25 files changed, 32 insertions, 57 deletions

diff --git a/security/Kconfig b/security/Kconfig
index aeac3676dd4d..466cc1f8ffed 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 #
 # Security configuration
 #
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index 0a1d4ca314f4..c6cb2d9b2905 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 menu "Kernel hardening options"
 
 config GCC_PLUGIN_STRUCTLEAK
diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
index 3de21f46c82a..d8b1a360a636 100644
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 config SECURITY_APPARMOR
         bool "AppArmor support"
         depends on SECURITY && NET
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 3ba1168b1756..c352532b8f84 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 #
 config INTEGRITY
         bool "Integrity subsystem"
diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index 60221852b26a..a6e19d23e700 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 config EVM
         bool "EVM support"
         select KEYS
diff --git a/security/integrity/evm/Makefile b/security/integrity/evm/Makefile
index 7393c415a066..a56f5613be79 100644
--- a/security/integrity/evm/Makefile
+++ b/security/integrity/evm/Makefile
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 #
 # Makefile for building the Extended Verification Module(EVM)
 #
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index a18f8c6d13b5..2692c7358c2c 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 # IBM Integrity Measurement Architecture
 #
 config IMA
diff --git a/security/keys/Kconfig b/security/keys/Kconfig
index 6462e6654ccf..ee502e4d390b 100644
--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 #
 # Key management configuration
 #
diff --git a/security/keys/big_key.c b/security/keys/big_key.c
index 2806e70d7f8f..001abe530a0d 100644
--- a/security/keys/big_key.c
+++ b/security/keys/big_key.c
@@ -1,13 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /* Large capacity key type
  *
  * Copyright (C) 2017 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
  * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
  * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public Licence
- * as published by the Free Software Foundation; either version
- * 2 of the Licence, or (at your option) any later version.
  */
 
 #define pr_fmt(fmt) "big_key: "fmt
diff --git a/security/keys/gc.c b/security/keys/gc.c
index 634e96b380e8..44e58a3e5663 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -1,12 +1,8 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /* Key garbage collector
  *
  * Copyright (C) 2009-2011 Red Hat, Inc. All Rights Reserved.
  * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public Licence
- * as published by the Free Software Foundation; either version
- * 2 of the Licence, or (at your option) any later version.
  */
 
 #include <linux/slab.h>
diff --git a/security/keys/keyctl_pkey.c b/security/keys/keyctl_pkey.c
index 8bdea5abad11..931d8dfb4a7f 100644
--- a/security/keys/keyctl_pkey.c
+++ b/security/keys/keyctl_pkey.c
@@ -1,12 +1,8 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /* Public-key operation keyctls
  *
  * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
  * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public Licence
- * as published by the Free Software Foundation; either version
- * 2 of the Licence, or (at your option) any later version.
  */
 
 #include <linux/slab.h>
diff --git a/security/keys/persistent.c b/security/keys/persistent.c
index d0cb5b32eff7..da9a0f42b795 100644
--- a/security/keys/persistent.c
+++ b/security/keys/persistent.c
@@ -1,12 +1,8 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /* General persistent per-UID keyrings register
  *
  * Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
  * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public Licence
- * as published by the Free Software Foundation; either version
- * 2 of the Licence, or (at your option) any later version.
  */
 
 #include <linux/user_namespace.h>
diff --git a/security/keys/sysctl.c b/security/keys/sysctl.c
index b68faa1a5cfd..dd1e21fab827 100644
--- a/security/keys/sysctl.c
+++ b/security/keys/sysctl.c
@@ -1,12 +1,8 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /* Key management controls
  *
  * Copyright (C) 2008 Red Hat, Inc. All Rights Reserved.
  * Written by David Howells (dhowells@redhat.com)
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public Licence
- * as published by the Free Software Foundation; either version
- * 2 of the Licence, or (at your option) any later version.
  */
 
 #include <linux/key.h>
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
index a0d70d82b98e..91be65dec2ab 100644
--- a/security/loadpin/Kconfig
+++ b/security/loadpin/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 config SECURITY_LOADPIN
         bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
         depends on SECURITY && BLOCK
diff --git a/security/loadpin/Makefile b/security/loadpin/Makefile
index c2d77f83037b..0ead1c3105fd 100644
--- a/security/loadpin/Makefile
+++ b/security/loadpin/Makefile
@@ -1 +1,2 @@
+# SPDX-License-Identifier: GPL-2.0-only
 obj-$(CONFIG_SECURITY_LOADPIN) += loadpin.o
diff --git a/security/safesetid/Kconfig b/security/safesetid/Kconfig
index 4f415c4e3f93..18b5fb90417b 100644
--- a/security/safesetid/Kconfig
+++ b/security/safesetid/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 config SECURITY_SAFESETID
         bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities"
         depends on SECURITY
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 55f032f1fc2d..5711689deb6a 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 config SECURITY_SELINUX
         bool "NSA SELinux Support"
         depends on SECURITY_NETWORK && AUDIT && NET && INET
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index c61787b15f27..3ec702cf46ca 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4637,6 +4637,14 @@ static int selinux_socket_connect_helper(struct socket *sock,
         err = sock_has_perm(sk, SOCKET__CONNECT);
         if (err)
                 return err;
+        if (addrlen < offsetofend(struct sockaddr, sa_family))
+                return -EINVAL;
+
+        /* connect(AF_UNSPEC) has special handling, as it is a documented
+         * way to disconnect the socket
+         */
+        if (address->sa_family == AF_UNSPEC)
+                return 0;
 
         /*
          * If a TCP, DCCP or SCTP socket, check name_connect permission
@@ -4657,8 +4665,6 @@ static int selinux_socket_connect_helper(struct socket *sock,
                  * need to check address->sa_family as it is possible to have
                  * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
                  */
-                if (addrlen < offsetofend(struct sockaddr, sa_family))
-                        return -EINVAL;
                 switch (address->sa_family) {
                 case AF_INET:
                         addr4 = (struct sockaddr_in *)address;
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 8671de09c363..d30d8d7cdc9c 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -1,26 +1,12 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
 /*
  * SELinux interface to the NetLabel subsystem
  *
  * Author: Paul Moore <paul@paul-moore.com>
- *
  */
 
 /*
  * (c) Copyright Hewlett-Packard Development Company, L.P., 2006
- *
- * This program is free software;  you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY;  without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
- * the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
  */
 
 #ifndef _SELINUX_NETLABEL_H_
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index 6fd9954e1c08..abaab7683840 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -1,3 +1,4 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * SELinux NetLabel Support
  *
@@ -5,25 +6,10 @@
  * subsystem.
  *
  * Author: Paul Moore <paul@paul-moore.com>
- *
  */
 
 /*
  * (c) Copyright Hewlett-Packard Development Company, L.P., 2007, 2008
- *
- * This program is free software;  you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY;  without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
- * the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
  */
 
 #include <linux/spinlock.h>
diff --git a/security/smack/Kconfig b/security/smack/Kconfig
index 923b120e0fa5..5a8dfad469c3 100644
--- a/security/smack/Kconfig
+++ b/security/smack/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 config SECURITY_SMACK
         bool "Simplified Mandatory Access Control Kernel Support"
         depends on NET
diff --git a/security/smack/Makefile b/security/smack/Makefile
index ee2ebd504541..6dbf6e22a68b 100644
--- a/security/smack/Makefile
+++ b/security/smack/Makefile
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 #
 # Makefile for the SMACK LSM
 #
diff --git a/security/tomoyo/Kconfig b/security/tomoyo/Kconfig
index a00ab7eb6181..9221ea506631 100644
--- a/security/tomoyo/Kconfig
+++ b/security/tomoyo/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 config SECURITY_TOMOYO
         bool "TOMOYO Linux Support"
         depends on SECURITY
diff --git a/security/yama/Kconfig b/security/yama/Kconfig
index 96b27405558a..a810304123ca 100644
--- a/security/yama/Kconfig
+++ b/security/yama/Kconfig
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 config SECURITY_YAMA
         bool "Yama support"
         depends on SECURITY
diff --git a/security/yama/Makefile b/security/yama/Makefile
index 8b5e06588456..0fa5d0fe2cf6 100644
--- a/security/yama/Makefile
+++ b/security/yama/Makefile
@@ -1,3 +1,4 @@
+# SPDX-License-Identifier: GPL-2.0-only
 obj-$(CONFIG_SECURITY_YAMA) := yama.o
 
 yama-y := yama_lsm.o