Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris:
 "Highlights:

  IMA:
   - provide ">" and "<" operators for fowner/uid/euid rules

  KEYS:
   - add a system blacklist keyring

   - add KEYCTL_RESTRICT_KEYRING, exposes keyring link restriction
     functionality to userland via keyctl()

  LSM:
   - harden LSM API with __ro_after_init

   - add prlmit security hook, implement for SELinux

   - revive security_task_alloc hook

  TPM:
   - implement contextual TPM command 'spaces'"

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (98 commits)
  tpm: Fix reference count to main device
  tpm_tis: convert to using locality callbacks
  tpm: fix handling of the TPM 2.0 event logs
  tpm_crb: remove a cruft constant
  keys: select CONFIG_CRYPTO when selecting DH / KDF
  apparmor: Make path_max parameter readonly
  apparmor: fix parameters so that the permission test is bypassed at boot
  apparmor: fix invalid reference to index variable of iterator line 836
  apparmor: use SHASH_DESC_ON_STACK
  security/apparmor/lsm.c: set debug messages
  apparmor: fix boolreturn.cocci warnings
  Smack: Use GFP_KERNEL for smk_netlbl_mls().
  smack: fix double free in smack_parse_opts_str()
  KEYS: add SP800-56A KDF support for DH
  KEYS: Keyring asymmetric key restrict method with chaining
  KEYS: Restrict asymmetric key linkage using a specific keychain
  KEYS: Add a lookup_restriction function for the asymmetric key type
  KEYS: Add KEYCTL_RESTRICT_KEYRING
  KEYS: Consistent ordering for __key_link_begin and restrict check
  KEYS: Add an optional lookup_restriction hook to key_type
  ...

10 files changed, 81 insertions, 62 deletions

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index ea7e3efbe0f7..8af7a690eb40 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -40,6 +40,7 @@ config SECURITY_SELINUX_BOOTPARAM_VALUE
 config SECURITY_SELINUX_DISABLE
         bool "NSA SELinux runtime disable"
         depends on SECURITY_SELINUX
+        select SECURITY_WRITABLE_HOOKS
         default n
         help
           This option enables writing to a selinuxfs node 'disable', which
@@ -50,6 +51,11 @@ config SECURITY_SELINUX_DISABLE
           portability across platforms where boot parameters are difficult
           to employ.
 
+          NOTE: selecting this option will disable the '__ro_after_init'
+          kernel hardening feature for security hooks.   Please consider
+          using the selinux=0 boot parameter instead of enabling this
+          option.
+
           If you are unsure how to answer this question, answer N.
 
 config SECURITY_SELINUX_DEVELOP
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 0c2ac318aa7f..e67a526d1f30 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3920,6 +3920,21 @@ static int selinux_task_getioprio(struct task_struct *p)
                             PROCESS__GETSCHED, NULL);
 }
 
+int selinux_task_prlimit(const struct cred *cred, const struct cred *tcred,
+                         unsigned int flags)
+{
+        u32 av = 0;
+
+        if (!flags)
+                return 0;
+        if (flags & LSM_PRLIMIT_WRITE)
+                av |= PROCESS__SETRLIMIT;
+        if (flags & LSM_PRLIMIT_READ)
+                av |= PROCESS__GETRLIMIT;
+        return avc_has_perm(cred_sid(cred), cred_sid(tcred),
+                            SECCLASS_PROCESS, av, NULL);
+}
+
 static int selinux_task_setrlimit(struct task_struct *p, unsigned int resource,
                 struct rlimit *new_rlim)
 {
@@ -4352,10 +4367,18 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                 u32 sid, node_perm;
 
                 if (family == PF_INET) {
+                        if (addrlen < sizeof(struct sockaddr_in)) {
+                                err = -EINVAL;
+                                goto out;
+                        }
                         addr4 = (struct sockaddr_in *)address;
                         snum = ntohs(addr4->sin_port);
                         addrp = (char *)&addr4->sin_addr.s_addr;
                 } else {
+                        if (addrlen < SIN6_LEN_RFC2133) {
+                                err = -EINVAL;
+                                goto out;
+                        }
                         addr6 = (struct sockaddr_in6 *)address;
                         snum = ntohs(addr6->sin6_port);
                         addrp = (char *)&addr6->sin6_addr.s6_addr;
@@ -6108,7 +6131,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
 
 #endif
 
-static struct security_hook_list selinux_hooks[] = {
+static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
         LSM_HOOK_INIT(binder_set_context_mgr, selinux_binder_set_context_mgr),
         LSM_HOOK_INIT(binder_transaction, selinux_binder_transaction),
         LSM_HOOK_INIT(binder_transfer_binder, selinux_binder_transfer_binder),
@@ -6206,6 +6229,7 @@ static struct security_hook_list selinux_hooks[] = {
         LSM_HOOK_INIT(task_setnice, selinux_task_setnice),
         LSM_HOOK_INIT(task_setioprio, selinux_task_setioprio),
         LSM_HOOK_INIT(task_getioprio, selinux_task_getioprio),
+        LSM_HOOK_INIT(task_prlimit, selinux_task_prlimit),
         LSM_HOOK_INIT(task_setrlimit, selinux_task_setrlimit),
         LSM_HOOK_INIT(task_setscheduler, selinux_task_setscheduler),
         LSM_HOOK_INIT(task_getscheduler, selinux_task_getscheduler),
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index d429c4a1c551..1e0cc9b5de20 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -47,7 +47,7 @@ struct security_class_mapping secclass_map[] = {
             "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
             "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
             "execmem", "execstack", "execheap", "setkeycreate",
-            "setsockcreate", NULL } },
+            "setsockcreate", "getrlimit", NULL } },
         { "system",
           { "ipc_info", "syslog_read", "syslog_mod",
             "syslog_console", "module_request", "module_load", NULL } },
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 8e67bb4c9cab..5aeaf30b7a13 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -28,7 +28,7 @@ struct nlmsg_perm {
         u32     perm;
 };
 
-static struct nlmsg_perm nlmsg_route_perms[] =
+static const struct nlmsg_perm nlmsg_route_perms[] =
 {
         { RTM_NEWLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
         { RTM_DELLINK,          NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
@@ -81,7 +81,7 @@ static struct nlmsg_perm nlmsg_route_perms[] =
         { RTM_GETSTATS,         NETLINK_ROUTE_SOCKET__NLMSG_READ  },
 };
 
-static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
+static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
 {
         { TCPDIAG_GETSOCK,      NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
         { DCCPDIAG_GETSOCK,     NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
@@ -89,7 +89,7 @@ static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
         { SOCK_DESTROY,         NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
 };
 
-static struct nlmsg_perm nlmsg_xfrm_perms[] =
+static const struct nlmsg_perm nlmsg_xfrm_perms[] =
 {
         { XFRM_MSG_NEWSA,       NETLINK_XFRM_SOCKET__NLMSG_WRITE },
         { XFRM_MSG_DELSA,       NETLINK_XFRM_SOCKET__NLMSG_WRITE },
@@ -116,7 +116,7 @@ static struct nlmsg_perm nlmsg_xfrm_perms[] =
         { XFRM_MSG_MAPPING,     NETLINK_XFRM_SOCKET__NLMSG_READ  },
 };
 
-static struct nlmsg_perm nlmsg_audit_perms[] =
+static const struct nlmsg_perm nlmsg_audit_perms[] =
 {
         { AUDIT_GET,            NETLINK_AUDIT_SOCKET__NLMSG_READ     },
         { AUDIT_SET,            NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
@@ -137,7 +137,7 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
 };
 
 
-static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize)
+static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
 {
         int i, err = -EINVAL;
 
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index cb3fd98fb05a..ce7171884223 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1456,10 +1456,10 @@ static int sel_avc_stats_seq_show(struct seq_file *seq, void *v)
 {
         struct avc_cache_stats *st = v;
 
-        if (v == SEQ_START_TOKEN)
-                seq_printf(seq, "lookups hits misses allocations reclaims "
-                           "frees\n");
-        else {
+        if (v == SEQ_START_TOKEN) {
+                seq_puts(seq,
+                         "lookups hits misses allocations reclaims frees\n");
+        } else {
                 unsigned int lookups = st->lookups;
                 unsigned int misses = st->misses;
                 unsigned int hits = lookups - misses;
diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 34afeadd9e73..771c96afe1d5 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -176,8 +176,9 @@ void cond_policydb_destroy(struct policydb *p)
 int cond_init_bool_indexes(struct policydb *p)
 {
         kfree(p->bool_val_to_struct);
-        p->bool_val_to_struct =
-                kmalloc(p->p_bools.nprim * sizeof(struct cond_bool_datum *), GFP_KERNEL);
+        p->bool_val_to_struct = kmalloc_array(p->p_bools.nprim,
+                                              sizeof(*p->bool_val_to_struct),
+                                              GFP_KERNEL);
         if (!p->bool_val_to_struct)
                 return -ENOMEM;
         return 0;
@@ -226,7 +227,7 @@ int cond_read_bool(struct policydb *p, struct hashtab *h, void *fp)
         u32 len;
         int rc;
 
-        booldatum = kzalloc(sizeof(struct cond_bool_datum), GFP_KERNEL);
+        booldatum = kzalloc(sizeof(*booldatum), GFP_KERNEL);
         if (!booldatum)
                 return -ENOMEM;
 
@@ -331,7 +332,7 @@ static int cond_insertf(struct avtab *a, struct avtab_key *k, struct avtab_datum
                 goto err;
         }
 
-        list = kzalloc(sizeof(struct cond_av_list), GFP_KERNEL);
+        list = kzalloc(sizeof(*list), GFP_KERNEL);
         if (!list) {
                 rc = -ENOMEM;
                 goto err;
@@ -420,7 +421,7 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
                         goto err;
 
                 rc = -ENOMEM;
-                expr = kzalloc(sizeof(struct cond_expr), GFP_KERNEL);
+                expr = kzalloc(sizeof(*expr), GFP_KERNEL);
                 if (!expr)
                         goto err;
 
@@ -471,7 +472,7 @@ int cond_read_list(struct policydb *p, void *fp)
 
         for (i = 0; i < len; i++) {
                 rc = -ENOMEM;
-                node = kzalloc(sizeof(struct cond_node), GFP_KERNEL);
+                node = kzalloc(sizeof(*node), GFP_KERNEL);
                 if (!node)
                         goto err;
 
@@ -663,5 +664,4 @@ void cond_compute_av(struct avtab *ctab, struct avtab_key *key,
                                 (node->key.specified & AVTAB_XPERMS))
                         services_compute_xperms_drivers(xperms, node);
         }
-        return;
 }
diff --git a/security/selinux/ss/hashtab.c b/security/selinux/ss/hashtab.c
index 2cc496149842..3858706a29fb 100644
--- a/security/selinux/ss/hashtab.c
+++ b/security/selinux/ss/hashtab.c
@@ -17,15 +17,15 @@ struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *
         u32 i;
 
         p = kzalloc(sizeof(*p), GFP_KERNEL);
-        if (p == NULL)
+        if (!p)
                 return p;
 
         p->size = size;
         p->nel = 0;
         p->hash_value = hash_value;
         p->keycmp = keycmp;
-        p->htable = kmalloc(sizeof(*(p->htable)) * size, GFP_KERNEL);
-        if (p->htable == NULL) {
+        p->htable = kmalloc_array(size, sizeof(*p->htable), GFP_KERNEL);
+        if (!p->htable) {
                 kfree(p);
                 return NULL;
         }
@@ -58,7 +58,7 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum)
                 return -EEXIST;
 
         newnode = kzalloc(sizeof(*newnode), GFP_KERNEL);
-        if (newnode == NULL)
+        if (!newnode)
                 return -ENOMEM;
         newnode->key = key;
         newnode->datum = datum;
@@ -87,7 +87,7 @@ void *hashtab_search(struct hashtab *h, const void *key)
         while (cur && h->keycmp(h, key, cur->key) > 0)
                 cur = cur->next;
 
-        if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
+        if (!cur || (h->keycmp(h, key, cur->key) != 0))
                 return NULL;
 
         return cur->datum;
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 9c92f29a38ea..0080122760ad 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -178,10 +178,9 @@ static int roles_init(struct policydb *p)
         int rc;
         struct role_datum *role;
 
-        rc = -ENOMEM;
         role = kzalloc(sizeof(*role), GFP_KERNEL);
         if (!role)
-                goto out;
+                return -ENOMEM;
 
         rc = -EINVAL;
         role->value = ++p->p_roles.nprim;
@@ -540,23 +539,23 @@ static int policydb_index(struct policydb *p)
 #endif
 
         rc = -ENOMEM;
-        p->class_val_to_struct =
-                kzalloc(p->p_classes.nprim * sizeof(*(p->class_val_to_struct)),
-                        GFP_KERNEL);
+        p->class_val_to_struct = kcalloc(p->p_classes.nprim,
+                                         sizeof(*p->class_val_to_struct),
+                                         GFP_KERNEL);
         if (!p->class_val_to_struct)
                 goto out;
 
         rc = -ENOMEM;
-        p->role_val_to_struct =
-                kzalloc(p->p_roles.nprim * sizeof(*(p->role_val_to_struct)),
-                        GFP_KERNEL);
+        p->role_val_to_struct = kcalloc(p->p_roles.nprim,
+                                        sizeof(*p->role_val_to_struct),
+                                        GFP_KERNEL);
         if (!p->role_val_to_struct)
                 goto out;
 
         rc = -ENOMEM;
-        p->user_val_to_struct =
-                kzalloc(p->p_users.nprim * sizeof(*(p->user_val_to_struct)),
-                        GFP_KERNEL);
+        p->user_val_to_struct = kcalloc(p->p_users.nprim,
+                                        sizeof(*p->user_val_to_struct),
+                                        GFP_KERNEL);
         if (!p->user_val_to_struct)
                 goto out;
 
@@ -880,8 +879,6 @@ void policydb_destroy(struct policydb *p)
         ebitmap_destroy(&p->filename_trans_ttypes);
         ebitmap_destroy(&p->policycaps);
         ebitmap_destroy(&p->permissive_map);
-
-        return;
 }
 
 /*
@@ -1120,10 +1117,9 @@ static int perm_read(struct policydb *p, struct hashtab *h, void *fp)
         __le32 buf[2];
         u32 len;
 
-        rc = -ENOMEM;
         perdatum = kzalloc(sizeof(*perdatum), GFP_KERNEL);
         if (!perdatum)
-                goto bad;
+                return -ENOMEM;
 
         rc = next_entry(buf, fp, sizeof buf);
         if (rc)
@@ -1154,10 +1150,9 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
         u32 len, nel;
         int i, rc;
 
-        rc = -ENOMEM;
         comdatum = kzalloc(sizeof(*comdatum), GFP_KERNEL);
         if (!comdatum)
-                goto bad;
+                return -ENOMEM;
 
         rc = next_entry(buf, fp, sizeof buf);
         if (rc)
@@ -1320,10 +1315,9 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
         u32 len, len2, ncons, nel;
         int i, rc;
 
-        rc = -ENOMEM;
         cladatum = kzalloc(sizeof(*cladatum), GFP_KERNEL);
         if (!cladatum)
-                goto bad;
+                return -ENOMEM;
 
         rc = next_entry(buf, fp, sizeof(u32)*6);
         if (rc)
@@ -1414,10 +1408,9 @@ static int role_read(struct policydb *p, struct hashtab *h, void *fp)
         __le32 buf[3];
         u32 len;
 
-        rc = -ENOMEM;
         role = kzalloc(sizeof(*role), GFP_KERNEL);
         if (!role)
-                goto bad;
+                return -ENOMEM;
 
         if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
                 to_read = 3;
@@ -1471,10 +1464,9 @@ static int type_read(struct policydb *p, struct hashtab *h, void *fp)
         __le32 buf[4];
         u32 len;
 
-        rc = -ENOMEM;
         typdatum = kzalloc(sizeof(*typdatum), GFP_KERNEL);
         if (!typdatum)
-                goto bad;
+                return -ENOMEM;
 
         if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
                 to_read = 4;
@@ -1546,10 +1538,9 @@ static int user_read(struct policydb *p, struct hashtab *h, void *fp)
         __le32 buf[3];
         u32 len;
 
-        rc = -ENOMEM;
         usrdatum = kzalloc(sizeof(*usrdatum), GFP_KERNEL);
         if (!usrdatum)
-                goto bad;
+                return -ENOMEM;
 
         if (p->policyvers >= POLICYDB_VERSION_BOUNDARY)
                 to_read = 3;
@@ -1597,10 +1588,9 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
         __le32 buf[2];
         u32 len;
 
-        rc = -ENOMEM;
         levdatum = kzalloc(sizeof(*levdatum), GFP_ATOMIC);
         if (!levdatum)
-                goto bad;
+                return -ENOMEM;
 
         rc = next_entry(buf, fp, sizeof buf);
         if (rc)
@@ -1614,7 +1604,7 @@ static int sens_read(struct policydb *p, struct hashtab *h, void *fp)
                 goto bad;
 
         rc = -ENOMEM;
-        levdatum->level = kmalloc(sizeof(struct mls_level), GFP_ATOMIC);
+        levdatum->level = kmalloc(sizeof(*levdatum->level), GFP_ATOMIC);
         if (!levdatum->level)
                 goto bad;
 
@@ -1639,10 +1629,9 @@ static int cat_read(struct policydb *p, struct hashtab *h, void *fp)
         __le32 buf[3];
         u32 len;
 
-        rc = -ENOMEM;
         catdatum = kzalloc(sizeof(*catdatum), GFP_ATOMIC);
         if (!catdatum)
-                goto bad;
+                return -ENOMEM;
 
         rc = next_entry(buf, fp, sizeof buf);
         if (rc)
@@ -1854,7 +1843,7 @@ static int range_read(struct policydb *p, void *fp)
 
         rc = next_entry(buf, fp, sizeof(u32));
         if (rc)
-                goto out;
+                return rc;
 
         nel = le32_to_cpu(buf[0]);
         for (i = 0; i < nel; i++) {
@@ -1931,7 +1920,6 @@ static int filename_trans_read(struct policydb *p, void *fp)
         nel = le32_to_cpu(buf[0]);
 
         for (i = 0; i < nel; i++) {
-                ft = NULL;
                 otype = NULL;
                 name = NULL;
 
@@ -2008,7 +1996,7 @@ static int genfs_read(struct policydb *p, void *fp)
 
         rc = next_entry(buf, fp, sizeof(u32));
         if (rc)
-                goto out;
+                return rc;
         nel = le32_to_cpu(buf[0]);
 
         for (i = 0; i < nel; i++) {
@@ -2100,9 +2088,10 @@ static int genfs_read(struct policydb *p, void *fp)
         }
         rc = 0;
 out:
-        if (newgenfs)
+        if (newgenfs) {
                 kfree(newgenfs->fstype);
-        kfree(newgenfs);
+                kfree(newgenfs);
+        }
         ocontext_destroy(newc, OCON_FSUSE);
 
         return rc;
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index b4aa491a0a23..60d9b0252321 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -157,7 +157,7 @@ static int selinux_set_mapping(struct policydb *pol,
                 }
 
                 k = 0;
-                while (p_in->perms && p_in->perms[k]) {
+                while (p_in->perms[k]) {
                         /* An empty permission string skips ahead */
                         if (!*p_in->perms[k]) {
                                 k++;
diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
index 5840a35155fc..f6915f257486 100644
--- a/security/selinux/ss/sidtab.c
+++ b/security/selinux/ss/sidtab.c
@@ -18,7 +18,7 @@ int sidtab_init(struct sidtab *s)
 {
         int i;
 
-        s->htable = kmalloc(sizeof(*(s->htable)) * SIDTAB_SIZE, GFP_ATOMIC);
+        s->htable = kmalloc_array(SIDTAB_SIZE, sizeof(*s->htable), GFP_ATOMIC);
         if (!s->htable)
                 return -ENOMEM;
         for (i = 0; i < SIDTAB_SIZE; i++)
@@ -54,7 +54,7 @@ int sidtab_insert(struct sidtab *s, u32 sid, struct context *context)
         }
 
         newnode = kmalloc(sizeof(*newnode), GFP_ATOMIC);
-        if (newnode == NULL) {
+        if (!newnode) {
                 rc = -ENOMEM;
                 goto out;
         }
@@ -98,7 +98,7 @@ static struct context *sidtab_search_core(struct sidtab *s, u32 sid, int force)
         if (force && cur && sid == cur->sid && cur->context.len)
                 return &cur->context;
 
-        if (cur == NULL || sid != cur->sid || cur->context.len) {
+        if (!cur || sid != cur->sid || cur->context.len) {
                 /* Remap invalid SIDs to the unlabeled SID. */
                 sid = SECINITSID_UNLABELED;
                 hvalue = SIDTAB_HASH(sid);