Merge tag 'apparmor-pr-2018-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull AppArmor updates from John Johansen:
 "Features
   - add support for mapping secids and using secctxes
   - add the ability to get a task's secid
   - add support for audit rule filtering

  Cleanups:
   - multiple typo fixes
   - Convert to use match_string() helper
   - update git and wiki locations in AppArmor docs
   - improve get_buffers macro by using get_cpu_ptr
   - Use an IDR to allocate apparmor secids

  Bug fixes:
   - fix '*seclen' is never less than zero
   - fix mediation of prlimit
   - fix memory leak when deduping profile load
   - fix ptrace read check
   - fix memory leak of rule on error exit path"

* tag 'apparmor-pr-2018-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (21 commits)
  apparmor: fix ptrace read check
  apparmor: fix memory leak when deduping profile load
  apparmor: fix mediation of prlimit
  apparmor: fixup secid map conversion to using IDR
  apparmor: Use an IDR to allocate apparmor secids
  apparmor: Fix memory leak of rule on error exit path
  apparmor: modify audit rule support to support profile stacks
  apparmor: Add support for audit rule filtering
  apparmor: update git and wiki locations in AppArmor docs
  apparmor: Convert to use match_string() helper
  apparmor: improve get_buffers macro by using get_cpu_ptr
  apparmor: fix '*seclen' is never less than zero
  apparmor: fix typo "preconfinement"
  apparmor: fix typo "independent"
  apparmor: fix typo "traverse"
  apparmor: fix typo "type"
  apparmor: fix typo "replace"
  apparmor: fix typo "comparison"
  apparmor: fix typo "loosen"
  apparmor: add the ability to get a task's secid
  ...

14 files changed, 310 insertions, 71 deletions

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 8f9ecac7f8de..eeaddfe0c0fb 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -19,7 +19,7 @@
 #include "include/audit.h"
 #include "include/policy.h"
 #include "include/policy_ns.h"
-
+#include "include/secid.h"
 
 const char *const audit_mode_names[] = {
         "normal",
@@ -163,3 +163,91 @@ int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
 
         return aad(sa)->error;
 }
+
+struct aa_audit_rule {
+        struct aa_label *label;
+};
+
+void aa_audit_rule_free(void *vrule)
+{
+        struct aa_audit_rule *rule = vrule;
+
+        if (rule) {
+                if (!IS_ERR(rule->label))
+                        aa_put_label(rule->label);
+                kfree(rule);
+        }
+}
+
+int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
+{
+        struct aa_audit_rule *rule;
+
+        switch (field) {
+        case AUDIT_SUBJ_ROLE:
+                if (op != Audit_equal && op != Audit_not_equal)
+                        return -EINVAL;
+                break;
+        default:
+                return -EINVAL;
+        }
+
+        rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
+
+        if (!rule)
+                return -ENOMEM;
+
+        /* Currently rules are treated as coming from the root ns */
+        rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
+                                     GFP_KERNEL, true, false);
+        if (IS_ERR(rule->label)) {
+                aa_audit_rule_free(rule);
+                return PTR_ERR(rule->label);
+        }
+
+        *vrule = rule;
+        return 0;
+}
+
+int aa_audit_rule_known(struct audit_krule *rule)
+{
+        int i;
+
+        for (i = 0; i < rule->field_count; i++) {
+                struct audit_field *f = &rule->fields[i];
+
+                switch (f->type) {
+                case AUDIT_SUBJ_ROLE:
+                        return 1;
+                }
+        }
+
+        return 0;
+}
+
+int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+                        struct audit_context *actx)
+{
+        struct aa_audit_rule *rule = vrule;
+        struct aa_label *label;
+        int found = 0;
+
+        label = aa_secid_to_label(sid);
+
+        if (!label)
+                return -ENOENT;
+
+        if (aa_label_is_subset(label, rule->label))
+                found = 1;
+
+        switch (field) {
+        case AUDIT_SUBJ_ROLE:
+                switch (op) {
+                case Audit_equal:
+                        return found;
+                case Audit_not_equal:
+                        return !found;
+                }
+        }
+        return 0;
+}
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 590b7e8cd21c..098d546d8253 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -839,7 +839,7 @@ static struct aa_label *handle_onexec(struct aa_label *label,
                                                    cond, unsafe));
 
         } else {
-                /* TODO: determine how much we want to losen this */
+                /* TODO: determine how much we want to loosen this */
                 error = fn_for_each_in_ns(label, profile,
                                 profile_onexec(profile, onexec, stack, bprm,
                                                buffer, cond, unsafe));
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 9c9be9c98c15..b8c8b1066b0a 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -189,4 +189,10 @@ static inline int complain_error(int error)
         return error;
 }
 
+void aa_audit_rule_free(void *vrule);
+int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
+int aa_audit_rule_known(struct audit_krule *rule);
+int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+                        struct audit_context *actx);
+
 #endif /* __AA_AUDIT_H */
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
index d871e7ff0952..7ce5fe73ae7f 100644
--- a/security/apparmor/include/label.h
+++ b/security/apparmor/include/label.h
@@ -281,7 +281,7 @@ void __aa_labelset_update_subtree(struct aa_ns *ns);
 
 void aa_label_free(struct aa_label *label);
 void aa_label_kref(struct kref *kref);
-bool aa_label_init(struct aa_label *label, int size);
+bool aa_label_init(struct aa_label *label, int size, gfp_t gfp);
 struct aa_label *aa_label_alloc(int size, struct aa_proxy *proxy, gfp_t gfp);
 
 bool aa_label_is_subset(struct aa_label *set, struct aa_label *sub);
diff --git a/security/apparmor/include/path.h b/security/apparmor/include/path.h
index e042b994f2b8..b6380c5f0097 100644
--- a/security/apparmor/include/path.h
+++ b/security/apparmor/include/path.h
@@ -43,10 +43,11 @@ struct aa_buffers {
 
 DECLARE_PER_CPU(struct aa_buffers, aa_buffers);
 
-#define ASSIGN(FN, X, N) ((X) = FN(N))
-#define EVAL1(FN, X) ASSIGN(FN, X, 0) /*X = FN(0)*/
-#define EVAL2(FN, X, Y...) do { ASSIGN(FN, X, 1);  EVAL1(FN, Y); } while (0)
-#define EVAL(FN, X...) CONCATENATE(EVAL, COUNT_ARGS(X))(FN, X)
+#define ASSIGN(FN, A, X, N) ((X) = FN(A, N))
+#define EVAL1(FN, A, X) ASSIGN(FN, A, X, 0) /*X = FN(0)*/
+#define EVAL2(FN, A, X, Y...)   \
+        do { ASSIGN(FN, A, X, 1);  EVAL1(FN, A, Y); } while (0)
+#define EVAL(FN, A, X...) CONCATENATE(EVAL, COUNT_ARGS(X))(FN, A, X)
 
 #define for_each_cpu_buffer(I) for ((I) = 0; (I) < MAX_PATH_BUFFERS; (I)++)
 
@@ -56,26 +57,24 @@ DECLARE_PER_CPU(struct aa_buffers, aa_buffers);
 #define AA_BUG_PREEMPT_ENABLED(X) /* nop */
 #endif
 
-#define __get_buffer(N) ({                                      \
-        struct aa_buffers *__cpu_var; \
+#define __get_buffer(C, N) ({                                           \
         AA_BUG_PREEMPT_ENABLED("__get_buffer without preempt disabled");  \
-        __cpu_var = this_cpu_ptr(&aa_buffers);                  \
-        __cpu_var->buf[(N)]; })
+        (C)->buf[(N)]; })
 
-#define __get_buffers(X...)    EVAL(__get_buffer, X)
+#define __get_buffers(C, X...)    EVAL(__get_buffer, C, X)
 
 #define __put_buffers(X, Y...) ((void)&(X))
 
-#define get_buffers(X...)       \
-do {                            \
-        preempt_disable();      \
-        __get_buffers(X);       \
+#define get_buffers(X...)                                               \
+do {                                                                    \
+        struct aa_buffers *__cpu_var = get_cpu_ptr(&aa_buffers);        \
+        __get_buffers(__cpu_var, X);                                    \
 } while (0)
 
-#define put_buffers(X, Y...)    \
-do {                            \
-        __put_buffers(X, Y);    \
-        preempt_enable();       \
+#define put_buffers(X, Y...)            \
+do {                                    \
+        __put_buffers(X, Y);            \
+        put_cpu_ptr(&aa_buffers);       \
 } while (0)
 
 #endif /* __AA_PATH_H */
diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
index 95ed86a0f1e2..dee6fa3b6081 100644
--- a/security/apparmor/include/secid.h
+++ b/security/apparmor/include/secid.h
@@ -3,7 +3,7 @@
  *
  * This file contains AppArmor security identifier (secid) definitions
  *
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2009-2018 Canonical Ltd.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
@@ -14,13 +14,24 @@
 #ifndef __AA_SECID_H
 #define __AA_SECID_H
 
+#include <linux/slab.h>
 #include <linux/types.h>
 
+struct aa_label;
+
 /* secid value that will not be allocated */
 #define AA_SECID_INVALID 0
-#define AA_SECID_ALLOC AA_SECID_INVALID
 
-u32 aa_alloc_secid(void);
+struct aa_label *aa_secid_to_label(u32 secid);
+int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+void apparmor_release_secctx(char *secdata, u32 seclen);
+
+
+int aa_alloc_secid(struct aa_label *label, gfp_t gfp);
 void aa_free_secid(u32 secid);
+void aa_secid_update(u32 secid, struct aa_label *label);
+
+void aa_secids_init(void);
 
 #endif /* __AA_SECID_H */
diff --git a/security/apparmor/label.c b/security/apparmor/label.c
index 523250e34837..ba11bdf9043a 100644
--- a/security/apparmor/label.c
+++ b/security/apparmor/label.c
@@ -128,7 +128,7 @@ static int ns_cmp(struct aa_ns *a, struct aa_ns *b)
 }
 
 /**
- * profile_cmp - profile comparision for set ordering
+ * profile_cmp - profile comparison for set ordering
  * @a: profile to compare (NOT NULL)
  * @b: profile to compare (NOT NULL)
  *
@@ -157,7 +157,7 @@ static int profile_cmp(struct aa_profile *a, struct aa_profile *b)
 }
 
 /**
- * vec_cmp - label comparision for set ordering
+ * vec_cmp - label comparison for set ordering
  * @a: label to compare (NOT NULL)
  * @vec: vector of profiles to compare (NOT NULL)
  * @n: length of @vec
@@ -402,13 +402,12 @@ static void label_free_or_put_new(struct aa_label *label, struct aa_label *new)
                 aa_put_label(new);
 }
 
-bool aa_label_init(struct aa_label *label, int size)
+bool aa_label_init(struct aa_label *label, int size, gfp_t gfp)
 {
         AA_BUG(!label);
         AA_BUG(size < 1);
 
-        label->secid = aa_alloc_secid();
-        if (label->secid == AA_SECID_INVALID)
+        if (aa_alloc_secid(label, gfp) < 0)
                 return false;
 
         label->size = size;                     /* doesn't include null */
@@ -441,7 +440,7 @@ struct aa_label *aa_label_alloc(int size, struct aa_proxy *proxy, gfp_t gfp)
         if (!new)
                 goto fail;
 
-        if (!aa_label_init(new, size))
+        if (!aa_label_init(new, size, gfp))
                 goto fail;
 
         if (!proxy) {
@@ -463,7 +462,7 @@ fail:
 
 
 /**
- * label_cmp - label comparision for set ordering
+ * label_cmp - label comparison for set ordering
  * @a: label to compare (NOT NULL)
  * @b: label to compare (NOT NULL)
  *
@@ -2011,7 +2010,7 @@ out:
 
 /**
  * __label_update - insert updated version of @label into labelset
- * @label - the label to update/repace
+ * @label - the label to update/replace
  *
  * Returns: new label that is up to date
  *     else NULL on failure
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
index 068a9f471f77..a7b3f681b80e 100644
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -408,7 +408,7 @@ int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
  * @request: requested perms
  * @deny: Returns: explicit deny set
  * @sa: initialized audit structure (MAY BE NULL if not auditing)
- * @cb: callback fn for tpye specific fields (MAY BE NULL)
+ * @cb: callback fn for type specific fields (MAY BE NULL)
  *
  * Returns: 0 if permission else error code
  *
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index ce2b89e9ad94..74f17376202b 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -39,6 +39,7 @@
 #include "include/policy_ns.h"
 #include "include/procattr.h"
 #include "include/mount.h"
+#include "include/secid.h"
 
 /* Flag indicating whether initialization completed */
 int apparmor_initialized;
@@ -116,7 +117,8 @@ static int apparmor_ptrace_access_check(struct task_struct *child,
         tracer = begin_current_label_crit_section();
         tracee = aa_get_task_label(child);
         error = aa_may_ptrace(tracer, tracee,
-                  mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
+                        (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
+                                                  : AA_PTRACE_TRACE);
         aa_put_label(tracee);
         end_current_label_crit_section(tracer);
 
@@ -710,6 +712,13 @@ static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
         return;
 }
 
+static void apparmor_task_getsecid(struct task_struct *p, u32 *secid)
+{
+        struct aa_label *label = aa_get_task_label(p);
+        *secid = label->secid;
+        aa_put_label(label);
+}
+
 static int apparmor_task_setrlimit(struct task_struct *task,
                 unsigned int resource, struct rlimit *new_rlim)
 {
@@ -1186,8 +1195,20 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
 
         LSM_HOOK_INIT(task_free, apparmor_task_free),
         LSM_HOOK_INIT(task_alloc, apparmor_task_alloc),
+        LSM_HOOK_INIT(task_getsecid, apparmor_task_getsecid),
         LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
         LSM_HOOK_INIT(task_kill, apparmor_task_kill),
+
+#ifdef CONFIG_AUDIT
+        LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init),
+        LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known),
+        LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match),
+        LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free),
+#endif
+
+        LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
+        LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
+        LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
 };
 
 /*
@@ -1378,14 +1399,12 @@ static int param_set_audit(const char *val, const struct kernel_param *kp)
         if (apparmor_initialized && !policy_admin_capable(NULL))
                 return -EPERM;
 
-        for (i = 0; i < AUDIT_MAX_INDEX; i++) {
-                if (strcmp(val, audit_mode_names[i]) == 0) {
-                        aa_g_audit = i;
-                        return 0;
-                }
-        }
+        i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val);
+        if (i < 0)
+                return -EINVAL;
 
-        return -EINVAL;
+        aa_g_audit = i;
+        return 0;
 }
 
 static int param_get_mode(char *buffer, const struct kernel_param *kp)
@@ -1409,14 +1428,13 @@ static int param_set_mode(const char *val, const struct kernel_param *kp)
         if (apparmor_initialized && !policy_admin_capable(NULL))
                 return -EPERM;
 
-        for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
-                if (strcmp(val, aa_profile_mode_names[i]) == 0) {
-                        aa_g_profile_mode = i;
-                        return 0;
-                }
-        }
+        i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX,
+                         val);
+        if (i < 0)
+                return -EINVAL;
 
-        return -EINVAL;
+        aa_g_profile_mode = i;
+        return 0;
 }
 
 /*
@@ -1530,6 +1548,8 @@ static int __init apparmor_init(void)
                 return 0;
         }
 
+        aa_secids_init();
+
         error = aa_setup_dfa_engine();
         if (error) {
                 AA_ERROR("Unable to setup dfa engine\n");
diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 280eba082c7b..55f2ee505a01 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -472,7 +472,7 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
 
 /**
  * aa_dfa_next - step one character to the next state in the dfa
- * @dfa: the dfa to tranverse (NOT NULL)
+ * @dfa: the dfa to traverse (NOT NULL)
  * @state: the state to start in
  * @c: the input character to transition on
  *
diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
index 6e8c7ac0b33d..c1da22482bfb 100644
--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -121,7 +121,7 @@ static void audit_cb(struct audit_buffer *ab, void *va)
  * @src_name: src_name of object being mediated (MAYBE_NULL)
  * @type: type of filesystem (MAYBE_NULL)
  * @trans: name of trans (MAYBE NULL)
- * @flags: filesystem idependent mount flags
+ * @flags: filesystem independent mount flags
  * @data: filesystem mount flags
  * @request: permissions requested
  * @perms: the permissions computed for the request (NOT NULL)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index c07493ce2376..1590e2de4e84 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -268,7 +268,7 @@ struct aa_profile *aa_alloc_profile(const char *hname, struct aa_proxy *proxy,
 
         if (!aa_policy_init(&profile->base, NULL, hname, gfp))
                 goto fail;
-        if (!aa_label_init(&profile->label, 1))
+        if (!aa_label_init(&profile->label, 1, gfp))
                 goto fail;
 
         /* update being set needed by fs interface */
@@ -1008,6 +1008,9 @@ ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
                         audit_policy(label, op, ns_name, ent->new->base.hname,
                                      "same as current profile, skipping",
                                      error);
+                        /* break refcount cycle with proxy. */
+                        aa_put_proxy(ent->new->label.proxy);
+                        ent->new->label.proxy = NULL;
                         goto skip;
                 }
 
@@ -1085,7 +1088,7 @@ fail:
  * Remove a profile or sub namespace from the current namespace, so that
  * they can not be found anymore and mark them as replaced by unconfined
  *
- * NOTE: removing confinement does not restore rlimits to preconfinemnet values
+ * NOTE: removing confinement does not restore rlimits to preconfinement values
  *
  * Returns: size of data consume else error code if fails
  */
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index d022137143b9..95fd26d09757 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -124,7 +124,7 @@ int aa_task_setrlimit(struct aa_label *label, struct task_struct *task,
          */
 
         if (label != peer &&
-            !aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT))
+            aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT) != 0)
                 error = fn_for_each(label, profile,
                                 audit_resource(profile, resource,
                                                new_rlim->rlim_max, peer,
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index 3a3edbad0b21..f2f22d00db18 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -3,7 +3,7 @@
  *
  * This file contains AppArmor security identifier (secid) manipulation fns
  *
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2009-2017 Canonical Ltd.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
@@ -11,38 +11,142 @@
  * License.
  *
  *
- * AppArmor allocates a unique secid for every profile loaded.  If a profile
- * is replaced it receives the secid of the profile it is replacing.
- *
- * The secid value of 0 is invalid.
+ * AppArmor allocates a unique secid for every label used. If a label
+ * is replaced it receives the secid of the label it is replacing.
  */
 
-#include <linux/spinlock.h>
 #include <linux/errno.h>
 #include <linux/err.h>
+#include <linux/gfp.h>
+#include <linux/idr.h>
+#include <linux/slab.h>
+#include <linux/spinlock.h>
 
+#include "include/cred.h"
+#include "include/lib.h"
 #include "include/secid.h"
+#include "include/label.h"
+#include "include/policy_ns.h"
+
+/*
+ * secids - do not pin labels with a refcount. They rely on the label
+ * properly updating/freeing them
+ */
 
-/* global counter from which secids are allocated */
-static u32 global_secid;
+#define AA_FIRST_SECID 1
+
+static DEFINE_IDR(aa_secids);
 static DEFINE_SPINLOCK(secid_lock);
 
-/* TODO FIXME: add secid to profile mapping, and secid recycling */
+/*
+ * TODO: allow policy to reserve a secid range?
+ * TODO: add secid pinning
+ * TODO: use secid_update in label replace
+ */
+
+/**
+ * aa_secid_update - update a secid mapping to a new label
+ * @secid: secid to update
+ * @label: label the secid will now map to
+ */
+void aa_secid_update(u32 secid, struct aa_label *label)
+{
+        unsigned long flags;
+
+        spin_lock_irqsave(&secid_lock, flags);
+        idr_replace(&aa_secids, label, secid);
+        spin_unlock_irqrestore(&secid_lock, flags);
+}
+
+/**
+ *
+ * see label for inverse aa_label_to_secid
+ */
+struct aa_label *aa_secid_to_label(u32 secid)
+{
+        struct aa_label *label;
+
+        rcu_read_lock();
+        label = idr_find(&aa_secids, secid);
+        rcu_read_unlock();
+
+        return label;
+}
+
+int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+{
+        /* TODO: cache secctx and ref count so we don't have to recreate */
+        struct aa_label *label = aa_secid_to_label(secid);
+        int len;
+
+        AA_BUG(!secdata);
+        AA_BUG(!seclen);
+
+        if (!label)
+                return -EINVAL;
+
+        if (secdata)
+                len = aa_label_asxprint(secdata, root_ns, label,
+                                        FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
+                                        FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT,
+                                        GFP_ATOMIC);
+        else
+                len = aa_label_snxprint(NULL, 0, root_ns, label,
+                                        FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
+                                        FLAG_HIDDEN_UNCONFINED | FLAG_ABS_ROOT);
+        if (len < 0)
+                return -ENOMEM;
+
+        *seclen = len;
+
+        return 0;
+}
+
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+{
+        struct aa_label *label;
+
+        label = aa_label_strn_parse(&root_ns->unconfined->label, secdata,
+                                    seclen, GFP_KERNEL, false, false);
+        if (IS_ERR(label))
+                return PTR_ERR(label);
+        *secid = label->secid;
+
+        return 0;
+}
+
+void apparmor_release_secctx(char *secdata, u32 seclen)
+{
+        kfree(secdata);
+}
 
 /**
  * aa_alloc_secid - allocate a new secid for a profile
+ * @label: the label to allocate a secid for
+ * @gfp: memory allocation flags
+ *
+ * Returns: 0 with @label->secid initialized
+ *          <0 returns error with @label->secid set to AA_SECID_INVALID
  */
-u32 aa_alloc_secid(void)
+int aa_alloc_secid(struct aa_label *label, gfp_t gfp)
 {
-        u32 secid;
+        unsigned long flags;
+        int ret;
+
+        idr_preload(gfp);
+        spin_lock_irqsave(&secid_lock, flags);
+        ret = idr_alloc(&aa_secids, label, AA_FIRST_SECID, 0, GFP_ATOMIC);
+        spin_unlock_irqrestore(&secid_lock, flags);
+        idr_preload_end();
 
-        /*
-         * TODO FIXME: secid recycling - part of profile mapping table
-         */
-        spin_lock(&secid_lock);
-        secid = (++global_secid);
-        spin_unlock(&secid_lock);
-        return secid;
+        if (ret < 0) {
+                label->secid = AA_SECID_INVALID;
+                return ret;
+        }
+
+        AA_BUG(ret == AA_SECID_INVALID);
+        label->secid = ret;
+        return 0;
 }
 
 /**
@@ -51,5 +155,14 @@ u32 aa_alloc_secid(void)
  */
 void aa_free_secid(u32 secid)
 {
-        ;                       /* NOP ATM */
+        unsigned long flags;
+
+        spin_lock_irqsave(&secid_lock, flags);
+        idr_remove(&aa_secids, secid);
+        spin_unlock_irqrestore(&secid_lock, flags);
+}
+
+void aa_secids_init(void)
+{
+        idr_init_base(&aa_secids, AA_FIRST_SECID);
 }