Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:

 - EVM gains support for loading an x509 cert from the kernel
   (EVM_LOAD_X509), into the EVM trusted kernel keyring.

 - Smack implements 'file receive' process-based permission checking for
   sockets, rather than just depending on inode checks.

 - Misc enhancments for TPM & TPM2.

 - Cleanups and bugfixes for SELinux, Keys, and IMA.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (41 commits)
  selinux: Inode label revalidation performance fix
  KEYS: refcount bug fix
  ima: ima_write_policy() limit locking
  IMA: policy can be updated zero times
  selinux: rate-limit netlink message warnings in selinux_nlmsg_perm()
  selinux: export validatetrans decisions
  gfs2: Invalid security labels of inodes when they go invalid
  selinux: Revalidate invalid inode security labels
  security: Add hook to invalidate inode security labels
  selinux: Add accessor functions for inode->i_security
  security: Make inode argument of inode_getsecid non-const
  security: Make inode argument of inode_getsecurity non-const
  selinux: Remove unused variable in selinux_inode_init_security
  keys, trusted: seal with a TPM2 authorization policy
  keys, trusted: select hash algorithm for TPM2 chips
  keys, trusted: fix: *do not* allow duplicate key options
  tpm_ibmvtpm: properly handle interrupted packet receptions
  tpm_tis: Tighten IRQ auto-probing
  tpm_tis: Refactor the interrupt setup
  tpm_tis: Get rid of the duplicate IRQ probing code
  ...

6 files changed, 37 insertions, 24 deletions

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 476bc1237ec2..b40ed5df5542 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -238,7 +238,7 @@ extern void __audit_getname(struct filename *name);
 extern void __audit_inode(struct filename *name, const struct dentry *dentry,
                                 unsigned int flags);
 extern void __audit_file(const struct file *);
-extern void __audit_inode_child(const struct inode *parent,
+extern void __audit_inode_child(struct inode *parent,
                                 const struct dentry *dentry,
                                 const unsigned char type);
 extern void __audit_seccomp(unsigned long syscall, long signr, int code);
@@ -303,7 +303,7 @@ static inline void audit_inode_parent_hidden(struct filename *name,
                 __audit_inode(name, dentry,
                                 AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN);
 }
-static inline void audit_inode_child(const struct inode *parent,
+static inline void audit_inode_child(struct inode *parent,
                                      const struct dentry *dentry,
                                      const unsigned char type) {
         if (unlikely(!audit_dummy_context()))
@@ -463,7 +463,7 @@ static inline void __audit_inode(struct filename *name,
                                         const struct dentry *dentry,
                                         unsigned int flags)
 { }
-static inline void __audit_inode_child(const struct inode *parent,
+static inline void __audit_inode_child(struct inode *parent,
                                         const struct dentry *dentry,
                                         const unsigned char type)
 { }
@@ -477,7 +477,7 @@ static inline void audit_file(struct file *file)
 static inline void audit_inode_parent_hidden(struct filename *name,
                                 const struct dentry *dentry)
 { }
-static inline void audit_inode_child(const struct inode *parent,
+static inline void audit_inode_child(struct inode *parent,
                                      const struct dentry *dentry,
                                      const unsigned char type)
 { }
diff --git a/include/linux/capability.h b/include/linux/capability.h
index af9f0b9e80e6..f314275d4e3f 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -145,24 +145,24 @@ static inline kernel_cap_t cap_invert(const kernel_cap_t c)
         return dest;
 }
 
-static inline int cap_isclear(const kernel_cap_t a)
+static inline bool cap_isclear(const kernel_cap_t a)
 {
         unsigned __capi;
         CAP_FOR_EACH_U32(__capi) {
                 if (a.cap[__capi] != 0)
-                        return 0;
+                        return false;
         }
-        return 1;
+        return true;
 }
 
 /*
  * Check if "a" is a subset of "set".
- * return 1 if ALL of the capabilities in "a" are also in "set"
- *      cap_issubset(0101, 1111) will return 1
- * return 0 if ANY of the capabilities in "a" are not in "set"
- *      cap_issubset(1111, 0101) will return 0
+ * return true if ALL of the capabilities in "a" are also in "set"
+ *      cap_issubset(0101, 1111) will return true
+ * return false if ANY of the capabilities in "a" are not in "set"
+ *      cap_issubset(1111, 0101) will return false
  */
-static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
+static inline bool cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
 {
         kernel_cap_t dest;
         dest = cap_drop(a, set);
@@ -171,12 +171,6 @@ static inline int cap_issubset(const kernel_cap_t a, const kernel_cap_t set)
 
 /* Used to decide between falling back on the old suser() or fsuser(). */
 
-static inline int cap_is_fs_cap(int cap)
-{
-        const kernel_cap_t __cap_fs_set = CAP_FS_SET;
-        return !!(CAP_TO_MASK(cap) & __cap_fs_set.cap[CAP_TO_INDEX(cap)]);
-}
-
 static inline kernel_cap_t cap_drop_fs_set(const kernel_cap_t a)
 {
         const kernel_cap_t __cap_fs_set = CAP_FS_SET;
diff --git a/include/linux/evm.h b/include/linux/evm.h
index 1fcb88ca88de..35ed9a8a403a 100644
--- a/include/linux/evm.h
+++ b/include/linux/evm.h
@@ -14,6 +14,7 @@
 struct integrity_iint_cache;
 
 #ifdef CONFIG_EVM
+extern int evm_set_key(void *key, size_t keylen);
 extern enum integrity_status evm_verifyxattr(struct dentry *dentry,
                                              const char *xattr_name,
                                              void *xattr_value,
@@ -42,6 +43,12 @@ static inline int posix_xattr_acl(const char *xattrname)
 }
 #endif
 #else
+
+static inline int evm_set_key(void *key, size_t keylen)
+{
+        return -EOPNOTSUPP;
+}
+
 #ifdef CONFIG_INTEGRITY
 static inline enum integrity_status evm_verifyxattr(struct dentry *dentry,
                                                     const char *xattr_name,
diff --git a/include/linux/key.h b/include/linux/key.h
index 66f705243985..7321ab8ef949 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -177,6 +177,7 @@ struct key {
 #define KEY_FLAG_TRUSTED_ONLY   9       /* set if keyring only accepts links to trusted keys */
 #define KEY_FLAG_BUILTIN        10      /* set if key is builtin */
 #define KEY_FLAG_ROOT_CAN_INVAL 11      /* set if key can be invalidated by root without permission */
+#define KEY_FLAG_KEEP           12      /* set if key should not be removed */
 
         /* the key type and key description string
          * - the desc is used to match a key against search criteria
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index ec3a6bab29de..71969de4058c 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1261,6 +1261,10 @@
  *      audit_rule_init.
  *      @rule contains the allocated rule
  *
+ * @inode_invalidate_secctx:
+ *      Notify the security module that it must revalidate the security context
+ *      of an inode.
+ *
  * @inode_notifysecctx:
  *      Notify the security module of what the security context of an inode
  *      should be.  Initializes the incore security context managed by the
@@ -1413,14 +1417,14 @@ union security_list_options {
         int (*inode_removexattr)(struct dentry *dentry, const char *name);
         int (*inode_need_killpriv)(struct dentry *dentry);
         int (*inode_killpriv)(struct dentry *dentry);
-        int (*inode_getsecurity)(const struct inode *inode, const char *name,
+        int (*inode_getsecurity)(struct inode *inode, const char *name,
                                         void **buffer, bool alloc);
         int (*inode_setsecurity)(struct inode *inode, const char *name,
                                         const void *value, size_t size,
                                         int flags);
         int (*inode_listsecurity)(struct inode *inode, char *buffer,
                                         size_t buffer_size);
-        void (*inode_getsecid)(const struct inode *inode, u32 *secid);
+        void (*inode_getsecid)(struct inode *inode, u32 *secid);
 
         int (*file_permission)(struct file *file, int mask);
         int (*file_alloc_security)(struct file *file);
@@ -1516,6 +1520,7 @@ union security_list_options {
         int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid);
         void (*release_secctx)(char *secdata, u32 seclen);
 
+        void (*inode_invalidate_secctx)(struct inode *inode);
         int (*inode_notifysecctx)(struct inode *inode, void *ctx, u32 ctxlen);
         int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen);
         int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen);
@@ -1757,6 +1762,7 @@ struct security_hook_heads {
         struct list_head secid_to_secctx;
         struct list_head secctx_to_secid;
         struct list_head release_secctx;
+        struct list_head inode_invalidate_secctx;
         struct list_head inode_notifysecctx;
         struct list_head inode_setsecctx;
         struct list_head inode_getsecctx;
diff --git a/include/linux/security.h b/include/linux/security.h
index 2f4c1f7aa7db..4824a4ccaf1c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -270,10 +270,10 @@ int security_inode_listxattr(struct dentry *dentry);
 int security_inode_removexattr(struct dentry *dentry, const char *name);
 int security_inode_need_killpriv(struct dentry *dentry);
 int security_inode_killpriv(struct dentry *dentry);
-int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc);
+int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc);
 int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
 int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
-void security_inode_getsecid(const struct inode *inode, u32 *secid);
+void security_inode_getsecid(struct inode *inode, u32 *secid);
 int security_file_permission(struct file *file, int mask);
 int security_file_alloc(struct file *file);
 void security_file_free(struct file *file);
@@ -353,6 +353,7 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
 
+void security_inode_invalidate_secctx(struct inode *inode);
 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
@@ -719,7 +720,7 @@ static inline int security_inode_killpriv(struct dentry *dentry)
         return cap_inode_killpriv(dentry);
 }
 
-static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
+static inline int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
 {
         return -EOPNOTSUPP;
 }
@@ -734,7 +735,7 @@ static inline int security_inode_listsecurity(struct inode *inode, char *buffer,
         return 0;
 }
 
-static inline void security_inode_getsecid(const struct inode *inode, u32 *secid)
+static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
 {
         *secid = 0;
 }
@@ -1093,6 +1094,10 @@ static inline void security_release_secctx(char *secdata, u32 seclen)
 {
 }
 
+static inline void security_inode_invalidate_secctx(struct inode *inode)
+{
+}
+
 static inline int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
 {
         return -EOPNOTSUPP;