Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
 "Apart from reordering the SELinux mmap code to ensure DAC is called
  before MAC, these are minor maintenance updates"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (23 commits)
  selinux: correctly label /proc inodes in use before the policy is loaded
  selinux: put the mmap() DAC controls before the MAC controls
  selinux: fix the output of ./scripts/get_maintainer.pl for SELinux
  evm: enable key retention service automatically
  ima: skip memory allocation for empty files
  evm: EVM does not use MD5
  ima: return d_name.name if d_path fails
  integrity: fix checkpatch errors
  ima: fix erroneous removal of security.ima xattr
  security: integrity: Use a more current logging style
  MAINTAINERS: email updates and other misc. changes
  ima: reduce memory usage when a template containing the n field is used
  ima: restore the original behavior for sending data with ima template
  Integrity: Pass commname via get_task_comm()
  fs: move i_readcount
  ima: use static const char array definitions
  security: have cap_dentry_init_security return error
  ima: new helper: file_inode(file)
  kernel: Mark function as static in kernel/seccomp.c
  capability: Use current logging styles
  ...

1 files changed, 37 insertions, 23 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b332e2cc0954..869c2f1e0da1 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -106,7 +106,7 @@ int selinux_enforcing;
 static int __init enforcing_setup(char *str)
 {
         unsigned long enforcing;
-        if (!strict_strtoul(str, 0, &enforcing))
+        if (!kstrtoul(str, 0, &enforcing))
                 selinux_enforcing = enforcing ? 1 : 0;
         return 1;
 }
@@ -119,7 +119,7 @@ int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
 static int __init selinux_enabled_setup(char *str)
 {
         unsigned long enabled;
-        if (!strict_strtoul(str, 0, &enabled))
+        if (!kstrtoul(str, 0, &enabled))
                 selinux_enabled = enabled ? 1 : 0;
         return 1;
 }
@@ -1418,15 +1418,33 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                 isec->sid = sbsec->sid;
 
                 if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
-                        if (opt_dentry) {
-                                isec->sclass = inode_mode_to_security_class(inode->i_mode);
-                                rc = selinux_proc_get_sid(opt_dentry,
-                                                          isec->sclass,
-                                                          &sid);
-                                if (rc)
-                                        goto out_unlock;
-                                isec->sid = sid;
-                        }
+                        /* We must have a dentry to determine the label on
+                         * procfs inodes */
+                        if (opt_dentry)
+                                /* Called from d_instantiate or
+                                 * d_splice_alias. */
+                                dentry = dget(opt_dentry);
+                        else
+                                /* Called from selinux_complete_init, try to
+                                 * find a dentry. */
+                                dentry = d_find_alias(inode);
+                        /*
+                         * This can be hit on boot when a file is accessed
+                         * before the policy is loaded.  When we load policy we
+                         * may find inodes that have no dentry on the
+                         * sbsec->isec_head list.  No reason to complain as
+                         * these will get fixed up the next time we go through
+                         * inode_doinit() with a dentry, before these inodes
+                         * could be used again by userspace.
+                         */
+                        if (!dentry)
+                                goto out_unlock;
+                        isec->sclass = inode_mode_to_security_class(inode->i_mode);
+                        rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
+                        dput(dentry);
+                        if (rc)
+                                goto out_unlock;
+                        isec->sid = sid;
                 }
                 break;
         }
@@ -3205,24 +3223,20 @@ error:
 
 static int selinux_mmap_addr(unsigned long addr)
 {
-        int rc = 0;
-        u32 sid = current_sid();
+        int rc;
+
+        /* do DAC check on address space usage */
+        rc = cap_mmap_addr(addr);
+        if (rc)
+                return rc;
 
-        /*
-         * notice that we are intentionally putting the SELinux check before
-         * the secondary cap_file_mmap check.  This is such a likely attempt
-         * at bad behaviour/exploit that we always want to get the AVC, even
-         * if DAC would have also denied the operation.
-         */
         if (addr < CONFIG_LSM_MMAP_MIN_ADDR) {
+                u32 sid = current_sid();
                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
                                   MEMPROTECT__MMAP_ZERO, NULL);
-                if (rc)
-                        return rc;
         }
 
-        /* do DAC check on address space usage */
-        return cap_mmap_addr(addr);
+        return rc;
 }
 
 static int selinux_mmap_file(struct file *file, unsigned long reqprot,