Patch 1 fixes the check for self-referential loops that didn't work in all cases Patches 2 and 3 fix a couple of bugs Patches 4 and 5 make it harder to create small policies that expand into large policies that consume all of a system's memory. James Carter (5): libsepol/cil: Properly check for loops in sets libsepol/cil: Fix syntax checking of defaultrange rule libsepol/cil: Check for empty list when marking neverallow attributes libsepol/cil: Reduce the initial symtab sizes for blocks libsepol/cil: Improve degenerate inheritance check libsepol/cil/src/cil.c | 2 +- libsepol/cil/src/cil_build_ast.c | 2 +- libsepol/cil/src/cil_internal.h | 5 +- libsepol/cil/src/cil_post.c | 4 + libsepol/cil/src/cil_resolve_ast.c | 229 +++++++++++++++++++---------- libsepol/cil/src/cil_verify.c | 48 ++++-- 6 files changed, 191 insertions(+), 99 deletions(-) -- 2.26.3