Merge tag 'selinux-pr-20170831' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux

Pull selinux updates from Paul Moore:
 "A relatively quiet period for SELinux, 11 patches with only two/three
  having any substantive changes.

  These noteworthy changes include another tweak to the NNP/nosuid
  handling, per-file labeling for cgroups, and an object class fix for
  AF_UNIX/SOCK_RAW sockets; the rest of the changes are minor tweaks or
  administrative updates (Stephen's email update explains the file
  explosion in the diffstat).

  Everything passes the selinux-testsuite"

[ Also a couple of small patches from the security tree from Tetsuo
  Handa for Tomoyo and LSM cleanup. The separation of security policy
  updates wasn't all that clean - Linus ]

* tag 'selinux-pr-20170831' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
  selinux: constify nf_hook_ops
  selinux: allow per-file labeling for cgroupfs
  lsm_audit: update my email address
  selinux: update my email address
  MAINTAINERS: update the NetLabel and Labeled Networking information
  selinux: use GFP_NOWAIT in the AVC kmem_caches
  selinux: Generalize support for NNP/nosuid SELinux domain transitions
  selinux: genheaders should fail if too many permissions are defined
  selinux: update the selinux info in MAINTAINERS
  credits: update Paul Moore's info
  selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets
  tomoyo: Update URLs in Documentation/admin-guide/LSM/tomoyo.rst
  LSM: Remove security_task_create() hook.

1 files changed, 37 insertions, 17 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ad3b0f53ede0..f5d304736852 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3,7 +3,7 @@
  *
  *  This file contains the SELinux hook function implementations.
  *
- *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
+ *  Authors:  Stephen Smalley, <sds@tycho.nsa.gov>
  *            Chris Vance, <cvance@nai.com>
  *            Wayne Salamon, <wsalamon@nai.com>
  *            James Morris <jmorris@redhat.com>
@@ -815,7 +815,9 @@ static int selinux_set_mnt_opts(struct super_block *sb,
         if (!strcmp(sb->s_type->name, "debugfs") ||
             !strcmp(sb->s_type->name, "tracefs") ||
             !strcmp(sb->s_type->name, "sysfs") ||
-            !strcmp(sb->s_type->name, "pstore"))
+            !strcmp(sb->s_type->name, "pstore") ||
+            !strcmp(sb->s_type->name, "cgroup") ||
+            !strcmp(sb->s_type->name, "cgroup2"))
                 sbsec->flags |= SE_SBGENFS;
 
         if (!sbsec->behavior) {
@@ -1303,6 +1305,7 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
                 case SOCK_SEQPACKET:
                         return SECCLASS_UNIX_STREAM_SOCKET;
                 case SOCK_DGRAM:
+                case SOCK_RAW:
                         return SECCLASS_UNIX_DGRAM_SOCKET;
                 }
                 break;
@@ -2317,6 +2320,7 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
         int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
         int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
         int rc;
+        u32 av;
 
         if (!nnp && !nosuid)
                 return 0; /* neither NNP nor nosuid */
@@ -2325,24 +2329,40 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
                 return 0; /* No change in credentials */
 
         /*
-         * The only transitions we permit under NNP or nosuid
-         * are transitions to bounded SIDs, i.e. SIDs that are
-         * guaranteed to only be allowed a subset of the permissions
-         * of the current SID.
+         * If the policy enables the nnp_nosuid_transition policy capability,
+         * then we permit transitions under NNP or nosuid if the
+         * policy allows the corresponding permission between
+         * the old and new contexts.
          */
-        rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
-        if (rc) {
-                /*
-                 * On failure, preserve the errno values for NNP vs nosuid.
-                 * NNP:  Operation not permitted for caller.
-                 * nosuid:  Permission denied to file.
-                 */
+        if (selinux_policycap_nnp_nosuid_transition) {
+                av = 0;
                 if (nnp)
-                        return -EPERM;
-                else
-                        return -EACCES;
+                        av |= PROCESS2__NNP_TRANSITION;
+                if (nosuid)
+                        av |= PROCESS2__NOSUID_TRANSITION;
+                rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
+                                  SECCLASS_PROCESS2, av, NULL);
+                if (!rc)
+                        return 0;
         }
-        return 0;
+
+        /*
+         * We also permit NNP or nosuid transitions to bounded SIDs,
+         * i.e. SIDs that are guaranteed to only be allowed a subset
+         * of the permissions of the current SID.
+         */
+        rc = security_bounded_transition(old_tsec->sid, new_tsec->sid);
+        if (!rc)
+                return 0;
+
+        /*
+         * On failure, preserve the errno values for NNP vs nosuid.
+         * NNP:  Operation not permitted for caller.
+         * nosuid:  Permission denied to file.
+         */
+        if (nnp)
+                return -EPERM;
+        return -EACCES;
 }
 
 static int selinux_bprm_set_creds(struct linux_binprm *bprm)