Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
 "Highlights:

  IMA:
   - provide ">" and "<" operators for fowner/uid/euid rules

  KEYS:
   - add a system blacklist keyring

   - add KEYCTL_RESTRICT_KEYRING, exposes keyring link restriction
     functionality to userland via keyctl()

  LSM:
   - harden LSM API with __ro_after_init

   - add prlmit security hook, implement for SELinux

   - revive security_task_alloc hook

  TPM:
   - implement contextual TPM command 'spaces'"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (98 commits)
  tpm: Fix reference count to main device
  tpm_tis: convert to using locality callbacks
  tpm: fix handling of the TPM 2.0 event logs
  tpm_crb: remove a cruft constant
  keys: select CONFIG_CRYPTO when selecting DH / KDF
  apparmor: Make path_max parameter readonly
  apparmor: fix parameters so that the permission test is bypassed at boot
  apparmor: fix invalid reference to index variable of iterator line 836
  apparmor: use SHASH_DESC_ON_STACK
  security/apparmor/lsm.c: set debug messages
  apparmor: fix boolreturn.cocci warnings
  Smack: Use GFP_KERNEL for smk_netlbl_mls().
  smack: fix double free in smack_parse_opts_str()
  KEYS: add SP800-56A KDF support for DH
  KEYS: Keyring asymmetric key restrict method with chaining
  KEYS: Restrict asymmetric key linkage using a specific keychain
  KEYS: Add a lookup_restriction function for the asymmetric key type
  KEYS: Add KEYCTL_RESTRICT_KEYRING
  KEYS: Consistent ordering for __key_link_begin and restrict check
  KEYS: Add an optional lookup_restriction hook to key_type
  ...

1 files changed, 30 insertions, 4 deletions

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index e29d4c62a3c8..080f34e66017 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -533,8 +533,13 @@
  *      manual page for definitions of the @clone_flags.
  *      @clone_flags contains the flags indicating what should be shared.
  *      Return 0 if permission is granted.
+ * @task_alloc:
+ *      @task task being allocated.
+ *      @clone_flags contains the flags indicating what should be shared.
+ *      Handle allocation of task-related resources.
+ *      Returns a zero on success, negative values on failure.
  * @task_free:
- *      @task task being freed
+ *      @task task about to be freed.
  *      Handle release of task-related resources. (Note that this can be called
  *      from interrupt context.)
  * @cred_alloc_blank:
@@ -630,10 +635,19 @@
  *      Check permission before getting the ioprio value of @p.
  *      @p contains the task_struct of process.
  *      Return 0 if permission is granted.
+ * @task_prlimit:
+ *      Check permission before getting and/or setting the resource limits of
+ *      another task.
+ *      @cred points to the cred structure for the current task.
+ *      @tcred points to the cred structure for the target task.
+ *      @flags contains the LSM_PRLIMIT_* flag bits indicating whether the
+ *      resource limits are being read, modified, or both.
+ *      Return 0 if permission is granted.
  * @task_setrlimit:
- *      Check permission before setting the resource limits of the current
- *      process for @resource to @new_rlim.  The old resource limit values can
- *      be examined by dereferencing (current->signal->rlim + resource).
+ *      Check permission before setting the resource limits of process @p
+ *      for @resource to @new_rlim.  The old resource limit values can
+ *      be examined by dereferencing (p->signal->rlim + resource).
+ *      @p points to the task_struct for the target task's group leader.
  *      @resource contains the resource whose limit is being set.
  *      @new_rlim contains the new limits for @resource.
  *      Return 0 if permission is granted.
@@ -1473,6 +1487,7 @@ union security_list_options {
         int (*file_open)(struct file *file, const struct cred *cred);
 
         int (*task_create)(unsigned long clone_flags);
+        int (*task_alloc)(struct task_struct *task, unsigned long clone_flags);
         void (*task_free)(struct task_struct *task);
         int (*cred_alloc_blank)(struct cred *cred, gfp_t gfp);
         void (*cred_free)(struct cred *cred);
@@ -1494,6 +1509,8 @@ union security_list_options {
         int (*task_setnice)(struct task_struct *p, int nice);
         int (*task_setioprio)(struct task_struct *p, int ioprio);
         int (*task_getioprio)(struct task_struct *p);
+        int (*task_prlimit)(const struct cred *cred, const struct cred *tcred,
+                            unsigned int flags);
         int (*task_setrlimit)(struct task_struct *p, unsigned int resource,
                                 struct rlimit *new_rlim);
         int (*task_setscheduler)(struct task_struct *p);
@@ -1737,6 +1754,7 @@ struct security_hook_heads {
         struct list_head file_receive;
         struct list_head file_open;
         struct list_head task_create;
+        struct list_head task_alloc;
         struct list_head task_free;
         struct list_head cred_alloc_blank;
         struct list_head cred_free;
@@ -1755,6 +1773,7 @@ struct security_hook_heads {
         struct list_head task_setnice;
         struct list_head task_setioprio;
         struct list_head task_getioprio;
+        struct list_head task_prlimit;
         struct list_head task_setrlimit;
         struct list_head task_setscheduler;
         struct list_head task_getscheduler;
@@ -1908,6 +1927,13 @@ static inline void security_delete_hooks(struct security_hook_list *hooks,
 }
 #endif /* CONFIG_SECURITY_SELINUX_DISABLE */
 
+/* Currently required to handle SELinux runtime hook disable. */
+#ifdef CONFIG_SECURITY_WRITABLE_HOOKS
+#define __lsm_ro_after_init
+#else
+#define __lsm_ro_after_init     __ro_after_init
+#endif /* CONFIG_SECURITY_WRITABLE_HOOKS */
+
 extern int __init security_module_enable(const char *module);
 extern void __init capability_add_hooks(void);
 #ifdef CONFIG_SECURITY_YAMA