classes based on netlink protocol and when
permission checking was added based on netlink message type in Linux
2.6.8. The only known distribution that shipped with SELinux and
policy < 18 was Fedora Core 2, which was EOL'd on 2005-04-11.Given that the remapping code was never updated to address the
addition of newer netlink classes, that the corresponding userland
support was dropped in 2005, and that the assumptions made by the
remapping code about the fixed ordering among netlink classes in the
policy may be violated in the future due to the dynamic class/perm
discovery support, we should drop this compatibility code now.Signed-off-by: Stephen Smalley
Signed-off-by: James Morris -
Add a simple utility (scripts/selinux/genheaders) and invoke it to
generate the kernel-private class and permission indices in flask.h
and av_permissions.h automatically during the kernel build from the
security class mapping definitions in classmap.h. Adding new kernel
classes and permissions can then be done just by adding them to classmap.h.Signed-off-by: Stephen Smalley
Signed-off-by: James Morris -
Modify SELinux to dynamically discover class and permission values
upon policy load, based on the dynamic object class/perm discovery
logic from libselinux. A mapping is created between kernel-private
class and permission indices used outside the security server and the
policy values used within the security server.The mappings are only applied upon kernel-internal computations;
similar mappings for the private indices of userspace object managers
is handled on a per-object manager basis by the userspace AVC. The
interfaces for compute_av and transition_sid are split for kernel
vs. userspace; the userspace functions are distinguished by a _user
suffix.The kernel-private class indices are no longer tied to the policy
values and thus do not need to skip indices for userspace classes;
thus the kernel class index values are compressed. The flask.h
definitions were regenerated by deleting the userspace classes from
refpolicy's definitions and then regenerating the headers. Going
forward, we can just maintain the flask.h, av_permissions.h, and
classmap.h definitions separately from policy as they are no longer
tied to the policy values. The next patch introduces a utility to
automate generation of flask.h and av_permissions.h from the
classmap.h definitions.The older kernel class and permission string tables are removed and
replaced by a single security class mapping table that is walked at
policy load to generate the mapping. The old kernel class validation
logic is completely replaced by the mapping logic.The handle unknown logic is reworked. reject_unknown=1 is handled
when the mappings are computed at policy load time, similar to the old
handling by the class validation logic. allow_unknown=1 is handled
when computing and mapping decisions - if the permission was not able
to be mapped (i.e. undefined, mapped to zero), then it is
automatically added to the allowed vector. If the class was not able
to be mapped (i.e. undefined, mapped to zero), then all permissions
are allowed for it if allow_unknown=1.avc_audit leverages the new security class mapping table to lookup the
class and permission names from the kernel-private indices.The mdp program is updated to use the new table when generating the
class definitions and allow rules for a minimal boot policy for the
kernel. It should be noted that this policy will not include any
userspace classes, nor will its policy index values for the kernel
classes correspond with the ones in refpolicy (they will instead match
the kernel-private indices).Signed-off-by: Stephen Smalley
Signed-off-by: James Morris
30 Sep, 2009
1 commit
-
This patch resets the security_ops to the secondary_ops before it flushes
the avc. It's still possible that a task on another processor could have
already passed the security_ops dereference and be executing an selinux hook
function which would add a new avc entry. That entry would still not be
freed. This should however help to reduce the number of needless avcs the
kernel has when selinux is disabled at run time. There is no wasted
memory if selinux is disabled on the command line or not compiled.Signed-off-by: Eric Paris
Signed-off-by: James Morris
24 Sep, 2009
2 commits
-
Ratan Nalumasu reported that in a process with many threads doing
unnecessary wakeups. Every waiting thread in the process wakes up to loop
through the children and see that the only ones it cares about are still
not ready.Now that we have struct wait_opts we can change do_wait/__wake_up_parent
to use filtered wakeups.We can make child_wait_callback() more clever later, right now it only
checks eligible_child().Signed-off-by: Oleg Nesterov
Acked-by: Roland McGrath
Cc: Ingo Molnar
Cc: Ratan Nalumasu
Cc: Vitaly Mayatskikh
Acked-by: James Morris
Tested-by: Valdis Kletnieks
Acked-by: David Howells
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds -
The security_ops reset done when SELinux is disabled at run time is done
after the avc cache is freed and after the kmem_cache for the avc is also
freed. This means that between the time the selinux disable code destroys
the avc_node_cachep another process could make a security request and could
try to allocate from the cache. We are just going to leave the cachep around,
like we always have.SELinux: Disabled at runtime.
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [] kmem_cache_alloc+0x9a/0x185
PGD 0
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
last sysfs file:
CPU 1
Modules linked in:
Pid: 12, comm: khelper Not tainted 2.6.31-tip-05525-g0eeacc6-dirty #14819
System Product Name
RIP: 0010:[] []
kmem_cache_alloc+0x9a/0x185
RSP: 0018:ffff88003f9258b0 EFLAGS: 00010086
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000078c0129e
RDX: 0000000000000000 RSI: ffffffff8130b626 RDI: ffffffff81122528
RBP: ffff88003f925900 R08: 0000000078c0129e R09: 0000000000000001
R10: 0000000000000000 R11: 0000000078c0129e R12: 0000000000000246
R13: 0000000000008020 R14: ffff88003f8586d8 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff880002b00000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000000 CR3: 0000000001001000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: ffffffff827bd420 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process khelper (pid: 12, threadinfo ffff88003f924000, task
ffff88003f928000)
Stack:
0000000000000246 0000802000000246 ffffffff8130b626 0000000000000001
0000000078c0129e 0000000000000000 ffff88003f925a70 0000000000000002
0000000000000001 0000000000000001 ffff88003f925960 ffffffff8130b626
Call Trace:
[] ? avc_alloc_node+0x36/0x273
[] avc_alloc_node+0x36/0x273
[] ? avc_latest_notif_update+0x7d/0x9e
[] avc_insert+0x51/0x18d
[] avc_has_perm_noaudit+0x9d/0x128
[] avc_has_perm+0x45/0x88
[] current_has_perm+0x52/0x6d
[] selinux_task_create+0x2f/0x45
[] security_task_create+0x29/0x3f
[] copy_process+0x82/0xdf0
[] ? register_lock_class+0x2f/0x36c
[] ? mark_lock+0x2e/0x1e1
[] do_fork+0x16e/0x382
[] ? register_lock_class+0x2f/0x36c
[] ? probe_workqueue_execution+0x57/0xf9
[] ? mark_lock+0x2e/0x1e1
[] ? probe_workqueue_execution+0x57/0xf9
[] kernel_thread+0x82/0xe0
[] ? ____call_usermodehelper+0x0/0x139
[] ? child_rip+0x0/0x20
[] ? __call_usermodehelper+0x65/0x9a
[] run_workqueue+0x171/0x27e
[] ? run_workqueue+0x11d/0x27e
[] ? __call_usermodehelper+0x0/0x9a
[] worker_thread+0xe8/0x10f
[] ? autoremove_wake_function+0x0/0x63
[] ? worker_thread+0x0/0x10f
[] kthread+0x91/0x99
[] child_rip+0xa/0x20
[] ? restore_args+0x0/0x30
[] ? kthread+0x0/0x99
[] ? child_rip+0x0/0x20
Code: 0f 85 99 00 00 00 9c 58 66 66 90 66 90 49 89 c4 fa 66 66 90 66 66 90
e8 83 34 fb ff e8 d7 e9 26 00 48 98 49 8b 94 c6 10 01 00 00 8b 1a 44
8b 7a 18 48 85 db 74 0f 8b 42 14 48 8b 04 c3 ff 42
RIP [] kmem_cache_alloc+0x9a/0x185
RSP
CR2: 0000000000000000
---[ end trace 42f41a982344e606 ]---Reported-by: Ingo Molnar
Signed-off-by: Eric Paris
Signed-off-by: James Morris
14 Sep, 2009
1 commit
-
Before SELinux is disabled at boot it can create AVC entries. This patch
will flush those entries before disabling SELinux.Signed-off-by: Eric Paris
Signed-off-by: James Morris