6 files changed, 138 insertions, 15 deletions

diff --git a/security/capability.c b/security/capability.c
index 1728d4e375db..d32e16e3c6ae 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -91,7 +91,10 @@ static int cap_sb_pivotroot(struct path *old_path, struct path *new_path)
 }
 
 static int cap_sb_set_mnt_opts(struct super_block *sb,
-                               struct security_mnt_opts *opts)
+                               struct security_mnt_opts *opts,
+                               unsigned long kern_flags,
+                               unsigned long *set_kern_flags)
+
 {
         if (unlikely(opts->num_mnt_opts))
                 return -EOPNOTSUPP;
@@ -109,6 +112,13 @@ static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
         return 0;
 }
 
+static int cap_dentry_init_security(struct dentry *dentry, int mode,
+                                        struct qstr *name, void **ctx,
+                                        u32 *ctxlen)
+{
+        return 0;
+}
+
 static int cap_inode_alloc_security(struct inode *inode)
 {
         return 0;
@@ -816,6 +826,11 @@ static int cap_setprocattr(struct task_struct *p, char *name, void *value,
         return -EINVAL;
 }
 
+static int cap_ismaclabel(const char *name)
+{
+        return 0;
+}
+
 static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
         return -EOPNOTSUPP;
@@ -931,6 +946,7 @@ void __init security_fixup_ops(struct security_operations *ops)
         set_to_cap_if_null(ops, sb_set_mnt_opts);
         set_to_cap_if_null(ops, sb_clone_mnt_opts);
         set_to_cap_if_null(ops, sb_parse_opts_str);
+        set_to_cap_if_null(ops, dentry_init_security);
         set_to_cap_if_null(ops, inode_alloc_security);
         set_to_cap_if_null(ops, inode_free_security);
         set_to_cap_if_null(ops, inode_init_security);
@@ -1034,6 +1050,7 @@ void __init security_fixup_ops(struct security_operations *ops)
         set_to_cap_if_null(ops, d_instantiate);
         set_to_cap_if_null(ops, getprocattr);
         set_to_cap_if_null(ops, setprocattr);
+        set_to_cap_if_null(ops, ismaclabel);
         set_to_cap_if_null(ops, secid_to_secctx);
         set_to_cap_if_null(ops, secctx_to_secid);
         set_to_cap_if_null(ops, release_secctx);
diff --git a/security/security.c b/security/security.c
index a3dce87d1aef..94b35aef6871 100644
--- a/security/security.c
+++ b/security/security.c
@@ -12,6 +12,7 @@
  */
 
 #include <linux/capability.h>
+#include <linux/dcache.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
@@ -293,9 +294,12 @@ int security_sb_pivotroot(struct path *old_path, struct path *new_path)
 }
 
 int security_sb_set_mnt_opts(struct super_block *sb,
-                                struct security_mnt_opts *opts)
+                                struct security_mnt_opts *opts,
+                                unsigned long kern_flags,
+                                unsigned long *set_kern_flags)
 {
-        return security_ops->sb_set_mnt_opts(sb, opts);
+        return security_ops->sb_set_mnt_opts(sb, opts, kern_flags,
+                                                set_kern_flags);
 }
 EXPORT_SYMBOL(security_sb_set_mnt_opts);
 
@@ -324,6 +328,15 @@ void security_inode_free(struct inode *inode)
         security_ops->inode_free_security(inode);
 }
 
+int security_dentry_init_security(struct dentry *dentry, int mode,
+                                        struct qstr *name, void **ctx,
+                                        u32 *ctxlen)
+{
+        return security_ops->dentry_init_security(dentry, mode, name,
+                                                        ctx, ctxlen);
+}
+EXPORT_SYMBOL(security_dentry_init_security);
+
 int security_inode_init_security(struct inode *inode, struct inode *dir,
                                  const struct qstr *qstr,
                                  const initxattrs initxattrs, void *fs_data)
@@ -647,6 +660,7 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer
                 return 0;
         return security_ops->inode_listsecurity(inode, buffer, buffer_size);
 }
+EXPORT_SYMBOL(security_inode_listsecurity);
 
 void security_inode_getsecid(const struct inode *inode, u32 *secid)
 {
@@ -1047,6 +1061,12 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
         return security_ops->netlink_send(sk, skb);
 }
 
+int security_ismaclabel(const char *name)
+{
+        return security_ops->ismaclabel(name);
+}
+EXPORT_SYMBOL(security_ismaclabel);
+
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
         return security_ops->secid_to_secctx(secid, secdata, seclen);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index db1fca990a24..c956390a9136 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -81,6 +81,7 @@
 #include <linux/syslog.h>
 #include <linux/user_namespace.h>
 #include <linux/export.h>
+#include <linux/security.h>
 #include <linux/msg.h>
 #include <linux/shm.h>
 
@@ -284,13 +285,14 @@ static void superblock_free_security(struct super_block *sb)
 
 /* The file system's label must be initialized prior to use. */
 
-static const char *labeling_behaviors[6] = {
+static const char *labeling_behaviors[7] = {
         "uses xattr",
         "uses transition SIDs",
         "uses task SIDs",
         "uses genfs_contexts",
         "not configured for labeling",
         "uses mountpoint labeling",
+        "uses native labeling",
 };
 
 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
@@ -552,7 +554,9 @@ static int bad_option(struct superblock_security_struct *sbsec, char flag,
  * labeling information.
  */
 static int selinux_set_mnt_opts(struct super_block *sb,
-                                struct security_mnt_opts *opts)
+                                struct security_mnt_opts *opts,
+                                unsigned long kern_flags,
+                                unsigned long *set_kern_flags)
 {
         const struct cred *cred = current_cred();
         int rc = 0, i;
@@ -580,6 +584,12 @@ static int selinux_set_mnt_opts(struct super_block *sb,
                         "before the security server is initialized\n");
                 goto out;
         }
+        if (kern_flags && !set_kern_flags) {
+                /* Specifying internal flags without providing a place to
+                 * place the results is not allowed */
+                rc = -EINVAL;
+                goto out;
+        }
 
         /*
          * Binary mount data FS will come through this function twice.  Once
@@ -670,14 +680,21 @@ static int selinux_set_mnt_opts(struct super_block *sb,
         if (strcmp(sb->s_type->name, "proc") == 0)
                 sbsec->flags |= SE_SBPROC;
 
-        /* Determine the labeling behavior to use for this filesystem type. */
-        rc = security_fs_use((sbsec->flags & SE_SBPROC) ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
-        if (rc) {
-                printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
-                       __func__, sb->s_type->name, rc);
-                goto out;
+        if (!sbsec->behavior) {
+                /*
+                 * Determine the labeling behavior to use for this
+                 * filesystem type.
+                 */
+                rc = security_fs_use((sbsec->flags & SE_SBPROC) ?
+                                        "proc" : sb->s_type->name,
+                                        &sbsec->behavior, &sbsec->sid);
+                if (rc) {
+                        printk(KERN_WARNING
+                                "%s: security_fs_use(%s) returned %d\n",
+                                        __func__, sb->s_type->name, rc);
+                        goto out;
+                }
         }
-
         /* sets the context of the superblock for the fs being mounted. */
         if (fscontext_sid) {
                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
@@ -692,6 +709,11 @@ static int selinux_set_mnt_opts(struct super_block *sb,
          * sets the label used on all file below the mountpoint, and will set
          * the superblock context if not already set.
          */
+        if (kern_flags & SECURITY_LSM_NATIVE_LABELS && !context_sid) {
+                sbsec->behavior = SECURITY_FS_USE_NATIVE;
+                *set_kern_flags |= SECURITY_LSM_NATIVE_LABELS;
+        }
+
         if (context_sid) {
                 if (!fscontext_sid) {
                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
@@ -723,7 +745,8 @@ static int selinux_set_mnt_opts(struct super_block *sb,
         }
 
         if (defcontext_sid) {
-                if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
+                if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
+                        sbsec->behavior != SECURITY_FS_USE_NATIVE) {
                         rc = -EINVAL;
                         printk(KERN_WARNING "SELinux: defcontext option is "
                                "invalid for this filesystem type\n");
@@ -980,7 +1003,7 @@ static int superblock_doinit(struct super_block *sb, void *data)
                 goto out_err;
 
 out:
-        rc = selinux_set_mnt_opts(sb, &opts);
+        rc = selinux_set_mnt_opts(sb, &opts, 0, NULL);
 
 out_err:
         security_free_mnt_opts(&opts);
@@ -1222,6 +1245,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
         }
 
         switch (sbsec->behavior) {
+        case SECURITY_FS_USE_NATIVE:
+                break;
         case SECURITY_FS_USE_XATTR:
                 if (!inode->i_op->getxattr) {
                         isec->sid = sbsec->def_sid;
@@ -2527,6 +2552,40 @@ static void selinux_inode_free_security(struct inode *inode)
         inode_free_security(inode);
 }
 
+static int selinux_dentry_init_security(struct dentry *dentry, int mode,
+                                        struct qstr *name, void **ctx,
+                                        u32 *ctxlen)
+{
+        const struct cred *cred = current_cred();
+        struct task_security_struct *tsec;
+        struct inode_security_struct *dsec;
+        struct superblock_security_struct *sbsec;
+        struct inode *dir = dentry->d_parent->d_inode;
+        u32 newsid;
+        int rc;
+
+        tsec = cred->security;
+        dsec = dir->i_security;
+        sbsec = dir->i_sb->s_security;
+
+        if (tsec->create_sid && sbsec->behavior != SECURITY_FS_USE_MNTPOINT) {
+                newsid = tsec->create_sid;
+        } else {
+                rc = security_transition_sid(tsec->sid, dsec->sid,
+                                             inode_mode_to_security_class(mode),
+                                             name,
+                                             &newsid);
+                if (rc) {
+                        printk(KERN_WARNING
+                                "%s: security_transition_sid failed, rc=%d\n",
+                               __func__, -rc);
+                        return rc;
+                }
+        }
+
+        return security_sid_to_context(newsid, (char **)ctx, ctxlen);
+}
+
 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
                                        const struct qstr *qstr, char **name,
                                        void **value, size_t *len)
@@ -2861,7 +2920,10 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
                 return;
         }
 
+        isec->sclass = inode_mode_to_security_class(inode->i_mode);
         isec->sid = newsid;
+        isec->initialized = 1;
+
         return;
 }
 
@@ -2949,6 +3011,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
         if (rc)
                 return rc;
 
+        isec->sclass = inode_mode_to_security_class(inode->i_mode);
         isec->sid = newsid;
         isec->initialized = 1;
         return 0;
@@ -5432,6 +5495,11 @@ abort_change:
         return error;
 }
 
+static int selinux_ismaclabel(const char *name)
+{
+        return (strcmp(name, XATTR_SELINUX_SUFFIX) == 0);
+}
+
 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
 {
         return security_sid_to_context(secid, secdata, seclen);
@@ -5574,6 +5642,7 @@ static struct security_operations selinux_ops = {
         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
         .sb_parse_opts_str =            selinux_parse_opts_str,
 
+        .dentry_init_security =         selinux_dentry_init_security,
 
         .inode_alloc_security =         selinux_inode_alloc_security,
         .inode_free_security =          selinux_inode_free_security,
@@ -5669,6 +5738,7 @@ static struct security_operations selinux_ops = {
         .getprocattr =                  selinux_getprocattr,
         .setprocattr =                  selinux_setprocattr,
 
+        .ismaclabel =                   selinux_ismaclabel,
         .secid_to_secctx =              selinux_secid_to_secctx,
         .secctx_to_secid =              selinux_secctx_to_secid,
         .release_secctx =               selinux_release_secctx,
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 6d3885165d14..8fd8e18ea340 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -169,6 +169,8 @@ int security_get_allow_unknown(void);
 #define SECURITY_FS_USE_GENFS           4 /* use the genfs support */
 #define SECURITY_FS_USE_NONE            5 /* no labeling support */
 #define SECURITY_FS_USE_MNTPOINT        6 /* use mountpoint labeling */
+#define SECURITY_FS_USE_NATIVE          7 /* use native label support */
+#define SECURITY_FS_USE_MAX             7 /* Highest SECURITY_FS_USE_XXX */
 
 int security_fs_use(const char *fstype, unsigned int *behavior,
         u32 *sid);
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 9cd9b7c661ec..c8adde3aff8f 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -2168,7 +2168,10 @@ static int ocontext_read(struct policydb *p, struct policydb_compat_info *info,
 
                                 rc = -EINVAL;
                                 c->v.behavior = le32_to_cpu(buf[0]);
-                                if (c->v.behavior > SECURITY_FS_USE_NONE)
+                                /* Determined at runtime, not in policy DB. */
+                                if (c->v.behavior == SECURITY_FS_USE_MNTPOINT)
+                                        goto out;
+                                if (c->v.behavior > SECURITY_FS_USE_MAX)
                                         goto out;
 
                                 rc = -ENOMEM;
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6a083303501d..3f7682a387b7 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3640,6 +3640,16 @@ static void smack_audit_rule_free(void *vrule)
 #endif /* CONFIG_AUDIT */
 
 /**
+ * smack_ismaclabel - check if xattr @name references a smack MAC label
+ * @name: Full xattr name to check.
+ */
+static int smack_ismaclabel(const char *name)
+{
+        return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
+}
+
+
+/**
  * smack_secid_to_secctx - return the smack label for a secid
  * @secid: incoming integer
  * @secdata: destination
@@ -3836,6 +3846,7 @@ struct security_operations smack_ops = {
         .audit_rule_free =              smack_audit_rule_free,
 #endif /* CONFIG_AUDIT */
 
+        .ismaclabel =                   smack_ismaclabel,
         .secid_to_secctx =              smack_secid_to_secctx,
         .secctx_to_secid =              smack_secctx_to_secid,
         .release_secctx =               smack_release_secctx,