Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
 "Highlights:

   - TPM core and driver updates/fixes
   - IPv6 security labeling (CALIPSO)
   - Lots of Apparmor fixes
   - Seccomp: remove 2-phase API, close hole where ptrace can change
     syscall #"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (156 commits)
  apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
  tpm: Add TPM 2.0 support to the Nuvoton i2c driver (NPCT6xx family)
  tpm: Factor out common startup code
  tpm: use devm_add_action_or_reset
  tpm2_i2c_nuvoton: add irq validity check
  tpm: read burstcount from TPM_STS in one 32-bit transaction
  tpm: fix byte-order for the value read by tpm2_get_tpm_pt
  tpm_tis_core: convert max timeouts from msec to jiffies
  apparmor: fix arg_size computation for when setprocattr is null terminated
  apparmor: fix oops, validate buffer size in apparmor_setprocattr()
  apparmor: do not expose kernel stack
  apparmor: fix module parameters can be changed after policy is locked
  apparmor: fix oops in profile_unpack() when policy_db is not present
  apparmor: don't check for vmalloc_addr if kvzalloc() failed
  apparmor: add missing id bounds check on dfa verification
  apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task
  apparmor: use list_next_entry instead of list_entry_next
  apparmor: fix refcount race when finding a child profile
  apparmor: fix ref count leak when profile sha1 hash is read
  apparmor: check that xindex is in trans_table bounds
  ...

2 files changed, 92 insertions, 98 deletions

diff --git a/kernel/capability.c b/kernel/capability.c
index 45432b54d5c6..00411c82dac5 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -361,6 +361,24 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
         return has_ns_capability_noaudit(t, &init_user_ns, cap);
 }
 
+static bool ns_capable_common(struct user_namespace *ns, int cap, bool audit)
+{
+        int capable;
+
+        if (unlikely(!cap_valid(cap))) {
+                pr_crit("capable() called with invalid cap=%u\n", cap);
+                BUG();
+        }
+
+        capable = audit ? security_capable(current_cred(), ns, cap) :
+                          security_capable_noaudit(current_cred(), ns, cap);
+        if (capable == 0) {
+                current->flags |= PF_SUPERPRIV;
+                return true;
+        }
+        return false;
+}
+
 /**
  * ns_capable - Determine if the current task has a superior capability in effect
  * @ns:  The usernamespace we want the capability in
@@ -374,19 +392,27 @@ bool has_capability_noaudit(struct task_struct *t, int cap)
  */
 bool ns_capable(struct user_namespace *ns, int cap)
 {
-        if (unlikely(!cap_valid(cap))) {
-                pr_crit("capable() called with invalid cap=%u\n", cap);
-                BUG();
-        }
-
-        if (security_capable(current_cred(), ns, cap) == 0) {
-                current->flags |= PF_SUPERPRIV;
-                return true;
-        }
-        return false;
+        return ns_capable_common(ns, cap, true);
 }
 EXPORT_SYMBOL(ns_capable);
 
+/**
+ * ns_capable_noaudit - Determine if the current task has a superior capability
+ * (unaudited) in effect
+ * @ns:  The usernamespace we want the capability in
+ * @cap: The capability to be tested for
+ *
+ * Return true if the current task has the given superior capability currently
+ * available for use, false if not.
+ *
+ * This sets PF_SUPERPRIV on the task if the capability is available on the
+ * assumption that it's about to be used.
+ */
+bool ns_capable_noaudit(struct user_namespace *ns, int cap)
+{
+        return ns_capable_common(ns, cap, false);
+}
+EXPORT_SYMBOL(ns_capable_noaudit);
 
 /**
  * capable - Determine if the current task has a superior capability in effect
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index 7002796f14a4..54d15eb2b701 100644
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -173,7 +173,7 @@ static int seccomp_check_filter(struct sock_filter *filter, unsigned int flen)
  *
  * Returns valid seccomp BPF response codes.
  */
-static u32 seccomp_run_filters(struct seccomp_data *sd)
+static u32 seccomp_run_filters(const struct seccomp_data *sd)
 {
         struct seccomp_data sd_local;
         u32 ret = SECCOMP_RET_ALLOW;
@@ -554,20 +554,10 @@ void secure_computing_strict(int this_syscall)
                 BUG();
 }
 #else
-int __secure_computing(void)
-{
-        u32 phase1_result = seccomp_phase1(NULL);
-
-        if (likely(phase1_result == SECCOMP_PHASE1_OK))
-                return 0;
-        else if (likely(phase1_result == SECCOMP_PHASE1_SKIP))
-                return -1;
-        else
-                return seccomp_phase2(phase1_result);
-}
 
 #ifdef CONFIG_SECCOMP_FILTER
-static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd)
+static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
+                            const bool recheck_after_trace)
 {
         u32 filter_ret, action;
         int data;
@@ -599,10 +589,46 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd)
                 goto skip;
 
         case SECCOMP_RET_TRACE:
-                return filter_ret;  /* Save the rest for phase 2. */
+                /* We've been put in this state by the ptracer already. */
+                if (recheck_after_trace)
+                        return 0;
+
+                /* ENOSYS these calls if there is no tracer attached. */
+                if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) {
+                        syscall_set_return_value(current,
+                                                 task_pt_regs(current),
+                                                 -ENOSYS, 0);
+                        goto skip;
+                }
+
+                /* Allow the BPF to provide the event message */
+                ptrace_event(PTRACE_EVENT_SECCOMP, data);
+                /*
+                 * The delivery of a fatal signal during event
+                 * notification may silently skip tracer notification.
+                 * Terminating the task now avoids executing a system
+                 * call that may not be intended.
+                 */
+                if (fatal_signal_pending(current))
+                        do_exit(SIGSYS);
+                /* Check if the tracer forced the syscall to be skipped. */
+                this_syscall = syscall_get_nr(current, task_pt_regs(current));
+                if (this_syscall < 0)
+                        goto skip;
+
+                /*
+                 * Recheck the syscall, since it may have changed. This
+                 * intentionally uses a NULL struct seccomp_data to force
+                 * a reload of all registers. This does not goto skip since
+                 * a skip would have already been reported.
+                 */
+                if (__seccomp_filter(this_syscall, NULL, true))
+                        return -1;
+
+                return 0;
 
         case SECCOMP_RET_ALLOW:
-                return SECCOMP_PHASE1_OK;
+                return 0;
 
         case SECCOMP_RET_KILL:
         default:
@@ -614,96 +640,38 @@ static u32 __seccomp_phase1_filter(int this_syscall, struct seccomp_data *sd)
 
 skip:
         audit_seccomp(this_syscall, 0, action);
-        return SECCOMP_PHASE1_SKIP;
+        return -1;
+}
+#else
+static int __seccomp_filter(int this_syscall, const struct seccomp_data *sd,
+                            const bool recheck_after_trace)
+{
+        BUG();
 }
 #endif
 
-/**
- * seccomp_phase1() - run fast path seccomp checks on the current syscall
- * @arg sd: The seccomp_data or NULL
- *
- * This only reads pt_regs via the syscall_xyz helpers.  The only change
- * it will make to pt_regs is via syscall_set_return_value, and it will
- * only do that if it returns SECCOMP_PHASE1_SKIP.
- *
- * If sd is provided, it will not read pt_regs at all.
- *
- * It may also call do_exit or force a signal; these actions must be
- * safe.
- *
- * If it returns SECCOMP_PHASE1_OK, the syscall passes checks and should
- * be processed normally.
- *
- * If it returns SECCOMP_PHASE1_SKIP, then the syscall should not be
- * invoked.  In this case, seccomp_phase1 will have set the return value
- * using syscall_set_return_value.
- *
- * If it returns anything else, then the return value should be passed
- * to seccomp_phase2 from a context in which ptrace hooks are safe.
- */
-u32 seccomp_phase1(struct seccomp_data *sd)
+int __secure_computing(const struct seccomp_data *sd)
 {
         int mode = current->seccomp.mode;
-        int this_syscall = sd ? sd->nr :
-                syscall_get_nr(current, task_pt_regs(current));
+        int this_syscall;
 
         if (config_enabled(CONFIG_CHECKPOINT_RESTORE) &&
             unlikely(current->ptrace & PT_SUSPEND_SECCOMP))
-                return SECCOMP_PHASE1_OK;
+                return 0;
+
+        this_syscall = sd ? sd->nr :
+                syscall_get_nr(current, task_pt_regs(current));
 
         switch (mode) {
         case SECCOMP_MODE_STRICT:
                 __secure_computing_strict(this_syscall);  /* may call do_exit */
-                return SECCOMP_PHASE1_OK;
-#ifdef CONFIG_SECCOMP_FILTER
+                return 0;
         case SECCOMP_MODE_FILTER:
-                return __seccomp_phase1_filter(this_syscall, sd);
-#endif
+                return __seccomp_filter(this_syscall, sd, false);
         default:
                 BUG();
         }
 }
-
-/**
- * seccomp_phase2() - finish slow path seccomp work for the current syscall
- * @phase1_result: The return value from seccomp_phase1()
- *
- * This must be called from a context in which ptrace hooks can be used.
- *
- * Returns 0 if the syscall should be processed or -1 to skip the syscall.
- */
-int seccomp_phase2(u32 phase1_result)
-{
-        struct pt_regs *regs = task_pt_regs(current);
-        u32 action = phase1_result & SECCOMP_RET_ACTION;
-        int data = phase1_result & SECCOMP_RET_DATA;
-
-        BUG_ON(action != SECCOMP_RET_TRACE);
-
-        audit_seccomp(syscall_get_nr(current, regs), 0, action);
-
-        /* Skip these calls if there is no tracer. */
-        if (!ptrace_event_enabled(current, PTRACE_EVENT_SECCOMP)) {
-                syscall_set_return_value(current, regs,
-                                         -ENOSYS, 0);
-                return -1;
-        }
-
-        /* Allow the BPF to provide the event message */
-        ptrace_event(PTRACE_EVENT_SECCOMP, data);
-        /*
-         * The delivery of a fatal signal during event
-         * notification may silently skip tracer notification.
-         * Terminating the task now avoids executing a system
-         * call that may not be intended.
-         */
-        if (fatal_signal_pending(current))
-                do_exit(SIGSYS);
-        if (syscall_get_nr(current, regs) < 0)
-                return -1;  /* Explicit request to skip. */
-
-        return 0;
-}
 #endif /* CONFIG_HAVE_ARCH_SECCOMP_FILTER */
 
 long prctl_get_seccomp(void)